s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature()

[metze/samba/wip.git] / source3 / librpc / crypto / gse.c

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 5a5492f80aca935e1b7f6c1c3e19c7260b4fb834..f0b389e508ecf0c7187c31c5c9f813900b9209b3 100644 (file)
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -70,21 +70,24 @@ gss_OID_desc gse_authz_data_oid = {
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
 
 struct gse_context {
+       gss_ctx_id_t gssapi_context;
+       gss_name_t server_name;
+       gss_name_t client_name;
+       OM_uint32 gss_want_flags, gss_got_flags;
+
+       gss_cred_id_t delegated_cred_handle;
+
+       gss_krb5_lucid_context_v1_t *lucid;
+
+       /* gensec_gse only */
        krb5_context k5ctx;
        krb5_ccache ccache;
        krb5_keytab keytab;
 
-       gss_ctx_id_t gssapi_context;
-
        gss_OID_desc gss_mech;
-       OM_uint32 gss_want_flags;
        gss_cred_id_t creds;
-       gss_name_t server_name;
 
        gss_OID ret_mech;
-       OM_uint32 gss_got_flags;
-       gss_cred_id_t delegated_cred_handle;
-       gss_name_t client_name;
 };
 
 #ifndef HAVE_GSS_OID_EQUAL
@@ -188,6 +191,7 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
                gse_ctx->gss_want_flags |= GSS_C_INTEG_FLAG;
        }
        if (do_seal) {
+               gse_ctx->gss_want_flags |= GSS_C_INTEG_FLAG;
                gse_ctx->gss_want_flags |= GSS_C_CONF_FLAG;
        }
 
@@ -350,12 +354,15 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
                goto done;
        }
 
-       blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
-       if (!blob.data) {
-               status = NT_STATUS_NO_MEMORY;
-       }
+       /* we may be told to return nothing */
+       if (out_data.length) {
+               blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
+               if (!blob.data) {
+                       status = NT_STATUS_NO_MEMORY;
+               }
 
-       gss_maj = gss_release_buffer(&gss_min, &out_data);
+               gss_maj = gss_release_buffer(&gss_min, &out_data);
+       }
 
 done:
        *token_out = blob;
@@ -527,12 +534,6 @@ static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
        }
 
        /* GSS_C_MUTUAL_FLAG */
-       if (gse_ctx->gss_want_flags & GSS_C_MUTUAL_FLAG) {
-               if (!(gse_ctx->gss_got_flags & GSS_C_MUTUAL_FLAG)) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-       }
-
        /* GSS_C_DELEG_FLAG */
        /* GSS_C_DELEG_POLICY_FLAG */
        /* GSS_C_REPLAY_FLAG */
@@ -550,6 +551,11 @@ static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
                if (!(gse_ctx->gss_got_flags & GSS_C_CONF_FLAG)) {
                        return NT_STATUS_ACCESS_DENIED;
                }
+
+               /* GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG */
+               if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
        }
 
        /* GSS_C_DCE_STYLE */
@@ -617,6 +623,36 @@ done:
        return errstr;
 }
 
+static NTSTATUS gse_init_lucid(struct gse_context *gse_ctx)
+{
+       OM_uint32 maj_stat, min_stat;
+       void *ptr = NULL;
+
+       if (gse_ctx->lucid) {
+               return NT_STATUS_OK;
+       }
+
+       maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+                                                    &gse_ctx->gssapi_context,
+                                                    1, &ptr);
+       if (maj_stat != GSS_S_COMPLETE) {
+               DEBUG(0,("gse_init_lucid: %s\n",
+                       gse_errstr(talloc_tos(), maj_stat, min_stat)));
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+       gse_ctx->lucid = (gss_krb5_lucid_context_v1_t *)ptr;
+
+       if (gse_ctx->lucid->version != 1) {
+               DEBUG(0,("gse_init_lucid: lucid version[%d] != 1\n",
+                       gse_ctx->lucid->version));
+               gss_krb5_free_lucid_sec_context(&min_stat, gse_ctx->lucid);
+               gse_ctx->lucid = NULL;
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+       return NT_STATUS_OK;
+}
+
 static DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
                                     struct gse_context *gse_ctx)
 {
@@ -1135,6 +1171,24 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security,
        if (feature & GENSEC_FEATURE_DCE_STYLE) {
                return gse_ctx->gss_got_flags & GSS_C_DCE_STYLE;
        }
+       if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
+               NTSTATUS status;
+
+               if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
+                       return false;
+               }
+
+               status = gse_init_lucid(gse_ctx);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return false;
+               }
+
+               if (gse_ctx->lucid->protocol == 1) {
+                       return true;
+               }
+
+               return false;
+       }
        /* We can always do async (rather than strict request/reply) packets.  */
        if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
                return true;