LCOV - code coverage report
Current view: top level - source4/auth/gensec - gensec_krb5.c (source / functions) Hit Total Coverage
Test: coverage report for master 6248eab5 Lines: 299 499 59.9 %
Date: 2021-08-25 13:27:56 Functions: 19 21 90.5 %

          Line data    Source code
       1             : /* 
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Kerberos backend for GENSEC
       5             :    
       6             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
       7             :    Copyright (C) Andrew Tridgell 2001
       8             :    Copyright (C) Luke Howard 2002-2003
       9             :    Copyright (C) Stefan Metzmacher 2004-2005
      10             : 
      11             :    This program is free software; you can redistribute it and/or modify
      12             :    it under the terms of the GNU General Public License as published by
      13             :    the Free Software Foundation; either version 3 of the License, or
      14             :    (at your option) any later version.
      15             :    
      16             :    This program is distributed in the hope that it will be useful,
      17             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      18             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      19             :    GNU General Public License for more details.
      20             : 
      21             :    
      22             :    You should have received a copy of the GNU General Public License
      23             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      24             : */
      25             : 
      26             : #include "includes.h"
      27             : #include <tevent.h>
      28             : #include "lib/util/tevent_ntstatus.h"
      29             : #include "system/kerberos.h"
      30             : #include "auth/kerberos/kerberos.h"
      31             : #include "auth/auth.h"
      32             : #include "lib/tsocket/tsocket.h"
      33             : #include "librpc/gen_ndr/dcerpc.h"
      34             : #include "auth/credentials/credentials.h"
      35             : #include "auth/credentials/credentials_krb5.h"
      36             : #include "auth/kerberos/kerberos_credentials.h"
      37             : #include "auth/gensec/gensec.h"
      38             : #include "auth/gensec/gensec_internal.h"
      39             : #include "auth/gensec/gensec_proto.h"
      40             : #include "auth/gensec/gensec_toplevel_proto.h"
      41             : #include "param/param.h"
      42             : #include "auth/auth_sam_reply.h"
      43             : #include "lib/util/util_net.h"
      44             : #include "../lib/util/asn1.h"
      45             : #include "auth/kerberos/pac_utils.h"
      46             : #include "gensec_krb5.h"
      47             : 
      48             : _PUBLIC_ NTSTATUS gensec_krb5_init(TALLOC_CTX *);
      49             : 
      50             : enum GENSEC_KRB5_STATE {
      51             :         GENSEC_KRB5_SERVER_START,
      52             :         GENSEC_KRB5_CLIENT_START,
      53             :         GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
      54             :         GENSEC_KRB5_DONE
      55             : };
      56             : 
      57             : struct gensec_krb5_state {
      58             :         enum GENSEC_KRB5_STATE state_position;
      59             :         struct smb_krb5_context *smb_krb5_context;
      60             :         krb5_auth_context auth_context;
      61             :         krb5_data enc_ticket;
      62             :         krb5_keyblock *keyblock;
      63             :         krb5_ticket *ticket;
      64             :         bool gssapi;
      65             :         krb5_flags ap_req_options;
      66             : };
      67             : 
      68        1655 : static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
      69             : {
      70        1655 :         if (!gensec_krb5_state->smb_krb5_context) {
      71             :                 /* We can't clean anything else up unless we started up this far */
      72           0 :                 return 0;
      73             :         }
      74        1655 :         if (gensec_krb5_state->enc_ticket.length) { 
      75         200 :                 smb_krb5_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
      76             :                                             &gensec_krb5_state->enc_ticket); 
      77             :         }
      78             : 
      79        1655 :         if (gensec_krb5_state->ticket) {
      80        1455 :                 krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context, 
      81             :                                  gensec_krb5_state->ticket);
      82             :         }
      83             : 
      84             :         /* ccache freed in a child destructor */
      85             : 
      86        1655 :         krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context, 
      87             :                            gensec_krb5_state->keyblock);
      88             :                 
      89        1655 :         if (gensec_krb5_state->auth_context) {
      90        1655 :                 krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context, 
      91             :                                    gensec_krb5_state->auth_context);
      92             :         }
      93             : 
      94        1655 :         return 0;
      95             : }
      96             : 
      97        1655 : static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi)
      98             : {
      99             :         krb5_error_code ret;
     100             :         struct gensec_krb5_state *gensec_krb5_state;
     101             :         struct cli_credentials *creds;
     102             :         const struct tsocket_address *tlocal_addr, *tremote_addr;
     103             :         krb5_address my_krb5_addr, peer_krb5_addr;
     104             :         
     105        1655 :         creds = gensec_get_credentials(gensec_security);
     106        1655 :         if (!creds) {
     107           0 :                 return NT_STATUS_INVALID_PARAMETER;
     108             :         }
     109             : 
     110        1655 :         gensec_krb5_state = talloc_zero(gensec_security, struct gensec_krb5_state);
     111        1655 :         if (!gensec_krb5_state) {
     112           0 :                 return NT_STATUS_NO_MEMORY;
     113             :         }
     114             : 
     115        1655 :         gensec_security->private_data = gensec_krb5_state;
     116        1655 :         gensec_krb5_state->gssapi = gssapi;
     117             : 
     118        1655 :         talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); 
     119             : 
     120        3310 :         if (cli_credentials_get_krb5_context(creds, 
     121        1655 :                                              gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
     122           0 :                 talloc_free(gensec_krb5_state);
     123           0 :                 return NT_STATUS_INTERNAL_ERROR;
     124             :         }
     125             : 
     126        1655 :         ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
     127        1655 :         if (ret) {
     128           0 :                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", 
     129             :                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
     130             :                                                     ret, gensec_krb5_state)));
     131           0 :                 talloc_free(gensec_krb5_state);
     132           0 :                 return NT_STATUS_INTERNAL_ERROR;
     133             :         }
     134             : 
     135        1655 :         ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context, 
     136             :                                      gensec_krb5_state->auth_context,
     137             :                                      KRB5_AUTH_CONTEXT_DO_SEQUENCE);
     138        1655 :         if (ret) {
     139           0 :                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n", 
     140             :                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
     141             :                                                     ret, gensec_krb5_state)));
     142           0 :                 talloc_free(gensec_krb5_state);
     143           0 :                 return NT_STATUS_INTERNAL_ERROR;
     144             :         }
     145             : 
     146        1655 :         tlocal_addr = gensec_get_local_address(gensec_security);
     147        1655 :         if (tlocal_addr) {
     148             :                 ssize_t sockaddr_ret;
     149             :                 struct samba_sockaddr addr;
     150             :                 bool ok;
     151             : 
     152          41 :                 addr.sa_socklen = sizeof(addr.u);
     153          41 :                 sockaddr_ret = tsocket_address_bsd_sockaddr(
     154          41 :                         tlocal_addr, &addr.u.sa, addr.sa_socklen);
     155          41 :                 if (sockaddr_ret < 0) {
     156           0 :                         talloc_free(gensec_krb5_state);
     157           0 :                         return NT_STATUS_INTERNAL_ERROR;
     158             :                 }
     159          41 :                 addr.sa_socklen = sockaddr_ret;
     160          41 :                 ok = smb_krb5_sockaddr_to_kaddr(&addr.u.ss, &my_krb5_addr);
     161          41 :                 if (!ok) {
     162           0 :                         DBG_WARNING("smb_krb5_sockaddr_to_kaddr (local) failed\n");
     163           0 :                         talloc_free(gensec_krb5_state);
     164           0 :                         return NT_STATUS_INTERNAL_ERROR;
     165             :                 }
     166             :         }
     167             : 
     168        1655 :         tremote_addr = gensec_get_remote_address(gensec_security);
     169        1655 :         if (tremote_addr) {
     170             :                 ssize_t sockaddr_ret;
     171             :                 struct samba_sockaddr addr;
     172             :                 bool ok;
     173             : 
     174           7 :                 addr.sa_socklen = sizeof(addr.u);
     175           7 :                 sockaddr_ret = tsocket_address_bsd_sockaddr(
     176           7 :                         tremote_addr, &addr.u.sa, addr.sa_socklen);
     177           7 :                 if (sockaddr_ret < 0) {
     178           0 :                         talloc_free(gensec_krb5_state);
     179           0 :                         return NT_STATUS_INTERNAL_ERROR;
     180             :                 }
     181           7 :                 addr.sa_socklen = sockaddr_ret;
     182           7 :                 ok = smb_krb5_sockaddr_to_kaddr(&addr.u.ss, &peer_krb5_addr);
     183           7 :                 if (!ok) {
     184           0 :                         DBG_WARNING("smb_krb5_sockaddr_to_kaddr (remote) failed\n");
     185           0 :                         talloc_free(gensec_krb5_state);
     186           0 :                         return NT_STATUS_INTERNAL_ERROR;
     187             :                 }
     188             :         }
     189             : 
     190        1655 :         ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context, 
     191             :                                      gensec_krb5_state->auth_context,
     192             :                                      tlocal_addr ? &my_krb5_addr : NULL,
     193             :                                      tremote_addr ? &peer_krb5_addr : NULL);
     194        1655 :         if (ret) {
     195           0 :                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n", 
     196             :                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
     197             :                                                     ret, gensec_krb5_state)));
     198           0 :                 talloc_free(gensec_krb5_state);
     199           0 :                 return NT_STATUS_INTERNAL_ERROR;
     200             :         }
     201             : 
     202        1655 :         return NT_STATUS_OK;
     203             : }
     204             : 
     205        1455 : static NTSTATUS gensec_krb5_common_server_start(struct gensec_security *gensec_security, bool gssapi)
     206             : {
     207             :         NTSTATUS nt_status;
     208             :         struct gensec_krb5_state *gensec_krb5_state;
     209             : 
     210        1455 :         nt_status = gensec_krb5_start(gensec_security, gssapi);
     211        1455 :         if (!NT_STATUS_IS_OK(nt_status)) {
     212           0 :                 return nt_status;
     213             :         }
     214             :         
     215        1455 :         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
     216        1455 :         gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
     217             : 
     218        1455 :         return NT_STATUS_OK;
     219             : }
     220             : 
     221        1455 : static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
     222             : {
     223        1455 :         return gensec_krb5_common_server_start(gensec_security, false);
     224             : }
     225             : 
     226           0 : static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
     227             : {
     228           0 :         return gensec_krb5_common_server_start(gensec_security, true);
     229             : }
     230             : 
     231         200 : static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi)
     232             : {
     233             :         const char *hostname;
     234             :         struct gensec_krb5_state *gensec_krb5_state;
     235             :         NTSTATUS nt_status;
     236         200 :         hostname = gensec_get_target_hostname(gensec_security);
     237         200 :         if (!hostname) {
     238           0 :                 DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
     239           0 :                 return NT_STATUS_INVALID_PARAMETER;
     240             :         }
     241         200 :         if (is_ipaddress(hostname)) {
     242           0 :                 DEBUG(2, ("Cannot do krb5 to an IP address"));
     243           0 :                 return NT_STATUS_INVALID_PARAMETER;
     244             :         }
     245         200 :         if (strcmp(hostname, "localhost") == 0) {
     246           0 :                 DEBUG(2, ("krb5 to 'localhost' does not make sense"));
     247           0 :                 return NT_STATUS_INVALID_PARAMETER;
     248             :         }
     249             :                         
     250         200 :         nt_status = gensec_krb5_start(gensec_security, gssapi);
     251         200 :         if (!NT_STATUS_IS_OK(nt_status)) {
     252           0 :                 return nt_status;
     253             :         }
     254             : 
     255         200 :         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
     256         200 :         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
     257         200 :         gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
     258             : 
     259         200 :         if (gensec_krb5_state->gssapi) {
     260             :                 /* The Fake GSSAPI model emulates Samba3, which does not do mutual authentication */
     261         194 :                 if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) {
     262           0 :                         gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
     263             :                 }
     264             :         } else {
     265             :                 /* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */
     266           6 :                 if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
     267           6 :                         gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
     268             :                 }
     269             :         }
     270         200 :         return NT_STATUS_OK;
     271             : }
     272             : 
     273         200 : static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_security,
     274             :                                                 struct tevent_context *ev)
     275             : {
     276             :         struct gensec_krb5_state *gensec_krb5_state;
     277             :         krb5_error_code ret;
     278             :         struct ccache_container *ccache_container;
     279             :         const char *error_string;
     280             :         const char *principal;
     281             :         const char *hostname;
     282         200 :         krb5_data in_data = { .length = 0 };
     283         200 :         krb5_data *in_data_p = NULL;
     284             : #ifdef SAMBA4_USES_HEIMDAL
     285             :         struct tevent_context *previous_ev;
     286             : #endif
     287             : 
     288         200 :         if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
     289             :                             NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
     290         136 :                 in_data_p = &in_data;
     291             :         }
     292             :         
     293         200 :         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
     294             : 
     295         200 :         principal = gensec_get_target_principal(gensec_security);
     296         200 :         hostname = gensec_get_target_hostname(gensec_security);
     297             : 
     298         200 :         ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), 
     299             :                                          ev,
     300         200 :                                          gensec_security->settings->lp_ctx, &ccache_container, &error_string);
     301         200 :         switch (ret) {
     302         200 :         case 0:
     303         200 :                 break;
     304           0 :         case KRB5KDC_ERR_PREAUTH_FAILED:
     305             :         case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
     306           0 :                 return NT_STATUS_LOGON_FAILURE;
     307           0 :         case KRB5_KDC_UNREACH:
     308           0 :                 DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string));
     309           0 :                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
     310           0 :         case KRB5_CC_NOTFOUND:
     311             :         case KRB5_CC_END:
     312           0 :                 DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
     313           0 :                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
     314           0 :         default:
     315           0 :                 DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
     316           0 :                 return NT_STATUS_UNSUCCESSFUL;
     317             :         }
     318             :         
     319             : #ifdef SAMBA4_USES_HEIMDAL
     320             :         /* Do this every time, in case we have weird recursive issues here */
     321         101 :         ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
     322         101 :         if (ret != 0) {
     323           0 :                 DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
     324           0 :                 return NT_STATUS_NO_MEMORY;
     325             :         }
     326             : #endif
     327         200 :         if (principal) {
     328             :                 krb5_principal target_principal;
     329           0 :                 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
     330             :                                       &target_principal);
     331           0 :                 if (ret == 0) {
     332             :                         krb5_creds this_cred;
     333             :                         krb5_creds *cred;
     334             : 
     335           0 :                         ZERO_STRUCT(this_cred);
     336           0 :                         ret = krb5_cc_get_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
     337           0 :                                                     ccache_container->ccache,
     338             :                                                     &this_cred.client);
     339           0 :                         if (ret != 0) {
     340           0 :                                 krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
     341             :                                                     target_principal);
     342           0 :                                 return NT_STATUS_UNSUCCESSFUL;
     343             :                         }
     344             : 
     345           0 :                         ret = krb5_copy_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
     346             :                                                   target_principal,
     347             :                                                   &this_cred.server);
     348           0 :                         krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
     349             :                                             target_principal);
     350           0 :                         if (ret != 0) {
     351           0 :                                 krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
     352             :                                                         &this_cred);
     353           0 :                                 return NT_STATUS_UNSUCCESSFUL;
     354             :                         }
     355           0 :                         this_cred.times.endtime = 0;
     356             : 
     357           0 :                         ret = krb5_get_credentials(gensec_krb5_state->smb_krb5_context->krb5_context,
     358             :                                                    0,
     359           0 :                                                    ccache_container->ccache,
     360             :                                                    &this_cred,
     361             :                                                    &cred);
     362           0 :                         krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
     363             :                                                 &this_cred);
     364           0 :                         if (ret != 0) {
     365           0 :                                 return NT_STATUS_UNSUCCESSFUL;
     366             :                         }
     367             : 
     368           0 :                         ret = krb5_mk_req_extended(gensec_krb5_state->smb_krb5_context->krb5_context,
     369             :                                                    &gensec_krb5_state->auth_context,
     370             :                                                    gensec_krb5_state->ap_req_options,
     371             :                                                    in_data_p,
     372             :                                                    cred,
     373             :                                                    &gensec_krb5_state->enc_ticket);
     374             :                 }
     375             :         } else {
     376         400 :                 ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
     377             :                                   &gensec_krb5_state->auth_context,
     378             :                                   gensec_krb5_state->ap_req_options,
     379             :                                   discard_const_p(char, gensec_get_target_service(gensec_security)),
     380             :                                   discard_const_p(char, hostname),
     381         200 :                                   in_data_p, ccache_container->ccache, 
     382             :                                   &gensec_krb5_state->enc_ticket);
     383             :         }
     384             : 
     385             : #ifdef SAMBA4_USES_HEIMDAL
     386         101 :         smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, ev);
     387             : #endif
     388             : 
     389         200 :         switch (ret) {
     390         200 :         case 0:
     391         200 :                 return NT_STATUS_OK;
     392           0 :         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
     393           0 :                 DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
     394             :                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
     395           0 :                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
     396           0 :         case KRB5_KDC_UNREACH:
     397           0 :                 DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
     398             :                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
     399           0 :                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
     400           0 :         case KRB5KDC_ERR_PREAUTH_FAILED:
     401             :         case KRB5KRB_AP_ERR_TKT_EXPIRED:
     402             :         case KRB5_CC_END:
     403             :                 /* Too much clock skew - we will need to kinit to re-skew the clock */
     404             :         case KRB5KRB_AP_ERR_SKEW:
     405             :         case KRB5_KDCREP_SKEW:
     406           0 :                 DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
     407             :                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
     408             :                 FALL_THROUGH;
     409             :         /* just don't print a message for these really ordinary messages */
     410             :         case KRB5_FCC_NOFILE:
     411             :         case KRB5_CC_NOTFOUND:
     412             :         case ENOENT:
     413             :                 
     414           0 :                 return NT_STATUS_UNSUCCESSFUL;
     415             :                 break;
     416             :                 
     417           0 :         default:
     418           0 :                 DEBUG(0, ("kerberos: %s\n", 
     419             :                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
     420           0 :                 return NT_STATUS_UNSUCCESSFUL;
     421             :         }
     422             : }
     423             : 
     424           6 : static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
     425             : {
     426           6 :         return gensec_krb5_common_client_start(gensec_security, false);
     427             : }
     428             : 
     429         194 : static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
     430             : {
     431         194 :         return gensec_krb5_common_client_start(gensec_security, true);
     432             : }
     433             : 
     434             : 
     435             : /*
     436             :   generate a krb5 GSS-API wrapper packet given a ticket
     437             : */
     438         194 : static DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2])
     439             : {
     440             :         struct asn1_data *data;
     441         194 :         DATA_BLOB ret = data_blob_null;
     442             : 
     443         194 :         data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
     444         194 :         if (!data || !ticket->data) {
     445           0 :                 return ret;
     446             :         }
     447             : 
     448         194 :         if (!asn1_push_tag(data, ASN1_APPLICATION(0))) goto err;
     449         194 :         if (!asn1_write_OID(data, GENSEC_OID_KERBEROS5)) goto err;
     450             : 
     451         194 :         if (!asn1_write(data, tok_id, 2)) goto err;
     452         194 :         if (!asn1_write(data, ticket->data, ticket->length)) goto err;
     453         194 :         if (!asn1_pop_tag(data)) goto err;
     454             : 
     455             : 
     456         194 :         if (!asn1_extract_blob(data, mem_ctx, &ret)) {
     457           0 :                 goto err;
     458             :         }
     459         194 :         asn1_free(data);
     460             : 
     461         194 :         return ret;
     462             : 
     463           0 :   err:
     464             : 
     465           0 :         DEBUG(1, ("Failed to build krb5 wrapper at offset %d\n",
     466             :                   (int)asn1_current_ofs(data)));
     467           0 :         asn1_free(data);
     468           0 :         return ret;
     469             : }
     470             : 
     471             : /*
     472             :   parse a krb5 GSS-API wrapper packet giving a ticket
     473             : */
     474           0 : static bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2])
     475             : {
     476           0 :         bool ret = false;
     477           0 :         struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
     478             :         int data_remaining;
     479             : 
     480           0 :         if (!data) {
     481           0 :                 return false;
     482             :         }
     483             : 
     484           0 :         if (!asn1_load(data, *blob)) goto err;
     485           0 :         if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
     486           0 :         if (!asn1_check_OID(data, GENSEC_OID_KERBEROS5)) goto err;
     487             : 
     488           0 :         data_remaining = asn1_tag_remaining(data);
     489             : 
     490           0 :         if (data_remaining < 3) {
     491           0 :                 asn1_set_error(data);
     492             :         } else {
     493           0 :                 if (!asn1_read(data, tok_id, 2)) goto err;
     494           0 :                 data_remaining -= 2;
     495           0 :                 *ticket = data_blob_talloc(mem_ctx, NULL, data_remaining);
     496           0 :                 if (!asn1_read(data, ticket->data, ticket->length)) goto err;
     497             :         }
     498             : 
     499           0 :         if (!asn1_end_tag(data)) goto err;
     500             : 
     501           0 :         ret = !asn1_has_error(data);
     502             : 
     503           0 :   err:
     504             : 
     505           0 :         asn1_free(data);
     506             : 
     507           0 :         return ret;
     508             : }
     509             : 
     510        1655 : static NTSTATUS gensec_krb5_update_internal(struct gensec_security *gensec_security,
     511             :                                             TALLOC_CTX *out_mem_ctx,
     512             :                                             struct tevent_context *ev,
     513             :                                             const DATA_BLOB in, DATA_BLOB *out)
     514             : {
     515        1655 :         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
     516        1655 :         krb5_error_code ret = 0;
     517             :         NTSTATUS nt_status;
     518             : 
     519        1655 :         switch (gensec_krb5_state->state_position) {
     520         200 :         case GENSEC_KRB5_CLIENT_START:
     521             :         {
     522             :                 DATA_BLOB unwrapped_out;
     523             :                 
     524         200 :                 nt_status = gensec_krb5_common_client_creds(gensec_security, ev);
     525         200 :                 if (!NT_STATUS_IS_OK(nt_status)) {
     526           0 :                         return nt_status;
     527             :                 }
     528             : 
     529         200 :                 if (gensec_krb5_state->gssapi) {
     530         194 :                         unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
     531             :                         
     532             :                         /* wrap that up in a nice GSS-API wrapping */
     533         194 :                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
     534             :                 } else {
     535           6 :                         *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
     536             :                 }
     537         200 :                 if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
     538           6 :                         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
     539           6 :                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
     540             :                 } else {
     541         194 :                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
     542         194 :                         nt_status = NT_STATUS_OK;
     543             :                 }
     544         200 :                 return nt_status;
     545             :         }
     546             :                 
     547           0 :         case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
     548             :         {
     549             :                 DATA_BLOB unwrapped_in;
     550             :                 krb5_data inbuf;
     551           0 :                 krb5_ap_rep_enc_part *repl = NULL;
     552             :                 uint8_t tok_id[2];
     553             : 
     554           0 :                 if (gensec_krb5_state->gssapi) {
     555           0 :                         if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
     556           0 :                                 DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
     557           0 :                                 dump_data_pw("Mutual authentication message:\n", in.data, in.length);
     558           0 :                                 return NT_STATUS_INVALID_PARAMETER;
     559             :                         }
     560             :                 } else {
     561           0 :                         unwrapped_in = in;
     562             :                 }
     563             :                 /* TODO: check the tok_id */
     564             : 
     565           0 :                 inbuf.data = (char *)unwrapped_in.data;
     566           0 :                 inbuf.length = unwrapped_in.length;
     567           0 :                 ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context, 
     568             :                                   gensec_krb5_state->auth_context,
     569             :                                   &inbuf, &repl);
     570           0 :                 if (ret) {
     571           0 :                         DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
     572             :                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
     573           0 :                         dump_data_pw("Mutual authentication message:\n", (uint8_t *)inbuf.data, inbuf.length);
     574           0 :                         nt_status = NT_STATUS_ACCESS_DENIED;
     575             :                 } else {
     576           0 :                         *out = data_blob(NULL, 0);
     577           0 :                         nt_status = NT_STATUS_OK;
     578           0 :                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
     579             :                 }
     580           0 :                 if (repl) {
     581           0 :                         krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
     582             :                 }
     583           0 :                 return nt_status;
     584             :         }
     585             : 
     586        1455 :         case GENSEC_KRB5_SERVER_START:
     587             :         {
     588             :                 DATA_BLOB unwrapped_in;
     589        1455 :                 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
     590             :                 krb5_data inbuf, outbuf;
     591             :                 uint8_t tok_id[2];
     592             :                 struct keytab_container *keytab;
     593             :                 krb5_principal server_in_keytab;
     594             :                 const char *error_string;
     595             :                 enum credentials_obtained obtained;
     596             : 
     597        1455 :                 if (!in.data) {
     598           0 :                         return NT_STATUS_INVALID_PARAMETER;
     599             :                 }       
     600             : 
     601             :                 /* Grab the keytab, however generated */
     602        1455 :                 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), 
     603        1455 :                                                  gensec_security->settings->lp_ctx, &keytab);
     604        1455 :                 if (ret) {
     605           0 :                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
     606             :                 }
     607             :                 
     608             :                 /* This ensures we lookup the correct entry in that
     609             :                  * keytab.  A NULL principal is acceptable, and means
     610             :                  * that the krb5 libs should search the keytab at
     611             :                  * accept time for any matching key */
     612        1455 :                 ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), 
     613             :                                                  gensec_krb5_state->smb_krb5_context, 
     614             :                                                  &server_in_keytab, &obtained, &error_string);
     615             : 
     616        1455 :                 if (ret) {
     617           0 :                         DEBUG(2,("Failed to make credentials from principal: %s\n", error_string));
     618           0 :                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
     619             :                 }
     620             : 
     621        1455 :                 if (keytab->password_based || obtained < CRED_SPECIFIED) {
     622             :                         /* 
     623             :                          * Use match-by-key in this case (matches
     624             :                          * cli_credentials_get_server_gss_creds()
     625             :                          * behaviour).  No need to free the memory,
     626             :                          * this is handled with a talloc destructor.
     627             :                          */
     628         427 :                         server_in_keytab = NULL;
     629             :                 }
     630             : 
     631             :                 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
     632        1455 :                 if (gensec_krb5_state->gssapi
     633           0 :                     && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
     634           0 :                         inbuf.data = (char *)unwrapped_in.data;
     635           0 :                         inbuf.length = unwrapped_in.length;
     636             :                 } else {
     637        1455 :                         inbuf.data = (char *)in.data;
     638        1455 :                         inbuf.length = in.length;
     639             :                 }
     640             : 
     641        2910 :                 ret = smb_krb5_rd_req_decoded(gensec_krb5_state->smb_krb5_context->krb5_context,
     642             :                                               &gensec_krb5_state->auth_context,
     643             :                                               &inbuf,
     644        1455 :                                               keytab->keytab,
     645             :                                               server_in_keytab,
     646             :                                               &outbuf,
     647             :                                               &gensec_krb5_state->ticket,
     648             :                                               &gensec_krb5_state->keyblock);
     649             : 
     650        1455 :                 if (ret) {
     651           0 :                         DBG_WARNING("smb_krb5_rd_req_decoded failed\n");
     652           0 :                         return NT_STATUS_LOGON_FAILURE;
     653             :                 }
     654        1455 :                 unwrapped_out.data = (uint8_t *)outbuf.data;
     655        1455 :                 unwrapped_out.length = outbuf.length;
     656        1455 :                 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
     657             :                 /* wrap that up in a nice GSS-API wrapping */
     658        1455 :                 if (gensec_krb5_state->gssapi) {
     659           0 :                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
     660             :                 } else {
     661        1455 :                         *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
     662             :                 }
     663        1455 :                 smb_krb5_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
     664             :                                             &outbuf);
     665        1455 :                 return NT_STATUS_OK;
     666             :         }
     667             : 
     668           0 :         case GENSEC_KRB5_DONE:
     669             :         default:
     670             :                 /* Asking too many times... */
     671           0 :                 return NT_STATUS_INVALID_PARAMETER;
     672             :         }
     673             : }
     674             : 
     675             : struct gensec_krb5_update_state {
     676             :         NTSTATUS status;
     677             :         DATA_BLOB out;
     678             : };
     679             : 
     680        1655 : static struct tevent_req *gensec_krb5_update_send(TALLOC_CTX *mem_ctx,
     681             :                                                   struct tevent_context *ev,
     682             :                                                   struct gensec_security *gensec_security,
     683             :                                                   const DATA_BLOB in)
     684             : {
     685        1655 :         struct tevent_req *req = NULL;
     686        1655 :         struct gensec_krb5_update_state *state = NULL;
     687             :         NTSTATUS status;
     688             : 
     689        1655 :         req = tevent_req_create(mem_ctx, &state,
     690             :                                 struct gensec_krb5_update_state);
     691        1655 :         if (req == NULL) {
     692           0 :                 return NULL;
     693             :         }
     694             : 
     695        1655 :         status = gensec_krb5_update_internal(gensec_security,
     696             :                                              state, ev, in,
     697        1655 :                                              &state->out);
     698        1655 :         state->status = status;
     699        1655 :         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
     700           6 :                 tevent_req_done(req);
     701           6 :                 return tevent_req_post(req, ev);
     702             :         }
     703        1649 :         if (tevent_req_nterror(req, status)) {
     704           0 :                 return tevent_req_post(req, ev);
     705             :         }
     706             : 
     707        1649 :         tevent_req_done(req);
     708        1649 :         return tevent_req_post(req, ev);
     709             : }
     710             : 
     711        1655 : static NTSTATUS gensec_krb5_update_recv(struct tevent_req *req,
     712             :                                         TALLOC_CTX *out_mem_ctx,
     713             :                                         DATA_BLOB *out)
     714             : {
     715        1655 :         struct gensec_krb5_update_state *state =
     716        1655 :                 tevent_req_data(req,
     717             :                 struct gensec_krb5_update_state);
     718             :         NTSTATUS status;
     719             : 
     720        1655 :         *out = data_blob_null;
     721             : 
     722        1655 :         if (tevent_req_is_nterror(req, &status)) {
     723           0 :                 tevent_req_received(req);
     724           0 :                 return status;
     725             :         }
     726             : 
     727        1655 :         *out = state->out;
     728        1655 :         talloc_steal(out_mem_ctx, state->out.data);
     729        1655 :         status = state->status;
     730        1655 :         tevent_req_received(req);
     731        1655 :         return status;
     732             : }
     733             : 
     734        1649 : static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, 
     735             :                                         TALLOC_CTX *mem_ctx,
     736             :                                         DATA_BLOB *session_key) 
     737             : {
     738        1649 :         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
     739        1649 :         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
     740        1649 :         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
     741        1649 :         krb5_error_code err = -1;
     742        1649 :         bool remote = false;
     743             :         bool ok;
     744             : 
     745        1649 :         if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
     746           0 :                 return NT_STATUS_NO_USER_SESSION_KEY;
     747             :         }
     748             : 
     749        1649 :         switch (gensec_security->gensec_role) {
     750         194 :         case GENSEC_CLIENT:
     751         194 :                 remote = false;
     752         194 :                 break;
     753        1455 :         case GENSEC_SERVER:
     754        1455 :                 remote = true;
     755        1455 :                 break;
     756             :         }
     757             : 
     758        1649 :         ok = smb_krb5_get_smb_session_key(mem_ctx,
     759             :                                           context,
     760             :                                           auth_context,
     761             :                                           session_key,
     762             :                                           remote);
     763        1649 :         if (!ok) {
     764           0 :                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
     765           0 :                 return NT_STATUS_NO_USER_SESSION_KEY;
     766             :         }
     767             : 
     768        1649 :         return NT_STATUS_OK;
     769             : }
     770             : 
     771             : #ifdef SAMBA4_USES_HEIMDAL
     772        1445 : static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
     773             :                                          TALLOC_CTX *mem_ctx,
     774             :                                          struct auth_session_info **_session_info) 
     775             : {
     776        1445 :         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
     777        1445 :         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
     778        1445 :         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
     779        1445 :         struct auth_session_info *session_info = NULL;
     780             : 
     781             :         krb5_principal client_principal;
     782        1445 :         char *principal_string = NULL;
     783             :         
     784        1445 :         DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
     785             :         krb5_data pac_data;
     786             : 
     787             :         krb5_error_code ret;
     788             : 
     789        1445 :         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
     790        1445 :         if (!tmp_ctx) {
     791           0 :                 return NT_STATUS_NO_MEMORY;
     792             :         }
     793             :         
     794        1445 :         ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
     795        1445 :         if (ret) {
     796           0 :                 DEBUG(5, ("krb5_ticket_get_client failed to get client principal: %s\n", 
     797             :                           smb_get_krb5_error_message(context, 
     798             :                                                      ret, tmp_ctx)));
     799           0 :                 talloc_free(tmp_ctx);
     800           0 :                 return NT_STATUS_NO_MEMORY;
     801             :         }
     802             :         
     803        1445 :         ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, 
     804             :                                 client_principal, &principal_string);
     805        1445 :         if (ret) {
     806           0 :                 DEBUG(1, ("Unable to parse client principal: %s\n",
     807             :                           smb_get_krb5_error_message(context, 
     808             :                                                      ret, tmp_ctx)));
     809           0 :                 krb5_free_principal(context, client_principal);
     810           0 :                 talloc_free(tmp_ctx);
     811           0 :                 return NT_STATUS_NO_MEMORY;
     812             :         }
     813             : 
     814        1445 :         ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket, 
     815             :                                                       KRB5_AUTHDATA_WIN2K_PAC, 
     816             :                                                       &pac_data);
     817             :         
     818        1445 :         if (ret) {
     819             :                 /* NO pac */
     820           0 :                 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", 
     821             :                           smb_get_krb5_error_message(context, 
     822             :                                                      ret, tmp_ctx)));
     823             :         } else {
     824             :                 /* Found pac */
     825        1445 :                 pac_blob = data_blob_talloc(tmp_ctx, pac_data.data, pac_data.length);
     826        1445 :                 smb_krb5_free_data_contents(context, &pac_data);
     827        1445 :                 if (!pac_blob.data) {
     828           0 :                         free(principal_string);
     829           0 :                         krb5_free_principal(context, client_principal);
     830           0 :                         talloc_free(tmp_ctx);
     831           0 :                         return NT_STATUS_NO_MEMORY;
     832             :                 }
     833             : 
     834             :                 /* decode and verify the pac */
     835        2890 :                 nt_status = kerberos_decode_pac(gensec_krb5_state,
     836             :                                                 pac_blob,
     837        1445 :                                                 gensec_krb5_state->smb_krb5_context->krb5_context,
     838        1445 :                                                 NULL, gensec_krb5_state->keyblock,
     839             :                                                 client_principal,
     840        1445 :                                                 gensec_krb5_state->ticket->ticket.authtime, NULL);
     841             : 
     842        1445 :                 if (!NT_STATUS_IS_OK(nt_status)) {
     843           0 :                         free(principal_string);
     844           0 :                         krb5_free_principal(context, client_principal);
     845           0 :                         talloc_free(tmp_ctx);
     846           0 :                         return nt_status;
     847             :                 }
     848             : 
     849        1445 :                 pac_blob_ptr = &pac_blob;
     850             :         }
     851             : 
     852        1445 :         nt_status = gensec_generate_session_info_pac(tmp_ctx,
     853             :                                                      gensec_security,
     854             :                                                      gensec_krb5_state->smb_krb5_context,
     855             :                                                      pac_blob_ptr, principal_string,
     856             :                                                      gensec_get_remote_address(gensec_security),
     857             :                                                      &session_info);
     858             : 
     859        1445 :         free(principal_string);
     860        1445 :         krb5_free_principal(context, client_principal);
     861             : 
     862        1445 :         if (!NT_STATUS_IS_OK(nt_status)) {
     863           0 :                 talloc_free(tmp_ctx);
     864           0 :                 return nt_status;
     865             :         }
     866             : 
     867        1445 :         nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key);
     868             : 
     869        1445 :         if (!NT_STATUS_IS_OK(nt_status)) {
     870           0 :                 talloc_free(tmp_ctx);
     871           0 :                 return nt_status;
     872             :         }
     873             : 
     874        1445 :         *_session_info = talloc_steal(mem_ctx, session_info);
     875             : 
     876        1445 :         talloc_free(tmp_ctx);
     877        1445 :         return NT_STATUS_OK;
     878             : }
     879             : #else /* MIT KERBEROS */
     880          10 : static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
     881             :                                          TALLOC_CTX *mem_ctx,
     882             :                                          struct auth_session_info **psession_info)
     883             : {
     884          10 :         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
     885          10 :         struct gensec_krb5_state *gensec_krb5_state =
     886             :                 (struct gensec_krb5_state *)gensec_security->private_data;
     887          10 :         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
     888          10 :         struct auth_session_info *session_info = NULL;
     889             : 
     890             :         krb5_principal client_principal;
     891          10 :         char *principal_string = NULL;
     892             : 
     893          10 :         krb5_authdata **auth_pac_data = NULL;
     894          10 :         DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
     895             : 
     896             :         krb5_error_code code;
     897             : 
     898             :         TALLOC_CTX *tmp_ctx;
     899             : 
     900          10 :         tmp_ctx = talloc_new(mem_ctx);
     901          10 :         if (tmp_ctx == NULL) {
     902           0 :                 return NT_STATUS_NO_MEMORY;
     903             :         }
     904             : 
     905          10 :         code = krb5_copy_principal(context,
     906          10 :                                    gensec_krb5_state->ticket->enc_part2->client,
     907             :                                    &client_principal);
     908          10 :         if (code != 0) {
     909           0 :                 DBG_INFO("krb5_copy_principal failed to copy client "
     910             :                          "principal: %s\n",
     911             :                          smb_get_krb5_error_message(context, code, tmp_ctx));
     912           0 :                 talloc_free(tmp_ctx);
     913           0 :                 return NT_STATUS_NO_MEMORY;
     914             :         }
     915             : 
     916          10 :         code = krb5_unparse_name(context, client_principal, &principal_string);
     917          10 :         if (code != 0) {
     918           0 :                 DBG_WARNING("Unable to parse client principal: %s\n",
     919             :                             smb_get_krb5_error_message(context, code, tmp_ctx));
     920           0 :                 krb5_free_principal(context, client_principal);
     921           0 :                 talloc_free(tmp_ctx);
     922           0 :                 return NT_STATUS_NO_MEMORY;
     923             :         }
     924             : 
     925          10 :         code = krb5_find_authdata(context,
     926          10 :                                   gensec_krb5_state->ticket->enc_part2->authorization_data,
     927             :                                   NULL,
     928             :                                   KRB5_AUTHDATA_WIN2K_PAC,
     929             :                                   &auth_pac_data);
     930          10 :         if (code != 0) {
     931             :                 /* NO pac */
     932           0 :                 DBG_INFO("krb5_find_authdata failed to find PAC: %s\n",
     933             :                          smb_get_krb5_error_message(context, code, tmp_ctx));
     934             :         } else {
     935          10 :                 krb5_timestamp ticket_authtime =
     936          10 :                         gensec_krb5_state->ticket->enc_part2->times.authtime;
     937             : 
     938             :                 /* Found pac */
     939          10 :                 pac_blob = data_blob_talloc(tmp_ctx,
     940             :                                             auth_pac_data[0]->contents,
     941             :                                             auth_pac_data[0]->length);
     942          10 :                 krb5_free_authdata(context, auth_pac_data);
     943          10 :                 if (pac_blob.data == NULL) {
     944           0 :                         free(principal_string);
     945           0 :                         krb5_free_principal(context, client_principal);
     946           0 :                         talloc_free(tmp_ctx);
     947           0 :                         return NT_STATUS_NO_MEMORY;
     948             :                 }
     949             : 
     950             :                 /* decode and verify the pac */
     951          20 :                 status = kerberos_decode_pac(gensec_krb5_state,
     952             :                                              pac_blob,
     953             :                                              context,
     954             :                                              NULL,
     955          10 :                                              gensec_krb5_state->keyblock,
     956             :                                              client_principal,
     957             :                                              ticket_authtime,
     958             :                                              NULL);
     959             : 
     960          10 :                 if (!NT_STATUS_IS_OK(status)) {
     961           0 :                         free(principal_string);
     962           0 :                         krb5_free_principal(context, client_principal);
     963           0 :                         talloc_free(tmp_ctx);
     964           0 :                         return status;
     965             :                 }
     966             : 
     967          10 :                 pac_blob_ptr = &pac_blob;
     968             :         }
     969          10 :         krb5_free_principal(context, client_principal);
     970             : 
     971          10 :         status = gensec_generate_session_info_pac(tmp_ctx,
     972             :                                                   gensec_security,
     973             :                                                   gensec_krb5_state->smb_krb5_context,
     974             :                                                   pac_blob_ptr,
     975             :                                                   principal_string,
     976             :                                                   gensec_get_remote_address(gensec_security),
     977             :                                                   &session_info);
     978          10 :         SAFE_FREE(principal_string);
     979          10 :         if (!NT_STATUS_IS_OK(status)) {
     980           0 :                 talloc_free(tmp_ctx);
     981           0 :                 return status;
     982             :         }
     983             : 
     984          10 :         status = gensec_krb5_session_key(gensec_security,
     985             :                                          session_info,
     986          10 :                                          &session_info->session_key);
     987          10 :         if (!NT_STATUS_IS_OK(status)) {
     988           0 :                 talloc_free(tmp_ctx);
     989           0 :                 return status;
     990             :         }
     991             : 
     992          10 :         *psession_info = talloc_steal(mem_ctx, session_info);
     993          10 :         talloc_free(tmp_ctx);
     994             : 
     995          10 :         return NT_STATUS_OK;
     996             : }
     997             : #endif /* SAMBA4_USES_HEIMDAL */
     998             : 
     999          41 : static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security, 
    1000             :                                    TALLOC_CTX *mem_ctx, 
    1001             :                                    const DATA_BLOB *in, 
    1002             :                                    DATA_BLOB *out)
    1003             : {
    1004          41 :         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
    1005          41 :         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
    1006          41 :         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
    1007             :         krb5_error_code ret;
    1008             :         krb5_data input, output;
    1009          41 :         input.length = in->length;
    1010          41 :         input.data = (char *)in->data;
    1011             :         
    1012          41 :         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
    1013          41 :                 ret = krb5_mk_priv(context, auth_context, &input, &output, NULL);
    1014          41 :                 if (ret) {
    1015           0 :                         DEBUG(1, ("krb5_mk_priv failed: %s\n", 
    1016             :                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
    1017             :                                                              ret, mem_ctx)));
    1018           0 :                         return NT_STATUS_ACCESS_DENIED;
    1019             :                 }
    1020          41 :                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
    1021             :                 
    1022          41 :                 smb_krb5_free_data_contents(context, &output);
    1023             :         } else {
    1024           0 :                 return NT_STATUS_ACCESS_DENIED;
    1025             :         }
    1026          41 :         return NT_STATUS_OK;
    1027             : }
    1028             : 
    1029          41 : static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security, 
    1030             :                                      TALLOC_CTX *mem_ctx, 
    1031             :                                      const DATA_BLOB *in, 
    1032             :                                      DATA_BLOB *out)
    1033             : {
    1034          41 :         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
    1035          41 :         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
    1036          41 :         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
    1037             :         krb5_error_code ret;
    1038             :         krb5_data input, output;
    1039             :         krb5_replay_data replay;
    1040          41 :         input.length = in->length;
    1041          41 :         input.data = (char *)in->data;
    1042             :         
    1043          41 :         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
    1044          41 :                 ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
    1045          41 :                 if (ret) {
    1046           0 :                         DEBUG(1, ("krb5_rd_priv failed: %s\n", 
    1047             :                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
    1048             :                                                              ret, mem_ctx)));
    1049           0 :                         return NT_STATUS_ACCESS_DENIED;
    1050             :                 }
    1051          41 :                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
    1052             :                 
    1053          41 :                 smb_krb5_free_data_contents(context, &output);
    1054             :         } else {
    1055           0 :                 return NT_STATUS_ACCESS_DENIED;
    1056             :         }
    1057          41 :         return NT_STATUS_OK;
    1058             : }
    1059             : 
    1060        2395 : static bool gensec_krb5_have_feature(struct gensec_security *gensec_security,
    1061             :                                      uint32_t feature)
    1062             : {
    1063        2395 :         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
    1064        2395 :         if (feature & GENSEC_FEATURE_SESSION_KEY) {
    1065         388 :                 return true;
    1066             :         } 
    1067        2007 :         if (gensec_krb5_state->gssapi) {
    1068         388 :                 return false;
    1069             :         }
    1070             : 
    1071             :         /*
    1072             :          * krb5_mk_priv provides SIGN and SEAL
    1073             :          */
    1074        1619 :         if (feature & GENSEC_FEATURE_SIGN) {
    1075          41 :                 return true;
    1076             :         }
    1077        1578 :         if (feature & GENSEC_FEATURE_SEAL) {
    1078        1578 :                 return true;
    1079             :         }
    1080             : 
    1081           0 :         return false;
    1082             : }
    1083             : 
    1084        1455 : static const char *gensec_krb5_final_auth_type(struct gensec_security *gensec_security)
    1085             : {
    1086        1455 :         return GENSEC_FINAL_AUTH_TYPE_KRB5;
    1087             : }
    1088             : 
    1089             : static const char *gensec_krb5_oids[] = { 
    1090             :         GENSEC_OID_KERBEROS5,
    1091             :         GENSEC_OID_KERBEROS5_OLD,
    1092             :         NULL 
    1093             : };
    1094             : 
    1095             : static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
    1096             :         .name           = "fake_gssapi_krb5",
    1097             :         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
    1098             :         .oid            = gensec_krb5_oids,
    1099             :         .client_start   = gensec_fake_gssapi_krb5_client_start,
    1100             :         .server_start   = gensec_fake_gssapi_krb5_server_start,
    1101             :         .update_send    = gensec_krb5_update_send,
    1102             :         .update_recv    = gensec_krb5_update_recv,
    1103             :         .magic          = gensec_magic_check_krb5_oid,
    1104             :         .session_key    = gensec_krb5_session_key,
    1105             :         .session_info   = gensec_krb5_session_info,
    1106             :         .have_feature   = gensec_krb5_have_feature,
    1107             :         .final_auth_type = gensec_krb5_final_auth_type,
    1108             :         .enabled        = false,
    1109             :         .kerberos       = true,
    1110             :         .priority       = GENSEC_KRB5,
    1111             : };
    1112             : 
    1113             : static const struct gensec_security_ops gensec_krb5_security_ops = {
    1114             :         .name           = "krb5",
    1115             :         .client_start   = gensec_krb5_client_start,
    1116             :         .server_start   = gensec_krb5_server_start,
    1117             :         .update_send    = gensec_krb5_update_send,
    1118             :         .update_recv    = gensec_krb5_update_recv,
    1119             :         .session_key    = gensec_krb5_session_key,
    1120             :         .session_info   = gensec_krb5_session_info,
    1121             :         .have_feature   = gensec_krb5_have_feature,
    1122             :         .wrap           = gensec_krb5_wrap,
    1123             :         .unwrap         = gensec_krb5_unwrap,
    1124             :         .final_auth_type = gensec_krb5_final_auth_type,
    1125             :         .enabled        = true,
    1126             :         .kerberos       = true,
    1127             :         .priority       = GENSEC_KRB5
    1128             : };
    1129             : 
    1130       15356 : _PUBLIC_ NTSTATUS gensec_krb5_init(TALLOC_CTX *ctx)
    1131             : {
    1132             :         NTSTATUS ret;
    1133             : 
    1134       15356 :         ret = gensec_register(ctx, &gensec_krb5_security_ops);
    1135       15356 :         if (!NT_STATUS_IS_OK(ret)) {
    1136           0 :                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
    1137             :                         gensec_krb5_security_ops.name));
    1138           0 :                 return ret;
    1139             :         }
    1140             : 
    1141       15356 :         ret = gensec_register(ctx, &gensec_fake_gssapi_krb5_security_ops);
    1142       15356 :         if (!NT_STATUS_IS_OK(ret)) {
    1143           0 :                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
    1144             :                         gensec_fake_gssapi_krb5_security_ops.name));
    1145           0 :                 return ret;
    1146             :         }
    1147             : 
    1148       15356 :         return ret;
    1149             : }

Generated by: LCOV version 1.13