s3-dcerpc: Add sign/seal with gssapi

3 files changed, 318 insertions, 0 deletions

diff --git a/source3/librpc/rpc/dcerpc_gssapi.c b/source3/librpc/rpc/dcerpc_gssapi.c
index d415369207..8c0ad6a8b3 100644
--- a/source3/librpc/rpc/dcerpc_gssapi.c
+++ b/source3/librpc/rpc/dcerpc_gssapi.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include <gssapi/gssapi.h>
 #include <gssapi/gssapi_krb5.h>
+#include <gssapi/gssapi_ext.h>
 #include "dcerpc_gssapi.h"
 
 #ifdef HAVE_GSSAPI_H
@@ -413,3 +414,224 @@ DATA_BLOB gse_get_session_key(struct gse_context *gse_ctx)
 }
 
 #endif /* HAVE_GSSAPI_H */
+
+#ifdef HAVE_GSS_WRAP_IOV
+
+size_t gse_get_signature_length(struct gse_context *gse_ctx,
+				int seal, size_t payload_size)
+{
+	OM_uint32 gss_min, gss_maj;
+	gss_iov_buffer_desc iov[2];
+	uint8_t fakebuf[payload_size];
+	int sealed;
+
+	iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+	iov[0].buffer.value = NULL;
+	iov[0].buffer.length = 0;
+	iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+	iov[1].buffer.value = fakebuf;
+	iov[1].buffer.length = payload_size;
+
+	gss_maj = gss_wrap_iov_length(&gss_min, gse_ctx->gss_ctx,
+					seal, GSS_C_QOP_DEFAULT,
+					&sealed, iov, 2);
+	if (gss_maj) {
+		DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
+			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
+		return 0;
+	}
+
+	return iov[0].buffer.length;
+}
+
+NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		  DATA_BLOB *data, DATA_BLOB *signature)
+{
+	OM_uint32 gss_min, gss_maj;
+	gss_iov_buffer_desc iov[2];
+	int req_seal = 1; /* setting to 1 means we request sign+seal */
+	int sealed;
+	NTSTATUS status;
+
+	/* allocate the memory ourselves so we do not need to talloc_memdup */
+	signature->length = gse_get_signature_length(gse_ctx, 1, data->length);
+	if (!signature->length) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	signature->data = talloc_size(mem_ctx, signature->length);
+	if (!signature->data) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+	iov[0].buffer.value = signature->data;
+	iov[0].buffer.length = signature->length;
+
+	/* data is encrypted in place, which is ok */
+	iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+	iov[1].buffer.value = data->data;
+	iov[1].buffer.length = data->length;
+
+	gss_maj = gss_wrap_iov(&gss_min, gse_ctx->gss_ctx,
+				req_seal, GSS_C_QOP_DEFAULT,
+				&sealed, iov, 2);
+	if (gss_maj) {
+		DEBUG(0, ("gss_wrap_iov failed with [%s]\n",
+			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
+		status = NT_STATUS_ACCESS_DENIED;
+		goto done;
+	}
+
+	if (!sealed) {
+		DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
+		status = NT_STATUS_ACCESS_DENIED;
+		goto done;
+	}
+
+	status = NT_STATUS_OK;
+
+	DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
+		   (int)iov[1].buffer.length, (int)iov[0].buffer.length));
+
+done:
+	return status;
+}
+
+NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		    DATA_BLOB *data, DATA_BLOB *signature)
+{
+	OM_uint32 gss_min, gss_maj;
+	gss_iov_buffer_desc iov[2];
+	int sealed;
+	NTSTATUS status;
+
+	iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+	iov[0].buffer.value = signature->data;
+	iov[0].buffer.length = signature->length;
+
+	/* data is decrypted in place, which is ok */
+	iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+	iov[1].buffer.value = data->data;
+	iov[1].buffer.length = data->length;
+
+	gss_maj = gss_unwrap_iov(&gss_min, gse_ctx->gss_ctx,
+				 &sealed, NULL, iov, 2);
+	if (gss_maj) {
+		DEBUG(0, ("gss_unwrap_iov failed with [%s]\n",
+			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
+		status = NT_STATUS_ACCESS_DENIED;
+		goto done;
+	}
+
+	if (!sealed) {
+		DEBUG(0, ("gss_unwrap_iov says data is not sealed!\n"));
+		status = NT_STATUS_ACCESS_DENIED;
+		goto done;
+	}
+
+	status = NT_STATUS_OK;
+
+	DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
+		   (int)iov[1].buffer.length, (int)iov[0].buffer.length));
+
+done:
+	return status;
+}
+
+NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		  DATA_BLOB *data, DATA_BLOB *signature)
+{
+	OM_uint32 gss_min, gss_maj;
+	gss_buffer_desc in_data = { 0, NULL };
+	gss_buffer_desc out_data = { 0, NULL};
+	NTSTATUS status;
+
+	in_data.value = data->data;
+	in_data.length = data->length;
+
+	gss_maj = gss_get_mic(&gss_min, gse_ctx->gss_ctx,
+			      GSS_C_QOP_DEFAULT,
+			      &in_data, &out_data);
+	if (gss_maj) {
+		DEBUG(0, ("gss_get_mic failed with [%s]\n",
+			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
+		status = NT_STATUS_ACCESS_DENIED;
+		goto done;
+	}
+
+	*signature = data_blob_talloc(mem_ctx,
+					out_data.value, out_data.length);
+	if (!signature->data) {
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	status = NT_STATUS_OK;
+
+done:
+	if (out_data.value) {
+		gss_maj = gss_release_buffer(&gss_min, &out_data);
+	}
+	return status;
+}
+
+NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		      DATA_BLOB *data, DATA_BLOB *signature)
+{
+	OM_uint32 gss_min, gss_maj;
+	gss_buffer_desc in_data = { 0, NULL };
+	gss_buffer_desc in_token = { 0, NULL};
+	NTSTATUS status;
+
+	in_data.value = data->data;
+	in_data.length = data->length;
+	in_token.value = signature->data;
+	in_token.length = signature->length;
+
+	gss_maj = gss_verify_mic(&gss_min, gse_ctx->gss_ctx,
+				 &in_data, &in_token, NULL);
+	if (gss_maj) {
+		DEBUG(0, ("gss_verify_mic failed with [%s]\n",
+			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
+		status = NT_STATUS_ACCESS_DENIED;
+		goto done;
+	}
+
+	status = NT_STATUS_OK;
+
+done:
+	return status;
+}
+
+#else /* HAVE_GSS_WRAP_IOV */
+
+size_t gse_get_signature_length(struct gse_context *gse_ctx,
+				int seal, size_t payload_size)
+{
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		  DATA_BLOB *data, DATA_BLOB *signature)
+{
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		    DATA_BLOB *data, DATA_BLOB *signature)
+{
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		  DATA_BLOB *data, DATA_BLOB *signature)
+{
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		      DATA_BLOB *data, DATA_BLOB *signature)
+{
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+#endif /* HAVE_GSS_WRAP_IOV */
diff --git a/source3/librpc/rpc/dcerpc_gssapi.h b/source3/librpc/rpc/dcerpc_gssapi.h
index ea44e9e383..6367990ac1 100644
--- a/source3/librpc/rpc/dcerpc_gssapi.h
+++ b/source3/librpc/rpc/dcerpc_gssapi.h
@@ -45,4 +45,14 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 bool gse_require_more_processing(struct gse_context *gse_ctx);
 DATA_BLOB gse_get_session_key(struct gse_context *gse_ctx);
 
+size_t gse_get_signature_length(struct gse_context *gse_ctx,
+				int seal, size_t payload_size);
+NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		  DATA_BLOB *data, DATA_BLOB *signature);
+NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		    DATA_BLOB *data, DATA_BLOB *signature);
+NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		  DATA_BLOB *data, DATA_BLOB *signature);
+NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
+		      DATA_BLOB *data, DATA_BLOB *signature);
 #endif /* _CLI_PIPE_GSSAPI_H_ */
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index be076d8645..4dc3d7f81f 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -26,6 +26,7 @@
 #include "../libcli/auth/spnego.h"
 #include "../libcli/auth/ntlmssp.h"
 #include "ntlmssp_wrap.h"
+#include "librpc/rpc/dcerpc_gssapi.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_PARSE
@@ -371,6 +372,55 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
 	return NT_STATUS_OK;
 }
 
+/*******************************************************************
+ Create and add the gssapi sign/seal auth data.
+ ********************************************************************/
+
+static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
+					enum dcerpc_AuthLevel auth_level,
+					DATA_BLOB *rpc_out)
+{
+	DATA_BLOB data;
+	DATA_BLOB auth_blob;
+	NTSTATUS status;
+
+	if (!gse_ctx) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
+	data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
+					- DCERPC_AUTH_TRAILER_LENGTH;
+
+	switch (auth_level) {
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+		status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
+		break;
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
+		break;
+	default:
+		status = NT_STATUS_INTERNAL_ERROR;
+		break;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("Failed to process packet: %s\n",
+			  nt_errstr(status)));
+		return status;
+	}
+
+	/* Finally attach the blob. */
+	if (!data_blob_append(NULL, rpc_out,
+				auth_blob.data, auth_blob.length)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	data_blob_free(&auth_blob);
+
+	return NT_STATUS_OK;
+}
+
 /**
 * @brief   Append an auth footer according to what is the current mechanism
 *
@@ -443,6 +493,11 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 						  auth->auth_level,
 						  rpc_out);
 		break;
+	case DCERPC_AUTH_TYPE_KRB5:
+		status = add_gssapi_auth_footer(auth->a_u.gssapi_state,
+						auth->auth_level,
+						rpc_out);
+		break;
 	default:
 		status = NT_STATUS_INVALID_PARAMETER;
 		break;
@@ -617,6 +672,37 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 		}
 		break;
 
+	case DCERPC_AUTH_TYPE_KRB5:
+
+		DEBUG(10, ("KRB5 auth\n"));
+
+		switch (auth->auth_level) {
+		case DCERPC_AUTH_LEVEL_PRIVACY:
+			status = gse_unseal(pkt, auth->a_u.gssapi_state,
+					    &data, &auth_info.credentials);
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
+			}
+			memcpy(pkt_trailer->data, data.data, data.length);
+			break;
+
+		case DCERPC_AUTH_LEVEL_INTEGRITY:
+			/* TODO: pass in full_pkt when
+			 * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
+			status = gse_sigcheck(pkt, auth->a_u.gssapi_state,
+					      &data, &auth_info.credentials);
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
+			}
+			break;
+
+		default:
+			DEBUG(0, ("Invalid auth level, "
+				  "failed to process packet auth.\n"));
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+		break;
+
 	default:
 		DEBUG(0, ("process_request_pdu: "
 			  "unknown auth type %u set.\n",