/src/samba/auth/kerberos/gssapi_pac.c

Source
/*
   Unix SMB/CIFS implementation.
   kerberos authorization data (PAC) utility library
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011
   Copyright (C) Simo Sorce 2010.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH

#ifdef HAVE_KRB5

#include "auth/kerberos/pac_utils.h"

#if 0
/* FIXME - need proper configure/waf test
 * to determine if gss_mech_krb5 and friends
 * exist. JRA.
 */
/*
 * These are not exported by Solaris -lkrb5
 * Maybe move to libreplace somewhere?
 */
static const gss_OID_desc krb5_gss_oid_array[] = {
  /* this is the official, rfc-specified OID */
  { 9, "\052\206\110\206\367\022\001\002\002" },
  /* this is the pre-RFC mech OID */
  { 5, "\053\005\001\005\002" },
  /* this is the unofficial, incorrect mech OID emitted by MS */
  { 9, "\052\206\110\202\367\022\001\002\002" },
  { 0, 0 }
};

const gss_OID_desc * const gss_mech_krb5              = krb5_gss_oid_array+0;
const gss_OID_desc * const gss_mech_krb5_old          = krb5_gss_oid_array+1;
const gss_OID_desc * const gss_mech_krb5_wrong        = krb5_gss_oid_array+2;
#endif

#ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
#endif

gss_OID_desc gse_sesskey_inq_oid = {
  GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH,
  discard_const(GSS_KRB5_INQ_SSPI_SESSION_KEY_OID)
};

#ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID
#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID  "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
#endif

gss_OID_desc gse_sesskeytype_oid = {
  GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
  discard_const(GSS_KRB5_SESSION_KEY_ENCTYPE_OID)
};

/* The Heimdal OID for getting the PAC */
#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8
/*                          EXTRACTION OID       AUTHZ ID */
#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x85\x70\x2b\x0d\x03" "\x81\x00"

NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
        gss_ctx_id_t gssapi_context,
        gss_name_t gss_client_name,
        DATA_BLOB *pac_blob)
{
  NTSTATUS status;
  OM_uint32 gss_maj, gss_min;
#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
/*
 * gss_get_name_attribute() in MIT krb5 1.10.0 can return uninitialized pac_display_buffer
 * and later gss_release_buffer() will crash on attempting to release it.
 *
 * So always initialize the buffer descriptors.
 *
 * See following links for more details:
 * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
 * http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
 */
  gss_buffer_desc pac_buffer = {
    .value = NULL,
    .length = 0
  };
  gss_buffer_desc pac_display_buffer = {
    .value = NULL,
    .length = 0
  };
  gss_buffer_desc pac_name = {
    .value = discard_const("urn:mspac:"),
    .length = sizeof("urn:mspac:")-1
  };
  int more = -1;
  int authenticated = false;
  int complete = false;

  gss_maj = gss_get_name_attribute(
    &gss_min, gss_client_name, &pac_name,
    &authenticated, &complete,
    &pac_buffer, &pac_display_buffer, &more);

  if (gss_maj != 0) {
    gss_OID oid = discard_const(gss_mech_krb5);
    DBG_NOTICE("obtaining PAC via GSSAPI gss_get_name_attribute "
         "failed: %s\n", gssapi_error_string(mem_ctx,
                     gss_maj, gss_min,
                     oid));
    return NT_STATUS_ACCESS_DENIED;
  } else if (authenticated && complete) {
    /* The PAC blob is returned directly */
    *pac_blob = data_blob_talloc(mem_ctx, pac_buffer.value,
              pac_buffer.length);

    if (!pac_blob->data) {
      status = NT_STATUS_NO_MEMORY;
    } else {
      status = NT_STATUS_OK;
    }

    gss_release_buffer(&gss_min, &pac_buffer);
    gss_release_buffer(&gss_min, &pac_display_buffer);
    return status;
  } else {
    DEBUG(0, ("obtaining PAC via GSSAPI failed: authenticated: %s, complete: %s, more: %s\n",
        authenticated ? "true" : "false",
        complete ? "true" : "false",
        more ? "true" : "false"));
    return NT_STATUS_ACCESS_DENIED;
  }

#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
  gss_OID_desc pac_data_oid = {
    .elements = discard_const(EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID),
    .length = EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH
  };

  gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;

  /* If we didn't have the routine to get a verified, validated
   * PAC (supplied only by MIT at the time of writing), then try
   * with the Heimdal OID (fetches the PAC directly and always
   * validates) */
  gss_maj = gss_inquire_sec_context_by_oid(
        &gss_min, gssapi_context,
        &pac_data_oid, &set);

  /* First check for the error MIT gives for an unknown OID */
  if (gss_maj == GSS_S_UNAVAILABLE) {
    DEBUG(1, ("unable to obtain a PAC against this GSSAPI library.  "
        "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
  } else if (gss_maj != 0) {
    DEBUG(2, ("obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: %s\n",
        gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
  } else {
    if (set == GSS_C_NO_BUFFER_SET) {
      DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
          "data in results.\n"));
      return NT_STATUS_INTERNAL_ERROR;
    }

    /* The PAC blob is returned directly */
    *pac_blob = data_blob_talloc(mem_ctx, set->elements[0].value,
              set->elements[0].length);
    if (!pac_blob->data) {
      status = NT_STATUS_NO_MEMORY;
    } else {
      status = NT_STATUS_OK;
    }

    gss_maj = gss_release_buffer_set(&gss_min, &set);
    return status;
  }
#else
  DEBUG(1, ("unable to obtain a PAC against this GSSAPI library.  "
      "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
#endif
  return NT_STATUS_ACCESS_DENIED;
}

NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
        gss_ctx_id_t gssapi_context,
        DATA_BLOB *session_key, 
        uint32_t *keytype)
{
  OM_uint32 gss_min, gss_maj;
  gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;

  gss_maj = gss_inquire_sec_context_by_oid(
        &gss_min, gssapi_context,
        &gse_sesskey_inq_oid, &set);
  if (gss_maj) {
    DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
        gssapi_error_string(mem_ctx,
                gss_maj,
                gss_min,
                discard_const_p(struct gss_OID_desc_struct,
                    gss_mech_krb5))));
    return NT_STATUS_NO_USER_SESSION_KEY;
  }

  if ((set == GSS_C_NO_BUFFER_SET) ||
      (set->count == 0)) {
#ifdef HAVE_GSSKRB5_GET_SUBKEY
    krb5_keyblock *subkey;
    gss_maj = gsskrb5_get_subkey(&gss_min,
               gssapi_context,
               &subkey);
    if (gss_maj != 0) {
      DEBUG(1, ("NO session key for this mech\n"));
      return NT_STATUS_NO_USER_SESSION_KEY;
    }
    if (session_key) {
      *session_key = data_blob_talloc(mem_ctx,
              KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
    }
    if (keytype) {
      *keytype = KRB5_KEY_TYPE(subkey);
    }
    krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
    return NT_STATUS_OK;
#else
    DEBUG(0, ("gss_inquire_sec_context_by_oid didn't return any session key (and no alternative method available)\n"));
    return NT_STATUS_NO_USER_SESSION_KEY;
#endif
  }

  if (session_key) {
    *session_key = data_blob_talloc(mem_ctx, set->elements[0].value,
            set->elements[0].length);
  }

  if (keytype) {
    int diflen, i;
    const uint8_t *p;

    *keytype = 0;
    if (set->count < 2) {

#ifdef HAVE_GSSKRB5_GET_SUBKEY
      krb5_keyblock *subkey;
      gss_maj = gsskrb5_get_subkey(&gss_min,
                 gssapi_context,
                 &subkey);
      if (gss_maj == 0) {
        *keytype = KRB5_KEY_TYPE(subkey);
        krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
      }
#endif
      gss_release_buffer_set(&gss_min, &set);
  
      return NT_STATUS_OK;

    } else if (memcmp(set->elements[1].value,
          gse_sesskeytype_oid.elements,
          gse_sesskeytype_oid.length) != 0) {
      /* Perhaps a non-krb5 session key */
      gss_release_buffer_set(&gss_min, &set);
      return NT_STATUS_OK;
    }
    p = (const uint8_t *)set->elements[1].value + gse_sesskeytype_oid.length;
    diflen = set->elements[1].length - gse_sesskeytype_oid.length;
    if (diflen <= 0) {
      gss_release_buffer_set(&gss_min, &set);
      return NT_STATUS_INVALID_PARAMETER;
    }
    for (i = 0; i < diflen; i++) {
      *keytype = (*keytype << 7) | (p[i] & 0x7f);
      if (i + 1 != diflen && (p[i] & 0x80) == 0) {
        gss_release_buffer_set(&gss_min, &set);
        return NT_STATUS_INVALID_PARAMETER;
      }
    }
  }

  gss_release_buffer_set(&gss_min, &set);
  return NT_STATUS_OK;
}


char *gssapi_error_string(TALLOC_CTX *mem_ctx,
        OM_uint32 maj_stat, OM_uint32 min_stat,
        const gss_OID mech)
{
  OM_uint32 disp_min_stat, disp_maj_stat;
  gss_buffer_desc maj_error_message;
  gss_buffer_desc min_error_message;
  char *maj_error_string, *min_error_string;
  OM_uint32 msg_ctx = 0;

  char *ret;

  maj_error_message.value = NULL;
  min_error_message.value = NULL;
  maj_error_message.length = 0;
  min_error_message.length = 0;

  disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat,
             GSS_C_GSS_CODE, mech,
             &msg_ctx, &maj_error_message);
  if (disp_maj_stat != 0) {
    maj_error_message.value = NULL;
    maj_error_message.length = 0;
  }
  disp_maj_stat = gss_display_status(&disp_min_stat, min_stat,
             GSS_C_MECH_CODE, mech,
             &msg_ctx, &min_error_message);
  if (disp_maj_stat != 0) {
    min_error_message.value = NULL;
    min_error_message.length = 0;
  }

  maj_error_string = talloc_strndup(mem_ctx,
            (char *)maj_error_message.value,
            maj_error_message.length);

  min_error_string = talloc_strndup(mem_ctx,
            (char *)min_error_message.value,
            min_error_message.length);

  ret = talloc_asprintf(mem_ctx, "%s: %s",
        maj_error_string, min_error_string);

  talloc_free(maj_error_string);
  talloc_free(min_error_string);

  gss_release_buffer(&disp_min_stat, &maj_error_message);
  gss_release_buffer(&disp_min_stat, &min_error_message);

  return ret;
}

#endif /* HAVE_KRB5 */

Coverage Report

Created: 2025-11-16 06:57

Line	Count	Source
1		/*
2		Unix SMB/CIFS implementation.
3		kerberos authorization data (PAC) utility library
4		Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011
5		Copyright (C) Simo Sorce 2010.
6
7		This program is free software; you can redistribute it and/or modify
8		it under the terms of the GNU General Public License as published by
9		the Free Software Foundation; either version 3 of the License, or
10		(at your option) any later version.
11
12		This program is distributed in the hope that it will be useful,
13		but WITHOUT ANY WARRANTY; without even the implied warranty of
14		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15		GNU General Public License for more details.
16
17		You should have received a copy of the GNU General Public License
18		along with this program. If not, see <http://www.gnu.org/licenses/>.
19		*/
20
21		#include "includes.h"
22
23		#undef DBGC_CLASS
24	0	#define DBGC_CLASS DBGC_AUTH
25
26		#ifdef HAVE_KRB5
27
28		#include "auth/kerberos/pac_utils.h"
29
30		#if 0
31		/* FIXME - need proper configure/waf test
32		* to determine if gss_mech_krb5 and friends
33		* exist. JRA.
34		*/
35		/*
36		* These are not exported by Solaris -lkrb5
37		* Maybe move to libreplace somewhere?
38		*/
39		static const gss_OID_desc krb5_gss_oid_array[] = {
40		/* this is the official, rfc-specified OID */
41		{ 9, "\052\206\110\206\367\022\001\002\002" },
42		/* this is the pre-RFC mech OID */
43		{ 5, "\053\005\001\005\002" },
44		/* this is the unofficial, incorrect mech OID emitted by MS */
45		{ 9, "\052\206\110\202\367\022\001\002\002" },
46		{ 0, 0 }
47		};
48
49		const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0;
50		const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1;
51		const gss_OID_desc * const gss_mech_krb5_wrong = krb5_gss_oid_array+2;
52		#endif
53
54		#ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
55		#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
56		#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
57		#endif
58
59		gss_OID_desc gse_sesskey_inq_oid = {
60		GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH,
61		discard_const(GSS_KRB5_INQ_SSPI_SESSION_KEY_OID)
62		};
63
64		#ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID
65		#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
66		#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
67		#endif
68
69		gss_OID_desc gse_sesskeytype_oid = {
70		GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
71		discard_const(GSS_KRB5_SESSION_KEY_ENCTYPE_OID)
72		};
73
74		/* The Heimdal OID for getting the PAC */
75	0	#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8
76		/* EXTRACTION OID AUTHZ ID */
77		#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x85\x70\x2b\x0d\x03" "\x81\x00"
78
79		NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
80		gss_ctx_id_t gssapi_context,
81		gss_name_t gss_client_name,
82		DATA_BLOB *pac_blob)
83	0	{
84	0	NTSTATUS status;
85	0	OM_uint32 gss_maj, gss_min;
86		#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
87		/*
88		* gss_get_name_attribute() in MIT krb5 1.10.0 can return uninitialized pac_display_buffer
89		* and later gss_release_buffer() will crash on attempting to release it.
90		*
91		* So always initialize the buffer descriptors.
92		*
93		* See following links for more details:
94		* http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
95		* http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
96		*/
97		gss_buffer_desc pac_buffer = {
98		.value = NULL,
99		.length = 0
100		};
101		gss_buffer_desc pac_display_buffer = {
102		.value = NULL,
103		.length = 0
104		};
105		gss_buffer_desc pac_name = {
106		.value = discard_const("urn:mspac:"),
107		.length = sizeof("urn:mspac:")-1
108		};
109		int more = -1;
110		int authenticated = false;
111		int complete = false;
112
113		gss_maj = gss_get_name_attribute(
114		&gss_min, gss_client_name, &pac_name,
115		&authenticated, &complete,
116		&pac_buffer, &pac_display_buffer, &more);
117
118		if (gss_maj != 0) {
119		gss_OID oid = discard_const(gss_mech_krb5);
120		DBG_NOTICE("obtaining PAC via GSSAPI gss_get_name_attribute "
121		"failed: %s\n", gssapi_error_string(mem_ctx,
122		gss_maj, gss_min,
123		oid));
124		return NT_STATUS_ACCESS_DENIED;
125		} else if (authenticated && complete) {
126		/* The PAC blob is returned directly */
127		*pac_blob = data_blob_talloc(mem_ctx, pac_buffer.value,
128		pac_buffer.length);
129
130		if (!pac_blob->data) {
131		status = NT_STATUS_NO_MEMORY;
132		} else {
133		status = NT_STATUS_OK;
134		}
135
136		gss_release_buffer(&gss_min, &pac_buffer);
137		gss_release_buffer(&gss_min, &pac_display_buffer);
138		return status;
139		} else {
140		DEBUG(0, ("obtaining PAC via GSSAPI failed: authenticated: %s, complete: %s, more: %s\n",
141		authenticated ? "true" : "false",
142		complete ? "true" : "false",
143		more ? "true" : "false"));
144		return NT_STATUS_ACCESS_DENIED;
145		}
146
147		#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
148		gss_OID_desc pac_data_oid = {
149	0	.elements = discard_const(EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID),
150	0	.length = EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH
151	0	};
152
153	0	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
154
155		/* If we didn't have the routine to get a verified, validated
156		* PAC (supplied only by MIT at the time of writing), then try
157		* with the Heimdal OID (fetches the PAC directly and always
158		* validates) */
159	0	gss_maj = gss_inquire_sec_context_by_oid(
160	0	&gss_min, gssapi_context,
161	0	&pac_data_oid, &set);
162
163		/* First check for the error MIT gives for an unknown OID */
164	0	if (gss_maj == GSS_S_UNAVAILABLE) {
165	0	DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. "
166	0	"GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
167	0	} else if (gss_maj != 0) {
168	0	DEBUG(2, ("obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: %s\n",
169	0	gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
170	0	} else {
171	0	if (set == GSS_C_NO_BUFFER_SET) {
172	0	DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
173	0	"data in results.\n"));
174	0	return NT_STATUS_INTERNAL_ERROR;
175	0	}
176
177		/* The PAC blob is returned directly */
178	0	*pac_blob = data_blob_talloc(mem_ctx, set->elements[0].value,
179	0	set->elements[0].length);
180	0	if (!pac_blob->data) {
181	0	status = NT_STATUS_NO_MEMORY;
182	0	} else {
183	0	status = NT_STATUS_OK;
184	0	}
185
186	0	gss_maj = gss_release_buffer_set(&gss_min, &set);
187	0	return status;
188	0	}
189		#else
190		DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. "
191		"GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
192		#endif
193	0	return NT_STATUS_ACCESS_DENIED;
194	0	}
195
196		NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
197		gss_ctx_id_t gssapi_context,
198		DATA_BLOB *session_key,
199		uint32_t *keytype)
200	0	{
201	0	OM_uint32 gss_min, gss_maj;
202	0	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
203
204	0	gss_maj = gss_inquire_sec_context_by_oid(
205	0	&gss_min, gssapi_context,
206	0	&gse_sesskey_inq_oid, &set);
207	0	if (gss_maj) {
208	0	DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
209	0	gssapi_error_string(mem_ctx,
210	0	gss_maj,
211	0	gss_min,
212	0	discard_const_p(struct gss_OID_desc_struct,
213	0	gss_mech_krb5))));
214	0	return NT_STATUS_NO_USER_SESSION_KEY;
215	0	}
216
217	0	if ((set == GSS_C_NO_BUFFER_SET) \|\|
218	0	(set->count == 0)) {
219	0	#ifdef HAVE_GSSKRB5_GET_SUBKEY
220	0	krb5_keyblock *subkey;
221	0	gss_maj = gsskrb5_get_subkey(&gss_min,
222	0	gssapi_context,
223	0	&subkey);
224	0	if (gss_maj != 0) {
225	0	DEBUG(1, ("NO session key for this mech\n"));
226	0	return NT_STATUS_NO_USER_SESSION_KEY;
227	0	}
228	0	if (session_key) {
229	0	*session_key = data_blob_talloc(mem_ctx,
230	0	KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
231	0	}
232	0	if (keytype) {
233	0	*keytype = KRB5_KEY_TYPE(subkey);
234	0	}
235	0	krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
236	0	return NT_STATUS_OK;
237		#else
238		DEBUG(0, ("gss_inquire_sec_context_by_oid didn't return any session key (and no alternative method available)\n"));
239		return NT_STATUS_NO_USER_SESSION_KEY;
240		#endif
241	0	}
242
243	0	if (session_key) {
244	0	*session_key = data_blob_talloc(mem_ctx, set->elements[0].value,
245	0	set->elements[0].length);
246	0	}
247
248	0	if (keytype) {
249	0	int diflen, i;
250	0	const uint8_t *p;
251
252	0	*keytype = 0;
253	0	if (set->count < 2) {
254
255	0	#ifdef HAVE_GSSKRB5_GET_SUBKEY
256	0	krb5_keyblock *subkey;
257	0	gss_maj = gsskrb5_get_subkey(&gss_min,
258	0	gssapi_context,
259	0	&subkey);
260	0	if (gss_maj == 0) {
261	0	*keytype = KRB5_KEY_TYPE(subkey);
262	0	krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
263	0	}
264	0	#endif
265	0	gss_release_buffer_set(&gss_min, &set);
266
267	0	return NT_STATUS_OK;
268
269	0	} else if (memcmp(set->elements[1].value,
270	0	gse_sesskeytype_oid.elements,
271	0	gse_sesskeytype_oid.length) != 0) {
272		/* Perhaps a non-krb5 session key */
273	0	gss_release_buffer_set(&gss_min, &set);
274	0	return NT_STATUS_OK;
275	0	}
276	0	p = (const uint8_t *)set->elements[1].value + gse_sesskeytype_oid.length;
277	0	diflen = set->elements[1].length - gse_sesskeytype_oid.length;
278	0	if (diflen <= 0) {
279	0	gss_release_buffer_set(&gss_min, &set);
280	0	return NT_STATUS_INVALID_PARAMETER;
281	0	}
282	0	for (i = 0; i < diflen; i++) {
283	0	keytype = (keytype << 7) \| (p[i] & 0x7f);
284	0	if (i + 1 != diflen && (p[i] & 0x80) == 0) {
285	0	gss_release_buffer_set(&gss_min, &set);
286	0	return NT_STATUS_INVALID_PARAMETER;
287	0	}
288	0	}
289	0	}
290
291	0	gss_release_buffer_set(&gss_min, &set);
292	0	return NT_STATUS_OK;
293	0	}
294
295
296		char gssapi_error_string(TALLOC_CTX mem_ctx,
297		OM_uint32 maj_stat, OM_uint32 min_stat,
298		const gss_OID mech)
299	0	{
300	0	OM_uint32 disp_min_stat, disp_maj_stat;
301	0	gss_buffer_desc maj_error_message;
302	0	gss_buffer_desc min_error_message;
303	0	char maj_error_string, min_error_string;
304	0	OM_uint32 msg_ctx = 0;
305
306	0	char *ret;
307
308	0	maj_error_message.value = NULL;
309	0	min_error_message.value = NULL;
310	0	maj_error_message.length = 0;
311	0	min_error_message.length = 0;
312
313	0	disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat,
314	0	GSS_C_GSS_CODE, mech,
315	0	&msg_ctx, &maj_error_message);
316	0	if (disp_maj_stat != 0) {
317	0	maj_error_message.value = NULL;
318	0	maj_error_message.length = 0;
319	0	}
320	0	disp_maj_stat = gss_display_status(&disp_min_stat, min_stat,
321	0	GSS_C_MECH_CODE, mech,
322	0	&msg_ctx, &min_error_message);
323	0	if (disp_maj_stat != 0) {
324	0	min_error_message.value = NULL;
325	0	min_error_message.length = 0;
326	0	}
327
328	0	maj_error_string = talloc_strndup(mem_ctx,
329	0	(char *)maj_error_message.value,
330	0	maj_error_message.length);
331
332	0	min_error_string = talloc_strndup(mem_ctx,
333	0	(char *)min_error_message.value,
334	0	min_error_message.length);
335
336	0	ret = talloc_asprintf(mem_ctx, "%s: %s",
337	0	maj_error_string, min_error_string);
338
339	0	talloc_free(maj_error_string);
340	0	talloc_free(min_error_string);
341
342	0	gss_release_buffer(&disp_min_stat, &maj_error_message);
343	0	gss_release_buffer(&disp_min_stat, &min_error_message);
344
345	0	return ret;
346	0	}
347
348		#endif /* HAVE_KRB5 */