Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : Generic Authentication Interface
5 :
6 : Copyright (C) Andrew Tridgell 2003
7 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "system/network.h"
25 : #define TEVENT_DEPRECATED 1
26 : #include <tevent.h>
27 : #include "lib/tsocket/tsocket.h"
28 : #include "lib/util/tevent_ntstatus.h"
29 : #include "auth/gensec/gensec.h"
30 : #include "auth/gensec/gensec_internal.h"
31 : #include "librpc/gen_ndr/dcerpc.h"
32 : #include "auth/common_auth.h"
33 :
34 : #undef DBGC_CLASS
35 : #define DBGC_CLASS DBGC_AUTH
36 :
37 130826 : _PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
38 : bool full_reset)
39 : {
40 130826 : if (!gensec_security->ops->may_reset_crypto) {
41 63421 : return NT_STATUS_OK;
42 : }
43 :
44 67405 : return gensec_security->ops->may_reset_crypto(gensec_security, full_reset);
45 : }
46 :
47 : /*
48 : wrappers for the gensec function pointers
49 : */
50 699614 : _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
51 : uint8_t *data, size_t length,
52 : const uint8_t *whole_pdu, size_t pdu_length,
53 : const DATA_BLOB *sig)
54 : {
55 699614 : if (!gensec_security->ops->unseal_packet) {
56 0 : return NT_STATUS_NOT_IMPLEMENTED;
57 : }
58 699614 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
59 0 : return NT_STATUS_INVALID_PARAMETER;
60 : }
61 699614 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
62 0 : return NT_STATUS_INVALID_PARAMETER;
63 : }
64 699614 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
65 0 : return NT_STATUS_INVALID_PARAMETER;
66 : }
67 :
68 699614 : return gensec_security->ops->unseal_packet(gensec_security,
69 : data, length,
70 : whole_pdu, pdu_length,
71 : sig);
72 : }
73 :
74 213125 : _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
75 : const uint8_t *data, size_t length,
76 : const uint8_t *whole_pdu, size_t pdu_length,
77 : const DATA_BLOB *sig)
78 : {
79 213125 : if (!gensec_security->ops->check_packet) {
80 0 : return NT_STATUS_NOT_IMPLEMENTED;
81 : }
82 213125 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
83 6 : return NT_STATUS_INVALID_PARAMETER;
84 : }
85 :
86 213119 : return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
87 : }
88 :
89 699720 : _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
90 : TALLOC_CTX *mem_ctx,
91 : uint8_t *data, size_t length,
92 : const uint8_t *whole_pdu, size_t pdu_length,
93 : DATA_BLOB *sig)
94 : {
95 699720 : if (!gensec_security->ops->seal_packet) {
96 0 : return NT_STATUS_NOT_IMPLEMENTED;
97 : }
98 699720 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
99 0 : return NT_STATUS_INVALID_PARAMETER;
100 : }
101 699720 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
102 0 : return NT_STATUS_INVALID_PARAMETER;
103 : }
104 699720 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
105 0 : return NT_STATUS_INVALID_PARAMETER;
106 : }
107 :
108 699720 : return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
109 : }
110 :
111 217322 : _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
112 : TALLOC_CTX *mem_ctx,
113 : const uint8_t *data, size_t length,
114 : const uint8_t *whole_pdu, size_t pdu_length,
115 : DATA_BLOB *sig)
116 : {
117 217322 : if (!gensec_security->ops->sign_packet) {
118 0 : return NT_STATUS_NOT_IMPLEMENTED;
119 : }
120 217322 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
121 0 : return NT_STATUS_INVALID_PARAMETER;
122 : }
123 :
124 217322 : return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
125 : }
126 :
127 313939 : _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
128 : {
129 313939 : if (!gensec_security->ops->sig_size) {
130 1047 : return 0;
131 : }
132 312878 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
133 322 : return 0;
134 : }
135 312556 : if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
136 182184 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
137 0 : return 0;
138 : }
139 : }
140 :
141 312556 : return gensec_security->ops->sig_size(gensec_security, data_size);
142 : }
143 :
144 104024 : _PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
145 : {
146 104024 : if (!gensec_security->ops->max_wrapped_size) {
147 17521 : return (1 << 17);
148 : }
149 :
150 86503 : return gensec_security->ops->max_wrapped_size(gensec_security);
151 : }
152 :
153 104024 : _PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
154 : {
155 104024 : if (!gensec_security->ops->max_input_size) {
156 17521 : return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
157 : }
158 :
159 86503 : return gensec_security->ops->max_input_size(gensec_security);
160 : }
161 :
162 2952152 : _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
163 : TALLOC_CTX *mem_ctx,
164 : const DATA_BLOB *in,
165 : DATA_BLOB *out)
166 : {
167 2952152 : if (!gensec_security->ops->wrap) {
168 0 : return NT_STATUS_NOT_IMPLEMENTED;
169 : }
170 2952152 : return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
171 : }
172 :
173 2951600 : _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
174 : TALLOC_CTX *mem_ctx,
175 : const DATA_BLOB *in,
176 : DATA_BLOB *out)
177 : {
178 2951600 : if (!gensec_security->ops->unwrap) {
179 0 : return NT_STATUS_NOT_IMPLEMENTED;
180 : }
181 2951600 : return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
182 : }
183 :
184 77515 : _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
185 : TALLOC_CTX *mem_ctx,
186 : DATA_BLOB *session_key)
187 : {
188 77515 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
189 0 : return NT_STATUS_NO_USER_SESSION_KEY;
190 : }
191 :
192 77515 : if (!gensec_security->ops->session_key) {
193 0 : return NT_STATUS_NOT_IMPLEMENTED;
194 : }
195 :
196 77515 : return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
197 : }
198 :
199 172959 : const char *gensec_final_auth_type(struct gensec_security *gensec_security)
200 : {
201 172959 : if (!gensec_security->ops->final_auth_type) {
202 3078 : return gensec_security->ops->name;
203 : }
204 :
205 169881 : return gensec_security->ops->final_auth_type(gensec_security);
206 : }
207 :
208 : /*
209 : * Log details of a successful GENSEC authorization to a service.
210 : *
211 : * Only successful authorizations are logged, as only these call gensec_session_info()
212 : *
213 : * The service may later refuse authorization due to an ACL.
214 : *
215 : */
216 69913 : static void log_successful_gensec_authz_event(struct gensec_security *gensec_security,
217 : struct auth_session_info *session_info)
218 : {
219 1372 : const struct tsocket_address *remote
220 69913 : = gensec_get_remote_address(gensec_security);
221 1372 : const struct tsocket_address *local
222 69913 : = gensec_get_local_address(gensec_security);
223 1372 : const char *service_description
224 69913 : = gensec_get_target_service_description(gensec_security);
225 1372 : const char *final_auth_type
226 69913 : = gensec_final_auth_type(gensec_security);
227 69913 : const char *transport_protection = NULL;
228 69913 : if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
229 32241 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
230 36846 : } else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
231 125 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
232 36721 : } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
233 32104 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL;
234 4232 : } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
235 3299 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN;
236 : } else {
237 780 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
238 : }
239 69913 : log_successful_authz_event(gensec_security->auth_context->msg_ctx,
240 69913 : gensec_security->auth_context->lp_ctx,
241 : remote, local,
242 : service_description,
243 : final_auth_type,
244 : transport_protection,
245 : session_info,
246 : NULL /* client_audit_info */,
247 : NULL /* server_audit_info */);
248 69913 : }
249 :
250 :
251 : /**
252 : * Return the credentials of a logged on user, including session keys
253 : * etc.
254 : *
255 : * Only valid after a successful authentication
256 : *
257 : * May only be called once per authentication. This will also make an
258 : * authorization log entry, as it is already called by all the
259 : * callers.
260 : *
261 : */
262 :
263 135145 : _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
264 : TALLOC_CTX *mem_ctx,
265 : struct auth_session_info **session_info)
266 : {
267 2416 : NTSTATUS status;
268 135145 : if (!gensec_security->ops->session_info) {
269 0 : return NT_STATUS_NOT_IMPLEMENTED;
270 : }
271 135145 : status = gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
272 :
273 135145 : if (NT_STATUS_IS_OK(status) && !gensec_security->subcontext
274 70009 : && (gensec_security->want_features & GENSEC_FEATURE_NO_AUTHZ_LOG) == 0) {
275 69913 : log_successful_gensec_authz_event(gensec_security, *session_info);
276 : }
277 :
278 135145 : return status;
279 : }
280 :
281 446 : _PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
282 : uint32_t max_update_size)
283 : {
284 446 : gensec_security->max_update_size = max_update_size;
285 446 : }
286 :
287 192902 : _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
288 : {
289 192902 : if (gensec_security->max_update_size == 0) {
290 188752 : return UINT32_MAX;
291 : }
292 :
293 446 : return gensec_security->max_update_size;
294 : }
295 :
296 274928 : static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
297 : {
298 4838 : bool ok;
299 :
300 : /*
301 : * gensec_want_feature(GENSEC_FEATURE_SIGN)
302 : * and
303 : * gensec_want_feature(GENSEC_FEATURE_SEAL)
304 : * require these flags to be available.
305 : */
306 274928 : if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
307 78469 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
308 3 : DEBUG(0,("Did not manage to negotiate mandatory feature "
309 : "SIGN\n"));
310 3 : return NT_STATUS_ACCESS_DENIED;
311 : }
312 : }
313 274925 : if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
314 72397 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
315 3 : DEBUG(0,("Did not manage to negotiate mandatory feature "
316 : "SEAL\n"));
317 3 : return NT_STATUS_ACCESS_DENIED;
318 : }
319 72394 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
320 0 : DEBUG(0,("Did not manage to negotiate mandatory feature "
321 : "SIGN for SEAL\n"));
322 0 : return NT_STATUS_ACCESS_DENIED;
323 : }
324 : }
325 :
326 274922 : if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_PACKET) {
327 246238 : return NT_STATUS_OK;
328 : }
329 :
330 28684 : ok = gensec_have_feature(gensec_security,
331 : GENSEC_FEATURE_SIGN_PKT_HEADER);
332 28684 : if (!ok) {
333 0 : DBG_ERR("backend [%s] does not support header signing! "
334 : "auth_level[0x%x]\n",
335 : gensec_security->ops->name,
336 : gensec_security->dcerpc_auth_level);
337 0 : return NT_STATUS_INTERNAL_ERROR;
338 : }
339 :
340 28684 : return NT_STATUS_OK;
341 : }
342 :
343 : /**
344 : * Next state function for the GENSEC state machine
345 : *
346 : * @param gensec_security GENSEC State
347 : * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
348 : * @param in The request, as a DATA_BLOB
349 : * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
350 : * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
351 : * or NT_STATUS_OK if the user is authenticated.
352 : */
353 135749 : _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
354 : TALLOC_CTX *out_mem_ctx,
355 : const DATA_BLOB in, DATA_BLOB *out)
356 : {
357 1673 : NTSTATUS status;
358 135749 : TALLOC_CTX *frame = NULL;
359 135749 : struct tevent_context *ev = NULL;
360 135749 : struct tevent_req *subreq = NULL;
361 1673 : bool ok;
362 :
363 135749 : if (gensec_security->subcontext) {
364 : /*
365 : * gensec modules are not allowed to call the sync version.
366 : */
367 0 : return NT_STATUS_INTERNAL_ERROR;
368 : }
369 :
370 135749 : frame = talloc_stackframe();
371 :
372 135749 : ev = samba_tevent_context_init(frame);
373 135749 : if (ev == NULL) {
374 0 : status = NT_STATUS_NO_MEMORY;
375 0 : goto fail;
376 : }
377 :
378 : /*
379 : * TODO: remove this hack once the backends
380 : * are fixed.
381 : */
382 135749 : tevent_loop_allow_nesting(ev);
383 :
384 135749 : subreq = gensec_update_send(frame, ev, gensec_security, in);
385 135749 : if (subreq == NULL) {
386 0 : status = NT_STATUS_NO_MEMORY;
387 0 : goto fail;
388 : }
389 135749 : ok = tevent_req_poll_ntstatus(subreq, ev, &status);
390 135749 : if (!ok) {
391 0 : goto fail;
392 : }
393 135749 : status = gensec_update_recv(subreq, out_mem_ctx, out);
394 135749 : fail:
395 135749 : TALLOC_FREE(frame);
396 135749 : return status;
397 : }
398 :
399 : struct gensec_update_state {
400 : const struct gensec_security_ops *ops;
401 : struct gensec_security *gensec_security;
402 : NTSTATUS status;
403 : DATA_BLOB out;
404 : };
405 :
406 : static void gensec_update_cleanup(struct tevent_req *req,
407 : enum tevent_req_state req_state);
408 : static void gensec_update_done(struct tevent_req *subreq);
409 :
410 : /**
411 : * Next state function for the GENSEC state machine async version
412 : *
413 : * @param mem_ctx The memory context for the request
414 : * @param ev The event context for the request
415 : * @param gensec_security GENSEC State
416 : * @param in The request, as a DATA_BLOB
417 : *
418 : * @return The request handle or NULL on no memory failure
419 : */
420 :
421 612461 : _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
422 : struct tevent_context *ev,
423 : struct gensec_security *gensec_security,
424 : const DATA_BLOB in)
425 : {
426 612461 : struct tevent_req *req = NULL;
427 612461 : struct gensec_update_state *state = NULL;
428 612461 : struct tevent_req *subreq = NULL;
429 :
430 612461 : req = tevent_req_create(mem_ctx, &state,
431 : struct gensec_update_state);
432 612461 : if (req == NULL) {
433 0 : return NULL;
434 : }
435 612461 : state->ops = gensec_security->ops;
436 612461 : state->gensec_security = gensec_security;
437 :
438 612461 : if (gensec_security->update_busy_ptr != NULL) {
439 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
440 0 : return tevent_req_post(req, ev);
441 : }
442 :
443 612461 : if (gensec_security->child_security != NULL) {
444 0 : tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
445 0 : return tevent_req_post(req, ev);
446 : }
447 :
448 612461 : gensec_security->update_busy_ptr = &state->gensec_security;
449 612461 : tevent_req_set_cleanup_fn(req, gensec_update_cleanup);
450 :
451 612461 : subreq = state->ops->update_send(state, ev, gensec_security, in);
452 612461 : if (tevent_req_nomem(subreq, req)) {
453 0 : return tevent_req_post(req, ev);
454 : }
455 612461 : tevent_req_set_callback(subreq, gensec_update_done, req);
456 :
457 612461 : DBG_DEBUG("%s[%p]: subreq: %p\n", state->ops->name,
458 : state->gensec_security, subreq);
459 :
460 602488 : return req;
461 : }
462 :
463 1224922 : static void gensec_update_cleanup(struct tevent_req *req,
464 : enum tevent_req_state req_state)
465 : {
466 19946 : struct gensec_update_state *state =
467 1224922 : tevent_req_data(req,
468 : struct gensec_update_state);
469 :
470 1224922 : if (state->gensec_security == NULL) {
471 602488 : return;
472 : }
473 :
474 612461 : if (state->gensec_security->update_busy_ptr == &state->gensec_security) {
475 612461 : state->gensec_security->update_busy_ptr = NULL;
476 : }
477 :
478 612461 : state->gensec_security = NULL;
479 : }
480 :
481 612461 : static void gensec_update_done(struct tevent_req *subreq)
482 : {
483 9973 : struct tevent_req *req =
484 612461 : tevent_req_callback_data(subreq,
485 : struct tevent_req);
486 9973 : struct gensec_update_state *state =
487 612461 : tevent_req_data(req,
488 : struct gensec_update_state);
489 9973 : NTSTATUS status;
490 612461 : const char *debug_subreq = NULL;
491 :
492 612461 : if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
493 : /*
494 : * We need to call tevent_req_print()
495 : * before calling the _recv function,
496 : * before tevent_req_received() was called.
497 : * in order to print the pointer value of
498 : * the subreq state.
499 : */
500 15 : debug_subreq = tevent_req_print(state, subreq);
501 : }
502 :
503 612461 : status = state->ops->update_recv(subreq, state, &state->out);
504 612461 : TALLOC_FREE(subreq);
505 612461 : state->status = status;
506 612461 : if (GENSEC_UPDATE_IS_NTERROR(status)) {
507 9915 : NTSTATUS orig_status = status;
508 9915 : bool force_no_such_user = false;
509 :
510 : /*
511 : * callers only expect NT_STATUS_NO_SUCH_USER.
512 : */
513 9915 : if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) {
514 0 : force_no_such_user = true;
515 9915 : } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
516 0 : force_no_such_user = true;
517 : }
518 :
519 9915 : if (state->gensec_security->subcontext) {
520 : /*
521 : * We should only map on the outer
522 : * gensec_update exchange, spnego
523 : * needs the raw status.
524 : */
525 5527 : force_no_such_user = false;
526 : }
527 :
528 9906 : if (force_no_such_user) {
529 : /*
530 : * nt_status_squash() may map
531 : * to NT_STATUS_LOGON_FAILURE later
532 : */
533 0 : status = NT_STATUS_NO_SUCH_USER;
534 : }
535 :
536 9915 : DBG_INFO("%s[%p]: %s%s%s%s%s\n",
537 : state->ops->name,
538 : state->gensec_security,
539 : NT_STATUS_EQUAL(status, orig_status) ?
540 : "" : nt_errstr(orig_status),
541 : NT_STATUS_EQUAL(status, orig_status) ?
542 : "" : " ",
543 : nt_errstr(status),
544 : debug_subreq ? " " : "",
545 : debug_subreq ? debug_subreq : "");
546 9915 : tevent_req_nterror(req, status);
547 9915 : return;
548 : }
549 602546 : DBG_DEBUG("%s[%p]: %s %s\n", state->ops->name,
550 : state->gensec_security, nt_errstr(status),
551 : debug_subreq);
552 602546 : if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
553 327618 : tevent_req_done(req);
554 327618 : return;
555 : }
556 :
557 : /*
558 : * Because callers using the
559 : * gensec_start_mech_by_authtype() never call
560 : * gensec_want_feature(), it isn't sensible for them
561 : * to have to call gensec_have_feature() manually, and
562 : * these are not points of negotiation, but are
563 : * asserted by the client
564 : */
565 274928 : status = gensec_verify_features(state->gensec_security);
566 274928 : if (tevent_req_nterror(req, status)) {
567 6 : return;
568 : }
569 :
570 274922 : tevent_req_done(req);
571 : }
572 :
573 : /**
574 : * Next state function for the GENSEC state machine
575 : *
576 : * @param req request state
577 : * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
578 : * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
579 : * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
580 : * or NT_STATUS_OK if the user is authenticated.
581 : */
582 612461 : _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
583 : TALLOC_CTX *out_mem_ctx,
584 : DATA_BLOB *out)
585 : {
586 9973 : struct gensec_update_state *state =
587 612461 : tevent_req_data(req, struct gensec_update_state);
588 9973 : NTSTATUS status;
589 :
590 612461 : *out = data_blob_null;
591 :
592 612461 : if (tevent_req_is_nterror(req, &status)) {
593 9921 : tevent_req_received(req);
594 9921 : return status;
595 : }
596 :
597 602540 : *out = state->out;
598 602540 : talloc_steal(out_mem_ctx, out->data);
599 602540 : status = state->status;
600 602540 : tevent_req_received(req);
601 602540 : return status;
602 : }
603 :
604 : /**
605 : * Set the requirement for a certain feature on the connection
606 : *
607 : */
608 :
609 712790 : _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
610 : uint32_t feature)
611 : {
612 712790 : if (!gensec_security->ops || !gensec_security->ops->want_feature) {
613 662410 : gensec_security->want_features |= feature;
614 662410 : return;
615 : }
616 50380 : gensec_security->ops->want_feature(gensec_security, feature);
617 : }
618 :
619 : /**
620 : * Check the requirement for a certain feature on the connection
621 : *
622 : */
623 :
624 12218638 : _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
625 : uint32_t feature)
626 : {
627 12218638 : if (!gensec_security->ops || !gensec_security->ops->have_feature) {
628 0 : return false;
629 : }
630 :
631 : /* We might 'have' features that we don't 'want', because the
632 : * other end demanded them, or we can't negotiate them off */
633 12218638 : return gensec_security->ops->have_feature(gensec_security, feature);
634 : }
635 :
636 101052 : _PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
637 : {
638 101052 : if (!gensec_security->ops->expire_time) {
639 25785 : return GENSEC_EXPIRE_TIME_INFINITY;
640 : }
641 :
642 75121 : return gensec_security->ops->expire_time(gensec_security);
643 : }
644 : /**
645 : * Return the credentials structure associated with a GENSEC context
646 : *
647 : */
648 :
649 907120 : _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
650 : {
651 907120 : if (!gensec_security) {
652 0 : return NULL;
653 : }
654 907120 : return gensec_security->credentials;
655 : }
656 :
657 : /**
658 : * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
659 : *
660 : * This is used for Kerberos service principal name resolution.
661 : */
662 :
663 186408 : _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
664 : {
665 186408 : gensec_security->target.service = talloc_strdup(gensec_security, service);
666 186408 : if (!gensec_security->target.service) {
667 0 : return NT_STATUS_NO_MEMORY;
668 : }
669 186408 : return NT_STATUS_OK;
670 : }
671 :
672 167978 : _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
673 : {
674 167978 : if (gensec_security->target.service) {
675 158324 : return gensec_security->target.service;
676 : }
677 :
678 9462 : return "host";
679 : }
680 :
681 : /**
682 : * Set the target service (such as 'samr') on an GENSEC context - ensures it is talloc()ed.
683 : *
684 : * This is not the Kerberos service principal, instead this is a
685 : * constant value that can be logged as part of authentication and
686 : * authorization logging
687 : */
688 123058 : _PUBLIC_ NTSTATUS gensec_set_target_service_description(struct gensec_security *gensec_security,
689 : const char *service)
690 : {
691 123058 : gensec_security->target.service_description = talloc_strdup(gensec_security, service);
692 123058 : if (!gensec_security->target.service_description) {
693 0 : return NT_STATUS_NO_MEMORY;
694 : }
695 123058 : return NT_STATUS_OK;
696 : }
697 :
698 107916 : _PUBLIC_ const char *gensec_get_target_service_description(struct gensec_security *gensec_security)
699 : {
700 107916 : if (gensec_security->target.service_description) {
701 104840 : return gensec_security->target.service_description;
702 1541 : } else if (gensec_security->target.service) {
703 189 : return gensec_security->target.service;
704 : }
705 :
706 1352 : return NULL;
707 : }
708 :
709 : /**
710 : * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
711 : *
712 : */
713 :
714 74951 : _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
715 : {
716 74951 : gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
717 74951 : if (hostname && !gensec_security->target.hostname) {
718 0 : return NT_STATUS_NO_MEMORY;
719 : }
720 74951 : return NT_STATUS_OK;
721 : }
722 :
723 226790 : _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
724 : {
725 : /* We allow the target hostname to be overridden for testing purposes */
726 226790 : if (gensec_security->settings->target_hostname) {
727 3784 : return gensec_security->settings->target_hostname;
728 : }
729 :
730 223006 : if (gensec_security->target.hostname) {
731 186280 : return gensec_security->target.hostname;
732 : }
733 :
734 : /* We could add use the 'set sockaddr' call, and do a reverse
735 : * lookup, but this would be both insecure (compromising the
736 : * way kerberos works) and add DNS timeouts */
737 35742 : return NULL;
738 : }
739 :
740 : /**
741 : * Set (and copy) local and peer socket addresses onto a socket
742 : * context on the GENSEC context.
743 : *
744 : * This is so that kerberos can include these addresses in
745 : * cryptographic tokens, to avoid certain attacks.
746 : */
747 :
748 : /**
749 : * @brief Set the local gensec address.
750 : *
751 : * @param gensec_security The gensec security context to use.
752 : *
753 : * @param remote The local address to set.
754 : *
755 : * @return On success NT_STATUS_OK is returned or an NT_STATUS
756 : * error.
757 : */
758 123145 : _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
759 : const struct tsocket_address *local)
760 : {
761 123145 : TALLOC_FREE(gensec_security->local_addr);
762 :
763 123145 : if (local == NULL) {
764 0 : return NT_STATUS_OK;
765 : }
766 :
767 123145 : gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
768 123145 : if (gensec_security->local_addr == NULL) {
769 0 : return NT_STATUS_NO_MEMORY;
770 : }
771 :
772 123145 : return NT_STATUS_OK;
773 : }
774 :
775 : /**
776 : * @brief Set the remote gensec address.
777 : *
778 : * @param gensec_security The gensec security context to use.
779 : *
780 : * @param remote The remote address to set.
781 : *
782 : * @return On success NT_STATUS_OK is returned or an NT_STATUS
783 : * error.
784 : */
785 123077 : _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
786 : const struct tsocket_address *remote)
787 : {
788 123077 : TALLOC_FREE(gensec_security->remote_addr);
789 :
790 123077 : if (remote == NULL) {
791 0 : return NT_STATUS_OK;
792 : }
793 :
794 123077 : gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
795 123077 : if (gensec_security->remote_addr == NULL) {
796 0 : return NT_STATUS_NO_MEMORY;
797 : }
798 :
799 123077 : return NT_STATUS_OK;
800 : }
801 :
802 : /**
803 : * @brief Get the local address from a gensec security context.
804 : *
805 : * @param gensec_security The security context to get the address from.
806 : *
807 : * @return The address as tsocket_address which could be NULL if
808 : * no address is set.
809 : */
810 109324 : _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
811 : {
812 109324 : if (gensec_security == NULL) {
813 0 : return NULL;
814 : }
815 109324 : return gensec_security->local_addr;
816 : }
817 :
818 : /**
819 : * @brief Get the remote address from a gensec security context.
820 : *
821 : * @param gensec_security The security context to get the address from.
822 : *
823 : * @return The address as tsocket_address which could be NULL if
824 : * no address is set.
825 : */
826 142667 : _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
827 : {
828 142667 : if (gensec_security == NULL) {
829 0 : return NULL;
830 : }
831 142667 : return gensec_security->remote_addr;
832 : }
833 :
834 : /**
835 : * Set the target principal (assuming it it known, say from the SPNEGO reply)
836 : * - ensures it is talloc()ed
837 : *
838 : */
839 :
840 219 : _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
841 : {
842 219 : gensec_security->target.principal = talloc_strdup(gensec_security, principal);
843 219 : if (!gensec_security->target.principal) {
844 0 : return NT_STATUS_NO_MEMORY;
845 : }
846 219 : return NT_STATUS_OK;
847 : }
848 :
849 189439 : _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
850 : {
851 189439 : if (gensec_security->target.principal) {
852 667 : return gensec_security->target.principal;
853 : }
854 :
855 184799 : return NULL;
856 : }
857 :
858 414 : static int gensec_channel_bindings_destructor(struct gensec_channel_bindings *cb)
859 : {
860 414 : data_blob_clear_free(&cb->initiator_address);
861 414 : data_blob_clear_free(&cb->acceptor_address);
862 414 : data_blob_clear_free(&cb->application_data);
863 414 : *cb = (struct gensec_channel_bindings) { .initiator_addrtype = 0, };
864 414 : return 0;
865 : }
866 :
867 414 : _PUBLIC_ NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
868 : uint32_t initiator_addrtype,
869 : const DATA_BLOB *initiator_address,
870 : uint32_t acceptor_addrtype,
871 : const DATA_BLOB *acceptor_address,
872 : const DATA_BLOB *application_data)
873 : {
874 414 : struct gensec_channel_bindings *cb = NULL;
875 :
876 414 : if (gensec_security->subcontext) {
877 0 : return NT_STATUS_INTERNAL_ERROR;
878 : }
879 :
880 414 : if (gensec_security->channel_bindings != NULL) {
881 0 : return NT_STATUS_ALREADY_REGISTERED;
882 : }
883 :
884 414 : cb = talloc_zero(gensec_security, struct gensec_channel_bindings);
885 414 : if (cb == NULL) {
886 0 : return NT_STATUS_NO_MEMORY;
887 : }
888 414 : talloc_set_destructor(cb, gensec_channel_bindings_destructor);
889 :
890 414 : cb->initiator_addrtype = initiator_addrtype;
891 414 : if (initiator_address != NULL) {
892 0 : cb->initiator_address = data_blob_dup_talloc(cb,
893 : *initiator_address);
894 0 : if (cb->initiator_address.length != initiator_address->length) {
895 0 : TALLOC_FREE(cb);
896 0 : return NT_STATUS_NO_MEMORY;
897 : }
898 : }
899 414 : cb->acceptor_addrtype = acceptor_addrtype;
900 414 : if (acceptor_address != NULL) {
901 0 : cb->acceptor_address = data_blob_dup_talloc(cb,
902 : *acceptor_address);
903 0 : if (cb->acceptor_address.length != acceptor_address->length) {
904 0 : TALLOC_FREE(cb);
905 0 : return NT_STATUS_NO_MEMORY;
906 : }
907 : }
908 414 : if (application_data != NULL) {
909 414 : cb->application_data = data_blob_dup_talloc(cb,
910 : *application_data);
911 414 : if (cb->application_data.length != application_data->length) {
912 0 : TALLOC_FREE(cb);
913 0 : return NT_STATUS_NO_MEMORY;
914 : }
915 : }
916 :
917 414 : gensec_security->channel_bindings = cb;
918 414 : return NT_STATUS_OK;
919 : }
|
