Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : Generic Authentication Interface
5 :
6 : Copyright (C) Andrew Tridgell 2003
7 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "system/network.h"
25 : #define TEVENT_DEPRECATED 1
26 : #include <tevent.h>
27 : #include "lib/tsocket/tsocket.h"
28 : #include "lib/util/tevent_ntstatus.h"
29 : #include "auth/gensec/gensec.h"
30 : #include "auth/gensec/gensec_internal.h"
31 : #include "librpc/gen_ndr/dcerpc.h"
32 : #include "auth/common_auth.h"
33 :
34 : #undef DBGC_CLASS
35 : #define DBGC_CLASS DBGC_AUTH
36 :
37 63100 : _PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
38 : bool full_reset)
39 : {
40 63100 : if (!gensec_security->ops->may_reset_crypto) {
41 44214 : return NT_STATUS_OK;
42 : }
43 :
44 18886 : return gensec_security->ops->may_reset_crypto(gensec_security, full_reset);
45 : }
46 :
47 : /*
48 : wrappers for the gensec function pointers
49 : */
50 546469 : _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
51 : uint8_t *data, size_t length,
52 : const uint8_t *whole_pdu, size_t pdu_length,
53 : const DATA_BLOB *sig)
54 : {
55 546469 : if (!gensec_security->ops->unseal_packet) {
56 0 : return NT_STATUS_NOT_IMPLEMENTED;
57 : }
58 546469 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
59 0 : return NT_STATUS_INVALID_PARAMETER;
60 : }
61 546469 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
62 0 : return NT_STATUS_INVALID_PARAMETER;
63 : }
64 546469 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
65 0 : return NT_STATUS_INVALID_PARAMETER;
66 : }
67 :
68 546469 : return gensec_security->ops->unseal_packet(gensec_security,
69 : data, length,
70 : whole_pdu, pdu_length,
71 : sig);
72 : }
73 :
74 133568 : _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
75 : const uint8_t *data, size_t length,
76 : const uint8_t *whole_pdu, size_t pdu_length,
77 : const DATA_BLOB *sig)
78 : {
79 133568 : if (!gensec_security->ops->check_packet) {
80 0 : return NT_STATUS_NOT_IMPLEMENTED;
81 : }
82 133568 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
83 6 : return NT_STATUS_INVALID_PARAMETER;
84 : }
85 :
86 133562 : return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
87 : }
88 :
89 546457 : _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
90 : TALLOC_CTX *mem_ctx,
91 : uint8_t *data, size_t length,
92 : const uint8_t *whole_pdu, size_t pdu_length,
93 : DATA_BLOB *sig)
94 : {
95 546457 : if (!gensec_security->ops->seal_packet) {
96 0 : return NT_STATUS_NOT_IMPLEMENTED;
97 : }
98 546457 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
99 0 : return NT_STATUS_INVALID_PARAMETER;
100 : }
101 546457 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
102 0 : return NT_STATUS_INVALID_PARAMETER;
103 : }
104 546457 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
105 0 : return NT_STATUS_INVALID_PARAMETER;
106 : }
107 :
108 546457 : return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
109 : }
110 :
111 134409 : _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
112 : TALLOC_CTX *mem_ctx,
113 : const uint8_t *data, size_t length,
114 : const uint8_t *whole_pdu, size_t pdu_length,
115 : DATA_BLOB *sig)
116 : {
117 134409 : if (!gensec_security->ops->sign_packet) {
118 0 : return NT_STATUS_NOT_IMPLEMENTED;
119 : }
120 134409 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
121 0 : return NT_STATUS_INVALID_PARAMETER;
122 : }
123 :
124 134409 : return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
125 : }
126 :
127 241422 : _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
128 : {
129 241422 : if (!gensec_security->ops->sig_size) {
130 863 : return 0;
131 : }
132 240559 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
133 322 : return 0;
134 : }
135 240237 : if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
136 142319 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
137 0 : return 0;
138 : }
139 : }
140 :
141 240237 : return gensec_security->ops->sig_size(gensec_security, data_size);
142 : }
143 :
144 75416 : _PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
145 : {
146 75416 : if (!gensec_security->ops->max_wrapped_size) {
147 13018 : return (1 << 17);
148 : }
149 :
150 62398 : return gensec_security->ops->max_wrapped_size(gensec_security);
151 : }
152 :
153 75416 : _PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
154 : {
155 75416 : if (!gensec_security->ops->max_input_size) {
156 13018 : return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
157 : }
158 :
159 62398 : return gensec_security->ops->max_input_size(gensec_security);
160 : }
161 :
162 1751692 : _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
163 : TALLOC_CTX *mem_ctx,
164 : const DATA_BLOB *in,
165 : DATA_BLOB *out)
166 : {
167 1751692 : if (!gensec_security->ops->wrap) {
168 0 : return NT_STATUS_NOT_IMPLEMENTED;
169 : }
170 1751692 : return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
171 : }
172 :
173 1751692 : _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
174 : TALLOC_CTX *mem_ctx,
175 : const DATA_BLOB *in,
176 : DATA_BLOB *out)
177 : {
178 1751692 : if (!gensec_security->ops->unwrap) {
179 0 : return NT_STATUS_NOT_IMPLEMENTED;
180 : }
181 1751692 : return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
182 : }
183 :
184 17395 : _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
185 : TALLOC_CTX *mem_ctx,
186 : DATA_BLOB *session_key)
187 : {
188 17395 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
189 0 : return NT_STATUS_NO_USER_SESSION_KEY;
190 : }
191 :
192 17395 : if (!gensec_security->ops->session_key) {
193 0 : return NT_STATUS_NOT_IMPLEMENTED;
194 : }
195 :
196 17395 : return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
197 : }
198 :
199 76783 : const char *gensec_final_auth_type(struct gensec_security *gensec_security)
200 : {
201 76783 : if (!gensec_security->ops->final_auth_type) {
202 1534 : return gensec_security->ops->name;
203 : }
204 :
205 75249 : return gensec_security->ops->final_auth_type(gensec_security);
206 : }
207 :
208 : /*
209 : * Log details of a successful GENSEC authorization to a service.
210 : *
211 : * Only successful authorizations are logged, as only these call gensec_session_info()
212 : *
213 : * The service may later refuse authorization due to an ACL.
214 : *
215 : */
216 34872 : static void log_successful_gensec_authz_event(struct gensec_security *gensec_security,
217 : struct auth_session_info *session_info)
218 : {
219 27468 : const struct tsocket_address *remote
220 7404 : = gensec_get_remote_address(gensec_security);
221 27468 : const struct tsocket_address *local
222 7404 : = gensec_get_local_address(gensec_security);
223 27468 : const char *service_description
224 7404 : = gensec_get_target_service_description(gensec_security);
225 27468 : const char *final_auth_type
226 7404 : = gensec_final_auth_type(gensec_security);
227 34872 : const char *transport_protection = NULL;
228 34872 : if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
229 7477 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
230 27395 : } else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
231 46 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
232 27349 : } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
233 24258 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL;
234 3091 : } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
235 2529 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN;
236 : } else {
237 562 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
238 : }
239 34872 : log_successful_authz_event(gensec_security->auth_context->msg_ctx,
240 34872 : gensec_security->auth_context->lp_ctx,
241 : remote, local,
242 : service_description,
243 : final_auth_type,
244 : transport_protection,
245 : session_info);
246 34872 : }
247 :
248 :
249 : /**
250 : * Return the credentials of a logged on user, including session keys
251 : * etc.
252 : *
253 : * Only valid after a successful authentication
254 : *
255 : * May only be called once per authentication. This will also make an
256 : * authorization log entry, as it is already called by all the
257 : * callers.
258 : *
259 : */
260 :
261 66719 : _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
262 : TALLOC_CTX *mem_ctx,
263 : struct auth_session_info **session_info)
264 : {
265 : NTSTATUS status;
266 66719 : if (!gensec_security->ops->session_info) {
267 0 : return NT_STATUS_NOT_IMPLEMENTED;
268 : }
269 66719 : status = gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
270 :
271 66719 : if (NT_STATUS_IS_OK(status) && !gensec_security->subcontext
272 34912 : && (gensec_security->want_features & GENSEC_FEATURE_NO_AUTHZ_LOG) == 0) {
273 34872 : log_successful_gensec_authz_event(gensec_security, *session_info);
274 : }
275 :
276 66719 : return status;
277 : }
278 :
279 2 : _PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
280 : uint32_t max_update_size)
281 : {
282 2 : gensec_security->max_update_size = max_update_size;
283 2 : }
284 :
285 75920 : _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
286 : {
287 75920 : if (gensec_security->max_update_size == 0) {
288 75918 : return UINT32_MAX;
289 : }
290 :
291 2 : return gensec_security->max_update_size;
292 : }
293 :
294 132204 : static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
295 : {
296 : bool ok;
297 :
298 : /*
299 : * gensec_want_feature(GENSEC_FEATURE_SIGN)
300 : * and
301 : * gensec_want_feature(GENSEC_FEATURE_SEAL)
302 : * require these flags to be available.
303 : */
304 132204 : if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
305 57420 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
306 3 : DEBUG(0,("Did not manage to negotiate mandatory feature "
307 : "SIGN\n"));
308 3 : return NT_STATUS_ACCESS_DENIED;
309 : }
310 : }
311 132201 : if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
312 52405 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
313 3 : DEBUG(0,("Did not manage to negotiate mandatory feature "
314 : "SEAL\n"));
315 3 : return NT_STATUS_ACCESS_DENIED;
316 : }
317 52402 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
318 0 : DEBUG(0,("Did not manage to negotiate mandatory feature "
319 : "SIGN for SEAL\n"));
320 0 : return NT_STATUS_ACCESS_DENIED;
321 : }
322 : }
323 :
324 132198 : if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_PACKET) {
325 109066 : return NT_STATUS_OK;
326 : }
327 :
328 23132 : ok = gensec_have_feature(gensec_security,
329 : GENSEC_FEATURE_SIGN_PKT_HEADER);
330 23132 : if (!ok) {
331 0 : DBG_ERR("backend [%s] does not support header signing! "
332 : "auth_level[0x%x]\n",
333 : gensec_security->ops->name,
334 : gensec_security->dcerpc_auth_level);
335 0 : return NT_STATUS_INTERNAL_ERROR;
336 : }
337 :
338 23132 : return NT_STATUS_OK;
339 : }
340 :
341 : /**
342 : * Next state function for the GENSEC state machine
343 : *
344 : * @param gensec_security GENSEC State
345 : * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
346 : * @param in The request, as a DATA_BLOB
347 : * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
348 : * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
349 : * or NT_STATUS_OK if the user is authenticated.
350 : */
351 60906 : _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
352 : TALLOC_CTX *out_mem_ctx,
353 : const DATA_BLOB in, DATA_BLOB *out)
354 : {
355 : NTSTATUS status;
356 60906 : TALLOC_CTX *frame = NULL;
357 60906 : struct tevent_context *ev = NULL;
358 60906 : struct tevent_req *subreq = NULL;
359 : bool ok;
360 :
361 60906 : if (gensec_security->subcontext) {
362 : /*
363 : * gensec modules are not allowed to call the sync version.
364 : */
365 0 : return NT_STATUS_INTERNAL_ERROR;
366 : }
367 :
368 60906 : frame = talloc_stackframe();
369 :
370 60906 : ev = samba_tevent_context_init(frame);
371 60906 : if (ev == NULL) {
372 0 : status = NT_STATUS_NO_MEMORY;
373 0 : goto fail;
374 : }
375 :
376 : /*
377 : * TODO: remove this hack once the backends
378 : * are fixed.
379 : */
380 60906 : tevent_loop_allow_nesting(ev);
381 :
382 60906 : subreq = gensec_update_send(frame, ev, gensec_security, in);
383 60906 : if (subreq == NULL) {
384 0 : status = NT_STATUS_NO_MEMORY;
385 0 : goto fail;
386 : }
387 60906 : ok = tevent_req_poll_ntstatus(subreq, ev, &status);
388 60906 : if (!ok) {
389 0 : goto fail;
390 : }
391 60906 : status = gensec_update_recv(subreq, out_mem_ctx, out);
392 60906 : fail:
393 60906 : TALLOC_FREE(frame);
394 60906 : return status;
395 : }
396 :
397 : struct gensec_update_state {
398 : const struct gensec_security_ops *ops;
399 : struct gensec_security *gensec_security;
400 : NTSTATUS status;
401 : DATA_BLOB out;
402 : };
403 :
404 : static void gensec_update_cleanup(struct tevent_req *req,
405 : enum tevent_req_state req_state);
406 : static void gensec_update_done(struct tevent_req *subreq);
407 :
408 : /**
409 : * Next state function for the GENSEC state machine async version
410 : *
411 : * @param mem_ctx The memory context for the request
412 : * @param ev The event context for the request
413 : * @param gensec_security GENSEC State
414 : * @param in The request, as a DATA_BLOB
415 : *
416 : * @return The request handle or NULL on no memory failure
417 : */
418 :
419 254873 : _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
420 : struct tevent_context *ev,
421 : struct gensec_security *gensec_security,
422 : const DATA_BLOB in)
423 : {
424 254873 : struct tevent_req *req = NULL;
425 254873 : struct gensec_update_state *state = NULL;
426 254873 : struct tevent_req *subreq = NULL;
427 :
428 254873 : req = tevent_req_create(mem_ctx, &state,
429 : struct gensec_update_state);
430 254873 : if (req == NULL) {
431 0 : return NULL;
432 : }
433 254873 : state->ops = gensec_security->ops;
434 254873 : state->gensec_security = gensec_security;
435 :
436 254873 : if (gensec_security->update_busy_ptr != NULL) {
437 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
438 0 : return tevent_req_post(req, ev);
439 : }
440 :
441 254873 : if (gensec_security->child_security != NULL) {
442 0 : tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
443 0 : return tevent_req_post(req, ev);
444 : }
445 :
446 254873 : gensec_security->update_busy_ptr = &state->gensec_security;
447 254873 : tevent_req_set_cleanup_fn(req, gensec_update_cleanup);
448 :
449 254873 : subreq = state->ops->update_send(state, ev, gensec_security, in);
450 254873 : if (tevent_req_nomem(subreq, req)) {
451 0 : return tevent_req_post(req, ev);
452 : }
453 254873 : tevent_req_set_callback(subreq, gensec_update_done, req);
454 :
455 254873 : DBG_DEBUG("%s[%p]: subreq: %p\n", state->ops->name,
456 : state->gensec_security, subreq);
457 :
458 254873 : return req;
459 : }
460 :
461 509746 : static void gensec_update_cleanup(struct tevent_req *req,
462 : enum tevent_req_state req_state)
463 : {
464 396744 : struct gensec_update_state *state =
465 509746 : tevent_req_data(req,
466 : struct gensec_update_state);
467 :
468 509746 : if (state->gensec_security == NULL) {
469 254873 : return;
470 : }
471 :
472 254873 : if (state->gensec_security->update_busy_ptr == &state->gensec_security) {
473 254873 : state->gensec_security->update_busy_ptr = NULL;
474 : }
475 :
476 254873 : state->gensec_security = NULL;
477 : }
478 :
479 254873 : static void gensec_update_done(struct tevent_req *subreq)
480 : {
481 198372 : struct tevent_req *req =
482 254873 : tevent_req_callback_data(subreq,
483 : struct tevent_req);
484 198372 : struct gensec_update_state *state =
485 254873 : tevent_req_data(req,
486 : struct gensec_update_state);
487 : NTSTATUS status;
488 254873 : const char *debug_subreq = NULL;
489 :
490 254873 : if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
491 : /*
492 : * We need to call tevent_req_print()
493 : * before calling the _recv function,
494 : * before tevent_req_received() was called.
495 : * in order to print the pointer value of
496 : * the subreq state.
497 : */
498 0 : debug_subreq = tevent_req_print(state, subreq);
499 : }
500 :
501 254873 : status = state->ops->update_recv(subreq, state, &state->out);
502 254873 : TALLOC_FREE(subreq);
503 254873 : state->status = status;
504 254873 : if (GENSEC_UPDATE_IS_NTERROR(status)) {
505 1440 : NTSTATUS orig_status = status;
506 1440 : bool force_no_such_user = false;
507 :
508 : /*
509 : * callers only expect NT_STATUS_NO_SUCH_USER.
510 : */
511 1440 : if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) {
512 0 : force_no_such_user = true;
513 1440 : } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
514 0 : force_no_such_user = true;
515 : }
516 :
517 1440 : if (state->gensec_security->subcontext) {
518 : /*
519 : * We should only map on the outer
520 : * gensec_update exchange, spnego
521 : * needs the raw status.
522 : */
523 824 : force_no_such_user = false;
524 : }
525 :
526 1440 : if (force_no_such_user) {
527 : /*
528 : * nt_status_squash() may map
529 : * to NT_STATUS_LOGON_FAILURE later
530 : */
531 0 : status = NT_STATUS_NO_SUCH_USER;
532 : }
533 :
534 1440 : DBG_INFO("%s[%p]: %s%s%s%s%s\n",
535 : state->ops->name,
536 : state->gensec_security,
537 : NT_STATUS_EQUAL(status, orig_status) ?
538 : "" : nt_errstr(orig_status),
539 : NT_STATUS_EQUAL(status, orig_status) ?
540 : "" : " ",
541 : nt_errstr(status),
542 : debug_subreq ? " " : "",
543 : debug_subreq ? debug_subreq : "");
544 1440 : tevent_req_nterror(req, status);
545 1440 : return;
546 : }
547 253433 : DBG_DEBUG("%s[%p]: %s %s\n", state->ops->name,
548 : state->gensec_security, nt_errstr(status),
549 : debug_subreq);
550 253433 : if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
551 121229 : tevent_req_done(req);
552 121229 : return;
553 : }
554 :
555 : /*
556 : * Because callers using the
557 : * gensec_start_mech_by_authtype() never call
558 : * gensec_want_feature(), it isn't sensible for them
559 : * to have to call gensec_have_feature() manually, and
560 : * these are not points of negotiation, but are
561 : * asserted by the client
562 : */
563 132204 : status = gensec_verify_features(state->gensec_security);
564 132204 : if (tevent_req_nterror(req, status)) {
565 6 : return;
566 : }
567 :
568 132198 : tevent_req_done(req);
569 : }
570 :
571 : /**
572 : * Next state function for the GENSEC state machine
573 : *
574 : * @param req request state
575 : * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
576 : * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
577 : * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
578 : * or NT_STATUS_OK if the user is authenticated.
579 : */
580 254873 : _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
581 : TALLOC_CTX *out_mem_ctx,
582 : DATA_BLOB *out)
583 : {
584 198372 : struct gensec_update_state *state =
585 254873 : tevent_req_data(req, struct gensec_update_state);
586 : NTSTATUS status;
587 :
588 254873 : *out = data_blob_null;
589 :
590 254873 : if (tevent_req_is_nterror(req, &status)) {
591 1446 : tevent_req_received(req);
592 1446 : return status;
593 : }
594 :
595 253427 : *out = state->out;
596 253427 : talloc_steal(out_mem_ctx, out->data);
597 253427 : status = state->status;
598 253427 : tevent_req_received(req);
599 253427 : return status;
600 : }
601 :
602 : /**
603 : * Set the requirement for a certain feature on the connection
604 : *
605 : */
606 :
607 330882 : _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
608 : uint32_t feature)
609 : {
610 330882 : if (!gensec_security->ops || !gensec_security->ops->want_feature) {
611 286196 : gensec_security->want_features |= feature;
612 286196 : return;
613 : }
614 44686 : gensec_security->ops->want_feature(gensec_security, feature);
615 : }
616 :
617 : /**
618 : * Check the requirement for a certain feature on the connection
619 : *
620 : */
621 :
622 9162120 : _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
623 : uint32_t feature)
624 : {
625 9162120 : if (!gensec_security->ops || !gensec_security->ops->have_feature) {
626 0 : return false;
627 : }
628 :
629 : /* We might 'have' features that we don't 'want', because the
630 : * other end demanded them, or we can't negotiate them off */
631 9162120 : return gensec_security->ops->have_feature(gensec_security, feature);
632 : }
633 :
634 47622 : _PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
635 : {
636 47622 : if (!gensec_security->ops->expire_time) {
637 7932 : return GENSEC_EXPIRE_TIME_INFINITY;
638 : }
639 :
640 39690 : return gensec_security->ops->expire_time(gensec_security);
641 : }
642 : /**
643 : * Return the credentials structure associated with a GENSEC context
644 : *
645 : */
646 :
647 413432 : _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
648 : {
649 413432 : if (!gensec_security) {
650 0 : return NULL;
651 : }
652 413432 : return gensec_security->credentials;
653 : }
654 :
655 : /**
656 : * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
657 : *
658 : * This is used for Kerberos service principal name resolution.
659 : */
660 :
661 109174 : _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
662 : {
663 109174 : gensec_security->target.service = talloc_strdup(gensec_security, service);
664 109174 : if (!gensec_security->target.service) {
665 0 : return NT_STATUS_NO_MEMORY;
666 : }
667 109174 : return NT_STATUS_OK;
668 : }
669 :
670 106254 : _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
671 : {
672 106254 : if (gensec_security->target.service) {
673 97219 : return gensec_security->target.service;
674 : }
675 :
676 9035 : return "host";
677 : }
678 :
679 : /**
680 : * Set the target service (such as 'samr') on an GENSEC context - ensures it is talloc()ed.
681 : *
682 : * This is not the Kerberos service principal, instead this is a
683 : * constant value that can be logged as part of authentication and
684 : * authorization logging
685 : */
686 42721 : _PUBLIC_ NTSTATUS gensec_set_target_service_description(struct gensec_security *gensec_security,
687 : const char *service)
688 : {
689 42721 : gensec_security->target.service_description = talloc_strdup(gensec_security, service);
690 42721 : if (!gensec_security->target.service_description) {
691 0 : return NT_STATUS_NO_MEMORY;
692 : }
693 42721 : return NT_STATUS_OK;
694 : }
695 :
696 45033 : _PUBLIC_ const char *gensec_get_target_service_description(struct gensec_security *gensec_security)
697 : {
698 45033 : if (gensec_security->target.service_description) {
699 43543 : return gensec_security->target.service_description;
700 1490 : } else if (gensec_security->target.service) {
701 237 : return gensec_security->target.service;
702 : }
703 :
704 1253 : return NULL;
705 : }
706 :
707 : /**
708 : * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
709 : *
710 : */
711 :
712 34144 : _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
713 : {
714 34144 : gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
715 34144 : if (hostname && !gensec_security->target.hostname) {
716 0 : return NT_STATUS_NO_MEMORY;
717 : }
718 34144 : return NT_STATUS_OK;
719 : }
720 :
721 106450 : _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
722 : {
723 : /* We allow the target hostname to be overridden for testing purposes */
724 106450 : if (gensec_security->settings->target_hostname) {
725 4044 : return gensec_security->settings->target_hostname;
726 : }
727 :
728 102406 : if (gensec_security->target.hostname) {
729 75741 : return gensec_security->target.hostname;
730 : }
731 :
732 : /* We could add use the 'set sockaddr' call, and do a reverse
733 : * lookup, but this would be both insecure (compromising the
734 : * way kerberos works) and add DNS timeouts */
735 26665 : return NULL;
736 : }
737 :
738 : /**
739 : * Set (and copy) local and peer socket addresses onto a socket
740 : * context on the GENSEC context.
741 : *
742 : * This is so that kerberos can include these addresses in
743 : * cryptographic tokens, to avoid certain attacks.
744 : */
745 :
746 : /**
747 : * @brief Set the local gensec address.
748 : *
749 : * @param gensec_security The gensec security context to use.
750 : *
751 : * @param remote The local address to set.
752 : *
753 : * @return On success NT_STATUS_OK is returned or an NT_STATUS
754 : * error.
755 : */
756 42906 : _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
757 : const struct tsocket_address *local)
758 : {
759 42906 : TALLOC_FREE(gensec_security->local_addr);
760 :
761 42906 : if (local == NULL) {
762 0 : return NT_STATUS_OK;
763 : }
764 :
765 42906 : gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
766 42906 : if (gensec_security->local_addr == NULL) {
767 0 : return NT_STATUS_NO_MEMORY;
768 : }
769 :
770 42906 : return NT_STATUS_OK;
771 : }
772 :
773 : /**
774 : * @brief Set the remote gensec address.
775 : *
776 : * @param gensec_security The gensec security context to use.
777 : *
778 : * @param remote The remote address to set.
779 : *
780 : * @return On success NT_STATUS_OK is returned or an NT_STATUS
781 : * error.
782 : */
783 42874 : _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
784 : const struct tsocket_address *remote)
785 : {
786 42874 : TALLOC_FREE(gensec_security->remote_addr);
787 :
788 42874 : if (remote == NULL) {
789 0 : return NT_STATUS_OK;
790 : }
791 :
792 42874 : gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
793 42874 : if (gensec_security->remote_addr == NULL) {
794 0 : return NT_STATUS_NO_MEMORY;
795 : }
796 :
797 42874 : return NT_STATUS_OK;
798 : }
799 :
800 : /**
801 : * @brief Get the local address from a gensec security context.
802 : *
803 : * @param gensec_security The security context to get the address from.
804 : *
805 : * @return The address as tsocket_address which could be NULL if
806 : * no address is set.
807 : */
808 46421 : _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
809 : {
810 46421 : if (gensec_security == NULL) {
811 0 : return NULL;
812 : }
813 46421 : return gensec_security->local_addr;
814 : }
815 :
816 : /**
817 : * @brief Get the remote address from a gensec security context.
818 : *
819 : * @param gensec_security The security context to get the address from.
820 : *
821 : * @return The address as tsocket_address which could be NULL if
822 : * no address is set.
823 : */
824 70115 : _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
825 : {
826 70115 : if (gensec_security == NULL) {
827 0 : return NULL;
828 : }
829 70115 : return gensec_security->remote_addr;
830 : }
831 :
832 : /**
833 : * Set the target principal (assuming it it known, say from the SPNEGO reply)
834 : * - ensures it is talloc()ed
835 : *
836 : */
837 :
838 218 : _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
839 : {
840 218 : gensec_security->target.principal = talloc_strdup(gensec_security, principal);
841 218 : if (!gensec_security->target.principal) {
842 0 : return NT_STATUS_NO_MEMORY;
843 : }
844 218 : return NT_STATUS_OK;
845 : }
846 :
847 94455 : _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
848 : {
849 94455 : if (gensec_security->target.principal) {
850 657 : return gensec_security->target.principal;
851 : }
852 :
853 93798 : return NULL;
854 : }
|
