Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : Generic Authentication Interface
5 :
6 : Copyright (C) Andrew Tridgell 2003
7 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "system/network.h"
25 : #define TEVENT_DEPRECATED 1
26 : #include <tevent.h>
27 : #include "lib/tsocket/tsocket.h"
28 : #include "lib/util/tevent_ntstatus.h"
29 : #include "auth/gensec/gensec.h"
30 : #include "auth/gensec/gensec_internal.h"
31 : #include "librpc/gen_ndr/dcerpc.h"
32 : #include "auth/common_auth.h"
33 :
34 : #undef DBGC_CLASS
35 : #define DBGC_CLASS DBGC_AUTH
36 :
37 104038 : _PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
38 : bool full_reset)
39 : {
40 104038 : if (!gensec_security->ops->may_reset_crypto) {
41 52399 : return NT_STATUS_OK;
42 : }
43 :
44 51639 : return gensec_security->ops->may_reset_crypto(gensec_security, full_reset);
45 : }
46 :
47 : /*
48 : wrappers for the gensec function pointers
49 : */
50 544090 : _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
51 : uint8_t *data, size_t length,
52 : const uint8_t *whole_pdu, size_t pdu_length,
53 : const DATA_BLOB *sig)
54 : {
55 544090 : if (!gensec_security->ops->unseal_packet) {
56 0 : return NT_STATUS_NOT_IMPLEMENTED;
57 : }
58 544090 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
59 0 : return NT_STATUS_INVALID_PARAMETER;
60 : }
61 544090 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
62 0 : return NT_STATUS_INVALID_PARAMETER;
63 : }
64 544090 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
65 0 : return NT_STATUS_INVALID_PARAMETER;
66 : }
67 :
68 544090 : return gensec_security->ops->unseal_packet(gensec_security,
69 : data, length,
70 : whole_pdu, pdu_length,
71 : sig);
72 : }
73 :
74 193810 : _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
75 : const uint8_t *data, size_t length,
76 : const uint8_t *whole_pdu, size_t pdu_length,
77 : const DATA_BLOB *sig)
78 : {
79 193810 : if (!gensec_security->ops->check_packet) {
80 0 : return NT_STATUS_NOT_IMPLEMENTED;
81 : }
82 193810 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
83 2 : return NT_STATUS_INVALID_PARAMETER;
84 : }
85 :
86 193808 : return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
87 : }
88 :
89 544096 : _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
90 : TALLOC_CTX *mem_ctx,
91 : uint8_t *data, size_t length,
92 : const uint8_t *whole_pdu, size_t pdu_length,
93 : DATA_BLOB *sig)
94 : {
95 544096 : if (!gensec_security->ops->seal_packet) {
96 0 : return NT_STATUS_NOT_IMPLEMENTED;
97 : }
98 544096 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
99 0 : return NT_STATUS_INVALID_PARAMETER;
100 : }
101 544096 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
102 0 : return NT_STATUS_INVALID_PARAMETER;
103 : }
104 544096 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
105 0 : return NT_STATUS_INVALID_PARAMETER;
106 : }
107 :
108 544096 : return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
109 : }
110 :
111 197146 : _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
112 : TALLOC_CTX *mem_ctx,
113 : const uint8_t *data, size_t length,
114 : const uint8_t *whole_pdu, size_t pdu_length,
115 : DATA_BLOB *sig)
116 : {
117 197146 : if (!gensec_security->ops->sign_packet) {
118 0 : return NT_STATUS_NOT_IMPLEMENTED;
119 : }
120 197146 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
121 0 : return NT_STATUS_INVALID_PARAMETER;
122 : }
123 :
124 197146 : return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
125 : }
126 :
127 276976 : _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
128 : {
129 276976 : if (!gensec_security->ops->sig_size) {
130 905 : return 0;
131 : }
132 276057 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
133 294 : return 0;
134 : }
135 275763 : if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
136 150175 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
137 0 : return 0;
138 : }
139 : }
140 :
141 275763 : return gensec_security->ops->sig_size(gensec_security, data_size);
142 : }
143 :
144 70558 : _PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
145 : {
146 70558 : if (!gensec_security->ops->max_wrapped_size) {
147 9981 : return (1 << 17);
148 : }
149 :
150 60577 : return gensec_security->ops->max_wrapped_size(gensec_security);
151 : }
152 :
153 70558 : _PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
154 : {
155 70558 : if (!gensec_security->ops->max_input_size) {
156 9981 : return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
157 : }
158 :
159 60577 : return gensec_security->ops->max_input_size(gensec_security);
160 : }
161 :
162 2332681 : _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
163 : TALLOC_CTX *mem_ctx,
164 : const DATA_BLOB *in,
165 : DATA_BLOB *out)
166 : {
167 2332681 : if (!gensec_security->ops->wrap) {
168 0 : return NT_STATUS_NOT_IMPLEMENTED;
169 : }
170 2332681 : return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
171 : }
172 :
173 2332689 : _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
174 : TALLOC_CTX *mem_ctx,
175 : const DATA_BLOB *in,
176 : DATA_BLOB *out)
177 : {
178 2332689 : if (!gensec_security->ops->unwrap) {
179 0 : return NT_STATUS_NOT_IMPLEMENTED;
180 : }
181 2332689 : return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
182 : }
183 :
184 58018 : _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
185 : TALLOC_CTX *mem_ctx,
186 : DATA_BLOB *session_key)
187 : {
188 58018 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
189 0 : return NT_STATUS_NO_USER_SESSION_KEY;
190 : }
191 :
192 58018 : if (!gensec_security->ops->session_key) {
193 0 : return NT_STATUS_NOT_IMPLEMENTED;
194 : }
195 :
196 58018 : return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
197 : }
198 :
199 136560 : const char *gensec_final_auth_type(struct gensec_security *gensec_security)
200 : {
201 136560 : if (!gensec_security->ops->final_auth_type) {
202 2645 : return gensec_security->ops->name;
203 : }
204 :
205 133915 : return gensec_security->ops->final_auth_type(gensec_security);
206 : }
207 :
208 : /*
209 : * Log details of a successful GENSEC authorization to a service.
210 : *
211 : * Only successful authorizations are logged, as only these call gensec_session_info()
212 : *
213 : * The service may later refuse authorization due to an ACL.
214 : *
215 : */
216 56082 : static void log_successful_gensec_authz_event(struct gensec_security *gensec_security,
217 : struct auth_session_info *session_info)
218 : {
219 45927 : const struct tsocket_address *remote
220 10155 : = gensec_get_remote_address(gensec_security);
221 45927 : const struct tsocket_address *local
222 10155 : = gensec_get_local_address(gensec_security);
223 45927 : const char *service_description
224 10155 : = gensec_get_target_service_description(gensec_security);
225 45927 : const char *final_auth_type
226 10155 : = gensec_final_auth_type(gensec_security);
227 56082 : const char *transport_protection = NULL;
228 56082 : if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
229 28261 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
230 27299 : } else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
231 74 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
232 27225 : } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
233 15947 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL;
234 11015 : } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
235 10118 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN;
236 : } else {
237 622 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
238 : }
239 56082 : log_successful_authz_event(gensec_security->auth_context->msg_ctx,
240 56082 : gensec_security->auth_context->lp_ctx,
241 : remote, local,
242 : service_description,
243 : final_auth_type,
244 : transport_protection,
245 : session_info);
246 56082 : }
247 :
248 :
249 : /**
250 : * Return the credentials of a logged on user, including session keys
251 : * etc.
252 : *
253 : * Only valid after a successful authentication
254 : *
255 : * May only be called once per authentication. This will also make an
256 : * authorization log entry, as it is already called by all the
257 : * callers.
258 : *
259 : */
260 :
261 107943 : _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
262 : TALLOC_CTX *mem_ctx,
263 : struct auth_session_info **session_info)
264 : {
265 : NTSTATUS status;
266 107943 : if (!gensec_security->ops->session_info) {
267 0 : return NT_STATUS_NOT_IMPLEMENTED;
268 : }
269 107943 : status = gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
270 :
271 107943 : if (NT_STATUS_IS_OK(status) && !gensec_security->subcontext
272 56196 : && (gensec_security->want_features & GENSEC_FEATURE_NO_AUTHZ_LOG) == 0) {
273 56082 : log_successful_gensec_authz_event(gensec_security, *session_info);
274 : }
275 :
276 107943 : return status;
277 : }
278 :
279 394 : _PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
280 : uint32_t max_update_size)
281 : {
282 394 : gensec_security->max_update_size = max_update_size;
283 394 : }
284 :
285 156760 : _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
286 : {
287 156760 : if (gensec_security->max_update_size == 0) {
288 153962 : return UINT32_MAX;
289 : }
290 :
291 394 : return gensec_security->max_update_size;
292 : }
293 :
294 219989 : static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
295 : {
296 : bool ok;
297 :
298 : /*
299 : * gensec_want_feature(GENSEC_FEATURE_SIGN)
300 : * and
301 : * gensec_want_feature(GENSEC_FEATURE_SEAL)
302 : * require these flags to be available.
303 : */
304 219989 : if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
305 58807 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
306 1 : DEBUG(0,("Did not manage to negotiate mandatory feature "
307 : "SIGN\n"));
308 1 : return NT_STATUS_ACCESS_DENIED;
309 : }
310 : }
311 219988 : if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
312 36303 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
313 1 : DEBUG(0,("Did not manage to negotiate mandatory feature "
314 : "SEAL\n"));
315 1 : return NT_STATUS_ACCESS_DENIED;
316 : }
317 36302 : if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
318 0 : DEBUG(0,("Did not manage to negotiate mandatory feature "
319 : "SIGN for SEAL\n"));
320 0 : return NT_STATUS_ACCESS_DENIED;
321 : }
322 : }
323 :
324 219987 : if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_PACKET) {
325 194786 : return NT_STATUS_OK;
326 : }
327 :
328 25201 : ok = gensec_have_feature(gensec_security,
329 : GENSEC_FEATURE_SIGN_PKT_HEADER);
330 25201 : if (!ok) {
331 0 : DBG_ERR("backend [%s] does not support header signing! "
332 : "auth_level[0x%x]\n",
333 : gensec_security->ops->name,
334 : gensec_security->dcerpc_auth_level);
335 0 : return NT_STATUS_INTERNAL_ERROR;
336 : }
337 :
338 25201 : return NT_STATUS_OK;
339 : }
340 :
341 : /**
342 : * Next state function for the GENSEC state machine
343 : *
344 : * @param gensec_security GENSEC State
345 : * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
346 : * @param in The request, as a DATA_BLOB
347 : * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
348 : * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
349 : * or NT_STATUS_OK if the user is authenticated.
350 : */
351 104122 : _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
352 : TALLOC_CTX *out_mem_ctx,
353 : const DATA_BLOB in, DATA_BLOB *out)
354 : {
355 : NTSTATUS status;
356 104122 : TALLOC_CTX *frame = NULL;
357 104122 : struct tevent_context *ev = NULL;
358 104122 : struct tevent_req *subreq = NULL;
359 : bool ok;
360 :
361 104122 : if (gensec_security->subcontext) {
362 : /*
363 : * gensec modules are not allowed to call the sync version.
364 : */
365 0 : return NT_STATUS_INTERNAL_ERROR;
366 : }
367 :
368 104122 : frame = talloc_stackframe();
369 :
370 104122 : ev = samba_tevent_context_init(frame);
371 104122 : if (ev == NULL) {
372 0 : status = NT_STATUS_NO_MEMORY;
373 0 : goto fail;
374 : }
375 :
376 : /*
377 : * TODO: remove this hack once the backends
378 : * are fixed.
379 : */
380 104122 : tevent_loop_allow_nesting(ev);
381 :
382 104122 : subreq = gensec_update_send(frame, ev, gensec_security, in);
383 104122 : if (subreq == NULL) {
384 0 : status = NT_STATUS_NO_MEMORY;
385 0 : goto fail;
386 : }
387 104122 : ok = tevent_req_poll_ntstatus(subreq, ev, &status);
388 104122 : if (!ok) {
389 0 : goto fail;
390 : }
391 104122 : status = gensec_update_recv(subreq, out_mem_ctx, out);
392 104122 : fail:
393 104122 : TALLOC_FREE(frame);
394 104122 : return status;
395 : }
396 :
397 : struct gensec_update_state {
398 : const struct gensec_security_ops *ops;
399 : struct gensec_security *gensec_security;
400 : NTSTATUS status;
401 : DATA_BLOB out;
402 : };
403 :
404 : static void gensec_update_cleanup(struct tevent_req *req,
405 : enum tevent_req_state req_state);
406 : static void gensec_update_done(struct tevent_req *subreq);
407 :
408 : /**
409 : * Next state function for the GENSEC state machine async version
410 : *
411 : * @param mem_ctx The memory context for the request
412 : * @param ev The event context for the request
413 : * @param gensec_security GENSEC State
414 : * @param in The request, as a DATA_BLOB
415 : *
416 : * @return The request handle or NULL on no memory failure
417 : */
418 :
419 489208 : _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
420 : struct tevent_context *ev,
421 : struct gensec_security *gensec_security,
422 : const DATA_BLOB in)
423 : {
424 489208 : struct tevent_req *req = NULL;
425 489208 : struct gensec_update_state *state = NULL;
426 489208 : struct tevent_req *subreq = NULL;
427 :
428 489208 : req = tevent_req_create(mem_ctx, &state,
429 : struct gensec_update_state);
430 489208 : if (req == NULL) {
431 0 : return NULL;
432 : }
433 489208 : state->ops = gensec_security->ops;
434 489208 : state->gensec_security = gensec_security;
435 :
436 489208 : if (gensec_security->update_busy_ptr != NULL) {
437 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
438 0 : return tevent_req_post(req, ev);
439 : }
440 :
441 489208 : if (gensec_security->child_security != NULL) {
442 0 : tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
443 0 : return tevent_req_post(req, ev);
444 : }
445 :
446 489208 : gensec_security->update_busy_ptr = &state->gensec_security;
447 489208 : tevent_req_set_cleanup_fn(req, gensec_update_cleanup);
448 :
449 489208 : subreq = state->ops->update_send(state, ev, gensec_security, in);
450 489208 : if (tevent_req_nomem(subreq, req)) {
451 0 : return tevent_req_post(req, ev);
452 : }
453 489208 : tevent_req_set_callback(subreq, gensec_update_done, req);
454 :
455 489208 : DBG_DEBUG("%s[%p]: subreq: %p\n", state->ops->name,
456 : state->gensec_security, subreq);
457 :
458 482554 : return req;
459 : }
460 :
461 978416 : static void gensec_update_cleanup(struct tevent_req *req,
462 : enum tevent_req_state req_state)
463 : {
464 823210 : struct gensec_update_state *state =
465 978416 : tevent_req_data(req,
466 : struct gensec_update_state);
467 :
468 978416 : if (state->gensec_security == NULL) {
469 482554 : return;
470 : }
471 :
472 489208 : if (state->gensec_security->update_busy_ptr == &state->gensec_security) {
473 489208 : state->gensec_security->update_busy_ptr = NULL;
474 : }
475 :
476 489208 : state->gensec_security = NULL;
477 : }
478 :
479 489208 : static void gensec_update_done(struct tevent_req *subreq)
480 : {
481 411605 : struct tevent_req *req =
482 489208 : tevent_req_callback_data(subreq,
483 : struct tevent_req);
484 411605 : struct gensec_update_state *state =
485 489208 : tevent_req_data(req,
486 : struct gensec_update_state);
487 : NTSTATUS status;
488 489208 : const char *debug_subreq = NULL;
489 :
490 489208 : if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
491 : /*
492 : * We need to call tevent_req_print()
493 : * before calling the _recv function,
494 : * before tevent_req_received() was called.
495 : * in order to print the pointer value of
496 : * the subreq state.
497 : */
498 10 : debug_subreq = tevent_req_print(state, subreq);
499 : }
500 :
501 489208 : status = state->ops->update_recv(subreq, state, &state->out);
502 489208 : TALLOC_FREE(subreq);
503 489208 : state->status = status;
504 489208 : if (GENSEC_UPDATE_IS_NTERROR(status)) {
505 7095 : NTSTATUS orig_status = status;
506 7095 : bool force_no_such_user = false;
507 :
508 : /*
509 : * callers only expect NT_STATUS_NO_SUCH_USER.
510 : */
511 7095 : if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) {
512 0 : force_no_such_user = true;
513 7095 : } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
514 0 : force_no_such_user = true;
515 : }
516 :
517 7095 : if (state->gensec_security->subcontext) {
518 : /*
519 : * We should only map on the outer
520 : * gensec_update exchange, spnego
521 : * needs the raw status.
522 : */
523 3991 : force_no_such_user = false;
524 : }
525 :
526 7095 : if (force_no_such_user) {
527 : /*
528 : * nt_status_squash() may map
529 : * to NT_STATUS_LOGON_FAILURE later
530 : */
531 0 : status = NT_STATUS_NO_SUCH_USER;
532 : }
533 :
534 7095 : DBG_INFO("%s[%p]: %s%s%s%s%s\n",
535 : state->ops->name,
536 : state->gensec_security,
537 : NT_STATUS_EQUAL(status, orig_status) ?
538 : "" : nt_errstr(orig_status),
539 : NT_STATUS_EQUAL(status, orig_status) ?
540 : "" : " ",
541 : nt_errstr(status),
542 : debug_subreq ? " " : "",
543 : debug_subreq ? debug_subreq : "");
544 7095 : tevent_req_nterror(req, status);
545 7095 : return;
546 : }
547 482113 : DBG_DEBUG("%s[%p]: %s %s\n", state->ops->name,
548 : state->gensec_security, nt_errstr(status),
549 : debug_subreq);
550 482113 : if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
551 262124 : tevent_req_done(req);
552 262124 : return;
553 : }
554 :
555 : /*
556 : * Because callers using the
557 : * gensec_start_mech_by_authtype() never call
558 : * gensec_want_feature(), it isn't sensible for them
559 : * to have to call gensec_have_feature() manually, and
560 : * these are not points of negotiation, but are
561 : * asserted by the client
562 : */
563 219989 : status = gensec_verify_features(state->gensec_security);
564 219989 : if (tevent_req_nterror(req, status)) {
565 2 : return;
566 : }
567 :
568 219987 : tevent_req_done(req);
569 : }
570 :
571 : /**
572 : * Next state function for the GENSEC state machine
573 : *
574 : * @param req request state
575 : * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
576 : * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
577 : * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
578 : * or NT_STATUS_OK if the user is authenticated.
579 : */
580 489208 : _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
581 : TALLOC_CTX *out_mem_ctx,
582 : DATA_BLOB *out)
583 : {
584 411605 : struct gensec_update_state *state =
585 489208 : tevent_req_data(req, struct gensec_update_state);
586 : NTSTATUS status;
587 :
588 489208 : *out = data_blob_null;
589 :
590 489208 : if (tevent_req_is_nterror(req, &status)) {
591 7097 : tevent_req_received(req);
592 7097 : return status;
593 : }
594 :
595 482111 : *out = state->out;
596 482111 : talloc_steal(out_mem_ctx, out->data);
597 482111 : status = state->status;
598 482111 : tevent_req_received(req);
599 482111 : return status;
600 : }
601 :
602 : /**
603 : * Set the requirement for a certain feature on the connection
604 : *
605 : */
606 :
607 529172 : _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
608 : uint32_t feature)
609 : {
610 529172 : if (!gensec_security->ops || !gensec_security->ops->want_feature) {
611 484657 : gensec_security->want_features |= feature;
612 484657 : return;
613 : }
614 44515 : gensec_security->ops->want_feature(gensec_security, feature);
615 : }
616 :
617 : /**
618 : * Check the requirement for a certain feature on the connection
619 : *
620 : */
621 :
622 9328070 : _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
623 : uint32_t feature)
624 : {
625 9328070 : if (!gensec_security->ops || !gensec_security->ops->have_feature) {
626 0 : return false;
627 : }
628 :
629 : /* We might 'have' features that we don't 'want', because the
630 : * other end demanded them, or we can't negotiate them off */
631 9328070 : return gensec_security->ops->have_feature(gensec_security, feature);
632 : }
633 :
634 77238 : _PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
635 : {
636 77238 : if (!gensec_security->ops->expire_time) {
637 19387 : return GENSEC_EXPIRE_TIME_INFINITY;
638 : }
639 :
640 57849 : return gensec_security->ops->expire_time(gensec_security);
641 : }
642 : /**
643 : * Return the credentials structure associated with a GENSEC context
644 : *
645 : */
646 :
647 691680 : _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
648 : {
649 691680 : if (!gensec_security) {
650 0 : return NULL;
651 : }
652 691680 : return gensec_security->credentials;
653 : }
654 :
655 : /**
656 : * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
657 : *
658 : * This is used for Kerberos service principal name resolution.
659 : */
660 :
661 143674 : _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
662 : {
663 143674 : gensec_security->target.service = talloc_strdup(gensec_security, service);
664 143674 : if (!gensec_security->target.service) {
665 0 : return NT_STATUS_NO_MEMORY;
666 : }
667 143674 : return NT_STATUS_OK;
668 : }
669 :
670 163107 : _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
671 : {
672 163107 : if (gensec_security->target.service) {
673 153897 : return gensec_security->target.service;
674 : }
675 :
676 9018 : return "host";
677 : }
678 :
679 : /**
680 : * Set the target service (such as 'samr') on an GENSEC context - ensures it is talloc()ed.
681 : *
682 : * This is not the Kerberos service principal, instead this is a
683 : * constant value that can be logged as part of authentication and
684 : * authorization logging
685 : */
686 100164 : _PUBLIC_ NTSTATUS gensec_set_target_service_description(struct gensec_security *gensec_security,
687 : const char *service)
688 : {
689 100164 : gensec_security->target.service_description = talloc_strdup(gensec_security, service);
690 100164 : if (!gensec_security->target.service_description) {
691 0 : return NT_STATUS_NO_MEMORY;
692 : }
693 100164 : return NT_STATUS_OK;
694 : }
695 :
696 84883 : _PUBLIC_ const char *gensec_get_target_service_description(struct gensec_security *gensec_security)
697 : {
698 84883 : if (gensec_security->target.service_description) {
699 81989 : return gensec_security->target.service_description;
700 1824 : } else if (gensec_security->target.service) {
701 276 : return gensec_security->target.service;
702 : }
703 :
704 1548 : return NULL;
705 : }
706 :
707 : /**
708 : * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
709 : *
710 : */
711 :
712 60466 : _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
713 : {
714 60466 : gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
715 60466 : if (hostname && !gensec_security->target.hostname) {
716 0 : return NT_STATUS_NO_MEMORY;
717 : }
718 60466 : return NT_STATUS_OK;
719 : }
720 :
721 163307 : _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
722 : {
723 : /* We allow the target hostname to be overridden for testing purposes */
724 163307 : if (gensec_security->settings->target_hostname) {
725 4766 : return gensec_security->settings->target_hostname;
726 : }
727 :
728 158541 : if (gensec_security->target.hostname) {
729 127453 : return gensec_security->target.hostname;
730 : }
731 :
732 : /* We could add use the 'set sockaddr' call, and do a reverse
733 : * lookup, but this would be both insecure (compromising the
734 : * way kerberos works) and add DNS timeouts */
735 30254 : return NULL;
736 : }
737 :
738 : /**
739 : * Set (and copy) local and peer socket addresses onto a socket
740 : * context on the GENSEC context.
741 : *
742 : * This is so that kerberos can include these addresses in
743 : * cryptographic tokens, to avoid certain attacks.
744 : */
745 :
746 : /**
747 : * @brief Set the local gensec address.
748 : *
749 : * @param gensec_security The gensec security context to use.
750 : *
751 : * @param remote The local address to set.
752 : *
753 : * @return On success NT_STATUS_OK is returned or an NT_STATUS
754 : * error.
755 : */
756 100296 : _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
757 : const struct tsocket_address *local)
758 : {
759 100296 : TALLOC_FREE(gensec_security->local_addr);
760 :
761 100296 : if (local == NULL) {
762 0 : return NT_STATUS_OK;
763 : }
764 :
765 100296 : gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
766 100296 : if (gensec_security->local_addr == NULL) {
767 0 : return NT_STATUS_NO_MEMORY;
768 : }
769 :
770 100296 : return NT_STATUS_OK;
771 : }
772 :
773 : /**
774 : * @brief Set the remote gensec address.
775 : *
776 : * @param gensec_security The gensec security context to use.
777 : *
778 : * @param remote The remote address to set.
779 : *
780 : * @return On success NT_STATUS_OK is returned or an NT_STATUS
781 : * error.
782 : */
783 100262 : _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
784 : const struct tsocket_address *remote)
785 : {
786 100262 : TALLOC_FREE(gensec_security->remote_addr);
787 :
788 100262 : if (remote == NULL) {
789 0 : return NT_STATUS_OK;
790 : }
791 :
792 100262 : gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
793 100262 : if (gensec_security->remote_addr == NULL) {
794 0 : return NT_STATUS_NO_MEMORY;
795 : }
796 :
797 100262 : return NT_STATUS_OK;
798 : }
799 :
800 : /**
801 : * @brief Get the local address from a gensec security context.
802 : *
803 : * @param gensec_security The security context to get the address from.
804 : *
805 : * @return The address as tsocket_address which could be NULL if
806 : * no address is set.
807 : */
808 86540 : _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
809 : {
810 86540 : if (gensec_security == NULL) {
811 0 : return NULL;
812 : }
813 86540 : return gensec_security->local_addr;
814 : }
815 :
816 : /**
817 : * @brief Get the remote address from a gensec security context.
818 : *
819 : * @param gensec_security The security context to get the address from.
820 : *
821 : * @return The address as tsocket_address which could be NULL if
822 : * no address is set.
823 : */
824 114625 : _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
825 : {
826 114625 : if (gensec_security == NULL) {
827 0 : return NULL;
828 : }
829 114625 : return gensec_security->remote_addr;
830 : }
831 :
832 : /**
833 : * Set the target principal (assuming it it known, say from the SPNEGO reply)
834 : * - ensures it is talloc()ed
835 : *
836 : */
837 :
838 227 : _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
839 : {
840 227 : gensec_security->target.principal = talloc_strdup(gensec_security, principal);
841 227 : if (!gensec_security->target.principal) {
842 0 : return NT_STATUS_NO_MEMORY;
843 : }
844 227 : return NT_STATUS_OK;
845 : }
846 :
847 120640 : _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
848 : {
849 120640 : if (gensec_security->target.principal) {
850 683 : return gensec_security->target.principal;
851 : }
852 :
853 116879 : return NULL;
854 : }
|