LCOV - code coverage report
Current view: top level - auth/gensec - gensec_util.c (source / functions) Hit Total Coverage
Test: coverage report for master 6248eab5 Lines: 78 98 79.6 %
Date: 2021-08-25 13:27:56 Functions: 18 18 100.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Generic Authentication Interface
       5             : 
       6             :    Copyright (C) Andrew Tridgell 2003
       7             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
       8             : 
       9             :    This program is free software; you can redistribute it and/or modify
      10             :    it under the terms of the GNU General Public License as published by
      11             :    the Free Software Foundation; either version 3 of the License, or
      12             :    (at your option) any later version.
      13             : 
      14             :    This program is distributed in the hope that it will be useful,
      15             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      16             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      17             :    GNU General Public License for more details.
      18             : 
      19             :    You should have received a copy of the GNU General Public License
      20             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      21             : */
      22             : 
      23             : #include "includes.h"
      24             : #include "auth/gensec/gensec.h"
      25             : #include "auth/gensec/gensec_internal.h"
      26             : #include "auth/common_auth.h"
      27             : #include "../lib/util/asn1.h"
      28             : 
      29             : #undef DBGC_CLASS
      30             : #define DBGC_CLASS DBGC_AUTH
      31             : 
      32       28223 : NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
      33             :                                           struct gensec_security *gensec_security,
      34             :                                           struct smb_krb5_context *smb_krb5_context,
      35             :                                           DATA_BLOB *pac_blob,
      36             :                                           const char *principal_string,
      37             :                                           const struct tsocket_address *remote_address,
      38             :                                           struct auth_session_info **session_info)
      39             : {
      40       28223 :         uint32_t session_info_flags = 0;
      41       28223 :         struct auth4_context *auth_context = NULL;
      42             :         NTSTATUS status;
      43             : 
      44       28223 :         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
      45        7467 :                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
      46             :         }
      47             : 
      48       28223 :         session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
      49             : 
      50       28223 :         if (!pac_blob) {
      51           0 :                 if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
      52           0 :                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
      53             :                                   principal_string));
      54           0 :                         return NT_STATUS_ACCESS_DENIED;
      55             :                 }
      56           0 :                 DBG_NOTICE("Unable to find PAC for %s, resorting to local "
      57             :                            "user lookup\n", principal_string);
      58             :         }
      59             : 
      60       28223 :         auth_context = gensec_security->auth_context;
      61             : 
      62       56446 :         if ((auth_context == NULL) ||
      63       28223 :             (auth_context->generate_session_info_pac == NULL)) {
      64           0 :                 DBG_ERR("Cannot generate a session_info without "
      65             :                         "the auth_context\n");
      66           0 :                 return NT_STATUS_INTERNAL_ERROR;
      67             :         }
      68             : 
      69       28223 :         status = auth_context->generate_session_info_pac(
      70             :                 auth_context,
      71             :                 mem_ctx,
      72             :                 smb_krb5_context,
      73             :                 pac_blob,
      74             :                 principal_string,
      75             :                 remote_address,
      76             :                 session_info_flags,
      77             :                 session_info);
      78       28223 :         return status;
      79             : }
      80             : 
      81             : /*
      82             :   magic check a GSS-API wrapper packet for an Kerberos OID
      83             : */
      84         263 : static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
      85             : {
      86         263 :         bool ret = false;
      87         263 :         struct asn1_data *data = asn1_init(NULL, ASN1_MAX_TREE_DEPTH);
      88             : 
      89         263 :         if (!data) return false;
      90             : 
      91         263 :         if (!asn1_load(data, *blob)) goto err;
      92         263 :         if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
      93         222 :         if (!asn1_check_OID(data, oid)) goto err;
      94             : 
      95         222 :         ret = !asn1_has_error(data);
      96             : 
      97         263 :   err:
      98             : 
      99         263 :         asn1_free(data);
     100         263 :         return ret;
     101             : }
     102             : 
     103             : /**
     104             :  * Check if the packet is one for the KRB5 mechansim
     105             :  *
     106             :  * NOTE: This is a helper that can be employed by multiple mechanisms, do
     107             :  * not make assumptions about the private_data
     108             :  *
     109             :  * @param gensec_security GENSEC state, unused
     110             :  * @param in The request, as a DATA_BLOB
     111             :  * @return Error, INVALID_PARAMETER if it's not a packet for us
     112             :  *                or NT_STATUS_OK if the packet is ok.
     113             :  */
     114             : 
     115         263 : NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
     116             :                                         const DATA_BLOB *blob)
     117             : {
     118         263 :         if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
     119         222 :                 return NT_STATUS_OK;
     120             :         } else {
     121          41 :                 return NT_STATUS_INVALID_PARAMETER;
     122             :         }
     123             : }
     124             : 
     125       45184 : void gensec_child_want_feature(struct gensec_security *gensec_security,
     126             :                                uint32_t feature)
     127             : {
     128       45184 :         struct gensec_security *child_security = gensec_security->child_security;
     129             : 
     130       45184 :         gensec_security->want_features |= feature;
     131       45184 :         if (child_security == NULL) {
     132       39441 :                 return;
     133             :         }
     134        4834 :         gensec_want_feature(child_security, feature);
     135             : }
     136             : 
     137     2151542 : bool gensec_child_have_feature(struct gensec_security *gensec_security,
     138             :                                uint32_t feature)
     139             : {
     140     2151542 :         struct gensec_security *child_security = gensec_security->child_security;
     141             : 
     142     2151542 :         if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
     143             :                 /*
     144             :                  * All mechs with sub (child) mechs need to provide DCERPC
     145             :                  * header signing! This is required because the negotiation
     146             :                  * of header signing is done before the authentication
     147             :                  * is completed.
     148             :                  */
     149       15662 :                 return true;
     150             :         }
     151             : 
     152     2135580 :         if (child_security == NULL) {
     153           0 :                 return false;
     154             :         }
     155             : 
     156     2135580 :         return gensec_have_feature(child_security, feature);
     157             : }
     158             : 
     159      247548 : NTSTATUS gensec_child_unseal_packet(struct gensec_security *gensec_security,
     160             :                                     uint8_t *data, size_t length,
     161             :                                     const uint8_t *whole_pdu, size_t pdu_length,
     162             :                                     const DATA_BLOB *sig)
     163             : {
     164      247548 :         if (gensec_security->child_security == NULL) {
     165           0 :                 return NT_STATUS_INVALID_PARAMETER;
     166             :         }
     167             : 
     168      247548 :         return gensec_unseal_packet(gensec_security->child_security,
     169             :                                     data, length,
     170             :                                     whole_pdu, pdu_length,
     171             :                                     sig);
     172             : }
     173             : 
     174       55434 : NTSTATUS gensec_child_check_packet(struct gensec_security *gensec_security,
     175             :                                    const uint8_t *data, size_t length,
     176             :                                    const uint8_t *whole_pdu, size_t pdu_length,
     177             :                                    const DATA_BLOB *sig)
     178             : {
     179       55434 :         if (gensec_security->child_security == NULL) {
     180           0 :                 return NT_STATUS_INVALID_PARAMETER;
     181             :         }
     182             : 
     183       55434 :         return gensec_check_packet(gensec_security->child_security,
     184             :                                    data, length,
     185             :                                    whole_pdu, pdu_length,
     186             :                                    sig);
     187             : }
     188             : 
     189      247557 : NTSTATUS gensec_child_seal_packet(struct gensec_security *gensec_security,
     190             :                                   TALLOC_CTX *mem_ctx,
     191             :                                   uint8_t *data, size_t length,
     192             :                                   const uint8_t *whole_pdu, size_t pdu_length,
     193             :                                   DATA_BLOB *sig)
     194             : {
     195      247557 :         if (gensec_security->child_security == NULL) {
     196           0 :                 return NT_STATUS_INVALID_PARAMETER;
     197             :         }
     198             : 
     199      247557 :         return gensec_seal_packet(gensec_security->child_security,
     200             :                                   mem_ctx,
     201             :                                   data, length,
     202             :                                   whole_pdu, pdu_length,
     203             :                                   sig);
     204             : }
     205             : 
     206       55676 : NTSTATUS gensec_child_sign_packet(struct gensec_security *gensec_security,
     207             :                                   TALLOC_CTX *mem_ctx,
     208             :                                   const uint8_t *data, size_t length,
     209             :                                   const uint8_t *whole_pdu, size_t pdu_length,
     210             :                                   DATA_BLOB *sig)
     211             : {
     212       55676 :         if (gensec_security->child_security == NULL) {
     213           0 :                 return NT_STATUS_INVALID_PARAMETER;
     214             :         }
     215             : 
     216       55676 :         return gensec_sign_packet(gensec_security->child_security,
     217             :                                   mem_ctx,
     218             :                                   data, length,
     219             :                                   whole_pdu, pdu_length,
     220             :                                   sig);
     221             : }
     222             : 
     223     1167138 : NTSTATUS gensec_child_wrap(struct gensec_security *gensec_security,
     224             :                            TALLOC_CTX *mem_ctx,
     225             :                            const DATA_BLOB *in,
     226             :                            DATA_BLOB *out)
     227             : {
     228     1167138 :         if (gensec_security->child_security == NULL) {
     229           0 :                 return NT_STATUS_INVALID_PARAMETER;
     230             :         }
     231             : 
     232     1167138 :         return gensec_wrap(gensec_security->child_security,
     233             :                            mem_ctx, in, out);
     234             : }
     235             : 
     236     1167138 : NTSTATUS gensec_child_unwrap(struct gensec_security *gensec_security,
     237             :                              TALLOC_CTX *mem_ctx,
     238             :                              const DATA_BLOB *in,
     239             :                              DATA_BLOB *out)
     240             : {
     241     1167138 :         if (gensec_security->child_security == NULL) {
     242           0 :                 return NT_STATUS_INVALID_PARAMETER;
     243             :         }
     244             : 
     245     1167138 :         return gensec_unwrap(gensec_security->child_security,
     246             :                              mem_ctx, in, out);
     247             : }
     248             : 
     249       94155 : size_t gensec_child_sig_size(struct gensec_security *gensec_security,
     250             :                              size_t data_size)
     251             : {
     252       94155 :         if (gensec_security->child_security == NULL) {
     253           0 :                 return 0;
     254             :         }
     255             : 
     256       94155 :         return gensec_sig_size(gensec_security->child_security, data_size);
     257             : }
     258             : 
     259       35516 : size_t gensec_child_max_input_size(struct gensec_security *gensec_security)
     260             : {
     261       35516 :         if (gensec_security->child_security == NULL) {
     262           0 :                 return 0;
     263             :         }
     264             : 
     265       35516 :         return gensec_max_input_size(gensec_security->child_security);
     266             : }
     267             : 
     268       35516 : size_t gensec_child_max_wrapped_size(struct gensec_security *gensec_security)
     269             : {
     270       35516 :         if (gensec_security->child_security == NULL) {
     271           0 :                 return 0;
     272             :         }
     273             : 
     274       35516 :         return gensec_max_wrapped_size(gensec_security->child_security);
     275             : }
     276             : 
     277       28907 : NTSTATUS gensec_child_session_key(struct gensec_security *gensec_security,
     278             :                                   TALLOC_CTX *mem_ctx,
     279             :                                   DATA_BLOB *session_key)
     280             : {
     281       28907 :         if (gensec_security->child_security == NULL) {
     282           0 :                 return NT_STATUS_INVALID_PARAMETER;
     283             :         }
     284             : 
     285       28907 :         return gensec_session_key(gensec_security->child_security,
     286             :                                   mem_ctx,
     287             :                                   session_key);
     288             : }
     289             : 
     290       52048 : NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,
     291             :                                    TALLOC_CTX *mem_ctx,
     292             :                                    struct auth_session_info **session_info)
     293             : {
     294       52048 :         if (gensec_security->child_security == NULL) {
     295           0 :                 return NT_STATUS_INVALID_PARAMETER;
     296             :         }
     297             : 
     298       52048 :         return gensec_session_info(gensec_security->child_security,
     299             :                                    mem_ctx,
     300             :                                    session_info);
     301             : }
     302             : 
     303       38966 : NTTIME gensec_child_expire_time(struct gensec_security *gensec_security)
     304             : {
     305       38966 :         if (gensec_security->child_security == NULL) {
     306           0 :                 return GENSEC_EXPIRE_TIME_INFINITY;
     307             :         }
     308             : 
     309       38966 :         return gensec_expire_time(gensec_security->child_security);
     310             : }
     311             : 
     312       51980 : const char *gensec_child_final_auth_type(struct gensec_security *gensec_security)
     313             : {
     314       51980 :         if (gensec_security->child_security == NULL) {
     315           0 :                 return "NONE";
     316             :         }
     317             : 
     318       51980 :         return gensec_final_auth_type(gensec_security->child_security);
     319             : }

Generated by: LCOV version 1.13