/src/samba/auth/gensec/gensec.c
1 | | /* |
2 | | Unix SMB/CIFS implementation. |
3 | | |
4 | | Generic Authentication Interface |
5 | | |
6 | | Copyright (C) Andrew Tridgell 2003 |
7 | | Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 |
8 | | |
9 | | This program is free software; you can redistribute it and/or modify |
10 | | it under the terms of the GNU General Public License as published by |
11 | | the Free Software Foundation; either version 3 of the License, or |
12 | | (at your option) any later version. |
13 | | |
14 | | This program is distributed in the hope that it will be useful, |
15 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17 | | GNU General Public License for more details. |
18 | | |
19 | | You should have received a copy of the GNU General Public License |
20 | | along with this program. If not, see <http://www.gnu.org/licenses/>. |
21 | | */ |
22 | | |
23 | | #include "includes.h" |
24 | | #include "system/network.h" |
25 | | #define TEVENT_DEPRECATED 1 |
26 | | #include <tevent.h> |
27 | | #include "lib/tsocket/tsocket.h" |
28 | | #include "lib/util/tevent_ntstatus.h" |
29 | | #include "auth/gensec/gensec.h" |
30 | | #include "auth/gensec/gensec_internal.h" |
31 | | #include "librpc/gen_ndr/dcerpc.h" |
32 | | #include "auth/common_auth.h" |
33 | | |
34 | | #undef DBGC_CLASS |
35 | 0 | #define DBGC_CLASS DBGC_AUTH |
36 | | |
/*
 * Ask the backend whether its crypto state may be reset.
 *
 * A backend without a may_reset_crypto hook places no restriction, so
 * NT_STATUS_OK is returned for it; otherwise the hook decides.
 *
 * @param gensec_security GENSEC State
 * @param full_reset      Passed through to the backend hook
 * @return NT_STATUS_OK, or whatever the backend reports
 */
_PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
					   bool full_reset)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->may_reset_crypto == NULL) {
		return NT_STATUS_OK;
	}

	return ops->may_reset_crypto(gensec_security, full_reset);
}
46 | | |
47 | | /* |
48 | | wrappers for the gensec function pointers |
49 | | */ |
/*
 * Hand a sealed packet to the backend for unsealing.
 *
 * `data` is writable, `whole_pdu` is read-only. The backend is only
 * invoked once the context has negotiated SIGN, SEAL and DCE_STYLE:
 * a missing backend hook yields NT_STATUS_NOT_IMPLEMENTED, a missing
 * feature NT_STATUS_INVALID_PARAMETER.
 */
_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
				       uint8_t *data, size_t length,
				       const uint8_t *whole_pdu, size_t pdu_length,
				       const DATA_BLOB *sig)
{
	const struct gensec_security_ops *ops = gensec_security->ops;
	bool negotiated;

	if (ops->unseal_packet == NULL) {
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/* Queried in this order: SIGN, SEAL, DCE_STYLE (short-circuits on the first miss). */
	negotiated = gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN) &&
		     gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) &&
		     gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
	if (!negotiated) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	return ops->unseal_packet(gensec_security,
				  data, length,
				  whole_pdu, pdu_length,
				  sig);
}
73 | | |
/*
 * Verify the signature on a packet via the backend.
 *
 * Requires a check_packet hook (else NT_STATUS_NOT_IMPLEMENTED) and a
 * negotiated SIGN feature (else NT_STATUS_INVALID_PARAMETER).
 */
_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
				      const uint8_t *data, size_t length,
				      const uint8_t *whole_pdu, size_t pdu_length,
				      const DATA_BLOB *sig)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->check_packet == NULL) {
		return NT_STATUS_NOT_IMPLEMENTED;
	}
	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	return ops->check_packet(gensec_security,
				 data, length,
				 whole_pdu, pdu_length,
				 sig);
}
88 | | |
/*
 * Seal (and sign) a packet via the backend.
 *
 * Requires a seal_packet hook (else NT_STATUS_NOT_IMPLEMENTED) and the
 * negotiated SEAL, SIGN and DCE_STYLE features (else
 * NT_STATUS_INVALID_PARAMETER). `sig` is allocated on `mem_ctx` by the backend.
 */
_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
				     TALLOC_CTX *mem_ctx,
				     uint8_t *data, size_t length,
				     const uint8_t *whole_pdu, size_t pdu_length,
				     DATA_BLOB *sig)
{
	const struct gensec_security_ops *ops = gensec_security->ops;
	bool negotiated;

	if (ops->seal_packet == NULL) {
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/* Queried in this order: SEAL, SIGN, DCE_STYLE (short-circuits on the first miss). */
	negotiated = gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) &&
		     gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN) &&
		     gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
	if (!negotiated) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	return ops->seal_packet(gensec_security, mem_ctx,
				data, length,
				whole_pdu, pdu_length,
				sig);
}
110 | | |
/*
 * Sign a packet via the backend.
 *
 * Requires a sign_packet hook (else NT_STATUS_NOT_IMPLEMENTED) and a
 * negotiated SIGN feature (else NT_STATUS_INVALID_PARAMETER). `sig` is
 * allocated on `mem_ctx` by the backend.
 */
_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
				     TALLOC_CTX *mem_ctx,
				     const uint8_t *data, size_t length,
				     const uint8_t *whole_pdu, size_t pdu_length,
				     DATA_BLOB *sig)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->sign_packet == NULL) {
		return NT_STATUS_NOT_IMPLEMENTED;
	}
	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	return ops->sign_packet(gensec_security, mem_ctx,
				data, length,
				whole_pdu, pdu_length,
				sig);
}
126 | | |
/*
 * Size of the signature the backend will produce for `data_size` bytes.
 *
 * Returns 0 when no sig_size hook exists, when SIGN was not negotiated,
 * or when SEAL was negotiated without DCE_STYLE.
 */
_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
	const struct gensec_security_ops *ops = gensec_security->ops;
	bool sealed;

	if (ops->sig_size == NULL) {
		return 0;
	}
	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
		return 0;
	}

	/* DCE_STYLE is only consulted when SEAL is on, matching the backend query order. */
	sealed = gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL);
	if (sealed && !gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
		return 0;
	}

	return ops->sig_size(gensec_security, data_size);
}
143 | | |
/*
 * Largest wrapped (output) buffer the backend supports.
 *
 * Falls back to 128 KiB (1 << 17) when the backend has no hook.
 */
_PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->max_wrapped_size != NULL) {
		return ops->max_wrapped_size(gensec_security);
	}

	return (1 << 17);
}
152 | | |
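/*
 * Largest unwrapped (input) buffer the backend accepts.
 *
 * Without a backend hook this is derived from the 128 KiB (1 << 17)
 * default wrapped size minus the signature that would be attached to
 * it. A signature at least as large as that budget leaves no room for
 * payload, so 0 is returned rather than letting the size_t subtraction
 * wrap around to a huge limit.
 */
_PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
{
	const size_t default_wrapped = (1 << 17);
	size_t sig_size;

	if (gensec_security->ops->max_input_size != NULL) {
		return gensec_security->ops->max_input_size(gensec_security);
	}

	sig_size = gensec_sig_size(gensec_security, default_wrapped);
	if (sig_size >= default_wrapped) {
		return 0;
	}

	return default_wrapped - sig_size;
}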
161 | | |
/*
 * Wrap `in` into `out` (allocated on `mem_ctx`) via the backend.
 *
 * NT_STATUS_NOT_IMPLEMENTED when the backend has no wrap hook.
 */
_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
			      TALLOC_CTX *mem_ctx,
			      const DATA_BLOB *in,
			      DATA_BLOB *out)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->wrap != NULL) {
		return ops->wrap(gensec_security, mem_ctx, in, out);
	}

	return NT_STATUS_NOT_IMPLEMENTED;
}
172 | | |
/*
 * Unwrap `in` into `out` (allocated on `mem_ctx`) via the backend.
 *
 * NT_STATUS_NOT_IMPLEMENTED when the backend has no unwrap hook.
 */
_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
				TALLOC_CTX *mem_ctx,
				const DATA_BLOB *in,
				DATA_BLOB *out)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->unwrap != NULL) {
		return ops->unwrap(gensec_security, mem_ctx, in, out);
	}

	return NT_STATUS_NOT_IMPLEMENTED;
}
183 | | |
/*
 * Fetch the negotiated session key from the backend.
 *
 * NT_STATUS_NO_USER_SESSION_KEY when GENSEC_FEATURE_SESSION_KEY was not
 * negotiated (checked first), NT_STATUS_NOT_IMPLEMENTED when the backend
 * has no session_key hook.
 */
_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
				     TALLOC_CTX *mem_ctx,
				     DATA_BLOB *session_key)
{
	const struct gensec_security_ops *ops = gensec_security->ops;
	bool have_key;

	have_key = gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY);
	if (!have_key) {
		return NT_STATUS_NO_USER_SESSION_KEY;
	}

	if (ops->session_key == NULL) {
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	return ops->session_key(gensec_security, mem_ctx, session_key);
}
198 | | |
/*
 * Name of the authentication type that finally did the work.
 *
 * Backends that wrap another mechanism report it via final_auth_type;
 * otherwise the backend's own name is used.
 */
const char *gensec_final_auth_type(struct gensec_security *gensec_security)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->final_auth_type != NULL) {
		return ops->final_auth_type(gensec_security);
	}

	return ops->name;
}
207 | | |
/*
 * Work out the transport-protection label for the authorization log.
 *
 * SMB and LDAPS transport protection are taken from want_features,
 * i.e. from what the caller declared about the transport, while SEAL
 * and SIGN reflect what the context actually negotiated
 * (gensec_have_feature()). Order matters: the first match wins.
 */
static const char *gensec_authz_transport_protection(struct gensec_security *gensec_security)
{
	if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
		return AUTHZ_TRANSPORT_PROTECTION_SMB;
	}
	if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
		return AUTHZ_TRANSPORT_PROTECTION_TLS;
	}
	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
		return AUTHZ_TRANSPORT_PROTECTION_SEAL;
	}
	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
		return AUTHZ_TRANSPORT_PROTECTION_SIGN;
	}
	return AUTHZ_TRANSPORT_PROTECTION_NONE;
}

/*
 * Log details of a successful GENSEC authorization to a service.
 *
 * Only successful authorizations are logged, as only these call
 * gensec_session_info(). The service may later refuse authorization
 * due to an ACL.
 *
 * The client/server audit info slots of log_successful_authz_event()
 * are not filled in from here.
 */
static void log_successful_gensec_authz_event(struct gensec_security *gensec_security,
					      struct auth_session_info *session_info)
{
	const struct tsocket_address *remote_addr = gensec_get_remote_address(gensec_security);
	const struct tsocket_address *local_addr = gensec_get_local_address(gensec_security);
	const char *service = gensec_get_target_service_description(gensec_security);
	const char *auth_type = gensec_final_auth_type(gensec_security);
	const char *protection = gensec_authz_transport_protection(gensec_security);

	log_successful_authz_event(gensec_security->auth_context->msg_ctx,
				   gensec_security->auth_context->lp_ctx,
				   remote_addr, local_addr,
				   service,
				   auth_type,
				   protection,
				   session_info,
				   NULL /* client_audit_info */,
				   NULL /* server_audit_info */);
}
249 | | |
250 | | |
/**
 * Return the credentials of a logged on user, including session keys
 * etc.
 *
 * Only valid after a successful authentication.
 *
 * May only be called once per authentication. On success this also
 * writes the authorization log entry, as every caller ends up here;
 * the entry is skipped for sub-contexts and when
 * GENSEC_FEATURE_NO_AUTHZ_LOG was requested.
 *
 * @param gensec_security GENSEC State
 * @param mem_ctx         TALLOC_CTX for *session_info
 * @param session_info    Receives the backend's session info on success
 * @return NT_STATUS_NOT_IMPLEMENTED without a session_info hook,
 *         otherwise the backend's status.
 */
_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
				      TALLOC_CTX *mem_ctx,
				      struct auth_session_info **session_info)
{
	const struct gensec_security_ops *ops = gensec_security->ops;
	NTSTATUS status;
	bool log_authz;

	if (ops->session_info == NULL) {
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	status = ops->session_info(gensec_security, mem_ctx, session_info);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	log_authz = !gensec_security->subcontext &&
		    (gensec_security->want_features & GENSEC_FEATURE_NO_AUTHZ_LOG) == 0;
	if (log_authz) {
		log_successful_gensec_authz_event(gensec_security, *session_info);
	}

	return status;
}
280 | | |
/*
 * Record the largest update blob the caller is willing to handle.
 *
 * A value of 0 is interpreted by gensec_max_update_size() as "no limit".
 */
_PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
					 uint32_t max_update_size)
{
	struct gensec_security *ctx = gensec_security;

	ctx->max_update_size = max_update_size;
}
286 | | |
/*
 * Largest update blob the caller is willing to handle.
 *
 * An unset (0) value means no limit and is reported as UINT32_MAX.
 */
_PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
{
	size_t limit = gensec_security->max_update_size;

	return (limit == 0) ? UINT32_MAX : limit;
}
295 | | |
/*
 * Refuse a context that negotiated less protection than the caller
 * demanded through gensec_want_feature().
 *
 * A wanted SIGN or SEAL that is not available is reported as
 * NT_STATUS_ACCESS_DENIED (SEAL also implies SIGN). For DCE/RPC auth
 * levels of PACKET and above the backend must additionally support
 * header signing, otherwise NT_STATUS_INTERNAL_ERROR is returned.
 */
static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
{
	const bool want_sign =
		(gensec_security->want_features & GENSEC_FEATURE_SIGN) != 0;
	const bool want_seal =
		(gensec_security->want_features & GENSEC_FEATURE_SEAL) != 0;
	bool header_signing;

	/*
	 * gensec_want_feature(GENSEC_FEATURE_SIGN)
	 * and
	 * gensec_want_feature(GENSEC_FEATURE_SEAL)
	 * require these flags to be available.
	 */
	if (want_sign &&
	    !gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
		DEBUG(0,("Did not manage to negotiate mandatory feature "
			 "SIGN\n"));
		return NT_STATUS_ACCESS_DENIED;
	}
	if (want_seal) {
		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
			DEBUG(0,("Did not manage to negotiate mandatory feature "
				 "SEAL\n"));
			return NT_STATUS_ACCESS_DENIED;
		}
		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
			DEBUG(0,("Did not manage to negotiate mandatory feature "
				 "SIGN for SEAL\n"));
			return NT_STATUS_ACCESS_DENIED;
		}
	}

	/* Header signing is only mandatory from auth level PACKET upwards. */
	if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_PACKET) {
		return NT_STATUS_OK;
	}

	header_signing = gensec_have_feature(gensec_security,
					     GENSEC_FEATURE_SIGN_PKT_HEADER);
	if (!header_signing) {
		DBG_ERR("backend [%s] does not support header signing! "
			"auth_level[0x%x]\n",
			gensec_security->ops->name,
			gensec_security->dcerpc_auth_level);
		return NT_STATUS_INTERNAL_ERROR;
	}

	return NT_STATUS_OK;
}
342 | | |
/**
 * Next state function for the GENSEC state machine (synchronous form)
 *
 * Drives gensec_update_send()/gensec_update_recv() on a private event
 * context. Sub-contexts (gensec modules) must not use this entry point
 * and get NT_STATUS_INTERNAL_ERROR.
 *
 * @param gensec_security GENSEC State
 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 * @param in The request, as a DATA_BLOB
 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 *         or NT_STATUS_OK if the user is authenticated.
 */
_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
				TALLOC_CTX *out_mem_ctx,
				const DATA_BLOB in, DATA_BLOB *out)
{
	NTSTATUS status = NT_STATUS_NO_MEMORY;
	TALLOC_CTX *frame = NULL;
	struct tevent_context *ev = NULL;
	struct tevent_req *subreq = NULL;

	if (gensec_security->subcontext) {
		/*
		 * gensec modules are not allowed to call the sync version.
		 */
		return NT_STATUS_INTERNAL_ERROR;
	}

	frame = talloc_stackframe();

	ev = samba_tevent_context_init(frame);
	if (ev == NULL) {
		goto done;
	}

	/*
	 * TODO: remove this hack once the backends
	 * are fixed.
	 */
	tevent_loop_allow_nesting(ev);

	subreq = gensec_update_send(frame, ev, gensec_security, in);
	if (subreq == NULL) {
		goto done;
	}

	/* On a failed poll `status` is filled in by tevent_req_poll_ntstatus(). */
	if (!tevent_req_poll_ntstatus(subreq, ev, &status)) {
		goto done;
	}

	status = gensec_update_recv(subreq, out_mem_ctx, out);
done:
	TALLOC_FREE(frame);
	return status;
}
398 | | |
/* Per-request state shared by gensec_update_send()/_done()/_recv(). */
struct gensec_update_state {
	/* Backend ops captured at send time. */
	const struct gensec_security_ops *ops;
	/* Cleared by gensec_update_cleanup(); also serves as the busy marker. */
	struct gensec_security *gensec_security;
	/* Result of the backend's update_recv(), handed out by gensec_update_recv(). */
	NTSTATUS status;
	/* Output blob from the backend, stolen to the caller's context in _recv(). */
	DATA_BLOB out;
};
405 | | |
/* Forward declarations for the async update helpers defined below. */
static void gensec_update_cleanup(struct tevent_req *req,
				  enum tevent_req_state req_state);
static void gensec_update_done(struct tevent_req *subreq);
409 | | |
/**
 * Next state function for the GENSEC state machine async version
 *
 * Only one update may be in flight per context: a second concurrent
 * call fails with NT_STATUS_INTERNAL_ERROR, and a context that already
 * has a child_security fails with NT_STATUS_INVALID_PARAMETER. The busy
 * marker is released by gensec_update_cleanup().
 *
 * @param mem_ctx The memory context for the request
 * @param ev The event context for the request
 * @param gensec_security GENSEC State
 * @param in The request, as a DATA_BLOB
 *
 * @return The request handle or NULL on no memory failure
 */
_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
					       struct tevent_context *ev,
					       struct gensec_security *gensec_security,
					       const DATA_BLOB in)
{
	struct tevent_req *req = NULL;
	struct gensec_update_state *state = NULL;
	struct tevent_req *backend_req = NULL;

	req = tevent_req_create(mem_ctx, &state,
				struct gensec_update_state);
	if (req == NULL) {
		return NULL;
	}
	state->gensec_security = gensec_security;
	state->ops = gensec_security->ops;

	if (gensec_security->update_busy_ptr != NULL) {
		/* Another update is still in progress on this context. */
		tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
		return tevent_req_post(req, ev);
	}

	if (gensec_security->child_security != NULL) {
		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
		return tevent_req_post(req, ev);
	}

	/* Mark the context busy until this request is cleaned up. */
	gensec_security->update_busy_ptr = &state->gensec_security;
	tevent_req_set_cleanup_fn(req, gensec_update_cleanup);

	backend_req = state->ops->update_send(state, ev, gensec_security, in);
	if (tevent_req_nomem(backend_req, req)) {
		return tevent_req_post(req, ev);
	}
	tevent_req_set_callback(backend_req, gensec_update_done, req);

	DBG_DEBUG("%s[%p]: subreq: %p\n", state->ops->name,
		  state->gensec_security, backend_req);

	return req;
}
462 | | |
/*
 * Request cleanup: release the busy marker on the gensec context.
 *
 * Only clears update_busy_ptr when it still points at this request's
 * state, so a stale cleanup cannot unmark a newer request.
 */
static void gensec_update_cleanup(struct tevent_req *req,
				  enum tevent_req_state req_state)
{
	struct gensec_update_state *state =
		tevent_req_data(req,
		struct gensec_update_state);
	struct gensec_security *ctx = state->gensec_security;

	if (ctx == NULL) {
		return;
	}

	if (ctx->update_busy_ptr == &state->gensec_security) {
		ctx->update_busy_ptr = NULL;
	}

	state->gensec_security = NULL;
}
480 | | |
/*
 * Completion callback for the backend's update_send().
 *
 * Collects the backend's status and output blob into the request
 * state, normalises the error reported to callers on the outer
 * context, and once the exchange has finished (anything other than
 * NT_STATUS_MORE_PROCESSING_REQUIRED) checks via
 * gensec_verify_features() that the mandatory features were actually
 * negotiated before completing the request.
 */
static void gensec_update_done(struct tevent_req *subreq)
{
	struct tevent_req *req =
		tevent_req_callback_data(subreq,
		struct tevent_req);
	struct gensec_update_state *state =
		tevent_req_data(req,
		struct gensec_update_state);
	NTSTATUS status;
	const char *debug_subreq = NULL;

	if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
		/*
		 * We need to call tevent_req_print()
		 * before calling the _recv function,
		 * before tevent_req_received() was called.
		 * in order to print the pointer value of
		 * the subreq state.
		 */
		debug_subreq = tevent_req_print(state, subreq);
	}

	status = state->ops->update_recv(subreq, state, &state->out);
	TALLOC_FREE(subreq);
	state->status = status;
	if (GENSEC_UPDATE_IS_NTERROR(status)) {
		NTSTATUS orig_status = status;
		bool force_no_such_user = false;

		/*
		 * callers only expect NT_STATUS_NO_SUCH_USER.
		 */
		if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) {
			force_no_such_user = true;
		} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
			force_no_such_user = true;
		}

		if (state->gensec_security->subcontext) {
			/*
			 * We should only map on the outer
			 * gensec_update exchange, spnego
			 * needs the raw status.
			 */
			force_no_such_user = false;
		}

		if (force_no_such_user) {
			/*
			 * nt_status_squash() may map
			 * to NT_STATUS_LOGON_FAILURE later
			 */
			status = NT_STATUS_NO_SUCH_USER;
		}

		/* The raw backend status is logged alongside the mapped one when they differ. */
		DBG_INFO("%s[%p]: %s%s%s%s%s\n",
			 state->ops->name,
			 state->gensec_security,
			 NT_STATUS_EQUAL(status, orig_status) ?
			 "" : nt_errstr(orig_status),
			 NT_STATUS_EQUAL(status, orig_status) ?
			 "" : " ",
			 nt_errstr(status),
			 debug_subreq ? " " : "",
			 debug_subreq ? debug_subreq : "");
		tevent_req_nterror(req, status);
		return;
	}
	DBG_DEBUG("%s[%p]: %s %s\n", state->ops->name,
		  state->gensec_security, nt_errstr(status),
		  debug_subreq);
	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
		/* Exchange not finished yet; feature verification waits for the final leg. */
		tevent_req_done(req);
		return;
	}

	/*
	 * Because callers using the
	 * gensec_start_mech_by_authtype() never call
	 * gensec_want_feature(), it isn't sensible for them
	 * to have to call gensec_have_feature() manually, and
	 * these are not points of negotiation, but are
	 * asserted by the client
	 */
	status = gensec_verify_features(state->gensec_security);
	if (tevent_req_nterror(req, status)) {
		return;
	}

	tevent_req_done(req);
}
572 | | |
/**
 * Next state function for the GENSEC state machine
 *
 * Collects the result of gensec_update_send(). *out is always
 * initialised (to data_blob_null on error) and its data is moved onto
 * out_mem_ctx on success.
 *
 * @param req request state
 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 *         or NT_STATUS_OK if the user is authenticated.
 */
_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
				     TALLOC_CTX *out_mem_ctx,
				     DATA_BLOB *out)
{
	struct gensec_update_state *state =
		tevent_req_data(req, struct gensec_update_state);
	NTSTATUS status = NT_STATUS_OK;
	bool failed;

	*out = data_blob_null;

	failed = tevent_req_is_nterror(req, &status);
	if (!failed) {
		*out = state->out;
		talloc_steal(out_mem_ctx, out->data);
		status = state->status;
	}

	tevent_req_received(req);
	return status;
}
603 | | |
/**
 * Set the requirement for a certain feature on the connection
 *
 * The backend's want_feature hook is used when present; otherwise the
 * bit is recorded directly in want_features. Requirements recorded here
 * are enforced after negotiation by gensec_verify_features().
 */
_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
				  uint32_t feature)
{
	const struct gensec_security_ops *ops = gensec_security->ops;
	bool backend_handles = (ops != NULL) && (ops->want_feature != NULL);

	if (backend_handles) {
		ops->want_feature(gensec_security, feature);
		return;
	}

	gensec_security->want_features |= feature;
}
618 | | |
/**
 * Check the requirement for a certain feature on the connection
 *
 * Without a backend (or a have_feature hook) nothing is considered
 * available.
 */
_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
				  uint32_t feature)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops == NULL) {
		return false;
	}
	if (ops->have_feature == NULL) {
		return false;
	}

	/* We might 'have' features that we don't 'want', because the
	 * other end demanded them, or we can't negotiate them off */
	return ops->have_feature(gensec_security, feature);
}
635 | | |
/*
 * Expiry time of the negotiated context.
 *
 * GENSEC_EXPIRE_TIME_INFINITY when the backend has no expire_time hook.
 */
_PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
{
	const struct gensec_security_ops *ops = gensec_security->ops;

	if (ops->expire_time != NULL) {
		return ops->expire_time(gensec_security);
	}

	return GENSEC_EXPIRE_TIME_INFINITY;
}
/**
 * Return the credentials structure associated with a GENSEC context
 *
 * NULL when no context is given.
 */
_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
{
	return (gensec_security != NULL) ? gensec_security->credentials : NULL;
}
656 | | |
/**
 * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
 *
 * This is used for Kerberos service principal name resolution.
 *
 * A previously set value is not freed here; it stays allocated on the
 * gensec context. A NULL service ends up as NT_STATUS_NO_MEMORY, since
 * talloc_strdup() returns NULL for it.
 */
_PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
{
	char *copy = talloc_strdup(gensec_security, service);

	gensec_security->target.service = copy;
	return (copy == NULL) ? NT_STATUS_NO_MEMORY : NT_STATUS_OK;
}
671 | | |
/*
 * Target service for Kerberos SPN resolution, defaulting to "host".
 */
_PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
{
	const char *service = gensec_security->target.service;

	return (service != NULL) ? service : "host";
}
680 | | |
/**
 * Set the target service (such as 'samr') on an GENSEC context - ensures it is talloc()ed.
 *
 * This is not the Kerberos service principal, instead this is a
 * constant value that can be logged as part of authentication and
 * authorization logging.
 *
 * A previously set value is not freed here; it stays allocated on the
 * gensec context.
 */
_PUBLIC_ NTSTATUS gensec_set_target_service_description(struct gensec_security *gensec_security,
							const char *service)
{
	char *copy = talloc_strdup(gensec_security, service);

	gensec_security->target.service_description = copy;
	return (copy == NULL) ? NT_STATUS_NO_MEMORY : NT_STATUS_OK;
}
697 | | |
/*
 * Service name for authentication/authorization logging.
 *
 * Prefers the explicit service_description, falls back to the Kerberos
 * target service, and is NULL when neither was set (note: no "host"
 * default here, unlike gensec_get_target_service()).
 */
_PUBLIC_ const char *gensec_get_target_service_description(struct gensec_security *gensec_security)
{
	const char *description = gensec_security->target.service_description;

	if (description != NULL) {
		return description;
	}

	return gensec_security->target.service;
}
708 | | |
/**
 * Set the target hostname (suitable for kerberos resolution) on a GENSEC context - ensures it is talloc()ed
 *
 * Unlike the other target setters a NULL hostname is accepted and
 * simply clears the stored value. A previously set value is not freed
 * here; it stays allocated on the gensec context.
 */
_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
{
	char *copy = talloc_strdup(gensec_security, hostname);

	gensec_security->target.hostname = copy;

	/* Only a failed copy of a non-NULL hostname is an allocation failure. */
	if (hostname != NULL && copy == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	return NT_STATUS_OK;
}
722 | | |
/*
 * Target hostname used for Kerberos resolution.
 *
 * A hostname from the settings (test override) takes precedence over
 * the one set on the context. No reverse lookup is attempted.
 */
_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
{
	const char *override = gensec_security->settings->target_hostname;
	const char *configured = gensec_security->target.hostname;

	/* We allow the target hostname to be overridden for testing purposes */
	if (override != NULL) {
		return override;
	}

	if (configured != NULL) {
		return configured;
	}

	/* We could add use the 'set sockaddr' call, and do a reverse
	 * lookup, but this would be both insecure (compromising the
	 * way kerberos works) and add DNS timeouts */
	return NULL;
}
739 | | |
/**
 * Set (and copy) local and peer socket addresses onto a socket
 * context on the GENSEC context.
 *
 * This is so that kerberos can include these addresses in
 * cryptographic tokens, to avoid certain attacks.
 */

/**
 * @brief Set the local gensec address.
 *
 * Any previously stored local address is freed first; passing NULL
 * therefore clears it.
 *
 * @param gensec_security The gensec security context to use.
 *
 * @param local The local address to set (copied onto the context).
 *
 * @return On success NT_STATUS_OK is returned or an NT_STATUS
 *         error.
 */
_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
					   const struct tsocket_address *local)
{
	struct tsocket_address *copy = NULL;

	TALLOC_FREE(gensec_security->local_addr);

	if (local == NULL) {
		return NT_STATUS_OK;
	}

	copy = tsocket_address_copy(local, gensec_security);
	gensec_security->local_addr = copy;

	return (copy == NULL) ? NT_STATUS_NO_MEMORY : NT_STATUS_OK;
}
774 | | |
/**
 * @brief Set the remote gensec address.
 *
 * Any previously stored remote address is freed first; passing NULL
 * therefore clears it.
 *
 * @param gensec_security The gensec security context to use.
 *
 * @param remote The remote address to set (copied onto the context).
 *
 * @return On success NT_STATUS_OK is returned or an NT_STATUS
 *         error.
 */
_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
					    const struct tsocket_address *remote)
{
	struct tsocket_address *copy = NULL;

	TALLOC_FREE(gensec_security->remote_addr);

	if (remote == NULL) {
		return NT_STATUS_OK;
	}

	copy = tsocket_address_copy(remote, gensec_security);
	gensec_security->remote_addr = copy;

	return (copy == NULL) ? NT_STATUS_NO_MEMORY : NT_STATUS_OK;
}
801 | | |
/**
 * @brief Get the local address from a gensec security context.
 *
 * @param gensec_security The security context to get the address from.
 *
 * @return The address as tsocket_address which could be NULL if
 *         no address is set (or no context is given).
 */
_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
{
	return (gensec_security != NULL) ? gensec_security->local_addr : NULL;
}
817 | | |
/**
 * @brief Get the remote address from a gensec security context.
 *
 * @param gensec_security The security context to get the address from.
 *
 * @return The address as tsocket_address which could be NULL if
 *         no address is set (or no context is given).
 */
_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
{
	return (gensec_security != NULL) ? gensec_security->remote_addr : NULL;
}
833 | | |
/**
 * Set the target principal (assuming it is known, say from the SPNEGO reply)
 * - ensures it is talloc()ed
 *
 * A previously set value is not freed here; it stays allocated on the
 * gensec context. A NULL principal ends up as NT_STATUS_NO_MEMORY,
 * since talloc_strdup() returns NULL for it.
 */
_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
{
	char *copy = talloc_strdup(gensec_security, principal);

	gensec_security->target.principal = copy;
	return (copy == NULL) ? NT_STATUS_NO_MEMORY : NT_STATUS_OK;
}
848 | | |
/*
 * Target principal set via gensec_set_target_principal(), or NULL.
 */
_PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
{
	return gensec_security->target.principal;
}
857 | | |
/*
 * talloc destructor for channel bindings: wipes the address and
 * application-data blobs (data_blob_clear_free() zeroes before freeing)
 * and resets the struct to all-zero.
 */
static int gensec_channel_bindings_destructor(struct gensec_channel_bindings *cb)
{
	DATA_BLOB *blobs[] = {
		&cb->initiator_address,
		&cb->acceptor_address,
		&cb->application_data,
	};
	size_t i;

	for (i = 0; i < sizeof(blobs) / sizeof(blobs[0]); i++) {
		data_blob_clear_free(blobs[i]);
	}

	*cb = (struct gensec_channel_bindings) { .initiator_addrtype = 0, };
	return 0;
}
866 | | |
/*
 * Copy one optional channel-binding blob onto `mem_ctx`.
 *
 * A NULL source leaves *dst untouched and succeeds. A copy whose length
 * does not match the source is treated as an allocation failure.
 */
static bool gensec_channel_bindings_copy_blob(TALLOC_CTX *mem_ctx,
					      DATA_BLOB *dst,
					      const DATA_BLOB *src)
{
	if (src == NULL) {
		return true;
	}

	*dst = data_blob_dup_talloc(mem_ctx, *src);
	return dst->length == src->length;
}

/*
 * Attach channel bindings to a GENSEC context.
 *
 * Only allowed on the outer context (sub-contexts get
 * NT_STATUS_INTERNAL_ERROR) and only once (a second call gets
 * NT_STATUS_ALREADY_REGISTERED). The blobs are copied and wiped again by
 * gensec_channel_bindings_destructor() when the context goes away.
 */
_PUBLIC_ NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
					      uint32_t initiator_addrtype,
					      const DATA_BLOB *initiator_address,
					      uint32_t acceptor_addrtype,
					      const DATA_BLOB *acceptor_address,
					      const DATA_BLOB *application_data)
{
	struct gensec_channel_bindings *cb = NULL;
	bool ok;

	if (gensec_security->subcontext) {
		return NT_STATUS_INTERNAL_ERROR;
	}

	if (gensec_security->channel_bindings != NULL) {
		return NT_STATUS_ALREADY_REGISTERED;
	}

	cb = talloc_zero(gensec_security, struct gensec_channel_bindings);
	if (cb == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	talloc_set_destructor(cb, gensec_channel_bindings_destructor);

	cb->initiator_addrtype = initiator_addrtype;
	ok = gensec_channel_bindings_copy_blob(cb, &cb->initiator_address,
					       initiator_address);
	if (!ok) {
		goto nomem;
	}

	cb->acceptor_addrtype = acceptor_addrtype;
	ok = gensec_channel_bindings_copy_blob(cb, &cb->acceptor_address,
					       acceptor_address);
	if (!ok) {
		goto nomem;
	}

	ok = gensec_channel_bindings_copy_blob(cb, &cb->application_data,
					       application_data);
	if (!ok) {
		goto nomem;
	}

	gensec_security->channel_bindings = cb;
	return NT_STATUS_OK;

nomem:
	/* The destructor wipes whatever was already copied. */
	TALLOC_FREE(cb);
	return NT_STATUS_NO_MEMORY;
}