search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
auth:creds: Fix cli_credentials_get_password_and_obtained() with callback
[Samba.git] / auth / credentials / credentials.c
blobb9da77c6b84f94e3a1b17f7ba90431d819be8bf2
1 /*
2 Unix SMB/CIFS implementation.
3
4 User credentials handling
5
6 Copyright (C) Jelmer Vernooij 2005
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
26 #include "auth/credentials/credentials.h"
27 #include "auth/credentials/credentials_internal.h"
28 #include "auth/gensec/gensec.h"
29 #include "libcli/auth/libcli_auth.h"
30 #include "tevent.h"
31 #include "param/param.h"
32 #include "system/filesys.h"
33 #include "system/passwd.h"
34
35 /**
36 * Create a new credentials structure
37 * @param mem_ctx TALLOC_CTX parent for credentials structure
38 */
39 _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
40 {
41 struct cli_credentials *cred = talloc_zero(mem_ctx, struct cli_credentials);
42 if (cred == NULL) {
43 return cred;
44 }
45
46 cred->winbind_separator = '\\';
47
48 cred->kerberos_state = CRED_USE_KERBEROS_DESIRED;
49
50 cred->signing_state = SMB_SIGNING_DEFAULT;
51
52 /*
53 * The default value of lpcfg_client_ipc_signing() is REQUIRED, so use
54 * the same value here.
55 */
56 cred->ipc_signing_state = SMB_SIGNING_REQUIRED;
57 cred->encryption_state = SMB_ENCRYPTION_DEFAULT;
58
59 return cred;
60 }
61
62 _PUBLIC_
63 struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx,
64 struct loadparm_context *lp_ctx)
65 {
66 struct cli_credentials *server_creds = NULL;
67 NTSTATUS status;
68 bool ok;
69
70 server_creds = cli_credentials_init(mem_ctx);
71 if (server_creds == NULL) {
72 return NULL;
73 }
74
75 ok = cli_credentials_set_conf(server_creds, lp_ctx);
76 if (!ok) {
77 TALLOC_FREE(server_creds);
78 return NULL;
79 }
80
81 status = cli_credentials_set_machine_account(server_creds, lp_ctx);
82 if (!NT_STATUS_IS_OK(status)) {
83 DEBUG(1, ("Failed to obtain server credentials: %s\n",
84 nt_errstr(status)));
85 TALLOC_FREE(server_creds);
86 return NULL;
87 }
88
89 return server_creds;
90 }
91
92 _PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
93 void *callback_data)
94 {
95 cred->priv_data = callback_data;
96 }
97
98 _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
99 {
100 return cred->priv_data;
101 }
102
103 /**
104 * Create a new anonymous credential
105 * @param mem_ctx TALLOC_CTX parent for credentials structure
106 */
107 _PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
108 {
109 struct cli_credentials *anon_credentials;
110
111 anon_credentials = cli_credentials_init(mem_ctx);
112 cli_credentials_set_anonymous(anon_credentials);
113
114 return anon_credentials;
115 }
116
117 _PUBLIC_ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
118 enum credentials_use_kerberos kerberos_state,
119 enum credentials_obtained obtained)
120 {
121 if (obtained >= creds->kerberos_state_obtained) {
122 creds->kerberos_state = kerberos_state;
123 creds->kerberos_state_obtained = obtained;
124
125 return true;
126 }
127
128 return false;
129 }
130
131 _PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
132 const char *sasl_mech)
133 {
134 TALLOC_FREE(creds->forced_sasl_mech);
135 creds->forced_sasl_mech = talloc_strdup(creds, sasl_mech);
136 }
137
138 _PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
139 enum credentials_krb_forwardable krb_forwardable)
140 {
141 creds->krb_forwardable = krb_forwardable;
142 }
143
144 _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
145 {
146 return creds->kerberos_state;
147 }
148
149 _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
150 {
151 return creds->forced_sasl_mech;
152 }
153
154 _PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds)
155 {
156 return creds->krb_forwardable;
157 }
158
159 _PUBLIC_ bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
160 uint32_t gensec_features,
161 enum credentials_obtained obtained)
162 {
163 if (obtained >= creds->gensec_features_obtained) {
164 creds->gensec_features_obtained = obtained;
165 creds->gensec_features = gensec_features;
166
167 return true;
168 }
169
170 return false;
171 }
172
173 _PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
174 {
175 return creds->gensec_features;
176 }
177
178
179 /**
180 * Obtain the username for this credentials context.
181 * @param cred credentials context
182 * @retval The username set on this context.
183 * @note Return value will never be NULL except by programmer error.
184 */
185 _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
186 {
187 if (cred->machine_account_pending) {
188 cli_credentials_set_machine_account(cred,
189 cred->machine_account_pending_lp_ctx);
190 }
191
192 if (cred->username_obtained == CRED_CALLBACK &&
193 !cred->callback_running) {
194 cred->callback_running = true;
195 cred->username = cred->username_cb(cred);
196 cred->callback_running = false;
197 if (cred->username_obtained == CRED_CALLBACK) {
198 cred->username_obtained = CRED_CALLBACK_RESULT;
199 cli_credentials_invalidate_ccache(cred, cred->username_obtained);
200 }
201 }
202
203 return cred->username;
204 }
205
206 /**
207 * @brief Obtain the username for this credentials context.
208 *
209 * @param[in] cred The credential context.
210 *
211 * @param[in] obtained A pointer to store the obtained information.
212 *
213 * return The user name or NULL if an error occurred.
214 */
215 _PUBLIC_ const char *
216 cli_credentials_get_username_and_obtained(struct cli_credentials *cred,
217 enum credentials_obtained *obtained)
218 {
219 if (obtained != NULL) {
220 *obtained = cred->username_obtained;
221 }
222
223 return cli_credentials_get_username(cred);
224 }
225
226 _PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred,
227 const char *val, enum credentials_obtained obtained)
228 {
229 if (obtained >= cred->username_obtained) {
230 cred->username = talloc_strdup(cred, val);
231 cred->username_obtained = obtained;
232 cli_credentials_invalidate_ccache(cred, cred->username_obtained);
233 return true;
234 }
235
236 return false;
237 }
238
239 _PUBLIC_ bool cli_credentials_set_username_callback(struct cli_credentials *cred,
240 const char *(*username_cb) (struct cli_credentials *))
241 {
242 if (cred->username_obtained < CRED_CALLBACK) {
243 cred->username_cb = username_cb;
244 cred->username_obtained = CRED_CALLBACK;
245 return true;
246 }
247
248 return false;
249 }
250
251 _PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
252 const char *bind_dn)
253 {
254 cred->bind_dn = talloc_strdup(cred, bind_dn);
255 return true;
256 }
257
258 /**
259 * Obtain the BIND DN for this credentials context.
260 * @param cred credentials context
261 * @retval The username set on this context.
262 * @note Return value will be NULL if not specified explicitly
263 */
264 _PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
265 {
266 return cred->bind_dn;
267 }
268
269
270 /**
271 * Obtain the client principal for this credentials context.
272 * @param cred credentials context
273 * @retval The username set on this context.
274 * @note Return value will never be NULL except by programmer error.
275 */
276 _PUBLIC_ char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
277 {
278 if (cred->machine_account_pending) {
279 cli_credentials_set_machine_account(cred,
280 cred->machine_account_pending_lp_ctx);
281 }
282
283 if (cred->principal_obtained == CRED_CALLBACK &&
284 !cred->callback_running) {
285 cred->callback_running = true;
286 cred->principal = cred->principal_cb(cred);
287 cred->callback_running = false;
288 if (cred->principal_obtained == CRED_CALLBACK) {
289 cred->principal_obtained = CRED_CALLBACK_RESULT;
290 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
291 }
292 }
293
294 if (cred->principal_obtained < cred->username_obtained
295 || cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) {
296 const char *effective_username = NULL;
297 const char *effective_realm = NULL;
298 enum credentials_obtained effective_obtained;
299
300 effective_username = cli_credentials_get_username(cred);
301 if (effective_username == NULL || strlen(effective_username) == 0) {
302 *obtained = cred->username_obtained;
303 return NULL;
304 }
305
306 if (cred->domain_obtained > cred->realm_obtained) {
307 effective_realm = cli_credentials_get_domain(cred);
308 effective_obtained = MIN(cred->domain_obtained,
309 cred->username_obtained);
310 } else {
311 effective_realm = cli_credentials_get_realm(cred);
312 effective_obtained = MIN(cred->realm_obtained,
313 cred->username_obtained);
314 }
315
316 if (effective_realm == NULL || strlen(effective_realm) == 0) {
317 effective_realm = cli_credentials_get_domain(cred);
318 effective_obtained = MIN(cred->domain_obtained,
319 cred->username_obtained);
320 }
321
322 if (effective_realm != NULL && strlen(effective_realm) != 0) {
323 *obtained = effective_obtained;
324 return talloc_asprintf(mem_ctx, "%s@%s",
325 effective_username,
326 effective_realm);
327 }
328 }
329 *obtained = cred->principal_obtained;
330 return talloc_strdup(mem_ctx, cred->principal);
331 }
332
333 /**
334 * Obtain the client principal for this credentials context.
335 * @param cred credentials context
336 * @retval The username set on this context.
337 * @note Return value will never be NULL except by programmer error.
338 */
339 _PUBLIC_ char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
340 {
341 enum credentials_obtained obtained;
342 return cli_credentials_get_principal_and_obtained(cred, mem_ctx, &obtained);
343 }
344
345 _PUBLIC_ bool cli_credentials_set_principal(struct cli_credentials *cred,
346 const char *val,
347 enum credentials_obtained obtained)
348 {
349 if (obtained >= cred->principal_obtained) {
350 cred->principal = talloc_strdup(cred, val);
351 if (cred->principal == NULL) {
352 return false;
353 }
354 cred->principal_obtained = obtained;
355
356 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
357 return true;
358 }
359
360 return false;
361 }
362
363 /* Set a callback to get the principal. This could be a popup dialog,
364 * a terminal prompt or similar. */
365 _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
366 const char *(*principal_cb) (struct cli_credentials *))
367 {
368 if (cred->principal_obtained < CRED_CALLBACK) {
369 cred->principal_cb = principal_cb;
370 cred->principal_obtained = CRED_CALLBACK;
371 return true;
372 }
373
374 return false;
375 }
376
377 /* Some of our tools are 'anonymous by default'. This is a single
378 * function to determine if authentication has been explicitly
379 * requested */
380
381 _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
382 {
383 uint32_t gensec_features = 0;
384
385 if (cred->bind_dn) {
386 return true;
387 }
388
389 /*
390 * If we forced the mech we clearly want authentication. E.g. to use
391 * SASL/EXTERNAL which has no credentials.
392 */
393 if (cred->forced_sasl_mech) {
394 return true;
395 }
396
397 if (cli_credentials_is_anonymous(cred)){
398 return false;
399 }
400
401 if (cred->principal_obtained >= CRED_SPECIFIED) {
402 return true;
403 }
404 if (cred->username_obtained >= CRED_SPECIFIED) {
405 return true;
406 }
407
408 if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
409 return true;
410 }
411
412 gensec_features = cli_credentials_get_gensec_features(cred);
413 if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
414 return true;
415 }
416
417 if (gensec_features & GENSEC_FEATURE_SIGN) {
418 return true;
419 }
420
421 if (gensec_features & GENSEC_FEATURE_SEAL) {
422 return true;
423 }
424
425 return false;
426 }
427
428 /**
429 * Obtain the password for this credentials context.
430 * @param cred credentials context
431 * @retval If set, the cleartext password, otherwise NULL
432 */
433 _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
434 {
435 if (cred->machine_account_pending) {
436 cli_credentials_set_machine_account(cred,
437 cred->machine_account_pending_lp_ctx);
438 }
439
440 if (cred->password_obtained == CRED_CALLBACK &&
441 !cred->callback_running &&
442 !cred->password_will_be_nt_hash) {
443 cred->callback_running = true;
444 cred->password = cred->password_cb(cred);
445 cred->callback_running = false;
446 if (cred->password_obtained == CRED_CALLBACK) {
447 cred->password_obtained = CRED_CALLBACK_RESULT;
448 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
449 }
450 }
451
452 return cred->password;
453 }
454
455 /**
456 * @brief Obtain the password for this credentials context.
457 *
458 * @param[in] cred The credential context.
459 *
460 * @param[in] obtained A pointer to store the obtained information.
461 *
462 * return The user name or NULL if an error occurred.
463 */
464 _PUBLIC_ const char *
465 cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
466 enum credentials_obtained *obtained)
467 {
468 const char *password = cli_credentials_get_password(cred);
469
470 if (obtained != NULL) {
471 *obtained = cred->password_obtained;
472 }
473
474 return password;
475 }
476
477 /* Set a password on the credentials context, including an indication
478 * of 'how' the password was obtained */
479
480 _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
481 const char *val,
482 enum credentials_obtained obtained)
483 {
484 if (obtained >= cred->password_obtained) {
485
486 cred->lm_response = data_blob_null;
487 cred->nt_response = data_blob_null;
488 cred->nt_hash = NULL;
489 cred->password = NULL;
490
491 cli_credentials_invalidate_ccache(cred, obtained);
492
493 cred->password_tries = 0;
494
495 if (val == NULL) {
496 cred->password_obtained = obtained;
497 return true;
498 }
499
500 if (cred->password_will_be_nt_hash) {
501 struct samr_Password *nt_hash = NULL;
502 size_t val_len = strlen(val);
503 size_t converted;
504
505 nt_hash = talloc(cred, struct samr_Password);
506 if (nt_hash == NULL) {
507 return false;
508 }
509
510 converted = strhex_to_str((char *)nt_hash->hash,
511 sizeof(nt_hash->hash),
512 val, val_len);
513 if (converted != sizeof(nt_hash->hash)) {
514 TALLOC_FREE(nt_hash);
515 return false;
516 }
517
518 cred->nt_hash = nt_hash;
519 cred->password_obtained = obtained;
520 return true;
521 }
522
523 cred->password = talloc_strdup(cred, val);
524 if (cred->password == NULL) {
525 return false;
526 }
527
528 /* Don't print the actual password in talloc memory dumps */
529 talloc_set_name_const(cred->password,
530 "password set via cli_credentials_set_password");
531 cred->password_obtained = obtained;
532
533 return true;
534 }
535
536 return false;
537 }
538
539 _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred,
540 const char *(*password_cb) (struct cli_credentials *))
541 {
542 if (cred->password_obtained < CRED_CALLBACK) {
543 cred->password_tries = 3;
544 cred->password_cb = password_cb;
545 cred->password_obtained = CRED_CALLBACK;
546 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
547 return true;
548 }
549
550 return false;
551 }
552
553 /**
554 * Obtain the 'old' password for this credentials context (used for join accounts).
555 * @param cred credentials context
556 * @retval If set, the cleartext password, otherwise NULL
557 */
558 _PUBLIC_ const char *cli_credentials_get_old_password(struct cli_credentials *cred)
559 {
560 if (cred->machine_account_pending) {
561 cli_credentials_set_machine_account(cred,
562 cred->machine_account_pending_lp_ctx);
563 }
564
565 return cred->old_password;
566 }
567
568 _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
569 const char *val,
570 enum credentials_obtained obtained)
571 {
572 cred->old_password = talloc_strdup(cred, val);
573 if (cred->old_password) {
574 /* Don't print the actual password in talloc memory dumps */
575 talloc_set_name_const(cred->old_password, "password set via cli_credentials_set_old_password");
576 }
577 cred->old_nt_hash = NULL;
578 return true;
579 }
580
581 /**
582 * Obtain the password, in the form MD4(unicode(password)) for this credentials context.
583 *
584 * Sometimes we only have this much of the password, while the rest of
585 * the time this call avoids calling E_md4hash themselves.
586 *
587 * @param cred credentials context
588 * @retval If set, the cleartext password, otherwise NULL
589 */
590 _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
591 TALLOC_CTX *mem_ctx)
592 {
593 enum credentials_obtained password_obtained;
594 enum credentials_obtained ccache_threshold;
595 enum credentials_obtained client_gss_creds_threshold;
596 bool password_is_nt_hash;
597 const char *password = NULL;
598 struct samr_Password *nt_hash = NULL;
599
600 if (cred->nt_hash != NULL) {
601 /*
602 * If we already have a hash it's easy.
603 */
604 goto return_hash;
605 }
606
607 /*
608 * This is a bit tricky, with password_will_be_nt_hash
609 * we still need to get the value via the password_callback
610 * but if we did that we should not remember it's state
611 * in the long run so we need to undo it.
612 */
613
614 password_obtained = cred->password_obtained;
615 ccache_threshold = cred->ccache_threshold;
616 client_gss_creds_threshold = cred->client_gss_creds_threshold;
617 password_is_nt_hash = cred->password_will_be_nt_hash;
618
619 cred->password_will_be_nt_hash = false;
620 password = cli_credentials_get_password(cred);
621
622 cred->password_will_be_nt_hash = password_is_nt_hash;
623 if (password_is_nt_hash && password_obtained == CRED_CALLBACK) {
624 /*
625 * We got the nt_hash as string via the callback,
626 * so we need to undo the state change.
627 *
628 * And also don't remember it as plaintext password.
629 */
630 cred->client_gss_creds_threshold = client_gss_creds_threshold;
631 cred->ccache_threshold = ccache_threshold;
632 cred->password_obtained = password_obtained;
633 cred->password = NULL;
634 }
635
636 if (password == NULL) {
637 return NULL;
638 }
639
640 nt_hash = talloc(cred, struct samr_Password);
641 if (nt_hash == NULL) {
642 return NULL;
643 }
644
645 if (password_is_nt_hash) {
646 size_t password_len = strlen(password);
647 size_t converted;
648
649 converted = strhex_to_str((char *)nt_hash->hash,
650 sizeof(nt_hash->hash),
651 password, password_len);
652 if (converted != sizeof(nt_hash->hash)) {
653 TALLOC_FREE(nt_hash);
654 return NULL;
655 }
656 } else {
657 E_md4hash(password, nt_hash->hash);
658 }
659
660 cred->nt_hash = nt_hash;
661 nt_hash = NULL;
662
663 return_hash:
664 nt_hash = talloc(mem_ctx, struct samr_Password);
665 if (nt_hash == NULL) {
666 return NULL;
667 }
668
669 *nt_hash = *cred->nt_hash;
670
671 return nt_hash;
672 }
673
674 /**
675 * Obtain the old password, in the form MD4(unicode(password)) for this credentials context.
676 *
677 * Sometimes we only have this much of the password, while the rest of
678 * the time this call avoids calling E_md4hash themselves.
679 *
680 * @param cred credentials context
681 * @retval If set, the cleartext password, otherwise NULL
682 */
683 _PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
684 TALLOC_CTX *mem_ctx)
685 {
686 const char *old_password = NULL;
687
688 if (cred->old_nt_hash != NULL) {
689 struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
690 if (!nt_hash) {
691 return NULL;
692 }
693
694 *nt_hash = *cred->old_nt_hash;
695
696 return nt_hash;
697 }
698
699 old_password = cli_credentials_get_old_password(cred);
700 if (old_password) {
701 struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
702 if (!nt_hash) {
703 return NULL;
704 }
705
706 E_md4hash(old_password, nt_hash->hash);
707
708 return nt_hash;
709 }
710
711 return NULL;
712 }
713
714 /**
715 * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
716 * @param cred credentials context
717 * @retval The domain set on this context.
718 * @note Return value will never be NULL except by programmer error.
719 */
720 _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
721 {
722 if (cred->machine_account_pending) {
723 cli_credentials_set_machine_account(cred,
724 cred->machine_account_pending_lp_ctx);
725 }
726
727 if (cred->domain_obtained == CRED_CALLBACK &&
728 !cred->callback_running) {
729 cred->callback_running = true;
730 cred->domain = cred->domain_cb(cred);
731 cred->callback_running = false;
732 if (cred->domain_obtained == CRED_CALLBACK) {
733 cred->domain_obtained = CRED_CALLBACK_RESULT;
734 cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
735 }
736 }
737
738 return cred->domain;
739 }
740
741
742 _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
743 const char *val,
744 enum credentials_obtained obtained)
745 {
746 if (obtained >= cred->domain_obtained) {
747 /* it is important that the domain be in upper case,
748 * particularly for the sensitive NTLMv2
749 * calculations */
750 cred->domain = strupper_talloc(cred, val);
751 cred->domain_obtained = obtained;
752 /* setting domain does not mean we have to invalidate ccache
753 * because domain in not used for Kerberos operations.
754 * If ccache invalidation is required, one will anyway specify
755 * a password to kinit, and that will force invalidation of the ccache
756 */
757 return true;
758 }
759
760 return false;
761 }
762
763 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
764 const char *(*domain_cb) (struct cli_credentials *))
765 {
766 if (cred->domain_obtained < CRED_CALLBACK) {
767 cred->domain_cb = domain_cb;
768 cred->domain_obtained = CRED_CALLBACK;
769 return true;
770 }
771
772 return false;
773 }
774
775 /**
776 * Obtain the Kerberos realm for this credentials context.
777 * @param cred credentials context
778 * @retval The realm set on this context.
779 * @note Return value will never be NULL except by programmer error.
780 */
781 _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
782 {
783 if (cred->machine_account_pending) {
784 cli_credentials_set_machine_account(cred,
785 cred->machine_account_pending_lp_ctx);
786 }
787
788 if (cred->realm_obtained == CRED_CALLBACK &&
789 !cred->callback_running) {
790 cred->callback_running = true;
791 cred->realm = cred->realm_cb(cred);
792 cred->callback_running = false;
793 if (cred->realm_obtained == CRED_CALLBACK) {
794 cred->realm_obtained = CRED_CALLBACK_RESULT;
795 cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
796 }
797 }
798
799 return cred->realm;
800 }
801
802 /**
803 * Set the realm for this credentials context, and force it to
804 * uppercase for the sanity of our local kerberos libraries
805 */
806 _PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred,
807 const char *val,
808 enum credentials_obtained obtained)
809 {
810 if (obtained >= cred->realm_obtained) {
811 cred->realm = strupper_talloc(cred, val);
812 cred->realm_obtained = obtained;
813 cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
814 return true;
815 }
816
817 return false;
818 }
819
820 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
821 const char *(*realm_cb) (struct cli_credentials *))
822 {
823 if (cred->realm_obtained < CRED_CALLBACK) {
824 cred->realm_cb = realm_cb;
825 cred->realm_obtained = CRED_CALLBACK;
826 return true;
827 }
828
829 return false;
830 }
831
832 /**
833 * Obtain the 'short' or 'NetBIOS' workstation name for this credentials context.
834 *
835 * @param cred credentials context
836 * @retval The workstation name set on this context.
837 * @note Return value will never be NULL except by programmer error.
838 */
839 _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cred)
840 {
841 if (cred->workstation_obtained == CRED_CALLBACK &&
842 !cred->callback_running) {
843 cred->callback_running = true;
844 cred->workstation = cred->workstation_cb(cred);
845 cred->callback_running = false;
846 if (cred->workstation_obtained == CRED_CALLBACK) {
847 cred->workstation_obtained = CRED_CALLBACK_RESULT;
848 }
849 }
850
851 return cred->workstation;
852 }
853
854 _PUBLIC_ bool cli_credentials_set_workstation(struct cli_credentials *cred,
855 const char *val,
856 enum credentials_obtained obtained)
857 {
858 if (obtained >= cred->workstation_obtained) {
859 cred->workstation = talloc_strdup(cred, val);
860 cred->workstation_obtained = obtained;
861 return true;
862 }
863
864 return false;
865 }
866
867 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
868 const char *(*workstation_cb) (struct cli_credentials *))
869 {
870 if (cred->workstation_obtained < CRED_CALLBACK) {
871 cred->workstation_cb = workstation_cb;
872 cred->workstation_obtained = CRED_CALLBACK;
873 return true;
874 }
875
876 return false;
877 }
878
879 /**
880 * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields
881 *
882 * The format accepted is [domain\\]user[%password] or user[@realm][%password]
883 *
884 * @param credentials Credentials structure on which to set the password
885 * @param data the string containing the username, password etc
886 * @param obtained This enum describes how 'specified' this password is
887 */
888
889 _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
890 {
891 char *uname, *p;
892 char *uname_free = NULL;
893
894 if (strcmp("%",data) == 0) {
895 cli_credentials_set_anonymous(credentials);
896 return;
897 }
898
899 uname = talloc_strdup(credentials, data);
900 uname_free = uname;
901
902 if ((p = strchr_m(uname,'%'))) {
903 *p = 0;
904 cli_credentials_set_password(credentials, p+1, obtained);
905 }
906
907 if ((p = strchr_m(uname,'@'))) {
908 /*
909 * We also need to set username and domain
910 * in order to undo the effect of
911 * cli_credentials_guess().
912 */
913 cli_credentials_set_username(credentials, uname, obtained);
914 cli_credentials_set_domain(credentials, "", obtained);
915
916 cli_credentials_set_principal(credentials, uname, obtained);
917 *p = 0;
918 cli_credentials_set_realm(credentials, p+1, obtained);
919 TALLOC_FREE(uname_free);
920 return;
921 } else if ((p = strchr_m(uname,'\\'))
922 || (p = strchr_m(uname, '/'))
923 || (p = strchr_m(uname, credentials->winbind_separator)))
924 {
925 const char *domain = NULL;
926
927 domain = uname;
928 *p = 0;
929 uname = p+1;
930
931 if (obtained == credentials->realm_obtained &&
932 !strequal_m(credentials->domain, domain))
933 {
934 /*
935 * We need to undo a former set with the same level
936 * in order to get the expected result from
937 * cli_credentials_get_principal().
938 *
939 * But we only need to do that if the domain
940 * actually changes.
941 */
942 cli_credentials_set_realm(credentials, domain, obtained);
943 }
944 cli_credentials_set_domain(credentials, domain, obtained);
945 }
946 if (obtained == credentials->principal_obtained &&
947 !strequal_m(credentials->username, uname))
948 {
949 /*
950 * We need to undo a former set with the same level
951 * in order to get the expected result from
952 * cli_credentials_get_principal().
953 *
954 * But we only need to do that if the username
955 * actually changes.
956 */
957 credentials->principal_obtained = CRED_UNINITIALISED;
958 credentials->principal = NULL;
959 }
960 cli_credentials_set_username(credentials, uname, obtained);
961
962 TALLOC_FREE(uname_free);
963 }
964
965 /**
966 * Given a a credentials structure, print it as a string
967 *
968 * The format output is [domain\\]user[%password] or user[@realm][%password]
969 *
970 * @param credentials Credentials structure on which to set the password
971 * @param mem_ctx The memory context to place the result on
972 */
973
974 _PUBLIC_ char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
975 {
976 const char *bind_dn = cli_credentials_get_bind_dn(credentials);
977 const char *domain = NULL;
978 const char *username = NULL;
979 char *name = NULL;
980
981 if (bind_dn) {
982 name = talloc_strdup(mem_ctx, bind_dn);
983 } else {
984 cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
985 if (domain && domain[0]) {
986 name = talloc_asprintf(mem_ctx, "%s\\%s",
987 domain, username);
988 } else {
989 name = talloc_asprintf(mem_ctx, "%s",
990 username);
991 }
992 }
993 return name;
994 }
995
996
997 /**
998 * Specifies default values for domain, workstation and realm
999 * from the smb.conf configuration file
1000 *
1001 * @param cred Credentials structure to fill in
1002 *
1003 * @return true on success, false on error.
1004 */
1005 _PUBLIC_ bool cli_credentials_set_conf(struct cli_credentials *cred,
1006 struct loadparm_context *lp_ctx)
1007 {
1008 const char *sep = NULL;
1009 const char *realm = lpcfg_realm(lp_ctx);
1010 enum credentials_client_protection protection =
1011 lpcfg_client_protection(lp_ctx);
1012 const char *workgroup = lpcfg_workgroup(lp_ctx);
1013 const char *netbios_name = lpcfg_netbios_name(lp_ctx);
1014 bool ok;
1015
1016 (void)cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
1017
1018 if (workgroup != NULL && strlen(workgroup) == 0) {
1019 workgroup = NULL;
1020 }
1021
1022 if (workgroup != NULL) {
1023 if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
1024 ok = cli_credentials_set_domain(cred,
1025 workgroup,
1026 CRED_SPECIFIED);
1027 if (!ok) {
1028 DBG_ERR("Failed to set domain!\n");
1029 return false;
1030 }
1031 } else {
1032 (void)cli_credentials_set_domain(cred,
1033 workgroup,
1034 CRED_SMB_CONF);
1035 }
1036 }
1037
1038 if (netbios_name != NULL && strlen(netbios_name) == 0) {
1039 netbios_name = NULL;
1040 }
1041
1042 if (netbios_name != NULL) {
1043 if (lpcfg_parm_is_cmdline(lp_ctx, "netbios name")) {
1044 ok = cli_credentials_set_workstation(cred,
1045 netbios_name,
1046 CRED_SPECIFIED);
1047 if (!ok) {
1048 DBG_ERR("Failed to set workstation!\n");
1049 return false;
1050 }
1051 } else {
1052 (void)cli_credentials_set_workstation(cred,
1053 netbios_name,
1054 CRED_SMB_CONF);
1055 }
1056 }
1057
1058 if (realm != NULL && strlen(realm) == 0) {
1059 realm = NULL;
1060 }
1061
1062 if (realm != NULL) {
1063 if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) {
1064 ok = cli_credentials_set_realm(cred,
1065 realm,
1066 CRED_SPECIFIED);
1067 if (!ok) {
1068 DBG_ERR("Failed to set realm!\n");
1069 return false;
1070 }
1071 } else {
1072 (void)cli_credentials_set_realm(cred,
1073 realm,
1074 CRED_SMB_CONF);
1075 }
1076 }
1077
1078 sep = lpcfg_winbind_separator(lp_ctx);
1079 if (sep != NULL && sep[0] != '\0') {
1080 cred->winbind_separator = *lpcfg_winbind_separator(lp_ctx);
1081 }
1082
1083 if (cred->signing_state_obtained <= CRED_SMB_CONF) {
1084 /* Will be set to default for invalid smb.conf values */
1085 cred->signing_state = lpcfg_client_signing(lp_ctx);
1086 if (cred->signing_state == SMB_SIGNING_DEFAULT) {
1087 switch (protection) {
1088 case CRED_CLIENT_PROTECTION_DEFAULT:
1089 break;
1090 case CRED_CLIENT_PROTECTION_PLAIN:
1091 cred->signing_state = SMB_SIGNING_OFF;
1092 break;
1093 case CRED_CLIENT_PROTECTION_SIGN:
1094 case CRED_CLIENT_PROTECTION_ENCRYPT:
1095 cred->signing_state = SMB_SIGNING_REQUIRED;
1096 break;
1097 }
1098 }
1099
1100 cred->signing_state_obtained = CRED_SMB_CONF;
1101 }
1102
1103 if (cred->ipc_signing_state_obtained <= CRED_SMB_CONF) {
1104 /* Will be set to required for invalid smb.conf values */
1105 cred->ipc_signing_state = lpcfg_client_ipc_signing(lp_ctx);
1106 cred->ipc_signing_state_obtained = CRED_SMB_CONF;
1107 }
1108
1109 if (cred->encryption_state_obtained <= CRED_SMB_CONF) {
1110 /* Will be set to default for invalid smb.conf values */
1111 cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
1112 if (cred->encryption_state == SMB_ENCRYPTION_DEFAULT) {
1113 switch (protection) {
1114 case CRED_CLIENT_PROTECTION_DEFAULT:
1115 break;
1116 case CRED_CLIENT_PROTECTION_PLAIN:
1117 case CRED_CLIENT_PROTECTION_SIGN:
1118 cred->encryption_state = SMB_ENCRYPTION_OFF;
1119 break;
1120 case CRED_CLIENT_PROTECTION_ENCRYPT:
1121 cred->encryption_state = SMB_ENCRYPTION_REQUIRED;
1122 break;
1123 }
1124 }
1125 }
1126
1127 if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
1128 /* Will be set to default for invalid smb.conf values */
1129 cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
1130 cred->kerberos_state_obtained = CRED_SMB_CONF;
1131 }
1132
1133 if (cred->gensec_features_obtained <= CRED_SMB_CONF) {
1134 switch (protection) {
1135 case CRED_CLIENT_PROTECTION_DEFAULT:
1136 break;
1137 case CRED_CLIENT_PROTECTION_PLAIN:
1138 cred->gensec_features = 0;
1139 break;
1140 case CRED_CLIENT_PROTECTION_SIGN:
1141 cred->gensec_features = GENSEC_FEATURE_SIGN;
1142 break;
1143 case CRED_CLIENT_PROTECTION_ENCRYPT:
1144 cred->gensec_features =
1145 GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL;
1146 break;
1147 }
1148 cred->gensec_features_obtained = CRED_SMB_CONF;
1149 }
1150
1151 return true;
1152 }
1153
1154 /**
1155 * Guess defaults for credentials from environment variables,
1156 * and from the configuration file
1157 *
1158 * @param cred Credentials structure to fill in
1159 */
1160 _PUBLIC_ bool cli_credentials_guess(struct cli_credentials *cred,
1161 struct loadparm_context *lp_ctx)
1162 {
1163 const char *error_string;
1164 const char *env = NULL;
1165 struct passwd *pwd = NULL;
1166 bool ok;
1167
1168 if (lp_ctx != NULL) {
1169 ok = cli_credentials_set_conf(cred, lp_ctx);
1170 if (!ok) {
1171 return false;
1172 }
1173 }
1174
1175 pwd = getpwuid(getuid());
1176 if (pwd != NULL) {
1177 size_t len = strlen(pwd->pw_name);
1178
1179 if (len > 0 && len <= 1024) {
1180 (void)cli_credentials_parse_string(cred,
1181 pwd->pw_name,
1182 CRED_GUESS_ENV);
1183 }
1184 }
1185
1186 env = getenv("LOGNAME");
1187 if (env != NULL) {
1188 size_t len = strlen(env);
1189
1190 if (len > 0 && len <= 1024) {
1191 (void)cli_credentials_set_username(cred,
1192 env,
1193 CRED_GUESS_ENV);
1194 }
1195 }
1196
1197 env = getenv("USER");
1198 if (env != NULL) {
1199 size_t len = strlen(env);
1200
1201 if (len > 0 && len <= 1024) {
1202 char *p = NULL;
1203
1204 (void)cli_credentials_parse_string(cred,
1205 env,
1206 CRED_GUESS_ENV);
1207 if ((p = strchr_m(env, '%'))) {
1208 memset(p, '\0', strlen(cred->password));
1209 }
1210 }
1211 }
1212
1213 env = getenv("PASSWD");
1214 if (env != NULL) {
1215 size_t len = strlen(env);
1216
1217 if (len > 0 && len <= 1024) {
1218 (void)cli_credentials_set_password(cred,
1219 env,
1220 CRED_GUESS_ENV);
1221 }
1222 }
1223
1224 env = getenv("PASSWD_FD");
1225 if (env != NULL) {
1226 size_t len = strlen(env);
1227
1228 if (len > 0 && len <= 1024) {
1229 int fd = atoi(env);
1230
1231 (void)cli_credentials_parse_password_fd(cred,
1232 fd,
1233 CRED_GUESS_FILE);
1234 }
1235 }
1236
1237 env = getenv("PASSWD_FILE");
1238 if (env != NULL) {
1239 size_t len = strlen(env);
1240
1241 if (len > 0 && len <= 4096) {
1242 (void)cli_credentials_parse_password_file(cred,
1243 env,
1244 CRED_GUESS_FILE);
1245 }
1246 }
1247
1248 if (lp_ctx != NULL &&
1249 cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) {
1250 (void)cli_credentials_set_ccache(cred,
1251 lp_ctx,
1252 NULL,
1253 CRED_GUESS_FILE,
1254 &error_string);
1255 }
1256
1257 return true;
1258 }
1259
1260 /**
1261 * Attach NETLOGON credentials for use with SCHANNEL
1262 */
1263
1264 _PUBLIC_ void cli_credentials_set_netlogon_creds(
1265 struct cli_credentials *cred,
1266 const struct netlogon_creds_CredentialState *netlogon_creds)
1267 {
1268 TALLOC_FREE(cred->netlogon_creds);
1269 if (netlogon_creds == NULL) {
1270 return;
1271 }
1272 cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
1273 }
1274
1275 /**
1276 * Return attached NETLOGON credentials
1277 */
1278
1279 _PUBLIC_ struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
1280 {
1281 return cred->netlogon_creds;
1282 }
1283
1284 /**
1285 * Set NETLOGON secure channel type
1286 */
1287
1288 _PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
1289 enum netr_SchannelType secure_channel_type)
1290 {
1291 cred->secure_channel_type = secure_channel_type;
1292 }
1293
1294 /**
1295 * Return NETLOGON secure channel type
1296 */
1297
1298 _PUBLIC_ time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred)
1299 {
1300 return cred->password_last_changed_time;
1301 }
1302
1303 /**
1304 * Set NETLOGON secure channel type
1305 */
1306
1307 _PUBLIC_ void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
1308 time_t last_changed_time)
1309 {
1310 cred->password_last_changed_time = last_changed_time;
1311 }
1312
1313 /**
1314 * Return NETLOGON secure channel type
1315 */
1316
1317 _PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
1318 {
1319 return cred->secure_channel_type;
1320 }
1321
1322 /**
1323 * Fill in a credentials structure as the anonymous user
1324 */
1325 _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
1326 {
1327 cli_credentials_set_username(cred, "", CRED_SPECIFIED);
1328 cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
1329 cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
1330 cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
1331 cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
1332 cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
1333 cli_credentials_set_kerberos_state(cred,
1334 CRED_USE_KERBEROS_DISABLED,
1335 CRED_SPECIFIED);
1336 }
1337
1338 /**
1339 * Describe a credentials context as anonymous or authenticated
1340 * @retval true if anonymous, false if a username is specified
1341 */
1342
1343 _PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
1344 {
1345 const char *username;
1346
1347 /* if bind dn is set it's not anonymous */
1348 if (cred->bind_dn) {
1349 return false;
1350 }
1351
1352 if (cred->machine_account_pending) {
1353 cli_credentials_set_machine_account(cred,
1354 cred->machine_account_pending_lp_ctx);
1355 }
1356
1357 /* if principal is set, it's not anonymous */
1358 if ((cred->principal != NULL) && cred->principal_obtained >= cred->username_obtained) {
1359 return false;
1360 }
1361
1362 username = cli_credentials_get_username(cred);
1363
1364 /* Yes, it is deliberate that we die if we have a NULL pointer
1365 * here - anonymous is "", not NULL, which is 'never specified,
1366 * never guessed', ie programmer bug */
1367 if (!username[0]) {
1368 return true;
1369 }
1370
1371 return false;
1372 }
1373
1374 /**
1375 * Mark the current password for a credentials struct as wrong. This will
1376 * cause the password to be prompted again (if a callback is set).
1377 *
1378 * This will decrement the number of times the password can be tried.
1379 *
1380 * @retval whether the credentials struct is finished
1381 */
1382 _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
1383 {
1384 if (cred->password_obtained != CRED_CALLBACK_RESULT) {
1385 return false;
1386 }
1387
1388 if (cred->password_tries == 0) {
1389 return false;
1390 }
1391
1392 cred->password_tries--;
1393
1394 if (cred->password_tries == 0) {
1395 return false;
1396 }
1397
1398 cred->password_obtained = CRED_CALLBACK;
1399 return true;
1400 }
1401
1402 _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
1403 const char **username,
1404 const char **domain)
1405 {
1406 if (cred->principal_obtained >= cred->username_obtained) {
1407 *domain = talloc_strdup(mem_ctx, "");
1408 *username = cli_credentials_get_principal(cred, mem_ctx);
1409 } else {
1410 *domain = cli_credentials_get_domain(cred);
1411 *username = cli_credentials_get_username(cred);
1412 }
1413 }
1414
1415 /**
1416 * Read a named file, and parse it for username, domain, realm and password
1417 *
1418 * @param credentials Credentials structure on which to set the password
1419 * @param file a named file to read the details from
1420 * @param obtained This enum describes how 'specified' this password is
1421 */
1422
1423 _PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained)
1424 {
1425 uint16_t len = 0;
1426 char *ptr, *val, *param;
1427 char **lines;
1428 int i, numlines;
1429 const char *realm = NULL;
1430 const char *domain = NULL;
1431 const char *password = NULL;
1432 const char *username = NULL;
1433
1434 lines = file_lines_load(file, &numlines, 0, NULL);
1435
1436 if (lines == NULL)
1437 {
1438 /* fail if we can't open the credentials file */
1439 d_printf("ERROR: Unable to open credentials file!\n");
1440 return false;
1441 }
1442
1443 for (i = 0; i < numlines; i++) {
1444 len = strlen(lines[i]);
1445
1446 if (len == 0)
1447 continue;
1448
1449 /* break up the line into parameter & value.
1450 * will need to eat a little whitespace possibly */
1451 param = lines[i];
1452 if (!(ptr = strchr_m (lines[i], '=')))
1453 continue;
1454
1455 val = ptr+1;
1456 *ptr = '\0';
1457
1458 /* eat leading white space */
1459 while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
1460 val++;
1461
1462 if (strwicmp("password", param) == 0) {
1463 password = val;
1464 } else if (strwicmp("username", param) == 0) {
1465 username = val;
1466 } else if (strwicmp("domain", param) == 0) {
1467 domain = val;
1468 } else if (strwicmp("realm", param) == 0) {
1469 realm = val;
1470 }
1471
1472 /*
1473 * We need to readd '=' in order to let
1474 * the strlen() work in the last loop
1475 * that clears the memory.
1476 */
1477 *ptr = '=';
1478 }
1479
1480 if (realm != NULL && strlen(realm) != 0) {
1481 /*
1482 * only overwrite with a valid string
1483 */
1484 cli_credentials_set_realm(cred, realm, obtained);
1485 }
1486
1487 if (domain != NULL && strlen(domain) != 0) {
1488 /*
1489 * only overwrite with a valid string
1490 */
1491 cli_credentials_set_domain(cred, domain, obtained);
1492 }
1493
1494 if (password != NULL) {
1495 /*
1496 * Here we allow "".
1497 */
1498 cli_credentials_set_password(cred, password, obtained);
1499 }
1500
1501 if (username != NULL) {
1502 /*
1503 * The last "username" line takes preference
1504 * if the string also contains domain, realm or
1505 * password.
1506 */
1507 cli_credentials_parse_string(cred, username, obtained);
1508 }
1509
1510 for (i = 0; i < numlines; i++) {
1511 len = strlen(lines[i]);
1512 memset(lines[i], 0, len);
1513 }
1514 talloc_free(lines);
1515
1516 return true;
1517 }
1518
1519 /**
1520 * Read a named file, and parse it for a password
1521 *
1522 * @param credentials Credentials structure on which to set the password
1523 * @param file a named file to read the password from
1524 * @param obtained This enum describes how 'specified' this password is
1525 */
1526
1527 _PUBLIC_ bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained)
1528 {
1529 int fd = open(file, O_RDONLY, 0);
1530 bool ret;
1531
1532 if (fd < 0) {
1533 fprintf(stderr, "Error opening password file %s: %s\n",
1534 file, strerror(errno));
1535 return false;
1536 }
1537
1538 ret = cli_credentials_parse_password_fd(credentials, fd, obtained);
1539
1540 close(fd);
1541
1542 return ret;
1543 }
1544
1545
1546 /**
1547 * Read a file descriptor, and parse it for a password (eg from a file or stdin)
1548 *
1549 * @param credentials Credentials structure on which to set the password
1550 * @param fd open file descriptor to read the password from
1551 * @param obtained This enum describes how 'specified' this password is
1552 */
1553
1554 _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
1555 int fd, enum credentials_obtained obtained)
1556 {
1557 char *p;
1558 char pass[128];
1559
1560 if (credentials->password_obtained >= obtained) {
1561 return false;
1562 }
1563
1564 for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
1565 p && p - pass < sizeof(pass) - 1;) {
1566 switch (read(fd, p, 1)) {
1567 case 1:
1568 if (*p != '\n' && *p != '\0') {
1569 *++p = '\0'; /* advance p, and null-terminate pass */
1570 break;
1571 }
1572
1573 FALL_THROUGH;
1574 case 0:
1575 if (p - pass) {
1576 *p = '\0'; /* null-terminate it, just in case... */
1577 p = NULL; /* then force the loop condition to become false */
1578 break;
1579 }
1580
1581 fprintf(stderr,
1582 "Error reading password from file descriptor "
1583 "%d: empty password\n",
1584 fd);
1585 return false;
1586
1587 default:
1588 fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
1589 fd, strerror(errno));
1590 return false;
1591 }
1592 }
1593
1594 cli_credentials_set_password(credentials, pass, obtained);
1595 return true;
1596 }
1597
1598 /**
1599 * @brief Set the SMB signing state to request for a SMB connection.
1600 *
1601 * @param[in] creds The credentials structure to update.
1602 *
1603 * @param[in] signing_state The signing state to set.
1604 *
1605 * @param obtained This way the described signing state was specified.
1606 *
1607 * @return true if we could set the signing state, false otherwise.
1608 */
1609 _PUBLIC_ bool cli_credentials_set_smb_signing(struct cli_credentials *creds,
1610 enum smb_signing_setting signing_state,
1611 enum credentials_obtained obtained)
1612 {
1613 if (obtained >= creds->signing_state_obtained) {
1614 creds->signing_state_obtained = obtained;
1615 creds->signing_state = signing_state;
1616 return true;
1617 }
1618
1619 return false;
1620 }
1621
1622 /**
1623 * @brief Obtain the SMB signing state from a credentials structure.
1624 *
1625 * @param[in] creds The credential structure to obtain the SMB signing state
1626 * from.
1627 *
1628 * @return The SMB signing state.
1629 */
1630 _PUBLIC_ enum smb_signing_setting
1631 cli_credentials_get_smb_signing(struct cli_credentials *creds)
1632 {
1633 return creds->signing_state;
1634 }
1635
1636 /**
1637 * @brief Set the SMB IPC signing state to request for a SMB connection.
1638 *
1639 * @param[in] creds The credentials structure to update.
1640 *
1641 * @param[in] signing_state The signing state to set.
1642 *
1643 * @param obtained This way the described signing state was specified.
1644 *
1645 * @return true if we could set the signing state, false otherwise.
1646 */
1647 _PUBLIC_ bool
1648 cli_credentials_set_smb_ipc_signing(struct cli_credentials *creds,
1649 enum smb_signing_setting ipc_signing_state,
1650 enum credentials_obtained obtained)
1651 {
1652 if (obtained >= creds->ipc_signing_state_obtained) {
1653 creds->ipc_signing_state_obtained = obtained;
1654 creds->ipc_signing_state = ipc_signing_state;
1655 return true;
1656 }
1657
1658 return false;
1659 }
1660
1661 /**
1662 * @brief Obtain the SMB IPC signing state from a credentials structure.
1663 *
1664 * @param[in] creds The credential structure to obtain the SMB IPC signing
1665 * state from.
1666 *
1667 * @return The SMB signing state.
1668 */
1669 _PUBLIC_ enum smb_signing_setting
1670 cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds)
1671 {
1672 return creds->ipc_signing_state;
1673 }
1674
1675 /**
1676 * @brief Set the SMB encryption state to request for a SMB connection.
1677 *
1678 * @param[in] creds The credentials structure to update.
1679 *
1680 * @param[in] encryption_state The encryption state to set.
1681 *
1682 * @param obtained This way the described encryption state was specified.
1683 *
1684 * @return true if we could set the encryption state, false otherwise.
1685 */
1686 _PUBLIC_ bool cli_credentials_set_smb_encryption(struct cli_credentials *creds,
1687 enum smb_encryption_setting encryption_state,
1688 enum credentials_obtained obtained)
1689 {
1690 if (obtained >= creds->encryption_state_obtained) {
1691 creds->encryption_state_obtained = obtained;
1692 creds->encryption_state = encryption_state;
1693 return true;
1694 }
1695
1696 return false;
1697 }
1698
1699 static const char *obtained_to_str(enum credentials_obtained obtained)
1700 {
1701 switch (obtained) {
1702 case CRED_UNINITIALISED:
1703 return "CRED_UNINITIALISED";
1704 case CRED_SMB_CONF:
1705 return "CRED_SMB_CONF";
1706 case CRED_CALLBACK:
1707 return "CRED_CALLBACK";
1708 case CRED_GUESS_ENV:
1709 return "CRED_GUESS_ENV";
1710 case CRED_GUESS_FILE:
1711 return "CRED_GUESS_FILE";
1712 case CRED_CALLBACK_RESULT:
1713 return "CRED_CALLBACK_RESULT";
1714 case CRED_SPECIFIED:
1715 return "CRED_SPECIFIED";
1716 }
1717
1718 /* Never reached */
1719 return "";
1720 }
1721
1722 static const char *krb5_state_to_str(enum credentials_use_kerberos krb5_state)
1723 {
1724 switch (krb5_state) {
1725 case CRED_USE_KERBEROS_DISABLED:
1726 return "CRED_USE_KERBEROS_DISABLED";
1727 case CRED_USE_KERBEROS_DESIRED:
1728 return "CRED_USE_KERBEROS_DESIRED";
1729 case CRED_USE_KERBEROS_REQUIRED:
1730 return "CRED_USE_KERBEROS_REQUIRED";
1731 }
1732
1733 /* Never reached */
1734 return "";
1735 }
1736
1737 static const char *krb5_fwd_to_str(enum credentials_krb_forwardable krb5_fwd)
1738 {
1739 switch (krb5_fwd) {
1740 case CRED_AUTO_KRB_FORWARDABLE:
1741 return "CRED_AUTO_KRB_FORWARDABLE";
1742 case CRED_NO_KRB_FORWARDABLE:
1743 return "CRED_NO_KRB_FORWARDABLE";
1744 case CRED_FORCE_KRB_FORWARDABLE:
1745 return "CRED_FORCE_KRB_FORWARDABLE";
1746 }
1747
1748 /* Never reached */
1749 return "";
1750 }
1751
1752 static const char *signing_state_to_str(enum smb_signing_setting signing_state)
1753 {
1754 switch(signing_state) {
1755 case SMB_SIGNING_IPC_DEFAULT:
1756 return "SMB_SIGNING_IPC_DEFAULT";
1757 case SMB_SIGNING_DEFAULT:
1758 return "SMB_SIGNING_DEFAULT";
1759 case SMB_SIGNING_OFF:
1760 return "SMB_SIGNING_OFF";
1761 case SMB_SIGNING_IF_REQUIRED:
1762 return "SMB_SIGNING_IF_REQUIRED";
1763 case SMB_SIGNING_DESIRED:
1764 return "SMB_SIGNING_DESIRED";
1765 case SMB_SIGNING_REQUIRED:
1766 return "SMB_SIGNING_REQUIRED";
1767 }
1768
1769 /* Never reached */
1770 return "";
1771 }
1772
1773 static const char *encryption_state_to_str(enum smb_encryption_setting encryption_state)
1774 {
1775 switch(encryption_state) {
1776 case SMB_ENCRYPTION_DEFAULT:
1777 return "SMB_ENCRYPTION_DEFAULT";
1778 case SMB_ENCRYPTION_OFF:
1779 return "SMB_ENCRYPTION_OFF";
1780 case SMB_ENCRYPTION_IF_REQUIRED:
1781 return "SMB_ENCRYPTION_IF_REQUIRED";
1782 case SMB_ENCRYPTION_DESIRED:
1783 return "SMB_ENCRYPTION_DESIRED";
1784 case SMB_ENCRYPTION_REQUIRED:
1785 return "SMB_ENCRYPTION_REQUIRED";
1786 }
1787
1788 /* Never reached */
1789 return "";
1790 }
1791
1792 _PUBLIC_ void cli_credentials_dump(struct cli_credentials *creds)
1793 {
1794 DBG_ERR("CLI_CREDENTIALS:\n");
1795 DBG_ERR("\n");
1796 DBG_ERR(" Username: %s - %s\n",
1797 creds->username,
1798 obtained_to_str(creds->username_obtained));
1799 DBG_ERR(" Workstation: %s - %s\n",
1800 creds->workstation,
1801 obtained_to_str(creds->workstation_obtained));
1802 DBG_ERR(" Domain: %s - %s\n",
1803 creds->domain,
1804 obtained_to_str(creds->domain_obtained));
1805 DBG_ERR(" Password: %s - %s\n",
1806 creds->password != NULL ? "*SECRET*" : "NULL",
1807 obtained_to_str(creds->password_obtained));
1808 DBG_ERR(" Old password: %s\n",
1809 creds->old_password != NULL ? "*SECRET*" : "NULL");
1810 DBG_ERR(" Password tries: %u\n",
1811 creds->password_tries);
1812 DBG_ERR(" Realm: %s - %s\n",
1813 creds->realm,
1814 obtained_to_str(creds->realm_obtained));
1815 DBG_ERR(" Principal: %s - %s\n",
1816 creds->principal,
1817 obtained_to_str(creds->principal_obtained));
1818 DBG_ERR(" Salt principal: %s\n",
1819 creds->salt_principal);
1820 DBG_ERR(" Impersonate principal: %s\n",
1821 creds->impersonate_principal);
1822 DBG_ERR(" Self service: %s\n",
1823 creds->self_service);
1824 DBG_ERR(" Target service: %s\n",
1825 creds->target_service);
1826 DBG_ERR(" Kerberos state: %s - %s\n",
1827 krb5_state_to_str(creds->kerberos_state),
1828 obtained_to_str(creds->kerberos_state_obtained));
1829 DBG_ERR(" Kerberos forwardable ticket: %s\n",
1830 krb5_fwd_to_str(creds->krb_forwardable));
1831 DBG_ERR(" Signing state: %s - %s\n",
1832 signing_state_to_str(creds->signing_state),
1833 obtained_to_str(creds->signing_state_obtained));
1834 DBG_ERR(" IPC signing state: %s - %s\n",
1835 signing_state_to_str(creds->ipc_signing_state),
1836 obtained_to_str(creds->ipc_signing_state_obtained));
1837 DBG_ERR(" Encryption state: %s - %s\n",
1838 encryption_state_to_str(creds->encryption_state),
1839 obtained_to_str(creds->encryption_state_obtained));
1840 DBG_ERR(" Gensec features: %#X\n",
1841 creds->gensec_features);
1842 DBG_ERR(" Forced sasl mech: %s\n",
1843 creds->forced_sasl_mech);
1844 DBG_ERR(" CCACHE: %p - %s\n",
1845 creds->ccache,
1846 obtained_to_str(creds->ccache_obtained));
1847 DBG_ERR(" CLIENT_GSS_CREDS: %p - %s\n",
1848 creds->client_gss_creds,
1849 obtained_to_str(creds->client_gss_creds_obtained));
1850 DBG_ERR(" SERVER_GSS_CREDS: %p - %s\n",
1851 creds->server_gss_creds,
1852 obtained_to_str(creds->server_gss_creds_obtained));
1853 DBG_ERR(" KEYTAB: %p - %s\n",
1854 creds->keytab,
1855 obtained_to_str(creds->keytab_obtained));
1856 DBG_ERR(" KVNO: %u\n",
1857 creds->kvno);
1858 DBG_ERR("\n");
1859 }
1860
1861 /**
1862 * @brief Obtain the SMB encryption state from a credentials structure.
1863 *
1864 * @param[in] creds The credential structure to obtain the SMB encryption state
1865 * from.
1866 *
1867 * @return The SMB signing state.
1868 */
1869 _PUBLIC_ enum smb_encryption_setting
1870 cli_credentials_get_smb_encryption(struct cli_credentials *creds)
1871 {
1872 return creds->encryption_state;
1873 }
1874
1875 /**
1876 * Encrypt a data blob using the session key and the negotiated encryption
1877 * algorithm
1878 *
1879 * @param state Credential state, contains the session key and algorithm
1880 * @param data Data blob containing the data to be encrypted.
1881 *
1882 */
1883 _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
1884 struct netlogon_creds_CredentialState *state,
1885 DATA_BLOB data)
1886 {
1887 NTSTATUS status;
1888
1889 if (data.data == NULL || data.length == 0) {
1890 DBG_ERR("Nothing to encrypt "
1891 "data.data == NULL or data.length == 0\n");
1892 return NT_STATUS_INVALID_PARAMETER;
1893 }
1894 /*
1895 * Don't crypt an all-zero password it will give away the
1896 * NETLOGON pipe session key .
1897 */
1898 if (all_zero(data.data, data.length)) {
1899 DBG_ERR("Supplied data all zeros, could leak session key\n");
1900 return NT_STATUS_INVALID_PARAMETER;
1901 }
1902 if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
1903 status = netlogon_creds_aes_encrypt(state,
1904 data.data,
1905 data.length);
1906 } else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
1907 status = netlogon_creds_arcfour_crypt(state,
1908 data.data,
1909 data.length);
1910 } else {
1911 DBG_ERR("Unsupported encryption option negotiated\n");
1912 status = NT_STATUS_NOT_SUPPORTED;
1913 }
1914 if (!NT_STATUS_IS_OK(status)) {
1915 return status;
1916 }
1917 return NT_STATUS_OK;
1918 }
1919
Samba GIT mirror