search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
VERSION: Bump version up to Samba 4.19.6...
[Samba.git] / auth / gensec / gensec_util.c
blobb6b4a722f271b4d15340403ac24456960a869a3a
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/gensec/gensec_internal.h"
26 #include "auth/common_auth.h"
27 #include "../lib/util/asn1.h"
28 #include "param/param.h"
29 #include "libds/common/roles.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_AUTH
33
34 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
35 struct gensec_security *gensec_security,
36 struct smb_krb5_context *smb_krb5_context,
37 DATA_BLOB *pac_blob,
38 const char *principal_string,
39 const struct tsocket_address *remote_address,
40 struct auth_session_info **session_info)
41 {
42 uint32_t session_info_flags = 0;
43 struct auth4_context *auth_context = NULL;
44 NTSTATUS status;
45
46 if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
47 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
48 }
49
50 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
51
52 if (!pac_blob) {
53 enum server_role server_role =
54 lpcfg_server_role(gensec_security->settings->lp_ctx);
55
56 /*
57 * For any domain setup (DC or member) we require having
58 * a PAC, as the service ticket comes from an AD DC,
59 * which will always provide a PAC, unless
60 * UF_NO_AUTH_DATA_REQUIRED is configured for our
61 * account, but that's just an invalid configuration,
62 * the admin configured for us!
63 *
64 * As a legacy case, we still allow kerberos tickets from an MIT
65 * realm, but only in standalone mode. In that mode we'll only
66 * ever accept a kerberos authentication with a keytab file
67 * being explicitly configured via the 'keytab method' option.
68 */
69 if (server_role != ROLE_STANDALONE) {
70 DBG_WARNING("Unable to find PAC in ticket from %s, "
71 "failing to allow access\n",
72 principal_string);
73 return NT_STATUS_NO_IMPERSONATION_TOKEN;
74 }
75 DBG_NOTICE("Unable to find PAC for %s, resorting to local "
76 "user lookup\n", principal_string);
77 }
78
79 auth_context = gensec_security->auth_context;
80
81 if ((auth_context == NULL) ||
82 (auth_context->generate_session_info_pac == NULL)) {
83 DBG_ERR("Cannot generate a session_info without "
84 "the auth_context\n");
85 return NT_STATUS_INTERNAL_ERROR;
86 }
87
88 status = auth_context->generate_session_info_pac(
89 auth_context,
90 mem_ctx,
91 smb_krb5_context,
92 pac_blob,
93 principal_string,
94 remote_address,
95 session_info_flags,
96 session_info);
97 return status;
98 }
99
100 /*
101 magic check a GSS-API wrapper packet for an Kerberos OID
102 */
103 static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
104 {
105 bool ret = false;
106 struct asn1_data *data = asn1_init(NULL, ASN1_MAX_TREE_DEPTH);
107
108 if (!data) return false;
109
110 if (!asn1_load(data, *blob)) goto err;
111 if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
112 if (!asn1_check_OID(data, oid)) goto err;
113
114 ret = !asn1_has_error(data);
115
116 err:
117
118 asn1_free(data);
119 return ret;
120 }
121
122 /**
123 * Check if the packet is one for the KRB5 mechanism
124 *
125 * NOTE: This is a helper that can be employed by multiple mechanisms, do
126 * not make assumptions about the private_data
127 *
128 * @param gensec_security GENSEC state, unused
129 * @param in The request, as a DATA_BLOB
130 * @return Error, INVALID_PARAMETER if it's not a packet for us
131 * or NT_STATUS_OK if the packet is ok.
132 */
133
134 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
135 const DATA_BLOB *blob)
136 {
137 if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
138 return NT_STATUS_OK;
139 } else {
140 return NT_STATUS_INVALID_PARAMETER;
141 }
142 }
143
144 void gensec_child_want_feature(struct gensec_security *gensec_security,
145 uint32_t feature)
146 {
147 struct gensec_security *child_security = gensec_security->child_security;
148
149 gensec_security->want_features |= feature;
150 if (child_security == NULL) {
151 return;
152 }
153 gensec_want_feature(child_security, feature);
154 }
155
156 bool gensec_child_have_feature(struct gensec_security *gensec_security,
157 uint32_t feature)
158 {
159 struct gensec_security *child_security = gensec_security->child_security;
160
161 if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
162 /*
163 * All mechs with sub (child) mechs need to provide DCERPC
164 * header signing! This is required because the negotiation
165 * of header signing is done before the authentication
166 * is completed.
167 */
168 return true;
169 }
170
171 if (child_security == NULL) {
172 return false;
173 }
174
175 return gensec_have_feature(child_security, feature);
176 }
177
178 NTSTATUS gensec_child_unseal_packet(struct gensec_security *gensec_security,
179 uint8_t *data, size_t length,
180 const uint8_t *whole_pdu, size_t pdu_length,
181 const DATA_BLOB *sig)
182 {
183 if (gensec_security->child_security == NULL) {
184 return NT_STATUS_INVALID_PARAMETER;
185 }
186
187 return gensec_unseal_packet(gensec_security->child_security,
188 data, length,
189 whole_pdu, pdu_length,
190 sig);
191 }
192
193 NTSTATUS gensec_child_check_packet(struct gensec_security *gensec_security,
194 const uint8_t *data, size_t length,
195 const uint8_t *whole_pdu, size_t pdu_length,
196 const DATA_BLOB *sig)
197 {
198 if (gensec_security->child_security == NULL) {
199 return NT_STATUS_INVALID_PARAMETER;
200 }
201
202 return gensec_check_packet(gensec_security->child_security,
203 data, length,
204 whole_pdu, pdu_length,
205 sig);
206 }
207
208 NTSTATUS gensec_child_seal_packet(struct gensec_security *gensec_security,
209 TALLOC_CTX *mem_ctx,
210 uint8_t *data, size_t length,
211 const uint8_t *whole_pdu, size_t pdu_length,
212 DATA_BLOB *sig)
213 {
214 if (gensec_security->child_security == NULL) {
215 return NT_STATUS_INVALID_PARAMETER;
216 }
217
218 return gensec_seal_packet(gensec_security->child_security,
219 mem_ctx,
220 data, length,
221 whole_pdu, pdu_length,
222 sig);
223 }
224
225 NTSTATUS gensec_child_sign_packet(struct gensec_security *gensec_security,
226 TALLOC_CTX *mem_ctx,
227 const uint8_t *data, size_t length,
228 const uint8_t *whole_pdu, size_t pdu_length,
229 DATA_BLOB *sig)
230 {
231 if (gensec_security->child_security == NULL) {
232 return NT_STATUS_INVALID_PARAMETER;
233 }
234
235 return gensec_sign_packet(gensec_security->child_security,
236 mem_ctx,
237 data, length,
238 whole_pdu, pdu_length,
239 sig);
240 }
241
242 NTSTATUS gensec_child_wrap(struct gensec_security *gensec_security,
243 TALLOC_CTX *mem_ctx,
244 const DATA_BLOB *in,
245 DATA_BLOB *out)
246 {
247 if (gensec_security->child_security == NULL) {
248 return NT_STATUS_INVALID_PARAMETER;
249 }
250
251 return gensec_wrap(gensec_security->child_security,
252 mem_ctx, in, out);
253 }
254
255 NTSTATUS gensec_child_unwrap(struct gensec_security *gensec_security,
256 TALLOC_CTX *mem_ctx,
257 const DATA_BLOB *in,
258 DATA_BLOB *out)
259 {
260 if (gensec_security->child_security == NULL) {
261 return NT_STATUS_INVALID_PARAMETER;
262 }
263
264 return gensec_unwrap(gensec_security->child_security,
265 mem_ctx, in, out);
266 }
267
268 size_t gensec_child_sig_size(struct gensec_security *gensec_security,
269 size_t data_size)
270 {
271 if (gensec_security->child_security == NULL) {
272 return 0;
273 }
274
275 return gensec_sig_size(gensec_security->child_security, data_size);
276 }
277
278 size_t gensec_child_max_input_size(struct gensec_security *gensec_security)
279 {
280 if (gensec_security->child_security == NULL) {
281 return 0;
282 }
283
284 return gensec_max_input_size(gensec_security->child_security);
285 }
286
287 size_t gensec_child_max_wrapped_size(struct gensec_security *gensec_security)
288 {
289 if (gensec_security->child_security == NULL) {
290 return 0;
291 }
292
293 return gensec_max_wrapped_size(gensec_security->child_security);
294 }
295
296 NTSTATUS gensec_child_session_key(struct gensec_security *gensec_security,
297 TALLOC_CTX *mem_ctx,
298 DATA_BLOB *session_key)
299 {
300 if (gensec_security->child_security == NULL) {
301 return NT_STATUS_INVALID_PARAMETER;
302 }
303
304 return gensec_session_key(gensec_security->child_security,
305 mem_ctx,
306 session_key);
307 }
308
309 NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,
310 TALLOC_CTX *mem_ctx,
311 struct auth_session_info **session_info)
312 {
313 if (gensec_security->child_security == NULL) {
314 return NT_STATUS_INVALID_PARAMETER;
315 }
316
317 return gensec_session_info(gensec_security->child_security,
318 mem_ctx,
319 session_info);
320 }
321
322 NTTIME gensec_child_expire_time(struct gensec_security *gensec_security)
323 {
324 if (gensec_security->child_security == NULL) {
325 return GENSEC_EXPIRE_TIME_INFINITY;
326 }
327
328 return gensec_expire_time(gensec_security->child_security);
329 }
330
331 const char *gensec_child_final_auth_type(struct gensec_security *gensec_security)
332 {
333 if (gensec_security->child_security == NULL) {
334 return "NONE";
335 }
336
337 return gensec_final_auth_type(gensec_security->child_security);
338 }
Samba GIT mirror