search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcli/auth: add const to set_pw_in_buffer()
[Samba.git] / auth / gensec / gensec_util.c
blobca5e581f63f930922ff41874f03260ba99175f27
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/gensec/gensec_internal.h"
26 #include "auth/common_auth.h"
27 #include "../lib/util/asn1.h"
28
29 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
30 struct gensec_security *gensec_security,
31 struct smb_krb5_context *smb_krb5_context,
32 DATA_BLOB *pac_blob,
33 const char *principal_string,
34 const struct tsocket_address *remote_address,
35 struct auth_session_info **session_info)
36 {
37 uint32_t session_info_flags = 0;
38
39 if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
40 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
41 }
42
43 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
44
45 if (!pac_blob) {
46 if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
47 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
48 principal_string));
49 return NT_STATUS_ACCESS_DENIED;
50 }
51 DBG_NOTICE("Unable to find PAC for %s, resorting to local "
52 "user lookup\n", principal_string);
53 }
54
55 if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
56 return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
57 mem_ctx,
58 smb_krb5_context,
59 pac_blob,
60 principal_string,
61 remote_address,
62 session_info_flags,
63 session_info);
64 } else {
65 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
66 return NT_STATUS_INTERNAL_ERROR;
67 }
68 }
69
70 /*
71 magic check a GSS-API wrapper packet for an Kerberos OID
72 */
73 static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
74 {
75 bool ret = false;
76 struct asn1_data *data = asn1_init(NULL);
77
78 if (!data) return false;
79
80 if (!asn1_load(data, *blob)) goto err;
81 if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
82 if (!asn1_check_OID(data, oid)) goto err;
83
84 ret = !asn1_has_error(data);
85
86 err:
87
88 asn1_free(data);
89 return ret;
90 }
91
92 /**
93 * Check if the packet is one for the KRB5 mechansim
94 *
95 * NOTE: This is a helper that can be employed by multiple mechanisms, do
96 * not make assumptions about the private_data
97 *
98 * @param gensec_security GENSEC state, unused
99 * @param in The request, as a DATA_BLOB
100 * @return Error, INVALID_PARAMETER if it's not a packet for us
101 * or NT_STATUS_OK if the packet is ok.
102 */
103
104 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
105 const DATA_BLOB *blob)
106 {
107 if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
108 return NT_STATUS_OK;
109 } else {
110 return NT_STATUS_INVALID_PARAMETER;
111 }
112 }
113
114 void gensec_child_want_feature(struct gensec_security *gensec_security,
115 uint32_t feature)
116 {
117 struct gensec_security *child_security = gensec_security->child_security;
118
119 gensec_security->want_features |= feature;
120 if (child_security == NULL) {
121 return;
122 }
123 gensec_want_feature(child_security, feature);
124 }
125
126 bool gensec_child_have_feature(struct gensec_security *gensec_security,
127 uint32_t feature)
128 {
129 struct gensec_security *child_security = gensec_security->child_security;
130
131 if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
132 /*
133 * All mechs with sub (child) mechs need to provide DCERPC
134 * header signing! This is required because the negotiation
135 * of header signing is done before the authentication
136 * is completed.
137 */
138 return true;
139 }
140
141 if (child_security == NULL) {
142 return false;
143 }
144
145 return gensec_have_feature(child_security, feature);
146 }
147
148 NTSTATUS gensec_child_unseal_packet(struct gensec_security *gensec_security,
149 uint8_t *data, size_t length,
150 const uint8_t *whole_pdu, size_t pdu_length,
151 const DATA_BLOB *sig)
152 {
153 if (gensec_security->child_security == NULL) {
154 return NT_STATUS_INVALID_PARAMETER;
155 }
156
157 return gensec_unseal_packet(gensec_security->child_security,
158 data, length,
159 whole_pdu, pdu_length,
160 sig);
161 }
162
163 NTSTATUS gensec_child_check_packet(struct gensec_security *gensec_security,
164 const uint8_t *data, size_t length,
165 const uint8_t *whole_pdu, size_t pdu_length,
166 const DATA_BLOB *sig)
167 {
168 if (gensec_security->child_security == NULL) {
169 return NT_STATUS_INVALID_PARAMETER;
170 }
171
172 return gensec_check_packet(gensec_security->child_security,
173 data, length,
174 whole_pdu, pdu_length,
175 sig);
176 }
177
178 NTSTATUS gensec_child_seal_packet(struct gensec_security *gensec_security,
179 TALLOC_CTX *mem_ctx,
180 uint8_t *data, size_t length,
181 const uint8_t *whole_pdu, size_t pdu_length,
182 DATA_BLOB *sig)
183 {
184 if (gensec_security->child_security == NULL) {
185 return NT_STATUS_INVALID_PARAMETER;
186 }
187
188 return gensec_seal_packet(gensec_security->child_security,
189 mem_ctx,
190 data, length,
191 whole_pdu, pdu_length,
192 sig);
193 }
194
195 NTSTATUS gensec_child_sign_packet(struct gensec_security *gensec_security,
196 TALLOC_CTX *mem_ctx,
197 const uint8_t *data, size_t length,
198 const uint8_t *whole_pdu, size_t pdu_length,
199 DATA_BLOB *sig)
200 {
201 if (gensec_security->child_security == NULL) {
202 return NT_STATUS_INVALID_PARAMETER;
203 }
204
205 return gensec_sign_packet(gensec_security->child_security,
206 mem_ctx,
207 data, length,
208 whole_pdu, pdu_length,
209 sig);
210 }
211
212 NTSTATUS gensec_child_wrap(struct gensec_security *gensec_security,
213 TALLOC_CTX *mem_ctx,
214 const DATA_BLOB *in,
215 DATA_BLOB *out)
216 {
217 if (gensec_security->child_security == NULL) {
218 return NT_STATUS_INVALID_PARAMETER;
219 }
220
221 return gensec_wrap(gensec_security->child_security,
222 mem_ctx, in, out);
223 }
224
225 NTSTATUS gensec_child_unwrap(struct gensec_security *gensec_security,
226 TALLOC_CTX *mem_ctx,
227 const DATA_BLOB *in,
228 DATA_BLOB *out)
229 {
230 if (gensec_security->child_security == NULL) {
231 return NT_STATUS_INVALID_PARAMETER;
232 }
233
234 return gensec_unwrap(gensec_security->child_security,
235 mem_ctx, in, out);
236 }
237
238 size_t gensec_child_sig_size(struct gensec_security *gensec_security,
239 size_t data_size)
240 {
241 if (gensec_security->child_security == NULL) {
242 return 0;
243 }
244
245 return gensec_sig_size(gensec_security->child_security, data_size);
246 }
247
248 size_t gensec_child_max_input_size(struct gensec_security *gensec_security)
249 {
250 if (gensec_security->child_security == NULL) {
251 return 0;
252 }
253
254 return gensec_max_input_size(gensec_security->child_security);
255 }
256
257 size_t gensec_child_max_wrapped_size(struct gensec_security *gensec_security)
258 {
259 if (gensec_security->child_security == NULL) {
260 return 0;
261 }
262
263 return gensec_max_wrapped_size(gensec_security->child_security);
264 }
265
266 NTSTATUS gensec_child_session_key(struct gensec_security *gensec_security,
267 TALLOC_CTX *mem_ctx,
268 DATA_BLOB *session_key)
269 {
270 if (gensec_security->child_security == NULL) {
271 return NT_STATUS_INVALID_PARAMETER;
272 }
273
274 return gensec_session_key(gensec_security->child_security,
275 mem_ctx,
276 session_key);
277 }
278
279 NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,
280 TALLOC_CTX *mem_ctx,
281 struct auth_session_info **session_info)
282 {
283 if (gensec_security->child_security == NULL) {
284 return NT_STATUS_INVALID_PARAMETER;
285 }
286
287 return gensec_session_info(gensec_security->child_security,
288 mem_ctx,
289 session_info);
290 }
291
292 NTTIME gensec_child_expire_time(struct gensec_security *gensec_security)
293 {
294 if (gensec_security->child_security == NULL) {
295 return GENSEC_EXPIRE_TIME_INFINITY;
296 }
297
298 return gensec_expire_time(gensec_security->child_security);
299 }
300
301 const char *gensec_child_final_auth_type(struct gensec_security *gensec_security)
302 {
303 if (gensec_security->child_security == NULL) {
304 return "NONE";
305 }
306
307 return gensec_final_auth_type(gensec_security->child_security);
308 }
Samba GIT mirror