search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
auth:creds:tests: Add test for password callback
[Samba.git] / auth / credentials / credentials.c
blob0485cc4e64e51d932eb395f0541c9f56afffd2ea
1 /*
2 Unix SMB/CIFS implementation.
3
4 User credentials handling
5
6 Copyright (C) Jelmer Vernooij 2005
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
26 #include "auth/credentials/credentials.h"
27 #include "auth/credentials/credentials_internal.h"
28 #include "auth/gensec/gensec.h"
29 #include "libcli/auth/libcli_auth.h"
30 #include "tevent.h"
31 #include "param/param.h"
32 #include "system/filesys.h"
33 #include "system/passwd.h"
34
35 /**
36 * Create a new credentials structure
37 * @param mem_ctx TALLOC_CTX parent for credentials structure
38 */
39 _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
40 {
41 struct cli_credentials *cred = talloc_zero(mem_ctx, struct cli_credentials);
42 if (cred == NULL) {
43 return cred;
44 }
45
46 cred->winbind_separator = '\\';
47
48 cred->kerberos_state = CRED_USE_KERBEROS_DESIRED;
49
50 cred->signing_state = SMB_SIGNING_DEFAULT;
51
52 /*
53 * The default value of lpcfg_client_ipc_signing() is REQUIRED, so use
54 * the same value here.
55 */
56 cred->ipc_signing_state = SMB_SIGNING_REQUIRED;
57 cred->encryption_state = SMB_ENCRYPTION_DEFAULT;
58
59 return cred;
60 }
61
62 _PUBLIC_
63 struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx,
64 struct loadparm_context *lp_ctx)
65 {
66 struct cli_credentials *server_creds = NULL;
67 NTSTATUS status;
68 bool ok;
69
70 server_creds = cli_credentials_init(mem_ctx);
71 if (server_creds == NULL) {
72 return NULL;
73 }
74
75 ok = cli_credentials_set_conf(server_creds, lp_ctx);
76 if (!ok) {
77 TALLOC_FREE(server_creds);
78 return NULL;
79 }
80
81 status = cli_credentials_set_machine_account(server_creds, lp_ctx);
82 if (!NT_STATUS_IS_OK(status)) {
83 DEBUG(1, ("Failed to obtain server credentials: %s\n",
84 nt_errstr(status)));
85 TALLOC_FREE(server_creds);
86 return NULL;
87 }
88
89 return server_creds;
90 }
91
92 _PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
93 void *callback_data)
94 {
95 cred->priv_data = callback_data;
96 }
97
98 _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
99 {
100 return cred->priv_data;
101 }
102
103 /**
104 * Create a new anonymous credential
105 * @param mem_ctx TALLOC_CTX parent for credentials structure
106 */
107 _PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
108 {
109 struct cli_credentials *anon_credentials;
110
111 anon_credentials = cli_credentials_init(mem_ctx);
112 cli_credentials_set_anonymous(anon_credentials);
113
114 return anon_credentials;
115 }
116
117 _PUBLIC_ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
118 enum credentials_use_kerberos kerberos_state,
119 enum credentials_obtained obtained)
120 {
121 if (obtained >= creds->kerberos_state_obtained) {
122 creds->kerberos_state = kerberos_state;
123 creds->kerberos_state_obtained = obtained;
124
125 return true;
126 }
127
128 return false;
129 }
130
131 _PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
132 const char *sasl_mech)
133 {
134 TALLOC_FREE(creds->forced_sasl_mech);
135 creds->forced_sasl_mech = talloc_strdup(creds, sasl_mech);
136 }
137
138 _PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
139 enum credentials_krb_forwardable krb_forwardable)
140 {
141 creds->krb_forwardable = krb_forwardable;
142 }
143
144 _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
145 {
146 return creds->kerberos_state;
147 }
148
149 _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
150 {
151 return creds->forced_sasl_mech;
152 }
153
154 _PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds)
155 {
156 return creds->krb_forwardable;
157 }
158
159 _PUBLIC_ bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
160 uint32_t gensec_features,
161 enum credentials_obtained obtained)
162 {
163 if (obtained >= creds->gensec_features_obtained) {
164 creds->gensec_features_obtained = obtained;
165 creds->gensec_features = gensec_features;
166
167 return true;
168 }
169
170 return false;
171 }
172
173 _PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
174 {
175 return creds->gensec_features;
176 }
177
178
179 /**
180 * Obtain the username for this credentials context.
181 * @param cred credentials context
182 * @retval The username set on this context.
183 * @note Return value will never be NULL except by programmer error.
184 */
185 _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
186 {
187 if (cred->machine_account_pending) {
188 cli_credentials_set_machine_account(cred,
189 cred->machine_account_pending_lp_ctx);
190 }
191
192 if (cred->username_obtained == CRED_CALLBACK &&
193 !cred->callback_running) {
194 cred->callback_running = true;
195 cred->username = cred->username_cb(cred);
196 cred->callback_running = false;
197 if (cred->username_obtained == CRED_CALLBACK) {
198 cred->username_obtained = CRED_CALLBACK_RESULT;
199 cli_credentials_invalidate_ccache(cred, cred->username_obtained);
200 }
201 }
202
203 return cred->username;
204 }
205
206 /**
207 * @brief Obtain the username for this credentials context.
208 *
209 * @param[in] cred The credential context.
210 *
211 * @param[in] obtained A pointer to store the obtained information.
212 *
213 * return The user name or NULL if an error occurred.
214 */
215 _PUBLIC_ const char *
216 cli_credentials_get_username_and_obtained(struct cli_credentials *cred,
217 enum credentials_obtained *obtained)
218 {
219 if (obtained != NULL) {
220 *obtained = cred->username_obtained;
221 }
222
223 return cli_credentials_get_username(cred);
224 }
225
226 _PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred,
227 const char *val, enum credentials_obtained obtained)
228 {
229 if (obtained >= cred->username_obtained) {
230 cred->username = talloc_strdup(cred, val);
231 cred->username_obtained = obtained;
232 cli_credentials_invalidate_ccache(cred, cred->username_obtained);
233 return true;
234 }
235
236 return false;
237 }
238
239 _PUBLIC_ bool cli_credentials_set_username_callback(struct cli_credentials *cred,
240 const char *(*username_cb) (struct cli_credentials *))
241 {
242 if (cred->username_obtained < CRED_CALLBACK) {
243 cred->username_cb = username_cb;
244 cred->username_obtained = CRED_CALLBACK;
245 return true;
246 }
247
248 return false;
249 }
250
251 _PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
252 const char *bind_dn)
253 {
254 cred->bind_dn = talloc_strdup(cred, bind_dn);
255 return true;
256 }
257
258 /**
259 * Obtain the BIND DN for this credentials context.
260 * @param cred credentials context
261 * @retval The username set on this context.
262 * @note Return value will be NULL if not specified explicitly
263 */
264 _PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
265 {
266 return cred->bind_dn;
267 }
268
269
270 /**
271 * Obtain the client principal for this credentials context.
272 * @param cred credentials context
273 * @retval The username set on this context.
274 * @note Return value will never be NULL except by programmer error.
275 */
276 _PUBLIC_ char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
277 {
278 if (cred->machine_account_pending) {
279 cli_credentials_set_machine_account(cred,
280 cred->machine_account_pending_lp_ctx);
281 }
282
283 if (cred->principal_obtained == CRED_CALLBACK &&
284 !cred->callback_running) {
285 cred->callback_running = true;
286 cred->principal = cred->principal_cb(cred);
287 cred->callback_running = false;
288 if (cred->principal_obtained == CRED_CALLBACK) {
289 cred->principal_obtained = CRED_CALLBACK_RESULT;
290 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
291 }
292 }
293
294 if (cred->principal_obtained < cred->username_obtained
295 || cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) {
296 const char *effective_username = NULL;
297 const char *effective_realm = NULL;
298 enum credentials_obtained effective_obtained;
299
300 effective_username = cli_credentials_get_username(cred);
301 if (effective_username == NULL || strlen(effective_username) == 0) {
302 *obtained = cred->username_obtained;
303 return NULL;
304 }
305
306 if (cred->domain_obtained > cred->realm_obtained) {
307 effective_realm = cli_credentials_get_domain(cred);
308 effective_obtained = MIN(cred->domain_obtained,
309 cred->username_obtained);
310 } else {
311 effective_realm = cli_credentials_get_realm(cred);
312 effective_obtained = MIN(cred->realm_obtained,
313 cred->username_obtained);
314 }
315
316 if (effective_realm == NULL || strlen(effective_realm) == 0) {
317 effective_realm = cli_credentials_get_domain(cred);
318 effective_obtained = MIN(cred->domain_obtained,
319 cred->username_obtained);
320 }
321
322 if (effective_realm != NULL && strlen(effective_realm) != 0) {
323 *obtained = effective_obtained;
324 return talloc_asprintf(mem_ctx, "%s@%s",
325 effective_username,
326 effective_realm);
327 }
328 }
329 *obtained = cred->principal_obtained;
330 return talloc_strdup(mem_ctx, cred->principal);
331 }
332
333 /**
334 * Obtain the client principal for this credentials context.
335 * @param cred credentials context
336 * @retval The username set on this context.
337 * @note Return value will never be NULL except by programmer error.
338 */
339 _PUBLIC_ char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
340 {
341 enum credentials_obtained obtained;
342 return cli_credentials_get_principal_and_obtained(cred, mem_ctx, &obtained);
343 }
344
345 _PUBLIC_ bool cli_credentials_set_principal(struct cli_credentials *cred,
346 const char *val,
347 enum credentials_obtained obtained)
348 {
349 if (obtained >= cred->principal_obtained) {
350 cred->principal = talloc_strdup(cred, val);
351 if (cred->principal == NULL) {
352 return false;
353 }
354 cred->principal_obtained = obtained;
355
356 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
357 return true;
358 }
359
360 return false;
361 }
362
363 /* Set a callback to get the principal. This could be a popup dialog,
364 * a terminal prompt or similar. */
365 _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
366 const char *(*principal_cb) (struct cli_credentials *))
367 {
368 if (cred->principal_obtained < CRED_CALLBACK) {
369 cred->principal_cb = principal_cb;
370 cred->principal_obtained = CRED_CALLBACK;
371 return true;
372 }
373
374 return false;
375 }
376
377 /* Some of our tools are 'anonymous by default'. This is a single
378 * function to determine if authentication has been explicitly
379 * requested */
380
381 _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
382 {
383 uint32_t gensec_features = 0;
384
385 if (cred->bind_dn) {
386 return true;
387 }
388
389 /*
390 * If we forced the mech we clearly want authentication. E.g. to use
391 * SASL/EXTERNAL which has no credentials.
392 */
393 if (cred->forced_sasl_mech) {
394 return true;
395 }
396
397 if (cli_credentials_is_anonymous(cred)){
398 return false;
399 }
400
401 if (cred->principal_obtained >= CRED_SPECIFIED) {
402 return true;
403 }
404 if (cred->username_obtained >= CRED_SPECIFIED) {
405 return true;
406 }
407
408 if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
409 return true;
410 }
411
412 gensec_features = cli_credentials_get_gensec_features(cred);
413 if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
414 return true;
415 }
416
417 if (gensec_features & GENSEC_FEATURE_SIGN) {
418 return true;
419 }
420
421 if (gensec_features & GENSEC_FEATURE_SEAL) {
422 return true;
423 }
424
425 return false;
426 }
427
428 /**
429 * Obtain the password for this credentials context.
430 * @param cred credentials context
431 * @retval If set, the cleartext password, otherwise NULL
432 */
433 _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
434 {
435 if (cred->machine_account_pending) {
436 cli_credentials_set_machine_account(cred,
437 cred->machine_account_pending_lp_ctx);
438 }
439
440 if (cred->password_obtained == CRED_CALLBACK &&
441 !cred->callback_running &&
442 !cred->password_will_be_nt_hash) {
443 cred->callback_running = true;
444 cred->password = cred->password_cb(cred);
445 cred->callback_running = false;
446 if (cred->password_obtained == CRED_CALLBACK) {
447 cred->password_obtained = CRED_CALLBACK_RESULT;
448 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
449 }
450 }
451
452 return cred->password;
453 }
454
455 /**
456 * @brief Obtain the password for this credentials context.
457 *
458 * @param[in] cred The credential context.
459 *
460 * @param[in] obtained A pointer to store the obtained information.
461 *
462 * return The user name or NULL if an error occurred.
463 */
464 _PUBLIC_ const char *
465 cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
466 enum credentials_obtained *obtained)
467 {
468 if (obtained != NULL) {
469 *obtained = cred->password_obtained;
470 }
471
472 return cli_credentials_get_password(cred);
473 }
474
475 /* Set a password on the credentials context, including an indication
476 * of 'how' the password was obtained */
477
478 _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
479 const char *val,
480 enum credentials_obtained obtained)
481 {
482 if (obtained >= cred->password_obtained) {
483
484 cred->lm_response = data_blob_null;
485 cred->nt_response = data_blob_null;
486 cred->nt_hash = NULL;
487 cred->password = NULL;
488
489 cli_credentials_invalidate_ccache(cred, obtained);
490
491 cred->password_tries = 0;
492
493 if (val == NULL) {
494 cred->password_obtained = obtained;
495 return true;
496 }
497
498 if (cred->password_will_be_nt_hash) {
499 struct samr_Password *nt_hash = NULL;
500 size_t val_len = strlen(val);
501 size_t converted;
502
503 nt_hash = talloc(cred, struct samr_Password);
504 if (nt_hash == NULL) {
505 return false;
506 }
507
508 converted = strhex_to_str((char *)nt_hash->hash,
509 sizeof(nt_hash->hash),
510 val, val_len);
511 if (converted != sizeof(nt_hash->hash)) {
512 TALLOC_FREE(nt_hash);
513 return false;
514 }
515
516 cred->nt_hash = nt_hash;
517 cred->password_obtained = obtained;
518 return true;
519 }
520
521 cred->password = talloc_strdup(cred, val);
522 if (cred->password == NULL) {
523 return false;
524 }
525
526 /* Don't print the actual password in talloc memory dumps */
527 talloc_set_name_const(cred->password,
528 "password set via cli_credentials_set_password");
529 cred->password_obtained = obtained;
530
531 return true;
532 }
533
534 return false;
535 }
536
537 _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred,
538 const char *(*password_cb) (struct cli_credentials *))
539 {
540 if (cred->password_obtained < CRED_CALLBACK) {
541 cred->password_tries = 3;
542 cred->password_cb = password_cb;
543 cred->password_obtained = CRED_CALLBACK;
544 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
545 return true;
546 }
547
548 return false;
549 }
550
551 /**
552 * Obtain the 'old' password for this credentials context (used for join accounts).
553 * @param cred credentials context
554 * @retval If set, the cleartext password, otherwise NULL
555 */
556 _PUBLIC_ const char *cli_credentials_get_old_password(struct cli_credentials *cred)
557 {
558 if (cred->machine_account_pending) {
559 cli_credentials_set_machine_account(cred,
560 cred->machine_account_pending_lp_ctx);
561 }
562
563 return cred->old_password;
564 }
565
566 _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
567 const char *val,
568 enum credentials_obtained obtained)
569 {
570 cred->old_password = talloc_strdup(cred, val);
571 if (cred->old_password) {
572 /* Don't print the actual password in talloc memory dumps */
573 talloc_set_name_const(cred->old_password, "password set via cli_credentials_set_old_password");
574 }
575 cred->old_nt_hash = NULL;
576 return true;
577 }
578
579 /**
580 * Obtain the password, in the form MD4(unicode(password)) for this credentials context.
581 *
582 * Sometimes we only have this much of the password, while the rest of
583 * the time this call avoids calling E_md4hash themselves.
584 *
585 * @param cred credentials context
586 * @retval If set, the cleartext password, otherwise NULL
587 */
588 _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
589 TALLOC_CTX *mem_ctx)
590 {
591 enum credentials_obtained password_obtained;
592 enum credentials_obtained ccache_threshold;
593 enum credentials_obtained client_gss_creds_threshold;
594 bool password_is_nt_hash;
595 const char *password = NULL;
596 struct samr_Password *nt_hash = NULL;
597
598 if (cred->nt_hash != NULL) {
599 /*
600 * If we already have a hash it's easy.
601 */
602 goto return_hash;
603 }
604
605 /*
606 * This is a bit tricky, with password_will_be_nt_hash
607 * we still need to get the value via the password_callback
608 * but if we did that we should not remember it's state
609 * in the long run so we need to undo it.
610 */
611
612 password_obtained = cred->password_obtained;
613 ccache_threshold = cred->ccache_threshold;
614 client_gss_creds_threshold = cred->client_gss_creds_threshold;
615 password_is_nt_hash = cred->password_will_be_nt_hash;
616
617 cred->password_will_be_nt_hash = false;
618 password = cli_credentials_get_password(cred);
619
620 cred->password_will_be_nt_hash = password_is_nt_hash;
621 if (password_is_nt_hash && password_obtained == CRED_CALLBACK) {
622 /*
623 * We got the nt_hash as string via the callback,
624 * so we need to undo the state change.
625 *
626 * And also don't remember it as plaintext password.
627 */
628 cred->client_gss_creds_threshold = client_gss_creds_threshold;
629 cred->ccache_threshold = ccache_threshold;
630 cred->password_obtained = password_obtained;
631 cred->password = NULL;
632 }
633
634 if (password == NULL) {
635 return NULL;
636 }
637
638 nt_hash = talloc(cred, struct samr_Password);
639 if (nt_hash == NULL) {
640 return NULL;
641 }
642
643 if (password_is_nt_hash) {
644 size_t password_len = strlen(password);
645 size_t converted;
646
647 converted = strhex_to_str((char *)nt_hash->hash,
648 sizeof(nt_hash->hash),
649 password, password_len);
650 if (converted != sizeof(nt_hash->hash)) {
651 TALLOC_FREE(nt_hash);
652 return NULL;
653 }
654 } else {
655 E_md4hash(password, nt_hash->hash);
656 }
657
658 cred->nt_hash = nt_hash;
659 nt_hash = NULL;
660
661 return_hash:
662 nt_hash = talloc(mem_ctx, struct samr_Password);
663 if (nt_hash == NULL) {
664 return NULL;
665 }
666
667 *nt_hash = *cred->nt_hash;
668
669 return nt_hash;
670 }
671
672 /**
673 * Obtain the old password, in the form MD4(unicode(password)) for this credentials context.
674 *
675 * Sometimes we only have this much of the password, while the rest of
676 * the time this call avoids calling E_md4hash themselves.
677 *
678 * @param cred credentials context
679 * @retval If set, the cleartext password, otherwise NULL
680 */
681 _PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
682 TALLOC_CTX *mem_ctx)
683 {
684 const char *old_password = NULL;
685
686 if (cred->old_nt_hash != NULL) {
687 struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
688 if (!nt_hash) {
689 return NULL;
690 }
691
692 *nt_hash = *cred->old_nt_hash;
693
694 return nt_hash;
695 }
696
697 old_password = cli_credentials_get_old_password(cred);
698 if (old_password) {
699 struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
700 if (!nt_hash) {
701 return NULL;
702 }
703
704 E_md4hash(old_password, nt_hash->hash);
705
706 return nt_hash;
707 }
708
709 return NULL;
710 }
711
712 /**
713 * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
714 * @param cred credentials context
715 * @retval The domain set on this context.
716 * @note Return value will never be NULL except by programmer error.
717 */
718 _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
719 {
720 if (cred->machine_account_pending) {
721 cli_credentials_set_machine_account(cred,
722 cred->machine_account_pending_lp_ctx);
723 }
724
725 if (cred->domain_obtained == CRED_CALLBACK &&
726 !cred->callback_running) {
727 cred->callback_running = true;
728 cred->domain = cred->domain_cb(cred);
729 cred->callback_running = false;
730 if (cred->domain_obtained == CRED_CALLBACK) {
731 cred->domain_obtained = CRED_CALLBACK_RESULT;
732 cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
733 }
734 }
735
736 return cred->domain;
737 }
738
739
740 _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
741 const char *val,
742 enum credentials_obtained obtained)
743 {
744 if (obtained >= cred->domain_obtained) {
745 /* it is important that the domain be in upper case,
746 * particularly for the sensitive NTLMv2
747 * calculations */
748 cred->domain = strupper_talloc(cred, val);
749 cred->domain_obtained = obtained;
750 /* setting domain does not mean we have to invalidate ccache
751 * because domain in not used for Kerberos operations.
752 * If ccache invalidation is required, one will anyway specify
753 * a password to kinit, and that will force invalidation of the ccache
754 */
755 return true;
756 }
757
758 return false;
759 }
760
761 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
762 const char *(*domain_cb) (struct cli_credentials *))
763 {
764 if (cred->domain_obtained < CRED_CALLBACK) {
765 cred->domain_cb = domain_cb;
766 cred->domain_obtained = CRED_CALLBACK;
767 return true;
768 }
769
770 return false;
771 }
772
773 /**
774 * Obtain the Kerberos realm for this credentials context.
775 * @param cred credentials context
776 * @retval The realm set on this context.
777 * @note Return value will never be NULL except by programmer error.
778 */
779 _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
780 {
781 if (cred->machine_account_pending) {
782 cli_credentials_set_machine_account(cred,
783 cred->machine_account_pending_lp_ctx);
784 }
785
786 if (cred->realm_obtained == CRED_CALLBACK &&
787 !cred->callback_running) {
788 cred->callback_running = true;
789 cred->realm = cred->realm_cb(cred);
790 cred->callback_running = false;
791 if (cred->realm_obtained == CRED_CALLBACK) {
792 cred->realm_obtained = CRED_CALLBACK_RESULT;
793 cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
794 }
795 }
796
797 return cred->realm;
798 }
799
800 /**
801 * Set the realm for this credentials context, and force it to
802 * uppercase for the sanity of our local kerberos libraries
803 */
804 _PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred,
805 const char *val,
806 enum credentials_obtained obtained)
807 {
808 if (obtained >= cred->realm_obtained) {
809 cred->realm = strupper_talloc(cred, val);
810 cred->realm_obtained = obtained;
811 cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
812 return true;
813 }
814
815 return false;
816 }
817
818 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
819 const char *(*realm_cb) (struct cli_credentials *))
820 {
821 if (cred->realm_obtained < CRED_CALLBACK) {
822 cred->realm_cb = realm_cb;
823 cred->realm_obtained = CRED_CALLBACK;
824 return true;
825 }
826
827 return false;
828 }
829
830 /**
831 * Obtain the 'short' or 'NetBIOS' workstation name for this credentials context.
832 *
833 * @param cred credentials context
834 * @retval The workstation name set on this context.
835 * @note Return value will never be NULL except by programmer error.
836 */
837 _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cred)
838 {
839 if (cred->workstation_obtained == CRED_CALLBACK &&
840 !cred->callback_running) {
841 cred->callback_running = true;
842 cred->workstation = cred->workstation_cb(cred);
843 cred->callback_running = false;
844 if (cred->workstation_obtained == CRED_CALLBACK) {
845 cred->workstation_obtained = CRED_CALLBACK_RESULT;
846 }
847 }
848
849 return cred->workstation;
850 }
851
852 _PUBLIC_ bool cli_credentials_set_workstation(struct cli_credentials *cred,
853 const char *val,
854 enum credentials_obtained obtained)
855 {
856 if (obtained >= cred->workstation_obtained) {
857 cred->workstation = talloc_strdup(cred, val);
858 cred->workstation_obtained = obtained;
859 return true;
860 }
861
862 return false;
863 }
864
865 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
866 const char *(*workstation_cb) (struct cli_credentials *))
867 {
868 if (cred->workstation_obtained < CRED_CALLBACK) {
869 cred->workstation_cb = workstation_cb;
870 cred->workstation_obtained = CRED_CALLBACK;
871 return true;
872 }
873
874 return false;
875 }
876
877 /**
878 * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields
879 *
880 * The format accepted is [domain\\]user[%password] or user[@realm][%password]
881 *
882 * @param credentials Credentials structure on which to set the password
883 * @param data the string containing the username, password etc
884 * @param obtained This enum describes how 'specified' this password is
885 */
886
887 _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
888 {
889 char *uname, *p;
890 char *uname_free = NULL;
891
892 if (strcmp("%",data) == 0) {
893 cli_credentials_set_anonymous(credentials);
894 return;
895 }
896
897 uname = talloc_strdup(credentials, data);
898 uname_free = uname;
899
900 if ((p = strchr_m(uname,'%'))) {
901 *p = 0;
902 cli_credentials_set_password(credentials, p+1, obtained);
903 }
904
905 if ((p = strchr_m(uname,'@'))) {
906 /*
907 * We also need to set username and domain
908 * in order to undo the effect of
909 * cli_credentials_guess().
910 */
911 cli_credentials_set_username(credentials, uname, obtained);
912 cli_credentials_set_domain(credentials, "", obtained);
913
914 cli_credentials_set_principal(credentials, uname, obtained);
915 *p = 0;
916 cli_credentials_set_realm(credentials, p+1, obtained);
917 TALLOC_FREE(uname_free);
918 return;
919 } else if ((p = strchr_m(uname,'\\'))
920 || (p = strchr_m(uname, '/'))
921 || (p = strchr_m(uname, credentials->winbind_separator)))
922 {
923 const char *domain = NULL;
924
925 domain = uname;
926 *p = 0;
927 uname = p+1;
928
929 if (obtained == credentials->realm_obtained &&
930 !strequal_m(credentials->domain, domain))
931 {
932 /*
933 * We need to undo a former set with the same level
934 * in order to get the expected result from
935 * cli_credentials_get_principal().
936 *
937 * But we only need to do that if the domain
938 * actually changes.
939 */
940 cli_credentials_set_realm(credentials, domain, obtained);
941 }
942 cli_credentials_set_domain(credentials, domain, obtained);
943 }
944 if (obtained == credentials->principal_obtained &&
945 !strequal_m(credentials->username, uname))
946 {
947 /*
948 * We need to undo a former set with the same level
949 * in order to get the expected result from
950 * cli_credentials_get_principal().
951 *
952 * But we only need to do that if the username
953 * actually changes.
954 */
955 credentials->principal_obtained = CRED_UNINITIALISED;
956 credentials->principal = NULL;
957 }
958 cli_credentials_set_username(credentials, uname, obtained);
959
960 TALLOC_FREE(uname_free);
961 }
962
963 /**
964 * Given a a credentials structure, print it as a string
965 *
966 * The format output is [domain\\]user[%password] or user[@realm][%password]
967 *
968 * @param credentials Credentials structure on which to set the password
969 * @param mem_ctx The memory context to place the result on
970 */
971
972 _PUBLIC_ char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
973 {
974 const char *bind_dn = cli_credentials_get_bind_dn(credentials);
975 const char *domain = NULL;
976 const char *username = NULL;
977 char *name = NULL;
978
979 if (bind_dn) {
980 name = talloc_strdup(mem_ctx, bind_dn);
981 } else {
982 cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
983 if (domain && domain[0]) {
984 name = talloc_asprintf(mem_ctx, "%s\\%s",
985 domain, username);
986 } else {
987 name = talloc_asprintf(mem_ctx, "%s",
988 username);
989 }
990 }
991 return name;
992 }
993
994
995 /**
996 * Specifies default values for domain, workstation and realm
997 * from the smb.conf configuration file
998 *
999 * @param cred Credentials structure to fill in
1000 *
1001 * @return true on success, false on error.
1002 */
1003 _PUBLIC_ bool cli_credentials_set_conf(struct cli_credentials *cred,
1004 struct loadparm_context *lp_ctx)
1005 {
1006 const char *sep = NULL;
1007 const char *realm = lpcfg_realm(lp_ctx);
1008 enum credentials_client_protection protection =
1009 lpcfg_client_protection(lp_ctx);
1010 const char *workgroup = lpcfg_workgroup(lp_ctx);
1011 const char *netbios_name = lpcfg_netbios_name(lp_ctx);
1012 bool ok;
1013
1014 (void)cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
1015
1016 if (workgroup != NULL && strlen(workgroup) == 0) {
1017 workgroup = NULL;
1018 }
1019
1020 if (workgroup != NULL) {
1021 if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
1022 ok = cli_credentials_set_domain(cred,
1023 workgroup,
1024 CRED_SPECIFIED);
1025 if (!ok) {
1026 DBG_ERR("Failed to set domain!\n");
1027 return false;
1028 }
1029 } else {
1030 (void)cli_credentials_set_domain(cred,
1031 workgroup,
1032 CRED_SMB_CONF);
1033 }
1034 }
1035
1036 if (netbios_name != NULL && strlen(netbios_name) == 0) {
1037 netbios_name = NULL;
1038 }
1039
1040 if (netbios_name != NULL) {
1041 if (lpcfg_parm_is_cmdline(lp_ctx, "netbios name")) {
1042 ok = cli_credentials_set_workstation(cred,
1043 netbios_name,
1044 CRED_SPECIFIED);
1045 if (!ok) {
1046 DBG_ERR("Failed to set workstation!\n");
1047 return false;
1048 }
1049 } else {
1050 (void)cli_credentials_set_workstation(cred,
1051 netbios_name,
1052 CRED_SMB_CONF);
1053 }
1054 }
1055
1056 if (realm != NULL && strlen(realm) == 0) {
1057 realm = NULL;
1058 }
1059
1060 if (realm != NULL) {
1061 if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) {
1062 ok = cli_credentials_set_realm(cred,
1063 realm,
1064 CRED_SPECIFIED);
1065 if (!ok) {
1066 DBG_ERR("Failed to set realm!\n");
1067 return false;
1068 }
1069 } else {
1070 (void)cli_credentials_set_realm(cred,
1071 realm,
1072 CRED_SMB_CONF);
1073 }
1074 }
1075
1076 sep = lpcfg_winbind_separator(lp_ctx);
1077 if (sep != NULL && sep[0] != '\0') {
1078 cred->winbind_separator = *lpcfg_winbind_separator(lp_ctx);
1079 }
1080
1081 if (cred->signing_state_obtained <= CRED_SMB_CONF) {
1082 /* Will be set to default for invalid smb.conf values */
1083 cred->signing_state = lpcfg_client_signing(lp_ctx);
1084 if (cred->signing_state == SMB_SIGNING_DEFAULT) {
1085 switch (protection) {
1086 case CRED_CLIENT_PROTECTION_DEFAULT:
1087 break;
1088 case CRED_CLIENT_PROTECTION_PLAIN:
1089 cred->signing_state = SMB_SIGNING_OFF;
1090 break;
1091 case CRED_CLIENT_PROTECTION_SIGN:
1092 case CRED_CLIENT_PROTECTION_ENCRYPT:
1093 cred->signing_state = SMB_SIGNING_REQUIRED;
1094 break;
1095 }
1096 }
1097
1098 cred->signing_state_obtained = CRED_SMB_CONF;
1099 }
1100
1101 if (cred->ipc_signing_state_obtained <= CRED_SMB_CONF) {
1102 /* Will be set to required for invalid smb.conf values */
1103 cred->ipc_signing_state = lpcfg_client_ipc_signing(lp_ctx);
1104 cred->ipc_signing_state_obtained = CRED_SMB_CONF;
1105 }
1106
1107 if (cred->encryption_state_obtained <= CRED_SMB_CONF) {
1108 /* Will be set to default for invalid smb.conf values */
1109 cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
1110 if (cred->encryption_state == SMB_ENCRYPTION_DEFAULT) {
1111 switch (protection) {
1112 case CRED_CLIENT_PROTECTION_DEFAULT:
1113 break;
1114 case CRED_CLIENT_PROTECTION_PLAIN:
1115 case CRED_CLIENT_PROTECTION_SIGN:
1116 cred->encryption_state = SMB_ENCRYPTION_OFF;
1117 break;
1118 case CRED_CLIENT_PROTECTION_ENCRYPT:
1119 cred->encryption_state = SMB_ENCRYPTION_REQUIRED;
1120 break;
1121 }
1122 }
1123 }
1124
1125 if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
1126 /* Will be set to default for invalid smb.conf values */
1127 cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
1128 cred->kerberos_state_obtained = CRED_SMB_CONF;
1129 }
1130
1131 if (cred->gensec_features_obtained <= CRED_SMB_CONF) {
1132 switch (protection) {
1133 case CRED_CLIENT_PROTECTION_DEFAULT:
1134 break;
1135 case CRED_CLIENT_PROTECTION_PLAIN:
1136 cred->gensec_features = 0;
1137 break;
1138 case CRED_CLIENT_PROTECTION_SIGN:
1139 cred->gensec_features = GENSEC_FEATURE_SIGN;
1140 break;
1141 case CRED_CLIENT_PROTECTION_ENCRYPT:
1142 cred->gensec_features =
1143 GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL;
1144 break;
1145 }
1146 cred->gensec_features_obtained = CRED_SMB_CONF;
1147 }
1148
1149 return true;
1150 }
1151
1152 /**
1153 * Guess defaults for credentials from environment variables,
1154 * and from the configuration file
1155 *
1156 * @param cred Credentials structure to fill in
1157 */
1158 _PUBLIC_ bool cli_credentials_guess(struct cli_credentials *cred,
1159 struct loadparm_context *lp_ctx)
1160 {
1161 const char *error_string;
1162 const char *env = NULL;
1163 struct passwd *pwd = NULL;
1164 bool ok;
1165
1166 if (lp_ctx != NULL) {
1167 ok = cli_credentials_set_conf(cred, lp_ctx);
1168 if (!ok) {
1169 return false;
1170 }
1171 }
1172
1173 pwd = getpwuid(getuid());
1174 if (pwd != NULL) {
1175 size_t len = strlen(pwd->pw_name);
1176
1177 if (len > 0 && len <= 1024) {
1178 (void)cli_credentials_parse_string(cred,
1179 pwd->pw_name,
1180 CRED_GUESS_ENV);
1181 }
1182 }
1183
1184 env = getenv("LOGNAME");
1185 if (env != NULL) {
1186 size_t len = strlen(env);
1187
1188 if (len > 0 && len <= 1024) {
1189 (void)cli_credentials_set_username(cred,
1190 env,
1191 CRED_GUESS_ENV);
1192 }
1193 }
1194
1195 env = getenv("USER");
1196 if (env != NULL) {
1197 size_t len = strlen(env);
1198
1199 if (len > 0 && len <= 1024) {
1200 char *p = NULL;
1201
1202 (void)cli_credentials_parse_string(cred,
1203 env,
1204 CRED_GUESS_ENV);
1205 if ((p = strchr_m(env, '%'))) {
1206 memset(p, '\0', strlen(cred->password));
1207 }
1208 }
1209 }
1210
1211 env = getenv("PASSWD");
1212 if (env != NULL) {
1213 size_t len = strlen(env);
1214
1215 if (len > 0 && len <= 1024) {
1216 (void)cli_credentials_set_password(cred,
1217 env,
1218 CRED_GUESS_ENV);
1219 }
1220 }
1221
1222 env = getenv("PASSWD_FD");
1223 if (env != NULL) {
1224 size_t len = strlen(env);
1225
1226 if (len > 0 && len <= 1024) {
1227 int fd = atoi(env);
1228
1229 (void)cli_credentials_parse_password_fd(cred,
1230 fd,
1231 CRED_GUESS_FILE);
1232 }
1233 }
1234
1235 env = getenv("PASSWD_FILE");
1236 if (env != NULL) {
1237 size_t len = strlen(env);
1238
1239 if (len > 0 && len <= 4096) {
1240 (void)cli_credentials_parse_password_file(cred,
1241 env,
1242 CRED_GUESS_FILE);
1243 }
1244 }
1245
1246 if (lp_ctx != NULL &&
1247 cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) {
1248 (void)cli_credentials_set_ccache(cred,
1249 lp_ctx,
1250 NULL,
1251 CRED_GUESS_FILE,
1252 &error_string);
1253 }
1254
1255 return true;
1256 }
1257
1258 /**
1259 * Attach NETLOGON credentials for use with SCHANNEL
1260 */
1261
1262 _PUBLIC_ void cli_credentials_set_netlogon_creds(
1263 struct cli_credentials *cred,
1264 const struct netlogon_creds_CredentialState *netlogon_creds)
1265 {
1266 TALLOC_FREE(cred->netlogon_creds);
1267 if (netlogon_creds == NULL) {
1268 return;
1269 }
1270 cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
1271 }
1272
1273 /**
1274 * Return attached NETLOGON credentials
1275 */
1276
1277 _PUBLIC_ struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
1278 {
1279 return cred->netlogon_creds;
1280 }
1281
1282 /**
1283 * Set NETLOGON secure channel type
1284 */
1285
1286 _PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
1287 enum netr_SchannelType secure_channel_type)
1288 {
1289 cred->secure_channel_type = secure_channel_type;
1290 }
1291
1292 /**
1293 * Return NETLOGON secure channel type
1294 */
1295
1296 _PUBLIC_ time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred)
1297 {
1298 return cred->password_last_changed_time;
1299 }
1300
1301 /**
1302 * Set NETLOGON secure channel type
1303 */
1304
1305 _PUBLIC_ void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
1306 time_t last_changed_time)
1307 {
1308 cred->password_last_changed_time = last_changed_time;
1309 }
1310
1311 /**
1312 * Return NETLOGON secure channel type
1313 */
1314
1315 _PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
1316 {
1317 return cred->secure_channel_type;
1318 }
1319
1320 /**
1321 * Fill in a credentials structure as the anonymous user
1322 */
1323 _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
1324 {
1325 cli_credentials_set_username(cred, "", CRED_SPECIFIED);
1326 cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
1327 cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
1328 cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
1329 cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
1330 cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
1331 cli_credentials_set_kerberos_state(cred,
1332 CRED_USE_KERBEROS_DISABLED,
1333 CRED_SPECIFIED);
1334 }
1335
1336 /**
1337 * Describe a credentials context as anonymous or authenticated
1338 * @retval true if anonymous, false if a username is specified
1339 */
1340
1341 _PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
1342 {
1343 const char *username;
1344
1345 /* if bind dn is set it's not anonymous */
1346 if (cred->bind_dn) {
1347 return false;
1348 }
1349
1350 if (cred->machine_account_pending) {
1351 cli_credentials_set_machine_account(cred,
1352 cred->machine_account_pending_lp_ctx);
1353 }
1354
1355 /* if principal is set, it's not anonymous */
1356 if ((cred->principal != NULL) && cred->principal_obtained >= cred->username_obtained) {
1357 return false;
1358 }
1359
1360 username = cli_credentials_get_username(cred);
1361
1362 /* Yes, it is deliberate that we die if we have a NULL pointer
1363 * here - anonymous is "", not NULL, which is 'never specified,
1364 * never guessed', ie programmer bug */
1365 if (!username[0]) {
1366 return true;
1367 }
1368
1369 return false;
1370 }
1371
1372 /**
1373 * Mark the current password for a credentials struct as wrong. This will
1374 * cause the password to be prompted again (if a callback is set).
1375 *
1376 * This will decrement the number of times the password can be tried.
1377 *
1378 * @retval whether the credentials struct is finished
1379 */
1380 _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
1381 {
1382 if (cred->password_obtained != CRED_CALLBACK_RESULT) {
1383 return false;
1384 }
1385
1386 if (cred->password_tries == 0) {
1387 return false;
1388 }
1389
1390 cred->password_tries--;
1391
1392 if (cred->password_tries == 0) {
1393 return false;
1394 }
1395
1396 cred->password_obtained = CRED_CALLBACK;
1397 return true;
1398 }
1399
1400 _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
1401 const char **username,
1402 const char **domain)
1403 {
1404 if (cred->principal_obtained >= cred->username_obtained) {
1405 *domain = talloc_strdup(mem_ctx, "");
1406 *username = cli_credentials_get_principal(cred, mem_ctx);
1407 } else {
1408 *domain = cli_credentials_get_domain(cred);
1409 *username = cli_credentials_get_username(cred);
1410 }
1411 }
1412
1413 /**
1414 * Read a named file, and parse it for username, domain, realm and password
1415 *
1416 * @param credentials Credentials structure on which to set the password
1417 * @param file a named file to read the details from
1418 * @param obtained This enum describes how 'specified' this password is
1419 */
1420
1421 _PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained)
1422 {
1423 uint16_t len = 0;
1424 char *ptr, *val, *param;
1425 char **lines;
1426 int i, numlines;
1427 const char *realm = NULL;
1428 const char *domain = NULL;
1429 const char *password = NULL;
1430 const char *username = NULL;
1431
1432 lines = file_lines_load(file, &numlines, 0, NULL);
1433
1434 if (lines == NULL)
1435 {
1436 /* fail if we can't open the credentials file */
1437 d_printf("ERROR: Unable to open credentials file!\n");
1438 return false;
1439 }
1440
1441 for (i = 0; i < numlines; i++) {
1442 len = strlen(lines[i]);
1443
1444 if (len == 0)
1445 continue;
1446
1447 /* break up the line into parameter & value.
1448 * will need to eat a little whitespace possibly */
1449 param = lines[i];
1450 if (!(ptr = strchr_m (lines[i], '=')))
1451 continue;
1452
1453 val = ptr+1;
1454 *ptr = '\0';
1455
1456 /* eat leading white space */
1457 while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
1458 val++;
1459
1460 if (strwicmp("password", param) == 0) {
1461 password = val;
1462 } else if (strwicmp("username", param) == 0) {
1463 username = val;
1464 } else if (strwicmp("domain", param) == 0) {
1465 domain = val;
1466 } else if (strwicmp("realm", param) == 0) {
1467 realm = val;
1468 }
1469
1470 /*
1471 * We need to readd '=' in order to let
1472 * the strlen() work in the last loop
1473 * that clears the memory.
1474 */
1475 *ptr = '=';
1476 }
1477
1478 if (realm != NULL && strlen(realm) != 0) {
1479 /*
1480 * only overwrite with a valid string
1481 */
1482 cli_credentials_set_realm(cred, realm, obtained);
1483 }
1484
1485 if (domain != NULL && strlen(domain) != 0) {
1486 /*
1487 * only overwrite with a valid string
1488 */
1489 cli_credentials_set_domain(cred, domain, obtained);
1490 }
1491
1492 if (password != NULL) {
1493 /*
1494 * Here we allow "".
1495 */
1496 cli_credentials_set_password(cred, password, obtained);
1497 }
1498
1499 if (username != NULL) {
1500 /*
1501 * The last "username" line takes preference
1502 * if the string also contains domain, realm or
1503 * password.
1504 */
1505 cli_credentials_parse_string(cred, username, obtained);
1506 }
1507
1508 for (i = 0; i < numlines; i++) {
1509 len = strlen(lines[i]);
1510 memset(lines[i], 0, len);
1511 }
1512 talloc_free(lines);
1513
1514 return true;
1515 }
1516
1517 /**
1518 * Read a named file, and parse it for a password
1519 *
1520 * @param credentials Credentials structure on which to set the password
1521 * @param file a named file to read the password from
1522 * @param obtained This enum describes how 'specified' this password is
1523 */
1524
1525 _PUBLIC_ bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained)
1526 {
1527 int fd = open(file, O_RDONLY, 0);
1528 bool ret;
1529
1530 if (fd < 0) {
1531 fprintf(stderr, "Error opening password file %s: %s\n",
1532 file, strerror(errno));
1533 return false;
1534 }
1535
1536 ret = cli_credentials_parse_password_fd(credentials, fd, obtained);
1537
1538 close(fd);
1539
1540 return ret;
1541 }
1542
1543
1544 /**
1545 * Read a file descriptor, and parse it for a password (eg from a file or stdin)
1546 *
1547 * @param credentials Credentials structure on which to set the password
1548 * @param fd open file descriptor to read the password from
1549 * @param obtained This enum describes how 'specified' this password is
1550 */
1551
1552 _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
1553 int fd, enum credentials_obtained obtained)
1554 {
1555 char *p;
1556 char pass[128];
1557
1558 for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
1559 p && p - pass < sizeof(pass) - 1;) {
1560 switch (read(fd, p, 1)) {
1561 case 1:
1562 if (*p != '\n' && *p != '\0') {
1563 *++p = '\0'; /* advance p, and null-terminate pass */
1564 break;
1565 }
1566
1567 FALL_THROUGH;
1568 case 0:
1569 if (p - pass) {
1570 *p = '\0'; /* null-terminate it, just in case... */
1571 p = NULL; /* then force the loop condition to become false */
1572 break;
1573 }
1574
1575 fprintf(stderr,
1576 "Error reading password from file descriptor "
1577 "%d: empty password\n",
1578 fd);
1579 return false;
1580
1581 default:
1582 fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
1583 fd, strerror(errno));
1584 return false;
1585 }
1586 }
1587
1588 cli_credentials_set_password(credentials, pass, obtained);
1589 return true;
1590 }
1591
1592 /**
1593 * @brief Set the SMB signing state to request for a SMB connection.
1594 *
1595 * @param[in] creds The credentials structure to update.
1596 *
1597 * @param[in] signing_state The signing state to set.
1598 *
1599 * @param obtained This way the described signing state was specified.
1600 *
1601 * @return true if we could set the signing state, false otherwise.
1602 */
1603 _PUBLIC_ bool cli_credentials_set_smb_signing(struct cli_credentials *creds,
1604 enum smb_signing_setting signing_state,
1605 enum credentials_obtained obtained)
1606 {
1607 if (obtained >= creds->signing_state_obtained) {
1608 creds->signing_state_obtained = obtained;
1609 creds->signing_state = signing_state;
1610 return true;
1611 }
1612
1613 return false;
1614 }
1615
1616 /**
1617 * @brief Obtain the SMB signing state from a credentials structure.
1618 *
1619 * @param[in] creds The credential structure to obtain the SMB signing state
1620 * from.
1621 *
1622 * @return The SMB signing state.
1623 */
1624 _PUBLIC_ enum smb_signing_setting
1625 cli_credentials_get_smb_signing(struct cli_credentials *creds)
1626 {
1627 return creds->signing_state;
1628 }
1629
1630 /**
1631 * @brief Set the SMB IPC signing state to request for a SMB connection.
1632 *
1633 * @param[in] creds The credentials structure to update.
1634 *
1635 * @param[in] signing_state The signing state to set.
1636 *
1637 * @param obtained This way the described signing state was specified.
1638 *
1639 * @return true if we could set the signing state, false otherwise.
1640 */
1641 _PUBLIC_ bool
1642 cli_credentials_set_smb_ipc_signing(struct cli_credentials *creds,
1643 enum smb_signing_setting ipc_signing_state,
1644 enum credentials_obtained obtained)
1645 {
1646 if (obtained >= creds->ipc_signing_state_obtained) {
1647 creds->ipc_signing_state_obtained = obtained;
1648 creds->ipc_signing_state = ipc_signing_state;
1649 return true;
1650 }
1651
1652 return false;
1653 }
1654
1655 /**
1656 * @brief Obtain the SMB IPC signing state from a credentials structure.
1657 *
1658 * @param[in] creds The credential structure to obtain the SMB IPC signing
1659 * state from.
1660 *
1661 * @return The SMB signing state.
1662 */
1663 _PUBLIC_ enum smb_signing_setting
1664 cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds)
1665 {
1666 return creds->ipc_signing_state;
1667 }
1668
1669 /**
1670 * @brief Set the SMB encryption state to request for a SMB connection.
1671 *
1672 * @param[in] creds The credentials structure to update.
1673 *
1674 * @param[in] encryption_state The encryption state to set.
1675 *
1676 * @param obtained This way the described encryption state was specified.
1677 *
1678 * @return true if we could set the encryption state, false otherwise.
1679 */
1680 _PUBLIC_ bool cli_credentials_set_smb_encryption(struct cli_credentials *creds,
1681 enum smb_encryption_setting encryption_state,
1682 enum credentials_obtained obtained)
1683 {
1684 if (obtained >= creds->encryption_state_obtained) {
1685 creds->encryption_state_obtained = obtained;
1686 creds->encryption_state = encryption_state;
1687 return true;
1688 }
1689
1690 return false;
1691 }
1692
1693 static const char *obtained_to_str(enum credentials_obtained obtained)
1694 {
1695 switch (obtained) {
1696 case CRED_UNINITIALISED:
1697 return "CRED_UNINITIALISED";
1698 case CRED_SMB_CONF:
1699 return "CRED_SMB_CONF";
1700 case CRED_CALLBACK:
1701 return "CRED_CALLBACK";
1702 case CRED_GUESS_ENV:
1703 return "CRED_GUESS_ENV";
1704 case CRED_GUESS_FILE:
1705 return "CRED_GUESS_FILE";
1706 case CRED_CALLBACK_RESULT:
1707 return "CRED_CALLBACK_RESULT";
1708 case CRED_SPECIFIED:
1709 return "CRED_SPECIFIED";
1710 }
1711
1712 /* Never reached */
1713 return "";
1714 }
1715
1716 static const char *krb5_state_to_str(enum credentials_use_kerberos krb5_state)
1717 {
1718 switch (krb5_state) {
1719 case CRED_USE_KERBEROS_DISABLED:
1720 return "CRED_USE_KERBEROS_DISABLED";
1721 case CRED_USE_KERBEROS_DESIRED:
1722 return "CRED_USE_KERBEROS_DESIRED";
1723 case CRED_USE_KERBEROS_REQUIRED:
1724 return "CRED_USE_KERBEROS_REQUIRED";
1725 }
1726
1727 /* Never reached */
1728 return "";
1729 }
1730
1731 static const char *krb5_fwd_to_str(enum credentials_krb_forwardable krb5_fwd)
1732 {
1733 switch (krb5_fwd) {
1734 case CRED_AUTO_KRB_FORWARDABLE:
1735 return "CRED_AUTO_KRB_FORWARDABLE";
1736 case CRED_NO_KRB_FORWARDABLE:
1737 return "CRED_NO_KRB_FORWARDABLE";
1738 case CRED_FORCE_KRB_FORWARDABLE:
1739 return "CRED_FORCE_KRB_FORWARDABLE";
1740 }
1741
1742 /* Never reached */
1743 return "";
1744 }
1745
1746 static const char *signing_state_to_str(enum smb_signing_setting signing_state)
1747 {
1748 switch(signing_state) {
1749 case SMB_SIGNING_IPC_DEFAULT:
1750 return "SMB_SIGNING_IPC_DEFAULT";
1751 case SMB_SIGNING_DEFAULT:
1752 return "SMB_SIGNING_DEFAULT";
1753 case SMB_SIGNING_OFF:
1754 return "SMB_SIGNING_OFF";
1755 case SMB_SIGNING_IF_REQUIRED:
1756 return "SMB_SIGNING_IF_REQUIRED";
1757 case SMB_SIGNING_DESIRED:
1758 return "SMB_SIGNING_DESIRED";
1759 case SMB_SIGNING_REQUIRED:
1760 return "SMB_SIGNING_REQUIRED";
1761 }
1762
1763 /* Never reached */
1764 return "";
1765 }
1766
1767 static const char *encryption_state_to_str(enum smb_encryption_setting encryption_state)
1768 {
1769 switch(encryption_state) {
1770 case SMB_ENCRYPTION_DEFAULT:
1771 return "SMB_ENCRYPTION_DEFAULT";
1772 case SMB_ENCRYPTION_OFF:
1773 return "SMB_ENCRYPTION_OFF";
1774 case SMB_ENCRYPTION_IF_REQUIRED:
1775 return "SMB_ENCRYPTION_IF_REQUIRED";
1776 case SMB_ENCRYPTION_DESIRED:
1777 return "SMB_ENCRYPTION_DESIRED";
1778 case SMB_ENCRYPTION_REQUIRED:
1779 return "SMB_ENCRYPTION_REQUIRED";
1780 }
1781
1782 /* Never reached */
1783 return "";
1784 }
1785
1786 _PUBLIC_ void cli_credentials_dump(struct cli_credentials *creds)
1787 {
1788 DBG_ERR("CLI_CREDENTIALS:\n");
1789 DBG_ERR("\n");
1790 DBG_ERR(" Username: %s - %s\n",
1791 creds->username,
1792 obtained_to_str(creds->username_obtained));
1793 DBG_ERR(" Workstation: %s - %s\n",
1794 creds->workstation,
1795 obtained_to_str(creds->workstation_obtained));
1796 DBG_ERR(" Domain: %s - %s\n",
1797 creds->domain,
1798 obtained_to_str(creds->domain_obtained));
1799 DBG_ERR(" Password: %s - %s\n",
1800 creds->password != NULL ? "*SECRET*" : "NULL",
1801 obtained_to_str(creds->password_obtained));
1802 DBG_ERR(" Old password: %s\n",
1803 creds->old_password != NULL ? "*SECRET*" : "NULL");
1804 DBG_ERR(" Password tries: %u\n",
1805 creds->password_tries);
1806 DBG_ERR(" Realm: %s - %s\n",
1807 creds->realm,
1808 obtained_to_str(creds->realm_obtained));
1809 DBG_ERR(" Principal: %s - %s\n",
1810 creds->principal,
1811 obtained_to_str(creds->principal_obtained));
1812 DBG_ERR(" Salt principal: %s\n",
1813 creds->salt_principal);
1814 DBG_ERR(" Impersonate principal: %s\n",
1815 creds->impersonate_principal);
1816 DBG_ERR(" Self service: %s\n",
1817 creds->self_service);
1818 DBG_ERR(" Target service: %s\n",
1819 creds->target_service);
1820 DBG_ERR(" Kerberos state: %s - %s\n",
1821 krb5_state_to_str(creds->kerberos_state),
1822 obtained_to_str(creds->kerberos_state_obtained));
1823 DBG_ERR(" Kerberos forwardable ticket: %s\n",
1824 krb5_fwd_to_str(creds->krb_forwardable));
1825 DBG_ERR(" Signing state: %s - %s\n",
1826 signing_state_to_str(creds->signing_state),
1827 obtained_to_str(creds->signing_state_obtained));
1828 DBG_ERR(" IPC signing state: %s - %s\n",
1829 signing_state_to_str(creds->ipc_signing_state),
1830 obtained_to_str(creds->ipc_signing_state_obtained));
1831 DBG_ERR(" Encryption state: %s - %s\n",
1832 encryption_state_to_str(creds->encryption_state),
1833 obtained_to_str(creds->encryption_state_obtained));
1834 DBG_ERR(" Gensec features: %#X\n",
1835 creds->gensec_features);
1836 DBG_ERR(" Forced sasl mech: %s\n",
1837 creds->forced_sasl_mech);
1838 DBG_ERR(" CCACHE: %p - %s\n",
1839 creds->ccache,
1840 obtained_to_str(creds->ccache_obtained));
1841 DBG_ERR(" CLIENT_GSS_CREDS: %p - %s\n",
1842 creds->client_gss_creds,
1843 obtained_to_str(creds->client_gss_creds_obtained));
1844 DBG_ERR(" SERVER_GSS_CREDS: %p - %s\n",
1845 creds->server_gss_creds,
1846 obtained_to_str(creds->server_gss_creds_obtained));
1847 DBG_ERR(" KEYTAB: %p - %s\n",
1848 creds->keytab,
1849 obtained_to_str(creds->keytab_obtained));
1850 DBG_ERR(" KVNO: %u\n",
1851 creds->kvno);
1852 DBG_ERR("\n");
1853 }
1854
1855 /**
1856 * @brief Obtain the SMB encryption state from a credentials structure.
1857 *
1858 * @param[in] creds The credential structure to obtain the SMB encryption state
1859 * from.
1860 *
1861 * @return The SMB signing state.
1862 */
1863 _PUBLIC_ enum smb_encryption_setting
1864 cli_credentials_get_smb_encryption(struct cli_credentials *creds)
1865 {
1866 return creds->encryption_state;
1867 }
1868
1869 /**
1870 * Encrypt a data blob using the session key and the negotiated encryption
1871 * algorithm
1872 *
1873 * @param state Credential state, contains the session key and algorithm
1874 * @param data Data blob containing the data to be encrypted.
1875 *
1876 */
1877 _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
1878 struct netlogon_creds_CredentialState *state,
1879 DATA_BLOB data)
1880 {
1881 NTSTATUS status;
1882
1883 if (data.data == NULL || data.length == 0) {
1884 DBG_ERR("Nothing to encrypt "
1885 "data.data == NULL or data.length == 0");
1886 return NT_STATUS_INVALID_PARAMETER;
1887 }
1888 /*
1889 * Don't crypt an all-zero password it will give away the
1890 * NETLOGON pipe session key .
1891 */
1892 if (all_zero(data.data, data.length)) {
1893 DBG_ERR("Supplied data all zeros, could leak session key");
1894 return NT_STATUS_INVALID_PARAMETER;
1895 }
1896 if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
1897 status = netlogon_creds_aes_encrypt(state,
1898 data.data,
1899 data.length);
1900 } else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
1901 status = netlogon_creds_arcfour_crypt(state,
1902 data.data,
1903 data.length);
1904 } else {
1905 DBG_ERR("Unsupported encryption option negotiated");
1906 status = NT_STATUS_NOT_SUPPORTED;
1907 }
1908 if (!NT_STATUS_IS_OK(status)) {
1909 return status;
1910 }
1911 return NT_STATUS_OK;
1912 }
1913
Samba GIT mirror