s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.
[Samba.git] / auth / gensec / gensec_util.c
blob568128add153327b82086aeee0d6307ef1b920d7
1 /*
2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "includes.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/gensec/gensec_internal.h"
26 #include "auth/common_auth.h"
27 #include "../lib/util/asn1.h"
29 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
30 struct gensec_security *gensec_security,
31 struct smb_krb5_context *smb_krb5_context,
32 DATA_BLOB *pac_blob,
33 const char *principal_string,
34 const struct tsocket_address *remote_address,
35 struct auth_session_info **session_info)
37 uint32_t session_info_flags = 0;
39 if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
40 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
43 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
45 if (!pac_blob) {
46 if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
47 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
48 principal_string));
49 return NT_STATUS_ACCESS_DENIED;
51 DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
52 principal_string));
55 if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
56 return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
57 mem_ctx,
58 smb_krb5_context,
59 pac_blob,
60 principal_string,
61 remote_address,
62 session_info_flags,
63 session_info);
64 } else {
65 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
66 return NT_STATUS_INTERNAL_ERROR;
71 * These functions are for use in the deprecated
72 * gensec_socket code (public because SPNEGO must
73 * use them for recursion)
75 _PUBLIC_ NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
76 TALLOC_CTX *mem_ctx,
77 const DATA_BLOB *in,
78 DATA_BLOB *out,
79 size_t *len_processed)
81 if (!gensec_security->ops->wrap_packets) {
82 NTSTATUS nt_status;
83 size_t max_input_size;
84 DATA_BLOB unwrapped, wrapped;
85 max_input_size = gensec_max_input_size(gensec_security);
86 unwrapped = data_blob_const(in->data, MIN(max_input_size, (size_t)in->length));
88 nt_status = gensec_wrap(gensec_security,
89 mem_ctx,
90 &unwrapped, &wrapped);
91 if (!NT_STATUS_IS_OK(nt_status)) {
92 return nt_status;
95 *out = data_blob_talloc(mem_ctx, NULL, 4);
96 if (!out->data) {
97 return NT_STATUS_NO_MEMORY;
99 RSIVAL(out->data, 0, wrapped.length);
101 if (!data_blob_append(mem_ctx, out, wrapped.data, wrapped.length)) {
102 return NT_STATUS_NO_MEMORY;
104 *len_processed = unwrapped.length;
105 return NT_STATUS_OK;
107 return gensec_security->ops->wrap_packets(gensec_security, mem_ctx, in, out,
108 len_processed);
112 * These functions are for use in the deprecated
113 * gensec_socket code (public because SPNEGO must
114 * use them for recursion)
116 NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
117 TALLOC_CTX *mem_ctx,
118 const DATA_BLOB *in,
119 DATA_BLOB *out,
120 size_t *len_processed)
122 if (!gensec_security->ops->unwrap_packets) {
123 DATA_BLOB wrapped;
124 NTSTATUS nt_status;
125 size_t packet_size;
126 if (in->length < 4) {
127 /* Missing the header we already had! */
128 DEBUG(0, ("Asked to unwrap packet of bogus length! How did we get the short packet?!\n"));
129 return NT_STATUS_INVALID_PARAMETER;
132 packet_size = RIVAL(in->data, 0);
134 wrapped = data_blob_const(in->data + 4, packet_size);
136 if (wrapped.length > (in->length - 4)) {
137 DEBUG(0, ("Asked to unwrap packed of bogus length %d > %d! How did we get this?!\n",
138 (int)wrapped.length, (int)(in->length - 4)));
139 return NT_STATUS_INTERNAL_ERROR;
142 nt_status = gensec_unwrap(gensec_security,
143 mem_ctx,
144 &wrapped, out);
145 if (!NT_STATUS_IS_OK(nt_status)) {
146 return nt_status;
149 *len_processed = packet_size + 4;
150 return nt_status;
152 return gensec_security->ops->unwrap_packets(gensec_security, mem_ctx, in, out,
153 len_processed);
157 * These functions are for use in the deprecated
158 * gensec_socket code (public because SPNEGO must
159 * use them for recursion)
161 NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
162 DATA_BLOB blob, size_t *size)
164 if (gensec_security->ops->packet_full_request) {
165 return gensec_security->ops->packet_full_request(gensec_security,
166 blob, size);
168 if (gensec_security->ops->unwrap_packets) {
169 if (blob.length) {
170 *size = blob.length;
171 return NT_STATUS_OK;
173 return STATUS_MORE_ENTRIES;
176 if (blob.length < 4) {
177 return STATUS_MORE_ENTRIES;
179 *size = 4 + RIVAL(blob.data, 0);
180 if (*size > blob.length) {
181 return STATUS_MORE_ENTRIES;
183 return NT_STATUS_OK;
187 magic check a GSS-API wrapper packet for an Kerberos OID
189 static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
191 bool ret;
192 struct asn1_data *data = asn1_init(NULL);
194 if (!data) return false;
196 asn1_load(data, *blob);
197 asn1_start_tag(data, ASN1_APPLICATION(0));
198 asn1_check_OID(data, oid);
200 ret = !data->has_error;
202 asn1_free(data);
204 return ret;
208 * Check if the packet is one for the KRB5 mechansim
210 * NOTE: This is a helper that can be employed by multiple mechanisms, do
211 * not make assumptions about the private_data
213 * @param gensec_security GENSEC state, unused
214 * @param in The request, as a DATA_BLOB
215 * @return Error, INVALID_PARAMETER if it's not a packet for us
216 * or NT_STATUS_OK if the packet is ok.
219 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
220 const DATA_BLOB *blob)
222 if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
223 return NT_STATUS_OK;
224 } else {
225 return NT_STATUS_INVALID_PARAMETER;