search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gensec: Fix CID 1063258 Uninitialized scalar variable
[Samba.git] / auth / gensec / gensec.c
blob63ebc19c8180cbd32b33938de6395be3af70b681
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/network.h"
25 #include <tevent.h>
26 #include "lib/tsocket/tsocket.h"
27 #include "lib/util/tevent_ntstatus.h"
28 #include "auth/gensec/gensec.h"
29 #include "auth/gensec/gensec_internal.h"
30 #include "librpc/rpc/dcerpc.h"
31
32 /*
33 wrappers for the gensec function pointers
34 */
35 _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
36 uint8_t *data, size_t length,
37 const uint8_t *whole_pdu, size_t pdu_length,
38 const DATA_BLOB *sig)
39 {
40 if (!gensec_security->ops->unseal_packet) {
41 return NT_STATUS_NOT_IMPLEMENTED;
42 }
43 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
44 return NT_STATUS_INVALID_PARAMETER;
45 }
46
47 return gensec_security->ops->unseal_packet(gensec_security,
48 data, length,
49 whole_pdu, pdu_length,
50 sig);
51 }
52
53 _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
54 const uint8_t *data, size_t length,
55 const uint8_t *whole_pdu, size_t pdu_length,
56 const DATA_BLOB *sig)
57 {
58 if (!gensec_security->ops->check_packet) {
59 return NT_STATUS_NOT_IMPLEMENTED;
60 }
61 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
62 return NT_STATUS_INVALID_PARAMETER;
63 }
64
65 return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
66 }
67
68 _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
69 TALLOC_CTX *mem_ctx,
70 uint8_t *data, size_t length,
71 const uint8_t *whole_pdu, size_t pdu_length,
72 DATA_BLOB *sig)
73 {
74 if (!gensec_security->ops->seal_packet) {
75 return NT_STATUS_NOT_IMPLEMENTED;
76 }
77 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
78 return NT_STATUS_INVALID_PARAMETER;
79 }
80 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
81 return NT_STATUS_INVALID_PARAMETER;
82 }
83
84 return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
85 }
86
87 _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
88 TALLOC_CTX *mem_ctx,
89 const uint8_t *data, size_t length,
90 const uint8_t *whole_pdu, size_t pdu_length,
91 DATA_BLOB *sig)
92 {
93 if (!gensec_security->ops->sign_packet) {
94 return NT_STATUS_NOT_IMPLEMENTED;
95 }
96 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
97 return NT_STATUS_INVALID_PARAMETER;
98 }
99
100 return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
101 }
102
103 _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
104 {
105 if (!gensec_security->ops->sig_size) {
106 return 0;
107 }
108 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
109 return 0;
110 }
111
112 return gensec_security->ops->sig_size(gensec_security, data_size);
113 }
114
115 _PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
116 {
117 if (!gensec_security->ops->max_wrapped_size) {
118 return (1 << 17);
119 }
120
121 return gensec_security->ops->max_wrapped_size(gensec_security);
122 }
123
124 _PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
125 {
126 if (!gensec_security->ops->max_input_size) {
127 return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
128 }
129
130 return gensec_security->ops->max_input_size(gensec_security);
131 }
132
133 _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
134 TALLOC_CTX *mem_ctx,
135 const DATA_BLOB *in,
136 DATA_BLOB *out)
137 {
138 if (!gensec_security->ops->wrap) {
139 return NT_STATUS_NOT_IMPLEMENTED;
140 }
141 return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
142 }
143
144 _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
145 TALLOC_CTX *mem_ctx,
146 const DATA_BLOB *in,
147 DATA_BLOB *out)
148 {
149 if (!gensec_security->ops->unwrap) {
150 return NT_STATUS_NOT_IMPLEMENTED;
151 }
152 return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
153 }
154
155 _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
156 TALLOC_CTX *mem_ctx,
157 DATA_BLOB *session_key)
158 {
159 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
160 return NT_STATUS_NO_USER_SESSION_KEY;
161 }
162
163 if (!gensec_security->ops->session_key) {
164 return NT_STATUS_NOT_IMPLEMENTED;
165 }
166
167 return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
168 }
169
170 /**
171 * Return the credentials of a logged on user, including session keys
172 * etc.
173 *
174 * Only valid after a successful authentication
175 *
176 * May only be called once per authentication.
177 *
178 */
179
180 _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
181 TALLOC_CTX *mem_ctx,
182 struct auth_session_info **session_info)
183 {
184 if (!gensec_security->ops->session_info) {
185 return NT_STATUS_NOT_IMPLEMENTED;
186 }
187 return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
188 }
189
190 _PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
191 uint32_t max_update_size)
192 {
193 gensec_security->max_update_size = max_update_size;
194 }
195
196 _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
197 {
198 if (gensec_security->max_update_size == 0) {
199 return UINT32_MAX;
200 }
201
202 return gensec_security->max_update_size;
203 }
204
205 /**
206 * Next state function for the GENSEC state machine
207 *
208 * @param gensec_security GENSEC State
209 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
210 * @param in The request, as a DATA_BLOB
211 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
212 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
213 * or NT_STATUS_OK if the user is authenticated.
214 */
215
216 _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
217 struct tevent_context *ev,
218 const DATA_BLOB in, DATA_BLOB *out)
219 {
220 NTSTATUS status;
221 const struct gensec_security_ops *ops = gensec_security->ops;
222 TALLOC_CTX *frame = NULL;
223 struct tevent_req *subreq = NULL;
224 bool ok;
225
226 if (ops->update_send == NULL) {
227
228 status = ops->update(gensec_security, out_mem_ctx,
229 ev, in, out);
230 if (!NT_STATUS_IS_OK(status)) {
231 return status;
232 }
233
234 /*
235 * Because callers using the
236 * gensec_start_mech_by_auth_type() never call
237 * gensec_want_feature(), it isn't sensible for them
238 * to have to call gensec_have_feature() manually, and
239 * these are not points of negotiation, but are
240 * asserted by the client
241 */
242 switch (gensec_security->dcerpc_auth_level) {
243 case DCERPC_AUTH_LEVEL_INTEGRITY:
244 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
245 DEBUG(0,("Did not manage to negotiate mandetory feature "
246 "SIGN for dcerpc auth_level %u\n",
247 gensec_security->dcerpc_auth_level));
248 return NT_STATUS_ACCESS_DENIED;
249 }
250 break;
251 case DCERPC_AUTH_LEVEL_PRIVACY:
252 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
253 DEBUG(0,("Did not manage to negotiate mandetory feature "
254 "SIGN for dcerpc auth_level %u\n",
255 gensec_security->dcerpc_auth_level));
256 return NT_STATUS_ACCESS_DENIED;
257 }
258 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
259 DEBUG(0,("Did not manage to negotiate mandetory feature "
260 "SEAL for dcerpc auth_level %u\n",
261 gensec_security->dcerpc_auth_level));
262 return NT_STATUS_ACCESS_DENIED;
263 }
264 break;
265 default:
266 break;
267 }
268
269 return NT_STATUS_OK;
270 }
271
272 frame = talloc_stackframe();
273
274 subreq = ops->update_send(frame, ev, gensec_security, in);
275 if (subreq == NULL) {
276 status = NT_STATUS_NO_MEMORY;
277 goto fail;
278 }
279 ok = tevent_req_poll_ntstatus(subreq, ev, &status);
280 if (!ok) {
281 goto fail;
282 }
283 status = ops->update_recv(subreq, out_mem_ctx, out);
284 fail:
285 TALLOC_FREE(frame);
286 return status;
287 }
288
289 struct gensec_update_state {
290 const struct gensec_security_ops *ops;
291 struct tevent_req *subreq;
292 struct gensec_security *gensec_security;
293 DATA_BLOB out;
294
295 /*
296 * only for sync backends, we should remove this
297 * once all backends are async.
298 */
299 struct tevent_immediate *im;
300 DATA_BLOB in;
301 };
302
303 static void gensec_update_async_trigger(struct tevent_context *ctx,
304 struct tevent_immediate *im,
305 void *private_data);
306 static void gensec_update_subreq_done(struct tevent_req *subreq);
307
308 /**
309 * Next state function for the GENSEC state machine async version
310 *
311 * @param mem_ctx The memory context for the request
312 * @param ev The event context for the request
313 * @param gensec_security GENSEC State
314 * @param in The request, as a DATA_BLOB
315 *
316 * @return The request handle or NULL on no memory failure
317 */
318
319 _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
320 struct tevent_context *ev,
321 struct gensec_security *gensec_security,
322 const DATA_BLOB in)
323 {
324 struct tevent_req *req;
325 struct gensec_update_state *state = NULL;
326
327 req = tevent_req_create(mem_ctx, &state,
328 struct gensec_update_state);
329 if (req == NULL) {
330 return NULL;
331 }
332
333 state->ops = gensec_security->ops;
334 state->gensec_security = gensec_security;
335
336 if (state->ops->update_send == NULL) {
337 state->in = in;
338 state->im = tevent_create_immediate(state);
339 if (tevent_req_nomem(state->im, req)) {
340 return tevent_req_post(req, ev);
341 }
342
343 tevent_schedule_immediate(state->im, ev,
344 gensec_update_async_trigger,
345 req);
346
347 return req;
348 }
349
350 state->subreq = state->ops->update_send(state, ev, gensec_security, in);
351 if (tevent_req_nomem(state->subreq, req)) {
352 return tevent_req_post(req, ev);
353 }
354
355 tevent_req_set_callback(state->subreq,
356 gensec_update_subreq_done,
357 req);
358
359 return req;
360 }
361
362 static void gensec_update_async_trigger(struct tevent_context *ctx,
363 struct tevent_immediate *im,
364 void *private_data)
365 {
366 struct tevent_req *req =
367 talloc_get_type_abort(private_data, struct tevent_req);
368 struct gensec_update_state *state =
369 tevent_req_data(req, struct gensec_update_state);
370 NTSTATUS status;
371
372 status = state->ops->update(state->gensec_security, state, ctx,
373 state->in, &state->out);
374 if (tevent_req_nterror(req, status)) {
375 return;
376 }
377
378 tevent_req_done(req);
379 }
380
381 static void gensec_update_subreq_done(struct tevent_req *subreq)
382 {
383 struct tevent_req *req =
384 tevent_req_callback_data(subreq,
385 struct tevent_req);
386 struct gensec_update_state *state =
387 tevent_req_data(req,
388 struct gensec_update_state);
389 NTSTATUS status;
390
391 state->subreq = NULL;
392
393 status = state->ops->update_recv(subreq, state, &state->out);
394 TALLOC_FREE(subreq);
395 if (tevent_req_nterror(req, status)) {
396 return;
397 }
398
399 /*
400 * Because callers using the
401 * gensec_start_mech_by_authtype() never call
402 * gensec_want_feature(), it isn't sensible for them
403 * to have to call gensec_have_feature() manually, and
404 * these are not points of negotiation, but are
405 * asserted by the client
406 */
407 switch (state->gensec_security->dcerpc_auth_level) {
408 case DCERPC_AUTH_LEVEL_INTEGRITY:
409 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
410 DEBUG(0,("Did not manage to negotiate mandetory feature "
411 "SIGN for dcerpc auth_level %u\n",
412 state->gensec_security->dcerpc_auth_level));
413 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
414 return;
415 }
416 break;
417 case DCERPC_AUTH_LEVEL_PRIVACY:
418 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
419 DEBUG(0,("Did not manage to negotiate mandetory feature "
420 "SIGN for dcerpc auth_level %u\n",
421 state->gensec_security->dcerpc_auth_level));
422 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
423 return;
424 }
425 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
426 DEBUG(0,("Did not manage to negotiate mandetory feature "
427 "SEAL for dcerpc auth_level %u\n",
428 state->gensec_security->dcerpc_auth_level));
429 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
430 return;
431 }
432 break;
433 default:
434 break;
435 }
436
437 tevent_req_done(req);
438 }
439
440 /**
441 * Next state function for the GENSEC state machine
442 *
443 * @param req request state
444 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
445 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
446 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
447 * or NT_STATUS_OK if the user is authenticated.
448 */
449 _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
450 TALLOC_CTX *out_mem_ctx,
451 DATA_BLOB *out)
452 {
453 struct gensec_update_state *state =
454 tevent_req_data(req, struct gensec_update_state);
455 NTSTATUS status;
456
457 if (tevent_req_is_nterror(req, &status)) {
458 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
459 tevent_req_received(req);
460 return status;
461 }
462 } else {
463 status = NT_STATUS_OK;
464 }
465
466 *out = state->out;
467 talloc_steal(out_mem_ctx, out->data);
468
469 tevent_req_received(req);
470 return status;
471 }
472
473 /**
474 * Set the requirement for a certain feature on the connection
475 *
476 */
477
478 _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
479 uint32_t feature)
480 {
481 if (!gensec_security->ops || !gensec_security->ops->want_feature) {
482 gensec_security->want_features |= feature;
483 return;
484 }
485 gensec_security->ops->want_feature(gensec_security, feature);
486 }
487
488 /**
489 * Check the requirement for a certain feature on the connection
490 *
491 */
492
493 _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
494 uint32_t feature)
495 {
496 if (!gensec_security->ops->have_feature) {
497 return false;
498 }
499
500 /* We might 'have' features that we don't 'want', because the
501 * other end demanded them, or we can't neotiate them off */
502 return gensec_security->ops->have_feature(gensec_security, feature);
503 }
504
505 _PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
506 {
507 if (!gensec_security->ops->expire_time) {
508 return GENSEC_EXPIRE_TIME_INFINITY;
509 }
510
511 return gensec_security->ops->expire_time(gensec_security);
512 }
513 /**
514 * Return the credentials structure associated with a GENSEC context
515 *
516 */
517
518 _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
519 {
520 if (!gensec_security) {
521 return NULL;
522 }
523 return gensec_security->credentials;
524 }
525
526 /**
527 * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
528 *
529 */
530
531 _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
532 {
533 gensec_security->target.service = talloc_strdup(gensec_security, service);
534 if (!gensec_security->target.service) {
535 return NT_STATUS_NO_MEMORY;
536 }
537 return NT_STATUS_OK;
538 }
539
540 _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
541 {
542 if (gensec_security->target.service) {
543 return gensec_security->target.service;
544 }
545
546 return "host";
547 }
548
549 /**
550 * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
551 *
552 */
553
554 _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
555 {
556 gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
557 if (hostname && !gensec_security->target.hostname) {
558 return NT_STATUS_NO_MEMORY;
559 }
560 return NT_STATUS_OK;
561 }
562
563 _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
564 {
565 /* We allow the target hostname to be overriden for testing purposes */
566 if (gensec_security->settings->target_hostname) {
567 return gensec_security->settings->target_hostname;
568 }
569
570 if (gensec_security->target.hostname) {
571 return gensec_security->target.hostname;
572 }
573
574 /* We could add use the 'set sockaddr' call, and do a reverse
575 * lookup, but this would be both insecure (compromising the
576 * way kerberos works) and add DNS timeouts */
577 return NULL;
578 }
579
580 /**
581 * Set (and copy) local and peer socket addresses onto a socket
582 * context on the GENSEC context.
583 *
584 * This is so that kerberos can include these addresses in
585 * cryptographic tokens, to avoid certain attacks.
586 */
587
588 /**
589 * @brief Set the local gensec address.
590 *
591 * @param gensec_security The gensec security context to use.
592 *
593 * @param remote The local address to set.
594 *
595 * @return On success NT_STATUS_OK is returned or an NT_STATUS
596 * error.
597 */
598 _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
599 const struct tsocket_address *local)
600 {
601 TALLOC_FREE(gensec_security->local_addr);
602
603 if (local == NULL) {
604 return NT_STATUS_OK;
605 }
606
607 gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
608 if (gensec_security->local_addr == NULL) {
609 return NT_STATUS_NO_MEMORY;
610 }
611
612 return NT_STATUS_OK;
613 }
614
615 /**
616 * @brief Set the remote gensec address.
617 *
618 * @param gensec_security The gensec security context to use.
619 *
620 * @param remote The remote address to set.
621 *
622 * @return On success NT_STATUS_OK is returned or an NT_STATUS
623 * error.
624 */
625 _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
626 const struct tsocket_address *remote)
627 {
628 TALLOC_FREE(gensec_security->remote_addr);
629
630 if (remote == NULL) {
631 return NT_STATUS_OK;
632 }
633
634 gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
635 if (gensec_security->remote_addr == NULL) {
636 return NT_STATUS_NO_MEMORY;
637 }
638
639 return NT_STATUS_OK;
640 }
641
642 /**
643 * @brief Get the local address from a gensec security context.
644 *
645 * @param gensec_security The security context to get the address from.
646 *
647 * @return The address as tsocket_address which could be NULL if
648 * no address is set.
649 */
650 _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
651 {
652 if (gensec_security == NULL) {
653 return NULL;
654 }
655 return gensec_security->local_addr;
656 }
657
658 /**
659 * @brief Get the remote address from a gensec security context.
660 *
661 * @param gensec_security The security context to get the address from.
662 *
663 * @return The address as tsocket_address which could be NULL if
664 * no address is set.
665 */
666 _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
667 {
668 if (gensec_security == NULL) {
669 return NULL;
670 }
671 return gensec_security->remote_addr;
672 }
673
674 /**
675 * Set the target principal (assuming it it known, say from the SPNEGO reply)
676 * - ensures it is talloc()ed
677 *
678 */
679
680 _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
681 {
682 gensec_security->target.principal = talloc_strdup(gensec_security, principal);
683 if (!gensec_security->target.principal) {
684 return NT_STATUS_NO_MEMORY;
685 }
686 return NT_STATUS_OK;
687 }
688
689 _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
690 {
691 if (gensec_security->target.principal) {
692 return gensec_security->target.principal;
693 }
694
695 return NULL;
696 }
Samba GIT mirror