2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "auth/gensec/gensec.h"
25 #include "auth/gensec/gensec_internal.h"
26 #include "auth/common_auth.h"
27 #include "../lib/util/asn1.h"
29 NTSTATUS
gensec_generate_session_info_pac(TALLOC_CTX
*mem_ctx
,
30 struct gensec_security
*gensec_security
,
31 struct smb_krb5_context
*smb_krb5_context
,
33 const char *principal_string
,
34 const struct tsocket_address
*remote_address
,
35 struct auth_session_info
**session_info
)
37 uint32_t session_info_flags
= 0;
39 if (gensec_security
->want_features
& GENSEC_FEATURE_UNIX_TOKEN
) {
40 session_info_flags
|= AUTH_SESSION_INFO_UNIX_TOKEN
;
43 session_info_flags
|= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
46 if (gensec_setting_bool(gensec_security
->settings
, "gensec", "require_pac", false)) {
47 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
49 return NT_STATUS_ACCESS_DENIED
;
51 DBG_NOTICE("Unable to find PAC for %s, resorting to local "
52 "user lookup\n", principal_string
);
55 if (gensec_security
->auth_context
&& gensec_security
->auth_context
->generate_session_info_pac
) {
56 return gensec_security
->auth_context
->generate_session_info_pac(gensec_security
->auth_context
,
65 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
66 return NT_STATUS_INTERNAL_ERROR
;
71 magic check a GSS-API wrapper packet for an Kerberos OID
73 static bool gensec_gssapi_check_oid(const DATA_BLOB
*blob
, const char *oid
)
76 struct asn1_data
*data
= asn1_init(NULL
);
78 if (!data
) return false;
80 if (!asn1_load(data
, *blob
)) goto err
;
81 if (!asn1_start_tag(data
, ASN1_APPLICATION(0))) goto err
;
82 if (!asn1_check_OID(data
, oid
)) goto err
;
84 ret
= !asn1_has_error(data
);
93 * Check if the packet is one for the KRB5 mechansim
95 * NOTE: This is a helper that can be employed by multiple mechanisms, do
96 * not make assumptions about the private_data
98 * @param gensec_security GENSEC state, unused
99 * @param in The request, as a DATA_BLOB
100 * @return Error, INVALID_PARAMETER if it's not a packet for us
101 * or NT_STATUS_OK if the packet is ok.
104 NTSTATUS
gensec_magic_check_krb5_oid(struct gensec_security
*unused
,
105 const DATA_BLOB
*blob
)
107 if (gensec_gssapi_check_oid(blob
, GENSEC_OID_KERBEROS5
)) {
110 return NT_STATUS_INVALID_PARAMETER
;
114 void gensec_child_want_feature(struct gensec_security
*gensec_security
,
117 struct gensec_security
*child_security
= gensec_security
->child_security
;
119 gensec_security
->want_features
|= feature
;
120 if (child_security
== NULL
) {
123 gensec_want_feature(child_security
, feature
);
126 bool gensec_child_have_feature(struct gensec_security
*gensec_security
,
129 struct gensec_security
*child_security
= gensec_security
->child_security
;
131 if (feature
& GENSEC_FEATURE_SIGN_PKT_HEADER
) {
133 * All mechs with sub (child) mechs need to provide DCERPC
134 * header signing! This is required because the negotiation
135 * of header signing is done before the authentication
141 if (child_security
== NULL
) {
145 return gensec_have_feature(child_security
, feature
);
148 NTSTATUS
gensec_child_unseal_packet(struct gensec_security
*gensec_security
,
149 uint8_t *data
, size_t length
,
150 const uint8_t *whole_pdu
, size_t pdu_length
,
151 const DATA_BLOB
*sig
)
153 if (gensec_security
->child_security
== NULL
) {
154 return NT_STATUS_INVALID_PARAMETER
;
157 return gensec_unseal_packet(gensec_security
->child_security
,
159 whole_pdu
, pdu_length
,
163 NTSTATUS
gensec_child_check_packet(struct gensec_security
*gensec_security
,
164 const uint8_t *data
, size_t length
,
165 const uint8_t *whole_pdu
, size_t pdu_length
,
166 const DATA_BLOB
*sig
)
168 if (gensec_security
->child_security
== NULL
) {
169 return NT_STATUS_INVALID_PARAMETER
;
172 return gensec_check_packet(gensec_security
->child_security
,
174 whole_pdu
, pdu_length
,
178 NTSTATUS
gensec_child_seal_packet(struct gensec_security
*gensec_security
,
180 uint8_t *data
, size_t length
,
181 const uint8_t *whole_pdu
, size_t pdu_length
,
184 if (gensec_security
->child_security
== NULL
) {
185 return NT_STATUS_INVALID_PARAMETER
;
188 return gensec_seal_packet(gensec_security
->child_security
,
191 whole_pdu
, pdu_length
,
195 NTSTATUS
gensec_child_sign_packet(struct gensec_security
*gensec_security
,
197 const uint8_t *data
, size_t length
,
198 const uint8_t *whole_pdu
, size_t pdu_length
,
201 if (gensec_security
->child_security
== NULL
) {
202 return NT_STATUS_INVALID_PARAMETER
;
205 return gensec_sign_packet(gensec_security
->child_security
,
208 whole_pdu
, pdu_length
,
212 NTSTATUS
gensec_child_wrap(struct gensec_security
*gensec_security
,
217 if (gensec_security
->child_security
== NULL
) {
218 return NT_STATUS_INVALID_PARAMETER
;
221 return gensec_wrap(gensec_security
->child_security
,
225 NTSTATUS
gensec_child_unwrap(struct gensec_security
*gensec_security
,
230 if (gensec_security
->child_security
== NULL
) {
231 return NT_STATUS_INVALID_PARAMETER
;
234 return gensec_unwrap(gensec_security
->child_security
,
238 size_t gensec_child_sig_size(struct gensec_security
*gensec_security
,
241 if (gensec_security
->child_security
== NULL
) {
245 return gensec_sig_size(gensec_security
->child_security
, data_size
);
248 size_t gensec_child_max_input_size(struct gensec_security
*gensec_security
)
250 if (gensec_security
->child_security
== NULL
) {
254 return gensec_max_input_size(gensec_security
->child_security
);
257 size_t gensec_child_max_wrapped_size(struct gensec_security
*gensec_security
)
259 if (gensec_security
->child_security
== NULL
) {
263 return gensec_max_wrapped_size(gensec_security
->child_security
);
266 NTSTATUS
gensec_child_session_key(struct gensec_security
*gensec_security
,
268 DATA_BLOB
*session_key
)
270 if (gensec_security
->child_security
== NULL
) {
271 return NT_STATUS_INVALID_PARAMETER
;
274 return gensec_session_key(gensec_security
->child_security
,
279 NTSTATUS
gensec_child_session_info(struct gensec_security
*gensec_security
,
281 struct auth_session_info
**session_info
)
283 if (gensec_security
->child_security
== NULL
) {
284 return NT_STATUS_INVALID_PARAMETER
;
287 return gensec_session_info(gensec_security
->child_security
,
292 NTTIME
gensec_child_expire_time(struct gensec_security
*gensec_security
)
294 if (gensec_security
->child_security
== NULL
) {
295 return GENSEC_EXPIRE_TIME_INFINITY
;
298 return gensec_expire_time(gensec_security
->child_security
);
301 const char *gensec_child_final_auth_type(struct gensec_security
*gensec_security
)
303 if (gensec_security
->child_security
== NULL
) {
307 return gensec_final_auth_type(gensec_security
->child_security
);