2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "auth/gensec/gensec.h"
25 #include "auth/common_auth.h"
26 #include "../lib/util/asn1.h"
28 NTSTATUS
gensec_generate_session_info_pac(TALLOC_CTX
*mem_ctx
,
29 struct gensec_security
*gensec_security
,
30 struct smb_krb5_context
*smb_krb5_context
,
32 const char *principal_string
,
33 const struct tsocket_address
*remote_address
,
34 struct auth_session_info
**session_info
)
36 uint32_t session_info_flags
= 0;
38 if (gensec_security
->want_features
& GENSEC_FEATURE_UNIX_TOKEN
) {
39 session_info_flags
|= AUTH_SESSION_INFO_UNIX_TOKEN
;
42 session_info_flags
|= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
45 if (gensec_setting_bool(gensec_security
->settings
, "gensec", "require_pac", false)) {
46 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
48 return NT_STATUS_ACCESS_DENIED
;
50 DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
54 if (gensec_security
->auth_context
&& gensec_security
->auth_context
->generate_session_info_pac
) {
55 return gensec_security
->auth_context
->generate_session_info_pac(gensec_security
->auth_context
,
64 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
65 return NT_STATUS_INTERNAL_ERROR
;
70 * These functions are for use in the deprecated
71 * gensec_socket code (public because SPNEGO must
72 * use them for recursion)
74 _PUBLIC_ NTSTATUS
gensec_wrap_packets(struct gensec_security
*gensec_security
,
78 size_t *len_processed
)
80 if (!gensec_security
->ops
->wrap_packets
) {
82 size_t max_input_size
;
83 DATA_BLOB unwrapped
, wrapped
;
84 max_input_size
= gensec_max_input_size(gensec_security
);
85 unwrapped
= data_blob_const(in
->data
, MIN(max_input_size
, (size_t)in
->length
));
87 nt_status
= gensec_wrap(gensec_security
,
89 &unwrapped
, &wrapped
);
90 if (!NT_STATUS_IS_OK(nt_status
)) {
94 *out
= data_blob_talloc(mem_ctx
, NULL
, 4);
96 return NT_STATUS_NO_MEMORY
;
98 RSIVAL(out
->data
, 0, wrapped
.length
);
100 if (!data_blob_append(mem_ctx
, out
, wrapped
.data
, wrapped
.length
)) {
101 return NT_STATUS_NO_MEMORY
;
103 *len_processed
= unwrapped
.length
;
106 return gensec_security
->ops
->wrap_packets(gensec_security
, mem_ctx
, in
, out
,
111 * These functions are for use in the deprecated
112 * gensec_socket code (public because SPNEGO must
113 * use them for recursion)
115 NTSTATUS
gensec_unwrap_packets(struct gensec_security
*gensec_security
,
119 size_t *len_processed
)
121 if (!gensec_security
->ops
->unwrap_packets
) {
125 if (in
->length
< 4) {
126 /* Missing the header we already had! */
127 DEBUG(0, ("Asked to unwrap packet of bogus length! How did we get the short packet?!\n"));
128 return NT_STATUS_INVALID_PARAMETER
;
131 packet_size
= RIVAL(in
->data
, 0);
133 wrapped
= data_blob_const(in
->data
+ 4, packet_size
);
135 if (wrapped
.length
> (in
->length
- 4)) {
136 DEBUG(0, ("Asked to unwrap packed of bogus length %d > %d! How did we get this?!\n",
137 (int)wrapped
.length
, (int)(in
->length
- 4)));
138 return NT_STATUS_INTERNAL_ERROR
;
141 nt_status
= gensec_unwrap(gensec_security
,
144 if (!NT_STATUS_IS_OK(nt_status
)) {
148 *len_processed
= packet_size
+ 4;
151 return gensec_security
->ops
->unwrap_packets(gensec_security
, mem_ctx
, in
, out
,
156 * These functions are for use in the deprecated
157 * gensec_socket code (public because SPNEGO must
158 * use them for recursion)
160 NTSTATUS
gensec_packet_full_request(struct gensec_security
*gensec_security
,
161 DATA_BLOB blob
, size_t *size
)
163 if (gensec_security
->ops
->packet_full_request
) {
164 return gensec_security
->ops
->packet_full_request(gensec_security
,
167 if (gensec_security
->ops
->unwrap_packets
) {
172 return STATUS_MORE_ENTRIES
;
175 if (blob
.length
< 4) {
176 return STATUS_MORE_ENTRIES
;
178 *size
= 4 + RIVAL(blob
.data
, 0);
179 if (*size
> blob
.length
) {
180 return STATUS_MORE_ENTRIES
;
186 magic check a GSS-API wrapper packet for an Kerberos OID
188 static bool gensec_gssapi_check_oid(const DATA_BLOB
*blob
, const char *oid
)
191 struct asn1_data
*data
= asn1_init(NULL
);
193 if (!data
) return false;
195 asn1_load(data
, *blob
);
196 asn1_start_tag(data
, ASN1_APPLICATION(0));
197 asn1_check_OID(data
, oid
);
199 ret
= !data
->has_error
;
207 * Check if the packet is one for the KRB5 mechansim
209 * NOTE: This is a helper that can be employed by multiple mechanisms, do
210 * not make assumptions about the private_data
212 * @param gensec_security GENSEC state, unused
213 * @param in The request, as a DATA_BLOB
214 * @return Error, INVALID_PARAMETER if it's not a packet for us
215 * or NT_STATUS_OK if the packet is ok.
218 NTSTATUS
gensec_magic_check_krb5_oid(struct gensec_security
*unused
,
219 const DATA_BLOB
*blob
)
221 if (gensec_gssapi_check_oid(blob
, GENSEC_OID_KERBEROS5
)) {
224 return NT_STATUS_INVALID_PARAMETER
;