Unix SMB/CIFS implementation.
Generic Authentication Interface
Copyright (C) Andrew Tridgell 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "auth/gensec/gensec.h"
25 #include "auth/common_auth.h"
/*
 * Turn a Kerberos principal (and its PAC, when the ticket carried one)
 * into an auth_session_info via the auth_context hook.
 *
 * The flags handed to the hook always include
 * AUTH_SESSION_INFO_DEFAULT_GROUPS, plus AUTH_SESSION_INFO_UNIX_TOKEN
 * when the caller asked gensec for GENSEC_FEATURE_UNIX_TOKEN.
 *
 * pac_blob may be NULL.  Whether a PAC-less ticket is accepted is decided
 * by the "gensec:require_pac" setting: the ticket is rejected with
 * NT_STATUS_ACCESS_DENIED when gensec_setting_bool() yields false, and
 * otherwise the hook is left to resolve principal_string by a local
 * lookup, with no PAC-supplied group membership to go on.
 *
 * NOTE(review): because of the `!` on the setting test, the option's
 * polarity is the reverse of its name: the default (false) denies
 * PAC-less tickets, and "require_pac = true" is what permits the
 * local-lookup fallback.  Deny-by-default is the safer outcome, so the
 * logic is kept as is here; confirm the intended polarity before
 * documenting or flipping it.
 *
 * @return NT_STATUS_ACCESS_DENIED as above, NT_STATUS_INTERNAL_ERROR when
 *         there is no auth_context or it lacks the hook, otherwise the
 *         hook's own status.
 *
 * NOTE(review): the listing this was reformatted from omits the pac_blob
 * parameter line, the `if (!pac_blob)` guard and the hook's argument
 * list; they follow the upstream gensec_generate_session_info_pac() and
 * should be confirmed against the file.
 */
NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
					  struct gensec_security *gensec_security,
					  struct smb_krb5_context *smb_krb5_context,
					  DATA_BLOB *pac_blob,
					  const char *principal_string,
					  const struct tsocket_address *remote_address,
					  struct auth_session_info **session_info)
{
	uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;

	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
		session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
	}

	if (pac_blob == NULL) {
		/* Named for what the value actually does here, not for the
		 * option's name: a false result denies the ticket. */
		bool pac_optional = gensec_setting_bool(gensec_security->settings,
							"gensec", "require_pac", false);

		if (!pac_optional) {
			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
				  principal_string));
			return NT_STATUS_ACCESS_DENIED;
		}

		DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
			  principal_string));
	}

	if (gensec_security->auth_context == NULL ||
	    gensec_security->auth_context->generate_session_info_pac == NULL) {
		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
		return NT_STATUS_INTERNAL_ERROR;
	}

	return gensec_security->auth_context->generate_session_info_pac(
			gensec_security->auth_context,
			mem_ctx,
			smb_krb5_context,
			pac_blob,
			principal_string,
			remote_address,
			session_info_flags,
			session_info);
}
/*
 * These functions are for use in the deprecated
 * gensec_socket code (public because SPNEGO must
 * use them for recursion)
 */

/*
 * Wrap as much of @in as the mechanism accepts into one length-prefixed
 * packet.
 *
 * When the mechanism supplies its own wrap_packets hook the call is
 * forwarded to it unchanged.  Otherwise a packet is synthesised from
 * gensec_wrap(): the input is clipped to gensec_max_input_size(), sealed,
 * and emitted as a 4-byte big-endian length (RSIVAL) followed by the
 * sealed bytes.  That header is what gensec_unwrap_packets() and
 * gensec_packet_full_request() read back, so the two must stay in step.
 *
 * @param mem_ctx        talloc context for *out.
 * @param in             plaintext to wrap; only a prefix may be consumed.
 * @param out            receives the wrapped packet.
 * @param len_processed  receives how many bytes of @in were consumed, so
 *                       the caller can loop over the remainder.
 * @return NT_STATUS_NO_MEMORY on allocation failure, the gensec_wrap()
 *         status when sealing fails, NT_STATUS_OK otherwise.
 *
 * NOTE(review): the listing this was reformatted from omits the mem_ctx,
 * in and out parameter lines and a few statements of the fallback path;
 * they follow the upstream gensec_wrap_packets() and should be confirmed
 * against the file.
 */
_PUBLIC_ NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
				      TALLOC_CTX *mem_ctx,
				      const DATA_BLOB *in,
				      DATA_BLOB *out,
				      size_t *len_processed)
{
	NTSTATUS status;
	size_t max_in;
	DATA_BLOB chunk;
	DATA_BLOB sealed;

	/* Mechanisms with native packet framing do all of this themselves. */
	if (gensec_security->ops->wrap_packets != NULL) {
		return gensec_security->ops->wrap_packets(gensec_security, mem_ctx,
							  in, out, len_processed);
	}

	/* gensec_wrap() has a per-mechanism input ceiling; never exceed it.
	 * max_in is kept in a local so the MIN() macro does not evaluate
	 * the call twice. */
	max_in = gensec_max_input_size(gensec_security);
	chunk = data_blob_const(in->data, MIN(max_in, (size_t)in->length));

	status = gensec_wrap(gensec_security, mem_ctx, &chunk, &sealed);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* 4-byte big-endian length header, then the sealed payload. */
	*out = data_blob_talloc(mem_ctx, NULL, 4);
	if (out->data == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	RSIVAL(out->data, 0, sealed.length);

	if (!data_blob_append(mem_ctx, out, sealed.data, sealed.length)) {
		return NT_STATUS_NO_MEMORY;
	}

	*len_processed = chunk.length;
	return NT_STATUS_OK;
}
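/*
 * These functions are for use in the deprecated
 * gensec_socket code (public because SPNEGO must
 * use them for recursion)
 */

/*
 * Unwrap one length-prefixed packet produced by gensec_wrap_packets().
 *
 * When the mechanism supplies its own unwrap_packets hook the call is
 * forwarded to it unchanged.  Otherwise the 4-byte big-endian length is
 * read from the front of @in (RIVAL), checked against the bytes actually
 * present, and the payload behind it is handed to gensec_unwrap().
 *
 * The length header is peer-controlled input.  It is only ever used as a
 * length after the `payload.length > in->length - 4` check below, which
 * is what keeps data_blob_const()/gensec_unwrap() inside @in.
 *
 * @param mem_ctx        talloc context for *out.
 * @param in             wire bytes, starting at a packet header.
 * @param out            receives the unwrapped plaintext.
 * @param len_processed  receives header plus payload length, i.e. how far
 *                       the caller should advance its input.
 * @return NT_STATUS_INVALID_PARAMETER when @in is shorter than the header,
 *         NT_STATUS_INTERNAL_ERROR when the header claims more bytes than
 *         are present, the gensec_unwrap() status when unsealing fails,
 *         NT_STATUS_OK otherwise.
 *
 * NOTE(review): the listing this was reformatted from omits the mem_ctx,
 * in and out parameter lines, the local declarations and the
 * gensec_unwrap() argument list; they follow the upstream
 * gensec_unwrap_packets() and should be confirmed against the file.
 */
NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
			       TALLOC_CTX *mem_ctx,
			       const DATA_BLOB *in,
			       DATA_BLOB *out,
			       size_t *len_processed)
{
	NTSTATUS status;
	uint32_t payload_len;
	DATA_BLOB payload;

	if (gensec_security->ops->unwrap_packets != NULL) {
		return gensec_security->ops->unwrap_packets(gensec_security, mem_ctx,
							    in, out, len_processed);
	}

	if (in->length < 4) {
		/* Missing the header we already had! */
		DEBUG(0, ("Asked to unwrap packet of bogus length! How did we get the short packet?!\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	payload_len = RIVAL(in->data, 0);
	payload = data_blob_const(in->data + 4, payload_len);

	/* Bound the wire-supplied length before anything reads through it. */
	if (payload.length > (in->length - 4)) {
		DEBUG(0, ("Asked to unwrap packed of bogus length %d > %d! How did we get this?!\n",
			  (int)payload.length, (int)(in->length - 4)));
		return NT_STATUS_INTERNAL_ERROR;
	}

	status = gensec_unwrap(gensec_security, mem_ctx, &payload, out);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Widen before adding the header size: done in uint32_t, a payload
	 * length at the top of the 32-bit range would wrap to a tiny value
	 * and make the caller re-read the same bytes. */
	*len_processed = (size_t)payload_len + 4;
	return NT_STATUS_OK;
}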
155 * These functions are for use in the deprecated
156 * gensec_socket code (public because SPNEGO must
157 * use them for recursion)
159 NTSTATUS
gensec_packet_full_request(struct gensec_security
*gensec_security
,
160 DATA_BLOB blob
, size_t *size
)
162 if (gensec_security
->ops
->packet_full_request
) {
163 return gensec_security
->ops
->packet_full_request(gensec_security
,
166 if (gensec_security
->ops
->unwrap_packets
) {
171 return STATUS_MORE_ENTRIES
;
174 if (blob
.length
< 4) {
175 return STATUS_MORE_ENTRIES
;
177 *size
= 4 + RIVAL(blob
.data
, 0);
178 if (*size
> blob
.length
) {
179 return STATUS_MORE_ENTRIES
;