search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
samba-tool: refuse to demote if the current DC has still roles
[Samba/gebeck_regimport.git] / source4 / auth / gensec / gensec_tstream.c
blob91915b503488c9501224c10b79bcbc6bc7311029
1 /*
2 Unix SMB/CIFS implementation.
3
4 tstream based generic authentication interface
5
6 Copyright (c) 2010 Stefan Metzmacher
7 Copyright (c) 2010 Andreas Schneider <asn@redhat.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/network.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_proto.h"
27 #include "auth/gensec/gensec_tstream.h"
28 #include "lib/tsocket/tsocket.h"
29 #include "lib/tsocket/tsocket_internal.h"
30 #include "auth/gensec/gensec_toplevel_proto.h"
31
32 static const struct tstream_context_ops tstream_gensec_ops;
33
34 struct tstream_gensec {
35 struct tstream_context *plain_stream;
36
37 struct gensec_security *gensec_security;
38
39 int error;
40
41 struct {
42 size_t max_unwrapped_size;
43 size_t max_wrapped_size;
44 } write;
45
46 struct {
47 off_t ofs;
48 size_t left;
49 DATA_BLOB unwrapped;
50 } read;
51 };
52
53 _PUBLIC_ NTSTATUS _gensec_create_tstream(TALLOC_CTX *mem_ctx,
54 struct gensec_security *gensec_security,
55 struct tstream_context *plain_stream,
56 struct tstream_context **_gensec_stream,
57 const char *location)
58 {
59 struct tstream_context *gensec_stream;
60 struct tstream_gensec *tgss;
61
62 gensec_stream = tstream_context_create(mem_ctx,
63 &tstream_gensec_ops,
64 &tgss,
65 struct tstream_gensec,
66 location);
67 if (gensec_stream == NULL) {
68 return NT_STATUS_NO_MEMORY;
69 }
70
71 tgss->plain_stream = plain_stream;
72 tgss->gensec_security = gensec_security;
73 tgss->error = 0;
74
75 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN) &&
76 !gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
77 talloc_free(gensec_stream);
78 return NT_STATUS_INVALID_PARAMETER;
79 }
80
81 tgss->write.max_unwrapped_size = gensec_max_input_size(gensec_security);
82 tgss->write.max_wrapped_size = gensec_max_wrapped_size(gensec_security);
83
84 ZERO_STRUCT(tgss->read);
85
86 *_gensec_stream = gensec_stream;
87 return NT_STATUS_OK;
88 }
89
90 static ssize_t tstream_gensec_pending_bytes(struct tstream_context *stream)
91 {
92 struct tstream_gensec *tgss =
93 tstream_context_data(stream,
94 struct tstream_gensec);
95
96 if (tgss->error != 0) {
97 errno = tgss->error;
98 return -1;
99 }
100
101 return tgss->read.left;
102 }
103
104 struct tstream_gensec_readv_state {
105 struct tevent_context *ev;
106 struct tstream_context *stream;
107
108 struct iovec *vector;
109 int count;
110
111 struct {
112 bool asked_for_hdr;
113 uint8_t hdr[4];
114 bool asked_for_blob;
115 DATA_BLOB blob;
116 } wrapped;
117
118 int ret;
119 };
120
121 static void tstream_gensec_readv_wrapped_next(struct tevent_req *req);
122
123 static struct tevent_req *tstream_gensec_readv_send(TALLOC_CTX *mem_ctx,
124 struct tevent_context *ev,
125 struct tstream_context *stream,
126 struct iovec *vector,
127 size_t count)
128 {
129 struct tstream_gensec *tgss =
130 tstream_context_data(stream,
131 struct tstream_gensec);
132 struct tevent_req *req;
133 struct tstream_gensec_readv_state *state;
134
135 req = tevent_req_create(mem_ctx, &state,
136 struct tstream_gensec_readv_state);
137 if (!req) {
138 return NULL;
139 }
140
141 if (tgss->error != 0) {
142 tevent_req_error(req, tgss->error);
143 return tevent_req_post(req, ev);
144 }
145
146 state->ev = ev;
147 state->stream = stream;
148 state->ret = 0;
149
150 /*
151 * we make a copy of the vector so we can change the structure
152 */
153 state->vector = talloc_array(state, struct iovec, count);
154 if (tevent_req_nomem(state->vector, req)) {
155 return tevent_req_post(req, ev);
156 }
157 memcpy(state->vector, vector, sizeof(struct iovec) * count);
158 state->count = count;
159
160 tstream_gensec_readv_wrapped_next(req);
161 if (!tevent_req_is_in_progress(req)) {
162 return tevent_req_post(req, ev);
163 }
164
165 return req;
166 }
167
168 static int tstream_gensec_readv_next_vector(struct tstream_context *unix_stream,
169 void *private_data,
170 TALLOC_CTX *mem_ctx,
171 struct iovec **_vector,
172 size_t *_count);
173 static void tstream_gensec_readv_wrapped_done(struct tevent_req *subreq);
174
175 static void tstream_gensec_readv_wrapped_next(struct tevent_req *req)
176 {
177 struct tstream_gensec_readv_state *state =
178 tevent_req_data(req,
179 struct tstream_gensec_readv_state);
180 struct tstream_gensec *tgss =
181 tstream_context_data(state->stream,
182 struct tstream_gensec);
183 struct tevent_req *subreq;
184
185 /*
186 * copy the pending buffer first
187 */
188 while (tgss->read.left > 0 && state->count > 0) {
189 uint8_t *base = (uint8_t *)state->vector[0].iov_base;
190 size_t len = MIN(tgss->read.left, state->vector[0].iov_len);
191
192 memcpy(base, tgss->read.unwrapped.data + tgss->read.ofs, len);
193
194 base += len;
195 state->vector[0].iov_base = (char *) base;
196 state->vector[0].iov_len -= len;
197
198 tgss->read.ofs += len;
199 tgss->read.left -= len;
200
201 if (state->vector[0].iov_len == 0) {
202 state->vector += 1;
203 state->count -= 1;
204 }
205
206 state->ret += len;
207 }
208
209 if (state->count == 0) {
210 tevent_req_done(req);
211 return;
212 }
213
214 data_blob_free(&tgss->read.unwrapped);
215 ZERO_STRUCT(state->wrapped);
216
217 subreq = tstream_readv_pdu_send(state, state->ev,
218 tgss->plain_stream,
219 tstream_gensec_readv_next_vector,
220 state);
221 if (tevent_req_nomem(subreq, req)) {
222 return;
223 }
224 tevent_req_set_callback(subreq, tstream_gensec_readv_wrapped_done, req);
225 }
226
227 static int tstream_gensec_readv_next_vector(struct tstream_context *unix_stream,
228 void *private_data,
229 TALLOC_CTX *mem_ctx,
230 struct iovec **_vector,
231 size_t *_count)
232 {
233 struct tstream_gensec_readv_state *state =
234 talloc_get_type_abort(private_data,
235 struct tstream_gensec_readv_state);
236 struct iovec *vector;
237 size_t count = 1;
238
239 /* we need to get a message header */
240 vector = talloc_array(mem_ctx, struct iovec, count);
241 if (!vector) {
242 return -1;
243 }
244
245 if (!state->wrapped.asked_for_hdr) {
246 state->wrapped.asked_for_hdr = true;
247 vector[0].iov_base = (char *)state->wrapped.hdr;
248 vector[0].iov_len = sizeof(state->wrapped.hdr);
249 } else if (!state->wrapped.asked_for_blob) {
250 state->wrapped.asked_for_blob = true;
251 uint32_t msg_len;
252
253 msg_len = RIVAL(state->wrapped.hdr, 0);
254
255 if (msg_len > 0x00FFFFFF) {
256 errno = EMSGSIZE;
257 return -1;
258 }
259
260 if (msg_len == 0) {
261 errno = EMSGSIZE;
262 return -1;
263 }
264
265 state->wrapped.blob = data_blob_talloc(state, NULL, msg_len);
266 if (state->wrapped.blob.data == NULL) {
267 return -1;
268 }
269
270 vector[0].iov_base = (char *)state->wrapped.blob.data;
271 vector[0].iov_len = state->wrapped.blob.length;
272 } else {
273 *_vector = NULL;
274 *_count = 0;
275 return 0;
276 }
277
278 *_vector = vector;
279 *_count = count;
280 return 0;
281 }
282
283 static void tstream_gensec_readv_wrapped_done(struct tevent_req *subreq)
284 {
285 struct tevent_req *req =
286 tevent_req_callback_data(subreq,
287 struct tevent_req);
288 struct tstream_gensec_readv_state *state =
289 tevent_req_data(req,
290 struct tstream_gensec_readv_state);
291 struct tstream_gensec *tgss =
292 tstream_context_data(state->stream,
293 struct tstream_gensec);
294 int ret;
295 int sys_errno;
296 NTSTATUS status;
297
298 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
299 TALLOC_FREE(subreq);
300 if (ret == -1) {
301 tgss->error = sys_errno;
302 tevent_req_error(req, sys_errno);
303 return;
304 }
305
306 status = gensec_unwrap(tgss->gensec_security,
307 state,
308 &state->wrapped.blob,
309 &tgss->read.unwrapped);
310 if (!NT_STATUS_IS_OK(status)) {
311 tgss->error = EIO;
312 tevent_req_error(req, tgss->error);
313 return;
314 }
315
316 data_blob_free(&state->wrapped.blob);
317
318 talloc_steal(tgss, tgss->read.unwrapped.data);
319 tgss->read.left = tgss->read.unwrapped.length;
320 tgss->read.ofs = 0;
321
322 tstream_gensec_readv_wrapped_next(req);
323 }
324
325 static int tstream_gensec_readv_recv(struct tevent_req *req, int *perrno)
326 {
327 struct tstream_gensec_readv_state *state =
328 tevent_req_data(req,
329 struct tstream_gensec_readv_state);
330 int ret;
331
332 ret = tsocket_simple_int_recv(req, perrno);
333 if (ret == 0) {
334 ret = state->ret;
335 }
336
337 tevent_req_received(req);
338 return ret;
339 }
340
341 struct tstream_gensec_writev_state {
342 struct tevent_context *ev;
343 struct tstream_context *stream;
344
345 struct iovec *vector;
346 int count;
347
348 struct {
349 off_t ofs;
350 size_t left;
351 DATA_BLOB blob;
352 } unwrapped;
353
354 struct {
355 uint8_t hdr[4];
356 DATA_BLOB blob;
357 struct iovec iov[2];
358 } wrapped;
359
360 int ret;
361 };
362
363 static void tstream_gensec_writev_wrapped_next(struct tevent_req *req);
364
365 static struct tevent_req *tstream_gensec_writev_send(TALLOC_CTX *mem_ctx,
366 struct tevent_context *ev,
367 struct tstream_context *stream,
368 const struct iovec *vector,
369 size_t count)
370 {
371 struct tstream_gensec *tgss =
372 tstream_context_data(stream,
373 struct tstream_gensec);
374 struct tevent_req *req;
375 struct tstream_gensec_writev_state *state;
376 int i;
377 int total;
378 int chunk;
379
380 req = tevent_req_create(mem_ctx, &state,
381 struct tstream_gensec_writev_state);
382 if (req == NULL) {
383 return NULL;
384 }
385
386 if (tgss->error != 0) {
387 tevent_req_error(req, tgss->error);
388 return tevent_req_post(req, ev);
389 }
390
391 state->ev = ev;
392 state->stream = stream;
393 state->ret = 0;
394
395 /*
396 * we make a copy of the vector so we can change the structure
397 */
398 state->vector = talloc_array(state, struct iovec, count);
399 if (tevent_req_nomem(state->vector, req)) {
400 return tevent_req_post(req, ev);
401 }
402 memcpy(state->vector, vector, sizeof(struct iovec) * count);
403 state->count = count;
404
405 total = 0;
406 for (i = 0; i < count; i++) {
407 /*
408 * the generic tstream code makes sure that
409 * this never wraps.
410 */
411 total += vector[i].iov_len;
412 }
413
414 /*
415 * We may need to send data in chunks.
416 */
417 chunk = MIN(total, tgss->write.max_unwrapped_size);
418
419 state->unwrapped.blob = data_blob_talloc(state, NULL, chunk);
420 if (tevent_req_nomem(state->unwrapped.blob.data, req)) {
421 return tevent_req_post(req, ev);
422 }
423
424 tstream_gensec_writev_wrapped_next(req);
425 if (!tevent_req_is_in_progress(req)) {
426 return tevent_req_post(req, ev);
427 }
428
429 return req;
430 }
431
432 static void tstream_gensec_writev_wrapped_done(struct tevent_req *subreq);
433
434 static void tstream_gensec_writev_wrapped_next(struct tevent_req *req)
435 {
436 struct tstream_gensec_writev_state *state =
437 tevent_req_data(req,
438 struct tstream_gensec_writev_state);
439 struct tstream_gensec *tgss =
440 tstream_context_data(state->stream,
441 struct tstream_gensec);
442 struct tevent_req *subreq;
443 NTSTATUS status;
444
445 data_blob_free(&state->wrapped.blob);
446
447 state->unwrapped.left = state->unwrapped.blob.length;
448 state->unwrapped.ofs = 0;
449
450 /*
451 * first fill our buffer
452 */
453 while (state->unwrapped.left > 0 && state->count > 0) {
454 uint8_t *base = (uint8_t *)state->vector[0].iov_base;
455 size_t len = MIN(state->unwrapped.left, state->vector[0].iov_len);
456
457 memcpy(state->unwrapped.blob.data + state->unwrapped.ofs, base, len);
458
459 base += len;
460 state->vector[0].iov_base = (char *) base;
461 state->vector[0].iov_len -= len;
462
463 state->unwrapped.ofs += len;
464 state->unwrapped.left -= len;
465
466 if (state->vector[0].iov_len == 0) {
467 state->vector += 1;
468 state->count -= 1;
469 }
470
471 state->ret += len;
472 }
473
474 if (state->unwrapped.ofs == 0) {
475 tevent_req_done(req);
476 return;
477 }
478
479 state->unwrapped.blob.length = state->unwrapped.ofs;
480
481 status = gensec_wrap(tgss->gensec_security,
482 state,
483 &state->unwrapped.blob,
484 &state->wrapped.blob);
485 if (!NT_STATUS_IS_OK(status)) {
486 tgss->error = EIO;
487 tevent_req_error(req, tgss->error);
488 return;
489 }
490
491 RSIVAL(state->wrapped.hdr, 0, state->wrapped.blob.length);
492
493 state->wrapped.iov[0].iov_base = (void *)state->wrapped.hdr;
494 state->wrapped.iov[0].iov_len = sizeof(state->wrapped.hdr);
495 state->wrapped.iov[1].iov_base = (void *)state->wrapped.blob.data;
496 state->wrapped.iov[1].iov_len = state->wrapped.blob.length;
497
498 subreq = tstream_writev_send(state, state->ev,
499 tgss->plain_stream,
500 state->wrapped.iov, 2);
501 if (tevent_req_nomem(subreq, req)) {
502 return;
503 }
504 tevent_req_set_callback(subreq,
505 tstream_gensec_writev_wrapped_done,
506 req);
507 }
508
509 static void tstream_gensec_writev_wrapped_done(struct tevent_req *subreq)
510 {
511 struct tevent_req *req =
512 tevent_req_callback_data(subreq,
513 struct tevent_req);
514 struct tstream_gensec_writev_state *state =
515 tevent_req_data(req,
516 struct tstream_gensec_writev_state);
517 struct tstream_gensec *tgss =
518 tstream_context_data(state->stream,
519 struct tstream_gensec);
520 int sys_errno;
521 int ret;
522
523 ret = tstream_writev_recv(subreq, &sys_errno);
524 TALLOC_FREE(subreq);
525 if (ret == -1) {
526 tgss->error = sys_errno;
527 tevent_req_error(req, sys_errno);
528 return;
529 }
530
531 tstream_gensec_writev_wrapped_next(req);
532 }
533
534 static int tstream_gensec_writev_recv(struct tevent_req *req,
535 int *perrno)
536 {
537 struct tstream_gensec_writev_state *state =
538 tevent_req_data(req,
539 struct tstream_gensec_writev_state);
540 int ret;
541
542 ret = tsocket_simple_int_recv(req, perrno);
543 if (ret == 0) {
544 ret = state->ret;
545 }
546
547 tevent_req_received(req);
548 return ret;
549 }
550
551 struct tstream_gensec_disconnect_state {
552 uint8_t _dummy;
553 };
554
555 static struct tevent_req *tstream_gensec_disconnect_send(TALLOC_CTX *mem_ctx,
556 struct tevent_context *ev,
557 struct tstream_context *stream)
558 {
559 struct tstream_gensec *tgss =
560 tstream_context_data(stream,
561 struct tstream_gensec);
562 struct tevent_req *req;
563 struct tstream_gensec_disconnect_state *state;
564
565 req = tevent_req_create(mem_ctx, &state,
566 struct tstream_gensec_disconnect_state);
567 if (req == NULL) {
568 return NULL;
569 }
570
571 if (tgss->error != 0) {
572 tevent_req_error(req, tgss->error);
573 return tevent_req_post(req, ev);
574 }
575
576 /*
577 * The caller is responsible to do the real disconnect
578 * on the plain stream!
579 */
580 tgss->plain_stream = NULL;
581 tgss->error = ENOTCONN;
582
583 tevent_req_done(req);
584 return tevent_req_post(req, ev);
585 }
586
587 static int tstream_gensec_disconnect_recv(struct tevent_req *req,
588 int *perrno)
589 {
590 int ret;
591
592 ret = tsocket_simple_int_recv(req, perrno);
593
594 tevent_req_received(req);
595 return ret;
596 }
597
598 static const struct tstream_context_ops tstream_gensec_ops = {
599 .name = "gensec",
600
601 .pending_bytes = tstream_gensec_pending_bytes,
602
603 .readv_send = tstream_gensec_readv_send,
604 .readv_recv = tstream_gensec_readv_recv,
605
606 .writev_send = tstream_gensec_writev_send,
607 .writev_recv = tstream_gensec_writev_recv,
608
609 .disconnect_send = tstream_gensec_disconnect_send,
610 .disconnect_recv = tstream_gensec_disconnect_recv,
611 };
reg import