search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Update waf build to include missed dependancy on Lion.
[Samba/gebeck_regimport.git] / auth / gensec / gensec_util.c
blobcdd615fb60cb4ec21de683b4b774dcaeca59684d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/common_auth.h"
26
27 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
28 struct gensec_security *gensec_security,
29 struct smb_krb5_context *smb_krb5_context,
30 DATA_BLOB *pac_blob,
31 const char *principal_string,
32 const struct tsocket_address *remote_address,
33 struct auth_session_info **session_info)
34 {
35 uint32_t session_info_flags = 0;
36
37 if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
38 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
39 }
40
41 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
42
43 if (!pac_blob) {
44 if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
45 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
46 principal_string));
47 return NT_STATUS_ACCESS_DENIED;
48 }
49 DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
50 principal_string));
51 }
52
53 if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
54 return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
55 mem_ctx,
56 smb_krb5_context,
57 pac_blob,
58 principal_string,
59 remote_address,
60 session_info_flags,
61 session_info);
62 } else {
63 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
64 return NT_STATUS_INTERNAL_ERROR;
65 }
66 }
67
68 /*
69 * These functions are for use in the deprecated
70 * gensec_socket code (public because SPNEGO must
71 * use them for recursion)
72 */
73 _PUBLIC_ NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
74 TALLOC_CTX *mem_ctx,
75 const DATA_BLOB *in,
76 DATA_BLOB *out,
77 size_t *len_processed)
78 {
79 if (!gensec_security->ops->wrap_packets) {
80 NTSTATUS nt_status;
81 size_t max_input_size;
82 DATA_BLOB unwrapped, wrapped;
83 max_input_size = gensec_max_input_size(gensec_security);
84 unwrapped = data_blob_const(in->data, MIN(max_input_size, (size_t)in->length));
85
86 nt_status = gensec_wrap(gensec_security,
87 mem_ctx,
88 &unwrapped, &wrapped);
89 if (!NT_STATUS_IS_OK(nt_status)) {
90 return nt_status;
91 }
92
93 *out = data_blob_talloc(mem_ctx, NULL, 4);
94 if (!out->data) {
95 return NT_STATUS_NO_MEMORY;
96 }
97 RSIVAL(out->data, 0, wrapped.length);
98
99 if (!data_blob_append(mem_ctx, out, wrapped.data, wrapped.length)) {
100 return NT_STATUS_NO_MEMORY;
101 }
102 *len_processed = unwrapped.length;
103 return NT_STATUS_OK;
104 }
105 return gensec_security->ops->wrap_packets(gensec_security, mem_ctx, in, out,
106 len_processed);
107 }
108
109 /*
110 * These functions are for use in the deprecated
111 * gensec_socket code (public because SPNEGO must
112 * use them for recursion)
113 */
114 NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
115 TALLOC_CTX *mem_ctx,
116 const DATA_BLOB *in,
117 DATA_BLOB *out,
118 size_t *len_processed)
119 {
120 if (!gensec_security->ops->unwrap_packets) {
121 DATA_BLOB wrapped;
122 NTSTATUS nt_status;
123 size_t packet_size;
124 if (in->length < 4) {
125 /* Missing the header we already had! */
126 DEBUG(0, ("Asked to unwrap packet of bogus length! How did we get the short packet?!\n"));
127 return NT_STATUS_INVALID_PARAMETER;
128 }
129
130 packet_size = RIVAL(in->data, 0);
131
132 wrapped = data_blob_const(in->data + 4, packet_size);
133
134 if (wrapped.length > (in->length - 4)) {
135 DEBUG(0, ("Asked to unwrap packed of bogus length %d > %d! How did we get this?!\n",
136 (int)wrapped.length, (int)(in->length - 4)));
137 return NT_STATUS_INTERNAL_ERROR;
138 }
139
140 nt_status = gensec_unwrap(gensec_security,
141 mem_ctx,
142 &wrapped, out);
143 if (!NT_STATUS_IS_OK(nt_status)) {
144 return nt_status;
145 }
146
147 *len_processed = packet_size + 4;
148 return nt_status;
149 }
150 return gensec_security->ops->unwrap_packets(gensec_security, mem_ctx, in, out,
151 len_processed);
152 }
153
154 /*
155 * These functions are for use in the deprecated
156 * gensec_socket code (public because SPNEGO must
157 * use them for recursion)
158 */
159 NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
160 DATA_BLOB blob, size_t *size)
161 {
162 if (gensec_security->ops->packet_full_request) {
163 return gensec_security->ops->packet_full_request(gensec_security,
164 blob, size);
165 }
166 if (gensec_security->ops->unwrap_packets) {
167 if (blob.length) {
168 *size = blob.length;
169 return NT_STATUS_OK;
170 }
171 return STATUS_MORE_ENTRIES;
172 }
173
174 if (blob.length < 4) {
175 return STATUS_MORE_ENTRIES;
176 }
177 *size = 4 + RIVAL(blob.data, 0);
178 if (*size > blob.length) {
179 return STATUS_MORE_ENTRIES;
180 }
181 return NT_STATUS_OK;
182 }
reg import