search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
selftest/knownfail.d: move encrypted_secrets to expectedfail.d
[samba.git] / source4 / kdc / kdc-server.c
blob297d91e2716b9420466e56585ab088fc43f1ddf9
1 /*
2 Unix SMB/CIFS implementation.
3
4 KDC related functions
5
6 Copyright (c) 2005-2008 Andrew Bartlett <abartlet@samba.org>
7 Copyright (c) 2005 Andrew Tridgell <tridge@samba.org>
8 Copyright (c) 2005 Stefan Metzmacher <metze@samba.org>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "param/param.h"
26 #include "samba/process_model.h"
27 #include "lib/tsocket/tsocket.h"
28 #include "libcli/util/tstream.h"
29 #include "kdc/kdc-server.h"
30 #include "kdc/kdc-proxy.h"
31 #include "lib/stream/packet.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_KERBEROS
35
36 /*
37 * State of an open tcp connection
38 */
39 struct kdc_tcp_connection {
40 /* stream connection we belong to */
41 struct stream_connection *conn;
42
43 /* the kdc_server the connection belongs to */
44 struct kdc_socket *kdc_socket;
45
46 struct tstream_context *tstream;
47
48 struct tevent_queue *send_queue;
49 };
50
51 struct kdc_tcp_call {
52 struct kdc_tcp_connection *kdc_conn;
53 DATA_BLOB in;
54 DATA_BLOB out;
55 uint8_t out_hdr[4];
56 struct iovec out_iov[2];
57 };
58
59 struct kdc_udp_call {
60 struct kdc_udp_socket *sock;
61 struct tsocket_address *src;
62 DATA_BLOB in;
63 DATA_BLOB out;
64 };
65
66 static void kdc_udp_call_proxy_done(struct tevent_req *subreq);
67 static void kdc_udp_call_sendto_done(struct tevent_req *subreq);
68
69 static void kdc_tcp_call_writev_done(struct tevent_req *subreq);
70 static void kdc_tcp_call_proxy_done(struct tevent_req *subreq);
71
72 static void kdc_tcp_terminate_connection(struct kdc_tcp_connection *kdc_conn,
73 const char *reason)
74 {
75 stream_terminate_connection(kdc_conn->conn, reason);
76 }
77
78 static NTSTATUS kdc_proxy_unavailable_error(struct kdc_server *kdc,
79 TALLOC_CTX *mem_ctx,
80 DATA_BLOB *out)
81 {
82 krb5_error_code code;
83 krb5_data enc_error;
84
85 code = smb_krb5_mk_error(kdc->smb_krb5_context->krb5_context,
86 KRB5KDC_ERR_SVC_UNAVAILABLE,
87 NULL,
88 NULL,
89 NULL,
90 NULL,
91 &enc_error);
92 if (code != 0) {
93 DBG_WARNING("Unable to form krb5 error reply\n");
94 return NT_STATUS_INTERNAL_ERROR;
95 }
96
97 *out = data_blob_talloc(mem_ctx, enc_error.data, enc_error.length);
98 smb_krb5_free_data_contents(kdc->smb_krb5_context->krb5_context,
99 &enc_error);
100 if (!out->data) {
101 return NT_STATUS_NO_MEMORY;
102 }
103
104 return NT_STATUS_OK;
105 }
106
107 static void kdc_udp_call_loop(struct tevent_req *subreq)
108 {
109 struct kdc_udp_socket *sock = tevent_req_callback_data(subreq,
110 struct kdc_udp_socket);
111 struct kdc_udp_call *call;
112 uint8_t *buf;
113 ssize_t len;
114 int sys_errno;
115 kdc_code ret;
116
117 call = talloc(sock, struct kdc_udp_call);
118 if (call == NULL) {
119 talloc_free(call);
120 goto done;
121 }
122 call->sock = sock;
123
124 len = tdgram_recvfrom_recv(subreq, &sys_errno,
125 call, &buf, &call->src);
126 TALLOC_FREE(subreq);
127 if (len == -1) {
128 talloc_free(call);
129 goto done;
130 }
131
132 call->in.data = buf;
133 call->in.length = len;
134
135 DBG_DEBUG("Received krb5 UDP packet of length %zu from %s\n",
136 call->in.length,
137 tsocket_address_string(call->src, call));
138
139 /* Call krb5 */
140 ret = sock->kdc_socket->process(sock->kdc_socket->kdc,
141 call,
142 &call->in,
143 &call->out,
144 call->src,
145 sock->kdc_socket->local_address,
146 1 /* Datagram */);
147 if (ret == KDC_ERROR) {
148 talloc_free(call);
149 goto done;
150 }
151
152 if (ret == KDC_PROXY_REQUEST) {
153 uint16_t port;
154
155 if (!sock->kdc_socket->kdc->am_rodc) {
156 DBG_ERR("proxying requested when not RODC\n");
157 talloc_free(call);
158 goto done;
159 }
160
161 port = tsocket_address_inet_port(sock->kdc_socket->local_address);
162
163 subreq = kdc_udp_proxy_send(call,
164 sock->kdc_socket->kdc->task->event_ctx,
165 sock->kdc_socket->kdc,
166 port,
167 call->in);
168 if (subreq == NULL) {
169 talloc_free(call);
170 goto done;
171 }
172 tevent_req_set_callback(subreq, kdc_udp_call_proxy_done, call);
173 goto done;
174 }
175
176 subreq = tdgram_sendto_queue_send(call,
177 sock->kdc_socket->kdc->task->event_ctx,
178 sock->dgram,
179 sock->send_queue,
180 call->out.data,
181 call->out.length,
182 call->src);
183 if (subreq == NULL) {
184 talloc_free(call);
185 goto done;
186 }
187 tevent_req_set_callback(subreq, kdc_udp_call_sendto_done, call);
188
189 done:
190 subreq = tdgram_recvfrom_send(sock,
191 sock->kdc_socket->kdc->task->event_ctx,
192 sock->dgram);
193 if (subreq == NULL) {
194 task_server_terminate(sock->kdc_socket->kdc->task,
195 "no memory for tdgram_recvfrom_send",
196 true);
197 return;
198 }
199 tevent_req_set_callback(subreq, kdc_udp_call_loop, sock);
200 }
201
202 static void kdc_udp_call_proxy_done(struct tevent_req *subreq)
203 {
204 struct kdc_udp_call *call =
205 tevent_req_callback_data(subreq,
206 struct kdc_udp_call);
207 NTSTATUS status;
208
209 status = kdc_udp_proxy_recv(subreq, call, &call->out);
210 TALLOC_FREE(subreq);
211 if (!NT_STATUS_IS_OK(status)) {
212 /* generate an error packet */
213 status = kdc_proxy_unavailable_error(call->sock->kdc_socket->kdc,
214 call, &call->out);
215 }
216
217 if (!NT_STATUS_IS_OK(status)) {
218 talloc_free(call);
219 return;
220 }
221
222 subreq = tdgram_sendto_queue_send(call,
223 call->sock->kdc_socket->kdc->task->event_ctx,
224 call->sock->dgram,
225 call->sock->send_queue,
226 call->out.data,
227 call->out.length,
228 call->src);
229 if (subreq == NULL) {
230 talloc_free(call);
231 return;
232 }
233
234 tevent_req_set_callback(subreq, kdc_udp_call_sendto_done, call);
235 }
236
237 static void kdc_udp_call_sendto_done(struct tevent_req *subreq)
238 {
239 struct kdc_udp_call *call = tevent_req_callback_data(subreq,
240 struct kdc_udp_call);
241 int sys_errno;
242
243 tdgram_sendto_queue_recv(subreq, &sys_errno);
244
245 /* We don't care about errors */
246
247 talloc_free(call);
248 }
249
250 static void kdc_tcp_call_loop(struct tevent_req *subreq)
251 {
252 struct kdc_tcp_connection *kdc_conn = tevent_req_callback_data(subreq,
253 struct kdc_tcp_connection);
254 struct kdc_tcp_call *call;
255 NTSTATUS status;
256 kdc_code ret;
257
258 call = talloc(kdc_conn, struct kdc_tcp_call);
259 if (call == NULL) {
260 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
261 "no memory for kdc_tcp_call");
262 return;
263 }
264 call->kdc_conn = kdc_conn;
265
266 status = tstream_read_pdu_blob_recv(subreq,
267 call,
268 &call->in);
269 TALLOC_FREE(subreq);
270 if (!NT_STATUS_IS_OK(status)) {
271 const char *reason;
272
273 reason = talloc_asprintf(call, "kdc_tcp_call_loop: "
274 "tstream_read_pdu_blob_recv() - %s",
275 nt_errstr(status));
276 if (!reason) {
277 reason = nt_errstr(status);
278 }
279
280 kdc_tcp_terminate_connection(kdc_conn, reason);
281 return;
282 }
283
284 DBG_DEBUG("Received krb5 TCP packet of length %zu from %s\n",
285 call->in.length,
286 tsocket_address_string(kdc_conn->conn->remote_address, call));
287
288 /* skip length header */
289 call->in.data +=4;
290 call->in.length -= 4;
291
292 /* Call krb5 */
293 ret = kdc_conn->kdc_socket->process(kdc_conn->kdc_socket->kdc,
294 call,
295 &call->in,
296 &call->out,
297 kdc_conn->conn->remote_address,
298 kdc_conn->conn->local_address,
299 0 /* Stream */);
300 if (ret == KDC_ERROR) {
301 kdc_tcp_terminate_connection(kdc_conn,
302 "kdc_tcp_call_loop: process function failed");
303 return;
304 }
305
306 if (ret == KDC_PROXY_REQUEST) {
307 uint16_t port;
308
309 if (!kdc_conn->kdc_socket->kdc->am_rodc) {
310 kdc_tcp_terminate_connection(kdc_conn,
311 "kdc_tcp_call_loop: proxying requested when not RODC");
312 return;
313 }
314 port = tsocket_address_inet_port(kdc_conn->conn->local_address);
315
316 subreq = kdc_tcp_proxy_send(call,
317 kdc_conn->conn->event.ctx,
318 kdc_conn->kdc_socket->kdc,
319 port,
320 call->in);
321 if (subreq == NULL) {
322 kdc_tcp_terminate_connection(kdc_conn,
323 "kdc_tcp_call_loop: kdc_tcp_proxy_send failed");
324 return;
325 }
326 tevent_req_set_callback(subreq, kdc_tcp_call_proxy_done, call);
327 return;
328 }
329
330 /* First add the length of the out buffer */
331 RSIVAL(call->out_hdr, 0, call->out.length);
332 call->out_iov[0].iov_base = (char *) call->out_hdr;
333 call->out_iov[0].iov_len = 4;
334
335 call->out_iov[1].iov_base = (char *) call->out.data;
336 call->out_iov[1].iov_len = call->out.length;
337
338 subreq = tstream_writev_queue_send(call,
339 kdc_conn->conn->event.ctx,
340 kdc_conn->tstream,
341 kdc_conn->send_queue,
342 call->out_iov, 2);
343 if (subreq == NULL) {
344 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
345 "no memory for tstream_writev_queue_send");
346 return;
347 }
348 tevent_req_set_callback(subreq, kdc_tcp_call_writev_done, call);
349
350 /*
351 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
352 * tstream_full_request_u32 provides the pdu length then.
353 */
354 subreq = tstream_read_pdu_blob_send(kdc_conn,
355 kdc_conn->conn->event.ctx,
356 kdc_conn->tstream,
357 4, /* initial_read_size */
358 tstream_full_request_u32,
359 kdc_conn);
360 if (subreq == NULL) {
361 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
362 "no memory for tstream_read_pdu_blob_send");
363 return;
364 }
365 tevent_req_set_callback(subreq, kdc_tcp_call_loop, kdc_conn);
366 }
367
368 static void kdc_tcp_call_proxy_done(struct tevent_req *subreq)
369 {
370 struct kdc_tcp_call *call = tevent_req_callback_data(subreq,
371 struct kdc_tcp_call);
372 struct kdc_tcp_connection *kdc_conn = call->kdc_conn;
373 NTSTATUS status;
374
375 status = kdc_tcp_proxy_recv(subreq, call, &call->out);
376 TALLOC_FREE(subreq);
377 if (!NT_STATUS_IS_OK(status)) {
378 /* generate an error packet */
379 status = kdc_proxy_unavailable_error(kdc_conn->kdc_socket->kdc,
380 call, &call->out);
381 }
382
383 if (!NT_STATUS_IS_OK(status)) {
384 const char *reason;
385
386 reason = talloc_asprintf(call, "kdc_tcp_call_proxy_done: "
387 "kdc_proxy_unavailable_error - %s",
388 nt_errstr(status));
389 if (!reason) {
390 reason = "kdc_tcp_call_proxy_done: kdc_proxy_unavailable_error() failed";
391 }
392
393 kdc_tcp_terminate_connection(call->kdc_conn, reason);
394 return;
395 }
396
397 /* First add the length of the out buffer */
398 RSIVAL(call->out_hdr, 0, call->out.length);
399 call->out_iov[0].iov_base = (char *) call->out_hdr;
400 call->out_iov[0].iov_len = 4;
401
402 call->out_iov[1].iov_base = (char *) call->out.data;
403 call->out_iov[1].iov_len = call->out.length;
404
405 subreq = tstream_writev_queue_send(call,
406 kdc_conn->conn->event.ctx,
407 kdc_conn->tstream,
408 kdc_conn->send_queue,
409 call->out_iov, 2);
410 if (subreq == NULL) {
411 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_proxy_done: "
412 "no memory for tstream_writev_queue_send");
413 return;
414 }
415 tevent_req_set_callback(subreq, kdc_tcp_call_writev_done, call);
416
417 /*
418 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
419 * tstream_full_request_u32 provides the pdu length then.
420 */
421 subreq = tstream_read_pdu_blob_send(kdc_conn,
422 kdc_conn->conn->event.ctx,
423 kdc_conn->tstream,
424 4, /* initial_read_size */
425 tstream_full_request_u32,
426 kdc_conn);
427 if (subreq == NULL) {
428 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_proxy_done: "
429 "no memory for tstream_read_pdu_blob_send");
430 return;
431 }
432 tevent_req_set_callback(subreq, kdc_tcp_call_loop, kdc_conn);
433 }
434
435 static void kdc_tcp_call_writev_done(struct tevent_req *subreq)
436 {
437 struct kdc_tcp_call *call = tevent_req_callback_data(subreq,
438 struct kdc_tcp_call);
439 int sys_errno;
440 int rc;
441
442 rc = tstream_writev_queue_recv(subreq, &sys_errno);
443 TALLOC_FREE(subreq);
444 if (rc == -1) {
445 const char *reason;
446
447 reason = talloc_asprintf(call, "kdc_tcp_call_writev_done: "
448 "tstream_writev_queue_recv() - %d:%s",
449 sys_errno, strerror(sys_errno));
450 if (!reason) {
451 reason = "kdc_tcp_call_writev_done: tstream_writev_queue_recv() failed";
452 }
453
454 kdc_tcp_terminate_connection(call->kdc_conn, reason);
455 return;
456 }
457
458 /* We don't care about errors */
459
460 talloc_free(call);
461 }
462
463 /*
464 called when we get a new connection
465 */
466 static void kdc_tcp_accept(struct stream_connection *conn)
467 {
468 struct kdc_socket *kdc_socket;
469 struct kdc_tcp_connection *kdc_conn;
470 struct tevent_req *subreq;
471 int rc;
472
473 kdc_conn = talloc_zero(conn, struct kdc_tcp_connection);
474 if (kdc_conn == NULL) {
475 stream_terminate_connection(conn,
476 "kdc_tcp_accept: out of memory");
477 return;
478 }
479
480 kdc_conn->send_queue = tevent_queue_create(conn, "kdc_tcp_accept");
481 if (kdc_conn->send_queue == NULL) {
482 stream_terminate_connection(conn,
483 "kdc_tcp_accept: out of memory");
484 return;
485 }
486
487 kdc_socket = talloc_get_type(conn->private_data, struct kdc_socket);
488
489 TALLOC_FREE(conn->event.fde);
490
491 rc = tstream_bsd_existing_socket(kdc_conn,
492 socket_get_fd(conn->socket),
493 &kdc_conn->tstream);
494 if (rc < 0) {
495 stream_terminate_connection(conn,
496 "kdc_tcp_accept: out of memory");
497 return;
498 }
499 /* as server we want to fail early */
500 tstream_bsd_fail_readv_first_error(kdc_conn->tstream, true);
501
502 kdc_conn->conn = conn;
503 kdc_conn->kdc_socket = kdc_socket;
504 conn->private_data = kdc_conn;
505
506 /*
507 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
508 * tstream_full_request_u32 provides the pdu length then.
509 */
510 subreq = tstream_read_pdu_blob_send(kdc_conn,
511 kdc_conn->conn->event.ctx,
512 kdc_conn->tstream,
513 4, /* initial_read_size */
514 tstream_full_request_u32,
515 kdc_conn);
516 if (subreq == NULL) {
517 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_accept: "
518 "no memory for tstream_read_pdu_blob_send");
519 return;
520 }
521 tevent_req_set_callback(subreq, kdc_tcp_call_loop, kdc_conn);
522 }
523
524 static void kdc_tcp_recv(struct stream_connection *conn, uint16_t flags)
525 {
526 struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private_data,
527 struct kdc_tcp_connection);
528 /* this should never be triggered! */
529 kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_recv: called");
530 }
531
532 static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags)
533 {
534 struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private_data,
535 struct kdc_tcp_connection);
536 /* this should never be triggered! */
537 kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_send: called");
538 }
539
540 static const struct stream_server_ops kdc_tcp_stream_ops = {
541 .name = "kdc_tcp",
542 .accept_connection = kdc_tcp_accept,
543 .recv_handler = kdc_tcp_recv,
544 .send_handler = kdc_tcp_send
545 };
546
547 /*
548 * Start listening on the given address
549 */
550 NTSTATUS kdc_add_socket(struct kdc_server *kdc,
551 const struct model_ops *model_ops,
552 const char *name,
553 const char *address,
554 uint16_t port,
555 kdc_process_fn_t process,
556 bool udp_only)
557 {
558 struct kdc_socket *kdc_socket;
559 struct kdc_udp_socket *kdc_udp_socket;
560 struct tevent_req *udpsubreq;
561 NTSTATUS status;
562 int ret;
563
564 kdc_socket = talloc(kdc, struct kdc_socket);
565 NT_STATUS_HAVE_NO_MEMORY(kdc_socket);
566
567 kdc_socket->kdc = kdc;
568 kdc_socket->process = process;
569
570 ret = tsocket_address_inet_from_strings(kdc_socket, "ip",
571 address, port,
572 &kdc_socket->local_address);
573 if (ret != 0) {
574 status = map_nt_error_from_unix_common(errno);
575 return status;
576 }
577
578 if (!udp_only) {
579 status = stream_setup_socket(kdc->task,
580 kdc->task->event_ctx,
581 kdc->task->lp_ctx,
582 model_ops,
583 &kdc_tcp_stream_ops,
584 "ip", address, &port,
585 lpcfg_socket_options(kdc->task->lp_ctx),
586 kdc_socket,
587 kdc->task->process_context);
588 if (!NT_STATUS_IS_OK(status)) {
589 DBG_ERR("Failed to bind to %s:%u TCP - %s\n",
590 address, port, nt_errstr(status));
591 talloc_free(kdc_socket);
592 return status;
593 }
594 }
595
596 kdc_udp_socket = talloc(kdc_socket, struct kdc_udp_socket);
597 NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket);
598
599 kdc_udp_socket->kdc_socket = kdc_socket;
600
601 ret = tdgram_inet_udp_socket(kdc_socket->local_address,
602 NULL,
603 kdc_udp_socket,
604 &kdc_udp_socket->dgram);
605 if (ret != 0) {
606 status = map_nt_error_from_unix_common(errno);
607 DBG_ERR("Failed to bind to %s:%u UDP - %s\n",
608 address, port, nt_errstr(status));
609 return status;
610 }
611
612 kdc_udp_socket->send_queue = tevent_queue_create(kdc_udp_socket,
613 "kdc_udp_send_queue");
614 NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket->send_queue);
615
616 udpsubreq = tdgram_recvfrom_send(kdc_udp_socket,
617 kdc->task->event_ctx,
618 kdc_udp_socket->dgram);
619 NT_STATUS_HAVE_NO_MEMORY(udpsubreq);
620 tevent_req_set_callback(udpsubreq, kdc_udp_call_loop, kdc_udp_socket);
621
622 return NT_STATUS_OK;
623 }
Samba git mirror