auth/gensec/gensec_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth/gensec/gensec.h"
  25 #include "auth/gensec/gensec_internal.h"
  26 #include "auth/common_auth.h"
  27 #include "../lib/util/asn1.h"
  28
  29 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
  30                                           struct gensec_security *gensec_security,
  31                                           struct smb_krb5_context *smb_krb5_context,
  32                                           DATA_BLOB *pac_blob,
  33                                           const char *principal_string,
  34                                           const struct tsocket_address *remote_address,
  35                                           struct auth_session_info **session_info)
  36 {
  37         uint32_t session_info_flags = 0;
  38
  39         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
  40                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
  41         }
  42
  43         session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
  44
  45         if (!pac_blob) {
  46                 if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
  47                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
  48                                   principal_string));
  49                         return NT_STATUS_ACCESS_DENIED;
  50                 }
  51                 DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
  52                           principal_string));
  53         }
  54
  55         if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
  56                 return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
  57                                                                                 mem_ctx,
  58                                                                                 smb_krb5_context,
  59                                                                                 pac_blob,
  60                                                                                 principal_string,
  61                                                                                 remote_address,
  62                                                                                 session_info_flags,
  63                                                                                 session_info);
  64         } else {
  65                 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
  66                 return NT_STATUS_INTERNAL_ERROR;
  67         }
  68 }
  69
  70 /*
  71  * These functions are for use in the deprecated
  72  * gensec_socket code (public because SPNEGO must
  73  * use them for recursion)
  74  */
  75 _PUBLIC_ NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
  76                              TALLOC_CTX *mem_ctx,
  77                              const DATA_BLOB *in,
  78                              DATA_BLOB *out,
  79                              size_t *len_processed)
  80 {
  81         if (!gensec_security->ops->wrap_packets) {
  82                 NTSTATUS nt_status;
  83                 size_t max_input_size;
  84                 DATA_BLOB unwrapped, wrapped;
  85                 max_input_size = gensec_max_input_size(gensec_security);
  86                 unwrapped = data_blob_const(in->data, MIN(max_input_size, (size_t)in->length));
  87
  88                 nt_status = gensec_wrap(gensec_security,
  89                                         mem_ctx,
  90                                         &unwrapped, &wrapped);
  91                 if (!NT_STATUS_IS_OK(nt_status)) {
  92                         return nt_status;
  93                 }
  94
  95                 *out = data_blob_talloc(mem_ctx, NULL, 4);
  96                 if (!out->data) {
  97                         return NT_STATUS_NO_MEMORY;
  98                 }
  99                 RSIVAL(out->data, 0, wrapped.length);
 100
 101                 if (!data_blob_append(mem_ctx, out, wrapped.data, wrapped.length)) {
 102                         return NT_STATUS_NO_MEMORY;
 103                 }
 104                 *len_processed = unwrapped.length;
 105                 return NT_STATUS_OK;
 106         }
 107         return gensec_security->ops->wrap_packets(gensec_security, mem_ctx, in, out,
 108                                                   len_processed);
 109 }
 110
 111 /*
 112  * These functions are for use in the deprecated
 113  * gensec_socket code (public because SPNEGO must
 114  * use them for recursion)
 115  */
 116 NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
 117                                         TALLOC_CTX *mem_ctx,
 118                                         const DATA_BLOB *in,
 119                                         DATA_BLOB *out,
 120                                         size_t *len_processed)
 121 {
 122         if (!gensec_security->ops->unwrap_packets) {
 123                 DATA_BLOB wrapped;
 124                 NTSTATUS nt_status;
 125                 size_t packet_size;
 126                 if (in->length < 4) {
 127                         /* Missing the header we already had! */
 128                         DEBUG(0, ("Asked to unwrap packet of bogus length!  How did we get the short packet?!\n"));
 129                         return NT_STATUS_INVALID_PARAMETER;
 130                 }
 131
 132                 packet_size = RIVAL(in->data, 0);
 133
 134                 wrapped = data_blob_const(in->data + 4, packet_size);
 135
 136                 if (wrapped.length > (in->length - 4)) {
 137                         DEBUG(0, ("Asked to unwrap packed of bogus length %d > %d!  How did we get this?!\n",
 138                                   (int)wrapped.length, (int)(in->length - 4)));
 139                         return NT_STATUS_INTERNAL_ERROR;
 140                 }
 141
 142                 nt_status = gensec_unwrap(gensec_security,
 143                                           mem_ctx,
 144                                           &wrapped, out);
 145                 if (!NT_STATUS_IS_OK(nt_status)) {
 146                         return nt_status;
 147                 }
 148
 149                 *len_processed = packet_size + 4;
 150                 return nt_status;
 151         }
 152         return gensec_security->ops->unwrap_packets(gensec_security, mem_ctx, in, out,
 153                                                     len_processed);
 154 }
 155
 156 /*
 157  * These functions are for use in the deprecated
 158  * gensec_socket code (public because SPNEGO must
 159  * use them for recursion)
 160  */
 161 NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
 162                                     DATA_BLOB blob, size_t *size)
 163 {
 164         if (gensec_security->ops->packet_full_request) {
 165                 return gensec_security->ops->packet_full_request(gensec_security,
 166                                                                  blob, size);
 167         }
 168         if (gensec_security->ops->unwrap_packets) {
 169                 if (blob.length) {
 170                         *size = blob.length;
 171                         return NT_STATUS_OK;
 172                 }
 173                 return STATUS_MORE_ENTRIES;
 174         }
 175
 176         if (blob.length < 4) {
 177                 return STATUS_MORE_ENTRIES;
 178         }
 179         *size = 4 + RIVAL(blob.data, 0);
 180         if (*size > blob.length) {
 181                 return STATUS_MORE_ENTRIES;
 182         }
 183         return NT_STATUS_OK;
 184 }
 185
 186 /*
 187   magic check a GSS-API wrapper packet for an Kerberos OID
 188 */
 189 static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
 190 {
 191         bool ret;
 192         struct asn1_data *data = asn1_init(NULL);
 193
 194         if (!data) return false;
 195
 196         asn1_load(data, *blob);
 197         asn1_start_tag(data, ASN1_APPLICATION(0));
 198         asn1_check_OID(data, oid);
 199
 200         ret = !data->has_error;
 201
 202         asn1_free(data);
 203
 204         return ret;
 205 }
 206
 207 /**
 208  * Check if the packet is one for the KRB5 mechansim
 209  *
 210  * NOTE: This is a helper that can be employed by multiple mechanisms, do
 211  * not make assumptions about the private_data
 212  *
 213  * @param gensec_security GENSEC state, unused
 214  * @param in The request, as a DATA_BLOB
 215  * @return Error, INVALID_PARAMETER if it's not a packet for us
 216  *                or NT_STATUS_OK if the packet is ok.
 217  */
 218
 219 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
 220                                         const DATA_BLOB *blob)
 221 {
 222         if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
 223                 return NT_STATUS_OK;
 224         } else {
 225                 return NT_STATUS_INVALID_PARAMETER;
 226         }
 227 }