auth/gensec/gensec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "system/network.h"
  25 #include <tevent.h>
  26 #include "lib/tsocket/tsocket.h"
  27 #include "lib/util/tevent_ntstatus.h"
  28 #include "auth/gensec/gensec.h"
  29 #include "librpc/rpc/dcerpc.h"
  30
  31 /*
  32   wrappers for the gensec function pointers
  33 */
  34 _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
  35                               uint8_t *data, size_t length,
  36                               const uint8_t *whole_pdu, size_t pdu_length,
  37                               const DATA_BLOB *sig)
  38 {
  39         if (!gensec_security->ops->unseal_packet) {
  40                 return NT_STATUS_NOT_IMPLEMENTED;
  41         }
  42         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
  43                 return NT_STATUS_INVALID_PARAMETER;
  44         }
  45
  46         return gensec_security->ops->unseal_packet(gensec_security,
  47                                                    data, length,
  48                                                    whole_pdu, pdu_length,
  49                                                    sig);
  50 }
  51
  52 _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
  53                              const uint8_t *data, size_t length,
  54                              const uint8_t *whole_pdu, size_t pdu_length,
  55                              const DATA_BLOB *sig)
  56 {
  57         if (!gensec_security->ops->check_packet) {
  58                 return NT_STATUS_NOT_IMPLEMENTED;
  59         }
  60         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
  61                 return NT_STATUS_INVALID_PARAMETER;
  62         }
  63
  64         return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
  65 }
  66
  67 _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
  68                             TALLOC_CTX *mem_ctx,
  69                             uint8_t *data, size_t length,
  70                             const uint8_t *whole_pdu, size_t pdu_length,
  71                             DATA_BLOB *sig)
  72 {
  73         if (!gensec_security->ops->seal_packet) {
  74                 return NT_STATUS_NOT_IMPLEMENTED;
  75         }
  76         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
  77                 return NT_STATUS_INVALID_PARAMETER;
  78         }
  79         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
  80                 return NT_STATUS_INVALID_PARAMETER;
  81         }
  82
  83         return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
  84 }
  85
  86 _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
  87                             TALLOC_CTX *mem_ctx,
  88                             const uint8_t *data, size_t length,
  89                             const uint8_t *whole_pdu, size_t pdu_length,
  90                             DATA_BLOB *sig)
  91 {
  92         if (!gensec_security->ops->sign_packet) {
  93                 return NT_STATUS_NOT_IMPLEMENTED;
  94         }
  95         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
  96                 return NT_STATUS_INVALID_PARAMETER;
  97         }
  98
  99         return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
 100 }
 101
 102 _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
 103 {
 104         if (!gensec_security->ops->sig_size) {
 105                 return 0;
 106         }
 107         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 108                 return 0;
 109         }
 110
 111         return gensec_security->ops->sig_size(gensec_security, data_size);
 112 }
 113
 114 size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
 115 {
 116         if (!gensec_security->ops->max_wrapped_size) {
 117                 return (1 << 17);
 118         }
 119
 120         return gensec_security->ops->max_wrapped_size(gensec_security);
 121 }
 122
 123 size_t gensec_max_input_size(struct gensec_security *gensec_security)
 124 {
 125         if (!gensec_security->ops->max_input_size) {
 126                 return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
 127         }
 128
 129         return gensec_security->ops->max_input_size(gensec_security);
 130 }
 131
 132 _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
 133                      TALLOC_CTX *mem_ctx,
 134                      const DATA_BLOB *in,
 135                      DATA_BLOB *out)
 136 {
 137         if (!gensec_security->ops->wrap) {
 138                 return NT_STATUS_NOT_IMPLEMENTED;
 139         }
 140         return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
 141 }
 142
 143 _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
 144                        TALLOC_CTX *mem_ctx,
 145                        const DATA_BLOB *in,
 146                        DATA_BLOB *out)
 147 {
 148         if (!gensec_security->ops->unwrap) {
 149                 return NT_STATUS_NOT_IMPLEMENTED;
 150         }
 151         return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
 152 }
 153
 154 _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 155                                      TALLOC_CTX *mem_ctx,
 156                                      DATA_BLOB *session_key)
 157 {
 158         if (!gensec_security->ops->session_key) {
 159                 return NT_STATUS_NOT_IMPLEMENTED;
 160         }
 161         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
 162                 return NT_STATUS_NO_USER_SESSION_KEY;
 163         }
 164
 165         return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
 166 }
 167
 168 /**
 169  * Return the credentials of a logged on user, including session keys
 170  * etc.
 171  *
 172  * Only valid after a successful authentication
 173  *
 174  * May only be called once per authentication.
 175  *
 176  */
 177
 178 _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
 179                                       TALLOC_CTX *mem_ctx,
 180                                       struct auth_session_info **session_info)
 181 {
 182         if (!gensec_security->ops->session_info) {
 183                 return NT_STATUS_NOT_IMPLEMENTED;
 184         }
 185         return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
 186 }
 187
 188 /**
 189  * Next state function for the GENSEC state machine
 190  *
 191  * @param gensec_security GENSEC State
 192  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 193  * @param in The request, as a DATA_BLOB
 194  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 195  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 196  *                or NT_STATUS_OK if the user is authenticated.
 197  */
 198
 199 _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 200                                 struct tevent_context *ev,
 201                                 const DATA_BLOB in, DATA_BLOB *out)
 202 {
 203         NTSTATUS status;
 204
 205         status = gensec_security->ops->update(gensec_security, out_mem_ctx,
 206                                               ev, in, out);
 207         if (!NT_STATUS_IS_OK(status)) {
 208                 return status;
 209         }
 210
 211         /*
 212          * Because callers using the
 213          * gensec_start_mech_by_auth_type() never call
 214          * gensec_want_feature(), it isn't sensible for them
 215          * to have to call gensec_have_feature() manually, and
 216          * these are not points of negotiation, but are
 217          * asserted by the client
 218          */
 219         switch (gensec_security->dcerpc_auth_level) {
 220         case DCERPC_AUTH_LEVEL_INTEGRITY:
 221                 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 222                         DEBUG(0,("Did not manage to negotiate mandetory feature "
 223                                  "SIGN for dcerpc auth_level %u\n",
 224                                  gensec_security->dcerpc_auth_level));
 225                         return NT_STATUS_ACCESS_DENIED;
 226                 }
 227                 break;
 228         case DCERPC_AUTH_LEVEL_PRIVACY:
 229                 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 230                         DEBUG(0,("Did not manage to negotiate mandetory feature "
 231                                  "SIGN for dcerpc auth_level %u\n",
 232                                  gensec_security->dcerpc_auth_level));
 233                         return NT_STATUS_ACCESS_DENIED;
 234                 }
 235                 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 236                         DEBUG(0,("Did not manage to negotiate mandetory feature "
 237                                  "SEAL for dcerpc auth_level %u\n",
 238                                  gensec_security->dcerpc_auth_level));
 239                         return NT_STATUS_ACCESS_DENIED;
 240                 }
 241                 break;
 242         default:
 243                 break;
 244         }
 245
 246         return NT_STATUS_OK;
 247 }
 248
 249 struct gensec_update_state {
 250         struct tevent_immediate *im;
 251         struct gensec_security *gensec_security;
 252         DATA_BLOB in;
 253         DATA_BLOB out;
 254 };
 255
 256 static void gensec_update_async_trigger(struct tevent_context *ctx,
 257                                         struct tevent_immediate *im,
 258                                         void *private_data);
 259 /**
 260  * Next state function for the GENSEC state machine async version
 261  *
 262  * @param mem_ctx The memory context for the request
 263  * @param ev The event context for the request
 264  * @param gensec_security GENSEC State
 265  * @param in The request, as a DATA_BLOB
 266  *
 267  * @return The request handle or NULL on no memory failure
 268  */
 269
 270 _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
 271                                                struct tevent_context *ev,
 272                                                struct gensec_security *gensec_security,
 273                                                const DATA_BLOB in)
 274 {
 275         struct tevent_req *req;
 276         struct gensec_update_state *state = NULL;
 277
 278         req = tevent_req_create(mem_ctx, &state,
 279                                 struct gensec_update_state);
 280         if (req == NULL) {
 281                 return NULL;
 282         }
 283
 284         state->gensec_security          = gensec_security;
 285         state->in                       = in;
 286         state->out                      = data_blob(NULL, 0);
 287         state->im                       = tevent_create_immediate(state);
 288         if (tevent_req_nomem(state->im, req)) {
 289                 return tevent_req_post(req, ev);
 290         }
 291
 292         tevent_schedule_immediate(state->im, ev,
 293                                   gensec_update_async_trigger,
 294                                   req);
 295
 296         return req;
 297 }
 298
 299 static void gensec_update_async_trigger(struct tevent_context *ctx,
 300                                         struct tevent_immediate *im,
 301                                         void *private_data)
 302 {
 303         struct tevent_req *req =
 304                 talloc_get_type_abort(private_data, struct tevent_req);
 305         struct gensec_update_state *state =
 306                 tevent_req_data(req, struct gensec_update_state);
 307         NTSTATUS status;
 308
 309         status = gensec_update(state->gensec_security, state, ctx,
 310                                state->in, &state->out);
 311         if (tevent_req_nterror(req, status)) {
 312                 return;
 313         }
 314
 315         tevent_req_done(req);
 316 }
 317
 318 /**
 319  * Next state function for the GENSEC state machine
 320  *
 321  * @param req request state
 322  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 323  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 324  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 325  *                or NT_STATUS_OK if the user is authenticated.
 326  */
 327 _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
 328                                      TALLOC_CTX *out_mem_ctx,
 329                                      DATA_BLOB *out)
 330 {
 331         struct gensec_update_state *state =
 332                 tevent_req_data(req, struct gensec_update_state);
 333         NTSTATUS status;
 334
 335         if (tevent_req_is_nterror(req, &status)) {
 336                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 337                         tevent_req_received(req);
 338                         return status;
 339                 }
 340         } else {
 341                 status = NT_STATUS_OK;
 342         }
 343
 344         *out = state->out;
 345         talloc_steal(out_mem_ctx, out->data);
 346
 347         tevent_req_received(req);
 348         return status;
 349 }
 350
 351 /**
 352  * Set the requirement for a certain feature on the connection
 353  *
 354  */
 355
 356 _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
 357                          uint32_t feature)
 358 {
 359         if (!gensec_security->ops || !gensec_security->ops->want_feature) {
 360                 gensec_security->want_features |= feature;
 361                 return;
 362         }
 363         gensec_security->ops->want_feature(gensec_security, feature);
 364 }
 365
 366 /**
 367  * Check the requirement for a certain feature on the connection
 368  *
 369  */
 370
 371 _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
 372                          uint32_t feature)
 373 {
 374         if (!gensec_security->ops->have_feature) {
 375                 return false;
 376         }
 377
 378         /* We might 'have' features that we don't 'want', because the
 379          * other end demanded them, or we can't neotiate them off */
 380         return gensec_security->ops->have_feature(gensec_security, feature);
 381 }
 382
 383 /**
 384  * Return the credentials structure associated with a GENSEC context
 385  *
 386  */
 387
 388 _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
 389 {
 390         if (!gensec_security) {
 391                 return NULL;
 392         }
 393         return gensec_security->credentials;
 394 }
 395
 396 /**
 397  * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
 398  *
 399  */
 400
 401 _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
 402 {
 403         gensec_security->target.service = talloc_strdup(gensec_security, service);
 404         if (!gensec_security->target.service) {
 405                 return NT_STATUS_NO_MEMORY;
 406         }
 407         return NT_STATUS_OK;
 408 }
 409
 410 _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
 411 {
 412         if (gensec_security->target.service) {
 413                 return gensec_security->target.service;
 414         }
 415
 416         return "host";
 417 }
 418
 419 /**
 420  * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
 421  *
 422  */
 423
 424 _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
 425 {
 426         gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
 427         if (hostname && !gensec_security->target.hostname) {
 428                 return NT_STATUS_NO_MEMORY;
 429         }
 430         return NT_STATUS_OK;
 431 }
 432
 433 _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
 434 {
 435         /* We allow the target hostname to be overriden for testing purposes */
 436         if (gensec_security->settings->target_hostname) {
 437                 return gensec_security->settings->target_hostname;
 438         }
 439
 440         if (gensec_security->target.hostname) {
 441                 return gensec_security->target.hostname;
 442         }
 443
 444         /* We could add use the 'set sockaddr' call, and do a reverse
 445          * lookup, but this would be both insecure (compromising the
 446          * way kerberos works) and add DNS timeouts */
 447         return NULL;
 448 }
 449
 450 /**
 451  * Set (and copy) local and peer socket addresses onto a socket
 452  * context on the GENSEC context.
 453  *
 454  * This is so that kerberos can include these addresses in
 455  * cryptographic tokens, to avoid certain attacks.
 456  */
 457
 458 /**
 459  * @brief Set the local gensec address.
 460  *
 461  * @param  gensec_security   The gensec security context to use.
 462  *
 463  * @param  remote       The local address to set.
 464  *
 465  * @return              On success NT_STATUS_OK is returned or an NT_STATUS
 466  *                      error.
 467  */
 468 _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
 469                 const struct tsocket_address *local)
 470 {
 471         TALLOC_FREE(gensec_security->local_addr);
 472
 473         if (local == NULL) {
 474                 return NT_STATUS_OK;
 475         }
 476
 477         gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
 478         if (gensec_security->local_addr == NULL) {
 479                 return NT_STATUS_NO_MEMORY;
 480         }
 481
 482         return NT_STATUS_OK;
 483 }
 484
 485 /**
 486  * @brief Set the remote gensec address.
 487  *
 488  * @param  gensec_security   The gensec security context to use.
 489  *
 490  * @param  remote       The remote address to set.
 491  *
 492  * @return              On success NT_STATUS_OK is returned or an NT_STATUS
 493  *                      error.
 494  */
 495 _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
 496                 const struct tsocket_address *remote)
 497 {
 498         TALLOC_FREE(gensec_security->remote_addr);
 499
 500         if (remote == NULL) {
 501                 return NT_STATUS_OK;
 502         }
 503
 504         gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
 505         if (gensec_security->remote_addr == NULL) {
 506                 return NT_STATUS_NO_MEMORY;
 507         }
 508
 509         return NT_STATUS_OK;
 510 }
 511
 512 /**
 513  * @brief Get the local address from a gensec security context.
 514  *
 515  * @param  gensec_security   The security context to get the address from.
 516  *
 517  * @return              The address as tsocket_address which could be NULL if
 518  *                      no address is set.
 519  */
 520 _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
 521 {
 522         if (gensec_security == NULL) {
 523                 return NULL;
 524         }
 525         return gensec_security->local_addr;
 526 }
 527
 528 /**
 529  * @brief Get the remote address from a gensec security context.
 530  *
 531  * @param  gensec_security   The security context to get the address from.
 532  *
 533  * @return              The address as tsocket_address which could be NULL if
 534  *                      no address is set.
 535  */
 536 _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
 537 {
 538         if (gensec_security == NULL) {
 539                 return NULL;
 540         }
 541         return gensec_security->remote_addr;
 542 }
 543
 544 /**
 545  * Set the target principal (assuming it it known, say from the SPNEGO reply)
 546  *  - ensures it is talloc()ed
 547  *
 548  */
 549
 550 _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
 551 {
 552         gensec_security->target.principal = talloc_strdup(gensec_security, principal);
 553         if (!gensec_security->target.principal) {
 554                 return NT_STATUS_NO_MEMORY;
 555         }
 556         return NT_STATUS_OK;
 557 }
 558
 559 const char *gensec_get_target_principal(struct gensec_security *gensec_security)
 560 {
 561         if (gensec_security->target.principal) {
 562                 return gensec_security->target.principal;
 563         }
 564
 565         return NULL;
 566 }