auth/gensec/gensec_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth/gensec/gensec.h"
  25 #include "auth/gensec/gensec_internal.h"
  26 #include "auth/common_auth.h"
  27 #include "../lib/util/asn1.h"
  28
  29 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
  30                                           struct gensec_security *gensec_security,
  31                                           struct smb_krb5_context *smb_krb5_context,
  32                                           DATA_BLOB *pac_blob,
  33                                           const char *principal_string,
  34                                           const struct tsocket_address *remote_address,
  35                                           struct auth_session_info **session_info)
  36 {
  37         uint32_t session_info_flags = 0;
  38
  39         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
  40                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
  41         }
  42
  43         session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
  44
  45         if (!pac_blob) {
  46                 if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
  47                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
  48                                   principal_string));
  49                         return NT_STATUS_ACCESS_DENIED;
  50                 }
  51                 DBG_NOTICE("Unable to find PAC for %s, resorting to local "
  52                            "user lookup\n", principal_string);
  53         }
  54
  55         if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
  56                 return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
  57                                                                                 mem_ctx,
  58                                                                                 smb_krb5_context,
  59                                                                                 pac_blob,
  60                                                                                 principal_string,
  61                                                                                 remote_address,
  62                                                                                 session_info_flags,
  63                                                                                 session_info);
  64         } else {
  65                 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
  66                 return NT_STATUS_INTERNAL_ERROR;
  67         }
  68 }
  69
  70 /*
  71   magic check a GSS-API wrapper packet for an Kerberos OID
  72 */
  73 static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
  74 {
  75         bool ret = false;
  76         struct asn1_data *data = asn1_init(NULL);
  77
  78         if (!data) return false;
  79
  80         if (!asn1_load(data, *blob)) goto err;
  81         if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
  82         if (!asn1_check_OID(data, oid)) goto err;
  83
  84         ret = !asn1_has_error(data);
  85
  86   err:
  87
  88         asn1_free(data);
  89         return ret;
  90 }
  91
  92 /**
  93  * Check if the packet is one for the KRB5 mechansim
  94  *
  95  * NOTE: This is a helper that can be employed by multiple mechanisms, do
  96  * not make assumptions about the private_data
  97  *
  98  * @param gensec_security GENSEC state, unused
  99  * @param in The request, as a DATA_BLOB
 100  * @return Error, INVALID_PARAMETER if it's not a packet for us
 101  *                or NT_STATUS_OK if the packet is ok.
 102  */
 103
 104 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
 105                                         const DATA_BLOB *blob)
 106 {
 107         if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
 108                 return NT_STATUS_OK;
 109         } else {
 110                 return NT_STATUS_INVALID_PARAMETER;
 111         }
 112 }