/* Unix SMB/CIFS implementation. Generic Authentication Interface Copyright (C) Andrew Tridgell 2003 Copyright (C) Andrew Bartlett 2004-2006 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "includes.h" #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_internal.h" #include "auth/common_auth.h" #include "../lib/util/asn1.h" NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, struct smb_krb5_context *smb_krb5_context, DATA_BLOB *pac_blob, const char *principal_string, const struct tsocket_address *remote_address, struct auth_session_info **session_info) { uint32_t session_info_flags = 0; if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; } session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", principal_string)); return NT_STATUS_ACCESS_DENIED; } DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n", principal_string)); } if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) { return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context, mem_ctx, smb_krb5_context, pac_blob, principal_string, remote_address, session_info_flags, session_info); } else { DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); return NT_STATUS_INTERNAL_ERROR; } } /* * These functions are for use in the deprecated * gensec_socket code (public because SPNEGO must * use them for recursion) */ _PUBLIC_ NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, const DATA_BLOB *in, DATA_BLOB *out, size_t *len_processed) { if (!gensec_security->ops->wrap_packets) { NTSTATUS nt_status; size_t max_input_size; DATA_BLOB unwrapped, wrapped; max_input_size = gensec_max_input_size(gensec_security); unwrapped = data_blob_const(in->data, MIN(max_input_size, (size_t)in->length)); nt_status = gensec_wrap(gensec_security, mem_ctx, &unwrapped, &wrapped); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } *out = data_blob_talloc(mem_ctx, NULL, 4); if (!out->data) { return NT_STATUS_NO_MEMORY; } RSIVAL(out->data, 0, wrapped.length); if (!data_blob_append(mem_ctx, out, wrapped.data, wrapped.length)) { return NT_STATUS_NO_MEMORY; } *len_processed = unwrapped.length; return NT_STATUS_OK; } return gensec_security->ops->wrap_packets(gensec_security, mem_ctx, in, out, len_processed); } /* * These functions are for use in the deprecated * gensec_socket code (public because SPNEGO must * use them for recursion) */ NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, const DATA_BLOB *in, DATA_BLOB *out, size_t *len_processed) { if (!gensec_security->ops->unwrap_packets) { DATA_BLOB wrapped; NTSTATUS nt_status; size_t packet_size; if (in->length < 4) { /* Missing the header we already had! */ DEBUG(0, ("Asked to unwrap packet of bogus length! How did we get the short packet?!\n")); return NT_STATUS_INVALID_PARAMETER; } packet_size = RIVAL(in->data, 0); wrapped = data_blob_const(in->data + 4, packet_size); if (wrapped.length > (in->length - 4)) { DEBUG(0, ("Asked to unwrap packed of bogus length %d > %d! How did we get this?!\n", (int)wrapped.length, (int)(in->length - 4))); return NT_STATUS_INTERNAL_ERROR; } nt_status = gensec_unwrap(gensec_security, mem_ctx, &wrapped, out); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } *len_processed = packet_size + 4; return nt_status; } return gensec_security->ops->unwrap_packets(gensec_security, mem_ctx, in, out, len_processed); } /* * These functions are for use in the deprecated * gensec_socket code (public because SPNEGO must * use them for recursion) */ NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security, DATA_BLOB blob, size_t *size) { if (gensec_security->ops->packet_full_request) { return gensec_security->ops->packet_full_request(gensec_security, blob, size); } if (gensec_security->ops->unwrap_packets) { if (blob.length) { *size = blob.length; return NT_STATUS_OK; } return STATUS_MORE_ENTRIES; } if (blob.length < 4) { return STATUS_MORE_ENTRIES; } *size = 4 + RIVAL(blob.data, 0); if (*size > blob.length) { return STATUS_MORE_ENTRIES; } return NT_STATUS_OK; } /* magic check a GSS-API wrapper packet for an Kerberos OID */ static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid) { bool ret; struct asn1_data *data = asn1_init(NULL); if (!data) return false; asn1_load(data, *blob); asn1_start_tag(data, ASN1_APPLICATION(0)); asn1_check_OID(data, oid); ret = !data->has_error; asn1_free(data); return ret; } /** * Check if the packet is one for the KRB5 mechansim * * NOTE: This is a helper that can be employed by multiple mechanisms, do * not make assumptions about the private_data * * @param gensec_security GENSEC state, unused * @param in The request, as a DATA_BLOB * @return Error, INVALID_PARAMETER if it's not a packet for us * or NT_STATUS_OK if the packet is ok. */ NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused, const DATA_BLOB *blob) { if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) { return NT_STATUS_OK; } else { return NT_STATUS_INVALID_PARAMETER; } }