samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-02-12 21:58:10 +03:00

312 lines

8.3 KiB

C

Raw Normal View History

auth: move gensec_start.c to the top level This does not change who uses gensec for now, but makes it possible to write new gensec modules outside source4/ Andrew Bartlett 2011-10-07 17:24:12 +11:00			`/*`
			`Unix SMB/CIFS implementation.`

			`Generic Authentication Interface`

			`Copyright (C) Andrew Tridgell 2003`
			`Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006`

			`This program is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`#include "includes.h"`
			`#include "auth/gensec/gensec.h"`
auth/gensec: introduce gensec_internal.h We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2013-08-05 07:12:01 +02:00			`#include "auth/gensec/gensec_internal.h"`
gensec: move gensec_util.c to the top level To do this some defines need to move to common_auth.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> 2011-12-31 22:24:44 +11:00			`#include "auth/common_auth.h"`
auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org> 2012-03-31 21:37:56 -04:00			`#include "../lib/util/asn1.h"`
auth: move gensec_start.c to the top level This does not change who uses gensec for now, but makes it possible to write new gensec modules outside source4/ Andrew Bartlett 2011-10-07 17:24:12 +11:00
define DBGC_AUTH class Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2017-12-19 10:49:10 +01:00			`#undef DBGC_CLASS`
			`#define DBGC_CLASS DBGC_AUTH`

s4-gensec: Rename memory contexts in gensec_util for greater clarity This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett 2011-12-29 22:34:28 +11:00			`NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,`
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104 2011-12-28 17:48:45 +11:00			`struct gensec_security *gensec_security,`
			`struct smb_krb5_context *smb_krb5_context,`
			`DATA_BLOB *pac_blob,`
			`const char *principal_string,`
			`const struct tsocket_address *remote_address,`
			`struct auth_session_info **session_info)`
			`{`
			`uint32_t session_info_flags = 0;`

			`if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {`
			`session_info_flags \|= AUTH_SESSION_INFO_UNIX_TOKEN;`
			`}`

			`session_info_flags \|= AUTH_SESSION_INFO_DEFAULT_GROUPS;`

			`if (!pac_blob) {`
gensec: Allow login without a PAC by default (bug #9581) The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> 2013-01-22 14:45:14 +11:00			`if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {`
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104 2011-12-28 17:48:45 +11:00			`DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",`
			`principal_string));`
			`return NT_STATUS_ACCESS_DENIED;`
			`}`
gensec: Change log level of message when no PAC is found For a Samba server that uses a non-AD KDC this message is triggered on every new connection. Change the log level from warning/1 to a more appropriate notice/5. Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 2016-04-28 11:23:41 -07:00			`DBG_NOTICE("Unable to find PAC for %s, resorting to local "`
			`"user lookup\n", principal_string);`
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104 2011-12-28 17:48:45 +11:00			`}`

s4-torture: Demonstrate handling of the PAC in a custom auth_context This demonstrates how a different function pointer can be supplied to handle the PAC blob, without depending on the provisioned samdb etc. Andrew Bartlett 2011-12-29 11:46:41 +11:00			`if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {`
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104 2011-12-28 17:48:45 +11:00			`return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,`
s4-gensec: Rename memory contexts in gensec_util for greater clarity This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett 2011-12-29 22:34:28 +11:00			`mem_ctx,`
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104 2011-12-28 17:48:45 +11:00			`smb_krb5_context,`
			`pac_blob,`
			`principal_string,`
			`remote_address,`
			`session_info_flags,`
			`session_info);`
s4-torture: Demonstrate handling of the PAC in a custom auth_context This demonstrates how a different function pointer can be supplied to handle the PAC blob, without depending on the provisioned samdb etc. Andrew Bartlett 2011-12-29 11:46:41 +11:00			`} else {`
			`DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));`
			`return NT_STATUS_INTERNAL_ERROR;`
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104 2011-12-28 17:48:45 +11:00			`}`
			`}`
auth/gensec: common helper functions should be in gensec_util.c This makes the dependencies easier to handle. metze 2012-01-12 22:03:07 +01:00
auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org> 2012-03-31 21:37:56 -04:00			`/*`
			`magic check a GSS-API wrapper packet for an Kerberos OID`
			`*/`
			`static bool gensec_gssapi_check_oid(const DATA_BLOB blob, const char oid)`
			`{`
auth: gensec: asn1 fixes - check all returns. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com> 2014-09-19 12:41:22 -07:00			`bool ret = false;`
auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org> 2012-03-31 21:37:56 -04:00			`struct asn1_data *data = asn1_init(NULL);`

			`if (!data) return false;`

auth: gensec: asn1 fixes - check all returns. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com> 2014-09-19 12:41:22 -07:00			`if (!asn1_load(data, *blob)) goto err;`
			`if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;`
			`if (!asn1_check_OID(data, oid)) goto err;`
auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org> 2012-03-31 21:37:56 -04:00
lib: Use asn1_has_error() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 2016-01-02 18:11:00 +01:00			`ret = !asn1_has_error(data);`
auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org> 2012-03-31 21:37:56 -04:00
auth: gensec: asn1 fixes - check all returns. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com> 2014-09-19 12:41:22 -07:00			`err:`
auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org> 2012-03-31 21:37:56 -04:00
auth: gensec: asn1 fixes - check all returns. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com> 2014-09-19 12:41:22 -07:00			`asn1_free(data);`
auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org> 2012-03-31 21:37:56 -04:00			`return ret;`
			`}`

			`/**`
			`* Check if the packet is one for the KRB5 mechansim`
			`*`
			`* NOTE: This is a helper that can be employed by multiple mechanisms, do`
			`* not make assumptions about the private_data`
			`*`
			`* @param gensec_security GENSEC state, unused`
			`* @param in The request, as a DATA_BLOB`
			`* @return Error, INVALID_PARAMETER if it's not a packet for us`
			`* or NT_STATUS_OK if the packet is ok.`
			`*/`

			`NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,`
			`const DATA_BLOB *blob)`
			`{`
			`if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {`
			`return NT_STATUS_OK;`
			`} else {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`
			`}`
auth/gensec: add gensec_child_* helper functions They will be used to simplify the spnego backend and maybe of some use for a future negoex backend. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2016-12-30 17:54:12 +01:00
			`void gensec_child_want_feature(struct gensec_security *gensec_security,`
			`uint32_t feature)`
			`{`
			`struct gensec_security *child_security = gensec_security->child_security;`

			`gensec_security->want_features \|= feature;`
			`if (child_security == NULL) {`
			`return;`
			`}`
			`gensec_want_feature(child_security, feature);`
			`}`

			`bool gensec_child_have_feature(struct gensec_security *gensec_security,`
			`uint32_t feature)`
			`{`
			`struct gensec_security *child_security = gensec_security->child_security;`

			`if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {`
			`/*`
			`* All mechs with sub (child) mechs need to provide DCERPC`
			`* header signing! This is required because the negotiation`
			`* of header signing is done before the authentication`
			`* is completed.`
			`*/`
			`return true;`
			`}`

			`if (child_security == NULL) {`
			`return false;`
			`}`

			`return gensec_have_feature(child_security, feature);`
			`}`

			`NTSTATUS gensec_child_unseal_packet(struct gensec_security *gensec_security,`
			`uint8_t *data, size_t length,`
			`const uint8_t *whole_pdu, size_t pdu_length,`
			`const DATA_BLOB *sig)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_unseal_packet(gensec_security->child_security,`
			`data, length,`
			`whole_pdu, pdu_length,`
			`sig);`
			`}`

			`NTSTATUS gensec_child_check_packet(struct gensec_security *gensec_security,`
			`const uint8_t *data, size_t length,`
			`const uint8_t *whole_pdu, size_t pdu_length,`
			`const DATA_BLOB *sig)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_check_packet(gensec_security->child_security,`
			`data, length,`
			`whole_pdu, pdu_length,`
			`sig);`
			`}`

			`NTSTATUS gensec_child_seal_packet(struct gensec_security *gensec_security,`
			`TALLOC_CTX *mem_ctx,`
			`uint8_t *data, size_t length,`
			`const uint8_t *whole_pdu, size_t pdu_length,`
			`DATA_BLOB *sig)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_seal_packet(gensec_security->child_security,`
			`mem_ctx,`
			`data, length,`
			`whole_pdu, pdu_length,`
			`sig);`
			`}`

			`NTSTATUS gensec_child_sign_packet(struct gensec_security *gensec_security,`
			`TALLOC_CTX *mem_ctx,`
			`const uint8_t *data, size_t length,`
			`const uint8_t *whole_pdu, size_t pdu_length,`
			`DATA_BLOB *sig)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_sign_packet(gensec_security->child_security,`
			`mem_ctx,`
			`data, length,`
			`whole_pdu, pdu_length,`
			`sig);`
			`}`

			`NTSTATUS gensec_child_wrap(struct gensec_security *gensec_security,`
			`TALLOC_CTX *mem_ctx,`
			`const DATA_BLOB *in,`
			`DATA_BLOB *out)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_wrap(gensec_security->child_security,`
			`mem_ctx, in, out);`
			`}`

			`NTSTATUS gensec_child_unwrap(struct gensec_security *gensec_security,`
			`TALLOC_CTX *mem_ctx,`
			`const DATA_BLOB *in,`
			`DATA_BLOB *out)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_unwrap(gensec_security->child_security,`
			`mem_ctx, in, out);`
			`}`

			`size_t gensec_child_sig_size(struct gensec_security *gensec_security,`
			`size_t data_size)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return 0;`
			`}`

			`return gensec_sig_size(gensec_security->child_security, data_size);`
			`}`

			`size_t gensec_child_max_input_size(struct gensec_security *gensec_security)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return 0;`
			`}`

			`return gensec_max_input_size(gensec_security->child_security);`
			`}`

			`size_t gensec_child_max_wrapped_size(struct gensec_security *gensec_security)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return 0;`
			`}`

			`return gensec_max_wrapped_size(gensec_security->child_security);`
			`}`

			`NTSTATUS gensec_child_session_key(struct gensec_security *gensec_security,`
			`TALLOC_CTX *mem_ctx,`
			`DATA_BLOB *session_key)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_session_key(gensec_security->child_security,`
			`mem_ctx,`
			`session_key);`
			`}`

			`NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,`
			`TALLOC_CTX *mem_ctx,`
			`struct auth_session_info **session_info)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return NT_STATUS_INVALID_PARAMETER;`
			`}`

			`return gensec_session_info(gensec_security->child_security,`
			`mem_ctx,`
			`session_info);`
			`}`

			`NTTIME gensec_child_expire_time(struct gensec_security *gensec_security)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return GENSEC_EXPIRE_TIME_INFINITY;`
			`}`

			`return gensec_expire_time(gensec_security->child_security);`
			`}`

			`const char gensec_child_final_auth_type(struct gensec_security gensec_security)`
			`{`
			`if (gensec_security->child_security == NULL) {`
			`return "NONE";`
			`}`

			`return gensec_final_auth_type(gensec_security->child_security);`
			`}`

312 lines 8.3 KiB C Raw Normal View History Unescape Escape

312 lines

8.3 KiB

C

Raw Normal View History