auth/gensec/gensec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "system/network.h"
  25 #include <tevent.h>
  26 #include "lib/tsocket/tsocket.h"
  27 #include "lib/util/tevent_ntstatus.h"
  28 #include "auth/gensec/gensec.h"
  29 #include "librpc/rpc/dcerpc.h"
  30
  31 /*
  32   wrappers for the gensec function pointers
  33 */
  34 _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
  35                               uint8_t *data, size_t length,
  36                               const uint8_t *whole_pdu, size_t pdu_length,
  37                               const DATA_BLOB *sig)
  38 {
  39         if (!gensec_security->ops->unseal_packet) {
  40                 return NT_STATUS_NOT_IMPLEMENTED;
  41         }
  42         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
  43                 return NT_STATUS_INVALID_PARAMETER;
  44         }
  45
  46         return gensec_security->ops->unseal_packet(gensec_security,
  47                                                    data, length,
  48                                                    whole_pdu, pdu_length,
  49                                                    sig);
  50 }
  51
  52 _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
  53                              const uint8_t *data, size_t length,
  54                              const uint8_t *whole_pdu, size_t pdu_length,
  55                              const DATA_BLOB *sig)
  56 {
  57         if (!gensec_security->ops->check_packet) {
  58                 return NT_STATUS_NOT_IMPLEMENTED;
  59         }
  60         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
  61                 return NT_STATUS_INVALID_PARAMETER;
  62         }
  63
  64         return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
  65 }
  66
  67 _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
  68                             TALLOC_CTX *mem_ctx,
  69                             uint8_t *data, size_t length,
  70                             const uint8_t *whole_pdu, size_t pdu_length,
  71                             DATA_BLOB *sig)
  72 {
  73         if (!gensec_security->ops->seal_packet) {
  74                 return NT_STATUS_NOT_IMPLEMENTED;
  75         }
  76         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
  77                 return NT_STATUS_INVALID_PARAMETER;
  78         }
  79         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
  80                 return NT_STATUS_INVALID_PARAMETER;
  81         }
  82
  83         return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
  84 }
  85
  86 _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
  87                             TALLOC_CTX *mem_ctx,
  88                             const uint8_t *data, size_t length,
  89                             const uint8_t *whole_pdu, size_t pdu_length,
  90                             DATA_BLOB *sig)
  91 {
  92         if (!gensec_security->ops->sign_packet) {
  93                 return NT_STATUS_NOT_IMPLEMENTED;
  94         }
  95         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
  96                 return NT_STATUS_INVALID_PARAMETER;
  97         }
  98
  99         return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
 100 }
 101
 102 _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
 103 {
 104         if (!gensec_security->ops->sig_size) {
 105                 return 0;
 106         }
 107         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 108                 return 0;
 109         }
 110
 111         return gensec_security->ops->sig_size(gensec_security, data_size);
 112 }
 113
 114 _PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
 115 {
 116         if (!gensec_security->ops->max_wrapped_size) {
 117                 return (1 << 17);
 118         }
 119
 120         return gensec_security->ops->max_wrapped_size(gensec_security);
 121 }
 122
 123 _PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
 124 {
 125         if (!gensec_security->ops->max_input_size) {
 126                 return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
 127         }
 128
 129         return gensec_security->ops->max_input_size(gensec_security);
 130 }
 131
 132 _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
 133                      TALLOC_CTX *mem_ctx,
 134                      const DATA_BLOB *in,
 135                      DATA_BLOB *out)
 136 {
 137         if (!gensec_security->ops->wrap) {
 138                 return NT_STATUS_NOT_IMPLEMENTED;
 139         }
 140         return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
 141 }
 142
 143 _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
 144                        TALLOC_CTX *mem_ctx,
 145                        const DATA_BLOB *in,
 146                        DATA_BLOB *out)
 147 {
 148         if (!gensec_security->ops->unwrap) {
 149                 return NT_STATUS_NOT_IMPLEMENTED;
 150         }
 151         return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
 152 }
 153
 154 _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 155                                      TALLOC_CTX *mem_ctx,
 156                                      DATA_BLOB *session_key)
 157 {
 158         if (!gensec_security->ops->session_key) {
 159                 return NT_STATUS_NOT_IMPLEMENTED;
 160         }
 161         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
 162                 return NT_STATUS_NO_USER_SESSION_KEY;
 163         }
 164
 165         return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
 166 }
 167
 168 /**
 169  * Return the credentials of a logged on user, including session keys
 170  * etc.
 171  *
 172  * Only valid after a successful authentication
 173  *
 174  * May only be called once per authentication.
 175  *
 176  */
 177
 178 _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
 179                                       TALLOC_CTX *mem_ctx,
 180                                       struct auth_session_info **session_info)
 181 {
 182         if (!gensec_security->ops->session_info) {
 183                 return NT_STATUS_NOT_IMPLEMENTED;
 184         }
 185         return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
 186 }
 187
 188 _PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
 189                                 uint32_t max_update_size)
 190 {
 191         gensec_security->max_update_size = max_update_size;
 192 }
 193
 194 _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
 195 {
 196         if (gensec_security->max_update_size == 0) {
 197                 return UINT32_MAX;
 198         }
 199
 200         return gensec_security->max_update_size;
 201 }
 202
 203 /**
 204  * Next state function for the GENSEC state machine
 205  *
 206  * @param gensec_security GENSEC State
 207  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 208  * @param in The request, as a DATA_BLOB
 209  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 210  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 211  *                or NT_STATUS_OK if the user is authenticated.
 212  */
 213
 214 _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 215                                 struct tevent_context *ev,
 216                                 const DATA_BLOB in, DATA_BLOB *out)
 217 {
 218         NTSTATUS status;
 219
 220         status = gensec_security->ops->update(gensec_security, out_mem_ctx,
 221                                               ev, in, out);
 222         if (!NT_STATUS_IS_OK(status)) {
 223                 return status;
 224         }
 225
 226         /*
 227          * Because callers using the
 228          * gensec_start_mech_by_auth_type() never call
 229          * gensec_want_feature(), it isn't sensible for them
 230          * to have to call gensec_have_feature() manually, and
 231          * these are not points of negotiation, but are
 232          * asserted by the client
 233          */
 234         switch (gensec_security->dcerpc_auth_level) {
 235         case DCERPC_AUTH_LEVEL_INTEGRITY:
 236                 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 237                         DEBUG(0,("Did not manage to negotiate mandetory feature "
 238                                  "SIGN for dcerpc auth_level %u\n",
 239                                  gensec_security->dcerpc_auth_level));
 240                         return NT_STATUS_ACCESS_DENIED;
 241                 }
 242                 break;
 243         case DCERPC_AUTH_LEVEL_PRIVACY:
 244                 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 245                         DEBUG(0,("Did not manage to negotiate mandetory feature "
 246                                  "SIGN for dcerpc auth_level %u\n",
 247                                  gensec_security->dcerpc_auth_level));
 248                         return NT_STATUS_ACCESS_DENIED;
 249                 }
 250                 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 251                         DEBUG(0,("Did not manage to negotiate mandetory feature "
 252                                  "SEAL for dcerpc auth_level %u\n",
 253                                  gensec_security->dcerpc_auth_level));
 254                         return NT_STATUS_ACCESS_DENIED;
 255                 }
 256                 break;
 257         default:
 258                 break;
 259         }
 260
 261         return NT_STATUS_OK;
 262 }
 263
 264 struct gensec_update_state {
 265         struct tevent_immediate *im;
 266         struct gensec_security *gensec_security;
 267         DATA_BLOB in;
 268         DATA_BLOB out;
 269 };
 270
 271 static void gensec_update_async_trigger(struct tevent_context *ctx,
 272                                         struct tevent_immediate *im,
 273                                         void *private_data);
 274 /**
 275  * Next state function for the GENSEC state machine async version
 276  *
 277  * @param mem_ctx The memory context for the request
 278  * @param ev The event context for the request
 279  * @param gensec_security GENSEC State
 280  * @param in The request, as a DATA_BLOB
 281  *
 282  * @return The request handle or NULL on no memory failure
 283  */
 284
 285 _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
 286                                                struct tevent_context *ev,
 287                                                struct gensec_security *gensec_security,
 288                                                const DATA_BLOB in)
 289 {
 290         struct tevent_req *req;
 291         struct gensec_update_state *state = NULL;
 292
 293         req = tevent_req_create(mem_ctx, &state,
 294                                 struct gensec_update_state);
 295         if (req == NULL) {
 296                 return NULL;
 297         }
 298
 299         state->gensec_security          = gensec_security;
 300         state->in                       = in;
 301         state->out                      = data_blob(NULL, 0);
 302         state->im                       = tevent_create_immediate(state);
 303         if (tevent_req_nomem(state->im, req)) {
 304                 return tevent_req_post(req, ev);
 305         }
 306
 307         tevent_schedule_immediate(state->im, ev,
 308                                   gensec_update_async_trigger,
 309                                   req);
 310
 311         return req;
 312 }
 313
 314 static void gensec_update_async_trigger(struct tevent_context *ctx,
 315                                         struct tevent_immediate *im,
 316                                         void *private_data)
 317 {
 318         struct tevent_req *req =
 319                 talloc_get_type_abort(private_data, struct tevent_req);
 320         struct gensec_update_state *state =
 321                 tevent_req_data(req, struct gensec_update_state);
 322         NTSTATUS status;
 323
 324         status = gensec_update(state->gensec_security, state, ctx,
 325                                state->in, &state->out);
 326         if (tevent_req_nterror(req, status)) {
 327                 return;
 328         }
 329
 330         tevent_req_done(req);
 331 }
 332
 333 /**
 334  * Next state function for the GENSEC state machine
 335  *
 336  * @param req request state
 337  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 338  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 339  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 340  *                or NT_STATUS_OK if the user is authenticated.
 341  */
 342 _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
 343                                      TALLOC_CTX *out_mem_ctx,
 344                                      DATA_BLOB *out)
 345 {
 346         struct gensec_update_state *state =
 347                 tevent_req_data(req, struct gensec_update_state);
 348         NTSTATUS status;
 349
 350         if (tevent_req_is_nterror(req, &status)) {
 351                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 352                         tevent_req_received(req);
 353                         return status;
 354                 }
 355         } else {
 356                 status = NT_STATUS_OK;
 357         }
 358
 359         *out = state->out;
 360         talloc_steal(out_mem_ctx, out->data);
 361
 362         tevent_req_received(req);
 363         return status;
 364 }
 365
 366 /**
 367  * Set the requirement for a certain feature on the connection
 368  *
 369  */
 370
 371 _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
 372                          uint32_t feature)
 373 {
 374         if (!gensec_security->ops || !gensec_security->ops->want_feature) {
 375                 gensec_security->want_features |= feature;
 376                 return;
 377         }
 378         gensec_security->ops->want_feature(gensec_security, feature);
 379 }
 380
 381 /**
 382  * Check the requirement for a certain feature on the connection
 383  *
 384  */
 385
 386 _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
 387                          uint32_t feature)
 388 {
 389         if (!gensec_security->ops->have_feature) {
 390                 return false;
 391         }
 392
 393         /* We might 'have' features that we don't 'want', because the
 394          * other end demanded them, or we can't neotiate them off */
 395         return gensec_security->ops->have_feature(gensec_security, feature);
 396 }
 397
 398 _PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
 399 {
 400         if (!gensec_security->ops->expire_time) {
 401                 return GENSEC_EXPIRE_TIME_INFINITY;
 402         }
 403
 404         return gensec_security->ops->expire_time(gensec_security);
 405 }
 406 /**
 407  * Return the credentials structure associated with a GENSEC context
 408  *
 409  */
 410
 411 _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
 412 {
 413         if (!gensec_security) {
 414                 return NULL;
 415         }
 416         return gensec_security->credentials;
 417 }
 418
 419 /**
 420  * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
 421  *
 422  */
 423
 424 _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
 425 {
 426         gensec_security->target.service = talloc_strdup(gensec_security, service);
 427         if (!gensec_security->target.service) {
 428                 return NT_STATUS_NO_MEMORY;
 429         }
 430         return NT_STATUS_OK;
 431 }
 432
 433 _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
 434 {
 435         if (gensec_security->target.service) {
 436                 return gensec_security->target.service;
 437         }
 438
 439         return "host";
 440 }
 441
 442 /**
 443  * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
 444  *
 445  */
 446
 447 _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
 448 {
 449         gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
 450         if (hostname && !gensec_security->target.hostname) {
 451                 return NT_STATUS_NO_MEMORY;
 452         }
 453         return NT_STATUS_OK;
 454 }
 455
 456 _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
 457 {
 458         /* We allow the target hostname to be overriden for testing purposes */
 459         if (gensec_security->settings->target_hostname) {
 460                 return gensec_security->settings->target_hostname;
 461         }
 462
 463         if (gensec_security->target.hostname) {
 464                 return gensec_security->target.hostname;
 465         }
 466
 467         /* We could add use the 'set sockaddr' call, and do a reverse
 468          * lookup, but this would be both insecure (compromising the
 469          * way kerberos works) and add DNS timeouts */
 470         return NULL;
 471 }
 472
 473 /**
 474  * Set (and copy) local and peer socket addresses onto a socket
 475  * context on the GENSEC context.
 476  *
 477  * This is so that kerberos can include these addresses in
 478  * cryptographic tokens, to avoid certain attacks.
 479  */
 480
 481 /**
 482  * @brief Set the local gensec address.
 483  *
 484  * @param  gensec_security   The gensec security context to use.
 485  *
 486  * @param  remote       The local address to set.
 487  *
 488  * @return              On success NT_STATUS_OK is returned or an NT_STATUS
 489  *                      error.
 490  */
 491 _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
 492                 const struct tsocket_address *local)
 493 {
 494         TALLOC_FREE(gensec_security->local_addr);
 495
 496         if (local == NULL) {
 497                 return NT_STATUS_OK;
 498         }
 499
 500         gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
 501         if (gensec_security->local_addr == NULL) {
 502                 return NT_STATUS_NO_MEMORY;
 503         }
 504
 505         return NT_STATUS_OK;
 506 }
 507
 508 /**
 509  * @brief Set the remote gensec address.
 510  *
 511  * @param  gensec_security   The gensec security context to use.
 512  *
 513  * @param  remote       The remote address to set.
 514  *
 515  * @return              On success NT_STATUS_OK is returned or an NT_STATUS
 516  *                      error.
 517  */
 518 _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
 519                 const struct tsocket_address *remote)
 520 {
 521         TALLOC_FREE(gensec_security->remote_addr);
 522
 523         if (remote == NULL) {
 524                 return NT_STATUS_OK;
 525         }
 526
 527         gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
 528         if (gensec_security->remote_addr == NULL) {
 529                 return NT_STATUS_NO_MEMORY;
 530         }
 531
 532         return NT_STATUS_OK;
 533 }
 534
 535 /**
 536  * @brief Get the local address from a gensec security context.
 537  *
 538  * @param  gensec_security   The security context to get the address from.
 539  *
 540  * @return              The address as tsocket_address which could be NULL if
 541  *                      no address is set.
 542  */
 543 _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
 544 {
 545         if (gensec_security == NULL) {
 546                 return NULL;
 547         }
 548         return gensec_security->local_addr;
 549 }
 550
 551 /**
 552  * @brief Get the remote address from a gensec security context.
 553  *
 554  * @param  gensec_security   The security context to get the address from.
 555  *
 556  * @return              The address as tsocket_address which could be NULL if
 557  *                      no address is set.
 558  */
 559 _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
 560 {
 561         if (gensec_security == NULL) {
 562                 return NULL;
 563         }
 564         return gensec_security->remote_addr;
 565 }
 566
 567 /**
 568  * Set the target principal (assuming it it known, say from the SPNEGO reply)
 569  *  - ensures it is talloc()ed
 570  *
 571  */
 572
 573 _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
 574 {
 575         gensec_security->target.principal = talloc_strdup(gensec_security, principal);
 576         if (!gensec_security->target.principal) {
 577                 return NT_STATUS_NO_MEMORY;
 578         }
 579         return NT_STATUS_OK;
 580 }
 581
 582 _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
 583 {
 584         if (gensec_security->target.principal) {
 585                 return gensec_security->target.principal;
 586         }
 587
 588         return NULL;
 589 }