Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : Generic Authentication Interface
5 :
6 : Copyright (C) Andrew Tridgell 2003
7 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "system/network.h"
25 : #include "tevent.h"
26 : #include "../lib/util/tevent_ntstatus.h"
27 : #include "librpc/gen_ndr/dcerpc.h"
28 : #include "auth/credentials/credentials.h"
29 : #include "auth/gensec/gensec.h"
30 : #include "auth/gensec/gensec_internal.h"
31 : #include "lib/param/param.h"
32 : #include "lib/param/loadparm.h"
33 : #include "lib/util/tsort.h"
34 : #include "lib/util/samba_modules.h"
35 : #include "lib/util/base64.h"
36 :
37 : #undef DBGC_CLASS
38 : #define DBGC_CLASS DBGC_AUTH
39 :
40 : #undef strcasecmp
41 :
42 : /* the list of currently registered GENSEC backends */
43 : static const struct gensec_security_ops **generic_security_ops;
44 : static int gensec_num_backends;
45 :
46 3815063 : bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
47 : {
48 3906577 : bool ok = lpcfg_parm_bool(security->settings->lp_ctx,
49 : NULL,
50 : "gensec",
51 3815063 : ops->name,
52 3815063 : ops->enabled);
53 :
54 4512503 : if (ops->weak_crypto &&
55 697440 : lpcfg_weak_crypto(security->settings->lp_ctx) != SAMBA_WEAK_CRYPTO_ALLOWED) {
56 0 : ok = false;
57 : }
58 :
59 3815063 : return ok;
60 : }
61 :
62 : /* Sometimes we want to force only kerberos, sometimes we want to
63 : * force it's avoidance. The old list could be either
64 : * gensec_security_all(), or from cli_credentials_gensec_list() (ie,
65 : * an existing list we have trimmed down)
66 : *
67 : * The intended logic is:
68 : *
69 : * if we are in the default AUTO have kerberos:
70 : * - take a reference to the master list
71 : * otherwise
72 : * - always add spnego then:
73 : * - if we 'MUST' have kerberos:
74 : * only add kerberos mechs
75 : * - if we 'DONT' want kerberos':
76 : * only add non-kerberos mechs
77 : *
78 : * Once we get things like NegoEx or moonshot, this will of course get
79 : * more complex.
80 : */
81 :
82 1746707 : static const struct gensec_security_ops **gensec_use_kerberos_mechs(
83 : TALLOC_CTX *mem_ctx,
84 : const struct gensec_security_ops * const *old_gensec_list,
85 : enum credentials_use_kerberos use_kerberos,
86 : bool keep_schannel)
87 : {
88 27217 : const struct gensec_security_ops **new_gensec_list;
89 27217 : int i, j, num_mechs_in;
90 :
91 18232588 : for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
92 : /* noop */
93 257768 : }
94 :
95 1746707 : new_gensec_list = talloc_array(mem_ctx,
96 : const struct gensec_security_ops *,
97 : num_mechs_in + 1);
98 1746707 : if (!new_gensec_list) {
99 0 : return NULL;
100 : }
101 :
102 1719490 : j = 0;
103 18232588 : for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
104 16485881 : bool keep = false;
105 :
106 : /*
107 : * We want to keep SPNEGO and other backends
108 : */
109 16485881 : keep = old_gensec_list[i]->glue;
110 :
111 16485881 : if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
112 1488653 : keep = keep_schannel;
113 : }
114 :
115 16485881 : switch (use_kerberos) {
116 14713988 : case CRED_USE_KERBEROS_DESIRED:
117 14713988 : keep = true;
118 14713988 : break;
119 :
120 1202839 : case CRED_USE_KERBEROS_DISABLED:
121 1202839 : if (old_gensec_list[i]->kerberos == false) {
122 882277 : keep = true;
123 : }
124 :
125 1190547 : break;
126 :
127 335716 : case CRED_USE_KERBEROS_REQUIRED:
128 335716 : if (old_gensec_list[i]->kerberos == true) {
129 113143 : keep = true;
130 : }
131 :
132 323578 : break;
133 0 : default:
134 : /* Can't happen or invalid parameter */
135 0 : return NULL;
136 : }
137 :
138 16240306 : if (!keep) {
139 481256 : continue;
140 : }
141 :
142 16004625 : new_gensec_list[j] = old_gensec_list[i];
143 16004625 : j++;
144 : }
145 1746707 : new_gensec_list[j] = NULL;
146 :
147 1746707 : return new_gensec_list;
148 : }
149 :
150 1746707 : _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
151 : struct gensec_security *gensec_security,
152 : TALLOC_CTX *mem_ctx)
153 : {
154 1746707 : const struct gensec_security_ops * const *backends =
155 : generic_security_ops;
156 1746707 : enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED;
157 1746707 : bool keep_schannel = false;
158 :
159 1746707 : if (gensec_security != NULL) {
160 564147 : struct cli_credentials *creds = NULL;
161 :
162 564147 : creds = gensec_get_credentials(gensec_security);
163 564147 : if (creds != NULL) {
164 564143 : use_kerberos = cli_credentials_get_kerberos_state(creds);
165 564143 : if (cli_credentials_get_netlogon_creds(creds) != NULL) {
166 5405 : keep_schannel = true;
167 : }
168 :
169 : /*
170 : * Even if Kerberos is set to REQUIRED, keep the
171 : * schannel auth mechanism so that machine accounts are
172 : * able to authenticate via netlogon.
173 : */
174 564143 : if (gensec_security->gensec_role == GENSEC_SERVER) {
175 347536 : keep_schannel = true;
176 : }
177 : }
178 :
179 564147 : if (gensec_security->settings->backends) {
180 204700 : backends = gensec_security->settings->backends;
181 : }
182 : }
183 :
184 1746707 : return gensec_use_kerberos_mechs(mem_ctx, backends,
185 : use_kerberos, keep_schannel);
186 :
187 : }
188 :
189 360608 : _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
190 : struct gensec_security *gensec_security,
191 : const char *oid_string)
192 : {
193 3196 : int i, j;
194 3196 : const struct gensec_security_ops **backends;
195 3196 : const struct gensec_security_ops *backend;
196 360608 : TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
197 360608 : if (!mem_ctx) {
198 0 : return NULL;
199 : }
200 360608 : backends = gensec_security_mechs(gensec_security, mem_ctx);
201 1114172 : for (i=0; backends && backends[i]; i++) {
202 1114042 : if (gensec_security != NULL &&
203 239814 : !gensec_security_ops_enabled(backends[i],
204 : gensec_security))
205 240 : continue;
206 1110592 : if (backends[i]->oid) {
207 1467905 : for (j=0; backends[i]->oid[j]; j++) {
208 995553 : if (backends[i]->oid[j] &&
209 995553 : (strcmp(backends[i]->oid[j], oid_string) == 0)) {
210 360464 : backend = backends[i];
211 360464 : talloc_free(mem_ctx);
212 360464 : return backend;
213 : }
214 : }
215 : }
216 : }
217 144 : talloc_free(mem_ctx);
218 :
219 144 : return NULL;
220 : }
221 :
222 26502 : _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
223 : struct gensec_security *gensec_security,
224 : const char *sasl_name)
225 : {
226 122 : int i;
227 122 : const struct gensec_security_ops **backends;
228 122 : const struct gensec_security_ops *backend;
229 26502 : TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
230 26502 : if (!mem_ctx) {
231 0 : return NULL;
232 : }
233 26502 : backends = gensec_security_mechs(gensec_security, mem_ctx);
234 27422 : for (i=0; backends && backends[i]; i++) {
235 27420 : if (gensec_security != NULL &&
236 27298 : !gensec_security_ops_enabled(backends[i], gensec_security)) {
237 260 : continue;
238 : }
239 27038 : if (backends[i]->sasl_name
240 26766 : && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
241 26500 : backend = backends[i];
242 26500 : talloc_free(mem_ctx);
243 26500 : return backend;
244 : }
245 : }
246 2 : talloc_free(mem_ctx);
247 :
248 2 : return NULL;
249 : }
250 :
251 253515 : _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
252 : struct gensec_security *gensec_security,
253 : uint32_t auth_type)
254 : {
255 854 : int i;
256 854 : const struct gensec_security_ops **backends;
257 854 : const struct gensec_security_ops *backend;
258 854 : TALLOC_CTX *mem_ctx;
259 :
260 253515 : if (auth_type == DCERPC_AUTH_TYPE_NONE) {
261 0 : return NULL;
262 : }
263 :
264 253515 : mem_ctx = talloc_new(gensec_security);
265 253515 : if (!mem_ctx) {
266 0 : return NULL;
267 : }
268 253515 : backends = gensec_security_mechs(gensec_security, mem_ctx);
269 1680756 : for (i=0; backends && backends[i]; i++) {
270 1684622 : if (gensec_security != NULL &&
271 58908 : !gensec_security_ops_enabled(backends[i], gensec_security)) {
272 11004 : continue;
273 : }
274 1668820 : if (backends[i]->auth_type == auth_type) {
275 253437 : backend = backends[i];
276 253437 : talloc_free(mem_ctx);
277 253437 : return backend;
278 : }
279 : }
280 78 : talloc_free(mem_ctx);
281 :
282 78 : return NULL;
283 : }
284 :
285 714827 : const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
286 : const char *name)
287 : {
288 16436 : int i;
289 16436 : const struct gensec_security_ops **backends;
290 16436 : const struct gensec_security_ops *backend;
291 714827 : TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
292 714827 : if (!mem_ctx) {
293 0 : return NULL;
294 : }
295 714827 : backends = gensec_security_mechs(gensec_security, mem_ctx);
296 4987544 : for (i=0; backends && backends[i]; i++) {
297 4316598 : if (gensec_security != NULL &&
298 6629 : !gensec_security_ops_enabled(backends[i], gensec_security))
299 1288 : continue;
300 4315310 : if (backends[i]->name
301 4315310 : && (strcmp(backends[i]->name, name) == 0)) {
302 60317 : backend = backends[i];
303 60317 : talloc_free(mem_ctx);
304 60317 : return backend;
305 : }
306 : }
307 654510 : talloc_free(mem_ctx);
308 654510 : return NULL;
309 : }
310 :
311 53013 : static const char **gensec_security_sasl_names_from_ops(
312 : struct gensec_security *gensec_security,
313 : TALLOC_CTX *mem_ctx,
314 : const struct gensec_security_ops * const *ops)
315 : {
316 53013 : const char **sasl_names = NULL;
317 53013 : size_t i, sasl_names_count = 0;
318 :
319 53013 : if (ops == NULL) {
320 0 : return NULL;
321 : }
322 :
323 53013 : sasl_names = talloc_array(mem_ctx, const char *, 1);
324 53013 : if (sasl_names == NULL) {
325 0 : return NULL;
326 : }
327 :
328 795195 : for (i = 0; ops[i] != NULL; i++) {
329 742182 : enum gensec_role role = GENSEC_SERVER;
330 742182 : const char **tmp = NULL;
331 :
332 742182 : if (ops[i]->sasl_name == NULL) {
333 477117 : continue;
334 : }
335 :
336 265065 : if (gensec_security != NULL) {
337 265065 : if (!gensec_security_ops_enabled(ops[i],
338 : gensec_security)) {
339 53013 : continue;
340 : }
341 :
342 212052 : role = gensec_security->gensec_role;
343 : }
344 :
345 212052 : switch (role) {
346 0 : case GENSEC_CLIENT:
347 0 : if (ops[i]->client_start == NULL) {
348 0 : continue;
349 : }
350 0 : break;
351 212052 : case GENSEC_SERVER:
352 212052 : if (ops[i]->server_start == NULL) {
353 53013 : continue;
354 : }
355 158307 : break;
356 : }
357 :
358 159039 : tmp = talloc_realloc(mem_ctx,
359 : sasl_names,
360 : const char *,
361 : sasl_names_count + 2);
362 159039 : if (tmp == NULL) {
363 0 : TALLOC_FREE(sasl_names);
364 0 : return NULL;
365 : }
366 159039 : sasl_names = tmp;
367 :
368 159039 : sasl_names[sasl_names_count] = ops[i]->sasl_name;
369 159039 : sasl_names_count++;
370 : }
371 53013 : sasl_names[sasl_names_count] = NULL;
372 :
373 53013 : return sasl_names;
374 : }
375 :
376 : /**
377 : * @brief Get the sasl names from the gensec security context.
378 : *
379 : * @param[in] gensec_security The gensec security context.
380 : *
381 : * @param[in] mem_ctx The memory context to allocate memory on.
382 : *
383 : * @return An allocated array with sasl names, NULL on error.
384 : */
385 : _PUBLIC_
386 53013 : const char **gensec_security_sasl_names(struct gensec_security *gensec_security,
387 : TALLOC_CTX *mem_ctx)
388 : {
389 53013 : const struct gensec_security_ops **ops = NULL;
390 :
391 53013 : ops = gensec_security_mechs(gensec_security, mem_ctx);
392 :
393 53013 : return gensec_security_sasl_names_from_ops(gensec_security,
394 : mem_ctx,
395 : ops);
396 : }
397 :
398 : /**
399 : * Return a unique list of security subsystems from those specified in
400 : * the list of SASL names.
401 : *
402 : * Use the list of enabled GENSEC mechanisms from the credentials
403 : * attached to the gensec_security, and return in our preferred order.
404 : */
405 :
406 26278 : static const struct gensec_security_ops **gensec_security_by_sasl_list(
407 : struct gensec_security *gensec_security,
408 : TALLOC_CTX *mem_ctx,
409 : const char **sasl_names)
410 : {
411 122 : const struct gensec_security_ops **backends_out;
412 122 : const struct gensec_security_ops **backends;
413 122 : int i, k, sasl_idx;
414 26278 : int num_backends_out = 0;
415 :
416 26278 : if (!sasl_names) {
417 0 : return NULL;
418 : }
419 :
420 26278 : backends = gensec_security_mechs(gensec_security, mem_ctx);
421 :
422 26278 : backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1);
423 26278 : if (!backends_out) {
424 0 : return NULL;
425 : }
426 26278 : backends_out[0] = NULL;
427 :
428 : /* Find backends in our preferred order, by walking our list,
429 : * then looking in the supplied list */
430 331198 : for (i=0; backends && backends[i]; i++) {
431 306628 : if (gensec_security != NULL &&
432 304920 : !gensec_security_ops_enabled(backends[i], gensec_security))
433 35122 : continue;
434 1077942 : for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
435 808144 : if (!backends[i]->sasl_name ||
436 271944 : !(strcmp(backends[i]->sasl_name,
437 270480 : sasl_names[sasl_idx]) == 0)) {
438 740797 : continue;
439 : }
440 :
441 123518 : for (k=0; backends_out[k]; k++) {
442 56171 : if (backends_out[k] == backends[i]) {
443 0 : break;
444 : }
445 : }
446 :
447 67347 : if (k < num_backends_out) {
448 : /* already in there */
449 0 : continue;
450 : }
451 :
452 67347 : backends_out = talloc_realloc(mem_ctx, backends_out,
453 : const struct gensec_security_ops *,
454 : num_backends_out + 2);
455 67347 : if (!backends_out) {
456 0 : return NULL;
457 : }
458 :
459 67347 : backends_out[num_backends_out] = backends[i];
460 67347 : num_backends_out++;
461 67347 : backends_out[num_backends_out] = NULL;
462 : }
463 : }
464 26156 : return backends_out;
465 : }
466 :
467 : /**
468 : * Return a unique list of security subsystems from those specified in
469 : * the OID list. That is, where two OIDs refer to the same module,
470 : * return that module only once.
471 : *
472 : * Use the list of enabled GENSEC mechanisms from the credentials
473 : * attached to the gensec_security, and return in our preferred order.
474 : */
475 :
476 190339 : _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
477 : struct gensec_security *gensec_security,
478 : TALLOC_CTX *mem_ctx,
479 : const char * const *oid_strings,
480 : const char *skip)
481 : {
482 3636 : struct gensec_security_ops_wrapper *backends_out;
483 3636 : const struct gensec_security_ops **backends;
484 3636 : int i, j, k, oid_idx;
485 190339 : int num_backends_out = 0;
486 :
487 190339 : if (!oid_strings) {
488 0 : return NULL;
489 : }
490 :
491 190339 : backends = gensec_security_mechs(gensec_security, gensec_security);
492 :
493 190339 : backends_out = talloc_array(mem_ctx, struct gensec_security_ops_wrapper, 1);
494 190339 : if (!backends_out) {
495 0 : return NULL;
496 : }
497 190339 : backends_out[0].op = NULL;
498 190339 : backends_out[0].oid = NULL;
499 :
500 : /* Find backends in our preferred order, by walking our list,
501 : * then looking in the supplied list */
502 2008127 : for (i=0; backends && backends[i]; i++) {
503 1865219 : if (gensec_security != NULL &&
504 1817788 : !gensec_security_ops_enabled(backends[i], gensec_security))
505 197894 : continue;
506 1619894 : if (!backends[i]->oid) {
507 1123089 : continue;
508 : }
509 1599224 : for (oid_idx = 0; oid_strings[oid_idx]; oid_idx++) {
510 1102419 : if (strcmp(oid_strings[oid_idx], skip) == 0) {
511 0 : continue;
512 : }
513 :
514 2533402 : for (j=0; backends[i]->oid[j]; j++) {
515 1458631 : if (!backends[i]->oid[j] ||
516 1430983 : !(strcmp(backends[i]->oid[j],
517 1393733 : oid_strings[oid_idx]) == 0)) {
518 1036144 : continue;
519 : }
520 :
521 489642 : for (k=0; backends_out[k].op; k++) {
522 204503 : if (backends_out[k].op == backends[i]) {
523 106502 : break;
524 : }
525 : }
526 :
527 394839 : if (k < num_backends_out) {
528 : /* already in there */
529 109700 : continue;
530 : }
531 :
532 285139 : backends_out = talloc_realloc(mem_ctx, backends_out,
533 : struct gensec_security_ops_wrapper,
534 : num_backends_out + 2);
535 285139 : if (!backends_out) {
536 0 : return NULL;
537 : }
538 :
539 285139 : backends_out[num_backends_out].op = backends[i];
540 285139 : backends_out[num_backends_out].oid = backends[i]->oid[j];
541 285139 : num_backends_out++;
542 285139 : backends_out[num_backends_out].op = NULL;
543 285139 : backends_out[num_backends_out].oid = NULL;
544 : }
545 : }
546 : }
547 186703 : return backends_out;
548 : }
549 :
550 : /**
551 : * Return OIDS from the security subsystems listed
552 : */
553 :
554 121478 : static const char **gensec_security_oids_from_ops(
555 : struct gensec_security *gensec_security,
556 : TALLOC_CTX *mem_ctx,
557 : const struct gensec_security_ops * const *ops,
558 : const char *skip)
559 : {
560 2607 : int i;
561 121478 : int j = 0;
562 2607 : int k;
563 2607 : const char **oid_list;
564 121478 : if (!ops) {
565 0 : return NULL;
566 : }
567 121478 : oid_list = talloc_array(mem_ctx, const char *, 1);
568 121478 : if (!oid_list) {
569 0 : return NULL;
570 : }
571 :
572 1215774 : for (i=0; ops && ops[i]; i++) {
573 1127321 : if (gensec_security != NULL &&
574 1094296 : !gensec_security_ops_enabled(ops[i], gensec_security)) {
575 108582 : continue;
576 : }
577 985714 : if (!ops[i]->oid) {
578 672947 : continue;
579 : }
580 :
581 703246 : for (k = 0; ops[i]->oid[k]; k++) {
582 390479 : if (skip && strcmp(skip, ops[i]->oid[k])==0) {
583 : } else {
584 269001 : oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
585 269001 : if (!oid_list) {
586 0 : return NULL;
587 : }
588 269001 : oid_list[j] = ops[i]->oid[k];
589 269001 : j++;
590 : }
591 : }
592 : }
593 121478 : oid_list[j] = NULL;
594 121478 : return oid_list;
595 : }
596 :
597 :
598 : /**
599 : * Return OIDS from the security subsystems listed
600 : */
601 :
602 83004 : _PUBLIC_ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
603 : const struct gensec_security_ops_wrapper *wops)
604 : {
605 1500 : int i;
606 83004 : int j = 0;
607 1500 : int k;
608 1500 : const char **oid_list;
609 83004 : if (!wops) {
610 0 : return NULL;
611 : }
612 83004 : oid_list = talloc_array(mem_ctx, const char *, 1);
613 83004 : if (!oid_list) {
614 0 : return NULL;
615 : }
616 :
617 203144 : for (i=0; wops[i].op; i++) {
618 120140 : if (!wops[i].op->oid) {
619 0 : continue;
620 : }
621 :
622 281397 : for (k = 0; wops[i].op->oid[k]; k++) {
623 161257 : oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
624 161257 : if (!oid_list) {
625 0 : return NULL;
626 : }
627 161257 : oid_list[j] = wops[i].op->oid[k];
628 161257 : j++;
629 : }
630 : }
631 83004 : oid_list[j] = NULL;
632 83004 : return oid_list;
633 : }
634 :
635 :
636 : /**
637 : * Return all the security subsystems currently enabled on a GENSEC context.
638 : *
639 : * This is taken from a list attached to the cli_credentials, and
640 : * skips the OID in 'skip'. (Typically the SPNEGO OID)
641 : *
642 : */
643 :
644 121478 : _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_security,
645 : TALLOC_CTX *mem_ctx,
646 : const char *skip)
647 : {
648 2607 : const struct gensec_security_ops **ops;
649 :
650 121478 : ops = gensec_security_mechs(gensec_security, mem_ctx);
651 :
652 121478 : return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
653 : }
654 :
655 507668 : static int gensec_security_destructor(struct gensec_security *gctx)
656 : {
657 507668 : if (gctx->parent_security != NULL) {
658 169 : if (gctx->parent_security->child_security == gctx) {
659 169 : gctx->parent_security->child_security = NULL;
660 : }
661 169 : gctx->parent_security = NULL;
662 : }
663 :
664 507668 : if (gctx->child_security != NULL) {
665 128417 : if (gctx->child_security->parent_security == gctx) {
666 128417 : gctx->child_security->parent_security = NULL;
667 : }
668 128417 : gctx->child_security = NULL;
669 : }
670 :
671 507668 : return 0;
672 : }
673 :
674 : /**
675 : Start the GENSEC system, returning a context pointer.
676 : @param mem_ctx The parent TALLOC memory context.
677 : @param gensec_security Returned GENSEC context pointer.
678 : @note The mem_ctx is only a parent and may be NULL.
679 : @note, the auth context is moved to be a referenced pointer of the
680 : @ gensec_security return
681 : */
682 293644 : static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
683 : struct gensec_settings *settings,
684 : struct auth4_context *auth_context,
685 : struct gensec_security **gensec_security)
686 : {
687 293644 : (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
688 293644 : NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
689 :
690 293644 : (*gensec_security)->max_update_size = 0;
691 :
692 293644 : SMB_ASSERT(settings->lp_ctx != NULL);
693 293644 : (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
694 :
695 : /* We need to reference this, not steal, as the caller may be
696 : * python, which won't like it if we steal it's object away
697 : * from it */
698 293644 : (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
699 :
700 293644 : talloc_set_destructor((*gensec_security), gensec_security_destructor);
701 293644 : return NT_STATUS_OK;
702 : }
703 :
704 : /**
705 : * Start a GENSEC subcontext, with a copy of the properties of the parent
706 : * @param mem_ctx The parent TALLOC memory context.
707 : * @param parent The parent GENSEC context
708 : * @param gensec_security Returned GENSEC context pointer.
709 : * @note Used by SPNEGO in particular, for the actual implementation mechanism
710 : */
711 :
712 215623 : _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
713 : struct gensec_security *parent,
714 : struct gensec_security **gensec_security)
715 : {
716 215623 : if (parent->child_security != NULL) {
717 0 : return NT_STATUS_INTERNAL_ERROR;
718 : }
719 :
720 215623 : (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
721 215623 : NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
722 :
723 215623 : (**gensec_security) = *parent;
724 215623 : (*gensec_security)->ops = NULL;
725 215623 : (*gensec_security)->private_data = NULL;
726 215623 : (*gensec_security)->update_busy_ptr = NULL;
727 :
728 215623 : (*gensec_security)->subcontext = true;
729 215623 : (*gensec_security)->want_features = parent->want_features;
730 215623 : (*gensec_security)->max_update_size = parent->max_update_size;
731 215623 : (*gensec_security)->dcerpc_auth_level = parent->dcerpc_auth_level;
732 215623 : (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
733 215623 : (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
734 215623 : (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
735 :
736 215623 : talloc_set_destructor((*gensec_security), gensec_security_destructor);
737 215623 : return NT_STATUS_OK;
738 : }
739 :
740 129231 : _PUBLIC_ NTSTATUS gensec_child_ready(struct gensec_security *parent,
741 : struct gensec_security *child)
742 : {
743 129231 : if (parent->child_security != NULL) {
744 0 : return NT_STATUS_INTERNAL_ERROR;
745 : }
746 :
747 129231 : if (child->parent_security != NULL) {
748 0 : return NT_STATUS_INTERNAL_ERROR;
749 : }
750 :
751 129231 : parent->child_security = child;
752 129231 : child->parent_security = parent;
753 129231 : return NT_STATUS_OK;
754 : }
755 :
756 : /**
757 : Start the GENSEC system, in client mode, returning a context pointer.
758 : @param mem_ctx The parent TALLOC memory context.
759 : @param gensec_security Returned GENSEC context pointer.
760 : @note The mem_ctx is only a parent and may be NULL.
761 : */
762 116442 : _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
763 : struct gensec_security **gensec_security,
764 : struct gensec_settings *settings)
765 : {
766 1716 : NTSTATUS status;
767 :
768 116442 : if (settings == NULL) {
769 0 : DEBUG(0,("gensec_client_start: no settings given!\n"));
770 0 : return NT_STATUS_INTERNAL_ERROR;
771 : }
772 :
773 116442 : status = gensec_start(mem_ctx, settings, NULL, gensec_security);
774 116442 : if (!NT_STATUS_IS_OK(status)) {
775 0 : return status;
776 : }
777 116442 : (*gensec_security)->gensec_role = GENSEC_CLIENT;
778 :
779 116442 : return status;
780 : }
781 :
782 :
783 :
784 : /**
785 : Start the GENSEC system, in server mode, returning a context pointer.
786 : @param mem_ctx The parent TALLOC memory context.
787 : @param gensec_security Returned GENSEC context pointer.
788 : @note The mem_ctx is only a parent and may be NULL.
789 : */
790 177202 : _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
791 : struct gensec_settings *settings,
792 : struct auth4_context *auth_context,
793 : struct gensec_security **gensec_security)
794 : {
795 2877 : NTSTATUS status;
796 :
797 177202 : if (!settings) {
798 0 : DEBUG(0,("gensec_server_start: no settings given!\n"));
799 0 : return NT_STATUS_INTERNAL_ERROR;
800 : }
801 :
802 177202 : status = gensec_start(mem_ctx, settings, auth_context, gensec_security);
803 177202 : if (!NT_STATUS_IS_OK(status)) {
804 0 : return status;
805 : }
806 177202 : (*gensec_security)->gensec_role = GENSEC_SERVER;
807 :
808 177202 : return status;
809 : }
810 :
811 414553 : static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
812 : {
813 7936 : NTSTATUS status;
814 :
815 : /*
816 : * Callers sometimes just reuse a context, we should
817 : * clear the internal state before starting it again.
818 : */
819 414553 : talloc_unlink(gensec_security, gensec_security->private_data);
820 414553 : gensec_security->private_data = NULL;
821 :
822 414553 : if (gensec_security->child_security != NULL) {
823 : /*
824 : * The talloc_unlink(.., gensec_security->private_data)
825 : * should have cleared this via
826 : * gensec_security_destructor().
827 : */
828 0 : return NT_STATUS_INTERNAL_ERROR;
829 : }
830 :
831 414553 : if (gensec_security->credentials) {
832 414551 : const char *forced_mech = cli_credentials_get_forced_sasl_mech(gensec_security->credentials);
833 414551 : if (forced_mech &&
834 0 : (gensec_security->ops->sasl_name == NULL ||
835 0 : strcasecmp(forced_mech, gensec_security->ops->sasl_name) != 0)) {
836 0 : DEBUG(5, ("GENSEC mechanism %s (%s) skipped, as it "
837 : "did not match forced mechanism %s\n",
838 : gensec_security->ops->name,
839 : gensec_security->ops->sasl_name,
840 : forced_mech));
841 0 : return NT_STATUS_INVALID_PARAMETER;
842 : }
843 : }
844 414553 : DEBUG(5, ("Starting GENSEC %smechanism %s\n",
845 : gensec_security->subcontext ? "sub" : "",
846 : gensec_security->ops->name));
847 414553 : switch (gensec_security->gensec_role) {
848 170712 : case GENSEC_CLIENT:
849 170712 : if (gensec_security->ops->client_start) {
850 170712 : status = gensec_security->ops->client_start(gensec_security);
851 170712 : if (!NT_STATUS_IS_OK(status)) {
852 24067 : DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n",
853 : gensec_security->ops->name, nt_errstr(status)));
854 : }
855 170712 : return status;
856 : }
857 0 : break;
858 243841 : case GENSEC_SERVER:
859 243841 : if (gensec_security->ops->server_start) {
860 243841 : status = gensec_security->ops->server_start(gensec_security);
861 243841 : if (!NT_STATUS_IS_OK(status)) {
862 10 : DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n",
863 : gensec_security->ops->name, nt_errstr(status)));
864 : }
865 243841 : return status;
866 : }
867 0 : break;
868 : }
869 0 : return NT_STATUS_INVALID_PARAMETER;
870 : }
871 :
872 : /**
873 : * Start a GENSEC sub-mechanism with a specified mechanism structure, used in SPNEGO
874 : *
875 : */
876 :
877 241899 : NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
878 : const struct gensec_security_ops *ops)
879 : {
880 241899 : gensec_security->ops = ops;
881 241899 : return gensec_start_mech(gensec_security);
882 : }
883 :
884 :
885 : /**
886 : * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number
887 : * @param gensec_security GENSEC context pointer.
888 : * @param auth_type DCERPC auth type
889 : * @param auth_level DCERPC auth level
890 : */
891 :
892 19179 : _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
893 : uint8_t auth_type, uint8_t auth_level)
894 : {
895 19179 : gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
896 19179 : if (!gensec_security->ops) {
897 39 : DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
898 39 : return NT_STATUS_INVALID_PARAMETER;
899 : }
900 19140 : gensec_security->dcerpc_auth_level = auth_level;
901 : /*
902 : * We need to reset sign/seal in order to reset it.
903 : * We may got some default features inherited by the credentials
904 : */
905 19140 : gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
906 19140 : gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
907 19140 : gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
908 19140 : gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
909 19140 : if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
910 6485 : if (gensec_security->gensec_role == GENSEC_CLIENT) {
911 3313 : gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
912 : }
913 12655 : } else if (auth_level == DCERPC_AUTH_LEVEL_PACKET) {
914 : /*
915 : * For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4)
916 : * has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5).
917 : */
918 408 : if (gensec_security->gensec_role == GENSEC_CLIENT) {
919 255 : gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
920 : }
921 12247 : } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
922 10809 : gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
923 10809 : gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
924 1438 : } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
925 : /* Default features */
926 : } else {
927 3 : DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
928 : auth_level));
929 3 : return NT_STATUS_INVALID_PARAMETER;
930 : }
931 :
932 19137 : return gensec_start_mech(gensec_security);
933 : }
934 :
935 160 : _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
936 : {
937 0 : const struct gensec_security_ops *ops;
938 160 : ops = gensec_security_by_auth_type(gensec_security, authtype);
939 160 : if (ops) {
940 121 : return ops->name;
941 : }
942 39 : return NULL;
943 : }
944 :
945 :
946 76 : _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
947 : const char *oid_string)
948 : {
949 0 : const struct gensec_security_ops *ops;
950 76 : ops = gensec_security_by_oid(gensec_security, oid_string);
951 76 : if (ops) {
952 4 : return ops->name;
953 : }
954 72 : return oid_string;
955 : }
956 :
957 : /**
958 : * Start a GENSEC sub-mechanism by OID, used in SPNEGO
959 : *
960 : * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a
961 : * well-known #define to hook it in.
962 : */
963 :
964 125736 : _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
965 : const char *mech_oid)
966 : {
967 125736 : SMB_ASSERT(gensec_security != NULL);
968 :
969 125736 : gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid);
970 125736 : if (!gensec_security->ops) {
971 72 : DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
972 72 : return NT_STATUS_INVALID_PARAMETER;
973 : }
974 125664 : return gensec_start_mech(gensec_security);
975 : }
976 :
977 : /**
978 : * Start a GENSEC sub-mechanism by a well known SASL name
979 : *
980 : */
981 :
982 26502 : _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
983 : const char *sasl_name)
984 : {
985 26502 : gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name);
986 26502 : if (!gensec_security->ops) {
987 2 : DEBUG(3, ("Could not find GENSEC backend for sasl_name=%s\n", sasl_name));
988 2 : return NT_STATUS_INVALID_PARAMETER;
989 : }
990 26500 : return gensec_start_mech(gensec_security);
991 : }
992 :
993 : /**
994 : * Start a GENSEC sub-mechanism with the preferred option from a SASL name list
995 : *
996 : */
997 :
998 26278 : _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
999 : const char **sasl_names)
1000 : {
1001 26278 : NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
1002 26278 : TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
1003 122 : const struct gensec_security_ops **ops;
1004 122 : int i;
1005 26278 : if (!mem_ctx) {
1006 0 : return NT_STATUS_NO_MEMORY;
1007 : }
1008 26278 : ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names);
1009 26278 : if (!ops || !*ops) {
1010 0 : DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n",
1011 : str_list_join(mem_ctx,
1012 : sasl_names, ' ')));
1013 0 : talloc_free(mem_ctx);
1014 0 : return NT_STATUS_INVALID_PARAMETER;
1015 : }
1016 26278 : for (i=0; ops[i]; i++) {
1017 26278 : nt_status = gensec_start_mech_by_ops(gensec_security, ops[i]);
1018 26278 : if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
1019 26156 : break;
1020 : }
1021 : }
1022 26278 : talloc_free(mem_ctx);
1023 26278 : return nt_status;
1024 : }
1025 :
1026 : /**
1027 : * Start a GENSEC sub-mechanism by an internal name
1028 : *
1029 : */
1030 :
1031 1357 : _PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
1032 : const char *name)
1033 : {
1034 1357 : gensec_security->ops = gensec_security_by_name(gensec_security, name);
1035 1357 : if (!gensec_security->ops) {
1036 4 : DEBUG(3, ("Could not find GENSEC backend for name=%s\n", name));
1037 4 : return NT_STATUS_INVALID_PARAMETER;
1038 : }
1039 1353 : return gensec_start_mech(gensec_security);
1040 : }
1041 :
1042 : /**
1043 : * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context
1044 : *
1045 : */
1046 :
1047 294058 : _PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials)
1048 : {
1049 294058 : gensec_security->credentials = talloc_reference(gensec_security, credentials);
1050 294058 : NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials);
1051 294058 : gensec_want_feature(gensec_security, cli_credentials_get_gensec_features(gensec_security->credentials));
1052 294058 : return NT_STATUS_OK;
1053 : }
1054 :
1055 : /*
1056 : register a GENSEC backend.
1057 :
1058 : The 'name' can be later used by other backends to find the operations
1059 : structure for this backend.
1060 : */
1061 654506 : _PUBLIC_ NTSTATUS gensec_register(TALLOC_CTX *ctx,
1062 : const struct gensec_security_ops *ops)
1063 : {
1064 654506 : if (gensec_security_by_name(NULL, ops->name) != NULL) {
1065 : /* its already registered! */
1066 0 : DEBUG(0,("GENSEC backend '%s' already registered\n",
1067 : ops->name));
1068 0 : return NT_STATUS_OBJECT_NAME_COLLISION;
1069 : }
1070 :
1071 654506 : generic_security_ops = talloc_realloc(ctx,
1072 : generic_security_ops,
1073 : const struct gensec_security_ops *,
1074 : gensec_num_backends+2);
1075 654506 : if (!generic_security_ops) {
1076 0 : return NT_STATUS_NO_MEMORY;
1077 : }
1078 :
1079 654506 : generic_security_ops[gensec_num_backends] = ops;
1080 654506 : gensec_num_backends++;
1081 654506 : generic_security_ops[gensec_num_backends] = NULL;
1082 :
1083 654506 : DEBUG(3,("GENSEC backend '%s' registered\n",
1084 : ops->name));
1085 :
1086 654506 : return NT_STATUS_OK;
1087 : }
1088 :
1089 : /*
1090 : return the GENSEC interface version, and the size of some critical types
1091 : This can be used by backends to either detect compilation errors, or provide
1092 : multiple implementations for different smbd compilation options in one module
1093 : */
1094 0 : _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
1095 : {
1096 0 : static const struct gensec_critical_sizes critical_sizes = {
1097 : GENSEC_INTERFACE_VERSION,
1098 : sizeof(struct gensec_security_ops),
1099 : sizeof(struct gensec_security),
1100 : };
1101 :
1102 0 : return &critical_sizes;
1103 : }
1104 :
1105 1433938 : static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
1106 1433938 : return (*gs2)->priority - (*gs1)->priority;
1107 : }
1108 :
1109 181635 : int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
1110 : {
1111 181635 : return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
1112 : }
1113 :
1114 1586396 : bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
1115 : {
1116 1586396 : return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
1117 : }
1118 :
1119 : /*
1120 : initialise the GENSEC subsystem
1121 : */
1122 198489 : _PUBLIC_ NTSTATUS gensec_init(void)
1123 : {
1124 2659 : static bool initialized = false;
1125 : #define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
1126 : #ifdef STATIC_gensec_MODULES
1127 2659 : STATIC_gensec_MODULES_PROTO;
1128 198489 : init_module_fn static_init[] = { STATIC_gensec_MODULES };
1129 : #else
1130 : init_module_fn *static_init = NULL;
1131 : #endif
1132 2659 : init_module_fn *shared_init;
1133 :
1134 198489 : if (initialized) return NT_STATUS_OK;
1135 51482 : initialized = true;
1136 :
1137 51482 : shared_init = load_samba_modules(NULL, "gensec");
1138 :
1139 51482 : run_init_functions(NULL, static_init);
1140 51482 : run_init_functions(NULL, shared_init);
1141 :
1142 51482 : talloc_free(shared_init);
1143 :
1144 51482 : TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
1145 :
1146 51482 : return NT_STATUS_OK;
1147 : }
|