diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
| commit | 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch) | |
| tree | 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /auth | |
| parent | Initial commit. (diff) | |
| download | samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip | |
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
53 files changed, 23750 insertions, 0 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c new file mode 100644 index 0000000..9a110fd --- /dev/null +++ b/auth/auth_log.c @@ -0,0 +1,1083 @@ +/* + + Authentication and authorization logging + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +/* + * Debug log levels for authentication logging (these both map to + * LOG_NOTICE in syslog) + */ +#define AUTH_FAILURE_LEVEL 2 +#define AUTH_SUCCESS_LEVEL 3 +#define AUTHZ_SUCCESS_LEVEL 4 +#define KDC_AUTHZ_FAILURE_LEVEL 2 +#define KDC_AUTHZ_SUCCESS_LEVEL 3 + +/* 5 is used for both authentication and authorization */ +#define AUTH_ANONYMOUS_LEVEL 5 +#define AUTHZ_ANONYMOUS_LEVEL 5 + +#define AUTHZ_JSON_TYPE "Authorization" +#define AUTH_JSON_TYPE "Authentication" +#define KDC_AUTHZ_JSON_TYPE "KDC Authorization" + +/* + * JSON message version numbers + * + * If adding a field increment the minor version + * If removing or changing the format/meaning of a field + * increment the major version. + */ +#define AUTH_MAJOR 1 +#define AUTH_MINOR 3 +#define AUTHZ_MAJOR 1 +#define AUTHZ_MINOR 2 +#define KDC_AUTHZ_MAJOR 1 +#define KDC_AUTHZ_MINOR 0 + +#include "includes.h" +#include "../lib/tsocket/tsocket.h" +#include "common_auth.h" +#include "lib/util/util_str_escape.h" +#include "libcli/security/dom_sid.h" +#include "libcli/security/security_token.h" +#include "librpc/gen_ndr/server_id.h" +#include "source4/lib/messaging/messaging.h" +#include "source4/lib/messaging/irpc.h" +#include "lib/util/server_id_db.h" +#include "lib/param/param.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/windows_event_ids.h" +#include "lib/audit_logging/audit_logging.h" + +/* + * Determine the type of the password supplied for the + * authorisation attempt. + * + */ +static const char* get_password_type(const struct auth_usersupplied_info *ui); + +#ifdef HAVE_JANSSON + +#include <jansson.h> +#include "system/time.h" + +/* + * Write the json object to the debug logs. + * + */ +static void log_json(struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + struct json_object *object, + int debug_class, + int debug_level) +{ + audit_log_json(object, debug_class, debug_level); + if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) { + audit_message_send(msg_ctx, + AUTH_EVENT_NAME, + MSG_AUTH_LOG, + object); + } +} + +/* + * Determine the Windows logon type for the current authorisation attempt. + * + * Currently Samba only supports + * + * 2 Interactive A user logged on to this computer. + * 3 Network A user or computer logged on to this computer from + * the network. + * 8 NetworkCleartext A user logged on to this computer from the network. + * The user's password was passed to the authentication + * package in its unhashed form. + * + */ +static enum event_logon_type get_logon_type( + const struct auth_usersupplied_info *ui) +{ + if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED) + || (ui->password_state == AUTH_PASSWORD_PLAIN)) { + return EVT_LOGON_NETWORK_CLEAR_TEXT; + } else if (ui->flags & USER_INFO_INTERACTIVE_LOGON) { + return EVT_LOGON_INTERACTIVE; + } + return EVT_LOGON_NETWORK; +} + +/* + * Write a machine parsable json formatted authentication log entry. + * + * IF removing or changing the format/meaning of a field please update the + * major version number AUTH_MAJOR + * + * IF adding a new field please update the minor version number AUTH_MINOR + * + * To process the resulting log lines from the command line use jq to + * parse the json. + * + * grep "^ {" log file | + * jq -rc '"\(.timestamp)\t\(.Authentication.status)\t + * \(.Authentication.clientDomain)\t + * \(.Authentication.clientAccount) + * \t\(.Authentication.workstation) + * \t\(.Authentication.remoteAddress) + * \t\(.Authentication.localAddress)"' + */ +static void log_authentication_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct timeval *start_time, + const struct auth_usersupplied_info *ui, + NTSTATUS status, + const char *domain_name, + const char *account_name, + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, + enum event_id_type event_id, + int debug_level) +{ + struct json_object wrapper = json_empty_object; + struct json_object authentication = json_empty_object; + struct json_object client_policy = json_null_object(); + struct json_object server_policy = json_null_object(); + char logon_id[19]; + int rc = 0; + const char *clientDomain = ui->orig_client.domain_name ? + ui->orig_client.domain_name : + ui->client.domain_name; + const char *clientAccount = ui->orig_client.account_name ? + ui->orig_client.account_name : + ui->client.account_name; + + authentication = json_new_object(); + if (json_is_invalid(&authentication)) { + goto failure; + } + rc = json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR); + if (rc != 0) { + goto failure; + } + rc = json_add_int(&authentication, + "eventId", + event_id); + if (rc != 0) { + goto failure; + } + snprintf(logon_id, + sizeof( logon_id), + "%"PRIx64"", + ui->logon_id); + rc = json_add_string(&authentication, "logonId", logon_id); + if (rc != 0) { + goto failure; + } + rc = json_add_int(&authentication, "logonType", get_logon_type(ui)); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authentication, "status", nt_errstr(status)); + if (rc != 0) { + goto failure; + } + rc = json_add_address(&authentication, "localAddress", ui->local_host); + if (rc != 0) { + goto failure; + } + rc = + json_add_address(&authentication, "remoteAddress", ui->remote_host); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "serviceDescription", ui->service_description); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "authDescription", ui->auth_description); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "clientDomain", clientDomain); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "clientAccount", clientAccount); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "workstation", ui->workstation_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authentication, "becameAccount", account_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authentication, "becameDomain", domain_name); + if (rc != 0) { + goto failure; + } + rc = json_add_sid(&authentication, "becameSid", sid); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "mappedAccount", ui->mapped.account_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "mappedDomain", ui->mapped.domain_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authentication, + "netlogonComputer", + ui->netlogon_trust_account.computer_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authentication, + "netlogonTrustAccount", + ui->netlogon_trust_account.account_name); + if (rc != 0) { + goto failure; + } + rc = json_add_flags32( + &authentication, "netlogonNegotiateFlags", + ui->netlogon_trust_account.negotiate_flags); + if (rc != 0) { + goto failure; + } + rc = json_add_int(&authentication, + "netlogonSecureChannelType", + ui->netlogon_trust_account.secure_channel_type); + if (rc != 0) { + goto failure; + } + rc = json_add_sid(&authentication, + "netlogonTrustAccountSid", + ui->netlogon_trust_account.sid); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authentication, "passwordType", get_password_type(ui)); + if (rc != 0) { + goto failure; + } + + if (client_audit_info != NULL) { + client_policy = json_from_audit_info(client_audit_info); + if (json_is_invalid(&client_policy)) { + goto failure; + } + } + + rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy); + if (rc != 0) { + goto failure; + } + + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + + wrapper = json_new_object(); + if (json_is_invalid(&wrapper)) { + goto failure; + } + rc = json_add_timestamp(&wrapper); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&wrapper, "type", AUTH_JSON_TYPE); + if (rc != 0) { + goto failure; + } + rc = json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication); + if (rc != 0) { + goto failure; + } + + /* + * While not a general-purpose profiling solution this will + * assist some to determine how long NTLM and KDC + * authentication takes once this process can handle it. This + * covers transactions elsewhere but not (eg) the delay while + * this is waiting unread on the input socket. + */ + if (start_time != NULL) { + struct timeval current_time = timeval_current(); + uint64_t duration = usec_time_diff(¤t_time, + start_time); + rc = json_add_int(&authentication, "duration", duration); + if (rc != 0) { + goto failure; + } + } + + log_json(msg_ctx, + lp_ctx, + &wrapper, + DBGC_AUTH_AUDIT_JSON, + debug_level); + json_free(&wrapper); + return; +failure: + json_free(&server_policy); + json_free(&client_policy); + /* + * On a failure authentication will not have been added to wrapper so it + * needs to be freed to avoid a leak. + * + */ + json_free(&authentication); + json_free(&wrapper); + DBG_ERR("Failed to write authentication event JSON log message\n"); +} + +/* + * Log details of a successful authorization to a service, + * in a machine parsable json format + * + * IF removing or changing the format/meaning of a field please update the + * major version number AUTHZ_MAJOR + * + * IF adding a new field please update the minor version number AUTHZ_MINOR + * + * To process the resulting log lines from the command line use jq to + * parse the json. + * + * grep "^ {" log_file |\ + * jq -rc '"\(.timestamp)\t + * \(.Authorization.domain)\t + * \(.Authorization.account)\t + * \(.Authorization.remoteAddress)"' + * + */ +static void log_successful_authz_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + const char *transport_protection, + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, + int debug_level) +{ + struct json_object wrapper = json_empty_object; + struct json_object authorization = json_empty_object; + struct json_object client_policy = json_null_object(); + struct json_object server_policy = json_null_object(); + int rc = 0; + + authorization = json_new_object(); + if (json_is_invalid(&authorization)) { + goto failure; + } + rc = json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR); + if (rc != 0) { + goto failure; + } + rc = json_add_address(&authorization, "localAddress", local); + if (rc != 0) { + goto failure; + } + rc = json_add_address(&authorization, "remoteAddress", remote); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authorization, "serviceDescription", service_description); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "authType", auth_type); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authorization, "domain", session_info->info->domain_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authorization, "account", session_info->info->account_name); + if (rc != 0) { + goto failure; + } + rc = json_add_sid( + &authorization, "sid", &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); + if (rc != 0) { + goto failure; + } + rc = json_add_guid( + &authorization, "sessionId", &session_info->unique_session_token); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authorization, "logonServer", session_info->info->logon_server); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authorization, "transportProtection", transport_protection); + if (rc != 0) { + goto failure; + } + rc = json_add_flags32(&authorization, "accountFlags", session_info->info->acct_flags); + if (rc != 0) { + goto failure; + } + + if (client_audit_info != NULL) { + client_policy = json_from_audit_info(client_audit_info); + if (json_is_invalid(&client_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy); + if (rc != 0) { + goto failure; + } + + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + + wrapper = json_new_object(); + if (json_is_invalid(&wrapper)) { + goto failure; + } + rc = json_add_timestamp(&wrapper); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&wrapper, "type", AUTHZ_JSON_TYPE); + if (rc != 0) { + goto failure; + } + rc = json_add_object(&wrapper, AUTHZ_JSON_TYPE, &authorization); + if (rc != 0) { + goto failure; + } + + log_json(msg_ctx, + lp_ctx, + &wrapper, + DBGC_AUTH_AUDIT_JSON, + debug_level); + json_free(&wrapper); + return; +failure: + json_free(&server_policy); + json_free(&client_policy); + /* + * On a failure authorization will not have been added to wrapper so it + * needs to be freed to avoid a leak. + * + */ + json_free(&authorization); + json_free(&wrapper); + DBG_ERR("Unable to log Authentication event JSON audit message\n"); +} + +/* + * Log details of an authorization to a service, in a machine parsable json + * format + * + * IF removing or changing the format/meaning of a field please update the + * major version number KDC_AUTHZ_MAJOR + * + * IF adding a new field please update the minor version number KDC_AUTHZ_MINOR + * + * To process the resulting log lines from the command line use jq to + * parse the json. + * + * grep "^ {" log_file |\ + * jq -rc '"\(.timestamp)\t + * \(."KDC Authorization".domain)\t + * \(."KDC Authorization".account)\t + * \(."KDC Authorization".remoteAddress)"' + * + */ +static void log_authz_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, + const char *service_description, + const char *auth_type, + const char *domain_name, + const char *account_name, + const struct dom_sid *sid, + const char *logon_server, + const struct timeval authtime, + NTSTATUS status, + int debug_level) +{ + struct json_object wrapper = json_empty_object; + struct json_object authorization = json_empty_object; + struct json_object server_policy = json_null_object(); + int rc = 0; + + authorization = json_new_object(); + if (json_is_invalid(&authorization)) { + goto failure; + } + rc = json_add_version(&authorization, KDC_AUTHZ_MAJOR, KDC_AUTHZ_MINOR); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "status", nt_errstr(status)); + if (rc != 0) { + goto failure; + } + rc = json_add_address(&authorization, "localAddress", local); + if (rc != 0) { + goto failure; + } + rc = json_add_address(&authorization, "remoteAddress", remote); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authorization, "serviceDescription", service_description); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "authType", auth_type); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "domain", domain_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "account", account_name); + if (rc != 0) { + goto failure; + } + rc = json_add_sid(&authorization, "sid", sid); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "logonServer", logon_server); + if (rc != 0) { + goto failure; + } + rc = json_add_time(&authorization, "authTime", authtime); + if (rc != 0) { + goto failure; + } + + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + + wrapper = json_new_object(); + if (json_is_invalid(&wrapper)) { + goto failure; + } + rc = json_add_timestamp(&wrapper); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&wrapper, "type", KDC_AUTHZ_JSON_TYPE); + if (rc != 0) { + goto failure; + } + rc = json_add_object(&wrapper, KDC_AUTHZ_JSON_TYPE, &authorization); + if (rc != 0) { + goto failure; + } + + log_json(msg_ctx, + lp_ctx, + &wrapper, + DBGC_AUTH_AUDIT_JSON, + debug_level); + json_free(&wrapper); + return; +failure: + json_free(&server_policy); + /* + * On a failure authorization will not have been added to wrapper so it + * needs to be freed to avoid a leak. + */ + json_free(&authorization); + json_free(&wrapper); + DBG_ERR("Unable to log KDC Authorization event JSON audit message\n"); +} + +#else + +static void log_no_json(struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx) +{ + if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) { + static bool auth_event_logged = false; + if (auth_event_logged == false) { + auth_event_logged = true; + DBG_ERR("auth event notification = true but Samba was " + "not compiled with jansson\n"); + } + } else { + static bool json_logged = false; + if (json_logged == false) { + json_logged = true; + DBG_NOTICE("JSON auth logs not available unless " + "compiled with jansson\n"); + } + } +} + +static void log_authentication_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct timeval *start_time, + const struct auth_usersupplied_info *ui, + NTSTATUS status, + const char *domain_name, + const char *account_name, + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, + enum event_id_type event_id, + int debug_level) +{ + log_no_json(msg_ctx, lp_ctx); +} + +static void log_successful_authz_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + const char *transport_protection, + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, + int debug_level) +{ + log_no_json(msg_ctx, lp_ctx); +} + +static void log_authz_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, + const char *service_description, + const char *auth_type, + const char *domain_name, + const char *account_name, + const struct dom_sid *sid, + const char *logon_server, + const struct timeval authtime, + NTSTATUS status, + int debug_level) +{ + log_no_json(msg_ctx, lp_ctx); +} + +#endif + +/* + * Determine the type of the password supplied for the + * authorisation attempt. + * + */ +static const char* get_password_type(const struct auth_usersupplied_info *ui) +{ + + const char *password_type = NULL; + + if (ui->password_type != NULL) { + password_type = ui->password_type; + } else if (ui->auth_description != NULL && + strncmp("ServerAuthenticate", ui->auth_description, 18) == 0) + { + if (ui->netlogon_trust_account.negotiate_flags + & NETLOGON_NEG_SUPPORTS_AES) { + password_type = "HMAC-SHA256"; + } else if (ui->netlogon_trust_account.negotiate_flags + & NETLOGON_NEG_STRONG_KEYS) { + password_type = "HMAC-MD5"; + } else { + password_type = "DES"; + } + } else if (ui->password_state == AUTH_PASSWORD_RESPONSE && + (ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) && + ui->password.response.nt.length == 24) { + password_type = "MSCHAPv2"; + } else if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED) + || (ui->password_state == AUTH_PASSWORD_PLAIN)) { + password_type = "Plaintext"; + } else if (ui->password_state == AUTH_PASSWORD_HASH) { + password_type = "Supplied-NT-Hash"; + } else if (ui->password_state == AUTH_PASSWORD_RESPONSE + && ui->password.response.nt.length > 24) { + password_type = "NTLMv2"; + } else if (ui->password_state == AUTH_PASSWORD_RESPONSE + && ui->password.response.nt.length == 24) { + password_type = "NTLMv1"; + } else if (ui->password_state == AUTH_PASSWORD_RESPONSE + && ui->password.response.lanman.length == 24) { + password_type = "LANMan"; + } else if (ui->password_state == AUTH_PASSWORD_RESPONSE + && ui->password.response.nt.length == 0 + && ui->password.response.lanman.length == 0) { + password_type = "No-Password"; + } + return password_type; +} + +/* + * Write a human readable authentication log entry. + * + */ +static void log_authentication_event_human_readable( + const struct auth_usersupplied_info *ui, + NTSTATUS status, + const char *domain_name, + const char *account_name, + struct dom_sid *sid, + int debug_level) +{ + TALLOC_CTX *frame = NULL; + + const char *ts = NULL; /* formatted current time */ + char *remote = NULL; /* formatted remote host */ + char *local = NULL; /* formatted local host */ + char *nl = NULL; /* NETLOGON details if present */ + char *trust_computer_name = NULL; + char *trust_account_name = NULL; + char *logon_line = NULL; + const char *password_type = NULL; + const char *clientDomain = ui->orig_client.domain_name ? + ui->orig_client.domain_name : + ui->client.domain_name; + const char *clientAccount = ui->orig_client.account_name ? + ui->orig_client.account_name : + ui->client.account_name; + + frame = talloc_stackframe(); + + password_type = get_password_type(ui); + /* Get the current time */ + ts = audit_get_timestamp(frame); + + /* Only log the NETLOGON details if they are present */ + if (ui->netlogon_trust_account.computer_name || + ui->netlogon_trust_account.account_name) { + trust_computer_name = log_escape(frame, + ui->netlogon_trust_account.computer_name); + trust_account_name = log_escape(frame, + ui->netlogon_trust_account.account_name); + nl = talloc_asprintf(frame, + " NETLOGON computer [%s] trust account [%s]", + trust_computer_name, trust_account_name); + } + + remote = tsocket_address_string(ui->remote_host, frame); + local = tsocket_address_string(ui->local_host, frame); + + if (NT_STATUS_IS_OK(status)) { + struct dom_sid_buf sid_buf; + + logon_line = talloc_asprintf(frame, + " became [%s]\\[%s] [%s].", + log_escape(frame, domain_name), + log_escape(frame, account_name), + dom_sid_str_buf(sid, &sid_buf)); + } else { + logon_line = talloc_asprintf( + frame, + " mapped to [%s]\\[%s].", + log_escape(frame, ui->mapped.domain_name), + log_escape(frame, ui->mapped.account_name)); + } + + DEBUGC(DBGC_AUTH_AUDIT, debug_level, + ("Auth: [%s,%s] user [%s]\\[%s]" + " at [%s] with [%s] status [%s]" + " workstation [%s] remote host [%s]" + "%s local host [%s]" + " %s\n", + ui->service_description, + ui->auth_description, + log_escape(frame, clientDomain), + log_escape(frame, clientAccount), + ts, + password_type, + nt_errstr(status), + log_escape(frame, ui->workstation_name), + remote, + logon_line, + local, + nl ? nl : "" + )); + + talloc_free(frame); +} + +/* + * Log details of an authentication attempt. + * Successful and unsuccessful attempts are logged. + * + * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the + * authentication events over the message bus. + */ +void log_authentication_event( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct timeval *start_time, + const struct auth_usersupplied_info *ui, + NTSTATUS status, + const char *domain_name, + const char *account_name, + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info) +{ + /* set the log level */ + int debug_level = AUTH_FAILURE_LEVEL; + enum event_id_type event_id = EVT_ID_UNSUCCESSFUL_LOGON; + + if (NT_STATUS_IS_OK(status)) { + debug_level = AUTH_SUCCESS_LEVEL; + event_id = EVT_ID_SUCCESSFUL_LOGON; + if (dom_sid_equal(sid, &global_sid_Anonymous)) { + debug_level = AUTH_ANONYMOUS_LEVEL; + } + } + + if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT, debug_level)) { + log_authentication_event_human_readable(ui, + status, + domain_name, + account_name, + sid, + debug_level); + } + if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) || + (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) { + log_authentication_event_json(msg_ctx, + lp_ctx, + start_time, + ui, + status, + domain_name, + account_name, + sid, + client_audit_info, + server_audit_info, + event_id, + debug_level); + } +} + + + +/* + * Log details of a successful authorization to a service, + * in a human readable format. + * + */ +static void log_successful_authz_event_human_readable( + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + struct auth_session_info *session_info, + int debug_level) +{ + TALLOC_CTX *frame = NULL; + + const char *ts = NULL; /* formatted current time */ + char *remote_str = NULL; /* formatted remote host */ + char *local_str = NULL; /* formatted local host */ + struct dom_sid_buf sid_buf; + + frame = talloc_stackframe(); + + /* Get the current time */ + ts = audit_get_timestamp(frame); + + remote_str = tsocket_address_string(remote, frame); + local_str = tsocket_address_string(local, frame); + + DEBUGC(DBGC_AUTH_AUDIT, debug_level, + ("Successful AuthZ: [%s,%s] user [%s]\\[%s] [%s]" + " at [%s]" + " Remote host [%s]" + " local host [%s]\n", + service_description, + auth_type, + log_escape(frame, session_info->info->domain_name), + log_escape(frame, session_info->info->account_name), + dom_sid_str_buf(&session_info->security_token->sids[PRIMARY_USER_SID_INDEX], + &sid_buf), + ts, + remote_str, + local_str)); + + talloc_free(frame); +} + +/* + * Log details of a successful authorization to a service. + * + * Only successful authorizations are logged. For clarity: + * - NTLM bad passwords will be recorded by log_authentication_event + * - Kerberos decrypt failures need to be logged in gensec_gssapi et al + * + * The service may later refuse authorization due to an ACL. + * + * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the + * authentication events over the message bus. + */ +void log_successful_authz_event( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + const char *transport_protection, + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info) +{ + int debug_level = AUTHZ_SUCCESS_LEVEL; + + /* set the log level */ + if (security_token_is_anonymous(session_info->security_token)) { + debug_level = AUTH_ANONYMOUS_LEVEL; + } + + if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT, debug_level)) { + log_successful_authz_event_human_readable(remote, + local, + service_description, + auth_type, + session_info, + debug_level); + } + if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) || + (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) { + log_successful_authz_event_json(msg_ctx, lp_ctx, + remote, + local, + service_description, + auth_type, + transport_protection, + session_info, + client_audit_info, + server_audit_info, + debug_level); + } +} + +/* + * Log details of an authorization to a service. + * + * NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the + * authorization events over the message bus. + */ +void log_authz_event( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, + const char *service_description, + const char *auth_type, + const char *domain_name, + const char *account_name, + const struct dom_sid *sid, + const char *logon_server, + const struct timeval authtime, + NTSTATUS status) +{ + /* set the log level */ + int debug_level = KDC_AUTHZ_FAILURE_LEVEL; + + if (NT_STATUS_IS_OK(status)) { + debug_level = KDC_AUTHZ_SUCCESS_LEVEL; + } + + if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) || + (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) { + log_authz_event_json(msg_ctx, lp_ctx, + remote, + local, + server_audit_info, + service_description, + auth_type, + domain_name, + account_name, + sid, + logon_server, + authtime, + status, + debug_level); + } +} diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c new file mode 100644 index 0000000..8c0ebe5 --- /dev/null +++ b/auth/auth_sam_reply.c @@ -0,0 +1,955 @@ +/* + Unix SMB/CIFS implementation. + + Convert a server info struct into the form for PAC and NETLOGON replies + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2011 + Copyright (C) Stefan Metzmacher <metze@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/auth.h" +#include "libcli/security/security.h" +#include "auth/auth_sam_reply.h" + +/* Returns true if this SID belongs in SamBaseInfo, otherwise false. */ +static bool is_base_sid(const struct auth_SidAttr *sid, + const struct dom_sid *domain_sid) +{ + if (sid->attrs & SE_GROUP_RESOURCE) { + /* + * Resource groups don't belong in the base + * RIDs, they're handled elsewhere. + */ + return false; + } + + /* + * This SID belongs in the base structure only if it's in the account's + * domain. + */ + return dom_sid_in_domain(domain_sid, &sid->sid); +} + +/* Stores a SID in a previously allocated array. */ +static NTSTATUS store_extra_sid(struct netr_SidAttr *sids, + uint32_t *sidcount, + const uint32_t allocated_sids, + const struct auth_SidAttr *sid) +{ + /* Check we aren't about to overflow our allocation. */ + if (*sidcount >= allocated_sids) { + return NT_STATUS_INVALID_PARAMETER; + } + + sids[*sidcount].sid = dom_sid_dup(sids, &sid->sid); + if (sids[*sidcount].sid == NULL) { + return NT_STATUS_NO_MEMORY; + } + sids[*sidcount].attributes = sid->attrs; + *sidcount += 1; + + return NT_STATUS_OK; +} + +/* + * Stores a resource SID in a previously allocated array, either Extra SIDs or + * Resource SIDs. Any SID within the domain of the first SID so added is stored + * there, while remaining SIDs are stored in Extra SIDs. + */ +static NTSTATUS store_resource_sid(struct netr_SidAttr *sids, + uint32_t *sidcount, + const uint32_t allocated_sids, + const struct auth_SidAttr *sid, + struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups, + const uint32_t allocated_resource_groups) +{ + NTSTATUS status; + + struct dom_sid *resource_domain = NULL; + uint32_t rid; + + if (resource_groups == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* Split the SID into domain and RID. */ + status = dom_sid_split_rid(resource_groups, &sid->sid, &resource_domain, &rid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (resource_groups->domain_sid == NULL) { + /* + * There is no domain SID set. Set it to the domain of this SID. + */ + resource_groups->domain_sid = resource_domain; + } else { + /* + * A domain SID has already been set. Check whether this SID's + * domain matches. + * + * Assuming that resource SIDs have been obtained with + * dsdb_expand_nested_groups(), they should all be within the + * same domain (ours), so unless something has gone horribly + * wrong, we should always find that they match. + */ + bool match = dom_sid_equal(resource_groups->domain_sid, resource_domain); + talloc_free(resource_domain); + if (!match) { + /* + * It doesn't match, so we can't store this SID here. It + * will have to go in Extra SIDs. + */ + return store_extra_sid(sids, sidcount, allocated_sids, sid); + } + } + + /* Store the SID in Resource SIDs. */ + + /* Check we aren't about to overflow our allocation. */ + if (resource_groups->groups.count >= allocated_resource_groups) { + return NT_STATUS_INVALID_PARAMETER; + } + + resource_groups->groups.rids[resource_groups->groups.count].rid = rid; + resource_groups->groups.rids[resource_groups->groups.count].attributes = sid->attrs; + resource_groups->groups.count++; + + return NT_STATUS_OK; +} + +/* + * Stores a SID in a previously allocated array, or excludes it if we are not + * storing resource groups. It will be placed in either Extra SIDs or Resource + * SIDs, depending on which is appropriate. + */ +static NTSTATUS store_sid(struct netr_SidAttr *sids, + uint32_t *sidcount, + const uint32_t allocated_sids, + const struct auth_SidAttr *sid, + struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups, + const uint32_t allocated_resource_groups, + const enum auth_group_inclusion group_inclusion) +{ + /* See if it's a resource SID. */ + if (sid->attrs & SE_GROUP_RESOURCE) { + /* + * If this is the SID of a resource group, determine whether it + * should be included or filtered out. + */ + switch (group_inclusion) { + case AUTH_INCLUDE_RESOURCE_GROUPS: + /* Include this SID in Extra SIDs. */ + break; + case AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED: + /* + * Try to include this SID in Resource Groups. If this + * can't be arranged, we shall fall back to Extra + * SIDs. + */ + return store_resource_sid(sids, + sidcount, + allocated_sids, + sid, + resource_groups, + allocated_resource_groups); + case AUTH_EXCLUDE_RESOURCE_GROUPS: + /* Ignore this SID. */ + return NT_STATUS_OK; + default: + /* This means we have a bug. */ + DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion); + return NT_STATUS_INVALID_PARAMETER; + } + } + + /* Just store the SID in Extra SIDs. */ + return store_extra_sid(sids, + sidcount, + allocated_sids, + sid); +} + +static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + struct netr_SamBaseInfo *sam) +{ + NTSTATUS status; + const struct auth_user_info *info; + + ZERO_STRUCTP(sam); + + if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) { + status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, + &sam->domain_sid, &sam->rid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } else { + return NT_STATUS_INVALID_PARAMETER; + } + + if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) { + status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, + NULL, &sam->primary_gid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } else { + /* if we have to encode something like SYSTEM (with no + * second SID in the token) then this is the only + * choice */ + sam->primary_gid = sam->rid; + } + + info = user_info_dc->info; + + sam->logon_time = info->last_logon; + sam->logoff_time = info->last_logoff; + sam->kickoff_time = info->acct_expiry; + sam->last_password_change = info->last_password_change; + sam->allow_password_change = info->allow_password_change; + sam->force_password_change = info->force_password_change; + +#define _COPY_STRING_TALLOC(src_name, dst_name) do { \ + if (info->src_name != NULL) {\ + sam->dst_name.string = talloc_strdup(mem_ctx, info->src_name); \ + if (sam->dst_name.string == NULL) { \ + return NT_STATUS_NO_MEMORY; \ + } \ + } \ +} while(0) + _COPY_STRING_TALLOC(account_name, account_name); + _COPY_STRING_TALLOC(full_name, full_name); + _COPY_STRING_TALLOC(logon_script, logon_script); + _COPY_STRING_TALLOC(profile_path, profile_path); + _COPY_STRING_TALLOC(home_directory, home_directory); + _COPY_STRING_TALLOC(home_drive, home_drive); + _COPY_STRING_TALLOC(logon_server, logon_server); + _COPY_STRING_TALLOC(domain_name, logon_domain); +#undef _COPY_STRING_TALLOC + + sam->logon_count = info->logon_count; + sam->bad_password_count = info->bad_password_count; + sam->groups.count = 0; + sam->groups.rids = NULL; + + if (user_info_dc->num_sids > REMAINING_SIDS_INDEX) { + size_t i; + sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithAttribute, + user_info_dc->num_sids); + + if (sam->groups.rids == NULL) + return NT_STATUS_NO_MEMORY; + + for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) { + struct auth_SidAttr *group_sid = &user_info_dc->sids[i]; + + bool belongs_in_base = is_base_sid(group_sid, sam->domain_sid); + if (!belongs_in_base) { + /* We handle this elsewhere */ + continue; + } + sam->groups.rids[sam->groups.count].rid = + group_sid->sid.sub_auths[group_sid->sid.num_auths-1]; + + sam->groups.rids[sam->groups.count].attributes = group_sid->attrs; + sam->groups.count += 1; + } + + if (sam->groups.count == 0) { + TALLOC_FREE(sam->groups.rids); + } + } + + sam->user_flags = info->user_flags; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */ + sam->acct_flags = user_info_dc->info->acct_flags; + sam->sub_auth_status = 0; + sam->last_successful_logon = 0; + sam->last_failed_logon = 0; + sam->failed_logon_count = 0; + sam->reserved = 0; + + ZERO_STRUCT(sam->key); + if (user_info_dc->user_session_key.length == sizeof(sam->key.key)) { + memcpy(sam->key.key, user_info_dc->user_session_key.data, sizeof(sam->key.key)); + } + + ZERO_STRUCT(sam->LMSessKey); + if (user_info_dc->lm_session_key.length == sizeof(sam->LMSessKey.key)) { + memcpy(sam->LMSessKey.key, user_info_dc->lm_session_key.data, + sizeof(sam->LMSessKey.key)); + } + + return NT_STATUS_OK; +} + +/* Note that the validity of the _sam6 and resource_groups structures is only as + * long as the user_info_dc it was generated from */ +NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo6 **_sam6, + struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups) +{ + NTSTATUS status; + struct netr_SamInfo6 *sam6 = NULL; + struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL; + size_t i; + + const uint32_t allocated_sids = user_info_dc->num_sids; + uint32_t allocated_resource_groups = 0; + + sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6); + if (sam6 == NULL) { + return NT_STATUS_NO_MEMORY; + } + + if (_resource_groups == NULL) { + if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) { + DBG_ERR("_resource_groups parameter not provided to receive resource groups!\n"); + TALLOC_FREE(sam6); + return NT_STATUS_INVALID_PARAMETER; + } + } else if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) { + *_resource_groups = NULL; + + /* Allocate resource groups structure. */ + resource_groups = talloc_zero(mem_ctx, struct PAC_DOMAIN_GROUP_MEMBERSHIP); + if (resource_groups == NULL) { + TALLOC_FREE(sam6); + return NT_STATUS_NO_MEMORY; + } + + /* + * Allocate enough space to store user_info_dc->num_sids + * RIDs in the worst case. + */ + allocated_resource_groups = user_info_dc->num_sids; + resource_groups->groups.rids = talloc_zero_array(resource_groups, + struct samr_RidWithAttribute, + allocated_resource_groups); + if (resource_groups->groups.rids == NULL) { + TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); + return NT_STATUS_NO_MEMORY; + } + } else { + /* No resource groups will be provided. */ + *_resource_groups = NULL; + } + + status = auth_convert_user_info_dc_sambaseinfo(sam6, + user_info_dc, + &sam6->base); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); + return status; + } + + /* + * Allocate enough space to store user_info_dc->num_sids SIDs in the + * worst case. + */ + sam6->sids = talloc_zero_array(sam6, struct netr_SidAttr, + allocated_sids); + if (sam6->sids == NULL) { + TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); + return NT_STATUS_NO_MEMORY; + } + + /* We don't put the user and group SIDs in there */ + for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) { + struct auth_SidAttr *group_sid = &user_info_dc->sids[i]; + bool belongs_in_base = is_base_sid(group_sid, sam6->base.domain_sid); + if (belongs_in_base) { + /* We already handled this in the base. */ + continue; + } + + status = store_sid(sam6->sids, + &sam6->sidcount, + allocated_sids, + group_sid, + resource_groups, + allocated_resource_groups, + group_inclusion); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); + return status; + } + } + if (sam6->sidcount) { + sam6->base.user_flags |= NETLOGON_EXTRA_SIDS; + } else { + sam6->base.user_flags &= ~NETLOGON_EXTRA_SIDS; + TALLOC_FREE(sam6->sids); + } + + if (user_info_dc->info->dns_domain_name != NULL) { + sam6->dns_domainname.string = talloc_strdup(sam6, + user_info_dc->info->dns_domain_name); + if (sam6->dns_domainname.string == NULL) { + TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); + return NT_STATUS_NO_MEMORY; + } + } + + if (user_info_dc->info->user_principal_name != NULL) { + sam6->principal_name.string = talloc_strdup(sam6, + user_info_dc->info->user_principal_name); + if (sam6->principal_name.string == NULL) { + TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); + return NT_STATUS_NO_MEMORY; + } + } + + *_sam6 = sam6; + if (resource_groups != NULL) { + if (resource_groups->groups.count > 0) { + *_resource_groups = resource_groups; + } else { + TALLOC_FREE(resource_groups); + } + } + return NT_STATUS_OK; +} + +/* Note that the validity of the _sam2 structure is only as long as + * the user_info_dc it was generated from */ +NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo2 **_sam2) +{ + NTSTATUS status; + struct netr_SamInfo6 *sam6 = NULL; + struct netr_SamInfo2 *sam2 = NULL; + + sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2); + if (sam2 == NULL) { + return NT_STATUS_NO_MEMORY; + } + + status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, + group_inclusion, &sam6, + NULL); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sam2); + return status; + } + sam2->base = sam6->base; + /* + * We have nowhere to put sam6->sids, so we follow Windows here and drop + * it. Any resource groups it happened to contain are lost. + */ + sam2->base.user_flags &= ~NETLOGON_EXTRA_SIDS; + TALLOC_FREE(sam6->sids); + + *_sam2 = sam2; + return NT_STATUS_OK; +} + +/* Note that the validity of the _sam3 structure is only as long as + * the user_info_dc it was generated from */ +NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo3 **_sam3, + struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups) +{ + NTSTATUS status; + struct netr_SamInfo6 *sam6 = NULL; + struct netr_SamInfo3 *sam3 = NULL; + + sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3); + if (sam3 == NULL) { + return NT_STATUS_NO_MEMORY; + } + + status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, + group_inclusion, &sam6, + _resource_groups); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sam3); + return status; + } + sam3->base = sam6->base; + sam3->sidcount = sam6->sidcount; + sam3->sids = sam6->sids; + + *_sam3 = sam3; + return NT_STATUS_OK; +} + +/** + * Make a user_info struct from the info3 or similar returned by a domain logon. + * + * The netr_SamInfo3 is also a key structure in the source3 auth subsystem + */ + +NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, + const char *account_name, + const struct netr_SamBaseInfo *base, + bool authenticated, + struct auth_user_info **_user_info) +{ + struct auth_user_info *info; + + info = talloc_zero(mem_ctx, struct auth_user_info); + if (info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + if (base->account_name.string) { + info->account_name = talloc_strdup(info, base->account_name.string); + } else { + info->account_name = talloc_strdup(info, account_name); + } + if (info->account_name == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + + if (base->logon_domain.string) { + info->domain_name = talloc_strdup(info, base->logon_domain.string); + if (info->domain_name == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + } + + if (base->full_name.string) { + info->full_name = talloc_strdup(info, base->full_name.string); + if (info->full_name == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + } + if (base->logon_script.string) { + info->logon_script = talloc_strdup(info, base->logon_script.string); + if (info->logon_script == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + } + if (base->profile_path.string) { + info->profile_path = talloc_strdup(info, base->profile_path.string); + if (info->profile_path == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + } + if (base->home_directory.string) { + info->home_directory = talloc_strdup(info, base->home_directory.string); + if (info->home_directory == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + } + if (base->home_drive.string) { + info->home_drive = talloc_strdup(info, base->home_drive.string); + if (info->home_drive == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + } + if (base->logon_server.string) { + info->logon_server = talloc_strdup(info, base->logon_server.string); + if (info->logon_server == NULL) { + talloc_free(info); + return NT_STATUS_NO_MEMORY; + } + } + info->last_logon = base->logon_time; + info->last_logoff = base->logoff_time; + info->acct_expiry = base->kickoff_time; + info->last_password_change = base->last_password_change; + info->allow_password_change = base->allow_password_change; + info->force_password_change = base->force_password_change; + info->logon_count = base->logon_count; + info->bad_password_count = base->bad_password_count; + info->acct_flags = base->acct_flags; + + info->user_flags = base->user_flags; + if (!authenticated) { + /* + * We only consider the user authenticated if NETLOGON_GUEST is + * not set, and authenticated is set + */ + info->user_flags |= NETLOGON_GUEST; + } + + *_user_info = info; + return NT_STATUS_OK; +} + +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src) +{ + struct auth_user_info *dst = NULL; + + dst = talloc_zero(mem_ctx, struct auth_user_info); + if (dst == NULL) { + return NULL; + } + + *dst = *src; +#define _COPY_STRING(_mem, _str) do { \ + if ((_str) != NULL) { \ + (_str) = talloc_strdup((_mem), (_str)); \ + if ((_str) == NULL) { \ + TALLOC_FREE(dst); \ + return NULL; \ + } \ + } \ +} while(0) + _COPY_STRING(dst, dst->account_name); + _COPY_STRING(dst, dst->user_principal_name); + _COPY_STRING(dst, dst->domain_name); + _COPY_STRING(dst, dst->dns_domain_name); + _COPY_STRING(dst, dst->full_name); + _COPY_STRING(dst, dst->logon_script); + _COPY_STRING(dst, dst->profile_path); + _COPY_STRING(dst, dst->home_directory); + _COPY_STRING(dst, dst->home_drive); + _COPY_STRING(dst, dst->logon_server); +#undef _COPY_STRING + + return dst; +} + +/** + * Make a user_info_dc struct from the info3 returned by a domain logon + */ +NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, + const char *account_name, + uint16_t validation_level, + const union netr_Validation *validation, + bool authenticated, + struct auth_user_info_dc **_user_info_dc) +{ + NTSTATUS status; + struct auth_user_info_dc *user_info_dc = NULL; + const struct netr_SamBaseInfo *base = NULL; + uint32_t sidcount = 0; + const struct netr_SidAttr *sids = NULL; + const char *dns_domainname = NULL; + const char *principal = NULL; + uint32_t i; + + switch (validation_level) { + case 2: + if (!validation || !validation->sam2) { + return NT_STATUS_INVALID_PARAMETER; + } + base = &validation->sam2->base; + break; + case 3: + if (!validation || !validation->sam3) { + return NT_STATUS_INVALID_PARAMETER; + } + base = &validation->sam3->base; + sidcount = validation->sam3->sidcount; + sids = validation->sam3->sids; + break; + case 6: + if (!validation || !validation->sam6) { + return NT_STATUS_INVALID_PARAMETER; + } + base = &validation->sam6->base; + sidcount = validation->sam6->sidcount; + sids = validation->sam6->sids; + dns_domainname = validation->sam6->dns_domainname.string; + principal = validation->sam6->principal_name.string; + break; + default: + return NT_STATUS_INVALID_LEVEL; + } + + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); + if (user_info_dc == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + if (!base->domain_sid) { + DEBUG(0, ("Cannot operate on a Netlogon Validation without a domain SID\n")); + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + + /* The IDL layer would be a better place to check this, but to + * guard the integer addition below, we double-check */ + if (base->groups.count > 65535) { + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + + user_info_dc->num_sids = PRIMARY_SIDS_COUNT; + + user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids + base->groups.count); + if (user_info_dc->sids == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + + user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) { + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS; + + user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) { + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + /* + * This attribute value might be wrong if the primary group is a + * resource group. But a resource group is not meant to be in a primary + * group in the first place, and besides, these attributes will never + * make their way into a PAC. + */ + user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS; + + for (i = 0; i < base->groups.count; i++) { + user_info_dc->sids[user_info_dc->num_sids].sid = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, base->groups.rids[i].rid)) { + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + user_info_dc->sids[user_info_dc->num_sids].attrs = base->groups.rids[i].attributes; + user_info_dc->num_sids++; + } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + /* + * The IDL layer would be a better place to check this, but to + * guard the integer addition below, we double-check + */ + if (sidcount > UINT16_MAX) { + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + + if (sidcount > 0) { + struct auth_SidAttr *dgrps = user_info_dc->sids; + size_t dgrps_count; + + dgrps_count = user_info_dc->num_sids + sidcount; + dgrps = talloc_realloc(user_info_dc, dgrps, struct auth_SidAttr, + dgrps_count); + if (dgrps == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < sidcount; i++) { + if (sids[i].sid) { + dgrps[user_info_dc->num_sids].sid = *sids[i].sid; + dgrps[user_info_dc->num_sids].attrs = sids[i].attributes; + user_info_dc->num_sids++; + } + } + + user_info_dc->sids = dgrps; + + /* Where are the 'global' sids?... */ + } + + status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(user_info_dc); + return status; + } + + if (dns_domainname != NULL) { + user_info_dc->info->dns_domain_name = talloc_strdup(user_info_dc->info, + dns_domainname); + if (user_info_dc->info->dns_domain_name == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + } + + if (principal != NULL) { + user_info_dc->info->user_principal_name = talloc_strdup(user_info_dc->info, + principal); + if (user_info_dc->info->user_principal_name == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + } + + /* ensure we are never given NULL session keys */ + + if (all_zero(base->key.key, sizeof(base->key.key))) { + user_info_dc->user_session_key = data_blob(NULL, 0); + } else { + user_info_dc->user_session_key = data_blob_talloc(user_info_dc, base->key.key, sizeof(base->key.key)); + if (user_info_dc->user_session_key.data == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + } + + if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) { + user_info_dc->lm_session_key = data_blob(NULL, 0); + } else { + user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, base->LMSessKey.key, sizeof(base->LMSessKey.key)); + if (user_info_dc->lm_session_key.data == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + } + + *_user_info_dc = user_info_dc; + return NT_STATUS_OK; +} + +/** + * Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 + * logon. For group_inclusion, pass AUTH_INCLUDE_RESOURCE_GROUPS if SIDs from + * the resource groups are to be included in the resulting structure, and pass + * AUTH_EXCLUDE_RESOURCE_GROUPS otherwise. + */ +NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, + const struct PAC_LOGON_INFO *pac_logon_info, + const struct PAC_UPN_DNS_INFO *pac_upn_dns_info, + const enum auth_group_inclusion group_inclusion, + struct auth_user_info_dc **_user_info_dc) +{ + uint32_t i; + NTSTATUS nt_status; + union netr_Validation validation; + struct auth_user_info_dc *user_info_dc; + const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL; + size_t sidcount; + + validation.sam3 = discard_const_p(struct netr_SamInfo3, &pac_logon_info->info3); + + nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, + true, /* This user was authenticated */ + &user_info_dc); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + if (pac_logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) { + switch (group_inclusion) { + case AUTH_INCLUDE_RESOURCE_GROUPS: + /* Take resource groups from the PAC. */ + rg = &pac_logon_info->resource_groups; + break; + case AUTH_EXCLUDE_RESOURCE_GROUPS: + /* + * The PAC is from a TGT, or we don't want to process + * its resource groups. + */ + break; + default: + DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion); + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + } + + if (rg != NULL && rg->groups.count > 0) { + /* The IDL layer would be a better place to check this, but to + * guard the integer addition below, we double-check */ + if (rg->groups.count > 65535) { + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + if (rg->domain_sid == NULL) { + talloc_free(user_info_dc); + DEBUG(0, ("Cannot operate on a PAC without a resource domain SID\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + sidcount = user_info_dc->num_sids + rg->groups.count; + user_info_dc->sids + = talloc_realloc(user_info_dc, user_info_dc->sids, struct auth_SidAttr, sidcount); + if (user_info_dc->sids == NULL) { + TALLOC_FREE(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < rg->groups.count; i++) { + bool ok; + + user_info_dc->sids[user_info_dc->num_sids].sid = *rg->domain_sid; + ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, + rg->groups.rids[i].rid); + if (!ok) { + talloc_free(user_info_dc); + return NT_STATUS_INVALID_PARAMETER; + } + user_info_dc->sids[user_info_dc->num_sids].attrs = rg->groups.rids[i].attributes; + user_info_dc->num_sids++; + } + } + + if (pac_upn_dns_info != NULL) { + if (pac_upn_dns_info->upn_name != NULL) { + user_info_dc->info->user_principal_name = + talloc_strdup(user_info_dc->info, + pac_upn_dns_info->upn_name); + if (user_info_dc->info->user_principal_name == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + } + + user_info_dc->info->dns_domain_name = + talloc_strdup(user_info_dc->info, + pac_upn_dns_info->dns_domain_name); + if (user_info_dc->info->dns_domain_name == NULL) { + talloc_free(user_info_dc); + return NT_STATUS_NO_MEMORY; + } + + if (pac_upn_dns_info->flags & PAC_UPN_DNS_FLAG_CONSTRUCTED) { + user_info_dc->info->user_principal_constructed = true; + } + } + + *_user_info_dc = user_info_dc; + return NT_STATUS_OK; +} diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h new file mode 100644 index 0000000..57a9824 --- /dev/null +++ b/auth/auth_sam_reply.h @@ -0,0 +1,92 @@ +/* + Unix SMB/CIFS implementation. + + Convert a server info struct into the form for PAC and NETLOGON replies + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 + Copyright (C) Stefan Metzmacher <metze@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __AUTH_AUTH_SAM_REPLY_H__ +#define __AUTH_AUTH_SAM_REPLY_H__ + +#include "libcli/util/ntstatus.h" +#include "libcli/util/werror.h" +#include "librpc/gen_ndr/auth.h" + +#undef _PRINTF_ATTRIBUTE +#define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2) +/* this file contains prototypes for functions that are private + * to this subsystem or library. These functions should not be + * used outside this particular subsystem! */ + + +/* The following definitions come from auth/auth_sam_reply.c */ + +NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, + const char *account_name, + const struct netr_SamBaseInfo *base, + bool authenticated, + struct auth_user_info **_user_info); + +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src); + +NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo6 **_sam6, + struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups); +NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo2 **_sam2); +NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo3 **_sam3, + struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups); + +/** + * Make a user_info_dc struct from the info3 returned by a domain logon + */ +NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, + const char *account_name, + uint16_t validation_level, + const union netr_Validation *validation, + bool authenticated, + struct auth_user_info_dc **_user_info_dc); + +/** + * Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 logon + */ +NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, + const struct PAC_LOGON_INFO *pac_logon_info, + const struct PAC_UPN_DNS_INFO *pac_upn_dns_info, + enum auth_group_inclusion group_inclusion, + struct auth_user_info_dc **_user_info_dc); + +/* The following definitions come from auth/wbc_auth_util.c */ + +struct wbcAuthUserInfo; + +struct netr_SamInfo6 *wbcAuthUserInfo_to_netr_SamInfo6(TALLOC_CTX *mem_ctx, + const struct wbcAuthUserInfo *info); + +#undef _PRINTF_ATTRIBUTE +#define _PRINTF_ATTRIBUTE(a1, a2) + +#endif /* __AUTH_AUTH_SAM_REPLY_H__ */ diff --git a/auth/auth_util.c b/auth/auth_util.c new file mode 100644 index 0000000..ec9094d --- /dev/null +++ b/auth/auth_util.c @@ -0,0 +1,71 @@ +/* + Unix SMB/CIFS implementation. + Authentication utility functions + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_auth.h" +#include "auth_util.h" + +struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, + const struct auth_session_info *src) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct auth_session_info *dst; + DATA_BLOB blob; + enum ndr_err_code ndr_err; + + ndr_err = ndr_push_struct_blob( + &blob, + frame, + src, + (ndr_push_flags_fn_t)ndr_push_auth_session_info); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DBG_ERR("copy_session_info(): ndr_push_auth_session_info " + "failed: %s\n", + ndr_errstr(ndr_err)); + TALLOC_FREE(frame); + return NULL; + } + + dst = talloc_zero(mem_ctx, struct auth_session_info); + if (dst == NULL) { + DBG_ERR("talloc failed\n"); + TALLOC_FREE(frame); + return NULL; + } + + ndr_err = ndr_pull_struct_blob( + &blob, + dst, + dst, + (ndr_pull_flags_fn_t)ndr_pull_auth_session_info); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DBG_ERR("copy_session_info(): ndr_pull_auth_session_info " + "failed: %s\n", + ndr_errstr(ndr_err)); + TALLOC_FREE(dst); + TALLOC_FREE(frame); + return NULL; + } + + TALLOC_FREE(frame); + return dst; +} diff --git a/auth/auth_util.h b/auth/auth_util.h new file mode 100644 index 0000000..0af6ff5 --- /dev/null +++ b/auth/auth_util.h @@ -0,0 +1,32 @@ +/* + Unix SMB/CIFS implementation. + Authentication utility functions + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __AUTH_AUTH_UTIL_H__ +#define __AUTH_AUTH_UTIL_H__ + +#include "replace.h" +#include <talloc.h> +#include "librpc/gen_ndr/auth.h" + +struct auth_session_info *copy_session_info( + TALLOC_CTX *mem_ctx, + const struct auth_session_info *src); + +#endif diff --git a/auth/authn_policy.c b/auth/authn_policy.c new file mode 100644 index 0000000..5929c00 --- /dev/null +++ b/auth/authn_policy.c @@ -0,0 +1,198 @@ +/* + Unix SMB/CIFS implementation. + Samba Active Directory authentication policy functions + + Copyright (C) Catalyst.Net Ltd 2023 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "lib/replace/replace.h" +#include "auth/authn_policy.h" +#include "auth/authn_policy_impl.h" + +bool authn_policy_is_enforced(const struct authn_policy *policy) +{ + return policy->enforced; +} + +/* Authentication policies for Kerberos clients. */ + +/* Is an authentication policy enforced? */ +bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy) +{ + return authn_policy_is_enforced(&policy->policy); +} + +/* Get the raw TGT lifetime enforced by an authentication policy. */ +int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy) +{ + if (policy == NULL) { + return 0; + } + + if (!authn_policy_is_enforced(&policy->policy)) { + return 0; + } + + return policy->tgt_lifetime_raw; +} + +/* Auditing information. */ + +enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info) +{ + bool is_enforced; + + if (audit_info->event == AUTHN_AUDIT_EVENT_OK) { + /* We didn’t get an error. */ + return AUTH_EVT_ID_NONE; + } + + if (audit_info->policy == NULL) { + /* + * We got an error, but there’s no policy, so it must have + * stemmed from something else. + */ + return AUTH_EVT_ID_NONE; + } + + is_enforced = authn_policy_is_enforced(audit_info->policy); + + switch (audit_info->event) { + case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION: + if (is_enforced) { + return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION; + } + + return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT; + + case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION: + if (is_enforced) { + return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION; + } + + return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT; + + case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION: + if (is_enforced) { + return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION; + } + + /* No relevant event ID. */ + break; + + case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION: + case AUTHN_AUDIT_EVENT_OTHER_ERROR: + default: + /* No relevant event ID. */ + break; + } + + return AUTH_EVT_ID_NONE; +} + +const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info) +{ + if (audit_info->policy == NULL) { + return NULL; + } + + return audit_info->policy->silo_name; +} + +const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info) +{ + if (audit_info->policy == NULL) { + return NULL; + } + + return audit_info->policy->policy_name; +} + +const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info) +{ + if (audit_info->policy == NULL) { + return NULL; + } + + return &audit_info->policy->enforced; +} + +const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info) +{ + return audit_info->client_info; +} + +const char *authn_audit_info_event(const struct authn_audit_info *audit_info) +{ + switch (audit_info->event) { + case AUTHN_AUDIT_EVENT_OK: + return "OK"; + case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION: + return "KERBEROS_DEVICE_RESTRICTION"; + case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION: + return "KERBEROS_SERVER_RESTRICTION"; + case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION: + return "NTLM_DEVICE_RESTRICTION"; + case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION: + return "NTLM_SERVER_RESTRICTION"; + case AUTHN_AUDIT_EVENT_OTHER_ERROR: + default: + return "OTHER_ERROR"; + } +} + +const char *authn_audit_info_reason(const struct authn_audit_info *audit_info) +{ + switch (audit_info->reason) { + case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID: + return "DESCRIPTOR_INVALID"; + case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER: + return "DESCRIPTOR_NO_OWNER"; + case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE: + return "SECURITY_TOKEN_FAILURE"; + case AUTHN_AUDIT_REASON_ACCESS_DENIED: + return "ACCESS_DENIED"; + case AUTHN_AUDIT_REASON_FAST_REQUIRED: + return "FAST_REQUIRED"; + case AUTHN_AUDIT_REASON_NONE: + default: + return NULL; + } +} + +NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info) +{ + return audit_info->policy_status; +} + +const char *authn_audit_info_location(const struct authn_audit_info *audit_info) +{ + return audit_info->location; +} + +struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info) +{ + int64_t lifetime; + + if (!audit_info->tgt_lifetime_raw.is_present) { + return authn_int64_none(); + } + + lifetime = audit_info->tgt_lifetime_raw.val; + lifetime /= INT64_C(1000) * 1000 * 10 * 60; + + return authn_int64_some(lifetime); +} diff --git a/auth/authn_policy.h b/auth/authn_policy.h new file mode 100644 index 0000000..f2142fe --- /dev/null +++ b/auth/authn_policy.h @@ -0,0 +1,87 @@ +/* + Unix SMB/CIFS implementation. + Samba Active Directory authentication policy functions + + Copyright (C) Catalyst.Net Ltd 2023 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef KDC_AUTHN_POLICY_H +#define KDC_AUTHN_POLICY_H + +#include "lib/replace/replace.h" +#include "libcli/util/ntstatus.h" +#include "librpc/gen_ndr/windows_event_ids.h" + +/* Authentication policies for Kerberos clients. */ + +struct authn_kerberos_client_policy; + +/* Is an authentication policy enforced? */ +bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy); + +/* Get the raw TGT lifetime enforced by an authentication policy. */ +int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy); + +/* Auditing information. */ + +struct authn_audit_info; + +/* This enum should be kept in sync with authn_audit_info_event(). */ +enum authn_audit_event { + AUTHN_AUDIT_EVENT_OK = 0, + AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION, + AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION, + AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION, + AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION, + AUTHN_AUDIT_EVENT_OTHER_ERROR, +}; + +/* This enum should be kept in sync with authn_audit_info_reason(). */ +enum authn_audit_reason { + AUTHN_AUDIT_REASON_NONE = 0, + AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID, + AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER, + AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE, + AUTHN_AUDIT_REASON_ACCESS_DENIED, + AUTHN_AUDIT_REASON_FAST_REQUIRED, +}; + +enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info); + +const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info); + +const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info); + +const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info); + +const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info); + +const char *authn_audit_info_event(const struct authn_audit_info *audit_info); + +const char *authn_audit_info_reason(const struct authn_audit_info *audit_info); + +NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info); + +const char *authn_audit_info_location(const struct authn_audit_info *audit_info); + +struct authn_int64_optional { + bool is_present; + int64_t val; +}; + +struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info); + +#endif diff --git a/auth/authn_policy_impl.h b/auth/authn_policy_impl.h new file mode 100644 index 0000000..121c6cb --- /dev/null +++ b/auth/authn_policy_impl.h @@ -0,0 +1,82 @@ +/* + Unix SMB/CIFS implementation. + Samba Active Directory authentication policy private implementation details + + Copyright (C) Catalyst.Net Ltd 2023 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef KDC_AUTHN_POLICY_IMPL_H +#define KDC_AUTHN_POLICY_IMPL_H + +#include "lib/replace/replace.h" + +#include "auth/authn_policy.h" +#include "lib/util/data_blob.h" +#include "libcli/util/ntstatus.h" + +struct authn_policy { + const char *silo_name; + const char *policy_name; + bool enforced; +}; + +bool authn_policy_is_enforced(const struct authn_policy *policy); + +struct authn_kerberos_client_policy { + struct authn_policy policy; + DATA_BLOB allowed_to_authenticate_from; + int64_t tgt_lifetime_raw; +}; + +struct authn_ntlm_client_policy { + struct authn_policy policy; + DATA_BLOB allowed_to_authenticate_from; + bool allowed_ntlm_network_auth; +}; + +struct authn_server_policy { + struct authn_policy policy; + DATA_BLOB allowed_to_authenticate_to; +}; + +/* Auditing information. */ + +struct authn_audit_info { + struct authn_policy *policy; + const struct auth_user_info_dc *client_info; + enum authn_audit_event event; + enum authn_audit_reason reason; + NTSTATUS policy_status; + const char *location; + struct authn_int64_optional tgt_lifetime_raw; +}; + +static inline struct authn_int64_optional authn_int64_some(const int64_t val) +{ + return (struct authn_int64_optional) { + .is_present = true, + .val = val, + }; +} + +static inline struct authn_int64_optional authn_int64_none(void) +{ + return (struct authn_int64_optional) { + .is_present = false, + }; +} + +#endif diff --git a/auth/common_auth.h b/auth/common_auth.h new file mode 100644 index 0000000..1afb79e --- /dev/null +++ b/auth/common_auth.h @@ -0,0 +1,240 @@ +/* + Unix SMB/CIFS implementation. + Standardised Authentication types + Copyright (C) Andrew Bartlett 2001-2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef AUTH_COMMON_AUTH_H +#define AUTH_COMMON_AUTH_H + +#include "librpc/gen_ndr/auth.h" + +#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */ +#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ +#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */ +#define USER_INFO_INTERACTIVE_LOGON 0x08 /* Interactive logon */ +/*unused #define USER_INFO_LOCAL_SAM_ONLY 0x10 Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */ +#define USER_INFO_INFO3_AND_NO_AUTHZ 0x20 /* Only fill in server_info->info3 and do not do any authorization steps */ + +enum auth_password_state { + AUTH_PASSWORD_PLAIN = 1, + AUTH_PASSWORD_HASH = 2, + AUTH_PASSWORD_RESPONSE = 3 +}; + +#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */ +#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */ +#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privileges, rather than a DB */ +#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */ +#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */ +#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */ +#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS 0x40 /* Add the device to the default world and network groups */ +#define AUTH_SESSION_INFO_DEVICE_AUTHENTICATED 0x80 /* Add the device to the 'authenticated users' group */ + +struct auth_usersupplied_info +{ + const char *workstation_name; + const struct tsocket_address *remote_host; + const struct tsocket_address *local_host; + + uint32_t logon_parameters; + + bool cracknames_called; + bool was_mapped; + uint64_t logon_id; + /* the values the client gives us */ + struct { + const char *account_name; + const char *domain_name; + } client, mapped, orig_client; + + enum auth_password_state password_state; + + struct { + struct { + DATA_BLOB lanman; + DATA_BLOB nt; + } response; + struct { + struct samr_Password *lanman; + struct samr_Password *nt; + } hash; + + char *plaintext; + } password; + uint32_t flags; + + struct { + uint32_t negotiate_flags; + enum netr_SchannelType secure_channel_type; + const char *computer_name; /* [charset(UTF8)] */ + const char *account_name; /* [charset(UTF8)] */ + struct dom_sid *sid; /* [unique] */ + } netlogon_trust_account; + + const char *service_description; + const char *auth_description; + + /* + * for logging only, normally worked out from the password but + * for krb5 logging only (krb5 normally doesn't use this) we + * record the enc type here + */ + const char *password_type; +}; + +struct auth_method_context; +struct tevent_context; +struct imessaging_context; +struct loadparm_context; +struct ldb_context; +struct smb_krb5_context; + +struct auth4_context { + struct { + /* Who set this up in the first place? */ + const char *set_by; + + DATA_BLOB data; + } challenge; + + /* methods, in the order they should be called */ + struct auth_method_context *methods; + + /* the event context to use for calls that can block */ + struct tevent_context *event_ctx; + + /* the messaging context which can be used by backends */ + struct imessaging_context *msg_ctx; + + /* loadparm context */ + struct loadparm_context *lp_ctx; + + /* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */ + struct ldb_context *sam_ctx; + + /* The time this authentication started */ + struct timeval start_time; + + /* Private data for the callbacks on this auth context */ + void *private_data; + + /* Kerberos context, set up on demand */ + struct smb_krb5_context *smb_krb5_context; + + struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct auth4_context *auth_ctx, + const struct auth_usersupplied_info *user_info); + NTSTATUS (*check_ntlm_password_recv)(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uint8_t *pauthoritative, + void **server_returned_info, + DATA_BLOB *nt_session_key, + DATA_BLOB *lm_session_key); + + NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]); + + NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by); + + NTSTATUS (*generate_session_info)(struct auth4_context *auth_context, + TALLOC_CTX *mem_ctx, + void *server_returned_info, + const char *original_user_name, + uint32_t session_info_flags, + struct auth_session_info **session_info); + + NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info); +}; + +#define AUTHZ_TRANSPORT_PROTECTION_NONE "NONE" +#define AUTHZ_TRANSPORT_PROTECTION_SMB "SMB" +#define AUTHZ_TRANSPORT_PROTECTION_TLS "TLS" +#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL" +#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN" + +/* + * Log details of an authentication attempt. + * Successful and unsuccessful attempts are logged. + * + * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the + * authentication events over the message bus. + */ +struct authn_audit_info; +void log_authentication_event(struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct timeval *start_time, + const struct auth_usersupplied_info *ui, + NTSTATUS status, + const char *domain_name, + const char *account_name, + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info); + +/* + * Log details of a successful authorization to a service. + * + * Only successful authorizations are logged. For clarity: + * - NTLM bad passwords will be recorded by log_authentication_event + * - Kerberos decrypt failures need to be logged in gensec_gssapi et al + * + * The service may later refuse authorization due to an ACL. + * + * + * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the + * authorization events over the message bus. + */ +void log_successful_authz_event(struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + const char *transport_protection, + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info); + +/* + * Log details of an authorization to a service. + * + * NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the + * authorization events over the message bus. + */ +void log_authz_event( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, + const char *service_description, + const char *auth_type, + const char *domain_name, + const char *account_name, + const struct dom_sid *sid, + const char *logon_server, + const struct timeval authtime, + NTSTATUS status); + +#endif diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c new file mode 100644 index 0000000..20ab858 --- /dev/null +++ b/auth/credentials/credentials.c @@ -0,0 +1,1941 @@ +/* + Unix SMB/CIFS implementation. + + User credentials handling + + Copyright (C) Jelmer Vernooij 2005 + Copyright (C) Tim Potter 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ +#include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_internal.h" +#include "auth/gensec/gensec.h" +#include "libcli/auth/libcli_auth.h" +#include "tevent.h" +#include "param/param.h" +#include "system/filesys.h" +#include "system/passwd.h" + +/** + * Create a new credentials structure + * @param mem_ctx TALLOC_CTX parent for credentials structure + */ +_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) +{ + struct cli_credentials *cred = talloc_zero(mem_ctx, struct cli_credentials); + if (cred == NULL) { + return cred; + } + + cred->winbind_separator = '\\'; + + cred->kerberos_state = CRED_USE_KERBEROS_DESIRED; + + cred->signing_state = SMB_SIGNING_DEFAULT; + + /* + * The default value of lpcfg_client_ipc_signing() is REQUIRED, so use + * the same value here. + */ + cred->ipc_signing_state = SMB_SIGNING_REQUIRED; + cred->encryption_state = SMB_ENCRYPTION_DEFAULT; + + return cred; +} + +_PUBLIC_ +struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx) +{ + struct cli_credentials *server_creds = NULL; + NTSTATUS status; + bool ok; + + server_creds = cli_credentials_init(mem_ctx); + if (server_creds == NULL) { + return NULL; + } + + ok = cli_credentials_set_conf(server_creds, lp_ctx); + if (!ok) { + TALLOC_FREE(server_creds); + return NULL; + } + + status = cli_credentials_set_machine_account(server_creds, lp_ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to obtain server credentials: %s\n", + nt_errstr(status))); + TALLOC_FREE(server_creds); + return NULL; + } + + return server_creds; +} + +_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred, + void *callback_data) +{ + cred->priv_data = callback_data; +} + +_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred) +{ + return cred->priv_data; +} + +/** + * Create a new anonymous credential + * @param mem_ctx TALLOC_CTX parent for credentials structure + */ +_PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) +{ + struct cli_credentials *anon_credentials; + + anon_credentials = cli_credentials_init(mem_ctx); + cli_credentials_set_anonymous(anon_credentials); + + return anon_credentials; +} + +_PUBLIC_ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos kerberos_state, + enum credentials_obtained obtained) +{ + if (obtained >= creds->kerberos_state_obtained) { + creds->kerberos_state = kerberos_state; + creds->kerberos_state_obtained = obtained; + + return true; + } + + return false; +} + +_PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds, + const char *sasl_mech) +{ + TALLOC_FREE(creds->forced_sasl_mech); + creds->forced_sasl_mech = talloc_strdup(creds, sasl_mech); +} + +_PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, + enum credentials_krb_forwardable krb_forwardable) +{ + creds->krb_forwardable = krb_forwardable; +} + +_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) +{ + return creds->kerberos_state; +} + +_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds) +{ + return creds->forced_sasl_mech; +} + +_PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds) +{ + return creds->krb_forwardable; +} + +_PUBLIC_ bool cli_credentials_set_gensec_features(struct cli_credentials *creds, + uint32_t gensec_features, + enum credentials_obtained obtained) +{ + if (obtained >= creds->gensec_features_obtained) { + creds->gensec_features_obtained = obtained; + creds->gensec_features = gensec_features; + + return true; + } + + return false; +} + +_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds) +{ + return creds->gensec_features; +} + + +/** + * Obtain the username for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will never be NULL except by programmer error. + */ +_PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + if (cred->username_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; + cred->username = cred->username_cb(cred); + cred->callback_running = false; + if (cred->username_obtained == CRED_CALLBACK) { + cred->username_obtained = CRED_CALLBACK_RESULT; + cli_credentials_invalidate_ccache(cred, cred->username_obtained); + } + } + + return cred->username; +} + +/** + * @brief Obtain the username for this credentials context. + * + * @param[in] cred The credential context. + * + * @param[in] obtained A pointer to store the obtained information. + * + * return The user name or NULL if an error occurred. + */ +_PUBLIC_ const char * +cli_credentials_get_username_and_obtained(struct cli_credentials *cred, + enum credentials_obtained *obtained) +{ + if (obtained != NULL) { + *obtained = cred->username_obtained; + } + + return cli_credentials_get_username(cred); +} + +_PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred, + const char *val, enum credentials_obtained obtained) +{ + if (obtained >= cred->username_obtained) { + cred->username = talloc_strdup(cred, val); + cred->username_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->username_obtained); + return true; + } + + return false; +} + +_PUBLIC_ bool cli_credentials_set_username_callback(struct cli_credentials *cred, + const char *(*username_cb) (struct cli_credentials *)) +{ + if (cred->username_obtained < CRED_CALLBACK) { + cred->username_cb = username_cb; + cred->username_obtained = CRED_CALLBACK; + return true; + } + + return false; +} + +_PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred, + const char *bind_dn) +{ + cred->bind_dn = talloc_strdup(cred, bind_dn); + return true; +} + +/** + * Obtain the BIND DN for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will be NULL if not specified explicitly + */ +_PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred) +{ + return cred->bind_dn; +} + + +/** + * Obtain the client principal for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will never be NULL except by programmer error. + */ +_PUBLIC_ char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + if (cred->principal_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; + cred->principal = cred->principal_cb(cred); + cred->callback_running = false; + if (cred->principal_obtained == CRED_CALLBACK) { + cred->principal_obtained = CRED_CALLBACK_RESULT; + cli_credentials_invalidate_ccache(cred, cred->principal_obtained); + } + } + + if (cred->principal_obtained < cred->username_obtained + || cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) { + const char *effective_username = NULL; + const char *effective_realm = NULL; + enum credentials_obtained effective_obtained; + + effective_username = cli_credentials_get_username(cred); + if (effective_username == NULL || strlen(effective_username) == 0) { + *obtained = cred->username_obtained; + return NULL; + } + + if (cred->domain_obtained > cred->realm_obtained) { + effective_realm = cli_credentials_get_domain(cred); + effective_obtained = MIN(cred->domain_obtained, + cred->username_obtained); + } else { + effective_realm = cli_credentials_get_realm(cred); + effective_obtained = MIN(cred->realm_obtained, + cred->username_obtained); + } + + if (effective_realm == NULL || strlen(effective_realm) == 0) { + effective_realm = cli_credentials_get_domain(cred); + effective_obtained = MIN(cred->domain_obtained, + cred->username_obtained); + } + + if (effective_realm != NULL && strlen(effective_realm) != 0) { + *obtained = effective_obtained; + return talloc_asprintf(mem_ctx, "%s@%s", + effective_username, + effective_realm); + } + } + *obtained = cred->principal_obtained; + return talloc_strdup(mem_ctx, cred->principal); +} + +/** + * Obtain the client principal for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will never be NULL except by programmer error. + */ +_PUBLIC_ char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) +{ + enum credentials_obtained obtained; + return cli_credentials_get_principal_and_obtained(cred, mem_ctx, &obtained); +} + +_PUBLIC_ bool cli_credentials_set_principal(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->principal_obtained) { + cred->principal = talloc_strdup(cred, val); + if (cred->principal == NULL) { + return false; + } + cred->principal_obtained = obtained; + + cli_credentials_invalidate_ccache(cred, cred->principal_obtained); + return true; + } + + return false; +} + +/* Set a callback to get the principal. This could be a popup dialog, + * a terminal prompt or similar. */ +_PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cred, + const char *(*principal_cb) (struct cli_credentials *)) +{ + if (cred->principal_obtained < CRED_CALLBACK) { + cred->principal_cb = principal_cb; + cred->principal_obtained = CRED_CALLBACK; + return true; + } + + return false; +} + +/* Some of our tools are 'anonymous by default'. This is a single + * function to determine if authentication has been explicitly + * requested */ + +_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) +{ + uint32_t gensec_features = 0; + + if (cred->bind_dn) { + return true; + } + + /* + * If we forced the mech we clearly want authentication. E.g. to use + * SASL/EXTERNAL which has no credentials. + */ + if (cred->forced_sasl_mech) { + return true; + } + + if (cli_credentials_is_anonymous(cred)){ + return false; + } + + if (cred->principal_obtained >= CRED_SPECIFIED) { + return true; + } + if (cred->username_obtained >= CRED_SPECIFIED) { + return true; + } + + if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) { + return true; + } + + gensec_features = cli_credentials_get_gensec_features(cred); + if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) { + return true; + } + + if (gensec_features & GENSEC_FEATURE_SIGN) { + return true; + } + + if (gensec_features & GENSEC_FEATURE_SEAL) { + return true; + } + + return false; +} + +/** + * Obtain the password for this credentials context. + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +_PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + if (cred->password_obtained == CRED_CALLBACK && + !cred->callback_running && + !cred->password_will_be_nt_hash) { + cred->callback_running = true; + cred->password = cred->password_cb(cred); + cred->callback_running = false; + if (cred->password_obtained == CRED_CALLBACK) { + cred->password_obtained = CRED_CALLBACK_RESULT; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); + } + } + + return cred->password; +} + +/** + * @brief Obtain the password for this credentials context. + * + * @param[in] cred The credential context. + * + * @param[in] obtained A pointer to store the obtained information. + * + * return The user name or NULL if an error occurred. + */ +_PUBLIC_ const char * +cli_credentials_get_password_and_obtained(struct cli_credentials *cred, + enum credentials_obtained *obtained) +{ + const char *password = cli_credentials_get_password(cred); + + if (obtained != NULL) { + *obtained = cred->password_obtained; + } + + return password; +} + +/* Set a password on the credentials context, including an indication + * of 'how' the password was obtained */ + +_PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + + cred->lm_response = data_blob_null; + cred->nt_response = data_blob_null; + cred->nt_hash = NULL; + cred->password = NULL; + + cli_credentials_invalidate_ccache(cred, obtained); + + cred->password_tries = 0; + + if (val == NULL) { + cred->password_obtained = obtained; + return true; + } + + if (cred->password_will_be_nt_hash) { + struct samr_Password *nt_hash = NULL; + size_t val_len = strlen(val); + size_t converted; + + nt_hash = talloc(cred, struct samr_Password); + if (nt_hash == NULL) { + return false; + } + + converted = strhex_to_str((char *)nt_hash->hash, + sizeof(nt_hash->hash), + val, val_len); + if (converted != sizeof(nt_hash->hash)) { + TALLOC_FREE(nt_hash); + return false; + } + + cred->nt_hash = nt_hash; + cred->password_obtained = obtained; + return true; + } + + cred->password = talloc_strdup(cred, val); + if (cred->password == NULL) { + return false; + } + + /* Don't print the actual password in talloc memory dumps */ + talloc_set_name_const(cred->password, + "password set via cli_credentials_set_password"); + cred->password_obtained = obtained; + + return true; + } + + return false; +} + +_PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred, + const char *(*password_cb) (struct cli_credentials *)) +{ + if (cred->password_obtained < CRED_CALLBACK) { + cred->password_tries = 3; + cred->password_cb = password_cb; + cred->password_obtained = CRED_CALLBACK; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); + return true; + } + + return false; +} + +/** + * Obtain the 'old' password for this credentials context (used for join accounts). + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +_PUBLIC_ const char *cli_credentials_get_old_password(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + return cred->old_password; +} + +_PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + cred->old_password = talloc_strdup(cred, val); + if (cred->old_password) { + /* Don't print the actual password in talloc memory dumps */ + talloc_set_name_const(cred->old_password, "password set via cli_credentials_set_old_password"); + } + cred->old_nt_hash = NULL; + return true; +} + +/** + * Obtain the password, in the form MD4(unicode(password)) for this credentials context. + * + * Sometimes we only have this much of the password, while the rest of + * the time this call avoids calling E_md4hash themselves. + * + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx) +{ + enum credentials_obtained password_obtained; + enum credentials_obtained ccache_threshold; + enum credentials_obtained client_gss_creds_threshold; + bool password_is_nt_hash; + const char *password = NULL; + struct samr_Password *nt_hash = NULL; + + if (cred->nt_hash != NULL) { + /* + * If we already have a hash it's easy. + */ + goto return_hash; + } + + /* + * This is a bit tricky, with password_will_be_nt_hash + * we still need to get the value via the password_callback + * but if we did that we should not remember it's state + * in the long run so we need to undo it. + */ + + password_obtained = cred->password_obtained; + ccache_threshold = cred->ccache_threshold; + client_gss_creds_threshold = cred->client_gss_creds_threshold; + password_is_nt_hash = cred->password_will_be_nt_hash; + + cred->password_will_be_nt_hash = false; + password = cli_credentials_get_password(cred); + + cred->password_will_be_nt_hash = password_is_nt_hash; + if (password_is_nt_hash && password_obtained == CRED_CALLBACK) { + /* + * We got the nt_hash as string via the callback, + * so we need to undo the state change. + * + * And also don't remember it as plaintext password. + */ + cred->client_gss_creds_threshold = client_gss_creds_threshold; + cred->ccache_threshold = ccache_threshold; + cred->password_obtained = password_obtained; + cred->password = NULL; + } + + if (password == NULL) { + return NULL; + } + + nt_hash = talloc(cred, struct samr_Password); + if (nt_hash == NULL) { + return NULL; + } + + if (password_is_nt_hash) { + size_t password_len = strlen(password); + size_t converted; + + converted = strhex_to_str((char *)nt_hash->hash, + sizeof(nt_hash->hash), + password, password_len); + if (converted != sizeof(nt_hash->hash)) { + TALLOC_FREE(nt_hash); + return NULL; + } + } else { + E_md4hash(password, nt_hash->hash); + } + + cred->nt_hash = nt_hash; + nt_hash = NULL; + +return_hash: + nt_hash = talloc(mem_ctx, struct samr_Password); + if (nt_hash == NULL) { + return NULL; + } + + *nt_hash = *cred->nt_hash; + + return nt_hash; +} + +/** + * Obtain the old password, in the form MD4(unicode(password)) for this credentials context. + * + * Sometimes we only have this much of the password, while the rest of + * the time this call avoids calling E_md4hash themselves. + * + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +_PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx) +{ + const char *old_password = NULL; + + if (cred->old_nt_hash != NULL) { + struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password); + if (!nt_hash) { + return NULL; + } + + *nt_hash = *cred->old_nt_hash; + + return nt_hash; + } + + old_password = cli_credentials_get_old_password(cred); + if (old_password) { + struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password); + if (!nt_hash) { + return NULL; + } + + E_md4hash(old_password, nt_hash->hash); + + return nt_hash; + } + + return NULL; +} + +/** + * Obtain the 'short' or 'NetBIOS' domain for this credentials context. + * @param cred credentials context + * @retval The domain set on this context. + * @note Return value will never be NULL except by programmer error. + */ +_PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + if (cred->domain_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; + cred->domain = cred->domain_cb(cred); + cred->callback_running = false; + if (cred->domain_obtained == CRED_CALLBACK) { + cred->domain_obtained = CRED_CALLBACK_RESULT; + cli_credentials_invalidate_ccache(cred, cred->domain_obtained); + } + } + + return cred->domain; +} + +/** + * @brief Obtain the domain for this credential context. + * + * @param[in] cred The credential context. + * + * @param[out] obtained A pointer to store the obtained information. + * + * @return The domain name or NULL if an error occurred. + */ +_PUBLIC_ const char *cli_credentials_get_domain_and_obtained( + struct cli_credentials *cred, + enum credentials_obtained *obtained) +{ + const char *domain = cli_credentials_get_domain(cred); + + if (obtained != NULL) { + *obtained = cred->domain_obtained; + } + + return domain; +} + + +_PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->domain_obtained) { + /* it is important that the domain be in upper case, + * particularly for the sensitive NTLMv2 + * calculations */ + cred->domain = strupper_talloc(cred, val); + cred->domain_obtained = obtained; + /* setting domain does not mean we have to invalidate ccache + * because domain in not used for Kerberos operations. + * If ccache invalidation is required, one will anyway specify + * a password to kinit, and that will force invalidation of the ccache + */ + return true; + } + + return false; +} + +bool cli_credentials_set_domain_callback(struct cli_credentials *cred, + const char *(*domain_cb) (struct cli_credentials *)) +{ + if (cred->domain_obtained < CRED_CALLBACK) { + cred->domain_cb = domain_cb; + cred->domain_obtained = CRED_CALLBACK; + return true; + } + + return false; +} + +/** + * Obtain the Kerberos realm for this credentials context. + * @param cred credentials context + * @retval The realm set on this context. + * @note Return value will never be NULL except by programmer error. + */ +_PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + if (cred->realm_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; + cred->realm = cred->realm_cb(cred); + cred->callback_running = false; + if (cred->realm_obtained == CRED_CALLBACK) { + cred->realm_obtained = CRED_CALLBACK_RESULT; + cli_credentials_invalidate_ccache(cred, cred->realm_obtained); + } + } + + return cred->realm; +} + +/** + * Set the realm for this credentials context, and force it to + * uppercase for the sanity of our local kerberos libraries + */ +_PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->realm_obtained) { + cred->realm = strupper_talloc(cred, val); + cred->realm_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->realm_obtained); + return true; + } + + return false; +} + +bool cli_credentials_set_realm_callback(struct cli_credentials *cred, + const char *(*realm_cb) (struct cli_credentials *)) +{ + if (cred->realm_obtained < CRED_CALLBACK) { + cred->realm_cb = realm_cb; + cred->realm_obtained = CRED_CALLBACK; + return true; + } + + return false; +} + +/** + * Obtain the 'short' or 'NetBIOS' workstation name for this credentials context. + * + * @param cred credentials context + * @retval The workstation name set on this context. + * @note Return value will never be NULL except by programmer error. + */ +_PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cred) +{ + if (cred->workstation_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; + cred->workstation = cred->workstation_cb(cred); + cred->callback_running = false; + if (cred->workstation_obtained == CRED_CALLBACK) { + cred->workstation_obtained = CRED_CALLBACK_RESULT; + } + } + + return cred->workstation; +} + +_PUBLIC_ bool cli_credentials_set_workstation(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->workstation_obtained) { + cred->workstation = talloc_strdup(cred, val); + cred->workstation_obtained = obtained; + return true; + } + + return false; +} + +bool cli_credentials_set_workstation_callback(struct cli_credentials *cred, + const char *(*workstation_cb) (struct cli_credentials *)) +{ + if (cred->workstation_obtained < CRED_CALLBACK) { + cred->workstation_cb = workstation_cb; + cred->workstation_obtained = CRED_CALLBACK; + return true; + } + + return false; +} + +/** + * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields + * + * The format accepted is [domain\\]user[%password] or user[@realm][%password] + * + * @param credentials Credentials structure on which to set the password + * @param data the string containing the username, password etc + * @param obtained This enum describes how 'specified' this password is + */ + +_PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained) +{ + char *uname, *p; + char *uname_free = NULL; + + if (strcmp("%",data) == 0) { + cli_credentials_set_anonymous(credentials); + return; + } + + uname = talloc_strdup(credentials, data); + uname_free = uname; + + if ((p = strchr_m(uname,'%'))) { + *p = 0; + cli_credentials_set_password(credentials, p+1, obtained); + } + + if ((p = strchr_m(uname,'@'))) { + /* + * We also need to set username and domain + * in order to undo the effect of + * cli_credentials_guess(). + */ + cli_credentials_set_username(credentials, uname, obtained); + cli_credentials_set_domain(credentials, "", obtained); + + cli_credentials_set_principal(credentials, uname, obtained); + *p = 0; + cli_credentials_set_realm(credentials, p+1, obtained); + TALLOC_FREE(uname_free); + return; + } else if ((p = strchr_m(uname,'\\')) + || (p = strchr_m(uname, '/')) + || (p = strchr_m(uname, credentials->winbind_separator))) + { + const char *domain = NULL; + + domain = uname; + *p = 0; + uname = p+1; + + if (obtained == credentials->realm_obtained && + !strequal_m(credentials->domain, domain)) + { + /* + * We need to undo a former set with the same level + * in order to get the expected result from + * cli_credentials_get_principal(). + * + * But we only need to do that if the domain + * actually changes. + */ + cli_credentials_set_realm(credentials, domain, obtained); + } + cli_credentials_set_domain(credentials, domain, obtained); + } + if (obtained == credentials->principal_obtained && + !strequal_m(credentials->username, uname)) + { + /* + * We need to undo a former set with the same level + * in order to get the expected result from + * cli_credentials_get_principal(). + * + * But we only need to do that if the username + * actually changes. + */ + credentials->principal_obtained = CRED_UNINITIALISED; + credentials->principal = NULL; + } + cli_credentials_set_username(credentials, uname, obtained); + + TALLOC_FREE(uname_free); +} + +/** + * Given a a credentials structure, print it as a string + * + * The format output is [domain\\]user[%password] or user[@realm][%password] + * + * @param credentials Credentials structure on which to set the password + * @param mem_ctx The memory context to place the result on + */ + +_PUBLIC_ char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx) +{ + const char *bind_dn = cli_credentials_get_bind_dn(credentials); + const char *domain = NULL; + const char *username = NULL; + char *name = NULL; + + if (bind_dn) { + name = talloc_strdup(mem_ctx, bind_dn); + } else { + cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain); + if (domain && domain[0]) { + name = talloc_asprintf(mem_ctx, "%s\\%s", + domain, username); + } else { + name = talloc_asprintf(mem_ctx, "%s", + username); + } + } + return name; +} + + +/** + * Specifies default values for domain, workstation and realm + * from the smb.conf configuration file + * + * @param cred Credentials structure to fill in + * + * @return true on success, false on error. + */ +_PUBLIC_ bool cli_credentials_set_conf(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) +{ + const char *sep = NULL; + const char *realm = lpcfg_realm(lp_ctx); + enum credentials_client_protection protection = + lpcfg_client_protection(lp_ctx); + const char *workgroup = lpcfg_workgroup(lp_ctx); + const char *netbios_name = lpcfg_netbios_name(lp_ctx); + bool ok; + + (void)cli_credentials_set_username(cred, "", CRED_UNINITIALISED); + + if (workgroup != NULL && strlen(workgroup) == 0) { + workgroup = NULL; + } + + if (workgroup != NULL) { + if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) { + ok = cli_credentials_set_domain(cred, + workgroup, + CRED_SPECIFIED); + if (!ok) { + DBG_ERR("Failed to set domain!\n"); + return false; + } + } else { + (void)cli_credentials_set_domain(cred, + workgroup, + CRED_SMB_CONF); + } + } + + if (netbios_name != NULL && strlen(netbios_name) == 0) { + netbios_name = NULL; + } + + if (netbios_name != NULL) { + if (lpcfg_parm_is_cmdline(lp_ctx, "netbios name")) { + ok = cli_credentials_set_workstation(cred, + netbios_name, + CRED_SPECIFIED); + if (!ok) { + DBG_ERR("Failed to set workstation!\n"); + return false; + } + } else { + (void)cli_credentials_set_workstation(cred, + netbios_name, + CRED_SMB_CONF); + } + } + + if (realm != NULL && strlen(realm) == 0) { + realm = NULL; + } + + if (realm != NULL) { + if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) { + ok = cli_credentials_set_realm(cred, + realm, + CRED_SPECIFIED); + if (!ok) { + DBG_ERR("Failed to set realm!\n"); + return false; + } + } else { + (void)cli_credentials_set_realm(cred, + realm, + CRED_SMB_CONF); + } + } + + sep = lpcfg_winbind_separator(lp_ctx); + if (sep != NULL && sep[0] != '\0') { + cred->winbind_separator = *lpcfg_winbind_separator(lp_ctx); + } + + if (cred->signing_state_obtained <= CRED_SMB_CONF) { + /* Will be set to default for invalid smb.conf values */ + cred->signing_state = lpcfg_client_signing(lp_ctx); + if (cred->signing_state == SMB_SIGNING_DEFAULT) { + switch (protection) { + case CRED_CLIENT_PROTECTION_DEFAULT: + break; + case CRED_CLIENT_PROTECTION_PLAIN: + cred->signing_state = SMB_SIGNING_OFF; + break; + case CRED_CLIENT_PROTECTION_SIGN: + case CRED_CLIENT_PROTECTION_ENCRYPT: + cred->signing_state = SMB_SIGNING_REQUIRED; + break; + } + } + + cred->signing_state_obtained = CRED_SMB_CONF; + } + + if (cred->ipc_signing_state_obtained <= CRED_SMB_CONF) { + /* Will be set to required for invalid smb.conf values */ + cred->ipc_signing_state = lpcfg_client_ipc_signing(lp_ctx); + cred->ipc_signing_state_obtained = CRED_SMB_CONF; + } + + if (cred->encryption_state_obtained <= CRED_SMB_CONF) { + /* Will be set to default for invalid smb.conf values */ + cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx); + if (cred->encryption_state == SMB_ENCRYPTION_DEFAULT) { + switch (protection) { + case CRED_CLIENT_PROTECTION_DEFAULT: + break; + case CRED_CLIENT_PROTECTION_PLAIN: + case CRED_CLIENT_PROTECTION_SIGN: + cred->encryption_state = SMB_ENCRYPTION_OFF; + break; + case CRED_CLIENT_PROTECTION_ENCRYPT: + cred->encryption_state = SMB_ENCRYPTION_REQUIRED; + break; + } + } + } + + if (cred->kerberos_state_obtained <= CRED_SMB_CONF) { + /* Will be set to default for invalid smb.conf values */ + cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx); + cred->kerberos_state_obtained = CRED_SMB_CONF; + } + + if (cred->gensec_features_obtained <= CRED_SMB_CONF) { + switch (protection) { + case CRED_CLIENT_PROTECTION_DEFAULT: + break; + case CRED_CLIENT_PROTECTION_PLAIN: + cred->gensec_features = 0; + break; + case CRED_CLIENT_PROTECTION_SIGN: + cred->gensec_features = GENSEC_FEATURE_SIGN; + break; + case CRED_CLIENT_PROTECTION_ENCRYPT: + cred->gensec_features = + GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL; + break; + } + cred->gensec_features_obtained = CRED_SMB_CONF; + } + + return true; +} + +/** + * Guess defaults for credentials from environment variables, + * and from the configuration file + * + * @param cred Credentials structure to fill in + */ +_PUBLIC_ bool cli_credentials_guess(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) +{ + const char *error_string; + const char *env = NULL; + struct passwd *pwd = NULL; + bool ok; + + if (lp_ctx != NULL) { + ok = cli_credentials_set_conf(cred, lp_ctx); + if (!ok) { + return false; + } + } + + pwd = getpwuid(getuid()); + if (pwd != NULL) { + size_t len = strlen(pwd->pw_name); + + if (len > 0 && len <= 1024) { + (void)cli_credentials_parse_string(cred, + pwd->pw_name, + CRED_GUESS_ENV); + } + } + + env = getenv("LOGNAME"); + if (env != NULL) { + size_t len = strlen(env); + + if (len > 0 && len <= 1024) { + (void)cli_credentials_set_username(cred, + env, + CRED_GUESS_ENV); + } + } + + env = getenv("USER"); + if (env != NULL) { + size_t len = strlen(env); + + if (len > 0 && len <= 1024) { + char *p = NULL; + + (void)cli_credentials_parse_string(cred, + env, + CRED_GUESS_ENV); + if ((p = strchr_m(env, '%'))) { + memset(p, '\0', strlen(cred->password)); + } + } + } + + env = getenv("PASSWD"); + if (env != NULL) { + size_t len = strlen(env); + + if (len > 0 && len <= 1024) { + (void)cli_credentials_set_password(cred, + env, + CRED_GUESS_ENV); + } + } + + env = getenv("PASSWD_FD"); + if (env != NULL) { + size_t len = strlen(env); + + if (len > 0 && len <= 1024) { + int fd = atoi(env); + + (void)cli_credentials_parse_password_fd(cred, + fd, + CRED_GUESS_FILE); + } + } + + env = getenv("PASSWD_FILE"); + if (env != NULL) { + size_t len = strlen(env); + + if (len > 0 && len <= 4096) { + (void)cli_credentials_parse_password_file(cred, + env, + CRED_GUESS_FILE); + } + } + + if (lp_ctx != NULL && + cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) { + (void)cli_credentials_set_ccache(cred, + lp_ctx, + NULL, + CRED_GUESS_FILE, + &error_string); + } + + return true; +} + +/** + * Attach NETLOGON credentials for use with SCHANNEL + */ + +_PUBLIC_ void cli_credentials_set_netlogon_creds( + struct cli_credentials *cred, + const struct netlogon_creds_CredentialState *netlogon_creds) +{ + TALLOC_FREE(cred->netlogon_creds); + if (netlogon_creds == NULL) { + return; + } + cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds); +} + +/** + * Return attached NETLOGON credentials + */ + +_PUBLIC_ struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred) +{ + return cred->netlogon_creds; +} + +/** + * Set NETLOGON secure channel type + */ + +_PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, + enum netr_SchannelType secure_channel_type) +{ + cred->secure_channel_type = secure_channel_type; +} + +/** + * Return NETLOGON secure channel type + */ + +_PUBLIC_ time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred) +{ + return cred->password_last_changed_time; +} + +/** + * Set NETLOGON secure channel type + */ + +_PUBLIC_ void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred, + time_t last_changed_time) +{ + cred->password_last_changed_time = last_changed_time; +} + +/** + * Return NETLOGON secure channel type + */ + +_PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred) +{ + return cred->secure_channel_type; +} + +/** + * Fill in a credentials structure as the anonymous user + */ +_PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred) +{ + cli_credentials_set_username(cred, "", CRED_SPECIFIED); + cli_credentials_set_domain(cred, "", CRED_SPECIFIED); + cli_credentials_set_password(cred, NULL, CRED_SPECIFIED); + cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED); + cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED); + cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED); + cli_credentials_set_kerberos_state(cred, + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); +} + +/** + * Describe a credentials context as anonymous or authenticated + * @retval true if anonymous, false if a username is specified + */ + +_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred) +{ + const char *username; + + /* if bind dn is set it's not anonymous */ + if (cred->bind_dn) { + return false; + } + + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + /* if principal is set, it's not anonymous */ + if ((cred->principal != NULL) && cred->principal_obtained >= cred->username_obtained) { + return false; + } + + username = cli_credentials_get_username(cred); + + /* Yes, it is deliberate that we die if we have a NULL pointer + * here - anonymous is "", not NULL, which is 'never specified, + * never guessed', ie programmer bug */ + if (!username[0]) { + return true; + } + + return false; +} + +/** + * Mark the current password for a credentials struct as wrong. This will + * cause the password to be prompted again (if a callback is set). + * + * This will decrement the number of times the password can be tried. + * + * @retval whether the credentials struct is finished + */ +_PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred) +{ + if (cred->password_obtained != CRED_CALLBACK_RESULT) { + return false; + } + + if (cred->password_tries == 0) { + return false; + } + + cred->password_tries--; + + if (cred->password_tries == 0) { + return false; + } + + cred->password_obtained = CRED_CALLBACK; + return true; +} + +_PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + const char **username, + const char **domain) +{ + if (cred->principal_obtained >= cred->username_obtained) { + *domain = talloc_strdup(mem_ctx, ""); + *username = cli_credentials_get_principal(cred, mem_ctx); + } else { + *domain = cli_credentials_get_domain(cred); + *username = cli_credentials_get_username(cred); + } +} + +/** + * Read a named file, and parse it for username, domain, realm and password + * + * @param credentials Credentials structure on which to set the password + * @param file a named file to read the details from + * @param obtained This enum describes how 'specified' this password is + */ + +_PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained) +{ + uint16_t len = 0; + char *ptr, *val, *param; + char **lines; + int i, numlines; + const char *realm = NULL; + const char *domain = NULL; + const char *password = NULL; + const char *username = NULL; + + lines = file_lines_load(file, &numlines, 0, NULL); + + if (lines == NULL) + { + /* fail if we can't open the credentials file */ + d_printf("ERROR: Unable to open credentials file!\n"); + return false; + } + + for (i = 0; i < numlines; i++) { + len = strlen(lines[i]); + + if (len == 0) + continue; + + /* break up the line into parameter & value. + * will need to eat a little whitespace possibly */ + param = lines[i]; + if (!(ptr = strchr_m (lines[i], '='))) + continue; + + val = ptr+1; + *ptr = '\0'; + + /* eat leading white space */ + while ((*val!='\0') && ((*val==' ') || (*val=='\t'))) + val++; + + if (strwicmp("password", param) == 0) { + password = val; + } else if (strwicmp("username", param) == 0) { + username = val; + } else if (strwicmp("domain", param) == 0) { + domain = val; + } else if (strwicmp("realm", param) == 0) { + realm = val; + } + + /* + * We need to readd '=' in order to let + * the strlen() work in the last loop + * that clears the memory. + */ + *ptr = '='; + } + + if (realm != NULL && strlen(realm) != 0) { + /* + * only overwrite with a valid string + */ + cli_credentials_set_realm(cred, realm, obtained); + } + + if (domain != NULL && strlen(domain) != 0) { + /* + * only overwrite with a valid string + */ + cli_credentials_set_domain(cred, domain, obtained); + } + + if (password != NULL) { + /* + * Here we allow "". + */ + cli_credentials_set_password(cred, password, obtained); + } + + if (username != NULL) { + /* + * The last "username" line takes preference + * if the string also contains domain, realm or + * password. + */ + cli_credentials_parse_string(cred, username, obtained); + } + + for (i = 0; i < numlines; i++) { + len = strlen(lines[i]); + memset(lines[i], 0, len); + } + talloc_free(lines); + + return true; +} + +/** + * Read a named file, and parse it for a password + * + * @param credentials Credentials structure on which to set the password + * @param file a named file to read the password from + * @param obtained This enum describes how 'specified' this password is + */ + +_PUBLIC_ bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained) +{ + int fd = open(file, O_RDONLY, 0); + bool ret; + + if (fd < 0) { + fprintf(stderr, "Error opening password file %s: %s\n", + file, strerror(errno)); + return false; + } + + ret = cli_credentials_parse_password_fd(credentials, fd, obtained); + + close(fd); + + return ret; +} + + +/** + * Read a file descriptor, and parse it for a password (eg from a file or stdin) + * + * @param credentials Credentials structure on which to set the password + * @param fd open file descriptor to read the password from + * @param obtained This enum describes how 'specified' this password is + */ + +_PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, + int fd, enum credentials_obtained obtained) +{ + char *p; + char pass[128]; + + if (credentials->password_obtained >= obtained) { + return false; + } + + for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */ + p && p - pass < sizeof(pass) - 1;) { + switch (read(fd, p, 1)) { + case 1: + if (*p != '\n' && *p != '\0') { + *++p = '\0'; /* advance p, and null-terminate pass */ + break; + } + + FALL_THROUGH; + case 0: + if (p - pass) { + *p = '\0'; /* null-terminate it, just in case... */ + p = NULL; /* then force the loop condition to become false */ + break; + } + + fprintf(stderr, + "Error reading password from file descriptor " + "%d: empty password\n", + fd); + return false; + + default: + fprintf(stderr, "Error reading password from file descriptor %d: %s\n", + fd, strerror(errno)); + return false; + } + } + + cli_credentials_set_password(credentials, pass, obtained); + return true; +} + +/** + * @brief Set the SMB signing state to request for a SMB connection. + * + * @param[in] creds The credentials structure to update. + * + * @param[in] signing_state The signing state to set. + * + * @param obtained This way the described signing state was specified. + * + * @return true if we could set the signing state, false otherwise. + */ +_PUBLIC_ bool cli_credentials_set_smb_signing(struct cli_credentials *creds, + enum smb_signing_setting signing_state, + enum credentials_obtained obtained) +{ + if (obtained >= creds->signing_state_obtained) { + creds->signing_state_obtained = obtained; + creds->signing_state = signing_state; + return true; + } + + return false; +} + +/** + * @brief Obtain the SMB signing state from a credentials structure. + * + * @param[in] creds The credential structure to obtain the SMB signing state + * from. + * + * @return The SMB signing state. + */ +_PUBLIC_ enum smb_signing_setting +cli_credentials_get_smb_signing(struct cli_credentials *creds) +{ + return creds->signing_state; +} + +/** + * @brief Set the SMB IPC signing state to request for a SMB connection. + * + * @param[in] creds The credentials structure to update. + * + * @param[in] signing_state The signing state to set. + * + * @param obtained This way the described signing state was specified. + * + * @return true if we could set the signing state, false otherwise. + */ +_PUBLIC_ bool +cli_credentials_set_smb_ipc_signing(struct cli_credentials *creds, + enum smb_signing_setting ipc_signing_state, + enum credentials_obtained obtained) +{ + if (obtained >= creds->ipc_signing_state_obtained) { + creds->ipc_signing_state_obtained = obtained; + creds->ipc_signing_state = ipc_signing_state; + return true; + } + + return false; +} + +/** + * @brief Obtain the SMB IPC signing state from a credentials structure. + * + * @param[in] creds The credential structure to obtain the SMB IPC signing + * state from. + * + * @return The SMB signing state. + */ +_PUBLIC_ enum smb_signing_setting +cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds) +{ + return creds->ipc_signing_state; +} + +/** + * @brief Set the SMB encryption state to request for a SMB connection. + * + * @param[in] creds The credentials structure to update. + * + * @param[in] encryption_state The encryption state to set. + * + * @param obtained This way the described encryption state was specified. + * + * @return true if we could set the encryption state, false otherwise. + */ +_PUBLIC_ bool cli_credentials_set_smb_encryption(struct cli_credentials *creds, + enum smb_encryption_setting encryption_state, + enum credentials_obtained obtained) +{ + if (obtained >= creds->encryption_state_obtained) { + creds->encryption_state_obtained = obtained; + creds->encryption_state = encryption_state; + return true; + } + + return false; +} + +static const char *obtained_to_str(enum credentials_obtained obtained) +{ + switch (obtained) { + case CRED_UNINITIALISED: + return "CRED_UNINITIALISED"; + case CRED_SMB_CONF: + return "CRED_SMB_CONF"; + case CRED_CALLBACK: + return "CRED_CALLBACK"; + case CRED_GUESS_ENV: + return "CRED_GUESS_ENV"; + case CRED_GUESS_FILE: + return "CRED_GUESS_FILE"; + case CRED_CALLBACK_RESULT: + return "CRED_CALLBACK_RESULT"; + case CRED_SPECIFIED: + return "CRED_SPECIFIED"; + } + + /* Never reached */ + return ""; +} + +static const char *krb5_state_to_str(enum credentials_use_kerberos krb5_state) +{ + switch (krb5_state) { + case CRED_USE_KERBEROS_DISABLED: + return "CRED_USE_KERBEROS_DISABLED"; + case CRED_USE_KERBEROS_DESIRED: + return "CRED_USE_KERBEROS_DESIRED"; + case CRED_USE_KERBEROS_REQUIRED: + return "CRED_USE_KERBEROS_REQUIRED"; + } + + /* Never reached */ + return ""; +} + +static const char *krb5_fwd_to_str(enum credentials_krb_forwardable krb5_fwd) +{ + switch (krb5_fwd) { + case CRED_AUTO_KRB_FORWARDABLE: + return "CRED_AUTO_KRB_FORWARDABLE"; + case CRED_NO_KRB_FORWARDABLE: + return "CRED_NO_KRB_FORWARDABLE"; + case CRED_FORCE_KRB_FORWARDABLE: + return "CRED_FORCE_KRB_FORWARDABLE"; + } + + /* Never reached */ + return ""; +} + +static const char *signing_state_to_str(enum smb_signing_setting signing_state) +{ + switch(signing_state) { + case SMB_SIGNING_IPC_DEFAULT: + return "SMB_SIGNING_IPC_DEFAULT"; + case SMB_SIGNING_DEFAULT: + return "SMB_SIGNING_DEFAULT"; + case SMB_SIGNING_OFF: + return "SMB_SIGNING_OFF"; + case SMB_SIGNING_IF_REQUIRED: + return "SMB_SIGNING_IF_REQUIRED"; + case SMB_SIGNING_DESIRED: + return "SMB_SIGNING_DESIRED"; + case SMB_SIGNING_REQUIRED: + return "SMB_SIGNING_REQUIRED"; + } + + /* Never reached */ + return ""; +} + +static const char *encryption_state_to_str(enum smb_encryption_setting encryption_state) +{ + switch(encryption_state) { + case SMB_ENCRYPTION_DEFAULT: + return "SMB_ENCRYPTION_DEFAULT"; + case SMB_ENCRYPTION_OFF: + return "SMB_ENCRYPTION_OFF"; + case SMB_ENCRYPTION_IF_REQUIRED: + return "SMB_ENCRYPTION_IF_REQUIRED"; + case SMB_ENCRYPTION_DESIRED: + return "SMB_ENCRYPTION_DESIRED"; + case SMB_ENCRYPTION_REQUIRED: + return "SMB_ENCRYPTION_REQUIRED"; + } + + /* Never reached */ + return ""; +} + +_PUBLIC_ void cli_credentials_dump(struct cli_credentials *creds) +{ + DBG_ERR("CLI_CREDENTIALS:\n"); + DBG_ERR("\n"); + DBG_ERR(" Username: %s - %s\n", + creds->username, + obtained_to_str(creds->username_obtained)); + DBG_ERR(" Workstation: %s - %s\n", + creds->workstation, + obtained_to_str(creds->workstation_obtained)); + DBG_ERR(" Domain: %s - %s\n", + creds->domain, + obtained_to_str(creds->domain_obtained)); + DBG_ERR(" Password: %s - %s\n", + creds->password != NULL ? "*SECRET*" : "NULL", + obtained_to_str(creds->password_obtained)); + DBG_ERR(" Old password: %s\n", + creds->old_password != NULL ? "*SECRET*" : "NULL"); + DBG_ERR(" Password tries: %u\n", + creds->password_tries); + DBG_ERR(" Realm: %s - %s\n", + creds->realm, + obtained_to_str(creds->realm_obtained)); + DBG_ERR(" Principal: %s - %s\n", + creds->principal, + obtained_to_str(creds->principal_obtained)); + DBG_ERR(" Salt principal: %s\n", + creds->salt_principal); + DBG_ERR(" Impersonate principal: %s\n", + creds->impersonate_principal); + DBG_ERR(" Self service: %s\n", + creds->self_service); + DBG_ERR(" Target service: %s\n", + creds->target_service); + DBG_ERR(" Kerberos state: %s - %s\n", + krb5_state_to_str(creds->kerberos_state), + obtained_to_str(creds->kerberos_state_obtained)); + DBG_ERR(" Kerberos forwardable ticket: %s\n", + krb5_fwd_to_str(creds->krb_forwardable)); + DBG_ERR(" Signing state: %s - %s\n", + signing_state_to_str(creds->signing_state), + obtained_to_str(creds->signing_state_obtained)); + DBG_ERR(" IPC signing state: %s - %s\n", + signing_state_to_str(creds->ipc_signing_state), + obtained_to_str(creds->ipc_signing_state_obtained)); + DBG_ERR(" Encryption state: %s - %s\n", + encryption_state_to_str(creds->encryption_state), + obtained_to_str(creds->encryption_state_obtained)); + DBG_ERR(" Gensec features: %#X\n", + creds->gensec_features); + DBG_ERR(" Forced sasl mech: %s\n", + creds->forced_sasl_mech); + DBG_ERR(" CCACHE: %p - %s\n", + creds->ccache, + obtained_to_str(creds->ccache_obtained)); + DBG_ERR(" CLIENT_GSS_CREDS: %p - %s\n", + creds->client_gss_creds, + obtained_to_str(creds->client_gss_creds_obtained)); + DBG_ERR(" SERVER_GSS_CREDS: %p - %s\n", + creds->server_gss_creds, + obtained_to_str(creds->server_gss_creds_obtained)); + DBG_ERR(" KEYTAB: %p - %s\n", + creds->keytab, + obtained_to_str(creds->keytab_obtained)); + DBG_ERR(" KVNO: %u\n", + creds->kvno); + DBG_ERR("\n"); +} + +/** + * @brief Obtain the SMB encryption state from a credentials structure. + * + * @param[in] creds The credential structure to obtain the SMB encryption state + * from. + * + * @return The SMB signing state. + */ +_PUBLIC_ enum smb_encryption_setting +cli_credentials_get_smb_encryption(struct cli_credentials *creds) +{ + return creds->encryption_state; +} + +/** + * Encrypt a data blob using the session key and the negotiated encryption + * algorithm + * + * @param state Credential state, contains the session key and algorithm + * @param data Data blob containing the data to be encrypted. + * + */ +_PUBLIC_ NTSTATUS netlogon_creds_session_encrypt( + struct netlogon_creds_CredentialState *state, + DATA_BLOB data) +{ + NTSTATUS status; + + if (data.data == NULL || data.length == 0) { + DBG_ERR("Nothing to encrypt " + "data.data == NULL or data.length == 0\n"); + return NT_STATUS_INVALID_PARAMETER; + } + /* + * Don't crypt an all-zero password it will give away the + * NETLOGON pipe session key . + */ + if (all_zero(data.data, data.length)) { + DBG_ERR("Supplied data all zeros, could leak session key\n"); + return NT_STATUS_INVALID_PARAMETER; + } + if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + status = netlogon_creds_aes_encrypt(state, + data.data, + data.length); + } else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + status = netlogon_creds_arcfour_crypt(state, + data.data, + data.length); + } else { + DBG_ERR("Unsupported encryption option negotiated\n"); + status = NT_STATUS_NOT_SUPPORTED; + } + if (!NT_STATUS_IS_OK(status)) { + return status; + } + return NT_STATUS_OK; +} + diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h new file mode 100644 index 0000000..341c984 --- /dev/null +++ b/auth/credentials/credentials.h @@ -0,0 +1,369 @@ +/* + samba -- Unix SMB/CIFS implementation. + + Client credentials structure + + Copyright (C) Jelmer Vernooij 2004-2006 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ +#ifndef __CREDENTIALS_H__ +#define __CREDENTIALS_H__ + +#include "../lib/util/time.h" +#include "../lib/util/data_blob.h" +#include "librpc/gen_ndr/misc.h" + +struct cli_credentials; +struct ccache_container; +struct tevent_context; +struct netlogon_creds_CredentialState; +struct ldb_context; +struct ldb_message; +struct loadparm_context; +struct ccache_container; +struct gssapi_creds_container; +struct smb_krb5_context; +struct keytab_container; +struct db_context; +enum smb_signing_setting; +enum smb_encryption_setting; + +/* In order of priority */ +enum credentials_obtained { + CRED_UNINITIALISED = 0, /* We don't even have a guess yet */ + CRED_SMB_CONF, /* Current value should be used, which comes from smb.conf */ + CRED_CALLBACK, /* Callback should be used to obtain value */ + CRED_GUESS_ENV, /* Current value should be used, which was guessed */ + CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */ + CRED_CALLBACK_RESULT, /* Value was obtained from a callback */ + CRED_SPECIFIED /* Was explicitly specified on the command-line */ +}; + +enum credentials_use_kerberos { + /** Sometimes trying kerberos just does 'bad things', so don't */ + CRED_USE_KERBEROS_DISABLED = 0, + /** Default, we try kerberos if available */ + CRED_USE_KERBEROS_DESIRED, + /** Sometimes administrators are paranoid, so always do kerberos */ + CRED_USE_KERBEROS_REQUIRED, +}; + +enum credentials_client_protection { + CRED_CLIENT_PROTECTION_DEFAULT = -1, + CRED_CLIENT_PROTECTION_PLAIN = 0, + CRED_CLIENT_PROTECTION_SIGN, + CRED_CLIENT_PROTECTION_ENCRYPT, +}; + +enum credentials_krb_forwardable { + CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */ + CRED_NO_KRB_FORWARDABLE, /* not forwardable */ + CRED_FORCE_KRB_FORWARDABLE /* forwardable */ +}; + +#define CLI_CRED_NTLM2 0x01 +#define CLI_CRED_NTLMv2_AUTH 0x02 +#define CLI_CRED_LANMAN_AUTH 0x04 +#define CLI_CRED_NTLM_AUTH 0x08 +#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */ + +const char *cli_credentials_get_workstation(struct cli_credentials *cred); +bool cli_credentials_set_workstation(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +bool cli_credentials_is_anonymous(struct cli_credentials *cred); +struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx); +struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx); +void cli_credentials_set_anonymous(struct cli_credentials *cred); +bool cli_credentials_wrong_password(struct cli_credentials *cred); +const char *cli_credentials_get_password(struct cli_credentials *cred); +const char *cli_credentials_get_password_and_obtained(struct cli_credentials *cred, + enum credentials_obtained *obtained); +void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + const char **username, + const char **domain); +NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + int *flags, + DATA_BLOB challenge, + const NTTIME *server_timestamp, + DATA_BLOB target_info, + DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, + DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key); +const char *cli_credentials_get_realm(struct cli_credentials *cred); +const char *cli_credentials_get_username(struct cli_credentials *cred); +const char *cli_credentials_get_username_and_obtained(struct cli_credentials *cred, + enum credentials_obtained *obtained); +int cli_credentials_get_krb5_context(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct smb_krb5_context **smb_krb5_context); +int cli_credentials_get_ccache(struct cli_credentials *cred, + struct tevent_context *event_ctx, + struct loadparm_context *lp_ctx, + struct ccache_container **ccc, + const char **error_string); +int cli_credentials_get_named_ccache(struct cli_credentials *cred, + struct tevent_context *event_ctx, + struct loadparm_context *lp_ctx, + char *ccache_name, + struct ccache_container **ccc, const char **error_string); +bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred, + const char *principal, + unsigned int *count); +int cli_credentials_get_keytab(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct keytab_container **_ktc); +const char *cli_credentials_get_domain(struct cli_credentials *cred); +const char *cli_credentials_get_domain_and_obtained( + struct cli_credentials *cred, + enum credentials_obtained *obtained); +struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred); +void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, + struct loadparm_context *lp_ctx); +bool cli_credentials_set_conf(struct cli_credentials *cred, + struct loadparm_context *lp_ctx); +char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx); +int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct gssapi_creds_container **_gcc); +int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + struct tevent_context *event_ctx, + struct loadparm_context *lp_ctx, + struct gssapi_creds_container **_gcc, + const char **error_string); +void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds, + const char *sasl_mech); +bool cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos kerberos_state, + enum credentials_obtained obtained); +void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, + enum credentials_krb_forwardable krb_forwardable); +bool cli_credentials_set_domain(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +bool cli_credentials_set_domain_callback(struct cli_credentials *cred, + const char *(*domain_cb) (struct cli_credentials *)); +bool cli_credentials_set_username(struct cli_credentials *cred, + const char *val, enum credentials_obtained obtained); +bool cli_credentials_set_username_callback(struct cli_credentials *cred, + const char *(*username_cb) (struct cli_credentials *)); +bool cli_credentials_set_principal(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +bool cli_credentials_set_principal_callback(struct cli_credentials *cred, + const char *(*principal_cb) (struct cli_credentials *)); +bool cli_credentials_set_password(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx); +void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained); +struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx); +struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx); +bool cli_credentials_set_realm(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, + enum netr_SchannelType secure_channel_type); +void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred, + time_t last_change_time); +void cli_credentials_set_netlogon_creds( + struct cli_credentials *cred, + const struct netlogon_creds_CredentialState *netlogon_creds); +NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, + struct smb_krb5_context *smb_krb5_context); +NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + const char *serviceprincipal); +NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, + struct loadparm_context *lp_ctx); +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx); + +bool cli_credentials_authentication_requested(struct cli_credentials *cred); +bool cli_credentials_guess(struct cli_credentials *cred, + struct loadparm_context *lp_ctx); +bool cli_credentials_set_bind_dn(struct cli_credentials *cred, + const char *bind_dn); +const char *cli_credentials_get_bind_dn(struct cli_credentials *cred); +bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained); +char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx); +bool cli_credentials_set_password_callback(struct cli_credentials *cred, + const char *(*password_cb) (struct cli_credentials *)); +enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred); +time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred); +void cli_credentials_set_kvno(struct cli_credentials *cred, + int kvno); +bool cli_credentials_set_utf16_password(struct cli_credentials *cred, + const DATA_BLOB *password_utf16, + enum credentials_obtained obtained); +bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred, + const DATA_BLOB *password_utf16); +void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred, + bool val); +bool cli_credentials_is_password_nt_hash(struct cli_credentials *cred); +bool cli_credentials_set_nt_hash(struct cli_credentials *cred, + const struct samr_Password *nt_hash, + enum credentials_obtained obtained); +bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred, + const struct samr_Password *nt_hash); +bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, + const DATA_BLOB *lm_response, + const DATA_BLOB *lm_session_key, + const DATA_BLOB *nt_response, + const DATA_BLOB *nt_session_key, + enum credentials_obtained obtained); +int cli_credentials_set_keytab_name(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + const char *keytab_name, + enum credentials_obtained obtained); +bool cli_credentials_set_gensec_features(struct cli_credentials *creds, + uint32_t gensec_features, + enum credentials_obtained obtained); +uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds); +int cli_credentials_set_ccache(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + const char *name, + enum credentials_obtained obtained, + const char **error_string); +bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained); +bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, + int fd, enum credentials_obtained obtained); +void cli_credentials_invalidate_ccache(struct cli_credentials *cred, + enum credentials_obtained obtained); +void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal); +void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, + const char *principal, + const char *self_service); +void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal); +const char *cli_credentials_get_salt_principal(struct cli_credentials *cred); +const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred); +const char *cli_credentials_get_self_service(struct cli_credentials *cred); +const char *cli_credentials_get_target_service(struct cli_credentials *cred); +enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); +const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred); +enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds); +NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct ldb_context *ldb, + const char *base, + const char *filter, + char **error_string); + int cli_credentials_get_kvno(struct cli_credentials *cred); + +bool cli_credentials_set_username_callback(struct cli_credentials *cred, + const char *(*username_cb) (struct cli_credentials *)); + +/** + * Obtain the client principal for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will never be NULL except by programmer error. + */ +char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained); +bool cli_credentials_set_principal(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +bool cli_credentials_set_principal_callback(struct cli_credentials *cred, + const char *(*principal_cb) (struct cli_credentials *)); + +/** + * Obtain the 'old' password for this credentials context (used for join accounts). + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +const char *cli_credentials_get_old_password(struct cli_credentials *cred); +bool cli_credentials_set_old_password(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +bool cli_credentials_set_domain_callback(struct cli_credentials *cred, + const char *(*domain_cb) (struct cli_credentials *)); +bool cli_credentials_set_realm_callback(struct cli_credentials *cred, + const char *(*realm_cb) (struct cli_credentials *)); +bool cli_credentials_set_workstation_callback(struct cli_credentials *cred, + const char *(*workstation_cb) (struct cli_credentials *)); + +void cli_credentials_set_callback_data(struct cli_credentials *cred, + void *callback_data); +void *_cli_credentials_callback_data(struct cli_credentials *cred); +#define cli_credentials_callback_data(_cred, _type) \ + talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type) +#define cli_credentials_callback_data_void(_cred) \ + _cli_credentials_callback_data(_cred) + +bool cli_credentials_set_smb_signing(struct cli_credentials *cred, + enum smb_signing_setting signing_state, + enum credentials_obtained obtained); +enum smb_signing_setting +cli_credentials_get_smb_signing(struct cli_credentials *cred); + +bool cli_credentials_set_smb_ipc_signing(struct cli_credentials *cred, + enum smb_signing_setting ipc_signing_state, + enum credentials_obtained obtained); +enum smb_signing_setting +cli_credentials_get_smb_ipc_signing(struct cli_credentials *cred); + +bool cli_credentials_set_smb_encryption(struct cli_credentials *cred, + enum smb_encryption_setting encryption_state, + enum credentials_obtained obtained); +enum smb_encryption_setting +cli_credentials_get_smb_encryption(struct cli_credentials *cred); + +bool cli_credentials_set_cmdline_callbacks(struct cli_credentials *cred); + +void cli_credentials_dump(struct cli_credentials *creds); + +/** + * Return attached NETLOGON credentials + */ +struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred); + +NTSTATUS netlogon_creds_session_encrypt( + struct netlogon_creds_CredentialState *state, + DATA_BLOB data); + +int cli_credentials_get_aes256_key(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const char *salt, + DATA_BLOB *aes_256); + +/** + * Kerberos FAST handling + */ + +NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds, + struct cli_credentials *armor_creds, + bool require_fast_armor); + +struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds); + +bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds); + +#endif /* __CREDENTIALS_H__ */ diff --git a/auth/credentials/credentials_cmdline.c b/auth/credentials/credentials_cmdline.c new file mode 100644 index 0000000..c8c7c18 --- /dev/null +++ b/auth/credentials/credentials_cmdline.c @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2005 Jelmer Vernooij <jelmer@samba.org> + * Copyright (c) 2016 Stefan Metzmacher <metze@samba.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "system/filesys.h" +#include "auth/credentials/credentials.h" + +static const char *cmdline_get_userpassword(struct cli_credentials *creds) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const char *name = NULL; + char *label = NULL; + char *ret = NULL; + char pwd[256] = {0}; + int rc; + + name = cli_credentials_get_unparsed_name(creds, frame); + if (name == NULL) { + goto fail; + } + label = talloc_asprintf(frame, "Password for [%s]:", name); + if (label == NULL) { + goto fail; + } + rc = samba_getpass(label, pwd, sizeof(pwd), false, false); + if (rc != 0) { + goto fail; + } + ret = talloc_strdup(creds, pwd); + if (ret == NULL) { + goto fail; + } + talloc_set_name_const(ret, __location__); +fail: + ZERO_STRUCT(pwd); + TALLOC_FREE(frame); + return ret; +} + +/** + * @brief Set the command line password callback. + * + * This will set the callback to get the password from the command prompt or + * read it from 'stdin'. + * + * @param[in] cred The credential context. + * + * @return On success true, false otherwise. + */ +bool cli_credentials_set_cmdline_callbacks(struct cli_credentials *cred) +{ + /* + * If there is no tty, we will try to read the password from + * stdin. + */ + return cli_credentials_set_password_callback(cred, + cmdline_get_userpassword); +} diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h new file mode 100644 index 0000000..cda361e --- /dev/null +++ b/auth/credentials/credentials_internal.h @@ -0,0 +1,142 @@ +/* + samba -- Unix SMB/CIFS implementation. + + Client credentials structure + + Copyright (C) Jelmer Vernooij 2004-2006 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ +#ifndef __CREDENTIALS_INTERNAL_H__ +#define __CREDENTIALS_INTERNAL_H__ + +#include "../lib/util/data_blob.h" +#include "librpc/gen_ndr/misc.h" +#include "libcli/smb/smb_constants.h" + +struct cli_credentials { + enum credentials_obtained workstation_obtained; + enum credentials_obtained username_obtained; + enum credentials_obtained password_obtained; + enum credentials_obtained domain_obtained; + enum credentials_obtained realm_obtained; + enum credentials_obtained ccache_obtained; + enum credentials_obtained client_gss_creds_obtained; + enum credentials_obtained principal_obtained; + enum credentials_obtained keytab_obtained; + enum credentials_obtained server_gss_creds_obtained; + enum credentials_obtained signing_state_obtained; + enum credentials_obtained ipc_signing_state_obtained; + enum credentials_obtained encryption_state_obtained; + enum credentials_obtained kerberos_state_obtained; + enum credentials_obtained gensec_features_obtained; + + /* Threshold values (essentially a MAX() over a number of the + * above) for the ccache and GSS credentials, to ensure we + * regenerate/pick correctly */ + + enum credentials_obtained ccache_threshold; + enum credentials_obtained client_gss_creds_threshold; + + const char *workstation; + const char *username; + const char *password; + const char *old_password; + const char *domain; + const char *realm; + const char *principal; + char *salt_principal; + char *impersonate_principal; + char *self_service; + char *target_service; + + const char *bind_dn; + + /* Allows authentication from a keytab or similar */ + struct samr_Password *nt_hash; + struct samr_Password *old_nt_hash; + + /* Allows NTLM pass-though authentication */ + DATA_BLOB lm_response; + DATA_BLOB lm_session_key; + DATA_BLOB nt_response; + DATA_BLOB nt_session_key; + + struct ccache_container *ccache; + struct gssapi_creds_container *client_gss_creds; + struct keytab_container *keytab; + struct gssapi_creds_container *server_gss_creds; + + const char *(*workstation_cb) (struct cli_credentials *); + const char *(*password_cb) (struct cli_credentials *); + const char *(*username_cb) (struct cli_credentials *); + const char *(*domain_cb) (struct cli_credentials *); + const char *(*realm_cb) (struct cli_credentials *); + const char *(*principal_cb) (struct cli_credentials *); + + /* Private handle for the callback routines to use */ + void *priv_data; + + struct netlogon_creds_CredentialState *netlogon_creds; + enum netr_SchannelType secure_channel_type; + int kvno; + time_t password_last_changed_time; + + struct smb_krb5_context *smb_krb5_context; + + /* We are flagged to get machine account details from the + * secrets.ldb when we are asked for a username or password */ + bool machine_account_pending; + struct loadparm_context *machine_account_pending_lp_ctx; + + /* Is this a machine account? */ + bool machine_account; + + /* Should we be trying to use kerberos? */ + enum credentials_use_kerberos kerberos_state; + + /* Should we get a forwardable ticket? */ + enum credentials_krb_forwardable krb_forwardable; + + /* Forced SASL mechanism */ + char *forced_sasl_mech; + + /* gensec features which should be used for connections */ + uint32_t gensec_features; + + /* Number of retries left before bailing out */ + uint32_t password_tries; + + /* Whether any callback is currently running */ + bool callback_running; + + char winbind_separator; + + bool password_will_be_nt_hash; + + enum smb_signing_setting signing_state; + + enum smb_signing_setting ipc_signing_state; + + enum smb_encryption_setting encryption_state; + + /* Credentials to use for FAST */ + struct cli_credentials *krb5_fast_armor_credentials; + + /* Should we require FAST? */ + bool krb5_require_fast_armor; +}; + +#endif /* __CREDENTIALS_INTERNAL_H__ */ diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c new file mode 100644 index 0000000..4463401 --- /dev/null +++ b/auth/credentials/credentials_krb5.c @@ -0,0 +1,1581 @@ +/* + Unix SMB/CIFS implementation. + + Handle user credentials (as regards krb5) + + Copyright (C) Jelmer Vernooij 2005 + Copyright (C) Tim Potter 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/kerberos.h" +#include "system/gssapi.h" +#include "auth/kerberos/kerberos.h" +#include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_internal.h" +#include "auth/credentials/credentials_krb5.h" +#include "auth/kerberos/kerberos_credentials.h" +#include "auth/kerberos/kerberos_srv_keytab.h" +#include "auth/kerberos/kerberos_util.h" +#include "auth/kerberos/pac_utils.h" +#include "param/param.h" +#include "../libds/common/flags.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +#undef strncasecmp + +static void cli_credentials_invalidate_client_gss_creds( + struct cli_credentials *cred, + enum credentials_obtained obtained); + +/* Free a memory ccache */ +static int free_mccache(struct ccache_container *ccc) +{ + if (ccc->ccache != NULL) { + krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, + ccc->ccache); + ccc->ccache = NULL; + } + + return 0; +} + +/* Free a disk-based ccache */ +static int free_dccache(struct ccache_container *ccc) +{ + if (ccc->ccache != NULL) { + krb5_cc_close(ccc->smb_krb5_context->krb5_context, + ccc->ccache); + ccc->ccache = NULL; + } + + return 0; +} + +static uint32_t smb_gss_krb5_copy_ccache(uint32_t *min_stat, + gss_cred_id_t cred, + struct ccache_container *ccc) +{ +#ifndef SAMBA4_USES_HEIMDAL /* MIT 1.10 */ + krb5_context context = ccc->smb_krb5_context->krb5_context; + krb5_ccache dummy_ccache = NULL; + krb5_creds creds = {0}; + krb5_cc_cursor cursor = NULL; + krb5_principal princ = NULL; + krb5_error_code code; + char *dummy_name; + uint32_t maj_stat = GSS_S_FAILURE; + + dummy_name = talloc_asprintf(ccc, + "MEMORY:gss_krb5_copy_ccache-%p", + &ccc->ccache); + if (dummy_name == NULL) { + *min_stat = ENOMEM; + return GSS_S_FAILURE; + } + + /* + * Create a dummy ccache, so we can iterate over the credentials + * and find the default principal for the ccache we want to + * copy. The new ccache needs to be initialized with this + * principal. + */ + code = krb5_cc_resolve(context, dummy_name, &dummy_ccache); + TALLOC_FREE(dummy_name); + if (code != 0) { + *min_stat = code; + return GSS_S_FAILURE; + } + + /* + * We do not need set a default principal on the temporary dummy + * ccache, as we do consume it at all in this function. + */ + maj_stat = gss_krb5_copy_ccache(min_stat, cred, dummy_ccache); + if (maj_stat != 0) { + krb5_cc_close(context, dummy_ccache); + return maj_stat; + } + + code = krb5_cc_start_seq_get(context, dummy_ccache, &cursor); + if (code != 0) { + krb5_cc_close(context, dummy_ccache); + *min_stat = EINVAL; + return GSS_S_FAILURE; + } + + code = krb5_cc_next_cred(context, + dummy_ccache, + &cursor, + &creds); + if (code != 0) { + krb5_cc_close(context, dummy_ccache); + *min_stat = EINVAL; + return GSS_S_FAILURE; + } + + do { + if (creds.ticket_flags & TKT_FLG_PRE_AUTH) { + krb5_data *tgs; + + tgs = krb5_princ_component(context, + creds.server, + 0); + if (tgs != NULL && tgs->length >= 1) { + int cmp; + + cmp = memcmp(tgs->data, + KRB5_TGS_NAME, + tgs->length); + if (cmp == 0 && creds.client != NULL) { + princ = creds.client; + code = KRB5_CC_END; + break; + } + } + } + + krb5_free_cred_contents(context, &creds); + + code = krb5_cc_next_cred(context, + dummy_ccache, + &cursor, + &creds); + } while (code == 0); + + if (code == KRB5_CC_END) { + krb5_cc_end_seq_get(context, dummy_ccache, &cursor); + code = 0; + } + krb5_cc_close(context, dummy_ccache); + + if (code != 0 || princ == NULL) { + krb5_free_cred_contents(context, &creds); + *min_stat = EINVAL; + return GSS_S_FAILURE; + } + + /* + * Set the default principal for the cache we copy + * into. This is needed to be able that other calls + * can read it with e.g. gss_acquire_cred() or + * krb5_cc_get_principal(). + */ + code = krb5_cc_initialize(context, ccc->ccache, princ); + if (code != 0) { + krb5_free_cred_contents(context, &creds); + *min_stat = EINVAL; + return GSS_S_FAILURE; + } + krb5_free_cred_contents(context, &creds); + +#endif /* SAMBA4_USES_HEIMDAL */ + + return gss_krb5_copy_ccache(min_stat, + cred, + ccc->ccache); +} + +_PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct smb_krb5_context **smb_krb5_context) +{ + int ret; + if (cred->smb_krb5_context) { + *smb_krb5_context = cred->smb_krb5_context; + return 0; + } + + ret = smb_krb5_init_context(cred, lp_ctx, + &cred->smb_krb5_context); + if (ret) { + cred->smb_krb5_context = NULL; + return ret; + } + *smb_krb5_context = cred->smb_krb5_context; + return 0; +} + +/* For most predictable behaviour, this needs to be called directly after the cli_credentials_init(), + * otherwise we may still have references to the old smb_krb5_context in a credential cache etc + */ +_PUBLIC_ NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, + struct smb_krb5_context *smb_krb5_context) +{ + if (smb_krb5_context == NULL) { + talloc_unlink(cred, cred->smb_krb5_context); + cred->smb_krb5_context = NULL; + return NT_STATUS_OK; + } + + if (!talloc_reference(cred, smb_krb5_context)) { + return NT_STATUS_NO_MEMORY; + } + cred->smb_krb5_context = smb_krb5_context; + return NT_STATUS_OK; +} + +static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + struct ccache_container *ccache, + enum credentials_obtained obtained, + const char **error_string) +{ + bool ok; + char *realm; + krb5_principal princ; + krb5_error_code ret; + char *name; + + if (cred->ccache_obtained > obtained) { + return 0; + } + + ret = krb5_cc_get_principal(ccache->smb_krb5_context->krb5_context, + ccache->ccache, &princ); + + if (ret) { + (*error_string) = talloc_asprintf(cred, "failed to get principal from ccache: %s\n", + smb_get_krb5_error_message(ccache->smb_krb5_context->krb5_context, + ret, cred)); + return ret; + } + + ret = krb5_unparse_name(ccache->smb_krb5_context->krb5_context, princ, &name); + if (ret) { + (*error_string) = talloc_asprintf(cred, "failed to unparse principal from ccache: %s\n", + smb_get_krb5_error_message(ccache->smb_krb5_context->krb5_context, + ret, cred)); + krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); + return ret; + } + + ok = cli_credentials_set_principal(cred, name, obtained); + krb5_free_unparsed_name(ccache->smb_krb5_context->krb5_context, name); + if (!ok) { + krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); + return ENOMEM; + } + + realm = smb_krb5_principal_get_realm( + cred, ccache->smb_krb5_context->krb5_context, princ); + krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); + if (realm == NULL) { + return ENOMEM; + } + ok = cli_credentials_set_realm(cred, realm, obtained); + TALLOC_FREE(realm); + if (!ok) { + return ENOMEM; + } + + /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */ + cred->ccache_obtained = obtained; + + return 0; +} + +_PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + const char *name, + enum credentials_obtained obtained, + const char **error_string) +{ + krb5_error_code ret; + krb5_principal princ; + struct ccache_container *ccc; + if (cred->ccache_obtained > obtained) { + return 0; + } + + ccc = talloc(cred, struct ccache_container); + if (!ccc) { + (*error_string) = error_message(ENOMEM); + return ENOMEM; + } + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, + &ccc->smb_krb5_context); + if (ret) { + (*error_string) = error_message(ret); + talloc_free(ccc); + return ret; + } + if (!talloc_reference(ccc, ccc->smb_krb5_context)) { + talloc_free(ccc); + (*error_string) = error_message(ENOMEM); + return ENOMEM; + } + + if (name) { + ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, name, &ccc->ccache); + if (ret) { + (*error_string) = talloc_asprintf(cred, "failed to read krb5 ccache: %s: %s\n", + name, + smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, + ret, ccc)); + talloc_free(ccc); + return ret; + } + } else { + ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache); + if (ret) { + (*error_string) = talloc_asprintf(cred, "failed to read default krb5 ccache: %s\n", + smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, + ret, ccc)); + talloc_free(ccc); + return ret; + } + } + + talloc_set_destructor(ccc, free_dccache); + + ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context, ccc->ccache, &princ); + + if (ret == 0) { + krb5_free_principal(ccc->smb_krb5_context->krb5_context, princ); + ret = cli_credentials_set_from_ccache(cred, ccc, obtained, error_string); + + if (ret) { + (*error_string) = error_message(ret); + TALLOC_FREE(ccc); + return ret; + } + } + + cred->ccache = ccc; + cred->ccache_obtained = obtained; + + cli_credentials_invalidate_client_gss_creds( + cred, cred->ccache_obtained); + + return 0; +} + +#ifndef SAMBA4_USES_HEIMDAL +/* + * This function is a workaround for old MIT Kerberos versions which did not + * implement the krb5_cc_remove_cred function. It creates a temporary + * credentials cache to copy the credentials in the current cache + * except the one we want to remove and then overwrites the contents of the + * current cache with the temporary copy. + */ +static krb5_error_code krb5_cc_remove_cred_wrap(struct ccache_container *ccc, + krb5_creds *creds) +{ + krb5_ccache dummy_ccache = NULL; + krb5_creds cached_creds = {0}; + krb5_cc_cursor cursor = NULL; + krb5_error_code code; + char *dummy_name; + + dummy_name = talloc_asprintf(ccc, + "MEMORY:copy_ccache-%p", + &ccc->ccache); + if (dummy_name == NULL) { + return KRB5_CC_NOMEM; + } + + code = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, + dummy_name, + &dummy_ccache); + if (code != 0) { + DBG_ERR("krb5_cc_resolve failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + code, ccc)); + TALLOC_FREE(dummy_name); + return code; + } + + TALLOC_FREE(dummy_name); + + code = krb5_cc_start_seq_get(ccc->smb_krb5_context->krb5_context, + ccc->ccache, + &cursor); + if (code != 0) { + krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, + dummy_ccache); + + DBG_ERR("krb5_cc_start_seq_get failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + code, ccc)); + return code; + } + + while ((code = krb5_cc_next_cred(ccc->smb_krb5_context->krb5_context, + ccc->ccache, + &cursor, + &cached_creds)) == 0) { + /* If the principal matches skip it and do not copy to the + * temporary cache as this is the one we want to remove */ + if (krb5_principal_compare_flags( + ccc->smb_krb5_context->krb5_context, + creds->server, + cached_creds.server, + 0)) { + continue; + } + + code = krb5_cc_store_cred( + ccc->smb_krb5_context->krb5_context, + dummy_ccache, + &cached_creds); + if (code != 0) { + krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, + dummy_ccache); + DBG_ERR("krb5_cc_store_cred failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + code, ccc)); + return code; + } + } + + if (code == KRB5_CC_END) { + krb5_cc_end_seq_get(ccc->smb_krb5_context->krb5_context, + dummy_ccache, + &cursor); + code = 0; + } + + if (code != 0) { + krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, + dummy_ccache); + DBG_ERR("krb5_cc_next_cred failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + code, ccc)); + return code; + } + + code = krb5_cc_initialize(ccc->smb_krb5_context->krb5_context, + ccc->ccache, + creds->client); + if (code != 0) { + krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, + dummy_ccache); + DBG_ERR("krb5_cc_initialize failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + code, ccc)); + return code; + } + + code = krb5_cc_copy_creds(ccc->smb_krb5_context->krb5_context, + dummy_ccache, + ccc->ccache); + if (code != 0) { + krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, + dummy_ccache); + DBG_ERR("krb5_cc_copy_creds failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + code, ccc)); + return code; + } + + code = krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, + dummy_ccache); + if (code != 0) { + DBG_ERR("krb5_cc_destroy failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + code, ccc)); + return code; + } + + return code; +} +#endif + +/* + * Indicate that we failed to log in to this service/host with these + * credentials. The caller passes an unsigned int which they + * initialise to the number of times they would like to retry. + * + * This method is used to support re-trying with freshly fetched + * credentials in case a server is rebuilt while clients have + * non-expired tickets. When the client code gets a logon failure they + * throw away the existing credentials for the server and retry. + */ +_PUBLIC_ bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred, + const char *principal, + unsigned int *count) +{ + struct ccache_container *ccc; + krb5_creds creds, creds2; + int ret; + + if (principal == NULL) { + /* no way to delete if we don't know the principal */ + return false; + } + + ccc = cred->ccache; + if (ccc == NULL) { + /* not a kerberos connection */ + return false; + } + + if (*count > 0) { + /* We have already tried discarding the credentials */ + return false; + } + (*count)++; + + ZERO_STRUCT(creds); + ret = krb5_parse_name(ccc->smb_krb5_context->krb5_context, principal, &creds.server); + if (ret != 0) { + return false; + } + + /* MIT kerberos requires creds.client to match against cached + * credentials */ + ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context, + ccc->ccache, + &creds.client); + if (ret != 0) { + krb5_free_cred_contents(ccc->smb_krb5_context->krb5_context, + &creds); + DBG_ERR("krb5_cc_get_principal failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + ret, ccc)); + return false; + } + + ret = krb5_cc_retrieve_cred(ccc->smb_krb5_context->krb5_context, ccc->ccache, KRB5_TC_MATCH_SRV_NAMEONLY, &creds, &creds2); + if (ret != 0) { + /* don't retry - we didn't find these credentials to remove */ + krb5_free_cred_contents(ccc->smb_krb5_context->krb5_context, &creds); + return false; + } + + ret = krb5_cc_remove_cred(ccc->smb_krb5_context->krb5_context, ccc->ccache, KRB5_TC_MATCH_SRV_NAMEONLY, &creds); +#ifndef SAMBA4_USES_HEIMDAL + if (ret == KRB5_CC_NOSUPP) { + /* Old MIT kerberos versions did not implement + * krb5_cc_remove_cred */ + ret = krb5_cc_remove_cred_wrap(ccc, &creds); + } +#endif + krb5_free_cred_contents(ccc->smb_krb5_context->krb5_context, &creds); + krb5_free_cred_contents(ccc->smb_krb5_context->krb5_context, &creds2); + if (ret != 0) { + /* don't retry - we didn't find these credentials to + * remove. Note that with the current backend this + * never happens, as it always returns 0 even if the + * creds don't exist, which is why we do a separate + * krb5_cc_retrieve_cred() above. + */ + DBG_ERR("krb5_cc_remove_cred failed: %s\n", + smb_get_krb5_error_message( + ccc->smb_krb5_context->krb5_context, + ret, ccc)); + return false; + } + return true; +} + + +static int cli_credentials_new_ccache(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + char *ccache_name, + struct ccache_container **_ccc, + const char **error_string) +{ + bool must_free_cc_name = false; + krb5_error_code ret; + struct ccache_container *ccc = talloc(cred, struct ccache_container); + if (!ccc) { + return ENOMEM; + } + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, + &ccc->smb_krb5_context); + if (ret) { + talloc_free(ccc); + (*error_string) = talloc_asprintf(cred, "Failed to get krb5_context: %s", + error_message(ret)); + return ret; + } + if (!talloc_reference(ccc, ccc->smb_krb5_context)) { + talloc_free(ccc); + (*error_string) = strerror(ENOMEM); + return ENOMEM; + } + + if (!ccache_name) { + must_free_cc_name = true; + + if (lpcfg_parm_bool(lp_ctx, NULL, "credentials", "krb5_cc_file", false)) { + ccache_name = talloc_asprintf(ccc, "FILE:/tmp/krb5_cc_samba_%u_%p", + (unsigned int)getpid(), ccc); + } else { + ccache_name = talloc_asprintf(ccc, "MEMORY:%p", + ccc); + } + + if (!ccache_name) { + talloc_free(ccc); + (*error_string) = strerror(ENOMEM); + return ENOMEM; + } + } + + ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name, + &ccc->ccache); + if (ret) { + (*error_string) = talloc_asprintf(cred, "failed to resolve a krb5 ccache (%s): %s\n", + ccache_name, + smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, + ret, ccc)); + talloc_free(ccache_name); + talloc_free(ccc); + return ret; + } + + if (strncasecmp(ccache_name, "MEMORY:", 7) == 0) { + talloc_set_destructor(ccc, free_mccache); + } else { + talloc_set_destructor(ccc, free_dccache); + } + + if (must_free_cc_name) { + talloc_free(ccache_name); + } + + *_ccc = ccc; + + return 0; +} + +_PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred, + struct tevent_context *event_ctx, + struct loadparm_context *lp_ctx, + char *ccache_name, + struct ccache_container **ccc, + const char **error_string) +{ + krb5_error_code ret; + enum credentials_obtained obtained; + + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, lp_ctx); + } + + if (cred->ccache_obtained >= cred->ccache_threshold && + cred->ccache_obtained > CRED_UNINITIALISED) { + time_t lifetime; + bool expired = false; + ret = smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context, + cred->ccache->ccache, &lifetime); + if (ret == KRB5_CC_END || ret == ENOENT) { + /* If we have a particular ccache set, without + * an initial ticket, then assume there is a + * good reason */ + } else if (ret == 0) { + if (lifetime == 0) { + DEBUG(3, ("Ticket in credentials cache for %s expired, will refresh\n", + cli_credentials_get_principal(cred, cred))); + expired = true; + } else if (lifetime < 300) { + DEBUG(3, ("Ticket in credentials cache for %s will shortly expire (%u secs), will refresh\n", + cli_credentials_get_principal(cred, cred), (unsigned int)lifetime)); + expired = true; + } + } else { + (*error_string) = talloc_asprintf(cred, "failed to get ccache lifetime: %s\n", + smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, + ret, cred)); + return ret; + } + + DEBUG(5, ("Ticket in credentials cache for %s will expire in %u secs\n", + cli_credentials_get_principal(cred, cred), (unsigned int)lifetime)); + + if (!expired) { + *ccc = cred->ccache; + return 0; + } + } + if (cli_credentials_is_anonymous(cred)) { + (*error_string) = "Cannot get anonymous kerberos credentials"; + return EINVAL; + } + + ret = cli_credentials_new_ccache(cred, lp_ctx, ccache_name, ccc, error_string); + if (ret) { + return ret; + } + + ret = kinit_to_ccache(cred, + cred, + (*ccc)->smb_krb5_context, + lp_ctx, + event_ctx, + (*ccc)->ccache, + &obtained, + error_string); + if (ret) { + return ret; + } + + ret = cli_credentials_set_from_ccache(cred, *ccc, + obtained, error_string); + + cred->ccache = *ccc; + cred->ccache_obtained = cred->principal_obtained; + if (ret) { + return ret; + } + cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained); + return 0; +} + +_PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred, + struct tevent_context *event_ctx, + struct loadparm_context *lp_ctx, + struct ccache_container **ccc, + const char **error_string) +{ + return cli_credentials_get_named_ccache(cred, event_ctx, lp_ctx, NULL, ccc, error_string); +} + +/* We have good reason to think the ccache in these credentials is invalid - blow it away */ +static void cli_credentials_unconditionally_invalidate_client_gss_creds(struct cli_credentials *cred) +{ + if (cred->client_gss_creds_obtained > CRED_UNINITIALISED) { + talloc_unlink(cred, cred->client_gss_creds); + cred->client_gss_creds = NULL; + } + cred->client_gss_creds_obtained = CRED_UNINITIALISED; +} + +void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred, + enum credentials_obtained obtained) +{ + /* If the caller just changed the username/password etc, then + * any cached credentials are now invalid */ + if (obtained >= cred->client_gss_creds_obtained) { + if (cred->client_gss_creds_obtained > CRED_UNINITIALISED) { + talloc_unlink(cred, cred->client_gss_creds); + cred->client_gss_creds = NULL; + } + cred->client_gss_creds_obtained = CRED_UNINITIALISED; + } + /* Now that we know that the data is 'this specified', then + * don't allow something less 'known' to be returned as a + * ccache. Ie, if the username is on the command line, we + * don't want to later guess to use a file-based ccache */ + if (obtained > cred->client_gss_creds_threshold) { + cred->client_gss_creds_threshold = obtained; + } +} + +/* We have good reason to think this CCACHE is invalid. Blow it away */ +static void cli_credentials_unconditionally_invalidate_ccache(struct cli_credentials *cred) +{ + if (cred->ccache_obtained > CRED_UNINITIALISED) { + talloc_unlink(cred, cred->ccache); + cred->ccache = NULL; + } + cred->ccache_obtained = CRED_UNINITIALISED; + + cli_credentials_unconditionally_invalidate_client_gss_creds(cred); +} + +_PUBLIC_ void cli_credentials_invalidate_ccache(struct cli_credentials *cred, + enum credentials_obtained obtained) +{ + /* If the caller just changed the username/password etc, then + * any cached credentials are now invalid */ + if (obtained >= cred->ccache_obtained) { + if (cred->ccache_obtained > CRED_UNINITIALISED) { + talloc_unlink(cred, cred->ccache); + cred->ccache = NULL; + } + cred->ccache_obtained = CRED_UNINITIALISED; + } + /* Now that we know that the data is 'this specified', then + * don't allow something less 'known' to be returned as a + * ccache. i.e, if the username is on the command line, we + * don't want to later guess to use a file-based ccache */ + if (obtained > cred->ccache_threshold) { + cred->ccache_threshold = obtained; + } + + cli_credentials_invalidate_client_gss_creds(cred, + obtained); +} + +static int free_gssapi_creds(struct gssapi_creds_container *gcc) +{ + OM_uint32 min_stat; + (void)gss_release_cred(&min_stat, &gcc->creds); + return 0; +} + +_PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + struct tevent_context *event_ctx, + struct loadparm_context *lp_ctx, + struct gssapi_creds_container **_gcc, + const char **error_string) +{ + int ret = 0; + OM_uint32 maj_stat, min_stat; + struct gssapi_creds_container *gcc; + struct ccache_container *ccache; +#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X + gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; + gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X); +#endif + krb5_enctype *etypes = NULL; + + if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold && + cred->client_gss_creds_obtained > CRED_UNINITIALISED) { + bool expired = false; + OM_uint32 lifetime = 0; + gss_cred_usage_t usage = 0; + maj_stat = gss_inquire_cred(&min_stat, cred->client_gss_creds->creds, + NULL, &lifetime, &usage, NULL); + if (maj_stat == GSS_S_CREDENTIALS_EXPIRED) { + DEBUG(3, ("Credentials for %s expired, must refresh credentials cache\n", cli_credentials_get_principal(cred, cred))); + expired = true; + } else if (maj_stat == GSS_S_COMPLETE && lifetime < 300) { + DEBUG(3, ("Credentials for %s will expire shortly (%u sec), must refresh credentials cache\n", cli_credentials_get_principal(cred, cred), lifetime)); + expired = true; + } else if (maj_stat != GSS_S_COMPLETE) { + *error_string = talloc_asprintf(cred, "inquiry of credential lifetime via GSSAPI gss_inquire_cred failed: %s\n", + gssapi_error_string(cred, maj_stat, min_stat, NULL)); + return EINVAL; + } + if (expired) { + cli_credentials_unconditionally_invalidate_client_gss_creds(cred); + } else { + DEBUG(5, ("GSSAPI credentials for %s will expire in %u secs\n", + cli_credentials_get_principal(cred, cred), (unsigned int)lifetime)); + + *_gcc = cred->client_gss_creds; + return 0; + } + } + + ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, + &ccache, error_string); + if (ret) { + if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) { + DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string)); + } else { + DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string)); + } + return ret; + } + + gcc = talloc(cred, struct gssapi_creds_container); + if (!gcc) { + (*error_string) = error_message(ENOMEM); + return ENOMEM; + } + + maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, + ccache->ccache, NULL, NULL, + &gcc->creds); + if ((maj_stat == GSS_S_FAILURE) && + (min_stat == (OM_uint32)KRB5_CC_END || + min_stat == (OM_uint32)KRB5_CC_NOTFOUND || + min_stat == (OM_uint32)KRB5_FCC_NOFILE)) + { + /* This CCACHE is no good. Ensure we don't use it again */ + cli_credentials_unconditionally_invalidate_ccache(cred); + + /* Now try again to get a ccache */ + ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, + &ccache, error_string); + if (ret) { + DEBUG(1, ("Failed to re-get CCACHE for GSSAPI client: %s\n", error_message(ret))); + return ret; + } + + maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, + ccache->ccache, NULL, NULL, + &gcc->creds); + + } + + if (maj_stat) { + talloc_free(gcc); + if (min_stat) { + ret = min_stat; + } else { + ret = EINVAL; + } + (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret)); + return ret; + } + + + /* + * transfer the enctypes from the smb_krb5_context to the gssapi layer + * + * We use 'our' smb_krb5_context to do the AS-REQ and it is possible + * to configure the enctypes via the krb5.conf. + * + * And the gss_init_sec_context() creates it's own krb5_context and + * the TGS-REQ had all enctypes in it and only the ones configured + * and used for the AS-REQ, so it wasn't possible to disable the usage + * of AES keys. + */ + min_stat = smb_krb5_get_allowed_etypes(ccache->smb_krb5_context->krb5_context, + &etypes); + if (min_stat == 0) { + OM_uint32 num_ktypes; + + for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++); + + maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds, + num_ktypes, + (int32_t *) etypes); + krb5_free_enctypes(ccache->smb_krb5_context->krb5_context, + etypes); + if (maj_stat) { + talloc_free(gcc); + if (min_stat) { + ret = min_stat; + } else { + ret = EINVAL; + } + (*error_string) = talloc_asprintf(cred, "gss_krb5_set_allowable_enctypes failed: %s", error_message(ret)); + return ret; + } + } + +#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X + /* + * Don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG. + * + * This allows us to disable SIGN and SEAL on a TLS connection with + * GSS-SPNENO. For example ldaps:// connections. + * + * https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575 + * http://krbdev.mit.edu/rt/Ticket/Display.html?id=6938 + */ + maj_stat = gss_set_cred_option(&min_stat, &gcc->creds, + oid, + &empty_buffer); + if (maj_stat) { + talloc_free(gcc); + if (min_stat) { + ret = min_stat; + } else { + ret = EINVAL; + } + (*error_string) = talloc_asprintf(cred, "gss_set_cred_option failed: %s", error_message(ret)); + return ret; + } +#endif + cred->client_gss_creds_obtained = cred->ccache_obtained; + talloc_set_destructor(gcc, free_gssapi_creds); + cred->client_gss_creds = gcc; + *_gcc = gcc; + return 0; +} + +/** + Set a gssapi cred_id_t into the credentials system. (Client case) + + This grabs the credentials both 'intact' and getting the krb5 + ccache out of it. This routine can be generalised in future for + the case where we deal with GSSAPI mechs other than krb5. + + On success, the caller must not free gssapi_cred, as it now belongs + to the credentials system. +*/ + + int cli_credentials_set_client_gss_creds(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + gss_cred_id_t gssapi_cred, + enum credentials_obtained obtained, + const char **error_string) +{ + int ret; + OM_uint32 maj_stat, min_stat; + struct ccache_container *ccc = NULL; + struct gssapi_creds_container *gcc = NULL; + if (cred->client_gss_creds_obtained > obtained) { + return 0; + } + + gcc = talloc(cred, struct gssapi_creds_container); + if (!gcc) { + (*error_string) = error_message(ENOMEM); + return ENOMEM; + } + + ret = cli_credentials_new_ccache(cred, lp_ctx, NULL, &ccc, error_string); + if (ret != 0) { + return ret; + } + + maj_stat = smb_gss_krb5_copy_ccache(&min_stat, + gssapi_cred, + ccc); + if (maj_stat) { + if (min_stat) { + ret = min_stat; + } else { + ret = EINVAL; + } + if (ret) { + (*error_string) = error_message(ENOMEM); + } + } + + if (ret == 0) { + ret = cli_credentials_set_from_ccache(cred, ccc, obtained, error_string); + } + cred->ccache = ccc; + cred->ccache_obtained = obtained; + if (ret == 0) { + gcc->creds = gssapi_cred; + talloc_set_destructor(gcc, free_gssapi_creds); + + /* set the client_gss_creds_obtained here, as it just + got set to UNINITIALISED by the calls above */ + cred->client_gss_creds_obtained = obtained; + cred->client_gss_creds = gcc; + } + return ret; +} + +static int cli_credentials_shallow_ccache(struct cli_credentials *cred) +{ + krb5_error_code ret; + const struct ccache_container *old_ccc = NULL; + enum credentials_obtained old_obtained; + struct ccache_container *ccc = NULL; + char *ccache_name = NULL; + krb5_principal princ; + + old_obtained = cred->ccache_obtained; + old_ccc = cred->ccache; + if (old_ccc == NULL) { + return 0; + } + + cred->ccache = NULL; + cred->ccache_obtained = CRED_UNINITIALISED; + cred->client_gss_creds = NULL; + cred->client_gss_creds_obtained = CRED_UNINITIALISED; + + ret = krb5_cc_get_principal( + old_ccc->smb_krb5_context->krb5_context, + old_ccc->ccache, + &princ); + if (ret != 0) { + /* + * This is an empty ccache. No point in copying anything. + */ + return 0; + } + krb5_free_principal(old_ccc->smb_krb5_context->krb5_context, princ); + + ccc = talloc(cred, struct ccache_container); + if (ccc == NULL) { + return ENOMEM; + } + *ccc = *old_ccc; + ccc->ccache = NULL; + + ccache_name = talloc_asprintf(ccc, "MEMORY:%p", ccc); + + ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, + ccache_name, &ccc->ccache); + if (ret != 0) { + TALLOC_FREE(ccc); + return ret; + } + + talloc_set_destructor(ccc, free_mccache); + + TALLOC_FREE(ccache_name); + + ret = smb_krb5_cc_copy_creds(ccc->smb_krb5_context->krb5_context, + old_ccc->ccache, ccc->ccache); + if (ret != 0) { + TALLOC_FREE(ccc); + return ret; + } + + cred->ccache = ccc; + cred->ccache_obtained = old_obtained; + return ret; +} + +_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx, + struct cli_credentials *src) +{ + struct cli_credentials *dst, *armor_credentials; + int ret; + + dst = talloc(mem_ctx, struct cli_credentials); + if (dst == NULL) { + return NULL; + } + + *dst = *src; + + if (dst->krb5_fast_armor_credentials != NULL) { + armor_credentials = talloc_reference(dst, dst->krb5_fast_armor_credentials); + if (armor_credentials == NULL) { + TALLOC_FREE(dst); + return NULL; + } + } + + ret = cli_credentials_shallow_ccache(dst); + if (ret != 0) { + TALLOC_FREE(dst); + return NULL; + } + + return dst; +} + +/* Get the keytab (actually, a container containing the krb5_keytab) + * attached to this context. If this hasn't been done or set before, + * it will be generated from the password. + */ +_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct keytab_container **_ktc) +{ + krb5_error_code ret; + struct keytab_container *ktc; + struct smb_krb5_context *smb_krb5_context; + const char *keytab_name; + krb5_keytab keytab; + TALLOC_CTX *mem_ctx; + const char *username = cli_credentials_get_username(cred); + const char *upn = NULL; + const char *realm = cli_credentials_get_realm(cred); + char *salt_principal = NULL; + uint32_t uac_flags = 0; + + if (cred->keytab_obtained >= (MAX(cred->principal_obtained, + cred->username_obtained))) { + *_ktc = cred->keytab; + return 0; + } + + if (cli_credentials_is_anonymous(cred)) { + return EINVAL; + } + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, + &smb_krb5_context); + if (ret) { + return ret; + } + + mem_ctx = talloc_new(cred); + if (!mem_ctx) { + return ENOMEM; + } + + switch (cred->secure_channel_type) { + case SEC_CHAN_WKSTA: + case SEC_CHAN_RODC: + uac_flags = UF_WORKSTATION_TRUST_ACCOUNT; + break; + case SEC_CHAN_BDC: + uac_flags = UF_SERVER_TRUST_ACCOUNT; + break; + case SEC_CHAN_DOMAIN: + case SEC_CHAN_DNS_DOMAIN: + uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT; + break; + default: + upn = cli_credentials_get_principal(cred, mem_ctx); + if (upn == NULL) { + TALLOC_FREE(mem_ctx); + return ENOMEM; + } + uac_flags = UF_NORMAL_ACCOUNT; + break; + } + + ret = smb_krb5_salt_principal_str(realm, + username, /* sAMAccountName */ + upn, /* userPrincipalName */ + uac_flags, + mem_ctx, + &salt_principal); + if (ret) { + talloc_free(mem_ctx); + return ret; + } + + ret = smb_krb5_create_memory_keytab(mem_ctx, + smb_krb5_context->krb5_context, + cli_credentials_get_password(cred), + username, + realm, + salt_principal, + cli_credentials_get_kvno(cred), + &keytab, + &keytab_name); + if (ret) { + talloc_free(mem_ctx); + return ret; + } + + ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context, + keytab, keytab_name, &ktc); + if (ret) { + talloc_free(mem_ctx); + return ret; + } + + cred->keytab_obtained = (MAX(cred->principal_obtained, + cred->username_obtained)); + + /* We make this keytab up based on a password. Therefore + * match-by-key is acceptable, we can't match on the wrong + * principal */ + ktc->password_based = true; + + talloc_steal(cred, ktc); + cred->keytab = ktc; + *_ktc = cred->keytab; + talloc_free(mem_ctx); + return ret; +} + +/* Given the name of a keytab (presumably in the format + * FILE:/etc/krb5.keytab), open it and attach it */ + +_PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + const char *keytab_name, + enum credentials_obtained obtained) +{ + krb5_error_code ret; + struct keytab_container *ktc; + struct smb_krb5_context *smb_krb5_context; + TALLOC_CTX *mem_ctx; + + if (cred->keytab_obtained >= obtained) { + return 0; + } + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); + if (ret) { + return ret; + } + + mem_ctx = talloc_new(cred); + if (!mem_ctx) { + return ENOMEM; + } + + ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context, + NULL, keytab_name, &ktc); + if (ret) { + return ret; + } + + cred->keytab_obtained = obtained; + + talloc_steal(cred, ktc); + cred->keytab = ktc; + talloc_free(mem_ctx); + + return ret; +} + +/* Get server gss credentials (in gsskrb5, this means the keytab) */ + +_PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct gssapi_creds_container **_gcc) +{ + int ret = 0; + OM_uint32 maj_stat, min_stat; + struct gssapi_creds_container *gcc; + struct keytab_container *ktc; + struct smb_krb5_context *smb_krb5_context; + TALLOC_CTX *mem_ctx; + krb5_principal princ; + const char *error_string; + enum credentials_obtained obtained; + + mem_ctx = talloc_new(cred); + if (!mem_ctx) { + return ENOMEM; + } + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); + if (ret) { + return ret; + } + + ret = principal_from_credentials(mem_ctx, cred, smb_krb5_context, &princ, &obtained, &error_string); + if (ret) { + DEBUG(1,("cli_credentials_get_server_gss_creds: making krb5 principal failed (%s)\n", + error_string)); + talloc_free(mem_ctx); + return ret; + } + + if (cred->server_gss_creds_obtained >= (MAX(cred->keytab_obtained, obtained))) { + talloc_free(mem_ctx); + *_gcc = cred->server_gss_creds; + return 0; + } + + ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc); + if (ret) { + DEBUG(1, ("Failed to get keytab for GSSAPI server: %s\n", error_message(ret))); + return ret; + } + + gcc = talloc(cred, struct gssapi_creds_container); + if (!gcc) { + talloc_free(mem_ctx); + return ENOMEM; + } + + if (ktc->password_based || obtained < CRED_SPECIFIED) { + /* + * This creates a GSSAPI cred_id_t for match-by-key with only + * the keytab set + */ + princ = NULL; + } + maj_stat = smb_gss_krb5_import_cred(&min_stat, + smb_krb5_context->krb5_context, + NULL, princ, + ktc->keytab, + &gcc->creds); + if (maj_stat) { + if (min_stat) { + ret = min_stat; + } else { + ret = EINVAL; + } + } + if (ret == 0) { + cred->server_gss_creds_obtained = cred->keytab_obtained; + talloc_set_destructor(gcc, free_gssapi_creds); + cred->server_gss_creds = gcc; + *_gcc = gcc; + } + talloc_free(mem_ctx); + return ret; +} + +/** + * Set Kerberos KVNO + */ + +_PUBLIC_ void cli_credentials_set_kvno(struct cli_credentials *cred, + int kvno) +{ + cred->kvno = kvno; +} + +/** + * Return Kerberos KVNO + */ + +_PUBLIC_ int cli_credentials_get_kvno(struct cli_credentials *cred) +{ + return cred->kvno; +} + + +const char *cli_credentials_get_salt_principal(struct cli_credentials *cred) +{ + return cred->salt_principal; +} + +_PUBLIC_ void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal) +{ + talloc_free(cred->salt_principal); + cred->salt_principal = talloc_strdup(cred, principal); +} + +/* The 'impersonate_principal' is used to allow one Kerberos principal + * (and it's associated keytab etc) to impersonate another. The + * ability to do this is controlled by the KDC, but it is generally + * permitted to impersonate anyone to yourself. This allows any + * member of the domain to get the groups of a user. This is also + * known as S4U2Self */ + +_PUBLIC_ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred) +{ + return cred->impersonate_principal; +} + +/* + * The 'self_service' is the service principal that + * represents the same object (by its objectSid) + * as the client principal (typically our machine account). + * When trying to impersonate 'impersonate_principal' with + * S4U2Self. + */ +_PUBLIC_ const char *cli_credentials_get_self_service(struct cli_credentials *cred) +{ + return cred->self_service; +} + +_PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, + const char *principal, + const char *self_service) +{ + talloc_free(cred->impersonate_principal); + cred->impersonate_principal = talloc_strdup(cred, principal); + talloc_free(cred->self_service); + cred->self_service = talloc_strdup(cred, self_service); + cli_credentials_set_kerberos_state(cred, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); +} + +/* + * when impersonating for S4U2proxy we need to set the target principal. + * Similarly, we may only be authorized to do general impersonation to + * some particular services. + * + * Likewise, password changes typically require a ticket to kpasswd/realm directly, not via a TGT + * + * NULL means that tickets will be obtained for the krbtgt service. +*/ + +const char *cli_credentials_get_target_service(struct cli_credentials *cred) +{ + return cred->target_service; +} + +_PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, const char *target_service) +{ + talloc_free(cred->target_service); + cred->target_service = talloc_strdup(cred, target_service); +} + +_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const char *salt, + DATA_BLOB *aes_256) +{ + struct smb_krb5_context *smb_krb5_context = NULL; + krb5_error_code krb5_ret; + int ret; + const char *password = NULL; + krb5_data cleartext_data; + krb5_data salt_data = { + .length = 0, + }; + krb5_keyblock key; + + if (cred->password_will_be_nt_hash) { + DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n")); + return EINVAL; + } + + password = cli_credentials_get_password(cred); + if (password == NULL) { + return EINVAL; + } + + cleartext_data.data = discard_const_p(char, password); + cleartext_data.length = strlen(password); + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, + &smb_krb5_context); + if (ret != 0) { + return ret; + } + + salt_data.data = discard_const_p(char, salt); + salt_data.length = strlen(salt); + + /* + * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of + * the salt and the cleartext password + */ + krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context, + NULL, + &salt_data, + &cleartext_data, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + &key); + if (krb5_ret != 0) { + DEBUG(1,("cli_credentials_get_aes256_key: " + "generation of a aes256-cts-hmac-sha1-96 key failed: %s\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + krb5_ret, mem_ctx))); + return EINVAL; + } + *aes_256 = data_blob_talloc(mem_ctx, + KRB5_KEY_DATA(&key), + KRB5_KEY_LENGTH(&key)); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key); + if (aes_256->data == NULL) { + return ENOMEM; + } + talloc_keep_secret(aes_256->data); + + return 0; +} + +/* This take a reference to the armor credentials to ensure the lifetime is appropriate */ + +NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds, + struct cli_credentials *armor_creds, + bool require_fast_armor) +{ + talloc_unlink(creds, creds->krb5_fast_armor_credentials); + if (armor_creds == NULL) { + creds->krb5_fast_armor_credentials = NULL; + return NT_STATUS_OK; + } + + creds->krb5_fast_armor_credentials = talloc_reference(creds, armor_creds); + if (creds->krb5_fast_armor_credentials == NULL) { + return NT_STATUS_NO_MEMORY; + } + + creds->krb5_require_fast_armor = require_fast_armor; + + return NT_STATUS_OK; +} + +struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds) +{ + return creds->krb5_fast_armor_credentials; +} + +bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds) +{ + return creds->krb5_require_fast_armor; +} diff --git a/auth/credentials/credentials_krb5.h b/auth/credentials/credentials_krb5.h new file mode 100644 index 0000000..ae60104 --- /dev/null +++ b/auth/credentials/credentials_krb5.h @@ -0,0 +1,45 @@ +/* + samba -- Unix SMB/CIFS implementation. + + Client credentials structure + + Copyright (C) Jelmer Vernooij 2004-2006 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __CREDENTIALS_KRB5_H__ +#define __CREDENTIALS_KRB5_H__ + +#include <gssapi/gssapi.h> +#include <gssapi/gssapi_krb5.h> +#include <krb5.h> + +struct gssapi_creds_container { + gss_cred_id_t creds; +}; + +/* Manually prototyped here to avoid needing gss headers in most callers */ +int cli_credentials_set_client_gss_creds(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + gss_cred_id_t gssapi_cred, + enum credentials_obtained obtained, + const char **error_string); + +struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx, + struct cli_credentials *src); + + +#endif /* __CREDENTIALS_KRB5_H__ */ diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c new file mode 100644 index 0000000..a018be1 --- /dev/null +++ b/auth/credentials/credentials_ntlm.c @@ -0,0 +1,560 @@ +/* + Unix SMB/CIFS implementation. + + User credentials handling + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005 + Copyright (C) Stefan Metzmacher 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ +#include "../lib/crypto/crypto.h" +#include "libcli/auth/libcli_auth.h" +#include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_internal.h" + +#include "lib/crypto/gnutls_helpers.h" +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +_PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + int *flags, + DATA_BLOB challenge, + const NTTIME *server_timestamp, + DATA_BLOB target_info, + DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, + DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const char *user = NULL; + const char *domain = NULL; + DATA_BLOB lm_response = data_blob_null; + DATA_BLOB nt_response = data_blob_null; + DATA_BLOB lm_session_key = data_blob_null; + DATA_BLOB session_key = data_blob_null; + const struct samr_Password *nt_hash = NULL; + int rc; + + if (cred->kerberos_state == CRED_USE_KERBEROS_REQUIRED) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + /* We may already have an NTLM response we prepared earlier. + * This is used for NTLM pass-though authentication */ + if (cred->nt_response.data || cred->lm_response.data) { + if (cred->nt_response.length != 0) { + nt_response = data_blob_dup_talloc(frame, + cred->nt_response); + if (nt_response.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + if (cred->nt_session_key.length != 0) { + session_key = data_blob_dup_talloc(frame, + cred->nt_session_key); + if (session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + if (cred->lm_response.length != 0) { + lm_response = data_blob_dup_talloc(frame, + cred->lm_response); + if (lm_response.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + if (cred->lm_session_key.length != 0) { + lm_session_key = data_blob_dup_talloc(frame, + cred->lm_session_key); + if (lm_session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + + if (cred->lm_response.data == NULL) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + goto done; + } + + nt_hash = cli_credentials_get_nt_hash(cred, frame); + + cli_credentials_get_ntlm_username_domain(cred, frame, &user, &domain); + if (user == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + if (domain == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* If we are sending a username@realm login (see function + * above), then we will not send LM, it will not be + * accepted */ + if (cred->principal_obtained > cred->username_obtained) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + + /* Likewise if we are a machine account (avoid protocol downgrade attacks) */ + if (cred->machine_account) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + + if (!nt_hash) { + /* do nothing - blobs are zero length */ + + /* session key is all zeros */ + session_key = data_blob_talloc_zero(frame, 16); + if (session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + lm_session_key = data_blob_talloc_zero(frame, 16); + if (lm_session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* not doing NTLM2 without a password */ + *flags &= ~CLI_CRED_NTLM2; + } else if (*flags & CLI_CRED_NTLMv2_AUTH) { + + if (!target_info.length) { + /* be lazy, match win2k - we can't do NTLMv2 without it */ + DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n")); + TALLOC_FREE(frame); + return NT_STATUS_INVALID_PARAMETER; + } + + /* TODO: if the remote server is standalone, then we should replace 'domain' + with the server name as supplied above */ + + if (!SMBNTLMv2encrypt_hash(frame, + user, + domain, + nt_hash->hash, &challenge, + server_timestamp, &target_info, + &lm_response, &nt_response, + NULL, &session_key)) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* LM Key is incompatible... */ + *flags &= ~CLI_CRED_LANMAN_AUTH; + if (lm_response.length != 0) { + /* + * We should not expose the lm key. + */ + memset(lm_response.data, 0, lm_response.length); + } + } else if (*flags & CLI_CRED_NTLM2) { + uint8_t session_nonce[16]; + uint8_t session_nonce_hash[16]; + uint8_t user_session_key[16]; + + lm_response = data_blob_talloc_zero(frame, 24); + if (lm_response.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + generate_random_buffer(lm_response.data, 8); + + memcpy(session_nonce, challenge.data, 8); + memcpy(&session_nonce[8], lm_response.data, 8); + + rc = gnutls_hash_fast(GNUTLS_DIG_MD5, + session_nonce, + sizeof(session_nonce), + session_nonce_hash); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + DEBUG(5, ("NTLMSSP challenge set by NTLM2\n")); + DEBUG(5, ("challenge is: \n")); + dump_data(5, session_nonce_hash, 8); + + nt_response = data_blob_talloc_zero(frame, 24); + if (nt_response.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + rc = SMBOWFencrypt(nt_hash->hash, + session_nonce_hash, + nt_response.data); + if (rc != 0) { + TALLOC_FREE(frame); + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } + + ZERO_ARRAY(session_nonce_hash); + + session_key = data_blob_talloc_zero(frame, 16); + if (session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + SMBsesskeygen_ntv1(nt_hash->hash, user_session_key); + + rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, + user_session_key, + sizeof(user_session_key), + session_nonce, + sizeof(session_nonce), + session_key.data); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + ZERO_ARRAY(user_session_key); + + dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); + + /* LM Key is incompatible... */ + *flags &= ~CLI_CRED_LANMAN_AUTH; + } else { + const char *password = cli_credentials_get_password(cred); + uint8_t lm_hash[16]; + bool do_lm = false; + + nt_response = data_blob_talloc_zero(frame, 24); + if (nt_response.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + rc = SMBOWFencrypt(nt_hash->hash, challenge.data, + nt_response.data); + if (rc != 0) { + TALLOC_FREE(frame); + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } + + session_key = data_blob_talloc_zero(frame, 16); + if (session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + SMBsesskeygen_ntv1(nt_hash->hash, session_key.data); + dump_data_pw("NT session key:\n", session_key.data, session_key.length); + + /* lanman auth is insecure, it may be disabled. + We may also not have a password */ + + if (password != NULL) { + do_lm = E_deshash(password, lm_hash); + } + + if (*flags & CLI_CRED_LANMAN_AUTH && do_lm) { + lm_response = data_blob_talloc_zero(frame, 24); + if (lm_response.data == NULL) { + ZERO_STRUCT(lm_hash); + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + rc = SMBencrypt_hash(lm_hash, + challenge.data, + lm_response.data); + if (rc != 0) { + ZERO_STRUCT(lm_hash); + TALLOC_FREE(frame); + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } + } else { + /* just copy the nt_response */ + lm_response = data_blob_dup_talloc(frame, nt_response); + if (lm_response.data == NULL) { + ZERO_STRUCT(lm_hash); + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + + if (do_lm) { + lm_session_key = data_blob_talloc_zero(frame, 16); + if (lm_session_key.data == NULL) { + ZERO_STRUCT(lm_hash); + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + memcpy(lm_session_key.data, lm_hash, 8); + + if (!(*flags & CLI_CRED_NTLM_AUTH)) { + memcpy(session_key.data, lm_session_key.data, 16); + } + ZERO_STRUCT(lm_hash); + } + } + +done: + if (_lm_response != NULL) { + talloc_steal(mem_ctx, lm_response.data); + *_lm_response = lm_response; + } else { + data_blob_clear(&lm_response); + } + if (_nt_response != NULL) { + talloc_steal(mem_ctx, nt_response.data); + *_nt_response = nt_response; + } else { + data_blob_clear(&nt_response); + } + if (_lm_session_key != NULL) { + talloc_steal(mem_ctx, lm_session_key.data); + *_lm_session_key = lm_session_key; + } else { + data_blob_clear(&lm_session_key); + } + if (_session_key != NULL) { + talloc_steal(mem_ctx, session_key.data); + *_session_key = session_key; + } else { + data_blob_clear(&session_key); + } + TALLOC_FREE(frame); + return NT_STATUS_OK; +} + +/* + * Set a utf16 password on the credentials context, including an indication + * of 'how' the password was obtained + * + * This is required because the nt_hash is calculated over the raw utf16 blob, + * which might not be completely valid utf16, which means the conversion + * from CH_UTF16MUNGED to CH_UTF8 might lose information. + */ +_PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred, + const DATA_BLOB *password_utf16, + enum credentials_obtained obtained) +{ + cred->password_will_be_nt_hash = false; + + if (password_utf16 == NULL) { + return cli_credentials_set_password(cred, NULL, obtained); + } + + if (obtained >= cred->password_obtained) { + struct samr_Password *nt_hash = NULL; + char *password_talloc = NULL; + size_t password_len = 0; + bool ok; + + nt_hash = talloc(cred, struct samr_Password); + if (nt_hash == NULL) { + return false; + } + + ok = convert_string_talloc(cred, + CH_UTF16MUNGED, CH_UTF8, + password_utf16->data, + password_utf16->length, + &password_talloc, + &password_len); + if (!ok) { + TALLOC_FREE(nt_hash); + return false; + } + + ok = cli_credentials_set_password(cred, password_talloc, obtained); + TALLOC_FREE(password_talloc); + if (!ok) { + TALLOC_FREE(nt_hash); + return false; + } + + mdfour(nt_hash->hash, password_utf16->data, password_utf16->length); + cred->nt_hash = nt_hash; + return true; + } + + return false; +} + +/* + * Set a old utf16 password on the credentials context. + * + * This is required because the nt_hash is calculated over the raw utf16 blob, + * which might not be completely valid utf16, which means the conversion + * from CH_UTF16MUNGED to CH_UTF8 might lose information. + */ +_PUBLIC_ bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred, + const DATA_BLOB *password_utf16) +{ + struct samr_Password *nt_hash = NULL; + char *password_talloc = NULL; + size_t password_len = 0; + bool ok; + + if (password_utf16 == NULL) { + return cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED); + } + + nt_hash = talloc(cred, struct samr_Password); + if (nt_hash == NULL) { + return false; + } + + ok = convert_string_talloc(cred, + CH_UTF16MUNGED, CH_UTF8, + password_utf16->data, + password_utf16->length, + &password_talloc, + &password_len); + if (!ok) { + TALLOC_FREE(nt_hash); + return false; + } + + ok = cli_credentials_set_old_password(cred, password_talloc, CRED_SPECIFIED); + TALLOC_FREE(password_talloc); + if (!ok) { + TALLOC_FREE(nt_hash); + return false; + } + + mdfour(nt_hash->hash, password_utf16->data, password_utf16->length); + cred->old_nt_hash = nt_hash; + return true; +} + +_PUBLIC_ void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred, + bool val) +{ + /* + * We set this here and the next cli_credentials_set_password() + * that resets the password or password callback + * will pick this up. + * + * cli_credentials_set_nt_hash() and + * cli_credentials_set_utf16_password() will reset this + * to false. + */ + cred->password_will_be_nt_hash = val; +} + +_PUBLIC_ bool cli_credentials_is_password_nt_hash(struct cli_credentials *cred) +{ + return cred->password_will_be_nt_hash; +} + +_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, + const struct samr_Password *nt_hash, + enum credentials_obtained obtained) +{ + cred->password_will_be_nt_hash = false; + + if (obtained >= cred->password_obtained) { + cli_credentials_set_password(cred, NULL, obtained); + if (nt_hash) { + cred->nt_hash = talloc(cred, struct samr_Password); + if (cred->nt_hash == NULL) { + return false; + } + *cred->nt_hash = *nt_hash; + } else { + cred->nt_hash = NULL; + } + return true; + } + + return false; +} + +_PUBLIC_ bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred, + const struct samr_Password *nt_hash) +{ + cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED); + if (nt_hash) { + cred->old_nt_hash = talloc(cred, struct samr_Password); + if (cred->old_nt_hash == NULL) { + return false; + } + *cred->old_nt_hash = *nt_hash; + } else { + cred->old_nt_hash = NULL; + } + + return true; +} + +_PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, + const DATA_BLOB *lm_response, + const DATA_BLOB *lm_session_key, + const DATA_BLOB *nt_response, + const DATA_BLOB *nt_session_key, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + cli_credentials_set_password(cred, NULL, obtained); + + data_blob_clear_free(&cred->lm_response); + data_blob_clear_free(&cred->lm_session_key); + data_blob_clear_free(&cred->nt_response); + data_blob_clear_free(&cred->nt_session_key); + + if (lm_response != NULL && lm_response->length != 0) { + cred->lm_response = data_blob_talloc(cred, + lm_response->data, + lm_response->length); + if (cred->lm_response.data == NULL) { + return false; + } + } + if (lm_session_key != NULL && lm_session_key->length != 0) { + cred->lm_session_key = data_blob_talloc(cred, + lm_session_key->data, + lm_session_key->length); + if (cred->lm_session_key.data == NULL) { + return false; + } + } + + if (nt_response != NULL && nt_response->length != 0) { + cred->nt_response = data_blob_talloc(cred, + nt_response->data, + nt_response->length); + if (cred->nt_response.data == NULL) { + return false; + } + } + if (nt_session_key != NULL && nt_session_key->length != 0) { + cred->nt_session_key = data_blob_talloc(cred, + nt_session_key->data, + nt_session_key->length); + if (cred->nt_session_key.data == NULL) { + return false; + } + } + + return true; + } + + return false; +} + diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c new file mode 100644 index 0000000..8469d6e --- /dev/null +++ b/auth/credentials/credentials_secrets.c @@ -0,0 +1,486 @@ +/* + Unix SMB/CIFS implementation. + + User credentials handling (as regards on-disk files) + + Copyright (C) Jelmer Vernooij 2005 + Copyright (C) Tim Potter 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "lib/events/events.h" +#include <ldb.h> +#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ +#include "param/secrets.h" +#include "system/filesys.h" +#include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_internal.h" +#include "auth/credentials/credentials_krb5.h" +#include "auth/kerberos/kerberos_util.h" +#include "param/param.h" +#include "lib/events/events.h" +#include "dsdb/samdb/samdb.h" +#include "source3/include/secrets.h" +#include "dbwrap/dbwrap.h" +#include "dbwrap/dbwrap_open.h" +#include "lib/util/util_tdb.h" +#include "libds/common/roles.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct ldb_context *ldb, + const char *base, + const char *filter, + time_t secrets_tdb_last_change_time, + const char *secrets_tdb_password, + char **error_string) +{ + TALLOC_CTX *mem_ctx; + + int ldb_ret; + struct ldb_message *msg; + + const char *machine_account; + const char *password; + const char *domain; + const char *realm; + enum netr_SchannelType sct; + const char *salt_principal; + char *keytab; + const struct ldb_val *whenChanged; + time_t lct; + + /* ok, we are going to get it now, don't recurse back here */ + cred->machine_account_pending = false; + + /* some other parts of the system will key off this */ + cred->machine_account = true; + + mem_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb"); + + if (!ldb) { + /* Local secrets are stored in secrets.ldb */ + ldb = secrets_db_connect(mem_ctx, lp_ctx); + if (!ldb) { + *error_string = talloc_strdup(cred, "Could not open secrets.ldb"); + talloc_free(mem_ctx); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + } + + ldb_ret = dsdb_search_one(ldb, mem_ctx, &msg, + ldb_dn_new(mem_ctx, ldb, base), + LDB_SCOPE_SUBTREE, + NULL, 0, "%s", filter); + + if (ldb_ret != LDB_SUCCESS) { + *error_string = talloc_asprintf(cred, "Could not find entry to match filter: '%s' base: '%s': %s: %s", + filter, base ? base : "", + ldb_strerror(ldb_ret), ldb_errstring(ldb)); + talloc_free(mem_ctx); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + + password = ldb_msg_find_attr_as_string(msg, "secret", NULL); + + whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged"); + if (!whenChanged || ldb_val_to_time(whenChanged, &lct) != LDB_SUCCESS) { + /* This attribute is mandatory */ + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + /* Don't set secrets.ldb info if the secrets.tdb entry was more recent */ + if (lct < secrets_tdb_last_change_time) { + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + if ((lct == secrets_tdb_last_change_time) && + (secrets_tdb_password != NULL) && + (password != NULL) && + (strcmp(password, secrets_tdb_password) != 0)) { + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + cli_credentials_set_password_last_changed_time(cred, lct); + + machine_account = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); + + if (!machine_account) { + machine_account = ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL); + + if (!machine_account) { + const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msg, "ldapBindDn", NULL); + if (!ldap_bind_dn) { + *error_string = talloc_asprintf(cred, + "Could not find 'samAccountName', " + "'servicePrincipalName' or " + "'ldapBindDn' in secrets record: %s", + ldb_dn_get_linearized(msg->dn)); + talloc_free(mem_ctx); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } else { + /* store bind dn in credentials */ + cli_credentials_set_bind_dn(cred, ldap_bind_dn); + } + } + } + + salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal", NULL); + cli_credentials_set_salt_principal(cred, salt_principal); + + sct = ldb_msg_find_attr_as_int(msg, "secureChannelType", 0); + if (sct) { + cli_credentials_set_secure_channel_type(cred, sct); + } + + if (!password) { + const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msg, "unicodePwd"); + struct samr_Password hash; + ZERO_STRUCT(hash); + if (nt_password_hash) { + memcpy(hash.hash, nt_password_hash->data, + MIN(nt_password_hash->length, sizeof(hash.hash))); + + cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED); + } else { + cli_credentials_set_password(cred, NULL, CRED_SPECIFIED); + } + } else { + cli_credentials_set_password(cred, password, CRED_SPECIFIED); + } + + domain = ldb_msg_find_attr_as_string(msg, "flatname", NULL); + if (domain) { + cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); + } + + realm = ldb_msg_find_attr_as_string(msg, "realm", NULL); + if (realm) { + cli_credentials_set_realm(cred, realm, CRED_SPECIFIED); + } + + if (machine_account) { + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + } + + cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0)); + + /* If there was an external keytab specified by reference in + * the LDB, then use this. Otherwise we will make one up + * (chewing CPU time) from the password */ + keytab = keytab_name_from_msg(cred, ldb, msg); + if (keytab) { + cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); + talloc_free(keytab); + } + talloc_free(mem_ctx); + + return NT_STATUS_OK; +} + + +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct ldb_context *ldb, + const char *base, + const char *filter, + char **error_string) +{ + NTSTATUS status = cli_credentials_set_secrets_lct(cred, lp_ctx, ldb, base, filter, 0, NULL, error_string); + if (!NT_STATUS_IS_OK(status)) { + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + } + return status; +} + +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) +{ + struct db_context *db_ctx; + char *secrets_tdb_path; + int hash_size, tdb_flags; + + secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + hash_size = lpcfg_tdb_hash_size(lp_ctx, secrets_tdb_path); + tdb_flags = lpcfg_tdb_flags(lp_ctx, TDB_DEFAULT); + + db_ctx = dbwrap_local_open( + cred, + secrets_tdb_path, + hash_size, + tdb_flags, + O_RDWR, + 0600, + DBWRAP_LOCK_ORDER_1, + DBWRAP_FLAG_NONE); + TALLOC_FREE(secrets_tdb_path); + + /* + * We do not check for errors here, we might not have a + * secrets.tdb at all, and so we just need to check the + * secrets.ldb + */ + return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx); +} + +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx) +{ + NTSTATUS status; + char *filter; + char *error_string = NULL; + const char *domain; + bool secrets_tdb_password_more_recent; + time_t secrets_tdb_lct = 0; + char *secrets_tdb_password = NULL; + char *secrets_tdb_old_password = NULL; + uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL; + int server_role = lpcfg_server_role(lp_ctx); + int security = lpcfg_security(lp_ctx); + char *keystr; + char *keystr_upper = NULL; + TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb"); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = false; + + /* We have to do this, as the fallback in + * cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */ + domain = cli_credentials_get_domain(cred); + + if (db_ctx) { + TDB_DATA dbuf; + keystr = talloc_asprintf(tmp_ctx, "%s/%s", + SECRETS_MACHINE_LAST_CHANGE_TIME, + domain); + keystr_upper = strupper_talloc(tmp_ctx, keystr); + status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper), + &dbuf); + if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) { + secrets_tdb_lct = IVAL(dbuf.dptr,0); + } + + keystr = talloc_asprintf(tmp_ctx, "%s/%s", + SECRETS_MACHINE_PASSWORD, + domain); + keystr_upper = strupper_talloc(tmp_ctx, keystr); + status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper), + &dbuf); + if (NT_STATUS_IS_OK(status)) { + secrets_tdb_password = (char *)dbuf.dptr; + } + + keystr = talloc_asprintf(tmp_ctx, "%s/%s", + SECRETS_MACHINE_PASSWORD_PREV, + domain); + keystr_upper = strupper_talloc(tmp_ctx, keystr); + status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper), + &dbuf); + if (NT_STATUS_IS_OK(status)) { + secrets_tdb_old_password = (char *)dbuf.dptr; + } + + keystr = talloc_asprintf(tmp_ctx, "%s/%s", + SECRETS_MACHINE_SEC_CHANNEL_TYPE, + domain); + keystr_upper = strupper_talloc(tmp_ctx, keystr); + status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper), + &dbuf); + if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) { + secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0); + } + } + + filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, + domain); + status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL, + SECRETS_PRIMARY_DOMAIN_DN, + filter, secrets_tdb_lct, secrets_tdb_password, &error_string); + if (secrets_tdb_password == NULL) { + secrets_tdb_password_more_recent = false; + } else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status) + || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) { + secrets_tdb_password_more_recent = true; + } else if (secrets_tdb_lct > cli_credentials_get_password_last_changed_time(cred)) { + secrets_tdb_password_more_recent = true; + } else if (secrets_tdb_lct == cli_credentials_get_password_last_changed_time(cred)) { + secrets_tdb_password_more_recent = strcmp(secrets_tdb_password, cli_credentials_get_password(cred)) != 0; + } else { + secrets_tdb_password_more_recent = false; + } + + if (secrets_tdb_password_more_recent) { + enum credentials_use_kerberos use_kerberos = + CRED_USE_KERBEROS_DISABLED; + char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx)); + cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); + cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); + cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); + if (strequal(domain, lpcfg_workgroup(lp_ctx))) { + cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); + + switch (server_role) { + case ROLE_DOMAIN_MEMBER: + if (security != SEC_ADS) { + break; + } + + FALL_THROUGH; + case ROLE_ACTIVE_DIRECTORY_DC: + case ROLE_IPA_DC: + use_kerberos = CRED_USE_KERBEROS_DESIRED; + break; + } + } + cli_credentials_set_kerberos_state(cred, + use_kerberos, + CRED_SPECIFIED); + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); + cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); + status = NT_STATUS_OK; + } else if (!NT_STATUS_IS_OK(status)) { + if (db_ctx) { + error_string + = talloc_asprintf(cred, + "Failed to fetch machine account password for %s from both " + "secrets.ldb (%s) and from %s", + domain, + error_string == NULL ? "error" : error_string, + dbwrap_name(db_ctx)); + } else { + char *secrets_tdb_path; + + secrets_tdb_path = lpcfg_private_db_path(tmp_ctx, + lp_ctx, + "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + error_string = talloc_asprintf(cred, + "Failed to fetch machine account password from " + "secrets.ldb: %s and failed to open %s", + error_string == NULL ? "error" : error_string, + secrets_tdb_path); + } + DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", + error_string == NULL ? "error" : error_string, + nt_errstr(status))); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + } + + TALLOC_FREE(tmp_ctx); + return status; +} + +/** + * Fill in credentials for a particular principal, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +_PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + const char *serviceprincipal) +{ + NTSTATUS status; + char *filter; + char *error_string = NULL; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = false; + filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred), + serviceprincipal); + status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL, + SECRETS_PRINCIPALS_DN, filter, + 0, NULL, &error_string); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find %s principal in secrets database: %s: %s\n", + serviceprincipal, nt_errstr(status), + error_string ? error_string : "<no error>")); + } + return status; +} + +/** + * Ask that when required, the credentials system will be filled with + * machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @note This function is used to call the above function after, rather + * than during, popt processing. + * + */ +_PUBLIC_ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) +{ + cred->machine_account_pending = true; + cred->machine_account_pending_lp_ctx = lp_ctx; +} + + diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c new file mode 100644 index 0000000..a27e02d --- /dev/null +++ b/auth/credentials/pycredentials.c @@ -0,0 +1,1768 @@ +/* + Unix SMB/CIFS implementation. + Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "lib/replace/system/python.h" +#include "python/py3compat.h" +#include "includes.h" +#include "python/modules.h" +#include "pycredentials.h" +#include "param/param.h" +#include "auth/credentials/credentials_internal.h" +#include "librpc/gen_ndr/samr.h" /* for struct samr_Password */ +#include "librpc/gen_ndr/netlogon.h" +#include "libcli/util/pyerrors.h" +#include "libcli/auth/libcli_auth.h" +#include "param/pyparam.h" +#include <tevent.h> +#include "libcli/auth/libcli_auth.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" +#include "libcli/smb/smb_constants.h" + +void initcredentials(void); + +static PyObject *py_creds_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) +{ + return pytalloc_steal(type, cli_credentials_init(NULL)); +} + +static PyObject *PyCredentials_from_cli_credentials(struct cli_credentials *creds) +{ + return pytalloc_reference(&PyCredentials, creds); +} + +static PyObject *py_creds_get_username(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_username(creds)); +} + +static PyObject *py_creds_set_username(PyObject *self, PyObject *args) +{ + char *newval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + return PyBool_FromLong(cli_credentials_set_username(creds, newval, obt)); +} + +static PyObject *py_creds_get_ntlm_username_domain(PyObject *self, PyObject *unused) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const char *user = NULL; + const char *domain = NULL; + PyObject *ret = NULL; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + cli_credentials_get_ntlm_username_domain(creds, + frame, &user, &domain); + ret = Py_BuildValue("(ss)", + user, + domain); + + TALLOC_FREE(frame); + return ret; +} + +static PyObject *py_creds_get_ntlm_response(PyObject *self, PyObject *args, PyObject *kwargs) +{ + TALLOC_CTX *frame = talloc_stackframe(); + PyObject *ret = NULL; + int flags; + struct timeval tv_now; + NTTIME server_timestamp; + DATA_BLOB challenge = data_blob_null; + DATA_BLOB target_info = data_blob_null; + NTSTATUS status; + DATA_BLOB lm_response = data_blob_null; + DATA_BLOB nt_response = data_blob_null; + DATA_BLOB lm_session_key = data_blob_null; + DATA_BLOB nt_session_key = data_blob_null; + const char *kwnames[] = { "flags", "challenge", + "target_info", + NULL }; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + tv_now = timeval_current(); + server_timestamp = timeval_to_nttime(&tv_now); + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, "is#|s#", + discard_const_p(char *, kwnames), + &flags, + &challenge.data, + &challenge.length, + &target_info.data, + &target_info.length)) { + return NULL; + } + + status = cli_credentials_get_ntlm_response(creds, + frame, &flags, + challenge, + &server_timestamp, + target_info, + &lm_response, &nt_response, + &lm_session_key, &nt_session_key); + + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + TALLOC_FREE(frame); + return NULL; + } + + ret = Py_BuildValue("{sis" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN + "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "}", + "flags", flags, + "lm_response", + (const char *)lm_response.data, lm_response.length, + "nt_response", + (const char *)nt_response.data, nt_response.length, + "lm_session_key", + (const char *)lm_session_key.data, lm_session_key.length, + "nt_session_key", + (const char *)nt_session_key.data, nt_session_key.length); + TALLOC_FREE(frame); + return ret; +} + +static PyObject *py_creds_get_principal(PyObject *self, PyObject *unused) +{ + TALLOC_CTX *frame = talloc_stackframe(); + PyObject *ret = NULL; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + ret = PyString_FromStringOrNULL(cli_credentials_get_principal(creds, frame)); + TALLOC_FREE(frame); + return ret; +} + +static PyObject *py_creds_set_principal(PyObject *self, PyObject *args) +{ + char *newval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + return PyBool_FromLong(cli_credentials_set_principal(creds, newval, obt)); +} + +static PyObject *py_creds_get_password(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_password(creds)); +} + +static PyObject *py_creds_set_password(PyObject *self, PyObject *args) +{ + const char *newval = NULL; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + PyObject *result = NULL; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, PYARG_STR_UNI"|i", "utf8", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + result = PyBool_FromLong(cli_credentials_set_password(creds, newval, obt)); + PyMem_Free(discard_const_p(void*, newval)); + return result; +} + +static PyObject *py_creds_set_utf16_password(PyObject *self, PyObject *args) +{ + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + PyObject *newval = NULL; + DATA_BLOB blob = data_blob_null; + Py_ssize_t size = 0; + int result; + bool ok; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "O|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + result = PyBytes_AsStringAndSize(newval, (char **)&blob.data, &size); + if (result != 0) { + PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes"); + return NULL; + } + blob.length = size; + + ok = cli_credentials_set_utf16_password(creds, + &blob, obt); + + return PyBool_FromLong(ok); +} + +static PyObject *py_creds_get_old_password(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_old_password(creds)); +} + +static PyObject *py_creds_set_old_password(PyObject *self, PyObject *args) +{ + char *oldval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &oldval, &_obt)) { + return NULL; + } + obt = _obt; + + return PyBool_FromLong(cli_credentials_set_old_password(creds, oldval, obt)); +} + +static PyObject *py_creds_set_old_utf16_password(PyObject *self, PyObject *args) +{ + PyObject *oldval = NULL; + DATA_BLOB blob = data_blob_null; + Py_ssize_t size = 0; + int result; + bool ok; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "O", &oldval)) { + return NULL; + } + + result = PyBytes_AsStringAndSize(oldval, (char **)&blob.data, &size); + if (result != 0) { + PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes"); + return NULL; + } + blob.length = size; + + ok = cli_credentials_set_old_utf16_password(creds, + &blob); + + return PyBool_FromLong(ok); +} + +static PyObject *py_creds_get_domain(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_domain(creds)); +} + +static PyObject *py_creds_set_domain(PyObject *self, PyObject *args) +{ + char *newval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + return PyBool_FromLong(cli_credentials_set_domain(creds, newval, obt)); +} + +static PyObject *py_creds_get_realm(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_realm(creds)); +} + +static PyObject *py_creds_set_realm(PyObject *self, PyObject *args) +{ + char *newval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + return PyBool_FromLong(cli_credentials_set_realm(creds, newval, obt)); +} + +static PyObject *py_creds_get_bind_dn(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_bind_dn(creds)); +} + +static PyObject *py_creds_set_bind_dn(PyObject *self, PyObject *args) +{ + char *newval; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + if (!PyArg_ParseTuple(args, "z", &newval)) + return NULL; + + return PyBool_FromLong(cli_credentials_set_bind_dn(creds, newval)); +} + +static PyObject *py_creds_get_workstation(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_workstation(creds)); +} + +static PyObject *py_creds_set_workstation(PyObject *self, PyObject *args) +{ + char *newval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + return PyBool_FromLong(cli_credentials_set_workstation(creds, newval, obt)); +} + +static PyObject *py_creds_is_anonymous(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyBool_FromLong(cli_credentials_is_anonymous(creds)); +} + +static PyObject *py_creds_set_anonymous(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + cli_credentials_set_anonymous(creds); + Py_RETURN_NONE; +} + +static PyObject *py_creds_authentication_requested(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyBool_FromLong(cli_credentials_authentication_requested(creds)); +} + +static PyObject *py_creds_wrong_password(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyBool_FromLong(cli_credentials_wrong_password(creds)); +} + +static PyObject *py_creds_set_cmdline_callbacks(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyBool_FromLong(cli_credentials_set_cmdline_callbacks(creds)); +} + +static PyObject *py_creds_parse_string(PyObject *self, PyObject *args) +{ + char *newval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + cli_credentials_parse_string(creds, newval, obt); + Py_RETURN_NONE; +} + +static PyObject *py_creds_parse_file(PyObject *self, PyObject *args) +{ + char *newval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + cli_credentials_parse_file(creds, newval, obt); + Py_RETURN_NONE; +} + +static PyObject *py_cli_credentials_set_password_will_be_nt_hash(PyObject *self, PyObject *args) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + PyObject *py_val = NULL; + bool val = false; + + if (!PyArg_ParseTuple(args, "O!", &PyBool_Type, &py_val)) { + return NULL; + } + val = PyObject_IsTrue(py_val); + + cli_credentials_set_password_will_be_nt_hash(creds, val); + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_nt_hash(PyObject *self, PyObject *unused) +{ + PyObject *ret; + struct samr_Password *ntpw = NULL; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + ntpw = cli_credentials_get_nt_hash(creds, creds); + + ret = PyBytes_FromStringAndSize(discard_const_p(char, ntpw->hash), 16); + TALLOC_FREE(ntpw); + return ret; +} + +static PyObject *py_creds_set_nt_hash(PyObject *self, PyObject *args) +{ + PyObject *py_cp = Py_None; + const struct samr_Password *pwd = NULL; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "O|i", &py_cp, &_obt)) { + return NULL; + } + obt = _obt; + + if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) { + /* py_check_dcerpc_type sets TypeError */ + return NULL; + } + + pwd = pytalloc_get_type(py_cp, struct samr_Password); + if (pwd == NULL) { + /* pytalloc_get_type sets TypeError */ + return NULL; + } + + return PyBool_FromLong(cli_credentials_set_nt_hash(creds, pwd, obt)); +} + +static PyObject *py_creds_get_kerberos_state(PyObject *self, PyObject *unused) +{ + int state; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + state = cli_credentials_get_kerberos_state(creds); + return PyLong_FromLong(state); +} + +static PyObject *py_creds_set_kerberos_state(PyObject *self, PyObject *args) +{ + int state; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + if (!PyArg_ParseTuple(args, "i", &state)) + return NULL; + + cli_credentials_set_kerberos_state(creds, state, CRED_SPECIFIED); + Py_RETURN_NONE; +} + +static PyObject *py_creds_set_krb_forwardable(PyObject *self, PyObject *args) +{ + int state; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + if (!PyArg_ParseTuple(args, "i", &state)) + return NULL; + + cli_credentials_set_krb_forwardable(creds, state); + Py_RETURN_NONE; +} + + +static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + return PyString_FromStringOrNULL(cli_credentials_get_forced_sasl_mech(creds)); +} + +static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args) +{ + char *newval; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s", &newval)) { + return NULL; + } + + cli_credentials_set_forced_sasl_mech(creds, newval); + Py_RETURN_NONE; +} + +static PyObject *py_creds_set_conf(PyObject *self, PyObject *args) +{ + PyObject *py_lp_ctx = Py_None; + struct loadparm_context *lp_ctx; + TALLOC_CTX *mem_ctx; + struct cli_credentials *creds; + bool ok; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx)) { + return NULL; + } + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + ok = cli_credentials_set_conf(creds, lp_ctx); + talloc_free(mem_ctx); + if (!ok) { + return NULL; + } + + Py_RETURN_NONE; +} + +static PyObject *py_creds_guess(PyObject *self, PyObject *args) +{ + PyObject *py_lp_ctx = Py_None; + struct loadparm_context *lp_ctx; + TALLOC_CTX *mem_ctx; + struct cli_credentials *creds; + bool ok; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx)) + return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + ok = cli_credentials_guess(creds, lp_ctx); + talloc_free(mem_ctx); + if (!ok) { + return NULL; + } + + Py_RETURN_NONE; +} + +static PyObject *py_creds_set_machine_account(PyObject *self, PyObject *args) +{ + PyObject *py_lp_ctx = Py_None; + struct loadparm_context *lp_ctx; + NTSTATUS status; + struct cli_credentials *creds; + TALLOC_CTX *mem_ctx; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx)) + return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + status = cli_credentials_set_machine_account(creds, lp_ctx); + talloc_free(mem_ctx); + + PyErr_NTSTATUS_IS_ERR_RAISE(status); + + Py_RETURN_NONE; +} + +static PyObject *PyCredentialCacheContainer_from_ccache_container(struct ccache_container *ccc) +{ + return pytalloc_reference(&PyCredentialCacheContainer, ccc); +} + + +static PyObject *py_creds_get_named_ccache(PyObject *self, PyObject *args) +{ + PyObject *py_lp_ctx = Py_None; + char *ccache_name = NULL; + struct loadparm_context *lp_ctx; + struct ccache_container *ccc; + struct tevent_context *event_ctx; + int ret; + const char *error_string; + struct cli_credentials *creds; + TALLOC_CTX *mem_ctx; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "|Os", &py_lp_ctx, &ccache_name)) + return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + event_ctx = samba_tevent_context_init(mem_ctx); + + ret = cli_credentials_get_named_ccache(creds, event_ctx, lp_ctx, + ccache_name, &ccc, &error_string); + talloc_unlink(mem_ctx, lp_ctx); + if (ret == 0) { + talloc_steal(ccc, event_ctx); + talloc_free(mem_ctx); + return PyCredentialCacheContainer_from_ccache_container(ccc); + } + + PyErr_SetString(PyExc_RuntimeError, error_string?error_string:"NULL"); + + talloc_free(mem_ctx); + return NULL; +} + +static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args) +{ + struct loadparm_context *lp_ctx = NULL; + enum credentials_obtained obt = CRED_SPECIFIED; + const char *error_string = NULL; + TALLOC_CTX *mem_ctx = NULL; + char *newval = NULL; + PyObject *py_lp_ctx = Py_None; + int _obt = obt; + int ret; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx)) + return NULL; + obt = _obt; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + ret = cli_credentials_set_ccache(creds, + lp_ctx, + newval, obt, + &error_string); + + if (ret != 0) { + PyErr_SetString(PyExc_RuntimeError, + error_string != NULL ? error_string : "NULL"); + talloc_free(mem_ctx); + return NULL; + } + + talloc_free(mem_ctx); + Py_RETURN_NONE; +} + +static PyObject *py_creds_set_gensec_features(PyObject *self, PyObject *args) +{ + unsigned int gensec_features; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "I", &gensec_features)) + return NULL; + + cli_credentials_set_gensec_features(creds, + gensec_features, + CRED_SPECIFIED); + + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_gensec_features(PyObject *self, PyObject *args) +{ + unsigned int gensec_features; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + gensec_features = cli_credentials_get_gensec_features(creds); + return PyLong_FromLong(gensec_features); +} + +static PyObject *py_creds_new_client_authenticator(PyObject *self, + PyObject *args) +{ + struct netr_Authenticator auth; + struct cli_credentials *creds = NULL; + struct netlogon_creds_CredentialState *nc = NULL; + PyObject *ret = NULL; + NTSTATUS status; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_SetString(PyExc_RuntimeError, + "Failed to get credentials from python"); + return NULL; + } + + nc = creds->netlogon_creds; + if (nc == NULL) { + PyErr_SetString(PyExc_ValueError, + "No netlogon credentials cannot make " + "client authenticator"); + return NULL; + } + + status = netlogon_creds_client_authenticator(nc, &auth); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetString(PyExc_ValueError, + "Failed to create client authenticator"); + return NULL; + } + + ret = Py_BuildValue("{s"PYARG_BYTES_LEN"si}", + "credential", + (const char *) &auth.cred, sizeof(auth.cred), + "timestamp", auth.timestamp); + return ret; +} + +static PyObject *py_creds_set_secure_channel_type(PyObject *self, PyObject *args) +{ + unsigned int channel_type; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "I", &channel_type)) + return NULL; + + cli_credentials_set_secure_channel_type( + creds, + channel_type); + + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args) +{ + enum netr_SchannelType channel_type = SEC_CHAN_NULL; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + channel_type = cli_credentials_get_secure_channel_type(creds); + + return PyLong_FromLong(channel_type); +} + +static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args) +{ + struct loadparm_context *lp_ctx = NULL; + TALLOC_CTX *mem_ctx = NULL; + PyObject *py_lp_ctx = Py_None; + const char *salt = NULL; + DATA_BLOB aes_256; + int code; + PyObject *ret = NULL; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|O", &salt, &py_lp_ctx)) + return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + code = cli_credentials_get_aes256_key(creds, + mem_ctx, + lp_ctx, + salt, + &aes_256); + if (code != 0) { + PyErr_SetString(PyExc_RuntimeError, + "Failed to generate AES256 key"); + talloc_free(mem_ctx); + return NULL; + } + + ret = PyBytes_FromStringAndSize((const char *)aes_256.data, + aes_256.length); + talloc_free(mem_ctx); + return ret; +} + +static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self, + PyObject *args) +{ + DATA_BLOB data = data_blob_null; + struct cli_credentials *creds = NULL; + struct netr_CryptPassword *pwd = NULL; + NTSTATUS status; + PyObject *py_cp = Py_None; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "O", &py_cp)) { + return NULL; + } + + pwd = pytalloc_get_type(py_cp, struct netr_CryptPassword); + if (pwd == NULL) { + /* pytalloc_get_type sets TypeError */ + return NULL; + } + data.length = sizeof(struct netr_CryptPassword); + data.data = (uint8_t *)pwd; + status = netlogon_creds_session_encrypt(creds->netlogon_creds, data); + + PyErr_NTSTATUS_IS_ERR_RAISE(status); + + Py_RETURN_NONE; +} + +static PyObject *py_creds_encrypt_samr_password(PyObject *self, + PyObject *args) +{ + DATA_BLOB data = data_blob_null; + struct cli_credentials *creds = NULL; + struct samr_Password *pwd = NULL; + NTSTATUS status; + PyObject *py_cp = Py_None; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (creds->netlogon_creds == NULL) { + PyErr_Format(PyExc_ValueError, "NetLogon credentials not set"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "O", &py_cp)) { + return NULL; + } + + if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) { + /* py_check_dcerpc_type sets TypeError */ + return NULL; + } + + pwd = pytalloc_get_type(py_cp, struct samr_Password); + if (pwd == NULL) { + /* pytalloc_get_type sets TypeError */ + return NULL; + } + data = data_blob_const(pwd->hash, sizeof(pwd->hash)); + status = netlogon_creds_session_encrypt(creds->netlogon_creds, data); + + PyErr_NTSTATUS_IS_ERR_RAISE(status); + + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_smb_signing(PyObject *self, PyObject *unused) +{ + enum smb_signing_setting signing_state; + struct cli_credentials *creds = NULL; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + signing_state = cli_credentials_get_smb_signing(creds); + return PyLong_FromLong(signing_state); +} + +static PyObject *py_creds_set_smb_signing(PyObject *self, PyObject *args) +{ + enum smb_signing_setting signing_state; + struct cli_credentials *creds = NULL; + enum credentials_obtained obt = CRED_SPECIFIED; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) { + return NULL; + } + + switch (signing_state) { + case SMB_SIGNING_DEFAULT: + case SMB_SIGNING_OFF: + case SMB_SIGNING_IF_REQUIRED: + case SMB_SIGNING_DESIRED: + case SMB_SIGNING_REQUIRED: + break; + default: + PyErr_Format(PyExc_TypeError, "Invalid signing state value"); + return NULL; + } + + cli_credentials_set_smb_signing(creds, signing_state, obt); + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_smb_ipc_signing(PyObject *self, PyObject *unused) +{ + enum smb_signing_setting signing_state; + struct cli_credentials *creds = NULL; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + signing_state = cli_credentials_get_smb_ipc_signing(creds); + return PyLong_FromLong(signing_state); +} + +static PyObject *py_creds_set_smb_ipc_signing(PyObject *self, PyObject *args) +{ + enum smb_signing_setting signing_state; + struct cli_credentials *creds = NULL; + enum credentials_obtained obt = CRED_SPECIFIED; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) { + return NULL; + } + + switch (signing_state) { + case SMB_SIGNING_DEFAULT: + case SMB_SIGNING_OFF: + case SMB_SIGNING_IF_REQUIRED: + case SMB_SIGNING_DESIRED: + case SMB_SIGNING_REQUIRED: + break; + default: + PyErr_Format(PyExc_TypeError, "Invalid signing state value"); + return NULL; + } + + cli_credentials_set_smb_ipc_signing(creds, signing_state, obt); + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_smb_encryption(PyObject *self, PyObject *unused) +{ + enum smb_encryption_setting encryption_state; + struct cli_credentials *creds = NULL; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + encryption_state = cli_credentials_get_smb_encryption(creds); + return PyLong_FromLong(encryption_state); +} + +static PyObject *py_creds_set_smb_encryption(PyObject *self, PyObject *args) +{ + enum smb_encryption_setting encryption_state; + struct cli_credentials *creds = NULL; + enum credentials_obtained obt = CRED_SPECIFIED; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + if (!PyArg_ParseTuple(args, "i|i", &encryption_state, &obt)) { + return NULL; + } + + switch (encryption_state) { + case SMB_ENCRYPTION_DEFAULT: + case SMB_ENCRYPTION_OFF: + case SMB_ENCRYPTION_IF_REQUIRED: + case SMB_ENCRYPTION_DESIRED: + case SMB_ENCRYPTION_REQUIRED: + break; + default: + PyErr_Format(PyExc_TypeError, "Invalid encryption state value"); + return NULL; + } + + (void)cli_credentials_set_smb_encryption(creds, encryption_state, obt); + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_krb5_fast_armor_credentials(PyObject *self, PyObject *unused) +{ + struct cli_credentials *creds = NULL; + struct cli_credentials *fast_creds = NULL; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + fast_creds = cli_credentials_get_krb5_fast_armor_credentials(creds); + if (fast_creds == NULL) { + Py_RETURN_NONE; + } + + return PyCredentials_from_cli_credentials(fast_creds); +} + +static PyObject *py_creds_set_krb5_fast_armor_credentials(PyObject *self, PyObject *args) +{ + struct cli_credentials *creds = NULL; + PyObject *pyfast_creds; + struct cli_credentials *fast_creds = NULL; + int fast_armor_required = 0; + NTSTATUS status; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + if (!PyArg_ParseTuple(args, "Op", &pyfast_creds, &fast_armor_required)) { + return NULL; + } + if (pyfast_creds == Py_None) { + fast_creds = NULL; + } else { + fast_creds = PyCredentials_AsCliCredentials(pyfast_creds); + if (fast_creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + } + + status = cli_credentials_set_krb5_fast_armor_credentials(creds, + fast_creds, + fast_armor_required); + + PyErr_NTSTATUS_IS_ERR_RAISE(status); + Py_RETURN_NONE; +} + +static PyObject *py_creds_get_krb5_require_fast_armor(PyObject *self, PyObject *unused) +{ + bool krb5_fast_armor_required; + struct cli_credentials *creds = NULL; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + krb5_fast_armor_required = cli_credentials_get_krb5_require_fast_armor(creds); + return PyBool_FromLong(krb5_fast_armor_required); +} + +static PyMethodDef py_creds_methods[] = { + { + .ml_name = "get_username", + .ml_meth = py_creds_get_username, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_username() -> username\nObtain username.", + }, + { + .ml_name = "set_username", + .ml_meth = py_creds_set_username, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_username(name[, credentials.SPECIFIED]) -> None\n" + "Change username.", + }, + { + .ml_name = "get_principal", + .ml_meth = py_creds_get_principal, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_principal() -> user@realm\nObtain user principal.", + }, + { + .ml_name = "set_principal", + .ml_meth = py_creds_set_principal, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_principal(name[, credentials.SPECIFIED]) -> None\n" + "Change principal.", + }, + { + .ml_name = "get_password", + .ml_meth = py_creds_get_password, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_password() -> password\n" + "Obtain password.", + }, + { + .ml_name = "get_ntlm_username_domain", + .ml_meth = py_creds_get_ntlm_username_domain, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_ntlm_username_domain() -> (domain, username)\n" + "Obtain NTLM username and domain, split up either as (DOMAIN, user) or (\"\", \"user@realm\").", + }, + { + .ml_name = "get_ntlm_response", + .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction, + py_creds_get_ntlm_response), + .ml_flags = METH_VARARGS | METH_KEYWORDS, + .ml_doc = "S.get_ntlm_response" + "(flags, challenge[, target_info]) -> " + "(flags, lm_response, nt_response, lm_session_key, nt_session_key)\n" + "Obtain LM or NTLM response.", + }, + { + .ml_name = "set_password", + .ml_meth = py_creds_set_password, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_password(password[, credentials.SPECIFIED]) -> None\n" + "Change password.", + }, + { + .ml_name = "set_utf16_password", + .ml_meth = py_creds_set_utf16_password, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_utf16_password(password[, credentials.SPECIFIED]) -> None\n" + "Change password.", + }, + { + .ml_name = "get_old_password", + .ml_meth = py_creds_get_old_password, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_old_password() -> password\n" + "Obtain old password.", + }, + { + .ml_name = "set_old_password", + .ml_meth = py_creds_set_old_password, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_old_password(password[, credentials.SPECIFIED]) -> None\n" + "Change old password.", + }, + { + .ml_name = "set_old_utf16_password", + .ml_meth = py_creds_set_old_utf16_password, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_old_utf16_password(password[, credentials.SPECIFIED]) -> None\n" + "Change old password.", + }, + { + .ml_name = "get_domain", + .ml_meth = py_creds_get_domain, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_domain() -> domain\n" + "Obtain domain name.", + }, + { + .ml_name = "set_domain", + .ml_meth = py_creds_set_domain, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_domain(domain[, credentials.SPECIFIED]) -> None\n" + "Change domain name.", + }, + { + .ml_name = "get_realm", + .ml_meth = py_creds_get_realm, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_realm() -> realm\n" + "Obtain realm name.", + }, + { + .ml_name = "set_realm", + .ml_meth = py_creds_set_realm, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_realm(realm[, credentials.SPECIFIED]) -> None\n" + "Change realm name.", + }, + { + .ml_name = "get_bind_dn", + .ml_meth = py_creds_get_bind_dn, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_bind_dn() -> bind dn\n" + "Obtain bind DN.", + }, + { + .ml_name = "set_bind_dn", + .ml_meth = py_creds_set_bind_dn, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_bind_dn(bind_dn) -> None\n" + "Change bind DN.", + }, + { + .ml_name = "is_anonymous", + .ml_meth = py_creds_is_anonymous, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "set_anonymous", + .ml_meth = py_creds_set_anonymous, + .ml_flags = METH_NOARGS, + .ml_doc = "S.set_anonymous() -> None\n" + "Use anonymous credentials.", + }, + { + .ml_name = "get_workstation", + .ml_meth = py_creds_get_workstation, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "set_workstation", + .ml_meth = py_creds_set_workstation, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "authentication_requested", + .ml_meth = py_creds_authentication_requested, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "wrong_password", + .ml_meth = py_creds_wrong_password, + .ml_flags = METH_NOARGS, + .ml_doc = "S.wrong_password() -> bool\n" + "Indicate the returned password was incorrect.", + }, + { + .ml_name = "set_cmdline_callbacks", + .ml_meth = py_creds_set_cmdline_callbacks, + .ml_flags = METH_NOARGS, + .ml_doc = "S.set_cmdline_callbacks() -> bool\n" + "Use command-line to obtain credentials not explicitly set.", + }, + { + .ml_name = "parse_string", + .ml_meth = py_creds_parse_string, + .ml_flags = METH_VARARGS, + .ml_doc = "S.parse_string(text[, credentials.SPECIFIED]) -> None\n" + "Parse credentials string.", + }, + { + .ml_name = "parse_file", + .ml_meth = py_creds_parse_file, + .ml_flags = METH_VARARGS, + .ml_doc = "S.parse_file(filename[, credentials.SPECIFIED]) -> None\n" + "Parse credentials file.", + }, + { + .ml_name = "set_password_will_be_nt_hash", + .ml_meth = py_cli_credentials_set_password_will_be_nt_hash, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_password_will_be_nt_hash(bool) -> None\n" + "Alters the behaviour of S.set_password() " + "to expect the NTHASH as hexstring.", + }, + { + .ml_name = "get_nt_hash", + .ml_meth = py_creds_get_nt_hash, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "set_nt_hash", + .ml_meth = py_creds_set_nt_hash, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_net_sh(samr_Password[, credentials.SPECIFIED]) -> bool\n" + "Change NT hash.", + }, + { + .ml_name = "get_kerberos_state", + .ml_meth = py_creds_get_kerberos_state, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "set_kerberos_state", + .ml_meth = py_creds_set_kerberos_state, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "set_krb_forwardable", + .ml_meth = py_creds_set_krb_forwardable, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "set_conf", + .ml_meth = py_creds_set_conf, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "guess", + .ml_meth = py_creds_guess, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "set_machine_account", + .ml_meth = py_creds_set_machine_account, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "get_named_ccache", + .ml_meth = py_creds_get_named_ccache, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "set_named_ccache", + .ml_meth = py_creds_set_named_ccache, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_named_ccache(krb5_ccache_name, obtained, lp) -> None\n" + "Set credentials to KRB5 Credentials Cache (by name).", + }, + { + .ml_name = "set_gensec_features", + .ml_meth = py_creds_set_gensec_features, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "get_gensec_features", + .ml_meth = py_creds_get_gensec_features, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "get_forced_sasl_mech", + .ml_meth = py_creds_get_forced_sasl_mech, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_forced_sasl_mech() -> SASL mechanism\nObtain forced SASL mechanism.", + }, + { + .ml_name = "set_forced_sasl_mech", + .ml_meth = py_creds_set_forced_sasl_mech, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_forced_sasl_mech(name) -> None\n" + "Set forced SASL mechanism.", + }, + { + .ml_name = "new_client_authenticator", + .ml_meth = py_creds_new_client_authenticator, + .ml_flags = METH_NOARGS, + .ml_doc = "S.new_client_authenticator() -> Authenticator\n" + "Get a new client NETLOGON_AUTHENTICATOR"}, + { + .ml_name = "set_secure_channel_type", + .ml_meth = py_creds_set_secure_channel_type, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "get_secure_channel_type", + .ml_meth = py_creds_get_secure_channel_type, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "get_aes256_key", + .ml_meth = py_creds_get_aes256_key, + .ml_flags = METH_VARARGS, + .ml_doc = "S.get_aes256_key(salt[, lp]) -> bytes\n" + "Generate an AES256 key using the current password and\n" + "the specified salt", + }, + { + .ml_name = "encrypt_netr_crypt_password", + .ml_meth = py_creds_encrypt_netr_crypt_password, + .ml_flags = METH_VARARGS, + .ml_doc = "S.encrypt_netr_crypt_password(password) -> None\n" + "Encrypt the supplied password using the session key and\n" + "the negotiated encryption algorithm in place\n" + "i.e. it overwrites the original data"}, + { + .ml_name = "encrypt_samr_password", + .ml_meth = py_creds_encrypt_samr_password, + .ml_flags = METH_VARARGS, + .ml_doc = "S.encrypt_samr_password(password) -> None\n" + "Encrypt the supplied password using the session key and\n" + "the negotiated encryption algorithm in place\n" + "i.e. it overwrites the original data" + }, + { + .ml_name = "get_smb_signing", + .ml_meth = py_creds_get_smb_signing, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "set_smb_signing", + .ml_meth = py_creds_set_smb_signing, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "get_smb_ipc_signing", + .ml_meth = py_creds_get_smb_ipc_signing, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "set_smb_ipc_signing", + .ml_meth = py_creds_set_smb_ipc_signing, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "get_smb_encryption", + .ml_meth = py_creds_get_smb_encryption, + .ml_flags = METH_NOARGS, + }, + { + .ml_name = "set_smb_encryption", + .ml_meth = py_creds_set_smb_encryption, + .ml_flags = METH_VARARGS, + }, + { + .ml_name = "get_krb5_fast_armor_credentials", + .ml_meth = py_creds_get_krb5_fast_armor_credentials, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_krb5_fast_armor_credentials() -> Credentials\n" + "Get the Kerberos FAST credentials set on this credentials object" + }, + { + .ml_name = "set_krb5_fast_armor_credentials", + .ml_meth = py_creds_set_krb5_fast_armor_credentials, + .ml_flags = METH_VARARGS, + .ml_doc = "S.set_krb5_fast_armor_credentials(credentials, required) -> None\n" + "Set Kerberos FAST credentials for this credentials object, and if FAST armoring must be used." + }, + { + .ml_name = "get_krb5_require_fast_armor", + .ml_meth = py_creds_get_krb5_require_fast_armor, + .ml_flags = METH_NOARGS, + .ml_doc = "S.get_krb5_fast_armor() -> bool\n" + "Indicate if Kerberos FAST armor is required" + }, + { .ml_name = NULL } +}; + +static struct PyModuleDef moduledef = { + PyModuleDef_HEAD_INIT, + .m_name = "credentials", + .m_doc = "Credentials management.", + .m_size = -1, + .m_methods = py_creds_methods, +}; + +PyTypeObject PyCredentials = { + .tp_name = "credentials.Credentials", + .tp_new = py_creds_new, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, + .tp_methods = py_creds_methods, +}; + +static PyObject *py_ccache_name(PyObject *self, PyObject *unused) +{ + struct ccache_container *ccc = NULL; + char *name = NULL; + PyObject *py_name = NULL; + int ret; + + ccc = pytalloc_get_type(self, struct ccache_container); + + ret = krb5_cc_get_full_name(ccc->smb_krb5_context->krb5_context, + ccc->ccache, &name); + if (ret == 0) { + py_name = PyString_FromStringOrNULL(name); + krb5_free_string(ccc->smb_krb5_context->krb5_context, name); + } else { + PyErr_SetString(PyExc_RuntimeError, + "Failed to get ccache name"); + return NULL; + } + return py_name; +} + +static PyMethodDef py_ccache_container_methods[] = { + { "get_name", py_ccache_name, METH_NOARGS, + "S.get_name() -> name\nObtain KRB5 credentials cache name." }, + {0} +}; + +PyTypeObject PyCredentialCacheContainer = { + .tp_name = "credentials.CredentialCacheContainer", + .tp_flags = Py_TPFLAGS_DEFAULT, + .tp_methods = py_ccache_container_methods, +}; + +MODULE_INIT_FUNC(credentials) +{ + PyObject *m; + if (pytalloc_BaseObject_PyType_Ready(&PyCredentials) < 0) + return NULL; + + if (pytalloc_BaseObject_PyType_Ready(&PyCredentialCacheContainer) < 0) + return NULL; + + m = PyModule_Create(&moduledef); + if (m == NULL) + return NULL; + + PyModule_AddObject(m, "UNINITIALISED", PyLong_FromLong(CRED_UNINITIALISED)); + PyModule_AddObject(m, "SMB_CONF", PyLong_FromLong(CRED_SMB_CONF)); + PyModule_AddObject(m, "CALLBACK", PyLong_FromLong(CRED_CALLBACK)); + PyModule_AddObject(m, "GUESS_ENV", PyLong_FromLong(CRED_GUESS_ENV)); + PyModule_AddObject(m, "GUESS_FILE", PyLong_FromLong(CRED_GUESS_FILE)); + PyModule_AddObject(m, "CALLBACK_RESULT", PyLong_FromLong(CRED_CALLBACK_RESULT)); + PyModule_AddObject(m, "SPECIFIED", PyLong_FromLong(CRED_SPECIFIED)); + + PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DESIRED)); + PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DISABLED)); + PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_REQUIRED)); + + PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE", PyLong_FromLong(CRED_AUTO_KRB_FORWARDABLE)); + PyModule_AddObject(m, "NO_KRB_FORWARDABLE", PyLong_FromLong(CRED_NO_KRB_FORWARDABLE)); + PyModule_AddObject(m, "FORCE_KRB_FORWARDABLE", PyLong_FromLong(CRED_FORCE_KRB_FORWARDABLE)); + PyModule_AddObject(m, "CLI_CRED_NTLM2", PyLong_FromLong(CLI_CRED_NTLM2)); + PyModule_AddObject(m, "CLI_CRED_NTLMv2_AUTH", PyLong_FromLong(CLI_CRED_NTLMv2_AUTH)); + PyModule_AddObject(m, "CLI_CRED_LANMAN_AUTH", PyLong_FromLong(CLI_CRED_LANMAN_AUTH)); + PyModule_AddObject(m, "CLI_CRED_NTLM_AUTH", PyLong_FromLong(CLI_CRED_NTLM_AUTH)); + PyModule_AddObject(m, "CLI_CRED_CLEAR_AUTH", PyLong_FromLong(CLI_CRED_CLEAR_AUTH)); + + PyModule_AddObject(m, "SMB_SIGNING_DEFAULT", PyLong_FromLong(SMB_SIGNING_DEFAULT)); + PyModule_AddObject(m, "SMB_SIGNING_OFF", PyLong_FromLong(SMB_SIGNING_OFF)); + PyModule_AddObject(m, "SMB_SIGNING_IF_REQUIRED", PyLong_FromLong(SMB_SIGNING_IF_REQUIRED)); + PyModule_AddObject(m, "SMB_SIGNING_DESIRED", PyLong_FromLong(SMB_SIGNING_DESIRED)); + PyModule_AddObject(m, "SMB_SIGNING_REQUIRED", PyLong_FromLong(SMB_SIGNING_REQUIRED)); + + PyModule_AddObject(m, "SMB_ENCRYPTION_DEFAULT", PyLong_FromLong(SMB_ENCRYPTION_DEFAULT)); + PyModule_AddObject(m, "SMB_ENCRYPTION_OFF", PyLong_FromLong(SMB_ENCRYPTION_OFF)); + PyModule_AddObject(m, "SMB_ENCRYPTION_IF_REQUIRED", PyLong_FromLong(SMB_ENCRYPTION_IF_REQUIRED)); + PyModule_AddObject(m, "SMB_ENCRYPTION_DESIRED", PyLong_FromLong(SMB_ENCRYPTION_DESIRED)); + PyModule_AddObject(m, "SMB_ENCRYPTION_REQUIRED", PyLong_FromLong(SMB_ENCRYPTION_REQUIRED)); + + Py_INCREF(&PyCredentials); + PyModule_AddObject(m, "Credentials", (PyObject *)&PyCredentials); + Py_INCREF(&PyCredentialCacheContainer); + PyModule_AddObject(m, "CredentialCacheContainer", (PyObject *)&PyCredentialCacheContainer); + return m; +} diff --git a/auth/credentials/pycredentials.h b/auth/credentials/pycredentials.h new file mode 100644 index 0000000..bf6962c --- /dev/null +++ b/auth/credentials/pycredentials.h @@ -0,0 +1,40 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ +#ifndef _PYCREDENTIALS_H_ +#define _PYCREDENTIALS_H_ + +#include "auth/credentials/credentials.h" +#include "librpc/rpc/pyrpc_util.h" +#include <pytalloc.h> + +extern PyTypeObject PyCredentials; +extern PyTypeObject PyCredentialCacheContainer; +#define PyCredentials_Check(py_obj) \ + py_check_dcerpc_type(py_obj, "samba.credentials", "Credentials") + +#define PyCredentials_AsCliCredentials(py_obj) \ + (PyCredentials_Check(py_obj) ? \ + pytalloc_get_type(py_obj, struct cli_credentials) : NULL) + +#define cli_credentials_from_py_object(py_obj) \ + ((py_obj == Py_None) ? \ + cli_credentials_init_anon(NULL) : \ + PyCredentials_AsCliCredentials(py_obj)) + +#endif /* _PYCREDENTIALS_H_ */ diff --git a/auth/credentials/samba-credentials.pc.in b/auth/credentials/samba-credentials.pc.in new file mode 100644 index 0000000..d25bf5e --- /dev/null +++ b/auth/credentials/samba-credentials.pc.in @@ -0,0 +1,12 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ +modulesdir=${prefix}/modules/gensec + +Name: samba-credentials +Description: Credentials management +Requires: samba-util ndr +Version: @PACKAGE_VERSION@ +Libs: @LIB_RPATH@ -L${libdir} -lsamba-credentials +Cflags: -I${includedir} -DHAVE_IMMEDIATE_STRUCTURES=1 diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py new file mode 100755 index 0000000..ce81b73 --- /dev/null +++ b/auth/credentials/tests/bind.py @@ -0,0 +1,261 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# This is unit with tests for LDAP access checks + +import optparse +import sys +import base64 +import copy + +sys.path.insert(0, "bin/python") +import samba +from samba.tests.subunitrun import SubunitOptions, TestProgram + +import samba.getopt as options + +from ldb import SCOPE_BASE, SCOPE_SUBTREE, LdbError, ERR_INVALID_CREDENTIALS + +from samba import gensec +import samba.tests +from samba.tests import delete_force +from samba.credentials import Credentials + +def create_credential(lp, other): + c = Credentials() + c.guess(lp) + c.set_gensec_features(other.get_gensec_features()) + return c + +parser = optparse.OptionParser("bind [options] <host>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +subunitopts = SubunitOptions(parser) +parser.add_option_group(subunitopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) + +creds_machine = create_credential(lp, creds) +creds_virtual = create_credential(lp, creds) +creds_user1 = create_credential(lp, creds) +creds_user2 = create_credential(lp, creds) +creds_user3 = create_credential(lp, creds) +creds_user4 = create_credential(lp, creds) +creds_user5 = create_credential(lp, creds) +creds_user6 = create_credential(lp, creds) +creds_user7 = create_credential(lp, creds) + +class BindTests(samba.tests.TestCase): + + info_dc = None + + def setUp(self): + super(BindTests, self).setUp() + # fetch rootDSEs + + self.ldb = samba.tests.connect_samdb(host, credentials=creds, lp=lp, ldap_only=True) + + if self.info_dc is None: + res = self.ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + self.assertEqual(len(res), 1) + BindTests.info_dc = res[0] + # cache some of RootDSE props + self.schema_dn = self.info_dc["schemaNamingContext"][0] + self.domain_dn = self.info_dc["defaultNamingContext"][0] + self.config_dn = self.info_dc["configurationNamingContext"][0] + self.realm = self.info_dc["ldapServiceName"][0].split(b'@')[1].decode('utf-8') + self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn + self.virtual_user_dn = "CN=frednurk@%s,CN=Computers,%s" % (self.realm, self.domain_dn) + self.password = "P@ssw0rd" + self.username = "BindTestUser" + + def tearDown(self): + delete_force(self.ldb, self.virtual_user_dn) + super(BindTests, self).tearDown() + + def test_virtual_email_account_style_bind(self): + # create a user in the style often deployed for authentication + # of virtual email account at a hosting provider + # + # The userPrincipalName must not match the samAccountName for + # this test to detect when the LDAP DN is being double-parsed + # but must be in the user@realm style to allow the account to + # be created + try: + self.ldb.add_ldif(""" +dn: """ + self.virtual_user_dn + """ +cn: frednurk@""" + self.realm + """ +displayName: Fred Nurk +sAMAccountName: frednurk@""" + self.realm + """ +userPrincipalName: frednurk@NOT.""" + self.realm + """ +countryCode: 0 +objectClass: computer +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: user +""") + except LdbError as e: + (num, msg) = e.args + self.fail(f"Failed to create e-mail user: {msg}") + + self.addCleanup(delete_force, self.ldb, self.virtual_user_dn) + try: + self.ldb.modify_ldif(""" +dn: """ + self.virtual_user_dn + """ +changetype: modify +replace: unicodePwd +unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """ +""") + except LdbError as e: + (num, msg) = e.args + self.fail(f"Failed to set password on e-mail user: {msg}") + + self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn) + + # do a simple bind and search with the machine account + creds_virtual.set_bind_dn(self.virtual_user_dn) + creds_virtual.set_password(self.password) + print("BindTest with: " + creds_virtual.get_bind_dn()) + try: + ldb_virtual = samba.tests.connect_samdb(host, credentials=creds_virtual, + lp=lp, ldap_only=True) + except LdbError as e: + (num, msg) = e.args + if num != ERR_INVALID_CREDENTIALS: + raise + self.fail(msg) + + res = ldb_virtual.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + def test_computer_account_bind(self): + # create a computer acocount for the test + delete_force(self.ldb, self.computer_dn) + self.ldb.add_ldif(""" +dn: """ + self.computer_dn + """ +cn: CENTOS53 +displayName: CENTOS53$ +name: CENTOS53 +sAMAccountName: CENTOS53$ +countryCode: 0 +objectClass: computer +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: user +codePage: 0 +userAccountControl: 4096 +dNSHostName: centos53.alabala.test +operatingSystemVersion: 5.2 (3790) +operatingSystem: Windows Server 2003 +""") + self.ldb.modify_ldif(""" +dn: """ + self.computer_dn + """ +changetype: modify +replace: unicodePwd +unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """ +""") + + # do a simple bind and search with the machine account + creds_machine.set_bind_dn(self.computer_dn) + creds_machine.set_password(self.password) + print("BindTest with: " + creds_machine.get_bind_dn()) + ldb_machine = samba.tests.connect_samdb(host, credentials=creds_machine, + lp=lp, ldap_only=True) + res = ldb_machine.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + def test_user_account_bind(self): + # create user + self.ldb.newuser(username=self.username, password=self.password) + ldb_res = self.ldb.search(base=self.domain_dn, + scope=SCOPE_SUBTREE, + expression="(samAccountName=%s)" % self.username, + attrs=["objectSid"]) + self.assertEqual(len(ldb_res), 1) + user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) + + # do a simple bind and search with the user account in format user@realm + creds_user1.set_bind_dn(self.username + "@" + creds.get_realm()) + creds_user1.set_password(self.password) + print("BindTest with: " + creds_user1.get_bind_dn()) + ldb_user1 = samba.tests.connect_samdb(host, credentials=creds_user1, + lp=lp, ldap_only=True) + res = ldb_user1.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the user account in format domain\user + creds_user2.set_bind_dn(creds.get_domain() + "\\" + self.username) + creds_user2.set_password(self.password) + print("BindTest with: " + creds_user2.get_bind_dn()) + ldb_user2 = samba.tests.connect_samdb(host, credentials=creds_user2, + lp=lp, ldap_only=True) + res = ldb_user2.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the user account DN + creds_user3.set_bind_dn(str(user_dn)) + creds_user3.set_password(self.password) + print("BindTest with: " + creds_user3.get_bind_dn()) + ldb_user3 = samba.tests.connect_samdb(host, credentials=creds_user3, + lp=lp, ldap_only=True) + res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the user account SID + creds_user5.set_bind_dn(self.ldb.schema_format_value("objectSid", ldb_res[0]["objectSid"][0]).decode('utf8')) + creds_user5.set_password(self.password) + print("BindTest with: " + creds_user5.get_bind_dn()) + ldb_user5 = samba.tests.connect_samdb(host, credentials=creds_user5, + lp=lp, ldap_only=True) + res = ldb_user5.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the canonical name + creds_user6.set_bind_dn(user_dn.canonical_str()) + creds_user6.set_password(self.password) + print("BindTest with: " + creds_user6.get_bind_dn()) + ldb_user6 = samba.tests.connect_samdb(host, credentials=creds_user6, + lp=lp, ldap_only=True) + res = ldb_user6.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the extended canonical name + creds_user7.set_bind_dn(user_dn.canonical_ex_str()) + creds_user7.set_password(self.password) + print("BindTest with: " + creds_user7.get_bind_dn()) + ldb_user7 = samba.tests.connect_samdb(host, credentials=creds_user7, + lp=lp, ldap_only=True) + res = ldb_user7.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + def test_user_account_bind_no_domain(self): + # create user + self.ldb.newuser(username=self.username, password=self.password) + ldb_res = self.ldb.search(base=self.domain_dn, + scope=SCOPE_SUBTREE, + expression="(samAccountName=%s)" % self.username) + self.assertEqual(len(ldb_res), 1) + user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) + + creds_user4.set_username(self.username) + creds_user4.set_password(self.password) + creds_user4.set_domain('') + creds_user4.set_workstation('') + print("BindTest (no domain) with: " + self.username) + try: + ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4, + lp=lp, ldap_only=True) + except: + self.fail("Failed to connect without the domain set") + + res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + +TestProgram(module=__name__, opts=subunitopts) diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c new file mode 100644 index 0000000..2cb2e6d --- /dev/null +++ b/auth/credentials/tests/test_creds.c @@ -0,0 +1,349 @@ +/* + * Unix SMB/CIFS implementation. + * + * Copyright (C) 2018-2019 Andreas Schneider <asn@samba.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include <stdarg.h> +#include <stddef.h> +#include <stdint.h> +#include <setjmp.h> +#include <cmocka.h> + +#include "lib/replace/replace.h" +#include "auth/credentials/credentials.c" + +static int setup_talloc_context(void **state) +{ + TALLOC_CTX *frame = talloc_stackframe(); + + *state = frame; + return 0; +} + +static int teardown_talloc_context(void **state) +{ + TALLOC_CTX *frame = *state; + TALLOC_FREE(frame); + return 0; +} + +static void torture_creds_init(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + const char *username = NULL; + const char *domain = NULL; + const char *password = NULL; + enum credentials_obtained dom_obtained = CRED_UNINITIALISED; + enum credentials_obtained usr_obtained = CRED_UNINITIALISED; + enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + assert_null(creds->username); + assert_int_equal(creds->username_obtained, CRED_UNINITIALISED); + + domain = cli_credentials_get_domain(creds); + assert_null(domain); + ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + domain = cli_credentials_get_domain(creds); + assert_string_equal(domain, "WURST"); + + domain = cli_credentials_get_domain_and_obtained(creds, + &dom_obtained); + assert_int_equal(dom_obtained, CRED_SPECIFIED); + assert_string_equal(domain, "WURST"); + + username = cli_credentials_get_username(creds); + assert_null(username); + ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + username = cli_credentials_get_username(creds); + assert_string_equal(username, "brot"); + + username = cli_credentials_get_username_and_obtained(creds, + &usr_obtained); + assert_int_equal(usr_obtained, CRED_SPECIFIED); + assert_string_equal(username, "brot"); + + password = cli_credentials_get_password(creds); + assert_null(password); + ok = cli_credentials_set_password(creds, "SECRET", CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + password = cli_credentials_get_password(creds); + assert_string_equal(password, "SECRET"); + + password = cli_credentials_get_password_and_obtained(creds, + &pwd_obtained); + assert_int_equal(pwd_obtained, CRED_SPECIFIED); + assert_string_equal(password, "SECRET"); + + /* Run dump to check it works */ + cli_credentials_dump(creds); +} + +static void torture_creds_init_anonymous(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + + creds = cli_credentials_init_anon(mem_ctx); + assert_non_null(creds); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, ""); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_null(creds->password); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); +} + +static void torture_creds_guess(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + const char *env_user = getenv("USER"); + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + + setenv("PASSWD", "SECRET", 1); + ok = cli_credentials_guess(creds, NULL); + assert_true(ok); + + assert_string_equal(creds->username, env_user); + assert_int_equal(creds->username_obtained, CRED_GUESS_ENV); + + assert_string_equal(creds->password, "SECRET"); + assert_int_equal(creds->password_obtained, CRED_GUESS_ENV); + unsetenv("PASSWD"); +} + +static void torture_creds_anon_guess(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + bool ok; + + creds = cli_credentials_init_anon(mem_ctx); + assert_non_null(creds); + + setenv("PASSWD", "SECRET", 1); + ok = cli_credentials_guess(creds, NULL); + assert_true(ok); + + assert_string_equal(creds->username, ""); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_null(creds->password); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + unsetenv("PASSWD"); +} + +static void torture_creds_parse_string(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + + /* Anonymous */ + cli_credentials_parse_string(creds, "%", CRED_SPECIFIED); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, ""); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_null(creds->password); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + + /* Username + password */ + cli_credentials_parse_string(creds, "wurst%BROT", CRED_SPECIFIED); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, "wurst"); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->password, "BROT"); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + + /* Domain + username + password */ + cli_credentials_parse_string(creds, "XXL\\wurst%BROT", CRED_SPECIFIED); + + assert_string_equal(creds->domain, "XXL"); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, "wurst"); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->password, "BROT"); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + + /* Principal */ + cli_credentials_parse_string(creds, "wurst@brot.realm", CRED_SPECIFIED); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, "wurst@brot.realm"); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->principal, "wurst@brot.realm"); + assert_int_equal(creds->principal_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->password, "BROT"); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); +} + +static void torture_creds_krb5_state(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + struct loadparm_context *lp_ctx = NULL; + bool ok; + + lp_ctx = loadparm_init_global(true); + assert_non_null(lp_ctx); + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + + ok = cli_credentials_set_conf(creds, lp_ctx); + assert_true(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + + ok = cli_credentials_guess(creds, lp_ctx); + assert_true(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE); + assert_non_null(creds->ccache); + + ok = cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + + ok = cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_DISABLED, + CRED_SMB_CONF); + assert_false(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + +} + +static void torture_creds_gensec_feature(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + assert_int_equal(creds->gensec_features_obtained, CRED_UNINITIALISED); + assert_int_equal(creds->gensec_features, 0); + + ok = cli_credentials_set_gensec_features(creds, + GENSEC_FEATURE_SIGN, + CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->gensec_features_obtained, CRED_SPECIFIED); + assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN); + + ok = cli_credentials_set_gensec_features(creds, + GENSEC_FEATURE_SEAL, + CRED_SMB_CONF); + assert_false(ok); + assert_int_equal(creds->gensec_features_obtained, CRED_SPECIFIED); + assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN); +} + +static const char *torture_get_password(struct cli_credentials *creds) +{ + return talloc_strdup(creds, "SECRET"); +} + +static void torture_creds_password_callback(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + const char *password = NULL; + enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + + ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED); + assert_true(ok); + ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); + assert_true(ok); + + ok = cli_credentials_set_password_callback(creds, torture_get_password); + assert_true(ok); + assert_int_equal(creds->password_obtained, CRED_CALLBACK); + + password = cli_credentials_get_password_and_obtained(creds, + &pwd_obtained); + assert_int_equal(pwd_obtained, CRED_CALLBACK_RESULT); + assert_string_equal(password, "SECRET"); +} + +int main(int argc, char *argv[]) +{ + int rc; + const struct CMUnitTest tests[] = { + cmocka_unit_test(torture_creds_init), + cmocka_unit_test(torture_creds_init_anonymous), + cmocka_unit_test(torture_creds_guess), + cmocka_unit_test(torture_creds_anon_guess), + cmocka_unit_test(torture_creds_parse_string), + cmocka_unit_test(torture_creds_krb5_state), + cmocka_unit_test(torture_creds_gensec_feature), + cmocka_unit_test(torture_creds_password_callback) + }; + + if (argc == 2) { + cmocka_set_test_filter(argv[1]); + } + cmocka_set_message_output(CM_OUTPUT_SUBUNIT); + + rc = cmocka_run_group_tests(tests, + setup_talloc_context, + teardown_talloc_context); + + return rc; +} diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build new file mode 100644 index 0000000..83c6e8c --- /dev/null +++ b/auth/credentials/wscript_build @@ -0,0 +1,44 @@ +#!/usr/bin/env python + +bld.SAMBA_LIBRARY('samba-credentials', + source='credentials.c', + public_headers='credentials.h', + pc_files='samba-credentials.pc', + deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5', + vnum='1.0.0' + ) + +bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5', + source='credentials_krb5.c', + deps='KERBEROS_SRV_KEYTAB KERBEROS_UTIL gssapi samba-credentials', + public_deps='com_err authkrb5', + ) + +bld.SAMBA_SUBSYSTEM('CREDENTIALS_SECRETS', + source='credentials_secrets.c', + deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common dbwrap', + ) + +bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM', + source='credentials_ntlm.c', + deps='samba-credentials GNUTLS_HELPERS') + +bld.SAMBA_SUBSYSTEM('CREDENTIALS_CMDLINE', + source='credentials_cmdline.c', + deps='samba-credentials') + +pyrpc_util = bld.pyembed_libname('pyrpc_util') +pytalloc_util = bld.pyembed_libname('pytalloc-util') +pyparam_util = bld.pyembed_libname('pyparam_util') + +bld.SAMBA_PYTHON('pycredentials', + source='pycredentials.c', + public_deps='samba-credentials %s %s %s CREDENTIALS_CMDLINE CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pyrpc_util, pytalloc_util, pyparam_util), + realname='samba/credentials.so' +) + +bld.SAMBA_BINARY('test_creds', + source='tests/test_creds.c', + deps='cmocka samba-credentials', + local_include=False, + for_selftest=True) diff --git a/auth/gensec/external.c b/auth/gensec/external.c new file mode 100644 index 0000000..300ce6b --- /dev/null +++ b/auth/gensec/external.c @@ -0,0 +1,127 @@ +/* + Unix SMB/CIFS implementation. + + SASL/EXTERNAL authentication. + + Copyright (C) Howard Chu <hyc@symas.com> 2013 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include <tevent.h> +#include "lib/util/tevent_ntstatus.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "auth/gensec/gensec_proto.h" +#include "auth/gensec/gensec_toplevel_proto.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport + * layer is already mutually authenticated. + */ + +NTSTATUS gensec_external_init(TALLOC_CTX *ctx); + +static NTSTATUS gensec_external_start(struct gensec_security *gensec_security) +{ + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) + return NT_STATUS_INVALID_PARAMETER; + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) + return NT_STATUS_INVALID_PARAMETER; + + return NT_STATUS_OK; +} + +struct gensec_external_update_state { + DATA_BLOB out; +}; + +static struct tevent_req *gensec_external_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct tevent_req *req; + struct gensec_external_update_state *state = NULL; + + req = tevent_req_create(mem_ctx, &state, + struct gensec_external_update_state); + if (req == NULL) { + return NULL; + } + + state->out = data_blob_talloc(state, "", 0); + if (tevent_req_nomem(state->out.data, req)) { + return tevent_req_post(req, ev); + } + + tevent_req_done(req); + return tevent_req_post(req, ev); +} + +static NTSTATUS gensec_external_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct gensec_external_update_state *state = + tevent_req_data(req, + struct gensec_external_update_state); + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + *out = state->out; + tevent_req_received(req); + return NT_STATUS_OK; +} + +/* We have no features */ +static bool gensec_external_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + return false; +} + +static const struct gensec_security_ops gensec_external_ops = { + .name = "sasl-EXTERNAL", + .sasl_name = "EXTERNAL", + .client_start = gensec_external_start, + .update_send = gensec_external_update_send, + .update_recv = gensec_external_update_recv, + .have_feature = gensec_external_have_feature, + .enabled = true, + .priority = GENSEC_EXTERNAL +}; + + +NTSTATUS gensec_external_init(TALLOC_CTX *ctx) +{ + NTSTATUS ret; + + ret = gensec_register(ctx, &gensec_external_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_external_ops.name)); + } + return ret; +} diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c new file mode 100644 index 0000000..26b5865 --- /dev/null +++ b/auth/gensec/gensec.c @@ -0,0 +1,856 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/network.h" +#define TEVENT_DEPRECATED 1 +#include <tevent.h> +#include "lib/tsocket/tsocket.h" +#include "lib/util/tevent_ntstatus.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "librpc/gen_ndr/dcerpc.h" +#include "auth/common_auth.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +_PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security, + bool full_reset) +{ + if (!gensec_security->ops->may_reset_crypto) { + return NT_STATUS_OK; + } + + return gensec_security->ops->may_reset_crypto(gensec_security, full_reset); +} + +/* + wrappers for the gensec function pointers +*/ +_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + if (!gensec_security->ops->unseal_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + return NT_STATUS_INVALID_PARAMETER; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->unseal_packet(gensec_security, + data, length, + whole_pdu, pdu_length, + sig); +} + +_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + if (!gensec_security->ops->check_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig); +} + +_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + if (!gensec_security->ops->seal_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + return NT_STATUS_INVALID_PARAMETER; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); +} + +_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + if (!gensec_security->ops->sign_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); +} + +_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size) +{ + if (!gensec_security->ops->sig_size) { + return 0; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return 0; + } + if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) { + return 0; + } + } + + return gensec_security->ops->sig_size(gensec_security, data_size); +} + +_PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security) +{ + if (!gensec_security->ops->max_wrapped_size) { + return (1 << 17); + } + + return gensec_security->ops->max_wrapped_size(gensec_security); +} + +_PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security) +{ + if (!gensec_security->ops->max_input_size) { + return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17); + } + + return gensec_security->ops->max_input_size(gensec_security); +} + +_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + if (!gensec_security->ops->wrap) { + return NT_STATUS_NOT_IMPLEMENTED; + } + return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out); +} + +_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + if (!gensec_security->ops->unwrap) { + return NT_STATUS_NOT_IMPLEMENTED; + } + return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out); +} + +_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) +{ + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + + if (!gensec_security->ops->session_key) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key); +} + +const char *gensec_final_auth_type(struct gensec_security *gensec_security) +{ + if (!gensec_security->ops->final_auth_type) { + return gensec_security->ops->name; + } + + return gensec_security->ops->final_auth_type(gensec_security); +} + +/* + * Log details of a successful GENSEC authorization to a service. + * + * Only successful authorizations are logged, as only these call gensec_session_info() + * + * The service may later refuse authorization due to an ACL. + * + */ +static void log_successful_gensec_authz_event(struct gensec_security *gensec_security, + struct auth_session_info *session_info) +{ + const struct tsocket_address *remote + = gensec_get_remote_address(gensec_security); + const struct tsocket_address *local + = gensec_get_local_address(gensec_security); + const char *service_description + = gensec_get_target_service_description(gensec_security); + const char *final_auth_type + = gensec_final_auth_type(gensec_security); + const char *transport_protection = NULL; + if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) { + transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB; + } else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) { + transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS; + } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL; + } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN; + } else { + transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE; + } + log_successful_authz_event(gensec_security->auth_context->msg_ctx, + gensec_security->auth_context->lp_ctx, + remote, local, + service_description, + final_auth_type, + transport_protection, + session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); +} + + +/** + * Return the credentials of a logged on user, including session keys + * etc. + * + * Only valid after a successful authentication + * + * May only be called once per authentication. This will also make an + * authorization log entry, as it is already called by all the + * callers. + * + */ + +_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + NTSTATUS status; + if (!gensec_security->ops->session_info) { + return NT_STATUS_NOT_IMPLEMENTED; + } + status = gensec_security->ops->session_info(gensec_security, mem_ctx, session_info); + + if (NT_STATUS_IS_OK(status) && !gensec_security->subcontext + && (gensec_security->want_features & GENSEC_FEATURE_NO_AUTHZ_LOG) == 0) { + log_successful_gensec_authz_event(gensec_security, *session_info); + } + + return status; +} + +_PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security, + uint32_t max_update_size) +{ + gensec_security->max_update_size = max_update_size; +} + +_PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security) +{ + if (gensec_security->max_update_size == 0) { + return UINT32_MAX; + } + + return gensec_security->max_update_size; +} + +static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security) +{ + bool ok; + + /* + * gensec_want_feature(GENSEC_FEATURE_SIGN) + * and + * gensec_want_feature(GENSEC_FEATURE_SEAL) + * require these flags to be available. + */ + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + DEBUG(0,("Did not manage to negotiate mandatory feature " + "SIGN\n")); + return NT_STATUS_ACCESS_DENIED; + } + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + DEBUG(0,("Did not manage to negotiate mandatory feature " + "SEAL\n")); + return NT_STATUS_ACCESS_DENIED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + DEBUG(0,("Did not manage to negotiate mandatory feature " + "SIGN for SEAL\n")); + return NT_STATUS_ACCESS_DENIED; + } + } + + if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_PACKET) { + return NT_STATUS_OK; + } + + ok = gensec_have_feature(gensec_security, + GENSEC_FEATURE_SIGN_PKT_HEADER); + if (!ok) { + DBG_ERR("backend [%s] does not support header signing! " + "auth_level[0x%x]\n", + gensec_security->ops->name, + gensec_security->dcerpc_auth_level); + return NT_STATUS_INTERNAL_ERROR; + } + + return NT_STATUS_OK; +} + +/** + * Next state function for the GENSEC state machine + * + * @param gensec_security GENSEC State + * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on + * @param in The request, as a DATA_BLOB + * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx + * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, + * or NT_STATUS_OK if the user is authenticated. + */ +_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) +{ + NTSTATUS status; + TALLOC_CTX *frame = NULL; + struct tevent_context *ev = NULL; + struct tevent_req *subreq = NULL; + bool ok; + + if (gensec_security->subcontext) { + /* + * gensec modules are not allowed to call the sync version. + */ + return NT_STATUS_INTERNAL_ERROR; + } + + frame = talloc_stackframe(); + + ev = samba_tevent_context_init(frame); + if (ev == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + /* + * TODO: remove this hack once the backends + * are fixed. + */ + tevent_loop_allow_nesting(ev); + + subreq = gensec_update_send(frame, ev, gensec_security, in); + if (subreq == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + ok = tevent_req_poll_ntstatus(subreq, ev, &status); + if (!ok) { + goto fail; + } + status = gensec_update_recv(subreq, out_mem_ctx, out); + fail: + TALLOC_FREE(frame); + return status; +} + +struct gensec_update_state { + const struct gensec_security_ops *ops; + struct gensec_security *gensec_security; + NTSTATUS status; + DATA_BLOB out; +}; + +static void gensec_update_cleanup(struct tevent_req *req, + enum tevent_req_state req_state); +static void gensec_update_done(struct tevent_req *subreq); + +/** + * Next state function for the GENSEC state machine async version + * + * @param mem_ctx The memory context for the request + * @param ev The event context for the request + * @param gensec_security GENSEC State + * @param in The request, as a DATA_BLOB + * + * @return The request handle or NULL on no memory failure + */ + +_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct tevent_req *req = NULL; + struct gensec_update_state *state = NULL; + struct tevent_req *subreq = NULL; + + req = tevent_req_create(mem_ctx, &state, + struct gensec_update_state); + if (req == NULL) { + return NULL; + } + state->ops = gensec_security->ops; + state->gensec_security = gensec_security; + + if (gensec_security->update_busy_ptr != NULL) { + tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); + return tevent_req_post(req, ev); + } + + if (gensec_security->child_security != NULL) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + gensec_security->update_busy_ptr = &state->gensec_security; + tevent_req_set_cleanup_fn(req, gensec_update_cleanup); + + subreq = state->ops->update_send(state, ev, gensec_security, in); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, gensec_update_done, req); + + DBG_DEBUG("%s[%p]: subreq: %p\n", state->ops->name, + state->gensec_security, subreq); + + return req; +} + +static void gensec_update_cleanup(struct tevent_req *req, + enum tevent_req_state req_state) +{ + struct gensec_update_state *state = + tevent_req_data(req, + struct gensec_update_state); + + if (state->gensec_security == NULL) { + return; + } + + if (state->gensec_security->update_busy_ptr == &state->gensec_security) { + state->gensec_security->update_busy_ptr = NULL; + } + + state->gensec_security = NULL; +} + +static void gensec_update_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct gensec_update_state *state = + tevent_req_data(req, + struct gensec_update_state); + NTSTATUS status; + const char *debug_subreq = NULL; + + if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) { + /* + * We need to call tevent_req_print() + * before calling the _recv function, + * before tevent_req_received() was called. + * in order to print the pointer value of + * the subreq state. + */ + debug_subreq = tevent_req_print(state, subreq); + } + + status = state->ops->update_recv(subreq, state, &state->out); + TALLOC_FREE(subreq); + state->status = status; + if (GENSEC_UPDATE_IS_NTERROR(status)) { + NTSTATUS orig_status = status; + bool force_no_such_user = false; + + /* + * callers only expect NT_STATUS_NO_SUCH_USER. + */ + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) { + force_no_such_user = true; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) { + force_no_such_user = true; + } + + if (state->gensec_security->subcontext) { + /* + * We should only map on the outer + * gensec_update exchange, spnego + * needs the raw status. + */ + force_no_such_user = false; + } + + if (force_no_such_user) { + /* + * nt_status_squash() may map + * to NT_STATUS_LOGON_FAILURE later + */ + status = NT_STATUS_NO_SUCH_USER; + } + + DBG_INFO("%s[%p]: %s%s%s%s%s\n", + state->ops->name, + state->gensec_security, + NT_STATUS_EQUAL(status, orig_status) ? + "" : nt_errstr(orig_status), + NT_STATUS_EQUAL(status, orig_status) ? + "" : " ", + nt_errstr(status), + debug_subreq ? " " : "", + debug_subreq ? debug_subreq : ""); + tevent_req_nterror(req, status); + return; + } + DBG_DEBUG("%s[%p]: %s %s\n", state->ops->name, + state->gensec_security, nt_errstr(status), + debug_subreq); + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + tevent_req_done(req); + return; + } + + /* + * Because callers using the + * gensec_start_mech_by_authtype() never call + * gensec_want_feature(), it isn't sensible for them + * to have to call gensec_have_feature() manually, and + * these are not points of negotiation, but are + * asserted by the client + */ + status = gensec_verify_features(state->gensec_security); + if (tevent_req_nterror(req, status)) { + return; + } + + tevent_req_done(req); +} + +/** + * Next state function for the GENSEC state machine + * + * @param req request state + * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on + * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx + * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, + * or NT_STATUS_OK if the user is authenticated. + */ +_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct gensec_update_state *state = + tevent_req_data(req, struct gensec_update_state); + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + *out = state->out; + talloc_steal(out_mem_ctx, out->data); + status = state->status; + tevent_req_received(req); + return status; +} + +/** + * Set the requirement for a certain feature on the connection + * + */ + +_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + if (!gensec_security->ops || !gensec_security->ops->want_feature) { + gensec_security->want_features |= feature; + return; + } + gensec_security->ops->want_feature(gensec_security, feature); +} + +/** + * Check the requirement for a certain feature on the connection + * + */ + +_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + if (!gensec_security->ops || !gensec_security->ops->have_feature) { + return false; + } + + /* We might 'have' features that we don't 'want', because the + * other end demanded them, or we can't negotiate them off */ + return gensec_security->ops->have_feature(gensec_security, feature); +} + +_PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security) +{ + if (!gensec_security->ops->expire_time) { + return GENSEC_EXPIRE_TIME_INFINITY; + } + + return gensec_security->ops->expire_time(gensec_security); +} +/** + * Return the credentials structure associated with a GENSEC context + * + */ + +_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security) +{ + if (!gensec_security) { + return NULL; + } + return gensec_security->credentials; +} + +/** + * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed + * + * This is used for Kerberos service principal name resolution. + */ + +_PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service) +{ + gensec_security->target.service = talloc_strdup(gensec_security, service); + if (!gensec_security->target.service) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; +} + +_PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security) +{ + if (gensec_security->target.service) { + return gensec_security->target.service; + } + + return "host"; +} + +/** + * Set the target service (such as 'samr') on an GENSEC context - ensures it is talloc()ed. + * + * This is not the Kerberos service principal, instead this is a + * constant value that can be logged as part of authentication and + * authorization logging + */ +_PUBLIC_ NTSTATUS gensec_set_target_service_description(struct gensec_security *gensec_security, + const char *service) +{ + gensec_security->target.service_description = talloc_strdup(gensec_security, service); + if (!gensec_security->target.service_description) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; +} + +_PUBLIC_ const char *gensec_get_target_service_description(struct gensec_security *gensec_security) +{ + if (gensec_security->target.service_description) { + return gensec_security->target.service_description; + } else if (gensec_security->target.service) { + return gensec_security->target.service; + } + + return NULL; +} + +/** + * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed + * + */ + +_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname) +{ + gensec_security->target.hostname = talloc_strdup(gensec_security, hostname); + if (hostname && !gensec_security->target.hostname) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; +} + +_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) +{ + /* We allow the target hostname to be overridden for testing purposes */ + if (gensec_security->settings->target_hostname) { + return gensec_security->settings->target_hostname; + } + + if (gensec_security->target.hostname) { + return gensec_security->target.hostname; + } + + /* We could add use the 'set sockaddr' call, and do a reverse + * lookup, but this would be both insecure (compromising the + * way kerberos works) and add DNS timeouts */ + return NULL; +} + +/** + * Set (and copy) local and peer socket addresses onto a socket + * context on the GENSEC context. + * + * This is so that kerberos can include these addresses in + * cryptographic tokens, to avoid certain attacks. + */ + +/** + * @brief Set the local gensec address. + * + * @param gensec_security The gensec security context to use. + * + * @param remote The local address to set. + * + * @return On success NT_STATUS_OK is returned or an NT_STATUS + * error. + */ +_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, + const struct tsocket_address *local) +{ + TALLOC_FREE(gensec_security->local_addr); + + if (local == NULL) { + return NT_STATUS_OK; + } + + gensec_security->local_addr = tsocket_address_copy(local, gensec_security); + if (gensec_security->local_addr == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +/** + * @brief Set the remote gensec address. + * + * @param gensec_security The gensec security context to use. + * + * @param remote The remote address to set. + * + * @return On success NT_STATUS_OK is returned or an NT_STATUS + * error. + */ +_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security, + const struct tsocket_address *remote) +{ + TALLOC_FREE(gensec_security->remote_addr); + + if (remote == NULL) { + return NT_STATUS_OK; + } + + gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security); + if (gensec_security->remote_addr == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +/** + * @brief Get the local address from a gensec security context. + * + * @param gensec_security The security context to get the address from. + * + * @return The address as tsocket_address which could be NULL if + * no address is set. + */ +_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security) +{ + if (gensec_security == NULL) { + return NULL; + } + return gensec_security->local_addr; +} + +/** + * @brief Get the remote address from a gensec security context. + * + * @param gensec_security The security context to get the address from. + * + * @return The address as tsocket_address which could be NULL if + * no address is set. + */ +_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security) +{ + if (gensec_security == NULL) { + return NULL; + } + return gensec_security->remote_addr; +} + +/** + * Set the target principal (assuming it it known, say from the SPNEGO reply) + * - ensures it is talloc()ed + * + */ + +_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal) +{ + gensec_security->target.principal = talloc_strdup(gensec_security, principal); + if (!gensec_security->target.principal) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; +} + +_PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security) +{ + if (gensec_security->target.principal) { + return gensec_security->target.principal; + } + + return NULL; +} diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h new file mode 100644 index 0000000..29d5e92 --- /dev/null +++ b/auth/gensec/gensec.h @@ -0,0 +1,327 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __GENSEC_H__ +#define __GENSEC_H__ + +#include "../lib/util/data_blob.h" +#include "libcli/util/ntstatus.h" + +#define GENSEC_SASL_NAME_NTLMSSP "NTLM" + +#define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10" +#define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2" +#define GENSEC_OID_KERBEROS5 "1.2.840.113554.1.2.2" +#define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2" +#define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3" + +#define GENSEC_FINAL_AUTH_TYPE_KRB5 "krb5" +#define GENSEC_FINAL_AUTH_TYPE_NTLMSSP "NTLMSSP" + +enum gensec_priority { + GENSEC_SPNEGO = 90, + GENSEC_GSSAPI = 80, + GENSEC_KRB5 = 70, + GENSEC_SCHANNEL = 60, + GENSEC_NTLMSSP = 50, + GENSEC_SASL = 20, + GENSEC_OTHER = 10, + GENSEC_EXTERNAL = 0 +}; + +struct gensec_security; +struct gensec_target { + const char *principal; + const char *hostname; + const char *service; + const char *service_description; +}; + +#define GENSEC_FEATURE_SESSION_KEY 0x00000001 +#define GENSEC_FEATURE_SIGN 0x00000002 +#define GENSEC_FEATURE_SEAL 0x00000004 +#define GENSEC_FEATURE_DCE_STYLE 0x00000008 +#define GENSEC_FEATURE_ASYNC_REPLIES 0x00000010 +#define GENSEC_FEATURE_DATAGRAM_MODE 0x00000020 +#define GENSEC_FEATURE_SIGN_PKT_HEADER 0x00000040 +#define GENSEC_FEATURE_NEW_SPNEGO 0x00000080 +#define GENSEC_FEATURE_UNIX_TOKEN 0x00000100 +#define GENSEC_FEATURE_NTLM_CCACHE 0x00000200 +#define GENSEC_FEATURE_LDAP_STYLE 0x00000400 +#define GENSEC_FEATURE_NO_AUTHZ_LOG 0x00000800 +#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000 +#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000 + +#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL + +/* GENSEC mode */ +enum gensec_role +{ + GENSEC_SERVER, + GENSEC_CLIENT +}; + +struct auth_session_info; +struct cli_credentials; +struct gensec_settings; +struct tevent_context; +struct tevent_req; +struct smb_krb5_context; +struct tsocket_address; + +struct gensec_settings { + struct loadparm_context *lp_ctx; + const char *target_hostname; + + /* this allows callers to specify a specific set of ops that + * should be used, rather than those loaded by the plugin + * mechanism */ + const struct gensec_security_ops * const *backends; + + /* To fill in our own name in the NTLMSSP server */ + const char *server_dns_domain; + const char *server_dns_name; + const char *server_netbios_domain; + const char *server_netbios_name; +}; + +struct gensec_security_ops; +struct gensec_security_ops_wrapper; + +/* Change to 1, loadable modules now take a TALLOC_CTX * init() parameter. */ +#define GENSEC_INTERFACE_VERSION 1 + +/* this structure is used by backends to determine the size of some critical types */ +struct gensec_critical_sizes; +const struct gensec_critical_sizes *gensec_interface_version(void); + +/* Socket wrapper */ + +struct gensec_security; +struct auth4_context; +struct auth_user_info_dc; + +struct loadparm_context; + +NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, + struct gensec_security *parent, + struct gensec_security **gensec_security); +NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, + struct gensec_security **gensec_security, + struct gensec_settings *settings); +NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, + const struct gensec_security_ops *ops); +NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, + const char **sasl_names); +void gensec_set_max_update_size(struct gensec_security *gensec_security, + uint32_t max_update_size); +size_t gensec_max_update_size(struct gensec_security *gensec_security); +NTSTATUS gensec_update(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out); +struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in); +NTSTATUS gensec_update_recv(struct tevent_req *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out); + +#define GENSEC_UPDATE_IS_NTERROR(status) ( \ + !NT_STATUS_IS_OK(status) && \ + !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) \ + ) + +/** + * @brief Ask for features for a following authentication + * + * Typically only one specific feature bit should be passed, + * but it also works to ask for more features. + * + * The features must be requested before starting the + * gensec_update*() loop. + * + * The current exception is GENSEC_FEATURE_SIGN_PKT_HEADER, + * it can also be requested once the gensec_update*() loop + * returned NT_STATUS_OK. + * + * The features should not be changed during the gensec_update*() + * loop. + * + * @param[in] gensec_security The context to be used + * + * @param[in] feature The requested feature[s]. + * + */ +void gensec_want_feature(struct gensec_security *gensec_security, + uint32_t feature); +/** + * @brief Ask for one feature after the finished authentication + * + * Because the return value is bool, the caller can only + * ask for one feature at a time. + * + * The features must be requested after the finished + * gensec_update*() loop. + * + * The current exception is GENSEC_FEATURE_SIGN_PKT_HEADER, + * it can also be requested before the gensec_update*() loop, + * as the return value only indicates if the backend supports + * dcerpc header signing, not if header signing will be used + * between client and server. It will be used only if the caller + * also used gensec_want_feature(GENSEC_FEATURE_SIGN_PKT_HEADER). + * + * @param[in] gensec_security The context to be used. + * + * @param[in] feature The requested feature. + * + * @return true if the feature is supported, false if not. + */ +bool gensec_have_feature(struct gensec_security *gensec_security, + uint32_t feature); +NTTIME gensec_expire_time(struct gensec_security *gensec_security); +NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials); +/** + * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed + * + * This is used for Kerberos service principal name resolution. + */ + +NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service); +const char *gensec_get_target_service(struct gensec_security *gensec_security); +NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname); +const char *gensec_get_target_hostname(struct gensec_security *gensec_security); +/** + * Set the target service (such as 'samr') on an GENSEC context - ensures it is talloc()ed. + * + * This is not the Kerberos service principal, instead this is a + * constant value that can be logged as part of authentication and + * authorization logging + */ +const char *gensec_get_target_service_description(struct gensec_security *gensec_security); +NTSTATUS gensec_set_target_service_description(struct gensec_security *gensec_security, + const char *service); +NTSTATUS gensec_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); +NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, + const char *mech_oid); +const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string); +struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security); +NTSTATUS gensec_init(void); +NTSTATUS gensec_register(TALLOC_CTX *ctx, + const struct gensec_security_ops *ops); +const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security, + const char *oid_string); +const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security, + const char *sasl_name); +const struct gensec_security_ops *gensec_security_by_auth_type( + struct gensec_security *gensec_security, + uint32_t auth_type); +const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security, + const char *name); +const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx); +const struct gensec_security_ops_wrapper *gensec_security_by_oid_list( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const char * const *oid_strings, + const char *skip); +const char **gensec_security_oids(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const char *skip); +const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, + const struct gensec_security_ops_wrapper *wops); +size_t gensec_max_input_size(struct gensec_security *gensec_security); +size_t gensec_max_wrapped_size(struct gensec_security *gensec_security); +NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size); +NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, + uint8_t auth_type, uint8_t auth_level); +const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype); +NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, + struct gensec_settings *settings, + struct auth4_context *auth_context, + struct gensec_security **gensec_security); +NTSTATUS gensec_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info); + +NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, + const struct tsocket_address *local); +NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security, + const struct tsocket_address *remote); +const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security); +const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security); + +NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, + const char *name); + +NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); +NTSTATUS gensec_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); + +bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security); + +NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, + const char *sasl_name); +const char **gensec_security_sasl_names(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx); + +int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value); +bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value); + +NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal); +const char *gensec_get_target_principal(struct gensec_security *gensec_security); + +NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_string, + const struct tsocket_address *remote_address, + struct auth_session_info **session_info); + +NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused, + const DATA_BLOB *blob); + +#endif /* __GENSEC_H__ */ diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h new file mode 100644 index 0000000..8efb1bd --- /dev/null +++ b/auth/gensec/gensec_internal.h @@ -0,0 +1,183 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __GENSEC_INTERNAL_H__ +#define __GENSEC_INTERNAL_H__ + +struct gensec_security; + +struct gensec_security_ops { + const char *name; + const char *sasl_name; + bool weak_crypto; + uint8_t auth_type; /* 0 if not offered on DCE-RPC */ + const char **oid; /* NULL if not offered by SPNEGO */ + NTSTATUS (*client_start)(struct gensec_security *gensec_security); + NTSTATUS (*server_start)(struct gensec_security *gensec_security); + /** + Determine if a packet has the right 'magic' for this mechanism + */ + NTSTATUS (*magic)(struct gensec_security *gensec_security, + const DATA_BLOB *first_packet); + struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in); + NTSTATUS (*update_recv)(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out); + NTSTATUS (*may_reset_crypto)(struct gensec_security *gensec_security, + bool full_reset); + NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); + NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); + size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size); + size_t (*max_input_size)(struct gensec_security *gensec_security); + size_t (*max_wrapped_size)(struct gensec_security *gensec_security); + NTSTATUS (*check_packet)(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); + NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); + NTSTATUS (*wrap)(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); + NTSTATUS (*unwrap)(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); + NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); + NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info); + void (*want_feature)(struct gensec_security *gensec_security, + uint32_t feature); + bool (*have_feature)(struct gensec_security *gensec_security, + uint32_t feature); + NTTIME (*expire_time)(struct gensec_security *gensec_security); + const char *(*final_auth_type)(struct gensec_security *gensec_security); + bool enabled; + bool kerberos; + enum gensec_priority priority; + bool glue; +}; + +struct gensec_security_ops_wrapper { + const struct gensec_security_ops *op; + const char *oid; +}; + +struct gensec_security { + const struct gensec_security_ops *ops; + void *private_data; + struct cli_credentials *credentials; + struct gensec_target target; + enum gensec_role gensec_role; + bool subcontext; + uint32_t want_features; + uint32_t max_update_size; + uint8_t dcerpc_auth_level; + struct tsocket_address *local_addr, *remote_addr; + struct gensec_settings *settings; + + /* When we are a server, this may be filled in to provide an + * NTLM authentication backend, and user lookup (such as if no + * PAC is found) */ + struct auth4_context *auth_context; + + struct gensec_security *parent_security; + struct gensec_security *child_security; + + /* + * This is used to mark the context as being + * busy in an async gensec_update_send(). + */ + struct gensec_security **update_busy_ptr; +}; + +/* this structure is used by backends to determine the size of some critical types */ +struct gensec_critical_sizes { + int interface_version; + int sizeof_gensec_security_ops; + int sizeof_gensec_security; +}; + +NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security, + bool full_reset); + +const char *gensec_final_auth_type(struct gensec_security *gensec_security); + +NTSTATUS gensec_child_ready(struct gensec_security *parent, + struct gensec_security *child); +void gensec_child_want_feature(struct gensec_security *gensec_security, + uint32_t feature); +bool gensec_child_have_feature(struct gensec_security *gensec_security, + uint32_t feature); +NTSTATUS gensec_child_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +NTSTATUS gensec_child_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +NTSTATUS gensec_child_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS gensec_child_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS gensec_child_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); +NTSTATUS gensec_child_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); +size_t gensec_child_sig_size(struct gensec_security *gensec_security, + size_t data_size); +size_t gensec_child_max_input_size(struct gensec_security *gensec_security); +size_t gensec_child_max_wrapped_size(struct gensec_security *gensec_security); +NTSTATUS gensec_child_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); +NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info); +NTTIME gensec_child_expire_time(struct gensec_security *gensec_security); +const char *gensec_child_final_auth_type(struct gensec_security *gensec_security); + +#endif /* __GENSEC_H__ */ diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c new file mode 100644 index 0000000..072188a --- /dev/null +++ b/auth/gensec/gensec_start.c @@ -0,0 +1,1147 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/network.h" +#include "tevent.h" +#include "../lib/util/tevent_ntstatus.h" +#include "librpc/gen_ndr/dcerpc.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "lib/param/param.h" +#include "lib/param/loadparm.h" +#include "lib/util/tsort.h" +#include "lib/util/samba_modules.h" +#include "lib/util/base64.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +#undef strcasecmp + +/* the list of currently registered GENSEC backends */ +static const struct gensec_security_ops **generic_security_ops; +static int gensec_num_backends; + +bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security) +{ + bool ok = lpcfg_parm_bool(security->settings->lp_ctx, + NULL, + "gensec", + ops->name, + ops->enabled); + + if (ops->weak_crypto && + lpcfg_weak_crypto(security->settings->lp_ctx) != SAMBA_WEAK_CRYPTO_ALLOWED) { + ok = false; + } + + return ok; +} + +/* Sometimes we want to force only kerberos, sometimes we want to + * force it's avoidance. The old list could be either + * gensec_security_all(), or from cli_credentials_gensec_list() (ie, + * an existing list we have trimmed down) + * + * The intended logic is: + * + * if we are in the default AUTO have kerberos: + * - take a reference to the master list + * otherwise + * - always add spnego then: + * - if we 'MUST' have kerberos: + * only add kerberos mechs + * - if we 'DONT' want kerberos': + * only add non-kerberos mechs + * + * Once we get things like NegoEx or moonshot, this will of course get + * more complex. + */ + +static const struct gensec_security_ops **gensec_use_kerberos_mechs( + TALLOC_CTX *mem_ctx, + const struct gensec_security_ops * const *old_gensec_list, + enum credentials_use_kerberos use_kerberos, + bool keep_schannel) +{ + const struct gensec_security_ops **new_gensec_list; + int i, j, num_mechs_in; + + for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) { + /* noop */ + } + + new_gensec_list = talloc_array(mem_ctx, + const struct gensec_security_ops *, + num_mechs_in + 1); + if (!new_gensec_list) { + return NULL; + } + + j = 0; + for (i=0; old_gensec_list && old_gensec_list[i]; i++) { + bool keep = false; + + /* + * We want to keep SPNEGO and other backends + */ + keep = old_gensec_list[i]->glue; + + if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + keep = keep_schannel; + } + + switch (use_kerberos) { + case CRED_USE_KERBEROS_DESIRED: + keep = true; + break; + + case CRED_USE_KERBEROS_DISABLED: + if (old_gensec_list[i]->kerberos == false) { + keep = true; + } + + break; + + case CRED_USE_KERBEROS_REQUIRED: + if (old_gensec_list[i]->kerberos == true) { + keep = true; + } + + break; + default: + /* Can't happen or invalid parameter */ + return NULL; + } + + if (!keep) { + continue; + } + + new_gensec_list[j] = old_gensec_list[i]; + j++; + } + new_gensec_list[j] = NULL; + + return new_gensec_list; +} + +_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx) +{ + const struct gensec_security_ops * const *backends = + generic_security_ops; + enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED; + bool keep_schannel = false; + + if (gensec_security != NULL) { + struct cli_credentials *creds = NULL; + + creds = gensec_get_credentials(gensec_security); + if (creds != NULL) { + use_kerberos = cli_credentials_get_kerberos_state(creds); + if (cli_credentials_get_netlogon_creds(creds) != NULL) { + keep_schannel = true; + } + + /* + * Even if Kerberos is set to REQUIRED, keep the + * schannel auth mechanism so that machine accounts are + * able to authenticate via netlogon. + */ + if (gensec_security->gensec_role == GENSEC_SERVER) { + keep_schannel = true; + } + } + + if (gensec_security->settings->backends) { + backends = gensec_security->settings->backends; + } + } + + return gensec_use_kerberos_mechs(mem_ctx, backends, + use_kerberos, keep_schannel); + +} + +_PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid( + struct gensec_security *gensec_security, + const char *oid_string) +{ + int i, j; + const struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; + } + backends = gensec_security_mechs(gensec_security, mem_ctx); + for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], + gensec_security)) + continue; + if (backends[i]->oid) { + for (j=0; backends[i]->oid[j]; j++) { + if (backends[i]->oid[j] && + (strcmp(backends[i]->oid[j], oid_string) == 0)) { + backend = backends[i]; + talloc_free(mem_ctx); + return backend; + } + } + } + } + talloc_free(mem_ctx); + + return NULL; +} + +_PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name( + struct gensec_security *gensec_security, + const char *sasl_name) +{ + int i; + const struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; + } + backends = gensec_security_mechs(gensec_security, mem_ctx); + for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security)) { + continue; + } + if (backends[i]->sasl_name + && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) { + backend = backends[i]; + talloc_free(mem_ctx); + return backend; + } + } + talloc_free(mem_ctx); + + return NULL; +} + +_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type( + struct gensec_security *gensec_security, + uint32_t auth_type) +{ + int i; + const struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx; + + if (auth_type == DCERPC_AUTH_TYPE_NONE) { + return NULL; + } + + mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; + } + backends = gensec_security_mechs(gensec_security, mem_ctx); + for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security)) { + continue; + } + if (backends[i]->auth_type == auth_type) { + backend = backends[i]; + talloc_free(mem_ctx); + return backend; + } + } + talloc_free(mem_ctx); + + return NULL; +} + +const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security, + const char *name) +{ + int i; + const struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; + } + backends = gensec_security_mechs(gensec_security, mem_ctx); + for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security)) + continue; + if (backends[i]->name + && (strcmp(backends[i]->name, name) == 0)) { + backend = backends[i]; + talloc_free(mem_ctx); + return backend; + } + } + talloc_free(mem_ctx); + return NULL; +} + +static const char **gensec_security_sasl_names_from_ops( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const struct gensec_security_ops * const *ops) +{ + const char **sasl_names = NULL; + size_t i, sasl_names_count = 0; + + if (ops == NULL) { + return NULL; + } + + sasl_names = talloc_array(mem_ctx, const char *, 1); + if (sasl_names == NULL) { + return NULL; + } + + for (i = 0; ops[i] != NULL; i++) { + enum gensec_role role = GENSEC_SERVER; + const char **tmp = NULL; + + if (ops[i]->sasl_name == NULL) { + continue; + } + + if (gensec_security != NULL) { + if (!gensec_security_ops_enabled(ops[i], + gensec_security)) { + continue; + } + + role = gensec_security->gensec_role; + } + + switch (role) { + case GENSEC_CLIENT: + if (ops[i]->client_start == NULL) { + continue; + } + break; + case GENSEC_SERVER: + if (ops[i]->server_start == NULL) { + continue; + } + break; + } + + tmp = talloc_realloc(mem_ctx, + sasl_names, + const char *, + sasl_names_count + 2); + if (tmp == NULL) { + TALLOC_FREE(sasl_names); + return NULL; + } + sasl_names = tmp; + + sasl_names[sasl_names_count] = ops[i]->sasl_name; + sasl_names_count++; + } + sasl_names[sasl_names_count] = NULL; + + return sasl_names; +} + +/** + * @brief Get the sasl names from the gensec security context. + * + * @param[in] gensec_security The gensec security context. + * + * @param[in] mem_ctx The memory context to allocate memory on. + * + * @return An allocated array with sasl names, NULL on error. + */ +_PUBLIC_ +const char **gensec_security_sasl_names(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx) +{ + const struct gensec_security_ops **ops = NULL; + + ops = gensec_security_mechs(gensec_security, mem_ctx); + + return gensec_security_sasl_names_from_ops(gensec_security, + mem_ctx, + ops); +} + +/** + * Return a unique list of security subsystems from those specified in + * the list of SASL names. + * + * Use the list of enabled GENSEC mechanisms from the credentials + * attached to the gensec_security, and return in our preferred order. + */ + +static const struct gensec_security_ops **gensec_security_by_sasl_list( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const char **sasl_names) +{ + const struct gensec_security_ops **backends_out; + const struct gensec_security_ops **backends; + int i, k, sasl_idx; + int num_backends_out = 0; + + if (!sasl_names) { + return NULL; + } + + backends = gensec_security_mechs(gensec_security, mem_ctx); + + backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1); + if (!backends_out) { + return NULL; + } + backends_out[0] = NULL; + + /* Find backends in our preferred order, by walking our list, + * then looking in the supplied list */ + for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security)) + continue; + for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) { + if (!backends[i]->sasl_name || + !(strcmp(backends[i]->sasl_name, + sasl_names[sasl_idx]) == 0)) { + continue; + } + + for (k=0; backends_out[k]; k++) { + if (backends_out[k] == backends[i]) { + break; + } + } + + if (k < num_backends_out) { + /* already in there */ + continue; + } + + backends_out = talloc_realloc(mem_ctx, backends_out, + const struct gensec_security_ops *, + num_backends_out + 2); + if (!backends_out) { + return NULL; + } + + backends_out[num_backends_out] = backends[i]; + num_backends_out++; + backends_out[num_backends_out] = NULL; + } + } + return backends_out; +} + +/** + * Return a unique list of security subsystems from those specified in + * the OID list. That is, where two OIDs refer to the same module, + * return that module only once. + * + * Use the list of enabled GENSEC mechanisms from the credentials + * attached to the gensec_security, and return in our preferred order. + */ + +_PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const char * const *oid_strings, + const char *skip) +{ + struct gensec_security_ops_wrapper *backends_out; + const struct gensec_security_ops **backends; + int i, j, k, oid_idx; + int num_backends_out = 0; + + if (!oid_strings) { + return NULL; + } + + backends = gensec_security_mechs(gensec_security, gensec_security); + + backends_out = talloc_array(mem_ctx, struct gensec_security_ops_wrapper, 1); + if (!backends_out) { + return NULL; + } + backends_out[0].op = NULL; + backends_out[0].oid = NULL; + + /* Find backends in our preferred order, by walking our list, + * then looking in the supplied list */ + for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security)) + continue; + if (!backends[i]->oid) { + continue; + } + for (oid_idx = 0; oid_strings[oid_idx]; oid_idx++) { + if (strcmp(oid_strings[oid_idx], skip) == 0) { + continue; + } + + for (j=0; backends[i]->oid[j]; j++) { + if (!backends[i]->oid[j] || + !(strcmp(backends[i]->oid[j], + oid_strings[oid_idx]) == 0)) { + continue; + } + + for (k=0; backends_out[k].op; k++) { + if (backends_out[k].op == backends[i]) { + break; + } + } + + if (k < num_backends_out) { + /* already in there */ + continue; + } + + backends_out = talloc_realloc(mem_ctx, backends_out, + struct gensec_security_ops_wrapper, + num_backends_out + 2); + if (!backends_out) { + return NULL; + } + + backends_out[num_backends_out].op = backends[i]; + backends_out[num_backends_out].oid = backends[i]->oid[j]; + num_backends_out++; + backends_out[num_backends_out].op = NULL; + backends_out[num_backends_out].oid = NULL; + } + } + } + return backends_out; +} + +/** + * Return OIDS from the security subsystems listed + */ + +static const char **gensec_security_oids_from_ops( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const struct gensec_security_ops * const *ops, + const char *skip) +{ + int i; + int j = 0; + int k; + const char **oid_list; + if (!ops) { + return NULL; + } + oid_list = talloc_array(mem_ctx, const char *, 1); + if (!oid_list) { + return NULL; + } + + for (i=0; ops && ops[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(ops[i], gensec_security)) { + continue; + } + if (!ops[i]->oid) { + continue; + } + + for (k = 0; ops[i]->oid[k]; k++) { + if (skip && strcmp(skip, ops[i]->oid[k])==0) { + } else { + oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2); + if (!oid_list) { + return NULL; + } + oid_list[j] = ops[i]->oid[k]; + j++; + } + } + } + oid_list[j] = NULL; + return oid_list; +} + + +/** + * Return OIDS from the security subsystems listed + */ + +_PUBLIC_ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, + const struct gensec_security_ops_wrapper *wops) +{ + int i; + int j = 0; + int k; + const char **oid_list; + if (!wops) { + return NULL; + } + oid_list = talloc_array(mem_ctx, const char *, 1); + if (!oid_list) { + return NULL; + } + + for (i=0; wops[i].op; i++) { + if (!wops[i].op->oid) { + continue; + } + + for (k = 0; wops[i].op->oid[k]; k++) { + oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2); + if (!oid_list) { + return NULL; + } + oid_list[j] = wops[i].op->oid[k]; + j++; + } + } + oid_list[j] = NULL; + return oid_list; +} + + +/** + * Return all the security subsystems currently enabled on a GENSEC context. + * + * This is taken from a list attached to the cli_credentials, and + * skips the OID in 'skip'. (Typically the SPNEGO OID) + * + */ + +_PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const char *skip) +{ + const struct gensec_security_ops **ops; + + ops = gensec_security_mechs(gensec_security, mem_ctx); + + return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip); +} + +static int gensec_security_destructor(struct gensec_security *gctx) +{ + if (gctx->parent_security != NULL) { + if (gctx->parent_security->child_security == gctx) { + gctx->parent_security->child_security = NULL; + } + gctx->parent_security = NULL; + } + + if (gctx->child_security != NULL) { + if (gctx->child_security->parent_security == gctx) { + gctx->child_security->parent_security = NULL; + } + gctx->child_security = NULL; + } + + return 0; +} + +/** + Start the GENSEC system, returning a context pointer. + @param mem_ctx The parent TALLOC memory context. + @param gensec_security Returned GENSEC context pointer. + @note The mem_ctx is only a parent and may be NULL. + @note, the auth context is moved to be a referenced pointer of the + @ gensec_security return +*/ +static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, + struct gensec_settings *settings, + struct auth4_context *auth_context, + struct gensec_security **gensec_security) +{ + (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security); + NT_STATUS_HAVE_NO_MEMORY(*gensec_security); + + (*gensec_security)->max_update_size = 0; + + SMB_ASSERT(settings->lp_ctx != NULL); + (*gensec_security)->settings = talloc_reference(*gensec_security, settings); + + /* We need to reference this, not steal, as the caller may be + * python, which won't like it if we steal it's object away + * from it */ + (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context); + + talloc_set_destructor((*gensec_security), gensec_security_destructor); + return NT_STATUS_OK; +} + +/** + * Start a GENSEC subcontext, with a copy of the properties of the parent + * @param mem_ctx The parent TALLOC memory context. + * @param parent The parent GENSEC context + * @param gensec_security Returned GENSEC context pointer. + * @note Used by SPNEGO in particular, for the actual implementation mechanism + */ + +_PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, + struct gensec_security *parent, + struct gensec_security **gensec_security) +{ + if (parent->child_security != NULL) { + return NT_STATUS_INTERNAL_ERROR; + } + + (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security); + NT_STATUS_HAVE_NO_MEMORY(*gensec_security); + + (**gensec_security) = *parent; + (*gensec_security)->ops = NULL; + (*gensec_security)->private_data = NULL; + (*gensec_security)->update_busy_ptr = NULL; + + (*gensec_security)->subcontext = true; + (*gensec_security)->want_features = parent->want_features; + (*gensec_security)->max_update_size = parent->max_update_size; + (*gensec_security)->dcerpc_auth_level = parent->dcerpc_auth_level; + (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context); + (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings); + (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context); + + talloc_set_destructor((*gensec_security), gensec_security_destructor); + return NT_STATUS_OK; +} + +_PUBLIC_ NTSTATUS gensec_child_ready(struct gensec_security *parent, + struct gensec_security *child) +{ + if (parent->child_security != NULL) { + return NT_STATUS_INTERNAL_ERROR; + } + + if (child->parent_security != NULL) { + return NT_STATUS_INTERNAL_ERROR; + } + + parent->child_security = child; + child->parent_security = parent; + return NT_STATUS_OK; +} + +/** + Start the GENSEC system, in client mode, returning a context pointer. + @param mem_ctx The parent TALLOC memory context. + @param gensec_security Returned GENSEC context pointer. + @note The mem_ctx is only a parent and may be NULL. +*/ +_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, + struct gensec_security **gensec_security, + struct gensec_settings *settings) +{ + NTSTATUS status; + + if (settings == NULL) { + DEBUG(0,("gensec_client_start: no settings given!\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = gensec_start(mem_ctx, settings, NULL, gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + (*gensec_security)->gensec_role = GENSEC_CLIENT; + + return status; +} + + + +/** + Start the GENSEC system, in server mode, returning a context pointer. + @param mem_ctx The parent TALLOC memory context. + @param gensec_security Returned GENSEC context pointer. + @note The mem_ctx is only a parent and may be NULL. +*/ +_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, + struct gensec_settings *settings, + struct auth4_context *auth_context, + struct gensec_security **gensec_security) +{ + NTSTATUS status; + + if (!settings) { + DEBUG(0,("gensec_server_start: no settings given!\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = gensec_start(mem_ctx, settings, auth_context, gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + (*gensec_security)->gensec_role = GENSEC_SERVER; + + return status; +} + +static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) +{ + NTSTATUS status; + + /* + * Callers sometimes just reuse a context, we should + * clear the internal state before starting it again. + */ + talloc_unlink(gensec_security, gensec_security->private_data); + gensec_security->private_data = NULL; + + if (gensec_security->child_security != NULL) { + /* + * The talloc_unlink(.., gensec_security->private_data) + * should have cleared this via + * gensec_security_destructor(). + */ + return NT_STATUS_INTERNAL_ERROR; + } + + if (gensec_security->credentials) { + const char *forced_mech = cli_credentials_get_forced_sasl_mech(gensec_security->credentials); + if (forced_mech && + (gensec_security->ops->sasl_name == NULL || + strcasecmp(forced_mech, gensec_security->ops->sasl_name) != 0)) { + DEBUG(5, ("GENSEC mechanism %s (%s) skipped, as it " + "did not match forced mechanism %s\n", + gensec_security->ops->name, + gensec_security->ops->sasl_name, + forced_mech)); + return NT_STATUS_INVALID_PARAMETER; + } + } + DEBUG(5, ("Starting GENSEC %smechanism %s\n", + gensec_security->subcontext ? "sub" : "", + gensec_security->ops->name)); + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: + if (gensec_security->ops->client_start) { + status = gensec_security->ops->client_start(gensec_security); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n", + gensec_security->ops->name, nt_errstr(status))); + } + return status; + } + break; + case GENSEC_SERVER: + if (gensec_security->ops->server_start) { + status = gensec_security->ops->server_start(gensec_security); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n", + gensec_security->ops->name, nt_errstr(status))); + } + return status; + } + break; + } + return NT_STATUS_INVALID_PARAMETER; +} + +/** + * Start a GENSEC sub-mechanism with a specified mechanism structure, used in SPNEGO + * + */ + +NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, + const struct gensec_security_ops *ops) +{ + gensec_security->ops = ops; + return gensec_start_mech(gensec_security); +} + + +/** + * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number + * @param gensec_security GENSEC context pointer. + * @param auth_type DCERPC auth type + * @param auth_level DCERPC auth level + */ + +_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, + uint8_t auth_type, uint8_t auth_level) +{ + gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type); + if (!gensec_security->ops) { + DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type)); + return NT_STATUS_INVALID_PARAMETER; + } + gensec_security->dcerpc_auth_level = auth_level; + /* + * We need to reset sign/seal in order to reset it. + * We may got some default features inherited by the credentials + */ + gensec_security->want_features &= ~GENSEC_FEATURE_SIGN; + gensec_security->want_features &= ~GENSEC_FEATURE_SEAL; + gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE); + gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES); + if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + if (gensec_security->gensec_role == GENSEC_CLIENT) { + gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); + } + } else if (auth_level == DCERPC_AUTH_LEVEL_PACKET) { + /* + * For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4) + * has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5). + */ + if (gensec_security->gensec_role == GENSEC_CLIENT) { + gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); + } + } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL); + } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) { + /* Default features */ + } else { + DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n", + auth_level)); + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_start_mech(gensec_security); +} + +_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) +{ + const struct gensec_security_ops *ops; + ops = gensec_security_by_auth_type(gensec_security, authtype); + if (ops) { + return ops->name; + } + return NULL; +} + + +_PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, + const char *oid_string) +{ + const struct gensec_security_ops *ops; + ops = gensec_security_by_oid(gensec_security, oid_string); + if (ops) { + return ops->name; + } + return oid_string; +} + +/** + * Start a GENSEC sub-mechanism by OID, used in SPNEGO + * + * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a + * well-known #define to hook it in. + */ + +_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, + const char *mech_oid) +{ + SMB_ASSERT(gensec_security != NULL); + + gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid); + if (!gensec_security->ops) { + DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid)); + return NT_STATUS_INVALID_PARAMETER; + } + return gensec_start_mech(gensec_security); +} + +/** + * Start a GENSEC sub-mechanism by a well known SASL name + * + */ + +_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, + const char *sasl_name) +{ + gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name); + if (!gensec_security->ops) { + DEBUG(3, ("Could not find GENSEC backend for sasl_name=%s\n", sasl_name)); + return NT_STATUS_INVALID_PARAMETER; + } + return gensec_start_mech(gensec_security); +} + +/** + * Start a GENSEC sub-mechanism with the preferred option from a SASL name list + * + */ + +_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, + const char **sasl_names) +{ + NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + const struct gensec_security_ops **ops; + int i; + if (!mem_ctx) { + return NT_STATUS_NO_MEMORY; + } + ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names); + if (!ops || !*ops) { + DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n", + str_list_join(mem_ctx, + sasl_names, ' '))); + talloc_free(mem_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + for (i=0; ops[i]; i++) { + nt_status = gensec_start_mech_by_ops(gensec_security, ops[i]); + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) { + break; + } + } + talloc_free(mem_ctx); + return nt_status; +} + +/** + * Start a GENSEC sub-mechanism by an internal name + * + */ + +_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, + const char *name) +{ + gensec_security->ops = gensec_security_by_name(gensec_security, name); + if (!gensec_security->ops) { + DEBUG(3, ("Could not find GENSEC backend for name=%s\n", name)); + return NT_STATUS_INVALID_PARAMETER; + } + return gensec_start_mech(gensec_security); +} + +/** + * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context + * + */ + +_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials) +{ + gensec_security->credentials = talloc_reference(gensec_security, credentials); + NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials); + gensec_want_feature(gensec_security, cli_credentials_get_gensec_features(gensec_security->credentials)); + return NT_STATUS_OK; +} + +/* + register a GENSEC backend. + + The 'name' can be later used by other backends to find the operations + structure for this backend. +*/ +_PUBLIC_ NTSTATUS gensec_register(TALLOC_CTX *ctx, + const struct gensec_security_ops *ops) +{ + if (gensec_security_by_name(NULL, ops->name) != NULL) { + /* its already registered! */ + DEBUG(0,("GENSEC backend '%s' already registered\n", + ops->name)); + return NT_STATUS_OBJECT_NAME_COLLISION; + } + + generic_security_ops = talloc_realloc(ctx, + generic_security_ops, + const struct gensec_security_ops *, + gensec_num_backends+2); + if (!generic_security_ops) { + return NT_STATUS_NO_MEMORY; + } + + generic_security_ops[gensec_num_backends] = ops; + gensec_num_backends++; + generic_security_ops[gensec_num_backends] = NULL; + + DEBUG(3,("GENSEC backend '%s' registered\n", + ops->name)); + + return NT_STATUS_OK; +} + +/* + return the GENSEC interface version, and the size of some critical types + This can be used by backends to either detect compilation errors, or provide + multiple implementations for different smbd compilation options in one module +*/ +_PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void) +{ + static const struct gensec_critical_sizes critical_sizes = { + GENSEC_INTERFACE_VERSION, + sizeof(struct gensec_security_ops), + sizeof(struct gensec_security), + }; + + return &critical_sizes; +} + +static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) { + return (*gs2)->priority - (*gs1)->priority; +} + +int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value) +{ + return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value); +} + +bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value) +{ + return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value); +} + +/* + initialise the GENSEC subsystem +*/ +_PUBLIC_ NTSTATUS gensec_init(void) +{ + static bool initialized = false; +#define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *); +#ifdef STATIC_gensec_MODULES + STATIC_gensec_MODULES_PROTO; + init_module_fn static_init[] = { STATIC_gensec_MODULES }; +#else + init_module_fn *static_init = NULL; +#endif + init_module_fn *shared_init; + + if (initialized) return NT_STATUS_OK; + initialized = true; + + shared_init = load_samba_modules(NULL, "gensec"); + + run_init_functions(NULL, static_init); + run_init_functions(NULL, shared_init); + + talloc_free(shared_init); + + TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec); + + return NT_STATUS_OK; +} diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c new file mode 100644 index 0000000..b6b4a72 --- /dev/null +++ b/auth/gensec/gensec_util.c @@ -0,0 +1,338 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "auth/common_auth.h" +#include "../lib/util/asn1.h" +#include "param/param.h" +#include "libds/common/roles.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_string, + const struct tsocket_address *remote_address, + struct auth_session_info **session_info) +{ + uint32_t session_info_flags = 0; + struct auth4_context *auth_context = NULL; + NTSTATUS status; + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + + if (!pac_blob) { + enum server_role server_role = + lpcfg_server_role(gensec_security->settings->lp_ctx); + + /* + * For any domain setup (DC or member) we require having + * a PAC, as the service ticket comes from an AD DC, + * which will always provide a PAC, unless + * UF_NO_AUTH_DATA_REQUIRED is configured for our + * account, but that's just an invalid configuration, + * the admin configured for us! + * + * As a legacy case, we still allow kerberos tickets from an MIT + * realm, but only in standalone mode. In that mode we'll only + * ever accept a kerberos authentication with a keytab file + * being explicitly configured via the 'keytab method' option. + */ + if (server_role != ROLE_STANDALONE) { + DBG_WARNING("Unable to find PAC in ticket from %s, " + "failing to allow access\n", + principal_string); + return NT_STATUS_NO_IMPERSONATION_TOKEN; + } + DBG_NOTICE("Unable to find PAC for %s, resorting to local " + "user lookup\n", principal_string); + } + + auth_context = gensec_security->auth_context; + + if ((auth_context == NULL) || + (auth_context->generate_session_info_pac == NULL)) { + DBG_ERR("Cannot generate a session_info without " + "the auth_context\n"); + return NT_STATUS_INTERNAL_ERROR; + } + + status = auth_context->generate_session_info_pac( + auth_context, + mem_ctx, + smb_krb5_context, + pac_blob, + principal_string, + remote_address, + session_info_flags, + session_info); + return status; +} + +/* + magic check a GSS-API wrapper packet for an Kerberos OID +*/ +static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid) +{ + bool ret = false; + struct asn1_data *data = asn1_init(NULL, ASN1_MAX_TREE_DEPTH); + + if (!data) return false; + + if (!asn1_load(data, *blob)) goto err; + if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err; + if (!asn1_check_OID(data, oid)) goto err; + + ret = !asn1_has_error(data); + + err: + + asn1_free(data); + return ret; +} + +/** + * Check if the packet is one for the KRB5 mechanism + * + * NOTE: This is a helper that can be employed by multiple mechanisms, do + * not make assumptions about the private_data + * + * @param gensec_security GENSEC state, unused + * @param in The request, as a DATA_BLOB + * @return Error, INVALID_PARAMETER if it's not a packet for us + * or NT_STATUS_OK if the packet is ok. + */ + +NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused, + const DATA_BLOB *blob) +{ + if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) { + return NT_STATUS_OK; + } else { + return NT_STATUS_INVALID_PARAMETER; + } +} + +void gensec_child_want_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + struct gensec_security *child_security = gensec_security->child_security; + + gensec_security->want_features |= feature; + if (child_security == NULL) { + return; + } + gensec_want_feature(child_security, feature); +} + +bool gensec_child_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + struct gensec_security *child_security = gensec_security->child_security; + + if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) { + /* + * All mechs with sub (child) mechs need to provide DCERPC + * header signing! This is required because the negotiation + * of header signing is done before the authentication + * is completed. + */ + return true; + } + + if (child_security == NULL) { + return false; + } + + return gensec_have_feature(child_security, feature); +} + +NTSTATUS gensec_child_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_unseal_packet(gensec_security->child_security, + data, length, + whole_pdu, pdu_length, + sig); +} + +NTSTATUS gensec_child_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_check_packet(gensec_security->child_security, + data, length, + whole_pdu, pdu_length, + sig); +} + +NTSTATUS gensec_child_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_seal_packet(gensec_security->child_security, + mem_ctx, + data, length, + whole_pdu, pdu_length, + sig); +} + +NTSTATUS gensec_child_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_sign_packet(gensec_security->child_security, + mem_ctx, + data, length, + whole_pdu, pdu_length, + sig); +} + +NTSTATUS gensec_child_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_wrap(gensec_security->child_security, + mem_ctx, in, out); +} + +NTSTATUS gensec_child_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_unwrap(gensec_security->child_security, + mem_ctx, in, out); +} + +size_t gensec_child_sig_size(struct gensec_security *gensec_security, + size_t data_size) +{ + if (gensec_security->child_security == NULL) { + return 0; + } + + return gensec_sig_size(gensec_security->child_security, data_size); +} + +size_t gensec_child_max_input_size(struct gensec_security *gensec_security) +{ + if (gensec_security->child_security == NULL) { + return 0; + } + + return gensec_max_input_size(gensec_security->child_security); +} + +size_t gensec_child_max_wrapped_size(struct gensec_security *gensec_security) +{ + if (gensec_security->child_security == NULL) { + return 0; + } + + return gensec_max_wrapped_size(gensec_security->child_security); +} + +NTSTATUS gensec_child_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_session_key(gensec_security->child_security, + mem_ctx, + session_key); +} + +NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + if (gensec_security->child_security == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_session_info(gensec_security->child_security, + mem_ctx, + session_info); +} + +NTTIME gensec_child_expire_time(struct gensec_security *gensec_security) +{ + if (gensec_security->child_security == NULL) { + return GENSEC_EXPIRE_TIME_INFINITY; + } + + return gensec_expire_time(gensec_security->child_security); +} + +const char *gensec_child_final_auth_type(struct gensec_security *gensec_security) +{ + if (gensec_security->child_security == NULL) { + return "NONE"; + } + + return gensec_final_auth_type(gensec_security->child_security); +} diff --git a/auth/gensec/ncalrpc.c b/auth/gensec/ncalrpc.c new file mode 100644 index 0000000..f845947 --- /dev/null +++ b/auth/gensec/ncalrpc.c @@ -0,0 +1,356 @@ +/* + Unix SMB/CIFS implementation. + + dcerpc ncalrpc as system operations + + Copyright (C) 2014 Andreas Schneider <asn@samba.org> + Copyright (C) 2014 Stefan Metzmacher <metze@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include <tevent.h> +#include "lib/util/tevent_ntstatus.h" +#include "auth/auth.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "librpc/gen_ndr/dcerpc.h" +#include "lib/param/param.h" +#include "tsocket.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +_PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(TALLOC_CTX *ctx); + +struct gensec_ncalrpc_state { + enum { + GENSEC_NCALRPC_START, + GENSEC_NCALRPC_MORE, + GENSEC_NCALRPC_DONE, + GENSEC_NCALRPC_ERROR, + } step; + + struct auth_user_info_dc *user_info_dc; +}; + +static NTSTATUS gensec_ncalrpc_client_start(struct gensec_security *gensec_security) +{ + struct gensec_ncalrpc_state *state; + + state = talloc_zero(gensec_security, + struct gensec_ncalrpc_state); + if (state == NULL) { + return NT_STATUS_NO_MEMORY; + } + gensec_security->private_data = state; + + state->step = GENSEC_NCALRPC_START; + return NT_STATUS_OK; +} + +static NTSTATUS gensec_ncalrpc_server_start(struct gensec_security *gensec_security) +{ + struct gensec_ncalrpc_state *state; + + state = talloc_zero(gensec_security, + struct gensec_ncalrpc_state); + if (state == NULL) { + return NT_STATUS_NO_MEMORY; + } + gensec_security->private_data = state; + + state->step = GENSEC_NCALRPC_START; + return NT_STATUS_OK; +} + +struct gensec_ncalrpc_update_state { + NTSTATUS status; + DATA_BLOB out; +}; + +static NTSTATUS gensec_ncalrpc_update_internal( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB in, + DATA_BLOB *out); + +static struct tevent_req *gensec_ncalrpc_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct tevent_req *req; + struct gensec_ncalrpc_update_state *state = NULL; + NTSTATUS status; + + req = tevent_req_create(mem_ctx, &state, + struct gensec_ncalrpc_update_state); + if (req == NULL) { + return NULL; + } + + status = gensec_ncalrpc_update_internal(gensec_security, + state, in, + &state->out); + state->status = status; + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + status = NT_STATUS_OK; + } + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + tevent_req_done(req); + return tevent_req_post(req, ev); +} + +static NTSTATUS gensec_ncalrpc_update_internal( + struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB in, + DATA_BLOB *out) +{ + struct gensec_ncalrpc_state *state = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ncalrpc_state); + DATA_BLOB magic_req = data_blob_string_const("NCALRPC_AUTH_TOKEN"); + DATA_BLOB magic_ok = data_blob_string_const("NCALRPC_AUTH_OK"); + DATA_BLOB magic_fail = data_blob_string_const("NCALRPC_AUTH_FAIL"); + char *unix_path = NULL; + int cmp; + NTSTATUS status; + + *out = data_blob_null; + + if (state->step >= GENSEC_NCALRPC_DONE) { + return NT_STATUS_INVALID_PARAMETER; + } + + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: + switch (state->step) { + case GENSEC_NCALRPC_START: + *out = data_blob_dup_talloc(mem_ctx, magic_req); + if (out->data == NULL) { + state->step = GENSEC_NCALRPC_ERROR; + return NT_STATUS_NO_MEMORY; + } + + state->step = GENSEC_NCALRPC_MORE; + return NT_STATUS_MORE_PROCESSING_REQUIRED; + + case GENSEC_NCALRPC_MORE: + cmp = data_blob_cmp(&in, &magic_ok); + if (cmp != 0) { + state->step = GENSEC_NCALRPC_ERROR; + return NT_STATUS_LOGON_FAILURE; + } + + state->step = GENSEC_NCALRPC_DONE; + return NT_STATUS_OK; + + case GENSEC_NCALRPC_DONE: + case GENSEC_NCALRPC_ERROR: + break; + } + + state->step = GENSEC_NCALRPC_ERROR; + return NT_STATUS_INTERNAL_ERROR; + + case GENSEC_SERVER: + if (state->step != GENSEC_NCALRPC_START) { + state->step = GENSEC_NCALRPC_ERROR; + return NT_STATUS_INTERNAL_ERROR; + } + + cmp = data_blob_cmp(&in, &magic_req); + if (cmp != 0) { + state->step = GENSEC_NCALRPC_ERROR; + *out = data_blob_dup_talloc(mem_ctx, magic_fail); + if (out->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_LOGON_FAILURE; + } + + if (gensec_security->remote_addr == NULL) { + state->step = GENSEC_NCALRPC_ERROR; + *out = data_blob_dup_talloc(mem_ctx, magic_fail); + if (out->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_LOGON_FAILURE; + } + + unix_path = tsocket_address_unix_path(gensec_security->remote_addr, + state); + if (unix_path == NULL) { + state->step = GENSEC_NCALRPC_ERROR; + *out = data_blob_dup_talloc(mem_ctx, magic_fail); + if (out->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_LOGON_FAILURE; + } + + cmp = strcmp(unix_path, AS_SYSTEM_MAGIC_PATH_TOKEN); + TALLOC_FREE(unix_path); + if (cmp != 0) { + state->step = GENSEC_NCALRPC_ERROR; + *out = data_blob_dup_talloc(mem_ctx, magic_fail); + if (out->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_LOGON_FAILURE; + } + + status = auth_system_user_info_dc(state, + lpcfg_netbios_name(gensec_security->settings->lp_ctx), + &state->user_info_dc); + if (!NT_STATUS_IS_OK(status)) { + state->step = GENSEC_NCALRPC_ERROR; + *out = data_blob_dup_talloc(mem_ctx, magic_fail); + if (out->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + return status; + } + + *out = data_blob_dup_talloc(mem_ctx, magic_ok); + if (out->data == NULL) { + state->step = GENSEC_NCALRPC_ERROR; + return NT_STATUS_NO_MEMORY; + } + + state->step = GENSEC_NCALRPC_DONE; + return NT_STATUS_OK; + } + + state->step = GENSEC_NCALRPC_ERROR; + return NT_STATUS_INTERNAL_ERROR; +} + +static NTSTATUS gensec_ncalrpc_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct gensec_ncalrpc_update_state *state = + tevent_req_data(req, + struct gensec_ncalrpc_update_state); + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + status = state->status; + talloc_steal(out_mem_ctx, state->out.data); + *out = state->out; + tevent_req_received(req); + return status; +} + +static NTSTATUS gensec_ncalrpc_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **psession_info) +{ + struct gensec_ncalrpc_state *state = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ncalrpc_state); + struct auth4_context *auth_ctx = gensec_security->auth_context; + struct auth_session_info *session_info = NULL; + uint32_t session_info_flags = 0; + NTSTATUS status; + + if (gensec_security->gensec_role != GENSEC_SERVER) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (state->step != GENSEC_NCALRPC_DONE) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (auth_ctx == NULL) { + DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + if (auth_ctx->generate_session_info == NULL) { + DEBUG(0, ("Cannot generate a session_info without the generate_session_info hook\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + + status = auth_ctx->generate_session_info( + auth_ctx, + mem_ctx, + state->user_info_dc, + state->user_info_dc->info->account_name, + session_info_flags, + &session_info); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + *psession_info = session_info; + return NT_STATUS_OK; +} + +/* We have no features */ +static bool gensec_ncalrpc_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + if (feature & GENSEC_FEATURE_DCE_STYLE) { + return true; + } + + return false; +} + +static const struct gensec_security_ops gensec_ncalrpc_security_ops = { + .name = "ncalrpc_as_system", + .auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM, + .client_start = gensec_ncalrpc_client_start, + .server_start = gensec_ncalrpc_server_start, + .update_send = gensec_ncalrpc_update_send, + .update_recv = gensec_ncalrpc_update_recv, + .session_info = gensec_ncalrpc_session_info, + .have_feature = gensec_ncalrpc_have_feature, + .enabled = true, + .priority = GENSEC_EXTERNAL, +}; + +_PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(TALLOC_CTX *ctx) +{ + NTSTATUS status; + + status = gensec_register(ctx, &gensec_ncalrpc_security_ops); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to register '%s' gensec backend!\n", + gensec_ncalrpc_security_ops.name)); + return status; + } + + return status; +} diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c new file mode 100644 index 0000000..86527fe --- /dev/null +++ b/auth/gensec/schannel.c @@ -0,0 +1,1181 @@ +/* + Unix SMB/CIFS implementation. + + dcerpc schannel operations + + Copyright (C) Andrew Tridgell 2004 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include <tevent.h> +#include "lib/util/tevent_ntstatus.h" +#include "librpc/gen_ndr/ndr_schannel.h" +#include "auth/auth.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "auth/gensec/gensec_proto.h" +#include "../libcli/auth/schannel.h" +#include "librpc/gen_ndr/dcerpc.h" +#include "param/param.h" +#include "auth/gensec/gensec_toplevel_proto.h" +#include "libds/common/roles.h" + +#include "lib/crypto/gnutls_helpers.h" +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +struct schannel_state { + struct gensec_security *gensec; + uint64_t seq_num; + bool initiator; + struct netlogon_creds_CredentialState *creds; + struct auth_user_info_dc *user_info_dc; +}; + +#define SETUP_SEQNUM(state, buf, initiator) do { \ + uint8_t *_buf = buf; \ + uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \ + uint32_t _seq_num_high = (state)->seq_num >> 32; \ + if (initiator) { \ + _seq_num_high |= 0x80000000; \ + } \ + RSIVAL(_buf, 0, _seq_num_low); \ + RSIVAL(_buf, 4, _seq_num_high); \ +} while(0) + +static struct schannel_state *netsec_create_state( + struct gensec_security *gensec, + struct netlogon_creds_CredentialState *creds, + bool initiator) +{ + struct schannel_state *state; + + state = talloc_zero(gensec, struct schannel_state); + if (state == NULL) { + return NULL; + } + + state->gensec = gensec; + state->initiator = initiator; + state->creds = netlogon_creds_copy(state, creds); + if (state->creds == NULL) { + talloc_free(state); + return NULL; + } + + gensec->private_data = state; + + return state; +} + +static void netsec_offset_and_sizes(struct schannel_state *state, + bool do_seal, + uint32_t *_min_sig_size, + uint32_t *_used_sig_size, + uint32_t *_checksum_length, + uint32_t *_confounder_ofs) +{ + uint32_t min_sig_size; + uint32_t used_sig_size; + uint32_t checksum_length; + uint32_t confounder_ofs; + + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + min_sig_size = 48; + used_sig_size = 56; + /* + * Note: windows has a bug here and uses the old values... + * + * checksum_length = 32; + * confounder_ofs = 48; + */ + checksum_length = 8; + confounder_ofs = 24; + } else { + min_sig_size = 24; + used_sig_size = 32; + checksum_length = 8; + confounder_ofs = 24; + } + + if (do_seal) { + min_sig_size += 8; + } + + if (_min_sig_size) { + *_min_sig_size = min_sig_size; + } + + if (_used_sig_size) { + *_used_sig_size = used_sig_size; + } + + if (_checksum_length) { + *_checksum_length = checksum_length; + } + + if (_confounder_ofs) { + *_confounder_ofs = confounder_ofs; + } +} + +/******************************************************************* + Encode or Decode the sequence number (which is symmetric) + ********************************************************************/ +static NTSTATUS netsec_do_seq_num(struct schannel_state *state, + const uint8_t *checksum, + uint32_t checksum_length, + uint8_t seq_num[8]) +{ + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_datum_t key = { + .data = state->creds->session_key, + .size = sizeof(state->creds->session_key), + }; + uint32_t iv_size = + gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); + uint8_t _iv[iv_size]; + gnutls_datum_t iv = { + .data = _iv, + .size = iv_size, + }; + int rc; + + ZERO_ARRAY(_iv); + + memcpy(iv.data + 0, checksum, 8); + memcpy(iv.data + 8, checksum, 8); + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_AES_128_CFB8, + &key, + &iv); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + + rc = gnutls_cipher_encrypt(cipher_hnd, seq_num, 8); + gnutls_cipher_deinit(cipher_hnd); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + + } else { + static const uint8_t zeros[4]; + uint8_t _sequence_key[16]; + gnutls_cipher_hd_t cipher_hnd; + gnutls_datum_t sequence_key = { + .data = _sequence_key, + .size = sizeof(_sequence_key), + }; + uint8_t digest1[16]; + int rc; + + rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, + state->creds->session_key, + sizeof(state->creds->session_key), + zeros, + sizeof(zeros), + digest1); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + + rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, + digest1, + sizeof(digest1), + checksum, + checksum_length, + _sequence_key); + ZERO_ARRAY(digest1); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &sequence_key, + NULL); + if (rc < 0) { + ZERO_ARRAY(_sequence_key); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + + rc = gnutls_cipher_encrypt(cipher_hnd, + seq_num, + 8); + gnutls_cipher_deinit(cipher_hnd); + ZERO_ARRAY(_sequence_key); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + } + + state->seq_num++; + + return NT_STATUS_OK; +} + +static NTSTATUS netsec_do_seal(struct schannel_state *state, + const uint8_t seq_num[8], + uint8_t confounder[8], + uint8_t *data, uint32_t length, + bool forward) +{ + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + gnutls_cipher_hd_t cipher_hnd = NULL; + uint8_t sess_kf0[16] = {0}; + gnutls_datum_t key = { + .data = sess_kf0, + .size = sizeof(sess_kf0), + }; + uint32_t iv_size = + gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); + uint8_t _iv[iv_size]; + gnutls_datum_t iv = { + .data = _iv, + .size = iv_size, + }; + uint32_t i; + int rc; + + for (i = 0; i < key.size; i++) { + key.data[i] = state->creds->session_key[i] ^ 0xf0; + } + + ZERO_ARRAY(_iv); + + memcpy(iv.data + 0, seq_num, 8); + memcpy(iv.data + 8, seq_num, 8); + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_AES_128_CFB8, + &key, + &iv); + if (rc < 0) { + DBG_ERR("ERROR: gnutls_cipher_init: %s\n", + gnutls_strerror(rc)); + return NT_STATUS_NO_MEMORY; + } + + if (forward) { + rc = gnutls_cipher_encrypt(cipher_hnd, + confounder, + 8); + if (rc < 0) { + gnutls_cipher_deinit(cipher_hnd); + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + + rc = gnutls_cipher_encrypt(cipher_hnd, + data, + length); + if (rc < 0) { + gnutls_cipher_deinit(cipher_hnd); + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + } else { + + /* + * Workaround bug present in gnutls 3.6.8: + * + * gnutls_cipher_decrypt() uses an optimization + * internally that breaks decryption when processing + * buffers with their length not being a multiple + * of the blocksize. + */ + + uint8_t tmp[16] = { 0, }; + uint32_t tmp_dlength = MIN(length, sizeof(tmp) - 8); + + memcpy(tmp, confounder, 8); + memcpy(tmp + 8, data, tmp_dlength); + + rc = gnutls_cipher_decrypt(cipher_hnd, + tmp, + 8 + tmp_dlength); + if (rc < 0) { + ZERO_STRUCT(tmp); + gnutls_cipher_deinit(cipher_hnd); + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + + memcpy(confounder, tmp, 8); + memcpy(data, tmp + 8, tmp_dlength); + ZERO_STRUCT(tmp); + + if (length > tmp_dlength) { + rc = gnutls_cipher_decrypt(cipher_hnd, + data + tmp_dlength, + length - tmp_dlength); + if (rc < 0) { + gnutls_cipher_deinit(cipher_hnd); + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + } + } + gnutls_cipher_deinit(cipher_hnd); + } else { + gnutls_cipher_hd_t cipher_hnd; + uint8_t _sealing_key[16]; + gnutls_datum_t sealing_key = { + .data = _sealing_key, + .size = sizeof(_sealing_key), + }; + static const uint8_t zeros[4]; + uint8_t digest2[16]; + uint8_t sess_kf0[16]; + int rc; + int i; + + for (i = 0; i < 16; i++) { + sess_kf0[i] = state->creds->session_key[i] ^ 0xf0; + } + + rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, + sess_kf0, + sizeof(sess_kf0), + zeros, + 4, + digest2); + if (rc < 0) { + ZERO_ARRAY(digest2); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + + rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, + digest2, + sizeof(digest2), + seq_num, + 8, + _sealing_key); + + ZERO_ARRAY(digest2); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &sealing_key, + NULL); + if (rc < 0) { + ZERO_ARRAY(_sealing_key); + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + rc = gnutls_cipher_encrypt(cipher_hnd, + confounder, + 8); + if (rc < 0) { + ZERO_ARRAY(_sealing_key); + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + gnutls_cipher_deinit(cipher_hnd); + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &sealing_key, + NULL); + if (rc < 0) { + ZERO_ARRAY(_sealing_key); + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + rc = gnutls_cipher_encrypt(cipher_hnd, + data, + length); + gnutls_cipher_deinit(cipher_hnd); + ZERO_ARRAY(_sealing_key); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* + Create a digest over the entire packet (including the data), and + MD5 it with the session key. + ********************************************************************/ +static NTSTATUS netsec_do_sign(struct schannel_state *state, + const uint8_t *confounder, + const uint8_t *data, size_t length, + uint8_t header[8], + uint8_t *checksum) +{ + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + gnutls_hmac_hd_t hmac_hnd = NULL; + int rc; + + rc = gnutls_hmac_init(&hmac_hnd, + GNUTLS_MAC_SHA256, + state->creds->session_key, + sizeof(state->creds->session_key)); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + + if (confounder) { + SSVAL(header, 0, NL_SIGN_HMAC_SHA256); + SSVAL(header, 2, NL_SEAL_AES128); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + rc = gnutls_hmac(hmac_hnd, header, 8); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + rc = gnutls_hmac(hmac_hnd, confounder, 8); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + } else { + SSVAL(header, 0, NL_SIGN_HMAC_SHA256); + SSVAL(header, 2, NL_SEAL_NONE); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + rc = gnutls_hmac(hmac_hnd, header, 8); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + } + + rc = gnutls_hmac(hmac_hnd, data, length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + + gnutls_hmac_deinit(hmac_hnd, checksum); + } else { + uint8_t packet_digest[16]; + static const uint8_t zeros[4]; + gnutls_hash_hd_t hash_hnd = NULL; + int rc; + + rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); + } + + rc = gnutls_hash(hash_hnd, zeros, sizeof(zeros)); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); + } + if (confounder) { + SSVAL(header, 0, NL_SIGN_HMAC_MD5); + SSVAL(header, 2, NL_SEAL_RC4); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + rc = gnutls_hash(hash_hnd, header, 8); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); + } + rc = gnutls_hash(hash_hnd, confounder, 8); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); + } + } else { + SSVAL(header, 0, NL_SIGN_HMAC_MD5); + SSVAL(header, 2, NL_SEAL_NONE); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + rc = gnutls_hash(hash_hnd, header, 8); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); + } + } + rc = gnutls_hash(hash_hnd, data, length); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); + } + gnutls_hash_deinit(hash_hnd, packet_digest); + + rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, + state->creds->session_key, + sizeof(state->creds->session_key), + packet_digest, + sizeof(packet_digest), + checksum); + ZERO_ARRAY(packet_digest); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); + } + } + + return NT_STATUS_OK; +} + +static NTSTATUS netsec_incoming_packet(struct schannel_state *state, + bool do_unseal, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + uint32_t min_sig_size = 0; + uint8_t header[8]; + uint8_t checksum[32]; + uint32_t checksum_length = sizeof(checksum_length); + uint8_t _confounder[8]; + uint8_t *confounder = NULL; + uint32_t confounder_ofs = 0; + uint8_t seq_num[8]; + bool ret; + const uint8_t *sign_data = NULL; + size_t sign_length = 0; + NTSTATUS status; + + netsec_offset_and_sizes(state, + do_unseal, + &min_sig_size, + NULL, + &checksum_length, + &confounder_ofs); + + if (sig->length < min_sig_size) { + return NT_STATUS_ACCESS_DENIED; + } + + if (do_unseal) { + confounder = _confounder; + memcpy(confounder, sig->data+confounder_ofs, 8); + } else { + confounder = NULL; + } + + SETUP_SEQNUM(state, seq_num, !state->initiator); + + if (do_unseal) { + status = netsec_do_seal(state, + seq_num, + confounder, + data, + length, + false); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_seal failed: %s\n", nt_errstr(status)); + return NT_STATUS_ACCESS_DENIED; + } + } + + if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + sign_data = whole_pdu; + sign_length = pdu_length; + } else { + sign_data = data; + sign_length = length; + } + + status = netsec_do_sign(state, + confounder, + sign_data, + sign_length, + header, + checksum); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_sign failed: %s\n", nt_errstr(status)); + return NT_STATUS_ACCESS_DENIED; + } + + ret = mem_equal_const_time(checksum, sig->data+16, checksum_length); + if (!ret) { + dump_data_pw("calc digest:", checksum, checksum_length); + dump_data_pw("wire digest:", sig->data+16, checksum_length); + return NT_STATUS_ACCESS_DENIED; + } + + status = netsec_do_seq_num(state, checksum, checksum_length, seq_num); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_seq_num failed: %s\n", + nt_errstr(status)); + return status; + } + + ZERO_ARRAY(checksum); + + ret = mem_equal_const_time(seq_num, sig->data+8, 8); + if (!ret) { + dump_data_pw("calc seq num:", seq_num, 8); + dump_data_pw("wire seq num:", sig->data+8, 8); + return NT_STATUS_ACCESS_DENIED; + } + + return NT_STATUS_OK; +} + +static uint32_t netsec_outgoing_sig_size(struct schannel_state *state) +{ + uint32_t sig_size = 0; + + netsec_offset_and_sizes(state, + true, + NULL, + &sig_size, + NULL, + NULL); + + return sig_size; +} + +static NTSTATUS netsec_outgoing_packet(struct schannel_state *state, + TALLOC_CTX *mem_ctx, + bool do_seal, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + uint32_t min_sig_size = 0; + uint32_t used_sig_size = 0; + uint8_t header[8]; + uint8_t checksum[32]; + uint32_t checksum_length = sizeof(checksum_length); + uint8_t _confounder[8]; + uint8_t *confounder = NULL; + uint32_t confounder_ofs = 0; + uint8_t seq_num[8]; + const uint8_t *sign_data = NULL; + size_t sign_length = 0; + NTSTATUS status; + + netsec_offset_and_sizes(state, + do_seal, + &min_sig_size, + &used_sig_size, + &checksum_length, + &confounder_ofs); + + SETUP_SEQNUM(state, seq_num, state->initiator); + + if (do_seal) { + confounder = _confounder; + generate_random_buffer(confounder, 8); + } else { + confounder = NULL; + } + + if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + sign_data = whole_pdu; + sign_length = pdu_length; + } else { + sign_data = data; + sign_length = length; + } + + status = netsec_do_sign(state, + confounder, + sign_data, + sign_length, + header, + checksum); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_sign failed: %s\n", nt_errstr(status)); + return NT_STATUS_ACCESS_DENIED; + } + + if (do_seal) { + status = netsec_do_seal(state, + seq_num, + confounder, + data, + length, + true); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_seal failed: %s\n", + nt_errstr(status)); + return status; + } + } + + status = netsec_do_seq_num(state, checksum, checksum_length, seq_num); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_seq_num failed: %s\n", + nt_errstr(status)); + return status; + } + + (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size); + + memcpy(sig->data, header, 8); + memcpy(sig->data+8, seq_num, 8); + memcpy(sig->data+16, checksum, checksum_length); + + if (confounder) { + memcpy(sig->data+confounder_ofs, confounder, 8); + } + + dump_data_pw("signature:", sig->data+ 0, 8); + dump_data_pw("seq_num :", sig->data+ 8, 8); + dump_data_pw("digest :", sig->data+16, checksum_length); + dump_data_pw("confound :", sig->data+confounder_ofs, 8); + + return NT_STATUS_OK; +} + +_PUBLIC_ NTSTATUS gensec_schannel_init(TALLOC_CTX *ctx); + +static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size) +{ + struct schannel_state *state = + talloc_get_type_abort(gensec_security->private_data, + struct schannel_state); + + return netsec_outgoing_sig_size(state); +} + +struct schannel_update_state { + NTSTATUS status; + DATA_BLOB out; +}; + +static NTSTATUS schannel_update_internal(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out); + +static struct tevent_req *schannel_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct tevent_req *req; + struct schannel_update_state *state = NULL; + NTSTATUS status; + + req = tevent_req_create(mem_ctx, &state, + struct schannel_update_state); + if (req == NULL) { + return NULL; + } + + status = schannel_update_internal(gensec_security, + state, in, + &state->out); + state->status = status; + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + status = NT_STATUS_OK; + } + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + tevent_req_done(req); + return tevent_req_post(req, ev); +} + +static NTSTATUS schannel_update_internal(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) +{ + struct schannel_state *state = + talloc_get_type(gensec_security->private_data, + struct schannel_state); + NTSTATUS status; + enum ndr_err_code ndr_err; + struct NL_AUTH_MESSAGE bind_schannel = { + .Flags = 0, + }; + struct NL_AUTH_MESSAGE bind_schannel_ack; + struct netlogon_creds_CredentialState *creds; + const char *workstation; + const char *domain; + + *out = data_blob(NULL, 0); + + if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) { + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: + return NT_STATUS_INVALID_PARAMETER_MIX; + case GENSEC_SERVER: + return NT_STATUS_INVALID_PARAMETER; + } + return NT_STATUS_INTERNAL_ERROR; + } + + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: + if (state != NULL) { + /* we could parse the bind ack, but we don't know what it is yet */ + return NT_STATUS_OK; + } + + creds = cli_credentials_get_netlogon_creds(gensec_security->credentials); + if (creds == NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + state = netsec_create_state(gensec_security, + creds, true /* initiator */); + if (state == NULL) { + return NT_STATUS_NO_MEMORY; + } + + bind_schannel.MessageType = NL_NEGOTIATE_REQUEST; + + bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME | + NL_FLAG_OEM_NETBIOS_COMPUTER_NAME; + bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials); + bind_schannel.oem_netbios_computer.a = creds->computer_name; + + if (creds->secure_channel_type == SEC_CHAN_DNS_DOMAIN) { + bind_schannel.Flags |= NL_FLAG_UTF8_DNS_DOMAIN_NAME; + bind_schannel.utf8_dns_domain.u = cli_credentials_get_realm(gensec_security->credentials); + + bind_schannel.Flags |= NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME; + bind_schannel.utf8_netbios_computer.u = creds->computer_name; + } + + ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel, + (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(3, ("Could not create schannel bind: %s\n", + nt_errstr(status))); + return status; + } + + return NT_STATUS_MORE_PROCESSING_REQUIRED; + case GENSEC_SERVER: + + if (state != NULL) { + /* no third leg on this protocol */ + return NT_STATUS_INVALID_PARAMETER; + } + + /* parse the schannel startup blob */ + ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel, + (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(3, ("Could not parse incoming schannel bind: %s\n", + nt_errstr(status))); + return status; + } + + if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) { + domain = bind_schannel.oem_netbios_domain.a; + if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) { + DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n", + domain, lpcfg_workgroup(gensec_security->settings->lp_ctx))); + return NT_STATUS_LOGON_FAILURE; + } + } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) { + domain = bind_schannel.utf8_dns_domain.u; + if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) { + DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n", + domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx))); + return NT_STATUS_LOGON_FAILURE; + } + } else { + DEBUG(3, ("Request for schannel to without domain\n")); + return NT_STATUS_LOGON_FAILURE; + } + + if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) { + workstation = bind_schannel.oem_netbios_computer.a; + } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) { + workstation = bind_schannel.utf8_netbios_computer.u; + } else { + DEBUG(3, ("Request for schannel to without netbios workstation\n")); + return NT_STATUS_LOGON_FAILURE; + } + + status = schannel_get_creds_state(out_mem_ctx, + gensec_security->settings->lp_ctx, + workstation, &creds); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", + workstation, nt_errstr(status))); + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) { + return NT_STATUS_LOGON_FAILURE; + } + return status; + } + + state = netsec_create_state(gensec_security, + creds, false /* not initiator */); + if (state == NULL) { + return NT_STATUS_NO_MEMORY; + } + + status = auth_anonymous_user_info_dc(state, + lpcfg_netbios_name(gensec_security->settings->lp_ctx), + &state->user_info_dc); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE; + bind_schannel_ack.Flags = 0; + bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think + * this does not have + * any meaning here + * - gd */ + + ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack, + (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n", + workstation, nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; + } + return NT_STATUS_INVALID_PARAMETER; +} + +static NTSTATUS schannel_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct schannel_update_state *state = + tevent_req_data(req, + struct schannel_update_state); + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + status = state->status; + talloc_steal(out_mem_ctx, state->out.data); + *out = state->out; + tevent_req_received(req); + return status; +} + +/** + * Returns anonymous credentials for schannel, matching Win2k3. + * + */ + +static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **_session_info) +{ + struct schannel_state *state = + talloc_get_type(gensec_security->private_data, + struct schannel_state); + struct auth4_context *auth_ctx = gensec_security->auth_context; + struct auth_session_info *session_info = NULL; + uint32_t session_info_flags = 0; + NTSTATUS status; + + if (auth_ctx == NULL) { + DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + if (auth_ctx->generate_session_info == NULL) { + DEBUG(0, ("Cannot generate a session_info without the generate_session_info hook\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + + status = auth_ctx->generate_session_info( + auth_ctx, + mem_ctx, + state->user_info_dc, + state->user_info_dc->info->account_name, + session_info_flags, + &session_info); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + *_session_info = session_info; + return NT_STATUS_OK; +} + +/* + * Reduce the attack surface by ensuring schannel is not available when + * we are not a DC + */ +static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) +{ + enum server_role server_role + = lpcfg_server_role(gensec_security->settings->lp_ctx); + + switch (server_role) { + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: + case ROLE_IPA_DC: + return NT_STATUS_OK; + default: + return NT_STATUS_NOT_IMPLEMENTED; + } +} + +static NTSTATUS schannel_client_start(struct gensec_security *gensec_security) +{ + return NT_STATUS_OK; +} + +static bool schannel_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + if (gensec_security->dcerpc_auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) { + if (feature & GENSEC_FEATURE_SIGN) { + return true; + } + } + if (gensec_security->dcerpc_auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + if (feature & GENSEC_FEATURE_SEAL) { + return true; + } + } + if (feature & GENSEC_FEATURE_DCE_STYLE) { + return true; + } + if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) { + return true; + } + return false; +} + +/* + unseal a packet +*/ +static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + struct schannel_state *state = + talloc_get_type_abort(gensec_security->private_data, + struct schannel_state); + + return netsec_incoming_packet(state, true, + discard_const_p(uint8_t, data), + length, + whole_pdu, pdu_length, + sig); +} + +/* + check the signature on a packet +*/ +static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + struct schannel_state *state = + talloc_get_type_abort(gensec_security->private_data, + struct schannel_state); + + return netsec_incoming_packet(state, false, + discard_const_p(uint8_t, data), + length, + whole_pdu, pdu_length, + sig); +} +/* + seal a packet +*/ +static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + struct schannel_state *state = + talloc_get_type_abort(gensec_security->private_data, + struct schannel_state); + + return netsec_outgoing_packet(state, mem_ctx, true, + data, length, + whole_pdu, pdu_length, + sig); +} + +/* + sign a packet +*/ +static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + struct schannel_state *state = + talloc_get_type_abort(gensec_security->private_data, + struct schannel_state); + + return netsec_outgoing_packet(state, mem_ctx, false, + discard_const_p(uint8_t, data), + length, + whole_pdu, pdu_length, + sig); +} + +static const struct gensec_security_ops gensec_schannel_security_ops = { + .name = "schannel", + .auth_type = DCERPC_AUTH_TYPE_SCHANNEL, + .client_start = schannel_client_start, + .server_start = schannel_server_start, + .update_send = schannel_update_send, + .update_recv = schannel_update_recv, + .seal_packet = schannel_seal_packet, + .sign_packet = schannel_sign_packet, + .check_packet = schannel_check_packet, + .unseal_packet = schannel_unseal_packet, + .session_info = schannel_session_info, + .sig_size = schannel_sig_size, + .have_feature = schannel_have_feature, + .enabled = true, + .priority = GENSEC_SCHANNEL +}; + +_PUBLIC_ NTSTATUS gensec_schannel_init(TALLOC_CTX *ctx) +{ + NTSTATUS ret; + ret = gensec_register(ctx, &gensec_schannel_security_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_schannel_security_ops.name)); + return ret; + } + + return ret; +} diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c new file mode 100644 index 0000000..fcb5a06 --- /dev/null +++ b/auth/gensec/spnego.c @@ -0,0 +1,2249 @@ +/* + Unix SMB/CIFS implementation. + + RFC2478 Compliant SPNEGO implementation + + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include <tevent.h> +#include "lib/util/tevent_ntstatus.h" +#include "../libcli/auth/spnego.h" +#include "librpc/gen_ndr/ndr_dcerpc.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "param/param.h" +#include "lib/util/asn1.h" +#include "lib/util/base64.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +#undef strcasecmp + +_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx); + +enum spnego_state_position { + SPNEGO_SERVER_START, + SPNEGO_CLIENT_START, + SPNEGO_SERVER_TARG, + SPNEGO_CLIENT_TARG, + SPNEGO_FALLBACK, + SPNEGO_DONE +}; + +struct spnego_state; +struct spnego_neg_ops; +struct spnego_neg_state; + +struct spnego_neg_state { + const struct spnego_neg_ops *ops; + const struct gensec_security_ops_wrapper *all_sec; + size_t all_idx; + const char * const *mech_types; + size_t mech_idx; +}; + +struct spnego_neg_ops { + const char *name; + /* + * The start hook does the initial processing on the incoming packet and + * may starts the first possible subcontext. It indicates that + * gensec_update() is required on the subcontext by returning + * NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in + * 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the + * caller should treat 'in_next' as const and don't attempt to free the + * content. NT_STATUS_OK indicates the finish hook should be invoked + * directly within the need of gensec_update() on the subcontext. + * Every other error indicates an error that's returned to the caller. + */ + NTSTATUS (*start_fn)(struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next); + /* + * The step hook processes the result of a failed gensec_update() and + * can decide to ignore a failure and continue the negotiation by + * setting up the next possible subcontext. It indicates that + * gensec_update() is required on the subcontext by returning + * NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in + * 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the + * caller should treat 'in_next' as const and don't attempt to free the + * content. NT_STATUS_OK indicates the finish hook should be invoked + * directly within the need of gensec_update() on the subcontext. + * Every other error indicates an error that's returned to the caller. + */ + NTSTATUS (*step_fn)(struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS last_status, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next); + /* + * The finish hook processes the result of a successful gensec_update() + * (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the + * response pdu that will be returned from the toplevel gensec_update() + * together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It + * may also alter the state machine to prepare receiving the next pdu + * from the peer. + */ + NTSTATUS (*finish_fn)(struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS sub_status, + const DATA_BLOB sub_out, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out); +}; + +struct spnego_state { + enum spnego_message_type expected_packet; + enum spnego_state_position state_position; + struct gensec_security *sub_sec_security; + bool sub_sec_ready; + + const char *neg_oid; + + DATA_BLOB mech_types; + size_t num_targs; + bool downgraded; + bool mic_requested; + bool needs_mic_sign; + bool needs_mic_check; + bool may_skip_mic_check; + bool done_mic_check; + + bool simulate_w2k; + bool no_optimistic; + + /* + * The following is used to implement + * the update token fragmentation + */ + size_t in_needed; + DATA_BLOB in_frag; + size_t out_max_length; + DATA_BLOB out_frag; + NTSTATUS out_status; +}; + +static struct spnego_neg_state *gensec_spnego_neg_state(TALLOC_CTX *mem_ctx, + const struct spnego_neg_ops *ops) +{ + struct spnego_neg_state *n = NULL; + + n = talloc_zero(mem_ctx, struct spnego_neg_state); + if (n == NULL) { + return NULL; + } + n->ops = ops; + + return n; +} + +static void gensec_spnego_reset_sub_sec(struct spnego_state *spnego_state) +{ + spnego_state->sub_sec_ready = false; + TALLOC_FREE(spnego_state->sub_sec_security); +} + +static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security) +{ + struct spnego_state *spnego_state; + + spnego_state = talloc_zero(gensec_security, struct spnego_state); + if (!spnego_state) { + return NT_STATUS_NO_MEMORY; + } + + spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT; + spnego_state->state_position = SPNEGO_CLIENT_START; + spnego_state->sub_sec_security = NULL; + spnego_state->sub_sec_ready = false; + spnego_state->mech_types = data_blob_null; + spnego_state->out_max_length = gensec_max_update_size(gensec_security); + spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings, + "spnego", + "client_no_optimistic", + false); + + gensec_security->private_data = spnego_state; + return NT_STATUS_OK; +} + +static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security) +{ + struct spnego_state *spnego_state; + + spnego_state = talloc_zero(gensec_security, struct spnego_state); + if (!spnego_state) { + return NT_STATUS_NO_MEMORY; + } + + spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT; + spnego_state->state_position = SPNEGO_SERVER_START; + spnego_state->sub_sec_security = NULL; + spnego_state->sub_sec_ready = false; + spnego_state->mech_types = data_blob_null; + spnego_state->out_max_length = gensec_max_update_size(gensec_security); + spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + + gensec_security->private_data = spnego_state; + return NT_STATUS_OK; +} + +/** Fallback to another GENSEC mechanism, based on magic strings + * + * This is the 'fallback' case, where we don't get SPNEGO, and have to + * try all the other options (and hope they all have a magic string + * they check) +*/ + +static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + TALLOC_CTX *mem_ctx, + const DATA_BLOB in) +{ + int i,j; + const struct gensec_security_ops **all_ops; + + all_ops = gensec_security_mechs(gensec_security, mem_ctx); + + for (i=0; all_ops && all_ops[i]; i++) { + bool is_spnego; + NTSTATUS nt_status; + + if (gensec_security != NULL && + !gensec_security_ops_enabled(all_ops[i], gensec_security)) + { + continue; + } + + if (!all_ops[i]->oid) { + continue; + } + + is_spnego = false; + for (j=0; all_ops[i]->oid[j]; j++) { + if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) { + is_spnego = true; + } + } + if (is_spnego) { + continue; + } + + if (!all_ops[i]->magic) { + continue; + } + + nt_status = all_ops[i]->magic(gensec_security, &in); + if (!NT_STATUS_IS_OK(nt_status)) { + continue; + } + + spnego_state->state_position = SPNEGO_FALLBACK; + + nt_status = gensec_subcontext_start(spnego_state, + gensec_security, + &spnego_state->sub_sec_security); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + /* select the sub context */ + nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security, + all_ops[i]); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + return NT_STATUS_OK; + } + DEBUG(1, ("Failed to parse SPNEGO request\n")); + return NT_STATUS_INVALID_PARAMETER; +} + +static NTSTATUS gensec_spnego_create_negTokenInit_start( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + n->mech_idx = 0; + n->mech_types = gensec_security_oids(gensec_security, n, + GENSEC_OID_SPNEGO); + if (n->mech_types == NULL) { + DBG_WARNING("gensec_security_oids() failed\n"); + return NT_STATUS_NO_MEMORY; + } + + n->all_idx = 0; + n->all_sec = gensec_security_by_oid_list(gensec_security, + n, n->mech_types, + GENSEC_OID_SPNEGO); + if (n->all_sec == NULL) { + DBG_WARNING("gensec_security_by_oid_list() failed\n"); + return NT_STATUS_NO_MEMORY; + } + + return n->ops->step_fn(gensec_security, spnego_state, n, + spnego_in, NT_STATUS_OK, in_mem_ctx, in_next); +} + +static NTSTATUS gensec_spnego_create_negTokenInit_step( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS last_status, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + if (!NT_STATUS_IS_OK(last_status)) { + const struct gensec_security_ops_wrapper *cur_sec = + &n->all_sec[n->all_idx]; + const struct gensec_security_ops_wrapper *next_sec = NULL; + const char *next = NULL; + const char *principal = NULL; + int dbg_level = DBGLVL_WARNING; + NTSTATUS status = last_status; + + if (cur_sec[1].op != NULL) { + next_sec = &cur_sec[1]; + } + + if (next_sec != NULL) { + next = next_sec->op->name; + dbg_level = DBGLVL_NOTICE; + } + + if (gensec_security->target.principal != NULL) { + principal = gensec_security->target.principal; + } else if (gensec_security->target.service != NULL && + gensec_security->target.hostname != NULL) + { + principal = talloc_asprintf(spnego_state->sub_sec_security, + "%s/%s", + gensec_security->target.service, + gensec_security->target.hostname); + } else { + principal = gensec_security->target.hostname; + } + + DBG_PREFIX(dbg_level, ( + "%s: creating NEG_TOKEN_INIT for %s failed " + "(next[%s]): %s\n", cur_sec->op->name, + principal, next, nt_errstr(status))); + + if (next == NULL) { + /* + * A hard error without a possible fallback. + */ + return status; + } + + /* + * Pretend we never started it + */ + gensec_spnego_reset_sub_sec(spnego_state); + + /* + * And try the next one... + */ + n->all_idx += 1; + } + + for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) { + const struct gensec_security_ops_wrapper *cur_sec = + &n->all_sec[n->all_idx]; + NTSTATUS status; + + status = gensec_subcontext_start(spnego_state, + gensec_security, + &spnego_state->sub_sec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* select the sub context */ + status = gensec_start_mech_by_ops(spnego_state->sub_sec_security, + cur_sec->op); + if (!NT_STATUS_IS_OK(status)) { + gensec_spnego_reset_sub_sec(spnego_state); + continue; + } + + /* In the client, try and produce the first (optimistic) packet */ + if (spnego_state->state_position == SPNEGO_CLIENT_START) { + *in_next = data_blob_null; + return NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + *in_next = data_blob_null; + return NT_STATUS_OK; + } + + DBG_WARNING("Failed to setup SPNEGO negTokenInit request\n"); + return NT_STATUS_INVALID_PARAMETER; +} + +static NTSTATUS gensec_spnego_create_negTokenInit_finish( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS sub_status, + const DATA_BLOB sub_out, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + const struct gensec_security_ops_wrapper *cur_sec = + &n->all_sec[n->all_idx]; + struct spnego_data spnego_out; + bool ok; + + spnego_out.type = SPNEGO_NEG_TOKEN_INIT; + + n->mech_types = gensec_security_oids_from_ops_wrapped(n, cur_sec); + if (n->mech_types == NULL) { + DBG_WARNING("gensec_security_oids_from_ops_wrapped() failed\n"); + return NT_STATUS_NO_MEMORY; + } + + ok = spnego_write_mech_types(spnego_state, + n->mech_types, + &spnego_state->mech_types); + if (!ok) { + DBG_ERR("Failed to write mechTypes\n"); + return NT_STATUS_NO_MEMORY; + } + + /* List the remaining mechs as options */ + spnego_out.negTokenInit.mechTypes = n->mech_types; + spnego_out.negTokenInit.reqFlags = data_blob_null; + spnego_out.negTokenInit.reqFlagsPadding = 0; + + if (spnego_state->state_position == SPNEGO_SERVER_START) { + spnego_out.negTokenInit.mechListMIC + = data_blob_string_const(ADS_IGNORE_PRINCIPAL); + } else { + spnego_out.negTokenInit.mechListMIC = data_blob_null; + } + + spnego_out.negTokenInit.mechToken = sub_out; + + if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { + DBG_ERR("Failed to write NEG_TOKEN_INIT\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + /* + * Note that 'cur_sec' is temporary memory, but + * cur_sec->oid points to a const string in the + * backends gensec_security_ops structure. + */ + spnego_state->neg_oid = cur_sec->oid; + + /* set next state */ + if (spnego_state->state_position == SPNEGO_SERVER_START) { + spnego_state->state_position = SPNEGO_SERVER_START; + spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT; + } else { + spnego_state->state_position = SPNEGO_CLIENT_TARG; + spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; + } + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +static const struct spnego_neg_ops gensec_spnego_create_negTokenInit_ops = { + .name = "create_negTokenInit", + .start_fn = gensec_spnego_create_negTokenInit_start, + .step_fn = gensec_spnego_create_negTokenInit_step, + .finish_fn = gensec_spnego_create_negTokenInit_finish, +}; + +static NTSTATUS gensec_spnego_client_negTokenInit_start( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + const char *tp = NULL; + + /* The server offers a list of mechanisms */ + + tp = spnego_in->negTokenInit.targetPrincipal; + if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) { + DBG_INFO("Server claims it's principal name is %s\n", tp); + if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) { + gensec_set_target_principal(gensec_security, tp); + } + } + + n->mech_idx = 0; + + /* Do not use server mech list as it isn't protected. Instead, get all + * supported mechs (excluding SPNEGO). */ + n->mech_types = gensec_security_oids(gensec_security, n, + GENSEC_OID_SPNEGO); + if (n->mech_types == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + n->all_idx = 0; + n->all_sec = gensec_security_by_oid_list(gensec_security, + n, n->mech_types, + GENSEC_OID_SPNEGO); + if (n->all_sec == NULL) { + DBG_WARNING("gensec_security_by_oid_list() failed\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + return n->ops->step_fn(gensec_security, spnego_state, n, + spnego_in, NT_STATUS_OK, in_mem_ctx, in_next); +} + +static NTSTATUS gensec_spnego_client_negTokenInit_step( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS last_status, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + if (!NT_STATUS_IS_OK(last_status)) { + const struct gensec_security_ops_wrapper *cur_sec = + &n->all_sec[n->all_idx]; + const struct gensec_security_ops_wrapper *next_sec = NULL; + const char *next = NULL; + const char *principal = NULL; + int dbg_level = DBGLVL_WARNING; + bool allow_fallback = false; + NTSTATUS status = last_status; + + if (cur_sec[1].op != NULL) { + next_sec = &cur_sec[1]; + } + + /* + * it is likely that a NULL input token will + * not be liked by most server mechs, but if + * we are in the client, we want the first + * update packet to be able to abort the use + * of this mech + */ + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) || + NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME) || + NT_STATUS_EQUAL(status, NT_STATUS_INVALID_COMPUTER_NAME) || + NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN) || + NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) || + NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) || + NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) + { + allow_fallback = true; + } + + if (allow_fallback && next_sec != NULL) { + next = next_sec->op->name; + dbg_level = DBGLVL_NOTICE; + } + + if (gensec_security->target.principal != NULL) { + principal = gensec_security->target.principal; + } else if (gensec_security->target.service != NULL && + gensec_security->target.hostname != NULL) + { + principal = talloc_asprintf(spnego_state->sub_sec_security, + "%s/%s", + gensec_security->target.service, + gensec_security->target.hostname); + } else { + principal = gensec_security->target.hostname; + } + + DBG_PREFIX(dbg_level, ( + "%s: creating NEG_TOKEN_INIT for %s failed " + "(next[%s]): %s\n", cur_sec->op->name, + principal, next, nt_errstr(status))); + + if (next == NULL) { + /* + * A hard error without a possible fallback. + */ + return status; + } + + /* + * Pretend we never started it. + */ + gensec_spnego_reset_sub_sec(spnego_state); + + /* + * And try the next one... + */ + n->all_idx += 1; + } + + for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) { + const struct gensec_security_ops_wrapper *cur_sec = + &n->all_sec[n->all_idx]; + NTSTATUS status; + + status = gensec_subcontext_start(spnego_state, + gensec_security, + &spnego_state->sub_sec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* select the sub context */ + status = gensec_start_mech_by_ops(spnego_state->sub_sec_security, + cur_sec->op); + if (!NT_STATUS_IS_OK(status)) { + gensec_spnego_reset_sub_sec(spnego_state); + continue; + } + + /* + * Note that 'cur_sec' is temporary memory, but + * cur_sec->oid points to a const string in the + * backends gensec_security_ops structure. + */ + spnego_state->neg_oid = cur_sec->oid; + + /* + * As client we don't use an optimistic token from the server. + * But try to produce one for the server. + */ + *in_next = data_blob_null; + return NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n"); + return NT_STATUS_INVALID_PARAMETER; +} + +static NTSTATUS gensec_spnego_client_negTokenInit_finish( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS sub_status, + const DATA_BLOB sub_out, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct spnego_data spnego_out; + const char * const *mech_types = NULL; + bool ok; + + if (n->mech_types == NULL) { + DBG_WARNING("No mech_types list\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) { + int cmp = strcmp(*mech_types, spnego_state->neg_oid); + + if (cmp == 0) { + break; + } + } + + if (*mech_types == NULL) { + DBG_ERR("Can't find selected sub mechanism in mech_types\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + /* compose reply */ + spnego_out.type = SPNEGO_NEG_TOKEN_INIT; + spnego_out.negTokenInit.mechTypes = mech_types; + spnego_out.negTokenInit.reqFlags = data_blob_null; + spnego_out.negTokenInit.reqFlagsPadding = 0; + spnego_out.negTokenInit.mechListMIC = data_blob_null; + spnego_out.negTokenInit.mechToken = sub_out; + + if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { + DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + ok = spnego_write_mech_types(spnego_state, + mech_types, + &spnego_state->mech_types); + if (!ok) { + DBG_ERR("failed to write mechTypes\n"); + return NT_STATUS_NO_MEMORY; + } + + /* set next state */ + spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; + spnego_state->state_position = SPNEGO_CLIENT_TARG; + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +static const struct spnego_neg_ops gensec_spnego_client_negTokenInit_ops = { + .name = "client_negTokenInit", + .start_fn = gensec_spnego_client_negTokenInit_start, + .step_fn = gensec_spnego_client_negTokenInit_step, + .finish_fn = gensec_spnego_client_negTokenInit_finish, +}; + +static NTSTATUS gensec_spnego_client_negTokenTarg_start( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg; + NTSTATUS status; + + spnego_state->num_targs++; + + if (ta->negResult == SPNEGO_REJECT) { + return NT_STATUS_LOGON_FAILURE; + } + + if (ta->negResult == SPNEGO_REQUEST_MIC) { + spnego_state->mic_requested = true; + } + + if (ta->mechListMIC.length > 0) { + DATA_BLOB *m = &ta->mechListMIC; + const DATA_BLOB *r = &ta->responseToken; + + /* + * Windows 2000 has a bug, it repeats the + * responseToken in the mechListMIC field. + */ + if (m->length == r->length) { + int cmp; + + cmp = memcmp(m->data, r->data, m->length); + if (cmp == 0) { + data_blob_free(m); + } + } + } + + /* Server didn't like our choice of mech, and chose something else */ + if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) || + (ta->negResult == SPNEGO_REQUEST_MIC)) && + ta->supportedMech != NULL && + strcmp(ta->supportedMech, spnego_state->neg_oid) != 0) + { + const char *client_mech = NULL; + const char *client_oid = NULL; + const char *server_mech = NULL; + const char *server_oid = NULL; + + client_mech = gensec_get_name_by_oid(gensec_security, + spnego_state->neg_oid); + client_oid = spnego_state->neg_oid; + server_mech = gensec_get_name_by_oid(gensec_security, + ta->supportedMech); + server_oid = ta->supportedMech; + + DBG_NOTICE("client preferred mech (%s[%s]) not accepted, " + "server wants: %s[%s]\n", + client_mech, client_oid, server_mech, server_oid); + + spnego_state->downgraded = true; + gensec_spnego_reset_sub_sec(spnego_state); + + status = gensec_subcontext_start(spnego_state, + gensec_security, + &spnego_state->sub_sec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* select the sub context */ + status = gensec_start_mech_by_oid(spnego_state->sub_sec_security, + ta->supportedMech); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + spnego_state->neg_oid = talloc_strdup(spnego_state, + ta->supportedMech); + if (spnego_state->neg_oid == NULL) { + return NT_STATUS_NO_MEMORY; + } + } + + if (ta->mechListMIC.length > 0) { + if (spnego_state->sub_sec_ready) { + spnego_state->needs_mic_check = true; + } + } + + if (spnego_state->needs_mic_check) { + if (ta->responseToken.length != 0) { + DBG_WARNING("non empty response token not expected\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + if (ta->mechListMIC.length == 0 + && spnego_state->may_skip_mic_check) { + /* + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->needs_mic_check = false; + return NT_STATUS_OK; + } + + status = gensec_check_packet(spnego_state->sub_sec_security, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + &ta->mechListMIC); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to verify mechListMIC: %s\n", + nt_errstr(status)); + return status; + } + spnego_state->needs_mic_check = false; + spnego_state->done_mic_check = true; + return NT_STATUS_OK; + } + + if (!spnego_state->sub_sec_ready) { + *in_next = ta->responseToken; + return NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + return NT_STATUS_OK; +} + +static NTSTATUS gensec_spnego_client_negTokenTarg_step( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS last_status, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + if (GENSEC_UPDATE_IS_NTERROR(last_status)) { + DBG_WARNING("SPNEGO(%s) login failed: %s\n", + spnego_state->sub_sec_security->ops->name, + nt_errstr(last_status)); + return last_status; + } + + /* + * This should never be reached! + * The step function is only called on errors! + */ + smb_panic(__location__); + return NT_STATUS_INTERNAL_ERROR; +} + +static NTSTATUS gensec_spnego_client_negTokenTarg_finish( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS sub_status, + const DATA_BLOB sub_out, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + const struct spnego_negTokenTarg *ta = + &spnego_in->negTokenTarg; + DATA_BLOB mech_list_mic = data_blob_null; + NTSTATUS status; + struct spnego_data spnego_out; + + if (!spnego_state->sub_sec_ready) { + /* + * We're not yet ready to deal with signatures. + */ + goto client_response; + } + + if (spnego_state->done_mic_check) { + /* + * We already checked the mic, + * either the in last round here + * in gensec_spnego_client_negTokenTarg_finish() + * or during this round in + * gensec_spnego_client_negTokenTarg_start(). + * + * Both cases we're sure we don't have to + * call gensec_sign_packet(). + */ + goto client_response; + } + + if (spnego_state->may_skip_mic_check) { + /* + * This can only be set during + * the last round here in + * gensec_spnego_client_negTokenTarg_finish() + * below. And during this round + * we already passed the checks in + * gensec_spnego_client_negTokenTarg_start(). + * + * So we need to skip to deal with + * any signatures now. + */ + goto client_response; + } + + if (!spnego_state->done_mic_check) { + bool have_sign = true; + bool new_spnego = false; + + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } + new_spnego = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_NEW_SPNEGO); + + switch (ta->negResult) { + case SPNEGO_ACCEPT_COMPLETED: + case SPNEGO_NONE_RESULT: + if (spnego_state->num_targs == 1) { + /* + * the first exchange doesn't require + * verification + */ + new_spnego = false; + } + + break; + + case SPNEGO_ACCEPT_INCOMPLETE: + if (ta->mechListMIC.length > 0) { + new_spnego = true; + break; + } + + if (spnego_state->downgraded) { + /* + * A downgrade should be protected if + * supported + */ + break; + } + + /* + * The caller may just asked for + * GENSEC_FEATURE_SESSION_KEY, this + * is only reflected in the want_features. + * + * As it will imply + * gensec_have_features(GENSEC_FEATURE_SIGN) + * to return true. + */ + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + break; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + break; + } + /* + * Here we're sure our preferred mech was + * selected by the server and our caller doesn't + * need GENSEC_FEATURE_SIGN nor + * GENSEC_FEATURE_SEAL support. + * + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->may_skip_mic_check = true; + break; + + case SPNEGO_REQUEST_MIC: + if (ta->mechListMIC.length > 0) { + new_spnego = true; + } + break; + default: + break; + } + + if (spnego_state->mic_requested) { + if (have_sign) { + new_spnego = true; + } + } + + if (have_sign && new_spnego) { + spnego_state->needs_mic_check = true; + spnego_state->needs_mic_sign = true; + } + } + + if (ta->mechListMIC.length > 0) { + status = gensec_check_packet(spnego_state->sub_sec_security, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + &ta->mechListMIC); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to verify mechListMIC: %s\n", + nt_errstr(status)); + return status; + } + spnego_state->needs_mic_check = false; + spnego_state->done_mic_check = true; + } + + if (spnego_state->needs_mic_sign) { + status = gensec_sign_packet(spnego_state->sub_sec_security, + n, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + &mech_list_mic); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to sign mechListMIC: %s\n", + nt_errstr(status)); + return status; + } + spnego_state->needs_mic_sign = false; + } + + client_response: + if (sub_out.length == 0 && mech_list_mic.length == 0) { + *out = data_blob_null; + + if (!spnego_state->sub_sec_ready) { + /* somethings wrong here... */ + DBG_ERR("gensec_update not ready without output\n"); + return NT_STATUS_INTERNAL_ERROR; + } + + if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) { + /* unless of course it did not accept */ + DBG_WARNING("gensec_update ok but not accepted\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!spnego_state->needs_mic_check) { + spnego_state->state_position = SPNEGO_DONE; + return NT_STATUS_OK; + } + } + + /* compose reply */ + spnego_out.type = SPNEGO_NEG_TOKEN_TARG; + spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; + spnego_out.negTokenTarg.supportedMech = NULL; + spnego_out.negTokenTarg.responseToken = sub_out; + spnego_out.negTokenTarg.mechListMIC = mech_list_mic; + + if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { + DBG_WARNING("Failed to write NEG_TOKEN_TARG\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + spnego_state->num_targs++; + + /* set next state */ + spnego_state->state_position = SPNEGO_CLIENT_TARG; + spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +static const struct spnego_neg_ops gensec_spnego_client_negTokenTarg_ops = { + .name = "client_negTokenTarg", + .start_fn = gensec_spnego_client_negTokenTarg_start, + .step_fn = gensec_spnego_client_negTokenTarg_step, + .finish_fn = gensec_spnego_client_negTokenTarg_finish, +}; + +/** create a server negTokenTarg + * + * This is the case, where the client is the first one who sends data +*/ + +static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state, + TALLOC_CTX *out_mem_ctx, + NTSTATUS nt_status, + const DATA_BLOB unwrapped_out, + DATA_BLOB mech_list_mic, + DATA_BLOB *out) +{ + struct spnego_data spnego_out; + + /* compose reply */ + spnego_out.type = SPNEGO_NEG_TOKEN_TARG; + spnego_out.negTokenTarg.responseToken = unwrapped_out; + spnego_out.negTokenTarg.mechListMIC = mech_list_mic; + spnego_out.negTokenTarg.supportedMech = NULL; + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid; + if (spnego_state->mic_requested) { + spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC; + spnego_state->mic_requested = false; + } else { + spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; + } + spnego_state->state_position = SPNEGO_SERVER_TARG; + } else if (NT_STATUS_IS_OK(nt_status)) { + if (unwrapped_out.data) { + spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid; + } + spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; + spnego_state->state_position = SPNEGO_DONE; + } + + if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { + DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; + spnego_state->num_targs++; + + return nt_status; +} + +static NTSTATUS gensec_spnego_server_negTokenInit_start( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + bool ok; + + n->mech_idx = 0; + n->mech_types = spnego_in->negTokenInit.mechTypes; + if (n->mech_types == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + n->all_idx = 0; + n->all_sec = gensec_security_by_oid_list(gensec_security, + n, n->mech_types, + GENSEC_OID_SPNEGO); + if (n->all_sec == NULL) { + DBG_WARNING("gensec_security_by_oid_list() failed\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + ok = spnego_write_mech_types(spnego_state, + n->mech_types, + &spnego_state->mech_types); + if (!ok) { + DBG_ERR("Failed to write mechTypes\n"); + return NT_STATUS_NO_MEMORY; + } + + return n->ops->step_fn(gensec_security, spnego_state, n, + spnego_in, NT_STATUS_OK, in_mem_ctx, in_next); +} + +static NTSTATUS gensec_spnego_server_negTokenInit_step( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS last_status, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + if (!NT_STATUS_IS_OK(last_status)) { + const struct gensec_security_ops_wrapper *cur_sec = + &n->all_sec[n->all_idx]; + const char *next_mech = n->mech_types[n->mech_idx+1]; + const struct gensec_security_ops_wrapper *next_sec = NULL; + const char *next = NULL; + int dbg_level = DBGLVL_WARNING; + bool allow_fallback = false; + NTSTATUS status = last_status; + size_t i; + + for (i = 0; next_mech != NULL && n->all_sec[i].op != NULL; i++) { + if (strcmp(next_mech, n->all_sec[i].oid) != 0) { + continue; + } + + next_sec = &n->all_sec[i]; + break; + } + + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) || + NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) + { + allow_fallback = true; + } + + if (allow_fallback && next_sec != NULL) { + next = next_sec->op->name; + dbg_level = DBGLVL_NOTICE; + } + + DBG_PREFIX(dbg_level, ( + "%s: parsing NEG_TOKEN_INIT content failed " + "(next[%s]): %s\n", cur_sec->op->name, + next, nt_errstr(status))); + + if (next == NULL) { + /* + * A hard error without a possible fallback. + */ + return status; + } + + /* + * Pretend we never started it + */ + gensec_spnego_reset_sub_sec(spnego_state); + + /* + * And try the next one, based on the clients + * mech type list... + */ + n->mech_idx += 1; + } + + /* + * we always reset all_idx here, as the negotiation is + * done via mech_idx! + */ + n->all_idx = 0; + + for (; n->mech_types[n->mech_idx] != NULL; n->mech_idx++) { + const char *cur_mech = n->mech_types[n->mech_idx]; + const struct gensec_security_ops_wrapper *cur_sec = NULL; + NTSTATUS status; + DATA_BLOB sub_in = data_blob_null; + size_t i; + + for (i = 0; n->all_sec[i].op != NULL; i++) { + if (strcmp(cur_mech, n->all_sec[i].oid) != 0) { + continue; + } + + cur_sec = &n->all_sec[i]; + n->all_idx = i; + break; + } + + if (cur_sec == NULL) { + continue; + } + + status = gensec_subcontext_start(spnego_state, + gensec_security, + &spnego_state->sub_sec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* select the sub context */ + status = gensec_start_mech_by_ops(spnego_state->sub_sec_security, + cur_sec->op); + if (!NT_STATUS_IS_OK(status)) { + /* + * Pretend we never started it + */ + gensec_spnego_reset_sub_sec(spnego_state); + continue; + } + + if (n->mech_idx == 0) { + /* + * We can use the optimistic token. + */ + sub_in = spnego_in->negTokenInit.mechToken; + } else { + /* + * Indicate the downgrade and request a + * mic. + */ + spnego_state->downgraded = true; + spnego_state->mic_requested = true; + } + + if (sub_in.length == 0) { + spnego_state->no_optimistic = true; + } + + /* + * Note that 'cur_sec' is temporary memory, but + * cur_sec->oid points to a const string in the + * backends gensec_security_ops structure. + */ + spnego_state->neg_oid = cur_sec->oid; + + /* we need some content from the mech */ + *in_next = sub_in; + return NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n"); + return NT_STATUS_INVALID_PARAMETER; +} + +static NTSTATUS gensec_spnego_server_negTokenInit_finish( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS sub_status, + const DATA_BLOB sub_out, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + DATA_BLOB mech_list_mic = data_blob_null; + + if (spnego_state->simulate_w2k) { + /* + * Windows 2000 returns the unwrapped token + * also in the mech_list_mic field. + * + * In order to verify our client code, + * we need a way to have a server with this + * broken behaviour + */ + mech_list_mic = sub_out; + } + + return gensec_spnego_server_response(spnego_state, + out_mem_ctx, + sub_status, + sub_out, + mech_list_mic, + out); +} + +static const struct spnego_neg_ops gensec_spnego_server_negTokenInit_ops = { + .name = "server_negTokenInit", + .start_fn = gensec_spnego_server_negTokenInit_start, + .step_fn = gensec_spnego_server_negTokenInit_step, + .finish_fn = gensec_spnego_server_negTokenInit_finish, +}; + +static NTSTATUS gensec_spnego_server_negTokenTarg_start( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg; + NTSTATUS status; + + spnego_state->num_targs++; + + if (spnego_state->sub_sec_security == NULL) { + DBG_ERR("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + if (spnego_state->needs_mic_check) { + if (ta->responseToken.length != 0) { + DBG_WARNING("non empty response token not expected\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + status = gensec_check_packet(spnego_state->sub_sec_security, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + &ta->mechListMIC); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to verify mechListMIC: %s\n", + nt_errstr(status)); + return status; + } + + spnego_state->needs_mic_check = false; + spnego_state->done_mic_check = true; + return NT_STATUS_OK; + } + + if (!spnego_state->sub_sec_ready) { + *in_next = ta->responseToken; + return NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + return NT_STATUS_OK; +} + +static NTSTATUS gensec_spnego_server_negTokenTarg_step( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS last_status, + TALLOC_CTX *in_mem_ctx, + DATA_BLOB *in_next) +{ + if (GENSEC_UPDATE_IS_NTERROR(last_status)) { + DBG_NOTICE("SPNEGO(%s) login failed: %s\n", + spnego_state->sub_sec_security->ops->name, + nt_errstr(last_status)); + return last_status; + } + + /* + * This should never be reached! + * The step function is only called on errors! + */ + smb_panic(__location__); + return NT_STATUS_INTERNAL_ERROR; +} + +static NTSTATUS gensec_spnego_server_negTokenTarg_finish( + struct gensec_security *gensec_security, + struct spnego_state *spnego_state, + struct spnego_neg_state *n, + struct spnego_data *spnego_in, + NTSTATUS sub_status, + const DATA_BLOB sub_out, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg; + DATA_BLOB mech_list_mic = data_blob_null; + NTSTATUS status; + bool have_sign = true; + bool new_spnego = false; + + status = sub_status; + + if (!spnego_state->sub_sec_ready) { + /* + * We're not yet ready to deal with signatures. + */ + goto server_response; + } + + if (spnego_state->done_mic_check) { + /* + * We already checked the mic, + * either the in last round here + * in gensec_spnego_server_negTokenTarg_finish() + * or during this round in + * gensec_spnego_server_negTokenTarg_start(). + * + * Both cases we're sure we don't have to + * call gensec_sign_packet(). + */ + goto server_response; + } + + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } + new_spnego = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_NEW_SPNEGO); + if (ta->mechListMIC.length > 0) { + new_spnego = true; + } + + if (have_sign && new_spnego) { + spnego_state->needs_mic_check = true; + spnego_state->needs_mic_sign = true; + } + + if (have_sign && ta->mechListMIC.length > 0) { + status = gensec_check_packet(spnego_state->sub_sec_security, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + &ta->mechListMIC); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to verify mechListMIC: %s\n", + nt_errstr(status)); + return status; + } + + spnego_state->needs_mic_check = false; + spnego_state->done_mic_check = true; + } + + if (spnego_state->needs_mic_sign) { + status = gensec_sign_packet(spnego_state->sub_sec_security, + n, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + spnego_state->mech_types.data, + spnego_state->mech_types.length, + &mech_list_mic); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to sign mechListMIC: %s\n", + nt_errstr(status)); + return status; + } + spnego_state->needs_mic_sign = false; + } + + if (spnego_state->needs_mic_check) { + status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + server_response: + return gensec_spnego_server_response(spnego_state, + out_mem_ctx, + status, + sub_out, + mech_list_mic, + out); +} + +static const struct spnego_neg_ops gensec_spnego_server_negTokenTarg_ops = { + .name = "server_negTokenTarg", + .start_fn = gensec_spnego_server_negTokenTarg_start, + .step_fn = gensec_spnego_server_negTokenTarg_step, + .finish_fn = gensec_spnego_server_negTokenTarg_finish, +}; + +struct gensec_spnego_update_state { + struct tevent_context *ev; + struct gensec_security *gensec; + struct spnego_state *spnego; + + DATA_BLOB full_in; + struct spnego_data _spnego_in; + struct spnego_data *spnego_in; + + struct { + bool needed; + DATA_BLOB in; + NTSTATUS status; + DATA_BLOB out; + } sub; + + struct spnego_neg_state *n; + + NTSTATUS status; + DATA_BLOB out; +}; + +static void gensec_spnego_update_cleanup(struct tevent_req *req, + enum tevent_req_state req_state) +{ + struct gensec_spnego_update_state *state = + tevent_req_data(req, + struct gensec_spnego_update_state); + + switch (req_state) { + case TEVENT_REQ_USER_ERROR: + case TEVENT_REQ_TIMED_OUT: + case TEVENT_REQ_NO_MEMORY: + /* + * A fatal error, further updates are not allowed. + */ + state->spnego->state_position = SPNEGO_DONE; + break; + default: + break; + } +} + +static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security, + const DATA_BLOB in, TALLOC_CTX *mem_ctx, + DATA_BLOB *full_in); +static void gensec_spnego_update_pre(struct tevent_req *req); +static void gensec_spnego_update_done(struct tevent_req *subreq); +static void gensec_spnego_update_post(struct tevent_req *req); +static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *_out); + +static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct spnego_state *spnego_state = + talloc_get_type_abort(gensec_security->private_data, + struct spnego_state); + struct tevent_req *req = NULL; + struct gensec_spnego_update_state *state = NULL; + NTSTATUS status; + ssize_t len; + + req = tevent_req_create(mem_ctx, &state, + struct gensec_spnego_update_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->gensec = gensec_security; + state->spnego = spnego_state; + tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup); + + if (spnego_state->out_frag.length > 0) { + if (in.length > 0) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + status = gensec_spnego_update_out(gensec_security, + state, &state->out); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + tevent_req_nterror(req, status); + return tevent_req_post(req, ev); + } + + state->status = status; + tevent_req_done(req); + return tevent_req_post(req, ev); + } + + status = gensec_spnego_update_in(gensec_security, in, + state, &state->full_in); + state->status = status; + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + /* Check if we got a valid SPNEGO blob... */ + + switch (spnego_state->state_position) { + case SPNEGO_FALLBACK: + break; + + case SPNEGO_CLIENT_TARG: + case SPNEGO_SERVER_TARG: + if (state->full_in.length == 0) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + FALL_THROUGH; + case SPNEGO_CLIENT_START: + case SPNEGO_SERVER_START: + + if (state->full_in.length == 0) { + /* create_negTokenInit later */ + break; + } + + len = spnego_read_data(state, + state->full_in, + &state->_spnego_in); + if (len == -1) { + if (spnego_state->state_position != SPNEGO_SERVER_START) { + DEBUG(1, ("Invalid SPNEGO request:\n")); + dump_data(1, state->full_in.data, + state->full_in.length); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + /* + * This is the 'fallback' case, where we don't get + * SPNEGO, and have to try all the other options (and + * hope they all have a magic string they check) + */ + status = gensec_spnego_server_try_fallback(gensec_security, + spnego_state, + state, + state->full_in); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + /* + * We'll continue with SPNEGO_FALLBACK below... + */ + break; + } + state->spnego_in = &state->_spnego_in; + + /* OK, so it's real SPNEGO, check the packet's the one we expect */ + if (state->spnego_in->type != spnego_state->expected_packet) { + DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", + state->spnego_in->type, + spnego_state->expected_packet)); + dump_data(1, state->full_in.data, + state->full_in.length); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + break; + + default: + smb_panic(__location__); + return NULL; + } + + gensec_spnego_update_pre(req); + if (!tevent_req_is_in_progress(req)) { + return tevent_req_post(req, ev); + } + + if (state->sub.needed) { + struct tevent_req *subreq = NULL; + + /* + * We may need one more roundtrip... + */ + subreq = gensec_update_send(state, state->ev, + spnego_state->sub_sec_security, + state->sub.in); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, + gensec_spnego_update_done, + req); + state->sub.needed = false; + return req; + } + + gensec_spnego_update_post(req); + if (!tevent_req_is_in_progress(req)) { + return tevent_req_post(req, ev); + } + + return req; +} + +static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security, + const DATA_BLOB in, TALLOC_CTX *mem_ctx, + DATA_BLOB *full_in) +{ + struct spnego_state *spnego_state = + talloc_get_type_abort(gensec_security->private_data, + struct spnego_state); + size_t expected; + bool ok; + + *full_in = data_blob_null; + + switch (spnego_state->state_position) { + case SPNEGO_FALLBACK: + *full_in = in; + spnego_state->in_needed = 0; + return NT_STATUS_OK; + + case SPNEGO_CLIENT_START: + case SPNEGO_CLIENT_TARG: + case SPNEGO_SERVER_START: + case SPNEGO_SERVER_TARG: + break; + + case SPNEGO_DONE: + default: + return NT_STATUS_INVALID_PARAMETER; + } + + if (spnego_state->in_needed == 0) { + size_t size = 0; + int ret; + + /* + * try to work out the size of the full + * input token, it might be fragmented + */ + ret = asn1_peek_full_tag(in, ASN1_APPLICATION(0), &size); + if ((ret != 0) && (ret != EAGAIN)) { + ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size); + } + + if ((ret == 0) || (ret == EAGAIN)) { + spnego_state->in_needed = size; + } else { + /* + * If it is not an asn1 message + * just call the next layer. + */ + spnego_state->in_needed = in.length; + } + } + + if (spnego_state->in_needed > UINT16_MAX) { + /* + * limit the incoming message to 0xFFFF + * to avoid DoS attacks. + */ + return NT_STATUS_INVALID_BUFFER_SIZE; + } + + if ((spnego_state->in_needed > 0) && (in.length == 0)) { + /* + * If we reach this, we know we got at least + * part of an asn1 message, getting 0 means + * the remote peer wants us to spin. + */ + return NT_STATUS_INVALID_PARAMETER; + } + + expected = spnego_state->in_needed - spnego_state->in_frag.length; + if (in.length > expected) { + /* + * we got more than expected + */ + return NT_STATUS_INVALID_PARAMETER; + } + + if (in.length == spnego_state->in_needed) { + /* + * if the in.length contains the full blob + * we are done. + * + * Note: this implies spnego_state->in_frag.length == 0, + * but we do not need to check this explicitly + * because we already know that we did not get + * more than expected. + */ + *full_in = in; + spnego_state->in_needed = 0; + return NT_STATUS_OK; + } + + ok = data_blob_append(spnego_state, &spnego_state->in_frag, + in.data, in.length); + if (!ok) { + return NT_STATUS_NO_MEMORY; + } + + if (spnego_state->in_needed > spnego_state->in_frag.length) { + return NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + *full_in = spnego_state->in_frag; + talloc_steal(mem_ctx, full_in->data); + spnego_state->in_frag = data_blob_null; + spnego_state->in_needed = 0; + return NT_STATUS_OK; +} + +static void gensec_spnego_update_pre(struct tevent_req *req) +{ + struct gensec_spnego_update_state *state = + tevent_req_data(req, + struct gensec_spnego_update_state); + struct spnego_state *spnego_state = state->spnego; + const struct spnego_neg_ops *ops = NULL; + NTSTATUS status; + + state->sub.needed = false; + state->sub.in = data_blob_null; + state->sub.status = NT_STATUS_INTERNAL_ERROR; + state->sub.out = data_blob_null; + + if (spnego_state->state_position == SPNEGO_FALLBACK) { + state->sub.in = state->full_in; + state->full_in = data_blob_null; + state->sub.needed = true; + return; + } + + switch (spnego_state->state_position) { + case SPNEGO_CLIENT_START: + if (state->spnego_in == NULL) { + /* client to produce negTokenInit */ + ops = &gensec_spnego_create_negTokenInit_ops; + break; + } + + ops = &gensec_spnego_client_negTokenInit_ops; + break; + + case SPNEGO_CLIENT_TARG: + ops = &gensec_spnego_client_negTokenTarg_ops; + break; + + case SPNEGO_SERVER_START: + if (state->spnego_in == NULL) { + /* server to produce negTokenInit */ + ops = &gensec_spnego_create_negTokenInit_ops; + break; + } + + ops = &gensec_spnego_server_negTokenInit_ops; + break; + + case SPNEGO_SERVER_TARG: + ops = &gensec_spnego_server_negTokenTarg_ops; + break; + + default: + smb_panic(__location__); + return; + } + + state->n = gensec_spnego_neg_state(state, ops); + if (tevent_req_nomem(state->n, req)) { + return; + } + + status = ops->start_fn(state->gensec, spnego_state, state->n, + state->spnego_in, state, &state->sub.in); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + tevent_req_nterror(req, status); + return; + } + + if (NT_STATUS_IS_OK(status)) { + /* + * Call finish_fn() with an empty + * blob and NT_STATUS_OK. + */ + state->sub.status = NT_STATUS_OK; + } else if (spnego_state->state_position == SPNEGO_CLIENT_START && + spnego_state->no_optimistic) { + /* + * Skip optimistic token per conf. + */ + state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else if (spnego_state->state_position == SPNEGO_SERVER_START && + state->sub.in.length == 0 && spnego_state->no_optimistic) { + /* + * If we didn't like the mechanism for which the client sent us + * an optimistic token, or if he didn't send any, don't call + * the sub mechanism just yet. + */ + state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->no_optimistic = false; + } else { + /* + * MORE_PROCESSING_REQUIRED => + * we need to call gensec_update_send(). + */ + state->sub.needed = true; + } +} + +static void gensec_spnego_update_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct gensec_spnego_update_state *state = + tevent_req_data(req, + struct gensec_spnego_update_state); + struct spnego_state *spnego_state = state->spnego; + + state->sub.status = gensec_update_recv(subreq, state, &state->sub.out); + TALLOC_FREE(subreq); + if (NT_STATUS_IS_OK(state->sub.status)) { + spnego_state->sub_sec_ready = true; + } + + gensec_spnego_update_post(req); +} + +static void gensec_spnego_update_post(struct tevent_req *req) +{ + struct gensec_spnego_update_state *state = + tevent_req_data(req, + struct gensec_spnego_update_state); + struct spnego_state *spnego_state = state->spnego; + const struct spnego_neg_ops *ops = NULL; + NTSTATUS status; + + state->sub.in = data_blob_null; + state->sub.needed = false; + + if (spnego_state->state_position == SPNEGO_FALLBACK) { + status = state->sub.status; + spnego_state->out_frag = state->sub.out; + talloc_steal(spnego_state, spnego_state->out_frag.data); + state->sub.out = data_blob_null; + goto respond; + } + + ops = state->n->ops; + + if (GENSEC_UPDATE_IS_NTERROR(state->sub.status)) { + + + /* + * gensec_update_recv() returned an error, + * let's see if the step_fn() want to + * handle it and negotiate something else. + */ + + status = ops->step_fn(state->gensec, + spnego_state, + state->n, + state->spnego_in, + state->sub.status, + state, + &state->sub.in); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + tevent_req_nterror(req, status); + return; + } + + state->sub.out = data_blob_null; + state->sub.status = NT_STATUS_INTERNAL_ERROR; + + if (NT_STATUS_IS_OK(status)) { + /* + * Call finish_fn() with an empty + * blob and NT_STATUS_OK. + */ + state->sub.status = NT_STATUS_OK; + } else { + /* + * MORE_PROCESSING_REQUIRED... + */ + state->sub.needed = true; + } + } + + if (state->sub.needed) { + struct tevent_req *subreq = NULL; + + /* + * We may need one more roundtrip... + */ + subreq = gensec_update_send(state, state->ev, + spnego_state->sub_sec_security, + state->sub.in); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, + gensec_spnego_update_done, + req); + state->sub.needed = false; + return; + } + + status = ops->finish_fn(state->gensec, + spnego_state, + state->n, + state->spnego_in, + state->sub.status, + state->sub.out, + spnego_state, + &spnego_state->out_frag); + TALLOC_FREE(state->n); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + tevent_req_nterror(req, status); + return; + } + + if (NT_STATUS_IS_OK(status)) { + bool reset_full = true; + + reset_full = !spnego_state->done_mic_check; + + status = gensec_may_reset_crypto(spnego_state->sub_sec_security, + reset_full); + if (tevent_req_nterror(req, status)) { + return; + } + } + +respond: + spnego_state->out_status = status; + + status = gensec_spnego_update_out(state->gensec, + state, &state->out); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + tevent_req_nterror(req, status); + return; + } + + state->status = status; + tevent_req_done(req); + return; +} + +static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *_out) +{ + struct spnego_state *spnego_state = + talloc_get_type_abort(gensec_security->private_data, + struct spnego_state); + DATA_BLOB out = data_blob_null; + bool ok; + + *_out = data_blob_null; + + if (spnego_state->out_frag.length <= spnego_state->out_max_length) { + /* + * Fast path, we can deliver everything + */ + + *_out = spnego_state->out_frag; + if (spnego_state->out_frag.length > 0) { + talloc_steal(out_mem_ctx, _out->data); + spnego_state->out_frag = data_blob_null; + } + + if (!NT_STATUS_IS_OK(spnego_state->out_status)) { + return spnego_state->out_status; + } + + /* + * We're completely done, further updates are not allowed. + */ + spnego_state->state_position = SPNEGO_DONE; + return gensec_child_ready(gensec_security, + spnego_state->sub_sec_security); + } + + out = spnego_state->out_frag; + + /* + * copy the remaining bytes + */ + spnego_state->out_frag = data_blob_talloc(spnego_state, + out.data + spnego_state->out_max_length, + out.length - spnego_state->out_max_length); + if (spnego_state->out_frag.data == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* + * truncate the buffer + */ + ok = data_blob_realloc(spnego_state, &out, + spnego_state->out_max_length); + if (!ok) { + return NT_STATUS_NO_MEMORY; + } + + talloc_steal(out_mem_ctx, out.data); + *_out = out; + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +static NTSTATUS gensec_spnego_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct gensec_spnego_update_state *state = + tevent_req_data(req, + struct gensec_spnego_update_state); + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + *out = state->out; + talloc_steal(out_mem_ctx, state->out.data); + status = state->status; + tevent_req_received(req); + return status; +} + +static const char *gensec_spnego_oids[] = { + GENSEC_OID_SPNEGO, + NULL +}; + +static const struct gensec_security_ops gensec_spnego_security_ops = { + .name = "spnego", + .sasl_name = "GSS-SPNEGO", + .auth_type = DCERPC_AUTH_TYPE_SPNEGO, + .oid = gensec_spnego_oids, + .client_start = gensec_spnego_client_start, + .server_start = gensec_spnego_server_start, + .update_send = gensec_spnego_update_send, + .update_recv = gensec_spnego_update_recv, + .seal_packet = gensec_child_seal_packet, + .sign_packet = gensec_child_sign_packet, + .sig_size = gensec_child_sig_size, + .max_wrapped_size = gensec_child_max_wrapped_size, + .max_input_size = gensec_child_max_input_size, + .check_packet = gensec_child_check_packet, + .unseal_packet = gensec_child_unseal_packet, + .wrap = gensec_child_wrap, + .unwrap = gensec_child_unwrap, + .session_key = gensec_child_session_key, + .session_info = gensec_child_session_info, + .want_feature = gensec_child_want_feature, + .have_feature = gensec_child_have_feature, + .expire_time = gensec_child_expire_time, + .final_auth_type = gensec_child_final_auth_type, + .enabled = true, + .priority = GENSEC_SPNEGO, + .glue = true, +}; + +_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx) +{ + NTSTATUS ret; + ret = gensec_register(ctx, &gensec_spnego_security_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_spnego_security_ops.name)); + return ret; + } + + return ret; +} diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build new file mode 100644 index 0000000..1d8071d --- /dev/null +++ b/auth/gensec/wscript_build @@ -0,0 +1,37 @@ +#!/usr/bin/env python +bld.SAMBA_LIBRARY('gensec', + source='gensec.c gensec_start.c gensec_util.c', + autoproto='gensec_toplevel_proto.h', + public_deps='tevent-util samba-util samba-errors auth_system_session samba-modules gensec_util asn1util', + private_headers='gensec.h', + deps='com_err', + private_library=True, + ) + +bld.SAMBA_MODULE('gensec_spnego', + source='spnego.c', + subsystem='gensec', + init_function='gensec_spnego_init', + deps='asn1util samba-credentials SPNEGO_PARSE' + ) + +bld.SAMBA_MODULE('gensec_schannel', + source='schannel.c', + subsystem='gensec', + init_function='gensec_schannel_init', + deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session GNUTLS_HELPERS' + ) + +bld.SAMBA_MODULE('gensec_ncalrpc', + source='ncalrpc.c', + subsystem='gensec', + init_function='gensec_ncalrpc_as_system_init', + deps='samba-util auth_session' + ) + +bld.SAMBA_MODULE('gensec_external', + source='external.c', + subsystem='gensec', + deps='samba-debug talloc tevent tevent-util', + init_function='gensec_external_init' + ) diff --git a/auth/kerberos/gssapi_helper.c b/auth/kerberos/gssapi_helper.c new file mode 100644 index 0000000..52c953c --- /dev/null +++ b/auth/kerberos/gssapi_helper.c @@ -0,0 +1,398 @@ +/* + Unix SMB/CIFS implementation. + GSSAPI helper functions + + Copyright (C) Stefan Metzmacher 2008,2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/gssapi.h" +#include "auth/kerberos/pac_utils.h" +#include "auth/kerberos/gssapi_helper.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +size_t gssapi_get_sig_size(gss_ctx_id_t gssapi_context, + const gss_OID mech, + uint32_t gss_want_flags, + size_t data_size) +{ + TALLOC_CTX *frame = talloc_stackframe(); + size_t sig_size = 0; + + if (gss_want_flags & GSS_C_CONF_FLAG) { + OM_uint32 min_stat, maj_stat; + bool want_sealing = true; + int sealed = 0; + gss_iov_buffer_desc iov[2]; + + if (!(gss_want_flags & GSS_C_DCE_STYLE)) { + TALLOC_FREE(frame); + return 0; + } + + /* + * gss_wrap_iov_length() only needs the type and length + */ + iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; + iov[0].buffer.value = NULL; + iov[0].buffer.length = 0; + iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[1].buffer.value = NULL; + iov[1].buffer.length = data_size; + + maj_stat = gss_wrap_iov_length(&min_stat, + gssapi_context, + want_sealing, + GSS_C_QOP_DEFAULT, + &sealed, + iov, ARRAY_SIZE(iov)); + if (maj_stat) { + DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n", + gssapi_error_string(frame, + maj_stat, + min_stat, + mech))); + TALLOC_FREE(frame); + return 0; + } + + sig_size = iov[0].buffer.length; + } else if (gss_want_flags & GSS_C_INTEG_FLAG) { + NTSTATUS status; + uint32_t keytype; + + status = gssapi_get_session_key(frame, + gssapi_context, + NULL, &keytype); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return 0; + } + + switch (keytype) { + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: + sig_size = 37; + break; + default: + sig_size = 28; + break; + } + } + + TALLOC_FREE(frame); + return sig_size; +} + +NTSTATUS gssapi_seal_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, size_t sig_size, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + TALLOC_CTX *mem_ctx, + DATA_BLOB *sig) +{ + OM_uint32 maj_stat, min_stat; + gss_iov_buffer_desc iov[4]; + int req_seal = 1; + int sealed = 0; + const uint8_t *pre_sign_ptr = NULL; + size_t pre_sign_len = 0; + const uint8_t *post_sign_ptr = NULL; + size_t post_sign_len = 0; + + if (hdr_signing) { + const uint8_t *de = data + length; + const uint8_t *we = whole_pdu + pdu_length; + + if (data < whole_pdu) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (de > we) { + return NT_STATUS_INVALID_PARAMETER; + } + + pre_sign_len = data - whole_pdu; + if (pre_sign_len > 0) { + pre_sign_ptr = whole_pdu; + } + post_sign_len = we - de; + if (post_sign_len > 0) { + post_sign_ptr = de; + } + } + + sig->length = sig_size; + if (sig->length == 0) { + return NT_STATUS_ACCESS_DENIED; + } + + sig->data = talloc_zero_array(mem_ctx, uint8_t, sig->length); + if (sig->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + + iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; + iov[0].buffer.length = sig->length; + iov[0].buffer.value = sig->data; + + if (pre_sign_ptr != NULL) { + iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[1].buffer.length = pre_sign_len; + iov[1].buffer.value = discard_const(pre_sign_ptr); + } else { + iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY; + iov[1].buffer.length = 0; + iov[1].buffer.value = NULL; + } + + /* data is encrypted in place, which is ok */ + iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[2].buffer.length = length; + iov[2].buffer.value = data; + + if (post_sign_ptr != NULL) { + iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[3].buffer.length = post_sign_len; + iov[3].buffer.value = discard_const(post_sign_ptr); + } else { + iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY; + iov[3].buffer.length = 0; + iov[3].buffer.value = NULL; + } + + maj_stat = gss_wrap_iov(&min_stat, + gssapi_context, + req_seal, + GSS_C_QOP_DEFAULT, + &sealed, + iov, ARRAY_SIZE(iov)); + if (GSS_ERROR(maj_stat)) { + char *error_string = gssapi_error_string(mem_ctx, + maj_stat, + min_stat, + mech); + DEBUG(1, ("gss_wrap_iov failed: %s\n", error_string)); + talloc_free(error_string); + data_blob_free(sig); + return NT_STATUS_ACCESS_DENIED; + } + + if (req_seal == 1 && sealed == 0) { + DEBUG(0, ("gss_wrap_iov says data was not sealed!\n")); + data_blob_free(sig); + return NT_STATUS_ACCESS_DENIED; + } + + dump_data_pw("gssapi_seal_packet: sig\n", sig->data, sig->length); + dump_data_pw("gssapi_seal_packet: sealed\n", data, length); + + DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n", + (int)iov[2].buffer.length, (int)iov[0].buffer.length)); + + return NT_STATUS_OK; +} + +NTSTATUS gssapi_unseal_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + OM_uint32 maj_stat, min_stat; + gss_iov_buffer_desc iov[4]; + gss_qop_t qop_state; + int sealed = 0; + const uint8_t *pre_sign_ptr = NULL; + size_t pre_sign_len = 0; + const uint8_t *post_sign_ptr = NULL; + size_t post_sign_len = 0; + + if (hdr_signing) { + const uint8_t *de = data + length; + const uint8_t *we = whole_pdu + pdu_length; + + if (data < whole_pdu) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (de > we) { + return NT_STATUS_INVALID_PARAMETER; + } + + pre_sign_len = data - whole_pdu; + if (pre_sign_len > 0) { + pre_sign_ptr = whole_pdu; + } + post_sign_len = we - de; + if (post_sign_len > 0) { + post_sign_ptr = de; + } + } + + dump_data_pw("gssapi_unseal_packet: sig\n", sig->data, sig->length); + dump_data_pw("gssapi_unseal_packet: sealed\n", data, length); + + iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; + iov[0].buffer.length = sig->length; + iov[0].buffer.value = sig->data; + + if (pre_sign_ptr != NULL) { + iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[1].buffer.length = pre_sign_len; + iov[1].buffer.value = discard_const(pre_sign_ptr); + } else { + iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY; + iov[1].buffer.length = 0; + iov[1].buffer.value = NULL; + } + + /* data is encrypted in place, which is ok */ + iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[2].buffer.length = length; + iov[2].buffer.value = data; + + if (post_sign_ptr != NULL) { + iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[3].buffer.length = post_sign_len; + iov[3].buffer.value = discard_const(post_sign_ptr); + } else { + iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY; + iov[3].buffer.length = 0; + iov[3].buffer.value = NULL; + } + + maj_stat = gss_unwrap_iov(&min_stat, + gssapi_context, + &sealed, + &qop_state, + iov, ARRAY_SIZE(iov)); + if (GSS_ERROR(maj_stat)) { + char *error_string = gssapi_error_string(NULL, + maj_stat, + min_stat, + mech); + DEBUG(1, ("gss_unwrap_iov failed: %s\n", error_string)); + talloc_free(error_string); + + return NT_STATUS_ACCESS_DENIED; + } + + if (sealed == 0) { + DEBUG(0, ("gss_unwrap_iov says data was not sealed!\n")); + return NT_STATUS_ACCESS_DENIED; + } + + DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n", + (int)iov[2].buffer.length, (int)iov[0].buffer.length)); + + return NT_STATUS_OK; +} + +NTSTATUS gssapi_sign_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + TALLOC_CTX *mem_ctx, + DATA_BLOB *sig) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token; + + if (hdr_signing) { + input_token.length = pdu_length; + input_token.value = discard_const_p(uint8_t *, whole_pdu); + } else { + input_token.length = length; + input_token.value = discard_const_p(uint8_t *, data); + } + + maj_stat = gss_get_mic(&min_stat, + gssapi_context, + GSS_C_QOP_DEFAULT, + &input_token, + &output_token); + if (GSS_ERROR(maj_stat)) { + char *error_string = gssapi_error_string(mem_ctx, + maj_stat, + min_stat, + mech); + DEBUG(1, ("GSS GetMic failed: %s\n", error_string)); + talloc_free(error_string); + return NT_STATUS_ACCESS_DENIED; + } + + *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length); + gss_release_buffer(&min_stat, &output_token); + if (sig->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + + dump_data_pw("gssapi_sign_packet: sig\n", sig->data, sig->length); + + return NT_STATUS_OK; +} + +NTSTATUS gssapi_check_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token; + gss_buffer_desc input_message; + gss_qop_t qop_state; + + dump_data_pw("gssapi_check_packet: sig\n", sig->data, sig->length); + + if (hdr_signing) { + input_message.length = pdu_length; + input_message.value = discard_const(whole_pdu); + } else { + input_message.length = length; + input_message.value = discard_const(data); + } + + input_token.length = sig->length; + input_token.value = sig->data; + + maj_stat = gss_verify_mic(&min_stat, + gssapi_context, + &input_message, + &input_token, + &qop_state); + if (GSS_ERROR(maj_stat)) { + char *error_string = gssapi_error_string(NULL, + maj_stat, + min_stat, + mech); + DEBUG(1, ("GSS VerifyMic failed: %s\n", error_string)); + talloc_free(error_string); + + return NT_STATUS_ACCESS_DENIED; + } + + return NT_STATUS_OK; +} diff --git a/auth/kerberos/gssapi_helper.h b/auth/kerberos/gssapi_helper.h new file mode 100644 index 0000000..f40adf1 --- /dev/null +++ b/auth/kerberos/gssapi_helper.h @@ -0,0 +1,55 @@ +/* + Unix SMB/CIFS implementation. + GSSAPI helper functions + + Copyright (C) Stefan Metzmacher 2008,2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef AUTH_KERBEROS_GSSAPI_HELPER_H +#define AUTH_KERBEROS_GSSAPI_HELPER_H 1 + +size_t gssapi_get_sig_size(gss_ctx_id_t gssapi_context, + const gss_OID mech, + uint32_t gss_want_flags, + size_t data_size); +NTSTATUS gssapi_seal_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, size_t sig_size, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + TALLOC_CTX *mem_ctx, + DATA_BLOB *sig); +NTSTATUS gssapi_unseal_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +NTSTATUS gssapi_sign_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + TALLOC_CTX *mem_ctx, + DATA_BLOB *sig); +NTSTATUS gssapi_check_packet(gss_ctx_id_t gssapi_context, + const gss_OID mech, + bool hdr_signing, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); + +#endif /* AUTH_KERBEROS_GSSAPI_HELPER_H */ diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c new file mode 100644 index 0000000..4ad7873 --- /dev/null +++ b/auth/kerberos/gssapi_pac.c @@ -0,0 +1,348 @@ +/* + Unix SMB/CIFS implementation. + kerberos authorization data (PAC) utility library + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011 + Copyright (C) Simo Sorce 2010. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +#ifdef HAVE_KRB5 + +#include "auth/kerberos/pac_utils.h" + +#if 0 +/* FIXME - need proper configure/waf test + * to determine if gss_mech_krb5 and friends + * exist. JRA. + */ +/* + * These are not exported by Solaris -lkrb5 + * Maybe move to libreplace somewhere? + */ +static const gss_OID_desc krb5_gss_oid_array[] = { + /* this is the official, rfc-specified OID */ + { 9, "\052\206\110\206\367\022\001\002\002" }, + /* this is the pre-RFC mech OID */ + { 5, "\053\005\001\005\002" }, + /* this is the unofficial, incorrect mech OID emitted by MS */ + { 9, "\052\206\110\202\367\022\001\002\002" }, + { 0, 0 } +}; + +const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0; +const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1; +const gss_OID_desc * const gss_mech_krb5_wrong = krb5_gss_oid_array+2; +#endif + +#ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" +#endif + +gss_OID_desc gse_sesskey_inq_oid = { + GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH, + discard_const(GSS_KRB5_INQ_SSPI_SESSION_KEY_OID) +}; + +#ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID +#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10 +#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04" +#endif + +gss_OID_desc gse_sesskeytype_oid = { + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH, + discard_const(GSS_KRB5_SESSION_KEY_ENCTYPE_OID) +}; + +/* The Heimdal OID for getting the PAC */ +#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8 +/* EXTRACTION OID AUTHZ ID */ +#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x85\x70\x2b\x0d\x03" "\x81\x00" + +NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx, + gss_ctx_id_t gssapi_context, + gss_name_t gss_client_name, + DATA_BLOB *pac_blob) +{ + NTSTATUS status; + OM_uint32 gss_maj, gss_min; +#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE +/* + * gss_get_name_attribute() in MIT krb5 1.10.0 can return uninitialized pac_display_buffer + * and later gss_release_buffer() will crash on attempting to release it. + * + * So always initialize the buffer descriptors. + * + * See following links for more details: + * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514 + * http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087 + */ + gss_buffer_desc pac_buffer = { + .value = NULL, + .length = 0 + }; + gss_buffer_desc pac_display_buffer = { + .value = NULL, + .length = 0 + }; + gss_buffer_desc pac_name = { + .value = discard_const("urn:mspac:"), + .length = sizeof("urn:mspac:")-1 + }; + int more = -1; + int authenticated = false; + int complete = false; + + gss_maj = gss_get_name_attribute( + &gss_min, gss_client_name, &pac_name, + &authenticated, &complete, + &pac_buffer, &pac_display_buffer, &more); + + if (gss_maj != 0) { + gss_OID oid = discard_const(gss_mech_krb5); + DBG_NOTICE("obtaining PAC via GSSAPI gss_get_name_attribute " + "failed: %s\n", gssapi_error_string(mem_ctx, + gss_maj, gss_min, + oid)); + return NT_STATUS_ACCESS_DENIED; + } else if (authenticated && complete) { + /* The PAC blob is returned directly */ + *pac_blob = data_blob_talloc(mem_ctx, pac_buffer.value, + pac_buffer.length); + + if (!pac_blob->data) { + status = NT_STATUS_NO_MEMORY; + } else { + status = NT_STATUS_OK; + } + + gss_release_buffer(&gss_min, &pac_buffer); + gss_release_buffer(&gss_min, &pac_display_buffer); + return status; + } else { + DEBUG(0, ("obtaining PAC via GSSAPI failed: authenticated: %s, complete: %s, more: %s\n", + authenticated ? "true" : "false", + complete ? "true" : "false", + more ? "true" : "false")); + return NT_STATUS_ACCESS_DENIED; + } + +#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID) + gss_OID_desc pac_data_oid = { + .elements = discard_const(EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID), + .length = EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH + }; + + gss_buffer_set_t set = GSS_C_NO_BUFFER_SET; + + /* If we didn't have the routine to get a verified, validated + * PAC (supplied only by MIT at the time of writing), then try + * with the Heimdal OID (fetches the PAC directly and always + * validates) */ + gss_maj = gss_inquire_sec_context_by_oid( + &gss_min, gssapi_context, + &pac_data_oid, &set); + + /* First check for the error MIT gives for an unknown OID */ + if (gss_maj == GSS_S_UNAVAILABLE) { + DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. " + "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n")); + } else if (gss_maj != 0) { + DEBUG(2, ("obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: %s\n", + gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5))); + } else { + if (set == GSS_C_NO_BUFFER_SET) { + DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown " + "data in results.\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + /* The PAC blob is returned directly */ + *pac_blob = data_blob_talloc(mem_ctx, set->elements[0].value, + set->elements[0].length); + if (!pac_blob->data) { + status = NT_STATUS_NO_MEMORY; + } else { + status = NT_STATUS_OK; + } + + gss_maj = gss_release_buffer_set(&gss_min, &set); + return status; + } +#else + DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. " + "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n")); +#endif + return NT_STATUS_ACCESS_DENIED; +} + +NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx, + gss_ctx_id_t gssapi_context, + DATA_BLOB *session_key, + uint32_t *keytype) +{ + OM_uint32 gss_min, gss_maj; + gss_buffer_set_t set = GSS_C_NO_BUFFER_SET; + + gss_maj = gss_inquire_sec_context_by_oid( + &gss_min, gssapi_context, + &gse_sesskey_inq_oid, &set); + if (gss_maj) { + DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n", + gssapi_error_string(mem_ctx, + gss_maj, + gss_min, + discard_const_p(struct gss_OID_desc_struct, + gss_mech_krb5)))); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + if ((set == GSS_C_NO_BUFFER_SET) || + (set->count == 0)) { +#ifdef HAVE_GSSKRB5_GET_SUBKEY + krb5_keyblock *subkey; + gss_maj = gsskrb5_get_subkey(&gss_min, + gssapi_context, + &subkey); + if (gss_maj != 0) { + DEBUG(1, ("NO session key for this mech\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + if (session_key) { + *session_key = data_blob_talloc(mem_ctx, + KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); + } + if (keytype) { + *keytype = KRB5_KEY_TYPE(subkey); + } + krb5_free_keyblock(NULL /* should be krb5_context */, subkey); + return NT_STATUS_OK; +#else + DEBUG(0, ("gss_inquire_sec_context_by_oid didn't return any session key (and no alternative method available)\n")); + return NT_STATUS_NO_USER_SESSION_KEY; +#endif + } + + if (session_key) { + *session_key = data_blob_talloc(mem_ctx, set->elements[0].value, + set->elements[0].length); + } + + if (keytype) { + int diflen, i; + const uint8_t *p; + + *keytype = 0; + if (set->count < 2) { + +#ifdef HAVE_GSSKRB5_GET_SUBKEY + krb5_keyblock *subkey; + gss_maj = gsskrb5_get_subkey(&gss_min, + gssapi_context, + &subkey); + if (gss_maj == 0) { + *keytype = KRB5_KEY_TYPE(subkey); + krb5_free_keyblock(NULL /* should be krb5_context */, subkey); + } +#endif + gss_release_buffer_set(&gss_min, &set); + + return NT_STATUS_OK; + + } else if (memcmp(set->elements[1].value, + gse_sesskeytype_oid.elements, + gse_sesskeytype_oid.length) != 0) { + /* Perhaps a non-krb5 session key */ + gss_release_buffer_set(&gss_min, &set); + return NT_STATUS_OK; + } + p = (const uint8_t *)set->elements[1].value + gse_sesskeytype_oid.length; + diflen = set->elements[1].length - gse_sesskeytype_oid.length; + if (diflen <= 0) { + gss_release_buffer_set(&gss_min, &set); + return NT_STATUS_INVALID_PARAMETER; + } + for (i = 0; i < diflen; i++) { + *keytype = (*keytype << 7) | (p[i] & 0x7f); + if (i + 1 != diflen && (p[i] & 0x80) == 0) { + gss_release_buffer_set(&gss_min, &set); + return NT_STATUS_INVALID_PARAMETER; + } + } + } + + gss_release_buffer_set(&gss_min, &set); + return NT_STATUS_OK; +} + + +char *gssapi_error_string(TALLOC_CTX *mem_ctx, + OM_uint32 maj_stat, OM_uint32 min_stat, + const gss_OID mech) +{ + OM_uint32 disp_min_stat, disp_maj_stat; + gss_buffer_desc maj_error_message; + gss_buffer_desc min_error_message; + char *maj_error_string, *min_error_string; + OM_uint32 msg_ctx = 0; + + char *ret; + + maj_error_message.value = NULL; + min_error_message.value = NULL; + maj_error_message.length = 0; + min_error_message.length = 0; + + disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, + GSS_C_GSS_CODE, mech, + &msg_ctx, &maj_error_message); + if (disp_maj_stat != 0) { + maj_error_message.value = NULL; + maj_error_message.length = 0; + } + disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, + GSS_C_MECH_CODE, mech, + &msg_ctx, &min_error_message); + if (disp_maj_stat != 0) { + min_error_message.value = NULL; + min_error_message.length = 0; + } + + maj_error_string = talloc_strndup(mem_ctx, + (char *)maj_error_message.value, + maj_error_message.length); + + min_error_string = talloc_strndup(mem_ctx, + (char *)min_error_message.value, + min_error_message.length); + + ret = talloc_asprintf(mem_ctx, "%s: %s", + maj_error_string, min_error_string); + + talloc_free(maj_error_string); + talloc_free(min_error_string); + + gss_release_buffer(&disp_min_stat, &maj_error_message); + gss_release_buffer(&disp_min_stat, &min_error_message); + + return ret; +} + +#endif /* HAVE_KRB5 */ diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c new file mode 100644 index 0000000..ae4557b --- /dev/null +++ b/auth/kerberos/kerberos_pac.c @@ -0,0 +1,554 @@ +/* + Unix SMB/CIFS implementation. + kerberos authorization data (PAC) utility library + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Luke Howard 2002-2003 + Copyright (C) Stefan Metzmacher 2004-2005 + Copyright (C) Guenther Deschner 2005,2007,2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +#ifdef HAVE_KRB5 + +#include "librpc/gen_ndr/ndr_krb5pac.h" +#include "librpc/gen_ndr/auth.h" +#include "auth/common_auth.h" +#include "auth/kerberos/pac_utils.h" + +krb5_error_code check_pac_checksum(DATA_BLOB pac_data, + struct PAC_SIGNATURE_DATA *sig, + krb5_context context, + const krb5_keyblock *keyblock) +{ + krb5_error_code ret; + krb5_checksum cksum; + krb5_keyusage usage = 0; + krb5_boolean checksum_valid = false; + krb5_data input; + + switch (sig->type) { + case CKSUMTYPE_HMAC_MD5: + /* ignores the key type */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_256: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_128: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + default: + DEBUG(2,("check_pac_checksum: Checksum Type %"PRIu32" is not supported\n", + sig->type)); + return EINVAL; + } + +#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */ + cksum.cksumtype = (krb5_cksumtype)sig->type; + cksum.checksum.length = sig->signature.length; + cksum.checksum.data = sig->signature.data; +#else /* MIT */ + cksum.checksum_type = (krb5_cksumtype)sig->type; + cksum.length = sig->signature.length; + cksum.contents = sig->signature.data; +#endif + +#ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */ + usage = KRB5_KU_OTHER_CKSUM; +#elif defined(HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM) /* MIT */ + usage = KRB5_KEYUSAGE_APP_DATA_CKSUM; +#else +#error UNKNOWN_KRB5_KEYUSAGE +#endif + + input.data = (char *)pac_data.data; + input.length = pac_data.length; + + ret = krb5_c_verify_checksum(context, + keyblock, + usage, + &input, + &cksum, + &checksum_valid); + if (!checksum_valid) { + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + } + if (ret){ + DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n", + error_message(ret), ret)); + return ret; + } + + return ret; +} + +/** +* @brief Decode a blob containing a NDR encoded PAC structure +* +* @param mem_ctx - The memory context +* @param pac_data_blob - The data blob containing the NDR encoded data +* @param context - The Kerberos Context +* @param service_keyblock - The Service Key used to verify the checksum +* @param client_principal - The client principal +* @param tgs_authtime - The ticket timestamp +* @param pac_data_out - [out] The decoded PAC +* +* @return - A NTSTATUS error code +*/ +NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, + DATA_BLOB pac_data_blob, + krb5_context context, + const krb5_keyblock *krbtgt_keyblock, + const krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_DATA **pac_data_out) +{ + NTSTATUS status; + enum ndr_err_code ndr_err; + krb5_error_code ret; + DATA_BLOB modified_pac_blob; + + NTTIME tgs_authtime_nttime; + int i; + + struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL; + struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL; + struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL; + struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL; + struct PAC_LOGON_NAME *logon_name = NULL; + struct PAC_LOGON_INFO *logon_info = NULL; + struct PAC_DATA *pac_data = NULL; + struct PAC_DATA_RAW *pac_data_raw = NULL; + + DATA_BLOB *srv_sig_blob = NULL; + DATA_BLOB *kdc_sig_blob = NULL; + + bool bool_ret; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + if (pac_data_out) { + *pac_data_out = NULL; + } + + pac_data = talloc(tmp_ctx, struct PAC_DATA); + pac_data_raw = talloc(tmp_ctx, struct PAC_DATA_RAW); + kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); + srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) { + talloc_free(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data, + (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the PAC: %s\n", + nt_errstr(status))); + talloc_free(tmp_ctx); + return status; + } + + if (pac_data->num_buffers < 4) { + /* we need logon_info, service_key and kdc_key */ + DEBUG(0,("less than 4 PAC buffers\n")); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + ndr_err = ndr_pull_struct_blob( + &pac_data_blob, pac_data_raw, pac_data_raw, + (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the PAC: %s\n", + nt_errstr(status))); + talloc_free(tmp_ctx); + return status; + } + + if (pac_data_raw->num_buffers < 4) { + /* we need logon_info, service_key and kdc_key */ + DEBUG(0,("less than 4 PAC buffers\n")); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + if (pac_data->num_buffers != pac_data_raw->num_buffers) { + /* we need logon_info, service_key and kdc_key */ + DEBUG(0, ("misparse! PAC_DATA has %d buffers while " + "PAC_DATA_RAW has %d\n", pac_data->num_buffers, + pac_data_raw->num_buffers)); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + for (i=0; i < pac_data->num_buffers; i++) { + struct PAC_BUFFER *data_buf = &pac_data->buffers[i]; + struct PAC_BUFFER_RAW *raw_buf = &pac_data_raw->buffers[i]; + + if (data_buf->type != raw_buf->type) { + DEBUG(0, ("misparse! PAC_DATA buffer %d has type " + "%d while PAC_DATA_RAW has %d\n", i, + data_buf->type, raw_buf->type)); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + switch (data_buf->type) { + case PAC_TYPE_LOGON_INFO: + if (!data_buf->info) { + break; + } + logon_info = data_buf->info->logon_info.info; + break; + case PAC_TYPE_SRV_CHECKSUM: + if (!data_buf->info) { + break; + } + srv_sig_ptr = &data_buf->info->srv_cksum; + srv_sig_blob = &raw_buf->info->remaining; + break; + case PAC_TYPE_KDC_CHECKSUM: + if (!data_buf->info) { + break; + } + kdc_sig_ptr = &data_buf->info->kdc_cksum; + kdc_sig_blob = &raw_buf->info->remaining; + break; + case PAC_TYPE_LOGON_NAME: + logon_name = &data_buf->info->logon_name; + break; + default: + break; + } + } + + if (!logon_info) { + DEBUG(0,("PAC no logon_info\n")); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!logon_name) { + DEBUG(0,("PAC no logon_name\n")); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!srv_sig_ptr || !srv_sig_blob) { + DEBUG(0,("PAC no srv_key\n")); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!kdc_sig_ptr || !kdc_sig_blob) { + DEBUG(0,("PAC no kdc_key\n")); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + /* Find and zero out the signatures, + * as required by the signing algorithm */ + + /* We find the data blobs above, + * now we parse them to get at the exact portion we should zero */ + ndr_err = ndr_pull_struct_blob( + kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the KDC signature: %s\n", + nt_errstr(status))); + talloc_free(tmp_ctx); + return status; + } + + ndr_err = ndr_pull_struct_blob( + srv_sig_blob, srv_sig_wipe, srv_sig_wipe, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the SRV signature: %s\n", + nt_errstr(status))); + talloc_free(tmp_ctx); + return status; + } + + /* Now zero the decoded structure */ + memset(kdc_sig_wipe->signature.data, + '\0', kdc_sig_wipe->signature.length); + memset(srv_sig_wipe->signature.data, + '\0', srv_sig_wipe->signature.length); + + /* and re-encode, back into the same place it came from */ + ndr_err = ndr_push_struct_blob( + kdc_sig_blob, pac_data_raw, kdc_sig_wipe, + (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't repack the KDC signature: %s\n", + nt_errstr(status))); + talloc_free(tmp_ctx); + return status; + } + ndr_err = ndr_push_struct_blob( + srv_sig_blob, pac_data_raw, srv_sig_wipe, + (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't repack the SRV signature: %s\n", + nt_errstr(status))); + talloc_free(tmp_ctx); + return status; + } + + /* push out the whole structure, but now with zero'ed signatures */ + ndr_err = ndr_push_struct_blob( + &modified_pac_blob, pac_data_raw, pac_data_raw, + (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't repack the RAW PAC: %s\n", + nt_errstr(status))); + talloc_free(tmp_ctx); + return status; + } + + if (service_keyblock) { + /* verify by service_key */ + ret = check_pac_checksum(modified_pac_blob, srv_sig_ptr, + context, + service_keyblock); + if (ret) { + DEBUG(5, ("PAC Decode: Failed to verify the service " + "signature: %s\n", error_message(ret))); + return NT_STATUS_ACCESS_DENIED; + } + + if (krbtgt_keyblock) { + /* verify the service key checksum by krbtgt_key */ + ret = check_pac_checksum(srv_sig_ptr->signature, kdc_sig_ptr, + context, krbtgt_keyblock); + if (ret) { + DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n", + smb_get_krb5_error_message(context, ret, tmp_ctx))); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + } + } + + if (tgs_authtime) { + /* Convert to NT time, so as not to lose accuracy in comparison */ + unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime); + + if (tgs_authtime_nttime != logon_name->logon_time) { + DEBUG(2, ("PAC Decode: " + "Logon time mismatch between ticket and PAC!\n")); + DEBUG(2, ("PAC Decode: PAC: %s\n", + nt_time_string(tmp_ctx, logon_name->logon_time))); + DEBUG(2, ("PAC Decode: Ticket: %s\n", + nt_time_string(tmp_ctx, tgs_authtime_nttime))); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + } + + if (client_principal) { + char *client_principal_string; + ret = krb5_unparse_name_flags(context, client_principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY, + &client_principal_string); + if (ret) { + DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n", + logon_name->account_name, error_message(ret))); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0; + + if (!bool_ret) { + DEBUG(2, ("Name in PAC [%s] does not match principal name " + "in ticket [%s]\n", + logon_name->account_name, + client_principal_string)); + SAFE_FREE(client_principal_string); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + SAFE_FREE(client_principal_string); + + } + + DEBUG(3,("Found account name from PAC: %s [%s]\n", + logon_info->info3.base.account_name.string, + logon_info->info3.base.full_name.string)); + + DEBUG(10,("Successfully validated Kerberos PAC\n")); + + if (DEBUGLEVEL >= 10) { + const char *s; + s = NDR_PRINT_STRUCT_STRING(tmp_ctx, PAC_DATA, pac_data); + if (s) { + DEBUGADD(10,("%s\n", s)); + } + } + + if (pac_data_out) { + *pac_data_out = talloc_steal(mem_ctx, pac_data); + } + + return NT_STATUS_OK; +} + +NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, + DATA_BLOB blob, + krb5_context context, + const krb5_keyblock *krbtgt_keyblock, + const krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_LOGON_INFO **logon_info) +{ + NTSTATUS nt_status; + struct PAC_DATA *pac_data; + int i; + nt_status = kerberos_decode_pac(mem_ctx, + blob, + context, + krbtgt_keyblock, + service_keyblock, + client_principal, + tgs_authtime, + &pac_data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + *logon_info = NULL; + for (i=0; i < pac_data->num_buffers; i++) { + if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { + continue; + } + *logon_info = pac_data->buffers[i].info->logon_info.info; + } + if (!*logon_info) { + return NT_STATUS_INVALID_PARAMETER; + } + return NT_STATUS_OK; +} + +static NTSTATUS auth4_context_fetch_PAC_DATA_CTR( + struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *princ_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info) +{ + struct PAC_DATA_CTR *pac_data_ctr = NULL; + NTSTATUS status; + + if (pac_blob == NULL) { + return NT_STATUS_NO_IMPERSONATION_TOKEN; + } + + pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR); + if (pac_data_ctr == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + status = kerberos_decode_pac(pac_data_ctr, + *pac_blob, + NULL, + NULL, + NULL, + NULL, + 0, + &pac_data_ctr->pac_data); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr, + pac_blob->data, + pac_blob->length); + if (pac_data_ctr->pac_blob.length != pac_blob->length) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + *session_info = talloc_zero(mem_ctx, struct auth_session_info); + if (*session_info == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + TALLOC_FREE(auth_ctx->private_data); + auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr); + + return NT_STATUS_OK; + +fail: + TALLOC_FREE(pac_data_ctr); + + return status; +} + +struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx) +{ + struct auth4_context *auth_ctx = NULL; + + auth_ctx = talloc_zero(mem_ctx, struct auth4_context); + if (auth_ctx == NULL) { + return NULL; + } + auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR; + + return auth_ctx; +} + +struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx) +{ + struct PAC_DATA_CTR *p = NULL; + SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR); + p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR); + auth_ctx->private_data = NULL; + return talloc_move(mem_ctx, &p); +} + +#endif diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h new file mode 100644 index 0000000..36fd60c --- /dev/null +++ b/auth/kerberos/pac_utils.h @@ -0,0 +1,81 @@ +/* + Unix SMB/CIFS implementation. + kerberos authorization data (PAC) utility library + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011 + Copyright (C) Simo Sorce 2010-2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _PAC_UTILS_H +#define _PAC_UTILS_H + +#ifdef HAVE_KRB5 + +#include "lib/krb5_wrap/krb5_samba.h" +#include "lib/krb5_wrap/gss_samba.h" + +struct PAC_SIGNATURE_DATA; +struct PAC_DATA; +struct PAC_LOGON_INFO; + +krb5_error_code check_pac_checksum(DATA_BLOB pac_data, + struct PAC_SIGNATURE_DATA *sig, + krb5_context context, + const krb5_keyblock *keyblock); + +NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, + DATA_BLOB pac_data_blob, + krb5_context context, + const krb5_keyblock *krbtgt_keyblock, + const krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_DATA **pac_data_out); + +NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, + DATA_BLOB blob, + krb5_context context, + const krb5_keyblock *krbtgt_keyblock, + const krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_LOGON_INFO **logon_info); + +struct PAC_DATA; +struct PAC_DATA_CTR { + DATA_BLOB pac_blob; + struct PAC_DATA *pac_data; +}; + +struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx); +struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx); + +NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx, + gss_ctx_id_t gssapi_context, + gss_name_t gss_client_name, + DATA_BLOB *pac_data); +NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx, + gss_ctx_id_t gssapi_context, + DATA_BLOB *session_key, + uint32_t *keytype); + +/* not the best place here, need to move to a more generic gssapi + * wrapper later */ +char *gssapi_error_string(TALLOC_CTX *mem_ctx, + OM_uint32 maj_stat, OM_uint32 min_stat, + const gss_OID mech); +#endif /* HAVE_KRB5 */ +#endif /* _PAC_UTILS_H */ diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build new file mode 100644 index 0000000..bf8b05c --- /dev/null +++ b/auth/kerberos/wscript_build @@ -0,0 +1,4 @@ +#!/usr/bin/env python +bld.SAMBA_SUBSYSTEM('KRB5_PAC', + source='gssapi_pac.c kerberos_pac.c gssapi_helper.c', + deps='gssapi ndr-krb5pac krb5samba') diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c new file mode 100644 index 0000000..329d8eb --- /dev/null +++ b/auth/ntlmssp/gensec_ntlmssp.c @@ -0,0 +1,246 @@ +/* + * Unix SMB/CIFS implementation. + * Version 3.0 + * NTLMSSP Signing routines + * Copyright (C) Luke Kenneth Casson Leighton 1996-2001 + * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "auth/ntlmssp/ntlmssp.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "auth/ntlmssp/ntlmssp_private.h" + +NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security, + const DATA_BLOB *first_packet) +{ + if (ntlmssp_blob_matches_magic(first_packet)) { + return NT_STATUS_OK; + } else { + return NT_STATUS_INVALID_PARAMETER; + } +} + +/** + * Return the NTLMSSP master session key + * + * @param ntlmssp_state NTLMSSP State + */ + +NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + + if (ntlmssp_state->expected_state != NTLMSSP_DONE) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + + if (!ntlmssp_state->session_key.data) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + *session_key = data_blob_talloc(mem_ctx, ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); + if (!session_key->data) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + + if (feature & GENSEC_FEATURE_SIGN) { + if (!ntlmssp_state->session_key.length) { + return false; + } + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { + return true; + } + } + if (feature & GENSEC_FEATURE_SEAL) { + if (!ntlmssp_state->session_key.length) { + return false; + } + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + return true; + } + } + if (feature & GENSEC_FEATURE_SESSION_KEY) { + if (ntlmssp_state->session_key.length) { + return true; + } + } + if (feature & GENSEC_FEATURE_DCE_STYLE) { + return true; + } + if (feature & GENSEC_FEATURE_ASYNC_REPLIES) { + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + return true; + } + } + if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) { + return true; + } + if (feature & GENSEC_FEATURE_NEW_SPNEGO) { + if (!ntlmssp_state->session_key.length) { + return false; + } + if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + return false; + } + return ntlmssp_state->new_spnego; + } + + return false; +} + +NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp; + + gensec_ntlmssp = talloc_zero(gensec_security, + struct gensec_ntlmssp_context); + if (!gensec_ntlmssp) { + return NT_STATUS_NO_MEMORY; + } + + gensec_security->private_data = gensec_ntlmssp; + return NT_STATUS_OK; +} + +NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + NTSTATUS nt_status; + + nt_status = ntlmssp_sign_packet(gensec_ntlmssp->ntlmssp_state, + sig_mem_ctx, + data, length, + whole_pdu, pdu_length, + sig); + + return nt_status; +} + +NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + NTSTATUS nt_status; + + nt_status = ntlmssp_check_packet(gensec_ntlmssp->ntlmssp_state, + data, length, + whole_pdu, pdu_length, + sig); + + return nt_status; +} + +NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *sig_mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + NTSTATUS nt_status; + + nt_status = ntlmssp_seal_packet(gensec_ntlmssp->ntlmssp_state, + sig_mem_ctx, + data, length, + whole_pdu, pdu_length, + sig); + + return nt_status; +} + +/* + wrappers for the ntlmssp_*() functions +*/ +NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + NTSTATUS nt_status; + + nt_status = ntlmssp_unseal_packet(gensec_ntlmssp->ntlmssp_state, + data, length, + whole_pdu, pdu_length, + sig); + + return nt_status; +} + +size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size) +{ + return NTLMSSP_SIG_SIZE; +} + +NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + + return ntlmssp_wrap(gensec_ntlmssp->ntlmssp_state, + out_mem_ctx, + in, out); +} + + +NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + + return ntlmssp_unwrap(gensec_ntlmssp->ntlmssp_state, + out_mem_ctx, + in, out); +} diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c new file mode 100644 index 0000000..ab92f4d --- /dev/null +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -0,0 +1,245 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NLTMSSP, client server side parsing + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005 + Copyright (C) Stefan Metzmacher 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/network.h" +#include "lib/tsocket/tsocket.h" +#include "auth/ntlmssp/ntlmssp.h" +#include "../librpc/gen_ndr/ndr_ntlmssp.h" +#include "auth/ntlmssp/ntlmssp_ndr.h" +#include "auth/ntlmssp/ntlmssp_private.h" +#include "../libcli/auth/libcli_auth.h" +#include "../lib/crypto/crypto.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "auth/common_auth.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "libds/common/roles.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/** + * Return the credentials of a logged on user, including session keys + * etc. + * + * Only valid after a successful authentication + * + * May only be called once per authentication. + * + */ + +NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + uint32_t session_info_flags = 0; + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + session_info_flags |= AUTH_SESSION_INFO_NTLM; + + if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) { + nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx, + gensec_ntlmssp->server_returned_info, + gensec_ntlmssp->ntlmssp_state->user, + session_info_flags, + session_info); + } else { + DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + NT_STATUS_NOT_OK_RETURN(nt_status); + + nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info, + &(*session_info)->session_key); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) { + (*session_info)->session_key = data_blob_null; + nt_status = NT_STATUS_OK; + } + + return nt_status; +} + +/** + * Start NTLMSSP on the server side + * + */ +NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) +{ + NTSTATUS nt_status; + struct ntlmssp_state *ntlmssp_state; + struct gensec_ntlmssp_context *gensec_ntlmssp; + const char *netbios_name; + const char *netbios_domain; + const char *dns_name; + const char *dns_domain; + enum server_role role; + + role = lpcfg_server_role(gensec_security->settings->lp_ctx); + + nt_status = gensec_ntlmssp_start(gensec_security); + NT_STATUS_NOT_OK_RETURN(nt_status); + + gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + + ntlmssp_state = talloc_zero(gensec_ntlmssp, + struct ntlmssp_state); + if (!ntlmssp_state) { + return NT_STATUS_NO_MEMORY; + } + gensec_ntlmssp->ntlmssp_state = ntlmssp_state; + + ntlmssp_state->role = NTLMSSP_SERVER; + + ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE; + + ntlmssp_state->allow_lm_response = + lpcfg_lanman_auth(gensec_security->settings->lp_ctx); + + if (ntlmssp_state->allow_lm_response && + gensec_setting_bool(gensec_security->settings, + "ntlmssp_server", "allow_lm_key", false)) + { + ntlmssp_state->allow_lm_key = true; + } + + ntlmssp_state->force_old_spnego = false; + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) { + /* + * For testing Windows 2000 mode + */ + ntlmssp_state->force_old_spnego = true; + } + + ntlmssp_state->neg_flags = + NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION; + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + + if (ntlmssp_state->allow_lm_key) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; + } + + /* + * We always allow NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. + * + * These will be removed if the client doesn't want them. + */ + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; + + + if (role == ROLE_STANDALONE) { + ntlmssp_state->server.is_standalone = true; + } else { + ntlmssp_state->server.is_standalone = false; + } + + if (gensec_security->settings->server_netbios_name) { + netbios_name = gensec_security->settings->server_netbios_name; + } else { + netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx); + } + + if (gensec_security->settings->server_netbios_domain) { + netbios_domain = gensec_security->settings->server_netbios_domain; + } else { + netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx); + } + + if (gensec_security->settings->server_dns_name) { + dns_name = gensec_security->settings->server_dns_name; + } else { + const char *dnsdomain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx); + char *lower_netbiosname; + + lower_netbiosname = strlower_talloc(ntlmssp_state, netbios_name); + NT_STATUS_HAVE_NO_MEMORY(lower_netbiosname); + + /* Find out the DNS host name */ + if (dnsdomain && dnsdomain[0] != '\0') { + dns_name = talloc_asprintf(ntlmssp_state, "%s.%s", + lower_netbiosname, + dnsdomain); + talloc_free(lower_netbiosname); + NT_STATUS_HAVE_NO_MEMORY(dns_name); + } else { + dns_name = lower_netbiosname; + } + } + + if (gensec_security->settings->server_dns_domain) { + dns_domain = gensec_security->settings->server_dns_domain; + } else { + dns_domain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx); + } + + ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name); + NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.netbios_name); + + ntlmssp_state->server.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain); + NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.netbios_domain); + + ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state, dns_name); + NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name); + + ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state, dns_domain); + NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain); + + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; + ntlmssp_state->conf_flags = ntlmssp_state->neg_flags; + + return NT_STATUS_OK; +} + diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c new file mode 100644 index 0000000..745f262 --- /dev/null +++ b/auth/ntlmssp/ntlmssp.c @@ -0,0 +1,408 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NLTMSSP, client server side parsing + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005 + Copyright (C) Stefan Metzmacher 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +struct auth_session_info; + +#include "includes.h" +#include <tevent.h> +#include "lib/util/tevent_ntstatus.h" +#include "auth/ntlmssp/ntlmssp.h" +#include "auth/ntlmssp/ntlmssp_private.h" +#include "../libcli/auth/libcli_auth.h" +#include "librpc/gen_ndr/ndr_dcerpc.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/** + * Callbacks for NTLMSSP - for both client and server operating modes + * + */ + +static const struct ntlmssp_callbacks { + enum ntlmssp_role role; + enum ntlmssp_message_type command; + NTSTATUS (*sync_fn)(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB in, DATA_BLOB *out); + struct tevent_req *(*send_fn)(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in); + NTSTATUS (*recv_fn)(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out); +} ntlmssp_callbacks[] = { + { + .role = NTLMSSP_CLIENT, + .command = NTLMSSP_INITIAL, + .sync_fn = ntlmssp_client_initial, + },{ + .role = NTLMSSP_CLIENT, + .command = NTLMSSP_NEGOTIATE, + .sync_fn = gensec_ntlmssp_resume_ccache, + },{ + .role = NTLMSSP_SERVER, + .command = NTLMSSP_NEGOTIATE, + .sync_fn = gensec_ntlmssp_server_negotiate, + },{ + .role = NTLMSSP_CLIENT, + .command = NTLMSSP_CHALLENGE, + .sync_fn = ntlmssp_client_challenge, + },{ + .role = NTLMSSP_SERVER, + .command = NTLMSSP_AUTH, + .send_fn = ntlmssp_server_auth_send, + .recv_fn = ntlmssp_server_auth_recv, + } +}; + + +static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_security, + struct gensec_ntlmssp_context *gensec_ntlmssp, + const DATA_BLOB input, uint32_t *idx) +{ + uint32_t ntlmssp_command; + uint32_t i; + + if (gensec_ntlmssp->ntlmssp_state->expected_state == NTLMSSP_DONE) { + /* We are strict here because other modules, which we + * don't fully control (such as GSSAPI) are also + * strict, but are tested less often */ + + DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!input.length) { + switch (gensec_ntlmssp->ntlmssp_state->role) { + case NTLMSSP_CLIENT: + if (gensec_ntlmssp->ntlmssp_state->resume_ccache) { + /* + * make sure gensec_ntlmssp_resume_ccache() + * will be called + */ + ntlmssp_command = NTLMSSP_NEGOTIATE; + break; + } + + ntlmssp_command = NTLMSSP_INITIAL; + break; + case NTLMSSP_SERVER: + if (gensec_security->want_features & GENSEC_FEATURE_DATAGRAM_MODE) { + /* 'datagram' mode - no neg packet */ + ntlmssp_command = NTLMSSP_NEGOTIATE; + } else { + /* This is normal in SPNEGO mech negotiation fallback */ + DEBUG(2, ("Failed to parse NTLMSSP packet: zero length\n")); + return NT_STATUS_INVALID_PARAMETER; + } + break; + default: + DEBUG(1, ("NTLMSSP state has invalid role %d\n", + gensec_ntlmssp->ntlmssp_state->role)); + return NT_STATUS_INVALID_PARAMETER; + } + } else { + if (!msrpc_parse(gensec_ntlmssp->ntlmssp_state, + &input, "Cd", + "NTLMSSP", + &ntlmssp_command)) { + DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n")); + dump_data(2, input.data, input.length); + return NT_STATUS_INVALID_PARAMETER; + } + } + + if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) { + DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, + gensec_ntlmssp->ntlmssp_state->expected_state)); + return NT_STATUS_INVALID_PARAMETER; + } + + for (i=0; i < ARRAY_SIZE(ntlmssp_callbacks); i++) { + if (ntlmssp_callbacks[i].role == gensec_ntlmssp->ntlmssp_state->role && + ntlmssp_callbacks[i].command == ntlmssp_command) { + *idx = i; + return NT_STATUS_OK; + } + } + + DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n", + gensec_ntlmssp->ntlmssp_state->role, ntlmssp_command)); + + return NT_STATUS_INVALID_PARAMETER; +} + +struct gensec_ntlmssp_update_state { + const struct ntlmssp_callbacks *cb; + NTSTATUS status; + DATA_BLOB out; +}; + +static void gensec_ntlmssp_update_done(struct tevent_req *subreq); + +static struct tevent_req *gensec_ntlmssp_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct tevent_req *req = NULL; + struct gensec_ntlmssp_update_state *state = NULL; + NTSTATUS status; + uint32_t i = 0; + + req = tevent_req_create(mem_ctx, &state, + struct gensec_ntlmssp_update_state); + if (req == NULL) { + return NULL; + } + + status = gensec_ntlmssp_update_find(gensec_security, + gensec_ntlmssp, + in, &i); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + if (ntlmssp_callbacks[i].send_fn != NULL) { + struct tevent_req *subreq = NULL; + + state->cb = &ntlmssp_callbacks[i]; + + subreq = state->cb->send_fn(state, ev, + gensec_security, + in); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, + gensec_ntlmssp_update_done, + req); + return req; + } + + status = ntlmssp_callbacks[i].sync_fn(gensec_security, + state, + in, &state->out); + state->status = status; + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + tevent_req_done(req); + return tevent_req_post(req, ev); +} + +static void gensec_ntlmssp_update_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct gensec_ntlmssp_update_state *state = + tevent_req_data(req, + struct gensec_ntlmssp_update_state); + NTSTATUS status; + + status = state->cb->recv_fn(subreq, state, &state->out); + TALLOC_FREE(subreq); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + tevent_req_nterror(req, status); + return; + } + + state->status = status; + tevent_req_done(req); +} + +static NTSTATUS gensec_ntlmssp_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct gensec_ntlmssp_update_state *state = + tevent_req_data(req, + struct gensec_ntlmssp_update_state); + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + *out = state->out; + talloc_steal(out_mem_ctx, state->out.data); + status = state->status; + tevent_req_received(req); + return status; +} + +static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_security, + bool full_reset) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + NTSTATUS status; + bool reset_seqnums = full_reset; + + if (!gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_OK; + } + + status = ntlmssp_sign_reset(ntlmssp_state, reset_seqnums); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not reset NTLMSSP signing/sealing system (error was: %s)\n", + nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; +} + +static const char *gensec_ntlmssp_final_auth_type(struct gensec_security *gensec_security) +{ + return GENSEC_FINAL_AUTH_TYPE_NTLMSSP; +} + +static const char *gensec_ntlmssp_oids[] = { + GENSEC_OID_NTLMSSP, + NULL +}; + +static const struct gensec_security_ops gensec_ntlmssp_security_ops = { + .name = "ntlmssp", + .sasl_name = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */ + .auth_type = DCERPC_AUTH_TYPE_NTLMSSP, + .weak_crypto = true, + .oid = gensec_ntlmssp_oids, + .client_start = gensec_ntlmssp_client_start, + .server_start = gensec_ntlmssp_server_start, + .magic = gensec_ntlmssp_magic, + .update_send = gensec_ntlmssp_update_send, + .update_recv = gensec_ntlmssp_update_recv, + .may_reset_crypto= gensec_ntlmssp_may_reset_crypto, + .sig_size = gensec_ntlmssp_sig_size, + .sign_packet = gensec_ntlmssp_sign_packet, + .check_packet = gensec_ntlmssp_check_packet, + .seal_packet = gensec_ntlmssp_seal_packet, + .unseal_packet = gensec_ntlmssp_unseal_packet, + .wrap = gensec_ntlmssp_wrap, + .unwrap = gensec_ntlmssp_unwrap, + .session_key = gensec_ntlmssp_session_key, + .session_info = gensec_ntlmssp_session_info, + .have_feature = gensec_ntlmssp_have_feature, + .final_auth_type = gensec_ntlmssp_final_auth_type, + .enabled = true, + .priority = GENSEC_NTLMSSP +}; + +static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = { + .name = "ntlmssp_resume_ccache", + .weak_crypto = true, + .client_start = gensec_ntlmssp_resume_ccache_start, + .update_send = gensec_ntlmssp_update_send, + .update_recv = gensec_ntlmssp_update_recv, + .session_key = gensec_ntlmssp_session_key, + .have_feature = gensec_ntlmssp_have_feature, + .enabled = true, + .priority = GENSEC_NTLMSSP +}; + +_PUBLIC_ NTSTATUS gensec_ntlmssp_init(TALLOC_CTX *ctx) +{ + NTSTATUS ret; + + ret = gensec_register(ctx, &gensec_ntlmssp_security_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_ntlmssp_security_ops.name)); + return ret; + } + + ret = gensec_register(ctx, &gensec_ntlmssp_resume_ccache_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_ntlmssp_resume_ccache_ops.name)); + return ret; + } + + return ret; +} + +static struct gensec_security *gensec_find_child_by_ops(struct gensec_security *gensec_security, + const struct gensec_security_ops *ops) +{ + struct gensec_security *current = gensec_security; + + while (current != NULL) { + if (current->ops == ops) { + return current; + } + + current = current->child_security; + } + + return NULL; +} + +uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp; + + gensec_security = gensec_find_child_by_ops(gensec_security, + &gensec_ntlmssp_security_ops); + if (gensec_security == NULL) { + return 0; + } + + gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + return gensec_ntlmssp->ntlmssp_state->neg_flags; +} + +const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp; + + gensec_security = gensec_find_child_by_ops(gensec_security, + &gensec_ntlmssp_security_ops); + if (gensec_security == NULL) { + return NULL; + } + + gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + return gensec_ntlmssp->ntlmssp_state->server.netbios_domain; +} diff --git a/auth/ntlmssp/ntlmssp.h b/auth/ntlmssp/ntlmssp.h new file mode 100644 index 0000000..49f47c2 --- /dev/null +++ b/auth/ntlmssp/ntlmssp.h @@ -0,0 +1,151 @@ +/* + Unix SMB/CIFS implementation. + SMB parameters and setup + Copyright (C) Andrew Tridgell 1992-1997 + Copyright (C) Luke Kenneth Casson Leighton 1996-1997 + Copyright (C) Paul Ashton 1997 + Copyright (C) Andrew Bartlett 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "../librpc/gen_ndr/ntlmssp.h" + +struct auth_context; +struct auth_serversupplied_info; +struct tsocket_address; +struct auth_user_info_dc; +struct gensec_security; +struct ntlmssp_state; + +/* NTLMSSP mode */ +enum ntlmssp_role +{ + NTLMSSP_SERVER, + NTLMSSP_CLIENT +}; + +/* NTLMSSP message types */ +enum ntlmssp_message_type +{ + NTLMSSP_INITIAL = 0 /* samba internal state */, + NTLMSSP_NEGOTIATE = 1, + NTLMSSP_CHALLENGE = 2, + NTLMSSP_AUTH = 3, + NTLMSSP_UNKNOWN = 4, + NTLMSSP_DONE = 5 /* samba final state */ +}; + +#define NTLMSSP_FEATURE_SESSION_KEY 0x00000001 +#define NTLMSSP_FEATURE_SIGN 0x00000002 +#define NTLMSSP_FEATURE_SEAL 0x00000004 +#define NTLMSSP_FEATURE_CCACHE 0x00000008 + +union ntlmssp_crypt_state; + +struct ntlmssp_state +{ + enum ntlmssp_role role; + uint32_t expected_state; + + bool unicode; + bool use_ntlmv2; + bool use_ccache; + bool resume_ccache; + bool use_nt_response; /* Set to 'False' to debug what happens when the NT response is omitted */ + bool allow_lm_response;/* The LM_RESPONSE code is not very secure... */ + bool allow_lm_key; /* The LM_KEY code is not very secure... */ + + const char *user; + const char *domain; + uint8_t *nt_hash; + uint8_t *lm_hash; + + DATA_BLOB negotiate_blob; + DATA_BLOB challenge_blob; + bool new_spnego; + bool force_old_spnego; + + struct { + const char *netbios_name; + const char *netbios_domain; + struct AV_PAIR_LIST av_pair_list; + } client; + + struct { + bool is_standalone; + const char *netbios_name; + const char *netbios_domain; + const char *dns_name; + const char *dns_domain; + NTTIME challenge_endtime; + struct AV_PAIR_LIST av_pair_list; + } server; + + DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */ + + DATA_BLOB chal; /* Random challenge as input into the actual NTLM (or NTLM2) authentication */ + DATA_BLOB lm_resp; + DATA_BLOB nt_resp; + DATA_BLOB session_key; + + uint32_t conf_flags; + uint32_t required_flags; + uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */ + + bool force_wrap_seal; + + union ntlmssp_crypt_state *crypt; +}; + +/* The following definitions come from libcli/auth/ntlmssp_sign.c */ + +NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) ; +NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); +NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_stae, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); +NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, + bool reset_seqnums); +NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state); + +bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob); + +/* The following definitions come from auth/ntlmssp/gensec_ntlmssp.c */ + +NTSTATUS gensec_ntlmssp_init(TALLOC_CTX *ctx); + +uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security); +const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security); diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c new file mode 100644 index 0000000..337aeed --- /dev/null +++ b/auth/ntlmssp/ntlmssp_client.c @@ -0,0 +1,1020 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NLTMSSP, client server side parsing + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005 + Copyright (C) Stefan Metzmacher 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +struct auth_session_info; + +#include "includes.h" +#include "auth/ntlmssp/ntlmssp.h" +#include "../libcli/auth/libcli_auth.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "param/param.h" +#include "auth/ntlmssp/ntlmssp_private.h" +#include "../librpc/gen_ndr/ndr_ntlmssp.h" +#include "../auth/ntlmssp/ntlmssp_ndr.h" +#include "../nsswitch/libwbclient/wbclient.h" + +#include "lib/crypto/gnutls_helpers.h" +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/********************************************************************* + Client side NTLMSSP +*********************************************************************/ + +/** + * Next state function for the Initial packet + * + * @param ntlmssp_state NTLMSSP State + * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context + * @param in A NULL data blob (input ignored) + * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx + * @return Errors or NT_STATUS_OK. + */ + +NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB in, DATA_BLOB *out) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + NTSTATUS status; + const DATA_BLOB version_blob = ntlmssp_version_blob(); + + /* generate the ntlmssp negotiate packet */ + status = msrpc_gen(out_mem_ctx, + out, "CddAAb", + "NTLMSSP", + NTLMSSP_NEGOTIATE, + ntlmssp_state->neg_flags, + "", /* domain */ + "", /* workstation */ + version_blob.data, version_blob.length); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("ntlmssp_client_initial: failed to generate " + "ntlmssp negotiate packet\n")); + return status; + } + + if (DEBUGLEVEL >= 10) { + struct NEGOTIATE_MESSAGE *negotiate = talloc( + ntlmssp_state, struct NEGOTIATE_MESSAGE); + if (negotiate != NULL) { + status = ntlmssp_pull_NEGOTIATE_MESSAGE( + out, negotiate, negotiate); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, + negotiate); + } + TALLOC_FREE(negotiate); + } + } + + ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state, + *out); + if (ntlmssp_state->negotiate_blob.length != out->length) { + return NT_STATUS_NO_MEMORY; + } + + ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB in, DATA_BLOB *out) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + uint32_t neg_flags = 0; + uint32_t ntlmssp_command; + NTSTATUS status; + bool ok; + + *out = data_blob_null; + + if (in.length == 0) { + /* + * This is compat code for older callers + * which were missing the "initial_blob"/"negotiate_blob". + * + * That means we can't calculate the NTLMSSP_MIC + * field correctly and need to force the + * old_spnego behaviour. + */ + DEBUG(10, ("%s: in.length==%u force_old_spnego!\n", + __func__, (unsigned int)in.length)); + ntlmssp_state->force_old_spnego = true; + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; + ntlmssp_state->required_flags = 0; + ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; + return NT_STATUS_MORE_PROCESSING_REQUIRED; + } + + /* parse the NTLMSSP packet */ + + if (in.length > UINT16_MAX) { + DEBUG(1, ("%s: reject large request of length %u\n", + __func__, (unsigned int)in.length)); + return NT_STATUS_INVALID_PARAMETER; + } + + ok = msrpc_parse(ntlmssp_state, &in, "Cdd", + "NTLMSSP", + &ntlmssp_command, + &neg_flags); + if (!ok) { + DEBUG(1, ("%s: failed to parse NTLMSSP Negotiate of length %u\n", + __func__, (unsigned int)in.length)); + dump_data(2, in.data, in.length); + return NT_STATUS_INVALID_PARAMETER; + } + + if (ntlmssp_command != NTLMSSP_NEGOTIATE) { + DEBUG(1, ("%s: no NTLMSSP Negotiate message (length %u)\n", + __func__, (unsigned int)in.length)); + dump_data(2, in.data, in.length); + return NT_STATUS_INVALID_PARAMETER; + } + + ntlmssp_state->neg_flags = neg_flags; + DEBUG(3, ("Imported Negotiate flags:\n")); + debug_ntlmssp_flags(neg_flags); + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_UNICODE) { + ntlmssp_state->unicode = true; + } else { + ntlmssp_state->unicode = false; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { + gensec_security->want_features |= GENSEC_FEATURE_SIGN; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + gensec_security->want_features |= GENSEC_FEATURE_SEAL; + } + + ntlmssp_state->conf_flags = ntlmssp_state->neg_flags; + ntlmssp_state->required_flags = 0; + + if (DEBUGLEVEL >= 10) { + struct NEGOTIATE_MESSAGE *negotiate = talloc( + ntlmssp_state, struct NEGOTIATE_MESSAGE); + if (negotiate != NULL) { + status = ntlmssp_pull_NEGOTIATE_MESSAGE( + &in, negotiate, negotiate); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, + negotiate); + } + TALLOC_FREE(negotiate); + } + } + + ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state, + in); + if (ntlmssp_state->negotiate_blob.length != in.length) { + return NT_STATUS_NO_MEMORY; + } + + ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +/** + * Next state function for the Challenge Packet. Generate an auth packet. + * + * @param gensec_security GENSEC state + * @param out_mem_ctx Memory context for *out + * @param in The server challnege, as a DATA_BLOB. reply.data must be NULL + * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context + * @return Errors or NT_STATUS_OK. + */ + +NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + uint32_t chal_flags, ntlmssp_command, unkn1 = 0, unkn2 = 0; + DATA_BLOB server_domain_blob; + DATA_BLOB challenge_blob; + DATA_BLOB target_info = data_blob(NULL, 0); + char *server_domain; + const char *chal_parse_string; + const char *chal_parse_string_short = NULL; + const char *auth_gen_string; + DATA_BLOB lm_response = data_blob(NULL, 0); + DATA_BLOB nt_response = data_blob(NULL, 0); + DATA_BLOB session_key = data_blob(NULL, 0); + DATA_BLOB lm_session_key = data_blob(NULL, 0); + DATA_BLOB encrypted_session_key = data_blob(NULL, 0); + NTSTATUS nt_status; + int flags = 0; + const char *user = NULL, *domain = NULL, *workstation = NULL; + bool is_anonymous = false; + const DATA_BLOB version_blob = ntlmssp_version_blob(); + const NTTIME *server_timestamp = NULL; + uint8_t mic_buffer[NTLMSSP_MIC_SIZE] = { 0, }; + DATA_BLOB mic_blob = data_blob_const(mic_buffer, sizeof(mic_buffer)); + gnutls_hmac_hd_t hmac_hnd = NULL; + int rc; + + TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx); + if (!mem_ctx) { + return NT_STATUS_NO_MEMORY; + } + + if (!msrpc_parse(mem_ctx, + &in, "CdBd", + "NTLMSSP", + &ntlmssp_command, + &server_domain_blob, + &chal_flags)) { + DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n")); + dump_data(2, in.data, in.length); + talloc_free(mem_ctx); + + return NT_STATUS_INVALID_PARAMETER; + } + + data_blob_free(&server_domain_blob); + + DEBUG(3, ("Got challenge flags:\n")); + debug_ntlmssp_flags(chal_flags); + + nt_status = ntlmssp_handle_neg_flags(ntlmssp_state, + chal_flags, "challenge"); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + if (ntlmssp_state->unicode) { + if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { + chal_parse_string = "CdUdbddB"; + } else { + chal_parse_string = "CdUdbdd"; + chal_parse_string_short = "CdUdb"; + } + auth_gen_string = "CdBBUUUBdbb"; + } else { + if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { + chal_parse_string = "CdAdbddB"; + } else { + chal_parse_string = "CdAdbdd"; + chal_parse_string_short = "CdAdb"; + } + + auth_gen_string = "CdBBAAABdbb"; + } + + if (!msrpc_parse(mem_ctx, + &in, chal_parse_string, + "NTLMSSP", + &ntlmssp_command, + &server_domain, + &chal_flags, + &challenge_blob, 8, + &unkn1, &unkn2, + &target_info)) { + + bool ok = false; + + DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n")); + + if (chal_parse_string_short != NULL) { + /* + * In the case where NTLMSSP_NEGOTIATE_TARGET_INFO + * is not used, some NTLMSSP servers don't return + * the unused unkn1 and unkn2 fields. + * See bug: + * https://bugzilla.samba.org/show_bug.cgi?id=10016 + * for packet traces. + * Try and parse again without them. + */ + ok = msrpc_parse(mem_ctx, + &in, chal_parse_string_short, + "NTLMSSP", + &ntlmssp_command, + &server_domain, + &chal_flags, + &challenge_blob, 8); + if (!ok) { + DEBUG(1, ("Failed to short parse " + "the NTLMSSP Challenge: (#2)\n")); + } + } + + if (!ok) { + dump_data(2, in.data, in.length); + talloc_free(mem_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + } + + if (DEBUGLEVEL >= 10) { + struct CHALLENGE_MESSAGE *challenge = + talloc(ntlmssp_state, struct CHALLENGE_MESSAGE); + if (challenge != NULL) { + NTSTATUS status; + challenge->NegotiateFlags = chal_flags; + status = ntlmssp_pull_CHALLENGE_MESSAGE( + &in, challenge, challenge); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, + challenge); + } + TALLOC_FREE(challenge); + } + } + + if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) { + ntlmssp_state->server.is_standalone = true; + } else { + ntlmssp_state->server.is_standalone = false; + } + /* TODO: parse struct_blob and fill in the rest */ + ntlmssp_state->server.netbios_name = ""; + ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain); + ntlmssp_state->server.dns_name = ""; + ntlmssp_state->server.dns_domain = ""; + + if (challenge_blob.length != 8) { + talloc_free(mem_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + is_anonymous = cli_credentials_is_anonymous(gensec_security->credentials); + cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx, + &user, &domain); + + workstation = cli_credentials_get_workstation(gensec_security->credentials); + + if (user == NULL) { + DEBUG(10, ("User is NULL, returning INVALID_PARAMETER\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (domain == NULL) { + DEBUG(10, ("Domain is NULL, returning INVALID_PARAMETER\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (workstation == NULL) { + DEBUG(10, ("Workstation is NULL, returning INVALID_PARAMETER\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (is_anonymous) { + ntlmssp_state->neg_flags |= NTLMSSP_ANONYMOUS; + /* + * don't use the ccache for anonymous auth + */ + ntlmssp_state->use_ccache = false; + } + if (ntlmssp_state->use_ccache) { + struct samr_Password *nt_hash = NULL; + + /* + * If we have a password given we don't + * use the ccache + */ + nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, + mem_ctx); + if (nt_hash != NULL) { + ZERO_STRUCTP(nt_hash); + TALLOC_FREE(nt_hash); + ntlmssp_state->use_ccache = false; + } + } + + if (ntlmssp_state->use_ccache) { + struct wbcCredentialCacheParams params; + struct wbcCredentialCacheInfo *info = NULL; + struct wbcAuthErrorInfo *error = NULL; + struct wbcNamedBlob auth_blobs[2]; + const struct wbcBlob *wbc_auth_blob = NULL; + const struct wbcBlob *wbc_session_key = NULL; + wbcErr wbc_status; + size_t i; + bool new_spnego = false; + + params.account_name = user; + params.domain_name = domain; + params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP; + + auth_blobs[0].name = "challenge_blob"; + auth_blobs[0].flags = 0; + auth_blobs[0].blob.data = in.data; + auth_blobs[0].blob.length = in.length; + auth_blobs[1].name = "negotiate_blob"; + auth_blobs[1].flags = 0; + auth_blobs[1].blob.data = ntlmssp_state->negotiate_blob.data; + auth_blobs[1].blob.length = ntlmssp_state->negotiate_blob.length; + params.num_blobs = ARRAY_SIZE(auth_blobs); + params.blobs = auth_blobs; + + wbc_status = wbcCredentialCache(¶ms, &info, &error); + wbcFreeMemory(error); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return NT_STATUS_WRONG_CREDENTIAL_HANDLE; + } + + for (i=0; i<info->num_blobs; i++) { + if (strequal(info->blobs[i].name, "auth_blob")) { + wbc_auth_blob = &info->blobs[i].blob; + } + if (strequal(info->blobs[i].name, "session_key")) { + wbc_session_key = &info->blobs[i].blob; + } + if (strequal(info->blobs[i].name, "new_spnego")) { + new_spnego = true; + } + } + if ((wbc_auth_blob == NULL) || (wbc_session_key == NULL)) { + wbcFreeMemory(info); + return NT_STATUS_WRONG_CREDENTIAL_HANDLE; + } + + session_key = data_blob_talloc(mem_ctx, + wbc_session_key->data, + wbc_session_key->length); + if (session_key.length != wbc_session_key->length) { + wbcFreeMemory(info); + return NT_STATUS_NO_MEMORY; + } + *out = data_blob_talloc(mem_ctx, + wbc_auth_blob->data, + wbc_auth_blob->length); + if (out->length != wbc_auth_blob->length) { + wbcFreeMemory(info); + return NT_STATUS_NO_MEMORY; + } + ntlmssp_state->new_spnego = new_spnego; + + wbcFreeMemory(info); + goto done; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + flags |= CLI_CRED_NTLM2; + } + if (ntlmssp_state->use_ntlmv2) { + flags |= CLI_CRED_NTLMv2_AUTH; + } + if (ntlmssp_state->use_nt_response) { + flags |= CLI_CRED_NTLM_AUTH; + } + if (ntlmssp_state->allow_lm_response) { + flags |= CLI_CRED_LANMAN_AUTH; + } + + if (target_info.length != 0 && !is_anonymous) { + struct AV_PAIR *pairs = NULL; + uint32_t count = 0; + enum ndr_err_code err; + struct AV_PAIR *timestamp = NULL; + struct AV_PAIR *eol = NULL; + uint32_t i = 0; + const char *service = NULL; + const char *hostname = NULL; + + err = ndr_pull_struct_blob(&target_info, + ntlmssp_state, + &ntlmssp_state->server.av_pair_list, + (ndr_pull_flags_fn_t)ndr_pull_AV_PAIR_LIST); + if (!NDR_ERR_CODE_IS_SUCCESS(err)) { + return ndr_map_error2ntstatus(err); + } + + count = ntlmssp_state->server.av_pair_list.count; + /* + * We need room for Flags, SingleHost, + * ChannelBindings and Target + */ + pairs = talloc_zero_array(ntlmssp_state, struct AV_PAIR, + count + 4); + if (pairs == NULL) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < count; i++) { + pairs[i] = ntlmssp_state->server.av_pair_list.pair[i]; + } + + ntlmssp_state->client.av_pair_list.count = count; + ntlmssp_state->client.av_pair_list.pair = pairs; + + eol = ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list, + MsvAvEOL); + if (eol == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + timestamp = ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list, + MsvAvTimestamp); + if (timestamp != NULL) { + uint32_t sign_features = + GENSEC_FEATURE_SESSION_KEY | + GENSEC_FEATURE_SIGN | + GENSEC_FEATURE_SEAL; + + server_timestamp = ×tamp->Value.AvTimestamp; + + if (ntlmssp_state->force_old_spnego) { + sign_features = 0; + } + + if (gensec_security->want_features & sign_features) { + struct AV_PAIR *av_flags = NULL; + + av_flags = ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list, + MsvAvFlags); + if (av_flags == NULL) { + av_flags = eol; + eol++; + count++; + *eol = *av_flags; + av_flags->AvId = MsvAvFlags; + av_flags->Value.AvFlags = 0; + } + + av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE; + ntlmssp_state->new_spnego = true; + } + } + + { + struct AV_PAIR *SingleHost = NULL; + + SingleHost = eol; + eol++; + count++; + *eol = *SingleHost; + + /* + * This is not really used, but we want to + * add some more random bytes and match + * Windows. + */ + SingleHost->AvId = MsvAvSingleHost; + SingleHost->Value.AvSingleHost.token_info.Flags = 0; + SingleHost->Value.AvSingleHost.token_info.TokenIL = 0; + generate_random_buffer(SingleHost->Value.AvSingleHost.token_info.MachineId, + sizeof(SingleHost->Value.AvSingleHost.token_info.MachineId)); + SingleHost->Value.AvSingleHost.remaining = data_blob_null; + } + + { + struct AV_PAIR *ChannelBindings = NULL; + + ChannelBindings = eol; + eol++; + count++; + *eol = *ChannelBindings; + + /* + * gensec doesn't support channel bindings yet, + * but we want to match Windows on the wire + */ + ChannelBindings->AvId = MsvChannelBindings; + memset(ChannelBindings->Value.ChannelBindings, 0, + sizeof(ChannelBindings->Value.ChannelBindings)); + } + + service = gensec_get_target_service(gensec_security); + hostname = gensec_get_target_hostname(gensec_security); + if (service != NULL && hostname != NULL) { + struct AV_PAIR *target = NULL; + + target = eol; + eol++; + count++; + *eol = *target; + + target->AvId = MsvAvTargetName; + target->Value.AvTargetName = talloc_asprintf(pairs, "%s/%s", + service, + hostname); + if (target->Value.AvTargetName == NULL) { + return NT_STATUS_NO_MEMORY; + } + } + + ntlmssp_state->client.av_pair_list.count = count; + ntlmssp_state->client.av_pair_list.pair = pairs; + + err = ndr_push_struct_blob(&target_info, + ntlmssp_state, + &ntlmssp_state->client.av_pair_list, + (ndr_push_flags_fn_t)ndr_push_AV_PAIR_LIST); + if (!NDR_ERR_CODE_IS_SUCCESS(err)) { + return NT_STATUS_NO_MEMORY; + } + } + + nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx, + &flags, challenge_blob, + server_timestamp, target_info, + &lm_response, &nt_response, + &lm_session_key, &session_key); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + if (!(flags & CLI_CRED_LANMAN_AUTH)) { + /* LM Key is still possible, just silly, so we do not + * allow it. Fortunately all LM crypto is off by + * default and we require command line options to end + * up here */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } + + if (!(flags & CLI_CRED_NTLM2)) { + /* NTLM2 is incompatible... */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; + } + + if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) + && ntlmssp_state->allow_lm_key && lm_session_key.length == 16) { + DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); + if (lm_response.length == 24) { + nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, + lm_response.data, + new_session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + } else { + static const uint8_t zeros[24]; + nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, + zeros, + new_session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + } + session_key = new_session_key; + dump_data_pw("LM session key\n", session_key.data, session_key.length); + } + + + /* Key exchange encryptes a new client-generated session key with + the password-derived key */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + /* Make up a new session key */ + uint8_t client_session_key[16]; + gnutls_cipher_hd_t cipher_hnd; + gnutls_datum_t enc_session_key = { + .data = session_key.data, + .size = session_key.length, + }; + + generate_random_buffer(client_session_key, sizeof(client_session_key)); + + /* Encrypt the new session key with the old one */ + encrypted_session_key = data_blob_talloc(ntlmssp_state, + client_session_key, sizeof(client_session_key)); + dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length); + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &enc_session_key, + NULL); + if (rc < 0) { + nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + ZERO_ARRAY(client_session_key); + goto done; + } + rc = gnutls_cipher_encrypt(cipher_hnd, + encrypted_session_key.data, + encrypted_session_key.length); + gnutls_cipher_deinit(cipher_hnd); + if (rc < 0) { + nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + ZERO_ARRAY(client_session_key); + goto done; + } + + dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length); + + /* Mark the new session key as the 'real' session key */ + session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key)); + ZERO_ARRAY(client_session_key); + } + + /* this generates the actual auth packet */ + nt_status = msrpc_gen(mem_ctx, + out, auth_gen_string, + "NTLMSSP", + NTLMSSP_AUTH, + lm_response.data, lm_response.length, + nt_response.data, nt_response.length, + domain, + user, + workstation, + encrypted_session_key.data, encrypted_session_key.length, + ntlmssp_state->neg_flags, + version_blob.data, version_blob.length, + mic_blob.data, mic_blob.length); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + if (DEBUGLEVEL >= 10) { + struct AUTHENTICATE_MESSAGE *authenticate = + talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE); + if (authenticate != NULL) { + NTSTATUS status; + authenticate->NegotiateFlags = ntlmssp_state->neg_flags; + status = ntlmssp_pull_AUTHENTICATE_MESSAGE( + out, authenticate, authenticate); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, + authenticate); + } + TALLOC_FREE(authenticate); + } + } + + /* + * We always include the MIC, even without: + * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE; + * ntlmssp_state->new_spnego = true; + * + * This matches a Windows client. + */ + rc = gnutls_hmac_init(&hmac_hnd, + GNUTLS_MAC_MD5, + session_key.data, + MIN(session_key.length, 64)); + if (rc < 0) { + nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + goto done; + } + + rc = gnutls_hmac(hmac_hnd, + ntlmssp_state->negotiate_blob.data, + ntlmssp_state->negotiate_blob.length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + goto done; + } + rc = gnutls_hmac(hmac_hnd, in.data, in.length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + goto done; + } + rc = gnutls_hmac(hmac_hnd, out->data, out->length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + goto done; + } + + gnutls_hmac_deinit(hmac_hnd, mic_buffer); + + memcpy(out->data + NTLMSSP_MIC_OFFSET, mic_buffer, NTLMSSP_MIC_SIZE); + ZERO_ARRAY(mic_buffer); + + nt_status = NT_STATUS_OK; +done: + ZERO_ARRAY_LEN(ntlmssp_state->negotiate_blob.data, + ntlmssp_state->negotiate_blob.length); + data_blob_free(&ntlmssp_state->negotiate_blob); + + ntlmssp_state->session_key = session_key; + talloc_steal(ntlmssp_state, session_key.data); + + DEBUG(3, ("NTLMSSP: Set final flags:\n")); + debug_ntlmssp_flags(ntlmssp_state->neg_flags); + + talloc_steal(out_mem_ctx, out->data); + + ntlmssp_state->expected_state = NTLMSSP_DONE; + + if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + nt_status = ntlmssp_sign_init(ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", + nt_errstr(nt_status))); + talloc_free(mem_ctx); + return nt_status; + } + } + + talloc_free(mem_ctx); + return nt_status; +} + +NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp; + struct ntlmssp_state *ntlmssp_state; + NTSTATUS nt_status; + + nt_status = gensec_ntlmssp_start(gensec_security); + NT_STATUS_NOT_OK_RETURN(nt_status); + + gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + + ntlmssp_state = talloc_zero(gensec_ntlmssp, + struct ntlmssp_state); + if (!ntlmssp_state) { + return NT_STATUS_NO_MEMORY; + } + + gensec_ntlmssp->ntlmssp_state = ntlmssp_state; + + ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + + ntlmssp_state->role = NTLMSSP_CLIENT; + + ntlmssp_state->client.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx); + ntlmssp_state->client.netbios_name = cli_credentials_get_workstation(gensec_security->credentials); + + ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true); + + ntlmssp_state->use_nt_response = \ + gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", + "send_nt_response", + true); + + ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx); + + ntlmssp_state->allow_lm_key = (ntlmssp_state->allow_lm_response + && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false) + || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false))); + + ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx); + + ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", "force_old_spnego", false); + + ntlmssp_state->expected_state = NTLMSSP_INITIAL; + + ntlmssp_state->neg_flags = + NTLMSSP_NEGOTIATE_NTLM | + NTLMSSP_NEGOTIATE_VERSION | + NTLMSSP_REQUEST_TARGET; + + if (ntlmssp_state->unicode) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; + } else { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; + } + + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } else { + /* apparently we can't do ntlmv2 if we don't do ntlm2 */ + ntlmssp_state->use_ntlmv2 = false; + } + + if (ntlmssp_state->use_ntlmv2) { + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2; + ntlmssp_state->allow_lm_response = false; + ntlmssp_state->allow_lm_key = false; + } + + if (ntlmssp_state->allow_lm_key) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; + } + + if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { + /* + * We need to set this to allow a later SetPassword + * via the SAMR pipe to succeed. Strange.... We could + * also add NTLMSSP_NEGOTIATE_SEAL here. JRA. + * + * Without this, Windows will not create the master key + * that it thinks is only used for NTLMSSP signing and + * sealing. (It is actually pulled out and used directly) + * + * We don't require this here as some servers (e.g. NetAPP) + * doesn't support this. + */ + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; + + if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { + /* + * We need to handle NTLMSSP_NEGOTIATE_SIGN as + * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE + * is requested. + */ + ntlmssp_state->force_wrap_seal = true; + } + } + if (ntlmssp_state->force_wrap_seal) { + bool ret; + + /* + * We want also work against old Samba servers + * which didn't had GENSEC_FEATURE_LDAP_STYLE + * we negotiate SEAL too. We may remove this + * in a few years. As all servers should have + * GENSEC_FEATURE_LDAP_STYLE by then. + */ + ret = gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", + "ldap_style_send_seal", + true); + if (ret) { + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; + } + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; + } + if (gensec_security->want_features & GENSEC_FEATURE_NTLM_CCACHE) { + ntlmssp_state->use_ccache = true; + } + + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; + ntlmssp_state->conf_flags = ntlmssp_state->neg_flags; + + return NT_STATUS_OK; +} + +NTSTATUS gensec_ntlmssp_resume_ccache_start(struct gensec_security *gensec_security) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = NULL; + NTSTATUS status; + + status = gensec_ntlmssp_client_start(gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + gensec_ntlmssp->ntlmssp_state->use_ccache = false; + gensec_ntlmssp->ntlmssp_state->resume_ccache = true; + gensec_ntlmssp->ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE; + + return NT_STATUS_OK; +} diff --git a/auth/ntlmssp/ntlmssp_ndr.c b/auth/ntlmssp/ntlmssp_ndr.c new file mode 100644 index 0000000..ea5d6f0 --- /dev/null +++ b/auth/ntlmssp/ntlmssp_ndr.c @@ -0,0 +1,134 @@ +/* + Unix SMB/Netbios implementation. + NTLMSSP ndr functions + + Copyright (C) Guenther Deschner 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "../librpc/gen_ndr/ndr_ntlmssp.h" +#include "ntlmssp_ndr.h" + +#define NTLMSSP_PULL_MESSAGE(type, blob, mem_ctx, r) \ +do { \ + enum ndr_err_code __ndr_err; \ + ZERO_STRUCTP(r); /* in order to deal with unset neg flags */\ + __ndr_err = ndr_pull_struct_blob(blob, mem_ctx, r, \ + (ndr_pull_flags_fn_t)ndr_pull_ ##type); \ + if (!NDR_ERR_CODE_IS_SUCCESS(__ndr_err)) { \ + return ndr_map_error2ntstatus(__ndr_err); \ + } \ + if (!mem_equal_const_time(r->Signature, "NTLMSSP\0", 8)) { \ + return NT_STATUS_INVALID_PARAMETER; \ + } \ + return NT_STATUS_OK; \ +} while(0); + +#define NTLMSSP_PUSH_MESSAGE(type, blob, mem_ctx, r) \ +do { \ + enum ndr_err_code __ndr_err; \ + __ndr_err = ndr_push_struct_blob(blob, mem_ctx, r, \ + (ndr_push_flags_fn_t)ndr_push_ ##type); \ + if (!NDR_ERR_CODE_IS_SUCCESS(__ndr_err)) { \ + return ndr_map_error2ntstatus(__ndr_err); \ + } \ + return NT_STATUS_OK; \ +} while(0); + + +/** + * Pull NTLMSSP NEGOTIATE_MESSAGE struct from a blob + * @param blob The plain packet blob + * @param mem_ctx A talloc context + * @param r Pointer to a NTLMSSP NEGOTIATE_MESSAGE structure + */ + +NTSTATUS ntlmssp_pull_NEGOTIATE_MESSAGE(const DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + struct NEGOTIATE_MESSAGE *r) +{ + NTLMSSP_PULL_MESSAGE(NEGOTIATE_MESSAGE, blob, mem_ctx, r); +} + +/** + * Pull NTLMSSP CHALLENGE_MESSAGE struct from a blob + * @param blob The plain packet blob + * @param mem_ctx A talloc context + * @param r Pointer to a NTLMSSP CHALLENGE_MESSAGE structure + */ + +NTSTATUS ntlmssp_pull_CHALLENGE_MESSAGE(const DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + struct CHALLENGE_MESSAGE *r) +{ + NTLMSSP_PULL_MESSAGE(CHALLENGE_MESSAGE, blob, mem_ctx, r); +} + +/** + * Pull NTLMSSP AUTHENTICATE_MESSAGE struct from a blob + * @param blob The plain packet blob + * @param mem_ctx A talloc context + * @param r Pointer to a NTLMSSP AUTHENTICATE_MESSAGE structure + */ + +NTSTATUS ntlmssp_pull_AUTHENTICATE_MESSAGE(const DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + struct AUTHENTICATE_MESSAGE *r) +{ + NTLMSSP_PULL_MESSAGE(AUTHENTICATE_MESSAGE, blob, mem_ctx, r); +} + +/** + * Push NTLMSSP NEGOTIATE_MESSAGE struct into a blob + * @param blob The plain packet blob + * @param mem_ctx A talloc context + * @param r Pointer to a NTLMSSP NEGOTIATE_MESSAGE structure + */ + +NTSTATUS ntlmssp_push_NEGOTIATE_MESSAGE(DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + const struct NEGOTIATE_MESSAGE *r) +{ + NTLMSSP_PUSH_MESSAGE(NEGOTIATE_MESSAGE, blob, mem_ctx, r); +} + +/** + * Push NTLMSSP CHALLENGE_MESSAGE struct into a blob + * @param blob The plain packet blob + * @param mem_ctx A talloc context + * @param r Pointer to a NTLMSSP CHALLENGE_MESSAGE structure + */ + +NTSTATUS ntlmssp_push_CHALLENGE_MESSAGE(DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + const struct CHALLENGE_MESSAGE *r) +{ + NTLMSSP_PUSH_MESSAGE(CHALLENGE_MESSAGE, blob, mem_ctx, r); +} + +/** + * Push NTLMSSP AUTHENTICATE_MESSAGE struct into a blob + * @param blob The plain packet blob + * @param mem_ctx A talloc context + * @param r Pointer to a NTLMSSP AUTHENTICATE_MESSAGE structure + */ + +NTSTATUS ntlmssp_push_AUTHENTICATE_MESSAGE(DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + const struct AUTHENTICATE_MESSAGE *r) +{ + NTLMSSP_PUSH_MESSAGE(AUTHENTICATE_MESSAGE, blob, mem_ctx, r); +} diff --git a/auth/ntlmssp/ntlmssp_ndr.h b/auth/ntlmssp/ntlmssp_ndr.h new file mode 100644 index 0000000..e619231 --- /dev/null +++ b/auth/ntlmssp/ntlmssp_ndr.h @@ -0,0 +1,38 @@ +/* + Unix SMB/Netbios implementation. + NTLMSSP ndr functions + + Copyright (C) Guenther Deschner 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +NTSTATUS ntlmssp_pull_NEGOTIATE_MESSAGE(const DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + struct NEGOTIATE_MESSAGE *r); +NTSTATUS ntlmssp_pull_CHALLENGE_MESSAGE(const DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + struct CHALLENGE_MESSAGE *r); +NTSTATUS ntlmssp_pull_AUTHENTICATE_MESSAGE(const DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + struct AUTHENTICATE_MESSAGE *r); +NTSTATUS ntlmssp_push_NEGOTIATE_MESSAGE(DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + const struct NEGOTIATE_MESSAGE *r); +NTSTATUS ntlmssp_push_CHALLENGE_MESSAGE(DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + const struct CHALLENGE_MESSAGE *r); +NTSTATUS ntlmssp_push_AUTHENTICATE_MESSAGE(DATA_BLOB *blob, + TALLOC_CTX *mem_ctx, + const struct AUTHENTICATE_MESSAGE *r); diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h new file mode 100644 index 0000000..4d84e33 --- /dev/null +++ b/auth/ntlmssp/ntlmssp_private.h @@ -0,0 +1,192 @@ +/* + * Unix SMB/CIFS implementation. + * Version 3.0 + * NTLMSSP Signing routines + * Copyright (C) Andrew Bartlett 2003-2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +/* For structures internal to the NTLMSSP implementation that should not be exposed */ + +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +struct auth_session_info; + +struct ntlmssp_crypt_direction { + uint32_t seq_num; + uint8_t sign_key[16]; + gnutls_cipher_hd_t seal_state; +}; + +union ntlmssp_crypt_state { + /* NTLM */ + struct ntlmssp_crypt_direction ntlm; + + /* NTLM2 */ + struct { + struct ntlmssp_crypt_direction sending; + struct ntlmssp_crypt_direction receiving; + } ntlm2; +}; + +struct gensec_ntlmssp_context { + /* For GENSEC users */ + void *server_returned_info; + + /* used by both client and server implementation */ + struct ntlmssp_state *ntlmssp_state; +}; + +/* The following definitions come from auth/ntlmssp_util.c */ + +void debug_ntlmssp_flags(uint32_t neg_flags); +NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, + uint32_t neg_flags, const char *name); +const DATA_BLOB ntlmssp_version_blob(void); + +/* The following definitions come from auth/ntlmssp_server.c */ + +const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state, + uint32_t neg_flags, uint32_t *chal_flags); +NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out); +NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB request, DATA_BLOB *reply); +/* The following definitions come from auth/ntlmssp/ntlmssp_client.c */ + + +/** + * Next state function for the Initial packet + * + * @param ntlmssp_state NTLMSSP State + * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context + * @param in A NULL data blob (input ignored) + * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx + * @return Errors or NT_STATUS_OK. + */ +NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB in, DATA_BLOB *out) ; + +NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB in, DATA_BLOB *out); + +/** + * Next state function for the Challenge Packet. Generate an auth packet. + * + * @param gensec_security GENSEC state + * @param out_mem_ctx Memory context for *out + * @param in The server challnege, as a DATA_BLOB. reply.data must be NULL + * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context + * @return Errors or NT_STATUS_OK. + */ +NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) ; +NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security); +NTSTATUS gensec_ntlmssp_resume_ccache_start(struct gensec_security *gensec_security); + +/* The following definitions come from auth/ntlmssp/gensec_ntlmssp_server.c */ + + +/** + * Next state function for the Negotiate packet (GENSEC wrapper) + * + * @param gensec_security GENSEC state + * @param out_mem_ctx Memory context for *out + * @param in The request, as a DATA_BLOB. reply.data must be NULL + * @param out The reply, as an allocated DATA_BLOB, caller to free. + * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required. + */ +NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB request, DATA_BLOB *reply); + +struct tevent_req *ntlmssp_server_auth_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in); +NTSTATUS ntlmssp_server_auth_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out); + + +/** + * Start NTLMSSP on the server side + * + */ +NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security); + +/** + * Return the credentials of a logged on user, including session keys + * etc. + * + * Only valid after a successful authentication + * + * May only be called once per authentication. + * + */ +NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) ; + +/* The following definitions come from auth/ntlmssp/gensec_ntlmssp.c */ + +NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *sig_mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size) ; +NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); +NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); + +/** + * Return the NTLMSSP master session key + * + * @param ntlmssp_state NTLMSSP State + */ +NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security, + const DATA_BLOB *first_packet); +bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security, + uint32_t feature); +NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); +NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security); + diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c new file mode 100644 index 0000000..64b9628 --- /dev/null +++ b/auth/ntlmssp/ntlmssp_server.c @@ -0,0 +1,1160 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NTLMSSP, server side + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001-2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include <tevent.h> +#include "lib/util/tevent_ntstatus.h" +#include "lib/util/time_basic.h" +#include "auth/ntlmssp/ntlmssp.h" +#include "auth/ntlmssp/ntlmssp_private.h" +#include "../librpc/gen_ndr/ndr_ntlmssp.h" +#include "auth/ntlmssp/ntlmssp_ndr.h" +#include "../libcli/auth/libcli_auth.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "auth/common_auth.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "libcli/security/session.h" + +#include "lib/crypto/gnutls_helpers.h" +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/** + * Determine correct target name flags for reply, given server role + * and negotiated flags + * + * @param ntlmssp_state NTLMSSP State + * @param neg_flags The flags from the packet + * @param chal_flags The flags to be set in the reply packet + * @return The 'target name' string. + */ + +const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state, + uint32_t neg_flags, uint32_t *chal_flags) +{ + if (neg_flags & NTLMSSP_REQUEST_TARGET) { + *chal_flags |= NTLMSSP_NEGOTIATE_TARGET_INFO; + *chal_flags |= NTLMSSP_REQUEST_TARGET; + if (ntlmssp_state->server.is_standalone) { + *chal_flags |= NTLMSSP_TARGET_TYPE_SERVER; + return ntlmssp_state->server.netbios_name; + } else { + *chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN; + return ntlmssp_state->server.netbios_domain; + }; + } else { + return ""; + } +} + +/** + * Next state function for the NTLMSSP Negotiate packet + * + * @param gensec_security GENSEC state + * @param out_mem_ctx Memory context for *out + * @param in The request, as a DATA_BLOB. reply.data must be NULL + * @param out The reply, as an allocated DATA_BLOB, caller to free. + * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required. + */ + +NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB request, DATA_BLOB *reply) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + struct auth4_context *auth_context = gensec_security->auth_context; + DATA_BLOB struct_blob; + uint32_t neg_flags = 0; + uint32_t ntlmssp_command, chal_flags; + uint8_t cryptkey[8]; + const char *target_name; + NTSTATUS status; + struct timeval tv_now = timeval_current(); + /* + * See [MS-NLMP] + * + * Windows NT 4.0, windows_2000: use 30 minutes, + * Windows XP, Windows Server 2003, Windows Vista, + * Windows Server 2008, Windows 7, and Windows Server 2008 R2 + * use 36 hours. + * + * Newer systems doesn't check this, likely because the + * connectionless NTLMSSP is no longer supported. + * + * As we expect the AUTHENTICATION_MESSAGE to arrive + * directly after the NEGOTIATE_MESSAGE (typically less than + * as 1 second later). We use a hard timeout of 30 Minutes. + * + * We don't look at AUTHENTICATE_MESSAGE.NtChallengeResponse.TimeStamp + * instead we just remember our own time. + */ + uint32_t max_lifetime = 30 * 60; + struct timeval tv_end = timeval_add(&tv_now, max_lifetime, 0); + + /* parse the NTLMSSP packet */ +#if 0 + file_save("ntlmssp_negotiate.dat", request.data, request.length); +#endif + + if (request.length) { + if (request.length > UINT16_MAX) { + DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n", + (unsigned int)request.length)); + return NT_STATUS_INVALID_PARAMETER; + } + + if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd", + "NTLMSSP", + &ntlmssp_command, + &neg_flags)) { + DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n", + (unsigned int)request.length)); + dump_data(2, request.data, request.length); + return NT_STATUS_INVALID_PARAMETER; + } + debug_ntlmssp_flags(neg_flags); + + if (DEBUGLEVEL >= 10) { + struct NEGOTIATE_MESSAGE *negotiate = talloc( + ntlmssp_state, struct NEGOTIATE_MESSAGE); + if (negotiate != NULL) { + status = ntlmssp_pull_NEGOTIATE_MESSAGE( + &request, negotiate, negotiate); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, + negotiate); + } + TALLOC_FREE(negotiate); + } + } + } + + status = ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, "negotiate"); + if (!NT_STATUS_IS_OK(status)){ + return status; + } + + /* Ask our caller what challenge they would like in the packet */ + if (auth_context->get_ntlm_challenge) { + status = auth_context->get_ntlm_challenge(auth_context, cryptkey); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("gensec_ntlmssp_server_negotiate: failed to get challenge: %s\n", + nt_errstr(status))); + return status; + } + } else { + DEBUG(1, ("gensec_ntlmssp_server_negotiate: backend doesn't give a challenge\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* The flags we send back are not just the negotiated flags, + * they are also 'what is in this packet'. Therefore, we + * operate on 'chal_flags' from here on + */ + + chal_flags = ntlmssp_state->neg_flags; + ntlmssp_state->server.challenge_endtime = timeval_to_nttime(&tv_end); + + /* get the right name to fill in as 'target' */ + target_name = ntlmssp_target_name(ntlmssp_state, + neg_flags, &chal_flags); + if (target_name == NULL) + return NT_STATUS_INVALID_PARAMETER; + + ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8); + ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state, + cryptkey, 8); + + /* This creates the 'blob' of names that appears at the end of the packet */ + if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { + enum ndr_err_code err; + struct AV_PAIR *pairs = NULL; + uint32_t count = 5; + + pairs = talloc_zero_array(ntlmssp_state, struct AV_PAIR, count + 1); + if (pairs == NULL) { + return NT_STATUS_NO_MEMORY; + } + + pairs[0].AvId = MsvAvNbDomainName; + pairs[0].Value.AvNbDomainName = target_name; + + pairs[1].AvId = MsvAvNbComputerName; + pairs[1].Value.AvNbComputerName = ntlmssp_state->server.netbios_name; + + pairs[2].AvId = MsvAvDnsDomainName; + pairs[2].Value.AvDnsDomainName = ntlmssp_state->server.dns_domain; + + pairs[3].AvId = MsvAvDnsComputerName; + pairs[3].Value.AvDnsComputerName= ntlmssp_state->server.dns_name; + + if (!ntlmssp_state->force_old_spnego) { + pairs[4].AvId = MsvAvTimestamp; + pairs[4].Value.AvTimestamp = + timeval_to_nttime(&tv_now); + count += 1; + + pairs[5].AvId = MsvAvEOL; + } else { + pairs[4].AvId = MsvAvEOL; + } + + ntlmssp_state->server.av_pair_list.count = count; + ntlmssp_state->server.av_pair_list.pair = pairs; + + err = ndr_push_struct_blob(&struct_blob, + ntlmssp_state, + &ntlmssp_state->server.av_pair_list, + (ndr_push_flags_fn_t)ndr_push_AV_PAIR_LIST); + if (!NDR_ERR_CODE_IS_SUCCESS(err)) { + return NT_STATUS_NO_MEMORY; + } + } else { + struct_blob = data_blob_null; + } + + { + /* Marshal the packet in the right format, be it unicode or ASCII */ + const char *gen_string; + const DATA_BLOB version_blob = ntlmssp_version_blob(); + + if (ntlmssp_state->unicode) { + gen_string = "CdUdbddBb"; + } else { + gen_string = "CdAdbddBb"; + } + + status = msrpc_gen(out_mem_ctx, reply, gen_string, + "NTLMSSP", + NTLMSSP_CHALLENGE, + target_name, + chal_flags, + cryptkey, 8, + 0, 0, + struct_blob.data, struct_blob.length, + version_blob.data, version_blob.length); + + if (!NT_STATUS_IS_OK(status)) { + data_blob_free(&struct_blob); + return status; + } + + if (DEBUGLEVEL >= 10) { + struct CHALLENGE_MESSAGE *challenge = talloc( + ntlmssp_state, struct CHALLENGE_MESSAGE); + if (challenge != NULL) { + challenge->NegotiateFlags = chal_flags; + status = ntlmssp_pull_CHALLENGE_MESSAGE( + reply, challenge, challenge); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, + challenge); + } + TALLOC_FREE(challenge); + } + } + } + + data_blob_free(&struct_blob); + + ntlmssp_state->negotiate_blob = data_blob_dup_talloc(ntlmssp_state, + request); + if (ntlmssp_state->negotiate_blob.length != request.length) { + return NT_STATUS_NO_MEMORY; + } + + ntlmssp_state->challenge_blob = data_blob_dup_talloc(ntlmssp_state, + *reply); + if (ntlmssp_state->challenge_blob.length != reply->length) { + return NT_STATUS_NO_MEMORY; + } + + ntlmssp_state->expected_state = NTLMSSP_AUTH; + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +struct ntlmssp_server_auth_state { + struct gensec_security *gensec_security; + struct gensec_ntlmssp_context *gensec_ntlmssp; + DATA_BLOB in; + struct auth_usersupplied_info *user_info; + DATA_BLOB user_session_key; + DATA_BLOB lm_session_key; + /* internal variables used by KEY_EXCH (client-supplied user session key */ + DATA_BLOB encrypted_session_key; + bool doing_ntlm2; + /* internal variables used by NTLM2 */ + uint8_t session_nonce[16]; +}; + +static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security, + struct gensec_ntlmssp_context *gensec_ntlmssp, + struct ntlmssp_server_auth_state *state, + const DATA_BLOB request); +static void ntlmssp_server_auth_done(struct tevent_req *subreq); +static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, + struct gensec_ntlmssp_context *gensec_ntlmssp, + struct ntlmssp_server_auth_state *state, + DATA_BLOB request); + +struct tevent_req *ntlmssp_server_auth_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct gensec_ntlmssp_context *gensec_ntlmssp = + talloc_get_type_abort(gensec_security->private_data, + struct gensec_ntlmssp_context); + struct auth4_context *auth_context = gensec_security->auth_context; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct ntlmssp_server_auth_state *state = NULL; + NTSTATUS status; + + req = tevent_req_create(mem_ctx, &state, + struct ntlmssp_server_auth_state); + if (req == NULL) { + return NULL; + } + state->gensec_security = gensec_security; + state->gensec_ntlmssp = gensec_ntlmssp; + state->in = in; + + status = ntlmssp_server_preauth(gensec_security, + gensec_ntlmssp, + state, in); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + subreq = auth_context->check_ntlm_password_send( + state, ev, auth_context, state->user_info); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, ntlmssp_server_auth_done, req); + return req; +} + +/** + * Next state function for the Authenticate packet + * + * @param ntlmssp_state NTLMSSP State + * @param request The request, as a DATA_BLOB + * @return Errors or NT_STATUS_OK. + */ + +static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security, + struct gensec_ntlmssp_context *gensec_ntlmssp, + struct ntlmssp_server_auth_state *state, + const DATA_BLOB request) +{ + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + struct auth4_context *auth_context = gensec_security->auth_context; + struct auth_usersupplied_info *user_info = NULL; + uint32_t ntlmssp_command, auth_flags; + NTSTATUS nt_status; + const unsigned int version_len = 8; + DATA_BLOB version_blob = data_blob_null; + const unsigned int mic_len = NTLMSSP_MIC_SIZE; + DATA_BLOB mic_blob = data_blob_null; + const char *parse_string; + bool ok; + struct timeval endtime; + bool expired = false; + +#if 0 + file_save("ntlmssp_auth.dat", request.data, request.length); +#endif + + if (ntlmssp_state->unicode) { + parse_string = "CdBBUUUBdbb"; + } else { + parse_string = "CdBBAAABdbb"; + } + + /* zero these out */ + data_blob_free(&ntlmssp_state->session_key); + data_blob_free(&ntlmssp_state->lm_resp); + data_blob_free(&ntlmssp_state->nt_resp); + + ntlmssp_state->user = NULL; + ntlmssp_state->domain = NULL; + ntlmssp_state->client.netbios_name = NULL; + + /* now the NTLMSSP encoded auth hashes */ + ok = msrpc_parse(ntlmssp_state, &request, parse_string, + "NTLMSSP", + &ntlmssp_command, + &ntlmssp_state->lm_resp, + &ntlmssp_state->nt_resp, + &ntlmssp_state->domain, + &ntlmssp_state->user, + &ntlmssp_state->client.netbios_name, + &state->encrypted_session_key, + &auth_flags, + &version_blob, version_len, + &mic_blob, mic_len); + if (!ok) { + DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n")); + dump_data(10, request.data, request.length); + + data_blob_free(&version_blob); + data_blob_free(&mic_blob); + + if (ntlmssp_state->unicode) { + parse_string = "CdBBUUUBd"; + } else { + parse_string = "CdBBAAABd"; + } + + ok = msrpc_parse(ntlmssp_state, &request, parse_string, + "NTLMSSP", + &ntlmssp_command, + &ntlmssp_state->lm_resp, + &ntlmssp_state->nt_resp, + &ntlmssp_state->domain, + &ntlmssp_state->user, + &ntlmssp_state->client.netbios_name, + &state->encrypted_session_key, + &auth_flags); + } + + if (!ok) { + DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n")); + dump_data(10, request.data, request.length); + + /* zero this out */ + data_blob_free(&state->encrypted_session_key); + auth_flags = 0; + + /* Try again with a shorter string (Win9X truncates this packet) */ + if (ntlmssp_state->unicode) { + parse_string = "CdBBUUU"; + } else { + parse_string = "CdBBAAA"; + } + + /* now the NTLMSSP encoded auth hashes */ + if (!msrpc_parse(ntlmssp_state, &request, parse_string, + "NTLMSSP", + &ntlmssp_command, + &ntlmssp_state->lm_resp, + &ntlmssp_state->nt_resp, + &ntlmssp_state->domain, + &ntlmssp_state->user, + &ntlmssp_state->client.netbios_name)) { + DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n")); + dump_data(2, request.data, request.length); + + return NT_STATUS_INVALID_PARAMETER; + } + } + + talloc_steal(state, state->encrypted_session_key.data); + + if (auth_flags != 0) { + nt_status = ntlmssp_handle_neg_flags(ntlmssp_state, + auth_flags, + "authenticate"); + if (!NT_STATUS_IS_OK(nt_status)){ + return nt_status; + } + } + + if (DEBUGLEVEL >= 10) { + struct AUTHENTICATE_MESSAGE *authenticate = talloc( + ntlmssp_state, struct AUTHENTICATE_MESSAGE); + if (authenticate != NULL) { + NTSTATUS status; + authenticate->NegotiateFlags = auth_flags; + status = ntlmssp_pull_AUTHENTICATE_MESSAGE( + &request, authenticate, authenticate); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, + authenticate); + } + TALLOC_FREE(authenticate); + } + } + + DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n", + ntlmssp_state->user, ntlmssp_state->domain, + ntlmssp_state->client.netbios_name, + (unsigned long)ntlmssp_state->lm_resp.length, + (unsigned long)ntlmssp_state->nt_resp.length)); + +#if 0 + file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length); + file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length); +#endif + + if (ntlmssp_state->nt_resp.length > 24) { + struct NTLMv2_RESPONSE v2_resp; + enum ndr_err_code err; + uint32_t i = 0; + uint32_t count = 0; + const struct AV_PAIR *flags = NULL; + const struct AV_PAIR *eol = NULL; + uint32_t av_flags = 0; + + err = ndr_pull_struct_blob(&ntlmssp_state->nt_resp, + ntlmssp_state, + &v2_resp, + (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE); + if (!NDR_ERR_CODE_IS_SUCCESS(err)) { + nt_status = ndr_map_error2ntstatus(err); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_BUFFER_TOO_SMALL)) { + /* + * Note that invalid blobs should result in + * INVALID_PARAMETER, as demonstrated by + * smb2.session.ntlmssp_bug14932 + */ + nt_status = NT_STATUS_INVALID_PARAMETER; + } + DEBUG(1,("%s: failed to parse NTLMv2_RESPONSE of length %zu for " + "user=[%s] domain=[%s] workstation=[%s] - %s %s\n", + __func__, ntlmssp_state->nt_resp.length, + ntlmssp_state->user, ntlmssp_state->domain, + ntlmssp_state->client.netbios_name, + ndr_errstr(err), nt_errstr(nt_status))); + return nt_status; + } + + if (DEBUGLVL(10)) { + NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp); + } + + eol = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs, + MsvAvEOL); + if (eol == NULL) { + DEBUG(1,("%s: missing MsvAvEOL for " + "user=[%s] domain=[%s] workstation=[%s]\n", + __func__, ntlmssp_state->user, ntlmssp_state->domain, + ntlmssp_state->client.netbios_name)); + return NT_STATUS_INVALID_PARAMETER; + } + + flags = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs, + MsvAvFlags); + if (flags != NULL) { + av_flags = flags->Value.AvFlags; + } + + if (av_flags & NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE) { + if (mic_blob.length != NTLMSSP_MIC_SIZE) { + DEBUG(1,("%s: mic_blob.length[%u] for " + "user=[%s] domain=[%s] workstation=[%s]\n", + __func__, + (unsigned)mic_blob.length, + ntlmssp_state->user, + ntlmssp_state->domain, + ntlmssp_state->client.netbios_name)); + return NT_STATUS_INVALID_PARAMETER; + } + + if (request.length < + (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE)) + { + DEBUG(1,("%s: missing MIC " + "request.length[%u] for " + "user=[%s] domain=[%s] workstation=[%s]\n", + __func__, + (unsigned)request.length, + ntlmssp_state->user, + ntlmssp_state->domain, + ntlmssp_state->client.netbios_name)); + return NT_STATUS_INVALID_PARAMETER; + } + + ntlmssp_state->new_spnego = true; + } + + count = ntlmssp_state->server.av_pair_list.count; + if (v2_resp.Challenge.AvPairs.count < count) { + return NT_STATUS_INVALID_PARAMETER; + } + + for (i = 0; i < count; i++) { + const struct AV_PAIR *sp = + &ntlmssp_state->server.av_pair_list.pair[i]; + const struct AV_PAIR *cp = NULL; + + if (sp->AvId == MsvAvEOL) { + continue; + } + + cp = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs, + sp->AvId); + if (cp == NULL) { + DEBUG(1,("%s: AvId 0x%x missing for" + "user=[%s] domain=[%s] " + "workstation=[%s]\n", + __func__, + (unsigned)sp->AvId, + ntlmssp_state->user, + ntlmssp_state->domain, + ntlmssp_state->client.netbios_name)); + return NT_STATUS_INVALID_PARAMETER; + } + + switch (cp->AvId) { +#define CASE_STRING(v) case Msv ## v: do { \ + int cmp; \ + if (sp->Value.v == NULL) { \ + return NT_STATUS_INTERNAL_ERROR; \ + } \ + if (cp->Value.v == NULL) { \ + DEBUG(1,("%s: invalid %s " \ + "got[%s] expect[%s] for " \ + "user=[%s] domain=[%s] workstation=[%s]\n", \ + __func__, #v, \ + cp->Value.v, \ + sp->Value.v, \ + ntlmssp_state->user, \ + ntlmssp_state->domain, \ + ntlmssp_state->client.netbios_name)); \ + return NT_STATUS_INVALID_PARAMETER; \ + } \ + cmp = strcmp(cp->Value.v, sp->Value.v); \ + if (cmp != 0) { \ + DEBUG(1,("%s: invalid %s " \ + "got[%s] expect[%s] for " \ + "user=[%s] domain=[%s] workstation=[%s]\n", \ + __func__, #v, \ + cp->Value.v, \ + sp->Value.v, \ + ntlmssp_state->user, \ + ntlmssp_state->domain, \ + ntlmssp_state->client.netbios_name)); \ + return NT_STATUS_INVALID_PARAMETER; \ + } \ +} while(0); break + CASE_STRING(AvNbComputerName); + CASE_STRING(AvNbDomainName); + CASE_STRING(AvDnsComputerName); + CASE_STRING(AvDnsDomainName); + CASE_STRING(AvDnsTreeName); + case MsvAvTimestamp: + if (cp->Value.AvTimestamp != sp->Value.AvTimestamp) { + struct timeval ct; + struct timeval st; + struct timeval_buf tmp1; + struct timeval_buf tmp2; + + nttime_to_timeval(&ct, + cp->Value.AvTimestamp); + nttime_to_timeval(&st, + sp->Value.AvTimestamp); + + DEBUG(1,("%s: invalid AvTimestamp " + "got[%s] expect[%s] for " + "user=[%s] domain=[%s] " + "workstation=[%s]\n", + __func__, + timeval_str_buf(&ct, false, + true, &tmp1), + timeval_str_buf(&st, false, + true, &tmp2), + ntlmssp_state->user, + ntlmssp_state->domain, + ntlmssp_state->client.netbios_name)); + return NT_STATUS_INVALID_PARAMETER; + } + break; + default: + /* + * This can't happen as we control + * ntlmssp_state->server.av_pair_list + */ + return NT_STATUS_INTERNAL_ERROR; + } + } + } + + nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime); + expired = timeval_expired(&endtime); + if (expired) { + struct timeval_buf tmp; + DEBUG(1,("%s: challenge invalid (expired %s) for " + "user=[%s] domain=[%s] workstation=[%s]\n", + __func__, + timeval_str_buf(&endtime, false, true, &tmp), + ntlmssp_state->user, ntlmssp_state->domain, + ntlmssp_state->client.netbios_name)); + return NT_STATUS_INVALID_PARAMETER; + } + + /* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a + client challenge + + However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful. + */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) { + state->doing_ntlm2 = true; + + memcpy(state->session_nonce, ntlmssp_state->internal_chal.data, 8); + memcpy(&state->session_nonce[8], ntlmssp_state->lm_resp.data, 8); + + SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8); + + /* LM response is no longer useful */ + data_blob_free(&ntlmssp_state->lm_resp); + + /* We changed the effective challenge - set it */ + if (auth_context->set_ntlm_challenge) { + uint8_t session_nonce_hash[16]; + int rc; + + rc = gnutls_hash_fast(GNUTLS_DIG_MD5, + state->session_nonce, + 16, + session_nonce_hash); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + + nt_status = auth_context->set_ntlm_challenge(auth_context, + session_nonce_hash, + "NTLMSSP callback (NTLM2)"); + ZERO_ARRAY(session_nonce_hash); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("gensec_ntlmssp_server_negotiate: failed to get challenge: %s\n", + nt_errstr(nt_status))); + return nt_status; + } + } else { + DEBUG(1, ("gensec_ntlmssp_server_negotiate: backend doesn't have facility for challenge to be set\n")); + + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* LM Key is incompatible. */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } + } + + user_info = talloc_zero(state, struct auth_usersupplied_info); + if (!user_info) { + return NT_STATUS_NO_MEMORY; + } + + user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; + user_info->flags = 0; + user_info->client.account_name = ntlmssp_state->user; + user_info->client.domain_name = ntlmssp_state->domain; + user_info->workstation_name = ntlmssp_state->client.netbios_name; + user_info->remote_host = gensec_get_remote_address(gensec_security); + user_info->local_host = gensec_get_local_address(gensec_security); + user_info->service_description + = gensec_get_target_service_description(gensec_security); + + /* + * This will just be the string "NTLMSSP" from + * gensec_ntlmssp_final_auth_type, but ensures it stays in sync + * with the same use in the authorization logging triggered by + * gensec_session_info() later + */ + user_info->auth_description = gensec_final_auth_type(gensec_security); + + user_info->password_state = AUTH_PASSWORD_RESPONSE; + user_info->password.response.lanman = ntlmssp_state->lm_resp; + user_info->password.response.nt = ntlmssp_state->nt_resp; + + state->user_info = user_info; + return NT_STATUS_OK; +} + +static void ntlmssp_server_auth_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct ntlmssp_server_auth_state *state = + tevent_req_data(req, + struct ntlmssp_server_auth_state); + struct gensec_security *gensec_security = state->gensec_security; + struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp; + struct auth4_context *auth_context = gensec_security->auth_context; + uint8_t authoritative = 1; + NTSTATUS status; + + status = auth_context->check_ntlm_password_recv(subreq, + gensec_ntlmssp, + &authoritative, + &gensec_ntlmssp->server_returned_info, + &state->user_session_key, + &state->lm_session_key); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + DBG_INFO("Checking NTLMSSP password for %s\\%s failed: %s\n", + state->user_info->client.domain_name, + state->user_info->client.account_name, + nt_errstr(status)); + } + if (tevent_req_nterror(req, status)) { + return; + } + talloc_steal(state, state->user_session_key.data); + talloc_steal(state, state->lm_session_key.data); + + status = ntlmssp_server_postauth(state->gensec_security, + state->gensec_ntlmssp, + state, state->in); + if (tevent_req_nterror(req, status)) { + return; + } + + tevent_req_done(req); +} + +/** + * Next state function for the Authenticate packet + * (after authentication - figures out the session keys etc) + * + * @param ntlmssp_state NTLMSSP State + * @return Errors or NT_STATUS_OK. + */ + +static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, + struct gensec_ntlmssp_context *gensec_ntlmssp, + struct ntlmssp_server_auth_state *state, + DATA_BLOB request) +{ + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + struct auth4_context *auth_context = gensec_security->auth_context; + DATA_BLOB user_session_key = state->user_session_key; + DATA_BLOB lm_session_key = state->lm_session_key; + NTSTATUS nt_status = NT_STATUS_OK; + DATA_BLOB session_key = data_blob(NULL, 0); + struct auth_session_info *session_info = NULL; + + TALLOC_FREE(state->user_info); + + if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST + && auth_context->generate_session_info != NULL) + { + NTSTATUS tmp_status; + + /* + * We need to check if the auth is anonymous or mapped to guest + */ + tmp_status = auth_context->generate_session_info(auth_context, state, + gensec_ntlmssp->server_returned_info, + gensec_ntlmssp->ntlmssp_state->user, + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, + &session_info); + if (!NT_STATUS_IS_OK(tmp_status)) { + /* + * We don't care about failures, + * the worst result is that we try MIC checking + * for a map to guest authentication. + */ + TALLOC_FREE(session_info); + } + } + + if (session_info != NULL) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + /* + * Anonymous and GUEST are not secure anyway. + * avoid new_spnego and MIC checking. + */ + ntlmssp_state->new_spnego = false; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; + } + TALLOC_FREE(session_info); + } + + dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length); + dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length); + + /* Handle the different session key derivation for NTLM2 */ + if (state->doing_ntlm2) { + if (user_session_key.data && user_session_key.length == 16) { + int rc; + + session_key = data_blob_talloc(ntlmssp_state, + NULL, 16); + + rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, + user_session_key.data, + user_session_key.length, + state->session_nonce, + sizeof(state->session_nonce), + session_key.data); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n")); + dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); + + } else { + DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n")); + session_key = data_blob_null; + } + } else if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) + /* Ensure we can never get here on NTLMv2 */ + && (ntlmssp_state->nt_resp.length == 0 || ntlmssp_state->nt_resp.length == 24)) { + + if (lm_session_key.data && lm_session_key.length >= 8) { + if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) { + session_key = data_blob_talloc(ntlmssp_state, + NULL, 16); + if (session_key.data == NULL) { + return NT_STATUS_NO_MEMORY; + } + nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, + ntlmssp_state->lm_resp.data, + session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n")); + } else { + static const uint8_t zeros[24] = {0, }; + session_key = data_blob_talloc( + ntlmssp_state, NULL, 16); + if (session_key.data == NULL) { + return NT_STATUS_NO_MEMORY; + } + nt_status = SMBsesskeygen_lm_sess_key(zeros, zeros, + session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n")); + } + dump_data_pw("LM session key:\n", session_key.data, + session_key.length); + } else { + /* LM Key not selected */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + + DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n")); + session_key = data_blob_null; + } + + } else if (user_session_key.data) { + session_key = user_session_key; + DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n")); + dump_data_pw("unmodified session key:\n", session_key.data, session_key.length); + + /* LM Key not selected */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + + } else if (lm_session_key.data) { + /* Very weird to have LM key, but no user session key, but anyway.. */ + session_key = lm_session_key; + DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n")); + dump_data_pw("unmodified session key:\n", session_key.data, session_key.length); + + /* LM Key not selected */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + + } else { + DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n")); + session_key = data_blob_null; + + /* LM Key not selected */ + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } + + /* With KEY_EXCH, the client supplies the proposed session key, + but encrypts it with the long-term key */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + if (!state->encrypted_session_key.data + || state->encrypted_session_key.length != 16) { + DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n", + (unsigned)state->encrypted_session_key.length)); + return NT_STATUS_INVALID_PARAMETER; + } else if (!session_key.data || session_key.length != 16) { + DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n", + (unsigned int)session_key.length)); + ntlmssp_state->session_key = session_key; + talloc_steal(ntlmssp_state, session_key.data); + } else { + gnutls_cipher_hd_t cipher_hnd; + gnutls_datum_t enc_session_key = { + .data = session_key.data, + .size = session_key.length, + }; + int rc; + + dump_data_pw("KEY_EXCH session key (enc):\n", + state->encrypted_session_key.data, + state->encrypted_session_key.length); + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &enc_session_key, + NULL); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_cipher_encrypt(cipher_hnd, + state->encrypted_session_key.data, + state->encrypted_session_key.length); + gnutls_cipher_deinit(cipher_hnd); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state, + state->encrypted_session_key.data, + state->encrypted_session_key.length); + dump_data_pw("KEY_EXCH session key:\n", + state->encrypted_session_key.data, + state->encrypted_session_key.length); + } + } else { + ntlmssp_state->session_key = session_key; + talloc_steal(ntlmssp_state, session_key.data); + } + + if (ntlmssp_state->new_spnego) { + gnutls_hmac_hd_t hmac_hnd = NULL; + uint8_t mic_buffer[NTLMSSP_MIC_SIZE] = { 0, }; + bool cmp; + int rc; + + rc = gnutls_hmac_init(&hmac_hnd, + GNUTLS_MAC_MD5, + ntlmssp_state->session_key.data, + MIN(ntlmssp_state->session_key.length, 64)); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_hmac(hmac_hnd, + ntlmssp_state->negotiate_blob.data, + ntlmssp_state->negotiate_blob.length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_hmac(hmac_hnd, + ntlmssp_state->challenge_blob.data, + ntlmssp_state->challenge_blob.length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + /* checked were we set ntlmssp_state->new_spnego */ + SMB_ASSERT(request.length > + (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE)); + + rc = gnutls_hmac(hmac_hnd, request.data, NTLMSSP_MIC_OFFSET); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_hmac(hmac_hnd, mic_buffer, NTLMSSP_MIC_SIZE); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_hmac(hmac_hnd, + request.data + (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE), + request.length - (NTLMSSP_MIC_OFFSET + NTLMSSP_MIC_SIZE)); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + gnutls_hmac_deinit(hmac_hnd, mic_buffer); + + cmp = mem_equal_const_time(request.data + NTLMSSP_MIC_OFFSET, + mic_buffer, NTLMSSP_MIC_SIZE); + if (!cmp) { + DEBUG(1,("%s: invalid NTLMSSP_MIC for " + "user=[%s] domain=[%s] workstation=[%s]\n", + __func__, + ntlmssp_state->user, + ntlmssp_state->domain, + ntlmssp_state->client.netbios_name)); + dump_data(11, request.data + NTLMSSP_MIC_OFFSET, + NTLMSSP_MIC_SIZE); + dump_data(11, mic_buffer, + NTLMSSP_MIC_SIZE); + } + + ZERO_ARRAY(mic_buffer); + + if (!cmp) { + return NT_STATUS_INVALID_PARAMETER; + } + } + + data_blob_free(&ntlmssp_state->negotiate_blob); + data_blob_free(&ntlmssp_state->challenge_blob); + + if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { + /* + * We need to handle NTLMSSP_NEGOTIATE_SIGN as + * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE + * is requested. + */ + ntlmssp_state->force_wrap_seal = true; + } + nt_status = ntlmssp_sign_init(ntlmssp_state); + } + + data_blob_clear_free(&ntlmssp_state->internal_chal); + data_blob_clear_free(&ntlmssp_state->chal); + data_blob_clear_free(&ntlmssp_state->lm_resp); + data_blob_clear_free(&ntlmssp_state->nt_resp); + + ntlmssp_state->expected_state = NTLMSSP_DONE; + + return nt_status; +} + +NTSTATUS ntlmssp_server_auth_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + tevent_req_received(req); + return NT_STATUS_OK; +} diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c new file mode 100644 index 0000000..404129a --- /dev/null +++ b/auth/ntlmssp/ntlmssp_sign.c @@ -0,0 +1,893 @@ +/* + * Unix SMB/CIFS implementation. + * Version 3.0 + * NTLMSSP Signing routines + * Copyright (C) Andrew Bartlett 2003-2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "../auth/ntlmssp/ntlmssp.h" +#include "../libcli/auth/libcli_auth.h" +#include "zlib.h" +#include "../auth/ntlmssp/ntlmssp_private.h" + +#include "lib/crypto/gnutls_helpers.h" +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +#define CLI_SIGN "session key to client-to-server signing key magic constant" +#define CLI_SEAL "session key to client-to-server sealing key magic constant" +#define SRV_SIGN "session key to server-to-client signing key magic constant" +#define SRV_SEAL "session key to server-to-client sealing key magic constant" + +/** + * Some notes on the NTLM2 code: + * + * NTLM2 is a AEAD system. This means that the data encrypted is not + * all the data that is signed. In DCE-RPC case, the headers of the + * DCE-RPC packets are also signed. This prevents some of the + * fun-and-games one might have by changing them. + * + */ + +static void dump_arc4_state(const char *description, + gnutls_cipher_hd_t *state) +{ + DBG_DEBUG("%s\n", description); +} + +static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16], + DATA_BLOB session_key, + const char *constant) +{ + gnutls_hash_hd_t hash_hnd = NULL; + int rc; + + rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_hash(hash_hnd, session_key.data, session_key.length); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_hash(hash_hnd, constant, strlen(constant) + 1); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + gnutls_hash_deinit(hash_hnd, subkey); + + return NT_STATUS_OK; +} + +enum ntlmssp_direction { + NTLMSSP_SEND, + NTLMSSP_RECEIVE +}; + +static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + enum ntlmssp_direction direction, + DATA_BLOB *sig, bool encrypt_sig) +{ + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + int rc; + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + gnutls_hmac_hd_t hmac_hnd = NULL; + uint8_t digest[16]; + uint8_t seq_num[4]; + + *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE); + if (!sig->data) { + return NT_STATUS_NO_MEMORY; + } + + switch (direction) { + case NTLMSSP_SEND: + DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n", + ntlmssp_state->crypt->ntlm2.sending.seq_num, + (unsigned int)length, + (unsigned int)pdu_length)); + + SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num); + ntlmssp_state->crypt->ntlm2.sending.seq_num++; + + rc = gnutls_hmac_init(&hmac_hnd, + GNUTLS_MAC_MD5, + ntlmssp_state->crypt->ntlm2.sending.sign_key, + 16); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + break; + case NTLMSSP_RECEIVE: + + DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n", + ntlmssp_state->crypt->ntlm2.receiving.seq_num, + (unsigned int)length, + (unsigned int)pdu_length)); + + SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num); + ntlmssp_state->crypt->ntlm2.receiving.seq_num++; + + rc = gnutls_hmac_init(&hmac_hnd, + GNUTLS_MAC_MD5, + ntlmssp_state->crypt->ntlm2.receiving.sign_key, + 16); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + break; + } + + dump_data_pw("pdu data ", whole_pdu, pdu_length); + + rc = gnutls_hmac(hmac_hnd, seq_num, sizeof(seq_num)); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + rc = gnutls_hmac(hmac_hnd, whole_pdu, pdu_length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + gnutls_hmac_deinit(hmac_hnd, digest); + + if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { + switch (direction) { + case NTLMSSP_SEND: + rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state, + digest, + 8); + break; + case NTLMSSP_RECEIVE: + rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state, + digest, + 8); + break; + } + if (rc < 0) { + DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH " + "%s packet signature failed: %s\n", + direction == NTLMSSP_SEND ? + "send" : "receive", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + } + + SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION); + memcpy(sig->data + 4, digest, 8); + ZERO_ARRAY(digest); + memcpy(sig->data + 12, seq_num, 4); + ZERO_ARRAY(seq_num); + + dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length); + + } else { + uint32_t crc; + + crc = crc32(0, Z_NULL, 0); + crc = crc32(crc, data, length); + + status = msrpc_gen(sig_mem_ctx, + sig, "dddd", + NTLMSSP_SIGN_VERSION, 0, crc, + ntlmssp_state->crypt->ntlm.seq_num); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + ntlmssp_state->crypt->ntlm.seq_num++; + + dump_arc4_state("ntlmssp hash: \n", + &ntlmssp_state->crypt->ntlm.seal_state); + rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state, + sig->data + 4, + sig->length - 4); + if (rc < 0) { + DBG_ERR("gnutls_cipher_encrypt for NTLM packet " + "signature failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + } + + return NT_STATUS_OK; +} + +NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + NTSTATUS nt_status; + + if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot check sign packet\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + nt_status = ntlmssp_make_packet_signature(ntlmssp_state, + sig_mem_ctx, + data, length, + whole_pdu, pdu_length, + NTLMSSP_SEND, sig, true); + + return nt_status; +} + +/** + * Check the signature of an incoming packet + * @note caller *must* check that the signature is the size it expects + * + */ + +NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + DATA_BLOB local_sig; + NTSTATUS nt_status; + TALLOC_CTX *tmp_ctx; + + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot check packet signature\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + if (sig->length < 8) { + DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n", + (unsigned long)sig->length)); + } + + tmp_ctx = talloc_new(ntlmssp_state); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = ntlmssp_make_packet_signature(ntlmssp_state, + tmp_ctx, + data, length, + whole_pdu, pdu_length, + NTLMSSP_RECEIVE, + &local_sig, true); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("NTLMSSP packet sig creation failed with %s\n", + nt_errstr(nt_status))); + talloc_free(tmp_ctx); + return nt_status; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + if (local_sig.length != sig->length || + !mem_equal_const_time(local_sig.data, sig->data, sig->length)) { + DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n")); + dump_data(5, local_sig.data, local_sig.length); + + DEBUG(5, ("BAD SIG: got signature of\n")); + dump_data(5, sig->data, sig->length); + + DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n")); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + } else { + if (local_sig.length != sig->length || + !mem_equal_const_time(local_sig.data + 8, sig->data + 8, sig->length - 8)) { + DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n")); + dump_data(5, local_sig.data, local_sig.length); + + DEBUG(5, ("BAD SIG: got signature of\n")); + dump_data(5, sig->data, sig->length); + + DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n")); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + } + dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length); + DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n")); + + talloc_free(tmp_ctx); + return NT_STATUS_OK; +} + +/** + * Seal data with the NTLMSSP algorithm + * + */ + +NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + int rc; + + if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { + DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot seal packet\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + DEBUG(10,("ntlmssp_seal_data: seal\n")); + dump_data_pw("ntlmssp clear data\n", data, length); + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + NTSTATUS nt_status; + /* + * The order of these two operations matters - we + * must first seal the packet, then seal the + * sequence number - this is because the + * send_seal_hash is not constant, but is rather + * updated with each iteration + */ + nt_status = ntlmssp_make_packet_signature(ntlmssp_state, + sig_mem_ctx, + data, length, + whole_pdu, pdu_length, + NTLMSSP_SEND, + sig, false); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state, + data, + length); + if (rc < 0) { + DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data " + "failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state, + sig->data + 4, + 8); + if (rc < 0) { + DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing " + "the EXCH signature data failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + } + } else { + NTSTATUS status; + uint32_t crc; + + crc = crc32(0, Z_NULL, 0); + crc = crc32(crc, data, length); + + status = msrpc_gen(sig_mem_ctx, + sig, "dddd", + NTLMSSP_SIGN_VERSION, 0, crc, + ntlmssp_state->crypt->ntlm.seq_num); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* + * The order of these two operations matters - we + * must first seal the packet, then seal the + * sequence number - this is because the ntlmv1_arc4_state + * is not constant, but is rather updated with + * each iteration + */ + dump_arc4_state("ntlmv1 arc4 state:\n", + &ntlmssp_state->crypt->ntlm.seal_state); + rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state, + data, + length); + if (rc < 0) { + DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data" + "failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + dump_arc4_state("ntlmv1 arc4 state:\n", + &ntlmssp_state->crypt->ntlm.seal_state); + + rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state, + sig->data + 4, + sig->length - 4); + if (rc < 0) { + DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing " + "data failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + ntlmssp_state->crypt->ntlm.seq_num++; + } + dump_data_pw("ntlmssp signature\n", sig->data, sig->length); + dump_data_pw("ntlmssp sealed data\n", data, length); + + return NT_STATUS_OK; +} + +/** + * Unseal data with the NTLMSSP algorithm + * + */ + +NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + NTSTATUS status; + int rc; + + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot unseal packet\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + DEBUG(10,("ntlmssp_unseal_packet: seal\n")); + dump_data_pw("ntlmssp sealed data\n", data, length); + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + /* First unseal the data. */ + rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state, + data, + length); + if (rc < 0) { + DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the " + "data failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + dump_data_pw("ntlmv2 clear data\n", data, length); + } else { + rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state, + data, + length); + if (rc < 0) { + DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the " + "data failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + dump_data_pw("ntlmv1 clear data\n", data, length); + } + + status = ntlmssp_check_packet(ntlmssp_state, + data, length, + whole_pdu, pdu_length, + sig); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n", + (unsigned long long)length)); + } + return status; +} + +NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + NTSTATUS nt_status; + DATA_BLOB sig; + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + if (in->length + NTLMSSP_SIG_SIZE < in->length) { + return NT_STATUS_INVALID_PARAMETER; + } + + *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE); + if (!out->data) { + return NT_STATUS_NO_MEMORY; + } + memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length); + + nt_status = ntlmssp_seal_packet(ntlmssp_state, out_mem_ctx, + out->data + NTLMSSP_SIG_SIZE, + out->length - NTLMSSP_SIG_SIZE, + out->data + NTLMSSP_SIG_SIZE, + out->length - NTLMSSP_SIG_SIZE, + &sig); + + if (NT_STATUS_IS_OK(nt_status)) { + memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE); + talloc_free(sig.data); + } + return nt_status; + + } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { + if (in->length + NTLMSSP_SIG_SIZE < in->length) { + return NT_STATUS_INVALID_PARAMETER; + } + + *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE); + if (!out->data) { + return NT_STATUS_NO_MEMORY; + } + memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length); + + nt_status = ntlmssp_sign_packet(ntlmssp_state, out_mem_ctx, + out->data + NTLMSSP_SIG_SIZE, + out->length - NTLMSSP_SIG_SIZE, + out->data + NTLMSSP_SIG_SIZE, + out->length - NTLMSSP_SIG_SIZE, + &sig); + + if (NT_STATUS_IS_OK(nt_status)) { + memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE); + talloc_free(sig.data); + } + return nt_status; + } else { + *out = data_blob_talloc(out_mem_ctx, in->data, in->length); + if (!out->data) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; + } +} + +NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + DATA_BLOB sig; + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + if (in->length < NTLMSSP_SIG_SIZE) { + return NT_STATUS_INVALID_PARAMETER; + } + sig.data = in->data; + sig.length = NTLMSSP_SIG_SIZE; + + *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE); + + return ntlmssp_unseal_packet(ntlmssp_state, + out->data, out->length, + out->data, out->length, + &sig); + + } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { + if (in->length < NTLMSSP_SIG_SIZE) { + return NT_STATUS_INVALID_PARAMETER; + } + sig.data = in->data; + sig.length = NTLMSSP_SIG_SIZE; + + *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE); + + return ntlmssp_check_packet(ntlmssp_state, + out->data, out->length, + out->data, out->length, + &sig); + } else { + *out = data_blob_talloc(out_mem_ctx, in->data, in->length); + if (!out->data) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; + } +} + +/** + Initialise the state for NTLMSSP signing. +*/ +NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, + bool reset_seqnums) +{ + int rc; + + DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n")); + debug_ntlmssp_flags(ntlmssp_state->neg_flags); + + if (ntlmssp_state->crypt == NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + if (ntlmssp_state->force_wrap_seal && + (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) + { + /* + * We need to handle NTLMSSP_NEGOTIATE_SIGN as + * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE + * is requested. + * + * The negotiation of flags (and authentication) + * is completed when ntlmssp_sign_init() is called + * so we can safely pretent NTLMSSP_NEGOTIATE_SEAL + * was negotiated. + */ + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + DATA_BLOB weak_session_key = ntlmssp_state->session_key; + const char *send_sign_const; + const char *send_seal_const; + const char *recv_sign_const; + const char *recv_seal_const; + uint8_t send_seal_key[16] = {0}; + gnutls_datum_t send_seal_blob = { + .data = send_seal_key, + .size = sizeof(send_seal_key), + }; + uint8_t recv_seal_key[16] = {0}; + gnutls_datum_t recv_seal_blob = { + .data = recv_seal_key, + .size = sizeof(recv_seal_key), + }; + NTSTATUS status; + + switch (ntlmssp_state->role) { + case NTLMSSP_CLIENT: + send_sign_const = CLI_SIGN; + send_seal_const = CLI_SEAL; + recv_sign_const = SRV_SIGN; + recv_seal_const = SRV_SEAL; + break; + case NTLMSSP_SERVER: + send_sign_const = SRV_SIGN; + send_seal_const = SRV_SEAL; + recv_sign_const = CLI_SIGN; + recv_seal_const = CLI_SEAL; + break; + default: + return NT_STATUS_INTERNAL_ERROR; + } + + /* + * Weaken NTLMSSP keys to cope with down-level + * clients, servers and export restrictions. + * + * We probably should have some parameters to + * control this, once we get NTLM2 working. + * + * Key weakening was not performed on the master key + * for NTLM2, but must be done on the encryption subkeys only. + */ + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { + /* nothing to do */ + } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { + weak_session_key.length = 7; + } else { /* forty bits */ + weak_session_key.length = 5; + } + + dump_data_pw("NTLMSSP weakend master key:\n", + weak_session_key.data, + weak_session_key.length); + + /* SEND: sign key */ + status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key, + ntlmssp_state->session_key, send_sign_const); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + dump_data_pw("NTLMSSP send sign key:\n", + ntlmssp_state->crypt->ntlm2.sending.sign_key, 16); + + /* SEND: seal ARCFOUR pad */ + status = calc_ntlmv2_key(send_seal_key, + weak_session_key, + send_seal_const); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + dump_data_pw("NTLMSSP send seal key:\n", + send_seal_key, + sizeof(send_seal_key)); + + if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) { + gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state); + } + rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state, + GNUTLS_CIPHER_ARCFOUR_128, + &send_seal_blob, + NULL); + if (rc < 0) { + DBG_ERR("gnutls_cipher_init failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + dump_arc4_state("NTLMSSP send seal arc4 state:\n", + &ntlmssp_state->crypt->ntlm2.sending.seal_state); + + /* SEND: seq num */ + if (reset_seqnums) { + ntlmssp_state->crypt->ntlm2.sending.seq_num = 0; + } + + /* RECV: sign key */ + status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key, + ntlmssp_state->session_key, recv_sign_const); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + dump_data_pw("NTLMSSP recv sign key:\n", + ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16); + + /* RECV: seal ARCFOUR pad */ + status = calc_ntlmv2_key(recv_seal_key, + weak_session_key, + recv_seal_const); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + dump_data_pw("NTLMSSP recv seal key:\n", + recv_seal_key, + sizeof(recv_seal_key)); + + if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) { + gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state); + } + rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, + GNUTLS_CIPHER_ARCFOUR_128, + &recv_seal_blob, + NULL); + if (rc < 0) { + DBG_ERR("gnutls_cipher_init failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + dump_arc4_state("NTLMSSP recv seal arc4 state:\n", + &ntlmssp_state->crypt->ntlm2.receiving.seal_state); + + /* RECV: seq num */ + if (reset_seqnums) { + ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0; + } + } else { + gnutls_datum_t seal_session_key = { + .data = ntlmssp_state->session_key.data, + .size = ntlmssp_state->session_key.length, + }; + bool do_weak = false; + + DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n")); + + /* + * Key weakening not performed on the master key for NTLM2 + * and does not occur for NTLM1. Therefore we only need + * to do this for the LM_KEY. + */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) { + do_weak = true; + } + + /* + * Nothing to weaken. + * We certainly don't want to 'extend' the length... + */ + if (ntlmssp_state->session_key.length < 16) { + /* TODO: is this really correct? */ + do_weak = false; + } + + if (do_weak) { + uint8_t weak_session_key[8]; + + memcpy(weak_session_key, seal_session_key.data, 8); + seal_session_key = (gnutls_datum_t) { + .data = weak_session_key, + .size = sizeof(weak_session_key), + }; + + /* + * LM key doesn't support 128 bit crypto, so this is + * the best we can do. If you negotiate 128 bit, but + * not 56, you end up with 40 bit... + */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { + weak_session_key[7] = 0xa0; + } else { /* forty bits */ + weak_session_key[5] = 0xe5; + weak_session_key[6] = 0x38; + weak_session_key[7] = 0xb0; + } + } + + if (ntlmssp_state->crypt->ntlm.seal_state != NULL) { + gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state); + } + rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state, + GNUTLS_CIPHER_ARCFOUR_128, + &seal_session_key, + NULL); + if (rc < 0) { + DBG_ERR("gnutls_cipher_init failed: %s\n", + gnutls_strerror(rc)); + return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); + } + + dump_arc4_state("NTLMv1 arc4 state:\n", + &ntlmssp_state->crypt->ntlm.seal_state); + + if (reset_seqnums) { + ntlmssp_state->crypt->ntlm.seq_num = 0; + } + } + + return NT_STATUS_OK; +} + +static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c) +{ + if (c->ntlm2.sending.seal_state != NULL) { + gnutls_cipher_deinit(c->ntlm2.sending.seal_state); + c->ntlm2.sending.seal_state = NULL; + } + if (c->ntlm2.receiving.seal_state != NULL) { + gnutls_cipher_deinit(c->ntlm2.receiving.seal_state); + c->ntlm2.receiving.seal_state = NULL; + } + if (c->ntlm.seal_state != NULL) { + gnutls_cipher_deinit(c->ntlm.seal_state); + c->ntlm.seal_state = NULL; + } + + return 0; +} + +NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state) +{ + if (ntlmssp_state->session_key.length < 8) { + DEBUG(3, ("NO session key, cannot initialise signing\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + ntlmssp_state->crypt = talloc_zero(ntlmssp_state, + union ntlmssp_crypt_state); + if (ntlmssp_state->crypt == NULL) { + return NT_STATUS_NO_MEMORY; + } + talloc_set_destructor(ntlmssp_state->crypt, + ntlmssp_crypt_free_gnutls_cipher_state); + + return ntlmssp_sign_reset(ntlmssp_state, true); +} diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c new file mode 100644 index 0000000..6f3b474 --- /dev/null +++ b/auth/ntlmssp/ntlmssp_util.c @@ -0,0 +1,220 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NLTMSSP, server side + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001-2003 + Copyright (C) Andrew Bartlett 2005 (Updated from gensec). + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "../auth/ntlmssp/ntlmssp.h" +#include "../auth/ntlmssp/ntlmssp_private.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +static void debug_ntlmssp_flags_raw(int level, uint32_t flags) +{ +#define _PRINT_FLAG_LINE(v) do { \ + if (flags & (v)) { \ + DEBUGADD(level, (" " #v "\n")); \ + } \ +} while (0) + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_UNICODE); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM); + _PRINT_FLAG_LINE(NTLMSSP_REQUEST_TARGET); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SIGN); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_SEAL); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_DATAGRAM); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_LM_KEY); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NETWARE); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NTLM); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_NT_ONLY); + _PRINT_FLAG_LINE(NTLMSSP_ANONYMOUS); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_ALWAYS_SIGN); + _PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_DOMAIN); + _PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SERVER); + _PRINT_FLAG_LINE(NTLMSSP_TARGET_TYPE_SHARE); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_IDENTIFY); + _PRINT_FLAG_LINE(NTLMSSP_REQUEST_NON_NT_SESSION_KEY); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_TARGET_INFO); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_VERSION); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_128); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_KEY_EXCH); + _PRINT_FLAG_LINE(NTLMSSP_NEGOTIATE_56); +} + +/** + * Print out the NTLMSSP flags for debugging + * @param neg_flags The flags from the packet + */ +void debug_ntlmssp_flags(uint32_t neg_flags) +{ + DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags)); + debug_ntlmssp_flags_raw(4, neg_flags); +} + +NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, + uint32_t flags, const char *name) +{ + uint32_t missing_flags = ntlmssp_state->required_flags; + + if (ntlmssp_state->use_ntlmv2) { + /* + * Using NTLMv2 as a client implies + * using NTLMSSP_NEGOTIATE_NTLM2 + * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) + * + * Note that 'use_ntlmv2' is only set + * true in the client case. + * + * Even if the server has a bug and does not announce + * it, we need to assume it's present. + * + * Note that we also have the flag + * in ntlmssp_state->required_flags, + * see gensec_ntlmssp_client_start(). + * + * See bug #12862. + */ + flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + + if (flags & NTLMSSP_NEGOTIATE_UNICODE) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM; + ntlmssp_state->unicode = true; + } else { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE; + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM; + ntlmssp_state->unicode = false; + } + + /* + * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) + * has priority over NTLMSSP_NEGOTIATE_LM_KEY + */ + if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } + + if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; + } + + if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN; + } + + if (!(flags & NTLMSSP_NEGOTIATE_128)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128; + } + + if (!(flags & NTLMSSP_NEGOTIATE_56)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56; + } + + if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH; + } + + if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; + } + + if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; + } + + if ((flags & NTLMSSP_REQUEST_TARGET)) { + ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET; + } + + missing_flags &= ~ntlmssp_state->neg_flags; + if (missing_flags != 0) { + HRESULT hres = HRES_SEC_E_UNSUPPORTED_FUNCTION; + NTSTATUS status = NT_STATUS(HRES_ERROR_V(hres)); + DEBUG(1, ("%s: Got %s flags[0x%08x] " + "- possible downgrade detected! " + "missing_flags[0x%08x] - %s\n", + __func__, name, + (unsigned)flags, + (unsigned)missing_flags, + nt_errstr(status))); + debug_ntlmssp_flags_raw(1, missing_flags); + DEBUGADD(4, ("neg_flags[0x%08x]\n", + (unsigned)ntlmssp_state->neg_flags)); + debug_ntlmssp_flags_raw(4, ntlmssp_state->neg_flags); + return status; + } + + return NT_STATUS_OK; +} + +/* Does this blob looks like it could be NTLMSSP? */ +bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob) +{ + if (blob->length > 8 && memcmp("NTLMSSP\0", blob->data, 8) == 0) { + return true; + } else { + return false; + } +} + +const DATA_BLOB ntlmssp_version_blob(void) +{ + /* + * This is a simplified version of + * + * enum ndr_err_code err; + * struct ntlmssp_VERSION vers; + * + * ZERO_STRUCT(vers); + * vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6; + * vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1; + * vers.ProductBuild = 0; + * vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; + * + * err = ndr_push_struct_blob(&version_blob, + * ntlmssp_state, + * &vers, + * (ndr_push_flags_fn_t)ndr_push_ntlmssp_VERSION); + * + * if (!NDR_ERR_CODE_IS_SUCCESS(err)) { + * data_blob_free(&struct_blob); + * return NT_STATUS_NO_MEMORY; + * } + */ + static const uint8_t version_buffer[8] = { + NTLMSSP_WINDOWS_MAJOR_VERSION_6, + NTLMSSP_WINDOWS_MINOR_VERSION_1, + 0x00, 0x00, /* product build */ + 0x00, 0x00, 0x00, /* reserved */ + NTLMSSP_REVISION_W2K3 + }; + + return data_blob_const(version_buffer, ARRAY_SIZE(version_buffer)); +} diff --git a/auth/ntlmssp/wscript_build b/auth/ntlmssp/wscript_build new file mode 100644 index 0000000..20836ef --- /dev/null +++ b/auth/ntlmssp/wscript_build @@ -0,0 +1,27 @@ +bld.SAMBA_SUBSYSTEM('NTLMSSP_COMMON', + source='''gensec_ntlmssp.c + ntlmssp.c + ntlmssp_util.c + ntlmssp_ndr.c + ntlmssp_client.c + ntlmssp_server.c + ntlmssp_sign.c + gensec_ntlmssp_server.c''', + deps=''' + samba-util + NDR_NTLMSSP + MSRPC_PARSE + NTLM_CHECK + samba-credentials + wbclient + z + GNUTLS_HELPERS + ''') + +bld.SAMBA_MODULE('gensec_ntlmssp', + source='''''', + subsystem='gensec', + init_function='gensec_ntlmssp_init', + deps='NTLMSSP_COMMON', + internal_module=True + ) diff --git a/auth/wbc_auth_util.c b/auth/wbc_auth_util.c new file mode 100644 index 0000000..83b22ad --- /dev/null +++ b/auth/wbc_auth_util.c @@ -0,0 +1,238 @@ +/* + Unix SMB/CIFS implementation. + Authentication utility functions + Copyright (C) Volker Lendecke 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "libcli/security/security.h" +#include "librpc/gen_ndr/netlogon.h" +#include "nsswitch/libwbclient/wbclient.h" +#include "librpc/gen_ndr/auth.h" +#include "auth/auth_sam_reply.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +static NTSTATUS wbcsids_to_samr_RidWithAttributeArray( + TALLOC_CTX *mem_ctx, + struct samr_RidWithAttributeArray *groups, + const struct dom_sid *domain_sid, + const struct wbcSidWithAttr *sids, + size_t num_sids) +{ + unsigned int i, j = 0; + bool ok; + + groups->rids = talloc_array(mem_ctx, + struct samr_RidWithAttribute, num_sids); + if (!groups->rids) { + return NT_STATUS_NO_MEMORY; + } + + /* a wbcDomainSid is the same as a dom_sid */ + for (i = 0; i < num_sids; i++) { + ok = sid_peek_check_rid(domain_sid, + (const struct dom_sid *)&sids[i].sid, + &groups->rids[j].rid); + if (!ok) continue; + + groups->rids[j].attributes = SE_GROUP_DEFAULT_FLAGS; + j++; + } + + groups->count = j; + return NT_STATUS_OK; +} + +static NTSTATUS wbcsids_to_netr_SidAttrArray( + const struct dom_sid *domain_sid, + const struct wbcSidWithAttr *sids, + size_t num_sids, + TALLOC_CTX *mem_ctx, + struct netr_SidAttr **_info3_sids, + uint32_t *info3_num_sids) +{ + unsigned int i, j = 0; + struct netr_SidAttr *info3_sids; + + info3_sids = talloc_array(mem_ctx, struct netr_SidAttr, num_sids); + if (info3_sids == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* a wbcDomainSid is the same as a dom_sid */ + for (i = 0; i < num_sids; i++) { + const struct dom_sid *sid; + + sid = (const struct dom_sid *)&sids[i].sid; + + if (dom_sid_in_domain(domain_sid, sid)) { + continue; + } + + info3_sids[j].sid = dom_sid_dup(info3_sids, sid); + if (info3_sids[j].sid == NULL) { + talloc_free(info3_sids); + return NT_STATUS_NO_MEMORY; + } + info3_sids[j].attributes = SE_GROUP_DEFAULT_FLAGS; + j++; + } + + *info3_num_sids = j; + *_info3_sids = info3_sids; + return NT_STATUS_OK; +} + +#undef RET_NOMEM + +#define RET_NOMEM(ptr) do { \ + if (!ptr) { \ + TALLOC_FREE(info6); \ + return NULL; \ + } } while(0) + +struct netr_SamInfo6 *wbcAuthUserInfo_to_netr_SamInfo6(TALLOC_CTX *mem_ctx, + const struct wbcAuthUserInfo *info) +{ + struct netr_SamInfo6 *info6; + struct dom_sid user_sid; + struct dom_sid group_sid; + struct dom_sid domain_sid; + NTSTATUS status; + bool ok; + + memcpy(&user_sid, &info->sids[PRIMARY_USER_SID_INDEX].sid, sizeof(user_sid)); + memcpy(&group_sid, &info->sids[PRIMARY_GROUP_SID_INDEX].sid, sizeof(group_sid)); + + info6 = talloc_zero(mem_ctx, struct netr_SamInfo6); + if (!info6) return NULL; + + unix_to_nt_time(&info6->base.logon_time, info->logon_time); + unix_to_nt_time(&info6->base.logoff_time, info->logoff_time); + unix_to_nt_time(&info6->base.kickoff_time, info->kickoff_time); + unix_to_nt_time(&info6->base.last_password_change, info->pass_last_set_time); + unix_to_nt_time(&info6->base.allow_password_change, + info->pass_can_change_time); + unix_to_nt_time(&info6->base.force_password_change, + info->pass_must_change_time); + + if (info->account_name) { + info6->base.account_name.string = + talloc_strdup(info6, info->account_name); + RET_NOMEM(info6->base.account_name.string); + } + if (info->user_principal) { + info6->principal_name.string = + talloc_strdup(info6, info->user_principal); + RET_NOMEM(info6->principal_name.string); + } + if (info->full_name) { + info6->base.full_name.string = + talloc_strdup(info6, info->full_name); + RET_NOMEM(info6->base.full_name.string); + } + if (info->domain_name) { + info6->base.logon_domain.string = + talloc_strdup(info6, info->domain_name); + RET_NOMEM(info6->base.logon_domain.string); + } + if (info->dns_domain_name) { + info6->dns_domainname.string = + talloc_strdup(info6, info->dns_domain_name); + RET_NOMEM(info6->dns_domainname.string); + } + if (info->logon_script) { + info6->base.logon_script.string = + talloc_strdup(info6, info->logon_script); + RET_NOMEM(info6->base.logon_script.string); + } + if (info->profile_path) { + info6->base.profile_path.string = + talloc_strdup(info6, info->profile_path); + RET_NOMEM(info6->base.profile_path.string); + } + if (info->home_directory) { + info6->base.home_directory.string = + talloc_strdup(info6, info->home_directory); + RET_NOMEM(info6->base.home_directory.string); + } + if (info->home_drive) { + info6->base.home_drive.string = + talloc_strdup(info6, info->home_drive); + RET_NOMEM(info6->base.home_drive.string); + } + + info6->base.logon_count = info->logon_count; + info6->base.bad_password_count = info->bad_password_count; + + sid_copy(&domain_sid, &user_sid); + sid_split_rid(&domain_sid, &info6->base.rid); + + ok = sid_peek_check_rid(&domain_sid, &group_sid, + &info6->base.primary_gid); + if (!ok) { + DEBUG(1, ("The primary group sid domain does not" + "match user sid domain for user: %s\n", + info->account_name)); + TALLOC_FREE(info6); + return NULL; + } + + status = wbcsids_to_samr_RidWithAttributeArray(info6, + &info6->base.groups, + &domain_sid, + &info->sids[PRIMARY_GROUP_SID_INDEX], + info->num_sids - 1); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(info6); + return NULL; + } + + status = wbcsids_to_netr_SidAttrArray(&domain_sid, + &info->sids[PRIMARY_GROUP_SID_INDEX], + info->num_sids - 1, + info6, + &info6->sids, + &info6->sidcount); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(info6); + return NULL; + } + + info6->base.user_flags = info->user_flags; + memcpy(info6->base.key.key, info->user_session_key, 16); + + if (info->logon_server) { + info6->base.logon_server.string = + talloc_strdup(info6, info->logon_server); + RET_NOMEM(info6->base.logon_server.string); + } + if (info->domain_name) { + info6->base.logon_domain.string = + talloc_strdup(info6, info->domain_name); + RET_NOMEM(info6->base.logon_domain.string); + } + + info6->base.domain_sid = dom_sid_dup(info6, &domain_sid); + RET_NOMEM(info6->base.domain_sid); + + memcpy(info6->base.LMSessKey.key, info->lm_session_key, 8); + info6->base.acct_flags = info->acct_flags; + + return info6; +} diff --git a/auth/wscript_build b/auth/wscript_build new file mode 100644 index 0000000..33cbed0 --- /dev/null +++ b/auth/wscript_build @@ -0,0 +1,26 @@ +#!/usr/bin/env python + +bld.SAMBA_SUBSYSTEM('authn_policy', + source='authn_policy.c', + deps='samba-util') + +bld.SAMBA_LIBRARY('common_auth', + source='''auth_sam_reply.c + wbc_auth_util.c + auth_log.c + auth_util.c''', + deps='''talloc + samba-security + samba-util + util_str_escape + LIBTSOCKET + audit_logging + jansson + MESSAGING_SEND + server_id_db + ndr-samba''', + private_library=True) + +bld.RECURSE('gensec') +bld.RECURSE('ntlmssp') +bld.RECURSE('credentials') |