search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Support storing statd-callout state in cluster filesystem
[samba4-gss.git] / auth / credentials / pycredentials.c
blobfa6040e35c0273000db660a5753e64db7b49a30c
1 /*
2 Unix SMB/CIFS implementation.
3 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 3 of the License, or
8 (at your option) any later version.
9
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
14
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 #include "lib/replace/system/python.h"
20 #include "python/py3compat.h"
21 #include "includes.h"
22 #include "python/modules.h"
23 #include "pycredentials.h"
24 #include "param/param.h"
25 #include "auth/credentials/credentials_internal.h"
26 #include "auth/credentials/credentials_krb5.h"
27 #include "librpc/gen_ndr/dcerpc.h"
28 #include "librpc/gen_ndr/samr.h" /* for struct samr_Password */
29 #include "librpc/gen_ndr/netlogon.h"
30 #include "libcli/util/pyerrors.h"
31 #include "libcli/auth/libcli_auth.h"
32 #include "param/pyparam.h"
33 #include <tevent.h>
34 #include "libcli/auth/libcli_auth.h"
35 #include "system/kerberos.h"
36 #include "auth/kerberos/kerberos.h"
37 #include "libcli/smb/smb_constants.h"
38
39 static PyObject *py_creds_new(PyTypeObject *type, PyObject *args, PyObject *kwargs)
40 {
41 return pytalloc_steal(type, cli_credentials_init(NULL));
42 }
43
44 static PyObject *PyCredentials_from_cli_credentials(struct cli_credentials *creds)
45 {
46 return pytalloc_reference(&PyCredentials, creds);
47 }
48
49 static PyObject *py_creds_get_username(PyObject *self, PyObject *unused)
50 {
51 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
52 if (creds == NULL) {
53 PyErr_Format(PyExc_TypeError, "Credentials expected");
54 return NULL;
55 }
56 return PyString_FromStringOrNULL(cli_credentials_get_username(creds));
57 }
58
59 static PyObject *py_creds_set_username(PyObject *self, PyObject *args)
60 {
61 char *newval;
62 enum credentials_obtained obt = CRED_SPECIFIED;
63 int _obt = obt;
64 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
65 if (creds == NULL) {
66 PyErr_Format(PyExc_TypeError, "Credentials expected");
67 return NULL;
68 }
69
70 if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
71 return NULL;
72 }
73 obt = _obt;
74
75 return PyBool_FromLong(cli_credentials_set_username(creds, newval, obt));
76 }
77
78 static PyObject *py_creds_get_ntlm_username_domain(PyObject *self, PyObject *unused)
79 {
80 TALLOC_CTX *frame = talloc_stackframe();
81 const char *user = NULL;
82 const char *domain = NULL;
83 PyObject *ret = NULL;
84 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
85 if (creds == NULL) {
86 PyErr_Format(PyExc_TypeError, "Credentials expected");
87 return NULL;
88 }
89 cli_credentials_get_ntlm_username_domain(creds,
90 frame, &user, &domain);
91 ret = Py_BuildValue("(ss)",
92 user,
93 domain);
94
95 TALLOC_FREE(frame);
96 return ret;
97 }
98
99 static PyObject *py_creds_get_ntlm_response(PyObject *self, PyObject *args, PyObject *kwargs)
100 {
101 TALLOC_CTX *frame = talloc_stackframe();
102 PyObject *ret = NULL;
103 int flags;
104 struct timeval tv_now;
105 NTTIME server_timestamp;
106 DATA_BLOB challenge = data_blob_null;
107 DATA_BLOB target_info = data_blob_null;
108 NTSTATUS status;
109 DATA_BLOB lm_response = data_blob_null;
110 DATA_BLOB nt_response = data_blob_null;
111 DATA_BLOB lm_session_key = data_blob_null;
112 DATA_BLOB nt_session_key = data_blob_null;
113 const char *kwnames[] = { "flags", "challenge",
114 "target_info",
115 NULL };
116 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
117 if (creds == NULL) {
118 PyErr_Format(PyExc_TypeError, "Credentials expected");
119 return NULL;
120 }
121
122 tv_now = timeval_current();
123 server_timestamp = timeval_to_nttime(&tv_now);
124
125 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "is#|s#",
126 discard_const_p(char *, kwnames),
127 &flags,
128 &challenge.data,
129 &challenge.length,
130 &target_info.data,
131 &target_info.length)) {
132 return NULL;
133 }
134
135 status = cli_credentials_get_ntlm_response(creds,
136 frame, &flags,
137 challenge,
138 &server_timestamp,
139 target_info,
140 &lm_response, &nt_response,
141 &lm_session_key, &nt_session_key);
142
143 if (!NT_STATUS_IS_OK(status)) {
144 PyErr_SetNTSTATUS(status);
145 TALLOC_FREE(frame);
146 return NULL;
147 }
148
149 ret = Py_BuildValue("{sis" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN
150 "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "}",
151 "flags", flags,
152 "lm_response",
153 (const char *)lm_response.data, lm_response.length,
154 "nt_response",
155 (const char *)nt_response.data, nt_response.length,
156 "lm_session_key",
157 (const char *)lm_session_key.data, lm_session_key.length,
158 "nt_session_key",
159 (const char *)nt_session_key.data, nt_session_key.length);
160 TALLOC_FREE(frame);
161 return ret;
162 }
163
164 static PyObject *py_creds_get_principal(PyObject *self, PyObject *unused)
165 {
166 TALLOC_CTX *frame = talloc_stackframe();
167 PyObject *ret = NULL;
168 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
169 if (creds == NULL) {
170 PyErr_Format(PyExc_TypeError, "Credentials expected");
171 return NULL;
172 }
173 ret = PyString_FromStringOrNULL(cli_credentials_get_principal(creds, frame));
174 TALLOC_FREE(frame);
175 return ret;
176 }
177
178 static PyObject *py_creds_set_principal(PyObject *self, PyObject *args)
179 {
180 char *newval;
181 enum credentials_obtained obt = CRED_SPECIFIED;
182 int _obt = obt;
183 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
184 if (creds == NULL) {
185 PyErr_Format(PyExc_TypeError, "Credentials expected");
186 return NULL;
187 }
188
189 if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
190 return NULL;
191 }
192 obt = _obt;
193
194 return PyBool_FromLong(cli_credentials_set_principal(creds, newval, obt));
195 }
196
197 static PyObject *py_creds_get_password(PyObject *self, PyObject *unused)
198 {
199 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
200 if (creds == NULL) {
201 PyErr_Format(PyExc_TypeError, "Credentials expected");
202 return NULL;
203 }
204 return PyString_FromStringOrNULL(cli_credentials_get_password(creds));
205 }
206
207 static PyObject *py_creds_set_password(PyObject *self, PyObject *args)
208 {
209 const char *newval = NULL;
210 enum credentials_obtained obt = CRED_SPECIFIED;
211 int _obt = obt;
212 PyObject *result = NULL;
213 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
214 if (creds == NULL) {
215 PyErr_Format(PyExc_TypeError, "Credentials expected");
216 return NULL;
217 }
218
219 if (!PyArg_ParseTuple(args, PYARG_STR_UNI"|i", "utf8", &newval, &_obt)) {
220 return NULL;
221 }
222 obt = _obt;
223
224 result = PyBool_FromLong(cli_credentials_set_password(creds, newval, obt));
225 PyMem_Free(discard_const_p(void*, newval));
226 return result;
227 }
228
229 static PyObject *py_creds_set_utf16_password(PyObject *self, PyObject *args)
230 {
231 enum credentials_obtained obt = CRED_SPECIFIED;
232 int _obt = obt;
233 PyObject *newval = NULL;
234 DATA_BLOB blob = data_blob_null;
235 Py_ssize_t size = 0;
236 int result;
237 bool ok;
238 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
239 if (creds == NULL) {
240 PyErr_Format(PyExc_TypeError, "Credentials expected");
241 return NULL;
242 }
243
244 if (!PyArg_ParseTuple(args, "O|i", &newval, &_obt)) {
245 return NULL;
246 }
247 obt = _obt;
248
249 result = PyBytes_AsStringAndSize(newval, (char **)&blob.data, &size);
250 if (result != 0) {
251 PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes");
252 return NULL;
253 }
254 blob.length = size;
255
256 ok = cli_credentials_set_utf16_password(creds,
257 &blob, obt);
258
259 return PyBool_FromLong(ok);
260 }
261
262 static PyObject *py_creds_get_old_password(PyObject *self, PyObject *unused)
263 {
264 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
265 if (creds == NULL) {
266 PyErr_Format(PyExc_TypeError, "Credentials expected");
267 return NULL;
268 }
269 return PyString_FromStringOrNULL(cli_credentials_get_old_password(creds));
270 }
271
272 static PyObject *py_creds_set_old_password(PyObject *self, PyObject *args)
273 {
274 char *oldval;
275 enum credentials_obtained obt = CRED_SPECIFIED;
276 int _obt = obt;
277 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
278 if (creds == NULL) {
279 PyErr_Format(PyExc_TypeError, "Credentials expected");
280 return NULL;
281 }
282
283 if (!PyArg_ParseTuple(args, "s|i", &oldval, &_obt)) {
284 return NULL;
285 }
286 obt = _obt;
287
288 return PyBool_FromLong(cli_credentials_set_old_password(creds, oldval, obt));
289 }
290
291 static PyObject *py_creds_set_old_utf16_password(PyObject *self, PyObject *args)
292 {
293 PyObject *oldval = NULL;
294 DATA_BLOB blob = data_blob_null;
295 Py_ssize_t size = 0;
296 int result;
297 bool ok;
298 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
299 if (creds == NULL) {
300 PyErr_Format(PyExc_TypeError, "Credentials expected");
301 return NULL;
302 }
303
304 if (!PyArg_ParseTuple(args, "O", &oldval)) {
305 return NULL;
306 }
307
308 result = PyBytes_AsStringAndSize(oldval, (char **)&blob.data, &size);
309 if (result != 0) {
310 PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes");
311 return NULL;
312 }
313 blob.length = size;
314
315 ok = cli_credentials_set_old_utf16_password(creds,
316 &blob);
317
318 return PyBool_FromLong(ok);
319 }
320
321 static PyObject *py_creds_get_domain(PyObject *self, PyObject *unused)
322 {
323 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
324 if (creds == NULL) {
325 PyErr_Format(PyExc_TypeError, "Credentials expected");
326 return NULL;
327 }
328 return PyString_FromStringOrNULL(cli_credentials_get_domain(creds));
329 }
330
331 static PyObject *py_creds_set_domain(PyObject *self, PyObject *args)
332 {
333 char *newval;
334 enum credentials_obtained obt = CRED_SPECIFIED;
335 int _obt = obt;
336 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
337 if (creds == NULL) {
338 PyErr_Format(PyExc_TypeError, "Credentials expected");
339 return NULL;
340 }
341
342 if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
343 return NULL;
344 }
345 obt = _obt;
346
347 return PyBool_FromLong(cli_credentials_set_domain(creds, newval, obt));
348 }
349
350 static PyObject *py_creds_get_realm(PyObject *self, PyObject *unused)
351 {
352 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
353 if (creds == NULL) {
354 PyErr_Format(PyExc_TypeError, "Credentials expected");
355 return NULL;
356 }
357 return PyString_FromStringOrNULL(cli_credentials_get_realm(creds));
358 }
359
360 static PyObject *py_creds_set_realm(PyObject *self, PyObject *args)
361 {
362 char *newval;
363 enum credentials_obtained obt = CRED_SPECIFIED;
364 int _obt = obt;
365 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
366 if (creds == NULL) {
367 PyErr_Format(PyExc_TypeError, "Credentials expected");
368 return NULL;
369 }
370
371 if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
372 return NULL;
373 }
374 obt = _obt;
375
376 return PyBool_FromLong(cli_credentials_set_realm(creds, newval, obt));
377 }
378
379 static PyObject *py_creds_get_bind_dn(PyObject *self, PyObject *unused)
380 {
381 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
382 if (creds == NULL) {
383 PyErr_Format(PyExc_TypeError, "Credentials expected");
384 return NULL;
385 }
386 return PyString_FromStringOrNULL(cli_credentials_get_bind_dn(creds));
387 }
388
389 static PyObject *py_creds_set_bind_dn(PyObject *self, PyObject *args)
390 {
391 char *newval;
392 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
393 if (creds == NULL) {
394 PyErr_Format(PyExc_TypeError, "Credentials expected");
395 return NULL;
396 }
397 if (!PyArg_ParseTuple(args, "z", &newval))
398 return NULL;
399
400 return PyBool_FromLong(cli_credentials_set_bind_dn(creds, newval));
401 }
402
403 static PyObject *py_creds_get_workstation(PyObject *self, PyObject *unused)
404 {
405 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
406 if (creds == NULL) {
407 PyErr_Format(PyExc_TypeError, "Credentials expected");
408 return NULL;
409 }
410 return PyString_FromStringOrNULL(cli_credentials_get_workstation(creds));
411 }
412
413 static PyObject *py_creds_set_workstation(PyObject *self, PyObject *args)
414 {
415 char *newval;
416 enum credentials_obtained obt = CRED_SPECIFIED;
417 int _obt = obt;
418 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
419 if (creds == NULL) {
420 PyErr_Format(PyExc_TypeError, "Credentials expected");
421 return NULL;
422 }
423
424 if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
425 return NULL;
426 }
427 obt = _obt;
428
429 return PyBool_FromLong(cli_credentials_set_workstation(creds, newval, obt));
430 }
431
432 static PyObject *py_creds_is_anonymous(PyObject *self, PyObject *unused)
433 {
434 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
435 if (creds == NULL) {
436 PyErr_Format(PyExc_TypeError, "Credentials expected");
437 return NULL;
438 }
439 return PyBool_FromLong(cli_credentials_is_anonymous(creds));
440 }
441
442 static PyObject *py_creds_set_anonymous(PyObject *self, PyObject *unused)
443 {
444 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
445 if (creds == NULL) {
446 PyErr_Format(PyExc_TypeError, "Credentials expected");
447 return NULL;
448 }
449 cli_credentials_set_anonymous(creds);
450 Py_RETURN_NONE;
451 }
452
453 static PyObject *py_creds_authentication_requested(PyObject *self, PyObject *unused)
454 {
455 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
456 if (creds == NULL) {
457 PyErr_Format(PyExc_TypeError, "Credentials expected");
458 return NULL;
459 }
460 return PyBool_FromLong(cli_credentials_authentication_requested(creds));
461 }
462
463 static PyObject *py_creds_wrong_password(PyObject *self, PyObject *unused)
464 {
465 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
466 if (creds == NULL) {
467 PyErr_Format(PyExc_TypeError, "Credentials expected");
468 return NULL;
469 }
470 return PyBool_FromLong(cli_credentials_wrong_password(creds));
471 }
472
473 static PyObject *py_creds_set_cmdline_callbacks(PyObject *self, PyObject *unused)
474 {
475 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
476 if (creds == NULL) {
477 PyErr_Format(PyExc_TypeError, "Credentials expected");
478 return NULL;
479 }
480 return PyBool_FromLong(cli_credentials_set_cmdline_callbacks(creds));
481 }
482
483 static PyObject *py_creds_parse_string(PyObject *self, PyObject *args)
484 {
485 char *newval;
486 enum credentials_obtained obt = CRED_SPECIFIED;
487 int _obt = obt;
488 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
489 if (creds == NULL) {
490 PyErr_Format(PyExc_TypeError, "Credentials expected");
491 return NULL;
492 }
493
494 if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
495 return NULL;
496 }
497 obt = _obt;
498
499 cli_credentials_parse_string(creds, newval, obt);
500 Py_RETURN_NONE;
501 }
502
503 static PyObject *py_creds_parse_file(PyObject *self, PyObject *args)
504 {
505 char *newval;
506 enum credentials_obtained obt = CRED_SPECIFIED;
507 int _obt = obt;
508 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
509 if (creds == NULL) {
510 PyErr_Format(PyExc_TypeError, "Credentials expected");
511 return NULL;
512 }
513
514 if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
515 return NULL;
516 }
517 obt = _obt;
518
519 cli_credentials_parse_file(creds, newval, obt);
520 Py_RETURN_NONE;
521 }
522
523 static PyObject *py_cli_credentials_set_password_will_be_nt_hash(PyObject *self, PyObject *args)
524 {
525 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
526 PyObject *py_val = NULL;
527 bool val = false;
528
529 if (!PyArg_ParseTuple(args, "O!", &PyBool_Type, &py_val)) {
530 return NULL;
531 }
532 val = PyObject_IsTrue(py_val);
533
534 cli_credentials_set_password_will_be_nt_hash(creds, val);
535 Py_RETURN_NONE;
536 }
537
538 static PyObject *py_creds_get_nt_hash(PyObject *self, PyObject *unused)
539 {
540 PyObject *ret;
541 struct samr_Password *ntpw = NULL;
542 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
543 if (creds == NULL) {
544 PyErr_Format(PyExc_TypeError, "Credentials expected");
545 return NULL;
546 }
547 ntpw = cli_credentials_get_nt_hash(creds, creds);
548 if (ntpw == NULL) {
549 Py_RETURN_NONE;
550 }
551
552 ret = PyBytes_FromStringAndSize(discard_const_p(char, ntpw->hash), 16);
553 TALLOC_FREE(ntpw);
554 return ret;
555 }
556
557 static PyObject *py_creds_set_nt_hash(PyObject *self, PyObject *args)
558 {
559 PyObject *py_cp = Py_None;
560 const struct samr_Password *pwd = NULL;
561 enum credentials_obtained obt = CRED_SPECIFIED;
562 int _obt = obt;
563 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
564 if (creds == NULL) {
565 PyErr_Format(PyExc_TypeError, "Credentials expected");
566 return NULL;
567 }
568
569 if (!PyArg_ParseTuple(args, "O|i", &py_cp, &_obt)) {
570 return NULL;
571 }
572 obt = _obt;
573
574 if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) {
575 /* py_check_dcerpc_type sets TypeError */
576 return NULL;
577 }
578
579 pwd = pytalloc_get_ptr(py_cp);
580
581 return PyBool_FromLong(cli_credentials_set_nt_hash(creds, pwd, obt));
582 }
583
584 static PyObject *py_creds_get_kerberos_state(PyObject *self, PyObject *unused)
585 {
586 int state;
587 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
588 if (creds == NULL) {
589 PyErr_Format(PyExc_TypeError, "Credentials expected");
590 return NULL;
591 }
592 state = cli_credentials_get_kerberos_state(creds);
593 return PyLong_FromLong(state);
594 }
595
596 static PyObject *py_creds_set_kerberos_state(PyObject *self, PyObject *args)
597 {
598 int state;
599 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
600 if (creds == NULL) {
601 PyErr_Format(PyExc_TypeError, "Credentials expected");
602 return NULL;
603 }
604 if (!PyArg_ParseTuple(args, "i", &state))
605 return NULL;
606
607 cli_credentials_set_kerberos_state(creds, state, CRED_SPECIFIED);
608 Py_RETURN_NONE;
609 }
610
611 static PyObject *py_creds_set_krb_forwardable(PyObject *self, PyObject *args)
612 {
613 int state;
614 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
615 if (creds == NULL) {
616 PyErr_Format(PyExc_TypeError, "Credentials expected");
617 return NULL;
618 }
619 if (!PyArg_ParseTuple(args, "i", &state))
620 return NULL;
621
622 cli_credentials_set_krb_forwardable(creds, state);
623 Py_RETURN_NONE;
624 }
625
626
627 static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
628 {
629 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
630 if (creds == NULL) {
631 PyErr_Format(PyExc_TypeError, "Credentials expected");
632 return NULL;
633 }
634 return PyString_FromStringOrNULL(cli_credentials_get_forced_sasl_mech(creds));
635 }
636
637 static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
638 {
639 char *newval;
640 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
641 if (creds == NULL) {
642 PyErr_Format(PyExc_TypeError, "Credentials expected");
643 return NULL;
644 }
645
646 if (!PyArg_ParseTuple(args, "s", &newval)) {
647 return NULL;
648 }
649
650 cli_credentials_set_forced_sasl_mech(creds, newval);
651 Py_RETURN_NONE;
652 }
653
654 static PyObject *py_creds_set_conf(PyObject *self, PyObject *args)
655 {
656 PyObject *py_lp_ctx = Py_None;
657 struct loadparm_context *lp_ctx;
658 TALLOC_CTX *mem_ctx;
659 struct cli_credentials *creds;
660 bool ok;
661
662 creds = PyCredentials_AsCliCredentials(self);
663 if (creds == NULL) {
664 PyErr_Format(PyExc_TypeError, "Credentials expected");
665 return NULL;
666 }
667
668 if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx)) {
669 return NULL;
670 }
671
672 mem_ctx = talloc_new(NULL);
673 if (mem_ctx == NULL) {
674 PyErr_NoMemory();
675 return NULL;
676 }
677
678 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
679 if (lp_ctx == NULL) {
680 talloc_free(mem_ctx);
681 return NULL;
682 }
683
684 ok = cli_credentials_set_conf(creds, lp_ctx);
685 talloc_free(mem_ctx);
686 if (!ok) {
687 return NULL;
688 }
689
690 Py_RETURN_NONE;
691 }
692
693 static PyObject *py_creds_guess(PyObject *self, PyObject *args)
694 {
695 PyObject *py_lp_ctx = Py_None;
696 struct loadparm_context *lp_ctx;
697 TALLOC_CTX *mem_ctx;
698 struct cli_credentials *creds;
699 bool ok;
700
701 creds = PyCredentials_AsCliCredentials(self);
702 if (creds == NULL) {
703 PyErr_Format(PyExc_TypeError, "Credentials expected");
704 return NULL;
705 }
706
707 if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
708 return NULL;
709
710 mem_ctx = talloc_new(NULL);
711 if (mem_ctx == NULL) {
712 PyErr_NoMemory();
713 return NULL;
714 }
715
716 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
717 if (lp_ctx == NULL) {
718 talloc_free(mem_ctx);
719 return NULL;
720 }
721
722 ok = cli_credentials_guess(creds, lp_ctx);
723 talloc_free(mem_ctx);
724 if (!ok) {
725 return NULL;
726 }
727
728 Py_RETURN_NONE;
729 }
730
731 static PyObject *py_creds_set_machine_account(PyObject *self, PyObject *args)
732 {
733 PyObject *py_lp_ctx = Py_None;
734 struct loadparm_context *lp_ctx;
735 NTSTATUS status;
736 struct cli_credentials *creds;
737 TALLOC_CTX *mem_ctx;
738
739 creds = PyCredentials_AsCliCredentials(self);
740 if (creds == NULL) {
741 PyErr_Format(PyExc_TypeError, "Credentials expected");
742 return NULL;
743 }
744
745 if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
746 return NULL;
747
748 mem_ctx = talloc_new(NULL);
749 if (mem_ctx == NULL) {
750 PyErr_NoMemory();
751 return NULL;
752 }
753
754 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
755 if (lp_ctx == NULL) {
756 talloc_free(mem_ctx);
757 return NULL;
758 }
759
760 status = cli_credentials_set_machine_account(creds, lp_ctx);
761 talloc_free(mem_ctx);
762
763 PyErr_NTSTATUS_IS_ERR_RAISE(status);
764
765 Py_RETURN_NONE;
766 }
767
768 static PyObject *PyCredentialCacheContainer_from_ccache_container(struct ccache_container *ccc)
769 {
770 return pytalloc_reference(&PyCredentialCacheContainer, ccc);
771 }
772
773
774 static PyObject *py_creds_get_named_ccache(PyObject *self, PyObject *args)
775 {
776 PyObject *py_lp_ctx = Py_None;
777 char *ccache_name = NULL;
778 struct loadparm_context *lp_ctx;
779 struct ccache_container *ccc;
780 struct tevent_context *event_ctx;
781 int ret;
782 const char *error_string;
783 struct cli_credentials *creds;
784 TALLOC_CTX *mem_ctx;
785
786 creds = PyCredentials_AsCliCredentials(self);
787 if (creds == NULL) {
788 PyErr_Format(PyExc_TypeError, "Credentials expected");
789 return NULL;
790 }
791
792 if (!PyArg_ParseTuple(args, "|Os", &py_lp_ctx, &ccache_name))
793 return NULL;
794
795 mem_ctx = talloc_new(NULL);
796 if (mem_ctx == NULL) {
797 PyErr_NoMemory();
798 return NULL;
799 }
800
801 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
802 if (lp_ctx == NULL) {
803 talloc_free(mem_ctx);
804 return NULL;
805 }
806
807 event_ctx = samba_tevent_context_init(mem_ctx);
808
809 ret = cli_credentials_get_named_ccache(creds, event_ctx, lp_ctx,
810 ccache_name, &ccc, &error_string);
811 talloc_unlink(mem_ctx, lp_ctx);
812 if (ret == 0) {
813 talloc_steal(ccc, event_ctx);
814 talloc_free(mem_ctx);
815 return PyCredentialCacheContainer_from_ccache_container(ccc);
816 }
817
818 PyErr_SetString(PyExc_RuntimeError, error_string?error_string:"NULL");
819
820 talloc_free(mem_ctx);
821 return NULL;
822 }
823
824 static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
825 {
826 struct loadparm_context *lp_ctx = NULL;
827 enum credentials_obtained obt = CRED_SPECIFIED;
828 const char *error_string = NULL;
829 TALLOC_CTX *mem_ctx = NULL;
830 char *newval = NULL;
831 PyObject *py_lp_ctx = Py_None;
832 int _obt = obt;
833 int ret;
834 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
835 if (creds == NULL) {
836 PyErr_Format(PyExc_TypeError, "Credentials expected");
837 return NULL;
838 }
839
840 if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
841 return NULL;
842 obt = _obt;
843
844 mem_ctx = talloc_new(NULL);
845 if (mem_ctx == NULL) {
846 PyErr_NoMemory();
847 return NULL;
848 }
849
850 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
851 if (lp_ctx == NULL) {
852 talloc_free(mem_ctx);
853 return NULL;
854 }
855
856 ret = cli_credentials_set_ccache(creds,
857 lp_ctx,
858 newval, obt,
859 &error_string);
860
861 if (ret != 0) {
862 PyErr_SetString(PyExc_RuntimeError,
863 error_string != NULL ? error_string : "NULL");
864 talloc_free(mem_ctx);
865 return NULL;
866 }
867
868 talloc_free(mem_ctx);
869 Py_RETURN_NONE;
870 }
871
872 static PyObject *py_creds_set_gensec_features(PyObject *self, PyObject *args)
873 {
874 unsigned int gensec_features;
875 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
876 if (creds == NULL) {
877 PyErr_Format(PyExc_TypeError, "Credentials expected");
878 return NULL;
879 }
880
881 if (!PyArg_ParseTuple(args, "I", &gensec_features))
882 return NULL;
883
884 cli_credentials_set_gensec_features(creds,
885 gensec_features,
886 CRED_SPECIFIED);
887
888 Py_RETURN_NONE;
889 }
890
891 static PyObject *py_creds_get_gensec_features(PyObject *self, PyObject *args)
892 {
893 unsigned int gensec_features;
894 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
895 if (creds == NULL) {
896 PyErr_Format(PyExc_TypeError, "Credentials expected");
897 return NULL;
898 }
899
900 gensec_features = cli_credentials_get_gensec_features(creds);
901 return PyLong_FromLong(gensec_features);
902 }
903
904 static PyObject *py_creds_new_client_authenticator(PyObject *self,
905 PyObject *args)
906 {
907 struct netr_Authenticator auth;
908 struct cli_credentials *creds = NULL;
909 struct netlogon_creds_CredentialState *nc = NULL;
910 PyObject *ret = NULL;
911 NTSTATUS status;
912
913 creds = PyCredentials_AsCliCredentials(self);
914 if (creds == NULL) {
915 PyErr_SetString(PyExc_RuntimeError,
916 "Failed to get credentials from python");
917 return NULL;
918 }
919
920 nc = creds->netlogon_creds;
921 if (nc == NULL) {
922 PyErr_SetString(PyExc_ValueError,
923 "No netlogon credentials cannot make "
924 "client authenticator");
925 return NULL;
926 }
927
928 status = netlogon_creds_client_authenticator(nc, &auth);
929 if (!NT_STATUS_IS_OK(status)) {
930 PyErr_SetString(PyExc_ValueError,
931 "Failed to create client authenticator");
932 return NULL;
933 }
934
935 ret = Py_BuildValue("{s"PYARG_BYTES_LEN"si}",
936 "credential",
937 (const char *) &auth.cred, sizeof(auth.cred),
938 "timestamp", auth.timestamp);
939 return ret;
940 }
941
942 static PyObject *py_creds_set_secure_channel_type(PyObject *self, PyObject *args)
943 {
944 unsigned int channel_type;
945 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
946 if (creds == NULL) {
947 PyErr_Format(PyExc_TypeError, "Credentials expected");
948 return NULL;
949 }
950
951 if (!PyArg_ParseTuple(args, "I", &channel_type))
952 return NULL;
953
954 cli_credentials_set_secure_channel_type(
955 creds,
956 channel_type);
957
958 Py_RETURN_NONE;
959 }
960
961 static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args)
962 {
963 enum netr_SchannelType channel_type = SEC_CHAN_NULL;
964 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
965 if (creds == NULL) {
966 PyErr_Format(PyExc_TypeError, "Credentials expected");
967 return NULL;
968 }
969
970 channel_type = cli_credentials_get_secure_channel_type(creds);
971
972 return PyLong_FromLong(channel_type);
973 }
974
975 static PyObject *py_creds_get_netlogon_creds(PyObject *self, PyObject *unused)
976 {
977 struct cli_credentials *creds = NULL;
978 struct netlogon_creds_CredentialState *ncreds = NULL;
979 PyObject *py_ncreds = Py_None;
980
981 creds = PyCredentials_AsCliCredentials(self);
982 if (creds == NULL) {
983 PyErr_Format(PyExc_TypeError, "Credentials expected");
984 return NULL;
985 }
986
987 if (creds->netlogon_creds == NULL) {
988 Py_RETURN_NONE;
989 }
990
991 ncreds = netlogon_creds_copy(NULL, creds->netlogon_creds);
992 if (ncreds == NULL) {
993 PyErr_NoMemory();
994 return NULL;
995 }
996
997 py_ncreds = py_return_ndr_struct("samba.dcerpc.schannel",
998 "netlogon_creds_CredentialState",
999 ncreds,
1000 ncreds);
1001 if (py_ncreds == NULL) {
1002 TALLOC_FREE(ncreds);
1003 return NULL;
1004 }
1005
1006 return py_ncreds;
1007 }
1008
1009 static PyObject *py_creds_set_netlogon_creds(PyObject *self, PyObject *args)
1010 {
1011 struct cli_credentials *creds = NULL;
1012 const struct netlogon_creds_CredentialState *ncreds = NULL;
1013 PyObject *py_ncreds = Py_None;
1014
1015 creds = PyCredentials_AsCliCredentials(self);
1016 if (creds == NULL) {
1017 PyErr_Format(PyExc_TypeError, "Credentials expected");
1018 return NULL;
1019 }
1020
1021 if (!PyArg_ParseTuple(args, "O", &py_ncreds))
1022 return NULL;
1023
1024 if (py_ncreds == Py_None) {
1025 ncreds = NULL;
1026 } else {
1027 bool ok;
1028
1029 ok = py_check_dcerpc_type(py_ncreds,
1030 "samba.dcerpc.schannel",
1031 "netlogon_creds_CredentialState");
1032 if (!ok) {
1033 /* py_check_dcerpc_type sets TypeError */
1034 return NULL;
1035 }
1036
1037 ncreds = pytalloc_get_type(py_ncreds,
1038 struct netlogon_creds_CredentialState);
1039 if (ncreds == NULL) {
1040 /* pytalloc_get_type sets TypeError */
1041 return NULL;
1042 }
1043 }
1044
1045 cli_credentials_set_netlogon_creds(creds, ncreds);
1046 if (ncreds != NULL && creds->netlogon_creds == NULL) {
1047 PyErr_NoMemory();
1048 return NULL;
1049 }
1050
1051 Py_RETURN_NONE;
1052 }
1053
1054 static PyObject *py_creds_set_kerberos_salt_principal(PyObject *self, PyObject *args)
1055 {
1056 char *salt_principal = NULL;
1057 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
1058 if (creds == NULL) {
1059 PyErr_Format(PyExc_TypeError, "Credentials expected");
1060 return NULL;
1061 }
1062
1063 if (!PyArg_ParseTuple(args, "s", &salt_principal))
1064 return NULL;
1065
1066 cli_credentials_set_salt_principal(
1067 creds,
1068 salt_principal);
1069
1070 Py_RETURN_NONE;
1071 }
1072
1073 static PyObject *py_creds_get_kerberos_salt_principal(PyObject *self, PyObject *unused)
1074 {
1075 TALLOC_CTX *mem_ctx;
1076 PyObject *ret = NULL;
1077 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
1078 if (creds == NULL) {
1079 PyErr_Format(PyExc_TypeError, "Credentials expected");
1080 return NULL;
1081 }
1082 mem_ctx = talloc_new(NULL);
1083 if (mem_ctx == NULL) {
1084 PyErr_NoMemory();
1085 return NULL;
1086 }
1087
1088 ret = PyString_FromStringOrNULL(cli_credentials_get_salt_principal(creds, mem_ctx));
1089
1090 TALLOC_FREE(mem_ctx);
1091
1092 return ret;
1093 }
1094
1095 static PyObject *py_creds_get_kerberos_key_current_or_old(PyObject *self, PyObject *args, bool old)
1096 {
1097 struct loadparm_context *lp_ctx = NULL;
1098 TALLOC_CTX *mem_ctx = NULL;
1099 PyObject *py_lp_ctx = Py_None;
1100 DATA_BLOB key;
1101 int code;
1102 int enctype;
1103 PyObject *ret = NULL;
1104 struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
1105 if (creds == NULL) {
1106 PyErr_Format(PyExc_TypeError, "Credentials expected");
1107 return NULL;
1108 }
1109
1110 if (!PyArg_ParseTuple(args, "i|O", &enctype, &py_lp_ctx))
1111 return NULL;
1112
1113 mem_ctx = talloc_new(NULL);
1114 if (mem_ctx == NULL) {
1115 PyErr_NoMemory();
1116 return NULL;
1117 }
1118
1119 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
1120 if (lp_ctx == NULL) {
1121 talloc_free(mem_ctx);
1122 return NULL;
1123 }
1124
1125 code = cli_credentials_get_kerberos_key(creds,
1126 mem_ctx,
1127 lp_ctx,
1128 enctype,
1129 old,
1130 &key);
1131 if (code != 0) {
1132 PyErr_SetString(PyExc_RuntimeError,
1133 "Failed to generate Kerberos key");
1134 talloc_free(mem_ctx);
1135 return NULL;
1136 }
1137
1138 ret = PyBytes_FromStringAndSize((const char *)key.data,
1139 key.length);
1140 talloc_free(mem_ctx);
1141 return ret;
1142 }
1143
1144 static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
1145 {
1146 return py_creds_get_kerberos_key_current_or_old(self, args, false);
1147 }
1148
1149 static PyObject *py_creds_get_old_kerberos_key(PyObject *self, PyObject *args)
1150 {
1151 return py_creds_get_kerberos_key_current_or_old(self, args, true);
1152 }
1153
1154 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
1155 PyObject *args)
1156 {
1157 struct cli_credentials *creds = NULL;
1158 struct netr_CryptPassword *pwd = NULL;
1159 struct samr_CryptPassword spwd;
1160 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1161 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
1162 NTSTATUS status;
1163 PyObject *py_cp = Py_None;
1164
1165 creds = PyCredentials_AsCliCredentials(self);
1166 if (creds == NULL) {
1167 PyErr_Format(PyExc_TypeError, "Credentials expected");
1168 return NULL;
1169 }
1170
1171 if (!PyArg_ParseTuple(args, "O", &py_cp)) {
1172 return NULL;
1173 }
1174
1175 if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.netlogon", "netr_CryptPassword")) {
1176 /* py_check_dcerpc_type sets TypeError */
1177 return NULL;
1178 }
1179
1180 pwd = pytalloc_get_ptr(py_cp);
1181 if (pwd == NULL) {
1182 /* pytalloc_get_type sets TypeError */
1183 return NULL;
1184 }
1185
1186 memcpy(spwd.data, pwd->data, 512);
1187 PUSH_LE_U32(spwd.data, 512, pwd->length);
1188
1189 status = netlogon_creds_encrypt_samr_CryptPassword(creds->netlogon_creds,
1190 &spwd,
1191 auth_type,
1192 auth_level);
1193
1194 memcpy(pwd->data, spwd.data, 512);
1195 pwd->length = PULL_LE_U32(spwd.data, 512);
1196 ZERO_STRUCT(spwd);
1197
1198 PyErr_NTSTATUS_IS_ERR_RAISE(status);
1199
1200 Py_RETURN_NONE;
1201 }
1202
1203 static PyObject *py_creds_encrypt_netr_PasswordInfo(PyObject *self,
1204 PyObject *args,
1205 PyObject *kwargs)
1206 {
1207 const char * const kwnames[] = {
1208 "info",
1209 "auth_type",
1210 "auth_level",
1211 NULL
1212 };
1213 struct cli_credentials *creds = NULL;
1214 PyObject *py_info = Py_None;
1215 enum netr_LogonInfoClass level = NetlogonInteractiveInformation;
1216 union netr_LogonLevel logon = { .password = NULL, };
1217 uint8_t auth_type = DCERPC_AUTH_TYPE_NONE;
1218 uint8_t auth_level = DCERPC_AUTH_LEVEL_NONE;
1219 NTSTATUS status;
1220 bool ok;
1221
1222 creds = PyCredentials_AsCliCredentials(self);
1223 if (creds == NULL) {
1224 PyErr_Format(PyExc_TypeError, "Credentials expected");
1225 return NULL;
1226 }
1227
1228 if (creds->netlogon_creds == NULL) {
1229 PyErr_Format(PyExc_ValueError, "NetLogon credentials not set");
1230 return NULL;
1231 }
1232
1233 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Obb",
1234 discard_const_p(char *, kwnames),
1235 &py_info, &auth_type, &auth_level))
1236 {
1237 return NULL;
1238 }
1239
1240 ok = py_check_dcerpc_type(py_info,
1241 "samba.dcerpc.netlogon",
1242 "netr_PasswordInfo");
1243 if (!ok) {
1244 /* py_check_dcerpc_type sets TypeError */
1245 return NULL;
1246 }
1247
1248 logon.password = pytalloc_get_type(py_info, struct netr_PasswordInfo);
1249 if (logon.password == NULL) {
1250 /* pytalloc_get_type sets TypeError */
1251 return NULL;
1252 }
1253
1254 status = netlogon_creds_encrypt_samlogon_logon(creds->netlogon_creds,
1255 level,
1256 &logon,
1257 auth_type,
1258 auth_level);
1259
1260 PyErr_NTSTATUS_IS_ERR_RAISE(status);
1261
1262 Py_RETURN_NONE;
1263 }
1264
1265 static PyObject *py_creds_get_smb_signing(PyObject *self, PyObject *unused)
1266 {
1267 enum smb_signing_setting signing_state;
1268 struct cli_credentials *creds = NULL;
1269
1270 creds = PyCredentials_AsCliCredentials(self);
1271 if (creds == NULL) {
1272 PyErr_Format(PyExc_TypeError, "Credentials expected");
1273 return NULL;
1274 }
1275
1276 signing_state = cli_credentials_get_smb_signing(creds);
1277 return PyLong_FromLong(signing_state);
1278 }
1279
1280 static PyObject *py_creds_set_smb_signing(PyObject *self, PyObject *args)
1281 {
1282 enum smb_signing_setting signing_state;
1283 struct cli_credentials *creds = NULL;
1284 enum credentials_obtained obt = CRED_SPECIFIED;
1285
1286 creds = PyCredentials_AsCliCredentials(self);
1287 if (creds == NULL) {
1288 PyErr_Format(PyExc_TypeError, "Credentials expected");
1289 return NULL;
1290 }
1291 if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
1292 return NULL;
1293 }
1294
1295 switch (signing_state) {
1296 case SMB_SIGNING_DEFAULT:
1297 case SMB_SIGNING_OFF:
1298 case SMB_SIGNING_IF_REQUIRED:
1299 case SMB_SIGNING_DESIRED:
1300 case SMB_SIGNING_REQUIRED:
1301 break;
1302 default:
1303 PyErr_Format(PyExc_TypeError, "Invalid signing state value");
1304 return NULL;
1305 }
1306
1307 cli_credentials_set_smb_signing(creds, signing_state, obt);
1308 Py_RETURN_NONE;
1309 }
1310
1311 static PyObject *py_creds_get_smb_ipc_signing(PyObject *self, PyObject *unused)
1312 {
1313 enum smb_signing_setting signing_state;
1314 struct cli_credentials *creds = NULL;
1315
1316 creds = PyCredentials_AsCliCredentials(self);
1317 if (creds == NULL) {
1318 PyErr_Format(PyExc_TypeError, "Credentials expected");
1319 return NULL;
1320 }
1321
1322 signing_state = cli_credentials_get_smb_ipc_signing(creds);
1323 return PyLong_FromLong(signing_state);
1324 }
1325
1326 static PyObject *py_creds_set_smb_ipc_signing(PyObject *self, PyObject *args)
1327 {
1328 enum smb_signing_setting signing_state;
1329 struct cli_credentials *creds = NULL;
1330 enum credentials_obtained obt = CRED_SPECIFIED;
1331
1332 creds = PyCredentials_AsCliCredentials(self);
1333 if (creds == NULL) {
1334 PyErr_Format(PyExc_TypeError, "Credentials expected");
1335 return NULL;
1336 }
1337 if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
1338 return NULL;
1339 }
1340
1341 switch (signing_state) {
1342 case SMB_SIGNING_DEFAULT:
1343 case SMB_SIGNING_OFF:
1344 case SMB_SIGNING_IF_REQUIRED:
1345 case SMB_SIGNING_DESIRED:
1346 case SMB_SIGNING_REQUIRED:
1347 break;
1348 default:
1349 PyErr_Format(PyExc_TypeError, "Invalid signing state value");
1350 return NULL;
1351 }
1352
1353 cli_credentials_set_smb_ipc_signing(creds, signing_state, obt);
1354 Py_RETURN_NONE;
1355 }
1356
1357 static PyObject *py_creds_get_smb_encryption(PyObject *self, PyObject *unused)
1358 {
1359 enum smb_encryption_setting encryption_state;
1360 struct cli_credentials *creds = NULL;
1361
1362 creds = PyCredentials_AsCliCredentials(self);
1363 if (creds == NULL) {
1364 PyErr_Format(PyExc_TypeError, "Credentials expected");
1365 return NULL;
1366 }
1367
1368 encryption_state = cli_credentials_get_smb_encryption(creds);
1369 return PyLong_FromLong(encryption_state);
1370 }
1371
1372 static PyObject *py_creds_set_smb_encryption(PyObject *self, PyObject *args)
1373 {
1374 enum smb_encryption_setting encryption_state;
1375 struct cli_credentials *creds = NULL;
1376 enum credentials_obtained obt = CRED_SPECIFIED;
1377
1378 creds = PyCredentials_AsCliCredentials(self);
1379 if (creds == NULL) {
1380 PyErr_Format(PyExc_TypeError, "Credentials expected");
1381 return NULL;
1382 }
1383 if (!PyArg_ParseTuple(args, "i|i", &encryption_state, &obt)) {
1384 return NULL;
1385 }
1386
1387 switch (encryption_state) {
1388 case SMB_ENCRYPTION_DEFAULT:
1389 case SMB_ENCRYPTION_OFF:
1390 case SMB_ENCRYPTION_IF_REQUIRED:
1391 case SMB_ENCRYPTION_DESIRED:
1392 case SMB_ENCRYPTION_REQUIRED:
1393 break;
1394 default:
1395 PyErr_Format(PyExc_TypeError, "Invalid encryption state value");
1396 return NULL;
1397 }
1398
1399 (void)cli_credentials_set_smb_encryption(creds, encryption_state, obt);
1400 Py_RETURN_NONE;
1401 }
1402
1403 static PyObject *py_creds_get_krb5_fast_armor_credentials(PyObject *self, PyObject *unused)
1404 {
1405 struct cli_credentials *creds = NULL;
1406 struct cli_credentials *fast_creds = NULL;
1407
1408 creds = PyCredentials_AsCliCredentials(self);
1409 if (creds == NULL) {
1410 PyErr_Format(PyExc_TypeError, "Credentials expected");
1411 return NULL;
1412 }
1413
1414 fast_creds = cli_credentials_get_krb5_fast_armor_credentials(creds);
1415 if (fast_creds == NULL) {
1416 Py_RETURN_NONE;
1417 }
1418
1419 return PyCredentials_from_cli_credentials(fast_creds);
1420 }
1421
1422 static PyObject *py_creds_set_krb5_fast_armor_credentials(PyObject *self, PyObject *args)
1423 {
1424 struct cli_credentials *creds = NULL;
1425 PyObject *pyfast_creds;
1426 struct cli_credentials *fast_creds = NULL;
1427 int fast_armor_required = 0;
1428 NTSTATUS status;
1429
1430 creds = PyCredentials_AsCliCredentials(self);
1431 if (creds == NULL) {
1432 PyErr_Format(PyExc_TypeError, "Credentials expected");
1433 return NULL;
1434 }
1435 if (!PyArg_ParseTuple(args, "Op", &pyfast_creds, &fast_armor_required)) {
1436 return NULL;
1437 }
1438 if (pyfast_creds == Py_None) {
1439 fast_creds = NULL;
1440 } else {
1441 fast_creds = PyCredentials_AsCliCredentials(pyfast_creds);
1442 if (fast_creds == NULL) {
1443 PyErr_Format(PyExc_TypeError, "Credentials expected");
1444 return NULL;
1445 }
1446 }
1447
1448 status = cli_credentials_set_krb5_fast_armor_credentials(creds,
1449 fast_creds,
1450 fast_armor_required);
1451
1452 PyErr_NTSTATUS_IS_ERR_RAISE(status);
1453 Py_RETURN_NONE;
1454 }
1455
1456 static PyObject *py_creds_get_krb5_require_fast_armor(PyObject *self, PyObject *unused)
1457 {
1458 bool krb5_fast_armor_required;
1459 struct cli_credentials *creds = NULL;
1460
1461 creds = PyCredentials_AsCliCredentials(self);
1462 if (creds == NULL) {
1463 PyErr_Format(PyExc_TypeError, "Credentials expected");
1464 return NULL;
1465 }
1466
1467 krb5_fast_armor_required = cli_credentials_get_krb5_require_fast_armor(creds);
1468 return PyBool_FromLong(krb5_fast_armor_required);
1469 }
1470
1471 static PyMethodDef py_creds_methods[] = {
1472 {
1473 .ml_name = "get_username",
1474 .ml_meth = py_creds_get_username,
1475 .ml_flags = METH_NOARGS,
1476 .ml_doc = "S.get_username() -> username\nObtain username.",
1477 },
1478 {
1479 .ml_name = "set_username",
1480 .ml_meth = py_creds_set_username,
1481 .ml_flags = METH_VARARGS,
1482 .ml_doc = "S.set_username(name[, credentials.SPECIFIED]) -> None\n"
1483 "Change username.",
1484 },
1485 {
1486 .ml_name = "get_principal",
1487 .ml_meth = py_creds_get_principal,
1488 .ml_flags = METH_NOARGS,
1489 .ml_doc = "S.get_principal() -> user@realm\nObtain user principal.",
1490 },
1491 {
1492 .ml_name = "set_principal",
1493 .ml_meth = py_creds_set_principal,
1494 .ml_flags = METH_VARARGS,
1495 .ml_doc = "S.set_principal(name[, credentials.SPECIFIED]) -> None\n"
1496 "Change principal.",
1497 },
1498 {
1499 .ml_name = "get_password",
1500 .ml_meth = py_creds_get_password,
1501 .ml_flags = METH_NOARGS,
1502 .ml_doc = "S.get_password() -> password\n"
1503 "Obtain password.",
1504 },
1505 {
1506 .ml_name = "get_ntlm_username_domain",
1507 .ml_meth = py_creds_get_ntlm_username_domain,
1508 .ml_flags = METH_NOARGS,
1509 .ml_doc = "S.get_ntlm_username_domain() -> (domain, username)\n"
1510 "Obtain NTLM username and domain, split up either as (DOMAIN, user) or (\"\", \"user@realm\").",
1511 },
1512 {
1513 .ml_name = "get_ntlm_response",
1514 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
1515 py_creds_get_ntlm_response),
1516 .ml_flags = METH_VARARGS | METH_KEYWORDS,
1517 .ml_doc = "S.get_ntlm_response"
1518 "(flags, challenge[, target_info]) -> "
1519 "(flags, lm_response, nt_response, lm_session_key, nt_session_key)\n"
1520 "Obtain LM or NTLM response.",
1521 },
1522 {
1523 .ml_name = "set_password",
1524 .ml_meth = py_creds_set_password,
1525 .ml_flags = METH_VARARGS,
1526 .ml_doc = "S.set_password(password[, credentials.SPECIFIED]) -> None\n"
1527 "Change password.",
1528 },
1529 {
1530 .ml_name = "set_utf16_password",
1531 .ml_meth = py_creds_set_utf16_password,
1532 .ml_flags = METH_VARARGS,
1533 .ml_doc = "S.set_utf16_password(password[, credentials.SPECIFIED]) -> None\n"
1534 "Change password.",
1535 },
1536 {
1537 .ml_name = "get_old_password",
1538 .ml_meth = py_creds_get_old_password,
1539 .ml_flags = METH_NOARGS,
1540 .ml_doc = "S.get_old_password() -> password\n"
1541 "Obtain old password.",
1542 },
1543 {
1544 .ml_name = "set_old_password",
1545 .ml_meth = py_creds_set_old_password,
1546 .ml_flags = METH_VARARGS,
1547 .ml_doc = "S.set_old_password(password[, credentials.SPECIFIED]) -> None\n"
1548 "Change old password.",
1549 },
1550 {
1551 .ml_name = "set_old_utf16_password",
1552 .ml_meth = py_creds_set_old_utf16_password,
1553 .ml_flags = METH_VARARGS,
1554 .ml_doc = "S.set_old_utf16_password(password[, credentials.SPECIFIED]) -> None\n"
1555 "Change old password.",
1556 },
1557 {
1558 .ml_name = "get_domain",
1559 .ml_meth = py_creds_get_domain,
1560 .ml_flags = METH_NOARGS,
1561 .ml_doc = "S.get_domain() -> domain\n"
1562 "Obtain domain name.",
1563 },
1564 {
1565 .ml_name = "set_domain",
1566 .ml_meth = py_creds_set_domain,
1567 .ml_flags = METH_VARARGS,
1568 .ml_doc = "S.set_domain(domain[, credentials.SPECIFIED]) -> None\n"
1569 "Change domain name.",
1570 },
1571 {
1572 .ml_name = "get_realm",
1573 .ml_meth = py_creds_get_realm,
1574 .ml_flags = METH_NOARGS,
1575 .ml_doc = "S.get_realm() -> realm\n"
1576 "Obtain realm name.",
1577 },
1578 {
1579 .ml_name = "set_realm",
1580 .ml_meth = py_creds_set_realm,
1581 .ml_flags = METH_VARARGS,
1582 .ml_doc = "S.set_realm(realm[, credentials.SPECIFIED]) -> None\n"
1583 "Change realm name.",
1584 },
1585 {
1586 .ml_name = "get_bind_dn",
1587 .ml_meth = py_creds_get_bind_dn,
1588 .ml_flags = METH_NOARGS,
1589 .ml_doc = "S.get_bind_dn() -> bind dn\n"
1590 "Obtain bind DN.",
1591 },
1592 {
1593 .ml_name = "set_bind_dn",
1594 .ml_meth = py_creds_set_bind_dn,
1595 .ml_flags = METH_VARARGS,
1596 .ml_doc = "S.set_bind_dn(bind_dn) -> None\n"
1597 "Change bind DN.",
1598 },
1599 {
1600 .ml_name = "is_anonymous",
1601 .ml_meth = py_creds_is_anonymous,
1602 .ml_flags = METH_NOARGS,
1603 },
1604 {
1605 .ml_name = "set_anonymous",
1606 .ml_meth = py_creds_set_anonymous,
1607 .ml_flags = METH_NOARGS,
1608 .ml_doc = "S.set_anonymous() -> None\n"
1609 "Use anonymous credentials.",
1610 },
1611 {
1612 .ml_name = "get_workstation",
1613 .ml_meth = py_creds_get_workstation,
1614 .ml_flags = METH_NOARGS,
1615 },
1616 {
1617 .ml_name = "set_workstation",
1618 .ml_meth = py_creds_set_workstation,
1619 .ml_flags = METH_VARARGS,
1620 },
1621 {
1622 .ml_name = "authentication_requested",
1623 .ml_meth = py_creds_authentication_requested,
1624 .ml_flags = METH_NOARGS,
1625 },
1626 {
1627 .ml_name = "wrong_password",
1628 .ml_meth = py_creds_wrong_password,
1629 .ml_flags = METH_NOARGS,
1630 .ml_doc = "S.wrong_password() -> bool\n"
1631 "Indicate the returned password was incorrect.",
1632 },
1633 {
1634 .ml_name = "set_cmdline_callbacks",
1635 .ml_meth = py_creds_set_cmdline_callbacks,
1636 .ml_flags = METH_NOARGS,
1637 .ml_doc = "S.set_cmdline_callbacks() -> bool\n"
1638 "Use command-line to obtain credentials not explicitly set.",
1639 },
1640 {
1641 .ml_name = "parse_string",
1642 .ml_meth = py_creds_parse_string,
1643 .ml_flags = METH_VARARGS,
1644 .ml_doc = "S.parse_string(text[, credentials.SPECIFIED]) -> None\n"
1645 "Parse credentials string.",
1646 },
1647 {
1648 .ml_name = "parse_file",
1649 .ml_meth = py_creds_parse_file,
1650 .ml_flags = METH_VARARGS,
1651 .ml_doc = "S.parse_file(filename[, credentials.SPECIFIED]) -> None\n"
1652 "Parse credentials file.",
1653 },
1654 {
1655 .ml_name = "set_password_will_be_nt_hash",
1656 .ml_meth = py_cli_credentials_set_password_will_be_nt_hash,
1657 .ml_flags = METH_VARARGS,
1658 .ml_doc = "S.set_password_will_be_nt_hash(bool) -> None\n"
1659 "Alters the behaviour of S.set_password() "
1660 "to expect the NTHASH as hexstring.",
1661 },
1662 {
1663 .ml_name = "get_nt_hash",
1664 .ml_meth = py_creds_get_nt_hash,
1665 .ml_flags = METH_NOARGS,
1666 },
1667 {
1668 .ml_name = "set_nt_hash",
1669 .ml_meth = py_creds_set_nt_hash,
1670 .ml_flags = METH_VARARGS,
1671 .ml_doc = "S.set_net_sh(samr_Password[, credentials.SPECIFIED]) -> bool\n"
1672 "Change NT hash.",
1673 },
1674 {
1675 .ml_name = "get_kerberos_state",
1676 .ml_meth = py_creds_get_kerberos_state,
1677 .ml_flags = METH_NOARGS,
1678 },
1679 {
1680 .ml_name = "set_kerberos_state",
1681 .ml_meth = py_creds_set_kerberos_state,
1682 .ml_flags = METH_VARARGS,
1683 },
1684 {
1685 .ml_name = "set_krb_forwardable",
1686 .ml_meth = py_creds_set_krb_forwardable,
1687 .ml_flags = METH_VARARGS,
1688 },
1689 {
1690 .ml_name = "set_conf",
1691 .ml_meth = py_creds_set_conf,
1692 .ml_flags = METH_VARARGS,
1693 },
1694 {
1695 .ml_name = "guess",
1696 .ml_meth = py_creds_guess,
1697 .ml_flags = METH_VARARGS,
1698 },
1699 {
1700 .ml_name = "set_machine_account",
1701 .ml_meth = py_creds_set_machine_account,
1702 .ml_flags = METH_VARARGS,
1703 },
1704 {
1705 .ml_name = "get_named_ccache",
1706 .ml_meth = py_creds_get_named_ccache,
1707 .ml_flags = METH_VARARGS,
1708 },
1709 {
1710 .ml_name = "set_named_ccache",
1711 .ml_meth = py_creds_set_named_ccache,
1712 .ml_flags = METH_VARARGS,
1713 .ml_doc = "S.set_named_ccache(krb5_ccache_name, obtained, lp) -> None\n"
1714 "Set credentials to KRB5 Credentials Cache (by name).",
1715 },
1716 {
1717 .ml_name = "set_gensec_features",
1718 .ml_meth = py_creds_set_gensec_features,
1719 .ml_flags = METH_VARARGS,
1720 },
1721 {
1722 .ml_name = "get_gensec_features",
1723 .ml_meth = py_creds_get_gensec_features,
1724 .ml_flags = METH_NOARGS,
1725 },
1726 {
1727 .ml_name = "get_forced_sasl_mech",
1728 .ml_meth = py_creds_get_forced_sasl_mech,
1729 .ml_flags = METH_NOARGS,
1730 .ml_doc = "S.get_forced_sasl_mech() -> SASL mechanism\nObtain forced SASL mechanism.",
1731 },
1732 {
1733 .ml_name = "set_forced_sasl_mech",
1734 .ml_meth = py_creds_set_forced_sasl_mech,
1735 .ml_flags = METH_VARARGS,
1736 .ml_doc = "S.set_forced_sasl_mech(name) -> None\n"
1737 "Set forced SASL mechanism.",
1738 },
1739 {
1740 .ml_name = "new_client_authenticator",
1741 .ml_meth = py_creds_new_client_authenticator,
1742 .ml_flags = METH_NOARGS,
1743 .ml_doc = "S.new_client_authenticator() -> Authenticator\n"
1744 "Get a new client NETLOGON_AUTHENTICATOR"},
1745 {
1746 .ml_name = "set_secure_channel_type",
1747 .ml_meth = py_creds_set_secure_channel_type,
1748 .ml_flags = METH_VARARGS,
1749 },
1750 {
1751 .ml_name = "get_secure_channel_type",
1752 .ml_meth = py_creds_get_secure_channel_type,
1753 .ml_flags = METH_VARARGS,
1754 },
1755 {
1756 .ml_name = "get_netlogon_creds",
1757 .ml_meth = py_creds_get_netlogon_creds,
1758 .ml_flags = METH_NOARGS,
1759 },
1760 {
1761 .ml_name = "set_netlogon_creds",
1762 .ml_meth = py_creds_set_netlogon_creds,
1763 .ml_flags = METH_VARARGS,
1764 },
1765 {
1766 .ml_name = "set_kerberos_salt_principal",
1767 .ml_meth = py_creds_set_kerberos_salt_principal,
1768 .ml_flags = METH_VARARGS,
1769 },
1770 {
1771 .ml_name = "get_kerberos_salt_principal",
1772 .ml_meth = py_creds_get_kerberos_salt_principal,
1773 .ml_flags = METH_VARARGS,
1774 },
1775 {
1776 .ml_name = "get_kerberos_key",
1777 .ml_meth = py_creds_get_kerberos_key,
1778 .ml_flags = METH_VARARGS,
1779 .ml_doc = "S.get_kerberos_key(enctype, [lp]) -> bytes\n"
1780 "Generate a Kerberos key using the current password and\n"
1781 "the salt on this credentials object",
1782 },
1783 {
1784 .ml_name = "get_old_kerberos_key",
1785 .ml_meth = py_creds_get_old_kerberos_key,
1786 .ml_flags = METH_VARARGS,
1787 .ml_doc = "S.get_old_kerberos_key(enctype, [lp]) -> bytes\n"
1788 "Generate a Kerberos key using the old (previous) password and\n"
1789 "the salt on this credentials object",
1790 },
1791 {
1792 .ml_name = "encrypt_netr_crypt_password",
1793 .ml_meth = py_creds_encrypt_netr_crypt_password,
1794 .ml_flags = METH_VARARGS,
1795 .ml_doc = "S.encrypt_netr_crypt_password(password) -> None\n"
1796 "Encrypt the supplied password using the session key and\n"
1797 "the negotiated encryption algorithm in place\n"
1798 "i.e. it overwrites the original data"},
1799 {
1800 .ml_name = "encrypt_netr_PasswordInfo",
1801 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
1802 py_creds_encrypt_netr_PasswordInfo),
1803 .ml_flags = METH_VARARGS | METH_KEYWORDS,
1804 .ml_doc = "S.encrypt_netr_PasswordInfo(info, "
1805 "auth_type, auth_level) -> None\n"
1806 "Encrypt the supplied password info using the session key and\n"
1807 "the negotiated encryption algorithm in place\n"
1808 "i.e. it overwrites the original data"
1809 },
1810 {
1811 .ml_name = "get_smb_signing",
1812 .ml_meth = py_creds_get_smb_signing,
1813 .ml_flags = METH_NOARGS,
1814 },
1815 {
1816 .ml_name = "set_smb_signing",
1817 .ml_meth = py_creds_set_smb_signing,
1818 .ml_flags = METH_VARARGS,
1819 },
1820 {
1821 .ml_name = "get_smb_ipc_signing",
1822 .ml_meth = py_creds_get_smb_ipc_signing,
1823 .ml_flags = METH_NOARGS,
1824 },
1825 {
1826 .ml_name = "set_smb_ipc_signing",
1827 .ml_meth = py_creds_set_smb_ipc_signing,
1828 .ml_flags = METH_VARARGS,
1829 },
1830 {
1831 .ml_name = "get_smb_encryption",
1832 .ml_meth = py_creds_get_smb_encryption,
1833 .ml_flags = METH_NOARGS,
1834 },
1835 {
1836 .ml_name = "set_smb_encryption",
1837 .ml_meth = py_creds_set_smb_encryption,
1838 .ml_flags = METH_VARARGS,
1839 },
1840 {
1841 .ml_name = "get_krb5_fast_armor_credentials",
1842 .ml_meth = py_creds_get_krb5_fast_armor_credentials,
1843 .ml_flags = METH_NOARGS,
1844 .ml_doc = "S.get_krb5_fast_armor_credentials() -> Credentials\n"
1845 "Get the Kerberos FAST credentials set on this credentials object"
1846 },
1847 {
1848 .ml_name = "set_krb5_fast_armor_credentials",
1849 .ml_meth = py_creds_set_krb5_fast_armor_credentials,
1850 .ml_flags = METH_VARARGS,
1851 .ml_doc = "S.set_krb5_fast_armor_credentials(credentials, required) -> None\n"
1852 "Set Kerberos FAST credentials for this credentials object, and if FAST armoring must be used."
1853 },
1854 {
1855 .ml_name = "get_krb5_require_fast_armor",
1856 .ml_meth = py_creds_get_krb5_require_fast_armor,
1857 .ml_flags = METH_NOARGS,
1858 .ml_doc = "S.get_krb5_fast_armor() -> bool\n"
1859 "Indicate if Kerberos FAST armor is required"
1860 },
1861 { .ml_name = NULL }
1862 };
1863
1864 PyTypeObject PyCredentials = {
1865 .tp_name = "credentials.Credentials",
1866 .tp_new = py_creds_new,
1867 .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
1868 .tp_methods = py_creds_methods,
1869 };
1870
1871 static PyObject *py_ccache_name(PyObject *self, PyObject *unused)
1872 {
1873 struct ccache_container *ccc = NULL;
1874 char *name = NULL;
1875 PyObject *py_name = NULL;
1876 int ret;
1877
1878 ccc = pytalloc_get_type(self, struct ccache_container);
1879
1880 ret = krb5_cc_get_full_name(ccc->smb_krb5_context->krb5_context,
1881 ccc->ccache, &name);
1882 if (ret == 0) {
1883 py_name = PyString_FromStringOrNULL(name);
1884 krb5_free_string(ccc->smb_krb5_context->krb5_context, name);
1885 } else {
1886 PyErr_SetString(PyExc_RuntimeError,
1887 "Failed to get ccache name");
1888 return NULL;
1889 }
1890 return py_name;
1891 }
1892
1893 static PyMethodDef py_ccache_container_methods[] = {
1894 { "get_name", py_ccache_name, METH_NOARGS,
1895 "S.get_name() -> name\nObtain KRB5 credentials cache name." },
1896 {0}
1897 };
1898
1899 PyTypeObject PyCredentialCacheContainer = {
1900 .tp_name = "credentials.CredentialCacheContainer",
1901 .tp_flags = Py_TPFLAGS_DEFAULT,
1902 .tp_methods = py_ccache_container_methods,
1903 };
1904
1905 static PyObject *py_netlogon_creds_kerberos_init(PyObject *module,
1906 PyObject *args,
1907 PyObject *kwargs)
1908 {
1909 const char * const kwnames[] = {
1910 "client_account",
1911 "client_computer_name",
1912 "secure_channel_type",
1913 "client_requested_flags",
1914 "negotiate_flags",
1915 NULL,
1916 };
1917 const char *client_account = NULL;
1918 const char *client_computer_name = NULL;
1919 unsigned short secure_channel_type = 0;
1920 unsigned int client_requested_flags = 0;
1921 unsigned int negotiate_flags = 0;
1922 struct netlogon_creds_CredentialState *ncreds = NULL;
1923 PyObject *py_ncreds = Py_None;
1924 bool ok;
1925
1926 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "ssHII",
1927 discard_const_p(char *, kwnames),
1928 &client_account,
1929 &client_computer_name,
1930 &secure_channel_type,
1931 &client_requested_flags,
1932 &negotiate_flags);
1933 if (!ok) {
1934 return NULL;
1935 }
1936
1937 ncreds = netlogon_creds_kerberos_init(NULL,
1938 client_account,
1939 client_computer_name,
1940 secure_channel_type,
1941 client_requested_flags,
1942 NULL, /* client_sid */
1943 negotiate_flags);
1944 if (ncreds == NULL) {
1945 PyErr_NoMemory();
1946 return NULL;
1947 }
1948
1949 py_ncreds = py_return_ndr_struct("samba.dcerpc.schannel",
1950 "netlogon_creds_CredentialState",
1951 ncreds,
1952 ncreds);
1953 if (py_ncreds == NULL) {
1954 TALLOC_FREE(ncreds);
1955 return NULL;
1956 }
1957
1958 return py_ncreds;
1959 }
1960
1961 static PyObject *py_netlogon_creds_random_challenge(PyObject *module,
1962 PyObject *unused)
1963 {
1964 struct netr_Credential *challenge = NULL;
1965 PyObject *py_challenge = Py_None;
1966
1967 challenge = talloc(NULL, struct netr_Credential);
1968 if (challenge == NULL) {
1969 PyErr_NoMemory();
1970 return NULL;
1971 }
1972 netlogon_creds_random_challenge(challenge);
1973
1974 py_challenge = py_return_ndr_struct("samba.dcerpc.netlogon",
1975 "netr_Credential",
1976 challenge,
1977 challenge);
1978 if (py_challenge == NULL) {
1979 TALLOC_FREE(challenge);
1980 return NULL;
1981 }
1982
1983 return py_challenge;
1984 }
1985
1986 static PyObject *py_netlogon_creds_client_init(PyObject *module,
1987 PyObject *args,
1988 PyObject *kwargs)
1989 {
1990 const char * const kwnames[] = {
1991 "client_account",
1992 "client_computer_name",
1993 "secure_channel_type",
1994 "client_challenge",
1995 "server_challenge",
1996 "machine_password",
1997 "client_requested_flags",
1998 "negotiate_flags",
1999 NULL,
2000 };
2001 const char *client_account = NULL;
2002 const char *client_computer_name = NULL;
2003 unsigned short secure_channel_type = 0;
2004 unsigned int client_requested_flags = 0;
2005 unsigned int negotiate_flags = 0;
2006 PyObject *py_client_challenge = Py_None;
2007 const struct netr_Credential *client_challenge = NULL;
2008 PyObject *py_server_challenge = Py_None;
2009 const struct netr_Credential *server_challenge = NULL;
2010 PyObject *py_machine_password = Py_None;
2011 const struct samr_Password *machine_password = NULL;
2012 struct netlogon_creds_CredentialState *ncreds = NULL;
2013 PyObject *py_ncreds = Py_None;
2014 struct netr_Credential *initial_credential = NULL;
2015 PyObject *py_initial_credential = Py_None;
2016 PyObject *py_result = Py_None;
2017 bool ok;
2018
2019 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "ssHOOOII",
2020 discard_const_p(char *, kwnames),
2021 &client_account,
2022 &client_computer_name,
2023 &secure_channel_type,
2024 &py_client_challenge,
2025 &py_server_challenge,
2026 &py_machine_password,
2027 &client_requested_flags,
2028 &negotiate_flags);
2029 if (!ok) {
2030 return NULL;
2031 }
2032
2033 ok = py_check_dcerpc_type(py_client_challenge,
2034 "samba.dcerpc.netlogon",
2035 "netr_Credential");
2036 if (!ok) {
2037 /* py_check_dcerpc_type sets TypeError */
2038 return NULL;
2039 }
2040
2041 client_challenge = pytalloc_get_type(py_client_challenge,
2042 struct netr_Credential);
2043 if (client_challenge == NULL) {
2044 /* pytalloc_get_type sets TypeError */
2045 return NULL;
2046 }
2047
2048 ok = py_check_dcerpc_type(py_server_challenge,
2049 "samba.dcerpc.netlogon",
2050 "netr_Credential");
2051 if (!ok) {
2052 /* py_check_dcerpc_type sets TypeError */
2053 return NULL;
2054 }
2055
2056 /*
2057 * we can't use pytalloc_get_type as
2058 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2059 * correct talloc name because of old
2060 * compilers.
2061 */
2062 server_challenge = pytalloc_get_ptr(py_server_challenge);
2063 if (server_challenge == NULL) {
2064 return NULL;
2065 }
2066
2067 ok = py_check_dcerpc_type(py_machine_password,
2068 "samba.dcerpc.samr",
2069 "Password");
2070 if (!ok) {
2071 /* py_check_dcerpc_type sets TypeError */
2072 return NULL;
2073 }
2074
2075 machine_password = pytalloc_get_type(py_machine_password,
2076 struct samr_Password);
2077 if (machine_password == NULL) {
2078 /* pytalloc_get_type sets TypeError */
2079 return NULL;
2080 }
2081
2082 initial_credential = talloc_zero(NULL, struct netr_Credential);
2083 if (initial_credential == NULL) {
2084 PyErr_NoMemory();
2085 return NULL;
2086 }
2087
2088 ncreds = netlogon_creds_client_init(NULL,
2089 client_account,
2090 client_computer_name,
2091 secure_channel_type,
2092 client_challenge,
2093 server_challenge,
2094 machine_password,
2095 initial_credential,
2096 client_requested_flags,
2097 negotiate_flags);
2098 if (ncreds == NULL) {
2099 TALLOC_FREE(initial_credential);
2100 PyErr_NoMemory();
2101 return NULL;
2102 }
2103
2104 py_ncreds = py_return_ndr_struct("samba.dcerpc.schannel",
2105 "netlogon_creds_CredentialState",
2106 ncreds,
2107 ncreds);
2108 if (py_ncreds == NULL) {
2109 TALLOC_FREE(initial_credential);
2110 TALLOC_FREE(ncreds);
2111 return NULL;
2112 }
2113
2114 py_initial_credential = py_return_ndr_struct("samba.dcerpc.netlogon",
2115 "netr_Credential",
2116 initial_credential,
2117 initial_credential);
2118 if (py_ncreds == NULL) {
2119 Py_DECREF(py_ncreds);
2120 TALLOC_FREE(initial_credential);
2121 return NULL;
2122 }
2123
2124 py_result = Py_BuildValue("(OO)",
2125 py_ncreds,
2126 py_initial_credential);
2127 if (py_result == NULL) {
2128 Py_DECREF(py_ncreds);
2129 Py_DECREF(py_initial_credential);
2130 return NULL;
2131 }
2132
2133 return py_result;
2134 }
2135
2136 static PyObject *py_netlogon_creds_client_update(PyObject *module,
2137 PyObject *args,
2138 PyObject *kwargs)
2139 {
2140 const char * const kwnames[] = {
2141 "netlogon_creds",
2142 "negotiated_flags",
2143 "client_rid",
2144 NULL,
2145 };
2146 PyObject *py_ncreds = Py_None;
2147 struct netlogon_creds_CredentialState *ncreds = NULL;
2148 unsigned int negotiated_flags = 0;
2149 unsigned int client_rid = 0;
2150 bool ok;
2151
2152 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OII",
2153 discard_const_p(char *, kwnames),
2154 &py_ncreds,
2155 &negotiated_flags,
2156 &client_rid);
2157 if (!ok) {
2158 return NULL;
2159 }
2160
2161 ok = py_check_dcerpc_type(py_ncreds,
2162 "samba.dcerpc.schannel",
2163 "netlogon_creds_CredentialState");
2164 if (!ok) {
2165 /* py_check_dcerpc_type sets TypeError */
2166 return NULL;
2167 }
2168
2169 ncreds = pytalloc_get_type(py_ncreds,
2170 struct netlogon_creds_CredentialState);
2171 if (ncreds == NULL) {
2172 /* pytalloc_get_type sets TypeError */
2173 return NULL;
2174 }
2175
2176 ncreds->negotiate_flags = negotiated_flags;
2177 ncreds->client_sid.sub_auths[0] = client_rid;
2178
2179 Py_RETURN_NONE;
2180 }
2181
2182 static PyObject *py_netlogon_creds_client_authenticator(PyObject *module,
2183 PyObject *args,
2184 PyObject *kwargs)
2185 {
2186 const char * const kwnames[] = {
2187 "netlogon_creds",
2188 NULL,
2189 };
2190 PyObject *py_ncreds = Py_None;
2191 struct netlogon_creds_CredentialState *ncreds = NULL;
2192 struct netlogon_creds_CredentialState _ncreds;
2193 struct netr_Authenticator _auth;
2194 struct netr_Authenticator *auth = NULL;
2195 PyObject *py_auth = Py_None;
2196 NTSTATUS status;
2197 bool ok;
2198
2199 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "O",
2200 discard_const_p(char *, kwnames),
2201 &py_ncreds);
2202 if (!ok) {
2203 return NULL;
2204 }
2205
2206 ok = py_check_dcerpc_type(py_ncreds,
2207 "samba.dcerpc.schannel",
2208 "netlogon_creds_CredentialState");
2209 if (!ok) {
2210 /* py_check_dcerpc_type sets TypeError */
2211 return NULL;
2212 }
2213
2214 ncreds = pytalloc_get_type(py_ncreds,
2215 struct netlogon_creds_CredentialState);
2216 if (ncreds == NULL) {
2217 /* pytalloc_get_type sets TypeError */
2218 return NULL;
2219 }
2220
2221 _ncreds = *ncreds;
2222 status = netlogon_creds_client_authenticator(&_ncreds, &_auth);
2223 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2224
2225 auth = talloc(NULL, struct netr_Authenticator);
2226 if (auth == NULL) {
2227 PyErr_NoMemory();
2228 return NULL;
2229 }
2230 *auth = _auth;
2231
2232 py_auth = py_return_ndr_struct("samba.dcerpc.netlogon",
2233 "netr_Authenticator",
2234 auth,
2235 auth);
2236 if (py_auth == NULL) {
2237 TALLOC_FREE(auth);
2238 return NULL;
2239 }
2240
2241 *ncreds = _ncreds;
2242 return py_auth;
2243 }
2244
2245 static PyObject *py_netlogon_creds_client_verify(PyObject *module,
2246 PyObject *args,
2247 PyObject *kwargs)
2248 {
2249 const char * const kwnames[] = {
2250 "netlogon_creds",
2251 "received_credentials",
2252 "auth_type",
2253 "auth_level",
2254 NULL,
2255 };
2256 PyObject *py_ncreds = Py_None;
2257 struct netlogon_creds_CredentialState *ncreds = NULL;
2258 PyObject *py_rcreds = Py_None;
2259 const struct netr_Credential *rcreds = NULL;
2260 uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
2261 enum dcerpc_AuthType auth_type;
2262 uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
2263 enum dcerpc_AuthLevel auth_level;
2264 NTSTATUS status;
2265 bool ok;
2266
2267 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OObb",
2268 discard_const_p(char *, kwnames),
2269 &py_ncreds,
2270 &py_rcreds,
2271 &_auth_type,
2272 &_auth_level);
2273 if (!ok) {
2274 return NULL;
2275 }
2276 auth_type = _auth_type;
2277 auth_level = _auth_level;
2278
2279 ok = py_check_dcerpc_type(py_ncreds,
2280 "samba.dcerpc.schannel",
2281 "netlogon_creds_CredentialState");
2282 if (!ok) {
2283 /* py_check_dcerpc_type sets TypeError */
2284 return NULL;
2285 }
2286
2287 ncreds = pytalloc_get_type(py_ncreds,
2288 struct netlogon_creds_CredentialState);
2289 if (ncreds == NULL) {
2290 /* pytalloc_get_type sets TypeError */
2291 return NULL;
2292 }
2293
2294 ok = py_check_dcerpc_type(py_rcreds,
2295 "samba.dcerpc.netlogon",
2296 "netr_Credential");
2297 if (!ok) {
2298 /* py_check_dcerpc_type sets TypeError */
2299 return NULL;
2300 }
2301
2302 /*
2303 * we can't use pytalloc_get_type as
2304 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2305 * correct talloc name because of old
2306 * compilers.
2307 */
2308 rcreds = pytalloc_get_ptr(py_rcreds);
2309 if (rcreds == NULL) {
2310 return NULL;
2311 }
2312
2313 status = netlogon_creds_client_verify(ncreds,
2314 rcreds,
2315 auth_type,
2316 auth_level);
2317 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2318
2319 Py_RETURN_NONE;
2320 }
2321
2322 static PyObject *py_netlogon_creds_encrypt_netr_LogonLevel(PyObject *module,
2323 PyObject *args,
2324 PyObject *kwargs)
2325 {
2326 const char * const kwnames[] = {
2327 "netlogon_creds",
2328 "level",
2329 "info",
2330 "auth_type",
2331 "auth_level",
2332 NULL,
2333 };
2334 PyObject *py_ncreds = Py_None;
2335 struct netlogon_creds_CredentialState *ncreds = NULL;
2336 uint8_t _level = 0;
2337 enum netr_LogonInfoClass level = NetlogonInteractiveInformation;
2338 PyObject *py_info = Py_None;
2339 union netr_LogonLevel logon = { .password = NULL, };
2340 const void *info_ptr = NULL;
2341 uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
2342 enum dcerpc_AuthType auth_type;
2343 uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
2344 enum dcerpc_AuthLevel auth_level;
2345 NTSTATUS status;
2346 bool ok;
2347
2348 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "ObObb",
2349 discard_const_p(char *, kwnames),
2350 &py_ncreds,
2351 &_level,
2352 &py_info,
2353 &_auth_type,
2354 &_auth_level);
2355 if (!ok) {
2356 return NULL;
2357 }
2358 level = _level;
2359 auth_type = _auth_type;
2360 auth_level = _auth_level;
2361
2362 ok = py_check_dcerpc_type(py_ncreds,
2363 "samba.dcerpc.schannel",
2364 "netlogon_creds_CredentialState");
2365 if (!ok) {
2366 /* py_check_dcerpc_type sets TypeError */
2367 return NULL;
2368 }
2369
2370 ncreds = pytalloc_get_type(py_ncreds,
2371 struct netlogon_creds_CredentialState);
2372 if (ncreds == NULL) {
2373 /* pytalloc_get_type sets TypeError */
2374 return NULL;
2375 }
2376
2377 switch (level) {
2378 case NetlogonInteractiveInformation:
2379 case NetlogonInteractiveTransitiveInformation:
2380 case NetlogonServiceInformation:
2381 case NetlogonServiceTransitiveInformation:
2382 ok = py_check_dcerpc_type(py_info,
2383 "samba.dcerpc.netlogon",
2384 "netr_PasswordInfo");
2385 if (!ok) {
2386 /* py_check_dcerpc_type sets TypeError */
2387 return NULL;
2388 }
2389
2390 logon.password = pytalloc_get_type(py_info,
2391 struct netr_PasswordInfo);
2392 if (logon.password == NULL) {
2393 /* pytalloc_get_type sets TypeError */
2394 return NULL;
2395 }
2396 info_ptr = logon.password;
2397 break;
2398
2399 case NetlogonNetworkInformation:
2400 case NetlogonNetworkTransitiveInformation:
2401 ok = py_check_dcerpc_type(py_info,
2402 "samba.dcerpc.netlogon",
2403 "netr_NetworkInfo");
2404 if (!ok) {
2405 /* py_check_dcerpc_type sets TypeError */
2406 return NULL;
2407 }
2408
2409 logon.network = pytalloc_get_type(py_info,
2410 struct netr_NetworkInfo);
2411 if (logon.network == NULL) {
2412 /* pytalloc_get_type sets TypeError */
2413 return NULL;
2414 }
2415 info_ptr = logon.network;
2416 break;
2417
2418 case NetlogonGenericInformation:
2419 ok = py_check_dcerpc_type(py_info,
2420 "samba.dcerpc.netlogon",
2421 "netr_GenericInfo");
2422 if (!ok) {
2423 /* py_check_dcerpc_type sets TypeError */
2424 return NULL;
2425 }
2426
2427 logon.generic = pytalloc_get_type(py_info,
2428 struct netr_GenericInfo);
2429 if (logon.generic == NULL) {
2430 /* pytalloc_get_type sets TypeError */
2431 return NULL;
2432 }
2433 info_ptr = logon.generic;
2434 break;
2435
2436 case NetlogonTicketLogonInformation:
2437 ok = py_check_dcerpc_type(py_info,
2438 "samba.dcerpc.netlogon",
2439 "netr_TicketLogonInfo");
2440 if (!ok) {
2441 /* py_check_dcerpc_type sets TypeError */
2442 return NULL;
2443 }
2444
2445 logon.ticket = pytalloc_get_type(py_info,
2446 struct netr_TicketLogonInfo);
2447 if (logon.ticket == NULL) {
2448 /* pytalloc_get_type sets TypeError */
2449 return NULL;
2450 }
2451 info_ptr = logon.ticket;
2452 break;
2453 }
2454
2455 if (info_ptr == NULL) {
2456 PyErr_SetString(PyExc_ValueError,
2457 "Invalid netr_LogonInfoClass value");
2458 return NULL;
2459 }
2460
2461 status = netlogon_creds_encrypt_samlogon_logon(ncreds,
2462 level,
2463 &logon,
2464 auth_type,
2465 auth_level);
2466 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2467
2468 Py_RETURN_NONE;
2469 }
2470
2471 static PyObject *py_netlogon_creds_decrypt_netr_Validation(PyObject *module,
2472 PyObject *args,
2473 PyObject *kwargs)
2474 {
2475 const char * const kwnames[] = {
2476 "netlogon_creds",
2477 "level",
2478 "validation",
2479 "auth_type",
2480 "auth_level",
2481 NULL,
2482 };
2483 PyObject *py_ncreds = Py_None;
2484 struct netlogon_creds_CredentialState *ncreds = NULL;
2485 uint8_t _level = 0;
2486 enum netr_ValidationInfoClass level = NetlogonValidationUasInfo;
2487 PyObject *py_validation = Py_None;
2488 union netr_Validation validation = { .generic = NULL, };
2489 const void *validation_ptr = NULL;
2490 uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
2491 enum dcerpc_AuthType auth_type;
2492 uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
2493 enum dcerpc_AuthLevel auth_level;
2494 NTSTATUS status;
2495 bool ok;
2496
2497 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "ObObb",
2498 discard_const_p(char *, kwnames),
2499 &py_ncreds,
2500 &_level,
2501 &py_validation,
2502 &_auth_type,
2503 &_auth_level);
2504 if (!ok) {
2505 return NULL;
2506 }
2507 level = _level;
2508 auth_type = _auth_type;
2509 auth_level = _auth_level;
2510
2511 ok = py_check_dcerpc_type(py_ncreds,
2512 "samba.dcerpc.schannel",
2513 "netlogon_creds_CredentialState");
2514 if (!ok) {
2515 /* py_check_dcerpc_type sets TypeError */
2516 return NULL;
2517 }
2518
2519 ncreds = pytalloc_get_type(py_ncreds,
2520 struct netlogon_creds_CredentialState);
2521 if (ncreds == NULL) {
2522 /* pytalloc_get_type sets TypeError */
2523 return NULL;
2524 }
2525
2526 switch (level) {
2527 case NetlogonValidationUasInfo:
2528 break;
2529
2530 case NetlogonValidationSamInfo:
2531 ok = py_check_dcerpc_type(py_validation,
2532 "samba.dcerpc.netlogon",
2533 "netr_SamInfo2");
2534 if (!ok) {
2535 /* py_check_dcerpc_type sets TypeError */
2536 return NULL;
2537 }
2538
2539 /*
2540 * we can't use pytalloc_get_type as
2541 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2542 * correct talloc name because of old
2543 * compilers.
2544 */
2545 validation.sam2 = pytalloc_get_ptr(py_validation);
2546 if (validation.sam2 == NULL) {
2547 return NULL;
2548 }
2549 validation_ptr = validation.sam2;
2550 break;
2551
2552 case NetlogonValidationSamInfo2:
2553 ok = py_check_dcerpc_type(py_validation,
2554 "samba.dcerpc.netlogon",
2555 "netr_SamInfo3");
2556 if (!ok) {
2557 /* py_check_dcerpc_type sets TypeError */
2558 return NULL;
2559 }
2560
2561 /*
2562 * we can't use pytalloc_get_type as
2563 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2564 * correct talloc name because of old
2565 * compilers.
2566 */
2567 validation.sam3 = pytalloc_get_ptr(py_validation);
2568 if (validation.sam3 == NULL) {
2569 return NULL;
2570 }
2571 validation_ptr = validation.sam3;
2572 break;
2573
2574 case NetlogonValidationGenericInfo2:
2575 ok = py_check_dcerpc_type(py_validation,
2576 "samba.dcerpc.netlogon",
2577 "netr_GenericInfo2");
2578 if (!ok) {
2579 /* py_check_dcerpc_type sets TypeError */
2580 return NULL;
2581 }
2582
2583 /*
2584 * we can't use pytalloc_get_type as
2585 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2586 * correct talloc name because of old
2587 * compilers.
2588 */
2589 validation.generic = pytalloc_get_ptr(py_validation);
2590 if (validation.generic == NULL) {
2591 return NULL;
2592 }
2593 validation_ptr = validation.generic;
2594 break;
2595
2596 case NetlogonValidationSamInfo4:
2597 ok = py_check_dcerpc_type(py_validation,
2598 "samba.dcerpc.netlogon",
2599 "netr_SamInfo6");
2600 if (!ok) {
2601 /* py_check_dcerpc_type sets TypeError */
2602 return NULL;
2603 }
2604
2605 /*
2606 * we can't use pytalloc_get_type as
2607 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2608 * correct talloc name because of old
2609 * compilers.
2610 */
2611 validation.sam6 = pytalloc_get_ptr(py_validation);
2612 if (validation.sam6 == NULL) {
2613 return NULL;
2614 }
2615 validation_ptr = validation.sam6;
2616 break;
2617
2618 case NetlogonValidationTicketLogon:
2619 ok = py_check_dcerpc_type(py_validation,
2620 "samba.dcerpc.netlogon",
2621 "netr_ValidationTicketLogon");
2622 if (!ok) {
2623 /* py_check_dcerpc_type sets TypeError */
2624 return NULL;
2625 }
2626
2627 /*
2628 * we can't use pytalloc_get_type as
2629 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2630 * correct talloc name because of old
2631 * compilers.
2632 */
2633 validation.ticket = pytalloc_get_ptr(py_validation);
2634 if (validation.ticket == NULL) {
2635 return NULL;
2636 }
2637 validation_ptr = validation.ticket;
2638 break;
2639
2640 }
2641
2642 if (validation_ptr == NULL) {
2643 PyErr_SetString(PyExc_RuntimeError,
2644 "Unexpected netr_Validation value");
2645 return NULL;
2646 }
2647
2648 status = netlogon_creds_decrypt_samlogon_validation(ncreds,
2649 level,
2650 &validation,
2651 auth_type,
2652 auth_level);
2653 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2654
2655 Py_RETURN_NONE;
2656 }
2657
2658 static PyObject *py_netlogon_creds_decrypt_samr_Password(PyObject *module,
2659 PyObject *args,
2660 PyObject *kwargs)
2661 {
2662 const char * const kwnames[] = {
2663 "netlogon_creds",
2664 "pwd",
2665 "auth_type",
2666 "auth_level",
2667 NULL,
2668 };
2669 PyObject *py_ncreds = Py_None;
2670 struct netlogon_creds_CredentialState *ncreds = NULL;
2671 PyObject *py_pwd = Py_None;
2672 struct samr_Password *pwd = NULL;
2673 uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
2674 enum dcerpc_AuthType auth_type;
2675 uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
2676 enum dcerpc_AuthLevel auth_level;
2677 NTSTATUS status;
2678 bool ok;
2679
2680 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OObb",
2681 discard_const_p(char *, kwnames),
2682 &py_ncreds,
2683 &py_pwd,
2684 &_auth_type,
2685 &_auth_level);
2686 if (!ok) {
2687 return NULL;
2688 }
2689 auth_type = _auth_type;
2690 auth_level = _auth_level;
2691
2692 ok = py_check_dcerpc_type(py_ncreds,
2693 "samba.dcerpc.schannel",
2694 "netlogon_creds_CredentialState");
2695 if (!ok) {
2696 /* py_check_dcerpc_type sets TypeError */
2697 return NULL;
2698 }
2699
2700 ncreds = pytalloc_get_type(py_ncreds,
2701 struct netlogon_creds_CredentialState);
2702 if (ncreds == NULL) {
2703 /* pytalloc_get_type sets TypeError */
2704 return NULL;
2705 }
2706
2707 ok = py_check_dcerpc_type(py_pwd,
2708 "samba.dcerpc.samr",
2709 "Password");
2710 if (!ok) {
2711 /* py_check_dcerpc_type sets TypeError */
2712 return NULL;
2713 }
2714
2715 /*
2716 * we can't use pytalloc_get_type as
2717 * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
2718 * correct talloc name because of old
2719 * compilers.
2720 */
2721 pwd = pytalloc_get_ptr(py_pwd);
2722 if (pwd == NULL) {
2723 /* pytalloc_get_type sets TypeError */
2724 return NULL;
2725 }
2726
2727 status = netlogon_creds_decrypt_samr_Password(ncreds,
2728 pwd,
2729 auth_type,
2730 auth_level);
2731 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2732
2733 Py_RETURN_NONE;
2734 }
2735
2736 static PyObject *py_netlogon_creds_encrypt_samr_Password(PyObject *module,
2737 PyObject *args,
2738 PyObject *kwargs)
2739 {
2740 const char * const kwnames[] = {
2741 "netlogon_creds",
2742 "pwd",
2743 "auth_type",
2744 "auth_level",
2745 NULL,
2746 };
2747 PyObject *py_ncreds = Py_None;
2748 struct netlogon_creds_CredentialState *ncreds = NULL;
2749 PyObject *py_pwd = Py_None;
2750 struct samr_Password *pwd = NULL;
2751 uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
2752 enum dcerpc_AuthType auth_type;
2753 uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
2754 enum dcerpc_AuthLevel auth_level;
2755 NTSTATUS status;
2756 bool ok;
2757
2758 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OObb",
2759 discard_const_p(char *, kwnames),
2760 &py_ncreds,
2761 &py_pwd,
2762 &_auth_type,
2763 &_auth_level);
2764 if (!ok) {
2765 return NULL;
2766 }
2767 auth_type = _auth_type;
2768 auth_level = _auth_level;
2769
2770 ok = py_check_dcerpc_type(py_ncreds,
2771 "samba.dcerpc.schannel",
2772 "netlogon_creds_CredentialState");
2773 if (!ok) {
2774 /* py_check_dcerpc_type sets TypeError */
2775 return NULL;
2776 }
2777
2778 ncreds = pytalloc_get_type(py_ncreds,
2779 struct netlogon_creds_CredentialState);
2780 if (ncreds == NULL) {
2781 /* pytalloc_get_type sets TypeError */
2782 return NULL;
2783 }
2784
2785 ok = py_check_dcerpc_type(py_pwd,
2786 "samba.dcerpc.samr",
2787 "Password");
2788 if (!ok) {
2789 /* py_check_dcerpc_type sets TypeError */
2790 return NULL;
2791 }
2792
2793 pwd = pytalloc_get_type(py_pwd,
2794 struct samr_Password);
2795 if (pwd == NULL) {
2796 /* pytalloc_get_type sets TypeError */
2797 return NULL;
2798 }
2799
2800 status = netlogon_creds_encrypt_samr_Password(ncreds,
2801 pwd,
2802 auth_type,
2803 auth_level);
2804 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2805
2806 Py_RETURN_NONE;
2807 }
2808
2809 static PyObject *py_netlogon_creds_encrypt_netr_CryptPassword(PyObject *module,
2810 PyObject *args,
2811 PyObject *kwargs)
2812 {
2813 const char * const kwnames[] = {
2814 "netlogon_creds",
2815 "pwd",
2816 "auth_type",
2817 "auth_level",
2818 NULL,
2819 };
2820 PyObject *py_ncreds = Py_None;
2821 struct netlogon_creds_CredentialState *ncreds = NULL;
2822 PyObject *py_pwd = Py_None;
2823 struct netr_CryptPassword *pwd = NULL;
2824 struct samr_CryptPassword spwd;
2825 uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
2826 enum dcerpc_AuthType auth_type;
2827 uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
2828 enum dcerpc_AuthLevel auth_level;
2829 NTSTATUS status;
2830 bool ok;
2831
2832 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OObb",
2833 discard_const_p(char *, kwnames),
2834 &py_ncreds,
2835 &py_pwd,
2836 &_auth_type,
2837 &_auth_level);
2838 if (!ok) {
2839 return NULL;
2840 }
2841 auth_type = _auth_type;
2842 auth_level = _auth_level;
2843
2844 ok = py_check_dcerpc_type(py_ncreds,
2845 "samba.dcerpc.schannel",
2846 "netlogon_creds_CredentialState");
2847 if (!ok) {
2848 /* py_check_dcerpc_type sets TypeError */
2849 return NULL;
2850 }
2851
2852 ncreds = pytalloc_get_type(py_ncreds,
2853 struct netlogon_creds_CredentialState);
2854 if (ncreds == NULL) {
2855 /* pytalloc_get_type sets TypeError */
2856 return NULL;
2857 }
2858
2859 ok = py_check_dcerpc_type(py_pwd,
2860 "samba.dcerpc.netlogon",
2861 "netr_CryptPassword");
2862 if (!ok) {
2863 /* py_check_dcerpc_type sets TypeError */
2864 return NULL;
2865 }
2866
2867 pwd = pytalloc_get_type(py_pwd,
2868 struct netr_CryptPassword);
2869 if (pwd == NULL) {
2870 /* pytalloc_get_type sets TypeError */
2871 return NULL;
2872 }
2873
2874 memcpy(spwd.data, pwd->data, 512);
2875 PUSH_LE_U32(spwd.data, 512, pwd->length);
2876
2877 status = netlogon_creds_encrypt_samr_CryptPassword(ncreds,
2878 &spwd,
2879 auth_type,
2880 auth_level);
2881
2882 memcpy(pwd->data, spwd.data, 512);
2883 pwd->length = PULL_LE_U32(spwd.data, 512);
2884 ZERO_STRUCT(spwd);
2885
2886 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2887
2888 Py_RETURN_NONE;
2889 }
2890
2891 static PyObject *py_netlogon_creds_encrypt_SendToSam(PyObject *module,
2892 PyObject *args,
2893 PyObject *kwargs)
2894 {
2895 const char * const kwnames[] = {
2896 "netlogon_creds",
2897 "opaque_buffer",
2898 "auth_type",
2899 "auth_level",
2900 NULL,
2901 };
2902 PyObject *py_ncreds = Py_None;
2903 struct netlogon_creds_CredentialState *ncreds = NULL;
2904 PyObject *py_opaque = Py_None;
2905 uint8_t *opaque_data = NULL;
2906 size_t opaque_length = 0;
2907 uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
2908 enum dcerpc_AuthType auth_type;
2909 uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
2910 enum dcerpc_AuthLevel auth_level;
2911 NTSTATUS status;
2912 bool ok;
2913
2914 ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OSbb",
2915 discard_const_p(char *, kwnames),
2916 &py_ncreds,
2917 &py_opaque,
2918 &_auth_type,
2919 &_auth_level);
2920 if (!ok) {
2921 return NULL;
2922 }
2923 auth_type = _auth_type;
2924 auth_level = _auth_level;
2925
2926 ok = py_check_dcerpc_type(py_ncreds,
2927 "samba.dcerpc.schannel",
2928 "netlogon_creds_CredentialState");
2929 if (!ok) {
2930 /* py_check_dcerpc_type sets TypeError */
2931 return NULL;
2932 }
2933
2934 ncreds = pytalloc_get_type(py_ncreds,
2935 struct netlogon_creds_CredentialState);
2936 if (ncreds == NULL) {
2937 /* pytalloc_get_type sets TypeError */
2938 return NULL;
2939 }
2940
2941 opaque_data = (uint8_t *)PyBytes_AsString(py_opaque);
2942 opaque_length = PyBytes_Size(py_opaque);
2943
2944 status = netlogon_creds_encrypt_SendToSam(ncreds,
2945 opaque_data,
2946 opaque_length,
2947 auth_type,
2948 auth_level);
2949 PyErr_NTSTATUS_IS_ERR_RAISE(status);
2950
2951 Py_RETURN_NONE;
2952 }
2953
2954 static PyMethodDef py_module_methods[] = {
2955 {
2956 .ml_name = "netlogon_creds_kerberos_init",
2957 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
2958 py_netlogon_creds_kerberos_init),
2959 .ml_flags = METH_VARARGS | METH_KEYWORDS,
2960 .ml_doc = "credentials.netlogon_creds_kerberos_init("
2961 "client_account, client_computer_name,"
2962 "secure_channel_type, "
2963 "client_requested_flags, negotiate_flags)"
2964 "-> netlogon_creds_CredentialState\n"
2965 "Create a new state for netr_ServerAuthenticateKerberos()",
2966 },
2967 {
2968 .ml_name = "netlogon_creds_random_challenge",
2969 .ml_meth = py_netlogon_creds_random_challenge,
2970 .ml_flags = METH_NOARGS,
2971 .ml_doc = "credentials.netlogon_creds_random_challenge()"
2972 "-> netr_Credential\n"
2973 "Create a new random netr_Credential",
2974 },
2975 {
2976 .ml_name = "netlogon_creds_client_init",
2977 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
2978 py_netlogon_creds_client_init),
2979 .ml_flags = METH_VARARGS | METH_KEYWORDS,
2980 .ml_doc = "credentials.netlogon_creds_client_init("
2981 "client_account, client_computer_name,"
2982 "secure_channel_type, "
2983 "client_challenge, server_challenge, "
2984 "machine_password, "
2985 "client_requested_flags, negotiate_flags)"
2986 "-> (netlogon_creds_CredentialState, initial_credential)\n"
2987 "Create a new state for netr_ServerAuthenticate3()",
2988 },
2989 {
2990 .ml_name = "netlogon_creds_client_update",
2991 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
2992 py_netlogon_creds_client_update),
2993 .ml_flags = METH_VARARGS | METH_KEYWORDS,
2994 .ml_doc = "credentials.netlogon_creds_client_update("
2995 "netlogon_creds, negotiated_flags, client_rid)"
2996 "-> None\n"
2997 "Update the negotiated flags and client rid",
2998 },
2999 {
3000 .ml_name = "netlogon_creds_client_authenticator",
3001 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3002 py_netlogon_creds_client_authenticator),
3003 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3004 .ml_doc = "credentials.netlogon_creds_client_authenticator(netlogon_creds) -> Authenticator\n"
3005 "Get a new client NETLOGON_AUTHENTICATOR"
3006 },
3007 {
3008 .ml_name = "netlogon_creds_client_verify",
3009 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3010 py_netlogon_creds_client_verify),
3011 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3012 .ml_doc = "credentials.py_netlogon_creds_client_verify(netlogon_creds, "
3013 "received_credentials, auth_type, auth_level) -> None\n"
3014 "Verify the NETLOGON_AUTHENTICATOR.credentials from a server"
3015 },
3016 {
3017 .ml_name = "netlogon_creds_encrypt_netr_LogonLevel",
3018 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3019 py_netlogon_creds_encrypt_netr_LogonLevel),
3020 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3021 .ml_doc = "credentials.netlogon_creds_encrypt_netr_LogonLevel(netlogon_creds, "
3022 "level, info, auth_type, auth_level) -> None\n"
3023 "Encrypt the supplied logon info using the session key and\n"
3024 "the negotiated encryption algorithm in place\n"
3025 "i.e. it overwrites the original data",
3026 },
3027 {
3028 .ml_name = "netlogon_creds_decrypt_netr_Validation",
3029 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3030 py_netlogon_creds_decrypt_netr_Validation),
3031 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3032 .ml_doc = "credentials.netlogon_creds_decrypt_netr_Validation(netlogon_creds, "
3033 "level, validation, auth_type, auth_level) -> None\n"
3034 "Encrypt the supplied validation info using the session key and\n"
3035 "the negotiated encryption algorithm in place\n"
3036 "i.e. it overwrites the original data",
3037 },
3038 {
3039 .ml_name = "netlogon_creds_decrypt_samr_Password",
3040 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3041 py_netlogon_creds_decrypt_samr_Password),
3042 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3043 .ml_doc = "credentials.netlogon_creds_decrypt_samr_Password(netlogon_creds, "
3044 "pwd, auth_type, auth_level) -> None\n"
3045 "Encrypt the supplied samr_Password using the session key and\n"
3046 "the negotiated encryption algorithm in place\n"
3047 "i.e. it overwrites the original data",
3048 },
3049 {
3050 .ml_name = "netlogon_creds_encrypt_samr_Password",
3051 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3052 py_netlogon_creds_encrypt_samr_Password),
3053 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3054 .ml_doc = "credentials.netlogon_creds_encrypt_samr_Password(netlogon_creds, "
3055 "pwd, auth_type, auth_level) -> None\n"
3056 "Encrypt the supplied samr_Password using the session key and\n"
3057 "the negotiated encryption algorithm in place\n"
3058 "i.e. it overwrites the original data",
3059 },
3060 {
3061 .ml_name = "netlogon_creds_encrypt_netr_CryptPassword",
3062 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3063 py_netlogon_creds_encrypt_netr_CryptPassword),
3064 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3065 .ml_doc = "credentials.netlogon_creds_encrypt_netr_CryptPassword(netlogon_creds, "
3066 "pwd, auth_type, auth_level) -> None\n"
3067 "Encrypt the supplied netr_CryptPassword using the session key and\n"
3068 "the negotiated encryption algorithm in place\n"
3069 "i.e. it overwrites the original data",
3070 },
3071 {
3072 .ml_name = "netlogon_creds_encrypt_SendToSam",
3073 .ml_meth = PY_DISCARD_FUNC_SIG(PyCFunction,
3074 py_netlogon_creds_encrypt_SendToSam),
3075 .ml_flags = METH_VARARGS | METH_KEYWORDS,
3076 .ml_doc = "credentials.netlogon_creds_encrypt_SendToSam(netlogon_creds, "
3077 "opaque_buffer, auth_type, auth_level) -> None\n"
3078 "Encrypt the supplied opaque_buffer using the session key and\n"
3079 "the negotiated encryption algorithm in place\n"
3080 "i.e. it overwrites the original data",
3081 },
3082 { .ml_name = NULL }
3083 };
3084
3085 static struct PyModuleDef moduledef = {
3086 PyModuleDef_HEAD_INIT,
3087 .m_name = "credentials",
3088 .m_doc = "Credentials management.",
3089 .m_size = -1,
3090 .m_methods = py_module_methods,
3091 };
3092
3093 MODULE_INIT_FUNC(credentials)
3094 {
3095 PyObject *m;
3096 if (pytalloc_BaseObject_PyType_Ready(&PyCredentials) < 0)
3097 return NULL;
3098
3099 if (pytalloc_BaseObject_PyType_Ready(&PyCredentialCacheContainer) < 0)
3100 return NULL;
3101
3102 m = PyModule_Create(&moduledef);
3103 if (m == NULL)
3104 return NULL;
3105
3106 PyModule_AddObject(m, "UNINITIALISED", PyLong_FromLong(CRED_UNINITIALISED));
3107 PyModule_AddObject(m, "SMB_CONF", PyLong_FromLong(CRED_SMB_CONF));
3108 PyModule_AddObject(m, "CALLBACK", PyLong_FromLong(CRED_CALLBACK));
3109 PyModule_AddObject(m, "GUESS_ENV", PyLong_FromLong(CRED_GUESS_ENV));
3110 PyModule_AddObject(m, "GUESS_FILE", PyLong_FromLong(CRED_GUESS_FILE));
3111 PyModule_AddObject(m, "CALLBACK_RESULT", PyLong_FromLong(CRED_CALLBACK_RESULT));
3112 PyModule_AddObject(m, "SPECIFIED", PyLong_FromLong(CRED_SPECIFIED));
3113
3114 PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DESIRED));
3115 PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DISABLED));
3116 PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_REQUIRED));
3117
3118 PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE", PyLong_FromLong(CRED_AUTO_KRB_FORWARDABLE));
3119 PyModule_AddObject(m, "NO_KRB_FORWARDABLE", PyLong_FromLong(CRED_NO_KRB_FORWARDABLE));
3120 PyModule_AddObject(m, "FORCE_KRB_FORWARDABLE", PyLong_FromLong(CRED_FORCE_KRB_FORWARDABLE));
3121 PyModule_AddObject(m, "CLI_CRED_NTLM2", PyLong_FromLong(CLI_CRED_NTLM2));
3122 PyModule_AddObject(m, "CLI_CRED_NTLMv2_AUTH", PyLong_FromLong(CLI_CRED_NTLMv2_AUTH));
3123 PyModule_AddObject(m, "CLI_CRED_LANMAN_AUTH", PyLong_FromLong(CLI_CRED_LANMAN_AUTH));
3124 PyModule_AddObject(m, "CLI_CRED_NTLM_AUTH", PyLong_FromLong(CLI_CRED_NTLM_AUTH));
3125 PyModule_AddObject(m, "CLI_CRED_CLEAR_AUTH", PyLong_FromLong(CLI_CRED_CLEAR_AUTH));
3126
3127 PyModule_AddObject(m, "SMB_SIGNING_DEFAULT", PyLong_FromLong(SMB_SIGNING_DEFAULT));
3128 PyModule_AddObject(m, "SMB_SIGNING_OFF", PyLong_FromLong(SMB_SIGNING_OFF));
3129 PyModule_AddObject(m, "SMB_SIGNING_IF_REQUIRED", PyLong_FromLong(SMB_SIGNING_IF_REQUIRED));
3130 PyModule_AddObject(m, "SMB_SIGNING_DESIRED", PyLong_FromLong(SMB_SIGNING_DESIRED));
3131 PyModule_AddObject(m, "SMB_SIGNING_REQUIRED", PyLong_FromLong(SMB_SIGNING_REQUIRED));
3132
3133 PyModule_AddObject(m, "SMB_ENCRYPTION_DEFAULT", PyLong_FromLong(SMB_ENCRYPTION_DEFAULT));
3134 PyModule_AddObject(m, "SMB_ENCRYPTION_OFF", PyLong_FromLong(SMB_ENCRYPTION_OFF));
3135 PyModule_AddObject(m, "SMB_ENCRYPTION_IF_REQUIRED", PyLong_FromLong(SMB_ENCRYPTION_IF_REQUIRED));
3136 PyModule_AddObject(m, "SMB_ENCRYPTION_DESIRED", PyLong_FromLong(SMB_ENCRYPTION_DESIRED));
3137 PyModule_AddObject(m, "SMB_ENCRYPTION_REQUIRED", PyLong_FromLong(SMB_ENCRYPTION_REQUIRED));
3138
3139 PyModule_AddObject(m, "ENCTYPE_ARCFOUR_HMAC", PyLong_FromLong(ENCTYPE_ARCFOUR_HMAC));
3140 PyModule_AddObject(m, "ENCTYPE_AES128_CTS_HMAC_SHA1_96", PyLong_FromLong(ENCTYPE_AES128_CTS_HMAC_SHA1_96));
3141 PyModule_AddObject(m, "ENCTYPE_AES256_CTS_HMAC_SHA1_96", PyLong_FromLong(ENCTYPE_AES256_CTS_HMAC_SHA1_96));
3142
3143 Py_INCREF(&PyCredentials);
3144 PyModule_AddObject(m, "Credentials", (PyObject *)&PyCredentials);
3145 Py_INCREF(&PyCredentialCacheContainer);
3146 PyModule_AddObject(m, "CredentialCacheContainer", (PyObject *)&PyCredentialCacheContainer);
3147 return m;
3148 }
GSS-enabled samba4