r11521: Add in client support for checking supportedSASLmechanisms, and then

determining a mechanism to use.

Currently it doesn't to fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).

This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).

Also make the similar function used for OIDs in SPNEGO do the same.

This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...

Andrew Bartlett
(This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)

3 files changed, 74 insertions, 5 deletions

diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 375c55e3ba..3818965a6f 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -98,6 +98,71 @@ const struct gensec_security_ops **gensec_security_all(int *num_backends_out)
  * The list is in the exact order of the OIDs asked for, where available.
  */
 
+const struct gensec_security_ops **gensec_security_by_sasl(TALLOC_CTX *mem_ctx, 
+							  const char **sasl_names)
+{
+	const struct gensec_security_ops **backends_out;
+	const struct gensec_security_ops **backends;
+	int i, k, sasl_idx;
+	int num_backends_out = 0;
+	int num_backends;
+
+	if (!sasl_names) {
+		return NULL;
+	}
+
+	backends = gensec_security_all(&num_backends);
+
+	backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1);
+	if (!backends_out) {
+		return NULL;
+	}
+	backends_out[0] = NULL;
+
+	/* Find backends in our preferred order, by walking our list,
+	 * then looking in the supplied list */
+	for (i=0; i < num_backends; i++) {
+		for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
+			if (!backends[i]->sasl_name ||
+			    !(strcmp(backends[i]->sasl_name, 
+				     sasl_names[sasl_idx]) == 0)) {
+				continue;
+			}
+			
+			for (k=0; backends_out[k]; k++) {
+				if (backends_out[k] == backends[i]) {
+					break;
+				}
+			}
+			
+			if (k < num_backends_out) {
+				/* already in there */
+				continue;
+			}
+			
+			backends_out = talloc_realloc(mem_ctx, backends_out, 
+						      const struct gensec_security_ops *, 
+						      num_backends_out + 2);
+			if (!backends_out) {
+				return NULL;
+			}
+			
+			backends_out[num_backends_out] = backends[i];
+			num_backends_out++;
+			backends_out[num_backends_out] = NULL;
+		}
+	}
+	return backends_out;
+}
+
+/**
+ * Return a unique list of security subsystems from those specified in
+ * the OID list.  That is, where two OIDs refer to the same module,
+ * return that module only once 
+ *
+ * The list is in the exact order of the OIDs asked for, where available.
+ */
+
 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(TALLOC_CTX *mem_ctx, 
 								      const char **oid_strings,
 								      const char *skip)
@@ -121,15 +186,17 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(TALLOC_CTX
 	backends_out[0].op = NULL;
 	backends_out[0].oid = NULL;
 
-	for (oid_idx = 0; oid_strings[oid_idx]; oid_idx++) {
-		if (strcmp(oid_strings[oid_idx], skip) == 0) {
+	/* Find backends in our preferred order, by walking our list,
+	 * then looking in the supplied list */
+	for (i=0; i < num_backends; i++) {
+		if (!backends[i]->oid) {
 			continue;
 		}
-
-		for (i=0; i < num_backends; i++) {
-			if (!backends[i]->oid) {
+		for (oid_idx = 0; oid_strings[oid_idx]; oid_idx++) {
+			if (strcmp(oid_strings[oid_idx], skip) == 0) {
 				continue;
 			}
+
 			for (j=0; backends[i]->oid[j]; j++) { 
 				if (!backends[i]->oid[j] ||
 				    !(strcmp(backends[i]->oid[j], 
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 745191e693..08e2298c1a 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -965,6 +965,7 @@ static const char *gensec_gssapi_krb5_oids[] = {
 /* As a server, this could in theory accept any GSSAPI mech */
 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
 	.name		= "gssapi_krb5",
+	.sasl_name      = "GSSAPI",
 	.auth_type	= DCERPC_AUTH_TYPE_KRB5,
 	.oid            = gensec_gssapi_krb5_oids,
 	.client_start   = gensec_gssapi_client_start,
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 43187939bb..d5a2fd9a8f 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -667,6 +667,7 @@ static const char *gensec_krb5_oids[] = {
 
 static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
 	.name		= "fake_gssapi_krb5",
+	.sasl_name      = "GSSAPI",
 	.auth_type	= DCERPC_AUTH_TYPE_KRB5,
 	.oid            = gensec_krb5_oids,
 	.client_start   = gensec_fake_gssapi_krb5_client_start,