diff options
-rw-r--r-- | auth/gensec/gensec.c | 518 | ||||
-rw-r--r-- | auth/gensec/gensec.h (renamed from source4/auth/gensec/gensec.h) | 172 | ||||
-rw-r--r-- | auth/gensec/wscript_build | 7 | ||||
-rw-r--r-- | auth/wscript_build | 2 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_socket.h | 28 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_start.c (renamed from source4/auth/gensec/gensec.c) | 714 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_tstream.c | 2 | ||||
-rw-r--r-- | source4/auth/gensec/schannel.h | 26 | ||||
-rw-r--r-- | source4/auth/gensec/spnego.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/wscript_build | 5 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_bind.c | 1 | ||||
-rw-r--r-- | source4/libnet/libnet_samsync.c | 1 | ||||
-rw-r--r-- | source4/torture/rpc/samlogon.c | 1 | ||||
-rw-r--r-- | source4/torture/rpc/samr.c | 1 | ||||
-rw-r--r-- | source4/torture/rpc/samsync.c | 1 | ||||
-rw-r--r-- | source4/torture/rpc/schannel.c | 1 |
18 files changed, 787 insertions, 696 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c new file mode 100644 index 0000000000..390913d01b --- /dev/null +++ b/auth/gensec/gensec.c @@ -0,0 +1,518 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/network.h" +#include <tevent.h> +#include "lib/tsocket/tsocket.h" +#include "lib/util/tevent_ntstatus.h" +#include "auth/gensec/gensec.h" + +/* + wrappers for the gensec function pointers +*/ +_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + if (!gensec_security->ops->unseal_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, + data, length, + whole_pdu, pdu_length, + sig); +} + +_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + if (!gensec_security->ops->check_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); +} + +_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + if (!gensec_security->ops->seal_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); +} + +_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + if (!gensec_security->ops->sign_packet) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } + + return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); +} + +_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size) +{ + if (!gensec_security->ops->sig_size) { + return 0; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return 0; + } + + return gensec_security->ops->sig_size(gensec_security, data_size); +} + +size_t gensec_max_wrapped_size(struct gensec_security *gensec_security) +{ + if (!gensec_security->ops->max_wrapped_size) { + return (1 << 17); + } + + return gensec_security->ops->max_wrapped_size(gensec_security); +} + +size_t gensec_max_input_size(struct gensec_security *gensec_security) +{ + if (!gensec_security->ops->max_input_size) { + return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17); + } + + return gensec_security->ops->max_input_size(gensec_security); +} + +_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + if (!gensec_security->ops->wrap) { + return NT_STATUS_NOT_IMPLEMENTED; + } + return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out); +} + +_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + if (!gensec_security->ops->unwrap) { + return NT_STATUS_NOT_IMPLEMENTED; + } + return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out); +} + +_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, + DATA_BLOB *session_key) +{ + if (!gensec_security->ops->session_key) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + + return gensec_security->ops->session_key(gensec_security, session_key); +} + +/** + * Return the credentials of a logged on user, including session keys + * etc. + * + * Only valid after a successful authentication + * + * May only be called once per authentication. + * + */ + +_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security, + struct auth_session_info **session_info) +{ + if (!gensec_security->ops->session_info) { + return NT_STATUS_NOT_IMPLEMENTED; + } + return gensec_security->ops->session_info(gensec_security, session_info); +} + +/** + * Next state function for the GENSEC state machine + * + * @param gensec_security GENSEC State + * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on + * @param in The request, as a DATA_BLOB + * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx + * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, + * or NT_STATUS_OK if the user is authenticated. + */ + +_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) +{ + return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out); +} + +struct gensec_update_state { + struct tevent_immediate *im; + struct gensec_security *gensec_security; + DATA_BLOB in; + DATA_BLOB out; +}; + +static void gensec_update_async_trigger(struct tevent_context *ctx, + struct tevent_immediate *im, + void *private_data); +/** + * Next state function for the GENSEC state machine async version + * + * @param mem_ctx The memory context for the request + * @param ev The event context for the request + * @param gensec_security GENSEC State + * @param in The request, as a DATA_BLOB + * + * @return The request handle or NULL on no memory failure + */ + +_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct tevent_req *req; + struct gensec_update_state *state = NULL; + + req = tevent_req_create(mem_ctx, &state, + struct gensec_update_state); + if (req == NULL) { + return NULL; + } + + state->gensec_security = gensec_security; + state->in = in; + state->out = data_blob(NULL, 0); + state->im = tevent_create_immediate(state); + if (tevent_req_nomem(state->im, req)) { + return tevent_req_post(req, ev); + } + + tevent_schedule_immediate(state->im, ev, + gensec_update_async_trigger, + req); + + return req; +} + +static void gensec_update_async_trigger(struct tevent_context *ctx, + struct tevent_immediate *im, + void *private_data) +{ + struct tevent_req *req = + talloc_get_type_abort(private_data, struct tevent_req); + struct gensec_update_state *state = + tevent_req_data(req, struct gensec_update_state); + NTSTATUS status; + + status = gensec_update(state->gensec_security, state, + state->in, &state->out); + if (tevent_req_nterror(req, status)) { + return; + } + + tevent_req_done(req); +} + +/** + * Next state function for the GENSEC state machine + * + * @param req request state + * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on + * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx + * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, + * or NT_STATUS_OK if the user is authenticated. + */ +_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct gensec_update_state *state = + tevent_req_data(req, struct gensec_update_state); + NTSTATUS status; + + if (tevent_req_is_nterror(req, &status)) { + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + tevent_req_received(req); + return status; + } + } else { + status = NT_STATUS_OK; + } + + *out = state->out; + talloc_steal(out_mem_ctx, out->data); + + tevent_req_received(req); + return status; +} + +/** + * Set the requirement for a certain feature on the connection + * + */ + +_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + if (!gensec_security->ops || !gensec_security->ops->want_feature) { + gensec_security->want_features |= feature; + return; + } + gensec_security->ops->want_feature(gensec_security, feature); +} + +/** + * Check the requirement for a certain feature on the connection + * + */ + +_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + if (!gensec_security->ops->have_feature) { + return false; + } + + /* We might 'have' features that we don't 'want', because the + * other end demanded them, or we can't neotiate them off */ + return gensec_security->ops->have_feature(gensec_security, feature); +} + +/** + * Return the credentials structure associated with a GENSEC context + * + */ + +_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security) +{ + if (!gensec_security) { + return NULL; + } + return gensec_security->credentials; +} + +/** + * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed + * + */ + +_PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service) +{ + gensec_security->target.service = talloc_strdup(gensec_security, service); + if (!gensec_security->target.service) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; +} + +_PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security) +{ + if (gensec_security->target.service) { + return gensec_security->target.service; + } + + return "host"; +} + +/** + * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed + * + */ + +_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname) +{ + gensec_security->target.hostname = talloc_strdup(gensec_security, hostname); + if (hostname && !gensec_security->target.hostname) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; +} + +_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) +{ + /* We allow the target hostname to be overriden for testing purposes */ + if (gensec_security->settings->target_hostname) { + return gensec_security->settings->target_hostname; + } + + if (gensec_security->target.hostname) { + return gensec_security->target.hostname; + } + + /* We could add use the 'set sockaddr' call, and do a reverse + * lookup, but this would be both insecure (compromising the + * way kerberos works) and add DNS timeouts */ + return NULL; +} + +/** + * Set (and talloc_reference) local and peer socket addresses onto a socket + * context on the GENSEC context. + * + * This is so that kerberos can include these addresses in + * cryptographic tokens, to avoid certain attacks. + */ + +/** + * @brief Set the local gensec address. + * + * @param gensec_security The gensec security context to use. + * + * @param remote The local address to set. + * + * @return On success NT_STATUS_OK is returned or an NT_STATUS + * error. + */ +_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, + const struct tsocket_address *local) +{ + TALLOC_FREE(gensec_security->local_addr); + + if (local == NULL) { + return NT_STATUS_OK; + } + + gensec_security->local_addr = tsocket_address_copy(local, gensec_security); + if (gensec_security->local_addr == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +/** + * @brief Set the remote gensec address. + * + * @param gensec_security The gensec security context to use. + * + * @param remote The remote address to set. + * + * @return On success NT_STATUS_OK is returned or an NT_STATUS + * error. + */ +_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security, + const struct tsocket_address *remote) +{ + TALLOC_FREE(gensec_security->remote_addr); + + if (remote == NULL) { + return NT_STATUS_OK; + } + + gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security); + if (gensec_security->remote_addr == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +/** + * @brief Get the local address from a gensec security context. + * + * @param gensec_security The security context to get the address from. + * + * @return The address as tsocket_address which could be NULL if + * no address is set. + */ +_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security) +{ + if (gensec_security == NULL) { + return NULL; + } + return gensec_security->local_addr; +} + +/** + * @brief Get the remote address from a gensec security context. + * + * @param gensec_security The security context to get the address from. + * + * @return The address as tsocket_address which could be NULL if + * no address is set. + */ +_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security) +{ + if (gensec_security == NULL) { + return NULL; + } + return gensec_security->remote_addr; +} + +/** + * Set the target principal (assuming it it known, say from the SPNEGO reply) + * - ensures it is talloc()ed + * + */ + +_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal) +{ + gensec_security->target.principal = talloc_strdup(gensec_security, principal); + if (!gensec_security->target.principal) { + return NT_STATUS_NO_MEMORY; + } + return NT_STATUS_OK; +} + +const char *gensec_get_target_principal(struct gensec_security *gensec_security) +{ + if (gensec_security->target.principal) { + return gensec_security->target.principal; + } + + return NULL; +} diff --git a/source4/auth/gensec/gensec.h b/auth/gensec/gensec.h index 322adce2ea..b897419473 100644 --- a/source4/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. - + Generic Authentication Interface Copyright (C) Andrew Tridgell 2003 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -89,61 +89,61 @@ struct gensec_security_ops { /** Determine if a packet has the right 'magic' for this mechanism */ - NTSTATUS (*magic)(struct gensec_security *gensec_security, + NTSTATUS (*magic)(struct gensec_security *gensec_security, const DATA_BLOB *first_packet); NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out); NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig); NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig); size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size); size_t (*max_input_size)(struct gensec_security *gensec_security); size_t (*max_wrapped_size)(struct gensec_security *gensec_security); - NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, + NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); - NTSTATUS (*wrap)(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out); - NTSTATUS (*unwrap)(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out); - NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, + NTSTATUS (*wrap)(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); + NTSTATUS (*unwrap)(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out); + NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, DATA_BLOB *out, - size_t *len_processed); - NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, + size_t *len_processed); + NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, DATA_BLOB *out, - size_t *len_processed); + size_t *len_processed); NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security, DATA_BLOB blob, size_t *size); NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key); - NTSTATUS (*session_info)(struct gensec_security *gensec_security, - struct auth_session_info **session_info); + NTSTATUS (*session_info)(struct gensec_security *gensec_security, + struct auth_session_info **session_info); void (*want_feature)(struct gensec_security *gensec_security, uint32_t feature); bool (*have_feature)(struct gensec_security *gensec_security, - uint32_t feature); + uint32_t feature); bool enabled; bool kerberos; enum gensec_priority priority; }; - + struct gensec_security_ops_wrapper { const struct gensec_security_ops *op; const char *oid; @@ -162,7 +162,7 @@ struct gensec_security { struct tevent_context *event_ctx; struct tsocket_address *local_addr, *remote_addr; struct gensec_settings *settings; - + /* When we are a server, this may be filled in to provide an * NTLM authentication backend, and user lookup (such as if no * PAC is found) */ @@ -183,25 +183,18 @@ struct socket_context; struct auth4_context; struct auth_user_info_dc; -NTSTATUS gensec_socket_init(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct socket_context *current_socket, - struct tevent_context *ev, - void (*recv_handler)(void *, uint16_t), - void *recv_private, - struct socket_context **new_socket); /* These functions are for use here only (public because SPNEGO must * use them for recursion) */ -NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, +NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, DATA_BLOB *out, size_t *len_processed); /* These functions are for use here only (public because SPNEGO must * use them for recursion) */ -NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, +NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, DATA_BLOB *out, size_t *len_processed); @@ -212,16 +205,18 @@ NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security, struct loadparm_context; -NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, - struct gensec_security *parent, +NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, + struct gensec_security *parent, struct gensec_security **gensec_security); -NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, +NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct tevent_context *ev, struct gensec_settings *settings); -NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, +NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, + const struct gensec_security_ops *ops); +NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, const char **sasl_names); -NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, +NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out); struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -237,49 +232,46 @@ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, cons const char *gensec_get_target_service(struct gensec_security *gensec_security); NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname); const char *gensec_get_target_hostname(struct gensec_security *gensec_security); -NTSTATUS gensec_session_key(struct gensec_security *gensec_security, +NTSTATUS gensec_session_key(struct gensec_security *gensec_security, DATA_BLOB *session_key); -NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, +NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, const char *mech_oid); const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string); struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security); NTSTATUS gensec_init(void); -NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, +size_t gensec_max_input_size(struct gensec_security *gensec_security); +NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); -NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, +NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size); -NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, +NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig); -NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, +NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig); -NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, +NTSTATUS gensec_start_mech(struct gensec_security *gensec_security); +NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, uint8_t auth_type, uint8_t auth_level); const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype); -NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, +NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct gensec_settings *settings, struct auth4_context *auth_context, struct gensec_security **gensec_security); -NTSTATUS gensec_session_info(struct gensec_security *gensec_security, +NTSTATUS gensec_session_info(struct gensec_security *gensec_security, struct auth_session_info **session_info); -struct netlogon_creds_CredentialState; -NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct netlogon_creds_CredentialState **creds); - NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, const struct tsocket_address *local); @@ -288,25 +280,25 @@ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security, const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security); const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security); -NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, +NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, const char *name); -NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, +NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, DATA_BLOB *out); -NTSTATUS gensec_wrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, +NTSTATUS gensec_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, DATA_BLOB *out); struct gensec_security_ops **gensec_security_all(void); bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security); -struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, - struct gensec_security_ops **old_gensec_list, +struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, + struct gensec_security_ops **old_gensec_list, struct cli_credentials *creds); -NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, +NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, const char *sasl_name); int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value); diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build new file mode 100644 index 0000000000..4daa1de634 --- /dev/null +++ b/auth/gensec/wscript_build @@ -0,0 +1,7 @@ +#!/usr/bin/env python + +bld.SAMBA_SUBSYSTEM('gensec_runtime', + source='gensec.c', + deps='UTIL_TEVENT tevent samba-util LIBTSOCKET', + public_headers='gensec.h', + autoproto='gensec_toplevel_proto.h') diff --git a/auth/wscript_build b/auth/wscript_build index 0472a20a01..976e8ab090 100644 --- a/auth/wscript_build +++ b/auth/wscript_build @@ -6,3 +6,5 @@ bld.SAMBA_LIBRARY('auth_sam_reply', autoproto='auth_sam_reply.h', private_library=True ) + +bld.RECURSE('gensec') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 72c6b3f991..6ecd29bf34 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -34,6 +34,7 @@ #include "auth/credentials/credentials_krb5.h" #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_proto.h" +#include "auth/gensec/gensec_toplevel_proto.h" #include "param/param.h" #include "auth/session_proto.h" #include <gssapi/gssapi.h> diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index d47bc7709c..90794b850c 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -35,6 +35,7 @@ #include "auth/kerberos/kerberos_credentials.h" #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_proto.h" +#include "auth/gensec/gensec_toplevel_proto.h" #include "param/param.h" #include "auth/auth_sam_reply.h" #include "lib/util/util_net.h" diff --git a/source4/auth/gensec/gensec_socket.h b/source4/auth/gensec/gensec_socket.h new file mode 100644 index 0000000000..bb12cc00ea --- /dev/null +++ b/source4/auth/gensec/gensec_socket.h @@ -0,0 +1,28 @@ +/* + Unix SMB/CIFS implementation. + + GENSEC socket interface + + Copyright (C) Andrew Bartlett 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +NTSTATUS gensec_socket_init(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct socket_context *current_socket, + struct tevent_context *ev, + void (*recv_handler)(void *, uint16_t), + void *recv_private, + struct socket_context **new_socket); diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec_start.c index 7dd3eac3b7..d754bb0cde 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec_start.c @@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. - + Generic Authentication Interface Copyright (C) Andrew Tridgell 2003 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -34,6 +34,7 @@ #include "auth/system_session_proto.h" #include "param/param.h" #include "lib/util/tsort.h" +#include "auth/gensec/gensec_toplevel_proto.h" /* the list of currently registered GENSEC backends */ static struct gensec_security_ops **generic_security_ops; @@ -56,8 +57,8 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_ * gensec_security_all(), or from cli_credentials_gensec_list() (ie, * an existing list we have trimmed down) */ -_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, - struct gensec_security_ops **old_gensec_list, +_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, + struct gensec_security_ops **old_gensec_list, struct cli_credentials *creds) { struct gensec_security_ops **new_gensec_list; @@ -113,13 +114,13 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ return NULL; } } - new_gensec_list[j] = NULL; - + new_gensec_list[j] = NULL; + return new_gensec_list; } struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx) + TALLOC_CTX *mem_ctx) { struct gensec_security_ops **backends; backends = gensec_security_all(); @@ -152,7 +153,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (!gensec_security_ops_enabled(backends[i], gensec_security)) + if (!gensec_security_ops_enabled(backends[i], gensec_security)) continue; if (backends[i]->auth_type == auth_type) { backend = backends[i]; @@ -177,12 +178,12 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && - !gensec_security_ops_enabled(backends[i], + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security)) continue; if (backends[i]->oid) { - for (j=0; backends[i]->oid[j]; j++) { + for (j=0; backends[i]->oid[j]; j++) { if (backends[i]->oid[j] && (strcmp(backends[i]->oid[j], oid_string) == 0)) { backend = backends[i]; @@ -209,9 +210,9 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (!gensec_security_ops_enabled(backends[i], gensec_security)) + if (!gensec_security_ops_enabled(backends[i], gensec_security)) continue; - if (backends[i]->sasl_name + if (backends[i]->sasl_name && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) { backend = backends[i]; talloc_free(mem_ctx); @@ -235,10 +236,10 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(backends[i], gensec_security)) continue; - if (backends[i]->name + if (backends[i]->name && (strcmp(backends[i]->name, name) == 0)) { backend = backends[i]; talloc_free(mem_ctx); @@ -251,14 +252,14 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s /** * Return a unique list of security subsystems from those specified in - * the list of SASL names. + * the list of SASL names. * * Use the list of enabled GENSEC mechanisms from the credentials * attached to the gensec_security, and return in our preferred order. */ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, const char **sasl_names) { const struct gensec_security_ops **backends_out; @@ -281,34 +282,34 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(backends[i], gensec_security)) continue; for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) { if (!backends[i]->sasl_name || - !(strcmp(backends[i]->sasl_name, + !(strcmp(backends[i]->sasl_name, sasl_names[sasl_idx]) == 0)) { continue; } - + for (k=0; backends_out[k]; k++) { if (backends_out[k] == backends[i]) { break; } } - + if (k < num_backends_out) { /* already in there */ continue; } - - backends_out = talloc_realloc(mem_ctx, backends_out, - const struct gensec_security_ops *, + + backends_out = talloc_realloc(mem_ctx, backends_out, + const struct gensec_security_ops *, num_backends_out + 2); if (!backends_out) { return NULL; } - + backends_out[num_backends_out] = backends[i]; num_backends_out++; backends_out[num_backends_out] = NULL; @@ -320,14 +321,14 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se /** * Return a unique list of security subsystems from those specified in * the OID list. That is, where two OIDs refer to the same module, - * return that module only once. + * return that module only once. * * Use the list of enabled GENSEC mechanisms from the credentials * attached to the gensec_security, and return in our preferred order. */ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, const char **oid_strings, const char *skip) { @@ -352,7 +353,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(backends[i], gensec_security)) continue; if (!backends[i]->oid) { @@ -363,31 +364,31 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen continue; } - for (j=0; backends[i]->oid[j]; j++) { + for (j=0; backends[i]->oid[j]; j++) { if (!backends[i]->oid[j] || - !(strcmp(backends[i]->oid[j], + !(strcmp(backends[i]->oid[j], oid_strings[oid_idx]) == 0)) { continue; } - + for (k=0; backends_out[k].op; k++) { if (backends_out[k].op == backends[i]) { break; } } - + if (k < num_backends_out) { /* already in there */ continue; } - backends_out = talloc_realloc(mem_ctx, backends_out, - struct gensec_security_ops_wrapper, + backends_out = talloc_realloc(mem_ctx, backends_out, + struct gensec_security_ops_wrapper, num_backends_out + 2); if (!backends_out) { return NULL; } - + backends_out[num_backends_out].op = backends[i]; backends_out[num_backends_out].oid = backends[i]->oid[j]; num_backends_out++; @@ -404,9 +405,9 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen */ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct gensec_security_ops **ops, - const char *skip) + TALLOC_CTX *mem_ctx, + struct gensec_security_ops **ops, + const char *skip) { int i; int j = 0; @@ -419,16 +420,16 @@ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_securi if (!oid_list) { return NULL; } - + for (i=0; ops && ops[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(ops[i], gensec_security)) { continue; } if (!ops[i]->oid) { continue; } - + for (k = 0; ops[i]->oid[k]; k++) { if (skip && strcmp(skip, ops[i]->oid[k])==0) { } else { @@ -450,7 +451,7 @@ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_securi * Return OIDS from the security subsystems listed */ -const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, +const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, const struct gensec_security_ops_wrapper *wops) { int i; @@ -464,12 +465,12 @@ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, if (!oid_list) { return NULL; } - + for (i=0; wops[i].op; i++) { if (!wops[i].op->oid) { continue; } - + for (k = 0; wops[i].op->oid[k]; k++) { oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2); if (!oid_list) { @@ -486,35 +487,33 @@ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, /** * Return all the security subsystems currently enabled on a GENSEC context. - * + * * This is taken from a list attached to the cli_credentials, and * skips the OID in 'skip'. (Typically the SPNEGO OID) - * + * */ -const char **gensec_security_oids(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const char *skip) +const char **gensec_security_oids(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const char *skip) { struct gensec_security_ops **ops = gensec_security_mechs(gensec_security, mem_ctx); return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip); } - - /** Start the GENSEC system, returning a context pointer. @param mem_ctx The parent TALLOC memory context. @param gensec_security Returned GENSEC context pointer. @note The mem_ctx is only a parent and may be NULL. @note, the auth context is moved to be a referenced pointer of the - @ gensec_security return + @ gensec_security return */ -static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, +static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct gensec_settings *settings, - struct auth4_context *auth_context, + struct auth4_context *auth_context, struct gensec_security **gensec_security) { if (ev == NULL) { @@ -537,16 +536,16 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -/** +/** * Start a GENSEC subcontext, with a copy of the properties of the parent * @param mem_ctx The parent TALLOC memory context. - * @param parent The parent GENSEC context + * @param parent The parent GENSEC context * @param gensec_security Returned GENSEC context pointer. * @note Used by SPNEGO in particular, for the actual implementation mechanism */ -_PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, - struct gensec_security *parent, +_PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, + struct gensec_security *parent, struct gensec_security **gensec_security) { (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security); @@ -572,7 +571,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, @param gensec_security Returned GENSEC context pointer. @note The mem_ctx is only a parent and may be NULL. */ -_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, +_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct tevent_context *ev, struct gensec_settings *settings) @@ -601,7 +600,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, @param gensec_security Returned GENSEC context pointer. @note The mem_ctx is only a parent and may be NULL. */ -_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, +_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct gensec_settings *settings, struct auth4_context *auth_context, @@ -628,11 +627,11 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, return status; } -static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) +NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) { NTSTATUS status; - DEBUG(5, ("Starting GENSEC %smechanism %s\n", - gensec_security->subcontext ? "sub" : "", + DEBUG(5, ("Starting GENSEC %smechanism %s\n", + gensec_security->subcontext ? "sub" : "", gensec_security->ops->name)); switch (gensec_security->gensec_role) { case GENSEC_CLIENT: @@ -640,7 +639,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) status = gensec_security->ops->client_start(gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n", - gensec_security->ops->name, nt_errstr(status))); + gensec_security->ops->name, nt_errstr(status))); } return status; } @@ -650,7 +649,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) status = gensec_security->ops->server_start(gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n", - gensec_security->ops->name, nt_errstr(status))); + gensec_security->ops->name, nt_errstr(status))); } return status; } @@ -659,15 +658,28 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) return NT_STATUS_INVALID_PARAMETER; } -/** - * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number +/** + * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO + * + */ + +NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, + const struct gensec_security_ops *ops) +{ + gensec_security->ops = ops; + return gensec_start_mech(gensec_security); +} + + +/** + * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number * @param gensec_security GENSEC context pointer. * @param auth_type DCERPC auth type - * @param auth_level DCERPC auth level + * @param auth_level DCERPC auth level */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, - uint8_t auth_type, uint8_t auth_level) +_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, + uint8_t auth_type, uint8_t auth_level) { gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type); if (!gensec_security->ops) { @@ -684,7 +696,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) { /* Default features */ } else { - DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n", + DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n", auth_level)); return NT_STATUS_INVALID_PARAMETER; } @@ -692,7 +704,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s return gensec_start_mech(gensec_security); } -_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) +_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) { const struct gensec_security_ops *ops; ops = gensec_security_by_authtype(gensec_security, authtype); @@ -701,10 +713,10 @@ _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_ } return NULL; } - + _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, - const char *oid_string) + const char *oid_string) { const struct gensec_security_ops *ops; ops = gensec_security_by_oid(gensec_security, oid_string); @@ -715,26 +727,14 @@ _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_secur } /** - * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO - * - */ - -NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, - const struct gensec_security_ops *ops) -{ - gensec_security->ops = ops; - return gensec_start_mech(gensec_security); -} - -/** * Start a GENSEC sub-mechanism by OID, used in SPNEGO * * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a * well-known #define to hook it in. */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, - const char *mech_oid) +_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, + const char *mech_oid) { SMB_ASSERT(gensec_security != NULL); @@ -746,13 +746,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_securi return gensec_start_mech(gensec_security); } -/** +/** * Start a GENSEC sub-mechanism by a well know SASL name * */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, - const char *sasl_name) +_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, + const char *sasl_name) { gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name); if (!gensec_security->ops) { @@ -762,13 +762,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_ return gensec_start_mech(gensec_security); } -/** +/** * Start a GENSEC sub-mechanism with the preferred option from a SASL name list * */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, - const char **sasl_names) +_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, + const char **sasl_names) { NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER; TALLOC_CTX *mem_ctx = talloc_new(gensec_security); @@ -779,8 +779,8 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_ } ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names); if (!ops || !*ops) { - DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n", - str_list_join(mem_ctx, + DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n", + str_list_join(mem_ctx, sasl_names, ' '))); talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; @@ -795,13 +795,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_ return nt_status; } -/** +/** * Start a GENSEC sub-mechanism by an internal name * */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, - const char *name) +_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, + const char *name) { gensec_security->ops = gensec_security_by_name(gensec_security, name); if (!gensec_security->ops) { @@ -811,317 +811,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_secur return gensec_start_mech(gensec_security); } -/* - wrappers for the gensec function pointers -*/ -_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - if (!gensec_security->ops->unseal_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, - data, length, - whole_pdu, pdu_length, - sig); -} - -_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - if (!gensec_security->ops->check_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); -} - -_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - if (!gensec_security->ops->seal_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); -} - -_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - if (!gensec_security->ops->sign_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); -} - -_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size) -{ - if (!gensec_security->ops->sig_size) { - return 0; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return 0; - } - - return gensec_security->ops->sig_size(gensec_security, data_size); -} - -size_t gensec_max_wrapped_size(struct gensec_security *gensec_security) -{ - if (!gensec_security->ops->max_wrapped_size) { - return (1 << 17); - } - - return gensec_security->ops->max_wrapped_size(gensec_security); -} - -size_t gensec_max_input_size(struct gensec_security *gensec_security) -{ - if (!gensec_security->ops->max_input_size) { - return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17); - } - - return gensec_security->ops->max_input_size(gensec_security); -} - -_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out) -{ - if (!gensec_security->ops->wrap) { - return NT_STATUS_NOT_IMPLEMENTED; - } - return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out); -} - -_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out) -{ - if (!gensec_security->ops->unwrap) { - return NT_STATUS_NOT_IMPLEMENTED; - } - return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out); -} - -_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, - DATA_BLOB *session_key) -{ - if (!gensec_security->ops->session_key) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) { - return NT_STATUS_NO_USER_SESSION_KEY; - } - - return gensec_security->ops->session_key(gensec_security, session_key); -} - -/** - * Return the credentials of a logged on user, including session keys - * etc. - * - * Only valid after a successful authentication - * - * May only be called once per authentication. - * - */ - -_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security, - struct auth_session_info **session_info) -{ - if (!gensec_security->ops->session_info) { - return NT_STATUS_NOT_IMPLEMENTED; - } - return gensec_security->ops->session_info(gensec_security, session_info); -} - /** - * Next state function for the GENSEC state machine - * - * @param gensec_security GENSEC State - * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on - * @param in The request, as a DATA_BLOB - * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx - * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, - * or NT_STATUS_OK if the user is authenticated. - */ - -_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) -{ - return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out); -} - -struct gensec_update_state { - struct tevent_immediate *im; - struct gensec_security *gensec_security; - DATA_BLOB in; - DATA_BLOB out; -}; - -static void gensec_update_async_trigger(struct tevent_context *ctx, - struct tevent_immediate *im, - void *private_data); -/** - * Next state function for the GENSEC state machine async version - * - * @param mem_ctx The memory context for the request - * @param ev The event context for the request - * @param gensec_security GENSEC State - * @param in The request, as a DATA_BLOB + * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context * - * @return The request handle or NULL on no memory failure */ -_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct gensec_security *gensec_security, - const DATA_BLOB in) -{ - struct tevent_req *req; - struct gensec_update_state *state = NULL; - - req = tevent_req_create(mem_ctx, &state, - struct gensec_update_state); - if (req == NULL) { - return NULL; - } - - state->gensec_security = gensec_security; - state->in = in; - state->out = data_blob(NULL, 0); - state->im = tevent_create_immediate(state); - if (tevent_req_nomem(state->im, req)) { - return tevent_req_post(req, ev); - } - - tevent_schedule_immediate(state->im, ev, - gensec_update_async_trigger, - req); - - return req; -} - -static void gensec_update_async_trigger(struct tevent_context *ctx, - struct tevent_immediate *im, - void *private_data) -{ - struct tevent_req *req = - talloc_get_type_abort(private_data, struct tevent_req); - struct gensec_update_state *state = - tevent_req_data(req, struct gensec_update_state); - NTSTATUS status; - - status = gensec_update(state->gensec_security, state, - state->in, &state->out); - if (tevent_req_nterror(req, status)) { - return; - } - - tevent_req_done(req); -} - -/** - * Next state function for the GENSEC state machine - * - * @param req request state - * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on - * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx - * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, - * or NT_STATUS_OK if the user is authenticated. - */ -_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req, - TALLOC_CTX *out_mem_ctx, - DATA_BLOB *out) -{ - struct gensec_update_state *state = - tevent_req_data(req, struct gensec_update_state); - NTSTATUS status; - - if (tevent_req_is_nterror(req, &status)) { - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - tevent_req_received(req); - return status; - } - } else { - status = NT_STATUS_OK; - } - - *out = state->out; - talloc_steal(out_mem_ctx, out->data); - - tevent_req_received(req); - return status; -} - -/** - * Set the requirement for a certain feature on the connection - * - */ - -_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security, - uint32_t feature) -{ - if (!gensec_security->ops || !gensec_security->ops->want_feature) { - gensec_security->want_features |= feature; - return; - } - gensec_security->ops->want_feature(gensec_security, feature); -} - -/** - * Check the requirement for a certain feature on the connection - * - */ - -_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security, - uint32_t feature) -{ - if (!gensec_security->ops->have_feature) { - return false; - } - - /* We might 'have' features that we don't 'want', because the - * other end demanded them, or we can't neotiate them off */ - return gensec_security->ops->have_feature(gensec_security, feature); -} - -/** - * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context - * - */ - -_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials) +_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials) { gensec_security->credentials = talloc_reference(gensec_security, credentials); NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials); @@ -1129,191 +824,6 @@ _PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security return NT_STATUS_OK; } -/** - * Return the credentials structure associated with a GENSEC context - * - */ - -_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security) -{ - if (!gensec_security) { - return NULL; - } - return gensec_security->credentials; -} - -/** - * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed - * - */ - -_PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service) -{ - gensec_security->target.service = talloc_strdup(gensec_security, service); - if (!gensec_security->target.service) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -_PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security) -{ - if (gensec_security->target.service) { - return gensec_security->target.service; - } - - return "host"; -} - -/** - * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed - * - */ - -_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname) -{ - gensec_security->target.hostname = talloc_strdup(gensec_security, hostname); - if (hostname && !gensec_security->target.hostname) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) -{ - /* We allow the target hostname to be overriden for testing purposes */ - if (gensec_security->settings->target_hostname) { - return gensec_security->settings->target_hostname; - } - - if (gensec_security->target.hostname) { - return gensec_security->target.hostname; - } - - /* We could add use the 'set sockaddr' call, and do a reverse - * lookup, but this would be both insecure (compromising the - * way kerberos works) and add DNS timeouts */ - return NULL; -} - -/** - * Set (and talloc_reference) local and peer socket addresses onto a socket - * context on the GENSEC context. - * - * This is so that kerberos can include these addresses in - * cryptographic tokens, to avoid certain attacks. - */ - -/** - * @brief Set the local gensec address. - * - * @param gensec_security The gensec security context to use. - * - * @param remote The local address to set. - * - * @return On success NT_STATUS_OK is returned or an NT_STATUS - * error. - */ -_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, - const struct tsocket_address *local) -{ - TALLOC_FREE(gensec_security->local_addr); - - if (local == NULL) { - return NT_STATUS_OK; - } - - gensec_security->local_addr = tsocket_address_copy(local, gensec_security); - if (gensec_security->local_addr == NULL) { - return NT_STATUS_NO_MEMORY; - } - - return NT_STATUS_OK; -} - -/** - * @brief Set the remote gensec address. - * - * @param gensec_security The gensec security context to use. - * - * @param remote The remote address to set. - * - * @return On success NT_STATUS_OK is returned or an NT_STATUS - * error. - */ -_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security, - const struct tsocket_address *remote) -{ - TALLOC_FREE(gensec_security->remote_addr); - - if (remote == NULL) { - return NT_STATUS_OK; - } - - gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security); - if (gensec_security->remote_addr == NULL) { - return NT_STATUS_NO_MEMORY; - } - - return NT_STATUS_OK; -} - -/** - * @brief Get the local address from a gensec security context. - * - * @param gensec_security The security context to get the address from. - * - * @return The address as tsocket_address which could be NULL if - * no address is set. - */ -_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security) -{ - if (gensec_security == NULL) { - return NULL; - } - return gensec_security->local_addr; -} - -/** - * @brief Get the remote address from a gensec security context. - * - * @param gensec_security The security context to get the address from. - * - * @return The address as tsocket_address which could be NULL if - * no address is set. - */ -_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security) -{ - if (gensec_security == NULL) { - return NULL; - } - return gensec_security->remote_addr; -} - -/** - * Set the target principal (assuming it it known, say from the SPNEGO reply) - * - ensures it is talloc()ed - * - */ - -_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal) -{ - gensec_security->target.principal = talloc_strdup(gensec_security, principal); - if (!gensec_security->target.principal) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -const char *gensec_get_target_principal(struct gensec_security *gensec_security) -{ - if (gensec_security->target.principal) { - return gensec_security->target.principal; - } - - return NULL; -} - NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, struct auth_user_info_dc *user_info_dc, @@ -1348,7 +858,7 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, } /* - register a GENSEC backend. + register a GENSEC backend. The 'name' can be later used by other backends to find the operations structure for this backend. @@ -1357,14 +867,14 @@ NTSTATUS gensec_register(const struct gensec_security_ops *ops) { if (gensec_security_by_name(NULL, ops->name) != NULL) { /* its already registered! */ - DEBUG(0,("GENSEC backend '%s' already registered\n", + DEBUG(0,("GENSEC backend '%s' already registered\n", ops->name)); return NT_STATUS_OBJECT_NAME_COLLISION; } - generic_security_ops = talloc_realloc(talloc_autofree_context(), - generic_security_ops, - struct gensec_security_ops *, + generic_security_ops = talloc_realloc(talloc_autofree_context(), + generic_security_ops, + struct gensec_security_ops *, gensec_num_backends+2); if (!generic_security_ops) { return NT_STATUS_NO_MEMORY; @@ -1374,7 +884,7 @@ NTSTATUS gensec_register(const struct gensec_security_ops *ops) gensec_num_backends++; generic_security_ops[gensec_num_backends] = NULL; - DEBUG(3,("GENSEC backend '%s' registered\n", + DEBUG(3,("GENSEC backend '%s' registered\n", ops->name)); return NT_STATUS_OK; @@ -1423,7 +933,7 @@ _PUBLIC_ NTSTATUS gensec_init(void) if (initialized) return NT_STATUS_OK; initialized = true; - + shared_init = load_samba_modules(NULL, "gensec"); run_init_functions(static_init); @@ -1432,6 +942,6 @@ _PUBLIC_ NTSTATUS gensec_init(void) talloc_free(shared_init); TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec); - + return NT_STATUS_OK; } diff --git a/source4/auth/gensec/gensec_tstream.c b/source4/auth/gensec/gensec_tstream.c index 3bc69ab915..91915b5034 100644 --- a/source4/auth/gensec/gensec_tstream.c +++ b/source4/auth/gensec/gensec_tstream.c @@ -27,7 +27,7 @@ #include "auth/gensec/gensec_tstream.h" #include "lib/tsocket/tsocket.h" #include "lib/tsocket/tsocket_internal.h" - +#include "auth/gensec/gensec_toplevel_proto.h" static const struct tstream_context_ops tstream_gensec_ops; diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h new file mode 100644 index 0000000000..88a32a7490 --- /dev/null +++ b/source4/auth/gensec/schannel.h @@ -0,0 +1,26 @@ +/* + Unix SMB/CIFS implementation. + + dcerpc schannel operations + + Copyright (C) Andrew Tridgell 2004 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +struct netlogon_creds_CredentialState; +NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct netlogon_creds_CredentialState **creds); diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 1423423cc0..3611d31a23 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -28,6 +28,7 @@ #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_proto.h" +#include "auth/gensec/gensec_toplevel_proto.h" #include "param/param.h" _PUBLIC_ NTSTATUS gensec_spnego_init(void); diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build index 42d7dc5fd4..4eed751408 100644 --- a/source4/auth/gensec/wscript_build +++ b/source4/auth/gensec/wscript_build @@ -1,11 +1,10 @@ #!/usr/bin/env python bld.SAMBA_LIBRARY('gensec', - source='gensec.c socket.c gensec_tstream.c', + source='gensec_start.c socket.c gensec_tstream.c', pc_files='gensec.pc', autoproto='gensec_proto.h', - public_deps='UTIL_TEVENT samba-util errors LIBPACKET auth_system_session', - public_headers='gensec.h', + public_deps='UTIL_TEVENT samba-util errors LIBPACKET auth_system_session gensec_runtime', deps='com_err', vnum='0.0.1' ) diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c index f5cf25ec3f..e5e8cbadb4 100644 --- a/source4/libcli/ldap/ldap_bind.c +++ b/source4/libcli/ldap/ldap_bind.c @@ -27,6 +27,7 @@ #include "libcli/ldap/ldap_client.h" #include "lib/tls/tls.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_socket.h" #include "auth/credentials/credentials.h" #include "lib/stream/packet.h" #include "param/param.h" diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c index 774451fad4..7c999db5eb 100644 --- a/source4/libnet/libnet_samsync.c +++ b/source4/libnet/libnet_samsync.c @@ -25,6 +25,7 @@ #include "libcli/auth/libcli_auth.h" #include "../libcli/samsync/samsync.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/schannel.h" #include "auth/credentials/credentials.h" #include "libcli/auth/schannel.h" #include "librpc/gen_ndr/ndr_netlogon.h" diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 80828e26a2..cff39dde56 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -29,6 +29,7 @@ #include "lib/cmdline/popt_common.h" #include "torture/rpc/torture_rpc.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/schannel.h" #include "libcli/auth/libcli_auth.h" #include "param/param.h" diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 53cb10abf2..f7d6a93bb3 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -35,6 +35,7 @@ #include "torture/rpc/torture_rpc.h" #include "param/param.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/schannel.h" #include "auth/gensec/gensec_proto.h" #include "../libcli/auth/schannel.h" diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index 980e085268..fd1fbbff1f 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -27,6 +27,7 @@ #include "system/time.h" #include "torture/rpc/torture_rpc.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/schannel.h" #include "libcli/auth/libcli_auth.h" #include "libcli/samsync/samsync.h" #include "libcli/security/security.h" diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index c76231c991..245f33c991 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -26,6 +26,7 @@ #include "auth/credentials/credentials.h" #include "torture/rpc/torture_rpc.h" #include "lib/cmdline/popt_common.h" +#include "auth/gensec/schannel.h" #include "../libcli/auth/schannel.h" #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" |