Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec.h | 317 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_socket.h | 28 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_start.c (renamed from source4/auth/gensec/gensec.c) | 714 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_tstream.c | 2 | ||||
-rw-r--r-- | source4/auth/gensec/schannel.h | 26 | ||||
-rw-r--r-- | source4/auth/gensec/spnego.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/wscript_build | 5 |
9 files changed, 172 insertions, 923 deletions
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
deleted file mode 100644
index 322adce2ea..0000000000
--- a/source4/auth/gensec/gensec.h
+++ /dev/null
@@ -1,317 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Generic Authentication Interface - - Copyright (C) Andrew Tridgell 2003 - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#ifndef __GENSEC_H__ -#define __GENSEC_H__ - -#include "../lib/util/data_blob.h" -#include "libcli/util/ntstatus.h" - -#define GENSEC_SASL_NAME_NTLMSSP "NTLM" - -#define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10" -#define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2" -#define GENSEC_OID_KERBEROS5 "1.2.840.113554.1.2.2" -#define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2" -#define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3" - -enum gensec_priority { - GENSEC_SPNEGO = 90, - GENSEC_GSSAPI = 80, - GENSEC_KRB5 = 70, - GENSEC_SCHANNEL = 60, - GENSEC_NTLMSSP = 50, - GENSEC_SASL = 20, - GENSEC_OTHER = 0 -}; - -struct gensec_security; -struct gensec_target { - const char *principal; - const char *hostname; - const char *service; -}; - -#define GENSEC_FEATURE_SESSION_KEY 0x00000001 -#define GENSEC_FEATURE_SIGN 0x00000002 -#define GENSEC_FEATURE_SEAL 0x00000004 -#define GENSEC_FEATURE_DCE_STYLE 0x00000008 -#define GENSEC_FEATURE_ASYNC_REPLIES 0x00000010 -#define GENSEC_FEATURE_DATAGRAM_MODE 0x00000020 -#define GENSEC_FEATURE_SIGN_PKT_HEADER 0x00000040 -#define GENSEC_FEATURE_NEW_SPNEGO 0x00000080 -#define GENSEC_FEATURE_UNIX_TOKEN 0x00000100 - -/* GENSEC 
mode */ -enum gensec_role -{ - GENSEC_SERVER, - GENSEC_CLIENT -}; - -struct auth_session_info; -struct cli_credentials; -struct gensec_settings; -struct tevent_context; -struct tevent_req; - -struct gensec_settings { - struct loadparm_context *lp_ctx; - const char *target_hostname; -}; - -struct gensec_security_ops { - const char *name; - const char *sasl_name; - uint8_t auth_type; /* 0 if not offered on DCE-RPC */ - const char **oid; /* NULL if not offered by SPNEGO */ - NTSTATUS (*client_start)(struct gensec_security *gensec_security); - NTSTATUS (*server_start)(struct gensec_security *gensec_security); - /** - Determine if a packet has the right 'magic' for this mechanism - */ - NTSTATUS (*magic)(struct gensec_security *gensec_security, - const DATA_BLOB *first_packet); - NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out); - NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig); - NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig); - size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size); - size_t (*max_input_size)(struct gensec_security *gensec_security); - size_t (*max_wrapped_size)(struct gensec_security *gensec_security); - NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig); - NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig); - NTSTATUS (*wrap)(struct gensec_security *gensec_security, - TALLOC_CTX 
*mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out); - NTSTATUS (*unwrap)(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out); - NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out, - size_t *len_processed); - NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out, - size_t *len_processed); - NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security, - DATA_BLOB blob, size_t *size); - NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key); - NTSTATUS (*session_info)(struct gensec_security *gensec_security, - struct auth_session_info **session_info); - void (*want_feature)(struct gensec_security *gensec_security, - uint32_t feature); - bool (*have_feature)(struct gensec_security *gensec_security, - uint32_t feature); - bool enabled; - bool kerberos; - enum gensec_priority priority; -}; - -struct gensec_security_ops_wrapper { - const struct gensec_security_ops *op; - const char *oid; -}; - -#define GENSEC_INTERFACE_VERSION 0 - -struct gensec_security { - const struct gensec_security_ops *ops; - void *private_data; - struct cli_credentials *credentials; - struct gensec_target target; - enum gensec_role gensec_role; - bool subcontext; - uint32_t want_features; - struct tevent_context *event_ctx; - struct tsocket_address *local_addr, *remote_addr; - struct gensec_settings *settings; - - /* When we are a server, this may be filled in to provide an - * NTLM authentication backend, and user lookup (such as if no - * PAC is found) */ - struct auth4_context *auth_context; -}; - -/* this structure is used by backends to determine the size of some critical types */ -struct gensec_critical_sizes { - int interface_version; - int sizeof_gensec_security_ops; - int sizeof_gensec_security; -}; - -/* Socket wrapper */ - -struct 
gensec_security; -struct socket_context; -struct auth4_context; -struct auth_user_info_dc; - -NTSTATUS gensec_socket_init(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct socket_context *current_socket, - struct tevent_context *ev, - void (*recv_handler)(void *, uint16_t), - void *recv_private, - struct socket_context **new_socket); -/* These functions are for use here only (public because SPNEGO must - * use them for recursion) */ -NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out, - size_t *len_processed); -/* These functions are for use here only (public because SPNEGO must - * use them for recursion) */ -NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out, - size_t *len_processed); - -/* These functions are for use here only (public because SPNEGO must - * use them for recursion) */ -NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security, - DATA_BLOB blob, size_t *size); - -struct loadparm_context; - -NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, - struct gensec_security *parent, - struct gensec_security **gensec_security); -NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, - struct gensec_security **gensec_security, - struct tevent_context *ev, - struct gensec_settings *settings); -NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, - const char **sasl_names); -NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out); -struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct gensec_security *gensec_security, - const DATA_BLOB in); -NTSTATUS gensec_update_recv(struct tevent_req *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out); -void gensec_want_feature(struct gensec_security *gensec_security, - uint32_t 
feature); -bool gensec_have_feature(struct gensec_security *gensec_security, - uint32_t feature); -NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials); -NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service); -const char *gensec_get_target_service(struct gensec_security *gensec_security); -NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname); -const char *gensec_get_target_hostname(struct gensec_security *gensec_security); -NTSTATUS gensec_session_key(struct gensec_security *gensec_security, - DATA_BLOB *session_key); -NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, - const char *mech_oid); -const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string); -struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security); -NTSTATUS gensec_init(void); -NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig); -NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig); -size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size); -NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig); -NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig); -NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, - uint8_t auth_type, uint8_t auth_level); -const 
char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype); -NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct gensec_settings *settings, - struct auth4_context *auth_context, - struct gensec_security **gensec_security); -NTSTATUS gensec_session_info(struct gensec_security *gensec_security, - struct auth_session_info **session_info); -struct netlogon_creds_CredentialState; -NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct netlogon_creds_CredentialState **creds); - - -NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, - const struct tsocket_address *local); -NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security, - const struct tsocket_address *remote); -const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security); -const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security); - -NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, - const char *name); - -NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out); -NTSTATUS gensec_wrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out); - -struct gensec_security_ops **gensec_security_all(void); -bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security); -struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, - struct gensec_security_ops **old_gensec_list, - struct cli_credentials *creds); - -NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, - const char *sasl_name); - -int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value); -bool gensec_setting_bool(struct gensec_settings *settings, 
const char *mechanism, const char *name, bool default_value);
-
-NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
-
-#endif /* __GENSEC_H__ */
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 72c6b3f991..6ecd29bf34 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -34,6 +34,7 @@
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
 #include "auth/session_proto.h"
 #include <gssapi/gssapi.h>
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index d47bc7709c..90794b850c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -35,6 +35,7 @@
 #include "auth/kerberos/kerberos_credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
 #include "auth/auth_sam_reply.h"
 #include "lib/util/util_net.h"
diff --git a/source4/auth/gensec/gensec_socket.h b/source4/auth/gensec/gensec_socket.h
new file mode 100644
index 0000000000..bb12cc00ea
--- /dev/null
+++ b/source4/auth/gensec/gensec_socket.h
@@ -0,0 +1,28 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ GENSEC socket interface
+
+ Copyright (C) Andrew Bartlett 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+ struct socket_context *current_socket,
+ struct tevent_context *ev,
+ void (*recv_handler)(void *, uint16_t),
+ void *recv_private,
+ struct socket_context **new_socket);
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec_start.c
index 7dd3eac3b7..d754bb0cde 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec_start.c
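Review bot: The new gensec_socket.h declares `gensec_socket_init` without an include guard and without forward declarations for the struct types its prototype names (`struct gensec_security`, `struct socket_context`, `struct tevent_context`), so it only compiles when the including file has already pulled in the right headers; the deleted gensec.h carried both an `#ifndef __GENSEC_H__` guard and `struct gensec_security;` / `struct socket_context;` forward declarations for exactly this purpose. Suggest adding, before the prototype, `struct gensec_security;`, `struct socket_context;` and `struct tevent_context;`, and wrapping the file in a guard of the project's usual form (e.g. `#ifndef __GENSEC_SOCKET_H__`). `NTSTATUS`, `TALLOC_CTX` and `uint16_t` likewise come from headers this file does not include; whether that is acceptable depends on the project's convention for per-module headers, which is not visible here.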
@@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. - + Generic Authentication Interface Copyright (C) Andrew Tridgell 2003 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -34,6 +34,7 @@ #include "auth/system_session_proto.h" #include "param/param.h" #include "lib/util/tsort.h" +#include "auth/gensec/gensec_toplevel_proto.h" /* the list of currently registered GENSEC backends */ static struct gensec_security_ops **generic_security_ops; @@ -56,8 +57,8 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_ * gensec_security_all(), or from cli_credentials_gensec_list() (ie, * an existing list we have trimmed down) */ -_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, - struct gensec_security_ops **old_gensec_list, +_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, + struct gensec_security_ops **old_gensec_list, struct cli_credentials *creds) { struct gensec_security_ops **new_gensec_list; 
@@ -113,13 +114,13 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ return NULL; } } - new_gensec_list[j] = NULL; - + new_gensec_list[j] = NULL; + return new_gensec_list; } struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx) + TALLOC_CTX *mem_ctx) { struct gensec_security_ops **backends; backends = gensec_security_all(); @@ -152,7 +153,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (!gensec_security_ops_enabled(backends[i], gensec_security)) + if (!gensec_security_ops_enabled(backends[i], gensec_security)) continue; if (backends[i]->auth_type == auth_type) { backend = backends[i]; @@ -177,12 +178,12 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && - !gensec_security_ops_enabled(backends[i], + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security)) continue; if (backends[i]->oid) { - for (j=0; backends[i]->oid[j]; j++) { + for (j=0; backends[i]->oid[j]; j++) { if (backends[i]->oid[j] && (strcmp(backends[i]->oid[j], oid_string) == 0)) { backend = backends[i]; @@ -209,9 +210,9 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (!gensec_security_ops_enabled(backends[i], gensec_security)) + if (!gensec_security_ops_enabled(backends[i], gensec_security)) continue; - if (backends[i]->sasl_name + if (backends[i]->sasl_name && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) { backend = backends[i]; talloc_free(mem_ctx); 
@@ -235,10 +236,10 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(backends[i], gensec_security)) continue; - if (backends[i]->name + if (backends[i]->name && (strcmp(backends[i]->name, name) == 0)) { backend = backends[i]; talloc_free(mem_ctx); @@ -251,14 +252,14 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s /** * Return a unique list of security subsystems from those specified in - * the list of SASL names. + * the list of SASL names. * * Use the list of enabled GENSEC mechanisms from the credentials * attached to the gensec_security, and return in our preferred order. */ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, const char **sasl_names) { const struct gensec_security_ops **backends_out; 
@@ -281,34 +282,34 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(backends[i], gensec_security)) continue; for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) { if (!backends[i]->sasl_name || - !(strcmp(backends[i]->sasl_name, + !(strcmp(backends[i]->sasl_name, sasl_names[sasl_idx]) == 0)) { continue; } - + for (k=0; backends_out[k]; k++) { if (backends_out[k] == backends[i]) { break; } } - + if (k < num_backends_out) { /* already in there */ continue; } - - backends_out = talloc_realloc(mem_ctx, backends_out, - const struct gensec_security_ops *, + + backends_out = talloc_realloc(mem_ctx, backends_out, + const struct gensec_security_ops *, num_backends_out + 2); if (!backends_out) { return NULL; } - + backends_out[num_backends_out] = backends[i]; num_backends_out++; backends_out[num_backends_out] = NULL; @@ -320,14 +321,14 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se /** * Return a unique list of security subsystems from those specified in * the OID list. That is, where two OIDs refer to the same module, - * return that module only once. + * return that module only once. * * Use the list of enabled GENSEC mechanisms from the credentials * attached to the gensec_security, and return in our preferred order. */ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, const char **oid_strings, const char *skip) { 
@@ -352,7 +353,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(backends[i], gensec_security)) continue; if (!backends[i]->oid) { @@ -363,31 +364,31 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen continue; } - for (j=0; backends[i]->oid[j]; j++) { + for (j=0; backends[i]->oid[j]; j++) { if (!backends[i]->oid[j] || - !(strcmp(backends[i]->oid[j], + !(strcmp(backends[i]->oid[j], oid_strings[oid_idx]) == 0)) { continue; } - + for (k=0; backends_out[k].op; k++) { if (backends_out[k].op == backends[i]) { break; } } - + if (k < num_backends_out) { /* already in there */ continue; } - backends_out = talloc_realloc(mem_ctx, backends_out, - struct gensec_security_ops_wrapper, + backends_out = talloc_realloc(mem_ctx, backends_out, + struct gensec_security_ops_wrapper, num_backends_out + 2); if (!backends_out) { return NULL; } - + backends_out[num_backends_out].op = backends[i]; backends_out[num_backends_out].oid = backends[i]->oid[j]; num_backends_out++; @@ -404,9 +405,9 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen */ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct gensec_security_ops **ops, - const char *skip) + TALLOC_CTX *mem_ctx, + struct gensec_security_ops **ops, + const char *skip) { int i; int j = 0; 
@@ -419,16 +420,16 @@ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_securi if (!oid_list) { return NULL; } - + for (i=0; ops && ops[i]; i++) { - if (gensec_security != NULL && + if (gensec_security != NULL && !gensec_security_ops_enabled(ops[i], gensec_security)) { continue; } if (!ops[i]->oid) { continue; } - + for (k = 0; ops[i]->oid[k]; k++) { if (skip && strcmp(skip, ops[i]->oid[k])==0) { } else { @@ -450,7 +451,7 @@ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_securi * Return OIDS from the security subsystems listed */ -const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, +const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, const struct gensec_security_ops_wrapper *wops) { int i; @@ -464,12 +465,12 @@ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, if (!oid_list) { return NULL; } - + for (i=0; wops[i].op; i++) { if (!wops[i].op->oid) { continue; } - + for (k = 0; wops[i].op->oid[k]; k++) { oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2); if (!oid_list) { 
@@ -486,35 +487,33 @@ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, /** * Return all the security subsystems currently enabled on a GENSEC context. - * + * * This is taken from a list attached to the cli_credentials, and * skips the OID in 'skip'. (Typically the SPNEGO OID) - * + * */ -const char **gensec_security_oids(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const char *skip) +const char **gensec_security_oids(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const char *skip) { struct gensec_security_ops **ops = gensec_security_mechs(gensec_security, mem_ctx); return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip); } - - /** Start the GENSEC system, returning a context pointer. @param mem_ctx The parent TALLOC memory context. @param gensec_security Returned GENSEC context pointer. @note The mem_ctx is only a parent and may be NULL. @note, the auth context is moved to be a referenced pointer of the - @ gensec_security return + @ gensec_security return */ -static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, +static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct gensec_settings *settings, - struct auth4_context *auth_context, + struct auth4_context *auth_context, struct gensec_security **gensec_security) { if (ev == NULL) { 
@@ -537,16 +536,16 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -/** +/** * Start a GENSEC subcontext, with a copy of the properties of the parent * @param mem_ctx The parent TALLOC memory context. - * @param parent The parent GENSEC context + * @param parent The parent GENSEC context * @param gensec_security Returned GENSEC context pointer. * @note Used by SPNEGO in particular, for the actual implementation mechanism */ -_PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, - struct gensec_security *parent, +_PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, + struct gensec_security *parent, struct gensec_security **gensec_security) { (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security); @@ -572,7 +571,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, @param gensec_security Returned GENSEC context pointer. @note The mem_ctx is only a parent and may be NULL. */ -_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, +_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct tevent_context *ev, struct gensec_settings *settings) @@ -601,7 +600,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, @param gensec_security Returned GENSEC context pointer. @note The mem_ctx is only a parent and may be NULL. */ -_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, +_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct gensec_settings *settings, struct auth4_context *auth_context, 
@@ -628,11 +627,11 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, return status; } -static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) +NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) { NTSTATUS status; - DEBUG(5, ("Starting GENSEC %smechanism %s\n", - gensec_security->subcontext ? "sub" : "", + DEBUG(5, ("Starting GENSEC %smechanism %s\n", + gensec_security->subcontext ? "sub" : "", gensec_security->ops->name)); switch (gensec_security->gensec_role) { case GENSEC_CLIENT: @@ -640,7 +639,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) status = gensec_security->ops->client_start(gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n", - gensec_security->ops->name, nt_errstr(status))); + gensec_security->ops->name, nt_errstr(status))); } return status; } @@ -650,7 +649,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) status = gensec_security->ops->server_start(gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n", - gensec_security->ops->name, nt_errstr(status))); + gensec_security->ops->name, nt_errstr(status))); } return status; } 
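Review bot: `gensec_start_mech` loses its `static` qualifier in the first hunk here but gains no documentation, although it now becomes an interface other translation units can call (the newly included `auth/gensec/gensec_toplevel_proto.h` presumably carries its prototype, if that header is generated from the non-static definitions; if it is hand-written, the prototype still needs adding). The body dereferences `gensec_security->ops->name` in its DEBUG call before switching on `gensec_role`, so the precondition that `ops` is already set should be stated for the new external callers, e.g. `/** Start the mechanism already selected in gensec_security->ops for the current gensec_role; ops must be non-NULL. */` above the definition. The function's body continues past this hunk.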
@@ -659,15 +658,28 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) return NT_STATUS_INVALID_PARAMETER; } -/** - * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number +/** + * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO + * + */ + +NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, + const struct gensec_security_ops *ops) +{ + gensec_security->ops = ops; + return gensec_start_mech(gensec_security); +} + + +/** + * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number * @param gensec_security GENSEC context pointer. * @param auth_type DCERPC auth type - * @param auth_level DCERPC auth level + * @param auth_level DCERPC auth level */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, - uint8_t auth_type, uint8_t auth_level) +_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, + uint8_t auth_type, uint8_t auth_level) { gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type); if (!gensec_security->ops) { @@ -684,7 +696,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) { /* Default features */ } else { - DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n", + DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n", auth_level)); return NT_STATUS_INVALID_PARAMETER; } @@ -692,7 +704,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s return gensec_start_mech(gensec_security); } -_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) +_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) { const struct gensec_security_ops *ops; ops = gensec_security_by_authtype(gensec_security, authtype); 
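Review bot: The relocated `gensec_start_mech_by_ops` in the first hunk here assigns `gensec_security->ops = ops` and calls `gensec_start_mech` with no check on `ops`, whereas the adjacent `gensec_start_mech_by_authtype` tests `if (!gensec_security->ops)` before doing the same, and `gensec_start_mech` dereferences `gensec_security->ops->name` immediately; a NULL `ops` from a caller therefore crashes rather than failing cleanly. Suggest `if (ops == NULL) { return NT_STATUS_INVALID_PARAMETER; }` ahead of the assignment, matching the error the sibling start functions use. The moved doc comment also keeps the typo `mechansim`; it should read `mechanism`.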
@@ -701,10 +713,10 @@ _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_ } return NULL; } - + _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, - const char *oid_string) + const char *oid_string) { const struct gensec_security_ops *ops; ops = gensec_security_by_oid(gensec_security, oid_string); @@ -715,26 +727,14 @@ _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_secur } /** - * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO - * - */ - -NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, - const struct gensec_security_ops *ops) -{ - gensec_security->ops = ops; - return gensec_start_mech(gensec_security); -} - -/** * Start a GENSEC sub-mechanism by OID, used in SPNEGO * * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a * well-known #define to hook it in. */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, - const char *mech_oid) +_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, + const char *mech_oid) { SMB_ASSERT(gensec_security != NULL); @@ -746,13 +746,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_securi return gensec_start_mech(gensec_security); } -/** +/** * Start a GENSEC sub-mechanism by a well know SASL name * */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, - const char *sasl_name) +_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, + const char *sasl_name) { gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name); if (!gensec_security->ops) { 
@@ -762,13 +762,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_ return gensec_start_mech(gensec_security); } -/** +/** * Start a GENSEC sub-mechanism with the preferred option from a SASL name list * */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, - const char **sasl_names) +_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, + const char **sasl_names) { NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER; TALLOC_CTX *mem_ctx = talloc_new(gensec_security); @@ -779,8 +779,8 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_ } ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names); if (!ops || !*ops) { - DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n", - str_list_join(mem_ctx, + DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n", + str_list_join(mem_ctx, sasl_names, ' '))); talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; @@ -795,13 +795,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_ return nt_status; } -/** +/** * Start a GENSEC sub-mechanism by an internal name * */ -_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, - const char *name) +_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, + const char *name) { gensec_security->ops = gensec_security_by_name(gensec_security, name); if (!gensec_security->ops) { 
@@ -811,317 +811,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_secur return gensec_start_mech(gensec_security); } -/* - wrappers for the gensec function pointers -*/ -_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - if (!gensec_security->ops->unseal_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, - data, length, - whole_pdu, pdu_length, - sig); -} - -_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - if (!gensec_security->ops->check_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); -} - -_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - if (!gensec_security->ops->seal_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); -} - -_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - if 
(!gensec_security->ops->sign_packet) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return NT_STATUS_INVALID_PARAMETER; - } - - return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); -} - -_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size) -{ - if (!gensec_security->ops->sig_size) { - return 0; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return 0; - } - - return gensec_security->ops->sig_size(gensec_security, data_size); -} - -size_t gensec_max_wrapped_size(struct gensec_security *gensec_security) -{ - if (!gensec_security->ops->max_wrapped_size) { - return (1 << 17); - } - - return gensec_security->ops->max_wrapped_size(gensec_security); -} - -size_t gensec_max_input_size(struct gensec_security *gensec_security) -{ - if (!gensec_security->ops->max_input_size) { - return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17); - } - - return gensec_security->ops->max_input_size(gensec_security); -} - -_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out) -{ - if (!gensec_security->ops->wrap) { - return NT_STATUS_NOT_IMPLEMENTED; - } - return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out); -} - -_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out) -{ - if (!gensec_security->ops->unwrap) { - return NT_STATUS_NOT_IMPLEMENTED; - } - return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out); -} - -_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, - DATA_BLOB *session_key) -{ - if (!gensec_security->ops->session_key) { - return NT_STATUS_NOT_IMPLEMENTED; - } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) { - return 
NT_STATUS_NO_USER_SESSION_KEY; - } - - return gensec_security->ops->session_key(gensec_security, session_key); -} - -/** - * Return the credentials of a logged on user, including session keys - * etc. - * - * Only valid after a successful authentication - * - * May only be called once per authentication. - * - */ - -_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security, - struct auth_session_info **session_info) -{ - if (!gensec_security->ops->session_info) { - return NT_STATUS_NOT_IMPLEMENTED; - } - return gensec_security->ops->session_info(gensec_security, session_info); -} - /** - * Next state function for the GENSEC state machine - * - * @param gensec_security GENSEC State - * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on - * @param in The request, as a DATA_BLOB - * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx - * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, - * or NT_STATUS_OK if the user is authenticated. 
- */ - -_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) -{ - return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out); -} - -struct gensec_update_state { - struct tevent_immediate *im; - struct gensec_security *gensec_security; - DATA_BLOB in; - DATA_BLOB out; -}; - -static void gensec_update_async_trigger(struct tevent_context *ctx, - struct tevent_immediate *im, - void *private_data); -/** - * Next state function for the GENSEC state machine async version - * - * @param mem_ctx The memory context for the request - * @param ev The event context for the request - * @param gensec_security GENSEC State - * @param in The request, as a DATA_BLOB + * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context * - * @return The request handle or NULL on no memory failure */ -_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct gensec_security *gensec_security, - const DATA_BLOB in) -{ - struct tevent_req *req; - struct gensec_update_state *state = NULL; - - req = tevent_req_create(mem_ctx, &state, - struct gensec_update_state); - if (req == NULL) { - return NULL; - } - - state->gensec_security = gensec_security; - state->in = in; - state->out = data_blob(NULL, 0); - state->im = tevent_create_immediate(state); - if (tevent_req_nomem(state->im, req)) { - return tevent_req_post(req, ev); - } - - tevent_schedule_immediate(state->im, ev, - gensec_update_async_trigger, - req); - - return req; -} - -static void gensec_update_async_trigger(struct tevent_context *ctx, - struct tevent_immediate *im, - void *private_data) -{ - struct tevent_req *req = - talloc_get_type_abort(private_data, struct tevent_req); - struct gensec_update_state *state = - tevent_req_data(req, struct gensec_update_state); - NTSTATUS status; - - status = gensec_update(state->gensec_security, state, - state->in, 
&state->out); - if (tevent_req_nterror(req, status)) { - return; - } - - tevent_req_done(req); -} - -/** - * Next state function for the GENSEC state machine - * - * @param req request state - * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on - * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx - * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, - * or NT_STATUS_OK if the user is authenticated. - */ -_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req, - TALLOC_CTX *out_mem_ctx, - DATA_BLOB *out) -{ - struct gensec_update_state *state = - tevent_req_data(req, struct gensec_update_state); - NTSTATUS status; - - if (tevent_req_is_nterror(req, &status)) { - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - tevent_req_received(req); - return status; - } - } else { - status = NT_STATUS_OK; - } - - *out = state->out; - talloc_steal(out_mem_ctx, out->data); - - tevent_req_received(req); - return status; -} - -/** - * Set the requirement for a certain feature on the connection - * - */ - -_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security, - uint32_t feature) -{ - if (!gensec_security->ops || !gensec_security->ops->want_feature) { - gensec_security->want_features |= feature; - return; - } - gensec_security->ops->want_feature(gensec_security, feature); -} - -/** - * Check the requirement for a certain feature on the connection - * - */ - -_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security, - uint32_t feature) -{ - if (!gensec_security->ops->have_feature) { - return false; - } - - /* We might 'have' features that we don't 'want', because the - * other end demanded them, or we can't neotiate them off */ - return gensec_security->ops->have_feature(gensec_security, feature); -} - -/** - * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context - * - */ - -_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security 
*gensec_security, struct cli_credentials *credentials) +_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials) { gensec_security->credentials = talloc_reference(gensec_security, credentials); NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials); 
@@ -1129,191 +824,6 @@ _PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security return NT_STATUS_OK; } -/** - * Return the credentials structure associated with a GENSEC context - * - */ - -_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security) -{ - if (!gensec_security) { - return NULL; - } - return gensec_security->credentials; -} - -/** - * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed - * - */ - -_PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service) -{ - gensec_security->target.service = talloc_strdup(gensec_security, service); - if (!gensec_security->target.service) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -_PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security) -{ - if (gensec_security->target.service) { - return gensec_security->target.service; - } - - return "host"; -} - -/** - * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed - * - */ - -_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname) -{ - gensec_security->target.hostname = talloc_strdup(gensec_security, hostname); - if (hostname && !gensec_security->target.hostname) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) -{ - /* We allow the target hostname to be overriden for testing purposes */ - if (gensec_security->settings->target_hostname) { - return gensec_security->settings->target_hostname; - } - - if (gensec_security->target.hostname) { - return gensec_security->target.hostname; - } - - /* We could add use the 'set sockaddr' call, and do a reverse - * lookup, but this would be both insecure (compromising the - * way kerberos works) and add DNS timeouts */ - 
return NULL; -} - -/** - * Set (and talloc_reference) local and peer socket addresses onto a socket - * context on the GENSEC context. - * - * This is so that kerberos can include these addresses in - * cryptographic tokens, to avoid certain attacks. - */ - -/** - * @brief Set the local gensec address. - * - * @param gensec_security The gensec security context to use. - * - * @param remote The local address to set. - * - * @return On success NT_STATUS_OK is returned or an NT_STATUS - * error. - */ -_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, - const struct tsocket_address *local) -{ - TALLOC_FREE(gensec_security->local_addr); - - if (local == NULL) { - return NT_STATUS_OK; - } - - gensec_security->local_addr = tsocket_address_copy(local, gensec_security); - if (gensec_security->local_addr == NULL) { - return NT_STATUS_NO_MEMORY; - } - - return NT_STATUS_OK; -} - -/** - * @brief Set the remote gensec address. - * - * @param gensec_security The gensec security context to use. - * - * @param remote The remote address to set. - * - * @return On success NT_STATUS_OK is returned or an NT_STATUS - * error. - */ -_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security, - const struct tsocket_address *remote) -{ - TALLOC_FREE(gensec_security->remote_addr); - - if (remote == NULL) { - return NT_STATUS_OK; - } - - gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security); - if (gensec_security->remote_addr == NULL) { - return NT_STATUS_NO_MEMORY; - } - - return NT_STATUS_OK; -} - -/** - * @brief Get the local address from a gensec security context. - * - * @param gensec_security The security context to get the address from. - * - * @return The address as tsocket_address which could be NULL if - * no address is set. 
- */ -_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security) -{ - if (gensec_security == NULL) { - return NULL; - } - return gensec_security->local_addr; -} - -/** - * @brief Get the remote address from a gensec security context. - * - * @param gensec_security The security context to get the address from. - * - * @return The address as tsocket_address which could be NULL if - * no address is set. - */ -_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security) -{ - if (gensec_security == NULL) { - return NULL; - } - return gensec_security->remote_addr; -} - -/** - * Set the target principal (assuming it it known, say from the SPNEGO reply) - * - ensures it is talloc()ed - * - */ - -_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal) -{ - gensec_security->target.principal = talloc_strdup(gensec_security, principal); - if (!gensec_security->target.principal) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -const char *gensec_get_target_principal(struct gensec_security *gensec_security) -{ - if (gensec_security->target.principal) { - return gensec_security->target.principal; - } - - return NULL; -} - NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, struct auth_user_info_dc *user_info_dc, @@ -1348,7 +858,7 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, } /* - register a GENSEC backend. + register a GENSEC backend. The 'name' can be later used by other backends to find the operations structure for this backend. 
@@ -1357,14 +867,14 @@ NTSTATUS gensec_register(const struct gensec_security_ops *ops) { if (gensec_security_by_name(NULL, ops->name) != NULL) { /* its already registered! */ - DEBUG(0,("GENSEC backend '%s' already registered\n", + DEBUG(0,("GENSEC backend '%s' already registered\n", ops->name)); return NT_STATUS_OBJECT_NAME_COLLISION; } - generic_security_ops = talloc_realloc(talloc_autofree_context(), - generic_security_ops, - struct gensec_security_ops *, + generic_security_ops = talloc_realloc(talloc_autofree_context(), + generic_security_ops, + struct gensec_security_ops *, gensec_num_backends+2); if (!generic_security_ops) { return NT_STATUS_NO_MEMORY; @@ -1374,7 +884,7 @@ NTSTATUS gensec_register(const struct gensec_security_ops *ops) gensec_num_backends++; generic_security_ops[gensec_num_backends] = NULL; - DEBUG(3,("GENSEC backend '%s' registered\n", + DEBUG(3,("GENSEC backend '%s' registered\n", ops->name)); return NT_STATUS_OK; @@ -1423,7 +933,7 @@ _PUBLIC_ NTSTATUS gensec_init(void) if (initialized) return NT_STATUS_OK; initialized = true; - + shared_init = load_samba_modules(NULL, "gensec"); run_init_functions(static_init); @@ -1432,6 +942,6 @@ _PUBLIC_ NTSTATUS gensec_init(void) talloc_free(shared_init); TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec); - + return NT_STATUS_OK; } diff --git a/source4/auth/gensec/gensec_tstream.c b/source4/auth/gensec/gensec_tstream.c index 3bc69ab915..91915b5034 100644 --- a/source4/auth/gensec/gensec_tstream.c +++ b/source4/auth/gensec/gensec_tstream.c @@ -27,7 +27,7 @@ #include "auth/gensec/gensec_tstream.h" #include "lib/tsocket/tsocket.h" #include "lib/tsocket/tsocket_internal.h" - +#include "auth/gensec/gensec_toplevel_proto.h" static const struct tstream_context_ops tstream_gensec_ops; diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h new file mode 100644 index 0000000000..88a32a7490 --- /dev/null +++ b/source4/auth/gensec/schannel.h 
@@ -0,0 +1,26 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ dcerpc schannel operations
+
+ Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct netlogon_creds_CredentialState;
+NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+ struct netlogon_creds_CredentialState **creds);
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 1423423cc0..3611d31a23 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -28,6 +28,7 @@
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
 
 _PUBLIC_ NTSTATUS gensec_spnego_init(void);
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index 42d7dc5fd4..4eed751408 100644
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
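Review bot: The new schannel.h has no include guard and uses `NTSTATUS`, `TALLOC_CTX` and `struct gensec_security` without declaring or including them, so it only compiles when the including file has already pulled those in; it forward-declares `struct netlogon_creds_CredentialState` but not `struct gensec_security`. Adding `struct gensec_security;` beside the existing forward declaration and wrapping the file in an `#ifndef`/`#define`/`#endif` guard (named per the project's header convention) would make it self-contained and safe to include more than once. Whether every includer already brings in the ntstatus and talloc headers cannot be told from this diff. The spnego.c hunk on this line is only an added include and needs no change.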
@@ -1,11 +1,10 @@ #!/usr/bin/env python bld.SAMBA_LIBRARY('gensec', - source='gensec.c socket.c gensec_tstream.c', + source='gensec_start.c socket.c gensec_tstream.c', pc_files='gensec.pc', autoproto='gensec_proto.h', - public_deps='UTIL_TEVENT samba-util errors LIBPACKET auth_system_session', - public_headers='gensec.h', + public_deps='UTIL_TEVENT samba-util errors LIBPACKET auth_system_session gensec_runtime', deps='com_err', vnum='0.0.1' ) |