auth/gensec/gensec.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #ifndef __GENSEC_H__
  24 #define __GENSEC_H__
  25
  26 #include "../lib/util/data_blob.h"
  27 #include "libcli/util/ntstatus.h"
  28
  29 #define GENSEC_SASL_NAME_NTLMSSP "NTLM"
  30
  31 #define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10"
  32 #define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2"
  33 #define GENSEC_OID_KERBEROS5 "1.2.840.113554.1.2.2"
  34 #define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
  35 #define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
  36
  37 enum gensec_priority {
  38         GENSEC_SPNEGO = 90,
  39         GENSEC_GSSAPI = 80,
  40         GENSEC_KRB5 = 70,
  41         GENSEC_SCHANNEL = 60,
  42         GENSEC_NTLMSSP = 50,
  43         GENSEC_SASL = 20,
  44         GENSEC_OTHER = 10,
  45         GENSEC_EXTERNAL = 0
  46 };
  47
  48 struct gensec_security;
  49 struct gensec_target {
  50         const char *principal;
  51         const char *hostname;
  52         const char *service;
  53 };
  54
  55 #define GENSEC_FEATURE_SESSION_KEY      0x00000001
  56 #define GENSEC_FEATURE_SIGN             0x00000002
  57 #define GENSEC_FEATURE_SEAL             0x00000004
  58 #define GENSEC_FEATURE_DCE_STYLE        0x00000008
  59 #define GENSEC_FEATURE_ASYNC_REPLIES    0x00000010
  60 #define GENSEC_FEATURE_DATAGRAM_MODE    0x00000020
  61 #define GENSEC_FEATURE_SIGN_PKT_HEADER  0x00000040
  62 #define GENSEC_FEATURE_NEW_SPNEGO       0x00000080
  63 #define GENSEC_FEATURE_UNIX_TOKEN       0x00000100
  64
  65 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
  66
  67 /* GENSEC mode */
  68 enum gensec_role
  69 {
  70         GENSEC_SERVER,
  71         GENSEC_CLIENT
  72 };
  73
  74 struct auth_session_info;
  75 struct cli_credentials;
  76 struct gensec_settings;
  77 struct tevent_context;
  78 struct tevent_req;
  79 struct smb_krb5_context;
  80 struct tsocket_address;
  81
  82 struct gensec_settings {
  83         struct loadparm_context *lp_ctx;
  84         const char *target_hostname;
  85
  86         /* this allows callers to specify a specific set of ops that
  87          * should be used, rather than those loaded by the plugin
  88          * mechanism */
  89         const struct gensec_security_ops * const *backends;
  90
  91         /* To fill in our own name in the NTLMSSP server */
  92         const char *server_dns_domain;
  93         const char *server_dns_name;
  94         const char *server_netbios_domain;
  95         const char *server_netbios_name;
  96 };
  97
  98 struct gensec_security_ops;
  99 struct gensec_security_ops_wrapper;
 100
 101 #define GENSEC_INTERFACE_VERSION 0
 102
 103 /* this structure is used by backends to determine the size of some critical types */
 104 struct gensec_critical_sizes;
 105 const struct gensec_critical_sizes *gensec_interface_version(void);
 106
 107 /* Socket wrapper */
 108
 109 struct gensec_security;
 110 struct auth4_context;
 111 struct auth_user_info_dc;
 112
 113 struct loadparm_context;
 114
 115 NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
 116                                  struct gensec_security *parent,
 117                                  struct gensec_security **gensec_security);
 118 NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
 119                              struct gensec_security **gensec_security,
 120                              struct gensec_settings *settings);
 121 NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
 122                                   const struct gensec_security_ops *ops);
 123 NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
 124                                                  const char **sasl_names);
 125 void gensec_set_max_update_size(struct gensec_security *gensec_security,
 126                                 uint32_t max_update_size);
 127 size_t gensec_max_update_size(struct gensec_security *gensec_security);
 128 NTSTATUS gensec_update(struct gensec_security *gensec_security,
 129                        TALLOC_CTX *out_mem_ctx,
 130                        const DATA_BLOB in, DATA_BLOB *out);
 131 NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
 132                           TALLOC_CTX *out_mem_ctx,
 133                           struct tevent_context *ev,
 134                           const DATA_BLOB in, DATA_BLOB *out);
 135 struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
 136                                       struct tevent_context *ev,
 137                                       struct gensec_security *gensec_security,
 138                                       const DATA_BLOB in);
 139 NTSTATUS gensec_update_recv(struct tevent_req *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
 140 void gensec_want_feature(struct gensec_security *gensec_security,
 141                          uint32_t feature);
 142 bool gensec_have_feature(struct gensec_security *gensec_security,
 143                          uint32_t feature);
 144 NTTIME gensec_expire_time(struct gensec_security *gensec_security);
 145 NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials);
 146 NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service);
 147 const char *gensec_get_target_service(struct gensec_security *gensec_security);
 148 NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname);
 149 const char *gensec_get_target_hostname(struct gensec_security *gensec_security);
 150 NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 151                             TALLOC_CTX *mem_ctx,
 152                             DATA_BLOB *session_key);
 153 NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
 154                                   const char *mech_oid);
 155 const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
 156 struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
 157 NTSTATUS gensec_init(void);
 158 NTSTATUS gensec_register(const struct gensec_security_ops *ops);
 159 const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
 160                                                          const char *oid_string);
 161 const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
 162                                                                const char *sasl_name);
 163 const struct gensec_security_ops *gensec_security_by_auth_type(
 164                                 struct gensec_security *gensec_security,
 165                                 uint32_t auth_type);
 166 const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
 167                                                    TALLOC_CTX *mem_ctx);
 168 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
 169                                         struct gensec_security *gensec_security,
 170                                         TALLOC_CTX *mem_ctx,
 171                                         const char * const *oid_strings,
 172                                         const char *skip);
 173 const char **gensec_security_oids(struct gensec_security *gensec_security,
 174                                   TALLOC_CTX *mem_ctx,
 175                                   const char *skip);
 176 const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
 177                                 const struct gensec_security_ops_wrapper *wops);
 178 size_t gensec_max_input_size(struct gensec_security *gensec_security);
 179 size_t gensec_max_wrapped_size(struct gensec_security *gensec_security);
 180 NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 181                               uint8_t *data, size_t length,
 182                               const uint8_t *whole_pdu, size_t pdu_length,
 183                               const DATA_BLOB *sig);
 184 NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
 185                              const uint8_t *data, size_t length,
 186                              const uint8_t *whole_pdu, size_t pdu_length,
 187                              const DATA_BLOB *sig);
 188 size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size);
 189 NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 190                             TALLOC_CTX *mem_ctx,
 191                             uint8_t *data, size_t length,
 192                             const uint8_t *whole_pdu, size_t pdu_length,
 193                             DATA_BLOB *sig);
 194 NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
 195                             TALLOC_CTX *mem_ctx,
 196                             const uint8_t *data, size_t length,
 197                             const uint8_t *whole_pdu, size_t pdu_length,
 198                             DATA_BLOB *sig);
 199 NTSTATUS gensec_start_mech(struct gensec_security *gensec_security);
 200 NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
 201                                        uint8_t auth_type, uint8_t auth_level);
 202 const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype);
 203 NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
 204                              struct gensec_settings *settings,
 205                              struct auth4_context *auth_context,
 206                              struct gensec_security **gensec_security);
 207 NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
 208                              TALLOC_CTX *mem_ctx,
 209                              struct auth_session_info **session_info);
 210
 211 NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
 212                 const struct tsocket_address *local);
 213 NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
 214                 const struct tsocket_address *remote);
 215 const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security);
 216 const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security);
 217
 218 NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
 219                                         const char *name);
 220
 221 NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
 222                        TALLOC_CTX *mem_ctx,
 223                        const DATA_BLOB *in,
 224                        DATA_BLOB *out);
 225 NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
 226                      TALLOC_CTX *mem_ctx,
 227                      const DATA_BLOB *in,
 228                      DATA_BLOB *out);
 229
 230 const struct gensec_security_ops * const *gensec_security_all(void);
 231 bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
 232 const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
 233                         const struct gensec_security_ops * const *old_gensec_list,
 234                         struct cli_credentials *creds);
 235
 236 NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
 237                                         const char *sasl_name);
 238
 239 int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
 240 bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
 241
 242 NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
 243 const char *gensec_get_target_principal(struct gensec_security *gensec_security);
 244
 245 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 246                                           struct gensec_security *gensec_security,
 247                                           struct smb_krb5_context *smb_krb5_context,
 248                                           DATA_BLOB *pac_blob,
 249                                           const char *principal_string,
 250                                           const struct tsocket_address *remote_address,
 251                                           struct auth_session_info **session_info);
 252
 253 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
 254                                         const DATA_BLOB *blob);
 255
 256 #endif /* __GENSEC_H__ */