search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4 dns: Update prerequisite checking conforming to RFC
[Samba/gebeck_regimport.git] / auth / gensec / gensec_start.c
blobc38b97050f29c1abfe725d16e70fc1c9dd40cf4d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/network.h"
25 #include "tevent.h"
26 #include "../lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "lib/param/param.h"
31 #include "lib/util/tsort.h"
32 #include "lib/util/samba_modules.h"
33
34 /* the list of currently registered GENSEC backends */
35 static struct gensec_security_ops **generic_security_ops;
36 static int gensec_num_backends;
37
38 /* Return all the registered mechs. Don't modify the return pointer,
39 * but you may talloc_reference it if convient */
40 _PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
41 {
42 return generic_security_ops;
43 }
44
45 bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
46 {
47 return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
48 }
49
50 /* Sometimes we want to force only kerberos, sometimes we want to
51 * force it's avoidance. The old list could be either
52 * gensec_security_all(), or from cli_credentials_gensec_list() (ie,
53 * an existing list we have trimmed down) */
54
55 _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
56 struct gensec_security_ops **old_gensec_list,
57 struct cli_credentials *creds)
58 {
59 struct gensec_security_ops **new_gensec_list;
60 int i, j, num_mechs_in;
61 enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
62
63 if (creds) {
64 use_kerberos = cli_credentials_get_kerberos_state(creds);
65 }
66
67 if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
68 if (!talloc_reference(mem_ctx, old_gensec_list)) {
69 return NULL;
70 }
71 return old_gensec_list;
72 }
73
74 for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
75 /* noop */
76 }
77
78 new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
79 if (!new_gensec_list) {
80 return NULL;
81 }
82
83 j = 0;
84 for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
85 int oid_idx;
86
87 for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
88 if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
89 new_gensec_list[j] = old_gensec_list[i];
90 j++;
91 break;
92 }
93 }
94 switch (use_kerberos) {
95 case CRED_DONT_USE_KERBEROS:
96 if (old_gensec_list[i]->kerberos == false) {
97 new_gensec_list[j] = old_gensec_list[i];
98 j++;
99 }
100 break;
101 case CRED_MUST_USE_KERBEROS:
102 if (old_gensec_list[i]->kerberos == true) {
103 new_gensec_list[j] = old_gensec_list[i];
104 j++;
105 }
106 break;
107 default:
108 /* Can't happen or invalid parameter */
109 return NULL;
110 }
111 }
112 new_gensec_list[j] = NULL;
113
114 return new_gensec_list;
115 }
116
117 struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
118 TALLOC_CTX *mem_ctx)
119 {
120 struct gensec_security_ops **backends;
121 backends = gensec_security_all();
122 if (!gensec_security) {
123 if (!talloc_reference(mem_ctx, backends)) {
124 return NULL;
125 }
126 return backends;
127 } else {
128 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
129 if (!creds) {
130 if (!talloc_reference(mem_ctx, backends)) {
131 return NULL;
132 }
133 return backends;
134 }
135 return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
136 }
137 }
138
139 static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
140 uint8_t auth_type)
141 {
142 int i;
143 struct gensec_security_ops **backends;
144 const struct gensec_security_ops *backend;
145 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
146 if (!mem_ctx) {
147 return NULL;
148 }
149 backends = gensec_security_mechs(gensec_security, mem_ctx);
150 for (i=0; backends && backends[i]; i++) {
151 if (!gensec_security_ops_enabled(backends[i], gensec_security))
152 continue;
153 if (backends[i]->auth_type == auth_type) {
154 backend = backends[i];
155 talloc_free(mem_ctx);
156 return backend;
157 }
158 }
159 talloc_free(mem_ctx);
160
161 return NULL;
162 }
163
164 const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
165 const char *oid_string)
166 {
167 int i, j;
168 struct gensec_security_ops **backends;
169 const struct gensec_security_ops *backend;
170 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
171 if (!mem_ctx) {
172 return NULL;
173 }
174 backends = gensec_security_mechs(gensec_security, mem_ctx);
175 for (i=0; backends && backends[i]; i++) {
176 if (gensec_security != NULL &&
177 !gensec_security_ops_enabled(backends[i],
178 gensec_security))
179 continue;
180 if (backends[i]->oid) {
181 for (j=0; backends[i]->oid[j]; j++) {
182 if (backends[i]->oid[j] &&
183 (strcmp(backends[i]->oid[j], oid_string) == 0)) {
184 backend = backends[i];
185 talloc_free(mem_ctx);
186 return backend;
187 }
188 }
189 }
190 }
191 talloc_free(mem_ctx);
192
193 return NULL;
194 }
195
196 const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
197 const char *sasl_name)
198 {
199 int i;
200 struct gensec_security_ops **backends;
201 const struct gensec_security_ops *backend;
202 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
203 if (!mem_ctx) {
204 return NULL;
205 }
206 backends = gensec_security_mechs(gensec_security, mem_ctx);
207 for (i=0; backends && backends[i]; i++) {
208 if (!gensec_security_ops_enabled(backends[i], gensec_security))
209 continue;
210 if (backends[i]->sasl_name
211 && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
212 backend = backends[i];
213 talloc_free(mem_ctx);
214 return backend;
215 }
216 }
217 talloc_free(mem_ctx);
218
219 return NULL;
220 }
221
222 static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
223 const char *name)
224 {
225 int i;
226 struct gensec_security_ops **backends;
227 const struct gensec_security_ops *backend;
228 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
229 if (!mem_ctx) {
230 return NULL;
231 }
232 backends = gensec_security_mechs(gensec_security, mem_ctx);
233 for (i=0; backends && backends[i]; i++) {
234 if (gensec_security != NULL &&
235 !gensec_security_ops_enabled(backends[i], gensec_security))
236 continue;
237 if (backends[i]->name
238 && (strcmp(backends[i]->name, name) == 0)) {
239 backend = backends[i];
240 talloc_free(mem_ctx);
241 return backend;
242 }
243 }
244 talloc_free(mem_ctx);
245 return NULL;
246 }
247
248 /**
249 * Return a unique list of security subsystems from those specified in
250 * the list of SASL names.
251 *
252 * Use the list of enabled GENSEC mechanisms from the credentials
253 * attached to the gensec_security, and return in our preferred order.
254 */
255
256 const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_security *gensec_security,
257 TALLOC_CTX *mem_ctx,
258 const char **sasl_names)
259 {
260 const struct gensec_security_ops **backends_out;
261 struct gensec_security_ops **backends;
262 int i, k, sasl_idx;
263 int num_backends_out = 0;
264
265 if (!sasl_names) {
266 return NULL;
267 }
268
269 backends = gensec_security_mechs(gensec_security, mem_ctx);
270
271 backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1);
272 if (!backends_out) {
273 return NULL;
274 }
275 backends_out[0] = NULL;
276
277 /* Find backends in our preferred order, by walking our list,
278 * then looking in the supplied list */
279 for (i=0; backends && backends[i]; i++) {
280 if (gensec_security != NULL &&
281 !gensec_security_ops_enabled(backends[i], gensec_security))
282 continue;
283 for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
284 if (!backends[i]->sasl_name ||
285 !(strcmp(backends[i]->sasl_name,
286 sasl_names[sasl_idx]) == 0)) {
287 continue;
288 }
289
290 for (k=0; backends_out[k]; k++) {
291 if (backends_out[k] == backends[i]) {
292 break;
293 }
294 }
295
296 if (k < num_backends_out) {
297 /* already in there */
298 continue;
299 }
300
301 backends_out = talloc_realloc(mem_ctx, backends_out,
302 const struct gensec_security_ops *,
303 num_backends_out + 2);
304 if (!backends_out) {
305 return NULL;
306 }
307
308 backends_out[num_backends_out] = backends[i];
309 num_backends_out++;
310 backends_out[num_backends_out] = NULL;
311 }
312 }
313 return backends_out;
314 }
315
316 /**
317 * Return a unique list of security subsystems from those specified in
318 * the OID list. That is, where two OIDs refer to the same module,
319 * return that module only once.
320 *
321 * Use the list of enabled GENSEC mechanisms from the credentials
322 * attached to the gensec_security, and return in our preferred order.
323 */
324
325 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gensec_security *gensec_security,
326 TALLOC_CTX *mem_ctx,
327 const char **oid_strings,
328 const char *skip)
329 {
330 struct gensec_security_ops_wrapper *backends_out;
331 struct gensec_security_ops **backends;
332 int i, j, k, oid_idx;
333 int num_backends_out = 0;
334
335 if (!oid_strings) {
336 return NULL;
337 }
338
339 backends = gensec_security_mechs(gensec_security, gensec_security);
340
341 backends_out = talloc_array(mem_ctx, struct gensec_security_ops_wrapper, 1);
342 if (!backends_out) {
343 return NULL;
344 }
345 backends_out[0].op = NULL;
346 backends_out[0].oid = NULL;
347
348 /* Find backends in our preferred order, by walking our list,
349 * then looking in the supplied list */
350 for (i=0; backends && backends[i]; i++) {
351 if (gensec_security != NULL &&
352 !gensec_security_ops_enabled(backends[i], gensec_security))
353 continue;
354 if (!backends[i]->oid) {
355 continue;
356 }
357 for (oid_idx = 0; oid_strings[oid_idx]; oid_idx++) {
358 if (strcmp(oid_strings[oid_idx], skip) == 0) {
359 continue;
360 }
361
362 for (j=0; backends[i]->oid[j]; j++) {
363 if (!backends[i]->oid[j] ||
364 !(strcmp(backends[i]->oid[j],
365 oid_strings[oid_idx]) == 0)) {
366 continue;
367 }
368
369 for (k=0; backends_out[k].op; k++) {
370 if (backends_out[k].op == backends[i]) {
371 break;
372 }
373 }
374
375 if (k < num_backends_out) {
376 /* already in there */
377 continue;
378 }
379
380 backends_out = talloc_realloc(mem_ctx, backends_out,
381 struct gensec_security_ops_wrapper,
382 num_backends_out + 2);
383 if (!backends_out) {
384 return NULL;
385 }
386
387 backends_out[num_backends_out].op = backends[i];
388 backends_out[num_backends_out].oid = backends[i]->oid[j];
389 num_backends_out++;
390 backends_out[num_backends_out].op = NULL;
391 backends_out[num_backends_out].oid = NULL;
392 }
393 }
394 }
395 return backends_out;
396 }
397
398 /**
399 * Return OIDS from the security subsystems listed
400 */
401
402 const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security,
403 TALLOC_CTX *mem_ctx,
404 struct gensec_security_ops **ops,
405 const char *skip)
406 {
407 int i;
408 int j = 0;
409 int k;
410 const char **oid_list;
411 if (!ops) {
412 return NULL;
413 }
414 oid_list = talloc_array(mem_ctx, const char *, 1);
415 if (!oid_list) {
416 return NULL;
417 }
418
419 for (i=0; ops && ops[i]; i++) {
420 if (gensec_security != NULL &&
421 !gensec_security_ops_enabled(ops[i], gensec_security)) {
422 continue;
423 }
424 if (!ops[i]->oid) {
425 continue;
426 }
427
428 for (k = 0; ops[i]->oid[k]; k++) {
429 if (skip && strcmp(skip, ops[i]->oid[k])==0) {
430 } else {
431 oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
432 if (!oid_list) {
433 return NULL;
434 }
435 oid_list[j] = ops[i]->oid[k];
436 j++;
437 }
438 }
439 }
440 oid_list[j] = NULL;
441 return oid_list;
442 }
443
444
445 /**
446 * Return OIDS from the security subsystems listed
447 */
448
449 const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
450 const struct gensec_security_ops_wrapper *wops)
451 {
452 int i;
453 int j = 0;
454 int k;
455 const char **oid_list;
456 if (!wops) {
457 return NULL;
458 }
459 oid_list = talloc_array(mem_ctx, const char *, 1);
460 if (!oid_list) {
461 return NULL;
462 }
463
464 for (i=0; wops[i].op; i++) {
465 if (!wops[i].op->oid) {
466 continue;
467 }
468
469 for (k = 0; wops[i].op->oid[k]; k++) {
470 oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
471 if (!oid_list) {
472 return NULL;
473 }
474 oid_list[j] = wops[i].op->oid[k];
475 j++;
476 }
477 }
478 oid_list[j] = NULL;
479 return oid_list;
480 }
481
482
483 /**
484 * Return all the security subsystems currently enabled on a GENSEC context.
485 *
486 * This is taken from a list attached to the cli_credentials, and
487 * skips the OID in 'skip'. (Typically the SPNEGO OID)
488 *
489 */
490
491 const char **gensec_security_oids(struct gensec_security *gensec_security,
492 TALLOC_CTX *mem_ctx,
493 const char *skip)
494 {
495 struct gensec_security_ops **ops
496 = gensec_security_mechs(gensec_security, mem_ctx);
497 return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
498 }
499
500 /**
501 Start the GENSEC system, returning a context pointer.
502 @param mem_ctx The parent TALLOC memory context.
503 @param gensec_security Returned GENSEC context pointer.
504 @note The mem_ctx is only a parent and may be NULL.
505 @note, the auth context is moved to be a referenced pointer of the
506 @ gensec_security return
507 */
508 static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
509 struct gensec_settings *settings,
510 struct auth4_context *auth_context,
511 struct gensec_security **gensec_security)
512 {
513 (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
514 NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
515
516 SMB_ASSERT(settings->lp_ctx != NULL);
517 (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
518
519 /* We need to reference this, not steal, as the caller may be
520 * python, which won't like it if we steal it's object away
521 * from it */
522 (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
523
524 return NT_STATUS_OK;
525 }
526
527 /**
528 * Start a GENSEC subcontext, with a copy of the properties of the parent
529 * @param mem_ctx The parent TALLOC memory context.
530 * @param parent The parent GENSEC context
531 * @param gensec_security Returned GENSEC context pointer.
532 * @note Used by SPNEGO in particular, for the actual implementation mechanism
533 */
534
535 _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
536 struct gensec_security *parent,
537 struct gensec_security **gensec_security)
538 {
539 (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
540 NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
541
542 (**gensec_security) = *parent;
543 (*gensec_security)->ops = NULL;
544 (*gensec_security)->private_data = NULL;
545
546 (*gensec_security)->subcontext = true;
547 (*gensec_security)->want_features = parent->want_features;
548 (*gensec_security)->dcerpc_auth_level = parent->dcerpc_auth_level;
549 (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
550 (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
551 (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
552
553 return NT_STATUS_OK;
554 }
555
556 /**
557 Start the GENSEC system, in client mode, returning a context pointer.
558 @param mem_ctx The parent TALLOC memory context.
559 @param gensec_security Returned GENSEC context pointer.
560 @note The mem_ctx is only a parent and may be NULL.
561 */
562 _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
563 struct gensec_security **gensec_security,
564 struct gensec_settings *settings)
565 {
566 NTSTATUS status;
567
568 if (settings == NULL) {
569 DEBUG(0,("gensec_client_start: no settings given!\n"));
570 return NT_STATUS_INTERNAL_ERROR;
571 }
572
573 status = gensec_start(mem_ctx, settings, NULL, gensec_security);
574 if (!NT_STATUS_IS_OK(status)) {
575 return status;
576 }
577 (*gensec_security)->gensec_role = GENSEC_CLIENT;
578
579 return status;
580 }
581
582
583
584 /**
585 Start the GENSEC system, in server mode, returning a context pointer.
586 @param mem_ctx The parent TALLOC memory context.
587 @param gensec_security Returned GENSEC context pointer.
588 @note The mem_ctx is only a parent and may be NULL.
589 */
590 _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
591 struct gensec_settings *settings,
592 struct auth4_context *auth_context,
593 struct gensec_security **gensec_security)
594 {
595 NTSTATUS status;
596
597 if (!settings) {
598 DEBUG(0,("gensec_server_start: no settings given!\n"));
599 return NT_STATUS_INTERNAL_ERROR;
600 }
601
602 status = gensec_start(mem_ctx, settings, auth_context, gensec_security);
603 if (!NT_STATUS_IS_OK(status)) {
604 return status;
605 }
606 (*gensec_security)->gensec_role = GENSEC_SERVER;
607
608 return status;
609 }
610
611 NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
612 {
613 NTSTATUS status;
614 DEBUG(5, ("Starting GENSEC %smechanism %s\n",
615 gensec_security->subcontext ? "sub" : "",
616 gensec_security->ops->name));
617 switch (gensec_security->gensec_role) {
618 case GENSEC_CLIENT:
619 if (gensec_security->ops->client_start) {
620 status = gensec_security->ops->client_start(gensec_security);
621 if (!NT_STATUS_IS_OK(status)) {
622 DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n",
623 gensec_security->ops->name, nt_errstr(status)));
624 }
625 return status;
626 }
627 break;
628 case GENSEC_SERVER:
629 if (gensec_security->ops->server_start) {
630 status = gensec_security->ops->server_start(gensec_security);
631 if (!NT_STATUS_IS_OK(status)) {
632 DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n",
633 gensec_security->ops->name, nt_errstr(status)));
634 }
635 return status;
636 }
637 break;
638 }
639 return NT_STATUS_INVALID_PARAMETER;
640 }
641
642 /**
643 * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
644 *
645 */
646
647 NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
648 const struct gensec_security_ops *ops)
649 {
650 gensec_security->ops = ops;
651 return gensec_start_mech(gensec_security);
652 }
653
654
655 /**
656 * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number
657 * @param gensec_security GENSEC context pointer.
658 * @param auth_type DCERPC auth type
659 * @param auth_level DCERPC auth level
660 */
661
662 _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
663 uint8_t auth_type, uint8_t auth_level)
664 {
665 gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
666 if (!gensec_security->ops) {
667 DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
668 return NT_STATUS_INVALID_PARAMETER;
669 }
670 gensec_security->dcerpc_auth_level = auth_level;
671 gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
672 gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
673 if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
674 gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
675 } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
676 gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
677 gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
678 } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
679 /* Default features */
680 } else {
681 DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
682 auth_level));
683 return NT_STATUS_INVALID_PARAMETER;
684 }
685
686 return gensec_start_mech(gensec_security);
687 }
688
689 _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
690 {
691 const struct gensec_security_ops *ops;
692 ops = gensec_security_by_authtype(gensec_security, authtype);
693 if (ops) {
694 return ops->name;
695 }
696 return NULL;
697 }
698
699
700 _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
701 const char *oid_string)
702 {
703 const struct gensec_security_ops *ops;
704 ops = gensec_security_by_oid(gensec_security, oid_string);
705 if (ops) {
706 return ops->name;
707 }
708 return oid_string;
709 }
710
711 /**
712 * Start a GENSEC sub-mechanism by OID, used in SPNEGO
713 *
714 * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a
715 * well-known #define to hook it in.
716 */
717
718 _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
719 const char *mech_oid)
720 {
721 SMB_ASSERT(gensec_security != NULL);
722
723 gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid);
724 if (!gensec_security->ops) {
725 DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
726 return NT_STATUS_INVALID_PARAMETER;
727 }
728 return gensec_start_mech(gensec_security);
729 }
730
731 /**
732 * Start a GENSEC sub-mechanism by a well know SASL name
733 *
734 */
735
736 _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
737 const char *sasl_name)
738 {
739 gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name);
740 if (!gensec_security->ops) {
741 DEBUG(3, ("Could not find GENSEC backend for sasl_name=%s\n", sasl_name));
742 return NT_STATUS_INVALID_PARAMETER;
743 }
744 return gensec_start_mech(gensec_security);
745 }
746
747 /**
748 * Start a GENSEC sub-mechanism with the preferred option from a SASL name list
749 *
750 */
751
752 _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
753 const char **sasl_names)
754 {
755 NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
756 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
757 const struct gensec_security_ops **ops;
758 int i;
759 if (!mem_ctx) {
760 return NT_STATUS_NO_MEMORY;
761 }
762 ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names);
763 if (!ops || !*ops) {
764 DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n",
765 str_list_join(mem_ctx,
766 sasl_names, ' ')));
767 talloc_free(mem_ctx);
768 return NT_STATUS_INVALID_PARAMETER;
769 }
770 for (i=0; ops[i]; i++) {
771 nt_status = gensec_start_mech_by_ops(gensec_security, ops[i]);
772 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
773 break;
774 }
775 }
776 talloc_free(mem_ctx);
777 return nt_status;
778 }
779
780 /**
781 * Start a GENSEC sub-mechanism by an internal name
782 *
783 */
784
785 _PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
786 const char *name)
787 {
788 gensec_security->ops = gensec_security_by_name(gensec_security, name);
789 if (!gensec_security->ops) {
790 DEBUG(3, ("Could not find GENSEC backend for name=%s\n", name));
791 return NT_STATUS_INVALID_PARAMETER;
792 }
793 return gensec_start_mech(gensec_security);
794 }
795
796 /**
797 * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context
798 *
799 */
800
801 _PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials)
802 {
803 gensec_security->credentials = talloc_reference(gensec_security, credentials);
804 NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials);
805 gensec_want_feature(gensec_security, cli_credentials_get_gensec_features(gensec_security->credentials));
806 return NT_STATUS_OK;
807 }
808
809 /*
810 register a GENSEC backend.
811
812 The 'name' can be later used by other backends to find the operations
813 structure for this backend.
814 */
815 NTSTATUS gensec_register(const struct gensec_security_ops *ops)
816 {
817 if (gensec_security_by_name(NULL, ops->name) != NULL) {
818 /* its already registered! */
819 DEBUG(0,("GENSEC backend '%s' already registered\n",
820 ops->name));
821 return NT_STATUS_OBJECT_NAME_COLLISION;
822 }
823
824 generic_security_ops = talloc_realloc(talloc_autofree_context(),
825 generic_security_ops,
826 struct gensec_security_ops *,
827 gensec_num_backends+2);
828 if (!generic_security_ops) {
829 return NT_STATUS_NO_MEMORY;
830 }
831
832 generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
833 gensec_num_backends++;
834 generic_security_ops[gensec_num_backends] = NULL;
835
836 DEBUG(3,("GENSEC backend '%s' registered\n",
837 ops->name));
838
839 return NT_STATUS_OK;
840 }
841
842 /*
843 return the GENSEC interface version, and the size of some critical types
844 This can be used by backends to either detect compilation errors, or provide
845 multiple implementations for different smbd compilation options in one module
846 */
847 const struct gensec_critical_sizes *gensec_interface_version(void)
848 {
849 static const struct gensec_critical_sizes critical_sizes = {
850 GENSEC_INTERFACE_VERSION,
851 sizeof(struct gensec_security_ops),
852 sizeof(struct gensec_security),
853 };
854
855 return &critical_sizes;
856 }
857
858 static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
859 return (*gs2)->priority - (*gs1)->priority;
860 }
861
862 int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
863 {
864 return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
865 }
866
867 bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
868 {
869 return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
870 }
871
872 /*
873 initialise the GENSEC subsystem
874 */
875 _PUBLIC_ NTSTATUS gensec_init(void)
876 {
877 static bool initialized = false;
878 #define _MODULE_PROTO(init) extern NTSTATUS init(void);
879 #ifdef STATIC_gensec_MODULES
880 STATIC_gensec_MODULES_PROTO;
881 init_module_fn static_init[] = { STATIC_gensec_MODULES };
882 #else
883 init_module_fn *static_init = NULL;
884 #endif
885 init_module_fn *shared_init;
886
887 if (initialized) return NT_STATUS_OK;
888 initialized = true;
889
890 shared_init = load_samba_modules(NULL, "gensec");
891
892 run_init_functions(static_init);
893 run_init_functions(shared_init);
894
895 talloc_free(shared_init);
896
897 TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
898
899 return NT_STATUS_OK;
900 }
reg import