~zulcss/samba/server-dailies-3.4


Viewing changes to source4/auth/gensec/gensec.h

  • Committer: Chuck Short
  • Date: 2010-09-28 20:38:39 UTC
  • Revision ID: zulcss@ubuntu.com-20100928203839-pgjulytsi9ue63x1
Initial version

 
1
/* 
 
2
   Unix SMB/CIFS implementation.
 
3
 
 
4
   Generic Authentication Interface
 
5
 
 
6
   Copyright (C) Andrew Tridgell 2003
 
7
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
 
8
   
 
9
   This program is free software; you can redistribute it and/or modify
 
10
   it under the terms of the GNU General Public License as published by
 
11
   the Free Software Foundation; either version 3 of the License, or
 
12
   (at your option) any later version.
 
13
   
 
14
   This program is distributed in the hope that it will be useful,
 
15
   but WITHOUT ANY WARRANTY; without even the implied warranty of
 
16
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
17
   GNU General Public License for more details.
 
18
   
 
19
   You should have received a copy of the GNU General Public License
 
20
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
21
*/
 
22
 
 
23
#ifndef __GENSEC_H__
 
24
#define __GENSEC_H__
 
25
 
 
26
#include "../lib/util/data_blob.h"
 
27
#include "libcli/util/ntstatus.h"
 
28
 
 
29
#define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10"
 
30
#define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2"
 
31
#define GENSEC_OID_KERBEROS5 "1.2.840.113554.1.2.2"
 
32
#define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
 
33
#define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
 
34
 
 
35
enum gensec_priority {
 
36
        GENSEC_SPNEGO = 90,
 
37
        GENSEC_GSSAPI = 80,
 
38
        GENSEC_KRB5 = 70,
 
39
        GENSEC_SCHANNEL = 60,
 
40
        GENSEC_NTLMSSP = 50,
 
41
        GENSEC_SASL = 20,
 
42
        GENSEC_OTHER = 0
 
43
};
 
44
 
 
45
struct gensec_security;
 
46
struct gensec_target {
 
47
        const char *principal;
 
48
        const char *hostname;
 
49
        const char *service;
 
50
};
 
51
 
 
52
#define GENSEC_FEATURE_SESSION_KEY      0x00000001
 
53
#define GENSEC_FEATURE_SIGN             0x00000002
 
54
#define GENSEC_FEATURE_SEAL             0x00000004
 
55
#define GENSEC_FEATURE_DCE_STYLE        0x00000008
 
56
#define GENSEC_FEATURE_ASYNC_REPLIES    0x00000010
 
57
#define GENSEC_FEATURE_DATAGRAM_MODE    0x00000020
 
58
#define GENSEC_FEATURE_SIGN_PKT_HEADER  0x00000040
 
59
#define GENSEC_FEATURE_NEW_SPNEGO       0x00000080
 
60
 
 
61
/* GENSEC mode */
 
62
enum gensec_role
 
63
{
 
64
        GENSEC_SERVER,
 
65
        GENSEC_CLIENT
 
66
};
 
67
 
 
68
struct auth_session_info;
 
69
struct cli_credentials;
 
70
struct gensec_settings;
 
71
struct tevent_context;
 
72
 
 
73
struct gensec_update_request {
 
74
        struct gensec_security *gensec_security;
 
75
        void *private_data;
 
76
        DATA_BLOB in;
 
77
        DATA_BLOB out;
 
78
        NTSTATUS status;
 
79
        struct {
 
80
                void (*fn)(struct gensec_update_request *req, void *private_data);
 
81
                void *private_data;
 
82
        } callback;
 
83
};
 
84
 
 
85
struct gensec_settings {
 
86
        struct loadparm_context *lp_ctx;
 
87
        struct smb_iconv_convenience *iconv_convenience;
 
88
        const char *target_hostname;
 
89
};
 
90
 
 
91
struct gensec_security_ops {
 
92
        const char *name;
 
93
        const char *sasl_name;
 
94
        uint8_t auth_type;  /* 0 if not offered on DCE-RPC */
 
95
        const char **oid;  /* NULL if not offered by SPNEGO */
 
96
        NTSTATUS (*client_start)(struct gensec_security *gensec_security);
 
97
        NTSTATUS (*server_start)(struct gensec_security *gensec_security);
 
98
        /**
 
99
           Determine if a packet has the right 'magic' for this mechanism
 
100
        */
 
101
        NTSTATUS (*magic)(struct gensec_security *gensec_security, 
 
102
                          const DATA_BLOB *first_packet);
 
103
        NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 
104
                           const DATA_BLOB in, DATA_BLOB *out);
 
105
        NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
 
106
                                uint8_t *data, size_t length, 
 
107
                                const uint8_t *whole_pdu, size_t pdu_length, 
 
108
                                DATA_BLOB *sig);
 
109
        NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
 
110
                                const uint8_t *data, size_t length, 
 
111
                                const uint8_t *whole_pdu, size_t pdu_length, 
 
112
                                DATA_BLOB *sig);
 
113
        size_t   (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
 
114
        size_t   (*max_input_size)(struct gensec_security *gensec_security);
 
115
        size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
 
116
        NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, 
 
117
                                 const uint8_t *data, size_t length, 
 
118
                                 const uint8_t *whole_pdu, size_t pdu_length, 
 
119
                                 const DATA_BLOB *sig);
 
120
        NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
 
121
                                  uint8_t *data, size_t length, 
 
122
                                  const uint8_t *whole_pdu, size_t pdu_length, 
 
123
                                  const DATA_BLOB *sig);
 
124
        NTSTATUS (*wrap)(struct gensec_security *gensec_security, 
 
125
                                  TALLOC_CTX *mem_ctx, 
 
126
                                  const DATA_BLOB *in, 
 
127
                                  DATA_BLOB *out); 
 
128
        NTSTATUS (*unwrap)(struct gensec_security *gensec_security, 
 
129
                           TALLOC_CTX *mem_ctx, 
 
130
                           const DATA_BLOB *in, 
 
131
                           DATA_BLOB *out); 
 
132
        NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security, 
 
133
                                 TALLOC_CTX *mem_ctx, 
 
134
                                 const DATA_BLOB *in, 
 
135
                                 DATA_BLOB *out,
 
136
                                 size_t *len_processed); 
 
137
        NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security, 
 
138
                                   TALLOC_CTX *mem_ctx, 
 
139
                                   const DATA_BLOB *in, 
 
140
                                   DATA_BLOB *out,
 
141
                                   size_t *len_processed); 
 
142
        NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
 
143
                                        DATA_BLOB blob, size_t *size);
 
144
        NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key);
 
145
        NTSTATUS (*session_info)(struct gensec_security *gensec_security, 
 
146
                                 struct auth_session_info **session_info); 
 
147
        void (*want_feature)(struct gensec_security *gensec_security,
 
148
                                    uint32_t feature);
 
149
        bool (*have_feature)(struct gensec_security *gensec_security,
 
150
                                    uint32_t feature); 
 
151
        bool enabled;
 
152
        bool kerberos;
 
153
        enum gensec_priority priority;
 
154
};
 
155
        
 
156
struct gensec_security_ops_wrapper {
 
157
        const struct gensec_security_ops *op;
 
158
        const char *oid;
 
159
};
 
160
 
 
161
#define GENSEC_INTERFACE_VERSION 0
 
162
 
 
163
struct gensec_security {
 
164
        const struct gensec_security_ops *ops;
 
165
        void *private_data;
 
166
        struct cli_credentials *credentials;
 
167
        struct gensec_target target;
 
168
        enum gensec_role gensec_role;
 
169
        bool subcontext;
 
170
        uint32_t want_features;
 
171
        struct tevent_context *event_ctx;
 
172
        struct socket_address *my_addr, *peer_addr;
 
173
        struct gensec_settings *settings;
 
174
        
 
175
        /* When we are a server, this may be filled in to provide an
 
176
         * NTLM authentication backend, and user lookup (such as if no
 
177
         * PAC is found) */
 
178
        struct auth_context *auth_context;
 
179
};
 
180
 
 
181
/* this structure is used by backends to determine the size of some critical types */
 
182
struct gensec_critical_sizes {
 
183
        int interface_version;
 
184
        int sizeof_gensec_security_ops;
 
185
        int sizeof_gensec_security;
 
186
};
 
187
 
 
188
/* Socket wrapper */
 
189
 
 
190
struct gensec_security;
 
191
struct socket_context;
 
192
struct auth_context;
 
193
 
 
194
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
 
195
                            TALLOC_CTX *mem_ctx, 
 
196
                            struct socket_context *current_socket,
 
197
                            struct tevent_context *ev,
 
198
                            void (*recv_handler)(void *, uint16_t),
 
199
                            void *recv_private,
 
200
                            struct socket_context **new_socket);
 
201
/* These functions are for use here only (public because SPNEGO must
 
202
 * use them for recursion) */
 
203
NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security, 
 
204
                             TALLOC_CTX *mem_ctx, 
 
205
                             const DATA_BLOB *in, 
 
206
                             DATA_BLOB *out,
 
207
                             size_t *len_processed);
 
208
/* These functions are for use here only (public because SPNEGO must
 
209
 * use them for recursion) */
 
210
NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security, 
 
211
                               TALLOC_CTX *mem_ctx, 
 
212
                               const DATA_BLOB *in, 
 
213
                               DATA_BLOB *out,
 
214
                               size_t *len_processed);
 
215
 
 
216
/* These functions are for use here only (public because SPNEGO must
 
217
 * use them for recursion) */
 
218
NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
 
219
                                    DATA_BLOB blob, size_t *size);
 
220
 
 
221
struct loadparm_context;
 
222
 
 
223
NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, 
 
224
                                 struct gensec_security *parent, 
 
225
                                 struct gensec_security **gensec_security);
 
226
NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, 
 
227
                             struct gensec_security **gensec_security,
 
228
                             struct tevent_context *ev,
 
229
                             struct gensec_settings *settings);
 
230
NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, 
 
231
                                                 const char **sasl_names);
 
232
NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, 
 
233
                       const DATA_BLOB in, DATA_BLOB *out);
 
234
void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
 
235
                                 void (*callback)(struct gensec_update_request *req, void *private_data),
 
236
                                 void *private_data);
 
237
NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
 
238
void gensec_want_feature(struct gensec_security *gensec_security,
 
239
                         uint32_t feature);
 
240
bool gensec_have_feature(struct gensec_security *gensec_security,
 
241
                         uint32_t feature);
 
242
NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials);
 
243
NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service);
 
244
const char *gensec_get_target_service(struct gensec_security *gensec_security);
 
245
NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname);
 
246
const char *gensec_get_target_hostname(struct gensec_security *gensec_security);
 
247
NTSTATUS gensec_session_key(struct gensec_security *gensec_security, 
 
248
                            DATA_BLOB *session_key);
 
249
NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, 
 
250
                                  const char *mech_oid);
 
251
const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
 
252
struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
 
253
struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security);
 
254
NTSTATUS gensec_init(struct loadparm_context *lp_ctx);
 
255
NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, 
 
256
                              TALLOC_CTX *mem_ctx, 
 
257
                              uint8_t *data, size_t length, 
 
258
                              const uint8_t *whole_pdu, size_t pdu_length, 
 
259
                              const DATA_BLOB *sig);
 
260
NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, 
 
261
                             TALLOC_CTX *mem_ctx, 
 
262
                             const uint8_t *data, size_t length, 
 
263
                             const uint8_t *whole_pdu, size_t pdu_length, 
 
264
                             const DATA_BLOB *sig);
 
265
size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size);
 
266
NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, 
 
267
                            TALLOC_CTX *mem_ctx, 
 
268
                            uint8_t *data, size_t length, 
 
269
                            const uint8_t *whole_pdu, size_t pdu_length, 
 
270
                            DATA_BLOB *sig);
 
271
NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, 
 
272
                            TALLOC_CTX *mem_ctx, 
 
273
                            const uint8_t *data, size_t length, 
 
274
                            const uint8_t *whole_pdu, size_t pdu_length, 
 
275
                            DATA_BLOB *sig);
 
276
NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, 
 
277
                                       uint8_t auth_type, uint8_t auth_level);
 
278
const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype);
 
279
NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, 
 
280
                             struct tevent_context *ev,
 
281
                             struct gensec_settings *settings,
 
282
                             struct auth_context *auth_context,
 
283
                             struct gensec_security **gensec_security);
 
284
NTSTATUS gensec_session_info(struct gensec_security *gensec_security, 
 
285
                             struct auth_session_info **session_info);
 
286
NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
 
287
struct creds_CredentialState;
 
288
NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 
289
                               TALLOC_CTX *mem_ctx,
 
290
                               struct creds_CredentialState **creds);
 
291
NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr);
 
292
NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr);
 
293
 
 
294
NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, 
 
295
                                        const char *name);
 
296
 
 
297
NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, 
 
298
                       TALLOC_CTX *mem_ctx, 
 
299
                       const DATA_BLOB *in, 
 
300
                       DATA_BLOB *out);
 
301
NTSTATUS gensec_wrap(struct gensec_security *gensec_security, 
 
302
                     TALLOC_CTX *mem_ctx, 
 
303
                     const DATA_BLOB *in, 
 
304
                     DATA_BLOB *out);
 
305
 
 
306
struct gensec_security_ops **gensec_security_all(void);
 
307
bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct loadparm_context *lp_ctx);
 
308
struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, 
 
309
                                                       struct gensec_security_ops **old_gensec_list, 
 
310
                                                       struct cli_credentials *creds);
 
311
 
 
312
NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, 
 
313
                                        const char *sasl_name);
 
314
 
 
315
int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
 
316
bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
 
317
 
 
318
#endif /* __GENSEC_H__ */
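Review bot: The `GENSEC_FEATURE_SIGN`/`GENSEC_FEATURE_SEAL` bits and the `gensec_want_feature()`/`gensec_have_feature()` pair carry no comment describing their contract, and that contract is the security-critical part of this interface: `gensec_want_feature()` returns void, so it can only record a request, while `gensec_have_feature()` is the only call in the header that reports what the negotiated mechanism actually provides. A caller that asks for integrity or confidentiality and never makes the second check is presumably exposed to a downgrade by a peer that declines signing or sealing, which is why the two calls appear to be separate, but nothing here says so. I would add above the `#define GENSEC_FEATURE_SESSION_KEY` line: `/* Feature bits. gensec_want_feature() only records a request; once gensec_update() has completed, callers that rely on SIGN or SEAL must confirm them with gensec_have_feature() before treating the channel as protected. */`. Likewise `gensec_session_key()` returns key material in a `DATA_BLOB` but takes no memory context, so ownership and lifetime of that secret are undocumented; a one-line comment stating who frees it (and that callers should not keep extra copies) would help, with the actual talloc parent to be confirmed against the implementation.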