Unix SMB/CIFS implementation.
Generic Authentication Interface
Copyright (C) Andrew Tridgell 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
#include "../lib/util/data_blob.h"
#include "libcli/util/ntstatus.h"
/* GSS-API mechanism OIDs as dotted-decimal strings; a backend advertises
 * the ones it implements through gensec_security_ops.oid.  NTLMSSP sits
 * under the Microsoft enterprise arc (1.3.6.1.4.1.311). */
#define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10"
/* SPNEGO pseudo-mechanism (RFC 4178).  It negotiates one of the other
 * mechanisms rather than authenticating by itself, which is why the
 * gensec_*_packets helpers below are exported "for recursion". */
#define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2"
/* Kerberos V5 GSS-API mechanism (RFC 1964). */
#define GENSEC_OID_KERBEROS5 "1.2.840.113554.1.2.2"
/* The "MS KRB5" OID historically advertised by Windows in place of the
 * registered Kerberos V5 OID above.  NOTE(review): whether it is treated
 * as an alias of GENSEC_OID_KERBEROS5 is decided in the backend, not here. */
#define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
/* Kerberos V5 user-to-user variant: the Kerberos V5 arc with a trailing .3. */
#define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
enum gensec_priority {
struct gensec_security;
struct gensec_target {
const char *principal;
/* GENSEC_FEATURE_* are single-bit flags for the uint32_t want_features
 * field of struct gensec_security: requested with gensec_want_feature(),
 * queried with gensec_have_feature().
 * NOTE(review): a request is not a guarantee — the negotiated mechanism may
 * not provide a feature, so callers that depend on one should confirm it
 * with gensec_have_feature() after the handshake before trusting traffic.
 * SESSION_KEY: the caller intends to retrieve gensec_session_key(). */
#define GENSEC_FEATURE_SESSION_KEY 0x00000001
/* Integrity protection: the sign_packet()/check_packet() ops will be used. */
#define GENSEC_FEATURE_SIGN 0x00000002
/* Confidentiality: the seal_packet()/unseal_packet() ops will be used. */
#define GENSEC_FEATURE_SEAL 0x00000004
/* NOTE(review): name suggests the DCE-style authentication exchange used
 * over DCE-RPC; the exact semantics are defined by the backends, not here. */
#define GENSEC_FEATURE_DCE_STYLE 0x00000008
/* NOTE(review): semantics not visible in this header; presumably related to
 * the gensec_update_send()/gensec_update_recv() pair — confirm in callers. */
#define GENSEC_FEATURE_ASYNC_REPLIES 0x00000010
/* NOTE(review): semantics not visible in this header — presumably selects
 * per-datagram rather than stream framing; confirm in the backends. */
#define GENSEC_FEATURE_DATAGRAM_MODE 0x00000020
/* NOTE(review): name suggests the signature covers the packet header as
 * well as the payload — consistent with the whole_pdu/pdu_length arguments
 * of sign_packet()/check_packet(), but verify against the backends. */
#define GENSEC_FEATURE_SIGN_PKT_HEADER 0x00000040
/* NOTE(review): semantics not visible in this header; presumably selects
 * the newer SPNEGO negotiation behaviour — confirm in the SPNEGO backend. */
#define GENSEC_FEATURE_NEW_SPNEGO 0x00000080
struct auth_session_info;
struct cli_credentials;
struct gensec_settings;
struct tevent_context;
struct gensec_update_request {
struct gensec_security *gensec_security;
void (*fn)(struct gensec_update_request *req, void *private_data);
struct gensec_settings {
struct loadparm_context *lp_ctx;
struct smb_iconv_convenience *iconv_convenience;
const char *target_hostname;
struct gensec_security_ops {
const char *sasl_name;
uint8_t auth_type; /* 0 if not offered on DCE-RPC */
const char **oid; /* NULL if not offered by SPNEGO */
NTSTATUS (*client_start)(struct gensec_security *gensec_security);
NTSTATUS (*server_start)(struct gensec_security *gensec_security);
Determine if a packet has the right 'magic' for this mechanism
NTSTATUS (*magic)(struct gensec_security *gensec_security,
const DATA_BLOB *first_packet);
NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out);
NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
size_t (*max_input_size)(struct gensec_security *gensec_security);
size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig);
NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig);
NTSTATUS (*wrap)(struct gensec_security *gensec_security,
NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
size_t *len_processed);
NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
size_t *len_processed);
NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
DATA_BLOB blob, size_t *size);
NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key);
NTSTATUS (*session_info)(struct gensec_security *gensec_security,
struct auth_session_info **session_info);
void (*want_feature)(struct gensec_security *gensec_security,
bool (*have_feature)(struct gensec_security *gensec_security,
enum gensec_priority priority;
struct gensec_security_ops_wrapper {
const struct gensec_security_ops *op;
/* Version of the backend ABI described by this header.  It is carried in
 * struct gensec_critical_sizes.interface_version alongside the sizes of
 * the critical structs; NOTE(review): the check that rejects a backend
 * built against a different version/layout lives in the implementation
 * (presumably gensec_init()), not in this header. */
#define GENSEC_INTERFACE_VERSION 0
struct gensec_security {
const struct gensec_security_ops *ops;
struct cli_credentials *credentials;
struct gensec_target target;
enum gensec_role gensec_role;
uint32_t want_features;
struct tevent_context *event_ctx;
struct socket_address *my_addr, *peer_addr;
struct gensec_settings *settings;
/* When we are a server, this may be filled in to provide an
* NTLM authentication backend, and user lookup (such as if no
struct auth_context *auth_context;
/* this structure is used by backends to determine the size of some critical types */
struct gensec_critical_sizes {
int interface_version;
int sizeof_gensec_security_ops;
int sizeof_gensec_security;
struct gensec_security;
struct socket_context;
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
struct socket_context *current_socket,
struct tevent_context *ev,
void (*recv_handler)(void *, uint16_t),
struct socket_context **new_socket);
/* These functions are for use here only (public because SPNEGO must
* use them for recursion) */
NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
size_t *len_processed);
/* These functions are for use here only (public because SPNEGO must
* use them for recursion) */
NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
size_t *len_processed);
/* These functions are for use here only (public because SPNEGO must
* use them for recursion) */
NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
DATA_BLOB blob, size_t *size);
struct loadparm_context;
NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
struct gensec_security *parent,
struct gensec_security **gensec_security);
NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security,
struct tevent_context *ev,
struct gensec_settings *settings);
NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
const char **sasl_names);
NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out);
void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
void (*callback)(struct gensec_update_request *req, void *private_data),
/* Completion half of gensec_update_send(): yields the NTSTATUS of the
 * handshake step and the output token in *out (presumably allocated on
 * out_mem_ctx — confirm).  NOTE(review): only a success status means the
 * step was accepted; callers must not act on *out after a failure. */
NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
void gensec_want_feature(struct gensec_security *gensec_security,
bool gensec_have_feature(struct gensec_security *gensec_security,
/* Attach the credentials the handshake will authenticate with
 * (struct gensec_security.credentials).  Ownership/lifetime of
 * credentials is not stated here — presumably talloc-managed; confirm. */
NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials);
/* Set the service part of the target name (see struct gensec_target).
 * NOTE(review): service and hostname together name the peer the client
 * expects to authenticate to; for mechanisms with mutual authentication
 * they should come from configuration or a trusted resolver, never from
 * data supplied by the peer itself. */
NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service);
/* Read back the target service set with gensec_set_target_service(); the
 * value returned when none was set is not specified here. */
const char *gensec_get_target_service(struct gensec_security *gensec_security);
/* Set the host part of the target name.  NOTE(review): struct
 * gensec_settings also carries a target_hostname; which of the two wins,
 * and when, is not visible in this header — confirm in the implementation. */
NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname);
/* Read back the target hostname (see gensec_set_target_hostname()). */
const char *gensec_get_target_hostname(struct gensec_security *gensec_security);
NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
DATA_BLOB *session_key);
NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
const char *mech_oid);
/* Map a mechanism OID string (see the GENSEC_OID_* constants and
 * gensec_security_ops.oid) to the backend's name; presumably NULL when no
 * backend claims the OID — confirm. */
const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
/* Return the credentials attached with gensec_set_credentials()
 * (struct gensec_security.credentials); no ownership transfer is implied. */
struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
/* Return the peer address recorded with gensec_set_peer_addr()
 * (struct gensec_security.peer_addr). */
struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security);
/* Library initialisation: registers the available backends, subject to the
 * configuration in lp_ctx (presumably via gensec_security_ops_enabled()).
 * Expected to run once before any gensec_client_start()/gensec_server_start(). */
NTSTATUS gensec_init(struct loadparm_context *lp_ctx);
NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig);
NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig);
/* Size in bytes of the signature gensec_sign_packet() produces for a
 * payload of data_size bytes; mirrors gensec_security_ops.sig_size.
 * Callers size the sig buffer from this, so it must be called on the same
 * gensec_security that will do the signing. */
size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size);
NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
uint8_t auth_type, uint8_t auth_level);
/* Map a DCE-RPC auth_type (gensec_security_ops.auth_type; 0 means not
 * offered on DCE-RPC) to the backend's name. */
const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype);
NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_settings *settings,
struct auth_context *auth_context,
struct gensec_security **gensec_security);
NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
struct auth_session_info **session_info);
/* NOTE(review): the name indicates this collapses detailed authentication
 * failure codes into a less specific NTSTATUS before they reach the peer,
 * so an unauthenticated client cannot distinguish e.g. unknown-user from
 * bad-password.  Which codes are squashed is not visible here; confirm in
 * the implementation before relying on it for that purpose. */
NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
struct creds_CredentialState;
NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
struct creds_CredentialState **creds);
/* Record the remote endpoint (struct gensec_security.peer_addr).  Lifetime
 * of peer_addr relative to the gensec_security is not stated here. */
NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr);
/* Record the local endpoint (struct gensec_security.my_addr). */
NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr);
NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
/* The full list of compiled-in backends, before any configuration filter.
 * NOTE(review): the termination convention of the array (presumably a NULL
 * sentinel) is not visible in this header — check before iterating. */
struct gensec_security_ops **gensec_security_all(void);
/* Whether configuration (lp_ctx) permits this backend to be used.
 * NOTE(review): this is a policy gate the caller must apply; every
 * selection path (gensec_start_mech_by_oid/_by_sasl_name/_by_authtype/
 * _by_name) should consult it, otherwise a disabled mechanism remains
 * reachable by a peer that names it explicitly. */
bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct loadparm_context *lp_ctx);
struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
struct gensec_security_ops **old_gensec_list,
struct cli_credentials *creds);
NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
const char *sasl_name);
/* Per-mechanism integer setting lookup: the value configured for
 * (mechanism, name), or default_value when none is set.  Backends use it
 * for tunables; NOTE(review): keep security-relevant defaults on the
 * strict side, since a missing setting silently yields default_value. */
int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
/* Boolean counterpart of gensec_setting_int(): the configured value for
 * (mechanism, name), or default_value when none is set. */
bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
/* NOTE(review): the guard macro __GENSEC_H__ starts with a double
 * underscore, which C reserves for the implementation; a project-prefixed
 * name would avoid the (theoretical) clash. */
#endif /* __GENSEC_H__ */