Generic Authentication Interface
Copyright (C) Andrew Tridgell 2003
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "lib/events/events.h"
#include "build.h"
#include "librpc/rpc/dcerpc.h"
+#include "auth/credentials/credentials.h"
+#include "auth/gensec/gensec.h"
+#include "param/param.h"
/* the list of currently registered GENSEC backends */
static struct gensec_security_ops **generic_security_ops;
struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
struct gensec_security_ops **old_gensec_list,
- enum credentials_use_kerberos use_kerberos)
+ struct cli_credentials *creds)
{
struct gensec_security_ops **new_gensec_list;
int i, j, num_mechs_in;
+ enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+
+ if (creds) {
+ use_kerberos = cli_credentials_get_kerberos_state(creds);
+ }
if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
- talloc_reference(mem_ctx, old_gensec_list);
+ if (!talloc_reference(mem_ctx, old_gensec_list)) {
+ return NULL;
+ }
return old_gensec_list;
}
struct gensec_security_ops **backends;
backends = gensec_security_all();
if (!gensec_security) {
- talloc_reference(mem_ctx, backends);
+ if (!talloc_reference(mem_ctx, backends)) {
+ return NULL;
+ }
return backends;
} else {
- enum credentials_use_kerberos use_kerberos;
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
if (!creds) {
- talloc_reference(mem_ctx, backends);
+ if (!talloc_reference(mem_ctx, backends)) {
+ return NULL;
+ }
return backends;
}
- use_kerberos = cli_credentials_get_kerberos_state(creds);
- return gensec_use_kerberos_mechs(mem_ctx, backends, use_kerberos);
+ return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
}
}
return NULL;
}
-static const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
- const char *sasl_name)
+const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
+ const char *sasl_name)
{
int i;
struct gensec_security_ops **backends;
@note The mem_ctx is only a parent and may be NULL.
*/
static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
- struct gensec_security **gensec_security,
- struct event_context *ev)
+ struct event_context *ev,
+ struct messaging_context *msg,
+ struct gensec_security **gensec_security)
{
(*gensec_security) = talloc(mem_ctx, struct gensec_security);
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
}
(*gensec_security)->event_ctx = ev;
+ (*gensec_security)->msg_ctx = msg;
return NT_STATUS_OK;
}
(*gensec_security)->subcontext = True;
(*gensec_security)->event_ctx = parent->event_ctx;
+ (*gensec_security)->msg_ctx = parent->msg_ctx;
return NT_STATUS_OK;
}
struct event_context *ev)
{
NTSTATUS status;
- status = gensec_start(mem_ctx, gensec_security, ev);
+ struct event_context *new_ev = NULL;
+
+ if (ev == NULL) {
+ new_ev = event_context_init(mem_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(new_ev);
+ ev = new_ev;
+ }
+
+ status = gensec_start(mem_ctx, ev, NULL, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(new_ev);
return status;
}
+ talloc_steal((*gensec_security), new_ev);
(*gensec_security)->gensec_role = GENSEC_CLIENT;
return status;
@note The mem_ctx is only a parent and may be NULL.
*/
NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
- struct gensec_security **gensec_security,
- struct event_context *ev)
+ struct event_context *ev,
+ struct messaging_context *msg,
+ struct gensec_security **gensec_security)
{
NTSTATUS status;
- status = gensec_start(mem_ctx, gensec_security, ev);
+
+ if (!ev) {
+ DEBUG(0,("gensec_server_start: no event context given!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!msg) {
+ DEBUG(0,("gensec_server_start: no messaging context given!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = gensec_start(mem_ctx, ev, msg, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
*/
_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
- const char **sasl_names)
+ const char **sasl_names)
{
- NTSTATUS nt_status;
+ NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
const struct gensec_security_ops **ops;
+ int i;
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
talloc_free(mem_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = gensec_start_mech_by_ops(gensec_security, ops[0]);
+ for (i=0; ops[i]; i++) {
+ nt_status = gensec_start_mech_by_ops(gensec_security, ops[i]);
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
+ break;
+ }
+ }
talloc_free(mem_ctx);
return nt_status;
}
return gensec_security->ops->sig_size(gensec_security, data_size);
}
-size_t gensec_max_input_size(struct gensec_security *gensec_security)
+size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
{
- if (!gensec_security->ops->max_input_size) {
- return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
+ if (!gensec_security->ops->max_wrapped_size) {
+ return (1 << 17);
}
- return gensec_security->ops->max_input_size(gensec_security);
+ return gensec_security->ops->max_wrapped_size(gensec_security);
}
-size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
+size_t gensec_max_input_size(struct gensec_security *gensec_security)
{
- if (!gensec_security->ops->max_wrapped_size) {
- return (1 << 17);
+ if (!gensec_security->ops->max_input_size) {
+ return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
}
- return gensec_security->ops->max_wrapped_size(gensec_security);
+ return gensec_security->ops->max_input_size(gensec_security);
}
-_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
+NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out)
return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
}
-_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
+NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out)
return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out);
}
-struct gensec_update_request {
- struct gensec_security *gensec_security;
- DATA_BLOB in;
- DATA_BLOB out;
- NTSTATUS status;
- struct {
- void (*fn)(struct gensec_update_request *req, void *private_data);
- void *private_data;
- } callback;
-};
-
static void gensec_update_async_timed_handler(struct event_context *ev, struct timed_event *te,
struct timeval t, void *ptr)
{
_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials)
{
gensec_security->credentials = talloc_reference(gensec_security, credentials);
+ NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials);
+ gensec_want_feature(gensec_security, cli_credentials_get_gensec_features(gensec_security->credentials));
return NT_STATUS_OK;
}
_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
{
gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
- if (!gensec_security->target.hostname) {
+ if (hostname && !gensec_security->target.hostname) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
{
/* We allow the target hostname to be overriden for testing purposes */
- const char *target_hostname = lp_parm_string(-1, "gensec", "target_hostname");
+ const char *target_hostname = lp_parm_string(global_loadparm, NULL, "gensec", "target_hostname");
if (target_hostname) {
return target_hostname;
}
*/
NTSTATUS gensec_register(const struct gensec_security_ops *ops)
{
- if (!lp_parm_bool(-1, "gensec", ops->name, ops->enabled)) {
+ if (!lp_parm_bool(global_loadparm, NULL, "gensec", ops->name, ops->enabled)) {
DEBUG(2,("gensec subsystem %s is disabled\n", ops->name));
return NT_STATUS_OK;
}
return NT_STATUS_NO_MEMORY;
}
- generic_security_ops[gensec_num_backends] = discard_const(ops);
+ generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
gensec_num_backends++;
generic_security_ops[gensec_num_backends] = NULL;
return &critical_sizes;
}
+static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
+ return (*gs2)->priority - (*gs1)->priority;
+}
+
/*
initialise the GENSEC subsystem
*/
if (initialized) return NT_STATUS_OK;
initialized = True;
- shared_init = load_samba_modules(NULL, "gensec");
+ shared_init = load_samba_modules(NULL, global_loadparm, "gensec");
run_init_functions(static_init);
run_init_functions(shared_init);
talloc_free(shared_init);
+
+ qsort(generic_security_ops, gensec_num_backends, sizeof(*generic_security_ops), QSORT_CAST sort_gensec);
return NT_STATUS_OK;
}