auth/gensec: replace #if _SAMBA_BUILD_ == 4 by a feature test
[samba.git] / auth / gensec / gensec_start.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Generic Authentication Interface
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/network.h"
25 #include "tevent.h"
26 #include "../lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "lib/param/param.h"
31 #include "lib/util/tsort.h"
32 #include "lib/util/samba_modules.h"
33
34 /* the list of currently registered GENSEC backends */
35 static struct gensec_security_ops **generic_security_ops;
36 static int gensec_num_backends;
37
38 /* Return all the registered mechs.  Don't modify the return pointer,
39  * but you may talloc_reference it if convient */
40 _PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
41 {
42         return generic_security_ops;
43 }
44
45 bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
46 {
47         return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
48 }
49
50 /* Sometimes we want to force only kerberos, sometimes we want to
51  * force it's avoidance.  The old list could be either
52  * gensec_security_all(), or from cli_credentials_gensec_list() (ie,
53  * an existing list we have trimmed down) */
54
55 _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
56                                                        struct gensec_security_ops **old_gensec_list,
57                                                        struct cli_credentials *creds)
58 {
59         struct gensec_security_ops **new_gensec_list;
60         int i, j, num_mechs_in;
61         enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
62
63         if (creds) {
64                 use_kerberos = cli_credentials_get_kerberos_state(creds);
65         }
66
67         if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
68                 if (!talloc_reference(mem_ctx, old_gensec_list)) {
69                         return NULL;
70                 }
71                 return old_gensec_list;
72         }
73
74         for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
75                 /* noop */
76         }
77
78         new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
79         if (!new_gensec_list) {
80                 return NULL;
81         }
82
83         j = 0;
84         for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
85                 int oid_idx;
86
87                 for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
88                         if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
89                                 new_gensec_list[j] = old_gensec_list[i];
90                                 j++;
91                                 break;
92                         }
93                 }
94                 switch (use_kerberos) {
95                 case CRED_DONT_USE_KERBEROS:
96                         if (old_gensec_list[i]->kerberos == false) {
97                                 new_gensec_list[j] = old_gensec_list[i];
98                                 j++;
99                         }
100                         break;
101                 case CRED_MUST_USE_KERBEROS:
102                         if (old_gensec_list[i]->kerberos == true) {
103                                 new_gensec_list[j] = old_gensec_list[i];
104                                 j++;
105                         }
106                         break;
107                 default:
108                         /* Can't happen or invalid parameter */
109                         return NULL;
110                 }
111         }
112         new_gensec_list[j] = NULL;
113
114         return new_gensec_list;
115 }
116
117 struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
118                                                    TALLOC_CTX *mem_ctx)
119 {
120         struct gensec_security_ops **backends;
121         backends = gensec_security_all();
122         if (!gensec_security) {
123                 if (!talloc_reference(mem_ctx, backends)) {
124                         return NULL;
125                 }
126                 return backends;
127         } else {
128                 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
129                 if (!creds) {
130                         if (!talloc_reference(mem_ctx, backends)) {
131                                 return NULL;
132                         }
133                         return backends;
134                 }
135                 return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
136         }
137 }
138
139 static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
140                                                                      uint8_t auth_type)
141 {
142         int i;
143         struct gensec_security_ops **backends;
144         const struct gensec_security_ops *backend;
145         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
146         if (!mem_ctx) {
147                 return NULL;
148         }
149         backends = gensec_security_mechs(gensec_security, mem_ctx);
150         for (i=0; backends && backends[i]; i++) {
151                 if (!gensec_security_ops_enabled(backends[i], gensec_security))
152                                 continue;
153                 if (backends[i]->auth_type == auth_type) {
154                         backend = backends[i];
155                         talloc_free(mem_ctx);
156                         return backend;
157                 }
158         }
159         talloc_free(mem_ctx);
160
161         return NULL;
162 }
163
164 const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
165                                                          const char *oid_string)
166 {
167         int i, j;
168         struct gensec_security_ops **backends;
169         const struct gensec_security_ops *backend;
170         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
171         if (!mem_ctx) {
172                 return NULL;
173         }
174         backends = gensec_security_mechs(gensec_security, mem_ctx);
175         for (i=0; backends && backends[i]; i++) {
176                 if (gensec_security != NULL &&
177                                 !gensec_security_ops_enabled(backends[i],
178                                                                                          gensec_security))
179                     continue;
180                 if (backends[i]->oid) {
181                         for (j=0; backends[i]->oid[j]; j++) {
182                                 if (backends[i]->oid[j] &&
183                                     (strcmp(backends[i]->oid[j], oid_string) == 0)) {
184                                         backend = backends[i];
185                                         talloc_free(mem_ctx);
186                                         return backend;
187                                 }
188                         }
189                 }
190         }
191         talloc_free(mem_ctx);
192
193         return NULL;
194 }
195
196 const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
197                                                                const char *sasl_name)
198 {
199         int i;
200         struct gensec_security_ops **backends;
201         const struct gensec_security_ops *backend;
202         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
203         if (!mem_ctx) {
204                 return NULL;
205         }
206         backends = gensec_security_mechs(gensec_security, mem_ctx);
207         for (i=0; backends && backends[i]; i++) {
208                 if (!gensec_security_ops_enabled(backends[i], gensec_security))
209                     continue;
210                 if (backends[i]->sasl_name
211                     && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
212                         backend = backends[i];
213                         talloc_free(mem_ctx);
214                         return backend;
215                 }
216         }
217         talloc_free(mem_ctx);
218
219         return NULL;
220 }
221
222 static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
223                                                                  const char *name)
224 {
225         int i;
226         struct gensec_security_ops **backends;
227         const struct gensec_security_ops *backend;
228         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
229         if (!mem_ctx) {
230                 return NULL;
231         }
232         backends = gensec_security_mechs(gensec_security, mem_ctx);
233         for (i=0; backends && backends[i]; i++) {
234                 if (gensec_security != NULL &&
235                                 !gensec_security_ops_enabled(backends[i], gensec_security))
236                     continue;
237                 if (backends[i]->name
238                     && (strcmp(backends[i]->name, name) == 0)) {
239                         backend = backends[i];
240                         talloc_free(mem_ctx);
241                         return backend;
242                 }
243         }
244         talloc_free(mem_ctx);
245         return NULL;
246 }
247
248 /**
249  * Return a unique list of security subsystems from those specified in
250  * the list of SASL names.
251  *
252  * Use the list of enabled GENSEC mechanisms from the credentials
253  * attached to the gensec_security, and return in our preferred order.
254  */
255
256 const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_security *gensec_security,
257                                                                 TALLOC_CTX *mem_ctx,
258                                                                 const char **sasl_names)
259 {
260         const struct gensec_security_ops **backends_out;
261         struct gensec_security_ops **backends;
262         int i, k, sasl_idx;
263         int num_backends_out = 0;
264
265         if (!sasl_names) {
266                 return NULL;
267         }
268
269         backends = gensec_security_mechs(gensec_security, mem_ctx);
270
271         backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1);
272         if (!backends_out) {
273                 return NULL;
274         }
275         backends_out[0] = NULL;
276
277         /* Find backends in our preferred order, by walking our list,
278          * then looking in the supplied list */
279         for (i=0; backends && backends[i]; i++) {
280                 if (gensec_security != NULL &&
281                                 !gensec_security_ops_enabled(backends[i], gensec_security))
282                     continue;
283                 for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
284                         if (!backends[i]->sasl_name ||
285                             !(strcmp(backends[i]->sasl_name,
286                                      sasl_names[sasl_idx]) == 0)) {
287                                 continue;
288                         }
289
290                         for (k=0; backends_out[k]; k++) {
291                                 if (backends_out[k] == backends[i]) {
292                                         break;
293                                 }
294                         }
295
296                         if (k < num_backends_out) {
297                                 /* already in there */
298                                 continue;
299                         }
300
301                         backends_out = talloc_realloc(mem_ctx, backends_out,
302                                                       const struct gensec_security_ops *,
303                                                       num_backends_out + 2);
304                         if (!backends_out) {
305                                 return NULL;
306                         }
307
308                         backends_out[num_backends_out] = backends[i];
309                         num_backends_out++;
310                         backends_out[num_backends_out] = NULL;
311                 }
312         }
313         return backends_out;
314 }
315
316 /**
317  * Return a unique list of security subsystems from those specified in
318  * the OID list.  That is, where two OIDs refer to the same module,
319  * return that module only once.
320  *
321  * Use the list of enabled GENSEC mechanisms from the credentials
322  * attached to the gensec_security, and return in our preferred order.
323  */
324
325 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gensec_security *gensec_security,
326                                                                       TALLOC_CTX *mem_ctx,
327                                                                       const char **oid_strings,
328                                                                       const char *skip)
329 {
330         struct gensec_security_ops_wrapper *backends_out;
331         struct gensec_security_ops **backends;
332         int i, j, k, oid_idx;
333         int num_backends_out = 0;
334
335         if (!oid_strings) {
336                 return NULL;
337         }
338
339         backends = gensec_security_mechs(gensec_security, gensec_security);
340
341         backends_out = talloc_array(mem_ctx, struct gensec_security_ops_wrapper, 1);
342         if (!backends_out) {
343                 return NULL;
344         }
345         backends_out[0].op = NULL;
346         backends_out[0].oid = NULL;
347
348         /* Find backends in our preferred order, by walking our list,
349          * then looking in the supplied list */
350         for (i=0; backends && backends[i]; i++) {
351                 if (gensec_security != NULL &&
352                                 !gensec_security_ops_enabled(backends[i], gensec_security))
353                     continue;
354                 if (!backends[i]->oid) {
355                         continue;
356                 }
357                 for (oid_idx = 0; oid_strings[oid_idx]; oid_idx++) {
358                         if (strcmp(oid_strings[oid_idx], skip) == 0) {
359                                 continue;
360                         }
361
362                         for (j=0; backends[i]->oid[j]; j++) {
363                                 if (!backends[i]->oid[j] ||
364                                     !(strcmp(backends[i]->oid[j],
365                                             oid_strings[oid_idx]) == 0)) {
366                                         continue;
367                                 }
368
369                                 for (k=0; backends_out[k].op; k++) {
370                                         if (backends_out[k].op == backends[i]) {
371                                                 break;
372                                         }
373                                 }
374
375                                 if (k < num_backends_out) {
376                                         /* already in there */
377                                         continue;
378                                 }
379
380                                 backends_out = talloc_realloc(mem_ctx, backends_out,
381                                                               struct gensec_security_ops_wrapper,
382                                                               num_backends_out + 2);
383                                 if (!backends_out) {
384                                         return NULL;
385                                 }
386
387                                 backends_out[num_backends_out].op = backends[i];
388                                 backends_out[num_backends_out].oid = backends[i]->oid[j];
389                                 num_backends_out++;
390                                 backends_out[num_backends_out].op = NULL;
391                                 backends_out[num_backends_out].oid = NULL;
392                         }
393                 }
394         }
395         return backends_out;
396 }
397
398 /**
399  * Return OIDS from the security subsystems listed
400  */
401
402 const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security,
403                                                                                    TALLOC_CTX *mem_ctx,
404                                            struct gensec_security_ops **ops,
405                                            const char *skip)
406 {
407         int i;
408         int j = 0;
409         int k;
410         const char **oid_list;
411         if (!ops) {
412                 return NULL;
413         }
414         oid_list = talloc_array(mem_ctx, const char *, 1);
415         if (!oid_list) {
416                 return NULL;
417         }
418
419         for (i=0; ops && ops[i]; i++) {
420                 if (gensec_security != NULL &&
421                         !gensec_security_ops_enabled(ops[i], gensec_security)) {
422                         continue;
423                 }
424                 if (!ops[i]->oid) {
425                         continue;
426                 }
427
428                 for (k = 0; ops[i]->oid[k]; k++) {
429                         if (skip && strcmp(skip, ops[i]->oid[k])==0) {
430                         } else {
431                                 oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
432                                 if (!oid_list) {
433                                         return NULL;
434                                 }
435                                 oid_list[j] = ops[i]->oid[k];
436                                 j++;
437                         }
438                 }
439         }
440         oid_list[j] = NULL;
441         return oid_list;
442 }
443
444
445 /**
446  * Return OIDS from the security subsystems listed
447  */
448
449 const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
450                                                    const struct gensec_security_ops_wrapper *wops)
451 {
452         int i;
453         int j = 0;
454         int k;
455         const char **oid_list;
456         if (!wops) {
457                 return NULL;
458         }
459         oid_list = talloc_array(mem_ctx, const char *, 1);
460         if (!oid_list) {
461                 return NULL;
462         }
463
464         for (i=0; wops[i].op; i++) {
465                 if (!wops[i].op->oid) {
466                         continue;
467                 }
468
469                 for (k = 0; wops[i].op->oid[k]; k++) {
470                         oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
471                         if (!oid_list) {
472                                 return NULL;
473                         }
474                         oid_list[j] = wops[i].op->oid[k];
475                         j++;
476                 }
477         }
478         oid_list[j] = NULL;
479         return oid_list;
480 }
481
482
483 /**
484  * Return all the security subsystems currently enabled on a GENSEC context.
485  *
486  * This is taken from a list attached to the cli_credentials, and
487  * skips the OID in 'skip'.  (Typically the SPNEGO OID)
488  *
489  */
490
491 const char **gensec_security_oids(struct gensec_security *gensec_security,
492                                   TALLOC_CTX *mem_ctx,
493                                   const char *skip)
494 {
495         struct gensec_security_ops **ops
496                 = gensec_security_mechs(gensec_security, mem_ctx);
497         return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
498 }
499
500 /**
501   Start the GENSEC system, returning a context pointer.
502   @param mem_ctx The parent TALLOC memory context.
503   @param gensec_security Returned GENSEC context pointer.
504   @note  The mem_ctx is only a parent and may be NULL.
505   @note, the auth context is moved to be a referenced pointer of the
506   @ gensec_security return
507 */
508 static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
509                              struct gensec_settings *settings,
510                              struct auth4_context *auth_context,
511                              struct gensec_security **gensec_security)
512 {
513         (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
514         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
515
516         SMB_ASSERT(settings->lp_ctx != NULL);
517         (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
518
519         /* We need to reference this, not steal, as the caller may be
520          * python, which won't like it if we steal it's object away
521          * from it */
522         (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
523
524         return NT_STATUS_OK;
525 }
526
527 /**
528  * Start a GENSEC subcontext, with a copy of the properties of the parent
529  * @param mem_ctx The parent TALLOC memory context.
530  * @param parent The parent GENSEC context
531  * @param gensec_security Returned GENSEC context pointer.
532  * @note Used by SPNEGO in particular, for the actual implementation mechanism
533  */
534
535 _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
536                                  struct gensec_security *parent,
537                                  struct gensec_security **gensec_security)
538 {
539         (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
540         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
541
542         (**gensec_security) = *parent;
543         (*gensec_security)->ops = NULL;
544         (*gensec_security)->private_data = NULL;
545
546         (*gensec_security)->subcontext = true;
547         (*gensec_security)->want_features = parent->want_features;
548         (*gensec_security)->dcerpc_auth_level = parent->dcerpc_auth_level;
549         (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
550         (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
551         (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
552
553         return NT_STATUS_OK;
554 }
555
556 /**
557   Start the GENSEC system, in client mode, returning a context pointer.
558   @param mem_ctx The parent TALLOC memory context.
559   @param gensec_security Returned GENSEC context pointer.
560   @note  The mem_ctx is only a parent and may be NULL.
561 */
562 _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
563                              struct gensec_security **gensec_security,
564                              struct gensec_settings *settings)
565 {
566         NTSTATUS status;
567
568         if (settings == NULL) {
569                 DEBUG(0,("gensec_client_start: no settings given!\n"));
570                 return NT_STATUS_INTERNAL_ERROR;
571         }
572
573         status = gensec_start(mem_ctx, settings, NULL, gensec_security);
574         if (!NT_STATUS_IS_OK(status)) {
575                 return status;
576         }
577         (*gensec_security)->gensec_role = GENSEC_CLIENT;
578
579         return status;
580 }
581
582
583
584 /**
585   Start the GENSEC system, in server mode, returning a context pointer.
586   @param mem_ctx The parent TALLOC memory context.
587   @param gensec_security Returned GENSEC context pointer.
588   @note  The mem_ctx is only a parent and may be NULL.
589 */
590 _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
591                                       struct gensec_settings *settings,
592                                       struct auth4_context *auth_context,
593                                       struct gensec_security **gensec_security)
594 {
595         NTSTATUS status;
596
597         if (!settings) {
598                 DEBUG(0,("gensec_server_start: no settings given!\n"));
599                 return NT_STATUS_INTERNAL_ERROR;
600         }
601
602         status = gensec_start(mem_ctx, settings, auth_context, gensec_security);
603         if (!NT_STATUS_IS_OK(status)) {
604                 return status;
605         }
606         (*gensec_security)->gensec_role = GENSEC_SERVER;
607
608         return status;
609 }
610
611 NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
612 {
613         NTSTATUS status;
614         DEBUG(5, ("Starting GENSEC %smechanism %s\n",
615                   gensec_security->subcontext ? "sub" : "",
616                   gensec_security->ops->name));
617         switch (gensec_security->gensec_role) {
618         case GENSEC_CLIENT:
619                 if (gensec_security->ops->client_start) {
620                         status = gensec_security->ops->client_start(gensec_security);
621                         if (!NT_STATUS_IS_OK(status)) {
622                                 DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n",
623                                           gensec_security->ops->name, nt_errstr(status)));
624                         }
625                         return status;
626                 }
627                 break;
628         case GENSEC_SERVER:
629                 if (gensec_security->ops->server_start) {
630                         status = gensec_security->ops->server_start(gensec_security);
631                         if (!NT_STATUS_IS_OK(status)) {
632                                 DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n",
633                                           gensec_security->ops->name, nt_errstr(status)));
634                         }
635                         return status;
636                 }
637                 break;
638         }
639         return NT_STATUS_INVALID_PARAMETER;
640 }
641
642 /**
643  * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
644  *
645  */
646
647 NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
648                                   const struct gensec_security_ops *ops)
649 {
650         gensec_security->ops = ops;
651         return gensec_start_mech(gensec_security);
652 }
653
654
655 /**
656  * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number
657  * @param gensec_security GENSEC context pointer.
658  * @param auth_type DCERPC auth type
659  * @param auth_level DCERPC auth level
660  */
661
662 _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
663                                        uint8_t auth_type, uint8_t auth_level)
664 {
665         gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
666         if (!gensec_security->ops) {
667                 DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
668                 return NT_STATUS_INVALID_PARAMETER;
669         }
670         gensec_security->dcerpc_auth_level = auth_level;
671         gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
672         gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
673         if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
674                 gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
675         } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
676                 gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
677                 gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
678         } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
679                 /* Default features */
680         } else {
681                 DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
682                          auth_level));
683                 return NT_STATUS_INVALID_PARAMETER;
684         }
685
686         return gensec_start_mech(gensec_security);
687 }
688
689 _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
690 {
691         const struct gensec_security_ops *ops;
692         ops = gensec_security_by_authtype(gensec_security, authtype);
693         if (ops) {
694                 return ops->name;
695         }
696         return NULL;
697 }
698
699
700 _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
701                                                                                         const char *oid_string)
702 {
703         const struct gensec_security_ops *ops;
704         ops = gensec_security_by_oid(gensec_security, oid_string);
705         if (ops) {
706                 return ops->name;
707         }
708         return oid_string;
709 }
710
711 /**
712  * Start a GENSEC sub-mechanism by OID, used in SPNEGO
713  *
714  * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a
715  *       well-known #define to hook it in.
716  */
717
718 _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
719                                   const char *mech_oid)
720 {
721         SMB_ASSERT(gensec_security != NULL);
722
723         gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid);
724         if (!gensec_security->ops) {
725                 DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
726                 return NT_STATUS_INVALID_PARAMETER;
727         }
728         return gensec_start_mech(gensec_security);
729 }
730
731 /**
732  * Start a GENSEC sub-mechanism by a well know SASL name
733  *
734  */
735
736 _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
737                                         const char *sasl_name)
738 {
739         gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name);
740         if (!gensec_security->ops) {
741                 DEBUG(3, ("Could not find GENSEC backend for sasl_name=%s\n", sasl_name));
742                 return NT_STATUS_INVALID_PARAMETER;
743         }
744         return gensec_start_mech(gensec_security);
745 }
746
747 /**
748  * Start a GENSEC sub-mechanism with the preferred option from a SASL name list
749  *
750  */
751
752 _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
753                                                  const char **sasl_names)
754 {
755         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
756         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
757         const struct gensec_security_ops **ops;
758         int i;
759         if (!mem_ctx) {
760                 return NT_STATUS_NO_MEMORY;
761         }
762         ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names);
763         if (!ops || !*ops) {
764                 DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n",
765                           str_list_join(mem_ctx,
766                                         sasl_names, ' ')));
767                 talloc_free(mem_ctx);
768                 return NT_STATUS_INVALID_PARAMETER;
769         }
770         for (i=0; ops[i]; i++) {
771                 nt_status = gensec_start_mech_by_ops(gensec_security, ops[i]);
772                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
773                         break;
774                 }
775         }
776         talloc_free(mem_ctx);
777         return nt_status;
778 }
779
780 /**
781  * Start a GENSEC sub-mechanism by an internal name
782  *
783  */
784
785 _PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
786                                         const char *name)
787 {
788         gensec_security->ops = gensec_security_by_name(gensec_security, name);
789         if (!gensec_security->ops) {
790                 DEBUG(3, ("Could not find GENSEC backend for name=%s\n", name));
791                 return NT_STATUS_INVALID_PARAMETER;
792         }
793         return gensec_start_mech(gensec_security);
794 }
795
796 /**
797  * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context
798  *
799  */
800
801 _PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials)
802 {
803         gensec_security->credentials = talloc_reference(gensec_security, credentials);
804         NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials);
805         gensec_want_feature(gensec_security, cli_credentials_get_gensec_features(gensec_security->credentials));
806         return NT_STATUS_OK;
807 }
808
809 /*
810   register a GENSEC backend.
811
812   The 'name' can be later used by other backends to find the operations
813   structure for this backend.
814 */
815 NTSTATUS gensec_register(const struct gensec_security_ops *ops)
816 {
817         if (gensec_security_by_name(NULL, ops->name) != NULL) {
818                 /* its already registered! */
819                 DEBUG(0,("GENSEC backend '%s' already registered\n",
820                          ops->name));
821                 return NT_STATUS_OBJECT_NAME_COLLISION;
822         }
823
824         generic_security_ops = talloc_realloc(talloc_autofree_context(),
825                                               generic_security_ops,
826                                               struct gensec_security_ops *,
827                                               gensec_num_backends+2);
828         if (!generic_security_ops) {
829                 return NT_STATUS_NO_MEMORY;
830         }
831
832         generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
833         gensec_num_backends++;
834         generic_security_ops[gensec_num_backends] = NULL;
835
836         DEBUG(3,("GENSEC backend '%s' registered\n",
837                  ops->name));
838
839         return NT_STATUS_OK;
840 }
841
842 /*
843   return the GENSEC interface version, and the size of some critical types
844   This can be used by backends to either detect compilation errors, or provide
845   multiple implementations for different smbd compilation options in one module
846 */
847 const struct gensec_critical_sizes *gensec_interface_version(void)
848 {
849         static const struct gensec_critical_sizes critical_sizes = {
850                 GENSEC_INTERFACE_VERSION,
851                 sizeof(struct gensec_security_ops),
852                 sizeof(struct gensec_security),
853         };
854
855         return &critical_sizes;
856 }
857
858 static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
859         return (*gs2)->priority - (*gs1)->priority;
860 }
861
862 int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
863 {
864         return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
865 }
866
867 bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
868 {
869         return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
870 }
871
872 /*
873   initialise the GENSEC subsystem
874 */
875 _PUBLIC_ NTSTATUS gensec_init(void)
876 {
877         static bool initialized = false;
878 #define _MODULE_PROTO(init) extern NTSTATUS init(void);
879 #ifdef STATIC_gensec_MODULES
880         STATIC_gensec_MODULES_PROTO;
881         init_module_fn static_init[] = { STATIC_gensec_MODULES };
882 #else
883         init_module_fn *static_init = NULL;
884 #endif
885         init_module_fn *shared_init;
886
887         if (initialized) return NT_STATUS_OK;
888         initialized = true;
889
890         shared_init = load_samba_modules(NULL, "gensec");
891
892         run_init_functions(static_init);
893         run_init_functions(shared_init);
894
895         talloc_free(shared_init);
896
897         TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
898
899         return NT_STATUS_OK;
900 }