360a69c0e0359f78adc0a9594618d8940a2f7f0e
[samba.git] / source4 / libcli / auth / gensec.c
1 /* 
2    Unix SMB/CIFS implementation.
3  
4    Generic Authentication Interface
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "auth/auth.h"
26
27 /* the list of currently registered GENSEC backends */
28 const static struct gensec_security_ops **generic_security_ops;
29 static int gensec_num_backends;
30
31 static const struct gensec_security_ops *gensec_security_by_authtype(uint8_t auth_type)
32 {
33         int i;
34         for (i=0; i < gensec_num_backends; i++) {
35                 if (generic_security_ops[i]->auth_type == auth_type) {
36                         return generic_security_ops[i];
37                 }
38         }
39
40         return NULL;
41 }
42
43 static const struct gensec_security_ops *gensec_security_by_oid(const char *oid_string)
44 {
45         int i;
46         for (i=0; i < gensec_num_backends; i++) {
47                 if (generic_security_ops[i]->oid &&
48                     (strcmp(generic_security_ops[i]->oid, oid_string) == 0)) {
49                         return generic_security_ops[i];
50                 }
51         }
52
53         return NULL;
54 }
55
56 static const struct gensec_security_ops *gensec_security_by_sasl_name(const char *sasl_name)
57 {
58         int i;
59         for (i=0; i < gensec_num_backends; i++) {
60                 if (generic_security_ops[i]->sasl_name 
61                     && (strcmp(generic_security_ops[i]->sasl_name, sasl_name) == 0)) {
62                         return generic_security_ops[i];
63                 }
64         }
65
66         return NULL;
67 }
68
69 static const struct gensec_security_ops *gensec_security_by_name(const char *name)
70 {
71         int i;
72         for (i=0; i < gensec_num_backends; i++) {
73                 if (generic_security_ops[i]->name 
74                     && (strcmp(generic_security_ops[i]->name, name) == 0)) {
75                         return generic_security_ops[i];
76                 }
77         }
78
79         return NULL;
80 }
81
82 const struct gensec_security_ops **gensec_security_all(int *num_backends_out)
83 {
84         *num_backends_out = gensec_num_backends;
85         return generic_security_ops;
86 }
87
88 const char **gensec_security_oids(TALLOC_CTX *mem_ctx, const char *skip) 
89 {
90         int i, j = 0;
91         const char **oid_list;
92         int num_backends;
93         const struct gensec_security_ops **ops = gensec_security_all(&num_backends);
94         if (!ops) {
95                 return NULL;
96         }
97         oid_list = talloc_array_p(mem_ctx, const char *, num_backends + 1);
98         if (!oid_list) {
99                 return NULL;
100         }
101         
102         for (i=0; i<num_backends; i++) {
103                 if (!ops[i]->oid) {
104                         continue;
105                 }
106                 
107                 if (skip && strcmp(skip, ops[i]->oid)==0) {
108                         continue;
109                 }
110
111                 oid_list[j] = ops[i]->oid;
112                 j++;
113         }
114         oid_list[j] = NULL;
115         return oid_list;
116 }
117
118 /*
119   note that memory context is the parent context to hang this gensec context off. It may be NULL.
120 */
121 static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security) 
122 {
123         (*gensec_security) = talloc_p(mem_ctx, struct gensec_security);
124         if (!(*gensec_security)) {
125                 return NT_STATUS_NO_MEMORY;
126         }
127
128         (*gensec_security)->ops = NULL;
129
130         ZERO_STRUCT((*gensec_security)->user);
131         ZERO_STRUCT((*gensec_security)->target);
132         ZERO_STRUCT((*gensec_security)->default_user);
133
134         (*gensec_security)->default_user.name = "";
135         (*gensec_security)->default_user.domain = talloc_strdup(*gensec_security, lp_workgroup());
136         (*gensec_security)->default_user.realm = talloc_strdup(*gensec_security, lp_realm());
137
138         (*gensec_security)->subcontext = False;
139         (*gensec_security)->want_features = 0;
140         return NT_STATUS_OK;
141 }
142
143 /** 
144  * Start a GENSEC subcontext, with a copy of the properties of the parent
145  *
146  * @note Used by SPENGO in particular, for the actual implementation mechanism
147  */
148
149 NTSTATUS gensec_subcontext_start(struct gensec_security *parent, 
150                                  struct gensec_security **gensec_security)
151 {
152         (*gensec_security) = talloc_p(parent, struct gensec_security);
153         if (!(*gensec_security)) {
154                 return NT_STATUS_NO_MEMORY;
155         }
156
157         (**gensec_security) = *parent;
158         (*gensec_security)->ops = NULL;
159         (*gensec_security)->private_data = NULL;
160
161         (*gensec_security)->subcontext = True;
162
163         return NT_STATUS_OK;
164 }
165
166 NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security)
167 {
168         NTSTATUS status;
169         status = gensec_start(mem_ctx, gensec_security);
170         if (!NT_STATUS_IS_OK(status)) {
171                 return status;
172         }
173         (*gensec_security)->gensec_role = GENSEC_CLIENT;
174         (*gensec_security)->password_callback = NULL;
175
176         ZERO_STRUCT((*gensec_security)->user);
177
178         return status;
179 }
180
181 NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security)
182 {
183         NTSTATUS status;
184         status = gensec_start(mem_ctx, gensec_security);
185         if (!NT_STATUS_IS_OK(status)) {
186                 return status;
187         }
188         (*gensec_security)->gensec_role = GENSEC_SERVER;
189
190         return status;
191 }
192
193 static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) 
194 {
195         NTSTATUS status;
196         DEBUG(5, ("Starting GENSEC %smechanism %s\n", 
197                   gensec_security->subcontext ? "sub" : "", 
198                   gensec_security->ops->name));
199         switch (gensec_security->gensec_role) {
200         case GENSEC_CLIENT:
201                 if (gensec_security->ops->client_start) {
202                         status = gensec_security->ops->client_start(gensec_security);
203                         if (!NT_STATUS_IS_OK(status)) {
204                                 DEBUG(1, ("Failed to start GENSEC client mech %s: %s\n",
205                                           gensec_security->ops->name, nt_errstr(status))); 
206                         }
207                         return status;
208                 }
209         case GENSEC_SERVER:
210                 if (gensec_security->ops->server_start) {
211                         status = gensec_security->ops->server_start(gensec_security);
212                         if (!NT_STATUS_IS_OK(status)) {
213                                 DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n",
214                                           gensec_security->ops->name, nt_errstr(status))); 
215                         }
216                         return status;
217                 }
218         }
219         return NT_STATUS_INVALID_PARAMETER;
220 }
221
222 /** 
223  * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number 
224  */
225
226 NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, 
227                                        uint8_t auth_type, uint8_t auth_level) 
228 {
229         gensec_security->ops = gensec_security_by_authtype(auth_type);
230         if (!gensec_security->ops) {
231                 DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
232                 return NT_STATUS_INVALID_PARAMETER;
233         }
234         if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
235                 gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
236         }
237         if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
238                 gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
239                 gensec_want_feature(gensec_security, GENSEC_WANT_SEAL);
240         }
241
242         return gensec_start_mech(gensec_security);
243 }
244
245 const char *gensec_get_name_by_authtype(uint8_t authtype) 
246 {
247         const struct gensec_security_ops *ops;
248         ops = gensec_security_by_authtype(authtype);
249         if (ops) {
250                 return ops->name;
251         }
252         return NULL;
253 }
254         
255
256 const char *gensec_get_name_by_oid(const char *oid_string) 
257 {
258         const struct gensec_security_ops *ops;
259         ops = gensec_security_by_oid(oid_string);
260         if (ops) {
261                 return ops->name;
262         }
263         return NULL;
264 }
265         
266
267 /** 
268  * Start a GENSEC sub-mechanism by OID, used in SPNEGO
269  *
270  * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a
271  *       well-known #define to hook it in.
272  */
273
274 NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, 
275                                   const char *mech_oid) 
276 {
277         gensec_security->ops = gensec_security_by_oid(mech_oid);
278         if (!gensec_security->ops) {
279                 DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
280                 return NT_STATUS_INVALID_PARAMETER;
281         }
282         return gensec_start_mech(gensec_security);
283 }
284
285 /** 
286  * Start a GENSEC sub-mechanism by a well know SASL name
287  *
288  */
289
290 NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, 
291                                         const char *sasl_name) 
292 {
293         gensec_security->ops = gensec_security_by_sasl_name(sasl_name);
294         if (!gensec_security->ops) {
295                 DEBUG(3, ("Could not find GENSEC backend for sasl_name=%s\n", sasl_name));
296                 return NT_STATUS_INVALID_PARAMETER;
297         }
298         return gensec_start_mech(gensec_security);
299 }
300
301 /*
302   wrappers for the gensec function pointers
303 */
304 NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, 
305                               TALLOC_CTX *mem_ctx, 
306                               uint8_t *data, size_t length, 
307                               const uint8_t *whole_pdu, size_t pdu_length, 
308                               DATA_BLOB *sig)
309 {
310         if (!gensec_security->ops->unseal_packet) {
311                 return NT_STATUS_NOT_IMPLEMENTED;
312         }
313         if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
314                 if (gensec_security->want_features & GENSEC_WANT_SIGN) {
315                         return gensec_check_packet(gensec_security, mem_ctx, 
316                                                    data, length, 
317                                                    whole_pdu, pdu_length, 
318                                                    sig);
319                 }
320                 return NT_STATUS_INVALID_PARAMETER;
321         }
322
323         return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, 
324                                                    data, length, 
325                                                    whole_pdu, pdu_length, 
326                                                    sig);
327 }
328
329 NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, 
330                              TALLOC_CTX *mem_ctx, 
331                              const uint8_t *data, size_t length, 
332                              const uint8_t *whole_pdu, size_t pdu_length, 
333                              const DATA_BLOB *sig)
334 {
335         if (!gensec_security->ops->check_packet) {
336                 return NT_STATUS_NOT_IMPLEMENTED;
337         }
338         if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
339                 return NT_STATUS_INVALID_PARAMETER;
340         }
341         
342         return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
343 }
344
345 NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, 
346                             TALLOC_CTX *mem_ctx, 
347                             uint8_t *data, size_t length, 
348                             const uint8_t *whole_pdu, size_t pdu_length, 
349                             DATA_BLOB *sig)
350 {
351         if (!gensec_security->ops->seal_packet) {
352                 return NT_STATUS_NOT_IMPLEMENTED;
353         }
354         if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
355                 if (gensec_security->want_features & GENSEC_WANT_SIGN) {
356                         return gensec_sign_packet(gensec_security, mem_ctx, 
357                                                   data, length, 
358                                                   whole_pdu, pdu_length, 
359                                                   sig);
360                 }
361                 return NT_STATUS_INVALID_PARAMETER;
362         }
363
364         return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
365 }
366
367 NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, 
368                             TALLOC_CTX *mem_ctx, 
369                             const uint8_t *data, size_t length, 
370                             const uint8_t *whole_pdu, size_t pdu_length, 
371                             DATA_BLOB *sig)
372 {
373         if (!gensec_security->ops->sign_packet) {
374                 return NT_STATUS_NOT_IMPLEMENTED;
375         }
376         if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
377                 return NT_STATUS_INVALID_PARAMETER;
378         }
379         
380         return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
381 }
382
383 size_t gensec_sig_size(struct gensec_security *gensec_security) 
384 {
385         if (!gensec_security->ops->sig_size) {
386                 return 0;
387         }
388         if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
389                 return 0;
390         }
391         
392         return gensec_security->ops->sig_size(gensec_security);
393 }
394
395 NTSTATUS gensec_session_key(struct gensec_security *gensec_security, 
396                             DATA_BLOB *session_key)
397 {
398         if (!gensec_security->ops->session_key) {
399                 return NT_STATUS_NOT_IMPLEMENTED;
400         }
401         if (!(gensec_security->want_features & GENSEC_WANT_SESSION_KEY)) {
402                 return NT_STATUS_INVALID_PARAMETER;
403         }
404         
405         return gensec_security->ops->session_key(gensec_security, session_key);
406 }
407
408 /** 
409  * Return the credentials of a logged on user, including session keys
410  * etc.
411  *
412  * Only valid after a successful authentication
413  *
414  * May only be called once per authentication.
415  *
416  */
417
418 NTSTATUS gensec_session_info(struct gensec_security *gensec_security, 
419                              struct auth_session_info **session_info)
420 {
421         if (!gensec_security->ops->session_info) {
422                 return NT_STATUS_NOT_IMPLEMENTED;
423         }
424         return gensec_security->ops->session_info(gensec_security, session_info);
425 }
426
427 /**
428  * Next state function for the GENSEC state machine
429  * 
430  * @param gensec_security GENSEC State
431  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
432  * @param in The request, as a DATA_BLOB
433  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
434  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
435  *                or NT_STATUS_OK if the user is authenticated. 
436  */
437
438 NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, 
439                        const DATA_BLOB in, DATA_BLOB *out) 
440 {
441         return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out);
442 }
443
444 void gensec_end(struct gensec_security **gensec_security)
445 {
446         if ((*gensec_security)->ops) {
447                 (*gensec_security)->ops->end(*gensec_security);
448         }
449         (*gensec_security)->private_data = NULL;
450
451         talloc_free(*gensec_security);
452         *gensec_security = NULL;
453 }
454
455 /** 
456  * Set the requirement for a certain feature on the connection
457  *
458  */
459
460 void gensec_want_feature(struct gensec_security *gensec_security,
461                          uint32 feature) 
462 {
463         gensec_security->want_features |= feature;
464 }
465
466 /** 
467  * Check the requirement for a certain feature on the connection
468  *
469  */
470
471 BOOL gensec_have_feature(struct gensec_security *gensec_security,
472                          uint32 feature) 
473 {
474         if (gensec_security->want_features & feature) {
475                 return True;
476         }
477
478         return False;
479 }
480
481 /** 
482  * Set a username on a GENSEC context - ensures it is talloc()ed 
483  *
484  */
485
486 NTSTATUS gensec_set_unparsed_username(struct gensec_security *gensec_security, const char *user) 
487 {
488         char *p;
489         char *u = talloc_strdup(gensec_security, user);
490         if (!u) {
491                 return NT_STATUS_NO_MEMORY;
492         }
493
494         p = strchr_m(user, '@');
495         
496         if (p) {
497                 *p = '\0';
498                 gensec_security->user.name = talloc_strdup(gensec_security, u);
499                 if (!gensec_security->user.name) {
500                         return NT_STATUS_NO_MEMORY;
501                 }
502                 
503                 gensec_security->user.realm = talloc_strdup(gensec_security, p+1);
504                 if (!gensec_security->user.realm) {
505                         return NT_STATUS_NO_MEMORY;
506                 }
507                 return NT_STATUS_OK;
508         } 
509
510         p = strchr_m(user, '\\');
511         if (!p) {
512                 p = strchr_m(user, '/');
513         }
514         
515         if (p) {
516                 *p = '\0';
517                 gensec_security->user.domain = talloc_strdup(gensec_security, u);
518                 if (!gensec_security->user.domain) {
519                         return NT_STATUS_NO_MEMORY;
520                 }
521                 gensec_security->user.name = talloc_strdup(gensec_security, p+1);
522                 if (!gensec_security->user.name) {
523                         return NT_STATUS_NO_MEMORY;
524                 }
525                 
526                 return NT_STATUS_OK;
527         } 
528         
529         gensec_security->user.name = u;
530         if (!gensec_security->user.name) {
531                 return NT_STATUS_NO_MEMORY;
532         }
533         return NT_STATUS_OK;
534 }
535
536 /** 
537  * Set a username on a GENSEC context - ensures it is talloc()ed 
538  *
539  */
540
541 NTSTATUS gensec_set_username(struct gensec_security *gensec_security, const char *user) 
542 {
543         gensec_security->user.name = talloc_strdup(gensec_security, user);
544         if (!gensec_security->user.name) {
545                 return NT_STATUS_NO_MEMORY;
546         }
547         return NT_STATUS_OK;
548 }
549
550 /** 
551  * Set a username on a GENSEC context - ensures it is talloc()ed 
552  *
553  */
554
555 const char *gensec_get_username(struct gensec_security *gensec_security) 
556 {
557         if (gensec_security->user.name) {
558                 return gensec_security->user.name;
559         }
560         return gensec_security->default_user.name;
561 }
562
563 /** 
564  * Set a domain on a GENSEC context - ensures it is talloc()ed 
565  *
566  */
567
568 NTSTATUS gensec_set_domain(struct gensec_security *gensec_security, const char *domain) 
569 {
570         gensec_security->user.domain = talloc_strdup(gensec_security, domain);
571         if (!gensec_security->user.domain) {
572                 return NT_STATUS_NO_MEMORY;
573         }
574         return NT_STATUS_OK;
575 }
576
577 /** 
578  * Return the NT domain for this GENSEC context
579  *
580  */
581
582 const char *gensec_get_domain(struct gensec_security *gensec_security) 
583 {
584         if (gensec_security->user.domain) {
585                 return gensec_security->user.domain;
586         } else if (gensec_security->user.realm) {
587                 return gensec_security->user.realm;
588         }
589         return gensec_security->default_user.domain;
590 }
591
592 /** 
593  * Set a kerberos realm on a GENSEC context - ensures it is talloc()ed 
594  *
595  */
596
597 NTSTATUS gensec_set_realm(struct gensec_security *gensec_security, const char *realm) 
598 {
599         gensec_security->user.realm = talloc_strdup(gensec_security, realm);
600         if (!gensec_security->user.realm) {
601                 return NT_STATUS_NO_MEMORY;
602         }
603         return NT_STATUS_OK;
604 }
605
606 /** 
607  * Return the Krb5 realm for this context
608  *
609  */
610
611 const char *gensec_get_realm(struct gensec_security *gensec_security) 
612 {
613         if (gensec_security->user.realm) {
614                 return gensec_security->user.realm;
615         } else if (gensec_security->user.domain) {
616                 return gensec_security->user.domain;
617         }
618         return gensec_security->default_user.realm;
619 }
620
621 /** 
622  * Return a kerberos principal for this context, if one has been set 
623  *
624  */
625
626 char *gensec_get_client_principal(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx) 
627 {
628         const char *realm = gensec_get_realm(gensec_security);
629         if (realm) {
630                 return talloc_asprintf(mem_ctx, "%s@%s", 
631                                        gensec_get_username(gensec_security), 
632                                        gensec_get_realm(gensec_security));
633         } else {
634                 return talloc_strdup(mem_ctx, gensec_get_username(gensec_security));
635         }
636 }
637
638 /** 
639  * Set the password outright on GENSEC context - ensures it is talloc()ed, and that we will
640  * not do a callback
641  *
642  */
643
644 NTSTATUS gensec_set_password(struct gensec_security *gensec_security,
645                              const char *password) 
646 {
647         gensec_security->user.password = talloc_strdup(gensec_security, password);
648         if (!gensec_security->user.password) {
649                 return NT_STATUS_NO_MEMORY;
650         }
651         return NT_STATUS_OK;
652 }
653
654 /** 
655  * Set the target principal name (if already known) on a GENSEC context - ensures it is talloc()ed 
656  *
657  */
658
659 NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal) 
660 {
661         gensec_security->target.principal = talloc_strdup(gensec_security, principal);
662         if (!gensec_security->target.principal) {
663                 return NT_STATUS_NO_MEMORY;
664         }
665         return NT_STATUS_OK;
666 }
667
668 /** 
669  * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed 
670  *
671  */
672
673 NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service) 
674 {
675         gensec_security->target.service = talloc_strdup(gensec_security, service);
676         if (!gensec_security->target.service) {
677                 return NT_STATUS_NO_MEMORY;
678         }
679         return NT_STATUS_OK;
680 }
681
682 /** 
683  * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed 
684  *
685  */
686
687 NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname) 
688 {
689         gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
690         if (!gensec_security->target.hostname) {
691                 return NT_STATUS_NO_MEMORY;
692         }
693         return NT_STATUS_OK;
694 }
695
696 const char *gensec_get_target_hostname(struct gensec_security *gensec_security) 
697 {
698         if (gensec_security->target.hostname) {
699                 return gensec_security->target.hostname;
700         }
701
702         /* TODO: Add a 'set sockaddr' call, and do a reverse lookup */
703         return NULL;
704 }
705
706 const char *gensec_get_target_service(struct gensec_security *gensec_security) 
707 {
708         if (gensec_security->target.service) {
709                 return gensec_security->target.service;
710         }
711
712         return "host";
713 }
714
715 /** 
716  * Set a password callback, if the gensec module we use demands a password
717  */
718
719 void gensec_set_password_callback(struct gensec_security *gensec_security, 
720                                   gensec_password_callback callback, void *callback_private_data) 
721 {
722         gensec_security->password_callback = callback;
723         gensec_security->password_callback_private = callback_private_data;
724 }
725
726 /**
727  * Get (or call back for) a password.
728  */
729
730 NTSTATUS gensec_get_password(struct gensec_security *gensec_security,
731                              TALLOC_CTX *mem_ctx, 
732                              char **password) 
733 {
734         if (gensec_security->user.password) {
735                 *password = talloc_strdup(mem_ctx, gensec_security->user.password);
736                 if (!*password) {
737                         return NT_STATUS_NO_MEMORY;
738                 } else {
739                         return NT_STATUS_OK;
740                 }
741         }
742         if (!gensec_security->password_callback) {
743                 return NT_STATUS_INVALID_PARAMETER;
744         }
745         return gensec_security->password_callback(gensec_security, mem_ctx, password);
746 }
747
748 /*
749   register a GENSEC backend. 
750
751   The 'name' can be later used by other backends to find the operations
752   structure for this backend.
753 */
754 NTSTATUS gensec_register(const void *_ops)
755 {
756         const struct gensec_security_ops *ops = _ops;
757         
758         if (!lp_parm_bool(-1, "gensec", ops->name, True)) {
759                 DEBUG(2,("gensec subsystem %s is disabled\n", ops->name));
760                 return NT_STATUS_OK;
761         }
762
763         if (gensec_security_by_name(ops->name) != NULL) {
764                 /* its already registered! */
765                 DEBUG(0,("GENSEC backend '%s' already registered\n", 
766                          ops->name));
767                 return NT_STATUS_OBJECT_NAME_COLLISION;
768         }
769
770         generic_security_ops = Realloc(generic_security_ops, sizeof(generic_security_ops[0]) * (gensec_num_backends+1));
771         if (!generic_security_ops) {
772                 smb_panic("out of memory in gensec_register");
773         }
774
775         generic_security_ops[gensec_num_backends] = ops;
776
777         gensec_num_backends++;
778
779         DEBUG(3,("GENSEC backend '%s' registered\n", 
780                  ops->name));
781
782         return NT_STATUS_OK;
783 }
784
785 /*
786   return the GENSEC interface version, and the size of some critical types
787   This can be used by backends to either detect compilation errors, or provide
788   multiple implementations for different smbd compilation options in one module
789 */
790 const struct gensec_critical_sizes *gensec_interface_version(void)
791 {
792         static const struct gensec_critical_sizes critical_sizes = {
793                 GENSEC_INTERFACE_VERSION,
794                 sizeof(struct gensec_security_ops),
795                 sizeof(struct gensec_security),
796         };
797
798         return &critical_sizes;
799 }
800
801 /*
802   initialise the GENSEC subsystem
803 */
804 NTSTATUS gensec_init(void)
805 {
806         gensec_dcerpc_schannel_init();
807         return NT_STATUS_OK;
808 }