gensec: split GENSEC into mechanism-dependent and runtime functions
authorAndrew Bartlett <abartlet@samba.org>
Thu, 21 Jul 2011 03:20:26 +0000 (13:20 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 3 Aug 2011 08:48:01 +0000 (18:48 +1000)
The startup and runtime functions that have no dependencies are moved
into the top level.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
18 files changed:
auth/gensec/gensec.c [new file with mode: 0644]
auth/gensec/gensec.h [moved from source4/auth/gensec/gensec.h with 77% similarity]
auth/gensec/wscript_build [new file with mode: 0644]
auth/wscript_build
source4/auth/gensec/gensec_gssapi.c
source4/auth/gensec/gensec_krb5.c
source4/auth/gensec/gensec_socket.h [new file with mode: 0644]
source4/auth/gensec/gensec_start.c [moved from source4/auth/gensec/gensec.c with 59% similarity]
source4/auth/gensec/gensec_tstream.c
source4/auth/gensec/schannel.h [new file with mode: 0644]
source4/auth/gensec/spnego.c
source4/auth/gensec/wscript_build
source4/libcli/ldap/ldap_bind.c
source4/libnet/libnet_samsync.c
source4/torture/rpc/samlogon.c
source4/torture/rpc/samr.c
source4/torture/rpc/samsync.c
source4/torture/rpc/schannel.c

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
new file mode 100644 (file)
index 0000000..390913d
--- /dev/null
@@ -0,0 +1,518 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Generic Authentication Interface
+
+   Copyright (C) Andrew Tridgell 2003
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/network.h"
+#include <tevent.h>
+#include "lib/tsocket/tsocket.h"
+#include "lib/util/tevent_ntstatus.h"
+#include "auth/gensec/gensec.h"
+
+/*
+  wrappers for the gensec function pointers
+*/
+_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
+                             TALLOC_CTX *mem_ctx,
+                             uint8_t *data, size_t length,
+                             const uint8_t *whole_pdu, size_t pdu_length,
+                             const DATA_BLOB *sig)
+{
+       if (!gensec_security->ops->unseal_packet) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       return gensec_security->ops->unseal_packet(gensec_security, mem_ctx,
+                                                  data, length,
+                                                  whole_pdu, pdu_length,
+                                                  sig);
+}
+
+_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
+                            TALLOC_CTX *mem_ctx,
+                            const uint8_t *data, size_t length,
+                            const uint8_t *whole_pdu, size_t pdu_length,
+                            const DATA_BLOB *sig)
+{
+       if (!gensec_security->ops->check_packet) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
+}
+
+_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
+                           TALLOC_CTX *mem_ctx,
+                           uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
+                           DATA_BLOB *sig)
+{
+       if (!gensec_security->ops->seal_packet) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
+}
+
+_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
+                           TALLOC_CTX *mem_ctx,
+                           const uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
+                           DATA_BLOB *sig)
+{
+       if (!gensec_security->ops->sign_packet) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
+}
+
+_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
+{
+       if (!gensec_security->ops->sig_size) {
+               return 0;
+       }
+       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+               return 0;
+       }
+
+       return gensec_security->ops->sig_size(gensec_security, data_size);
+}
+
+size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
+{
+       if (!gensec_security->ops->max_wrapped_size) {
+               return (1 << 17);
+       }
+
+       return gensec_security->ops->max_wrapped_size(gensec_security);
+}
+
+size_t gensec_max_input_size(struct gensec_security *gensec_security)
+{
+       if (!gensec_security->ops->max_input_size) {
+               return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
+       }
+
+       return gensec_security->ops->max_input_size(gensec_security);
+}
+
+_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
+                    TALLOC_CTX *mem_ctx,
+                    const DATA_BLOB *in,
+                    DATA_BLOB *out)
+{
+       if (!gensec_security->ops->wrap) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
+}
+
+_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
+                      TALLOC_CTX *mem_ctx,
+                      const DATA_BLOB *in,
+                      DATA_BLOB *out)
+{
+       if (!gensec_security->ops->unwrap) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
+}
+
+_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
+                           DATA_BLOB *session_key)
+{
+       if (!gensec_security->ops->session_key) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       return gensec_security->ops->session_key(gensec_security, session_key);
+}
+
+/**
+ * Return the credentials of a logged on user, including session keys
+ * etc.
+ *
+ * Only valid after a successful authentication
+ *
+ * May only be called once per authentication.
+ *
+ */
+
+_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
+                            struct auth_session_info **session_info)
+{
+       if (!gensec_security->ops->session_info) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+       return gensec_security->ops->session_info(gensec_security, session_info);
+}
+
+/**
+ * Next state function for the GENSEC state machine
+ *
+ * @param gensec_security GENSEC State
+ * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
+ * @param in The request, as a DATA_BLOB
+ * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
+ * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
+ *                or NT_STATUS_OK if the user is authenticated.
+ */
+
+_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+                      const DATA_BLOB in, DATA_BLOB *out)
+{
+       return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out);
+}
+
+struct gensec_update_state {
+       struct tevent_immediate *im;
+       struct gensec_security *gensec_security;
+       DATA_BLOB in;
+       DATA_BLOB out;
+};
+
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+                                       struct tevent_immediate *im,
+                                       void *private_data);
+/**
+ * Next state function for the GENSEC state machine async version
+ *
+ * @param mem_ctx The memory context for the request
+ * @param ev The event context for the request
+ * @param gensec_security GENSEC State
+ * @param in The request, as a DATA_BLOB
+ *
+ * @return The request handle or NULL on no memory failure
+ */
+
+_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+                                              struct tevent_context *ev,
+                                              struct gensec_security *gensec_security,
+                                              const DATA_BLOB in)
+{
+       struct tevent_req *req;
+       struct gensec_update_state *state = NULL;
+
+       req = tevent_req_create(mem_ctx, &state,
+                               struct gensec_update_state);
+       if (req == NULL) {
+               return NULL;
+       }
+
+       state->gensec_security          = gensec_security;
+       state->in                       = in;
+       state->out                      = data_blob(NULL, 0);
+       state->im                       = tevent_create_immediate(state);
+       if (tevent_req_nomem(state->im, req)) {
+               return tevent_req_post(req, ev);
+       }
+
+       tevent_schedule_immediate(state->im, ev,
+                                 gensec_update_async_trigger,
+                                 req);
+
+       return req;
+}
+
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+                                       struct tevent_immediate *im,
+                                       void *private_data)
+{
+       struct tevent_req *req =
+               talloc_get_type_abort(private_data, struct tevent_req);
+       struct gensec_update_state *state =
+               tevent_req_data(req, struct gensec_update_state);
+       NTSTATUS status;
+
+       status = gensec_update(state->gensec_security, state,
+                              state->in, &state->out);
+       if (tevent_req_nterror(req, status)) {
+               return;
+       }
+
+       tevent_req_done(req);
+}
+
+/**
+ * Next state function for the GENSEC state machine
+ *
+ * @param req request state
+ * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
+ * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
+ * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
+ *                or NT_STATUS_OK if the user is authenticated.
+ */
+_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
+                                    TALLOC_CTX *out_mem_ctx,
+                                    DATA_BLOB *out)
+{
+       struct gensec_update_state *state =
+               tevent_req_data(req, struct gensec_update_state);
+       NTSTATUS status;
+
+       if (tevent_req_is_nterror(req, &status)) {
+               if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+                       tevent_req_received(req);
+                       return status;
+               }
+       } else {
+               status = NT_STATUS_OK;
+       }
+
+       *out = state->out;
+       talloc_steal(out_mem_ctx, out->data);
+
+       tevent_req_received(req);
+       return status;
+}
+
+/**
+ * Set the requirement for a certain feature on the connection
+ *
+ */
+
+_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
+                        uint32_t feature)
+{
+       if (!gensec_security->ops || !gensec_security->ops->want_feature) {
+               gensec_security->want_features |= feature;
+               return;
+       }
+       gensec_security->ops->want_feature(gensec_security, feature);
+}
+
+/**
+ * Check the requirement for a certain feature on the connection
+ *
+ */
+
+_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
+                        uint32_t feature)
+{
+       if (!gensec_security->ops->have_feature) {
+               return false;
+       }
+
+       /* We might 'have' features that we don't 'want', because the
+        * other end demanded them, or we can't neotiate them off */
+       return gensec_security->ops->have_feature(gensec_security, feature);
+}
+
+/**
+ * Return the credentials structure associated with a GENSEC context
+ *
+ */
+
+_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
+{
+       if (!gensec_security) {
+               return NULL;
+       }
+       return gensec_security->credentials;
+}
+
+/**
+ * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
+ *
+ */
+
+_PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
+{
+       gensec_security->target.service = talloc_strdup(gensec_security, service);
+       if (!gensec_security->target.service) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       return NT_STATUS_OK;
+}
+
+_PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
+{
+       if (gensec_security->target.service) {
+               return gensec_security->target.service;
+       }
+
+       return "host";
+}
+
+/**
+ * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
+ *
+ */
+
+_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
+{
+       gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
+       if (hostname && !gensec_security->target.hostname) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       return NT_STATUS_OK;
+}
+
+_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
+{
+       /* We allow the target hostname to be overriden for testing purposes */
+       if (gensec_security->settings->target_hostname) {
+               return gensec_security->settings->target_hostname;
+       }
+
+       if (gensec_security->target.hostname) {
+               return gensec_security->target.hostname;
+       }
+
+       /* We could add use the 'set sockaddr' call, and do a reverse
+        * lookup, but this would be both insecure (compromising the
+        * way kerberos works) and add DNS timeouts */
+       return NULL;
+}
+
+/**
+ * Set (and talloc_reference) local and peer socket addresses onto a socket
+ * context on the GENSEC context.
+ *
+ * This is so that kerberos can include these addresses in
+ * cryptographic tokens, to avoid certain attacks.
+ */
+
+/**
+ * @brief Set the local gensec address.
+ *
+ * @param  gensec_security   The gensec security context to use.
+ *
+ * @param  remote       The local address to set.
+ *
+ * @return              On success NT_STATUS_OK is returned or an NT_STATUS
+ *                      error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+               const struct tsocket_address *local)
+{
+       TALLOC_FREE(gensec_security->local_addr);
+
+       if (local == NULL) {
+               return NT_STATUS_OK;
+       }
+
+       gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
+       if (gensec_security->local_addr == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
+}
+
+/**
+ * @brief Set the remote gensec address.
+ *
+ * @param  gensec_security   The gensec security context to use.
+ *
+ * @param  remote       The remote address to set.
+ *
+ * @return              On success NT_STATUS_OK is returned or an NT_STATUS
+ *                      error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+               const struct tsocket_address *remote)
+{
+       TALLOC_FREE(gensec_security->remote_addr);
+
+       if (remote == NULL) {
+               return NT_STATUS_OK;
+       }
+
+       gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
+       if (gensec_security->remote_addr == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
+}
+
+/**
+ * @brief Get the local address from a gensec security context.
+ *
+ * @param  gensec_security   The security context to get the address from.
+ *
+ * @return              The address as tsocket_address which could be NULL if
+ *                      no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
+{
+       if (gensec_security == NULL) {
+               return NULL;
+       }
+       return gensec_security->local_addr;
+}
+
+/**
+ * @brief Get the remote address from a gensec security context.
+ *
+ * @param  gensec_security   The security context to get the address from.
+ *
+ * @return              The address as tsocket_address which could be NULL if
+ *                      no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
+{
+       if (gensec_security == NULL) {
+               return NULL;
+       }
+       return gensec_security->remote_addr;
+}
+
+/**
+ * Set the target principal (assuming it it known, say from the SPNEGO reply)
+ *  - ensures it is talloc()ed
+ *
+ */
+
+_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
+{
+       gensec_security->target.principal = talloc_strdup(gensec_security, principal);
+       if (!gensec_security->target.principal) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       return NT_STATUS_OK;
+}
+
+const char *gensec_get_target_principal(struct gensec_security *gensec_security)
+{
+       if (gensec_security->target.principal) {
+               return gensec_security->target.principal;
+       }
+
+       return NULL;
+}
similarity index 77%
rename from source4/auth/gensec/gensec.h
rename to auth/gensec/gensec.h
index 322adce..b897419 100644 (file)
@@ -1,21 +1,21 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
+
    Generic Authentication Interface
 
    Copyright (C) Andrew Tridgell 2003
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -89,61 +89,61 @@ struct gensec_security_ops {
        /**
           Determine if a packet has the right 'magic' for this mechanism
        */
-       NTSTATUS (*magic)(struct gensec_security *gensec_security, 
+       NTSTATUS (*magic)(struct gensec_security *gensec_security,
                          const DATA_BLOB *first_packet);
        NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
                           const DATA_BLOB in, DATA_BLOB *out);
        NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-                               uint8_t *data, size_t length, 
-                               const uint8_t *whole_pdu, size_t pdu_length, 
+                               uint8_t *data, size_t length,
+                               const uint8_t *whole_pdu, size_t pdu_length,
                                DATA_BLOB *sig);
        NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-                               const uint8_t *data, size_t length, 
-                               const uint8_t *whole_pdu, size_t pdu_length, 
+                               const uint8_t *data, size_t length,
+                               const uint8_t *whole_pdu, size_t pdu_length,
                                DATA_BLOB *sig);
        size_t   (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
        size_t   (*max_input_size)(struct gensec_security *gensec_security);
        size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
-       NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, 
-                                const uint8_t *data, size_t length, 
-                                const uint8_t *whole_pdu, size_t pdu_length, 
+       NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+                                const uint8_t *data, size_t length,
+                                const uint8_t *whole_pdu, size_t pdu_length,
                                 const DATA_BLOB *sig);
        NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-                                 uint8_t *data, size_t length, 
-                                 const uint8_t *whole_pdu, size_t pdu_length, 
+                                 uint8_t *data, size_t length,
+                                 const uint8_t *whole_pdu, size_t pdu_length,
                                  const DATA_BLOB *sig);
-       NTSTATUS (*wrap)(struct gensec_security *gensec_security, 
-                                 TALLOC_CTX *mem_ctx, 
-                                 const DATA_BLOB *in, 
-                                 DATA_BLOB *out); 
-       NTSTATUS (*unwrap)(struct gensec_security *gensec_security, 
-                          TALLOC_CTX *mem_ctx, 
-                          const DATA_BLOB *in, 
-                          DATA_BLOB *out); 
-       NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security, 
-                                TALLOC_CTX *mem_ctx, 
-                                const DATA_BLOB *in, 
+       NTSTATUS (*wrap)(struct gensec_security *gensec_security,
+                                 TALLOC_CTX *mem_ctx,
+                                 const DATA_BLOB *in,
+                                 DATA_BLOB *out);
+       NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
+                          TALLOC_CTX *mem_ctx,
+                          const DATA_BLOB *in,
+                          DATA_BLOB *out);
+       NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
+                                TALLOC_CTX *mem_ctx,
+                                const DATA_BLOB *in,
                                 DATA_BLOB *out,
-                                size_t *len_processed); 
-       NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security, 
-                                  TALLOC_CTX *mem_ctx, 
-                                  const DATA_BLOB *in, 
+                                size_t *len_processed);
+       NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
+                                  TALLOC_CTX *mem_ctx,
+                                  const DATA_BLOB *in,
                                   DATA_BLOB *out,
-                                  size_t *len_processed); 
+                                  size_t *len_processed);
        NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
                                        DATA_BLOB blob, size_t *size);
        NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key);
-       NTSTATUS (*session_info)(struct gensec_security *gensec_security, 
-                                struct auth_session_info **session_info); 
+       NTSTATUS (*session_info)(struct gensec_security *gensec_security,
+                                struct auth_session_info **session_info);
        void (*want_feature)(struct gensec_security *gensec_security,
                                    uint32_t feature);
        bool (*have_feature)(struct gensec_security *gensec_security,
-                                   uint32_t feature); 
+                                   uint32_t feature);
        bool enabled;
        bool kerberos;
        enum gensec_priority priority;
 };
-       
+
 struct gensec_security_ops_wrapper {
        const struct gensec_security_ops *op;
        const char *oid;
@@ -162,7 +162,7 @@ struct gensec_security {
        struct tevent_context *event_ctx;
        struct tsocket_address *local_addr, *remote_addr;
        struct gensec_settings *settings;
-       
+
        /* When we are a server, this may be filled in to provide an
         * NTLM authentication backend, and user lookup (such as if no
         * PAC is found) */
@@ -183,25 +183,18 @@ struct socket_context;
 struct auth4_context;
 struct auth_user_info_dc;
 
-NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
-                           TALLOC_CTX *mem_ctx, 
-                           struct socket_context *current_socket,
-                           struct tevent_context *ev,
-                           void (*recv_handler)(void *, uint16_t),
-                           void *recv_private,
-                           struct socket_context **new_socket);
 /* These functions are for use here only (public because SPNEGO must
  * use them for recursion) */
-NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security, 
-                            TALLOC_CTX *mem_ctx, 
-                            const DATA_BLOB *in, 
+NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
+                            TALLOC_CTX *mem_ctx,
+                            const DATA_BLOB *in,
                             DATA_BLOB *out,
                             size_t *len_processed);
 /* These functions are for use here only (public because SPNEGO must
  * use them for recursion) */
-NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security, 
-                              TALLOC_CTX *mem_ctx, 
-                              const DATA_BLOB *in, 
+NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
+                              TALLOC_CTX *mem_ctx,
+                              const DATA_BLOB *in,
                               DATA_BLOB *out,
                               size_t *len_processed);
 
@@ -212,16 +205,18 @@ NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
 
 struct loadparm_context;
 
-NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, 
-                                struct gensec_security *parent, 
+NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
+                                struct gensec_security *parent,
                                 struct gensec_security **gensec_security);
-NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, 
+NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
                             struct gensec_security **gensec_security,
                             struct tevent_context *ev,
                             struct gensec_settings *settings);
-NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, 
+NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
+                                 const struct gensec_security_ops *ops);
+NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
                                                 const char **sasl_names);
-NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, 
+NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
                       const DATA_BLOB in, DATA_BLOB *out);
 struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
                                      struct tevent_context *ev,
@@ -237,49 +232,46 @@ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, cons
 const char *gensec_get_target_service(struct gensec_security *gensec_security);
 NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname);
 const char *gensec_get_target_hostname(struct gensec_security *gensec_security);
-NTSTATUS gensec_session_key(struct gensec_security *gensec_security, 
+NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
                            DATA_BLOB *session_key);
-NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, 
+NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
                                  const char *mech_oid);
 const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
 struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
 NTSTATUS gensec_init(void);
-NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, 
-                             TALLOC_CTX *mem_ctx, 
-                             uint8_t *data, size_t length, 
-                             const uint8_t *whole_pdu, size_t pdu_length, 
+size_t gensec_max_input_size(struct gensec_security *gensec_security);
+NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
+                             TALLOC_CTX *mem_ctx,
+                             uint8_t *data, size_t length,
+                             const uint8_t *whole_pdu, size_t pdu_length,
                              const DATA_BLOB *sig);
-NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, 
-                            TALLOC_CTX *mem_ctx, 
-                            const uint8_t *data, size_t length, 
-                            const uint8_t *whole_pdu, size_t pdu_length, 
+NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
+                            TALLOC_CTX *mem_ctx,
+                            const uint8_t *data, size_t length,
+                            const uint8_t *whole_pdu, size_t pdu_length,
                             const DATA_BLOB *sig);
 size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size);
-NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, 
-                           TALLOC_CTX *mem_ctx, 
-                           uint8_t *data, size_t length, 
-                           const uint8_t *whole_pdu, size_t pdu_length, 
+NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
+                           TALLOC_CTX *mem_ctx,
+                           uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
                            DATA_BLOB *sig);
-NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, 
-                           TALLOC_CTX *mem_ctx, 
-                           const uint8_t *data, size_t length, 
-                           const uint8_t *whole_pdu, size_t pdu_length, 
+NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
+                           TALLOC_CTX *mem_ctx,
+                           const uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
                            DATA_BLOB *sig);
-NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, 
+NTSTATUS gensec_start_mech(struct gensec_security *gensec_security);
+NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
                                       uint8_t auth_type, uint8_t auth_level);
 const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype);
-NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, 
+NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
                             struct tevent_context *ev,
                             struct gensec_settings *settings,
                             struct auth4_context *auth_context,
                             struct gensec_security **gensec_security);
-NTSTATUS gensec_session_info(struct gensec_security *gensec_security, 
+NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
                             struct auth_session_info **session_info);
-struct netlogon_creds_CredentialState;
-NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
-                              TALLOC_CTX *mem_ctx,
-                              struct netlogon_creds_CredentialState **creds);
-
 
 NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
                const struct tsocket_address *local);
@@ -288,25 +280,25 @@ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
 const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security);
 const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security);
 
-NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, 
+NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
                                        const char *name);
 
-NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, 
-                      TALLOC_CTX *mem_ctx, 
-                      const DATA_BLOB *in, 
+NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
+                      TALLOC_CTX *mem_ctx,
+                      const DATA_BLOB *in,
                       DATA_BLOB *out);
-NTSTATUS gensec_wrap(struct gensec_security *gensec_security, 
-                    TALLOC_CTX *mem_ctx, 
-                    const DATA_BLOB *in, 
+NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
+                    TALLOC_CTX *mem_ctx,
+                    const DATA_BLOB *in,
                     DATA_BLOB *out);
 
 struct gensec_security_ops **gensec_security_all(void);
 bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
-struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, 
-                                                      struct gensec_security_ops **old_gensec_list, 
+struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
+                                                      struct gensec_security_ops **old_gensec_list,
                                                       struct cli_credentials *creds);
 
-NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, 
+NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
                                        const char *sasl_name);
 
 int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
new file mode 100644 (file)
index 0000000..4daa1de
--- /dev/null
@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+
+bld.SAMBA_SUBSYSTEM('gensec_runtime',
+                    source='gensec.c',
+                    deps='UTIL_TEVENT tevent samba-util LIBTSOCKET',
+                    public_headers='gensec.h',
+                    autoproto='gensec_toplevel_proto.h')
index 0472a20..976e8ab 100644 (file)
@@ -6,3 +6,5 @@ bld.SAMBA_LIBRARY('auth_sam_reply',
                   autoproto='auth_sam_reply.h',
                   private_library=True
                   )
+
+bld.RECURSE('gensec')
index 72c6b3f..6ecd29b 100644 (file)
@@ -34,6 +34,7 @@
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
 #include "auth/session_proto.h"
 #include <gssapi/gssapi.h>
index d47bc77..90794b8 100644 (file)
@@ -35,6 +35,7 @@
 #include "auth/kerberos/kerberos_credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
 #include "auth/auth_sam_reply.h"
 #include "lib/util/util_net.h"
diff --git a/source4/auth/gensec/gensec_socket.h b/source4/auth/gensec/gensec_socket.h
new file mode 100644 (file)
index 0000000..bb12cc0
--- /dev/null
@@ -0,0 +1,28 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   GENSEC socket interface
+
+   Copyright (C) Andrew Bartlett 2006
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+                           TALLOC_CTX *mem_ctx,
+                           struct socket_context *current_socket,
+                           struct tevent_context *ev,
+                           void (*recv_handler)(void *, uint16_t),
+                           void *recv_private,
+                           struct socket_context **new_socket);
similarity index 59%
rename from source4/auth/gensec/gensec.c
rename to source4/auth/gensec/gensec_start.c
index 7dd3eac..d754bb0 100644 (file)
@@ -1,21 +1,21 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
+
    Generic Authentication Interface
 
    Copyright (C) Andrew Tridgell 2003
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -34,6 +34,7 @@
 #include "auth/system_session_proto.h"
 #include "param/param.h"
 #include "lib/util/tsort.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
 
 /* the list of currently registered GENSEC backends */
 static struct gensec_security_ops **generic_security_ops;
@@ -56,8 +57,8 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
  * gensec_security_all(), or from cli_credentials_gensec_list() (ie,
  * an existing list we have trimmed down) */
 
-_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, 
-                                                      struct gensec_security_ops **old_gensec_list, 
+_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
+                                                      struct gensec_security_ops **old_gensec_list,
                                                       struct cli_credentials *creds)
 {
        struct gensec_security_ops **new_gensec_list;
@@ -113,13 +114,13 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
                        return NULL;
                }
        }
-       new_gensec_list[j] = NULL; 
-       
+       new_gensec_list[j] = NULL;
+
        return new_gensec_list;
 }
 
 struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
-                                                  TALLOC_CTX *mem_ctx) 
+                                                  TALLOC_CTX *mem_ctx)
 {
        struct gensec_security_ops **backends;
        backends = gensec_security_all();
@@ -152,7 +153,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
        }
        backends = gensec_security_mechs(gensec_security, mem_ctx);
        for (i=0; backends && backends[i]; i++) {
-               if (!gensec_security_ops_enabled(backends[i], gensec_security))
+               if (!gensec_security_ops_enabled(backends[i], gensec_security))
                                continue;
                if (backends[i]->auth_type == auth_type) {
                        backend = backends[i];
@@ -177,12 +178,12 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
        }
        backends = gensec_security_mechs(gensec_security, mem_ctx);
        for (i=0; backends && backends[i]; i++) {
-               if (gensec_security != NULL && 
-                               !gensec_security_ops_enabled(backends[i], 
+               if (gensec_security != NULL &&
+                               !gensec_security_ops_enabled(backends[i],
                                                                                         gensec_security))
                    continue;
                if (backends[i]->oid) {
-                       for (j=0; backends[i]->oid[j]; j++) { 
+                       for (j=0; backends[i]->oid[j]; j++) {
                                if (backends[i]->oid[j] &&
                                    (strcmp(backends[i]->oid[j], oid_string) == 0)) {
                                        backend = backends[i];
@@ -209,9 +210,9 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
        }
        backends = gensec_security_mechs(gensec_security, mem_ctx);
        for (i=0; backends && backends[i]; i++) {
-               if (!gensec_security_ops_enabled(backends[i], gensec_security))
+               if (!gensec_security_ops_enabled(backends[i], gensec_security))
                    continue;
-               if (backends[i]->sasl_name 
+               if (backends[i]->sasl_name
                    && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
                        backend = backends[i];
                        talloc_free(mem_ctx);
@@ -235,10 +236,10 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
        }
        backends = gensec_security_mechs(gensec_security, mem_ctx);
        for (i=0; backends && backends[i]; i++) {
-               if (gensec_security != NULL && 
+               if (gensec_security != NULL &&
                                !gensec_security_ops_enabled(backends[i], gensec_security))
                    continue;
-               if (backends[i]->name 
+               if (backends[i]->name
                    && (strcmp(backends[i]->name, name) == 0)) {
                        backend = backends[i];
                        talloc_free(mem_ctx);
@@ -251,14 +252,14 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
 
 /**
  * Return a unique list of security subsystems from those specified in
- * the list of SASL names.   
+ * the list of SASL names.
  *
  * Use the list of enabled GENSEC mechanisms from the credentials
  * attached to the gensec_security, and return in our preferred order.
  */
 
 const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_security *gensec_security,
-                                                               TALLOC_CTX *mem_ctx, 
+                                                               TALLOC_CTX *mem_ctx,
                                                                const char **sasl_names)
 {
        const struct gensec_security_ops **backends_out;
@@ -281,34 +282,34 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se
        /* Find backends in our preferred order, by walking our list,
         * then looking in the supplied list */
        for (i=0; backends && backends[i]; i++) {
-               if (gensec_security != NULL &&
+               if (gensec_security != NULL &&
                                !gensec_security_ops_enabled(backends[i], gensec_security))
                    continue;
                for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
                        if (!backends[i]->sasl_name ||
-                           !(strcmp(backends[i]->sasl_name, 
+                           !(strcmp(backends[i]->sasl_name,
                                     sasl_names[sasl_idx]) == 0)) {
                                continue;
                        }
-                       
+
                        for (k=0; backends_out[k]; k++) {
                                if (backends_out[k] == backends[i]) {
                                        break;
                                }
                        }
-                       
+
                        if (k < num_backends_out) {
                                /* already in there */
                                continue;
                        }
-                       
-                       backends_out = talloc_realloc(mem_ctx, backends_out, 
-                                                     const struct gensec_security_ops *, 
+
+                       backends_out = talloc_realloc(mem_ctx, backends_out,
+                                                     const struct gensec_security_ops *,
                                                      num_backends_out + 2);
                        if (!backends_out) {
                                return NULL;
                        }
-                       
+
                        backends_out[num_backends_out] = backends[i];
                        num_backends_out++;
                        backends_out[num_backends_out] = NULL;
@@ -320,14 +321,14 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se
 /**
  * Return a unique list of security subsystems from those specified in
  * the OID list.  That is, where two OIDs refer to the same module,
- * return that module only once. 
+ * return that module only once.
  *
  * Use the list of enabled GENSEC mechanisms from the credentials
  * attached to the gensec_security, and return in our preferred order.
  */
 
 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gensec_security *gensec_security,
-                                                                     TALLOC_CTX *mem_ctx, 
+                                                                     TALLOC_CTX *mem_ctx,
                                                                      const char **oid_strings,
                                                                      const char *skip)
 {
@@ -352,7 +353,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
        /* Find backends in our preferred order, by walking our list,
         * then looking in the supplied list */
        for (i=0; backends && backends[i]; i++) {
-               if (gensec_security != NULL && 
+               if (gensec_security != NULL &&
                                !gensec_security_ops_enabled(backends[i], gensec_security))
                    continue;
                if (!backends[i]->oid) {
@@ -363,31 +364,31 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
                                continue;
                        }
 
-                       for (j=0; backends[i]->oid[j]; j++) { 
+                       for (j=0; backends[i]->oid[j]; j++) {
                                if (!backends[i]->oid[j] ||
-                                   !(strcmp(backends[i]->oid[j], 
+                                   !(strcmp(backends[i]->oid[j],
                                            oid_strings[oid_idx]) == 0)) {
                                        continue;
                                }
-                               
+
                                for (k=0; backends_out[k].op; k++) {
                                        if (backends_out[k].op == backends[i]) {
                                                break;
                                        }
                                }
-                               
+
                                if (k < num_backends_out) {
                                        /* already in there */
                                        continue;
                                }
 
-                               backends_out = talloc_realloc(mem_ctx, backends_out, 
-                                                             struct gensec_security_ops_wrapper, 
+                               backends_out = talloc_realloc(mem_ctx, backends_out,
+                                                             struct gensec_security_ops_wrapper,
                                                              num_backends_out + 2);
                                if (!backends_out) {
                                        return NULL;
                                }
-                               
+
                                backends_out[num_backends_out].op = backends[i];
                                backends_out[num_backends_out].oid = backends[i]->oid[j];
                                num_backends_out++;
@@ -404,9 +405,9 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
  */
 
 const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security,
-                                                                                  TALLOC_CTX *mem_ctx, 
-                                          struct gensec_security_ops **ops,                               
-                                          const char *skip) 
+                                                                                  TALLOC_CTX *mem_ctx,
+                                          struct gensec_security_ops **ops,
+                                          const char *skip)
 {
        int i;
        int j = 0;
@@ -419,16 +420,16 @@ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_securi
        if (!oid_list) {
                return NULL;
        }
-       
+
        for (i=0; ops && ops[i]; i++) {
-               if (gensec_security != NULL && 
+               if (gensec_security != NULL &&
                        !gensec_security_ops_enabled(ops[i], gensec_security)) {
                        continue;
                }
                if (!ops[i]->oid) {
                        continue;
                }
-               
+
                for (k = 0; ops[i]->oid[k]; k++) {
                        if (skip && strcmp(skip, ops[i]->oid[k])==0) {
                        } else {
@@ -450,7 +451,7 @@ const char **gensec_security_oids_from_ops(struct gensec_security *gensec_securi
  * Return OIDS from the security subsystems listed
  */
 
-const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, 
+const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
                                                   const struct gensec_security_ops_wrapper *wops)
 {
        int i;
@@ -464,12 +465,12 @@ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
        if (!oid_list) {
                return NULL;
        }
-       
+
        for (i=0; wops[i].op; i++) {
                if (!wops[i].op->oid) {
                        continue;
                }
-               
+
                for (k = 0; wops[i].op->oid[k]; k++) {
                        oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
                        if (!oid_list) {
@@ -486,35 +487,33 @@ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
 
 /**
  * Return all the security subsystems currently enabled on a GENSEC context.
- * 
+ *
  * This is taken from a list attached to the cli_credentials, and
  * skips the OID in 'skip'.  (Typically the SPNEGO OID)
- * 
+ *
  */
 
-const char **gensec_security_oids(struct gensec_security *gensec_security, 
-                                 TALLOC_CTX *mem_ctx, 
-                                 const char *skip) 
+const char **gensec_security_oids(struct gensec_security *gensec_security,
+                                 TALLOC_CTX *mem_ctx,
+                                 const char *skip)
 {
        struct gensec_security_ops **ops
                = gensec_security_mechs(gensec_security, mem_ctx);
        return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
 }
 
-
-
 /**
   Start the GENSEC system, returning a context pointer.
   @param mem_ctx The parent TALLOC memory context.
   @param gensec_security Returned GENSEC context pointer.
   @note  The mem_ctx is only a parent and may be NULL.
   @note, the auth context is moved to be a referenced pointer of the
-  @ gensec_security return 
+  @ gensec_security return
 */
-static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, 
+static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
                             struct tevent_context *ev,
                             struct gensec_settings *settings,
-                            struct auth4_context *auth_context,
+                            struct auth4_context *auth_context,
                             struct gensec_security **gensec_security)
 {
        if (ev == NULL) {
@@ -537,16 +536,16 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
-/** 
+/**
  * Start a GENSEC subcontext, with a copy of the properties of the parent
  * @param mem_ctx The parent TALLOC memory context.
- * @param parent The parent GENSEC context 
+ * @param parent The parent GENSEC context
  * @param gensec_security Returned GENSEC context pointer.
  * @note Used by SPNEGO in particular, for the actual implementation mechanism
  */
 
-_PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, 
-                                struct gensec_security *parent, 
+_PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
+                                struct gensec_security *parent,
                                 struct gensec_security **gensec_security)
 {
        (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
@@ -572,7 +571,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
   @param gensec_security Returned GENSEC context pointer.
   @note  The mem_ctx is only a parent and may be NULL.
 */
-_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, 
+_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
                             struct gensec_security **gensec_security,
                             struct tevent_context *ev,
                             struct gensec_settings *settings)
@@ -601,7 +600,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
   @param gensec_security Returned GENSEC context pointer.
   @note  The mem_ctx is only a parent and may be NULL.
 */
-_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, 
+_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
                                      struct tevent_context *ev,
                                      struct gensec_settings *settings,
                                      struct auth4_context *auth_context,
@@ -628,11 +627,11 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
        return status;
 }
 
-static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) 
+NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
 {
        NTSTATUS status;
-       DEBUG(5, ("Starting GENSEC %smechanism %s\n", 
-                 gensec_security->subcontext ? "sub" : "", 
+       DEBUG(5, ("Starting GENSEC %smechanism %s\n",
+                 gensec_security->subcontext ? "sub" : "",
                  gensec_security->ops->name));
        switch (gensec_security->gensec_role) {
        case GENSEC_CLIENT:
@@ -640,7 +639,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
                        status = gensec_security->ops->client_start(gensec_security);
                        if (!NT_STATUS_IS_OK(status)) {
                                DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n",
-                                         gensec_security->ops->name, nt_errstr(status))); 
+                                         gensec_security->ops->name, nt_errstr(status)));
                        }
                        return status;
                }
@@ -650,7 +649,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
                        status = gensec_security->ops->server_start(gensec_security);
                        if (!NT_STATUS_IS_OK(status)) {
                                DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n",
-                                         gensec_security->ops->name, nt_errstr(status))); 
+                                         gensec_security->ops->name, nt_errstr(status)));
                        }
                        return status;
                }
@@ -659,15 +658,28 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
        return NT_STATUS_INVALID_PARAMETER;
 }
 
-/** 
- * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number 
+/**
+ * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
+ *
+ */
+
+NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
+                                 const struct gensec_security_ops *ops)
+{
+       gensec_security->ops = ops;
+       return gensec_start_mech(gensec_security);
+}
+
+
+/**
+ * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number
  * @param gensec_security GENSEC context pointer.
  * @param auth_type DCERPC auth type
- * @param auth_level DCERPC auth level 
+ * @param auth_level DCERPC auth level
  */
 
-_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, 
-                                      uint8_t auth_type, uint8_t auth_level) 
+_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
+                                      uint8_t auth_type, uint8_t auth_level)
 {
        gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
        if (!gensec_security->ops) {
@@ -684,7 +696,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
        } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
                /* Default features */
        } else {
-               DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n", 
+               DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
                         auth_level));
                return NT_STATUS_INVALID_PARAMETER;
        }
@@ -692,7 +704,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
        return gensec_start_mech(gensec_security);
 }
 
-_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) 
+_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
 {
        const struct gensec_security_ops *ops;
        ops = gensec_security_by_authtype(gensec_security, authtype);
@@ -701,10 +713,10 @@ _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_
        }
        return NULL;
 }
-       
+
 
 _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
-                                                                                       const char *oid_string) 
+                                                                                       const char *oid_string)
 {
        const struct gensec_security_ops *ops;
        ops = gensec_security_by_oid(gensec_security, oid_string);
@@ -715,26 +727,14 @@ _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_secur
 }
 
 /**
- * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
- *
- */
-
-NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, 
-                                 const struct gensec_security_ops *ops) 
-{
-       gensec_security->ops = ops;
-       return gensec_start_mech(gensec_security);
-}
-
-/** 
  * Start a GENSEC sub-mechanism by OID, used in SPNEGO
  *
  * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a
  *       well-known #define to hook it in.
  */
 
-_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, 
-                                 const char *mech_oid) 
+_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
+                                 const char *mech_oid)
 {
        SMB_ASSERT(gensec_security != NULL);
 
@@ -746,13 +746,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_securi
        return gensec_start_mech(gensec_security);
 }
 
-/** 
+/**
  * Start a GENSEC sub-mechanism by a well know SASL name
  *
  */
 
-_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, 
-                                       const char *sasl_name) 
+_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
+                                       const char *sasl_name)
 {
        gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name);
        if (!gensec_security->ops) {
@@ -762,13 +762,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_
        return gensec_start_mech(gensec_security);
 }
 
-/** 
+/**
  * Start a GENSEC sub-mechanism with the preferred option from a SASL name list
  *
  */
 
-_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, 
-                                                const char **sasl_names) 
+_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
+                                                const char **sasl_names)
 {
        NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
        TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
@@ -779,8 +779,8 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_
        }
        ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names);
        if (!ops || !*ops) {
-               DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n", 
-                         str_list_join(mem_ctx, 
+               DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n",
+                         str_list_join(mem_ctx,
                                        sasl_names, ' ')));
                talloc_free(mem_ctx);
                return NT_STATUS_INVALID_PARAMETER;
@@ -795,13 +795,13 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_
        return nt_status;
 }
 
-/** 
+/**
  * Start a GENSEC sub-mechanism by an internal name
  *
  */
 
-_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, 
-                                       const char *name) 
+_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
+                                       const char *name)
 {
        gensec_security->ops = gensec_security_by_name(gensec_security, name);
        if (!gensec_security->ops) {
@@ -811,317 +811,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_secur
        return gensec_start_mech(gensec_security);
 }
 
-/*
-  wrappers for the gensec function pointers
-*/
-_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, 
-                             TALLOC_CTX *mem_ctx, 
-                             uint8_t *data, size_t length, 
-                             const uint8_t *whole_pdu, size_t pdu_length, 
-                             const DATA_BLOB *sig)
-{
-       if (!gensec_security->ops->unseal_packet) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-       
-       return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, 
-                                                  data, length, 
-                                                  whole_pdu, pdu_length, 
-                                                  sig);
-}
-
-_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, 
-                            TALLOC_CTX *mem_ctx, 
-                            const uint8_t *data, size_t length, 
-                            const uint8_t *whole_pdu, size_t pdu_length, 
-                            const DATA_BLOB *sig)
-{
-       if (!gensec_security->ops->check_packet) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-       
-       return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
-}
-
-_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, 
-                           TALLOC_CTX *mem_ctx, 
-                           uint8_t *data, size_t length, 
-                           const uint8_t *whole_pdu, size_t pdu_length, 
-                           DATA_BLOB *sig)
-{
-       if (!gensec_security->ops->seal_packet) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-       
-       return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
-}
-
-_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, 
-                           TALLOC_CTX *mem_ctx, 
-                           const uint8_t *data, size_t length, 
-                           const uint8_t *whole_pdu, size_t pdu_length, 
-                           DATA_BLOB *sig)
-{
-       if (!gensec_security->ops->sign_packet) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-       
-       return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
-}
-
-_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size) 
-{
-       if (!gensec_security->ops->sig_size) {
-               return 0;
-       }
-       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-               return 0;
-       }
-       
-       return gensec_security->ops->sig_size(gensec_security, data_size);
-}
-
-size_t gensec_max_wrapped_size(struct gensec_security *gensec_security) 
-{
-       if (!gensec_security->ops->max_wrapped_size) {
-               return (1 << 17);
-       }
-       
-       return gensec_security->ops->max_wrapped_size(gensec_security);
-}
-
-size_t gensec_max_input_size(struct gensec_security *gensec_security) 
-{
-       if (!gensec_security->ops->max_input_size) {
-               return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
-       }
-       
-       return gensec_security->ops->max_input_size(gensec_security);
-}
-
-_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, 
-                    TALLOC_CTX *mem_ctx, 
-                    const DATA_BLOB *in, 
-                    DATA_BLOB *out) 
-{
-       if (!gensec_security->ops->wrap) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
-}
-
-_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, 
-                      TALLOC_CTX *mem_ctx, 
-                      const DATA_BLOB *in, 
-                      DATA_BLOB *out) 
-{
-       if (!gensec_security->ops->unwrap) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
-}
-
-_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, 
-                           DATA_BLOB *session_key)
-{
-       if (!gensec_security->ops->session_key) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
-               return NT_STATUS_NO_USER_SESSION_KEY;
-       }
-       
-       return gensec_security->ops->session_key(gensec_security, session_key);
-}
-
-/** 
- * Return the credentials of a logged on user, including session keys
- * etc.
- *
- * Only valid after a successful authentication
- *
- * May only be called once per authentication.
- *
- */
-
-_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security, 
-                            struct auth_session_info **session_info)
-{
-       if (!gensec_security->ops->session_info) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-       return gensec_security->ops->session_info(gensec_security, session_info);
-}
-
 /**
- * Next state function for the GENSEC state machine
- * 
- * @param gensec_security GENSEC State
- * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
- * @param in The request, as a DATA_BLOB
- * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
- * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
- *                or NT_STATUS_OK if the user is authenticated. 
- */
-
-_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, 
-                      const DATA_BLOB in, DATA_BLOB *out) 
-{
-       return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out);
-}
-
-struct gensec_update_state {
-       struct tevent_immediate *im;
-       struct gensec_security *gensec_security;
-       DATA_BLOB in;
-       DATA_BLOB out;
-};
-
-static void gensec_update_async_trigger(struct tevent_context *ctx,
-                                       struct tevent_immediate *im,
-                                       void *private_data);
-/**
- * Next state function for the GENSEC state machine async version
- *
- * @param mem_ctx The memory context for the request
- * @param ev The event context for the request
- * @param gensec_security GENSEC State
- * @param in The request, as a DATA_BLOB
+ * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context
  *
- * @return The request handle or NULL on no memory failure
  */
 
-_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
-                                              struct tevent_context *ev,
-                                              struct gensec_security *gensec_security,
-                                              const DATA_BLOB in)
-{
-       struct tevent_req *req;
-       struct gensec_update_state *state = NULL;
-
-       req = tevent_req_create(mem_ctx, &state,
-                               struct gensec_update_state);
-       if (req == NULL) {
-               return NULL;
-       }
-
-       state->gensec_security          = gensec_security;
-       state->in                       = in;
-       state->out                      = data_blob(NULL, 0);
-       state->im                       = tevent_create_immediate(state);
-       if (tevent_req_nomem(state->im, req)) {
-               return tevent_req_post(req, ev);
-       }
-
-       tevent_schedule_immediate(state->im, ev,
-                                 gensec_update_async_trigger,
-                                 req);
-
-       return req;
-}
-
-static void gensec_update_async_trigger(struct tevent_context *ctx,
-                                       struct tevent_immediate *im,
-                                       void *private_data)
-{
-       struct tevent_req *req =
-               talloc_get_type_abort(private_data, struct tevent_req);
-       struct gensec_update_state *state =
-               tevent_req_data(req, struct gensec_update_state);
-       NTSTATUS status;
-
-       status = gensec_update(state->gensec_security, state,
-                              state->in, &state->out);
-       if (tevent_req_nterror(req, status)) {
-               return;
-       }
-
-       tevent_req_done(req);
-}
-
-/**
- * Next state function for the GENSEC state machine
- * 
- * @param req request state
- * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
- * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
- * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
- *                or NT_STATUS_OK if the user is authenticated. 
- */
-_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
-                                    TALLOC_CTX *out_mem_ctx,
-                                    DATA_BLOB *out)
-{
-       struct gensec_update_state *state =
-               tevent_req_data(req, struct gensec_update_state);
-       NTSTATUS status;
-
-       if (tevent_req_is_nterror(req, &status)) {
-               if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-                       tevent_req_received(req);
-                       return status;
-               }
-       } else {
-               status = NT_STATUS_OK;
-       }
-
-       *out = state->out;
-       talloc_steal(out_mem_ctx, out->data);
-
-       tevent_req_received(req);
-       return status;
-}
-
-/** 
- * Set the requirement for a certain feature on the connection
- *
- */
-
-_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
-                        uint32_t feature) 
-{
-       if (!gensec_security->ops || !gensec_security->ops->want_feature) {
-               gensec_security->want_features |= feature;
-               return;
-       }
-       gensec_security->ops->want_feature(gensec_security, feature);
-}
-
-/** 
- * Check the requirement for a certain feature on the connection
- *
- */
-
-_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
-                        uint32_t feature) 
-{
-       if (!gensec_security->ops->have_feature) {
-               return false;
-       }
-       
-       /* We might 'have' features that we don't 'want', because the
-        * other end demanded them, or we can't neotiate them off */
-       return gensec_security->ops->have_feature(gensec_security, feature);
-}
-
-/** 
- * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context 
- *
- */
-
-_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials) 
+_PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials)
 {
        gensec_security->credentials = talloc_reference(gensec_security, credentials);
        NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials);
@@ -1129,191 +824,6 @@ _PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security
        return NT_STATUS_OK;
 }
 
-/** 
- * Return the credentials structure associated with a GENSEC context
- *
- */
-
-_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security) 
-{
-       if (!gensec_security) {
-               return NULL;
-       }
-       return gensec_security->credentials;
-}
-
-/** 
- * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed 
- *
- */
-
-_PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service) 
-{
-       gensec_security->target.service = talloc_strdup(gensec_security, service);
-       if (!gensec_security->target.service) {
-               return NT_STATUS_NO_MEMORY;
-       }
-       return NT_STATUS_OK;
-}
-
-_PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security) 
-{
-       if (gensec_security->target.service) {
-               return gensec_security->target.service;
-       }
-
-       return "host";
-}
-
-/** 
- * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed 
- *
- */
-
-_PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname) 
-{
-       gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
-       if (hostname && !gensec_security->target.hostname) {
-               return NT_STATUS_NO_MEMORY;
-       }
-       return NT_STATUS_OK;
-}
-
-_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) 
-{
-       /* We allow the target hostname to be overriden for testing purposes */
-       if (gensec_security->settings->target_hostname) {
-               return gensec_security->settings->target_hostname;
-       }
-
-       if (gensec_security->target.hostname) {
-               return gensec_security->target.hostname;
-       }
-
-       /* We could add use the 'set sockaddr' call, and do a reverse
-        * lookup, but this would be both insecure (compromising the
-        * way kerberos works) and add DNS timeouts */
-       return NULL;
-}
-
-/**
- * Set (and talloc_reference) local and peer socket addresses onto a socket
- * context on the GENSEC context.
- *
- * This is so that kerberos can include these addresses in
- * cryptographic tokens, to avoid certain attacks.
- */
-
-/**
- * @brief Set the local gensec address.
- *
- * @param  gensec_security   The gensec security context to use.
- *
- * @param  remote       The local address to set.
- *
- * @return              On success NT_STATUS_OK is returned or an NT_STATUS
- *                      error.
- */
-_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
-               const struct tsocket_address *local)
-{
-       TALLOC_FREE(gensec_security->local_addr);
-
-       if (local == NULL) {
-               return NT_STATUS_OK;
-       }
-
-       gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
-       if (gensec_security->local_addr == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       return NT_STATUS_OK;
-}
-
-/**
- * @brief Set the remote gensec address.
- *
- * @param  gensec_security   The gensec security context to use.
- *
- * @param  remote       The remote address to set.
- *
- * @return              On success NT_STATUS_OK is returned or an NT_STATUS
- *                      error.
- */
-_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
-               const struct tsocket_address *remote)
-{
-       TALLOC_FREE(gensec_security->remote_addr);
-
-       if (remote == NULL) {
-               return NT_STATUS_OK;
-       }
-
-       gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
-       if (gensec_security->remote_addr == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       return NT_STATUS_OK;
-}
-
-/**
- * @brief Get the local address from a gensec security context.
- *
- * @param  gensec_security   The security context to get the address from.
- *
- * @return              The address as tsocket_address which could be NULL if
- *                      no address is set.
- */
-_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
-{
-       if (gensec_security == NULL) {
-               return NULL;
-       }
-       return gensec_security->local_addr;
-}
-
-/**
- * @brief Get the remote address from a gensec security context.
- *
- * @param  gensec_security   The security context to get the address from.
- *
- * @return              The address as tsocket_address which could be NULL if
- *                      no address is set.
- */
-_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
-{
-       if (gensec_security == NULL) {
-               return NULL;
-       }
-       return gensec_security->remote_addr;
-}
-
-/** 
- * Set the target principal (assuming it it known, say from the SPNEGO reply)
- *  - ensures it is talloc()ed 
- *
- */
-
-_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
-{
-       gensec_security->target.principal = talloc_strdup(gensec_security, principal);
-       if (!gensec_security->target.principal) {
-               return NT_STATUS_NO_MEMORY;
-       }
-       return NT_STATUS_OK;
-}
-
-const char *gensec_get_target_principal(struct gensec_security *gensec_security) 
-{
-       if (gensec_security->target.principal) {
-               return gensec_security->target.principal;
-       }
-
-       return NULL;
-}
-
 NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
                                      struct gensec_security *gensec_security,
                                      struct auth_user_info_dc *user_info_dc,
@@ -1348,7 +858,7 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
 }
 
 /*
-  register a GENSEC backend. 
+  register a GENSEC backend.
 
   The 'name' can be later used by other backends to find the operations
   structure for this backend.
@@ -1357,14 +867,14 @@ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
 {
        if (gensec_security_by_name(NULL, ops->name) != NULL) {
                /* its already registered! */
-               DEBUG(0,("GENSEC backend '%s' already registered\n", 
+               DEBUG(0,("GENSEC backend '%s' already registered\n",
                         ops->name));
                return NT_STATUS_OBJECT_NAME_COLLISION;
        }
 
-       generic_security_ops = talloc_realloc(talloc_autofree_context(), 
-                                             generic_security_ops, 
-                                             struct gensec_security_ops *, 
+       generic_security_ops = talloc_realloc(talloc_autofree_context(),
+                                             generic_security_ops,
+                                             struct gensec_security_ops *,
                                              gensec_num_backends+2);
        if (!generic_security_ops) {
                return NT_STATUS_NO_MEMORY;
@@ -1374,7 +884,7 @@ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
        gensec_num_backends++;
        generic_security_ops[gensec_num_backends] = NULL;
 
-       DEBUG(3,("GENSEC backend '%s' registered\n", 
+       DEBUG(3,("GENSEC backend '%s' registered\n",
                 ops->name));
 
        return NT_STATUS_OK;
@@ -1423,7 +933,7 @@ _PUBLIC_ NTSTATUS gensec_init(void)
 
        if (initialized) return NT_STATUS_OK;
        initialized = true;
-       
+
        shared_init = load_samba_modules(NULL, "gensec");
 
        run_init_functions(static_init);
@@ -1432,6 +942,6 @@ _PUBLIC_ NTSTATUS gensec_init(void)
        talloc_free(shared_init);
 
        TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
-       
+
        return NT_STATUS_OK;
 }
index 3bc69ab..91915b5 100644 (file)
@@ -27,7 +27,7 @@
 #include "auth/gensec/gensec_tstream.h"
 #include "lib/tsocket/tsocket.h"
 #include "lib/tsocket/tsocket_internal.h"
-
+#include "auth/gensec/gensec_toplevel_proto.h"
 
 static const struct tstream_context_ops tstream_gensec_ops;
 
diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
new file mode 100644 (file)
index 0000000..88a32a7
--- /dev/null
@@ -0,0 +1,26 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   dcerpc schannel operations
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct netlogon_creds_CredentialState;
+NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
+                              TALLOC_CTX *mem_ctx,
+                              struct netlogon_creds_CredentialState **creds);
index 1423423..3611d31 100644 (file)
@@ -28,6 +28,7 @@
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
 
 _PUBLIC_ NTSTATUS gensec_spnego_init(void);
index 42d7dc5..4eed751 100644 (file)
@@ -1,11 +1,10 @@
 #!/usr/bin/env python
 
 bld.SAMBA_LIBRARY('gensec',
-       source='gensec.c socket.c gensec_tstream.c',
+       source='gensec_start.c socket.c gensec_tstream.c',
        pc_files='gensec.pc',
        autoproto='gensec_proto.h',
-       public_deps='UTIL_TEVENT samba-util errors LIBPACKET auth_system_session',
-       public_headers='gensec.h',
+       public_deps='UTIL_TEVENT samba-util errors LIBPACKET auth_system_session gensec_runtime',
        deps='com_err',
        vnum='0.0.1'
        )
index f5cf25e..e5e8cba 100644 (file)
@@ -27,6 +27,7 @@
 #include "libcli/ldap/ldap_client.h"
 #include "lib/tls/tls.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_socket.h"
 #include "auth/credentials/credentials.h"
 #include "lib/stream/packet.h"
 #include "param/param.h"
index 774451f..7c999db 100644 (file)
@@ -25,6 +25,7 @@
 #include "libcli/auth/libcli_auth.h"
 #include "../libcli/samsync/samsync.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/schannel.h"
 #include "auth/credentials/credentials.h"
 #include "libcli/auth/schannel.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
index 80828e2..cff39dd 100644 (file)
@@ -29,6 +29,7 @@
 #include "lib/cmdline/popt_common.h"
 #include "torture/rpc/torture_rpc.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/schannel.h"
 #include "libcli/auth/libcli_auth.h"
 #include "param/param.h"
 
index 53cb10a..f7d6a93 100644 (file)
@@ -35,6 +35,7 @@
 #include "torture/rpc/torture_rpc.h"
 #include "param/param.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/schannel.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
 
index 980e085..fd1fbbf 100644 (file)
@@ -27,6 +27,7 @@
 #include "system/time.h"
 #include "torture/rpc/torture_rpc.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/schannel.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/samsync/samsync.h"
 #include "libcli/security/security.h"
index c76231c..245f33c 100644 (file)
@@ -26,6 +26,7 @@
 #include "auth/credentials/credentials.h"
 #include "torture/rpc/torture_rpc.h"
 #include "lib/cmdline/popt_common.h"
+#include "auth/gensec/schannel.h"
 #include "../libcli/auth/schannel.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/security/security.h"