auth/gensec/gensec.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #ifndef __GENSEC_H__
  24 #define __GENSEC_H__
  25
  26 #include "../lib/util/data_blob.h"
  27 #include "libcli/util/ntstatus.h"
  28
  29 #define GENSEC_SASL_NAME_NTLMSSP "NTLM"
  30
  31 #define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10"
  32 #define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2"
  33 #define GENSEC_OID_KERBEROS5 "1.2.840.113554.1.2.2"
  34 #define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
  35 #define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
  36
  37 enum gensec_priority {
  38         GENSEC_SPNEGO = 90,
  39         GENSEC_GSSAPI = 80,
  40         GENSEC_KRB5 = 70,
  41         GENSEC_SCHANNEL = 60,
  42         GENSEC_NTLMSSP = 50,
  43         GENSEC_SASL = 20,
  44         GENSEC_OTHER = 0
  45 };
  46
  47 struct gensec_security;
  48 struct gensec_target {
  49         const char *principal;
  50         const char *hostname;
  51         const char *service;
  52 };
  53
  54 #define GENSEC_FEATURE_SESSION_KEY      0x00000001
  55 #define GENSEC_FEATURE_SIGN             0x00000002
  56 #define GENSEC_FEATURE_SEAL             0x00000004
  57 #define GENSEC_FEATURE_DCE_STYLE        0x00000008
  58 #define GENSEC_FEATURE_ASYNC_REPLIES    0x00000010
  59 #define GENSEC_FEATURE_DATAGRAM_MODE    0x00000020
  60 #define GENSEC_FEATURE_SIGN_PKT_HEADER  0x00000040
  61 #define GENSEC_FEATURE_NEW_SPNEGO       0x00000080
  62 #define GENSEC_FEATURE_UNIX_TOKEN       0x00000100
  63
  64 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
  65
  66 /* GENSEC mode */
  67 enum gensec_role
  68 {
  69         GENSEC_SERVER,
  70         GENSEC_CLIENT
  71 };
  72
  73 struct auth_session_info;
  74 struct cli_credentials;
  75 struct gensec_settings;
  76 struct tevent_context;
  77 struct tevent_req;
  78 struct smb_krb5_context;
  79 struct tsocket_address;
  80
  81 struct gensec_settings {
  82         struct loadparm_context *lp_ctx;
  83         const char *target_hostname;
  84
  85         /* this allows callers to specify a specific set of ops that
  86          * should be used, rather than those loaded by the plugin
  87          * mechanism */
  88         struct gensec_security_ops **backends;
  89
  90         /* To fill in our own name in the NTLMSSP server */
  91         const char *server_dns_domain;
  92         const char *server_dns_name;
  93         const char *server_netbios_domain;
  94         const char *server_netbios_name;
  95 };
  96
  97 struct gensec_security_ops;
  98 struct gensec_security_ops_wrapper;
  99
 100 #define GENSEC_INTERFACE_VERSION 0
 101
 102 /* this structure is used by backends to determine the size of some critical types */
 103 struct gensec_critical_sizes;
 104 const struct gensec_critical_sizes *gensec_interface_version(void);
 105
 106 /* Socket wrapper */
 107
 108 struct gensec_security;
 109 struct socket_context;
 110 struct auth4_context;
 111 struct auth_user_info_dc;
 112
 113 /* These functions are for use here only (public because SPNEGO must
 114  * use them for recursion) */
 115 NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
 116                              TALLOC_CTX *mem_ctx,
 117                              const DATA_BLOB *in,
 118                              DATA_BLOB *out,
 119                              size_t *len_processed);
 120 /* These functions are for use here only (public because SPNEGO must
 121  * use them for recursion) */
 122 NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
 123                                TALLOC_CTX *mem_ctx,
 124                                const DATA_BLOB *in,
 125                                DATA_BLOB *out,
 126                                size_t *len_processed);
 127
 128 /* These functions are for use here only (public because SPNEGO must
 129  * use them for recursion) */
 130 NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
 131                                     DATA_BLOB blob, size_t *size);
 132
 133 struct loadparm_context;
 134
 135 NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
 136                                  struct gensec_security *parent,
 137                                  struct gensec_security **gensec_security);
 138 NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
 139                              struct gensec_security **gensec_security,
 140                              struct gensec_settings *settings);
 141 NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
 142                                   const struct gensec_security_ops *ops);
 143 NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
 144                                                  const char **sasl_names);
 145 void gensec_set_max_update_size(struct gensec_security *gensec_security,
 146                                 uint32_t max_update_size);
 147 size_t gensec_max_update_size(struct gensec_security *gensec_security);
 148 NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 149                        struct tevent_context *ev,
 150                        const DATA_BLOB in, DATA_BLOB *out);
 151 struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
 152                                       struct tevent_context *ev,
 153                                       struct gensec_security *gensec_security,
 154                                       const DATA_BLOB in);
 155 NTSTATUS gensec_update_recv(struct tevent_req *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
 156 void gensec_want_feature(struct gensec_security *gensec_security,
 157                          uint32_t feature);
 158 bool gensec_have_feature(struct gensec_security *gensec_security,
 159                          uint32_t feature);
 160 NTTIME gensec_expire_time(struct gensec_security *gensec_security);
 161 NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials);
 162 NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service);
 163 const char *gensec_get_target_service(struct gensec_security *gensec_security);
 164 NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname);
 165 const char *gensec_get_target_hostname(struct gensec_security *gensec_security);
 166 NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 167                             TALLOC_CTX *mem_ctx,
 168                             DATA_BLOB *session_key);
 169 NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
 170                                   const char *mech_oid);
 171 const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
 172 struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
 173 NTSTATUS gensec_init(void);
 174 NTSTATUS gensec_register(const struct gensec_security_ops *ops);
 175 const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
 176                                                          const char *oid_string);
 177 const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
 178                                                                const char *sasl_name);
 179 const struct gensec_security_ops *gensec_security_by_auth_type(
 180                                 struct gensec_security *gensec_security,
 181                                 uint32_t auth_type);
 182 struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
 183                                                    TALLOC_CTX *mem_ctx);
 184 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
 185                                         struct gensec_security *gensec_security,
 186                                         TALLOC_CTX *mem_ctx,
 187                                         const char * const *oid_strings,
 188                                         const char *skip);
 189 const char **gensec_security_oids(struct gensec_security *gensec_security,
 190                                   TALLOC_CTX *mem_ctx,
 191                                   const char *skip);
 192 const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
 193                                 const struct gensec_security_ops_wrapper *wops);
 194 size_t gensec_max_input_size(struct gensec_security *gensec_security);
 195 size_t gensec_max_wrapped_size(struct gensec_security *gensec_security);
 196 NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 197                               uint8_t *data, size_t length,
 198                               const uint8_t *whole_pdu, size_t pdu_length,
 199                               const DATA_BLOB *sig);
 200 NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
 201                              const uint8_t *data, size_t length,
 202                              const uint8_t *whole_pdu, size_t pdu_length,
 203                              const DATA_BLOB *sig);
 204 size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size);
 205 NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 206                             TALLOC_CTX *mem_ctx,
 207                             uint8_t *data, size_t length,
 208                             const uint8_t *whole_pdu, size_t pdu_length,
 209                             DATA_BLOB *sig);
 210 NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
 211                             TALLOC_CTX *mem_ctx,
 212                             const uint8_t *data, size_t length,
 213                             const uint8_t *whole_pdu, size_t pdu_length,
 214                             DATA_BLOB *sig);
 215 NTSTATUS gensec_start_mech(struct gensec_security *gensec_security);
 216 NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
 217                                        uint8_t auth_type, uint8_t auth_level);
 218 const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype);
 219 NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
 220                              struct gensec_settings *settings,
 221                              struct auth4_context *auth_context,
 222                              struct gensec_security **gensec_security);
 223 NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
 224                              TALLOC_CTX *mem_ctx,
 225                              struct auth_session_info **session_info);
 226
 227 NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
 228                 const struct tsocket_address *local);
 229 NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
 230                 const struct tsocket_address *remote);
 231 const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security);
 232 const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security);
 233
 234 NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
 235                                         const char *name);
 236
 237 NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
 238                        TALLOC_CTX *mem_ctx,
 239                        const DATA_BLOB *in,
 240                        DATA_BLOB *out);
 241 NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
 242                      TALLOC_CTX *mem_ctx,
 243                      const DATA_BLOB *in,
 244                      DATA_BLOB *out);
 245
 246 struct gensec_security_ops **gensec_security_all(void);
 247 bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
 248 struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
 249                                                        struct gensec_security_ops **old_gensec_list,
 250                                                        struct cli_credentials *creds);
 251
 252 NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
 253                                         const char *sasl_name);
 254
 255 int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
 256 bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
 257
 258 NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
 259 const char *gensec_get_target_principal(struct gensec_security *gensec_security);
 260
 261 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 262                                           struct gensec_security *gensec_security,
 263                                           struct smb_krb5_context *smb_krb5_context,
 264                                           DATA_BLOB *pac_blob,
 265                                           const char *principal_string,
 266                                           const struct tsocket_address *remote_address,
 267                                           struct auth_session_info **session_info);
 268
 269 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
 270                                         const DATA_BLOB *blob);
 271
 272 #endif /* __GENSEC_H__ */