1/*
2   Unix SMB/CIFS implementation.
3
4   Generic Authentication Interface
5
6   Copyright (C) Andrew Tridgell 2003
7   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
9   This program is free software; you can redistribute it and/or modify
10   it under the terms of the GNU General Public License as published by
11   the Free Software Foundation; either version 3 of the License, or
12   (at your option) any later version.
13
14   This program is distributed in the hope that it will be useful,
15   but WITHOUT ANY WARRANTY; without even the implied warranty of
16   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17   GNU General Public License for more details.
18
19   You should have received a copy of the GNU General Public License
20   along with this program.  If not, see <http://www.gnu.org/licenses/>.
21*/
22
23#ifndef __GENSEC_H__
24#define __GENSEC_H__
25
26#include "../lib/util/data_blob.h"
27#include "libcli/util/ntstatus.h"
28
/*
 * Object identifiers of the mechanisms GENSEC can carry inside SPNEGO.
 * A backend lists the OIDs it answers to in gensec_security_ops.oid, and
 * gensec_start_mech_by_oid() selects a backend by one of these strings.
 * Two Kerberos OIDs are kept: KERBEROS5 and the older KERBEROS5_OLD, both
 * of which a server presumably has to accept for interoperability with
 * peers that still send the old one — which peers do is not recorded here.
 */
#define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10"
#define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2"
#define GENSEC_OID_KERBEROS5 "1.2.840.113554.1.2.2"
#define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
#define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
34
/*
 * Preference value a backend reports in gensec_security_ops.priority.
 * The numbers only establish an order (SPNEGO, GSSAPI, KRB5, SCHANNEL,
 * NTLMSSP, SASL, OTHER); which direction counts as "preferred" is decided
 * by the mechanism selection code in gensec.c, presumably larger first —
 * confirm there before relying on it.
 */
enum gensec_priority {
	GENSEC_SPNEGO = 90,
	GENSEC_GSSAPI = 80,
	GENSEC_KRB5 = 70,
	GENSEC_SCHANNEL = 60,
	GENSEC_NTLMSSP = 50,
	GENSEC_SASL = 20,
	GENSEC_OTHER = 0	/* catch-all for mechanisms with no explicit ranking */
};
44
45struct gensec_security;
/*
 * Identity of the remote party a client-role context authenticates to.
 * hostname and service are filled in through gensec_set_target_hostname()
 * and gensec_set_target_service() declared below; no setter for principal
 * is declared in this header. How a backend turns these into a service
 * principal (e.g. for a ticket request) is backend specific.
 */
struct gensec_target {
	const char *principal;	/* explicit target principal, when the caller has one */
	const char *hostname;	/* see gensec_set_target_hostname() / gensec_get_target_hostname() */
	const char *service;	/* see gensec_set_target_service() / gensec_get_target_service() */
};
51
/*
 * Feature bits for gensec_want_feature()/gensec_have_feature() and the
 * want_features field of struct gensec_security. Each constant is a single
 * bit of a uint32_t, so they can be OR-ed together. Requesting a feature
 * records a wish only; whether e.g. SIGN or SEAL is actually in effect is
 * what gensec_have_feature() reports, so callers that require integrity or
 * confidentiality should check it once the exchange has completed
 * (reading of the want/have pairing — confirm against gensec.c).
 * The per-bit notes below are taken from the names and the matching
 * functions in this header, not from the backends.
 */
#define GENSEC_FEATURE_SESSION_KEY	0x00000001	/* a session key can be obtained, cf. gensec_session_key() */
#define GENSEC_FEATURE_SIGN		0x00000002	/* integrity protection, cf. sign_packet/check_packet */
#define GENSEC_FEATURE_SEAL		0x00000004	/* confidentiality, cf. seal_packet/unseal_packet */
#define GENSEC_FEATURE_DCE_STYLE	0x00000008	/* DCE-RPC style exchange; meaning defined by the backends */
#define GENSEC_FEATURE_ASYNC_REPLIES	0x00000010	/* cf. gensec_update_send()/gensec_update_recv() */
#define GENSEC_FEATURE_DATAGRAM_MODE	0x00000020	/* connectionless operation; meaning defined by the backends */
#define GENSEC_FEATURE_SIGN_PKT_HEADER	0x00000040	/* presumably: cover the PDU header (whole_pdu) with the signature */
#define GENSEC_FEATURE_NEW_SPNEGO	0x00000080	/* newer SPNEGO behaviour; meaning defined in the SPNEGO backend */
60
/* GENSEC role: which side of the authentication exchange this context plays */
/*
 * Side of the exchange a context represents. Set when the context is
 * created with gensec_server_start() or gensec_client_start() and read
 * back from gensec_security.gensec_role; the backend's server_start or
 * client_start entry is selected accordingly.
 */
enum gensec_role
{
	GENSEC_SERVER,
	GENSEC_CLIENT
};
67
68struct auth_session_info;
69struct cli_credentials;
70struct gensec_settings;
71struct tevent_context;
72
/*
 * State of one asynchronous gensec_update_send() call. The caller's
 * completion function and its argument are stored in callback; the
 * outcome is collected with gensec_update_recv(). The top-level
 * private_data is separate from callback.private_data — presumably the
 * former belongs to the generic layer and the latter to the caller;
 * confirm in gensec.c before using either.
 */
struct gensec_update_request {
	struct gensec_security *gensec_security;	/* context the request runs on */
	void *private_data;
	DATA_BLOB in;		/* token received from the peer, as passed to gensec_update_send() */
	DATA_BLOB out;		/* token to send back, handed out by gensec_update_recv() */
	NTSTATUS status;	/* completion status, presumably what gensec_update_recv() returns */
	struct {
		void (*fn)(struct gensec_update_request *req, void *private_data);	/* invoked when the request completes */
		void *private_data;
	} callback;
};
84
/*
 * Configuration handed to gensec_client_start()/gensec_server_start() and
 * kept in gensec_security.settings. gensec_setting_int()/_bool() below look
 * per-mechanism values up through it (presumably via lp_ctx).
 */
struct gensec_settings {
	struct loadparm_context *lp_ctx;			/* loaded smb.conf-style configuration */
	struct smb_iconv_convenience *iconv_convenience;	/* charset conversion handle for backends that need it */
	const char *target_hostname;				/* default target host name, if configured */
};
90
/**
 * Backend vtable: one per mechanism (NTLMSSP, Kerberos, SPNEGO, schannel,
 * SASL, ...). The generic layer selects one of these by name, OID, SASL
 * name or DCE-RPC auth type (see the gensec_start_mech_by_*() functions
 * below) and dispatches every operation through it. Which entries a
 * backend may leave NULL is decided by the dispatcher in gensec.c, not here.
 *
 * Memory convention visible in the signatures: wherever a TALLOC_CTX is
 * passed, the output DATA_BLOB is expected to be allocated on it.
 */
struct gensec_security_ops {
	const char *name;	/* mechanism name; presumably what gensec_start_mech_by_name() matches */
	const char *sasl_name;	/* SASL mechanism name; presumably what gensec_start_mech_by_sasl_name() matches */
	uint8_t auth_type;  /* DCE-RPC auth type; 0 if not offered on DCE-RPC */
	const char **oid;  /* OID strings this backend answers to; NULL if not offered by SPNEGO (list termination not visible here) */
	/* Initialise backend state for the role the context was created with. */
	NTSTATUS (*client_start)(struct gensec_security *gensec_security);
	NTSTATUS (*server_start)(struct gensec_security *gensec_security);
	/**
	   Determine if a packet has the right 'magic' for this mechanism,
	   i.e. whether first_packet looks like the opening token of this
	   mechanism. Used when the mechanism has to be guessed from the wire.
	*/
	NTSTATUS (*magic)(struct gensec_security *gensec_security,
			  const DATA_BLOB *first_packet);
	/*
	 * One step of the exchange: consume the peer's token in `in` and
	 * produce the next token to send in *out, allocated on out_mem_ctx.
	 * The returned NTSTATUS tells the generic layer whether the exchange
	 * is complete, needs another round trip, or failed; the exact codes
	 * are a contract with gensec.c and not visible here.
	 */
	NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
			   const DATA_BLOB in, DATA_BLOB *out);
	/*
	 * Per-PDU protection on the sending side. data/length is the payload,
	 * whole_pdu/pdu_length the complete PDU that contains it (presumably so
	 * the header can be covered by the signature, cf.
	 * GENSEC_FEATURE_SIGN_PKT_HEADER). seal_packet takes data non-const:
	 * it encrypts in place and writes the signature to *sig (allocated on
	 * sig_mem_ctx). sign_packet leaves data untouched (const) and only
	 * produces *sig.
	 */
	NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
				uint8_t *data, size_t length,
				const uint8_t *whole_pdu, size_t pdu_length,
				DATA_BLOB *sig);
	NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
				const uint8_t *data, size_t length,
				const uint8_t *whole_pdu, size_t pdu_length,
				DATA_BLOB *sig);
	/* Length of the signature produced for a data_size byte payload, so callers can reserve room for it. */
	size_t   (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
	/* Largest input one wrap() accepts / largest output it may produce (name-based reading; confirm per backend). */
	size_t   (*max_input_size)(struct gensec_security *gensec_security);
	size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
	/*
	 * Receiving-side counterparts. check_packet verifies *sig over data
	 * without modifying it (const); unseal_packet decrypts data in place
	 * and verifies *sig. Any status other than NT_STATUS_OK means the PDU
	 * failed integrity/authenticity checking and the caller must not act
	 * on its contents.
	 */
	NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
				 const uint8_t *data, size_t length,
				 const uint8_t *whole_pdu, size_t pdu_length,
				 const DATA_BLOB *sig);
	NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
				  uint8_t *data, size_t length,
				  const uint8_t *whole_pdu, size_t pdu_length,
				  const DATA_BLOB *sig);
	/*
	 * Whole-blob protection, presumably for stream transports (cf.
	 * gensec_socket_init()): wrap turns *in into a protected *out
	 * (signed and/or sealed according to the negotiated features),
	 * unwrap reverses it. The _packets variants additionally report in
	 * *len_processed how much of *in was consumed, which lets the caller
	 * deal with partial or concatenated buffers (inferred from the
	 * parameter; confirm in the socket wrapper).
	 */
	NTSTATUS (*wrap)(struct gensec_security *gensec_security,
				  TALLOC_CTX *mem_ctx,
				  const DATA_BLOB *in,
				  DATA_BLOB *out);
	NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
			   TALLOC_CTX *mem_ctx,
			   const DATA_BLOB *in,
			   DATA_BLOB *out);
	NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
				 TALLOC_CTX *mem_ctx,
				 const DATA_BLOB *in,
				 DATA_BLOB *out,
				 size_t *len_processed);
	NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
				   TALLOC_CTX *mem_ctx,
				   const DATA_BLOB *in,
				   DATA_BLOB *out,
				   size_t *len_processed);
	/* Given the bytes received so far in blob, report in *size the length of the complete request (name-based reading). */
	NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
					DATA_BLOB blob, size_t *size);
	/* Hand out the negotiated session key in *session_key. This is key material; callers should hold it no longer than needed. */
	NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key);
	/* Server side: build the authorization result for the authenticated peer. */
	NTSTATUS (*session_info)(struct gensec_security *gensec_security,
				 struct auth_session_info **session_info);
	/* Record a requested GENSEC_FEATURE_* bit / report whether that feature is actually available on this context. */
	void (*want_feature)(struct gensec_security *gensec_security,
				    uint32_t feature);
	bool (*have_feature)(struct gensec_security *gensec_security,
				    uint32_t feature);
	bool enabled;			/* mechanism enabled by configuration; see gensec_security_ops_enabled() */
	bool kerberos;			/* mechanism depends on Kerberos; presumably what gensec_use_kerberos_mechs() filters on */
	enum gensec_priority priority;	/* ordering among candidate mechanisms, see enum gensec_priority */
};
155
/*
 * A backend paired with one particular OID out of the several it may list
 * in gensec_security_ops.oid. Presumably what SPNEGO iterates over when it
 * offers or matches mechanisms; confirm in the SPNEGO backend.
 */
struct gensec_security_ops_wrapper {
	const struct gensec_security_ops *op;
	const char *oid;	/* the single OID this entry stands for */
};
160
161#define GENSEC_INTERFACE_VERSION 0
162
/*
 * One authentication context. Created by gensec_client_start() or
 * gensec_server_start(), bound to a mechanism by gensec_start_mech_by_*(),
 * then driven by gensec_update()/gensec_update_send() until the exchange
 * completes; afterwards the sign/seal/wrap functions below operate on it.
 * Backends see this struct directly (its size is exported through
 * struct gensec_critical_sizes), so field order and layout are ABI.
 */
struct gensec_security {
	const struct gensec_security_ops *ops;		/* selected backend vtable */
	void *private_data;				/* backend-owned state */
	struct cli_credentials *credentials;		/* our own credentials, see gensec_set_credentials() */
	struct gensec_target target;			/* who we authenticate to (client role) */
	enum gensec_role gensec_role;
	bool subcontext;				/* presumably set for contexts made by gensec_subcontext_start() — confirm */
	uint32_t want_features;				/* GENSEC_FEATURE_* bits recorded by gensec_want_feature() */
	struct tevent_context *event_ctx;
	struct socket_address *my_addr, *peer_addr;	/* see gensec_set_my_addr()/gensec_set_peer_addr() */
	struct gensec_settings *settings;

	/* When we are a server, this may be filled in to provide an
	 * NTLM authentication backend, and user lookup (such as if no
	 * PAC is found) */
	struct auth_context *auth_context;
};
180
181/* this structure is used by backends to determine the size of some critical types */
/*
 * Sizes a separately built backend can compare against its own compile-time
 * view of the interface before registering; interface_version is presumably
 * compared with GENSEC_INTERFACE_VERSION above. Any mismatch should be
 * treated as an incompatible backend rather than ignored.
 */
struct gensec_critical_sizes {
	int interface_version;
	int sizeof_gensec_security_ops;	/* sizeof(struct gensec_security_ops) as seen by the core */
	int sizeof_gensec_security;	/* sizeof(struct gensec_security) as seen by the core */
};
187
188/* Socket wrapper */
189
190struct gensec_security;
191struct socket_context;
192struct auth_context;
193
/**
 * Wrap current_socket so that traffic on *new_socket presumably passes
 * through this context's wrap/unwrap protection ("Socket wrapper" above).
 * recv_handler/recv_private are how incoming data is reported to the owner;
 * the meaning of the uint16_t argument is not visible from this header.
 * *new_socket is allocated on mem_ctx. Returns NT_STATUS_OK on success.
 */
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
			    TALLOC_CTX *mem_ctx,
			    struct socket_context *current_socket,
			    struct tevent_context *ev,
			    void (*recv_handler)(void *, uint16_t),
			    void *recv_private,
			    struct socket_context **new_socket);
201/* These functions are for use here only (public because SPNEGO must
202 * use them for recursion) */
/**
 * Dispatches to gensec_security_ops.wrap_packets: protect *in into *out
 * (allocated on mem_ctx) and report in *len_processed how much of *in was
 * consumed. Not part of the general API; see the comment above.
 */
NTSTATUS gensec_wrap_packets(struct gensec_security *gensec_security,
			     TALLOC_CTX *mem_ctx,
			     const DATA_BLOB *in,
			     DATA_BLOB *out,
			     size_t *len_processed);
208/* These functions are for use here only (public because SPNEGO must
209 * use them for recursion) */
/**
 * Dispatches to gensec_security_ops.unwrap_packets: verify/decrypt *in into
 * *out (allocated on mem_ctx) and report in *len_processed how much of *in
 * was consumed. Output must only be used when NT_STATUS_OK is returned.
 */
NTSTATUS gensec_unwrap_packets(struct gensec_security *gensec_security,
			       TALLOC_CTX *mem_ctx,
			       const DATA_BLOB *in,
			       DATA_BLOB *out,
			       size_t *len_processed);
215
216/* These functions are for use here only (public because SPNEGO must
217 * use them for recursion) */
/**
 * Dispatches to gensec_security_ops.packet_full_request: given the bytes
 * received so far in blob, report the length of the complete request in
 * *size (name-based reading; confirm in the socket wrapper).
 */
NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
				    DATA_BLOB blob, size_t *size);
220
221struct loadparm_context;
222
/**
 * Create a child context of parent on mem_ctx. Presumably used by SPNEGO to
 * run an inner mechanism; which parent fields the child inherits is decided
 * in gensec.c.
 */
NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
				 struct gensec_security *parent,
				 struct gensec_security **gensec_security);
/**
 * Allocate a client-role context on mem_ctx using the given event context
 * and settings. A mechanism still has to be chosen with one of the
 * gensec_start_mech_by_*() functions before gensec_update() is called.
 */
NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
			     struct gensec_security **gensec_security,
			     struct tevent_context *ev,
			     struct gensec_settings *settings);
/** Start the first usable mechanism from sasl_names (presumably NULL-terminated; confirm). */
NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
						 const char **sasl_names);
/**
 * Synchronous step of the exchange: feed the token received from the peer
 * in `in`, get the token to send in *out (allocated on out_mem_ctx). Call
 * repeatedly until the returned status says the exchange is complete. Only
 * NT_STATUS_OK means the peer authenticated successfully; any other final
 * status is a failure and the context must not be used for data protection.
 * (Samba conventionally signals "more round trips" with
 * NT_STATUS_MORE_PROCESSING_REQUIRED — confirm in gensec.c.)
 */
NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
		       const DATA_BLOB in, DATA_BLOB *out);
/**
 * Asynchronous form of gensec_update(): callback(req, private_data) is
 * invoked when the step completes, and the result is then collected with
 * gensec_update_recv(), which hands out the reply token on out_mem_ctx.
 */
void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
				 void (*callback)(struct gensec_update_request *req, void *private_data),
				 void *private_data);
NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
/**
 * Request a GENSEC_FEATURE_* bit before the exchange / ask whether a
 * feature is actually available. Wanting is not having: code that depends
 * on SIGN or SEAL should verify with gensec_have_feature() once the
 * exchange has completed (reading of the want/have pairing — confirm).
 */
void gensec_want_feature(struct gensec_security *gensec_security,
			 uint32_t feature);
bool gensec_have_feature(struct gensec_security *gensec_security,
			 uint32_t feature);
/** Attach the credentials this context authenticates with (ownership/lifetime rules are not stated here — confirm in gensec.c). */
NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials);
/** Set/get the service part of the target (client role), kept in gensec_security.target. */
NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service);
const char *gensec_get_target_service(struct gensec_security *gensec_security);
/** Set/get the host part of the target (client role), kept in gensec_security.target. */
NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname);
const char *gensec_get_target_hostname(struct gensec_security *gensec_security);
/**
 * Obtain the negotiated session key in *session_key. This is key material:
 * keep it only as long as needed and do not log it. Expected to fail unless
 * the exchange completed and GENSEC_FEATURE_SESSION_KEY applies (inferred).
 */
NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
			    DATA_BLOB *session_key);
/** Select the backend whose gensec_security_ops.oid list contains mech_oid. */
NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
				  const char *mech_oid);
/** Human-readable name of the backend registered for oid_string (NULL semantics on miss not stated here). */
const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security);
/** One-time subsystem initialisation (presumably backend registration driven by lp_ctx); call before creating contexts. */
NTSTATUS gensec_init(struct loadparm_context *lp_ctx);
/**
 * Per-PDU receive-side protection, dispatched to the backend entries of the
 * same name. gensec_unseal_packet() decrypts data in place and verifies
 * *sig; gensec_check_packet() only verifies *sig and leaves data untouched.
 * whole_pdu/pdu_length is the full PDU containing data. A result other than
 * NT_STATUS_OK is an integrity/authenticity failure: the PDU must be
 * discarded, not processed.
 */
NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
			      TALLOC_CTX *mem_ctx,
			      uint8_t *data, size_t length,
			      const uint8_t *whole_pdu, size_t pdu_length,
			      const DATA_BLOB *sig);
NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
			     TALLOC_CTX *mem_ctx,
			     const uint8_t *data, size_t length,
			     const uint8_t *whole_pdu, size_t pdu_length,
			     const DATA_BLOB *sig);
/** Signature length for a data_size byte payload, so senders can reserve room before calling seal/sign. */
size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size);
/**
 * Per-PDU send-side protection. gensec_seal_packet() encrypts data in place
 * (non-const) and writes the signature to *sig on mem_ctx;
 * gensec_sign_packet() leaves data as is and only produces *sig.
 */
NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
			    TALLOC_CTX *mem_ctx,
			    uint8_t *data, size_t length,
			    const uint8_t *whole_pdu, size_t pdu_length,
			    DATA_BLOB *sig);
NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
			    TALLOC_CTX *mem_ctx,
			    const uint8_t *data, size_t length,
			    const uint8_t *whole_pdu, size_t pdu_length,
			    DATA_BLOB *sig);
/**
 * Select the backend whose gensec_security_ops.auth_type equals auth_type
 * (DCE-RPC). auth_level is presumably the DCE-RPC authentication level and
 * may translate into GENSEC_FEATURE_SIGN/SEAL requests — confirm in gensec.c.
 */
NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
				       uint8_t auth_type, uint8_t auth_level);
/** Human-readable name of the backend registered for authtype (return on miss not stated here). */
const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype);
/**
 * Allocate a server-role context on mem_ctx. auth_context is what backends
 * use for password verification and user lookup (see the comment on
 * gensec_security.auth_context).
 */
NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
			     struct tevent_context *ev,
			     struct gensec_settings *settings,
			     struct auth_context *auth_context,
			     struct gensec_security **gensec_security);
/** Server side: obtain the authorization result for the authenticated peer; only meaningful after a successful exchange. */
NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
			     struct auth_session_info **session_info);
/**
 * Map a detailed authentication status to the one reported to the peer.
 * From the name, this presumably collapses failure reasons so the reply does
 * not reveal why a logon failed (e.g. unknown user vs. wrong password) —
 * confirm in the auth code before relying on it.
 */
NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
struct netlogon_creds_CredentialState;
/** schannel only: hand out the netlogon credential state behind this context, allocated on mem_ctx. */
NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
			       TALLOC_CTX *mem_ctx,
			       struct netlogon_creds_CredentialState **creds);
/** Record the transport addresses in gensec_security.peer_addr / my_addr for backends that bind to them. */
NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr);
NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr);
293
/** Select the backend whose gensec_security_ops.name equals name. */
NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
					const char *name);
296
/**
 * Whole-blob protection, dispatched to gensec_security_ops.unwrap/wrap.
 * gensec_wrap() turns *in into protected *out; gensec_unwrap() verifies and
 * (if sealed) decrypts *in into *out. Output is allocated on mem_ctx and,
 * for unwrap, must only be used when NT_STATUS_OK is returned.
 */
NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
		       TALLOC_CTX *mem_ctx,
		       const DATA_BLOB *in,
		       DATA_BLOB *out);
NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
		     TALLOC_CTX *mem_ctx,
		     const DATA_BLOB *in,
		     DATA_BLOB *out);
305
/** All registered backends (termination convention of the array is not visible here — confirm in gensec.c). */
struct gensec_security_ops **gensec_security_all(void);
/** Whether ops may be used for the given context; presumably consults ops->enabled and configuration. */
bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
/**
 * Return a copy of old_gensec_list on mem_ctx, filtered by whether Kerberos
 * mechanisms (ops->kerberos) are usable with creds — name-based reading,
 * confirm the exact policy in gensec.c.
 */
struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
						       struct gensec_security_ops **old_gensec_list,
						       struct cli_credentials *creds);
311
/** Select the backend whose gensec_security_ops.sasl_name equals sasl_name. */
NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
					const char *sasl_name);
314
/**
 * Look up a per-mechanism configuration value `name` for `mechanism` via
 * settings (presumably settings->lp_ctx), returning default_value when it
 * is not set. The key layout in the configuration is not visible here.
 */
int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
317
318#endif /* __GENSEC_H__ */
319