LCOV - code coverage report
Current view: top level - auth/gensec - gensec_start.c (source / functions) Hit Total Coverage
Test: coverage report for master 6248eab5 Lines: 411 469 87.6 %
Date: 2021-08-25 13:27:56 Functions: 35 36 97.2 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Generic Authentication Interface
       5             : 
       6             :    Copyright (C) Andrew Tridgell 2003
       7             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
       8             : 
       9             :    This program is free software; you can redistribute it and/or modify
      10             :    it under the terms of the GNU General Public License as published by
      11             :    the Free Software Foundation; either version 3 of the License, or
      12             :    (at your option) any later version.
      13             : 
      14             :    This program is distributed in the hope that it will be useful,
      15             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      16             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      17             :    GNU General Public License for more details.
      18             : 
      19             :    You should have received a copy of the GNU General Public License
      20             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      21             : */
      22             : 
      23             : #include "includes.h"
      24             : #include "system/network.h"
      25             : #include "tevent.h"
      26             : #include "../lib/util/tevent_ntstatus.h"
      27             : #include "librpc/gen_ndr/dcerpc.h"
      28             : #include "auth/credentials/credentials.h"
      29             : #include "auth/gensec/gensec.h"
      30             : #include "auth/gensec/gensec_internal.h"
      31             : #include "lib/param/param.h"
      32             : #include "lib/param/loadparm.h"
      33             : #include "lib/util/tsort.h"
      34             : #include "lib/util/samba_modules.h"
      35             : #include "lib/util/base64.h"
      36             : 
      37             : #undef DBGC_CLASS
      38             : #define DBGC_CLASS DBGC_AUTH
      39             : 
      40             : #undef strcasecmp
      41             : 
      42             : /* the list of currently registered GENSEC backends */
      43             : static const struct gensec_security_ops **generic_security_ops;
      44             : static int gensec_num_backends;
      45             : 
      46     3055695 : bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
      47             : {
      48     3055695 :         bool ok = lpcfg_parm_bool(security->settings->lp_ctx,
      49             :                                   NULL,
      50             :                                   "gensec",
      51             :                                   ops->name,
      52     3055695 :                                   ops->enabled);
      53             : 
      54     3611216 :         if (ops->weak_crypto &&
      55      555521 :             lpcfg_weak_crypto(security->settings->lp_ctx) != SAMBA_WEAK_CRYPTO_ALLOWED) {
      56           0 :                 ok = false;
      57             :         }
      58             : 
      59     3055695 :         return ok;
      60             : }
      61             : 
      62             : /* Sometimes we want to force only kerberos, sometimes we want to
      63             :  * force it's avoidance.  The old list could be either
      64             :  * gensec_security_all(), or from cli_credentials_gensec_list() (ie,
      65             :  * an existing list we have trimmed down)
      66             :  *
      67             :  * The intended logic is:
      68             :  *
      69             :  * if we are in the default AUTO have kerberos:
      70             :  * - take a reference to the master list
      71             :  * otherwise
      72             :  * - always add spnego then:
      73             :  * - if we 'MUST' have kerberos:
      74             :  *   only add kerberos mechs
      75             :  * - if we 'DONT' want kerberos':
      76             :  *   only add non-kerberos mechs
      77             :  *
      78             :  * Once we get things like NegoEx or moonshot, this will of course get
      79             :  * more compplex.
      80             :  */
      81             : 
      82     1258428 : static const struct gensec_security_ops **gensec_use_kerberos_mechs(
      83             :                 TALLOC_CTX *mem_ctx,
      84             :                 const struct gensec_security_ops * const *old_gensec_list,
      85             :                 enum credentials_use_kerberos use_kerberos,
      86             :                 bool keep_schannel)
      87             : {
      88             :         const struct gensec_security_ops **new_gensec_list;
      89             :         int i, j, num_mechs_in;
      90             : 
      91     1258428 :         for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
      92             :                 /* noop */
      93             :         }
      94             : 
      95     1258428 :         new_gensec_list = talloc_array(mem_ctx,
      96             :                                        const struct gensec_security_ops *,
      97             :                                        num_mechs_in + 1);
      98     1258428 :         if (!new_gensec_list) {
      99           0 :                 return NULL;
     100             :         }
     101             : 
     102     1238958 :         j = 0;
     103    12872014 :         for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
     104    11633056 :                 bool keep = false;
     105             : 
     106             :                 /*
     107             :                  * We want to keep SPNGEO and other backends
     108             :                  */
     109    11633056 :                 keep = old_gensec_list[i]->glue;
     110             : 
     111    11633056 :                 if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
     112     1071747 :                         keep = keep_schannel;
     113             :                 }
     114             : 
     115    11633056 :                 switch (use_kerberos) {
     116    10215709 :                 case CRED_USE_KERBEROS_DESIRED:
     117    10215709 :                         keep = true;
     118    10215709 :                         break;
     119             : 
     120      913135 :                 case CRED_USE_KERBEROS_DISABLED:
     121      913135 :                         if (old_gensec_list[i]->kerberos == false) {
     122      688823 :                                 keep = true;
     123             :                         }
     124             : 
     125      912939 :                         break;
     126             : 
     127      322548 :                 case CRED_USE_KERBEROS_REQUIRED:
     128      322548 :                         if (old_gensec_list[i]->kerberos == true) {
     129      112974 :                                 keep = true;
     130             :                         }
     131             : 
     132      322548 :                         break;
     133           0 :                 default:
     134             :                         /* Can't happen or invalid parameter */
     135           0 :                         return NULL;
     136             :                 }
     137             : 
     138    11451266 :                 if (!keep) {
     139      385906 :                         continue;
     140             :                 }
     141             : 
     142    11247150 :                 new_gensec_list[j] = old_gensec_list[i];
     143    11247150 :                 j++;
     144             :         }
     145     1258428 :         new_gensec_list[j] = NULL;
     146             : 
     147     1258428 :         return new_gensec_list;
     148             : }
     149             : 
     150     1258428 : _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
     151             :                                 struct gensec_security *gensec_security,
     152             :                                 TALLOC_CTX *mem_ctx)
     153             : {
     154     1258428 :         const struct gensec_security_ops * const *backends =
     155             :                 generic_security_ops;
     156     1258428 :         enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED;
     157     1258428 :         bool keep_schannel = false;
     158             : 
     159     1258428 :         if (gensec_security != NULL) {
     160      457526 :                 struct cli_credentials *creds = NULL;
     161             : 
     162      457526 :                 creds = gensec_get_credentials(gensec_security);
     163      457526 :                 if (creds != NULL) {
     164      457524 :                         use_kerberos = cli_credentials_get_kerberos_state(creds);
     165      457524 :                         if (cli_credentials_get_netlogon_creds(creds) != NULL) {
     166        5216 :                                 keep_schannel = true;
     167             :                         }
     168             : 
     169             :                         /*
     170             :                          * Even if Kerberos is set to REQUIRED, keep the
     171             :                          * schannel auth mechanism that machine accounts are
     172             :                          * able to authenticate via netlogon.
     173             :                          */
     174      457524 :                         if (gensec_security->gensec_role == GENSEC_SERVER) {
     175      285255 :                                 keep_schannel = true;
     176             :                         }
     177             :                 }
     178             : 
     179      457526 :                 if (gensec_security->settings->backends) {
     180      174649 :                         backends = gensec_security->settings->backends;
     181             :                 }
     182             :         }
     183             : 
     184     1258428 :         return gensec_use_kerberos_mechs(mem_ctx, backends,
     185             :                                          use_kerberos, keep_schannel);
     186             : 
     187             : }
     188             : 
     189      258519 : _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
     190             :                                 struct gensec_security *gensec_security,
     191             :                                 const char *oid_string)
     192             : {
     193             :         int i, j;
     194             :         const struct gensec_security_ops **backends;
     195             :         const struct gensec_security_ops *backend;
     196      258519 :         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
     197      258519 :         if (!mem_ctx) {
     198           0 :                 return NULL;
     199             :         }
     200      258519 :         backends = gensec_security_mechs(gensec_security, mem_ctx);
     201      744046 :         for (i=0; backends && backends[i]; i++) {
     202      949002 :                 if (gensec_security != NULL &&
     203      205100 :                                 !gensec_security_ops_enabled(backends[i],
     204             :                                                                                          gensec_security))
     205         233 :                     continue;
     206      743669 :                 if (backends[i]->oid) {
     207      981019 :                         for (j=0; backends[i]->oid[j]; j++) {
     208     1338724 :                                 if (backends[i]->oid[j] &&
     209      670344 :                                     (strcmp(backends[i]->oid[j], oid_string) == 0)) {
     210      258375 :                                         backend = backends[i];
     211      258375 :                                         talloc_free(mem_ctx);
     212      258375 :                                         return backend;
     213             :                                 }
     214             :                         }
     215             :                 }
     216             :         }
     217         144 :         talloc_free(mem_ctx);
     218             : 
     219         144 :         return NULL;
     220             : }
     221             : 
     222       18599 : _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
     223             :                                 struct gensec_security *gensec_security,
     224             :                                 const char *sasl_name)
     225             : {
     226             :         int i;
     227             :         const struct gensec_security_ops **backends;
     228             :         const struct gensec_security_ops *backend;
     229       18599 :         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
     230       18599 :         if (!mem_ctx) {
     231           0 :                 return NULL;
     232             :         }
     233       18599 :         backends = gensec_security_mechs(gensec_security, mem_ctx);
     234       19931 :         for (i=0; backends && backends[i]; i++) {
     235       39858 :                 if (gensec_security != NULL &&
     236       19929 :                     !gensec_security_ops_enabled(backends[i], gensec_security)) {
     237         438 :                         continue;
     238             :                 }
     239       19491 :                 if (backends[i]->sasl_name
     240       19041 :                     && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
     241       18597 :                         backend = backends[i];
     242       18597 :                         talloc_free(mem_ctx);
     243       18597 :                         return backend;
     244             :                 }
     245             :         }
     246           2 :         talloc_free(mem_ctx);
     247             : 
     248           2 :         return NULL;
     249             : }
     250             : 
     251      166107 : _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
     252             :                                 struct gensec_security *gensec_security,
     253             :                                 uint32_t auth_type)
     254             : {
     255             :         int i;
     256             :         const struct gensec_security_ops **backends;
     257             :         const struct gensec_security_ops *backend;
     258             :         TALLOC_CTX *mem_ctx;
     259             : 
     260      166107 :         if (auth_type == DCERPC_AUTH_TYPE_NONE) {
     261           2 :                 return NULL;
     262             :         }
     263             : 
     264      166105 :         mem_ctx = talloc_new(gensec_security);
     265      166105 :         if (!mem_ctx) {
     266           0 :                 return NULL;
     267             :         }
     268      166105 :         backends = gensec_security_mechs(gensec_security, mem_ctx);
     269     1049428 :         for (i=0; backends && backends[i]; i++) {
     270     1102142 :                 if (gensec_security != NULL &&
     271       52772 :                     !gensec_security_ops_enabled(backends[i], gensec_security)) {
     272        9670 :                         continue;
     273             :                 }
     274     1039700 :                 if (backends[i]->auth_type == auth_type) {
     275      166047 :                         backend = backends[i];
     276      166047 :                         talloc_free(mem_ctx);
     277      166047 :                         return backend;
     278             :                 }
     279             :         }
     280          58 :         talloc_free(mem_ctx);
     281             : 
     282          58 :         return NULL;
     283             : }
     284             : 
     285      503515 : const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
     286             :                                                           const char *name)
     287             : {
     288             :         int i;
     289             :         const struct gensec_security_ops **backends;
     290             :         const struct gensec_security_ops *backend;
     291      503515 :         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
     292      503515 :         if (!mem_ctx) {
     293           0 :                 return NULL;
     294             :         }
     295      503515 :         backends = gensec_security_mechs(gensec_security, mem_ctx);
     296     3506492 :         for (i=0; backends && backends[i]; i++) {
     297     3037774 :                 if (gensec_security != NULL &&
     298        7521 :                                 !gensec_security_ops_enabled(backends[i], gensec_security))
     299        1466 :                     continue;
     300     3028787 :                 if (backends[i]->name
     301     3028787 :                     && (strcmp(backends[i]->name, name) == 0)) {
     302       27276 :                         backend = backends[i];
     303       27276 :                         talloc_free(mem_ctx);
     304       27276 :                         return backend;
     305             :                 }
     306             :         }
     307      476239 :         talloc_free(mem_ctx);
     308      476239 :         return NULL;
     309             : }
     310             : 
     311       36303 : static const char **gensec_security_sasl_names_from_ops(
     312             :         struct gensec_security *gensec_security,
     313             :         TALLOC_CTX *mem_ctx,
     314             :         const struct gensec_security_ops * const *ops)
     315             : {
     316       36303 :         const char **sasl_names = NULL;
     317       36303 :         size_t i, sasl_names_count = 0;
     318             : 
     319       36303 :         if (ops == NULL) {
     320           0 :                 return NULL;
     321             :         }
     322             : 
     323       36303 :         sasl_names = talloc_array(mem_ctx, const char *, 1);
     324       36303 :         if (sasl_names == NULL) {
     325           0 :                 return NULL;
     326             :         }
     327             : 
     328      544301 :         for (i = 0; ops[i] != NULL; i++) {
     329      508242 :                 enum gensec_role role = GENSEC_SERVER;
     330      508242 :                 const char **tmp = NULL;
     331             : 
     332      508242 :                 if (ops[i]->sasl_name == NULL) {
     333      326727 :                         continue;
     334             :                 }
     335             : 
     336      181515 :                 if (gensec_security != NULL) {
     337      181515 :                         if (!gensec_security_ops_enabled(ops[i],
     338             :                                                          gensec_security)) {
     339       36303 :                                 continue;
     340             :                         }
     341             : 
     342      145212 :                         role = gensec_security->gensec_role;
     343             :                 }
     344             : 
     345      145212 :                 switch (role) {
     346           0 :                 case GENSEC_CLIENT:
     347           0 :                         if (ops[i]->client_start == NULL) {
     348           0 :                                 continue;
     349             :                         }
     350           0 :                         break;
     351      145212 :                 case GENSEC_SERVER:
     352      145212 :                         if (ops[i]->server_start == NULL) {
     353       36303 :                                 continue;
     354             :                         }
     355      108177 :                         break;
     356             :                 }
     357             : 
     358      108909 :                 tmp = talloc_realloc(mem_ctx,
     359             :                                      sasl_names,
     360             :                                      const char *,
     361             :                                      sasl_names_count + 2);
     362      108909 :                 if (tmp == NULL) {
     363           0 :                         TALLOC_FREE(sasl_names);
     364           0 :                         return NULL;
     365             :                 }
     366      108909 :                 sasl_names = tmp;
     367             : 
     368      108909 :                 sasl_names[sasl_names_count] = ops[i]->sasl_name;
     369      108909 :                 sasl_names_count++;
     370             :         }
     371       36303 :         sasl_names[sasl_names_count] = NULL;
     372             : 
     373       36303 :         return sasl_names;
     374             : }
     375             : 
     376             : /**
     377             :  * @brief Get the sasl names from the gensec security context.
     378             :  *
     379             :  * @param[in]  gensec_security The gensec security context.
     380             :  *
     381             :  * @param[in]  mem_ctx The memory context to allocate memory on.
     382             :  *
     383             :  * @return An allocated array with sasl names, NULL on error.
     384             :  */
     385             : _PUBLIC_
     386       36303 : const char **gensec_security_sasl_names(struct gensec_security *gensec_security,
     387             :                                         TALLOC_CTX *mem_ctx)
     388             : {
     389       36303 :         const struct gensec_security_ops **ops = NULL;
     390             : 
     391       36303 :         ops = gensec_security_mechs(gensec_security, mem_ctx);
     392             : 
     393       36303 :         return gensec_security_sasl_names_from_ops(gensec_security,
     394             :                                                    mem_ctx,
     395             :                                                    ops);
     396             : }
     397             : 
     398             : /**
     399             :  * Return a unique list of security subsystems from those specified in
     400             :  * the list of SASL names.
     401             :  *
     402             :  * Use the list of enabled GENSEC mechanisms from the credentials
     403             :  * attached to the gensec_security, and return in our preferred order.
     404             :  */
     405             : 
     406       18260 : static const struct gensec_security_ops **gensec_security_by_sasl_list(
     407             :         struct gensec_security *gensec_security,
     408             :         TALLOC_CTX *mem_ctx,
     409             :         const char **sasl_names)
     410             : {
     411             :         const struct gensec_security_ops **backends_out;
     412             :         const struct gensec_security_ops **backends;
     413             :         int i, k, sasl_idx;
     414       18260 :         int num_backends_out = 0;
     415             : 
     416       18260 :         if (!sasl_names) {
     417           0 :                 return NULL;
     418             :         }
     419             : 
     420       18260 :         backends = gensec_security_mechs(gensec_security, mem_ctx);
     421             : 
     422       18260 :         backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1);
     423       18260 :         if (!backends_out) {
     424           0 :                 return NULL;
     425             :         }
     426       18260 :         backends_out[0] = NULL;
     427             : 
     428             :         /* Find backends in our preferred order, by walking our list,
     429             :          * then looking in the supplied list */
     430      230202 :         for (i=0; backends && backends[i]; i++) {
     431      423884 :                 if (gensec_security != NULL &&
     432      211942 :                                 !gensec_security_ops_enabled(backends[i], gensec_security))
     433       26780 :                     continue;
     434      737816 :                 for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
     435      741360 :                         if (!backends[i]->sasl_name ||
     436      187242 :                             !(strcmp(backends[i]->sasl_name,
     437      185778 :                                      sasl_names[sasl_idx]) == 0)) {
     438      506972 :                                 continue;
     439             :                         }
     440             : 
     441       86634 :                         for (k=0; backends_out[k]; k++) {
     442       39854 :                                 if (backends_out[k] == backends[i]) {
     443           0 :                                         break;
     444             :                                 }
     445             :                         }
     446             : 
     447       47146 :                         if (k < num_backends_out) {
     448             :                                 /* already in there */
     449           0 :                                 continue;
     450             :                         }
     451             : 
     452       47146 :                         backends_out = talloc_realloc(mem_ctx, backends_out,
     453             :                                                       const struct gensec_security_ops *,
     454             :                                                       num_backends_out + 2);
     455       47146 :                         if (!backends_out) {
     456           0 :                                 return NULL;
     457             :                         }
     458             : 
     459       47146 :                         backends_out[num_backends_out] = backends[i];
     460       47146 :                         num_backends_out++;
     461       47146 :                         backends_out[num_backends_out] = NULL;
     462             :                 }
     463             :         }
     464       18138 :         return backends_out;
     465             : }
     466             : 
     467             : /**
     468             :  * Return a unique list of security subsystems from those specified in
     469             :  * the OID list.  That is, where two OIDs refer to the same module,
     470             :  * return that module only once.
     471             :  *
     472             :  * Use the list of enabled GENSEC mechanisms from the credentials
     473             :  * attached to the gensec_security, and return in our preferred order.
     474             :  */
     475             : 
     476      155404 : _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
     477             :                                         struct gensec_security *gensec_security,
     478             :                                         TALLOC_CTX *mem_ctx,
     479             :                                         const char * const *oid_strings,
     480             :                                         const char *skip)
     481             : {
     482             :         struct gensec_security_ops_wrapper *backends_out;
     483             :         const struct gensec_security_ops **backends;
     484             :         int i, j, k, oid_idx;
     485      155404 :         int num_backends_out = 0;
     486             : 
     487      155404 :         if (!oid_strings) {
     488           0 :                 return NULL;
     489             :         }
     490             : 
     491      155404 :         backends = gensec_security_mechs(gensec_security, gensec_security);
     492             : 
     493      155404 :         backends_out = talloc_array(mem_ctx, struct gensec_security_ops_wrapper, 1);
     494      155404 :         if (!backends_out) {
     495           0 :                 return NULL;
     496             :         }
     497      155404 :         backends_out[0].op = NULL;
     498      155404 :         backends_out[0].oid = NULL;
     499             : 
     500             :         /* Find backends in our preferred order, by walking our list,
     501             :          * then looking in the supplied list */
     502     1624442 :         for (i=0; backends && backends[i]; i++) {
     503     2938076 :                 if (gensec_security != NULL &&
     504     1469038 :                                 !gensec_security_ops_enabled(backends[i], gensec_security))
     505      162727 :                     continue;
     506     1306311 :                 if (!backends[i]->oid) {
     507      901439 :                         continue;
     508             :                 }
     509     1306230 :                 for (oid_idx = 0; oid_strings[oid_idx]; oid_idx++) {
     510      908568 :                         if (strcmp(oid_strings[oid_idx], skip) == 0) {
     511           0 :                                 continue;
     512             :                         }
     513             : 
     514     2067519 :                         for (j=0; backends[i]->oid[j]; j++) {
     515     2332310 :                                 if (!backends[i]->oid[j] ||
     516     1180561 :                                     !(strcmp(backends[i]->oid[j],
     517     1151749 :                                             oid_strings[oid_idx]) == 0)) {
     518      854757 :                                         continue;
     519             :                                 }
     520             : 
     521      396660 :                                 for (k=0; backends_out[k].op; k++) {
     522      170402 :                                         if (backends_out[k].op == backends[i]) {
     523       89942 :                                                 break;
     524             :                                         }
     525             :                                 }
     526             : 
     527      325804 :                                 if (k < num_backends_out) {
     528             :                                         /* already in there */
     529       92342 :                                         continue;
     530             :                                 }
     531             : 
     532      233462 :                                 backends_out = talloc_realloc(mem_ctx, backends_out,
     533             :                                                               struct gensec_security_ops_wrapper,
     534             :                                                               num_backends_out + 2);
     535      233462 :                                 if (!backends_out) {
     536           0 :                                         return NULL;
     537             :                                 }
     538             : 
     539      233462 :                                 backends_out[num_backends_out].op = backends[i];
     540      233462 :                                 backends_out[num_backends_out].oid = backends[i]->oid[j];
     541      233462 :                                 num_backends_out++;
     542      233462 :                                 backends_out[num_backends_out].op = NULL;
     543      233462 :                                 backends_out[num_backends_out].oid = NULL;
     544             :                         }
     545             :                 }
     546             :         }
     547      153000 :         return backends_out;
     548             : }
     549             : 
     550             : /**
     551             :  * Return OIDS from the security subsystems listed
     552             :  */
     553             : 
     554      101396 : static const char **gensec_security_oids_from_ops(
     555             :         struct gensec_security *gensec_security,
     556             :         TALLOC_CTX *mem_ctx,
     557             :         const struct gensec_security_ops * const *ops,
     558             :         const char *skip)
     559             : {
     560             :         int i;
     561      101396 :         int j = 0;
     562             :         int k;
     563             :         const char **oid_list;
     564      101396 :         if (!ops) {
     565           0 :                 return NULL;
     566             :         }
     567      101396 :         oid_list = talloc_array(mem_ctx, const char *, 1);
     568      101396 :         if (!oid_list) {
     569           0 :                 return NULL;
     570             :         }
     571             : 
     572     1007090 :         for (i=0; ops && ops[i]; i++) {
     573     1814716 :                 if (gensec_security != NULL &&
     574      907358 :                         !gensec_security_ops_enabled(ops[i], gensec_security)) {
     575       93811 :                         continue;
     576             :                 }
     577      813547 :                 if (!ops[i]->oid) {
     578      552349 :                         continue;
     579             :                 }
     580             : 
     581      583328 :                 for (k = 0; ops[i]->oid[k]; k++) {
     582      327120 :                         if (skip && strcmp(skip, ops[i]->oid[k])==0) {
     583             :                         } else {
     584      225724 :                                 oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
     585      225724 :                                 if (!oid_list) {
     586           0 :                                         return NULL;
     587             :                                 }
     588      225724 :                                 oid_list[j] = ops[i]->oid[k];
     589      225724 :                                 j++;
     590             :                         }
     591             :                 }
     592             :         }
     593      101396 :         oid_list[j] = NULL;
     594      101396 :         return oid_list;
     595             : }
     596             : 
     597             : 
     598             : /**
     599             :  * Return OIDS from the security subsystems listed
     600             :  */
     601             : 
     602       69181 : _PUBLIC_ const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
     603             :                                 const struct gensec_security_ops_wrapper *wops)
     604             : {
     605             :         int i;
     606       69181 :         int j = 0;
     607             :         int k;
     608             :         const char **oid_list;
     609       69181 :         if (!wops) {
     610           0 :                 return NULL;
     611             :         }
     612       69181 :         oid_list = talloc_array(mem_ctx, const char *, 1);
     613       69181 :         if (!oid_list) {
     614           0 :                 return NULL;
     615             :         }
     616             : 
     617      168281 :         for (i=0; wops[i].op; i++) {
     618      100242 :                 if (!wops[i].op->oid) {
     619           0 :                         continue;
     620             :                 }
     621             : 
     622      233260 :                 for (k = 0; wops[i].op->oid[k]; k++) {
     623      135302 :                         oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
     624      135302 :                         if (!oid_list) {
     625           0 :                                 return NULL;
     626             :                         }
     627      135302 :                         oid_list[j] = wops[i].op->oid[k];
     628      135302 :                         j++;
     629             :                 }
     630             :         }
     631       69181 :         oid_list[j] = NULL;
     632       69181 :         return oid_list;
     633             : }
     634             : 
     635             : 
     636             : /**
     637             :  * Return all the security subsystems currently enabled on a GENSEC context.
     638             :  *
     639             :  * This is taken from a list attached to the cli_credentials, and
     640             :  * skips the OID in 'skip'.  (Typically the SPNEGO OID)
     641             :  *
     642             :  */
     643             : 
     644      101396 : _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_security,
     645             :                                            TALLOC_CTX *mem_ctx,
     646             :                                            const char *skip)
     647             : {
     648             :         const struct gensec_security_ops **ops;
     649             : 
     650      101396 :         ops = gensec_security_mechs(gensec_security, mem_ctx);
     651             : 
     652      101396 :         return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
     653             : }
     654             : 
     655      600683 : static int gensec_security_destructor(struct gensec_security *gctx)
     656             : {
     657      600683 :         if (gctx->parent_security != NULL) {
     658         130 :                 if (gctx->parent_security->child_security == gctx) {
     659         130 :                         gctx->parent_security->child_security = NULL;
     660             :                 }
     661         130 :                 gctx->parent_security = NULL;
     662             :         }
     663             : 
     664      600683 :         if (gctx->child_security != NULL) {
     665      104194 :                 if (gctx->child_security->parent_security == gctx) {
     666      104194 :                         gctx->child_security->parent_security = NULL;
     667             :                 }
     668      104194 :                 gctx->child_security = NULL;
     669             :         }
     670             : 
     671      600683 :         return 0;
     672             : }
     673             : 
     674             : /**
     675             :   Start the GENSEC system, returning a context pointer.
     676             :   @param mem_ctx The parent TALLOC memory context.
     677             :   @param gensec_security Returned GENSEC context pointer.
     678             :   @note  The mem_ctx is only a parent and may be NULL.
     679             :   @note, the auth context is moved to be a referenced pointer of the
     680             :   @ gensec_security return
     681             : */
     682      210718 : static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
     683             :                              struct gensec_settings *settings,
     684             :                              struct auth4_context *auth_context,
     685             :                              struct gensec_security **gensec_security)
     686             : {
     687      210718 :         (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
     688      210718 :         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
     689             : 
     690      210718 :         (*gensec_security)->max_update_size = 0;
     691             : 
     692      210718 :         SMB_ASSERT(settings->lp_ctx != NULL);
     693      210718 :         (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
     694             : 
     695             :         /* We need to reference this, not steal, as the caller may be
     696             :          * python, which won't like it if we steal it's object away
     697             :          * from it */
     698      210718 :         (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
     699             : 
     700      210718 :         talloc_set_destructor((*gensec_security), gensec_security_destructor);
     701      210718 :         return NT_STATUS_OK;
     702             : }
     703             : 
     704             : /**
     705             :  * Start a GENSEC subcontext, with a copy of the properties of the parent
     706             :  * @param mem_ctx The parent TALLOC memory context.
     707             :  * @param parent The parent GENSEC context
     708             :  * @param gensec_security Returned GENSEC context pointer.
     709             :  * @note Used by SPNEGO in particular, for the actual implementation mechanism
     710             :  */
     711             : 
     712      176274 : _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
     713             :                                  struct gensec_security *parent,
     714             :                                  struct gensec_security **gensec_security)
     715             : {
     716      176274 :         if (parent->child_security != NULL) {
     717           0 :                 return NT_STATUS_INTERNAL_ERROR;
     718             :         }
     719             : 
     720      176274 :         (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
     721      176274 :         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
     722             : 
     723      176274 :         (**gensec_security) = *parent;
     724      176274 :         (*gensec_security)->ops = NULL;
     725      176274 :         (*gensec_security)->private_data = NULL;
     726      176274 :         (*gensec_security)->update_busy_ptr = NULL;
     727             : 
     728      176274 :         (*gensec_security)->subcontext = true;
     729      176274 :         (*gensec_security)->want_features = parent->want_features;
     730      176274 :         (*gensec_security)->max_update_size = parent->max_update_size;
     731      176274 :         (*gensec_security)->dcerpc_auth_level = parent->dcerpc_auth_level;
     732      176274 :         (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
     733      176274 :         (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
     734      176274 :         (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
     735             : 
     736      176274 :         talloc_set_destructor((*gensec_security), gensec_security_destructor);
     737      176274 :         return NT_STATUS_OK;
     738             : }
     739             : 
     740      104959 : _PUBLIC_ NTSTATUS gensec_child_ready(struct gensec_security *parent,
     741             :                                      struct gensec_security *child)
     742             : {
     743      104959 :         if (parent->child_security != NULL) {
     744           0 :                 return NT_STATUS_INTERNAL_ERROR;
     745             :         }
     746             : 
     747      104959 :         if (child->parent_security != NULL) {
     748           0 :                 return NT_STATUS_INTERNAL_ERROR;
     749             :         }
     750             : 
     751      104959 :         parent->child_security = child;
     752      104959 :         child->parent_security = parent;
     753      104959 :         return NT_STATUS_OK;
     754             : }
     755             : 
     756             : /**
     757             :   Start the GENSEC system, in client mode, returning a context pointer.
     758             :   @param mem_ctx The parent TALLOC memory context.
     759             :   @param gensec_security Returned GENSEC context pointer.
     760             :   @note  The mem_ctx is only a parent and may be NULL.
     761             : */
     762       70621 : _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
     763             :                              struct gensec_security **gensec_security,
     764             :                              struct gensec_settings *settings)
     765             : {
     766             :         NTSTATUS status;
     767             : 
     768       70621 :         if (settings == NULL) {
     769           0 :                 DEBUG(0,("gensec_client_start: no settings given!\n"));
     770           0 :                 return NT_STATUS_INTERNAL_ERROR;
     771             :         }
     772             : 
     773       70621 :         status = gensec_start(mem_ctx, settings, NULL, gensec_security);
     774       70621 :         if (!NT_STATUS_IS_OK(status)) {
     775           0 :                 return status;
     776             :         }
     777       70621 :         (*gensec_security)->gensec_role = GENSEC_CLIENT;
     778             : 
     779       70621 :         return status;
     780             : }
     781             : 
     782             : 
     783             : 
     784             : /**
     785             :   Start the GENSEC system, in server mode, returning a context pointer.
     786             :   @param mem_ctx The parent TALLOC memory context.
     787             :   @param gensec_security Returned GENSEC context pointer.
     788             :   @note  The mem_ctx is only a parent and may be NULL.
     789             : */
     790      140097 : _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
     791             :                                       struct gensec_settings *settings,
     792             :                                       struct auth4_context *auth_context,
     793             :                                       struct gensec_security **gensec_security)
     794             : {
     795             :         NTSTATUS status;
     796             : 
     797      140097 :         if (!settings) {
     798           0 :                 DEBUG(0,("gensec_server_start: no settings given!\n"));
     799           0 :                 return NT_STATUS_INTERNAL_ERROR;
     800             :         }
     801             : 
     802      140097 :         status = gensec_start(mem_ctx, settings, auth_context, gensec_security);
     803      140097 :         if (!NT_STATUS_IS_OK(status)) {
     804           0 :                 return status;
     805             :         }
     806      140097 :         (*gensec_security)->gensec_role = GENSEC_SERVER;
     807             : 
     808      140097 :         return status;
     809             : }
     810             : 
     811      340158 : static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
     812             : {
     813             :         NTSTATUS status;
     814             : 
     815             :         /*
     816             :          * Callers sometimes just reuse a context, we should
     817             :          * clear the internal state before starting it again.
     818             :          */
     819      340158 :         talloc_unlink(gensec_security, gensec_security->private_data);
     820      340158 :         gensec_security->private_data = NULL;
     821             : 
     822      340158 :         if (gensec_security->child_security != NULL) {
     823             :                 /*
     824             :                  * The talloc_unlink(.., gensec_security->private_data)
     825             :                  * should have cleared this via
     826             :                  * gensec_security_destructor().
     827             :                  */
     828           0 :                 return NT_STATUS_INTERNAL_ERROR;
     829             :         }
     830             : 
     831      340158 :         if (gensec_security->credentials) {
     832      340157 :                 const char *forced_mech = cli_credentials_get_forced_sasl_mech(gensec_security->credentials);
     833      340157 :                 if (forced_mech &&
     834           0 :                     (gensec_security->ops->sasl_name == NULL ||
     835           0 :                      strcasecmp(forced_mech, gensec_security->ops->sasl_name) != 0)) {
     836           0 :                         DEBUG(5, ("GENSEC mechanism %s (%s) skipped, as it "
     837             :                                   "did not match forced mechanism %s\n",
     838             :                                   gensec_security->ops->name,
     839             :                                   gensec_security->ops->sasl_name,
     840             :                                   forced_mech));
     841           0 :                         return NT_STATUS_INVALID_PARAMETER;
     842             :                 }
     843             :         }
     844      340158 :         DEBUG(5, ("Starting GENSEC %smechanism %s\n",
     845             :                   gensec_security->subcontext ? "sub" : "",
     846             :                   gensec_security->ops->name));
     847      340158 :         switch (gensec_security->gensec_role) {
     848      136619 :         case GENSEC_CLIENT:
     849      136619 :                 if (gensec_security->ops->client_start) {
     850      136619 :                         status = gensec_security->ops->client_start(gensec_security);
     851      136619 :                         if (!NT_STATUS_IS_OK(status)) {
     852       20130 :                                 DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n",
     853             :                                           gensec_security->ops->name, nt_errstr(status)));
     854             :                         }
     855      136619 :                         return status;
     856             :                 }
     857           0 :                 break;
     858      203539 :         case GENSEC_SERVER:
     859      203539 :                 if (gensec_security->ops->server_start) {
     860      203539 :                         status = gensec_security->ops->server_start(gensec_security);
     861      203539 :                         if (!NT_STATUS_IS_OK(status)) {
     862          10 :                                 DEBUG(1, ("Failed to start GENSEC server mech %s: %s\n",
     863             :                                           gensec_security->ops->name, nt_errstr(status)));
     864             :                         }
     865      203539 :                         return status;
     866             :                 }
     867           0 :                 break;
     868             :         }
     869           0 :         return NT_STATUS_INVALID_PARAMETER;
     870             : }
     871             : 
     872             : /**
     873             :  * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
     874             :  *
     875             :  */
     876             : 
     877      194533 : NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
     878             :                                   const struct gensec_security_ops *ops)
     879             : {
     880      194533 :         gensec_security->ops = ops;
     881      194533 :         return gensec_start_mech(gensec_security);
     882             : }
     883             : 
     884             : 
     885             : /**
     886             :  * Start a GENSEC sub-mechanism by DCERPC allocated 'auth type' number
     887             :  * @param gensec_security GENSEC context pointer.
     888             :  * @param auth_type DCERPC auth type
     889             :  * @param auth_level DCERPC auth level
     890             :  */
     891             : 
     892       17128 : _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
     893             :                                        uint8_t auth_type, uint8_t auth_level)
     894             : {
     895       17128 :         gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
     896       17128 :         if (!gensec_security->ops) {
     897          30 :                 DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
     898          30 :                 return NT_STATUS_INVALID_PARAMETER;
     899             :         }
     900       17098 :         gensec_security->dcerpc_auth_level = auth_level;
     901             :         /*
     902             :          * We need to reset sign/seal in order to reset it.
     903             :          * We may got some default features inherited by the credentials
     904             :          */
     905       17098 :         gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
     906       17098 :         gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
     907       17098 :         gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
     908       17098 :         gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
     909       17098 :         if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
     910        6245 :                 if (gensec_security->gensec_role == GENSEC_CLIENT) {
     911        3257 :                         gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
     912             :                 }
     913       10853 :         } else if (auth_level == DCERPC_AUTH_LEVEL_PACKET) {
     914             :                 /*
     915             :                  * For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4)
     916             :                  * has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5).
     917             :                  */
     918         178 :                 if (gensec_security->gensec_role == GENSEC_CLIENT) {
     919         114 :                         gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
     920             :                 }
     921       10675 :         } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
     922        9046 :                 gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
     923        9046 :                 gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
     924        1629 :         } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
     925             :                 /* Default features */
     926             :         } else {
     927           1 :                 DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
     928             :                          auth_level));
     929           1 :                 return NT_STATUS_INVALID_PARAMETER;
     930             :         }
     931             : 
     932       17097 :         return gensec_start_mech(gensec_security);
     933             : }
     934             : 
     935          31 : _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
     936             : {
     937             :         const struct gensec_security_ops *ops;
     938          31 :         ops = gensec_security_by_auth_type(gensec_security, authtype);
     939          31 :         if (ops) {
     940           1 :                 return ops->name;
     941             :         }
     942          30 :         return NULL;
     943             : }
     944             : 
     945             : 
     946          74 : _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
     947             :                                                                                         const char *oid_string)
     948             : {
     949             :         const struct gensec_security_ops *ops;
     950          74 :         ops = gensec_security_by_oid(gensec_security, oid_string);
     951          74 :         if (ops) {
     952           2 :                 return ops->name;
     953             :         }
     954          72 :         return oid_string;
     955             : }
     956             : 
     957             : /**
     958             :  * Start a GENSEC sub-mechanism by OID, used in SPNEGO
     959             :  *
     960             :  * @note This should also be used when you wish to just start NLTMSSP (for example), as it uses a
     961             :  *       well-known #define to hook it in.
     962             :  */
     963             : 
     964      108475 : _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
     965             :                                   const char *mech_oid)
     966             : {
     967      108475 :         SMB_ASSERT(gensec_security != NULL);
     968             : 
     969      108475 :         gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid);
     970      108475 :         if (!gensec_security->ops) {
     971          72 :                 DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
     972          72 :                 return NT_STATUS_INVALID_PARAMETER;
     973             :         }
     974      108403 :         return gensec_start_mech(gensec_security);
     975             : }
     976             : 
     977             : /**
     978             :  * Start a GENSEC sub-mechanism by a well know SASL name
     979             :  *
     980             :  */
     981             : 
     982       18599 : _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
     983             :                                         const char *sasl_name)
     984             : {
     985       18599 :         gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name);
     986       18599 :         if (!gensec_security->ops) {
     987           2 :                 DEBUG(3, ("Could not find GENSEC backend for sasl_name=%s\n", sasl_name));
     988           2 :                 return NT_STATUS_INVALID_PARAMETER;
     989             :         }
     990       18597 :         return gensec_start_mech(gensec_security);
     991             : }
     992             : 
     993             : /**
     994             :  * Start a GENSEC sub-mechanism with the preferred option from a SASL name list
     995             :  *
     996             :  */
     997             : 
     998       18260 : _PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
     999             :                                                  const char **sasl_names)
    1000             : {
    1001       18260 :         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
    1002       18260 :         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
    1003             :         const struct gensec_security_ops **ops;
    1004             :         int i;
    1005       18260 :         if (!mem_ctx) {
    1006           0 :                 return NT_STATUS_NO_MEMORY;
    1007             :         }
    1008       18260 :         ops = gensec_security_by_sasl_list(gensec_security, mem_ctx, sasl_names);
    1009       18260 :         if (!ops || !*ops) {
    1010           0 :                 DEBUG(3, ("Could not find GENSEC backend for any of sasl_name = %s\n",
    1011             :                           str_list_join(mem_ctx,
    1012             :                                         sasl_names, ' ')));
    1013           0 :                 talloc_free(mem_ctx);
    1014           0 :                 return NT_STATUS_INVALID_PARAMETER;
    1015             :         }
    1016       18138 :         for (i=0; ops[i]; i++) {
    1017       18260 :                 nt_status = gensec_start_mech_by_ops(gensec_security, ops[i]);
    1018       18260 :                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
    1019       18138 :                         break;
    1020             :                 }
    1021             :         }
    1022       18260 :         talloc_free(mem_ctx);
    1023       18260 :         return nt_status;
    1024             : }
    1025             : 
    1026             : /**
    1027             :  * Start a GENSEC sub-mechanism by an internal name
    1028             :  *
    1029             :  */
    1030             : 
    1031        1531 : _PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
    1032             :                                         const char *name)
    1033             : {
    1034        1531 :         gensec_security->ops = gensec_security_by_name(gensec_security, name);
    1035        1531 :         if (!gensec_security->ops) {
    1036           3 :                 DEBUG(3, ("Could not find GENSEC backend for name=%s\n", name));
    1037           3 :                 return NT_STATUS_INVALID_PARAMETER;
    1038             :         }
    1039        1528 :         return gensec_start_mech(gensec_security);
    1040             : }
    1041             : 
    1042             : /**
    1043             :  * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context
    1044             :  *
    1045             :  */
    1046             : 
    1047      211216 : _PUBLIC_ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials)
    1048             : {
    1049      211216 :         gensec_security->credentials = talloc_reference(gensec_security, credentials);
    1050      211216 :         NT_STATUS_HAVE_NO_MEMORY(gensec_security->credentials);
    1051      211216 :         gensec_want_feature(gensec_security, cli_credentials_get_gensec_features(gensec_security->credentials));
    1052      211216 :         return NT_STATUS_OK;
    1053             : }
    1054             : 
    1055             : /*
    1056             :   register a GENSEC backend.
    1057             : 
    1058             :   The 'name' can be later used by other backends to find the operations
    1059             :   structure for this backend.
    1060             : */
    1061      476236 : _PUBLIC_ NTSTATUS gensec_register(TALLOC_CTX *ctx,
    1062             :                         const struct gensec_security_ops *ops)
    1063             : {
    1064      476236 :         if (gensec_security_by_name(NULL, ops->name) != NULL) {
    1065             :                 /* its already registered! */
    1066           0 :                 DEBUG(0,("GENSEC backend '%s' already registered\n",
    1067             :                          ops->name));
    1068           0 :                 return NT_STATUS_OBJECT_NAME_COLLISION;
    1069             :         }
    1070             : 
    1071      476236 :         generic_security_ops = talloc_realloc(ctx,
    1072             :                                               generic_security_ops,
    1073             :                                               const struct gensec_security_ops *,
    1074             :                                               gensec_num_backends+2);
    1075      476236 :         if (!generic_security_ops) {
    1076           0 :                 return NT_STATUS_NO_MEMORY;
    1077             :         }
    1078             : 
    1079      476236 :         generic_security_ops[gensec_num_backends] = ops;
    1080      476236 :         gensec_num_backends++;
    1081      476236 :         generic_security_ops[gensec_num_backends] = NULL;
    1082             : 
    1083      476236 :         DEBUG(3,("GENSEC backend '%s' registered\n",
    1084             :                  ops->name));
    1085             : 
    1086      476236 :         return NT_STATUS_OK;
    1087             : }
    1088             : 
    1089             : /*
    1090             :   return the GENSEC interface version, and the size of some critical types
    1091             :   This can be used by backends to either detect compilation errors, or provide
    1092             :   multiple implementations for different smbd compilation options in one module
    1093             : */
    1094           0 : _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
    1095             : {
    1096             :         static const struct gensec_critical_sizes critical_sizes = {
    1097             :                 GENSEC_INTERFACE_VERSION,
    1098             :                 sizeof(struct gensec_security_ops),
    1099             :                 sizeof(struct gensec_security),
    1100             :         };
    1101             : 
    1102           0 :         return &critical_sizes;
    1103             : }
    1104             : 
    1105     1050159 : static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
    1106     1051023 :         return (*gs2)->priority - (*gs1)->priority;
    1107             : }
    1108             : 
    1109      153298 : int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
    1110             : {
    1111      153298 :         return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
    1112             : }
    1113             : 
    1114     1264600 : bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
    1115             : {
    1116     1264600 :         return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
    1117             : }
    1118             : 
    1119             : /*
    1120             :   initialise the GENSEC subsystem
    1121             : */
    1122      126659 : _PUBLIC_ NTSTATUS gensec_init(void)
    1123             : {
    1124             :         static bool initialized = false;
    1125             : #define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
    1126             : #ifdef STATIC_gensec_MODULES
    1127             :         STATIC_gensec_MODULES_PROTO;
    1128      126659 :         init_module_fn static_init[] = { STATIC_gensec_MODULES };
    1129             : #else
    1130             :         init_module_fn *static_init = NULL;
    1131             : #endif
    1132             :         init_module_fn *shared_init;
    1133             : 
    1134      126659 :         if (initialized) return NT_STATUS_OK;
    1135       37127 :         initialized = true;
    1136             : 
    1137       37127 :         shared_init = load_samba_modules(NULL, "gensec");
    1138             : 
    1139       37127 :         run_init_functions(NULL, static_init);
    1140       37127 :         run_init_functions(NULL, shared_init);
    1141             : 
    1142       37127 :         talloc_free(shared_init);
    1143             : 
    1144       37991 :         TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
    1145             : 
    1146       37127 :         return NT_STATUS_OK;
    1147             : }

Generated by: LCOV version 1.13