#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
+#include "auth/credentials/credentials_proto.h"
#include "libcli/auth/libcli_auth.h"
#include "lib/events/events.h"
#include "param/param.h"
* Create a new credentials structure
* @param mem_ctx TALLOC_CTX parent for credentials structure
*/
-struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
+_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
{
struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
- if (!cred) {
+ if (cred == NULL) {
return cred;
}
- cred->netlogon_creds = NULL;
- cred->machine_account_pending = False;
cred->workstation_obtained = CRED_UNINITIALISED;
cred->username_obtained = CRED_UNINITIALISED;
cred->password_obtained = CRED_UNINITIALISED;
cred->realm_obtained = CRED_UNINITIALISED;
cred->ccache_obtained = CRED_UNINITIALISED;
cred->client_gss_creds_obtained = CRED_UNINITIALISED;
- cred->server_gss_creds_obtained = CRED_UNINITIALISED;
- cred->keytab_obtained = CRED_UNINITIALISED;
cred->principal_obtained = CRED_UNINITIALISED;
+ cred->keytab_obtained = CRED_UNINITIALISED;
+ cred->server_gss_creds_obtained = CRED_UNINITIALISED;
cred->ccache_threshold = CRED_UNINITIALISED;
cred->client_gss_creds_threshold = CRED_UNINITIALISED;
+ cred->workstation = NULL;
+ cred->username = NULL;
+ cred->password = NULL;
cred->old_password = NULL;
- cred->smb_krb5_context = NULL;
+ cred->domain = NULL;
+ cred->realm = NULL;
+ cred->principal = NULL;
cred->salt_principal = NULL;
- cred->machine_account = False;
cred->bind_dn = NULL;
+ cred->nt_hash = NULL;
+
+ cred->ccache = NULL;
+ cred->client_gss_creds = NULL;
+ cred->keytab = NULL;
+ cred->server_gss_creds = NULL;
+
+ cred->workstation_cb = NULL;
+ cred->password_cb = NULL;
+ cred->username_cb = NULL;
+ cred->domain_cb = NULL;
+ cred->realm_cb = NULL;
+ cred->principal_cb = NULL;
+
+ cred->priv_data = NULL;
+
+ cred->netlogon_creds = NULL;
+
+ cred->smb_krb5_context = NULL;
+
+ cred->machine_account_pending = false;
+ cred->machine_account_pending_lp_ctx = NULL;
+
+ cred->machine_account = false;
+
cred->tries = 3;
- cred->callback_running = False;
- cred->ev = NULL;
+
+ cred->callback_running = false;
cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
cli_credentials_set_gensec_features(cred, 0);
* Create a new anonymous credential
* @param mem_ctx TALLOC_CTX parent for credentials structure
*/
-struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
+_PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
{
struct cli_credentials *anon_credentials;
anon_credentials = cli_credentials_init(mem_ctx);
- cli_credentials_set_conf(anon_credentials);
cli_credentials_set_anonymous(anon_credentials);
return anon_credentials;
}
-void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos)
{
creds->use_kerberos = use_kerberos;
}
-enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
+_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
{
return creds->use_kerberos;
}
-void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
+_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
{
creds->gensec_features = gensec_features;
}
-uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
+_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
{
return creds->gensec_features;
}
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_username(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->username_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->username = cred->username_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->username_obtained = CRED_SPECIFIED;
cli_credentials_invalidate_ccache(cred, cred->username_obtained);
}
return cred->username;
}
-BOOL cli_credentials_set_username(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred,
const char *val, enum credentials_obtained obtained)
{
if (obtained >= cred->username_obtained) {
cred->username = talloc_strdup(cred, val);
cred->username_obtained = obtained;
cli_credentials_invalidate_ccache(cred, cred->username_obtained);
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_username_callback(struct cli_credentials *cred,
+bool cli_credentials_set_username_callback(struct cli_credentials *cred,
const char *(*username_cb) (struct cli_credentials *))
{
if (cred->username_obtained < CRED_CALLBACK) {
cred->username_cb = username_cb;
cred->username_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_bind_dn(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
const char *bind_dn)
{
cred->bind_dn = talloc_strdup(cred, bind_dn);
- return True;
+ return true;
}
/**
* @retval The username set on this context.
* @note Return value will be NULL if not specified explictly
*/
-const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
{
return cred->bind_dn;
}
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
+_PUBLIC_ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->principal_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->principal = cred->principal_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->principal_obtained = CRED_SPECIFIED;
cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
}
return talloc_reference(mem_ctx, cred->principal);
}
-BOOL cli_credentials_set_principal(struct cli_credentials *cred,
+bool cli_credentials_set_principal(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
cred->principal = talloc_strdup(cred, val);
cred->principal_obtained = obtained;
cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
- return True;
+ return true;
}
- return False;
+ return false;
}
/* Set a callback to get the principal. This could be a popup dialog,
* a terminal prompt or similar. */
-
-BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred,
+bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
const char *(*principal_cb) (struct cli_credentials *))
{
if (cred->principal_obtained < CRED_CALLBACK) {
cred->principal_cb = principal_cb;
cred->principal_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/* Some of our tools are 'anonymous by default'. This is a single
* function to determine if authentication has been explicitly
* requested */
-BOOL cli_credentials_authentication_requested(struct cli_credentials *cred)
+_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
{
if (cred->bind_dn) {
- return True;
+ return true;
}
if (cli_credentials_is_anonymous(cred)){
- return False;
+ return false;
}
if (cred->principal_obtained >= CRED_SPECIFIED) {
- return True;
+ return true;
}
if (cred->username_obtained >= CRED_SPECIFIED) {
- return True;
+ return true;
}
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @param cred credentials context
* @retval If set, the cleartext password, otherwise NULL
*/
-const char *cli_credentials_get_password(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->password_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->password = cred->password_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->password_obtained = CRED_CALLBACK_RESULT;
cli_credentials_invalidate_ccache(cred, cred->password_obtained);
}
/* Set a password on the credentials context, including an indication
* of 'how' the password was obtained */
-BOOL cli_credentials_set_password(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
cli_credentials_invalidate_ccache(cred, cred->password_obtained);
cred->nt_hash = NULL;
- return True;
+ cred->lm_response = data_blob(NULL, 0);
+ cred->nt_response = data_blob(NULL, 0);
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_password_callback(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred,
const char *(*password_cb) (struct cli_credentials *))
{
if (cred->password_obtained < CRED_CALLBACK) {
cred->password_cb = password_cb;
cred->password_obtained = CRED_CALLBACK;
cli_credentials_invalidate_ccache(cred, cred->password_obtained);
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
const char *cli_credentials_get_old_password(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
return cred->old_password;
}
-BOOL cli_credentials_set_old_password(struct cli_credentials *cred,
+bool cli_credentials_set_old_password(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
cred->old_password = talloc_strdup(cred, val);
- return True;
+ return true;
}
/**
* @param cred credentials context
* @retval If set, the cleartext password, otherwise NULL
*/
-const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx)
{
const char *password = cli_credentials_get_password(cred);
}
}
-BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred,
- const struct samr_Password *nt_hash,
- enum credentials_obtained obtained)
-{
- if (obtained >= cred->password_obtained) {
- cli_credentials_set_password(cred, NULL, obtained);
- if (nt_hash) {
- cred->nt_hash = talloc(cred, struct samr_Password);
- *cred->nt_hash = *nt_hash;
- } else {
- cred->nt_hash = NULL;
- }
- return True;
- }
-
- return False;
-}
-
/**
* Obtain the 'short' or 'NetBIOS' domain for this credentials context.
* @param cred credentials context
* @retval The domain set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_domain(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->domain_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->domain = cred->domain_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->domain_obtained = CRED_SPECIFIED;
cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
}
}
-BOOL cli_credentials_set_domain(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
cred->domain = strupper_talloc(cred, val);
cred->domain_obtained = obtained;
cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred,
+bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
const char *(*domain_cb) (struct cli_credentials *))
{
if (cred->domain_obtained < CRED_CALLBACK) {
cred->domain_cb = domain_cb;
cred->domain_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @retval The realm set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_realm(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->realm_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->realm = cred->realm_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->realm_obtained = CRED_SPECIFIED;
cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
}
* Set the realm for this credentials context, and force it to
* uppercase for the sainity of our local kerberos libraries
*/
-BOOL cli_credentials_set_realm(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
cred->realm = strupper_talloc(cred, val);
cred->realm_obtained = obtained;
cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred,
+bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
const char *(*realm_cb) (struct cli_credentials *))
{
if (cred->realm_obtained < CRED_CALLBACK) {
cred->realm_cb = realm_cb;
cred->realm_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @retval The workstation name set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_workstation(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cred)
{
if (cred->workstation_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->workstation = cred->workstation_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->workstation_obtained = CRED_SPECIFIED;
}
return cred->workstation;
}
-BOOL cli_credentials_set_workstation(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_workstation(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
if (obtained >= cred->workstation_obtained) {
cred->workstation = talloc_strdup(cred, val);
cred->workstation_obtained = obtained;
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred,
+bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
const char *(*workstation_cb) (struct cli_credentials *))
{
if (cred->workstation_obtained < CRED_CALLBACK) {
cred->workstation_cb = workstation_cb;
cred->workstation_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @param obtained This enum describes how 'specified' this password is
*/
-void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
+_PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
{
char *uname, *p;
* @param mem_ctx The memory context to place the result on
*/
-const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
+_PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
{
const char *bind_dn = cli_credentials_get_bind_dn(credentials);
const char *domain;
*
* @param cred Credentials structure to fill in
*/
-void cli_credentials_set_conf(struct cli_credentials *cred)
+_PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
{
cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
- cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED);
- cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED);
- cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED);
+ cli_credentials_set_domain(cred, lp_workgroup(lp_ctx), CRED_UNINITIALISED);
+ cli_credentials_set_workstation(cred, lp_netbios_name(lp_ctx), CRED_UNINITIALISED);
+ cli_credentials_set_realm(cred, lp_realm(lp_ctx), CRED_UNINITIALISED);
}
/**
*
* @param cred Credentials structure to fill in
*/
-void cli_credentials_guess(struct cli_credentials *cred)
+_PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
{
char *p;
- cli_credentials_set_conf(cred);
+ if (lp_ctx != NULL) {
+ cli_credentials_set_conf(cred, lp_ctx);
+ }
if (getenv("LOGNAME")) {
cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV);
}
if (getenv("PASSWD_FD")) {
- cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE);
+ cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")),
+ CRED_GUESS_FILE);
}
p = getenv("PASSWD_FILE");
}
if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
- cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
+ cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE);
}
}
* Attach NETLOGON credentials for use with SCHANNEL
*/
-void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
- struct creds_CredentialState *netlogon_creds)
+_PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
+ struct netlogon_creds_CredentialState *netlogon_creds)
{
cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
}
* Return attached NETLOGON credentials
*/
-struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
+struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
{
return cred->netlogon_creds;
}
* Set NETLOGON secure channel type
*/
-void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
+_PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
enum netr_SchannelType secure_channel_type)
{
cred->secure_channel_type = secure_channel_type;
* Return NETLOGON secure chanel type
*/
-enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
+_PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
{
return cred->secure_channel_type;
}
/**
* Fill in a credentials structure as the anonymous user
*/
-void cli_credentials_set_anonymous(struct cli_credentials *cred)
+_PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
{
cli_credentials_set_username(cred, "", CRED_SPECIFIED);
cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
+ cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
+ cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
}
/**
* Describe a credentials context as anonymous or authenticated
- * @retval True if anonymous, False if a username is specified
+ * @retval true if anonymous, false if a username is specified
*/
-BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
+_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
{
const char *username;
+ /* if bind dn is set it's not anonymous */
+ if (cred->bind_dn) {
+ return false;
+ }
+
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
username = cli_credentials_get_username(cred);
* here - anonymous is "", not NULL, which is 'never specified,
* never guessed', ie programmer bug */
if (!username[0]) {
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
*
* @retval whether the credentials struct is finished
*/
-BOOL cli_credentials_wrong_password(struct cli_credentials *cred)
+_PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
{
if (cred->password_obtained != CRED_CALLBACK_RESULT) {
- return False;
+ return false;
}
cred->password_obtained = CRED_CALLBACK;
return (cred->tries > 0);
}
-
-/*
- set the common event context for this set of credentials
- */
-void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev)
-{
- cred->ev = ev;
-}
-
-/*
- set the common event context for this set of credentials
- */
-struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred)
-{
- if (cred->ev == NULL) {
- cred->ev = event_context_find(cred);
- }
- return cred->ev;
-}