*/
#include "includes.h"
-#include "auth/auth.h"
+#include "system/network.h"
#include "lib/events/events.h"
+#include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
#include "librpc/rpc/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
/* Return all the registered mechs. Don't modify the return pointer,
* but you may talloc_reference it if convient */
-struct gensec_security_ops **gensec_security_all(void)
+_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
{
return generic_security_ops;
}
+bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
+{
+ return lp_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+}
+
/* Sometimes we want to force only kerberos, sometimes we want to
* force it's avoidance. The old list could be either
* gensec_security_all(), or from cli_credentials_gensec_list() (ie,
* an existing list we have trimmed down) */
-struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
+_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
struct gensec_security_ops **old_gensec_list,
struct cli_credentials *creds)
{
j = 0;
for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
int oid_idx;
+
for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
new_gensec_list[j] = old_gensec_list[i];
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (backends[i]->auth_type == auth_type) {
backend = backends[i];
talloc_free(mem_ctx);
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i],
+ gensec_security))
+ continue;
if (backends[i]->oid) {
for (j=0; backends[i]->oid[j]; j++) {
if (backends[i]->oid[j] &&
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (backends[i]->sasl_name
&& (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
backend = backends[i];
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (backends[i]->name
&& (strcmp(backends[i]->name, name) == 0)) {
backend = backends[i];
/* Find backends in our preferred order, by walking our list,
* then looking in the supplied list */
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
if (!backends[i]->sasl_name ||
!(strcmp(backends[i]->sasl_name,
/* Find backends in our preferred order, by walking our list,
* then looking in the supplied list */
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (!backends[i]->oid) {
continue;
}
* Return OIDS from the security subsystems listed
*/
-const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx,
+const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct gensec_security_ops **ops,
const char *skip)
{
}
for (i=0; ops && ops[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(ops[i], gensec_security)) {
+ continue;
+ }
if (!ops[i]->oid) {
continue;
}
{
struct gensec_security_ops **ops
= gensec_security_mechs(gensec_security, mem_ctx);
- return gensec_security_oids_from_ops(mem_ctx, ops, skip);
+ return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
}
@param mem_ctx The parent TALLOC memory context.
@param gensec_security Returned GENSEC context pointer.
@note The mem_ctx is only a parent and may be NULL.
+ @note, the auth context is moved to be a child of the
+ @ gensec_security return
*/
static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
- struct event_context *ev,
- struct loadparm_context *lp_ctx,
- struct messaging_context *msg,
+ struct tevent_context *ev,
+ struct gensec_settings *settings,
+ struct auth_context *auth_context,
struct gensec_security **gensec_security)
{
+ if (ev == NULL) {
+ DEBUG(0, ("No event context available!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
(*gensec_security) = talloc(mem_ctx, struct gensec_security);
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
(*gensec_security)->ops = NULL;
+ (*gensec_security)->local_addr = NULL;
+ (*gensec_security)->remote_addr = NULL;
+ (*gensec_security)->private_data = NULL;
ZERO_STRUCT((*gensec_security)->target);
ZERO_STRUCT((*gensec_security)->peer_addr);
(*gensec_security)->subcontext = false;
(*gensec_security)->want_features = 0;
-
- if (ev == NULL) {
- ev = event_context_init(*gensec_security);
- if (ev == NULL) {
- talloc_free(*gensec_security);
- return NT_STATUS_NO_MEMORY;
- }
- }
(*gensec_security)->event_ctx = ev;
- (*gensec_security)->msg_ctx = msg;
- (*gensec_security)->lp_ctx = lp_ctx;
+ SMB_ASSERT(settings->lp_ctx != NULL);
+ (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
+ (*gensec_security)->auth_context = talloc_steal(*gensec_security, auth_context);
return NT_STATUS_OK;
}
(*gensec_security)->private_data = NULL;
(*gensec_security)->subcontext = true;
+ (*gensec_security)->want_features = parent->want_features;
(*gensec_security)->event_ctx = parent->event_ctx;
- (*gensec_security)->msg_ctx = parent->msg_ctx;
- (*gensec_security)->lp_ctx = parent->lp_ctx;
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
+ (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
return NT_STATUS_OK;
}
*/
_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security,
- struct event_context *ev,
- struct loadparm_context *lp_ctx)
+ struct tevent_context *ev,
+ struct gensec_settings *settings)
{
NTSTATUS status;
- struct event_context *new_ev = NULL;
- if (ev == NULL) {
- new_ev = event_context_init(mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(new_ev);
- ev = new_ev;
+ if (settings == NULL) {
+ DEBUG(0,("gensec_client_start: no settings given!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
}
- status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security);
+ status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(new_ev);
return status;
}
- talloc_steal((*gensec_security), new_ev);
(*gensec_security)->gensec_role = GENSEC_CLIENT;
return status;
@param gensec_security Returned GENSEC context pointer.
@note The mem_ctx is only a parent and may be NULL.
*/
-NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
- struct event_context *ev,
- struct loadparm_context *lp_ctx,
- struct messaging_context *msg,
- struct gensec_security **gensec_security)
+_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct gensec_settings *settings,
+ struct auth_context *auth_context,
+ struct gensec_security **gensec_security)
{
NTSTATUS status;
return NT_STATUS_INTERNAL_ERROR;
}
- if (!msg) {
- DEBUG(0,("gensec_server_start: no messaging context given!\n"));
+ if (!settings) {
+ DEBUG(0,("gensec_server_start: no settings given!\n"));
return NT_STATUS_INTERNAL_ERROR;
}
- status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security);
+ status = gensec_start(mem_ctx, ev, settings, auth_context, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
* @param auth_level DCERPC auth level
*/
-NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
uint8_t auth_type, uint8_t auth_level)
{
gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
return gensec_start_mech(gensec_security);
}
-const char *gensec_get_name_by_authtype(uint8_t authtype)
+_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
{
const struct gensec_security_ops *ops;
- ops = gensec_security_by_authtype(NULL, authtype);
+ ops = gensec_security_by_authtype(gensec_security, authtype);
if (ops) {
return ops->name;
}
}
-const char *gensec_get_name_by_oid(const char *oid_string)
+_PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
+ const char *oid_string)
{
const struct gensec_security_ops *ops;
- ops = gensec_security_by_oid(NULL, oid_string);
+ ops = gensec_security_by_oid(gensec_security, oid_string);
if (ops) {
return ops->name;
}
* well-known #define to hook it in.
*/
-NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
const char *mech_oid)
{
+ SMB_ASSERT(gensec_security != NULL);
+
gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid);
if (!gensec_security->ops) {
DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
*
*/
-NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
const char *sasl_name)
{
gensec_security->ops = gensec_security_by_sasl_name(gensec_security, sasl_name);
*
*/
-NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
const char *name)
{
gensec_security->ops = gensec_security_by_name(gensec_security, name);
/*
wrappers for the gensec function pointers
*/
-NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
sig);
}
-NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
}
-NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
}
-NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
}
-size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
+_PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
if (!gensec_security->ops->sig_size) {
return 0;
return gensec_security->ops->max_input_size(gensec_security);
}
-NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out)
return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
}
-NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out)
return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
}
-NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
DATA_BLOB *session_key)
{
if (!gensec_security->ops->session_key) {
*
*/
-NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
+_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
struct auth_session_info **session_info)
{
if (!gensec_security->ops->session_info) {
return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out);
}
-static void gensec_update_async_timed_handler(struct event_context *ev, struct timed_event *te,
+static void gensec_update_async_timed_handler(struct tevent_context *ev, struct tevent_timer *te,
struct timeval t, void *ptr)
{
struct gensec_update_request *req = talloc_get_type(ptr, struct gensec_update_request);
void *private_data)
{
struct gensec_update_request *req = NULL;
- struct timed_event *te = NULL;
+ struct tevent_timer *te = NULL;
req = talloc(gensec_security, struct gensec_update_request);
if (!req) goto failed;
_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
- gensec_security->want_features |= feature;
+ if (!gensec_security->ops || !gensec_security->ops->want_feature) {
+ gensec_security->want_features |= feature;
+ return;
+ }
+ gensec_security->ops->want_feature(gensec_security, feature);
}
/**
*
*/
-struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
+_PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
{
if (!gensec_security) {
return NULL;
_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
{
/* We allow the target hostname to be overriden for testing purposes */
- const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname");
- if (target_hostname) {
- return target_hostname;
+ if (gensec_security->settings->target_hostname) {
+ return gensec_security->settings->target_hostname;
}
if (gensec_security->target.hostname) {
return NULL;
}
-/**
- * Set (and talloc_reference) local and peer socket addresses onto a socket context on the GENSEC context
+/**
+ * Set (and talloc_reference) local and peer socket addresses onto a socket
+ * context on the GENSEC context.
*
* This is so that kerberos can include these addresses in
* cryptographic tokens, to avoid certain attacks.
*/
-NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr)
+/**
+ * @brief Set the local gensec address.
+ *
+ * @param gensec_security The gensec security context to use.
+ *
+ * @param remote The local address to set.
+ *
+ * @return On success NT_STATUS_OK is returned or an NT_STATUS
+ * error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *local)
+{
+ ssize_t socklen;
+ struct sockaddr_storage ss;
+
+ /* set my_addr */
+ socklen = tsocket_address_bsd_sockaddr(local, (struct sockaddr *) &ss,
+ sizeof(struct sockaddr_storage));
+ if (socklen < 0) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ gensec_security->my_addr = socket_address_from_sockaddr(gensec_security,
+ (struct sockaddr *) &ss, socklen);
+ if (gensec_security->my_addr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* set local */
+ TALLOC_FREE(gensec_security->local_addr);
+ gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
+ if (gensec_security->local_addr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**
+ * @brief Set the remote gensec address.
+ *
+ * @param gensec_security The gensec security context to use.
+ *
+ * @param remote The remote address to set.
+ *
+ * @return On success NT_STATUS_OK is returned or an NT_STATUS
+ * error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *remote)
+{
+ ssize_t socklen;
+ struct sockaddr_storage ss;
+
+ /* set my_addr */
+ socklen = tsocket_address_bsd_sockaddr(remote, (struct sockaddr *) &ss,
+ sizeof(struct sockaddr_storage));
+ if (socklen < 0) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ gensec_security->peer_addr = socket_address_from_sockaddr(gensec_security,
+ (struct sockaddr *) &ss, socklen);
+ if (gensec_security->peer_addr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* set remote */
+ TALLOC_FREE(gensec_security->remote_addr);
+ gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
+ if (gensec_security->remote_addr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**
+ * @brief Get the local address from a gensec security context.
+ *
+ * @param gensec_security The security context to get the address from.
+ *
+ * @return The address as tsocket_address which could be NULL if
+ * no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
+{
+ if (gensec_security == NULL) {
+ return NULL;
+ }
+ return gensec_security->local_addr;
+}
+
+/**
+ * @brief Get the remote address from a gensec security context.
+ *
+ * @param gensec_security The security context to get the address from.
+ *
+ * @return The address as tsocket_address which could be NULL if
+ * no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
+{
+ if (gensec_security == NULL) {
+ return NULL;
+ }
+ return gensec_security->remote_addr;
+}
+
+_PUBLIC_ NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr)
{
gensec_security->my_addr = my_addr;
if (my_addr && !talloc_reference(gensec_security, my_addr)) {
return NT_STATUS_OK;
}
-NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr)
+_PUBLIC_ NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr)
{
gensec_security->peer_addr = peer_addr;
if (peer_addr && !talloc_reference(gensec_security, peer_addr)) {
return NULL;
}
-struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security)
+_PUBLIC_ struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security)
{
if (gensec_security->peer_addr) {
return gensec_security->peer_addr;
}
-
/**
* Set the target principal (assuming it it known, say from the SPNEGO reply)
* - ensures it is talloc()ed
*/
NTSTATUS gensec_register(const struct gensec_security_ops *ops)
{
- if (!lp_parm_bool(global_loadparm, NULL, "gensec", ops->name, ops->enabled)) {
- DEBUG(2,("gensec subsystem %s is disabled\n", ops->name));
- return NT_STATUS_OK;
- }
-
if (gensec_security_by_name(NULL, ops->name) != NULL) {
/* its already registered! */
DEBUG(0,("GENSEC backend '%s' already registered\n",
return (*gs2)->priority - (*gs1)->priority;
}
+int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
+{
+ return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
+bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
+{
+ return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
/*
initialise the GENSEC subsystem
*/
-NTSTATUS gensec_init(struct loadparm_context *lp_ctx)
+_PUBLIC_ NTSTATUS gensec_init(struct loadparm_context *lp_ctx)
{
static bool initialized = false;
extern NTSTATUS gensec_sasl_init(void);