*/
#include "includes.h"
-#include "auth/auth.h"
+#include "system/network.h"
#include "lib/events/events.h"
-#include "build.h"
+#include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
+#include "../lib/util/tevent_ntstatus.h"
#include "librpc/rpc/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
-#include "auth/gensec/gensec_proto.h"
+#include "auth/auth.h"
+#include "auth/system_session_proto.h"
#include "param/param.h"
+#include "lib/util/tsort.h"
/* the list of currently registered GENSEC backends */
static struct gensec_security_ops **generic_security_ops;
return generic_security_ops;
}
+bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
+{
+ return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+}
+
/* Sometimes we want to force only kerberos, sometimes we want to
* force it's avoidance. The old list could be either
* gensec_security_all(), or from cli_credentials_gensec_list() (ie,
j = 0;
for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
int oid_idx;
+
for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
new_gensec_list[j] = old_gensec_list[i];
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (backends[i]->auth_type == auth_type) {
backend = backends[i];
talloc_free(mem_ctx);
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i],
+ gensec_security))
+ continue;
if (backends[i]->oid) {
for (j=0; backends[i]->oid[j]; j++) {
if (backends[i]->oid[j] &&
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (backends[i]->sasl_name
&& (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
backend = backends[i];
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (backends[i]->name
&& (strcmp(backends[i]->name, name) == 0)) {
backend = backends[i];
/* Find backends in our preferred order, by walking our list,
* then looking in the supplied list */
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
if (!backends[i]->sasl_name ||
!(strcmp(backends[i]->sasl_name,
/* Find backends in our preferred order, by walking our list,
* then looking in the supplied list */
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security))
+ continue;
if (!backends[i]->oid) {
continue;
}
* Return OIDS from the security subsystems listed
*/
-const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx,
+const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct gensec_security_ops **ops,
const char *skip)
{
}
for (i=0; ops && ops[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(ops[i], gensec_security)) {
+ continue;
+ }
if (!ops[i]->oid) {
continue;
}
{
struct gensec_security_ops **ops
= gensec_security_mechs(gensec_security, mem_ctx);
- return gensec_security_oids_from_ops(mem_ctx, ops, skip);
+ return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
}
@param mem_ctx The parent TALLOC memory context.
@param gensec_security Returned GENSEC context pointer.
@note The mem_ctx is only a parent and may be NULL.
+ @note, the auth context is moved to be a child of the
+ @ gensec_security return
*/
static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
- struct event_context *ev,
- struct loadparm_context *lp_ctx,
- struct messaging_context *msg,
+ struct tevent_context *ev,
+ struct gensec_settings *settings,
+ struct auth_context *auth_context,
struct gensec_security **gensec_security)
{
if (ev == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
- (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+ (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
- (*gensec_security)->ops = NULL;
-
- ZERO_STRUCT((*gensec_security)->target);
- ZERO_STRUCT((*gensec_security)->peer_addr);
- ZERO_STRUCT((*gensec_security)->my_addr);
-
- (*gensec_security)->subcontext = false;
- (*gensec_security)->want_features = 0;
-
(*gensec_security)->event_ctx = ev;
- (*gensec_security)->msg_ctx = msg;
- (*gensec_security)->lp_ctx = lp_ctx;
+ SMB_ASSERT(settings->lp_ctx != NULL);
+ (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
+ (*gensec_security)->auth_context = talloc_steal(*gensec_security, auth_context);
return NT_STATUS_OK;
}
struct gensec_security *parent,
struct gensec_security **gensec_security)
{
- (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+ (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
(**gensec_security) = *parent;
(*gensec_security)->private_data = NULL;
(*gensec_security)->subcontext = true;
+ (*gensec_security)->want_features = parent->want_features;
(*gensec_security)->event_ctx = parent->event_ctx;
- (*gensec_security)->msg_ctx = parent->msg_ctx;
- (*gensec_security)->lp_ctx = parent->lp_ctx;
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
+ (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
return NT_STATUS_OK;
}
*/
_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security,
- struct event_context *ev,
- struct loadparm_context *lp_ctx)
+ struct tevent_context *ev,
+ struct gensec_settings *settings)
{
NTSTATUS status;
- status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security);
+ if (settings == NULL) {
+ DEBUG(0,("gensec_client_start: no settings given!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return status;
}
+
+
/**
Start the GENSEC system, in server mode, returning a context pointer.
@param mem_ctx The parent TALLOC memory context.
@note The mem_ctx is only a parent and may be NULL.
*/
_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
- struct event_context *ev,
- struct loadparm_context *lp_ctx,
- struct messaging_context *msg,
- struct gensec_security **gensec_security)
+ struct tevent_context *ev,
+ struct gensec_settings *settings,
+ struct auth_context *auth_context,
+ struct gensec_security **gensec_security)
{
NTSTATUS status;
return NT_STATUS_INTERNAL_ERROR;
}
- if (!msg) {
- DEBUG(0,("gensec_server_start: no messaging context given!\n"));
+ if (!settings) {
+ DEBUG(0,("gensec_server_start: no settings given!\n"));
return NT_STATUS_INTERNAL_ERROR;
}
- status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security);
+ status = gensec_start(mem_ctx, ev, settings, auth_context, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return gensec_start_mech(gensec_security);
}
-_PUBLIC_ const char *gensec_get_name_by_authtype(uint8_t authtype)
+_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
{
const struct gensec_security_ops *ops;
- ops = gensec_security_by_authtype(NULL, authtype);
+ ops = gensec_security_by_authtype(gensec_security, authtype);
if (ops) {
return ops->name;
}
}
-_PUBLIC_ const char *gensec_get_name_by_oid(const char *oid_string)
+_PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
+ const char *oid_string)
{
const struct gensec_security_ops *ops;
- ops = gensec_security_by_oid(NULL, oid_string);
+ ops = gensec_security_by_oid(gensec_security, oid_string);
if (ops) {
return ops->name;
}
return oid_string;
}
-
-/**
- * Start a GENSEC sub-mechanism with a specifed mechansim structure, used in SPNEGO
+/**
+ * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
*
*/
_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
const char *mech_oid)
{
+ SMB_ASSERT(gensec_security != NULL);
+
gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid);
if (!gensec_security->ops) {
DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out);
}
-static void gensec_update_async_timed_handler(struct event_context *ev, struct timed_event *te,
- struct timeval t, void *ptr)
-{
- struct gensec_update_request *req = talloc_get_type(ptr, struct gensec_update_request);
- req->status = req->gensec_security->ops->update(req->gensec_security, req, req->in, &req->out);
- req->callback.fn(req, req->callback.private_data);
-}
+struct gensec_update_state {
+ struct tevent_immediate *im;
+ struct gensec_security *gensec_security;
+ DATA_BLOB in;
+ DATA_BLOB out;
+};
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+ struct tevent_immediate *im,
+ void *private_data);
/**
* Next state function for the GENSEC state machine async version
- *
+ *
+ * @param mem_ctx The memory context for the request
+ * @param ev The event context for the request
* @param gensec_security GENSEC State
* @param in The request, as a DATA_BLOB
- * @param callback The function that will be called when the operation is
- * finished, it should return gensec_update_recv() to get output
- * @param private_data A private pointer that will be passed to the callback function
+ *
+ * @return The request handle or NULL on no memory failure
*/
-_PUBLIC_ void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
- void (*callback)(struct gensec_update_request *req, void *private_data),
- void *private_data)
+_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct gensec_security *gensec_security,
+ const DATA_BLOB in)
{
- struct gensec_update_request *req = NULL;
- struct timed_event *te = NULL;
-
- req = talloc(gensec_security, struct gensec_update_request);
- if (!req) goto failed;
- req->gensec_security = gensec_security;
- req->in = in;
- req->out = data_blob(NULL, 0);
- req->callback.fn = callback;
- req->callback.private_data = private_data;
-
- te = event_add_timed(gensec_security->event_ctx, req,
- timeval_zero(),
- gensec_update_async_timed_handler, req);
- if (!te) goto failed;
-
- return;
-
-failed:
- talloc_free(req);
- callback(NULL, private_data);
+ struct tevent_req *req;
+ struct gensec_update_state *state = NULL;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct gensec_update_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->gensec_security = gensec_security;
+ state->in = in;
+ state->out = data_blob(NULL, 0);
+ state->im = tevent_create_immediate(state);
+ if (tevent_req_nomem(state->im, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_schedule_immediate(state->im, ev,
+ gensec_update_async_trigger,
+ req);
+
+ return req;
+}
+
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+ struct tevent_immediate *im,
+ void *private_data)
+{
+ struct tevent_req *req =
+ talloc_get_type_abort(private_data, struct tevent_req);
+ struct gensec_update_state *state =
+ tevent_req_data(req, struct gensec_update_state);
+ NTSTATUS status;
+
+ status = gensec_update(state->gensec_security, state,
+ state->in, &state->out);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ tevent_req_done(req);
}
/**
* Next state function for the GENSEC state machine
*
- * @param req GENSEC update request state
+ * @param req request state
* @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
* @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
* @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
* or NT_STATUS_OK if the user is authenticated.
*/
-_PUBLIC_ NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out)
+_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
{
+ struct gensec_update_state *state =
+ tevent_req_data(req, struct gensec_update_state);
NTSTATUS status;
- NT_STATUS_HAVE_NO_MEMORY(req);
+ if (tevent_req_is_nterror(req, &status)) {
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ tevent_req_received(req);
+ return status;
+ }
+ } else {
+ status = NT_STATUS_OK;
+ }
- *out = req->out;
+ *out = state->out;
talloc_steal(out_mem_ctx, out->data);
- status = req->status;
- talloc_free(req);
+ tevent_req_received(req);
return status;
}
_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
- gensec_security->want_features |= feature;
+ if (!gensec_security->ops || !gensec_security->ops->want_feature) {
+ gensec_security->want_features |= feature;
+ return;
+ }
+ gensec_security->ops->want_feature(gensec_security, feature);
}
/**
_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
{
/* We allow the target hostname to be overriden for testing purposes */
- const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname");
- if (target_hostname) {
- return target_hostname;
+ if (gensec_security->settings->target_hostname) {
+ return gensec_security->settings->target_hostname;
}
if (gensec_security->target.hostname) {
return NULL;
}
-/**
- * Set (and talloc_reference) local and peer socket addresses onto a socket context on the GENSEC context
+/**
+ * Set (and talloc_reference) local and peer socket addresses onto a socket
+ * context on the GENSEC context.
*
* This is so that kerberos can include these addresses in
* cryptographic tokens, to avoid certain attacks.
*/
-_PUBLIC_ NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr)
+/**
+ * @brief Set the local gensec address.
+ *
+ * @param gensec_security The gensec security context to use.
+ *
+ * @param remote The local address to set.
+ *
+ * @return On success NT_STATUS_OK is returned or an NT_STATUS
+ * error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *local)
{
- gensec_security->my_addr = my_addr;
- if (my_addr && !talloc_reference(gensec_security, my_addr)) {
+ TALLOC_FREE(gensec_security->local_addr);
+
+ if (local == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
+ if (gensec_security->local_addr == NULL) {
return NT_STATUS_NO_MEMORY;
}
+
return NT_STATUS_OK;
}
-_PUBLIC_ NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr)
+/**
+ * @brief Set the remote gensec address.
+ *
+ * @param gensec_security The gensec security context to use.
+ *
+ * @param remote The remote address to set.
+ *
+ * @return On success NT_STATUS_OK is returned or an NT_STATUS
+ * error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *remote)
{
- gensec_security->peer_addr = peer_addr;
- if (peer_addr && !talloc_reference(gensec_security, peer_addr)) {
+ TALLOC_FREE(gensec_security->remote_addr);
+
+ if (remote == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
+ if (gensec_security->remote_addr == NULL) {
return NT_STATUS_NO_MEMORY;
}
+
return NT_STATUS_OK;
}
-struct socket_address *gensec_get_my_addr(struct gensec_security *gensec_security)
+/**
+ * @brief Get the local address from a gensec security context.
+ *
+ * @param gensec_security The security context to get the address from.
+ *
+ * @return The address as tsocket_address which could be NULL if
+ * no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
{
- if (gensec_security->my_addr) {
- return gensec_security->my_addr;
+ if (gensec_security == NULL) {
+ return NULL;
}
-
- /* We could add a 'set sockaddr' call, and do a lookup. This
- * would avoid needing to do system calls if nothing asks. */
- return NULL;
+ return gensec_security->local_addr;
}
-_PUBLIC_ struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security)
+/**
+ * @brief Get the remote address from a gensec security context.
+ *
+ * @param gensec_security The security context to get the address from.
+ *
+ * @return The address as tsocket_address which could be NULL if
+ * no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
{
- if (gensec_security->peer_addr) {
- return gensec_security->peer_addr;
+ if (gensec_security == NULL) {
+ return NULL;
}
-
- /* We could add a 'set sockaddr' call, and do a lookup. This
- * would avoid needing to do system calls if nothing asks.
- * However, this is not appropriate for the peer addres on
- * datagram sockets */
- return NULL;
+ return gensec_security->remote_addr;
}
-
-
/**
* Set the target principal (assuming it it known, say from the SPNEGO reply)
* - ensures it is talloc()ed
*
*/
-NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
+_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
{
gensec_security->target.principal = talloc_strdup(gensec_security, principal);
if (!gensec_security->target.principal) {
return NULL;
}
+NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
+ struct gensec_security *gensec_security,
+ struct auth_serversupplied_info *server_info,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS nt_status;
+ if (gensec_security->auth_context) {
+ uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (server_info->authenticated) {
+ flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
+ nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
+ server_info,
+ flags,
+ session_info);
+ } else {
+ nt_status = auth_generate_simple_session_info(mem_ctx,
+ server_info, session_info);
+ }
+ return nt_status;
+}
+
/*
register a GENSEC backend.
*/
NTSTATUS gensec_register(const struct gensec_security_ops *ops)
{
- if (!lp_parm_bool(global_loadparm, NULL, "gensec", ops->name, ops->enabled)) {
- DEBUG(2,("gensec subsystem %s is disabled\n", ops->name));
- return NT_STATUS_OK;
- }
-
if (gensec_security_by_name(NULL, ops->name) != NULL) {
/* its already registered! */
DEBUG(0,("GENSEC backend '%s' already registered\n",
return (*gs2)->priority - (*gs1)->priority;
}
+int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
+{
+ return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
+bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
+{
+ return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
/*
initialise the GENSEC subsystem
*/
_PUBLIC_ NTSTATUS gensec_init(struct loadparm_context *lp_ctx)
{
static bool initialized = false;
- extern NTSTATUS gensec_sasl_init(void);
- extern NTSTATUS gensec_krb5_init(void);
- extern NTSTATUS gensec_schannel_init(void);
- extern NTSTATUS gensec_spnego_init(void);
- extern NTSTATUS gensec_gssapi_init(void);
- extern NTSTATUS gensec_ntlmssp_init(void);
-
+#define _MODULE_PROTO(init) extern NTSTATUS init(void);
+ STATIC_gensec_MODULES_PROTO;
init_module_fn static_init[] = { STATIC_gensec_MODULES };
init_module_fn *shared_init;
talloc_free(shared_init);
- qsort(generic_security_ops, gensec_num_backends, sizeof(*generic_security_ops), QSORT_CAST sort_gensec);
+ TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
return NT_STATUS_OK;
}