Changeset 745 for trunk/server/source4/auth/gensec/gensec.c

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source4/auth/gensec/gensec.c (modified) (17 diffs)

trunk/server/source4/auth/gensec/gensec.c

@@ -22 +22 @@
 
 #include "includes.h"
-#include "auth/auth.h"
+#include "system/network.h"
 #include "lib/events/events.h"
+#include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
+#include "../lib/util/tevent_ntstatus.h"
 #include "librpc/rpc/dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
-#include "auth/gensec/gensec_proto.h"
+#include "auth/auth.h"
+#include "auth/system_session_proto.h"
 #include "param/param.h"
+#include "lib/util/tsort.h"
 
 /* the list of currently registered GENSEC backends */
@@ -43 +48 @@
 bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
 {
-        return lp_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+        return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
 }
 
@@ -503 +508 @@
   @param gensec_security Returned GENSEC context pointer.
   @note  The mem_ctx is only a parent and may be NULL.
-  @note, the auth context is moved to be a child of the
+  @note, the auth context is moved to be a referenced pointer of the
   @ gensec_security return 
 */
@@ -517 +522 @@
         }
 
-        (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+        (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
-
-        (*gensec_security)->ops = NULL;
-        (*gensec_security)->private_data = NULL;
-
-        ZERO_STRUCT((*gensec_security)->target);
-        ZERO_STRUCT((*gensec_security)->peer_addr);
-        ZERO_STRUCT((*gensec_security)->my_addr);
-
-        (*gensec_security)->subcontext = false;
-        (*gensec_security)->want_features = 0;
 
         (*gensec_security)->event_ctx = ev;
         SMB_ASSERT(settings->lp_ctx != NULL);
         (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
-        (*gensec_security)->auth_context = talloc_steal(*gensec_security, auth_context);
+
+        /* We need to reference this, not steal, as the caller may be
+         * python, which won't like it if we steal it's object away
+         * from it */
+        (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
 
         return NT_STATUS_OK;
@@ -550 +549 @@
                                  struct gensec_security **gensec_security)
 {
-        (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+        (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
 
@@ -593 +592 @@
         return status;
 }
+
+
 
 /**
@@ -712 +713 @@
         return oid_string;
 }
-        
-
-/** 
- * Start a GENSEC sub-mechanism with a specifed mechansim structure, used in SPNEGO
+
+/**
+ * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
  *
  */
@@ -982 +982 @@
 }
 
-static void gensec_update_async_timed_handler(struct tevent_context *ev, struct tevent_timer *te,
-                                              struct timeval t, void *ptr)
-{
-        struct gensec_update_request *req = talloc_get_type(ptr, struct gensec_update_request);
-        req->status = req->gensec_security->ops->update(req->gensec_security, req, req->in, &req->out);
-        req->callback.fn(req, req->callback.private_data);
-}
-
+struct gensec_update_state {
+        struct tevent_immediate *im;
+        struct gensec_security *gensec_security;
+        DATA_BLOB in;
+        DATA_BLOB out;
+};
+
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+                                        struct tevent_immediate *im,
+                                        void *private_data);
 /**
  * Next state function for the GENSEC state machine async version
- * 
+ *
+ * @param mem_ctx The memory context for the request
+ * @param ev The event context for the request
  * @param gensec_security GENSEC State
  * @param in The request, as a DATA_BLOB
- * @param callback The function that will be called when the operation is
- *                 finished, it should return gensec_update_recv() to get output
- * @param private_data A private pointer that will be passed to the callback function
- */
-
-_PUBLIC_ void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
-                                 void (*callback)(struct gensec_update_request *req, void *private_data),
-                                 void *private_data)
-{
-        struct gensec_update_request *req = NULL;
-        struct tevent_timer *te = NULL;
-
-        req = talloc(gensec_security, struct gensec_update_request);
-        if (!req) goto failed;
-        req->gensec_security            = gensec_security;
-        req->in                         = in;
-        req->out                        = data_blob(NULL, 0);
-        req->callback.fn                = callback;
-        req->callback.private_data      = private_data;
-
-        te = event_add_timed(gensec_security->event_ctx, req,
-                             timeval_zero(),
-                             gensec_update_async_timed_handler, req);
-        if (!te) goto failed;
-
-        return;
-
-failed:
-        talloc_free(req);
-        callback(NULL, private_data);
+ *
+ * @return The request handle or NULL on no memory failure
+ */
+
+_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+                                               struct tevent_context *ev,
+                                               struct gensec_security *gensec_security,
+                                               const DATA_BLOB in)
+{
+        struct tevent_req *req;
+        struct gensec_update_state *state = NULL;
+
+        req = tevent_req_create(mem_ctx, &state,
+                                struct gensec_update_state);
+        if (req == NULL) {
+                return NULL;
+        }
+
+        state->gensec_security          = gensec_security;
+        state->in                       = in;
+        state->out                      = data_blob(NULL, 0);
+        state->im                       = tevent_create_immediate(state);
+        if (tevent_req_nomem(state->im, req)) {
+                return tevent_req_post(req, ev);
+        }
+
+        tevent_schedule_immediate(state->im, ev,
+                                  gensec_update_async_trigger,
+                                  req);
+
+        return req;
+}
+
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+                                        struct tevent_immediate *im,
+                                        void *private_data)
+{
+        struct tevent_req *req =
+                talloc_get_type_abort(private_data, struct tevent_req);
+        struct gensec_update_state *state =
+                tevent_req_data(req, struct gensec_update_state);
+        NTSTATUS status;
+
+        status = gensec_update(state->gensec_security, state,
+                               state->in, &state->out);
+        if (tevent_req_nterror(req, status)) {
+                return;
+        }
+
+        tevent_req_done(req);
 }
 
@@ -1030 +1054 @@
  * Next state function for the GENSEC state machine
  * 
- * @param req GENSEC update request state
+ * @param req request state
  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
@@ -1036 +1060 @@
  *                or NT_STATUS_OK if the user is authenticated. 
  */
-_PUBLIC_ NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out)
-{
+_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
+                                     TALLOC_CTX *out_mem_ctx,
+                                     DATA_BLOB *out)
+{
+        struct gensec_update_state *state =
+                tevent_req_data(req, struct gensec_update_state);
         NTSTATUS status;
 
-        NT_STATUS_HAVE_NO_MEMORY(req);
-
-        *out = req->out;
+        if (tevent_req_is_nterror(req, &status)) {
+                if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+                        tevent_req_received(req);
+                        return status;
+                }
+        } else {
+                status = NT_STATUS_OK;
+        }
+
+        *out = state->out;
         talloc_steal(out_mem_ctx, out->data);
-        status = req->status;
-
-        talloc_free(req);
+
+        tevent_req_received(req);
         return status;
 }
@@ -1162 +1196 @@
 }
 
-/** 
- * Set (and talloc_reference) local and peer socket addresses onto a socket context on the GENSEC context 
+/**
+ * Set (and talloc_reference) local and peer socket addresses onto a socket
+ * context on the GENSEC context.
  *
  * This is so that kerberos can include these addresses in
@@ -1169 +1204 @@
  */
 
-_PUBLIC_ NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr) 
-{
-        gensec_security->my_addr = my_addr;
-        if (my_addr && !talloc_reference(gensec_security, my_addr)) {
+/**
+ * @brief Set the local gensec address.
+ *
+ * @param  gensec_security   The gensec security context to use.
+ *
+ * @param  remote       The local address to set.
+ *
+ * @return              On success NT_STATUS_OK is returned or an NT_STATUS
+ *                      error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+                const struct tsocket_address *local)
+{
+        TALLOC_FREE(gensec_security->local_addr);
+
+        if (local == NULL) {
+                return NT_STATUS_OK;
+        }
+
+        gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
+        if (gensec_security->local_addr == NULL) {
                 return NT_STATUS_NO_MEMORY;
         }
+
         return NT_STATUS_OK;
 }
 
-_PUBLIC_ NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr) 
-{
-        gensec_security->peer_addr = peer_addr;
-        if (peer_addr && !talloc_reference(gensec_security, peer_addr)) {
+/**
+ * @brief Set the remote gensec address.
+ *
+ * @param  gensec_security   The gensec security context to use.
+ *
+ * @param  remote       The remote address to set.
+ *
+ * @return              On success NT_STATUS_OK is returned or an NT_STATUS
+ *                      error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+                const struct tsocket_address *remote)
+{
+        TALLOC_FREE(gensec_security->remote_addr);
+
+        if (remote == NULL) {
+                return NT_STATUS_OK;
+        }
+
+        gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
+        if (gensec_security->remote_addr == NULL) {
                 return NT_STATUS_NO_MEMORY;
         }
+
         return NT_STATUS_OK;
 }
 
-struct socket_address *gensec_get_my_addr(struct gensec_security *gensec_security) 
-{
-        if (gensec_security->my_addr) {
-                return gensec_security->my_addr;
-        }
-
-        /* We could add a 'set sockaddr' call, and do a lookup.  This
-         * would avoid needing to do system calls if nothing asks. */
-        return NULL;
-}
-
-_PUBLIC_ struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security) 
-{
-        if (gensec_security->peer_addr) {
-                return gensec_security->peer_addr;
-        }
-
-        /* We could add a 'set sockaddr' call, and do a lookup.  This
-         * would avoid needing to do system calls if nothing asks.
-         * However, this is not appropriate for the peer addres on
-         * datagram sockets */
-        return NULL;
-}
-
-
+/**
+ * @brief Get the local address from a gensec security context.
+ *
+ * @param  gensec_security   The security context to get the address from.
+ *
+ * @return              The address as tsocket_address which could be NULL if
+ *                      no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
+{
+        if (gensec_security == NULL) {
+                return NULL;
+        }
+        return gensec_security->local_addr;
+}
+
+/**
+ * @brief Get the remote address from a gensec security context.
+ *
+ * @param  gensec_security   The security context to get the address from.
+ *
+ * @return              The address as tsocket_address which could be NULL if
+ *                      no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
+{
+        if (gensec_security == NULL) {
+                return NULL;
+        }
+        return gensec_security->remote_addr;
+}
 
 /** 
@@ -1219 +1296 @@
  */
 
-NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal) 
+_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
 {
         gensec_security->target.principal = talloc_strdup(gensec_security, principal);
@@ -1235 +1312 @@
 
         return NULL;
+}
+
+NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
+                                      struct gensec_security *gensec_security,
+                                      struct auth_user_info_dc *user_info_dc,
+                                      struct auth_session_info **session_info)
+{
+        NTSTATUS nt_status;
+        uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+        if (user_info_dc->info->authenticated) {
+                flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+        }
+        if (gensec_security->auth_context) {
+                nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
+                                                                                 user_info_dc,
+                                                                                 flags,
+                                                                                 session_info);
+        } else {
+                flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+                nt_status = auth_generate_session_info(mem_ctx,
+                                                       NULL,
+                                                       NULL,
+                                                       user_info_dc, flags,
+                                                       session_info);
+        }
+        return nt_status;
 }
 
@@ -1292 +1395 @@
 int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
 {
-        return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+        return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
 }
 
 bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
 {
-        return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+        return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
 }
 
@@ -1306 +1409 @@
 {
         static bool initialized = false;
-        extern NTSTATUS gensec_sasl_init(void);
-        extern NTSTATUS gensec_krb5_init(void);
-        extern NTSTATUS gensec_schannel_init(void);
-        extern NTSTATUS gensec_spnego_init(void);
-        extern NTSTATUS gensec_gssapi_init(void);
-        extern NTSTATUS gensec_ntlmssp_init(void);
-
+#define _MODULE_PROTO(init) extern NTSTATUS init(void);
+        STATIC_gensec_MODULES_PROTO;
         init_module_fn static_init[] = { STATIC_gensec_MODULES };
         init_module_fn *shared_init;
@@ -1326 +1424 @@
         talloc_free(shared_init);
 
-        qsort(generic_security_ops, gensec_num_backends, sizeof(*generic_security_ops), QSORT_CAST sort_gensec);
+        TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
         
         return NT_STATUS_OK;