diff options
-rw-r--r-- | source4/auth/auth.h | 12 | ||||
-rw-r--r-- | source4/auth/ntlm/auth.c | 242 | ||||
-rw-r--r-- | source4/auth/ntlm/config.mk | 2 | ||||
-rw-r--r-- | source4/smb_server/smb/sesssetup.c | 39 |
4 files changed, 169 insertions, 126 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index c625c87f39..28b955a516 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -275,14 +275,16 @@ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, const char *nt4_username, const char *password, struct auth_session_info **session_info); -NTSTATUS auth_check_password_recv(struct auth_check_password_request *req, + +struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct auth_context *auth_ctx, + const struct auth_usersupplied_info *user_info); +NTSTATUS auth_check_password_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **server_info); -void auth_check_password_send(struct auth_context *auth_ctx, - const struct auth_usersupplied_info *user_info, - void (*callback)(struct auth_check_password_request *req, void *private_data), - void *private_data); + NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by); NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx, diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index d0c8ed3a68..fafaf9cbb2 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -19,10 +19,11 @@ */ #include "includes.h" +#include <tevent.h> +#include "../lib/util/tevent_ntstatus.h" #include "../lib/util/dlinklist.h" #include "auth/auth.h" #include "auth/ntlm/auth_proto.h" -#include "lib/events/events.h" #include "param/param.h" /*************************************************************************** @@ -124,22 +125,6 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -struct auth_check_password_sync_state { - bool finished; - NTSTATUS status; - struct auth_serversupplied_info *server_info; -}; - -static void auth_check_password_sync_callback(struct auth_check_password_request *req, - void *private_data) -{ - struct auth_check_password_sync_state *s = talloc_get_type(private_data, - struct auth_check_password_sync_state); - - s->finished = true; - s->status = auth_check_password_recv(req, s, &s->server_info); -} - /** * Check a user's Plaintext, LM or NTLM password. * (sync version) @@ -172,48 +157,43 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info) { - struct auth_check_password_sync_state *sync_state; + struct tevent_req *subreq; + struct tevent_context *ev; + bool ok; NTSTATUS status; - sync_state = talloc_zero(auth_ctx, struct auth_check_password_sync_state); - NT_STATUS_HAVE_NO_MEMORY(sync_state); + /*TODO: create a new event context here! */ + ev = auth_ctx->event_ctx; - auth_check_password_send(auth_ctx, user_info, auth_check_password_sync_callback, sync_state); - - while (!sync_state->finished) { - event_loop_once(auth_ctx->event_ctx); + subreq = auth_check_password_send(mem_ctx, + ev, + auth_ctx, + user_info); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; } - status = sync_state->status; - - if (NT_STATUS_IS_OK(status)) { - *server_info = talloc_steal(mem_ctx, sync_state->server_info); + ok = tevent_req_poll(subreq, ev); + if (!ok) { + return NT_STATUS_INTERNAL_ERROR; } - talloc_free(sync_state); + status = auth_check_password_recv(subreq, mem_ctx, server_info); + TALLOC_FREE(subreq); + return status; } -struct auth_check_password_request { +struct auth_check_password_state { struct auth_context *auth_ctx; const struct auth_usersupplied_info *user_info; struct auth_serversupplied_info *server_info; struct auth_method_context *method; - NTSTATUS status; - struct { - void (*fn)(struct auth_check_password_request *req, void *private_data); - void *private_data; - } callback; }; -static void auth_check_password_async_timed_handler(struct tevent_context *ev, struct tevent_timer *te, - struct timeval t, void *ptr) -{ - struct auth_check_password_request *req = talloc_get_type(ptr, struct auth_check_password_request); - req->status = req->method->ops->check_password(req->method, req, req->user_info, &req->server_info); - req->callback.fn(req, req->callback.private_data); -} - +static void auth_check_password_async_trigger(struct tevent_context *ev, + struct tevent_immediate *im, + void *private_data); /** * Check a user's Plaintext, LM or NTLM password. * async send hook @@ -225,6 +205,10 @@ static void auth_check_password_async_timed_handler(struct tevent_context *ev, s * struct. When the return is other than NT_STATUS_OK the contents * of that structure is undefined. * + * @param mem_ctx The memory context the request should operate on + * + * @param ev The tevent context the request should operate on + * * @param auth_ctx Supplies the challenges and some other data. * Must be created with make_auth_context(), and the challenges should be * filled in, either at creation or by calling the challenge geneation @@ -232,93 +216,131 @@ static void auth_check_password_async_timed_handler(struct tevent_context *ev, s * * @param user_info Contains the user supplied components, including the passwords. * - * @param callback A callback function which will be called when the operation is finished. - * The callback function needs to call auth_check_password_recv() to get the return values - * - * @param private_data A private pointer which will ba passed to the callback function + * @return The request handle or NULL on no memory error. * **/ -_PUBLIC_ void auth_check_password_send(struct auth_context *auth_ctx, - const struct auth_usersupplied_info *user_info, - void (*callback)(struct auth_check_password_request *req, void *private_data), - void *private_data) +_PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct auth_context *auth_ctx, + const struct auth_usersupplied_info *user_info) { + struct tevent_req *req; + struct auth_check_password_state *state; /* if all the modules say 'not for me' this is reasonable */ NTSTATUS nt_status; struct auth_method_context *method; uint8_t chal[8]; struct auth_usersupplied_info *user_info_tmp; - struct auth_check_password_request *req = NULL; + struct tevent_immediate *im; - DEBUG(3, ("auth_check_password_send: Checking password for unmapped user [%s]\\[%s]@[%s]\n", - user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name)); + DEBUG(3,("auth_check_password_send: " + "Checking password for unmapped user [%s]\\[%s]@[%s]\n", + user_info->client.domain_name, user_info->client.account_name, + user_info->workstation_name)); - req = talloc_zero(auth_ctx, struct auth_check_password_request); - if (!req) { - callback(NULL, private_data); - return; + req = tevent_req_create(mem_ctx, &state, + struct auth_check_password_state); + if (req == NULL) { + return NULL; } - req->auth_ctx = auth_ctx; - req->user_info = user_info; - req->callback.fn = callback; - req->callback.private_data = private_data; + + state->auth_ctx = auth_ctx; + state->user_info = user_info; + state->method = NULL; if (!user_info->mapped_state) { - nt_status = map_user_info(req, lp_workgroup(auth_ctx->lp_ctx), user_info, &user_info_tmp); - if (!NT_STATUS_IS_OK(nt_status)) goto failed; + nt_status = map_user_info(req, lp_workgroup(auth_ctx->lp_ctx), + user_info, &user_info_tmp); + if (tevent_req_nterror(req, nt_status)) { + return tevent_req_post(req, ev); + } user_info = user_info_tmp; - req->user_info = user_info_tmp; + state->user_info = user_info_tmp; } - DEBUGADD(3,("auth_check_password_send: mapped user is: [%s]\\[%s]@[%s]\n", - user_info->mapped.domain_name, user_info->mapped.account_name, user_info->workstation_name)); + DEBUGADD(3,("auth_check_password_send: " + "mapped user is: [%s]\\[%s]@[%s]\n", + user_info->mapped.domain_name, + user_info->mapped.account_name, + user_info->workstation_name)); nt_status = auth_get_challenge(auth_ctx, chal); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("auth_check_password_send: Invalid challenge (length %u) stored for this auth context set_by %s - cannot continue: %s\n", - (unsigned)auth_ctx->challenge.data.length, auth_ctx->challenge.set_by, nt_errstr(nt_status))); - goto failed; + if (tevent_req_nterror(req, nt_status)) { + DEBUG(0,("auth_check_password_send: " + "Invalid challenge (length %u) stored for " + "this auth context set_by %s - cannot continue: %s\n", + (unsigned)auth_ctx->challenge.data.length, + auth_ctx->challenge.set_by, + nt_errstr(nt_status))); + return tevent_req_post(req, ev); } if (auth_ctx->challenge.set_by) { - DEBUG(10, ("auth_check_password_send: auth_context challenge created by %s\n", - auth_ctx->challenge.set_by)); + DEBUG(10,("auth_check_password_send: " + "auth_context challenge created by %s\n", + auth_ctx->challenge.set_by)); } DEBUG(10, ("auth_check_password_send: challenge is: \n")); - dump_data(5, auth_ctx->challenge.data.data, auth_ctx->challenge.data.length); + dump_data(5, auth_ctx->challenge.data.data, + auth_ctx->challenge.data.length); + + im = tevent_create_immediate(state); + if (tevent_req_nomem(im, req)) { + return tevent_req_post(req, ev); + } - nt_status = NT_STATUS_NO_SUCH_USER; /* If all the modules say 'not for me', then this is reasonable */ for (method = auth_ctx->methods; method; method = method->next) { NTSTATUS result; - struct tevent_timer *te = NULL; /* check if the module wants to chek the password */ result = method->ops->want_check(method, req, user_info); if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) { - DEBUG(11,("auth_check_password_send: %s had nothing to say\n", method->ops->name)); + DEBUG(11,("auth_check_password_send: " + "%s had nothing to say\n", + method->ops->name)); continue; } - nt_status = result; - req->method = method; + state->method = method; - if (!NT_STATUS_IS_OK(nt_status)) break; - - te = event_add_timed(auth_ctx->event_ctx, req, - timeval_zero(), - auth_check_password_async_timed_handler, req); - if (!te) { - nt_status = NT_STATUS_NO_MEMORY; - goto failed; + if (tevent_req_nterror(req, result)) { + return tevent_req_post(req, ev); } + + tevent_schedule_immediate(im, + auth_ctx->event_ctx, + auth_check_password_async_trigger, + req); + + return req; + } + + /* If all the modules say 'not for me', then this is reasonable */ + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return tevent_req_post(req, ev); +} + +static void auth_check_password_async_trigger(struct tevent_context *ev, + struct tevent_immediate *im, + void *private_data) +{ + struct tevent_req *req = + talloc_get_type_abort(private_data, struct tevent_req); + struct auth_check_password_state *state = + tevent_req_data(req, struct auth_check_password_state); + NTSTATUS status; + + status = state->method->ops->check_password(state->method, + state, + state->user_info, + &state->server_info); + if (tevent_req_nterror(req, status)) { return; } -failed: - req->status = nt_status; - req->callback.fn(req, req->callback.private_data); + tevent_req_done(req); } /** @@ -330,7 +352,7 @@ failed: * of that structure is undefined. * * - * @param req The async auth_check_password state, passes to the callers callback function + * @param req The async request state * * @param mem_ctx The parent memory context for the server_info structure * @@ -341,30 +363,36 @@ failed: * **/ -_PUBLIC_ NTSTATUS auth_check_password_recv(struct auth_check_password_request *req, +_PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **server_info) { + struct auth_check_password_state *state = + tevent_req_data(req, struct auth_check_password_state); NTSTATUS status; - NT_STATUS_HAVE_NO_MEMORY(req); + if (tevent_req_is_nterror(req, &status)) { + DEBUG(2,("auth_check_password_recv: " + "%s authentication for user [%s\\%s]" + "FAILED with error %s\n", + (state->method ? state->method->ops->name : "NO_METHOD"), + state->user_info->mapped.domain_name, + state->user_info->mapped.account_name, + nt_errstr(status))); + tevent_req_received(req); + return status; + } - if (NT_STATUS_IS_OK(req->status)) { - DEBUG(5,("auth_check_password_recv: %s authentication for user [%s\\%s] succeeded\n", - req->method->ops->name, req->server_info->domain_name, req->server_info->account_name)); + DEBUG(5,("auth_check_password_recv: " + "%s authentication for user [%s\\%s] succeeded\n", + state->method->ops->name, + state->server_info->domain_name, + state->server_info->account_name)); - *server_info = talloc_steal(mem_ctx, req->server_info); - } else { - DEBUG(2,("auth_check_password_recv: %s authentication for user [%s\\%s] FAILED with error %s\n", - (req->method ? req->method->ops->name : "NO_METHOD"), - req->user_info->mapped.domain_name, - req->user_info->mapped.account_name, - nt_errstr(req->status))); - } + *server_info = talloc_move(mem_ctx, &state->server_info); - status = req->status; - talloc_free(req); - return status; + tevent_req_received(req); + return NT_STATUS_OK; } /*************************************************************************** diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk index 82738529cf..6c75ae842d 100644 --- a/source4/auth/ntlm/config.mk +++ b/source4/auth/ntlm/config.mk @@ -71,7 +71,7 @@ PAM_ERRORS_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, pam_errors.o) INIT_FUNCTION = server_service_auth_init SUBSYSTEM = service OUTPUT_TYPE = MERGED_OBJ -PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS +PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS UTIL_TEVENT auth_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth.o auth_util.o auth_simple.o) $(eval $(call proto_header_template,$(authsrcdir)/ntlm/auth_proto.h,$(auth_OBJ_FILES:.o=.c))) diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index e415a47699..aecd49fb0b 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -56,17 +56,18 @@ static void smbsrv_sesssetup_backend_send(struct smbsrv_request *req, smbsrv_reply_sesssetup_send(req, sess, status); } -static void sesssetup_old_send(struct auth_check_password_request *areq, - void *private_data) +static void sesssetup_old_send(struct tevent_req *subreq) { - struct smbsrv_request *req = talloc_get_type(private_data, struct smbsrv_request); + struct smbsrv_request *req = + tevent_req_callback_data(subreq, struct smbsrv_request); union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup); struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info; struct smbsrv_session *smb_sess; NTSTATUS status; - status = auth_check_password_recv(areq, req, &server_info); + status = auth_check_password_recv(subreq, req, &server_info); + TALLOC_FREE(subreq); if (!NT_STATUS_IS_OK(status)) goto failed; /* This references server_info into session_info */ @@ -104,6 +105,7 @@ static void sesssetup_old(struct smbsrv_request *req, union smb_sesssetup *sess) struct auth_usersupplied_info *user_info = NULL; struct tsocket_address *remote_address; const char *remote_machine = NULL; + struct tevent_req *subreq; sess->old.out.vuid = 0; sess->old.out.action = 0; @@ -145,25 +147,30 @@ static void sesssetup_old(struct smbsrv_request *req, union smb_sesssetup *sess) user_info->password.response.lanman.data = talloc_steal(user_info, sess->old.in.password.data); user_info->password.response.nt = data_blob(NULL, 0); - auth_check_password_send(req->smb_conn->negotiate.auth_context, user_info, - sesssetup_old_send, req); + subreq = auth_check_password_send(req, + req->smb_conn->connection->event.ctx, + req->smb_conn->negotiate.auth_context, + user_info); + if (!subreq) goto nomem; + tevent_req_set_callback(subreq, sesssetup_old_send, req); return; nomem: smbsrv_sesssetup_backend_send(req, sess, NT_STATUS_NO_MEMORY); } -static void sesssetup_nt1_send(struct auth_check_password_request *areq, - void *private_data) +static void sesssetup_nt1_send(struct tevent_req *subreq) { - struct smbsrv_request *req = talloc_get_type(private_data, struct smbsrv_request); + struct smbsrv_request *req = + tevent_req_callback_data(subreq, struct smbsrv_request); union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup); struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info; struct smbsrv_session *smb_sess; NTSTATUS status; - status = auth_check_password_recv(areq, req, &server_info); + status = auth_check_password_recv(subreq, req, &server_info); + TALLOC_FREE(subreq); if (!NT_STATUS_IS_OK(status)) goto failed; /* This references server_info into session_info */ @@ -211,7 +218,8 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess) struct auth_usersupplied_info *user_info = NULL; struct tsocket_address *remote_address; const char *remote_machine = NULL; - + struct tevent_req *subreq; + sess->nt1.out.vuid = 0; sess->nt1.out.action = 0; @@ -273,8 +281,13 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess) user_info->password.response.nt = sess->nt1.in.password2; user_info->password.response.nt.data = talloc_steal(user_info, sess->nt1.in.password2.data); - auth_check_password_send(auth_context, user_info, - sesssetup_nt1_send, req); + subreq = auth_check_password_send(req, + req->smb_conn->connection->event.ctx, + auth_context, + user_info); + if (!subreq) goto nomem; + tevent_req_set_callback(subreq, sesssetup_nt1_send, req); + return; nomem: |