diff options
Diffstat (limited to 'source4/auth/gensec/gensec.c')
-rw-r--r-- | source4/auth/gensec/gensec.c | 90 |
1 files changed, 69 insertions, 21 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 5d57383d2a..7a8da71a7d 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -40,6 +40,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_all(void) return generic_security_ops; } +bool gensec_security_ops_enabled(struct gensec_security_ops *ops, + struct loadparm_context *lp_ctx) +{ + return lp_parm_bool(lp_ctx, NULL, "gensec", ops->name, ops->enabled); +} + /* Sometimes we want to force only kerberos, sometimes we want to * force it's avoidance. The old list could be either * gensec_security_all(), or from cli_credentials_gensec_list() (ie, @@ -76,6 +82,7 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ j = 0; for (i=0; old_gensec_list && old_gensec_list[i]; i++) { int oid_idx; + for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) { if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) { new_gensec_list[j] = old_gensec_list[i]; @@ -140,6 +147,9 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (!gensec_security_ops_enabled(backends[i], + gensec_security->settings->lp_ctx)) + continue; if (backends[i]->auth_type == auth_type) { backend = backends[i]; talloc_free(mem_ctx); @@ -163,6 +173,10 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], + gensec_security->settings->lp_ctx)) + continue; if (backends[i]->oid) { for (j=0; backends[i]->oid[j]; j++) { if (backends[i]->oid[j] && @@ -191,6 +205,8 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (!gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; if (backends[i]->sasl_name && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) { backend = backends[i]; @@ -215,6 +231,9 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; if (backends[i]->name && (strcmp(backends[i]->name, name) == 0)) { backend = backends[i]; @@ -258,6 +277,9 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) { if (!backends[i]->sasl_name || !(strcmp(backends[i]->sasl_name, @@ -326,6 +348,9 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; if (!backends[i]->oid) { continue; } @@ -374,7 +399,8 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen * Return OIDS from the security subsystems listed */ -const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx, +const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, struct gensec_security_ops **ops, const char *skip) { @@ -391,6 +417,10 @@ const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx, } for (i=0; ops && ops[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(ops[i], gensec_security->settings->lp_ctx)) { + continue; + } if (!ops[i]->oid) { continue; } @@ -464,7 +494,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, { struct gensec_security_ops **ops = gensec_security_mechs(gensec_security, mem_ctx); - return gensec_security_oids_from_ops(mem_ctx, ops, skip); + return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip); } @@ -477,7 +507,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, */ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security) { @@ -501,7 +531,8 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, (*gensec_security)->event_ctx = ev; (*gensec_security)->msg_ctx = msg; - (*gensec_security)->lp_ctx = lp_ctx; + SMB_ASSERT(settings->lp_ctx != NULL); + (*gensec_security)->settings = talloc_reference(*gensec_security, settings); return NT_STATUS_OK; } @@ -529,7 +560,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, (*gensec_security)->want_features = parent->want_features; (*gensec_security)->event_ctx = parent->event_ctx; (*gensec_security)->msg_ctx = parent->msg_ctx; - (*gensec_security)->lp_ctx = parent->lp_ctx; + (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings); return NT_STATUS_OK; } @@ -543,11 +574,16 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct event_context *ev, - struct loadparm_context *lp_ctx) + struct gensec_settings *settings) { NTSTATUS status; - status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security); + if (settings == NULL) { + DEBUG(0,("gensec_client_start: no settings given!\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -564,7 +600,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, */ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security) { @@ -580,7 +616,12 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } - status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security); + if (!settings) { + DEBUG(0,("gensec_server_start: no settings given!\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = gensec_start(mem_ctx, ev, settings, msg, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -653,10 +694,10 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s return gensec_start_mech(gensec_security); } -_PUBLIC_ const char *gensec_get_name_by_authtype(uint8_t authtype) +_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) { const struct gensec_security_ops *ops; - ops = gensec_security_by_authtype(NULL, authtype); + ops = gensec_security_by_authtype(gensec_security, authtype); if (ops) { return ops->name; } @@ -664,10 +705,11 @@ _PUBLIC_ const char *gensec_get_name_by_authtype(uint8_t authtype) } -_PUBLIC_ const char *gensec_get_name_by_oid(const char *oid_string) +_PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, + const char *oid_string) { const struct gensec_security_ops *ops; - ops = gensec_security_by_oid(NULL, oid_string); + ops = gensec_security_by_oid(gensec_security, oid_string); if (ops) { return ops->name; } @@ -697,6 +739,8 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, const char *mech_oid) { + SMB_ASSERT(gensec_security != NULL); + gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid); if (!gensec_security->ops) { DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid)); @@ -1107,9 +1151,8 @@ _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_secu _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) { /* We allow the target hostname to be overriden for testing purposes */ - const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname"); - if (target_hostname) { - return target_hostname; + if (gensec_security->settings->target_hostname) { + return gensec_security->settings->target_hostname; } if (gensec_security->target.hostname) { @@ -1205,11 +1248,6 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security) */ NTSTATUS gensec_register(const struct gensec_security_ops *ops) { - if (!lp_parm_bool(global_loadparm, NULL, "gensec", ops->name, ops->enabled)) { - DEBUG(2,("gensec subsystem %s is disabled\n", ops->name)); - return NT_STATUS_OK; - } - if (gensec_security_by_name(NULL, ops->name) != NULL) { /* its already registered! */ DEBUG(0,("GENSEC backend '%s' already registered\n", @@ -1255,6 +1293,16 @@ static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ return (*gs2)->priority - (*gs1)->priority; } +int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value) +{ + return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value); +} + +bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value) +{ + return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value); +} + /* initialise the GENSEC subsystem */ |