summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec.c29
-rw-r--r--source4/auth/gensec/gensec.h15
-rw-r--r--source4/auth/gensec/gensec_gssapi.c42
-rw-r--r--source4/auth/gensec/gensec_krb5.c16
-rw-r--r--source4/auth/gensec/schannel.c10
5 files changed, 65 insertions, 47 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 5d57383d2a..3416ee10bc 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -477,7 +477,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security,
*/
static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
struct event_context *ev,
- struct loadparm_context *lp_ctx,
+ struct gensec_settings *settings,
struct messaging_context *msg,
struct gensec_security **gensec_security)
{
@@ -501,7 +501,7 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->event_ctx = ev;
(*gensec_security)->msg_ctx = msg;
- (*gensec_security)->lp_ctx = lp_ctx;
+ (*gensec_security)->settings = settings;
return NT_STATUS_OK;
}
@@ -529,7 +529,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->want_features = parent->want_features;
(*gensec_security)->event_ctx = parent->event_ctx;
(*gensec_security)->msg_ctx = parent->msg_ctx;
- (*gensec_security)->lp_ctx = parent->lp_ctx;
+ (*gensec_security)->settings = parent->settings;
return NT_STATUS_OK;
}
@@ -543,11 +543,11 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security,
struct event_context *ev,
- struct loadparm_context *lp_ctx)
+ struct gensec_settings *settings)
{
NTSTATUS status;
- status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security);
+ status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -564,7 +564,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
*/
_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct event_context *ev,
- struct loadparm_context *lp_ctx,
+ struct gensec_settings *settings,
struct messaging_context *msg,
struct gensec_security **gensec_security)
{
@@ -580,7 +580,7 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
return NT_STATUS_INTERNAL_ERROR;
}
- status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security);
+ status = gensec_start(mem_ctx, ev, settings, msg, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -1107,9 +1107,8 @@ _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_secu
_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
{
/* We allow the target hostname to be overriden for testing purposes */
- const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname");
- if (target_hostname) {
- return target_hostname;
+ if (gensec_security->settings->target_hostname) {
+ return gensec_security->settings->target_hostname;
}
if (gensec_security->target.hostname) {
@@ -1255,6 +1254,16 @@ static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_
return (*gs2)->priority - (*gs1)->priority;
}
+int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
+{
+ return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
+bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
+{
+ return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
/*
initialise the GENSEC subsystem
*/
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 0b31882ddd..2a483171f7 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -64,6 +64,7 @@ enum gensec_role
struct auth_session_info;
struct cli_credentials;
+struct gensec_settings;
struct gensec_update_request {
struct gensec_security *gensec_security;
@@ -77,6 +78,12 @@ struct gensec_update_request {
} callback;
};
+struct gensec_settings {
+ struct loadparm_context *lp_ctx;
+ struct smb_iconv_convenience *iconv_convenience;
+ const char *target_hostname;
+};
+
struct gensec_security_ops {
const char *name;
const char *sasl_name;
@@ -151,7 +158,6 @@ struct gensec_security_ops_wrapper {
struct gensec_security {
const struct gensec_security_ops *ops;
- struct loadparm_context *lp_ctx;
void *private_data;
struct cli_credentials *credentials;
struct gensec_target target;
@@ -161,6 +167,7 @@ struct gensec_security {
struct event_context *event_ctx;
struct messaging_context *msg_ctx; /* only valid as server */
struct socket_address *my_addr, *peer_addr;
+ struct gensec_settings *settings;
};
/* this structure is used by backends to determine the size of some critical types */
@@ -210,7 +217,7 @@ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security,
struct event_context *ev,
- struct loadparm_context *lp_ctx);
+ struct gensec_settings *settings);
NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
const char **sasl_names);
NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
@@ -262,7 +269,7 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
const char *gensec_get_name_by_authtype(uint8_t authtype);
NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct event_context *ev,
- struct loadparm_context *lp_ctx,
+ struct gensec_settings *settings,
struct messaging_context *msg,
struct gensec_security **gensec_security);
NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
@@ -295,5 +302,7 @@ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
const char *sasl_name);
+int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
+bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
#endif /* __GENSEC_H__ */
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e307dbb5cb..dcfffef3df 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -154,7 +154,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->gss_exchange_count = 0;
gensec_gssapi_state->max_wrap_buf_size
- = lp_parm_int(gensec_security->lp_ctx, NULL, "gensec_gssapi", "max wrap buf size", 65536);
+ = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
gensec_gssapi_state->sasl = false;
gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
@@ -170,16 +170,16 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
gensec_gssapi_state->want_flags = 0;
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "mutual", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "replay", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "sequence", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG;
}
@@ -214,10 +214,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
- if (lp_realm(gensec_security->lp_ctx) && *lp_realm(gensec_security->lp_ctx)) {
- char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->lp_ctx));
+ if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) {
+ char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx));
if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->lp_ctx)));
+ DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx)));
talloc_free(gensec_gssapi_state);
return NT_STATUS_NO_MEMORY;
}
@@ -231,7 +231,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
}
/* don't do DNS lookups of any kind, it might/will fail for a netbios name */
- ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(gensec_security->lp_ctx, NULL, "krb5", "set_dns_canonicalize", false));
+ ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
talloc_free(gensec_gssapi_state);
@@ -240,7 +240,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
ret = smb_krb5_init_context(gensec_gssapi_state,
gensec_security->event_ctx,
- gensec_security->lp_ctx,
+ gensec_security->settings->lp_ctx,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
@@ -274,7 +274,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
} else {
ret = cli_credentials_get_server_gss_creds(machine_account,
gensec_security->event_ctx,
- gensec_security->lp_ctx, &gcc);
+ gensec_security->settings->lp_ctx, &gcc);
if (ret) {
DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
error_message(ret)));
@@ -336,7 +336,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gensec_gssapi_state->gss_oid = gss_mech_krb5;
principal = gensec_get_target_principal(gensec_security);
- if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) {
+ if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
name_type = GSS_C_NULL_OID;
} else {
principal = talloc_asprintf(gensec_gssapi_state, "%s@%s",
@@ -362,7 +362,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
ret = cli_credentials_get_client_gss_creds(creds,
gensec_security->event_ctx,
- gensec_security->lp_ctx, &gcc);
+ gensec_security->settings->lp_ctx, &gcc);
switch (ret) {
case 0:
break;
@@ -1142,10 +1142,10 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
return false;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "force_new_spnego", false)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
return true;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "disable_new_spnego", false)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
return false;
}
@@ -1256,7 +1256,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
*/
if (pac_blob.length) {
nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx),
+ gensec_security->settings->iconv_convenience,
pac_blob,
gensec_gssapi_state->smb_krb5_context->krb5_context,
&server_info);
@@ -1290,11 +1290,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
return NT_STATUS_NO_MEMORY;
}
- if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
+ if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx,
- gensec_security->lp_ctx, principal_string,
+ gensec_security->settings->lp_ctx, principal_string,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1311,7 +1311,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
/* references the server_info into the session_info */
nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx,
- gensec_security->lp_ctx, server_info, &session_info);
+ gensec_security->settings->lp_ctx, server_info, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
@@ -1334,13 +1334,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
return NT_STATUS_NO_MEMORY;
}
- cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx);
+ cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
/* Just so we don't segfault trying to get at a username */
cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
gensec_security->event_ctx,
- gensec_security->lp_ctx,
+ gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
CRED_SPECIFIED);
if (ret) {
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 1f54043038..16867366a4 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -120,7 +120,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
if (cli_credentials_get_krb5_context(creds,
gensec_security->event_ctx,
- gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
+ gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
@@ -252,7 +252,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
gensec_security->event_ctx,
- gensec_security->lp_ctx, &ccache_container);
+ gensec_security->settings->lp_ctx, &ccache_container);
switch (ret) {
case 0:
break;
@@ -267,7 +267,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
}
in_data.length = 0;
- if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) {
+ if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
&target_principal);
@@ -452,7 +452,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
/* Grab the keytab, however generated */
ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
gensec_security->event_ctx,
- gensec_security->lp_ctx, &keytab);
+ gensec_security->settings->lp_ctx, &keytab);
if (ret) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -594,7 +594,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
KRB5_AUTHDATA_WIN2K_PAC,
&pac_data);
- if (ret && lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
+ if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
principal_string,
smb_get_krb5_error_message(context,
@@ -607,7 +607,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string,
+ nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, principal_string,
&server_info);
krb5_free_principal(context, client_principal);
free(principal_string);
@@ -630,7 +630,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
/* decode and verify the pac */
nt_status = kerberos_pac_logon_info(gensec_krb5_state,
- lp_iconv_convenience(gensec_security->lp_ctx),
+ gensec_security->settings->iconv_convenience,
&logon_info, pac,
gensec_krb5_state->smb_krb5_context->krb5_context,
NULL, gensec_krb5_state->keyblock,
@@ -655,7 +655,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info);
+ nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, server_info, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index f21202b86f..e6d38c14a3 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -85,7 +85,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
#endif
ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel,
+ gensec_security->settings->iconv_convenience, &bind_schannel,
(ndr_push_flags_fn_t)ndr_push_schannel_bind);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
@@ -106,7 +106,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
/* parse the schannel startup blob */
ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx),
+ gensec_security->settings->iconv_convenience,
&bind_schannel,
(ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
@@ -126,7 +126,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
/* pull the session key for this client */
status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx,
- gensec_security->lp_ctx, workstation,
+ gensec_security->settings->lp_ctx, workstation,
domain, &creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
@@ -144,7 +144,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
bind_schannel_ack.unknown3 = 0x6c0000;
ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel_ack,
+ gensec_security->settings->iconv_convenience, &bind_schannel_ack,
(ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
@@ -190,7 +190,7 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
struct auth_session_info **_session_info)
{
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
- return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->lp_ctx, _session_info);
+ return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info);
}
static NTSTATUS schannel_start(struct gensec_security *gensec_security)
generated by cgit (git 2.34.1) at 2024-07-08 20:42:49 +0000