summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ipa/ipa_auth.c12
-rw-r--r--src/providers/krb5/krb5_auth.c28
-rw-r--r--src/providers/krb5/krb5_auth.h18
-rw-r--r--src/providers/krb5/krb5_delayed_online_authentication.c11
-rw-r--r--src/providers/krb5/krb5_renew_tgt.c6
-rw-r--r--src/providers/krb5/krb5_wait_queue.c184
6 files changed, 205 insertions, 54 deletions
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 79e891b77..b1bfa3ffe 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -224,8 +224,8 @@ void ipa_auth(struct be_req *be_req)
goto fail;
}
- req = krb5_auth_send(state, state->ev, be_ctx, state->pd,
- state->ipa_auth_ctx->krb5_auth_ctx);
+ req = krb5_auth_queue_send(state, state->ev, be_ctx, state->pd,
+ state->ipa_auth_ctx->krb5_auth_ctx);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_send failed.\n");
goto fail;
@@ -248,7 +248,7 @@ static void ipa_auth_handler_done(struct tevent_req *req)
int pam_status = PAM_SYSTEM_ERR;
int dp_err;
- ret = krb5_auth_recv(req, &pam_status, &dp_err);
+ ret = krb5_auth_queue_recv(req, &pam_status, &dp_err);
talloc_zfree(req);
state->pd->pam_status = pam_status;
if (ret != EOK && pam_status != PAM_CRED_ERR) {
@@ -423,8 +423,8 @@ static void ipa_auth_ldap_done(struct tevent_req *req)
DEBUG(SSSDBG_TRACE_FUNC, "LDAP authentication succeded, "
"trying Kerberos authentication again.\n");
- req = krb5_auth_send(state, state->ev, be_ctx, state->pd,
- state->ipa_auth_ctx->krb5_auth_ctx);
+ req = krb5_auth_queue_send(state, state->ev, be_ctx, state->pd,
+ state->ipa_auth_ctx->krb5_auth_ctx);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_send failed.\n");
goto done;
@@ -445,7 +445,7 @@ static void ipa_auth_handler_retry_done(struct tevent_req *req)
int pam_status;
int dp_err;
- ret = krb5_auth_recv(req, &pam_status, &dp_err);
+ ret = krb5_auth_queue_recv(req, &pam_status, &dp_err);
talloc_zfree(req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv request failed.\n");
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 8c851442b..8886456c0 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1139,7 +1139,6 @@ void krb5_pam_handler(struct be_req *be_req)
struct pam_data *pd;
struct krb5_ctx *krb5_ctx;
int dp_err = DP_ERR_FATAL;
- int ret;
pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
pd->pam_status = PAM_SYSTEM_ERR;
@@ -1155,22 +1154,7 @@ void krb5_pam_handler(struct be_req *be_req)
case SSS_CMD_RENEW:
case SSS_PAM_CHAUTHTOK_PRELIM:
case SSS_PAM_CHAUTHTOK:
- ret = add_to_wait_queue(be_req, pd, krb5_ctx);
- if (ret == EOK) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Request successfully added to wait queue "
- "of user [%s].\n", pd->user);
- return;
- } else if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_LIBS, "Wait queue of user [%s] is empty, "
- "running request immediately.\n", pd->user);
- } else {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Failed to add request to wait queue of user [%s], "
- "running request immediately.\n", pd->user);
- }
-
- req = krb5_auth_send(be_req, be_ctx->ev, be_ctx, pd, krb5_ctx);
+ req = krb5_auth_queue_send(be_req, be_ctx->ev, be_ctx, pd, krb5_ctx);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n");
goto done;
@@ -1215,11 +1199,10 @@ void krb5_pam_handler_auth_done(struct tevent_req *req)
int pam_status;
int dp_err;
struct pam_data *pd;
- struct krb5_ctx *krb5_ctx;
pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
- ret = krb5_auth_recv(req, &pam_status, &dp_err);
+ ret = krb5_auth_queue_recv(req, &pam_status, &dp_err);
talloc_zfree(req);
if (ret) {
pd->pam_status = PAM_SYSTEM_ERR;
@@ -1228,13 +1211,6 @@ void krb5_pam_handler_auth_done(struct tevent_req *req)
pd->pam_status = pam_status;
}
- krb5_ctx = get_krb5_ctx(be_req);
- if (krb5_ctx != NULL) {
- check_wait_queue(krb5_ctx, pd->user);
- } else {
- DEBUG(SSSDBG_CRIT_FAILURE, "Kerberos context not available.\n");
- }
-
be_req_terminate(be_req, dp_err, pd->pam_status, NULL);
}
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index a00f1d9d9..205e70665 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -66,6 +66,11 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
void krb5_pam_handler(struct be_req *be_req);
void krb5_pam_handler_auth_done(struct tevent_req *req);
+/* Please use krb5_auth_send/recv *only* if you're certain there can't
+ * be concurrent logins happening. With some ccache back ends, the ccache
+ * files might clobber one another. Please use krb5_auth_queue_send()
+ * instead that queues the requests
+ */
struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
@@ -114,7 +119,14 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
int krb5_access_recv(struct tevent_req *req, bool *access_allowed);
/* krb5_wait_queue.c */
-errno_t add_to_wait_queue(struct be_req *be_req, struct pam_data *pd,
- struct krb5_ctx *krb5_ctx);
-void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username);
+struct tevent_req *krb5_auth_queue_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct pam_data *pd,
+ struct krb5_ctx *krb5_ctx);
+
+int krb5_auth_queue_recv(struct tevent_req *req,
+ int *_pam_status,
+ int *_dp_err);
+
#endif /* __KRB5_AUTH_H__ */
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index 5f13eac8e..bf2ef7755 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -103,8 +103,8 @@ static void authenticate_user(struct tevent_context *ev,
}
#endif
- req = krb5_auth_send(auth_data, ev, auth_data->be_ctx, auth_data->pd,
- auth_data->krb5_ctx);
+ req = krb5_auth_queue_send(auth_data, ev, auth_data->be_ctx,
+ auth_data->pd, auth_data->krb5_ctx);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n");
talloc_free(auth_data);
@@ -114,14 +114,15 @@ static void authenticate_user(struct tevent_context *ev,
tevent_req_set_callback(req, authenticate_user_done, auth_data);
}
-static void authenticate_user_done(struct tevent_req *req) {
+static void authenticate_user_done(struct tevent_req *req)
+{
struct auth_data *auth_data = tevent_req_callback_data(req,
struct auth_data);
int ret;
int pam_status = PAM_SYSTEM_ERR;
- int dp_err;
+ int dp_err = DP_ERR_OK;
- ret = krb5_auth_recv(req, &pam_status, &dp_err);
+ ret = krb5_auth_queue_recv(req, &pam_status, &dp_err);
talloc_free(req);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth request failed.\n");
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index 5277c0f76..498097792 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -66,8 +66,8 @@ static void renew_tgt(struct tevent_context *ev, struct tevent_timer *te,
struct auth_data);
struct tevent_req *req;
- req = krb5_auth_send(auth_data, ev, auth_data->be_ctx, auth_data->pd,
- auth_data->krb5_ctx);
+ req = krb5_auth_queue_send(auth_data, ev, auth_data->be_ctx, auth_data->pd,
+ auth_data->krb5_ctx);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n");
/* Give back the pam data to the renewal item to be able to retry at the next
@@ -90,7 +90,7 @@ static void renew_tgt_done(struct tevent_req *req)
int dp_err;
hash_value_t value;
- ret = krb5_auth_recv(req, &pam_status, &dp_err);
+ ret = krb5_auth_queue_recv(req, &pam_status, &dp_err);
talloc_free(req);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth request failed.\n");
diff --git a/src/providers/krb5/krb5_wait_queue.c b/src/providers/krb5/krb5_wait_queue.c
index 10c50d81b..126209620 100644
--- a/src/providers/krb5/krb5_wait_queue.c
+++ b/src/providers/krb5/krb5_wait_queue.c
@@ -25,6 +25,8 @@
#include <tevent.h>
#include <dhash.h>
+#include <security/pam_modules.h>
+
#include "src/providers/krb5/krb5_auth.h"
#define INIT_HASH_SIZE 5
@@ -33,28 +35,53 @@ struct queue_entry {
struct queue_entry *prev;
struct queue_entry *next;
+ struct be_ctx *be_ctx;
struct be_req *be_req;
+ struct tevent_req *parent_req;
struct pam_data *pd;
struct krb5_ctx *krb5_ctx;
};
+static void wait_queue_auth_done(struct tevent_req *req);
+
+static void krb5_auth_queue_finish(struct tevent_req *req, errno_t ret,
+ int pam_status, int dp_err);
+
static void wait_queue_auth(struct tevent_context *ev, struct tevent_timer *te,
- struct timeval current_time, void *private_data)
+ struct timeval current_time, void *private_data)
{
struct queue_entry *qe = talloc_get_type(private_data, struct queue_entry);
- struct be_ctx *be_ctx = be_req_get_be_ctx(qe->be_req);
struct tevent_req *req;
- req = krb5_auth_send(qe->be_req, be_ctx->ev, be_ctx, qe->pd, qe->krb5_ctx);
+ req = krb5_auth_send(qe->parent_req, qe->be_ctx->ev,
+ qe->be_ctx, qe->pd, qe->krb5_ctx);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n");
} else {
- tevent_req_set_callback(req, krb5_pam_handler_auth_done, qe->be_req);
+ tevent_req_set_callback(req, wait_queue_auth_done,
+ qe->parent_req);
}
talloc_zfree(qe);
}
+static void wait_queue_auth_done(struct tevent_req *req)
+{
+ struct tevent_req *parent_req = \
+ tevent_req_callback_data(req, struct tevent_req);
+ int pam_status;
+ int dp_err;
+ errno_t ret;
+
+ ret = krb5_auth_recv(req, &pam_status, &dp_err);
+ talloc_zfree(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv failed: %d\n", ret);
+ }
+
+ krb5_auth_queue_finish(parent_req, ret, pam_status, dp_err);
+}
+
static void wait_queue_del_cb(hash_entry_t *entry, hash_destroy_enum type,
void *pvt)
{
@@ -70,8 +97,10 @@ static void wait_queue_del_cb(hash_entry_t *entry, hash_destroy_enum type,
"Unexpected value type [%d].\n", entry->value.type);
}
-errno_t add_to_wait_queue(struct be_req *be_req, struct pam_data *pd,
- struct krb5_ctx *krb5_ctx)
+static errno_t add_to_wait_queue(struct be_ctx *be_ctx,
+ struct tevent_req *parent_req,
+ struct pam_data *pd,
+ struct krb5_ctx *krb5_ctx)
{
int ret;
hash_key_t key;
@@ -108,7 +137,8 @@ errno_t add_to_wait_queue(struct be_req *be_req, struct pam_data *pd,
return ENOMEM;
}
- queue_entry->be_req = be_req;
+ queue_entry->be_ctx = be_ctx;
+ queue_entry->parent_req = parent_req;
queue_entry->pd = pd;
queue_entry->krb5_ctx = krb5_ctx;
@@ -144,7 +174,7 @@ errno_t add_to_wait_queue(struct be_req *be_req, struct pam_data *pd,
}
}
-void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username)
+static void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username)
{
int ret;
hash_key_t key;
@@ -152,7 +182,6 @@ void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username)
struct queue_entry *head;
struct queue_entry *queue_entry;
struct tevent_timer *te;
- struct be_ctx *be_ctx;
if (krb5_ctx->wait_queue_hash == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "No wait queue available.\n");
@@ -181,8 +210,7 @@ void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username)
DLIST_REMOVE(head, queue_entry);
- be_ctx = be_req_get_be_ctx(queue_entry->be_req);
- te = tevent_add_timer(be_ctx->ev, krb5_ctx,
+ te = tevent_add_timer(queue_entry->be_ctx->ev, krb5_ctx,
tevent_timeval_current(), wait_queue_auth,
queue_entry);
if (te == NULL) {
@@ -211,3 +239,137 @@ void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username)
return;
}
+struct krb5_auth_queue_state {
+ struct krb5_ctx *krb5_ctx;
+ struct pam_data *pd;
+
+ int pam_status;
+ int dp_err;
+};
+
+static void krb5_auth_queue_done(struct tevent_req *subreq);
+
+struct tevent_req *krb5_auth_queue_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct pam_data *pd,
+ struct krb5_ctx *krb5_ctx)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct krb5_auth_queue_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct krb5_auth_queue_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
+ return NULL;
+ }
+ state->krb5_ctx = krb5_ctx;
+ state->pd = pd;
+
+ ret = add_to_wait_queue(be_ctx, req, pd, krb5_ctx);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Request [%p] successfully added to wait queue "
+ "of user [%s].\n", req, pd->user);
+ ret = EOK;
+ goto immediate;
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Wait queue of user [%s] is empty, "
+ "running request [%p] immediately.\n", pd->user, req);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to add request to wait queue of user [%s], "
+ "running request [%p] immediately.\n", pd->user, req);
+ }
+
+ subreq = krb5_auth_send(req, ev, be_ctx, pd, krb5_ctx);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n");
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ tevent_req_set_callback(subreq, krb5_auth_queue_done, req);
+
+ ret = EOK;
+
+immediate:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static void krb5_auth_queue_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = \
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct krb5_auth_queue_state *state = \
+ tevent_req_data(req, struct krb5_auth_queue_state);
+ errno_t ret;
+
+ ret = krb5_auth_recv(subreq, &state->pam_status, &state->dp_err);
+ talloc_zfree(subreq);
+
+ check_wait_queue(state->krb5_ctx, state->pd->user);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv failed with: %d\n", ret);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "krb5_auth_queue request [%p] done.\n", req);
+ tevent_req_done(req);
+}
+
+/* This is a violation of the tevent_req style. Ideally, the wait queue would
+ * be rewritten to the tevent_req style in the future, expose per-request recv
+ * and not hide the request underneath. But this function allows us to expose
+ * a tevent_req API for users of this module
+ */
+static void krb5_auth_queue_finish(struct tevent_req *req,
+ errno_t ret,
+ int pam_status,
+ int dp_err)
+{
+ struct krb5_auth_queue_state *state = \
+ tevent_req_data(req, struct krb5_auth_queue_state);
+
+ check_wait_queue(state->krb5_ctx, state->pd->user);
+
+ state->pam_status = pam_status;
+ state->dp_err = dp_err;
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS, "krb5_auth_queue request [%p] done.\n", req);
+ tevent_req_done(req);
+ }
+}
+
+int krb5_auth_queue_recv(struct tevent_req *req,
+ int *_pam_status,
+ int *_dp_err)
+{
+ struct krb5_auth_queue_state *state = \
+ tevent_req_data(req, struct krb5_auth_queue_state);
+
+ /* Returning values even on failure is not typical, but IPA password migration
+ * relies on receiving PAM_CRED_ERR even if the request fails..
+ */
+ if (_pam_status) {
+ *_pam_status = state->pam_status;
+ }
+
+ if (_dp_err) {
+ *_dp_err = state->pam_status;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
generated by cgit (git 2.34.1) at 2024-05-08 05:45:01 +0000