Collaboration diagram for TLS User server:
Files | |
| file | gcrypt.c |
| Contains functions used to ease authentication tasks. | |
| file | sasl.c |
| Manages client authentication. | |
| file | tls_sasl.c |
| Handles the phase after authentication until the client is active. | |
Data Structures | |
| struct | pre_client_elt |
Defines | |
| #define | MAX_WAIT_ITER 5 |
Functions | |
| void * | sasl_gthread_mutex_init (void) |
| int | sasl_gthread_mutex_lock (void *lock) |
| int | sasl_gthread_mutex_unlock (void *lock) |
| void | sasl_gthread_mutex_free (void *lock) |
| static int | external_get_opt (void *context, const char *plugin_name, const char *option, const char **result, unsigned *len) |
| static int | internal_get_opt (void *context, const char *plugin_name, const char *option, const char **result, unsigned *len) |
| static int | userdb_checkpass (sasl_conn_t *conn, void *context, const char *user, const char *pass, unsigned passlen, struct propctx *propctx) |
| void | my_sasl_init () |
| static int | samp_send (nussl_session *nussl, const char *buffer, unsigned length) |
| static unsigned | samp_recv (nussl_session *nussl, char *buf, int bufsize) |
| nu_error_t | get_proto_info (user_session_t *c_session) |
| static int | mysasl_negotiate (user_session_t *c_session, sasl_conn_t *conn) |
| int | sasl_parse_user_os (user_session_t *c_session, char *buf, int buf_size) |
| static int | mysasl_negotiate_v3 (user_session_t *c_session, sasl_conn_t *conn) |
| int | sasl_user_check (user_session_t *c_session) |
| static void | policy_refuse_user (user_session_t *c_session, int c, policy_refused_reason_t reason) |
| static void | tls_sasl_connect_ok (user_session_t *c_session, int c) |
| void | tls_sasl_connect (gpointer userdata, gpointer data) |
| Completes a user connection from SSL through authentication. | |
| gboolean | remove_socket_from_pre_client_list (int socket) |
| void * | pre_client_check (GMutex *mutex) |
| nu_error_t | treat_user_request (user_session_t *c_session, struct tls_buffer_read **c_datas) |
| int | tls_user_accept (struct tls_user_context_t *context) |
| void | tls_user_check_activity (struct tls_user_context_t *context, int socket) |
| void | tls_user_update_mx (struct tls_user_context_t *this) |
| void | tls_user_remove_client (int sock) |
| void | tls_user_main_loop (struct tls_user_context_t *context, GMutex *mutex) |
| void | tls_user_servers_init () |
| int | tls_user_setcert_auth_params (int requestcert, int authcert) |
| int | tls_user_init (struct tls_user_context_t *context) |
| void * | push_worker (GMutex *mutex) |
| void * | tls_user_authsrv (struct nuauth_thread_t *thread) |
| void | tls_user_start_servers (GSList *servers) |
Variables | |
| gchar * | mech_string_internal |
| gchar * | mech_string_external |
| nuauth_tls_t | nuauth_tls |
| Handles the phase after authentication until the client is active. Defined in tls_sasl.c. | |
| nuauth_tls_t | nuauth_tls |
| Handles the phase after authentication until the client is active. Defined in tls_sasl.c. | |
| GSList * | pre_client_list |
| GStaticMutex | pre_client_list_mutex |
| #define MAX_WAIT_ITER 5 |
Fetches the protocol version (or guesses it).
| a | user_session_t |
| static int external_get_opt | ( | void * | context, | |
| const char * | plugin_name, | |||
| const char * | option, | |||
| const char ** | result, | |||
| unsigned * | len | |||
| ) | [static] |
Definition at line 89 of file sasl.c.
References mech_string_external.
Referenced by sasl_user_check().
| nu_error_t get_proto_info | ( | user_session_t * | c_session | ) |
Definition at line 250 of file sasl.c.
References user_session_t::client_version, DEBUG_AREA_AUTH, DEBUG_AREA_MAIN, debug_log_message, log_message, NU_EXIT_ERROR, NU_EXIT_OK, nuauthconf, user_session_t::nussl, nussl_get_error(), nussl_read(), PROTO_STRING, PROTO_VERSION_V20, PROTO_VERSION_V22, PROTO_VERSION_V22_1, nuauth_params::proto_wait_delay, and user_session_t::socket.
Referenced by sasl_user_check().
| static int internal_get_opt | ( | void * | context, | |
| const char * | plugin_name, | |||
| const char * | option, | |||
| const char ** | result, | |||
| unsigned * | len | |||
| ) | [static] |
Definition at line 100 of file sasl.c.
References mech_string_internal.
Referenced by sasl_user_check().
| void my_sasl_init | ( | ) |
Called from tls_user_init().
Definition at line 171 of file sasl.c.
References DEBUG_AREA_AUTH, log_message, mech_string_external, mech_string_internal, sasl_gthread_mutex_free(), sasl_gthread_mutex_init(), sasl_gthread_mutex_lock(), and sasl_gthread_mutex_unlock().
Referenced by tls_user_servers_init().
| static int mysasl_negotiate | ( | user_session_t * | c_session, | |
| sasl_conn_t * | conn | |||
| ) | [static] |
Performs the SASL negotiation.
| c_session | A user_session_t | |
| conn | A sasl_conn_t |
Definition at line 347 of file sasl.c.
References user_session_t::client_version, DEBUG_AREA_AUTH, debug_log_message, FALSE, user_session_t::groups, log_message, modules_get_user_groups(), modules_get_user_id(), user_session_t::nussl, nussl_write(), PROTO_VERSION_V22_1, samp_recv(), samp_send(), session, TRUE, user_session_t::user_id, and user_session_t::user_name.
| static int mysasl_negotiate_v3 | ( | user_session_t * | c_session, | |
| sasl_conn_t * | conn | |||
| ) | [static] |
Performs the SASL negotiation for protocol v3.
Returns -1 if it fails.
Definition at line 648 of file sasl.c.
References DEBUG, DEBUG_AREA_AUTH, DEBUG_AREA_USER, debug_log_message, FALSE, user_session_t::groups, log_message, modules_get_user_groups(), modules_get_user_id(), user_session_t::nussl, nussl_get_error(), nussl_read(), nussl_write(), session, TRUE, user_session_t::user_id, and user_session_t::user_name.
Referenced by sasl_user_check().
| static void policy_refuse_user | ( | user_session_t * | c_session, | |
| int | c, | |||
| policy_refused_reason_t | reason | |||
| ) | [static] |
Definition at line 43 of file tls_sasl.c.
References clean_session(), DEBUG_AREA_USER, log_message, PER_IP_TOO_MANY_LOGINS, PER_USER_TOO_MANY_LOGINS, and user_session_t::user_name.
Referenced by tls_sasl_connect_ok().
| void* pre_client_check | ( | GMutex * | mutex | ) |
Checks the pre-client list and disconnects connections that have been open for too long.
Definition at line 94 of file tls_user.c.
References DEBUG_AREA_USER, log_message, pre_client_list, and pre_client_list_mutex.
Referenced by tls_user_servers_init().
| void* push_worker | ( | GMutex * | mutex | ) |
Thread that processes addresses on the TLS push queue (the tls_push_queue member of nuauthdatas) that need authentication.
The lock is only needed when modifications are made, because while this thread is working (push mode) it is the only one that can modify the hash.
Use a switch:
Definition at line 773 of file tls_user.c.
References add_client(), msg_addr_set::addr, tls_insert_data::data, internal_message::datas, FALSE, msg_addr_set::found, INSERT_MESSAGE, ipv6_equal(), nu_srv_message::length, msg_addr_set::msg, nuauthconf, nuauthdatas, nu_srv_message::option, POP_DELAY, tls_insert_data::socket, SRV_REQUIRED_PACKET, thread_pool_push(), nuauth_datas::tls_push_queue, internal_message::type, nu_srv_message::type, warn_clients(), and WARN_MESSAGE.
Referenced by init_nuauthdata().
| gboolean remove_socket_from_pre_client_list | ( | int | socket | ) |
Drops a client from the pre_client_list.
Definition at line 64 of file tls_user.c.
References pre_client_list, pre_client_list_mutex, and TRUE.
Referenced by tls_sasl_connect().
| static unsigned samp_recv | ( | nussl_session * | nussl, | |
| char * | buf, | |||
| int | bufsize | |||
| ) | [static] |
Definition at line 217 of file sasl.c.
References DEBUG_AREA_AUTH, log_message, nussl_get_error(), and nussl_read().
| static int samp_send | ( | nussl_session * | nussl, | |
| const char * | buffer, | |||
| unsigned | length | |||
| ) | [static] |
Definition at line 191 of file sasl.c.
References DEBUG_AREA_AUTH, log_message, nussl_get_error(), and nussl_write().
| void sasl_gthread_mutex_free | ( | void * | lock | ) |
| void* sasl_gthread_mutex_init | ( | void | ) |
| int sasl_gthread_mutex_lock | ( | void * | lock | ) |
| int sasl_gthread_mutex_unlock | ( | void * | lock | ) |
| int sasl_parse_user_os | ( | user_session_t * | c_session, | |
| char * | buf, | |||
| int | buf_size | |||
| ) |
Definition at line 507 of file sasl.c.
References user_session_t::addr, DEBUG, DEBUG_AREA_AUTH, DEBUG_AREA_USER, DEBUG_LEVEL_DEBUG, DEBUG_OR_NOT, format_ipv6(), nu_authfield::length, log_message, nu_authfield::option, OS_FIELD, OS_SRV, user_session_t::release, string_escape(), user_session_t::sysname, nu_authfield::type, UNKNOWN_STRING, user_session_t::user_name, and user_session_t::version.
Referenced by sasl_user_check().
| int sasl_user_check | ( | user_session_t * | c_session | ) |
Performs the user negotiation from after the TLS handshake to the end.
Definition at line 870 of file sasl.c.
References user_session_t::addr, AUTH_ERROR_CREDENTIALS, AUTH_ERROR_INTERRUPTED, user_session_t::auth_quality, user_session_t::auth_type, AUTH_TYPE_EXTERNAL, AUTH_TYPE_INTERNAL, AUTHQ_SASL, AUTHQ_SSL, user_session_t::client_version, DEBUG, DEBUG_AREA_AUTH, DEBUG_AREA_USER, debug_log_message, err, external_get_opt(), FALSE, format_ipv6(), get_proto_info(), internal_get_opt(), nuauth_params::krb5_hostname, nuauth_params::krb5_realm, nuauth_params::krb5_service, log_message, modules_auth_error_log(), mysasl_negotiate(), mysasl_negotiate_v3(), NU_EXIT_OK, nuauth_params::nuauth_uses_fake_sasl, nuauthconf, user_session_t::nussl, nussl_read(), PROTO_VERSION_V20, PROTO_VERSION_V22, PROTO_VERSION_V22_1, sasl_parse_user_os(), secure_snprintf(), user_session_t::sport, TRUE, user_session_t::user_name, and userdb_checkpass().
Referenced by tls_sasl_connect().
| void tls_sasl_connect | ( | gpointer | userdata, | |
| gpointer | data | |||
| ) |
Completes a user connection from SSL through authentication.
| userdata | A client_connection: | |
| data | Unused |
Definition at line 140 of file tls_sasl.c.
References client_connection::addr, user_session_t::addr, nuauth_tls_t::auth_by_cert, clean_session(), DEBUG, DEBUG_AREA_AUTH, DEBUG_AREA_USER, debug_log_message, format_ipv6(), get_client_sockets_by_ip(), getsockname_ipv6(), user_session_t::groups, log_message, modules_certificate_to_uid(), modules_get_user_groups(), modules_get_user_id(), modules_user_session_modify(), NO_AUTH_BY_CERT, nuauth_tls, nuauthconf, client_connection::nussl, user_session_t::nussl, NUSSL_CERT_REQUIRE, remove_socket_from_pre_client_list(), sasl_user_check(), user_session_t::server_addr, nuauth_params::single_ip_client_limit, user_session_t::socket, client_connection::socket, client_connection::sport, user_session_t::sport, user_session_t::tls_lock, tls_sasl_connect_ok(), user_session_t::user_id, and user_session_t::user_name.
Referenced by tls_user_servers_init().
| static void tls_sasl_connect_ok | ( | user_session_t * | c_session, | |
| int | c | |||
| ) | [static] |
Definition at line 67 of file tls_sasl.c.
References user_session_t::activated, add_client(), clean_session(), user_session_t::connect_timestamp, tls_insert_data::data, internal_message::datas, DEBUG_AREA_USER, debug_log_message, FALSE, get_rid_of_domain(), INSERT_MESSAGE, nu_srv_message::length, log_message, log_user_session(), nuauth_params::log_users_without_realm, mx_queue, nuauthconf, nuauthdatas, user_session_t::nussl, nussl_write(), nu_srv_message::option, PER_USER_TOO_MANY_LOGINS, policy_refuse_user(), nuauth_params::push, SESSION_OPEN, nuauth_params::single_user_client_limit, tls_insert_data::socket, SRV_TYPE, SRV_TYPE_POLL, SRV_TYPE_PUSH, test_username_count_vs_max(), nuauth_datas::tls_push_queue, internal_message::type, nu_srv_message::type, and user_session_t::user_name.
Referenced by tls_sasl_connect().
| int tls_user_accept | ( | struct tls_user_context_t * | context | ) |
Function called on a new client connection:
Definition at line 283 of file tls_user.c.
References client_connection::addr, DEBUG, DEBUG_AREA_MAIN, DEBUG_AREA_USER, format_ipv6(), get_number_of_clients(), ipv4_to_ipv6(), log_message, nuauth_datas::need_reload, tls_user_context_t::nuauth_auth_nego_timeout, tls_user_context_t::nuauth_tls_max_clients, nuauthdatas, tls_user_context_t::nussl, client_connection::nussl, nussl_get_error(), NUSSL_OK, nussl_session_accept(), nussl_session_destroy(), nussl_session_get_fd(), nussl_session_getpeer(), nussl_session_handshake(), pre_client_list, pre_client_list_mutex, client_connection::socket, pre_client_elt::socket, client_connection::sport, thread_pool_push(), nuauth_datas::tls_sasl_worker, and pre_client_elt::validity.
Referenced by tls_user_main_loop().
| void* tls_user_authsrv | ( | struct nuauth_thread_t * | thread | ) |
TLS user packet server. Thread function serving user connections.
Definition at line 858 of file tls_user.c.
References nufw_threadtype::mutex, nuauth_ask_exit(), thread, tls_user_init(), and tls_user_main_loop().
Referenced by tls_user_start_servers().
| void tls_user_check_activity | ( | struct tls_user_context_t * | context, | |
| int | socket | |||
| ) |
Processes client events:
Definition at line 394 of file tls_user.c.
References DEBUG_AREA_MAIN, DEBUG_AREA_USER, debug_log_message, delete_client_by_socket(), user_session_t::expire, get_client_datas_by_socket(), nuauthconf, nuauthdatas, nuauth_params::session_duration, thread_pool_push(), and nuauth_datas::user_checkers.
Referenced by tls_user_main_loop().
| int tls_user_init | ( | struct tls_user_context_t * | context | ) |
Creates the TLS user context.
Definition at line 674 of file tls_user.c.
References tls_user_context_t::addr, nuauth_tls_t::ca, nuauth_tls_t::cert, cleanup_func_push(), tls_user_context_t::cmd_queue, nuauth_tls_t::crl_file, DEBUG_AREA_MAIN, DEBUG_AREA_USER, DH_BITS, FALSE, nuauth_tls_t::key, log_message, tls_user_context_t::mx, mx_queue, tls_user_context_t::nuauth_auth_nego_timeout, nuauth_bind(), nuauth_tls, NUAUTH_TLS_MAX_CLIENTS, tls_user_context_t::nuauth_tls_max_clients, nubase_config_table_get_or_default_int(), tls_user_context_t::nussl, nussl_get_error(), NUSSL_OK, nussl_session_create_with_fd(), nussl_session_set_dh_bits(), nussl_ssl_set_keypair(), nussl_ssl_trust_cert_file(), tls_user_context_t::port, refresh_crl_file(), nuauth_tls_t::request_cert, tls_user_context_t::sck_inet, tls_user_context_t::tls_rx_set, and tls_user_setcert_auth_params().
Referenced by tls_user_authsrv().
| void tls_user_main_loop | ( | struct tls_user_context_t * | context, | |
| GMutex * | mutex | |||
| ) |
Waits for a new client connection or a client event using mx_queue and select().
It calls tls_user_accept() on a new client connection, and tls_user_check_activity() on a user event.
Definition at line 457 of file tls_user.c.
References activate_client_by_socket(), tls_user_context_t::cmd_queue, DEBUG_AREA_MAIN, DEBUG_AREA_USER, debug_log_message, delete_client_by_socket(), kill_all_clients(), log_message, tls_user_context_t::mx, mx_queue, nuauth_ask_exit(), tls_user_context_t::sck_inet, tls_user_context_t::tls_rx_set, tls_user_accept(), tls_user_check_activity(), tls_user_update_mx(), and user_pipefd.
Referenced by tls_user_authsrv().
| void tls_user_remove_client | ( | int | sock | ) |
Removes a client from the rx set.
This function must be called with the mutex locked.
Definition at line 437 of file tls_user.c.
References nuauthdatas, nuauth_datas::tls_auth_servers, and tls_user_update_mx().
Referenced by delete_client_by_socket_ext().
| void tls_user_servers_init | ( | ) |
Definition at line 602 of file tls_user.c.
References FALSE, init_client_struct(), my_sasl_init(), nuauth_params::nb_auth_checkers, nuauthconf, nuauthdatas, pre_client_check(), pre_client_list, nuauth_datas::pre_client_thread, thread_new(), tls_sasl_connect(), and nuauth_datas::tls_sasl_worker.
Referenced by tls_user_start_servers().
| int tls_user_setcert_auth_params | ( | int | requestcert, | |
| int | authcert | |||
| ) |
Sets the request_cert and auth_by_cert parameters depending on the configuration.
Definition at line 625 of file tls_user.c.
References nuauth_tls_t::auth_by_cert, DEBUG_AREA_AUTH, DEBUG_AREA_USER, FALSE, log_message, MANDATORY_AUTH_BY_CERT, nuauth_tls, nubase_config_table_get_or_default_int(), NUSSL_CERT_REQUIRE, NUSSL_VALID_REQ_TYPE, and nuauth_tls_t::request_cert.
Referenced by tls_user_init().
| void tls_user_start_servers | ( | GSList * | servers | ) |
Definition at line 873 of file tls_user.c.
References nuauth_params::client_srv, DEBUG_AREA_GW, DEBUG_AREA_MAIN, DEBUG_AREA_USER, log_message, nuauth_ask_exit(), nuauthconf, nuauthdatas, parse_addr_port(), thread_new_wdata(), nuauth_datas::tls_auth_servers, tls_user_authsrv(), tls_user_servers_init(), and nuauth_params::userpckt_port.
Referenced by init_nuauthdata().
| void tls_user_update_mx | ( | struct tls_user_context_t * | this | ) |
Fixes the this->mx value if needed (after changing this->tls_rx_set).
This function must be called with the mutex locked.
Definition at line 420 of file tls_user.c.
References DEBUG_AREA_USER, debug_log_message, tls_user_context_t::mx, and tls_user_context_t::tls_rx_set.
Referenced by tls_user_main_loop(), and tls_user_remove_client().
| nu_error_t treat_user_request | ( | user_session_t * | c_session, | |
| struct tls_buffer_read ** | c_datas | |||
| ) |
Gets an RX packet from a TLS client connection and sends it to the user authentication threads.
| c_session | SSL RX packet | |
| c_datas | pointer that will point to the parsed data |
Definition at line 149 of file tls_user.c.
References user_session_t::addr, user_session_t::auth_quality, tls_buffer_read::auth_quality, tls_buffer_read::buffer, tls_buffer_read::buffer_len, CLASSIC_NUFW_PACKET_SIZE, user_session_t::client_version, tls_buffer_read::client_version, DEBUG, DEBUG_AREA_USER, debug_log_message, free_buffer_read(), user_session_t::groups, tls_buffer_read::groups, tls_buffer_read::ip_addr, nu_header::length, log_message, MAX_NUFW_PACKET_SIZE, nu_header::msg_type, NU_EXIT_CONTINUE, NU_EXIT_ERROR, NU_EXIT_OK, user_session_t::nussl, nussl_get_error(), nussl_read(), nu_header::option, tls_buffer_read::os_release, tls_buffer_read::os_sysname, tls_buffer_read::os_version, nu_header::proto, PROTO_VERSION, user_session_t::release, tls_buffer_read::socket, user_session_t::sysname, user_session_t::tls_lock, USER_HELLO, user_session_t::user_id, tls_buffer_read::user_id, tls_buffer_read::user_name, user_session_t::user_name, and user_session_t::version.
Referenced by user_check_and_decide().
| static int userdb_checkpass | ( | sasl_conn_t * | conn, | |
| void * | context, | |||
| const char * | user, | |||
| const char * | pass, | |||
| unsigned | passlen, | |||
| struct propctx * | propctx | |||
| ) | [static] |
Definition at line 111 of file sasl.c.
References DEBUG_AREA_AUTH, log_message, modules_user_check(), nuauthconf, and nuauth_params::uses_utf8.
Referenced by sasl_user_check().
| gchar* mech_string_external |
| gchar* mech_string_internal |
| struct nuauth_tls_t nuauth_tls |
Handles the phase after authentication until the client is active. Defined in tls_sasl.c.
It also handles the pre-client list so that a user can be disconnected if authentication takes too long.
Definition at line 41 of file tls_sasl.c.
| struct nuauth_tls_t nuauth_tls |
Handles the phase after authentication until the client is active. Defined in tls_sasl.c.
It also handles the pre-client list so that a user can be disconnected if authentication takes too long.
Definition at line 41 of file tls_sasl.c.
| GSList* pre_client_list |
List of new clients which are in the authentication state. This list is fed by tls_user_accept(), and read by pre_client_check() and remove_socket_from_pre_client_list().
Lock pre_client_list_mutex when accessing this list.
Definition at line 49 of file tls_user.c.
Referenced by pre_client_check(), remove_socket_from_pre_client_list(), tls_user_accept(), and tls_user_servers_init().
| GStaticMutex pre_client_list_mutex |
Mutex used to access pre_client_list.
Definition at line 54 of file tls_user.c.
Referenced by pre_client_check(), remove_socket_from_pre_client_list(), and tls_user_accept().