Make per thread winbind context optional

By default proceed to acquire a new context for each operation that
needs it. High performance programs that have full control of their
thread usage and can afford one socket per thread can set the
GSSNTLMSSP_WB_TLS_CTX environment variable.

Signed-off-by: Simo Sorce <[email protected]>

Author: simo5

conf_macros.m4

@@ -85,3 +85,20 @@ AC_DEFUN([WITH_WBCLIENT],
 
           AM_CONDITIONAL([BUILD_WBCLIENT], [test x"$with_wbclient" = xyes])
          ])
+
+AC_DEFUN([WITH_WINBIND_TLS_CONTEXT],
+         [
+          AC_ARG_WITH([winbind-tls-context],
+                      [AC_HELP_STRING([--with-winbind-tls-context],
+                                      [Whether to default to thread local storage for winbind contexts [no]])
+                      ],
+                      [with_winbind_tls_context=$withval],
+                      with_winbind_tls_context=no)
+
+         if test x"$with_winbind_tls_context" = xyes; then
+             AC_DEFINE(DEFAULT_WB_TLS_CTX, 1,
+                       [whether to default to thread local storage for winbind contexts S])
+         fi
+         AM_CONDITIONAL([DEFAULT_WB_TLS_CTX], [test x"$with_winbind_tls_context" = xyes])
+        ])
+

configure.ac

@@ -53,6 +53,7 @@ WITH_TEST_DIR
 WITH_MANPAGES
 WITH_XML_CATALOG
 WITH_WBCLIENT
+WITH_WINBIND_TLS_CONTEXT
 
 m4_include([external/pkg.m4])
 m4_include([external/docbook.m4])

src/external.c

@@ -8,23 +8,54 @@
 #include "gss_ntlmssp_winbind.h"
 #endif
 
-uint32_t external_netbios_get_names(char **computer, char **domain)
+void *external_get_context(void)
 {
 #if HAVE_WBCLIENT
-    return winbind_get_names(computer, domain);
+    return winbind_get_context();
+#else
+    return NULL;
+#endif
+}
+
+void external_free_context(void *ctx)
+{
+#if HAVE_WBCLIENT
+    winbind_free_context(ctx);
+#else
+    return;
+#endif
+}
+
+uint32_t external_netbios_get_names(void *ctx, char **computer, char **domain)
+{
+#if HAVE_WBCLIENT
+    return winbind_get_names(ctx, computer, domain);
 #else
     return ERR_NOTAVAIL;
 #endif
 }
 
-uint32_t external_get_creds(struct gssntlm_name *name,
+uint32_t external_get_creds(void *ctx,
+                            struct gssntlm_name *name,
                             struct gssntlm_cred *cred)
 {
+    void *ectx = NULL;
+    uint32_t ret;
+
+    if (ctx == NULL) {
+        ectx = external_get_context();
+    } else {
+        ectx = ctx;
+    }
 #if HAVE_WBCLIENT
-    return winbind_get_creds(name, cred);
+    ret = winbind_get_creds(ectx, name, cred);
 #else
-    return ERR_NOTAVAIL;
+    ret = ERR_NOTAVAIL;
 #endif
+    if (ctx == NULL) {
+        external_free_context(ectx);
+    }
+    return ret;
 }
 
 uint32_t external_cli_auth(struct gssntlm_ctx *ctx,
@@ -33,7 +64,8 @@ uint32_t external_cli_auth(struct gssntlm_ctx *ctx,
                            gss_channel_bindings_t input_chan_bindings)
 {
 #if HAVE_WBCLIENT
-    return winbind_cli_auth(cred->cred.external.user.data.user.name,
+    return winbind_cli_auth(ctx->external_context,
+                            cred->cred.external.user.data.user.name,
                             cred->cred.external.user.data.user.domain,
                             input_chan_bindings,
                             in_flags, &ctx->neg_flags,
@@ -70,7 +102,8 @@ uint32_t external_srv_auth(struct gssntlm_ctx *ctx,
         chal_ptr = ctx->server_chal;
     }
 
-    return winbind_srv_auth(cred->cred.external.user.data.user.name,
+    return winbind_srv_auth(ctx->external_context,
+                            cred->cred.external.user.data.user.name,
                             cred->cred.external.user.data.user.domain,
                             ctx->workstation, chal_ptr,
                             nt_chal_resp, lm_chal_resp, session_base_key,

src/gss_creds.c

@@ -401,6 +401,7 @@ void gssntlm_int_release_cred(struct gssntlm_cred *cred)
 }
 
 uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status,
+                                   void *external_context,
                                    gss_name_t desired_name,
                                    uint32_t time_req,
                                    gss_OID_set desired_mechs,
@@ -464,7 +465,7 @@ uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status,
             }
             if (retmin) {
                 uint32_t ret;
-                ret = external_get_creds(name, cred);
+                ret = external_get_creds(external_context, name, cred);
                 if (ret != ERR_NOTAVAIL) {
                     retmin = ret;
                 }
@@ -520,7 +521,7 @@ uint32_t gssntlm_acquire_cred(uint32_t *minor_status,
                               gss_OID_set *actual_mechs,
                               uint32_t *time_rec)
 {
-    return gssntlm_acquire_cred_from(minor_status,
+    return gssntlm_acquire_cred_from(minor_status, NULL,
                                      desired_name,
                                      time_req,
                                      desired_mechs,
@@ -563,7 +564,7 @@ uint32_t gssntlm_acquire_cred_with_password(uint32_t *minor_status,
     cred_store.count = 1;
     cred_store.elements = &element;
 
-    return gssntlm_acquire_cred_from(minor_status,
+    return gssntlm_acquire_cred_from(minor_status, NULL,
                                      desired_name,
                                      time_req,
                                      desired_mechs,
@@ -586,7 +587,7 @@ uint32_t gssntlm_inquire_cred(uint32_t *minor_status,
     uint32_t maj, min;
 
     if (cred_handle == GSS_C_NO_CREDENTIAL) {
-        maj = gssntlm_acquire_cred_from(&min,
+        maj = gssntlm_acquire_cred_from(&min, NULL,
                                         NULL, GSS_C_INDEFINITE,
                                         NULL, GSS_C_INITIATE,
                                         GSS_C_NO_CRED_STORE,

src/gss_names.c

@@ -713,7 +713,7 @@ uint32_t gssntlm_localname(uint32_t *minor_status,
     return GSSERR();
 }
 
-uint32_t netbios_get_names(char *computer_name,
+uint32_t netbios_get_names(void *ctx, char *computer_name,
                            char **netbios_host, char **netbios_domain)
 {
     char *nb_computer_name = NULL;
@@ -741,7 +741,7 @@ uint32_t netbios_get_names(char *computer_name,
 
     if (!nb_computer_name || !nb_domain_name) {
         /* fetch only mising ones */
-        ret = external_netbios_get_names(
+        ret = external_netbios_get_names(ctx,
                     nb_computer_name ? NULL : &nb_computer_name,
                     nb_domain_name ? NULL : &nb_domain_name);
         if ((ret != 0) &&

src/gss_ntlmssp.h

@@ -136,6 +136,8 @@ struct gssntlm_ctx {
 
     uint32_t int_flags;
     time_t expiration_time;
+
+    void *external_context;
 };
 
 #define set_GSSERRS(min, maj) \
@@ -189,8 +191,11 @@ void gssntlm_release_attrs(struct gssntlm_name_attribute **attrs);
 int gssntlm_copy_name(struct gssntlm_name *src, struct gssntlm_name *dst);
 int gssntlm_copy_creds(struct gssntlm_cred *in, struct gssntlm_cred *out);
 
-uint32_t external_netbios_get_names(char **computer, char **domain);
-uint32_t external_get_creds(struct gssntlm_name *name,
+void *external_get_context(void);
+void external_free_context(void *ctx);
+uint32_t external_netbios_get_names(void *ctx, char **computer, char **domain);
+uint32_t external_get_creds(void *ctx,
+                            struct gssntlm_name *name,
                             struct gssntlm_cred *cred);
 uint32_t external_cli_auth(struct gssntlm_ctx *ctx,
                            struct gssntlm_cred *cred,
@@ -202,7 +207,7 @@ uint32_t external_srv_auth(struct gssntlm_ctx *ctx,
                            struct ntlm_buffer *lm_chal_resp,
                            struct ntlm_key *session_base_key);
 
-uint32_t netbios_get_names(char *computer_name,
+uint32_t netbios_get_names(void *ctx, char *computer_name,
                            char **netbios_host, char **netbios_domain);
 
 bool is_ntlm_v1(struct ntlm_buffer *nt_chal_resp);
@@ -232,6 +237,7 @@ uint32_t gssntlm_acquire_cred(uint32_t *minor_status,
                               uint32_t *time_rec);
 
 uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status,
+                                   void *external_context,
                                    gss_name_t desired_name,
                                    uint32_t time_req,
                                    gss_OID_set desired_mechs,

src/gss_ntlmssp_winbind.h

@@ -1,19 +1,24 @@
 /* Copyright (C) 2014 GSS-NTLMSSP contributors, see COPYING for License */
 
-uint32_t winbind_get_names(char **computer, char **domain);
+void *winbind_get_context(void);
+void winbind_free_context(void *ectx);
 
-uint32_t winbind_get_creds(struct gssntlm_name *name,
+uint32_t winbind_get_names(void *ectx, char **computer, char **domain);
+
+uint32_t winbind_get_creds(void *ectx,
+                           struct gssntlm_name *name,
                            struct gssntlm_cred *cred);
 
-uint32_t winbind_cli_auth(char *user, char *domain,
+uint32_t winbind_cli_auth(void *ectx, char *user, char *domain,
                           gss_channel_bindings_t input_chan_bindings,
                           uint32_t in_flags,
                           uint32_t *neg_flags,
                           struct ntlm_buffer *nego_msg,
                           struct ntlm_buffer *chal_msg,
                           struct ntlm_buffer *auth_msg,
                           struct ntlm_key *exported_session_key);
-uint32_t winbind_srv_auth(char *user, char *domain,
+
+uint32_t winbind_srv_auth(void *ectx, char *user, char *domain,
                           char *workstation, uint8_t *challenge,
                           struct ntlm_buffer *nt_chal_resp,
                           struct ntlm_buffer *lm_chal_resp,

src/gss_sec_ctx.c

@@ -97,6 +97,8 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
             goto done;
         }
 
+        ctx->external_context = external_get_context();
+
         retmin = gssntlm_copy_name(&cred->cred.user.user,
                                    &ctx->source_name);
         if (retmin) {
@@ -169,7 +171,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
             goto done;
         }
 
-        retmin = netbios_get_names(computer_name,
+        retmin = netbios_get_names(ctx->external_context, computer_name,
                                    &nb_computer_name, &nb_domain_name);
         if (retmin) {
             set_GSSERR(retmin);
@@ -476,6 +478,8 @@ uint32_t gssntlm_delete_sec_context(uint32_t *minor_status,
 
     ntlm_release_rc4_state(&ctx->crypto_state);
 
+    external_free_context(ctx->external_context);
+
     safezero((uint8_t *)ctx, sizeof(struct gssntlm_ctx));
     safefree(*context_handle);
 
@@ -593,6 +597,8 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
             goto done;
         }
 
+        ctx->external_context = external_get_context();
+
         /* acquire our own name */
         if (!server_name) {
             gss_buffer_desc tmpbuf;
@@ -618,7 +624,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
             goto done;
         }
 
-        retmin = netbios_get_names(computer_name,
+        retmin = netbios_get_names(ctx->external_context, computer_name,
                                    &nb_computer_name, &nb_domain_name);
         if (retmin) {
             set_GSSERR(retmin);
@@ -894,7 +900,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
                 cred_store = &cs;
             }
 
-            retmaj = gssntlm_acquire_cred_from(&retmin,
+            retmaj = gssntlm_acquire_cred_from(&retmin, ctx->external_context,
                                                (gss_name_t)gss_usrname,
                                                 GSS_C_INDEFINITE,
                                                 GSS_C_NO_OID_SET,

src/gss_spi.c

@@ -53,7 +53,7 @@ OM_uint32 gss_acquire_cred_from(OM_uint32 *minor_status,
                                 gss_OID_set *actual_mechs,
                                 OM_uint32 *time_rec)
 {
-    return gssntlm_acquire_cred_from(minor_status,
+    return gssntlm_acquire_cred_from(minor_status, NULL,
                                      desired_name,
                                      time_req,
                                      desired_mechs,