diff options
author | Volker Lendecke <vl@samba.org> | 2015-12-18 16:41:41 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2016-04-15 15:32:11 +0200 |
commit | d5e77a81daef2e6563936c328f784cd27e3aa7b1 (patch) | |
tree | 41996453efb6213a8a8dbcf4fdc01f57b7b71052 /source3 | |
parent | 830fd785a24baab90601d13f2556559f99a416d2 (diff) | |
download | samba-d5e77a81daef2e6563936c328f784cd27e3aa7b1.tar.gz |
tldap: Add tldap_gensec_bind
This enables sasl sign/sealed connections via tldap
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/lib/tldap_gensec_bind.c | 375 | ||||
-rw-r--r-- | source3/lib/tldap_gensec_bind.h | 40 | ||||
-rwxr-xr-x | source3/wscript_build | 1 |
3 files changed, 416 insertions, 0 deletions
diff --git a/source3/lib/tldap_gensec_bind.c b/source3/lib/tldap_gensec_bind.c new file mode 100644 index 00000000000..07f79562bee --- /dev/null +++ b/source3/lib/tldap_gensec_bind.c @@ -0,0 +1,375 @@ +/* + * Unix SMB/CIFS implementation. + * Gensec based tldap auth + * Copyright (C) Volker Lendecke 2015 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "tldap_gensec_bind.h" +#include "tldap_util.h" +#include "lib/util/tevent_unix.h" +#include "lib/util/talloc_stack.h" +#include "lib/util/samba_util.h" +#include "lib/util/debug.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" /* TODO: remove this */ +#include "lib/param/param.h" +#include "source4/auth/gensec/gensec_tstream.h" + +struct tldap_gensec_bind_state { + struct tevent_context *ev; + struct tldap_context *ctx; + struct cli_credentials *creds; + const char *target_service; + const char *target_hostname; + const char *target_principal; + struct loadparm_context *lp_ctx; + uint32_t gensec_features; + + bool first; + struct gensec_security *gensec; + NTSTATUS gensec_status; + DATA_BLOB gensec_output; +}; + +static void tldap_gensec_bind_got_mechs(struct tevent_req *subreq); +static void tldap_gensec_update_done(struct tevent_req *subreq); +static void tldap_gensec_bind_done(struct tevent_req *subreq); + +struct tevent_req *tldap_gensec_bind_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct tldap_context *ctx, struct cli_credentials *creds, + const char *target_service, const char *target_hostname, + const char *target_principal, struct loadparm_context *lp_ctx, + uint32_t gensec_features) +{ + struct tevent_req *req, *subreq; + struct tldap_gensec_bind_state *state; + + const char *attrs[] = { "supportedSASLMechanisms" }; + + req = tevent_req_create(mem_ctx, &state, + struct tldap_gensec_bind_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->ctx = ctx; + state->creds = creds; + state->target_service = target_service; + state->target_hostname = target_hostname; + state->target_principal = target_principal; + state->lp_ctx = lp_ctx; + state->gensec_features = gensec_features; + state->first = true; + + subreq = tldap_search_all_send( + state, state->ev, state->ctx, "", TLDAP_SCOPE_BASE, + "(objectclass=*)", attrs, ARRAY_SIZE(attrs), + false, NULL, 0, NULL, 0, 0, 1 /* sizelimit */, 0); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, tldap_gensec_bind_got_mechs, req); + return req; +} + +static void tldap_gensec_bind_got_mechs(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct tldap_gensec_bind_state *state = tevent_req_data( + req, struct tldap_gensec_bind_state); + struct tldap_message **msgs, *msg, *result; + struct tldap_attribute *attribs, *attrib; + int num_attribs; + size_t num_msgs; + TLDAPRC rc; + int i; + bool ok; + const char **sasl_mechs; + NTSTATUS status; + + rc = tldap_search_all_recv(subreq, state, &msgs, &result); + TALLOC_FREE(subreq); + if (tevent_req_ldap_error(req, rc)) { + return; + } + + /* + * TODO: Inspect "Result" + */ + + num_msgs = talloc_array_length(msgs); + if (num_msgs != 1) { + DBG_DEBUG("num_msgs = %zu\n", num_msgs); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + msg = msgs[0]; + + ok = tldap_entry_attributes(msg, &attribs, &num_attribs); + if (!ok) { + DBG_DEBUG("tldap_entry_attributes failed\n"); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + + if (num_attribs != 1) { + DBG_DEBUG("num_attribs = %d\n", num_attribs); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + attrib = &attribs[0]; + + sasl_mechs = talloc_array(state, const char *, attrib->num_values+1); + if (tevent_req_nomem(sasl_mechs, req)) { + return; + } + + for (i=0; i<attrib->num_values; i++) { + DATA_BLOB *v = &attrib->values[i]; + size_t len; + + ok = convert_string_talloc(sasl_mechs, CH_UTF8, CH_UNIX, + v->data, v->length, + &sasl_mechs[i], &len); + if (!ok) { + DBG_DEBUG("convert_string_talloc failed\n"); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + } + sasl_mechs[attrib->num_values] = NULL; + + gensec_init(); + + status = gensec_client_start( + state, &state->gensec, + lpcfg_gensec_settings(state, state->lp_ctx)); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("gensec_client_start failed: %s\n", + nt_errstr(status)); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + + status = gensec_set_credentials(state->gensec, state->creds); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("gensec_set_credentials failed: %s\n", + nt_errstr(status)); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + + status = gensec_set_target_service(state->gensec, + state->target_service); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("gensec_set_target_service failed: %s\n", + nt_errstr(status)); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + + if (state->target_hostname != NULL) { + status = gensec_set_target_hostname(state->gensec, + state->target_hostname); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("gensec_set_target_hostname failed: %s\n", + nt_errstr(status)); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + } + + if (state->target_principal != NULL) { + status = gensec_set_target_principal(state->gensec, + state->target_principal); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("gensec_set_target_principal failed: %s\n", + nt_errstr(status)); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + } + + gensec_want_feature(state->gensec, state->gensec_features); + + status = gensec_start_mech_by_sasl_list(state->gensec, sasl_mechs); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("gensec_start_mech_by_sasl_list failed: %s\n", + nt_errstr(status)); + tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR); + return; + } + + subreq = gensec_update_send(state, state->ev, state->gensec, + data_blob_null); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, tldap_gensec_update_done, req); +} + +static void tldap_gensec_update_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct tldap_gensec_bind_state *state = tevent_req_data( + req, struct tldap_gensec_bind_state); + + state->gensec_status = gensec_update_recv( + subreq, state, &state->gensec_output); + + TALLOC_FREE(subreq); + + if (!NT_STATUS_IS_OK(state->gensec_status) && + !NT_STATUS_EQUAL(state->gensec_status, + NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DBG_DEBUG("gensec_update failed: %s\n", + nt_errstr(state->gensec_status)); + tevent_req_ldap_error(req, TLDAP_INVALID_CREDENTIALS); + return; + } + + if (NT_STATUS_IS_OK(state->gensec_status) && + (state->gensec_output.length == 0)) { + + if (state->first) { + tevent_req_ldap_error(req, TLDAP_INVALID_CREDENTIALS); + } else { + tevent_req_done(req); + } + return; + } + + state->first = false; + + subreq = tldap_sasl_bind_send( + state, state->ev, state->ctx, "", + state->gensec->ops->sasl_name, &state->gensec_output, + NULL, 0, NULL, 0); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, tldap_gensec_bind_done, req); +} + +static void tldap_gensec_bind_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct tldap_gensec_bind_state *state = tevent_req_data( + req, struct tldap_gensec_bind_state); + DATA_BLOB input; + TLDAPRC rc; + + rc = tldap_sasl_bind_recv(subreq, state, &input); + TALLOC_FREE(subreq); + if (!TLDAP_RC_IS_SUCCESS(rc) && + !TLDAP_RC_EQUAL(rc, TLDAP_SASL_BIND_IN_PROGRESS)) { + tevent_req_ldap_error(req, rc); + return; + } + + if (TLDAP_RC_IS_SUCCESS(rc) && NT_STATUS_IS_OK(state->gensec_status)) { + tevent_req_done(req); + return; + } + + subreq = gensec_update_send(state, state->ev, state->gensec, input); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, tldap_gensec_update_done, req); +} + +TLDAPRC tldap_gensec_bind_recv(struct tevent_req *req) +{ + struct tldap_gensec_bind_state *state = tevent_req_data( + req, struct tldap_gensec_bind_state); + struct tstream_context *plain, *sec; + NTSTATUS status; + TLDAPRC rc; + + if (tevent_req_is_ldap_error(req, &rc)) { + return rc; + } + + if ((state->gensec_features & GENSEC_FEATURE_SIGN) && + !gensec_have_feature(state->gensec, GENSEC_FEATURE_SIGN)) { + return TLDAP_OPERATIONS_ERROR; + } + if ((state->gensec_features & GENSEC_FEATURE_SEAL) && + !gensec_have_feature(state->gensec, GENSEC_FEATURE_SEAL)) { + return TLDAP_OPERATIONS_ERROR; + } + + if (!gensec_have_feature(state->gensec, GENSEC_FEATURE_SIGN) && + !gensec_have_feature(state->gensec, GENSEC_FEATURE_SEAL)) { + return TLDAP_SUCCESS; + } + + /* + * The gensec ctx needs to survive as long as the ldap context + * lives + */ + talloc_steal(state->ctx, state->gensec); + + plain = tldap_get_tstream(state->ctx); + + status = gensec_create_tstream(state->ctx, state->gensec, + plain, &sec); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("gensec_create_tstream failed: %s\n", + nt_errstr(status)); + return TLDAP_OPERATIONS_ERROR; + } + + tldap_set_tstream(state->ctx, sec); + + return TLDAP_SUCCESS; +} + +TLDAPRC tldap_gensec_bind( + struct tldap_context *ctx, struct cli_credentials *creds, + const char *target_service, const char *target_hostname, + const char *target_principal, struct loadparm_context *lp_ctx, + uint32_t gensec_features) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct tevent_context *ev; + struct tevent_req *req; + TLDAPRC rc = TLDAP_NO_MEMORY; + + ev = samba_tevent_context_init(frame); + if (ev == NULL) { + goto fail; + } + req = tldap_gensec_bind_send(frame, ev, ctx, creds, target_service, + target_hostname, target_principal, lp_ctx, + gensec_features); + if (req == NULL) { + goto fail; + } + if (!tevent_req_poll(req, ev)) { + rc = TLDAP_OPERATIONS_ERROR; + goto fail; + } + rc = tldap_gensec_bind_recv(req); + fail: + TALLOC_FREE(frame); + return rc; +} diff --git a/source3/lib/tldap_gensec_bind.h b/source3/lib/tldap_gensec_bind.h new file mode 100644 index 00000000000..deddc23f9e7 --- /dev/null +++ b/source3/lib/tldap_gensec_bind.h @@ -0,0 +1,40 @@ +/* + * Unix SMB/CIFS implementation. + * Gensec based tldap bind + * Copyright (C) Volker Lendecke 2015 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef __TLDAP_GENSEC_BIND_H__ +#define __TLDAP_GENSEC_BIND_H__ + +#include "replace.h" +#include "tldap.h" +#include "auth/credentials/credentials.h" + +struct tevent_req *tldap_gensec_bind_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct tldap_context *ctx, struct cli_credentials *creds, + const char *target_service, const char *target_hostname, + const char *target_principal, struct loadparm_context *lp_ctx, + uint32_t gensec_features); +TLDAPRC tldap_gensec_bind_recv(struct tevent_req *req); +TLDAPRC tldap_gensec_bind( + struct tldap_context *ctx, struct cli_credentials *creds, + const char *target_service, const char *target_hostname, + const char *target_principal, struct loadparm_context *lp_ctx, + uint32_t gensec_features); + +#endif diff --git a/source3/wscript_build b/source3/wscript_build index 436b1125518..ed2424d08e1 100755 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -96,6 +96,7 @@ bld.SAMBA3_SUBSYSTEM('GROUPDB', bld.SAMBA3_SUBSYSTEM('TLDAP', source='''lib/tldap.c lib/tldap_util.c + lib/tldap_gensec_bind.c ''', deps='asn1util LIBTSOCKET samba3util') |