r4459: GENSEC refinements:

In developing a GSSAPI plugin for GENSEC, it became clear that the API needed to change: - GSSAPI exposes only a wrap() and unwrap() interface, and determines the location of the signature itself. - The 'have feature' API did not correctly function in the recursive SPNEGO environment. As such, NTLMSSP has been updated to support these methods. The LDAP client and server have been updated to use the new wrap() and unwrap() methods, and now pass the LDAP-* tests in our smbtorture. (Unfortunely I still get valgrind warnings, in the code that was previously unreachable). Andrew Bartlett (This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
author: Andrew Bartlett <abartlet@samba.org> 2004-12-31 22:45:11 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:07:53 -0500
commit: 9a6671cf9529fd7817c5ef266da3d3bea46a88c0 (patch)
tree: e6e943be7351713665c90f962078ac0676c2d036 /source4/ldap_server
parent: be1bbf317b03b15c21ea0f41accfb285699e153f (diff)
download: samba-9a6671cf9529fd7817c5ef266da3d3bea46a88c0.tar.gz
samba-9a6671cf9529fd7817c5ef266da3d3bea46a88c0.tar.bz2
samba-9a6671cf9529fd7817c5ef266da3d3bea46a88c0.zip
2 files changed, 55 insertions, 79 deletions
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 80d1f51748..f4be5b5242 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -20,7 +20,7 @@
 
 #include "includes.h"
 #include "ldap_server/ldap_server.h"
-
+#include "auth/auth.h"
 
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 {
@@ -50,11 +50,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 	struct ldap_BindRequest *req = &call->request.r.BindRequest;
 	struct ldapsrv_reply *reply;
 	struct ldap_BindResponse *resp;
+	struct ldapsrv_connection *conn;
 	int result;
 	const char *errstr;
 	NTSTATUS status = NT_STATUS_OK;
 	NTSTATUS sasl_status;
-	/*BOOL ret;*/
+	BOOL ret;
 
 	DEBUG(10, ("BindSASL dn: %s\n",req->dn));
 
@@ -69,7 +70,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 		
 		gensec_set_target_service(call->conn->gensec, "ldap");
 
-		/*gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL);*/
+		gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN);
+		gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL);
 
 		status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -85,6 +87,8 @@ reply:
 		return NT_STATUS_NO_MEMORY;
 	}
 	resp = &reply->msg.r.BindResponse;
+	
+	conn = call->conn;
 
 	if (NT_STATUS_IS_OK(status)) {
 		status = gensec_update(call->conn->gensec, reply,
@@ -118,17 +122,14 @@ reply:
 		return status;
 	}
 
-/*	ret = ldapsrv_append_to_buf(&call->conn->sasl_out_buffer, call->conn->out_buffer.data, call->conn->out_buffer.length);
+	ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length);
 	if (!ret) {
 		return NT_STATUS_NO_MEMORY;
 	}
-	ldapsrv_consumed_from_buf(&call->conn->out_buffer, call->conn->out_buffer.length);
-
-	status = gensec_session_info(call->conn->gensec, &call->conn->session_info);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
+	ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length);
+	if (NT_STATUS_IS_OK(status)) {
+		status = gensec_session_info(conn->gensec, &conn->session_info);
 	}
-*/
 
 	return status;
 }
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index ea1b8cb9b4..0bace4b690 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -131,7 +131,7 @@ static void ldapsrv_init(struct server_service *service,
 void ldapsrv_consumed_from_buf(struct rw_buffer *buf,
 				   size_t length)
 {
-	memcpy(buf->data, buf->data+length, buf->length-length);
+	memmove(buf->data, buf->data+length, buf->length-length);
 	buf->length -= length;
 }
 
@@ -186,7 +186,8 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
 {
 	NTSTATUS status;
 	DATA_BLOB tmp_blob;
-	DATA_BLOB creds;
+	DATA_BLOB wrapped;
+	DATA_BLOB unwrapped;
 	BOOL ret;
 	uint8_t *buf;
 	size_t buf_length, sasl_length;
@@ -194,9 +195,14 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
 	TALLOC_CTX *mem_ctx;
 	size_t nread;
 
-	if (!conn->gensec || !conn->session_info ||
-	   !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
-	     gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
+	if (!conn->gensec) {
+		return read_into_buf(sock, &conn->in_buffer);
+	}
+	if (!conn->session_info) {
+		return read_into_buf(sock, &conn->in_buffer);
+	}
+	if (!(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
+	      gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
 		return read_into_buf(sock, &conn->in_buffer);
 	}
 
@@ -236,47 +242,25 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
 
 	sasl_length = RIVAL(buf, 0);
 
-	if (buf_length < (4 + sasl_length)) {
+	if ((buf_length - 4) < sasl_length) {
 		/* not enough yet */
 		talloc_free(mem_ctx);
 		return True;
 	}
 
-	creds.data = buf + 4;
-	creds.length = gensec_sig_size(conn->gensec);
+	wrapped.data = buf + 4;
+	wrapped.length = sasl_length;
 
-	if (creds.length > sasl_length) {
-		/* invalid packet? */
+	status = gensec_unwrap(conn->gensec, mem_ctx,
+			       &wrapped, 
+			       &unwrapped);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0,("gensec_unwrap: %s\n",nt_errstr(status)));
 		talloc_free(mem_ctx);
 		return False;
 	}
 
-	tmp_blob.data = buf + (4 + creds.length);
-	tmp_blob.length = (4 + sasl_length) - (4 + creds.length);
-
-	if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
-		status = gensec_unseal_packet(conn->gensec, mem_ctx,
-					      tmp_blob.data, tmp_blob.length,
-					      tmp_blob.data, tmp_blob.length,
-					      &creds);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(0,("gensec_unseal_packet: %s\n",nt_errstr(status)));
-			talloc_free(mem_ctx);
-			return False;
-		}
-	} else {
-		status = gensec_check_packet(conn->gensec, mem_ctx,
-					      tmp_blob.data, tmp_blob.length,
-					      tmp_blob.data, tmp_blob.length,
-					      &creds);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(0,("gensec_check_packet: %s\n",nt_errstr(status)));
-			talloc_free(mem_ctx);
-			return False;
-		}
-	}
-
-	ret = ldapsrv_append_to_buf(&conn->in_buffer, tmp_blob.data, tmp_blob.length);
+	ret = ldapsrv_append_to_buf(&conn->in_buffer, unwrapped.data, unwrapped.length);
 	if (!ret) {
 		talloc_free(mem_ctx);
 		return False;
@@ -311,17 +295,23 @@ static BOOL write_from_buf(struct socket_context *sock, struct rw_buffer *buf)
 static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
 {
 	NTSTATUS status;
+	DATA_BLOB wrapped;
 	DATA_BLOB tmp_blob;
-	DATA_BLOB creds;
 	DATA_BLOB sasl;
 	size_t sendlen;
 	BOOL ret;
 	struct socket_context *sock = conn->connection->socket;
 	TALLOC_CTX *mem_ctx;
 
-	if (!conn->gensec || !conn->session_info ||
-	   !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
-	     gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
+
+	if (!conn->gensec) {
+		return write_from_buf(sock, &conn->out_buffer);
+	}
+	if (!conn->session_info) {
+		return write_from_buf(sock, &conn->out_buffer);
+	}
+	if (!(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
+	      gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
 		return write_from_buf(sock, &conn->out_buffer);
 	}
 
@@ -331,52 +321,37 @@ static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
 		return False;
 	}
 
-	tmp_blob.data = conn->out_buffer.data;
-	tmp_blob.length = conn->out_buffer.length;
-
-	if (tmp_blob.length == 0) {
+	if (conn->out_buffer.length == 0) {
 		goto nodata;
 	}
 
-	if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
-		status = gensec_seal_packet(conn->gensec, mem_ctx,
-					    tmp_blob.data, tmp_blob.length,
-					    tmp_blob.data, tmp_blob.length,
-					    &creds);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(0,("gensec_seal_packet: %s\n",nt_errstr(status)));
-			talloc_free(mem_ctx);
-			return False;
-		}
-	} else {
-		status = gensec_sign_packet(conn->gensec, mem_ctx,
-					    tmp_blob.data, tmp_blob.length,
-					    tmp_blob.data, tmp_blob.length,
-					    &creds);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(0,("gensec_sign_packet: %s\n",nt_errstr(status)));
-			talloc_free(mem_ctx);
-			return False;
-		}		
+	tmp_blob.data = conn->out_buffer.data;
+	tmp_blob.length = conn->out_buffer.length;
+	status = gensec_wrap(conn->gensec, mem_ctx,
+			     &tmp_blob,
+			     &wrapped);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0,("gensec_wrap: %s\n",nt_errstr(status)));
+		talloc_free(mem_ctx);
+		return False;
 	}
 
-	sasl = data_blob_talloc(mem_ctx, NULL, 4 + creds.length + tmp_blob.length);
+	sasl = data_blob_talloc(mem_ctx, NULL, 4 + wrapped.length);
 	if (!sasl.data) {
 		DEBUG(0,("no memory\n"));
 		talloc_free(mem_ctx);
 		return False;
 	}
 
-	RSIVAL(sasl.data, 0, creds.length + tmp_blob.length);
-	memcpy(sasl.data + 4, creds.data, creds.length);
-	memcpy(sasl.data + 4 + creds.length, tmp_blob.data, tmp_blob.length);
+	RSIVAL(sasl.data, 0, wrapped.length);
+	memcpy(sasl.data + 4, wrapped.data, wrapped.length);
 
 	ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, sasl.data, sasl.length);
 	if (!ret) {
 		talloc_free(mem_ctx);
 		return False;
 	}
-	ldapsrv_consumed_from_buf(&conn->out_buffer, tmp_blob.length);
+	ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length);
 nodata:
 	tmp_blob.data = conn->sasl_out_buffer.data;
 	tmp_blob.length = conn->sasl_out_buffer.length;
author	Andrew Bartlett <abartlet@samba.org>	2004-12-31 22:45:11 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:07:53 -0500
commit	9a6671cf9529fd7817c5ef266da3d3bea46a88c0 (patch)
tree	e6e943be7351713665c90f962078ac0676c2d036 /source4/ldap_server
parent	be1bbf317b03b15c21ea0f41accfb285699e153f (diff)
download	samba-9a6671cf9529fd7817c5ef266da3d3bea46a88c0.tar.gz samba-9a6671cf9529fd7817c5ef266da3d3bea46a88c0.tar.bz2 samba-9a6671cf9529fd7817c5ef266da3d3bea46a88c0.zip