author | Andrew Bartlett <abartlet@samba.org> | 2004-12-31 22:45:11 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:07:53 -0500 |
commit | 9a6671cf9529fd7817c5ef266da3d3bea46a88c0 (patch) | |
tree | e6e943be7351713665c90f962078ac0676c2d036 /source4/ldap_server | |
parent | be1bbf317b03b15c21ea0f41accfb285699e153f (diff) | |
r4459: GENSEC refinements:
In developing a GSSAPI plugin for GENSEC, it became clear that the API
needed to change:
- GSSAPI exposes only a wrap() and unwrap() interface, and determines
the location of the signature itself.
- The 'have feature' API did not correctly function in the recursive
SPNEGO environment.
As such, NTLMSSP has been updated to support these methods.
The LDAP client and server have been updated to use the new wrap() and
unwrap() methods, and now pass the LDAP-* tests in our smbtorture.
(Unfortunately I still get valgrind warnings, in the code that was
previously unreachable).
Andrew Bartlett
(This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
Diffstat (limited to 'source4/ldap_server')
-rw-r--r-- | source4/ldap_server/ldap_bind.c | 21 | ||||
-rw-r--r-- | source4/ldap_server/ldap_server.c | 113 |
2 files changed, 55 insertions, 79 deletions
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 80d1f51748..f4be5b5242 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -20,7 +20,7 @@
#include "includes.h"
#include "ldap_server/ldap_server.h"
-
+#include "auth/auth.h"
static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
{
@@ -50,11 +50,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
struct ldap_BindRequest *req = &call->request.r.BindRequest;
struct ldapsrv_reply *reply;
struct ldap_BindResponse *resp;
+ struct ldapsrv_connection *conn;
int result;
const char *errstr;
NTSTATUS status = NT_STATUS_OK;
NTSTATUS sasl_status;
- /*BOOL ret;*/
+ BOOL ret;
DEBUG(10, ("BindSASL dn: %s\n",req->dn));
@@ -69,7 +70,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
gensec_set_target_service(call->conn->gensec, "ldap");
- /*gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL);*/
+ gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN);
+ gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL);
status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism);
if (!NT_STATUS_IS_OK(status)) {
@@ -85,6 +87,8 @@ reply:
return NT_STATUS_NO_MEMORY;
}
resp = &reply->msg.r.BindResponse;
+
+ conn = call->conn;
if (NT_STATUS_IS_OK(status)) {
status = gensec_update(call->conn->gensec, reply,
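Review bot: The two new `gensec_want_feature()` calls in the `@@ -69` hunk ask for integrity and confidentiality on every SASL bind without saying whether that is a requirement or a preference, while the code that actually decides to wrap traffic (`ldapsrv_read_buf`/`ldapsrv_write_buf` in ldap_server.c) keys off `gensec_have_feature()` instead. A comment tying the two together would save the next reader a trip through GENSEC, e.g. `/* ask for SIGN and SEAL; what the mechanism really negotiated is re-checked via gensec_have_feature() before wrapping in ldap_server.c */`. If a mechanism can come up with neither feature after these calls, the read/write paths fall back to plaintext without a log line, which may be worth making visible; I cannot confirm GENSEC's semantics from this hunk. `ldapsrv_BindSASL` continues outside the hunk.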
@@ -118,17 +122,14 @@ reply:
return status;
}
-/* ret = ldapsrv_append_to_buf(&call->conn->sasl_out_buffer, call->conn->out_buffer.data, call->conn->out_buffer.length);
+ ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length);
if (!ret) {
return NT_STATUS_NO_MEMORY;
}
- ldapsrv_consumed_from_buf(&call->conn->out_buffer, call->conn->out_buffer.length);
-
- status = gensec_session_info(call->conn->gensec, &call->conn->session_info);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length);
+ if (NT_STATUS_IS_OK(status)) {
+ status = gensec_session_info(conn->gensec, &conn->session_info);
}
-*/
return status;
}
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index ea1b8cb9b4..0bace4b690 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -131,7 +131,7 @@ static void ldapsrv_init(struct server_service *service,
void ldapsrv_consumed_from_buf(struct rw_buffer *buf, size_t length)
{
- memcpy(buf->data, buf->data+length, buf->length-length);
+ memmove(buf->data, buf->data+length, buf->length-length);
buf->length -= length;
}
@@ -186,7 +186,8 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
{
NTSTATUS status;
DATA_BLOB tmp_blob;
- DATA_BLOB creds;
+ DATA_BLOB wrapped;
+ DATA_BLOB unwrapped;
BOOL ret;
uint8_t *buf;
size_t buf_length, sasl_length;
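Review bot: The new tail of `ldapsrv_BindSASL` copies the bind response from `out_buffer` straight into `sasl_out_buffer` and only afterwards, on success, sets `conn->session_info`; that ordering is what keeps the final BindResponse unwrapped, because `ldapsrv_write_buf` in ldap_server.c starts wrapping `out_buffer` once `session_info` is non-NULL, but nothing in the code says so. Suggest a comment above the append: `/* the final BindResponse must go out unwrapped: move it to sasl_out_buffer before session_info is set, which is what switches ldapsrv_write_buf to gensec_wrap() */`. The `if (NT_STATUS_IS_OK(status))` guard also means a not-yet-complete exchange leaves `session_info` unset, which looks intended but deserves the same comment. The function begins outside this hunk.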
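Review bot: `ldapsrv_consumed_from_buf` still computes `buf->length-length` with no check that `length <= buf->length`; both are `size_t`, so a caller passing a larger value wraps the count and the `memmove` reads far past the buffer. The callers visible in this diff pass `buf->length` itself, so this is a robustness point rather than something the commit introduces, but a one-line guard such as `if (length > buf->length) length = buf->length;` before the `memmove` makes the exported helper safe for any caller. The `memcpy`→`memmove` switch is correct since source and destination overlap.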
@@ -194,9 +195,14 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
TALLOC_CTX *mem_ctx;
size_t nread;
- if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
+ if (!conn->gensec) {
+ return read_into_buf(sock, &conn->in_buffer);
+ }
+ if (!conn->session_info) {
+ return read_into_buf(sock, &conn->in_buffer);
+ }
+ if (!(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
+ gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
return read_into_buf(sock, &conn->in_buffer);
}
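Review bot: The three consecutive guards in `ldapsrv_read_buf` all return `read_into_buf(sock, &conn->in_buffer)`, and the same shape is repeated for `ldapsrv_write_buf` in the `@@ -311` hunk; if the split was for step-debugging, a comment saying so would stop the next reader re-merging it, otherwise one condition reads better: `if (!conn->gensec || !conn->session_info || !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) || gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {`. Whichever form is kept, the decision that either SIGN or SEAL alone now enters the wrapping path (previously both were required) is the security-relevant branch of both functions and should carry a comment such as `/* wrap/unwrap whenever the mechanism negotiated integrity or confidentiality; a bind that got neither stays plaintext */`. `ldapsrv_read_buf` begins and ends outside this hunk.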
@@ -236,47 +242,25 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
sasl_length = RIVAL(buf, 0);
- if (buf_length < (4 + sasl_length)) {
+ if ((buf_length - 4) < sasl_length) {
/* not enough yet */
talloc_free(mem_ctx);
return True;
}
- creds.data = buf + 4;
- creds.length = gensec_sig_size(conn->gensec);
+ wrapped.data = buf + 4;
+ wrapped.length = sasl_length;
- if (creds.length > sasl_length) {
- /* invalid packet? */
+ status = gensec_unwrap(conn->gensec, mem_ctx,
+ &wrapped,
+ &unwrapped);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("gensec_unwrap: %s\n",nt_errstr(status)));
talloc_free(mem_ctx);
return False;
}
- tmp_blob.data = buf + (4 + creds.length);
- tmp_blob.length = (4 + sasl_length) - (4 + creds.length);
-
- if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
- status = gensec_unseal_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_unseal_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
- } else {
- status = gensec_check_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_check_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
- }
-
- ret = ldapsrv_append_to_buf(&conn->in_buffer, tmp_blob.data, tmp_blob.length);
+ ret = ldapsrv_append_to_buf(&conn->in_buffer, unwrapped.data, unwrapped.length);
if (!ret) {
talloc_free(mem_ctx);
return False;
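Review bot: `sasl_length` comes straight from the peer via `RIVAL(buf, 0)` and the new check `(buf_length - 4) < sasl_length` only decides whether to keep waiting, so unless an earlier, unseen part of `ldapsrv_read_buf` caps it, a client can announce a length near 4 GiB and have the server buffer that much before `gensec_unwrap` ever runs. A fixed ceiling tested before the wait, e.g. `if (sasl_length > MAX_SASL_BUF /* placeholder: project's SASL buffer limit */) { talloc_free(mem_ctx); return False; }`, keeps pre-authentication memory bounded. The rewritten comparison also relies on `buf_length >= 4`, which the `RIVAL` read just above implies but does not state; a short comment would make that invariant explicit. `ldapsrv_read_buf` begins and ends outside the hunk.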
@@ -311,17 +295,23 @@ static BOOL write_from_buf(struct socket_context *sock, struct rw_buffer *buf)
static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
{
NTSTATUS status;
+ DATA_BLOB wrapped;
DATA_BLOB tmp_blob;
- DATA_BLOB creds;
DATA_BLOB sasl;
size_t sendlen;
BOOL ret;
struct socket_context *sock = conn->connection->socket;
TALLOC_CTX *mem_ctx;
- if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
+
+ if (!conn->gensec) {
+ return write_from_buf(sock, &conn->out_buffer);
+ }
+ if (!conn->session_info) {
+ return write_from_buf(sock, &conn->out_buffer);
+ }
+ if (!(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
+ gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
return write_from_buf(sock, &conn->out_buffer);
}
@@ -331,52 +321,37 @@ static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
return False;
}
- tmp_blob.data = conn->out_buffer.data;
- tmp_blob.length = conn->out_buffer.length;
-
- if (tmp_blob.length == 0) {
+ if (conn->out_buffer.length == 0) {
goto nodata;
}
- if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
- status = gensec_seal_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_seal_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
- } else {
- status = gensec_sign_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_sign_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
+ tmp_blob.data = conn->out_buffer.data;
+ tmp_blob.length = conn->out_buffer.length;
+ status = gensec_wrap(conn->gensec, mem_ctx,
+ &tmp_blob,
+ &wrapped);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("gensec_wrap: %s\n",nt_errstr(status)));
+ talloc_free(mem_ctx);
+ return False;
}
- sasl = data_blob_talloc(mem_ctx, NULL, 4 + creds.length + tmp_blob.length);
+ sasl = data_blob_talloc(mem_ctx, NULL, 4 + wrapped.length);
if (!sasl.data) {
DEBUG(0,("no memory\n"));
talloc_free(mem_ctx);
return False;
}
- RSIVAL(sasl.data, 0, creds.length + tmp_blob.length);
- memcpy(sasl.data + 4, creds.data, creds.length);
- memcpy(sasl.data + 4 + creds.length, tmp_blob.data, tmp_blob.length);
+ RSIVAL(sasl.data, 0, wrapped.length);
+ memcpy(sasl.data + 4, wrapped.data, wrapped.length);
ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, sasl.data, sasl.length);
if (!ret) {
talloc_free(mem_ctx);
return False;
}
- ldapsrv_consumed_from_buf(&conn->out_buffer, tmp_blob.length);
+ ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length);
nodata:
tmp_blob.data = conn->sasl_out_buffer.data;
tmp_blob.length
= conn->sasl_out_buffer.length; |