r17197: This patch moves the encryption of bulk data on SASL negotiated security

contexts from the application layer into the socket layer.

This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets.  It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default.  It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.

This patch mirrors the earlier work done to move TLS into the socket
layer.

Unusual in this pstch is the extra read callback argument I take.  As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data.  This would leave the system without an event
to restart the read (as the socket is dry).

As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop.  I believe that
the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:

+-----------------+---------------------+
| SASL  Packet #1 | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP.  Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.

Without data on the socket, read events stop.  That is why I add timed
events, until the SASL buffer is drained.

Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code.  The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length.  (1 + n/2).  This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.

Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)

4 files changed, 26 insertions, 95 deletions

diff --git a/source4/libcli/ldap/config.mk b/source4/libcli/ldap/config.mk
index 88ebc3256f..e5a7133cfa 100644
--- a/source4/libcli/ldap/config.mk
+++ b/source4/libcli/ldap/config.mk
@@ -11,7 +11,7 @@ OBJ_FILES = ldap.o \
 		ldap_ildap.o \
 		ldap_controls.o
 PUBLIC_DEPENDENCIES = LIBSAMBA-ERRORS LIBEVENTS LIBPACKET
-PRIVATE_DEPENDENCIES = LIBCLI_COMPOSITE samba-socket LIBCLI_RESOLVE NDR_SAMR LIBTLS ASN1_UTIL
+PRIVATE_DEPENDENCIES = LIBCLI_COMPOSITE samba-socket LIBCLI_RESOLVE NDR_SAMR LIBTLS ASN1_UTIL GENSEC_SOCKET
 #PRIVATE_DEPENDENCIES = gensec
 # End SUBSYSTEM LIBCLI_LDAP
 #################################
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index 6714d68b0e..2b209c3871 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -27,6 +27,8 @@
 #include "libcli/ldap/ldap_client.h"
 #include "lib/tls/tls.h"
 #include "auth/auth.h"
+#include "auth/gensec/socket.h"
+#include "lib/stream/packet.h"
 
 struct ldap_simple_creds {
 	const char *dn;
@@ -365,15 +367,23 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
 		}
 	}
 
-	if (NT_STATUS_IS_OK(status) &&
-	    (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) ||
-	     gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) {
-		conn->enable_wrap = True;
-	}
-
 	talloc_free(tmp_ctx);
 
 	if (NT_STATUS_IS_OK(status)) {
+		struct socket_context *socket = gensec_socket_init(conn->gensec, 
+								   conn->sock,
+								   conn->event.event_ctx, 
+								   ldap_read_io_handler,
+								   conn);
+		if (socket) {
+			conn->sock = socket;
+			talloc_steal(conn->sock, socket);
+			packet_set_socket(conn->packet, socket);
+		} else {
+			status = NT_STATUS_NO_MEMORY;
+			goto failed;
+		}
+		
 		conn->bind.type = LDAP_BIND_SASL;
 		conn->bind.creds = creds;
 	}
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index 07b7f2b412..2e834b5244 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -165,25 +165,13 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message
 
 
 /*
-  check if a blob is a complete ldap packet
-  handle wrapper or unwrapped connections
+  decode/process LDAP data
 */
-NTSTATUS ldap_complete_packet(void *private_data, DATA_BLOB blob, size_t *size)
-{
-	struct ldap_connection *conn = talloc_get_type(private_data,
-						       struct ldap_connection);
-	if (conn->enable_wrap) {
-		return packet_full_request_u32(private_data, blob, size);
-	}
-	return ldap_full_packet(private_data, blob, size);
-}
-
-/*
-  decode/process plain data
-*/
-static NTSTATUS ldap_decode_plain(struct ldap_connection *conn, DATA_BLOB blob)
+static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob)
 {
 	struct asn1_data asn1;
+	struct ldap_connection *conn = talloc_get_type(private_data, 
+						       struct ldap_connection);
 	struct ldap_message *msg = talloc(conn, struct ldap_message);
 
 	if (msg == NULL) {
@@ -205,60 +193,14 @@ static NTSTATUS ldap_decode_plain(struct ldap_connection *conn, DATA_BLOB blob)
 	return NT_STATUS_OK;
 }
 
-/*
-  decode/process wrapped data
-*/
-static NTSTATUS ldap_decode_wrapped(struct ldap_connection *conn, DATA_BLOB blob)
-{
-	DATA_BLOB wrapped, unwrapped;
-	struct asn1_data asn1;
-	struct ldap_message *msg = talloc(conn, struct ldap_message);
-	NTSTATUS status;
-
-	if (msg == NULL) {
-		return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
-	}
-
-	wrapped = data_blob_const(blob.data+4, blob.length-4);
-
-	status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
-	if (!NT_STATUS_IS_OK(status)) {
-		return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
-	}
-
-	data_blob_free(&blob);
-
-	if (!asn1_load(&asn1, unwrapped)) {
-		return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
-	}
-
-	while (ldap_decode(&asn1, msg)) {
-		ldap_match_message(conn, msg);
-		msg = talloc(conn, struct ldap_message);
-	}
-		
-	talloc_free(msg);
-	asn1_free(&asn1);
-
-	return NT_STATUS_OK;
-}
-
-
-/*
-  handle ldap recv events
-*/
-static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob)
+/* Handle read events, from the GENSEC socket callback, or real events */
+void ldap_read_io_handler(void *private_data, uint16_t flags) 
 {
 	struct ldap_connection *conn = talloc_get_type(private_data, 
 						       struct ldap_connection);
-	if (conn->enable_wrap) {
-		return ldap_decode_wrapped(conn, blob);
-	}
-
-	return ldap_decode_plain(conn, blob);
+	packet_recv(conn->packet);
 }
 
-
 /*
   handle ldap socket events
 */
@@ -272,7 +214,7 @@ static void ldap_io_handler(struct event_context *ev, struct fd_event *fde,
 		if (!tls_enabled(conn->sock)) return;
 	}
 	if (flags & EVENT_FD_READ) {
-		packet_recv(conn->packet);
+		ldap_read_io_handler(private_data, flags);
 	}
 }
 
@@ -417,7 +359,7 @@ static void ldap_connect_recv_conn(struct composite_context *ctx)
 	packet_set_private(conn->packet, conn);
 	packet_set_socket(conn->packet, conn->sock);
 	packet_set_callback(conn->packet, ldap_recv_handler);
-	packet_set_full_request(conn->packet, ldap_complete_packet);
+	packet_set_full_request(conn->packet, ldap_full_packet);
 	packet_set_error_handler(conn->packet, ldap_error_handler);
 	packet_set_event_context(conn->packet, conn->event.event_ctx);
 	packet_set_fde(conn->packet, conn->event.fde);
@@ -561,24 +503,6 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn,
 		goto failed;		
 	}
 
-	/* possibly encrypt/sign the request */
-	if (conn->enable_wrap) {
-		DATA_BLOB wrapped;
-
-		status = gensec_wrap(conn->gensec, req, &req->data, &wrapped);
-		if (!NT_STATUS_IS_OK(status)) {
-			goto failed;
-		}
-		data_blob_free(&req->data);
-		req->data = data_blob_talloc(req, NULL, wrapped.length + 4);
-		if (req->data.data == NULL) {
-			goto failed;
-		}
-		RSIVAL(req->data.data, 0, wrapped.length);
-		memcpy(req->data.data+4, wrapped.data, wrapped.length);
-		data_blob_free(&wrapped);
-	}
-
 	status = packet_send(conn->packet, req->data);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto failed;
diff --git a/source4/libcli/ldap/ldap_client.h b/source4/libcli/ldap/ldap_client.h
index 28b9f2763c..849737d8a9 100644
--- a/source4/libcli/ldap/ldap_client.h
+++ b/source4/libcli/ldap/ldap_client.h
@@ -80,9 +80,6 @@ struct ldap_connection {
 	/* Let's support SASL */
 	struct gensec_security *gensec;
 
-	/* set if we are wrapping requests */
-	BOOL enable_wrap;
-
 	/* the default timeout for messages */
 	int timeout;