diff options
Diffstat (limited to 'source4/ldap_server')
| -rw-r--r-- | source4/ldap_server/ldap_bind.c | 21 | ||||
| -rw-r--r-- | source4/ldap_server/ldap_server.c | 113 |
2 files changed, 55 insertions, 79 deletions
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 80d1f51748..f4be5b5242 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -20,7 +20,7 @@ #include "includes.h" #include "ldap_server/ldap_server.h" - +#include "auth/auth.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { @@ -50,11 +50,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) struct ldap_BindRequest *req = &call->request.r.BindRequest; struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; + struct ldapsrv_connection *conn; int result; const char *errstr; NTSTATUS status = NT_STATUS_OK; NTSTATUS sasl_status; - /*BOOL ret;*/ + BOOL ret; DEBUG(10, ("BindSASL dn: %s\n",req->dn)); @@ -69,7 +70,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_set_target_service(call->conn->gensec, "ldap"); - /*gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL);*/ + gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); + gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); if (!NT_STATUS_IS_OK(status)) { @@ -85,6 +87,8 @@ reply: return NT_STATUS_NO_MEMORY; } resp = &reply->msg.r.BindResponse; + + conn = call->conn; if (NT_STATUS_IS_OK(status)) { status = gensec_update(call->conn->gensec, reply, @@ -118,17 +122,14 @@ reply: return status; } -/* ret = ldapsrv_append_to_buf(&call->conn->sasl_out_buffer, call->conn->out_buffer.data, call->conn->out_buffer.length); + ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length); if (!ret) { return NT_STATUS_NO_MEMORY; } - ldapsrv_consumed_from_buf(&call->conn->out_buffer, call->conn->out_buffer.length); - - status = gensec_session_info(call->conn->gensec, &call->conn->session_info); - if (!NT_STATUS_IS_OK(status)) { - return status; + ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length); + if (NT_STATUS_IS_OK(status)) { + status = gensec_session_info(conn->gensec, &conn->session_info); } -*/ return status; } diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c index ea1b8cb9b4..0bace4b690 100644 --- a/source4/ldap_server/ldap_server.c +++ b/source4/ldap_server/ldap_server.c @@ -131,7 +131,7 @@ static void ldapsrv_init(struct server_service *service, void ldapsrv_consumed_from_buf(struct rw_buffer *buf, size_t length) { - memcpy(buf->data, buf->data+length, buf->length-length); + memmove(buf->data, buf->data+length, buf->length-length); buf->length -= length; } @@ -186,7 +186,8 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn) { NTSTATUS status; DATA_BLOB tmp_blob; - DATA_BLOB creds; + DATA_BLOB wrapped; + DATA_BLOB unwrapped; BOOL ret; uint8_t *buf; size_t buf_length, sasl_length; @@ -194,9 +195,14 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn) TALLOC_CTX *mem_ctx; size_t nread; - if (!conn->gensec || !conn->session_info || - !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) && - gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) { + if (!conn->gensec) { + return read_into_buf(sock, &conn->in_buffer); + } + if (!conn->session_info) { + return read_into_buf(sock, &conn->in_buffer); + } + if (!(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) || + gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) { return read_into_buf(sock, &conn->in_buffer); } @@ -236,47 +242,25 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn) sasl_length = RIVAL(buf, 0); - if (buf_length < (4 + sasl_length)) { + if ((buf_length - 4) < sasl_length) { /* not enough yet */ talloc_free(mem_ctx); return True; } - creds.data = buf + 4; - creds.length = gensec_sig_size(conn->gensec); + wrapped.data = buf + 4; + wrapped.length = sasl_length; - if (creds.length > sasl_length) { - /* invalid packet? */ + status = gensec_unwrap(conn->gensec, mem_ctx, + &wrapped, + &unwrapped); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("gensec_unwrap: %s\n",nt_errstr(status))); talloc_free(mem_ctx); return False; } - tmp_blob.data = buf + (4 + creds.length); - tmp_blob.length = (4 + sasl_length) - (4 + creds.length); - - if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) { - status = gensec_unseal_packet(conn->gensec, mem_ctx, - tmp_blob.data, tmp_blob.length, - tmp_blob.data, tmp_blob.length, - &creds); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("gensec_unseal_packet: %s\n",nt_errstr(status))); - talloc_free(mem_ctx); - return False; - } - } else { - status = gensec_check_packet(conn->gensec, mem_ctx, - tmp_blob.data, tmp_blob.length, - tmp_blob.data, tmp_blob.length, - &creds); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("gensec_check_packet: %s\n",nt_errstr(status))); - talloc_free(mem_ctx); - return False; - } - } - - ret = ldapsrv_append_to_buf(&conn->in_buffer, tmp_blob.data, tmp_blob.length); + ret = ldapsrv_append_to_buf(&conn->in_buffer, unwrapped.data, unwrapped.length); if (!ret) { talloc_free(mem_ctx); return False; @@ -311,17 +295,23 @@ static BOOL write_from_buf(struct socket_context *sock, struct rw_buffer *buf) static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn) { NTSTATUS status; + DATA_BLOB wrapped; DATA_BLOB tmp_blob; - DATA_BLOB creds; DATA_BLOB sasl; size_t sendlen; BOOL ret; struct socket_context *sock = conn->connection->socket; TALLOC_CTX *mem_ctx; - if (!conn->gensec || !conn->session_info || - !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) && - gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) { + + if (!conn->gensec) { + return write_from_buf(sock, &conn->out_buffer); + } + if (!conn->session_info) { + return write_from_buf(sock, &conn->out_buffer); + } + if (!(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) || + gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) { return write_from_buf(sock, &conn->out_buffer); } @@ -331,52 +321,37 @@ static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn) return False; } - tmp_blob.data = conn->out_buffer.data; - tmp_blob.length = conn->out_buffer.length; - - if (tmp_blob.length == 0) { + if (conn->out_buffer.length == 0) { goto nodata; } - if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) { - status = gensec_seal_packet(conn->gensec, mem_ctx, - tmp_blob.data, tmp_blob.length, - tmp_blob.data, tmp_blob.length, - &creds); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("gensec_seal_packet: %s\n",nt_errstr(status))); - talloc_free(mem_ctx); - return False; - } - } else { - status = gensec_sign_packet(conn->gensec, mem_ctx, - tmp_blob.data, tmp_blob.length, - tmp_blob.data, tmp_blob.length, - &creds); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("gensec_sign_packet: %s\n",nt_errstr(status))); - talloc_free(mem_ctx); - return False; - } + tmp_blob.data = conn->out_buffer.data; + tmp_blob.length = conn->out_buffer.length; + status = gensec_wrap(conn->gensec, mem_ctx, + &tmp_blob, + &wrapped); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("gensec_wrap: %s\n",nt_errstr(status))); + talloc_free(mem_ctx); + return False; } - sasl = data_blob_talloc(mem_ctx, NULL, 4 + creds.length + tmp_blob.length); + sasl = data_blob_talloc(mem_ctx, NULL, 4 + wrapped.length); if (!sasl.data) { DEBUG(0,("no memory\n")); talloc_free(mem_ctx); return False; } - RSIVAL(sasl.data, 0, creds.length + tmp_blob.length); - memcpy(sasl.data + 4, creds.data, creds.length); - memcpy(sasl.data + 4 + creds.length, tmp_blob.data, tmp_blob.length); + RSIVAL(sasl.data, 0, wrapped.length); + memcpy(sasl.data + 4, wrapped.data, wrapped.length); ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, sasl.data, sasl.length); if (!ret) { talloc_free(mem_ctx); return False; } - ldapsrv_consumed_from_buf(&conn->out_buffer, tmp_blob.length); + ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length); nodata: tmp_blob.data = conn->sasl_out_buffer.data; tmp_blob.length = conn->sasl_out_buffer.length; |