From b53fbc75acc525f2e2450370e704a62791271788 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 22 Sep 2010 14:24:03 +0200
Subject: s4:ldap_server: rewrite to socket layer to use tstream

This should make our sasl and tls handling much more robust
against partial sent pdus.

metze
---
 source4/ldap_server/ldap_bind.c | 99 +++++++++++++++++++++++++++++------------
 1 file changed, 70 insertions(+), 29 deletions(-)

(limited to 'source4/ldap_server/ldap_bind.c')

diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index c97211cb2c..5036353a4b 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -25,7 +25,9 @@
 #include "lib/ldb/include/ldb_errors.h"
 #include "dsdb/samdb/samdb.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_tstream.h"
 #include "param/param.h"
+#include "../lib/util/tevent_ntstatus.h"
 
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 {
@@ -94,20 +96,42 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 	return NT_STATUS_OK;
 }
 
-struct ldapsrv_sasl_context {
+struct ldapsrv_sasl_postprocess_context {
 	struct ldapsrv_connection *conn;
-	struct socket_context *sasl_socket;
+	struct tstream_context *sasl;
 };
 
-static void ldapsrv_set_sasl(void *private_data)
+struct ldapsrv_sasl_postprocess_state {
+	uint8_t dummy;
+};
+
+static struct tevent_req *ldapsrv_sasl_postprocess_send(TALLOC_CTX *mem_ctx,
+						struct tevent_context *ev,
+						void *private_data)
 {
-	struct ldapsrv_sasl_context *ctx = talloc_get_type(private_data, struct ldapsrv_sasl_context);
-	talloc_steal(ctx->conn->connection, ctx->sasl_socket);
-	talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
+	struct ldapsrv_sasl_postprocess_context *context =
+		talloc_get_type_abort(private_data,
+		struct ldapsrv_sasl_postprocess_context);
+	struct tevent_req *req;
+	struct ldapsrv_sasl_postprocess_state *state;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct ldapsrv_sasl_postprocess_state);
+	if (req == NULL) {
+		return NULL;
+	}
 
-	ctx->conn->sockets.sasl = ctx->sasl_socket;
-	ctx->conn->connection->socket = ctx->sasl_socket;
-	packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
+	TALLOC_FREE(context->conn->sockets.sasl);
+	context->conn->sockets.sasl = talloc_move(context->conn, &context->sasl);
+	context->conn->sockets.active = context->conn->sockets.sasl;
+
+	tevent_req_done(req);
+	return tevent_req_post(req, ev);
+}
+
+static NTSTATUS ldapsrv_sasl_postprocess_recv(struct tevent_req *req)
+{
+	return tevent_req_simple_recv_ntstatus(req);
 }
 
 static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
@@ -152,7 +176,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 			errstr = talloc_asprintf(reply, "SASL: Failed to start authentication system: %s", 
 						 nt_errstr(status));
 		} else {
-		
+
 			gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
 			gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
 			gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES);
@@ -193,27 +217,41 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 		errstr = NULL;
 	} else if (NT_STATUS_IS_OK(status)) {
 		struct auth_session_info *old_session_info=NULL;
-		struct ldapsrv_sasl_context *ctx;
+		struct ldapsrv_sasl_postprocess_context *context = NULL;
 
 		result = LDAP_SUCCESS;
 		errstr = NULL;
 
-		ctx = talloc(call, struct ldapsrv_sasl_context); 
+		if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
+		    gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
 
-		if (!ctx) {
-			status = NT_STATUS_NO_MEMORY;
-		} else {
-			ctx->conn = conn;
-			status = gensec_socket_init(conn->gensec, 
-						    conn->connection,
-						    conn->connection->socket,
-						    conn->connection->event.ctx, 
-						    stream_io_handler_callback,
-						    conn->connection,
-						    &ctx->sasl_socket);
-		} 
-
-		if (!ctx || !NT_STATUS_IS_OK(status)) {
+			context = talloc(call, struct ldapsrv_sasl_postprocess_context);
+
+			if (!context) {
+				status = NT_STATUS_NO_MEMORY;
+			}
+		}
+
+		if (context && conn->sockets.tls) {
+			TALLOC_FREE(context);
+			status = NT_STATUS_NOT_SUPPORTED;
+			result = LDAP_UNWILLING_TO_PERFORM;
+			errstr = talloc_asprintf(reply,
+						 "SASL:[%s]: Sign or Seal are not allowed if TLS is used",
+						 req->creds.SASL.mechanism);
+		}
+
+		if (context) {
+			context->conn = conn;
+			status = gensec_create_tstream(context,
+						       context->conn->gensec,
+						       context->conn->sockets.raw,
+						       &context->sasl);
+		}
+
+		if (result != LDAP_SUCCESS) {
+			conn->session_info = old_session_info;
+		} else if (!NT_STATUS_IS_OK(status)) {
 			conn->session_info = old_session_info;
 			result = LDAP_OPERATIONS_ERROR;
 			errstr = talloc_asprintf(reply, 
@@ -221,9 +259,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 						 req->creds.SASL.mechanism, nt_errstr(status));
 		} else {
 
-			call->send_callback = ldapsrv_set_sasl;
-			call->send_private = ctx;
-		
 			old_session_info = conn->session_info;
 			conn->session_info = NULL;
 			status = gensec_session_info(conn->gensec, &conn->session_info);
@@ -251,6 +286,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 				}
 			}
 		}
+
+		if (NT_STATUS_IS_OK(status) && context) {
+			call->postprocess_send = ldapsrv_sasl_postprocess_send;
+			call->postprocess_recv = ldapsrv_sasl_postprocess_recv;
+			call->postprocess_private = context;
+		}
 	} else {
 		status = auth_nt_status_squash(status);
 		if (result == 0) {
-- 
cgit