2005-06-16 09:39:40 +04:00
/*
Unix SMB / CIFS mplementation .
LDAP bind calls
Copyright ( C ) Andrew Tridgell 2005
Copyright ( C ) Volker Lendecke 2004
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2005-06-16 09:39:40 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-06-16 09:39:40 +04:00
*/
# include "includes.h"
2010-05-21 11:39:15 +04:00
# include "libcli/ldap/libcli_ldap.h"
2008-04-02 06:53:27 +04:00
# include "libcli/ldap/ldap_proto.h"
2005-06-16 09:39:40 +04:00
# include "libcli/ldap/ldap_client.h"
2006-04-23 21:22:32 +04:00
# include "lib/tls/tls.h"
2006-11-07 03:48:36 +03:00
# include "auth/gensec/gensec.h"
2006-12-13 01:43:35 +03:00
# include "auth/credentials/credentials.h"
r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2006-07-23 06:50:08 +04:00
# include "lib/stream/packet.h"
2007-12-03 19:41:50 +03:00
# include "param/param.h"
2005-06-16 09:39:40 +04:00
2006-04-25 15:50:32 +04:00
struct ldap_simple_creds {
const char * dn ;
const char * pw ;
} ;
2008-04-02 06:53:27 +04:00
_PUBLIC_ NTSTATUS ldap_rebind ( struct ldap_connection * conn )
2006-04-25 15:50:32 +04:00
{
NTSTATUS status ;
struct ldap_simple_creds * creds ;
switch ( conn - > bind . type ) {
case LDAP_BIND_SASL :
2007-12-09 01:32:43 +03:00
status = ldap_bind_sasl ( conn , ( struct cli_credentials * ) conn - > bind . creds ,
2007-12-10 06:33:16 +03:00
conn - > lp_ctx ) ;
2006-04-25 15:50:32 +04:00
break ;
case LDAP_BIND_SIMPLE :
creds = ( struct ldap_simple_creds * ) conn - > bind . creds ;
if ( creds = = NULL ) {
return NT_STATUS_UNSUCCESSFUL ;
}
status = ldap_bind_simple ( conn , creds - > dn , creds - > pw ) ;
break ;
default :
return NT_STATUS_UNSUCCESSFUL ;
}
return status ;
}
2005-06-16 09:39:40 +04:00
static struct ldap_message * new_ldap_simple_bind_msg ( struct ldap_connection * conn ,
const char * dn , const char * pw )
{
struct ldap_message * res ;
res = new_ldap_message ( conn ) ;
if ( ! res ) {
return NULL ;
}
res - > type = LDAP_TAG_BindRequest ;
res - > r . BindRequest . version = 3 ;
res - > r . BindRequest . dn = talloc_strdup ( res , dn ) ;
res - > r . BindRequest . mechanism = LDAP_AUTH_MECH_SIMPLE ;
res - > r . BindRequest . creds . password = talloc_strdup ( res , pw ) ;
2006-01-06 07:01:23 +03:00
res - > controls = NULL ;
2005-06-16 09:39:40 +04:00
return res ;
}
/*
perform a simple username / password bind
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ NTSTATUS ldap_bind_simple ( struct ldap_connection * conn ,
2005-06-16 09:39:40 +04:00
const char * userdn , const char * password )
{
struct ldap_request * req ;
struct ldap_message * msg ;
const char * dn , * pw ;
NTSTATUS status ;
if ( conn = = NULL ) {
return NT_STATUS_INVALID_CONNECTION ;
}
if ( userdn ) {
dn = userdn ;
} else {
if ( conn - > auth_dn ) {
dn = conn - > auth_dn ;
} else {
dn = " " ;
}
}
if ( password ) {
pw = password ;
} else {
if ( conn - > simple_pw ) {
pw = conn - > simple_pw ;
} else {
pw = " " ;
}
}
msg = new_ldap_simple_bind_msg ( conn , dn , pw ) ;
NT_STATUS_HAVE_NO_MEMORY ( msg ) ;
/* send the request */
req = ldap_request_send ( conn , msg ) ;
talloc_free ( msg ) ;
NT_STATUS_HAVE_NO_MEMORY ( req ) ;
/* wait for replies */
status = ldap_request_wait ( req ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( req ) ;
return status ;
}
/* check its a valid reply */
msg = req - > replies [ 0 ] ;
if ( msg - > type ! = LDAP_TAG_BindResponse ) {
talloc_free ( req ) ;
return NT_STATUS_UNEXPECTED_NETWORK_ERROR ;
}
status = ldap_check_response ( conn , & msg - > r . BindResponse . response ) ;
talloc_free ( req ) ;
2006-04-25 15:50:32 +04:00
if ( NT_STATUS_IS_OK ( status ) ) {
struct ldap_simple_creds * creds = talloc ( conn , struct ldap_simple_creds ) ;
if ( creds = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
creds - > dn = talloc_strdup ( creds , dn ) ;
creds - > pw = talloc_strdup ( creds , pw ) ;
if ( creds - > dn = = NULL | | creds - > pw = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
conn - > bind . type = LDAP_BIND_SIMPLE ;
conn - > bind . creds = creds ;
}
2005-06-16 09:39:40 +04:00
return status ;
}
static struct ldap_message * new_ldap_sasl_bind_msg ( struct ldap_connection * conn ,
const char * sasl_mechanism ,
DATA_BLOB * secblob )
{
struct ldap_message * res ;
res = new_ldap_message ( conn ) ;
if ( ! res ) {
return NULL ;
}
res - > type = LDAP_TAG_BindRequest ;
res - > r . BindRequest . version = 3 ;
res - > r . BindRequest . dn = " " ;
res - > r . BindRequest . mechanism = LDAP_AUTH_MECH_SASL ;
res - > r . BindRequest . creds . SASL . mechanism = talloc_strdup ( res , sasl_mechanism ) ;
2006-02-15 18:19:10 +03:00
if ( secblob ) {
res - > r . BindRequest . creds . SASL . secblob = talloc ( res , DATA_BLOB ) ;
if ( ! res - > r . BindRequest . creds . SASL . secblob ) {
talloc_free ( res ) ;
return NULL ;
}
* res - > r . BindRequest . creds . SASL . secblob = * secblob ;
} else {
res - > r . BindRequest . creds . SASL . secblob = NULL ;
}
2006-01-06 07:01:23 +03:00
res - > controls = NULL ;
2005-06-16 09:39:40 +04:00
return res ;
}
/*
perform a sasl bind using the given credentials
*/
2008-04-22 01:58:23 +04:00
_PUBLIC_ NTSTATUS ldap_bind_sasl ( struct ldap_connection * conn ,
2007-12-09 01:32:43 +03:00
struct cli_credentials * creds ,
struct loadparm_context * lp_ctx )
2005-06-16 09:39:40 +04:00
{
NTSTATUS status ;
TALLOC_CTX * tmp_ctx = NULL ;
2005-08-23 09:29:37 +04:00
2005-06-16 09:39:40 +04:00
DATA_BLOB input = data_blob ( NULL , 0 ) ;
DATA_BLOB output = data_blob ( NULL , 0 ) ;
2005-11-05 14:02:37 +03:00
struct ldap_message * * sasl_mechs_msgs ;
struct ldap_SearchResEntry * search ;
int count , i ;
const char * * sasl_names ;
2006-12-13 01:43:35 +03:00
uint32_t old_gensec_features ;
2007-12-20 02:02:15 +03:00
static const char * supported_sasl_mech_attrs [ ] = {
2005-11-05 14:02:37 +03:00
" supportedSASLMechanisms " ,
NULL
} ;
2007-12-10 20:42:07 +03:00
gensec_init ( lp_ctx ) ;
2008-04-22 01:58:23 +04:00
status = gensec_client_start ( conn , & conn - > gensec ,
2008-11-02 04:05:48 +03:00
conn - > event . event_ctx ,
lp_gensec_settings ( conn , lp_ctx ) ) ;
2005-06-16 09:39:40 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Failed to start GENSEC engine (%s) \n " , nt_errstr ( status ) ) ) ;
goto failed ;
}
2006-04-23 21:22:32 +04:00
/* require Kerberos SIGN/SEAL only if we don't use SSL
* Windows seem not to like double encryption */
2006-12-13 01:43:35 +03:00
old_gensec_features = cli_credentials_get_gensec_features ( creds ) ;
if ( tls_enabled ( conn - > sock ) ) {
2008-07-15 09:08:57 +04:00
cli_credentials_set_gensec_features ( creds , old_gensec_features & ~ ( GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL ) ) ;
2006-04-23 21:22:32 +04:00
}
2005-06-16 09:39:40 +04:00
2006-12-13 01:43:35 +03:00
/* this call also sets the gensec_want_features */
2005-06-16 09:39:40 +04:00
status = gensec_set_credentials ( conn - > gensec , creds ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-06-18 13:09:27 +04:00
DEBUG ( 1 , ( " Failed to set GENSEC creds: %s \n " ,
2005-06-16 09:39:40 +04:00
nt_errstr ( status ) ) ) ;
goto failed ;
}
2008-07-15 09:08:57 +04:00
/* reset the original gensec_features (on the credentials
* context , so we don ' t tatoo it ) */
2006-12-13 01:43:35 +03:00
cli_credentials_set_gensec_features ( creds , old_gensec_features ) ;
2006-09-04 07:59:04 +04:00
if ( conn - > host ) {
status = gensec_set_target_hostname ( conn - > gensec , conn - > host ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " Failed to set GENSEC target hostname: %s \n " ,
nt_errstr ( status ) ) ) ;
goto failed ;
}
2005-06-16 09:39:40 +04:00
}
status = gensec_set_target_service ( conn - > gensec , " ldap " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-06-18 13:09:27 +04:00
DEBUG ( 1 , ( " Failed to set GENSEC target service: %s \n " ,
2005-06-16 09:39:40 +04:00
nt_errstr ( status ) ) ) ;
goto failed ;
}
2005-11-05 14:02:37 +03:00
status = ildap_search ( conn , " " , LDAP_SEARCH_SCOPE_BASE , " " , supported_sasl_mech_attrs ,
2007-10-07 02:28:14 +04:00
false , NULL , NULL , & sasl_mechs_msgs ) ;
2005-06-16 09:39:40 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-11-05 14:02:37 +03:00
DEBUG ( 1 , ( " Failed to inquire of target's available sasl mechs in rootdse search: %s \n " ,
2005-06-16 09:39:40 +04:00
nt_errstr ( status ) ) ) ;
goto failed ;
}
2005-11-05 14:02:37 +03:00
count = ildap_count_entries ( conn , sasl_mechs_msgs ) ;
if ( count ! = 1 ) {
DEBUG ( 1 , ( " Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d \n " ,
count ) ) ;
goto failed ;
}
2005-06-16 09:39:40 +04:00
tmp_ctx = talloc_new ( conn ) ;
if ( tmp_ctx = = NULL ) goto failed ;
2005-11-05 14:02:37 +03:00
search = & sasl_mechs_msgs [ 0 ] - > r . SearchResultEntry ;
if ( search - > num_attributes ! = 1 ) {
2008-11-13 07:58:12 +03:00
DEBUG ( 1 , ( " Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1 \n " ,
2005-11-05 14:02:37 +03:00
search - > num_attributes ) ) ;
goto failed ;
}
sasl_names = talloc_array ( tmp_ctx , const char * , search - > attributes [ 0 ] . num_values + 1 ) ;
if ( ! sasl_names ) {
DEBUG ( 1 , ( " talloc_arry(char *, %d) failed \n " ,
count ) ) ;
goto failed ;
}
for ( i = 0 ; i < search - > attributes [ 0 ] . num_values ; i + + ) {
sasl_names [ i ] = ( const char * ) search - > attributes [ 0 ] . values [ i ] . data ;
}
sasl_names [ i ] = NULL ;
2006-02-04 12:53:50 +03:00
status = gensec_start_mech_by_sasl_list ( conn - > gensec , sasl_names ) ;
2005-11-05 14:02:37 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2006-02-04 12:53:50 +03:00
DEBUG ( 1 , ( " None of the %d proposed SASL mechs were acceptable: %s \n " ,
count , nt_errstr ( status ) ) ) ;
2005-11-05 14:02:37 +03:00
goto failed ;
}
2005-06-16 09:39:40 +04:00
while ( 1 ) {
2005-08-23 09:29:37 +04:00
NTSTATUS gensec_status ;
2005-06-16 09:39:40 +04:00
struct ldap_message * response ;
struct ldap_message * msg ;
struct ldap_request * req ;
int result = LDAP_OTHER ;
2005-08-23 09:29:37 +04:00
status = gensec_update ( conn - > gensec , tmp_ctx ,
input ,
& output ) ;
/* The status value here, from GENSEC is vital to the security
* of the system . Even if the other end accepts , if GENSEC
* claims ' MORE_PROCESSING_REQUIRED ' then you must keep
* feeding it blobs , or else the remote host / attacker might
* avoid mutal authentication requirements .
*
* Likewise , you must not feed GENSEC too much ( after the OK ) ,
* it doesn ' t like that either
*/
gensec_status = status ;
2005-06-16 09:39:40 +04:00
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_MORE_PROCESSING_REQUIRED ) & &
! NT_STATUS_IS_OK ( status ) ) {
break ;
}
2006-02-04 12:53:50 +03:00
if ( NT_STATUS_IS_OK ( status ) & & output . length = = 0 ) {
2005-08-23 09:29:37 +04:00
break ;
}
2005-06-16 09:39:40 +04:00
2006-02-04 12:53:50 +03:00
/* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
2006-02-15 18:19:10 +03:00
msg = new_ldap_sasl_bind_msg ( tmp_ctx , conn - > gensec - > ops - > sasl_name , ( output . data ? & output : NULL ) ) ;
2005-06-16 09:39:40 +04:00
if ( msg = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto failed ;
}
req = ldap_request_send ( conn , msg ) ;
if ( req = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto failed ;
}
talloc_steal ( tmp_ctx , req ) ;
status = ldap_result_n ( req , 0 , & response ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
if ( response - > type ! = LDAP_TAG_BindResponse ) {
status = NT_STATUS_UNEXPECTED_NETWORK_ERROR ;
goto failed ;
}
result = response - > r . BindResponse . response . resultcode ;
if ( result ! = LDAP_SUCCESS & & result ! = LDAP_SASL_BIND_IN_PROGRESS ) {
2005-10-17 15:50:34 +04:00
status = ldap_check_response ( conn ,
& response - > r . BindResponse . response ) ;
2005-06-16 09:39:40 +04:00
break ;
}
2005-08-23 09:29:37 +04:00
/* This is where we check if GENSEC wanted to be fed more data */
if ( ! NT_STATUS_EQUAL ( gensec_status , NT_STATUS_MORE_PROCESSING_REQUIRED ) ) {
break ;
}
2006-02-15 18:19:10 +03:00
if ( response - > r . BindResponse . SASL . secblob ) {
input = * response - > r . BindResponse . SASL . secblob ;
} else {
input = data_blob ( NULL , 0 ) ;
}
2005-06-16 09:39:40 +04:00
}
talloc_free ( tmp_ctx ) ;
2006-04-25 15:50:32 +04:00
if ( NT_STATUS_IS_OK ( status ) ) {
2006-07-25 04:57:27 +04:00
struct socket_context * sasl_socket ;
status = gensec_socket_init ( conn - > gensec ,
2008-09-24 09:37:16 +04:00
conn ,
2006-07-25 04:57:27 +04:00
conn - > sock ,
conn - > event . event_ctx ,
ldap_read_io_handler ,
conn ,
& sasl_socket ) ;
2006-07-25 16:48:40 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) goto failed ;
conn - > sock = sasl_socket ;
packet_set_socket ( conn - > packet , conn - > sock ) ;
2006-04-25 15:50:32 +04:00
conn - > bind . type = LDAP_BIND_SASL ;
conn - > bind . creds = creds ;
}
2005-06-16 09:39:40 +04:00
return status ;
failed :
talloc_free ( tmp_ctx ) ;
talloc_free ( conn - > gensec ) ;
conn - > gensec = NULL ;
return status ;
}
