1 files changed, 366 insertions, 0 deletions
diff --git a/source3/lib/tldap_gensec_bind.c b/source3/lib/tldap_gensec_bind.c
new file mode 100644
index 0000000..c409213
--- /dev/null
+++ b/source3/lib/tldap_gensec_bind.c
@@ -0,0 +1,366 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Gensec based tldap auth
+ * Copyright (C) Volker Lendecke 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "tldap_gensec_bind.h"
+#include "tldap_util.h"
+#include "lib/util/tevent_unix.h"
+#include "lib/util/talloc_stack.h"
+#include "lib/util/samba_util.h"
+#include "lib/util/debug.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+#include "lib/param/param.h"
+#include "source4/auth/gensec/gensec_tstream.h"
+
+struct tldap_gensec_bind_state {
+	struct tevent_context *ev;
+	struct tldap_context *ctx;
+	struct cli_credentials *creds;
+	const char *target_service;
+	const char *target_hostname;
+	const char *target_principal;
+	struct loadparm_context *lp_ctx;
+	uint32_t gensec_features;
+
+	bool first;
+	struct gensec_security *gensec;
+	NTSTATUS gensec_status;
+	DATA_BLOB gensec_output;
+};
+
+static void tldap_gensec_bind_got_mechs(struct tevent_req *subreq);
+static void tldap_gensec_update_done(struct tldap_gensec_bind_state *state,
+				struct tevent_req *subreq);
+static void tldap_gensec_bind_done(struct tevent_req *subreq);
+
+static struct tevent_req *tldap_gensec_bind_send(
+	TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+	struct tldap_context *ctx, struct cli_credentials *creds,
+	const char *target_service, const char *target_hostname,
+	const char *target_principal, struct loadparm_context *lp_ctx,
+	uint32_t gensec_features)
+{
+	struct tevent_req *req, *subreq;
+	struct tldap_gensec_bind_state *state;
+
+	const char *attrs[] = { "supportedSASLMechanisms" };
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct tldap_gensec_bind_state);
+	if (req == NULL) {
+		return NULL;
+	}
+	state->ev = ev;
+	state->ctx = ctx;
+	state->creds = creds;
+	state->target_service = target_service;
+	state->target_hostname = target_hostname;
+	state->target_principal = target_principal;
+	state->lp_ctx = lp_ctx;
+	state->gensec_features = gensec_features;
+	state->first = true;
+
+	subreq = tldap_search_all_send(
+		state, state->ev, state->ctx, "", TLDAP_SCOPE_BASE,
+		"(objectclass=*)", attrs, ARRAY_SIZE(attrs),
+		false, NULL, 0, NULL, 0, 0, 1 /* sizelimit */, 0);
+	if (tevent_req_nomem(subreq, req)) {
+		return tevent_req_post(req, ev);
+	}
+	tevent_req_set_callback(subreq, tldap_gensec_bind_got_mechs, req);
+	return req;
+}
+
+static void tldap_gensec_bind_got_mechs(struct tevent_req *subreq)
+{
+	struct tevent_req *req = tevent_req_callback_data(
+		subreq, struct tevent_req);
+	struct tldap_gensec_bind_state *state = tevent_req_data(
+		req, struct tldap_gensec_bind_state);
+	struct tldap_message **msgs, *msg, *result;
+	struct tldap_attribute *attribs, *attrib;
+	int num_attribs;
+	size_t num_msgs;
+	TLDAPRC rc;
+	int i;
+	bool ok;
+	const char **sasl_mechs;
+	NTSTATUS status;
+
+	rc = tldap_search_all_recv(subreq, state, &msgs, &result);
+	TALLOC_FREE(subreq);
+	if (tevent_req_ldap_error(req, rc)) {
+		return;
+	}
+
+	/*
+	 * TODO: Inspect "Result"
+	 */
+
+	num_msgs = talloc_array_length(msgs);
+	if (num_msgs != 1) {
+		DBG_DEBUG("num_msgs = %zu\n", num_msgs);
+		tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+		return;
+	}
+	msg = msgs[0];
+
+	ok = tldap_entry_attributes(msg, &attribs, &num_attribs);
+	if (!ok) {
+		DBG_DEBUG("tldap_entry_attributes failed\n");
+		tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+		return;
+	}
+
+	if (num_attribs != 1) {
+		DBG_DEBUG("num_attribs = %d\n", num_attribs);
+		tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+		return;
+	}
+	attrib = &attribs[0];
+
+	sasl_mechs = talloc_array(state, const char *, attrib->num_values+1);
+	if (tevent_req_nomem(sasl_mechs, req)) {
+		return;
+	}
+
+	for (i=0; i<attrib->num_values; i++) {
+		DATA_BLOB *v = &attrib->values[i];
+		size_t len;
+
+		ok = convert_string_talloc(sasl_mechs, CH_UTF8, CH_UNIX,
+					   v->data, v->length,
+					   &sasl_mechs[i], &len);
+		if (!ok) {
+			DBG_DEBUG("convert_string_talloc failed\n");
+			tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+			return;
+		}
+	}
+	sasl_mechs[attrib->num_values] = NULL;
+
+	gensec_init();
+
+	status = gensec_client_start(
+		state, &state->gensec,
+		lpcfg_gensec_settings(state, state->lp_ctx));
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("gensec_client_start failed: %s\n",
+			  nt_errstr(status));
+		tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+		return;
+	}
+
+	status = gensec_set_credentials(state->gensec, state->creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("gensec_set_credentials failed: %s\n",
+			  nt_errstr(status));
+		tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+		return;
+	}
+
+	status = gensec_set_target_service(state->gensec,
+					   state->target_service);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("gensec_set_target_service failed: %s\n",
+			  nt_errstr(status));
+		tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+		return;
+	}
+
+	if (state->target_hostname != NULL) {
+		status = gensec_set_target_hostname(state->gensec,
+						    state->target_hostname);
+		if (!NT_STATUS_IS_OK(status)) {
+			DBG_DEBUG("gensec_set_target_hostname failed: %s\n",
+				  nt_errstr(status));
+			tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+			return;
+		}
+	}
+
+	if (state->target_principal != NULL) {
+		status = gensec_set_target_principal(state->gensec,
+						     state->target_principal);
+		if (!NT_STATUS_IS_OK(status)) {
+			DBG_DEBUG("gensec_set_target_principal failed: %s\n",
+				  nt_errstr(status));
+			tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+			return;
+		}
+	}
+
+	gensec_want_feature(state->gensec, state->gensec_features);
+
+	status = gensec_start_mech_by_sasl_list(state->gensec, sasl_mechs);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("gensec_start_mech_by_sasl_list failed: %s\n",
+			  nt_errstr(status));
+		tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
+		return;
+	}
+
+	state->gensec_status = gensec_update(state->gensec, state,
+						data_blob_null,
+						&state->gensec_output);
+	tldap_gensec_update_done(state, req);
+}
+
+static void tldap_gensec_update_done(struct tldap_gensec_bind_state *state,
+					struct tevent_req *req)
+{
+	struct tevent_req *subreq;
+
+	if (!NT_STATUS_IS_OK(state->gensec_status) &&
+	    !NT_STATUS_EQUAL(state->gensec_status,
+			     NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		DBG_DEBUG("gensec_update failed: %s\n",
+			  nt_errstr(state->gensec_status));
+		tevent_req_ldap_error(req, TLDAP_INVALID_CREDENTIALS);
+		return;
+	}
+
+	if (NT_STATUS_IS_OK(state->gensec_status) &&
+	    (state->gensec_output.length == 0)) {
+
+		if (state->first) {
+			tevent_req_ldap_error(req, TLDAP_INVALID_CREDENTIALS);
+		} else {
+			tevent_req_done(req);
+		}
+		return;
+	}
+
+	state->first = false;
+
+	subreq = tldap_sasl_bind_send(
+		state, state->ev, state->ctx, "",
+		state->gensec->ops->sasl_name, &state->gensec_output,
+		NULL, 0, NULL, 0);
+	if (tevent_req_nomem(subreq, req)) {
+		return;
+	}
+	tevent_req_set_callback(subreq, tldap_gensec_bind_done, req);
+}
+
+static void tldap_gensec_bind_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req = tevent_req_callback_data(
+		subreq, struct tevent_req);
+	struct tldap_gensec_bind_state *state = tevent_req_data(
+		req, struct tldap_gensec_bind_state);
+	DATA_BLOB input;
+	TLDAPRC rc;
+
+	rc = tldap_sasl_bind_recv(subreq, state, &input);
+	TALLOC_FREE(subreq);
+	if (!TLDAP_RC_IS_SUCCESS(rc) &&
+	    !TLDAP_RC_EQUAL(rc, TLDAP_SASL_BIND_IN_PROGRESS)) {
+		tevent_req_ldap_error(req, rc);
+		return;
+	}
+
+	if (TLDAP_RC_IS_SUCCESS(rc) && NT_STATUS_IS_OK(state->gensec_status)) {
+		tevent_req_done(req);
+		return;
+	}
+
+	state->gensec_status = gensec_update(state->gensec, state,
+						input,
+						&state->gensec_output);
+	tldap_gensec_update_done(state, req);
+}
+
+static TLDAPRC tldap_gensec_bind_recv(struct tevent_req *req)
+{
+	struct tldap_gensec_bind_state *state = tevent_req_data(
+		req, struct tldap_gensec_bind_state);
+	struct tstream_context *plain, *sec;
+	NTSTATUS status;
+	TLDAPRC rc;
+
+	if (tevent_req_is_ldap_error(req, &rc)) {
+		return rc;
+	}
+
+	if ((state->gensec_features & GENSEC_FEATURE_SIGN) &&
+	    !gensec_have_feature(state->gensec, GENSEC_FEATURE_SIGN)) {
+		return TLDAP_OPERATIONS_ERROR;
+	}
+	if ((state->gensec_features & GENSEC_FEATURE_SEAL) &&
+	    !gensec_have_feature(state->gensec, GENSEC_FEATURE_SEAL)) {
+		return TLDAP_OPERATIONS_ERROR;
+	}
+
+	if (!gensec_have_feature(state->gensec, GENSEC_FEATURE_SIGN) &&
+	    !gensec_have_feature(state->gensec, GENSEC_FEATURE_SEAL)) {
+		return TLDAP_SUCCESS;
+	}
+
+	/*
+	 * The gensec ctx needs to survive as long as the ldap context
+	 * lives
+	 */
+	talloc_steal(state->ctx, state->gensec);
+
+	plain = tldap_get_tstream(state->ctx);
+
+	status = gensec_create_tstream(state->ctx, state->gensec,
+				       plain, &sec);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("gensec_create_tstream failed: %s\n",
+			  nt_errstr(status));
+		return TLDAP_OPERATIONS_ERROR;
+	}
+
+	tldap_set_tstream(state->ctx, sec);
+
+	return TLDAP_SUCCESS;
+}
+
+TLDAPRC tldap_gensec_bind(
+	struct tldap_context *ctx, struct cli_credentials *creds,
+	const char *target_service, const char *target_hostname,
+	const char *target_principal, struct loadparm_context *lp_ctx,
+	uint32_t gensec_features)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	TLDAPRC rc = TLDAP_NO_MEMORY;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = tldap_gensec_bind_send(frame, ev, ctx, creds, target_service,
+				     target_hostname, target_principal, lp_ctx,
+				     gensec_features);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll(req, ev)) {
+		rc = TLDAP_OPERATIONS_ERROR;
+		goto fail;
+	}
+	rc = tldap_gensec_bind_recv(req);
+ fail:
+	TALLOC_FREE(frame);
+	return rc;
+}