2 * Unix SMB/CIFS implementation.
3 * Gensec based tldap auth
4 * Copyright (C) Volker Lendecke 2015
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "tldap_gensec_bind.h"
23 #include "auth/credentials/credentials.h"
24 #include "lib/util/tevent_unix.h"
25 #include "lib/util/talloc_stack.h"
26 #include "lib/util/samba_util.h"
27 #include "lib/util/debug.h"
28 #include "auth/gensec/gensec.h"
29 #include "lib/param/param.h"
30 #include "source4/auth/gensec/gensec_tstream.h"
32 struct tldap_gensec_bind_state {
33 struct tevent_context *ev;
34 struct tldap_context *ctx;
35 struct cli_credentials *creds;
36 const char *target_service;
37 const char *target_hostname;
38 const char *target_principal;
39 struct loadparm_context *lp_ctx;
40 uint32_t gensec_features;
43 struct gensec_security *gensec;
44 NTSTATUS gensec_status;
45 DATA_BLOB gensec_input;
46 DATA_BLOB gensec_output;
49 static void tldap_gensec_update_next(struct tevent_req *req);
50 static void tldap_gensec_update_done(struct tevent_req *subreq);
51 static void tldap_gensec_bind_done(struct tevent_req *subreq);
53 static struct tevent_req *tldap_gensec_bind_send(
54 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
55 struct tldap_context *ctx, struct cli_credentials *creds,
56 const char *target_service, const char *target_hostname,
57 const char *target_principal, struct loadparm_context *lp_ctx,
58 uint32_t gensec_features)
60 struct tevent_req *req = NULL;
61 struct tldap_gensec_bind_state *state = NULL;
64 req = tevent_req_create(mem_ctx, &state,
65 struct tldap_gensec_bind_state);
72 state->target_service = target_service;
73 state->target_hostname = target_hostname;
74 state->target_principal = target_principal;
75 state->lp_ctx = lp_ctx;
76 state->gensec_features = gensec_features;
81 status = gensec_client_start(
82 state, &state->gensec,
83 lpcfg_gensec_settings(state, state->lp_ctx));
84 if (!NT_STATUS_IS_OK(status)) {
85 DBG_DEBUG("gensec_client_start failed: %s\n",
87 tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
88 return tevent_req_post(req, ev);
91 status = gensec_set_credentials(state->gensec, state->creds);
92 if (!NT_STATUS_IS_OK(status)) {
93 DBG_DEBUG("gensec_set_credentials failed: %s\n",
95 tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
96 return tevent_req_post(req, ev);
99 status = gensec_set_target_service(state->gensec,
100 state->target_service);
101 if (!NT_STATUS_IS_OK(status)) {
102 DBG_DEBUG("gensec_set_target_service failed: %s\n",
104 tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
105 return tevent_req_post(req, ev);
108 if (state->target_hostname != NULL) {
109 status = gensec_set_target_hostname(state->gensec,
110 state->target_hostname);
111 if (!NT_STATUS_IS_OK(status)) {
112 DBG_DEBUG("gensec_set_target_hostname failed: %s\n",
114 tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
115 return tevent_req_post(req, ev);
119 if (state->target_principal != NULL) {
120 status = gensec_set_target_principal(state->gensec,
121 state->target_principal);
122 if (!NT_STATUS_IS_OK(status)) {
123 DBG_DEBUG("gensec_set_target_principal failed: %s\n",
125 tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
126 return tevent_req_post(req, ev);
130 gensec_want_feature(state->gensec, state->gensec_features);
132 status = gensec_start_mech_by_sasl_name(state->gensec, "GSS-SPNEGO");
133 if (!NT_STATUS_IS_OK(status)) {
134 DBG_ERR("gensec_start_mech_by_sasl_name(GSS-SPNEGO) failed: %s\n",
136 tevent_req_ldap_error(req, TLDAP_OPERATIONS_ERROR);
137 return tevent_req_post(req, ev);
140 tldap_gensec_update_next(req);
141 if (!tevent_req_is_in_progress(req)) {
142 return tevent_req_post(req, ev);
148 static void tldap_gensec_update_next(struct tevent_req *req)
150 struct tldap_gensec_bind_state *state = tevent_req_data(
151 req, struct tldap_gensec_bind_state);
152 struct tevent_req *subreq = NULL;
154 subreq = gensec_update_send(state,
157 state->gensec_input);
158 if (tevent_req_nomem(subreq, req)) {
161 tevent_req_set_callback(subreq,
162 tldap_gensec_update_done,
166 static void tldap_gensec_update_done(struct tevent_req *subreq)
168 struct tevent_req *req = tevent_req_callback_data(
169 subreq, struct tevent_req);
170 struct tldap_gensec_bind_state *state = tevent_req_data(
171 req, struct tldap_gensec_bind_state);
173 state->gensec_status = gensec_update_recv(subreq,
175 &state->gensec_output);
177 data_blob_free(&state->gensec_input);
178 if (!NT_STATUS_IS_OK(state->gensec_status) &&
179 !NT_STATUS_EQUAL(state->gensec_status,
180 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
181 DBG_DEBUG("gensec_update failed: %s\n",
182 nt_errstr(state->gensec_status));
183 tevent_req_ldap_error(req, TLDAP_INVALID_CREDENTIALS);
187 if (NT_STATUS_IS_OK(state->gensec_status) &&
188 (state->gensec_output.length == 0)) {
191 tevent_req_ldap_error(req, TLDAP_INVALID_CREDENTIALS);
193 tevent_req_done(req);
198 state->first = false;
200 subreq = tldap_sasl_bind_send(state,
205 &state->gensec_output,
210 if (tevent_req_nomem(subreq, req)) {
213 tevent_req_set_callback(subreq, tldap_gensec_bind_done, req);
216 static void tldap_gensec_bind_done(struct tevent_req *subreq)
218 struct tevent_req *req = tevent_req_callback_data(
219 subreq, struct tevent_req);
220 struct tldap_gensec_bind_state *state = tevent_req_data(
221 req, struct tldap_gensec_bind_state);
224 rc = tldap_sasl_bind_recv(subreq, state, &state->gensec_input);
226 data_blob_free(&state->gensec_output);
227 if (!TLDAP_RC_IS_SUCCESS(rc) &&
228 !TLDAP_RC_EQUAL(rc, TLDAP_SASL_BIND_IN_PROGRESS)) {
229 tevent_req_ldap_error(req, rc);
233 if (TLDAP_RC_IS_SUCCESS(rc) && NT_STATUS_IS_OK(state->gensec_status)) {
234 tevent_req_done(req);
238 tldap_gensec_update_next(req);
241 static TLDAPRC tldap_gensec_bind_recv(struct tevent_req *req)
243 struct tldap_gensec_bind_state *state = tevent_req_data(
244 req, struct tldap_gensec_bind_state);
245 struct tstream_context *plain, *sec;
249 if (tevent_req_is_ldap_error(req, &rc)) {
253 if ((state->gensec_features & GENSEC_FEATURE_SIGN) &&
254 !gensec_have_feature(state->gensec, GENSEC_FEATURE_SIGN)) {
255 return TLDAP_OPERATIONS_ERROR;
257 if ((state->gensec_features & GENSEC_FEATURE_SEAL) &&
258 !gensec_have_feature(state->gensec, GENSEC_FEATURE_SEAL)) {
259 return TLDAP_OPERATIONS_ERROR;
262 if (!gensec_have_feature(state->gensec, GENSEC_FEATURE_SIGN) &&
263 !gensec_have_feature(state->gensec, GENSEC_FEATURE_SEAL)) {
264 return TLDAP_SUCCESS;
268 * The gensec ctx needs to survive as long as the ldap context
271 talloc_steal(state->ctx, state->gensec);
273 plain = tldap_get_tstream(state->ctx);
275 status = gensec_create_tstream(state->ctx, state->gensec,
277 if (!NT_STATUS_IS_OK(status)) {
278 DBG_DEBUG("gensec_create_tstream failed: %s\n",
280 return TLDAP_OPERATIONS_ERROR;
283 tldap_set_tstream(state->ctx, sec);
285 return TLDAP_SUCCESS;
288 TLDAPRC tldap_gensec_bind(
289 struct tldap_context *ctx, struct cli_credentials *creds,
290 const char *target_service, const char *target_hostname,
291 const char *target_principal, struct loadparm_context *lp_ctx,
292 uint32_t gensec_features)
294 TALLOC_CTX *frame = talloc_stackframe();
295 struct tevent_context *ev;
296 struct tevent_req *req;
297 TLDAPRC rc = TLDAP_NO_MEMORY;
299 ev = samba_tevent_context_init(frame);
303 req = tldap_gensec_bind_send(frame, ev, ctx, creds, target_service,
304 target_hostname, target_principal, lp_ctx,
309 if (!tevent_req_poll(req, ev)) {
310 rc = TLDAP_OPERATIONS_ERROR;
313 rc = tldap_gensec_bind_recv(req);