s4:ldap_server: rewrite to socket layer to use tstream

[mat/samba.git] / source4 / ldap_server / ldap_bind.c

diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 529a12d1cabc23432e248894955c5c8474128d2f..5036353a4b34a92cf36ba92126e21e85779dba2e 100644 (file)
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -25,7 +25,9 @@
 #include "lib/ldb/include/ldb_errors.h"
 #include "dsdb/samdb/samdb.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_tstream.h"
 #include "param/param.h"
+#include "../lib/util/tevent_ntstatus.h"
 
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 {
@@ -94,20 +96,42 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
        return NT_STATUS_OK;
 }
 
-struct ldapsrv_sasl_context {
+struct ldapsrv_sasl_postprocess_context {
        struct ldapsrv_connection *conn;
-       struct socket_context *sasl_socket;
+       struct tstream_context *sasl;
 };
 
-static void ldapsrv_set_sasl(void *private_data)
+struct ldapsrv_sasl_postprocess_state {
+       uint8_t dummy;
+};
+
+static struct tevent_req *ldapsrv_sasl_postprocess_send(TALLOC_CTX *mem_ctx,
+                                               struct tevent_context *ev,
+                                               void *private_data)
 {
-       struct ldapsrv_sasl_context *ctx = talloc_get_type(private_data, struct ldapsrv_sasl_context);
-       talloc_steal(ctx->conn->connection, ctx->sasl_socket);
-       talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
+       struct ldapsrv_sasl_postprocess_context *context =
+               talloc_get_type_abort(private_data,
+               struct ldapsrv_sasl_postprocess_context);
+       struct tevent_req *req;
+       struct ldapsrv_sasl_postprocess_state *state;
+
+       req = tevent_req_create(mem_ctx, &state,
+                               struct ldapsrv_sasl_postprocess_state);
+       if (req == NULL) {
+               return NULL;
+       }
 
-       ctx->conn->sockets.sasl = ctx->sasl_socket;
-       ctx->conn->connection->socket = ctx->sasl_socket;
-       packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
+       TALLOC_FREE(context->conn->sockets.sasl);
+       context->conn->sockets.sasl = talloc_move(context->conn, &context->sasl);
+       context->conn->sockets.active = context->conn->sockets.sasl;
+
+       tevent_req_done(req);
+       return tevent_req_post(req, ev);
+}
+
+static NTSTATUS ldapsrv_sasl_postprocess_recv(struct tevent_req *req)
+{
+       return tevent_req_simple_recv_ntstatus(req);
 }
 
 static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
@@ -193,27 +217,41 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
                errstr = NULL;
        } else if (NT_STATUS_IS_OK(status)) {
                struct auth_session_info *old_session_info=NULL;
-               struct ldapsrv_sasl_context *ctx;
+               struct ldapsrv_sasl_postprocess_context *context = NULL;
 
                result = LDAP_SUCCESS;
                errstr = NULL;
 
-               ctx = talloc(call, struct ldapsrv_sasl_context);
+               if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
+                   gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
 
-               if (!ctx) {
-                       status = NT_STATUS_NO_MEMORY;
-               } else {
-                       ctx->conn = conn;
-                       status = gensec_socket_init(conn->gensec,
-                                                   conn->connection,
-                                                   conn->connection->socket,
-                                                   conn->connection->event.ctx,
-                                                   stream_io_handler_callback,
-                                                   conn->connection,
-                                                   &ctx->sasl_socket);
+                       context = talloc(call, struct ldapsrv_sasl_postprocess_context);
+
+                       if (!context) {
+                               status = NT_STATUS_NO_MEMORY;
+                       }
+               }
+
+               if (context && conn->sockets.tls) {
+                       TALLOC_FREE(context);
+                       status = NT_STATUS_NOT_SUPPORTED;
+                       result = LDAP_UNWILLING_TO_PERFORM;
+                       errstr = talloc_asprintf(reply,
+                                                "SASL:[%s]: Sign or Seal are not allowed if TLS is used",
+                                                req->creds.SASL.mechanism);
+               }
+
+               if (context) {
+                       context->conn = conn;
+                       status = gensec_create_tstream(context,
+                                                      context->conn->gensec,
+                                                      context->conn->sockets.raw,
+                                                      &context->sasl);
                }
 
-               if (!ctx || !NT_STATUS_IS_OK(status)) {
+               if (result != LDAP_SUCCESS) {
+                       conn->session_info = old_session_info;
+               } else if (!NT_STATUS_IS_OK(status)) {
                        conn->session_info = old_session_info;
                        result = LDAP_OPERATIONS_ERROR;
                        errstr = talloc_asprintf(reply, 
@@ -221,9 +259,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
                                                 req->creds.SASL.mechanism, nt_errstr(status));
                } else {
 
-                       call->send_callback = ldapsrv_set_sasl;
-                       call->send_private = ctx;
-
                        old_session_info = conn->session_info;
                        conn->session_info = NULL;
                        status = gensec_session_info(conn->gensec, &conn->session_info);
@@ -251,6 +286,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
                                }
                        }
                }
+
+               if (NT_STATUS_IS_OK(status) && context) {
+                       call->postprocess_send = ldapsrv_sasl_postprocess_send;
+                       call->postprocess_recv = ldapsrv_sasl_postprocess_recv;
+                       call->postprocess_private = context;
+               }
        } else {
                status = auth_nt_status_squash(status);
                if (result == 0) {