Revert "If it is a forced DOS error, nt_errstr should say so"
[Samba.git] / source / libads / sasl_wrapping.c
blob2bfa07923502dad5600d3ba4a776424d893e8c60
1 /*
2 Unix SMB/CIFS implementation.
3 ads sasl wrapping code
4 Copyright (C) Stefan Metzmacher 2007
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
22 #ifdef HAVE_LDAP_SASL_WRAPPING
24 static int ads_saslwrap_setup(Sockbuf_IO_Desc *sbiod, void *arg)
26 ADS_STRUCT *ads = (ADS_STRUCT *)arg;
28 ads->ldap.sbiod = sbiod;
30 sbiod->sbiod_pvt = ads;
32 return 0;
35 static int ads_saslwrap_remove(Sockbuf_IO_Desc *sbiod)
37 return 0;
40 static ber_slen_t ads_saslwrap_prepare_inbuf(ADS_STRUCT *ads)
42 ads->ldap.in.ofs = 0;
43 ads->ldap.in.needed = 0;
44 ads->ldap.in.left = 0;
45 ads->ldap.in.size = 4 + ads->ldap.in.min_wrapped;
46 ads->ldap.in.buf = talloc_array(ads->ldap.mem_ctx,
47 uint8, ads->ldap.in.size);
48 if (!ads->ldap.in.buf) {
49 return -1;
52 return 0;
55 static ber_slen_t ads_saslwrap_grow_inbuf(ADS_STRUCT *ads)
57 if (ads->ldap.in.size == (4 + ads->ldap.in.needed)) {
58 return 0;
61 ads->ldap.in.size = 4 + ads->ldap.in.needed;
62 ads->ldap.in.buf = talloc_realloc(ads->ldap.mem_ctx,
63 ads->ldap.in.buf,
64 uint8, ads->ldap.in.size);
65 if (!ads->ldap.in.buf) {
66 return -1;
69 return 0;
72 static void ads_saslwrap_shrink_inbuf(ADS_STRUCT *ads)
74 talloc_free(ads->ldap.in.buf);
76 ads->ldap.in.buf = NULL;
77 ads->ldap.in.size = 0;
78 ads->ldap.in.ofs = 0;
79 ads->ldap.in.needed = 0;
80 ads->ldap.in.left = 0;
83 static ber_slen_t ads_saslwrap_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
85 ADS_STRUCT *ads = (ADS_STRUCT *)sbiod->sbiod_pvt;
86 ber_slen_t ret;
88 /* If ofs < 4 it means we don't have read the length header yet */
89 if (ads->ldap.in.ofs < 4) {
90 ret = ads_saslwrap_prepare_inbuf(ads);
91 if (ret < 0) return ret;
93 ret = LBER_SBIOD_READ_NEXT(sbiod,
94 ads->ldap.in.buf + ads->ldap.in.ofs,
95 4 - ads->ldap.in.ofs);
96 if (ret <= 0) return ret;
97 ads->ldap.in.ofs += ret;
99 if (ads->ldap.in.ofs < 4) goto eagain;
101 ads->ldap.in.needed = RIVAL(ads->ldap.in.buf, 0);
102 if (ads->ldap.in.needed > ads->ldap.in.max_wrapped) {
103 errno = EINVAL;
104 return -1;
106 if (ads->ldap.in.needed < ads->ldap.in.min_wrapped) {
107 errno = EINVAL;
108 return -1;
111 ret = ads_saslwrap_grow_inbuf(ads);
112 if (ret < 0) return ret;
116 * if there's more data needed from the remote end,
117 * we need to read more
119 if (ads->ldap.in.needed > 0) {
120 ret = LBER_SBIOD_READ_NEXT(sbiod,
121 ads->ldap.in.buf + ads->ldap.in.ofs,
122 ads->ldap.in.needed);
123 if (ret <= 0) return ret;
124 ads->ldap.in.ofs += ret;
125 ads->ldap.in.needed -= ret;
127 if (ads->ldap.in.needed > 0) goto eagain;
131 * if we have a complete packet and have not yet unwrapped it
132 * we need to call the mech specific unwrap() hook
134 if (ads->ldap.in.needed == 0 && ads->ldap.in.left == 0) {
135 ADS_STATUS status;
136 status = ads->ldap.wrap_ops->unwrap(ads);
137 if (!ADS_ERR_OK(status)) {
138 errno = EACCES;
139 return -1;
144 * if we have unwrapped data give it to the caller
146 if (ads->ldap.in.left > 0) {
147 ret = MIN(ads->ldap.in.left, len);
148 memcpy(buf, ads->ldap.in.buf + ads->ldap.in.ofs, ret);
149 ads->ldap.in.ofs += ret;
150 ads->ldap.in.left -= ret;
153 * if no more is left shrink the inbuf,
154 * this will trigger reading a new SASL packet
155 * from the remote stream in the next call
157 if (ads->ldap.in.left == 0) {
158 ads_saslwrap_shrink_inbuf(ads);
161 return ret;
165 * if we don't have anything for the caller yet,
166 * tell him to ask again
168 eagain:
169 errno = EAGAIN;
170 return -1;
173 static ber_slen_t ads_saslwrap_prepare_outbuf(ADS_STRUCT *ads, uint32 len)
175 ads->ldap.out.ofs = 0;
176 ads->ldap.out.left = 0;
177 ads->ldap.out.size = 4 + ads->ldap.out.sig_size + len;
178 ads->ldap.out.buf = talloc_array(ads->ldap.mem_ctx,
179 uint8, ads->ldap.out.size);
180 if (!ads->ldap.out.buf) {
181 return -1;
184 return 0;
187 static void ads_saslwrap_shrink_outbuf(ADS_STRUCT *ads)
189 talloc_free(ads->ldap.out.buf);
191 ads->ldap.out.buf = NULL;
192 ads->ldap.out.size = 0;
193 ads->ldap.out.ofs = 0;
194 ads->ldap.out.left = 0;
197 static ber_slen_t ads_saslwrap_write(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
199 ADS_STRUCT *ads = (ADS_STRUCT *)sbiod->sbiod_pvt;
200 ber_slen_t ret, rlen;
202 /* if the buffer is empty, we need to wrap in incoming buffer */
203 if (ads->ldap.out.left == 0) {
204 ADS_STATUS status;
206 if (len == 0) {
207 errno = EINVAL;
208 return -1;
211 rlen = MIN(len, ads->ldap.out.max_unwrapped);
213 ret = ads_saslwrap_prepare_outbuf(ads, rlen);
214 if (ret < 0) return ret;
216 status = ads->ldap.wrap_ops->wrap(ads, (uint8 *)buf, rlen);
217 if (!ADS_ERR_OK(status)) {
218 errno = EACCES;
219 return -1;
222 RSIVAL(ads->ldap.out.buf, 0, ads->ldap.out.left - 4);
223 } else {
224 rlen = -1;
227 ret = LBER_SBIOD_WRITE_NEXT(sbiod,
228 ads->ldap.out.buf + ads->ldap.out.ofs,
229 ads->ldap.out.left);
230 if (ret <= 0) return ret;
231 ads->ldap.out.ofs += ret;
232 ads->ldap.out.left -= ret;
234 if (ads->ldap.out.left == 0) {
235 ads_saslwrap_shrink_outbuf(ads);
238 if (rlen > 0) return rlen;
240 errno = EAGAIN;
241 return -1;
244 static int ads_saslwrap_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg)
246 ADS_STRUCT *ads = (ADS_STRUCT *)sbiod->sbiod_pvt;
247 int ret;
249 switch (opt) {
250 case LBER_SB_OPT_DATA_READY:
251 if (ads->ldap.in.left > 0) {
252 return 1;
254 ret = LBER_SBIOD_CTRL_NEXT(sbiod, opt, arg);
255 break;
256 default:
257 ret = LBER_SBIOD_CTRL_NEXT(sbiod, opt, arg);
258 break;
261 return ret;
264 static int ads_saslwrap_close(Sockbuf_IO_Desc *sbiod)
266 return 0;
269 static const Sockbuf_IO ads_saslwrap_sockbuf_io = {
270 ads_saslwrap_setup, /* sbi_setup */
271 ads_saslwrap_remove, /* sbi_remove */
272 ads_saslwrap_ctrl, /* sbi_ctrl */
273 ads_saslwrap_read, /* sbi_read */
274 ads_saslwrap_write, /* sbi_write */
275 ads_saslwrap_close /* sbi_close */
278 ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
279 const struct ads_saslwrap_ops *ops,
280 void *private_data)
282 ADS_STATUS status;
283 Sockbuf *sb;
284 Sockbuf_IO *io = discard_const_p(Sockbuf_IO, &ads_saslwrap_sockbuf_io);
285 int rc;
287 rc = ldap_get_option(ads->ldap.ld, LDAP_OPT_SOCKBUF, &sb);
288 status = ADS_ERROR_LDAP(rc);
289 if (!ADS_ERR_OK(status)) {
290 return status;
293 /* setup the real wrapping callbacks */
294 rc = ber_sockbuf_add_io(sb, io, LBER_SBIOD_LEVEL_TRANSPORT, ads);
295 status = ADS_ERROR_LDAP(rc);
296 if (!ADS_ERR_OK(status)) {
297 return status;
300 ads->ldap.wrap_ops = ops;
301 ads->ldap.wrap_private_data = private_data;
303 return ADS_SUCCESS;
305 #else
306 ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
307 const struct ads_saslwrap_ops *ops,
308 void *private_data)
310 return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
312 #endif /* HAVE_LDAP_SASL_WRAPPING */