static int
__pmAuthServerSetProperties(sasl_conn_t *conn, int ssf)
{
int saslsts;
sasl_security_properties_t props;
/* set external security strength factor */
saslsts = sasl_setprop(conn, SASL_SSF_EXTERNAL, &ssf);
if (saslsts != SASL_OK && saslsts != SASL_CONTINUE) {
pmNotifyErr(LOG_ERR, "SASL setting external SSF to %d: %s",
ssf, sasl_errstring(saslsts, NULL, NULL));
return __pmSecureSocketsError(saslsts);
}
/* set general security properties */
memset(&props, 0, sizeof(props));
props.maxbufsize = LIMIT_AUTH_PDU;
props.max_ssf = UINT_MAX;
saslsts = sasl_setprop(conn, SASL_SEC_PROPS, &props);
if (saslsts != SASL_OK && saslsts != SASL_CONTINUE) {
pmNotifyErr(LOG_ERR, "SASL setting security properties: %s",
sasl_errstring(saslsts, NULL, NULL));
return __pmSecureSocketsError(saslsts);
}
return 0;
}
EXPORT_SYM const char *
hdfs_namenode_connect(struct hdfs_namenode *n, const char *host, const char *port)
{
const char *error = NULL;
_lock(&n->nn_lock);
ASSERT(n->nn_sock == -1);
if (n->nn_kerb == HDFS_TRY_KERB || n->nn_kerb == HDFS_REQUIRE_KERB) {
int r = sasl_client_new("hdfs", host, NULL/*localip*/,
NULL/*remoteip*/, NULL/*CBs*/, 0/*sec flags*/, &n->nn_sasl_ctx);
if (r != SASL_OK) {
error = sasl_errstring(r, NULL, NULL);
goto out;
}
}
error = _connect(&n->nn_sock, host, port);
if (error)
goto out;
out:
_unlock(&n->nn_lock);
return error;
}
static int mutt_sasl_conn_read (CONNECTION * conn, char *buf, size_t len)
{
SASL_DATA *sasldata;
int rc;
unsigned int olen;
sasldata = (SASL_DATA *) conn->sockdata;
/* if we still have data in our read buffer, copy it into buf */
if (sasldata->blen > sasldata->bpos) {
olen = (sasldata->blen - sasldata->bpos > len) ? len :
sasldata->blen - sasldata->bpos;
memcpy (buf, sasldata->buf + sasldata->bpos, olen);
sasldata->bpos += olen;
return olen;
}
conn->sockdata = sasldata->sockdata;
mem_free (&sasldata->buf);
sasldata->bpos = 0;
sasldata->blen = 0;
/* and decode the result, if necessary */
if (*sasldata->ssf) {
do {
/* call the underlying read function to fill the buffer */
rc = (sasldata->msasl_read) (conn, buf, len);
if (rc <= 0)
goto out;
rc = sasl_decode (sasldata->saslconn, buf, rc, &sasldata->buf,
&sasldata->blen);
if (rc != SASL_OK) {
debug_print (1, ("SASL decode failed: %s\n",
sasl_errstring (rc, NULL, NULL)));
goto out;
}
}
while (!sasldata->blen);
olen = (sasldata->blen - sasldata->bpos > len) ? len :
sasldata->blen - sasldata->bpos;
memcpy (buf, sasldata->buf, olen);
sasldata->bpos += olen;
rc = olen;
}
else
rc = (sasldata->msasl_read) (conn, buf, len);
out:
conn->sockdata = sasldata;
return rc;
}
string TSasl::getUsername() {
const char* username;
int result =
sasl_getprop(conn, SASL_USERNAME, reinterpret_cast<const void **>(&username));
if (result != SASL_OK) {
stringstream ss;
ss << "Error getting SASL_USERNAME property: " << sasl_errstring(result, NULL, NULL);
throw SaslException(ss.str().c_str());
}
// Copy the username and return it to the caller. There is no cleanup/delete call for
// calls to sasl_getprops, the sasl layer handles the cleanup internally.
string ret(username);
// Temporary fix to auth_to_local-style lowercase mapping from
// USER_NAME/[email protected] -> user_name/[email protected]
//
// TODO: The right fix is probably to use UserGroupInformation in the frontend which
// will use auth_to_local rules to do this.
if (FLAGS_force_lowercase_usernames) {
vector<string> components;
split(components, ret, is_any_of("@"));
if (components.size() > 0 ) {
to_lower(components[0]);
ret = join(components, "@");
}
}
return ret;
}
gboolean
mn_sasl_init (GError **err)
{
/*
* Bad things may happen if we call sasl_client_init() again after
* having called sasl_done(), so we just keep SASL initialized for
* the whole application lifetime.
*/
G_LOCK(init);
if (! attempted)
{
int status;
status = sasl_client_init(NULL);
if (status == SASL_OK)
initialized = TRUE;
else
init_error = g_strdup(sasl_errstring(status, NULL, NULL));
attempted = TRUE;
}
if (! initialized)
{
g_assert(init_error != NULL);
g_set_error(err, 0, 0, "%s", init_error);
}
G_UNLOCK(init);
return initialized;
}
const char *virNetSASLSessionGetIdentity(virNetSASLSessionPtr sasl)
{
const void *val = NULL;
int err;
virObjectLock(sasl);
err = sasl_getprop(sasl->conn, SASL_USERNAME, &val);
if (err != SASL_OK) {
virReportError(VIR_ERR_AUTH_FAILED,
_("cannot query SASL username on connection %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
val = NULL;
goto cleanup;
}
if (val == NULL) {
virReportError(VIR_ERR_AUTH_FAILED, "%s",
_("no client username was found"));
goto cleanup;
}
VIR_DEBUG("SASL client username %s", (const char *)val);
cleanup:
virObjectUnlock(sasl);
return (const char*)val;
}
virNetSASLSessionPtr virNetSASLSessionNewServer(virNetSASLContextPtr ctxt ATTRIBUTE_UNUSED,
const char *service,
const char *localAddr,
const char *remoteAddr)
{
virNetSASLSessionPtr sasl = NULL;
int err;
if (!(sasl = virObjectLockableNew(virNetSASLSessionClass)))
return NULL;
/* Arbitrary size for amount of data we can encode in a single block */
sasl->maxbufsize = 1 << 16;
err = sasl_server_new(service,
NULL,
NULL,
localAddr,
remoteAddr,
NULL,
SASL_SUCCESS_DATA,
&sasl->conn);
if (err != SASL_OK) {
virReportError(VIR_ERR_AUTH_FAILED,
_("Failed to create SASL client context: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
goto cleanup;
}
return sasl;
cleanup:
virObjectUnref(sasl);
return NULL;
}
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist)
{
virNetSASLContextPtr ctxt;
int err;
err = sasl_server_init(NULL, "libvirt");
if (err != SASL_OK) {
virNetError(VIR_ERR_AUTH_FAILED,
_("failed to initialize SASL library: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
return NULL;
}
if (VIR_ALLOC(ctxt) < 0) {
virReportOOMError();
return NULL;
}
if (virMutexInit(&ctxt->lock) < 0) {
virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Failed to initialized mutex"));
VIR_FREE(ctxt);
return NULL;
}
ctxt->usernameWhitelist = usernameWhitelist;
ctxt->refs = 1;
return ctxt;
}
int virNetSASLSessionSecProps(virNetSASLSessionPtr sasl,
int minSSF,
int maxSSF,
bool allowAnonymous)
{
sasl_security_properties_t secprops;
int err;
int ret = -1;
VIR_DEBUG("minSSF=%d maxSSF=%d allowAnonymous=%d maxbufsize=%zu",
minSSF, maxSSF, allowAnonymous, sasl->maxbufsize);
virObjectLock(sasl);
memset(&secprops, 0, sizeof(secprops));
secprops.min_ssf = minSSF;
secprops.max_ssf = maxSSF;
secprops.maxbufsize = sasl->maxbufsize;
secprops.security_flags = allowAnonymous ? 0 :
SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
err = sasl_setprop(sasl->conn, SASL_SEC_PROPS, &secprops);
if (err != SASL_OK) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot set security props %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
goto cleanup;
}
ret = 0;
cleanup:
virObjectUnlock(sasl);
return ret;
}
virNetSASLContextPtr virNetSASLContextNewClient(void)
{
virNetSASLContextPtr ctxt;
int err;
err = sasl_client_init(NULL);
if (err != SASL_OK) {
virNetError(VIR_ERR_AUTH_FAILED,
_("failed to initialize SASL library: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
return NULL;
}
if (VIR_ALLOC(ctxt) < 0) {
virReportOOMError();
return NULL;
}
if (virMutexInit(&ctxt->lock) < 0) {
virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Failed to initialized mutex"));
VIR_FREE(ctxt);
return NULL;
}
ctxt->refs = 1;
return ctxt;
}
TSaslClient::TSaslClient(const string& mechanisms, const string& authenticationId,
const string& protocol, const string& serverName, const map<string,string>& props,
sasl_callback_t* callbacks) {
conn = NULL;
if (!props.empty()) {
throw SaslServerImplException("Properties not yet supported");
}
int result = sasl_client_new(protocol.c_str(), serverName.c_str(),
NULL, NULL, callbacks, 0, &conn);
if (result != SASL_OK) {
if (conn) {
throw SaslServerImplException(sasl_errdetail(conn));
} else {
throw SaslServerImplException(sasl_errstring(result, NULL, NULL));
}
}
if (!authenticationId.empty()) {
/* TODO: setup security property */
/*
sasl_security_properties_t secprops;
// populate secprops
result = sasl_setprop(conn, SASL_AUTH_EXTERNAL, authenticationId.c_str());
*/
}
chosenMech = mechList = mechanisms;
authComplete = false;
clientStarted = false;
}
virNetSASLContextPtr virNetSASLContextNewClient(void)
{
virNetSASLContextPtr ctxt;
int err;
if (virNetSASLContextInitialize() < 0)
return NULL;
err = sasl_client_init(NULL);
if (err != SASL_OK) {
virReportError(VIR_ERR_AUTH_FAILED,
_("failed to initialize SASL library: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
return NULL;
}
if (!(ctxt = virObjectNew(virNetSASLContextClass)))
return NULL;
if (virMutexInit(&ctxt->lock) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Failed to initialized mutex"));
VIR_FREE(ctxt);
return NULL;
}
return ctxt;
}
/* add an auxiliary property plugin */
int sasl_auxprop_add_plugin(const char *plugname,
sasl_auxprop_init_t *auxpropfunc)
{
int result, out_version;
auxprop_plug_list_t *new_item;
sasl_auxprop_plug_t *plug;
result = auxpropfunc(sasl_global_utils, SASL_AUXPROP_PLUG_VERSION,
&out_version, &plug, plugname);
if(result != SASL_OK) {
_sasl_log(NULL, SASL_LOG_ERR, "auxpropfunc error %s\n",
sasl_errstring(result, NULL, NULL));
return result;
}
/* We require that this function is implemented */
if(!plug->auxprop_lookup) return SASL_BADPROT;
new_item = sasl_ALLOC(sizeof(auxprop_plug_list_t));
if(!new_item) return SASL_NOMEM;
/* These will load from least-important to most important */
new_item->plug = plug;
new_item->next = auxprop_head;
auxprop_head = new_item;
return SASL_OK;
}
static int vnc_auth_sasl_check_access(VncState *vs)
{
const void *val;
int err;
int allow;
err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
if (err != SASL_OK) {
VNC_DEBUG("cannot query SASL username on connection %d (%s), denying access\n",
err, sasl_errstring(err, NULL, NULL));
return -1;
}
if (val == NULL) {
VNC_DEBUG("no client username was found, denying access\n");
return -1;
}
VNC_DEBUG("SASL client username %s\n", (const char *)val);
vs->sasl.username = g_strdup((const char*)val);
if (vs->vd->sasl.acl == NULL) {
VNC_DEBUG("no ACL activated, allowing access\n");
return 0;
}
allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username);
VNC_DEBUG("SASL client %s %s by ACL\n", vs->sasl.username,
allow ? "allowed" : "denied");
return allow ? 0 : -1;
}
static bool pni_check_sasl_result(sasl_conn_t *conn, int r, pn_transport_t *logger)
{
if (r!=SASL_OK) {
if (logger->trace & PN_TRACE_DRV)
pn_transport_logf(logger, "sasl error: %s", conn ? sasl_errdetail(conn) : sasl_errstring(r, NULL, NULL));
return false;
}
return true;
}
static bool
_mongoc_cyrus_is_failure (int status, bson_error_t *error)
{
bool ret = (status < 0);
TRACE ("Got status: %d ok is %d, continue=%d interact=%d\n",
status,
SASL_OK,
SASL_CONTINUE,
SASL_INTERACT);
if (ret) {
switch (status) {
case SASL_NOMEM:
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"SASL Failure: insufficient memory.");
break;
case SASL_NOMECH: {
bson_string_t *str = bson_string_new ("available mechanisms: ");
const char **mechs = sasl_global_listmech ();
int i = 0;
for (i = 0; mechs[i]; i++) {
bson_string_append (str, mechs[i]);
if (mechs[i + 1]) {
bson_string_append (str, ",");
}
}
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"SASL Failure: failure to negotiate mechanism (%s)",
str->str);
bson_string_free (str, 0);
} break;
case SASL_BADPARAM:
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"Bad parameter supplied. Please file a bug "
"with mongo-c-driver.");
break;
default:
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"SASL Failure: (%d): %s",
status,
sasl_errstring (status, NULL, NULL));
break;
}
}
return ret;
}
int is_sasl_failure(sasl_conn_t *conn, int result, char **error_message)
{
if (result < 0) {
*error_message = malloc(256);
snprintf(*error_message, 256, "Authentication error: %s", sasl_errstring(result, NULL, NULL));
return 1;
}
return 0;
}
/* add an auxiliary property plugin */
int sasl_auxprop_add_plugin(const char *plugname,
sasl_auxprop_init_t *auxpropfunc)
{
int result = sasl_auxprop_add_plugin_nolog(plugname, auxpropfunc);
if(result != SASL_OK) {
_sasl_log(NULL, SASL_LOG_ERR, "auxpropfunc error %s\n",
sasl_errstring(result, NULL, NULL));
}
return result;
}
/**
* Global SASL init, called once per runtime.
*/
int rd_kafka_sasl_global_init (void) {
int r;
mtx_init(&rd_kafka_sasl_kinit_lock, mtx_plain);
r = sasl_client_init(NULL);
if (r != SASL_OK) {
fprintf(stderr, "librdkafka: sasl_client_init() failed: %s\n",
sasl_errstring(r, NULL, NULL));
return -1;
}
return 0;
}
static int mutt_sasl_conn_write (CONNECTION* conn, const char* buf,
size_t len)
{
SASL_DATA* sasldata;
int rc;
const char *pbuf;
unsigned int olen, plen;
sasldata = (SASL_DATA*) conn->sockdata;
conn->sockdata = sasldata->sockdata;
/* encode data, if necessary */
if (*sasldata->ssf)
{
/* handle data larger than MAXOUTBUF */
do
{
olen = (len > *sasldata->pbufsize) ? *sasldata->pbufsize : len;
rc = sasl_encode (sasldata->saslconn, buf, olen, &pbuf, &plen);
if (rc != SASL_OK)
{
dprint (1, (debugfile, "SASL encoding failed: %s\n",
sasl_errstring (rc, NULL, NULL)));
goto fail;
}
rc = (sasldata->msasl_write) (conn, pbuf, plen);
if (rc != plen)
goto fail;
len -= olen;
buf += olen;
}
while (len > *sasldata->pbufsize);
}
else
/* just write using the underlying socket function */
rc = (sasldata->msasl_write) (conn, buf, len);
conn->sockdata = sasldata;
return rc;
fail:
conn->sockdata = sasldata;
return -1;
}
static svn_error_t *initialize(void *baton, apr_pool_t *pool)
{
int result;
SVN_ERR(svn_ra_svn__sasl_common_init(pool));
/* The second parameter tells SASL to look for a configuration file
named subversion.conf. */
result = sasl_server_init(callbacks, SVN_RA_SVN_SASL_NAME);
if (result != SASL_OK)
{
svn_error_t *err = svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
sasl_errstring(result, NULL, NULL));
return svn_error_quick_wrap(err,
_("Could not initialize the SASL library"));
}
return SVN_NO_ERROR;
}
virNetSASLSessionPtr virNetSASLSessionNewClient(virNetSASLContextPtr ctxt ATTRIBUTE_UNUSED,
const char *service,
const char *hostname,
const char *localAddr,
const char *remoteAddr,
const sasl_callback_t *cbs)
{
virNetSASLSessionPtr sasl = NULL;
int err;
if (VIR_ALLOC(sasl) < 0) {
virReportOOMError();
goto cleanup;
}
if (virMutexInit(&sasl->lock) < 0) {
virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Failed to initialized mutex"));
VIR_FREE(sasl);
return NULL;
}
sasl->refs = 1;
/* Arbitrary size for amount of data we can encode in a single block */
sasl->maxbufsize = 1 << 16;
err = sasl_client_new(service,
hostname,
localAddr,
remoteAddr,
cbs,
SASL_SUCCESS_DATA,
&sasl->conn);
if (err != SASL_OK) {
virNetError(VIR_ERR_AUTH_FAILED,
_("Failed to create SASL client context: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
goto cleanup;
}
return sasl;
cleanup:
virNetSASLSessionFree(sasl);
return NULL;
}
TSaslServer::TSaslServer(const string& service, const string& serverFQDN,
const string& userRealm,
unsigned flags, sasl_callback_t* callbacks) {
conn = NULL;
int result = sasl_server_new(service.c_str(),
serverFQDN.size() == 0 ? NULL : serverFQDN.c_str(),
userRealm.size() == 0 ? NULL :userRealm.c_str(),
NULL, NULL, callbacks, flags, &conn);
if (result != SASL_OK) {
if (conn) {
throw SaslServerImplException(sasl_errdetail(conn));
} else {
throw SaslServerImplException(sasl_errstring(result, NULL, NULL));
}
}
authComplete = false;
serverStarted = false;
}
virNetSASLContextPtr virNetSASLContextNewClient(void)
{
virNetSASLContextPtr ctxt;
int err;
if (virNetSASLContextInitialize() < 0)
return NULL;
err = sasl_client_init(NULL);
if (err != SASL_OK) {
virReportError(VIR_ERR_AUTH_FAILED,
_("failed to initialize SASL library: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
return NULL;
}
if (!(ctxt = virObjectLockableNew(virNetSASLContextClass)))
return NULL;
return ctxt;
}
static int virNetSASLSessionUpdateBufSize(virNetSASLSessionPtr sasl)
{
union {
unsigned *maxbufsize;
const void *ptr;
} u;
int err;
err = sasl_getprop(sasl->conn, SASL_MAXOUTBUF, &u.ptr);
if (err != SASL_OK) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot get security props %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
return -1;
}
VIR_DEBUG("Negotiated bufsize is %u vs requested size %zu",
*u.maxbufsize, sasl->maxbufsize);
sasl->maxbufsize = *u.maxbufsize;
return 0;
}
int virNetSASLSessionGetKeySize(virNetSASLSessionPtr sasl)
{
int err;
int ssf;
const void *val;
virObjectLock(sasl);
err = sasl_getprop(sasl->conn, SASL_SSF, &val);
if (err != SASL_OK) {
virReportError(VIR_ERR_AUTH_FAILED,
_("cannot query SASL ssf on connection %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
ssf = -1;
goto cleanup;
}
ssf = *(const int *)val;
cleanup:
virObjectUnlock(sasl);
return ssf;
}
int virNetSASLSessionExtKeySize(virNetSASLSessionPtr sasl,
int ssf)
{
int err;
int ret = -1;
virObjectLock(sasl);
err = sasl_setprop(sasl->conn, SASL_SSF_EXTERNAL, &ssf);
if (err != SASL_OK) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot set external SSF %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
goto cleanup;
}
ret = 0;
cleanup:
virObjectUnlock(sasl);
return ret;
}
static bool
_mongoc_sasl_is_failure (int status,
bson_error_t *error)
{
bool ret = (status < 0);
if (ret) {
switch (status) {
case SASL_NOMEM:
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"SASL Failrue: insufficient memory.");
break;
case SASL_NOMECH:
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"SASL Failure: failure to negotiate mechanism");
break;
case SASL_BADPARAM:
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"Bad parameter supplied. Please file a bug "
"with mongo-c-driver.");
break;
default:
bson_set_error (error,
MONGOC_ERROR_SASL,
status,
"SASL Failure: (%d): %s",
status,
sasl_errstring (status, NULL, NULL));
break;
}
}
return ret;
}
ssize_t virNetSASLSessionEncode(virNetSASLSessionPtr sasl,
const char *input,
size_t inputLen,
const char **output,
size_t *outputlen)
{
unsigned inlen = inputLen;
unsigned outlen = 0;
int err;
ssize_t ret = -1;
virObjectLock(sasl);
if (inputLen > sasl->maxbufsize) {
virReportSystemError(EINVAL,
_("SASL data length %zu too long, max %zu"),
inputLen, sasl->maxbufsize);
goto cleanup;
}
err = sasl_encode(sasl->conn,
input,
inlen,
output,
&outlen);
*outputlen = outlen;
if (err != SASL_OK) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("failed to encode SASL data: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
goto cleanup;
}
ret = 0;
cleanup:
virObjectUnlock(sasl);
return ret;
}
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist)
{
virNetSASLContextPtr ctxt;
int err;
if (virNetSASLContextInitialize() < 0)
return NULL;
err = sasl_server_init(NULL, "libvirt");
if (err != SASL_OK) {
virReportError(VIR_ERR_AUTH_FAILED,
_("failed to initialize SASL library: %d (%s)"),
err, sasl_errstring(err, NULL, NULL));
return NULL;
}
if (!(ctxt = virObjectLockableNew(virNetSASLContextClass)))
return NULL;
ctxt->usernameWhitelist = usernameWhitelist;
return ctxt;
}
