static int __pmAuthServerSetProperties(sasl_conn_t *conn, int ssf) { int saslsts; sasl_security_properties_t props; /* set external security strength factor */ saslsts = sasl_setprop(conn, SASL_SSF_EXTERNAL, &ssf); if (saslsts != SASL_OK && saslsts != SASL_CONTINUE) { pmNotifyErr(LOG_ERR, "SASL setting external SSF to %d: %s", ssf, sasl_errstring(saslsts, NULL, NULL)); return __pmSecureSocketsError(saslsts); } /* set general security properties */ memset(&props, 0, sizeof(props)); props.maxbufsize = LIMIT_AUTH_PDU; props.max_ssf = UINT_MAX; saslsts = sasl_setprop(conn, SASL_SEC_PROPS, &props); if (saslsts != SASL_OK && saslsts != SASL_CONTINUE) { pmNotifyErr(LOG_ERR, "SASL setting security properties: %s", sasl_errstring(saslsts, NULL, NULL)); return __pmSecureSocketsError(saslsts); } return 0; }
EXPORT_SYM const char * hdfs_namenode_connect(struct hdfs_namenode *n, const char *host, const char *port) { const char *error = NULL; _lock(&n->nn_lock); ASSERT(n->nn_sock == -1); if (n->nn_kerb == HDFS_TRY_KERB || n->nn_kerb == HDFS_REQUIRE_KERB) { int r = sasl_client_new("hdfs", host, NULL/*localip*/, NULL/*remoteip*/, NULL/*CBs*/, 0/*sec flags*/, &n->nn_sasl_ctx); if (r != SASL_OK) { error = sasl_errstring(r, NULL, NULL); goto out; } } error = _connect(&n->nn_sock, host, port); if (error) goto out; out: _unlock(&n->nn_lock); return error; }
static int mutt_sasl_conn_read (CONNECTION * conn, char *buf, size_t len) { SASL_DATA *sasldata; int rc; unsigned int olen; sasldata = (SASL_DATA *) conn->sockdata; /* if we still have data in our read buffer, copy it into buf */ if (sasldata->blen > sasldata->bpos) { olen = (sasldata->blen - sasldata->bpos > len) ? len : sasldata->blen - sasldata->bpos; memcpy (buf, sasldata->buf + sasldata->bpos, olen); sasldata->bpos += olen; return olen; } conn->sockdata = sasldata->sockdata; mem_free (&sasldata->buf); sasldata->bpos = 0; sasldata->blen = 0; /* and decode the result, if necessary */ if (*sasldata->ssf) { do { /* call the underlying read function to fill the buffer */ rc = (sasldata->msasl_read) (conn, buf, len); if (rc <= 0) goto out; rc = sasl_decode (sasldata->saslconn, buf, rc, &sasldata->buf, &sasldata->blen); if (rc != SASL_OK) { debug_print (1, ("SASL decode failed: %s\n", sasl_errstring (rc, NULL, NULL))); goto out; } } while (!sasldata->blen); olen = (sasldata->blen - sasldata->bpos > len) ? len : sasldata->blen - sasldata->bpos; memcpy (buf, sasldata->buf, olen); sasldata->bpos += olen; rc = olen; } else rc = (sasldata->msasl_read) (conn, buf, len); out: conn->sockdata = sasldata; return rc; }
string TSasl::getUsername() { const char* username; int result = sasl_getprop(conn, SASL_USERNAME, reinterpret_cast<const void **>(&username)); if (result != SASL_OK) { stringstream ss; ss << "Error getting SASL_USERNAME property: " << sasl_errstring(result, NULL, NULL); throw SaslException(ss.str().c_str()); } // Copy the username and return it to the caller. There is no cleanup/delete call for // calls to sasl_getprops, the sasl layer handles the cleanup internally. string ret(username); // Temporary fix to auth_to_local-style lowercase mapping from // USER_NAME/[email protected] -> user_name/[email protected] // // TODO: The right fix is probably to use UserGroupInformation in the frontend which // will use auth_to_local rules to do this. if (FLAGS_force_lowercase_usernames) { vector<string> components; split(components, ret, is_any_of("@")); if (components.size() > 0 ) { to_lower(components[0]); ret = join(components, "@"); } } return ret; }
gboolean mn_sasl_init (GError **err) { /* * Bad things may happen if we call sasl_client_init() again after * having called sasl_done(), so we just keep SASL initialized for * the whole application lifetime. */ G_LOCK(init); if (! attempted) { int status; status = sasl_client_init(NULL); if (status == SASL_OK) initialized = TRUE; else init_error = g_strdup(sasl_errstring(status, NULL, NULL)); attempted = TRUE; } if (! initialized) { g_assert(init_error != NULL); g_set_error(err, 0, 0, "%s", init_error); } G_UNLOCK(init); return initialized; }
const char *virNetSASLSessionGetIdentity(virNetSASLSessionPtr sasl) { const void *val = NULL; int err; virObjectLock(sasl); err = sasl_getprop(sasl->conn, SASL_USERNAME, &val); if (err != SASL_OK) { virReportError(VIR_ERR_AUTH_FAILED, _("cannot query SASL username on connection %d (%s)"), err, sasl_errstring(err, NULL, NULL)); val = NULL; goto cleanup; } if (val == NULL) { virReportError(VIR_ERR_AUTH_FAILED, "%s", _("no client username was found")); goto cleanup; } VIR_DEBUG("SASL client username %s", (const char *)val); cleanup: virObjectUnlock(sasl); return (const char*)val; }
virNetSASLSessionPtr virNetSASLSessionNewServer(virNetSASLContextPtr ctxt ATTRIBUTE_UNUSED, const char *service, const char *localAddr, const char *remoteAddr) { virNetSASLSessionPtr sasl = NULL; int err; if (!(sasl = virObjectLockableNew(virNetSASLSessionClass))) return NULL; /* Arbitrary size for amount of data we can encode in a single block */ sasl->maxbufsize = 1 << 16; err = sasl_server_new(service, NULL, NULL, localAddr, remoteAddr, NULL, SASL_SUCCESS_DATA, &sasl->conn); if (err != SASL_OK) { virReportError(VIR_ERR_AUTH_FAILED, _("Failed to create SASL client context: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); goto cleanup; } return sasl; cleanup: virObjectUnref(sasl); return NULL; }
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist) { virNetSASLContextPtr ctxt; int err; err = sasl_server_init(NULL, "libvirt"); if (err != SASL_OK) { virNetError(VIR_ERR_AUTH_FAILED, _("failed to initialize SASL library: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); return NULL; } if (VIR_ALLOC(ctxt) < 0) { virReportOOMError(); return NULL; } if (virMutexInit(&ctxt->lock) < 0) { virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to initialized mutex")); VIR_FREE(ctxt); return NULL; } ctxt->usernameWhitelist = usernameWhitelist; ctxt->refs = 1; return ctxt; }
int virNetSASLSessionSecProps(virNetSASLSessionPtr sasl, int minSSF, int maxSSF, bool allowAnonymous) { sasl_security_properties_t secprops; int err; int ret = -1; VIR_DEBUG("minSSF=%d maxSSF=%d allowAnonymous=%d maxbufsize=%zu", minSSF, maxSSF, allowAnonymous, sasl->maxbufsize); virObjectLock(sasl); memset(&secprops, 0, sizeof(secprops)); secprops.min_ssf = minSSF; secprops.max_ssf = maxSSF; secprops.maxbufsize = sasl->maxbufsize; secprops.security_flags = allowAnonymous ? 0 : SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT; err = sasl_setprop(sasl->conn, SASL_SEC_PROPS, &secprops); if (err != SASL_OK) { virReportError(VIR_ERR_INTERNAL_ERROR, _("cannot set security props %d (%s)"), err, sasl_errstring(err, NULL, NULL)); goto cleanup; } ret = 0; cleanup: virObjectUnlock(sasl); return ret; }
virNetSASLContextPtr virNetSASLContextNewClient(void) { virNetSASLContextPtr ctxt; int err; err = sasl_client_init(NULL); if (err != SASL_OK) { virNetError(VIR_ERR_AUTH_FAILED, _("failed to initialize SASL library: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); return NULL; } if (VIR_ALLOC(ctxt) < 0) { virReportOOMError(); return NULL; } if (virMutexInit(&ctxt->lock) < 0) { virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to initialized mutex")); VIR_FREE(ctxt); return NULL; } ctxt->refs = 1; return ctxt; }
TSaslClient::TSaslClient(const string& mechanisms, const string& authenticationId, const string& protocol, const string& serverName, const map<string,string>& props, sasl_callback_t* callbacks) { conn = NULL; if (!props.empty()) { throw SaslServerImplException("Properties not yet supported"); } int result = sasl_client_new(protocol.c_str(), serverName.c_str(), NULL, NULL, callbacks, 0, &conn); if (result != SASL_OK) { if (conn) { throw SaslServerImplException(sasl_errdetail(conn)); } else { throw SaslServerImplException(sasl_errstring(result, NULL, NULL)); } } if (!authenticationId.empty()) { /* TODO: setup security property */ /* sasl_security_properties_t secprops; // populate secprops result = sasl_setprop(conn, SASL_AUTH_EXTERNAL, authenticationId.c_str()); */ } chosenMech = mechList = mechanisms; authComplete = false; clientStarted = false; }
virNetSASLContextPtr virNetSASLContextNewClient(void) { virNetSASLContextPtr ctxt; int err; if (virNetSASLContextInitialize() < 0) return NULL; err = sasl_client_init(NULL); if (err != SASL_OK) { virReportError(VIR_ERR_AUTH_FAILED, _("failed to initialize SASL library: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); return NULL; } if (!(ctxt = virObjectNew(virNetSASLContextClass))) return NULL; if (virMutexInit(&ctxt->lock) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to initialized mutex")); VIR_FREE(ctxt); return NULL; } return ctxt; }
/* add an auxiliary property plugin */ int sasl_auxprop_add_plugin(const char *plugname, sasl_auxprop_init_t *auxpropfunc) { int result, out_version; auxprop_plug_list_t *new_item; sasl_auxprop_plug_t *plug; result = auxpropfunc(sasl_global_utils, SASL_AUXPROP_PLUG_VERSION, &out_version, &plug, plugname); if(result != SASL_OK) { _sasl_log(NULL, SASL_LOG_ERR, "auxpropfunc error %s\n", sasl_errstring(result, NULL, NULL)); return result; } /* We require that this function is implemented */ if(!plug->auxprop_lookup) return SASL_BADPROT; new_item = sasl_ALLOC(sizeof(auxprop_plug_list_t)); if(!new_item) return SASL_NOMEM; /* These will load from least-important to most important */ new_item->plug = plug; new_item->next = auxprop_head; auxprop_head = new_item; return SASL_OK; }
static int vnc_auth_sasl_check_access(VncState *vs) { const void *val; int err; int allow; err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val); if (err != SASL_OK) { VNC_DEBUG("cannot query SASL username on connection %d (%s), denying access\n", err, sasl_errstring(err, NULL, NULL)); return -1; } if (val == NULL) { VNC_DEBUG("no client username was found, denying access\n"); return -1; } VNC_DEBUG("SASL client username %s\n", (const char *)val); vs->sasl.username = g_strdup((const char*)val); if (vs->vd->sasl.acl == NULL) { VNC_DEBUG("no ACL activated, allowing access\n"); return 0; } allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username); VNC_DEBUG("SASL client %s %s by ACL\n", vs->sasl.username, allow ? "allowed" : "denied"); return allow ? 0 : -1; }
static bool pni_check_sasl_result(sasl_conn_t *conn, int r, pn_transport_t *logger) { if (r!=SASL_OK) { if (logger->trace & PN_TRACE_DRV) pn_transport_logf(logger, "sasl error: %s", conn ? sasl_errdetail(conn) : sasl_errstring(r, NULL, NULL)); return false; } return true; }
static bool _mongoc_cyrus_is_failure (int status, bson_error_t *error) { bool ret = (status < 0); TRACE ("Got status: %d ok is %d, continue=%d interact=%d\n", status, SASL_OK, SASL_CONTINUE, SASL_INTERACT); if (ret) { switch (status) { case SASL_NOMEM: bson_set_error (error, MONGOC_ERROR_SASL, status, "SASL Failure: insufficient memory."); break; case SASL_NOMECH: { bson_string_t *str = bson_string_new ("available mechanisms: "); const char **mechs = sasl_global_listmech (); int i = 0; for (i = 0; mechs[i]; i++) { bson_string_append (str, mechs[i]); if (mechs[i + 1]) { bson_string_append (str, ","); } } bson_set_error (error, MONGOC_ERROR_SASL, status, "SASL Failure: failure to negotiate mechanism (%s)", str->str); bson_string_free (str, 0); } break; case SASL_BADPARAM: bson_set_error (error, MONGOC_ERROR_SASL, status, "Bad parameter supplied. Please file a bug " "with mongo-c-driver."); break; default: bson_set_error (error, MONGOC_ERROR_SASL, status, "SASL Failure: (%d): %s", status, sasl_errstring (status, NULL, NULL)); break; } } return ret; }
int is_sasl_failure(sasl_conn_t *conn, int result, char **error_message) { if (result < 0) { *error_message = malloc(256); snprintf(*error_message, 256, "Authentication error: %s", sasl_errstring(result, NULL, NULL)); return 1; } return 0; }
/* add an auxiliary property plugin */ int sasl_auxprop_add_plugin(const char *plugname, sasl_auxprop_init_t *auxpropfunc) { int result = sasl_auxprop_add_plugin_nolog(plugname, auxpropfunc); if(result != SASL_OK) { _sasl_log(NULL, SASL_LOG_ERR, "auxpropfunc error %s\n", sasl_errstring(result, NULL, NULL)); } return result; }
/** * Global SASL init, called once per runtime. */ int rd_kafka_sasl_global_init (void) { int r; mtx_init(&rd_kafka_sasl_kinit_lock, mtx_plain); r = sasl_client_init(NULL); if (r != SASL_OK) { fprintf(stderr, "librdkafka: sasl_client_init() failed: %s\n", sasl_errstring(r, NULL, NULL)); return -1; } return 0; }
static int mutt_sasl_conn_write (CONNECTION* conn, const char* buf, size_t len) { SASL_DATA* sasldata; int rc; const char *pbuf; unsigned int olen, plen; sasldata = (SASL_DATA*) conn->sockdata; conn->sockdata = sasldata->sockdata; /* encode data, if necessary */ if (*sasldata->ssf) { /* handle data larger than MAXOUTBUF */ do { olen = (len > *sasldata->pbufsize) ? *sasldata->pbufsize : len; rc = sasl_encode (sasldata->saslconn, buf, olen, &pbuf, &plen); if (rc != SASL_OK) { dprint (1, (debugfile, "SASL encoding failed: %s\n", sasl_errstring (rc, NULL, NULL))); goto fail; } rc = (sasldata->msasl_write) (conn, pbuf, plen); if (rc != plen) goto fail; len -= olen; buf += olen; } while (len > *sasldata->pbufsize); } else /* just write using the underlying socket function */ rc = (sasldata->msasl_write) (conn, buf, len); conn->sockdata = sasldata; return rc; fail: conn->sockdata = sasldata; return -1; }
static svn_error_t *initialize(void *baton, apr_pool_t *pool) { int result; SVN_ERR(svn_ra_svn__sasl_common_init(pool)); /* The second parameter tells SASL to look for a configuration file named subversion.conf. */ result = sasl_server_init(callbacks, SVN_RA_SVN_SASL_NAME); if (result != SASL_OK) { svn_error_t *err = svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL, sasl_errstring(result, NULL, NULL)); return svn_error_quick_wrap(err, _("Could not initialize the SASL library")); } return SVN_NO_ERROR; }
virNetSASLSessionPtr virNetSASLSessionNewClient(virNetSASLContextPtr ctxt ATTRIBUTE_UNUSED, const char *service, const char *hostname, const char *localAddr, const char *remoteAddr, const sasl_callback_t *cbs) { virNetSASLSessionPtr sasl = NULL; int err; if (VIR_ALLOC(sasl) < 0) { virReportOOMError(); goto cleanup; } if (virMutexInit(&sasl->lock) < 0) { virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to initialized mutex")); VIR_FREE(sasl); return NULL; } sasl->refs = 1; /* Arbitrary size for amount of data we can encode in a single block */ sasl->maxbufsize = 1 << 16; err = sasl_client_new(service, hostname, localAddr, remoteAddr, cbs, SASL_SUCCESS_DATA, &sasl->conn); if (err != SASL_OK) { virNetError(VIR_ERR_AUTH_FAILED, _("Failed to create SASL client context: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); goto cleanup; } return sasl; cleanup: virNetSASLSessionFree(sasl); return NULL; }
TSaslServer::TSaslServer(const string& service, const string& serverFQDN, const string& userRealm, unsigned flags, sasl_callback_t* callbacks) { conn = NULL; int result = sasl_server_new(service.c_str(), serverFQDN.size() == 0 ? NULL : serverFQDN.c_str(), userRealm.size() == 0 ? NULL :userRealm.c_str(), NULL, NULL, callbacks, flags, &conn); if (result != SASL_OK) { if (conn) { throw SaslServerImplException(sasl_errdetail(conn)); } else { throw SaslServerImplException(sasl_errstring(result, NULL, NULL)); } } authComplete = false; serverStarted = false; }
virNetSASLContextPtr virNetSASLContextNewClient(void) { virNetSASLContextPtr ctxt; int err; if (virNetSASLContextInitialize() < 0) return NULL; err = sasl_client_init(NULL); if (err != SASL_OK) { virReportError(VIR_ERR_AUTH_FAILED, _("failed to initialize SASL library: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); return NULL; } if (!(ctxt = virObjectLockableNew(virNetSASLContextClass))) return NULL; return ctxt; }
static int virNetSASLSessionUpdateBufSize(virNetSASLSessionPtr sasl) { union { unsigned *maxbufsize; const void *ptr; } u; int err; err = sasl_getprop(sasl->conn, SASL_MAXOUTBUF, &u.ptr); if (err != SASL_OK) { virReportError(VIR_ERR_INTERNAL_ERROR, _("cannot get security props %d (%s)"), err, sasl_errstring(err, NULL, NULL)); return -1; } VIR_DEBUG("Negotiated bufsize is %u vs requested size %zu", *u.maxbufsize, sasl->maxbufsize); sasl->maxbufsize = *u.maxbufsize; return 0; }
int virNetSASLSessionGetKeySize(virNetSASLSessionPtr sasl) { int err; int ssf; const void *val; virObjectLock(sasl); err = sasl_getprop(sasl->conn, SASL_SSF, &val); if (err != SASL_OK) { virReportError(VIR_ERR_AUTH_FAILED, _("cannot query SASL ssf on connection %d (%s)"), err, sasl_errstring(err, NULL, NULL)); ssf = -1; goto cleanup; } ssf = *(const int *)val; cleanup: virObjectUnlock(sasl); return ssf; }
int virNetSASLSessionExtKeySize(virNetSASLSessionPtr sasl, int ssf) { int err; int ret = -1; virObjectLock(sasl); err = sasl_setprop(sasl->conn, SASL_SSF_EXTERNAL, &ssf); if (err != SASL_OK) { virReportError(VIR_ERR_INTERNAL_ERROR, _("cannot set external SSF %d (%s)"), err, sasl_errstring(err, NULL, NULL)); goto cleanup; } ret = 0; cleanup: virObjectUnlock(sasl); return ret; }
static bool _mongoc_sasl_is_failure (int status, bson_error_t *error) { bool ret = (status < 0); if (ret) { switch (status) { case SASL_NOMEM: bson_set_error (error, MONGOC_ERROR_SASL, status, "SASL Failrue: insufficient memory."); break; case SASL_NOMECH: bson_set_error (error, MONGOC_ERROR_SASL, status, "SASL Failure: failure to negotiate mechanism"); break; case SASL_BADPARAM: bson_set_error (error, MONGOC_ERROR_SASL, status, "Bad parameter supplied. Please file a bug " "with mongo-c-driver."); break; default: bson_set_error (error, MONGOC_ERROR_SASL, status, "SASL Failure: (%d): %s", status, sasl_errstring (status, NULL, NULL)); break; } } return ret; }
ssize_t virNetSASLSessionEncode(virNetSASLSessionPtr sasl, const char *input, size_t inputLen, const char **output, size_t *outputlen) { unsigned inlen = inputLen; unsigned outlen = 0; int err; ssize_t ret = -1; virObjectLock(sasl); if (inputLen > sasl->maxbufsize) { virReportSystemError(EINVAL, _("SASL data length %zu too long, max %zu"), inputLen, sasl->maxbufsize); goto cleanup; } err = sasl_encode(sasl->conn, input, inlen, output, &outlen); *outputlen = outlen; if (err != SASL_OK) { virReportError(VIR_ERR_INTERNAL_ERROR, _("failed to encode SASL data: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); goto cleanup; } ret = 0; cleanup: virObjectUnlock(sasl); return ret; }
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist) { virNetSASLContextPtr ctxt; int err; if (virNetSASLContextInitialize() < 0) return NULL; err = sasl_server_init(NULL, "libvirt"); if (err != SASL_OK) { virReportError(VIR_ERR_AUTH_FAILED, _("failed to initialize SASL library: %d (%s)"), err, sasl_errstring(err, NULL, NULL)); return NULL; } if (!(ctxt = virObjectLockableNew(virNetSASLContextClass))) return NULL; ctxt->usernameWhitelist = usernameWhitelist; return ctxt; }