ca02e0ec | 1 | /* |
b8ae064d | 2 | * Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | /* |
10 | * ----------------------------------------------------------------------------- | |
11 | * | |
12 | * Author: Markus Moeller (markus_moeller at compuserve.com) | |
13 | * | |
14 | * Copyright (C) 2007 Markus Moeller. All rights reserved. | |
15 | * | |
16 | * This program is free software; you can redistribute it and/or modify | |
17 | * it under the terms of the GNU General Public License as published by | |
18 | * the Free Software Foundation; either version 2 of the License, or | |
19 | * (at your option) any later version. | |
20 | * | |
21 | * This program is distributed in the hope that it will be useful, | |
22 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
23 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
24 | * GNU General Public License for more details. | |
25 | * | |
26 | * You should have received a copy of the GNU General Public License | |
27 | * along with this program; if not, write to the Free Software | |
28 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. | |
29 | * | |
30 | * ----------------------------------------------------------------------------- | |
31 | */ | |
32 | ||
f7f3304a | 33 | #include "squid.h" |
34 | #include "util.h" |
35 | ||
1a22a39e | 36 | #if HAVE_LDAP |
37 | |
38 | #include "support.h" | |
39 | ||
1a22a39e | 40 | #if HAVE_SASL_H |
b1218840 | 41 | #include <sasl.h> |
1a22a39e | 42 | #elif HAVE_SASL_SASL_H |
b1218840 | 43 | #include <sasl/sasl.h> |
44 | #endif |
45 | ||
388d024e | 46 | #if HAVE_SASL_H || HAVE_SASL_SASL_H |
/**
 * Build the callback context consumed by lutil_sasl_interact().
 *
 * Every non-null string argument is duplicated into the context. For mech,
 * realm, authcid and authzid a null argument is instead filled from the
 * matching LDAP_OPT_X_SASL_* option of ld; passwd has no such fallback.
 * The caller owns the result and releases it with lutil_sasl_freedefs().
 * Returns nullptr only when the underlying xmalloc() yields nullptr.
 */
void *lutil_sasl_defaults(
    LDAP * ld,
    char *mech,
    char *realm,
    char *authcid,
    char *passwd,
    char *authzid);

/** Non-interactive SASL interaction callback for ldap_sasl_interactive_bind_s(). */
LDAP_SASL_INTERACT_PROC lutil_sasl_interact;

/**
 * Answer every prompt in the sasl_interact_t array `in` from `defaults`
 * (a lutilSASLdefaults built by lutil_sasl_defaults(), may be null).
 * Prompts with no stored answer receive an empty string, so this never
 * waits on a terminal. Returns LDAP_PARAM_ERROR when ld is null,
 * otherwise LDAP_SUCCESS.
 */
int lutil_sasl_interact(
    LDAP * ld,
    unsigned flags,
    void *defaults,
    void *in);

/** Release a context returned by lutil_sasl_defaults(), including all its strings. */
void lutil_sasl_freedefs(
    void *defaults);
65 | ||
/*
 * SASL definitions for openldap support
 */

/// Callback context passed to lutil_sasl_interact() through its `defaults`
/// argument. Every string member is heap-owned by the context (filled by
/// lutil_sasl_defaults(), released by lutil_sasl_freedefs()); the interaction
/// callback hands out pointers into these strings rather than copies.
typedef struct lutil_sasl_defaults_s {
    char *mech;     ///< SASL mechanism name (e.g. "GSSAPI"); not used to answer any prompt here
    char *realm;    ///< answer for SASL_CB_GETREALM
    char *authcid;  ///< authentication identity; answer for SASL_CB_AUTHNAME
    char *passwd;   ///< answer for SASL_CB_PASS - a secret if ever set; scrub it before freeing
    char *authzid;  ///< authorization identity; answer for SASL_CB_USER
    char **resps;   ///< never populated in this file (always nullptr); freed with the context
    int nresps;     ///< never populated in this file (always 0)
} lutilSASLdefaults;
79 | ||
/// Allocate the lutilSASLdefaults context that answers SASL prompts during
/// ldap_sasl_interactive_bind_s(). Each non-null argument is duplicated; a
/// null mech/realm/authcid/authzid is then taken from the matching
/// LDAP_OPT_X_SASL_* option of ld (passwd has no such fallback).
/// The caller owns the result and releases it with lutil_sasl_freedefs().
/// \return the new context, or nullptr if xmalloc() yields nullptr.
void *
lutil_sasl_defaults(
    LDAP * ld,
    char *mech,
    char *realm,
    char *authcid,
    char *passwd,
    char *authzid)
{
    lutilSASLdefaults *ctx = (lutilSASLdefaults *) xmalloc(sizeof(lutilSASLdefaults));
    if (!ctx)
        return nullptr;

    // Private copies, so the context never aliases caller-owned buffers.
    ctx->mech = mech ? xstrdup(mech) : nullptr;
    ctx->realm = realm ? xstrdup(realm) : nullptr;
    ctx->authcid = authcid ? xstrdup(authcid) : nullptr;
    ctx->passwd = passwd ? xstrdup(passwd) : nullptr;
    ctx->authzid = authzid ? xstrdup(authzid) : nullptr;
    ctx->resps = nullptr;
    ctx->nresps = 0;

    // Fall back to the library's configured values for anything still unset.
    // NOTE(review): strings handed back by ldap_get_option() here are later
    // released with xfree() in lutil_sasl_freedefs(); that only holds if the
    // LDAP library allocates them with the same malloc/free the helper uses -
    // confirm for the SDK actually linked (the Sun SDK path in particular).
    if (!ctx->mech)
        ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &ctx->mech);
    if (!ctx->realm)
        ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &ctx->realm);
    if (!ctx->authcid)
        ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &ctx->authcid);
    if (!ctx->authzid)
        ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &ctx->authzid);

    return ctx;
}
119 | ||
/// Answer a single SASL prompt from the stored defaults.
/// The prompt's own defresult is the starting answer; when a context is
/// present, the realm, authcid, passwd and authzid prompts take the stored
/// value instead. SASL_CB_NOECHOPROMPT / SASL_CB_ECHOPROMPT and any other
/// id keep the prompt default, so nothing here ever waits on a terminal.
/// A missing or empty answer is reported as "" with len 0.
/// The first parameter (the bind flags) is intentionally ignored.
/// Always returns LDAP_SUCCESS.
static int
interaction(
    unsigned,
    sasl_interact_t * interact,
    lutilSASLdefaults * defaults)
{
    const char *answer = interact->defresult;

    if (defaults) {
        switch (interact->id) {
        case SASL_CB_GETREALM:
            answer = defaults->realm;
            break;
        case SASL_CB_AUTHNAME:
            answer = defaults->authcid;
            break;
        case SASL_CB_PASS:
            answer = defaults->passwd;
            break;
        case SASL_CB_USER:
            answer = defaults->authzid;
            break;
        default:
            // echo/no-echo prompts and unknown ids: keep the prompt default
            break;
        }
    }

    // The answer is a pointer into the context (not a copy), so it stays
    // valid until lutil_sasl_freedefs(); a null or empty answer becomes "".
    if (!answer || !*answer)
        answer = "";

    interact->result = answer;
    interact->len = (unsigned) strlen(answer);

    return LDAP_SUCCESS;
}
160 | ||
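/// SASL interaction callback for ldap_sasl_interactive_bind_s(): walks the
/// sasl_interact_t array `in` up to SASL_CB_LIST_END and answers each entry
/// from `defaults` (a lutilSASLdefaults from lutil_sasl_defaults(), may be
/// null) via interaction(). It never prompts, so it is safe inside a helper
/// that has no terminal.
/// \param flags  LDAP_SASL_* flags of the bind; passed on but not consulted
/// \return LDAP_PARAM_ERROR if ld or in is null; otherwise the first
///         non-LDAP_SUCCESS result of interaction() (currently none) or
///         LDAP_SUCCESS
int
lutil_sasl_interact(
    LDAP * ld,
    unsigned flags,
    void *defaults,
    void *in)
{
    // `in` is dereferenced unconditionally below, so reject a null array
    // the same way a null handle is rejected instead of crashing.
    if (ld == nullptr || in == nullptr)
        return LDAP_PARAM_ERROR;

    lutilSASLdefaults *ctx = (lutilSASLdefaults *) defaults;

    for (sasl_interact_t *prompt = (sasl_interact_t *) in; prompt->id != SASL_CB_LIST_END; ++prompt) {
        const int rc = interaction(flags, prompt, ctx);
        if (rc != LDAP_SUCCESS)
            return rc;
    }

    return LDAP_SUCCESS;
}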
183 | ||
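/// Release a context created by lutil_sasl_defaults(). Safe to call with
/// nullptr. The password copy is overwritten before it is freed so the
/// secret does not linger in released heap memory; every member is then
/// handed to xfree(), matching how lutil_sasl_defaults() filled them.
void
lutil_sasl_freedefs(
    void *defaults)
{
    lutilSASLdefaults *defs = (lutilSASLdefaults *) defaults;
    if (!defs)
        return;

    if (defs->passwd) {
        // Write through a volatile pointer so the compiler cannot discard
        // the scrub as a dead store just ahead of the free.
        volatile char *p = defs->passwd;
        while (*p)
            *p++ = '\0';
    }

    xfree(defs->mech);
    xfree(defs->realm);
    xfree(defs->authcid);
    xfree(defs->passwd);
    xfree(defs->authzid);
    xfree(defs->resps);

    xfree(defs);
}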
199 | ||
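/// Perform a SASL GSSAPI bind on an already-connected LDAP handle.
///
/// No explicit credentials are supplied: the password berval is empty and
/// realm/authcid/authzid are null, so lutil_sasl_defaults() pulls whatever
/// defaults the library has and GSSAPI authenticates with the Kerberos
/// credentials the library locates (presumably a credential cache set up
/// by the caller - not visible in this file).
///
/// \param ld      connected LDAP handle
/// \param binddn  DN handed straight to ldap_sasl_interactive_bind_s()
/// \param ssl     non-null when the connection is already TLS-protected;
///                the SASL security layer is then disabled (maxssf=0)
///                rather than allowed up to SSF 56
/// \return LDAP_SUCCESS, LDAP_NO_MEMORY if the callback context could not
///         be allocated, or the failing ldap_* result code; every failure
///         is also logged through error()
int
tool_sasl_bind(LDAP * ld, char *binddn, char *ssl)
{
    // LDAP_SASL_QUIET stops the library from prompting on its own; the Sun
    // SDK build uses LDAP_SASL_INTERACTIVE instead (presumably because that
    // SDK lacks the QUIET flag - not verifiable here). Either way the
    // prompts are answered by lutil_sasl_interact(), never a terminal.
#if HAVE_SUN_LDAP_SDK
    unsigned sasl_flags = LDAP_SASL_INTERACTIVE;
#else
    unsigned sasl_flags = LDAP_SASL_QUIET;
#endif
    char *sasl_realm = nullptr;
    char *sasl_authc_id = nullptr;
    char *sasl_authz_id = nullptr;
    char *sasl_mech = (char *) "GSSAPI";
    struct berval passwd = {};
    int rc = LDAP_SUCCESS;

    // SASL security properties. NOTE(review): "maxssf" is an upper bound on
    // the negotiated security strength factor, not a minimum: it permits a
    // GSSAPI confidentiality layer but does not require one, and a bind that
    // negotiates no layer at all is still accepted unless a "minssf=" is
    // added. Over TLS the SASL layer is switched off so the two do not stack.
    char *sasl_secprops = ssl ? (char *) "maxssf=0" : (char *) "maxssf=56";

    rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, (void *) sasl_secprops);
    if (rc != LDAP_SUCCESS) {
        error((char *) "%s| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc));
        return rc;
    }

    void *defaults = lutil_sasl_defaults(ld,
                                         sasl_mech,
                                         sasl_realm,
                                         sasl_authc_id,
                                         passwd.bv_val,
                                         sasl_authz_id);
    if (defaults == nullptr) {
        // lutil_sasl_defaults() returns nullptr only on allocation failure;
        // binding with a null context would crash in lutil_sasl_freedefs().
        rc = LDAP_NO_MEMORY;
        error((char *) "%s| %s: ERROR: Could not allocate SASL defaults: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
        return rc;
    }

    rc = ldap_sasl_interactive_bind_s(ld, binddn,
                                      sasl_mech, nullptr, nullptr,
                                      sasl_flags, lutil_sasl_interact, defaults);

    // Release the context (and any credential copies it holds) regardless
    // of the bind outcome.
    lutil_sasl_freedefs(defaults);

    if (rc != LDAP_SUCCESS) {
        error((char *) "%s| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
    }
    return rc;
}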
263 | #else | |
/// Placeholder compiled in only when no SASL header is available, so this
/// translation unit is never empty; calling it just logs that it was reached.
void dummy(void);

void dummy(void)
{
    fprintf(stderr, "%s| %s: ERROR: Dummy function\n", LogTime(), PROGRAM);
}
270 | ||
271 | #endif | |
272 | #endif | |