[thirdparty/squid.git] / src / acl / external / kerberos_ldap_group / support_sasl.cc

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * -----------------------------------------------------------------------------
 *
 * Author: Markus Moeller (markus_moeller at compuserve.com)
 *
 * Copyright (C) 2007 Markus Moeller. All rights reserved.
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
 *
 * -----------------------------------------------------------------------------
 */

#include "squid.h"
#include "util.h"

#if HAVE_LDAP

#include "support.h"

#if HAVE_SASL_H
#include <sasl.h>
#elif HAVE_SASL_SASL_H
#include <sasl/sasl.h>
#endif

#if HAVE_SASL_H || HAVE_SASL_SASL_H
void *lutil_sasl_defaults(
    LDAP * ld,
    char *mech,
    char *realm,
    char *authcid,
    char *passwd,
    char *authzid);

LDAP_SASL_INTERACT_PROC lutil_sasl_interact;

int lutil_sasl_interact(
    LDAP * ld,
    unsigned flags,
    void *defaults,
    void *in);

void lutil_sasl_freedefs(
    void *defaults);

/*
 * SASL definitions for openldap support
 */

typedef struct lutil_sasl_defaults_s {
    char *mech;
    char *realm;
    char *authcid;
    char *passwd;
    char *authzid;
    char **resps;
    int nresps;
} lutilSASLdefaults;

void *
lutil_sasl_defaults(
    LDAP * ld,
    char *mech,
    char *realm,
    char *authcid,
    char *passwd,
    char *authzid)
{
    lutilSASLdefaults *defaults;

    defaults = (lutilSASLdefaults *) xmalloc(sizeof(lutilSASLdefaults));

    if (defaults == nullptr)
        return nullptr;

    defaults->mech = mech ? xstrdup(mech) : nullptr;
    defaults->realm = realm ? xstrdup(realm) : nullptr;
    defaults->authcid = authcid ? xstrdup(authcid) : nullptr;
    defaults->passwd = passwd ? xstrdup(passwd) : nullptr;
    defaults->authzid = authzid ? xstrdup(authzid) : nullptr;

    if (defaults->mech == nullptr) {
        ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
    }
    if (defaults->realm == nullptr) {
        ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
    }
    if (defaults->authcid == nullptr) {
        ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid);
    }
    if (defaults->authzid == nullptr) {
        ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid);
    }
    defaults->resps = nullptr;
    defaults->nresps = 0;

    return defaults;
}

static int
interaction(
    unsigned,
    sasl_interact_t * interact,
    lutilSASLdefaults * defaults)
{
    const char *dflt = interact->defresult;

    switch (interact->id) {
    case SASL_CB_GETREALM:
        if (defaults)
            dflt = defaults->realm;
        break;
    case SASL_CB_AUTHNAME:
        if (defaults)
            dflt = defaults->authcid;
        break;
    case SASL_CB_PASS:
        if (defaults)
            dflt = defaults->passwd;
        break;
    case SASL_CB_USER:
        if (defaults)
            dflt = defaults->authzid;
        break;
    case SASL_CB_NOECHOPROMPT:
        break;
    case SASL_CB_ECHOPROMPT:
        break;
    }

    if (dflt && !*dflt)
        dflt = nullptr;

    /* input must be empty */
    interact->result = (dflt && *dflt) ? dflt : "";
    interact->len = (unsigned) strlen((const char *) interact->result);

    return LDAP_SUCCESS;
}

int
lutil_sasl_interact(
    LDAP * ld,
    unsigned flags,
    void *defaults,
    void *in)
{
    sasl_interact_t *interact = (sasl_interact_t *) in;

    if (ld == nullptr)
        return LDAP_PARAM_ERROR;

    while (interact->id != SASL_CB_LIST_END) {
        int rc = interaction(flags, interact, (lutilSASLdefaults *) defaults);

        if (rc)
            return rc;
        ++interact;
    }

    return LDAP_SUCCESS;
}

void
lutil_sasl_freedefs(
    void *defaults)
{
    lutilSASLdefaults *defs = (lutilSASLdefaults *) defaults;

    xfree(defs->mech);
    xfree(defs->realm);
    xfree(defs->authcid);
    xfree(defs->passwd);
    xfree(defs->authzid);
    xfree(defs->resps);

    xfree(defs);
}

int
tool_sasl_bind(LDAP * ld, char *binddn, char *ssl)
{
    /*
     * unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
     * unsigned sasl_flags = LDAP_SASL_QUIET;
     */
    /*
     * Avoid SASL messages
     */
#if HAVE_SUN_LDAP_SDK
    unsigned sasl_flags = LDAP_SASL_INTERACTIVE;
#else
    unsigned sasl_flags = LDAP_SASL_QUIET;
#endif
    char *sasl_realm = nullptr;
    char *sasl_authc_id = nullptr;
    char *sasl_authz_id = nullptr;
    char *sasl_mech = (char *) "GSSAPI";
    /*
     * Force encryption
     */
    char *sasl_secprops;
    /*
     * char  *sasl_secprops = (char *)"maxssf=56";
     * char  *sasl_secprops = nullptr;
     */
    struct berval passwd = {};
    void *defaults;
    int rc = LDAP_SUCCESS;

    if (ssl)
        sasl_secprops = (char *) "maxssf=0";
    else
        sasl_secprops = (char *) "maxssf=56";
    /*      sasl_secprops = (char *)"maxssf=0"; */
    /*      sasl_secprops = (char *)"maxssf=56"; */

    if (sasl_secprops != nullptr) {
        rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS,
                             (void *) sasl_secprops);
        if (rc != LDAP_SUCCESS) {
            error((char *) "%s| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc));
            return rc;
        }
    }
    defaults = lutil_sasl_defaults(ld,
                                   sasl_mech,
                                   sasl_realm,
                                   sasl_authc_id,
                                   passwd.bv_val,
                                   sasl_authz_id);

    rc = ldap_sasl_interactive_bind_s(ld, binddn,
                                      sasl_mech, nullptr, nullptr,
                                      sasl_flags, lutil_sasl_interact, defaults);

    lutil_sasl_freedefs(defaults);
    if (rc != LDAP_SUCCESS) {
        error((char *) "%s| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
    }
    return rc;
}
#else
void dummy(void);
void
dummy(void)
{
    fprintf(stderr, "%s| %s: ERROR: Dummy function\n", LogTime(), PROGRAM);
}

#endif
#endif
Commit	Line	Data
ca02e0ec	1	/*
b8ae064d	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
ca02e0ec AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
b1218840 AJ	9	/*
	10	* -----------------------------------------------------------------------------
	11	*
	12	* Author: Markus Moeller (markus_moeller at compuserve.com)
	13	*
	14	* Copyright (C) 2007 Markus Moeller. All rights reserved.
	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License as published by
	18	* the Free Software Foundation; either version 2 of the License, or
	19	* (at your option) any later version.
	20	*
	21	* This program is distributed in the hope that it will be useful,
	22	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	23	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	24	* GNU General Public License for more details.
	25	*
	26	* You should have received a copy of the GNU General Public License
	27	* along with this program; if not, write to the Free Software
	28	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
	29	*
	30	* -----------------------------------------------------------------------------
	31	*/
	32
f7f3304a	33	#include "squid.h"
b1218840 AJ	34	#include "util.h"
b1218840 AJ	35
1a22a39e	36	#if HAVE_LDAP
b1218840 AJ	37
	38	#include "support.h"
	39
1a22a39e	40	#if HAVE_SASL_H
b1218840	41	#include <sasl.h>
1a22a39e	42	#elif HAVE_SASL_SASL_H
b1218840	43	#include <sasl/sasl.h>
b1218840 AJ	44	#endif
b1218840 AJ	45
388d024e	46	#if HAVE_SASL_H \|\| HAVE_SASL_SASL_H
b1218840 AJ	47	void *lutil_sasl_defaults(
	48	LDAP * ld,
	49	char *mech,
	50	char *realm,
	51	char *authcid,
	52	char *passwd,
	53	char *authzid);
	54
	55	LDAP_SASL_INTERACT_PROC lutil_sasl_interact;
	56
	57	int lutil_sasl_interact(
	58	LDAP * ld,
	59	unsigned flags,
	60	void *defaults,
	61	void *in);
	62
	63	void lutil_sasl_freedefs(
	64	void *defaults);
	65
b1218840 AJ	66	/*
	67	* SASL definitions for openldap support
	68	*/
	69
b1218840 AJ	70	typedef struct lutil_sasl_defaults_s {
	71	char *mech;
	72	char *realm;
	73	char *authcid;
	74	char *passwd;
	75	char *authzid;
	76	char **resps;
	77	int nresps;
	78	} lutilSASLdefaults;
	79
	80	void *
	81	lutil_sasl_defaults(
	82	LDAP * ld,
	83	char *mech,
	84	char *realm,
	85	char *authcid,
	86	char *passwd,
	87	char *authzid)
	88	{
	89	lutilSASLdefaults *defaults;
	90
	91	defaults = (lutilSASLdefaults *) xmalloc(sizeof(lutilSASLdefaults));
	92
aee3523a AR	93	if (defaults == nullptr)
aee3523a AR	94	return nullptr;
b1218840	95
aee3523a AR	96	defaults->mech = mech ? xstrdup(mech) : nullptr;
	97	defaults->realm = realm ? xstrdup(realm) : nullptr;
	98	defaults->authcid = authcid ? xstrdup(authcid) : nullptr;
	99	defaults->passwd = passwd ? xstrdup(passwd) : nullptr;
	100	defaults->authzid = authzid ? xstrdup(authzid) : nullptr;
b1218840	101
aee3523a	102	if (defaults->mech == nullptr) {
2e881a6f	103	ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
b1218840	104	}
aee3523a	105	if (defaults->realm == nullptr) {
2e881a6f	106	ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
b1218840	107	}
aee3523a	108	if (defaults->authcid == nullptr) {
2e881a6f	109	ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid);
b1218840	110	}
aee3523a	111	if (defaults->authzid == nullptr) {
2e881a6f	112	ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid);
b1218840	113	}
aee3523a	114	defaults->resps = nullptr;
b1218840 AJ	115	defaults->nresps = 0;
	116
	117	return defaults;
	118	}
	119
	120	static int
	121	interaction(
ced8def3	122	unsigned,
b1218840 AJ	123	sasl_interact_t * interact,
	124	lutilSASLdefaults * defaults)
	125	{
	126	const char *dflt = interact->defresult;
	127
b1218840 AJ	128	switch (interact->id) {
b1218840 AJ	129	case SASL_CB_GETREALM:
2e881a6f A	130	if (defaults)
	131	dflt = defaults->realm;
	132	break;
b1218840	133	case SASL_CB_AUTHNAME:
2e881a6f A	134	if (defaults)
	135	dflt = defaults->authcid;
	136	break;
b1218840	137	case SASL_CB_PASS:
2e881a6f A	138	if (defaults)
2e881a6f A	139	dflt = defaults->passwd;
2e881a6f	140	break;
b1218840	141	case SASL_CB_USER:
2e881a6f A	142	if (defaults)
	143	dflt = defaults->authzid;
	144	break;
b1218840	145	case SASL_CB_NOECHOPROMPT:
2e881a6f	146	break;
b1218840	147	case SASL_CB_ECHOPROMPT:
2e881a6f	148	break;
b1218840 AJ	149	}
	150
	151	if (dflt && !*dflt)
aee3523a	152	dflt = nullptr;
b1218840 AJ	153
	154	/* input must be empty */
	155	interact->result = (dflt && *dflt) ? dflt : "";
	156	interact->len = (unsigned) strlen((const char *) interact->result);
	157
	158	return LDAP_SUCCESS;
	159	}
	160
	161	int
	162	lutil_sasl_interact(
	163	LDAP * ld,
	164	unsigned flags,
	165	void *defaults,
	166	void *in)
	167	{
	168	sasl_interact_t interact = (sasl_interact_t ) in;
	169
aee3523a	170	if (ld == nullptr)
2e881a6f	171	return LDAP_PARAM_ERROR;
b1218840 AJ	172
b1218840 AJ	173	while (interact->id != SASL_CB_LIST_END) {
2e881a6f	174	int rc = interaction(flags, interact, (lutilSASLdefaults *) defaults);
b1218840	175
2e881a6f A	176	if (rc)
2e881a6f A	177	return rc;
755494da	178	++interact;
b1218840 AJ	179	}
	180
	181	return LDAP_SUCCESS;
	182	}
	183
	184	void
	185	lutil_sasl_freedefs(
	186	void *defaults)
	187	{
	188	lutilSASLdefaults defs = (lutilSASLdefaults ) defaults;
	189
4ebcf1ce MM	190	xfree(defs->mech);
	191	xfree(defs->realm);
	192	xfree(defs->authcid);
	193	xfree(defs->passwd);
	194	xfree(defs->authzid);
	195	xfree(defs->resps);
b1218840 AJ	196
	197	xfree(defs);
	198	}
	199
	200	int
	201	tool_sasl_bind(LDAP * ld, char binddn, char ssl)
	202	{
	203	/*
	204	* unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
	205	* unsigned sasl_flags = LDAP_SASL_QUIET;
	206	*/
2e881a6f	207	/*
b1218840 AJ	208	* Avoid SASL messages
b1218840 AJ	209	*/
1a22a39e	210	#if HAVE_SUN_LDAP_SDK
b1218840 AJ	211	unsigned sasl_flags = LDAP_SASL_INTERACTIVE;
	212	#else
	213	unsigned sasl_flags = LDAP_SASL_QUIET;
	214	#endif
aee3523a AR	215	char *sasl_realm = nullptr;
	216	char *sasl_authc_id = nullptr;
	217	char *sasl_authz_id = nullptr;
b1218840	218	char sasl_mech = (char ) "GSSAPI";
2e881a6f	219	/*
b1218840 AJ	220	* Force encryption
	221	*/
	222	char *sasl_secprops;
	223	/*
	224	* char sasl_secprops = (char )"maxssf=56";
a1b1756c	225	* char *sasl_secprops = nullptr;
b1218840	226	*/
8b082ed9	227	struct berval passwd = {};
b1218840 AJ	228	void *defaults;
	229	int rc = LDAP_SUCCESS;
	230
	231	if (ssl)
2e881a6f	232	sasl_secprops = (char *) "maxssf=0";
b1218840	233	else
2e881a6f A	234	sasl_secprops = (char *) "maxssf=56";
	235	/* sasl_secprops = (char )"maxssf=0"; /
	236	/* sasl_secprops = (char )"maxssf=56"; /
b1218840	237
aee3523a	238	if (sasl_secprops != nullptr) {
2e881a6f A	239	rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS,
	240	(void *) sasl_secprops);
	241	if (rc != LDAP_SUCCESS) {
	242	error((char *) "%s\| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc));
	243	return rc;
	244	}
b1218840 AJ	245	}
b1218840 AJ	246	defaults = lutil_sasl_defaults(ld,
2e881a6f A	247	sasl_mech,
	248	sasl_realm,
	249	sasl_authc_id,
	250	passwd.bv_val,
	251	sasl_authz_id);
b1218840 AJ	252
b1218840 AJ	253	rc = ldap_sasl_interactive_bind_s(ld, binddn,
aee3523a	254	sasl_mech, nullptr, nullptr,
2e881a6f	255	sasl_flags, lutil_sasl_interact, defaults);
b1218840 AJ	256
	257	lutil_sasl_freedefs(defaults);
	258	if (rc != LDAP_SUCCESS) {
2e881a6f	259	error((char *) "%s\| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
b1218840 AJ	260	}
	261	return rc;
	262	}
	263	#else
	264	void dummy(void);
	265	void
	266	dummy(void)
	267	{
	268	fprintf(stderr, "%s\| %s: ERROR: Dummy function\n", LogTime(), PROGRAM);
	269	}
	270
	271	#endif
	272	#endif
f53969cc	273