git.m6w6.name Git - m6w6/libmemcached/blob - libmemcached/sasl.c

   1 /* LibMemcached
   2  * Copyright (C) 2006-2010 Brian Aker
   3  * All rights reserved.
   4  *
   5  * Use and distribution licensed under the BSD license.  See
   6  * the COPYING file in the parent directory for full text.
   7  *
   8  * Summary: interface for memcached server
   9  * Description: main include file for libmemcached
  10  *
  11  */
  12 #include "common.h"
  13
  14 void memcached_set_sasl_callbacks(memcached_st *ptr,
  15                                   const sasl_callback_t *callbacks)
  16 {
  17   ptr->sasl.callbacks= callbacks;
  18   ptr->sasl.is_allocated= false;
  19 }
  20
  21 const sasl_callback_t *memcached_get_sasl_callbacks(memcached_st *ptr)
  22 {
  23   return ptr->sasl.callbacks;
  24 }
  25
  26 /**
  27  * Resolve the names for both ends of a connection
  28  * @param fd socket to check
  29  * @param laddr local address (out)
  30  * @param raddr remote address (out)
  31  * @return true on success false otherwise (errno contains more info)
  32  */
  33 static bool resolve_names(int fd, char *laddr, char *raddr)
  34 {
  35   char host[NI_MAXHOST];
  36   char port[NI_MAXSERV];
  37   struct sockaddr_storage saddr;
  38   socklen_t salen= sizeof(saddr);
  39
  40   if ((getsockname(fd, (struct sockaddr *)&saddr, &salen) < 0) ||
  41       (getnameinfo((struct sockaddr *)&saddr, salen, host, sizeof(host),
  42                    port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV) < 0))
  43   {
  44     return false;
  45   }
  46
  47   (void)sprintf(laddr, "%s;%s", host, port);
  48   salen= sizeof(saddr);
  49
  50   if ((getpeername(fd, (struct sockaddr *)&saddr, &salen) < 0) ||
  51       (getnameinfo((struct sockaddr *)&saddr, salen, host, sizeof(host),
  52                    port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV) < 0))
  53   {
  54     return false;
  55   }
  56
  57   (void)sprintf(raddr, "%s;%s", host, port);
  58
  59   return true;
  60 }
  61
  62 memcached_return_t memcached_sasl_authenticate_connection(memcached_server_st *server)
  63 {
  64   memcached_return_t rc;
  65
  66   /* SANITY CHECK: SASL can only be used with the binary protocol */
  67   unlikely (!server->root->flags.binary_protocol)
  68     return MEMCACHED_FAILURE;
  69
  70   /* Try to get the supported mech from the server. Servers without SASL
  71    * support will return UNKNOWN COMMAND, so we can just treat that
  72    * as authenticated
  73    */
  74   protocol_binary_request_no_extras request= {
  75     .message.header.request= {
  76       .magic= PROTOCOL_BINARY_REQ,
  77       .opcode= PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
  78     }
  79   };
  80
  81   if (memcached_io_write(server, request.bytes,
  82                          sizeof(request.bytes), 1) != sizeof(request.bytes))
  83   {
  84     return MEMCACHED_WRITE_FAILURE;
  85   }
  86
  87   memcached_server_response_increment(server);
  88
  89   char mech[MEMCACHED_MAX_BUFFER];
  90   rc= memcached_response(server, mech, sizeof(mech), NULL);
  91   if (rc != MEMCACHED_SUCCESS)
  92   {
  93     if (rc == MEMCACHED_PROTOCOL_ERROR)
  94     {
  95       /* If the server doesn't support SASL it will return PROTOCOL_ERROR.
  96        * This error may also be returned for other errors, but let's assume
  97        * that the server don't support SASL and treat it as success and
  98        * let the client fail with the next operation if the error was
  99        * caused by another problem....
 100        */
 101       rc= MEMCACHED_SUCCESS;
 102     }
 103
 104     return rc;
 105   }
 106
 107   /* set ip addresses */
 108   char laddr[NI_MAXHOST + NI_MAXSERV];
 109   char raddr[NI_MAXHOST + NI_MAXSERV];
 110
 111   unlikely (!resolve_names(server->fd, laddr, raddr))
 112   {
 113     server->cached_errno= errno;
 114     return MEMCACHED_ERRNO;
 115   }
 116
 117   sasl_conn_t *conn;
 118   int ret= sasl_client_new("memcached", server->hostname, laddr, raddr,
 119                            server->root->sasl.callbacks, 0, &conn);
 120   if (ret != SASL_OK)
 121   {
 122     return MEMCACHED_AUTH_PROBLEM;
 123   }
 124
 125   const char *data;
 126   const char *chosenmech;
 127   unsigned int len;
 128   ret= sasl_client_start(conn, mech, NULL, &data, &len, &chosenmech);
 129
 130   if (ret != SASL_OK && ret != SASL_CONTINUE)
 131   {
 132     rc= MEMCACHED_AUTH_PROBLEM;
 133     goto end;
 134   }
 135
 136   uint16_t keylen= (uint16_t)strlen(chosenmech);
 137   request.message.header.request.opcode= PROTOCOL_BINARY_CMD_SASL_AUTH;
 138   request.message.header.request.keylen= htons(keylen);
 139   request.message.header.request.bodylen= htonl(len + keylen);
 140
 141   do {
 142     /* send the packet */
 143     if (memcached_io_write(server, request.bytes,
 144                            sizeof(request.bytes), 0) != sizeof(request.bytes) ||
 145         memcached_io_write(server, chosenmech, keylen, 0) != keylen ||
 146         memcached_io_write(server, data, len, 1) != (ssize_t)len)
 147     {
 148       rc= MEMCACHED_WRITE_FAILURE;
 149       goto end;
 150     }
 151     memcached_server_response_increment(server);
 152
 153     /* read the response */
 154     rc= memcached_response(server, NULL, 0, NULL);
 155     if (rc != MEMCACHED_AUTH_CONTINUE)
 156     {
 157       goto end;
 158     }
 159
 160     ret= sasl_client_step(conn, memcached_result_value(&server->root->result),
 161                           (unsigned int)memcached_result_length(&server->root->result),
 162                           NULL, &data, &len);
 163
 164     if (ret != SASL_OK && ret != SASL_CONTINUE)
 165     {
 166       rc= MEMCACHED_AUTH_PROBLEM;
 167       goto end;
 168     }
 169
 170     request.message.header.request.opcode= PROTOCOL_BINARY_CMD_SASL_STEP;
 171     request.message.header.request.bodylen= htonl(len + keylen);
 172   } while (true);
 173
 174 end:
 175   /* Release resources */
 176   sasl_dispose(&conn);
 177
 178   return rc;
 179 }
 180
 181 static int get_username(void *context, int id, const char **result,
 182                         unsigned int *len)
 183 {
 184   if (!context || !result || (id != SASL_CB_USER && id != SASL_CB_AUTHNAME))
 185   {
 186     return SASL_BADPARAM;
 187   }
 188
 189   *result= context;
 190   if (len)
 191   {
 192     *len= (unsigned int)strlen(*result);
 193   }
 194
 195   return SASL_OK;
 196 }
 197
 198 static int get_password(sasl_conn_t *conn, void *context, int id,
 199                         sasl_secret_t **psecret)
 200 {
 201   if (!conn || ! psecret || id != SASL_CB_PASS)
 202   {
 203     return SASL_BADPARAM;
 204   }
 205
 206   *psecret= context;
 207
 208   return SASL_OK;
 209 }
 210
 211 memcached_return_t memcached_set_sasl_auth_data(memcached_st *ptr,
 212                                                 const char *username,
 213                                                 const char *password)
 214 {
 215   if (ptr == NULL || username == NULL ||
 216       password == NULL || ptr->sasl.callbacks != NULL)
 217   {
 218     return MEMCACHED_FAILURE;
 219   }
 220
 221   sasl_callback_t *cb= libmemcached_calloc(ptr, 4, sizeof(sasl_callback_t));
 222   char *name= libmemcached_malloc(ptr, strlen(username) + 1);
 223   sasl_secret_t *secret= libmemcached_malloc(ptr, strlen(password) + 1 + sizeof(*secret))
 224 ;
 225   if (cb == NULL || name == NULL || secret == NULL)
 226   {
 227     libmemcached_free(ptr, cb);
 228     libmemcached_free(ptr, name);
 229     libmemcached_free(ptr, secret);
 230     return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
 231   }
 232
 233   secret->len= strlen(password);
 234   strcpy((void*)secret->data, password);
 235
 236   cb[0].id= SASL_CB_USER;
 237   cb[0].proc= get_username;
 238   cb[0].context= strcpy(name, username);
 239   cb[1].id= SASL_CB_AUTHNAME;
 240   cb[1].proc= get_username;
 241   cb[1].context= name;
 242   cb[2].id= SASL_CB_PASS;
 243   cb[2].proc= get_password;
 244   cb[2].context= secret;
 245   cb[3].id= SASL_CB_LIST_END;
 246
 247   ptr->sasl.callbacks= cb;
 248   ptr->sasl.is_allocated= true;
 249
 250   return MEMCACHED_SUCCESS;
 251 }
 252
 253 memcached_return_t memcached_destroy_sasl_auth_data(memcached_st *ptr)
 254 {
 255    if (ptr == NULL || ptr->sasl.callbacks == NULL)
 256    {
 257      return MEMCACHED_FAILURE;
 258    }
 259
 260    if (ptr->sasl.is_allocated)
 261    {
 262      libmemcached_free(ptr, ptr->sasl.callbacks[0].context);
 263      libmemcached_free(ptr, ptr->sasl.callbacks[2].context);
 264      libmemcached_free(ptr, (void*)ptr->sasl.callbacks);
 265      ptr->sasl.is_allocated= false;
 266    }
 267
 268    ptr->sasl.callbacks= NULL;
 269
 270    return MEMCACHED_SUCCESS;
 271 }
 272
 273 memcached_return_t memcached_clone_sasl(memcached_st *clone, const  memcached_st *source)
 274 {
 275   /* Hopefully we are using our own callback mechanisms.. */
 276   if (source->sasl.callbacks[0].id == SASL_CB_USER &&
 277       source->sasl.callbacks[0].proc == get_username &&
 278       source->sasl.callbacks[1].id == SASL_CB_AUTHNAME &&
 279       source->sasl.callbacks[1].proc == get_username &&
 280       source->sasl.callbacks[2].id == SASL_CB_PASS &&
 281       source->sasl.callbacks[2].proc == get_password &&
 282       source->sasl.callbacks[3].id == SASL_CB_LIST_END)
 283   {
 284     sasl_secret_t *secret= source->sasl.callbacks[2].context;
 285     return memcached_set_sasl_auth_data(clone,
 286                                         source->sasl.callbacks[0].context,
 287                                         (const char*)secret->data);
 288   }
 289
 290   /*
 291    * But we're not. It may work if we know what the user tries to pass
 292    * into the list, but if we don't know the ID we don't know how to handle
 293    * the context...
 294    */
 295   size_t total= 0;
 296
 297   while (source->sasl.callbacks[total].id != SASL_CB_LIST_END) {
 298     switch (source->sasl.callbacks[total].id)
 299     {
 300     case SASL_CB_USER:
 301     case SASL_CB_AUTHNAME:
 302     case SASL_CB_PASS:
 303        break;
 304     default:
 305        /* I don't know how to deal with this... */
 306        return MEMCACHED_NOT_SUPPORTED;
 307     }
 308
 309     ++total;
 310   }
 311
 312   sasl_callback_t *cb= libmemcached_calloc(clone, total + 1,
 313                                            sizeof(sasl_callback_t));
 314   if (cb == NULL)
 315   {
 316     return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
 317   }
 318   memcpy(cb, source->sasl.callbacks, (total + 1) * sizeof(sasl_callback_t));
 319
 320   /* Now update the context... */
 321   for (size_t x= 0; x < total; ++x)
 322   {
 323     if (cb[x].id == SASL_CB_USER || cb[x].id == SASL_CB_AUTHNAME)
 324     {
 325       cb[x].context= libmemcached_malloc(clone, strlen(source->sasl.callbacks[x].context));
 326       if (cb[x].context == NULL)
 327       {
 328         /* Failed to allocate memory, clean up previously allocated memory */
 329         for (size_t y= 0; y < x; ++y)
 330         {
 331           libmemcached_free(clone, clone->sasl.callbacks[y].context);
 332         }
 333
 334         libmemcached_free(clone, cb);
 335         return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
 336       }
 337       strcpy(cb[x].context, source->sasl.callbacks[x].context);
 338     }
 339     else
 340     {
 341       sasl_secret_t *src = source->sasl.callbacks[x].context;
 342       sasl_secret_t *n = libmemcached_malloc(clone, src->len + 1 + sizeof(*n));
 343       if (n == NULL)
 344       {
 345         /* Failed to allocate memory, clean up previously allocated memory */
 346         for (size_t y= 0; y < x; ++y)
 347         {
 348           libmemcached_free(clone, clone->sasl.callbacks[y].context);
 349         }
 350
 351         libmemcached_free(clone, cb);
 352         return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
 353       }
 354       memcpy(n, src, src->len + 1 + sizeof(*n));
 355       cb[x].context= n;
 356     }
 357   }
 358
 359   clone->sasl.callbacks= cb;
 360   clone->sasl.is_allocated= true;
 361
 362   return MEMCACHED_SUCCESS;
 363 }