libvirt/src/rpc/virnetsaslcontext.h

/*
 * virnetsaslcontext.h: SASL encryption/auth handling
 *
 * Copyright (C) 2010-2011 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 */

#ifndef __VIR_NET_CLIENT_SASL_CONTEXT_H__
# define __VIR_NET_CLIENT_SASL_CONTEXT_H__

# include "internal.h"
# include <sasl/sasl.h>

# include "virobject.h"

typedef struct _virNetSASLContext virNetSASLContext;
typedef virNetSASLContext *virNetSASLContextPtr;

typedef struct _virNetSASLSession virNetSASLSession;
typedef virNetSASLSession *virNetSASLSessionPtr;

enum {
    VIR_NET_SASL_COMPLETE,
    VIR_NET_SASL_CONTINUE,
    VIR_NET_SASL_INTERACT,
};

virNetSASLContextPtr virNetSASLContextNewClient(void);
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist);

int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
                                   const char *identity);

virNetSASLSessionPtr virNetSASLSessionNewClient(virNetSASLContextPtr ctxt,
                                                const char *service,
                                                const char *hostname,
                                                const char *localAddr,
                                                const char *remoteAddr,
                                                sasl_callback_t *cbs);
virNetSASLSessionPtr virNetSASLSessionNewServer(virNetSASLContextPtr ctxt,
                                                const char *service,
                                                const char *localAddr,
                                                const char *remoteAddr);

char *virNetSASLSessionListMechanisms(virNetSASLSessionPtr sasl);

int virNetSASLSessionExtKeySize(virNetSASLSessionPtr sasl,
                                int ssf);

int virNetSASLSessionGetKeySize(virNetSASLSessionPtr sasl);

const char *virNetSASLSessionGetIdentity(virNetSASLSessionPtr sasl);

int virNetSASLSessionSecProps(virNetSASLSessionPtr sasl,
                              int minSSF,
                              int maxSSF,
                              bool allowAnonymous);

int virNetSASLSessionClientStart(virNetSASLSessionPtr sasl,
                                 const char *mechlist,
                                 sasl_interact_t **prompt_need,
                                 const char **clientout,
                                 size_t *clientoutlen,
                                 const char **mech);

int virNetSASLSessionClientStep(virNetSASLSessionPtr sasl,
                                const char *serverin,
                                size_t serverinlen,
                                sasl_interact_t **prompt_need,
                                const char **clientout,
                                size_t *clientoutlen);

int virNetSASLSessionServerStart(virNetSASLSessionPtr sasl,
                                 const char *mechname,
                                 const char *clientin,
                                 size_t clientinlen,
                                 const char **serverout,
                                 size_t *serveroutlen);

int virNetSASLSessionServerStep(virNetSASLSessionPtr sasl,
                                const char *clientin,
                                size_t clientinlen,
                                const char **serverout,
                                size_t *serveroutlen);

size_t virNetSASLSessionGetMaxBufSize(virNetSASLSessionPtr sasl);

ssize_t virNetSASLSessionEncode(virNetSASLSessionPtr sasl,
                                const char *input,
                                size_t inputLen,
                                const char **output,
                                size_t *outputlen);

ssize_t virNetSASLSessionDecode(virNetSASLSessionPtr sasl,
                                const char *input,
                                size_t inputLen,
                                const char **output,
                                size_t *outputlen);

#endif /* __VIR_NET_CLIENT_SASL_CONTEXT_H__ */
Generic module for handling SASL authentication & encryption This provides two modules for handling SASL * virNetSASLContext provides the process-wide state, currently just a whitelist of usernames on the server and a one time library init call * virNetTLSSession provides the per-connection state, ie the SASL session itself. This also include APIs for providing data encryption/decryption once the session is established * src/Makefile.am: Add to libvirt-net-rpc.la * src/rpc/virnetsaslcontext.c, src/rpc/virnetsaslcontext.h: Generic SASL handling code 2010-12-10 12:21:18 +00:00			`/*`
			`* virnetsaslcontext.h: SASL encryption/auth handling`
			`*`
			`* Copyright (C) 2010-2011 Red Hat, Inc.`
			`*`
			`* This library is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU Lesser General Public`
			`* License as published by the Free Software Foundation; either`
			`* version 2.1 of the License, or (at your option) any later version.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`* Lesser General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Lesser General Public`
maint: fix up copyright notice inconsistencies https://www.gnu.org/licenses/gpl-howto.html recommends that the 'If not, see <url>.' phrase be a separate sentence. * tests/securityselinuxhelper.c: Remove doubled line. * tests/securityselinuxtest.c: Likewise. * globally: s/; If/. If/ 2012-09-20 22:30:55 +00:00			`* License along with this library. If not, see`
Desert the FSF address in copyright Per the FSF address could be changed from time to time, and GNU recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html) You should have received a copy of the GNU General Public License along with Foobar. If not, see <http://www.gnu.org/licenses/>. This patch removes the explicit FSF address, and uses above instead (of course, with inserting 'Lesser' before 'General'). Except a bunch of files for security driver, all others are changed automatically, the copyright for securify files are not complete, that's why to do it manually: src/security/security_selinux.h src/security/security_driver.h src/security/security_selinux.c src/security/security_apparmor.h src/security/security_apparmor.c src/security/security_driver.c 2012-07-21 10:06:23 +00:00			`* <http://www.gnu.org/licenses/>.`
Generic module for handling SASL authentication & encryption This provides two modules for handling SASL * virNetSASLContext provides the process-wide state, currently just a whitelist of usernames on the server and a one time library init call * virNetTLSSession provides the per-connection state, ie the SASL session itself. This also include APIs for providing data encryption/decryption once the session is established * src/Makefile.am: Add to libvirt-net-rpc.la * src/rpc/virnetsaslcontext.c, src/rpc/virnetsaslcontext.h: Generic SASL handling code 2010-12-10 12:21:18 +00:00			`*/`

			`#ifndef __VIR_NET_CLIENT_SASL_CONTEXT_H__`
			`# define __VIR_NET_CLIENT_SASL_CONTEXT_H__`

build: workaround broken SASL header (again) Compilation for xdg-app failed due to a buggy SASL headers present on the used runtime (org.gnome.Sdk 3.18). In file included from rpc/virnetsaslcontext.h:24:0, from rpc/virnetsaslcontext.c:25: /usr/include/sasl/sasl.h:230:38: error: unknown type name 'size_t' typedef void sasl_realloc_t(void , size_t); ^ /usr/include/sasl/sasl.h:235:5: error: unknown type name 'sasl_realloc_t' sasl_realloc_t *, Use the same workaround as commit 1be3dfd did. Signed-off-by: Ján Tomko <jtomko@redhat.com> 2016-03-30 06:52:38 +00:00			`# include "internal.h"`
Generic module for handling SASL authentication & encryption This provides two modules for handling SASL * virNetSASLContext provides the process-wide state, currently just a whitelist of usernames on the server and a one time library init call * virNetTLSSession provides the per-connection state, ie the SASL session itself. This also include APIs for providing data encryption/decryption once the session is established * src/Makefile.am: Add to libvirt-net-rpc.la * src/rpc/virnetsaslcontext.c, src/rpc/virnetsaslcontext.h: Generic SASL handling code 2010-12-10 12:21:18 +00:00			`# include <sasl/sasl.h>`

Turn virNetSASLContext and virNetSASLSession into virObject instances Make virNetSASLContext and virNetSASLSession use virObject APIs for reference counting Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-07-11 13:35:49 +00:00			`# include "virobject.h"`
Generic module for handling SASL authentication & encryption This provides two modules for handling SASL * virNetSASLContext provides the process-wide state, currently just a whitelist of usernames on the server and a one time library init call * virNetTLSSession provides the per-connection state, ie the SASL session itself. This also include APIs for providing data encryption/decryption once the session is established * src/Makefile.am: Add to libvirt-net-rpc.la * src/rpc/virnetsaslcontext.c, src/rpc/virnetsaslcontext.h: Generic SASL handling code 2010-12-10 12:21:18 +00:00
			`typedef struct _virNetSASLContext virNetSASLContext;`
			`typedef virNetSASLContext *virNetSASLContextPtr;`

			`typedef struct _virNetSASLSession virNetSASLSession;`
			`typedef virNetSASLSession *virNetSASLSessionPtr;`

			`enum {`
			`VIR_NET_SASL_COMPLETE,`
			`VIR_NET_SASL_CONTINUE,`
			`VIR_NET_SASL_INTERACT,`
			`};`

			`virNetSASLContextPtr virNetSASLContextNewClient(void);`
			`virNetSASLContextPtr virNetSASLContextNewServer(const char constusernameWhitelist);`

			`int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,`
			`const char *identity);`

			`virNetSASLSessionPtr virNetSASLSessionNewClient(virNetSASLContextPtr ctxt,`
			`const char *service,`
			`const char *hostname,`
			`const char *localAddr,`
			`const char *remoteAddr,`
Tie SASL callbacks lifecycle to virNetSessionSASLContext The array of sasl_callback_t callbacks which is passed to sasl_client_new() must be kept alive as long as the created sasl_conn_t object is alive as cyrus-sasl uses this structure internally for things like logging, so the memory used for callbacks must only be freed after sasl_dispose() has been called. During testing of successful SASL logins with virsh -c qemu+tls:///system list --all I've been getting invalid read reports from valgrind ==9237== Invalid read of size 8 ==9237== at 0x6E93B6F: _sasl_getcallback (common.c:1745) ==9237== by 0x6E95430: _sasl_log (common.c:1850) ==9237== by 0x16593D87: digestmd5_client_mech_dispose (digestmd5.c:4580) ==9237== by 0x6E91653: client_dispose (client.c:332) ==9237== by 0x6E9476A: sasl_dispose (common.c:851) ==9237== by 0x4E225A1: virNetSASLSessionDispose (virnetsaslcontext.c:678) ==9237== by 0x4CBC551: virObjectUnref (virobject.c:262) ==9237== by 0x4E254D1: virNetSocketDispose (virnetsocket.c:1042) ==9237== by 0x4CBC551: virObjectUnref (virobject.c:262) ==9237== by 0x4E2701C: virNetSocketEventFree (virnetsocket.c:1794) ==9237== by 0x4C965D3: virEventPollCleanupHandles (vireventpoll.c:583) ==9237== by 0x4C96987: virEventPollRunOnce (vireventpoll.c:652) ==9237== by 0x4C94730: virEventRunDefaultImpl (virevent.c:274) ==9237== by 0x12C7BA: vshEventLoop (virsh.c:2407) ==9237== by 0x4CD3D04: virThreadHelper (virthreadpthread.c:161) ==9237== by 0x7DAEF32: start_thread (pthread_create.c:309) ==9237== by 0x8C86EAC: clone (clone.S:111) ==9237== Address 0xe2d61b0 is 0 bytes inside a block of size 168 free'd ==9237== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==9237== by 0x4C73827: virFree (viralloc.c:580) ==9237== by 0x4DE4BC7: remoteAuthSASL (remote_driver.c:4219) ==9237== by 0x4DE33D0: remoteAuthenticate (remote_driver.c:3639) ==9237== by 0x4DDBFAA: doRemoteOpen (remote_driver.c:832) ==9237== by 0x4DDC8DC: remoteConnectOpen (remote_driver.c:1031) ==9237== by 0x4D8595F: do_open (libvirt.c:1239) ==9237== by 0x4D863F3: virConnectOpenAuth (libvirt.c:1481) ==9237== by 0x12762B: vshReconnect (virsh.c:337) ==9237== by 0x12C9B0: vshInit (virsh.c:2470) ==9237== by 0x12E9A5: main (virsh.c:3338) This commit changes virNetSASLSessionNewClient() to take ownership of the SASL callbacks. Then we can free them in virNetSASLSessionDispose() after the corresponding sasl_conn_t has been freed. 2013-11-22 16:27:21 +00:00			`sasl_callback_t *cbs);`
Generic module for handling SASL authentication & encryption This provides two modules for handling SASL * virNetSASLContext provides the process-wide state, currently just a whitelist of usernames on the server and a one time library init call * virNetTLSSession provides the per-connection state, ie the SASL session itself. This also include APIs for providing data encryption/decryption once the session is established * src/Makefile.am: Add to libvirt-net-rpc.la * src/rpc/virnetsaslcontext.c, src/rpc/virnetsaslcontext.h: Generic SASL handling code 2010-12-10 12:21:18 +00:00			`virNetSASLSessionPtr virNetSASLSessionNewServer(virNetSASLContextPtr ctxt,`
			`const char *service,`
			`const char *localAddr,`
			`const char *remoteAddr);`

			`char *virNetSASLSessionListMechanisms(virNetSASLSessionPtr sasl);`

			`int virNetSASLSessionExtKeySize(virNetSASLSessionPtr sasl,`
			`int ssf);`

			`int virNetSASLSessionGetKeySize(virNetSASLSessionPtr sasl);`

			`const char *virNetSASLSessionGetIdentity(virNetSASLSessionPtr sasl);`

			`int virNetSASLSessionSecProps(virNetSASLSessionPtr sasl,`
			`int minSSF,`
			`int maxSSF,`
			`bool allowAnonymous);`

			`int virNetSASLSessionClientStart(virNetSASLSessionPtr sasl,`
			`const char *mechlist,`
			`sasl_interact_t **prompt_need,`
			`const char **clientout,`
			`size_t *clientoutlen,`
			`const char **mech);`

			`int virNetSASLSessionClientStep(virNetSASLSessionPtr sasl,`
			`const char *serverin,`
			`size_t serverinlen,`
			`sasl_interact_t **prompt_need,`
			`const char **clientout,`
			`size_t *clientoutlen);`

			`int virNetSASLSessionServerStart(virNetSASLSessionPtr sasl,`
			`const char *mechname,`
			`const char *clientin,`
			`size_t clientinlen,`
			`const char **serverout,`
			`size_t *serveroutlen);`

			`int virNetSASLSessionServerStep(virNetSASLSessionPtr sasl,`
			`const char *clientin,`
			`size_t clientinlen,`
			`const char **serverout,`
			`size_t *serveroutlen);`

			`size_t virNetSASLSessionGetMaxBufSize(virNetSASLSessionPtr sasl);`

			`ssize_t virNetSASLSessionEncode(virNetSASLSessionPtr sasl,`
			`const char *input,`
			`size_t inputLen,`
			`const char **output,`
			`size_t *outputlen);`

			`ssize_t virNetSASLSessionDecode(virNetSASLSessionPtr sasl,`
			`const char *input,`
			`size_t inputLen,`
			`const char **output,`
			`size_t *outputlen);`

			`#endif /* __VIR_NET_CLIENT_SASL_CONTEXT_H__ */`