search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Fix bug 7578
[Samba/gebeck_regimport.git] / source4 / auth / gensec / cyrus_sasl.c
blobc4f954442c0df90eb26c972967c572d250497d25
1 /*
2 Unix SMB/CIFS implementation.
3
4 Connect GENSEC to an external SASL lib
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/tsocket/tsocket.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_proto.h"
27 #include <sasl/sasl.h>
28
29 struct gensec_sasl_state {
30 sasl_conn_t *conn;
31 int step;
32 };
33
34 static NTSTATUS sasl_nt_status(int sasl_ret)
35 {
36 switch (sasl_ret) {
37 case SASL_CONTINUE:
38 return NT_STATUS_MORE_PROCESSING_REQUIRED;
39 case SASL_NOMEM:
40 return NT_STATUS_NO_MEMORY;
41 case SASL_BADPARAM:
42 case SASL_NOMECH:
43 return NT_STATUS_INVALID_PARAMETER;
44 case SASL_BADMAC:
45 return NT_STATUS_ACCESS_DENIED;
46 case SASL_OK:
47 return NT_STATUS_OK;
48 default:
49 return NT_STATUS_UNSUCCESSFUL;
50 }
51 }
52
53 static int gensec_sasl_get_user(void *context, int id,
54 const char **result, unsigned *len)
55 {
56 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
57 const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
58 if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
59 return SASL_FAIL;
60 }
61
62 *result = username;
63 return SASL_OK;
64 }
65
66 static int gensec_sasl_get_realm(void *context, int id,
67 const char **availrealms,
68 const char **result)
69 {
70 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
71 const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
72 int i;
73 if (id != SASL_CB_GETREALM) {
74 return SASL_FAIL;
75 }
76
77 for (i=0; availrealms && availrealms[i]; i++) {
78 if (strcasecmp_m(realm, availrealms[i]) == 0) {
79 result[i] = availrealms[i];
80 return SASL_OK;
81 }
82 }
83 /* None of the realms match, so lets not specify one */
84 *result = "";
85 return SASL_OK;
86 }
87
88 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
89 sasl_secret_t **psecret)
90 {
91 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
92 const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
93
94 sasl_secret_t *secret;
95 if (!password) {
96 *psecret = NULL;
97 return SASL_OK;
98 }
99 secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
100 if (!secret) {
101 return SASL_NOMEM;
102 }
103 secret->len = strlen(password);
104 safe_strcpy((char*)secret->data, password, secret->len+1);
105 *psecret = secret;
106 return SASL_OK;
107 }
108
109 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
110 {
111 sasl_dispose(&gensec_sasl_state->conn);
112 return SASL_OK;
113 }
114
115 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
116 {
117 struct gensec_sasl_state *gensec_sasl_state;
118 const char *service = gensec_get_target_service(gensec_security);
119 const char *target_name = gensec_get_target_hostname(gensec_security);
120 const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
121 const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
122 char *local_addr = NULL;
123 char *remote_addr = NULL;
124 int sasl_ret;
125
126 sasl_callback_t *callbacks;
127
128 gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
129 if (!gensec_sasl_state) {
130 return NT_STATUS_NO_MEMORY;
131 }
132
133 callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
134 callbacks[0].id = SASL_CB_USER;
135 callbacks[0].proc = gensec_sasl_get_user;
136 callbacks[0].context = gensec_security;
137
138 callbacks[1].id = SASL_CB_AUTHNAME;
139 callbacks[1].proc = gensec_sasl_get_user;
140 callbacks[1].context = gensec_security;
141
142 callbacks[2].id = SASL_CB_GETREALM;
143 callbacks[2].proc = gensec_sasl_get_realm;
144 callbacks[2].context = gensec_security;
145
146 callbacks[3].id = SASL_CB_PASS;
147 callbacks[3].proc = gensec_sasl_get_password;
148 callbacks[3].context = gensec_security;
149
150 callbacks[4].id = SASL_CB_LIST_END;
151 callbacks[4].proc = NULL;
152 callbacks[4].context = NULL;
153
154 gensec_security->private_data = gensec_sasl_state;
155
156 if (tlocal_addr) {
157 local_addr = talloc_asprintf(gensec_sasl_state,
158 "%s;%d",
159 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
160 tsocket_address_inet_port(tlocal_addr));
161 }
162
163 if (tremote_addr) {
164 remote_addr = talloc_asprintf(gensec_sasl_state,
165 "%s;%d",
166 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
167 tsocket_address_inet_port(tremote_addr));
168 }
169 gensec_sasl_state->step = 0;
170
171 sasl_ret = sasl_client_new(service,
172 target_name,
173 local_addr, remote_addr, callbacks, 0,
174 &gensec_sasl_state->conn);
175
176 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
177 sasl_security_properties_t props;
178 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
179
180 ZERO_STRUCT(props);
181 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
182 props.min_ssf = 1;
183 }
184 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
185 props.min_ssf = 40;
186 }
187
188 props.max_ssf = UINT_MAX;
189 props.maxbufsize = 65536;
190 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
191 if (sasl_ret != SASL_OK) {
192 return sasl_nt_status(sasl_ret);
193 }
194
195 } else {
196 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
197 }
198 return sasl_nt_status(sasl_ret);
199 }
200
201 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
202 TALLOC_CTX *out_mem_ctx,
203 const DATA_BLOB in, DATA_BLOB *out)
204 {
205 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
206 struct gensec_sasl_state);
207 int sasl_ret;
208 const char *out_data;
209 unsigned int out_len;
210
211 if (gensec_sasl_state->step == 0) {
212 const char *mech;
213 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
214 NULL, &out_data, &out_len, &mech);
215 } else {
216 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
217 (char*)in.data, in.length, NULL,
218 &out_data, &out_len);
219 }
220 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
221 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
222 } else {
223 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
224 sasl_errdetail(gensec_sasl_state->conn)));
225 }
226 gensec_sasl_state->step++;
227 return sasl_nt_status(sasl_ret);
228 }
229
230 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
231 TALLOC_CTX *out_mem_ctx,
232 const DATA_BLOB *in,
233 DATA_BLOB *out,
234 size_t *len_processed)
235 {
236 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
237 struct gensec_sasl_state);
238 const char *out_data;
239 unsigned int out_len;
240
241 int sasl_ret = sasl_decode(gensec_sasl_state->conn,
242 (char*)in->data, in->length, &out_data,
243 &out_len);
244 if (sasl_ret == SASL_OK) {
245 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
246 *len_processed = in->length;
247 } else {
248 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
249 }
250 return sasl_nt_status(sasl_ret);
251
252 }
253
254 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
255 TALLOC_CTX *out_mem_ctx,
256 const DATA_BLOB *in,
257 DATA_BLOB *out,
258 size_t *len_processed)
259 {
260 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
261 struct gensec_sasl_state);
262 const char *out_data;
263 unsigned int out_len;
264
265 int sasl_ret = sasl_encode(gensec_sasl_state->conn,
266 (char*)in->data, in->length, &out_data,
267 &out_len);
268 if (sasl_ret == SASL_OK) {
269 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
270 *len_processed = in->length;
271 } else {
272 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
273 }
274 return sasl_nt_status(sasl_ret);
275 }
276
277 /* Try to figure out what features we actually got on the connection */
278 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
279 uint32_t feature)
280 {
281 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
282 struct gensec_sasl_state);
283 sasl_ssf_t ssf;
284 int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
285 (const void**)&ssf);
286 if (sasl_ret != SASL_OK) {
287 return false;
288 }
289 if (feature & GENSEC_FEATURE_SIGN) {
290 if (ssf == 0) {
291 return false;
292 }
293 if (ssf >= 1) {
294 return true;
295 }
296 }
297 if (feature & GENSEC_FEATURE_SEAL) {
298 if (ssf <= 1) {
299 return false;
300 }
301 if (ssf > 1) {
302 return true;
303 }
304 }
305 return false;
306 }
307
308 /* This could in theory work with any SASL mech */
309 static const struct gensec_security_ops gensec_sasl_security_ops = {
310 .name = "sasl-DIGEST-MD5",
311 .sasl_name = "DIGEST-MD5",
312 .client_start = gensec_sasl_client_start,
313 .update = gensec_sasl_update,
314 .wrap_packets = gensec_sasl_wrap_packets,
315 .unwrap_packets = gensec_sasl_unwrap_packets,
316 .have_feature = gensec_sasl_have_feature,
317 .enabled = true,
318 .priority = GENSEC_SASL
319 };
320
321 static int gensec_sasl_log(void *context,
322 int sasl_log_level,
323 const char *message)
324 {
325 int dl;
326 switch (sasl_log_level) {
327 case SASL_LOG_NONE:
328 dl = 0;
329 break;
330 case SASL_LOG_ERR:
331 dl = 1;
332 break;
333 case SASL_LOG_FAIL:
334 dl = 2;
335 break;
336 case SASL_LOG_WARN:
337 dl = 3;
338 break;
339 case SASL_LOG_NOTE:
340 dl = 5;
341 break;
342 case SASL_LOG_DEBUG:
343 dl = 10;
344 break;
345 case SASL_LOG_TRACE:
346 dl = 11;
347 break;
348 #if DEBUG_PASSWORD
349 case SASL_LOG_PASS:
350 dl = 100;
351 break;
352 #endif
353 default:
354 dl = 0;
355 break;
356 }
357 DEBUG(dl, ("gensec_sasl: %s\n", message));
358
359 return SASL_OK;
360 }
361
362 NTSTATUS gensec_sasl_init(void)
363 {
364 NTSTATUS ret;
365 int sasl_ret;
366 #if 0
367 int i;
368 const char **sasl_mechs;
369 #endif
370
371 static const sasl_callback_t callbacks[] = {
372 {
373 .id = SASL_CB_LOG,
374 .proc = gensec_sasl_log,
375 .context = NULL,
376 },
377 {
378 .id = SASL_CB_LIST_END,
379 .proc = gensec_sasl_log,
380 .context = NULL,
381 }
382 };
383 sasl_ret = sasl_client_init(callbacks);
384
385 if (sasl_ret == SASL_NOMECH) {
386 /* Nothing to do here */
387 return NT_STATUS_OK;
388 }
389
390 if (sasl_ret != SASL_OK) {
391 return sasl_nt_status(sasl_ret);
392 }
393
394 /* For now, we just register DIGEST-MD5 */
395 #if 1
396 ret = gensec_register(&gensec_sasl_security_ops);
397 if (!NT_STATUS_IS_OK(ret)) {
398 DEBUG(0,("Failed to register '%s' gensec backend!\n",
399 gensec_sasl_security_ops.name));
400 return ret;
401 }
402 #else
403 sasl_mechs = sasl_global_listmech();
404 for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
405 const struct gensec_security_ops *oldmech;
406 struct gensec_security_ops *newmech;
407 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
408 if (oldmech) {
409 continue;
410 }
411 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
412 if (!newmech) {
413 return NT_STATUS_NO_MEMORY;
414 }
415 *newmech = gensec_sasl_security_ops;
416 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
417 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
418 if (!newmech->sasl_name || !newmech->name) {
419 return NT_STATUS_NO_MEMORY;
420 }
421
422 ret = gensec_register(newmech);
423 if (!NT_STATUS_IS_OK(ret)) {
424 DEBUG(0,("Failed to register '%s' gensec backend!\n",
425 gensec_sasl_security_ops.name));
426 return ret;
427 }
428 }
429 #endif
430 return NT_STATUS_OK;
431 }
reg import