search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:smbd/close: remove unused goto out from close_directory()
[Samba/gebeck_regimport.git] / source4 / auth / gensec / cyrus_sasl.c
blob2e733bfe0b9f76f7b9083d999093dc254ceb6536
1 /*
2 Unix SMB/CIFS implementation.
3
4 Connect GENSEC to an external SASL lib
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/tsocket/tsocket.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_proto.h"
27 #include "auth/gensec/gensec_toplevel_proto.h"
28 #include <sasl/sasl.h>
29
30 NTSTATUS gensec_sasl_init(void);
31
32 struct gensec_sasl_state {
33 sasl_conn_t *conn;
34 int step;
35 bool wrap;
36 };
37
38 static NTSTATUS sasl_nt_status(int sasl_ret)
39 {
40 switch (sasl_ret) {
41 case SASL_CONTINUE:
42 return NT_STATUS_MORE_PROCESSING_REQUIRED;
43 case SASL_NOMEM:
44 return NT_STATUS_NO_MEMORY;
45 case SASL_BADPARAM:
46 case SASL_NOMECH:
47 return NT_STATUS_INVALID_PARAMETER;
48 case SASL_BADMAC:
49 return NT_STATUS_ACCESS_DENIED;
50 case SASL_OK:
51 return NT_STATUS_OK;
52 default:
53 return NT_STATUS_UNSUCCESSFUL;
54 }
55 }
56
57 static int gensec_sasl_get_user(void *context, int id,
58 const char **result, unsigned *len)
59 {
60 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
61 const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
62 if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
63 return SASL_FAIL;
64 }
65
66 *result = username;
67 return SASL_OK;
68 }
69
70 static int gensec_sasl_get_realm(void *context, int id,
71 const char **availrealms,
72 const char **result)
73 {
74 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
75 const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
76 int i;
77 if (id != SASL_CB_GETREALM) {
78 return SASL_FAIL;
79 }
80
81 for (i=0; availrealms && availrealms[i]; i++) {
82 if (strcasecmp_m(realm, availrealms[i]) == 0) {
83 result[i] = availrealms[i];
84 return SASL_OK;
85 }
86 }
87 /* None of the realms match, so lets not specify one */
88 *result = "";
89 return SASL_OK;
90 }
91
92 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
93 sasl_secret_t **psecret)
94 {
95 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
96 const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
97
98 sasl_secret_t *secret;
99 if (!password) {
100 *psecret = NULL;
101 return SASL_OK;
102 }
103 secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
104 if (!secret) {
105 return SASL_NOMEM;
106 }
107 secret->len = strlen(password);
108 strlcpy((char*)secret->data, password, secret->len+1);
109 *psecret = secret;
110 return SASL_OK;
111 }
112
113 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
114 {
115 sasl_dispose(&gensec_sasl_state->conn);
116 return SASL_OK;
117 }
118
119 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
120 {
121 struct gensec_sasl_state *gensec_sasl_state;
122 const char *service = gensec_get_target_service(gensec_security);
123 const char *target_name = gensec_get_target_hostname(gensec_security);
124 const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
125 const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
126 char *local_addr = NULL;
127 char *remote_addr = NULL;
128 int sasl_ret;
129
130 sasl_callback_t *callbacks;
131
132 gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
133 if (!gensec_sasl_state) {
134 return NT_STATUS_NO_MEMORY;
135 }
136
137 callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
138 callbacks[0].id = SASL_CB_USER;
139 callbacks[0].proc = gensec_sasl_get_user;
140 callbacks[0].context = gensec_security;
141
142 callbacks[1].id = SASL_CB_AUTHNAME;
143 callbacks[1].proc = gensec_sasl_get_user;
144 callbacks[1].context = gensec_security;
145
146 callbacks[2].id = SASL_CB_GETREALM;
147 callbacks[2].proc = gensec_sasl_get_realm;
148 callbacks[2].context = gensec_security;
149
150 callbacks[3].id = SASL_CB_PASS;
151 callbacks[3].proc = gensec_sasl_get_password;
152 callbacks[3].context = gensec_security;
153
154 callbacks[4].id = SASL_CB_LIST_END;
155 callbacks[4].proc = NULL;
156 callbacks[4].context = NULL;
157
158 gensec_security->private_data = gensec_sasl_state;
159
160 if (tlocal_addr) {
161 local_addr = talloc_asprintf(gensec_sasl_state,
162 "%s;%d",
163 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
164 tsocket_address_inet_port(tlocal_addr));
165 }
166
167 if (tremote_addr) {
168 remote_addr = talloc_asprintf(gensec_sasl_state,
169 "%s;%d",
170 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
171 tsocket_address_inet_port(tremote_addr));
172 }
173 gensec_sasl_state->step = 0;
174
175 sasl_ret = sasl_client_new(service,
176 target_name,
177 local_addr, remote_addr, callbacks, 0,
178 &gensec_sasl_state->conn);
179
180 if (sasl_ret == SASL_OK) {
181 sasl_security_properties_t props;
182 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
183
184 ZERO_STRUCT(props);
185 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
186 props.min_ssf = 1;
187 props.max_ssf = 1;
188 props.maxbufsize = 65536;
189 gensec_sasl_state->wrap = true;
190 }
191 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
192 props.min_ssf = 40;
193 props.max_ssf = UINT_MAX;
194 props.maxbufsize = 65536;
195 gensec_sasl_state->wrap = true;
196 }
197
198 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
199 }
200 if (sasl_ret != SASL_OK) {
201 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
202 }
203 return sasl_nt_status(sasl_ret);
204 }
205
206 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
207 TALLOC_CTX *out_mem_ctx,
208 struct tevent_context *ev,
209 const DATA_BLOB in, DATA_BLOB *out)
210 {
211 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
212 struct gensec_sasl_state);
213 int sasl_ret;
214 const char *out_data;
215 unsigned int out_len;
216
217 if (gensec_sasl_state->step == 0) {
218 const char *mech;
219 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
220 NULL, &out_data, &out_len, &mech);
221 } else {
222 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
223 (char*)in.data, in.length, NULL,
224 &out_data, &out_len);
225 }
226 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
227 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
228 } else {
229 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
230 sasl_errdetail(gensec_sasl_state->conn)));
231 }
232 gensec_sasl_state->step++;
233 return sasl_nt_status(sasl_ret);
234 }
235
236 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
237 TALLOC_CTX *out_mem_ctx,
238 const DATA_BLOB *in,
239 DATA_BLOB *out,
240 size_t *len_processed)
241 {
242 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
243 struct gensec_sasl_state);
244 const char *out_data;
245 unsigned int out_len;
246
247 int sasl_ret = sasl_decode(gensec_sasl_state->conn,
248 (char*)in->data, in->length, &out_data,
249 &out_len);
250 if (sasl_ret == SASL_OK) {
251 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
252 *len_processed = in->length;
253 } else {
254 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
255 }
256 return sasl_nt_status(sasl_ret);
257
258 }
259
260 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
261 TALLOC_CTX *out_mem_ctx,
262 const DATA_BLOB *in,
263 DATA_BLOB *out,
264 size_t *len_processed)
265 {
266 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
267 struct gensec_sasl_state);
268 const char *out_data;
269 unsigned int out_len;
270 unsigned len_permitted;
271 int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
272 (const void**)&len_permitted);
273 if (sasl_ret != SASL_OK) {
274 return sasl_nt_status(sasl_ret);
275 }
276 len_permitted = MIN(len_permitted, in->length);
277
278 sasl_ret = sasl_encode(gensec_sasl_state->conn,
279 (char*)in->data, len_permitted, &out_data,
280 &out_len);
281 if (sasl_ret == SASL_OK) {
282 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
283 *len_processed = in->length;
284 } else {
285 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
286 }
287 return sasl_nt_status(sasl_ret);
288 }
289
290 /* Try to figure out what features we actually got on the connection */
291 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
292 uint32_t feature)
293 {
294 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
295 struct gensec_sasl_state);
296 sasl_ssf_t ssf;
297 int sasl_ret;
298
299 /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
300 if (!gensec_sasl_state->wrap) {
301 return false;
302 }
303
304 sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
305 (const void**)&ssf);
306 if (sasl_ret != SASL_OK) {
307 return false;
308 }
309 if (feature & GENSEC_FEATURE_SIGN) {
310 if (ssf == 0) {
311 return false;
312 }
313 if (ssf >= 1) {
314 return true;
315 }
316 }
317 if (feature & GENSEC_FEATURE_SEAL) {
318 if (ssf <= 1) {
319 return false;
320 }
321 if (ssf > 1) {
322 return true;
323 }
324 }
325 return false;
326 }
327
328 /* This could in theory work with any SASL mech */
329 static const struct gensec_security_ops gensec_sasl_security_ops = {
330 .name = "sasl-DIGEST-MD5",
331 .sasl_name = "DIGEST-MD5",
332 .client_start = gensec_sasl_client_start,
333 .update = gensec_sasl_update,
334 .wrap_packets = gensec_sasl_wrap_packets,
335 .unwrap_packets = gensec_sasl_unwrap_packets,
336 .have_feature = gensec_sasl_have_feature,
337 .enabled = true,
338 .priority = GENSEC_SASL
339 };
340
341 static int gensec_sasl_log(void *context,
342 int sasl_log_level,
343 const char *message)
344 {
345 int dl;
346 switch (sasl_log_level) {
347 case SASL_LOG_NONE:
348 dl = 0;
349 break;
350 case SASL_LOG_ERR:
351 dl = 1;
352 break;
353 case SASL_LOG_FAIL:
354 dl = 2;
355 break;
356 case SASL_LOG_WARN:
357 dl = 3;
358 break;
359 case SASL_LOG_NOTE:
360 dl = 5;
361 break;
362 case SASL_LOG_DEBUG:
363 dl = 10;
364 break;
365 case SASL_LOG_TRACE:
366 dl = 11;
367 break;
368 #if DEBUG_PASSWORD
369 case SASL_LOG_PASS:
370 dl = 100;
371 break;
372 #endif
373 default:
374 dl = 0;
375 break;
376 }
377 DEBUG(dl, ("gensec_sasl: %s\n", message));
378
379 return SASL_OK;
380 }
381
382 NTSTATUS gensec_sasl_init(void)
383 {
384 NTSTATUS ret;
385 int sasl_ret;
386 #if 0
387 int i;
388 const char **sasl_mechs;
389 #endif
390
391 static const sasl_callback_t callbacks[] = {
392 {
393 .id = SASL_CB_LOG,
394 .proc = gensec_sasl_log,
395 .context = NULL,
396 },
397 {
398 .id = SASL_CB_LIST_END,
399 .proc = gensec_sasl_log,
400 .context = NULL,
401 }
402 };
403 sasl_ret = sasl_client_init(callbacks);
404
405 if (sasl_ret == SASL_NOMECH) {
406 /* Nothing to do here */
407 return NT_STATUS_OK;
408 }
409
410 if (sasl_ret != SASL_OK) {
411 return sasl_nt_status(sasl_ret);
412 }
413
414 /* For now, we just register DIGEST-MD5 */
415 #if 1
416 ret = gensec_register(&gensec_sasl_security_ops);
417 if (!NT_STATUS_IS_OK(ret)) {
418 DEBUG(0,("Failed to register '%s' gensec backend!\n",
419 gensec_sasl_security_ops.name));
420 return ret;
421 }
422 #else
423 sasl_mechs = sasl_global_listmech();
424 for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
425 const struct gensec_security_ops *oldmech;
426 struct gensec_security_ops *newmech;
427 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
428 if (oldmech) {
429 continue;
430 }
431 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
432 if (!newmech) {
433 return NT_STATUS_NO_MEMORY;
434 }
435 *newmech = gensec_sasl_security_ops;
436 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
437 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
438 if (!newmech->sasl_name || !newmech->name) {
439 return NT_STATUS_NO_MEMORY;
440 }
441
442 ret = gensec_register(newmech);
443 if (!NT_STATUS_IS_OK(ret)) {
444 DEBUG(0,("Failed to register '%s' gensec backend!\n",
445 gensec_sasl_security_ops.name));
446 return ret;
447 }
448 }
449 #endif
450 return NT_STATUS_OK;
451 }
reg import