search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dns: The QCLASS is called IN, not IP
[Samba/gebeck_regimport.git] / source4 / auth / gensec / cyrus_sasl.c
blob4a4422645d8432a1c6bafe31c0ad68e83e0a94a4
1 /*
2 Unix SMB/CIFS implementation.
3
4 Connect GENSEC to an external SASL lib
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/tsocket/tsocket.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_proto.h"
27 #include <sasl/sasl.h>
28
29 NTSTATUS gensec_sasl_init(void);
30
31 struct gensec_sasl_state {
32 sasl_conn_t *conn;
33 int step;
34 bool wrap;
35 };
36
37 static NTSTATUS sasl_nt_status(int sasl_ret)
38 {
39 switch (sasl_ret) {
40 case SASL_CONTINUE:
41 return NT_STATUS_MORE_PROCESSING_REQUIRED;
42 case SASL_NOMEM:
43 return NT_STATUS_NO_MEMORY;
44 case SASL_BADPARAM:
45 case SASL_NOMECH:
46 return NT_STATUS_INVALID_PARAMETER;
47 case SASL_BADMAC:
48 return NT_STATUS_ACCESS_DENIED;
49 case SASL_OK:
50 return NT_STATUS_OK;
51 default:
52 return NT_STATUS_UNSUCCESSFUL;
53 }
54 }
55
56 static int gensec_sasl_get_user(void *context, int id,
57 const char **result, unsigned *len)
58 {
59 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
60 const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
61 if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
62 return SASL_FAIL;
63 }
64
65 *result = username;
66 return SASL_OK;
67 }
68
69 static int gensec_sasl_get_realm(void *context, int id,
70 const char **availrealms,
71 const char **result)
72 {
73 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
74 const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
75 int i;
76 if (id != SASL_CB_GETREALM) {
77 return SASL_FAIL;
78 }
79
80 for (i=0; availrealms && availrealms[i]; i++) {
81 if (strcasecmp_m(realm, availrealms[i]) == 0) {
82 result[i] = availrealms[i];
83 return SASL_OK;
84 }
85 }
86 /* None of the realms match, so lets not specify one */
87 *result = "";
88 return SASL_OK;
89 }
90
91 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
92 sasl_secret_t **psecret)
93 {
94 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
95 const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
96
97 sasl_secret_t *secret;
98 if (!password) {
99 *psecret = NULL;
100 return SASL_OK;
101 }
102 secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
103 if (!secret) {
104 return SASL_NOMEM;
105 }
106 secret->len = strlen(password);
107 strlcpy((char*)secret->data, password, secret->len+1);
108 *psecret = secret;
109 return SASL_OK;
110 }
111
112 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
113 {
114 sasl_dispose(&gensec_sasl_state->conn);
115 return SASL_OK;
116 }
117
118 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
119 {
120 struct gensec_sasl_state *gensec_sasl_state;
121 const char *service = gensec_get_target_service(gensec_security);
122 const char *target_name = gensec_get_target_hostname(gensec_security);
123 const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
124 const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
125 char *local_addr = NULL;
126 char *remote_addr = NULL;
127 int sasl_ret;
128
129 sasl_callback_t *callbacks;
130
131 gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
132 if (!gensec_sasl_state) {
133 return NT_STATUS_NO_MEMORY;
134 }
135
136 callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
137 callbacks[0].id = SASL_CB_USER;
138 callbacks[0].proc = gensec_sasl_get_user;
139 callbacks[0].context = gensec_security;
140
141 callbacks[1].id = SASL_CB_AUTHNAME;
142 callbacks[1].proc = gensec_sasl_get_user;
143 callbacks[1].context = gensec_security;
144
145 callbacks[2].id = SASL_CB_GETREALM;
146 callbacks[2].proc = gensec_sasl_get_realm;
147 callbacks[2].context = gensec_security;
148
149 callbacks[3].id = SASL_CB_PASS;
150 callbacks[3].proc = gensec_sasl_get_password;
151 callbacks[3].context = gensec_security;
152
153 callbacks[4].id = SASL_CB_LIST_END;
154 callbacks[4].proc = NULL;
155 callbacks[4].context = NULL;
156
157 gensec_security->private_data = gensec_sasl_state;
158
159 if (tlocal_addr) {
160 local_addr = talloc_asprintf(gensec_sasl_state,
161 "%s;%d",
162 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
163 tsocket_address_inet_port(tlocal_addr));
164 }
165
166 if (tremote_addr) {
167 remote_addr = talloc_asprintf(gensec_sasl_state,
168 "%s;%d",
169 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
170 tsocket_address_inet_port(tremote_addr));
171 }
172 gensec_sasl_state->step = 0;
173
174 sasl_ret = sasl_client_new(service,
175 target_name,
176 local_addr, remote_addr, callbacks, 0,
177 &gensec_sasl_state->conn);
178
179 if (sasl_ret == SASL_OK) {
180 sasl_security_properties_t props;
181 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
182
183 ZERO_STRUCT(props);
184 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
185 props.min_ssf = 1;
186 props.max_ssf = 1;
187 props.maxbufsize = 65536;
188 gensec_sasl_state->wrap = true;
189 }
190 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
191 props.min_ssf = 40;
192 props.max_ssf = UINT_MAX;
193 props.maxbufsize = 65536;
194 gensec_sasl_state->wrap = true;
195 }
196
197 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
198 }
199 if (sasl_ret != SASL_OK) {
200 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
201 }
202 return sasl_nt_status(sasl_ret);
203 }
204
205 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
206 TALLOC_CTX *out_mem_ctx,
207 const DATA_BLOB in, DATA_BLOB *out)
208 {
209 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
210 struct gensec_sasl_state);
211 int sasl_ret;
212 const char *out_data;
213 unsigned int out_len;
214
215 if (gensec_sasl_state->step == 0) {
216 const char *mech;
217 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
218 NULL, &out_data, &out_len, &mech);
219 } else {
220 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
221 (char*)in.data, in.length, NULL,
222 &out_data, &out_len);
223 }
224 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
225 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
226 } else {
227 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
228 sasl_errdetail(gensec_sasl_state->conn)));
229 }
230 gensec_sasl_state->step++;
231 return sasl_nt_status(sasl_ret);
232 }
233
234 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
235 TALLOC_CTX *out_mem_ctx,
236 const DATA_BLOB *in,
237 DATA_BLOB *out,
238 size_t *len_processed)
239 {
240 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
241 struct gensec_sasl_state);
242 const char *out_data;
243 unsigned int out_len;
244
245 int sasl_ret = sasl_decode(gensec_sasl_state->conn,
246 (char*)in->data, in->length, &out_data,
247 &out_len);
248 if (sasl_ret == SASL_OK) {
249 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
250 *len_processed = in->length;
251 } else {
252 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
253 }
254 return sasl_nt_status(sasl_ret);
255
256 }
257
258 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
259 TALLOC_CTX *out_mem_ctx,
260 const DATA_BLOB *in,
261 DATA_BLOB *out,
262 size_t *len_processed)
263 {
264 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
265 struct gensec_sasl_state);
266 const char *out_data;
267 unsigned int out_len;
268 unsigned len_permitted;
269 int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
270 (const void**)&len_permitted);
271 if (sasl_ret != SASL_OK) {
272 return sasl_nt_status(sasl_ret);
273 }
274 len_permitted = MIN(len_permitted, in->length);
275
276 sasl_ret = sasl_encode(gensec_sasl_state->conn,
277 (char*)in->data, len_permitted, &out_data,
278 &out_len);
279 if (sasl_ret == SASL_OK) {
280 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
281 *len_processed = in->length;
282 } else {
283 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
284 }
285 return sasl_nt_status(sasl_ret);
286 }
287
288 /* Try to figure out what features we actually got on the connection */
289 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
290 uint32_t feature)
291 {
292 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
293 struct gensec_sasl_state);
294 sasl_ssf_t ssf;
295 int sasl_ret;
296
297 /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
298 if (!gensec_sasl_state->wrap) {
299 return false;
300 }
301
302 sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
303 (const void**)&ssf);
304 if (sasl_ret != SASL_OK) {
305 return false;
306 }
307 if (feature & GENSEC_FEATURE_SIGN) {
308 if (ssf == 0) {
309 return false;
310 }
311 if (ssf >= 1) {
312 return true;
313 }
314 }
315 if (feature & GENSEC_FEATURE_SEAL) {
316 if (ssf <= 1) {
317 return false;
318 }
319 if (ssf > 1) {
320 return true;
321 }
322 }
323 return false;
324 }
325
326 /* This could in theory work with any SASL mech */
327 static const struct gensec_security_ops gensec_sasl_security_ops = {
328 .name = "sasl-DIGEST-MD5",
329 .sasl_name = "DIGEST-MD5",
330 .client_start = gensec_sasl_client_start,
331 .update = gensec_sasl_update,
332 .wrap_packets = gensec_sasl_wrap_packets,
333 .unwrap_packets = gensec_sasl_unwrap_packets,
334 .have_feature = gensec_sasl_have_feature,
335 .enabled = true,
336 .priority = GENSEC_SASL
337 };
338
339 static int gensec_sasl_log(void *context,
340 int sasl_log_level,
341 const char *message)
342 {
343 int dl;
344 switch (sasl_log_level) {
345 case SASL_LOG_NONE:
346 dl = 0;
347 break;
348 case SASL_LOG_ERR:
349 dl = 1;
350 break;
351 case SASL_LOG_FAIL:
352 dl = 2;
353 break;
354 case SASL_LOG_WARN:
355 dl = 3;
356 break;
357 case SASL_LOG_NOTE:
358 dl = 5;
359 break;
360 case SASL_LOG_DEBUG:
361 dl = 10;
362 break;
363 case SASL_LOG_TRACE:
364 dl = 11;
365 break;
366 #if DEBUG_PASSWORD
367 case SASL_LOG_PASS:
368 dl = 100;
369 break;
370 #endif
371 default:
372 dl = 0;
373 break;
374 }
375 DEBUG(dl, ("gensec_sasl: %s\n", message));
376
377 return SASL_OK;
378 }
379
380 NTSTATUS gensec_sasl_init(void)
381 {
382 NTSTATUS ret;
383 int sasl_ret;
384 #if 0
385 int i;
386 const char **sasl_mechs;
387 #endif
388
389 static const sasl_callback_t callbacks[] = {
390 {
391 .id = SASL_CB_LOG,
392 .proc = gensec_sasl_log,
393 .context = NULL,
394 },
395 {
396 .id = SASL_CB_LIST_END,
397 .proc = gensec_sasl_log,
398 .context = NULL,
399 }
400 };
401 sasl_ret = sasl_client_init(callbacks);
402
403 if (sasl_ret == SASL_NOMECH) {
404 /* Nothing to do here */
405 return NT_STATUS_OK;
406 }
407
408 if (sasl_ret != SASL_OK) {
409 return sasl_nt_status(sasl_ret);
410 }
411
412 /* For now, we just register DIGEST-MD5 */
413 #if 1
414 ret = gensec_register(&gensec_sasl_security_ops);
415 if (!NT_STATUS_IS_OK(ret)) {
416 DEBUG(0,("Failed to register '%s' gensec backend!\n",
417 gensec_sasl_security_ops.name));
418 return ret;
419 }
420 #else
421 sasl_mechs = sasl_global_listmech();
422 for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
423 const struct gensec_security_ops *oldmech;
424 struct gensec_security_ops *newmech;
425 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
426 if (oldmech) {
427 continue;
428 }
429 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
430 if (!newmech) {
431 return NT_STATUS_NO_MEMORY;
432 }
433 *newmech = gensec_sasl_security_ops;
434 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
435 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
436 if (!newmech->sasl_name || !newmech->name) {
437 return NT_STATUS_NO_MEMORY;
438 }
439
440 ret = gensec_register(newmech);
441 if (!NT_STATUS_IS_OK(ret)) {
442 DEBUG(0,("Failed to register '%s' gensec backend!\n",
443 gensec_sasl_security_ops.name));
444 return ret;
445 }
446 }
447 #endif
448 return NT_STATUS_OK;
449 }
reg import