search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
build: Do not rely on sys.platform for ACL tests, combine UnixWare and Solaris ACL...
[Samba/wip.git] / source4 / auth / gensec / cyrus_sasl.c
blob08dccd6f5d1c1547b46fa438197e100cf14601ad
1 /*
2 Unix SMB/CIFS implementation.
3
4 Connect GENSEC to an external SASL lib
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/tsocket/tsocket.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_internal.h"
27 #include "auth/gensec/gensec_proto.h"
28 #include "auth/gensec/gensec_toplevel_proto.h"
29 #include <sasl/sasl.h>
30
31 NTSTATUS gensec_sasl_init(void);
32
33 struct gensec_sasl_state {
34 sasl_conn_t *conn;
35 int step;
36 bool wrap;
37 };
38
39 static NTSTATUS sasl_nt_status(int sasl_ret)
40 {
41 switch (sasl_ret) {
42 case SASL_CONTINUE:
43 return NT_STATUS_MORE_PROCESSING_REQUIRED;
44 case SASL_NOMEM:
45 return NT_STATUS_NO_MEMORY;
46 case SASL_BADPARAM:
47 case SASL_NOMECH:
48 return NT_STATUS_INVALID_PARAMETER;
49 case SASL_BADMAC:
50 return NT_STATUS_ACCESS_DENIED;
51 case SASL_OK:
52 return NT_STATUS_OK;
53 default:
54 return NT_STATUS_UNSUCCESSFUL;
55 }
56 }
57
58 static int gensec_sasl_get_user(void *context, int id,
59 const char **result, unsigned *len)
60 {
61 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
62 const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
63 if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
64 return SASL_FAIL;
65 }
66
67 *result = username;
68 return SASL_OK;
69 }
70
71 static int gensec_sasl_get_realm(void *context, int id,
72 const char **availrealms,
73 const char **result)
74 {
75 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
76 const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
77 int i;
78 if (id != SASL_CB_GETREALM) {
79 return SASL_FAIL;
80 }
81
82 for (i=0; availrealms && availrealms[i]; i++) {
83 if (strcasecmp_m(realm, availrealms[i]) == 0) {
84 result[i] = availrealms[i];
85 return SASL_OK;
86 }
87 }
88 /* None of the realms match, so lets not specify one */
89 *result = "";
90 return SASL_OK;
91 }
92
93 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
94 sasl_secret_t **psecret)
95 {
96 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
97 const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
98
99 sasl_secret_t *secret;
100 if (!password) {
101 *psecret = NULL;
102 return SASL_OK;
103 }
104 secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
105 if (!secret) {
106 return SASL_NOMEM;
107 }
108 secret->len = strlen(password);
109 strlcpy((char*)secret->data, password, secret->len+1);
110 *psecret = secret;
111 return SASL_OK;
112 }
113
114 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
115 {
116 sasl_dispose(&gensec_sasl_state->conn);
117 return SASL_OK;
118 }
119
120 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
121 {
122 struct gensec_sasl_state *gensec_sasl_state;
123 const char *service = gensec_get_target_service(gensec_security);
124 const char *target_name = gensec_get_target_hostname(gensec_security);
125 const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
126 const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
127 char *local_addr = NULL;
128 char *remote_addr = NULL;
129 int sasl_ret;
130
131 sasl_callback_t *callbacks;
132
133 gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
134 if (!gensec_sasl_state) {
135 return NT_STATUS_NO_MEMORY;
136 }
137
138 callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
139 callbacks[0].id = SASL_CB_USER;
140 callbacks[0].proc = gensec_sasl_get_user;
141 callbacks[0].context = gensec_security;
142
143 callbacks[1].id = SASL_CB_AUTHNAME;
144 callbacks[1].proc = gensec_sasl_get_user;
145 callbacks[1].context = gensec_security;
146
147 callbacks[2].id = SASL_CB_GETREALM;
148 callbacks[2].proc = gensec_sasl_get_realm;
149 callbacks[2].context = gensec_security;
150
151 callbacks[3].id = SASL_CB_PASS;
152 callbacks[3].proc = gensec_sasl_get_password;
153 callbacks[3].context = gensec_security;
154
155 callbacks[4].id = SASL_CB_LIST_END;
156 callbacks[4].proc = NULL;
157 callbacks[4].context = NULL;
158
159 gensec_security->private_data = gensec_sasl_state;
160
161 if (tlocal_addr) {
162 local_addr = talloc_asprintf(gensec_sasl_state,
163 "%s;%d",
164 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
165 tsocket_address_inet_port(tlocal_addr));
166 }
167
168 if (tremote_addr) {
169 remote_addr = talloc_asprintf(gensec_sasl_state,
170 "%s;%d",
171 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
172 tsocket_address_inet_port(tremote_addr));
173 }
174 gensec_sasl_state->step = 0;
175
176 sasl_ret = sasl_client_new(service,
177 target_name,
178 local_addr, remote_addr, callbacks, 0,
179 &gensec_sasl_state->conn);
180
181 if (sasl_ret == SASL_OK) {
182 sasl_security_properties_t props;
183 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
184
185 ZERO_STRUCT(props);
186 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
187 props.min_ssf = 1;
188 props.max_ssf = 1;
189 props.maxbufsize = 65536;
190 gensec_sasl_state->wrap = true;
191 }
192 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
193 props.min_ssf = 40;
194 props.max_ssf = UINT_MAX;
195 props.maxbufsize = 65536;
196 gensec_sasl_state->wrap = true;
197 }
198
199 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
200 }
201 if (sasl_ret != SASL_OK) {
202 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
203 }
204 return sasl_nt_status(sasl_ret);
205 }
206
207 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
208 TALLOC_CTX *out_mem_ctx,
209 struct tevent_context *ev,
210 const DATA_BLOB in, DATA_BLOB *out)
211 {
212 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
213 struct gensec_sasl_state);
214 int sasl_ret;
215 const char *out_data;
216 unsigned int out_len;
217
218 if (gensec_sasl_state->step == 0) {
219 const char *mech;
220 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
221 NULL, &out_data, &out_len, &mech);
222 } else {
223 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
224 (char*)in.data, in.length, NULL,
225 &out_data, &out_len);
226 }
227 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
228 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
229 } else {
230 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
231 sasl_errdetail(gensec_sasl_state->conn)));
232 }
233 gensec_sasl_state->step++;
234 return sasl_nt_status(sasl_ret);
235 }
236
237 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
238 TALLOC_CTX *out_mem_ctx,
239 const DATA_BLOB *in,
240 DATA_BLOB *out,
241 size_t *len_processed)
242 {
243 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
244 struct gensec_sasl_state);
245 const char *out_data;
246 unsigned int out_len;
247
248 int sasl_ret = sasl_decode(gensec_sasl_state->conn,
249 (char*)in->data, in->length, &out_data,
250 &out_len);
251 if (sasl_ret == SASL_OK) {
252 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
253 *len_processed = in->length;
254 } else {
255 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
256 }
257 return sasl_nt_status(sasl_ret);
258
259 }
260
261 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
262 TALLOC_CTX *out_mem_ctx,
263 const DATA_BLOB *in,
264 DATA_BLOB *out,
265 size_t *len_processed)
266 {
267 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
268 struct gensec_sasl_state);
269 const char *out_data;
270 unsigned int out_len;
271 unsigned len_permitted;
272 int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
273 (const void**)&len_permitted);
274 if (sasl_ret != SASL_OK) {
275 return sasl_nt_status(sasl_ret);
276 }
277 len_permitted = MIN(len_permitted, in->length);
278
279 sasl_ret = sasl_encode(gensec_sasl_state->conn,
280 (char*)in->data, len_permitted, &out_data,
281 &out_len);
282 if (sasl_ret == SASL_OK) {
283 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
284 *len_processed = in->length;
285 } else {
286 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
287 }
288 return sasl_nt_status(sasl_ret);
289 }
290
291 /* Try to figure out what features we actually got on the connection */
292 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
293 uint32_t feature)
294 {
295 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
296 struct gensec_sasl_state);
297 sasl_ssf_t ssf;
298 int sasl_ret;
299
300 /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
301 if (!gensec_sasl_state->wrap) {
302 return false;
303 }
304
305 sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
306 (const void**)&ssf);
307 if (sasl_ret != SASL_OK) {
308 return false;
309 }
310 if (feature & GENSEC_FEATURE_SIGN) {
311 if (ssf == 0) {
312 return false;
313 }
314 if (ssf >= 1) {
315 return true;
316 }
317 }
318 if (feature & GENSEC_FEATURE_SEAL) {
319 if (ssf <= 1) {
320 return false;
321 }
322 if (ssf > 1) {
323 return true;
324 }
325 }
326 return false;
327 }
328
329 /* This could in theory work with any SASL mech */
330 static const struct gensec_security_ops gensec_sasl_security_ops = {
331 .name = "sasl-DIGEST-MD5",
332 .sasl_name = "DIGEST-MD5",
333 .client_start = gensec_sasl_client_start,
334 .update = gensec_sasl_update,
335 .wrap_packets = gensec_sasl_wrap_packets,
336 .unwrap_packets = gensec_sasl_unwrap_packets,
337 .have_feature = gensec_sasl_have_feature,
338 .enabled = true,
339 .priority = GENSEC_SASL
340 };
341
342 static int gensec_sasl_log(void *context,
343 int sasl_log_level,
344 const char *message)
345 {
346 int dl;
347 switch (sasl_log_level) {
348 case SASL_LOG_NONE:
349 dl = 0;
350 break;
351 case SASL_LOG_ERR:
352 dl = 1;
353 break;
354 case SASL_LOG_FAIL:
355 dl = 2;
356 break;
357 case SASL_LOG_WARN:
358 dl = 3;
359 break;
360 case SASL_LOG_NOTE:
361 dl = 5;
362 break;
363 case SASL_LOG_DEBUG:
364 dl = 10;
365 break;
366 case SASL_LOG_TRACE:
367 dl = 11;
368 break;
369 #if DEBUG_PASSWORD
370 case SASL_LOG_PASS:
371 dl = 100;
372 break;
373 #endif
374 default:
375 dl = 0;
376 break;
377 }
378 DEBUG(dl, ("gensec_sasl: %s\n", message));
379
380 return SASL_OK;
381 }
382
383 NTSTATUS gensec_sasl_init(void)
384 {
385 NTSTATUS ret;
386 int sasl_ret;
387 #if 0
388 int i;
389 const char **sasl_mechs;
390 #endif
391
392 static const sasl_callback_t callbacks[] = {
393 {
394 .id = SASL_CB_LOG,
395 .proc = gensec_sasl_log,
396 .context = NULL,
397 },
398 {
399 .id = SASL_CB_LIST_END,
400 .proc = gensec_sasl_log,
401 .context = NULL,
402 }
403 };
404 sasl_ret = sasl_client_init(callbacks);
405
406 if (sasl_ret == SASL_NOMECH) {
407 /* Nothing to do here */
408 return NT_STATUS_OK;
409 }
410
411 if (sasl_ret != SASL_OK) {
412 return sasl_nt_status(sasl_ret);
413 }
414
415 /* For now, we just register DIGEST-MD5 */
416 #if 1
417 ret = gensec_register(&gensec_sasl_security_ops);
418 if (!NT_STATUS_IS_OK(ret)) {
419 DEBUG(0,("Failed to register '%s' gensec backend!\n",
420 gensec_sasl_security_ops.name));
421 return ret;
422 }
423 #else
424 sasl_mechs = sasl_global_listmech();
425 for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
426 const struct gensec_security_ops *oldmech;
427 struct gensec_security_ops *newmech;
428 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
429 if (oldmech) {
430 continue;
431 }
432 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
433 if (!newmech) {
434 return NT_STATUS_NO_MEMORY;
435 }
436 *newmech = gensec_sasl_security_ops;
437 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
438 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
439 if (!newmech->sasl_name || !newmech->name) {
440 return NT_STATUS_NO_MEMORY;
441 }
442
443 ret = gensec_register(newmech);
444 if (!NT_STATUS_IS_OK(ret)) {
445 DEBUG(0,("Failed to register '%s' gensec backend!\n",
446 gensec_sasl_security_ops.name));
447 return ret;
448 }
449 }
450 #endif
451 return NT_STATUS_OK;
452 }
Anubhav's Work In Progress branches