2 Unix SMB/CIFS implementation.
4 Connect GENSEC to an external SASL lib
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "lib/tsocket/tsocket.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_internal.h"
27 #include "auth/gensec/gensec_proto.h"
28 #include "auth/gensec/gensec_toplevel_proto.h"
29 #include <sasl/sasl.h>
31 NTSTATUS
gensec_sasl_init(void);
33 struct gensec_sasl_state
{
39 static NTSTATUS
sasl_nt_status(int sasl_ret
)
43 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
45 return NT_STATUS_NO_MEMORY
;
48 return NT_STATUS_INVALID_PARAMETER
;
50 return NT_STATUS_ACCESS_DENIED
;
54 return NT_STATUS_UNSUCCESSFUL
;
58 static int gensec_sasl_get_user(void *context
, int id
,
59 const char **result
, unsigned *len
)
61 struct gensec_security
*gensec_security
= talloc_get_type(context
, struct gensec_security
);
62 const char *username
= cli_credentials_get_username(gensec_get_credentials(gensec_security
));
63 if (id
!= SASL_CB_USER
&& id
!= SASL_CB_AUTHNAME
) {
71 static int gensec_sasl_get_realm(void *context
, int id
,
72 const char **availrealms
,
75 struct gensec_security
*gensec_security
= talloc_get_type(context
, struct gensec_security
);
76 const char *realm
= cli_credentials_get_realm(gensec_get_credentials(gensec_security
));
78 if (id
!= SASL_CB_GETREALM
) {
82 for (i
=0; availrealms
&& availrealms
[i
]; i
++) {
83 if (strcasecmp_m(realm
, availrealms
[i
]) == 0) {
84 result
[i
] = availrealms
[i
];
88 /* None of the realms match, so lets not specify one */
93 static int gensec_sasl_get_password(sasl_conn_t
*conn
, void *context
, int id
,
94 sasl_secret_t
**psecret
)
96 struct gensec_security
*gensec_security
= talloc_get_type(context
, struct gensec_security
);
97 const char *password
= cli_credentials_get_password(gensec_get_credentials(gensec_security
));
99 sasl_secret_t
*secret
;
104 secret
= talloc_size(gensec_security
, sizeof(sasl_secret_t
)+strlen(password
)+1);
108 secret
->len
= strlen(password
);
109 strlcpy((char*)secret
->data
, password
, secret
->len
+1);
114 static int gensec_sasl_dispose(struct gensec_sasl_state
*gensec_sasl_state
)
116 sasl_dispose(&gensec_sasl_state
->conn
);
120 static NTSTATUS
gensec_sasl_client_start(struct gensec_security
*gensec_security
)
122 struct gensec_sasl_state
*gensec_sasl_state
;
123 const char *service
= gensec_get_target_service(gensec_security
);
124 const char *target_name
= gensec_get_target_hostname(gensec_security
);
125 const struct tsocket_address
*tlocal_addr
= gensec_get_local_address(gensec_security
);
126 const struct tsocket_address
*tremote_addr
= gensec_get_remote_address(gensec_security
);
127 char *local_addr
= NULL
;
128 char *remote_addr
= NULL
;
131 sasl_callback_t
*callbacks
;
133 gensec_sasl_state
= talloc_zero(gensec_security
, struct gensec_sasl_state
);
134 if (!gensec_sasl_state
) {
135 return NT_STATUS_NO_MEMORY
;
138 callbacks
= talloc_array(gensec_sasl_state
, sasl_callback_t
, 5);
139 callbacks
[0].id
= SASL_CB_USER
;
140 callbacks
[0].proc
= gensec_sasl_get_user
;
141 callbacks
[0].context
= gensec_security
;
143 callbacks
[1].id
= SASL_CB_AUTHNAME
;
144 callbacks
[1].proc
= gensec_sasl_get_user
;
145 callbacks
[1].context
= gensec_security
;
147 callbacks
[2].id
= SASL_CB_GETREALM
;
148 callbacks
[2].proc
= gensec_sasl_get_realm
;
149 callbacks
[2].context
= gensec_security
;
151 callbacks
[3].id
= SASL_CB_PASS
;
152 callbacks
[3].proc
= gensec_sasl_get_password
;
153 callbacks
[3].context
= gensec_security
;
155 callbacks
[4].id
= SASL_CB_LIST_END
;
156 callbacks
[4].proc
= NULL
;
157 callbacks
[4].context
= NULL
;
159 gensec_security
->private_data
= gensec_sasl_state
;
162 local_addr
= talloc_asprintf(gensec_sasl_state
,
164 tsocket_address_inet_addr_string(tlocal_addr
, gensec_sasl_state
),
165 tsocket_address_inet_port(tlocal_addr
));
169 remote_addr
= talloc_asprintf(gensec_sasl_state
,
171 tsocket_address_inet_addr_string(tremote_addr
, gensec_sasl_state
),
172 tsocket_address_inet_port(tremote_addr
));
174 gensec_sasl_state
->step
= 0;
176 sasl_ret
= sasl_client_new(service
,
178 local_addr
, remote_addr
, callbacks
, 0,
179 &gensec_sasl_state
->conn
);
181 if (sasl_ret
== SASL_OK
) {
182 sasl_security_properties_t props
;
183 talloc_set_destructor(gensec_sasl_state
, gensec_sasl_dispose
);
186 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
189 props
.maxbufsize
= 65536;
190 gensec_sasl_state
->wrap
= true;
192 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
194 props
.max_ssf
= UINT_MAX
;
195 props
.maxbufsize
= 65536;
196 gensec_sasl_state
->wrap
= true;
199 sasl_ret
= sasl_setprop(gensec_sasl_state
->conn
, SASL_SEC_PROPS
, &props
);
201 if (sasl_ret
!= SASL_OK
) {
202 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state
->conn
)));
204 return sasl_nt_status(sasl_ret
);
207 static NTSTATUS
gensec_sasl_update(struct gensec_security
*gensec_security
,
208 TALLOC_CTX
*out_mem_ctx
,
209 struct tevent_context
*ev
,
210 const DATA_BLOB in
, DATA_BLOB
*out
)
212 struct gensec_sasl_state
*gensec_sasl_state
= talloc_get_type(gensec_security
->private_data
,
213 struct gensec_sasl_state
);
215 const char *out_data
;
216 unsigned int out_len
;
218 if (gensec_sasl_state
->step
== 0) {
220 sasl_ret
= sasl_client_start(gensec_sasl_state
->conn
, gensec_security
->ops
->sasl_name
,
221 NULL
, &out_data
, &out_len
, &mech
);
223 sasl_ret
= sasl_client_step(gensec_sasl_state
->conn
,
224 (char*)in
.data
, in
.length
, NULL
,
225 &out_data
, &out_len
);
227 if (sasl_ret
== SASL_OK
|| sasl_ret
== SASL_CONTINUE
) {
228 *out
= data_blob_talloc(out_mem_ctx
, out_data
, out_len
);
230 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state
->step
,
231 sasl_errdetail(gensec_sasl_state
->conn
)));
233 gensec_sasl_state
->step
++;
234 return sasl_nt_status(sasl_ret
);
237 static NTSTATUS
gensec_sasl_unwrap_packets(struct gensec_security
*gensec_security
,
238 TALLOC_CTX
*out_mem_ctx
,
241 size_t *len_processed
)
243 struct gensec_sasl_state
*gensec_sasl_state
= talloc_get_type(gensec_security
->private_data
,
244 struct gensec_sasl_state
);
245 const char *out_data
;
246 unsigned int out_len
;
248 int sasl_ret
= sasl_decode(gensec_sasl_state
->conn
,
249 (char*)in
->data
, in
->length
, &out_data
,
251 if (sasl_ret
== SASL_OK
) {
252 *out
= data_blob_talloc(out_mem_ctx
, out_data
, out_len
);
253 *len_processed
= in
->length
;
255 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state
->conn
)));
257 return sasl_nt_status(sasl_ret
);
261 static NTSTATUS
gensec_sasl_wrap_packets(struct gensec_security
*gensec_security
,
262 TALLOC_CTX
*out_mem_ctx
,
265 size_t *len_processed
)
267 struct gensec_sasl_state
*gensec_sasl_state
= talloc_get_type(gensec_security
->private_data
,
268 struct gensec_sasl_state
);
269 const char *out_data
;
270 unsigned int out_len
;
271 unsigned len_permitted
;
272 int sasl_ret
= sasl_getprop(gensec_sasl_state
->conn
, SASL_SSF
,
273 (const void**)&len_permitted
);
274 if (sasl_ret
!= SASL_OK
) {
275 return sasl_nt_status(sasl_ret
);
277 len_permitted
= MIN(len_permitted
, in
->length
);
279 sasl_ret
= sasl_encode(gensec_sasl_state
->conn
,
280 (char*)in
->data
, len_permitted
, &out_data
,
282 if (sasl_ret
== SASL_OK
) {
283 *out
= data_blob_talloc(out_mem_ctx
, out_data
, out_len
);
284 *len_processed
= in
->length
;
286 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state
->conn
)));
288 return sasl_nt_status(sasl_ret
);
291 /* Try to figure out what features we actually got on the connection */
292 static bool gensec_sasl_have_feature(struct gensec_security
*gensec_security
,
295 struct gensec_sasl_state
*gensec_sasl_state
= talloc_get_type(gensec_security
->private_data
,
296 struct gensec_sasl_state
);
300 /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
301 if (!gensec_sasl_state
->wrap
) {
305 sasl_ret
= sasl_getprop(gensec_sasl_state
->conn
, SASL_SSF
,
307 if (sasl_ret
!= SASL_OK
) {
310 if (feature
& GENSEC_FEATURE_SIGN
) {
318 if (feature
& GENSEC_FEATURE_SEAL
) {
329 /* This could in theory work with any SASL mech */
330 static const struct gensec_security_ops gensec_sasl_security_ops
= {
331 .name
= "sasl-DIGEST-MD5",
332 .sasl_name
= "DIGEST-MD5",
333 .client_start
= gensec_sasl_client_start
,
334 .update
= gensec_sasl_update
,
335 .wrap_packets
= gensec_sasl_wrap_packets
,
336 .unwrap_packets
= gensec_sasl_unwrap_packets
,
337 .have_feature
= gensec_sasl_have_feature
,
339 .priority
= GENSEC_SASL
342 static int gensec_sasl_log(void *context
,
347 switch (sasl_log_level
) {
378 DEBUG(dl
, ("gensec_sasl: %s\n", message
));
383 NTSTATUS
gensec_sasl_init(void)
389 const char **sasl_mechs
;
392 static const sasl_callback_t callbacks
[] = {
395 .proc
= gensec_sasl_log
,
399 .id
= SASL_CB_LIST_END
,
400 .proc
= gensec_sasl_log
,
404 sasl_ret
= sasl_client_init(callbacks
);
406 if (sasl_ret
== SASL_NOMECH
) {
407 /* Nothing to do here */
411 if (sasl_ret
!= SASL_OK
) {
412 return sasl_nt_status(sasl_ret
);
415 /* For now, we just register DIGEST-MD5 */
417 ret
= gensec_register(&gensec_sasl_security_ops
);
418 if (!NT_STATUS_IS_OK(ret
)) {
419 DEBUG(0,("Failed to register '%s' gensec backend!\n",
420 gensec_sasl_security_ops
.name
));
424 sasl_mechs
= sasl_global_listmech();
425 for (i
= 0; sasl_mechs
&& sasl_mechs
[i
]; i
++) {
426 const struct gensec_security_ops
*oldmech
;
427 struct gensec_security_ops
*newmech
;
428 oldmech
= gensec_security_by_sasl_name(NULL
, sasl_mechs
[i
]);
432 newmech
= talloc(talloc_autofree_context(), struct gensec_security_ops
);
434 return NT_STATUS_NO_MEMORY
;
436 *newmech
= gensec_sasl_security_ops
;
437 newmech
->sasl_name
= talloc_strdup(newmech
, sasl_mechs
[i
]);
438 newmech
->name
= talloc_asprintf(newmech
, "sasl-%s", sasl_mechs
[i
]);
439 if (!newmech
->sasl_name
|| !newmech
->name
) {
440 return NT_STATUS_NO_MEMORY
;
443 ret
= gensec_register(newmech
);
444 if (!NT_STATUS_IS_OK(ret
)) {
445 DEBUG(0,("Failed to register '%s' gensec backend!\n",
446 gensec_sasl_security_ops
.name
));