2 Unix SMB/CIFS implementation.
4 Connect GENSEC to an external SASL lib
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "auth/auth.h"
25 #include "auth/credentials/credentials.h"
26 #include "auth/gensec/gensec.h"
27 #include "lib/socket/socket.h"
28 #include <sasl/sasl.h>
30 struct gensec_sasl_state {
35 static NTSTATUS sasl_nt_status(int sasl_ret)
39 return NT_STATUS_MORE_PROCESSING_REQUIRED;
41 return NT_STATUS_NO_MEMORY;
44 return NT_STATUS_INVALID_PARAMETER;
46 return NT_STATUS_ACCESS_DENIED;
50 return NT_STATUS_UNSUCCESSFUL;
54 static int gensec_sasl_get_user(void *context, int id,
55 const char **result, unsigned *len)
57 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
58 const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
59 if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
67 static int gensec_sasl_get_realm(void *context, int id,
68 const char **availrealms,
71 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
72 const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
74 if (id != SASL_CB_GETREALM) {
78 for (i=0; availrealms && availrealms[i]; i++) {
79 if (strcasecmp_m(realm, availrealms[i]) == 0) {
80 result[i] = availrealms[i];
84 /* None of the realms match, so lets not specify one */
89 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
90 sasl_secret_t **psecret)
92 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
93 const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
95 sasl_secret_t *secret;
100 secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
104 secret->len = strlen(password);
105 safe_strcpy(secret->data, password, secret->len+1);
110 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
112 sasl_dispose(&gensec_sasl_state->conn);
116 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
118 struct gensec_sasl_state *gensec_sasl_state;
119 const char *service = gensec_get_target_service(gensec_security);
120 const char *target_name = gensec_get_target_hostname(gensec_security);
121 struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
122 struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
123 char *local_addr = NULL;
124 char *remote_addr = NULL;
127 sasl_callback_t *callbacks;
129 gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
130 if (!gensec_sasl_state) {
131 return NT_STATUS_NO_MEMORY;
134 callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
135 callbacks[0].id = SASL_CB_USER;
136 callbacks[0].proc = gensec_sasl_get_user;
137 callbacks[0].context = gensec_security;
139 callbacks[1].id = SASL_CB_AUTHNAME;
140 callbacks[1].proc = gensec_sasl_get_user;
141 callbacks[1].context = gensec_security;
143 callbacks[2].id = SASL_CB_GETREALM;
144 callbacks[2].proc = gensec_sasl_get_realm;
145 callbacks[2].context = gensec_security;
147 callbacks[3].id = SASL_CB_PASS;
148 callbacks[3].proc = gensec_sasl_get_password;
149 callbacks[3].context = gensec_security;
151 callbacks[4].id = SASL_CB_LIST_END;
152 callbacks[4].proc = NULL;
153 callbacks[4].context = NULL;
155 gensec_security->private_data = gensec_sasl_state;
157 if (local_socket_addr) {
158 local_addr = talloc_asprintf(gensec_sasl_state,
160 local_socket_addr->addr,
161 local_socket_addr->port);
164 if (remote_socket_addr) {
165 remote_addr = talloc_asprintf(gensec_sasl_state,
167 remote_socket_addr->addr,
168 remote_socket_addr->port);
170 gensec_sasl_state->step = 0;
172 sasl_ret = sasl_client_new(service,
174 local_addr, remote_addr, callbacks, 0,
175 &gensec_sasl_state->conn);
177 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
178 sasl_security_properties_t props;
179 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
182 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
185 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
189 props.max_ssf = UINT_MAX;
190 props.maxbufsize = 65536;
191 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
192 if (sasl_ret != SASL_OK) {
193 return sasl_nt_status(sasl_ret);
197 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
199 return sasl_nt_status(sasl_ret);
202 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
203 TALLOC_CTX *out_mem_ctx,
204 const DATA_BLOB in, DATA_BLOB *out)
206 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
207 struct gensec_sasl_state);
209 const char *out_data;
210 unsigned int out_len;
212 if (gensec_sasl_state->step == 0) {
214 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
215 NULL, &out_data, &out_len, &mech);
217 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
218 in.data, in.length, NULL, &out_data, &out_len);
220 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
221 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
223 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
224 sasl_errdetail(gensec_sasl_state->conn)));
226 gensec_sasl_state->step++;
227 return sasl_nt_status(sasl_ret);
230 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
231 TALLOC_CTX *out_mem_ctx,
234 size_t *len_processed)
236 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
237 struct gensec_sasl_state);
238 const char *out_data;
239 unsigned int out_len;
241 int sasl_ret = sasl_decode(gensec_sasl_state->conn,
242 in->data, in->length, &out_data, &out_len);
243 if (sasl_ret == SASL_OK) {
244 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
245 *len_processed = in->length;
247 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
249 return sasl_nt_status(sasl_ret);
252 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
253 TALLOC_CTX *out_mem_ctx,
256 size_t *len_processed)
258 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
259 struct gensec_sasl_state);
260 const char *out_data;
261 unsigned int out_len;
263 int sasl_ret = sasl_encode(gensec_sasl_state->conn,
264 in->data, in->length, &out_data, &out_len);
265 if (sasl_ret == SASL_OK) {
266 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
267 *len_processed = in->length;
269 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
271 return sasl_nt_status(sasl_ret);
274 /* Try to figure out what features we actually got on the connection */
275 static BOOL gensec_sasl_have_feature(struct gensec_security *gensec_security,
278 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
279 struct gensec_sasl_state);
281 int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF, &ssf);
282 if (sasl_ret != SASL_OK) {
285 if (feature & GENSEC_FEATURE_SIGN) {
293 if (feature & GENSEC_FEATURE_SEAL) {
304 /* This could in theory work with any SASL mech */
305 static const struct gensec_security_ops gensec_sasl_security_ops = {
306 .name = "sasl-DIGEST-MD5",
307 .sasl_name = "DIGEST-MD5",
308 .client_start = gensec_sasl_client_start,
309 .update = gensec_sasl_update,
310 .wrap_packets = gensec_sasl_wrap_packets,
311 .unwrap_packets = gensec_sasl_unwrap_packets,
312 .have_feature = gensec_sasl_have_feature,
314 .priority = GENSEC_SASL
317 int gensec_sasl_log(void *context,
322 switch (sasl_log_level) {
353 DEBUG(debug_level, ("gensec_sasl: %s\n", message));
358 NTSTATUS gensec_sasl_init(void)
362 const char **sasl_mechs;
364 static const sasl_callback_t callbacks[] = {
367 .proc = gensec_sasl_log,
371 .id = SASL_CB_LIST_END,
372 .proc = gensec_sasl_log,
376 sasl_ret = sasl_client_init(callbacks);
378 if (sasl_ret == SASL_NOMECH) {
379 /* Nothing to do here */
383 if (sasl_ret != SASL_OK) {
384 return sasl_nt_status(sasl_ret);
387 /* For now, we just register DIGEST-MD5 */
389 ret = gensec_register(&gensec_sasl_security_ops);
390 if (!NT_STATUS_IS_OK(ret)) {
391 DEBUG(0,("Failed to register '%s' gensec backend!\n",
392 gensec_sasl_security_ops.name));
396 sasl_mechs = sasl_global_listmech();
397 for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
398 const struct gensec_security_ops *oldmech;
399 struct gensec_security_ops *newmech;
400 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
404 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
406 return NT_STATUS_NO_MEMORY;
408 *newmech = gensec_sasl_security_ops;
409 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
410 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
411 if (!newmech->sasl_name || !newmech->name) {
412 return NT_STATUS_NO_MEMORY;
415 ret = gensec_register(newmech);
416 if (!NT_STATUS_IS_OK(ret)) {
417 DEBUG(0,("Failed to register '%s' gensec backend!\n",
418 gensec_sasl_security_ops.name));