git.samba.org / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
r23792: convert Samba4 to GPLv3
[samba.git] / source4 / auth / gensec / cyrus_sasl.c
1 /* 
2    Unix SMB/CIFS implementation.
3  
4    Connect GENSEC to an external SASL lib
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "auth/auth.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "lib/socket/socket.h"
27 #include <sasl/sasl.h>
28
29 struct gensec_sasl_state {
30         sasl_conn_t *conn;
31         int step;
32 };
33
34 static NTSTATUS sasl_nt_status(int sasl_ret) 
35 {
36         switch (sasl_ret) {
37         case SASL_CONTINUE:
38                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
39         case SASL_NOMEM:
40                 return NT_STATUS_NO_MEMORY;
41         case SASL_BADPARAM:
42         case SASL_NOMECH:
43                 return NT_STATUS_INVALID_PARAMETER;
44         case SASL_BADMAC:
45                 return NT_STATUS_ACCESS_DENIED;
46         case SASL_OK:
47                 return NT_STATUS_OK;
48         default:
49                 return NT_STATUS_UNSUCCESSFUL;
50         }
51 }
52
53 static int gensec_sasl_get_user(void *context, int id,
54                                 const char **result, unsigned *len)
55 {
56         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
57         const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
58         if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
59                 return SASL_FAIL;
60         }
61         
62         *result = username;
63         return SASL_OK;
64 }
65
66 static int gensec_sasl_get_realm(void *context, int id,
67                                  const char **availrealms,
68                                  const char **result)
69 {
70         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
71         const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
72         int i;
73         if (id != SASL_CB_GETREALM) {
74                 return SASL_FAIL;
75         }
76
77         for (i=0; availrealms && availrealms[i]; i++) {
78                 if (strcasecmp_m(realm, availrealms[i]) == 0) {
79                         result[i] = availrealms[i];
80                         return SASL_OK;
81                 }
82         }
83         /* None of the realms match, so lets not specify one */
84         *result = "";
85         return SASL_OK;
86 }
87
88 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
89                              sasl_secret_t **psecret)
90 {
91         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
92         const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
93         
94         sasl_secret_t *secret;
95         if (!password) {
96                 *psecret = NULL;
97                 return SASL_OK;
98         }
99         secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
100         if (!secret) {
101                 return SASL_NOMEM;
102         }
103         secret->len = strlen(password);
104         safe_strcpy(secret->data, password, secret->len+1);
105         *psecret = secret;
106         return SASL_OK;
107 }
108
109 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
110 {
111         sasl_dispose(&gensec_sasl_state->conn);
112         return 0;
113 }
114
115 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
116 {
117         struct gensec_sasl_state *gensec_sasl_state;
118         const char *service = gensec_get_target_service(gensec_security);
119         const char *target_name = gensec_get_target_hostname(gensec_security);
120         struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
121         struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
122         char *local_addr = NULL;
123         char *remote_addr = NULL;
124         int sasl_ret;
125
126         sasl_callback_t *callbacks;
127
128         gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
129         if (!gensec_sasl_state) {
130                 return NT_STATUS_NO_MEMORY;
131         }
132
133         callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
134         callbacks[0].id = SASL_CB_USER;
135         callbacks[0].proc = gensec_sasl_get_user;
136         callbacks[0].context = gensec_security;
137
138         callbacks[1].id =  SASL_CB_AUTHNAME;
139         callbacks[1].proc = gensec_sasl_get_user;
140         callbacks[1].context = gensec_security;
141
142         callbacks[2].id = SASL_CB_GETREALM;
143         callbacks[2].proc = gensec_sasl_get_realm;
144         callbacks[2].context = gensec_security;
145
146         callbacks[3].id = SASL_CB_PASS;
147         callbacks[3].proc = gensec_sasl_get_password;
148         callbacks[3].context = gensec_security;
149
150         callbacks[4].id = SASL_CB_LIST_END;
151         callbacks[4].proc = NULL;
152         callbacks[4].context = NULL;
153
154         gensec_security->private_data = gensec_sasl_state;
155
156         if (local_socket_addr) {
157                 local_addr = talloc_asprintf(gensec_sasl_state, 
158                                              "%s;%d",
159                                              local_socket_addr->addr, 
160                                              local_socket_addr->port);
161         }
162
163         if (remote_socket_addr) {
164                 remote_addr = talloc_asprintf(gensec_sasl_state, 
165                                              "%s;%d",
166                                              remote_socket_addr->addr, 
167                                              remote_socket_addr->port);
168         }
169         gensec_sasl_state->step = 0;
170
171         sasl_ret = sasl_client_new(service,
172                                    target_name,
173                                    local_addr, remote_addr, callbacks, 0,
174                                    &gensec_sasl_state->conn);
175         
176         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
177                 sasl_security_properties_t props;
178                 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
179
180                 ZERO_STRUCT(props);
181                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
182                         props.min_ssf = 1;
183                 }
184                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
185                         props.min_ssf = 40;
186                 }
187                 
188                 props.max_ssf = UINT_MAX;
189                 props.maxbufsize = 65536;
190                 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
191                 if (sasl_ret != SASL_OK) {
192                         return sasl_nt_status(sasl_ret);
193                 }
194
195         } else {
196                 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
197         }
198         return sasl_nt_status(sasl_ret);
199 }
200
201 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, 
202                                    TALLOC_CTX *out_mem_ctx, 
203                                    const DATA_BLOB in, DATA_BLOB *out) 
204 {
205         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
206                                                                       struct gensec_sasl_state);
207         int sasl_ret;
208         const char *out_data;
209         unsigned int out_len;
210
211         if (gensec_sasl_state->step == 0) {
212                 const char *mech;
213                 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name, 
214                                              NULL, &out_data, &out_len, &mech);
215         } else {
216                 sasl_ret = sasl_client_step(gensec_sasl_state->conn, 
217                                             in.data, in.length, NULL, &out_data, &out_len);
218         }
219         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
220                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
221         } else {
222                 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step, 
223                           sasl_errdetail(gensec_sasl_state->conn)));
224         }
225         gensec_sasl_state->step++;
226         return sasl_nt_status(sasl_ret);
227 }
228
229 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security, 
230                                         TALLOC_CTX *out_mem_ctx, 
231                                         const DATA_BLOB *in, 
232                                         DATA_BLOB *out,
233                                         size_t *len_processed) 
234 {
235         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
236                                                                       struct gensec_sasl_state);
237         const char *out_data;
238         unsigned int out_len;
239
240         int sasl_ret = sasl_decode(gensec_sasl_state->conn, 
241                                    in->data, in->length, &out_data, &out_len);
242         if (sasl_ret == SASL_OK) {
243                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
244                 *len_processed = in->length;
245         } else {
246                 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
247         }
248         return sasl_nt_status(sasl_ret);
249
250 }
251 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security, 
252                                         TALLOC_CTX *out_mem_ctx, 
253                                         const DATA_BLOB *in, 
254                                         DATA_BLOB *out,
255                                         size_t *len_processed) 
256 {
257         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
258                                                                       struct gensec_sasl_state);
259         const char *out_data;
260         unsigned int out_len;
261
262         int sasl_ret = sasl_encode(gensec_sasl_state->conn, 
263                                    in->data, in->length, &out_data, &out_len);
264         if (sasl_ret == SASL_OK) {
265                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
266                 *len_processed = in->length;
267         } else {
268                 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
269         }
270         return sasl_nt_status(sasl_ret);
271 }
272
273 /* Try to figure out what features we actually got on the connection */
274 static BOOL gensec_sasl_have_feature(struct gensec_security *gensec_security, 
275                                      uint32_t feature) 
276 {
277         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
278                                                                       struct gensec_sasl_state);
279         sasl_ssf_t ssf;
280         int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF, &ssf);
281         if (sasl_ret != SASL_OK) {
282                 return False;
283         }
284         if (feature & GENSEC_FEATURE_SIGN) {
285                 if (ssf == 0) {
286                         return False;
287                 }
288                 if (ssf >= 1) {
289                         return True;
290                 }
291         }
292         if (feature & GENSEC_FEATURE_SEAL) {
293                 if (ssf <= 1) {
294                         return False;
295                 }
296                 if (ssf > 1) {
297                         return True;
298                 }
299         }
300         return False;
301 }
302
303 /* This could in theory work with any SASL mech */
304 static const struct gensec_security_ops gensec_sasl_security_ops = {
305         .name             = "sasl-DIGEST-MD5",
306         .sasl_name        = "DIGEST-MD5",
307         .client_start     = gensec_sasl_client_start,
308         .update           = gensec_sasl_update,
309         .wrap_packets     = gensec_sasl_wrap_packets,
310         .unwrap_packets   = gensec_sasl_unwrap_packets,
311         .have_feature     = gensec_sasl_have_feature,
312         .enabled          = True,
313         .priority         = GENSEC_SASL
314 };
315
316 int gensec_sasl_log(void *context, 
317                     int sasl_log_level,
318                     const char *message) 
319 {
320         int debug_level;
321         switch (sasl_log_level) {
322         case SASL_LOG_NONE:
323                 debug_level = 0;
324                 break;
325         case SASL_LOG_ERR:
326                 debug_level = 1;
327                 break;
328         case SASL_LOG_FAIL:
329                 debug_level = 2;
330                 break;
331         case SASL_LOG_WARN:
332                 debug_level = 3;
333                 break;
334         case SASL_LOG_NOTE:
335                 debug_level = 5;
336                 break;
337         case SASL_LOG_DEBUG:
338                 debug_level = 10;
339                 break;
340         case SASL_LOG_TRACE:
341                 debug_level = 11;
342                 break;
343 #if DEBUG_PASSWORD
344         case SASL_LOG_PASS:
345                 debug_level = 100;
346                 break;
347 #endif
348         default:
349                 debug_level = 0;
350                 break;
351         }
352         DEBUG(debug_level, ("gensec_sasl: %s\n", message));
353
354         return SASL_OK;
355 }
356
357 NTSTATUS gensec_sasl_init(void)
358 {
359         NTSTATUS ret;
360         int sasl_ret, i;
361         const char **sasl_mechs;
362         
363         static const sasl_callback_t callbacks[] = {
364                 { 
365                         .id = SASL_CB_LOG,
366                         .proc = gensec_sasl_log,
367                         .context = NULL,
368                 },
369                 {
370                         .id = SASL_CB_LIST_END,
371                         .proc = gensec_sasl_log,
372                         .context = NULL,
373                 }
374         };
375         sasl_ret = sasl_client_init(callbacks);
376         
377         if (sasl_ret == SASL_NOMECH) {
378                 /* Nothing to do here */
379                 return NT_STATUS_OK;
380         }
381
382         if (sasl_ret != SASL_OK) {
383                 return sasl_nt_status(sasl_ret);
384         }
385
386         /* For now, we just register DIGEST-MD5 */
387 #if 1
388         ret = gensec_register(&gensec_sasl_security_ops);
389         if (!NT_STATUS_IS_OK(ret)) {
390                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
391                          gensec_sasl_security_ops.name));
392                 return ret;
393         }
394 #else
395         sasl_mechs = sasl_global_listmech();
396         for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
397                 const struct gensec_security_ops *oldmech;
398                 struct gensec_security_ops *newmech;
399                 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
400                 if (oldmech) {
401                         continue;
402                 }
403                 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
404                 if (!newmech) {
405                         return NT_STATUS_NO_MEMORY;
406                 }
407                 *newmech = gensec_sasl_security_ops;
408                 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
409                 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
410                 if (!newmech->sasl_name || !newmech->name) {
411                         return NT_STATUS_NO_MEMORY;
412                 }
413
414                 ret = gensec_register(newmech);
415                 if (!NT_STATUS_IS_OK(ret)) {
416                         DEBUG(0,("Failed to register '%s' gensec backend!\n",
417                                  gensec_sasl_security_ops.name));
418                         return ret;
419                 }
420         }
421 #endif
422         return NT_STATUS_OK;
423 }
Samba Shared Repository