source4/auth/gensec/cyrus_sasl.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Connect GENSEC to an external SASL lib
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "lib/tsocket/tsocket.h"
  24 #include "auth/credentials/credentials.h"
  25 #include "auth/gensec/gensec.h"
  26 #include "auth/gensec/gensec_internal.h"
  27 #include "auth/gensec/gensec_proto.h"
  28 #include "auth/gensec/gensec_toplevel_proto.h"
  29 #include <sasl/sasl.h>
  30
  31 NTSTATUS gensec_sasl_init(void);
  32
  33 struct gensec_sasl_state {
  34         sasl_conn_t *conn;
  35         int step;
  36         bool wrap;
  37 };
  38
  39 static NTSTATUS sasl_nt_status(int sasl_ret)
  40 {
  41         switch (sasl_ret) {
  42         case SASL_CONTINUE:
  43                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
  44         case SASL_NOMEM:
  45                 return NT_STATUS_NO_MEMORY;
  46         case SASL_BADPARAM:
  47         case SASL_NOMECH:
  48                 return NT_STATUS_INVALID_PARAMETER;
  49         case SASL_BADMAC:
  50                 return NT_STATUS_ACCESS_DENIED;
  51         case SASL_OK:
  52                 return NT_STATUS_OK;
  53         default:
  54                 return NT_STATUS_UNSUCCESSFUL;
  55         }
  56 }
  57
  58 static int gensec_sasl_get_user(void *context, int id,
  59                                 const char **result, unsigned *len)
  60 {
  61         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  62         const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
  63         if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
  64                 return SASL_FAIL;
  65         }
  66
  67         *result = username;
  68         return SASL_OK;
  69 }
  70
  71 static int gensec_sasl_get_realm(void *context, int id,
  72                                  const char **availrealms,
  73                                  const char **result)
  74 {
  75         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  76         const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
  77         int i;
  78         if (id != SASL_CB_GETREALM) {
  79                 return SASL_FAIL;
  80         }
  81
  82         for (i=0; availrealms && availrealms[i]; i++) {
  83                 if (strcasecmp_m(realm, availrealms[i]) == 0) {
  84                         result[i] = availrealms[i];
  85                         return SASL_OK;
  86                 }
  87         }
  88         /* None of the realms match, so lets not specify one */
  89         *result = "";
  90         return SASL_OK;
  91 }
  92
  93 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
  94                              sasl_secret_t **psecret)
  95 {
  96         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  97         const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
  98
  99         sasl_secret_t *secret;
 100         if (!password) {
 101                 *psecret = NULL;
 102                 return SASL_OK;
 103         }
 104         secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
 105         if (!secret) {
 106                 return SASL_NOMEM;
 107         }
 108         secret->len = strlen(password);
 109         strlcpy((char*)secret->data, password, secret->len+1);
 110         *psecret = secret;
 111         return SASL_OK;
 112 }
 113
 114 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
 115 {
 116         sasl_dispose(&gensec_sasl_state->conn);
 117         return SASL_OK;
 118 }
 119
 120 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
 121 {
 122         struct gensec_sasl_state *gensec_sasl_state;
 123         const char *service = gensec_get_target_service(gensec_security);
 124         const char *target_name = gensec_get_target_hostname(gensec_security);
 125         const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
 126         const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
 127         char *local_addr = NULL;
 128         char *remote_addr = NULL;
 129         int sasl_ret;
 130
 131         sasl_callback_t *callbacks;
 132
 133         gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
 134         if (!gensec_sasl_state) {
 135                 return NT_STATUS_NO_MEMORY;
 136         }
 137
 138         callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
 139         callbacks[0].id = SASL_CB_USER;
 140         callbacks[0].proc = gensec_sasl_get_user;
 141         callbacks[0].context = gensec_security;
 142
 143         callbacks[1].id =  SASL_CB_AUTHNAME;
 144         callbacks[1].proc = gensec_sasl_get_user;
 145         callbacks[1].context = gensec_security;
 146
 147         callbacks[2].id = SASL_CB_GETREALM;
 148         callbacks[2].proc = gensec_sasl_get_realm;
 149         callbacks[2].context = gensec_security;
 150
 151         callbacks[3].id = SASL_CB_PASS;
 152         callbacks[3].proc = gensec_sasl_get_password;
 153         callbacks[3].context = gensec_security;
 154
 155         callbacks[4].id = SASL_CB_LIST_END;
 156         callbacks[4].proc = NULL;
 157         callbacks[4].context = NULL;
 158
 159         gensec_security->private_data = gensec_sasl_state;
 160
 161         if (tlocal_addr) {
 162                 local_addr = talloc_asprintf(gensec_sasl_state,
 163                                 "%s;%d",
 164                                 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
 165                                 tsocket_address_inet_port(tlocal_addr));
 166         }
 167
 168         if (tremote_addr) {
 169                 remote_addr = talloc_asprintf(gensec_sasl_state,
 170                                 "%s;%d",
 171                                 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
 172                                 tsocket_address_inet_port(tremote_addr));
 173         }
 174         gensec_sasl_state->step = 0;
 175
 176         sasl_ret = sasl_client_new(service,
 177                                    target_name,
 178                                    local_addr, remote_addr, callbacks, 0,
 179                                    &gensec_sasl_state->conn);
 180
 181         if (sasl_ret == SASL_OK) {
 182                 sasl_security_properties_t props;
 183                 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
 184
 185                 ZERO_STRUCT(props);
 186                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 187                         props.min_ssf = 1;
 188                         props.max_ssf = 1;
 189                         props.maxbufsize = 65536;
 190                         gensec_sasl_state->wrap = true;
 191                 }
 192                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 193                         props.min_ssf = 40;
 194                         props.max_ssf = UINT_MAX;
 195                         props.maxbufsize = 65536;
 196                         gensec_sasl_state->wrap = true;
 197                 }
 198
 199                 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
 200         }
 201         if (sasl_ret != SASL_OK) {
 202                 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 203         }
 204         return sasl_nt_status(sasl_ret);
 205 }
 206
 207 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
 208                                    TALLOC_CTX *out_mem_ctx,
 209                                    struct tevent_context *ev,
 210                                    const DATA_BLOB in, DATA_BLOB *out)
 211 {
 212         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 213                                                                       struct gensec_sasl_state);
 214         int sasl_ret;
 215         const char *out_data;
 216         unsigned int out_len;
 217
 218         if (gensec_sasl_state->step == 0) {
 219                 const char *mech;
 220                 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
 221                                              NULL, &out_data, &out_len, &mech);
 222         } else {
 223                 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
 224                                             (char*)in.data, in.length, NULL,
 225                                             &out_data, &out_len);
 226         }
 227         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
 228                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 229         } else {
 230                 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
 231                           sasl_errdetail(gensec_sasl_state->conn)));
 232         }
 233         gensec_sasl_state->step++;
 234         return sasl_nt_status(sasl_ret);
 235 }
 236
 237 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
 238                                         TALLOC_CTX *out_mem_ctx,
 239                                         const DATA_BLOB *in,
 240                                         DATA_BLOB *out,
 241                                         size_t *len_processed)
 242 {
 243         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 244                                                                       struct gensec_sasl_state);
 245         const char *out_data;
 246         unsigned int out_len;
 247
 248         int sasl_ret = sasl_decode(gensec_sasl_state->conn,
 249                                    (char*)in->data, in->length, &out_data,
 250                                    &out_len);
 251         if (sasl_ret == SASL_OK) {
 252                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 253                 *len_processed = in->length;
 254         } else {
 255                 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 256         }
 257         return sasl_nt_status(sasl_ret);
 258
 259 }
 260
 261 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
 262                                         TALLOC_CTX *out_mem_ctx,
 263                                         const DATA_BLOB *in,
 264                                         DATA_BLOB *out,
 265                                         size_t *len_processed)
 266 {
 267         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 268                                                                       struct gensec_sasl_state);
 269         const char *out_data;
 270         unsigned int out_len;
 271         unsigned len_permitted;
 272         int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
 273                         (const void**)&len_permitted);
 274         if (sasl_ret != SASL_OK) {
 275                 return sasl_nt_status(sasl_ret);
 276         }
 277         len_permitted = MIN(len_permitted, in->length);
 278
 279         sasl_ret = sasl_encode(gensec_sasl_state->conn,
 280                                (char*)in->data, len_permitted, &out_data,
 281                                &out_len);
 282         if (sasl_ret == SASL_OK) {
 283                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 284                 *len_processed = in->length;
 285         } else {
 286                 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 287         }
 288         return sasl_nt_status(sasl_ret);
 289 }
 290
 291 /* Try to figure out what features we actually got on the connection */
 292 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
 293                                      uint32_t feature)
 294 {
 295         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 296                                                                       struct gensec_sasl_state);
 297         sasl_ssf_t ssf;
 298         int sasl_ret;
 299
 300         /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
 301         if (!gensec_sasl_state->wrap) {
 302                 return false;
 303         }
 304
 305         sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
 306                         (const void**)&ssf);
 307         if (sasl_ret != SASL_OK) {
 308                 return false;
 309         }
 310         if (feature & GENSEC_FEATURE_SIGN) {
 311                 if (ssf == 0) {
 312                         return false;
 313                 }
 314                 if (ssf >= 1) {
 315                         return true;
 316                 }
 317         }
 318         if (feature & GENSEC_FEATURE_SEAL) {
 319                 if (ssf <= 1) {
 320                         return false;
 321                 }
 322                 if (ssf > 1) {
 323                         return true;
 324                 }
 325         }
 326         return false;
 327 }
 328
 329 /* This could in theory work with any SASL mech */
 330 static const struct gensec_security_ops gensec_sasl_security_ops = {
 331         .name             = "sasl-DIGEST-MD5",
 332         .sasl_name        = "DIGEST-MD5",
 333         .client_start     = gensec_sasl_client_start,
 334         .update           = gensec_sasl_update,
 335         .wrap_packets     = gensec_sasl_wrap_packets,
 336         .unwrap_packets   = gensec_sasl_unwrap_packets,
 337         .have_feature     = gensec_sasl_have_feature,
 338         .enabled          = true,
 339         .priority         = GENSEC_SASL
 340 };
 341
 342 static int gensec_sasl_log(void *context,
 343                     int sasl_log_level,
 344                     const char *message)
 345 {
 346         int dl;
 347         switch (sasl_log_level) {
 348         case SASL_LOG_NONE:
 349                 dl = 0;
 350                 break;
 351         case SASL_LOG_ERR:
 352                 dl = 1;
 353                 break;
 354         case SASL_LOG_FAIL:
 355                 dl = 2;
 356                 break;
 357         case SASL_LOG_WARN:
 358                 dl = 3;
 359                 break;
 360         case SASL_LOG_NOTE:
 361                 dl = 5;
 362                 break;
 363         case SASL_LOG_DEBUG:
 364                 dl = 10;
 365                 break;
 366         case SASL_LOG_TRACE:
 367                 dl = 11;
 368                 break;
 369 #if DEBUG_PASSWORD
 370         case SASL_LOG_PASS:
 371                 dl = 100;
 372                 break;
 373 #endif
 374         default:
 375                 dl = 0;
 376                 break;
 377         }
 378         DEBUG(dl, ("gensec_sasl: %s\n", message));
 379
 380         return SASL_OK;
 381 }
 382
 383 NTSTATUS gensec_sasl_init(void)
 384 {
 385         NTSTATUS ret;
 386         int sasl_ret;
 387 #if 0
 388         int i;
 389         const char **sasl_mechs;
 390 #endif
 391
 392         static const sasl_callback_t callbacks[] = {
 393                 {
 394                         .id = SASL_CB_LOG,
 395                         .proc = gensec_sasl_log,
 396                         .context = NULL,
 397                 },
 398                 {
 399                         .id = SASL_CB_LIST_END,
 400                         .proc = gensec_sasl_log,
 401                         .context = NULL,
 402                 }
 403         };
 404         sasl_ret = sasl_client_init(callbacks);
 405
 406         if (sasl_ret == SASL_NOMECH) {
 407                 /* Nothing to do here */
 408                 return NT_STATUS_OK;
 409         }
 410
 411         if (sasl_ret != SASL_OK) {
 412                 return sasl_nt_status(sasl_ret);
 413         }
 414
 415         /* For now, we just register DIGEST-MD5 */
 416 #if 1
 417         ret = gensec_register(&gensec_sasl_security_ops);
 418         if (!NT_STATUS_IS_OK(ret)) {
 419                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 420                          gensec_sasl_security_ops.name));
 421                 return ret;
 422         }
 423 #else
 424         sasl_mechs = sasl_global_listmech();
 425         for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
 426                 const struct gensec_security_ops *oldmech;
 427                 struct gensec_security_ops *newmech;
 428                 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
 429                 if (oldmech) {
 430                         continue;
 431                 }
 432                 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
 433                 if (!newmech) {
 434                         return NT_STATUS_NO_MEMORY;
 435                 }
 436                 *newmech = gensec_sasl_security_ops;
 437                 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
 438                 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
 439                 if (!newmech->sasl_name || !newmech->name) {
 440                         return NT_STATUS_NO_MEMORY;
 441                 }
 442
 443                 ret = gensec_register(newmech);
 444                 if (!NT_STATUS_IS_OK(ret)) {
 445                         DEBUG(0,("Failed to register '%s' gensec backend!\n",
 446                                  gensec_sasl_security_ops.name));
 447                         return ret;
 448                 }
 449         }
 450 #endif
 451         return NT_STATUS_OK;
 452 }