2 Unix SMB/CIFS implementation.
4 Connect GENSEC to an external SASL lib
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "lib/tsocket/tsocket.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_internal.h"
27 #include "auth/gensec/gensec_proto.h"
28 #include "auth/gensec/gensec_toplevel_proto.h"
29 #include <sasl/sasl.h>
31 NTSTATUS gensec_sasl_init(void);
33 struct gensec_sasl_state {
39 static NTSTATUS sasl_nt_status(int sasl_ret)
43 return NT_STATUS_MORE_PROCESSING_REQUIRED;
45 return NT_STATUS_NO_MEMORY;
48 return NT_STATUS_INVALID_PARAMETER;
50 return NT_STATUS_ACCESS_DENIED;
54 return NT_STATUS_UNSUCCESSFUL;
58 static int gensec_sasl_get_user(void *context, int id,
59 const char **result, unsigned *len)
61 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
62 const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
63 if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
71 static int gensec_sasl_get_realm(void *context, int id,
72 const char **availrealms,
75 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
76 const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
78 if (id != SASL_CB_GETREALM) {
82 for (i=0; availrealms && availrealms[i]; i++) {
83 if (strcasecmp_m(realm, availrealms[i]) == 0) {
84 result[i] = availrealms[i];
88 /* None of the realms match, so lets not specify one */
93 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
94 sasl_secret_t **psecret)
96 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
97 const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
99 sasl_secret_t *secret;
104 secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
108 secret->len = strlen(password);
109 strlcpy((char*)secret->data, password, secret->len+1);
114 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
116 sasl_dispose(&gensec_sasl_state->conn);
120 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
122 struct gensec_sasl_state *gensec_sasl_state;
123 const char *service = gensec_get_target_service(gensec_security);
124 const char *target_name = gensec_get_target_hostname(gensec_security);
125 const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
126 const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
127 char *local_addr = NULL;
128 char *remote_addr = NULL;
131 sasl_callback_t *callbacks;
133 gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
134 if (!gensec_sasl_state) {
135 return NT_STATUS_NO_MEMORY;
138 callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
139 callbacks[0].id = SASL_CB_USER;
140 callbacks[0].proc = gensec_sasl_get_user;
141 callbacks[0].context = gensec_security;
143 callbacks[1].id = SASL_CB_AUTHNAME;
144 callbacks[1].proc = gensec_sasl_get_user;
145 callbacks[1].context = gensec_security;
147 callbacks[2].id = SASL_CB_GETREALM;
148 callbacks[2].proc = gensec_sasl_get_realm;
149 callbacks[2].context = gensec_security;
151 callbacks[3].id = SASL_CB_PASS;
152 callbacks[3].proc = gensec_sasl_get_password;
153 callbacks[3].context = gensec_security;
155 callbacks[4].id = SASL_CB_LIST_END;
156 callbacks[4].proc = NULL;
157 callbacks[4].context = NULL;
159 gensec_security->private_data = gensec_sasl_state;
162 local_addr = talloc_asprintf(gensec_sasl_state,
164 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
165 tsocket_address_inet_port(tlocal_addr));
169 remote_addr = talloc_asprintf(gensec_sasl_state,
171 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
172 tsocket_address_inet_port(tremote_addr));
174 gensec_sasl_state->step = 0;
176 sasl_ret = sasl_client_new(service,
178 local_addr, remote_addr, callbacks, 0,
179 &gensec_sasl_state->conn);
181 if (sasl_ret == SASL_OK) {
182 sasl_security_properties_t props;
183 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
186 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
189 props.maxbufsize = 65536;
190 gensec_sasl_state->wrap = true;
192 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
194 props.max_ssf = UINT_MAX;
195 props.maxbufsize = 65536;
196 gensec_sasl_state->wrap = true;
199 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
201 if (sasl_ret != SASL_OK) {
202 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
204 return sasl_nt_status(sasl_ret);
207 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
208 TALLOC_CTX *out_mem_ctx,
209 struct tevent_context *ev,
210 const DATA_BLOB in, DATA_BLOB *out)
212 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
213 struct gensec_sasl_state);
215 const char *out_data;
216 unsigned int out_len;
218 if (gensec_sasl_state->step == 0) {
220 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
221 NULL, &out_data, &out_len, &mech);
223 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
224 (char*)in.data, in.length, NULL,
225 &out_data, &out_len);
227 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
228 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
230 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
231 sasl_errdetail(gensec_sasl_state->conn)));
233 gensec_sasl_state->step++;
234 return sasl_nt_status(sasl_ret);
237 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
238 TALLOC_CTX *out_mem_ctx,
241 size_t *len_processed)
243 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
244 struct gensec_sasl_state);
245 const char *out_data;
246 unsigned int out_len;
248 int sasl_ret = sasl_decode(gensec_sasl_state->conn,
249 (char*)in->data, in->length, &out_data,
251 if (sasl_ret == SASL_OK) {
252 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
253 *len_processed = in->length;
255 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
257 return sasl_nt_status(sasl_ret);
261 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
262 TALLOC_CTX *out_mem_ctx,
265 size_t *len_processed)
267 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
268 struct gensec_sasl_state);
269 const char *out_data;
270 unsigned int out_len;
271 unsigned len_permitted;
272 int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
273 (const void**)&len_permitted);
274 if (sasl_ret != SASL_OK) {
275 return sasl_nt_status(sasl_ret);
277 len_permitted = MIN(len_permitted, in->length);
279 sasl_ret = sasl_encode(gensec_sasl_state->conn,
280 (char*)in->data, len_permitted, &out_data,
282 if (sasl_ret == SASL_OK) {
283 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
284 *len_processed = in->length;
286 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
288 return sasl_nt_status(sasl_ret);
291 /* Try to figure out what features we actually got on the connection */
292 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
295 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
296 struct gensec_sasl_state);
300 /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
301 if (!gensec_sasl_state->wrap) {
305 sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
307 if (sasl_ret != SASL_OK) {
310 if (feature & GENSEC_FEATURE_SIGN) {
318 if (feature & GENSEC_FEATURE_SEAL) {
329 /* This could in theory work with any SASL mech */
330 static const struct gensec_security_ops gensec_sasl_security_ops = {
331 .name = "sasl-DIGEST-MD5",
332 .sasl_name = "DIGEST-MD5",
333 .client_start = gensec_sasl_client_start,
334 .update = gensec_sasl_update,
335 .wrap_packets = gensec_sasl_wrap_packets,
336 .unwrap_packets = gensec_sasl_unwrap_packets,
337 .have_feature = gensec_sasl_have_feature,
339 .priority = GENSEC_SASL
342 static int gensec_sasl_log(void *context,
347 switch (sasl_log_level) {
378 DEBUG(dl, ("gensec_sasl: %s\n", message));
383 NTSTATUS gensec_sasl_init(void)
389 const char **sasl_mechs;
392 static const sasl_callback_t callbacks[] = {
395 .proc = gensec_sasl_log,
399 .id = SASL_CB_LIST_END,
400 .proc = gensec_sasl_log,
404 sasl_ret = sasl_client_init(callbacks);
406 if (sasl_ret == SASL_NOMECH) {
407 /* Nothing to do here */
411 if (sasl_ret != SASL_OK) {
412 return sasl_nt_status(sasl_ret);
415 /* For now, we just register DIGEST-MD5 */
417 ret = gensec_register(&gensec_sasl_security_ops);
418 if (!NT_STATUS_IS_OK(ret)) {
419 DEBUG(0,("Failed to register '%s' gensec backend!\n",
420 gensec_sasl_security_ops.name));
424 sasl_mechs = sasl_global_listmech();
425 for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
426 const struct gensec_security_ops *oldmech;
427 struct gensec_security_ops *newmech;
428 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
432 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
434 return NT_STATUS_NO_MEMORY;
436 *newmech = gensec_sasl_security_ops;
437 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
438 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
439 if (!newmech->sasl_name || !newmech->name) {
440 return NT_STATUS_NO_MEMORY;
443 ret = gensec_register(newmech);
444 if (!NT_STATUS_IS_OK(ret)) {
445 DEBUG(0,("Failed to register '%s' gensec backend!\n",
446 gensec_sasl_security_ops.name));