source: trunk/server/source4/auth/gensec/cyrus_sasl.c

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.0
File size: 12.5 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 Connect GENSEC to an external SASL lib
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20*/
21
22#include "includes.h"
23#include "lib/tsocket/tsocket.h"
24#include "auth/credentials/credentials.h"
25#include "auth/gensec/gensec.h"
26#include "auth/gensec/gensec_proto.h"
27#include <sasl/sasl.h>
28
29struct gensec_sasl_state {
30 sasl_conn_t *conn;
31 int step;
32 bool wrap;
33};
34
35static NTSTATUS sasl_nt_status(int sasl_ret)
36{
37 switch (sasl_ret) {
38 case SASL_CONTINUE:
39 return NT_STATUS_MORE_PROCESSING_REQUIRED;
40 case SASL_NOMEM:
41 return NT_STATUS_NO_MEMORY;
42 case SASL_BADPARAM:
43 case SASL_NOMECH:
44 return NT_STATUS_INVALID_PARAMETER;
45 case SASL_BADMAC:
46 return NT_STATUS_ACCESS_DENIED;
47 case SASL_OK:
48 return NT_STATUS_OK;
49 default:
50 return NT_STATUS_UNSUCCESSFUL;
51 }
52}
53
54static int gensec_sasl_get_user(void *context, int id,
55 const char **result, unsigned *len)
56{
57 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
58 const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
59 if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
60 return SASL_FAIL;
61 }
62
63 *result = username;
64 return SASL_OK;
65}
66
67static int gensec_sasl_get_realm(void *context, int id,
68 const char **availrealms,
69 const char **result)
70{
71 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
72 const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
73 int i;
74 if (id != SASL_CB_GETREALM) {
75 return SASL_FAIL;
76 }
77
78 for (i=0; availrealms && availrealms[i]; i++) {
79 if (strcasecmp_m(realm, availrealms[i]) == 0) {
80 result[i] = availrealms[i];
81 return SASL_OK;
82 }
83 }
84 /* None of the realms match, so lets not specify one */
85 *result = "";
86 return SASL_OK;
87}
88
89static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
90 sasl_secret_t **psecret)
91{
92 struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
93 const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
94
95 sasl_secret_t *secret;
96 if (!password) {
97 *psecret = NULL;
98 return SASL_OK;
99 }
100 secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
101 if (!secret) {
102 return SASL_NOMEM;
103 }
104 secret->len = strlen(password);
105 safe_strcpy((char*)secret->data, password, secret->len+1);
106 *psecret = secret;
107 return SASL_OK;
108}
109
110static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
111{
112 sasl_dispose(&gensec_sasl_state->conn);
113 return SASL_OK;
114}
115
116static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
117{
118 struct gensec_sasl_state *gensec_sasl_state;
119 const char *service = gensec_get_target_service(gensec_security);
120 const char *target_name = gensec_get_target_hostname(gensec_security);
121 const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
122 const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
123 char *local_addr = NULL;
124 char *remote_addr = NULL;
125 int sasl_ret;
126
127 sasl_callback_t *callbacks;
128
129 gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
130 if (!gensec_sasl_state) {
131 return NT_STATUS_NO_MEMORY;
132 }
133
134 callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
135 callbacks[0].id = SASL_CB_USER;
136 callbacks[0].proc = gensec_sasl_get_user;
137 callbacks[0].context = gensec_security;
138
139 callbacks[1].id = SASL_CB_AUTHNAME;
140 callbacks[1].proc = gensec_sasl_get_user;
141 callbacks[1].context = gensec_security;
142
143 callbacks[2].id = SASL_CB_GETREALM;
144 callbacks[2].proc = gensec_sasl_get_realm;
145 callbacks[2].context = gensec_security;
146
147 callbacks[3].id = SASL_CB_PASS;
148 callbacks[3].proc = gensec_sasl_get_password;
149 callbacks[3].context = gensec_security;
150
151 callbacks[4].id = SASL_CB_LIST_END;
152 callbacks[4].proc = NULL;
153 callbacks[4].context = NULL;
154
155 gensec_security->private_data = gensec_sasl_state;
156
157 if (tlocal_addr) {
158 local_addr = talloc_asprintf(gensec_sasl_state,
159 "%s;%d",
160 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
161 tsocket_address_inet_port(tlocal_addr));
162 }
163
164 if (tremote_addr) {
165 remote_addr = talloc_asprintf(gensec_sasl_state,
166 "%s;%d",
167 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
168 tsocket_address_inet_port(tremote_addr));
169 }
170 gensec_sasl_state->step = 0;
171
172 sasl_ret = sasl_client_new(service,
173 target_name,
174 local_addr, remote_addr, callbacks, 0,
175 &gensec_sasl_state->conn);
176
177 if (sasl_ret == SASL_OK) {
178 sasl_security_properties_t props;
179 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
180
181 ZERO_STRUCT(props);
182 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
183 props.min_ssf = 1;
184 props.max_ssf = 1;
185 props.maxbufsize = 65536;
186 gensec_sasl_state->wrap = true;
187 }
188 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
189 props.min_ssf = 40;
190 props.max_ssf = UINT_MAX;
191 props.maxbufsize = 65536;
192 gensec_sasl_state->wrap = true;
193 }
194
195 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
196 }
197 if (sasl_ret != SASL_OK) {
198 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
199 }
200 return sasl_nt_status(sasl_ret);
201}
202
203static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
204 TALLOC_CTX *out_mem_ctx,
205 const DATA_BLOB in, DATA_BLOB *out)
206{
207 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
208 struct gensec_sasl_state);
209 int sasl_ret;
210 const char *out_data;
211 unsigned int out_len;
212
213 if (gensec_sasl_state->step == 0) {
214 const char *mech;
215 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
216 NULL, &out_data, &out_len, &mech);
217 } else {
218 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
219 (char*)in.data, in.length, NULL,
220 &out_data, &out_len);
221 }
222 if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
223 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
224 } else {
225 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
226 sasl_errdetail(gensec_sasl_state->conn)));
227 }
228 gensec_sasl_state->step++;
229 return sasl_nt_status(sasl_ret);
230}
231
232static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
233 TALLOC_CTX *out_mem_ctx,
234 const DATA_BLOB *in,
235 DATA_BLOB *out,
236 size_t *len_processed)
237{
238 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
239 struct gensec_sasl_state);
240 const char *out_data;
241 unsigned int out_len;
242
243 int sasl_ret = sasl_decode(gensec_sasl_state->conn,
244 (char*)in->data, in->length, &out_data,
245 &out_len);
246 if (sasl_ret == SASL_OK) {
247 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
248 *len_processed = in->length;
249 } else {
250 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
251 }
252 return sasl_nt_status(sasl_ret);
253
254}
255
256static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
257 TALLOC_CTX *out_mem_ctx,
258 const DATA_BLOB *in,
259 DATA_BLOB *out,
260 size_t *len_processed)
261{
262 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
263 struct gensec_sasl_state);
264 const char *out_data;
265 unsigned int out_len;
266 unsigned len_permitted;
267 int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
268 (const void**)&len_permitted);
269 if (sasl_ret != SASL_OK) {
270 return sasl_nt_status(sasl_ret);
271 }
272 len_permitted = MIN(len_permitted, in->length);
273
274 sasl_ret = sasl_encode(gensec_sasl_state->conn,
275 (char*)in->data, len_permitted, &out_data,
276 &out_len);
277 if (sasl_ret == SASL_OK) {
278 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
279 *len_processed = in->length;
280 } else {
281 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
282 }
283 return sasl_nt_status(sasl_ret);
284}
285
286/* Try to figure out what features we actually got on the connection */
287static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
288 uint32_t feature)
289{
290 struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
291 struct gensec_sasl_state);
292 sasl_ssf_t ssf;
293 int sasl_ret;
294
295 /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
296 if (!gensec_sasl_state->wrap) {
297 return false;
298 }
299
300 sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
301 (const void**)&ssf);
302 if (sasl_ret != SASL_OK) {
303 return false;
304 }
305 if (feature & GENSEC_FEATURE_SIGN) {
306 if (ssf == 0) {
307 return false;
308 }
309 if (ssf >= 1) {
310 return true;
311 }
312 }
313 if (feature & GENSEC_FEATURE_SEAL) {
314 if (ssf <= 1) {
315 return false;
316 }
317 if (ssf > 1) {
318 return true;
319 }
320 }
321 return false;
322}
323
324/* This could in theory work with any SASL mech */
325static const struct gensec_security_ops gensec_sasl_security_ops = {
326 .name = "sasl-DIGEST-MD5",
327 .sasl_name = "DIGEST-MD5",
328 .client_start = gensec_sasl_client_start,
329 .update = gensec_sasl_update,
330 .wrap_packets = gensec_sasl_wrap_packets,
331 .unwrap_packets = gensec_sasl_unwrap_packets,
332 .have_feature = gensec_sasl_have_feature,
333 .enabled = true,
334 .priority = GENSEC_SASL
335};
336
337static int gensec_sasl_log(void *context,
338 int sasl_log_level,
339 const char *message)
340{
341 int dl;
342 switch (sasl_log_level) {
343 case SASL_LOG_NONE:
344 dl = 0;
345 break;
346 case SASL_LOG_ERR:
347 dl = 1;
348 break;
349 case SASL_LOG_FAIL:
350 dl = 2;
351 break;
352 case SASL_LOG_WARN:
353 dl = 3;
354 break;
355 case SASL_LOG_NOTE:
356 dl = 5;
357 break;
358 case SASL_LOG_DEBUG:
359 dl = 10;
360 break;
361 case SASL_LOG_TRACE:
362 dl = 11;
363 break;
364#if DEBUG_PASSWORD
365 case SASL_LOG_PASS:
366 dl = 100;
367 break;
368#endif
369 default:
370 dl = 0;
371 break;
372 }
373 DEBUG(dl, ("gensec_sasl: %s\n", message));
374
375 return SASL_OK;
376}
377
378NTSTATUS gensec_sasl_init(void)
379{
380 NTSTATUS ret;
381 int sasl_ret;
382#if 0
383 int i;
384 const char **sasl_mechs;
385#endif
386
387 static const sasl_callback_t callbacks[] = {
388 {
389 .id = SASL_CB_LOG,
390 .proc = gensec_sasl_log,
391 .context = NULL,
392 },
393 {
394 .id = SASL_CB_LIST_END,
395 .proc = gensec_sasl_log,
396 .context = NULL,
397 }
398 };
399 sasl_ret = sasl_client_init(callbacks);
400
401 if (sasl_ret == SASL_NOMECH) {
402 /* Nothing to do here */
403 return NT_STATUS_OK;
404 }
405
406 if (sasl_ret != SASL_OK) {
407 return sasl_nt_status(sasl_ret);
408 }
409
410 /* For now, we just register DIGEST-MD5 */
411#if 1
412 ret = gensec_register(&gensec_sasl_security_ops);
413 if (!NT_STATUS_IS_OK(ret)) {
414 DEBUG(0,("Failed to register '%s' gensec backend!\n",
415 gensec_sasl_security_ops.name));
416 return ret;
417 }
418#else
419 sasl_mechs = sasl_global_listmech();
420 for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
421 const struct gensec_security_ops *oldmech;
422 struct gensec_security_ops *newmech;
423 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
424 if (oldmech) {
425 continue;
426 }
427 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
428 if (!newmech) {
429 return NT_STATUS_NO_MEMORY;
430 }
431 *newmech = gensec_sasl_security_ops;
432 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
433 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
434 if (!newmech->sasl_name || !newmech->name) {
435 return NT_STATUS_NO_MEMORY;
436 }
437
438 ret = gensec_register(newmech);
439 if (!NT_STATUS_IS_OK(ret)) {
440 DEBUG(0,("Failed to register '%s' gensec backend!\n",
441 gensec_sasl_security_ops.name));
442 return ret;
443 }
444 }
445#endif
446 return NT_STATUS_OK;
447}
Note: See TracBrowser for help on using the repository browser.