s4: ran minimal_includes.pl on source4/auth/gensec
[ira/wip.git] / source4 / auth / gensec / cyrus_sasl.c
1 /* 
2    Unix SMB/CIFS implementation.
3  
4    Connect GENSEC to an external SASL lib
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "auth/credentials/credentials.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/gensec/gensec_proto.h"
26 #include "lib/socket/socket.h"
27 #include <sasl/sasl.h>
28
29 struct gensec_sasl_state {
30         sasl_conn_t *conn;
31         int step;
32 };
33
34 static NTSTATUS sasl_nt_status(int sasl_ret) 
35 {
36         switch (sasl_ret) {
37         case SASL_CONTINUE:
38                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
39         case SASL_NOMEM:
40                 return NT_STATUS_NO_MEMORY;
41         case SASL_BADPARAM:
42         case SASL_NOMECH:
43                 return NT_STATUS_INVALID_PARAMETER;
44         case SASL_BADMAC:
45                 return NT_STATUS_ACCESS_DENIED;
46         case SASL_OK:
47                 return NT_STATUS_OK;
48         default:
49                 return NT_STATUS_UNSUCCESSFUL;
50         }
51 }
52
53 static int gensec_sasl_get_user(void *context, int id,
54                                 const char **result, unsigned *len)
55 {
56         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
57         const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
58         if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
59                 return SASL_FAIL;
60         }
61         
62         *result = username;
63         return SASL_OK;
64 }
65
66 static int gensec_sasl_get_realm(void *context, int id,
67                                  const char **availrealms,
68                                  const char **result)
69 {
70         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
71         const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
72         int i;
73         if (id != SASL_CB_GETREALM) {
74                 return SASL_FAIL;
75         }
76
77         for (i=0; availrealms && availrealms[i]; i++) {
78                 if (strcasecmp_m(realm, availrealms[i]) == 0) {
79                         result[i] = availrealms[i];
80                         return SASL_OK;
81                 }
82         }
83         /* None of the realms match, so lets not specify one */
84         *result = "";
85         return SASL_OK;
86 }
87
88 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
89                              sasl_secret_t **psecret)
90 {
91         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
92         const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
93         
94         sasl_secret_t *secret;
95         if (!password) {
96                 *psecret = NULL;
97                 return SASL_OK;
98         }
99         secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
100         if (!secret) {
101                 return SASL_NOMEM;
102         }
103         secret->len = strlen(password);
104         safe_strcpy((char*)secret->data, password, secret->len+1);
105         *psecret = secret;
106         return SASL_OK;
107 }
108
109 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
110 {
111         sasl_dispose(&gensec_sasl_state->conn);
112         return SASL_OK;
113 }
114
115 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
116 {
117         struct gensec_sasl_state *gensec_sasl_state;
118         const char *service = gensec_get_target_service(gensec_security);
119         const char *target_name = gensec_get_target_hostname(gensec_security);
120         struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
121         struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
122         char *local_addr = NULL;
123         char *remote_addr = NULL;
124         int sasl_ret;
125
126         sasl_callback_t *callbacks;
127
128         gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
129         if (!gensec_sasl_state) {
130                 return NT_STATUS_NO_MEMORY;
131         }
132
133         callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
134         callbacks[0].id = SASL_CB_USER;
135         callbacks[0].proc = gensec_sasl_get_user;
136         callbacks[0].context = gensec_security;
137
138         callbacks[1].id =  SASL_CB_AUTHNAME;
139         callbacks[1].proc = gensec_sasl_get_user;
140         callbacks[1].context = gensec_security;
141
142         callbacks[2].id = SASL_CB_GETREALM;
143         callbacks[2].proc = gensec_sasl_get_realm;
144         callbacks[2].context = gensec_security;
145
146         callbacks[3].id = SASL_CB_PASS;
147         callbacks[3].proc = gensec_sasl_get_password;
148         callbacks[3].context = gensec_security;
149
150         callbacks[4].id = SASL_CB_LIST_END;
151         callbacks[4].proc = NULL;
152         callbacks[4].context = NULL;
153
154         gensec_security->private_data = gensec_sasl_state;
155
156         if (local_socket_addr) {
157                 local_addr = talloc_asprintf(gensec_sasl_state, 
158                                              "%s;%d",
159                                              local_socket_addr->addr, 
160                                              local_socket_addr->port);
161         }
162
163         if (remote_socket_addr) {
164                 remote_addr = talloc_asprintf(gensec_sasl_state, 
165                                              "%s;%d",
166                                              remote_socket_addr->addr, 
167                                              remote_socket_addr->port);
168         }
169         gensec_sasl_state->step = 0;
170
171         sasl_ret = sasl_client_new(service,
172                                    target_name,
173                                    local_addr, remote_addr, callbacks, 0,
174                                    &gensec_sasl_state->conn);
175         
176         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
177                 sasl_security_properties_t props;
178                 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
179
180                 ZERO_STRUCT(props);
181                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
182                         props.min_ssf = 1;
183                 }
184                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
185                         props.min_ssf = 40;
186                 }
187                 
188                 props.max_ssf = UINT_MAX;
189                 props.maxbufsize = 65536;
190                 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
191                 if (sasl_ret != SASL_OK) {
192                         return sasl_nt_status(sasl_ret);
193                 }
194
195         } else {
196                 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
197         }
198         return sasl_nt_status(sasl_ret);
199 }
200
201 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, 
202                                    TALLOC_CTX *out_mem_ctx, 
203                                    const DATA_BLOB in, DATA_BLOB *out) 
204 {
205         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
206                                                                       struct gensec_sasl_state);
207         int sasl_ret;
208         const char *out_data;
209         unsigned int out_len;
210
211         if (gensec_sasl_state->step == 0) {
212                 const char *mech;
213                 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name, 
214                                              NULL, &out_data, &out_len, &mech);
215         } else {
216                 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
217                                             (char*)in.data, in.length, NULL,
218                                             &out_data, &out_len);
219         }
220         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
221                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
222         } else {
223                 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step, 
224                           sasl_errdetail(gensec_sasl_state->conn)));
225         }
226         gensec_sasl_state->step++;
227         return sasl_nt_status(sasl_ret);
228 }
229
230 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security, 
231                                         TALLOC_CTX *out_mem_ctx, 
232                                         const DATA_BLOB *in, 
233                                         DATA_BLOB *out,
234                                         size_t *len_processed) 
235 {
236         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
237                                                                       struct gensec_sasl_state);
238         const char *out_data;
239         unsigned int out_len;
240
241         int sasl_ret = sasl_decode(gensec_sasl_state->conn,
242                                    (char*)in->data, in->length, &out_data,
243                                    &out_len);
244         if (sasl_ret == SASL_OK) {
245                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
246                 *len_processed = in->length;
247         } else {
248                 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
249         }
250         return sasl_nt_status(sasl_ret);
251
252 }
253
254 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security, 
255                                         TALLOC_CTX *out_mem_ctx, 
256                                         const DATA_BLOB *in, 
257                                         DATA_BLOB *out,
258                                         size_t *len_processed) 
259 {
260         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
261                                                                       struct gensec_sasl_state);
262         const char *out_data;
263         unsigned int out_len;
264
265         int sasl_ret = sasl_encode(gensec_sasl_state->conn,
266                                    (char*)in->data, in->length, &out_data,
267                                    &out_len);
268         if (sasl_ret == SASL_OK) {
269                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
270                 *len_processed = in->length;
271         } else {
272                 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
273         }
274         return sasl_nt_status(sasl_ret);
275 }
276
277 /* Try to figure out what features we actually got on the connection */
278 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security, 
279                                      uint32_t feature) 
280 {
281         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
282                                                                       struct gensec_sasl_state);
283         sasl_ssf_t ssf;
284         int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
285                         (const void**)&ssf);
286         if (sasl_ret != SASL_OK) {
287                 return false;
288         }
289         if (feature & GENSEC_FEATURE_SIGN) {
290                 if (ssf == 0) {
291                         return false;
292                 }
293                 if (ssf >= 1) {
294                         return true;
295                 }
296         }
297         if (feature & GENSEC_FEATURE_SEAL) {
298                 if (ssf <= 1) {
299                         return false;
300                 }
301                 if (ssf > 1) {
302                         return true;
303                 }
304         }
305         return false;
306 }
307
308 /* This could in theory work with any SASL mech */
309 static const struct gensec_security_ops gensec_sasl_security_ops = {
310         .name             = "sasl-DIGEST-MD5",
311         .sasl_name        = "DIGEST-MD5",
312         .client_start     = gensec_sasl_client_start,
313         .update           = gensec_sasl_update,
314         .wrap_packets     = gensec_sasl_wrap_packets,
315         .unwrap_packets   = gensec_sasl_unwrap_packets,
316         .have_feature     = gensec_sasl_have_feature,
317         .enabled          = true,
318         .priority         = GENSEC_SASL
319 };
320
321 static int gensec_sasl_log(void *context, 
322                     int sasl_log_level,
323                     const char *message) 
324 {
325         int dl;
326         switch (sasl_log_level) {
327         case SASL_LOG_NONE:
328                 dl = 0;
329                 break;
330         case SASL_LOG_ERR:
331                 dl = 1;
332                 break;
333         case SASL_LOG_FAIL:
334                 dl = 2;
335                 break;
336         case SASL_LOG_WARN:
337                 dl = 3;
338                 break;
339         case SASL_LOG_NOTE:
340                 dl = 5;
341                 break;
342         case SASL_LOG_DEBUG:
343                 dl = 10;
344                 break;
345         case SASL_LOG_TRACE:
346                 dl = 11;
347                 break;
348 #if DEBUG_PASSWORD
349         case SASL_LOG_PASS:
350                 dl = 100;
351                 break;
352 #endif
353         default:
354                 dl = 0;
355                 break;
356         }
357         DEBUG(dl, ("gensec_sasl: %s\n", message));
358
359         return SASL_OK;
360 }
361
362 NTSTATUS gensec_sasl_init(void)
363 {
364         NTSTATUS ret;
365         int sasl_ret;
366 #if 0
367         int i;
368         const char **sasl_mechs;
369 #endif
370         
371         static const sasl_callback_t callbacks[] = {
372                 { 
373                         .id = SASL_CB_LOG,
374                         .proc = gensec_sasl_log,
375                         .context = NULL,
376                 },
377                 {
378                         .id = SASL_CB_LIST_END,
379                         .proc = gensec_sasl_log,
380                         .context = NULL,
381                 }
382         };
383         sasl_ret = sasl_client_init(callbacks);
384         
385         if (sasl_ret == SASL_NOMECH) {
386                 /* Nothing to do here */
387                 return NT_STATUS_OK;
388         }
389
390         if (sasl_ret != SASL_OK) {
391                 return sasl_nt_status(sasl_ret);
392         }
393
394         /* For now, we just register DIGEST-MD5 */
395 #if 1
396         ret = gensec_register(&gensec_sasl_security_ops);
397         if (!NT_STATUS_IS_OK(ret)) {
398                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
399                          gensec_sasl_security_ops.name));
400                 return ret;
401         }
402 #else
403         sasl_mechs = sasl_global_listmech();
404         for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
405                 const struct gensec_security_ops *oldmech;
406                 struct gensec_security_ops *newmech;
407                 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
408                 if (oldmech) {
409                         continue;
410                 }
411                 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
412                 if (!newmech) {
413                         return NT_STATUS_NO_MEMORY;
414                 }
415                 *newmech = gensec_sasl_security_ops;
416                 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
417                 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
418                 if (!newmech->sasl_name || !newmech->name) {
419                         return NT_STATUS_NO_MEMORY;
420                 }
421
422                 ret = gensec_register(newmech);
423                 if (!NT_STATUS_IS_OK(ret)) {
424                         DEBUG(0,("Failed to register '%s' gensec backend!\n",
425                                  gensec_sasl_security_ops.name));
426                         return ret;
427                 }
428         }
429 #endif
430         return NT_STATUS_OK;
431 }