s4-gensec Don't give more to sasl_encode() than it will permit
[kai/samba.git] / source4 / auth / gensec / cyrus_sasl.c
1 /* 
2    Unix SMB/CIFS implementation.
3  
4    Connect GENSEC to an external SASL lib
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/tsocket/tsocket.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_proto.h"
27 #include <sasl/sasl.h>
28
29 struct gensec_sasl_state {
30         sasl_conn_t *conn;
31         int step;
32         bool wrap;
33 };
34
35 static NTSTATUS sasl_nt_status(int sasl_ret) 
36 {
37         switch (sasl_ret) {
38         case SASL_CONTINUE:
39                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
40         case SASL_NOMEM:
41                 return NT_STATUS_NO_MEMORY;
42         case SASL_BADPARAM:
43         case SASL_NOMECH:
44                 return NT_STATUS_INVALID_PARAMETER;
45         case SASL_BADMAC:
46                 return NT_STATUS_ACCESS_DENIED;
47         case SASL_OK:
48                 return NT_STATUS_OK;
49         default:
50                 return NT_STATUS_UNSUCCESSFUL;
51         }
52 }
53
54 static int gensec_sasl_get_user(void *context, int id,
55                                 const char **result, unsigned *len)
56 {
57         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
58         const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
59         if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
60                 return SASL_FAIL;
61         }
62         
63         *result = username;
64         return SASL_OK;
65 }
66
67 static int gensec_sasl_get_realm(void *context, int id,
68                                  const char **availrealms,
69                                  const char **result)
70 {
71         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
72         const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
73         int i;
74         if (id != SASL_CB_GETREALM) {
75                 return SASL_FAIL;
76         }
77
78         for (i=0; availrealms && availrealms[i]; i++) {
79                 if (strcasecmp_m(realm, availrealms[i]) == 0) {
80                         result[i] = availrealms[i];
81                         return SASL_OK;
82                 }
83         }
84         /* None of the realms match, so lets not specify one */
85         *result = "";
86         return SASL_OK;
87 }
88
89 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
90                              sasl_secret_t **psecret)
91 {
92         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
93         const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
94         
95         sasl_secret_t *secret;
96         if (!password) {
97                 *psecret = NULL;
98                 return SASL_OK;
99         }
100         secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
101         if (!secret) {
102                 return SASL_NOMEM;
103         }
104         secret->len = strlen(password);
105         safe_strcpy((char*)secret->data, password, secret->len+1);
106         *psecret = secret;
107         return SASL_OK;
108 }
109
110 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
111 {
112         sasl_dispose(&gensec_sasl_state->conn);
113         return SASL_OK;
114 }
115
116 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
117 {
118         struct gensec_sasl_state *gensec_sasl_state;
119         const char *service = gensec_get_target_service(gensec_security);
120         const char *target_name = gensec_get_target_hostname(gensec_security);
121         const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
122         const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
123         char *local_addr = NULL;
124         char *remote_addr = NULL;
125         int sasl_ret;
126
127         sasl_callback_t *callbacks;
128
129         gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
130         if (!gensec_sasl_state) {
131                 return NT_STATUS_NO_MEMORY;
132         }
133
134         callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
135         callbacks[0].id = SASL_CB_USER;
136         callbacks[0].proc = gensec_sasl_get_user;
137         callbacks[0].context = gensec_security;
138
139         callbacks[1].id =  SASL_CB_AUTHNAME;
140         callbacks[1].proc = gensec_sasl_get_user;
141         callbacks[1].context = gensec_security;
142
143         callbacks[2].id = SASL_CB_GETREALM;
144         callbacks[2].proc = gensec_sasl_get_realm;
145         callbacks[2].context = gensec_security;
146
147         callbacks[3].id = SASL_CB_PASS;
148         callbacks[3].proc = gensec_sasl_get_password;
149         callbacks[3].context = gensec_security;
150
151         callbacks[4].id = SASL_CB_LIST_END;
152         callbacks[4].proc = NULL;
153         callbacks[4].context = NULL;
154
155         gensec_security->private_data = gensec_sasl_state;
156
157         if (tlocal_addr) {
158                 local_addr = talloc_asprintf(gensec_sasl_state,
159                                 "%s;%d",
160                                 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
161                                 tsocket_address_inet_port(tlocal_addr));
162         }
163
164         if (tremote_addr) {
165                 remote_addr = talloc_asprintf(gensec_sasl_state,
166                                 "%s;%d",
167                                 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
168                                 tsocket_address_inet_port(tremote_addr));
169         }
170         gensec_sasl_state->step = 0;
171
172         sasl_ret = sasl_client_new(service,
173                                    target_name,
174                                    local_addr, remote_addr, callbacks, 0,
175                                    &gensec_sasl_state->conn);
176         
177         if (sasl_ret == SASL_OK) {
178                 sasl_security_properties_t props;
179                 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
180                 
181                 ZERO_STRUCT(props);
182                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
183                         props.min_ssf = 1;
184                         props.max_ssf = 1;
185                         props.maxbufsize = 65536;
186                         gensec_sasl_state->wrap = true;
187                 }
188                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
189                         props.min_ssf = 40;
190                         props.max_ssf = UINT_MAX;
191                         props.maxbufsize = 65536;
192                         gensec_sasl_state->wrap = true;
193                 }
194
195                 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
196         }
197         if (sasl_ret != SASL_OK) {
198                 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
199         }
200         return sasl_nt_status(sasl_ret);
201 }
202
203 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, 
204                                    TALLOC_CTX *out_mem_ctx, 
205                                    const DATA_BLOB in, DATA_BLOB *out) 
206 {
207         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
208                                                                       struct gensec_sasl_state);
209         int sasl_ret;
210         const char *out_data;
211         unsigned int out_len;
212
213         if (gensec_sasl_state->step == 0) {
214                 const char *mech;
215                 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name, 
216                                              NULL, &out_data, &out_len, &mech);
217         } else {
218                 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
219                                             (char*)in.data, in.length, NULL,
220                                             &out_data, &out_len);
221         }
222         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
223                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
224         } else {
225                 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step, 
226                           sasl_errdetail(gensec_sasl_state->conn)));
227         }
228         gensec_sasl_state->step++;
229         return sasl_nt_status(sasl_ret);
230 }
231
232 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security, 
233                                         TALLOC_CTX *out_mem_ctx, 
234                                         const DATA_BLOB *in, 
235                                         DATA_BLOB *out,
236                                         size_t *len_processed) 
237 {
238         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
239                                                                       struct gensec_sasl_state);
240         const char *out_data;
241         unsigned int out_len;
242
243         int sasl_ret = sasl_decode(gensec_sasl_state->conn,
244                                    (char*)in->data, in->length, &out_data,
245                                    &out_len);
246         if (sasl_ret == SASL_OK) {
247                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
248                 *len_processed = in->length;
249         } else {
250                 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
251         }
252         return sasl_nt_status(sasl_ret);
253
254 }
255
256 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security, 
257                                         TALLOC_CTX *out_mem_ctx, 
258                                         const DATA_BLOB *in, 
259                                         DATA_BLOB *out,
260                                         size_t *len_processed) 
261 {
262         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
263                                                                       struct gensec_sasl_state);
264         const char *out_data;
265         unsigned int out_len;
266         unsigned len_permitted;
267         int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
268                         (const void**)&len_permitted);
269         if (sasl_ret != SASL_OK) {
270                 return sasl_nt_status(sasl_ret);
271         }
272         len_permitted = MIN(len_permitted, in->length);
273
274         sasl_ret = sasl_encode(gensec_sasl_state->conn,
275                                (char*)in->data, len_permitted, &out_data,
276                                &out_len);
277         if (sasl_ret == SASL_OK) {
278                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
279                 *len_processed = in->length;
280         } else {
281                 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
282         }
283         return sasl_nt_status(sasl_ret);
284 }
285
286 /* Try to figure out what features we actually got on the connection */
287 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security, 
288                                      uint32_t feature) 
289 {
290         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
291                                                                       struct gensec_sasl_state);
292         sasl_ssf_t ssf;
293         int sasl_ret;
294
295         /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
296         if (!gensec_sasl_state->wrap) {
297                 return false;
298         }
299         
300         sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
301                         (const void**)&ssf);
302         if (sasl_ret != SASL_OK) {
303                 return false;
304         }
305         if (feature & GENSEC_FEATURE_SIGN) {
306                 if (ssf == 0) {
307                         return false;
308                 }
309                 if (ssf >= 1) {
310                         return true;
311                 }
312         }
313         if (feature & GENSEC_FEATURE_SEAL) {
314                 if (ssf <= 1) {
315                         return false;
316                 }
317                 if (ssf > 1) {
318                         return true;
319                 }
320         }
321         return false;
322 }
323
324 /* This could in theory work with any SASL mech */
325 static const struct gensec_security_ops gensec_sasl_security_ops = {
326         .name             = "sasl-DIGEST-MD5",
327         .sasl_name        = "DIGEST-MD5",
328         .client_start     = gensec_sasl_client_start,
329         .update           = gensec_sasl_update,
330         .wrap_packets     = gensec_sasl_wrap_packets,
331         .unwrap_packets   = gensec_sasl_unwrap_packets,
332         .have_feature     = gensec_sasl_have_feature,
333         .enabled          = true,
334         .priority         = GENSEC_SASL
335 };
336
337 static int gensec_sasl_log(void *context, 
338                     int sasl_log_level,
339                     const char *message) 
340 {
341         int dl;
342         switch (sasl_log_level) {
343         case SASL_LOG_NONE:
344                 dl = 0;
345                 break;
346         case SASL_LOG_ERR:
347                 dl = 1;
348                 break;
349         case SASL_LOG_FAIL:
350                 dl = 2;
351                 break;
352         case SASL_LOG_WARN:
353                 dl = 3;
354                 break;
355         case SASL_LOG_NOTE:
356                 dl = 5;
357                 break;
358         case SASL_LOG_DEBUG:
359                 dl = 10;
360                 break;
361         case SASL_LOG_TRACE:
362                 dl = 11;
363                 break;
364 #if DEBUG_PASSWORD
365         case SASL_LOG_PASS:
366                 dl = 100;
367                 break;
368 #endif
369         default:
370                 dl = 0;
371                 break;
372         }
373         DEBUG(dl, ("gensec_sasl: %s\n", message));
374
375         return SASL_OK;
376 }
377
378 NTSTATUS gensec_sasl_init(void)
379 {
380         NTSTATUS ret;
381         int sasl_ret;
382 #if 0
383         int i;
384         const char **sasl_mechs;
385 #endif
386         
387         static const sasl_callback_t callbacks[] = {
388                 { 
389                         .id = SASL_CB_LOG,
390                         .proc = gensec_sasl_log,
391                         .context = NULL,
392                 },
393                 {
394                         .id = SASL_CB_LIST_END,
395                         .proc = gensec_sasl_log,
396                         .context = NULL,
397                 }
398         };
399         sasl_ret = sasl_client_init(callbacks);
400         
401         if (sasl_ret == SASL_NOMECH) {
402                 /* Nothing to do here */
403                 return NT_STATUS_OK;
404         }
405
406         if (sasl_ret != SASL_OK) {
407                 return sasl_nt_status(sasl_ret);
408         }
409
410         /* For now, we just register DIGEST-MD5 */
411 #if 1
412         ret = gensec_register(&gensec_sasl_security_ops);
413         if (!NT_STATUS_IS_OK(ret)) {
414                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
415                          gensec_sasl_security_ops.name));
416                 return ret;
417         }
418 #else
419         sasl_mechs = sasl_global_listmech();
420         for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
421                 const struct gensec_security_ops *oldmech;
422                 struct gensec_security_ops *newmech;
423                 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
424                 if (oldmech) {
425                         continue;
426                 }
427                 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
428                 if (!newmech) {
429                         return NT_STATUS_NO_MEMORY;
430                 }
431                 *newmech = gensec_sasl_security_ops;
432                 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
433                 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
434                 if (!newmech->sasl_name || !newmech->name) {
435                         return NT_STATUS_NO_MEMORY;
436                 }
437
438                 ret = gensec_register(newmech);
439                 if (!NT_STATUS_IS_OK(ret)) {
440                         DEBUG(0,("Failed to register '%s' gensec backend!\n",
441                                  gensec_sasl_security_ops.name));
442                         return ret;
443                 }
444         }
445 #endif
446         return NT_STATUS_OK;
447 }