source4/auth/gensec/cyrus_sasl.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Connect GENSEC to an external SASL lib
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "lib/tsocket/tsocket.h"
  24 #include "auth/credentials/credentials.h"
  25 #include "auth/gensec/gensec.h"
  26 #include "auth/gensec/gensec_proto.h"
  27 #include <sasl/sasl.h>
  28
  29 NTSTATUS gensec_sasl_init(void);
  30
  31 struct gensec_sasl_state {
  32         sasl_conn_t *conn;
  33         int step;
  34         bool wrap;
  35 };
  36
  37 static NTSTATUS sasl_nt_status(int sasl_ret)
  38 {
  39         switch (sasl_ret) {
  40         case SASL_CONTINUE:
  41                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
  42         case SASL_NOMEM:
  43                 return NT_STATUS_NO_MEMORY;
  44         case SASL_BADPARAM:
  45         case SASL_NOMECH:
  46                 return NT_STATUS_INVALID_PARAMETER;
  47         case SASL_BADMAC:
  48                 return NT_STATUS_ACCESS_DENIED;
  49         case SASL_OK:
  50                 return NT_STATUS_OK;
  51         default:
  52                 return NT_STATUS_UNSUCCESSFUL;
  53         }
  54 }
  55
  56 static int gensec_sasl_get_user(void *context, int id,
  57                                 const char **result, unsigned *len)
  58 {
  59         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  60         const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
  61         if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
  62                 return SASL_FAIL;
  63         }
  64
  65         *result = username;
  66         return SASL_OK;
  67 }
  68
  69 static int gensec_sasl_get_realm(void *context, int id,
  70                                  const char **availrealms,
  71                                  const char **result)
  72 {
  73         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  74         const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
  75         int i;
  76         if (id != SASL_CB_GETREALM) {
  77                 return SASL_FAIL;
  78         }
  79
  80         for (i=0; availrealms && availrealms[i]; i++) {
  81                 if (strcasecmp_m(realm, availrealms[i]) == 0) {
  82                         result[i] = availrealms[i];
  83                         return SASL_OK;
  84                 }
  85         }
  86         /* None of the realms match, so lets not specify one */
  87         *result = "";
  88         return SASL_OK;
  89 }
  90
  91 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
  92                              sasl_secret_t **psecret)
  93 {
  94         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  95         const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
  96
  97         sasl_secret_t *secret;
  98         if (!password) {
  99                 *psecret = NULL;
 100                 return SASL_OK;
 101         }
 102         secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
 103         if (!secret) {
 104                 return SASL_NOMEM;
 105         }
 106         secret->len = strlen(password);
 107         strlcpy((char*)secret->data, password, secret->len+1);
 108         *psecret = secret;
 109         return SASL_OK;
 110 }
 111
 112 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
 113 {
 114         sasl_dispose(&gensec_sasl_state->conn);
 115         return SASL_OK;
 116 }
 117
 118 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
 119 {
 120         struct gensec_sasl_state *gensec_sasl_state;
 121         const char *service = gensec_get_target_service(gensec_security);
 122         const char *target_name = gensec_get_target_hostname(gensec_security);
 123         const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
 124         const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
 125         char *local_addr = NULL;
 126         char *remote_addr = NULL;
 127         int sasl_ret;
 128
 129         sasl_callback_t *callbacks;
 130
 131         gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
 132         if (!gensec_sasl_state) {
 133                 return NT_STATUS_NO_MEMORY;
 134         }
 135
 136         callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
 137         callbacks[0].id = SASL_CB_USER;
 138         callbacks[0].proc = gensec_sasl_get_user;
 139         callbacks[0].context = gensec_security;
 140
 141         callbacks[1].id =  SASL_CB_AUTHNAME;
 142         callbacks[1].proc = gensec_sasl_get_user;
 143         callbacks[1].context = gensec_security;
 144
 145         callbacks[2].id = SASL_CB_GETREALM;
 146         callbacks[2].proc = gensec_sasl_get_realm;
 147         callbacks[2].context = gensec_security;
 148
 149         callbacks[3].id = SASL_CB_PASS;
 150         callbacks[3].proc = gensec_sasl_get_password;
 151         callbacks[3].context = gensec_security;
 152
 153         callbacks[4].id = SASL_CB_LIST_END;
 154         callbacks[4].proc = NULL;
 155         callbacks[4].context = NULL;
 156
 157         gensec_security->private_data = gensec_sasl_state;
 158
 159         if (tlocal_addr) {
 160                 local_addr = talloc_asprintf(gensec_sasl_state,
 161                                 "%s;%d",
 162                                 tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
 163                                 tsocket_address_inet_port(tlocal_addr));
 164         }
 165
 166         if (tremote_addr) {
 167                 remote_addr = talloc_asprintf(gensec_sasl_state,
 168                                 "%s;%d",
 169                                 tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
 170                                 tsocket_address_inet_port(tremote_addr));
 171         }
 172         gensec_sasl_state->step = 0;
 173
 174         sasl_ret = sasl_client_new(service,
 175                                    target_name,
 176                                    local_addr, remote_addr, callbacks, 0,
 177                                    &gensec_sasl_state->conn);
 178
 179         if (sasl_ret == SASL_OK) {
 180                 sasl_security_properties_t props;
 181                 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
 182
 183                 ZERO_STRUCT(props);
 184                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 185                         props.min_ssf = 1;
 186                         props.max_ssf = 1;
 187                         props.maxbufsize = 65536;
 188                         gensec_sasl_state->wrap = true;
 189                 }
 190                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 191                         props.min_ssf = 40;
 192                         props.max_ssf = UINT_MAX;
 193                         props.maxbufsize = 65536;
 194                         gensec_sasl_state->wrap = true;
 195                 }
 196
 197                 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
 198         }
 199         if (sasl_ret != SASL_OK) {
 200                 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 201         }
 202         return sasl_nt_status(sasl_ret);
 203 }
 204
 205 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
 206                                    TALLOC_CTX *out_mem_ctx,
 207                                    const DATA_BLOB in, DATA_BLOB *out)
 208 {
 209         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 210                                                                       struct gensec_sasl_state);
 211         int sasl_ret;
 212         const char *out_data;
 213         unsigned int out_len;
 214
 215         if (gensec_sasl_state->step == 0) {
 216                 const char *mech;
 217                 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
 218                                              NULL, &out_data, &out_len, &mech);
 219         } else {
 220                 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
 221                                             (char*)in.data, in.length, NULL,
 222                                             &out_data, &out_len);
 223         }
 224         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
 225                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 226         } else {
 227                 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
 228                           sasl_errdetail(gensec_sasl_state->conn)));
 229         }
 230         gensec_sasl_state->step++;
 231         return sasl_nt_status(sasl_ret);
 232 }
 233
 234 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
 235                                         TALLOC_CTX *out_mem_ctx,
 236                                         const DATA_BLOB *in,
 237                                         DATA_BLOB *out,
 238                                         size_t *len_processed)
 239 {
 240         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 241                                                                       struct gensec_sasl_state);
 242         const char *out_data;
 243         unsigned int out_len;
 244
 245         int sasl_ret = sasl_decode(gensec_sasl_state->conn,
 246                                    (char*)in->data, in->length, &out_data,
 247                                    &out_len);
 248         if (sasl_ret == SASL_OK) {
 249                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 250                 *len_processed = in->length;
 251         } else {
 252                 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 253         }
 254         return sasl_nt_status(sasl_ret);
 255
 256 }
 257
 258 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
 259                                         TALLOC_CTX *out_mem_ctx,
 260                                         const DATA_BLOB *in,
 261                                         DATA_BLOB *out,
 262                                         size_t *len_processed)
 263 {
 264         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 265                                                                       struct gensec_sasl_state);
 266         const char *out_data;
 267         unsigned int out_len;
 268         unsigned len_permitted;
 269         int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
 270                         (const void**)&len_permitted);
 271         if (sasl_ret != SASL_OK) {
 272                 return sasl_nt_status(sasl_ret);
 273         }
 274         len_permitted = MIN(len_permitted, in->length);
 275
 276         sasl_ret = sasl_encode(gensec_sasl_state->conn,
 277                                (char*)in->data, len_permitted, &out_data,
 278                                &out_len);
 279         if (sasl_ret == SASL_OK) {
 280                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 281                 *len_processed = in->length;
 282         } else {
 283                 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 284         }
 285         return sasl_nt_status(sasl_ret);
 286 }
 287
 288 /* Try to figure out what features we actually got on the connection */
 289 static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
 290                                      uint32_t feature)
 291 {
 292         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 293                                                                       struct gensec_sasl_state);
 294         sasl_ssf_t ssf;
 295         int sasl_ret;
 296
 297         /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
 298         if (!gensec_sasl_state->wrap) {
 299                 return false;
 300         }
 301
 302         sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
 303                         (const void**)&ssf);
 304         if (sasl_ret != SASL_OK) {
 305                 return false;
 306         }
 307         if (feature & GENSEC_FEATURE_SIGN) {
 308                 if (ssf == 0) {
 309                         return false;
 310                 }
 311                 if (ssf >= 1) {
 312                         return true;
 313                 }
 314         }
 315         if (feature & GENSEC_FEATURE_SEAL) {
 316                 if (ssf <= 1) {
 317                         return false;
 318                 }
 319                 if (ssf > 1) {
 320                         return true;
 321                 }
 322         }
 323         return false;
 324 }
 325
 326 /* This could in theory work with any SASL mech */
 327 static const struct gensec_security_ops gensec_sasl_security_ops = {
 328         .name             = "sasl-DIGEST-MD5",
 329         .sasl_name        = "DIGEST-MD5",
 330         .client_start     = gensec_sasl_client_start,
 331         .update           = gensec_sasl_update,
 332         .wrap_packets     = gensec_sasl_wrap_packets,
 333         .unwrap_packets   = gensec_sasl_unwrap_packets,
 334         .have_feature     = gensec_sasl_have_feature,
 335         .enabled          = true,
 336         .priority         = GENSEC_SASL
 337 };
 338
 339 static int gensec_sasl_log(void *context,
 340                     int sasl_log_level,
 341                     const char *message)
 342 {
 343         int dl;
 344         switch (sasl_log_level) {
 345         case SASL_LOG_NONE:
 346                 dl = 0;
 347                 break;
 348         case SASL_LOG_ERR:
 349                 dl = 1;
 350                 break;
 351         case SASL_LOG_FAIL:
 352                 dl = 2;
 353                 break;
 354         case SASL_LOG_WARN:
 355                 dl = 3;
 356                 break;
 357         case SASL_LOG_NOTE:
 358                 dl = 5;
 359                 break;
 360         case SASL_LOG_DEBUG:
 361                 dl = 10;
 362                 break;
 363         case SASL_LOG_TRACE:
 364                 dl = 11;
 365                 break;
 366 #if DEBUG_PASSWORD
 367         case SASL_LOG_PASS:
 368                 dl = 100;
 369                 break;
 370 #endif
 371         default:
 372                 dl = 0;
 373                 break;
 374         }
 375         DEBUG(dl, ("gensec_sasl: %s\n", message));
 376
 377         return SASL_OK;
 378 }
 379
 380 NTSTATUS gensec_sasl_init(void)
 381 {
 382         NTSTATUS ret;
 383         int sasl_ret;
 384 #if 0
 385         int i;
 386         const char **sasl_mechs;
 387 #endif
 388
 389         static const sasl_callback_t callbacks[] = {
 390                 {
 391                         .id = SASL_CB_LOG,
 392                         .proc = gensec_sasl_log,
 393                         .context = NULL,
 394                 },
 395                 {
 396                         .id = SASL_CB_LIST_END,
 397                         .proc = gensec_sasl_log,
 398                         .context = NULL,
 399                 }
 400         };
 401         sasl_ret = sasl_client_init(callbacks);
 402
 403         if (sasl_ret == SASL_NOMECH) {
 404                 /* Nothing to do here */
 405                 return NT_STATUS_OK;
 406         }
 407
 408         if (sasl_ret != SASL_OK) {
 409                 return sasl_nt_status(sasl_ret);
 410         }
 411
 412         /* For now, we just register DIGEST-MD5 */
 413 #if 1
 414         ret = gensec_register(&gensec_sasl_security_ops);
 415         if (!NT_STATUS_IS_OK(ret)) {
 416                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 417                          gensec_sasl_security_ops.name));
 418                 return ret;
 419         }
 420 #else
 421         sasl_mechs = sasl_global_listmech();
 422         for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
 423                 const struct gensec_security_ops *oldmech;
 424                 struct gensec_security_ops *newmech;
 425                 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
 426                 if (oldmech) {
 427                         continue;
 428                 }
 429                 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
 430                 if (!newmech) {
 431                         return NT_STATUS_NO_MEMORY;
 432                 }
 433                 *newmech = gensec_sasl_security_ops;
 434                 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
 435                 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
 436                 if (!newmech->sasl_name || !newmech->name) {
 437                         return NT_STATUS_NO_MEMORY;
 438                 }
 439
 440                 ret = gensec_register(newmech);
 441                 if (!NT_STATUS_IS_OK(ret)) {
 442                         DEBUG(0,("Failed to register '%s' gensec backend!\n",
 443                                  gensec_sasl_security_ops.name));
 444                         return ret;
 445                 }
 446         }
 447 #endif
 448         return NT_STATUS_OK;
 449 }