source4/auth/gensec/cyrus_sasl.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Connect GENSEC to an external SASL lib
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth/auth.h"
  25 #include "lib/socket/socket.h"
  26 #include <sasl/sasl.h>
  27
  28 struct gensec_sasl_state {
  29         sasl_conn_t *conn;
  30         int step;
  31 };
  32
  33 static NTSTATUS sasl_nt_status(int sasl_ret)
  34 {
  35         switch (sasl_ret) {
  36         case SASL_CONTINUE:
  37                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
  38         case SASL_NOMEM:
  39                 return NT_STATUS_NO_MEMORY;
  40         case SASL_BADPARAM:
  41         case SASL_NOMECH:
  42                 return NT_STATUS_INVALID_PARAMETER;
  43         case SASL_BADMAC:
  44                 return NT_STATUS_ACCESS_DENIED;
  45         case SASL_OK:
  46                 return NT_STATUS_OK;
  47         default:
  48                 return NT_STATUS_UNSUCCESSFUL;
  49         }
  50 }
  51
  52 static int gensec_sasl_get_user(void *context, int id,
  53                                 const char **result, unsigned *len)
  54 {
  55         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  56         const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
  57         if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
  58                 return SASL_FAIL;
  59         }
  60
  61         *result = username;
  62         return SASL_OK;
  63 }
  64
  65 static int gensec_sasl_get_realm(void *context, int id,
  66                                  const char **availrealms,
  67                                  const char **result)
  68 {
  69         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  70         const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
  71         int i;
  72         if (id != SASL_CB_GETREALM) {
  73                 return SASL_FAIL;
  74         }
  75
  76         for (i=0; availrealms && availrealms[i]; i++) {
  77                 if (strcasecmp_m(realm, availrealms[i]) == 0) {
  78                         result[i] = availrealms[i];
  79                         return SASL_OK;
  80                 }
  81         }
  82         /* None of the realms match, so lets not specify one */
  83         *result = "";
  84         return SASL_OK;
  85 }
  86
  87 static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
  88                              sasl_secret_t **psecret)
  89 {
  90         struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
  91         const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
  92
  93         sasl_secret_t *secret;
  94         if (!password) {
  95                 *psecret = NULL;
  96                 return SASL_OK;
  97         }
  98         secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
  99         if (!secret) {
 100                 return SASL_NOMEM;
 101         }
 102         secret->len = strlen(password);
 103         safe_strcpy(secret->data, password, secret->len+1);
 104         *psecret = secret;
 105         return SASL_OK;
 106 }
 107
 108 static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
 109 {
 110         sasl_dispose(&gensec_sasl_state->conn);
 111         return 0;
 112 }
 113
 114 static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
 115 {
 116         struct gensec_sasl_state *gensec_sasl_state;
 117         const char *service = gensec_get_target_service(gensec_security);
 118         const char *target_name = gensec_get_target_hostname(gensec_security);
 119         struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
 120         struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
 121         char *local_addr = NULL;
 122         char *remote_addr = NULL;
 123         int sasl_ret;
 124
 125         sasl_callback_t *callbacks;
 126
 127         gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
 128         if (!gensec_sasl_state) {
 129                 return NT_STATUS_NO_MEMORY;
 130         }
 131
 132         callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
 133         callbacks[0].id = SASL_CB_USER;
 134         callbacks[0].proc = gensec_sasl_get_user;
 135         callbacks[0].context = gensec_security;
 136
 137         callbacks[1].id =  SASL_CB_AUTHNAME;
 138         callbacks[1].proc = gensec_sasl_get_user;
 139         callbacks[1].context = gensec_security;
 140
 141         callbacks[2].id = SASL_CB_GETREALM;
 142         callbacks[2].proc = gensec_sasl_get_realm;
 143         callbacks[2].context = gensec_security;
 144
 145         callbacks[3].id = SASL_CB_PASS;
 146         callbacks[3].proc = gensec_sasl_get_password;
 147         callbacks[3].context = gensec_security;
 148
 149         callbacks[4].id = SASL_CB_LIST_END;
 150         callbacks[4].proc = NULL;
 151         callbacks[4].context = NULL;
 152
 153         gensec_security->private_data = gensec_sasl_state;
 154
 155         if (local_socket_addr) {
 156                 local_addr = talloc_asprintf(gensec_sasl_state,
 157                                              "%s;%d",
 158                                              local_socket_addr->addr,
 159                                              local_socket_addr->port);
 160         }
 161
 162         if (remote_socket_addr) {
 163                 remote_addr = talloc_asprintf(gensec_sasl_state,
 164                                              "%s;%d",
 165                                              remote_socket_addr->addr,
 166                                              remote_socket_addr->port);
 167         }
 168         gensec_sasl_state->step = 0;
 169
 170         sasl_ret = sasl_client_new(service,
 171                                    target_name,
 172                                    local_addr, remote_addr, callbacks, 0,
 173                                    &gensec_sasl_state->conn);
 174
 175         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
 176                 sasl_security_properties_t props;
 177                 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
 178
 179                 ZERO_STRUCT(props);
 180                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 181                         props.min_ssf = 1;
 182                 }
 183                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 184                         props.min_ssf = 40;
 185                 }
 186
 187                 props.max_ssf = UINT_MAX;
 188                 props.maxbufsize = 65536;
 189                 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
 190                 if (sasl_ret != SASL_OK) {
 191                         return sasl_nt_status(sasl_ret);
 192                 }
 193
 194         } else {
 195                 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 196         }
 197         return sasl_nt_status(sasl_ret);
 198 }
 199
 200 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
 201                                    TALLOC_CTX *out_mem_ctx,
 202                                    const DATA_BLOB in, DATA_BLOB *out)
 203 {
 204         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 205                                                                       struct gensec_sasl_state);
 206         int sasl_ret;
 207         const char *out_data;
 208         unsigned int out_len;
 209
 210         if (gensec_sasl_state->step == 0) {
 211                 const char *mech;
 212                 sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
 213                                              NULL, &out_data, &out_len, &mech);
 214         } else {
 215                 sasl_ret = sasl_client_step(gensec_sasl_state->conn,
 216                                             in.data, in.length, NULL, &out_data, &out_len);
 217         }
 218         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
 219                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 220         } else {
 221                 DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
 222                           sasl_errdetail(gensec_sasl_state->conn)));
 223         }
 224         gensec_sasl_state->step++;
 225         return sasl_nt_status(sasl_ret);
 226 }
 227
 228 static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
 229                                         TALLOC_CTX *out_mem_ctx,
 230                                         const DATA_BLOB *in,
 231                                         DATA_BLOB *out,
 232                                         size_t *len_processed)
 233 {
 234         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 235                                                                       struct gensec_sasl_state);
 236         const char *out_data;
 237         unsigned int out_len;
 238
 239         int sasl_ret = sasl_decode(gensec_sasl_state->conn,
 240                                    in->data, in->length, &out_data, &out_len);
 241         if (sasl_ret == SASL_OK) {
 242                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 243                 *len_processed = in->length;
 244         } else {
 245                 DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 246         }
 247         return sasl_nt_status(sasl_ret);
 248
 249 }
 250 static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
 251                                         TALLOC_CTX *out_mem_ctx,
 252                                         const DATA_BLOB *in,
 253                                         DATA_BLOB *out,
 254                                         size_t *len_processed)
 255 {
 256         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 257                                                                       struct gensec_sasl_state);
 258         const char *out_data;
 259         unsigned int out_len;
 260
 261         int sasl_ret = sasl_encode(gensec_sasl_state->conn,
 262                                    in->data, in->length, &out_data, &out_len);
 263         if (sasl_ret == SASL_OK) {
 264                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 265                 *len_processed = in->length;
 266         } else {
 267                 DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
 268         }
 269         return sasl_nt_status(sasl_ret);
 270 }
 271
 272 /* Try to figure out what features we actually got on the connection */
 273 static BOOL gensec_sasl_have_feature(struct gensec_security *gensec_security,
 274                                      uint32_t feature)
 275 {
 276         struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
 277                                                                       struct gensec_sasl_state);
 278         sasl_ssf_t ssf;
 279         int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF, &ssf);
 280         if (sasl_ret != SASL_OK) {
 281                 return False;
 282         }
 283         if (feature & GENSEC_FEATURE_SIGN) {
 284                 if (ssf == 0) {
 285                         return False;
 286                 }
 287                 if (ssf >= 1) {
 288                         return True;
 289                 }
 290         }
 291         if (feature & GENSEC_FEATURE_SEAL) {
 292                 if (ssf <= 1) {
 293                         return False;
 294                 }
 295                 if (ssf > 1) {
 296                         return True;
 297                 }
 298         }
 299         return False;
 300 }
 301
 302 /* This could in theory work with any SASL mech */
 303 static const struct gensec_security_ops gensec_sasl_security_ops = {
 304         .name             = "sasl-DIGEST-MD5",
 305         .sasl_name        = "DIGEST-MD5",
 306         .client_start     = gensec_sasl_client_start,
 307         .update           = gensec_sasl_update,
 308         .wrap_packets     = gensec_sasl_wrap_packets,
 309         .unwrap_packets   = gensec_sasl_unwrap_packets,
 310         .have_feature     = gensec_sasl_have_feature,
 311         .enabled          = True,
 312         .priority         = GENSEC_SASL
 313 };
 314
 315 int gensec_sasl_log(void *context,
 316                     int sasl_log_level,
 317                     const char *message)
 318 {
 319         int debug_level;
 320         switch (sasl_log_level) {
 321         case SASL_LOG_NONE:
 322                 debug_level = 0;
 323                 break;
 324         case SASL_LOG_ERR:
 325                 debug_level = 1;
 326                 break;
 327         case SASL_LOG_FAIL:
 328                 debug_level = 2;
 329                 break;
 330         case SASL_LOG_WARN:
 331                 debug_level = 3;
 332                 break;
 333         case SASL_LOG_NOTE:
 334                 debug_level = 5;
 335                 break;
 336         case SASL_LOG_DEBUG:
 337                 debug_level = 10;
 338                 break;
 339         case SASL_LOG_TRACE:
 340                 debug_level = 11;
 341                 break;
 342 #if DEBUG_PASSWORD
 343         case SASL_LOG_PASS:
 344                 debug_level = 100;
 345                 break;
 346 #endif
 347         default:
 348                 debug_level = 0;
 349                 break;
 350         }
 351         DEBUG(debug_level, ("gensec_sasl: %s\n", message));
 352
 353         return SASL_OK;
 354 }
 355
 356 NTSTATUS gensec_sasl_init(void)
 357 {
 358         NTSTATUS ret;
 359         int sasl_ret, i;
 360         const char **sasl_mechs;
 361
 362         static const sasl_callback_t callbacks[] = {
 363                 {
 364                         .id = SASL_CB_LOG,
 365                         .proc = gensec_sasl_log,
 366                         .context = NULL,
 367                 },
 368                 {
 369                         .id = SASL_CB_LIST_END,
 370                         .proc = gensec_sasl_log,
 371                         .context = NULL,
 372                 }
 373         };
 374         sasl_ret = sasl_client_init(callbacks);
 375
 376         if (sasl_ret == SASL_NOMECH) {
 377                 /* Nothing to do here */
 378                 return NT_STATUS_OK;
 379         }
 380
 381         if (sasl_ret != SASL_OK) {
 382                 return sasl_nt_status(sasl_ret);
 383         }
 384
 385         /* For now, we just register DIGEST-MD5 */
 386 #if 1
 387         ret = gensec_register(&gensec_sasl_security_ops);
 388         if (!NT_STATUS_IS_OK(ret)) {
 389                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 390                          gensec_sasl_security_ops.name));
 391                 return ret;
 392         }
 393 #else
 394         sasl_mechs = sasl_global_listmech();
 395         for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
 396                 const struct gensec_security_ops *oldmech;
 397                 struct gensec_security_ops *newmech;
 398                 oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
 399                 if (oldmech) {
 400                         continue;
 401                 }
 402                 newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
 403                 if (!newmech) {
 404                         return NT_STATUS_NO_MEMORY;
 405                 }
 406                 *newmech = gensec_sasl_security_ops;
 407                 newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
 408                 newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
 409                 if (!newmech->sasl_name || !newmech->name) {
 410                         return NT_STATUS_NO_MEMORY;
 411                 }
 412
 413                 ret = gensec_register(newmech);
 414                 if (!NT_STATUS_IS_OK(ret)) {
 415                         DEBUG(0,("Failed to register '%s' gensec backend!\n",
 416                                  gensec_sasl_security_ops.name));
 417                         return ret;
 418                 }
 419         }
 420 #endif
 421         return NT_STATUS_OK;
 422 }