Context Navigation

cyrus_sasl.c@ 745

Visit:

Last change on this file since 745 was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 12.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Connect GENSEC to an external SASL lib
5
6	Copyright (C) Andrew Bartlett <[email protected]> 2006
7
8	This program is free software; you can redistribute it and/or modify
9	it under the terms of the GNU General Public License as published by
10	the Free Software Foundation; either version 3 of the License, or
11	(at your option) any later version.
12
13	This program is distributed in the hope that it will be useful,
14	but WITHOUT ANY WARRANTY; without even the implied warranty of
15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	GNU General Public License for more details.
17
18	You should have received a copy of the GNU General Public License
19	along with this program. If not, see <http://www.gnu.org/licenses/>.
20	*/
21
22	#include "includes.h"
23	#include "lib/tsocket/tsocket.h"
24	#include "auth/credentials/credentials.h"
25	#include "auth/gensec/gensec.h"
26	#include "auth/gensec/gensec_proto.h"
27	#include <sasl/sasl.h>
28
29	struct gensec_sasl_state {
30	sasl_conn_t *conn;
31	int step;
32	bool wrap;
33	};
34
35	static NTSTATUS sasl_nt_status(int sasl_ret)
36	{
37	switch (sasl_ret) {
38	case SASL_CONTINUE:
39	return NT_STATUS_MORE_PROCESSING_REQUIRED;
40	case SASL_NOMEM:
41	return NT_STATUS_NO_MEMORY;
42	case SASL_BADPARAM:
43	case SASL_NOMECH:
44	return NT_STATUS_INVALID_PARAMETER;
45	case SASL_BADMAC:
46	return NT_STATUS_ACCESS_DENIED;
47	case SASL_OK:
48	return NT_STATUS_OK;
49	default:
50	return NT_STATUS_UNSUCCESSFUL;
51	}
52	}
53
54	static int gensec_sasl_get_user(void *context, int id,
55	const char *result, unsigned len)
56	{
57	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
58	const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
59	if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
60	return SASL_FAIL;
61	}
62
63	*result = username;
64	return SASL_OK;
65	}
66
67	static int gensec_sasl_get_realm(void *context, int id,
68	const char **availrealms,
69	const char **result)
70	{
71	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
72	const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
73	int i;
74	if (id != SASL_CB_GETREALM) {
75	return SASL_FAIL;
76	}
77
78	for (i=0; availrealms && availrealms[i]; i++) {
79	if (strcasecmp_m(realm, availrealms[i]) == 0) {
80	result[i] = availrealms[i];
81	return SASL_OK;
82	}
83	}
84	/* None of the realms match, so lets not specify one */
85	*result = "";
86	return SASL_OK;
87	}
88
89	static int gensec_sasl_get_password(sasl_conn_t conn, void context, int id,
90	sasl_secret_t **psecret)
91	{
92	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
93	const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
94
95	sasl_secret_t *secret;
96	if (!password) {
97	*psecret = NULL;
98	return SASL_OK;
99	}
100	secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
101	if (!secret) {
102	return SASL_NOMEM;
103	}
104	secret->len = strlen(password);
105	safe_strcpy((char*)secret->data, password, secret->len+1);
106	*psecret = secret;
107	return SASL_OK;
108	}
109
110	static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
111	{
112	sasl_dispose(&gensec_sasl_state->conn);
113	return SASL_OK;
114	}
115
116	static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
117	{
118	struct gensec_sasl_state *gensec_sasl_state;
119	const char *service = gensec_get_target_service(gensec_security);
120	const char *target_name = gensec_get_target_hostname(gensec_security);
121	const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
122	const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
123	char *local_addr = NULL;
124	char *remote_addr = NULL;
125	int sasl_ret;
126
127	sasl_callback_t *callbacks;
128
129	gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
130	if (!gensec_sasl_state) {
131	return NT_STATUS_NO_MEMORY;
132	}
133
134	callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
135	callbacks[0].id = SASL_CB_USER;
136	callbacks[0].proc = gensec_sasl_get_user;
137	callbacks[0].context = gensec_security;
138
139	callbacks[1].id = SASL_CB_AUTHNAME;
140	callbacks[1].proc = gensec_sasl_get_user;
141	callbacks[1].context = gensec_security;
142
143	callbacks[2].id = SASL_CB_GETREALM;
144	callbacks[2].proc = gensec_sasl_get_realm;
145	callbacks[2].context = gensec_security;
146
147	callbacks[3].id = SASL_CB_PASS;
148	callbacks[3].proc = gensec_sasl_get_password;
149	callbacks[3].context = gensec_security;
150
151	callbacks[4].id = SASL_CB_LIST_END;
152	callbacks[4].proc = NULL;
153	callbacks[4].context = NULL;
154
155	gensec_security->private_data = gensec_sasl_state;
156
157	if (tlocal_addr) {
158	local_addr = talloc_asprintf(gensec_sasl_state,
159	"%s;%d",
160	tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
161	tsocket_address_inet_port(tlocal_addr));
162	}
163
164	if (tremote_addr) {
165	remote_addr = talloc_asprintf(gensec_sasl_state,
166	"%s;%d",
167	tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
168	tsocket_address_inet_port(tremote_addr));
169	}
170	gensec_sasl_state->step = 0;
171
172	sasl_ret = sasl_client_new(service,
173	target_name,
174	local_addr, remote_addr, callbacks, 0,
175	&gensec_sasl_state->conn);
176
177	if (sasl_ret == SASL_OK) {
178	sasl_security_properties_t props;
179	talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
180
181	ZERO_STRUCT(props);
182	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
183	props.min_ssf = 1;
184	props.max_ssf = 1;
185	props.maxbufsize = 65536;
186	gensec_sasl_state->wrap = true;
187	}
188	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
189	props.min_ssf = 40;
190	props.max_ssf = UINT_MAX;
191	props.maxbufsize = 65536;
192	gensec_sasl_state->wrap = true;
193	}
194
195	sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
196	}
197	if (sasl_ret != SASL_OK) {
198	DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
199	}
200	return sasl_nt_status(sasl_ret);
201	}
202
203	static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
204	TALLOC_CTX *out_mem_ctx,
205	const DATA_BLOB in, DATA_BLOB *out)
206	{
207	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
208	struct gensec_sasl_state);
209	int sasl_ret;
210	const char *out_data;
211	unsigned int out_len;
212
213	if (gensec_sasl_state->step == 0) {
214	const char *mech;
215	sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
216	NULL, &out_data, &out_len, &mech);
217	} else {
218	sasl_ret = sasl_client_step(gensec_sasl_state->conn,
219	(char*)in.data, in.length, NULL,
220	&out_data, &out_len);
221	}
222	if (sasl_ret == SASL_OK \|\| sasl_ret == SASL_CONTINUE) {
223	*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
224	} else {
225	DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
226	sasl_errdetail(gensec_sasl_state->conn)));
227	}
228	gensec_sasl_state->step++;
229	return sasl_nt_status(sasl_ret);
230	}
231
232	static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
233	TALLOC_CTX *out_mem_ctx,
234	const DATA_BLOB *in,
235	DATA_BLOB *out,
236	size_t *len_processed)
237	{
238	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
239	struct gensec_sasl_state);
240	const char *out_data;
241	unsigned int out_len;
242
243	int sasl_ret = sasl_decode(gensec_sasl_state->conn,
244	(char*)in->data, in->length, &out_data,
245	&out_len);
246	if (sasl_ret == SASL_OK) {
247	*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
248	*len_processed = in->length;
249	} else {
250	DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
251	}
252	return sasl_nt_status(sasl_ret);
253
254	}
255
256	static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
257	TALLOC_CTX *out_mem_ctx,
258	const DATA_BLOB *in,
259	DATA_BLOB *out,
260	size_t *len_processed)
261	{
262	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
263	struct gensec_sasl_state);
264	const char *out_data;
265	unsigned int out_len;
266	unsigned len_permitted;
267	int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
268	(const void**)&len_permitted);
269	if (sasl_ret != SASL_OK) {
270	return sasl_nt_status(sasl_ret);
271	}
272	len_permitted = MIN(len_permitted, in->length);
273
274	sasl_ret = sasl_encode(gensec_sasl_state->conn,
275	(char*)in->data, len_permitted, &out_data,
276	&out_len);
277	if (sasl_ret == SASL_OK) {
278	*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
279	*len_processed = in->length;
280	} else {
281	DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
282	}
283	return sasl_nt_status(sasl_ret);
284	}
285
286	/* Try to figure out what features we actually got on the connection */
287	static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
288	uint32_t feature)
289	{
290	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
291	struct gensec_sasl_state);
292	sasl_ssf_t ssf;
293	int sasl_ret;
294
295	/* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
296	if (!gensec_sasl_state->wrap) {
297	return false;
298	}
299
300	sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
301	(const void**)&ssf);
302	if (sasl_ret != SASL_OK) {
303	return false;
304	}
305	if (feature & GENSEC_FEATURE_SIGN) {
306	if (ssf == 0) {
307	return false;
308	}
309	if (ssf >= 1) {
310	return true;
311	}
312	}
313	if (feature & GENSEC_FEATURE_SEAL) {
314	if (ssf <= 1) {
315	return false;
316	}
317	if (ssf > 1) {
318	return true;
319	}
320	}
321	return false;
322	}
323
324	/* This could in theory work with any SASL mech */
325	static const struct gensec_security_ops gensec_sasl_security_ops = {
326	.name = "sasl-DIGEST-MD5",
327	.sasl_name = "DIGEST-MD5",
328	.client_start = gensec_sasl_client_start,
329	.update = gensec_sasl_update,
330	.wrap_packets = gensec_sasl_wrap_packets,
331	.unwrap_packets = gensec_sasl_unwrap_packets,
332	.have_feature = gensec_sasl_have_feature,
333	.enabled = true,
334	.priority = GENSEC_SASL
335	};
336
337	static int gensec_sasl_log(void *context,
338	int sasl_log_level,
339	const char *message)
340	{
341	int dl;
342	switch (sasl_log_level) {
343	case SASL_LOG_NONE:
344	dl = 0;
345	break;
346	case SASL_LOG_ERR:
347	dl = 1;
348	break;
349	case SASL_LOG_FAIL:
350	dl = 2;
351	break;
352	case SASL_LOG_WARN:
353	dl = 3;
354	break;
355	case SASL_LOG_NOTE:
356	dl = 5;
357	break;
358	case SASL_LOG_DEBUG:
359	dl = 10;
360	break;
361	case SASL_LOG_TRACE:
362	dl = 11;
363	break;
364	#if DEBUG_PASSWORD
365	case SASL_LOG_PASS:
366	dl = 100;
367	break;
368	#endif
369	default:
370	dl = 0;
371	break;
372	}
373	DEBUG(dl, ("gensec_sasl: %s\n", message));
374
375	return SASL_OK;
376	}
377
378	NTSTATUS gensec_sasl_init(void)
379	{
380	NTSTATUS ret;
381	int sasl_ret;
382	#if 0
383	int i;
384	const char **sasl_mechs;
385	#endif
386
387	static const sasl_callback_t callbacks[] = {
388	{
389	.id = SASL_CB_LOG,
390	.proc = gensec_sasl_log,
391	.context = NULL,
392	},
393	{
394	.id = SASL_CB_LIST_END,
395	.proc = gensec_sasl_log,
396	.context = NULL,
397	}
398	};
399	sasl_ret = sasl_client_init(callbacks);
400
401	if (sasl_ret == SASL_NOMECH) {
402	/* Nothing to do here */
403	return NT_STATUS_OK;
404	}
405
406	if (sasl_ret != SASL_OK) {
407	return sasl_nt_status(sasl_ret);
408	}
409
410	/* For now, we just register DIGEST-MD5 */
411	#if 1
412	ret = gensec_register(&gensec_sasl_security_ops);
413	if (!NT_STATUS_IS_OK(ret)) {
414	DEBUG(0,("Failed to register '%s' gensec backend!\n",
415	gensec_sasl_security_ops.name));
416	return ret;
417	}
418	#else
419	sasl_mechs = sasl_global_listmech();
420	for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
421	const struct gensec_security_ops *oldmech;
422	struct gensec_security_ops *newmech;
423	oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
424	if (oldmech) {
425	continue;
426	}
427	newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
428	if (!newmech) {
429	return NT_STATUS_NO_MEMORY;
430	}
431	*newmech = gensec_sasl_security_ops;
432	newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
433	newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
434	if (!newmech->sasl_name \|\| !newmech->name) {
435	return NT_STATUS_NO_MEMORY;
436	}
437
438	ret = gensec_register(newmech);
439	if (!NT_STATUS_IS_OK(ret)) {
440	DEBUG(0,("Failed to register '%s' gensec backend!\n",
441	gensec_sasl_security_ops.name));
442	return ret;
443	}
444	}
445	#endif
446	return NT_STATUS_OK;
447	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source4/auth/gensec/cyrus_sasl.c@ 745

Download in other formats: