2
Unix SMB/CIFS implementation.
4
Connect GENSEC to an external SASL lib
6
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8
This program is free software; you can redistribute it and/or modify
9
it under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 3 of the License, or
11
(at your option) any later version.
13
This program is distributed in the hope that it will be useful,
14
but WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
GNU General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with this program. If not, see <http://www.gnu.org/licenses/>.
23
#include "auth/auth.h"
24
#include "auth/credentials/credentials.h"
25
#include "auth/gensec/gensec.h"
26
#include "auth/gensec/gensec_proto.h"
27
#include "lib/socket/socket.h"
28
#include <sasl/sasl.h>
30
struct gensec_sasl_state {
35
static NTSTATUS sasl_nt_status(int sasl_ret)
39
return NT_STATUS_MORE_PROCESSING_REQUIRED;
41
return NT_STATUS_NO_MEMORY;
44
return NT_STATUS_INVALID_PARAMETER;
46
return NT_STATUS_ACCESS_DENIED;
50
return NT_STATUS_UNSUCCESSFUL;
54
static int gensec_sasl_get_user(void *context, int id,
55
const char **result, unsigned *len)
57
struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
58
const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
59
if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
67
static int gensec_sasl_get_realm(void *context, int id,
68
const char **availrealms,
71
struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
72
const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
74
if (id != SASL_CB_GETREALM) {
78
for (i=0; availrealms && availrealms[i]; i++) {
79
if (strcasecmp_m(realm, availrealms[i]) == 0) {
80
result[i] = availrealms[i];
84
/* None of the realms match, so lets not specify one */
89
static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
90
sasl_secret_t **psecret)
92
struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
93
const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
95
sasl_secret_t *secret;
100
secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
104
secret->len = strlen(password);
105
safe_strcpy((char*)secret->data, password, secret->len+1);
110
static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
112
sasl_dispose(&gensec_sasl_state->conn);
116
static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
118
struct gensec_sasl_state *gensec_sasl_state;
119
const char *service = gensec_get_target_service(gensec_security);
120
const char *target_name = gensec_get_target_hostname(gensec_security);
121
struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
122
struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
123
char *local_addr = NULL;
124
char *remote_addr = NULL;
127
sasl_callback_t *callbacks;
129
gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
130
if (!gensec_sasl_state) {
131
return NT_STATUS_NO_MEMORY;
134
callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
135
callbacks[0].id = SASL_CB_USER;
136
callbacks[0].proc = gensec_sasl_get_user;
137
callbacks[0].context = gensec_security;
139
callbacks[1].id = SASL_CB_AUTHNAME;
140
callbacks[1].proc = gensec_sasl_get_user;
141
callbacks[1].context = gensec_security;
143
callbacks[2].id = SASL_CB_GETREALM;
144
callbacks[2].proc = gensec_sasl_get_realm;
145
callbacks[2].context = gensec_security;
147
callbacks[3].id = SASL_CB_PASS;
148
callbacks[3].proc = gensec_sasl_get_password;
149
callbacks[3].context = gensec_security;
151
callbacks[4].id = SASL_CB_LIST_END;
152
callbacks[4].proc = NULL;
153
callbacks[4].context = NULL;
155
gensec_security->private_data = gensec_sasl_state;
157
if (local_socket_addr) {
158
local_addr = talloc_asprintf(gensec_sasl_state,
160
local_socket_addr->addr,
161
local_socket_addr->port);
164
if (remote_socket_addr) {
165
remote_addr = talloc_asprintf(gensec_sasl_state,
167
remote_socket_addr->addr,
168
remote_socket_addr->port);
170
gensec_sasl_state->step = 0;
172
sasl_ret = sasl_client_new(service,
174
local_addr, remote_addr, callbacks, 0,
175
&gensec_sasl_state->conn);
177
if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
178
sasl_security_properties_t props;
179
talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
182
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
185
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
189
props.max_ssf = UINT_MAX;
190
props.maxbufsize = 65536;
191
sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
192
if (sasl_ret != SASL_OK) {
193
return sasl_nt_status(sasl_ret);
197
DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
199
return sasl_nt_status(sasl_ret);
202
static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
203
TALLOC_CTX *out_mem_ctx,
204
const DATA_BLOB in, DATA_BLOB *out)
206
struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
207
struct gensec_sasl_state);
209
const char *out_data;
210
unsigned int out_len;
212
if (gensec_sasl_state->step == 0) {
214
sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
215
NULL, &out_data, &out_len, &mech);
217
sasl_ret = sasl_client_step(gensec_sasl_state->conn,
218
(char*)in.data, in.length, NULL,
219
&out_data, &out_len);
221
if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
222
*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
224
DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
225
sasl_errdetail(gensec_sasl_state->conn)));
227
gensec_sasl_state->step++;
228
return sasl_nt_status(sasl_ret);
231
static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
232
TALLOC_CTX *out_mem_ctx,
235
size_t *len_processed)
237
struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
238
struct gensec_sasl_state);
239
const char *out_data;
240
unsigned int out_len;
242
int sasl_ret = sasl_decode(gensec_sasl_state->conn,
243
(char*)in->data, in->length, &out_data,
245
if (sasl_ret == SASL_OK) {
246
*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
247
*len_processed = in->length;
249
DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
251
return sasl_nt_status(sasl_ret);
255
static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
256
TALLOC_CTX *out_mem_ctx,
259
size_t *len_processed)
261
struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
262
struct gensec_sasl_state);
263
const char *out_data;
264
unsigned int out_len;
266
int sasl_ret = sasl_encode(gensec_sasl_state->conn,
267
(char*)in->data, in->length, &out_data,
269
if (sasl_ret == SASL_OK) {
270
*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
271
*len_processed = in->length;
273
DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
275
return sasl_nt_status(sasl_ret);
278
/* Try to figure out what features we actually got on the connection */
279
static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
282
struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
283
struct gensec_sasl_state);
285
int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
287
if (sasl_ret != SASL_OK) {
290
if (feature & GENSEC_FEATURE_SIGN) {
298
if (feature & GENSEC_FEATURE_SEAL) {
309
/* This could in theory work with any SASL mech */
310
static const struct gensec_security_ops gensec_sasl_security_ops = {
311
.name = "sasl-DIGEST-MD5",
312
.sasl_name = "DIGEST-MD5",
313
.client_start = gensec_sasl_client_start,
314
.update = gensec_sasl_update,
315
.wrap_packets = gensec_sasl_wrap_packets,
316
.unwrap_packets = gensec_sasl_unwrap_packets,
317
.have_feature = gensec_sasl_have_feature,
319
.priority = GENSEC_SASL
322
static int gensec_sasl_log(void *context,
327
switch (sasl_log_level) {
358
DEBUG(dl, ("gensec_sasl: %s\n", message));
363
NTSTATUS gensec_sasl_init(void)
369
const char **sasl_mechs;
372
static const sasl_callback_t callbacks[] = {
375
.proc = gensec_sasl_log,
379
.id = SASL_CB_LIST_END,
380
.proc = gensec_sasl_log,
384
sasl_ret = sasl_client_init(callbacks);
386
if (sasl_ret == SASL_NOMECH) {
387
/* Nothing to do here */
391
if (sasl_ret != SASL_OK) {
392
return sasl_nt_status(sasl_ret);
395
/* For now, we just register DIGEST-MD5 */
397
ret = gensec_register(&gensec_sasl_security_ops);
398
if (!NT_STATUS_IS_OK(ret)) {
399
DEBUG(0,("Failed to register '%s' gensec backend!\n",
400
gensec_sasl_security_ops.name));
404
sasl_mechs = sasl_global_listmech();
405
for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
406
const struct gensec_security_ops *oldmech;
407
struct gensec_security_ops *newmech;
408
oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
412
newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
414
return NT_STATUS_NO_MEMORY;
416
*newmech = gensec_sasl_security_ops;
417
newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
418
newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
419
if (!newmech->sasl_name || !newmech->name) {
420
return NT_STATUS_NO_MEMORY;
423
ret = gensec_register(newmech);
424
if (!NT_STATUS_IS_OK(ret)) {
425
DEBUG(0,("Failed to register '%s' gensec backend!\n",
426
gensec_sasl_security_ops.name));