r18155: Add my work in progress, a module to link with Cyrus-SASL, for a

DIGEST-MD5 implemenation in particular.

However, I can't make this work:  Cyrus-SASL isn't loading the mech...

Andrew Bartlett
(This used to be commit 0b193d28c896c9d212a536da7d87634543d971a5)

4 files changed, 435 insertions, 2 deletions

diff --git a/source4/auth/config.m4 b/source4/auth/config.m4
index f6500cc1e7..e70df2e400 100644
--- a/source4/auth/config.m4
+++ b/source4/auth/config.m4
@@ -17,3 +17,13 @@ SMB_ENABLE(CRYPT,YES)
 SMB_EXT_LIB(CRYPT, $CRYPT_LIBS)
 
 AC_CHECK_FUNCS(crypt16 getauthuid getpwanam)
+
+AC_CHECK_HEADERS(sasl/sasl.h)
+AC_CHECK_LIB_EXT(sasl2, SASL_LIBS, sasl_client_init)
+SMB_EXT_LIB(SASL, $SASL_LIBS)
+
+if test x"$ac_cv_header_sasl_sasl_h" = x"yes" -a x"$ac_cv_lib_ext_sasl2_sasl_client_init" = x"yes";then
+	SMB_ENABLE(cyrus_sasl,YES)
+else
+	SMB_ENABLE(cyrus_sasl, NO)
+fi
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index 0aaf82949e..cb8b2edc85 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -33,6 +33,16 @@ PUBLIC_DEPENDENCIES = KERBEROS auth HEIMDAL_GSSAPI
 ################################################
 
 ################################################
+# Start MODULE cyrus_sasl
+[MODULE::cyrus_sasl]
+SUBSYSTEM = gensec
+INIT_FUNCTION = gensec_sasl_init
+OBJ_FILES = cyrus_sasl.o 
+PUBLIC_DEPENDENCIES = SASL auth
+# End MODULE cyrus_sasl
+################################################
+
+################################################
 # Start MODULE gensec_spnego
 [MODULE::gensec_spnego]
 SUBSYSTEM = gensec
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
new file mode 100644
index 0000000000..02b26d3e5f
--- /dev/null
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -0,0 +1,413 @@
+/* 
+   Unix SMB/CIFS implementation.
+ 
+   Connect GENSEC to an external SASL lib
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "lib/socket/socket.h"
+#include <sasl/sasl.h>
+
+struct gensec_sasl_state {
+	sasl_conn_t *conn;
+	int step;
+};
+
+static NTSTATUS sasl_nt_status(int sasl_ret) 
+{
+	switch (sasl_ret) {
+	case SASL_CONTINUE:
+		return NT_STATUS_MORE_PROCESSING_REQUIRED;
+	case SASL_NOMEM:
+		return NT_STATUS_NO_MEMORY;
+	case SASL_BADPARAM:
+	case SASL_NOMECH:
+		return NT_STATUS_INVALID_PARAMETER;
+	case SASL_BADMAC:
+		return NT_STATUS_ACCESS_DENIED;
+	case SASL_OK:
+		return NT_STATUS_OK;
+	default:
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+}
+
+static int gensec_sasl_get_user(void *context, int id,
+				const char **result, unsigned *len)
+{
+	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
+	const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
+	if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
+		return SASL_FAIL;
+	}
+	
+	*result = username;
+	return SASL_OK;
+}
+
+static int gensec_sasl_get_realm(void *context, int id,
+				 const char **availrealms,
+				 const char **result)
+{
+	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
+	const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
+	int i;
+	if (id != SASL_CB_GETREALM) {
+		return SASL_FAIL;
+	}
+
+	for (i=0; availrealms && availrealms[i]; i++) {
+		if (strcasecmp_m(realm, availrealms[i]) == 0) {
+			result[i] = availrealms[i];
+			return SASL_OK;
+		}
+	}
+	/* None of the realms match, so lets not specify one */
+	*result = "";
+	return SASL_OK;
+}
+
+static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
+			     sasl_secret_t **psecret)
+{
+	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
+	const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
+	
+	sasl_secret_t *secret;
+	if (!password) {
+		*psecret = NULL;
+		return SASL_OK;
+	}
+	secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
+	if (!secret) {
+		return SASL_NOMEM;
+	}
+	secret->len = strlen(password);
+	safe_strcpy(secret->data, password, secret->len+1);
+	return SASL_OK;
+}
+
+static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
+{
+	sasl_dispose(&gensec_sasl_state->conn);
+	return 0;
+}
+
+static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
+{
+	struct gensec_sasl_state *gensec_sasl_state;
+	const char *service = gensec_get_target_service(gensec_security);
+	const char *target_name = gensec_get_target_hostname(gensec_security);
+	struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
+	struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
+	char *local_addr = NULL;
+	char *remote_addr = NULL;
+	sasl_callback_t callbacks[5];
+	int sasl_ret;
+
+	callbacks[0].id = SASL_CB_USER;
+	callbacks[0].proc = gensec_sasl_get_user;
+	callbacks[0].context = gensec_security;
+
+	callbacks[1].id =  SASL_CB_AUTHNAME;
+	callbacks[1].proc = gensec_sasl_get_user;
+	callbacks[1].context = gensec_security;
+
+	callbacks[2].id = SASL_CB_GETREALM;
+	callbacks[2].proc = gensec_sasl_get_realm;
+	callbacks[2].context = gensec_security;
+
+	callbacks[3].id = SASL_CB_PASS;
+	callbacks[3].proc = gensec_sasl_get_password;
+	callbacks[3].context = gensec_security;
+
+	callbacks[4].id = SASL_CB_LIST_END;
+	callbacks[4].proc = NULL;
+	callbacks[4].context = NULL;
+
+	gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
+	if (!gensec_sasl_state) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	gensec_security->private_data = gensec_sasl_state;
+
+	if (local_socket_addr) {
+		local_addr = talloc_asprintf(gensec_sasl_state, 
+					     "%s;%d",
+					     local_socket_addr->addr, 
+					     local_socket_addr->port);
+	}
+
+	if (remote_socket_addr) {
+		remote_addr = talloc_asprintf(gensec_sasl_state, 
+					     "%s;%d",
+					     remote_socket_addr->addr, 
+					     remote_socket_addr->port);
+	}
+	gensec_sasl_state->step = 0;
+
+	sasl_ret = sasl_client_new(service,
+				   target_name,
+				   local_addr, remote_addr, callbacks, 0,
+				   &gensec_sasl_state->conn);
+	
+	if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
+		sasl_security_properties_t props;
+		talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
+
+		ZERO_STRUCT(props);
+		if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+			props.min_ssf = 1;
+		}
+		if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+			props.min_ssf = 40;
+		}
+		
+		props.max_ssf = UINT_MAX;
+		props.maxbufsize = 65536;
+		sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
+		if (sasl_ret != SASL_OK) {
+			return sasl_nt_status(sasl_ret);
+		}
+
+	} else {
+		DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
+	}
+	return sasl_nt_status(sasl_ret);
+}
+
+static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, 
+				   TALLOC_CTX *out_mem_ctx, 
+				   const DATA_BLOB in, DATA_BLOB *out) 
+{
+	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
+								      struct gensec_sasl_state);
+	int sasl_ret;
+	const char *out_data;
+	unsigned int out_len;
+
+	if (gensec_sasl_state->step == 0) {
+		const char *mech;
+		sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name, 
+					     NULL, &out_data, &out_len, &mech);
+	} else {
+		sasl_ret = sasl_client_step(gensec_sasl_state->conn, 
+					    in.data, in.length, NULL, &out_data, &out_len);
+	}
+	if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
+		*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
+	} else {
+		DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step, 
+			  sasl_errdetail(gensec_sasl_state->conn)));
+	}
+	gensec_sasl_state->step++;
+	return sasl_nt_status(sasl_ret);
+}
+
+static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security, 
+					TALLOC_CTX *out_mem_ctx, 
+					const DATA_BLOB *in, 
+					DATA_BLOB *out,
+					size_t *len_processed) 
+{
+	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
+								      struct gensec_sasl_state);
+	const char *out_data;
+	unsigned int out_len;
+
+	int sasl_ret = sasl_decode(gensec_sasl_state->conn, 
+				   in->data, in->length, &out_data, &out_len);
+	if (sasl_ret == SASL_OK) {
+		*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
+	} else {
+		DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
+	}
+	return sasl_nt_status(sasl_ret);
+
+}
+static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security, 
+					TALLOC_CTX *out_mem_ctx, 
+					const DATA_BLOB *in, 
+					DATA_BLOB *out,
+					size_t *len_processed) 
+{
+	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
+								      struct gensec_sasl_state);
+	const char *out_data;
+	unsigned int out_len;
+
+	int sasl_ret = sasl_encode(gensec_sasl_state->conn, 
+				   in->data, in->length, &out_data, &out_len);
+	if (sasl_ret == SASL_OK) {
+		*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
+	} else {
+		DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
+	}
+	return sasl_nt_status(sasl_ret);
+}
+
+/* Try to figure out what features we actually got on the connection */
+static BOOL gensec_sasl_have_feature(struct gensec_security *gensec_security, 
+				     uint32_t feature) 
+{
+	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
+								      struct gensec_sasl_state);
+	sasl_ssf_t ssf;
+	int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF, &ssf);
+	if (sasl_ret != SASL_OK) {
+		return False;
+	}
+	if (feature & GENSEC_FEATURE_SIGN) {
+		if (ssf == 0) {
+			return False;
+		}
+		if (ssf >= 1) {
+			return True;
+		}
+	}
+	if (feature & GENSEC_FEATURE_SEAL) {
+		if (ssf <= 1) {
+			return False;
+		}
+		if (ssf > 1) {
+			return True;
+		}
+	}
+	return False;
+}
+
+/* This could in theory work with any SASL mech */
+static const struct gensec_security_ops gensec_sasl_security_ops = {
+	.name             = "sasl-DIGEST-MD5",
+	.sasl_name        = "DIGEST-MD5",
+	.client_start     = gensec_sasl_client_start,
+	.update 	  = gensec_sasl_update,
+	.wrap_packets     = gensec_sasl_wrap_packets,
+	.unwrap_packets   = gensec_sasl_unwrap_packets,
+	.have_feature     = gensec_sasl_have_feature,
+	.enabled          = False,
+};
+
+int gensec_sasl_log(void *context, 
+		    int sasl_log_level,
+		    const char *message) 
+{
+	int debug_level;
+	switch (sasl_log_level) {
+	case SASL_LOG_NONE:
+		debug_level = 0;
+		break;
+	case SASL_LOG_ERR:
+		debug_level = 1;
+		break;
+	case SASL_LOG_FAIL:
+		debug_level = 2;
+		break;
+	case SASL_LOG_WARN:
+		debug_level = 3;
+		break;
+	case SASL_LOG_NOTE:
+		debug_level = 5;
+		break;
+	case SASL_LOG_DEBUG:
+		debug_level = 10;
+		break;
+	case SASL_LOG_TRACE:
+		debug_level = 11;
+		break;
+#if DEBUG_PASSWORD
+	case SASL_LOG_PASS:
+		debug_level = 100;
+		break;
+#endif
+	default:
+		debug_level = 0;
+		break;
+	}
+	DEBUG(debug_level, ("gensec_sasl: %s", message));
+
+	return SASL_OK;
+}
+
+NTSTATUS gensec_sasl_init(void)
+{
+	NTSTATUS ret;
+	int sasl_ret, i;
+	sasl_callback_t callbacks[2];
+	const char **sasl_mechs;
+	
+	callbacks[0].id = SASL_CB_LOG;
+	callbacks[0].proc = gensec_sasl_log;
+	callbacks[0].context = NULL;
+
+	callbacks[1].id = SASL_CB_LIST_END;
+	callbacks[1].proc = gensec_sasl_log;
+	callbacks[1].context = NULL;
+
+	sasl_ret = sasl_client_init(callbacks);
+	
+	if (sasl_ret == SASL_NOMECH) {
+		/* Nothing to do here */
+		return NT_STATUS_OK;
+	}
+
+	if (sasl_ret != SASL_OK) {
+		return sasl_nt_status(sasl_ret);
+	}
+
+	/* For now, we just register DIGEST-MD5 */
+#if 1
+	ret = gensec_register(&gensec_sasl_security_ops);
+	if (!NT_STATUS_IS_OK(ret)) {
+		DEBUG(0,("Failed to register '%s' gensec backend!\n",
+			 gensec_sasl_security_ops.name));
+		return ret;
+	}
+#else
+	sasl_mechs = sasl_global_listmech();
+	for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
+		const struct gensec_security_ops *oldmech;
+		struct gensec_security_ops *newmech;
+		oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
+		if (oldmech) {
+			continue;
+		}
+		newmech = talloc(NULL, struct gensec_security_ops);
+		if (!newmech) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		*newmech = gensec_sasl_security_ops;
+		newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
+		newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
+		if (!newmech->sasl_name || !newmech->name) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		ret = gensec_register(newmech);
+		if (!NT_STATUS_IS_OK(ret)) {
+			DEBUG(0,("Failed to register '%s' gensec backend!\n",
+				 gensec_sasl_security_ops.name));
+			return ret;
+		}
+	}
+#endif
+	return NT_STATUS_OK;
+}
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 839b538eeb..84d198cb7b 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -174,8 +174,8 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
 	return NULL;
 }
 
-static const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
-								      const char *sasl_name)
+const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
+							       const char *sasl_name)
 {
 	int i;
 	struct gensec_security_ops **backends;