diff options
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/config.mk | 10 | ||||
-rw-r--r-- | source4/auth/gensec/cyrus_sasl.c | 413 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.c | 4 |
3 files changed, 425 insertions, 2 deletions
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk index 0aaf82949e..cb8b2edc85 100644 --- a/source4/auth/gensec/config.mk +++ b/source4/auth/gensec/config.mk @@ -33,6 +33,16 @@ PUBLIC_DEPENDENCIES = KERBEROS auth HEIMDAL_GSSAPI ################################################ ################################################ +# Start MODULE cyrus_sasl +[MODULE::cyrus_sasl] +SUBSYSTEM = gensec +INIT_FUNCTION = gensec_sasl_init +OBJ_FILES = cyrus_sasl.o +PUBLIC_DEPENDENCIES = SASL auth +# End MODULE cyrus_sasl +################################################ + +################################################ # Start MODULE gensec_spnego [MODULE::gensec_spnego] SUBSYSTEM = gensec diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c new file mode 100644 index 0000000000..02b26d3e5f --- /dev/null +++ b/source4/auth/gensec/cyrus_sasl.c @@ -0,0 +1,413 @@ +/* + Unix SMB/CIFS implementation. + + Connect GENSEC to an external SASL lib + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "auth/auth.h" +#include "lib/socket/socket.h" +#include <sasl/sasl.h> + +struct gensec_sasl_state { + sasl_conn_t *conn; + int step; +}; + +static NTSTATUS sasl_nt_status(int sasl_ret) +{ + switch (sasl_ret) { + case SASL_CONTINUE: + return NT_STATUS_MORE_PROCESSING_REQUIRED; + case SASL_NOMEM: + return NT_STATUS_NO_MEMORY; + case SASL_BADPARAM: + case SASL_NOMECH: + return NT_STATUS_INVALID_PARAMETER; + case SASL_BADMAC: + return NT_STATUS_ACCESS_DENIED; + case SASL_OK: + return NT_STATUS_OK; + default: + return NT_STATUS_UNSUCCESSFUL; + } +} + +static int gensec_sasl_get_user(void *context, int id, + const char **result, unsigned *len) +{ + struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security); + const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security)); + if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) { + return SASL_FAIL; + } + + *result = username; + return SASL_OK; +} + +static int gensec_sasl_get_realm(void *context, int id, + const char **availrealms, + const char **result) +{ + struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security); + const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security)); + int i; + if (id != SASL_CB_GETREALM) { + return SASL_FAIL; + } + + for (i=0; availrealms && availrealms[i]; i++) { + if (strcasecmp_m(realm, availrealms[i]) == 0) { + result[i] = availrealms[i]; + return SASL_OK; + } + } + /* None of the realms match, so lets not specify one */ + *result = ""; + return SASL_OK; +} + +static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id, + sasl_secret_t **psecret) +{ + struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security); + const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security)); + + sasl_secret_t *secret; + if (!password) { + *psecret = NULL; + return SASL_OK; + } + secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)); + if (!secret) { + return SASL_NOMEM; + } + secret->len = strlen(password); + safe_strcpy(secret->data, password, secret->len+1); + return SASL_OK; +} + +static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state) +{ + sasl_dispose(&gensec_sasl_state->conn); + return 0; +} + +static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security) +{ + struct gensec_sasl_state *gensec_sasl_state; + const char *service = gensec_get_target_service(gensec_security); + const char *target_name = gensec_get_target_hostname(gensec_security); + struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security); + struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security); + char *local_addr = NULL; + char *remote_addr = NULL; + sasl_callback_t callbacks[5]; + int sasl_ret; + + callbacks[0].id = SASL_CB_USER; + callbacks[0].proc = gensec_sasl_get_user; + callbacks[0].context = gensec_security; + + callbacks[1].id = SASL_CB_AUTHNAME; + callbacks[1].proc = gensec_sasl_get_user; + callbacks[1].context = gensec_security; + + callbacks[2].id = SASL_CB_GETREALM; + callbacks[2].proc = gensec_sasl_get_realm; + callbacks[2].context = gensec_security; + + callbacks[3].id = SASL_CB_PASS; + callbacks[3].proc = gensec_sasl_get_password; + callbacks[3].context = gensec_security; + + callbacks[4].id = SASL_CB_LIST_END; + callbacks[4].proc = NULL; + callbacks[4].context = NULL; + + gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state); + if (!gensec_sasl_state) { + return NT_STATUS_NO_MEMORY; + } + + gensec_security->private_data = gensec_sasl_state; + + if (local_socket_addr) { + local_addr = talloc_asprintf(gensec_sasl_state, + "%s;%d", + local_socket_addr->addr, + local_socket_addr->port); + } + + if (remote_socket_addr) { + remote_addr = talloc_asprintf(gensec_sasl_state, + "%s;%d", + remote_socket_addr->addr, + remote_socket_addr->port); + } + gensec_sasl_state->step = 0; + + sasl_ret = sasl_client_new(service, + target_name, + local_addr, remote_addr, callbacks, 0, + &gensec_sasl_state->conn); + + if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) { + sasl_security_properties_t props; + talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose); + + ZERO_STRUCT(props); + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + props.min_ssf = 1; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + props.min_ssf = 40; + } + + props.max_ssf = UINT_MAX; + props.maxbufsize = 65536; + sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props); + if (sasl_ret != SASL_OK) { + return sasl_nt_status(sasl_ret); + } + + } else { + DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn))); + } + return sasl_nt_status(sasl_ret); +} + +static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) +{ + struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data, + struct gensec_sasl_state); + int sasl_ret; + const char *out_data; + unsigned int out_len; + + if (gensec_sasl_state->step == 0) { + const char *mech; + sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name, + NULL, &out_data, &out_len, &mech); + } else { + sasl_ret = sasl_client_step(gensec_sasl_state->conn, + in.data, in.length, NULL, &out_data, &out_len); + } + if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) { + *out = data_blob_talloc(out_mem_ctx, out_data, out_len); + } else { + DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step, + sasl_errdetail(gensec_sasl_state->conn))); + } + gensec_sasl_state->step++; + return sasl_nt_status(sasl_ret); +} + +static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out, + size_t *len_processed) +{ + struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data, + struct gensec_sasl_state); + const char *out_data; + unsigned int out_len; + + int sasl_ret = sasl_decode(gensec_sasl_state->conn, + in->data, in->length, &out_data, &out_len); + if (sasl_ret == SASL_OK) { + *out = data_blob_talloc(out_mem_ctx, out_data, out_len); + } else { + DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn))); + } + return sasl_nt_status(sasl_ret); + +} +static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out, + size_t *len_processed) +{ + struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data, + struct gensec_sasl_state); + const char *out_data; + unsigned int out_len; + + int sasl_ret = sasl_encode(gensec_sasl_state->conn, + in->data, in->length, &out_data, &out_len); + if (sasl_ret == SASL_OK) { + *out = data_blob_talloc(out_mem_ctx, out_data, out_len); + } else { + DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn))); + } + return sasl_nt_status(sasl_ret); +} + +/* Try to figure out what features we actually got on the connection */ +static BOOL gensec_sasl_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data, + struct gensec_sasl_state); + sasl_ssf_t ssf; + int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF, &ssf); + if (sasl_ret != SASL_OK) { + return False; + } + if (feature & GENSEC_FEATURE_SIGN) { + if (ssf == 0) { + return False; + } + if (ssf >= 1) { + return True; + } + } + if (feature & GENSEC_FEATURE_SEAL) { + if (ssf <= 1) { + return False; + } + if (ssf > 1) { + return True; + } + } + return False; +} + +/* This could in theory work with any SASL mech */ +static const struct gensec_security_ops gensec_sasl_security_ops = { + .name = "sasl-DIGEST-MD5", + .sasl_name = "DIGEST-MD5", + .client_start = gensec_sasl_client_start, + .update = gensec_sasl_update, + .wrap_packets = gensec_sasl_wrap_packets, + .unwrap_packets = gensec_sasl_unwrap_packets, + .have_feature = gensec_sasl_have_feature, + .enabled = False, +}; + +int gensec_sasl_log(void *context, + int sasl_log_level, + const char *message) +{ + int debug_level; + switch (sasl_log_level) { + case SASL_LOG_NONE: + debug_level = 0; + break; + case SASL_LOG_ERR: + debug_level = 1; + break; + case SASL_LOG_FAIL: + debug_level = 2; + break; + case SASL_LOG_WARN: + debug_level = 3; + break; + case SASL_LOG_NOTE: + debug_level = 5; + break; + case SASL_LOG_DEBUG: + debug_level = 10; + break; + case SASL_LOG_TRACE: + debug_level = 11; + break; +#if DEBUG_PASSWORD + case SASL_LOG_PASS: + debug_level = 100; + break; +#endif + default: + debug_level = 0; + break; + } + DEBUG(debug_level, ("gensec_sasl: %s", message)); + + return SASL_OK; +} + +NTSTATUS gensec_sasl_init(void) +{ + NTSTATUS ret; + int sasl_ret, i; + sasl_callback_t callbacks[2]; + const char **sasl_mechs; + + callbacks[0].id = SASL_CB_LOG; + callbacks[0].proc = gensec_sasl_log; + callbacks[0].context = NULL; + + callbacks[1].id = SASL_CB_LIST_END; + callbacks[1].proc = gensec_sasl_log; + callbacks[1].context = NULL; + + sasl_ret = sasl_client_init(callbacks); + + if (sasl_ret == SASL_NOMECH) { + /* Nothing to do here */ + return NT_STATUS_OK; + } + + if (sasl_ret != SASL_OK) { + return sasl_nt_status(sasl_ret); + } + + /* For now, we just register DIGEST-MD5 */ +#if 1 + ret = gensec_register(&gensec_sasl_security_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_sasl_security_ops.name)); + return ret; + } +#else + sasl_mechs = sasl_global_listmech(); + for (i = 0; sasl_mechs && sasl_mechs[i]; i++) { + const struct gensec_security_ops *oldmech; + struct gensec_security_ops *newmech; + oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]); + if (oldmech) { + continue; + } + newmech = talloc(NULL, struct gensec_security_ops); + if (!newmech) { + return NT_STATUS_NO_MEMORY; + } + *newmech = gensec_sasl_security_ops; + newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]); + newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]); + if (!newmech->sasl_name || !newmech->name) { + return NT_STATUS_NO_MEMORY; + } + + ret = gensec_register(newmech); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_sasl_security_ops.name)); + return ret; + } + } +#endif + return NT_STATUS_OK; +} diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 839b538eeb..84d198cb7b 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -174,8 +174,8 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security return NULL; } -static const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security, - const char *sasl_name) +const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security, + const char *sasl_name) { int i; struct gensec_security_ops **backends; |