xref: /illumos-gate/usr/src/lib/sasl_plugins/login/login.c (revision 598f4ceed9327d2d6c2325dd67cae3aa06f7fea6)
1 /*
2  * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
3  */
4 
5 /* LOGIN is a PLAIN-like authenticator, but for older deployments. */
6 
7 /* Login SASL plugin
8  * Rob Siemborski (SASLv2 Conversion)
9  * contributed by Rainer Schoepf <schoepf@uni-mainz.de>
10  * based on PLAIN, by Tim Martin <tmartin@andrew.cmu.edu>
11  * $Id: login.c,v 1.25 2003/02/13 19:56:04 rjs3 Exp $
12  */
13 /*
14  * Copyright (c) 1998-2003 Carnegie Mellon University.  All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  *
20  * 1. Redistributions of source code must retain the above copyright
21  *    notice, this list of conditions and the following disclaimer.
22  *
23  * 2. Redistributions in binary form must reproduce the above copyright
24  *    notice, this list of conditions and the following disclaimer in
25  *    the documentation and/or other materials provided with the
26  *    distribution.
27  *
28  * 3. The name "Carnegie Mellon University" must not be used to
29  *    endorse or promote products derived from this software without
30  *    prior written permission. For permission or any other legal
31  *    details, please contact
32  *      Office of Technology Transfer
33  *      Carnegie Mellon University
34  *      5000 Forbes Avenue
35  *      Pittsburgh, PA  15213-3890
36  *      (412) 268-4387, fax: (412) 268-7395
37  *      tech-transfer@andrew.cmu.edu
38  *
39  * 4. Redistributions of any form whatsoever must retain the following
40  *    acknowledgment:
41  *    "This product includes software developed by Computing Services
42  *     at Carnegie Mellon University (http://www.cmu.edu/computing/)."
43  *
44  * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
45  * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
46  * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
47  * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
48  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
49  * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
50  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
51  */
52 
53 #include <config.h>
54 #include <stdio.h>
55 #include <ctype.h>
56 #include <sasl.h>
57 #include <saslplug.h>
58 
59 #include "plugin_common.h"
60 
61 #ifndef _SUN_SDK_
62 #ifdef WIN32
63 /* This must be after sasl.h */
64 # include "saslLOGIN.h"
65 #endif /* WIN32 */
66 #endif /* !_SUN_SDK_ */
67 
68 /*****************************  Common Section  *****************************/
69 
70 #ifndef _SUN_SDK_
71 static const char plugin_id[] = "$Id: login.c,v 1.25 2003/02/13 19:56:04 rjs3 Exp $";
72 #endif /* !_SUN_SDK_ */
73 
74 /*****************************  Server Section  *****************************/
75 
76 typedef struct context {
77     int state;
78 
79     char *username;
80     size_t username_len;
81 } server_context_t;
82 
83 static int login_server_mech_new(void *glob_context __attribute__((unused)),
84 				 sasl_server_params_t *sparams,
85 				 const char *challenge __attribute__((unused)),
86 				 unsigned challen __attribute__((unused)),
87 				 void **conn_context)
88 {
89     server_context_t *text;
90 
91     /* holds state are in */
92     text = sparams->utils->malloc(sizeof(server_context_t));
93     if (text == NULL) {
94 	MEMERROR( sparams->utils );
95 	return SASL_NOMEM;
96     }
97 
98     memset(text, 0, sizeof(server_context_t));
99 
100     text->state = 1;
101 
102     *conn_context = text;
103 
104     return SASL_OK;
105 }
106 
107 #define USERNAME_CHALLENGE "Username:"
108 #define PASSWORD_CHALLENGE "Password:"
109 
110 static int login_server_mech_step(void *conn_context,
111 				  sasl_server_params_t *params,
112 				  const char *clientin,
113 				  unsigned clientinlen,
114 				  const char **serverout,
115 				  unsigned *serveroutlen,
116 				  sasl_out_params_t *oparams)
117 {
118     server_context_t *text = (server_context_t *) conn_context;
119 
120     *serverout = NULL;
121     *serveroutlen = 0;
122 
123     switch (text->state) {
124 
125     case 1:
126 	text->state = 2;
127 
128 	/* Check inlen, (possibly we have already the user name) */
129 	/* In this case fall through to state 2 */
130 	if (clientinlen == 0) {
131 	    /* demand username */
132 
133 	    *serveroutlen = strlen(USERNAME_CHALLENGE);
134 	    *serverout = USERNAME_CHALLENGE;
135 
136 	    return SASL_CONTINUE;
137 	}
138 
139 
140     case 2:
141 	/* Catch really long usernames */
142 	if (clientinlen > 1024) {
143 #ifdef _SUN_SDK_
144 	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
145 		"username too long (>1024 characters)");
146 #else
147 	    SETERROR(params->utils, "username too long (>1024 characters)");
148 #endif	/* _SUN_SDK_ */
149 	    return SASL_BADPROT;
150 	}
151 
152 	/* get username */
153 	text->username =
154 	    params->utils->malloc(sizeof(sasl_secret_t) + clientinlen + 1);
155 	if (!text->username) {
156 	    MEMERROR( params->utils );
157 	    return SASL_NOMEM;
158 	}
159 
160 	strncpy(text->username, clientin, clientinlen);
161 	text->username_len = clientinlen;
162 	text->username[clientinlen] = '\0';
163 
164 	/* demand password */
165 	*serveroutlen = strlen(PASSWORD_CHALLENGE);
166 	*serverout = PASSWORD_CHALLENGE;
167 
168 	text->state = 3;
169 
170 	return SASL_CONTINUE;
171 
172 
173     case 3: {
174 	sasl_secret_t *password;
175 	int result;
176 
177 	/* Catch really long passwords */
178 	if (clientinlen > 1024) {
179 #ifdef _SUN_SDK_
180 	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
181 		     "clientinlen is > 1024 characters in LOGIN plugin");
182 #else
183 	    SETERROR(params->utils,
184 		     "clientinlen is > 1024 characters in LOGIN plugin");
185 #endif	/* _SUN_SDK_ */
186 	    return SASL_BADPROT;
187 	}
188 
189 	/* get password */
190 	password =
191 	    params->utils->malloc(sizeof(sasl_secret_t) + clientinlen + 1);
192 	if (!password) {
193 	    MEMERROR(params->utils);
194 	    return SASL_NOMEM;
195 	}
196 
197 	strncpy((char *)password->data, clientin, clientinlen);
198 	password->data[clientinlen] = '\0';
199 	password->len = clientinlen;
200 
201 	/* canonicalize username first, so that password verification is
202 	 * done against the canonical id */
203 	result = params->canon_user(params->utils->conn, text->username,
204 				    text->username_len,
205 				    SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
206 	if (result != SASL_OK) {
207 		_plug_free_secret(params->utils, &password);
208 		return result;
209 	}
210 
211 	/* verify_password - return sasl_ok on success */
212 	result = params->utils->checkpass(params->utils->conn,
213 					oparams->authid, oparams->alen,
214 					(char *)password->data, password->len);
215 
216 	if (result != SASL_OK) {
217 	    _plug_free_secret(params->utils, &password);
218 	    return result;
219 	}
220 
221 	if (params->transition) {
222 	    params->transition(params->utils->conn,
223 			       (char *)password->data, password->len);
224 	}
225 
226 	_plug_free_secret(params->utils, &password);
227 
228 	*serverout = NULL;
229 	*serveroutlen = 0;
230 
231 	oparams->doneflag = 1;
232 	oparams->mech_ssf = 0;
233 	oparams->maxoutbuf = 0;
234 	oparams->encode_context = NULL;
235 	oparams->encode = NULL;
236 	oparams->decode_context = NULL;
237 	oparams->decode = NULL;
238 	oparams->param_version = 0;
239 
240 	return SASL_OK;
241     }
242 
243 
244     default:
245 	params->utils->log(NULL, SASL_LOG_ERR,
246 			   "Invalid LOGIN server step %d\n", text->state);
247 	return SASL_FAIL;
248     }
249 
250     return SASL_FAIL; /* should never get here */
251 }
252 
253 static void login_server_mech_dispose(void *conn_context,
254 				      const sasl_utils_t *utils)
255 {
256     server_context_t *text = (server_context_t *) conn_context;
257 
258     if (!text) return;
259 
260     if (text->username) utils->free(text->username);
261 
262     utils->free(text);
263 }
264 
265 static sasl_server_plug_t login_server_plugins[] =
266 {
267     {
268 	"LOGIN",			/* mech_name */
269 	0,				/* max_ssf */
270 	SASL_SEC_NOANONYMOUS,		/* security_flags */
271 	0,				/* features */
272 	NULL,				/* glob_context */
273 	&login_server_mech_new,		/* mech_new */
274 	&login_server_mech_step,	/* mech_step */
275 	&login_server_mech_dispose,	/* mech_dispose */
276 	NULL,				/* mech_free */
277 	NULL,				/* setpass */
278 	NULL,				/* user_query */
279 	NULL,				/* idle */
280 	NULL,				/* mech_avail */
281 	NULL				/* spare */
282     }
283 };
284 
285 int login_server_plug_init(sasl_utils_t *utils,
286 			   int maxversion,
287 			   int *out_version,
288 			   sasl_server_plug_t **pluglist,
289 			   int *plugcount)
290 {
291     if (maxversion < SASL_SERVER_PLUG_VERSION) {
292 	SETERROR(utils, "LOGIN version mismatch");
293 	return SASL_BADVERS;
294     }
295 
296     *out_version = SASL_SERVER_PLUG_VERSION;
297     *pluglist = login_server_plugins;
298     *plugcount = 1;
299 
300     return SASL_OK;
301 }
302 
303 /*****************************  Client Section  *****************************/
304 
305 typedef struct client_context {
306     int state;
307 
308 #ifdef _INTEGRATED_SOLARIS_
309     void *h;
310 #endif /* _INTEGRATED_SOLARIS_ */
311     sasl_secret_t *password;
312     unsigned int free_password; /* set if we need to free password */
313 } client_context_t;
314 
315 static int login_client_mech_new(void *glob_context __attribute__((unused)),
316 				 sasl_client_params_t *params,
317 				 void **conn_context)
318 {
319     client_context_t *text;
320 
321     /* holds state are in */
322     text = params->utils->malloc(sizeof(client_context_t));
323     if (text == NULL) {
324 	MEMERROR(params->utils);
325 	return SASL_NOMEM;
326     }
327 
328     memset(text, 0, sizeof(client_context_t));
329 
330     text->state = 1;
331 
332     *conn_context = text;
333 
334     return SASL_OK;
335 }
336 
337 static int login_client_mech_step(void *conn_context,
338 				  sasl_client_params_t *params,
339 				  const char *serverin __attribute__((unused)),
340 				  unsigned serverinlen __attribute__((unused)),
341 				  sasl_interact_t **prompt_need,
342 				  const char **clientout,
343 				  unsigned *clientoutlen,
344 				  sasl_out_params_t *oparams)
345 {
346     client_context_t *text = (client_context_t *) conn_context;
347 
348     *clientout = NULL;
349     *clientoutlen = 0;
350 
351     switch (text->state) {
352 
353     case 1: {
354 	const char *user;
355 	int auth_result = SASL_OK;
356 	int pass_result = SASL_OK;
357 	int result;
358 
359 	/* check if sec layer strong enough */
360 	if (params->props.min_ssf > params->external_ssf) {
361 #ifdef _INTEGRATED_SOLARIS_
362 	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
363 		gettext("SSF requested of LOGIN plugin"));
364 #else
365 	    SETERROR( params->utils, "SSF requested of LOGIN plugin");
366 #endif /* _INTEGRATED_SOLARIS_ */
367 	    return SASL_TOOWEAK;
368 	}
369 
370 	/* try to get the userid */
371 	/* Note: we want to grab the authname and not the userid, which is
372 	 *       who we AUTHORIZE as, and will be the same as the authname
373 	 *       for the LOGIN mech.
374 	 */
375 	if (oparams->user == NULL) {
376 	    auth_result = _plug_get_authid(params->utils, &user, prompt_need);
377 
378 	    if ((auth_result != SASL_OK) && (auth_result != SASL_INTERACT))
379 		return auth_result;
380 	}
381 
382 	/* try to get the password */
383 	if (text->password == NULL) {
384 	    pass_result = _plug_get_password(params->utils, &text->password,
385 					     &text->free_password, prompt_need);
386 
387 	    if ((pass_result != SASL_OK) && (pass_result != SASL_INTERACT))
388 		return pass_result;
389 	}
390 
391 	/* free prompts we got */
392 	if (prompt_need && *prompt_need) {
393 	    params->utils->free(*prompt_need);
394 	    *prompt_need = NULL;
395 	}
396 
397 	/* if there are prompts not filled in */
398 	if ((auth_result == SASL_INTERACT) || (pass_result == SASL_INTERACT)) {
399 	    /* make the prompt list */
400 	    result =
401 #ifdef _INTEGRATED_SOLARIS_
402 		_plug_make_prompts(params->utils, &text->h, prompt_need,
403 		    NULL, NULL,
404 		    auth_result == SASL_INTERACT ?
405 		    gettext("Please enter your authentication name") : NULL,
406 		    NULL,
407 		    pass_result == SASL_INTERACT ?
408 		    gettext("Please enter your password") : NULL, NULL,
409 		    NULL, NULL, NULL,
410 		    NULL, NULL, NULL);
411 #else
412 		_plug_make_prompts(params->utils, prompt_need,
413 				   NULL, NULL,
414 				   auth_result == SASL_INTERACT ?
415 				   "Please enter your authentication name" : NULL,
416 				   NULL,
417 				   pass_result == SASL_INTERACT ?
418 				   "Please enter your password" : NULL, NULL,
419 				   NULL, NULL, NULL,
420 				   NULL, NULL, NULL);
421 #endif /* _INTEGRATED_SOLARIS_ */
422 	    if (result != SASL_OK) return result;
423 
424 	    return SASL_INTERACT;
425 	}
426 
427 	if (!text->password) {
428 	    PARAMERROR(params->utils);
429 	    return SASL_BADPARAM;
430 	}
431 
432 	result = params->canon_user(params->utils->conn, user, 0,
433 				    SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
434 	if (result != SASL_OK) return result;
435 
436 	/* server should have sent request for username - we ignore it */
437 	if (!serverin) {
438 #ifdef _SUN_SDK_
439 	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
440 		      "Server didn't issue challenge for USERNAME");
441 #else
442 	    SETERROR( params->utils,
443 		      "Server didn't issue challenge for USERNAME");
444 #endif /* _SUN_SDK_ */
445 	    return SASL_BADPROT;
446 	}
447 
448 	if (!clientout) {
449 	    PARAMERROR( params->utils );
450 	    return SASL_BADPARAM;
451 	}
452 
453 	if (clientoutlen) *clientoutlen = oparams->alen;
454 	*clientout = oparams->authid;
455 
456 	text->state = 2;
457 
458 	return SASL_CONTINUE;
459     }
460 
461     case 2:
462 	/* server should have sent request for password - we ignore it */
463 	if (!serverin) {
464 #ifdef _SUN_SDK_
465 	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
466 		      "Server didn't issue challenge for PASSWORD");
467 #else
468 	    SETERROR( params->utils,
469 		      "Server didn't issue challenge for PASSWORD");
470 #endif /* _SUN_SDK_ */
471 	    return SASL_BADPROT;
472 	}
473 
474 	if (!clientout) {
475 	    PARAMERROR(params->utils);
476 	    return SASL_BADPARAM;
477 	}
478 
479 	if (clientoutlen) *clientoutlen = text->password->len;
480 	*clientout = (char *)text->password->data;
481 
482 	/* set oparams */
483 	oparams->doneflag = 1;
484 	oparams->mech_ssf = 0;
485 	oparams->maxoutbuf = 0;
486 	oparams->encode_context = NULL;
487 	oparams->encode = NULL;
488 	oparams->decode_context = NULL;
489 	oparams->decode = NULL;
490 	oparams->param_version = 0;
491 
492 	return SASL_OK;
493 
494     default:
495 	params->utils->log(NULL, SASL_LOG_ERR,
496 			   "Invalid LOGIN client step %d\n", text->state);
497 	return SASL_FAIL;
498     }
499 
500     return SASL_FAIL; /* should never get here */
501 }
502 
503 static void login_client_mech_dispose(void *conn_context,
504 				      const sasl_utils_t *utils)
505 {
506     client_context_t *text = (client_context_t *) conn_context;
507 
508     if (!text) return;
509 
510     /* free sensitive info */
511     if (text->free_password) _plug_free_secret(utils, &(text->password));
512 #ifdef _INTEGRATED_SOLARIS_
513     convert_prompt(utils, &text->h, NULL);
514 #endif /* _INTEGRATED_SOLARIS_ */
515 
516     utils->free(text);
517 }
518 
519 static sasl_client_plug_t login_client_plugins[] =
520 {
521     {
522 	"LOGIN",			/* mech_name */
523 	0,				/* max_ssf */
524 	SASL_SEC_NOANONYMOUS,		/* security_flags */
525 	SASL_FEAT_SERVER_FIRST,		/* features */
526 	NULL,				/* required_prompts */
527 	NULL,				/* glob_context */
528 	&login_client_mech_new,		/* mech_new */
529 	&login_client_mech_step,	/* mech_step */
530 	&login_client_mech_dispose,	/* mech_dispose */
531 	NULL,				/* mech_free */
532 	NULL,				/* idle */
533 	NULL,				/* spare */
534 	NULL				/* spare */
535     }
536 };
537 
538 int login_client_plug_init(sasl_utils_t *utils,
539 			   int maxversion,
540 			   int *out_version,
541 			   sasl_client_plug_t **pluglist,
542 			   int *plugcount)
543 {
544     if (maxversion < SASL_CLIENT_PLUG_VERSION) {
545 	SETERROR(utils, "Version mismatch in LOGIN");
546 	return SASL_BADVERS;
547     }
548 
549     *out_version = SASL_CLIENT_PLUG_VERSION;
550     *pluglist = login_client_plugins;
551     *plugcount = 1;
552 
553     return SASL_OK;
554 }
555