Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Newer
Older
100644 620 lines (507 sloc) 17.266 kB
14c2920 Imported Upstream version 1.5.18
Antonio Radici authored
1 /*
19304f7 Imported Upstream version 1.5.19
Antonio Radici authored
2 * Copyright (C) 2000-8 Brendan Cully <brendan@kublai.com>
14c2920 Imported Upstream version 1.5.18
Antonio Radici authored
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 */
18
19 /* common SASL helper routines */
20
21 #if HAVE_CONFIG_H
22 # include "config.h"
23 #endif
24
25 #include "mutt.h"
26 #include "account.h"
27 #include "mutt_sasl.h"
28 #include "mutt_socket.h"
29
30 #include <errno.h>
31 #include <netdb.h>
32 #include <sasl/sasl.h>
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35
36 static int getnameinfo_err(int ret)
37 {
38 int err;
39 dprint (1, (debugfile, "getnameinfo: "));
40 switch(ret)
41 {
42 case EAI_AGAIN:
43 dprint (1, (debugfile, "The name could not be resolved at this time. Future attempts may succeed.\n"));
44 err=SASL_TRYAGAIN;
45 break;
46 case EAI_BADFLAGS:
47 dprint (1, (debugfile, "The flags had an invalid value.\n"));
48 err=SASL_BADPARAM;
49 break;
50 case EAI_FAIL:
51 dprint (1, (debugfile, "A non-recoverable error occurred.\n"));
52 err=SASL_FAIL;
53 break;
54 case EAI_FAMILY:
55 dprint (1, (debugfile, "The address family was not recognized or the address length was invalid for the specified family.\n"));
56 err=SASL_BADPROT;
57 break;
58 case EAI_MEMORY:
59 dprint (1, (debugfile, "There was a memory allocation failure.\n"));
60 err=SASL_NOMEM;
61 break;
62 case EAI_NONAME:
63 dprint (1, (debugfile, "The name does not resolve for the supplied parameters. NI_NAMEREQD is set and the host's name cannot be located, or both nodename and servname were null.\n"));
64 err=SASL_FAIL; /* no real equivalent */
65 break;
66 case EAI_SYSTEM:
67 dprint (1, (debugfile, "A system error occurred. The error code can be found in errno(%d,%s)).\n",errno,strerror(errno)));
68 err=SASL_FAIL; /* no real equivalent */
69 break;
70 default:
71 dprint (1, (debugfile, "Unknown error %d\n",ret));
72 err=SASL_FAIL; /* no real equivalent */
73 break;
74 }
75 return err;
76 }
77
78 /* arbitrary. SASL will probably use a smaller buffer anyway. OTOH it's
79 * been a while since I've had access to an SASL server which negotiated
80 * a protection buffer. */
81 #define M_SASL_MAXBUF 65536
82
83 #define IP_PORT_BUFLEN 1024
84
85 static sasl_callback_t mutt_sasl_callbacks[5];
86
87 static int mutt_sasl_start (void);
88
89 /* callbacks */
90 static int mutt_sasl_cb_log (void* context, int priority, const char* message);
91 static int mutt_sasl_cb_authname (void* context, int id, const char** result,
92 unsigned int* len);
93 static int mutt_sasl_cb_pass (sasl_conn_t* conn, void* context, int id,
94 sasl_secret_t** psecret);
95
96 /* socket wrappers for a SASL security layer */
97 static int mutt_sasl_conn_open (CONNECTION* conn);
98 static int mutt_sasl_conn_close (CONNECTION* conn);
99 static int mutt_sasl_conn_read (CONNECTION* conn, char* buf, size_t len);
100 static int mutt_sasl_conn_write (CONNECTION* conn, const char* buf,
101 size_t count);
102 static int mutt_sasl_conn_poll (CONNECTION* conn);
103
104 /* utility function, stolen from sasl2 sample code */
105 static int iptostring(const struct sockaddr *addr, socklen_t addrlen,
106 char *out, unsigned outlen) {
107 char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
108 int ret;
109
110 if(!addr || !out) return SASL_BADPARAM;
111
112 ret=getnameinfo(addr, addrlen, hbuf, sizeof(hbuf), pbuf, sizeof(pbuf),
113 NI_NUMERICHOST |
114 #ifdef NI_WITHSCOPEID
115 NI_WITHSCOPEID |
116 #endif
117 NI_NUMERICSERV);
118 if(ret)
119 return getnameinfo_err(ret);
120
121 if(outlen < strlen(hbuf) + strlen(pbuf) + 2)
122 return SASL_BUFOVER;
123
124 snprintf(out, outlen, "%s;%s", hbuf, pbuf);
125
126 return SASL_OK;
127 }
128
129 /* mutt_sasl_start: called before doing a SASL exchange - initialises library
130 * (if necessary). */
131 int mutt_sasl_start (void)
132 {
133 static unsigned char sasl_init = 0;
134
135 static sasl_callback_t callbacks[2];
136 int rc;
137
138 if (sasl_init)
139 return SASL_OK;
140
141 /* set up default logging callback */
142 callbacks[0].id = SASL_CB_LOG;
143 callbacks[0].proc = mutt_sasl_cb_log;
144 callbacks[0].context = NULL;
145
146 callbacks[1].id = SASL_CB_LIST_END;
147 callbacks[1].proc = NULL;
148 callbacks[1].context = NULL;
149
150 rc = sasl_client_init (callbacks);
151
152 if (rc != SASL_OK)
153 {
154 dprint (1, (debugfile, "mutt_sasl_start: libsasl initialisation failed.\n"));
155 return SASL_FAIL;
156 }
157
158 sasl_init = 1;
159
160 return SASL_OK;
161 }
162
163 /* mutt_sasl_client_new: wrapper for sasl_client_new which also sets various
164 * security properties. If this turns out to be fine for POP too we can
165 * probably stop exporting mutt_sasl_get_callbacks(). */
166 int mutt_sasl_client_new (CONNECTION* conn, sasl_conn_t** saslconn)
167 {
168 sasl_security_properties_t secprops;
169 struct sockaddr_storage local, remote;
170 socklen_t size;
171 char iplocalport[IP_PORT_BUFLEN], ipremoteport[IP_PORT_BUFLEN];
172 char* plp = NULL;
173 char* prp = NULL;
174 const char* service;
175 int rc;
176
177 if (mutt_sasl_start () != SASL_OK)
178 return -1;
179
180 switch (conn->account.type)
181 {
182 case M_ACCT_TYPE_IMAP:
183 service = "imap";
184 break;
185 case M_ACCT_TYPE_POP:
186 service = "pop";
187 break;
188 case M_ACCT_TYPE_SMTP:
189 service = "smtp";
190 break;
191 default:
192 mutt_error (_("Unknown SASL profile"));
193 return -1;
194 }
195
196 size = sizeof (local);
197 if (!getsockname (conn->fd, (struct sockaddr *)&local, &size)) {
198 if (!iptostring((struct sockaddr *)&local, size, iplocalport,
199 IP_PORT_BUFLEN) != SASL_OK)
200 plp = iplocalport;
201 else
202 dprint (2, (debugfile, "SASL failed to parse local IP address\n"));
203 }
204 else
205 dprint (2, (debugfile, "SASL failed to get local IP address\n"));
206
207 size = sizeof (remote);
208 if (!getpeername (conn->fd, (struct sockaddr *)&remote, &size)){
209 if (!iptostring((struct sockaddr *)&remote, size, ipremoteport,
210 IP_PORT_BUFLEN) != SASL_OK)
211 prp = ipremoteport;
212 else
213 dprint (2, (debugfile, "SASL failed to parse remote IP address\n"));
214 }
215 else
216 dprint (2, (debugfile, "SASL failed to get remote IP address\n"));
217
218 dprint (2, (debugfile, "SASL local ip: %s, remote ip:%s\n", NONULL(plp),
219 NONULL(prp)));
220
221 rc = sasl_client_new (service, conn->account.host, plp, prp,
222 mutt_sasl_get_callbacks (&conn->account), 0, saslconn);
223
224 if (rc != SASL_OK)
225 {
226 mutt_error (_("Error allocating SASL connection"));
227 return -1;
228 }
229
230 memset (&secprops, 0, sizeof (secprops));
231 /* Work around a casting bug in the SASL krb4 module */
232 secprops.max_ssf = 0x7fff;
233 secprops.maxbufsize = M_SASL_MAXBUF;
234 if (sasl_setprop (*saslconn, SASL_SEC_PROPS, &secprops) != SASL_OK)
235 {
236 mutt_error (_("Error setting SASL security properties"));
237 return -1;
238 }
239
240 if (conn->ssf)
241 {
242 /* I'm not sure this actually has an effect, at least with SASLv2 */
243 dprint (2, (debugfile, "External SSF: %d\n", conn->ssf));
244 if (sasl_setprop (*saslconn, SASL_SSF_EXTERNAL, &(conn->ssf)) != SASL_OK)
245 {
246 mutt_error (_("Error setting SASL external security strength"));
247 return -1;
248 }
19304f7 Imported Upstream version 1.5.19
Antonio Radici authored
249 }
250 if (conn->account.user[0])
251 {
14c2920 Imported Upstream version 1.5.18
Antonio Radici authored
252 dprint (2, (debugfile, "External authentication name: %s\n", conn->account.user));
253 if (sasl_setprop (*saslconn, SASL_AUTH_EXTERNAL, conn->account.user) != SASL_OK)
254 {
255 mutt_error (_("Error setting SASL external user name"));
256 return -1;
257 }
258 }
259
260 return 0;
261 }
262
263 sasl_callback_t* mutt_sasl_get_callbacks (ACCOUNT* account)
264 {
265 sasl_callback_t* callback;
266
267 callback = mutt_sasl_callbacks;
268
269 callback->id = SASL_CB_USER;
270 callback->proc = mutt_sasl_cb_authname;
271 callback->context = account;
272 callback++;
273
274 callback->id = SASL_CB_AUTHNAME;
275 callback->proc = mutt_sasl_cb_authname;
276 callback->context = account;
277 callback++;
278
279 callback->id = SASL_CB_PASS;
280 callback->proc = mutt_sasl_cb_pass;
281 callback->context = account;
282 callback++;
283
284 callback->id = SASL_CB_GETREALM;
285 callback->proc = NULL;
286 callback->context = NULL;
287 callback++;
288
289 callback->id = SASL_CB_LIST_END;
290 callback->proc = NULL;
291 callback->context = NULL;
292
293 return mutt_sasl_callbacks;
294 }
295
296 int mutt_sasl_interact (sasl_interact_t* interaction)
297 {
298 char prompt[SHORT_STRING];
299 char resp[SHORT_STRING];
300
301 while (interaction->id != SASL_CB_LIST_END)
302 {
303 dprint (2, (debugfile, "mutt_sasl_interact: filling in SASL interaction %ld.\n", interaction->id));
304
305 snprintf (prompt, sizeof (prompt), "%s: ", interaction->prompt);
306 resp[0] = '\0';
307 if (mutt_get_field (prompt, resp, sizeof (resp), 0))
308 return SASL_FAIL;
309
310 interaction->len = mutt_strlen (resp)+1;
311 interaction->result = safe_malloc (interaction->len);
312 memcpy ((char *)interaction->result, resp, interaction->len);
313
314 interaction++;
315 }
316
317 return SASL_OK;
318 }
319
320 /* SASL can stack a protection layer on top of an existing connection.
321 * To handle this, we store a saslconn_t in conn->sockdata, and write
322 * wrappers which en/decode the read/write stream, then replace sockdata
323 * with an embedded copy of the old sockdata and call the underlying
324 * functions (which we've also preserved). I thought about trying to make
325 * a general stackable connection system, but it seemed like overkill -
326 * something is wrong if we have 15 filters on top of a socket. Anyway,
327 * anything else which wishes to stack can use the same method. The only
328 * disadvantage is we have to write wrappers for all the socket methods,
329 * even if we only stack over read and write. Thinking about it, the
330 * abstraction problem is that there is more in CONNECTION than there
331 * needs to be. Ideally it would have only (void*)data and methods. */
332
333 /* mutt_sasl_setup_conn: replace connection methods, sockdata with
334 * SASL wrappers, for protection layers. Also get ssf, as a fastpath
335 * for the read/write methods. */
336 void mutt_sasl_setup_conn (CONNECTION* conn, sasl_conn_t* saslconn)
337 {
338 SASL_DATA* sasldata = (SASL_DATA*) safe_malloc (sizeof (SASL_DATA));
19304f7 Imported Upstream version 1.5.19
Antonio Radici authored
339 /* work around sasl_getprop aliasing issues */
340 const void* tmp;
14c2920 Imported Upstream version 1.5.18
Antonio Radici authored
341
342 sasldata->saslconn = saslconn;
343 /* get ssf so we know whether we have to (en|de)code read/write */
19304f7 Imported Upstream version 1.5.19
Antonio Radici authored
344 sasl_getprop (saslconn, SASL_SSF, &tmp);
345 sasldata->ssf = tmp;
14c2920 Imported Upstream version 1.5.18
Antonio Radici authored
346 dprint (3, (debugfile, "SASL protection strength: %u\n", *sasldata->ssf));
347 /* Add SASL SSF to transport SSF */
348 conn->ssf += *sasldata->ssf;
19304f7 Imported Upstream version 1.5.19
Antonio Radici authored
349 sasl_getprop (saslconn, SASL_MAXOUTBUF, &tmp);
350 sasldata->pbufsize = tmp;
14c2920 Imported Upstream version 1.5.18
Antonio Radici authored
351 dprint (3, (debugfile, "SASL protection buffer size: %u\n", *sasldata->pbufsize));
352
353 /* clear input buffer */
354 sasldata->buf = NULL;
355 sasldata->bpos = 0;
356 sasldata->blen = 0;
357
358 /* preserve old functions */
359 sasldata->sockdata = conn->sockdata;
360 sasldata->msasl_open = conn->conn_open;
361 sasldata->msasl_close = conn->conn_close;
362 sasldata->msasl_read = conn->conn_read;
363 sasldata->msasl_write = conn->conn_write;
364 sasldata->msasl_poll = conn->conn_poll;
365
366 /* and set up new functions */
367 conn->sockdata = sasldata;
368 conn->conn_open = mutt_sasl_conn_open;
369 conn->conn_close = mutt_sasl_conn_close;
370 conn->conn_read = mutt_sasl_conn_read;
371 conn->conn_write = mutt_sasl_conn_write;
372 conn->conn_poll = mutt_sasl_conn_poll;
373 }
374
375 /* mutt_sasl_cb_log: callback to log SASL messages */
376 static int mutt_sasl_cb_log (void* context, int priority, const char* message)
377 {
378 dprint (priority, (debugfile, "SASL: %s\n", message));
379
380 return SASL_OK;
381 }
382
383 void mutt_sasl_done (void)
384 {
385 sasl_done ();
386 }
387
388 /* mutt_sasl_cb_authname: callback to retrieve authname or user from ACCOUNT */
389 static int mutt_sasl_cb_authname (void* context, int id, const char** result,
390 unsigned* len)
391 {
392 ACCOUNT* account = (ACCOUNT*) context;
393
19304f7 Imported Upstream version 1.5.19
Antonio Radici authored
394 if (!result)
395 return SASL_FAIL;
396
14c2920 Imported Upstream version 1.5.18
Antonio Radici authored
397 *result = NULL;
398 if (len)
399 *len = 0;
400
401 if (!account)
402 return SASL_BADPARAM;
403
404 dprint (2, (debugfile, "mutt_sasl_cb_authname: getting %s for %s:%u\n",
405 id == SASL_CB_AUTHNAME ? "authname" : "user",
406 account->host, account->port));
407
408 if (id == SASL_CB_AUTHNAME)
409 {
410 if (mutt_account_getlogin (account))
411 return SASL_FAIL;
412 *result = account->login;
413 }
414 else
415 {
416 if (mutt_account_getuser (account))
417 return SASL_FAIL;
418 *result = account->user;
419 }
420
421 if (len)
422 *len = strlen (*result);
423
424 return SASL_OK;
425 }
426
427 static int mutt_sasl_cb_pass (sasl_conn_t* conn, void* context, int id,
428 sasl_secret_t** psecret)
429 {
430 ACCOUNT* account = (ACCOUNT*) context;
431 int len;
432
433 if (!account || !psecret)
434 return SASL_BADPARAM;
435
436 dprint (2, (debugfile,
437 "mutt_sasl_cb_pass: getting password for %s@%s:%u\n", account->login,
438 account->host, account->port));
439
440 if (mutt_account_getpass (account))
441 return SASL_FAIL;
442
443 len = strlen (account->pass);
444
445 *psecret = (sasl_secret_t*) safe_malloc (sizeof (sasl_secret_t) + len);
446 (*psecret)->len = len;
447 strcpy ((char*)(*psecret)->data, account->pass); /* __STRCPY_CHECKED__ */
448
449 return SASL_OK;
450 }
451
452 /* mutt_sasl_conn_open: empty wrapper for underlying open function. We
453 * don't know in advance that a connection will use SASL, so we
454 * replace conn's methods with sasl methods when authentication
455 * is successful, using mutt_sasl_setup_conn */
456 static int mutt_sasl_conn_open (CONNECTION* conn)
457 {
458 SASL_DATA* sasldata;
459 int rc;
460
461 sasldata = (SASL_DATA*) conn->sockdata;
462 conn->sockdata = sasldata->sockdata;
463 rc = (sasldata->msasl_open) (conn);
464 conn->sockdata = sasldata;
465
466 return rc;
467 }
468
469 /* mutt_sasl_conn_close: calls underlying close function and disposes of
470 * the sasl_conn_t object, then restores connection to pre-sasl state */
471 static int mutt_sasl_conn_close (CONNECTION* conn)
472 {
473 SASL_DATA* sasldata;
474 int rc;
475
476 sasldata = (SASL_DATA*) conn->sockdata;
477
478 /* restore connection's underlying methods */
479 conn->sockdata = sasldata->sockdata;
480 conn->conn_open = sasldata->msasl_open;
481 conn->conn_close = sasldata->msasl_close;
482 conn->conn_read = sasldata->msasl_read;
483 conn->conn_write = sasldata->msasl_write;
484
485 /* release sasl resources */
486 sasl_dispose (&sasldata->saslconn);
487 FREE (&sasldata);
488
489 /* call underlying close */
490 rc = (conn->conn_close) (conn);
491
492 return rc;
493 }
494
495 static int mutt_sasl_conn_read (CONNECTION* conn, char* buf, size_t len)
496 {
497 SASL_DATA* sasldata;
498 int rc;
499
500 unsigned int olen;
501
502 sasldata = (SASL_DATA*) conn->sockdata;
503
504 /* if we still have data in our read buffer, copy it into buf */
505 if (sasldata->blen > sasldata->bpos)
506 {
507 olen = (sasldata->blen - sasldata->bpos > len) ? len :
508 sasldata->blen - sasldata->bpos;
509
510 memcpy (buf, sasldata->buf+sasldata->bpos, olen);
511 sasldata->bpos += olen;
512
513 return olen;
514 }
515
516 conn->sockdata = sasldata->sockdata;
517
518 sasldata->bpos = 0;
519 sasldata->blen = 0;
520
521 /* and decode the result, if necessary */
522 if (*sasldata->ssf)
523 {
524 do
525 {
526 /* call the underlying read function to fill the buffer */
527 rc = (sasldata->msasl_read) (conn, buf, len);
528 if (rc <= 0)
529 goto out;
530
531 rc = sasl_decode (sasldata->saslconn, buf, rc, &sasldata->buf,
532 &sasldata->blen);
533 if (rc != SASL_OK)
534 {
535 dprint (1, (debugfile, "SASL decode failed: %s\n",
536 sasl_errstring (rc, NULL, NULL)));
537 goto out;
538 }
539 }
540 while (!sasldata->blen);
541
542 olen = (sasldata->blen - sasldata->bpos > len) ? len :
543 sasldata->blen - sasldata->bpos;
544
545 memcpy (buf, sasldata->buf, olen);
546 sasldata->bpos += olen;
547
548 rc = olen;
549 }
550 else
551 rc = (sasldata->msasl_read) (conn, buf, len);
552
553 out:
554 conn->sockdata = sasldata;
555
556 return rc;
557 }
558
559 static int mutt_sasl_conn_write (CONNECTION* conn, const char* buf,
560 size_t len)
561 {
562 SASL_DATA* sasldata;
563 int rc;
564
565 const char *pbuf;
566 unsigned int olen, plen;
567
568 sasldata = (SASL_DATA*) conn->sockdata;
569 conn->sockdata = sasldata->sockdata;
570
571 /* encode data, if necessary */
572 if (*sasldata->ssf)
573 {
574 /* handle data larger than MAXOUTBUF */
575 do
576 {
577 olen = (len > *sasldata->pbufsize) ? *sasldata->pbufsize : len;
578
579 rc = sasl_encode (sasldata->saslconn, buf, olen, &pbuf, &plen);
580 if (rc != SASL_OK)
581 {
582 dprint (1, (debugfile, "SASL encoding failed: %s\n",
583 sasl_errstring (rc, NULL, NULL)));
584 goto fail;
585 }
586
587 rc = (sasldata->msasl_write) (conn, pbuf, plen);
588 if (rc != plen)
589 goto fail;
590
591 len -= olen;
592 buf += olen;
593 }
594 while (len > *sasldata->pbufsize);
595 }
596 else
597 /* just write using the underlying socket function */
598 rc = (sasldata->msasl_write) (conn, buf, len);
599
600 conn->sockdata = sasldata;
601
602 return rc;
603
604 fail:
605 conn->sockdata = sasldata;
606 return -1;
607 }
608
609 static int mutt_sasl_conn_poll (CONNECTION* conn)
610 {
611 SASL_DATA* sasldata = conn->sockdata;
612 int rc;
613
614 conn->sockdata = sasldata->sockdata;
615 rc = sasldata->msasl_poll (conn);
616 conn->sockdata = sasldata;
617
618 return rc;
619 }
Something went wrong with that request. Please try again.