static int getauthline(isieve_t *obj, char **line, unsigned int *linelen,
char **errstrp)
{
lexstate_t state;
int res;
size_t len;
char *errstr = NULL;
char *last_send;
int r;
/* now let's see what the server said */
res=yylex(&state, obj->pin);
*line = NULL;
if (res!=STRING)
{
(void)handle_response(res, obj->version,
obj->pin, &last_send, &errstr);
if (res==TOKEN_OK) {
/* Was there a last send from the server? */
if(last_send) {
/* it's base64 encoded */
int last_send_len = strlen(last_send);
len = last_send_len*2+1;
*line = xmalloc(len);
r = sasl_decode64(last_send, last_send_len,
*line, len, linelen);
free(last_send);
if (r != SASL_OK)
return STAT_NO;
}
return STAT_OK;
} else { /* server said no or bye*/
/* xxx handle referrals */
*errstrp = errstr;
return STAT_NO;
}
}
len = strlen(state.str)*2+1;
*line=(char *) xmalloc(len);
r = sasl_decode64(state.str, strlen(state.str),
*line, len, linelen);
if (r != SASL_OK)
return STAT_NO;
if (yylex(&state, obj->pin)!=EOL)
return STAT_NO;
return STAT_CONT;
}
bson_bool_t
_mongoc_sasl_step (mongoc_sasl_t *sasl,
const bson_uint8_t *inbuf,
bson_uint32_t inbuflen,
bson_uint8_t *outbuf,
bson_uint32_t outbufmax,
bson_uint32_t *outbuflen,
bson_error_t *error)
{
const char *raw = NULL;
unsigned rawlen = 0;
int status;
BSON_ASSERT (sasl);
BSON_ASSERT (inbuf);
BSON_ASSERT (outbuf);
BSON_ASSERT (outbuflen);
BSON_ASSERT (*outbuflen);
sasl->step++;
if (sasl->step == 1) {
return _mongoc_sasl_start (sasl, outbuf, outbufmax, outbuflen,
error);
} else if (sasl->step >= 10) {
bson_set_error (error,
MONGOC_ERROR_SASL,
SASL_NOTDONE,
"SASL Failure: maximum steps detected");
return FALSE;
}
if (!inbuflen) {
bson_set_error (error,
MONGOC_ERROR_SASL,
MONGOC_ERROR_CLIENT_AUTHENTICATE,
"SASL Failure: no payload provided from server.");
return FALSE;
}
status = sasl_decode64 ((char *)inbuf, inbuflen, (char *)outbuf, outbufmax,
outbuflen);
if (_mongoc_sasl_is_failure (status, error)) {
return FALSE;
}
status = sasl_client_step (sasl->conn, (char *)outbuf, *outbuflen,
&sasl->interact, &raw, &rawlen);
if (_mongoc_sasl_is_failure (status, error)) {
return FALSE;
}
status = sasl_encode64 (raw, rawlen, (char *)outbuf, outbufmax, outbuflen);
if (_mongoc_sasl_is_failure (status, error)) {
return FALSE;
}
return TRUE;
}
/*
* decode a Base 64 to string
*/
DWORD
VmDecodeToBase64(
PBYTE pEncodedInput,
DWORD dwEncodedLen,
PBYTE *ppBase64Decoded,
DWORD *pDecodedLen
)
{
DWORD dwError = 0;
DWORD dwBase64DecodedByteLen = 0;
PBYTE pBase64Decoded = NULL;
if (!pEncodedInput || !ppBase64Decoded)
{
dwError = VM_COMMON_ERROR_INVALID_PARAMETER;
BAIL_ON_VM_COMMON_ERROR(dwError);
}
dwError = VmAllocateMemory(dwEncodedLen, (PVOID *)&pBase64Decoded);
BAIL_ON_VM_COMMON_ERROR(dwError);
dwError = sasl_decode64((PCSTR)pEncodedInput,
dwEncodedLen,
(PSTR)pBase64Decoded,
dwEncodedLen,
&dwBase64DecodedByteLen
);
BAIL_ON_VM_COMMON_ERROR(dwError);
*ppBase64Decoded = pBase64Decoded;
*pDecodedLen = dwBase64DecodedByteLen;
cleanup:
return dwError;
error:
VM_COMMON_SAFE_FREE_MEMORY(pBase64Decoded);
if (ppBase64Decoded)
{
*ppBase64Decoded = NULL;
}
if (pDecodedLen)
{
*pDecodedLen = 0;
}
goto cleanup;
}
int php_mongo_saslcontinue(mongo_con_manager *manager, mongo_connection *con, mongo_server_options *options, mongo_server_def *server_def, sasl_conn_t *conn, char *step_payload, int step_payload_len, int32_t conversation_id, char **error_message) {
sasl_interact_t *client_interact=NULL;
/*
* Snippet from sasl.h:
* 4. client calls sasl_client_step()
* 4b. If SASL error, goto 7 or 3
* 4c. If SASL_OK, continue or goto 6 if last server response was success
*/
do {
char base_payload[4096], payload[4096];
unsigned int base_payload_len, payload_len;
const char *out;
unsigned int outlen;
unsigned char done = 0;
int result;
step_payload_len--; /* Remove the \0 from the string */
result = sasl_decode64(step_payload, step_payload_len, base_payload, sizeof(base_payload), &base_payload_len);
if (is_sasl_failure(conn, result, error_message)) {
return 0;
}
result = sasl_client_step(conn, (const char *)base_payload, base_payload_len, &client_interact, &out, &outlen);
if (is_sasl_failure(conn, result, error_message)) {
return 0;
}
result = sasl_encode64(out, outlen, payload, sizeof(base_payload), &payload_len);
if (is_sasl_failure(conn, result, error_message)) {
return 0;
}
if (!mongo_connection_authenticate_saslcontinue(manager, con, options, server_def, conversation_id, payload, payload_len + 1, &step_payload, &step_payload_len, &done, error_message)) {
return 0;
}
if (done) {
break;
}
} while (1);
return 1;
}
/* data = cyrussasl.decode64(b64data)
*
* Partner function to encode64().
*/
static int cyrussasl_sasl_decode64(lua_State *l)
{
const char *data = NULL;
char *outdata = NULL;
size_t len;
unsigned outlen;
int err;
int numargs = lua_gettop(l);
if (numargs != 1) {
lua_pushstring(l, "usage: data = cyrussasl.decode64(b64data)");
lua_error(l);
return 0;
}
data = tostring(l, 1);
len = strlen(data);
outdata = malloc(len);
if (!outdata) {
lua_pushstring(l, "failed to malloc in decode64");
lua_error(l);
return 0;
}
/* Perform a decode-in-place, which is kosher according to docs. */
err = sasl_decode64(data, len, outdata, len, &outlen);
if ( err != SASL_OK ) {
free(outdata);
lua_pushstring(l, "sasl_decode64 failed");
lua_error(l);
return 0;
}
if (outdata) {
lua_pushlstring(l, outdata, outlen);
} else {
lua_pushnil(l);
}
free(outdata);
return 1;
}
int php_mongo_saslcontinue(mongo_con_manager *manager, mongo_connection *con, mongo_server_options *options, mongo_server_def *server_def, sasl_conn_t *conn, char *step_payload, int step_payload_len, int32_t conversation_id, char **error_message) {
int result;
sasl_interact_t *client_interact=NULL;
do {
char base_payload[4096], payload[4096];
unsigned int base_payload_len, payload_len;
unsigned char done;
const char *out;
unsigned int outlen;
result = sasl_decode64(step_payload, step_payload_len, base_payload, sizeof(base_payload), &base_payload_len);
if (is_sasl_failure(conn, result, error_message)) {
return result;
}
result = sasl_client_step(conn, (const char *)base_payload, base_payload_len, &client_interact, &out, &outlen);
if (is_sasl_failure(conn, result, error_message)) {
return result;
}
/* TODO : Deal with interaction */
if (result == SASL_OK) {
/* We are all done */
break;
}
result = sasl_encode64(out, outlen, payload, sizeof(base_payload), &payload_len);
if (is_sasl_failure(conn, result, error_message)) {
return result;
}
if (!mongo_connection_authenticate_saslcontinue(manager, con, options, server_def, conversation_id, payload, payload_len + 1, &step_payload, &step_payload_len, &done, (char **)&error_message)) {
*error_message = strdup("saslStart failed miserably");
return result;
}
} while (result == SASL_INTERACT || result == SASL_CONTINUE);
return result;
}
int
ArgusGetSaslString(FILE *f, char *buf, int buflen)
{
unsigned int len = -1;
char *s = NULL;
int result;
if (ferror(f))
clearerr(f);
if ((s = fgets(buf, buflen, f)) != NULL) {
switch (*buf) {
case 'C': {
if (!(strncmp(buf, "C: ", 3))) {
buf[strlen(buf) - 1] = '\0';
result = sasl_decode64(buf + 3, (unsigned) strlen(buf + 3), buf, buflen, &len);
if (result != SASL_OK)
ArgusLog (LOG_ERR, "ArgusGetSaslString: sasl_decode64 error");
buf[len] = '\0';
} else
ArgusLog (LOG_ERR, "ArgusGetSaslString: error %s", strerror(errno));
break;
}
default:
case 'N':
len = -1;
break;
}
}
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusGetSaslString(0x%x, 0x%x, %d) %s", f, buf, buflen, buf);
#endif
return len;
}
int mailpop3_auth(mailpop3 * f, const char * auth_type,
const char * server_fqdn,
const char * local_ip_port,
const char * remote_ip_port,
const char * login, const char * auth_name,
const char * password, const char * realm)
{
#ifdef USE_SASL
int r;
char command[POP3_STRING_SIZE];
sasl_callback_t sasl_callback[5];
const char * sasl_out;
unsigned sasl_out_len;
const char * mechusing;
sasl_secret_t * secret;
int res;
size_t len;
char * encoded;
unsigned int encoded_len;
unsigned int max_encoded;
sasl_callback[0].id = SASL_CB_GETREALM;
sasl_callback[0].proc = sasl_getrealm;
sasl_callback[0].context = f;
sasl_callback[1].id = SASL_CB_USER;
sasl_callback[1].proc = sasl_getsimple;
sasl_callback[1].context = f;
sasl_callback[2].id = SASL_CB_AUTHNAME;
sasl_callback[2].proc = sasl_getsimple;
sasl_callback[2].context = f;
sasl_callback[3].id = SASL_CB_PASS;
sasl_callback[3].proc = sasl_getsecret;
sasl_callback[3].context = f;
sasl_callback[4].id = SASL_CB_LIST_END;
sasl_callback[4].proc = NULL;
sasl_callback[4].context = NULL;
len = strlen(password);
secret = malloc(sizeof(* secret) + len);
if (secret == NULL) {
res = MAILPOP3_ERROR_MEMORY;
goto err;
}
secret->len = len;
memcpy(secret->data, password, len + 1);
f->pop3_sasl.sasl_server_fqdn = server_fqdn;
f->pop3_sasl.sasl_login = login;
f->pop3_sasl.sasl_auth_name = auth_name;
f->pop3_sasl.sasl_password = password;
f->pop3_sasl.sasl_realm = realm;
f->pop3_sasl.sasl_secret = secret;
/* init SASL */
if (f->pop3_sasl.sasl_conn != NULL) {
sasl_dispose((sasl_conn_t **) &f->pop3_sasl.sasl_conn);
f->pop3_sasl.sasl_conn = NULL;
}
else {
mailsasl_ref();
}
r = sasl_client_new("pop", server_fqdn,
local_ip_port, remote_ip_port, sasl_callback, 0,
(sasl_conn_t **) &f->pop3_sasl.sasl_conn);
if (r != SASL_OK) {
res = MAILPOP3_ERROR_BAD_USER;
goto free_secret;
}
r = sasl_client_start(f->pop3_sasl.sasl_conn,
auth_type, NULL, &sasl_out, &sasl_out_len, &mechusing);
if ((r != SASL_CONTINUE) && (r != SASL_OK)) {
res = MAILPOP3_ERROR_BAD_USER;
goto free_sasl_conn;
}
snprintf(command, POP3_STRING_SIZE, "AUTH %s\r\n", auth_type);
r = send_command(f, command);
if (r == -1) {
res = MAILPOP3_ERROR_STREAM;
goto free_sasl_conn;
}
while (1) {
char * response;
response = read_line(f);
r = parse_auth(f, response);
switch (r) {
case RESPONSE_OK:
f->pop3_state = POP3_STATE_TRANSACTION;
res = MAILPOP3_NO_ERROR;
goto free_sasl_conn;
case RESPONSE_ERR:
res = MAILPOP3_ERROR_BAD_USER;
goto free_sasl_conn;
case RESPONSE_AUTH_CONT:
{
size_t response_len;
char * decoded;
unsigned int decoded_len;
unsigned int max_decoded;
int got_response;
got_response = 1;
if (* f->pop3_response == '\0')
got_response = 0;
if (got_response) {
char * p;
p = strchr(f->pop3_response, '\r');
if (p != NULL) {
* p = '\0';
}
p = strchr(f->pop3_response, '\n');
if (p != NULL) {
* p = '\0';
}
response_len = strlen(f->pop3_response);
max_decoded = response_len * 3 / 4;
decoded = malloc(max_decoded + 1);
if (decoded == NULL) {
res = MAILPOP3_ERROR_MEMORY;
goto free_sasl_conn;
}
r = sasl_decode64(f->pop3_response, response_len,
decoded, max_decoded + 1, &decoded_len);
if (r != SASL_OK) {
free(decoded);
res = MAILPOP3_ERROR_MEMORY;
goto free_sasl_conn;
}
r = sasl_client_step(f->pop3_sasl.sasl_conn,
decoded, decoded_len, NULL, &sasl_out, &sasl_out_len);
free(decoded);
if ((r != SASL_CONTINUE) && (r != SASL_OK)) {
res = MAILPOP3_ERROR_BAD_USER;
goto free_sasl_conn;
}
}
max_encoded = ((sasl_out_len + 2) / 3) * 4;
encoded = malloc(max_encoded + 1);
if (encoded == NULL) {
res = MAILPOP3_ERROR_MEMORY;
goto free_sasl_conn;
}
r = sasl_encode64(sasl_out, sasl_out_len,
encoded, max_encoded + 1, &encoded_len);
if (r != SASL_OK) {
free(encoded);
res = MAILPOP3_ERROR_MEMORY;
goto free_sasl_conn;
}
snprintf(command, POP3_STRING_SIZE, "%s\r\n", encoded);
r = send_command(f, command);
free(encoded);
if (r == -1) {
res = MAILPOP3_ERROR_STREAM;
goto free_sasl_conn;
}
}
break;
}
}
f->pop3_state = POP3_STATE_TRANSACTION;
res = MAILPOP3_NO_ERROR;
free_sasl_conn:
sasl_dispose((sasl_conn_t **) &f->pop3_sasl.sasl_conn);
f->pop3_sasl.sasl_conn = NULL;
mailsasl_unref();
free_secret:
free(f->pop3_sasl.sasl_secret);
f->pop3_sasl.sasl_secret = NULL;
err:
return res;
#else
return MAILPOP3_ERROR_BAD_USER;
#endif
}
/* imap_auth_sasl: Default authenticator if available. */
imap_auth_res_t imap_auth_sasl (IMAP_DATA* idata, const char* method)
{
sasl_conn_t* saslconn;
sasl_interact_t* interaction = NULL;
int rc, irc;
char buf[HUGE_STRING];
const char* mech;
const char *pc = NULL;
unsigned int len, olen;
unsigned char client_start;
if (mutt_sasl_client_new (idata->conn, &saslconn) < 0)
{
dprint (1, (debugfile,
"imap_auth_sasl: Error allocating SASL connection.\n"));
return IMAP_AUTH_FAILURE;
}
rc = SASL_FAIL;
/* If the user hasn't specified a method, use any available */
if (!method)
{
method = idata->capstr;
/* hack for SASL ANONYMOUS support:
* 1. Fetch username. If it's "" or "anonymous" then
* 2. attempt sasl_client_start with only "AUTH=ANONYMOUS" capability
* 3. if sasl_client_start fails, fall through... */
if (mutt_account_getuser (&idata->conn->account))
return IMAP_AUTH_FAILURE;
if (mutt_bit_isset (idata->capabilities, AUTH_ANON) &&
(!idata->conn->account.user[0] ||
!ascii_strncmp (idata->conn->account.user, "anonymous", 9)))
rc = sasl_client_start (saslconn, "AUTH=ANONYMOUS", NULL, &pc, &olen,
&mech);
} else if (!ascii_strcasecmp ("login", method) &&
!strstr (NONULL (idata->capstr), "AUTH=LOGIN"))
/* do not use SASL login for regular IMAP login (#3556) */
return IMAP_AUTH_UNAVAIL;
if (rc != SASL_OK && rc != SASL_CONTINUE)
do
{
rc = sasl_client_start (saslconn, method, &interaction,
&pc, &olen, &mech);
if (rc == SASL_INTERACT)
mutt_sasl_interact (interaction);
}
while (rc == SASL_INTERACT);
client_start = (olen > 0);
if (rc != SASL_OK && rc != SASL_CONTINUE)
{
if (method)
dprint (2, (debugfile, "imap_auth_sasl: %s unavailable\n", method));
else
dprint (1, (debugfile, "imap_auth_sasl: Failure starting authentication exchange. No shared mechanisms?\n"));
/* SASL doesn't support LOGIN, so fall back */
return IMAP_AUTH_UNAVAIL;
}
mutt_message (_("Authenticating (%s)..."), mech);
snprintf (buf, sizeof (buf), "AUTHENTICATE %s", mech);
if (mutt_bit_isset (idata->capabilities, SASL_IR) && client_start)
{
len = mutt_strlen (buf);
buf[len++] = ' ';
if (sasl_encode64 (pc, olen, buf + len, sizeof (buf) - len, &olen) != SASL_OK)
{
dprint (1, (debugfile, "imap_auth_sasl: error base64-encoding client response.\n"));
goto bail;
}
client_start = olen = 0;
}
imap_cmd_start (idata, buf);
irc = IMAP_CMD_CONTINUE;
/* looping protocol */
while (rc == SASL_CONTINUE || olen > 0)
{
do
irc = imap_cmd_step (idata);
while (irc == IMAP_CMD_CONTINUE);
if (irc == IMAP_CMD_BAD || irc == IMAP_CMD_NO)
goto bail;
if (irc == IMAP_CMD_RESPOND)
{
/* Exchange incorrectly returns +\r\n instead of + \r\n */
if (idata->buf[1] == '\0')
{
buf[0] = '\0';
len = 0;
}
else if (sasl_decode64 (idata->buf+2, strlen (idata->buf+2), buf,
LONG_STRING-1, &len) != SASL_OK)
{
dprint (1, (debugfile, "imap_auth_sasl: error base64-decoding server response.\n"));
goto bail;
}
}
/* client-start is only available with the SASL-IR extension, but
* SASL 2.1 seems to want to use it regardless, at least for DIGEST
* fast reauth. Override if the server sent an initial continuation */
if (!client_start || buf[0])
{
do
{
rc = sasl_client_step (saslconn, buf, len, &interaction, &pc, &olen);
if (rc == SASL_INTERACT)
mutt_sasl_interact (interaction);
}
while (rc == SASL_INTERACT);
}
else
client_start = 0;
/* send out response, or line break if none needed */
if (olen)
{
if (sasl_encode64 (pc, olen, buf, sizeof (buf), &olen) != SASL_OK)
{
dprint (1, (debugfile, "imap_auth_sasl: error base64-encoding client response.\n"));
goto bail;
}
}
if (irc == IMAP_CMD_RESPOND)
{
strfcpy (buf + olen, "\r\n", sizeof (buf) - olen);
mutt_socket_write (idata->conn, buf);
}
/* If SASL has errored out, send an abort string to the server */
if (rc < 0)
{
mutt_socket_write (idata->conn, "*\r\n");
dprint (1, (debugfile, "imap_auth_sasl: sasl_client_step error %d\n",rc));
}
olen = 0;
}
while (irc != IMAP_CMD_OK)
if ((irc = imap_cmd_step (idata)) != IMAP_CMD_CONTINUE)
break;
if (rc != SASL_OK)
goto bail;
if (imap_code (idata->buf))
{
mutt_sasl_setup_conn (idata->conn, saslconn);
return IMAP_AUTH_SUCCESS;
}
bail:
sasl_dispose (&saslconn);
if (method)
{
dprint (2, (debugfile, "imap_auth_sasl: %s failed\n", method));
return IMAP_AUTH_UNAVAIL;
}
mutt_error _("SASL authentication failed.");
mutt_sleep(2);
return IMAP_AUTH_FAILURE;
}
/* NOTE: success_data will need to be free()d by the caller */
int saslserver(sasl_conn_t *conn, const char *mech,
const char *init_resp, const char *resp_prefix,
const char *continuation, const char *empty_chal,
struct protstream *pin, struct protstream *pout,
int *sasl_result, char **success_data)
{
char base64[BASE64_BUF_SIZE+1];
char *clientin = NULL;
unsigned int clientinlen = 0;
const char *serverout = NULL;
unsigned int serveroutlen = 0;
int r = SASL_OK;
if (success_data) *success_data = NULL;
/* initial response */
if (init_resp) {
clientin = base64;
if (!strcmp(init_resp, "=")) {
/* zero-length initial response */
base64[0] = '\0';
}
else {
r = sasl_decode64(init_resp, strlen(init_resp),
clientin, BASE64_BUF_SIZE, &clientinlen);
}
}
/* start the exchange */
if (r == SASL_OK)
r = sasl_server_start(conn, mech, clientin, clientinlen,
&serverout, &serveroutlen);
while (r == SASL_CONTINUE) {
char *p;
/* send the challenge to the client */
if (serveroutlen) {
r = sasl_encode64(serverout, serveroutlen,
base64, BASE64_BUF_SIZE, NULL);
if (r != SASL_OK) break;
serverout = base64;
}
else {
serverout = empty_chal;
}
prot_printf(pout, "%s%s\r\n", continuation, serverout);
prot_flush(pout);
/* get response from the client */
if (!prot_fgets(base64, BASE64_BUF_SIZE, pin) ||
strncasecmp(base64, resp_prefix, strlen(resp_prefix))) {
if (sasl_result) *sasl_result = SASL_FAIL;
return IMAP_SASL_PROTERR;
}
/* trim CRLF */
p = base64 + strlen(base64) - 1;
if (p >= base64 && *p == '\n') *p-- = '\0';
if (p >= base64 && *p == '\r') *p-- = '\0';
/* trim prefix */
p = base64 + strlen(resp_prefix);
/* check if client cancelled */
if (p[0] == '*') {
if(sasl_result) *sasl_result = SASL_BADPROT;
return IMAP_SASL_CANCEL;
}
/* decode the response */
clientin = base64;
r = sasl_decode64(p, strlen(p),
clientin, BASE64_BUF_SIZE, &clientinlen);
if (r != SASL_OK) break;
/* do the next step */
r = sasl_server_step(conn, clientin, clientinlen,
&serverout, &serveroutlen);
}
/* success data */
if (r == SASL_OK && serverout && success_data) {
r = sasl_encode64(serverout, serveroutlen,
base64, BASE64_BUF_SIZE, NULL);
if (r == SASL_OK)
*success_data = (char *) xstrdup(base64);
}
if (sasl_result) *sasl_result = r;
return (r == SASL_OK ? 0 : IMAP_SASL_FAIL);
}
static long _get_srp_secret_decoded(
char *username,
srp_p_secret_blob_data srp_data)
{
long sts = 0;
char *srp_secret = NULL;
char *srp_secret_str = NULL;
unsigned int srp_secret_str_len = 0;
unsigned int srp_secret_len_max = 0;
unsigned int srp_secret_len = 0;
uint32_t srp_decode_buf_len = 0;
uint16_t srp_decode_mda_len = 0;
uint16_t srp_decode_v_len = 0;
uint8_t srp_decode_salt_len = 0;
char *srp_decode_ptr = NULL;
char *srp_mda = NULL;
char *srp_v = NULL;
char *srp_salt = NULL;
/*
* This is the implementation of the RPC VmDirGetSRPSecret.
* The public interface VmDirGetSRPSecret() is no longer needed
* by this implementation
*/
sts = VmDirSRPGetIdentityData(
username,
&srp_secret_str,
&srp_secret_str_len);
if (sts)
{
goto error;
}
srp_secret = calloc(srp_secret_str_len, sizeof(char));
if (!srp_secret)
{
sts = rpc_s_no_memory;
goto error;
}
srp_secret_len_max = srp_secret_str_len;
sts = sasl_decode64(srp_secret_str,
srp_secret_str_len,
srp_secret,
srp_secret_len_max,
&srp_secret_len);
if (sts != SASL_OK)
{
sts = rpc_s_coding_error;
goto error;
}
/*
* Encoding of data blob (from common/srp.c):
* calculate buffer size
* mda: Message Digest Algorithm
* v: SRP private "hash" value * salt: random salt generated at "hash" creation time
*
* 0. 4 byte length
* 1. utf8(mda) : 2 bytes + string
* 2. mpi(v) : 2 bytes + verifier
* 3. os(salt) : 1 bytes + salt
*/
srp_decode_ptr = srp_secret;
memcpy(&srp_decode_buf_len, srp_decode_ptr, sizeof(uint32_t));
srp_decode_ptr += sizeof(uint32_t);
srp_decode_buf_len = ntohl(srp_decode_buf_len);
memcpy(&srp_decode_mda_len, srp_decode_ptr, sizeof(uint16_t));
srp_decode_ptr += sizeof(uint16_t);
srp_decode_mda_len = ntohs(srp_decode_mda_len);
srp_mda = srp_decode_ptr;
srp_decode_ptr += srp_decode_mda_len;
memcpy(&srp_decode_v_len, srp_decode_ptr, sizeof(uint16_t));
srp_decode_ptr += sizeof(uint16_t);
srp_decode_v_len = ntohs(srp_decode_v_len);
srp_v = srp_decode_ptr;
srp_decode_ptr += srp_decode_v_len;
memcpy(&srp_decode_salt_len, srp_decode_ptr, sizeof(uint8_t));
srp_decode_ptr += sizeof(uint8_t);
srp_salt = srp_decode_ptr;
/* blob is the buffer, the rest are aliased pointers */
srp_data->blob = srp_secret;
srp_data->blob_len = srp_decode_buf_len;
srp_data->mda = srp_mda;
srp_data->mda_len = srp_decode_mda_len;
srp_data->v = srp_v;
srp_data->v_len = srp_decode_v_len;
srp_data->salt = srp_salt;
srp_data->salt_len = srp_decode_salt_len;
error:
if (sts)
{
if (srp_secret)
{
free(srp_secret);
}
}
if (srp_secret_str)
{
free(srp_secret_str);
}
return sts;
}
int mailesmtp_auth_sasl(mailsmtp * session, const char * auth_type,
const char * server_fqdn,
const char * local_ip_port,
const char * remote_ip_port,
const char * login, const char * auth_name,
const char * password, const char * realm)
{
#ifdef USE_SASL
int r;
char command[SMTP_STRING_SIZE];
sasl_callback_t sasl_callback[5];
const char * sasl_out;
unsigned sasl_out_len;
const char * mechusing;
sasl_secret_t * secret;
int res;
size_t len;
char * encoded;
unsigned int encoded_len;
unsigned int max_encoded;
sasl_callback[0].id = SASL_CB_GETREALM;
sasl_callback[0].proc = (int (*)(void)) sasl_getrealm;
sasl_callback[0].context = session;
sasl_callback[1].id = SASL_CB_USER;
sasl_callback[1].proc = (int (*)(void)) sasl_getsimple;
sasl_callback[1].context = session;
sasl_callback[2].id = SASL_CB_AUTHNAME;
sasl_callback[2].proc = (int (*)(void)) sasl_getsimple;
sasl_callback[2].context = session;
sasl_callback[3].id = SASL_CB_PASS;
sasl_callback[3].proc = (int (*)(void)) sasl_getsecret;
sasl_callback[3].context = session;
sasl_callback[4].id = SASL_CB_LIST_END;
sasl_callback[4].proc = NULL;
sasl_callback[4].context = NULL;
len = strlen(password);
secret = malloc(sizeof(* secret) + len);
if (secret == NULL) {
res = MAILSMTP_ERROR_MEMORY;
goto err;
}
secret->len = len;
memcpy(secret->data, password, len + 1);
session->smtp_sasl.sasl_server_fqdn = server_fqdn;
session->smtp_sasl.sasl_login = login;
session->smtp_sasl.sasl_auth_name = auth_name;
session->smtp_sasl.sasl_password = password;
session->smtp_sasl.sasl_realm = realm;
session->smtp_sasl.sasl_secret = secret;
/* init SASL */
if (session->smtp_sasl.sasl_conn != NULL) {
sasl_dispose((sasl_conn_t **) &session->smtp_sasl.sasl_conn);
session->smtp_sasl.sasl_conn = NULL;
}
else {
mailsasl_ref();
}
r = sasl_client_new("smtp", server_fqdn,
local_ip_port, remote_ip_port, sasl_callback, 0,
(sasl_conn_t **) &session->smtp_sasl.sasl_conn);
if (r != SASL_OK) {
res = MAILSMTP_ERROR_AUTH_LOGIN;
goto free_secret;
}
r = sasl_client_start(session->smtp_sasl.sasl_conn,
auth_type, NULL, &sasl_out, &sasl_out_len, &mechusing);
if ((r != SASL_CONTINUE) && (r != SASL_OK)) {
res = MAILSMTP_ERROR_AUTH_LOGIN;
goto free_sasl_conn;
}
if (sasl_out_len != 0) {
max_encoded = ((sasl_out_len + 2) / 3) * 4;
encoded = malloc(max_encoded + 1);
if (encoded == NULL) {
res = MAILSMTP_ERROR_MEMORY;
goto free_sasl_conn;
}
r = sasl_encode64(sasl_out, sasl_out_len,
encoded, max_encoded + 1, &encoded_len);
if (r != SASL_OK) {
free(encoded);
res = MAILSMTP_ERROR_MEMORY;
goto free_sasl_conn;
}
snprintf(command, SMTP_STRING_SIZE, "AUTH %s %s\r\n", auth_type, encoded);
free(encoded);
}
else {
snprintf(command, SMTP_STRING_SIZE, "AUTH %s\r\n", auth_type);
}
r = send_command_private(session, command, 0);
if (r == -1) {
res = MAILSMTP_ERROR_STREAM;
goto free_sasl_conn;
}
while (1) {
r = read_response(session);
switch (r) {
case 220:
case 235:
res = MAILSMTP_NO_ERROR;
goto free_sasl_conn;
case 535:
res = MAILSMTP_ERROR_AUTH_LOGIN;
goto free_sasl_conn;
case 553:
case 554:
res = MAILSMTP_ERROR_AUTH_AUTHENTICATION_FAILED;
goto free_sasl_conn;
case 334:
{
size_t response_len;
char * decoded;
unsigned int decoded_len;
unsigned int max_decoded;
char * p;
p = strchr(session->response, '\r');
if (p != NULL) {
* p = '\0';
}
p = strchr(session->response, '\n');
if (p != NULL) {
* p = '\0';
}
response_len = strlen(session->response);
max_decoded = response_len * 3 / 4;
decoded = malloc(max_decoded + 1);
if (decoded == NULL) {
res = MAILSMTP_ERROR_MEMORY;
goto free_sasl_conn;
}
r = sasl_decode64(session->response, response_len,
decoded, max_decoded + 1, &decoded_len);
if (r != SASL_OK) {
free(decoded);
res = MAILSMTP_ERROR_MEMORY;
goto free_sasl_conn;
}
r = sasl_client_step(session->smtp_sasl.sasl_conn,
decoded, decoded_len, NULL, &sasl_out, &sasl_out_len);
free(decoded);
if ((r != SASL_CONTINUE) && (r != SASL_OK)) {
res = MAILSMTP_ERROR_AUTH_LOGIN;
goto free_sasl_conn;
}
max_encoded = ((sasl_out_len + 2) / 3) * 4;
encoded = malloc(max_encoded + 1);
if (encoded == NULL) {
res = MAILSMTP_ERROR_MEMORY;
goto free_sasl_conn;
}
r = sasl_encode64(sasl_out, sasl_out_len,
encoded, max_encoded + 1, &encoded_len);
if (r != SASL_OK) {
free(encoded);
res = MAILSMTP_ERROR_MEMORY;
goto free_sasl_conn;
}
snprintf(command, SMTP_STRING_SIZE, "%s\r\n", encoded);
r = send_command(session, command);
free(encoded);
if (r == -1) {
res = MAILSMTP_ERROR_STREAM;
goto free_sasl_conn;
}
}
break;
default:
res = auth_map_errors(r);
goto free_sasl_conn;
}
}
res = MAILSMTP_NO_ERROR;
free_sasl_conn:
sasl_dispose((sasl_conn_t **) &session->smtp_sasl.sasl_conn);
session->smtp_sasl.sasl_conn = NULL;
mailsasl_unref();
free_secret:
free(session->smtp_sasl.sasl_secret);
session->smtp_sasl.sasl_secret = NULL;
err:
return res;
#else
return MAILSMTP_ERROR_NOT_IMPLEMENTED;
#endif
}
static int login(struct backend *s, const char *userid,
sasl_callback_t *cb, const char **status,
int noauth __attribute__((unused)))
{
int r = 0;
socklen_t addrsize;
struct sockaddr_storage saddr_l, saddr_r;
char remoteip[60], localip[60];
static struct buf buf = BUF_INITIALIZER;
sasl_security_properties_t secprops =
{ 0, 0xFF, PROT_BUFSIZE, 0, NULL, NULL }; /* default secprops */
const char *mech_conf, *pass, *clientout = NULL;
struct auth_scheme_t *scheme = NULL;
unsigned need_tls = 0, tls_done = 0, auth_done = 0, clientoutlen;
hdrcache_t hdrs = NULL;
if (status) *status = NULL;
/* set the IP addresses */
addrsize = sizeof(struct sockaddr_storage);
if (getpeername(s->sock, (struct sockaddr *) &saddr_r, &addrsize) ||
iptostring((struct sockaddr *) &saddr_r, addrsize, remoteip, 60)) {
if (status) *status = "Failed to get remote IP address";
return SASL_FAIL;
}
addrsize = sizeof(struct sockaddr_storage);
if (getsockname(s->sock, (struct sockaddr *) &saddr_l, &addrsize) ||
iptostring((struct sockaddr *) &saddr_l, addrsize, localip, 60)) {
if (status) *status = "Failed to get local IP address";
return SASL_FAIL;
}
/* Create callbacks, if necessary */
if (!cb) {
buf_setmap(&buf, s->hostname, strcspn(s->hostname, "."));
buf_appendcstr(&buf, "_password");
pass = config_getoverflowstring(buf_cstring(&buf), NULL);
if (!pass) pass = config_getstring(IMAPOPT_PROXY_PASSWORD);
cb = mysasl_callbacks(NULL, /* userid */
config_getstring(IMAPOPT_PROXY_AUTHNAME),
config_getstring(IMAPOPT_PROXY_REALM),
pass);
s->sasl_cb = cb;
}
/* Create SASL context */
r = sasl_client_new(s->prot->sasl_service, s->hostname,
localip, remoteip, cb, SASL_USAGE_FLAGS, &s->saslconn);
if (r != SASL_OK) goto done;
r = sasl_setprop(s->saslconn, SASL_SEC_PROPS, &secprops);
if (r != SASL_OK) goto done;
/* Get SASL mechanism list. We can force a particular
mechanism using a <shorthost>_mechs option */
buf_setmap(&buf, s->hostname, strcspn(s->hostname, "."));
buf_appendcstr(&buf, "_mechs");
if (!(mech_conf = config_getoverflowstring(buf_cstring(&buf), NULL))) {
mech_conf = config_getstring(IMAPOPT_FORCE_SASL_CLIENT_MECH);
}
do {
unsigned code;
const char **hdr, *errstr, *serverin;
char base64[BASE64_BUF_SIZE+1];
unsigned int serverinlen;
struct body_t resp_body;
#ifdef SASL_HTTP_REQUEST
sasl_http_request_t httpreq = { "OPTIONS", /* Method */
"*", /* URI */
(u_char *) "", /* Empty body */
0, /* Zero-length body */
0 }; /* Persistent cxn? */
#endif
/* Base64 encode any client response, if necessary */
if (clientout && scheme && (scheme->flags & AUTH_BASE64)) {
r = sasl_encode64(clientout, clientoutlen,
base64, BASE64_BUF_SIZE, &clientoutlen);
if (r != SASL_OK) break;
clientout = base64;
}
/* Send Authorization and/or Upgrade request to server */
prot_puts(s->out, "OPTIONS * HTTP/1.1\r\n");
prot_printf(s->out, "Host: %s\r\n", s->hostname);
prot_printf(s->out, "User-Agent: %s\r\n", buf_cstring(&serverinfo));
if (scheme) {
prot_printf(s->out, "Authorization: %s %s\r\n",
scheme->name, clientout ? clientout : "");
prot_printf(s->out, "Authorize-As: %s\r\n",
userid ? userid : "anonymous");
}
else {
prot_printf(s->out, "Upgrade: %s\r\n", TLS_VERSION);
if (need_tls) {
prot_puts(s->out, "Connection: Upgrade\r\n");
need_tls = 0;
}
prot_puts(s->out, "Authorization: \r\n");
}
prot_puts(s->out, "\r\n");
prot_flush(s->out);
serverin = clientout = NULL;
serverinlen = clientoutlen = 0;
/* Read response(s) from backend until final response or error */
do {
resp_body.flags = BODY_DISCARD;
r = http_read_response(s, METH_OPTIONS, &code, NULL,
&hdrs, &resp_body, &errstr);
if (r) {
if (status) *status = errstr;
break;
}
if (code == 101) { /* Switching Protocols */
if (tls_done) {
r = HTTP_BAD_GATEWAY;
if (status) *status = "TLS already active";
break;
}
else if (backend_starttls(s, NULL, NULL, NULL)) {
r = HTTP_SERVER_ERROR;
if (status) *status = "Unable to start TLS";
break;
}
else tls_done = 1;
}
} while (code < 200);
switch (code) {
default: /* Failure */
if (!r) {
r = HTTP_BAD_GATEWAY;
if (status) {
buf_reset(&buf);
buf_printf(&buf,
"Unexpected status code from backend: %u", code);
*status = buf_cstring(&buf);
}
}
break;
case 426: /* Upgrade Required */
if (tls_done) {
r = HTTP_BAD_GATEWAY;
if (status) *status = "TLS already active";
}
else need_tls = 1;
break;
case 200: /* OK */
if (scheme->recv_success &&
(serverin = scheme->recv_success(hdrs))) {
/* Process success data */
serverinlen = strlen(serverin);
goto challenge;
}
break;
case 401: /* Unauthorized */
if (auth_done) {
r = SASL_BADAUTH;
break;
}
if (!serverin) {
int i = 0;
hdr = spool_getheader(hdrs, "WWW-Authenticate");
if (!scheme) {
unsigned avail_auth_schemes = 0;
const char *mech = NULL;
size_t len;
/* Compare authentication schemes offered in
* WWW-Authenticate header(s) to what we support */
buf_reset(&buf);
for (i = 0; hdr && hdr[i]; i++) {
len = strcspn(hdr[i], " ");
for (scheme = auth_schemes; scheme->name; scheme++) {
if (!strncmp(scheme->name, hdr[i], len) &&
!((scheme->flags & AUTH_NEED_PERSIST) &&
(resp_body.flags & BODY_CLOSE))) {
/* Tag the scheme as available */
avail_auth_schemes |= (1 << scheme->idx);
/* Add SASL-based schemes to SASL mech list */
if (scheme->saslmech) {
if (buf_len(&buf)) buf_putc(&buf, ' ');
buf_appendcstr(&buf, scheme->saslmech);
}
break;
}
}
}
/* If we have a mech_conf, use it */
if (mech_conf && buf_len(&buf)) {
char *conf = xstrdup(mech_conf);
char *newmechlist =
intersect_mechlists(conf,
(char *) buf_cstring(&buf));
if (newmechlist) {
buf_setcstr(&buf, newmechlist);
free(newmechlist);
}
else {
syslog(LOG_DEBUG, "%s did not offer %s",
s->hostname, mech_conf);
buf_reset(&buf);
}
free(conf);
}
#ifdef SASL_HTTP_REQUEST
/* Set HTTP request as specified above (REQUIRED) */
httpreq.non_persist = (resp_body.flags & BODY_CLOSE);
sasl_setprop(s->saslconn, SASL_HTTP_REQUEST, &httpreq);
#endif
/* Try to start SASL exchange using available mechs */
r = sasl_client_start(s->saslconn, buf_cstring(&buf),
NULL, /* no prompts */
NULL, NULL, /* no initial resp */
&mech);
if (mech) {
/* Find auth scheme associated with chosen SASL mech */
for (scheme = auth_schemes; scheme->name; scheme++) {
if (scheme->saslmech &&
!strcmp(scheme->saslmech, mech)) break;
}
}
else {
/* No matching SASL mechs - try Basic */
scheme = &auth_schemes[AUTH_BASIC];
if (!(avail_auth_schemes & (1 << scheme->idx))) {
need_tls = !tls_done;
break; /* case 401 */
}
}
/* Find the associated WWW-Authenticate header */
for (i = 0; hdr && hdr[i]; i++) {
len = strcspn(hdr[i], " ");
if (!strncmp(scheme->name, hdr[i], len)) break;
}
}
/* Get server challenge, if any */
if (hdr) {
const char *p = strchr(hdr[i], ' ');
serverin = p ? ++p : "";
serverinlen = strlen(serverin);
}
}
challenge:
if (serverin) {
/* Perform the next step in the auth exchange */
if (scheme->idx == AUTH_BASIC) {
/* Don't care about "realm" in server challenge */
const char *authid =
callback_getdata(s->saslconn, cb, SASL_CB_AUTHNAME);
pass = callback_getdata(s->saslconn, cb, SASL_CB_PASS);
buf_reset(&buf);
buf_printf(&buf, "%s:%s", authid, pass);
clientout = buf_cstring(&buf);
clientoutlen = buf_len(&buf);
auth_done = 1;
}
else {
/* Base64 decode any server challenge, if necessary */
if (serverin && (scheme->flags & AUTH_BASE64)) {
r = sasl_decode64(serverin, serverinlen,
base64, BASE64_BUF_SIZE, &serverinlen);
if (r != SASL_OK) break; /* case 401 */
serverin = base64;
}
/* SASL mech (Digest, Negotiate, NTLM) */
r = sasl_client_step(s->saslconn, serverin, serverinlen,
NULL, /* no prompts */
&clientout, &clientoutlen);
if (r == SASL_OK) auth_done = 1;
}
}
break; /* case 401 */
}
} while (need_tls || clientout);
done:
if (hdrs) spool_free_hdrcache(hdrs);
if (r && status && !*status) *status = sasl_errstring(r, NULL, NULL);
return r;
}
/*
* mgmt_get_main_config() loads main configuration
* from scf into a node tree.
* Main configuration includes: admin/target/tpgt/initiator info.
* admin info is stored in "iscsitgt" property group
* target info is stored in "target_<name>" property group
* initiator info is stored in "initiator_<name>" property group
* tpgt info is stored in "tpgt_<number>" property group
*/
Boolean_t
mgmt_get_main_config(tgt_node_t **node)
{
targ_scf_t *h = NULL;
scf_property_t *prop = NULL;
scf_value_t *value = NULL;
scf_iter_t *iter = NULL;
scf_iter_t *iter_v = NULL;
scf_iter_t *iter_pv = NULL;
char pname[32];
char valuebuf[MAXPATHLEN];
char passcode[32];
unsigned int outlen;
tgt_node_t *n;
tgt_node_t *pn;
tgt_node_t *vn;
Boolean_t status = False;
h = mgmt_handle_init();
if (h == NULL)
return (status);
prop = scf_property_create(h->t_handle);
value = scf_value_create(h->t_handle);
iter = scf_iter_create(h->t_handle);
(void) pthread_mutex_lock(&scf_conf_mutex);
/* Basic Information is stored in iscsitgt pg */
if (scf_service_get_pg(h->t_service, "iscsitgt", h->t_pg) == -1) {
goto error;
}
*node = NULL;
*node = tgt_node_alloc("main_config", String, NULL);
if (*node == NULL)
goto error;
if (scf_iter_pg_properties(iter, h->t_pg) == -1) {
goto error;
}
while (scf_iter_next_property(iter, prop) > 0) {
scf_property_get_value(prop, value);
scf_value_get_as_string(value, valuebuf, MAXPATHLEN);
scf_property_get_name(prop, pname, sizeof (pname));
/* avoid load auth to incore data */
if (strcmp(pname, ISCSI_READ_AUTHNAME) == 0 ||
strcmp(pname, ISCSI_MODIFY_AUTHNAME) == 0 ||
strcmp(pname, ISCSI_VALUE_AUTHNAME) == 0)
continue;
n = tgt_node_alloc(pname, String, valuebuf);
if (n == NULL)
goto error;
/* put version info into root node's attr */
if (strcmp(pname, XML_ELEMENT_VERS) == 0) {
tgt_node_add_attr(*node, n);
} else {
/* add other basic info into root node */
tgt_node_add(*node, n);
}
}
/*
* targets/initiators/tpgt information is
* stored as type "configuration" in scf
* each target's param is stored as type "parameter"
*/
if (scf_iter_service_pgs_typed(iter, h->t_service, "configuration")
== -1) {
goto error;
}
while (scf_iter_next_pg(iter, h->t_pg) > 0) {
char *iname;
scf_pg_get_name(h->t_pg, pname, sizeof (pname));
iname = strchr(pname, '_');
if (iname == NULL) {
/* the pg found here is not a tgt/initiator/tpgt */
continue;
}
*iname = '\0';
iname++;
/*
* now pname is "target" or "initiator" or "tpgt"
* meanwhile iname is the actual name of the item
*/
n = tgt_node_alloc(pname, String, iname);
if (n == NULL)
goto error;
iter_v = scf_iter_create(h->t_handle);
if (scf_iter_pg_properties(iter_v, h->t_pg) == -1) {
goto error;
}
while (scf_iter_next_property(iter_v, prop) > 0) {
/* there may be many values in one property */
char *vname;
scf_property_get_name(prop, pname, sizeof (pname));
/* avoid load auth to incore data */
if (strcmp(pname, ISCSI_READ_AUTHNAME) == 0 ||
strcmp(pname, ISCSI_MODIFY_AUTHNAME) == 0 ||
strcmp(pname, ISCSI_VALUE_AUTHNAME) == 0)
continue;
vname = strstr(pname, "-list");
if (vname == NULL) {
scf_property_get_value(prop, value);
scf_value_get_as_string(value, valuebuf,
MAXPATHLEN);
pn = tgt_node_alloc(pname, String, valuebuf);
if (pn == NULL)
goto error;
tgt_node_add(n, pn);
} else {
pn = tgt_node_alloc(pname, String, NULL);
if (pn == NULL)
goto error;
tgt_node_add(n, pn);
*vname = '\0';
iter_pv = scf_iter_create(h->t_handle);
scf_iter_property_values(iter_pv, prop);
while (scf_iter_next_value(iter_pv, value)
> 0) {
scf_value_get_as_string(value, valuebuf,
MAXPATHLEN);
vn = tgt_node_alloc(pname, String,
valuebuf);
if (vn == NULL)
goto error;
tgt_node_add(pn, vn);
}
scf_iter_destroy(iter_pv);
iter_pv = NULL;
}
}
tgt_node_add(*node, n);
scf_iter_destroy(iter_v);
iter_v = NULL;
}
/* chap-secrets are stored in "passwords" pgroup as "application" */
if (scf_service_get_pg(h->t_service, "passwords", h->t_pg) == 0) {
if (scf_iter_pg_properties(iter, h->t_pg) == -1) {
goto error;
}
while (scf_iter_next_property(iter, prop) > 0) {
scf_property_get_value(prop, value);
scf_value_get_as_string(value, valuebuf, MAXPATHLEN);
scf_property_get_name(prop, pname, sizeof (pname));
/* avoid load auth to incore data */
if (strcmp(pname, ISCSI_READ_AUTHNAME) == 0 ||
strcmp(pname, ISCSI_MODIFY_AUTHNAME) == 0 ||
strcmp(pname, ISCSI_VALUE_AUTHNAME) == 0)
continue;
/* max length of decoded passwd is 16B */
sasl_decode64(valuebuf, strlen(valuebuf), passcode,
sizeof (passcode), &outlen);
if (strcmp(pname, "radius") == 0) {
pn = tgt_node_alloc(XML_ELEMENT_RAD_SECRET,
String, passcode);
tgt_node_add(*node, pn);
} else if (strcmp(pname, "main") == 0) {
pn = tgt_node_alloc(XML_ELEMENT_CHAPSECRET,
String, passcode);
tgt_node_add(*node, pn);
} else {
/* find corresponding initiator */
n = NULL;
while (n = tgt_node_next_child(*node,
XML_ELEMENT_INIT, n)) {
if (strcmp(pname + 2, n->x_value) != 0)
continue;
pn = tgt_node_alloc(
XML_ELEMENT_CHAPSECRET,
String, passcode);
tgt_node_add(n, pn);
}
}
}
}
status = True;
error:
if ((status != True) && (*node != NULL))
tgt_node_free(*node);
(void) pthread_mutex_unlock(&scf_conf_mutex);
if (iter_pv != NULL)
scf_iter_destroy(iter_pv);
if (iter_v != NULL)
scf_iter_destroy(iter_v);
scf_iter_destroy(iter);
scf_value_destroy(value);
scf_property_destroy(prop);
mgmt_handle_fini(h);
return (status);
}
static int smtp_auth_sasl (CONNECTION* conn, const char* mechlist)
{
sasl_conn_t* saslconn;
sasl_interact_t* interaction = NULL;
const char* mech;
const char* data = NULL;
unsigned int len;
char buf[HUGE_STRING];
int rc, saslrc;
if (mutt_sasl_client_new (conn, &saslconn) < 0)
return SMTP_AUTH_FAIL;
do {
rc = sasl_client_start (saslconn, mechlist, &interaction, &data, &len, &mech);
if (rc == SASL_INTERACT)
mutt_sasl_interact (interaction);
}
while (rc == SASL_INTERACT);
if (rc != SASL_OK && rc != SASL_CONTINUE) {
dprint (2, (debugfile, "smtp_auth_sasl: %s unavailable\n", mech));
sasl_dispose (&saslconn);
return SMTP_AUTH_UNAVAIL;
}
if (!option(OPTNOCURSES))
mutt_message (_("Authenticating (%s)..."), mech);
snprintf (buf, sizeof (buf), "AUTH %s", mech);
if (len) {
safe_strcat (buf, sizeof (buf), " ");
if (sasl_encode64 (data, len, buf + mutt_strlen (buf),
sizeof (buf) - mutt_strlen (buf), &len) != SASL_OK) {
dprint (1, (debugfile, "smtp_auth_sasl: error base64-encoding client response.\n"));
goto fail;
}
}
safe_strcat (buf, sizeof (buf), "\r\n");
do {
if (mutt_socket_write (conn, buf) < 0)
goto fail;
if ((rc = mutt_socket_readln (buf, sizeof (buf), conn)) < 0)
goto fail;
if (smtp_code (buf, rc, &rc) < 0)
goto fail;
if (rc != smtp_ready)
break;
if (sasl_decode64 (buf+4, strlen (buf+4), buf, sizeof (buf), &len) != SASL_OK) {
dprint (1, (debugfile, "smtp_auth_sasl: error base64-decoding server response.\n"));
goto fail;
}
do {
saslrc = sasl_client_step (saslconn, buf, len, &interaction, &data, &len);
if (saslrc == SASL_INTERACT)
mutt_sasl_interact (interaction);
}
while (saslrc == SASL_INTERACT);
if (len) {
if (sasl_encode64 (data, len, buf, sizeof (buf), &len) != SASL_OK) {
dprint (1, (debugfile, "smtp_auth_sasl: error base64-encoding client response.\n"));
goto fail;
}
}
strfcpy (buf + len, "\r\n", sizeof (buf) - len);
} while (rc == smtp_ready && saslrc != SASL_FAIL);
if (smtp_success (rc)) {
mutt_sasl_setup_conn (conn, saslconn);
return SMTP_AUTH_SUCCESS;
}
fail:
sasl_dispose (&saslconn);
return SMTP_AUTH_FAIL;
}
bool
_mongoc_cyrus_step (mongoc_cyrus_t *sasl,
const uint8_t *inbuf,
uint32_t inbuflen,
uint8_t *outbuf,
uint32_t outbufmax,
uint32_t *outbuflen,
bson_error_t *error)
{
const char *raw = NULL;
unsigned rawlen = 0;
int status;
BSON_ASSERT (sasl);
BSON_ASSERT (inbuf);
BSON_ASSERT (outbuf);
BSON_ASSERT (outbuflen);
TRACE ("Running %d, inbuflen: %" PRIu32, sasl->step, inbuflen);
sasl->step++;
if (sasl->step == 1) {
return _mongoc_cyrus_start (sasl, outbuf, outbufmax, outbuflen, error);
} else if (sasl->step >= 10) {
bson_set_error (error,
MONGOC_ERROR_SASL,
SASL_NOTDONE,
"SASL Failure: maximum steps detected");
return false;
}
TRACE ("Running %d, inbuflen: %" PRIu32, sasl->step, inbuflen);
if (!inbuflen) {
bson_set_error (error,
MONGOC_ERROR_SASL,
MONGOC_ERROR_CLIENT_AUTHENTICATE,
"SASL Failure: no payload provided from server: %s",
sasl_errdetail (sasl->conn));
return false;
}
status = sasl_decode64 (
(char *) inbuf, inbuflen, (char *) outbuf, outbufmax, outbuflen);
if (_mongoc_cyrus_is_failure (status, error)) {
return false;
}
TRACE ("%s", "Running client_step");
status = sasl_client_step (
sasl->conn, (char *) outbuf, *outbuflen, &sasl->interact, &raw, &rawlen);
TRACE ("%s sent a client step",
status == SASL_OK ? "Successfully" : "UNSUCCESSFULLY");
if (_mongoc_cyrus_is_failure (status, error)) {
return false;
}
status = sasl_encode64 (raw, rawlen, (char *) outbuf, outbufmax, outbuflen);
if (_mongoc_cyrus_is_failure (status, error)) {
return false;
}
return true;
}
