static int getauthline(isieve_t *obj, char **line, unsigned int *linelen, char **errstrp) { lexstate_t state; int res; size_t len; char *errstr = NULL; char *last_send; int r; /* now let's see what the server said */ res=yylex(&state, obj->pin); *line = NULL; if (res!=STRING) { (void)handle_response(res, obj->version, obj->pin, &last_send, &errstr); if (res==TOKEN_OK) { /* Was there a last send from the server? */ if(last_send) { /* it's base64 encoded */ int last_send_len = strlen(last_send); len = last_send_len*2+1; *line = xmalloc(len); r = sasl_decode64(last_send, last_send_len, *line, len, linelen); free(last_send); if (r != SASL_OK) return STAT_NO; } return STAT_OK; } else { /* server said no or bye*/ /* xxx handle referrals */ *errstrp = errstr; return STAT_NO; } } len = strlen(state.str)*2+1; *line=(char *) xmalloc(len); r = sasl_decode64(state.str, strlen(state.str), *line, len, linelen); if (r != SASL_OK) return STAT_NO; if (yylex(&state, obj->pin)!=EOL) return STAT_NO; return STAT_CONT; }
bson_bool_t _mongoc_sasl_step (mongoc_sasl_t *sasl, const bson_uint8_t *inbuf, bson_uint32_t inbuflen, bson_uint8_t *outbuf, bson_uint32_t outbufmax, bson_uint32_t *outbuflen, bson_error_t *error) { const char *raw = NULL; unsigned rawlen = 0; int status; BSON_ASSERT (sasl); BSON_ASSERT (inbuf); BSON_ASSERT (outbuf); BSON_ASSERT (outbuflen); BSON_ASSERT (*outbuflen); sasl->step++; if (sasl->step == 1) { return _mongoc_sasl_start (sasl, outbuf, outbufmax, outbuflen, error); } else if (sasl->step >= 10) { bson_set_error (error, MONGOC_ERROR_SASL, SASL_NOTDONE, "SASL Failure: maximum steps detected"); return FALSE; } if (!inbuflen) { bson_set_error (error, MONGOC_ERROR_SASL, MONGOC_ERROR_CLIENT_AUTHENTICATE, "SASL Failure: no payload provided from server."); return FALSE; } status = sasl_decode64 ((char *)inbuf, inbuflen, (char *)outbuf, outbufmax, outbuflen); if (_mongoc_sasl_is_failure (status, error)) { return FALSE; } status = sasl_client_step (sasl->conn, (char *)outbuf, *outbuflen, &sasl->interact, &raw, &rawlen); if (_mongoc_sasl_is_failure (status, error)) { return FALSE; } status = sasl_encode64 (raw, rawlen, (char *)outbuf, outbufmax, outbuflen); if (_mongoc_sasl_is_failure (status, error)) { return FALSE; } return TRUE; }
/* * decode a Base 64 to string */ DWORD VmDecodeToBase64( PBYTE pEncodedInput, DWORD dwEncodedLen, PBYTE *ppBase64Decoded, DWORD *pDecodedLen ) { DWORD dwError = 0; DWORD dwBase64DecodedByteLen = 0; PBYTE pBase64Decoded = NULL; if (!pEncodedInput || !ppBase64Decoded) { dwError = VM_COMMON_ERROR_INVALID_PARAMETER; BAIL_ON_VM_COMMON_ERROR(dwError); } dwError = VmAllocateMemory(dwEncodedLen, (PVOID *)&pBase64Decoded); BAIL_ON_VM_COMMON_ERROR(dwError); dwError = sasl_decode64((PCSTR)pEncodedInput, dwEncodedLen, (PSTR)pBase64Decoded, dwEncodedLen, &dwBase64DecodedByteLen ); BAIL_ON_VM_COMMON_ERROR(dwError); *ppBase64Decoded = pBase64Decoded; *pDecodedLen = dwBase64DecodedByteLen; cleanup: return dwError; error: VM_COMMON_SAFE_FREE_MEMORY(pBase64Decoded); if (ppBase64Decoded) { *ppBase64Decoded = NULL; } if (pDecodedLen) { *pDecodedLen = 0; } goto cleanup; }
int php_mongo_saslcontinue(mongo_con_manager *manager, mongo_connection *con, mongo_server_options *options, mongo_server_def *server_def, sasl_conn_t *conn, char *step_payload, int step_payload_len, int32_t conversation_id, char **error_message) { sasl_interact_t *client_interact=NULL; /* * Snippet from sasl.h: * 4. client calls sasl_client_step() * 4b. If SASL error, goto 7 or 3 * 4c. If SASL_OK, continue or goto 6 if last server response was success */ do { char base_payload[4096], payload[4096]; unsigned int base_payload_len, payload_len; const char *out; unsigned int outlen; unsigned char done = 0; int result; step_payload_len--; /* Remove the \0 from the string */ result = sasl_decode64(step_payload, step_payload_len, base_payload, sizeof(base_payload), &base_payload_len); if (is_sasl_failure(conn, result, error_message)) { return 0; } result = sasl_client_step(conn, (const char *)base_payload, base_payload_len, &client_interact, &out, &outlen); if (is_sasl_failure(conn, result, error_message)) { return 0; } result = sasl_encode64(out, outlen, payload, sizeof(base_payload), &payload_len); if (is_sasl_failure(conn, result, error_message)) { return 0; } if (!mongo_connection_authenticate_saslcontinue(manager, con, options, server_def, conversation_id, payload, payload_len + 1, &step_payload, &step_payload_len, &done, error_message)) { return 0; } if (done) { break; } } while (1); return 1; }
/* data = cyrussasl.decode64(b64data) * * Partner function to encode64(). */ static int cyrussasl_sasl_decode64(lua_State *l) { const char *data = NULL; char *outdata = NULL; size_t len; unsigned outlen; int err; int numargs = lua_gettop(l); if (numargs != 1) { lua_pushstring(l, "usage: data = cyrussasl.decode64(b64data)"); lua_error(l); return 0; } data = tostring(l, 1); len = strlen(data); outdata = malloc(len); if (!outdata) { lua_pushstring(l, "failed to malloc in decode64"); lua_error(l); return 0; } /* Perform a decode-in-place, which is kosher according to docs. */ err = sasl_decode64(data, len, outdata, len, &outlen); if ( err != SASL_OK ) { free(outdata); lua_pushstring(l, "sasl_decode64 failed"); lua_error(l); return 0; } if (outdata) { lua_pushlstring(l, outdata, outlen); } else { lua_pushnil(l); } free(outdata); return 1; }
int php_mongo_saslcontinue(mongo_con_manager *manager, mongo_connection *con, mongo_server_options *options, mongo_server_def *server_def, sasl_conn_t *conn, char *step_payload, int step_payload_len, int32_t conversation_id, char **error_message) { int result; sasl_interact_t *client_interact=NULL; do { char base_payload[4096], payload[4096]; unsigned int base_payload_len, payload_len; unsigned char done; const char *out; unsigned int outlen; result = sasl_decode64(step_payload, step_payload_len, base_payload, sizeof(base_payload), &base_payload_len); if (is_sasl_failure(conn, result, error_message)) { return result; } result = sasl_client_step(conn, (const char *)base_payload, base_payload_len, &client_interact, &out, &outlen); if (is_sasl_failure(conn, result, error_message)) { return result; } /* TODO : Deal with interaction */ if (result == SASL_OK) { /* We are all done */ break; } result = sasl_encode64(out, outlen, payload, sizeof(base_payload), &payload_len); if (is_sasl_failure(conn, result, error_message)) { return result; } if (!mongo_connection_authenticate_saslcontinue(manager, con, options, server_def, conversation_id, payload, payload_len + 1, &step_payload, &step_payload_len, &done, (char **)&error_message)) { *error_message = strdup("saslStart failed miserably"); return result; } } while (result == SASL_INTERACT || result == SASL_CONTINUE); return result; }
int ArgusGetSaslString(FILE *f, char *buf, int buflen) { unsigned int len = -1; char *s = NULL; int result; if (ferror(f)) clearerr(f); if ((s = fgets(buf, buflen, f)) != NULL) { switch (*buf) { case 'C': { if (!(strncmp(buf, "C: ", 3))) { buf[strlen(buf) - 1] = '\0'; result = sasl_decode64(buf + 3, (unsigned) strlen(buf + 3), buf, buflen, &len); if (result != SASL_OK) ArgusLog (LOG_ERR, "ArgusGetSaslString: sasl_decode64 error"); buf[len] = '\0'; } else ArgusLog (LOG_ERR, "ArgusGetSaslString: error %s", strerror(errno)); break; } default: case 'N': len = -1; break; } } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetSaslString(0x%x, 0x%x, %d) %s", f, buf, buflen, buf); #endif return len; }
int mailpop3_auth(mailpop3 * f, const char * auth_type, const char * server_fqdn, const char * local_ip_port, const char * remote_ip_port, const char * login, const char * auth_name, const char * password, const char * realm) { #ifdef USE_SASL int r; char command[POP3_STRING_SIZE]; sasl_callback_t sasl_callback[5]; const char * sasl_out; unsigned sasl_out_len; const char * mechusing; sasl_secret_t * secret; int res; size_t len; char * encoded; unsigned int encoded_len; unsigned int max_encoded; sasl_callback[0].id = SASL_CB_GETREALM; sasl_callback[0].proc = sasl_getrealm; sasl_callback[0].context = f; sasl_callback[1].id = SASL_CB_USER; sasl_callback[1].proc = sasl_getsimple; sasl_callback[1].context = f; sasl_callback[2].id = SASL_CB_AUTHNAME; sasl_callback[2].proc = sasl_getsimple; sasl_callback[2].context = f; sasl_callback[3].id = SASL_CB_PASS; sasl_callback[3].proc = sasl_getsecret; sasl_callback[3].context = f; sasl_callback[4].id = SASL_CB_LIST_END; sasl_callback[4].proc = NULL; sasl_callback[4].context = NULL; len = strlen(password); secret = malloc(sizeof(* secret) + len); if (secret == NULL) { res = MAILPOP3_ERROR_MEMORY; goto err; } secret->len = len; memcpy(secret->data, password, len + 1); f->pop3_sasl.sasl_server_fqdn = server_fqdn; f->pop3_sasl.sasl_login = login; f->pop3_sasl.sasl_auth_name = auth_name; f->pop3_sasl.sasl_password = password; f->pop3_sasl.sasl_realm = realm; f->pop3_sasl.sasl_secret = secret; /* init SASL */ if (f->pop3_sasl.sasl_conn != NULL) { sasl_dispose((sasl_conn_t **) &f->pop3_sasl.sasl_conn); f->pop3_sasl.sasl_conn = NULL; } else { mailsasl_ref(); } r = sasl_client_new("pop", server_fqdn, local_ip_port, remote_ip_port, sasl_callback, 0, (sasl_conn_t **) &f->pop3_sasl.sasl_conn); if (r != SASL_OK) { res = MAILPOP3_ERROR_BAD_USER; goto free_secret; } r = sasl_client_start(f->pop3_sasl.sasl_conn, auth_type, NULL, &sasl_out, &sasl_out_len, &mechusing); if ((r != SASL_CONTINUE) && (r != SASL_OK)) { res = MAILPOP3_ERROR_BAD_USER; goto free_sasl_conn; } snprintf(command, POP3_STRING_SIZE, "AUTH %s\r\n", auth_type); r = send_command(f, command); if (r == -1) { res = MAILPOP3_ERROR_STREAM; goto free_sasl_conn; } while (1) { char * response; response = read_line(f); r = parse_auth(f, response); switch (r) { case RESPONSE_OK: f->pop3_state = POP3_STATE_TRANSACTION; res = MAILPOP3_NO_ERROR; goto free_sasl_conn; case RESPONSE_ERR: res = MAILPOP3_ERROR_BAD_USER; goto free_sasl_conn; case RESPONSE_AUTH_CONT: { size_t response_len; char * decoded; unsigned int decoded_len; unsigned int max_decoded; int got_response; got_response = 1; if (* f->pop3_response == '\0') got_response = 0; if (got_response) { char * p; p = strchr(f->pop3_response, '\r'); if (p != NULL) { * p = '\0'; } p = strchr(f->pop3_response, '\n'); if (p != NULL) { * p = '\0'; } response_len = strlen(f->pop3_response); max_decoded = response_len * 3 / 4; decoded = malloc(max_decoded + 1); if (decoded == NULL) { res = MAILPOP3_ERROR_MEMORY; goto free_sasl_conn; } r = sasl_decode64(f->pop3_response, response_len, decoded, max_decoded + 1, &decoded_len); if (r != SASL_OK) { free(decoded); res = MAILPOP3_ERROR_MEMORY; goto free_sasl_conn; } r = sasl_client_step(f->pop3_sasl.sasl_conn, decoded, decoded_len, NULL, &sasl_out, &sasl_out_len); free(decoded); if ((r != SASL_CONTINUE) && (r != SASL_OK)) { res = MAILPOP3_ERROR_BAD_USER; goto free_sasl_conn; } } max_encoded = ((sasl_out_len + 2) / 3) * 4; encoded = malloc(max_encoded + 1); if (encoded == NULL) { res = MAILPOP3_ERROR_MEMORY; goto free_sasl_conn; } r = sasl_encode64(sasl_out, sasl_out_len, encoded, max_encoded + 1, &encoded_len); if (r != SASL_OK) { free(encoded); res = MAILPOP3_ERROR_MEMORY; goto free_sasl_conn; } snprintf(command, POP3_STRING_SIZE, "%s\r\n", encoded); r = send_command(f, command); free(encoded); if (r == -1) { res = MAILPOP3_ERROR_STREAM; goto free_sasl_conn; } } break; } } f->pop3_state = POP3_STATE_TRANSACTION; res = MAILPOP3_NO_ERROR; free_sasl_conn: sasl_dispose((sasl_conn_t **) &f->pop3_sasl.sasl_conn); f->pop3_sasl.sasl_conn = NULL; mailsasl_unref(); free_secret: free(f->pop3_sasl.sasl_secret); f->pop3_sasl.sasl_secret = NULL; err: return res; #else return MAILPOP3_ERROR_BAD_USER; #endif }
/* imap_auth_sasl: Default authenticator if available. */ imap_auth_res_t imap_auth_sasl (IMAP_DATA* idata, const char* method) { sasl_conn_t* saslconn; sasl_interact_t* interaction = NULL; int rc, irc; char buf[HUGE_STRING]; const char* mech; const char *pc = NULL; unsigned int len, olen; unsigned char client_start; if (mutt_sasl_client_new (idata->conn, &saslconn) < 0) { dprint (1, (debugfile, "imap_auth_sasl: Error allocating SASL connection.\n")); return IMAP_AUTH_FAILURE; } rc = SASL_FAIL; /* If the user hasn't specified a method, use any available */ if (!method) { method = idata->capstr; /* hack for SASL ANONYMOUS support: * 1. Fetch username. If it's "" or "anonymous" then * 2. attempt sasl_client_start with only "AUTH=ANONYMOUS" capability * 3. if sasl_client_start fails, fall through... */ if (mutt_account_getuser (&idata->conn->account)) return IMAP_AUTH_FAILURE; if (mutt_bit_isset (idata->capabilities, AUTH_ANON) && (!idata->conn->account.user[0] || !ascii_strncmp (idata->conn->account.user, "anonymous", 9))) rc = sasl_client_start (saslconn, "AUTH=ANONYMOUS", NULL, &pc, &olen, &mech); } else if (!ascii_strcasecmp ("login", method) && !strstr (NONULL (idata->capstr), "AUTH=LOGIN")) /* do not use SASL login for regular IMAP login (#3556) */ return IMAP_AUTH_UNAVAIL; if (rc != SASL_OK && rc != SASL_CONTINUE) do { rc = sasl_client_start (saslconn, method, &interaction, &pc, &olen, &mech); if (rc == SASL_INTERACT) mutt_sasl_interact (interaction); } while (rc == SASL_INTERACT); client_start = (olen > 0); if (rc != SASL_OK && rc != SASL_CONTINUE) { if (method) dprint (2, (debugfile, "imap_auth_sasl: %s unavailable\n", method)); else dprint (1, (debugfile, "imap_auth_sasl: Failure starting authentication exchange. No shared mechanisms?\n")); /* SASL doesn't support LOGIN, so fall back */ return IMAP_AUTH_UNAVAIL; } mutt_message (_("Authenticating (%s)..."), mech); snprintf (buf, sizeof (buf), "AUTHENTICATE %s", mech); if (mutt_bit_isset (idata->capabilities, SASL_IR) && client_start) { len = mutt_strlen (buf); buf[len++] = ' '; if (sasl_encode64 (pc, olen, buf + len, sizeof (buf) - len, &olen) != SASL_OK) { dprint (1, (debugfile, "imap_auth_sasl: error base64-encoding client response.\n")); goto bail; } client_start = olen = 0; } imap_cmd_start (idata, buf); irc = IMAP_CMD_CONTINUE; /* looping protocol */ while (rc == SASL_CONTINUE || olen > 0) { do irc = imap_cmd_step (idata); while (irc == IMAP_CMD_CONTINUE); if (irc == IMAP_CMD_BAD || irc == IMAP_CMD_NO) goto bail; if (irc == IMAP_CMD_RESPOND) { /* Exchange incorrectly returns +\r\n instead of + \r\n */ if (idata->buf[1] == '\0') { buf[0] = '\0'; len = 0; } else if (sasl_decode64 (idata->buf+2, strlen (idata->buf+2), buf, LONG_STRING-1, &len) != SASL_OK) { dprint (1, (debugfile, "imap_auth_sasl: error base64-decoding server response.\n")); goto bail; } } /* client-start is only available with the SASL-IR extension, but * SASL 2.1 seems to want to use it regardless, at least for DIGEST * fast reauth. Override if the server sent an initial continuation */ if (!client_start || buf[0]) { do { rc = sasl_client_step (saslconn, buf, len, &interaction, &pc, &olen); if (rc == SASL_INTERACT) mutt_sasl_interact (interaction); } while (rc == SASL_INTERACT); } else client_start = 0; /* send out response, or line break if none needed */ if (olen) { if (sasl_encode64 (pc, olen, buf, sizeof (buf), &olen) != SASL_OK) { dprint (1, (debugfile, "imap_auth_sasl: error base64-encoding client response.\n")); goto bail; } } if (irc == IMAP_CMD_RESPOND) { strfcpy (buf + olen, "\r\n", sizeof (buf) - olen); mutt_socket_write (idata->conn, buf); } /* If SASL has errored out, send an abort string to the server */ if (rc < 0) { mutt_socket_write (idata->conn, "*\r\n"); dprint (1, (debugfile, "imap_auth_sasl: sasl_client_step error %d\n",rc)); } olen = 0; } while (irc != IMAP_CMD_OK) if ((irc = imap_cmd_step (idata)) != IMAP_CMD_CONTINUE) break; if (rc != SASL_OK) goto bail; if (imap_code (idata->buf)) { mutt_sasl_setup_conn (idata->conn, saslconn); return IMAP_AUTH_SUCCESS; } bail: sasl_dispose (&saslconn); if (method) { dprint (2, (debugfile, "imap_auth_sasl: %s failed\n", method)); return IMAP_AUTH_UNAVAIL; } mutt_error _("SASL authentication failed."); mutt_sleep(2); return IMAP_AUTH_FAILURE; }
/* NOTE: success_data will need to be free()d by the caller */ int saslserver(sasl_conn_t *conn, const char *mech, const char *init_resp, const char *resp_prefix, const char *continuation, const char *empty_chal, struct protstream *pin, struct protstream *pout, int *sasl_result, char **success_data) { char base64[BASE64_BUF_SIZE+1]; char *clientin = NULL; unsigned int clientinlen = 0; const char *serverout = NULL; unsigned int serveroutlen = 0; int r = SASL_OK; if (success_data) *success_data = NULL; /* initial response */ if (init_resp) { clientin = base64; if (!strcmp(init_resp, "=")) { /* zero-length initial response */ base64[0] = '\0'; } else { r = sasl_decode64(init_resp, strlen(init_resp), clientin, BASE64_BUF_SIZE, &clientinlen); } } /* start the exchange */ if (r == SASL_OK) r = sasl_server_start(conn, mech, clientin, clientinlen, &serverout, &serveroutlen); while (r == SASL_CONTINUE) { char *p; /* send the challenge to the client */ if (serveroutlen) { r = sasl_encode64(serverout, serveroutlen, base64, BASE64_BUF_SIZE, NULL); if (r != SASL_OK) break; serverout = base64; } else { serverout = empty_chal; } prot_printf(pout, "%s%s\r\n", continuation, serverout); prot_flush(pout); /* get response from the client */ if (!prot_fgets(base64, BASE64_BUF_SIZE, pin) || strncasecmp(base64, resp_prefix, strlen(resp_prefix))) { if (sasl_result) *sasl_result = SASL_FAIL; return IMAP_SASL_PROTERR; } /* trim CRLF */ p = base64 + strlen(base64) - 1; if (p >= base64 && *p == '\n') *p-- = '\0'; if (p >= base64 && *p == '\r') *p-- = '\0'; /* trim prefix */ p = base64 + strlen(resp_prefix); /* check if client cancelled */ if (p[0] == '*') { if(sasl_result) *sasl_result = SASL_BADPROT; return IMAP_SASL_CANCEL; } /* decode the response */ clientin = base64; r = sasl_decode64(p, strlen(p), clientin, BASE64_BUF_SIZE, &clientinlen); if (r != SASL_OK) break; /* do the next step */ r = sasl_server_step(conn, clientin, clientinlen, &serverout, &serveroutlen); } /* success data */ if (r == SASL_OK && serverout && success_data) { r = sasl_encode64(serverout, serveroutlen, base64, BASE64_BUF_SIZE, NULL); if (r == SASL_OK) *success_data = (char *) xstrdup(base64); } if (sasl_result) *sasl_result = r; return (r == SASL_OK ? 0 : IMAP_SASL_FAIL); }
static long _get_srp_secret_decoded( char *username, srp_p_secret_blob_data srp_data) { long sts = 0; char *srp_secret = NULL; char *srp_secret_str = NULL; unsigned int srp_secret_str_len = 0; unsigned int srp_secret_len_max = 0; unsigned int srp_secret_len = 0; uint32_t srp_decode_buf_len = 0; uint16_t srp_decode_mda_len = 0; uint16_t srp_decode_v_len = 0; uint8_t srp_decode_salt_len = 0; char *srp_decode_ptr = NULL; char *srp_mda = NULL; char *srp_v = NULL; char *srp_salt = NULL; /* * This is the implementation of the RPC VmDirGetSRPSecret. * The public interface VmDirGetSRPSecret() is no longer needed * by this implementation */ sts = VmDirSRPGetIdentityData( username, &srp_secret_str, &srp_secret_str_len); if (sts) { goto error; } srp_secret = calloc(srp_secret_str_len, sizeof(char)); if (!srp_secret) { sts = rpc_s_no_memory; goto error; } srp_secret_len_max = srp_secret_str_len; sts = sasl_decode64(srp_secret_str, srp_secret_str_len, srp_secret, srp_secret_len_max, &srp_secret_len); if (sts != SASL_OK) { sts = rpc_s_coding_error; goto error; } /* * Encoding of data blob (from common/srp.c): * calculate buffer size * mda: Message Digest Algorithm * v: SRP private "hash" value * salt: random salt generated at "hash" creation time * * 0. 4 byte length * 1. utf8(mda) : 2 bytes + string * 2. mpi(v) : 2 bytes + verifier * 3. os(salt) : 1 bytes + salt */ srp_decode_ptr = srp_secret; memcpy(&srp_decode_buf_len, srp_decode_ptr, sizeof(uint32_t)); srp_decode_ptr += sizeof(uint32_t); srp_decode_buf_len = ntohl(srp_decode_buf_len); memcpy(&srp_decode_mda_len, srp_decode_ptr, sizeof(uint16_t)); srp_decode_ptr += sizeof(uint16_t); srp_decode_mda_len = ntohs(srp_decode_mda_len); srp_mda = srp_decode_ptr; srp_decode_ptr += srp_decode_mda_len; memcpy(&srp_decode_v_len, srp_decode_ptr, sizeof(uint16_t)); srp_decode_ptr += sizeof(uint16_t); srp_decode_v_len = ntohs(srp_decode_v_len); srp_v = srp_decode_ptr; srp_decode_ptr += srp_decode_v_len; memcpy(&srp_decode_salt_len, srp_decode_ptr, sizeof(uint8_t)); srp_decode_ptr += sizeof(uint8_t); srp_salt = srp_decode_ptr; /* blob is the buffer, the rest are aliased pointers */ srp_data->blob = srp_secret; srp_data->blob_len = srp_decode_buf_len; srp_data->mda = srp_mda; srp_data->mda_len = srp_decode_mda_len; srp_data->v = srp_v; srp_data->v_len = srp_decode_v_len; srp_data->salt = srp_salt; srp_data->salt_len = srp_decode_salt_len; error: if (sts) { if (srp_secret) { free(srp_secret); } } if (srp_secret_str) { free(srp_secret_str); } return sts; }
int mailesmtp_auth_sasl(mailsmtp * session, const char * auth_type, const char * server_fqdn, const char * local_ip_port, const char * remote_ip_port, const char * login, const char * auth_name, const char * password, const char * realm) { #ifdef USE_SASL int r; char command[SMTP_STRING_SIZE]; sasl_callback_t sasl_callback[5]; const char * sasl_out; unsigned sasl_out_len; const char * mechusing; sasl_secret_t * secret; int res; size_t len; char * encoded; unsigned int encoded_len; unsigned int max_encoded; sasl_callback[0].id = SASL_CB_GETREALM; sasl_callback[0].proc = (int (*)(void)) sasl_getrealm; sasl_callback[0].context = session; sasl_callback[1].id = SASL_CB_USER; sasl_callback[1].proc = (int (*)(void)) sasl_getsimple; sasl_callback[1].context = session; sasl_callback[2].id = SASL_CB_AUTHNAME; sasl_callback[2].proc = (int (*)(void)) sasl_getsimple; sasl_callback[2].context = session; sasl_callback[3].id = SASL_CB_PASS; sasl_callback[3].proc = (int (*)(void)) sasl_getsecret; sasl_callback[3].context = session; sasl_callback[4].id = SASL_CB_LIST_END; sasl_callback[4].proc = NULL; sasl_callback[4].context = NULL; len = strlen(password); secret = malloc(sizeof(* secret) + len); if (secret == NULL) { res = MAILSMTP_ERROR_MEMORY; goto err; } secret->len = len; memcpy(secret->data, password, len + 1); session->smtp_sasl.sasl_server_fqdn = server_fqdn; session->smtp_sasl.sasl_login = login; session->smtp_sasl.sasl_auth_name = auth_name; session->smtp_sasl.sasl_password = password; session->smtp_sasl.sasl_realm = realm; session->smtp_sasl.sasl_secret = secret; /* init SASL */ if (session->smtp_sasl.sasl_conn != NULL) { sasl_dispose((sasl_conn_t **) &session->smtp_sasl.sasl_conn); session->smtp_sasl.sasl_conn = NULL; } else { mailsasl_ref(); } r = sasl_client_new("smtp", server_fqdn, local_ip_port, remote_ip_port, sasl_callback, 0, (sasl_conn_t **) &session->smtp_sasl.sasl_conn); if (r != SASL_OK) { res = MAILSMTP_ERROR_AUTH_LOGIN; goto free_secret; } r = sasl_client_start(session->smtp_sasl.sasl_conn, auth_type, NULL, &sasl_out, &sasl_out_len, &mechusing); if ((r != SASL_CONTINUE) && (r != SASL_OK)) { res = MAILSMTP_ERROR_AUTH_LOGIN; goto free_sasl_conn; } if (sasl_out_len != 0) { max_encoded = ((sasl_out_len + 2) / 3) * 4; encoded = malloc(max_encoded + 1); if (encoded == NULL) { res = MAILSMTP_ERROR_MEMORY; goto free_sasl_conn; } r = sasl_encode64(sasl_out, sasl_out_len, encoded, max_encoded + 1, &encoded_len); if (r != SASL_OK) { free(encoded); res = MAILSMTP_ERROR_MEMORY; goto free_sasl_conn; } snprintf(command, SMTP_STRING_SIZE, "AUTH %s %s\r\n", auth_type, encoded); free(encoded); } else { snprintf(command, SMTP_STRING_SIZE, "AUTH %s\r\n", auth_type); } r = send_command_private(session, command, 0); if (r == -1) { res = MAILSMTP_ERROR_STREAM; goto free_sasl_conn; } while (1) { r = read_response(session); switch (r) { case 220: case 235: res = MAILSMTP_NO_ERROR; goto free_sasl_conn; case 535: res = MAILSMTP_ERROR_AUTH_LOGIN; goto free_sasl_conn; case 553: case 554: res = MAILSMTP_ERROR_AUTH_AUTHENTICATION_FAILED; goto free_sasl_conn; case 334: { size_t response_len; char * decoded; unsigned int decoded_len; unsigned int max_decoded; char * p; p = strchr(session->response, '\r'); if (p != NULL) { * p = '\0'; } p = strchr(session->response, '\n'); if (p != NULL) { * p = '\0'; } response_len = strlen(session->response); max_decoded = response_len * 3 / 4; decoded = malloc(max_decoded + 1); if (decoded == NULL) { res = MAILSMTP_ERROR_MEMORY; goto free_sasl_conn; } r = sasl_decode64(session->response, response_len, decoded, max_decoded + 1, &decoded_len); if (r != SASL_OK) { free(decoded); res = MAILSMTP_ERROR_MEMORY; goto free_sasl_conn; } r = sasl_client_step(session->smtp_sasl.sasl_conn, decoded, decoded_len, NULL, &sasl_out, &sasl_out_len); free(decoded); if ((r != SASL_CONTINUE) && (r != SASL_OK)) { res = MAILSMTP_ERROR_AUTH_LOGIN; goto free_sasl_conn; } max_encoded = ((sasl_out_len + 2) / 3) * 4; encoded = malloc(max_encoded + 1); if (encoded == NULL) { res = MAILSMTP_ERROR_MEMORY; goto free_sasl_conn; } r = sasl_encode64(sasl_out, sasl_out_len, encoded, max_encoded + 1, &encoded_len); if (r != SASL_OK) { free(encoded); res = MAILSMTP_ERROR_MEMORY; goto free_sasl_conn; } snprintf(command, SMTP_STRING_SIZE, "%s\r\n", encoded); r = send_command(session, command); free(encoded); if (r == -1) { res = MAILSMTP_ERROR_STREAM; goto free_sasl_conn; } } break; default: res = auth_map_errors(r); goto free_sasl_conn; } } res = MAILSMTP_NO_ERROR; free_sasl_conn: sasl_dispose((sasl_conn_t **) &session->smtp_sasl.sasl_conn); session->smtp_sasl.sasl_conn = NULL; mailsasl_unref(); free_secret: free(session->smtp_sasl.sasl_secret); session->smtp_sasl.sasl_secret = NULL; err: return res; #else return MAILSMTP_ERROR_NOT_IMPLEMENTED; #endif }
static int login(struct backend *s, const char *userid, sasl_callback_t *cb, const char **status, int noauth __attribute__((unused))) { int r = 0; socklen_t addrsize; struct sockaddr_storage saddr_l, saddr_r; char remoteip[60], localip[60]; static struct buf buf = BUF_INITIALIZER; sasl_security_properties_t secprops = { 0, 0xFF, PROT_BUFSIZE, 0, NULL, NULL }; /* default secprops */ const char *mech_conf, *pass, *clientout = NULL; struct auth_scheme_t *scheme = NULL; unsigned need_tls = 0, tls_done = 0, auth_done = 0, clientoutlen; hdrcache_t hdrs = NULL; if (status) *status = NULL; /* set the IP addresses */ addrsize = sizeof(struct sockaddr_storage); if (getpeername(s->sock, (struct sockaddr *) &saddr_r, &addrsize) || iptostring((struct sockaddr *) &saddr_r, addrsize, remoteip, 60)) { if (status) *status = "Failed to get remote IP address"; return SASL_FAIL; } addrsize = sizeof(struct sockaddr_storage); if (getsockname(s->sock, (struct sockaddr *) &saddr_l, &addrsize) || iptostring((struct sockaddr *) &saddr_l, addrsize, localip, 60)) { if (status) *status = "Failed to get local IP address"; return SASL_FAIL; } /* Create callbacks, if necessary */ if (!cb) { buf_setmap(&buf, s->hostname, strcspn(s->hostname, ".")); buf_appendcstr(&buf, "_password"); pass = config_getoverflowstring(buf_cstring(&buf), NULL); if (!pass) pass = config_getstring(IMAPOPT_PROXY_PASSWORD); cb = mysasl_callbacks(NULL, /* userid */ config_getstring(IMAPOPT_PROXY_AUTHNAME), config_getstring(IMAPOPT_PROXY_REALM), pass); s->sasl_cb = cb; } /* Create SASL context */ r = sasl_client_new(s->prot->sasl_service, s->hostname, localip, remoteip, cb, SASL_USAGE_FLAGS, &s->saslconn); if (r != SASL_OK) goto done; r = sasl_setprop(s->saslconn, SASL_SEC_PROPS, &secprops); if (r != SASL_OK) goto done; /* Get SASL mechanism list. We can force a particular mechanism using a <shorthost>_mechs option */ buf_setmap(&buf, s->hostname, strcspn(s->hostname, ".")); buf_appendcstr(&buf, "_mechs"); if (!(mech_conf = config_getoverflowstring(buf_cstring(&buf), NULL))) { mech_conf = config_getstring(IMAPOPT_FORCE_SASL_CLIENT_MECH); } do { unsigned code; const char **hdr, *errstr, *serverin; char base64[BASE64_BUF_SIZE+1]; unsigned int serverinlen; struct body_t resp_body; #ifdef SASL_HTTP_REQUEST sasl_http_request_t httpreq = { "OPTIONS", /* Method */ "*", /* URI */ (u_char *) "", /* Empty body */ 0, /* Zero-length body */ 0 }; /* Persistent cxn? */ #endif /* Base64 encode any client response, if necessary */ if (clientout && scheme && (scheme->flags & AUTH_BASE64)) { r = sasl_encode64(clientout, clientoutlen, base64, BASE64_BUF_SIZE, &clientoutlen); if (r != SASL_OK) break; clientout = base64; } /* Send Authorization and/or Upgrade request to server */ prot_puts(s->out, "OPTIONS * HTTP/1.1\r\n"); prot_printf(s->out, "Host: %s\r\n", s->hostname); prot_printf(s->out, "User-Agent: %s\r\n", buf_cstring(&serverinfo)); if (scheme) { prot_printf(s->out, "Authorization: %s %s\r\n", scheme->name, clientout ? clientout : ""); prot_printf(s->out, "Authorize-As: %s\r\n", userid ? userid : "anonymous"); } else { prot_printf(s->out, "Upgrade: %s\r\n", TLS_VERSION); if (need_tls) { prot_puts(s->out, "Connection: Upgrade\r\n"); need_tls = 0; } prot_puts(s->out, "Authorization: \r\n"); } prot_puts(s->out, "\r\n"); prot_flush(s->out); serverin = clientout = NULL; serverinlen = clientoutlen = 0; /* Read response(s) from backend until final response or error */ do { resp_body.flags = BODY_DISCARD; r = http_read_response(s, METH_OPTIONS, &code, NULL, &hdrs, &resp_body, &errstr); if (r) { if (status) *status = errstr; break; } if (code == 101) { /* Switching Protocols */ if (tls_done) { r = HTTP_BAD_GATEWAY; if (status) *status = "TLS already active"; break; } else if (backend_starttls(s, NULL, NULL, NULL)) { r = HTTP_SERVER_ERROR; if (status) *status = "Unable to start TLS"; break; } else tls_done = 1; } } while (code < 200); switch (code) { default: /* Failure */ if (!r) { r = HTTP_BAD_GATEWAY; if (status) { buf_reset(&buf); buf_printf(&buf, "Unexpected status code from backend: %u", code); *status = buf_cstring(&buf); } } break; case 426: /* Upgrade Required */ if (tls_done) { r = HTTP_BAD_GATEWAY; if (status) *status = "TLS already active"; } else need_tls = 1; break; case 200: /* OK */ if (scheme->recv_success && (serverin = scheme->recv_success(hdrs))) { /* Process success data */ serverinlen = strlen(serverin); goto challenge; } break; case 401: /* Unauthorized */ if (auth_done) { r = SASL_BADAUTH; break; } if (!serverin) { int i = 0; hdr = spool_getheader(hdrs, "WWW-Authenticate"); if (!scheme) { unsigned avail_auth_schemes = 0; const char *mech = NULL; size_t len; /* Compare authentication schemes offered in * WWW-Authenticate header(s) to what we support */ buf_reset(&buf); for (i = 0; hdr && hdr[i]; i++) { len = strcspn(hdr[i], " "); for (scheme = auth_schemes; scheme->name; scheme++) { if (!strncmp(scheme->name, hdr[i], len) && !((scheme->flags & AUTH_NEED_PERSIST) && (resp_body.flags & BODY_CLOSE))) { /* Tag the scheme as available */ avail_auth_schemes |= (1 << scheme->idx); /* Add SASL-based schemes to SASL mech list */ if (scheme->saslmech) { if (buf_len(&buf)) buf_putc(&buf, ' '); buf_appendcstr(&buf, scheme->saslmech); } break; } } } /* If we have a mech_conf, use it */ if (mech_conf && buf_len(&buf)) { char *conf = xstrdup(mech_conf); char *newmechlist = intersect_mechlists(conf, (char *) buf_cstring(&buf)); if (newmechlist) { buf_setcstr(&buf, newmechlist); free(newmechlist); } else { syslog(LOG_DEBUG, "%s did not offer %s", s->hostname, mech_conf); buf_reset(&buf); } free(conf); } #ifdef SASL_HTTP_REQUEST /* Set HTTP request as specified above (REQUIRED) */ httpreq.non_persist = (resp_body.flags & BODY_CLOSE); sasl_setprop(s->saslconn, SASL_HTTP_REQUEST, &httpreq); #endif /* Try to start SASL exchange using available mechs */ r = sasl_client_start(s->saslconn, buf_cstring(&buf), NULL, /* no prompts */ NULL, NULL, /* no initial resp */ &mech); if (mech) { /* Find auth scheme associated with chosen SASL mech */ for (scheme = auth_schemes; scheme->name; scheme++) { if (scheme->saslmech && !strcmp(scheme->saslmech, mech)) break; } } else { /* No matching SASL mechs - try Basic */ scheme = &auth_schemes[AUTH_BASIC]; if (!(avail_auth_schemes & (1 << scheme->idx))) { need_tls = !tls_done; break; /* case 401 */ } } /* Find the associated WWW-Authenticate header */ for (i = 0; hdr && hdr[i]; i++) { len = strcspn(hdr[i], " "); if (!strncmp(scheme->name, hdr[i], len)) break; } } /* Get server challenge, if any */ if (hdr) { const char *p = strchr(hdr[i], ' '); serverin = p ? ++p : ""; serverinlen = strlen(serverin); } } challenge: if (serverin) { /* Perform the next step in the auth exchange */ if (scheme->idx == AUTH_BASIC) { /* Don't care about "realm" in server challenge */ const char *authid = callback_getdata(s->saslconn, cb, SASL_CB_AUTHNAME); pass = callback_getdata(s->saslconn, cb, SASL_CB_PASS); buf_reset(&buf); buf_printf(&buf, "%s:%s", authid, pass); clientout = buf_cstring(&buf); clientoutlen = buf_len(&buf); auth_done = 1; } else { /* Base64 decode any server challenge, if necessary */ if (serverin && (scheme->flags & AUTH_BASE64)) { r = sasl_decode64(serverin, serverinlen, base64, BASE64_BUF_SIZE, &serverinlen); if (r != SASL_OK) break; /* case 401 */ serverin = base64; } /* SASL mech (Digest, Negotiate, NTLM) */ r = sasl_client_step(s->saslconn, serverin, serverinlen, NULL, /* no prompts */ &clientout, &clientoutlen); if (r == SASL_OK) auth_done = 1; } } break; /* case 401 */ } } while (need_tls || clientout); done: if (hdrs) spool_free_hdrcache(hdrs); if (r && status && !*status) *status = sasl_errstring(r, NULL, NULL); return r; }
/* * mgmt_get_main_config() loads main configuration * from scf into a node tree. * Main configuration includes: admin/target/tpgt/initiator info. * admin info is stored in "iscsitgt" property group * target info is stored in "target_<name>" property group * initiator info is stored in "initiator_<name>" property group * tpgt info is stored in "tpgt_<number>" property group */ Boolean_t mgmt_get_main_config(tgt_node_t **node) { targ_scf_t *h = NULL; scf_property_t *prop = NULL; scf_value_t *value = NULL; scf_iter_t *iter = NULL; scf_iter_t *iter_v = NULL; scf_iter_t *iter_pv = NULL; char pname[32]; char valuebuf[MAXPATHLEN]; char passcode[32]; unsigned int outlen; tgt_node_t *n; tgt_node_t *pn; tgt_node_t *vn; Boolean_t status = False; h = mgmt_handle_init(); if (h == NULL) return (status); prop = scf_property_create(h->t_handle); value = scf_value_create(h->t_handle); iter = scf_iter_create(h->t_handle); (void) pthread_mutex_lock(&scf_conf_mutex); /* Basic Information is stored in iscsitgt pg */ if (scf_service_get_pg(h->t_service, "iscsitgt", h->t_pg) == -1) { goto error; } *node = NULL; *node = tgt_node_alloc("main_config", String, NULL); if (*node == NULL) goto error; if (scf_iter_pg_properties(iter, h->t_pg) == -1) { goto error; } while (scf_iter_next_property(iter, prop) > 0) { scf_property_get_value(prop, value); scf_value_get_as_string(value, valuebuf, MAXPATHLEN); scf_property_get_name(prop, pname, sizeof (pname)); /* avoid load auth to incore data */ if (strcmp(pname, ISCSI_READ_AUTHNAME) == 0 || strcmp(pname, ISCSI_MODIFY_AUTHNAME) == 0 || strcmp(pname, ISCSI_VALUE_AUTHNAME) == 0) continue; n = tgt_node_alloc(pname, String, valuebuf); if (n == NULL) goto error; /* put version info into root node's attr */ if (strcmp(pname, XML_ELEMENT_VERS) == 0) { tgt_node_add_attr(*node, n); } else { /* add other basic info into root node */ tgt_node_add(*node, n); } } /* * targets/initiators/tpgt information is * stored as type "configuration" in scf * each target's param is stored as type "parameter" */ if (scf_iter_service_pgs_typed(iter, h->t_service, "configuration") == -1) { goto error; } while (scf_iter_next_pg(iter, h->t_pg) > 0) { char *iname; scf_pg_get_name(h->t_pg, pname, sizeof (pname)); iname = strchr(pname, '_'); if (iname == NULL) { /* the pg found here is not a tgt/initiator/tpgt */ continue; } *iname = '\0'; iname++; /* * now pname is "target" or "initiator" or "tpgt" * meanwhile iname is the actual name of the item */ n = tgt_node_alloc(pname, String, iname); if (n == NULL) goto error; iter_v = scf_iter_create(h->t_handle); if (scf_iter_pg_properties(iter_v, h->t_pg) == -1) { goto error; } while (scf_iter_next_property(iter_v, prop) > 0) { /* there may be many values in one property */ char *vname; scf_property_get_name(prop, pname, sizeof (pname)); /* avoid load auth to incore data */ if (strcmp(pname, ISCSI_READ_AUTHNAME) == 0 || strcmp(pname, ISCSI_MODIFY_AUTHNAME) == 0 || strcmp(pname, ISCSI_VALUE_AUTHNAME) == 0) continue; vname = strstr(pname, "-list"); if (vname == NULL) { scf_property_get_value(prop, value); scf_value_get_as_string(value, valuebuf, MAXPATHLEN); pn = tgt_node_alloc(pname, String, valuebuf); if (pn == NULL) goto error; tgt_node_add(n, pn); } else { pn = tgt_node_alloc(pname, String, NULL); if (pn == NULL) goto error; tgt_node_add(n, pn); *vname = '\0'; iter_pv = scf_iter_create(h->t_handle); scf_iter_property_values(iter_pv, prop); while (scf_iter_next_value(iter_pv, value) > 0) { scf_value_get_as_string(value, valuebuf, MAXPATHLEN); vn = tgt_node_alloc(pname, String, valuebuf); if (vn == NULL) goto error; tgt_node_add(pn, vn); } scf_iter_destroy(iter_pv); iter_pv = NULL; } } tgt_node_add(*node, n); scf_iter_destroy(iter_v); iter_v = NULL; } /* chap-secrets are stored in "passwords" pgroup as "application" */ if (scf_service_get_pg(h->t_service, "passwords", h->t_pg) == 0) { if (scf_iter_pg_properties(iter, h->t_pg) == -1) { goto error; } while (scf_iter_next_property(iter, prop) > 0) { scf_property_get_value(prop, value); scf_value_get_as_string(value, valuebuf, MAXPATHLEN); scf_property_get_name(prop, pname, sizeof (pname)); /* avoid load auth to incore data */ if (strcmp(pname, ISCSI_READ_AUTHNAME) == 0 || strcmp(pname, ISCSI_MODIFY_AUTHNAME) == 0 || strcmp(pname, ISCSI_VALUE_AUTHNAME) == 0) continue; /* max length of decoded passwd is 16B */ sasl_decode64(valuebuf, strlen(valuebuf), passcode, sizeof (passcode), &outlen); if (strcmp(pname, "radius") == 0) { pn = tgt_node_alloc(XML_ELEMENT_RAD_SECRET, String, passcode); tgt_node_add(*node, pn); } else if (strcmp(pname, "main") == 0) { pn = tgt_node_alloc(XML_ELEMENT_CHAPSECRET, String, passcode); tgt_node_add(*node, pn); } else { /* find corresponding initiator */ n = NULL; while (n = tgt_node_next_child(*node, XML_ELEMENT_INIT, n)) { if (strcmp(pname + 2, n->x_value) != 0) continue; pn = tgt_node_alloc( XML_ELEMENT_CHAPSECRET, String, passcode); tgt_node_add(n, pn); } } } } status = True; error: if ((status != True) && (*node != NULL)) tgt_node_free(*node); (void) pthread_mutex_unlock(&scf_conf_mutex); if (iter_pv != NULL) scf_iter_destroy(iter_pv); if (iter_v != NULL) scf_iter_destroy(iter_v); scf_iter_destroy(iter); scf_value_destroy(value); scf_property_destroy(prop); mgmt_handle_fini(h); return (status); }
static int smtp_auth_sasl (CONNECTION* conn, const char* mechlist) { sasl_conn_t* saslconn; sasl_interact_t* interaction = NULL; const char* mech; const char* data = NULL; unsigned int len; char buf[HUGE_STRING]; int rc, saslrc; if (mutt_sasl_client_new (conn, &saslconn) < 0) return SMTP_AUTH_FAIL; do { rc = sasl_client_start (saslconn, mechlist, &interaction, &data, &len, &mech); if (rc == SASL_INTERACT) mutt_sasl_interact (interaction); } while (rc == SASL_INTERACT); if (rc != SASL_OK && rc != SASL_CONTINUE) { dprint (2, (debugfile, "smtp_auth_sasl: %s unavailable\n", mech)); sasl_dispose (&saslconn); return SMTP_AUTH_UNAVAIL; } if (!option(OPTNOCURSES)) mutt_message (_("Authenticating (%s)..."), mech); snprintf (buf, sizeof (buf), "AUTH %s", mech); if (len) { safe_strcat (buf, sizeof (buf), " "); if (sasl_encode64 (data, len, buf + mutt_strlen (buf), sizeof (buf) - mutt_strlen (buf), &len) != SASL_OK) { dprint (1, (debugfile, "smtp_auth_sasl: error base64-encoding client response.\n")); goto fail; } } safe_strcat (buf, sizeof (buf), "\r\n"); do { if (mutt_socket_write (conn, buf) < 0) goto fail; if ((rc = mutt_socket_readln (buf, sizeof (buf), conn)) < 0) goto fail; if (smtp_code (buf, rc, &rc) < 0) goto fail; if (rc != smtp_ready) break; if (sasl_decode64 (buf+4, strlen (buf+4), buf, sizeof (buf), &len) != SASL_OK) { dprint (1, (debugfile, "smtp_auth_sasl: error base64-decoding server response.\n")); goto fail; } do { saslrc = sasl_client_step (saslconn, buf, len, &interaction, &data, &len); if (saslrc == SASL_INTERACT) mutt_sasl_interact (interaction); } while (saslrc == SASL_INTERACT); if (len) { if (sasl_encode64 (data, len, buf, sizeof (buf), &len) != SASL_OK) { dprint (1, (debugfile, "smtp_auth_sasl: error base64-encoding client response.\n")); goto fail; } } strfcpy (buf + len, "\r\n", sizeof (buf) - len); } while (rc == smtp_ready && saslrc != SASL_FAIL); if (smtp_success (rc)) { mutt_sasl_setup_conn (conn, saslconn); return SMTP_AUTH_SUCCESS; } fail: sasl_dispose (&saslconn); return SMTP_AUTH_FAIL; }
bool _mongoc_cyrus_step (mongoc_cyrus_t *sasl, const uint8_t *inbuf, uint32_t inbuflen, uint8_t *outbuf, uint32_t outbufmax, uint32_t *outbuflen, bson_error_t *error) { const char *raw = NULL; unsigned rawlen = 0; int status; BSON_ASSERT (sasl); BSON_ASSERT (inbuf); BSON_ASSERT (outbuf); BSON_ASSERT (outbuflen); TRACE ("Running %d, inbuflen: %" PRIu32, sasl->step, inbuflen); sasl->step++; if (sasl->step == 1) { return _mongoc_cyrus_start (sasl, outbuf, outbufmax, outbuflen, error); } else if (sasl->step >= 10) { bson_set_error (error, MONGOC_ERROR_SASL, SASL_NOTDONE, "SASL Failure: maximum steps detected"); return false; } TRACE ("Running %d, inbuflen: %" PRIu32, sasl->step, inbuflen); if (!inbuflen) { bson_set_error (error, MONGOC_ERROR_SASL, MONGOC_ERROR_CLIENT_AUTHENTICATE, "SASL Failure: no payload provided from server: %s", sasl_errdetail (sasl->conn)); return false; } status = sasl_decode64 ( (char *) inbuf, inbuflen, (char *) outbuf, outbufmax, outbuflen); if (_mongoc_cyrus_is_failure (status, error)) { return false; } TRACE ("%s", "Running client_step"); status = sasl_client_step ( sasl->conn, (char *) outbuf, *outbuflen, &sasl->interact, &raw, &rawlen); TRACE ("%s sent a client step", status == SASL_OK ? "Successfully" : "UNSUCCESSFULLY"); if (_mongoc_cyrus_is_failure (status, error)) { return false; } status = sasl_encode64 (raw, rawlen, (char *) outbuf, outbufmax, outbuflen); if (_mongoc_cyrus_is_failure (status, error)) { return false; } return true; }