/* mutt_sasl_client_new: wrapper for sasl_client_new which also sets various
* security properties. If this turns out to be fine for POP too we can
* probably stop exporting mutt_sasl_get_callbacks(). */
int mutt_sasl_client_new (CONNECTION* conn, sasl_conn_t** saslconn)
{
sasl_security_properties_t secprops;
struct sockaddr_storage local, remote;
socklen_t size;
char iplocalport[IP_PORT_BUFLEN], ipremoteport[IP_PORT_BUFLEN];
char* plp = NULL;
char* prp = NULL;
const char* service;
int rc;
if (mutt_sasl_start () != SASL_OK)
return -1;
switch (conn->account.type)
{
case M_ACCT_TYPE_IMAP:
service = "imap";
break;
case M_ACCT_TYPE_POP:
service = "pop";
break;
case M_ACCT_TYPE_SMTP:
service = "smtp";
break;
default:
mutt_error (_("Unknown SASL profile"));
return -1;
}
size = sizeof (local);
if (!getsockname (conn->fd, (struct sockaddr *)&local, &size)) {
if (!iptostring((struct sockaddr *)&local, size, iplocalport,
IP_PORT_BUFLEN) != SASL_OK)
plp = iplocalport;
else
dprint (2, (debugfile, "SASL failed to parse local IP address\n"));
}
else
dprint (2, (debugfile, "SASL failed to get local IP address\n"));
size = sizeof (remote);
if (!getpeername (conn->fd, (struct sockaddr *)&remote, &size)){
if (!iptostring((struct sockaddr *)&remote, size, ipremoteport,
IP_PORT_BUFLEN) != SASL_OK)
prp = ipremoteport;
else
dprint (2, (debugfile, "SASL failed to parse remote IP address\n"));
}
else
dprint (2, (debugfile, "SASL failed to get remote IP address\n"));
dprint (2, (debugfile, "SASL local ip: %s, remote ip:%s\n", NONULL(plp),
NONULL(prp)));
rc = sasl_client_new (service, conn->account.host, plp, prp,
mutt_sasl_get_callbacks (&conn->account), 0, saslconn);
if (rc != SASL_OK)
{
mutt_error (_("Error allocating SASL connection"));
return -1;
}
memset (&secprops, 0, sizeof (secprops));
/* Work around a casting bug in the SASL krb4 module */
secprops.max_ssf = 0x7fff;
secprops.maxbufsize = M_SASL_MAXBUF;
if (sasl_setprop (*saslconn, SASL_SEC_PROPS, &secprops) != SASL_OK)
{
mutt_error (_("Error setting SASL security properties"));
return -1;
}
if (conn->ssf)
{
/* I'm not sure this actually has an effect, at least with SASLv2 */
dprint (2, (debugfile, "External SSF: %d\n", conn->ssf));
if (sasl_setprop (*saslconn, SASL_SSF_EXTERNAL, &(conn->ssf)) != SASL_OK)
{
mutt_error (_("Error setting SASL external security strength"));
return -1;
}
}
if (conn->account.user[0])
{
dprint (2, (debugfile, "External authentication name: %s\n", conn->account.user));
if (sasl_setprop (*saslconn, SASL_AUTH_EXTERNAL, conn->account.user) != SASL_OK)
{
mutt_error (_("Error setting SASL external user name"));
return -1;
}
}
return 0;
}
static int backend_authenticate(struct backend *s, const char *userid,
sasl_callback_t *cb, const char **status)
{
struct protocol_t *prot = s->prot;
int r;
char *mechlist;
sasl_security_properties_t secprops =
{ 0, 0xFF, PROT_BUFSIZE, 0, NULL, NULL }; /* default secprops */
struct sockaddr_storage saddr_l, saddr_r;
char remoteip[60], localip[60];
socklen_t addrsize;
int local_cb = 0;
char buf[2048], optstr[128], *p;
const char *mech_conf, *pass;
/* set the IP addresses */
addrsize=sizeof(struct sockaddr_storage);
if (getpeername(s->sock, (struct sockaddr *)&saddr_r, &addrsize) != 0)
return SASL_FAIL;
if(iptostring((struct sockaddr *)&saddr_r, addrsize, remoteip, 60) != 0)
return SASL_FAIL;
addrsize=sizeof(struct sockaddr_storage);
if (getsockname(s->sock, (struct sockaddr *)&saddr_l, &addrsize)!=0)
return SASL_FAIL;
if(iptostring((struct sockaddr *)&saddr_l, addrsize, localip, 60) != 0)
return SASL_FAIL;
if (!cb) {
local_cb = 1;
strlcpy(optstr, s->hostname, sizeof(optstr));
p = strchr(optstr, '.');
if (p) *p = '\0';
strlcat(optstr, "_password", sizeof(optstr));
pass = config_getoverflowstring(optstr, NULL);
if(!pass) pass = config_getstring(IMAPOPT_PROXY_PASSWORD);
cb = mysasl_callbacks(userid,
config_getstring(IMAPOPT_PROXY_AUTHNAME),
config_getstring(IMAPOPT_PROXY_REALM),
pass);
}
/* Require proxying if we have an "interesting" userid (authzid) */
r = sasl_client_new(prot->sasl_service, s->hostname, localip, remoteip, cb,
(userid && *userid ? SASL_NEED_PROXY : 0) |
(prot->sasl_cmd.parse_success ? SASL_SUCCESS_DATA : 0),
&s->saslconn);
if (r != SASL_OK)
goto out;
r = sasl_setprop(s->saslconn, SASL_SEC_PROPS, &secprops);
if (r != SASL_OK)
goto out;
/* Get SASL mechanism list. We can force a particular
mechanism using a <shorthost>_mechs option */
strcpy(buf, s->hostname);
p = strchr(buf, '.');
if (p) *p = '\0';
strcat(buf, "_mechs");
mech_conf = config_getoverflowstring(buf, NULL);
if (!mech_conf) {
mech_conf = config_getstring(IMAPOPT_FORCE_SASL_CLIENT_MECH);
}
mechlist = backend_get_cap_params(s, CAPA_AUTH);
do {
/* If we have a mech_conf, use it */
if (mech_conf && mechlist) {
char *conf = xstrdup(mech_conf);
char *newmechlist = intersect_mechlists( conf, mechlist );
if ( newmechlist == NULL ) {
syslog( LOG_INFO, "%s did not offer %s", s->hostname,
mech_conf );
}
free(conf);
free(mechlist);
mechlist = newmechlist;
}
if (mechlist) {
/* we now do the actual SASL exchange */
saslclient(s->saslconn, &prot->sasl_cmd, mechlist,
s->in, s->out, &r, status);
/* garbage collect */
free(mechlist);
mechlist = NULL;
}
else r = SASL_NOMECH;
/* If we don't have a usable mech, do TLS and try again */
} while (r == SASL_NOMECH &&
CAPA(s, CAPA_STARTTLS) &&
do_starttls(s) != -1 &&
(mechlist = backend_get_cap_params(s, CAPA_AUTH)));
if (r == SASL_OK) {
prot_setsasl(s->in, s->saslconn);
prot_setsasl(s->out, s->saslconn);
}
if (mechlist) free(mechlist);
out:
/* r == SASL_OK on success */
if (local_cb) free_callbacks(cb);
return r;
}
/*
* Initialize SASL and set necessary options
*/
int init_sasl(isieve_t *obj,
int ssf,
sasl_callback_t *callbacks)
{
static int sasl_started = 0;
int saslresult = SASL_OK;
sasl_security_properties_t *secprops=NULL;
socklen_t addrsize=sizeof(struct sockaddr_storage);
struct sockaddr_storage saddr_l, saddr_r;
char localip[60], remoteip[60];
/* attempt to start sasl */
if(!sasl_started) {
saslresult=sasl_client_init(NULL);
obj->conn = NULL;
sasl_started = 1;
}
/* Save the callbacks array */
obj->callbacks = callbacks;
if (saslresult!=SASL_OK) return -1;
addrsize=sizeof(struct sockaddr_storage);
if (getpeername(obj->sock,(struct sockaddr *)&saddr_r,&addrsize)!=0)
return -1;
addrsize=sizeof(struct sockaddr_storage);
if (getsockname(obj->sock,(struct sockaddr *)&saddr_l,&addrsize)!=0)
return -1;
#if 0
/* XXX The following line causes problems with KERBEROS_V4 decoding.
* We're not sure why its an issue, but this code isn't used in any of
* our other client code (imtest.c, backend.c), so we're removing it.
*/
/* set the port manually since getsockname is stupid and doesn't */
((struct sockaddr_in *)&saddr_l)->sin_port = htons(obj->port);
#endif
if (iptostring((struct sockaddr *)&saddr_r, addrsize, remoteip, 60))
return -1;
if (iptostring((struct sockaddr *)&saddr_l, addrsize, localip, 60))
return -1;
if(obj->conn) sasl_dispose(&obj->conn);
/* client new connection */
saslresult=sasl_client_new(SIEVE_SERVICE_NAME,
obj->serverFQDN,
localip, remoteip,
callbacks,
SASL_SUCCESS_DATA,
&obj->conn);
if (saslresult!=SASL_OK) return -1;
/* create a security structure and give it to sasl */
secprops = make_secprops(0, ssf);
if (secprops != NULL)
{
sasl_setprop(obj->conn, SASL_SEC_PROPS, secprops);
free(secprops);
}
return 0;
}
static int login(struct backend *s, const char *userid,
sasl_callback_t *cb, const char **status,
int noauth __attribute__((unused)))
{
int r = 0;
socklen_t addrsize;
struct sockaddr_storage saddr_l, saddr_r;
char remoteip[60], localip[60];
static struct buf buf = BUF_INITIALIZER;
sasl_security_properties_t secprops =
{ 0, 0xFF, PROT_BUFSIZE, 0, NULL, NULL }; /* default secprops */
const char *mech_conf, *pass, *clientout = NULL;
struct auth_scheme_t *scheme = NULL;
unsigned need_tls = 0, tls_done = 0, auth_done = 0, clientoutlen;
hdrcache_t hdrs = NULL;
if (status) *status = NULL;
/* set the IP addresses */
addrsize = sizeof(struct sockaddr_storage);
if (getpeername(s->sock, (struct sockaddr *) &saddr_r, &addrsize) ||
iptostring((struct sockaddr *) &saddr_r, addrsize, remoteip, 60)) {
if (status) *status = "Failed to get remote IP address";
return SASL_FAIL;
}
addrsize = sizeof(struct sockaddr_storage);
if (getsockname(s->sock, (struct sockaddr *) &saddr_l, &addrsize) ||
iptostring((struct sockaddr *) &saddr_l, addrsize, localip, 60)) {
if (status) *status = "Failed to get local IP address";
return SASL_FAIL;
}
/* Create callbacks, if necessary */
if (!cb) {
buf_setmap(&buf, s->hostname, strcspn(s->hostname, "."));
buf_appendcstr(&buf, "_password");
pass = config_getoverflowstring(buf_cstring(&buf), NULL);
if (!pass) pass = config_getstring(IMAPOPT_PROXY_PASSWORD);
cb = mysasl_callbacks(NULL, /* userid */
config_getstring(IMAPOPT_PROXY_AUTHNAME),
config_getstring(IMAPOPT_PROXY_REALM),
pass);
s->sasl_cb = cb;
}
/* Create SASL context */
r = sasl_client_new(s->prot->sasl_service, s->hostname,
localip, remoteip, cb, SASL_USAGE_FLAGS, &s->saslconn);
if (r != SASL_OK) goto done;
r = sasl_setprop(s->saslconn, SASL_SEC_PROPS, &secprops);
if (r != SASL_OK) goto done;
/* Get SASL mechanism list. We can force a particular
mechanism using a <shorthost>_mechs option */
buf_setmap(&buf, s->hostname, strcspn(s->hostname, "."));
buf_appendcstr(&buf, "_mechs");
if (!(mech_conf = config_getoverflowstring(buf_cstring(&buf), NULL))) {
mech_conf = config_getstring(IMAPOPT_FORCE_SASL_CLIENT_MECH);
}
do {
unsigned code;
const char **hdr, *errstr, *serverin;
char base64[BASE64_BUF_SIZE+1];
unsigned int serverinlen;
struct body_t resp_body;
#ifdef SASL_HTTP_REQUEST
sasl_http_request_t httpreq = { "OPTIONS", /* Method */
"*", /* URI */
(u_char *) "", /* Empty body */
0, /* Zero-length body */
0 }; /* Persistent cxn? */
#endif
/* Base64 encode any client response, if necessary */
if (clientout && scheme && (scheme->flags & AUTH_BASE64)) {
r = sasl_encode64(clientout, clientoutlen,
base64, BASE64_BUF_SIZE, &clientoutlen);
if (r != SASL_OK) break;
clientout = base64;
}
/* Send Authorization and/or Upgrade request to server */
prot_puts(s->out, "OPTIONS * HTTP/1.1\r\n");
prot_printf(s->out, "Host: %s\r\n", s->hostname);
prot_printf(s->out, "User-Agent: %s\r\n", buf_cstring(&serverinfo));
if (scheme) {
prot_printf(s->out, "Authorization: %s %s\r\n",
scheme->name, clientout ? clientout : "");
prot_printf(s->out, "Authorize-As: %s\r\n",
userid ? userid : "anonymous");
}
else {
prot_printf(s->out, "Upgrade: %s\r\n", TLS_VERSION);
if (need_tls) {
prot_puts(s->out, "Connection: Upgrade\r\n");
need_tls = 0;
}
prot_puts(s->out, "Authorization: \r\n");
}
prot_puts(s->out, "\r\n");
prot_flush(s->out);
serverin = clientout = NULL;
serverinlen = clientoutlen = 0;
/* Read response(s) from backend until final response or error */
do {
resp_body.flags = BODY_DISCARD;
r = http_read_response(s, METH_OPTIONS, &code, NULL,
&hdrs, &resp_body, &errstr);
if (r) {
if (status) *status = errstr;
break;
}
if (code == 101) { /* Switching Protocols */
if (tls_done) {
r = HTTP_BAD_GATEWAY;
if (status) *status = "TLS already active";
break;
}
else if (backend_starttls(s, NULL, NULL, NULL)) {
r = HTTP_SERVER_ERROR;
if (status) *status = "Unable to start TLS";
break;
}
else tls_done = 1;
}
} while (code < 200);
switch (code) {
default: /* Failure */
if (!r) {
r = HTTP_BAD_GATEWAY;
if (status) {
buf_reset(&buf);
buf_printf(&buf,
"Unexpected status code from backend: %u", code);
*status = buf_cstring(&buf);
}
}
break;
case 426: /* Upgrade Required */
if (tls_done) {
r = HTTP_BAD_GATEWAY;
if (status) *status = "TLS already active";
}
else need_tls = 1;
break;
case 200: /* OK */
if (scheme->recv_success &&
(serverin = scheme->recv_success(hdrs))) {
/* Process success data */
serverinlen = strlen(serverin);
goto challenge;
}
break;
case 401: /* Unauthorized */
if (auth_done) {
r = SASL_BADAUTH;
break;
}
if (!serverin) {
int i = 0;
hdr = spool_getheader(hdrs, "WWW-Authenticate");
if (!scheme) {
unsigned avail_auth_schemes = 0;
const char *mech = NULL;
size_t len;
/* Compare authentication schemes offered in
* WWW-Authenticate header(s) to what we support */
buf_reset(&buf);
for (i = 0; hdr && hdr[i]; i++) {
len = strcspn(hdr[i], " ");
for (scheme = auth_schemes; scheme->name; scheme++) {
if (!strncmp(scheme->name, hdr[i], len) &&
!((scheme->flags & AUTH_NEED_PERSIST) &&
(resp_body.flags & BODY_CLOSE))) {
/* Tag the scheme as available */
avail_auth_schemes |= (1 << scheme->idx);
/* Add SASL-based schemes to SASL mech list */
if (scheme->saslmech) {
if (buf_len(&buf)) buf_putc(&buf, ' ');
buf_appendcstr(&buf, scheme->saslmech);
}
break;
}
}
}
/* If we have a mech_conf, use it */
if (mech_conf && buf_len(&buf)) {
char *conf = xstrdup(mech_conf);
char *newmechlist =
intersect_mechlists(conf,
(char *) buf_cstring(&buf));
if (newmechlist) {
buf_setcstr(&buf, newmechlist);
free(newmechlist);
}
else {
syslog(LOG_DEBUG, "%s did not offer %s",
s->hostname, mech_conf);
buf_reset(&buf);
}
free(conf);
}
#ifdef SASL_HTTP_REQUEST
/* Set HTTP request as specified above (REQUIRED) */
httpreq.non_persist = (resp_body.flags & BODY_CLOSE);
sasl_setprop(s->saslconn, SASL_HTTP_REQUEST, &httpreq);
#endif
/* Try to start SASL exchange using available mechs */
r = sasl_client_start(s->saslconn, buf_cstring(&buf),
NULL, /* no prompts */
NULL, NULL, /* no initial resp */
&mech);
if (mech) {
/* Find auth scheme associated with chosen SASL mech */
for (scheme = auth_schemes; scheme->name; scheme++) {
if (scheme->saslmech &&
!strcmp(scheme->saslmech, mech)) break;
}
}
else {
/* No matching SASL mechs - try Basic */
scheme = &auth_schemes[AUTH_BASIC];
if (!(avail_auth_schemes & (1 << scheme->idx))) {
need_tls = !tls_done;
break; /* case 401 */
}
}
/* Find the associated WWW-Authenticate header */
for (i = 0; hdr && hdr[i]; i++) {
len = strcspn(hdr[i], " ");
if (!strncmp(scheme->name, hdr[i], len)) break;
}
}
/* Get server challenge, if any */
if (hdr) {
const char *p = strchr(hdr[i], ' ');
serverin = p ? ++p : "";
serverinlen = strlen(serverin);
}
}
challenge:
if (serverin) {
/* Perform the next step in the auth exchange */
if (scheme->idx == AUTH_BASIC) {
/* Don't care about "realm" in server challenge */
const char *authid =
callback_getdata(s->saslconn, cb, SASL_CB_AUTHNAME);
pass = callback_getdata(s->saslconn, cb, SASL_CB_PASS);
buf_reset(&buf);
buf_printf(&buf, "%s:%s", authid, pass);
clientout = buf_cstring(&buf);
clientoutlen = buf_len(&buf);
auth_done = 1;
}
else {
/* Base64 decode any server challenge, if necessary */
if (serverin && (scheme->flags & AUTH_BASE64)) {
r = sasl_decode64(serverin, serverinlen,
base64, BASE64_BUF_SIZE, &serverinlen);
if (r != SASL_OK) break; /* case 401 */
serverin = base64;
}
/* SASL mech (Digest, Negotiate, NTLM) */
r = sasl_client_step(s->saslconn, serverin, serverinlen,
NULL, /* no prompts */
&clientout, &clientoutlen);
if (r == SASL_OK) auth_done = 1;
}
}
break; /* case 401 */
}
} while (need_tls || clientout);
done:
if (hdrs) spool_free_hdrcache(hdrs);
if (r && status && !*status) *status = sasl_errstring(r, NULL, NULL);
return r;
}
/* mutt_sasl_client_new: wrapper for sasl_client_new which also sets various
* security properties. If this turns out to be fine for POP too we can
* probably stop exporting mutt_sasl_get_callbacks(). */
int mutt_sasl_client_new (CONNECTION * conn, sasl_conn_t ** saslconn)
{
sasl_security_properties_t secprops;
struct sockaddr_storage local, remote;
socklen_t size;
char iplocalport[IP_PORT_BUFLEN], ipremoteport[IP_PORT_BUFLEN];
const char *service;
int rc;
if (mutt_sasl_start () != SASL_OK)
return -1;
switch (conn->account.type) {
case M_ACCT_TYPE_IMAP:
service = "imap";
break;
case M_ACCT_TYPE_POP:
service = "pop";
break;
default:
debug_print (1, ("account type unset\n"));
return -1;
}
size = sizeof (local);
if (getsockname (conn->fd, (struct sockaddr *) &local, &size)) {
debug_print (1, ("getsockname for local failed\n"));
return -1;
}
else
if (iptostring
((struct sockaddr *) &local, size, iplocalport,
IP_PORT_BUFLEN) != SASL_OK) {
debug_print (1, ("iptostring for local failed\n"));
return -1;
}
size = sizeof (remote);
if (getpeername (conn->fd, (struct sockaddr *) &remote, &size)) {
debug_print (1, ("getsockname for remote failed\n"));
return -1;
}
else
if (iptostring
((struct sockaddr *) &remote, size, ipremoteport,
IP_PORT_BUFLEN) != SASL_OK) {
debug_print (1, ("iptostring for remote failed\n"));
return -1;
}
debug_print (1, ("local ip: %s, remote ip:%s\n", iplocalport, ipremoteport));
rc =
sasl_client_new (service, conn->account.host, iplocalport, ipremoteport,
mutt_sasl_get_callbacks (&conn->account), 0, saslconn);
if (rc != SASL_OK) {
debug_print (1, ("Error allocating SASL connection\n"));
return -1;
}
/*** set sasl IP properties, necessary for use with krb4 ***/
/* Do we need to fail if this fails? I would assume having these unset
* would just disable KRB4. Who wrote this code?
*/
{
struct sockaddr_in local, remote;
socklen_t size;
size = sizeof (local);
if (getsockname (conn->fd, (struct sockaddr *) &local, &size))
return -1;
size = sizeof (remote);
if (getpeername (conn->fd, (struct sockaddr *) &remote, &size))
return -1;
#ifdef SASL_IP_LOCAL
if (sasl_setprop (*saslconn, SASL_IP_LOCAL, &local) != SASL_OK) {
debug_print (1, ("Error setting local IP address\n"));
return -1;
}
#endif
#ifdef SASL_IP_REMOTE
if (sasl_setprop (*saslconn, SASL_IP_REMOTE, &remote) != SASL_OK) {
debug_print (1, ("Error setting remote IP address\n"));
return -1;
}
#endif
}
/* set security properties. We use NOPLAINTEXT globally, since we can
* just fall back to LOGIN in the IMAP case anyway. If that doesn't
* work for POP, we can make it a flag or move this code into
* imap/auth_sasl.c */
memset (&secprops, 0, sizeof (secprops));
/* Work around a casting bug in the SASL krb4 module */
secprops.max_ssf = 0x7fff;
secprops.maxbufsize = M_SASL_MAXBUF;
secprops.security_flags |= SASL_SEC_NOPLAINTEXT;
if (sasl_setprop (*saslconn, SASL_SEC_PROPS, &secprops) != SASL_OK) {
debug_print (1, ("Error setting security properties\n"));
return -1;
}
if (conn->ssf) {
debug_print (2, ("External SSF: %d\n", conn->ssf));
if (sasl_setprop (*saslconn, SASL_SSF_EXTERNAL, &(conn->ssf)) != SASL_OK)
{
debug_print (1, ("Error setting external properties\n"));
return -1;
}
debug_print (2, ("External authentication name: %s\n", conn->account.user));
if (sasl_setprop (*saslconn, SASL_AUTH_EXTERNAL, conn->account.user) !=
SASL_OK) {
debug_print (1, ("Error setting external properties\n"));
return -1;
}
}
return 0;
}
