int xsasl_cyrus_server_first(XSASL_SERVER *xp, const char *sasl_method,
const char *init_response, VSTRING *reply)
{
const char *myname = "xsasl_cyrus_server_first";
XSASL_CYRUS_SERVER *server = (XSASL_CYRUS_SERVER *) xp;
char *dec_buffer;
unsigned dec_length;
unsigned reply_len;
unsigned serveroutlen;
int sasl_status;
SERVEROUT_TYPE serverout = 0;
int xsasl_status;
#if SASL_VERSION_MAJOR < 2
const char *errstr = 0;
#endif
#define IFELSE(e1,e2,e3) ((e1) ? (e2) : (e3))
if (msg_verbose)
msg_info("%s: sasl_method %s%s%s", myname, sasl_method,
IFELSE(init_response, ", init_response ", ""),
IFELSE(init_response, init_response, ""));
/*
* SASL authentication protocol start-up. Process any initial client
* response that was sent along in the AUTH command.
*/
if (init_response) {
reply_len = strlen(init_response);
VSTRING_RESET(server->decoded); /* Fix 200512 */
VSTRING_SPACE(server->decoded, reply_len);
if ((sasl_status = SASL_DECODE64(init_response, reply_len,
dec_buffer = STR(server->decoded),
vstring_avail(server->decoded),
&dec_length)) != SASL_OK) {
vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
return (XSASL_AUTH_FORM);
}
if (msg_verbose)
msg_info("%s: decoded initial response %s", myname, dec_buffer);
} else {
dec_buffer = 0;
dec_length = 0;
}
sasl_status = SASL_SERVER_START(server->sasl_conn, sasl_method, dec_buffer,
dec_length, &serverout,
&serveroutlen, &errstr);
xsasl_status = xsasl_cyrus_server_auth_response(sasl_status, serverout,
serveroutlen, reply);
#if SASL_VERSION_MAJOR < 2
/* SASL version 1 doesn't free memory that it allocates. */
free(serverout);
#endif
return (xsasl_status);
}
int xsasl_dovecot_server_first(XSASL_SERVER *xp, const char *sasl_method,
const char *init_response, VSTRING *reply)
{
const char *myname = "xsasl_dovecot_server_first";
XSASL_DOVECOT_SERVER *server = (XSASL_DOVECOT_SERVER *) xp;
int i;
char **cpp;
#define IFELSE(e1,e2,e3) ((e1) ? (e2) : (e3))
if (msg_verbose)
msg_info("%s: sasl_method %s%s%s", myname, sasl_method,
IFELSE(init_response, ", init_response ", ""),
IFELSE(init_response, init_response, ""));
if (server->mechanism_argv == 0)
msg_panic("%s: no mechanism list", myname);
for (cpp = server->mechanism_argv->argv; /* see below */ ; cpp++) {
if (*cpp == 0) {
vstring_strcpy(reply, "Invalid authentication mechanism");
return XSASL_AUTH_FAIL;
}
if (strcasecmp(sasl_method, *cpp) == 0)
break;
}
if (init_response)
if (!is_valid_base64(init_response)) {
vstring_strcpy(reply, "Invalid base64 data in initial response");
return XSASL_AUTH_FAIL;
}
for (i = 0; i < 2; i++) {
if (!server->impl->sasl_stream) {
if (xsasl_dovecot_server_connect(server->impl) < 0)
return XSASL_AUTH_TEMP;
}
/* send the request */
server->last_request_id = ++server->impl->request_id_counter;
/* XXX Encapsulate for logging. */
vstream_fprintf(server->impl->sasl_stream,
"AUTH\t%u\t%s\tservice=%s\tnologin\tlip=%s\trip=%s",
server->last_request_id, sasl_method,
server->service, server->server_addr,
server->client_addr);
if (server->tls_flag)
/* XXX Encapsulate for logging. */
vstream_fputs("\tsecured", server->impl->sasl_stream);
if (init_response) {
/*
* initial response is already base64 encoded, so we can send it
* directly.
*/
/* XXX Encapsulate for logging. */
vstream_fprintf(server->impl->sasl_stream,
"\tresp=%s", init_response);
}
/* XXX Encapsulate for logging. */
VSTREAM_PUTC('\n', server->impl->sasl_stream);
if (vstream_fflush(server->impl->sasl_stream) != VSTREAM_EOF)
break;
if (i == 1) {
vstring_strcpy(reply, "Can't connect to authentication server");
return XSASL_AUTH_TEMP;
}
/*
* Reconnect and try again.
*/
xsasl_dovecot_server_disconnect(server->impl);
}
return xsasl_dovecot_handle_reply(server, reply);
}
