sasl.c File Reference

SASL authentication support. More...

#include "config.h"
#include <errno.h>
#include <netdb.h>
#include <sasl/sasl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include "mutt/lib.h"
#include "core/lib.h"
#include "sasl.h"
#include "editor/lib.h"
#include "history/lib.h"
#include "connaccount.h"
#include "connection.h"
#include "globals.h"
#include "module_data.h"

Include dependency graph for sasl.c:

Go to the source code of this file.

Data Structures
struct	SaslSockData
	SASL authentication API -. More...

Macros
#define	MUTT_SASL_MAXBUF   65536
	Maximum size for SASL protection buffer.
#define	IP_PORT_BUFLEN   (NI_MAXHOST + NI_MAXSERV)
	Buffer size for "host;port" string (NI_MAXHOST + NI_MAXSERV)

Functions
bool	sasl_auth_validator (const char *authenticator)
	SASL callback functions, e.g. mutt_sasl_cb_authname(), mutt_sasl_cb_pass()
static int	getnameinfo_err (int rc)
	Convert a getaddrinfo() error code into an SASL error code.
static int	iptostring (const struct sockaddr *addr, socklen_t addrlen, char *out, unsigned int outlen)
	Convert IP Address to string.
static int	mutt_sasl_cb_log (void *context, int priority, const char *message)
	Callback to log SASL messages.
int	mutt_sasl_start (void)
	Initialise SASL library.
static int	mutt_sasl_cb_authname (void *context, int id, const char **result, unsigned int *len)
	Callback to retrieve authname or user from ConnAccount.
static int	mutt_sasl_cb_pass (sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret)
	SASL callback function to get password.
static sasl_callback_t *	mutt_sasl_get_callbacks (struct ConnAccount *cac)
	Get the SASL callback functions.
static int	mutt_sasl_conn_open (struct Connection *conn)
	Empty wrapper for underlying open function - Implements Connection::open() -.
static int	mutt_sasl_conn_close (struct Connection *conn)
	Close SASL connection - Implements Connection::close() -.
static int	mutt_sasl_conn_read (struct Connection *conn, char *buf, size_t count)
	Read data from an SASL connection - Implements Connection::read() -.
static int	mutt_sasl_conn_write (struct Connection *conn, const char *buf, size_t count)
	Write to an SASL connection - Implements Connection::write() -.
static int	mutt_sasl_conn_poll (struct Connection *conn, time_t wait_secs)
	Check if any data is waiting on a socket - Implements Connection::poll() -.
int	mutt_sasl_client_new (struct Connection *conn, sasl_conn_t **saslconn)
	Wrapper for sasl_client_new()
int	mutt_sasl_interact (sasl_interact_t *interaction)
	Perform an SASL interaction with the user.
void	mutt_sasl_setup_conn (struct Connection *conn, sasl_conn_t *saslconn)
	Set up an SASL connection.
void	mutt_sasl_cleanup (void)
	Invoke when processing is complete.

Variables
static const char *const	SaslAuthenticators []
	Authentication methods supported by Cyrus SASL.

Detailed Description

SASL authentication support.

Authors

• Richard Russon
• Ian Zimmerman
• Alejandro Colomar

Copyright

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

Definition in file sasl.c.

Macro Definition Documentation

MUTT_SASL_MAXBUF

#define MUTT_SASL_MAXBUF   65536

Maximum size for SASL protection buffer.

Definition at line 117 of file sasl.c.

IP_PORT_BUFLEN

#define IP_PORT_BUFLEN   (NI_MAXHOST + NI_MAXSERV)

Buffer size for "host;port" string (NI_MAXHOST + NI_MAXSERV)

Definition at line 120 of file sasl.c.

Function Documentation

sasl_auth_validator()

bool sasl_auth_validator

(

const char *

authenticator

)

SASL callback functions, e.g. mutt_sasl_cb_authname(), mutt_sasl_cb_pass()

SASL secret, to store the password Validate an auth method against Cyrus SASL methods

Parameters

authenticator

Name of the authenticator to validate

Return values

true	Argument matches an accepted auth method

Definition at line 133 of file sasl.c.

{
  for (size_t i = 0; i < countof(SaslAuthenticators); i++)
  {
    const char *auth = SaslAuthenticators[i];
    if (mutt_istr_equal(auth, authenticator))
      return true;
  }
 
  return false;
}

Here is the call graph for this function:

Here is the caller graph for this function:

getnameinfo_err()

static int getnameinfo_err ( int rc )

static

Convert a getaddrinfo() error code into an SASL error code.

Parameters

rc	getaddrinfo() error code, e.g. EAI_AGAIN

Return values

num	SASL error code, e.g. SASL_FAIL

Definition at line 150 of file sasl.c.

{
  int err;
  mutt_debug(LL_DEBUG1, "getnameinfo: ");
  switch (rc)
  {
    case EAI_AGAIN:
      mutt_debug(LL_DEBUG1, "The name could not be resolved at this time.  Future attempts may succeed\n");
      err = SASL_TRYAGAIN;
      break;
    case EAI_BADFLAGS:
      mutt_debug(LL_DEBUG1, "The flags had an invalid value\n");
      err = SASL_BADPARAM;
      break;
    case EAI_FAIL:
      mutt_debug(LL_DEBUG1, "A non-recoverable error occurred\n");
      err = SASL_FAIL;
      break;
    case EAI_FAMILY:
      mutt_debug(LL_DEBUG1, "The address family was not recognized or the address length was invalid for the specified family\n");
      err = SASL_BADPROT;
      break;
    case EAI_MEMORY:
      mutt_debug(LL_DEBUG1, "There was a memory allocation failure\n");
      err = SASL_NOMEM;
      break;
    case EAI_NONAME:
      mutt_debug(LL_DEBUG1, "The name does not resolve for the supplied parameters.  "
                            "NI_NAMEREQD is set and the host's name can't be located, or both nodename and servname were null.\n");
      err = SASL_FAIL; /* no real equivalent */
      break;
    case EAI_SYSTEM:
      mutt_debug(LL_DEBUG1, "A system error occurred.  The error code can be found in errno(%d,%s))\n",
                 errno, strerror(errno));
      err = SASL_FAIL; /* no real equivalent */
      break;
    default:
      mutt_debug(LL_DEBUG1, "Unknown error %d\n", rc);
      err = SASL_FAIL; /* no real equivalent */
      break;
  }
  return err;
}

Here is the caller graph for this function:

iptostring()

static int iptostring ( const struct sockaddr * addr, socklen_t addrlen, char * out, unsigned int outlen )

static

Convert IP Address to string.

Parameters

addr	IP address
addrlen	Size of addr struct
out	Buffer for result
outlen	Length of buffer

Return values

num	SASL error code, e.g. SASL_BADPARAM

utility function, copied from sasl2 sample code

Definition at line 204 of file sasl.c.

{
  char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
  int rc;
 
  if (!addr || !out)
    return SASL_BADPARAM;
 
  rc = getnameinfo(addr, addrlen, hbuf, sizeof(hbuf), pbuf, sizeof(pbuf),
                   NI_NUMERICHOST |
#ifdef NI_WITHSCOPEID
                       NI_WITHSCOPEID |
#endif
                       NI_NUMERICSERV);
  if (rc != 0)
    return getnameinfo_err(rc);
 
  if (outlen < strlen(hbuf) + strlen(pbuf) + 2)
    return SASL_BUFOVER;
 
  snprintf(out, outlen, "%s;%s", hbuf, pbuf);
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_cb_log()

static int mutt_sasl_cb_log ( void * context, int priority, const char * message )

static

Callback to log SASL messages.

Parameters

context	Supplied context, always NULL
priority	Debug level
message	Message

Return values

num	SASL_OK, always

Definition at line 237 of file sasl.c.

{
  if (priority == SASL_LOG_NONE)
    return SASL_OK;
 
  int mutt_priority = 0;
  switch (priority)
  {
    case SASL_LOG_TRACE:
    case SASL_LOG_PASS:
      mutt_priority = 5;
      break;
    case SASL_LOG_DEBUG:
    case SASL_LOG_NOTE:
      mutt_priority = 3;
      break;
    case SASL_LOG_FAIL:
    case SASL_LOG_WARN:
      mutt_priority = 2;
      break;
    case SASL_LOG_ERR:
      mutt_priority = 1;
      break;
    default:
      mutt_debug(LL_DEBUG1, "SASL unknown log priority: %s\n", message);
      return SASL_OK;
  }
  mutt_debug(mutt_priority, "SASL: %s\n", message);
  return SASL_OK;
}

Here is the caller graph for this function:

mutt_sasl_start()

int mutt_sasl_start

(

void

)

Initialise SASL library.

Return values

num	SASL error code, e.g. SASL_OK

Call before doing an SASL exchange (initialises library if necessary).

Definition at line 274 of file sasl.c.

{
  static bool sasl_init = false;
 
  static sasl_callback_t callbacks[2];
  int rc;
 
  if (sasl_init)
    return SASL_OK;
 
  /* set up default logging callback */
  callbacks[0].id = SASL_CB_LOG;
  callbacks[0].proc = (int (*)(void))(intptr_t) mutt_sasl_cb_log;
  callbacks[0].context = NULL;
 
  callbacks[1].id = SASL_CB_LIST_END;
  callbacks[1].proc = NULL;
  callbacks[1].context = NULL;
 
  rc = sasl_client_init(callbacks);
 
  if (rc != SASL_OK)
  {
    mutt_debug(LL_DEBUG1, "libsasl initialisation failed\n");
    return SASL_FAIL;
  }
 
  sasl_init = true;
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_cb_authname()

static int mutt_sasl_cb_authname ( void * context, int id, const char ** result, unsigned int * len )

static

Callback to retrieve authname or user from ConnAccount.

Parameters

[in]	context	ConnAccount
[in]	id	Field to get. SASL_CB_USER or SASL_CB_AUTHNAME
[out]	result	Resulting string
[out]	len	Length of result

Return values

num	SASL error code, e.g. SASL_FAIL

Definition at line 314 of file sasl.c.

{
  if (!result)
    return SASL_FAIL;
 
  struct ConnAccount *cac = context;
 
  *result = NULL;
  if (len)
    *len = 0;
 
  if (!cac)
    return SASL_BADPARAM;
 
  mutt_debug(LL_DEBUG2, "getting %s for %s:%u\n",
             (id == SASL_CB_AUTHNAME) ? "authname" : "user", cac->host, cac->port);
 
  if (id == SASL_CB_AUTHNAME)
  {
    if (mutt_account_getlogin(cac) < 0)
      return SASL_FAIL;
    *result = cac->login;
  }
  else
  {
    if (mutt_account_getuser(cac) < 0)
      return SASL_FAIL;
    *result = cac->user;
  }
 
  if (len)
    *len = strlen(*result);
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_cb_pass()

static int mutt_sasl_cb_pass ( sasl_conn_t * conn, void * context, int id, sasl_secret_t ** psecret )

static

SASL callback function to get password.

Parameters

[in]	conn	Connection to a server
[in]	context	ConnAccount
[in]	id	SASL_CB_PASS
[out]	psecret	SASL secret

Return values

num	SASL error code, e.g SASL_FAIL

Definition at line 358 of file sasl.c.

{
  struct ConnAccount *cac = context;
  int len;
 
  if (!cac || !psecret)
    return SASL_BADPARAM;
 
  mutt_debug(LL_DEBUG2, "getting password for %s@%s:%u\n", cac->login, cac->host, cac->port);
 
  if (mutt_account_getpass(cac) < 0)
    return SASL_FAIL;
 
  struct ConnModuleData *mod_data = neomutt_get_module_data(NeoMutt, MODULE_ID_CONN);
  len = strlen(cac->pass);
 
  sasl_secret_t *secret = mod_data->secret_ptr;
  mutt_mem_realloc(&secret, sizeof(sasl_secret_t) + len);
  memcpy((char *) secret->data, cac->pass, (size_t) len);
  secret->len = len;
  mod_data->secret_ptr = secret;
  *psecret = secret;
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_get_callbacks()

static sasl_callback_t * mutt_sasl_get_callbacks ( struct ConnAccount * cac )

static

Get the SASL callback functions.

Parameters

cac	ConnAccount to associate with callbacks

Return values

ptr	Array of callback functions

Definition at line 389 of file sasl.c.

{
  struct ConnModuleData *mod_data = neomutt_get_module_data(NeoMutt, MODULE_ID_CONN);
  if (!mod_data->mutt_sasl_callbacks)
    mod_data->mutt_sasl_callbacks = mutt_mem_calloc(5, sizeof(sasl_callback_t));
 
  sasl_callback_t *callback = mod_data->mutt_sasl_callbacks;
 
  callback->id = SASL_CB_USER;
  callback->proc = (int (*)(void))(intptr_t) mutt_sasl_cb_authname;
  callback->context = cac;
  callback++;
 
  callback->id = SASL_CB_AUTHNAME;
  callback->proc = (int (*)(void))(intptr_t) mutt_sasl_cb_authname;
  callback->context = cac;
  callback++;
 
  callback->id = SASL_CB_PASS;
  callback->proc = (int (*)(void))(intptr_t) mutt_sasl_cb_pass;
  callback->context = cac;
  callback++;
 
  callback->id = SASL_CB_GETREALM;
  callback->proc = NULL;
  callback->context = NULL;
  callback++;
 
  callback->id = SASL_CB_LIST_END;
  callback->proc = NULL;
  callback->context = NULL;
 
  return mod_data->mutt_sasl_callbacks;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_client_new()

int mutt_sasl_client_new	(	struct Connection *	conn,
		sasl_conn_t **	saslconn )

Wrapper for sasl_client_new()

Parameters

[in]	conn	Connection to a server
[out]	saslconn	SASL connection

Return values

0	Success
-1	Error

which also sets various security properties. If this turns out to be fine for POP too we can probably stop exporting mutt_sasl_get_callbacks().

Definition at line 610 of file sasl.c.

{
  if (mutt_sasl_start() != SASL_OK)
    return -1;
 
  if (!conn->account.service)
  {
    mutt_error(_("Unknown SASL profile"));
    return -1;
  }
 
  socklen_t size;
 
  struct sockaddr_storage local = { 0 };
  char iplocalport[IP_PORT_BUFLEN] = { 0 };
  char *plp = NULL;
  size = sizeof(local);
  if (getsockname(conn->fd, (struct sockaddr *) &local, &size) == 0)
  {
    if (iptostring((struct sockaddr *) &local, size, iplocalport, IP_PORT_BUFLEN) == SASL_OK)
      plp = iplocalport;
    else
      mutt_debug(LL_DEBUG2, "SASL failed to parse local IP address\n");
  }
  else
  {
    mutt_debug(LL_DEBUG2, "SASL failed to get local IP address\n");
  }
 
  struct sockaddr_storage remote = { 0 };
  char ipremoteport[IP_PORT_BUFLEN] = { 0 };
  char *prp = NULL;
  size = sizeof(remote);
  if (getpeername(conn->fd, (struct sockaddr *) &remote, &size) == 0)
  {
    if (iptostring((struct sockaddr *) &remote, size, ipremoteport, IP_PORT_BUFLEN) == SASL_OK)
      prp = ipremoteport;
    else
      mutt_debug(LL_DEBUG2, "SASL failed to parse remote IP address\n");
  }
  else
  {
    mutt_debug(LL_DEBUG2, "SASL failed to get remote IP address\n");
  }
 
  mutt_debug(LL_DEBUG2, "SASL local ip: %s, remote ip:%s\n", NONULL(plp), NONULL(prp));
 
  int rc = sasl_client_new(conn->account.service, conn->account.host, plp, prp,
                           mutt_sasl_get_callbacks(&conn->account), 0, saslconn);
  if (rc != SASL_OK)
  {
    mutt_error(_("Error allocating SASL connection"));
    return -1;
  }
 
  /* Work around a casting bug in the SASL krb4 module */
  sasl_security_properties_t secprops = { 0 };
  secprops.max_ssf = 0x7fff;
  secprops.maxbufsize = MUTT_SASL_MAXBUF;
  if (sasl_setprop(*saslconn, SASL_SEC_PROPS, &secprops) != SASL_OK)
  {
    mutt_error(_("Error setting SASL security properties"));
    sasl_dispose(saslconn);
    return -1;
  }
 
  if (conn->ssf != 0)
  {
    /* I'm not sure this actually has an effect, at least with SASLv2 */
    mutt_debug(LL_DEBUG2, "External SSF: %d\n", conn->ssf);
    if (sasl_setprop(*saslconn, SASL_SSF_EXTERNAL, &conn->ssf) != SASL_OK)
    {
      mutt_error(_("Error setting SASL external security strength"));
      sasl_dispose(saslconn);
      return -1;
    }
  }
  if (conn->account.user[0])
  {
    mutt_debug(LL_DEBUG2, "External authentication name: %s\n", conn->account.user);
    if (sasl_setprop(*saslconn, SASL_AUTH_EXTERNAL, conn->account.user) != SASL_OK)
    {
      mutt_error(_("Error setting SASL external user name"));
      sasl_dispose(saslconn);
      return -1;
    }
  }
 
  return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_interact()

int mutt_sasl_interact

(

sasl_interact_t *

interaction

)

Perform an SASL interaction with the user.

Parameters

interaction

Details of interaction

Return values

num	SASL error code: SASL_OK or SASL_FAIL

An example interaction might be asking the user for a password.

Definition at line 708 of file sasl.c.

{
  int rc = SASL_OK;
  char prompt[128] = { 0 };
  struct Buffer *resp = buf_pool_get();
 
  while (interaction->id != SASL_CB_LIST_END)
  {
    mutt_debug(LL_DEBUG2, "filling in SASL interaction %ld\n", interaction->id);
 
    snprintf(prompt, sizeof(prompt), "%s: ", interaction->prompt);
    buf_reset(resp);
 
    if (!OptGui || (mw_get_field(prompt, resp, MUTT_COMP_NONE, HC_OTHER, NULL, NULL) != 0))
    {
      rc = SASL_FAIL;
      break;
    }
 
    interaction->len = buf_len(resp) + 1;
    interaction->result = buf_strdup(resp);
    interaction++;
  }
 
  buf_pool_release(&resp);
  return rc;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_setup_conn()

void mutt_sasl_setup_conn	(	struct Connection *	conn,
		sasl_conn_t *	saslconn )

Set up an SASL connection.

Parameters

conn	Connection to a server
saslconn	SASL connection

Replace connection methods, sockdata with SASL wrappers, for protection layers. Also get ssf, as a fastpath for the read/write methods.

Definition at line 744 of file sasl.c.

{
  struct SaslSockData *sasldata = MUTT_MEM_MALLOC(1, struct SaslSockData);
  /* work around sasl_getprop aliasing issues */
  const void *tmp = NULL;
 
  sasldata->saslconn = saslconn;
  /* get ssf so we know whether we have to (en|de)code read/write */
  sasl_getprop(saslconn, SASL_SSF, &tmp);
  sasldata->ssf = tmp;
  mutt_debug(LL_DEBUG3, "SASL protection strength: %u\n", *sasldata->ssf);
  /* Add SASL SSF to transport SSF */
  conn->ssf += *sasldata->ssf;
  sasl_getprop(saslconn, SASL_MAXOUTBUF, &tmp);
  sasldata->pbufsize = tmp;
  mutt_debug(LL_DEBUG3, "SASL protection buffer size: %u\n", *sasldata->pbufsize);
 
  /* clear input buffer */
  sasldata->buf = NULL;
  sasldata->bpos = 0;
  sasldata->blen = 0;
 
  /* preserve old functions */
  sasldata->sockdata = conn->sockdata;
  sasldata->open = conn->open;
  sasldata->read = conn->read;
  sasldata->write = conn->write;
  sasldata->poll = conn->poll;
  sasldata->close = conn->close;
 
  /* and set up new functions */
  conn->sockdata = sasldata;
  conn->open = mutt_sasl_conn_open;
  conn->read = mutt_sasl_conn_read;
  conn->write = mutt_sasl_conn_write;
  conn->poll = mutt_sasl_conn_poll;
  conn->close = mutt_sasl_conn_close;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_cleanup()

void mutt_sasl_cleanup

(

void

)

Invoke when processing is complete.

This is a cleanup function, used to free all memory used by the library. Invoke when processing is complete.

Definition at line 789 of file sasl.c.

{
  /* As we never use the server-side, the silently ignore the return value */
  sasl_client_done();
}

Here is the caller graph for this function:

Variable Documentation

SaslAuthenticators

const char* const SaslAuthenticators[]

static

Initial value:

= {
  "ANONYMOUS",     "CRAM-MD5",       "DIGEST-MD5",    "EXTERNAL",
  "GS2-IAKERB",    "GS2-KRB5",       "GSS-SPNEGO",    "GSSAPI",
  "LOGIN",         "NTLM",           "OTP-MD4",       "OTP-MD5",
  "OTP-SHA1",      "PASSDSS-3DES-1", "PLAIN",         "SCRAM-SHA-1",
  "SCRAM-SHA-224", "SCRAM-SHA-256",  "SCRAM-SHA-384", "SCRAM-SHA-512",
  "SRP",
}

Authentication methods supported by Cyrus SASL.

Definition at line 107 of file sasl.c.

                                                {
  "ANONYMOUS",     "CRAM-MD5",       "DIGEST-MD5",    "EXTERNAL",
  "GS2-IAKERB",    "GS2-KRB5",       "GSS-SPNEGO",    "GSSAPI",
  "LOGIN",         "NTLM",           "OTP-MD4",       "OTP-MD5",
  "OTP-SHA1",      "PASSDSS-3DES-1", "PLAIN",         "SCRAM-SHA-1",
  "SCRAM-SHA-224", "SCRAM-SHA-256",  "SCRAM-SHA-384", "SCRAM-SHA-512",
  "SRP",
};