SASL authentication support. More...

#include "config.h"
#include <errno.h>
#include <netdb.h>
#include <sasl/sasl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include "mutt/lib.h"
#include "mutt.h"
#include "sasl.h"
#include "editor/lib.h"
#include "history/lib.h"
#include "connaccount.h"
#include "connection.h"
#include "globals.h"

Include dependency graph for sasl.c:

Go to the source code of this file.

Data Structures
struct	SaslSockData
	SASL authentication API -. More...

Macros
#define	MUTT_SASL_MAXBUF 65536

#define	IP_PORT_BUFLEN (NI_MAXHOST + NI_MAXSERV)

Functions
bool	sasl_auth_validator (const char *authenticator)
	Validate an auth method against Cyrus SASL methods.

static int	getnameinfo_err (int rc)
	Convert a getaddrinfo() error code into an SASL error code.

static int	iptostring (const struct sockaddr addr, socklen_t addrlen, char out, unsigned int outlen)
	Convert IP Address to string.

static int	mutt_sasl_cb_log (void context, int priority, const char message)
	Callback to log SASL messages.

int	mutt_sasl_start (void)
	Initialise SASL library.

static int	mutt_sasl_cb_authname (void context, int id, const char result, unsigned int len)
	Callback to retrieve authname or user from ConnAccount.

static int	mutt_sasl_cb_pass (sasl_conn_t conn, void context, int id, sasl_secret_t **psecret)
	SASL callback function to get password.

static sasl_callback_t *	mutt_sasl_get_callbacks (struct ConnAccount *cac)
	Get the SASL callback functions.

static int	mutt_sasl_conn_open (struct Connection *conn)
	Empty wrapper for underlying open function - Implements Connection::open() -.

static int	mutt_sasl_conn_close (struct Connection *conn)
	Close SASL connection - Implements Connection::close() -.

static int	mutt_sasl_conn_read (struct Connection conn, char buf, size_t count)
	Read data from an SASL connection - Implements Connection::read() -.

static int	mutt_sasl_conn_write (struct Connection conn, const char buf, size_t count)
	Write to an SASL connection - Implements Connection::write() -.

static int	mutt_sasl_conn_poll (struct Connection *conn, time_t wait_secs)
	Check if any data is waiting on a socket - Implements Connection::poll() -.

int	mutt_sasl_client_new (struct Connection conn, sasl_conn_t *saslconn)
	Wrapper for sasl_client_new()

int	mutt_sasl_interact (sasl_interact_t *interaction)
	Perform an SASL interaction with the user.

void	mutt_sasl_setup_conn (struct Connection conn, sasl_conn_t saslconn)
	Set up an SASL connection.

void	mutt_sasl_cleanup (void)
	Invoke when processing is complete.

Variables
static const char *const	SaslAuthenticators []
	Authentication methods supported by Cyrus SASL.

static sasl_callback_t	MuttSaslCallbacks [5]
	SASL callback functions, e.g. mutt_sasl_cb_authname(), mutt_sasl_cb_pass()

static sasl_secret_t *	SecretPtr = NULL
	SASL secret, to store the password.

Detailed Description

SASL authentication support.

Authors

Richard Russon
Ian Zimmerman

Copyright: This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

Definition in file sasl.c.

Macro Definition Documentation

◆ MUTT_SASL_MAXBUF

#define MUTT_SASL_MAXBUF 65536

Definition at line 118 of file sasl.c.

◆ IP_PORT_BUFLEN

#define IP_PORT_BUFLEN (NI_MAXHOST + NI_MAXSERV)

Definition at line 123 of file sasl.c.

Function Documentation

◆ sasl_auth_validator()

bool sasl_auth_validator ( const char * authenticator )

Validate an auth method against Cyrus SASL methods.

Parameters

authenticator Name of the authenticator to validate

Return values

true	Argument matches an accepted auth method

Definition at line 136 of file sasl.c.

{
  for (size_t i = 0; i < mutt_array_size(SaslAuthenticators); i++)
  {
    const char *auth = SaslAuthenticators[i];
    if (mutt_istr_equal(auth, authenticator))
      return true;
  }
 
  return false;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getnameinfo_err()

static int getnameinfo_err ( int rc )

static

Convert a getaddrinfo() error code into an SASL error code.

Parameters

rc	getaddrinfo() error code, e.g. EAI_AGAIN

Return values

num	SASL error code, e.g. SASL_FAIL

Definition at line 153 of file sasl.c.

{
  int err;
  mutt_debug(LL_DEBUG1, "getnameinfo: ");
  switch (rc)
  {
    case EAI_AGAIN:
      mutt_debug(LL_DEBUG1, "The name could not be resolved at this time.  Future attempts may succeed\n");
      err = SASL_TRYAGAIN;
      break;
    case EAI_BADFLAGS:
      mutt_debug(LL_DEBUG1, "The flags had an invalid value\n");
      err = SASL_BADPARAM;
      break;
    case EAI_FAIL:
      mutt_debug(LL_DEBUG1, "A non-recoverable error occurred\n");
      err = SASL_FAIL;
      break;
    case EAI_FAMILY:
      mutt_debug(LL_DEBUG1, "The address family was not recognized or the address length was invalid for the specified family\n");
      err = SASL_BADPROT;
      break;
    case EAI_MEMORY:
      mutt_debug(LL_DEBUG1, "There was a memory allocation failure\n");
      err = SASL_NOMEM;
      break;
    case EAI_NONAME:
      mutt_debug(LL_DEBUG1, "The name does not resolve for the supplied parameters.  "
                            "NI_NAMEREQD is set and the host's name can't be located, or both nodename and servname were null.\n");
      err = SASL_FAIL; /* no real equivalent */
      break;
    case EAI_SYSTEM:
      mutt_debug(LL_DEBUG1, "A system error occurred.  The error code can be found in errno(%d,%s))\n",
                 errno, strerror(errno));
      err = SASL_FAIL; /* no real equivalent */
      break;
    default:
      mutt_debug(LL_DEBUG1, "Unknown error %d\n", rc);
      err = SASL_FAIL; /* no real equivalent */
      break;
  }
  return err;
}

Here is the caller graph for this function:

◆ iptostring()

static int iptostring	(	const struct sockaddr *	addr,
		socklen_t	addrlen,
		char *	out,
		unsigned int	outlen
	)

static

Convert IP Address to string.

Parameters

addr	IP address
addrlen	Size of addr struct
out	Buffer for result
outlen	Length of buffer

Return values

num	SASL error code, e.g. SASL_BADPARAM

utility function, copied from sasl2 sample code

Definition at line 207 of file sasl.c.

{
  char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
  int rc;
 
  if (!addr || !out)
    return SASL_BADPARAM;
 
  rc = getnameinfo(addr, addrlen, hbuf, sizeof(hbuf), pbuf, sizeof(pbuf),
                   NI_NUMERICHOST |
#ifdef NI_WITHSCOPEID
                       NI_WITHSCOPEID |
#endif
                       NI_NUMERICSERV);
  if (rc != 0)
    return getnameinfo_err(rc);
 
  if (outlen < strlen(hbuf) + strlen(pbuf) + 2)
    return SASL_BUFOVER;
 
  snprintf(out, outlen, "%s;%s", hbuf, pbuf);
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_cb_log()

static int mutt_sasl_cb_log	(	void *	context,
		int	priority,
		const char *	message
	)

static

Callback to log SASL messages.

Parameters

context	Supplied context, always NULL
priority	Debug level
message	Message

Return values

num	SASL_OK, always

Definition at line 240 of file sasl.c.

{
  if (priority == SASL_LOG_NONE)
    return SASL_OK;
 
  int mutt_priority = 0;
  switch (priority)
  {
    case SASL_LOG_TRACE:
    case SASL_LOG_PASS:
      mutt_priority = 5;
      break;
    case SASL_LOG_DEBUG:
    case SASL_LOG_NOTE:
      mutt_priority = 3;
      break;
    case SASL_LOG_FAIL:
    case SASL_LOG_WARN:
      mutt_priority = 2;
      break;
    case SASL_LOG_ERR:
      mutt_priority = 1;
      break;
    default:
      mutt_debug(LL_DEBUG1, "SASL unknown log priority: %s\n", message);
      return SASL_OK;
  }
  mutt_debug(mutt_priority, "SASL: %s\n", message);
  return SASL_OK;
}

Here is the caller graph for this function:

◆ mutt_sasl_start()

int mutt_sasl_start ( void )

Initialise SASL library.

Return values

num	SASL error code, e.g. SASL_OK

Call before doing an SASL exchange (initialises library if necessary).

Definition at line 277 of file sasl.c.

{
  static bool sasl_init = false;
 
  static sasl_callback_t callbacks[2];
  int rc;
 
  if (sasl_init)
    return SASL_OK;
 
  /* set up default logging callback */
  callbacks[0].id = SASL_CB_LOG;
  callbacks[0].proc = (int (*)(void))(intptr_t) mutt_sasl_cb_log;
  callbacks[0].context = NULL;
 
  callbacks[1].id = SASL_CB_LIST_END;
  callbacks[1].proc = NULL;
  callbacks[1].context = NULL;
 
  rc = sasl_client_init(callbacks);
 
  if (rc != SASL_OK)
  {
    mutt_debug(LL_DEBUG1, "libsasl initialisation failed\n");
    return SASL_FAIL;
  }
 
  sasl_init = true;
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_cb_authname()

static int mutt_sasl_cb_authname	(	void *	context,
		int	id,
		const char **	result,
		unsigned int *	len
	)

static

Callback to retrieve authname or user from ConnAccount.

Parameters

[in]	context	ConnAccount
[in]	id	Field to get. SASL_CB_USER or SASL_CB_AUTHNAME
[out]	result	Resulting string
[out]	len	Length of result

Return values

num	SASL error code, e.g. SASL_FAIL

Definition at line 317 of file sasl.c.

{
  if (!result)
    return SASL_FAIL;
 
  struct ConnAccount *cac = context;
 
  *result = NULL;
  if (len)
    *len = 0;
 
  if (!cac)
    return SASL_BADPARAM;
 
  mutt_debug(LL_DEBUG2, "getting %s for %s:%u\n",
             (id == SASL_CB_AUTHNAME) ? "authname" : "user", cac->host, cac->port);
 
  if (id == SASL_CB_AUTHNAME)
  {
    if (mutt_account_getlogin(cac) < 0)
      return SASL_FAIL;
    *result = cac->login;
  }
  else
  {
    if (mutt_account_getuser(cac) < 0)
      return SASL_FAIL;
    *result = cac->user;
  }
 
  if (len)
    *len = strlen(*result);
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_cb_pass()

static int mutt_sasl_cb_pass	(	sasl_conn_t *	conn,
		void *	context,
		int	id,
		sasl_secret_t **	psecret
	)

static

SASL callback function to get password.

Parameters

[in]	conn	Connection to a server
[in]	context	ConnAccount
[in]	id	SASL_CB_PASS
[out]	psecret	SASL secret

Return values

num	SASL error code, e.g SASL_FAIL

Definition at line 361 of file sasl.c.

{
  struct ConnAccount *cac = context;
  int len;
 
  if (!cac || !psecret)
    return SASL_BADPARAM;
 
  mutt_debug(LL_DEBUG2, "getting password for %s@%s:%u\n", cac->login, cac->host, cac->port);
 
  if (mutt_account_getpass(cac) < 0)
    return SASL_FAIL;
 
  len = strlen(cac->pass);
 
  mutt_mem_realloc(&SecretPtr, sizeof(sasl_secret_t) + len);
  memcpy((char *) SecretPtr->data, cac->pass, (size_t) len);
  SecretPtr->len = len;
  *psecret = SecretPtr;
 
  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_get_callbacks()

static sasl_callback_t * mutt_sasl_get_callbacks ( struct ConnAccount * cac )

static

Get the SASL callback functions.

Parameters

cac	ConnAccount to associate with callbacks

Return values

ptr	Array of callback functions

Definition at line 389 of file sasl.c.

{
  sasl_callback_t *callback = MuttSaslCallbacks;
 
  callback->id = SASL_CB_USER;
  callback->proc = (int (*)(void))(intptr_t) mutt_sasl_cb_authname;
  callback->context = cac;
  callback++;
 
  callback->id = SASL_CB_AUTHNAME;
  callback->proc = (int (*)(void))(intptr_t) mutt_sasl_cb_authname;
  callback->context = cac;
  callback++;
 
  callback->id = SASL_CB_PASS;
  callback->proc = (int (*)(void))(intptr_t) mutt_sasl_cb_pass;
  callback->context = cac;
  callback++;
 
  callback->id = SASL_CB_GETREALM;
  callback->proc = NULL;
  callback->context = NULL;
  callback++;
 
  callback->id = SASL_CB_LIST_END;
  callback->proc = NULL;
  callback->context = NULL;
 
  return MuttSaslCallbacks;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_client_new()

int mutt_sasl_client_new	(	struct Connection *	conn,
		sasl_conn_t **	saslconn
	)

Wrapper for sasl_client_new()

Parameters

[in]	conn	Connection to a server
[out]	saslconn	SASL connection

Return values

0	Success
-1	Error

which also sets various security properties. If this turns out to be fine for POP too we can probably stop exporting mutt_sasl_get_callbacks().

Definition at line 606 of file sasl.c.

{
  if (mutt_sasl_start() != SASL_OK)
    return -1;
 
  if (!conn->account.service)
  {
    mutt_error(_("Unknown SASL profile"));
    return -1;
  }
 
  socklen_t size;
 
  struct sockaddr_storage local = { 0 };
  char iplocalport[IP_PORT_BUFLEN] = { 0 };
  char *plp = NULL;
  size = sizeof(local);
  if (getsockname(conn->fd, (struct sockaddr *) &local, &size) == 0)
  {
    if (iptostring((struct sockaddr *) &local, size, iplocalport, IP_PORT_BUFLEN) == SASL_OK)
      plp = iplocalport;
    else
      mutt_debug(LL_DEBUG2, "SASL failed to parse local IP address\n");
  }
  else
  {
    mutt_debug(LL_DEBUG2, "SASL failed to get local IP address\n");
  }
 
  struct sockaddr_storage remote = { 0 };
  char ipremoteport[IP_PORT_BUFLEN] = { 0 };
  char *prp = NULL;
  size = sizeof(remote);
  if (getpeername(conn->fd, (struct sockaddr *) &remote, &size) == 0)
  {
    if (iptostring((struct sockaddr *) &remote, size, ipremoteport, IP_PORT_BUFLEN) == SASL_OK)
      prp = ipremoteport;
    else
      mutt_debug(LL_DEBUG2, "SASL failed to parse remote IP address\n");
  }
  else
  {
    mutt_debug(LL_DEBUG2, "SASL failed to get remote IP address\n");
  }
 
  mutt_debug(LL_DEBUG2, "SASL local ip: %s, remote ip:%s\n", NONULL(plp), NONULL(prp));
 
  int rc = sasl_client_new(conn->account.service, conn->account.host, plp, prp,
                           mutt_sasl_get_callbacks(&conn->account), 0, saslconn);
  if (rc != SASL_OK)
  {
    mutt_error(_("Error allocating SASL connection"));
    return -1;
  }
 
  /* Work around a casting bug in the SASL krb4 module */
  sasl_security_properties_t secprops = { 0 };
  secprops.max_ssf = 0x7fff;
  secprops.maxbufsize = MUTT_SASL_MAXBUF;
  if (sasl_setprop(*saslconn, SASL_SEC_PROPS, &secprops) != SASL_OK)
  {
    mutt_error(_("Error setting SASL security properties"));
    sasl_dispose(saslconn);
    return -1;
  }
 
  if (conn->ssf != 0)
  {
    /* I'm not sure this actually has an effect, at least with SASLv2 */
    mutt_debug(LL_DEBUG2, "External SSF: %d\n", conn->ssf);
    if (sasl_setprop(*saslconn, SASL_SSF_EXTERNAL, &conn->ssf) != SASL_OK)
    {
      mutt_error(_("Error setting SASL external security strength"));
      sasl_dispose(saslconn);
      return -1;
    }
  }
  if (conn->account.user[0])
  {
    mutt_debug(LL_DEBUG2, "External authentication name: %s\n", conn->account.user);
    if (sasl_setprop(*saslconn, SASL_AUTH_EXTERNAL, conn->account.user) != SASL_OK)
    {
      mutt_error(_("Error setting SASL external user name"));
      sasl_dispose(saslconn);
      return -1;
    }
  }
 
  return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_interact()

int mutt_sasl_interact ( sasl_interact_t * interaction )

Perform an SASL interaction with the user.

Parameters

interaction Details of interaction

Return values

num	SASL error code: SASL_OK or SASL_FAIL

An example interaction might be asking the user for a password.

Definition at line 704 of file sasl.c.

{
  int rc = SASL_OK;
  char prompt[128] = { 0 };
  struct Buffer *resp = buf_pool_get();
 
  while (interaction->id != SASL_CB_LIST_END)
  {
    mutt_debug(LL_DEBUG2, "filling in SASL interaction %ld\n", interaction->id);
 
    snprintf(prompt, sizeof(prompt), "%s: ", interaction->prompt);
    buf_reset(resp);
 
    if (OptNoCurses ||
        (mw_get_field(prompt, resp, MUTT_COMP_NO_FLAGS, HC_OTHER, NULL, NULL) != 0))
    {
      rc = SASL_FAIL;
      break;
    }
 
    interaction->len = buf_len(resp) + 1;
    interaction->result = buf_strdup(resp);
    interaction++;
  }
 
  buf_pool_release(&resp);
  return rc;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_setup_conn()

void mutt_sasl_setup_conn	(	struct Connection *	conn,
		sasl_conn_t *	saslconn
	)

Set up an SASL connection.

Parameters

conn	Connection to a server
saslconn	SASL connection

Replace connection methods, sockdata with SASL wrappers, for protection layers. Also get ssf, as a fastpath for the read/write methods.

Definition at line 741 of file sasl.c.

{
  struct SaslSockData *sasldata = MUTT_MEM_MALLOC(1, struct SaslSockData);
  /* work around sasl_getprop aliasing issues */
  const void *tmp = NULL;
 
  sasldata->saslconn = saslconn;
  /* get ssf so we know whether we have to (en|de)code read/write */
  sasl_getprop(saslconn, SASL_SSF, &tmp);
  sasldata->ssf = tmp;
  mutt_debug(LL_DEBUG3, "SASL protection strength: %u\n", *sasldata->ssf);
  /* Add SASL SSF to transport SSF */
  conn->ssf += *sasldata->ssf;
  sasl_getprop(saslconn, SASL_MAXOUTBUF, &tmp);
  sasldata->pbufsize = tmp;
  mutt_debug(LL_DEBUG3, "SASL protection buffer size: %u\n", *sasldata->pbufsize);
 
  /* clear input buffer */
  sasldata->buf = NULL;
  sasldata->bpos = 0;
  sasldata->blen = 0;
 
  /* preserve old functions */
  sasldata->sockdata = conn->sockdata;
  sasldata->open = conn->open;
  sasldata->read = conn->read;
  sasldata->write = conn->write;
  sasldata->poll = conn->poll;
  sasldata->close = conn->close;
 
  /* and set up new functions */
  conn->sockdata = sasldata;
  conn->open = mutt_sasl_conn_open;
  conn->read = mutt_sasl_conn_read;
  conn->write = mutt_sasl_conn_write;
  conn->poll = mutt_sasl_conn_poll;
  conn->close = mutt_sasl_conn_close;
}

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mutt_sasl_cleanup()

void mutt_sasl_cleanup ( void )

Invoke when processing is complete.

This is a cleanup function, used to free all memory used by the library. Invoke when processing is complete.

Definition at line 786 of file sasl.c.

{
  /* As we never use the server-side, the silently ignore the return value */
  sasl_client_done();
}

Here is the caller graph for this function:

Variable Documentation

◆ SaslAuthenticators

const char* const SaslAuthenticators[]

static

Initial value:

= {
  "ANONYMOUS",     "CRAM-MD5",       "DIGEST-MD5",    "EXTERNAL",
  "GS2-IAKERB",    "GS2-KRB5",       "GSS-SPNEGO",    "GSSAPI",
  "LOGIN",         "NTLM",           "OTP-MD4",       "OTP-MD5",
  "OTP-SHA1",      "PASSDSS-3DES-1", "PLAIN",         "SCRAM-SHA-1",
  "SCRAM-SHA-224", "SCRAM-SHA-256",  "SCRAM-SHA-384", "SCRAM-SHA-512",
  "SRP",
}

Authentication methods supported by Cyrus SASL.

Definition at line 106 of file sasl.c.

◆ MuttSaslCallbacks

sasl_callback_t MuttSaslCallbacks[5]

static

SASL callback functions, e.g. mutt_sasl_cb_authname(), mutt_sasl_cb_pass()

Definition at line 126 of file sasl.c.

◆ SecretPtr

sasl_secret_t* SecretPtr = NULL

static

SASL secret, to store the password.

Definition at line 129 of file sasl.c.

Data Structures

Macros

Functions

Variables

Detailed Description

Macro Definition Documentation

◆ MUTT_SASL_MAXBUF

◆ IP_PORT_BUFLEN

Function Documentation

◆ sasl_auth_validator()

◆ getnameinfo_err()

◆ iptostring()

◆ mutt_sasl_cb_log()

◆ mutt_sasl_start()

◆ mutt_sasl_cb_authname()

◆ mutt_sasl_cb_pass()

◆ mutt_sasl_get_callbacks()

◆ mutt_sasl_client_new()

◆ mutt_sasl_interact()

◆ mutt_sasl_setup_conn()

◆ mutt_sasl_cleanup()

Variable Documentation

◆ SaslAuthenticators

◆ MuttSaslCallbacks

◆ SecretPtr