sasl.c File Reference

SASL authentication support. More...

#include "config.h"
#include <stddef.h>
#include <errno.h>
#include <netdb.h>
#include <sasl/sasl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include "mutt/lib.h"
#include "gui/lib.h"
#include "mutt.h"
#include "sasl.h"
#include "lib.h"
#include "options.h"

Include dependency graph for sasl.c:

Go to the source code of this file.

Data Structures
struct	SaslSockData
	SASL authentication API -. More...

Macros
#define	MUTT_SASL_MAXBUF   65536
#define	IP_PORT_BUFLEN   1024

Functions
bool	sasl_auth_validator (const char *authenticator)
	Validate an auth method against Cyrus SASL methods. More...
static int	getnameinfo_err (int ret)
	Convert a getaddrinfo() error code into an SASL error code. More...
static int	iptostring (const struct sockaddr *addr, socklen_t addrlen, char *out, unsigned int outlen)
	Convert IP Address to string. More...
static int	mutt_sasl_cb_log (void *context, int priority, const char *message)
	callback to log SASL messages More...
static int	mutt_sasl_start (void)
	Initialise SASL library. More...
static int	mutt_sasl_cb_authname (void *context, int id, const char **result, unsigned int *len)
	callback to retrieve authname or user from ConnAccount More...
static int	mutt_sasl_cb_pass (sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret)
	SASL callback function to get password. More...
static sasl_callback_t *	mutt_sasl_get_callbacks (struct ConnAccount *cac)
	Get the SASL callback functions. More...
static int	mutt_sasl_conn_open (struct Connection *conn)
	empty wrapper for underlying open function - Implements Connection::open() -We don't know in advance that a connection will use SASL, so we replace conn's methods with sasl methods when authentication is successful, using mutt_sasl_setup_conn More...
static int	mutt_sasl_conn_close (struct Connection *conn)
	close SASL connection - Implements Connection::close() -Calls underlying close function and disposes of the sasl_conn_t object, then restores connection to pre-sasl state More...
static int	mutt_sasl_conn_read (struct Connection *conn, char *buf, size_t count)
	Read data from an SASL connection - Implements Connection::read() -. More...
static int	mutt_sasl_conn_write (struct Connection *conn, const char *buf, size_t count)
	Write to an SASL connection - Implements Connection::write() -. More...
static int	mutt_sasl_conn_poll (struct Connection *conn, time_t wait_secs)
	Check an SASL connection for data - Implements Connection::poll() -. More...
int	mutt_sasl_client_new (struct Connection *conn, sasl_conn_t **saslconn)
	Wrapper for sasl_client_new() More...
int	mutt_sasl_interact (sasl_interact_t *interaction)
	Perform an SASL interaction with the user. More...
void	mutt_sasl_setup_conn (struct Connection *conn, sasl_conn_t *saslconn)
	Set up an SASL connection. More...
void	mutt_sasl_done (void)
	Invoke when processing is complete. More...

Variables
static const char *const	sasl_authenticators []
	Authenticaion methods supported by Cyrus SASL. More...
static sasl_callback_t	MuttSaslCallbacks [5]
static sasl_secret_t *	secret_ptr = NULL

Detailed Description

SASL authentication support.

Authors

• Brendan Cully

Copyright

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

Definition in file sasl.c.

Macro Definition Documentation

MUTT_SASL_MAXBUF

#define MUTT_SASL_MAXBUF   65536

Definition at line 114 of file sasl.c.

IP_PORT_BUFLEN

#define IP_PORT_BUFLEN   1024

Definition at line 116 of file sasl.c.

Function Documentation

sasl_auth_validator()

bool sasl_auth_validator

(

const char *

authenticator

)

Validate an auth method against Cyrus SASL methods.

Parameters

authenticator

Name of the authenticator to validate

Return values

true	Argument matches an accepted auth method

Definition at line 127 of file sasl.c.

{
  for (size_t i = 0; i < mutt_array_size(sasl_authenticators); i++)
  {
    const char *auth = sasl_authenticators[i];
    if (mutt_istr_equal(auth, authenticator))
      return true;
  }

  return false;
}

Here is the call graph for this function:

Here is the caller graph for this function:

getnameinfo_err()

static int getnameinfo_err ( int  ret )

static

Convert a getaddrinfo() error code into an SASL error code.

Parameters

ret	getaddrinfo() error code, e.g. EAI_AGAIN

Return values

num	SASL error code, e.g. SASL_FAIL

Definition at line 144 of file sasl.c.

{
  int err;
  mutt_debug(LL_DEBUG1, "getnameinfo: ");
  switch (ret)
  {
    case EAI_AGAIN:
      mutt_debug(LL_DEBUG1,
                 "The name could not be resolved at this time.  Future "
                 "attempts may succeed\n");
      err = SASL_TRYAGAIN;
      break;
    case EAI_BADFLAGS:
      mutt_debug(LL_DEBUG1, "The flags had an invalid value\n");
      err = SASL_BADPARAM;
      break;
    case EAI_FAIL:
      mutt_debug(LL_DEBUG1, "A non-recoverable error occurred\n");
      err = SASL_FAIL;
      break;
    case EAI_FAMILY:
      mutt_debug(LL_DEBUG1,
                 "The address family was not recognized or the address "
                 "length was invalid for the specified family\n");
      err = SASL_BADPROT;
      break;
    case EAI_MEMORY:
      mutt_debug(LL_DEBUG1, "There was a memory allocation failure\n");
      err = SASL_NOMEM;
      break;
    case EAI_NONAME:
      mutt_debug(LL_DEBUG1,
                 "The name does not resolve for the supplied parameters.  "
                 "NI_NAMEREQD is set and the host's name can't be located, "
                 "or both nodename and servname were null.\n");
      err = SASL_FAIL; /* no real equivalent */
      break;
    case EAI_SYSTEM:
      mutt_debug(LL_DEBUG1,
                 "A system error occurred.  The error code can be found in "
                 "errno(%d,%s))\n",
                 errno, strerror(errno));
      err = SASL_FAIL; /* no real equivalent */
      break;
    default:
      mutt_debug(LL_DEBUG1, "Unknown error %d\n", ret);
      err = SASL_FAIL; /* no real equivalent */
      break;
  }
  return err;
}

Here is the caller graph for this function:

iptostring()

static int iptostring ( const struct sockaddr *  addr, socklen_t  addrlen, char *  out, unsigned int  outlen  )

static

Convert IP Address to string.

Parameters

addr	IP address
addrlen	Size of addr struct
out	Buffer for result
outlen	Length of buffer

Return values

num	SASL error code, e.g. SASL_BADPARAM

utility function, copied from sasl2 sample code

Definition at line 206 of file sasl.c.

{
  char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
  int ret;

  if (!addr || !out)
    return SASL_BADPARAM;

  ret = getnameinfo(addr, addrlen, hbuf, sizeof(hbuf), pbuf, sizeof(pbuf),
                    NI_NUMERICHOST |
#ifdef NI_WITHSCOPEID
                        NI_WITHSCOPEID |
#endif
                        NI_NUMERICSERV);
  if (ret != 0)
    return getnameinfo_err(ret);

  if (outlen < strlen(hbuf) + strlen(pbuf) + 2)
    return SASL_BUFOVER;

  snprintf(out, outlen, "%s;%s", hbuf, pbuf);

  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_cb_log()

static int mutt_sasl_cb_log ( void *  context, int  priority, const char *  message  )

static

callback to log SASL messages

Parameters

context	Supplied context, always NULL
priority	Debug level
message	Message

Return values

num	SASL_OK, always

Definition at line 239 of file sasl.c.

{
  if (priority == SASL_LOG_NONE)
    return SASL_OK;

  int mutt_priority = 0;
  switch (priority)
  {
    case SASL_LOG_TRACE:
    case SASL_LOG_PASS:
      mutt_priority = 5;
      break;
    case SASL_LOG_DEBUG:
    case SASL_LOG_NOTE:
      mutt_priority = 3;
      break;
    case SASL_LOG_FAIL:
    case SASL_LOG_WARN:
      mutt_priority = 2;
      break;
    case SASL_LOG_ERR:
      mutt_priority = 1;
      break;
    default:
      mutt_debug(LL_DEBUG1, "SASL unknown log priority: %s\n", message);
      return SASL_OK;
  }
  mutt_debug(mutt_priority, "SASL: %s\n", message);
  return SASL_OK;
}

Here is the caller graph for this function:

mutt_sasl_start()

static int mutt_sasl_start ( void  )

static

Initialise SASL library.

Return values

num	SASL error code, e.g. SASL_OK

Call before doing an SASL exchange - initialises library (if necessary).

Definition at line 276 of file sasl.c.

{
  static bool sasl_init = false;

  static sasl_callback_t callbacks[2];
  int rc;

  if (sasl_init)
    return SASL_OK;

  /* set up default logging callback */
  callbacks[0].id = SASL_CB_LOG;
  callbacks[0].proc = (int (*)(void)) mutt_sasl_cb_log;
  callbacks[0].context = NULL;

  callbacks[1].id = SASL_CB_LIST_END;
  callbacks[1].proc = NULL;
  callbacks[1].context = NULL;

  rc = sasl_client_init(callbacks);

  if (rc != SASL_OK)
  {
    mutt_debug(LL_DEBUG1, "libsasl initialisation failed\n");
    return SASL_FAIL;
  }

  sasl_init = true;

  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_cb_authname()

static int mutt_sasl_cb_authname ( void *  context, int  id, const char **  result, unsigned int *  len  )

static

callback to retrieve authname or user from ConnAccount

Parameters

[in]	context	ConnAccount
[in]	id	Field to get. SASL_CB_USER or SASL_CB_AUTHNAME
[out]	result	Resulting string
[out]	len	Length of result

Return values

num	SASL error code, e.g. SASL_FAIL

Definition at line 316 of file sasl.c.

{
  if (!result)
    return SASL_FAIL;

  struct ConnAccount *cac = context;

  *result = NULL;
  if (len)
    *len = 0;

  if (!cac)
    return SASL_BADPARAM;

  mutt_debug(LL_DEBUG2, "getting %s for %s:%u\n",
             (id == SASL_CB_AUTHNAME) ? "authname" : "user", cac->host, cac->port);

  if (id == SASL_CB_AUTHNAME)
  {
    if (mutt_account_getlogin(cac) < 0)
      return SASL_FAIL;
    *result = cac->login;
  }
  else
  {
    if (mutt_account_getuser(cac) < 0)
      return SASL_FAIL;
    *result = cac->user;
  }

  if (len)
    *len = strlen(*result);

  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_cb_pass()

static int mutt_sasl_cb_pass ( sasl_conn_t *  conn, void *  context, int  id, sasl_secret_t **  psecret  )

static

SASL callback function to get password.

Parameters

[in]	conn	Connection to a server
[in]	context	ConnAccount
[in]	id	SASL_CB_PASS
[out]	psecret	SASL secret

Return values

num	SASL error code, e.g SASL_FAIL

Definition at line 360 of file sasl.c.

{
  struct ConnAccount *cac = context;
  int len;

  if (!cac || !psecret)
    return SASL_BADPARAM;

  mutt_debug(LL_DEBUG2, "getting password for %s@%s:%u\n", cac->login, cac->host, cac->port);

  if (mutt_account_getpass(cac) < 0)
    return SASL_FAIL;

  len = strlen(cac->pass);

  mutt_mem_realloc(&secret_ptr, sizeof(sasl_secret_t) + len);
  memcpy((char *) secret_ptr->data, cac->pass, (size_t) len);
  secret_ptr->len = len;
  *psecret = secret_ptr;

  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_get_callbacks()

static sasl_callback_t* mutt_sasl_get_callbacks ( struct ConnAccount *  cac )

static

Get the SASL callback functions.

Parameters

cac	ConnAccount to associate with callbacks

Return values

ptr	Array of callback functions

Definition at line 388 of file sasl.c.

{
  sasl_callback_t *callback = MuttSaslCallbacks;

  callback->id = SASL_CB_USER;
  callback->proc = (int (*)(void)) mutt_sasl_cb_authname;
  callback->context = cac;
  callback++;

  callback->id = SASL_CB_AUTHNAME;
  callback->proc = (int (*)(void)) mutt_sasl_cb_authname;
  callback->context = cac;
  callback++;

  callback->id = SASL_CB_PASS;
  callback->proc = (int (*)(void)) mutt_sasl_cb_pass;
  callback->context = cac;
  callback++;

  callback->id = SASL_CB_GETREALM;
  callback->proc = NULL;
  callback->context = NULL;
  callback++;

  callback->id = SASL_CB_LIST_END;
  callback->proc = NULL;
  callback->context = NULL;

  return MuttSaslCallbacks;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_client_new()

int mutt_sasl_client_new	(	struct Connection *	conn,
		sasl_conn_t **	saslconn
	)

Wrapper for sasl_client_new()

Parameters

[in]	conn	Connection to a server
[out]	saslconn	SASL connection

Return values

0	Success
-1	Error

which also sets various security properties. If this turns out to be fine for POP too we can probably stop exporting mutt_sasl_get_callbacks().

Definition at line 603 of file sasl.c.

{
  sasl_security_properties_t secprops;
  struct sockaddr_storage local, remote;
  socklen_t size;
  char iplocalport[IP_PORT_BUFLEN], ipremoteport[IP_PORT_BUFLEN];
  char *plp = NULL;
  char *prp = NULL;
  int rc;

  if (mutt_sasl_start() != SASL_OK)
    return -1;

  if (!conn->account.service)
  {
    mutt_error(_("Unknown SASL profile"));
    return -1;
  }

  size = sizeof(local);
  if (getsockname(conn->fd, (struct sockaddr *) &local, &size) == 0)
  {
    if (iptostring((struct sockaddr *) &local, size, iplocalport, IP_PORT_BUFLEN) == SASL_OK)
      plp = iplocalport;
    else
      mutt_debug(LL_DEBUG2, "SASL failed to parse local IP address\n");
  }
  else
    mutt_debug(LL_DEBUG2, "SASL failed to get local IP address\n");

  size = sizeof(remote);
  if (getpeername(conn->fd, (struct sockaddr *) &remote, &size) == 0)
  {
    if (iptostring((struct sockaddr *) &remote, size, ipremoteport, IP_PORT_BUFLEN) == SASL_OK)
      prp = ipremoteport;
    else
      mutt_debug(LL_DEBUG2, "SASL failed to parse remote IP address\n");
  }
  else
    mutt_debug(LL_DEBUG2, "SASL failed to get remote IP address\n");

  mutt_debug(LL_DEBUG2, "SASL local ip: %s, remote ip:%s\n", NONULL(plp), NONULL(prp));

  rc = sasl_client_new(conn->account.service, conn->account.host, plp, prp,
                       mutt_sasl_get_callbacks(&conn->account), 0, saslconn);

  if (rc != SASL_OK)
  {
    mutt_error(_("Error allocating SASL connection"));
    return -1;
  }

  memset(&secprops, 0, sizeof(secprops));
  /* Work around a casting bug in the SASL krb4 module */
  secprops.max_ssf = 0x7fff;
  secprops.maxbufsize = MUTT_SASL_MAXBUF;
  if (sasl_setprop(*saslconn, SASL_SEC_PROPS, &secprops) != SASL_OK)
  {
    mutt_error(_("Error setting SASL security properties"));
    sasl_dispose(saslconn);
    return -1;
  }

  if (conn->ssf != 0)
  {
    /* I'm not sure this actually has an effect, at least with SASLv2 */
    mutt_debug(LL_DEBUG2, "External SSF: %d\n", conn->ssf);
    if (sasl_setprop(*saslconn, SASL_SSF_EXTERNAL, &conn->ssf) != SASL_OK)
    {
      mutt_error(_("Error setting SASL external security strength"));
      sasl_dispose(saslconn);
      return -1;
    }
  }
  if (conn->account.user[0])
  {
    mutt_debug(LL_DEBUG2, "External authentication name: %s\n", conn->account.user);
    if (sasl_setprop(*saslconn, SASL_AUTH_EXTERNAL, conn->account.user) != SASL_OK)
    {
      mutt_error(_("Error setting SASL external user name"));
      sasl_dispose(saslconn);
      return -1;
    }
  }

  return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_interact()

int mutt_sasl_interact

(

sasl_interact_t *

interaction

)

Perform an SASL interaction with the user.

Parameters

interaction

Details of interaction

Return values

num	SASL error code: SASL_OK or SASL_FAIL

An example interaction might be asking the user for a password.

Definition at line 698 of file sasl.c.

{
  char prompt[128];
  char resp[128];

  while (interaction->id != SASL_CB_LIST_END)
  {
    mutt_debug(LL_DEBUG2, "filling in SASL interaction %ld\n", interaction->id);

    snprintf(prompt, sizeof(prompt), "%s: ", interaction->prompt);
    resp[0] = '\0';
    if (OptNoCurses || mutt_get_field(prompt, resp, sizeof(resp),
                                      MUTT_COMP_NO_FLAGS, false, NULL, NULL))
    {
      return SASL_FAIL;
    }

    interaction->len = mutt_str_len(resp) + 1;
    char *result = mutt_mem_malloc(interaction->len);
    memcpy(result, resp, interaction->len);
    interaction->result = result;

    interaction++;
  }

  return SASL_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_setup_conn()

void mutt_sasl_setup_conn	(	struct Connection *	conn,
		sasl_conn_t *	saslconn
	)

Set up an SASL connection.

Parameters

conn	Connection to a server
saslconn	SASL connection

Replace connection methods, sockdata with SASL wrappers, for protection layers. Also get ssf, as a fastpath for the read/write methods.

Definition at line 734 of file sasl.c.

{
  struct SaslSockData *sasldata = mutt_mem_malloc(sizeof(struct SaslSockData));
  /* work around sasl_getprop aliasing issues */
  const void *tmp = NULL;

  sasldata->saslconn = saslconn;
  /* get ssf so we know whether we have to (en|de)code read/write */
  sasl_getprop(saslconn, SASL_SSF, &tmp);
  sasldata->ssf = tmp;
  mutt_debug(LL_DEBUG3, "SASL protection strength: %u\n", *sasldata->ssf);
  /* Add SASL SSF to transport SSF */
  conn->ssf += *sasldata->ssf;
  sasl_getprop(saslconn, SASL_MAXOUTBUF, &tmp);
  sasldata->pbufsize = tmp;
  mutt_debug(LL_DEBUG3, "SASL protection buffer size: %u\n", *sasldata->pbufsize);

  /* clear input buffer */
  sasldata->buf = NULL;
  sasldata->bpos = 0;
  sasldata->blen = 0;

  /* preserve old functions */
  sasldata->sockdata = conn->sockdata;
  sasldata->open = conn->open;
  sasldata->read = conn->read;
  sasldata->write = conn->write;
  sasldata->poll = conn->poll;
  sasldata->close = conn->close;

  /* and set up new functions */
  conn->sockdata = sasldata;
  conn->open = mutt_sasl_conn_open;
  conn->read = mutt_sasl_conn_read;
  conn->write = mutt_sasl_conn_write;
  conn->poll = mutt_sasl_conn_poll;
  conn->close = mutt_sasl_conn_close;
}

Here is the call graph for this function:

Here is the caller graph for this function:

mutt_sasl_done()

void mutt_sasl_done

(

void

)

Invoke when processing is complete.

This is a cleanup function, used to free all memory used by the library. Invoke when processing is complete.

Definition at line 779 of file sasl.c.

{
#ifdef HAVE_SASL_CLIENT_DONE
  /* As we never use the server-side, the silently ignore the return value */
  sasl_client_done();
#else
  sasl_done();
#endif
}

Here is the caller graph for this function:

Variable Documentation

sasl_authenticators

const char* const sasl_authenticators[]

static

Initial value:

= {
  "ANONYMOUS",     "CRAM-MD5",       "DIGEST-MD5",    "EXTERNAL",
  "GS2-IAKERB",    "GS2-KRB5",       "GSS-SPNEGO",    "GSSAPI",
  "LOGIN",         "NTLM",           "OTP-MD4",       "OTP-MD5",
  "OTP-SHA1",      "PASSDSS-3DES-1", "PLAIN",         "SCRAM-SHA-1",
  "SCRAM-SHA-224", "SCRAM-SHA-256",  "SCRAM-SHA-384", "SCRAM-SHA-512",
  "SRP",
}

Authenticaion methods supported by Cyrus SASL.

Definition at line 102 of file sasl.c.

MuttSaslCallbacks

sasl_callback_t MuttSaslCallbacks[5]

static

Definition at line 118 of file sasl.c.

secret_ptr

sasl_secret_t* secret_ptr = NULL

static

Definition at line 120 of file sasl.c.