2 * Copyright notice from original mutt:
3 * Copyright (C) 2000-5 Brendan Cully <brendan@kublai.com>
5 * This file is part of mutt-ng, see http://www.muttng.org/.
6 * It's licensed under the GNU General Public License,
7 * please see the file GPL in the top level source directory.
10 /* common SASL helper routines */
12 #include <lib-lib/lib-lib.h>
15 #include <sasl/sasl.h>
16 #include <sys/socket.h>
17 #include <netinet/in.h>
19 #include <lib-ui/curses.h>
20 #include <lib-sys/mutt_socket.h>
24 #include "mutt_sasl.h"
26 /* arbitrary. SASL will probably use a smaller buffer anyway. OTOH it's
27 * been a while since I've had access to an SASL server which negotiated
28 * a protection buffer. */
29 #define M_SASL_MAXBUF 65536
32 sasl_conn_t *saslconn;
33 const sasl_ssf_t *ssf;
34 const unsigned int *pbufsize;
41 /* underlying socket data */
43 int (*msasl_open) (CONNECTION * conn);
44 int (*msasl_close) (CONNECTION * conn);
45 int (*msasl_read) (CONNECTION * conn, char *buf, ssize_t len);
46 int (*msasl_write) (CONNECTION * conn, const char *buf, ssize_t count);
49 static sasl_callback_t mutt_sasl_callbacks[5];
52 static int mutt_sasl_cb_authname (void *context, int id, const char **result,
54 static int mutt_sasl_cb_pass (sasl_conn_t * conn, void *context, int id,
55 sasl_secret_t ** psecret);
57 /* socket wrappers for a SASL security layer */
58 static int mutt_sasl_conn_open (CONNECTION * conn);
59 static int mutt_sasl_conn_close (CONNECTION * conn);
60 static int mutt_sasl_conn_read (CONNECTION * conn, char *buf, ssize_t len);
61 static int mutt_sasl_conn_write (CONNECTION * conn, const char *buf,
65 iptostring(const struct sockaddr_storage *addr, char *out, unsigned outlen)
67 char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
69 if (getnameinfo((struct sockaddr*)addr, sizeof(*addr),
70 hbuf, sizeof(hbuf), pbuf, sizeof(pbuf),
71 NI_NUMERICHOST | NI_NUMERICSERV))
74 snprintf(out, outlen, "%s;%s", hbuf, pbuf);
78 /* mutt_sasl_start: called before doing a SASL exchange - initialises library
80 static int mutt_sasl_start (void)
82 static int sasl_init = 0;
87 if (sasl_client_init(NULL) != SASL_OK)
95 static sasl_callback_t *mutt_sasl_get_callbacks (ACCOUNT * account)
97 sasl_callback_t *callback;
99 callback = mutt_sasl_callbacks;
101 callback->id = SASL_CB_USER;
102 callback->proc = mutt_sasl_cb_authname;
103 callback->context = account;
106 callback->id = SASL_CB_AUTHNAME;
107 callback->proc = mutt_sasl_cb_authname;
108 callback->context = account;
111 callback->id = SASL_CB_PASS;
112 callback->proc = mutt_sasl_cb_pass;
113 callback->context = account;
116 callback->id = SASL_CB_GETREALM;
117 callback->proc = NULL;
118 callback->context = NULL;
121 callback->id = SASL_CB_LIST_END;
122 callback->proc = NULL;
123 callback->context = NULL;
125 return mutt_sasl_callbacks;
128 int mutt_sasl_client_new (CONNECTION * conn, sasl_conn_t ** saslconn)
130 sasl_security_properties_t secprops;
132 struct sockaddr_storage local, remote;
134 char iplocalport[STRING], ipremoteport[STRING];
138 if (mutt_sasl_start() != SASL_OK)
141 switch (conn->account.type) {
142 case M_ACCT_TYPE_IMAP:
146 case M_ACCT_TYPE_POP:
154 size = sizeof(local);
155 if (getsockname(conn->fd, (struct sockaddr *) &local, &size)
156 || iptostring(&local, iplocalport, STRING) != SASL_OK)
161 size = sizeof(remote);
162 if (getpeername(conn->fd, (struct sockaddr *) &remote, &size)
163 || iptostring(&remote, ipremoteport, STRING) != SASL_OK)
168 rc = sasl_client_new(service, conn->account.host, iplocalport,
170 mutt_sasl_get_callbacks(&conn->account), 0, saslconn);
176 /* set security properties. We use NOPLAINTEXT globally, since we can
177 * just fall back to LOGIN in the IMAP case anyway. If that doesn't
178 * work for POP, we can make it a flag or move this code into
179 * imap/auth_sasl.c */
180 p_clear(&secprops, 1);
181 /* Work around a casting bug in the SASL krb4 module */
182 secprops.max_ssf = 0x7fff;
183 secprops.maxbufsize = M_SASL_MAXBUF;
184 secprops.security_flags |= SASL_SEC_NOPLAINTEXT;
185 if (sasl_setprop (*saslconn, SASL_SEC_PROPS, &secprops) != SASL_OK) {
190 if (sasl_setprop (*saslconn, SASL_SSF_EXTERNAL, &(conn->ssf)) != SASL_OK)
194 if (sasl_setprop (*saslconn, SASL_AUTH_EXTERNAL, conn->account.user) !=
203 int mutt_sasl_interact (sasl_interact_t * interaction)
208 while (interaction->id != SASL_CB_LIST_END) {
209 snprintf (prompt, sizeof (prompt), "%s: ", interaction->prompt);
211 if (mutt_get_field (prompt, resp, sizeof (resp), 0))
214 interaction->len = m_strlen(resp) + 1;
215 interaction->result = p_dupstr(resp, interaction->len - 1);
222 /* SASL can stack a protection layer on top of an existing connection.
223 * To handle this, we store a saslconn_t in conn->sockdata, and write
224 * wrappers which en/decode the read/write stream, then replace sockdata
225 * with an embedded copy of the old sockdata and call the underlying
226 * functions (which we've also preserved). I thought about trying to make
227 * a general stackable connection system, but it seemed like overkill -
228 * something is wrong if we have 15 filters on top of a socket. Anyway,
229 * anything else which wishes to stack can use the same method. The only
230 * disadvantage is we have to write wrappers for all the socket methods,
231 * even if we only stack over read and write. Thinking about it, the
232 * abstraction problem is that there is more in CONNECTION than there
233 * needs to be. Ideally it would have only (void*)data and methods. */
235 /* mutt_sasl_setup_conn: replace connection methods, sockdata with
236 * SASL wrappers, for protection layers. Also get ssf, as a fastpath
237 * for the read/write methods. */
238 void mutt_sasl_setup_conn (CONNECTION * conn, sasl_conn_t * saslconn)
240 SASL_DATA *sasldata = p_new(SASL_DATA, 1);
242 sasldata->saslconn = saslconn;
243 /* get ssf so we know whether we have to (en|de)code read/write */
244 sasl_getprop (saslconn, SASL_SSF, (const void **)(void *)&sasldata->ssf);
246 /* Add SASL SSF to transport SSF */
247 conn->ssf += *sasldata->ssf;
248 sasl_getprop (saslconn, SASL_MAXOUTBUF,
249 (const void **)(void *)&sasldata->pbufsize);
251 /* clear input buffer */
252 sasldata->buf = NULL;
256 /* preserve old functions */
257 sasldata->sockdata = conn->sockdata;
258 sasldata->msasl_open = conn->conn_open;
259 sasldata->msasl_close = conn->conn_close;
260 sasldata->msasl_read = conn->conn_read;
261 sasldata->msasl_write = conn->conn_write;
263 /* and set up new functions */
264 conn->sockdata = sasldata;
265 conn->conn_open = mutt_sasl_conn_open;
266 conn->conn_close = mutt_sasl_conn_close;
267 conn->conn_read = mutt_sasl_conn_read;
268 conn->conn_write = mutt_sasl_conn_write;
271 void mutt_sasl_shutdown(void) {
275 /* mutt_sasl_cb_authname: callback to retrieve authname or user from ACCOUNT */
276 static int mutt_sasl_cb_authname (void *context, int id, const char **result,
279 ACCOUNT *account = (ACCOUNT *) context;
286 return SASL_BADPARAM;
288 if (id == SASL_CB_AUTHNAME) {
289 if (mutt_account_getlogin (account))
291 *result = account->login;
293 if (mutt_account_getuser (account))
295 *result = account->user;
299 *len = m_strlen(*result);
304 static int mutt_sasl_cb_pass(sasl_conn_t *conn __attribute__ ((unused)),
305 void *context, int id __attribute__ ((unused)),
306 sasl_secret_t **psecret)
308 ACCOUNT *account = (ACCOUNT *) context;
311 if (!account || !psecret)
312 return SASL_BADPARAM;
314 if (mutt_account_getpass (account))
317 len = m_strlen(account->pass);
319 *psecret = xmalloc(sizeof(sasl_secret_t) + len);
320 (*psecret)->len = len;
321 memcpy((char*)(*psecret)->data, account->pass, len);
326 /* mutt_sasl_conn_open: empty wrapper for underlying open function. We
327 * don't know in advance that a connection will use SASL, so we
328 * replace conn's methods with sasl methods when authentication
329 * is successful, using mutt_sasl_setup_conn */
330 static int mutt_sasl_conn_open (CONNECTION * conn)
335 sasldata = (SASL_DATA *) conn->sockdata;
336 conn->sockdata = sasldata->sockdata;
337 rc = (sasldata->msasl_open) (conn);
338 conn->sockdata = sasldata;
343 /* mutt_sasl_conn_close: calls underlying close function and disposes of
344 * the sasl_conn_t object, then restores connection to pre-sasl state */
345 static int mutt_sasl_conn_close(CONNECTION * conn)
350 sasldata = (SASL_DATA *) conn->sockdata;
352 /* restore connection's underlying methods */
353 conn->sockdata = sasldata->sockdata;
354 conn->conn_open = sasldata->msasl_open;
355 conn->conn_close = sasldata->msasl_close;
356 conn->conn_read = sasldata->msasl_read;
357 conn->conn_write = sasldata->msasl_write;
359 /* release sasl resources */
360 sasl_dispose (&sasldata->saslconn);
361 p_delete(&sasldata->buf);
364 /* call underlying close */
365 rc = (conn->conn_close) (conn);
370 static int mutt_sasl_conn_read (CONNECTION * conn, char *buf, ssize_t len)
377 sasldata = (SASL_DATA *) conn->sockdata;
379 /* if we still have data in our read buffer, copy it into buf */
380 if (sasldata->blen > sasldata->bpos) {
381 olen = (sasldata->blen - sasldata->bpos > len) ? len :
382 sasldata->blen - sasldata->bpos;
384 memcpy (buf, sasldata->buf + sasldata->bpos, olen);
385 sasldata->bpos += olen;
390 conn->sockdata = sasldata->sockdata;
392 p_delete(&sasldata->buf);
396 /* and decode the result, if necessary */
397 if (*sasldata->ssf) {
399 /* call the underlying read function to fill the buffer */
400 rc = (sasldata->msasl_read) (conn, buf, len);
404 rc = sasl_decode(sasldata->saslconn, buf, rc,
405 (const char **)&sasldata->buf, &sasldata->blen);
410 while (!sasldata->blen);
412 olen = (sasldata->blen - sasldata->bpos > len) ? len :
413 sasldata->blen - sasldata->bpos;
415 memcpy (buf, sasldata->buf, olen);
416 sasldata->bpos += olen;
421 rc = (sasldata->msasl_read) (conn, buf, len);
424 conn->sockdata = sasldata;
430 mutt_sasl_conn_write(CONNECTION * conn, const char *buf, ssize_t len)
436 unsigned int olen, plen;
438 sasldata = (SASL_DATA *) conn->sockdata;
439 conn->sockdata = sasldata->sockdata;
441 /* encode data, if necessary */
442 if (*sasldata->ssf) {
443 /* handle data larger than MAXOUTBUF */
445 olen = (len > *sasldata->pbufsize) ? *sasldata->pbufsize : len;
447 rc = sasl_encode(sasldata->saslconn, buf, olen,
448 (const char **)&pbuf, &plen);
453 plen -= (sasldata->msasl_write)(conn, pbuf, plen);
460 } while (len > *sasldata->pbufsize);
462 /* just write using the underlying socket function */
463 rc = (sasldata->msasl_write) (conn, buf, len);
466 conn->sockdata = sasldata;
471 conn->sockdata = sasldata;