[exim.git] / src / src / auths / cyrus_sasl.c

/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.1 2004/10/07 13:10:01 ph10 Exp $ */

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2003 */
/* See the file NOTICE for conditions of use and distribution. */

/* This code was contributed by Matthew Byng-Maddick */

/* Copyright (c) A L Digital 2004 */

/* A generic (mechanism independent) Cyrus SASL authenticator. */


#include "../exim.h"


/* We can't just compile this code and allow the library mechanism to omit the
functions if they are not wanted, because we need to have the Cyrus SASL header
available for compiling. Therefore, compile these functions only if
AUTH_CYRUS_SASL is defined. However, some compilers don't like compiling empty
modules, so keep them happy with a dummy when skipping the rest. Make it
reference itself to stop picky compilers complaining that it is unused, and put
in a dummy argument to stop even pickier compilers complaining about infinite
loops. */

#ifndef AUTH_CYRUS_SASL
static void dummy(int x) { dummy(x-1); }
#else


#include <sasl/sasl.h>
#include "cyrus_sasl.h"

/* Options specific to the cyrus_sasl authentication mechanism. */

optionlist auth_cyrus_sasl_options[] = {
  { "server_hostname",      opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_hostname)) },
  { "server_mech",          opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_mech)) },
  { "server_realm",         opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_realm)) },
  { "server_service",       opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_service)) }
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_cyrus_sasl_options_count =
  sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);

/* Default private options block for the contidion authentication method. */

auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
  US"smtp",         /* server_service */
  US"$primary_hostname", /* server_hostname */
  NULL,             /* server_realm */
  NULL              /* server_mech */
};


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

void
auth_cyrus_sasl_init(auth_instance *ablock)
{
auth_cyrus_sasl_options_block *ob =
  (auth_cyrus_sasl_options_block *)(ablock->options_block);
sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
sasl_conn_t *conn;
uschar *list, *listptr, *buffer;
int rc, i;
unsigned int len;
uschar *rs_point;

/* default the mechanism to our "public name" */
if(ob->server_mech == NULL)
  ob->server_mech=string_copy(ablock->public_name);

/* we're going to initialise the library to check that there is an
 * authenticator of type whatever mechanism we're using
 */
rc=sasl_server_init(cbs, "exim");
if( rc != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't initialise Cyrus SASL library.", ablock->name);

rc=sasl_server_new(CS ob->server_service, CS primary_hostname,
                   CS ob->server_realm, NULL, NULL, NULL, 0, &conn);
if( rc != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't initialise Cyrus SASL server connection.", ablock->name);

rc=sasl_listmech(conn, NULL, "", ":", "", (const char **)(&list), &len, &i);
if( rc != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't get Cyrus SASL mechanism list.", ablock->name);

i=':';
listptr=list;

HDEBUG(D_auth) debug_printf("Cyrus SASL knows about: %s\n", list);

/* the store_get / store_reset mechanism is hierarchical
 * the hierarchy is stored for us behind our back. This point
 * creates a hierarchy point for this function.
 */
rs_point=store_get(0);

/* loop until either we get to the end of the list, or we match the
 * public name of this authenticator
 */
while( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
       strcmpic(buffer,ob->server_mech) );

if(!buffer)
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);

store_reset(rs_point);

HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name);

/* make sure that if we get here then we're allowed to advertise. */
ablock->server = TRUE;

sasl_dispose(&conn);
sasl_done();
}

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

/* note, we don't care too much about memory allocation in this, because this is entirely
 * within a shortlived child
 */

int
auth_cyrus_sasl_server(auth_instance *ablock, uschar *data)
{
auth_cyrus_sasl_options_block *ob =
  (auth_cyrus_sasl_options_block *)(ablock->options_block);
uschar *output, *out2, *input, *clear, *hname;
uschar *debug = NULL;   /* Stops compiler complaining */
sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
sasl_conn_t *conn;
int rc, firsttime=1, clen;
unsigned int inlen, outlen;

input=data;
inlen=Ustrlen(data);

HDEBUG(D_auth) debug=string_copy(data);

hname=expand_string(ob->server_hostname);
if(hname == NULL)
  {
  auth_defer_msg = expand_string_message;
  return DEFER;
  }

if(inlen)
  {
  clen=auth_b64decode(input, &clear);
  if(clen < 0)
    {
    return BAD64;
    }
  input=clear;
  inlen=clen;
  }

rc=sasl_server_init(cbs, "exim");
if (rc != SASL_OK)
  {
  auth_defer_msg = US"couldn't initialise Cyrus SASL library";
  return DEFER;
  }

rc=sasl_server_new(CS ob->server_service, CS ob->server_hostname,
                   CS ob->server_realm, NULL, NULL, NULL, 0, &conn);
if( rc != SASL_OK )
  {
  auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
  sasl_done();
  return DEFER;
  }

rc=SASL_CONTINUE;

while(rc==SASL_CONTINUE)
  {
  if(firsttime)
    {
    firsttime=0;
    HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
    rc=sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
           (const char **)(&output), &outlen);
    }
  else
    {
    /* make sure that we have a null-terminated string */
    out2=store_get(outlen+1);
    memcpy(out2,output,outlen);
    out2[outlen]='\0';
    if((rc=auth_get_data(&input, out2, outlen))!=OK)
      {
      /* we couldn't get the data, so free up the library before
       * returning whatever error we get */
      sasl_dispose(&conn);
      sasl_done();
      return rc;
      }
    inlen=Ustrlen(input);

    HDEBUG(D_auth) debug=string_copy(input);
    if(inlen)
      {
      clen=auth_b64decode(input, &clear);
      if(clen < 0)
       {
        sasl_dispose(&conn);
        sasl_done();
       return BAD64;
       }
      input=clear;
      inlen=clen;
      }

    HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
    rc=sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
    }
  if(rc==SASL_BADPROT)
    {
    sasl_dispose(&conn);
    sasl_done();
    return UNEXPECTED;
    }
  else if( rc==SASL_FAIL     || rc==SASL_BUFOVER
       || rc==SASL_BADMAC   || rc==SASL_BADAUTH
       || rc==SASL_NOAUTHZ  || rc==SASL_ENCRYPT
       || rc==SASL_EXPIRED  || rc==SASL_DISABLED
       || rc==SASL_NOUSER   )
    {
    /* these are considered permanent failure codes */
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
    log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
       "Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
       sasl_errstring(rc, NULL, NULL));
    sasl_dispose(&conn);
    sasl_done();
    return FAIL;
    }
  else if(rc==SASL_NOMECH)
    {
    /* this is a temporary failure, because the mechanism is not
     * available for this user. If it wasn't available at all, we
     * shouldn't have got here in the first place...
     */
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
    auth_defer_msg =
        string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
    sasl_dispose(&conn);
    sasl_done();
    return DEFER;
    }
  else if(!(rc==SASL_OK || rc==SASL_CONTINUE))
    {
    /* Anything else is a temporary failure, and we'll let SASL print out
     * the error string for us
     */
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
    auth_defer_msg =
        string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
    sasl_dispose(&conn);
    sasl_done();
    return DEFER;
    }
  else if(rc==SASL_OK)
    {
    /* get the username and copy it into $1 */
    rc=sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2));
    expand_nstring[1]=string_copy(out2);
    expand_nlength[1]=Ustrlen(expand_nstring[1]);
    expand_nmax=1;

    HDEBUG(D_auth)
      debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2);
    /* close down the connection, freeing up library's memory */
    sasl_dispose(&conn);
    sasl_done();
    return OK;
    }
  }
/* NOTREACHED */
return 0;  /* Stop compiler complaints */
}

/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_cyrus_sasl_client(
  auth_instance *ablock,                 /* authenticator block */
  smtp_inblock *inblock,                 /* input connection */
  smtp_outblock *outblock,               /* output connection */
  int timeout,                           /* command timeout */
  uschar *buffer,                          /* for reading response */
  int buffsize)                          /* size of buffer */
{
/* We don't support clients (yet) in this implementation of cyrus_sasl */
return FAIL;
}

#endif  /* AUTH_CYRUS_SASL */

/* End of cyrus_sasl.c */
Commit	Line	Data
0756eb3c PH	1	/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.1 2004/10/07 13:10:01 ph10 Exp $ */
	2
	3	/*************************************************
	4	* Exim - an Internet mail transport agent *
	5	*************************************************/
	6
	7	/* Copyright (c) University of Cambridge 1995 - 2003 */
	8	/* See the file NOTICE for conditions of use and distribution. */
	9
	10	/* This code was contributed by Matthew Byng-Maddick */
	11
	12	/* Copyright (c) A L Digital 2004 */
	13
	14	/* A generic (mechanism independent) Cyrus SASL authenticator. */
	15
	16
	17	#include "../exim.h"
	18
	19
	20	/* We can't just compile this code and allow the library mechanism to omit the
	21	functions if they are not wanted, because we need to have the Cyrus SASL header
	22	available for compiling. Therefore, compile these functions only if
	23	AUTH_CYRUS_SASL is defined. However, some compilers don't like compiling empty
	24	modules, so keep them happy with a dummy when skipping the rest. Make it
	25	reference itself to stop picky compilers complaining that it is unused, and put
	26	in a dummy argument to stop even pickier compilers complaining about infinite
	27	loops. */
	28
	29	#ifndef AUTH_CYRUS_SASL
	30	static void dummy(int x) { dummy(x-1); }
	31	#else
	32
	33
	34	#include <sasl/sasl.h>
	35	#include "cyrus_sasl.h"
	36
	37	/* Options specific to the cyrus_sasl authentication mechanism. */
	38
	39	optionlist auth_cyrus_sasl_options[] = {
	40	{ "server_hostname", opt_stringptr,
	41	(void *)(offsetof(auth_cyrus_sasl_options_block, server_hostname)) },
	42	{ "server_mech", opt_stringptr,
	43	(void *)(offsetof(auth_cyrus_sasl_options_block, server_mech)) },
	44	{ "server_realm", opt_stringptr,
	45	(void *)(offsetof(auth_cyrus_sasl_options_block, server_realm)) },
	46	{ "server_service", opt_stringptr,
	47	(void *)(offsetof(auth_cyrus_sasl_options_block, server_service)) }
	48	};
	49
	50	/* Size of the options list. An extern variable has to be used so that its
	51	address can appear in the tables drtables.c. */
	52
	53	int auth_cyrus_sasl_options_count =
	54	sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
	55
	56	/* Default private options block for the contidion authentication method. */
	57
	58	auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
	59	US"smtp", /* server_service */
	60	US"$primary_hostname", /* server_hostname */
	61	NULL, /* server_realm */
	62	NULL /* server_mech */
	63	};
	64
65
66	/*************************************************
67	* Initialization entry point *
68	*************************************************/
69
70	/* Called for each instance, after its options have been read, to
71	enable consistency checks to be done, or anything else that needs
72	to be set up. */
73
74	void
75	auth_cyrus_sasl_init(auth_instance *ablock)
76	{
77	auth_cyrus_sasl_options_block *ob =
78	(auth_cyrus_sasl_options_block *)(ablock->options_block);
79	sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
80	sasl_conn_t *conn;
81	uschar list, listptr, *buffer;
82	int rc, i;
83	unsigned int len;
84	uschar *rs_point;
85
86	/* default the mechanism to our "public name" */
87	if(ob->server_mech == NULL)
88	ob->server_mech=string_copy(ablock->public_name);
89
90	/* we're going to initialise the library to check that there is an
91	* authenticator of type whatever mechanism we're using
92	*/
93	rc=sasl_server_init(cbs, "exim");
94	if( rc != SASL_OK )
95	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
96	"couldn't initialise Cyrus SASL library.", ablock->name);
97
98	rc=sasl_server_new(CS ob->server_service, CS primary_hostname,
99	CS ob->server_realm, NULL, NULL, NULL, 0, &conn);
100	if( rc != SASL_OK )
101	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
102	"couldn't initialise Cyrus SASL server connection.", ablock->name);
103
104	rc=sasl_listmech(conn, NULL, "", ":", "", (const char **)(&list), &len, &i);
105	if( rc != SASL_OK )
106	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
107	"couldn't get Cyrus SASL mechanism list.", ablock->name);
108
109	i=':';
110	listptr=list;
111
112	HDEBUG(D_auth) debug_printf("Cyrus SASL knows about: %s\n", list);
113
114	/* the store_get / store_reset mechanism is hierarchical
115	* the hierarchy is stored for us behind our back. This point
116	* creates a hierarchy point for this function.
117	*/
118	rs_point=store_get(0);
119
120	/* loop until either we get to the end of the list, or we match the
121	* public name of this authenticator
122	*/
123	while( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
124	strcmpic(buffer,ob->server_mech) );
125
126	if(!buffer)
127	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
128	"Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);
129
130	store_reset(rs_point);
131
132	HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name);
133
134	/* make sure that if we get here then we're allowed to advertise. */
135	ablock->server = TRUE;
136
137	sasl_dispose(&conn);
138	sasl_done();
139	}
140
141	/*************************************************
142	* Server entry point *
143	*************************************************/
144
145	/* For interface, see auths/README */
146
147	/* note, we don't care too much about memory allocation in this, because this is entirely
148	* within a shortlived child
149	*/
150
151	int
152	auth_cyrus_sasl_server(auth_instance ablock, uschar data)
153	{
154	auth_cyrus_sasl_options_block *ob =
155	(auth_cyrus_sasl_options_block *)(ablock->options_block);
156	uschar output, out2, input, clear, *hname;
157	uschar debug = NULL; / Stops compiler complaining */
158	sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
159	sasl_conn_t *conn;
160	int rc, firsttime=1, clen;
161	unsigned int inlen, outlen;
162
163	input=data;
164	inlen=Ustrlen(data);
165
166	HDEBUG(D_auth) debug=string_copy(data);
167
168	hname=expand_string(ob->server_hostname);
169	if(hname == NULL)
170	{
171	auth_defer_msg = expand_string_message;
172	return DEFER;
173	}
174
175	if(inlen)
176	{
177	clen=auth_b64decode(input, &clear);
178	if(clen < 0)
179	{
180	return BAD64;
181	}
182	input=clear;
183	inlen=clen;
184	}
185
186	rc=sasl_server_init(cbs, "exim");
187	if (rc != SASL_OK)
188	{
189	auth_defer_msg = US"couldn't initialise Cyrus SASL library";
190	return DEFER;
191	}
192
193	rc=sasl_server_new(CS ob->server_service, CS ob->server_hostname,
194	CS ob->server_realm, NULL, NULL, NULL, 0, &conn);
195	if( rc != SASL_OK )
196	{
197	auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
198	sasl_done();
199	return DEFER;
200	}
201
202	rc=SASL_CONTINUE;
203
204	while(rc==SASL_CONTINUE)
205	{
206	if(firsttime)
207	{
208	firsttime=0;
209	HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
210	rc=sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
211	(const char **)(&output), &outlen);
212	}
213	else
214	{
215	/* make sure that we have a null-terminated string */
216	out2=store_get(outlen+1);
217	memcpy(out2,output,outlen);
218	out2[outlen]='\0';
219	if((rc=auth_get_data(&input, out2, outlen))!=OK)
220	{
221	/* we couldn't get the data, so free up the library before
222	* returning whatever error we get */
223	sasl_dispose(&conn);
224	sasl_done();
225	return rc;
226	}
227	inlen=Ustrlen(input);
228
229	HDEBUG(D_auth) debug=string_copy(input);
230	if(inlen)
231	{
232	clen=auth_b64decode(input, &clear);
233	if(clen < 0)
234	{
235	sasl_dispose(&conn);
236	sasl_done();
237	return BAD64;
238	}
239	input=clear;
240	inlen=clen;
241	}
242
243	HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
244	rc=sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
245	}
246	if(rc==SASL_BADPROT)
247	{
248	sasl_dispose(&conn);
249	sasl_done();
250	return UNEXPECTED;
251	}
252	else if( rc==SASL_FAIL \|\| rc==SASL_BUFOVER
253	\|\| rc==SASL_BADMAC \|\| rc==SASL_BADAUTH
254	\|\| rc==SASL_NOAUTHZ \|\| rc==SASL_ENCRYPT
255	\|\| rc==SASL_EXPIRED \|\| rc==SASL_DISABLED
256	\|\| rc==SASL_NOUSER )
257	{
258	/* these are considered permanent failure codes */
259	HDEBUG(D_auth)
260	debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
261	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
262	"Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
263	sasl_errstring(rc, NULL, NULL));
264	sasl_dispose(&conn);
265	sasl_done();
266	return FAIL;
267	}
268	else if(rc==SASL_NOMECH)
269	{
270	/* this is a temporary failure, because the mechanism is not
271	* available for this user. If it wasn't available at all, we
272	* shouldn't have got here in the first place...
273	*/
274	HDEBUG(D_auth)
275	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
276	auth_defer_msg =
277	string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
278	sasl_dispose(&conn);
279	sasl_done();
280	return DEFER;
281	}
282	else if(!(rc==SASL_OK \|\| rc==SASL_CONTINUE))
283	{
284	/* Anything else is a temporary failure, and we'll let SASL print out
285	* the error string for us
286	*/
287	HDEBUG(D_auth)
288	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
289	auth_defer_msg =
290	string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
291	sasl_dispose(&conn);
292	sasl_done();
293	return DEFER;
294	}
295	else if(rc==SASL_OK)
296	{
297	/* get the username and copy it into $1 */
298	rc=sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2));
299	expand_nstring[1]=string_copy(out2);
300	expand_nlength[1]=Ustrlen(expand_nstring[1]);
301	expand_nmax=1;
302
303	HDEBUG(D_auth)
304	debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2);
305	/* close down the connection, freeing up library's memory */
306	sasl_dispose(&conn);
307	sasl_done();
308	return OK;
309	}
310	}
311	/* NOTREACHED */
312	return 0; /* Stop compiler complaints */
313	}
314
315	/*************************************************
316	* Client entry point *
317	*************************************************/
318
319	/* For interface, see auths/README */
320
321	int
322	auth_cyrus_sasl_client(
323	auth_instance ablock, / authenticator block */
324	smtp_inblock inblock, / input connection */
325	smtp_outblock outblock, / output connection */
326	int timeout, /* command timeout */
327	uschar buffer, / for reading response */
328	int buffsize) /* size of buffer */
329	{
330	/* We don't support clients (yet) in this implementation of cyrus_sasl */
331	return FAIL;
332	}
333
334	#endif /* AUTH_CYRUS_SASL */
335
336	/* End of cyrus_sasl.c */