[exim.git] / src / src / auths / cyrus_sasl.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */

/* This code was originally contributed by Matthew Byng-Maddick */

/* Copyright (c) A L Digital 2004 */

/* A generic (mechanism independent) Cyrus SASL authenticator. */


#include "../exim.h"


/* We can't just compile this code and allow the library mechanism to omit the
functions if they are not wanted, because we need to have the Cyrus SASL header
available for compiling. Therefore, compile these functions only if
AUTH_CYRUS_SASL is defined. However, some compilers don't like compiling empty
modules, so keep them happy with a dummy when skipping the rest. Make it
reference itself to stop picky compilers complaining that it is unused, and put
in a dummy argument to stop even pickier compilers complaining about infinite
loops. */

#ifndef AUTH_CYRUS_SASL
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
#else


#include <sasl/sasl.h>
#include "cyrus_sasl.h"

/* Options specific to the cyrus_sasl authentication mechanism. */

optionlist auth_cyrus_sasl_options[] = {
  { "server_hostname",      opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_hostname)) },
  { "server_mech",          opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_mech)) },
  { "server_realm",         opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_realm)) },
  { "server_service",       opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_service)) }
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_cyrus_sasl_options_count =
  sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);

/* Default private options block for the cyrus_sasl authentication method. */

auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
  US"smtp",         /* server_service */
  US"$primary_hostname", /* server_hostname */
  NULL,             /* server_realm */
  NULL              /* server_mech */
};


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */


/* Auxiliary function, passed in data to sasl_server_init(). */

static int
mysasl_config(void *context,
              const char *plugin_name,
              const char *option,
              const char **result,
              unsigned int *len)
{
if (context && !strcmp(option, "mech_list"))
  {
  *result = context;
  if (len != NULL) *len = strlen(*result);
  return SASL_OK;
  }
return SASL_FAIL;
}

/* Here's the real function */

void
auth_cyrus_sasl_init(auth_instance *ablock)
{
auth_cyrus_sasl_options_block *ob =
  (auth_cyrus_sasl_options_block *)(ablock->options_block);
const uschar *list, *listptr, *buffer;
int rc, i;
unsigned int len;
uschar *rs_point, *expanded_hostname;
char *realm_expanded;

sasl_conn_t *conn;
sasl_callback_t cbs[]={
  {SASL_CB_GETOPT, NULL, NULL },
  {SASL_CB_LIST_END, NULL, NULL}};

/* default the mechanism to our "public name" */
if(ob->server_mech == NULL)
  ob->server_mech=string_copy(ablock->public_name);

expanded_hostname = expand_string(ob->server_hostname);
if (expanded_hostname == NULL)
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't expand server_hostname [%s]: %s",
      ablock->name, ob->server_hostname, expand_string_message);

realm_expanded=NULL;
if (ob->server_realm != NULL) {
  realm_expanded = CS expand_string(ob->server_realm);
  if (realm_expanded == NULL)
    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
        "couldn't expand server_realm [%s]: %s",
        ablock->name, ob->server_realm, expand_string_message);
}

/* we're going to initialise the library to check that there is an
 * authenticator of type whatever mechanism we're using
 */

cbs[0].proc = (int(*)(void)) &mysasl_config;
cbs[0].context = ob->server_mech;

rc=sasl_server_init(cbs, "exim");

if( rc != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't initialise Cyrus SASL library.", ablock->name);

rc=sasl_server_new(CS ob->server_service, CS expanded_hostname,
                   realm_expanded, NULL, NULL, NULL, 0, &conn);
if( rc != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't initialise Cyrus SASL server connection.", ablock->name);

rc=sasl_listmech(conn, NULL, "", ":", "", (const char **)&list, &len, &i);
if( rc != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't get Cyrus SASL mechanism list.", ablock->name);

i=':';
listptr=list;

HDEBUG(D_auth) {
  debug_printf("Initialised Cyrus SASL service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
      ob->server_service, expanded_hostname, realm_expanded);
  debug_printf("Cyrus SASL knows mechanisms: %s\n", list);
}

/* the store_get / store_reset mechanism is hierarchical
 * the hierarchy is stored for us behind our back. This point
 * creates a hierarchy point for this function.
 */
rs_point=store_get(0);

/* loop until either we get to the end of the list, or we match the
 * public name of this authenticator
 */
while( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
       strcmpic(buffer,ob->server_mech) );

if(!buffer)
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);

store_reset(rs_point);

HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name);

/* make sure that if we get here then we're allowed to advertise. */
ablock->server = TRUE;

sasl_dispose(&conn);
sasl_done();
}

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

/* note, we don't care too much about memory allocation in this, because this is entirely
 * within a shortlived child
 */

int
auth_cyrus_sasl_server(auth_instance *ablock, uschar *data)
{
auth_cyrus_sasl_options_block *ob =
  (auth_cyrus_sasl_options_block *)(ablock->options_block);
uschar *output, *out2, *input, *clear, *hname;
uschar *debug = NULL;   /* Stops compiler complaining */
sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
sasl_conn_t *conn;
char *realm_expanded;
int rc, i, firsttime=1, clen, *negotiated_ssf_ptr=NULL, negotiated_ssf;
unsigned int inlen, outlen;

input=data;
inlen=Ustrlen(data);

HDEBUG(D_auth) debug=string_copy(data);

hname=expand_string(ob->server_hostname);
realm_expanded=NULL;
if (hname && ob->server_realm)
  realm_expanded= CS expand_string(ob->server_realm);
if((hname == NULL) ||
   ((realm_expanded == NULL) && (ob->server_realm != NULL)))
  {
  auth_defer_msg = expand_string_message;
  return DEFER;
  }

if(inlen)
  {
  clen=auth_b64decode(input, &clear);
  if(clen < 0)
    {
    return BAD64;
    }
  input=clear;
  inlen=clen;
  }

rc=sasl_server_init(cbs, "exim");
if (rc != SASL_OK)
  {
  auth_defer_msg = US"couldn't initialise Cyrus SASL library";
  return DEFER;
  }

rc=sasl_server_new(CS ob->server_service, CS hname, realm_expanded, NULL,
  NULL, NULL, 0, &conn);

HDEBUG(D_auth)
  debug_printf("Initialised Cyrus SASL server connection; service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
      ob->server_service, hname, realm_expanded);

if( rc != SASL_OK )
  {
  auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
  sasl_done();
  return DEFER;
  }

if (tls_in.cipher)
  {
  rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits);
  if (rc != SASL_OK)
    {
    HDEBUG(D_auth) debug_printf("Cyrus SASL EXTERNAL SSF set %d failed: %s\n",
        tls_in.bits, sasl_errstring(rc, NULL, NULL));
    auth_defer_msg = US"couldn't set Cyrus SASL EXTERNAL SSF";
    sasl_done();
    return DEFER;
    }
  else
    HDEBUG(D_auth) debug_printf("Cyrus SASL set EXTERNAL SSF to %d\n", tls_in.bits);
  }
else
  HDEBUG(D_auth) debug_printf("Cyrus SASL: no TLS, no EXTERNAL SSF set\n");

/* So sasl_setprop() documents non-shorted IPv6 addresses which is incredibly
annoying; looking at cyrus-imapd-2.3.x source, the IP address is constructed
with their iptostring() function, which just wraps
getnameinfo(..., NI_NUMERICHOST|NI_NUMERICSERV), which is equivalent to the
inet_ntop which we wrap in our host_ntoa() function.

So the docs are too strict and we shouldn't worry about :: contractions. */

/* Set properties for remote and local host-ip;port */
for (i=0; i < 2; ++i)
  {
  struct sockaddr_storage ss;
  int (*query)(int, struct sockaddr *, socklen_t *);
  int propnum, port;
  const uschar *label;
  uschar *address, *address_port;
  const char *s_err;
  socklen_t sslen;

  if (i)
    {
    query = &getpeername;
    propnum = SASL_IPREMOTEPORT;
    label = CUS"peer";
    }
  else
    {
    query = &getsockname;
    propnum = SASL_IPLOCALPORT;
    label = CUS"local";
    }

  sslen = sizeof(ss);
  rc = query(fileno(smtp_in), (struct sockaddr *) &ss, &sslen);
  if (rc < 0)
    {
    HDEBUG(D_auth)
      debug_printf("Failed to get %s address information: %s\n",
          label, strerror(errno));
    break;
    }

  address = host_ntoa(-1, &ss, NULL, &port);
  address_port = string_sprintf("%s;%d", address, port);

  rc = sasl_setprop(conn, propnum, address_port);
  if (rc != SASL_OK)
    {
    s_err = sasl_errdetail(conn);
    HDEBUG(D_auth)
      debug_printf("Failed to set %s SASL property: [%d] %s\n",
          label, rc, s_err ? s_err : "<unknown reason>");
    break;
    }
  HDEBUG(D_auth) debug_printf("Cyrus SASL set %s hostport to: %s\n",
      label, address_port);
  }

rc=SASL_CONTINUE;

while(rc==SASL_CONTINUE)
  {
  if(firsttime)
    {
    firsttime=0;
    HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
    rc=sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
           (const char **)(&output), &outlen);
    }
  else
    {
    /* make sure that we have a null-terminated string */
    out2=store_get(outlen+1);
    memcpy(out2,output,outlen);
    out2[outlen]='\0';
    if((rc=auth_get_data(&input, out2, outlen))!=OK)
      {
      /* we couldn't get the data, so free up the library before
       * returning whatever error we get */
      sasl_dispose(&conn);
      sasl_done();
      return rc;
      }
    inlen=Ustrlen(input);

    HDEBUG(D_auth) debug=string_copy(input);
    if(inlen)
      {
      clen=auth_b64decode(input, &clear);
      if(clen < 0)
       {
        sasl_dispose(&conn);
        sasl_done();
       return BAD64;
       }
      input=clear;
      inlen=clen;
      }

    HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
    rc=sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
    }
  if(rc==SASL_BADPROT)
    {
    sasl_dispose(&conn);
    sasl_done();
    return UNEXPECTED;
    }
  else if( rc==SASL_FAIL     || rc==SASL_BUFOVER
       || rc==SASL_BADMAC   || rc==SASL_BADAUTH
       || rc==SASL_NOAUTHZ  || rc==SASL_ENCRYPT
       || rc==SASL_EXPIRED  || rc==SASL_DISABLED
       || rc==SASL_NOUSER   )
    {
    /* these are considered permanent failure codes */
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
    log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
       "Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
       sasl_errstring(rc, NULL, NULL));
    sasl_dispose(&conn);
    sasl_done();
    return FAIL;
    }
  else if(rc==SASL_NOMECH)
    {
    /* this is a temporary failure, because the mechanism is not
     * available for this user. If it wasn't available at all, we
     * shouldn't have got here in the first place...
     */
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
    auth_defer_msg =
        string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
    sasl_dispose(&conn);
    sasl_done();
    return DEFER;
    }
  else if(!(rc==SASL_OK || rc==SASL_CONTINUE))
    {
    /* Anything else is a temporary failure, and we'll let SASL print out
     * the error string for us
     */
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
    auth_defer_msg =
        string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
    sasl_dispose(&conn);
    sasl_done();
    return DEFER;
    }
  else if(rc==SASL_OK)
    {
    /* Get the username and copy it into $auth1 and $1. The former is now the
    preferred variable; the latter is the original variable. */
    rc = sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2));
    if (rc != SASL_OK)
      {
      HDEBUG(D_auth)
        debug_printf("Cyrus SASL library will not tell us the username: %s\n",
            sasl_errstring(rc, NULL, NULL));
      log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
         "Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech,
         sasl_errstring(rc, NULL, NULL));
      sasl_dispose(&conn);
      sasl_done();
      return FAIL;
      }

    auth_vars[0] = expand_nstring[1] = string_copy(out2);
    expand_nlength[1] = Ustrlen(expand_nstring[1]);
    expand_nmax = 1;

    HDEBUG(D_auth)
      debug_printf("Cyrus SASL %s authentication succeeded for %s\n",
          ob->server_mech, auth_vars[0]);

    rc = sasl_getprop(conn, SASL_SSF, (const void **)(&negotiated_ssf_ptr));
    if (rc != SASL_OK)
      {
      HDEBUG(D_auth)
        debug_printf("Cyrus SASL library will not tell us the SSF: %s\n",
            sasl_errstring(rc, NULL, NULL));
      log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
          "Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech,
          sasl_errstring(rc, NULL, NULL));
      sasl_dispose(&conn);
      sasl_done();
      return FAIL;
      }
    negotiated_ssf = *negotiated_ssf_ptr;
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL %s negotiated SSF: %d\n", ob->server_mech, negotiated_ssf);
    if (negotiated_ssf > 0)
      {
      HDEBUG(D_auth)
        debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf);
      log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
          "Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf);
      sasl_dispose(&conn);
      sasl_done();
      return FAIL;
      }

    /* close down the connection, freeing up library's memory */
    sasl_dispose(&conn);
    sasl_done();

    /* Expand server_condition as an authorization check */
    return auth_check_serv_cond(ablock);
    }
  }
/* NOTREACHED */
return 0;  /* Stop compiler complaints */
}

/*************************************************
*                Diagnostic API                  *
*************************************************/

void
auth_cyrus_sasl_version_report(FILE *f)
{
  const char *implementation, *version;
  sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL);
  fprintf(f, "Library version: Cyrus SASL: Compile: %d.%d.%d\n"
             "                             Runtime: %s [%s]\n",
          SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
          version, implementation);
}

/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_cyrus_sasl_client(
  auth_instance *ablock,                 /* authenticator block */
  smtp_inblock *inblock,                 /* input connection */
  smtp_outblock *outblock,               /* output connection */
  int timeout,                           /* command timeout */
  uschar *buffer,                          /* for reading response */
  int buffsize)                          /* size of buffer */
{
/* We don't support clients (yet) in this implementation of cyrus_sasl */
return FAIL;
}

#endif  /* AUTH_CYRUS_SASL */

/* End of cyrus_sasl.c */
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) University of Cambridge 1995 - 2015 */
	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* This code was originally contributed by Matthew Byng-Maddick */
	9
	10	/* Copyright (c) A L Digital 2004 */
	11
	12	/* A generic (mechanism independent) Cyrus SASL authenticator. */
	13
	14
	15	#include "../exim.h"
	16
	17
	18	/* We can't just compile this code and allow the library mechanism to omit the
	19	functions if they are not wanted, because we need to have the Cyrus SASL header
	20	available for compiling. Therefore, compile these functions only if
	21	AUTH_CYRUS_SASL is defined. However, some compilers don't like compiling empty
	22	modules, so keep them happy with a dummy when skipping the rest. Make it
	23	reference itself to stop picky compilers complaining that it is unused, and put
	24	in a dummy argument to stop even pickier compilers complaining about infinite
	25	loops. */
	26
	27	#ifndef AUTH_CYRUS_SASL
	28	static void dummy(int x);
	29	static void dummy2(int x) { dummy(x-1); }
	30	static void dummy(int x) { dummy2(x-1); }
	31	#else
	32
	33
	34	#include <sasl/sasl.h>
	35	#include "cyrus_sasl.h"
	36
	37	/* Options specific to the cyrus_sasl authentication mechanism. */
	38
	39	optionlist auth_cyrus_sasl_options[] = {
	40	{ "server_hostname", opt_stringptr,
	41	(void *)(offsetof(auth_cyrus_sasl_options_block, server_hostname)) },
	42	{ "server_mech", opt_stringptr,
	43	(void *)(offsetof(auth_cyrus_sasl_options_block, server_mech)) },
	44	{ "server_realm", opt_stringptr,
	45	(void *)(offsetof(auth_cyrus_sasl_options_block, server_realm)) },
	46	{ "server_service", opt_stringptr,
	47	(void *)(offsetof(auth_cyrus_sasl_options_block, server_service)) }
	48	};
	49
	50	/* Size of the options list. An extern variable has to be used so that its
	51	address can appear in the tables drtables.c. */
	52
	53	int auth_cyrus_sasl_options_count =
	54	sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
	55
	56	/* Default private options block for the cyrus_sasl authentication method. */
	57
	58	auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
	59	US"smtp", /* server_service */
	60	US"$primary_hostname", /* server_hostname */
	61	NULL, /* server_realm */
	62	NULL /* server_mech */
	63	};
	64
	65
	66	/*************************************************
	67	* Initialization entry point *
	68	*************************************************/
	69
	70	/* Called for each instance, after its options have been read, to
	71	enable consistency checks to be done, or anything else that needs
	72	to be set up. */
	73
	74
	75	/* Auxiliary function, passed in data to sasl_server_init(). */
	76
	77	static int
	78	mysasl_config(void *context,
	79	const char *plugin_name,
	80	const char *option,
	81	const char **result,
	82	unsigned int *len)
	83	{
	84	if (context && !strcmp(option, "mech_list"))
	85	{
	86	*result = context;
	87	if (len != NULL) len = strlen(result);
	88	return SASL_OK;
	89	}
	90	return SASL_FAIL;
	91	}
	92
	93	/* Here's the real function */
	94
	95	void
	96	auth_cyrus_sasl_init(auth_instance *ablock)
	97	{
	98	auth_cyrus_sasl_options_block *ob =
	99	(auth_cyrus_sasl_options_block *)(ablock->options_block);
	100	const uschar list, listptr, *buffer;
	101	int rc, i;
	102	unsigned int len;
	103	uschar rs_point, expanded_hostname;
	104	char *realm_expanded;
	105
	106	sasl_conn_t *conn;
	107	sasl_callback_t cbs[]={
	108	{SASL_CB_GETOPT, NULL, NULL },
	109	{SASL_CB_LIST_END, NULL, NULL}};
	110
	111	/* default the mechanism to our "public name" */
	112	if(ob->server_mech == NULL)
	113	ob->server_mech=string_copy(ablock->public_name);
	114
	115	expanded_hostname = expand_string(ob->server_hostname);
	116	if (expanded_hostname == NULL)
	117	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	118	"couldn't expand server_hostname [%s]: %s",
	119	ablock->name, ob->server_hostname, expand_string_message);
	120
	121	realm_expanded=NULL;
	122	if (ob->server_realm != NULL) {
	123	realm_expanded = CS expand_string(ob->server_realm);
	124	if (realm_expanded == NULL)
	125	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	126	"couldn't expand server_realm [%s]: %s",
	127	ablock->name, ob->server_realm, expand_string_message);
	128	}
	129
	130	/* we're going to initialise the library to check that there is an
	131	* authenticator of type whatever mechanism we're using
	132	*/
	133
	134	cbs[0].proc = (int(*)(void)) &mysasl_config;
	135	cbs[0].context = ob->server_mech;
	136
	137	rc=sasl_server_init(cbs, "exim");
	138
	139	if( rc != SASL_OK )
	140	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	141	"couldn't initialise Cyrus SASL library.", ablock->name);
	142
	143	rc=sasl_server_new(CS ob->server_service, CS expanded_hostname,
	144	realm_expanded, NULL, NULL, NULL, 0, &conn);
	145	if( rc != SASL_OK )
	146	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	147	"couldn't initialise Cyrus SASL server connection.", ablock->name);
	148
	149	rc=sasl_listmech(conn, NULL, "", ":", "", (const char **)&list, &len, &i);
	150	if( rc != SASL_OK )
	151	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	152	"couldn't get Cyrus SASL mechanism list.", ablock->name);
	153
	154	i=':';
	155	listptr=list;
	156
	157	HDEBUG(D_auth) {
	158	debug_printf("Initialised Cyrus SASL service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
	159	ob->server_service, expanded_hostname, realm_expanded);
	160	debug_printf("Cyrus SASL knows mechanisms: %s\n", list);
	161	}
	162
	163	/* the store_get / store_reset mechanism is hierarchical
	164	* the hierarchy is stored for us behind our back. This point
	165	* creates a hierarchy point for this function.
	166	*/
	167	rs_point=store_get(0);
	168
	169	/* loop until either we get to the end of the list, or we match the
	170	* public name of this authenticator
	171	*/
	172	while( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
	173	strcmpic(buffer,ob->server_mech) );
	174
	175	if(!buffer)
	176	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	177	"Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);
	178
	179	store_reset(rs_point);
	180
	181	HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name);
	182
	183	/* make sure that if we get here then we're allowed to advertise. */
	184	ablock->server = TRUE;
	185
	186	sasl_dispose(&conn);
	187	sasl_done();
	188	}
	189
	190	/*************************************************
	191	* Server entry point *
	192	*************************************************/
	193
	194	/* For interface, see auths/README */
	195
	196	/* note, we don't care too much about memory allocation in this, because this is entirely
	197	* within a shortlived child
	198	*/
	199
	200	int
	201	auth_cyrus_sasl_server(auth_instance ablock, uschar data)
	202	{
	203	auth_cyrus_sasl_options_block *ob =
	204	(auth_cyrus_sasl_options_block *)(ablock->options_block);
	205	uschar output, out2, input, clear, *hname;
	206	uschar debug = NULL; / Stops compiler complaining */
	207	sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
	208	sasl_conn_t *conn;
	209	char *realm_expanded;
	210	int rc, i, firsttime=1, clen, *negotiated_ssf_ptr=NULL, negotiated_ssf;
	211	unsigned int inlen, outlen;
	212
	213	input=data;
	214	inlen=Ustrlen(data);
	215
	216	HDEBUG(D_auth) debug=string_copy(data);
	217
	218	hname=expand_string(ob->server_hostname);
	219	realm_expanded=NULL;
	220	if (hname && ob->server_realm)
	221	realm_expanded= CS expand_string(ob->server_realm);
	222	if((hname == NULL) \|\|
	223	((realm_expanded == NULL) && (ob->server_realm != NULL)))
	224	{
	225	auth_defer_msg = expand_string_message;
	226	return DEFER;
	227	}
	228
	229	if(inlen)
	230	{
	231	clen=auth_b64decode(input, &clear);
	232	if(clen < 0)
	233	{
	234	return BAD64;
	235	}
	236	input=clear;
	237	inlen=clen;
	238	}
	239
	240	rc=sasl_server_init(cbs, "exim");
	241	if (rc != SASL_OK)
	242	{
	243	auth_defer_msg = US"couldn't initialise Cyrus SASL library";
	244	return DEFER;
	245	}
	246
	247	rc=sasl_server_new(CS ob->server_service, CS hname, realm_expanded, NULL,
	248	NULL, NULL, 0, &conn);
	249
	250	HDEBUG(D_auth)
	251	debug_printf("Initialised Cyrus SASL server connection; service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
	252	ob->server_service, hname, realm_expanded);
	253
	254	if( rc != SASL_OK )
	255	{
	256	auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
	257	sasl_done();
	258	return DEFER;
	259	}
	260
	261	if (tls_in.cipher)
	262	{
	263	rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits);
	264	if (rc != SASL_OK)
	265	{
	266	HDEBUG(D_auth) debug_printf("Cyrus SASL EXTERNAL SSF set %d failed: %s\n",
	267	tls_in.bits, sasl_errstring(rc, NULL, NULL));
	268	auth_defer_msg = US"couldn't set Cyrus SASL EXTERNAL SSF";
	269	sasl_done();
	270	return DEFER;
	271	}
	272	else
	273	HDEBUG(D_auth) debug_printf("Cyrus SASL set EXTERNAL SSF to %d\n", tls_in.bits);
	274	}
	275	else
	276	HDEBUG(D_auth) debug_printf("Cyrus SASL: no TLS, no EXTERNAL SSF set\n");
	277
	278	/* So sasl_setprop() documents non-shorted IPv6 addresses which is incredibly
	279	annoying; looking at cyrus-imapd-2.3.x source, the IP address is constructed
	280	with their iptostring() function, which just wraps
	281	getnameinfo(..., NI_NUMERICHOST\|NI_NUMERICSERV), which is equivalent to the
	282	inet_ntop which we wrap in our host_ntoa() function.
	283
	284	So the docs are too strict and we shouldn't worry about :: contractions. */
	285
	286	/* Set properties for remote and local host-ip;port */
	287	for (i=0; i < 2; ++i)
	288	{
	289	struct sockaddr_storage ss;
	290	int (query)(int, struct sockaddr , socklen_t *);
	291	int propnum, port;
	292	const uschar *label;
	293	uschar address, address_port;
	294	const char *s_err;
	295	socklen_t sslen;
	296
	297	if (i)
	298	{
	299	query = &getpeername;
	300	propnum = SASL_IPREMOTEPORT;
	301	label = CUS"peer";
	302	}
	303	else
	304	{
	305	query = &getsockname;
	306	propnum = SASL_IPLOCALPORT;
	307	label = CUS"local";
	308	}
	309
	310	sslen = sizeof(ss);
	311	rc = query(fileno(smtp_in), (struct sockaddr *) &ss, &sslen);
	312	if (rc < 0)
	313	{
	314	HDEBUG(D_auth)
	315	debug_printf("Failed to get %s address information: %s\n",
	316	label, strerror(errno));
	317	break;
	318	}
	319
	320	address = host_ntoa(-1, &ss, NULL, &port);
	321	address_port = string_sprintf("%s;%d", address, port);
	322
	323	rc = sasl_setprop(conn, propnum, address_port);
	324	if (rc != SASL_OK)
	325	{
	326	s_err = sasl_errdetail(conn);
	327	HDEBUG(D_auth)
	328	debug_printf("Failed to set %s SASL property: [%d] %s\n",
	329	label, rc, s_err ? s_err : "<unknown reason>");
	330	break;
	331	}
	332	HDEBUG(D_auth) debug_printf("Cyrus SASL set %s hostport to: %s\n",
	333	label, address_port);
	334	}
	335
	336	rc=SASL_CONTINUE;
	337
	338	while(rc==SASL_CONTINUE)
	339	{
	340	if(firsttime)
	341	{
	342	firsttime=0;
	343	HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
	344	rc=sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
	345	(const char **)(&output), &outlen);
	346	}
	347	else
	348	{
	349	/* make sure that we have a null-terminated string */
	350	out2=store_get(outlen+1);
	351	memcpy(out2,output,outlen);
	352	out2[outlen]='\0';
	353	if((rc=auth_get_data(&input, out2, outlen))!=OK)
	354	{
	355	/* we couldn't get the data, so free up the library before
	356	* returning whatever error we get */
	357	sasl_dispose(&conn);
	358	sasl_done();
	359	return rc;
	360	}
	361	inlen=Ustrlen(input);
	362
	363	HDEBUG(D_auth) debug=string_copy(input);
	364	if(inlen)
	365	{
	366	clen=auth_b64decode(input, &clear);
	367	if(clen < 0)
	368	{
	369	sasl_dispose(&conn);
	370	sasl_done();
	371	return BAD64;
	372	}
	373	input=clear;
	374	inlen=clen;
	375	}
	376
	377	HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
	378	rc=sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
	379	}
	380	if(rc==SASL_BADPROT)
	381	{
	382	sasl_dispose(&conn);
	383	sasl_done();
	384	return UNEXPECTED;
	385	}
	386	else if( rc==SASL_FAIL \|\| rc==SASL_BUFOVER
	387	\|\| rc==SASL_BADMAC \|\| rc==SASL_BADAUTH
	388	\|\| rc==SASL_NOAUTHZ \|\| rc==SASL_ENCRYPT
	389	\|\| rc==SASL_EXPIRED \|\| rc==SASL_DISABLED
	390	\|\| rc==SASL_NOUSER )
	391	{
	392	/* these are considered permanent failure codes */
	393	HDEBUG(D_auth)
	394	debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
	395	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
	396	"Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
	397	sasl_errstring(rc, NULL, NULL));
	398	sasl_dispose(&conn);
	399	sasl_done();
	400	return FAIL;
	401	}
	402	else if(rc==SASL_NOMECH)
	403	{
	404	/* this is a temporary failure, because the mechanism is not
	405	* available for this user. If it wasn't available at all, we
	406	* shouldn't have got here in the first place...
	407	*/
	408	HDEBUG(D_auth)
	409	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
	410	auth_defer_msg =
	411	string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
	412	sasl_dispose(&conn);
	413	sasl_done();
	414	return DEFER;
	415	}
	416	else if(!(rc==SASL_OK \|\| rc==SASL_CONTINUE))
	417	{
	418	/* Anything else is a temporary failure, and we'll let SASL print out
	419	* the error string for us
	420	*/
	421	HDEBUG(D_auth)
	422	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
	423	auth_defer_msg =
	424	string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
	425	sasl_dispose(&conn);
	426	sasl_done();
	427	return DEFER;
	428	}
	429	else if(rc==SASL_OK)
	430	{
	431	/* Get the username and copy it into $auth1 and $1. The former is now the
	432	preferred variable; the latter is the original variable. */
	433	rc = sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2));
	434	if (rc != SASL_OK)
	435	{
	436	HDEBUG(D_auth)
	437	debug_printf("Cyrus SASL library will not tell us the username: %s\n",
	438	sasl_errstring(rc, NULL, NULL));
	439	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
	440	"Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech,
	441	sasl_errstring(rc, NULL, NULL));
	442	sasl_dispose(&conn);
	443	sasl_done();
	444	return FAIL;
	445	}
	446
	447	auth_vars[0] = expand_nstring[1] = string_copy(out2);
	448	expand_nlength[1] = Ustrlen(expand_nstring[1]);
	449	expand_nmax = 1;
	450
	451	HDEBUG(D_auth)
	452	debug_printf("Cyrus SASL %s authentication succeeded for %s\n",
	453	ob->server_mech, auth_vars[0]);
	454
	455	rc = sasl_getprop(conn, SASL_SSF, (const void **)(&negotiated_ssf_ptr));
	456	if (rc != SASL_OK)
	457	{
	458	HDEBUG(D_auth)
	459	debug_printf("Cyrus SASL library will not tell us the SSF: %s\n",
	460	sasl_errstring(rc, NULL, NULL));
	461	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
	462	"Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech,
	463	sasl_errstring(rc, NULL, NULL));
	464	sasl_dispose(&conn);
	465	sasl_done();
	466	return FAIL;
	467	}
	468	negotiated_ssf = *negotiated_ssf_ptr;
	469	HDEBUG(D_auth)
	470	debug_printf("Cyrus SASL %s negotiated SSF: %d\n", ob->server_mech, negotiated_ssf);
	471	if (negotiated_ssf > 0)
	472	{
	473	HDEBUG(D_auth)
	474	debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf);
	475	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
	476	"Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf);
	477	sasl_dispose(&conn);
	478	sasl_done();
	479	return FAIL;
	480	}
	481
	482	/* close down the connection, freeing up library's memory */
	483	sasl_dispose(&conn);
	484	sasl_done();
	485
	486	/* Expand server_condition as an authorization check */
	487	return auth_check_serv_cond(ablock);
	488	}
	489	}
	490	/* NOTREACHED */
	491	return 0; /* Stop compiler complaints */
	492	}
	493
	494	/*************************************************
	495	* Diagnostic API *
	496	*************************************************/
	497
	498	void
	499	auth_cyrus_sasl_version_report(FILE *f)
	500	{
	501	const char implementation, version;
	502	sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL);
	503	fprintf(f, "Library version: Cyrus SASL: Compile: %d.%d.%d\n"
	504	" Runtime: %s [%s]\n",
	505	SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
	506	version, implementation);
	507	}
	508
	509	/*************************************************
	510	* Client entry point *
	511	*************************************************/
	512
	513	/* For interface, see auths/README */
	514
	515	int
	516	auth_cyrus_sasl_client(
	517	auth_instance ablock, / authenticator block */
	518	smtp_inblock inblock, / input connection */
	519	smtp_outblock outblock, / output connection */
	520	int timeout, /* command timeout */
	521	uschar buffer, / for reading response */
	522	int buffsize) /* size of buffer */
	523	{
	524	/* We don't support clients (yet) in this implementation of cyrus_sasl */
	525	return FAIL;
	526	}
	527
	528	#endif /* AUTH_CYRUS_SASL */
	529
	530	/* End of cyrus_sasl.c */