[exim.git] / src / src / auths / cyrus_sasl.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */

/* This code was originally contributed by Matthew Byng-Maddick */

/* Copyright (c) A L Digital 2004 */

/* A generic (mechanism independent) Cyrus SASL authenticator. */


#include "../exim.h"


/* We can't just compile this code and allow the library mechanism to omit the
functions if they are not wanted, because we need to have the Cyrus SASL header
available for compiling. Therefore, compile these functions only if
AUTH_CYRUS_SASL is defined. However, some compilers don't like compiling empty
modules, so keep them happy with a dummy when skipping the rest. Make it
reference itself to stop picky compilers complaining that it is unused, and put
in a dummy argument to stop even pickier compilers complaining about infinite
loops. */

#ifndef AUTH_CYRUS_SASL
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
#else


#include <sasl/sasl.h>
#include "cyrus_sasl.h"

/* Options specific to the cyrus_sasl authentication mechanism. */

optionlist auth_cyrus_sasl_options[] = {
  { "server_hostname",      opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_hostname)) },
  { "server_mech",          opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_mech)) },
  { "server_realm",         opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_realm)) },
  { "server_service",       opt_stringptr,
      (void *)(offsetof(auth_cyrus_sasl_options_block, server_service)) }
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_cyrus_sasl_options_count =
  sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);

/* Default private options block for the cyrus_sasl authentication method. */

auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
  US"smtp",         /* server_service */
  US"$primary_hostname", /* server_hostname */
  NULL,             /* server_realm */
  NULL              /* server_mech */
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_cyrus_sasl_init(auth_instance *ablock) {}
int auth_cyrus_sasl_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_cyrus_sasl_client(auth_instance *ablock, void * sx,
  int timeout, uschar *buffer, int buffsize) {return 0;}
void auth_cyrus_sasl_version_report(FILE *f) {}

#else   /*!MACRO_PREDEF*/


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */


/* Auxiliary function, passed in data to sasl_server_init(). */

static int
mysasl_config(void *context,
              const char *plugin_name,
              const char *option,
              const char **result,
              unsigned int *len)
{
if (context && !strcmp(option, "mech_list"))
  {
  *result = context;
  if (len != NULL) *len = strlen(*result);
  return SASL_OK;
  }
return SASL_FAIL;
}

/* Here's the real function */

void
auth_cyrus_sasl_init(auth_instance *ablock)
{
auth_cyrus_sasl_options_block *ob =
  (auth_cyrus_sasl_options_block *)(ablock->options_block);
const uschar *list, *listptr, *buffer;
int rc, i;
unsigned int len;
uschar *rs_point, *expanded_hostname;
char *realm_expanded;

sasl_conn_t *conn;
sasl_callback_t cbs[] = {
  {SASL_CB_GETOPT, NULL, NULL },
  {SASL_CB_LIST_END, NULL, NULL}};

/* default the mechanism to our "public name" */
if (ob->server_mech == NULL)
  ob->server_mech = string_copy(ablock->public_name);

expanded_hostname = expand_string(ob->server_hostname);
if (expanded_hostname == NULL)
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't expand server_hostname [%s]: %s",
      ablock->name, ob->server_hostname, expand_string_message);

realm_expanded = NULL;
if (ob->server_realm != NULL) {
  realm_expanded = CS expand_string(ob->server_realm);
  if (realm_expanded == NULL)
    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
        "couldn't expand server_realm [%s]: %s",
        ablock->name, ob->server_realm, expand_string_message);
}

/* we're going to initialise the library to check that there is an
 * authenticator of type whatever mechanism we're using
 */

cbs[0].proc = (int(*)(void)) &mysasl_config;
cbs[0].context = ob->server_mech;

if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't initialise Cyrus SASL library.", ablock->name);

if ((rc = sasl_server_new(CS ob->server_service, CS expanded_hostname,
                   realm_expanded, NULL, NULL, NULL, 0, &conn)) != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't initialise Cyrus SASL server connection.", ablock->name);

if ((rc = sasl_listmech(conn, NULL, "", ":", "", (const char **)&list, &len, &i)) != SASL_OK )
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "couldn't get Cyrus SASL mechanism list.", ablock->name);

i = ':';
listptr = list;

HDEBUG(D_auth)
  {
  debug_printf("Initialised Cyrus SASL service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
      ob->server_service, expanded_hostname, realm_expanded);
  debug_printf("Cyrus SASL knows mechanisms: %s\n", list);
  }

/* the store_get / store_reset mechanism is hierarchical
 * the hierarchy is stored for us behind our back. This point
 * creates a hierarchy point for this function.
 */
rs_point = store_get(0);

/* loop until either we get to the end of the list, or we match the
 * public name of this authenticator
 */
while ( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
       strcmpic(buffer,ob->server_mech) );

if (!buffer)
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
      "Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);

store_reset(rs_point);

HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name);

/* make sure that if we get here then we're allowed to advertise. */
ablock->server = TRUE;

sasl_dispose(&conn);
sasl_done();
}

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

/* note, we don't care too much about memory allocation in this, because this is entirely
 * within a shortlived child
 */

int
auth_cyrus_sasl_server(auth_instance *ablock, uschar *data)
{
auth_cyrus_sasl_options_block *ob =
  (auth_cyrus_sasl_options_block *)(ablock->options_block);
uschar *output, *out2, *input, *clear, *hname;
uschar *debug = NULL;   /* Stops compiler complaining */
sasl_callback_t cbs[] = {{SASL_CB_LIST_END, NULL, NULL}};
sasl_conn_t *conn;
char * realm_expanded = NULL;
int rc, i, firsttime = 1, clen, *negotiated_ssf_ptr = NULL, negotiated_ssf;
unsigned int inlen, outlen;

input = data;
inlen = Ustrlen(data);

HDEBUG(D_auth) debug = string_copy(data);

hname = expand_string(ob->server_hostname);
if (hname && ob->server_realm)
  realm_expanded = CS expand_string(ob->server_realm);
if (!hname  ||  !realm_expanded  && ob->server_realm)
  {
  auth_defer_msg = expand_string_message;
  return DEFER;
  }

if (inlen)
  {
  if ((clen = b64decode(input, &clear)) < 0)
    return BAD64;
  input = clear;
  inlen = clen;
  }

if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK)
  {
  auth_defer_msg = US"couldn't initialise Cyrus SASL library";
  return DEFER;
  }

rc = sasl_server_new(CS ob->server_service, CS hname, realm_expanded, NULL,
  NULL, NULL, 0, &conn);

HDEBUG(D_auth)
  debug_printf("Initialised Cyrus SASL server connection; service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
      ob->server_service, hname, realm_expanded);

if (rc != SASL_OK )
  {
  auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
  sasl_done();
  return DEFER;
  }

if (tls_in.cipher)
  {
  if ((rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits)) != SASL_OK)
    {
    HDEBUG(D_auth) debug_printf("Cyrus SASL EXTERNAL SSF set %d failed: %s\n",
        tls_in.bits, sasl_errstring(rc, NULL, NULL));
    auth_defer_msg = US"couldn't set Cyrus SASL EXTERNAL SSF";
    sasl_done();
    return DEFER;
    }
  else
    HDEBUG(D_auth) debug_printf("Cyrus SASL set EXTERNAL SSF to %d\n", tls_in.bits);
  }
else
  HDEBUG(D_auth) debug_printf("Cyrus SASL: no TLS, no EXTERNAL SSF set\n");

/* So sasl_setprop() documents non-shorted IPv6 addresses which is incredibly
annoying; looking at cyrus-imapd-2.3.x source, the IP address is constructed
with their iptostring() function, which just wraps
getnameinfo(..., NI_NUMERICHOST|NI_NUMERICSERV), which is equivalent to the
inet_ntop which we wrap in our host_ntoa() function.

So the docs are too strict and we shouldn't worry about :: contractions. */

/* Set properties for remote and local host-ip;port */
for (i = 0; i < 2; ++i)
  {
  struct sockaddr_storage ss;
  int (*query)(int, struct sockaddr *, socklen_t *);
  int propnum, port;
  const uschar *label;
  uschar *address, *address_port;
  const char *s_err;
  socklen_t sslen;

  if (i)
    {
    query = &getpeername;
    propnum = SASL_IPREMOTEPORT;
    label = CUS"peer";
    }
  else
    {
    query = &getsockname;
    propnum = SASL_IPLOCALPORT;
    label = CUS"local";
    }

  sslen = sizeof(ss);
  if ((rc = query(fileno(smtp_in), (struct sockaddr *) &ss, &sslen)) < 0)
    {
    HDEBUG(D_auth)
      debug_printf("Failed to get %s address information: %s\n",
          label, strerror(errno));
    break;
    }

  address = host_ntoa(-1, &ss, NULL, &port);
  address_port = string_sprintf("%s;%d", address, port);

  if ((rc = sasl_setprop(conn, propnum, address_port)) != SASL_OK)
    {
    s_err = sasl_errdetail(conn);
    HDEBUG(D_auth)
      debug_printf("Failed to set %s SASL property: [%d] %s\n",
          label, rc, s_err ? s_err : "<unknown reason>");
    break;
    }
  HDEBUG(D_auth) debug_printf("Cyrus SASL set %s hostport to: %s\n",
      label, address_port);
  }

for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; )
  {
  if (firsttime)
    {
    firsttime = 0;
    HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
    rc = sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
           (const char **)(&output), &outlen);
    }
  else
    {
    /* make sure that we have a null-terminated string */
    out2 = string_copyn(output, outlen);

    if ((rc = auth_get_data(&input, out2, outlen)) != OK)
      {
      /* we couldn't get the data, so free up the library before
       * returning whatever error we get */
      sasl_dispose(&conn);
      sasl_done();
      return rc;
      }
    inlen = Ustrlen(input);

    HDEBUG(D_auth) debug = string_copy(input);
    if (inlen)
      {
      if ((clen = b64decode(input, &clear)) < 0)
       {
       sasl_dispose(&conn);
       sasl_done();
       return BAD64;
       }
      input = clear;
      inlen = clen;
      }

    HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
    rc = sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
    }

  if (rc == SASL_BADPROT)
    {
    sasl_dispose(&conn);
    sasl_done();
    return UNEXPECTED;
    }
  if (rc == SASL_CONTINUE)
    continue;

  /* Get the username and copy it into $auth1 and $1. The former is now the
  preferred variable; the latter is the original variable. */

  if ((sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2))) != SASL_OK)
    {
    HDEBUG(D_auth)
      debug_printf("Cyrus SASL library will not tell us the username: %s\n",
	  sasl_errstring(rc, NULL, NULL));
    log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
       "Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech,
       sasl_errstring(rc, NULL, NULL));
    sasl_dispose(&conn);
    sasl_done();
    return FAIL;
    }
  auth_vars[0] = expand_nstring[1] = string_copy(out2);
  expand_nlength[1] = Ustrlen(out2);
  expand_nmax = 1;

  switch (rc)
    {
    case SASL_FAIL: case SASL_BUFOVER: case SASL_BADMAC: case SASL_BADAUTH:
    case SASL_NOAUTHZ: case SASL_ENCRYPT: case SASL_EXPIRED:
    case SASL_DISABLED: case SASL_NOUSER:
      /* these are considered permanent failure codes */
      HDEBUG(D_auth)
	debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
      log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
	 "Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
	 sasl_errstring(rc, NULL, NULL));
      sasl_dispose(&conn);
      sasl_done();
      return FAIL;

    case SASL_NOMECH:
      /* this is a temporary failure, because the mechanism is not
       * available for this user. If it wasn't available at all, we
       * shouldn't have got here in the first place...
       */
      HDEBUG(D_auth)
	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
      auth_defer_msg =
	  string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
      sasl_dispose(&conn);
      sasl_done();
      return DEFER;

    case SASL_OK:
      HDEBUG(D_auth)
	debug_printf("Cyrus SASL %s authentication succeeded for %s\n",
	    ob->server_mech, auth_vars[0]);

      if ((rc = sasl_getprop(conn, SASL_SSF, (const void **)(&negotiated_ssf_ptr)))!= SASL_OK)
	{
	HDEBUG(D_auth)
	  debug_printf("Cyrus SASL library will not tell us the SSF: %s\n",
	      sasl_errstring(rc, NULL, NULL));
	log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
	    "Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech,
	    sasl_errstring(rc, NULL, NULL));
	sasl_dispose(&conn);
	sasl_done();
	return FAIL;
	}
      negotiated_ssf = *negotiated_ssf_ptr;
      HDEBUG(D_auth)
	debug_printf("Cyrus SASL %s negotiated SSF: %d\n", ob->server_mech, negotiated_ssf);
      if (negotiated_ssf > 0)
	{
	HDEBUG(D_auth)
	  debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf);
	log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
	    "Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf);
	sasl_dispose(&conn);
	sasl_done();
	return FAIL;
	}

      /* close down the connection, freeing up library's memory */
      sasl_dispose(&conn);
      sasl_done();

      /* Expand server_condition as an authorization check */
      return auth_check_serv_cond(ablock);

    default:
      /* Anything else is a temporary failure, and we'll let SASL print out
       * the error string for us
       */
      HDEBUG(D_auth)
	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
      auth_defer_msg =
	  string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
      sasl_dispose(&conn);
      sasl_done();
      return DEFER;
    }
  }
/* NOTREACHED */
return 0;  /* Stop compiler complaints */
}

/*************************************************
*                Diagnostic API                  *
*************************************************/

void
auth_cyrus_sasl_version_report(FILE *f)
{
const char *implementation, *version;
sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL);
fprintf(f, "Library version: Cyrus SASL: Compile: %d.%d.%d\n"
	   "                             Runtime: %s [%s]\n",
	SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
	version, implementation);
}

/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_cyrus_sasl_client(
  auth_instance *ablock,                 /* authenticator block */
  void * sx,			 	 /* connexction */
  int timeout,                           /* command timeout */
  uschar *buffer,                          /* for reading response */
  int buffsize)                          /* size of buffer */
{
/* We don't support clients (yet) in this implementation of cyrus_sasl */
return FAIL;
}

#endif   /*!MACRO_PREDEF*/
#endif  /* AUTH_CYRUS_SASL */

/* End of cyrus_sasl.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
f9ba5e22	5	/* Copyright (c) University of Cambridge 1995 - 2018 */
0756eb3c PH	6	/* See the file NOTICE for conditions of use and distribution. */
0756eb3c PH	7
c5ddb310	8	/* This code was originally contributed by Matthew Byng-Maddick */
0756eb3c PH	9
	10	/* Copyright (c) A L Digital 2004 */
	11
	12	/* A generic (mechanism independent) Cyrus SASL authenticator. */
	13
	14
	15	#include "../exim.h"
	16
	17
	18	/* We can't just compile this code and allow the library mechanism to omit the
	19	functions if they are not wanted, because we need to have the Cyrus SASL header
	20	available for compiling. Therefore, compile these functions only if
	21	AUTH_CYRUS_SASL is defined. However, some compilers don't like compiling empty
	22	modules, so keep them happy with a dummy when skipping the rest. Make it
	23	reference itself to stop picky compilers complaining that it is unused, and put
	24	in a dummy argument to stop even pickier compilers complaining about infinite
	25	loops. */
	26
	27	#ifndef AUTH_CYRUS_SASL
e1d15f5e JH	28	static void dummy(int x);
	29	static void dummy2(int x) { dummy(x-1); }
	30	static void dummy(int x) { dummy2(x-1); }
0756eb3c PH	31	#else
	32
	33
	34	#include <sasl/sasl.h>
	35	#include "cyrus_sasl.h"
	36
	37	/* Options specific to the cyrus_sasl authentication mechanism. */
	38
	39	optionlist auth_cyrus_sasl_options[] = {
	40	{ "server_hostname", opt_stringptr,
	41	(void *)(offsetof(auth_cyrus_sasl_options_block, server_hostname)) },
	42	{ "server_mech", opt_stringptr,
	43	(void *)(offsetof(auth_cyrus_sasl_options_block, server_mech)) },
	44	{ "server_realm", opt_stringptr,
	45	(void *)(offsetof(auth_cyrus_sasl_options_block, server_realm)) },
	46	{ "server_service", opt_stringptr,
	47	(void *)(offsetof(auth_cyrus_sasl_options_block, server_service)) }
	48	};
	49
	50	/* Size of the options list. An extern variable has to be used so that its
	51	address can appear in the tables drtables.c. */
	52
	53	int auth_cyrus_sasl_options_count =
	54	sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
	55
16ff981e	56	/* Default private options block for the cyrus_sasl authentication method. */
0756eb3c PH	57
	58	auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
	59	US"smtp", /* server_service */
	60	US"$primary_hostname", /* server_hostname */
	61	NULL, /* server_realm */
	62	NULL /* server_mech */
	63	};
	64
	65
d185889f JH	66	#ifdef MACRO_PREDEF
	67
	68	/* Dummy values */
	69	void auth_cyrus_sasl_init(auth_instance *ablock) {}
	70	int auth_cyrus_sasl_server(auth_instance ablock, uschar data) {return 0;}
251b9eb4 JH	71	int auth_cyrus_sasl_client(auth_instance ablock, void sx,
251b9eb4 JH	72	int timeout, uschar *buffer, int buffsize) {return 0;}
f9df71c0	73	void auth_cyrus_sasl_version_report(FILE *f) {}
d185889f JH	74
	75	#else /!MACRO_PREDEF/
	76
	77
	78
	79
0756eb3c PH	80	/*************************************************
	81	* Initialization entry point *
	82	*************************************************/
	83
	84	/* Called for each instance, after its options have been read, to
	85	enable consistency checks to be done, or anything else that needs
	86	to be set up. */
	87
c5ddb310 PH	88
	89	/* Auxiliary function, passed in data to sasl_server_init(). */
	90
	91	static int
	92	mysasl_config(void *context,
	93	const char *plugin_name,
	94	const char *option,
	95	const char **result,
	96	unsigned int *len)
	97	{
	98	if (context && !strcmp(option, "mech_list"))
	99	{
	100	*result = context;
	101	if (len != NULL) len = strlen(result);
	102	return SASL_OK;
	103	}
	104	return SASL_FAIL;
	105	}
	106
	107	/* Here's the real function */
	108
0756eb3c PH	109	void
	110	auth_cyrus_sasl_init(auth_instance *ablock)
	111	{
	112	auth_cyrus_sasl_options_block *ob =
	113	(auth_cyrus_sasl_options_block *)(ablock->options_block);
93a6fce2	114	const uschar list, listptr, *buffer;
0756eb3c PH	115	int rc, i;
0756eb3c PH	116	unsigned int len;
edc33b5f	117	uschar rs_point, expanded_hostname;
4c287009	118	char *realm_expanded;
0756eb3c	119
c5ddb310	120	sasl_conn_t *conn;
c0fb53b7	121	sasl_callback_t cbs[] = {
c5ddb310 PH	122	{SASL_CB_GETOPT, NULL, NULL },
	123	{SASL_CB_LIST_END, NULL, NULL}};
	124
0756eb3c	125	/* default the mechanism to our "public name" */
c0fb53b7 JH	126	if (ob->server_mech == NULL)
c0fb53b7 JH	127	ob->server_mech = string_copy(ablock->public_name);
0756eb3c	128
edc33b5f PP	129	expanded_hostname = expand_string(ob->server_hostname);
	130	if (expanded_hostname == NULL)
	131	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	132	"couldn't expand server_hostname [%s]: %s",
	133	ablock->name, ob->server_hostname, expand_string_message);
	134
c0fb53b7	135	realm_expanded = NULL;
4c287009 PP	136	if (ob->server_realm != NULL) {
	137	realm_expanded = CS expand_string(ob->server_realm);
	138	if (realm_expanded == NULL)
	139	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	140	"couldn't expand server_realm [%s]: %s",
	141	ablock->name, ob->server_realm, expand_string_message);
	142	}
	143
0756eb3c PH	144	/* we're going to initialise the library to check that there is an
	145	* authenticator of type whatever mechanism we're using
	146	*/
c5ddb310	147
edc33b5f	148	cbs[0].proc = (int(*)(void)) &mysasl_config;
c5ddb310 PH	149	cbs[0].context = ob->server_mech;
c5ddb310 PH	150
c0fb53b7	151	if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK )
0756eb3c PH	152	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	153	"couldn't initialise Cyrus SASL library.", ablock->name);
	154
c0fb53b7 JH	155	if ((rc = sasl_server_new(CS ob->server_service, CS expanded_hostname,
c0fb53b7 JH	156	realm_expanded, NULL, NULL, NULL, 0, &conn)) != SASL_OK )
0756eb3c PH	157	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	158	"couldn't initialise Cyrus SASL server connection.", ablock->name);
	159
c0fb53b7	160	if ((rc = sasl_listmech(conn, NULL, "", ":", "", (const char **)&list, &len, &i)) != SASL_OK )
0756eb3c PH	161	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	162	"couldn't get Cyrus SASL mechanism list.", ablock->name);
	163
c0fb53b7 JH	164	i = ':';
c0fb53b7 JH	165	listptr = list;
0756eb3c	166
c0fb53b7 JH	167	HDEBUG(D_auth)
c0fb53b7 JH	168	{
edc33b5f	169	debug_printf("Initialised Cyrus SASL service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
4c287009	170	ob->server_service, expanded_hostname, realm_expanded);
edc33b5f	171	debug_printf("Cyrus SASL knows mechanisms: %s\n", list);
c0fb53b7	172	}
0756eb3c PH	173
	174	/* the store_get / store_reset mechanism is hierarchical
	175	* the hierarchy is stored for us behind our back. This point
	176	* creates a hierarchy point for this function.
	177	*/
c0fb53b7	178	rs_point = store_get(0);
0756eb3c PH	179
	180	/* loop until either we get to the end of the list, or we match the
	181	* public name of this authenticator
	182	*/
c0fb53b7	183	while ( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
0756eb3c PH	184	strcmpic(buffer,ob->server_mech) );
0756eb3c PH	185
c0fb53b7	186	if (!buffer)
0756eb3c PH	187	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator: "
	188	"Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);
	189
	190	store_reset(rs_point);
	191
	192	HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name);
	193
	194	/* make sure that if we get here then we're allowed to advertise. */
	195	ablock->server = TRUE;
	196
	197	sasl_dispose(&conn);
	198	sasl_done();
	199	}
	200
	201	/*************************************************
	202	* Server entry point *
	203	*************************************************/
	204
	205	/* For interface, see auths/README */
	206
	207	/* note, we don't care too much about memory allocation in this, because this is entirely
	208	* within a shortlived child
	209	*/
	210
	211	int
	212	auth_cyrus_sasl_server(auth_instance ablock, uschar data)
	213	{
	214	auth_cyrus_sasl_options_block *ob =
	215	(auth_cyrus_sasl_options_block *)(ablock->options_block);
	216	uschar output, out2, input, clear, *hname;
	217	uschar debug = NULL; / Stops compiler complaining */
c0fb53b7	218	sasl_callback_t cbs[] = {{SASL_CB_LIST_END, NULL, NULL}};
0756eb3c	219	sasl_conn_t *conn;
c0fb53b7 JH	220	char * realm_expanded = NULL;
c0fb53b7 JH	221	int rc, i, firsttime = 1, clen, *negotiated_ssf_ptr = NULL, negotiated_ssf;
0756eb3c PH	222	unsigned int inlen, outlen;
0756eb3c PH	223
c0fb53b7 JH	224	input = data;
c0fb53b7 JH	225	inlen = Ustrlen(data);
0756eb3c	226
c0fb53b7	227	HDEBUG(D_auth) debug = string_copy(data);
0756eb3c	228
c0fb53b7	229	hname = expand_string(ob->server_hostname);
4c287009	230	if (hname && ob->server_realm)
c0fb53b7 JH	231	realm_expanded = CS expand_string(ob->server_realm);
c0fb53b7 JH	232	if (!hname \|\| !realm_expanded && ob->server_realm)
0756eb3c PH	233	{
	234	auth_defer_msg = expand_string_message;
	235	return DEFER;
	236	}
	237
c0fb53b7	238	if (inlen)
0756eb3c	239	{
c0fb53b7	240	if ((clen = b64decode(input, &clear)) < 0)
0756eb3c	241	return BAD64;
c0fb53b7 JH	242	input = clear;
c0fb53b7 JH	243	inlen = clen;
0756eb3c PH	244	}
0756eb3c PH	245
c0fb53b7	246	if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK)
0756eb3c PH	247	{
	248	auth_defer_msg = US"couldn't initialise Cyrus SASL library";
	249	return DEFER;
	250	}
	251
c0fb53b7	252	rc = sasl_server_new(CS ob->server_service, CS hname, realm_expanded, NULL,
acb1b346 PH	253	NULL, NULL, 0, &conn);
acb1b346 PH	254
edc33b5f PP	255	HDEBUG(D_auth)
edc33b5f PP	256	debug_printf("Initialised Cyrus SASL server connection; service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
4c287009	257	ob->server_service, hname, realm_expanded);
edc33b5f	258
c0fb53b7	259	if (rc != SASL_OK )
0756eb3c PH	260	{
	261	auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
	262	sasl_done();
	263	return DEFER;
	264	}
	265
817d9f57	266	if (tls_in.cipher)
edc33b5f	267	{
c0fb53b7	268	if ((rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits)) != SASL_OK)
edc33b5f PP	269	{
edc33b5f PP	270	HDEBUG(D_auth) debug_printf("Cyrus SASL EXTERNAL SSF set %d failed: %s\n",
817d9f57	271	tls_in.bits, sasl_errstring(rc, NULL, NULL));
edc33b5f PP	272	auth_defer_msg = US"couldn't set Cyrus SASL EXTERNAL SSF";
	273	sasl_done();
	274	return DEFER;
	275	}
	276	else
817d9f57	277	HDEBUG(D_auth) debug_printf("Cyrus SASL set EXTERNAL SSF to %d\n", tls_in.bits);
edc33b5f PP	278	}
	279	else
	280	HDEBUG(D_auth) debug_printf("Cyrus SASL: no TLS, no EXTERNAL SSF set\n");
	281
66645890 PP	282	/* So sasl_setprop() documents non-shorted IPv6 addresses which is incredibly
	283	annoying; looking at cyrus-imapd-2.3.x source, the IP address is constructed
	284	with their iptostring() function, which just wraps
	285	getnameinfo(..., NI_NUMERICHOST\|NI_NUMERICSERV), which is equivalent to the
	286	inet_ntop which we wrap in our host_ntoa() function.
	287
	288	So the docs are too strict and we shouldn't worry about :: contractions. */
	289
	290	/* Set properties for remote and local host-ip;port */
c0fb53b7	291	for (i = 0; i < 2; ++i)
66645890 PP	292	{
	293	struct sockaddr_storage ss;
	294	int (query)(int, struct sockaddr , socklen_t *);
	295	int propnum, port;
	296	const uschar *label;
	297	uschar address, address_port;
	298	const char *s_err;
	299	socklen_t sslen;
	300
	301	if (i)
	302	{
	303	query = &getpeername;
	304	propnum = SASL_IPREMOTEPORT;
	305	label = CUS"peer";
	306	}
	307	else
	308	{
	309	query = &getsockname;
	310	propnum = SASL_IPLOCALPORT;
	311	label = CUS"local";
	312	}
	313
	314	sslen = sizeof(ss);
c0fb53b7	315	if ((rc = query(fileno(smtp_in), (struct sockaddr *) &ss, &sslen)) < 0)
66645890 PP	316	{
	317	HDEBUG(D_auth)
	318	debug_printf("Failed to get %s address information: %s\n",
	319	label, strerror(errno));
	320	break;
	321	}
	322
	323	address = host_ntoa(-1, &ss, NULL, &port);
	324	address_port = string_sprintf("%s;%d", address, port);
	325
c0fb53b7	326	if ((rc = sasl_setprop(conn, propnum, address_port)) != SASL_OK)
66645890 PP	327	{
	328	s_err = sasl_errdetail(conn);
	329	HDEBUG(D_auth)
	330	debug_printf("Failed to set %s SASL property: [%d] %s\n",
	331	label, rc, s_err ? s_err : "<unknown reason>");
	332	break;
	333	}
	334	HDEBUG(D_auth) debug_printf("Cyrus SASL set %s hostport to: %s\n",
	335	label, address_port);
	336	}
	337
c0fb53b7	338	for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; )
0756eb3c	339	{
c0fb53b7	340	if (firsttime)
0756eb3c	341	{
c0fb53b7	342	firsttime = 0;
0756eb3c	343	HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
c0fb53b7	344	rc = sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
0756eb3c PH	345	(const char **)(&output), &outlen);
	346	}
	347	else
	348	{
	349	/* make sure that we have a null-terminated string */
c0fb53b7 JH	350	out2 = string_copyn(output, outlen);
	351
	352	if ((rc = auth_get_data(&input, out2, outlen)) != OK)
0756eb3c PH	353	{
	354	/* we couldn't get the data, so free up the library before
	355	* returning whatever error we get */
	356	sasl_dispose(&conn);
	357	sasl_done();
	358	return rc;
	359	}
c0fb53b7	360	inlen = Ustrlen(input);
0756eb3c	361
c0fb53b7 JH	362	HDEBUG(D_auth) debug = string_copy(input);
c0fb53b7 JH	363	if (inlen)
0756eb3c	364	{
c0fb53b7	365	if ((clen = b64decode(input, &clear)) < 0)
0756eb3c	366	{
c0fb53b7 JH	367	sasl_dispose(&conn);
c0fb53b7 JH	368	sasl_done();
0756eb3c PH	369	return BAD64;
0756eb3c PH	370	}
c0fb53b7 JH	371	input = clear;
c0fb53b7 JH	372	inlen = clen;
0756eb3c PH	373	}
	374
	375	HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
c0fb53b7	376	rc = sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
0756eb3c	377	}
c0fb53b7 JH	378
c0fb53b7 JH	379	if (rc == SASL_BADPROT)
0756eb3c PH	380	{
	381	sasl_dispose(&conn);
	382	sasl_done();
	383	return UNEXPECTED;
	384	}
c0fb53b7 JH	385	if (rc == SASL_CONTINUE)
	386	continue;
	387
	388	/* Get the username and copy it into $auth1 and $1. The former is now the
	389	preferred variable; the latter is the original variable. */
	390
	391	if ((sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2))) != SASL_OK)
0756eb3c	392	{
0756eb3c	393	HDEBUG(D_auth)
c0fb53b7 JH	394	debug_printf("Cyrus SASL library will not tell us the username: %s\n",
c0fb53b7 JH	395	sasl_errstring(rc, NULL, NULL));
0756eb3c	396	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
c0fb53b7	397	"Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech,
0756eb3c PH	398	sasl_errstring(rc, NULL, NULL));
	399	sasl_dispose(&conn);
	400	sasl_done();
	401	return FAIL;
	402	}
c0fb53b7 JH	403	auth_vars[0] = expand_nstring[1] = string_copy(out2);
	404	expand_nlength[1] = Ustrlen(out2);
	405	expand_nmax = 1;
	406
	407	switch (rc)
0756eb3c	408	{
c0fb53b7 JH	409	case SASL_FAIL: case SASL_BUFOVER: case SASL_BADMAC: case SASL_BADAUTH:
	410	case SASL_NOAUTHZ: case SASL_ENCRYPT: case SASL_EXPIRED:
	411	case SASL_DISABLED: case SASL_NOUSER:
	412	/* these are considered permanent failure codes */
edc33b5f	413	HDEBUG(D_auth)
c0fb53b7	414	debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
edc33b5f	415	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
c0fb53b7 JH	416	"Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
c0fb53b7 JH	417	sasl_errstring(rc, NULL, NULL));
edc33b5f PP	418	sasl_dispose(&conn);
	419	sasl_done();
	420	return FAIL;
0756eb3c	421
c0fb53b7 JH	422	case SASL_NOMECH:
	423	/* this is a temporary failure, because the mechanism is not
	424	* available for this user. If it wasn't available at all, we
	425	* shouldn't have got here in the first place...
	426	*/
edc33b5f	427	HDEBUG(D_auth)
c0fb53b7 JH	428	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
	429	auth_defer_msg =
	430	string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
edc33b5f PP	431	sasl_dispose(&conn);
edc33b5f PP	432	sasl_done();
c0fb53b7 JH	433	return DEFER;
	434
	435	case SASL_OK:
edc33b5f	436	HDEBUG(D_auth)
c0fb53b7 JH	437	debug_printf("Cyrus SASL %s authentication succeeded for %s\n",
	438	ob->server_mech, auth_vars[0]);
	439
	440	if ((rc = sasl_getprop(conn, SASL_SSF, (const void **)(&negotiated_ssf_ptr)))!= SASL_OK)
	441	{
	442	HDEBUG(D_auth)
	443	debug_printf("Cyrus SASL library will not tell us the SSF: %s\n",
	444	sasl_errstring(rc, NULL, NULL));
	445	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
	446	"Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech,
	447	sasl_errstring(rc, NULL, NULL));
	448	sasl_dispose(&conn);
	449	sasl_done();
	450	return FAIL;
	451	}
	452	negotiated_ssf = *negotiated_ssf_ptr;
	453	HDEBUG(D_auth)
	454	debug_printf("Cyrus SASL %s negotiated SSF: %d\n", ob->server_mech, negotiated_ssf);
	455	if (negotiated_ssf > 0)
	456	{
	457	HDEBUG(D_auth)
	458	debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf);
	459	log_write(0, LOG_REJECT, "%s authenticator (%s):\n "
	460	"Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf);
	461	sasl_dispose(&conn);
	462	sasl_done();
	463	return FAIL;
	464	}
	465
	466	/* close down the connection, freeing up library's memory */
edc33b5f PP	467	sasl_dispose(&conn);
edc33b5f PP	468	sasl_done();
edc33b5f	469
c0fb53b7 JH	470	/* Expand server_condition as an authorization check */
c0fb53b7 JH	471	return auth_check_serv_cond(ablock);
16ff981e	472
c0fb53b7 JH	473	default:
	474	/* Anything else is a temporary failure, and we'll let SASL print out
	475	* the error string for us
	476	*/
	477	HDEBUG(D_auth)
	478	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
	479	auth_defer_msg =
	480	string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
	481	sasl_dispose(&conn);
	482	sasl_done();
	483	return DEFER;
0756eb3c PH	484	}
	485	}
	486	/* NOTREACHED */
	487	return 0; /* Stop compiler complaints */
	488	}
	489
6545de78 PP	490	/*************************************************
	491	* Diagnostic API *
	492	*************************************************/
	493
	494	void
	495	auth_cyrus_sasl_version_report(FILE *f)
	496	{
c0fb53b7 JH	497	const char implementation, version;
	498	sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL);
	499	fprintf(f, "Library version: Cyrus SASL: Compile: %d.%d.%d\n"
	500	" Runtime: %s [%s]\n",
	501	SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
	502	version, implementation);
6545de78 PP	503	}
6545de78 PP	504
0756eb3c PH	505	/*************************************************
	506	* Client entry point *
	507	*************************************************/
	508
	509	/* For interface, see auths/README */
	510
	511	int
	512	auth_cyrus_sasl_client(
	513	auth_instance ablock, / authenticator block */
251b9eb4	514	void * sx, /* connexction */
0756eb3c PH	515	int timeout, /* command timeout */
	516	uschar buffer, / for reading response */
	517	int buffsize) /* size of buffer */
	518	{
	519	/* We don't support clients (yet) in this implementation of cyrus_sasl */
	520	return FAIL;
	521	}
	522
d185889f	523	#endif /!MACRO_PREDEF/
0756eb3c PH	524	#endif /* AUTH_CYRUS_SASL */
	525
	526	/* End of cyrus_sasl.c */