Blame view

imap4d/auth_gsasl.c 8.85 KB
1
/* GNU Mailutils -- a suite of utilities for electronic mail
2 3
   Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009, 2010 Free Software
   Foundation, Inc.
4 5 6

   GNU Mailutils is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
7
   the Free Software Foundation; either version 3, or (at your option)
8 9 10 11 12 13 14 15
   any later version.

   GNU Mailutils is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
16
   along with GNU Mailutils.  If not, see <http://www.gnu.org/licenses/>. */
17 18 19 20

#include "imap4d.h"
#include <gsasl.h>
#include <mailutils/gsasl.h>
21 22 23
#ifdef USE_SQL
# include <mailutils/sql.h>
#endif
24

25 26
static Gsasl *ctx;   
static Gsasl_session *sess_ctx; 
27

28
static void auth_gsasl_capa_init (int disable);
29

30 31
static void
finish_session (void)
32
{
33
  gsasl_finish (sess_ctx);
34
}
35 36

static int
37 38
restore_and_return (struct imap4d_auth *ap, mu_stream_t *str, int resp)
{
39 40
  mu_stream_unref (str[0]);
  mu_stream_unref (str[1]);
41 42 43 44 45 46
  ap->response = resp;
  return imap4d_auth_resp;
}

static enum imap4d_auth_result
auth_gsasl (struct imap4d_auth *ap)
47
{
48 49 50
  char *input_str = NULL;
  size_t input_size = 0;
  size_t input_len;
51
  char *output;
52 53
  int rc;
  
54
  rc = gsasl_server_start (ctx, ap->auth_type, &sess_ctx);
55 56
  if (rc != GSASL_OK)
    {
57
      mu_diag_output (MU_DIAG_NOTICE, _("SASL gsasl_server_start: %s"),
Simon Josefsson authored
58
 	              gsasl_strerror (rc));
59
      return imap4d_auth_fail;
60 61
    }

62
  gsasl_callback_hook_set (ctx, &ap->username);
63

64
  output = NULL;
65 66
  while ((rc = gsasl_step64 (sess_ctx, input_str, &output))
	   == GSASL_NEEDS_MORE)
67
    {
68 69
      io_sendf ("+ %s\n", output);
      io_getline (&input_str, &input_size, &input_len);
70
    }
71
  
72 73
  if (rc != GSASL_OK)
    {
74 75
      mu_diag_output (MU_DIAG_NOTICE, _("GSASL error: %s"),
		      gsasl_strerror (rc));
Simon Josefsson authored
76
      free (input_str);
77
      free (output);
78 79
      ap->response = RESP_NO;
      return imap4d_auth_resp;
80 81
    }

Simon Josefsson authored
82 83
  /* Some SASL mechanisms output additional data when GSASL_OK is
     returned, and clients must respond with an empty response. */
84
  if (output[0])
Simon Josefsson authored
85
    {
86 87
      io_sendf ("+ %s\n", output);
      io_getline (&input_str, &input_size, &input_len);
Simon Josefsson authored
88 89 90
      if (input_len != 0)
	{
	  mu_diag_output (MU_DIAG_NOTICE, _("non-empty client response"));
Simon Josefsson authored
91 92
          free (input_str);
          free (output);
93 94
	  ap->response = RESP_NO;
	  return imap4d_auth_resp;
Simon Josefsson authored
95 96 97
	}
    }

Simon Josefsson authored
98
  free (input_str);
99 100
  free (output);

101
  if (ap->username == NULL)
102
    {
103 104 105 106
      mu_diag_output (MU_DIAG_NOTICE, _("GSASL %s: cannot get username"),
		      ap->auth_type);
      ap->response = RESP_NO;
      return imap4d_auth_resp;
107 108
    }

109
  auth_gsasl_capa_init (1);
110 111
  if (sess_ctx)
    {
112 113
      mu_stream_t stream[2], newstream[2];

114 115
      rc = mu_stream_ioctl (iostream, MU_IOCTL_SUBSTREAM, MU_IOCTL_OP_GET, 
                            stream);
116 117
      if (rc)
	{
118
	  mu_error (_("%s failed: %s"), "MU_IOCTL_GET_STREAM",
119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142
		    mu_stream_strerror (iostream, rc));
	  ap->response = RESP_NO;
	  return imap4d_auth_resp;
	}
      rc = gsasl_encoder_stream (&newstream[0], stream[0], sess_ctx,
				 MU_STREAM_READ);
      if (rc)
	{
	  mu_error (_("%s failed: %s"), "gsasl_encoder_stream",
		    mu_strerror (rc));
	  return restore_and_return (ap, stream, RESP_NO);
	}

      rc = gsasl_decoder_stream (&newstream[1], stream[1], sess_ctx,
				 MU_STREAM_WRITE);
      if (rc)
	{
	  mu_error (_("%s failed: %s"), "gsasl_decoder_stream",
		    mu_strerror (rc));
	  mu_stream_destroy (&newstream[0]);
	  return restore_and_return (ap, stream, RESP_NO);
	}
      
      if (ap->username)
143
	{
144
	  if (imap4d_session_setup (ap->username))
145 146 147 148 149
	    {
	      mu_stream_destroy (&newstream[0]);
	      mu_stream_destroy (&newstream[1]);
	      return restore_and_return (ap, stream, RESP_NO);
	    }
150 151
	}

152 153 154 155 156
      /* FIXME: This is not reflected in the transcript. */
      io_stream_completion_response (stream[1], ap->command, RESP_OK,
				     "%s authentication successful",
				     ap->auth_type);
      mu_stream_flush (stream[1]);
157 158 159

      mu_stream_unref (stream[0]);
      mu_stream_unref (stream[1]);
160
      
161 162
      rc = mu_stream_ioctl (iostream, MU_IOCTL_SUBSTREAM, 
                            MU_IOCTL_OP_SET, newstream);
163 164 165
      if (rc)
	{
	  mu_error (_("%s failed when it should not: %s"),
166
		    "MU_IOCTL_SET_STREAM",
167 168 169
		    mu_stream_strerror (iostream, rc));
	  abort ();
	}
170 171 172 173

      mu_stream_unref (newstream[0]);
      mu_stream_unref (newstream[1]);
      
174
      util_atexit (finish_session);
175
      return imap4d_auth_ok;
176
    }
177
  
178 179
  ap->response = RESP_OK;
  return imap4d_auth_resp;
180 181 182 183 184 185
}

static void
auth_gsasl_capa_init (int disable)
{
  int rc;
186 187 188
  char *listmech;
  struct mu_wordsplit ws;
  
189
  rc =  gsasl_server_mechlist (ctx, &listmech);
190 191 192
  if (rc != GSASL_OK)
    return;

193 194 195 196
  ws.ws_delim = " ";
  if (mu_wordsplit (listmech, &ws,
		    MU_WRDSF_DELIM|MU_WRDSF_SQUEEZE_DELIMS|
		    MU_WRDSF_NOVAR|MU_WRDSF_NOCMD))
197
    {
198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215
      mu_error (_("cannot split line `%s': %s"), listmech,
		mu_wordsplit_strerror (&ws));
    }
  else
    {
      size_t i;

      for (i = 0; i < ws.ws_wordc; i++)
	{
	  if (disable)
	    auth_remove (ws.ws_wordv[i]);
	  else
	    {
	      auth_add (ws.ws_wordv[i], auth_gsasl);
	      ws.ws_wordv[i] = NULL;
	    }
	}
      mu_wordsplit_free (&ws);
216 217 218 219
    }
  free (listmech);
}

220 221
#define IMAP_GSSAPI_SERVICE "imap"

222
static int
223
retrieve_password (Gsasl *ctx, Gsasl_session *sctx)
224
{
225
  char **username = gsasl_callback_hook_get (ctx);
226
  const char *authid = gsasl_property_get (sctx, GSASL_AUTHID);
227 228 229
  
  if (username && *username == 0)
    *username = strdup (authid);
230

231 232
  if (mu_gsasl_module_data.cram_md5_pwd
      && access (mu_gsasl_module_data.cram_md5_pwd, R_OK) == 0)
233
    {
234 235 236 237 238 239 240 241 242
      char *key;
      int rc = gsasl_simple_getpass (mu_gsasl_module_data.cram_md5_pwd,
				     authid, &key);
      if (rc == GSASL_OK)
	{
	  gsasl_property_set (sctx, GSASL_PASSWORD, key);
	  free (key);
	  return rc;
	}
243
    }
244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259
  
#ifdef USE_SQL
  if (mu_sql_module_config.password_type == password_plaintext)
    {
      char *passwd;
      int status = mu_sql_getpass (*username, &passwd);
      if (status == 0)
	{
	  gsasl_property_set (sctx, GSASL_PASSWORD, passwd);
	  free (passwd);
	  return GSASL_OK;
	}
    }
#endif
  
  return GSASL_AUTHENTICATION_ERROR; 
260 261 262
}

static int
263
cb_validate (Gsasl *ctx, Gsasl_session *sctx)
264
{
265 266
  int rc;
  struct mu_auth_data *auth;
267 268 269 270 271 272 273 274
  char **username = gsasl_callback_hook_get (ctx);
  const char *authid = gsasl_property_get (sctx, GSASL_AUTHID);
  const char *pass = gsasl_property_get (sctx, GSASL_PASSWORD);

  if (!authid)
    return GSASL_NO_AUTHID;
  if (!pass)
    return GSASL_NO_PASSWORD;
275
  
276 277 278
  *username = strdup (authid);
  
  auth = mu_get_auth_by_name (*username);
279

280
  if (auth == NULL)
281 282
    return GSASL_AUTHENTICATION_ERROR;

283
  rc = mu_authenticate (auth, pass);
284 285 286
  mu_auth_data_free (auth);
  
  return rc == 0 ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;
287
}
288
  
289
static int
290
callback (Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop)
291
{
292
    int rc = GSASL_OK;
293

294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328
    switch (prop) {
    case GSASL_PASSWORD:
      rc = retrieve_password (ctx, sctx);
      break;
      
    case GSASL_SERVICE:
      gsasl_property_set (sctx, prop,
			  mu_gsasl_module_data.service ?
			    mu_gsasl_module_data.service :IMAP_GSSAPI_SERVICE);
      break;
      
    case GSASL_REALM:
      gsasl_property_set (sctx, prop,
			  mu_gsasl_module_data.realm ?
			    mu_gsasl_module_data.realm : util_localname ());
      break;
      
    case GSASL_HOSTNAME:
      gsasl_property_set (sctx, prop,
			  mu_gsasl_module_data.hostname ?
			    mu_gsasl_module_data.hostname : util_localname ());
      break;
      
#if 0
    FIXME:
    case GSASL_VALIDATE_EXTERNAL:
    case GSASL_VALIDATE_SECURID:
#endif
      
    case GSASL_VALIDATE_SIMPLE:
      rc = cb_validate (ctx, sctx);
      break;
      
    case GSASL_VALIDATE_ANONYMOUS:
      if (mu_gsasl_module_data.anon_user)
329
	{
330
	  char **username = gsasl_callback_hook_get (ctx);
331
	  mu_diag_output (MU_DIAG_INFO, _("anonymous user %s logged in"),
332 333
			  gsasl_property_get (sctx, GSASL_ANONYMOUS_TOKEN));
	  *username = strdup (mu_gsasl_module_data.anon_user);
334
	}
335 336 337
      else
	{
	  mu_diag_output (MU_DIAG_ERR,
338
			  _("attempt to log in as anonymous user denied"));
339 340 341 342 343 344 345 346 347 348 349 350
	}
      break;
      
    case GSASL_VALIDATE_GSSAPI:
      {
	char **username = gsasl_callback_hook_get (ctx);
	*username = strdup (gsasl_property_get(sctx, GSASL_AUTHZID));
	break;
      }
      
    default:
	rc = GSASL_NO_CALLBACK;
351
	mu_error (_("unsupported callback property %d"), prop);
352
	break;
353
    }
354 355

    return rc;
356 357
}

358 359 360 361
void
auth_gsasl_init ()
{
  int rc;
362

363 364 365
  rc = gsasl_init (&ctx);
  if (rc != GSASL_OK)
    {
366
      mu_diag_output (MU_DIAG_NOTICE, _("cannot initialize libgsasl: %s"),
367 368 369
	      gsasl_strerror (rc));
    }

370
  gsasl_callback_set (ctx, callback);
371
  
372 373 374
  auth_gsasl_capa_init (0);
}