]> diplodocus.org Git - nmh/blob - sbr/netsec.c
projects / nmh / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
forwsbr.c: Move interface declaration to own forwsbr.h.
[nmh] / sbr / netsec.c
1 /* netsec.c -- Network security routines for handling protocols that
2 * require SASL and/or TLS.
3 *
4 * This code is Copyright (c) 2016, by the authors of nmh. See the
5 * COPYRIGHT file in the root directory of the nmh distribution for
6 * complete copyright information.
7 */
8
9 #include <h/mh.h>
10 #include <h/utils.h>
11 #include <h/netsec.h>
12 #include <h/oauth.h>
13 #include <stdarg.h>
14 #include <sys/select.h>
15 #include "base64.h"
16
17 #ifdef CYRUS_SASL
18 #include <sasl/sasl.h>
19 #include <sasl/saslutil.h>
20 # if SASL_VERSION_FULL < 0x020125
21 /* Cyrus SASL 2.1.25 introduced the sasl_callback_ft prototype,
22 which has an explicit void parameter list, according to best
23 practice. So we need to cast to avoid compile warnings.
24 Provide this prototype for earlier versions. */
25 typedef int (*sasl_callback_ft)();
26 # endif /* SASL_VERSION_FULL < 0x020125 */
27
28 static int netsec_get_user(void *context, int id, const char **result,
29 unsigned int *len);
30 static int netsec_get_password(sasl_conn_t *conn, void *context, int id,
31 sasl_secret_t **psecret);
32
33 static bool sasl_initialized;
34
35 #define SASL_MAXRECVBUF 65536
36 #endif /* CYRUS_SASL */
37
38 #ifdef TLS_SUPPORT
39 #include <openssl/ssl.h>
40 #include <openssl/err.h>
41
42 static bool tls_initialized;
43 static SSL_CTX *sslctx = NULL; /* SSL Context */
44
45 #endif /* TLS_SUPPORT */
46
47 /* I'm going to hardcode this for now; maybe make it adjustable later? */
48 #define NETSEC_BUFSIZE 65536
49
50 /*
51 * Our context structure, which holds all of the relevant information
52 * about a connection.
53 */
54
55 struct _netsec_context {
56 int ns_readfd; /* Read descriptor for network connection */
57 int ns_writefd; /* Write descriptor for network connection */
58 int ns_noclose; /* Do not close file descriptors if set */
59 int ns_snoop; /* If true, display network data */
60 netsec_snoop_callback *ns_snoop_cb; /* Snoop output callback */
61 void *ns_snoop_context; /* Context data for snoop function */
62 char *ns_snoop_savebuf; /* Save buffer for snoop data */
63 int ns_timeout; /* Network read timeout, in seconds */
64 char *ns_userid; /* Userid for authentication */
65 char *ns_hostname; /* Hostname we've connected to */
66 unsigned char *ns_inbuffer; /* Our read input buffer */
67 unsigned char *ns_inptr; /* Our read buffer input pointer */
68 unsigned int ns_inbuflen; /* Length of data in input buffer */
69 unsigned int ns_inbufsize; /* Size of input buffer */
70 unsigned char *ns_outbuffer;/* Output buffer */
71 unsigned char *ns_outptr; /* Output buffer pointer */
72 unsigned int ns_outbuflen; /* Output buffer data length */
73 unsigned int ns_outbufsize; /* Output buffer size */
74 char *sasl_mech; /* User-requested mechanism */
75 char *sasl_chosen_mech; /* Mechanism chosen by SASL */
76 netsec_sasl_callback sasl_proto_cb; /* SASL callback we use */
77 void *sasl_proto_context; /* Context to be used by SASL callback */
78 #ifdef OAUTH_SUPPORT
79 char *oauth_service; /* OAuth2 service name */
80 #endif /* OAUTH_SUPPORT */
81 #ifdef CYRUS_SASL
82 sasl_conn_t *sasl_conn; /* SASL connection context */
83 sasl_ssf_t sasl_ssf; /* SASL Security Strength Factor */
84 sasl_callback_t *sasl_cbs; /* Callbacks used by SASL */
85 nmh_creds_t sasl_creds; /* Credentials (username/password) */
86 sasl_secret_t *sasl_secret; /* SASL password structure */
87 int sasl_seclayer; /* If true, SASL security layer is enabled */
88 char *sasl_tmpbuf; /* Temporary read buffer for decodes */
89 size_t sasl_maxbufsize; /* Maximum negotiated SASL buffer size */
90 #endif /* CYRUS_SASL */
91 #ifdef TLS_SUPPORT
92 BIO *ssl_io; /* BIO used for connection I/O */
93 int tls_active; /* If true, TLS is running */
94 #endif /* TLS_SUPPORT */
95 };
96
97 /*
98 * Function to read data from the actual network socket
99 */
100
101 static int netsec_fillread(netsec_context *ns_context, char **errstr);
102
103 /*
104 * Code to check the ASCII content of a byte array.
105 */
106
107 static int checkascii(const unsigned char *byte, size_t len);
108
109 /*
110 * How this code works, in general.
111 *
112 * _If_ we are using no encryption then we buffer the network data
113 * through ns_inbuffer and ns_outbuffer. That should be relatively
114 * self-explanatory.
115 *
116 * If we use encryption, then ns_inbuffer and ns_outbuffer contain the
117 * cleartext data. When it comes time to send the encrypted data on the
118 * (either from a flush or the buffer is full) we either use BIO_write()
119 * for TLS or sasl_encode() (followed by a write() for Cyrus-SASL. For
120 * reads we either use BIO_read() (TLS) or do a network read into a
121 * temporary buffer and use sasl_decode() (Cyrus-SASL). Note that if
122 * negotiate TLS then we disable SASL encryption.
123 *
124 * We used to use a buffering BIO for the reads/writes for TLS, but it
125 * ended up being complicated to special-case the buffering for everything
126 * except TLS, so the buffering is now unified, no matter which encryption
127 * method is being used (even none).
128 *
129 * For SASL authentication, we make use of (for now) the Cyrus-SASL
130 * library. For some mechanisms, we implement those mechanisms directly
131 * since the Cyrus SASL library doesn't support them (like OAuth).
132 */
133
134 /*
135 * Allocate and initialize our security context
136 */
137
138 netsec_context *
139 netsec_init(void)
140 {
141 netsec_context *nsc;
142
143 NEW(nsc);
144 nsc->ns_readfd = -1;
145 nsc->ns_writefd = -1;
146 nsc->ns_noclose = 0;
147 nsc->ns_snoop = 0;
148 nsc->ns_snoop_cb = NULL;
149 nsc->ns_snoop_context = NULL;
150 nsc->ns_snoop_savebuf = NULL;
151 nsc->ns_userid = NULL;
152 nsc->ns_hostname = NULL;
153 nsc->ns_timeout = 60; /* Our default */
154 nsc->ns_inbufsize = NETSEC_BUFSIZE;
155 nsc->ns_inbuffer = mh_xmalloc(nsc->ns_inbufsize);
156 nsc->ns_inptr = nsc->ns_inbuffer;
157 nsc->ns_inbuflen = 0;
158 nsc->ns_outbufsize = NETSEC_BUFSIZE;
159 nsc->ns_outbuffer = mh_xmalloc(nsc->ns_outbufsize);
160 nsc->ns_outptr = nsc->ns_outbuffer;
161 nsc->ns_outbuflen = 0;
162 nsc->sasl_mech = NULL;
163 nsc->sasl_chosen_mech = NULL;
164 nsc->sasl_proto_cb = NULL;
165 nsc->sasl_proto_context = NULL;
166 #ifdef OAUTH_SUPPORT
167 nsc->oauth_service = NULL;
168 #endif /* OAUTH_SUPPORT */
169 #ifdef CYRUS_SASL
170 nsc->sasl_conn = NULL;
171 nsc->sasl_cbs = NULL;
172 nsc->sasl_creds = NULL;
173 nsc->sasl_secret = NULL;
174 nsc->sasl_ssf = 0;
175 nsc->sasl_seclayer = 0;
176 nsc->sasl_tmpbuf = NULL;
177 nsc->sasl_maxbufsize = 0;
178 #endif /* CYRUS_SASL */
179 #ifdef TLS_SUPPORT
180 nsc->ssl_io = NULL;
181 nsc->tls_active = 0;
182 #endif /* TLS_SUPPORT */
183 return nsc;
184 }
185
186 /*
187 * Shutdown the connection completely and free all resources.
188 */
189
190 void
191 netsec_shutdown(netsec_context *nsc)
192 {
193 free(nsc->ns_userid);
194 free(nsc->ns_hostname);
195 free(nsc->ns_inbuffer);
196 free(nsc->ns_outbuffer);
197 free(nsc->sasl_mech);
198 free(nsc->sasl_chosen_mech);
199 free(nsc->ns_snoop_savebuf);
200 #ifdef OAUTH_SERVICE
201 free(nsc->oauth_service);
202 #endif /* OAUTH_SERVICE */
203 #ifdef CYRUS_SASL
204 if (nsc->sasl_conn)
205 sasl_dispose(&nsc->sasl_conn);
206 free(nsc->sasl_cbs);
207 if (nsc->sasl_creds)
208 nmh_credentials_free(nsc->sasl_creds);
209 if (nsc->sasl_secret) {
210 if (nsc->sasl_secret->len > 0) {
211 memset(nsc->sasl_secret->data, 0, nsc->sasl_secret->len);
212 }
213 free(nsc->sasl_secret);
214 }
215 free(nsc->sasl_tmpbuf);
216 #endif /* CYRUS_SASL */
217 #ifdef TLS_SUPPORT
218 if (nsc->ssl_io)
219 /*
220 * I checked; BIO_free_all() will cause SSL_shutdown to be called
221 * on the SSL object in the chain.
222 */
223 BIO_free_all(nsc->ssl_io);
224 #endif /* TLS_SUPPORT */
225
226 if (! nsc->ns_noclose) {
227 if (nsc->ns_readfd != -1)
228 close(nsc->ns_readfd);
229 if (nsc->ns_writefd != -1 && nsc->ns_writefd != nsc->ns_readfd)
230 close(nsc->ns_writefd);
231 }
232
233 free(nsc);
234 }
235
236 /*
237 * Set the file descriptor for our context
238 */
239
240 void
241 netsec_set_fd(netsec_context *nsc, int readfd, int writefd)
242 {
243 nsc->ns_readfd = readfd;
244 nsc->ns_writefd = writefd;
245 }
246
247 /*
248 * Set the userid used for authentication for this context
249 */
250
251 void
252 netsec_set_userid(netsec_context *nsc, const char *userid)
253 {
254 nsc->ns_userid = getcpy(userid);
255 }
256
257 /*
258 * Set the hostname of the remote host we're connecting to.
259 */
260
261 void
262 netsec_set_hostname(netsec_context *nsc, const char *hostname)
263 {
264 nsc->ns_hostname = mh_xstrdup(hostname);
265 }
266
267 /*
268 * Get the snoop flag for this connection
269 */
270
271 int
272 netsec_get_snoop(netsec_context *nsc)
273 {
274 return nsc->ns_snoop;
275 }
276
277 /*
278 * Set the snoop flag for this connection
279 */
280
281 void
282 netsec_set_snoop(netsec_context *nsc, int snoop)
283 {
284 nsc->ns_snoop = snoop;
285 }
286
287 /*
288 * Set the snoop callback for this connection.
289 */
290
291 void
292 netsec_set_snoop_callback(netsec_context *nsc,
293 netsec_snoop_callback callback, void *context)
294 {
295 nsc->ns_snoop_cb = callback;
296 nsc->ns_snoop_context = context;
297 }
298
299 /*
300 * A base64-decoding snoop callback
301 */
302
303 void
304 netsec_b64_snoop_decoder(netsec_context *nsc, const char *string, size_t len,
305 void *context)
306 {
307 unsigned char *decoded;
308 size_t decodedlen;
309 int offset;
310 NMH_UNUSED(nsc);
311
312 offset = context ? *((int *) context) : 0;
313
314 if (offset > 0) {
315 /*
316 * Output non-base64 data first.
317 */
318 fprintf(stderr, "%.*s", offset, string);
319 string += offset;
320 len -= offset;
321 }
322
323 if (decodeBase64(string, &decoded, &decodedlen, 1, NULL) == OK) {
324 /*
325 * Some mechanisms produce large binary tokens, which aren't really
326 * readable. So let's do a simple heuristic. If the token is greater
327 * than 100 characters _and_ the first 100 bytes are more than 50%
328 * non-ASCII, then don't print the decoded buffer, just the
329 * base64 text.
330 */
331 if (decodedlen > 100 && !checkascii(decoded, 100)) {
332 fprintf(stderr, "%.*s\n", (int) len, string);
333 } else {
334 char *hexified;
335 hexify(decoded, decodedlen, &hexified);
336 fprintf(stderr, "b64<%s>\n", hexified);
337 free(hexified);
338 }
339 free(decoded);
340 } else {
341 fprintf(stderr, "%.*s\n", (int) len, string);
342 }
343 }
344
345 /*
346 * If the ASCII content is > 50%, return 1
347 */
348
349 static int
350 checkascii(const unsigned char *bytes, size_t len)
351 {
352 size_t count = 0, half = len / 2;
353
354 while (len-- > 0) {
355 if (isascii(*bytes) && isprint(*bytes) && ++count > half)
356 return 1;
357 bytes++;
358 /* No chance by this point */
359 if (count + len < half)
360 return 0;
361 }
362
363 return 0;
364 }
365
366 /*
367 * Set the read timeout for this connection
368 */
369
370 void
371 netsec_set_timeout(netsec_context *nsc, int timeout)
372 {
373 nsc->ns_timeout = timeout;
374 }
375
376 /*
377 * Read data from the network. Basically, return anything in our buffer,
378 * otherwise fill from the network.
379 */
380
381 ssize_t
382 netsec_read(netsec_context *nsc, void *buffer, size_t size, char **errstr)
383 {
384 int retlen;
385
386 /*
387 * If our buffer is empty, then we should fill it now
388 */
389
390 if (nsc->ns_inbuflen == 0) {
391 if (netsec_fillread(nsc, errstr) != OK)
392 return NOTOK;
393 }
394
395 /*
396 * netsec_fillread only returns if the buffer is full, so we can
397 * assume here that this has something in it.
398 */
399
400 retlen = min(size, nsc->ns_inbuflen);
401
402 memcpy(buffer, nsc->ns_inptr, retlen);
403
404 if (retlen == (int) nsc->ns_inbuflen) {
405 /*
406 * We've emptied our buffer, so reset everything.
407 */
408 nsc->ns_inptr = nsc->ns_inbuffer;
409 nsc->ns_inbuflen = 0;
410 } else {
411 nsc->ns_inptr += size;
412 nsc->ns_inbuflen -= size;
413 }
414
415 return OK;
416 }
417
418 /*
419 * Get a "line" (CR/LF) terminated from the network.
420 *
421 * Okay, we play some games here, so pay attention:
422 *
423 * - Unlike every other function, we return a pointer to the
424 * existing buffer. This pointer is valid until you call another
425 * read function again.
426 * - We NUL-terminate the buffer right at the end, before the CR-LF terminator.
427 * - Technically we look for a LF; if we find a CR right before it, then
428 * we back up one.
429 * - If your data may contain embedded NULs, this won't work. You should
430 * be using netsec_read() in that case.
431 */
432
433 char *
434 netsec_readline(netsec_context *nsc, size_t *len, char **errstr)
435 {
436 unsigned char *ptr = nsc->ns_inptr;
437 size_t count = 0, offset;
438
439 retry:
440 /*
441 * Search through our existing buffer for a LF
442 */
443
444 while (count < nsc->ns_inbuflen) {
445 count++;
446 if (*ptr++ == '\n') {
447 char *sptr = (char *) nsc->ns_inptr;
448 if (count > 1 && *(ptr - 2) == '\r')
449 ptr--;
450 *--ptr = '\0';
451 if (len)
452 *len = ptr - nsc->ns_inptr;
453 nsc->ns_inptr += count;
454 nsc->ns_inbuflen -= count;
455 if (nsc->ns_snoop) {
456 #ifdef CYRUS_SASL
457 if (nsc->sasl_seclayer)
458 fprintf(stderr, "(sasl-decrypted) ");
459 #endif /* CYRUS_SASL */
460 #ifdef TLS_SUPPORT
461 if (nsc->tls_active)
462 fprintf(stderr, "(tls-decrypted) ");
463 #endif /* TLS_SUPPORT */
464 fprintf(stderr, "<= ");
465 if (nsc->ns_snoop_cb)
466 nsc->ns_snoop_cb(nsc, sptr, strlen(sptr),
467 nsc->ns_snoop_context);
468 else {
469 fputs(sptr, stderr);
470 putc('\n', stderr);
471 }
472 }
473 return sptr;
474 }
475 }
476
477 /*
478 * Hm, we didn't find a \n. If we've already searched half of the input
479 * buffer, return an error.
480 */
481
482 if (count >= nsc->ns_inbufsize / 2) {
483 netsec_err(errstr, "Unable to find a line terminator after %zu bytes",
484 count);
485 return NULL;
486 }
487
488 /*
489 * Okay, get some more network data. This may move inptr, so regenerate
490 * our ptr value;
491 */
492
493 offset = ptr - nsc->ns_inptr;
494
495 if (netsec_fillread(nsc, errstr) != OK)
496 return NULL;
497
498 ptr = nsc->ns_inptr + offset;
499
500 goto retry;
501
502 return NULL; /* Should never reach this */
503 }
504
505 /*
506 * Fill our read buffer with some data from the network.
507 */
508
509 static int
510 netsec_fillread(netsec_context *nsc, char **errstr)
511 {
512 unsigned char *end;
513 char *readbuf;
514 size_t readbufsize, remaining, startoffset;
515 int rc;
516
517 /*
518 * If inbuflen is zero, that means the buffer has been emptied
519 * completely. In that case move inptr back to the start.
520 */
521
522 if (nsc->ns_inbuflen == 0) {
523 nsc->ns_inptr = nsc->ns_inbuffer;
524 }
525
526 #if defined(CYRUS_SASL) || defined(TLS_SUPPORT)
527 retry:
528 #endif /* CYRUS_SASL || TLS_SUPPORT */
529 /*
530 * If we are using TLS and there's anything pending, then skip the
531 * select call
532 */
533 #ifdef TLS_SUPPORT
534 if (!nsc->tls_active || BIO_pending(nsc->ssl_io) == 0)
535 #endif /* TLS_SUPPORT */
536 {
537 struct timeval tv;
538 fd_set rfds;
539
540 FD_ZERO(&rfds);
541 FD_SET(nsc->ns_readfd, &rfds);
542
543 tv.tv_sec = nsc->ns_timeout;
544 tv.tv_usec = 0;
545
546 rc = select(nsc->ns_readfd + 1, &rfds, NULL, NULL, &tv);
547
548 if (rc == -1) {
549 netsec_err(errstr, "select() while reading failed: %s",
550 strerror(errno));
551 return NOTOK;
552 }
553
554 if (rc == 0) {
555 netsec_err(errstr, "read() timed out after %d seconds",
556 nsc->ns_timeout);
557 return NOTOK;
558 }
559
560 /*
561 * At this point, we know that rc is 1, so there's not even any
562 * point to check to see if our descriptor is set in rfds.
563 */
564 }
565
566 /*
567 * Some explanation:
568 *
569 * startoffset is the offset from the beginning of the input
570 * buffer to data that is in our input buffer, but has not yet
571 * been consumed. This can be non-zero if functions like
572 * netsec_readline() leave leftover data.
573 *
574 * remaining is the remaining amount of unconsumed data in the input
575 * buffer.
576 *
577 * end is a pointer to the end of the valid data + 1; it's where
578 * the next read should go.
579 */
580
581 startoffset = nsc->ns_inptr - nsc->ns_inbuffer;
582 remaining = nsc->ns_inbufsize - (startoffset + nsc->ns_inbuflen);
583 end = nsc->ns_inptr + nsc->ns_inbuflen;
584
585 /*
586 * If we're past the halfway point in our read buffers, shuffle everything
587 * back to the beginning.
588 */
589
590 if (startoffset > nsc->ns_inbufsize / 2) {
591 memmove(nsc->ns_inbuffer, nsc->ns_inptr, nsc->ns_inbuflen);
592 nsc->ns_inptr = nsc->ns_inbuffer;
593 startoffset = 0;
594 remaining = nsc->ns_inbufsize - nsc->ns_inbuflen;
595 end = nsc->ns_inptr + nsc->ns_inbuflen;
596 }
597
598 /*
599 * If we are using TLS, then just read via the BIO. But we still
600 * use our local buffer.
601 */
602 #ifdef TLS_SUPPORT
603 if (nsc->tls_active) {
604 rc = BIO_read(nsc->ssl_io, end, remaining);
605 if (rc == 0) {
606 SSL *ssl;
607 int errcode;
608
609 /*
610 * Check to see if we're supposed to retry; if so,
611 * then go back and read again.
612 */
613
614 if (BIO_should_retry(nsc->ssl_io))
615 goto retry;
616
617 /*
618 * Okay, fine. Get the real error out of the SSL context.
619 */
620
621 if (BIO_get_ssl(nsc->ssl_io, &ssl) < 1) {
622 netsec_err(errstr, "SSL_read() returned 0, but cannot "
623 "retrieve SSL context");
624 return NOTOK;
625 }
626
627 errcode = SSL_get_error(ssl, rc);
628 if (errcode == SSL_ERROR_ZERO_RETURN) {
629 netsec_err(errstr, "TLS peer closed remote connection");
630 } else {
631 netsec_err(errstr, "TLS network read failed: %s",
632 ERR_error_string(ERR_peek_last_error(), NULL));
633 }
634 if (nsc->ns_snoop)
635 ERR_print_errors_fp(stderr);
636 return NOTOK;
637 }
638 if (rc < 0) {
639 /* Definitely an error */
640 netsec_err(errstr, "Read on TLS connection failed: %s",
641 ERR_error_string(ERR_get_error(), NULL));
642 return NOTOK;
643 }
644
645 nsc->ns_inbuflen += rc;
646
647 return OK;
648 }
649 #endif /* TLS_SUPPORT */
650
651 /*
652 * Okay, time to read some data. Either we're just doing it straight
653 * or we're passing it through sasl_decode() first.
654 */
655
656 #ifdef CYRUS_SASL
657 if (nsc->sasl_seclayer) {
658 readbuf = nsc->sasl_tmpbuf;
659 readbufsize = nsc->sasl_maxbufsize;
660 } else
661 #endif /* CYRUS_SASL */
662 {
663 readbuf = (char *) end;
664 readbufsize = remaining;
665 }
666
667 /*
668 * At this point, we should have active data on the connection (see
669 * select() above) so this read SHOULDN'T block. Hopefully.
670 */
671
672 rc = read(nsc->ns_readfd, readbuf, readbufsize);
673
674 if (rc == 0) {
675 netsec_err(errstr, "Received EOF on network read");
676 return NOTOK;
677 }
678
679 if (rc < 0) {
680 netsec_err(errstr, "Network read failed: %s", strerror(errno));
681 return NOTOK;
682 }
683
684 /*
685 * Okay, so we've had a successful read. If we are doing SASL security
686 * layers, pass this through sasl_decode(). sasl_decode() can return
687 * 0 bytes decoded; if that happens, jump back to the beginning. Otherwise
688 * we can just update our length pointer.
689 */
690
691 #ifdef CYRUS_SASL
692 if (nsc->sasl_seclayer) {
693 const char *tmpout;
694 unsigned int tmpoutlen;
695
696 rc = sasl_decode(nsc->sasl_conn, nsc->sasl_tmpbuf, rc,
697 &tmpout, &tmpoutlen);
698
699 if (rc != SASL_OK) {
700 netsec_err(errstr, "Unable to decode SASL network data: %s",
701 sasl_errdetail(nsc->sasl_conn));
702 return NOTOK;
703 }
704
705 if (tmpoutlen == 0)
706 goto retry;
707
708 /*
709 * Just in case ...
710 */
711
712 if (tmpoutlen > remaining) {
713 netsec_err(errstr, "Internal error: SASL decode buffer overflow!");
714 return NOTOK;
715 }
716
717 memcpy(end, tmpout, tmpoutlen);
718
719 nsc->ns_inbuflen += tmpoutlen;
720 } else
721 #endif /* CYRUS_SASL */
722 nsc->ns_inbuflen += rc;
723
724 return OK;
725 }
726
727 /*
728 * Write data to our network connection. Really, fill up the buffer as
729 * much as we can, and flush it out if necessary. netsec_flush() does
730 * the real work.
731 */
732
733 int
734 netsec_write(netsec_context *nsc, const void *buffer, size_t size,
735 char **errstr)
736 {
737 const unsigned char *bufptr = buffer;
738 int rc, remaining;
739
740 /* Just in case */
741
742 if (size == 0)
743 return OK;
744
745 /*
746 * Run a loop copying in data to our local buffer; when we're done with
747 * any buffer overflows then just copy any remaining data in.
748 */
749
750 while ((int) size >= (remaining = nsc->ns_outbufsize - nsc->ns_outbuflen)) {
751 memcpy(nsc->ns_outptr, bufptr, remaining);
752
753 /*
754 * In theory I should increment outptr, but netsec_flush just resets
755 * it anyway.
756 */
757 nsc->ns_outbuflen = nsc->ns_outbufsize;
758
759 rc = netsec_flush(nsc, errstr);
760
761 if (rc != OK)
762 return NOTOK;
763
764 bufptr += remaining;
765 size -= remaining;
766 }
767
768 /*
769 * Copy any leftover data into the buffer.
770 */
771
772 if (size > 0) {
773 memcpy(nsc->ns_outptr, bufptr, size);
774 nsc->ns_outptr += size;
775 nsc->ns_outbuflen += size;
776 }
777
778 return OK;
779 }
780
781 /*
782 * Our network printf() routine, which really just calls netsec_vprintf().
783 */
784
785 int
786 netsec_printf(netsec_context *nsc, char **errstr, const char *format, ...)
787 {
788 va_list ap;
789 int rc;
790
791 va_start(ap, format);
792 rc = netsec_vprintf(nsc, errstr, format, ap);
793 va_end(ap);
794
795 return rc;
796 }
797
798 /*
799 * Write bytes to the network using printf()-style formatting.
800 *
801 * Again, for the most part copy stuff into our buffer to be flushed
802 * out later.
803 */
804
805 int
806 netsec_vprintf(netsec_context *nsc, char **errstr, const char *format,
807 va_list ap)
808 {
809 int rc;
810
811 /*
812 * Cheat a little. If we can fit the data into our outgoing buffer,
813 * great! If not, generate a flush and retry once.
814 */
815
816 retry:
817 rc = vsnprintf((char *) nsc->ns_outptr,
818 nsc->ns_outbufsize - nsc->ns_outbuflen, format, ap);
819
820 if (rc >= (int) (nsc->ns_outbufsize - nsc->ns_outbuflen)) {
821 /*
822 * This means we have an overflow. Note that we don't actually
823 * make use of the terminating NUL, but according to the spec
824 * vsnprintf() won't write to the last byte in the string; that's
825 * why we have to use >= in the comparison above.
826 */
827 if (nsc->ns_outbuffer == nsc->ns_outptr) {
828 /*
829 * Whoops, if the buffer pointer was the same as the start of the
830 * buffer, that means we overflowed the internal buffer.
831 * At that point, just give up.
832 */
833 netsec_err(errstr, "Internal error: wanted to printf() a total of "
834 "%d bytes, but our buffer size was only %d bytes",
835 rc, nsc->ns_outbufsize);
836 return NOTOK;
837 }
838 /*
839 * Generate a flush (which may be inefficient, but hopefully
840 * it isn't) and then try again.
841 */
842 if (netsec_flush(nsc, errstr) != OK)
843 return NOTOK;
844 /*
845 * After this, outbuffer should == outptr, so we shouldn't
846 * hit this next time around.
847 */
848 goto retry;
849 }
850
851 nsc->ns_outptr += rc;
852 nsc->ns_outbuflen += rc;
853
854 return OK;
855 }
856
857 /*
858 * Flush out any buffered data in our output buffers. This routine is
859 * actually where the real network writes take place.
860 */
861
862 int
863 netsec_flush(netsec_context *nsc, char **errstr)
864 {
865 const char *netoutbuf = (const char *) nsc->ns_outbuffer;
866 unsigned int netoutlen = nsc->ns_outbuflen;
867 int rc;
868
869 /*
870 * Small optimization
871 */
872
873 if (netoutlen == 0)
874 return OK;
875
876 /*
877 * If we have snoop turned on, output the data.
878 *
879 * Note here; if we don't have a CR or LF at the end, save the data
880 * in ns_snoop_savebuf for later and print it next time.
881 */
882
883 if (nsc->ns_snoop) {
884 unsigned int snoopoutlen = netoutlen;
885 const char *snoopoutbuf = (const char *) nsc->ns_outbuffer;
886
887 while (snoopoutlen > 0) {
888 const char *end = strpbrk(snoopoutbuf, "\r\n");
889 unsigned int outlen;
890
891 if (! end) {
892 if (nsc->ns_snoop_savebuf) {
893 nsc->ns_snoop_savebuf = mh_xrealloc(nsc->ns_snoop_savebuf,
894 strlen(nsc->ns_snoop_savebuf) +
895 snoopoutlen + 1);
896 strncat(nsc->ns_snoop_savebuf, snoopoutbuf, snoopoutlen);
897 } else {
898 nsc->ns_snoop_savebuf = mh_xmalloc(snoopoutlen + 1);
899 strncpy(nsc->ns_snoop_savebuf, snoopoutbuf, snoopoutlen);
900 nsc->ns_snoop_savebuf[snoopoutlen] = '\0';
901 }
902 break;
903 }
904
905 outlen = end - snoopoutbuf;
906
907 #ifdef CYRUS_SASL
908 if (nsc->sasl_seclayer)
909 fprintf(stderr, "(sasl-encrypted) ");
910 #endif /* CYRUS_SASL */
911 #ifdef TLS_SUPPORT
912 if (nsc->tls_active)
913 fprintf(stderr, "(tls-encrypted) ");
914 #endif /* TLS_SUPPORT */
915 fprintf(stderr, "=> ");
916 if (nsc->ns_snoop_cb) {
917 const char *ptr;
918 unsigned int cb_len = outlen;
919
920 if (nsc->ns_snoop_savebuf) {
921 cb_len += strlen(nsc->ns_snoop_savebuf);
922 nsc->ns_snoop_savebuf = mh_xrealloc(nsc->ns_snoop_savebuf,
923 outlen);
924 ptr = nsc->ns_snoop_savebuf;
925 } else {
926 ptr = snoopoutbuf;
927 }
928
929 nsc->ns_snoop_cb(nsc, ptr, cb_len, nsc->ns_snoop_context);
930
931 if (nsc->ns_snoop_savebuf) {
932 free(nsc->ns_snoop_savebuf);
933 nsc->ns_snoop_savebuf = NULL;
934 }
935 } else {
936 if (nsc->ns_snoop_savebuf) {
937 fprintf(stderr, "%s", nsc->ns_snoop_savebuf);
938 free(nsc->ns_snoop_savebuf);
939 nsc->ns_snoop_savebuf = NULL;
940 }
941 fprintf(stderr, "%.*s\n", outlen, snoopoutbuf);
942 }
943
944 /*
945 * Alright, hopefully any previous leftover data is done,
946 * and we have the current line output. Move things past the
947 * next CR/LF.
948 */
949
950 snoopoutlen -= outlen;
951 snoopoutbuf += outlen;
952
953 if (snoopoutlen > 0 && *snoopoutbuf == '\r') {
954 snoopoutlen--;
955 snoopoutbuf++;
956 }
957
958 if (snoopoutlen > 0 && *snoopoutbuf == '\n') {
959 snoopoutlen--;
960 snoopoutbuf++;
961 }
962 }
963 }
964
965 /*
966 * If SASL security layers are in effect, run the data through
967 * sasl_encode() first.
968 */
969 #ifdef CYRUS_SASL
970 if (nsc->sasl_seclayer) {
971 rc = sasl_encode(nsc->sasl_conn, (const char *) nsc->ns_outbuffer,
972 nsc->ns_outbuflen, &netoutbuf, &netoutlen);
973
974 if (rc != SASL_OK) {
975 netsec_err(errstr, "SASL data encoding failed: %s",
976 sasl_errdetail(nsc->sasl_conn));
977 return NOTOK;
978 }
979
980 }
981 #endif /* CYRUS_SASL */
982
983 /*
984 * If TLS is active, then use those functions to write out the
985 * data.
986 */
987 #ifdef TLS_SUPPORT
988 if (nsc->tls_active) {
989 if (BIO_write(nsc->ssl_io, netoutbuf, netoutlen) <= 0) {
990 netsec_err(errstr, "Error writing to TLS connection: %s",
991 ERR_error_string(ERR_get_error(), NULL));
992 return NOTOK;
993 }
994 } else
995 #endif /* TLS_SUPPORT */
996 {
997 rc = write(nsc->ns_writefd, netoutbuf, netoutlen);
998
999 if (rc < 0) {
1000 netsec_err(errstr, "write() failed: %s", strerror(errno));
1001 return NOTOK;
1002 }
1003 }
1004
1005 nsc->ns_outptr = nsc->ns_outbuffer;
1006 nsc->ns_outbuflen = 0;
1007
1008 return OK;
1009 }
1010
1011 /*
1012 * Set various SASL protocol parameters
1013 */
1014
1015 int
1016 netsec_set_sasl_params(netsec_context *nsc, const char *service,
1017 const char *mechanism, netsec_sasl_callback callback,
1018 void *context, char **errstr)
1019 {
1020 #ifdef CYRUS_SASL
1021 sasl_callback_t *sasl_cbs;
1022 int retval;
1023
1024 if (!nsc->ns_hostname) {
1025 netsec_err(errstr, "Internal error: ns_hostname is NULL");
1026 return NOTOK;
1027 }
1028
1029 if (! sasl_initialized) {
1030 retval = sasl_client_init(NULL);
1031 if (retval != SASL_OK) {
1032 netsec_err(errstr, "SASL client initialization failed: %s",
1033 sasl_errstring(retval, NULL, NULL));
1034 return NOTOK;
1035 }
1036 sasl_initialized = true;
1037 }
1038
1039 /*
1040 * Allocate an array of SASL callbacks for this connection.
1041 * Right now we just allocate an array of four callbacks.
1042 */
1043
1044 sasl_cbs = mh_xmalloc(sizeof(*sasl_cbs) * 4);
1045
1046 sasl_cbs[0].id = SASL_CB_USER;
1047 sasl_cbs[0].proc = (sasl_callback_ft) netsec_get_user;
1048 sasl_cbs[0].context = nsc;
1049
1050 sasl_cbs[1].id = SASL_CB_AUTHNAME;
1051 sasl_cbs[1].proc = (sasl_callback_ft) netsec_get_user;
1052 sasl_cbs[1].context = nsc;
1053
1054 sasl_cbs[2].id = SASL_CB_PASS;
1055 sasl_cbs[2].proc = (sasl_callback_ft) netsec_get_password;
1056 sasl_cbs[2].context = nsc;
1057
1058 sasl_cbs[3].id = SASL_CB_LIST_END;
1059 sasl_cbs[3].proc = NULL;
1060 sasl_cbs[3].context = NULL;
1061
1062 nsc->sasl_cbs = sasl_cbs;
1063
1064 retval = sasl_client_new(service, nsc->ns_hostname, NULL, NULL,
1065 nsc->sasl_cbs, 0, &nsc->sasl_conn);
1066
1067 if (retval) {
1068 netsec_err(errstr, "SASL new client allocation failed: %s",
1069 sasl_errstring(retval, NULL, NULL));
1070 return NOTOK;
1071 }
1072
1073 /*
1074 * Set up our credentials
1075 */
1076
1077 nsc->sasl_creds = nmh_get_credentials(nsc->ns_hostname, nsc->ns_userid);
1078
1079 #else /* CYRUS_SASL */
1080 NMH_UNUSED(service);
1081 NMH_UNUSED(errstr);
1082 #endif /* CYRUS_SASL */
1083
1084 /*
1085 * According to the RFC, mechanisms can only be uppercase letter, numbers,
1086 * and a hyphen or underscore. So make sure we uppercase any letters
1087 * in case the user passed in lowercase.
1088 */
1089
1090 if (mechanism) {
1091 nsc->sasl_mech = mh_xstrdup(mechanism);
1092 to_upper(nsc->sasl_mech);
1093 }
1094
1095 nsc->sasl_proto_cb = callback;
1096 nsc->sasl_proto_context = context;
1097
1098 return OK;
1099 }
1100
1101 #ifdef CYRUS_SASL
1102 /*
1103 * Our userid callback; return the specified username to the SASL
1104 * library when asked.
1105 */
1106
1107 int
1108 netsec_get_user(void *context, int id, const char **result,
1109 unsigned int *len)
1110 {
1111 netsec_context *nsc = (netsec_context *) context;
1112
1113 if (! result || (id != SASL_CB_USER && id != SASL_CB_AUTHNAME))
1114 return SASL_BADPARAM;
1115
1116 *result = nmh_cred_get_user(nsc->sasl_creds);
1117
1118 if (len)
1119 *len = strlen(*result);
1120
1121 return SASL_OK;
1122 }
1123
1124 /*
1125 * Retrieve a password and return it to SASL
1126 */
1127
1128 static int
1129 netsec_get_password(sasl_conn_t *conn, void *context, int id,
1130 sasl_secret_t **psecret)
1131 {
1132 netsec_context *nsc = (netsec_context *) context;
1133 const char *password;
1134 int len;
1135
1136 NMH_UNUSED(conn);
1137
1138 if (! psecret || id != SASL_CB_PASS)
1139 return SASL_BADPARAM;
1140
1141 password = nmh_cred_get_password(nsc->sasl_creds);
1142
1143 len = strlen(password);
1144
1145 /*
1146 * sasl_secret_t includes 1 bytes for "data" already, so that leaves
1147 * us room for a terminating NUL
1148 */
1149
1150 *psecret = malloc(sizeof(sasl_secret_t) + len);
1151
1152 if (! *psecret)
1153 return SASL_NOMEM;
1154
1155 (*psecret)->len = len;
1156 strcpy((char *) (*psecret)->data, password);
1157
1158 nsc->sasl_secret = *psecret;
1159
1160 return SASL_OK;
1161 }
1162 #endif /* CYRUS_SASL */
1163
1164 /*
1165 * Negotiate SASL on this connection
1166 */
1167
1168 int
1169 netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
1170 {
1171 #ifdef CYRUS_SASL
1172 sasl_security_properties_t secprops;
1173 const char *chosen_mech;
1174 const unsigned char *saslbuf;
1175 unsigned char *outbuf;
1176 unsigned int saslbuflen, outbuflen;
1177 sasl_ssf_t *ssf;
1178 int *outbufmax;
1179 #endif
1180 #ifdef OAUTH_SUPPORT
1181 unsigned char *xoauth_client_res;
1182 size_t xoauth_client_res_len;
1183 #endif /* OAUTH_SUPPORT */
1184 #if defined CYRUS_SASL || defined OAUTH_SUPPORT
1185 int rc;
1186 #endif /* CYRUS_SASL || OAUTH_SUPPORT */
1187
1188 /*
1189 * If we've been passed a requested mechanism, check our mechanism
1190 * list from the protocol. If it's not supported, return an error.
1191 */
1192
1193 if (nsc->sasl_mech) {
1194 char **str, *mlist = getcpy(mechlist);
1195 int i;
1196
1197 str = brkstring(mlist, " ", NULL);
1198
1199 for (i = 0; str[i] != NULL; i++) {
1200 if (strcasecmp(nsc->sasl_mech, str[i]) == 0) {
1201 break;
1202 }
1203 }
1204
1205 i = (str[i] == NULL);
1206
1207 free(mlist);
1208
1209 if (i) {
1210 netsec_err(errstr, "Chosen mechanism %s not supported by server",
1211 nsc->sasl_mech);
1212 return NOTOK;
1213 }
1214 }
1215
1216 #ifdef OAUTH_SUPPORT
1217 if (nsc->sasl_mech && strcasecmp(nsc->sasl_mech, "XOAUTH2") == 0) {
1218 /*
1219 * This should be relatively straightforward, but requires some
1220 * help from the plugin. Basically, if XOAUTH2 is a success,
1221 * the callback has to return success, but no output data. If
1222 * there is output data, it will be assumed that it is the JSON
1223 * error message.
1224 */
1225
1226 if (! nsc->oauth_service) {
1227 netsec_err(errstr, "Internal error: OAuth2 service name not given");
1228 return NOTOK;
1229 }
1230
1231 nsc->sasl_chosen_mech = mh_xstrdup(nsc->sasl_mech);
1232
1233 if (mh_oauth_do_xoauth(nsc->ns_userid, nsc->oauth_service,
1234 &xoauth_client_res, &xoauth_client_res_len,
1235 nsc->ns_snoop ? stderr : NULL) != OK) {
1236 netsec_err(errstr, "Internal error: Unable to get OAuth2 "
1237 "bearer token");
1238 return NOTOK;
1239 }
1240
1241 rc = nsc->sasl_proto_cb(NETSEC_SASL_START, xoauth_client_res,
1242 xoauth_client_res_len, NULL, 0,
1243 nsc->sasl_proto_context, errstr);
1244 free(xoauth_client_res);
1245
1246 if (rc != OK)
1247 return NOTOK;
1248
1249 /*
1250 * Okay, we need to do a NETSEC_SASL_FINISH now. If we return
1251 * success, we indicate that with no output data. But if we
1252 * fail, then send a blank message and get the resulting
1253 * error.
1254 */
1255
1256 rc = nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0,
1257 nsc->sasl_proto_context, errstr);
1258
1259 if (rc != OK) {
1260 /*
1261 * We're going to assume the error here is a JSON response;
1262 * we ignore it and send a blank message in response. We should
1263 * then get a failure messages with a useful error. We should
1264 * NOT get a success message at this point.
1265 */
1266 free(*errstr);
1267 nsc->sasl_proto_cb(NETSEC_SASL_WRITE, NULL, 0, NULL, 0,
1268 nsc->sasl_proto_context, NULL);
1269 rc = nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0,
1270 nsc->sasl_proto_context, errstr);
1271 if (rc == 0) {
1272 netsec_err(errstr, "Unexpected success after OAuth failure!");
1273 }
1274 return NOTOK;
1275 }
1276 return OK;
1277 }
1278 #endif /* OAUTH_SUPPORT */
1279
1280 #ifdef CYRUS_SASL
1281 /*
1282 * In netsec_set_sasl_params, we've already done all of our setup with
1283 * sasl_client_init() and sasl_client_new(). So time to set security
1284 * properties, call sasl_client_start(), and generate the protocol
1285 * messages.
1286 */
1287
1288 ZERO(&secprops);
1289 secprops.maxbufsize = SASL_MAXRECVBUF;
1290
1291 /*
1292 * If we're using TLS, do not negotiate a security layer
1293 */
1294
1295 secprops.max_ssf =
1296 #ifdef TLS_SUPPORT
1297 nsc->tls_active ? 0 :
1298 #endif /* TLS_SUPPORT */
1299 UINT_MAX;
1300
1301 rc = sasl_setprop(nsc->sasl_conn, SASL_SEC_PROPS, &secprops);
1302
1303 if (rc != SASL_OK) {
1304 netsec_err(errstr, "SASL security property initialization failed: %s",
1305 sasl_errstring(rc, NULL, NULL));
1306 return NOTOK;
1307 }
1308
1309 /*
1310 * Start the actual protocol negotiation, and go through the
1311 * sasl_client_step() loop (after sasl_client_start, of course).
1312 */
1313
1314 rc = sasl_client_start(nsc->sasl_conn,
1315 nsc->sasl_mech ? nsc->sasl_mech : mechlist, NULL,
1316 (const char **) &saslbuf, &saslbuflen,
1317 &chosen_mech);
1318
1319 if (rc != SASL_OK && rc != SASL_CONTINUE) {
1320 netsec_err(errstr, "SASL client start failed: %s",
1321 sasl_errdetail(nsc->sasl_conn));
1322 return NOTOK;
1323 }
1324
1325 nsc->sasl_chosen_mech = getcpy(chosen_mech);
1326
1327 if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, NULL, 0,
1328 nsc->sasl_proto_context, errstr) != OK)
1329 return NOTOK;
1330
1331 /*
1332 * We've written out our first message; enter in the step loop
1333 */
1334
1335 while (rc == SASL_CONTINUE) {
1336 /*
1337 * Call our SASL callback, which will handle the details of
1338 * reading data from the network.
1339 */
1340
1341 if (nsc->sasl_proto_cb(NETSEC_SASL_READ, NULL, 0, &outbuf, &outbuflen,
1342 nsc->sasl_proto_context, errstr) != OK) {
1343 nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0,
1344 nsc->sasl_proto_context, NULL);
1345 return NOTOK;
1346 }
1347
1348 rc = sasl_client_step(nsc->sasl_conn, (char *) outbuf, outbuflen, NULL,
1349 (const char **) &saslbuf, &saslbuflen);
1350
1351 free(outbuf);
1352
1353 if (rc != SASL_OK && rc != SASL_CONTINUE) {
1354 netsec_err(errstr, "SASL client negotiation failed: %s",
1355 sasl_errdetail(nsc->sasl_conn));
1356 nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0,
1357 nsc->sasl_proto_context, NULL);
1358 return NOTOK;
1359 }
1360
1361 if (nsc->sasl_proto_cb(NETSEC_SASL_WRITE, saslbuf, saslbuflen,
1362 NULL, 0, nsc->sasl_proto_context,
1363 errstr) != OK) {
1364 nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0,
1365 nsc->sasl_proto_context, NULL);
1366 return NOTOK;
1367 }
1368 }
1369
1370 /*
1371 * SASL exchanges should be complete, process the final response message
1372 * from the server.
1373 */
1374
1375 if (nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0,
1376 nsc->sasl_proto_context, errstr) != OK) {
1377 /*
1378 * At this point we can't really send an abort since the SASL dialog
1379 * has completed, so just bubble back up the error message.
1380 */
1381
1382 return NOTOK;
1383 }
1384
1385 /*
1386 * At this point, SASL should be complete. Get a few properties
1387 * from the authentication exchange.
1388 */
1389
1390 rc = sasl_getprop(nsc->sasl_conn, SASL_SSF, (const void **) &ssf);
1391
1392 if (rc != SASL_OK) {
1393 netsec_err(errstr, "Cannot retrieve SASL negotiated security "
1394 "strength factor: %s", sasl_errstring(rc, NULL, NULL));
1395 return NOTOK;
1396 }
1397
1398 nsc->sasl_ssf = *ssf;
1399
1400 if (nsc->sasl_ssf > 0) {
1401 rc = sasl_getprop(nsc->sasl_conn, SASL_MAXOUTBUF,
1402 (const void **) &outbufmax);
1403
1404 if (rc != SASL_OK) {
1405 netsec_err(errstr, "Cannot retrieve SASL negotiated output "
1406 "buffer size: %s", sasl_errstring(rc, NULL, NULL));
1407 return NOTOK;
1408 }
1409
1410 /*
1411 * If our output buffer isn't the same size as the input buffer,
1412 * reallocate it and set the new size (since we won't encode any
1413 * data larger than that).
1414 */
1415
1416 nsc->sasl_maxbufsize = *outbufmax;
1417
1418 if (nsc->ns_outbufsize != nsc->sasl_maxbufsize) {
1419 nsc->ns_outbufsize = nsc->sasl_maxbufsize;
1420 nsc->ns_outbuffer = mh_xrealloc(nsc->ns_outbuffer,
1421 nsc->ns_outbufsize);
1422 /*
1423 * There shouldn't be any data in the buffer, but for
1424 * consistency's sake discard it.
1425 */
1426 nsc->ns_outptr = nsc->ns_outbuffer;
1427 nsc->ns_outbuflen = 0;
1428 }
1429
1430 /*
1431 * Allocate a buffer to do temporary reads into, before we
1432 * call sasl_decode()
1433 */
1434
1435 nsc->sasl_tmpbuf = mh_xmalloc(nsc->sasl_maxbufsize);
1436
1437 /*
1438 * Okay, this is a bit weird. Make sure that the input buffer
1439 * is at least TWICE the size of the max buffer size. That's
1440 * because if we're consuming data but want to extend the current
1441 * buffer, we want to be sure there's room for another full buffer's
1442 * worth of data.
1443 */
1444
1445 if (nsc->ns_inbufsize < nsc->sasl_maxbufsize * 2) {
1446 size_t offset = nsc->ns_inptr - nsc->ns_inbuffer;
1447 nsc->ns_inbufsize = nsc->sasl_maxbufsize * 2;
1448 nsc->ns_inbuffer = mh_xrealloc(nsc->ns_inbuffer, nsc->ns_inbufsize);
1449 nsc->ns_inptr = nsc->ns_inbuffer + offset;
1450 }
1451
1452 nsc->sasl_seclayer = 1;
1453 }
1454
1455 return OK;
1456 #else
1457 /*
1458 * If we're at this point, then either we have NEITHER OAuth2 or
1459 * Cyrus-SASL compiled in, or have OAuth2 but didn't give the XOAUTH2
1460 * mechanism on the command line.
1461 */
1462
1463 if (! nsc->sasl_mech)
1464 netsec_err(errstr, "SASL library support not available; please "
1465 "specify a SASL mechanism to use");
1466 else
1467 netsec_err(errstr, "No support for the %s SASL mechanism",
1468 nsc->sasl_mech);
1469
1470 return NOTOK;
1471 #endif /* CYRUS_SASL */
1472 }
1473
1474 /*
1475 * Retrieve our chosen SASL mechanism
1476 */
1477
1478 char *
1479 netsec_get_sasl_mechanism(netsec_context *nsc)
1480 {
1481 return nsc->sasl_chosen_mech;
1482 }
1483
1484 /*
1485 * Return the negotiated SASL strength security factor (SSF)
1486 */
1487
1488 int
1489 netsec_get_sasl_ssf(netsec_context *nsc)
1490 {
1491 #ifdef CYRUS_SASL
1492 return nsc->sasl_ssf;
1493 #else /* CYRUS_SASL */
1494 return 0;
1495 #endif /* CYRUS_SASL */
1496 }
1497
1498 /*
1499 * Set an OAuth2 service name, if we support it.
1500 */
1501
1502 int
1503 netsec_set_oauth_service(netsec_context *nsc, const char *service)
1504 {
1505 #ifdef OAUTH_SUPPORT
1506 nsc->oauth_service = getcpy(service);
1507 return OK;
1508 #else /* OAUTH_SUPPORT */
1509 NMH_UNUSED(nsc);
1510 NMH_UNUSED(service);
1511 return NOTOK;
1512 #endif /* OAUTH_SUPPORT */
1513 }
1514
1515 /*
1516 * Initialize (and enable) TLS for this connection
1517 */
1518
1519 int
1520 netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr)
1521 {
1522 #ifdef TLS_SUPPORT
1523 if (tls) {
1524 SSL *ssl;
1525 BIO *rbio, *wbio, *ssl_bio;
1526
1527 if (! tls_initialized) {
1528 SSL_library_init();
1529 SSL_load_error_strings();
1530
1531 /*
1532 * Create the SSL context; this has the properties for all
1533 * SSL connections (we are only doing one), though. Make sure
1534 * we only support secure (known as of now) TLS protocols.
1535 */
1536
1537 sslctx = SSL_CTX_new(SSLv23_client_method());
1538
1539 if (! sslctx) {
1540 netsec_err(errstr, "Unable to initialize OpenSSL context: %s",
1541 ERR_error_string(ERR_get_error(), NULL));
1542 return NOTOK;
1543 }
1544
1545 SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1546 SSL_OP_NO_TLSv1);
1547
1548 if (!SSL_CTX_set_default_verify_paths(sslctx)) {
1549 netsec_err(errstr, "Unable to set default certificate "
1550 "verification paths: %s",
1551 ERR_error_string(ERR_get_error(), NULL));
1552 return NOTOK;
1553 }
1554
1555 tls_initialized = true;
1556 }
1557
1558 if (nsc->ns_readfd == -1 || nsc->ns_writefd == -1) {
1559 netsec_err(errstr, "Invalid file descriptor in netsec context");
1560 return NOTOK;
1561 }
1562
1563 /*
1564 * Create the SSL structure which holds the data for a single
1565 * TLS connection.
1566 */
1567
1568 ssl = SSL_new(sslctx);
1569
1570 if (! ssl) {
1571 netsec_err(errstr, "Unable to create SSL connection: %s",
1572 ERR_error_string(ERR_get_error(), NULL));
1573 return NOTOK;
1574 }
1575
1576 /*
1577 * Never bother us, since we are using blocking sockets.
1578 */
1579
1580 SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1581
1582 /*
1583 * This is a bit weird, so pay attention.
1584 *
1585 * We create a socket BIO, and bind it to our SSL connection.
1586 * That means reads and writes to the SSL connection will use our
1587 * supplied socket.
1588 *
1589 * Then we create an SSL BIO, and assign our current SSL connection
1590 * to it. This is done so our code stays simple if we want to use
1591 * any buffering BIOs (right now we do our own buffering).
1592 * So the chain looks like:
1593 *
1594 * SSL BIO -> socket BIO.
1595 */
1596
1597 rbio = BIO_new_socket(nsc->ns_readfd, BIO_CLOSE);
1598
1599 if (! rbio) {
1600 netsec_err(errstr, "Unable to create a read socket BIO: %s",
1601 ERR_error_string(ERR_get_error(), NULL));
1602 SSL_free(ssl);
1603 return NOTOK;
1604 }
1605
1606 wbio = BIO_new_socket(nsc->ns_writefd, BIO_CLOSE);
1607
1608 if (! wbio) {
1609 netsec_err(errstr, "Unable to create a write socket BIO: %s",
1610 ERR_error_string(ERR_get_error(), NULL));
1611 SSL_free(ssl);
1612 BIO_free(rbio);
1613 return NOTOK;
1614 }
1615
1616 SSL_set_bio(ssl, rbio, wbio);
1617 SSL_set_connect_state(ssl);
1618
1619 /*
1620 * If noverify is NOT set, then do certificate validation.
1621 * Turning on SSL_VERIFY_PEER will verify the certificate chain
1622 * against locally stored root certificates (the locations are
1623 * set using SSL_CTX_set_default_verify_paths()), and we put
1624 * the hostname in the X509 verification parameters so the OpenSSL
1625 * code will verify that the hostname appears in the server
1626 * certificate.
1627 */
1628
1629 if (! noverify) {
1630 #ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
1631 X509_VERIFY_PARAM *param;
1632 #endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
1633
1634 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
1635 if (! nsc->ns_hostname) {
1636 netsec_err(errstr, "Internal error: hostname not set and "
1637 "certification verification enabled");
1638 SSL_free(ssl);
1639 return NOTOK;
1640 }
1641
1642 #ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
1643 param = SSL_get0_param(ssl);
1644
1645 if (! X509_VERIFY_PARAM_set1_host(param, nsc->ns_hostname, 0)) {
1646 netsec_err(errstr, "Unable to add hostname %s to cert "
1647 "verification parameters: %s", nsc->ns_hostname,
1648 ERR_error_string(ERR_get_error(), NULL));
1649 SSL_free(ssl);
1650 return NOTOK;
1651 }
1652 #endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
1653 }
1654
1655 ssl_bio = BIO_new(BIO_f_ssl());
1656
1657 if (! ssl_bio) {
1658 netsec_err(errstr, "Unable to create a SSL BIO: %s",
1659 ERR_error_string(ERR_get_error(), NULL));
1660 SSL_free(ssl);
1661 return NOTOK;
1662 }
1663
1664 BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
1665 nsc->ssl_io = ssl_bio;
1666
1667 /*
1668 * Since SSL now owns these file descriptors, have it handle the
1669 * closing of them instead of netsec_shutdown().
1670 */
1671
1672 nsc->ns_noclose = 1;
1673
1674 return OK;
1675 }
1676 BIO_free_all(nsc->ssl_io);
1677 nsc->ssl_io = NULL;
1678
1679 #else /* TLS_SUPPORT */
1680 NMH_UNUSED(nsc);
1681 NMH_UNUSED(noverify);
1682
1683 if (tls) {
1684 netsec_err(errstr, "TLS is not supported");
1685 return NOTOK;
1686 }
1687 #endif /* TLS_SUPPORT */
1688
1689 return OK;
1690 }
1691
1692 /*
1693 * Start TLS negotiation on this connection
1694 */
1695
1696 int
1697 netsec_negotiate_tls(netsec_context *nsc, char **errstr)
1698 {
1699 #ifdef TLS_SUPPORT
1700 if (! nsc->ssl_io) {
1701 netsec_err(errstr, "TLS has not been configured for this connection");
1702 return NOTOK;
1703 }
1704
1705 if (BIO_do_handshake(nsc->ssl_io) < 1) {
1706 unsigned long errcode = ERR_get_error();
1707
1708 /*
1709 * Print a more detailed message if it was certificate verification
1710 * failure.
1711 */
1712
1713 if (ERR_GET_LIB(errcode) == ERR_LIB_SSL &&
1714 ERR_GET_REASON(errcode) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
1715 SSL *ssl;
1716
1717 if (BIO_get_ssl(nsc->ssl_io, &ssl) < 1) {
1718 netsec_err(errstr, "Certificate verification failed, but "
1719 "cannot retrieve SSL handle: %s",
1720 ERR_error_string(ERR_get_error(), NULL));
1721 } else {
1722 netsec_err(errstr, "Server certificate verification failed: %s",
1723 X509_verify_cert_error_string(
1724 SSL_get_verify_result(ssl)));
1725 }
1726 } else {
1727 netsec_err(errstr, "TLS negotiation failed: %s",
1728 ERR_error_string(errcode, NULL));
1729 }
1730
1731 /*
1732 * Because negotiation failed, shut down TLS so we don't get any
1733 * garbage on the connection. Because of weirdness with SSL_shutdown,
1734 * we end up calling it twice: once explicitly, once as part of
1735 * BIO_free_all().
1736 */
1737
1738 BIO_ssl_shutdown(nsc->ssl_io);
1739 BIO_free_all(nsc->ssl_io);
1740 nsc->ssl_io = NULL;
1741
1742 return NOTOK;
1743 }
1744
1745 if (nsc->ns_snoop) {
1746 SSL *ssl;
1747
1748 if (BIO_get_ssl(nsc->ssl_io, &ssl) < 1) {
1749 fprintf(stderr, "WARNING: cannot determine SSL ciphers\n");
1750 } else {
1751 const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
1752 fprintf(stderr, "TLS negotiation successful: %s(%d) %s\n",
1753 SSL_CIPHER_get_name(cipher),
1754 SSL_CIPHER_get_bits(cipher, NULL),
1755 SSL_CIPHER_get_version(cipher));
1756 SSL_SESSION_print_fp(stderr, SSL_get_session(ssl));
1757 }
1758 }
1759
1760 nsc->tls_active = 1;
1761
1762 return OK;
1763 #else /* TLS_SUPPORT */
1764 NMH_UNUSED(nsc);
1765 netsec_err(errstr, "TLS not supported");
1766
1767 return NOTOK;
1768 #endif /* TLS_SUPPORT */
1769 }
1770
1771 /*
1772 * Generate an (allocated) error string
1773 */
1774
1775 void
1776 netsec_err(char **errstr, const char *fmt, ...)
1777 {
1778 va_list ap;
1779 size_t errbufsize;
1780 char *errbuf = NULL;
1781 int rc = 127;
1782
1783 if (! errstr)
1784 return;
1785
1786 do {
1787 errbufsize = rc + 1;
1788 errbuf = mh_xrealloc(errbuf, errbufsize);
1789 va_start(ap, fmt);
1790 rc = vsnprintf(errbuf, errbufsize, fmt, ap);
1791 va_end(ap);
1792 } while (rc >= (int) errbufsize);
1793
1794 *errstr = errbuf;
1795 }
Fork of https://git.savannah.nongnu.org/cgit/nmh.git