X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/4ea2f92f36fcf39727438cd55580c99a5a6e6ad8..44c4b1b168d0ac7c860f91495c423f425e8a87d9:/sbr/netsec.c diff --git a/sbr/netsec.c b/sbr/netsec.c index 372732c3..895892a2 100644 --- a/sbr/netsec.c +++ b/sbr/netsec.c @@ -54,8 +54,12 @@ static SSL_CTX *sslctx = NULL; /* SSL Context */ */ struct _netsec_context { - int ns_fd; /* Descriptor for network connection */ + int ns_readfd; /* Read descriptor for network connection */ + int ns_writefd; /* Write descriptor for network connection */ int ns_snoop; /* If true, display network data */ + int ns_snoop_noend; /* If true, didn't get a CR/LF on last line */ + netsec_snoop_callback *ns_snoop_cb; /* Snoop output callback */ + void *ns_snoop_context; /* Context data for snoop function */ int ns_timeout; /* Network read timeout, in seconds */ char *ns_userid; /* Userid for authentication */ unsigned char *ns_inbuffer; /* Our read input buffer */ @@ -89,12 +93,6 @@ struct _netsec_context { #endif /* TLS_SUPPORT */ }; -/* - * Function to allocate error message strings - */ - -static void netsec_err(char **errstr, const char *format, ...); - /* * Function to read data from the actual network socket */ @@ -126,8 +124,12 @@ netsec_init(void) { netsec_context *nsc = mh_xmalloc(sizeof(*nsc)); - nsc->ns_fd = -1; + nsc->ns_readfd = -1; + nsc->ns_writefd = -1; nsc->ns_snoop = 0; + nsc->ns_snoop_noend = 0; + nsc->ns_snoop_cb = NULL; + nsc->ns_snoop_context = NULL; nsc->ns_userid = NULL; nsc->ns_timeout = 60; /* Our default */ nsc->ns_inbufsize = NETSEC_BUFSIZE; @@ -214,8 +216,12 @@ netsec_shutdown(netsec_context *nsc, int closeflag) BIO_free_all(nsc->ssl_io); #endif /* TLS_SUPPORT */ - if (closeflag && nsc->ns_fd != -1) - close(nsc->ns_fd); + if (closeflag) { + if (nsc->ns_readfd != -1) + close(nsc->ns_readfd); + if (nsc->ns_writefd != -1 && nsc->ns_writefd != nsc->ns_readfd) + close(nsc->ns_writefd); + } free(nsc); } @@ -225,9 +231,10 @@ netsec_shutdown(netsec_context *nsc, int closeflag) */ void -netsec_set_fd(netsec_context *nsc, int fd) +netsec_set_fd(netsec_context *nsc, int readfd, int writefd) { - nsc->ns_fd = fd; + nsc->ns_readfd = readfd; + nsc->ns_writefd = writefd; } /* @@ -260,6 +267,52 @@ netsec_set_snoop(netsec_context *nsc, int snoop) nsc->ns_snoop = snoop; } +/* + * Set the snoop callback for this connection. + */ + +void netsec_set_snoop_callback(netsec_context *nsc, + netsec_snoop_callback callback, void *context) +{ + nsc->ns_snoop_cb = callback; + nsc->ns_snoop_context = context; +} + +/* + * A base64-decoding snoop callback + */ + +void +netsec_b64_snoop_decoder(netsec_context *nsc, const char *string, size_t len, + void *context) +{ + const char *decoded; + size_t decodedlen; + NMH_UNUSED(nsc); + int offset; + + offset = context ? *((int *) context) : 0; + + if (offset > 0) { + /* + * Output non-base64 data first. + */ + fprintf(stderr, "%.*s", offset, string); + string += offset; + len -= offset; + } + + if (decodeBase64(string, &decoded, &decodedlen, 1, NULL) == OK) { + char *hexified; + hexify((const unsigned char *) decoded, decodedlen, &hexified); + fprintf(stderr, "b64<%s>\n", hexified); + free(hexified); + free((char *) decoded); + } else { + fprintf(stderr, "%.*s\n", (int) len, string); + } +} + /* * Set the read timeout for this connection */ @@ -327,7 +380,7 @@ netsec_read(netsec_context *nsc, void *buffer, size_t size, char **errstr) */ char * -netsec_readline(netsec_context *nsc, char **errstr) +netsec_readline(netsec_context *nsc, size_t *len, char **errstr) { unsigned char *ptr = nsc->ns_inptr; size_t count = 0, offset; @@ -344,8 +397,26 @@ retry: if (count > 1 && *(ptr - 2) == '\r') ptr--; *--ptr = '\0'; + if (len) + *len = ptr - nsc->ns_inptr; nsc->ns_inptr += count; nsc->ns_inbuflen -= count; + if (nsc->ns_snoop) { +#ifdef CYRUS_SASL + if (nsc->sasl_seclayer) + fprintf(stderr, "(sasl-decrypted) "); +#endif /* CYRUS_SASL */ +#ifdef TLS_SUPPORT + if (nsc->tls_active) + fprintf(stderr, "(tls-decrypted) "); +#endif /* TLS_SUPPORT */ + fprintf(stderr, "<= "); + if (nsc->ns_snoop_cb) + nsc->ns_snoop_cb(nsc, sptr, strlen(sptr), + nsc->ns_snoop_context); + else + fprintf(stderr, "%s\n", sptr); + } return sptr; } } @@ -412,12 +483,12 @@ retry: fd_set rfds; FD_ZERO(&rfds); - FD_SET(nsc->ns_fd, &rfds); + FD_SET(nsc->ns_readfd, &rfds); tv.tv_sec = nsc->ns_timeout; tv.tv_usec = 0; - rc = select(nsc->ns_fd + 1, &rfds, NULL, NULL, &tv); + rc = select(nsc->ns_readfd + 1, &rfds, NULL, NULL, &tv); if (rc == -1) { netsec_err(errstr, "select() while reading failed: %s", @@ -489,7 +560,7 @@ retry: * select() above) so this read SHOULDN'T block. Hopefully. */ - rc = read(nsc->ns_fd, readbuf, readbufsize); + rc = read(nsc->ns_readfd, readbuf, readbufsize); if (rc == 0) { netsec_err(errstr, "Received EOF on network read"); @@ -567,24 +638,10 @@ netsec_write(netsec_context *nsc, const void *buffer, size_t size, const unsigned char *bufptr = buffer; int rc, remaining; - /* - * If TLS is active, then bypass all of our buffering logic; just - * write it directly to our BIO. We have a buffering BIO first in - * our stack, so buffering will take place there. - */ -#ifdef TLS_SUPPORT - if (nsc->tls_active) { - rc = BIO_write(nsc->ssl_io, buffer, size); - - if (rc <= 0) { - netsec_err(errstr, "Error writing to TLS connection: %s", - ERR_error_string(ERR_get_error(), NULL)); - return NOTOK; - } + /* Just in case */ + if (size == 0) return OK; - } -#endif /* TLS_SUPPORT */ /* * Run a loop copying in data to our local buffer; when we're done with @@ -624,6 +681,7 @@ netsec_write(netsec_context *nsc, const void *buffer, size_t size, /* * Our network printf() routine, which really just calls netsec_vprintf(). + */ int netsec_printf(netsec_context *nsc, char **errstr, const char *format, ...) @@ -631,7 +689,7 @@ netsec_printf(netsec_context *nsc, char **errstr, const char *format, ...) va_list ap; int rc; - va_start(format, ap); + va_start(ap, format); rc = netsec_vprintf(nsc, errstr, format, ap); va_end(ap); @@ -651,23 +709,6 @@ netsec_vprintf(netsec_context *nsc, char **errstr, const char *format, { int rc; - /* - * Again, if we're using TLS, then bypass our local buffering - */ -#ifdef TLS_SUPPORT - if (nsc->tls_active) { - rc = BIO_vprintf(nsc->ssl_io, format, ap); - - if (rc <= 0) { - netsec_err(errstr, "Error writing to TLS connection: %s", - ERR_error_string(ERR_get_error(), NULL)); - return NOTOK; - } - - return OK; - } -#endif /* TLS_SUPPORT */ - /* * Cheat a little. If we can fit the data into our outgoing buffer, * great! If not, generate a flush and retry once. @@ -709,6 +750,35 @@ retry: } } + if (nsc->ns_snoop) { + int outlen = rc; + if (outlen > 0 && nsc->ns_outptr[outlen - 1] == '\n') { + outlen--; + if (outlen > 0 && nsc->ns_outptr[outlen - 1] == '\r') + outlen--; + } else { + nsc->ns_snoop_noend = 1; + } + if (outlen > 0 || nsc->ns_snoop_noend == 0) { +#ifdef CYRUS_SASL + if (nsc->sasl_seclayer) + fprintf(stderr, "(sasl-encrypted) "); +#endif /* CYRUS_SASL */ +#ifdef TLS_SUPPORT + if (nsc->tls_active) + fprintf(stderr, "(tls-encrypted) "); +#endif /* TLS_SUPPORT */ + fprintf(stderr, "=> "); + if (nsc->ns_snoop_cb) + nsc->ns_snoop_cb(nsc, (char *) nsc->ns_outptr, outlen, + nsc->ns_snoop_context); + else + fprintf(stderr, "%.*s\n", outlen, nsc->ns_outptr); + } else { + nsc->ns_snoop_noend = 0; + } + } + nsc->ns_outptr += rc; nsc->ns_outbuflen += rc; @@ -728,26 +798,15 @@ netsec_flush(netsec_context *nsc, char **errstr) int rc; /* - * For TLS connections, just call BIO_flush(); we'll let TLS handle - * all of our output buffering. + * Small optimization */ -#ifdef TLS_SUPPORT - if (nsc->tls_active) { - rc = BIO_flush(nsc->ssl_io); - - if (rc <= 0) { - netsec_err(errstr, "Error flushing TLS connection: %s", - ERR_error_string(ERR_get_error(), NULL)); - return NOTOK; - } + if (netoutlen == 0) return OK; - } -#endif /* TLS_SUPPORT */ /* * If SASL security layers are in effect, run the data through - * sasl_encode() first and then write it. + * sasl_encode() first. */ #ifdef CYRUS_SASL if (nsc->sasl_seclayer) { @@ -762,11 +821,27 @@ netsec_flush(netsec_context *nsc, char **errstr) } #endif /* CYRUS_SASL */ - rc = write(nsc->ns_fd, netoutbuf, netoutlen); - if (rc < 0) { - netsec_err(errstr, "write() failed: %s", strerror(errno)); - return NOTOK; + /* + * If TLS is active, then use those functions to write out the + * data. + */ +#ifdef TLS_SUPPORT + if (nsc->tls_active) { + if (BIO_write(nsc->ssl_io, netoutbuf, netoutlen) <= 0) { + netsec_err(errstr, "Error writing to TLS connection: %s", + ERR_error_string(ERR_get_error(), NULL)); + return NOTOK; + } + } else +#endif /* TLS_SUPPORT */ + { + rc = write(nsc->ns_writefd, netoutbuf, netoutlen); + + if (rc < 0) { + netsec_err(errstr, "write() failed: %s", strerror(errno)); + return NOTOK; + } } nsc->ns_outptr = nsc->ns_outbuffer; @@ -832,7 +907,21 @@ netsec_set_sasl_params(netsec_context *nsc, const char *hostname, return NOTOK; } - nsc->sasl_mech = mechanism ? getcpy(mechanism) : NULL; + /* + * According to the RFC, mechanisms can only be uppercase letter, numbers, + * and a hypen or underscore. So make sure we uppercase any letters + * in case the user passed in lowercase. + */ + + if (mechanism) { + char *p; + nsc->sasl_mech = getcpy(mechanism); + + for (p = nsc->sasl_mech; *p; p++) + if (isascii((unsigned char) *p)) /* Just in case */ + *p = toupper((unsigned char) *p); + } + nsc->sasl_proto_cb = callback; nsc->sasl_hostname = getcpy(hostname); @@ -965,7 +1054,8 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) int *outbufmax; #endif #ifdef OAUTH_SUPPORT - const char *xoauth_client_res; + unsigned char *xoauth_client_res; + size_t xoauth_client_res_len; #endif /* OAUTH_SUPPORT */ int rc; @@ -988,7 +1078,6 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) i = (str[i] == NULL); - free(str); free(mlist); if (i) { @@ -999,11 +1088,11 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) } #ifdef OAUTH_SUPPORT - if (strcasecmp(nsc->sasl_mech, "XOAUTH2") == 0) { + if (nsc->sasl_mech && strcasecmp(nsc->sasl_mech, "XOAUTH2") == 0) { /* * This should be relatively straightforward, but requires some * help from the plugin. Basically, if XOAUTH2 is a success, - * the plugin has to return success, but no output data. If + * the callback has to return success, but no output data. If * there is output data, it will be assumed that it is the JSON * error message. */ @@ -1015,19 +1104,46 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) nsc->sasl_chosen_mech = getcpy(nsc->sasl_mech); - xoauth_client_res = mh_oauth_do_xoauth(nsc->ns_userid, - nsc->oauth_service, - nsc->ns_snoop ? stderr : NULL); - - if (xoauth_client_res == NULL) { - netsec_err(errstr, "Internal error: mh_oauth_do_xoauth() " - "returned NULL"); + if (mh_oauth_do_xoauth(nsc->ns_userid, nsc->oauth_service, + &xoauth_client_res, &xoauth_client_res_len, + nsc->ns_snoop ? stderr : NULL) != OK) { + netsec_err(errstr, "Internal error: Unable to get OAuth2 " + "bearer token"); return NOTOK; } -#if 0 - rc = nsc->sasl_proto_cb(NETSEC_SASL_START, -#endif + rc = nsc->sasl_proto_cb(NETSEC_SASL_START, xoauth_client_res, + xoauth_client_res_len, NULL, 0, errstr); + free(xoauth_client_res); + + if (rc != OK) + return NOTOK; + + /* + * Okay, we need to do a NETSEC_SASL_FINISH now. If we return + * success, we indicate that with no output data. But if we + * fail, then send a blank message and get the resulting + * error. + */ + + rc = nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0, errstr); + + if (rc != OK) { + /* + * We're going to assume the error here is a JSON response; + * we ignore it and send a blank message in response. We should + * then get either an +OK or -ERR + */ + free(*errstr); + nsc->sasl_proto_cb(NETSEC_SASL_WRITE, NULL, 0, NULL, 0, NULL); + rc = nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0, + errstr); + if (rc == 0) { + netsec_err(errstr, "Unexpected success after OAuth failure!"); + } + return NOTOK; + } + return OK; } #endif /* OAUTH_SUPPORT */ @@ -1078,18 +1194,8 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) nsc->sasl_chosen_mech = getcpy(chosen_mech); - if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, &outbuf, - &outbuflen, errstr) != OK) - return NOTOK; - - if (netsec_write(nsc, outbuf, outbuflen, errstr) != OK) { - free(outbuf); - return NOTOK; - } - - free(outbuf); - - if (netsec_flush(nsc, errstr) != OK) + if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, NULL, 0, + errstr) != OK) return NOTOK; /* @@ -1104,52 +1210,28 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) if (nsc->sasl_proto_cb(NETSEC_SASL_READ, NULL, 0, &outbuf, &outbuflen, errstr) != OK) { - if (nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, &outbuf, - &outbuflen, NULL) == OK) { - netsec_write(nsc, outbuf, outbuflen, NULL); - netsec_flush(nsc, NULL); - free(outbuf); - } + nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0, NULL); return NOTOK; } rc = sasl_client_step(nsc->sasl_conn, (char *) outbuf, outbuflen, NULL, (const char **) &saslbuf, &saslbuflen); - free(outbuf); + if (outbuf) + free(outbuf); if (rc != SASL_OK && rc != SASL_CONTINUE) { netsec_err(errstr, "SASL client negotiation failed: %s", sasl_errdetail(nsc->sasl_conn)); - if (nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, &outbuf, - &outbuflen, NULL) == OK) { - netsec_write(nsc, outbuf, outbuflen, NULL); - netsec_flush(nsc, NULL); - free(outbuf); - } + nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0, NULL); return NOTOK; } if (nsc->sasl_proto_cb(NETSEC_SASL_WRITE, saslbuf, saslbuflen, - &outbuf, &outbuflen, errstr) != OK) { - if (nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, &outbuf, - &outbuflen, NULL) == OK) { - netsec_write(nsc, outbuf, outbuflen, NULL); - netsec_flush(nsc, NULL); - free(outbuf); - } + NULL, 0, errstr) != OK) { + nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0, NULL); return NOTOK; } - - if (netsec_write(nsc, outbuf, outbuflen, errstr) != OK) { - free(outbuf); - return NOTOK; - } - - free(outbuf); - - if (netsec_flush(nsc, errstr) != OK) - return NOTOK; } /* @@ -1284,7 +1366,7 @@ netsec_set_tls(netsec_context *nsc, int tls, char **errstr) if (tls) { #ifdef TLS_SUPPORT SSL *ssl; - BIO *sbio, *ssl_bio;; + BIO *rbio, *wbio, *ssl_bio;; if (! tls_initialized) { SSL_library_init(); @@ -1310,7 +1392,7 @@ netsec_set_tls(netsec_context *nsc, int tls, char **errstr) tls_initialized++; } - if (nsc->ns_fd == -1) { + if (nsc->ns_readfd == -1 || nsc->ns_writefd == -1) { netsec_err(errstr, "Invalid file descriptor in netsec context"); return NOTOK; } @@ -1350,27 +1432,28 @@ netsec_set_tls(netsec_context *nsc, int tls, char **errstr) * So writes and reads are buffered (we mostly care about writes). */ - sbio = BIO_new_socket(nsc->ns_fd, BIO_NOCLOSE); + rbio = BIO_new_socket(nsc->ns_readfd, BIO_NOCLOSE); - if (! sbio) { - netsec_err(errstr, "Unable to create a socket BIO: %s", + if (! rbio) { + netsec_err(errstr, "Unable to create a read socket BIO: %s", ERR_error_string(ERR_get_error(), NULL)); SSL_free(ssl); return NOTOK; } - SSL_set_bio(ssl, sbio, sbio); - SSL_set_connect_state(ssl); - - nsc->ssl_io = BIO_new(BIO_f_buffer()); + wbio = BIO_new_socket(nsc->ns_writefd, BIO_NOCLOSE); - if (! nsc->ssl_io) { - netsec_err(errstr, "Unable to create a buffer BIO: %s", + if (! wbio) { + netsec_err(errstr, "Unable to create a write socket BIO: %s", ERR_error_string(ERR_get_error(), NULL)); SSL_free(ssl); + BIO_free(rbio); return NOTOK; } + SSL_set_bio(ssl, rbio, wbio); + SSL_set_connect_state(ssl); + ssl_bio = BIO_new(BIO_f_ssl()); if (! ssl_bio) { @@ -1381,7 +1464,7 @@ netsec_set_tls(netsec_context *nsc, int tls, char **errstr) } BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE); - BIO_push(nsc->ssl_io, ssl_bio); + nsc->ssl_io = ssl_bio; return OK; } else { @@ -1424,7 +1507,7 @@ netsec_negotiate_tls(netsec_context *nsc, char **errstr) fprintf(stderr, "WARNING: cannot determine SSL ciphers\n"); } else { const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); - fprintf(stderr, "TLS negotation successful: %s(%d) %s\n", + fprintf(stderr, "TLS negotiation successful: %s(%d) %s\n", SSL_CIPHER_get_name(cipher), SSL_CIPHER_get_bits(cipher, NULL), SSL_CIPHER_get_version(cipher)); @@ -1433,16 +1516,6 @@ netsec_negotiate_tls(netsec_context *nsc, char **errstr) nsc->tls_active = 1; - /* - * At this point, TLS has been activated; we're not going to use - * the output buffer, so free it now to save a little bit of memory. - */ - - if (nsc->ns_outbuffer) { - free(nsc->ns_outbuffer); - nsc->ns_outbuffer = NULL; - } - return OK; #else /* TLS_SUPPORT */ netsec_err(errstr, "TLS not supported"); @@ -1455,7 +1528,7 @@ netsec_negotiate_tls(netsec_context *nsc, char **errstr) * Generate an (allocated) error string */ -static void +void netsec_err(char **errstr, const char *fmt, ...) { va_list ap;