X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/cff807ba1e4bf89c3dd0d3c746caba61211cf5c2..6648309573e82f1e4c6f441dcd616b59b8eaad71:/sbr/netsec.c diff --git a/sbr/netsec.c b/sbr/netsec.c index 0333bf20..97d306b4 100644 --- a/sbr/netsec.c +++ b/sbr/netsec.c @@ -71,6 +71,8 @@ struct _netsec_context { unsigned int ns_outbuflen; /* Output buffer data length */ unsigned int ns_outbufsize; /* Output buffer size */ char *sasl_mech; /* User-requested mechanism */ + char *sasl_chosen_mech; /* Mechanism chosen by SASL */ + netsec_sasl_callback sasl_proto_cb; /* SASL callback we use */ #ifdef OAUTH_SUPPORT char *oauth_service; /* OAuth2 service name */ #endif /* OAUTH_SUPPORT */ @@ -78,11 +80,9 @@ struct _netsec_context { char *sasl_hostname; /* Hostname we've connected to */ sasl_conn_t *sasl_conn; /* SASL connection context */ sasl_ssf_t sasl_ssf; /* SASL Security Strength Factor */ - netsec_sasl_callback sasl_proto_cb; /* SASL callback we use */ sasl_callback_t *sasl_cbs; /* Callbacks used by SASL */ nmh_creds_t sasl_creds; /* Credentials (username/password) */ sasl_secret_t *sasl_secret; /* SASL password structure */ - char *sasl_chosen_mech; /* Mechanism chosen by SASL */ int sasl_seclayer; /* If true, SASL security layer is enabled */ char *sasl_tmpbuf; /* Temporary read buffer for decodes */ size_t sasl_maxbufsize; /* Maximum negotiated SASL buffer size */ @@ -99,6 +99,12 @@ struct _netsec_context { static int netsec_fillread(netsec_context *ns_context, char **errstr); +/* + * Code to check the ASCII content of a byte array. + */ + +static int checkascii(const unsigned char *byte, size_t len); + /* * How this code works, in general. * @@ -141,6 +147,8 @@ netsec_init(void) nsc->ns_outptr = nsc->ns_outbuffer; nsc->ns_outbuflen = 0; nsc->sasl_mech = NULL; + nsc->sasl_chosen_mech = NULL; + nsc->sasl_proto_cb = NULL; #ifdef OAUTH_SUPPORT nsc->oauth_service = NULL; #endif /* OAUTH_SUPPORT */ @@ -150,7 +158,6 @@ netsec_init(void) nsc->sasl_cbs = NULL; nsc->sasl_creds = NULL; nsc->sasl_secret = NULL; - nsc->sasl_chosen_mech = NULL; nsc->sasl_ssf = 0; nsc->sasl_seclayer = 0; nsc->sasl_tmpbuf = NULL; @@ -179,6 +186,8 @@ netsec_shutdown(netsec_context *nsc, int closeflag) free(nsc->ns_outbuffer); if (nsc->sasl_mech) free(nsc->sasl_mech); + if (nsc->sasl_chosen_mech) + free(nsc->sasl_chosen_mech); #ifdef OAUTH_SERVICE if (nsc->oauth_service) free(nsc->oauth_service); @@ -202,8 +211,6 @@ netsec_shutdown(netsec_context *nsc, int closeflag) } free(nsc->sasl_secret); } - if (nsc->sasl_chosen_mech) - free(nsc->sasl_chosen_mech); if (nsc->sasl_tmpbuf) free(nsc->sasl_tmpbuf); #endif /* CYRUS_SASL */ @@ -231,7 +238,7 @@ netsec_shutdown(netsec_context *nsc, int closeflag) */ void -netsec_set_fd(netsec_context *nsc, int readfd, writefd) +netsec_set_fd(netsec_context *nsc, int readfd, int writefd) { nsc->ns_readfd = readfd; nsc->ns_writefd = writefd; @@ -286,10 +293,12 @@ void netsec_b64_snoop_decoder(netsec_context *nsc, const char *string, size_t len, void *context) { - const char *decoded; + unsigned char *decoded; size_t decodedlen; + int offset; + NMH_UNUSED(nsc); - int offset = context ? *((int *) context) : 0; + offset = context ? *((int *) context) : 0; if (offset > 0) { /* @@ -301,16 +310,48 @@ netsec_b64_snoop_decoder(netsec_context *nsc, const char *string, size_t len, } if (decodeBase64(string, &decoded, &decodedlen, 1, NULL) == OK) { - char *hexified; - hexify((const unsigned char *) decoded, decodedlen, &hexified); - fprintf(stderr, "b64<%s>\n", hexified); - free(hexified); - free((char *) decoded); + /* + * Some mechanisms preoduce large binary tokens, which aren't really + * readable. So let's do a simple heuristic. If the token is greater + * than 100 characters _and_ the first 100 bytes are more than 50% + * non-ASCII, then don't print the decoded buffer, just the + * base64 text. + */ + if (decodedlen > 100 && !checkascii(decoded, 100)) { + fprintf(stderr, "%.*s\n", (int) len, string); + } else { + char *hexified; + hexify(decoded, decodedlen, &hexified); + fprintf(stderr, "b64<%s>\n", hexified); + free(hexified); + } + free(decoded); } else { fprintf(stderr, "%.*s\n", (int) len, string); } } +/* + * If the ASCII content is > 50%, return 1 + */ + +static int +checkascii(const unsigned char *bytes, size_t len) +{ + size_t count = 0, half = len / 2; + + while (len-- > 0) { + if (isascii(*bytes) && isprint(*bytes) && ++count > half) + return 1; + bytes++; + /* No chance by this point */ + if (count + len < half) + return 0; + } + + return 0; +} + /* * Set the read timeout for this connection */ @@ -370,11 +411,12 @@ netsec_read(netsec_context *nsc, void *buffer, size_t size, char **errstr) * * - Unlike every other function, we return a pointer to the * existing buffer. This pointer is valid until you call another - * read functiona again. - * - We NUL-terminated the buffer right at the end, before the terminator. + * read function again. + * - We NUL-terminate the buffer right at the end, before the CR-LF terminator. * - Technically we look for a LF; if we find a CR right before it, then * we back up one. - * - If your data may contain embedded NULs, this won't work. + * - If your data may contain embedded NULs, this won't work. You should + * be using netsec_read() in that case. */ char * @@ -402,11 +444,11 @@ retry: if (nsc->ns_snoop) { #ifdef CYRUS_SASL if (nsc->sasl_seclayer) - fprintf(stderr, "(sasl-encrypted) "); + fprintf(stderr, "(sasl-decrypted) "); #endif /* CYRUS_SASL */ #ifdef TLS_SUPPORT if (nsc->tls_active) - fprintf(stderr, "(tls-encrypted) "); + fprintf(stderr, "(tls-decrypted) "); #endif /* TLS_SUPPORT */ fprintf(stderr, "<= "); if (nsc->ns_snoop_cb) @@ -468,7 +510,9 @@ netsec_fillread(netsec_context *nsc, char **errstr) nsc->ns_inptr = nsc->ns_inbuffer; } +#ifdef CYRUS_SASL retry: +#endif /* CYRUS_SASL */ /* * If we are using TLS and there's anything pending, then skip the * select call @@ -641,25 +685,6 @@ netsec_write(netsec_context *nsc, const void *buffer, size_t size, if (size == 0) return OK; - /* - * If TLS is active, then bypass all of our buffering logic; just - * write it directly to our BIO. We have a buffering BIO first in - * our stack, so buffering will take place there. - */ -#ifdef TLS_SUPPORT - if (nsc->tls_active) { - rc = BIO_write(nsc->ssl_io, buffer, size); - - if (rc <= 0) { - netsec_err(errstr, "Error writing to TLS connection: %s", - ERR_error_string(ERR_get_error(), NULL)); - return NOTOK; - } - - return OK; - } -#endif /* TLS_SUPPORT */ - /* * Run a loop copying in data to our local buffer; when we're done with * any buffer overflows then just copy any remaining data in. @@ -726,23 +751,6 @@ netsec_vprintf(netsec_context *nsc, char **errstr, const char *format, { int rc; - /* - * Again, if we're using TLS, then bypass our local buffering - */ -#ifdef TLS_SUPPORT - if (nsc->tls_active) { - rc = BIO_vprintf(nsc->ssl_io, format, ap); - - if (rc <= 0) { - netsec_err(errstr, "Error writing to TLS connection: %s", - ERR_error_string(ERR_get_error(), NULL)); - return NOTOK; - } - - return OK; - } -#endif /* TLS_SUPPORT */ - /* * Cheat a little. If we can fit the data into our outgoing buffer, * great! If not, generate a flush and retry once. @@ -804,7 +812,7 @@ retry: #endif /* TLS_SUPPORT */ fprintf(stderr, "=> "); if (nsc->ns_snoop_cb) - nsc->ns_snoop_cb(nsc, nsc->ns_outptr, outlen, + nsc->ns_snoop_cb(nsc, (char *) nsc->ns_outptr, outlen, nsc->ns_snoop_context); else fprintf(stderr, "%.*s\n", outlen, nsc->ns_outptr); @@ -831,24 +839,6 @@ netsec_flush(netsec_context *nsc, char **errstr) unsigned int netoutlen = nsc->ns_outbuflen; int rc; - /* - * For TLS connections, just call BIO_flush(); we'll let TLS handle - * all of our output buffering. - */ -#ifdef TLS_SUPPORT - if (nsc->tls_active) { - rc = BIO_flush(nsc->ssl_io); - - if (rc <= 0) { - netsec_err(errstr, "Error flushing TLS connection: %s", - ERR_error_string(ERR_get_error(), NULL)); - return NOTOK; - } - - return OK; - } -#endif /* TLS_SUPPORT */ - /* * Small optimization */ @@ -858,7 +848,7 @@ netsec_flush(netsec_context *nsc, char **errstr) /* * If SASL security layers are in effect, run the data through - * sasl_encode() first and then write it. + * sasl_encode() first. */ #ifdef CYRUS_SASL if (nsc->sasl_seclayer) { @@ -873,11 +863,27 @@ netsec_flush(netsec_context *nsc, char **errstr) } #endif /* CYRUS_SASL */ - rc = write(nsc->ns_writefd, netoutbuf, netoutlen); - if (rc < 0) { - netsec_err(errstr, "write() failed: %s", strerror(errno)); - return NOTOK; + /* + * If TLS is active, then use those functions to write out the + * data. + */ +#ifdef TLS_SUPPORT + if (nsc->tls_active) { + if (BIO_write(nsc->ssl_io, netoutbuf, netoutlen) <= 0) { + netsec_err(errstr, "Error writing to TLS connection: %s", + ERR_error_string(ERR_get_error(), NULL)); + return NOTOK; + } + } else +#endif /* TLS_SUPPORT */ + { + rc = write(nsc->ns_writefd, netoutbuf, netoutlen); + + if (rc < 0) { + netsec_err(errstr, "write() failed: %s", strerror(errno)); + return NOTOK; + } } nsc->ns_outptr = nsc->ns_outbuffer; @@ -943,16 +949,31 @@ netsec_set_sasl_params(netsec_context *nsc, const char *hostname, return NOTOK; } - nsc->sasl_mech = mechanism ? getcpy(mechanism) : NULL; - nsc->sasl_proto_cb = callback; nsc->sasl_hostname = getcpy(hostname); - - return OK; #else /* CYRUS_SASL */ - netsec_err(errstr, "SASL is not supported"); - - return NOTOK; + NMH_UNUSED(hostname); + NMH_UNUSED(service); + NMH_UNUSED(errstr); #endif /* CYRUS_SASL */ + + /* + * According to the RFC, mechanisms can only be uppercase letter, numbers, + * and a hypen or underscore. So make sure we uppercase any letters + * in case the user passed in lowercase. + */ + + if (mechanism) { + char *p; + nsc->sasl_mech = getcpy(mechanism); + + for (p = nsc->sasl_mech; *p; p++) + if (isascii((unsigned char) *p)) /* Just in case */ + *p = toupper((unsigned char) *p); + } + + nsc->sasl_proto_cb = callback; + + return OK; } #ifdef CYRUS_SASL @@ -1079,7 +1100,9 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) unsigned char *xoauth_client_res; size_t xoauth_client_res_len; #endif /* OAUTH_SUPPORT */ +#if defined CYRUS_SASL || defined OAUTH_SUPPORT int rc; +#endif /* CYRUS_SASL || OAUTH_SUPPORT */ /* * If we've been passed a requested mechanism, check our mechanism @@ -1100,7 +1123,6 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) i = (str[i] == NULL); - free(str); free(mlist); if (i) { @@ -1155,9 +1177,10 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) /* * We're going to assume the error here is a JSON response; * we ignore it and send a blank message in response. We should - * then get either an +OK or -ERR + * then get a failure messages with a useful error. We should + * NOT get a success message at this point. */ - free(errstr); + free(*errstr); nsc->sasl_proto_cb(NETSEC_SASL_WRITE, NULL, 0, NULL, 0, NULL); rc = nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0, errstr); @@ -1344,7 +1367,18 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) return OK; #else - netsec_err(errstr, "SASL not supported"); + /* + * If we're at this point, then either we have NEITHER OAuth2 or + * Cyrus-SASL compiled in, or have OAuth2 but didn't give the XOAUTH2 + * mechanism on the command line. + */ + + if (! nsc->sasl_mech) + netsec_err(errstr, "SASL library support not available; please " + "specify a SASL mechanism to use"); + else + netsec_err(errstr, "No support for the %s SASL mechanism", + nsc->sasl_mech); return NOTOK; #endif /* CYRUS_SASL */ @@ -1357,11 +1391,7 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) char * netsec_get_sasl_mechanism(netsec_context *nsc) { -#ifdef CYRUS_SASL return nsc->sasl_chosen_mech; -#else /* CYRUS_SASL */ - return NULL; -#endif /* CYRUS_SASL */ } /* @@ -1375,6 +1405,8 @@ netsec_set_oauth_service(netsec_context *nsc, const char *service) nsc->oauth_service = getcpy(service); return OK; #else /* OAUTH_SUPPORT */ + NMH_UNUSED(nsc); + NMH_UNUSED(service); return NOTOK; #endif /* OAUTH_SUPPORT */ } @@ -1447,12 +1479,11 @@ netsec_set_tls(netsec_context *nsc, int tls, char **errstr) * supplied socket. * * Then we create an SSL BIO, and assign our current SSL connection - * to it. We then create a buffer BIO and push it in front of our - * SSL BIO. So the chain looks like: + * to it. This is done so our code stays simple if we want to use + * any buffering BIOs (right now we do our own buffering). + * So the chain looks like: * - * buffer BIO -> SSL BIO -> socket BIO. - * - * So writes and reads are buffered (we mostly care about writes). + * SSL BIO -> socket BIO. */ rbio = BIO_new_socket(nsc->ns_readfd, BIO_NOCLOSE); @@ -1477,15 +1508,6 @@ netsec_set_tls(netsec_context *nsc, int tls, char **errstr) SSL_set_bio(ssl, rbio, wbio); SSL_set_connect_state(ssl); - nsc->ssl_io = BIO_new(BIO_f_buffer()); - - if (! nsc->ssl_io) { - netsec_err(errstr, "Unable to create a buffer BIO: %s", - ERR_error_string(ERR_get_error(), NULL)); - SSL_free(ssl); - return NOTOK; - } - ssl_bio = BIO_new(BIO_f_ssl()); if (! ssl_bio) { @@ -1496,7 +1518,7 @@ netsec_set_tls(netsec_context *nsc, int tls, char **errstr) } BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE); - BIO_push(nsc->ssl_io, ssl_bio); + nsc->ssl_io = ssl_bio; return OK; } else { @@ -1539,7 +1561,7 @@ netsec_negotiate_tls(netsec_context *nsc, char **errstr) fprintf(stderr, "WARNING: cannot determine SSL ciphers\n"); } else { const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); - fprintf(stderr, "TLS negotation successful: %s(%d) %s\n", + fprintf(stderr, "TLS negotiation successful: %s(%d) %s\n", SSL_CIPHER_get_name(cipher), SSL_CIPHER_get_bits(cipher, NULL), SSL_CIPHER_get_version(cipher)); @@ -1548,16 +1570,6 @@ netsec_negotiate_tls(netsec_context *nsc, char **errstr) nsc->tls_active = 1; - /* - * At this point, TLS has been activated; we're not going to use - * the output buffer, so free it now to save a little bit of memory. - */ - - if (nsc->ns_outbuffer) { - free(nsc->ns_outbuffer); - nsc->ns_outbuffer = NULL; - } - return OK; #else /* TLS_SUPPORT */ netsec_err(errstr, "TLS not supported");