X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/1d717e1c110562fd6bf28478c79f180cafeba776..HEAD:/src/src/auths/cyrus_sasl.c diff --git a/src/src/auths/cyrus_sasl.c b/src/src/auths/cyrus_sasl.c index 4b4f45b94..ed0995637 100644 --- a/src/src/auths/cyrus_sasl.c +++ b/src/src/auths/cyrus_sasl.c @@ -2,8 +2,10 @@ * Exim - an Internet mail transport agent * *************************************************/ +/* Copyright (c) The Exim Maintainers 2020 - 2023 */ /* Copyright (c) University of Cambridge 1995 - 2018 */ /* See the file NOTICE for conditions of use and distribution. */ +/* SPDX-License-Identifier: GPL-2.0-or-later */ /* This code was originally contributed by Matthew Byng-Maddick */ @@ -38,13 +40,13 @@ static void dummy(int x) { dummy2(x-1); } optionlist auth_cyrus_sasl_options[] = { { "server_hostname", opt_stringptr, - (void *)(offsetof(auth_cyrus_sasl_options_block, server_hostname)) }, + OPT_OFF(auth_cyrus_sasl_options_block, server_hostname) }, { "server_mech", opt_stringptr, - (void *)(offsetof(auth_cyrus_sasl_options_block, server_mech)) }, + OPT_OFF(auth_cyrus_sasl_options_block, server_mech) }, { "server_realm", opt_stringptr, - (void *)(offsetof(auth_cyrus_sasl_options_block, server_realm)) }, + OPT_OFF(auth_cyrus_sasl_options_block, server_realm) }, { "server_service", opt_stringptr, - (void *)(offsetof(auth_cyrus_sasl_options_block, server_service)) } + OPT_OFF(auth_cyrus_sasl_options_block, server_service) } }; /* Size of the options list. An extern variable has to be used so that its @@ -66,11 +68,11 @@ auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = { #ifdef MACRO_PREDEF /* Dummy values */ -void auth_cyrus_sasl_init(auth_instance *ablock) {} +void auth_cyrus_sasl_init(driver_instance *ablock) {} int auth_cyrus_sasl_server(auth_instance *ablock, uschar *data) {return 0;} int auth_cyrus_sasl_client(auth_instance *ablock, void * sx, int timeout, uschar *buffer, int buffsize) {return 0;} -void auth_cyrus_sasl_version_report(FILE *f) {} +gstring * auth_cyrus_sasl_version_report(gstring * g) {return NULL;} #else /*!MACRO_PREDEF*/ @@ -104,10 +106,10 @@ return SASL_FAIL; /* Here's the real function */ void -auth_cyrus_sasl_init(auth_instance *ablock) +auth_cyrus_sasl_init(driver_instance * a) { -auth_cyrus_sasl_options_block *ob = - (auth_cyrus_sasl_options_block *)(ablock->options_block); +auth_instance * ablock = (auth_instance *)a; +auth_cyrus_sasl_options_block * ob = a->options_block; const uschar *list, *listptr, *buffer; int rc, i; unsigned int len; @@ -127,14 +129,14 @@ if (!ob->server_mech) ob->server_mech = string_copy(ablock->public_name); if (!(expanded_hostname = expand_string(ob->server_hostname))) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " "couldn't expand server_hostname [%s]: %s", - ablock->name, ob->server_hostname, expand_string_message); + a->name, ob->server_hostname, expand_string_message); realm_expanded = NULL; if ( ob->server_realm && !(realm_expanded = CS expand_string(ob->server_realm))) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " "couldn't expand server_realm [%s]: %s", - ablock->name, ob->server_realm, expand_string_message); + a->name, ob->server_realm, expand_string_message); /* we're going to initialise the library to check that there is an authenticator of type whatever mechanism we're using */ @@ -144,16 +146,16 @@ cbs[0].context = ob->server_mech; if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " - "couldn't initialise Cyrus SASL library.", ablock->name); + "couldn't initialise Cyrus SASL library.", a->name); if ((rc = sasl_server_new(CS ob->server_service, CS expanded_hostname, realm_expanded, NULL, NULL, NULL, 0, &conn)) != SASL_OK) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " - "couldn't initialise Cyrus SASL server connection.", ablock->name); + "couldn't initialise Cyrus SASL server connection.", a->name); -if ((rc = sasl_listmech(conn, NULL, "", ":", "", (const char **)&list, &len, &i)) != SASL_OK) +if ((rc = sasl_listmech(conn, NULL, "", ":", "", CCSS &list, &len, &i)) != SASL_OK) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " - "couldn't get Cyrus SASL mechanism list.", ablock->name); + "couldn't get Cyrus SASL mechanism list.", a->name); i = ':'; listptr = list; @@ -179,11 +181,11 @@ while ( (buffer = string_nextinlist(&listptr, &i, NULL, 0)) if (!buffer) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " - "Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech); + "Cyrus SASL doesn't know about mechanism %s.", a->name, ob->server_mech); store_reset(rs_point); -HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name); +HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", a->name, ablock->public_name); /* make sure that if we get here then we're allowed to advertise. */ ablock->server = TRUE; @@ -202,16 +204,16 @@ sasl_done(); within a shortlived child */ int -auth_cyrus_sasl_server(auth_instance *ablock, uschar *data) +auth_cyrus_sasl_server(auth_instance * ablock, uschar * data) { -auth_cyrus_sasl_options_block *ob = - (auth_cyrus_sasl_options_block *)(ablock->options_block); -uschar *output, *out2, *input, *clear, *hname; -uschar *debug = NULL; /* Stops compiler complaining */ +auth_cyrus_sasl_options_block * ob = ablock->drinst.options_block; +const uschar * auname = ablock->drinst.name; +uschar * output, * out2, * input, * clear, * hname; +uschar * debug = NULL; /* Stops compiler complaining */ sasl_callback_t cbs[] = {{SASL_CB_LIST_END, NULL, NULL}}; -sasl_conn_t *conn; +sasl_conn_t * conn; char * realm_expanded = NULL; -int rc, firsttime = 1, clen, *negotiated_ssf_ptr = NULL, negotiated_ssf; +int rc, firsttime = 1, clen, * negotiated_ssf_ptr = NULL, negotiated_ssf; unsigned int inlen, outlen; input = data; @@ -230,7 +232,7 @@ if (!hname || !realm_expanded && ob->server_realm) if (inlen) { - if ((clen = b64decode(input, &clear)) < 0) + if ((clen = b64decode(input, &clear, input)) < 0) return BAD64; input = clear; inlen = clen; @@ -290,7 +292,6 @@ for (int i = 0; i < 2; ++i) const uschar * label; uschar * address_port; const char *s_err; - socklen_t sslen; if (i) { @@ -326,15 +327,15 @@ for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; ) { firsttime = 0; HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug); - rc = sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen, - (const char **)(&output), &outlen); + rc = sasl_server_start(conn, CS ob->server_mech, inlen ? CS input : NULL, inlen, + CCSS &output, &outlen); } else { - /* make sure that we have a null-terminated string */ - out2 = string_copyn(output, outlen); + /* auth_get_data() takes a length-specfied block of binary + which can include zeroes; no terminating NUL is needed */ - if ((rc = auth_get_data(&input, out2, outlen)) != OK) + if ((rc = auth_get_data(&input, output, outlen)) != OK) { /* we couldn't get the data, so free up the library before returning whatever error we get */ @@ -344,10 +345,10 @@ for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; ) } inlen = Ustrlen(input); - HDEBUG(D_auth) debug = string_copy(input); + HDEBUG(D_auth) debug = string_copy_taint(input, GET_TAINTED); if (inlen) { - if ((clen = b64decode(input, &clear)) < 0) + if ((clen = b64decode(input, &clear, GET_TAINTED)) < 0) { sasl_dispose(&conn); sasl_done(); @@ -358,7 +359,7 @@ for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; ) } HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug); - rc = sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen); + rc = sasl_server_step(conn, CS input, inlen, CCSS &output, &outlen); } if (rc == SASL_BADPROT) @@ -373,13 +374,13 @@ for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; ) /* Get the username and copy it into $auth1 and $1. The former is now the preferred variable; the latter is the original variable. */ - if ((sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2))) != SASL_OK) + if ((sasl_getprop(conn, SASL_USERNAME, (const void **)&out2)) != SASL_OK) { HDEBUG(D_auth) debug_printf("Cyrus SASL library will not tell us the username: %s\n", sasl_errstring(rc, NULL, NULL)); - log_write(0, LOG_REJECT, "%s authenticator (%s):\n " - "Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech, + log_write(0, LOG_REJECT, "%s authenticator (%s): " + "Cyrus SASL username fetch problem: %s", auname, ob->server_mech, sasl_errstring(rc, NULL, NULL)); sasl_dispose(&conn); sasl_done(); @@ -397,8 +398,8 @@ for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; ) /* these are considered permanent failure codes */ HDEBUG(D_auth) debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL)); - log_write(0, LOG_REJECT, "%s authenticator (%s):\n " - "Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech, + log_write(0, LOG_REJECT, "%s authenticator (%s): " + "Cyrus SASL permanent failure: %s", auname, ob->server_mech, sasl_errstring(rc, NULL, NULL)); sasl_dispose(&conn); sasl_done(); @@ -427,8 +428,8 @@ for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; ) HDEBUG(D_auth) debug_printf("Cyrus SASL library will not tell us the SSF: %s\n", sasl_errstring(rc, NULL, NULL)); - log_write(0, LOG_REJECT, "%s authenticator (%s):\n " - "Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech, + log_write(0, LOG_REJECT, "%s authenticator (%s): " + "Cyrus SASL SSF value not available: %s", auname, ob->server_mech, sasl_errstring(rc, NULL, NULL)); sasl_dispose(&conn); sasl_done(); @@ -441,8 +442,8 @@ for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; ) { HDEBUG(D_auth) debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf); - log_write(0, LOG_REJECT, "%s authenticator (%s):\n " - "Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf); + log_write(0, LOG_REJECT, "%s authenticator (%s): " + "Cyrus SASL SSF %d not supported by Exim", auname, ob->server_mech, negotiated_ssf); sasl_dispose(&conn); sasl_done(); return FAIL; @@ -476,15 +477,17 @@ return 0; /* Stop compiler complaints */ * Diagnostic API * *************************************************/ -void -auth_cyrus_sasl_version_report(FILE *f) +gstring * +auth_cyrus_sasl_version_report(gstring * g) { -const char *implementation, *version; +const char * implementation, * version; sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL); -fprintf(f, "Library version: Cyrus SASL: Compile: %d.%d.%d\n" - " Runtime: %s [%s]\n", +g = string_fmt_append(g, + "Library version: Cyrus SASL: Compile: %d.%d.%d\n" + " Runtime: %s [%s]\n", SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP, version, implementation); +return g; } /************************************************* @@ -505,6 +508,29 @@ auth_cyrus_sasl_client( return FAIL; } + +# ifdef DYNLOOKUP +# define cyrus_sasl_auth_info _auth_info +# endif + +auth_info cyrus_sasl_auth_info = { +.drinfo = { + .driver_name = US"cyrus_sasl", /* lookup name */ + .options = auth_cyrus_sasl_options, + .options_count = &auth_cyrus_sasl_options_count, + .options_block = &auth_cyrus_sasl_option_defaults, + .options_len = sizeof(auth_cyrus_sasl_options_block), + .init = auth_cyrus_sasl_init, +# ifdef DYNLOOKUP + .dyn_magic = AUTH_MAGIC, +# endif + }, +.servercode = auth_cyrus_sasl_server, +.clientcode = NULL, +.version_report = auth_cyrus_sasl_version_report, +.macros_create = NULL, +}; + #endif /*!MACRO_PREDEF*/ #endif /* AUTH_CYRUS_SASL */