| blob | 82d72974862a14d3379024bda76843f76943984e |
1 /*
2 * cyrus_auth.c : functions for Cyrus SASL-based authentication
3 *
4 * ====================================================================
5 * Copyright (c) 2006-2007 CollabNet. All rights reserved.
6 *
7 * This software is licensed as described in the file COPYING, which
8 * you should have received as part of this distribution. The terms
9 * are also available at http://subversion.tigris.org/license-1.html.
10 * If newer versions of this license are posted there, you may use a
11 * newer version instead, at your option.
12 *
13 * This software consists of voluntary contributions made by many
14 * individuals. For exact contribution history, see the revision
15 * history and logs, available at http://subversion.tigris.org/.
16 * ====================================================================
17 */
20 #ifdef SVN_HAVE_SASL
22 #define APR_WANT_STRFUNC
23 #include <apr_want.h>
24 #include <apr_general.h>
25 #include <apr_strings.h>
26 #include <apr_atomic.h>
27 #include <apr_thread_mutex.h>
28 #include <apr_version.h>
43 /* Note: In addition to being used via svn_atomic__init_once to control
44 * initialization of the SASL code this will also be referenced in
45 * the various functions that work with sasl mutexes to determine
46 * if the sasl pool has been destroyed. This should be safe, since
47 * it is only set back to zero in the sasl pool's cleanups, which
48 * only happens during apr_terminate, which we assume is occurring
49 * in atexit processing, at which point we are already running in
50 * single threaded mode.
51 */
59 /* Pool cleanup called when sasl_pool is destroyed. */
61 {
62 /* Reset svn_ra_svn__sasl_status, in case the client calls
63 apr_initialize()/apr_terminate() more than once. */
68 }
70 #if APR_HAS_THREADS
71 /* Cyrus SASL is thread-safe only if we supply it with mutex functions
72 * (with sasl_set_mutex()). To make this work with APR, we need to use the
73 * global sasl_pool for the mutex allocations. Freeing a mutex actually
74 * returns it to a global array. We allocate mutexes from this
75 * array if it is non-empty, or directly from the pool otherwise.
76 * We also need a mutex to serialize accesses to the array itself.
77 */
79 /* An array of allocated, but unused, apr_thread_mutex_t's. */
82 /* A mutex to serialize access to the array. */
85 /* Callbacks we pass to sasl_set_mutex(). */
88 {
90 apr_status_t apr_err;
100 {
102 APR_THREAD_MUTEX_DEFAULT,
103 sasl_pool);
106 }
107 else
115 }
118 {
122 }
125 {
129 }
132 {
134 {
137 {
140 }
141 }
142 }
146 {
152 apr_pool_cleanup_null);
153 #if APR_HAS_THREADS
155 sasl_mutex_lock_cb,
156 sasl_mutex_unlock_cb,
157 sasl_mutex_free_cb);
160 APR_THREAD_MUTEX_DEFAULT,
161 sasl_pool);
164 }
167 {
173 }
176 {
179 }
182 {
188 }
191 {
192 /* The minimum and maximum security strength factors that the chosen
193 SASL mechanism should provide. 0 means 'no encryption', 256 means
194 '256-bit encryption', which is about the best that any SASL
195 mechanism can provide. Using these values effectively means 'use
196 whatever encryption the other side wants'. Note that SASL will try
197 to use better encryption whenever possible, so if both the server and
198 the client use these values the highest possible encryption strength
199 will be used. */
203 /* Set maxbufsize to the maximum amount of data we can read at any one time.
204 This value needs to be commmunicated to the peer if a security layer
205 is negotiated. */
210 }
212 /* A baton type used by the SASL username and password callbacks. */
218 /* Unfortunately SASL uses two separate callbacks for the username and
219 password, but we must fetch both of them at the same time. So we cache
220 their values in the baton, set them to NULL individually when SASL
221 demands them, and fetch the next pair when both are NULL. */
225 /* Any errors we receive from svn_auth_{first,next}_credentials
226 are saved here. */
229 /* This flag is set when we run out of credential providers. */
230 svn_boolean_t no_more_creds;
232 /* Were the auth callbacks ever called? */
233 svn_boolean_t was_used;
238 /* Call svn_auth_{first,next}_credentials. If successful, set BATON->username
239 and BATON->password to the new username and password and return TRUE,
240 otherwise return FALSE. If there are no more credentials, set
241 BATON->no_more_creds to TRUE. Any errors are saved in BATON->err. */
242 static svn_boolean_t
244 {
250 else
252 SVN_AUTH_CRED_SIMPLE,
259 {
262 }
269 }
271 /* The username callback. Implements the sasl_getsimple_t interface. */
272 static int
274 {
278 {
285 }
288 }
290 /* The password callback. Implements the sasl_getsecret_t interface. */
291 static int
293 {
297 {
301 /* sasl_secret_t is a struct with a variable-sized array as a final
302 member, which means we need to allocate len-1 supplementary bytes
303 (one byte is part of sasl_secret_t, and we don't need a NULL
304 terminator). */
312 }
315 }
317 /* Create a new SASL context. */
319 svn_boolean_t is_tunneled,
325 {
326 sasl_security_properties_t secprops;
331 sasl_ctx);
338 apr_pool_cleanup_null);
341 {
342 /* We need to tell SASL that this connection is tunneled,
343 otherwise it will ignore EXTERNAL. The third paramater
344 should be the username, but since SASL doesn't seem
345 to use it on the client side, any non-empty string will do. */
351 }
353 /* Set security properties. Don't allow PLAIN or LOGIN, since we
354 don't support TLS yet. */
360 }
362 /* Perform an authentication exchange */
369 {
375 svn_boolean_t again;
377 do
378 {
381 mechstring,
387 {
390 /* Success. */
396 /* Fatal error. Fail the authentication. */
400 /* For anything else, delete the mech from the list
401 and try again. */
402 {
406 ;
408 }
409 }
410 }
413 /* Prepare the initial authentication token. */
416 pool);
418 /* Send the initial client response */
423 {
424 /* Read the server response */
429 {
430 /* Authentication failed. Use the next set of credentials */
432 /* Remember the message sent by the server because we'll want to
433 return a meaningful error if we run out of auth providers. */
436 }
444 /* If the mech is CRAM-MD5 we don't base64-decode the server response. */
460 {
462 /* Write our response. */
463 /* For CRAM-MD5, we don't use base64-encoding. */
467 }
468 }
471 {
472 /* This is a client-send-last mech. Read the last server response. */
477 {
480 }
482 {
483 /* We're done */
485 }
486 else
490 }
491 else
494 }
496 /* Baton for a SASL encrypted svn_ra_svn__stream_t. */
507 /* Functions to implement a SASL encrypted svn_ra_svn__stream_t. */
509 /* Implements svn_read_fn_t. */
511 {
514 /* A copy of *len, used by the wrapped stream. */
517 /* sasl_decode might need more data than a single read can provide,
518 hence the need to put a loop around the decoding. */
520 {
523 {
526 }
533 }
535 /* The buffer returned by sasl_decode might be larger than what the
536 caller wants. If this is the case, we only copy back *len bytes now
537 (the rest will be returned by subsequent calls to this function).
538 If not, we just copy back the whole thing. */
540 {
545 }
546 else
547 {
551 }
554 }
556 /* Implements svn_write_fn_t. */
559 {
564 {
565 /* Make sure we don't write too much. */
574 }
576 do
577 {
583 {
584 /* The output buffer and its length will be preserved in sasl_baton
585 and will be written out during the next call to this function
586 (which will have the same arguments). */
589 }
592 }
599 }
601 /* Implements ra_svn_timeout_fn_t. */
603 {
606 }
608 /* Implements ra_svn_pending_fn_t. */
610 {
613 }
618 {
625 {
626 /* Get the strength of the security layer. */
633 {
634 /* Flush the connection, as we're about to replace its stream. */
637 /* Create and initialize the stream baton. */
641 /* Find out the maximum input size for sasl_encode. */
648 /* If there is any data left in the read buffer at this point,
649 we need to decrypt it. */
651 {
660 }
662 /* Wrap the existing stream. */
666 sasl_write_cb,
667 sasl_timeout_cb,
669 /* Yay, we have a security layer! */
671 }
672 }
674 }
680 {
682 {
683 apr_status_t apr_err;
703 /* Format the IP address and port number like this: a.b.c.d;port */
708 }
710 }
712 svn_error_t *
716 {
721 svn_boolean_t success;
722 /* Reserve space for 3 callbacks (for the username, password and the
723 array terminator). */
725 cred_baton_t cred_baton;
729 {
732 }
734 /* Create a string containing the list of mechanisms, separated by spaces. */
736 {
739 /* Force the client to use ANONYMOUS or EXTERNAL if they are available.*/
742 {
745 }
747 mechstring,
750 }
754 /* Initialize the credential baton. */
760 /* Initialize the callbacks array. */
762 /* The username callback. */
767 /* The password callback. */
772 /* Mark the end of the array. */
778 do
779 {
782 /* If last_err was set to a non-empty string, it needs to be duplicated
783 to the parent pool before the subpool is cleared. */
792 subpool);
794 /* If we encountered an error while fetching credentials, that error
795 has priority. */
797 {
800 }
803 {
805 /* If we ran out of authentication providers, or if we got a server
806 error and our callbacks were never called, there's no point in
807 retrying authentication. Return the last error sent by the
808 server. */
812 last_err);
813 /* Hmm, we don't have a server error. Return a generic error. */
816 }
818 {
820 {
823 /* We could not find a supported mechanism in the list sent by the
824 server. In many cases this happens because the client is missing
825 the CRAM-MD5 or ANONYMOUS plugins, in which case we can simply use
826 the built-in implementation. In all other cases this call will be
827 useless, but hey, at least we'll get consistent error messages. */
830 }
832 }
833 }
842 }