subject:"\\\\\\\[PATCH\\\\\\\] Mail\\\\\\\: Support SASL EXTERNAL \\\\\\\(RFC 4422\\\\\\\)"

Re: [PATCH] Mail: Support SASL EXTERNAL (RFC 4422)

2016-10-13 Thread Rob N ★

On Thu, 13 Oct 2016, at 04:50 PM, Maxim Dounin wrote:
> Thank you for the patch.  Overral it looks good, though there are
> some things I would like to do differently in the pop3 module.
> See below.

Thanks, both of the things you addressed (the single list of methods,
and splitting it into two patches) are things that I thought about but
did end up doing. I'm glad you did!

I don't anticipate any issues with swapping LOGIN and PLAIN either..

I've read both patches and both look good to me!

Cheers,
Rob N.
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: [PATCH] Mail: Support SASL EXTERNAL (RFC 4422)

2016-10-12 Thread Maxim Dounin

Hello!

On Sat, Oct 08, 2016 at 06:31:02PM +1100, Rob N ★ wrote:

> # HG changeset patch
> # User Rob N ★ 
> # Date 1475910300 -39600
> #  Sat Oct 08 18:05:00 2016 +1100
> # Node ID 205f2148260460379f9b0889cdb8015994028c73
> # Parent  1606a817c1d48ed351f1dd7d9cb9c996e2c77b9a
> Mail: Support SASL EXTERNAL (RFC 4422)
> 
> This is needed to allow TLS client certificate auth to work. With
> ssl_verify_client configured, the auth daemon can choose to allow the
> connection to proceed based on the certificate data.
> 
> This has been tested with Thunderbird for IMAP only. I've not yet found a
> client that will do client certificate auth for POP3 or SMTP, and the method 
> is
> not really documented anywhere that I can find. That said, its simple enough
> that the way I've done is probably right.

Thank you for the patch.  Overral it looks good, though there are 
some things I would like to do differently in the pop3 module.  
See below.

[...]

> diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_pop3_module.c
> --- a/src/mail/ngx_mail_pop3_module.c Fri Oct 07 16:59:14 2016 +0300
> +++ b/src/mail/ngx_mail_pop3_module.c Sat Oct 08 18:05:00 2016 +1100
> @@ -29,23 +29,33 @@
>  { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
>  { ngx_string("apop"), NGX_MAIL_AUTH_APOP_ENABLED },
>  { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
> +{ ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
>  { ngx_null_string, 0 }
>  };
>  
>  
> -static ngx_str_t  ngx_mail_pop3_auth_plain_capability =
> -ngx_string("+OK methods supported:" CRLF
> -   "LOGIN" CRLF
> -   "PLAIN" CRLF
> -   "." CRLF);
> +static ngx_str_t  ngx_mail_pop3_auth_methods_capabilities[] = {
> +ngx_string("LOGIN PLAIN"),
> +ngx_null_string,  /* LOGIN */
> +ngx_null_string,  /* APOP */
> +ngx_string("CRAM-MD5"),
> +ngx_string("EXTERNAL"),
> +ngx_null_string   /* NONE */
> +};
>  
>  
> -static ngx_str_t  ngx_mail_pop3_auth_cram_md5_capability =
> -ngx_string("+OK methods supported:" CRLF
> -   "LOGIN" CRLF
> -   "PLAIN" CRLF
> -   "CRAM-MD5" CRLF
> -   "." CRLF);
> +static ngx_str_t  ngx_mail_pop3_auth_methods_authnames[] = {
> +ngx_string("LOGIN" CRLF "PLAIN" CRLF),
> +ngx_null_string,  /* LOGIN */
> +ngx_null_string,  /* APOP */
> +ngx_string("CRAM-MD5" CRLF),
> +ngx_string("EXTERNAL" CRLF),
> +ngx_null_string   /* NONE */
> +};
> +
> +
> +static ngx_str_t  ngx_mail_pop3_auth_capability =
> +ngx_string("+OK methods supported:" CRLF);

It would be much easier to just have a list of method names 
instead, much like IMAP module do.  The fact that that LOGIN is 
expected to be switched on along with PLAIN can be easily handled 
elsewhere in the code.

This will result in switched order of methods ("PLAIN LOGIN" 
instead of "LOGIN PLAIN" used to be previously), but I don't think 
this is important for any reasonable client.

Also, this probably should be a separate preparatory patch to 
simplify things.

Below is the pop3 part rewritten to use just a method names (and 
few other style issues fixed), and your patch on top of it.

# HG changeset patch
# User Maxim Dounin 
# Date 1476333412 -10800
#  Thu Oct 13 07:36:52 2016 +0300
# Node ID 6c5362af49924af0e6f478a89ffa3f1dbdae3ddd
# Parent  7cdf69d012f02a80c94d930b29c71847e203e4d6
Mail: extensible auth methods in pop3 module.

diff --git a/src/mail/ngx_mail_pop3_module.c b/src/mail/ngx_mail_pop3_module.c
--- a/src/mail/ngx_mail_pop3_module.c
+++ b/src/mail/ngx_mail_pop3_module.c
@@ -33,19 +33,13 @@ static ngx_conf_bitmask_t  ngx_mail_pop3
 };
 
 
-static ngx_str_t  ngx_mail_pop3_auth_plain_capability =
-ngx_string("+OK methods supported:" CRLF
-   "LOGIN" CRLF
-   "PLAIN" CRLF
-   "." CRLF);
-
-
-static ngx_str_t  ngx_mail_pop3_auth_cram_md5_capability =
-ngx_string("+OK methods supported:" CRLF
-   "LOGIN" CRLF
-   "PLAIN" CRLF
-   "CRAM-MD5" CRLF
-   "." CRLF);
+static ngx_str_t  ngx_mail_pop3_auth_methods_names[] = {
+ngx_string("PLAIN"),
+ngx_string("LOGIN"),
+ngx_null_string,  /* APOP */
+ngx_string("CRAM-MD5"),
+ngx_null_string   /* NONE */
+};
 
 
 static ngx_mail_protocol_t  ngx_mail_pop3_protocol = {
@@ -140,13 +134,17 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
 u_char  *p;
 size_t   size, stls_only_size;
 ngx_str_t   *c, *d;
-ngx_uint_t   i;
+ngx_uint_t   i, m;
 
 ngx_conf_merge_bitmask_value(conf->auth_methods,
  prev->auth_methods,
  (NGX_CONF_BITMASK_SET
   |NGX_MAIL_AUTH_PLAIN_ENABLED));
 
+if (conf->auth_methods & NGX_MAIL_AUTH_PLAIN_ENABLED) {
+conf->auth_methods |= NGX_MAIL_AUTH_LOGIN_ENABLED;
+}
+
 if

[PATCH] Mail: Support SASL EXTERNAL (RFC 4422)

2016-10-08 Thread Rob N ★

# HG changeset patch
# User Rob N ★ 
# Date 1475910300 -39600
#  Sat Oct 08 18:05:00 2016 +1100
# Node ID 205f2148260460379f9b0889cdb8015994028c73
# Parent  1606a817c1d48ed351f1dd7d9cb9c996e2c77b9a
Mail: Support SASL EXTERNAL (RFC 4422)

This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.

diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail.h
--- a/src/mail/ngx_mail.h   Fri Oct 07 16:59:14 2016 +0300
+++ b/src/mail/ngx_mail.h   Sat Oct 08 18:05:00 2016 +1100
@@ -136,7 +136,8 @@
 ngx_pop3_auth_login_username,
 ngx_pop3_auth_login_password,
 ngx_pop3_auth_plain,
-ngx_pop3_auth_cram_md5
+ngx_pop3_auth_cram_md5,
+ngx_pop3_auth_external
 } ngx_pop3_state_e;
 
 
@@ -146,6 +147,7 @@
 ngx_imap_auth_login_password,
 ngx_imap_auth_plain,
 ngx_imap_auth_cram_md5,
+ngx_imap_auth_external,
 ngx_imap_login,
 ngx_imap_user,
 ngx_imap_passwd
@@ -158,6 +160,7 @@
 ngx_smtp_auth_login_password,
 ngx_smtp_auth_plain,
 ngx_smtp_auth_cram_md5,
+ngx_smtp_auth_external,
 ngx_smtp_helo,
 ngx_smtp_helo_xclient,
 ngx_smtp_helo_from,
@@ -289,14 +292,16 @@
 #define NGX_MAIL_AUTH_LOGIN_USERNAME2
 #define NGX_MAIL_AUTH_APOP  3
 #define NGX_MAIL_AUTH_CRAM_MD5  4
-#define NGX_MAIL_AUTH_NONE  5
+#define NGX_MAIL_AUTH_EXTERNAL  5
+#define NGX_MAIL_AUTH_NONE  6
 
 
 #define NGX_MAIL_AUTH_PLAIN_ENABLED 0x0002
 #define NGX_MAIL_AUTH_LOGIN_ENABLED 0x0004
 #define NGX_MAIL_AUTH_APOP_ENABLED  0x0008
 #define NGX_MAIL_AUTH_CRAM_MD5_ENABLED  0x0010
-#define NGX_MAIL_AUTH_NONE_ENABLED  0x0020
+#define NGX_MAIL_AUTH_EXTERNAL_ENABLED  0x0020
+#define NGX_MAIL_AUTH_NONE_ENABLED  0x0040
 
 
 #define NGX_MAIL_PARSE_INVALID_COMMAND  20
@@ -381,6 +386,8 @@
 ngx_int_t ngx_mail_auth_cram_md5_salt(ngx_mail_session_t *s,
 ngx_connection_t *c, char *prefix, size_t len);
 ngx_int_t ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c);
+ngx_int_t ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
+ngx_uint_t n);
 ngx_int_t ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c);
 
 void ngx_mail_send(ngx_event_t *wev);
diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c  Fri Oct 07 16:59:14 2016 +0300
+++ b/src/mail/ngx_mail_auth_http_module.c  Sat Oct 08 18:05:00 2016 +1100
@@ -151,6 +151,7 @@
 ngx_string("plain"),
 ngx_string("apop"),
 ngx_string("cram-md5"),
+ngx_string("external"),
 ngx_string("none")
 };
 
diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c   Fri Oct 07 16:59:14 2016 +0300
+++ b/src/mail/ngx_mail_handler.c   Sat Oct 08 18:05:00 2016 +1100
@@ -612,6 +612,40 @@
 }
 
 
+ngx_int_t
+ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
+ngx_uint_t n)
+{
+ngx_str_t  *arg, external;
+
+arg = s->args.elts;
+
+ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+   "mail auth external: \"%V\"", [n]);
+
+external.data = ngx_pnalloc(c->pool, 
ngx_base64_decoded_length(arg[n].len));
+if (external.data == NULL) {
+return NGX_ERROR;
+}
+
+if (ngx_decode_base64(, [n]) != NGX_OK) {
+ngx_log_error(NGX_LOG_INFO, c->log, 0,
+"client sent invalid base64 encoding in AUTH EXTERNAL command");
+return NGX_MAIL_PARSE_INVALID_COMMAND;
+}
+
+s->login.len = external.len;
+s->login.data = external.data;
+
+ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+   "mail auth external: \"%V\"", >login);
+
+s->auth_method = NGX_MAIL_AUTH_EXTERNAL;
+
+return NGX_DONE;
+}
+
+
 void
 ngx_mail_send(ngx_event_t *wev)
 {
diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_imap_handler.c
--- a/src/mail/ngx_mail_imap_handler.c  Fri Oct 07 16:59:14 2016 +0300
+++ b/src/mail/ngx_mail_imap_handler.c  Sat Oct 08 18:05:00 2016 +1100
@@ -222,6 +222,10 @@
 case ngx_imap_auth_cram_md5:
 rc = ngx_mail_auth_cram_md5(s, c);
 break;
+
+case ngx_imap_auth_external:
+rc = ngx_mail_auth_external(s, c, 0);
+break;
 }
 
 } else if (rc == NGX_IMAP_NEXT) {
@@ -399,6 +403,13 @@
 }
 
 return NGX_ERROR;
+
+case NGX_MAIL_AUTH_EXTERNAL:
+
+ngx_str_set(>out, imap_username);
+s->mail_state = ngx_imap_auth_external;
+
+return NGX_OK;
 }
 
 return rc;
diff -r 1606a817c1d4 -r

Re: [PATCH] Mail: Support SASL EXTERNAL (RFC 4422)

Re: [PATCH] Mail: Support SASL EXTERNAL (RFC 4422)

[PATCH] Mail: Support SASL EXTERNAL (RFC 4422)

3 matches

Site Navigation

Mail list logo

Footer information