Re: [PATCH] Mail: Support SASL EXTERNAL (RFC 4422)
On Thu, 13 Oct 2016, at 04:50 PM, Maxim Dounin wrote: > Thank you for the patch. Overral it looks good, though there are > some things I would like to do differently in the pop3 module. > See below. Thanks, both of the things you addressed (the single list of methods, and splitting it into two patches) are things that I thought about but did end up doing. I'm glad you did! I don't anticipate any issues with swapping LOGIN and PLAIN either.. I've read both patches and both look good to me! Cheers, Rob N. ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Mail: Support SASL EXTERNAL (RFC 4422)
Hello! On Sat, Oct 08, 2016 at 06:31:02PM +1100, Rob N ★ wrote: > # HG changeset patch > # User Rob N ★> # Date 1475910300 -39600 > # Sat Oct 08 18:05:00 2016 +1100 > # Node ID 205f2148260460379f9b0889cdb8015994028c73 > # Parent 1606a817c1d48ed351f1dd7d9cb9c996e2c77b9a > Mail: Support SASL EXTERNAL (RFC 4422) > > This is needed to allow TLS client certificate auth to work. With > ssl_verify_client configured, the auth daemon can choose to allow the > connection to proceed based on the certificate data. > > This has been tested with Thunderbird for IMAP only. I've not yet found a > client that will do client certificate auth for POP3 or SMTP, and the method > is > not really documented anywhere that I can find. That said, its simple enough > that the way I've done is probably right. Thank you for the patch. Overral it looks good, though there are some things I would like to do differently in the pop3 module. See below. [...] > diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_pop3_module.c > --- a/src/mail/ngx_mail_pop3_module.c Fri Oct 07 16:59:14 2016 +0300 > +++ b/src/mail/ngx_mail_pop3_module.c Sat Oct 08 18:05:00 2016 +1100 > @@ -29,23 +29,33 @@ > { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED }, > { ngx_string("apop"), NGX_MAIL_AUTH_APOP_ENABLED }, > { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED }, > +{ ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED }, > { ngx_null_string, 0 } > }; > > > -static ngx_str_t ngx_mail_pop3_auth_plain_capability = > -ngx_string("+OK methods supported:" CRLF > - "LOGIN" CRLF > - "PLAIN" CRLF > - "." CRLF); > +static ngx_str_t ngx_mail_pop3_auth_methods_capabilities[] = { > +ngx_string("LOGIN PLAIN"), > +ngx_null_string, /* LOGIN */ > +ngx_null_string, /* APOP */ > +ngx_string("CRAM-MD5"), > +ngx_string("EXTERNAL"), > +ngx_null_string /* NONE */ > +}; > > > -static ngx_str_t ngx_mail_pop3_auth_cram_md5_capability = > -ngx_string("+OK methods supported:" CRLF > - "LOGIN" CRLF > - "PLAIN" CRLF > - "CRAM-MD5" CRLF > - "." CRLF); > +static ngx_str_t ngx_mail_pop3_auth_methods_authnames[] = { > +ngx_string("LOGIN" CRLF "PLAIN" CRLF), > +ngx_null_string, /* LOGIN */ > +ngx_null_string, /* APOP */ > +ngx_string("CRAM-MD5" CRLF), > +ngx_string("EXTERNAL" CRLF), > +ngx_null_string /* NONE */ > +}; > + > + > +static ngx_str_t ngx_mail_pop3_auth_capability = > +ngx_string("+OK methods supported:" CRLF); It would be much easier to just have a list of method names instead, much like IMAP module do. The fact that that LOGIN is expected to be switched on along with PLAIN can be easily handled elsewhere in the code. This will result in switched order of methods ("PLAIN LOGIN" instead of "LOGIN PLAIN" used to be previously), but I don't think this is important for any reasonable client. Also, this probably should be a separate preparatory patch to simplify things. Below is the pop3 part rewritten to use just a method names (and few other style issues fixed), and your patch on top of it. # HG changeset patch # User Maxim Dounin # Date 1476333412 -10800 # Thu Oct 13 07:36:52 2016 +0300 # Node ID 6c5362af49924af0e6f478a89ffa3f1dbdae3ddd # Parent 7cdf69d012f02a80c94d930b29c71847e203e4d6 Mail: extensible auth methods in pop3 module. diff --git a/src/mail/ngx_mail_pop3_module.c b/src/mail/ngx_mail_pop3_module.c --- a/src/mail/ngx_mail_pop3_module.c +++ b/src/mail/ngx_mail_pop3_module.c @@ -33,19 +33,13 @@ static ngx_conf_bitmask_t ngx_mail_pop3 }; -static ngx_str_t ngx_mail_pop3_auth_plain_capability = -ngx_string("+OK methods supported:" CRLF - "LOGIN" CRLF - "PLAIN" CRLF - "." CRLF); - - -static ngx_str_t ngx_mail_pop3_auth_cram_md5_capability = -ngx_string("+OK methods supported:" CRLF - "LOGIN" CRLF - "PLAIN" CRLF - "CRAM-MD5" CRLF - "." CRLF); +static ngx_str_t ngx_mail_pop3_auth_methods_names[] = { +ngx_string("PLAIN"), +ngx_string("LOGIN"), +ngx_null_string, /* APOP */ +ngx_string("CRAM-MD5"), +ngx_null_string /* NONE */ +}; static ngx_mail_protocol_t ngx_mail_pop3_protocol = { @@ -140,13 +134,17 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t u_char *p; size_t size, stls_only_size; ngx_str_t *c, *d; -ngx_uint_t i; +ngx_uint_t i, m; ngx_conf_merge_bitmask_value(conf->auth_methods, prev->auth_methods, (NGX_CONF_BITMASK_SET |NGX_MAIL_AUTH_PLAIN_ENABLED)); +if (conf->auth_methods & NGX_MAIL_AUTH_PLAIN_ENABLED) { +conf->auth_methods |= NGX_MAIL_AUTH_LOGIN_ENABLED; +} + if
[PATCH] Mail: Support SASL EXTERNAL (RFC 4422)
# HG changeset patch # User Rob N ★# Date 1475910300 -39600 # Sat Oct 08 18:05:00 2016 +1100 # Node ID 205f2148260460379f9b0889cdb8015994028c73 # Parent 1606a817c1d48ed351f1dd7d9cb9c996e2c77b9a Mail: Support SASL EXTERNAL (RFC 4422) This is needed to allow TLS client certificate auth to work. With ssl_verify_client configured, the auth daemon can choose to allow the connection to proceed based on the certificate data. This has been tested with Thunderbird for IMAP only. I've not yet found a client that will do client certificate auth for POP3 or SMTP, and the method is not really documented anywhere that I can find. That said, its simple enough that the way I've done is probably right. diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail.h --- a/src/mail/ngx_mail.h Fri Oct 07 16:59:14 2016 +0300 +++ b/src/mail/ngx_mail.h Sat Oct 08 18:05:00 2016 +1100 @@ -136,7 +136,8 @@ ngx_pop3_auth_login_username, ngx_pop3_auth_login_password, ngx_pop3_auth_plain, -ngx_pop3_auth_cram_md5 +ngx_pop3_auth_cram_md5, +ngx_pop3_auth_external } ngx_pop3_state_e; @@ -146,6 +147,7 @@ ngx_imap_auth_login_password, ngx_imap_auth_plain, ngx_imap_auth_cram_md5, +ngx_imap_auth_external, ngx_imap_login, ngx_imap_user, ngx_imap_passwd @@ -158,6 +160,7 @@ ngx_smtp_auth_login_password, ngx_smtp_auth_plain, ngx_smtp_auth_cram_md5, +ngx_smtp_auth_external, ngx_smtp_helo, ngx_smtp_helo_xclient, ngx_smtp_helo_from, @@ -289,14 +292,16 @@ #define NGX_MAIL_AUTH_LOGIN_USERNAME2 #define NGX_MAIL_AUTH_APOP 3 #define NGX_MAIL_AUTH_CRAM_MD5 4 -#define NGX_MAIL_AUTH_NONE 5 +#define NGX_MAIL_AUTH_EXTERNAL 5 +#define NGX_MAIL_AUTH_NONE 6 #define NGX_MAIL_AUTH_PLAIN_ENABLED 0x0002 #define NGX_MAIL_AUTH_LOGIN_ENABLED 0x0004 #define NGX_MAIL_AUTH_APOP_ENABLED 0x0008 #define NGX_MAIL_AUTH_CRAM_MD5_ENABLED 0x0010 -#define NGX_MAIL_AUTH_NONE_ENABLED 0x0020 +#define NGX_MAIL_AUTH_EXTERNAL_ENABLED 0x0020 +#define NGX_MAIL_AUTH_NONE_ENABLED 0x0040 #define NGX_MAIL_PARSE_INVALID_COMMAND 20 @@ -381,6 +386,8 @@ ngx_int_t ngx_mail_auth_cram_md5_salt(ngx_mail_session_t *s, ngx_connection_t *c, char *prefix, size_t len); ngx_int_t ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c); +ngx_int_t ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c, +ngx_uint_t n); ngx_int_t ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c); void ngx_mail_send(ngx_event_t *wev); diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_auth_http_module.c --- a/src/mail/ngx_mail_auth_http_module.c Fri Oct 07 16:59:14 2016 +0300 +++ b/src/mail/ngx_mail_auth_http_module.c Sat Oct 08 18:05:00 2016 +1100 @@ -151,6 +151,7 @@ ngx_string("plain"), ngx_string("apop"), ngx_string("cram-md5"), +ngx_string("external"), ngx_string("none") }; diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_handler.c --- a/src/mail/ngx_mail_handler.c Fri Oct 07 16:59:14 2016 +0300 +++ b/src/mail/ngx_mail_handler.c Sat Oct 08 18:05:00 2016 +1100 @@ -612,6 +612,40 @@ } +ngx_int_t +ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c, +ngx_uint_t n) +{ +ngx_str_t *arg, external; + +arg = s->args.elts; + +ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth external: \"%V\"", [n]); + +external.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); +if (external.data == NULL) { +return NGX_ERROR; +} + +if (ngx_decode_base64(, [n]) != NGX_OK) { +ngx_log_error(NGX_LOG_INFO, c->log, 0, +"client sent invalid base64 encoding in AUTH EXTERNAL command"); +return NGX_MAIL_PARSE_INVALID_COMMAND; +} + +s->login.len = external.len; +s->login.data = external.data; + +ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth external: \"%V\"", >login); + +s->auth_method = NGX_MAIL_AUTH_EXTERNAL; + +return NGX_DONE; +} + + void ngx_mail_send(ngx_event_t *wev) { diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_imap_handler.c --- a/src/mail/ngx_mail_imap_handler.c Fri Oct 07 16:59:14 2016 +0300 +++ b/src/mail/ngx_mail_imap_handler.c Sat Oct 08 18:05:00 2016 +1100 @@ -222,6 +222,10 @@ case ngx_imap_auth_cram_md5: rc = ngx_mail_auth_cram_md5(s, c); break; + +case ngx_imap_auth_external: +rc = ngx_mail_auth_external(s, c, 0); +break; } } else if (rc == NGX_IMAP_NEXT) { @@ -399,6 +403,13 @@ } return NGX_ERROR; + +case NGX_MAIL_AUTH_EXTERNAL: + +ngx_str_set(>out, imap_username); +s->mail_state = ngx_imap_auth_external; + +return NGX_OK; } return rc; diff -r 1606a817c1d4 -r