IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Mail: support SASL EXTERNAL (RFC 4422).

Browse Source 
This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.
This commit is contained in:
Rob N ★ 2016-10-08 18:05:00 +11:00
parent a747089a1d
commit 66c23edf63
10 changed files with 110 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/mail/ngx_mail.h
View File

@ -132,7 +132,8 @@ typedef enum {
ngx_pop3_auth_login_username,
ngx_pop3_auth_login_password,
ngx_pop3_auth_plain,
ngx_pop3_auth_cram_md5
ngx_pop3_auth_cram_md5,
ngx_pop3_auth_external
} ngx_pop3_state_e;
@ -142,6 +143,7 @@ typedef enum {
ngx_imap_auth_login_password,
ngx_imap_auth_plain,
ngx_imap_auth_cram_md5,
ngx_imap_auth_external,
ngx_imap_login,
ngx_imap_user,
ngx_imap_passwd
@ -154,6 +156,7 @@ typedef enum {
ngx_smtp_auth_login_password,
ngx_smtp_auth_plain,
ngx_smtp_auth_cram_md5,
ngx_smtp_auth_external,
ngx_smtp_helo,
ngx_smtp_helo_xclient,
ngx_smtp_helo_from,
@ -285,14 +288,16 @@ typedef struct {
#define NGX_MAIL_AUTH_LOGIN_USERNAME 2
#define NGX_MAIL_AUTH_APOP 3
#define NGX_MAIL_AUTH_CRAM_MD5 4
#define NGX_MAIL_AUTH_NONE 5
#define NGX_MAIL_AUTH_EXTERNAL 5
#define NGX_MAIL_AUTH_NONE 6
#define NGX_MAIL_AUTH_PLAIN_ENABLED 0x0002
#define NGX_MAIL_AUTH_LOGIN_ENABLED 0x0004
#define NGX_MAIL_AUTH_APOP_ENABLED 0x0008
#define NGX_MAIL_AUTH_CRAM_MD5_ENABLED 0x0010
#define NGX_MAIL_AUTH_NONE_ENABLED 0x0020
#define NGX_MAIL_AUTH_EXTERNAL_ENABLED 0x0020
#define NGX_MAIL_AUTH_NONE_ENABLED 0x0040
#define NGX_MAIL_PARSE_INVALID_COMMAND 20
@ -377,6 +382,8 @@ ngx_int_t ngx_mail_auth_login_password(ngx_mail_session_t *s,
ngx_int_t ngx_mail_auth_cram_md5_salt(ngx_mail_session_t *s,
ngx_connection_t *c, char *prefix, size_t len);
ngx_int_t ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c);
ngx_int_t ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
ngx_uint_t n);
ngx_int_t ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c);
void ngx_mail_send(ngx_event_t *wev);

1
src/mail/ngx_mail_auth_http_module.c
View File

@ -151,6 +151,7 @@ static ngx_str_t ngx_mail_auth_http_method[] = {
ngx_string("plain"),
ngx_string("apop"),
ngx_string("cram-md5"),
ngx_string("external"),
ngx_string("none")
};

34
src/mail/ngx_mail_handler.c
View File

@ -612,6 +612,40 @@ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
}
ngx_int_t
ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
ngx_uint_t n)
{
ngx_str_t *arg, external;
arg = s->args.elts;
ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
"mail auth external: \"%V\"", &arg[n]);
external.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
if (external.data == NULL) {
return NGX_ERROR;
}
if (ngx_decode_base64(&external, &arg[n]) != NGX_OK) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client sent invalid base64 encoding in AUTH EXTERNAL command");
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
s->login.len = external.len;
s->login.data = external.data;
ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
"mail auth external: \"%V\"", &s->login);
s->auth_method = NGX_MAIL_AUTH_EXTERNAL;
return NGX_DONE;
}
void
ngx_mail_send(ngx_event_t *wev)
{

11
src/mail/ngx_mail_imap_handler.c
View File

@ -222,6 +222,10 @@ ngx_mail_imap_auth_state(ngx_event_t *rev)
case ngx_imap_auth_cram_md5:
rc = ngx_mail_auth_cram_md5(s, c);
break;
case ngx_imap_auth_external:
rc = ngx_mail_auth_external(s, c, 0);
break;
}
} else if (rc == NGX_IMAP_NEXT) {
@ -399,6 +403,13 @@ ngx_mail_imap_authenticate(ngx_mail_session_t *s, ngx_connection_t *c)
}
return NGX_ERROR;
case NGX_MAIL_AUTH_EXTERNAL:
ngx_str_set(&s->out, imap_username);
s->mail_state = ngx_imap_auth_external;
return NGX_OK;
}
return rc;

6
src/mail/ngx_mail_imap_module.c
View File

@ -29,6 +29,7 @@ static ngx_conf_bitmask_t ngx_mail_imap_auth_methods[] = {
{ ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
{ ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED },
{ ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
{ ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
{ ngx_null_string, 0 }
};
@ -38,6 +39,7 @@ static ngx_str_t ngx_mail_imap_auth_methods_names[] = {
ngx_string("AUTH=LOGIN"),
ngx_null_string, /* APOP */
ngx_string("AUTH=CRAM-MD5"),
ngx_string("AUTH=EXTERNAL"),
ngx_null_string /* NONE */
};
@ -179,7 +181,7 @@ ngx_mail_imap_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
}
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@ -205,7 +207,7 @@ ngx_mail_imap_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
auth = p;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {

22
src/mail/ngx_mail_parse.c
View File

@ -905,13 +905,27 @@ ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c)
if (arg[0].len == 8) {
if (s->args.nelts != 1) {
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
if (ngx_strncasecmp(arg[0].data, (u_char *) "CRAM-MD5", 8) == 0) {
if (s->args.nelts != 1) {
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
return NGX_MAIL_AUTH_CRAM_MD5;
}
if (ngx_strncasecmp(arg[0].data, (u_char *) "EXTERNAL", 8) == 0) {
if (s->args.nelts == 1) {
return NGX_MAIL_AUTH_EXTERNAL;
}
if (s->args.nelts == 2) {
return ngx_mail_auth_external(s, c, 1);
}
}
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
return NGX_MAIL_PARSE_INVALID_COMMAND;

11
src/mail/ngx_mail_pop3_handler.c
View File

@ -240,6 +240,10 @@ ngx_mail_pop3_auth_state(ngx_event_t *rev)
case ngx_pop3_auth_cram_md5:
rc = ngx_mail_auth_cram_md5(s, c);
break;
case ngx_pop3_auth_external:
rc = ngx_mail_auth_external(s, c, 0);
break;
}
}
@ -494,6 +498,13 @@ ngx_mail_pop3_auth(ngx_mail_session_t *s, ngx_connection_t *c)
}
return NGX_ERROR;
case NGX_MAIL_AUTH_EXTERNAL:
ngx_str_set(&s->out, pop3_username);
s->mail_state = ngx_pop3_auth_external;
return NGX_OK;
}
return rc;

10
src/mail/ngx_mail_pop3_module.c
View File

@ -29,6 +29,7 @@ static ngx_conf_bitmask_t ngx_mail_pop3_auth_methods[] = {
{ ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
{ ngx_string("apop"), NGX_MAIL_AUTH_APOP_ENABLED },
{ ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
{ ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
{ ngx_null_string, 0 }
};
@ -38,6 +39,7 @@ static ngx_str_t ngx_mail_pop3_auth_methods_names[] = {
ngx_string("LOGIN"),
ngx_null_string, /* APOP */
ngx_string("CRAM-MD5"),
ngx_string("EXTERNAL"),
ngx_null_string /* NONE */
};
@ -180,7 +182,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
size += sizeof("SASL") - 1 + sizeof(CRLF) - 1;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@ -207,7 +209,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
p = ngx_cpymem(p, "SASL", sizeof("SASL") - 1);
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@ -243,7 +245,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+ sizeof("." CRLF) - 1;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@ -264,7 +266,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
sizeof("+OK methods supported:" CRLF) - 1);
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {

11
src/mail/ngx_mail_smtp_handler.c
View File

@ -485,6 +485,10 @@ ngx_mail_smtp_auth_state(ngx_event_t *rev)
case ngx_smtp_auth_cram_md5:
rc = ngx_mail_auth_cram_md5(s, c);
break;
case ngx_smtp_auth_external:
rc = ngx_mail_auth_external(s, c, 0);
break;
}
}
@ -652,6 +656,13 @@ ngx_mail_smtp_auth(ngx_mail_session_t *s, ngx_connection_t *c)
}
return NGX_ERROR;
case NGX_MAIL_AUTH_EXTERNAL:
ngx_str_set(&s->out, smtp_username);
s->mail_state = ngx_smtp_auth_external;
return NGX_OK;
}
return rc;

6
src/mail/ngx_mail_smtp_module.c
View File

@ -21,6 +21,7 @@ static ngx_conf_bitmask_t ngx_mail_smtp_auth_methods[] = {
{ ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
{ ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED },
{ ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
{ ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
{ ngx_string("none"), NGX_MAIL_AUTH_NONE_ENABLED },
{ ngx_null_string, 0 }
};
@ -31,6 +32,7 @@ static ngx_str_t ngx_mail_smtp_auth_methods_names[] = {
ngx_string("LOGIN"),
ngx_null_string, /* APOP */
ngx_string("CRAM-MD5"),
ngx_string("EXTERNAL"),
ngx_null_string /* NONE */
};
@ -207,7 +209,7 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
auth_enabled = 0;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@ -250,7 +252,7 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
*p++ = 'A'; *p++ = 'U'; *p++ = 'T'; *p++ = 'H';
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {