Search code examples
cauthenticationsaslcyrus

Using EXTERNAL mechanism with Cyrus SASL


Does the Cyrus SASL api not support the EXTERNAL mechanism? I'm trying to use it as a client, but it returns SASL_NOMECH when asked.

% cat cyrus_sal_ex.c
/* cyrus_sasl_ex.c: Example of using the Cyrus SASL api */
#include <stdio.h>      /* for printf() */
#include <sasl/sasl.h>  /* for sasl_client_*(), SASL_*, sasl_*_t */

static char const * SASL_return_code(int const code) 
{
  switch(code) 
  {
    /* ... */
    case SASL_OK:     return "SASL_OK[0]: successful result";
    /* ... */
    case SASL_NOMECH: return "SASL_NOMECH[-4]: mechanism not supported";
    /* ... */
  }
  return "unrecognized";
}

int main()
{
  char const *  output = NULL;
  unsigned      outlen = 0;
  char const *  mechanism = NULL;
  sasl_conn_t * conn;

# define PRINT_RESULT( x ) do\
  {\
    int const __result = (x);\
    printf("%s == %d\n\t%s\n", #x, __result, SASL_return_code(__result));\
    if (__result < 0) goto done;\
  }\
  while (0)

  PRINT_RESULT( sasl_client_init( NULL ) );
  PRINT_RESULT( sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) );
  PRINT_RESULT( sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) );

done:
# undef PRINT_RESULT
  printf("output: [%d bytes] : %s\n", outlen, (output ? output : "NULL") );
  printf("mechanism: %s\n", (mechanism ? mechanism : "NULL"));

  return 0;
}
% gcc -I/sw/include -L/sw/lib -lsasl2 cyrus_sasl_ex.c -o cyrus_sasl_ex # your header/library locations may vary
% ./cyrus_sasl_ex
sasl_client_init( NULL ) == 0
        SASL_OK[0]: successful result
sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) == 0
        SASL_OK[0]: successful result
sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) == -4
        SASL_NOMECH[-4]: mechanism not supported
output: [0 bytes] : NULL
mechanism: EXTERNAL
%

I browsed through the source though, and it looks like all the clients should support the EXTERNAL mechanism:

cyrus-sasl-2.1.22/lib/client.c:
196 int sasl_client_init(const sasl_callback_t *callbacks)
197 {
...
227
228   sasl_client_add_plugin("EXTERNAL", &external_client_plug_init);
229

So I'm guessing I'm doing something wrong here. I tried adding all the sasl_callback_ts I could think of to sasl_client_*(), but none of them even got called. Is there some argument I should pass that asserts that EXTERNAL is an acceptable mechanism? Or is SASL_NOMECH always returned for EXTERNAL - b/c that doesn't seem right.

Can anyone help me out?


Solution

  • Ok, I found the left out step.

    According to sasl/sasl.h, I needed to set the SASL_AUTH_EXTERNAL property for my sasl_conn_t first:

    /* set property in SASL connection state
     * returns:
     *  SASL_OK       -- value set
     *  SASL_BADPARAM -- invalid property or value
     */
    LIBSASL_API int sasl_setprop(sasl_conn_t *conn,
                     int propnum,
                     const void *value);
    #define SASL_SSF_EXTERNAL  100  /* external SSF active (sasl_ssf_t *) */
    #define SASL_SEC_PROPS     101  /* sasl_security_properties_t */
    #define SASL_AUTH_EXTERNAL 102  /* external authentication ID (const char *) */
    
    /* If the SASL_AUTH_EXTERNAL value is non-NULL, then a special version of the
     * EXTERNAL mechanism is enabled (one for server-embedded EXTERNAL mechanisms).
     * Otherwise, the EXTERNAL mechanism will be absent unless a plug-in
     * including EXTERNAL is present.
     */
    

    Once I did that, the rest worked out:

    % cat cyrus_sasl_ex.c
    /* Example of using the Cyrus SASL api */
    #include <stdio.h>          /* for printf() */
    #include <sasl/sasl.h>  /* for sasl_client_*(), SASL_*, sasl_*_t */
    
    int main()
    {
        char const *    output = NULL;
        unsigned            outlen = 0;
        char const *    mechanism = NULL;
        sasl_conn_t * conn;
    
    #   define PRINT_RESULT( x ) do\
        {\
            int const __result = (x);\
            printf("%s == %d\n\t%s\n", #x, __result, sasl_errstring(__result,NULL,NULL));\
            if (__result < 0) goto done;\
        }\
        while (0)
    
        PRINT_RESULT( sasl_client_init( NULL ) );
        PRINT_RESULT( sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) );
        PRINT_RESULT( sasl_setprop( conn, SASL_AUTH_EXTERNAL, "fake authority" ) );
        PRINT_RESULT( sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) );
    
    done:
    #   undef PRINT_RESULT
        printf("output: [%d bytes] : %s\n", outlen, (output ? output : "NULL") );
        printf("mechanism: %s\n", (mechanism ? mechanism : "NULL"));
    
        return 0;
    }
    % gcc -I/sw/include -L/sw/lib -lsasl2 cyrus_sasl_ex.c -o cyrus_sasl_ex
    % ./cyrus_sasl_ex
    sasl_client_init( NULL ) == 0
            successful result
    sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) == 0
            successful result
    sasl_setprop( conn, SASL_AUTH_EXTERNAL, "fake authority" ) == 0
            successful result
    sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) == 0
            successful result
    output: [0 bytes] :
    mechanism: EXTERNAL
    

    However, since the version of Cyrus SASL that comes pre-installed on OS X 10.5 has a bug in it that makes the external plugin require a SASL_CB_USER callback and passes it a NULL pointer to store its return value in, this still means I'll have to update Cyrus SASL on all those machines.

    Or maybe I'll just code around the bug.