Commit | Line | Data |
---|---|---|
b53c265b JH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
5 | /* Copyright (c) Jeremy Harris 2019 */ | |
6 | /* See the file NOTICE for conditions of use and distribution. */ | |
7 | ||
8 | /* This file provides an Exim authenticator driver for | |
9 | a server to verify a client SSL certificate, using the EXTERNAL | |
10 | method defined in RFC 4422 Appendix A. | |
11 | */ | |
12 | ||
13 | ||
14 | #include "../exim.h" | |
15 | #include "external.h" | |
16 | ||
17 | /* Options specific to the external authentication mechanism. */ | |
18 | ||
19 | optionlist auth_external_options[] = { | |
20 | { "client_send", opt_stringptr, | |
21 | (void *)(offsetof(auth_external_options_block, client_send)) }, | |
22 | { "server_param2", opt_stringptr, | |
23 | (void *)(offsetof(auth_external_options_block, server_param2)) }, | |
24 | { "server_param3", opt_stringptr, | |
25 | (void *)(offsetof(auth_external_options_block, server_param3)) }, | |
26 | }; | |
27 | ||
28 | /* Size of the options list. An extern variable has to be used so that its | |
29 | address can appear in the tables drtables.c. */ | |
30 | ||
31 | int auth_external_options_count = nelem(auth_external_options); | |
32 | ||
33 | /* Default private options block for the authentication method. */ | |
34 | ||
35 | auth_external_options_block auth_external_option_defaults = { | |
36 | .server_param2 = NULL, | |
37 | .server_param3 = NULL, | |
38 | ||
39 | .client_send = NULL, | |
40 | }; | |
41 | ||
42 | ||
43 | #ifdef MACRO_PREDEF | |
44 | ||
45 | /* Dummy values */ | |
46 | void auth_external_init(auth_instance *ablock) {} | |
47 | int auth_external_server(auth_instance *ablock, uschar *data) {return 0;} | |
48 | int auth_external_client(auth_instance *ablock, void * sx, | |
49 | int timeout, uschar *buffer, int buffsize) {return 0;} | |
50 | ||
51 | #else /*!MACRO_PREDEF*/ | |
52 | ||
53 | ||
54 | ||
55 | ||
56 | /************************************************* | |
57 | * Initialization entry point * | |
58 | *************************************************/ | |
59 | ||
60 | /* Called for each instance, after its options have been read, to | |
61 | enable consistency checks to be done, or anything else that needs | |
62 | to be set up. */ | |
63 | ||
64 | void | |
65 | auth_external_init(auth_instance *ablock) | |
66 | { | |
67 | auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block; | |
68 | if (!ablock->public_name) ablock->public_name = ablock->name; | |
69 | if (ablock->server_condition) ablock->server = TRUE; | |
70 | if (ob->client_send) ablock->client = TRUE; | |
71 | } | |
72 | ||
73 | ||
74 | ||
75 | /************************************************* | |
76 | * Server entry point * | |
77 | *************************************************/ | |
78 | ||
79 | /* For interface, see auths/README */ | |
80 | ||
81 | int | |
82 | auth_external_server(auth_instance * ablock, uschar * data) | |
83 | { | |
84 | auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block; | |
85 | int rc; | |
86 | ||
87 | /* If data was supplied on the AUTH command, decode it, and split it up into | |
88 | multiple items at binary zeros. The strings are put into $auth1, $auth2, etc, | |
89 | up to a maximum. To retain backwards compatibility, they are also put int $1, | |
90 | $2, etc. If the data consists of the string "=" it indicates a single, empty | |
91 | string. */ | |
92 | ||
93 | if (*data) | |
94 | if ((rc = auth_read_input(data)) != OK) | |
95 | return rc; | |
96 | ||
97 | /* Now go through the list of prompt strings. Skip over any whose data has | |
98 | already been provided as part of the AUTH command. For the rest, send them | |
99 | out as prompts, and get a data item back. If the data item is "*", abandon the | |
100 | authentication attempt. Otherwise, split it into items as above. */ | |
101 | ||
102 | if (expand_nmax == 0) /* skip if rxd data */ | |
103 | if ((rc = auth_prompt(CUS"")) != OK) | |
104 | return rc; | |
105 | ||
106 | if (ob->server_param2) | |
107 | { | |
108 | uschar * s = expand_string(ob->server_param2); | |
109 | auth_vars[expand_nmax] = s; | |
110 | expand_nstring[++expand_nmax] = s; | |
111 | expand_nlength[expand_nmax] = Ustrlen(s); | |
112 | if (ob->server_param3) | |
113 | { | |
114 | s = expand_string(ob->server_param3); | |
115 | auth_vars[expand_nmax] = s; | |
116 | expand_nstring[++expand_nmax] = s; | |
117 | expand_nlength[expand_nmax] = Ustrlen(s); | |
118 | } | |
119 | } | |
120 | ||
121 | return auth_check_serv_cond(ablock); | |
122 | } | |
123 | ||
124 | ||
125 | ||
126 | /************************************************* | |
127 | * Client entry point * | |
128 | *************************************************/ | |
129 | ||
130 | /* For interface, see auths/README */ | |
131 | ||
132 | int | |
133 | auth_external_client( | |
134 | auth_instance *ablock, /* authenticator block */ | |
135 | void * sx, /* smtp connextion */ | |
136 | int timeout, /* command timeout */ | |
137 | uschar *buffer, /* buffer for reading response */ | |
138 | int buffsize) /* size of buffer */ | |
139 | { | |
140 | auth_external_options_block *ob = | |
141 | (auth_external_options_block *)(ablock->options_block); | |
142 | const uschar * text = ob->client_send; | |
143 | int rc; | |
144 | ||
145 | /* We output an AUTH command with one expanded argument, the client_send option */ | |
146 | ||
147 | if ((rc = auth_client_item(sx, ablock, &text, AUTH_ITEM_FIRST | AUTH_ITEM_LAST, | |
148 | timeout, buffer, buffsize)) != OK) | |
149 | return rc == DEFER ? FAIL : rc; | |
150 | ||
151 | if (text) auth_vars[0] = string_copy(text); | |
152 | return OK; | |
153 | } | |
154 | ||
155 | ||
156 | ||
157 | #endif /*!MACRO_PREDEF*/ | |
158 | /* End of external.c */ |