src/src/auths/spa.c

   1 /*************************************************
   2 *     Exim - an Internet mail transport agent    *
   3 *************************************************/
   4
   5 /* Copyright (c) University of Cambridge 1995 - 2009 */
   6 /* See the file NOTICE for conditions of use and distribution. */
   7
   8 /* This file, which provides support for Microsoft's Secure Password
   9 Authentication, was contributed by Marc Prud'hommeaux. Tom Kistner added SPA
  10 server support. I (PH) have only modified it in very trivial ways.
  11
  12 References:
  13   http://www.innovation.ch/java/ntlm.html
  14   http://www.kuro5hin.org/story/2002/4/28/1436/66154
  15   http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5bMS-SMTP%5d.pdf
  16
  17  * It seems that some systems have existing but different definitions of some
  18  * of the following types. I received a complaint about "int16" causing
  19  * compilation problems. So I (PH) have renamed them all, to be on the safe
  20  * side, by adding 'x' on the end. See auths/auth-spa.h.
  21
  22  * typedef signed short int16;
  23  * typedef unsigned short uint16;
  24  * typedef unsigned uint32;
  25  * typedef unsigned char  uint8;
  26
  27 07-August-2003:  PH: Patched up the code to avoid assert bombouts for stupid
  28                      input data. Find appropriate comment by grepping for "PH".
  29 16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
  30 05-June-2010:    PP: handle SASL initial response
  31 */
  32
  33
  34 #include "../exim.h"
  35 #include "spa.h"
  36
  37 /* #define DEBUG_SPA */
  38
  39 #ifdef DEBUG_SPA
  40 #define DSPA(x,y,z)   debug_printf(x,y,z)
  41 #else
  42 #define DSPA(x,y,z)
  43 #endif
  44
  45 /* Options specific to the spa authentication mechanism. */
  46
  47 optionlist auth_spa_options[] = {
  48   { "client_domain",             opt_stringptr,
  49       (void *)(offsetof(auth_spa_options_block, spa_domain)) },
  50   { "client_password",           opt_stringptr,
  51       (void *)(offsetof(auth_spa_options_block, spa_password)) },
  52   { "client_username",           opt_stringptr,
  53       (void *)(offsetof(auth_spa_options_block, spa_username)) },
  54   { "server_password",           opt_stringptr,
  55       (void *)(offsetof(auth_spa_options_block, spa_serverpassword)) }
  56 };
  57
  58 /* Size of the options list. An extern variable has to be used so that its
  59 address can appear in the tables drtables.c. */
  60
  61 int auth_spa_options_count =
  62   sizeof(auth_spa_options)/sizeof(optionlist);
  63
  64 /* Default private options block for the contidion authentication method. */
  65
  66 auth_spa_options_block auth_spa_option_defaults = {
  67   NULL,              /* spa_password */
  68   NULL,              /* spa_username */
  69   NULL,              /* spa_domain */
  70   NULL               /* spa_serverpassword (for server side use) */
  71 };
  72
  73
  74 /*************************************************
  75 *          Initialization entry point            *
  76 *************************************************/
  77
  78 /* Called for each instance, after its options have been read, to
  79 enable consistency checks to be done, or anything else that needs
  80 to be set up. */
  81
  82 void
  83 auth_spa_init(auth_instance *ablock)
  84 {
  85 auth_spa_options_block *ob =
  86   (auth_spa_options_block *)(ablock->options_block);
  87
  88 /* The public name defaults to the authenticator name */
  89
  90 if (ablock->public_name == NULL) ablock->public_name = ablock->name;
  91
  92 /* Both username and password must be set for a client */
  93
  94 if ((ob->spa_username == NULL) != (ob->spa_password == NULL))
  95   log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:\n  "
  96       "one of client_username and client_password cannot be set without "
  97       "the other", ablock->name);
  98 ablock->client = ob->spa_username != NULL;
  99
 100 /* For a server we have just one option */
 101
 102 ablock->server = ob->spa_serverpassword != NULL;
 103 }
 104
 105
 106
 107 /*************************************************
 108 *             Server entry point                 *
 109 *************************************************/
 110
 111 /* For interface, see auths/README */
 112
 113 #define CVAL(buf,pos) (((unsigned char *)(buf))[pos])
 114 #define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
 115 #define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
 116 #define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)
 117
 118 int
 119 auth_spa_server(auth_instance *ablock, uschar *data)
 120 {
 121 auth_spa_options_block *ob = (auth_spa_options_block *)(ablock->options_block);
 122 uint8x lmRespData[24];
 123 uint8x ntRespData[24];
 124 SPAAuthRequest request;
 125 SPAAuthChallenge challenge;
 126 SPAAuthResponse  response;
 127 SPAAuthResponse  *responseptr = &response;
 128 uschar msgbuf[2048];
 129 uschar *clearpass;
 130
 131 /* send a 334, MS Exchange style, and grab the client's request,
 132 unless we already have it via an initial response. */
 133
 134 if ((*data == '\0') &&
 135     (auth_get_no64_data(&data, US"NTLM supported") != OK))
 136   {
 137   /* something borked */
 138   return FAIL;
 139   }
 140
 141 if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
 142   {
 143   DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
 144   "request: %s\n", data);
 145   return FAIL;
 146   }
 147
 148 /* create a challenge and send it back */
 149
 150 spa_build_auth_challenge(&request,&challenge);
 151 spa_bits_to_base64 (msgbuf, (unsigned char*)&challenge,
 152     spa_request_length(&challenge));
 153
 154 if (auth_get_no64_data(&data, msgbuf) != OK)
 155   {
 156   /* something borked */
 157   return FAIL;
 158   }
 159
 160 /* dump client response */
 161 if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
 162   {
 163   DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
 164   "response: %s\n", data);
 165   return FAIL;
 166   }
 167
 168 /***************************************************************
 169 PH 07-Aug-2003: The original code here was this:
 170
 171 Ustrcpy(msgbuf, unicodeToString(((char*)responseptr) +
 172   IVAL(&responseptr->uUser.offset,0),
 173   SVAL(&responseptr->uUser.len,0)/2) );
 174
 175 However, if the response data is too long, unicodeToString bombs out on
 176 an assertion failure. It uses a 1024 fixed buffer. Bombing out is not a good
 177 idea. It's too messy to try to rework that function to return an error because
 178 it is called from a number of other places in the auth-spa.c module. Instead,
 179 since it is a very small function, I reproduce its code here, with a size check
 180 that causes failure if the size of msgbuf is exceeded. ****/
 181
 182   {
 183   int i;
 184   char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
 185   int len = SVAL(&responseptr->uUser.len,0)/2;
 186
 187   if (len + 1 >= sizeof(msgbuf)) return FAIL;
 188   for (i = 0; i < len; ++i)
 189     {
 190     msgbuf[i] = *p & 0x7f;
 191     p += 2;
 192     }
 193   msgbuf[i] = 0;
 194   }
 195
 196 /***************************************************************/
 197
 198 /* Put the username in $auth1 and $1. The former is now the preferred variable;
 199 the latter is the original variable. */
 200
 201 auth_vars[0] = expand_nstring[1] = msgbuf;
 202 expand_nlength[1] = Ustrlen(msgbuf);
 203 expand_nmax = 1;
 204
 205 /* clean up globals which aren't referenced, but still shouldn't be left
 206 pointing to stack memory */
 207 #define CLEANUP_RETURN(Code) do { auth_vars[0] = expand_nstring[1] = NULL; \
 208   expand_nlength[1] = expand_nmax = 0; return (Code); } while (0);
 209
 210 debug_print_string(ablock->server_debug_string);    /* customized debug */
 211
 212 /* look up password */
 213
 214 clearpass = expand_string(ob->spa_serverpassword);
 215 if (clearpass == NULL)
 216   {
 217   if (expand_string_forcedfail)
 218     {
 219     DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
 220       "expanding spa_serverpassword\n");
 221     CLEANUP_RETURN(FAIL);
 222     }
 223   else
 224     {
 225     DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
 226       "spa_serverpassword: %s\n", expand_string_message);
 227     CLEANUP_RETURN(DEFER);
 228     }
 229   }
 230
 231 /* create local hash copy */
 232
 233 spa_smb_encrypt (clearpass, challenge.challengeData, lmRespData);
 234 spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
 235
 236 /* compare NT hash (LM may not be available) */
 237
 238 if (memcmp(ntRespData,
 239       ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
 240       24) == 0)
 241   /* success. we have a winner. */
 242   {
 243   int rc = auth_check_serv_cond(ablock);
 244   CLEANUP_RETURN(rc);
 245   }
 246
 247   /* Expand server_condition as an authorization check (PH) */
 248
 249 CLEANUP_RETURN(FAIL);
 250 }
 251
 252
 253 /*************************************************
 254 *              Client entry point                *
 255 *************************************************/
 256
 257 /* For interface, see auths/README */
 258
 259 int
 260 auth_spa_client(
 261   auth_instance *ablock,                 /* authenticator block */
 262   smtp_inblock *inblock,                 /* connection inblock */
 263   smtp_outblock *outblock,               /* connection outblock */
 264   int timeout,                           /* command timeout */
 265   uschar *buffer,                        /* buffer for reading response */
 266   int buffsize)                          /* size of buffer */
 267 {
 268        auth_spa_options_block *ob =
 269                (auth_spa_options_block *)(ablock->options_block);
 270        SPAAuthRequest   request;
 271        SPAAuthChallenge challenge;
 272        SPAAuthResponse  response;
 273        char msgbuf[2048];
 274        char *domain = NULL;
 275        char *username, *password;
 276
 277        /* Code added by PH to expand the options */
 278
 279        *buffer = 0;    /* Default no message when cancelled */
 280
 281        username = CS expand_string(ob->spa_username);
 282        if (username == NULL)
 283          {
 284          if (expand_string_forcedfail) return CANCELLED;
 285          string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
 286            "authenticator: %s", ob->spa_username, ablock->name,
 287            expand_string_message);
 288          return ERROR;
 289          }
 290
 291        password = CS expand_string(ob->spa_password);
 292        if (password == NULL)
 293          {
 294          if (expand_string_forcedfail) return CANCELLED;
 295          string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
 296            "authenticator: %s", ob->spa_password, ablock->name,
 297            expand_string_message);
 298          return ERROR;
 299          }
 300
 301        if (ob->spa_domain != NULL)
 302          {
 303          domain = CS expand_string(ob->spa_domain);
 304          if (domain == NULL)
 305            {
 306            if (expand_string_forcedfail) return CANCELLED;
 307            string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
 308              "authenticator: %s", ob->spa_domain, ablock->name,
 309              expand_string_message);
 310            return ERROR;
 311            }
 312          }
 313
 314        /* Original code */
 315
 316     if (smtp_write_command(outblock, FALSE, "AUTH %s\r\n",
 317          ablock->public_name) < 0)
 318                return FAIL_SEND;
 319
 320        /* wait for the 3XX OK message */
 321        if (!smtp_read_response(inblock, (uschar *)buffer, buffsize, '3', timeout))
 322                return FAIL;
 323
 324        DSPA("\n\n%s authenticator: using domain %s\n\n",
 325                ablock->name, domain);
 326
 327        spa_build_auth_request (&request, CS username, domain);
 328        spa_bits_to_base64 (US msgbuf, (unsigned char*)&request,
 329                spa_request_length(&request));
 330
 331        DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name,
 332                msgbuf);
 333
 334        /* send the encrypted password */
 335        if (smtp_write_command(outblock, FALSE, "%s\r\n", msgbuf) < 0)
 336                return FAIL_SEND;
 337
 338        /* wait for the auth challenge */
 339        if (!smtp_read_response(inblock, (uschar *)buffer, buffsize, '3', timeout))
 340                return FAIL;
 341
 342        /* convert the challenge into the challenge struct */
 343        DSPA("\n\n%s authenticator: challenge (%s)\n\n",
 344                ablock->name, buffer + 4);
 345        spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4));
 346
 347        spa_build_auth_response (&challenge, &response,
 348                CS username, CS password);
 349        spa_bits_to_base64 (US msgbuf, (unsigned char*)&response,
 350                spa_request_length(&response));
 351        DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name,
 352                msgbuf);
 353
 354        /* send the challenge response */
 355        if (smtp_write_command(outblock, FALSE, "%s\r\n", msgbuf) < 0)
 356                return FAIL_SEND;
 357
 358        /* If we receive a success response from the server, authentication
 359        has succeeded. There may be more data to send, but is there any point
 360        in provoking an error here? */
 361        if (smtp_read_response(inblock, US buffer, buffsize, '2', timeout))
 362                return OK;
 363
 364        /* Not a success response. If errno != 0 there is some kind of transmission
 365        error. Otherwise, check the response code in the buffer. If it starts with
 366        '3', more data is expected. */
 367        if (errno != 0 || buffer[0] != '3')
 368                return FAIL;
 369
 370        return FAIL;
 371 }
 372
 373 /* End of spa.c */