[exim.git] / src / src / auths / cram_md5.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2018 */
/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */


/* The stand-alone version just tests the algorithm. We have to drag
in the MD5 computation functions, without their own stand-alone main
program. */

#ifdef STAND_ALONE
#define CRAM_STAND_ALONE
#include "md5.c"


/* This is the normal, non-stand-alone case */

#else
#include "../exim.h"
#include "cram_md5.h"

/* Options specific to the cram_md5 authentication mechanism. */

optionlist auth_cram_md5_options[] = {
  { "client_name",        opt_stringptr,
      OPT_OFF(auth_cram_md5_options_block, client_name) },
  { "client_secret",      opt_stringptr,
      OPT_OFF(auth_cram_md5_options_block, client_secret) },
  { "server_secret",      opt_stringptr,
      OPT_OFF(auth_cram_md5_options_block, server_secret) }
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_cram_md5_options_count =
  sizeof(auth_cram_md5_options)/sizeof(optionlist);

/* Default private options block for the condition authentication method. */

auth_cram_md5_options_block auth_cram_md5_option_defaults = {
  NULL,             /* server_secret */
  NULL,             /* client_secret */
  NULL              /* client_name */
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_cram_md5_init(auth_instance *ablock) {}
int auth_cram_md5_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_cram_md5_client(auth_instance *ablock, void *sx, int timeout,
    uschar *buffer, int buffsize) {return 0;}

#else	/*!MACRO_PREDEF*/


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

void
auth_cram_md5_init(auth_instance *ablock)
{
auth_cram_md5_options_block *ob =
  (auth_cram_md5_options_block *)(ablock->options_block);
if (ob->server_secret != NULL) ablock->server = TRUE;
if (ob->client_secret != NULL)
  {
  ablock->client = TRUE;
  if (ob->client_name == NULL) ob->client_name = primary_hostname;
  }
}

#endif	/*!MACRO_PREDEF*/
#endif  /* STAND_ALONE */


#ifndef MACRO_PREDEF
/*************************************************
*      Perform the CRAM-MD5 algorithm            *
*************************************************/

/* The CRAM-MD5 algorithm is described in RFC 2195. It computes

  MD5((secret XOR opad), MD5((secret XOR ipad), challenge))

where secret is padded out to 64 characters (after being reduced to an MD5
digest if longer than 64) and ipad and opad are 64-byte strings of 0x36 and
0x5c respectively, and comma means concatenation.

Arguments:
  secret         the shared secret
  challenge      the challenge text
  digest         16-byte slot to put the answer in

Returns:         nothing
*/

static void
compute_cram_md5(uschar *secret, uschar *challenge, uschar *digestptr)
{
md5 base;
int len = Ustrlen(secret);
uschar isecret[64];
uschar osecret[64];
uschar md5secret[16];

/* If the secret is longer than 64 characters, we compute its MD5 digest
and use that. */

if (len > 64)
  {
  md5_start(&base);
  md5_end(&base, US secret, len, md5secret);
  secret = US md5secret;
  len = 16;
  }

/* The key length is now known to be <= 64. Set up the padded and xor'ed
versions. */

memcpy(isecret, secret, len);
memset(isecret+len, 0, 64-len);
memcpy(osecret, isecret, 64);

for (int i = 0; i < 64; i++)
  {
  isecret[i] ^= 0x36;
  osecret[i] ^= 0x5c;
  }

/* Compute the inner MD5 digest */

md5_start(&base);
md5_mid(&base, isecret);
md5_end(&base, US challenge, Ustrlen(challenge), md5secret);

/* Compute the outer MD5 digest */

md5_start(&base);
md5_mid(&base, osecret);
md5_end(&base, md5secret, 16, digestptr);
}


#ifndef STAND_ALONE

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

int
auth_cram_md5_server(auth_instance *ablock, uschar *data)
{
auth_cram_md5_options_block *ob =
  (auth_cram_md5_options_block *)(ablock->options_block);
uschar *challenge = string_sprintf("<%d.%ld@%s>", getpid(),
    (long int) time(NULL), primary_hostname);
uschar *clear, *secret;
uschar digest[16];
int i, rc, len;

/* If we are running in the test harness, always send the same challenge,
an example string taken from the RFC. */

if (f.running_in_test_harness)
  challenge = US"<1896.697170952@postoffice.reston.mci.net>";

/* No data should have been sent with the AUTH command */

if (*data) return UNEXPECTED;

/* Send the challenge, read the return */

if ((rc = auth_get_data(&data, challenge, Ustrlen(challenge))) != OK) return rc;
if ((len = b64decode(data, &clear)) < 0) return BAD64;

/* The return consists of a user name, space-separated from the CRAM-MD5
digest, expressed in hex. Extract the user name and put it in $auth1 and $1.
The former is now the preferred variable; the latter is the original one. Then
check that the remaining length is 32. */

auth_vars[0] = expand_nstring[1] = clear;
while (*clear && !isspace(*clear)) clear++;
if (!isspace(*clear)) return FAIL;
*clear++ = 0;

expand_nlength[1] = clear - expand_nstring[1] - 1;
if (len - expand_nlength[1] - 1 != 32) return FAIL;
expand_nmax = 1;

/* Expand the server_secret string so that it can compute a value dependent on
the user name if necessary. */

debug_print_string(ablock->server_debug_string);    /* customized debugging */
secret = expand_string(ob->server_secret);

/* A forced fail implies failure of authentication - i.e. we have no secret for
the given name. */

if (secret == NULL)
  {
  if (f.expand_string_forcedfail) return FAIL;
  auth_defer_msg = expand_string_message;
  return DEFER;
  }

/* Compute the CRAM-MD5 digest that we should have received from the client. */

compute_cram_md5(secret, challenge, digest);

HDEBUG(D_auth)
  {
  uschar buff[64];
  debug_printf("CRAM-MD5: user name = %s\n", auth_vars[0]);
  debug_printf("          challenge = %s\n", challenge);
  debug_printf("          received  = %s\n", clear);
  Ustrcpy(buff, US"          digest    = ");
  for (i = 0; i < 16; i++) sprintf(CS buff+22+2*i, "%02x", digest[i]);
  debug_printf("%.54s\n", buff);
  }

/* We now have to compare the digest, which is 16 bytes in binary, with the
data received, which is expressed in lower case hex. We checked above that
there were 32 characters of data left. */

for (i = 0; i < 16; i++)
  {
  int a = *clear++;
  int b = *clear++;
  if (((((a >= 'a')? a - 'a' + 10 : a - '0') << 4) +
        ((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
  }

/* Expand server_condition as an authorization check */
return auth_check_serv_cond(ablock);
}


/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_cram_md5_client(
  auth_instance *ablock,                 /* authenticator block */
  void * sx,				 /* smtp connextion */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* for reading response */
  int buffsize)                          /* size of buffer */
{
auth_cram_md5_options_block *ob =
  (auth_cram_md5_options_block *)(ablock->options_block);
uschar *secret = expand_string(ob->client_secret);
uschar *name = expand_string(ob->client_name);
uschar *challenge, *p;
int i;
uschar digest[16];

/* If expansion of either the secret or the user name failed, return CANCELLED
or ERROR, as appropriate. */

if (!secret || !name)
  {
  if (f.expand_string_forcedfail)
    {
    *buffer = 0;           /* No message */
    return CANCELLED;
    }
  string_format(buffer, buffsize, "expansion of \"%s\" failed in "
    "%s authenticator: %s",
    !secret ? ob->client_secret : ob->client_name,
    ablock->name, expand_string_message);
  return ERROR;
  }

/* Initiate the authentication exchange and read the challenge, which arrives
in base 64. */

if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
  return FAIL_SEND;
if (!smtp_read_response(sx, buffer, buffsize, '3', timeout))
  return FAIL;

if (b64decode(buffer + 4, &challenge) < 0)
  {
  string_format(buffer, buffsize, "bad base 64 string in challenge: %s",
    big_buffer + 4);
  return ERROR;
  }

/* Run the CRAM-MD5 algorithm on the secret and the challenge */

compute_cram_md5(secret, challenge, digest);

/* Create the response from the user name plus the CRAM-MD5 digest */

string_format(big_buffer, big_buffer_size - 36, "%s", name);
for (p = big_buffer; *p; ) p++;
*p++ = ' ';

for (i = 0; i < 16; i++)
  p += sprintf(CS p, "%02x", digest[i]);

/* Send the response, in base 64, and check the result. The response is
in big_buffer, but b64encode() returns its result in working store,
so calling smtp_write_command(), which uses big_buffer, is OK. */

buffer[0] = 0;
if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(CUS big_buffer,
  p - big_buffer)) < 0) return FAIL_SEND;

return smtp_read_response(sx, US buffer, buffsize, '2', timeout)
  ? OK : FAIL;
}
#endif  /* STAND_ALONE */


/*************************************************
**************************************************
*             Stand-alone test program           *
**************************************************
*************************************************/

#ifdef STAND_ALONE

int main(int argc, char **argv)
{
int i;
uschar *secret = US argv[1];
uschar *challenge = US argv[2];
uschar digest[16];

compute_cram_md5(secret, challenge, digest);

for (i = 0; i < 16; i++) printf("%02x", digest[i]);
printf("\n");

return 0;
}

#endif

#endif	/*!MACRO_PREDEF*/
/* End of cram_md5.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
f9ba5e22	5	/* Copyright (c) University of Cambridge 1995 - 2018 */
1e1ddfac	6	/* Copyright (c) The Exim Maintainers 2020 */
0756eb3c PH	7	/* See the file NOTICE for conditions of use and distribution. */
	8
	9
	10	/* The stand-alone version just tests the algorithm. We have to drag
	11	in the MD5 computation functions, without their own stand-alone main
	12	program. */
	13
	14	#ifdef STAND_ALONE
	15	#define CRAM_STAND_ALONE
	16	#include "md5.c"
	17
	18
	19	/* This is the normal, non-stand-alone case */
	20
	21	#else
	22	#include "../exim.h"
	23	#include "cram_md5.h"
	24
	25	/* Options specific to the cram_md5 authentication mechanism. */
	26
	27	optionlist auth_cram_md5_options[] = {
	28	{ "client_name", opt_stringptr,
13a4b4c1	29	OPT_OFF(auth_cram_md5_options_block, client_name) },
0756eb3c	30	{ "client_secret", opt_stringptr,
13a4b4c1	31	OPT_OFF(auth_cram_md5_options_block, client_secret) },
0756eb3c	32	{ "server_secret", opt_stringptr,
13a4b4c1	33	OPT_OFF(auth_cram_md5_options_block, server_secret) }
0756eb3c PH	34	};
	35
	36	/* Size of the options list. An extern variable has to be used so that its
	37	address can appear in the tables drtables.c. */
	38
	39	int auth_cram_md5_options_count =
	40	sizeof(auth_cram_md5_options)/sizeof(optionlist);
	41
4c04137d	42	/* Default private options block for the condition authentication method. */
0756eb3c PH	43
	44	auth_cram_md5_options_block auth_cram_md5_option_defaults = {
	45	NULL, /* server_secret */
	46	NULL, /* client_secret */
	47	NULL /* client_name */
	48	};
	49
	50
d185889f JH	51	#ifdef MACRO_PREDEF
	52
	53	/* Dummy values */
	54	void auth_cram_md5_init(auth_instance *ablock) {}
	55	int auth_cram_md5_server(auth_instance ablock, uschar data) {return 0;}
251b9eb4 JH	56	int auth_cram_md5_client(auth_instance ablock, void sx, int timeout,
251b9eb4 JH	57	uschar *buffer, int buffsize) {return 0;}
d185889f JH	58
	59	#else /!MACRO_PREDEF/
	60
	61
0756eb3c PH	62	/*************************************************
	63	* Initialization entry point *
	64	*************************************************/
	65
	66	/* Called for each instance, after its options have been read, to
	67	enable consistency checks to be done, or anything else that needs
	68	to be set up. */
	69
	70	void
	71	auth_cram_md5_init(auth_instance *ablock)
	72	{
	73	auth_cram_md5_options_block *ob =
	74	(auth_cram_md5_options_block *)(ablock->options_block);
	75	if (ob->server_secret != NULL) ablock->server = TRUE;
	76	if (ob->client_secret != NULL)
	77	{
	78	ablock->client = TRUE;
	79	if (ob->client_name == NULL) ob->client_name = primary_hostname;
	80	}
	81	}
	82
d185889f	83	#endif /!MACRO_PREDEF/
0756eb3c PH	84	#endif /* STAND_ALONE */
	85
	86
	87
d185889f	88	#ifndef MACRO_PREDEF
0756eb3c	89	/*************************************************
4c04137d	90	* Perform the CRAM-MD5 algorithm *
0756eb3c PH	91	*************************************************/
	92
	93	/* The CRAM-MD5 algorithm is described in RFC 2195. It computes
	94
	95	MD5((secret XOR opad), MD5((secret XOR ipad), challenge))
	96
	97	where secret is padded out to 64 characters (after being reduced to an MD5
	98	digest if longer than 64) and ipad and opad are 64-byte strings of 0x36 and
	99	0x5c respectively, and comma means concatenation.
	100
	101	Arguments:
	102	secret the shared secret
	103	challenge the challenge text
	104	digest 16-byte slot to put the answer in
	105
	106	Returns: nothing
	107	*/
	108
	109	static void
	110	compute_cram_md5(uschar secret, uschar challenge, uschar *digestptr)
	111	{
	112	md5 base;
0756eb3c PH	113	int len = Ustrlen(secret);
	114	uschar isecret[64];
	115	uschar osecret[64];
	116	uschar md5secret[16];
	117
	118	/* If the secret is longer than 64 characters, we compute its MD5 digest
	119	and use that. */
	120
	121	if (len > 64)
	122	{
	123	md5_start(&base);
5903c6ff JH	124	md5_end(&base, US secret, len, md5secret);
5903c6ff JH	125	secret = US md5secret;
0756eb3c PH	126	len = 16;
	127	}
	128
	129	/* The key length is now known to be <= 64. Set up the padded and xor'ed
	130	versions. */
	131
	132	memcpy(isecret, secret, len);
	133	memset(isecret+len, 0, 64-len);
	134	memcpy(osecret, isecret, 64);
	135
d7978c0f	136	for (int i = 0; i < 64; i++)
0756eb3c PH	137	{
	138	isecret[i] ^= 0x36;
	139	osecret[i] ^= 0x5c;
	140	}
	141
	142	/* Compute the inner MD5 digest */
	143
	144	md5_start(&base);
	145	md5_mid(&base, isecret);
5903c6ff	146	md5_end(&base, US challenge, Ustrlen(challenge), md5secret);
0756eb3c PH	147
	148	/* Compute the outer MD5 digest */
	149
	150	md5_start(&base);
	151	md5_mid(&base, osecret);
	152	md5_end(&base, md5secret, 16, digestptr);
	153	}
	154
	155
	156	#ifndef STAND_ALONE
	157
	158	/*************************************************
	159	* Server entry point *
	160	*************************************************/
	161
	162	/* For interface, see auths/README */
	163
	164	int
	165	auth_cram_md5_server(auth_instance ablock, uschar data)
	166	{
	167	auth_cram_md5_options_block *ob =
	168	(auth_cram_md5_options_block *)(ablock->options_block);
438257ba PP	169	uschar *challenge = string_sprintf("<%d.%ld@%s>", getpid(),
438257ba PP	170	(long int) time(NULL), primary_hostname);
0756eb3c PH	171	uschar clear, secret;
	172	uschar digest[16];
	173	int i, rc, len;
	174
	175	/* If we are running in the test harness, always send the same challenge,
	176	an example string taken from the RFC. */
	177
8768d548	178	if (f.running_in_test_harness)
0756eb3c PH	179	challenge = US"<1896.697170952@postoffice.reston.mci.net>";
	180
	181	/* No data should have been sent with the AUTH command */
	182
5c329a43	183	if (*data) return UNEXPECTED;
0756eb3c PH	184
	185	/* Send the challenge, read the return */
	186
	187	if ((rc = auth_get_data(&data, challenge, Ustrlen(challenge))) != OK) return rc;
f4d091fb	188	if ((len = b64decode(data, &clear)) < 0) return BAD64;
0756eb3c PH	189
0756eb3c PH	190	/* The return consists of a user name, space-separated from the CRAM-MD5
f78eb7c6 PH	191	digest, expressed in hex. Extract the user name and put it in $auth1 and $1.
	192	The former is now the preferred variable; the latter is the original one. Then
	193	check that the remaining length is 32. */
0756eb3c	194
f78eb7c6	195	auth_vars[0] = expand_nstring[1] = clear;
5c329a43	196	while (clear && !isspace(clear)) clear++;
0756eb3c PH	197	if (!isspace(*clear)) return FAIL;
	198	*clear++ = 0;
	199
	200	expand_nlength[1] = clear - expand_nstring[1] - 1;
	201	if (len - expand_nlength[1] - 1 != 32) return FAIL;
	202	expand_nmax = 1;
	203
	204	/* Expand the server_secret string so that it can compute a value dependent on
	205	the user name if necessary. */
	206
	207	debug_print_string(ablock->server_debug_string); /* customized debugging */
	208	secret = expand_string(ob->server_secret);
	209
	210	/* A forced fail implies failure of authentication - i.e. we have no secret for
	211	the given name. */
	212
	213	if (secret == NULL)
	214	{
8768d548	215	if (f.expand_string_forcedfail) return FAIL;
0756eb3c PH	216	auth_defer_msg = expand_string_message;
	217	return DEFER;
	218	}
	219
	220	/* Compute the CRAM-MD5 digest that we should have received from the client. */
	221
	222	compute_cram_md5(secret, challenge, digest);
	223
	224	HDEBUG(D_auth)
	225	{
	226	uschar buff[64];
f78eb7c6	227	debug_printf("CRAM-MD5: user name = %s\n", auth_vars[0]);
0756eb3c PH	228	debug_printf(" challenge = %s\n", challenge);
0756eb3c PH	229	debug_printf(" received = %s\n", clear);
f3ebb786	230	Ustrcpy(buff, US" digest = ");
0756eb3c PH	231	for (i = 0; i < 16; i++) sprintf(CS buff+22+2*i, "%02x", digest[i]);
	232	debug_printf("%.54s\n", buff);
	233	}
	234
	235	/* We now have to compare the digest, which is 16 bytes in binary, with the
	236	data received, which is expressed in lower case hex. We checked above that
	237	there were 32 characters of data left. */
	238
	239	for (i = 0; i < 16; i++)
	240	{
	241	int a = *clear++;
	242	int b = *clear++;
	243	if (((((a >= 'a')? a - 'a' + 10 : a - '0') << 4) +
	244	((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
	245	}
	246
16ff981e PH	247	/* Expand server_condition as an authorization check */
16ff981e PH	248	return auth_check_serv_cond(ablock);
0756eb3c PH	249	}
	250
	251
	252
	253	/*************************************************
	254	* Client entry point *
	255	*************************************************/
	256
	257	/* For interface, see auths/README */
	258
	259	int
	260	auth_cram_md5_client(
	261	auth_instance ablock, / authenticator block */
251b9eb4	262	void * sx, /* smtp connextion */
0756eb3c	263	int timeout, /* command timeout */
4730f942	264	uschar buffer, / for reading response */
0756eb3c PH	265	int buffsize) /* size of buffer */
	266	{
	267	auth_cram_md5_options_block *ob =
	268	(auth_cram_md5_options_block *)(ablock->options_block);
	269	uschar *secret = expand_string(ob->client_secret);
	270	uschar *name = expand_string(ob->client_name);
	271	uschar challenge, p;
	272	int i;
	273	uschar digest[16];
	274
	275	/* If expansion of either the secret or the user name failed, return CANCELLED
4c04137d	276	or ERROR, as appropriate. */
0756eb3c	277
d129bdf7	278	if (!secret \|\| !name)
0756eb3c	279	{
8768d548	280	if (f.expand_string_forcedfail)
4730f942 PH	281	{
	282	buffer = 0; / No message */
	283	return CANCELLED;
	284	}
0756eb3c PH	285	string_format(buffer, buffsize, "expansion of \"%s\" failed in "
0756eb3c PH	286	"%s authenticator: %s",
d129bdf7	287	!secret ? ob->client_secret : ob->client_name,
0756eb3c PH	288	ablock->name, expand_string_message);
	289	return ERROR;
	290	}
	291
	292	/* Initiate the authentication exchange and read the challenge, which arrives
	293	in base 64. */
	294
251b9eb4	295	if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
0756eb3c	296	return FAIL_SEND;
251b9eb4	297	if (!smtp_read_response(sx, buffer, buffsize, '3', timeout))
0756eb3c PH	298	return FAIL;
0756eb3c PH	299
f4d091fb	300	if (b64decode(buffer + 4, &challenge) < 0)
0756eb3c PH	301	{
	302	string_format(buffer, buffsize, "bad base 64 string in challenge: %s",
	303	big_buffer + 4);
	304	return ERROR;
	305	}
	306
	307	/* Run the CRAM-MD5 algorithm on the secret and the challenge */
	308
	309	compute_cram_md5(secret, challenge, digest);
	310
	311	/* Create the response from the user name plus the CRAM-MD5 digest */
	312
	313	string_format(big_buffer, big_buffer_size - 36, "%s", name);
d129bdf7	314	for (p = big_buffer; *p; ) p++;
0756eb3c PH	315	*p++ = ' ';
	316
	317	for (i = 0; i < 16; i++)
5976eb99	318	p += sprintf(CS p, "%02x", digest[i]);
0756eb3c PH	319
0756eb3c PH	320	/* Send the response, in base 64, and check the result. The response is
f4d091fb	321	in big_buffer, but b64encode() returns its result in working store,
0756eb3c PH	322	so calling smtp_write_command(), which uses big_buffer, is OK. */
	323
	324	buffer[0] = 0;
1f20760b	325	if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(CUS big_buffer,
0756eb3c PH	326	p - big_buffer)) < 0) return FAIL_SEND;
0756eb3c PH	327
251b9eb4	328	return smtp_read_response(sx, US buffer, buffsize, '2', timeout)
d129bdf7	329	? OK : FAIL;
0756eb3c PH	330	}
	331	#endif /* STAND_ALONE */
	332
	333
	334	/*************************************************
	335	**************************************************
	336	* Stand-alone test program *
	337	**************************************************
	338	*************************************************/
	339
	340	#ifdef STAND_ALONE
	341
	342	int main(int argc, char **argv)
	343	{
	344	int i;
	345	uschar *secret = US argv[1];
	346	uschar *challenge = US argv[2];
	347	uschar digest[16];
	348
	349	compute_cram_md5(secret, challenge, digest);
	350
	351	for (i = 0; i < 16; i++) printf("%02x", digest[i]);
	352	printf("\n");
	353
	354	return 0;
	355	}
	356
	357	#endif
	358
d185889f	359	#endif /!MACRO_PREDEF/
0756eb3c	360	/* End of cram_md5.c */