Commit | Line | Data |
---|---|---|
b53c265b JH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
1e1ddfac | 5 | /* Copyright (c) Jeremy Harris 2019-2020 */ |
b53c265b JH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* This file provides an Exim authenticator driver for | |
9 | a server to verify a client SSL certificate, using the EXTERNAL | |
10 | method defined in RFC 4422 Appendix A. | |
11 | */ | |
12 | ||
13 | ||
14 | #include "../exim.h" | |
15 | #include "external.h" | |
16 | ||
17 | /* Options specific to the external authentication mechanism. */ | |
18 | ||
19 | optionlist auth_external_options[] = { | |
23f2e90d JH |
20 | { "client_send", opt_stringptr, OPT_OFF(auth_external_options_block, client_send) }, |
21 | { "server_param2", opt_stringptr, OPT_OFF(auth_external_options_block, server_param2) }, | |
22 | { "server_param3", opt_stringptr, OPT_OFF(auth_external_options_block, server_param3) }, | |
b53c265b JH |
23 | }; |
24 | ||
25 | /* Size of the options list. An extern variable has to be used so that its | |
26 | address can appear in the tables drtables.c. */ | |
27 | ||
28 | int auth_external_options_count = nelem(auth_external_options); | |
29 | ||
30 | /* Default private options block for the authentication method. */ | |
31 | ||
32 | auth_external_options_block auth_external_option_defaults = { | |
33 | .server_param2 = NULL, | |
34 | .server_param3 = NULL, | |
35 | ||
36 | .client_send = NULL, | |
37 | }; | |
38 | ||
39 | ||
40 | #ifdef MACRO_PREDEF | |
41 | ||
42 | /* Dummy values */ | |
43 | void auth_external_init(auth_instance *ablock) {} | |
44 | int auth_external_server(auth_instance *ablock, uschar *data) {return 0;} | |
45 | int auth_external_client(auth_instance *ablock, void * sx, | |
46 | int timeout, uschar *buffer, int buffsize) {return 0;} | |
47 | ||
48 | #else /*!MACRO_PREDEF*/ | |
49 | ||
50 | ||
51 | ||
52 | ||
53 | /************************************************* | |
54 | * Initialization entry point * | |
55 | *************************************************/ | |
56 | ||
57 | /* Called for each instance, after its options have been read, to | |
58 | enable consistency checks to be done, or anything else that needs | |
59 | to be set up. */ | |
60 | ||
61 | void | |
62 | auth_external_init(auth_instance *ablock) | |
63 | { | |
64 | auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block; | |
65 | if (!ablock->public_name) ablock->public_name = ablock->name; | |
66 | if (ablock->server_condition) ablock->server = TRUE; | |
67 | if (ob->client_send) ablock->client = TRUE; | |
68 | } | |
69 | ||
70 | ||
71 | ||
72 | /************************************************* | |
73 | * Server entry point * | |
74 | *************************************************/ | |
75 | ||
76 | /* For interface, see auths/README */ | |
77 | ||
78 | int | |
79 | auth_external_server(auth_instance * ablock, uschar * data) | |
80 | { | |
81 | auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block; | |
82 | int rc; | |
83 | ||
84 | /* If data was supplied on the AUTH command, decode it, and split it up into | |
85 | multiple items at binary zeros. The strings are put into $auth1, $auth2, etc, | |
86 | up to a maximum. To retain backwards compatibility, they are also put int $1, | |
87 | $2, etc. If the data consists of the string "=" it indicates a single, empty | |
88 | string. */ | |
89 | ||
90 | if (*data) | |
91 | if ((rc = auth_read_input(data)) != OK) | |
92 | return rc; | |
93 | ||
94 | /* Now go through the list of prompt strings. Skip over any whose data has | |
95 | already been provided as part of the AUTH command. For the rest, send them | |
96 | out as prompts, and get a data item back. If the data item is "*", abandon the | |
97 | authentication attempt. Otherwise, split it into items as above. */ | |
98 | ||
99 | if (expand_nmax == 0) /* skip if rxd data */ | |
100 | if ((rc = auth_prompt(CUS"")) != OK) | |
101 | return rc; | |
102 | ||
103 | if (ob->server_param2) | |
104 | { | |
105 | uschar * s = expand_string(ob->server_param2); | |
106 | auth_vars[expand_nmax] = s; | |
107 | expand_nstring[++expand_nmax] = s; | |
108 | expand_nlength[expand_nmax] = Ustrlen(s); | |
109 | if (ob->server_param3) | |
110 | { | |
111 | s = expand_string(ob->server_param3); | |
112 | auth_vars[expand_nmax] = s; | |
113 | expand_nstring[++expand_nmax] = s; | |
114 | expand_nlength[expand_nmax] = Ustrlen(s); | |
115 | } | |
116 | } | |
117 | ||
118 | return auth_check_serv_cond(ablock); | |
119 | } | |
120 | ||
121 | ||
122 | ||
123 | /************************************************* | |
124 | * Client entry point * | |
125 | *************************************************/ | |
126 | ||
127 | /* For interface, see auths/README */ | |
128 | ||
129 | int | |
130 | auth_external_client( | |
131 | auth_instance *ablock, /* authenticator block */ | |
132 | void * sx, /* smtp connextion */ | |
133 | int timeout, /* command timeout */ | |
134 | uschar *buffer, /* buffer for reading response */ | |
135 | int buffsize) /* size of buffer */ | |
136 | { | |
137 | auth_external_options_block *ob = | |
138 | (auth_external_options_block *)(ablock->options_block); | |
139 | const uschar * text = ob->client_send; | |
140 | int rc; | |
141 | ||
142 | /* We output an AUTH command with one expanded argument, the client_send option */ | |
143 | ||
144 | if ((rc = auth_client_item(sx, ablock, &text, AUTH_ITEM_FIRST | AUTH_ITEM_LAST, | |
145 | timeout, buffer, buffsize)) != OK) | |
146 | return rc == DEFER ? FAIL : rc; | |
147 | ||
148 | if (text) auth_vars[0] = string_copy(text); | |
149 | return OK; | |
150 | } | |
151 | ||
152 | ||
153 | ||
154 | #endif /*!MACRO_PREDEF*/ | |
155 | /* End of external.c */ |