c988f1f4 | 1 | /* $Cambridge: exim/src/src/auths/spa.c,v 1.4 2005/01/04 10:00:43 ph10 Exp $ */ |
2 | |
3 | /************************************************* | |
4 | * Exim - an Internet mail transport agent * | |
5 | *************************************************/ | |
6 | ||
c988f1f4 | 7 | /* Copyright (c) University of Cambridge 1995 - 2005 */ |
8 | /* See the file NOTICE for conditions of use and distribution. */ |
9 | ||
10 | /* This file, which provides support for Microsoft's Secure Password | |
11 | Authentication, was contributed by Marc Prud'hommeaux. Tom Kistner added SPA | |
12 | server support. I (PH) have only modified it in very trivial ways. | |
13 | ||
14 | References: | |
15 | http://www.innovation.ch/java/ntlm.html | |
16 | http://www.kuro5hin.org/story/2002/4/28/1436/66154 | |
17 | ||
18 | * It seems that some systems have existing but different definitions of some | |
19 | * of the following types. I received a complaint about "int16" causing | |
20 | * compilation problems. So I (PH) have renamed them all, to be on the safe | |
21 | * side, by adding 'x' on the end. See auths/auth-spa.h. | |
22 | ||
23 | * typedef signed short int16; | |
24 | * typedef unsigned short uint16; | |
25 | * typedef unsigned uint32; | |
26 | * typedef unsigned char uint8; | |
27 | ||
28 | 07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid | |
29 | input data. Find appropriate comment by grepping for "PH". | |
30 | */ | |
31 | ||
32 | ||
33 | #include "../exim.h" | |
34 | #include "spa.h" | |
35 | ||
36 | /* #define DEBUG_SPA */ | |
37 | ||
38 | #ifdef DEBUG_SPA | |
39 | #define DSPA(x,y,z) debug_printf(x,y,z) | |
40 | #else | |
41 | #define DSPA(x,y,z) | |
42 | #endif | |
43 | ||
44 | /* Options specific to the spa authentication mechanism. */ | |
45 | ||
optionlist auth_spa_options[] = {
  /* Client side: the credentials this authenticator presents to a remote
  server. Each entry maps an option name to the member of the private options
  block that receives the (unexpanded) string. NOTE(review): keep the names in
  alphabetical order - the option reader appears to rely on it; confirm in
  readconf.c. */
  { "client_domain",   opt_stringptr, (void *)offsetof(auth_spa_options_block, spa_domain) },
  { "client_password", opt_stringptr, (void *)offsetof(auth_spa_options_block, spa_password) },
  { "client_username", opt_stringptr, (void *)offsetof(auth_spa_options_block, spa_username) },
  /* Server side: an expansion that must yield the client's clear password
  (see auth_spa_server(), which expands it with $1 set to the user name). */
  { "server_password", opt_stringptr, (void *)offsetof(auth_spa_options_block, spa_serverpassword) }
};
56 | ||
57 | /* Size of the options list. An extern variable has to be used so that its | |
58 | address can appear in the tables drtables.c. */ | |
59 | ||
int auth_spa_options_count =
  sizeof(auth_spa_options) / sizeof(auth_spa_options[0]);   /* entries in auth_spa_options */
62 | ||
63 | /* Default private options block for the spa authentication method. */ | |
64 | ||
auth_spa_options_block auth_spa_option_defaults = {
  /* Positional initializer: the order must match the member order of
  auth_spa_options_block in auth-spa.h. The trailing comments record the order
  this file assumes - verify against the header if members are added or moved.
  Every option starts out unset; auth_spa_init() derives the client/server
  roles from which ones the configuration fills in. */
  NULL,              /* spa_password */
  NULL,              /* spa_username */
  NULL,              /* spa_domain */
  NULL               /* spa_serverpassword (for server side use) */
};
71 | ||
72 | ||
73 | /************************************************* | |
74 | * Initialization entry point * | |
75 | *************************************************/ | |
76 | ||
77 | /* Called for each instance, after its options have been read, to | |
78 | enable consistency checks to be done, or anything else that needs | |
79 | to be set up. */ | |
80 | ||
/* Per-instance initialization, run after the instance's options have been
read. Fills in the public name, decides whether the instance acts as a client
and/or a server, and rejects a half-configured client.

Argument:  ablock   the authenticator instance
Returns:   nothing; a configuration error is reported via log_write() with
           LOG_PANIC_DIE|LOG_CONFIG_FOR
*/

void
auth_spa_init(auth_instance *ablock)
{
auth_spa_options_block *opts =
  (auth_spa_options_block *)(ablock->options_block);
int have_username = opts->spa_username != NULL;
int have_password = opts->spa_password != NULL;

/* Fall back to the authenticator's own name when no public name was given */

if (ablock->public_name == NULL)
  ablock->public_name = ablock->name;

/* Client operation needs both client_username and client_password; exactly
one of them being set is a configuration error */

if (have_username != have_password)
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:\n "
    "one of client_username and client_password cannot be set without "
    "the other", ablock->name);

/* Either both are set or neither; both set means this instance is a client */

ablock->client = have_username;

/* Server operation is enabled solely by server_password */

ablock->server = opts->spa_serverpassword != NULL;
}
103 | ||
104 | ||
105 | ||
106 | /************************************************* | |
107 | * Server entry point * | |
108 | *************************************************/ | |
109 | ||
110 | /* For interface, see auths/README */ | |
111 | ||
112 | #define CVAL(buf,pos) (((unsigned char *)(buf))[pos]) | |
113 | #define PVAL(buf,pos) ((unsigned)CVAL(buf,pos)) | |
114 | #define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8) | |
115 | #define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16) | |
116 | ||
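/* Compare n bytes of two buffers without stopping at the first mismatch, so
the time taken does not reveal how many leading bytes of a guessed hash were
correct. Returns 1 when the buffers are equal, 0 otherwise. */

static int
spa_bytes_equal(const void *a, const void *b, size_t n)
{
const unsigned char *pa = (const unsigned char *)a;
const unsigned char *pb = (const unsigned char *)b;
unsigned diff = 0;
size_t i;
for (i = 0; i < n; i++) diff |= (unsigned)(pa[i] ^ pb[i]);
return diff == 0;
}

/* Server-side SPA/NTLM exchange. For interface, see auths/README.

Arguments:
  ablock   the authenticator instance
  data     the data that arrived with the AUTH command; auth_get_no64_data()
           replaces it with each further line read from the client

Returns:   OK     the client's NT response matches the expected password
           FAIL   malformed, undecodable or oversize data from the client, or
                  a forced-fail expansion of server_password, or no match
           DEFER  expansion of server_password failed for another reason

Every offset and length read out of the client's response is client-supplied
and indexes into the response structure itself; each is checked against
sizeof(response) before use. */

int
auth_spa_server(auth_instance *ablock, uschar *data)
{
auth_spa_options_block *ob = (auth_spa_options_block *)(ablock->options_block);
uint8x lmRespData[24];
uint8x ntRespData[24];
SPAAuthRequest request;
SPAAuthChallenge challenge;
SPAAuthResponse response;
SPAAuthResponse *responseptr = &response;
uschar msgbuf[2048];
uschar *clearpass;
unsigned user_offset, user_len, nt_offset;

/* Zero the structures that are filled from client data, so that any part the
decoder does not write (short input) holds zeros rather than stale stack
contents, which would otherwise be interpreted as offsets and lengths below. */

memset(&request, 0, sizeof(request));
memset(&response, 0, sizeof(response));

/* send a 334, MS Exchange style, and grab the client's request */

if (auth_get_no64_data(&data, US"NTLM supported") != OK)
  {
  /* something borked */
  return FAIL;
  }

if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "request: %s\n", data);
  return FAIL;
  }

/* create a challenge and send it back */

spa_build_auth_challenge(&request,&challenge);
spa_bits_to_base64 (msgbuf, (unsigned char*)&challenge,
  spa_request_length(&challenge));

if (auth_get_no64_data(&data, msgbuf) != OK)
  {
  /* something borked */
  return FAIL;
  }

/* dump client response */
if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "response: %s\n", data);
  return FAIL;
  }

/* Validate the client-supplied offsets and lengths before dereferencing
anything through them. The user name is UTF-16, so its byte length is twice
the unit count; the NT response is a fixed 24 bytes. IVAL/SVAL yield
unsigned values, so the arithmetic below cannot go negative. */

user_offset = IVAL(&responseptr->uUser.offset,0);
user_len = SVAL(&responseptr->uUser.len,0)/2;
nt_offset = IVAL(&responseptr->ntResponse.offset,0);

if (user_offset > sizeof(response) ||
    (size_t)user_len * 2 > sizeof(response) - user_offset)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): user name offset/length "
    "outside response data\n");
  return FAIL;
  }

if (nt_offset > sizeof(response) || sizeof(response) - nt_offset < 24)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): NT response offset "
    "outside response data\n");
  return FAIL;
  }

/* get username and put it in $1 */

/***************************************************************
PH 07-Aug-2003: The original code here was this:

  Ustrcpy(msgbuf, unicodeToString(((char*)responseptr) +
    IVAL(&responseptr->uUser.offset,0),
    SVAL(&responseptr->uUser.len,0)/2) );

However, if the response data is too long, unicodeToString bombs out on
an assertion failure. It uses a 1024 fixed buffer. Bombing out is not a good
idea. It's too messy to try to rework that function to return an error because
it is called from a number of other places in the auth-spa.c module. Instead,
since it is a very small function, I reproduce its code here, with a size check
that causes failure if the size of msgbuf is exceeded. Only the low 7 bits of
each UTF-16 unit are kept, i.e. the name is reduced to ASCII. ****/

  {
  unsigned i;
  char *p = ((char*)responseptr) + user_offset;

  if (user_len + 1 >= sizeof(msgbuf)) return FAIL;
  for (i = 0; i < user_len; ++i)
    {
    msgbuf[i] = *p & 0x7f;
    p += 2;
    }
  msgbuf[i] = 0;
  }

/***************************************************************/

expand_nstring[1] = msgbuf;
expand_nlength[1] = Ustrlen(msgbuf);
expand_nmax = 1;

/* look up password: server_password is expanded with $1 = the user name */

clearpass = expand_string(ob->spa_serverpassword);
if (clearpass == NULL)
  {
  if (expand_string_forcedfail)
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
      "expanding spa_serverpassword\n");
    return FAIL;
    }
  else
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
      "spa_serverpassword: %s\n", expand_string_message);
    return DEFER;
    }
  }

/* create local hash copy. The LM response is computed but, as below, only the
NT response is compared. */

spa_smb_encrypt (clearpass, challenge.challengeData, lmRespData);
spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);

/* compare NT hash (LM may not be available); nt_offset was range-checked
above, so the 24 bytes lie inside the response structure */

if (spa_bytes_equal(ntRespData, ((unsigned char*)responseptr) + nt_offset, 24))
  /* success. we have a winner. */
  return OK;

return FAIL;
}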
235 | ||
236 | ||
237 | /************************************************* | |
238 | * Client entry point * | |
239 | *************************************************/ | |
240 | ||
241 | /* For interface, see auths/README */ | |
242 | ||
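/* Client-side SPA/NTLM exchange. For interface, see auths/README.

Arguments:
  ablock    authenticator block
  inblock   connection inblock
  outblock  connection outblock
  timeout   command timeout
  buffer    buffer for reading responses; on ERROR and on an undecodable
            challenge it receives an explanatory message instead
  buffsize  size of buffer

Returns:    OK         the server accepted the challenge response
            FAIL       the server did not give the expected reply at some step,
                       or its challenge was not valid base64
            FAIL_SEND  writing a command to the server failed
            CANCELLED  an option expansion forced failure
            ERROR      an option expansion failed (message left in buffer)
*/

int
auth_spa_client(
  auth_instance *ablock,                 /* authenticator block */
  smtp_inblock *inblock,                 /* connection inblock */
  smtp_outblock *outblock,               /* connection outblock */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* buffer for reading response */
  int buffsize)                          /* size of buffer */
{
auth_spa_options_block *ob =
  (auth_spa_options_block *)(ablock->options_block);
SPAAuthRequest request;
SPAAuthChallenge challenge;
SPAAuthResponse response;
char msgbuf[2048];
char *domain = NULL;
char *username, *password;

/* Code added by PH to expand the options */

username = CS expand_string(ob->spa_username);
if (username == NULL)
  {
  if (expand_string_forcedfail) return CANCELLED;
  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
    "authenticator: %s", ob->spa_username, ablock->name,
    expand_string_message);
  return ERROR;
  }

password = CS expand_string(ob->spa_password);
if (password == NULL)
  {
  if (expand_string_forcedfail) return CANCELLED;
  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
    "authenticator: %s", ob->spa_password, ablock->name,
    expand_string_message);
  return ERROR;
  }

/* client_domain is optional; domain stays NULL when it is not configured and
is passed through to spa_build_auth_request() as such (original behaviour) */

if (ob->spa_domain != NULL)
  {
  domain = CS expand_string(ob->spa_domain);
  if (domain == NULL)
    {
    if (expand_string_forcedfail) return CANCELLED;
    string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
      "authenticator: %s", ob->spa_domain, ablock->name,
      expand_string_message);
    return ERROR;
    }
  }

/* Original code */

if (smtp_write_command(outblock, FALSE, "AUTH %s\r\n",
      ablock->public_name) < 0)
  return FAIL_SEND;

/* wait for the 3XX OK message */
if (!smtp_read_response(inblock, (uschar *)buffer, buffsize, '3', timeout))
  return FAIL;

/* The debug trace must not hand a NULL domain to %s */
DSPA("\n\n%s authenticator: using domain %s\n\n",
  ablock->name, domain == NULL ? "(none)" : domain);

spa_build_auth_request (&request, CS username, domain);
spa_bits_to_base64 (US msgbuf, (unsigned char*)&request,
  spa_request_length(&request));

DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name,
  msgbuf);

/* send the negotiate request (the password itself is never sent) */
if (smtp_write_command(outblock, FALSE, "%s\r\n", msgbuf) < 0)
  return FAIL_SEND;

/* wait for the auth challenge */
if (!smtp_read_response(inblock, (uschar *)buffer, buffsize, '3', timeout))
  return FAIL;

/* convert the challenge into the challenge struct. The base64 text is taken
to start 4 bytes in, presumably after the 3-digit reply code and a space -
confirm that smtp_read_response() guarantees at least that much. The struct
is zeroed first and the decode result checked, so a truncated or corrupt
challenge is refused rather than used half-filled. */
DSPA("\n\n%s authenticator: challenge (%s)\n\n",
  ablock->name, buffer + 4);
memset(&challenge, 0, sizeof(challenge));
if (spa_base64_to_bits((char *)(&challenge), sizeof(challenge),
      (const char *)(buffer + 4)) < 0)
  {
  string_format(buffer, buffsize, "%s authenticator: bad base64 data in "
    "server challenge", ablock->name);
  return FAIL;
  }

spa_build_auth_response (&challenge, &response,
  CS username, CS password);
spa_bits_to_base64 (US msgbuf, (unsigned char*)&response,
  spa_request_length(&response));
DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name,
  msgbuf);

/* send the challenge response */
if (smtp_write_command(outblock, FALSE, "%s\r\n", msgbuf) < 0)
  return FAIL_SEND;

/* If we receive a success response from the server, authentication
has succeeded. There may be more data to send, but is there any point
in provoking an error here? */
if (smtp_read_response(inblock, US buffer, buffsize, '2', timeout))
  return OK;

/* Not a success response. If errno != 0 there is some kind of transmission
error; otherwise the server either rejected us or (a '3' code) wants more data,
which we have no way to supply. All of these end the same way. */
return FAIL;
}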
354 | ||
355 | /* End of spa.c */ |