| 1 | /************************************************* |
| 2 | * Exim - an Internet mail transport agent * |
| 3 | *************************************************/ |
| 4 | |
| 5 | /* Copyright (c) Jeremy Harris 2019-2020 */ |
| 6 | /* See the file NOTICE for conditions of use and distribution. */ |
| 7 | |
| 8 | /* This file provides an Exim authenticator driver for |
| 9 | a server to verify a client SSL certificate, using the EXTERNAL |
| 10 | method defined in RFC 4422 Appendix A. |
| 11 | */ |
| 12 | |
| 13 | |
| 14 | #include "../exim.h" |
| 15 | #include "external.h" |
| 16 | |
| 17 | /* Options specific to the external authentication mechanism. */ |
| 18 | |
| 19 | optionlist auth_external_options[] = { |
| 20 | { "client_send", opt_stringptr, OPT_OFF(auth_external_options_block, client_send) }, |
| 21 | { "server_param2", opt_stringptr, OPT_OFF(auth_external_options_block, server_param2) }, |
| 22 | { "server_param3", opt_stringptr, OPT_OFF(auth_external_options_block, server_param3) }, |
| 23 | }; |
| 24 | |
| 25 | /* Size of the options list. An extern variable has to be used so that its |
| 26 | address can appear in the tables drtables.c. */ |
| 27 | |
| 28 | int auth_external_options_count = nelem(auth_external_options); |
| 29 | |
| 30 | /* Default private options block for the authentication method. */ |
| 31 | |
| 32 | auth_external_options_block auth_external_option_defaults = { |
| 33 | .server_param2 = NULL, |
| 34 | .server_param3 = NULL, |
| 35 | |
| 36 | .client_send = NULL, |
| 37 | }; |
| 38 | |
| 39 | |
| 40 | #ifdef MACRO_PREDEF |
| 41 | |
| 42 | /* Dummy values */ |
| 43 | void auth_external_init(auth_instance *ablock) {} |
| 44 | int auth_external_server(auth_instance *ablock, uschar *data) {return 0;} |
| 45 | int auth_external_client(auth_instance *ablock, void * sx, |
| 46 | int timeout, uschar *buffer, int buffsize) {return 0;} |
| 47 | |
| 48 | #else /*!MACRO_PREDEF*/ |
| 49 | |
| 50 | |
| 51 | |
| 52 | |
| 53 | /************************************************* |
| 54 | * Initialization entry point * |
| 55 | *************************************************/ |
| 56 | |
| 57 | /* Called for each instance, after its options have been read, to |
| 58 | enable consistency checks to be done, or anything else that needs |
| 59 | to be set up. */ |
| 60 | |
| 61 | void |
| 62 | auth_external_init(auth_instance *ablock) |
| 63 | { |
| 64 | auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block; |
| 65 | if (!ablock->public_name) ablock->public_name = ablock->name; |
| 66 | if (ablock->server_condition) ablock->server = TRUE; |
| 67 | if (ob->client_send) ablock->client = TRUE; |
| 68 | } |
| 69 | |
| 70 | |
| 71 | |
| 72 | /************************************************* |
| 73 | * Server entry point * |
| 74 | *************************************************/ |
| 75 | |
| 76 | /* For interface, see auths/README */ |
| 77 | |
| 78 | int |
| 79 | auth_external_server(auth_instance * ablock, uschar * data) |
| 80 | { |
| 81 | auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block; |
| 82 | int rc; |
| 83 | |
| 84 | /* If data was supplied on the AUTH command, decode it, and split it up into |
| 85 | multiple items at binary zeros. The strings are put into $auth1, $auth2, etc, |
| 86 | up to a maximum. To retain backwards compatibility, they are also put int $1, |
| 87 | $2, etc. If the data consists of the string "=" it indicates a single, empty |
| 88 | string. */ |
| 89 | |
| 90 | if (*data) |
| 91 | if ((rc = auth_read_input(data)) != OK) |
| 92 | return rc; |
| 93 | |
| 94 | /* Now go through the list of prompt strings. Skip over any whose data has |
| 95 | already been provided as part of the AUTH command. For the rest, send them |
| 96 | out as prompts, and get a data item back. If the data item is "*", abandon the |
| 97 | authentication attempt. Otherwise, split it into items as above. */ |
| 98 | |
| 99 | if (expand_nmax == 0) /* skip if rxd data */ |
| 100 | if ((rc = auth_prompt(CUS"")) != OK) |
| 101 | return rc; |
| 102 | |
| 103 | if (ob->server_param2) |
| 104 | { |
| 105 | uschar * s = expand_string(ob->server_param2); |
| 106 | auth_vars[expand_nmax] = s; |
| 107 | expand_nstring[++expand_nmax] = s; |
| 108 | expand_nlength[expand_nmax] = Ustrlen(s); |
| 109 | if (ob->server_param3) |
| 110 | { |
| 111 | s = expand_string(ob->server_param3); |
| 112 | auth_vars[expand_nmax] = s; |
| 113 | expand_nstring[++expand_nmax] = s; |
| 114 | expand_nlength[expand_nmax] = Ustrlen(s); |
| 115 | } |
| 116 | } |
| 117 | |
| 118 | return auth_check_serv_cond(ablock); |
| 119 | } |
| 120 | |
| 121 | |
| 122 | |
| 123 | /************************************************* |
| 124 | * Client entry point * |
| 125 | *************************************************/ |
| 126 | |
| 127 | /* For interface, see auths/README */ |
| 128 | |
| 129 | int |
| 130 | auth_external_client( |
| 131 | auth_instance *ablock, /* authenticator block */ |
| 132 | void * sx, /* smtp connextion */ |
| 133 | int timeout, /* command timeout */ |
| 134 | uschar *buffer, /* buffer for reading response */ |
| 135 | int buffsize) /* size of buffer */ |
| 136 | { |
| 137 | auth_external_options_block *ob = |
| 138 | (auth_external_options_block *)(ablock->options_block); |
| 139 | const uschar * text = ob->client_send; |
| 140 | int rc; |
| 141 | |
| 142 | /* We output an AUTH command with one expanded argument, the client_send option */ |
| 143 | |
| 144 | if ((rc = auth_client_item(sx, ablock, &text, AUTH_ITEM_FIRST | AUTH_ITEM_LAST, |
| 145 | timeout, buffer, buffsize)) != OK) |
| 146 | return rc == DEFER ? FAIL : rc; |
| 147 | |
| 148 | if (text) auth_vars[0] = string_copy(text); |
| 149 | return OK; |
| 150 | } |
| 151 | |
| 152 | |
| 153 | |
| 154 | #endif /*!MACRO_PREDEF*/ |
| 155 | /* End of external.c */ |