#include "auth-common.h"
#include "mech.h"
#include "passdb.h"
#include "md5.h"
#include "buffer.h"
#include "auth-client-connection.h"
#include "auth-master-connection.h"
#include <stdio.h>
#include <unistd.h>
struct apop_auth_request {
struct auth_request auth_request;
pool_t pool;
char *challenge;
unsigned char response_digest[16];
};
#ifdef APPLE_OS_X_SERVER
#include "db-od.h"
static bool verify_credentials(struct apop_auth_request *request ATTR_UNUSED,
const unsigned char *credentials, size_t size)
{
if ( (size != 0) && (strcmp( (const char *)credentials, kCRAM_APOP_AuthSuccess ) == 0) )
{
return( TRUE );
}
return( FALSE );
}
#else
static bool verify_credentials(struct apop_auth_request *request,
const unsigned char *credentials, size_t size)
{
unsigned char digest[16];
struct md5_context ctx;
md5_init(&ctx);
md5_update(&ctx, request->challenge, strlen(request->challenge));
md5_update(&ctx, credentials, size);
md5_final(&ctx, digest);
return memcmp(digest, request->response_digest, 16) == 0;
}
#endif
static void
apop_credentials_callback(enum passdb_result result,
const unsigned char *credentials, size_t size,
struct auth_request *auth_request)
{
struct apop_auth_request *request =
(struct apop_auth_request *)auth_request;
switch (result) {
case PASSDB_RESULT_OK:
if (verify_credentials(request, credentials, size))
auth_request_success(auth_request, NULL, 0);
else
auth_request_fail(auth_request);
break;
case PASSDB_RESULT_INTERNAL_FAILURE:
auth_request_internal_failure(auth_request);
break;
default:
auth_request_fail(auth_request);
break;
}
}
static void
mech_apop_auth_initial(struct auth_request *auth_request,
const unsigned char *data, size_t data_size)
{
struct apop_auth_request *request =
(struct apop_auth_request *)auth_request;
const unsigned char *tmp, *end, *username = NULL;
unsigned long pid, connect_uid, timestamp;
const char *error;
if (data_size == 0) {
auth_request_log_info(auth_request, "apop",
"no initial respone");
auth_request_fail(auth_request);
return;
}
tmp = data;
end = data + data_size;
while (tmp != end && *tmp != '\0')
tmp++;
request->challenge = p_strdup_until(request->pool, data, tmp);
if (tmp != end) {
username = ++tmp;
while (tmp != end && *tmp != '\0')
tmp++;
}
if (tmp + 1 + 16 != end) {
auth_request_log_info(auth_request, "apop", "malformed data");
auth_request_fail(auth_request);
return;
}
memcpy(request->response_digest, tmp + 1,
sizeof(request->response_digest));
if (sscanf(request->challenge, "<%lx.%lx.%lx.",
&pid, &connect_uid, ×tamp) != 3 ||
connect_uid != auth_request->connect_uid ||
pid != (unsigned long)getpid() ||
(time_t)timestamp < process_start_time) {
auth_request_log_info(auth_request, "apop",
"invalid challenge");
auth_request_fail(auth_request);
return;
}
if (!auth_request_set_username(auth_request, (const char *)username,
&error)) {
auth_request_log_info(auth_request, "apop", "%s", error);
auth_request_fail(auth_request);
return;
}
auth_request_lookup_credentials(auth_request, "PLAIN",
apop_credentials_callback);
}
static struct auth_request *mech_apop_auth_new(void)
{
struct apop_auth_request *request;
pool_t pool;
pool = pool_alloconly_create("apop_auth_request", 1024);
request = p_new(pool, struct apop_auth_request, 1);
request->pool = pool;
request->auth_request.pool = pool;
return &request->auth_request;
}
const struct mech_module mech_apop = {
"APOP",
.flags = MECH_SEC_PRIVATE | MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
.passdb_need = MECH_PASSDB_NEED_VERIFY_RESPONSE,
mech_apop_auth_new,
mech_apop_auth_initial,
NULL,
mech_generic_auth_free
};