#include <sys_defs.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE_OS_X_SERVER__
#include <syslog.h>
#include <stdio.h>
#include <sys/stat.h>
#endif
#include <msg.h>
#include <mymalloc.h>
#include <stringops.h>
#include <mail_params.h>
#include <xsasl.h>
#include "smtpd.h"
#include "smtpd_sasl_glue.h"
#include "smtpd_chat.h"
#ifdef __APPLE_OS_X_SERVER__
#include <DirectoryService/DirServices.h>
#include <DirectoryService/DirServicesUtils.h>
#include <DirectoryService/DirServicesConst.h>
#include <CoreFoundation/CFData.h>
#include <CoreFoundation/CFString.h>
#include <CoreFoundation/CFNumber.h>
#include <CoreFoundation/CFPropertyList.h>
#include <Kerberos/gssapi_krb5.h>
#include <mach/boolean.h>
#endif
#ifdef USE_SASL_AUTH
#define STR(s) vstring_str(s)
static XSASL_SERVER_IMPL *smtpd_sasl_impl;
#ifdef __APPLE_OS_X_SERVER__
void log_errors ( char *inName, OM_uint32 inMajor, OM_uint32 inMinor );
static NAME_MASK smtpd_pw_server_mask[] = {
"none", PW_SERVER_NONE,
"login", PW_SERVER_LOGIN,
"plain", PW_SERVER_PLAIN,
"cram-md5", PW_SERVER_CRAM_MD5,
"gssapi", PW_SERVER_GSSAPI,
0,
};
#endif
#ifdef __APPLE_OS_X_SERVER__
void smtpd_sasl_initialize( int in_use_pw_server )
{
if ( in_use_pw_server )
{
smtpd_pw_server_sasl_opts = name_mask( VAR_SMTPD_PW_SERVER_OPTS, smtpd_pw_server_mask,
var_smtpd_pw_server_opts );
}
#else
void smtpd_sasl_initialize(void)
{
#endif
if (smtpd_sasl_impl)
msg_panic("smtpd_sasl_initialize: repeated call");
if ((smtpd_sasl_impl = xsasl_server_init(var_smtpd_sasl_type,
var_smtpd_sasl_path)) == 0)
msg_fatal("SASL per-process initialization failed");
}
void smtpd_sasl_connect(SMTPD_STATE *state, const char *sasl_opts_name,
const char *sasl_opts_val)
{
const char *mechanism_list;
state->sasl_reply = vstring_alloc(20);
state->sasl_mechanism_list = 0;
state->sasl_username = 0;
state->sasl_method = 0;
state->sasl_sender = 0;
#define SMTPD_SASL_SERVICE "smtp"
if ((state->sasl_server =
xsasl_server_create(smtpd_sasl_impl, state->client,
SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
var_smtpd_sasl_realm : (char *) 0,
sasl_opts_val)) == 0)
msg_fatal("SASL per-connection initialization failed");
if ((mechanism_list =
xsasl_server_get_mechanism_list(state->sasl_server)) == 0)
msg_fatal("no SASL authentication mechanisms");
state->sasl_mechanism_list = mystrdup(mechanism_list);
}
void smtpd_sasl_disconnect(SMTPD_STATE *state)
{
if (state->sasl_reply) {
vstring_free(state->sasl_reply);
state->sasl_reply = 0;
}
if (state->sasl_mechanism_list) {
myfree(state->sasl_mechanism_list);
state->sasl_mechanism_list = 0;
}
if (state->sasl_username) {
myfree(state->sasl_username);
state->sasl_username = 0;
}
if (state->sasl_method) {
myfree(state->sasl_method);
state->sasl_method = 0;
}
if (state->sasl_sender) {
myfree(state->sasl_sender);
state->sasl_sender = 0;
}
if (state->sasl_server) {
xsasl_server_free(state->sasl_server);
state->sasl_server = 0;
}
}
int smtpd_sasl_authenticate(SMTPD_STATE *state,
const char *sasl_method,
const char *init_response)
{
int status;
const char *sasl_username;
for (status = xsasl_server_first(state->sasl_server, sasl_method,
init_response, state->sasl_reply);
status == XSASL_AUTH_MORE;
status = xsasl_server_next(state->sasl_server, STR(state->buffer),
state->sasl_reply)) {
smtpd_chat_reply(state, "334 %s", STR(state->sasl_reply));
smtpd_chat_query(state);
if (strcmp(STR(state->buffer), "*") == 0) {
msg_warn("%s[%s]: SASL %s authentication aborted",
state->name, state->addr, sasl_method);
smtpd_chat_reply(state, "501 5.7.0 Authentication aborted");
return (-1);
}
}
if (status != XSASL_AUTH_DONE) {
msg_warn("%s[%s]: SASL %s authentication failed: %s",
state->name, state->addr, sasl_method,
STR(state->sasl_reply));
smtpd_chat_reply(state, "535 5.7.0 Error: authentication failed: %s",
STR(state->sasl_reply));
return (-1);
}
smtpd_chat_reply(state, "235 2.0.0 Authentication successful");
if ((sasl_username = xsasl_server_get_username(state->sasl_server)) == 0)
msg_panic("cannot look up the authenticated SASL username");
state->sasl_username = mystrdup(sasl_username);
printable(state->sasl_username, '?');
state->sasl_method = mystrdup(sasl_method);
printable(state->sasl_method, '?');
return (0);
}
void smtpd_sasl_logout(SMTPD_STATE *state)
{
if (state->sasl_username) {
myfree(state->sasl_username);
state->sasl_username = 0;
}
if (state->sasl_method) {
myfree(state->sasl_method);
state->sasl_method = 0;
}
}
#ifdef __APPLE_OS_X_SERVER__
static tDirStatus sOpen_ds ( tDirReference *inOutDirRef );
static tDirStatus sGet_search_node ( tDirReference inDirRef, tDirNodeReference *outSearchNodeRef );
static tDirStatus sLook_up_user ( tDirReference inDirRef, tDirNodeReference inSearchNodeRef, const char *inUserID, char **outUserLocation );
static tDirStatus sOpen_user_node ( tDirReference inDirRef, const char *inUserLoc, tDirNodeReference *outUserNodeRef );
static int sValidateResponse ( const char *inUserID, const char *inChallenge, const char *inResponse, const char *inAuthType );
static int sDoCryptAuth ( tDirReference inDirRef, tDirNodeReference inUserNodeRef, const char *inUserID, const char *inPasswd );
static int sEncodeBase64 ( const char *inStr, const int inLen, char *outStr, int outLen );
static int sDecodeBase64 ( const char *inStr, const int inLen, char *outStr, int outLen, int *destLen );
static int sClearTextCrypt ( const char *inUserID, const char *inPasswd );
static int gss_Init ( void );
static int get_principal_str ( char *inOutBuf, int inSize );
static int get_realm_form_creds( char *inBuffer, int inSize );
static char * get_server_principal( void );
static OM_uint32 display_name ( const gss_name_t principalName );
#define MAX_USER_BUF_SIZE 512
#define MAX_CHAL_BUF_SIZE 2048
#define MAX_IO_BUF_SIZE 21848
static gss_cred_id_t stCredentials;
#include <sys/param.h>
char * do_login_auth ( SMTPD_STATE *state,
const char *sasl_method,
const char *init_response )
{
unsigned len = 0;
int respLen = 0;
char userBuf[ MAX_USER_BUF_SIZE ];
char chalBuf[ MAX_CHAL_BUF_SIZE ];
char respBuf[ MAX_IO_BUF_SIZE ];
char pwdBuf[ MAX_USER_BUF_SIZE ];
memset( userBuf, 0, MAX_USER_BUF_SIZE );
memset( chalBuf, 0, MAX_CHAL_BUF_SIZE );
memset( respBuf, 0, MAX_IO_BUF_SIZE );
memset( pwdBuf, 0, MAX_USER_BUF_SIZE );
if ( !(smtpd_pw_server_sasl_opts & PW_SERVER_LOGIN) )
{
return ( "504 Authentication method not enabled" );
}
strcpy( chalBuf, "Username:" );
sEncodeBase64( chalBuf, strlen( chalBuf ), respBuf, MAX_IO_BUF_SIZE );
smtpd_chat_reply( state, "334 %s", respBuf );
memset( respBuf, 0, MAX_IO_BUF_SIZE );
smtpd_chat_query( state );
len = VSTRING_LEN( state->buffer );
if ( sDecodeBase64( vstring_str( state->buffer ), len, userBuf, MAX_USER_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed initial response" );
}
if ( strcmp(vstring_str( state->buffer ), "*") == 0 )
{
return ( "501 Authentication aborted" );
}
strcpy( chalBuf, "Password:" );
sEncodeBase64( chalBuf, strlen( chalBuf ), respBuf, MAX_IO_BUF_SIZE );
smtpd_chat_reply( state, "334 %s", respBuf );
smtpd_chat_query( state );
len = VSTRING_LEN( state->buffer );
if ( sDecodeBase64( vstring_str( state->buffer ), len, pwdBuf, MAX_USER_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed response" );
}
if ( sClearTextCrypt( userBuf, pwdBuf ) == eAODNoErr )
{
state->sasl_username = mystrdup( userBuf );
state->sasl_method = mystrdup(sasl_method);
return( 0 );
}
else
{
return ( "535 Error: authentication failed" );
}
}
char *do_plain_auth ( SMTPD_STATE *state,
const char *sasl_method,
const char *init_response )
{
char *ptr = NULL;
unsigned len = 0;
int respLen = 0;
char userBuf[ MAX_USER_BUF_SIZE ];
char respBuf[ MAX_IO_BUF_SIZE ];
char pwdBuf[ MAX_USER_BUF_SIZE ];
memset( userBuf, 0, MAX_USER_BUF_SIZE );
memset( respBuf, 0, MAX_IO_BUF_SIZE );
memset( pwdBuf, 0, MAX_USER_BUF_SIZE );
if ( !(smtpd_pw_server_sasl_opts & PW_SERVER_PLAIN) )
{
return ( "504 Authentication method not enabled" );
}
if ( init_response == NULL )
{
return ( "501 Authentication failed: malformed initial response" );
}
len = strlen( init_response );
if ( sDecodeBase64( init_response, len, respBuf, MAX_USER_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed initial response" );
}
ptr = respBuf;
if ( *ptr == '\0' )
{
ptr++;
}
if ( ptr != NULL )
{
if ( strlen( ptr ) < MAX_USER_BUF_SIZE )
{
strcpy( userBuf, ptr );
ptr = ptr + (strlen( userBuf ) + 1 );
if ( ptr != NULL )
{
if ( strlen( ptr ) < MAX_USER_BUF_SIZE )
{
strcpy( pwdBuf, ptr );
if ( sClearTextCrypt( userBuf, pwdBuf ) == eAODNoErr )
{
state->sasl_username = mystrdup( userBuf );
state->sasl_method = mystrdup(sasl_method);
return( 0 );
}
}
}
}
}
return ( "535 Error: authentication failed" );
}
void get_random_chars ( char *out_buf, int in_len )
{
int count = 0;
int file;
unsigned long long microseconds = 0ULL;
struct timeval tv;
struct timezone tz;
memset( out_buf, 0, in_len );
file = open( "/dev/urandom", O_RDONLY, 0 );
if ( file == -1 )
{
syslog( LOG_ERR, "Cannot open /dev/urandom" );
file = open( "/dev/random", O_RDONLY, 0 );
}
if ( file == -1 )
{
syslog( LOG_ERR, "Cannot open /dev/random" );
gettimeofday( &tv, &tz );
microseconds = (unsigned long long)tv.tv_sec;
microseconds *= 1000000ULL;
microseconds += (unsigned long long)tv.tv_usec;
snprintf( out_buf, in_len, "%llu", microseconds );
}
else
{
while ( count < (in_len - 1) )
{
read( file, &out_buf[ count ], 1 );
if ( isalnum( out_buf[ count ] ) )
{
count++;
}
}
close( file );
}
}
char *do_cram_md5_auth ( SMTPD_STATE *state,
const char *sasl_method,
const char *init_response )
{
char *ptr = NULL;
unsigned len = 0;
int respLen = 0;
const char *host_name = NULL;
char userBuf[ MAX_USER_BUF_SIZE ];
char chalBuf[ MAX_USER_BUF_SIZE ];
char respBuf[ MAX_IO_BUF_SIZE ];
char randbuf[ 17 ];
memset( userBuf, 0, MAX_USER_BUF_SIZE );
memset( chalBuf, 0, MAX_USER_BUF_SIZE );
memset( respBuf, 0, MAX_IO_BUF_SIZE );
if ( !(smtpd_pw_server_sasl_opts & PW_SERVER_CRAM_MD5) )
{
return ( "504 Authentication method not enabled" );
}
host_name = (const char *)get_hostname();
get_random_chars( randbuf, 17 );
snprintf( chalBuf, sizeof( chalBuf ),
"<%lu.%s.%lu@%s>",
(unsigned long) getpid(),
randbuf,
(unsigned long)time(0),
host_name );
sEncodeBase64( chalBuf, strlen( chalBuf ), respBuf, MAX_IO_BUF_SIZE );
smtpd_chat_reply( state, "334 %s", respBuf );
smtpd_chat_query( state );
if ( strcmp( vstring_str( state->buffer ), "*" ) == 0 )
{
return ( "501 Authentication aborted" );
}
memset( respBuf, 0, MAX_IO_BUF_SIZE );
len = VSTRING_LEN( state->buffer );
if ( sDecodeBase64( vstring_str( state->buffer ), len, respBuf, MAX_IO_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed initial response" );
}
ptr = strchr( respBuf, ' ' );
if ( ptr != NULL )
{
len = ptr - respBuf;
if ( len < MAX_USER_BUF_SIZE )
{
memset( userBuf, 0, MAX_USER_BUF_SIZE );
strncpy( userBuf, respBuf, len );
ptr++;
if ( ptr != NULL )
{
if ( sValidateResponse( userBuf, chalBuf, ptr, kDSStdAuthCRAM_MD5 ) == eAODNoErr )
{
state->sasl_username = mystrdup( userBuf );
state->sasl_method = mystrdup(sasl_method);
return( 0 );
}
}
}
}
return ( "535 Error: authentication failed" );
}
char *do_gssapi_auth ( SMTPD_STATE *state,
const char *sasl_method,
const char *init_response )
{
int r = ODA_AUTH_FAILED;
unsigned len = 0;
int respLen = 0;
gss_buffer_desc in_token;
gss_buffer_desc out_token;
OM_uint32 minStatus = 0;
OM_uint32 majStatus = 0;
OM_uint32 ret_flags = 0;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_OID mechTypes;
gss_name_t clientName;
unsigned long maxsize = htonl( MAX_IO_BUF_SIZE );
char userBuf[ MAX_USER_BUF_SIZE ];
char respBuf[ MAX_IO_BUF_SIZE ];
char pwdBuf[ MAX_USER_BUF_SIZE ];
memset( userBuf, 0, MAX_USER_BUF_SIZE );
memset( respBuf, 0, MAX_IO_BUF_SIZE );
memset( pwdBuf, 0, MAX_USER_BUF_SIZE );
if ( !(smtpd_pw_server_sasl_opts & PW_SERVER_GSSAPI) )
{
return ( "504 Authentication method not enabled" );
}
if ( gss_Init() == GSS_S_COMPLETE )
{
if ( init_response == NULL )
{
smtpd_chat_reply( state, "334 " );
smtpd_chat_query( state );
if ( strcmp( vstring_str( state->buffer ), "*" ) == 0 )
{
return ( "501 Authentication aborted" );
}
memset( respBuf, 0, MAX_IO_BUF_SIZE );
len = VSTRING_LEN( state->buffer );
if ( sDecodeBase64( vstring_str( state->buffer ), len, respBuf, MAX_IO_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed initial response" );
}
}
else
{
memset( respBuf, 0, MAX_IO_BUF_SIZE );
len = strlen( init_response );
if ( sDecodeBase64( init_response, len, respBuf, MAX_IO_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed initial response" );
}
}
in_token.value = respBuf;
in_token.length = respLen;
do {
majStatus = gss_accept_sec_context( &minStatus,
&context,
stCredentials,
&in_token,
GSS_C_NO_CHANNEL_BINDINGS,
&clientName,
NULL,
&out_token,
&ret_flags,
NULL,
NULL );
switch ( majStatus )
{
case GSS_S_COMPLETE:
case GSS_S_CONTINUE_NEEDED:
{
if ( out_token.value )
{
memset( respBuf, 0, MAX_IO_BUF_SIZE );
sEncodeBase64( (char *)out_token.value, out_token.length, respBuf, MAX_IO_BUF_SIZE );
smtpd_chat_reply( state, "334 %s", respBuf );
smtpd_chat_query( state );
if ( strcmp( vstring_str( state->buffer ), "*" ) == 0 )
{
return ( "501 Authentication aborted" );
}
memset( respBuf, 0, MAX_IO_BUF_SIZE );
len = VSTRING_LEN( state->buffer );
if ( len != 0 )
{
if ( sDecodeBase64( vstring_str( state->buffer ), len, respBuf, MAX_IO_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed response" );
}
}
in_token.value = respBuf;
in_token.length = respLen;
gss_release_buffer( &minStatus, &out_token );
}
break;
}
default:
log_errors( "gss_accept_sec_context", majStatus, minStatus );
break;
}
} while ( in_token.value && in_token.length && (majStatus == GSS_S_CONTINUE_NEEDED) );
if ( majStatus == GSS_S_COMPLETE )
{
gss_buffer_desc inToken;
gss_buffer_desc outToken;
memcpy( pwdBuf, (void *)&maxsize, 4 );
inToken.value = pwdBuf;
inToken.length = 4;
pwdBuf[ 0 ] = 1;
majStatus = gss_wrap( &minStatus, context, 0, GSS_C_QOP_DEFAULT, &inToken, NULL, &outToken );
if ( majStatus == GSS_S_COMPLETE )
{
sEncodeBase64( (char *)outToken.value, outToken.length, respBuf, MAX_IO_BUF_SIZE );
smtpd_chat_reply( state, "334 %s", respBuf );
smtpd_chat_query( state );
if ( strcmp( vstring_str( state->buffer ), "*" ) == 0 )
{
return ( "501 Authentication aborted" );
}
memset( respBuf, 0, MAX_IO_BUF_SIZE );
len = VSTRING_LEN( state->buffer );
if ( sDecodeBase64( vstring_str( state->buffer ), len, respBuf, MAX_IO_BUF_SIZE, &respLen ) != 0 )
{
return ( "501 Authentication failed: malformed response" );
}
inToken.value = respBuf;
inToken.length = respLen;
gss_release_buffer( &minStatus, &outToken );
majStatus = gss_unwrap( &minStatus, context, &inToken, &outToken, NULL, NULL );
if ( majStatus == GSS_S_COMPLETE )
{
if ( (outToken.value != NULL) &&
(outToken.length > 4) &&
(outToken.length < MAX_USER_BUF_SIZE) )
{
memcpy( userBuf, outToken.value, outToken.length );
if ( userBuf[0] & 1 )
{
userBuf[ outToken.length ] = '\0';
state->sasl_username = mystrdup( userBuf + 4 );
state->sasl_method = mystrdup(sasl_method);
return( 0 );
}
}
}
else
{
log_errors( "gss_unwrap", majStatus, minStatus );
}
gss_release_buffer( &minStatus, &outToken );
}
else
{
log_errors( "gss_wrap", majStatus, minStatus );
}
}
}
return ( "504 Authentication failed" );
}
char *smtpd_pw_server_authenticate ( SMTPD_STATE *state,
const char *sasl_method,
const char *init_response )
{
char *myname = "smtpd_pw_server_authenticate";
if ( state->sasl_username || state->sasl_method )
{
msg_panic( "%s: already authenticated", myname );
}
if ( strcasecmp( sasl_method, "LOGIN" ) == 0 )
{
return( do_login_auth( state, sasl_method, init_response ) );
}
else if ( strcasecmp( sasl_method, "PLAIN" ) == 0 )
{
return( do_plain_auth( state, sasl_method, init_response ) );
}
else if ( strcasecmp( sasl_method, "CRAM-MD5" ) == 0 )
{
return( do_cram_md5_auth( state, sasl_method, init_response ) );
}
else if ( strcasecmp( sasl_method, "GSSAPI" ) == 0 )
{
return( do_gssapi_auth( state, sasl_method, init_response ) );
}
return ( "504 Unsupported authentication method" );
}
int gss_Init ( void )
{
int iResult = GSS_S_COMPLETE;
char *pService = NULL;
gss_buffer_desc nameToken;
gss_name_t principalName;
gss_OID mechid;
OM_uint32 majStatus = 0;
OM_uint32 minStatus = 0;
pService = get_server_principal();
if ( pService == NULL )
{
syslog( LOG_ERR, "No service principal found" );
return( GSS_S_NO_CRED );
}
nameToken.value = pService;
nameToken.length = strlen( pService );
majStatus = gss_import_name( &minStatus,
&nameToken,
GSS_KRB5_NT_PRINCIPAL_NAME, &principalName );
if ( majStatus != GSS_S_COMPLETE )
{
log_errors( "gss_import_name", majStatus, minStatus );
iResult = kSGSSImportNameErr;
}
else
{
(void)gss_display_name( &minStatus, principalName, &nameToken, &mechid );
(void)gss_release_buffer( &minStatus, &nameToken );
majStatus = gss_acquire_cred( &minStatus,
principalName,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
&stCredentials,
NULL,
NULL );
if ( majStatus != GSS_S_COMPLETE )
{
log_errors( "gss_acquire_cred", majStatus, minStatus );
iResult = kSGSSAquireCredErr;
}
else
{
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
}
(void)gss_release_name( &minStatus, &principalName );
}
free( pService );
return( iResult );
}
int get_realm_form_creds ( char *inBuffer, int inSize )
{
int iResult = GSS_S_COMPLETE;
char buffer[256] = {0};
char *token1 = NULL;
iResult = get_principal_str( buffer, 256 );
if ( iResult == 0 )
{
token1 = strrchr( buffer, '@' );
if ( token1 != NULL )
{
++token1;
if ( strlen( token1 ) > inSize - 1 )
{
iResult = kSGSSBufferSizeErr;
}
else
{
strncpy( inBuffer, token1, inSize - 1 );
inBuffer[ strlen( token1 ) ] = 0;
}
}
else
{
iResult = kUnknownErr;
}
}
return( iResult );
}
int get_principal_str ( char *inOutBuf, int inSize )
{
OM_uint32 minStatus = 0;
OM_uint32 majStatus = 0;
gss_name_t principalName;
gss_buffer_desc token;
gss_OID id;
majStatus = gss_inquire_cred(&minStatus, stCredentials, &principalName, NULL, NULL, NULL);
if ( majStatus != GSS_S_COMPLETE )
{
return( kSGSSInquireCredErr );
}
majStatus = gss_display_name( &minStatus, principalName, &token, &id );
if ( majStatus != GSS_S_COMPLETE )
{
return( kSGSSInquireCredErr );
}
majStatus = gss_release_name( &minStatus, &principalName );
if ( inSize - 1 < token.length )
{
return( kSGSSBufferSizeErr );
}
strncpy( inOutBuf, (char *)token.value, token.length );
inOutBuf[ token.length ] = 0;
(void)gss_release_buffer( &minStatus, &token );
return( GSS_S_COMPLETE );
}
OM_uint32 display_name ( const gss_name_t principalName )
{
OM_uint32 minStatus = 0;
OM_uint32 majStatus = 0;
gss_OID mechid;
gss_buffer_desc nameToken;
majStatus = gss_display_name( &minStatus, principalName, &nameToken, &mechid );
(void)gss_release_buffer( &minStatus, &nameToken );
return( majStatus );
}
#define CHAR64(c) (((c) < 0 || (c) > 127) ? -1 : index_64[(c)])
static char basis_64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????";
static char index_64[ 128 ] =
{
-1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1,
-1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1,
-1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,62, -1,-1,-1,63,
52,53,54,55, 56,57,58,59, 60,61,-1,-1, -1,-1,-1,-1,
-1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10, 11,12,13,14,
15,16,17,18, 19,20,21,22, 23,24,25,-1, -1,-1,-1,-1,
-1,26,27,28, 29,30,31,32, 33,34,35,36, 37,38,39,40,
41,42,43,44, 45,46,47,48, 49,50,51,-1, -1,-1,-1,-1
};
int sEncodeBase64 ( const char *inStr, const int inLen, char *outStr, int outLen )
{
int i = 0;
const unsigned char *pStr = NULL;
unsigned long uiInLen = 0;
unsigned char ucVal = 0;
if ( (inStr == NULL) || (outStr == NULL) || (inLen <= 0) || (outLen <= 0) )
{
return( -1 );
}
pStr = (const unsigned char *)inStr;
uiInLen = inLen;
memset( outStr, 0, outLen );
while ( uiInLen >= 3 )
{
if ( (i + 4) > outLen )
{
return( -1 );
}
outStr[ i++ ] = ( basis_64[ pStr[ 0 ] >> 2 ] );
outStr[ i++ ] = ( basis_64[ ((pStr[ 0 ] << 4) & 0x30) | (pStr[ 1 ] >> 4) ] );
outStr[ i++ ] = ( basis_64[ ((pStr[ 1 ] << 2) & 0x3c) | (pStr[ 2 ] >> 6) ] );
outStr[ i++ ] = ( basis_64[ pStr[ 2 ] & 0x3f ] );
pStr += 3;
uiInLen -= 3;
}
if ( uiInLen > 0 )
{
if ( (i + 4) > outLen )
{
return( -1 );
}
outStr[ i++ ] = ( basis_64[ pStr[0] >> 2] );
ucVal = (pStr[0] << 4) & 0x30;
if ( uiInLen > 1 )
{
ucVal |= pStr[1] >> 4;
}
outStr[ i++ ] = ( basis_64[ ucVal ] );
outStr[ i++ ] = ( (uiInLen < 2) ? '=' : basis_64[ (pStr[ 1 ] << 2) & 0x3c ] );
outStr[ i++ ] = ( '=' );
}
return( 0 );
}
int sDecodeBase64 ( const char *inStr, const int inLen, char *outStr, int outLen, int *destLen )
{
int iResult = 0;
unsigned long i = 0;
unsigned long j = 0;
unsigned long c1 = 0;
unsigned long c2 = 0;
unsigned long c3 = 0;
unsigned long c4 = 0;
const char *pStr = NULL;
if ( (inStr == NULL) || (outStr == NULL) || (inLen <= 0) || (outLen <= 0) )
{
return( -1 );
}
pStr = (const unsigned char *)inStr;
if ( (pStr[ 0 ] == '+') && (pStr[ 1 ] == ' ') )
{
pStr += 2;
}
if ( *pStr == '\r')
{
iResult = -1;
}
else
{
for ( i = 0; i < inLen / 4; i++ )
{
c1 = pStr[ 0 ];
if ( CHAR64( c1 ) == -1 )
{
iResult = -1;
break;
}
c2 = pStr[ 1 ];
if ( CHAR64( c2 ) == -1 )
{
iResult = -1;
break;
}
c3 = pStr[ 2 ];
if ( (c3 != '=') && (CHAR64( c3 ) == -1) )
{
iResult = -1;
break;
}
c4 = pStr[ 3 ];
if (c4 != '=' && CHAR64( c4 ) == -1)
{
iResult = -1;
break;
}
pStr += 4;
outStr[ j++ ] = ( (CHAR64(c1) << 2) | (CHAR64(c2) >> 4) );
if ( j >= outLen )
{
return( -1 );
}
if ( c3 != '=' )
{
outStr[ j++ ] = ( ((CHAR64(c2) << 4) & 0xf0) | (CHAR64(c3) >> 2) );
if ( j >= outLen )
{
return( -1 );
}
if ( c4 != '=' )
{
outStr[ j++ ] = ( ((CHAR64(c3) << 6) & 0xc0) | CHAR64(c4) );
if ( j >= outLen )
{
return( -1 );
}
}
}
}
outStr[ j ] = 0;
}
if ( destLen )
{
*destLen = j;
}
return( iResult );
}
int sClearTextCrypt ( const char *inUserID, const char *inPasswd )
{
int iResult = eAODNoErr;
tDirStatus dsStatus = eDSNoErr;
tDirReference dirRef = 0;
tDirNodeReference searchNodeRef = 0;
tDirNodeReference userNodeRef = 0;
char *userLoc = NULL;
if ( (inUserID == NULL) || (inPasswd == NULL) )
{
return( eAODParamErr );
}
dsStatus = sOpen_ds( &dirRef );
if ( dsStatus == eDSNoErr )
{
dsStatus = sGet_search_node( dirRef, &searchNodeRef );
if ( dsStatus == eDSNoErr )
{
dsStatus = sLook_up_user( dirRef, searchNodeRef, inUserID, &userLoc );
if ( dsStatus == eDSNoErr )
{
dsStatus = sOpen_user_node( dirRef, userLoc, &userNodeRef );
if ( dsStatus == eDSNoErr )
{
dsStatus = sDoCryptAuth( dirRef, userNodeRef, inUserID, inPasswd );
switch ( dsStatus )
{
case eDSNoErr:
case eDSAuthNewPasswordRequired:
case eDSAuthPasswordExpired:
iResult = eAODNoErr;
break;
default:
iResult = eAODAuthFailed;
break;
}
(void)dsCloseDirNode( userNodeRef );
}
else
{
iResult = eAODCantOpenUserNode;
}
}
else
{
iResult = eAODUserNotFound;
}
(void)dsCloseDirNode( searchNodeRef );
}
else
{
iResult = eAODOpenSearchFailed;
}
(void)dsCloseDirService( dirRef );
}
else
{
iResult = eAODOpenDSFailed;
}
return( iResult );
}
tDirStatus sOpen_ds ( tDirReference *inOutDirRef )
{
tDirStatus dsStatus = eDSNoErr;
dsStatus = dsOpenDirService( inOutDirRef );
return( dsStatus );
}
tDirStatus sGet_search_node ( tDirReference inDirRef,
tDirNodeReference *outSearchNodeRef )
{
tDirStatus dsStatus = eMemoryAllocError;
unsigned long uiCount = 0;
tDataBuffer *pTDataBuff = NULL;
tDataList *pDataList = NULL;
pTDataBuff = dsDataBufferAllocate( inDirRef, 8192 );
if ( pTDataBuff != NULL )
{
dsStatus = dsFindDirNodes( inDirRef, pTDataBuff, NULL, eDSSearchNodeName, &uiCount, NULL );
if ( dsStatus == eDSNoErr )
{
dsStatus = eDSNodeNotFound;
if ( uiCount == 1 )
{
dsStatus = dsGetDirNodeName( inDirRef, pTDataBuff, 1, &pDataList );
if ( dsStatus == eDSNoErr )
{
dsStatus = dsOpenDirNode( inDirRef, pDataList, outSearchNodeRef );
}
if ( pDataList != NULL )
{
(void)dsDataListDeAllocate( inDirRef, pDataList, TRUE );
free( pDataList );
pDataList = NULL;
}
}
}
(void)dsDataBufferDeAllocate( inDirRef, pTDataBuff );
pTDataBuff = NULL;
}
return( dsStatus );
}
tDirStatus sLook_up_user ( tDirReference inDirRef,
tDirNodeReference inSearchNodeRef,
const char *inUserID,
char **outUserLocation )
{
tDirStatus dsStatus = eMemoryAllocError;
int done = FALSE;
char *pAcctName = NULL;
unsigned long uiRecCount = 0;
tDataBuffer *pTDataBuff = NULL;
tDataList *pUserRecType = NULL;
tDataList *pUserAttrType = NULL;
tRecordEntry *pRecEntry = NULL;
tAttributeEntry *pAttrEntry = NULL;
tAttributeValueEntry *pValueEntry = NULL;
tAttributeValueListRef valueRef = 0;
tAttributeListRef attrListRef = 0;
tContextData pContext = NULL;
tDataList tdlRecName;
memset( &tdlRecName, 0, sizeof( tDataList ) );
pTDataBuff = dsDataBufferAllocate( inDirRef, 8192 );
if ( pTDataBuff != NULL )
{
dsStatus = dsBuildListFromStringsAlloc( inDirRef, &tdlRecName, inUserID, NULL );
if ( dsStatus == eDSNoErr )
{
dsStatus = eMemoryAllocError;
pUserRecType = dsBuildListFromStrings( inDirRef, kDSStdRecordTypeUsers, NULL );
if ( pUserRecType != NULL )
{
pUserAttrType = dsBuildListFromStrings( inDirRef, kDSNAttrMetaNodeLocation, NULL );
if ( pUserAttrType != NULL );
{
do {
dsStatus = dsGetRecordList( inSearchNodeRef, pTDataBuff, &tdlRecName, eDSiExact, pUserRecType,
pUserAttrType, FALSE, &uiRecCount, &pContext );
if ( dsStatus == eDSNoErr )
{
dsStatus = eDSInvalidName;
if ( uiRecCount == 1 )
{
dsStatus = dsGetRecordEntry( inSearchNodeRef, pTDataBuff, 1, &attrListRef, &pRecEntry );
if ( dsStatus == eDSNoErr )
{
(void)dsGetRecordNameFromEntry( pRecEntry, &pAcctName );
dsStatus = dsGetAttributeEntry( inSearchNodeRef, pTDataBuff, attrListRef, 1, &valueRef, &pAttrEntry );
if ( (dsStatus == eDSNoErr) && (pAttrEntry != NULL) )
{
dsStatus = dsGetAttributeValue( inSearchNodeRef, pTDataBuff, 1, valueRef, &pValueEntry );
if ( (dsStatus == eDSNoErr) && (pValueEntry != NULL) )
{
if ( strcmp( pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrMetaNodeLocation ) == 0 )
{
*outUserLocation = (char *)calloc( pValueEntry->fAttributeValueData.fBufferLength + 1, sizeof( char ) );
memcpy( *outUserLocation, pValueEntry->fAttributeValueData.fBufferData, pValueEntry->fAttributeValueData.fBufferLength );
done = TRUE;
}
(void)dsCloseAttributeValueList( valueRef );
}
(void)dsDeallocAttributeEntry( inSearchNodeRef, pAttrEntry );
pAttrEntry = NULL;
(void)dsCloseAttributeList( attrListRef );
}
if ( pRecEntry != NULL )
{
(void)dsDeallocRecordEntry( inSearchNodeRef, pRecEntry );
pRecEntry = NULL;
}
}
}
else
{
done = TRUE;
dsStatus = eDSAuthInvalidUserName;
}
}
} while ( (pContext != NULL) && (dsStatus == eDSNoErr) && (!done) );
if ( pContext != NULL )
{
(void)dsReleaseContinueData( inSearchNodeRef, pContext );
pContext = NULL;
}
(void)dsDataListDeallocate( inDirRef, pUserAttrType );
pUserAttrType = NULL;
}
(void)dsDataListDeallocate( inDirRef, pUserRecType );
pUserRecType = NULL;
}
(void)dsDataListDeAllocate( inDirRef, &tdlRecName, TRUE );
}
(void)dsDataBufferDeAllocate( inDirRef, pTDataBuff );
pTDataBuff = NULL;
}
if ( pAcctName != NULL )
{
free( pAcctName );
pAcctName = NULL;
}
return( dsStatus );
}
tDirStatus sOpen_user_node ( tDirReference inDirRef, const char *inUserLoc, tDirNodeReference *outUserNodeRef )
{
tDirStatus dsStatus = eMemoryAllocError;
tDataList *pUserNode = NULL;
pUserNode = dsBuildFromPath( inDirRef, inUserLoc, "/" );
if ( pUserNode != NULL )
{
dsStatus = dsOpenDirNode( inDirRef, pUserNode, outUserNodeRef );
(void)dsDataListDeAllocate( inDirRef, pUserNode, TRUE );
free( pUserNode );
pUserNode = NULL;
}
return( dsStatus );
}
static int sDoCryptAuth ( tDirReference inDirRef, tDirNodeReference inUserNodeRef, const char *inUserID, const char *inPasswd )
{
tDirStatus dsStatus = eDSNoErr;
int iResult = -1;
long nameLen = 0;
long passwdLen = 0;
unsigned long curr = 0;
unsigned long len = 0;
unsigned long uiBuffSzie = 0;
tDataBuffer *pAuthBuff = NULL;
tDataBuffer *pStepBuff = NULL;
tDataNode *pAuthType = NULL;
if ( (inUserID == NULL) || (inPasswd == NULL) )
{
return( eDSAuthParameterError );
}
nameLen = strlen( inUserID );
passwdLen = strlen( inPasswd );
uiBuffSzie = nameLen + passwdLen + 32;
pAuthBuff = dsDataBufferAllocate( inDirRef, uiBuffSzie );
if ( pAuthBuff != NULL )
{
pStepBuff = dsDataBufferAllocate( inDirRef, 256 );
if ( pStepBuff != NULL )
{
pAuthType = dsDataNodeAllocateString( inDirRef, kDSStdAuthNodeNativeClearTextOK );
if ( pAuthType != NULL )
{
len = nameLen;
memcpy( &(pAuthBuff->fBufferData[ curr ]), &len, sizeof( unsigned long ) );
curr += sizeof( unsigned long );
memcpy( &(pAuthBuff->fBufferData[ curr ]), inUserID, len );
curr += len;
len = passwdLen;
memcpy( &(pAuthBuff->fBufferData[ curr ]), &len, sizeof( unsigned long ) );
curr += sizeof( unsigned long );
memcpy( &(pAuthBuff->fBufferData[ curr ]), inPasswd, len );
curr += len;
pAuthBuff->fBufferLength = curr;
dsStatus = dsDoDirNodeAuth( inUserNodeRef, pAuthType, TRUE, pAuthBuff, pStepBuff, NULL );
if ( dsStatus == eDSNoErr )
{
iResult = 0;
}
else
{
msg_warn( "AOD: Authentication failed for user %s. (Open Directory error: %d)", inUserID, dsStatus );
iResult = -7;
}
(void)dsDataNodeDeAllocate( inDirRef, pAuthType );
pAuthType = NULL;
}
else
{
msg_warn( "AOD: Authentication failed for user %s. Unable to allocate memory.", inUserID );
iResult = -6;
}
(void)dsDataNodeDeAllocate( inDirRef, pStepBuff );
pStepBuff = NULL;
}
else
{
msg_warn( "AOD: Authentication failed for user %s. Unable to allocate memory.", inUserID );
iResult = -5;
}
(void)dsDataNodeDeAllocate( inDirRef, pAuthBuff );
pAuthBuff = NULL;
}
return( iResult );
}
int sValidateResponse ( const char *inUserID, const char *inChallenge, const char *inResponse, const char *inAuthType )
{
int iResult = -1;
tDirStatus dsStatus = eDSNoErr;
tDirReference dirRef = 0;
tDirNodeReference searchNodeRef = 0;
tDirNodeReference userNodeRef = 0;
tDataBuffer *pAuthBuff = NULL;
tDataBuffer *pStepBuff = NULL;
tDataNode *pAuthType = NULL;
char *userLoc = NULL;
unsigned long uiNameLen = 0;
unsigned long uiChalLen = 0;
unsigned long uiRespLen = 0;
unsigned long uiBuffSzie = 0;
unsigned long uiCurr = 0;
unsigned long uiLen = 0;
if ( (inUserID == NULL) || (inChallenge == NULL) || (inResponse == NULL) || (inAuthType == NULL) )
{
return( -1 );
}
uiNameLen = strlen( inUserID );
uiChalLen = strlen( inChallenge );
uiRespLen = strlen( inResponse );
uiBuffSzie = uiNameLen + uiChalLen + uiRespLen + 32;
dsStatus = sOpen_ds( &dirRef );
if ( dsStatus == eDSNoErr )
{
dsStatus = sGet_search_node( dirRef, &searchNodeRef );
if ( dsStatus == eDSNoErr )
{
dsStatus = sLook_up_user( dirRef, searchNodeRef, inUserID, &userLoc );
if ( dsStatus == eDSNoErr )
{
dsStatus = sOpen_user_node( dirRef, userLoc, &userNodeRef );
if ( dsStatus == eDSNoErr )
{
pAuthBuff = dsDataBufferAllocate( dirRef, uiBuffSzie );
if ( pAuthBuff != NULL )
{
pStepBuff = dsDataBufferAllocate( dirRef, 256 );
if ( pStepBuff != NULL )
{
pAuthType = dsDataNodeAllocateString( dirRef, inAuthType );
if ( pAuthType != NULL )
{
uiLen = uiNameLen;
memcpy( &(pAuthBuff->fBufferData[ uiCurr ]), &uiLen, sizeof( unsigned long ) );
uiCurr += sizeof( unsigned long );
memcpy( &(pAuthBuff->fBufferData[ uiCurr ]), inUserID, uiLen );
uiCurr += uiLen;
uiLen = uiChalLen;
memcpy( &(pAuthBuff->fBufferData[ uiCurr ]), &uiLen, sizeof( unsigned long ) );
uiCurr += sizeof( unsigned long );
memcpy( &(pAuthBuff->fBufferData[ uiCurr ]), inChallenge, uiLen );
uiCurr += uiLen;
uiLen = uiRespLen;
memcpy( &(pAuthBuff->fBufferData[ uiCurr ]), &uiLen, sizeof( unsigned long ) );
uiCurr += sizeof( unsigned long );
memcpy( &(pAuthBuff->fBufferData[ uiCurr ]), inResponse, uiLen );
uiCurr += uiLen;
pAuthBuff->fBufferLength = uiCurr;
dsStatus = dsDoDirNodeAuth( userNodeRef, pAuthType, TRUE, pAuthBuff, pStepBuff, NULL );
if ( dsStatus == eDSNoErr )
{
iResult = 0;
}
else
{
iResult = -7;
}
(void)dsDataNodeDeAllocate( dirRef, pAuthType );
pAuthType = NULL;
}
else
{
msg_warn( "AOD: Authentication failed for user %s. Unable to allocate memory.", inUserID );
iResult = -6;
}
(void)dsDataNodeDeAllocate( dirRef, pStepBuff );
pStepBuff = NULL;
}
else
{
msg_warn( "AOD: Authentication failed for user %s. Unable to allocate memory.", inUserID );
iResult = -5;
}
(void)dsDataNodeDeAllocate( dirRef, pAuthBuff );
pAuthBuff = NULL;
}
else
{
msg_warn( "AOD: Authentication failed for user %s. Unable to allocate memory.", inUserID );
iResult = -4;
}
(void)dsCloseDirNode( userNodeRef );
userNodeRef = 0;
}
else
{
msg_warn( "AOD: Unable to open user directory node for user %s. (Open Directory error: %d)", inUserID, dsStatus );
iResult = -1;
}
}
else
{
msg_warn( "AOD: Unable to find user %s. (Open Directory error: %d)", inUserID, dsStatus );
iResult = -1;
}
(void)dsCloseDirNode( searchNodeRef );
searchNodeRef = 0;
}
else
{
msg_warn( "AOD: Unable to open directroy search node. (Open Directory error: %d)", dsStatus );
iResult = -1;
}
(void)dsCloseDirService( dirRef );
dirRef = 0;
}
else
{
msg_warn( "AOD: Unable to open directroy. (Open Directory error: %d)", dsStatus );
iResult = -1;
}
return( iResult );
}
#define kPlistFilePath "/etc/MailServicesOther.plist"
#define kXMLDictionary "postfix"
#define kXMLSMTP_Principal "smtp_principal"
char * get_server_principal ( void )
{
FILE *pFile = NULL;
char *outStr = NULL;
char *buf = NULL;
ssize_t bytes = 0;
struct stat fileStat;
bool bFound = FALSE;
CFStringRef cfStringRef = NULL;
char *pValue = NULL;
CFDataRef cfDataRef = NULL;
CFPropertyListRef cfPlistRef = NULL;
CFDictionaryRef cfDictRef = NULL;
CFDictionaryRef cfDictPost = NULL;
pFile = fopen( kPlistFilePath, "r" );
if ( pFile == NULL )
{
syslog( LOG_ERR, "Cannot open principal file" );
return( NULL );
}
if ( -1 == fstat( fileno( pFile ), &fileStat ) )
{
fclose( pFile );
syslog( LOG_ERR, "Cannot get stat on principal file" );
return( NULL );
}
buf = (char *)malloc( fileStat.st_size + 1 );
if ( buf == NULL )
{
fclose( pFile );
syslog( LOG_ERR, "Cannot alloc principal buffer" );
return( NULL );
}
memset( buf, 0, fileStat.st_size + 1 );
bytes = read( fileno( pFile ), buf, fileStat.st_size );
if ( -1 == bytes )
{
fclose( pFile );
free( buf );
syslog( LOG_ERR, "Cannot read principal file" );
return( NULL );
}
cfDataRef = CFDataCreate( NULL, (const UInt8 *)buf, fileStat.st_size );
if ( cfDataRef != NULL )
{
cfPlistRef = CFPropertyListCreateFromXMLData( kCFAllocatorDefault, cfDataRef, kCFPropertyListImmutable, NULL );
if ( cfPlistRef != NULL )
{
if ( CFDictionaryGetTypeID() == CFGetTypeID( cfPlistRef ) )
{
cfDictRef = (CFDictionaryRef)cfPlistRef;
bFound = CFDictionaryContainsKey( cfDictRef, CFSTR( kXMLDictionary ) );
if ( bFound == true )
{
cfDictPost = (CFDictionaryRef)CFDictionaryGetValue( cfDictRef, CFSTR( kXMLDictionary ) );
if ( cfDictPost != NULL )
{
cfStringRef = (CFStringRef)CFDictionaryGetValue( cfDictPost, CFSTR( kXMLSMTP_Principal ) );
if ( cfStringRef != NULL )
{
if ( CFGetTypeID( cfStringRef ) == CFStringGetTypeID() )
{
pValue = (char *)CFStringGetCStringPtr( cfStringRef, kCFStringEncodingMacRoman );
if ( pValue != NULL )
{
outStr = malloc( strlen( pValue ) + 1 );
if ( outStr != NULL )
{
strcpy( outStr, pValue );
}
}
}
}
}
}
}
CFRelease( cfPlistRef );
}
CFRelease( cfDataRef );
}
return( outStr );
}
void log_errors ( char *inName, OM_uint32 inMajor, OM_uint32 inMinor )
{
OM_uint32 msg_context = 0;
OM_uint32 minStatus = 0;
OM_uint32 majStatus = 0;
gss_buffer_desc errBuf;
int count = 1;
do {
majStatus = gss_display_status( &minStatus, inMajor, GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_context, &errBuf );
syslog( LOG_ERR, " Major Error (%d): %s (%s)", count, (char *)errBuf.value, inName );
majStatus = gss_release_buffer( &minStatus, &errBuf );
++count;
} while ( msg_context != 0 );
count = 1;
msg_context = 0;
do {
majStatus = gss_display_status( &minStatus, inMinor, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_context, &errBuf );
syslog( LOG_ERR, " Minor Error (%d): %s (%s)", count, (char *)errBuf.value, inName );
majStatus = gss_release_buffer( &minStatus, &errBuf );
++count;
} while ( msg_context != 0 );
} #endif
#endif