2N/A/*
2N/A * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A
2N/A/* DIGEST-MD5 SASL plugin
2N/A * Rob Siemborski
2N/A * Tim Martin
2N/A * Alexey Melnikov
2N/A * $Id: digestmd5.c,v 1.153 2003/03/30 22:17:06 leg Exp $
2N/A */
2N/A/*
2N/A * Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved.
2N/A *
2N/A * Redistribution and use in source and binary forms, with or without
2N/A * modification, are permitted provided that the following conditions
2N/A * are met:
2N/A *
2N/A * 1. Redistributions of source code must retain the above copyright
2N/A * notice, this list of conditions and the following disclaimer.
2N/A *
2N/A * 2. Redistributions in binary form must reproduce the above copyright
2N/A * notice, this list of conditions and the following disclaimer in
2N/A * the documentation and/or other materials provided with the
2N/A * distribution.
2N/A *
2N/A * 3. The name "Carnegie Mellon University" must not be used to
2N/A * endorse or promote products derived from this software without
2N/A * prior written permission. For permission or any other legal
2N/A * details, please contact
2N/A * Office of Technology Transfer
2N/A * Carnegie Mellon University
2N/A * 5000 Forbes Avenue
2N/A * Pittsburgh, PA 15213-3890
2N/A * (412) 268-4387, fax: (412) 268-7395
2N/A * tech-transfer@andrew.cmu.edu
2N/A *
2N/A * 4. Redistributions of any form whatsoever must retain the following
2N/A * acknowledgment:
2N/A * "This product includes software developed by Computing Services
2N/A * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
2N/A *
2N/A * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
2N/A * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2N/A * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
2N/A * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2N/A * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
2N/A * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
2N/A * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2N/A */
2N/A
2N/A#include <config.h>
2N/A
2N/A#include <stdlib.h>
2N/A#include <stdio.h>
2N/A#include <string.h>
2N/A#ifndef macintosh
2N/A#include <sys/types.h>
2N/A#include <sys/stat.h>
2N/A#endif
2N/A#include <fcntl.h>
2N/A#include <ctype.h>
2N/A
2N/A/* EXPORT DELETE START */
2N/A/* DES support */
2N/A#ifdef WITH_DES
2N/A# ifdef WITH_SSL_DES
2N/A# include <openssl/des.h>
2N/A# else /* system DES library */
2N/A# include <des.h>
2N/A# endif
2N/A#endif /* WITH_DES */
2N/A/* EXPORT DELETE END */
2N/A
2N/A#ifdef WIN32
2N/A# include <winsock.h>
2N/A#else /* Unix */
2N/A# include <netinet/in.h>
2N/A#endif /* WIN32 */
2N/A
2N/A#ifdef _SUN_SDK_
2N/A#include <unistd.h>
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A#include <sasl.h>
2N/A#include <saslplug.h>
2N/A
2N/A#include "plugin_common.h"
2N/A
2N/A#if defined _SUN_SDK_ && defined USE_UEF
2N/A#include <security/cryptoki.h>
2N/Astatic int uef_init(const sasl_utils_t *utils);
2N/A#endif /* _SUN_SDK_ && USE_UEF */
2N/A
2N/A#ifndef WIN32
2N/Aextern int strcasecmp(const char *s1, const char *s2);
2N/A#endif /* end WIN32 */
2N/A
2N/A#ifdef macintosh
2N/A#include <sasl_md5_plugin_decl.h>
2N/A#endif
2N/A
2N/A/* external definitions */
2N/A
2N/A#ifndef _SUN_SDK_
2N/A#ifdef sun
2N/A/* gotta define gethostname ourselves on suns */
2N/Aextern int gethostname(char *, int);
2N/A#endif
2N/A#endif /* !_SUN_SDK_ */
2N/A
2N/A#define bool int
2N/A
2N/A#ifndef TRUE
2N/A#define TRUE (1)
2N/A#define FALSE (0)
2N/A#endif
2N/A
2N/A#define DEFAULT_BUFSIZE 0xFFFF
2N/A
2N/A/***************************** Common Section *****************************/
2N/A
2N/A#ifndef _SUN_SDK_
2N/Astatic const char plugin_id[] = "$Id: digestmd5.c,v 1.153 2003/03/30 22:17:06 leg Exp $";
2N/A#endif /* !_SUN_SDK_ */
2N/A
2N/A/* Definitions */
2N/A#define NONCE_SIZE (32) /* arbitrary */
2N/A
2N/A/* Layer Flags */
2N/A#define DIGEST_NOLAYER (1)
2N/A#define DIGEST_INTEGRITY (2)
2N/A#define DIGEST_PRIVACY (4)
2N/A
2N/A/* defines */
2N/A#define HASHLEN 16
2N/Atypedef unsigned char HASH[HASHLEN + 1];
2N/A#define HASHHEXLEN 32
2N/Atypedef unsigned char HASHHEX[HASHHEXLEN + 1];
2N/A
2N/A#define MAC_SIZE 10
2N/A#define MAC_OFFS 2
2N/A
2N/Aconst char *SEALING_CLIENT_SERVER="Digest H(A1) to client-to-server sealing key magic constant";
2N/Aconst char *SEALING_SERVER_CLIENT="Digest H(A1) to server-to-client sealing key magic constant";
2N/A
2N/Aconst char *SIGNING_CLIENT_SERVER="Digest session key to client-to-server signing key magic constant";
2N/Aconst char *SIGNING_SERVER_CLIENT="Digest session key to server-to-client signing key magic constant";
2N/A
2N/A#define HT (9)
2N/A#define CR (13)
2N/A#define LF (10)
2N/A#define SP (32)
2N/A#define DEL (127)
2N/A
2N/Astruct context;
2N/A
2N/A/* function definitions for cipher encode/decode */
2N/Atypedef int cipher_function_t(struct context *,
2N/A const char *,
2N/A unsigned,
2N/A unsigned char[],
2N/A char *,
2N/A unsigned *);
2N/A
2N/A#ifdef _SUN_SDK_
2N/Atypedef int cipher_init_t(struct context *, char [16],
2N/A char [16]);
2N/A#else
2N/Atypedef int cipher_init_t(struct context *, unsigned char [16],
2N/A unsigned char [16]);
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/Atypedef void cipher_free_t(struct context *);
2N/A
2N/Aenum Context_type { SERVER = 0, CLIENT = 1 };
2N/A
2N/Atypedef struct cipher_context cipher_context_t;
2N/A
2N/A/* cached auth info used for fast reauth */
2N/Atypedef struct reauth_entry {
2N/A char *authid;
2N/A char *realm;
2N/A unsigned char *nonce;
2N/A unsigned int nonce_count;
2N/A unsigned char *cnonce;
2N/A
2N/A union {
2N/A struct {
2N/A time_t timestamp;
2N/A } s; /* server stuff */
2N/A
2N/A struct {
2N/A char *serverFQDN;
2N/A int protection;
2N/A struct digest_cipher *cipher;
2N/A unsigned int server_maxbuf;
2N/A } c; /* client stuff */
2N/A } u;
2N/A} reauth_entry_t;
2N/A
2N/Atypedef struct reauth_cache {
2N/A /* static stuff */
2N/A enum Context_type i_am; /* are we the client or server? */
2N/A time_t timeout;
2N/A void *mutex;
2N/A size_t size;
2N/A
2N/A reauth_entry_t *e; /* fixed-size hash table of entries */
2N/A} reauth_cache_t;
2N/A
2N/A/* context that stores info */
2N/Atypedef struct context {
2N/A int state; /* state in the authentication we are in */
2N/A enum Context_type i_am; /* are we the client or server? */
2N/A
2N/A reauth_cache_t *reauth;
2N/A
2N/A char *authid;
2N/A char *realm;
2N/A unsigned char *nonce;
2N/A unsigned int nonce_count;
2N/A unsigned char *cnonce;
2N/A
2N/A char *response_value;
2N/A
2N/A unsigned int seqnum;
2N/A unsigned int rec_seqnum; /* for checking integrity */
2N/A
2N/A HASH Ki_send;
2N/A HASH Ki_receive;
2N/A
2N/A HASH HA1; /* Kcc or Kcs */
2N/A
2N/A /* copy of utils from the params structures */
2N/A const sasl_utils_t *utils;
2N/A
2N/A /* For general use */
2N/A char *out_buf;
2N/A unsigned out_buf_len;
2N/A
2N/A /* for encoding/decoding */
2N/A buffer_info_t *enc_in_buf;
2N/A char *encode_buf, *decode_buf, *decode_once_buf;
2N/A unsigned encode_buf_len, decode_buf_len, decode_once_buf_len;
2N/A char *decode_tmp_buf;
2N/A unsigned decode_tmp_buf_len;
2N/A char *MAC_buf;
2N/A unsigned MAC_buf_len;
2N/A
2N/A char *buffer;
2N/A char sizebuf[4];
2N/A int cursize;
2N/A
2N/A /* Layer info */
2N/A unsigned int size; /* Absolute size of buffer */
2N/A unsigned int needsize; /* How much of the size of the buffer is left */
2N/A
2N/A /* Server MaxBuf for Client or Client MaxBuf For Server */
2N/A /* INCOMING */
2N/A unsigned int in_maxbuf;
2N/A
2N/A /* if privacy mode is used use these functions for encode and decode */
2N/A cipher_function_t *cipher_enc;
2N/A cipher_function_t *cipher_dec;
2N/A cipher_init_t *cipher_init;
2N/A cipher_free_t *cipher_free;
2N/A struct cipher_context *cipher_enc_context;
2N/A struct cipher_context *cipher_dec_context;
2N/A} context_t;
2N/A
2N/Astruct digest_cipher {
2N/A char *name;
2N/A sasl_ssf_t ssf;
2N/A int n; /* bits to make privacy key */
2N/A int flag; /* a bitmask to make things easier for us */
2N/A
2N/A cipher_function_t *cipher_enc;
2N/A cipher_function_t *cipher_dec;
2N/A cipher_init_t *cipher_init;
2N/A cipher_free_t *cipher_free;
2N/A};
2N/A
2N/A#ifdef _SUN_SDK_
2N/Astatic const unsigned char *COLON = (unsigned char *)":";
2N/A#else
2N/Astatic const unsigned char *COLON = ":";
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A/* Hashes a string to produce an unsigned short */
2N/Astatic unsigned hash(const char *str)
2N/A{
2N/A unsigned val = 0;
2N/A int i;
2N/A
2N/A while (str && *str) {
2N/A i = (int) *str;
2N/A val ^= i;
2N/A val <<= 1;
2N/A str++;
2N/A }
2N/A
2N/A return val;
2N/A}
2N/A
2N/Astatic void CvtHex(HASH Bin, HASHHEX Hex)
2N/A{
2N/A unsigned short i;
2N/A unsigned char j;
2N/A
2N/A for (i = 0; i < HASHLEN; i++) {
2N/A j = (Bin[i] >> 4) & 0xf;
2N/A if (j <= 9)
2N/A Hex[i * 2] = (j + '0');
2N/A else
2N/A Hex[i * 2] = (j + 'a' - 10);
2N/A j = Bin[i] & 0xf;
2N/A if (j <= 9)
2N/A Hex[i * 2 + 1] = (j + '0');
2N/A else
2N/A Hex[i * 2 + 1] = (j + 'a' - 10);
2N/A }
2N/A Hex[HASHHEXLEN] = '\0';
2N/A}
2N/A
2N/A/*
2N/A * calculate request-digest/response-digest as per HTTP Digest spec
2N/A */
2N/Avoid
2N/ADigestCalcResponse(const sasl_utils_t * utils,
2N/A HASHHEX HA1, /* H(A1) */
2N/A unsigned char *pszNonce, /* nonce from server */
2N/A unsigned int pszNonceCount, /* 8 hex digits */
2N/A unsigned char *pszCNonce, /* client nonce */
2N/A unsigned char *pszQop, /* qop-value: "", "auth",
2N/A * "auth-int" */
2N/A unsigned char *pszDigestUri, /* requested URL */
2N/A unsigned char *pszMethod,
2N/A HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
2N/A HASHHEX Response /* request-digest or response-digest */
2N/A )
2N/A{
2N/A MD5_CTX Md5Ctx;
2N/A HASH HA2;
2N/A HASH RespHash;
2N/A HASHHEX HA2Hex;
2N/A char ncvalue[10];
2N/A
2N/A /* calculate H(A2) */
2N/A utils->MD5Init(&Md5Ctx);
2N/A
2N/A if (pszMethod != NULL) {
2N/A utils->MD5Update(&Md5Ctx, pszMethod, strlen((char *) pszMethod));
2N/A }
2N/A utils->MD5Update(&Md5Ctx, (unsigned char *) COLON, 1);
2N/A
2N/A /* utils->MD5Update(&Md5Ctx, (unsigned char *) "AUTHENTICATE:", 13); */
2N/A utils->MD5Update(&Md5Ctx, pszDigestUri, strlen((char *) pszDigestUri));
2N/A if (strcasecmp((char *) pszQop, "auth") != 0) {
2N/A /* append ":00000000000000000000000000000000" */
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, HEntity, HASHHEXLEN);
2N/A }
2N/A utils->MD5Final(HA2, &Md5Ctx);
2N/A CvtHex(HA2, HA2Hex);
2N/A
2N/A /* calculate response */
2N/A utils->MD5Init(&Md5Ctx);
2N/A utils->MD5Update(&Md5Ctx, HA1, HASHHEXLEN);
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszNonce, strlen((char *) pszNonce));
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A if (*pszQop) {
2N/A sprintf(ncvalue, "%08x", pszNonceCount);
2N/A#ifdef _SUN_SDK_
2N/A utils->MD5Update(&Md5Ctx, (unsigned char *)ncvalue, strlen(ncvalue));
2N/A#else
2N/A utils->MD5Update(&Md5Ctx, ncvalue, strlen(ncvalue));
2N/A#endif /* _SUN_SDK_ */
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszCNonce, strlen((char *) pszCNonce));
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszQop, strlen((char *) pszQop));
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A }
2N/A utils->MD5Update(&Md5Ctx, HA2Hex, HASHHEXLEN);
2N/A utils->MD5Final(RespHash, &Md5Ctx);
2N/A CvtHex(RespHash, Response);
2N/A}
2N/A
2N/Astatic bool UTF8_In_8859_1(const unsigned char *base, int len)
2N/A{
2N/A const unsigned char *scan, *end;
2N/A
2N/A end = base + len;
2N/A for (scan = base; scan < end; ++scan) {
2N/A if (*scan > 0xC3)
2N/A break; /* abort if outside 8859-1 */
2N/A if (*scan >= 0xC0 && *scan <= 0xC3) {
2N/A if (++scan == end || *scan < 0x80 || *scan > 0xBF)
2N/A break;
2N/A }
2N/A }
2N/A
2N/A /* if scan >= end, then this is a 8859-1 string. */
2N/A return (scan >= end);
2N/A}
2N/A
2N/A/*
2N/A * if the string is entirely in the 8859-1 subset of UTF-8, then translate to
2N/A * 8859-1 prior to MD5
2N/A */
2N/Avoid MD5_UTF8_8859_1(const sasl_utils_t * utils,
2N/A MD5_CTX * ctx,
2N/A bool In_ISO_8859_1,
2N/A const unsigned char *base,
2N/A int len)
2N/A{
2N/A const unsigned char *scan, *end;
2N/A unsigned char cbuf;
2N/A
2N/A end = base + len;
2N/A
2N/A /* if we found a character outside 8859-1, don't alter string */
2N/A if (!In_ISO_8859_1) {
2N/A utils->MD5Update(ctx, base, len);
2N/A return;
2N/A }
2N/A /* convert to 8859-1 prior to applying hash */
2N/A do {
2N/A for (scan = base; scan < end && *scan < 0xC0; ++scan);
2N/A if (scan != base)
2N/A utils->MD5Update(ctx, base, scan - base);
2N/A if (scan + 1 >= end)
2N/A break;
2N/A cbuf = ((scan[0] & 0x3) << 6) | (scan[1] & 0x3f);
2N/A utils->MD5Update(ctx, &cbuf, 1);
2N/A base = scan + 2;
2N/A }
2N/A while (base < end);
2N/A}
2N/A
2N/Astatic void DigestCalcSecret(const sasl_utils_t * utils,
2N/A unsigned char *pszUserName,
2N/A unsigned char *pszRealm,
2N/A unsigned char *Password,
2N/A int PasswordLen,
2N/A HASH HA1)
2N/A{
2N/A bool In_8859_1;
2N/A
2N/A MD5_CTX Md5Ctx;
2N/A
2N/A /* Chris Newman clarified that the following text in DIGEST-MD5 spec
2N/A is bogus: "if name and password are both in ISO 8859-1 charset"
2N/A We should use code example instead */
2N/A
2N/A utils->MD5Init(&Md5Ctx);
2N/A
2N/A /* We have to convert UTF-8 to ISO-8859-1 if possible */
2N/A In_8859_1 = UTF8_In_8859_1(pszUserName, strlen((char *) pszUserName));
2N/A MD5_UTF8_8859_1(utils, &Md5Ctx, In_8859_1,
2N/A pszUserName, strlen((char *) pszUserName));
2N/A
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A
2N/A if (pszRealm != NULL && pszRealm[0] != '\0') {
2N/A /* a NULL realm is equivalent to the empty string */
2N/A utils->MD5Update(&Md5Ctx, pszRealm, strlen((char *) pszRealm));
2N/A }
2N/A
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A
2N/A /* We have to convert UTF-8 to ISO-8859-1 if possible */
2N/A In_8859_1 = UTF8_In_8859_1(Password, PasswordLen);
2N/A MD5_UTF8_8859_1(utils, &Md5Ctx, In_8859_1,
2N/A Password, PasswordLen);
2N/A
2N/A utils->MD5Final(HA1, &Md5Ctx);
2N/A}
2N/A
2N/Astatic unsigned char *create_nonce(const sasl_utils_t * utils)
2N/A{
2N/A unsigned char *base64buf;
2N/A int base64len;
2N/A
2N/A char *ret = (char *) utils->malloc(NONCE_SIZE);
2N/A if (ret == NULL)
2N/A return NULL;
2N/A
2N/A#if defined _DEV_URANDOM && defined _SUN_SDK_
2N/A {
2N/A int fd = open(_DEV_URANDOM, O_RDONLY);
2N/A int nread = 0;
2N/A
2N/A if (fd != -1) {
2N/A nread = read(fd, ret, NONCE_SIZE);
2N/A close(fd);
2N/A }
2N/A if (nread != NONCE_SIZE)
2N/A utils->rand(utils->rpool, (char *) ret, NONCE_SIZE);
2N/A }
2N/A#else
2N/A utils->rand(utils->rpool, (char *) ret, NONCE_SIZE);
2N/A#endif /* _DEV_URANDOM && _SUN_SDK_ */
2N/A
2N/A /* base 64 encode it so it has valid chars */
2N/A base64len = (NONCE_SIZE * 4 / 3) + (NONCE_SIZE % 3 ? 4 : 0);
2N/A
2N/A base64buf = (unsigned char *) utils->malloc(base64len + 1);
2N/A if (base64buf == NULL) {
2N/A#ifdef _SUN_SDK_
2N/A utils->log(utils->conn, SASL_LOG_ERR,
2N/A "Unable to allocate final buffer");
2N/A#else
2N/A utils->seterror(utils->conn, 0, "Unable to allocate final buffer");
2N/A#endif /* _SUN_SDK_ */
2N/A return NULL;
2N/A }
2N/A
2N/A /*
2N/A * Returns SASL_OK on success, SASL_BUFOVER if result won't fit
2N/A */
2N/A if (utils->encode64(ret, NONCE_SIZE,
2N/A (char *) base64buf, base64len, NULL) != SASL_OK) {
2N/A utils->free(ret);
2N/A return NULL;
2N/A }
2N/A utils->free(ret);
2N/A
2N/A return base64buf;
2N/A}
2N/A
2N/Astatic int add_to_challenge(const sasl_utils_t *utils,
2N/A char **str, unsigned *buflen, unsigned *curlen,
2N/A char *name,
2N/A unsigned char *value,
2N/A bool need_quotes)
2N/A{
2N/A int namesize = strlen(name);
2N/A int valuesize = strlen((char *) value);
2N/A int ret;
2N/A
2N/A ret = _plug_buf_alloc(utils, str, buflen,
2N/A *curlen + 1 + namesize + 2 + valuesize + 2);
2N/A if(ret != SASL_OK) return ret;
2N/A
2N/A *curlen = *curlen + 1 + namesize + 2 + valuesize + 2;
2N/A
2N/A strcat(*str, ",");
2N/A strcat(*str, name);
2N/A
2N/A if (need_quotes) {
2N/A strcat(*str, "=\"");
2N/A strcat(*str, (char *) value); /* XXX. What about quoting??? */
2N/A strcat(*str, "\"");
2N/A } else {
2N/A strcat(*str, "=");
2N/A strcat(*str, (char *) value);
2N/A }
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic char *skip_lws (char *s)
2N/A{
2N/A if(!s) return NULL;
2N/A
2N/A /* skipping spaces: */
2N/A while (s[0] == ' ' || s[0] == HT || s[0] == CR || s[0] == LF) {
2N/A if (s[0]=='\0') break;
2N/A s++;
2N/A }
2N/A
2N/A return s;
2N/A}
2N/A
2N/A#ifdef __SUN_SDK_
2N/Astatic char *skip_token (char *s, int caseinsensitive __attribute__((unused)))
2N/A#else
2N/Astatic char *skip_token (char *s, int caseinsensitive)
2N/A#endif /* _SUN_SDK_ */
2N/A{
2N/A if(!s) return NULL;
2N/A
2N/A#ifdef __SUN_SDK_
2N/A while (((unsigned char *)s)[0]>SP) {
2N/A#else
2N/A while (s[0]>SP) {
2N/A#endif /* _SUN_SDK_ */
2N/A if (s[0]==DEL || s[0]=='(' || s[0]==')' || s[0]=='<' || s[0]=='>' ||
2N/A s[0]=='@' || s[0]==',' || s[0]==';' || s[0]==':' || s[0]=='\\' ||
2N/A s[0]=='\'' || s[0]=='/' || s[0]=='[' || s[0]==']' || s[0]== '?' ||
2N/A s[0]=='=' || s[0]== '{' || s[0]== '}') {
2N/A#ifdef __SUN_SDK_
2N/A /* the above chars are never uppercase */
2N/A break;
2N/A#else
2N/A if (caseinsensitive == 1) {
2N/A if (!isupper((unsigned char) s[0]))
2N/A break;
2N/A } else {
2N/A break;
2N/A }
2N/A#endif /* _SUN_SDK_ */
2N/A }
2N/A s++;
2N/A }
2N/A return s;
2N/A}
2N/A
2N/A/* NULL - error (unbalanced quotes),
2N/A otherwise pointer to the first character after value */
2N/Astatic char *unquote (char *qstr)
2N/A{
2N/A char *endvalue;
2N/A int escaped = 0;
2N/A char *outptr;
2N/A
2N/A if(!qstr) return NULL;
2N/A
2N/A if (qstr[0] == '"') {
2N/A qstr++;
2N/A outptr = qstr;
2N/A
2N/A for (endvalue = qstr; endvalue[0] != '\0'; endvalue++, outptr++) {
2N/A if (escaped) {
2N/A outptr[0] = endvalue[0];
2N/A escaped = 0;
2N/A }
2N/A else if (endvalue[0] == '\\') {
2N/A escaped = 1;
2N/A outptr--; /* Will be incremented at the end of the loop */
2N/A }
2N/A else if (endvalue[0] == '"') {
2N/A break;
2N/A }
2N/A else {
2N/A outptr[0] = endvalue[0];
2N/A }
2N/A }
2N/A
2N/A if (endvalue[0] != '"') {
2N/A return NULL;
2N/A }
2N/A
2N/A while (outptr <= endvalue) {
2N/A outptr[0] = '\0';
2N/A outptr++;
2N/A }
2N/A endvalue++;
2N/A }
2N/A else { /* not qouted value (token) */
2N/A endvalue = skip_token(qstr,0);
2N/A };
2N/A
2N/A return endvalue;
2N/A}
2N/A
2N/Astatic void get_pair(char **in, char **name, char **value)
2N/A{
2N/A char *endpair;
2N/A /* int inQuotes; */
2N/A char *curp = *in;
2N/A *name = NULL;
2N/A *value = NULL;
2N/A
2N/A if (curp == NULL) return;
2N/A if (curp[0] == '\0') return;
2N/A
2N/A /* skipping spaces: */
2N/A curp = skip_lws(curp);
2N/A
2N/A *name = curp;
2N/A
2N/A curp = skip_token(curp,1);
2N/A
2N/A /* strip wierd chars */
2N/A if (curp[0] != '=' && curp[0] != '\0') {
2N/A *curp++ = '\0';
2N/A };
2N/A
2N/A curp = skip_lws(curp);
2N/A
2N/A if (curp[0] != '=') { /* No '=' sign */
2N/A *name = NULL;
2N/A return;
2N/A }
2N/A
2N/A curp[0] = '\0';
2N/A curp++;
2N/A
2N/A curp = skip_lws(curp);
2N/A
2N/A *value = (curp[0] == '"') ? curp+1 : curp;
2N/A
2N/A endpair = unquote (curp);
2N/A if (endpair == NULL) { /* Unbalanced quotes */
2N/A *name = NULL;
2N/A return;
2N/A }
2N/A if (endpair[0] != ',') {
2N/A if (endpair[0]!='\0') {
2N/A *endpair++ = '\0';
2N/A }
2N/A }
2N/A
2N/A endpair = skip_lws(endpair);
2N/A
2N/A /* syntax check: MUST be '\0' or ',' */
2N/A if (endpair[0] == ',') {
2N/A endpair[0] = '\0';
2N/A endpair++; /* skipping <,> */
2N/A } else if (endpair[0] != '\0') {
2N/A *name = NULL;
2N/A return;
2N/A }
2N/A
2N/A *in = endpair;
2N/A}
2N/A
2N/A/* EXPORT DELETE START */
2N/A#ifdef WITH_DES
2N/Astruct des_context_s {
2N/A des_key_schedule keysched; /* key schedule for des initialization */
2N/A des_cblock ivec; /* initial vector for encoding */
2N/A des_key_schedule keysched2; /* key schedule for 3des initialization */
2N/A};
2N/A
2N/Atypedef struct des_context_s des_context_t;
2N/A
2N/A/* slide the first 7 bytes of 'inbuf' into the high seven bits of the
2N/A first 8 bytes of 'keybuf'. 'keybuf' better be 8 bytes long or longer. */
2N/Astatic void slidebits(unsigned char *keybuf, unsigned char *inbuf)
2N/A{
2N/A keybuf[0] = inbuf[0];
2N/A keybuf[1] = (inbuf[0]<<7) | (inbuf[1]>>1);
2N/A keybuf[2] = (inbuf[1]<<6) | (inbuf[2]>>2);
2N/A keybuf[3] = (inbuf[2]<<5) | (inbuf[3]>>3);
2N/A keybuf[4] = (inbuf[3]<<4) | (inbuf[4]>>4);
2N/A keybuf[5] = (inbuf[4]<<3) | (inbuf[5]>>5);
2N/A keybuf[6] = (inbuf[5]<<2) | (inbuf[6]>>6);
2N/A keybuf[7] = (inbuf[6]<<1);
2N/A}
2N/A
2N/A/******************************
2N/A *
2N/A * 3DES functions
2N/A *
2N/A *****************************/
2N/A
2N/Astatic int dec_3des(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A des_context_t *c = (des_context_t *) text->cipher_dec_context;
2N/A int padding, p;
2N/A
2N/A des_ede2_cbc_encrypt((void *) input,
2N/A (void *) output,
2N/A inputlen,
2N/A c->keysched,
2N/A c->keysched2,
2N/A &c->ivec,
2N/A DES_DECRYPT);
2N/A
2N/A /* now chop off the padding */
2N/A padding = output[inputlen - 11];
2N/A if (padding < 1 || padding > 8) {
2N/A /* invalid padding length */
2N/A return SASL_FAIL;
2N/A }
2N/A /* verify all padding is correct */
2N/A for (p = 1; p <= padding; p++) {
2N/A if (output[inputlen - 10 - p] != padding) {
2N/A return SASL_FAIL;
2N/A }
2N/A }
2N/A
2N/A /* chop off the padding */
2N/A *outputlen = inputlen - padding - 10;
2N/A
2N/A /* copy in the HMAC to digest */
2N/A memcpy(digest, output + inputlen - 10, 10);
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int enc_3des(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A des_context_t *c = (des_context_t *) text->cipher_enc_context;
2N/A int len;
2N/A int paddinglen;
2N/A
2N/A /* determine padding length */
2N/A paddinglen = 8 - ((inputlen + 10) % 8);
2N/A
2N/A /* now construct the full stuff to be ciphered */
2N/A memcpy(output, input, inputlen); /* text */
2N/A memset(output+inputlen, paddinglen, paddinglen);/* pad */
2N/A memcpy(output+inputlen+paddinglen, digest, 10); /* hmac */
2N/A
2N/A len=inputlen+paddinglen+10;
2N/A
2N/A des_ede2_cbc_encrypt((void *) output,
2N/A (void *) output,
2N/A len,
2N/A c->keysched,
2N/A c->keysched2,
2N/A &c->ivec,
2N/A DES_ENCRYPT);
2N/A
2N/A *outputlen=len;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int init_3des(context_t *text,
2N/A unsigned char enckey[16],
2N/A unsigned char deckey[16])
2N/A{
2N/A des_context_t *c;
2N/A unsigned char keybuf[8];
2N/A
2N/A /* allocate enc & dec context */
2N/A c = (des_context_t *) text->utils->malloc(2 * sizeof(des_context_t));
2N/A if (c == NULL) return SASL_NOMEM;
2N/A
2N/A /* setup enc context */
2N/A slidebits(keybuf, enckey);
2N/A if (des_key_sched((des_cblock *) keybuf, c->keysched) < 0)
2N/A return SASL_FAIL;
2N/A
2N/A slidebits(keybuf, enckey + 7);
2N/A if (des_key_sched((des_cblock *) keybuf, c->keysched2) < 0)
2N/A return SASL_FAIL;
2N/A memcpy(c->ivec, ((char *) enckey) + 8, 8);
2N/A
2N/A text->cipher_enc_context = (cipher_context_t *) c;
2N/A
2N/A /* setup dec context */
2N/A c++;
2N/A slidebits(keybuf, deckey);
2N/A if (des_key_sched((des_cblock *) keybuf, c->keysched) < 0)
2N/A return SASL_FAIL;
2N/A
2N/A slidebits(keybuf, deckey + 7);
2N/A if (des_key_sched((des_cblock *) keybuf, c->keysched2) < 0)
2N/A return SASL_FAIL;
2N/A
2N/A memcpy(c->ivec, ((char *) deckey) + 8, 8);
2N/A
2N/A text->cipher_dec_context = (cipher_context_t *) c;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/A
2N/A/******************************
2N/A *
2N/A * DES functions
2N/A *
2N/A *****************************/
2N/A
2N/Astatic int dec_des(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A des_context_t *c = (des_context_t *) text->cipher_dec_context;
2N/A int p, padding = 0;
2N/A
2N/A des_cbc_encrypt((void *) input,
2N/A (void *) output,
2N/A inputlen,
2N/A c->keysched,
2N/A &c->ivec,
2N/A DES_DECRYPT);
2N/A
2N/A /* Update the ivec (des_cbc_encrypt implementations tend to be broken in
2N/A this way) */
2N/A memcpy(c->ivec, input + (inputlen - 8), 8);
2N/A
2N/A /* now chop off the padding */
2N/A padding = output[inputlen - 11];
2N/A if (padding < 1 || padding > 8) {
2N/A /* invalid padding length */
2N/A return SASL_FAIL;
2N/A }
2N/A /* verify all padding is correct */
2N/A for (p = 1; p <= padding; p++) {
2N/A if (output[inputlen - 10 - p] != padding) {
2N/A return SASL_FAIL;
2N/A }
2N/A }
2N/A
2N/A /* chop off the padding */
2N/A *outputlen = inputlen - padding - 10;
2N/A
2N/A /* copy in the HMAC to digest */
2N/A memcpy(digest, output + inputlen - 10, 10);
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int enc_des(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A des_context_t *c = (des_context_t *) text->cipher_enc_context;
2N/A int len;
2N/A int paddinglen;
2N/A
2N/A /* determine padding length */
2N/A paddinglen = 8 - ((inputlen+10) % 8);
2N/A
2N/A /* now construct the full stuff to be ciphered */
2N/A memcpy(output, input, inputlen); /* text */
2N/A memset(output+inputlen, paddinglen, paddinglen);/* pad */
2N/A memcpy(output+inputlen+paddinglen, digest, 10); /* hmac */
2N/A
2N/A len = inputlen + paddinglen + 10;
2N/A
2N/A des_cbc_encrypt((void *) output,
2N/A (void *) output,
2N/A len,
2N/A c->keysched,
2N/A &c->ivec,
2N/A DES_ENCRYPT);
2N/A
2N/A /* Update the ivec (des_cbc_encrypt implementations tend to be broken in
2N/A this way) */
2N/A memcpy(c->ivec, output + (len - 8), 8);
2N/A
2N/A *outputlen = len;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int init_des(context_t *text,
2N/A unsigned char enckey[16],
2N/A unsigned char deckey[16])
2N/A{
2N/A des_context_t *c;
2N/A unsigned char keybuf[8];
2N/A
2N/A /* allocate enc context */
2N/A c = (des_context_t *) text->utils->malloc(2 * sizeof(des_context_t));
2N/A if (c == NULL) return SASL_NOMEM;
2N/A
2N/A /* setup enc context */
2N/A slidebits(keybuf, enckey);
2N/A des_key_sched((des_cblock *) keybuf, c->keysched);
2N/A
2N/A memcpy(c->ivec, ((char *) enckey) + 8, 8);
2N/A
2N/A text->cipher_enc_context = (cipher_context_t *) c;
2N/A
2N/A /* setup dec context */
2N/A c++;
2N/A slidebits(keybuf, deckey);
2N/A des_key_sched((des_cblock *) keybuf, c->keysched);
2N/A
2N/A memcpy(c->ivec, ((char *) deckey) + 8, 8);
2N/A
2N/A text->cipher_dec_context = (cipher_context_t *) c;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic void free_des(context_t *text)
2N/A{
2N/A /* free des contextss. only cipher_enc_context needs to be free'd,
2N/A since cipher_dec_context was allocated at the same time. */
2N/A if (text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
2N/A}
2N/A
2N/A#endif /* WITH_DES */
2N/A
2N/A#ifdef WITH_RC4
2N/A/* quick generic implementation of RC4 */
2N/Astruct rc4_context_s {
2N/A unsigned char sbox[256];
2N/A int i, j;
2N/A};
2N/A
2N/Atypedef struct rc4_context_s rc4_context_t;
2N/A
2N/Astatic void rc4_init(rc4_context_t *text,
2N/A const unsigned char *key,
2N/A unsigned keylen)
2N/A{
2N/A int i, j;
2N/A
2N/A /* fill in linearly s0=0 s1=1... */
2N/A for (i=0;i<256;i++)
2N/A text->sbox[i]=i;
2N/A
2N/A j=0;
2N/A for (i = 0; i < 256; i++) {
2N/A unsigned char tmp;
2N/A /* j = (j + Si + Ki) mod 256 */
2N/A j = (j + text->sbox[i] + key[i % keylen]) % 256;
2N/A
2N/A /* swap Si and Sj */
2N/A tmp = text->sbox[i];
2N/A text->sbox[i] = text->sbox[j];
2N/A text->sbox[j] = tmp;
2N/A }
2N/A
2N/A /* counters initialized to 0 */
2N/A text->i = 0;
2N/A text->j = 0;
2N/A}
2N/A
2N/Astatic void rc4_encrypt(rc4_context_t *text,
2N/A const char *input,
2N/A char *output,
2N/A unsigned len)
2N/A{
2N/A int tmp;
2N/A int i = text->i;
2N/A int j = text->j;
2N/A int t;
2N/A int K;
2N/A const char *input_end = input + len;
2N/A
2N/A while (input < input_end) {
2N/A i = (i + 1) % 256;
2N/A
2N/A j = (j + text->sbox[i]) % 256;
2N/A
2N/A /* swap Si and Sj */
2N/A tmp = text->sbox[i];
2N/A text->sbox[i] = text->sbox[j];
2N/A text->sbox[j] = tmp;
2N/A
2N/A t = (text->sbox[i] + text->sbox[j]) % 256;
2N/A
2N/A K = text->sbox[t];
2N/A
2N/A /* byte K is Xor'ed with plaintext */
2N/A *output++ = *input++ ^ K;
2N/A }
2N/A
2N/A text->i = i;
2N/A text->j = j;
2N/A}
2N/A
2N/Astatic void rc4_decrypt(rc4_context_t *text,
2N/A const char *input,
2N/A char *output,
2N/A unsigned len)
2N/A{
2N/A int tmp;
2N/A int i = text->i;
2N/A int j = text->j;
2N/A int t;
2N/A int K;
2N/A const char *input_end = input + len;
2N/A
2N/A while (input < input_end) {
2N/A i = (i + 1) % 256;
2N/A
2N/A j = (j + text->sbox[i]) % 256;
2N/A
2N/A /* swap Si and Sj */
2N/A tmp = text->sbox[i];
2N/A text->sbox[i] = text->sbox[j];
2N/A text->sbox[j] = tmp;
2N/A
2N/A t = (text->sbox[i] + text->sbox[j]) % 256;
2N/A
2N/A K = text->sbox[t];
2N/A
2N/A /* byte K is Xor'ed with plaintext */
2N/A *output++ = *input++ ^ K;
2N/A }
2N/A
2N/A text->i = i;
2N/A text->j = j;
2N/A}
2N/A
2N/Astatic void free_rc4(context_t *text)
2N/A{
2N/A /* free rc4 context structures */
2N/A
2N/A if(text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
2N/A if(text->cipher_dec_context) text->utils->free(text->cipher_dec_context);
2N/A#ifdef _SUN_SDK_
2N/A text->cipher_enc_context = NULL;
2N/A text->cipher_dec_context = NULL;
2N/A#endif /* _SUN_SDK_ */
2N/A}
2N/A
2N/Astatic int init_rc4(context_t *text,
2N/A#ifdef _SUN_SDK_
2N/A char enckey[16],
2N/A char deckey[16])
2N/A#else
2N/A unsigned char enckey[16],
2N/A unsigned char deckey[16])
2N/A#endif /* _SUN_SDK_ */
2N/A{
2N/A /* allocate rc4 context structures */
2N/A text->cipher_enc_context=
2N/A (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
2N/A if (text->cipher_enc_context == NULL) return SASL_NOMEM;
2N/A
2N/A text->cipher_dec_context=
2N/A (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
2N/A#ifdef _SUN_SDK_
2N/A if (text->cipher_dec_context == NULL) {
2N/A text->utils->free(text->cipher_enc_context);
2N/A text->cipher_enc_context = NULL;
2N/A return SASL_NOMEM;
2N/A }
2N/A#else
2N/A if (text->cipher_dec_context == NULL) return SASL_NOMEM;
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /* initialize them */
2N/A rc4_init((rc4_context_t *) text->cipher_enc_context,
2N/A (const unsigned char *) enckey, 16);
2N/A rc4_init((rc4_context_t *) text->cipher_dec_context,
2N/A (const unsigned char *) deckey, 16);
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int dec_rc4(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A /* decrypt the text part */
2N/A rc4_decrypt((rc4_context_t *) text->cipher_dec_context,
2N/A input, output, inputlen-10);
2N/A
2N/A /* decrypt the HMAC part */
2N/A rc4_decrypt((rc4_context_t *) text->cipher_dec_context,
2N/A input+(inputlen-10), (char *) digest, 10);
2N/A
2N/A /* no padding so we just subtract the HMAC to get the text length */
2N/A *outputlen = inputlen - 10;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int enc_rc4(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A /* pad is zero */
2N/A *outputlen = inputlen+10;
2N/A
2N/A /* encrypt the text part */
2N/A rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
2N/A input,
2N/A output,
2N/A inputlen);
2N/A
2N/A /* encrypt the HMAC part */
2N/A rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
2N/A (const char *) digest,
2N/A (output)+inputlen, 10);
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/A#endif /* WITH_RC4 */
2N/A/* EXPORT DELETE END */
2N/A
2N/Astruct digest_cipher available_ciphers[] =
2N/A{
2N/A /* EXPORT DELETE START */
2N/A#ifdef WITH_RC4
2N/A { "rc4-40", 40, 5, 0x01, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
2N/A { "rc4-56", 56, 7, 0x02, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
2N/A { "rc4", 128, 16, 0x04, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
2N/A#endif
2N/A#ifdef WITH_DES
2N/A { "des", 55, 16, 0x08, &enc_des, &dec_des, &init_des, &free_des },
2N/A { "3des", 112, 16, 0x10, &enc_3des, &dec_3des, &init_3des, &free_des },
2N/A#endif
2N/A /* EXPORT DELETE END */
2N/A { NULL, 0, 0, 0, NULL, NULL, NULL, NULL }
2N/A};
2N/A
2N/A
2N/A#ifdef USE_UEF
2N/ADEFINE_STATIC_MUTEX(uef_init_mutex);
2N/A#define DES_CIPHER_INDEX 3
2N/A#define DES3_CIPHER_INDEX 4
2N/A
2N/Astatic int got_uef_slot = FALSE;
2N/Astatic sasl_ssf_t uef_max_ssf = 0;
2N/Astatic CK_SLOT_ID rc4_slot_id;
2N/Astatic CK_SLOT_ID des_slot_id;
2N/Astatic CK_SLOT_ID des3_slot_id;
2N/A
2N/Astruct uef_context_s {
2N/A CK_SESSION_HANDLE hSession;
2N/A CK_OBJECT_HANDLE hKey;
2N/A};
2N/A
2N/Atypedef struct uef_context_s uef_context_t;
2N/A
2N/A/*
2N/A * slide the first 7 bytes of 'inbuf' into the high seven bits of the
2N/A * first 8 bytes of 'keybuf'. 'inbuf' better be 8 bytes long or longer.
2N/A *
2N/A * This is used to compute the IV for "des" and "3des" as described in
2N/A * draft-ietf-sasl-rfc2831bis-00.txt - The IV for "des"
2N/A * and "3des" is the last 8 bytes of Kcc or Kcs - the encryption keys.
2N/A */
2N/A
2N/Astatic void slidebits(unsigned char *keybuf, unsigned char *inbuf)
2N/A{
2N/A keybuf[0] = inbuf[0];
2N/A keybuf[1] = (inbuf[0]<<7) | (inbuf[1]>>1);
2N/A keybuf[2] = (inbuf[1]<<6) | (inbuf[2]>>2);
2N/A keybuf[3] = (inbuf[2]<<5) | (inbuf[3]>>3);
2N/A keybuf[4] = (inbuf[3]<<4) | (inbuf[4]>>4);
2N/A keybuf[5] = (inbuf[4]<<3) | (inbuf[5]>>5);
2N/A keybuf[6] = (inbuf[5]<<2) | (inbuf[6]>>6);
2N/A keybuf[7] = (inbuf[6]<<1);
2N/A}
2N/A
2N/A/*
2N/A * Create encryption and decryption session handle handles for later use.
2N/A * Returns SASL_OK on success - any other return indicates failure.
2N/A *
2N/A * free_uef is called to release associated resources by
2N/A * digestmd5_common_mech_dispose
2N/A */
2N/A
2N/Astatic int init_uef(context_t *text,
2N/A CK_KEY_TYPE keyType,
2N/A CK_MECHANISM_TYPE mech_type,
2N/A CK_SLOT_ID slot_id,
2N/A char enckey[16],
2N/A char deckey[16])
2N/A{
2N/A CK_RV rv;
2N/A uef_context_t *enc_context;
2N/A uef_context_t *dec_context;
2N/A CK_OBJECT_CLASS class = CKO_SECRET_KEY;
2N/A CK_BBOOL true = TRUE;
2N/A static CK_MECHANISM mechanism = {CKM_RC4, NULL, 0};
2N/A unsigned char keybuf[24];
2N/A CK_ATTRIBUTE template[] = {
2N/A {CKA_CLASS, NULL, sizeof (class)},
2N/A {CKA_KEY_TYPE, NULL, sizeof (keyType)},
2N/A {CKA_ENCRYPT, NULL, sizeof (true)},
2N/A {CKA_VALUE, NULL, 16}};
2N/A
2N/A template[0].pValue = &class;
2N/A template[1].pValue = &keyType;
2N/A template[2].pValue = &true;
2N/A if (keyType == CKK_DES || keyType == CKK_DES3) {
2N/A slidebits(keybuf, (unsigned char *)enckey);
2N/A if (keyType == CKK_DES3) {
2N/A slidebits(keybuf + 8, (unsigned char *)enckey + 7);
2N/A (void) memcpy(keybuf + 16, keybuf, 8);
2N/A template[3].ulValueLen = 24;
2N/A } else {
2N/A template[3].ulValueLen = 8;
2N/A }
2N/A template[3].pValue = keybuf;
2N/A mechanism.pParameter = enckey + 8;
2N/A mechanism.ulParameterLen = 8;
2N/A } else {
2N/A template[3].pValue = enckey;
2N/A }
2N/A mechanism.mechanism = mech_type;
2N/A
2N/A /* allocate rc4 context structures */
2N/A enc_context = text->utils->malloc(sizeof (uef_context_t));
2N/A if (enc_context == NULL)
2N/A return SASL_NOMEM;
2N/A
2N/A rv = C_OpenSession(slot_id, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR,
2N/A &enc_context->hSession);
2N/A if (rv != CKR_OK) {
2N/A text->utils->free(enc_context);
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "enc C_OpenSession Failed:0x%.8X\n", rv);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A rv = C_CreateObject(enc_context->hSession, template,
2N/A sizeof (template)/sizeof (template[0]), &enc_context->hKey);
2N/A if (rv != CKR_OK) {
2N/A text->utils->free(enc_context);
2N/A (void) C_CloseSession(enc_context->hSession);
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "enc C_CreateObject: rv = 0x%.8X\n", rv);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A text->cipher_enc_context = (cipher_context_t *)enc_context;
2N/A
2N/A /* Initialize the encryption operation in the session */
2N/A rv = C_EncryptInit(enc_context->hSession, &mechanism, enc_context->hKey);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_EncryptInit: rv = 0x%.8X\n", rv);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A dec_context = text->utils->malloc(sizeof(uef_context_t));
2N/A if (dec_context == NULL)
2N/A return SASL_NOMEM;
2N/A
2N/A rv = C_OpenSession(slot_id, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR,
2N/A &dec_context->hSession);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "dec C_OpenSession Failed:0x%.8X\n", rv);
2N/A#endif
2N/A text->utils->free(dec_context);
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A template[2].type = CKA_DECRYPT;
2N/A if (keyType == CKK_DES || keyType == CKK_DES3) {
2N/A slidebits(keybuf, (unsigned char *)deckey);
2N/A if (keyType == CKK_DES3) {
2N/A slidebits(keybuf + 8, (unsigned char *)deckey + 7);
2N/A (void) memcpy(keybuf + 16, keybuf, 8);
2N/A }
2N/A mechanism.pParameter = deckey + 8;
2N/A } else {
2N/A template[3].pValue = deckey;
2N/A }
2N/A
2N/A rv = C_CreateObject(dec_context->hSession, template,
2N/A sizeof (template)/sizeof (template[0]), &dec_context->hKey);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "dec C_CreateObject: rv = 0x%.8X\n", rv);
2N/A#endif
2N/A (void) C_CloseSession(dec_context->hSession);
2N/A text->utils->free(dec_context);
2N/A return SASL_FAIL;
2N/A }
2N/A text->cipher_dec_context = (cipher_context_t *)dec_context;
2N/A
2N/A /* Initialize the decryption operation in the session */
2N/A rv = C_DecryptInit(dec_context->hSession, &mechanism, dec_context->hKey);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DecryptInit: rv = 0x%.8X\n", rv);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int init_rc4_uef(context_t *text,
2N/A char enckey[16],
2N/A char deckey[16])
2N/A{
2N/A return init_uef(text, CKK_RC4, CKM_RC4, rc4_slot_id, enckey, deckey);
2N/A}
2N/A
2N/Astatic int init_des_uef(context_t *text,
2N/A char enckey[16],
2N/A char deckey[16])
2N/A{
2N/A return init_uef(text, CKK_DES, CKM_DES_CBC, des_slot_id, enckey, deckey);
2N/A}
2N/A
2N/Astatic int init_3des_uef(context_t *text,
2N/A char enckey[16],
2N/A char deckey[16])
2N/A{
2N/A return init_uef(text, CKK_DES3, CKM_DES3_CBC, des3_slot_id, enckey, deckey);
2N/A}
2N/A
2N/Astatic void
2N/Afree_uef(context_t *text)
2N/A{
2N/A uef_context_t *enc_context =
2N/A (uef_context_t *)text->cipher_enc_context;
2N/A uef_context_t *dec_context =
2N/A (uef_context_t *)text->cipher_dec_context;
2N/A CK_RV rv;
2N/A unsigned char buf[1];
2N/A CK_ULONG ulLen = 0;
2N/A
2N/A
2N/A if (enc_context != NULL) {
2N/A rv = C_EncryptFinal(enc_context->hSession, buf, &ulLen);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_EncryptFinal failed:0x%.8X\n", rv);
2N/A#endif
2N/A }
2N/A rv = C_DestroyObject(enc_context->hSession, enc_context->hKey);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DestroyObject failed:0x%.8X\n", rv);
2N/A#endif
2N/A }
2N/A rv = C_CloseSession(enc_context->hSession);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_CloseSession failed:0x%.8X\n", rv);
2N/A#endif
2N/A }
2N/A text->utils->free(enc_context);
2N/A }
2N/A if (dec_context != NULL) {
2N/A rv = C_DecryptFinal(dec_context->hSession, buf, &ulLen);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DecryptFinal failed:0x%.8X\n", rv);
2N/A#endif
2N/A }
2N/A rv = C_DestroyObject(dec_context->hSession, dec_context->hKey);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DestroyObject failed:0x%.8X\n", rv);
2N/A#endif
2N/A }
2N/A
2N/A rv = C_CloseSession(dec_context->hSession);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_CloseSession failed:0x%.8X\n", rv);
2N/A#endif
2N/A }
2N/A text->utils->free(dec_context);
2N/A }
2N/A text->cipher_enc_context = NULL;
2N/A text->cipher_dec_context = NULL;
2N/A}
2N/A
2N/Astatic int
2N/Adec_rc4_uef(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A CK_RV rv;
2N/A uef_context_t *dec_context =
2N/A (uef_context_t *)text->cipher_dec_context;
2N/A CK_ULONG ulDataLen = *outputlen - MAC_SIZE;
2N/A CK_ULONG ulDigestLen = MAC_SIZE;
2N/A
2N/A rv = C_DecryptUpdate(dec_context->hSession, (CK_BYTE_PTR)input,
2N/A inputlen - MAC_SIZE, (CK_BYTE_PTR)output, &ulDataLen);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DecryptUpdate failed:0x%.8X\n", rv);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A *outputlen = (unsigned)ulDataLen;
2N/A
2N/A rv = C_DecryptUpdate(dec_context->hSession,
2N/A (CK_BYTE_PTR)input+(inputlen-MAC_SIZE), MAC_SIZE, (CK_BYTE_PTR)digest,
2N/A &ulDigestLen);
2N/A if (rv != CKR_OK || ulDigestLen != MAC_SIZE) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DecryptUpdate:0x%.8X, digestLen:%d\n",
2N/A rv, ulDigestLen);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Aenc_rc4_uef(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A CK_RV rv;
2N/A uef_context_t *enc_context =
2N/A (uef_context_t *)text->cipher_enc_context;
2N/A CK_ULONG ulDataLen = inputlen;
2N/A CK_ULONG ulDigestLen = MAC_SIZE;
2N/A
2N/A rv = C_EncryptUpdate(enc_context->hSession, (CK_BYTE_PTR)input, inputlen,
2N/A (CK_BYTE_PTR)output, &ulDataLen);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_EncryptUpdate failed: 0x%.8X "
2N/A "inputlen:%d outputlen:%d\n",
2N/A rv, inputlen, ulDataLen);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A rv = C_EncryptUpdate(enc_context->hSession, (CK_BYTE_PTR)digest, MAC_SIZE,
2N/A (CK_BYTE_PTR)output + inputlen, &ulDigestLen);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_EncryptUpdate failed: 0x%.8X ulDigestLen:%d\n",
2N/A rv, ulDigestLen);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A *outputlen = ulDataLen + ulDigestLen;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Adec_des_uef(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A CK_RV rv;
2N/A uef_context_t *dec_context =
2N/A (uef_context_t *)text->cipher_dec_context;
2N/A CK_ULONG ulDataLen = inputlen;
2N/A int padding, p;
2N/A
2N/A rv = C_DecryptUpdate(dec_context->hSession, (CK_BYTE_PTR)input,
2N/A inputlen, (CK_BYTE_PTR)output, &ulDataLen);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DecryptUpdate failed:0x%.8X\n", rv);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A if (ulDataLen != inputlen) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_DecryptUpdate unexpected data len:%d !=%d\n",
2N/A inputlen, ulDataLen);
2N/A#endif
2N/A return SASL_BUFOVER;
2N/A }
2N/A
2N/A /* now chop off the padding */
2N/A padding = output[inputlen - 11];
2N/A if (padding < 1 || padding > 8) {
2N/A /* invalid padding length */
2N/A return SASL_BADMAC;
2N/A }
2N/A /* verify all padding is correct */
2N/A for (p = 1; p <= padding; p++) {
2N/A if (output[inputlen - MAC_SIZE - p] != padding) {
2N/A return SASL_BADMAC;
2N/A }
2N/A }
2N/A
2N/A /* chop off the padding */
2N/A *outputlen = inputlen - padding - MAC_SIZE;
2N/A
2N/A /* copy in the HMAC to digest */
2N/A memcpy(digest, output + inputlen - MAC_SIZE, MAC_SIZE);
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Aenc_des_uef(context_t *text,
2N/A const char *input,
2N/A unsigned inputlen,
2N/A unsigned char digest[16],
2N/A char *output,
2N/A unsigned *outputlen)
2N/A{
2N/A CK_RV rv;
2N/A uef_context_t *enc_context =
2N/A (uef_context_t *)text->cipher_enc_context;
2N/A CK_ULONG ulDataLen;
2N/A int paddinglen;
2N/A
2N/A /* determine padding length */
2N/A paddinglen = 8 - ((inputlen + MAC_SIZE) % 8);
2N/A
2N/A /* now construct the full stuff to be ciphered */
2N/A memcpy(output, input, inputlen); /* text */
2N/A memset(output+inputlen, paddinglen, paddinglen);/* pad */
2N/A memcpy(output+inputlen+paddinglen, digest, MAC_SIZE); /* hmac */
2N/A
2N/A ulDataLen=inputlen+paddinglen+MAC_SIZE;
2N/A
2N/A rv = C_EncryptUpdate(enc_context->hSession, (CK_BYTE_PTR)output, ulDataLen,
2N/A (CK_BYTE_PTR)output, &ulDataLen);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A text->utils->log(text->utils->conn, SASL_LOG_DEBUG,
2N/A "C_EncryptUpdate failed: 0x%.8X "
2N/A "inputlen:%d outputlen:%d\n",
2N/A rv, ulDataLen, ulDataLen);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A *outputlen = (unsigned)ulDataLen;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astruct digest_cipher uef_ciphers[] =
2N/A{
2N/A { "rc4-40", 40, 5, 0x01, &enc_rc4_uef, &dec_rc4_uef, &init_rc4_uef,
2N/A &free_uef },
2N/A { "rc4-56", 56, 7, 0x02, &enc_rc4_uef, &dec_rc4_uef, &init_rc4_uef,
2N/A &free_uef },
2N/A { "rc4", 128, 16, 0x04, &enc_rc4_uef, &dec_rc4_uef, &init_rc4_uef,
2N/A &free_uef },
2N/A { "des", 55, 16, 0x08, &enc_des_uef, &dec_des_uef, &init_des_uef,
2N/A &free_uef },
2N/A { "3des", 112, 16, 0x10, &enc_des_uef, &dec_des_uef, &init_3des_uef,
2N/A &free_uef },
2N/A { NULL, 0, 0, 0, NULL, NULL, NULL, NULL }
2N/A};
2N/A
2N/Astruct digest_cipher *available_ciphers1 = uef_ciphers;
2N/A#endif /* USE_UEF */
2N/A
2N/Astatic int create_layer_keys(context_t *text,
2N/A const sasl_utils_t *utils,
2N/A HASH key, int keylen,
2N/A char enckey[16], char deckey[16])
2N/A{
2N/A MD5_CTX Md5Ctx;
2N/A
2N/A utils->MD5Init(&Md5Ctx);
2N/A utils->MD5Update(&Md5Ctx, key, keylen);
2N/A if (text->i_am == SERVER) {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *) SEALING_SERVER_CLIENT,
2N/A strlen(SEALING_SERVER_CLIENT));
2N/A } else {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *) SEALING_CLIENT_SERVER,
2N/A strlen(SEALING_CLIENT_SERVER));
2N/A }
2N/A utils->MD5Final((unsigned char *) enckey, &Md5Ctx);
2N/A
2N/A utils->MD5Init(&Md5Ctx);
2N/A utils->MD5Update(&Md5Ctx, key, keylen);
2N/A if (text->i_am != SERVER) {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *)SEALING_SERVER_CLIENT,
2N/A strlen(SEALING_SERVER_CLIENT));
2N/A } else {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *)SEALING_CLIENT_SERVER,
2N/A strlen(SEALING_CLIENT_SERVER));
2N/A }
2N/A utils->MD5Final((unsigned char *) deckey, &Md5Ctx);
2N/A
2N/A /* create integrity keys */
2N/A /* sending */
2N/A utils->MD5Init(&Md5Ctx);
2N/A utils->MD5Update(&Md5Ctx, text->HA1, HASHLEN);
2N/A if (text->i_am == SERVER) {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *)SIGNING_SERVER_CLIENT,
2N/A strlen(SIGNING_SERVER_CLIENT));
2N/A } else {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *)SIGNING_CLIENT_SERVER,
2N/A strlen(SIGNING_CLIENT_SERVER));
2N/A }
2N/A utils->MD5Final(text->Ki_send, &Md5Ctx);
2N/A
2N/A /* receiving */
2N/A utils->MD5Init(&Md5Ctx);
2N/A utils->MD5Update(&Md5Ctx, text->HA1, HASHLEN);
2N/A if (text->i_am != SERVER) {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *)SIGNING_SERVER_CLIENT,
2N/A strlen(SIGNING_SERVER_CLIENT));
2N/A } else {
2N/A utils->MD5Update(&Md5Ctx, (const unsigned char *)SIGNING_CLIENT_SERVER,
2N/A strlen(SIGNING_CLIENT_SERVER));
2N/A }
2N/A utils->MD5Final(text->Ki_receive, &Md5Ctx);
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic const unsigned short version = 1;
2N/A
2N/A/* len, CIPHER(Kc, {msg, pag, HMAC(ki, {SeqNum, msg})[0..9]}), x0001, SeqNum */
2N/A
2N/Astatic int
2N/Adigestmd5_privacy_encode(void *context,
2N/A const struct iovec *invec,
2N/A unsigned numiov,
2N/A const char **output,
2N/A unsigned *outputlen)
2N/A{
2N/A context_t *text = (context_t *) context;
2N/A int tmp;
2N/A unsigned int tmpnum;
2N/A unsigned short int tmpshort;
2N/A int ret;
2N/A char *out;
2N/A unsigned char digest[16];
2N/A struct buffer_info *inblob, bufinfo;
2N/A
2N/A if(!context || !invec || !numiov || !output || !outputlen) {
2N/A PARAMERROR(text->utils);
2N/A return SASL_BADPARAM;
2N/A }
2N/A
2N/A if (numiov > 1) {
2N/A ret = _plug_iovec_to_buf(text->utils, invec, numiov, &text->enc_in_buf);
2N/A if (ret != SASL_OK) return ret;
2N/A inblob = text->enc_in_buf;
2N/A } else {
2N/A /* avoid the data copy */
2N/A bufinfo.data = invec[0].iov_base;
2N/A bufinfo.curlen = invec[0].iov_len;
2N/A inblob = &bufinfo;
2N/A }
2N/A
2N/A /* make sure the output buffer is big enough for this blob */
2N/A ret = _plug_buf_alloc(text->utils, &(text->encode_buf),
2N/A &(text->encode_buf_len),
2N/A (4 + /* for length */
2N/A inblob->curlen + /* for content */
2N/A 10 + /* for MAC */
2N/A 8 + /* maximum pad */
2N/A 6 + /* for padding */
2N/A 1)); /* trailing null */
2N/A if(ret != SASL_OK) return ret;
2N/A
2N/A /* skip by the length for now */
2N/A out = (text->encode_buf)+4;
2N/A
2N/A /* construct (seqnum, msg) */
2N/A /* We can just use the output buffer because it's big enough */
2N/A tmpnum = htonl(text->seqnum);
2N/A memcpy(text->encode_buf, &tmpnum, 4);
2N/A memcpy(text->encode_buf + 4, inblob->data, inblob->curlen);
2N/A
2N/A /* HMAC(ki, (seqnum, msg) ) */
2N/A text->utils->hmac_md5((const unsigned char *) text->encode_buf,
2N/A inblob->curlen + 4,
2N/A text->Ki_send, HASHLEN, digest);
2N/A
2N/A /* calculate the encrypted part */
2N/A text->cipher_enc(text, inblob->data, inblob->curlen,
2N/A digest, out, outputlen);
2N/A out+=(*outputlen);
2N/A
2N/A /* copy in version */
2N/A tmpshort = htons(version);
2N/A memcpy(out, &tmpshort, 2); /* 2 bytes = version */
2N/A
2N/A out+=2;
2N/A (*outputlen)+=2; /* for version */
2N/A
2N/A /* put in seqnum */
2N/A tmpnum = htonl(text->seqnum);
2N/A memcpy(out, &tmpnum, 4); /* 4 bytes = seq # */
2N/A
2N/A (*outputlen)+=4; /* for seqnum */
2N/A
2N/A /* put the 1st 4 bytes in */
2N/A tmp=htonl(*outputlen);
2N/A memcpy(text->encode_buf, &tmp, 4);
2N/A
2N/A (*outputlen)+=4;
2N/A
2N/A *output = text->encode_buf;
2N/A text->seqnum++;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_privacy_decode_once(void *context,
2N/A const char **input,
2N/A unsigned *inputlen,
2N/A char **output,
2N/A unsigned *outputlen)
2N/A{
2N/A context_t *text = (context_t *) context;
2N/A unsigned int tocopy;
2N/A unsigned diff;
2N/A int result;
2N/A unsigned char digest[16];
2N/A int tmpnum;
2N/A int lup;
2N/A
2N/A if (text->needsize>0) /* 4 bytes for how long message is */
2N/A {
2N/A /* if less than 4 bytes just copy those we have into text->size */
2N/A if (*inputlen<4)
2N/A tocopy=*inputlen;
2N/A else
2N/A tocopy=4;
2N/A
2N/A if (tocopy>text->needsize)
2N/A tocopy=text->needsize;
2N/A
2N/A memcpy(text->sizebuf+4-text->needsize, *input, tocopy);
2N/A text->needsize-=tocopy;
2N/A
2N/A *input+=tocopy;
2N/A *inputlen-=tocopy;
2N/A
2N/A if (text->needsize==0) /* got all of size */
2N/A {
2N/A memcpy(&(text->size), text->sizebuf, 4);
2N/A text->cursize=0;
2N/A text->size=ntohl(text->size);
2N/A
2N/A if (text->size > text->in_maxbuf) {
2N/A return SASL_FAIL; /* too big probably error */
2N/A }
2N/A
2N/A if(!text->buffer)
2N/A text->buffer=text->utils->malloc(text->size+5);
2N/A else
2N/A text->buffer=text->utils->realloc(text->buffer,
2N/A text->size+5);
2N/A if (text->buffer == NULL) return SASL_NOMEM;
2N/A }
2N/A
2N/A *outputlen=0;
2N/A *output=NULL;
2N/A if (*inputlen==0) /* have to wait until next time for data */
2N/A return SASL_OK;
2N/A
2N/A if (text->size==0) /* should never happen */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A diff=text->size - text->cursize; /* bytes need for full message */
2N/A
2N/A if (! text->buffer)
2N/A return SASL_FAIL;
2N/A
2N/A if (*inputlen < diff) /* not enough for a decode */
2N/A {
2N/A memcpy(text->buffer+text->cursize, *input, *inputlen);
2N/A text->cursize+=*inputlen;
2N/A *inputlen=0;
2N/A *outputlen=0;
2N/A *output=NULL;
2N/A return SASL_OK;
2N/A } else {
2N/A memcpy(text->buffer+text->cursize, *input, diff);
2N/A *input+=diff;
2N/A *inputlen-=diff;
2N/A }
2N/A
2N/A {
2N/A unsigned short ver;
2N/A unsigned int seqnum;
2N/A unsigned char checkdigest[16];
2N/A
2N/A result = _plug_buf_alloc(text->utils, &text->decode_once_buf,
2N/A &text->decode_once_buf_len,
2N/A text->size-6);
2N/A if (result != SASL_OK)
2N/A return result;
2N/A
2N/A *output = text->decode_once_buf;
2N/A *outputlen = *inputlen;
2N/A
2N/A result=text->cipher_dec(text,text->buffer,text->size-6,digest,
2N/A *output, outputlen);
2N/A
2N/A if (result!=SASL_OK)
2N/A return result;
2N/A
2N/A {
2N/A int i;
2N/A for(i=10; i; i--) {
2N/A memcpy(&ver, text->buffer+text->size-i,2);
2N/A ver=ntohs(ver);
2N/A }
2N/A }
2N/A
2N/A /* check the version number */
2N/A memcpy(&ver, text->buffer+text->size-6, 2);
2N/A ver=ntohs(ver);
2N/A if (ver != version)
2N/A {
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A text->utils->seterror(text->utils->conn, 0,
2N/A gettext("Wrong Version"));
2N/A#else
2N/A text->utils->seterror(text->utils->conn, 0, "Wrong Version");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A /* check the CMAC */
2N/A
2N/A /* construct (seqnum, msg) */
2N/A result = _plug_buf_alloc(text->utils, &text->decode_tmp_buf,
2N/A &text->decode_tmp_buf_len, *outputlen + 4);
2N/A if(result != SASL_OK) return result;
2N/A
2N/A tmpnum = htonl(text->rec_seqnum);
2N/A memcpy(text->decode_tmp_buf, &tmpnum, 4);
2N/A memcpy(text->decode_tmp_buf + 4, *output, *outputlen);
2N/A
2N/A /* HMAC(ki, (seqnum, msg) ) */
2N/A text->utils->hmac_md5((const unsigned char *) text->decode_tmp_buf,
2N/A (*outputlen) + 4,
2N/A text->Ki_receive, HASHLEN, checkdigest);
2N/A
2N/A /* now check it */
2N/A for (lup=0;lup<10;lup++)
2N/A if (checkdigest[lup]!=digest[lup])
2N/A {
2N/A#ifdef _SUN_SDK_
2N/A text->utils->log(text->utils->conn, SASL_LOG_ERR,
2N/A "CMAC doesn't match at byte %d!", lup);
2N/A return SASL_BADMAC;
2N/A#else
2N/A text->utils->seterror(text->utils->conn, 0,
2N/A "CMAC doesn't match at byte %d!", lup);
2N/A return SASL_FAIL;
2N/A#endif /* _SUN_SDK_ */
2N/A }
2N/A
2N/A /* check the sequence number */
2N/A memcpy(&seqnum, text->buffer+text->size-4,4);
2N/A seqnum=ntohl(seqnum);
2N/A
2N/A if (seqnum!=text->rec_seqnum)
2N/A {
2N/A#ifdef _SUN_SDK_
2N/A text->utils->log(text->utils->conn, SASL_LOG_ERR,
2N/A "Incorrect Sequence Number");
2N/A#else
2N/A text->utils->seterror(text->utils->conn, 0,
2N/A "Incorrect Sequence Number");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A text->rec_seqnum++; /* now increment it */
2N/A }
2N/A
2N/A text->needsize=4;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int digestmd5_privacy_decode(void *context,
2N/A const char *input, unsigned inputlen,
2N/A const char **output, unsigned *outputlen)
2N/A{
2N/A context_t *text = (context_t *) context;
2N/A int ret;
2N/A
2N/A ret = _plug_decode(text->utils, context, input, inputlen,
2N/A &text->decode_buf, &text->decode_buf_len, outputlen,
2N/A digestmd5_privacy_decode_once);
2N/A
2N/A *output = text->decode_buf;
2N/A
2N/A return ret;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_integrity_encode(void *context,
2N/A const struct iovec *invec,
2N/A unsigned numiov,
2N/A const char **output,
2N/A unsigned *outputlen)
2N/A{
2N/A context_t *text = (context_t *) context;
2N/A unsigned char MAC[16];
2N/A unsigned int tmpnum;
2N/A unsigned short int tmpshort;
2N/A struct buffer_info *inblob, bufinfo;
2N/A int ret;
2N/A
2N/A if(!context || !invec || !numiov || !output || !outputlen) {
2N/A PARAMERROR( text->utils );
2N/A return SASL_BADPARAM;
2N/A }
2N/A
2N/A if (numiov > 1) {
2N/A ret = _plug_iovec_to_buf(text->utils, invec, numiov,
2N/A &text->enc_in_buf);
2N/A if (ret != SASL_OK) return ret;
2N/A inblob = text->enc_in_buf;
2N/A } else {
2N/A /* avoid the data copy */
2N/A bufinfo.data = invec[0].iov_base;
2N/A bufinfo.curlen = invec[0].iov_len;
2N/A inblob = &bufinfo;
2N/A }
2N/A
2N/A /* construct output */
2N/A *outputlen = 4 + inblob->curlen + 16;
2N/A
2N/A ret = _plug_buf_alloc(text->utils, &(text->encode_buf),
2N/A &(text->encode_buf_len), *outputlen);
2N/A if(ret != SASL_OK) return ret;
2N/A
2N/A /* construct (seqnum, msg) */
2N/A /* we can just use the output buffer */
2N/A tmpnum = htonl(text->seqnum);
2N/A memcpy(text->encode_buf, &tmpnum, 4);
2N/A memcpy(text->encode_buf + 4, inblob->data, inblob->curlen);
2N/A
2N/A /* HMAC(ki, (seqnum, msg) ) */
2N/A#ifdef _SUN_SDK_
2N/A text->utils->hmac_md5((unsigned char *)text->encode_buf,
2N/A inblob->curlen + 4,
2N/A text->Ki_send, HASHLEN, MAC);
2N/A#else
2N/A text->utils->hmac_md5(text->encode_buf, inblob->curlen + 4,
2N/A text->Ki_send, HASHLEN, MAC);
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /* create MAC */
2N/A tmpshort = htons(version);
2N/A memcpy(MAC + 10, &tmpshort, MAC_OFFS); /* 2 bytes = version */
2N/A
2N/A tmpnum = htonl(text->seqnum);
2N/A memcpy(MAC + 12, &tmpnum, 4); /* 4 bytes = sequence number */
2N/A
2N/A /* copy into output */
2N/A tmpnum = htonl((*outputlen) - 4);
2N/A
2N/A /* length of message in network byte order */
2N/A memcpy(text->encode_buf, &tmpnum, 4);
2N/A /* the message text */
2N/A memcpy(text->encode_buf + 4, inblob->data, inblob->curlen);
2N/A /* the MAC */
2N/A memcpy(text->encode_buf + 4 + inblob->curlen, MAC, 16);
2N/A
2N/A text->seqnum++; /* add one to sequence number */
2N/A
2N/A *output = text->encode_buf;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Acreate_MAC(context_t * text,
2N/A char *input,
2N/A int inputlen,
2N/A int seqnum,
2N/A unsigned char MAC[16])
2N/A{
2N/A unsigned int tmpnum;
2N/A unsigned short int tmpshort;
2N/A int ret;
2N/A
2N/A if (inputlen < 0)
2N/A return SASL_FAIL;
2N/A
2N/A ret = _plug_buf_alloc(text->utils, &(text->MAC_buf),
2N/A &(text->MAC_buf_len), inputlen + 4);
2N/A if(ret != SASL_OK) return ret;
2N/A
2N/A /* construct (seqnum, msg) */
2N/A tmpnum = htonl(seqnum);
2N/A memcpy(text->MAC_buf, &tmpnum, 4);
2N/A memcpy(text->MAC_buf + 4, input, inputlen);
2N/A
2N/A /* HMAC(ki, (seqnum, msg) ) */
2N/A#ifdef _SUN_SDK_
2N/A text->utils->hmac_md5((unsigned char *)text->MAC_buf, inputlen + 4,
2N/A text->Ki_receive, HASHLEN,
2N/A MAC);
2N/A#else
2N/A text->utils->hmac_md5(text->MAC_buf, inputlen + 4,
2N/A text->Ki_receive, HASHLEN,
2N/A MAC);
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /* create MAC */
2N/A tmpshort = htons(version);
2N/A memcpy(MAC + 10, &tmpshort, 2); /* 2 bytes = version */
2N/A
2N/A tmpnum = htonl(seqnum);
2N/A memcpy(MAC + 12, &tmpnum, 4); /* 4 bytes = sequence number */
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Acheck_integrity(context_t * text,
2N/A char *buf, int bufsize,
2N/A char **output, unsigned *outputlen)
2N/A{
2N/A unsigned char MAC[16];
2N/A int result;
2N/A
2N/A result = create_MAC(text, buf, bufsize - 16, text->rec_seqnum, MAC);
2N/A if (result != SASL_OK)
2N/A return result;
2N/A
2N/A /* make sure the MAC is right */
2N/A if (strncmp((char *) MAC, buf + bufsize - 16, 16) != 0)
2N/A {
2N/A#ifdef _SUN_SDK_
2N/A text->utils->log(text->utils->conn, SASL_LOG_ERR,
2N/A "MAC doesn't match");
2N/A return SASL_BADMAC;
2N/A#else
2N/A text->utils->seterror(text->utils->conn, 0, "MAC doesn't match");
2N/A return SASL_FAIL;
2N/A#endif /* _SUN_SDK_ */
2N/A }
2N/A
2N/A text->rec_seqnum++;
2N/A
2N/A /* ok make output message */
2N/A result = _plug_buf_alloc(text->utils, &text->decode_once_buf,
2N/A &text->decode_once_buf_len,
2N/A bufsize - 15);
2N/A if (result != SASL_OK)
2N/A return result;
2N/A
2N/A *output = text->decode_once_buf;
2N/A memcpy(*output, buf, bufsize - 16);
2N/A *outputlen = bufsize - 16;
2N/A (*output)[*outputlen] = 0;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_integrity_decode_once(void *context,
2N/A const char **input,
2N/A unsigned *inputlen,
2N/A char **output,
2N/A unsigned *outputlen)
2N/A{
2N/A context_t *text = (context_t *) context;
2N/A unsigned int tocopy;
2N/A unsigned diff;
2N/A int result;
2N/A
2N/A if (text->needsize > 0) { /* 4 bytes for how long message is */
2N/A /*
2N/A * if less than 4 bytes just copy those we have into text->size
2N/A */
2N/A if (*inputlen < 4)
2N/A tocopy = *inputlen;
2N/A else
2N/A tocopy = 4;
2N/A
2N/A if (tocopy > text->needsize)
2N/A tocopy = text->needsize;
2N/A
2N/A memcpy(text->sizebuf + 4 - text->needsize, *input, tocopy);
2N/A text->needsize -= tocopy;
2N/A
2N/A *input += tocopy;
2N/A *inputlen -= tocopy;
2N/A
2N/A if (text->needsize == 0) { /* got all of size */
2N/A memcpy(&(text->size), text->sizebuf, 4);
2N/A text->cursize = 0;
2N/A text->size = ntohl(text->size);
2N/A
2N/A if (text->size > text->in_maxbuf)
2N/A return SASL_FAIL; /* too big probably error */
2N/A
2N/A if(!text->buffer)
2N/A text->buffer=text->utils->malloc(text->size+5);
2N/A else
2N/A text->buffer=text->utils->realloc(text->buffer,text->size+5);
2N/A if (text->buffer == NULL) return SASL_NOMEM;
2N/A }
2N/A *outputlen = 0;
2N/A *output = NULL;
2N/A if (*inputlen == 0) /* have to wait until next time for data */
2N/A return SASL_OK;
2N/A
2N/A if (text->size == 0) /* should never happen */
2N/A return SASL_FAIL;
2N/A }
2N/A diff = text->size - text->cursize; /* bytes need for full message */
2N/A
2N/A if(! text->buffer)
2N/A return SASL_FAIL;
2N/A
2N/A if (*inputlen < diff) { /* not enough for a decode */
2N/A memcpy(text->buffer + text->cursize, *input, *inputlen);
2N/A text->cursize += *inputlen;
2N/A *inputlen = 0;
2N/A *outputlen = 0;
2N/A *output = NULL;
2N/A return SASL_OK;
2N/A } else {
2N/A memcpy(text->buffer + text->cursize, *input, diff);
2N/A *input += diff;
2N/A *inputlen -= diff;
2N/A }
2N/A
2N/A result = check_integrity(text, text->buffer, text->size,
2N/A output, outputlen);
2N/A if (result != SASL_OK)
2N/A return result;
2N/A
2N/A /* Reset State */
2N/A text->needsize = 4;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int digestmd5_integrity_decode(void *context,
2N/A const char *input, unsigned inputlen,
2N/A const char **output, unsigned *outputlen)
2N/A{
2N/A context_t *text = (context_t *) context;
2N/A int ret;
2N/A
2N/A ret = _plug_decode(text->utils, context, input, inputlen,
2N/A &text->decode_buf, &text->decode_buf_len, outputlen,
2N/A digestmd5_integrity_decode_once);
2N/A
2N/A *output = text->decode_buf;
2N/A
2N/A return ret;
2N/A}
2N/A
2N/Astatic void
2N/Adigestmd5_common_mech_dispose(void *conn_context, const sasl_utils_t *utils)
2N/A{
2N/A context_t *text = (context_t *) conn_context;
2N/A
2N/A if (!text || !utils) return;
2N/A
2N/A if (text->authid) utils->free(text->authid);
2N/A if (text->realm) utils->free(text->realm);
2N/A if (text->nonce) utils->free(text->nonce);
2N/A if (text->cnonce) utils->free(text->cnonce);
2N/A
2N/A if (text->cipher_free) text->cipher_free(text);
2N/A
2N/A /* free the stuff in the context */
2N/A if (text->response_value) utils->free(text->response_value);
2N/A
2N/A if (text->buffer) utils->free(text->buffer);
2N/A if (text->encode_buf) utils->free(text->encode_buf);
2N/A if (text->decode_buf) utils->free(text->decode_buf);
2N/A if (text->decode_once_buf) utils->free(text->decode_once_buf);
2N/A if (text->decode_tmp_buf) utils->free(text->decode_tmp_buf);
2N/A if (text->out_buf) utils->free(text->out_buf);
2N/A if (text->MAC_buf) utils->free(text->MAC_buf);
2N/A
2N/A if (text->enc_in_buf) {
2N/A if (text->enc_in_buf->data) utils->free(text->enc_in_buf->data);
2N/A utils->free(text->enc_in_buf);
2N/A }
2N/A
2N/A utils->free(conn_context);
2N/A}
2N/A
2N/Astatic void
2N/Aclear_reauth_entry(reauth_entry_t *reauth, enum Context_type type,
2N/A const sasl_utils_t *utils)
2N/A{
2N/A if (!reauth) return;
2N/A
2N/A if (reauth->authid) utils->free(reauth->authid);
2N/A if (reauth->realm) utils->free(reauth->realm);
2N/A if (reauth->nonce) utils->free(reauth->nonce);
2N/A if (reauth->cnonce) utils->free(reauth->cnonce);
2N/A
2N/A if (type == CLIENT) {
2N/A if (reauth->u.c.serverFQDN) utils->free(reauth->u.c.serverFQDN);
2N/A }
2N/A
2N/A memset(reauth, 0, sizeof(reauth_entry_t));
2N/A}
2N/A
2N/Astatic void
2N/Adigestmd5_common_mech_free(void *glob_context, const sasl_utils_t *utils)
2N/A{
2N/A reauth_cache_t *reauth_cache = (reauth_cache_t *) glob_context;
2N/A size_t n;
2N/A
2N/A if (!reauth_cache) return;
2N/A
2N/A for (n = 0; n < reauth_cache->size; n++)
2N/A clear_reauth_entry(&reauth_cache->e[n], reauth_cache->i_am, utils);
2N/A if (reauth_cache->e) utils->free(reauth_cache->e);
2N/A
2N/A if (reauth_cache->mutex) utils->mutex_free(reauth_cache->mutex);
2N/A
2N/A utils->free(reauth_cache);
2N/A}
2N/A
2N/A/***************************** Server Section *****************************/
2N/A
2N/Atypedef struct server_context {
2N/A context_t common;
2N/A
2N/A time_t timestamp;
2N/A int stale; /* last nonce is stale */
2N/A sasl_ssf_t limitssf, requiressf; /* application defined bounds */
2N/A} server_context_t;
2N/A
2N/Astatic void
2N/ADigestCalcHA1FromSecret(context_t * text,
2N/A const sasl_utils_t * utils,
2N/A HASH HA1,
2N/A unsigned char *authorization_id,
2N/A unsigned char *pszNonce,
2N/A unsigned char *pszCNonce,
2N/A HASHHEX SessionKey)
2N/A{
2N/A MD5_CTX Md5Ctx;
2N/A
2N/A /* calculate session key */
2N/A utils->MD5Init(&Md5Ctx);
2N/A utils->MD5Update(&Md5Ctx, HA1, HASHLEN);
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszNonce, strlen((char *) pszNonce));
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszCNonce, strlen((char *) pszCNonce));
2N/A if (authorization_id != NULL) {
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, authorization_id, strlen((char *) authorization_id));
2N/A }
2N/A utils->MD5Final(HA1, &Md5Ctx);
2N/A
2N/A CvtHex(HA1, SessionKey);
2N/A
2N/A
2N/A /* save HA1 because we need it to make the privacy and integrity keys */
2N/A memcpy(text->HA1, HA1, sizeof(HASH));
2N/A}
2N/A
2N/Astatic char *create_response(context_t * text,
2N/A const sasl_utils_t * utils,
2N/A unsigned char *nonce,
2N/A unsigned int ncvalue,
2N/A unsigned char *cnonce,
2N/A char *qop,
2N/A char *digesturi,
2N/A HASH Secret,
2N/A char *authorization_id,
2N/A char **response_value)
2N/A{
2N/A HASHHEX SessionKey;
2N/A HASHHEX HEntity = "00000000000000000000000000000000";
2N/A HASHHEX Response;
2N/A char *result;
2N/A
2N/A if (qop == NULL)
2N/A qop = "auth";
2N/A
2N/A DigestCalcHA1FromSecret(text,
2N/A utils,
2N/A Secret,
2N/A (unsigned char *) authorization_id,
2N/A nonce,
2N/A cnonce,
2N/A SessionKey);
2N/A
2N/A DigestCalcResponse(utils,
2N/A SessionKey,/* H(A1) */
2N/A nonce, /* nonce from server */
2N/A ncvalue, /* 8 hex digits */
2N/A cnonce, /* client nonce */
2N/A (unsigned char *) qop, /* qop-value: "", "auth",
2N/A * "auth-int" */
2N/A (unsigned char *) digesturi, /* requested URL */
2N/A (unsigned char *) "AUTHENTICATE",
2N/A HEntity, /* H(entity body) if qop="auth-int" */
2N/A Response /* request-digest or response-digest */
2N/A );
2N/A
2N/A result = utils->malloc(HASHHEXLEN + 1);
2N/A#ifdef _SUN_SDK_
2N/A if (result == NULL)
2N/A return NULL;
2N/A#endif /* _SUN_SDK_ */
2N/A/* TODO */
2N/A memcpy(result, Response, HASHHEXLEN);
2N/A result[HASHHEXLEN] = 0;
2N/A
2N/A /* response_value (used for reauth i think */
2N/A if (response_value != NULL) {
2N/A DigestCalcResponse(utils,
2N/A SessionKey, /* H(A1) */
2N/A nonce, /* nonce from server */
2N/A ncvalue, /* 8 hex digits */
2N/A cnonce, /* client nonce */
2N/A (unsigned char *) qop, /* qop-value: "", "auth",
2N/A * "auth-int" */
2N/A (unsigned char *) digesturi, /* requested URL */
2N/A NULL,
2N/A HEntity, /* H(entity body) if qop="auth-int" */
2N/A Response /* request-digest or response-digest */
2N/A );
2N/A
2N/A *response_value = utils->malloc(HASHHEXLEN + 1);
2N/A if (*response_value == NULL)
2N/A return NULL;
2N/A memcpy(*response_value, Response, HASHHEXLEN);
2N/A (*response_value)[HASHHEXLEN] = 0;
2N/A }
2N/A return result;
2N/A}
2N/A
2N/Astatic int
2N/Aget_server_realm(sasl_server_params_t * params,
2N/A char **realm)
2N/A{
2N/A /* look at user realm first */
2N/A if (params->user_realm != NULL) {
2N/A if(params->user_realm[0] != '\0') {
2N/A *realm = (char *) params->user_realm;
2N/A } else {
2N/A /* Catch improperly converted apps */
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "user_realm is an empty string!");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "user_realm is an empty string!");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_BADPARAM;
2N/A }
2N/A } else if (params->serverFQDN != NULL) {
2N/A *realm = (char *) params->serverFQDN;
2N/A } else {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "no way to obtain domain");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "no way to obtain domain");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/A/*
2N/A * Convert hex string to int
2N/A */
2N/Astatic int htoi(unsigned char *hexin, unsigned int *res)
2N/A{
2N/A int lup, inlen;
2N/A inlen = strlen((char *) hexin);
2N/A
2N/A *res = 0;
2N/A for (lup = 0; lup < inlen; lup++) {
2N/A switch (hexin[lup]) {
2N/A case '0':
2N/A case '1':
2N/A case '2':
2N/A case '3':
2N/A case '4':
2N/A case '5':
2N/A case '6':
2N/A case '7':
2N/A case '8':
2N/A case '9':
2N/A *res = (*res << 4) + (hexin[lup] - '0');
2N/A break;
2N/A
2N/A case 'a':
2N/A case 'b':
2N/A case 'c':
2N/A case 'd':
2N/A case 'e':
2N/A case 'f':
2N/A *res = (*res << 4) + (hexin[lup] - 'a' + 10);
2N/A break;
2N/A
2N/A case 'A':
2N/A case 'B':
2N/A case 'C':
2N/A case 'D':
2N/A case 'E':
2N/A case 'F':
2N/A *res = (*res << 4) + (hexin[lup] - 'A' + 10);
2N/A break;
2N/A
2N/A default:
2N/A return SASL_BADPARAM;
2N/A }
2N/A
2N/A }
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int digestmd5_server_mech_new(void *glob_context,
2N/A sasl_server_params_t * sparams,
2N/A const char *challenge __attribute__((unused)),
2N/A unsigned challen __attribute__((unused)),
2N/A void **conn_context)
2N/A{
2N/A context_t *text;
2N/A
2N/A /* holds state are in -- allocate server size */
2N/A text = sparams->utils->malloc(sizeof(server_context_t));
2N/A if (text == NULL)
2N/A return SASL_NOMEM;
2N/A memset(text, 0, sizeof(server_context_t));
2N/A
2N/A text->state = 1;
2N/A text->i_am = SERVER;
2N/A text->reauth = glob_context;
2N/A
2N/A *conn_context = text;
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_server_mech_step1(server_context_t *stext,
2N/A sasl_server_params_t *sparams,
2N/A const char *clientin __attribute__((unused)),
2N/A unsigned clientinlen __attribute__((unused)),
2N/A const char **serverout,
2N/A unsigned *serveroutlen,
2N/A sasl_out_params_t * oparams __attribute__((unused)))
2N/A{
2N/A context_t *text = (context_t *) stext;
2N/A int result;
2N/A char *realm;
2N/A unsigned char *nonce;
2N/A char *charset = "utf-8";
2N/A char qop[1024], cipheropts[1024];
2N/A struct digest_cipher *cipher;
2N/A unsigned resplen;
2N/A int added_conf = 0;
2N/A char maxbufstr[64];
2N/A
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 server step 1");
2N/A
2N/A /* get realm */
2N/A result = get_server_realm(sparams, &realm);
2N/A if(result != SASL_OK) return result;
2N/A
2N/A /* what options should we offer the client? */
2N/A qop[0] = '\0';
2N/A cipheropts[0] = '\0';
2N/A if (stext->requiressf == 0) {
2N/A if (*qop) strcat(qop, ",");
2N/A strcat(qop, "auth");
2N/A }
2N/A if (stext->requiressf <= 1 && stext->limitssf >= 1) {
2N/A if (*qop) strcat(qop, ",");
2N/A strcat(qop, "auth-int");
2N/A }
2N/A
2N/A#ifdef USE_UEF_SERVER
2N/A cipher = available_ciphers1;
2N/A#else
2N/A cipher = available_ciphers;
2N/A#endif
2N/A while (cipher->name) {
2N/A /* do we allow this particular cipher? */
2N/A if (stext->requiressf <= cipher->ssf &&
2N/A stext->limitssf >= cipher->ssf) {
2N/A if (!added_conf) {
2N/A if (*qop) strcat(qop, ",");
2N/A strcat(qop, "auth-conf");
2N/A added_conf = 1;
2N/A }
2N/A#ifdef _SUN_SDK_
2N/A if(strlen(cipheropts) + strlen(cipher->name) + 1 >=
2N/A sizeof (cipheropts)) {
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: cipheropts too big");
2N/A return SASL_FAIL;
2N/A }
2N/A#endif /* _SUN_SDK_ */
2N/A if (*cipheropts) strcat(cipheropts, ",");
2N/A strcat(cipheropts, cipher->name);
2N/A }
2N/A cipher++;
2N/A }
2N/A
2N/A if (*qop == '\0') {
2N/A /* we didn't allow anything?!? we'll return SASL_TOOWEAK, since
2N/A that's close enough */
2N/A return SASL_TOOWEAK;
2N/A }
2N/A
2N/A /*
2N/A * digest-challenge = 1#( realm | nonce | qop-options | stale | maxbuf |
2N/A * charset | cipher-opts | auth-param )
2N/A */
2N/A
2N/A#ifndef _SUN_SDK_
2N/A /* FIXME: get nonce XXX have to clean up after self if fail */
2N/A#endif /* !_SUN_SDK_ */
2N/A nonce = create_nonce(sparams->utils);
2N/A if (nonce == NULL) {
2N/A#ifdef _SUN_SDK_
2N/A /* Note typo below */
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: failed creating a nonce");
2N/A#else
2N/A SETERROR(sparams->utils, "internal erorr: failed creating a nonce");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A#ifdef _SUN_SDK_
2N/A resplen = strlen((char *)nonce) + strlen("nonce") + 5;
2N/A#else
2N/A resplen = strlen(nonce) + strlen("nonce") + 5;
2N/A#endif /* _SUN_SDK_ */
2N/A result = _plug_buf_alloc(sparams->utils, &(text->out_buf),
2N/A &(text->out_buf_len), resplen);
2N/A#ifdef _SUN_SDK_
2N/A if(result != SASL_OK) {
2N/A sparams->utils->free(nonce);
2N/A return result;
2N/A }
2N/A#else
2N/A if(result != SASL_OK) return result;
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A sprintf(text->out_buf, "nonce=\"%s\"", nonce);
2N/A
2N/A /* add to challenge; if we chose not to specify a realm, we won't
2N/A * send one to the client */
2N/A if (realm && add_to_challenge(sparams->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "realm", (unsigned char *) realm,
2N/A TRUE) != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge failed");
2N/A sparams->utils->free(nonce);
2N/A#else
2N/A SETERROR(sparams->utils, "internal error: add_to_challenge failed");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A /*
2N/A * qop-options A quoted string of one or more tokens indicating the
2N/A * "quality of protection" values supported by the server. The value
2N/A * "auth" indicates authentication; the value "auth-int" indicates
2N/A * authentication with integrity protection; the value "auth-conf"
2N/A * indicates authentication with integrity protection and encryption.
2N/A */
2N/A
2N/A /* add qop to challenge */
2N/A if (add_to_challenge(sparams->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "qop",
2N/A (unsigned char *) qop, TRUE) != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge 3 failed");
2N/A sparams->utils->free(nonce);
2N/A#else
2N/A SETERROR(sparams->utils, "internal error: add_to_challenge 3 failed");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A /*
2N/A * Cipheropts - list of ciphers server supports
2N/A */
2N/A /* add cipher-opts to challenge; only add if there are some */
2N/A if (strcmp(cipheropts,"")!=0)
2N/A {
2N/A if (add_to_challenge(sparams->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "cipher", (unsigned char *) cipheropts,
2N/A TRUE) != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge 4 failed");
2N/A sparams->utils->free(nonce);
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "internal error: add_to_challenge 4 failed");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A }
2N/A
2N/A /* "stale" is true if a reauth failed because of a nonce timeout */
2N/A if (stext->stale &&
2N/A add_to_challenge(sparams->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A#ifdef _SUN_SDK_
2N/A "stale", (unsigned char *)"true", FALSE) != SASL_OK) {
2N/A sparams->utils->free(nonce);
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge failed");
2N/A#else
2N/A "stale", "true", FALSE) != SASL_OK) {
2N/A SETERROR(sparams->utils, "internal error: add_to_challenge failed");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A /*
2N/A * maxbuf A number indicating the size of the largest buffer the server
2N/A * is able to receive when using "auth-int". If this directive is
2N/A * missing, the default value is 65536. This directive may appear at most
2N/A * once; if multiple instances are present, the client should abort the
2N/A * authentication exchange.
2N/A */
2N/A if(sparams->props.maxbufsize) {
2N/A snprintf(maxbufstr, sizeof(maxbufstr), "%d",
2N/A sparams->props.maxbufsize);
2N/A if (add_to_challenge(sparams->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "maxbuf",
2N/A (unsigned char *) maxbufstr, FALSE) != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge 5 failed");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "internal error: add_to_challenge 5 failed");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A }
2N/A
2N/A
2N/A if (add_to_challenge(sparams->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "charset",
2N/A (unsigned char *) charset, FALSE) != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge 6 failed");
2N/A sparams->utils->free(nonce);
2N/A#else
2N/A SETERROR(sparams->utils, "internal error: add_to_challenge 6 failed");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A
2N/A /*
2N/A * algorithm
2N/A * This directive is required for backwards compatibility with HTTP
2N/A * Digest., which supports other algorithms. . This directive is
2N/A * required and MUST appear exactly once; if not present, or if multiple
2N/A * instances are present, the client should abort the authentication
2N/A * exchange.
2N/A *
2N/A * algorithm = "algorithm" "=" "md5-sess"
2N/A */
2N/A
2N/A if (add_to_challenge(sparams->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "algorithm",
2N/A (unsigned char *) "md5-sess", FALSE)!=SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge 7 failed");
2N/A sparams->utils->free(nonce);
2N/A#else
2N/A SETERROR(sparams->utils, "internal error: add_to_challenge 7 failed");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A /*
2N/A * The size of a digest-challenge MUST be less than 2048 bytes!!!
2N/A */
2N/A if (*serveroutlen > 2048) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->free(nonce);
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "internal error: challenge larger than 2048 bytes");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "internal error: challenge larger than 2048 bytes");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A text->authid = NULL;
2N/A _plug_strdup(sparams->utils, realm, &text->realm, NULL);
2N/A text->nonce = nonce;
2N/A text->nonce_count = 1;
2N/A text->cnonce = NULL;
2N/A stext->timestamp = time(0);
2N/A
2N/A *serveroutlen = strlen(text->out_buf);
2N/A *serverout = text->out_buf;
2N/A
2N/A text->state = 2;
2N/A
2N/A return SASL_CONTINUE;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_server_mech_step2(server_context_t *stext,
2N/A sasl_server_params_t *sparams,
2N/A const char *clientin,
2N/A unsigned clientinlen,
2N/A const char **serverout,
2N/A unsigned *serveroutlen,
2N/A sasl_out_params_t * oparams)
2N/A{
2N/A context_t *text = (context_t *) stext;
2N/A /* verify digest */
2N/A sasl_secret_t *sec = NULL;
2N/A int result;
2N/A char *serverresponse = NULL;
2N/A char *username = NULL;
2N/A char *authorization_id = NULL;
2N/A char *realm = NULL;
2N/A unsigned char *nonce = NULL, *cnonce = NULL;
2N/A unsigned int noncecount = 0;
2N/A char *qop = NULL;
2N/A char *digesturi = NULL;
2N/A char *response = NULL;
2N/A
2N/A /* setting the default value (65536) */
2N/A unsigned int client_maxbuf = 65536;
2N/A int maxbuf_count = 0; /* How many maxbuf instaces was found */
2N/A
2N/A char *charset = NULL;
2N/A char *cipher = NULL;
2N/A unsigned int n=0;
2N/A
2N/A HASH A1;
2N/A
2N/A /* password prop_request */
2N/A const char *password_request[] = { SASL_AUX_PASSWORD,
2N/A "*cmusaslsecretDIGEST-MD5",
2N/A NULL };
2N/A unsigned len;
2N/A struct propval auxprop_values[2];
2N/A
2N/A /* can we mess with clientin? copy it to be safe */
2N/A char *in_start = NULL;
2N/A char *in = NULL;
2N/A
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 server step 2");
2N/A
2N/A in = sparams->utils->malloc(clientinlen + 1);
2N/A#ifdef _SUN_SDK_
2N/A if (!in) return SASL_NOMEM;
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A memcpy(in, clientin, clientinlen);
2N/A in[clientinlen] = 0;
2N/A
2N/A in_start = in;
2N/A
2N/A
2N/A /* parse what we got */
2N/A while (in[0] != '\0') {
2N/A char *name = NULL, *value = NULL;
2N/A get_pair(&in, &name, &value);
2N/A
2N/A if (name == NULL)
2N/A break;
2N/A
2N/A /* Extracting parameters */
2N/A
2N/A /*
2N/A * digest-response = 1#( username | realm | nonce | cnonce |
2N/A * nonce-count | qop | digest-uri | response | maxbuf | charset |
2N/A * cipher | auth-param )
2N/A */
2N/A
2N/A if (strcasecmp(name, "username") == 0) {
2N/A _plug_strdup(sparams->utils, value, &username, NULL);
2N/A } else if (strcasecmp(name, "authzid") == 0) {
2N/A _plug_strdup(sparams->utils, value, &authorization_id, NULL);
2N/A } else if (strcasecmp(name, "cnonce") == 0) {
2N/A _plug_strdup(sparams->utils, value, (char **) &cnonce, NULL);
2N/A } else if (strcasecmp(name, "nc") == 0) {
2N/A if (htoi((unsigned char *) value, &noncecount) != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "error converting hex to int");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "error converting hex to int");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_BADAUTH;
2N/A goto FreeAllMem;
2N/A }
2N/A } else if (strcasecmp(name, "realm") == 0) {
2N/A if (realm) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "duplicate realm: authentication aborted");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "duplicate realm: authentication aborted");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A _plug_strdup(sparams->utils, value, &realm, NULL);
2N/A } else if (strcasecmp(name, "nonce") == 0) {
2N/A _plug_strdup(sparams->utils, value, (char **) &nonce, NULL);
2N/A } else if (strcasecmp(name, "qop") == 0) {
2N/A _plug_strdup(sparams->utils, value, &qop, NULL);
2N/A } else if (strcasecmp(name, "digest-uri") == 0) {
2N/A size_t service_len;
2N/A
2N/A /*
2N/A * digest-uri-value = serv-type "/" host [ "/" serv-name ]
2N/A */
2N/A
2N/A _plug_strdup(sparams->utils, value, &digesturi, NULL);
2N/A
2N/A /* verify digest-uri format */
2N/A
2N/A /* make sure it's the service that we're expecting */
2N/A service_len = strlen(sparams->service);
2N/A if (strncasecmp(digesturi, sparams->service, service_len) ||
2N/A digesturi[service_len] != '/') {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "bad digest-uri: doesn't match service");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "bad digest-uri: doesn't match service");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A /* xxx we don't verify the hostname component */
2N/A
2N/A } else if (strcasecmp(name, "response") == 0) {
2N/A _plug_strdup(sparams->utils, value, &response, NULL);
2N/A } else if (strcasecmp(name, "cipher") == 0) {
2N/A _plug_strdup(sparams->utils, value, &cipher, NULL);
2N/A } else if (strcasecmp(name, "maxbuf") == 0) {
2N/A maxbuf_count++;
2N/A if (maxbuf_count != 1) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "duplicate maxbuf: authentication aborted");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "duplicate maxbuf: authentication aborted");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllMem;
2N/A } else if (sscanf(value, "%u", &client_maxbuf) != 1) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "invalid maxbuf parameter");
2N/A#else
2N/A SETERROR(sparams->utils, "invalid maxbuf parameter");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllMem;
2N/A } else {
2N/A if (client_maxbuf <= 16) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "maxbuf parameter too small");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "maxbuf parameter too small");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllMem;
2N/A }
2N/A }
2N/A } else if (strcasecmp(name, "charset") == 0) {
2N/A if (strcasecmp(value, "utf-8") != 0) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "client doesn't support UTF-8");
2N/A#else
2N/A SETERROR(sparams->utils, "client doesn't support UTF-8");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A _plug_strdup(sparams->utils, value, &charset, NULL);
2N/A } else {
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 unrecognized pair %s/%s: ignoring",
2N/A name, value);
2N/A }
2N/A }
2N/A
2N/A /*
2N/A * username = "username" "=" <"> username-value <">
2N/A * username-value = qdstr-val cnonce = "cnonce" "=" <">
2N/A * cnonce-value <"> cnonce-value = qdstr-val nonce-count = "nc"
2N/A * "=" nc-value nc-value = 8LHEX qop = "qop" "="
2N/A * qop-value digest-uri = "digest-uri" "=" digest-uri-value
2N/A * digest-uri-value = serv-type "/" host [ "/" serv-name ] serv-type
2N/A * = 1*ALPHA host = 1*( ALPHA | DIGIT | "-" | "." ) service
2N/A * = host response = "response" "=" <"> response-value <">
2N/A * response-value = 32LHEX LHEX = "0" | "1" | "2" | "3" | "4" | "5" |
2N/A * "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f" cipher =
2N/A * "cipher" "=" cipher-value
2N/A */
2N/A /* Verifing that all parameters was defined */
2N/A if ((username == NULL) ||
2N/A (nonce == NULL) ||
2N/A (noncecount == 0) ||
2N/A (cnonce == NULL) ||
2N/A (digesturi == NULL) ||
2N/A (response == NULL)) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "required parameters missing");
2N/A#else
2N/A SETERROR(sparams->utils, "required parameters missing");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_BADAUTH;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A if (text->state == 1) {
2N/A unsigned val = hash(username) % text->reauth->size;
2N/A
2N/A /* reauth attempt, see if we have any info for this user */
2N/A if (sparams->utils->mutex_lock(text->reauth->mutex) == SASL_OK) { /* LOCK */
2N/A if (text->reauth->e[val].authid &&
2N/A !strcmp(username, text->reauth->e[val].authid)) {
2N/A
2N/A _plug_strdup(sparams->utils, text->reauth->e[val].realm,
2N/A &text->realm, NULL);
2N/A#ifdef _SUN_SDK_
2N/A _plug_strdup(sparams->utils, (char *)text->reauth->e[val].nonce,
2N/A (char **) &text->nonce, NULL);
2N/A#else
2N/A _plug_strdup(sparams->utils, text->reauth->e[val].nonce,
2N/A (char **) &text->nonce, NULL);
2N/A#endif /* _SUN_SDK_ */
2N/A text->nonce_count = ++text->reauth->e[val].nonce_count;
2N/A#ifdef _SUN_SDK_
2N/A _plug_strdup(sparams->utils, (char *)text->reauth->e[val].cnonce,
2N/A (char **) &text->cnonce, NULL);
2N/A#else
2N/A _plug_strdup(sparams->utils, text->reauth->e[val].cnonce,
2N/A (char **) &text->cnonce, NULL);
2N/A#endif /* _SUN_SDK_ */
2N/A stext->timestamp = text->reauth->e[val].u.s.timestamp;
2N/A }
2N/A sparams->utils->mutex_unlock(text->reauth->mutex); /* UNLOCK */
2N/A }
2N/A
2N/A if (!text->nonce) {
2N/A /* we don't have any reauth info, so bail */
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A }
2N/A
2N/A /* Sanity check the parameters */
2N/A#ifdef _SUN_SDK_
2N/A if ((realm != NULL && text->realm != NULL &&
2N/A strcmp(realm, text->realm) != 0) ||
2N/A (realm == NULL && text->realm != NULL) ||
2N/A (realm != NULL && text->realm == NULL)) {
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "realm changed: authentication aborted");
2N/A#else
2N/A if (strcmp(realm, text->realm) != 0) {
2N/A SETERROR(sparams->utils,
2N/A "realm changed: authentication aborted");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_BADAUTH;
2N/A goto FreeAllMem;
2N/A }
2N/A#ifdef _SUN_SDK_
2N/A if (strcmp((char *)nonce, (char *) text->nonce) != 0) {
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "nonce changed: authentication aborted");
2N/A#else
2N/A if (strcmp(nonce, (char *) text->nonce) != 0) {
2N/A SETERROR(sparams->utils,
2N/A "nonce changed: authentication aborted");
2N/A#endif /* _SUN_SKD_ */
2N/A result = SASL_BADAUTH;
2N/A goto FreeAllMem;
2N/A }
2N/A if (noncecount != text->nonce_count) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "incorrect nonce-count: authentication aborted");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "incorrect nonce-count: authentication aborted");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_BADAUTH;
2N/A goto FreeAllMem;
2N/A }
2N/A#ifdef _SUN_SDK_
2N/A if (text->cnonce && strcmp((char *)cnonce, (char *)text->cnonce) != 0) {
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "cnonce changed: authentication aborted");
2N/A#else
2N/A if (text->cnonce && strcmp(cnonce, text->cnonce) != 0) {
2N/A SETERROR(sparams->utils,
2N/A "cnonce changed: authentication aborted");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_BADAUTH;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A result = sparams->utils->prop_request(sparams->propctx, password_request);
2N/A if(result != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "unable to request user password");
2N/A#else
2N/A SETERROR(sparams->utils, "unable to resquest user password");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A /* this will trigger the getting of the aux properties */
2N/A /* Note that if we don't have an authorization id, we don't use it... */
2N/A result = sparams->canon_user(sparams->utils->conn,
2N/A username, 0, SASL_CU_AUTHID, oparams);
2N/A if (result != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "unable canonify user and get auxprops");
2N/A#else
2N/A SETERROR(sparams->utils, "unable canonify user and get auxprops");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A if (!authorization_id || !*authorization_id) {
2N/A result = sparams->canon_user(sparams->utils->conn,
2N/A username, 0, SASL_CU_AUTHZID, oparams);
2N/A } else {
2N/A result = sparams->canon_user(sparams->utils->conn,
2N/A authorization_id, 0, SASL_CU_AUTHZID,
2N/A oparams);
2N/A }
2N/A
2N/A if (result != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "unable to canonicalize authorization ID");
2N/A#else
2N/A SETERROR(sparams->utils, "unable authorization ID");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A result = sparams->utils->prop_getnames(sparams->propctx, password_request,
2N/A auxprop_values);
2N/A if (result < 0 ||
2N/A ((!auxprop_values[0].name || !auxprop_values[0].values) &&
2N/A (!auxprop_values[1].name || !auxprop_values[1].values))) {
2N/A /* We didn't find this username */
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A sparams->utils->seterror(sparams->utils->conn, 0,
2N/A gettext("no secret in database"));
2N/A#else
2N/A sparams->utils->seterror(sparams->utils->conn, 0,
2N/A "no secret in database");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A result = SASL_NOUSER;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A if (auxprop_values[0].name && auxprop_values[0].values) {
2N/A len = strlen(auxprop_values[0].values[0]);
2N/A if (len == 0) {
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A sparams->utils->seterror(sparams->utils->conn,0,
2N/A gettext("empty secret"));
2N/A#else
2N/A sparams->utils->seterror(sparams->utils->conn,0,
2N/A "empty secret");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A sec = sparams->utils->malloc(sizeof(sasl_secret_t) + len);
2N/A if (!sec) {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "unable to allocate secret");
2N/A#else
2N/A SETERROR(sparams->utils, "unable to allocate secret");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A sec->len = len;
2N/A#ifdef _SUN_SDK_
2N/A strncpy((char *)sec->data, auxprop_values[0].values[0], len + 1);
2N/A#else
2N/A strncpy(sec->data, auxprop_values[0].values[0], len + 1);
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /*
2N/A * Verifying response obtained from client
2N/A *
2N/A * H_URP = H({ username-value,":",realm-value,":",passwd}) sec->data
2N/A * contains H_URP
2N/A */
2N/A
2N/A /* Calculate the secret from the plaintext password */
2N/A {
2N/A HASH HA1;
2N/A
2N/A#ifdef _SUN_SDK_
2N/A DigestCalcSecret(sparams->utils, (unsigned char *)username,
2N/A (unsigned char *)text->realm, sec->data,
2N/A sec->len, HA1);
2N/A#else
2N/A DigestCalcSecret(sparams->utils, username,
2N/A text->realm, sec->data, sec->len, HA1);
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /*
2N/A * A1 = { H( { username-value, ":", realm-value, ":", passwd } ),
2N/A * ":", nonce-value, ":", cnonce-value }
2N/A */
2N/A
2N/A memcpy(A1, HA1, HASHLEN);
2N/A A1[HASHLEN] = '\0';
2N/A }
2N/A
2N/A /* We're done with sec now. Let's get rid of it */
2N/A _plug_free_secret(sparams->utils, &sec);
2N/A } else if (auxprop_values[1].name && auxprop_values[1].values) {
2N/A memcpy(A1, auxprop_values[1].values[0], HASHLEN);
2N/A A1[HASHLEN] = '\0';
2N/A } else {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "Have neither type of secret");
2N/A#else
2N/A sparams->utils->seterror(sparams->utils->conn, 0,
2N/A "Have neither type of secret");
2N/A#endif /* _SUN_SDK_ */
2N/A#ifdef _SUN_SDK_
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A#else
2N/A return SASL_FAIL;
2N/A#endif /* _SUN_SDK_ */
2N/A }
2N/A
2N/A /* defaulting qop to "auth" if not specified */
2N/A if (qop == NULL) {
2N/A _plug_strdup(sparams->utils, "auth", &qop, NULL);
2N/A }
2N/A
2N/A /* check which layer/cipher to use */
2N/A if ((!strcasecmp(qop, "auth-conf")) && (cipher != NULL)) {
2N/A /* see what cipher was requested */
2N/A struct digest_cipher *cptr;
2N/A
2N/A#ifdef USE_UEF_SERVER
2N/A cptr = available_ciphers1;
2N/A#else
2N/A cptr = available_ciphers;
2N/A#endif
2N/A while (cptr->name) {
2N/A /* find the cipher requested & make sure it's one we're happy
2N/A with by policy */
2N/A if (!strcasecmp(cipher, cptr->name) &&
2N/A stext->requiressf <= cptr->ssf &&
2N/A stext->limitssf >= cptr->ssf) {
2N/A /* found it! */
2N/A break;
2N/A }
2N/A cptr++;
2N/A }
2N/A
2N/A if (cptr->name) {
2N/A text->cipher_enc = cptr->cipher_enc;
2N/A text->cipher_dec = cptr->cipher_dec;
2N/A text->cipher_init = cptr->cipher_init;
2N/A text->cipher_free = cptr->cipher_free;
2N/A oparams->mech_ssf = cptr->ssf;
2N/A n = cptr->n;
2N/A } else {
2N/A /* erg? client requested something we didn't advertise! */
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_WARN,
2N/A "protocol violation: client requested invalid cipher");
2N/A#ifndef _SUN_SDK_
2N/A SETERROR(sparams->utils, "client requested invalid cipher");
2N/A#endif /* !_SUN_SDK_ */
2N/A /* Mark that we attempted security layer negotiation */
2N/A oparams->mech_ssf = 2;
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A oparams->encode=&digestmd5_privacy_encode;
2N/A oparams->decode=&digestmd5_privacy_decode;
2N/A } else if (!strcasecmp(qop, "auth-int") &&
2N/A stext->requiressf <= 1 && stext->limitssf >= 1) {
2N/A oparams->encode = &digestmd5_integrity_encode;
2N/A oparams->decode = &digestmd5_integrity_decode;
2N/A oparams->mech_ssf = 1;
2N/A } else if (!strcasecmp(qop, "auth") && stext->requiressf == 0) {
2N/A oparams->encode = NULL;
2N/A oparams->decode = NULL;
2N/A oparams->mech_ssf = 0;
2N/A } else {
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "protocol violation: client requested invalid qop");
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "protocol violation: client requested invalid qop");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A serverresponse = create_response(text,
2N/A sparams->utils,
2N/A text->nonce,
2N/A text->nonce_count,
2N/A cnonce,
2N/A qop,
2N/A digesturi,
2N/A A1,
2N/A authorization_id,
2N/A &text->response_value);
2N/A
2N/A if (serverresponse == NULL) {
2N/A#ifndef _SUN_SDK_
2N/A SETERROR(sparams->utils, "internal error: unable to create response");
2N/A#endif /* !_SUN_SDK_ */
2N/A result = SASL_NOMEM;
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A /* if ok verified */
2N/A if (strcmp(serverresponse, response) != 0) {
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A SETERROR(sparams->utils,
2N/A gettext("client response doesn't match what we generated"));
2N/A#else
2N/A SETERROR(sparams->utils,
2N/A "client response doesn't match what we generated");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A result = SASL_BADAUTH;
2N/A
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A /* see if our nonce expired */
2N/A if (text->reauth->timeout &&
2N/A time(0) - stext->timestamp > text->reauth->timeout) {
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A SETERROR(sparams->utils, gettext("server nonce expired"));
2N/A#else
2N/A SETERROR(sparams->utils, "server nonce expired");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A stext->stale = 1;
2N/A result = SASL_BADAUTH;
2N/A
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A /*
2N/A * nothing more to do; authenticated set oparams information
2N/A */
2N/A oparams->doneflag = 1;
2N/A oparams->maxoutbuf = client_maxbuf - 4;
2N/A if (oparams->mech_ssf > 1) {
2N/A#ifdef _SUN_SDK_
2N/A if (oparams->maxoutbuf <= 25) {
2N/A result = SASL_BADPARAM;
2N/A goto FreeAllMem;
2N/A }
2N/A#endif
2N/A /* MAC block (privacy) */
2N/A oparams->maxoutbuf -= 25;
2N/A } else if(oparams->mech_ssf == 1) {
2N/A#ifdef _SUN_SDK_
2N/A if (oparams->maxoutbuf <= 16) {
2N/A result = SASL_BADPARAM;
2N/A goto FreeAllMem;
2N/A }
2N/A#endif
2N/A /* MAC block (integrity) */
2N/A oparams->maxoutbuf -= 16;
2N/A }
2N/A
2N/A oparams->param_version = 0;
2N/A
2N/A text->seqnum = 0; /* for integrity/privacy */
2N/A text->rec_seqnum = 0; /* for integrity/privacy */
2N/A text->in_maxbuf =
2N/A sparams->props.maxbufsize ? sparams->props.maxbufsize : DEFAULT_BUFSIZE;
2N/A text->utils = sparams->utils;
2N/A
2N/A /* used by layers */
2N/A text->needsize = 4;
2N/A text->buffer = NULL;
2N/A
2N/A if (oparams->mech_ssf > 0) {
2N/A char enckey[16];
2N/A char deckey[16];
2N/A
2N/A create_layer_keys(text, sparams->utils,text->HA1,n,enckey,deckey);
2N/A
2N/A /* initialize cipher if need be */
2N/A#ifdef _SUN_SDK_
2N/A if (text->cipher_init) {
2N/A if (text->cipher_free)
2N/A text->cipher_free(text);
2N/A if ((result = text->cipher_init(text, enckey, deckey)) != SASL_OK) {
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "couldn't init cipher");
2N/A goto FreeAllMem;
2N/A }
2N/A }
2N/A#else
2N/A if (text->cipher_init)
2N/A if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
2N/A sparams->utils->seterror(sparams->utils->conn, 0,
2N/A "couldn't init cipher");
2N/A }
2N/A#endif /* _SUN_SDK_ */
2N/A }
2N/A
2N/A /*
2N/A * The server receives and validates the "digest-response". The server
2N/A * checks that the nonce-count is "00000001". If it supports subsequent
2N/A * authentication, it saves the value of the nonce and the nonce-count.
2N/A */
2N/A
2N/A /*
2N/A * The "username-value", "realm-value" and "passwd" are encoded according
2N/A * to the value of the "charset" directive. If "charset=UTF-8" is
2N/A * present, and all the characters of either "username-value" or "passwd"
2N/A * are in the ISO 8859-1 character set, then it must be converted to
2N/A * UTF-8 before being hashed. A sample implementation of this conversion
2N/A * is in section 8.
2N/A */
2N/A
2N/A /* add to challenge */
2N/A {
2N/A unsigned resplen =
2N/A strlen(text->response_value) + strlen("rspauth") + 3;
2N/A
2N/A result = _plug_buf_alloc(sparams->utils, &(text->out_buf),
2N/A &(text->out_buf_len), resplen);
2N/A if(result != SASL_OK) {
2N/A goto FreeAllMem;
2N/A }
2N/A
2N/A sprintf(text->out_buf, "rspauth=%s", text->response_value);
2N/A
2N/A /* self check */
2N/A if (strlen(text->out_buf) > 2048) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllMem;
2N/A }
2N/A }
2N/A
2N/A *serveroutlen = strlen(text->out_buf);
2N/A *serverout = text->out_buf;
2N/A
2N/A result = SASL_OK;
2N/A
2N/A FreeAllMem:
2N/A if (text->reauth->timeout &&
2N/A sparams->utils->mutex_lock(text->reauth->mutex) == SASL_OK) { /* LOCK */
2N/A unsigned val = hash(username) % text->reauth->size;
2N/A
2N/A switch (result) {
2N/A case SASL_OK:
2N/A /* successful auth, setup for future reauth */
2N/A if (text->nonce_count == 1) {
2N/A /* successful initial auth, create new entry */
2N/A clear_reauth_entry(&text->reauth->e[val], SERVER, sparams->utils);
2N/A text->reauth->e[val].authid = username; username = NULL;
2N/A text->reauth->e[val].realm = text->realm; text->realm = NULL;
2N/A text->reauth->e[val].nonce = text->nonce; text->nonce = NULL;
2N/A text->reauth->e[val].cnonce = cnonce; cnonce = NULL;
2N/A }
2N/A if (text->nonce_count <= text->reauth->e[val].nonce_count) {
2N/A /* paranoia. prevent replay attacks */
2N/A clear_reauth_entry(&text->reauth->e[val], SERVER, sparams->utils);
2N/A }
2N/A else {
2N/A text->reauth->e[val].nonce_count = text->nonce_count;
2N/A text->reauth->e[val].u.s.timestamp = time(0);
2N/A }
2N/A break;
2N/A default:
2N/A if (text->nonce_count > 1) {
2N/A /* failed reauth, clear entry */
2N/A clear_reauth_entry(&text->reauth->e[val], SERVER, sparams->utils);
2N/A }
2N/A else {
2N/A /* failed initial auth, leave existing cache */
2N/A }
2N/A }
2N/A sparams->utils->mutex_unlock(text->reauth->mutex); /* UNLOCK */
2N/A }
2N/A
2N/A /* free everything */
2N/A if (in_start) sparams->utils->free (in_start);
2N/A
2N/A if (username != NULL)
2N/A sparams->utils->free (username);
2N/A#ifdef _SUN_SDK_
2N/A if (authorization_id != NULL)
2N/A sparams->utils->free (authorization_id);
2N/A#endif /* _SUN_SDK_ */
2N/A if (realm != NULL)
2N/A sparams->utils->free (realm);
2N/A if (nonce != NULL)
2N/A sparams->utils->free (nonce);
2N/A if (cnonce != NULL)
2N/A sparams->utils->free (cnonce);
2N/A if (response != NULL)
2N/A sparams->utils->free (response);
2N/A if (cipher != NULL)
2N/A sparams->utils->free (cipher);
2N/A if (serverresponse != NULL)
2N/A sparams->utils->free(serverresponse);
2N/A if (charset != NULL)
2N/A sparams->utils->free (charset);
2N/A if (digesturi != NULL)
2N/A sparams->utils->free (digesturi);
2N/A if (qop!=NULL)
2N/A sparams->utils->free (qop);
2N/A if (sec)
2N/A _plug_free_secret(sparams->utils, &sec);
2N/A
2N/A return result;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_server_mech_step(void *conn_context,
2N/A sasl_server_params_t *sparams,
2N/A const char *clientin,
2N/A unsigned clientinlen,
2N/A const char **serverout,
2N/A unsigned *serveroutlen,
2N/A sasl_out_params_t *oparams)
2N/A{
2N/A context_t *text = (context_t *) conn_context;
2N/A server_context_t *stext = (server_context_t *) conn_context;
2N/A
2N/A if (clientinlen > 4096) return SASL_BADPROT;
2N/A
2N/A *serverout = NULL;
2N/A *serveroutlen = 0;
2N/A
2N/A switch (text->state) {
2N/A
2N/A case 1:
2N/A /* setup SSF limits */
2N/A if (!sparams->props.maxbufsize) {
2N/A stext->limitssf = 0;
2N/A stext->requiressf = 0;
2N/A } else {
2N/A if (sparams->props.max_ssf < sparams->external_ssf) {
2N/A stext->limitssf = 0;
2N/A } else {
2N/A stext->limitssf =
2N/A sparams->props.max_ssf - sparams->external_ssf;
2N/A }
2N/A if (sparams->props.min_ssf < sparams->external_ssf) {
2N/A stext->requiressf = 0;
2N/A } else {
2N/A stext->requiressf =
2N/A sparams->props.min_ssf - sparams->external_ssf;
2N/A }
2N/A }
2N/A
2N/A if (clientin && text->reauth->timeout) {
2N/A /* here's where we attempt fast reauth if possible */
2N/A if (digestmd5_server_mech_step2(stext, sparams,
2N/A clientin, clientinlen,
2N/A serverout, serveroutlen,
2N/A oparams) == SASL_OK) {
2N/A return SASL_OK;
2N/A }
2N/A
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_WARN,
2N/A "DIGEST-MD5 reauth failed");
2N/A#else
2N/A sparams->utils->log(NULL, SASL_LOG_WARN,
2N/A "DIGEST-MD5 reauth failed\n");
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /* re-initialize everything for a fresh start */
2N/A memset(oparams, 0, sizeof(sasl_out_params_t));
2N/A
2N/A /* fall through and issue challenge */
2N/A }
2N/A
2N/A return digestmd5_server_mech_step1(stext, sparams,
2N/A clientin, clientinlen,
2N/A serverout, serveroutlen, oparams);
2N/A
2N/A case 2:
2N/A return digestmd5_server_mech_step2(stext, sparams,
2N/A clientin, clientinlen,
2N/A serverout, serveroutlen, oparams);
2N/A
2N/A default:
2N/A#ifdef _SUN_SDK_
2N/A sparams->utils->log(sparams->utils->conn, SASL_LOG_ERR,
2N/A "Invalid DIGEST-MD5 server step %d", text->state);
2N/A#else
2N/A sparams->utils->log(NULL, SASL_LOG_ERR,
2N/A "Invalid DIGEST-MD5 server step %d\n", text->state);
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A#ifndef _SUN_SDK_
2N/A return SASL_FAIL; /* should never get here */
2N/A#endif /* !_SUN_SDK_ */
2N/A}
2N/A
2N/Astatic void
2N/Adigestmd5_server_mech_dispose(void *conn_context, const sasl_utils_t *utils)
2N/A{
2N/A server_context_t *stext = (server_context_t *) conn_context;
2N/A
2N/A if (!stext || !utils) return;
2N/A
2N/A digestmd5_common_mech_dispose(conn_context, utils);
2N/A}
2N/A
2N/Astatic sasl_server_plug_t digestmd5_server_plugins[] =
2N/A{
2N/A {
2N/A "DIGEST-MD5", /* mech_name */
2N/A /* EXPORT DELETE START */
2N/A#ifdef WITH_RC4
2N/A 128, /* max_ssf */
2N/A#elif WITH_DES
2N/A 112,
2N/A#else
2N/A /* EXPORT DELETE END */
2N/A 0,
2N/A /* EXPORT DELETE START */
2N/A#endif
2N/A /* EXPORT DELETE END */
2N/A SASL_SEC_NOPLAINTEXT
2N/A | SASL_SEC_NOANONYMOUS
2N/A | SASL_SEC_MUTUAL_AUTH, /* security_flags */
2N/A SASL_FEAT_ALLOWS_PROXY, /* features */
2N/A NULL, /* glob_context */
2N/A &digestmd5_server_mech_new, /* mech_new */
2N/A &digestmd5_server_mech_step, /* mech_step */
2N/A &digestmd5_server_mech_dispose, /* mech_dispose */
2N/A &digestmd5_common_mech_free, /* mech_free */
2N/A NULL, /* setpass */
2N/A NULL, /* user_query */
2N/A NULL, /* idle */
2N/A NULL, /* mech avail */
2N/A NULL /* spare */
2N/A }
2N/A};
2N/A
2N/Aint digestmd5_server_plug_init(sasl_utils_t *utils,
2N/A int maxversion,
2N/A int *out_version,
2N/A sasl_server_plug_t **pluglist,
2N/A int *plugcount)
2N/A{
2N/A reauth_cache_t *reauth_cache;
2N/A const char *timeout = NULL;
2N/A unsigned int len;
2N/A#if defined _SUN_SDK_ && defined USE_UEF
2N/A int ret;
2N/A#endif /* _SUN_SDK_ && USE_UEF */
2N/A
2N/A if (maxversion < SASL_SERVER_PLUG_VERSION)
2N/A return SASL_BADVERS;
2N/A
2N/A#if defined _SUN_SDK_ && defined USE_UEF
2N/A if ((ret = uef_init(utils)) != SASL_OK)
2N/A return ret;
2N/A#endif /* _SUN_SDK_ && USE_UEF */
2N/A
2N/A /* reauth cache */
2N/A reauth_cache = utils->malloc(sizeof(reauth_cache_t));
2N/A if (reauth_cache == NULL)
2N/A return SASL_NOMEM;
2N/A memset(reauth_cache, 0, sizeof(reauth_cache_t));
2N/A reauth_cache->i_am = SERVER;
2N/A
2N/A /* fetch and canonify the reauth_timeout */
2N/A utils->getopt(utils->getopt_context, "DIGEST-MD5", "reauth_timeout",
2N/A &timeout, &len);
2N/A if (timeout)
2N/A reauth_cache->timeout = (time_t) 60 * strtol(timeout, NULL, 10);
2N/A#ifdef _SUN_SDK_
2N/A else
2N/A reauth_cache->timeout = 0;
2N/A#endif /* _SUN_SDK_ */
2N/A if (reauth_cache->timeout < 0)
2N/A reauth_cache->timeout = 0;
2N/A
2N/A if (reauth_cache->timeout) {
2N/A /* mutex */
2N/A reauth_cache->mutex = utils->mutex_alloc();
2N/A if (!reauth_cache->mutex)
2N/A return SASL_FAIL;
2N/A
2N/A /* entries */
2N/A reauth_cache->size = 100;
2N/A reauth_cache->e = utils->malloc(reauth_cache->size *
2N/A sizeof(reauth_entry_t));
2N/A if (reauth_cache->e == NULL)
2N/A return SASL_NOMEM;
2N/A memset(reauth_cache->e, 0, reauth_cache->size * sizeof(reauth_entry_t));
2N/A }
2N/A
2N/A digestmd5_server_plugins[0].glob_context = reauth_cache;
2N/A
2N/A#ifdef _SUN_SDK_
2N/A#ifdef USE_UEF_CLIENT
2N/A digestmd5_server_plugins[0].max_ssf = uef_max_ssf;
2N/A#endif /* USE_UEF_CLIENT */
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /* EXPORT DELETE START */
2N/A /* CRYPT DELETE START */
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A /*
2N/A * Let libsasl know that we are a "Sun" plugin so that privacy
2N/A * and integrity will be allowed.
2N/A */
2N/A REG_PLUG("DIGEST-MD5", digestmd5_server_plugins);
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A /* CRYPT DELETE END */
2N/A /* EXPORT DELETE END */
2N/A
2N/A *out_version = SASL_SERVER_PLUG_VERSION;
2N/A *pluglist = digestmd5_server_plugins;
2N/A *plugcount = 1;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/A/***************************** Client Section *****************************/
2N/A
2N/Atypedef struct client_context {
2N/A context_t common;
2N/A
2N/A sasl_secret_t *password; /* user password */
2N/A unsigned int free_password; /* set if we need to free password */
2N/A
2N/A int protection;
2N/A struct digest_cipher *cipher;
2N/A unsigned int server_maxbuf;
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A void *h;
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A} client_context_t;
2N/A
2N/A/* calculate H(A1) as per spec */
2N/Astatic void
2N/ADigestCalcHA1(context_t * text,
2N/A const sasl_utils_t * utils,
2N/A unsigned char *pszUserName,
2N/A unsigned char *pszRealm,
2N/A sasl_secret_t * pszPassword,
2N/A unsigned char *pszAuthorization_id,
2N/A unsigned char *pszNonce,
2N/A unsigned char *pszCNonce,
2N/A HASHHEX SessionKey)
2N/A{
2N/A MD5_CTX Md5Ctx;
2N/A HASH HA1;
2N/A
2N/A DigestCalcSecret(utils,
2N/A pszUserName,
2N/A pszRealm,
2N/A (unsigned char *) pszPassword->data,
2N/A pszPassword->len,
2N/A HA1);
2N/A
2N/A /* calculate the session key */
2N/A utils->MD5Init(&Md5Ctx);
2N/A utils->MD5Update(&Md5Ctx, HA1, HASHLEN);
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszNonce, strlen((char *) pszNonce));
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszCNonce, strlen((char *) pszCNonce));
2N/A if (pszAuthorization_id != NULL) {
2N/A utils->MD5Update(&Md5Ctx, COLON, 1);
2N/A utils->MD5Update(&Md5Ctx, pszAuthorization_id,
2N/A strlen((char *) pszAuthorization_id));
2N/A }
2N/A utils->MD5Final(HA1, &Md5Ctx);
2N/A
2N/A CvtHex(HA1, SessionKey);
2N/A
2N/A /* xxx rc-* use different n */
2N/A
2N/A /* save HA1 because we'll need it for the privacy and integrity keys */
2N/A memcpy(text->HA1, HA1, sizeof(HASH));
2N/A
2N/A}
2N/A
2N/Astatic char *calculate_response(context_t * text,
2N/A const sasl_utils_t * utils,
2N/A unsigned char *username,
2N/A unsigned char *realm,
2N/A unsigned char *nonce,
2N/A unsigned int ncvalue,
2N/A unsigned char *cnonce,
2N/A char *qop,
2N/A unsigned char *digesturi,
2N/A sasl_secret_t * passwd,
2N/A unsigned char *authorization_id,
2N/A char **response_value)
2N/A{
2N/A HASHHEX SessionKey;
2N/A HASHHEX HEntity = "00000000000000000000000000000000";
2N/A HASHHEX Response;
2N/A char *result;
2N/A
2N/A /* Verifing that all parameters was defined */
2N/A if(!username || !cnonce || !nonce || !ncvalue || !digesturi || !passwd) {
2N/A PARAMERROR( utils );
2N/A return NULL;
2N/A }
2N/A
2N/A if (realm == NULL) {
2N/A /* a NULL realm is equivalent to the empty string */
2N/A realm = (unsigned char *) "";
2N/A }
2N/A
2N/A if (qop == NULL) {
2N/A /* default to a qop of just authentication */
2N/A qop = "auth";
2N/A }
2N/A
2N/A DigestCalcHA1(text,
2N/A utils,
2N/A username,
2N/A realm,
2N/A passwd,
2N/A authorization_id,
2N/A nonce,
2N/A cnonce,
2N/A SessionKey);
2N/A
2N/A DigestCalcResponse(utils,
2N/A SessionKey,/* H(A1) */
2N/A nonce, /* nonce from server */
2N/A ncvalue, /* 8 hex digits */
2N/A cnonce, /* client nonce */
2N/A (unsigned char *) qop, /* qop-value: "", "auth",
2N/A * "auth-int" */
2N/A digesturi, /* requested URL */
2N/A (unsigned char *) "AUTHENTICATE",
2N/A HEntity, /* H(entity body) if qop="auth-int" */
2N/A Response /* request-digest or response-digest */
2N/A );
2N/A
2N/A result = utils->malloc(HASHHEXLEN + 1);
2N/A#ifdef _SUN_SDK_
2N/A if (result == NULL)
2N/A return NULL;
2N/A#endif /* _SUN_SDK_ */
2N/A memcpy(result, Response, HASHHEXLEN);
2N/A result[HASHHEXLEN] = 0;
2N/A
2N/A if (response_value != NULL) {
2N/A DigestCalcResponse(utils,
2N/A SessionKey, /* H(A1) */
2N/A nonce, /* nonce from server */
2N/A ncvalue, /* 8 hex digits */
2N/A cnonce, /* client nonce */
2N/A (unsigned char *) qop, /* qop-value: "", "auth",
2N/A * "auth-int" */
2N/A (unsigned char *) digesturi, /* requested URL */
2N/A NULL,
2N/A HEntity, /* H(entity body) if qop="auth-int" */
2N/A Response /* request-digest or response-digest */
2N/A );
2N/A
2N/A#ifdef _SUN_SDK_
2N/A if (*response_value != NULL)
2N/A utils->free(*response_value);
2N/A#endif /* _SUN_SDK_ */
2N/A *response_value = utils->malloc(HASHHEXLEN + 1);
2N/A if (*response_value == NULL)
2N/A return NULL;
2N/A
2N/A memcpy(*response_value, Response, HASHHEXLEN);
2N/A (*response_value)[HASHHEXLEN] = 0;
2N/A
2N/A }
2N/A
2N/A return result;
2N/A}
2N/A
2N/Astatic int
2N/Amake_client_response(context_t *text,
2N/A sasl_client_params_t *params,
2N/A sasl_out_params_t *oparams)
2N/A{
2N/A client_context_t *ctext = (client_context_t *) text;
2N/A char *qop = NULL;
2N/A unsigned nbits = 0;
2N/A unsigned char *digesturi = NULL;
2N/A bool IsUTF8 = FALSE;
2N/A char ncvalue[10];
2N/A char maxbufstr[64];
2N/A char *response = NULL;
2N/A unsigned resplen = 0;
2N/A int result;
2N/A
2N/A switch (ctext->protection) {
2N/A case DIGEST_PRIVACY:
2N/A qop = "auth-conf";
2N/A oparams->encode = &digestmd5_privacy_encode;
2N/A oparams->decode = &digestmd5_privacy_decode;
2N/A oparams->mech_ssf = ctext->cipher->ssf;
2N/A
2N/A nbits = ctext->cipher->n;
2N/A text->cipher_enc = ctext->cipher->cipher_enc;
2N/A text->cipher_dec = ctext->cipher->cipher_dec;
2N/A text->cipher_free = ctext->cipher->cipher_free;
2N/A text->cipher_init = ctext->cipher->cipher_init;
2N/A break;
2N/A case DIGEST_INTEGRITY:
2N/A qop = "auth-int";
2N/A oparams->encode = &digestmd5_integrity_encode;
2N/A oparams->decode = &digestmd5_integrity_decode;
2N/A oparams->mech_ssf = 1;
2N/A break;
2N/A case DIGEST_NOLAYER:
2N/A default:
2N/A qop = "auth";
2N/A oparams->encode = NULL;
2N/A oparams->decode = NULL;
2N/A oparams->mech_ssf = 0;
2N/A }
2N/A
2N/A digesturi = params->utils->malloc(strlen(params->service) + 1 +
2N/A strlen(params->serverFQDN) + 1 +
2N/A 1);
2N/A if (digesturi == NULL) {
2N/A result = SASL_NOMEM;
2N/A goto FreeAllocatedMem;
2N/A };
2N/A
2N/A /* allocated exactly this. safe */
2N/A strcpy((char *) digesturi, params->service);
2N/A strcat((char *) digesturi, "/");
2N/A strcat((char *) digesturi, params->serverFQDN);
2N/A /*
2N/A * strcat (digesturi, "/"); strcat (digesturi, params->serverFQDN);
2N/A */
2N/A
2N/A /* response */
2N/A response =
2N/A calculate_response(text,
2N/A params->utils,
2N/A#ifdef _SUN_SDK_
2N/A (unsigned char *) oparams->authid,
2N/A#else
2N/A (char *) oparams->authid,
2N/A#endif /* _SUN_SDK_ */
2N/A (unsigned char *) text->realm,
2N/A text->nonce,
2N/A text->nonce_count,
2N/A text->cnonce,
2N/A qop,
2N/A digesturi,
2N/A ctext->password,
2N/A strcmp(oparams->user, oparams->authid) ?
2N/A#ifdef _SUN_SDK_
2N/A (unsigned char *) oparams->user : NULL,
2N/A#else
2N/A (char *) oparams->user : NULL,
2N/A#endif /* _SUN_SDK_ */
2N/A &text->response_value);
2N/A
2N/A#ifdef _SUN_SDK_
2N/A if (response == NULL) {
2N/A result = SASL_NOMEM;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A resplen = strlen(oparams->authid) + strlen("username") + 5;
2N/A result =_plug_buf_alloc(params->utils, &(text->out_buf),
2N/A &(text->out_buf_len),
2N/A resplen);
2N/A if (result != SASL_OK) goto FreeAllocatedMem;
2N/A
2N/A sprintf(text->out_buf, "username=\"%s\"", oparams->authid);
2N/A
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "realm", (unsigned char *) text->realm,
2N/A TRUE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A if (strcmp(oparams->user, oparams->authid)) {
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A#ifdef _SUN_SDK_
2N/A "authzid", (unsigned char *) oparams->user,
2N/A TRUE) != SASL_OK) {
2N/A#else
2N/A "authzid", (char *) oparams->user, TRUE) != SASL_OK) {
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A }
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "nonce", text->nonce, TRUE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "cnonce", text->cnonce, TRUE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A snprintf(ncvalue, sizeof(ncvalue), "%08x", text->nonce_count);
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "nc", (unsigned char *) ncvalue, FALSE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "qop", (unsigned char *) qop, FALSE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A if (ctext->cipher != NULL) {
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "cipher",
2N/A (unsigned char *) ctext->cipher->name,
2N/A TRUE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A }
2N/A
2N/A if (params->props.maxbufsize) {
2N/A snprintf(maxbufstr, sizeof(maxbufstr), "%d", params->props.maxbufsize);
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "maxbuf", (unsigned char *) maxbufstr,
2N/A FALSE) != SASL_OK) {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "internal error: add_to_challenge maxbuf failed");
2N/A#else
2N/A SETERROR(params->utils,
2N/A "internal error: add_to_challenge maxbuf failed");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllocatedMem;
2N/A }
2N/A }
2N/A
2N/A if (IsUTF8) {
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "charset", (unsigned char *) "utf-8",
2N/A FALSE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A }
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "digest-uri", digesturi, TRUE) != SASL_OK) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A if (add_to_challenge(params->utils,
2N/A &text->out_buf, &text->out_buf_len, &resplen,
2N/A "response", (unsigned char *) response,
2N/A FALSE) != SASL_OK) {
2N/A
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A /* self check */
2N/A if (strlen(text->out_buf) > 2048) {
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A /* set oparams */
2N/A#ifdef _SUN_SDK_
2N/A oparams->maxoutbuf = ctext->server_maxbuf - 4;
2N/A#else
2N/A oparams->maxoutbuf = ctext->server_maxbuf;
2N/A#endif /* _SUN_SDK_ */
2N/A if(oparams->mech_ssf > 1) {
2N/A#ifdef _SUN_SDK_
2N/A if (oparams->maxoutbuf <= 25)
2N/A return (SASL_BADPARAM);
2N/A#endif
2N/A /* MAC block (privacy) */
2N/A oparams->maxoutbuf -= 25;
2N/A } else if(oparams->mech_ssf == 1) {
2N/A#ifdef _SUN_SDK_
2N/A if (oparams->maxoutbuf <= 16)
2N/A return (SASL_BADPARAM);
2N/A#endif
2N/A /* MAC block (integrity) */
2N/A oparams->maxoutbuf -= 16;
2N/A }
2N/A
2N/A text->seqnum = 0; /* for integrity/privacy */
2N/A text->rec_seqnum = 0; /* for integrity/privacy */
2N/A text->utils = params->utils;
2N/A
2N/A text->in_maxbuf =
2N/A params->props.maxbufsize ? params->props.maxbufsize : DEFAULT_BUFSIZE;
2N/A
2N/A /* used by layers */
2N/A text->needsize = 4;
2N/A text->buffer = NULL;
2N/A
2N/A if (oparams->mech_ssf > 0) {
2N/A char enckey[16];
2N/A char deckey[16];
2N/A
2N/A create_layer_keys(text, params->utils, text->HA1, nbits,
2N/A enckey, deckey);
2N/A
2N/A /* initialize cipher if need be */
2N/A#ifdef _SUN_SDK_
2N/A if (text->cipher_init) {
2N/A if (text->cipher_free)
2N/A text->cipher_free(text);
2N/A if((result = text->cipher_init(text, enckey, deckey)) != SASL_OK) {
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "couldn't init cipher");
2N/A goto FreeAllocatedMem;
2N/A }
2N/A }
2N/A#else
2N/A if (text->cipher_init)
2N/A text->cipher_init(text, enckey, deckey);
2N/A#endif /* _SUN_SDK_ */
2N/A }
2N/A
2N/A result = SASL_OK;
2N/A
2N/A FreeAllocatedMem:
2N/A if (digesturi) params->utils->free(digesturi);
2N/A if (response) params->utils->free(response);
2N/A
2N/A return result;
2N/A}
2N/A
2N/Astatic int parse_server_challenge(client_context_t *ctext,
2N/A sasl_client_params_t *params,
2N/A const char *serverin, unsigned serverinlen,
2N/A char ***outrealms, int *noutrealm)
2N/A{
2N/A context_t *text = (context_t *) ctext;
2N/A int result = SASL_OK;
2N/A char *in_start = NULL;
2N/A char *in = NULL;
2N/A char **realms = NULL;
2N/A int nrealm = 0;
2N/A sasl_ssf_t limit, musthave = 0;
2N/A sasl_ssf_t external;
2N/A int protection = 0;
2N/A int ciphers = 0;
2N/A int maxbuf_count = 0;
2N/A#ifndef _SUN_SDK_
2N/A bool IsUTF8 = FALSE;
2N/A#endif /* !_SUN_SDK_ */
2N/A int algorithm_count = 0;
2N/A
2N/A if (!serverin || !serverinlen) {
2N/A#ifndef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "no server challenge");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "no server challenge");
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A in_start = in = params->utils->malloc(serverinlen + 1);
2N/A if (in == NULL) return SASL_NOMEM;
2N/A
2N/A memcpy(in, serverin, serverinlen);
2N/A in[serverinlen] = 0;
2N/A
2N/A ctext->server_maxbuf = 65536; /* Default value for maxbuf */
2N/A
2N/A /* create a new cnonce */
2N/A text->cnonce = create_nonce(params->utils);
2N/A if (text->cnonce == NULL) {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "failed to create cnonce");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "failed to create cnonce");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A /* parse the challenge */
2N/A while (in[0] != '\0') {
2N/A char *name, *value;
2N/A
2N/A get_pair(&in, &name, &value);
2N/A
2N/A /* if parse error */
2N/A if (name == NULL) {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Parse error");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0, "Parse error");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A if (strcasecmp(name, "realm") == 0) {
2N/A nrealm++;
2N/A
2N/A if(!realms)
2N/A realms = params->utils->malloc(sizeof(char *) * (nrealm + 1));
2N/A else
2N/A realms = params->utils->realloc(realms,
2N/A sizeof(char *) * (nrealm + 1));
2N/A
2N/A if (realms == NULL) {
2N/A result = SASL_NOMEM;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A _plug_strdup(params->utils, value, &realms[nrealm-1], NULL);
2N/A realms[nrealm] = NULL;
2N/A } else if (strcasecmp(name, "nonce") == 0) {
2N/A _plug_strdup(params->utils, value, (char **) &text->nonce,
2N/A NULL);
2N/A text->nonce_count = 1;
2N/A } else if (strcasecmp(name, "qop") == 0) {
2N/A while (value && *value) {
2N/A char *comma = strchr(value, ',');
2N/A if (comma != NULL) {
2N/A *comma++ = '\0';
2N/A }
2N/A
2N/A if (strcasecmp(value, "auth-conf") == 0) {
2N/A protection |= DIGEST_PRIVACY;
2N/A } else if (strcasecmp(value, "auth-int") == 0) {
2N/A protection |= DIGEST_INTEGRITY;
2N/A } else if (strcasecmp(value, "auth") == 0) {
2N/A protection |= DIGEST_NOLAYER;
2N/A } else {
2N/A params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
2N/A "Server supports unknown layer: %s\n",
2N/A value);
2N/A }
2N/A
2N/A value = comma;
2N/A }
2N/A
2N/A if (protection == 0) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A gettext("Server doesn't support known qop level"));
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Server doesn't support known qop level");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A goto FreeAllocatedMem;
2N/A }
2N/A } else if (strcasecmp(name, "cipher") == 0) {
2N/A while (value && *value) {
2N/A char *comma = strchr(value, ',');
2N/A#ifdef USE_UEF_CLIENT
2N/A struct digest_cipher *cipher = available_ciphers1;
2N/A#else
2N/A struct digest_cipher *cipher = available_ciphers;
2N/A#endif
2N/A
2N/A if (comma != NULL) {
2N/A *comma++ = '\0';
2N/A }
2N/A
2N/A /* do we support this cipher? */
2N/A while (cipher->name) {
2N/A if (!strcasecmp(value, cipher->name)) break;
2N/A cipher++;
2N/A }
2N/A if (cipher->name) {
2N/A ciphers |= cipher->flag;
2N/A } else {
2N/A params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
2N/A "Server supports unknown cipher: %s\n",
2N/A value);
2N/A }
2N/A
2N/A value = comma;
2N/A }
2N/A } else if (strcasecmp(name, "stale") == 0 && ctext->password) {
2N/A /* clear any cached password */
2N/A if (ctext->free_password)
2N/A _plug_free_secret(params->utils, &ctext->password);
2N/A ctext->password = NULL;
2N/A } else if (strcasecmp(name, "maxbuf") == 0) {
2N/A /* maxbuf A number indicating the size of the largest
2N/A * buffer the server is able to receive when using
2N/A * "auth-int". If this directive is missing, the default
2N/A * value is 65536. This directive may appear at most once;
2N/A * if multiple instances are present, the client should
2N/A * abort the authentication exchange.
2N/A */
2N/A maxbuf_count++;
2N/A
2N/A if (maxbuf_count != 1) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "At least two maxbuf directives found."
2N/A " Authentication aborted");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "At least two maxbuf directives found. Authentication aborted");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllocatedMem;
2N/A } else if (sscanf(value, "%u", &ctext->server_maxbuf) != 1) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Invalid maxbuf parameter received from server");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Invalid maxbuf parameter received from server");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllocatedMem;
2N/A } else {
2N/A if (ctext->server_maxbuf<=16) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Invalid maxbuf parameter received from server"
2N/A " (too small: %s)", value);
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Invalid maxbuf parameter received from server (too small: %s)", value);
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllocatedMem;
2N/A }
2N/A }
2N/A } else if (strcasecmp(name, "charset") == 0) {
2N/A if (strcasecmp(value, "utf-8") != 0) {
2N/A result = SASL_BADAUTH;
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Charset must be UTF-8");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Charset must be UTF-8");
2N/A#endif /* _SUN_SDK_ */
2N/A goto FreeAllocatedMem;
2N/A } else {
2N/A#ifndef _SUN_SDK_
2N/A IsUTF8 = TRUE;
2N/A#endif /* !_SUN_SDK_ */
2N/A }
2N/A } else if (strcasecmp(name,"algorithm")==0) {
2N/A if (strcasecmp(value, "md5-sess") != 0)
2N/A {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "'algorithm' isn't 'md5-sess'");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "'algorithm' isn't 'md5-sess'");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A algorithm_count++;
2N/A if (algorithm_count > 1)
2N/A {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Must see 'algorithm' only once");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Must see 'algorithm' only once");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A } else {
2N/A params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 unrecognized pair %s/%s: ignoring",
2N/A name, value);
2N/A }
2N/A }
2N/A
2N/A if (algorithm_count != 1) {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Must see 'algorithm' once. Didn't see at all");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Must see 'algorithm' once. Didn't see at all");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A /* make sure we have everything we require */
2N/A if (text->nonce == NULL) {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Don't have nonce.");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Don't have nonce.");
2N/A#endif /* _SUN_SDK_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A
2N/A /* get requested ssf */
2N/A external = params->external_ssf;
2N/A
2N/A /* what do we _need_? how much is too much? */
2N/A if (params->props.maxbufsize == 0) {
2N/A musthave = 0;
2N/A limit = 0;
2N/A } else {
2N/A if (params->props.max_ssf > external) {
2N/A limit = params->props.max_ssf - external;
2N/A } else {
2N/A limit = 0;
2N/A }
2N/A if (params->props.min_ssf > external) {
2N/A musthave = params->props.min_ssf - external;
2N/A } else {
2N/A musthave = 0;
2N/A }
2N/A }
2N/A
2N/A /* we now go searching for an option that gives us at least "musthave"
2N/A and at most "limit" bits of ssf. */
2N/A if ((limit > 1) && (protection & DIGEST_PRIVACY)) {
2N/A struct digest_cipher *cipher;
2N/A
2N/A /* let's find an encryption scheme that we like */
2N/A#ifdef USE_UEF_CLIENT
2N/A cipher = available_ciphers1;
2N/A#else
2N/A cipher = available_ciphers;
2N/A#endif
2N/A while (cipher->name) {
2N/A /* examine each cipher we support, see if it meets our security
2N/A requirements, and see if the server supports it.
2N/A choose the best one of these */
2N/A if ((limit >= cipher->ssf) && (musthave <= cipher->ssf) &&
2N/A (ciphers & cipher->flag) &&
2N/A (!ctext->cipher || (cipher->ssf > ctext->cipher->ssf))) {
2N/A ctext->cipher = cipher;
2N/A }
2N/A cipher++;
2N/A }
2N/A
2N/A if (ctext->cipher) {
2N/A /* we found a cipher we like */
2N/A ctext->protection = DIGEST_PRIVACY;
2N/A } else {
2N/A /* we didn't find any ciphers we like */
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A gettext("No good privacy layers"));
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "No good privacy layers");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A }
2N/A }
2N/A
2N/A if (ctext->cipher == NULL) {
2N/A /* we failed to find an encryption layer we liked;
2N/A can we use integrity or nothing? */
2N/A
2N/A if ((limit >= 1) && (musthave <= 1)
2N/A && (protection & DIGEST_INTEGRITY)) {
2N/A /* integrity */
2N/A ctext->protection = DIGEST_INTEGRITY;
2N/A#ifdef _SUN_SDK_
2N/A } else if (musthave == 0) {
2N/A#else
2N/A } else if (musthave <= 0) {
2N/A#endif /* _SUN_SDK_ */
2N/A /* no layer */
2N/A ctext->protection = DIGEST_NOLAYER;
2N/A
2N/A /* See if server supports not having a layer */
2N/A if ((protection & DIGEST_NOLAYER) != DIGEST_NOLAYER) {
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A gettext("Server doesn't support \"no layer\""));
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Server doesn't support \"no layer\"");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A result = SASL_FAIL;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A } else {
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A gettext("Can't find an acceptable layer"));
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "Can't find an acceptable layer");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A result = SASL_TOOWEAK;
2N/A goto FreeAllocatedMem;
2N/A }
2N/A }
2N/A
2N/A *outrealms = realms;
2N/A *noutrealm = nrealm;
2N/A
2N/A FreeAllocatedMem:
2N/A if (in_start) params->utils->free(in_start);
2N/A
2N/A if (result != SASL_OK && realms) {
2N/A int lup;
2N/A
2N/A /* need to free all the realms */
2N/A for (lup = 0;lup < nrealm; lup++)
2N/A params->utils->free(realms[lup]);
2N/A
2N/A params->utils->free(realms);
2N/A }
2N/A
2N/A return result;
2N/A}
2N/A
2N/Astatic int ask_user_info(client_context_t *ctext,
2N/A sasl_client_params_t *params,
2N/A char **realms, int nrealm,
2N/A sasl_interact_t **prompt_need,
2N/A sasl_out_params_t *oparams)
2N/A{
2N/A context_t *text = (context_t *) ctext;
2N/A int result = SASL_OK;
2N/A const char *authid = NULL, *userid = NULL, *realm = NULL;
2N/A char *realm_chal = NULL;
2N/A int user_result = SASL_OK;
2N/A int auth_result = SASL_OK;
2N/A int pass_result = SASL_OK;
2N/A int realm_result = SASL_FAIL;
2N/A
2N/A /* try to get the authid */
2N/A if (oparams->authid == NULL) {
2N/A auth_result = _plug_get_authid(params->utils, &authid, prompt_need);
2N/A
2N/A if ((auth_result != SASL_OK) && (auth_result != SASL_INTERACT)) {
2N/A return auth_result;
2N/A }
2N/A }
2N/A
2N/A /* try to get the userid */
2N/A if (oparams->user == NULL) {
2N/A user_result = _plug_get_userid(params->utils, &userid, prompt_need);
2N/A
2N/A if ((user_result != SASL_OK) && (user_result != SASL_INTERACT)) {
2N/A return user_result;
2N/A }
2N/A }
2N/A
2N/A /* try to get the password */
2N/A if (ctext->password == NULL) {
2N/A pass_result = _plug_get_password(params->utils, &ctext->password,
2N/A &ctext->free_password, prompt_need);
2N/A if ((pass_result != SASL_OK) && (pass_result != SASL_INTERACT)) {
2N/A return pass_result;
2N/A }
2N/A }
2N/A
2N/A /* try to get the realm */
2N/A if (text->realm == NULL) {
2N/A if (realms) {
2N/A if(nrealm == 1) {
2N/A /* only one choice */
2N/A realm = realms[0];
2N/A realm_result = SASL_OK;
2N/A } else {
2N/A /* ask the user */
2N/A realm_result = _plug_get_realm(params->utils,
2N/A (const char **) realms,
2N/A (const char **) &realm,
2N/A prompt_need);
2N/A }
2N/A }
2N/A
2N/A /* fake the realm if we must */
2N/A if ((realm_result != SASL_OK) && (realm_result != SASL_INTERACT)) {
2N/A if (params->serverFQDN) {
2N/A realm = params->serverFQDN;
2N/A } else {
2N/A return realm_result;
2N/A }
2N/A }
2N/A }
2N/A
2N/A /* free prompts we got */
2N/A if (prompt_need && *prompt_need) {
2N/A params->utils->free(*prompt_need);
2N/A *prompt_need = NULL;
2N/A }
2N/A
2N/A /* if there are prompts not filled in */
2N/A if ((user_result == SASL_INTERACT) || (auth_result == SASL_INTERACT) ||
2N/A (pass_result == SASL_INTERACT) || (realm_result == SASL_INTERACT)) {
2N/A
2N/A /* make our default realm */
2N/A if ((realm_result == SASL_INTERACT) && params->serverFQDN) {
2N/A realm_chal = params->utils->malloc(3+strlen(params->serverFQDN));
2N/A if (realm_chal) {
2N/A sprintf(realm_chal, "{%s}", params->serverFQDN);
2N/A } else {
2N/A return SASL_NOMEM;
2N/A }
2N/A }
2N/A
2N/A /* make the prompt list */
2N/A result =
2N/A#if defined _INTEGRATED_SOLARIS_
2N/A _plug_make_prompts(params->utils, &ctext->h, prompt_need,
2N/A user_result == SASL_INTERACT ?
2N/A convert_prompt(params->utils, &ctext->h,
2N/A gettext("Please enter your authorization name"))
2N/A : NULL,
2N/A NULL,
2N/A auth_result == SASL_INTERACT ?
2N/A convert_prompt(params->utils, &ctext->h,
2N/A gettext("Please enter your authentication name"))
2N/A : NULL,
2N/A NULL,
2N/A pass_result == SASL_INTERACT ?
2N/A convert_prompt(params->utils, &ctext->h,
2N/A gettext("Please enter your password"))
2N/A : NULL, NULL,
2N/A NULL, NULL, NULL,
2N/A realm_chal ? realm_chal : "{}",
2N/A realm_result == SASL_INTERACT ?
2N/A convert_prompt(params->utils, &ctext->h,
2N/A gettext("Please enter your realm")) : NULL,
2N/A params->serverFQDN ? params->serverFQDN : NULL);
2N/A#else
2N/A _plug_make_prompts(params->utils, prompt_need,
2N/A user_result == SASL_INTERACT ?
2N/A "Please enter your authorization name" : NULL,
2N/A NULL,
2N/A auth_result == SASL_INTERACT ?
2N/A "Please enter your authentication name" : NULL,
2N/A NULL,
2N/A pass_result == SASL_INTERACT ?
2N/A "Please enter your password" : NULL, NULL,
2N/A NULL, NULL, NULL,
2N/A realm_chal ? realm_chal : "{}",
2N/A realm_result == SASL_INTERACT ?
2N/A "Please enter your realm" : NULL,
2N/A params->serverFQDN ? params->serverFQDN : NULL);
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A
2N/A if (result == SASL_OK) return SASL_INTERACT;
2N/A
2N/A return result;
2N/A }
2N/A
2N/A if (oparams->authid == NULL) {
2N/A if (!userid || !*userid) {
2N/A result = params->canon_user(params->utils->conn, authid, 0,
2N/A SASL_CU_AUTHID | SASL_CU_AUTHZID,
2N/A oparams);
2N/A }
2N/A else {
2N/A result = params->canon_user(params->utils->conn,
2N/A authid, 0, SASL_CU_AUTHID, oparams);
2N/A if (result != SASL_OK) return result;
2N/A
2N/A result = params->canon_user(params->utils->conn,
2N/A userid, 0, SASL_CU_AUTHZID, oparams);
2N/A }
2N/A if (result != SASL_OK) return result;
2N/A }
2N/A
2N/A /* Get an allocated version of the realm into the structure */
2N/A if (realm && text->realm == NULL) {
2N/A _plug_strdup(params->utils, realm, (char **) &text->realm, NULL);
2N/A }
2N/A
2N/A return result;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_client_mech_new(void *glob_context,
2N/A sasl_client_params_t * params,
2N/A void **conn_context)
2N/A{
2N/A context_t *text;
2N/A
2N/A /* holds state are in -- allocate client size */
2N/A text = params->utils->malloc(sizeof(client_context_t));
2N/A if (text == NULL)
2N/A return SASL_NOMEM;
2N/A memset(text, 0, sizeof(client_context_t));
2N/A
2N/A text->state = 1;
2N/A text->i_am = CLIENT;
2N/A text->reauth = glob_context;
2N/A
2N/A *conn_context = text;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_client_mech_step1(client_context_t *ctext,
2N/A sasl_client_params_t *params,
2N/A const char *serverin __attribute__((unused)),
2N/A unsigned serverinlen __attribute__((unused)),
2N/A sasl_interact_t **prompt_need,
2N/A const char **clientout,
2N/A unsigned *clientoutlen,
2N/A sasl_out_params_t *oparams)
2N/A{
2N/A context_t *text = (context_t *) ctext;
2N/A int result = SASL_FAIL;
2N/A unsigned val;
2N/A
2N/A params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 client step 1");
2N/A
2N/A result = ask_user_info(ctext, params, NULL, 0, prompt_need, oparams);
2N/A if (result != SASL_OK) return result;
2N/A
2N/A /* check if we have cached info for this user on this server */
2N/A val = hash(params->serverFQDN) % text->reauth->size;
2N/A if (params->utils->mutex_lock(text->reauth->mutex) == SASL_OK) { /* LOCK */
2N/A if (text->reauth->e[val].u.c.serverFQDN &&
2N/A !strcasecmp(text->reauth->e[val].u.c.serverFQDN,
2N/A params->serverFQDN) &&
2N/A !strcmp(text->reauth->e[val].authid, oparams->authid)) {
2N/A
2N/A#ifdef _SUN_SDK_
2N/A if (text->realm) params->utils->free(text->realm);
2N/A if (text->nonce) params->utils->free(text->nonce);
2N/A if (text->cnonce) params->utils->free(text->cnonce);
2N/A#endif /* _SUN_SDK_ */
2N/A /* we have info, so use it */
2N/A _plug_strdup(params->utils, text->reauth->e[val].realm,
2N/A &text->realm, NULL);
2N/A#ifdef _SUN_SDK_
2N/A _plug_strdup(params->utils, (char *)text->reauth->e[val].nonce,
2N/A (char **) &text->nonce, NULL);
2N/A#else
2N/A _plug_strdup(params->utils, text->reauth->e[val].nonce,
2N/A (char **) &text->nonce, NULL);
2N/A#endif /* _SUN_SDK_ */
2N/A text->nonce_count = ++text->reauth->e[val].nonce_count;
2N/A#ifdef _SUN_SDK_
2N/A _plug_strdup(params->utils, (char *)text->reauth->e[val].cnonce,
2N/A (char **) &text->cnonce, NULL);
2N/A#else
2N/A _plug_strdup(params->utils, text->reauth->e[val].cnonce,
2N/A (char **) &text->cnonce, NULL);
2N/A#endif /* _SUN_SDK_ */
2N/A ctext->protection = text->reauth->e[val].u.c.protection;
2N/A ctext->cipher = text->reauth->e[val].u.c.cipher;
2N/A ctext->server_maxbuf = text->reauth->e[val].u.c.server_maxbuf;
2N/A }
2N/A params->utils->mutex_unlock(text->reauth->mutex); /* UNLOCK */
2N/A }
2N/A
2N/A if (!text->nonce) {
2N/A /* we don't have any reauth info, so just return
2N/A * that there is no initial client send */
2N/A text->state = 2;
2N/A return SASL_CONTINUE;
2N/A }
2N/A
2N/A /*
2N/A * (username | realm | nonce | cnonce | nonce-count | qop digest-uri |
2N/A * response | maxbuf | charset | auth-param )
2N/A */
2N/A
2N/A result = make_client_response(text, params, oparams);
2N/A if (result != SASL_OK) return result;
2N/A
2N/A *clientoutlen = strlen(text->out_buf);
2N/A *clientout = text->out_buf;
2N/A
2N/A text->state = 3;
2N/A return SASL_CONTINUE;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_client_mech_step2(client_context_t *ctext,
2N/A sasl_client_params_t *params,
2N/A const char *serverin,
2N/A unsigned serverinlen,
2N/A sasl_interact_t **prompt_need,
2N/A const char **clientout,
2N/A unsigned *clientoutlen,
2N/A sasl_out_params_t *oparams)
2N/A{
2N/A context_t *text = (context_t *) ctext;
2N/A int result = SASL_FAIL;
2N/A char **realms = NULL;
2N/A int nrealm = 0;
2N/A
2N/A params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 client step 2");
2N/A
2N/A if (params->props.min_ssf > params->props.max_ssf) {
2N/A return SASL_BADPARAM;
2N/A }
2N/A
2N/A /* don't bother parsing the challenge more than once */
2N/A if (text->nonce == NULL) {
2N/A result = parse_server_challenge(ctext, params, serverin, serverinlen,
2N/A &realms, &nrealm);
2N/A if (result != SASL_OK) goto FreeAllocatedMem;
2N/A
2N/A if (nrealm == 1) {
2N/A /* only one choice! */
2N/A text->realm = realms[0];
2N/A
2N/A /* free realms */
2N/A params->utils->free(realms);
2N/A realms = NULL;
2N/A }
2N/A }
2N/A
2N/A result = ask_user_info(ctext, params, realms, nrealm,
2N/A prompt_need, oparams);
2N/A if (result != SASL_OK) goto FreeAllocatedMem;
2N/A
2N/A /*
2N/A * (username | realm | nonce | cnonce | nonce-count | qop digest-uri |
2N/A * response | maxbuf | charset | auth-param )
2N/A */
2N/A
2N/A result = make_client_response(text, params, oparams);
2N/A if (result != SASL_OK) goto FreeAllocatedMem;
2N/A
2N/A *clientoutlen = strlen(text->out_buf);
2N/A *clientout = text->out_buf;
2N/A
2N/A text->state = 3;
2N/A
2N/A result = SASL_CONTINUE;
2N/A
2N/A FreeAllocatedMem:
2N/A if (realms) {
2N/A int lup;
2N/A
2N/A /* need to free all the realms */
2N/A for (lup = 0;lup < nrealm; lup++)
2N/A params->utils->free(realms[lup]);
2N/A
2N/A params->utils->free(realms);
2N/A }
2N/A
2N/A return result;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_client_mech_step3(client_context_t *ctext,
2N/A sasl_client_params_t *params,
2N/A const char *serverin,
2N/A unsigned serverinlen,
2N/A sasl_interact_t **prompt_need __attribute__((unused)),
2N/A const char **clientout __attribute__((unused)),
2N/A unsigned *clientoutlen __attribute__((unused)),
2N/A sasl_out_params_t *oparams)
2N/A{
2N/A context_t *text = (context_t *) ctext;
2N/A char *in = NULL;
2N/A char *in_start;
2N/A int result = SASL_FAIL;
2N/A
2N/A params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 client step 3");
2N/A
2N/A /* Verify that server is really what he claims to be */
2N/A in_start = in = params->utils->malloc(serverinlen + 1);
2N/A if (in == NULL) return SASL_NOMEM;
2N/A
2N/A memcpy(in, serverin, serverinlen);
2N/A in[serverinlen] = 0;
2N/A
2N/A /* parse the response */
2N/A while (in[0] != '\0') {
2N/A char *name, *value;
2N/A get_pair(&in, &name, &value);
2N/A
2N/A if (name == NULL) {
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "DIGEST-MD5 Received Garbage");
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "DIGEST-MD5 Received Garbage");
2N/A#endif /* _SUN_SDK_ */
2N/A break;
2N/A }
2N/A
2N/A if (strcasecmp(name, "rspauth") == 0) {
2N/A
2N/A if (strcmp(text->response_value, value) != 0) {
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A gettext("Server authentication failed"));
2N/A#else
2N/A params->utils->seterror(params->utils->conn, 0,
2N/A "DIGEST-MD5: This server wants us to believe that he knows shared secret");
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A result = SASL_FAIL;
2N/A } else {
2N/A oparams->doneflag = 1;
2N/A oparams->param_version = 0;
2N/A
2N/A result = SASL_OK;
2N/A }
2N/A break;
2N/A } else {
2N/A params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
2N/A "DIGEST-MD5 unrecognized pair %s/%s: ignoring",
2N/A name, value);
2N/A }
2N/A }
2N/A
2N/A params->utils->free(in_start);
2N/A
2N/A if (params->utils->mutex_lock(text->reauth->mutex) == SASL_OK) { /* LOCK */
2N/A unsigned val = hash(params->serverFQDN) % text->reauth->size;
2N/A switch (result) {
2N/A case SASL_OK:
2N/A if (text->nonce_count == 1) {
2N/A /* successful initial auth, setup for future reauth */
2N/A clear_reauth_entry(&text->reauth->e[val], CLIENT, params->utils);
2N/A _plug_strdup(params->utils, oparams->authid,
2N/A &text->reauth->e[val].authid, NULL);
2N/A text->reauth->e[val].realm = text->realm; text->realm = NULL;
2N/A text->reauth->e[val].nonce = text->nonce; text->nonce = NULL;
2N/A text->reauth->e[val].nonce_count = text->nonce_count;
2N/A text->reauth->e[val].cnonce = text->cnonce; text->cnonce = NULL;
2N/A _plug_strdup(params->utils, params->serverFQDN,
2N/A &text->reauth->e[val].u.c.serverFQDN, NULL);
2N/A text->reauth->e[val].u.c.protection = ctext->protection;
2N/A text->reauth->e[val].u.c.cipher = ctext->cipher;
2N/A text->reauth->e[val].u.c.server_maxbuf = ctext->server_maxbuf;
2N/A }
2N/A#ifndef _SUN_SDK_
2N/A else {
2N/A /* reauth, we already incremented nonce_count */
2N/A }
2N/A#endif /* !_SUN_SDK_ */
2N/A break;
2N/A default:
2N/A if (text->nonce_count > 1) {
2N/A /* failed reauth, clear cache */
2N/A clear_reauth_entry(&text->reauth->e[val], CLIENT, params->utils);
2N/A }
2N/A else {
2N/A /* failed initial auth, leave existing cache */
2N/A }
2N/A }
2N/A params->utils->mutex_unlock(text->reauth->mutex); /* UNLOCK */
2N/A }
2N/A
2N/A return result;
2N/A}
2N/A
2N/Astatic int
2N/Adigestmd5_client_mech_step(void *conn_context,
2N/A sasl_client_params_t *params,
2N/A const char *serverin,
2N/A unsigned serverinlen,
2N/A sasl_interact_t **prompt_need,
2N/A const char **clientout,
2N/A unsigned *clientoutlen,
2N/A sasl_out_params_t *oparams)
2N/A{
2N/A context_t *text = (context_t *) conn_context;
2N/A client_context_t *ctext = (client_context_t *) conn_context;
2N/A unsigned val = hash(params->serverFQDN) % text->reauth->size;
2N/A
2N/A if (serverinlen > 2048) return SASL_BADPROT;
2N/A
2N/A *clientout = NULL;
2N/A *clientoutlen = 0;
2N/A
2N/A switch (text->state) {
2N/A
2N/A case 1:
2N/A if (!serverin) {
2N/A /* here's where we attempt fast reauth if possible */
2N/A int reauth = 0;
2N/A
2N/A /* check if we have saved info for this server */
2N/A if (params->utils->mutex_lock(text->reauth->mutex) == SASL_OK) { /* LOCK */
2N/A reauth = text->reauth->e[val].u.c.serverFQDN &&
2N/A !strcasecmp(text->reauth->e[val].u.c.serverFQDN,
2N/A params->serverFQDN);
2N/A params->utils->mutex_unlock(text->reauth->mutex); /* UNLOCK */
2N/A }
2N/A if (reauth) {
2N/A return digestmd5_client_mech_step1(ctext, params,
2N/A serverin, serverinlen,
2N/A prompt_need,
2N/A clientout, clientoutlen,
2N/A oparams);
2N/A }
2N/A else {
2N/A /* we don't have any reauth info, so just return
2N/A * that there is no initial client send */
2N/A text->state = 2;
2N/A return SASL_CONTINUE;
2N/A }
2N/A }
2N/A
2N/A /* fall through and respond to challenge */
2N/A
2N/A case 3:
2N/A if (serverin && !strncasecmp(serverin, "rspauth=", 8)) {
2N/A return digestmd5_client_mech_step3(ctext, params,
2N/A serverin, serverinlen,
2N/A prompt_need,
2N/A clientout, clientoutlen,
2N/A oparams);
2N/A }
2N/A
2N/A /* fall through and respond to challenge */
2N/A text->state = 2;
2N/A
2N/A /* cleanup after a failed reauth attempt */
2N/A if (params->utils->mutex_lock(text->reauth->mutex) == SASL_OK) { /* LOCK */
2N/A clear_reauth_entry(&text->reauth->e[val], CLIENT, params->utils);
2N/A
2N/A params->utils->mutex_unlock(text->reauth->mutex); /* UNLOCK */
2N/A }
2N/A
2N/A if (text->realm) params->utils->free(text->realm);
2N/A if (text->nonce) params->utils->free(text->nonce);
2N/A if (text->cnonce) params->utils->free(text->cnonce);
2N/A#ifdef _SUN_SDK_
2N/A text->realm = NULL;
2N/A text->nonce = text->cnonce = NULL;
2N/A#else
2N/A text->realm = text->nonce = text->cnonce = NULL;
2N/A#endif /* _SUN_SDK_ */
2N/A ctext->cipher = NULL;
2N/A
2N/A case 2:
2N/A return digestmd5_client_mech_step2(ctext, params,
2N/A serverin, serverinlen,
2N/A prompt_need,
2N/A clientout, clientoutlen,
2N/A oparams);
2N/A
2N/A default:
2N/A#ifdef _SUN_SDK_
2N/A params->utils->log(params->utils->conn, SASL_LOG_ERR,
2N/A "Invalid DIGEST-MD5 client step %d", text->state);
2N/A#else
2N/A params->utils->log(NULL, SASL_LOG_ERR,
2N/A "Invalid DIGEST-MD5 client step %d\n", text->state);
2N/A#endif /* _SUN_SDK_ */
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A return SASL_FAIL; /* should never get here */
2N/A}
2N/A
2N/Astatic void
2N/Adigestmd5_client_mech_dispose(void *conn_context, const sasl_utils_t *utils)
2N/A{
2N/A client_context_t *ctext = (client_context_t *) conn_context;
2N/A
2N/A if (!ctext || !utils) return;
2N/A
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A convert_prompt(utils, &ctext->h, NULL);
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A
2N/A if (ctext->free_password) _plug_free_secret(utils, &ctext->password);
2N/A
2N/A digestmd5_common_mech_dispose(conn_context, utils);
2N/A}
2N/A
2N/Astatic sasl_client_plug_t digestmd5_client_plugins[] =
2N/A{
2N/A {
2N/A "DIGEST-MD5",
2N/A /* EXPORT DELETE START */
2N/A#ifdef WITH_RC4 /* mech_name */
2N/A 128, /* max ssf */
2N/A#elif WITH_DES
2N/A 112,
2N/A#else
2N/A /* EXPORT DELETE END */
2N/A 0,
2N/A /* EXPORT DELETE START */
2N/A#endif
2N/A /* EXPORT DELETE END */
2N/A SASL_SEC_NOPLAINTEXT
2N/A | SASL_SEC_NOANONYMOUS
2N/A | SASL_SEC_MUTUAL_AUTH, /* security_flags */
2N/A SASL_FEAT_ALLOWS_PROXY, /* features */
2N/A NULL, /* required_prompts */
2N/A NULL, /* glob_context */
2N/A &digestmd5_client_mech_new, /* mech_new */
2N/A &digestmd5_client_mech_step, /* mech_step */
2N/A &digestmd5_client_mech_dispose, /* mech_dispose */
2N/A &digestmd5_common_mech_free, /* mech_free */
2N/A NULL, /* idle */
2N/A NULL, /* spare1 */
2N/A NULL /* spare2 */
2N/A }
2N/A};
2N/A
2N/Aint digestmd5_client_plug_init(sasl_utils_t *utils,
2N/A int maxversion,
2N/A int *out_version,
2N/A sasl_client_plug_t **pluglist,
2N/A int *plugcount)
2N/A{
2N/A reauth_cache_t *reauth_cache;
2N/A#if defined _SUN_SDK_ && defined USE_UEF
2N/A int ret;
2N/A#endif /* _SUN_SDK_ && USE_UEF */
2N/A
2N/A if (maxversion < SASL_CLIENT_PLUG_VERSION)
2N/A return SASL_BADVERS;
2N/A
2N/A#if defined _SUN_SDK_ && defined USE_UEF
2N/A if ((ret = uef_init(utils)) != SASL_OK)
2N/A return ret;
2N/A#endif /* _SUN_SDK_ && USE_UEF */
2N/A
2N/A /* reauth cache */
2N/A reauth_cache = utils->malloc(sizeof(reauth_cache_t));
2N/A if (reauth_cache == NULL)
2N/A return SASL_NOMEM;
2N/A memset(reauth_cache, 0, sizeof(reauth_cache_t));
2N/A reauth_cache->i_am = CLIENT;
2N/A
2N/A /* mutex */
2N/A reauth_cache->mutex = utils->mutex_alloc();
2N/A if (!reauth_cache->mutex)
2N/A return SASL_FAIL;
2N/A
2N/A /* entries */
2N/A reauth_cache->size = 10;
2N/A reauth_cache->e = utils->malloc(reauth_cache->size *
2N/A sizeof(reauth_entry_t));
2N/A if (reauth_cache->e == NULL)
2N/A return SASL_NOMEM;
2N/A memset(reauth_cache->e, 0, reauth_cache->size * sizeof(reauth_entry_t));
2N/A
2N/A digestmd5_client_plugins[0].glob_context = reauth_cache;
2N/A#ifdef _SUN_SDK_
2N/A#ifdef USE_UEF_CLIENT
2N/A digestmd5_client_plugins[0].max_ssf = uef_max_ssf;
2N/A#endif /* USE_UEF_CLIENT */
2N/A#endif /* _SUN_SDK_ */
2N/A
2N/A /* EXPORT DELETE START */
2N/A /* CRYPT DELETE START */
2N/A#ifdef _INTEGRATED_SOLARIS_
2N/A /*
2N/A * Let libsasl know that we are a "Sun" plugin so that privacy
2N/A * and integrity will be allowed.
2N/A */
2N/A REG_PLUG("DIGEST-MD5", digestmd5_client_plugins);
2N/A#endif /* _INTEGRATED_SOLARIS_ */
2N/A /* CRYPT DELETE END */
2N/A /* EXPORT DELETE END */
2N/A
2N/A *out_version = SASL_CLIENT_PLUG_VERSION;
2N/A *pluglist = digestmd5_client_plugins;
2N/A *plugcount = 1;
2N/A
2N/A return SASL_OK;
2N/A}
2N/A
2N/A#ifdef _SUN_SDK_
2N/A#ifdef USE_UEF
2N/A/* If we fail here - we should just not offer privacy or integrity */
2N/Astatic int
2N/AgetSlotID(const sasl_utils_t *utils, CK_MECHANISM_TYPE mech_type,
2N/A CK_SLOT_ID *slot_id)
2N/A{
2N/A CK_RV rv;
2N/A CK_ULONG ulSlotCount;
2N/A CK_ULONG ulMechTypeCount;
2N/A CK_SLOT_ID *pSlotList = NULL;
2N/A CK_SLOT_ID slotID;
2N/A CK_MECHANISM_TYPE_PTR pMechTypeList = NULL;
2N/A int i, m;
2N/A
2N/A rv = C_GetSlotList(CK_FALSE, NULL_PTR, &ulSlotCount);
2N/A if (rv != CKR_OK || ulSlotCount == 0) {
2N/A#ifdef DEBUG
2N/A utils->log(utils->conn, SASL_LOG_DEBUG,
2N/A "C_GetSlotList: 0x%.8X count:%d\n", rv, ulSlotCount);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A pSlotList = utils->calloc(sizeof (CK_SLOT_ID), ulSlotCount);
2N/A if (pSlotList == NULL)
2N/A return SASL_NOMEM;
2N/A
2N/A rv = C_GetSlotList(CK_FALSE, pSlotList, &ulSlotCount);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A utils->log(utils->conn, SASL_LOG_DEBUG,
2N/A "C_GetSlotList: 0x%.8X count:%d\n", rv, ulSlotCount);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A for (i = 0; i < ulSlotCount; i++) {
2N/A slotID = pSlotList[i];
2N/A rv = C_GetMechanismList(slotID, NULL_PTR, &ulMechTypeCount);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A utils->log(utils->conn, SASL_LOG_DEBUG,
2N/A "C_GetMechanismList returned 0x%.8X count:%d\n", rv,
2N/A ulMechTypeCount);
2N/A#endif
2N/A utils->free(pSlotList);
2N/A return SASL_FAIL;
2N/A }
2N/A pMechTypeList =
2N/A utils->calloc(sizeof (CK_MECHANISM_TYPE), ulMechTypeCount);
2N/A if (pMechTypeList == NULL_PTR) {
2N/A utils->free(pSlotList);
2N/A return SASL_NOMEM;
2N/A }
2N/A rv = C_GetMechanismList(slotID, pMechTypeList, &ulMechTypeCount);
2N/A if (rv != CKR_OK) {
2N/A#ifdef DEBUG
2N/A utils->log(utils->conn, SASL_LOG_DEBUG,
2N/A "C_GetMechanismList returned 0x%.8X count:%d\n", rv,
2N/A ulMechTypeCount);
2N/A#endif
2N/A utils->free(pMechTypeList);
2N/A utils->free(pSlotList);
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A for (m = 0; m < ulMechTypeCount; m++) {
2N/A if (pMechTypeList[m] == mech_type)
2N/A break;
2N/A }
2N/A utils->free(pMechTypeList);
2N/A pMechTypeList = NULL;
2N/A if (m < ulMechTypeCount)
2N/A break;
2N/A }
2N/A utils->free(pSlotList);
2N/A if (i < ulSlotCount) {
2N/A *slot_id = slotID;
2N/A return SASL_OK;
2N/A }
2N/A return SASL_FAIL;
2N/A}
2N/A
2N/Astatic int
2N/Auef_init(const sasl_utils_t *utils)
2N/A{
2N/A int got_rc4;
2N/A int got_des;
2N/A int got_3des;
2N/A int next_c;
2N/A CK_RV rv;
2N/A
2N/A if (got_uef_slot)
2N/A return (SASL_OK);
2N/A
2N/A if (LOCK_MUTEX(&uef_init_mutex) < 0)
2N/A return (SASL_FAIL);
2N/A
2N/A rv = C_Initialize(NULL_PTR);
2N/A if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) {
2N/A#ifdef DEBUG
2N/A utils->log(utils->conn, SASL_LOG_DEBUG,
2N/A "C_Initialize returned 0x%.8X\n", rv);
2N/A#endif
2N/A return SASL_FAIL;
2N/A }
2N/A
2N/A got_rc4 = getSlotID(utils, CKM_RC4, &rc4_slot_id) == SASL_OK;
2N/A if (!got_rc4)
2N/A utils->log(utils->conn, SASL_LOG_WARN, "Could not get rc4");
2N/A
2N/A got_des = getSlotID(utils, CKM_DES_CBC, &des_slot_id) == SASL_OK;
2N/A if (!got_des)
2N/A utils->log(utils->conn, SASL_LOG_WARN, "Could not get des");
2N/A
2N/A got_3des = getSlotID(utils, CKM_DES3_CBC, &des3_slot_id) == SASL_OK;
2N/A if (!got_3des)
2N/A utils->log(utils->conn, SASL_LOG_WARN, "Could not get 3des");
2N/A
2N/A uef_max_ssf = got_rc4 ? 128 : got_3des ? 112 : got_des ? 55 : 0;
2N/A
2N/A /* adjust the available ciphers */
2N/A next_c = (got_rc4) ? 3 : 0;
2N/A
2N/A if (got_des) {
2N/A uef_ciphers[next_c].name = uef_ciphers[DES_CIPHER_INDEX].name;
2N/A uef_ciphers[next_c].ssf = uef_ciphers[DES_CIPHER_INDEX].ssf;
2N/A uef_ciphers[next_c].n = uef_ciphers[DES_CIPHER_INDEX].n;
2N/A uef_ciphers[next_c].flag = uef_ciphers[DES_CIPHER_INDEX].flag;
2N/A uef_ciphers[next_c].cipher_enc =
2N/A uef_ciphers[DES_CIPHER_INDEX].cipher_enc;
2N/A uef_ciphers[next_c].cipher_dec =
2N/A uef_ciphers[DES_CIPHER_INDEX].cipher_dec;
2N/A uef_ciphers[next_c].cipher_init =
2N/A uef_ciphers[DES_CIPHER_INDEX].cipher_init;
2N/A next_c++;
2N/A }
2N/A
2N/A if (got_3des) {
2N/A uef_ciphers[next_c].name = uef_ciphers[DES3_CIPHER_INDEX].name;
2N/A uef_ciphers[next_c].ssf = uef_ciphers[DES3_CIPHER_INDEX].ssf;
2N/A uef_ciphers[next_c].n = uef_ciphers[DES3_CIPHER_INDEX].n;
2N/A uef_ciphers[next_c].flag = uef_ciphers[DES3_CIPHER_INDEX].flag;
2N/A uef_ciphers[next_c].cipher_enc =
2N/A uef_ciphers[DES3_CIPHER_INDEX].cipher_enc;
2N/A uef_ciphers[next_c].cipher_dec =
2N/A uef_ciphers[DES3_CIPHER_INDEX].cipher_dec;
2N/A uef_ciphers[next_c].cipher_init =
2N/A uef_ciphers[DES3_CIPHER_INDEX].cipher_init;
2N/A next_c++;
2N/A }
2N/A uef_ciphers[next_c].name = NULL;
2N/A
2N/A got_uef_slot = TRUE;
2N/A UNLOCK_MUTEX(&uef_init_mutex);
2N/A
2N/A return (SASL_OK);
2N/A}
2N/A#endif /* USE_UEF */
2N/A#endif /* _SUN_SDK_ */