1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
/* ========================================================================
* Copyright 1988-2006 University of Washington
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* ========================================================================
*/
/*
* Program: Plain authenticator
*
* Author: Mark Crispin
* Networks and Distributed Computing
* Computing & Communications
* University of Washington
* Administration Building, AG-44
* Seattle, WA 98195
* Internet: MRC@CAC.Washington.EDU
*
* Date: 22 September 1998
* Last Edited: 30 August 2006
*/
long auth_plain_client (authchallenge_t challenger,authrespond_t responder,
char *service,NETMBX *mb,void *stream,
unsigned long *trial,char *user);
char *auth_plain_server (authresponse_t responder,int argc,char *argv[]);
AUTHENTICATOR auth_pla = {
AU_AUTHUSER | AU_HIDE, /* allow authuser, hidden */
"PLAIN", /* authenticator name */
NIL, /* always valid */
auth_plain_client, /* client method */
auth_plain_server, /* server method */
NIL /* next authenticator */
};
/* Client authenticator
* Accepts: challenger function
* responder function
* SASL service name
* parsed network mailbox structure
* stream argument for functions
* pointer to current trial count
* returned user name
* Returns: T if success, NIL otherwise, number of trials incremented if retry
*/
long auth_plain_client (authchallenge_t challenger,authrespond_t responder,
char *service,NETMBX *mb,void *stream,
unsigned long *trial,char *user)
{
char *u,pwd[MAILTMPLEN];
void *challenge;
unsigned long clen;
long ret = NIL;
/* snarl if not SSL/TLS session */
if (!mb->sslflag && !mb->tlsflag)
mm_log ("SECURITY PROBLEM: insecure server advertised AUTH=PLAIN",WARN);
/* get initial (empty) challenge */
if (challenge = (*challenger) (stream,&clen)) {
fs_give ((void **) &challenge);
if (clen) { /* abort if challenge non-empty */
mm_log ("Server bug: non-empty initial PLAIN challenge",WARN);
(*responder) (stream,NIL,0);
ret = LONGT; /* will get a BAD response back */
}
pwd[0] = NIL; /* prompt user if empty challenge */
mm_login (mb,user,pwd,*trial);
if (!pwd[0]) { /* empty challenge or user requested abort */
(*responder) (stream,NIL,0);
*trial = 0; /* cancel subsequent attempts */
ret = LONGT; /* will get a BAD response back */
}
else {
unsigned long rlen =
strlen (mb->authuser) + strlen (user) + strlen (pwd) + 2;
char *response = (char *) fs_get (rlen);
char *t = response; /* copy authorization id */
if (mb->authuser[0]) for (u = user; *u; *t++ = *u++);
*t++ = '\0'; /* delimiting NUL */
/* copy authentication id */
for (u = mb->authuser[0] ? mb->authuser : user; *u; *t++ = *u++);
*t++ = '\0'; /* delimiting NUL */
/* copy password */
for (u = pwd; *u; *t++ = *u++);
/* send credentials */
if ((*responder) (stream,response,rlen)) {
if (challenge = (*challenger) (stream,&clen))
fs_give ((void **) &challenge);
else {
++*trial; /* can try again if necessary */
ret = LONGT; /* check the authentication */
}
}
memset (response,0,rlen); /* erase credentials */
fs_give ((void **) &response);
}
}
memset (pwd,0,MAILTMPLEN); /* erase password */
if (!ret) *trial = 65535; /* don't retry if bad protocol */
return ret;
}
/* Server authenticator
* Accepts: responder function
* argument count
* argument vector
* Returns: authenticated user name or NIL
*/
char *auth_plain_server (authresponse_t responder,int argc,char *argv[])
{
char *ret = NIL;
char *user,*aid,*pass;
unsigned long len;
/* get user name */
if (aid = (*responder) ("",0,&len)) {
/* note: responders null-terminate */
if ((((unsigned long) ((user = aid + strlen (aid) + 1) - aid)) < len) &&
(((unsigned long) ((pass = user + strlen (user) + 1) - aid)) < len) &&
(((unsigned long) ((pass + strlen (pass)) - aid)) == len) &&
(*aid ? server_login (aid,pass,user,argc,argv) :
server_login (user,pass,NIL,argc,argv))) ret = myusername ();
fs_give ((void **) &aid);
}
return ret;
}
|