diff options
| author | Pierre POMES <pierre.pomes@gmail.com> | 2011-01-02 15:30:44 -0500 |
|---|---|---|
| committer | Pierre POMES <pierre.pomes@gmail.com> | 2011-01-02 15:30:44 -0500 |
| commit | 2cd8d942d64d090e5672dd963eb75012a8242330 (patch) | |
| tree | efcc1e136a978e94e7c9e7bb319ebca3d436590b | |
| parent | 76d11a57802be53c7cbb274c49ec8646279d0f40 (diff) | |
| download | pfsense-2cd8d942d64d090e5672dd963eb75012a8242330.zip pfsense-2cd8d942d64d090e5672dd963eb75012a8242330.tar.gz | |
Ticket #1141. Add necessary stuff for smtp auth using sasl
| -rw-r--r-- | etc/inc/basic_sasl_client.inc | 61 | ||||
| -rw-r--r-- | etc/inc/cram_md5_sasl_client.inc | 67 | ||||
| -rw-r--r-- | etc/inc/digest_sasl_client.inc | 135 | ||||
| -rw-r--r-- | etc/inc/login_sasl_client.inc | 69 | ||||
| -rw-r--r-- | etc/inc/notices.inc | 3 | ||||
| -rw-r--r-- | etc/inc/ntlm_sasl_client.inc | 180 | ||||
| -rw-r--r-- | etc/inc/plain_sasl_client.inc | 99 |
7 files changed, 613 insertions, 1 deletions
diff --git a/etc/inc/basic_sasl_client.inc b/etc/inc/basic_sasl_client.inc new file mode 100644 index 0000000..b2972b5 --- /dev/null +++ b/etc/inc/basic_sasl_client.inc @@ -0,0 +1,61 @@ +<?php +/* + * basic_sasl_client.php + * + * @(#) $Id: basic_sasl_client.php,v 1.1 2004/11/17 08:01:23 mlemos Exp $ + * + */ + +define("SASL_BASIC_STATE_START", 0); +define("SASL_BASIC_STATE_DONE", 1); + +class basic_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_BASIC_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_BASIC_STATE_START) + { + $client->error="Basic authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"" + ); + $defaults=array( + ); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + { + $message=$this->credentials["user"].":".$this->credentials["password"]; + $this->state=SASL_BASIC_STATE_DONE; + } + else + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_BASIC_STATE_DONE: + $client->error="Basic authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid Basic authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/cram_md5_sasl_client.inc b/etc/inc/cram_md5_sasl_client.inc new file mode 100644 index 0000000..69bd625 --- /dev/null +++ b/etc/inc/cram_md5_sasl_client.inc @@ -0,0 +1,67 @@ +<?php +/* + * cram_md5_sasl_client.php + * + * @(#) $Id: cram_md5_sasl_client.php,v 1.3 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_CRAM_MD5_STATE_START", 0); +define("SASL_CRAM_MD5_STATE_RESPOND_CHALLENGE", 1); +define("SASL_CRAM_MD5_STATE_DONE", 2); + +class cram_md5_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_CRAM_MD5_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function HMACMD5($key,$text) + { + $key=(strlen($key)<64 ? str_pad($key,64,"\0") : substr($key,0,64)); + return(md5((str_repeat("\x5c", 64)^$key).pack("H32", md5((str_repeat("\x36", 64)^$key).$text)))); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_CRAM_MD5_STATE_START) + { + $client->error="CRAM-MD5 authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"" + ); + $defaults=array(); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_CRAM_MD5_STATE_RESPOND_CHALLENGE; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_CRAM_MD5_STATE_RESPOND_CHALLENGE: + $message=$this->credentials["user"]." ".$this->HMACMD5($this->credentials["password"], $response); + $this->state=SASL_CRAM_MD5_STATE_DONE; + break; + case SASL_CRAM_MD5_STATE_DONE: + $client->error="CRAM-MD5 authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid CRAM-MD5 authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/digest_sasl_client.inc b/etc/inc/digest_sasl_client.inc new file mode 100644 index 0000000..924887d --- /dev/null +++ b/etc/inc/digest_sasl_client.inc @@ -0,0 +1,135 @@ +<?php +/* + * digest_sasl_client.php + * + * @(#) $Id: digest_sasl_client.php,v 1.1 2005/10/27 05:24:15 mlemos Exp $ + * + */ + +define('SASL_DIGEST_STATE_START', 0); +define('SASL_DIGEST_STATE_RESPOND_CHALLENGE', 1); +define('SASL_DIGEST_STATE_DONE', 2); + +class digest_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_DIGEST_STATE_START; + + Function unq($string) + { + return(($string[0]=='"' && $string[strlen($string)-1]=='"') ? substr($string, 1, strlen($string)-2) : $string); + } + + Function H($data) + { + return md5($data); + } + + Function KD($secret, $data) + { + return $this->H($secret.':'.$data); + } + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_DIGEST_STATE_START) + { + $client->error='Digest authentication state is not at the start'; + return(SASL_FAIL); + } + $this->credentials=array( + 'user'=>'', + 'password'=>'', + 'uri'=>'', + 'method'=>'', + 'session'=>'' + ); + $defaults=array(); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_DIGEST_STATE_RESPOND_CHALLENGE; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_DIGEST_STATE_RESPOND_CHALLENGE: + $values=explode(',',$response); + $parameters=array(); + for($v=0; $v<count($values); $v++) + $parameters[strtok(trim($values[$v]), '=')]=strtok(''); + + $message='username="'.$this->credentials['user'].'"'; + if(!IsSet($parameters[$p='realm']) + && !IsSet($parameters[$p='nonce'])) + { + $client->error='Digest authentication parameter '.$p.' is missing from the server response'; + return(SASL_FAIL); + } + $message.=', realm='.$parameters['realm']; + $message.=', nonce='.$parameters['nonce']; + $message.=', uri="'.$this->credentials['uri'].'"'; + if(IsSet($parameters['algorithm'])) + { + $algorithm=$this->unq($parameters['algorithm']); + $message.=', algorithm='.$parameters['algorithm']; + } + else + $algorithm=''; + + $realm=$this->unq($parameters['realm']); + $nonce=$this->unq($parameters['nonce']); + if(IsSet($parameters['qop'])) + { + switch($qop=$this->unq($parameters['qop'])) + { + case "auth": + $cnonce=$this->credentials['session']; + break; + default: + $client->error='Digest authentication quality of protection '.$qop.' is not yet supported'; + return(SASL_FAIL); + } + } + $nc_value='00000001'; + if(IsSet($parameters['qop']) + && !strcmp($algorithm, 'MD5-sess')) + $A1=$this->H($this->credentials['user'].':'. $realm.':'. $this->credentials['password']).':'.$nonce.':'.$cnonce; + else + $A1=$this->credentials['user'].':'. $realm.':'. $this->credentials['password']; + $A2=$this->credentials['method'].':'.$this->credentials['uri']; + if(IsSet($parameters['qop'])) + $response=$this->KD($this->H($A1), $nonce.':'. $nc_value.':'. $cnonce.':'. $qop.':'. $this->H($A2)); + else + $response=$this->KD($this->H($A1), $nonce.':'. $this->H($A2)); + $message.=', response="'.$response.'"'; + if(IsSet($parameters['opaque'])) + $message.=', opaque='.$parameters['opaque']; + if(IsSet($parameters['qop'])) + $message.=', qop="'.$qop.'"'; + $message.=', nc='.$nc_value; + if(IsSet($parameters['qop'])) + $message.=', cnonce="'.$cnonce.'"'; + $client->encode_response=0; + $this->state=SASL_DIGEST_STATE_DONE; + break; + case SASL_DIGEST_STATE_DONE: + $client->error='Digest authentication was finished without success'; + return(SASL_FAIL); + default: + $client->error='invalid Digest authentication step state'; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/login_sasl_client.inc b/etc/inc/login_sasl_client.inc new file mode 100644 index 0000000..923d16e --- /dev/null +++ b/etc/inc/login_sasl_client.inc @@ -0,0 +1,69 @@ +<?php +/* + * login_sasl_client.php + * + * @(#) $Id: login_sasl_client.php,v 1.2 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_LOGIN_STATE_START", 0); +define("SASL_LOGIN_STATE_IDENTIFY_USER", 1); +define("SASL_LOGIN_STATE_IDENTIFY_PASSWORD", 2); +define("SASL_LOGIN_STATE_DONE", 3); + +class login_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_LOGIN_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_LOGIN_STATE_START) + { + $client->error="LOGIN authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"", + "realm"=>"" + ); + $defaults=array( + "realm"=>"" + ); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_LOGIN_STATE_IDENTIFY_USER; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_LOGIN_STATE_IDENTIFY_USER: + $message=$this->credentials["user"].(strlen($this->credentials["realm"]) ? "@".$this->credentials["realm"] : ""); + $this->state=SASL_LOGIN_STATE_IDENTIFY_PASSWORD; + break; + case SASL_LOGIN_STATE_IDENTIFY_PASSWORD: + $message=$this->credentials["password"]; + $this->state=SASL_LOGIN_STATE_DONE; + break; + case SASL_LOGIN_STATE_DONE: + $client->error="LOGIN authentication was finished without success"; + break; + default: + $client->error="invalid LOGIN authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/notices.inc b/etc/inc/notices.inc index 34cbd82..aa3a33e 100644 --- a/etc/inc/notices.inc +++ b/etc/inc/notices.inc @@ -283,6 +283,7 @@ function notify_via_smtp($message) { return; } + require_once("sasl.inc"); require_once("smtp.inc"); $smtp = new smtp_class; @@ -379,4 +380,4 @@ function register_via_growl() { } } -?>
\ No newline at end of file +?> diff --git a/etc/inc/ntlm_sasl_client.inc b/etc/inc/ntlm_sasl_client.inc new file mode 100644 index 0000000..406edf2 --- /dev/null +++ b/etc/inc/ntlm_sasl_client.inc @@ -0,0 +1,180 @@ +<?php +/* + * ntlm_sasl_client.php + * + * @(#) $Id: ntlm_sasl_client.php,v 1.3 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_NTLM_STATE_START", 0); +define("SASL_NTLM_STATE_IDENTIFY_DOMAIN", 1); +define("SASL_NTLM_STATE_RESPOND_CHALLENGE", 2); +define("SASL_NTLM_STATE_DONE", 3); + +class ntlm_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_NTLM_STATE_START; + + Function Initialize(&$client) + { + if(!function_exists($function="mcrypt_encrypt") + || !function_exists($function="mhash")) + { + $extensions=array( + "mcrypt_encrypt"=>"mcrypt", + "mhash"=>"mhash" + ); + $client->error="the extension ".$extensions[$function]." required by the NTLM SASL client class is not available in this PHP configuration"; + return(0); + } + return(1); + } + + Function ASCIIToUnicode($ascii) + { + for($unicode="",$a=0;$a<strlen($ascii);$a++) + $unicode.=substr($ascii,$a,1).chr(0); + return($unicode); + } + + Function TypeMsg1($domain,$workstation) + { + $domain_length=strlen($domain); + $workstation_length=strlen($workstation); + $workstation_offset=32; + $domain_offset=$workstation_offset+$workstation_length; + return( + "NTLMSSP\0". + "\x01\x00\x00\x00". + "\x07\x32\x00\x00". + pack("v",$domain_length). + pack("v",$domain_length). + pack("V",$domain_offset). + pack("v",$workstation_length). + pack("v",$workstation_length). + pack("V",$workstation_offset). + $workstation. + $domain + ); + } + + Function NTLMResponse($challenge,$password) + { + $unicode=$this->ASCIIToUnicode($password); + $md4=mhash(MHASH_MD4,$unicode); + $padded=$md4.str_repeat(chr(0),21-strlen($md4)); + $iv_size=mcrypt_get_iv_size(MCRYPT_DES,MCRYPT_MODE_ECB); + $iv=mcrypt_create_iv($iv_size,MCRYPT_RAND); + for($response="",$third=0;$third<21;$third+=7) + { + for($packed="",$p=$third;$p<$third+7;$p++) + $packed.=str_pad(decbin(ord(substr($padded,$p,1))),8,"0",STR_PAD_LEFT); + for($key="",$p=0;$p<strlen($packed);$p+=7) + { + $s=substr($packed,$p,7); + $b=$s.((substr_count($s,"1") % 2) ? "0" : "1"); + $key.=chr(bindec($b)); + } + $ciphertext=mcrypt_encrypt(MCRYPT_DES,$key,$challenge,MCRYPT_MODE_ECB,$iv); + $response.=$ciphertext; + } + return $response; + } + + Function TypeMsg3($ntlm_response,$user,$domain,$workstation) + { + $domain_unicode=$this->ASCIIToUnicode($domain); + $domain_length=strlen($domain_unicode); + $domain_offset=64; + $user_unicode=$this->ASCIIToUnicode($user); + $user_length=strlen($user_unicode); + $user_offset=$domain_offset+$domain_length; + $workstation_unicode=$this->ASCIIToUnicode($workstation); + $workstation_length=strlen($workstation_unicode); + $workstation_offset=$user_offset+$user_length; + $lm=""; + $lm_length=strlen($lm); + $lm_offset=$workstation_offset+$workstation_length; + $ntlm=$ntlm_response; + $ntlm_length=strlen($ntlm); + $ntlm_offset=$lm_offset+$lm_length; + $session=""; + $session_length=strlen($session); + $session_offset=$ntlm_offset+$ntlm_length; + return( + "NTLMSSP\0". + "\x03\x00\x00\x00". + pack("v",$lm_length). + pack("v",$lm_length). + pack("V",$lm_offset). + pack("v",$ntlm_length). + pack("v",$ntlm_length). + pack("V",$ntlm_offset). + pack("v",$domain_length). + pack("v",$domain_length). + pack("V",$domain_offset). + pack("v",$user_length). + pack("v",$user_length). + pack("V",$user_offset). + pack("v",$workstation_length). + pack("v",$workstation_length). + pack("V",$workstation_offset). + pack("v",$session_length). + pack("v",$session_length). + pack("V",$session_offset). + "\x01\x02\x00\x00". + $domain_unicode. + $user_unicode. + $workstation_unicode. + $lm. + $ntlm + ); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_NTLM_STATE_START) + { + $client->error="NTLM authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"", + "realm"=>"", + "workstation"=>"" + ); + $defaults=array(); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_NTLM_STATE_IDENTIFY_DOMAIN; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_NTLM_STATE_IDENTIFY_DOMAIN: + $message=$this->TypeMsg1($this->credentials["realm"],$this->credentials["workstation"]); + $this->state=SASL_NTLM_STATE_RESPOND_CHALLENGE; + break; + case SASL_NTLM_STATE_RESPOND_CHALLENGE: + $ntlm_response=$this->NTLMResponse(substr($response,24,8),$this->credentials["password"]); + $message=$this->TypeMsg3($ntlm_response,$this->credentials["user"],$this->credentials["realm"],$this->credentials["workstation"]); + $this->state=SASL_NTLM_STATE_DONE; + break; + case SASL_NTLM_STATE_DONE: + $client->error="NTLM authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid NTLM authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/plain_sasl_client.inc b/etc/inc/plain_sasl_client.inc new file mode 100644 index 0000000..c7feed0 --- /dev/null +++ b/etc/inc/plain_sasl_client.inc @@ -0,0 +1,99 @@ +<?php +/* + * plain_sasl_client.php + * + * @(#) $Id: plain_sasl_client.php,v 1.2 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_PLAIN_STATE_START", 0); +define("SASL_PLAIN_STATE_IDENTIFY", 1); +define("SASL_PLAIN_STATE_DONE", 2); + +define("SASL_PLAIN_DEFAULT_MODE", 0); +define("SASL_PLAIN_EXIM_MODE", 1); +define("SASL_PLAIN_EXIM_DOCUMENTATION_MODE", 2); + +class plain_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_PLAIN_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_PLAIN_STATE_START) + { + $client->error="PLAIN authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"", + "realm"=>"", + "mode"=>"" + ); + $defaults=array( + "realm"=>"", + "mode"=>"" + ); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + { + switch($this->credentials["mode"]) + { + case SASL_PLAIN_EXIM_MODE: + $message=$this->credentials["user"]."\0".$this->credentials["password"]."\0"; + break; + case SASL_PLAIN_EXIM_DOCUMENTATION_MODE: + $message="\0".$this->credentials["user"]."\0".$this->credentials["password"]; + break; + default: + $message=$this->credentials["user"]."\0".$this->credentials["user"].(strlen($this->credentials["realm"]) ? "@".$this->credentials["realm"] : "")."\0".$this->credentials["password"]; + break; + } + $this->state=SASL_PLAIN_STATE_DONE; + } + else + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { +/* + case SASL_PLAIN_STATE_IDENTIFY: + switch($this->credentials["mode"]) + { + case SASL_PLAIN_EXIM_MODE: + $message=$this->credentials["user"]."\0".$this->credentials["password"]."\0"; + break; + case SASL_PLAIN_EXIM_DOCUMENTATION_MODE: + $message="\0".$this->credentials["user"]."\0".$this->credentials["password"]; + break; + default: + $message=$this->credentials["user"]."\0".$this->credentials["user"].(strlen($this->credentials["realm"]) ? "@".$this->credentials["realm"] : "")."\0".$this->credentials["password"]; + break; + } + var_dump($message); + $this->state=SASL_PLAIN_STATE_DONE; + break; +*/ + case SASL_PLAIN_STATE_DONE: + $client->error="PLAIN authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid PLAIN authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file |
