From 47388f99e7663fc17cda728e5465e7be984e8ff1 Mon Sep 17 00:00:00 2001 From: gilles Date: Sun, 9 Jun 2024 10:13:05 +0000 Subject: [PATCH] introduce a new K_AUTH service to allow offloading the credentials to a table for non-crypt(3) authentication. tables configured with auth that support K_AUTH are asked to check if a user and passwd are valid rather than asked to provide the password for a user so smtpd does crypt(3) on its side. helps with cases like ldap or custom auth. ok op@ --- usr.sbin/smtpd/lka.c | 23 ++++++++++++++++++++++- usr.sbin/smtpd/smtpd-api.h | 5 +++-- usr.sbin/smtpd/smtpd-tables.7 | 8 ++++++-- usr.sbin/smtpd/table.c | 5 ++++- 4 files changed, 35 insertions(+), 6 deletions(-) diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c index bd757985dbb..7ecf67d1359 100644 --- a/usr.sbin/smtpd/lka.c +++ b/usr.sbin/smtpd/lka.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lka.c,v 1.248 2024/01/20 09:01:03 claudio Exp $ */ +/* $OpenBSD: lka.c,v 1.249 2024/06/09 10:13:05 gilles Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard @@ -720,6 +720,7 @@ static int lka_authenticate(const char *tablename, const char *user, const char *password) { struct table *table; + char offloadkey[LINE_MAX]; union lookup lk; log_debug("debug: lka: authenticating for %s:%s", tablename, user); @@ -730,6 +731,26 @@ lka_authenticate(const char *tablename, const char *user, const char *password) return (LKA_TEMPFAIL); } + /* table backend supports authentication offloading */ + if (table_check_service(table, K_AUTH)) { + if (!bsnprintf(offloadkey, sizeof(offloadkey), "%s:%s", + user, password)) { + log_warnx("warn: key serialization failed for %s:%s", + tablename, user); + return (LKA_TEMPFAIL); + } + switch (table_match(table, K_AUTH, offloadkey)) { + case -1: + log_warnx("warn: user credentials lookup fail for %s:%s", + tablename, user); + return (LKA_TEMPFAIL); + case 0: + return (LKA_PERMFAIL); + default: + return (LKA_OK); + } + } + switch (table_lookup(table, K_CREDENTIALS, user, &lk)) { case -1: log_warnx("warn: user credentials lookup fail for %s:%s", diff --git a/usr.sbin/smtpd/smtpd-api.h b/usr.sbin/smtpd/smtpd-api.h index f83edd05854..4f362dc7ad5 100644 --- a/usr.sbin/smtpd/smtpd-api.h +++ b/usr.sbin/smtpd/smtpd-api.h @@ -1,4 +1,4 @@ -/* $OpenBSD: smtpd-api.h,v 1.36 2018/12/23 16:06:24 gilles Exp $ */ +/* $OpenBSD: smtpd-api.h,v 1.37 2024/06/09 10:13:05 gilles Exp $ */ /* * Copyright (c) 2013 Eric Faurot @@ -135,8 +135,9 @@ enum table_service { K_RELAYHOST = 0x200, /* returns struct relayhost */ K_STRING = 0x400, K_REGEX = 0x800, + K_AUTH = 0x1000, }; -#define K_ANY 0xfff +#define K_ANY 0xffff enum { PROC_TABLE_OK, diff --git a/usr.sbin/smtpd/smtpd-tables.7 b/usr.sbin/smtpd/smtpd-tables.7 index c5cd954e232..42056f9ef65 100644 --- a/usr.sbin/smtpd/smtpd-tables.7 +++ b/usr.sbin/smtpd/smtpd-tables.7 @@ -1,4 +1,4 @@ -.\" $OpenBSD: smtpd-tables.7,v 1.3 2024/05/23 17:10:00 op Exp $ +.\" $OpenBSD: smtpd-tables.7,v 1.4 2024/06/09 10:13:05 gilles Exp $ .\" .\" Copyright (c) 2008 Janne Johansson .\" Copyright (c) 2009 Jacek Masiulaniec @@ -18,7 +18,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .\" -.Dd $Mdocdate: May 23 2024 $ +.Dd $Mdocdate: June 9 2024 $ .Dt SMTPD-TABLES 7 .Os .Sh NAME @@ -191,6 +191,10 @@ The services and their result format are as follows: .Bl -tag -width mailaddrmap -compact .It Ic alias One or more aliases separated by a comma. +.It Ic auth +Only usable for check. +Lookup key is username and cleartext password separated by +.Sq \&: . .It Ic domain A domain name. .\" XXX are wildcards allowed? diff --git a/usr.sbin/smtpd/table.c b/usr.sbin/smtpd/table.c index 2b9c9cf2511..aca013debea 100644 --- a/usr.sbin/smtpd/table.c +++ b/usr.sbin/smtpd/table.c @@ -1,4 +1,4 @@ -/* $OpenBSD: table.c,v 1.53 2024/05/28 07:10:30 op Exp $ */ +/* $OpenBSD: table.c,v 1.54 2024/06/09 10:13:05 gilles Exp $ */ /* * Copyright (c) 2013 Eric Faurot @@ -83,6 +83,7 @@ table_service_name(enum table_service s) case K_RELAYHOST: return "relayhost"; case K_STRING: return "string"; case K_REGEX: return "regex"; + case K_AUTH: return "auth"; } return "???"; } @@ -116,6 +117,8 @@ table_service_from_name(const char *service) return K_STRING; if (!strcmp(service, "regex")) return K_REGEX; + if (!strcmp(service, "auth")) + return K_AUTH; return (-1); } -- 2.20.1