From 0a3c9b00e50a4bd4a7cfca5c9640d8f3c7333cd3 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 24 Oct 2021 14:13:46 +0100
Subject: [PATCH] Fix client-only use of gsasl authenticator. Bug 2818
---
 src/src/auths/gsasl_exim.c | 34 +++++++++++++++++++---------------
 src/src/macros.h | 5 -----
 2 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index f5c2afd60..2d060d4da 100644
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -57,6 +57,10 @@ static void dummy(int x) { dummy2(x-1); }
 # define CHANNELBIND_HACK
 #endif
+/* Convenience for testing strings */
+
+#define STREQIC(Foo, Bar) (strcmpic((Foo), (Bar)) == 0)
+
 /* Authenticator-specific options. */
 /* I did have server_*_condition options for various mechanisms, but since
@@ -200,15 +204,21 @@ if (!gsasl_client_support_p(gsasl_ctx, CCS ob->server_mech))
 "GNU SASL does not support mechanism \"%s\"",
 ablock->name, ob->server_mech);
-ablock->server = TRUE;
-
-if ( !ablock->server_condition
- && ( streqic(ob->server_mech, US"EXTERNAL")
- || streqic(ob->server_mech, US"ANONYMOUS")
- || streqic(ob->server_mech, US"PLAIN")
- || streqic(ob->server_mech, US"LOGIN")
- ) )
+if (ablock->server_condition)
+ ablock->server = TRUE;
+else if( ob->server_mech
+ && !STREQIC(ob->server_mech, US"EXTERNAL")
+ && !STREQIC(ob->server_mech, US"ANONYMOUS")
+ && !STREQIC(ob->server_mech, US"PLAIN")
+ && !STREQIC(ob->server_mech, US"LOGIN")
+ )
 {
+ /* At present, for mechanisms we don't panic on absence of server_condition;
+ need to figure out the most generically correct approach to deciding when
+ it's critical and when it isn't. Eg, for simple validation (PLAIN mechanism,
+ etc) it clearly is critical.
+ */
+
 ablock->server = FALSE;
 HDEBUG(D_auth) debug_printf("%s authenticator: "
 "Need server_condition for %s mechanism\n",
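Review bot: The new `else if` tests `!STREQIC(...)` for EXTERNAL, ANONYMOUS, PLAIN and LOGIN, so the "Need server_condition" branch now fires for every mechanism except those four. That is the reverse of the removed condition and at odds with the comment moved into the block, which calls a missing server_condition critical for PLAIN. With no `server_condition` and one of the four listed mechanisms, neither branch runs and `ablock->server` keeps whatever value it had before this block, which the hunk does not show. Since this flag decides whether the authenticator is offered on the server side, I would assign it on every path, for example `ablock->server = ablock->server_condition != NULL;` ahead of the mechanism test, keeping the `if` only for the debug message. The added `ob->server_mech &&` guard also comes after the pointer was passed to `gsasl_client_support_p(gsasl_ctx, CCS ob->server_mech)` in the hunk header line, so it looks either unnecessary or too late. The enclosing function begins and ends outside the hunk.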
@@ -219,7 +229,7 @@ if ( !ablock->server_condition
 which properties will be needed. */
 if ( !ob->server_realm
- && streqic(ob->server_mech, US"DIGEST-MD5"))
+ && STREQIC(ob->server_mech, US"DIGEST-MD5"))
 {
 ablock->server = FALSE;
 HDEBUG(D_auth) debug_printf("%s authenticator: "
@@ -227,12 +237,6 @@ if ( !ob->server_realm
 ablock->name, ob->server_mech);
 }
-/* At present, for mechanisms we don't panic on absence of server_condition;
-need to figure out the most generically correct approach to deciding when
-it's critical and when it isn't. Eg, for simple validation (PLAIN mechanism,
-etc) it clearly is critical.
-*/
-
 ablock->client = ob->client_username && ob->client_password;
 }
diff --git a/src/src/macros.h b/src/src/macros.h
index bf5241e10..80e0ecbe1 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -79,11 +79,6 @@ as unsigned. */
 ((uschar)(c) > 127 && print_topbitchars))
-/* Convenience for testing strings */
-
-#define streqic(Foo, Bar) (strcmpic(Foo, Bar) == 0)
-
-
 /* When built with TLS support, the act of flushing SMTP output becomes a no-op once an SSL session is in progress. */
--
2.30.2