Fix the variables set by gsasl authenticator

author Jeremy Harris <jgh146exb@wizmail.org>

Tue, 24 Dec 2019 15:43:00 +0000 (15:43 +0000)

committer Jeremy Harris <jgh146exb@wizmail.org>

Tue, 24 Dec 2019 15:49:46 +0000 (15:49 +0000)
author Jeremy Harris <jgh146exb@wizmail.org>
Tue, 24 Dec 2019 15:43:00 +0000 (15:43 +0000)
committer Jeremy Harris <jgh146exb@wizmail.org>
Tue, 24 Dec 2019 15:49:46 +0000 (15:49 +0000)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog

index 528021268a995c6817b5470779826d7759380563..f1db06451049f7f8f0a1c49dc3a00b5078b60619 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -66,6 +66,10 @@ JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and
        a fast-retry of all 452'd recipients using a new MAIL FROM on the same
        connection.  The new facility is not tunable at this time.
  
        a fast-retry of all 452'd recipients using a new MAIL FROM on the same
        connection.  The new facility is not tunable at this time.
  
+JH/16 Fix the variables set by the gsasl authenticator.  Previously a pointer to
+      library live data was being used, so the results became garbage.  Make
+      copies while it is still usable.
+
  
  Exim version 4.93
  -----------------
  
  Exim version 4.93
  -----------------
diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c

index 78a63cd0ee4f60538dcc02bac8691c52ce531b0c..614c179b770319f24d24deeafb4512d6987170f3 100644 (file)
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -456,11 +456,11 @@ switch (prop)
    case GSASL_VALIDATE_SIMPLE:
      /* GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD */
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHID);
    case GSASL_VALIDATE_SIMPLE:
      /* GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD */
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHID);
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
-    auth_vars[1] = expand_nstring[2] = propval ? propval : US"";
+    auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US"";
      propval = US  gsasl_property_fast(sctx, GSASL_PASSWORD);
      propval = US  gsasl_property_fast(sctx, GSASL_PASSWORD);
-    auth_vars[2] = expand_nstring[3] = propval ? propval : US"";
+    auth_vars[2] = expand_nstring[3] = propval ? string_copy(propval) : US"";
      expand_nmax = 3;
      for (int i = 1; i <= 3; ++i)
        expand_nlength[i] = Ustrlen(expand_nstring[i]);
      expand_nmax = 3;
      for (int i = 1; i <= 3; ++i)
        expand_nlength[i] = Ustrlen(expand_nstring[i]);
@@ -479,7 +479,7 @@ switch (prop)
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
  
      /* We always set $auth1, even if only to empty string. */
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
  
      /* We always set $auth1, even if only to empty string. */
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
      expand_nlength[1] = Ustrlen(expand_nstring[1]);
      expand_nmax = 1;
  
      expand_nlength[1] = Ustrlen(expand_nstring[1]);
      expand_nmax = 1;
  
@@ -499,7 +499,7 @@ switch (prop)
  
      /* We always set $auth1, even if only to empty string. */
  
  
      /* We always set $auth1, even if only to empty string. */
  
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
      expand_nlength[1] = Ustrlen(expand_nstring[1]);
      expand_nmax = 1;
  
      expand_nlength[1] = Ustrlen(expand_nstring[1]);
      expand_nmax = 1;
  
@@ -519,9 +519,9 @@ switch (prop)
      switched to match the ordering of GSASL_VALIDATE_SIMPLE. */
  
      propval = US  gsasl_property_fast(sctx, GSASL_GSSAPI_DISPLAY_NAME);
      switched to match the ordering of GSASL_VALIDATE_SIMPLE. */
  
      propval = US  gsasl_property_fast(sctx, GSASL_GSSAPI_DISPLAY_NAME);
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
-    auth_vars[1] = expand_nstring[2] = propval ? propval : US"";
+    auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US"";
      expand_nmax = 2;
      for (int i = 1; i <= 2; ++i)
        expand_nlength[i] = Ustrlen(expand_nstring[i]);
      expand_nmax = 2;
      for (int i = 1; i <= 2; ++i)
        expand_nlength[i] = Ustrlen(expand_nstring[i]);
@@ -534,6 +534,24 @@ switch (prop)
      checked_server_condition = TRUE;
      break;
  
      checked_server_condition = TRUE;
      break;
  
+  case GSASL_SCRAM_ITER:
+    if (ob->server_scram_iter)
+      {
+      tmps = CS expand_string(ob->server_scram_iter);
+      gsasl_property_set(sctx, GSASL_SCRAM_ITER, tmps);
+      cbrc = GSASL_OK;
+      }
+    break;
+
+  case GSASL_SCRAM_SALT:
+    if (ob->server_scram_iter)
+      {
+      tmps = CS expand_string(ob->server_scram_salt);
+      gsasl_property_set(sctx, GSASL_SCRAM_SALT, tmps);
+      cbrc = GSASL_OK;
+      }
+    break;
+
    case GSASL_PASSWORD:
      /* DIGEST-MD5: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM
         CRAM-MD5: GSASL_AUTHID
    case GSASL_PASSWORD:
      /* DIGEST-MD5: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM
         CRAM-MD5: GSASL_AUTHID
@@ -559,11 +577,11 @@ switch (prop)
      point of SASL. */
  
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHID);
      point of SASL. */
  
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHID);
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
      propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
-    auth_vars[1] = expand_nstring[2] = propval ? propval : US"";
+    auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US"";
      propval = US  gsasl_property_fast(sctx, GSASL_REALM);
      propval = US  gsasl_property_fast(sctx, GSASL_REALM);
-    auth_vars[2] = expand_nstring[3] = propval ? propval : US"";
+    auth_vars[2] = expand_nstring[3] = propval ? string_copy(propval) : US"";
      expand_nmax = 3;
      for (int i = 1; i <= 3; ++i)
        expand_nlength[i] = Ustrlen(expand_nstring[i]);
      expand_nmax = 3;
      for (int i = 1; i <= 3; ++i)
        expand_nlength[i] = Ustrlen(expand_nstring[i]);
diff --git a/test/confs/3820 b/test/confs/3820

new file mode 100644 (file)

index 0000000..a0206f3
--- /dev/null
+++ b/test/confs/3820
@@ -0,0 +1,47 @@
+# Exim test configuration 3820
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+
+# ----- Authentication -----
+
+begin authenticators
+
+sasl1:
+  driver = gsasl
+  public_name = ANONYMOUS
+  server_set_id =      $auth1
+  server_condition =   true
+
+sasl2:
+  driver = gsasl
+  public_name = PLAIN
+  server_set_id =      $auth1
+  server_condition =   false
+
+sasl3:
+  driver = gsasl
+  public_name = SCRAM-SHA-1
+
+  # will need to give library salt, stored-key, server-key, itercount
+  #
+  # sigh
+  # gsasl takes props: GSASL_SCRAM_ITER, GSASL_SCRAM_SALT.  It _might_ take
+  # a GSASL_SCRAM_SALTED_PASSWORD - but that is only documented for client mode.
+
+  server_scram_iter =  4096
+  # unclear if the salt is given in binary or base64 to the library
+  server_scram_salt =  QSXCR+Q6sek8bf92
+  server_password =    pencil
+
+  server_condition =   true
+  server_set_id =      $auth1
+
+
+# End
diff --git a/test/scripts/3820-Gnu-SASL/3820 b/test/scripts/3820-Gnu-SASL/3820

new file mode 100644 (file)

index 0000000..d9fb80b
--- /dev/null
+++ b/test/scripts/3820-Gnu-SASL/3820
@@ -0,0 +1,26 @@
+# GSASL authentication (server only)
+#
+# An ANONYMOUS ath seems to want the username b64'd.  Which is consistent with
+# other SASL stuff, but inconsistent vs. cyrus-sasl.  It also wants the username
+# on the AUTH line, otherwise it GSASL_MECHANISM_PARSE_ERROR, and 435.
+#
+exim -d+all -DSERVER=server -bd -oX PORT_D
+****
+client 127.0.0.1 PORT_D
+??? 220
+EHLO xxxx
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+AUTH PLAIN AHBoMTAAc2VjcmV0
+??? 535
+AUTH ANONYMOUS cGgxMA==
+??? 235
+QUIT
+??? 221
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/3820-Gnu-SASL/REQUIRES b/test/scripts/3820-Gnu-SASL/REQUIRES

new file mode 100644 (file)

index 0000000..4614489
--- /dev/null
+++ b/test/scripts/3820-Gnu-SASL/REQUIRES
@@ -0,0 +1 @@
+authenticator gsasl
author	Jeremy Harris <jgh146exb@wizmail.org>
	Tue, 24 Dec 2019 15:43:00 +0000 (15:43 +0000)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Tue, 24 Dec 2019 15:49:46 +0000 (15:49 +0000)
doc/doc-txt/ChangeLog		patch \| blob \| history
src/src/auths/gsasl_exim.c		patch \| blob \| history
test/confs/3820	[new file with mode: 0644]	patch \| blob
test/scripts/3820-Gnu-SASL/3820	[new file with mode: 0644]	patch \| blob
test/scripts/3820-Gnu-SASL/REQUIRES	[new file with mode: 0644]	patch \| blob