From 98eb95929140ee1e2b2b367b12abb45762d155e9 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 24 Dec 2019 15:43:00 +0000 Subject: [PATCH] Fix the variables set by gsasl authenticator --- doc/doc-txt/ChangeLog | 4 +++ src/src/auths/gsasl_exim.c | 38 +++++++++++++++++------ test/confs/3820 | 47 +++++++++++++++++++++++++++++ test/scripts/3820-Gnu-SASL/3820 | 26 ++++++++++++++++ test/scripts/3820-Gnu-SASL/REQUIRES | 1 + 5 files changed, 106 insertions(+), 10 deletions(-) create mode 100644 test/confs/3820 create mode 100644 test/scripts/3820-Gnu-SASL/3820 create mode 100644 test/scripts/3820-Gnu-SASL/REQUIRES diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 528021268..f1db06451 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -66,6 +66,10 @@ JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and a fast-retry of all 452'd recipients using a new MAIL FROM on the same connection. The new facility is not tunable at this time. +JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to + library live data was being used, so the results became garbage. Make + copies while it is still usable. + Exim version 4.93 ----------------- diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c index 78a63cd0e..614c179b7 100644 --- a/src/src/auths/gsasl_exim.c +++ b/src/src/auths/gsasl_exim.c @@ -456,11 +456,11 @@ switch (prop) case GSASL_VALIDATE_SIMPLE: /* GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD */ propval = US gsasl_property_fast(sctx, GSASL_AUTHID); - auth_vars[0] = expand_nstring[1] = propval ? propval : US""; + auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US""; propval = US gsasl_property_fast(sctx, GSASL_AUTHZID); - auth_vars[1] = expand_nstring[2] = propval ? propval : US""; + auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US""; propval = US gsasl_property_fast(sctx, GSASL_PASSWORD); - auth_vars[2] = expand_nstring[3] = propval ? propval : US""; + auth_vars[2] = expand_nstring[3] = propval ? string_copy(propval) : US""; expand_nmax = 3; for (int i = 1; i <= 3; ++i) expand_nlength[i] = Ustrlen(expand_nstring[i]); @@ -479,7 +479,7 @@ switch (prop) propval = US gsasl_property_fast(sctx, GSASL_AUTHZID); /* We always set $auth1, even if only to empty string. */ - auth_vars[0] = expand_nstring[1] = propval ? propval : US""; + auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US""; expand_nlength[1] = Ustrlen(expand_nstring[1]); expand_nmax = 1; @@ -499,7 +499,7 @@ switch (prop) /* We always set $auth1, even if only to empty string. */ - auth_vars[0] = expand_nstring[1] = propval ? propval : US""; + auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US""; expand_nlength[1] = Ustrlen(expand_nstring[1]); expand_nmax = 1; @@ -519,9 +519,9 @@ switch (prop) switched to match the ordering of GSASL_VALIDATE_SIMPLE. */ propval = US gsasl_property_fast(sctx, GSASL_GSSAPI_DISPLAY_NAME); - auth_vars[0] = expand_nstring[1] = propval ? propval : US""; + auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US""; propval = US gsasl_property_fast(sctx, GSASL_AUTHZID); - auth_vars[1] = expand_nstring[2] = propval ? propval : US""; + auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US""; expand_nmax = 2; for (int i = 1; i <= 2; ++i) expand_nlength[i] = Ustrlen(expand_nstring[i]); @@ -534,6 +534,24 @@ switch (prop) checked_server_condition = TRUE; break; + case GSASL_SCRAM_ITER: + if (ob->server_scram_iter) + { + tmps = CS expand_string(ob->server_scram_iter); + gsasl_property_set(sctx, GSASL_SCRAM_ITER, tmps); + cbrc = GSASL_OK; + } + break; + + case GSASL_SCRAM_SALT: + if (ob->server_scram_iter) + { + tmps = CS expand_string(ob->server_scram_salt); + gsasl_property_set(sctx, GSASL_SCRAM_SALT, tmps); + cbrc = GSASL_OK; + } + break; + case GSASL_PASSWORD: /* DIGEST-MD5: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM CRAM-MD5: GSASL_AUTHID @@ -559,11 +577,11 @@ switch (prop) point of SASL. */ propval = US gsasl_property_fast(sctx, GSASL_AUTHID); - auth_vars[0] = expand_nstring[1] = propval ? propval : US""; + auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US""; propval = US gsasl_property_fast(sctx, GSASL_AUTHZID); - auth_vars[1] = expand_nstring[2] = propval ? propval : US""; + auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US""; propval = US gsasl_property_fast(sctx, GSASL_REALM); - auth_vars[2] = expand_nstring[3] = propval ? propval : US""; + auth_vars[2] = expand_nstring[3] = propval ? string_copy(propval) : US""; expand_nmax = 3; for (int i = 1; i <= 3; ++i) expand_nlength[i] = Ustrlen(expand_nstring[i]); diff --git a/test/confs/3820 b/test/confs/3820 new file mode 100644 index 000000000..a0206f3a0 --- /dev/null +++ b/test/confs/3820 @@ -0,0 +1,47 @@ +# Exim test configuration 3820 + +SERVER= + +.include DIR/aux-var/std_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + + +# ----- Authentication ----- + +begin authenticators + +sasl1: + driver = gsasl + public_name = ANONYMOUS + server_set_id = $auth1 + server_condition = true + +sasl2: + driver = gsasl + public_name = PLAIN + server_set_id = $auth1 + server_condition = false + +sasl3: + driver = gsasl + public_name = SCRAM-SHA-1 + + # will need to give library salt, stored-key, server-key, itercount + # + # sigh + # gsasl takes props: GSASL_SCRAM_ITER, GSASL_SCRAM_SALT. It _might_ take + # a GSASL_SCRAM_SALTED_PASSWORD - but that is only documented for client mode. + + server_scram_iter = 4096 + # unclear if the salt is given in binary or base64 to the library + server_scram_salt = QSXCR+Q6sek8bf92 + server_password = pencil + + server_condition = true + server_set_id = $auth1 + + +# End diff --git a/test/scripts/3820-Gnu-SASL/3820 b/test/scripts/3820-Gnu-SASL/3820 new file mode 100644 index 000000000..d9fb80b55 --- /dev/null +++ b/test/scripts/3820-Gnu-SASL/3820 @@ -0,0 +1,26 @@ +# GSASL authentication (server only) +# +# An ANONYMOUS ath seems to want the username b64'd. Which is consistent with +# other SASL stuff, but inconsistent vs. cyrus-sasl. It also wants the username +# on the AUTH line, otherwise it GSASL_MECHANISM_PARSE_ERROR, and 435. +# +exim -d+all -DSERVER=server -bd -oX PORT_D +**** +client 127.0.0.1 PORT_D +??? 220 +EHLO xxxx +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +AUTH PLAIN AHBoMTAAc2VjcmV0 +??? 535 +AUTH ANONYMOUS cGgxMA== +??? 235 +QUIT +??? 221 +**** +killdaemon +no_msglog_check diff --git a/test/scripts/3820-Gnu-SASL/REQUIRES b/test/scripts/3820-Gnu-SASL/REQUIRES new file mode 100644 index 000000000..46144894c --- /dev/null +++ b/test/scripts/3820-Gnu-SASL/REQUIRES @@ -0,0 +1 @@ +authenticator gsasl -- 2.30.2