[Exim] More AUTH related patches

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: michael
Data:  
Para: exim-users
Asunto: [Exim] More AUTH related patches
Hello,

here is a patch against 3.20 that contains the code from yesterday for
multiple authenticators and new code that adds an optional condition
which must expand to true for the AUTH= value to be accepted. As such,
it realises this paragraph of RFC 2554:

       If the server does not sufficiently trust the authenticated
       identity of the client, or if the client is not authenticated,
       then the server MUST behave as if the AUTH=<> parameter was
       supplied.  The server MAY, however, write the value of the AUTH
       parameter to a log file.


And that's what it does, if the condition expands to false. Perhaps
something fancier than a simple condition is needed, but I think it
suffices for now.

Note: You need to add "*result='\0';" in xtextdecode.c before
returning the result. Consider that addition as well as any usage of
$authenticated_sender as experimental until it is clear how Exim should
deal with binary arguments.

Michael
----------------------------------------------------------------------
--- src/structs.h.orig    Thu Jan 11 12:20:01 2001
+++ src/structs.h    Thu Jan 11 12:20:54 2001
@@ -386,6 +386,7 @@
   char *driver_name;             /* Must be first */
   char *public_name;             /* Advertised name */
   char *set_id;                  /* String to set as authenticated id */
+  char *auth_condition;          /* Condition for AUTH= value */
   BOOL  client;                  /* TRUE if client option(s) set */
   BOOL  server;                  /* TRUE if server options(s) set */
 } auth_instance;
--- src/globals.c.orig    Thu Jan 11 12:21:01 2001
+++ src/globals.c    Thu Jan 11 13:06:36 2001
@@ -49,6 +49,8 @@
 data blocks and hence have the opt_public flag set. */


 optionlist optionlist_auths[] = {
+  { "auth_condition", opt_stringptr | opt_public,
+                 (void *)(offsetof(auth_instance, auth_condition)) },
   { "driver",        opt_stringptr | opt_public,
                  (void *)(offsetof(auth_instance, driver_name)) },
   { "public_name",   opt_stringptr | opt_public,
@@ -145,6 +147,7 @@
    NULL,                      /* name */
    NULL,                      /* info */
    NULL,                      /* private options block pointer */
+   NULL,                      /* auth_condition */
    NULL,                      /* driver_name */
    NULL,                      /* public_name */
    NULL,                      /* set_id */
--- src/smtp_in.c.orig    Wed Jan 10 15:38:50 2001
+++ src/smtp_in.c    Thu Jan 11 14:27:09 2001
@@ -1816,6 +1816,7 @@
   #ifdef HAVE_AUTH
   auth_instance *au;
   int c;
+  int foundAuthenticator;
   #endif


   switch(smtp_read_command())
@@ -1872,17 +1873,12 @@
     /* Search for an authentication mechanism which is configured for use
     as a server. */


-    for (au = auths; au != NULL; au = au->next)
+    for (foundAuthenticator = 0, au = auths; au != NULL; au = au->next)
       {
-      if (strcmpic(s, au->public_name) == 0 && au->server) break;
-      }
-
-    if (au == NULL)
-      {
-      smtp_printf("504 %s mechanism not supported\r\n", s);
-      break;
-      }
+      if (strcmpic(s, au->public_name) == 0 && au->server)
+        {


+        foundAuthenticator=1;
     /* Run the checking code, passing the remainder of the command
     line as data. Initialize $0 empty. The authenticator may set up
     other numeric variables. If authentication succeeds, expand the
@@ -1914,6 +1910,16 @@


     expand_nmax = -1;  /* Reset numeric variables */


+      if (c!=FAIL) break;
+    }
+    }
+    if (!foundAuthenticator)
+      {
+      smtp_printf("504 %s mechanism not supported\r\n", s);
+      break;
+      }
+
+
     switch(c)
       {
       case OK:
@@ -2375,6 +2381,11 @@
             {
             smtp_printf("501 %s: invalid AUTH=%s\r\n", smtp_data, value);
             goto COMMAND_LOOP;
+            }
+          if (au->auth_condition != NULL && !expand_check_condition(au->auth_condition, au->name, "authenticator"))
+            {
+            authenticated_sender = NULL;
+            log_write(2, LOG_MAIN, "ignoring AUTH=%s from authenticated ID %s",value,authenticated_id);
             }
           }
         }