Re: [exim-dev] [PATCH] allow to use server responses in clie…

Top Page
Delete this message
Reply to this message
Author: Johannes Berg
Date:  
To: exim-dev
Subject: Re: [exim-dev] [PATCH] allow to use server responses in client plaintext authenticator
On Mon, 2006-02-20 at 17:14 +0100, Johannes Berg wrote:

> I'll take a look and update the patch if I can.


Below. Note that for longer SASL methods, it might make sense to
increase AUTH_MAX. This patch, however, does not do that.

I also dropped the patch to the spec since that doesn't seem to exist in
the CVS snapshot. It would only need to be changed from the $n to
$auth_<n> and include the AUTH_MAX limitation (I had not bothered to
include the limitation for $n since 20 seemed high enough, 3 looks like
it might be encountered in practice, hence I also suggest increasing it)

This patch also fixes a compile warning over the old one.

johannes

--- exim-snapshot/doc/OptionLists.txt    2006-02-20 04:15:57.000000000 +0100
+++ exim-snapshot.mod/doc/OptionLists.txt    2006-02-20 17:39:15.610369000 +0100
@@ -124,6 +124,7 @@
 check_string                         string          "From "       appendfile        3.03
                                                      unset         pipe              3.03
 check_srv                            string*         unset         dnslookup         4.31
+client_ignore_invalid_base64         boolean         true          plaintext         XXXX
 client_name                          string*         +             cram_md5          3.10
 client_secret                        string*         unset         cram_md5          3.10
 client_send                          string*         unset         plaintext         3.10
--- exim-snapshot/src/auths/plaintext.c    2006-02-20 04:15:50.000000000 +0100
+++ exim-snapshot.mod/src/auths/plaintext.c    2006-02-20 17:53:33.096364000 +0100
@@ -14,6 +14,8 @@
 /* Options specific to the plaintext authentication mechanism. */


 optionlist auth_plaintext_options[] = {
+  { "client_ignore_invalid_base64", opt_bool,
+      (void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) },
   { "client_send",        opt_stringptr,
       (void *)(offsetof(auth_plaintext_options_block, client_send)) },
   { "server_condition",   opt_stringptr,
@@ -33,7 +35,8 @@
 auth_plaintext_options_block auth_plaintext_option_defaults = {
   NULL,              /* server_condition */
   NULL,              /* server_prompts */
-  NULL               /* client_send */
+  NULL,              /* client_send */
+  FALSE              /* client_ignore_invalid_base64 */
 };



@@ -223,8 +226,9 @@

while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)) != NULL)
{
- int i, len;
+ int i, len, clear_len, auth_var_idx = -1;
uschar *ss = expand_string(s);
+ uschar *clear, *errorclear = US"";

   /* Forced expansion failure is not an error; authentication is abandoned. On
   all but the first string, we have to abandon the authentication attempt by
@@ -304,6 +308,27 @@
       "authenticator", ablock->name);
     return ERROR;
     }
+
+  /* now that we know we'll continue, we put the received data into $auth_<n>,
+   * if possible. buffer+4 skips over the SMTP status code. */
+  clear_len = auth_b64decode(buffer+4, &clear);
+  if (clear_len < 0) {
+    if (!ob->client_ignore_invalid_base64) {
+      /* the server sent an invalid base64 string...
+       * we should explicitly terminate this AUTH anyway */
+      if (smtp_write_command(outblock, FALSE, "*\r\n") >= 0)
+        (void) smtp_read_response(inblock, US buffer, buffsize, '2', timeout);
+      return FAIL;
+    }
+    /* ignore error and put an empty string into the $auth_<n> var */
+    clear_len = 0;
+    clear = errorclear;
+  }
+  if ((clear_len >= 0) && (auth_var_idx+1 < AUTH_VARS)) {
+    auth_var_idx++;
+    auth_vars[auth_var_idx] = string_copy(clear);
+  }
+
   }


 /* Control should never actually get here. */
--- exim-snapshot/src/auths/plaintext.h    2006-02-20 04:15:50.000000000 +0100
+++ exim-snapshot.mod/src/auths/plaintext.h    2006-02-20 17:39:17.247369000 +0100
@@ -13,6 +13,7 @@
   uschar *server_condition;
   uschar *server_prompts;
   uschar *client_send;
+  BOOL    client_ignore_invalid_base64;
 } auth_plaintext_options_block;


/* Data for reading the private options. */