ph10 2006/10/16 16:44:36 BST
Modified files:
exim-doc/doc-txt ChangeLog NewStuff OptionLists.txt
exim-src/scripts MakeLinks
exim-src/src functions.h globals.c structs.h
exim-src/src/auths Makefile README cram_md5.c cyrus_sasl.c
dovecot.c plaintext.c plaintext.h spa.c
exim-test/confs 3500
exim-test/scripts/3500-CRAM-MD5 3500
exim-test/stderr 3500
exim-test/stdout 3407 3500
Added files:
exim-src/src/auths check_serv_cond.c
Log:
Add server_condition to all authenticators, to allow for additional
conditions (and thereby implement authorization).
Revision Changes Path
1.410 +5 -0 exim/exim-doc/doc-txt/ChangeLog
1.117 +7 -0 exim/exim-doc/doc-txt/NewStuff
1.25 +1 -1 exim/exim-doc/doc-txt/OptionLists.txt
1.8 +1 -0 exim/exim-src/scripts/MakeLinks
1.5 +23 -22 exim/exim-src/src/auths/Makefile
1.6 +1 -1 exim/exim-src/src/auths/README
1.1 +99 -0 exim/exim-src/src/auths/check_serv_cond.c (new)
1.6 +2 -1 exim/exim-src/src/auths/cram_md5.c
1.5 +5 -3 exim/exim-src/src/auths/cyrus_sasl.c
1.3 +3 -1 exim/exim-src/src/auths/dovecot.c
1.6 +7 -57 exim/exim-src/src/auths/plaintext.c
1.5 +0 -1 exim/exim-src/src/auths/plaintext.h
1.8 +6 -3 exim/exim-src/src/auths/spa.c
1.29 +1 -0 exim/exim-src/src/functions.h
1.60 +3 -0 exim/exim-src/src/globals.c
1.13 +1 -0 exim/exim-src/src/structs.h
1.3 +2 -1 exim/exim-test/confs/3500
1.2 +11 -0 exim/exim-test/scripts/3500-CRAM-MD5/3500
1.3 +41 -2 exim/exim-test/stderr/3500
1.3 +4 -4 exim/exim-test/stdout/3407
1.2 +23 -0 exim/exim-test/stdout/3500
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.409
retrieving revision 1.410
diff -u -r1.409 -r1.410
--- ChangeLog 16 Oct 2006 13:43:21 -0000 1.409
+++ ChangeLog 16 Oct 2006 15:44:36 -0000 1.410
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.409 2006/10/16 13:43:21 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.410 2006/10/16 15:44:36 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -149,6 +149,11 @@
if the connection is using TLS or if the remote IP is the same as the
local IP, and the "valid-client-cert option" if a client certificate has
been verified.
+
+PH/22 As suggested by Denis Davies, added a server_condition option to *all*
+ authenticators. This can be used for authorization after authentication
+ succeeds. (In the case of plaintext, it servers for both authentication
+ and authorization.)
Exim version 4.63
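Review bot: typo in the PH/22 entry: "it servers for both authentication and authorization" should read "it serves for both authentication and authorization".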
Index: NewStuff
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- NewStuff 16 Oct 2006 13:43:21 -0000 1.116
+++ NewStuff 16 Oct 2006 15:44:36 -0000 1.117
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.116 2006/10/16 13:43:21 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.117 2006/10/16 15:44:36 ph10 Exp $
New Features in Exim
--------------------
@@ -123,6 +123,13 @@
In this case there is a lookup in dnsbl.sorbs.net, and if none of the IP
values matches (or if no record is found), this is the only lookup that is
done. Only if there is a match is one of the more specific lists consulted.
+
+6. All authenticators now have a server_condition option. Previously, only
+ plaintext had this, and this has not changed: it must be set to the
+ authenticator as a server. For the others, if server_condition is set, it is
+ expanded if authentication is successful, and treated exactly as it is in
+ plaintext. This can serve as a means of adding authorization to an
+ authenticator.
Version 4.63
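Review bot: the second sentence of item 6 is missing a word: "it must be set to the authenticator as a server" should read "it must be set to enable the authenticator as a server", which is what the comment in plaintext.c says. It would also help to state here what a forced expansion failure of server_condition does for the other authenticators (FAIL after an otherwise successful authentication), since readers of NewStuff will not see the comments in check_serv_cond.c.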
Index: OptionLists.txt
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/OptionLists.txt,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- OptionLists.txt 22 Sep 2006 14:01:12 -0000 1.24
+++ OptionLists.txt 16 Oct 2006 15:44:36 -0000 1.25
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/OptionLists.txt,v 1.24 2006/09/22 14:01:12 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/OptionLists.txt,v 1.25 2006/10/16 15:44:36 ph10 Exp $
LISTS OF EXIM OPTIONS
---------------------
@@ -442,7 +442,7 @@
senders address list unset routers 4.00
serialize_hosts host list unset smtp 1.60
server_advertise_condition string* unset authenticators 4.14
-server_condition string* unset plaintext 3.10
+server_condition string* unset authenticators 3.10 (plaintext) 4.64 (others)
server_hostname string* "$primary_hostname" cyrus_sasl 4.43
server_mail_auth_condition string* unset authenticators 3.22
server_mech string public_name cyrus_sasl 4.43
Index: MakeLinks
===================================================================
RCS file: /home/cvs/exim/exim-src/scripts/MakeLinks,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- MakeLinks 2 Oct 2006 13:38:18 -0000 1.7
+++ MakeLinks 16 Oct 2006 15:44:36 -0000 1.8
@@ -1,5 +1,5 @@
#!/bin/sh
-# $Cambridge: exim/exim-src/scripts/MakeLinks,v 1.7 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/exim-src/scripts/MakeLinks,v 1.8 2006/10/16 15:44:36 ph10 Exp $
# Script to build links for all the exim source files from the system-
# specific build directory. It should be run from within that directory.
@@ -162,6 +162,7 @@
ln -s ../../src/auths/call_pam.c call_pam.c
ln -s ../../src/auths/call_pwcheck.c call_pwcheck.c
ln -s ../../src/auths/call_radius.c call_radius.c
+ln -s ../../src/auths/check_serv_cond.c check_serv_cond.c
ln -s ../../src/auths/cyrus_sasl.c cyrus_sasl.c
ln -s ../../src/auths/cyrus_sasl.h cyrus_sasl.h
ln -s ../../src/auths/get_data.c get_data.c
Index: functions.h
===================================================================
RCS file: /home/cvs/exim/exim-src/src/functions.h,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- functions.h 9 Oct 2006 14:36:25 -0000 1.28
+++ functions.h 16 Oct 2006 15:44:36 -0000 1.29
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/functions.h,v 1.28 2006/10/09 14:36:25 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/functions.h,v 1.29 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -49,6 +49,7 @@
extern int auth_call_radius(uschar *, uschar **);
extern int auth_call_saslauthd(uschar *, uschar *, uschar *, uschar *,
uschar **);
+extern int auth_check_serv_cond(auth_instance *);
extern int auth_get_data(uschar **, uschar *, int);
extern int auth_get_no64_data(uschar **, uschar *);
extern uschar *auth_xtextencode(uschar *, int);
Index: globals.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/globals.c,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -r1.59 -r1.60
--- globals.c 25 Sep 2006 10:14:20 -0000 1.59
+++ globals.c 16 Oct 2006 15:44:36 -0000 1.60
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/globals.c,v 1.59 2006/09/25 10:14:20 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/globals.c,v 1.60 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -38,6 +38,8 @@
(void *)(offsetof(auth_instance, public_name)) },
{ "server_advertise_condition", opt_stringptr | opt_public,
(void *)(offsetof(auth_instance, advertise_condition))},
+ { "server_condition", opt_stringptr | opt_public,
+ (void *)(offsetof(auth_instance, server_condition)) },
{ "server_debug_print", opt_stringptr | opt_public,
(void *)(offsetof(auth_instance, server_debug_string)) },
{ "server_mail_auth_condition", opt_stringptr | opt_public,
@@ -325,6 +327,7 @@
NULL, /* set_id */
NULL, /* server_mail_auth_condition */
NULL, /* server_debug_string */
+ NULL, /* server_condition */
FALSE, /* client */
FALSE, /* server */
FALSE /* advertised */
Index: structs.h
===================================================================
RCS file: /home/cvs/exim/exim-src/src/structs.h,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- structs.h 25 Sep 2006 11:25:37 -0000 1.12
+++ structs.h 16 Oct 2006 15:44:36 -0000 1.13
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/structs.h,v 1.12 2006/09/25 11:25:37 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/structs.h,v 1.13 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -367,6 +367,7 @@
uschar *set_id; /* String to set as authenticated id */
uschar *mail_auth_condition; /* Condition for AUTH on MAIL command */
uschar *server_debug_string; /* Debugging output */
+ uschar *server_condition; /* Authorization condition */
BOOL client; /* TRUE if client option(s) set */
BOOL server; /* TRUE if server options(s) set */
BOOL advertised; /* Set TRUE when advertised */
Index: check_serv_cond.c
====================================================================
/* $Cambridge: exim/exim-src/src/auths/check_serv_cond.c,v 1.1 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
/* Copyright (c) University of Cambridge 1995 - 2006 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
/* This module contains the function server_condition(), which is used
by all authenticators. */
/*************************************************
* Check server_condition *
*************************************************/
/* This function is called from the server code of all authenticators. For
plaintext, it is always called: the argument cannot be empty, because for
plaintext, setting server_condition is what enables it as a server
authenticator. For all the other authenticators, this function is called after
they have authenticated, to enable additional authorization to be done.
Argument: the authenticator's instance block
Returns:
OK NULL argument, or success
DEFER couldn't complete the check
FAIL authentication failed
*/
int
auth_check_serv_cond(auth_instance *ablock)
{
uschar *cond;
HDEBUG(D_auth)
{
int i;
debug_printf("%s authenticator:\n", ablock->name);
for (i = 0; i < AUTH_VARS; i++)
{
if (auth_vars[i] != NULL)
debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
}
for (i = 1; i <= expand_nmax; i++)
debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
debug_print_string(ablock->server_debug_string); /* customized debug */
}
/* For the plaintext authenticator, server_condition is never NULL. For the
rest, an unset condition lets everything through. */
if (ablock->server_condition == NULL) return OK;
cond = expand_string(ablock->server_condition);
HDEBUG(D_auth)
{
if (cond == NULL)
debug_printf("expansion failed: %s\n", expand_string_message);
else
debug_printf("expanded string: %s\n", cond);
}
/* A forced expansion failure causes authentication to fail. Other expansion
failures yield DEFER, which will cause a temporary error code to be returned to
the AUTH command. The problem is at the server end, so the client should try
again later. */
if (cond == NULL)
{
if (expand_string_forcedfail) return FAIL;
auth_defer_msg = expand_string_message;
return DEFER;
}
/* Return FAIL for empty string, "0", "no", and "false"; return OK for
"1", "yes", and "true"; return DEFER for anything else, with the string
available as an error text for the user. */
if (*cond == 0 ||
Ustrcmp(cond, "0") == 0 ||
strcmpic(cond, US"no") == 0 ||
strcmpic(cond, US"false") == 0)
return FAIL;
if (Ustrcmp(cond, "1") == 0 ||
strcmpic(cond, US"yes") == 0 ||
strcmpic(cond, US"true") == 0)
return OK;
auth_defer_msg = cond;
auth_defer_user_msg = string_sprintf(": %s", cond);
return DEFER;
}
/* End of check_serv_cond.c */
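Review bot: the module comment says the file contains "the function server_condition()", but the function defined is auth_check_serv_cond(); fix the name. The Returns block lists "FAIL authentication failed", yet for every authenticator except plaintext this function runs after authentication has already succeeded, so FAIL here means the authorization condition rejected an authenticated user; the comment should say so. Also note that `auth_defer_user_msg = string_sprintf(": %s", cond);` sends the expanded condition string back to the client in the temporary-error reply whenever the expansion is not one of the yes/no/true/false tokens, so a server_condition that expands to something unexpected exposes that text to an unauthenticated client; this is inherited from plaintext, but it now applies to all authenticators and deserves a sentence in the option documentation.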
Index: Makefile
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/Makefile,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- Makefile 2 Oct 2006 13:38:18 -0000 1.4
+++ Makefile 16 Oct 2006 15:44:36 -0000 1.5
@@ -1,4 +1,4 @@
-# $Cambridge: exim/exim-src/src/auths/Makefile,v 1.4 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/exim-src/src/auths/Makefile,v 1.5 2006/10/16 15:44:36 ph10 Exp $
# Make file for building a library containing all the available authorization
# methods, and calling it auths.a. In addition, there are functions that are
@@ -7,10 +7,10 @@
# after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are
# defined, the equivalent modules herein is not included in the final binary.
-OBJ = b64encode.o b64decode.o call_pam.o call_pwcheck.o call_radius.o \
- xtextencode.o xtextdecode.o get_data.o get_no64_data.o md5.o \
- cram_md5.o cyrus_sasl.o dovecot.o plaintext.o pwcheck.o sha1.o \
- auth-spa.o spa.o
+OBJ = auth-spa.o b64decode.o b64encode.o call_pam.o call_pwcheck.o \
+ call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \
+ get_data.o get_no64_data.o md5.o plaintext.o pwcheck.o sha1.o \
+ spa.o xtextdecode.o xtextencode.o
auths.a: $(OBJ)
@$(RM_COMMAND) -f auths.a
@@ -23,24 +23,25 @@
.c.o:; @echo "$(CC) $*.c"
$(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
-auth-spa.o: $(HDRS) auth-spa.c
-b64encode.o: $(HDRS) b64encode.c
-b64decode.o: $(HDRS) b64decode.c
-call_pam.o: $(HDRS) call_pam.c
-call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h
-call_radius.o: $(HDRS) call_radius.c
-get_data.o: $(HDRS) get_data.c
-get_no64_data.o: $(HDRS) get_no64_data.c
-md5.o: $(HDRS) md5.c
-pwcheck.o: $(HDRS) pwcheck.c pwcheck.h
-sha1.o: $(HDRS) sha1.c
-xtextencode.o: $(HDRS) xtextencode.c
-xtextdecode.o: $(HDRS) xtextdecode.c
-
-cram_md5.o: $(HDRS) cram_md5.c cram_md5.h
-cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h
-dovecot.o: $(HDRS) dovecot.c dovecot.h
-plaintext.o: $(HDRS) plaintext.c plaintext.h
-spa.o: $(HDRS) spa.c spa.h
+auth-spa.o: $(HDRS) auth-spa.c
+b64encode.o: $(HDRS) b64encode.c
+b64decode.o: $(HDRS) b64decode.c
+call_pam.o: $(HDRS) call_pam.c
+call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h
+call_radius.o: $(HDRS) call_radius.c
+check_serv_cond.o: $(HDRS) check_serv_cond.c
+get_data.o: $(HDRS) get_data.c
+get_no64_data.o: $(HDRS) get_no64_data.c
+md5.o: $(HDRS) md5.c
+pwcheck.o: $(HDRS) pwcheck.c pwcheck.h
+sha1.o: $(HDRS) sha1.c
+xtextdecode.o: $(HDRS) xtextdecode.c
+xtextencode.o: $(HDRS) xtextencode.c
+
+cram_md5.o: $(HDRS) cram_md5.c cram_md5.h
+cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h
+dovecot.o: $(HDRS) dovecot.c dovecot.h
+plaintext.o: $(HDRS) plaintext.c plaintext.h
+spa.o: $(HDRS) spa.c spa.h
# End
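Review bot: this hunk removes and re-adds the whole dependency block although only the `check_serv_cond.o: $(HDRS) check_serv_cond.c` line is new; the other lines appear identical here, so this looks like a whitespace-only rewrite that makes the change harder to review. If the block is being touched anyway, `b64decode.o` should precede `b64encode.o` to match the alphabetical order the first hunk introduces for OBJ.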
Index: README
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/README,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- README 23 Feb 2006 12:41:22 -0000 1.5
+++ README 16 Oct 2006 15:44:36 -0000 1.6
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-src/src/auths/README,v 1.5 2006/02/23 12:41:22 ph10 Exp $
+$Cambridge: exim/exim-src/src/auths/README,v 1.6 2006/10/16 15:44:36 ph10 Exp $
AUTHS
@@ -59,7 +59,7 @@
DEFER couldn't complete the check
FAIL authentication failed
CANCELLED authentication forced to fail by "*" response to challenge,
- or by a forced string expansion failure
+ or by certain forced string expansion failures
BAD64 bad base64 data received
UNEXPECTED unexpected data received
Index: cram_md5.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/cram_md5.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- cram_md5.c 23 Feb 2006 12:41:22 -0000 1.5
+++ cram_md5.c 16 Oct 2006 15:44:36 -0000 1.6
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/cram_md5.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/cram_md5.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -233,7 +233,8 @@
((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
}
-return OK;
+/* Expand server_condition as an authorization check */
+return auth_check_serv_cond(ablock);
}
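Review bot: replacing `return OK;` with `return auth_check_serv_cond(ablock);` is safe here because the digest comparison loop above already returns FAIL on any mismatch, so server_condition is only expanded for a verified response. A one-line comment that FAIL from the condition will be reported to the client exactly like a bad digest would help whoever reads this next.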
Index: cyrus_sasl.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/cyrus_sasl.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- cyrus_sasl.c 10 Feb 2006 14:25:43 -0000 1.4
+++ cyrus_sasl.c 16 Oct 2006 15:44:36 -0000 1.5
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/cyrus_sasl.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/cyrus_sasl.c,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -53,7 +53,7 @@
int auth_cyrus_sasl_options_count =
sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
-/* Default private options block for the contidion authentication method. */
+/* Default private options block for the cyrus_sasl authentication method. */
auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
US"smtp", /* server_service */
@@ -332,11 +332,13 @@
expand_nmax = 1;
HDEBUG(D_auth)
- debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2);
+ debug_printf("Cyrus SASL %s authentication succeeded for %s\n", ob->server_mech, out2);
/* close down the connection, freeing up library's memory */
sasl_dispose(&conn);
sasl_done();
- return OK;
+
+ /* Expand server_condition as an authorization check */
+ return auth_check_serv_cond(ablock);
}
}
/* NOTREACHED */
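Review bot: the new call is correctly placed after sasl_dispose()/sasl_done(), so the library context is released before the string expansion runs, and `expand_nmax = 1` and $auth1 are set above it, so the condition can still refer to the authenticated user. The two comment typo fixes in this file ("contidion", "authentiction") are unrelated to the feature and would be cleaner in a separate commit.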
Index: dovecot.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/dovecot.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- dovecot.c 16 Oct 2006 13:43:22 -0000 1.2
+++ dovecot.c 16 Oct 2006 15:44:36 -0000 1.3
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/dovecot.c,v 1.2 2006/10/16 13:43:22 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/dovecot.c,v 1.3 2006/10/16 15:44:36 ph10 Exp $ */
/*
* Copyright (c) 2004 Andrey Panin <pazke@???>
@@ -309,5 +309,7 @@
}
out: close(fd);
- return ret;
+
+ /* Expand server_condition as an authorization check */
+ return (ret == OK)? auth_check_serv_cond(ablock) : ret;
}
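Review bot: `return (ret == OK)? auth_check_serv_cond(ablock) : ret;` is the right shape here, since the `out:` label is also reached from error paths and DEFER/FAIL from the Dovecot exchange must be passed through untouched; the guard ensures server_condition is only consulted after a successful authentication, consistent with the other drivers.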
Index: plaintext.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/plaintext.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- plaintext.c 23 Feb 2006 12:41:22 -0000 1.5
+++ plaintext.c 16 Oct 2006 15:44:36 -0000 1.6
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/plaintext.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/plaintext.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -18,8 +18,6 @@
(void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) },
{ "client_send", opt_stringptr,
(void *)(offsetof(auth_plaintext_options_block, client_send)) },
- { "server_condition", opt_stringptr,
- (void *)(offsetof(auth_plaintext_options_block, server_condition)) },
{ "server_prompts", opt_stringptr,
(void *)(offsetof(auth_plaintext_options_block, server_prompts)) }
};
@@ -33,7 +31,6 @@
/* Default private options block for the plaintext authentication method. */
auth_plaintext_options_block auth_plaintext_option_defaults = {
- NULL, /* server_condition */
NULL, /* server_prompts */
NULL, /* client_send */
FALSE /* client_ignore_invalid_base64 */
@@ -54,7 +51,7 @@
auth_plaintext_options_block *ob =
(auth_plaintext_options_block *)(ablock->options_block);
if (ablock->public_name == NULL) ablock->public_name = ablock->name;
-if (ob->server_condition != NULL) ablock->server = TRUE;
+if (ablock->server_condition != NULL) ablock->server = TRUE;
if (ob->client_send != NULL) ablock->client = TRUE;
}
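Review bot: with server_condition now a generic auth_instance option, `if (ablock->server_condition != NULL) ablock->server = TRUE;` preserves plaintext's special meaning (setting the condition is what makes it a server), while the same option on the other drivers does not enable their server side. That asymmetry is documented in NewStuff but deserves a comment at this line as well, since someone grepping for server_condition will find the generic option first.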
@@ -72,7 +69,7 @@
auth_plaintext_options_block *ob =
(auth_plaintext_options_block *)(ablock->options_block);
uschar *prompts = ob->server_prompts;
-uschar *clear, *cond, *end, *s;
+uschar *clear, *end, *s;
int number = 1;
int len, rc;
int sep = 0;
@@ -141,59 +138,12 @@
}
/* We now have a number of items of data in $auth1, $auth2, etc (and also, for
-compatibility, in $1, $2, etc). Match against the decoded data by expanding the
-condition. */
+compatibility, in $1, $2, etc). Authentication and authorization are handled
+together for this authenticator by expanding the server_condition option. Note
+that ablock->server_condition is always non-NULL because that's what configures
+this authenticator as a server. */
-cond = expand_string(ob->server_condition);
-
-HDEBUG(D_auth)
- {
- int i;
- debug_printf("%s authenticator:\n", ablock->name);
- for (i = 0; i < AUTH_VARS; i++)
- {
- if (auth_vars[i] != NULL)
- debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
- }
- for (i = 1; i <= expand_nmax; i++)
- debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
- debug_print_string(ablock->server_debug_string); /* customized debug */
- if (cond == NULL)
- debug_printf("expansion failed: %s\n", expand_string_message);
- else
- debug_printf("expanded string: %s\n", cond);
- }
-
-/* A forced expansion failure causes authentication to fail. Other expansion
-failures yield DEFER, which will cause a temporary error code to be returned to
-the AUTH command. The problem is at the server end, so the client should try
-again later. */
-
-if (cond == NULL)
- {
- if (expand_string_forcedfail) return FAIL;
- auth_defer_msg = expand_string_message;
- return DEFER;
- }
-
-/* Return FAIL for empty string, "0", "no", and "false"; return OK for
-"1", "yes", and "true"; return DEFER for anything else, with the string
-available as an error text for the user. */
-
-if (*cond == 0 ||
- Ustrcmp(cond, "0") == 0 ||
- strcmpic(cond, US"no") == 0 ||
- strcmpic(cond, US"false") == 0)
- return FAIL;
-
-if (Ustrcmp(cond, "1") == 0 ||
- strcmpic(cond, US"yes") == 0 ||
- strcmpic(cond, US"true") == 0)
- return OK;
-
-auth_defer_msg = cond;
-auth_defer_user_msg = string_sprintf(": %s", cond);
-return DEFER;
+return auth_check_serv_cond(ablock);
}
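Review bot: the removed block has been moved verbatim into auth_check_serv_cond(), so plaintext behaviour is unchanged (forced failure gives FAIL, other expansion failure gives DEFER, a non-boolean result gives DEFER with the string shown to the client). The new comment should also make explicit that the `return OK` for a NULL condition in auth_check_serv_cond is only safe for plaintext because auth_plaintext_init sets ablock->server solely when server_condition is set; if that init logic ever changes, an unconfigured plaintext server would accept any credentials.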
Index: plaintext.h
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/plaintext.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- plaintext.h 23 Feb 2006 12:41:22 -0000 1.4
+++ plaintext.h 16 Oct 2006 15:44:36 -0000 1.5
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/plaintext.h,v 1.4 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/plaintext.h,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -10,7 +10,6 @@
/* Private structure for the private options. */
typedef struct {
- uschar *server_condition;
uschar *server_prompts;
uschar *client_send;
BOOL client_ignore_invalid_base64;
Index: spa.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/spa.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- spa.c 23 Feb 2006 12:41:22 -0000 1.7
+++ spa.c 16 Oct 2006 15:44:36 -0000 1.8
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/spa.c,v 1.7 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/spa.c,v 1.8 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -25,8 +25,9 @@
* typedef unsigned uint32;
* typedef unsigned char uint8;
-07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
- input data. Find appropriate comment by grepping for "PH".
+07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
+ input data. Find appropriate comment by grepping for "PH".
+16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
*/
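Review bot: the two 07-August-2003 lines appear in the diff as both removed and re-added with no visible textual difference, so this is a whitespace-only change; dropping it would keep the hunk to the new 16-October-2006 line.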
@@ -231,7 +232,9 @@
((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
24) == 0)
/* success. we have a winner. */
- return OK;
+
+ /* Expand server_condition as an authorization check (PH) */
+ return auth_check_serv_cond(ablock);
return FAIL;
}
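Review bot: the `if (memcmp(...) == 0)` whose closing `24) == 0)` opens this hunk has no braces, and the added blank line and comment between the condition and `return auth_check_serv_cond(ablock);` make the return easy to misread as unconditional (it is not: comments are not statements, and `return FAIL;` still follows for the mismatch case). Wrap the body in braces, e.g. `{ /* Expand server_condition as an authorization check (PH) */ return auth_check_serv_cond(ablock); }`, so the control flow is visible without counting statements.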
Index: 3500
===================================================================
RCS file: /home/cvs/exim/exim-test/confs/3500,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- 3500 10 Feb 2006 14:25:43 -0000 1.2
+++ 3500 16 Oct 2006 15:44:36 -0000 1.3
@@ -13,7 +13,7 @@
domainlist local_domains = test.ex : *.test.ex
-hostlist auth_hosts = 10.0.0.1
+hostlist auth_hosts = 10.0.0.1 : 10.0.0.5
hostlist relay_hosts = 10.0.0.4
hostlist auth_relay_hosts = 10.0.0.3 : 10.0.0.4
@@ -80,6 +80,7 @@
server_secret = "${if eq{$auth1}{tim}{tanstaaftanstaaf}\
{${if eq{$auth1}{userx}{secret}fail}}}"
server_set_id = $auth1
+ server_condition = ${if !eq {$sender_host_address}{10.0.0.5}}
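Review bot: `${if !eq {$sender_host_address}{10.0.0.5}}` with no result strings expands to "true" when the host is not 10.0.0.5 and to the empty string when it is, and the empty string maps to FAIL in auth_check_serv_cond, so the test exercises both outcomes (the stderr change shows "expanded string: true" and an empty expansion respectively). An explicit `{yes}{no}` would make the intended FAIL path clearer to readers of the test config. The hostlist change is needed so that AUTH is advertised to 10.0.0.5 at all.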
Index: 3500
===================================================================
RCS file: /home/cvs/exim/exim-test/scripts/3500-CRAM-MD5/3500,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 3500 7 Feb 2006 10:54:49 -0000 1.1
+++ 3500 16 Oct 2006 15:44:36 -0000 1.2
@@ -32,4 +32,15 @@
.
quit
****
+exim -bh 10.0.0.5
+ehlo test.host
+AUTH CRAM-MD5
+dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
+mail from:<userx@???>
+rcpt to:<userx@???>
+data
+Testing authenticated CRAM-MD5.
+.
+quit
+****
no_msglog_check
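Review bot: the new session sends a CRAM-MD5 response that, per the stderr change, verifies against the same fixed challenge and digest as the 10.0.0.1 session and is then refused by server_condition; a short comment in the script saying that the credentials are meant to be correct and the rejection comes from the authorization condition would save the next reader decoding the base64 to work out which failure is being tested.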
Index: 3500
===================================================================
RCS file: /home/cvs/exim/exim-test/stderr/3500,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- 3500 10 Feb 2006 14:25:44 -0000 1.2
+++ 3500 16 Oct 2006 15:44:36 -0000 1.3
@@ -8,7 +8,7 @@
>>> host in helo_accept_junk_hosts? no (option unset)
>>> test.host in helo_lookup_domains? no (end of list)
>>> host in pipelining_advertise_hosts? yes (matched "*")
->>> host in "10.0.0.1"? no (end of list)
+>>> host in "10.0.0.1 : 10.0.0.5"? no (end of list)
>>> host in "10.0.0.4"? yes (matched "10.0.0.4")
>>> host in auth_advertise_hosts? no (matched "!+relay_hosts")
>>> host in hosts_connection_nolog? no (option unset)
@@ -21,13 +21,18 @@
>>> host in helo_accept_junk_hosts? no (option unset)
>>> test.host in helo_lookup_domains? no (end of list)
>>> host in pipelining_advertise_hosts? yes (matched "*")
->>> host in "10.0.0.1"? yes (matched "10.0.0.1")
+>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.1")
>>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
>>> CRAM-MD5: user name = tim
>>> challenge = <1896.697170952@???>
>>> received = b913a602c7eda7a495b4e6e7334d3890
>>> digest = b913a602c7eda7a495b4e6e7334d3890
+>>> cram_md5 authenticator:
+>>> $auth1 = tim
+>>> $1 = tim
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> expanded string: true
>>> using ACL "check_recipient"
>>> processing "warn"
>>> check hosts = 10.0.0.5
@@ -54,3 +59,37 @@
>>> accept: condition test succeeded
>>> host in ignore_fromline_hosts? no (option unset)
LOG: 10HmaY-0005vi-00 <= userx@??? H=(test.host) [10.0.0.1] P=esmtpa A=cram_md5:tim S=sss
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> test.host in helo_lookup_domains? no (end of list)
+>>> host in pipelining_advertise_hosts? yes (matched "*")
+>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.5")
+>>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> CRAM-MD5: user name = tim
+>>> challenge = <1896.697170952@???>
+>>> received = b913a602c7eda7a495b4e6e7334d3890
+>>> digest = b913a602c7eda7a495b4e6e7334d3890
+>>> cram_md5 authenticator:
+>>> $auth1 = tim
+>>> $1 = tim
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> expanded string:
+LOG: cram_md5 authenticator failed for (test.host) [10.0.0.5]: 535 Incorrect authentication data (set_id=tim)
+>>> using ACL "check_recipient"
+>>> processing "warn"
+>>> check hosts = 10.0.0.5
+>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
+>>> warn: condition test succeeded
+>>> processing "accept"
+>>> check hosts = 10.0.0.5
+>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
+>>> accept: condition test succeeded
+>>> host in ignore_fromline_hosts? no (option unset)
+LOG: 10HmaZ-0005vi-00 <= userx@??? H=(test.host) [10.0.0.5] P=esmtp S=sss
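Review bot: the log line `LOG: cram_md5 authenticator failed for (test.host) [10.0.0.5]: 535 Incorrect authentication data (set_id=tim)` is emitted although the preceding debug lines show the digest matched and only the server_condition expansion was empty. Operators and any failed-login monitoring keyed on this text will see a correct password reported as "Incorrect authentication data", which makes authorization denials indistinguishable from credential-guessing in the main log; a distinct log text for a server_condition rejection would be worth adding. Also, the `+++CRAM-MD5 $auth1="tim" ...` debug line now appears twice per attempt; if the first copy is the driver's own server_debug_print output, one of the two calls to debug_print_string is redundant.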
Index: 3407
===================================================================
RCS file: /home/cvs/exim/exim-test/stdout/3407,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- 3407 23 Feb 2006 12:41:23 -0000 1.2
+++ 3407 16 Oct 2006 15:44:36 -0000 1.3
@@ -3,46 +3,46 @@
driver = plaintext
public_name = PLAIN
server_advertise_condition =
+server_condition = xxx
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition = xxx
server_prompts =
a2 authenticator:
driver = plaintext
public_name = PLAIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =
a3 authenticator:
driver = plaintext
public_name = LOGIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =
a4 authenticator:
driver = plaintext
public_name = LOGIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =
Index: 3500
===================================================================
RCS file: /home/cvs/exim/exim-test/stdout/3500,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 3500 7 Feb 2006 10:47:37 -0000 1.1
+++ 3500 16 Oct 2006 15:44:36 -0000 1.2
@@ -60,3 +60,26 @@
**** SMTP testing: that is not a real message id!
221 myhost.test.ex closing connection
+
+**** SMTP testing session as if from host 10.0.0.5
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello test.host [10.0.0.5]
+250-SIZE 52428800
+250-ETRN
+250-EXPN
+250-PIPELINING
+250-AUTH CRAM-MD5
+250 HELP
+334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
+535 Incorrect authentication data
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaZ-0005vi-00
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection