[exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog NewSt…

Góra strony
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
Dla: exim-cvs
Temat: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog NewStuff OptionLists.txt exim/exim-src/scripts MakeLinks exim/exim-src/src functions.h globals.c structs.h exim/exim-src/src/auths Makefile REA
ph10 2006/10/16 16:44:36 BST

  Modified files:
    exim-doc/doc-txt     ChangeLog NewStuff OptionLists.txt 
    exim-src/scripts     MakeLinks 
    exim-src/src         functions.h globals.c structs.h 
    exim-src/src/auths   Makefile README cram_md5.c cyrus_sasl.c 
                         dovecot.c plaintext.c plaintext.h spa.c 
    exim-test/confs      3500 
    exim-test/scripts/3500-CRAM-MD5 3500 
    exim-test/stderr     3500 
    exim-test/stdout     3407 3500 
  Added files:
    exim-src/src/auths   check_serv_cond.c 
  Log:
  Add server_condition to all authenticators, to allow for additional
  conditions (and thereby implement authorization).


  Revision  Changes    Path
  1.410     +5 -0      exim/exim-doc/doc-txt/ChangeLog
  1.117     +7 -0      exim/exim-doc/doc-txt/NewStuff
  1.25      +1 -1      exim/exim-doc/doc-txt/OptionLists.txt
  1.8       +1 -0      exim/exim-src/scripts/MakeLinks
  1.5       +23 -22    exim/exim-src/src/auths/Makefile
  1.6       +1 -1      exim/exim-src/src/auths/README
  1.1       +99 -0     exim/exim-src/src/auths/check_serv_cond.c (new)
  1.6       +2 -1      exim/exim-src/src/auths/cram_md5.c
  1.5       +5 -3      exim/exim-src/src/auths/cyrus_sasl.c
  1.3       +3 -1      exim/exim-src/src/auths/dovecot.c
  1.6       +7 -57     exim/exim-src/src/auths/plaintext.c
  1.5       +0 -1      exim/exim-src/src/auths/plaintext.h
  1.8       +6 -3      exim/exim-src/src/auths/spa.c
  1.29      +1 -0      exim/exim-src/src/functions.h
  1.60      +3 -0      exim/exim-src/src/globals.c
  1.13      +1 -0      exim/exim-src/src/structs.h
  1.3       +2 -1      exim/exim-test/confs/3500
  1.2       +11 -0     exim/exim-test/scripts/3500-CRAM-MD5/3500
  1.3       +41 -2     exim/exim-test/stderr/3500
  1.3       +4 -4      exim/exim-test/stdout/3407
  1.2       +23 -0     exim/exim-test/stdout/3500


  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.409
  retrieving revision 1.410
  diff -u -r1.409 -r1.410
  --- ChangeLog    16 Oct 2006 13:43:21 -0000    1.409
  +++ ChangeLog    16 Oct 2006 15:44:36 -0000    1.410
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.409 2006/10/16 13:43:21 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.410 2006/10/16 15:44:36 ph10 Exp $


   Change log file for Exim from version 4.21
   -------------------------------------------
  @@ -149,6 +149,11 @@
         if the connection is using TLS or if the remote IP is the same as the
         local IP, and the "valid-client-cert option" if a client certificate has
         been verified.
  +
  +PH/22 As suggested by Denis Davies, added a server_condition option to *all*
  +      authenticators. This can be used for authorization after authentication
  +      succeeds. (In the case of plaintext, it servers for both authentication
  +      and authorization.)



Exim version 4.63

  Index: NewStuff
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
  retrieving revision 1.116
  retrieving revision 1.117
  diff -u -r1.116 -r1.117
  --- NewStuff    16 Oct 2006 13:43:21 -0000    1.116
  +++ NewStuff    16 Oct 2006 15:44:36 -0000    1.117
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.116 2006/10/16 13:43:21 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.117 2006/10/16 15:44:36 ph10 Exp $


   New Features in Exim
   --------------------
  @@ -123,6 +123,13 @@
      In this case there is a lookup in dnsbl.sorbs.net, and if none of the IP
      values matches (or if no record is found), this is the only lookup that is
      done. Only if there is a match is one of the more specific lists consulted.
  +
  +6. All authenticators now have a server_condition option. Previously, only
  +   plaintext had this, and this has not changed: it must be set to the
  +   authenticator as a server. For the others, if server_condition is set, it is
  +   expanded if authentication is successful, and treated exactly as it is in
  +   plaintext. This can serve as a means of adding authorization to an
  +   authenticator.



Version 4.63

  Index: OptionLists.txt
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/OptionLists.txt,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- OptionLists.txt    22 Sep 2006 14:01:12 -0000    1.24
  +++ OptionLists.txt    16 Oct 2006 15:44:36 -0000    1.25
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/OptionLists.txt,v 1.24 2006/09/22 14:01:12 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/OptionLists.txt,v 1.25 2006/10/16 15:44:36 ph10 Exp $


   LISTS OF EXIM OPTIONS
   ---------------------
  @@ -442,7 +442,7 @@
   senders                              address list    unset         routers           4.00
   serialize_hosts                      host list       unset         smtp              1.60
   server_advertise_condition           string*         unset         authenticators    4.14
  -server_condition                     string*         unset         plaintext         3.10
  +server_condition                     string*         unset         authenticators    3.10 (plaintext) 4.64 (others)
   server_hostname                      string*   "$primary_hostname" cyrus_sasl        4.43
   server_mail_auth_condition           string*         unset         authenticators    3.22
   server_mech                          string          public_name   cyrus_sasl        4.43


  Index: MakeLinks
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/scripts/MakeLinks,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- MakeLinks    2 Oct 2006 13:38:18 -0000    1.7
  +++ MakeLinks    16 Oct 2006 15:44:36 -0000    1.8
  @@ -1,5 +1,5 @@
   #!/bin/sh
  -# $Cambridge: exim/exim-src/scripts/MakeLinks,v 1.7 2006/10/02 13:38:18 ph10 Exp $
  +# $Cambridge: exim/exim-src/scripts/MakeLinks,v 1.8 2006/10/16 15:44:36 ph10 Exp $


   # Script to build links for all the exim source files from the system-
   # specific build directory. It should be run from within that directory.
  @@ -162,6 +162,7 @@
   ln -s ../../src/auths/call_pam.c         call_pam.c
   ln -s ../../src/auths/call_pwcheck.c     call_pwcheck.c
   ln -s ../../src/auths/call_radius.c      call_radius.c
  +ln -s ../../src/auths/check_serv_cond.c  check_serv_cond.c
   ln -s ../../src/auths/cyrus_sasl.c       cyrus_sasl.c
   ln -s ../../src/auths/cyrus_sasl.h       cyrus_sasl.h
   ln -s ../../src/auths/get_data.c         get_data.c


  Index: functions.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/functions.h,v
  retrieving revision 1.28
  retrieving revision 1.29
  diff -u -r1.28 -r1.29
  --- functions.h    9 Oct 2006 14:36:25 -0000    1.28
  +++ functions.h    16 Oct 2006 15:44:36 -0000    1.29
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/functions.h,v 1.28 2006/10/09 14:36:25 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/functions.h,v 1.29 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -49,6 +49,7 @@
   extern int     auth_call_radius(uschar *, uschar **);
   extern int     auth_call_saslauthd(uschar *, uschar *, uschar *, uschar *,
                    uschar **);
  +extern int     auth_check_serv_cond(auth_instance *);
   extern int     auth_get_data(uschar **, uschar *, int);
   extern int     auth_get_no64_data(uschar **, uschar *);
   extern uschar *auth_xtextencode(uschar *, int);


  Index: globals.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/globals.c,v
  retrieving revision 1.59
  retrieving revision 1.60
  diff -u -r1.59 -r1.60
  --- globals.c    25 Sep 2006 10:14:20 -0000    1.59
  +++ globals.c    16 Oct 2006 15:44:36 -0000    1.60
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/globals.c,v 1.59 2006/09/25 10:14:20 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/globals.c,v 1.60 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -38,6 +38,8 @@
                    (void *)(offsetof(auth_instance, public_name)) },
     { "server_advertise_condition", opt_stringptr | opt_public,
                    (void *)(offsetof(auth_instance, advertise_condition))},
  +  { "server_condition", opt_stringptr | opt_public,
  +                 (void *)(offsetof(auth_instance, server_condition)) },
     { "server_debug_print", opt_stringptr | opt_public,
                    (void *)(offsetof(auth_instance, server_debug_string)) },
     { "server_mail_auth_condition", opt_stringptr | opt_public,
  @@ -325,6 +327,7 @@
       NULL,                      /* set_id */
       NULL,                      /* server_mail_auth_condition */
       NULL,                      /* server_debug_string */
  +    NULL,                      /* server_condition */
       FALSE,                     /* client */
       FALSE,                     /* server */
       FALSE                      /* advertised */


  Index: structs.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/structs.h,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- structs.h    25 Sep 2006 11:25:37 -0000    1.12
  +++ structs.h    16 Oct 2006 15:44:36 -0000    1.13
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/structs.h,v 1.12 2006/09/25 11:25:37 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/structs.h,v 1.13 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -367,6 +367,7 @@
     uschar *set_id;                 /* String to set as authenticated id */
     uschar *mail_auth_condition;    /* Condition for AUTH on MAIL command */
     uschar *server_debug_string;    /* Debugging output */
  +  uschar *server_condition;       /* Authorization condition */
     BOOL    client;                 /* TRUE if client option(s) set */
     BOOL    server;                 /* TRUE if server options(s) set */
     BOOL    advertised;             /* Set TRUE when advertised */


Index: check_serv_cond.c
====================================================================
/* $Cambridge: exim/exim-src/src/auths/check_serv_cond.c,v 1.1 2006/10/16 15:44:36 ph10 Exp $ */

  /*************************************************
  *     Exim - an Internet mail transport agent    *
  *************************************************/


/* Copyright (c) University of Cambridge 1995 - 2006 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"

/* This module contains the function server_condition(), which is used
by all authenticators. */


  /*************************************************
  *              Check server_condition            *
  *************************************************/


/* This function is called from the server code of all authenticators. For
plaintext, it is always called: the argument cannot be empty, because for
plaintext, setting server_condition is what enables it as a server
authenticator. For all the other authenticators, this function is called after
they have authenticated, to enable additional authorization to be done.

  Argument:     the authenticator's instance block


  Returns:
    OK          NULL argument, or success
    DEFER       couldn't complete the check
    FAIL        authentication failed
  */


int
auth_check_serv_cond(auth_instance *ablock)
{
uschar *cond;

  HDEBUG(D_auth)
    {
    int i;
    debug_printf("%s authenticator:\n", ablock->name);
    for (i = 0; i < AUTH_VARS; i++)
      {
      if (auth_vars[i] != NULL)
        debug_printf("  $auth%d = %s\n", i + 1, auth_vars[i]);
      }
    for (i = 1; i <= expand_nmax; i++)
      debug_printf("  $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
    debug_print_string(ablock->server_debug_string);    /* customized debug */
    }


/* For the plaintext authenticator, server_condition is never NULL. For the
rest, an unset condition lets everything through. */

if (ablock->server_condition == NULL) return OK;
cond = expand_string(ablock->server_condition);

  HDEBUG(D_auth)
    {
    if (cond == NULL)
      debug_printf("expansion failed: %s\n", expand_string_message);
    else
      debug_printf("expanded string: %s\n", cond);
    }


/* A forced expansion failure causes authentication to fail. Other expansion
failures yield DEFER, which will cause a temporary error code to be returned to
the AUTH command. The problem is at the server end, so the client should try
again later. */

  if (cond == NULL)
    {
    if (expand_string_forcedfail) return FAIL;
    auth_defer_msg = expand_string_message;
    return DEFER;
    }


/* Return FAIL for empty string, "0", "no", and "false"; return OK for
"1", "yes", and "true"; return DEFER for anything else, with the string
available as an error text for the user. */

  if (*cond == 0 ||
      Ustrcmp(cond, "0") == 0 ||
      strcmpic(cond, US"no") == 0 ||
      strcmpic(cond, US"false") == 0)
    return FAIL;


  if (Ustrcmp(cond, "1") == 0 ||
      strcmpic(cond, US"yes") == 0 ||
      strcmpic(cond, US"true") == 0)
    return OK;


auth_defer_msg = cond;
auth_defer_user_msg = string_sprintf(": %s", cond);
return DEFER;
}

/* End of check_serv_cond.c */

  Index: Makefile
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/Makefile,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- Makefile    2 Oct 2006 13:38:18 -0000    1.4
  +++ Makefile    16 Oct 2006 15:44:36 -0000    1.5
  @@ -1,4 +1,4 @@
  -# $Cambridge: exim/exim-src/src/auths/Makefile,v 1.4 2006/10/02 13:38:18 ph10 Exp $
  +# $Cambridge: exim/exim-src/src/auths/Makefile,v 1.5 2006/10/16 15:44:36 ph10 Exp $


# Make file for building a library containing all the available authorization
# methods, and calling it auths.a. In addition, there are functions that are
@@ -7,10 +7,10 @@
# after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are
# defined, the equivalent modules herein is not included in the final binary.

  -OBJ = b64encode.o b64decode.o call_pam.o call_pwcheck.o call_radius.o \
  -      xtextencode.o xtextdecode.o get_data.o get_no64_data.o md5.o \
  -      cram_md5.o cyrus_sasl.o dovecot.o plaintext.o pwcheck.o sha1.o \
  -      auth-spa.o spa.o
  +OBJ = auth-spa.o b64decode.o b64encode.o call_pam.o call_pwcheck.o \
  +      call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \
  +      get_data.o get_no64_data.o md5.o plaintext.o pwcheck.o sha1.o \
  +      spa.o xtextdecode.o xtextencode.o


   auths.a:         $(OBJ)
            @$(RM_COMMAND) -f auths.a
  @@ -23,24 +23,25 @@
   .c.o:;           @echo "$(CC) $*.c"
            $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c


  -auth-spa.o:      $(HDRS) auth-spa.c
  -b64encode.o:     $(HDRS) b64encode.c
  -b64decode.o:     $(HDRS) b64decode.c
  -call_pam.o:      $(HDRS) call_pam.c
  -call_pwcheck.o:  $(HDRS) call_pwcheck.c pwcheck.h
  -call_radius.o:   $(HDRS) call_radius.c
  -get_data.o:      $(HDRS) get_data.c
  -get_no64_data.o: $(HDRS) get_no64_data.c
  -md5.o:           $(HDRS) md5.c
  -pwcheck.o:       $(HDRS) pwcheck.c pwcheck.h
  -sha1.o:          $(HDRS) sha1.c
  -xtextencode.o:   $(HDRS) xtextencode.c
  -xtextdecode.o:   $(HDRS) xtextdecode.c
  -
  -cram_md5.o:      $(HDRS) cram_md5.c cram_md5.h
  -cyrus_sasl.o:    $(HDRS) cyrus_sasl.c cyrus_sasl.h
  -dovecot.o:       $(HDRS) dovecot.c dovecot.h
  -plaintext.o:     $(HDRS) plaintext.c plaintext.h
  -spa.o:           $(HDRS) spa.c spa.h
  +auth-spa.o:         $(HDRS) auth-spa.c
  +b64encode.o:        $(HDRS) b64encode.c
  +b64decode.o:        $(HDRS) b64decode.c
  +call_pam.o:         $(HDRS) call_pam.c
  +call_pwcheck.o:     $(HDRS) call_pwcheck.c pwcheck.h
  +call_radius.o:      $(HDRS) call_radius.c
  +check_serv_cond.o:  $(HDRS) check_serv_cond.c
  +get_data.o:         $(HDRS) get_data.c
  +get_no64_data.o:    $(HDRS) get_no64_data.c
  +md5.o:              $(HDRS) md5.c
  +pwcheck.o:          $(HDRS) pwcheck.c pwcheck.h
  +sha1.o:             $(HDRS) sha1.c
  +xtextdecode.o:      $(HDRS) xtextdecode.c
  +xtextencode.o:      $(HDRS) xtextencode.c
  +
  +cram_md5.o:         $(HDRS) cram_md5.c cram_md5.h
  +cyrus_sasl.o:       $(HDRS) cyrus_sasl.c cyrus_sasl.h
  +dovecot.o:          $(HDRS) dovecot.c dovecot.h
  +plaintext.o:        $(HDRS) plaintext.c plaintext.h
  +spa.o:              $(HDRS) spa.c spa.h


# End

  Index: README
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/README,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- README    23 Feb 2006 12:41:22 -0000    1.5
  +++ README    16 Oct 2006 15:44:36 -0000    1.6
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-src/src/auths/README,v 1.5 2006/02/23 12:41:22 ph10 Exp $
  +$Cambridge: exim/exim-src/src/auths/README,v 1.6 2006/10/16 15:44:36 ph10 Exp $


AUTHS

  @@ -59,7 +59,7 @@
     DEFER       couldn't complete the check
     FAIL        authentication failed
     CANCELLED   authentication forced to fail by "*" response to challenge,
  -                or by a forced string expansion failure
  +                or by certain forced string expansion failures
     BAD64       bad base64 data received
     UNEXPECTED  unexpected data received



  Index: cram_md5.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/cram_md5.c,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- cram_md5.c    23 Feb 2006 12:41:22 -0000    1.5
  +++ cram_md5.c    16 Oct 2006 15:44:36 -0000    1.6
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/cram_md5.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/cram_md5.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -233,7 +233,8 @@
           ((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
     }


-return OK;
+/* Expand server_condition as an authorization check */
+return auth_check_serv_cond(ablock);
}



  Index: cyrus_sasl.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/cyrus_sasl.c,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- cyrus_sasl.c    10 Feb 2006 14:25:43 -0000    1.4
  +++ cyrus_sasl.c    16 Oct 2006 15:44:36 -0000    1.5
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/cyrus_sasl.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/cyrus_sasl.c,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -53,7 +53,7 @@
   int auth_cyrus_sasl_options_count =
     sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);


-/* Default private options block for the contidion authentication method. */
+/* Default private options block for the cyrus_sasl authentication method. */

   auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
     US"smtp",         /* server_service */
  @@ -332,11 +332,13 @@
       expand_nmax = 1;


       HDEBUG(D_auth)
  -      debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2);
  +      debug_printf("Cyrus SASL %s authentication succeeded for %s\n", ob->server_mech, out2);
       /* close down the connection, freeing up library's memory */
       sasl_dispose(&conn);
       sasl_done();
  -    return OK;
  +
  +    /* Expand server_condition as an authorization check */
  +    return auth_check_serv_cond(ablock);
       }
     }
   /* NOTREACHED */


  Index: dovecot.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/dovecot.c,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- dovecot.c    16 Oct 2006 13:43:22 -0000    1.2
  +++ dovecot.c    16 Oct 2006 15:44:36 -0000    1.3
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/dovecot.c,v 1.2 2006/10/16 13:43:22 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/dovecot.c,v 1.3 2006/10/16 15:44:36 ph10 Exp $ */


   /*
    * Copyright (c) 2004 Andrey Panin <pazke@???>
  @@ -309,5 +309,7 @@
          }


   out:   close(fd);
  -       return ret;
  +
  +       /* Expand server_condition as an authorization check */
  +       return (ret == OK)? auth_check_serv_cond(ablock) : ret;
   }


  Index: plaintext.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/plaintext.c,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- plaintext.c    23 Feb 2006 12:41:22 -0000    1.5
  +++ plaintext.c    16 Oct 2006 15:44:36 -0000    1.6
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/plaintext.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/plaintext.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -18,8 +18,6 @@
         (void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) },
     { "client_send",        opt_stringptr,
         (void *)(offsetof(auth_plaintext_options_block, client_send)) },
  -  { "server_condition",   opt_stringptr,
  -      (void *)(offsetof(auth_plaintext_options_block, server_condition)) },
     { "server_prompts",     opt_stringptr,
         (void *)(offsetof(auth_plaintext_options_block, server_prompts)) }
   };
  @@ -33,7 +31,6 @@
   /* Default private options block for the plaintext authentication method. */


   auth_plaintext_options_block auth_plaintext_option_defaults = {
  -  NULL,              /* server_condition */
     NULL,              /* server_prompts */
     NULL,              /* client_send */
     FALSE              /* client_ignore_invalid_base64 */
  @@ -54,7 +51,7 @@
   auth_plaintext_options_block *ob =
     (auth_plaintext_options_block *)(ablock->options_block);
   if (ablock->public_name == NULL) ablock->public_name = ablock->name;
  -if (ob->server_condition != NULL) ablock->server = TRUE;
  +if (ablock->server_condition != NULL) ablock->server = TRUE;
   if (ob->client_send != NULL) ablock->client = TRUE;
   }


  @@ -72,7 +69,7 @@
   auth_plaintext_options_block *ob =
     (auth_plaintext_options_block *)(ablock->options_block);
   uschar *prompts = ob->server_prompts;
  -uschar *clear, *cond, *end, *s;
  +uschar *clear, *end, *s;
   int number = 1;
   int len, rc;
   int sep = 0;
  @@ -141,59 +138,12 @@
     }


/* We now have a number of items of data in $auth1, $auth2, etc (and also, for
-compatibility, in $1, $2, etc). Match against the decoded data by expanding the
-condition. */
+compatibility, in $1, $2, etc). Authentication and authorization are handled
+together for this authenticator by expanding the server_condition option. Note
+that ablock->server_condition is always non-NULL because that's what configures
+this authenticator as a server. */

  -cond = expand_string(ob->server_condition);
  -
  -HDEBUG(D_auth)
  -  {
  -  int i;
  -  debug_printf("%s authenticator:\n", ablock->name);
  -  for (i = 0; i < AUTH_VARS; i++)
  -    {
  -    if (auth_vars[i] != NULL)
  -      debug_printf("  $auth%d = %s\n", i + 1, auth_vars[i]);
  -    }
  -  for (i = 1; i <= expand_nmax; i++)
  -    debug_printf("  $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
  -  debug_print_string(ablock->server_debug_string);    /* customized debug */
  -  if (cond == NULL)
  -    debug_printf("expansion failed: %s\n", expand_string_message);
  -  else
  -    debug_printf("expanded string: %s\n", cond);
  -  }
  -
  -/* A forced expansion failure causes authentication to fail. Other expansion
  -failures yield DEFER, which will cause a temporary error code to be returned to
  -the AUTH command. The problem is at the server end, so the client should try
  -again later. */
  -
  -if (cond == NULL)
  -  {
  -  if (expand_string_forcedfail) return FAIL;
  -  auth_defer_msg = expand_string_message;
  -  return DEFER;
  -  }
  -
  -/* Return FAIL for empty string, "0", "no", and "false"; return OK for
  -"1", "yes", and "true"; return DEFER for anything else, with the string
  -available as an error text for the user. */
  -
  -if (*cond == 0 ||
  -    Ustrcmp(cond, "0") == 0 ||
  -    strcmpic(cond, US"no") == 0 ||
  -    strcmpic(cond, US"false") == 0)
  -  return FAIL;
  -
  -if (Ustrcmp(cond, "1") == 0 ||
  -    strcmpic(cond, US"yes") == 0 ||
  -    strcmpic(cond, US"true") == 0)
  -  return OK;
  -
  -auth_defer_msg = cond;
  -auth_defer_user_msg = string_sprintf(": %s", cond);
  -return DEFER;
  +return auth_check_serv_cond(ablock);
   }




  Index: plaintext.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/plaintext.h,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- plaintext.h    23 Feb 2006 12:41:22 -0000    1.4
  +++ plaintext.h    16 Oct 2006 15:44:36 -0000    1.5
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/plaintext.h,v 1.4 2006/02/23 12:41:22 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/plaintext.h,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -10,7 +10,6 @@
   /* Private structure for the private options. */


   typedef struct {
  -  uschar *server_condition;
     uschar *server_prompts;
     uschar *client_send;
     BOOL    client_ignore_invalid_base64;


  Index: spa.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/spa.c,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- spa.c    23 Feb 2006 12:41:22 -0000    1.7
  +++ spa.c    16 Oct 2006 15:44:36 -0000    1.8
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/spa.c,v 1.7 2006/02/23 12:41:22 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/spa.c,v 1.8 2006/10/16 15:44:36 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -25,8 +25,9 @@
    * typedef unsigned uint32;
    * typedef unsigned char  uint8;


  -07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
  -                    input data. Find appropriate comment by grepping for "PH".
  +07-August-2003:  PH: Patched up the code to avoid assert bombouts for stupid
  +                     input data. Find appropriate comment by grepping for "PH".
  +16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
   */



  @@ -231,7 +232,9 @@
         ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
         24) == 0)
     /* success. we have a winner. */
  -  return OK;
  +
  +  /* Expand server_condition as an authorization check (PH) */
  +  return auth_check_serv_cond(ablock);


return FAIL;
}

  Index: 3500
  ===================================================================
  RCS file: /home/cvs/exim/exim-test/confs/3500,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- 3500    10 Feb 2006 14:25:43 -0000    1.2
  +++ 3500    16 Oct 2006 15:44:36 -0000    1.3
  @@ -13,7 +13,7 @@


domainlist local_domains = test.ex : *.test.ex

-hostlist auth_hosts = 10.0.0.1
+hostlist auth_hosts = 10.0.0.1 : 10.0.0.5
hostlist relay_hosts = 10.0.0.4
hostlist auth_relay_hosts = 10.0.0.3 : 10.0.0.4

  @@ -80,6 +80,7 @@
     server_secret = "${if eq{$auth1}{tim}{tanstaaftanstaaf}\
       {${if eq{$auth1}{userx}{secret}fail}}}"
     server_set_id = $auth1
  +  server_condition = ${if !eq {$sender_host_address}{10.0.0.5}}





  Index: 3500
  ===================================================================
  RCS file: /home/cvs/exim/exim-test/scripts/3500-CRAM-MD5/3500,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- 3500    7 Feb 2006 10:54:49 -0000    1.1
  +++ 3500    16 Oct 2006 15:44:36 -0000    1.2
  @@ -32,4 +32,15 @@
   .
   quit
   ****
  +exim -bh 10.0.0.5
  +ehlo test.host
  +AUTH CRAM-MD5
  +dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
  +mail from:<userx@???>
  +rcpt to:<userx@???>
  +data
  +Testing authenticated CRAM-MD5.
  +.
  +quit
  +****
   no_msglog_check


  Index: 3500
  ===================================================================
  RCS file: /home/cvs/exim/exim-test/stderr/3500,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- 3500    10 Feb 2006 14:25:44 -0000    1.2
  +++ 3500    16 Oct 2006 15:44:36 -0000    1.3
  @@ -8,7 +8,7 @@
   >>> host in helo_accept_junk_hosts? no (option unset)
   >>> test.host in helo_lookup_domains? no (end of list)
   >>> host in pipelining_advertise_hosts? yes (matched "*")
  ->>> host in "10.0.0.1"? no (end of list)
  +>>> host in "10.0.0.1 : 10.0.0.5"? no (end of list)
   >>> host in "10.0.0.4"? yes (matched "10.0.0.4")
   >>> host in auth_advertise_hosts? no (matched "!+relay_hosts")
   >>> host in hosts_connection_nolog? no (option unset)
  @@ -21,13 +21,18 @@
   >>> host in helo_accept_junk_hosts? no (option unset)
   >>> test.host in helo_lookup_domains? no (end of list)
   >>> host in pipelining_advertise_hosts? yes (matched "*")
  ->>> host in "10.0.0.1"? yes (matched "10.0.0.1")
  +>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.1")
   >>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
   >>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
   >>> CRAM-MD5: user name = tim
   >>>           challenge = <1896.697170952@???>
   >>>           received  = b913a602c7eda7a495b4e6e7334d3890
   >>>           digest    = b913a602c7eda7a495b4e6e7334d3890
  +>>> cram_md5 authenticator:
  +>>>   $auth1 = tim
  +>>>   $1 = tim
  +>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
  +>>> expanded string: true
   >>> using ACL "check_recipient"
   >>> processing "warn"
   >>> check hosts = 10.0.0.5
  @@ -54,3 +59,37 @@
   >>> accept: condition test succeeded
   >>> host in ignore_fromline_hosts? no (option unset)
   LOG: 10HmaY-0005vi-00 <= userx@??? H=(test.host) [10.0.0.1] P=esmtpa A=cram_md5:tim S=sss
  +>>> host in hosts_connection_nolog? no (option unset)
  +>>> host in host_lookup? no (option unset)
  +>>> host in host_reject_connection? no (option unset)
  +>>> host in sender_unqualified_hosts? no (option unset)
  +>>> host in recipient_unqualified_hosts? no (option unset)
  +>>> host in helo_verify_hosts? no (option unset)
  +>>> host in helo_try_verify_hosts? no (option unset)
  +>>> host in helo_accept_junk_hosts? no (option unset)
  +>>> test.host in helo_lookup_domains? no (end of list)
  +>>> host in pipelining_advertise_hosts? yes (matched "*")
  +>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.5")
  +>>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
  +>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
  +>>> CRAM-MD5: user name = tim
  +>>>           challenge = <1896.697170952@???>
  +>>>           received  = b913a602c7eda7a495b4e6e7334d3890
  +>>>           digest    = b913a602c7eda7a495b4e6e7334d3890
  +>>> cram_md5 authenticator:
  +>>>   $auth1 = tim
  +>>>   $1 = tim
  +>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
  +>>> expanded string: 
  +LOG: cram_md5 authenticator failed for (test.host) [10.0.0.5]: 535 Incorrect authentication data (set_id=tim)
  +>>> using ACL "check_recipient"
  +>>> processing "warn"
  +>>> check hosts = 10.0.0.5
  +>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
  +>>> warn: condition test succeeded
  +>>> processing "accept"
  +>>> check hosts = 10.0.0.5
  +>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
  +>>> accept: condition test succeeded
  +>>> host in ignore_fromline_hosts? no (option unset)
  +LOG: 10HmaZ-0005vi-00 <= userx@??? H=(test.host) [10.0.0.5] P=esmtp S=sss


  Index: 3407
  ===================================================================
  RCS file: /home/cvs/exim/exim-test/stdout/3407,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- 3407    23 Feb 2006 12:41:23 -0000    1.2
  +++ 3407    16 Oct 2006 15:44:36 -0000    1.3
  @@ -3,46 +3,46 @@
   driver = plaintext
   public_name = PLAIN
   server_advertise_condition = 
  +server_condition = xxx
   server_debug_print = 
   server_mail_auth_condition = 
   server_set_id = 
   no_client_ignore_invalid_base64
   client_send = 
  -server_condition = xxx
   server_prompts = 


a2 authenticator:
driver = plaintext
public_name = PLAIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =

a3 authenticator:
driver = plaintext
public_name = LOGIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =

a4 authenticator:
driver = plaintext
public_name = LOGIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =

  Index: 3500
  ===================================================================
  RCS file: /home/cvs/exim/exim-test/stdout/3500,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- 3500    7 Feb 2006 10:47:37 -0000    1.1
  +++ 3500    16 Oct 2006 15:44:36 -0000    1.2
  @@ -60,3 +60,26 @@
   **** SMTP testing: that is not a real message id!


221 myhost.test.ex closing connection
+
+**** SMTP testing session as if from host 10.0.0.5
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello test.host [10.0.0.5]
+250-SIZE 52428800
+250-ETRN
+250-EXPN
+250-PIPELINING
+250-AUTH CRAM-MD5
+250 HELP
+334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
+535 Incorrect authentication data
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaZ-0005vi-00
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection