[exim-cvs] Fix server_set_id for SPA/NTLM auth.

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Exim Git Commits Mailing List
Data:  
Para: exim-cvs
Asunto: [exim-cvs] Fix server_set_id for SPA/NTLM auth.
Gitweb: http://git.exim.org/exim.git/commitdiff/f68fe5f62128effcce35efca90d74bc6df066765
Commit:     f68fe5f62128effcce35efca90d74bc6df066765
Parent:     c8e2fc1e846d1c9bee207d162182fb770b9ae1bd
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Nov 7 01:53:37 2012 -0500
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Nov 7 02:05:20 2012 -0500


    Fix server_set_id for SPA/NTLM auth.


    Broken in 4.80 release, commit 08488c86.


    We need to leave $auth1 available after the authenticator returns, so
    that server_set_id can be evaluated by the caller.  We need to do this
    whether we succeed or fail, because server_set_id only makes it into
    $authenticated_id if we return OK, but is logged regardless.


    Updated test config to set server_set_id; updated logs.
---
 src/src/auths/spa.c |   20 ++++++++------------
 test/confs/3600     |    2 ++
 test/log/3600       |    4 ++--
 test/rejectlog/3600 |    2 +-
 4 files changed, 13 insertions(+), 15 deletions(-)


diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index 1abd657..0bf7b04 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -196,17 +196,14 @@ that causes failure if the size of msgbuf is exceeded. ****/
/***************************************************************/

/* Put the username in $auth1 and $1. The former is now the preferred variable;
-the latter is the original variable. */
+the latter is the original variable. These have to be out of stack memory, and
+need to be available once known even if not authenticated, for error messages
+(server_set_id, which only makes it to authenticated_id if we return OK) */

-auth_vars[0] = expand_nstring[1] = msgbuf;
+auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
expand_nlength[1] = Ustrlen(msgbuf);
expand_nmax = 1;

-/* clean up globals which aren't referenced, but still shouldn't be left
-pointing to stack memory */
-#define CLEANUP_RETURN(Code) do { auth_vars[0] = expand_nstring[1] = NULL; \
-  expand_nlength[1] = expand_nmax = 0; return (Code); } while (0);
-
 debug_print_string(ablock->server_debug_string);    /* customized debug */


 /* look up password */
@@ -218,13 +215,13 @@ if (clearpass == NULL)
     {
     DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
       "expanding spa_serverpassword\n");
-    CLEANUP_RETURN(FAIL);
+    return FAIL;
     }
   else
     {
     DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
       "spa_serverpassword: %s\n", expand_string_message);
-    CLEANUP_RETURN(DEFER);
+    return DEFER;
     }
   }


@@ -240,13 +237,12 @@ if (memcmp(ntRespData,
       24) == 0)
   /* success. we have a winner. */
   {
-  int rc = auth_check_serv_cond(ablock);
-  CLEANUP_RETURN(rc);
+  return auth_check_serv_cond(ablock);
   }


/* Expand server_condition as an authorization check (PH) */

-CLEANUP_RETURN(FAIL);
+return FAIL;
}


diff --git a/test/confs/3600 b/test/confs/3600
index c70fa19..fca55ff 100644
--- a/test/confs/3600
+++ b/test/confs/3600
@@ -39,6 +39,7 @@ spabad:
client_password = ${if eq{1}{0}{xxx}fail}
client_username = username
server_password = ok@???
+ server_set_id = $auth1

spa:
driver = spa
@@ -47,6 +48,7 @@ spa:
client_username = username
server_debug_print = +++SPA \$auth1="$auth1"
server_password = ok@???
+ server_set_id = $auth1


# ----- Routers -----
diff --git a/test/log/3600 b/test/log/3600
index 43549c6..16c59f3 100644
--- a/test/log/3600
+++ b/test/log/3600
@@ -11,7 +11,7 @@

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=spa S=sss id=E10HmaX-0005vi-00@???
-1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=spa:username S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data (set_id=username)
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
diff --git a/test/rejectlog/3600 b/test/rejectlog/3600
index 629d314..4398a40 100644
--- a/test/rejectlog/3600
+++ b/test/rejectlog/3600
@@ -1,5 +1,5 @@

******** SERVER ********
-1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data
+1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data (set_id=username)
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data