[exim-cvs] Fix server_set_id for SPA/NTLM auth.

Autore: Exim Git Commits Mailing List
Data:  
To: exim-cvs
Oggetto: [exim-cvs] Fix server_set_id for SPA/NTLM auth.
Gitweb: http://git.exim.org/exim.git/commitdiff/f68fe5f62128effcce35efca90d74bc6df066765
Commit:     f68fe5f62128effcce35efca90d74bc6df066765
Parent:     c8e2fc1e846d1c9bee207d162182fb770b9ae1bd
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Nov 7 01:53:37 2012 -0500
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Nov 7 02:05:20 2012 -0500


    Fix server_set_id for SPA/NTLM auth.


    Broken in 4.80 release, commit 08488c86.


    We need to leave $auth1 available after the authenticator returns, so
    that server_set_id can be evaluated by the caller.  We need to do this
    whether we succeed or fail, because server_set_id only makes it into
    $authenticated_id if we return OK, but is logged regardless.


    Updated test config to set server_set_id; updated logs.
---
 src/src/auths/spa.c |   20 ++++++++------------
 test/confs/3600     |    2 ++
 test/log/3600       |    4 ++--
 test/rejectlog/3600 |    2 +-
 4 files changed, 13 insertions(+), 15 deletions(-)


diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index 1abd657..0bf7b04 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -196,17 +196,14 @@ that causes failure if the size of msgbuf is exceeded. ****/
/***************************************************************/

/* Put the username in $auth1 and $1. The former is now the preferred variable;
-the latter is the original variable. */
+the latter is the original variable. These have to be out of stack memory, and
+need to be available once known even if not authenticated, for error messages
+(server_set_id, which only makes it to authenticated_id if we return OK) */

-auth_vars[0] = expand_nstring[1] = msgbuf;
+auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
expand_nlength[1] = Ustrlen(msgbuf);
expand_nmax = 1;

-/* clean up globals which aren't referenced, but still shouldn't be left
-pointing to stack memory */
-#define CLEANUP_RETURN(Code) do { auth_vars[0] = expand_nstring[1] = NULL; \
-  expand_nlength[1] = expand_nmax = 0; return (Code); } while (0);
-
 debug_print_string(ablock->server_debug_string);    /* customized debug */


 /* look up password */
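Review bot: The name copied into `auth_vars[0]` on the `string_copy(msgbuf)` line comes from the client's SPA response and now stays set on every return path, so it reaches the failure log line before any credential check has passed (the updated test logs show `(set_id=username)`). The hunk does not show how the caller writes the expanded server_set_id to the log, so it is worth confirming that non-printing characters are escaped there, since otherwise a client-chosen name could distort log lines. The copy's lifetime now depends on the allocator behind string_copy(), which presumably outlives the caller's expansion of server_set_id; the comment could record both points, e.g. `/* msgbuf is a local buffer, so keep a copy; the name is client-supplied and unverified at this point */`. The enclosing function starts above this hunk.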
@@ -218,13 +215,13 @@ if (clearpass == NULL)
     {
     DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
       "expanding spa_serverpassword\n");
-    CLEANUP_RETURN(FAIL);
+    return FAIL;
     }
   else
     {
     DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
       "spa_serverpassword: %s\n", expand_string_message);
-    CLEANUP_RETURN(DEFER);
+    return DEFER;
     }
   }


@@ -240,13 +237,12 @@ if (memcmp(ntRespData,
       24) == 0)
   /* success. we have a winner. */
   {
-  int rc = auth_check_serv_cond(ablock);
-  CLEANUP_RETURN(rc);
+  return auth_check_serv_cond(ablock);
   }


/* Expand server_condition as an authorization check (PH) */

-CLEANUP_RETURN(FAIL);
+return FAIL;
}
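Review bot: The comment `/* Expand server_condition as an authorization check (PH) */` sits directly above the final `return FAIL;`, but the call it describes, `auth_check_serv_cond(ablock)`, is in the success branch a few lines up. Moving that comment into the success branch and putting something like `/* response mismatch; $auth1 is left set so the caller can log server_set_id */` above the final return would make the two exits read correctly. With CLEANUP_RETURN gone, nothing visible in these hunks resets `expand_nmax` or `expand_nstring[1]`, so the function's header comment should state that these globals remain set on return. The start of the `memcmp` condition and of the function is outside this hunk.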


diff --git a/test/confs/3600 b/test/confs/3600
index c70fa19..fca55ff 100644
--- a/test/confs/3600
+++ b/test/confs/3600
@@ -39,6 +39,7 @@ spabad:
client_password = ${if eq{1}{0}{xxx}fail}
client_username = username
server_password = ok@???
+ server_set_id = $auth1

spa:
driver = spa
@@ -47,6 +48,7 @@ spa:
client_username = username
server_debug_print = +++SPA \$auth1="$auth1"
server_password = ok@???
+ server_set_id = $auth1


# ----- Routers -----
diff --git a/test/log/3600 b/test/log/3600
index 43549c6..16c59f3 100644
--- a/test/log/3600
+++ b/test/log/3600
@@ -11,7 +11,7 @@

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=spa S=sss id=E10HmaX-0005vi-00@???
-1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=spa:username S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data (set_id=username)
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
diff --git a/test/rejectlog/3600 b/test/rejectlog/3600
index 629d314..4398a40 100644
--- a/test/rejectlog/3600
+++ b/test/rejectlog/3600
@@ -1,5 +1,5 @@

******** SERVER ********
-1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data
+1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data (set_id=username)
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data