Gitweb:
https://git.exim.org/exim.git/commitdiff/a310a8d09c56e6049714ae4e4070c16ecb6aa2b1
Commit: a310a8d09c56e6049714ae4e4070c16ecb6aa2b1
Parent: e8a25e05698e39a45cf5f188476808ef3609dbdd
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Jan 5 17:57:01 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sat Jan 5 18:56:23 2019 +0000
Authenticators: refactor SASL support code
---
doc/doc-docbook/spec.xfpt | 15 ++-
src/scripts/MakeLinks | 2 +-
src/src/auths/README | 2 +-
src/src/auths/check_serv_cond.c | 15 +--
src/src/auths/get_data.c | 211 +++++++++++++++++++++++++++++++++++++++-
src/src/auths/plaintext.c | 176 +++++----------------------------
src/src/auths/tls.h | 2 +-
src/src/functions.h | 3 +
src/src/macros.h | 8 ++
test/stderr/3400 | 1 +
10 files changed, 264 insertions(+), 171 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c0b84aa..c8f5a60 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -26490,7 +26490,7 @@ to be returned. If the result of a successful expansion is an empty string,
expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the
generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&.
For any other result, a temporary error code is returned, with the expanded
-string as the error text
+string as the error text.
&*Warning*&: If you use a lookup in the expansion to find the user's
password, be sure to make the authentication fail if the user is unknown.
@@ -27315,20 +27315,25 @@ tls:
driver = tls
server_param1 = ${certextract {subj_altname,mail,>:} \
{$tls_in_peercert}}
- server_condition = ${if forany {$auth1} \
+ server_condition = ${if and { {eq{$tls_in_certificate_verified}{1}} \
+ {forany {$auth1} \
{!= {0} \
{${lookup ldap{ldap:///\
mailname=${quote_ldap_dn:${lc:$item}},\
ou=users,LDAP_DC?mailid} {$value}{0} \
- } } } }
+ } } } }}}
server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}}
.endd
This accepts a client certificate that is verifiable against any
of your configured trust-anchors
(which usually means the full set of public CAs)
and which has a SAN with a good account name.
-Note that the client cert is on the wire in-clear, including the SAN,
-whereas a plaintext SMTP AUTH done inside TLS is not.
+
+Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN,
+The account name is therefore guessable by an opponent.
+TLS 1.3 protects both server and client certificates, and is not vulnerable
+in this way.
+Likewise, a traditional plaintext SMTP AUTH done inside TLS is not.
. An alternative might use
. .code
diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index f5a4e50..08f4ff1 100755
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -67,7 +67,7 @@ done
cd ..
-# Likewise for the code for the authorization functions
+# Likewise for the code for the authentication drivers
mkdir auths
cd auths
for f in README Makefile call_pam.c call_pwcheck.c \
diff --git a/src/src/auths/README b/src/src/auths/README
index 0e0c097..d4f125c 100644
--- a/src/src/auths/README
+++ b/src/src/auths/README
@@ -21,7 +21,7 @@ The API for each of these functions is documented with the function's code.
INTERFACE TO SMTP AUTHENTICATION MECHANISMS
-These are general SSL mechanisms, adapted for use with SMTP. Each
+These are general SASL mechanisms, adapted for use with SMTP. Each
authentication mechanism has three functions, for initialization, server
authentication, and client authentication.
diff --git a/src/src/auths/check_serv_cond.c b/src/src/auths/check_serv_cond.c
index a698cdc..457a715 100644
--- a/src/src/auths/check_serv_cond.c
+++ b/src/src/auths/check_serv_cond.c
@@ -65,11 +65,8 @@ uschar *cond;
HDEBUG(D_auth)
{
debug_printf("%s authenticator %s:\n", ablock->name, label);
- for (int i = 0; i < AUTH_VARS; i++)
- {
- if (auth_vars[i] != NULL)
- debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
- }
+ for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
+ debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
for (int i = 1; i <= expand_nmax; i++)
debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
debug_print_string(ablock->server_debug_string); /* customized debug */
@@ -83,23 +80,21 @@ For plaintext/gsasl authenticators, it will have been pre-checked to prevent
this. We return the unset scenario value given to us, which for
server_condition will be OK and otherwise will typically be FAIL. */
-if (condition == NULL) return unset;
+if (!condition) return unset;
cond = expand_string(condition);
HDEBUG(D_auth)
- {
- if (cond == NULL)
+ if (!cond)
debug_printf("expansion failed: %s\n", expand_string_message);
else
debug_printf("expanded string: %s\n", cond);
- }
/* A forced expansion failure causes authentication to fail. Other expansion
failures yield DEFER, which will cause a temporary error code to be returned to
the AUTH command. The problem is at the server end, so the client should try
again later. */
-if (cond == NULL)
+if (!cond)
{
if (f.expand_string_forcedfail) return FAIL;
auth_defer_msg = expand_string_message;
diff --git a/src/src/auths/get_data.c b/src/src/auths/get_data.c
index 00ea9e5..37dcd37 100644
--- a/src/src/auths/get_data.c
+++ b/src/src/auths/get_data.c
@@ -8,6 +8,47 @@
#include "../exim.h"
+/****************************************************************
+* Decode and split the argument of an AUTH command *
+****************************************************************/
+
+/* If data was supplied on the AUTH command, decode it, and split it up into
+multiple items at binary zeros. The strings are put into $auth1, $auth2, etc,
+up to a maximum. To retain backwards compatibility, they are also put int $1,
+$2, etc. If the data consists of the string "=" it indicates a single, empty
+string. */
+
+int
+auth_read_input(const uschar * data)
+{
+if (Ustrcmp(data, "=") == 0)
+ {
+ auth_vars[0] = expand_nstring[++expand_nmax] = US"";
+ expand_nlength[expand_nmax] = 0;
+ }
+else
+ {
+ uschar * clear, * end;
+ int len;
+
+ if ((len = b64decode(data, &clear)) < 0) return BAD64;
+ DEBUG(D_auth) debug_printf("auth input decode:");
+ for (end = clear + len; clear < end && expand_nmax < EXPAND_MAXN; )
+ {
+ DEBUG(D_auth) debug_printf(" '%s'", clear);
+ if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
+ expand_nstring[++expand_nmax] = clear;
+ while (*clear != 0) clear++;
+ expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
+ }
+ DEBUG(D_auth) debug_printf("\n");
+ }
+return OK;
+}
+
+
+
+
/*************************************************
* Issue a challenge and get a response *
*************************************************/
@@ -26,7 +67,7 @@ Returns: OK on success
*/
int
-auth_get_data(uschar **aptr, const uschar * challenge, int challen)
+auth_get_data(uschar ** aptr, const uschar * challenge, int challen)
{
int c;
int p = 0;
@@ -44,4 +85,172 @@ if (Ustrcmp(big_buffer, "*") == 0) return CANCELLED;
return OK;
}
+
+
+int
+auth_prompt(const uschar * challenge)
+{
+int rc, len;
+uschar * resp, * clear, * end;
+
+if ((rc = auth_get_data(&resp, challenge, Ustrlen(challenge))) != OK)
+ return rc;
+if ((len = b64decode(resp, &clear)) < 0)
+ return BAD64;
+end = clear + len;
+
+/* This loop must run at least once, in case the length is zero */
+do
+ {
+ if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
+ expand_nstring[++expand_nmax] = clear;
+ while (*clear != 0) clear++;
+ expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
+ }
+while (clear < end && expand_nmax < EXPAND_MAXN);
+return OK;
+}
+
+
+/***********************************************
+* Send an AUTH-negotiation item *
+************************************************/
+
+/* Expand and send one client auth item and read the response.
+Include the AUTH command and method if tagged as "first". Use the given buffer
+for receiving the b6-encoded reply; decode it it return it in the string arg.
+
+Return:
+ OK success
+ FAIL_SEND error after writing a command; errno is set
+ FAIL failed after reading a response;
+ either errno is set (for timeouts, I/O failures) or
+ the buffer contains the SMTP response line
+ CANCELLED the client cancelled authentication (often "fail" in expansion)
+ the buffer may contain a message; if not, *buffer = 0
+ ERROR local problem (typically expansion error); message in buffer
+ DEFER more items expected
+*/
+
+int
+auth_client_item(void * sx, auth_instance * ablock, const uschar ** inout,
+ unsigned flags, int timeout, uschar * buffer, int buffsize)
+{
+int len, clear_len;
+uschar * ss, * clear;
+
+ss = US expand_cstring(*inout);
+if (ss == *inout) ss = string_copy(ss);
+
+/* Forced expansion failure is not an error; authentication is abandoned. On
+all but the first string, we have to abandon the authentication attempt by
+sending a line containing "*". Save the failed expansion string, because it
+is in big_buffer, and that gets used by the sending function. */
+
+if (!ss)
+ {
+ if (!(flags & AUTH_ITEM_FIRST))
+ {
+ if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+ (void) smtp_read_response(sx, US buffer, buffsize, '2', timeout);
+ }
+ if (f.expand_string_forcedfail)
+ {
+ *buffer = 0; /* No message */
+ return CANCELLED;
+ }
+ string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+ "authenticator: %s", *inout, ablock->name, expand_string_message);
+ return ERROR;
+ }
+
+len = Ustrlen(ss);
+
+/* The character ^ is used as an escape for a binary zero character, which is
+needed for the PLAIN mechanism. It must be doubled if really needed. */
+
+for (int i = 0; i < len; i++)
+ if (ss[i] == '^')
+ if (ss[i+1] != '^')
+ ss[i] = 0;
+ else
+ {
+ i++;
+ len--;
+ memmove(ss + i, ss + i + 1, len - i);
+ }
+
+/* The first string is attached to the AUTH command; others are sent
+unembellished. */
+
+if (flags & AUTH_ITEM_FIRST)
+ {
+ if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s%s%s\r\n",
+ ablock->public_name, len == 0 ? "" : " ", b64encode(CUS ss, len)) < 0)
+ return FAIL_SEND;
+ }
+else
+ if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(CUS ss, len)) < 0)
+ return FAIL_SEND;
+
+/* If we receive a success response from the server, authentication
+has succeeded. There may be more data to send, but is there any point
+in provoking an error here? */
+
+if (smtp_read_response(sx, US buffer, buffsize, '2', timeout))
+ {
+ *inout = NULL;
+ return OK;
+ }
+
+/* Not a success response. If errno != 0 there is some kind of transmission
+error. Otherwise, check the response code in the buffer. If it starts with
+'3', more data is expected. */
+
+if (errno != 0 || buffer[0] != '3') return FAIL;
+
+/* If there is no more data to send, we have to cancel the authentication
+exchange and return ERROR. */
+
+if (flags & AUTH_ITEM_LAST)
+ {
+ if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+ (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
+ string_format(buffer, buffsize, "Too few items in client_send in %s "
+ "authenticator", ablock->name);
+ return ERROR;
+ }
+
+/* Now that we know we'll continue, we put the received data into $auth<n>,
+if possible. First, decode it: buffer+4 skips over the SMTP status code. */
+
+clear_len = b64decode(buffer+4, &clear);
+
+/* If decoding failed, the default is to terminate the authentication, and
+return FAIL, with the SMTP response still in the buffer. However, if client_
+ignore_invalid_base64 is set, we ignore the error, and put an empty string
+into $auth<n>. */
+
+if (clear_len < 0)
+ {
+ uschar *save_bad = string_copy(buffer);
+ if (!(flags & AUTH_ITEM_IGN64))
+ {
+ if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+ (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
+ string_format(buffer, buffsize, "Invalid base64 string in server "
+ "response \"%s\"", save_bad);
+ return CANCELLED;
+ }
+ DEBUG(D_auth) debug_printf("bad b64 decode for '%s';"
+ " ignoring due to client_ignore_invalid_base64\n", save_bad);
+ clear = string_copy(US"");
+ clear_len = 0;
+ }
+
+*inout = clear;
+return DEFER;
+}
+
+
/* End of get_data.c */
diff --git a/src/src/auths/plaintext.c b/src/src/auths/plaintext.c
index cbafd3a..6c97035 100644
--- a/src/src/auths/plaintext.c
+++ b/src/src/auths/plaintext.c
@@ -86,15 +86,12 @@ int sep = 0;
/* Expand a non-empty list of prompt strings */
-if (prompts != NULL)
- {
- prompts = expand_cstring(prompts);
- if (prompts == NULL)
+if (prompts)
+ if (!(prompts = expand_cstring(prompts)))
{
auth_defer_msg = expand_string_message;
return DEFER;
}
- }
/* If data was supplied on the AUTH command, decode it, and split it up into
multiple items at binary zeros. The strings are put into $auth1, $auth2, etc,
@@ -102,50 +99,20 @@ up to a maximum. To retain backwards compatibility, they are also put int $1,
$2, etc. If the data consists of the string "=" it indicates a single, empty
string. */
-if (*data != 0)
- {
- if (Ustrcmp(data, "=") == 0)
- {
- auth_vars[0] = expand_nstring[++expand_nmax] = US"";
- expand_nlength[expand_nmax] = 0;
- }
- else
- {
- if ((len = b64decode(data, &clear)) < 0) return BAD64;
- end = clear + len;
- while (clear < end && expand_nmax < EXPAND_MAXN)
- {
- if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
- expand_nstring[++expand_nmax] = clear;
- while (*clear != 0) clear++;
- expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
- }
- }
- }
+if (*data)
+ if ((rc = auth_read_input(data)) != OK)
+ return rc;
/* Now go through the list of prompt strings. Skip over any whose data has
already been provided as part of the AUTH command. For the rest, send them
out as prompts, and get a data item back. If the data item is "*", abandon the
authentication attempt. Otherwise, split it into items as above. */
-while ((s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size))
- != NULL && expand_nmax < EXPAND_MAXN)
- {
- if (number++ <= expand_nmax) continue;
- if ((rc = auth_get_data(&data, s, Ustrlen(s))) != OK) return rc;
- if ((len = b64decode(data, &clear)) < 0) return BAD64;
- end = clear + len;
-
- /* This loop must run at least once, in case the length is zero */
- do
- {
- if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
- expand_nstring[++expand_nmax] = clear;
- while (*clear != 0) clear++;
- expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
- }
- while (clear < end && expand_nmax < EXPAND_MAXN);
- }
+while ( (s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size))
+ && expand_nmax < EXPAND_MAXN)
+ if (number++ > expand_nmax)
+ if ((rc = auth_prompt(CUS s)) != OK)
+ return rc;
/* We now have a number of items of data in $auth1, $auth2, etc (and also, for
compatibility, in $1, $2, etc). Authentication and authorization are handled
@@ -174,128 +141,33 @@ auth_plaintext_client(
{
auth_plaintext_options_block *ob =
(auth_plaintext_options_block *)(ablock->options_block);
-const uschar *text = ob->client_send;
-uschar *s;
+const uschar * text = ob->client_send;
+const uschar * s;
BOOL first = TRUE;
int sep = 0;
-int auth_var_idx = 0;
+int auth_var_idx = 0, rc;
+int flags = AUTH_ITEM_FIRST;
+
+if (ob->client_ignore_invalid_base64)
+ flags |= AUTH_ITEM_IGN64;
/* The text is broken up into a number of different data items, which are
sent one by one. The first one is sent with the AUTH command; the remainder are
sent in response to subsequent prompts. Each is expanded before being sent. */
-while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)))
+while ((s = string_nextinlist(&text, &sep, NULL, 0)))
{
- int len, clear_len;
- uschar *ss = expand_string(s);
- uschar *clear;
-
- /* Forced expansion failure is not an error; authentication is abandoned. On
- all but the first string, we have to abandon the authentication attempt by
- sending a line containing "*". Save the failed expansion string, because it
- is in big_buffer, and that gets used by the sending function. */
-
- if (!ss)
- {
- uschar *ssave = string_copy(s);
- if (!first)
- {
- if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
- (void) smtp_read_response(sx, US buffer, buffsize, '2', timeout);
- }
- if (f.expand_string_forcedfail)
- {
- *buffer = 0; /* No message */
- return CANCELLED;
- }
- string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
- "authenticator: %s", ssave, ablock->name, expand_string_message);
- return ERROR;
- }
-
- len = Ustrlen(ss);
-
- /* The character ^ is used as an escape for a binary zero character, which is
- needed for the PLAIN mechanism. It must be doubled if really needed. */
-
- for (int i = 0; i < len; i++)
- if (ss[i] == '^')
- if (ss[i+1] != '^')
- ss[i] = 0;
- else
- {
- i++;
- len--;
- memmove(ss + i, ss + i + 1, len - i);
- }
-
- /* The first string is attached to the AUTH command; others are sent
- unembellished. */
-
- if (first)
- {
- first = FALSE;
- if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s%s%s\r\n",
- ablock->public_name, len == 0 ? "" : " ", b64encode(ss, len)) < 0)
- return FAIL_SEND;
- }
- else
- {
- if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(ss, len)) < 0)
- return FAIL_SEND;
- }
-
- /* If we receive a success response from the server, authentication
- has succeeded. There may be more data to send, but is there any point
- in provoking an error here? */
-
- if (smtp_read_response(sx, US buffer, buffsize, '2', timeout)) return OK;
-
- /* Not a success response. If errno != 0 there is some kind of transmission
- error. Otherwise, check the response code in the buffer. If it starts with
- '3', more data is expected. */
-
- if (errno != 0 || buffer[0] != '3') return FAIL;
-
- /* If there is no more data to send, we have to cancel the authentication
- exchange and return ERROR. */
-
if (!text)
- {
- if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
- (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
- string_format(buffer, buffsize, "Too few items in client_send in %s "
- "authenticator", ablock->name);
- return ERROR;
- }
+ flags |= AUTH_ITEM_LAST;
- /* Now that we know we'll continue, we put the received data into $auth<n>,
- if possible. First, decode it: buffer+4 skips over the SMTP status code. */
+ if ((rc = auth_client_item(sx, ablock, &s, flags, timeout, buffer, buffsize))
+ != DEFER)
+ return rc;
- clear_len = b64decode(buffer+4, &clear);
-
- /* If decoding failed, the default is to terminate the authentication, and
- return FAIL, with the SMTP response still in the buffer. However, if client_
- ignore_invalid_base64 is set, we ignore the error, and put an empty string
- into $auth<n>. */
-
- if (clear_len < 0)
- {
- uschar *save_bad = string_copy(buffer);
- if (!ob->client_ignore_invalid_base64)
- {
- if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
- (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
- string_format(buffer, buffsize, "Invalid base64 string in server "
- "response \"%s\"", save_bad);
- return CANCELLED;
- }
- clear = US"";
- clear_len = 0;
- }
+ flags &= ~AUTH_ITEM_FIRST;
if (auth_var_idx < AUTH_VARS)
- auth_vars[auth_var_idx++] = string_copy(clear);
+ auth_vars[auth_var_idx++] = string_copy(s);
}
/* Control should never actually get here. */
diff --git a/src/src/auths/tls.h b/src/src/auths/tls.h
index bf2a2a1..7aa95b6 100644
--- a/src/src/auths/tls.h
+++ b/src/src/auths/tls.h
@@ -27,4 +27,4 @@ extern auth_tls_options_block auth_tls_option_defaults;
extern void auth_tls_init(auth_instance *);
extern int auth_tls_server(auth_instance *, uschar *);
-/* End of sa.h */
+/* End of tls.h */
diff --git a/src/src/functions.h b/src/src/functions.h
index 8668656..853a5fd 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -106,10 +106,13 @@ extern int auth_call_saslauthd(const uschar *, const uschar *,
const uschar *, const uschar *, uschar **);
extern int auth_check_serv_cond(auth_instance *);
extern int auth_check_some_cond(auth_instance *, uschar *, uschar *, int);
+extern int auth_client_item(void *, auth_instance *, const uschar **,
+ unsigned, int, uschar *, int);
extern int auth_get_data(uschar **, const uschar *, int);
extern int auth_get_no64_data(uschar **, uschar *);
+extern int auth_read_input(const uschar *);
extern void auth_show_supported(FILE *);
extern uschar *auth_xtextencode(uschar *, int);
extern int auth_xtextdecode(uschar *, uschar **);
diff --git a/src/src/macros.h b/src/src/macros.h
index 0f93543..e797615 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -1072,4 +1072,12 @@ should not be one active. */
#define EARLY_PIPE_FEATURE_LEN 14
+/* Flags for auth_client_item() */
+
+#define AUTH_ITEM_FIRST BIT(0)
+#define AUTH_ITEM_LAST BIT(1)
+#define AUTH_ITEM_IGN64 BIT(2)
+
+
+
/* End of macros.h */
diff --git a/test/stderr/3400 b/test/stderr/3400
index a57621a..a166c26 100644
--- a/test/stderr/3400
+++ b/test/stderr/3400
@@ -456,6 +456,7 @@ SMTP>> 250-myhost.test.ex Hello CALLER at testing.testing [10.0.0.5]
250-AUTH MYLOGIN PLAIN EXPLAIN EXPANDED EXPANDFAIL DEFER LOGIN
250 HELP
SMTP<< auth mylogin dXNlcnggc2VjcmV0
+auth input decode: 'userx secret'
mylogin authenticator server_condition:
$auth1 = userx secret
$1 = userx secret
