Gitweb:
https://git.exim.org/exim.git/commitdiff/3b960f51c877fe70f66515e3df1e7c4e6883720f
Commit: 3b960f51c877fe70f66515e3df1e7c4e6883720f
Parent: 5f4ca3541f228b0b9b880406e70342dea5a2a7a9
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Dec 27 20:51:42 2020 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Dec 27 20:51:42 2020 +0000
GSASL: More recent versions of the library no longer need a hack for channel-binding
---
src/src/auths/gsasl_exim.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index 708957f..1aee4f7 100644
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -27,7 +27,6 @@ sense in all contexts. For some, we can do checks at init time.
*/
#include "../exim.h"
-#define CHANNELBIND_HACK
#ifndef AUTH_GSASL
/* dummy function to satisfy compilers when we link in an "empty" file. */
@@ -46,6 +45,11 @@ static void dummy(int x) { dummy2(x-1); }
# if GSASL_VERSION_PATCH >= 1
# define EXIM_GSASL_SCRAM_S_KEY
# endif
+# if GSASL_VERSION_PATCH < 2
+# define CHANNELBIND_HACK
+# endif
+#else
+# define CHANNELBIND_HACK
#endif
@@ -374,9 +378,9 @@ if (tls_in.channelbinding && ob->server_channelbinding)
}
# endif
# ifdef CHANNELBIND_HACK
-/* This is a gross hack to get around the library a) requiring that
-c-b was already set, at the _start() call, and b) caching a b64'd
-version of the binding then which it never updates. */
+/* This is a gross hack to get around the library before 1.9.2
+a) requiring that c-b was already set, at the _start() call, and
+b) caching a b64'd version of the binding then which it never updates. */
gsasl_callback_hook_set(gsasl_ctx, tls_in.channelbinding);
# endif
@@ -429,6 +433,12 @@ if (tls_in.channelbinding)
would then result in mechanism name changes on a library update, we
have little choice but to default it off and let the admin choose to
enable it. *sigh*
+
+ Earlier library versions need this set early, during the _start() call,
+ so we had to misuse gsasl_callback_hook_set/get() as a data transfer
+ mech for the callback done at that time to get the bind-data. More recently
+ the callback is done (if needed) during the first gsasl_stop(). We know
+ the bind-data here so can set it (and should not get a callback).
*/
if (ob->server_channelbinding)
{
@@ -823,9 +833,9 @@ if (tls_out.channelbinding && ob->client_channelbinding)
}
# endif
# ifdef CHANNELBIND_HACK
- /* This is a gross hack to get around the library a) requiring that
- c-b was already set, at the _start() call, and b) caching a b64'd
- version of the binding then which it never updates. */
+ /* This is a gross hack to get around the library before 1.9.2
+ a) requiring that c-b was already set, at the _start() call, and
+ b) caching a b64'd version of the binding then which it never updates. */
gsasl_callback_hook_set(gsasl_ctx, tls_out.channelbinding);
# endif
@@ -944,7 +954,7 @@ HDEBUG(D_auth) debug_printf("GNU SASL callback %s for %s/%s as client\n",
gsasl_prop_code_to_name(prop), ablock->name, ablock->public_name);
switch (prop)
{
- case GSASL_CB_TLS_UNIQUE:
+ case GSASL_CB_TLS_UNIQUE: /*XXX should never get called for this */
HDEBUG(D_auth)
debug_printf(" filling in\n");
gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, CCS tls_out.channelbinding);