From f68fe5f62128effcce35efca90d74bc6df066765 Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Wed, 7 Nov 2012 01:53:37 -0500
Subject: [PATCH] Fix server_set_id for SPA/NTLM auth. Broken in 4.80 release, commit 08488c86. We need to leave $auth1 available after the authenticator returns, so that server_set_id can be evaluated by the caller. We need to do this whether we succeed or fail, because server_set_id only makes it into $authenticated_id if we return OK, but is logged regardless. Updated test config to set server_set_id; updated logs.
---
 src/src/auths/spa.c | 20 ++++++++------------
 test/confs/3600 | 2 ++
 test/log/3600 | 4 ++--
 test/rejectlog/3600 | 2 +-
 4 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index 1abd65781..0bf7b0428 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -196,17 +196,14 @@ that causes failure if the size of msgbuf is exceeded. ****/
 /***************************************************************/
 /* Put the username in $auth1 and $1. The former is now the preferred variable;
-the latter is the original variable. */
+the latter is the original variable. These have to be out of stack memory, and
+need to be available once known even if not authenticated, for error messages
+(server_set_id, which only makes it to authenticated_id if we return OK) */
-auth_vars[0] = expand_nstring[1] = msgbuf;
+auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
 expand_nlength[1] = Ustrlen(msgbuf);
 expand_nmax = 1;
-/* clean up globals which aren't referenced, but still shouldn't be left
-pointing to stack memory */
-#define CLEANUP_RETURN(Code) do { auth_vars[0] = expand_nstring[1] = NULL; \
- expand_nlength[1] = expand_nmax = 0; return (Code); } while (0);
-
 debug_print_string(ablock->server_debug_string); /* customized debug */
 /* look up password */
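Review bot: The value copied by `string_copy(msgbuf)` is the client-supplied username, still unverified at this point, and with CLEANUP_RETURN removed it now stays in `$auth1` and `$1` (with `expand_nmax = 1`) after every return, including FAIL and DEFER. The updated test log shows it reaching the rejection line as `(set_id=username)`, so the comment should say that this is unauthenticated input kept for logging, and "out of stack memory" would read more clearly as "not in stack memory". Suggested wording: `/* msgbuf holds the client-supplied, still unverified username; keep a non-stack copy so the caller can expand server_set_id on OK, FAIL and DEFER. */` Whether the caller escapes the expanded value before writing it to the log, and whether it resets `expand_nmax` afterwards, is not visible here and is worth confirming. The enclosing function starts before this hunk.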
@@ -218,13 +215,13 @@ if (clearpass == NULL)
 {
 DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
 "expanding spa_serverpassword\n");
- CLEANUP_RETURN(FAIL);
+ return FAIL;
 }
 else
 {
 DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
 "spa_serverpassword: %s\n", expand_string_message);
- CLEANUP_RETURN(DEFER);
+ return DEFER;
 }
 }
@@ -240,13 +237,12 @@ if (memcmp(ntRespData,
 24) == 0)
 /* success. we have a winner. */
 {
- int rc = auth_check_serv_cond(ablock);
- CLEANUP_RETURN(rc);
+ return auth_check_serv_cond(ablock);
 }
 /* Expand server_condition as an authorization check (PH) */
-CLEANUP_RETURN(FAIL);
+return FAIL;
 }
diff --git a/test/confs/3600 b/test/confs/3600
index c70fa19d7..fca55ff51 100644
--- a/test/confs/3600
+++ b/test/confs/3600
@@ -39,6 +39,7 @@ spabad:
 client_password = ${if eq{1}{0}{xxx}fail}
 client_username = username
 server_password = ok@test.ex
+ server_set_id = $auth1
 spa:
 driver = spa
@@ -47,6 +48,7 @@ spa:
 client_username = username
 server_debug_print = +++SPA \$auth1="$auth1"
 server_password = ok@test.ex
+ server_set_id = $auth1
 # ----- Routers -----
diff --git a/test/log/3600 b/test/log/3600
index 43549c63a..16c59f368 100644
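Review bot: In the last spa.c hunk (`@@ -240,13 +237,12 @@`) the comment `/* Expand server_condition as an authorization check (PH) */` sits directly above `return FAIL;`, while the call it describes is the new `return auth_check_serv_cond(ablock);` inside the success branch. Moving that comment onto the new return line would keep a reader from concluding that the failure path evaluates server_condition. The function begins outside the hunk, so any earlier return paths could not be checked from here.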
@@ -11,7 +11,7 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=spa S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=spa:username S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data (set_id=username)
 1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
 1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
diff --git a/test/rejectlog/3600 b/test/rejectlog/3600
index 629d314e2..4398a403a 100644
--- a/test/rejectlog/3600
+++ b/test/rejectlog/3600
@@ -1,5 +1,5 @@
 ******** SERVER ********
-1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data
+1999-03-02 09:44:33 spa authenticator failed for localhost (myhost.test.ex) [127.0.0.1]: 535 Incorrect authentication data (set_id=username)
 1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
 1999-03-02 09:44:33 spa authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data
-- 
2.25.1