Add server_condition to all authenticators, to allow for additional

conditions (and thereby implement authorization).

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 124101d784f89c00308bd067afd271922beaefe2..19a3ae0ddec476e53db84aefc94cddb80e2330a4 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.409 2006/10/16 13:43:21 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.410 2006/10/16 15:44:36 ph10 Exp $

 
 Change log file for Exim from version 4.21
 -------------------------------------------
 
 Change log file for Exim from version 4.21
 -------------------------------------------


@@ -150,6 +150,11 @@ PH/21 On the advice of Timo Sirainen, added a check to the dovecot
       local IP, and the "valid-client-cert option" if a client certificate has
       been verified.
 
       local IP, and the "valid-client-cert option" if a client certificate has
       been verified.
 

+PH/22 As suggested by Denis Davies, added a server_condition option to *all*
+      authenticators. This can be used for authorization after authentication
+      succeeds. (In the case of plaintext, it servers for both authentication
+      and authorization.)
+

 
 Exim version 4.63
 -----------------
 
 Exim version 4.63
 -----------------

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index b66cfb59325e5781d616e1f079ebdfd7f092516b..267fc9adc9baaa580c57687c145df279583720ca 100644 (file)
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.116 2006/10/16 13:43:21 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.117 2006/10/16 15:44:36 ph10 Exp $

 
 New Features in Exim
 --------------------
 
 New Features in Exim
 --------------------


@@ -124,6 +124,13 @@ Version 4.64
    values matches (or if no record is found), this is the only lookup that is
    done. Only if there is a match is one of the more specific lists consulted.
 
    values matches (or if no record is found), this is the only lookup that is
    done. Only if there is a match is one of the more specific lists consulted.
 

+6. All authenticators now have a server_condition option. Previously, only
+   plaintext had this, and this has not changed: it must be set to the
+   authenticator as a server. For the others, if server_condition is set, it is
+   expanded if authentication is successful, and treated exactly as it is in
+   plaintext. This can serve as a means of adding authorization to an
+   authenticator.
+

 
 Version 4.63
 ------------
 
 Version 4.63
 ------------

diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 2d0f160a205fa353ef11f3617fe61f6079cff60c..69f2370e065467310a7eebf8360c7f01aa661770 100644 (file)
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.24 2006/09/22 14:01:12 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.25 2006/10/16 15:44:36 ph10 Exp $

 
 LISTS OF EXIM OPTIONS
 ---------------------
 
 LISTS OF EXIM OPTIONS
 ---------------------


@@ -442,7 +442,7 @@ sender_unqualified_hosts             host list       unset         main
 senders                              address list    unset         routers           4.00
 serialize_hosts                      host list       unset         smtp              1.60
 server_advertise_condition           string*         unset         authenticators    4.14
 senders                              address list    unset         routers           4.00
 serialize_hosts                      host list       unset         smtp              1.60
 server_advertise_condition           string*         unset         authenticators    4.14

-server_condition                     string*         unset         plaintext         3.10
+server_condition                     string*         unset         authenticators    3.10 (plaintext) 4.64 (others)

 server_hostname                      string*   "$primary_hostname" cyrus_sasl        4.43
 server_mail_auth_condition           string*         unset         authenticators    3.22
 server_mech                          string          public_name   cyrus_sasl        4.43
 server_hostname                      string*   "$primary_hostname" cyrus_sasl        4.43
 server_mail_auth_condition           string*         unset         authenticators    3.22
 server_mech                          string          public_name   cyrus_sasl        4.43

diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index d38f8b00c6f42e1069ba6b5549ba919b7fa72aeb..b0b513c8bf52304d2dea99b93dd642b73a9a5867 100755 (executable)
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -1,5 +1,5 @@
 #!/bin/sh
 #!/bin/sh

-# $Cambridge: exim/src/scripts/MakeLinks,v 1.7 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/src/scripts/MakeLinks,v 1.8 2006/10/16 15:44:36 ph10 Exp $

 
 # Script to build links for all the exim source files from the system-
 # specific build directory. It should be run from within that directory.
 
 # Script to build links for all the exim source files from the system-
 # specific build directory. It should be run from within that directory.


@@ -162,6 +162,7 @@ ln -s ../../src/auths/b64decode.c        b64decode.c
 ln -s ../../src/auths/call_pam.c         call_pam.c
 ln -s ../../src/auths/call_pwcheck.c     call_pwcheck.c
 ln -s ../../src/auths/call_radius.c      call_radius.c
 ln -s ../../src/auths/call_pam.c         call_pam.c
 ln -s ../../src/auths/call_pwcheck.c     call_pwcheck.c
 ln -s ../../src/auths/call_radius.c      call_radius.c

+ln -s ../../src/auths/check_serv_cond.c  check_serv_cond.c

 ln -s ../../src/auths/cyrus_sasl.c       cyrus_sasl.c
 ln -s ../../src/auths/cyrus_sasl.h       cyrus_sasl.h
 ln -s ../../src/auths/get_data.c         get_data.c
 ln -s ../../src/auths/cyrus_sasl.c       cyrus_sasl.c
 ln -s ../../src/auths/cyrus_sasl.h       cyrus_sasl.h
 ln -s ../../src/auths/get_data.c         get_data.c

diff --git a/src/src/auths/Makefile b/src/src/auths/Makefile
index 889e24b8c0ee3968164460c3b32d94153ac3faf1..3df035dd39dabcf00a1d2f690639fa8fee040b74 100644 (file)
--- a/src/src/auths/Makefile
+++ b/src/src/auths/Makefile
@@ -1,4 +1,4 @@
-# $Cambridge: exim/src/src/auths/Makefile,v 1.4 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/src/src/auths/Makefile,v 1.5 2006/10/16 15:44:36 ph10 Exp $

 
 # Make file for building a library containing all the available authorization
 # methods, and calling it auths.a. In addition, there are functions that are
 
 # Make file for building a library containing all the available authorization
 # methods, and calling it auths.a. In addition, there are functions that are


@@ -7,10 +7,10 @@
 # after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are
 # defined, the equivalent modules herein is not included in the final binary.
 
 # after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are
 # defined, the equivalent modules herein is not included in the final binary.
 

-OBJ = b64encode.o b64decode.o call_pam.o call_pwcheck.o call_radius.o \
-      xtextencode.o xtextdecode.o get_data.o get_no64_data.o md5.o \
-      cram_md5.o cyrus_sasl.o dovecot.o plaintext.o pwcheck.o sha1.o \
-      auth-spa.o spa.o
+OBJ = auth-spa.o b64decode.o b64encode.o call_pam.o call_pwcheck.o \
+      call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \
+      get_data.o get_no64_data.o md5.o plaintext.o pwcheck.o sha1.o \
+      spa.o xtextdecode.o xtextencode.o

 
 auths.a:         $(OBJ)
                 @$(RM_COMMAND) -f auths.a
 
 auths.a:         $(OBJ)
                 @$(RM_COMMAND) -f auths.a


@@ -23,24 +23,25 @@ auths.a:         $(OBJ)
 .c.o:;           @echo "$(CC) $*.c"
                 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
 
 .c.o:;           @echo "$(CC) $*.c"
                 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
 

-auth-spa.o:      $(HDRS) auth-spa.c
-b64encode.o:     $(HDRS) b64encode.c
-b64decode.o:     $(HDRS) b64decode.c
-call_pam.o:      $(HDRS) call_pam.c
-call_pwcheck.o:  $(HDRS) call_pwcheck.c pwcheck.h
-call_radius.o:   $(HDRS) call_radius.c
-get_data.o:      $(HDRS) get_data.c
-get_no64_data.o: $(HDRS) get_no64_data.c
-md5.o:           $(HDRS) md5.c
-pwcheck.o:       $(HDRS) pwcheck.c pwcheck.h
-sha1.o:          $(HDRS) sha1.c
-xtextencode.o:   $(HDRS) xtextencode.c
-xtextdecode.o:   $(HDRS) xtextdecode.c
+auth-spa.o:         $(HDRS) auth-spa.c
+b64encode.o:        $(HDRS) b64encode.c
+b64decode.o:        $(HDRS) b64decode.c
+call_pam.o:         $(HDRS) call_pam.c
+call_pwcheck.o:     $(HDRS) call_pwcheck.c pwcheck.h
+call_radius.o:      $(HDRS) call_radius.c
+check_serv_cond.o:  $(HDRS) check_serv_cond.c
+get_data.o:         $(HDRS) get_data.c
+get_no64_data.o:    $(HDRS) get_no64_data.c
+md5.o:              $(HDRS) md5.c
+pwcheck.o:          $(HDRS) pwcheck.c pwcheck.h
+sha1.o:             $(HDRS) sha1.c
+xtextdecode.o:      $(HDRS) xtextdecode.c
+xtextencode.o:      $(HDRS) xtextencode.c

 
 

-cram_md5.o:      $(HDRS) cram_md5.c cram_md5.h
-cyrus_sasl.o:    $(HDRS) cyrus_sasl.c cyrus_sasl.h
-dovecot.o:       $(HDRS) dovecot.c dovecot.h
-plaintext.o:     $(HDRS) plaintext.c plaintext.h
-spa.o:           $(HDRS) spa.c spa.h
+cram_md5.o:         $(HDRS) cram_md5.c cram_md5.h
+cyrus_sasl.o:       $(HDRS) cyrus_sasl.c cyrus_sasl.h
+dovecot.o:          $(HDRS) dovecot.c dovecot.h
+plaintext.o:        $(HDRS) plaintext.c plaintext.h
+spa.o:              $(HDRS) spa.c spa.h

 
 # End
 
 # End

diff --git a/src/src/auths/README b/src/src/auths/README
index 780e15dc4bc6e20c9bdd773dff663fc685487781..83fcab44890123f6040e9b72104f81c2b9dbf0e0 100644 (file)
--- a/src/src/auths/README
+++ b/src/src/auths/README
@@ -1,4 +1,4 @@
-$Cambridge: exim/src/src/auths/README,v 1.5 2006/02/23 12:41:22 ph10 Exp $
+$Cambridge: exim/src/src/auths/README,v 1.6 2006/10/16 15:44:36 ph10 Exp $

 
 AUTHS
 
 
 AUTHS
 


@@ -59,7 +59,7 @@ The yield of a server authentication check must be one of:
   DEFER       couldn't complete the check
   FAIL        authentication failed
   CANCELLED   authentication forced to fail by "*" response to challenge,
   DEFER       couldn't complete the check
   FAIL        authentication failed
   CANCELLED   authentication forced to fail by "*" response to challenge,

-                or by a forced string expansion failure
+                or by certain forced string expansion failures

   BAD64       bad base64 data received
   UNEXPECTED  unexpected data received
 
   BAD64       bad base64 data received
   UNEXPECTED  unexpected data received
 

diff --git a/src/src/auths/check_serv_cond.c b/src/src/auths/check_serv_cond.c
new file mode 100644 (file)
index 0000000..1e77530
--- /dev/null
+++ b/src/src/auths/check_serv_cond.c
@@ -0,0 +1,99 @@
+/* $Cambridge: exim/src/src/auths/check_serv_cond.c,v 1.1 2006/10/16 15:44:36 ph10 Exp $ */
+
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2006 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+/* This module contains the function server_condition(), which is used
+by all authenticators. */
+
+
+/*************************************************
+*              Check server_condition            *
+*************************************************/
+
+/* This function is called from the server code of all authenticators. For
+plaintext, it is always called: the argument cannot be empty, because for
+plaintext, setting server_condition is what enables it as a server
+authenticator. For all the other authenticators, this function is called after
+they have authenticated, to enable additional authorization to be done.
+
+Argument:     the authenticator's instance block
+
+Returns:
+  OK          NULL argument, or success
+  DEFER       couldn't complete the check
+  FAIL        authentication failed
+*/
+
+int
+auth_check_serv_cond(auth_instance *ablock)
+{
+uschar *cond;
+
+HDEBUG(D_auth)
+  {
+  int i;
+  debug_printf("%s authenticator:\n", ablock->name);
+  for (i = 0; i < AUTH_VARS; i++)
+    {
+    if (auth_vars[i] != NULL)
+      debug_printf("  $auth%d = %s\n", i + 1, auth_vars[i]);
+    }
+  for (i = 1; i <= expand_nmax; i++)
+    debug_printf("  $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
+  debug_print_string(ablock->server_debug_string);    /* customized debug */
+  }
+
+/* For the plaintext authenticator, server_condition is never NULL. For the
+rest, an unset condition lets everything through. */
+
+if (ablock->server_condition == NULL) return OK;
+cond = expand_string(ablock->server_condition);
+
+HDEBUG(D_auth)
+  {
+  if (cond == NULL)
+    debug_printf("expansion failed: %s\n", expand_string_message);
+  else
+    debug_printf("expanded string: %s\n", cond);
+  }
+
+/* A forced expansion failure causes authentication to fail. Other expansion
+failures yield DEFER, which will cause a temporary error code to be returned to
+the AUTH command. The problem is at the server end, so the client should try
+again later. */
+
+if (cond == NULL)
+  {
+  if (expand_string_forcedfail) return FAIL;
+  auth_defer_msg = expand_string_message;
+  return DEFER;
+  }
+
+/* Return FAIL for empty string, "0", "no", and "false"; return OK for
+"1", "yes", and "true"; return DEFER for anything else, with the string
+available as an error text for the user. */
+
+if (*cond == 0 ||
+    Ustrcmp(cond, "0") == 0 ||
+    strcmpic(cond, US"no") == 0 ||
+    strcmpic(cond, US"false") == 0)
+  return FAIL;
+
+if (Ustrcmp(cond, "1") == 0 ||
+    strcmpic(cond, US"yes") == 0 ||
+    strcmpic(cond, US"true") == 0)
+  return OK;
+
+auth_defer_msg = cond;
+auth_defer_user_msg = string_sprintf(": %s", cond);
+return DEFER;
+}
+
+/* End of check_serv_cond.c */

diff --git a/src/src/auths/cram_md5.c b/src/src/auths/cram_md5.c
index 26521fbe9b3cf6f3677b9d1e366eb225ad733609..6686d5f1ca5c739b4d2bc07cac29adf9d2fedb3f 100644 (file)
--- a/src/src/auths/cram_md5.c
+++ b/src/src/auths/cram_md5.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -233,7 +233,8 @@ for (i = 0; i < 16; i++)
         ((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
   }
 
         ((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
   }
 

-return OK;
+/* Expand server_condition as an authorization check */
+return auth_check_serv_cond(ablock);

 }
 
 
 }
 
 

diff --git a/src/src/auths/cyrus_sasl.c b/src/src/auths/cyrus_sasl.c
index 7e6603988b3fff0d67e9740182954c57c6df205f..284194e0054c1a596b83952f650bab5db8aedc03 100644 (file)
--- a/src/src/auths/cyrus_sasl.c
+++ b/src/src/auths/cyrus_sasl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -53,7 +53,7 @@ address can appear in the tables drtables.c. */
 int auth_cyrus_sasl_options_count =
   sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
 
 int auth_cyrus_sasl_options_count =
   sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
 

-/* Default private options block for the contidion authentication method. */
+/* Default private options block for the cyrus_sasl authentication method. */

 
 auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
   US"smtp",         /* server_service */
 
 auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
   US"smtp",         /* server_service */


@@ -332,11 +332,13 @@ while(rc==SASL_CONTINUE)
     expand_nmax = 1;
 
     HDEBUG(D_auth)
     expand_nmax = 1;
 
     HDEBUG(D_auth)

-      debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2);
+      debug_printf("Cyrus SASL %s authentication succeeded for %s\n", ob->server_mech, out2);

     /* close down the connection, freeing up library's memory */
     sasl_dispose(&conn);
     sasl_done();
     /* close down the connection, freeing up library's memory */
     sasl_dispose(&conn);
     sasl_done();

-    return OK;
+
+    /* Expand server_condition as an authorization check */
+    return auth_check_serv_cond(ablock);

     }
   }
 /* NOTREACHED */
     }
   }
 /* NOTREACHED */

diff --git a/src/src/auths/dovecot.c b/src/src/auths/dovecot.c
index c11b2fe9b274b02c8bf47c823572bdf00d2c2ae9..e040bcf937d52d0a3226af833311e22d782986f1 100644 (file)
--- a/src/src/auths/dovecot.c
+++ b/src/src/auths/dovecot.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.2 2006/10/16 13:43:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.3 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*
  * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
 
 /*
  * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>


@@ -309,5 +309,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
        }
 
 out:   close(fd);
        }
 
 out:   close(fd);

-       return ret;
+
+       /* Expand server_condition as an authorization check */
+       return (ret == OK)? auth_check_serv_cond(ablock) : ret;

 }
 }

diff --git a/src/src/auths/plaintext.c b/src/src/auths/plaintext.c
index 2aea4a4921538c6aa5b6d4f75ee909ffc55570ae..e4fec348ef5729bcde47ef8b1dca4cf6f09d2cd1 100644 (file)
--- a/src/src/auths/plaintext.c
+++ b/src/src/auths/plaintext.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -18,8 +18,6 @@ optionlist auth_plaintext_options[] = {
       (void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) },
   { "client_send",        opt_stringptr,
       (void *)(offsetof(auth_plaintext_options_block, client_send)) },
       (void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) },
   { "client_send",        opt_stringptr,
       (void *)(offsetof(auth_plaintext_options_block, client_send)) },

-  { "server_condition",   opt_stringptr,
-      (void *)(offsetof(auth_plaintext_options_block, server_condition)) },

   { "server_prompts",     opt_stringptr,
       (void *)(offsetof(auth_plaintext_options_block, server_prompts)) }
 };
   { "server_prompts",     opt_stringptr,
       (void *)(offsetof(auth_plaintext_options_block, server_prompts)) }
 };


@@ -33,7 +31,6 @@ int auth_plaintext_options_count =
 /* Default private options block for the plaintext authentication method. */
 
 auth_plaintext_options_block auth_plaintext_option_defaults = {
 /* Default private options block for the plaintext authentication method. */
 
 auth_plaintext_options_block auth_plaintext_option_defaults = {

-  NULL,              /* server_condition */

   NULL,              /* server_prompts */
   NULL,              /* client_send */
   FALSE              /* client_ignore_invalid_base64 */
   NULL,              /* server_prompts */
   NULL,              /* client_send */
   FALSE              /* client_ignore_invalid_base64 */


@@ -54,7 +51,7 @@ auth_plaintext_init(auth_instance *ablock)
 auth_plaintext_options_block *ob =
   (auth_plaintext_options_block *)(ablock->options_block);
 if (ablock->public_name == NULL) ablock->public_name = ablock->name;
 auth_plaintext_options_block *ob =
   (auth_plaintext_options_block *)(ablock->options_block);
 if (ablock->public_name == NULL) ablock->public_name = ablock->name;

-if (ob->server_condition != NULL) ablock->server = TRUE;
+if (ablock->server_condition != NULL) ablock->server = TRUE;

 if (ob->client_send != NULL) ablock->client = TRUE;
 }
 
 if (ob->client_send != NULL) ablock->client = TRUE;
 }
 


@@ -72,7 +69,7 @@ auth_plaintext_server(auth_instance *ablock, uschar *data)
 auth_plaintext_options_block *ob =
   (auth_plaintext_options_block *)(ablock->options_block);
 uschar *prompts = ob->server_prompts;
 auth_plaintext_options_block *ob =
   (auth_plaintext_options_block *)(ablock->options_block);
 uschar *prompts = ob->server_prompts;

-uschar *clear, *cond, *end, *s;
+uschar *clear, *end, *s;

 int number = 1;
 int len, rc;
 int sep = 0;
 int number = 1;
 int len, rc;
 int sep = 0;


@@ -141,59 +138,12 @@ while ((s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size))
   }
 
 /* We now have a number of items of data in $auth1, $auth2, etc (and also, for
   }
 
 /* We now have a number of items of data in $auth1, $auth2, etc (and also, for

-compatibility, in $1, $2, etc). Match against the decoded data by expanding the
-condition. */
+compatibility, in $1, $2, etc). Authentication and authorization are handled
+together for this authenticator by expanding the server_condition option. Note
+that ablock->server_condition is always non-NULL because that's what configures
+this authenticator as a server. */

 
 

-cond = expand_string(ob->server_condition);
-
-HDEBUG(D_auth)
-  {
-  int i;
-  debug_printf("%s authenticator:\n", ablock->name);
-  for (i = 0; i < AUTH_VARS; i++)
-    {
-    if (auth_vars[i] != NULL)
-      debug_printf("  $auth%d = %s\n", i + 1, auth_vars[i]);
-    }
-  for (i = 1; i <= expand_nmax; i++)
-    debug_printf("  $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
-  debug_print_string(ablock->server_debug_string);    /* customized debug */
-  if (cond == NULL)
-    debug_printf("expansion failed: %s\n", expand_string_message);
-  else
-    debug_printf("expanded string: %s\n", cond);
-  }
-
-/* A forced expansion failure causes authentication to fail. Other expansion
-failures yield DEFER, which will cause a temporary error code to be returned to
-the AUTH command. The problem is at the server end, so the client should try
-again later. */
-
-if (cond == NULL)
-  {
-  if (expand_string_forcedfail) return FAIL;
-  auth_defer_msg = expand_string_message;
-  return DEFER;
-  }
-
-/* Return FAIL for empty string, "0", "no", and "false"; return OK for
-"1", "yes", and "true"; return DEFER for anything else, with the string
-available as an error text for the user. */
-
-if (*cond == 0 ||
-    Ustrcmp(cond, "0") == 0 ||
-    strcmpic(cond, US"no") == 0 ||
-    strcmpic(cond, US"false") == 0)
-  return FAIL;
-
-if (Ustrcmp(cond, "1") == 0 ||
-    strcmpic(cond, US"yes") == 0 ||
-    strcmpic(cond, US"true") == 0)
-  return OK;
-
-auth_defer_msg = cond;
-auth_defer_user_msg = string_sprintf(": %s", cond);
-return DEFER;
+return auth_check_serv_cond(ablock);

 }
 
 
 }
 
 

diff --git a/src/src/auths/plaintext.h b/src/src/auths/plaintext.h
index 7499a01d81fccc1fc2b08a25c82afe13e277cc17..c35f3e49892f81159d94e94fee545a6678f3da3a 100644 (file)
--- a/src/src/auths/plaintext.h
+++ b/src/src/auths/plaintext.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.4 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -10,7 +10,6 @@
 /* Private structure for the private options. */
 
 typedef struct {
 /* Private structure for the private options. */
 
 typedef struct {

-  uschar *server_condition;

   uschar *server_prompts;
   uschar *client_send;
   BOOL    client_ignore_invalid_base64;
   uschar *server_prompts;
   uschar *client_send;
   BOOL    client_ignore_invalid_base64;

diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index 3fd4bde6a11906a8953a4a42abfad14b529c55ef..6cc281a1b4cf71cb2e2f011343fbd37eab844a06 100644 (file)
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/spa.c,v 1.7 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/spa.c,v 1.8 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -25,8 +25,9 @@ References:
  * typedef unsigned uint32;
  * typedef unsigned char  uint8;
 
  * typedef unsigned uint32;
  * typedef unsigned char  uint8;
 

-07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
-                    input data. Find appropriate comment by grepping for "PH".
+07-August-2003:  PH: Patched up the code to avoid assert bombouts for stupid
+                     input data. Find appropriate comment by grepping for "PH".
+16-October-2006: PH: Added a call to auth_check_serv_cond() at the end

 */
 
 
 */
 
 


@@ -231,7 +232,9 @@ if (memcmp(ntRespData,
       ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
       24) == 0)
   /* success. we have a winner. */
       ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
       24) == 0)
   /* success. we have a winner. */

-  return OK;
+
+  /* Expand server_condition as an authorization check (PH) */
+  return auth_check_serv_cond(ablock);

 
 return FAIL;
 }
 
 return FAIL;
 }

diff --git a/src/src/functions.h b/src/src/functions.h
index 302f8b6d16f5ba38ec21f32bd99ecde702455698..170a84411d68c29663a736c196f1237c009070c9 100644 (file)
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/functions.h,v 1.28 2006/10/09 14:36:25 ph10 Exp $ */
+/* $Cambridge: exim/src/src/functions.h,v 1.29 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -49,6 +49,7 @@ extern int     auth_call_pwcheck(uschar *, uschar **);
 extern int     auth_call_radius(uschar *, uschar **);
 extern int     auth_call_saslauthd(uschar *, uschar *, uschar *, uschar *,
                  uschar **);
 extern int     auth_call_radius(uschar *, uschar **);
 extern int     auth_call_saslauthd(uschar *, uschar *, uschar *, uschar *,
                  uschar **);

+extern int     auth_check_serv_cond(auth_instance *);

 extern int     auth_get_data(uschar **, uschar *, int);
 extern int     auth_get_no64_data(uschar **, uschar *);
 extern uschar *auth_xtextencode(uschar *, int);
 extern int     auth_get_data(uschar **, uschar *, int);
 extern int     auth_get_no64_data(uschar **, uschar *);
 extern uschar *auth_xtextencode(uschar *, int);

diff --git a/src/src/globals.c b/src/src/globals.c
index 7c3f8e9f1011babe7971ad8b7f9c534a8d73f09d..35cac0f6ff8c2f62745d1b7f047ce92299992aca 100644 (file)
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.c,v 1.59 2006/09/25 10:14:20 ph10 Exp $ */
+/* $Cambridge: exim/src/src/globals.c,v 1.60 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -38,6 +38,8 @@ optionlist optionlist_auths[] = {
                  (void *)(offsetof(auth_instance, public_name)) },
   { "server_advertise_condition", opt_stringptr | opt_public,
                  (void *)(offsetof(auth_instance, advertise_condition))},
                  (void *)(offsetof(auth_instance, public_name)) },
   { "server_advertise_condition", opt_stringptr | opt_public,
                  (void *)(offsetof(auth_instance, advertise_condition))},

+  { "server_condition", opt_stringptr | opt_public,
+                 (void *)(offsetof(auth_instance, server_condition)) },

   { "server_debug_print", opt_stringptr | opt_public,
                  (void *)(offsetof(auth_instance, server_debug_string)) },
   { "server_mail_auth_condition", opt_stringptr | opt_public,
   { "server_debug_print", opt_stringptr | opt_public,
                  (void *)(offsetof(auth_instance, server_debug_string)) },
   { "server_mail_auth_condition", opt_stringptr | opt_public,


@@ -325,6 +327,7 @@ auth_instance auth_defaults    = {
     NULL,                      /* set_id */
     NULL,                      /* server_mail_auth_condition */
     NULL,                      /* server_debug_string */
     NULL,                      /* set_id */
     NULL,                      /* server_mail_auth_condition */
     NULL,                      /* server_debug_string */

+    NULL,                      /* server_condition */

     FALSE,                     /* client */
     FALSE,                     /* server */
     FALSE                      /* advertised */
     FALSE,                     /* client */
     FALSE,                     /* server */
     FALSE                      /* advertised */

diff --git a/src/src/structs.h b/src/src/structs.h
index c5bb3b3215614faa94f63f8254dbce29f0f06e9d..d160aee4a54fee19471124ac0eedb7831ddc4685 100644 (file)
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/structs.h,v 1.12 2006/09/25 11:25:37 ph10 Exp $ */
+/* $Cambridge: exim/src/src/structs.h,v 1.13 2006/10/16 15:44:36 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -367,6 +367,7 @@ typedef struct auth_instance {
   uschar *set_id;                 /* String to set as authenticated id */
   uschar *mail_auth_condition;    /* Condition for AUTH on MAIL command */
   uschar *server_debug_string;    /* Debugging output */
   uschar *set_id;                 /* String to set as authenticated id */
   uschar *mail_auth_condition;    /* Condition for AUTH on MAIL command */
   uschar *server_debug_string;    /* Debugging output */

+  uschar *server_condition;       /* Authorization condition */

   BOOL    client;                 /* TRUE if client option(s) set */
   BOOL    server;                 /* TRUE if server options(s) set */
   BOOL    advertised;             /* Set TRUE when advertised */
   BOOL    client;                 /* TRUE if client option(s) set */
   BOOL    server;                 /* TRUE if server options(s) set */
   BOOL    advertised;             /* Set TRUE when advertised */

diff --git a/test/confs/3500 b/test/confs/3500
index b83b1c33fa9802ffdf1f571432c463cbbc0c8350..343a0b3e1b284c7e20544117c807e0c7d44b690d 100644 (file)
--- a/test/confs/3500
+++ b/test/confs/3500
@@ -13,7 +13,7 @@ gecos_name = CALLER_NAME
 
 domainlist local_domains = test.ex : *.test.ex
 
 
 domainlist local_domains = test.ex : *.test.ex
 

-hostlist auth_hosts = 10.0.0.1
+hostlist auth_hosts = 10.0.0.1 : 10.0.0.5

 hostlist relay_hosts = 10.0.0.4
 hostlist auth_relay_hosts = 10.0.0.3 : 10.0.0.4
 
 hostlist relay_hosts = 10.0.0.4
 hostlist auth_relay_hosts = 10.0.0.3 : 10.0.0.4
 


@@ -80,6 +80,7 @@ cram_md5:
   server_secret = "${if eq{$auth1}{tim}{tanstaaftanstaaf}\
     {${if eq{$auth1}{userx}{secret}fail}}}"
   server_set_id = $auth1
   server_secret = "${if eq{$auth1}{tim}{tanstaaftanstaaf}\
     {${if eq{$auth1}{userx}{secret}fail}}}"
   server_set_id = $auth1

+  server_condition = ${if !eq {$sender_host_address}{10.0.0.5}}

 
 
 
 
 
 

diff --git a/test/scripts/3500-CRAM-MD5/3500 b/test/scripts/3500-CRAM-MD5/3500
index b3d2c05aa6cc75d056f4d365c479b1b27ba580fa..637852f643d92a0de10c0db08be18f2249b1e496 100644 (file)
--- a/test/scripts/3500-CRAM-MD5/3500
+++ b/test/scripts/3500-CRAM-MD5/3500
@@ -32,4 +32,15 @@ Testing authenticated CRAM-MD5.
 .
 quit
 ****
 .
 quit
 ****

+exim -bh 10.0.0.5
+ehlo test.host
+AUTH CRAM-MD5
+dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
+mail from:<userx@some.domain>
+rcpt to:<userx@test.ex>
+data
+Testing authenticated CRAM-MD5.
+.
+quit
+****

 no_msglog_check
 no_msglog_check

diff --git a/test/stderr/3500 b/test/stderr/3500
index b0432c58c5c6cfbd75d1b7e18e65a15334ffa466..87179790de0466df40cd158eec2719baccf81e2e 100644 (file)
--- a/test/stderr/3500
+++ b/test/stderr/3500
@@ -8,7 +8,7 @@
 >>> host in helo_accept_junk_hosts? no (option unset)
 >>> test.host in helo_lookup_domains? no (end of list)
 >>> host in pipelining_advertise_hosts? yes (matched "*")
 >>> host in helo_accept_junk_hosts? no (option unset)
 >>> test.host in helo_lookup_domains? no (end of list)
 >>> host in pipelining_advertise_hosts? yes (matched "*")

->>> host in "10.0.0.1"? no (end of list)
+>>> host in "10.0.0.1 : 10.0.0.5"? no (end of list)

 >>> host in "10.0.0.4"? yes (matched "10.0.0.4")
 >>> host in auth_advertise_hosts? no (matched "!+relay_hosts")
 >>> host in hosts_connection_nolog? no (option unset)
 >>> host in "10.0.0.4"? yes (matched "10.0.0.4")
 >>> host in auth_advertise_hosts? no (matched "!+relay_hosts")
 >>> host in hosts_connection_nolog? no (option unset)


@@ -21,13 +21,18 @@
 >>> host in helo_accept_junk_hosts? no (option unset)
 >>> test.host in helo_lookup_domains? no (end of list)
 >>> host in pipelining_advertise_hosts? yes (matched "*")
 >>> host in helo_accept_junk_hosts? no (option unset)
 >>> test.host in helo_lookup_domains? no (end of list)
 >>> host in pipelining_advertise_hosts? yes (matched "*")

->>> host in "10.0.0.1"? yes (matched "10.0.0.1")
+>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.1")

 >>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
 >>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
 >>> CRAM-MD5: user name = tim
 >>>           challenge = <1896.697170952@postoffice.reston.mci.net>
 >>>           received  = b913a602c7eda7a495b4e6e7334d3890
 >>>           digest    = b913a602c7eda7a495b4e6e7334d3890
 >>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
 >>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
 >>> CRAM-MD5: user name = tim
 >>>           challenge = <1896.697170952@postoffice.reston.mci.net>
 >>>           received  = b913a602c7eda7a495b4e6e7334d3890
 >>>           digest    = b913a602c7eda7a495b4e6e7334d3890

+>>> cram_md5 authenticator:
+>>>   $auth1 = tim
+>>>   $1 = tim
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> expanded string: true

 >>> using ACL "check_recipient"
 >>> processing "warn"
 >>> check hosts = 10.0.0.5
 >>> using ACL "check_recipient"
 >>> processing "warn"
 >>> check hosts = 10.0.0.5


@@ -54,3 +59,37 @@
 >>> accept: condition test succeeded
 >>> host in ignore_fromline_hosts? no (option unset)
 LOG: 10HmaY-0005vi-00 <= userx@some.domain H=(test.host) [10.0.0.1] P=esmtpa A=cram_md5:tim S=sss
 >>> accept: condition test succeeded
 >>> host in ignore_fromline_hosts? no (option unset)
 LOG: 10HmaY-0005vi-00 <= userx@some.domain H=(test.host) [10.0.0.1] P=esmtpa A=cram_md5:tim S=sss

+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> test.host in helo_lookup_domains? no (end of list)
+>>> host in pipelining_advertise_hosts? yes (matched "*")
+>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.5")
+>>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> CRAM-MD5: user name = tim
+>>>           challenge = <1896.697170952@postoffice.reston.mci.net>
+>>>           received  = b913a602c7eda7a495b4e6e7334d3890
+>>>           digest    = b913a602c7eda7a495b4e6e7334d3890
+>>> cram_md5 authenticator:
+>>>   $auth1 = tim
+>>>   $1 = tim
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> expanded string: 
+LOG: cram_md5 authenticator failed for (test.host) [10.0.0.5]: 535 Incorrect authentication data (set_id=tim)
+>>> using ACL "check_recipient"
+>>> processing "warn"
+>>> check hosts = 10.0.0.5
+>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
+>>> warn: condition test succeeded
+>>> processing "accept"
+>>> check hosts = 10.0.0.5
+>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
+>>> accept: condition test succeeded
+>>> host in ignore_fromline_hosts? no (option unset)
+LOG: 10HmaZ-0005vi-00 <= userx@some.domain H=(test.host) [10.0.0.5] P=esmtp S=sss

diff --git a/test/stdout/3407 b/test/stdout/3407
index d08999e28fc5520f46fe900a3486ca1c595b89cf..274c68c1a34b9b4a99a331ffa76a1f324e00191e 100644 (file)
--- a/test/stdout/3407
+++ b/test/stdout/3407
@@ -3,46 +3,46 @@ a1 authenticator:
 driver = plaintext
 public_name = PLAIN
 server_advertise_condition = 
 driver = plaintext
 public_name = PLAIN
 server_advertise_condition = 

+server_condition = xxx

 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 
 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 

-server_condition = xxx

 server_prompts = 
 
 a2 authenticator:
 driver = plaintext
 public_name = PLAIN
 server_advertise_condition = 
 server_prompts = 
 
 a2 authenticator:
 driver = plaintext
 public_name = PLAIN
 server_advertise_condition = 

+server_condition = 

 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 
 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 

-server_condition = 

 server_prompts = 
 
 a3 authenticator:
 driver = plaintext
 public_name = LOGIN
 server_advertise_condition = 
 server_prompts = 
 
 a3 authenticator:
 driver = plaintext
 public_name = LOGIN
 server_advertise_condition = 

+server_condition = 

 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 
 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 

-server_condition = 

 server_prompts = 
 
 a4 authenticator:
 driver = plaintext
 public_name = LOGIN
 server_advertise_condition = 
 server_prompts = 
 
 a4 authenticator:
 driver = plaintext
 public_name = LOGIN
 server_advertise_condition = 

+server_condition = 

 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 
 server_debug_print = 
 server_mail_auth_condition = 
 server_set_id = 
 no_client_ignore_invalid_base64
 client_send = 

-server_condition = 

 server_prompts = 
 server_prompts = 

diff --git a/test/stdout/3500 b/test/stdout/3500
index deaae921b851b7f8a7ded6b791da44da376968a3..87377d644466e4075662bc6d824eaaa0f27c4f8f 100644 (file)
--- a/test/stdout/3500
+++ b/test/stdout/3500
@@ -60,3 +60,26 @@
 **** SMTP testing: that is not a real message id!
 
 221 myhost.test.ex closing connection\r
 **** SMTP testing: that is not a real message id!
 
 221 myhost.test.ex closing connection\r

+
+**** SMTP testing session as if from host 10.0.0.5
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello test.host [10.0.0.5]\r
+250-SIZE 52428800\r
+250-ETRN\r
+250-EXPN\r
+250-PIPELINING\r
+250-AUTH CRAM-MD5\r
+250 HELP\r
+334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+\r
+535 Incorrect authentication data\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaZ-0005vi-00\r
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection\r