Fix the variables set by gsasl authenticator
authorJeremy Harris <jgh146exb@wizmail.org>
Sun, 29 Dec 2019 14:34:12 +0000 (14:34 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Sun, 29 Dec 2019 14:43:08 +0000 (14:43 +0000)
(cherry picked from commit 98eb95929140ee1e2b2b367b12abb45762d155e9)

doc/doc-txt/ChangeLog
src/src/auths/gsasl_exim.c
test/confs/3820 [new file with mode: 0644]
test/log/3820 [new file with mode: 0644]
test/rejectlog/3820 [new file with mode: 0644]
test/scripts/3820-Gnu-SASL/3820 [new file with mode: 0644]
test/scripts/3820-Gnu-SASL/REQUIRES [new file with mode: 0644]
test/stdout/3820 [new file with mode: 0644]

index 727221f..32febe1 100644 (file)
@@ -45,6 +45,10 @@ JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
       tracking also did many adjustments to string handling.  Since then, eximon
       frequently terminated with an assert failure.
 
+JH/16 Fix the variables set by the gsasl authenticator.  Previously a pointer to
+      library live data was being used, so the results became garbage.  Make
+      copies while it is still usable.
+
 
 Exim version 4.93
 -----------------
index faf30bb..ee6cb4f 100644 (file)
@@ -461,11 +461,11 @@ switch (prop)
   case GSASL_VALIDATE_SIMPLE:
     /* GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD */
     propval = US  gsasl_property_fast(sctx, GSASL_AUTHID);
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
     propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
-    auth_vars[1] = expand_nstring[2] = propval ? propval : US"";
+    auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US"";
     propval = US  gsasl_property_fast(sctx, GSASL_PASSWORD);
-    auth_vars[2] = expand_nstring[3] = propval ? propval : US"";
+    auth_vars[2] = expand_nstring[3] = propval ? string_copy(propval) : US"";
     expand_nmax = 3;
     for (int i = 1; i <= 3; ++i)
       expand_nlength[i] = Ustrlen(expand_nstring[i]);
@@ -483,7 +483,7 @@ switch (prop)
       }
     propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
     /* We always set $auth1, even if only to empty string. */
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
     expand_nlength[1] = Ustrlen(expand_nstring[1]);
     expand_nmax = 1;
 
@@ -501,7 +501,7 @@ switch (prop)
       }
     propval = US  gsasl_property_fast(sctx, GSASL_ANONYMOUS_TOKEN);
     /* We always set $auth1, even if only to empty string. */
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
     expand_nlength[1] = Ustrlen(expand_nstring[1]);
     expand_nmax = 1;
 
@@ -521,9 +521,9 @@ switch (prop)
     to the first release of Exim with this authenticator, they've been
     switched to match the ordering of GSASL_VALIDATE_SIMPLE. */
     propval = US  gsasl_property_fast(sctx, GSASL_GSSAPI_DISPLAY_NAME);
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
     propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
-    auth_vars[1] = expand_nstring[2] = propval ? propval : US"";
+    auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US"";
     expand_nmax = 2;
     for (int i = 1; i <= 2; ++i)
       expand_nlength[i] = Ustrlen(expand_nstring[i]);
@@ -558,11 +558,11 @@ switch (prop)
     needing to add more glue, since avoiding that is a large part of the
     point of SASL. */
     propval = US  gsasl_property_fast(sctx, GSASL_AUTHID);
-    auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+    auth_vars[0] = expand_nstring[1] = propval ? string_copy(propval) : US"";
     propval = US  gsasl_property_fast(sctx, GSASL_AUTHZID);
-    auth_vars[1] = expand_nstring[2] = propval ? propval : US"";
+    auth_vars[1] = expand_nstring[2] = propval ? string_copy(propval) : US"";
     propval = US  gsasl_property_fast(sctx, GSASL_REALM);
-    auth_vars[2] = expand_nstring[3] = propval ? propval : US"";
+    auth_vars[2] = expand_nstring[3] = propval ? string_copy(propval) : US"";
     expand_nmax = 3;
     for (int i = 1; i <= 3; ++i)
       expand_nlength[i] = Ustrlen(expand_nstring[i]);
diff --git a/test/confs/3820 b/test/confs/3820
new file mode 100644 (file)
index 0000000..a0206f3
--- /dev/null
@@ -0,0 +1,47 @@
+# Exim test configuration 3820
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+
+# ----- Authentication -----
+
+begin authenticators
+
+sasl1:
+  driver = gsasl
+  public_name = ANONYMOUS
+  server_set_id =      $auth1
+  server_condition =   true
+
+sasl2:
+  driver = gsasl
+  public_name = PLAIN
+  server_set_id =      $auth1
+  server_condition =   false
+
+sasl3:
+  driver = gsasl
+  public_name = SCRAM-SHA-1
+
+  # will need to give library salt, stored-key, server-key, itercount
+  #
+  # sigh
+  # gsasl takes props: GSASL_SCRAM_ITER, GSASL_SCRAM_SALT.  It _might_ take
+  # a GSASL_SCRAM_SALTED_PASSWORD - but that is only documented for client mode.
+
+  server_scram_iter =  4096
+  # unclear if the salt is given in binary or base64 to the library
+  server_scram_salt =  QSXCR+Q6sek8bf92
+  server_password =    pencil
+
+  server_condition =   true
+  server_set_id =      $auth1
+
+
+# End
diff --git a/test/log/3820 b/test/log/3820
new file mode 100644 (file)
index 0000000..bc49c4a
--- /dev/null
@@ -0,0 +1,4 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 sasl2 authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data (set_id=ph10)
diff --git a/test/rejectlog/3820 b/test/rejectlog/3820
new file mode 100644 (file)
index 0000000..50092c8
--- /dev/null
@@ -0,0 +1,5 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 sasl2 authenticator (PLAIN):
+  GNU SASL permanent failure: GSASL_AUTHENTICATION_ERROR (Error authenticating user)
+1999-03-02 09:44:33 sasl2 authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data (set_id=ph10)
diff --git a/test/scripts/3820-Gnu-SASL/3820 b/test/scripts/3820-Gnu-SASL/3820
new file mode 100644 (file)
index 0000000..83ade63
--- /dev/null
@@ -0,0 +1,26 @@
+# GSASL authentication (server only)
+#
+# An ANONYMOUS ath seems to want the username b64'd.  Which is consistent with
+# other SASL stuff, but inconsistent vs. cyrus-sasl.  It also wants the username
+# on the AUTH line, otherwise it GSASL_MECHANISM_PARSE_ERROR, and 435.
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+client 127.0.0.1 PORT_D
+??? 220
+EHLO xxxx
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+AUTH PLAIN AHBoMTAAc2VjcmV0
+??? 535
+AUTH ANONYMOUS cGgxMA==
+??? 235
+QUIT
+??? 221
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/3820-Gnu-SASL/REQUIRES b/test/scripts/3820-Gnu-SASL/REQUIRES
new file mode 100644 (file)
index 0000000..4614489
--- /dev/null
@@ -0,0 +1 @@
+authenticator gsasl
diff --git a/test/stdout/3820 b/test/stdout/3820
new file mode 100644 (file)
index 0000000..2572313
--- /dev/null
@@ -0,0 +1,26 @@
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> EHLO xxxx
+??? 250-
+<<< 250-myhost.test.ex Hello xxxx [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-AUTH ANONYMOUS PLAIN SCRAM-SHA-1
+??? 250
+<<< 250 HELP
+>>> AUTH PLAIN AHBoMTAAc2VjcmV0
+??? 535
+<<< 535 Incorrect authentication data
+>>> AUTH ANONYMOUS cGgxMA==
+??? 235
+<<< 235 Authentication succeeded
+>>> QUIT
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script