Diffstat (limited to 'src')
-rw-r--r-- | src/ACKNOWLEDGMENTS | 5 | ||||
-rw-r--r-- | src/src/auths/README | 5 | ||||
-rw-r--r-- | src/src/auths/cram_md5.c | 10 | ||||
-rw-r--r-- | src/src/auths/plaintext.c | 45 | ||||
-rw-r--r-- | src/src/auths/plaintext.h | 3 | ||||
-rw-r--r-- | src/src/auths/spa.c | 4 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 9 |
7 files changed, 66 insertions, 15 deletions
diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS index b0285c65e..ce145ce21 100644 --- a/src/ACKNOWLEDGMENTS +++ b/src/ACKNOWLEDGMENTS @@ -1,4 +1,4 @@ -$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.41 2006/02/14 15:24:10 ph10 Exp $ +$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.42 2006/02/23 12:41:22 ph10 Exp $ EXIM ACKNOWLEDGEMENTS @@ -20,7 +20,7 @@ relatively small patches. Philip Hazel Lists created: 20 November 2002 -Last updated: 13 February 2006 +Last updated: 23 February 2006 THE OLD LIST @@ -71,6 +71,7 @@ Claus Assmann Example code for OpenSSL CRL support Ian Bell Analysis of a bug and an infelicity in clock tick code Patch for ${quote_local_part Peter Benie A number mistakes found by analysing the code +Johannes Berg Suggested patch for authentication client $auth<n> support Matt Bernstein LMTP over socket Suggested patch for dnslists '&' feature Mike Bethune Help with debugging an elusive ALRM signal bug diff --git a/src/src/auths/README b/src/src/auths/README index 9143b9e91..780e15dc4 100644 --- a/src/src/auths/README +++ b/src/src/auths/README @@ -1,4 +1,4 @@ -$Cambridge: exim/src/src/auths/README,v 1.4 2006/02/10 14:25:43 ph10 Exp $ +$Cambridge: exim/src/src/auths/README,v 1.5 2006/02/23 12:41:22 ph10 Exp $ AUTHS @@ -87,7 +87,8 @@ The yield of a client authentication check must be one of: FAIL failed after reading a response; either errno is set (for timeouts, I/O failures) or the buffer contains the SMTP response line - FORCEFAIL failed without reading a response (often "fail" in expansion) + CANCELLED the client cancelled authentication (often "fail" in expansion) + the buffer may contain a message; if not, *buffer = 0 ERROR local problem (typically expansion error); message in buffer To communicate with the remote host the client should call diff --git a/src/src/auths/cram_md5.c b/src/src/auths/cram_md5.c index 7b5598762..26521fbe9 100644 --- a/src/src/auths/cram_md5.c +++ b/src/src/auths/cram_md5.c 
@@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -250,7 +250,7 @@ auth_cram_md5_client( smtp_inblock *inblock, /* input connection */ smtp_outblock *outblock, /* output connection */ int timeout, /* command timeout */ - uschar *buffer, /* for reading response */ + uschar *buffer, /* for reading response */ int buffsize) /* size of buffer */ { auth_cram_md5_options_block *ob = @@ -266,7 +266,11 @@ or ERROR, as approriate. */ if (secret == NULL || name == NULL) { - if (expand_string_forcedfail) return CANCELLED; + if (expand_string_forcedfail) + { + *buffer = 0; /* No message */ + return CANCELLED; + } string_format(buffer, buffsize, "expansion of \"%s\" failed in " "%s authenticator: %s", (secret == NULL)? ob->client_secret : ob->client_name, diff --git a/src/src/auths/plaintext.c b/src/src/auths/plaintext.c index e5f261a16..2aea4a492 100644 --- a/src/src/auths/plaintext.c +++ b/src/src/auths/plaintext.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -14,6 +14,8 @@ /* Options specific to the plaintext authentication mechanism. */ optionlist auth_plaintext_options[] = { + { "client_ignore_invalid_base64", opt_bool, + (void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) }, { "client_send", opt_stringptr, (void *)(offsetof(auth_plaintext_options_block, client_send)) }, { "server_condition", opt_stringptr, 
@@ -33,7 +35,8 @@ int auth_plaintext_options_count = auth_plaintext_options_block auth_plaintext_option_defaults = { NULL, /* server_condition */ NULL, /* server_prompts */ - NULL /* client_send */ + NULL, /* client_send */ + FALSE /* client_ignore_invalid_base64 */ }; @@ -216,6 +219,7 @@ uschar *text = ob->client_send; uschar *s; BOOL first = TRUE; int sep = 0; +int auth_var_idx = 0; /* The text is broken up into a number of different data items, which are sent one by one. The first one is sent with the AUTH command; the remainder are @@ -223,8 +227,9 @@ sent in response to subsequent prompts. Each is expanded before being sent. */ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)) != NULL) { - int i, len; + int i, len, clear_len; uschar *ss = expand_string(s); + uschar *clear; /* Forced expansion failure is not an error; authentication is abandoned. On all but the first string, we have to abandon the authentication attempt by @@ -239,7 +244,11 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)) != NULL if (smtp_write_command(outblock, FALSE, "*\r\n") >= 0) (void) smtp_read_response(inblock, US buffer, buffsize, '2', timeout); } - if (expand_string_forcedfail) return CANCELLED; + if (expand_string_forcedfail) + { + *buffer = 0; /* No message */ + return CANCELLED; + } string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " "authenticator: %s", ssave, ablock->name, expand_string_message); return ERROR; 
@@ -304,6 +313,34 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)) != NULL "authenticator", ablock->name); return ERROR; } + + /* Now that we know we'll continue, we put the received data into $auth<n>, + if possible. First, decode it: buffer+4 skips over the SMTP status code. */ + + clear_len = auth_b64decode(buffer+4, &clear); + + /* If decoding failed, the default is to terminate the authentication, and + return FAIL, with the SMTP response still in the buffer. However, if client_ + ignore_invalid_base64 is set, we ignore the error, and put an empty string + into $auth<n>. */ + + if (clear_len < 0) + { + uschar *save_bad = string_copy(buffer); + if (!ob->client_ignore_invalid_base64) + { + if (smtp_write_command(outblock, FALSE, "*\r\n") >= 0) + (void)smtp_read_response(inblock, US buffer, buffsize, '2', timeout); + string_format(buffer, buffsize, "Invalid base64 string in server " + "response \"%s\"", save_bad); + return CANCELLED; + } + clear = US""; + clear_len = 0; + } + + if (auth_var_idx < AUTH_VARS) + auth_vars[auth_var_idx++] = string_copy(clear); } /* Control should never actually get here. */ diff --git a/src/src/auths/plaintext.h b/src/src/auths/plaintext.h index 46983d044..7499a01d8 100644 --- a/src/src/auths/plaintext.h +++ b/src/src/auths/plaintext.h @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.3 2006/02/07 11:19:01 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.4 2006/02/23 12:41:22 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -13,6 +13,7 @@ typedef struct { uschar *server_condition; uschar *server_prompts; uschar *client_send; + BOOL client_ignore_invalid_base64; } auth_plaintext_options_block; /* Data for reading the private options. */ diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c index 264887607..3fd4bde6a 100644 --- a/src/src/auths/spa.c +++ b/src/src/auths/spa.c 
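Review bot: `auth_b64decode(buffer+4, &clear)` assumes the server's continuation reply is at least four bytes long; if the response check before this hunk (not visible here) accepts a bare three-digit reply with nothing after the code, `buffer+4` starts one byte past the terminating zero and the decoder reads whatever an earlier response left in the buffer. A guard such as `if (buffer[3] == 0) { clear = US""; clear_len = 0; }` followed by `else clear_len = auth_b64decode(buffer+4, &clear);` keeps the read inside the current response. Separately, the new comment says a decode failure returns FAIL with the SMTP response still in the buffer, but the code returns CANCELLED with a formatted message, so the comment should read `return CANCELLED, with an explanatory message in the buffer`. The decoded value is chosen by the remote server and becomes `$auth<n>`, which is worth stating in the comment because later `client_send` items are expanded with it in scope. The enclosing while loop begins before this hunk.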
@@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/spa.c,v 1.6 2006/02/10 14:25:43 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/spa.c,v 1.7 2006/02/23 12:41:22 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -263,6 +263,8 @@ auth_spa_client( /* Code added by PH to expand the options */ + *buffer = 0; /* Default no message when cancelled */ + username = CS expand_string(ob->spa_username); if (username == NULL) { diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 3c915a4e1..93cbd221f 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/transports/smtp.c,v 1.21 2006/02/21 16:24:20 ph10 Exp $ */ +/* $Cambridge: exim/src/src/transports/smtp.c,v 1.22 2006/02/23 12:41:23 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -1211,9 +1211,14 @@ if (continue_hostname == NULL /* Failure by some other means. In effect, the authenticator decided it wasn't prepared to handle this case. Typically this is the result of "fail" in an expansion string. Do we need to - log anything here? */ + log anything here? Feb 2006: a message is now put in the buffer + if logging is required. */ case CANCELLED: + if (*buffer != 0) + log_write(0, LOG_MAIN, "%s authenticator cancelled " + "authentication H=%s [%s] %s", au->name, host->name, + host->address, buffer); break; /* Internal problem, message in buffer. */ |
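Review bot: The new logging under `case CANCELLED:` in smtp.c trusts that every client authenticator has set `*buffer` before returning. The call site is outside this hunk, but if `buffer` still holds an earlier SMTP response when an authenticator that was not updated returns CANCELLED, that stale text is logged as the cancellation reason. Clearing it once in the caller, with `buffer[0] = 0;` immediately before the authenticator's client function is invoked, would make the contract hold without relying on each of cram_md5.c, plaintext.c and spa.c. The message can also carry bytes chosen by the remote server, since plaintext.c copies the raw response into it. Unless `log_write` already escapes non-printing characters, pass `string_printing(buffer)` rather than `buffer` to keep control characters out of the main log.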