Diffstat (limited to 'src')
-rwxr-xr-x | src/scripts/MakeLinks | 3 | ||||
-rw-r--r-- | src/src/auths/Makefile | 47 | ||||
-rw-r--r-- | src/src/auths/README | 4 | ||||
-rw-r--r-- | src/src/auths/check_serv_cond.c | 99 | ||||
-rw-r--r-- | src/src/auths/cram_md5.c | 5 | ||||
-rw-r--r-- | src/src/auths/cyrus_sasl.c | 10 | ||||
-rw-r--r-- | src/src/auths/dovecot.c | 6 | ||||
-rw-r--r-- | src/src/auths/plaintext.c | 66 | ||||
-rw-r--r-- | src/src/auths/plaintext.h | 3 | ||||
-rw-r--r-- | src/src/auths/spa.c | 11 | ||||
-rw-r--r-- | src/src/functions.h | 3 | ||||
-rw-r--r-- | src/src/globals.c | 5 | ||||
-rw-r--r-- | src/src/structs.h | 3 |
13 files changed, 164 insertions, 101 deletions
diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index d38f8b00c..b0b513c8b 100755
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -1,5 +1,5 @@
#!/bin/sh
-# $Cambridge: exim/src/scripts/MakeLinks,v 1.7 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/src/scripts/MakeLinks,v 1.8 2006/10/16 15:44:36 ph10 Exp $
# Script to build links for all the exim source files from the system-
# specific build directory. It should be run from within that directory.
@@ -162,6 +162,7 @@ ln -s ../../src/auths/b64decode.c b64decode.c
ln -s ../../src/auths/call_pam.c call_pam.c
ln -s ../../src/auths/call_pwcheck.c call_pwcheck.c
ln -s ../../src/auths/call_radius.c call_radius.c
+ln -s ../../src/auths/check_serv_cond.c check_serv_cond.c
ln -s ../../src/auths/cyrus_sasl.c cyrus_sasl.c
ln -s ../../src/auths/cyrus_sasl.h cyrus_sasl.h
ln -s ../../src/auths/get_data.c get_data.c
diff --git a/src/src/auths/Makefile b/src/src/auths/Makefile
index 889e24b8c..3df035dd3 100644
--- a/src/src/auths/Makefile
+++ b/src/src/auths/Makefile
@@ -1,4 +1,4 @@
-# $Cambridge: exim/src/src/auths/Makefile,v 1.4 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/src/src/auths/Makefile,v 1.5 2006/10/16 15:44:36 ph10 Exp $
# Make file for building a library containing all the available authorization
# methods, and calling it auths.a. In addition, there are functions that are
@@ -7,10 +7,10 @@
# after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are
# defined, the equivalent modules herein is not included in the final binary.
-OBJ = b64encode.o b64decode.o call_pam.o call_pwcheck.o call_radius.o \
- xtextencode.o xtextdecode.o get_data.o get_no64_data.o md5.o \
- cram_md5.o cyrus_sasl.o dovecot.o plaintext.o pwcheck.o sha1.o \
- auth-spa.o spa.o
+OBJ = auth-spa.o b64decode.o b64encode.o call_pam.o call_pwcheck.o \
+ call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \
+ get_data.o get_no64_data.o md5.o plaintext.o pwcheck.o sha1.o \
+ spa.o xtextdecode.o xtextencode.o
auths.a: $(OBJ)
@$(RM_COMMAND) -f auths.a
@@ -23,24 +23,25 @@ auths.a: $(OBJ)
.c.o:; @echo "$(CC) $*.c"
$(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
-auth-spa.o: $(HDRS) auth-spa.c
-b64encode.o: $(HDRS) b64encode.c
-b64decode.o: $(HDRS) b64decode.c
-call_pam.o: $(HDRS) call_pam.c
-call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h
-call_radius.o: $(HDRS) call_radius.c
-get_data.o: $(HDRS) get_data.c
-get_no64_data.o: $(HDRS) get_no64_data.c
-md5.o: $(HDRS) md5.c
-pwcheck.o: $(HDRS) pwcheck.c pwcheck.h
-sha1.o: $(HDRS) sha1.c
-xtextencode.o: $(HDRS) xtextencode.c
-xtextdecode.o: $(HDRS) xtextdecode.c
+auth-spa.o: $(HDRS) auth-spa.c
+b64encode.o: $(HDRS) b64encode.c
+b64decode.o: $(HDRS) b64decode.c
+call_pam.o: $(HDRS) call_pam.c
+call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h
+call_radius.o: $(HDRS) call_radius.c
+check_serv_cond.o: $(HDRS) check_serv_cond.c
+get_data.o: $(HDRS) get_data.c
+get_no64_data.o: $(HDRS) get_no64_data.c
+md5.o: $(HDRS) md5.c
+pwcheck.o: $(HDRS) pwcheck.c pwcheck.h
+sha1.o: $(HDRS) sha1.c
+xtextdecode.o: $(HDRS) xtextdecode.c
+xtextencode.o: $(HDRS) xtextencode.c
-cram_md5.o: $(HDRS) cram_md5.c cram_md5.h
-cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h
-dovecot.o: $(HDRS) dovecot.c dovecot.h
-plaintext.o: $(HDRS) plaintext.c plaintext.h
-spa.o: $(HDRS) spa.c spa.h
+cram_md5.o: $(HDRS) cram_md5.c cram_md5.h
+cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h
+dovecot.o: $(HDRS) dovecot.c dovecot.h
+plaintext.o: $(HDRS) plaintext.c plaintext.h
+spa.o: $(HDRS) spa.c spa.h
# End
diff --git a/src/src/auths/README b/src/src/auths/README
index 780e15dc4..83fcab448 100644
--- a/src/src/auths/README
+++ b/src/src/auths/README
@@ -1,4 +1,4 @@
-$Cambridge: exim/src/src/auths/README,v 1.5 2006/02/23 12:41:22 ph10 Exp $
+$Cambridge: exim/src/src/auths/README,v 1.6 2006/10/16 15:44:36 ph10 Exp $
AUTHS
@@ -59,7 +59,7 @@ The yield of a server authentication check must be one of:
DEFER couldn't complete the check
FAIL authentication failed
CANCELLED authentication forced to fail by "*" response to challenge,
- or by a forced string expansion failure
+ or by certain forced string expansion failures
BAD64 bad base64 data received
UNEXPECTED unexpected data received
diff --git a/src/src/auths/check_serv_cond.c b/src/src/auths/check_serv_cond.c
new file mode 100644
index 000000000..1e775300c
--- /dev/null
+++ b/src/src/auths/check_serv_cond.c
@@ -0,0 +1,99 @@
+/* $Cambridge: exim/src/src/auths/check_serv_cond.c,v 1.1 2006/10/16 15:44:36 ph10 Exp $ */
+
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2006 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+/* This module contains the function server_condition(), which is used
+by all authenticators. */
+
+
+/*************************************************
+* Check server_condition *
+*************************************************/
+
+/* This function is called from the server code of all authenticators. For
+plaintext, it is always called: the argument cannot be empty, because for
+plaintext, setting server_condition is what enables it as a server
+authenticator. For all the other authenticators, this function is called after
+they have authenticated, to enable additional authorization to be done.
+
+Argument: the authenticator's instance block
+
+Returns:
+ OK NULL argument, or success
+ DEFER couldn't complete the check
+ FAIL authentication failed
+*/
+
+int
+auth_check_serv_cond(auth_instance *ablock)
+{
+uschar *cond;
+
+HDEBUG(D_auth)
+ {
+ int i;
+ debug_printf("%s authenticator:\n", ablock->name);
+ for (i = 0; i < AUTH_VARS; i++)
+ {
+ if (auth_vars[i] != NULL)
+ debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
+ }
+ for (i = 1; i <= expand_nmax; i++)
+ debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
+ debug_print_string(ablock->server_debug_string); /* customized debug */
+ }
+
+/* For the plaintext authenticator, server_condition is never NULL. For the
+rest, an unset condition lets everything through. */
+
+if (ablock->server_condition == NULL) return OK;
+cond = expand_string(ablock->server_condition);
+
+HDEBUG(D_auth)
+ {
+ if (cond == NULL)
+ debug_printf("expansion failed: %s\n", expand_string_message);
+ else
+ debug_printf("expanded string: %s\n", cond);
+ }
+
+/* A forced expansion failure causes authentication to fail. Other expansion
+failures yield DEFER, which will cause a temporary error code to be returned to
+the AUTH command. The problem is at the server end, so the client should try
+again later. */
+
+if (cond == NULL)
+ {
+ if (expand_string_forcedfail) return FAIL;
+ auth_defer_msg = expand_string_message;
+ return DEFER;
+ }
+
+/* Return FAIL for empty string, "0", "no", and "false"; return OK for
+"1", "yes", and "true"; return DEFER for anything else, with the string
+available as an error text for the user. */
+
+if (*cond == 0 ||
+ Ustrcmp(cond, "0") == 0 ||
+ strcmpic(cond, US"no") == 0 ||
+ strcmpic(cond, US"false") == 0)
+ return FAIL;
+
+if (Ustrcmp(cond, "1") == 0 ||
+ strcmpic(cond, US"yes") == 0 ||
+ strcmpic(cond, US"true") == 0)
+ return OK;
+
+auth_defer_msg = cond;
+auth_defer_user_msg = string_sprintf(": %s", cond);
+return DEFER;
+}
+
+/* End of check_serv_cond.c */
diff --git a/src/src/auths/cram_md5.c b/src/src/auths/cram_md5.c
index 26521fbe9..6686d5f1c 100644
--- a/src/src/auths/cram_md5.c
+++ b/src/src/auths/cram_md5.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -233,7 +233,8 @@ for (i = 0; i < 16; i++)
((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
}
-return OK;
+/* Expand server_condition as an authorization check */
+return auth_check_serv_cond(ablock);
}
diff --git a/src/src/auths/cyrus_sasl.c b/src/src/auths/cyrus_sasl.c
index 7e6603988..284194e00 100644
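Review bot: The HDEBUG block at the top of auth_check_serv_cond() prints every non-NULL `$authN` value, and for the plaintext authenticator those are the client's decoded credentials (the plaintext.c hunk's own comment says the decoded data is held in $auth1, $auth2, …), so debug output from this now-shared function will carry cleartext passwords. That deserves an explicit warning above the loop, e.g. `/* NOTE: $authN may hold cleartext credentials (plaintext); auth debug output is sensitive */`, and printing only `$auth1` there would be a cheap hardening. The final DEFER path also copies the expanded condition into auth_defer_user_msg, which the preceding comment describes as error text for the user, so whatever the expansion yields — lookup output, error strings — is presumably echoed to the remote client; a comment stating that server_condition should expand only to the documented yes/no values and never to raw lookup results would make that operator-facing caveat explicit.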
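Review bot: The digest check the new return now follows, `((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;`, leaves the loop at the first mismatching byte, so the time taken to reject a response depends on how many leading bytes of the client's hex digest are correct — an early-exit compare on an authentication MAC. This predates the commit, but since the success path is being rewritten here it is a good moment to fix it: OR the XOR of each decoded byte with digest[i] into an int accumulator across all 16 iterations and test the accumulator once after the loop, leaving `return auth_check_serv_cond(ablock);` as the only success path. The enclosing for loop and the function start outside the hunk.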
--- a/src/src/auths/cyrus_sasl.c
+++ b/src/src/auths/cyrus_sasl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -53,7 +53,7 @@ address can appear in the tables drtables.c. */
int auth_cyrus_sasl_options_count =
sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
-/* Default private options block for the contidion authentication method. */
+/* Default private options block for the cyrus_sasl authentication method. */
auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
US"smtp", /* server_service */
@@ -332,11 +332,13 @@ while(rc==SASL_CONTINUE)
expand_nmax = 1;
HDEBUG(D_auth)
- debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2);
+ debug_printf("Cyrus SASL %s authentication succeeded for %s\n", ob->server_mech, out2);
/* close down the connection, freeing up library's memory */
sasl_dispose(&conn);
sasl_done();
- return OK;
+
+ /* Expand server_condition as an authorization check */
+ return auth_check_serv_cond(ablock);
}
}
/* NOTREACHED */
diff --git a/src/src/auths/dovecot.c b/src/src/auths/dovecot.c
index c11b2fe9b..e040bcf93 100644
--- a/src/src/auths/dovecot.c
+++ b/src/src/auths/dovecot.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.2 2006/10/16 13:43:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.3 2006/10/16 15:44:36 ph10 Exp $ */
/*
* Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
@@ -309,5 +309,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
}
out:
close(fd);
- return ret;
+
+ /* Expand server_condition as an authorization check */
+ return (ret == OK)? auth_check_serv_cond(ablock) : ret;
}
diff --git a/src/src/auths/plaintext.c b/src/src/auths/plaintext.c
index 2aea4a492..e4fec348e 100644
--- a/src/src/auths/plaintext.c
+++ b/src/src/auths/plaintext.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -18,8 +18,6 @@ optionlist auth_plaintext_options[] = {
(void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) },
{ "client_send", opt_stringptr,
(void *)(offsetof(auth_plaintext_options_block, client_send)) },
- { "server_condition", opt_stringptr,
- (void *)(offsetof(auth_plaintext_options_block, server_condition)) },
{ "server_prompts", opt_stringptr,
(void *)(offsetof(auth_plaintext_options_block, server_prompts)) }
};
@@ -33,7 +31,6 @@ int auth_plaintext_options_count =
/* Default private options block for the plaintext authentication method. */
auth_plaintext_options_block auth_plaintext_option_defaults = {
- NULL, /* server_condition */
NULL, /* server_prompts */
NULL, /* client_send */
FALSE /* client_ignore_invalid_base64 */
@@ -54,7 +51,7 @@ auth_plaintext_init(auth_instance *ablock)
auth_plaintext_options_block *ob =
(auth_plaintext_options_block *)(ablock->options_block);
if (ablock->public_name == NULL) ablock->public_name = ablock->name;
-if (ob->server_condition != NULL) ablock->server = TRUE;
+if (ablock->server_condition != NULL) ablock->server = TRUE;
if (ob->client_send != NULL) ablock->client = TRUE;
}
@@ -72,7 +69,7 @@ auth_plaintext_server(auth_instance *ablock, uschar *data)
auth_plaintext_options_block *ob =
(auth_plaintext_options_block *)(ablock->options_block);
uschar *prompts = ob->server_prompts;
-uschar *clear, *cond, *end, *s;
+uschar *clear, *end, *s;
int number = 1;
int len, rc;
int sep = 0;
@@ -141,59 +138,12 @@ while ((s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size))
}
/* We now have a number of items of data in $auth1, $auth2, etc (and also, for
-compatibility, in $1, $2, etc). Match against the decoded data by expanding the
-condition. */
+compatibility, in $1, $2, etc). Authentication and authorization are handled
+together for this authenticator by expanding the server_condition option. Note
+that ablock->server_condition is always non-NULL because that's what configures
+this authenticator as a server. */
-cond = expand_string(ob->server_condition);
-
-HDEBUG(D_auth)
- {
- int i;
- debug_printf("%s authenticator:\n", ablock->name);
- for (i = 0; i < AUTH_VARS; i++)
- {
- if (auth_vars[i] != NULL)
- debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
- }
- for (i = 1; i <= expand_nmax; i++)
- debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
- debug_print_string(ablock->server_debug_string); /* customized debug */
- if (cond == NULL)
- debug_printf("expansion failed: %s\n", expand_string_message);
- else
- debug_printf("expanded string: %s\n", cond);
- }
-
-/* A forced expansion failure causes authentication to fail. Other expansion
-failures yield DEFER, which will cause a temporary error code to be returned to
-the AUTH command. The problem is at the server end, so the client should try
-again later. */
-
-if (cond == NULL)
- {
- if (expand_string_forcedfail) return FAIL;
- auth_defer_msg = expand_string_message;
- return DEFER;
- }
-
-/* Return FAIL for empty string, "0", "no", and "false"; return OK for
-"1", "yes", and "true"; return DEFER for anything else, with the string
-available as an error text for the user. */
-
-if (*cond == 0 ||
- Ustrcmp(cond, "0") == 0 ||
- strcmpic(cond, US"no") == 0 ||
- strcmpic(cond, US"false") == 0)
- return FAIL;
-
-if (Ustrcmp(cond, "1") == 0 ||
- strcmpic(cond, US"yes") == 0 ||
- strcmpic(cond, US"true") == 0)
- return OK;
-
-auth_defer_msg = cond;
-auth_defer_user_msg = string_sprintf(": %s", cond);
-return DEFER;
+return auth_check_serv_cond(ablock);
}
diff --git a/src/src/auths/plaintext.h b/src/src/auths/plaintext.h
index 7499a01d8..c35f3e498 100644
--- a/src/src/auths/plaintext.h
+++ b/src/src/auths/plaintext.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.4 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -10,7 +10,6 @@
/* Private structure for the private options. */
typedef struct {
- uschar *server_condition;
uschar *server_prompts;
uschar *client_send;
BOOL client_ignore_invalid_base64;
diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index 3fd4bde6a..6cc281a1b 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/spa.c,v 1.7 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/spa.c,v 1.8 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -25,8 +25,9 @@ References:
* typedef unsigned uint32;
* typedef unsigned char uint8;
-07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
- input data. Find appropriate comment by grepping for "PH".
+07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
+ input data. Find appropriate comment by grepping for "PH".
+16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
*/
@@ -231,7 +232,9 @@ if (memcmp(ntRespData,
((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
24) == 0)
/* success. we have a winner. */
- return OK;
+
+ /* Expand server_condition as an authorization check (PH) */
+ return auth_check_serv_cond(ablock);
return FAIL;
}
diff --git a/src/src/functions.h b/src/src/functions.h
index 302f8b6d1..170a84411 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/functions.h,v 1.28 2006/10/09 14:36:25 ph10 Exp $ */
+/* $Cambridge: exim/src/src/functions.h,v 1.29 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -49,6 +49,7 @@ extern int auth_call_pwcheck(uschar *, uschar **);
extern int auth_call_radius(uschar *, uschar **);
extern int auth_call_saslauthd(uschar *, uschar *, uschar *, uschar *,
uschar **);
+extern int auth_check_serv_cond(auth_instance *);
extern int auth_get_data(uschar **, uschar *, int);
extern int auth_get_no64_data(uschar **, uschar *);
extern uschar *auth_xtextencode(uschar *, int);
diff --git a/src/src/globals.c b/src/src/globals.c
index 7c3f8e9f1..35cac0f6f 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.c,v 1.59 2006/09/25 10:14:20 ph10 Exp $ */
+/* $Cambridge: exim/src/src/globals.c,v 1.60 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
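Review bot: The success branch of `if (memcmp(...) == 0)` is brace-less, and the new blank line plus comment now separate the condition from its `return auth_check_serv_cond(ablock);`, so which statement is guarded is easy to misread, and any later insertion in front of the return would silently become the guarded statement while the return fell through unconditionally. Wrapping the comment and the return in `  {` … `  }` makes the control flow explicit. The memcmp over the 24-byte NT response is also an early-exit comparison of an authentication value; it predates this commit, but a `/* TODO: constant-time compare */` marker is worth adding while the branch is being touched. auth_spa_server() begins outside the hunk.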
@@ -38,6 +38,8 @@ optionlist optionlist_auths[] = {
(void *)(offsetof(auth_instance, public_name)) },
{ "server_advertise_condition", opt_stringptr | opt_public,
(void *)(offsetof(auth_instance, advertise_condition))},
+ { "server_condition", opt_stringptr | opt_public,
+ (void *)(offsetof(auth_instance, server_condition)) },
{ "server_debug_print", opt_stringptr | opt_public,
(void *)(offsetof(auth_instance, server_debug_string)) },
{ "server_mail_auth_condition", opt_stringptr | opt_public,
@@ -325,6 +327,7 @@ auth_instance auth_defaults = {
NULL, /* set_id */
NULL, /* server_mail_auth_condition */
NULL, /* server_debug_string */
+ NULL, /* server_condition */
FALSE, /* client */
FALSE, /* server */
FALSE /* advertised */
diff --git a/src/src/structs.h b/src/src/structs.h
index c5bb3b321..d160aee4a 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/structs.h,v 1.12 2006/09/25 11:25:37 ph10 Exp $ */
+/* $Cambridge: exim/src/src/structs.h,v 1.13 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -367,6 +367,7 @@ typedef struct auth_instance {
uschar *set_id; /* String to set as authenticated id */
uschar *mail_auth_condition; /* Condition for AUTH on MAIL command */
uschar *server_debug_string; /* Debugging output */
+ uschar *server_condition; /* Authorization condition */
BOOL client; /* TRUE if client option(s) set */
BOOL server; /* TRUE if server options(s) set */
BOOL advertised; /* Set TRUE when advertised */
|