Bug#299743: exim4: Only try configured mechs in cyrus_sasl authenticator

Juergen Kreileder <jk@blackdown.de>, 299743@bugs.debian.org
Wed, 16 Mar 2005 20:21:12 +0100


I've looked at this a bit more:

auth_cyrus_sasl_init() calls sasl_listmech() just to check whether
ob->server_mech is in the returned list.
The following patch limits the lookup to just ob->server_mech,
i.e. server_listmech() will either return just ob->server_mech or
nothing.  SASL will not try other mechs.

The patch is untested, but it should give you an idea of how to fix this.
(The test of whether SASL supports the requested mech or not could also
be simplified with this; the patch doesn't touch that, however.)

--- src/auths/cyrus_sasl.c.orig	2005-03-16 19:58:56.000000000 +0100
+++ src/auths/cyrus_sasl.c	2005-03-16 20:06:18.000000000 +0100
@@ -67,6 +67,22 @@ auth_cyrus_sasl_options_block auth_cyrus
 *          Initialization entry point            *
 *************************************************/
 
+static int mysasl_config(void *context, 
+                         const char *plugin_name,
+                         const char *option,
+                         const char **result,
+                         unsigned int *len)
+{
+  if (context && !strcmp(option, "mech_list")) {
+    *result = context;
+    if (len) {
+        *len = strlen(*result);
+    }
+    return SASL_OK;
+  }
+  return SASL_FAIL;
+}
+
 /* Called for each instance, after its options have been read, to
 enable consistency checks to be done, or anything else that needs
 to be set up. */
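Review bot: mysasl_config answers only "mech_list" and returns SASL_FAIL for every other option (the final `return SASL_FAIL;`), so before this goes in it is worth checking whether Cyrus SASL still consults its application config file for the remaining options once an application-supplied SASL_CB_GETOPT callback is installed; if it does not, options such as pwcheck_method that sites set there would silently stop being found, and the callback would need to either answer them from exim's own configuration or be installed only for this init-time check. A comment at `*result = context;` stating that context is the NUL-terminated mechanism name passed from the cbs table would also help, since the void pointer is assigned straight to a const char * with no other hint of its type.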
@@ -76,7 +92,6 @@ auth_cyrus_sasl_init(auth_instance *ablo
 {
 auth_cyrus_sasl_options_block *ob =
   (auth_cyrus_sasl_options_block *)(ablock->options_block);
-sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
 sasl_conn_t *conn;
 uschar *list, *listptr, *buffer;
 int rc, i;
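Review bot: removing the function-scope `cbs` here is necessary rather than cosmetic, because the replacement initializer dereferences ob->server_mech and this function only rejects a NULL server_mech further down (the `if(ob->server_mech == NULL)` that heads the next hunk); a one-line comment at the new block, or in the changelog entry, would spare the next reader from wondering why the array moved out of the declarations.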
@@ -90,7 +105,13 @@ if(ob->server_mech == NULL)
 /* we're going to initialise the library to check that there is an
  * authenticator of type whatever mechanism we're using
  */
-rc=sasl_server_init(cbs, "exim");
+{
+  sasl_callback_t cbs[]={
+    {SASL_CB_GETOPT, &mysasl_config, ob->server_mech },
+    {SASL_CB_LIST_END, NULL, NULL}
+  };
+  rc=sasl_server_init(cbs, "exim");
+}
 if( rc != SASL_OK )
   log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
       "couldn't initialise Cyrus SASL library.", ablock->name);
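Review bot: `&mysasl_config` is stored directly in the `proc` member of sasl_callback_t, which sasl.h declares as a generic function pointer (`int (*)(void)`, or `int (*)()` on older releases), so the line `{SASL_CB_GETOPT, &mysasl_config, ob->server_mech },` will draw an incompatible-pointer-type warning; cast it explicitly, as other Cyrus SASL applications do, e.g. `{SASL_CB_GETOPT, (int (*)(void)) mysasl_config, ob->server_mech},`. Passing ob->server_mech unchanged as the context is fine while server_mech holds a single mechanism name, since that is a valid one-entry mech_list; note that mech_list expects a space-separated list, should that option ever be allowed to carry more than one name.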


        Juergen

-- 
Juergen Kreileder, Blackdown Java-Linux Team
http://blog.blackdown.de/