From: Aki Tuomi
Date: Wed, 6 May 2020 10:07:01 +0000 (+0300)
Subject: auth: mech - Add MECH_SEC_ALLOW_NULS flag
X-Git-Tag: 2.3.11.2~108
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d196f4c83c7383c17440d39eb994b4cd9ff5af52;p=thirdparty%2Fdovecot%2Fcore.git

auth: mech - Add MECH_SEC_ALLOW_NULS flag

Prevent embedded NULs for any mechs that do not have this flag
---
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index 8420c84329..a1fa51d412 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -635,6 +635,11 @@ void auth_request_initial(struct auth_request *request)
 	i_assert(request->state == AUTH_REQUEST_STATE_NEW);
 	auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
+
+	if (auth_request_fail_on_nuls(request, request->initial_response,
+				      request->initial_response_len))
+		return;
+
 	request->mech->auth_initial(request, request->initial_response,
 				    request->initial_response_len);
 }
@@ -649,6 +654,9 @@ void auth_request_continue(struct auth_request *request,
 		return;
 	}
+	if (auth_request_fail_on_nuls(request, data, data_size))
+		return;
+
 	auth_request_refresh_last_access(request);
 	request->mech->auth_continue(request, data, data_size);
 }
diff --git a/src/auth/mech-anonymous.c b/src/auth/mech-anonymous.c
index 05b89236a6..8c1ca21d2f 100644
--- a/src/auth/mech-anonymous.c
+++ b/src/auth/mech-anonymous.c
@@ -38,7 +38,7 @@ static struct auth_request *mech_anonymous_auth_new(void)
 const struct mech_module mech_anonymous = {
 	"ANONYMOUS",
-	.flags = MECH_SEC_ANONYMOUS,
+	.flags = MECH_SEC_ANONYMOUS | MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_NOTHING,
 	mech_anonymous_auth_new,
diff --git a/src/auth/mech-apop.c b/src/auth/mech-apop.c
index 86533db083..f28171fba8 100644
--- a/src/auth/mech-apop.c
+++ b/src/auth/mech-apop.c
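Review bot: The new guard in auth_request_initial() passes `request->initial_response` to auth_request_fail_on_nuls() unconditionally; if that pointer can be NULL for a zero-length initial response (the usual case when the client sends none — not visible from this hunk), the helper's memchr() ends up called on a null pointer, which is undefined behaviour even with a zero length. Skipping the scan when there is nothing to scan sidesteps the question: `if (request->initial_response_len > 0 && auth_request_fail_on_nuls(request, request->initial_response, request->initial_response_len)) return;`. Note also that the state has already been advanced to MECH_CONTINUE on the line above before the failure can fire, so auth_request_fail() must accept being called from that state; presumably it does, since the continue path fails from the same state, but that is an assumption. auth_request_initial() begins before this hunk.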
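Review bot: The fail-closed default this check enforces is not documented at the enforcement point: any mechanism whose flags lack MECH_SEC_ALLOW_NULS — including mechanisms registered by plugins that this commit does not touch — now has the request failed on an embedded NUL before auth_continue() sees the data. A short comment above the new `if` would record that intent so nobody later "fixes" a plugin by weakening the check here, e.g. `/* Reject embedded NULs unless the mechanism's wire format needs them (MECH_SEC_ALLOW_NULS); deliberately fail-closed for mechanisms that do not opt in. */`. auth_request_continue() begins before this hunk.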
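Review bot: Opting ANONYMOUS into MECH_SEC_ALLOW_NULS is not required by its wire format — RFC 4505 defines the trace token as UTF-8 text — so this line relaxes the new default rather than preserving compatibility. If it is deliberate because the mechanism does not parse the token (cannot be confirmed from this hunk), a comment on the flags line would stop a later cleanup from silently tightening it, e.g. `.flags = MECH_SEC_ANONYMOUS | MECH_SEC_ALLOW_NULS, /* trace token is opaque here; confirm it is never parsed */`; otherwise dropping the flag keeps the strict default for a mechanism that gains nothing from NULs.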
@@ -162,7 +162,8 @@ static struct auth_request *mech_apop_auth_new(void)
 const struct mech_module mech_apop = {
 	"APOP",
-	.flags = MECH_SEC_PRIVATE | MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+	.flags = MECH_SEC_PRIVATE | MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
+		 MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_VERIFY_RESPONSE,
 	mech_apop_auth_new,
diff --git a/src/auth/mech-dovecot-token.c b/src/auth/mech-dovecot-token.c
index 9b70a4e918..9813a96724 100644
--- a/src/auth/mech-dovecot-token.c
+++ b/src/auth/mech-dovecot-token.c
@@ -81,7 +81,7 @@ static struct auth_request *mech_dovecot_token_auth_new(void)
 const struct mech_module mech_dovecot_token = {
 	"DOVECOT-TOKEN",
-	.flags = MECH_SEC_PRIVATE,
+	.flags = MECH_SEC_PRIVATE | MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_NOTHING,
 	mech_dovecot_token_auth_new,
diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c
index d6b199cb3b..f29e48da88 100644
--- a/src/auth/mech-gssapi.c
+++ b/src/auth/mech-gssapi.c
@@ -750,7 +750,7 @@ const struct mech_module mech_gssapi = {
 const struct mech_module mech_gssapi_spnego = {
 	"GSS-SPNEGO",
-	.flags = 0,
+	.flags = MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_NOTHING,
 	mech_gssapi_auth_new,
diff --git a/src/auth/mech-ntlm.c b/src/auth/mech-ntlm.c
index 43afd896f9..f782999c6b 100644
--- a/src/auth/mech-ntlm.c
+++ b/src/auth/mech-ntlm.c
@@ -249,7 +249,8 @@ static struct auth_request *mech_ntlm_auth_new(void)
 const struct mech_module mech_ntlm = {
 	"NTLM",
-	.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+	.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
+		 MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
 	mech_ntlm_auth_new,
diff --git a/src/auth/mech-otp.c b/src/auth/mech-otp.c
index 0d4a51bdef..16aec961eb 100644
--- a/src/auth/mech-otp.c
+++ b/src/auth/mech-otp.c
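Review bot: Only mech_gssapi_spnego gains MECH_SEC_ALLOW_NULS here, while the hunk header shows the plain `mech_gssapi` module defined immediately above it and left untouched by this diff. Both mechanisms carry binary GSS tokens (DER-encoded, routinely containing NUL bytes), so if mech_gssapi's flags do not already include MECH_SEC_ALLOW_NULS, every Kerberos login over "GSSAPI" is now failed by auth_request_fail_on_nuls() before the token reaches the mechanism. Its definition is outside this hunk, so this needs checking; the fix would be the same one-line change, `.flags = MECH_SEC_ALLOW_NULS,` on mech_gssapi.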
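Review bot: With MECH_SEC_ALLOW_NULS set, NTLM now receives arbitrary binary input with the generic NUL filter switched off, so the mechanism's own message parsing is the only thing bounding reads: every length and offset field in the NTLM message must be validated against data_size rather than trusted, and no str*() helper may be applied to the buffer. That parsing code is outside this hunk and is worth a separate look as part of this change, since this flag removes a layer that previously rejected such input early. A comment on the flag would record the obligation, e.g. `/* binary NTLM messages: NULs are legal, parser must bound every read by data_size */`.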
@@ -256,7 +256,7 @@ static struct auth_request *mech_otp_auth_new(void)
 const struct mech_module mech_otp = {
 	"OTP",
-	.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+	.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE | MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_SET_CREDENTIALS,
 	mech_otp_auth_new,
diff --git a/src/auth/mech-plain.c b/src/auth/mech-plain.c
index 1e21e7e326..444b0ff4b8 100644
--- a/src/auth/mech-plain.c
+++ b/src/auth/mech-plain.c
@@ -78,7 +78,7 @@ static struct auth_request *mech_plain_auth_new(void)
 const struct mech_module mech_plain = {
 	"PLAIN",
-	.flags = MECH_SEC_PLAINTEXT,
+	.flags = MECH_SEC_PLAINTEXT | MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_VERIFY_PLAIN,
 	mech_plain_auth_new,
diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
index 94fca52ec0..08298ebdd6 100644
--- a/src/auth/mech-rpa.c
+++ b/src/auth/mech-rpa.c
@@ -580,7 +580,7 @@ const struct mech_module mech_rpa = {
 	"RPA",
 	.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
-		 MECH_SEC_MUTUAL_AUTH,
+		 MECH_SEC_MUTUAL_AUTH | MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
 	mech_rpa_auth_new,
diff --git a/src/auth/mech-winbind.c b/src/auth/mech-winbind.c
index 6be16e79c3..1710116d7d 100644
--- a/src/auth/mech-winbind.c
+++ b/src/auth/mech-winbind.c
@@ -339,7 +339,8 @@ static struct auth_request *mech_winbind_spnego_auth_new(void)
 const struct mech_module mech_winbind_ntlm = {
 	"NTLM",
-	.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+	.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
+		 MECH_SEC_ALLOW_NULS,
 	.passdb_need = MECH_PASSDB_NEED_NOTHING,
 	mech_winbind_ntlm_auth_new,
diff --git a/src/auth/mech.c b/src/auth/mech.c
index 77c9f437c2..8f4d8a6464 100644
--- a/src/auth/mech.c
+++ b/src/auth/mech.c
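Review bot: Why PLAIN needs the flag is obvious to a SASL reader but to nobody else: NUL is the field separator of its message (`authzid NUL authcid NUL passwd`, RFC 4616), so the generic NUL rejection would break every PLAIN login. A comment on the flags line would make that explicit, e.g. `.flags = MECH_SEC_PLAINTEXT | MECH_SEC_ALLOW_NULS, /* NUL separates authzid/authcid/passwd */`.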
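Review bot: Only mech_winbind_ntlm is opted in here, while the hunk header names mech_winbind_spnego_auth_new(), so a winbind GSS-SPNEGO module also exists in this file and is not touched by this diff. GSS-SPNEGO tokens are binary, which is exactly why mech_gssapi_spnego gets MECH_SEC_ALLOW_NULS in the same commit; if mech_winbind_spnego's flags lack it, those logins now fail at auth_request_fail_on_nuls() before winbind ever sees the token. Its definition is outside this hunk, so please confirm; the change would be adding `MECH_SEC_ALLOW_NULS` to its `.flags`.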
@@ -68,6 +68,8 @@ void mech_generic_auth_free(struct auth_request *request)
 bool auth_request_fail_on_nuls(struct auth_request *request,
 			       const unsigned char *data, size_t data_size)
 {
+	if ((request->mech->flags & MECH_SEC_ALLOW_NULS) != 0)
+		return FALSE;
 	if (memchr(data, '\0', data_size) != NULL) {
 		e_debug(request->mech_event, "Unexpected NUL in auth data");
 		auth_request_fail(request);
diff --git a/src/lib-auth/auth-client-interface.h b/src/lib-auth/auth-client-interface.h
index cdccbee38b..2367a00a20 100644
--- a/src/lib-auth/auth-client-interface.h
+++ b/src/lib-auth/auth-client-interface.h
@@ -23,7 +23,9 @@ enum mech_security_flags {
 	/* Provides forward secrecy between sessions */
 	MECH_SEC_FORWARD_SECRECY = 0x0020,
 	/* Provides mutual authentication */
-	MECH_SEC_MUTUAL_AUTH = 0x0040
+	MECH_SEC_MUTUAL_AUTH = 0x0040,
+	/* Allow NULs in input data */
+	MECH_SEC_ALLOW_NULS = 0x0080,
 };
 
 /* auth failure codes */
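Review bot: The early return for flagged mechanisms is right, but the memchr() below it is still reached with whatever `data`/`data_size` the callers pass, and this commit's new call in auth_request_initial() hands over `request->initial_response`, which may be NULL when `initial_response_len` is 0. memchr() on a null pointer is undefined behaviour regardless of the length (C11 7.24.1), so add a length guard ahead of the scan: `if (data_size == 0) return FALSE;`. The function's body continues past the end of this hunk.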
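Review bot: The comment `/* Allow NULs in input data */` on the new flag says neither who enforces it nor what happens to mechanisms without it, and it sits in lib-auth's client-facing enum beside flags that describe mechanism security properties (forward secrecy, mutual auth) rather than server-side input policy, so a reader of the header alone cannot tell what it means. Expand it to state the contract, e.g. `/* Mechanism's wire format legitimately contains NUL bytes (NUL-separated fields or binary tokens). Without this flag the auth server fails the request on any embedded NUL before the mechanism sees the data. */`.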