rpms / dovecot

Clone
Source Code
GIT

Blame SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   70765bf1dc3b1cf71aa518e09e6468a477d03aac
  2.   SOURCES
  3.   dovecot-2.2.36-cve_2019_3814part1of3.patch
Blob History Raw
70765b 
From eb5ffe2641febe0fa5e9038f2e216c130e1e7519 Mon Sep 17 00:00:00 2001
70765b 
From: Aki Tuomi <aki.tuomi@open-xchange.com>
70765b 
Date: Mon, 21 Jan 2019 11:36:30 +0200
70765b 
Subject: [PATCH] login-common: Ensure we get username from certificate
70765b
70765b 
---
70765b 
 src/login-common/sasl-server.c | 42 ++++++++++++++++++++++++++++++++--
70765b 
 1 file changed, 40 insertions(+), 2 deletions(-)
70765b
70765b 
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
70765b 
index a833c9a6d4..9465da9657 100644
70765b 
--- a/src/login-common/sasl-server.c
70765b 
+++ b/src/login-common/sasl-server.c
70765b 
@@ -321,6 +321,37 @@ authenticate_callback(struct auth_client_request *request,
70765b 
 	}
70765b 
 }
70765b
70765b 
+static bool get_cert_username(struct client *client, const char **username_r,
70765b 
+			      const char **error_r)
70765b 
+{
70765b 
+	/* no SSL */
70765b 
+	if (client->ssl_proxy == NULL) {
70765b 
+		*username_r = NULL;
70765b 
+		return TRUE;
70765b 
+	}
70765b 
+
70765b 
+	/* no client certificate */
70765b 
+	if (!ssl_proxy_has_valid_client_cert(client->ssl_proxy)) {
70765b 
+		*username_r = NULL;
70765b 
+		return TRUE;
70765b 
+	}
70765b 
+
70765b 
+	/* get peer name */
70765b 
+	const char *username = ssl_proxy_get_peer_name(client->ssl_proxy);
70765b 
+
70765b 
+	/* if we wanted peer name, but it was not there, fail */
70765b 
+	if (client->set->auth_ssl_username_from_cert &&
70765b 
+	    (username == NULL || *username == '\0')) {
70765b 
+		if (client->set->auth_ssl_require_client_cert) {
70765b 
+			*error_r = "Missing username in certificate";
70765b 
+			return FALSE;
70765b 
+		}
70765b 
+	}
70765b 
+
70765b 
+	*username_r = username;
70765b 
+	return TRUE;
70765b 
+}
70765b 
+
70765b 
 void sasl_server_auth_begin(struct client *client,
70765b 
 			    const char *service, const char *mech_name,
70765b 
 			    const char *initial_resp_base64,
70765b 
@@ -359,8 +390,15 @@ void sasl_server_auth_begin(struct client *client,
70765b 
 	info.mech = mech->name;
70765b 
 	info.service = service;
70765b 
 	info.session_id = client_get_session_id(client);
70765b 
-	info.cert_username = client->ssl_proxy == NULL ? NULL :
70765b 
-		ssl_proxy_get_peer_name(client->ssl_proxy);
70765b 
+	if (client->set->auth_ssl_username_from_cert) {
70765b 
+		const char *error;
70765b 
+		if (!get_cert_username(client, &info.cert_username, &error)) {
70765b 
+			client_log_err(client, t_strdup_printf("Cannot get username "
70765b 
+							       "from certificate: %s", error));
70765b 
+			sasl_server_auth_failed(client, "Unable to validate certificate");
70765b 
+			return;
70765b 
+		}
70765b 
+	}
70765b 
 	info.flags = client_get_auth_flags(client);
70765b 
 	info.local_ip = client->local_ip;
70765b 
 	info.remote_ip = client->ip;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation