Blame SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch

ae961a
From 7525fece60f01b52deb13df3620976ee1d616837 Mon Sep 17 00:00:00 2001
ae961a
From: Aki Tuomi <aki.tuomi@open-xchange.com>
ae961a
Date: Mon, 21 Jan 2019 10:54:06 +0200
ae961a
Subject: [PATCH] auth: Fail authentication if certificate username was
ae961a
 unexpectedly missing
ae961a
ae961a
---
ae961a
 src/auth/auth-request-handler.c | 8 ++++++++
ae961a
 1 file changed, 8 insertions(+)
ae961a
ae961a
diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
ae961a
index 617dc1883d..3044e94f91 100644
ae961a
--- a/src/auth/auth-request-handler.c
ae961a
+++ b/src/auth/auth-request-handler.c
ae961a
@@ -560,6 +560,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
ae961a
 		return TRUE;
ae961a
 	}
ae961a
 
ae961a
+	if (request->set->ssl_require_client_cert &&
ae961a
+	    request->set->ssl_username_from_cert &&
ae961a
+	    !request->cert_username) {
ae961a
+		 auth_request_handler_auth_fail(handler, request,
ae961a
+			"SSL certificate didn't contain username");
ae961a
+		return TRUE;
ae961a
+	}
ae961a
+
ae961a
 	/* Empty initial response is a "=" base64 string. Completely empty
ae961a
 	   string shouldn't really be sent, but at least Exim does it,
ae961a
 	   so just allow it for backwards compatibility.. */