From: Markus Koschany Date: Sun, 1 Oct 2023 10:56:15 +0200 Subject: use uschar more in spa authenticator Originally created by Jermey Harris. Part of the patch series to fix CVE-2023-42114 and CVE-2023-42116. --- src/auths/auth-spa.c | 70 +++++++++++++++++++++++++++------------------------- src/auths/auth-spa.h | 8 +++--- src/auths/spa.c | 13 +++++----- 3 files changed, 46 insertions(+), 45 deletions(-) diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c index d2c95c3..dea6a89 100644 --- a/src/auths/auth-spa.c +++ b/src/auths/auth-spa.c @@ -153,6 +153,9 @@ int main (int argc, char ** argv) up with a different answer to the one above) */ +#ifndef MACRO_PREDEF + + #define DEBUG_X(a,b) ; extern int DEBUGLEVEL; @@ -1238,21 +1241,21 @@ else \ #define spa_string_add(ptr, header, string) \ { \ -char *p = string; \ +uschar * p = string; \ int len = 0; \ -if (p) len = strlen(p); \ -spa_bytes_add(ptr, header, (US p), len); \ +if (p) len = Ustrlen(p); \ +spa_bytes_add(ptr, header, p, len); \ } #define spa_unicode_add_string(ptr, header, string) \ { \ -char *p = string; \ -uschar *b = NULL; \ +uschar * p = string; \ +uschar * b = NULL; \ int len = 0; \ if (p) \ { \ - len = strlen(p); \ - b = strToUnicode(p); \ + len = Ustrlen(p); \ + b = US strToUnicode(CS p); \ } \ spa_bytes_add(ptr, header, b, len*2); \ } @@ -1375,10 +1378,10 @@ dumpSmbNtlmAuthResponse (FILE * fp, SPAAuthResponse * response) #endif void -spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain) +spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain) { - char *u = strdup (user); - char *p = strchr (u, '@'); + uschar * u = string_copy(user); + uschar * p = Ustrchr(u, '@'); if (p) { @@ -1393,7 +1396,6 @@ spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain) SIVAL (&request->flags, 0, 0x0000b207); /* have to figure out what these mean */ spa_string_add (request, user, u); spa_string_add (request, domain, domain); - free (u); } @@ -1485,16 +1487,16 @@ spa_build_auth_response (SPAAuthChallenge * challenge, void spa_build_auth_response (SPAAuthChallenge * challenge, - SPAAuthResponse * response, char *user, - char *password) + SPAAuthResponse * response, uschar * user, + uschar * password) { uint8x lmRespData[24]; uint8x ntRespData[24]; uint32x cf = IVAL(&challenge->flags, 0); - char *u = strdup (user); - char *p = strchr (u, '@'); - char *d = NULL; - char *domain; + uschar * u = string_copy(user); + uschar * p = Ustrchr(u, '@'); + uschar * d = NULL; + uschar * domain; if (p) { @@ -1502,33 +1504,33 @@ spa_build_auth_response (SPAAuthChallenge * challenge, *p = '\0'; } - else domain = d = strdup((cf & 0x1)? - CCS GetUnicodeString(challenge, uDomain) : - CCS GetString(challenge, uDomain)); + else domain = d = string_copy(cf & 0x1 + ? CUS GetUnicodeString(challenge, uDomain) + : CUS GetString(challenge, uDomain)); - spa_smb_encrypt (US password, challenge->challengeData, lmRespData); - spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData); + spa_smb_encrypt(password, challenge->challengeData, lmRespData); + spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData); response->bufIndex = 0; memcpy (response->ident, "NTLMSSP\0\0\0", 8); SIVAL (&response->msgType, 0, 3); - spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0); - spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0); + spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0); + spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0); if (cf & 0x1) { /* Unicode Text */ - spa_unicode_add_string (response, uDomain, domain); - spa_unicode_add_string (response, uUser, u); - spa_unicode_add_string (response, uWks, u); + spa_unicode_add_string(response, uDomain, domain); + spa_unicode_add_string(response, uUser, u); + spa_unicode_add_string(response, uWks, u); } else { /* OEM Text */ - spa_string_add (response, uDomain, domain); - spa_string_add (response, uUser, u); - spa_string_add (response, uWks, u); + spa_string_add(response, uDomain, domain); + spa_string_add(response, uUser, u); + spa_string_add(response, uWks, u); } - spa_string_add (response, sessionKey, NULL); + spa_string_add(response, sessionKey, NULL); response->flags = challenge->flags; - - if (d != NULL) free (d); - free (u); } + + +#endif /*!MACRO_PREDEF*/ diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h index cfe1b08..3b0b3a9 100644 --- a/src/auths/auth-spa.h +++ b/src/auths/auth-spa.h @@ -79,10 +79,10 @@ typedef struct void spa_bits_to_base64 (unsigned char *, const unsigned char *, int); int spa_base64_to_bits(char *, int, const char *); -void spa_build_auth_response (SPAAuthChallenge *challenge, - SPAAuthResponse *response, char *user, char *password); -void spa_build_auth_request (SPAAuthRequest *request, char *user, - char *domain); +void spa_build_auth_response (SPAAuthChallenge * challenge, + SPAAuthResponse * response, uschar * user, uschar * password); +void spa_build_auth_request (SPAAuthRequest * request, uschar * user, + uschar * domain); extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8, unsigned char * p24); extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8, diff --git a/src/auths/spa.c b/src/auths/spa.c index 4e3aef8..ff77cc5 100644 --- a/src/auths/spa.c +++ b/src/auths/spa.c @@ -294,14 +294,13 @@ SPAAuthRequest request; SPAAuthChallenge challenge; SPAAuthResponse response; char msgbuf[2048]; -char *domain = NULL; -char *username, *password; +uschar * domain = NULL, * username, * password; /* Code added by PH to expand the options */ *buffer = 0; /* Default no message when cancelled */ -if (!(username = CS expand_string(ob->spa_username))) +if (!(username = expand_string(ob->spa_username))) { if (f.expand_string_forcedfail) return CANCELLED; string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " @@ -310,7 +309,7 @@ if (!(username = CS expand_string(ob->spa_username))) return ERROR; } -if (!(password = CS expand_string(ob->spa_password))) +if (!(password = expand_string(ob->spa_password))) { if (f.expand_string_forcedfail) return CANCELLED; string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " @@ -320,7 +319,7 @@ if (!(password = CS expand_string(ob->spa_password))) } if (ob->spa_domain) - if (!(domain = CS expand_string(ob->spa_domain))) + if (!(domain = expand_string(ob->spa_domain))) { if (f.expand_string_forcedfail) return CANCELLED; string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " @@ -340,7 +339,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout)) DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain); -spa_build_auth_request (&request, CS username, domain); +spa_build_auth_request(&request, username, domain); spa_bits_to_base64 (US msgbuf, (unsigned char*)&request, spa_request_length(&request)); @@ -358,7 +357,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout)) DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4); spa_base64_to_bits (CS (&challenge), sizeof(challenge), CCS (buffer + 4)); -spa_build_auth_response (&challenge, &response, CS username, CS password); +spa_build_auth_response(&challenge, &response, username, password); spa_bits_to_base64 (US msgbuf, (unsigned char*)&response, spa_request_length(&response)); DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);