path: root/debian/patches/use-uschar-more-in-spa-authenticator.patch

From: Markus Koschany <apo@debian.org>
Date: Sun, 1 Oct 2023 10:56:15 +0200
Subject: use uschar more in spa authenticator

Originally created by Jermey Harris. Part of the patch series to fix
CVE-2023-42114 and CVE-2023-42116.
---
 src/auths/auth-spa.c | 70 +++++++++++++++++++++++++++-------------------------
 src/auths/auth-spa.h |  8 +++---
 src/auths/spa.c      | 13 +++++-----
 3 files changed, 46 insertions(+), 45 deletions(-)

diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
index d2c95c3..dea6a89 100644
--- a/src/auths/auth-spa.c
+++ b/src/auths/auth-spa.c
@@ -153,6 +153,9 @@ int main (int argc, char ** argv)
    up with a different answer to the one above)
 */
 
+#ifndef MACRO_PREDEF
+
+
 #define DEBUG_X(a,b) ;
 
 extern int DEBUGLEVEL;
@@ -1238,21 +1241,21 @@ else \
 
 #define spa_string_add(ptr, header, string) \
 { \
-char *p = string; \
+uschar * p = string; \
 int len = 0; \
-if (p) len = strlen(p); \
-spa_bytes_add(ptr, header, (US p), len); \
+if (p) len = Ustrlen(p); \
+spa_bytes_add(ptr, header, p, len); \
 }
 
 #define spa_unicode_add_string(ptr, header, string) \
 { \
-char *p = string; \
-uschar *b = NULL; \
+uschar * p = string; \
+uschar * b = NULL; \
 int len = 0; \
 if (p) \
   { \
-  len = strlen(p); \
-  b = strToUnicode(p); \
+  len = Ustrlen(p); \
+  b = US strToUnicode(CS p); \
   } \
 spa_bytes_add(ptr, header, b, len*2); \
 }
@@ -1375,10 +1378,10 @@ dumpSmbNtlmAuthResponse (FILE * fp, SPAAuthResponse * response)
 #endif
 
 void
-spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
+spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
 {
-  char *u = strdup (user);
-  char *p = strchr (u, '@');
+  uschar * u = string_copy(user);
+  uschar * p = Ustrchr(u, '@');
 
   if (p)
     {
@@ -1393,7 +1396,6 @@ spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
   SIVAL (&request->flags, 0, 0x0000b207);      /* have to figure out what these mean */
   spa_string_add (request, user, u);
   spa_string_add (request, domain, domain);
-  free (u);
 }
 
 
@@ -1485,16 +1487,16 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
 
 void
 spa_build_auth_response (SPAAuthChallenge * challenge,
-                        SPAAuthResponse * response, char *user,
-                        char *password)
+                        SPAAuthResponse * response, uschar * user,
+                        uschar * password)
 {
   uint8x lmRespData[24];
   uint8x ntRespData[24];
   uint32x cf = IVAL(&challenge->flags, 0);
-  char *u = strdup (user);
-  char *p = strchr (u, '@');
-  char *d = NULL;
-  char *domain;
+  uschar * u = string_copy(user);
+  uschar * p = Ustrchr(u, '@');
+  uschar * d = NULL;
+  uschar * domain;
 
   if (p)
     {
@@ -1502,33 +1504,33 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
     *p = '\0';
     }
 
-  else domain = d = strdup((cf & 0x1)?
-    CCS GetUnicodeString(challenge, uDomain) :
-    CCS GetString(challenge, uDomain));
+  else domain = d = string_copy(cf & 0x1
+    ? CUS GetUnicodeString(challenge, uDomain)
+    : CUS GetString(challenge, uDomain));
 
-  spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
-  spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
+  spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+  spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
 
   response->bufIndex = 0;
   memcpy (response->ident, "NTLMSSP\0\0\0", 8);
   SIVAL (&response->msgType, 0, 3);
 
-  spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
-  spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
+  spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0);
+  spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0);
 
   if (cf & 0x1) {      /* Unicode Text */
-       spa_unicode_add_string (response, uDomain, domain);
-       spa_unicode_add_string (response, uUser, u);
-       spa_unicode_add_string (response, uWks, u);
+       spa_unicode_add_string(response, uDomain, domain);
+       spa_unicode_add_string(response, uUser, u);
+       spa_unicode_add_string(response, uWks, u);
   } else {             /* OEM Text */
-       spa_string_add (response, uDomain, domain);
-       spa_string_add (response, uUser, u);
-       spa_string_add (response, uWks, u);
+       spa_string_add(response, uDomain, domain);
+       spa_string_add(response, uUser, u);
+       spa_string_add(response, uWks, u);
   }
 
-  spa_string_add (response, sessionKey, NULL);
+  spa_string_add(response, sessionKey, NULL);
   response->flags = challenge->flags;
-
-  if (d != NULL) free (d);
-  free (u);
 }
+
+
+#endif   /*!MACRO_PREDEF*/
diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h
index cfe1b08..3b0b3a9 100644
--- a/src/auths/auth-spa.h
+++ b/src/auths/auth-spa.h
@@ -79,10 +79,10 @@ typedef struct
 
 void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
 int spa_base64_to_bits(char *, int, const char *);
-void spa_build_auth_response (SPAAuthChallenge *challenge,
-       SPAAuthResponse *response, char *user, char *password);
-void spa_build_auth_request (SPAAuthRequest *request, char *user,
-       char *domain);
+void spa_build_auth_response (SPAAuthChallenge * challenge,
+       SPAAuthResponse * response, uschar * user, uschar * password);
+void spa_build_auth_request (SPAAuthRequest * request, uschar * user,
+       uschar * domain);
 extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
                              unsigned char * p24);
 extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
diff --git a/src/auths/spa.c b/src/auths/spa.c
index 4e3aef8..ff77cc5 100644
--- a/src/auths/spa.c
+++ b/src/auths/spa.c
@@ -294,14 +294,13 @@ SPAAuthRequest   request;
 SPAAuthChallenge challenge;
 SPAAuthResponse  response;
 char msgbuf[2048];
-char *domain = NULL;
-char *username, *password;
+uschar * domain = NULL, * username, * password;
 
 /* Code added by PH to expand the options */
 
 *buffer = 0;    /* Default no message when cancelled */
 
-if (!(username = CS expand_string(ob->spa_username)))
+if (!(username = expand_string(ob->spa_username)))
   {
   if (f.expand_string_forcedfail) return CANCELLED;
   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
@@ -310,7 +309,7 @@ if (!(username = CS expand_string(ob->spa_username)))
   return ERROR;
   }
 
-if (!(password = CS expand_string(ob->spa_password)))
+if (!(password = expand_string(ob->spa_password)))
   {
   if (f.expand_string_forcedfail) return CANCELLED;
   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
@@ -320,7 +319,7 @@ if (!(password = CS expand_string(ob->spa_password)))
   }
 
 if (ob->spa_domain)
-  if (!(domain = CS expand_string(ob->spa_domain)))
+  if (!(domain = expand_string(ob->spa_domain)))
     {
     if (f.expand_string_forcedfail) return CANCELLED;
     string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
@@ -340,7 +339,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
 
 DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
 
-spa_build_auth_request (&request, CS username, domain);
+spa_build_auth_request(&request, username, domain);
 spa_bits_to_base64 (US msgbuf, (unsigned char*)&request,
        spa_request_length(&request));
 
@@ -358,7 +357,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
 DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
 spa_base64_to_bits (CS (&challenge), sizeof(challenge), CCS (buffer + 4));
 
-spa_build_auth_response (&challenge, &response, CS username, CS password);
+spa_build_auth_response(&challenge, &response, username, password);
 spa_bits_to_base64 (US msgbuf, (unsigned char*)&response,
        spa_request_length(&response));
 DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);