| Summary: | mail-mta/qmail-1.03-r16 AUTH CRAM-MD5 broken | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | petre rodan (RETIRED) <kaiowas> |
| Component: | Current packages | Assignee: | Qmail Team (OBSOLETE) <qmail-bugs+disabled> |
| Status: | VERIFIED TEST-REQUEST | | |
| Severity: | normal | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 100886 | | |
| Bug Blocks: | | | |
| Attachments: | tcpserver strace; cram.patch | | |
Description
petre rodan (RETIRED)
2005-07-29 04:52:28 UTC
Created attachment 64633 [details]
tcpserver strace
strace -o /tmp/trace -f -p 30247 -s 65000
I think I found a lead. if one compares the strace output between -r15 and -r16 in the moment cmd5checkpw receives data on descriptor 3 (man 8 cmd5checkpw), this will come up:

using qmail-1.03-r15:
11132 read(3, "test\0<31492.1122660986@muttley.sunspire.org>\00072ec577fe31557f5a2eaaa4d3c7f8b3b\0", 513) = 78

using qmail-1.03-r16:
15822 read(3, "test\000477cc55b4d80a7da69428c55113f5720\0<28139.1122659275@muttley.sunspire.org>\0", 513) = 78

so it looks like -r16 is sending the data in the wrong order.

Created attachment 64668 [details, diff]
cram.patch
this patch fixes my problem
my proposed patch breaks non-CRAM-MD5 authentications, so do not use it as it is now. substdio_put(&ssauth,chal.s,chal.len) should only happen if auth_cram has taken place, otherwise it won't play nice with other authentication techniques. I will let you find the best way to do that.

an easier way out would be to provide an update of our net-mail/cmd5checkpw. Erwin Hoffmann has a version of cmd5checkpw that actually works with his authpatch that you started using in -r16. see http://www.fehcom.de/qmail/smtpauth.html for details. I will provide an ebuild soon for that cmd5checkpw-0.30

if cmd5checkpw-0.30 from bug #100886 will get into portage then you can close this one

/me will stop talking to himself now

cmd5checkpw-0.30 is now in portage. Can you test again, please?

thumbs up

cheers,
peter

Thanks for testing.
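The field-order mismatch in the two strace lines of this report, as an added example (not part of the original bug report and not qmail or cmd5checkpw code): it splits the descriptor 3 payload into its NUL-terminated fields, names the layout, and checks the digest the way a checker reading login, challenge, response would. The function names, the constructed password and the `example.org` challenge are assumptions; that the checker expects the -r15 layout is inferred from the report calling the -r16 order wrong.

```python
import hashlib
import hmac
import re

# fd 3 payloads copied from the two strace lines in this report.
R15 = b"test\x00<31492.1122660986@muttley.sunspire.org>\x0072ec577fe31557f5a2eaaa4d3c7f8b3b\x00"
R16 = b"test\x00477cc55b4d80a7da69428c55113f5720\x00<28139.1122659275@muttley.sunspire.org>\x00"

CHALLENGE = re.compile(rb"<[^<>@\0]+@[^<>@\0]+>")  # msg-id style CRAM-MD5 challenge
DIGEST = re.compile(rb"[0-9a-f]{32}")             # hex-encoded HMAC-MD5 digest

def split_fields(buf):
    """Split a checkpassword-style fd 3 buffer into three NUL-terminated fields."""
    parts = buf.split(b"\0")
    if len(parts) != 4 or parts[3] != b"":
        raise ValueError("expected exactly three NUL-terminated fields")
    return parts[:3]

def field_order(buf):
    """Name the layout of the second and third fields, or 'unknown'."""
    _, second, third = split_fields(buf)
    if CHALLENGE.fullmatch(second) and DIGEST.fullmatch(third):
        return "login,challenge,response"
    if DIGEST.fullmatch(second) and CHALLENGE.fullmatch(third):
        return "login,response,challenge"
    return "unknown"

def cram_md5_ok(buf, password):
    """Verify as a checker that reads login, challenge, response (assumed layout)."""
    _, challenge, response = split_fields(buf)
    expected = hmac.new(password, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(expected, response)

def make_buf(login, password, challenge, swapped=False):
    """Build a constructed payload; swapped=True mimics the -r16 layout."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest().encode()
    fields = [login, digest, challenge] if swapped else [login, challenge, digest]
    return b"\0".join(fields) + b"\0"

if __name__ == "__main__":
    for name, buf in (("-r15", R15), ("-r16", R16)):
        print(name, len(buf), field_order(buf))
```

With the swapped layout the checker keys the HMAC over the digest string and compares the result against the challenge text, so a correct password is still rejected.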