Dear all,
the change in include/sasl.h
-#define SASL_SEC_MAXIMUM 0x00FF
+#define SASL_SEC_MAXIMUM 0xFFFF
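Review bot: The new value on the + line widens SASL_SEC_MAXIMUM from 0x00FF to 0xFFFF with no comment stating which of the added bits are assigned or reserved, and this define sits in include/sasl.h, where callers can use it as a mask. Suggest documenting the bit range next to the define, or leaving SASL_SEC_MAXIMUM at 0x00FF and giving the wider range a new name, so that a caller that masks its own option word with this constant does not start passing bits above 0x00FF through as security flags.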
breaks sendmail’s AuthOptions, when it has the “A” flag set.
The following text is for users compiling Sendmail using unreleased Cyrus
SASL.
Sendmail/sendmail.h has these definitions:
# define SASL_AUTH_AUTH 0x1000 /* use auth= only if authenticated */
# if SASL >= 20101
# define SASL_SEC_MASK SASL_SEC_MAXIMUM
# endif
and SASL_SEC_MAXIMUM is 0xFFFF.
The “A” flag sets the 0x1000 bit in SASLOpts and later calls:
ssp.security_flags = SASLOpts & SASL_SEC_MASK;
Now within Cyrus SASL code the 0x1000 bit is set for security_flags.
lib/server.c:mech_permitted() has this code:
    /* do we want to special case SASL_SEC_PASS_CREDENTIALS? nah.. */
    if ((myflags &= (myflags ^ plug->security_flags)) != 0) {
        sasl_seterror(conn, SASL_NOLOG,
                      "security flags do not match required");
        return (myflags & SASL_SEC_NOPLAINTEXT) ? SASL_ENCRYPT : SASL_NOMECH;
    }
myflags has values like 4112 or 4113, where the 0x1000 bit is set.
This flag is not cleared, so no mechanism has the required
security_flags. In turn, on EHLO sendmail prints no 250-AUTH line, as
no mechanism matches the security criteria.
Removing the A Option from AuthOption solves the problem. Appending a
zero to “# define SASL_AUTH_AUTH 0x1000” might also help.
Greetings
Дилян
On Tue, 2021-11-16 at 14:50 -0800, Quanah Gibson-Mount wrote:
> Hi everyone,
>
> The cyrus-sasl-2.1 branch is ready for testing for the proposed 2.1.28
> Cyrus SASL release. For those who know how to build from source, it would
> be great if you can test and verify things work as expected. If you have a
> kerberos based environment that makes use of SASL/GSSAPI for a variety of
> purposes, please note that in any feedback.
>
> A general list of fixed issues for this release can be found at:
>
> <https://github.com/cyrusimap/cyrus-sasl/milestone/2?closed=1>
>
> Thanks in advance!
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
------------------------------------------
Cyrus: SASL
Permalink:
https://cyrus.topicbox.com/groups/sasl/T12590cab045ba314-M83aad54a0f32a8060b84588e
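The mask collision described in the message above, as an added example that is not part of the original post and is not sendmail or Cyrus SASL code. It reuses the constants quoted in the message and the same bit test as the mech_permitted() excerpt; the function names and the two plugin flag sets are constructed for illustration.

```c
#include <stdio.h>

/* Values quoted in the message above. */
#define OLD_SEC_MAXIMUM 0x00FFu   /* SASL_SEC_MAXIMUM before the change */
#define NEW_SEC_MAXIMUM 0xFFFFu   /* SASL_SEC_MAXIMUM after the change */
#define AUTH_AUTH       0x1000u   /* sendmail's private SASL_AUTH_AUTH bit */
#define AUTH_AUTH_MOVED 0x10000u  /* the "append a zero" variant */

/* Cyrus SASL security flag values from sasl.h. */
#define SEC_NOPLAINTEXT 0x0001u
#define SEC_NOANONYMOUS 0x0010u

/* What sendmail hands to the library: SASLOpts & SASL_SEC_MASK. */
static unsigned security_flags(unsigned sasl_opts, unsigned sec_mask)
{
    return sasl_opts & sec_mask;
}

/* Same bit test as the mech_permitted() excerpt: required bits the plugin lacks. */
static unsigned unmet_flags(unsigned required, unsigned plugin_flags)
{
    return required & (required ^ plugin_flags);
}

/* Count how many of the constructed mechanisms would pass the check. */
static int offered(unsigned sasl_opts, unsigned sec_mask)
{
    /* Constructed plugin flag sets, not taken from real plugins. */
    static const unsigned plugins[] = {
        SEC_NOANONYMOUS,
        SEC_NOANONYMOUS | SEC_NOPLAINTEXT,
    };
    unsigned required = security_flags(sasl_opts, sec_mask);
    int n = 0;
    for (size_t i = 0; i < sizeof plugins / sizeof plugins[0]; i++)
        if (unmet_flags(required, plugins[i]) == 0)
            n++;
    return n;
}

int main(void)
{
    unsigned opts = AUTH_AUTH | SEC_NOANONYMOUS;  /* "A" flag plus no-anonymous */
    printf("old mask:  %d offered\n", offered(opts, OLD_SEC_MAXIMUM));
    printf("new mask:  %d offered\n", offered(opts, NEW_SEC_MAXIMUM));
    printf("moved bit: %d offered\n", offered(AUTH_AUTH_MOVED | SEC_NOANONYMOUS, NEW_SEC_MAXIMUM));
    return 0;
}
```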