Package: cyrus-sasl2
Version: 2.1.22.dfsg1-19
Severity: wishlist

Short description: Patch fixes an NTLM authentication bug introduced with Outlook 2007 (where digest-md5 also fails) when connecting to any SASL-enabled system with realm support, where the username is matched against [EMAIL PROTECTED] in any SASL backend ([EMAIL PROTECTED] via postfix, cyrus-imapd, courier, etc.).
Bug description:
Outlook Express and Outlook 2000, 2003 and XP use the following method (which is covered by cyrus-sasl2 2.1.22): the first NTLM request carries the username and the client domain (where the client domain is the workgroup/domain of the Windows workstation), and if that fails, the second NTLM request carries no client domain but a fully qualified email address, [EMAIL PROTECTED]. Outlook 2007 uses a different method: it directly sends in the first NTLM request client user: username and client domain: maildomain.tld. There is no fallback mechanism, and therefore this fails in sasl2 with "username not found".
Solution:
This patch adds the logic to distinguish between the old method and the new method and supports both. The new logic is: if a client domain is available, build a fully qualified username and send it to the SASL backend for verification (this works for Outlook 2007; the older versions fail here). If there is no client domain, send the handed-over username for verification (which is then the fully qualified username handed over by the older Outlook versions).
License:
The patch is under the same license as the patched program, i.e. cyrus-sasl2.

--
kind regards
Christoph Christ
Head of Development/Research

MCP-Softworks s.r.o., Freiungsstrasse 8/1, A-2410 Hainburg an der Donau
Tel: +43-664-9307044, Fax: +43-664-779307044
http://www.mcpsoftworks.com




diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c 
cyrus-sasl-2.1.22-patch/plugins/ntlm.c
--- cyrus-sasl-2.1.22/plugins/ntlm.c    2005-07-07 18:10:14.000000000 +0200
+++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c      2008-05-06 11:38:34.000000000 
+0200
@@ -1525,14 +1525,45 @@ static int ntlm_server_mech_step2(server
        struct propval auxprop_values[2];
        unsigned char hash[NTLM_HASH_LENGTH];
        unsigned char resp[NTLM_RESP_LENGTH];
+       
+       unsigned char *combined_username = NULL;
 
        /* fetch user's password */
        result = sparams->utils->prop_request(sparams->propctx, 
password_request);
        if (result != SASL_OK) goto cleanup;
     
-       /* this will trigger the getting of the aux properties */
-       result = sparams->canon_user(sparams->utils->conn, authid, authid_len,
+       ///////////////////////////////////////////////////////////////////
+       // patch by [EMAIL PROTECTED]
+       // older pop3, imap, smtp ntlm clients are sending first
+       // client-user: usernamex
+       // client-domain: NTDOMAIN/WORKGROUP
+       // and if thats denied by us, they retry with
+       // client-user: [EMAIL PROTECTED]
+       // without a client domain
+       // outlook 2007 changed that behaviour to support properly
+       // also other mail servers. They are thus sending already (hurray!)
+       // as the first try: client-user: username
+       // and as client domain: the users emaildomain
+       ///////////////////////////////////////////////////////////////////
+       if (domain) {
+           // to match the outlook 2007 method
+           combined_username = sparams->utils->malloc(authid_len + domain_len 
+ 1);    
+           if (combined_username == NULL) {
+               MEMERROR(sparams->utils);
+               return SASL_NOMEM;
+           }
+           sprintf(combined_username, "[EMAIL PROTECTED]", authid, domain);
+           result = sparams->canon_user(sparams->utils->conn, 
combined_username, strlen(combined_username),
                                     SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+           sparams->utils->free(combined_username);
+       }
+       else {
+           // use old method (ignore the first try and match the second
+           result = sparams->canon_user(sparams->utils->conn, authid, 
authid_len,
+                                    SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+       }
+
+       /* this will trigger the getting of the aux properties */
        if (result != SASL_OK) goto cleanup;
 
        result = sparams->utils->prop_getnames(sparams->propctx,
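Review bot: the allocation `combined_username = sparams->utils->malloc(authid_len + domain_len + 1)` leaves room only for the two strings plus a terminating NUL, yet the sprintf that follows is meant to build the fully qualified name the comment describes, i.e. authid and domain joined by a separator (the format string itself is not legible on this page); if that separator is present the write runs one byte past the allocation, and both authid and domain come from the client's NTLM message. Size it as authid_len + domain_len + 2 and replace the unbounded sprintf with snprintf using explicit lengths (e.g. "%.*s@%.*s" with authid_len and domain_len), which also removes the reliance on authid and domain being NUL-terminated and the `unsigned char *` to `char *` mismatch in the sprintf and strlen calls. Separately, `return SASL_NOMEM;` on allocation failure bypasses the `cleanup` label that every other error path here reaches via `if (result != SASL_OK) goto cleanup;`; the comment `/* this will trigger the getting of the aux properties */` now sits above that check instead of above the canon_user() calls it describes, so move it back; and the `//` comment block, including the unclosed parenthesis in `(ignore the first try and match the second`, should become a `/* */` block in the file's own style.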

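The two client behaviours and the server-side matching rule described in the report, as an added example that is not part of the bug report or of cyrus-sasl. The backend table, the user names, the mail domain and the workgroup are constructed; server_ntlm_match() stands in for the patched decision in ntlm_server_mech_step2(), and build_qualified_name() sizes the buffer for the separator and terminator explicitly and refuses anything that does not fit. It also shows the pre-2007 client's two-attempt flow against the new rule (first attempt with the workgroup refused, second with the full address accepted), which the report only describes in words.

```c
/*
 * Added example, not code from the bug report or from cyrus-sasl: models the
 * patched server-side decision (qualify the user with the client domain when
 * one is sent, otherwise take the user name as sent) against the two client
 * behaviours the report describes, with bounded string handling.
 * The backend table, user names, mail domain and workgroup are constructed.
 */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SASL backend: the fully qualified names it knows. */
static const char *const KNOWN_USERS[] = {
    "alice@example.com",
    "bob@example.com",
};

static int backend_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof KNOWN_USERS / sizeof KNOWN_USERS[0]; i++)
        if (strcmp(KNOWN_USERS[i], name) == 0)
            return 1;
    return 0;
}

/*
 * Join authid and domain as "authid@domain" into out (outsz bytes).
 * Both inputs are client-controlled and treated as length-delimited rather
 * than NUL-terminated. Returns the length written, or -1 if the result would
 * not fit: it needs authid_len + 1 ('@') + domain_len + 1 (NUL) bytes.
 */
int build_qualified_name(const unsigned char *authid, size_t authid_len,
                         const unsigned char *domain, size_t domain_len,
                         char *out, size_t outsz)
{
    size_t needed = authid_len + 1 + domain_len + 1;
    int n;
    if (outsz < needed)
        return -1;
    n = snprintf(out, outsz, "%.*s@%.*s",
                 (int)authid_len, (const char *)authid,
                 (int)domain_len, (const char *)domain);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/*
 * Server decision as in the patch: with a client domain, verify the qualified
 * name; without one, verify the user name exactly as sent.
 * Returns 1 on success, 0 on failure (including an over-long name).
 */
int server_ntlm_match(const char *authid, const char *domain)
{
    char qualified[256];
    if (domain != NULL && domain[0] != '\0') {
        if (build_qualified_name((const unsigned char *)authid, strlen(authid),
                                 (const unsigned char *)domain, strlen(domain),
                                 qualified, sizeof qualified) < 0)
            return 0;
        return backend_lookup(qualified);
    }
    return backend_lookup(authid);
}

/*
 * Pre-2007 client: first try user + Windows workgroup; if refused, retry with
 * the full address and no domain. Returns the attempt that succeeded (1 or 2)
 * or 0 if both were refused.
 */
int old_client_auth(const char *user, const char *maildomain,
                    const char *workgroup)
{
    char full[256];
    if (server_ntlm_match(user, workgroup))
        return 1;
    if (build_qualified_name((const unsigned char *)user, strlen(user),
                             (const unsigned char *)maildomain, strlen(maildomain),
                             full, sizeof full) < 0)
        return 0;
    return server_ntlm_match(full, NULL) ? 2 : 0;
}

/* Outlook 2007 client: one request with user + mail domain, no retry. */
int new_client_auth(const char *user, const char *maildomain)
{
    return server_ntlm_match(user, maildomain);
}

int main(void)
{
    printf("old client: succeeded on attempt %d\n",
           old_client_auth("alice", "example.com", "WORKGROUP"));
    printf("new client: %s\n",
           new_client_auth("alice", "example.com") ? "ok" : "refused");
    printf("unknown user via new client: %s\n",
           new_client_auth("mallory", "example.com") ? "ok" : "refused");
    return 0;
}
```

With the buffer check in build_qualified_name(), an over-long user or domain from the client fails the match instead of writing past the end of the buffer; the old client's first attempt ("alice" with workgroup "WORKGROUP") is refused because "alice@WORKGROUP" is unknown to the backend, and its second attempt is accepted, exactly the sequence the report describes.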