From: Jean-Marc Pigeon (Delson)
Date: Tue, 8 Jul 2025 20:13:16 +0000 (-0400)
Subject: Authentication plain is working (no leak)
X-Git-Tag: tag-0.13~21
X-Git-Url: https://jmp-git.ovh.safe.ca/?a=commitdiff_plain;h=a0aad34f119b08ab72edc4816cc41dd71cbee068;p=jmp%2Fmailleur
Authentication plain is working (no leak)
---
diff --git a/lib/lvleml.c b/lib/lvleml.c
index 6db3a6d..920403f 100644
--- a/lib/lvleml.c
+++ b/lib/lvleml.c
@@ -352,7 +352,7 @@ dup=rou_freestr(dup);
 /* Match with the user provided. */
 /* */
 /********************************************************/
-static _Bool checklogin(SQLPTR *sqlptr,char *sequence)
+static _Bool checklogin(CONTYP *contact,char **rmtpass,char *sequence)
 {
 #define OPEP "lvleml.c:checklogin,"
@@ -386,14 +386,18 @@ while (proceed==true) {
 USRTYP *usr;
 usr=(USRTYP *)0;
- if (sql_mngusr(sqlptr,sql_select,data[1],&usr)==true) {
- char *crypted;
+ contact->authname=rou_freestr(contact->authname);
+ contact->authname=strdup(data[1]);
+ if (sql_mngusr(contact->sqlptr,sql_select,data[1],&usr)==true) {
+ char *givenpass;
- crypted=data[2];
- if (usr->passwd[0]=='$')
- crypted=crypt(data[2],usr->passwd);
- if ((crypted!=(char *)0)&&(strcmp(crypted,usr->passwd)==0))
- isok=true; //Passord match
+ givenpass=data[2];
+ if (givenpass!=(char *)0) {
+ *rmtpass=strdup(givenpass);
+ if (strncmp(usr->passwd,"$1",2)==0)
+ givenpass=crypt("$1",givenpass);
+ isok=(strcmp(givenpass,usr->passwd)==0);
+ }
 usr=sql_freeusr(usr);
 }
 }
@@ -419,15 +423,13 @@ return isok;
 /* mode, return "decoded", NULL if not extracted */
 /* */
 /********************************************************/
-static _Bool get_auth_plain(CONTYP *contact,char *received,char **rmtpass)
+static void get_auth_plain(CONTYP *contact,char *received,char **rmtpass)
 {
 #define OPEP "lvleml.c:get_auth_plain,"
-_Bool goodpass;
 char *decoded;
-goodpass=false;
 *rmtpass=(char *)0;
 decoded=(char *)0;
 if ((received==(char *)0)||(strlen(received)==0)) {
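Review bot: In the `$1` branch of checklogin(), `givenpass=crypt("$1",givenpass);` passes the arguments in the wrong order — crypt() takes the password first and the salt/setting second — so the submitted password only acts as a setting string and a correct password never verifies against a stored `$1$…` hash; the removed `crypt(data[2],usr->passwd)` had both the order and the setting (the stored hash itself) right. The old `crypted!=(char *)0` guard is gone as well, and crypt() returns NULL on an unsupported or malformed setting, which then reaches strcmp(). Suggested lines: `givenpass=crypt(givenpass,usr->passwd);` and `isok=((givenpass!=(char *)0)&&(strcmp(givenpass,usr->passwd)==0));`. Note that the sql/datatest.sql hunk in this commit replaces every `$1$` fixture with a cleartext password, so the test data no longer exercises this branch at all. `*rmtpass=strdup(givenpass);` also overwrites without freeing whatever `*rmtpass` already holds (this runs inside `while (proceed==true)`, and the caller in the -494 hunk does not visibly reset it), so mirroring the `contact->authname` handling with `*rmtpass=rou_freestr(*rmtpass);` first, and checking both strdup() results, would be safer; the rest of checklogin() lies outside this hunk.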
@@ -446,10 +448,9 @@ if ((received==(char *)0)||(strlen(received)==0)) {
 else decoded=cnv_getb64(received);
 if (decoded!=(char *)0) {
- goodpass=checklogin(contact->sqlptr,decoded);
+ contact->authenticated=checklogin(contact,rmtpass,decoded);
 decoded=rou_freestr(decoded);
 }
-return goodpass;
 #undef OPEP
 }
@@ -494,7 +495,7 @@ for (int i=0;i<2;i++) {
 line=rou_freestr(line);
 }
 if (strlen(local)>0)
- goodpass=checklogin(contact->sqlptr,local);
+ goodpass=checklogin(contact,rmtpass,local);
 return goodpass;
 }
 /*
@@ -845,7 +846,7 @@ while (proceed==true) {
 (void) transmit(contact,true,"%d 5.7.4 authentication failed",BADAUTH);
 }
 else {
- (void) log_fprintlog(contact->logptr,true,fmt,auth[1]);
+ (void) log_fprintlog(contact->logptr,true,fmt,auth);
 (void) transmit(contact,true,"%d 5.7.5 Authentication successful",IDOK);
 }
 }
diff --git a/sql/datatest.sql b/sql/datatest.sql
index 6670e47..ae8443e 100644
--- a/sql/datatest.sql
+++ b/sql/datatest.sql
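Review bot: get_auth_plain() now only writes `contact->authenticated` when base64 decoding succeeds (`if (decoded!=(char *)0)`), so on a malformed or empty payload the field keeps whatever value it had before this attempt; unless it is reset elsewhere, a failed AUTH following a successful one would leave `authenticated` true. Initialising it next to `*rmtpass=(char *)0;` at the top of the function (previous hunk) with `contact->authenticated=false;` removes that dependency. The header comment above the signature still says the function returns `"decoded", NULL if not extracted`, which no longer fits a void function whose outcome is `contact->authenticated` and `*rmtpass`; it should be reworded to describe those two outputs. The function starts outside this hunk.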
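Review bot: `log_fprintlog(contact->logptr,true,fmt,auth)` changes the vararg from `auth[1]` to `auth` while `fmt` is a variable built outside this hunk, so the compiler cannot check that its conversion specifier matches the new argument type; if `auth` is an array of strings rather than a string, the previous `auth[1]` was the right operand. Worth confirming the declaration of `auth` against the specifier in `fmt`, and, since `fmt` is non-literal, either using a literal here or declaring log_fprintlog() with `__attribute__((format(printf,3,4)))` so such mismatches are caught at compile time. The enclosing function starts and ends outside this hunk.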
@@ -9,20 +9,20 @@ DELETE FROM emails;
 //adding a list of local email
 INSERT INTO emails (email,password) \
- values ('postmaster@example.com','mailleur1');
+ values ('postmaster@example.com','postmaster');
 INSERT INTO emails (email,password) \
- values ('webmaster@example.com','mailleur2');
+ values ('webmaster@example.com','webmaster');
 INSERT INTO emails (email,password) \
- values ('utf8-áö_üñ@example.com','mailleur3');
+ values ('utf8-áö_üñ@example.com','utf8-áö_üñ');
 //Set for Postgresql database
 INSERT INTO emails (email,password) \
- values ('user1@posdb.example.com','$1$cBO23lDG$7l.Ooe7pF.gf8t6tD2mKp0');
+ values ('user1@posdb.example.com','user1');
 INSERT INTO emails (email,password) \
- values ('user2@posdb.example.com','$1$cBO23lDG$7l.Ooe7pF.gf8t6tD2mKp0');
+ values ('user2@posdb.example.com','user2');
 //Set for MySQL database
 INSERT INTO emails (email,password) \
- values ('user1@mardb.example.com','$1$cBO23lDG$7l.Ooe7pF.gf8t6tD2mKp0');
+ values ('user1@mardb.example.com','user1');
 INSERT INTO emails (email,password) \
- values ('user2@mardb.example.com','$1$cBO23lDG$7l.Ooe7pF.gf8t6tD2mKp0');
+ values ('user2@mardb.example.com','user2');
diff --git a/sql/mailleur.sql b/sql/mailleur.sql
index 95201dd..41e0c29 100644
--- a/sql/mailleur.sql
+++ b/sql/mailleur.sql
@@ -74,7 +74,7 @@ CREATE FUNCTION updpass() RETURNS trigger AS $$
 BEGIN
 NEW.hash = md5(concat (NEW.email,':',NEW.realm,':',new.password));
- NEW.password = crypt(new.password, gen_salt('md5'));
+// NEW.password = crypt(new.password, gen_salt('md5'));
 RETURN NEW;
 END $$ LANGUAGE 'plpgsql';
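Review bot: Disabling `NEW.password = crypt(new.password, gen_salt('md5'));` in updpass() means the `password` column now holds the cleartext password for every row the trigger touches, while `NEW.hash` on the line above is still derived from it. If cleartext is what the new checklogin() needs for PLAIN/LOGIN, say so in a comment on the trigger (`-- password kept in clear: compared directly by checklogin()`) so the next reader does not restore the line by accident, and restrict access to that column accordingly; otherwise the crypt() line should come back and the `$1` comparison on the C side be fixed instead. `//` is not a comment marker in SQL or PL/pgSQL (`--` is); sql/datatest.sql uses `//` and `\` continuations too, which suggests these files go through a preprocessor, but if mailleur.sql is fed to psql directly this line is a syntax error inside the `$$` body.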