web/SOURCES/dovecot-2.3.8-CVE_2020_12674.patch

From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 6 May 2020 13:40:36 +0300
Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer

---
 src/auth/mech-rpa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
index 08298ebdd6..2de8705b4f 100644
--- a/src/auth/mech-rpa.c
+++ b/src/auth/mech-rpa.c
@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
 		return 0;
 
 	len = *p++;
-	if (p + len > end)
+	if (p + len > end || len == 0)
 		return 0;
 
 	*buffer = p_malloc(pool, len);
-- 
2.11.0

From 98c39fd633adf9b1d11a7bad58ef0784a25042e6 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 18 May 2020 13:08:45 +0300
Subject: [PATCH 3/3] auth: test-mech - Add tests for RPA and NTLM bug

---
 src/auth/test-mech.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff -up dovecot-2.3.8/src/auth/test-mech.c.CVE_2020_12674prereq dovecot-2.3.8/src/auth/test-mech.c
--- dovecot-2.3.8/src/auth/test-mech.c.CVE_2020_12674prereq	2020-08-07 20:46:56.095295825 +0200
+++ dovecot-2.3.8/src/auth/test-mech.c	2020-08-07 20:47:08.742124304 +0200
@@ -0,0 +1,199 @@
+/* Copyright (c) 2020 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "auth.h"
+#include "array.h"
+#include "str.h"
+#include "auth-common.h"
+#include "auth-request.h"
+#include "auth-request-handler-private.h"
+#include "auth-settings.h"
+#include "otp.h"
+#include "mech-otp-skey-common.h"
+#include "settings-parser.h"
+#include "password-scheme.h"
+#include "test-common.h"
+#include "test-auth.h"
+#include "auth-token.h"
+
+#include <unistd.h>
+#include <time.h>
+
+#define UCHAR_LEN(str) (const unsigned char *)(str), sizeof(str)-1
+
+extern const struct mech_module mech_oauthbearer;
+extern const struct mech_module mech_otp;
+extern const struct mech_module mech_ntlm;
+extern const struct mech_module mech_rpa;
+
+static struct auth_settings set;
+static struct mechanisms_register *mech_reg;
+
+struct test_case {
+	const struct mech_module *mech;
+	const unsigned char *in;
+	size_t len;
+	const char *username;
+	const char *expect_error;
+	bool success;
+	bool set_username_before_test;
+	bool set_cert_username;
+};
+
+static void
+verify_plain_continue_mock_callback(struct auth_request *request,
+				    verify_plain_callback_t *callback)
+{
+	request->passdb_success = TRUE;
+	callback(PASSDB_RESULT_OK, request);
+}
+
+static void
+request_handler_reply_mock_callback(struct auth_request *request,
+				    enum auth_client_result result,
+				    const void *auth_reply ATTR_UNUSED,
+				    size_t reply_size ATTR_UNUSED)
+{
+	request->failed = result != AUTH_CLIENT_RESULT_SUCCESS;
+
+	if (request->passdb_result == PASSDB_RESULT_OK)
+		request->failed = FALSE;
+	else if (request->mech == &mech_otp) {
+		if (null_strcmp(request->user, "otp_phase_2") == 0)
+			request->failed = FALSE;
+	} else if (request->mech == &mech_oauthbearer) {
+	}
+};
+
+static void
+request_handler_reply_continue_mock_callback(struct auth_request *request,
+					     const void *reply,
+					     size_t reply_size)
+{
+	request->context = p_strndup(request->pool, reply, reply_size);
+}
+
+static void
+auth_client_request_mock_callback(const char *reply ATTR_UNUSED,
+				  struct auth_client_connection *conn ATTR_UNUSED)
+{
+}
+
+static void test_mechs_init(void)
+{
+	const char *const services[] = {NULL};
+	process_start_time = time(NULL);
+
+	/* Copy default settings */
+	set = *(struct auth_settings *) auth_setting_parser_info.defaults;
+	global_auth_settings = &set;
+	global_auth_settings->base_dir = ".";
+	memset((&set)->username_chars_map, 1, sizeof((&set)->username_chars_map));
+	set.username_format = "";
+
+	t_array_init(&set.passdbs, 2);
+	struct auth_passdb_settings *mock_set = t_new(struct auth_passdb_settings, 1);
+	*mock_set = mock_passdb_set;
+	array_push_back(&set.passdbs, &mock_set);
+	mock_set = t_new(struct auth_passdb_settings, 1);
+	*mock_set = mock_passdb_set;
+	mock_set->master = TRUE;
+	array_push_back(&set.passdbs, &mock_set);
+	t_array_init(&set.userdbs, 1);
+
+	/* Disable stats */
+	set.stats = FALSE;
+
+	/* For tests of digest-md5. */
+	set.realms_arr = t_strsplit_spaces("example.com ", " ");
+	/* For tests of mech-anonymous. */
+	set.anonymous_username = "anonuser";
+
+	mech_init(global_auth_settings);
+	mech_reg = mech_register_init(global_auth_settings);
+	passdbs_init();
+	userdbs_init();
+	passdb_mock_mod_init();
+	password_schemes_init();
+
+	auths_preinit(&set, pool_datastack_create(), mech_reg, services);
+	auths_init();
+	auth_token_init();
+}
+
+
+static void test_rpa(void)
+{
+	static struct auth_request_handler handler = {
+		.callback = auth_client_request_mock_callback,
+		.reply_callback = request_handler_reply_mock_callback,
+		.reply_continue_callback = request_handler_reply_continue_mock_callback,
+		.verify_plain_continue_callback = verify_plain_continue_mock_callback,
+	};
+
+	const struct mech_module *mech = &mech_rpa;
+	test_begin("test rpa");
+	struct auth_request *req = mech->auth_new();
+	global_auth_settings->realms_arr = t_strsplit("example.com", " ");
+	req->set = global_auth_settings;
+	req->service = "login";
+	req->handler = &handler;
+	//req->mech_event = event_create(NULL);
+	//req->event = event_create(NULL);
+	req->mech = mech;
+	req->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
+	auth_request_state_count[AUTH_REQUEST_STATE_MECH_CONTINUE] = 1;
+	mech->auth_initial(req, UCHAR_LEN("\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01"));
+	mech->auth_continue(req, UCHAR_LEN("\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00"));
+	test_assert(req->failed == TRUE);
+	test_assert(req->passdb_success == FALSE);
+	//event_unref(&req->mech_event);
+	//event_unref(&req->event);
+	mech->auth_free(req);
+	test_end();
+}
+
+static void test_ntlm(void)
+{
+	static struct auth_request_handler handler = {
+		.callback = auth_client_request_mock_callback,
+		.reply_callback = request_handler_reply_mock_callback,
+		.reply_continue_callback = request_handler_reply_continue_mock_callback,
+		.verify_plain_continue_callback = verify_plain_continue_mock_callback,
+	};
+
+	const struct mech_module *mech = &mech_ntlm;
+	test_begin("test ntlm");
+	struct auth_request *req = mech->auth_new();
+	global_auth_settings->realms_arr = t_strsplit("example.com", " ");
+	req->set = global_auth_settings;
+	req->service = "login";
+	req->handler = &handler;
+	//req->mech_event = event_create(NULL);
+	//req->event = event_create(NULL);
+	req->mech = mech;
+	req->state = AUTH_REQUEST_STATE_MECH_CONTINUE;
+	auth_request_state_count[AUTH_REQUEST_STATE_MECH_CONTINUE] = 1;
+	mech->auth_initial(req, UCHAR_LEN("NTLMSSP\x00\x01\x00\x00\x00\x00\x02\x00\x00""AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
+	mech->auth_continue(req, UCHAR_LEN("NTLMSSP\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00""AA\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00""orange""\x00"));
+	test_assert(req->failed == TRUE);
+	test_assert(req->passdb_success == FALSE);
+	//event_unref(&req->mech_event);
+	//event_unref(&req->event);
+	mech->auth_free(req);
+	test_end();
+}
+
+int main(void)
+{
+	static void (*const test_functions[])(void) = {
+		test_rpa,
+		test_ntlm,
+		NULL
+	};
+	lib_init();
+	test_mechs_init();
+	int ret = test_run(test_functions);
+	mech_register_deinit(&mech_reg);
+	return ret;
+}