author | Ladar Levison <ladar@lavabit.com> | 2018-12-07 22:58:48 +0300 |
---|---|---|
committer | Ladar Levison <ladar@lavabit.com> | 2018-12-07 22:58:48 +0300 |
commit | 94e8e72cefd1a422a227b92ee45ba912cf36f59d (patch) | |
tree | bc72924a1052d5b7b7c73dfef7d816b1fd45f8d6 | |
parent | f66654e9af3cbfd972753dcc4c3d4a77ff46523d (diff) |
Properly bypass SMTP checks using the bypass_addr setting.
-rw-r--r-- | check/magma/users/users_check.c | 2 | ||||
-rwxr-xr-x | sandbox/etc/magma.sandbox.config | 1 | ||||
-rw-r--r-- | src/core/host/ip.c | 3 | ||||
-rw-r--r-- | src/network/addresses.c | 16 | ||||
-rw-r--r-- | src/servers/smtp/checkers.c | 11 | ||||
-rw-r--r-- | src/servers/smtp/smtp.c | 2 |
6 files changed, 29 insertions, 6 deletions
diff --git a/check/magma/users/users_check.c b/check/magma/users/users_check.c index e1c167d3..85850ced 100644 --- a/check/magma/users/users_check.c +++ b/check/magma/users/users_check.c @@ -11,8 +11,8 @@ START_TEST (check_users_register_s) { log_disable(); uint16_t plan; - connection_t con; time_t stamp; + connection_t con; uint64_t usernum = 0; bool_t outcome = true; int64_t transaction = -1; diff --git a/sandbox/etc/magma.sandbox.config b/sandbox/etc/magma.sandbox.config index 1f53033f..a52dcd34 100755 --- a/sandbox/etc/magma.sandbox.config +++ b/sandbox/etc/magma.sandbox.config @@ -21,6 +21,7 @@ magma.log.stack = false magma.log.time = false magma.system.domain = lavabit.com +magma.smtp.bypass_addr = 127.0.0.1 magma.web.tls_redirect = 127.0.0.1:10500 magma.web.statistics = true diff --git a/src/core/host/ip.c b/src/core/host/ip.c index 4258a675..06ab1fe0 100644 --- a/src/core/host/ip.c +++ b/src/core/host/ip.c @@ -567,7 +567,8 @@ bool_t ip_subnet_st(chr_t *substr, subnet_t *out) { if (!i || i > 2) { return false; - } else if (i == 1) { + } + else if (i == 1) { if (!ip_addr_st(substr, &addr)) { return false; diff --git a/src/network/addresses.c b/src/network/addresses.c index 9ec452e3..0d51b6f5 100644 --- a/src/network/addresses.c +++ b/src/network/addresses.c @@ -46,8 +46,20 @@ ip_t * con_addr(connection_t *con, ip_t *output) { ip_t *result = NULL; - if (con) { - result = con->network.reverse.ip; + // We only attempt the copy if a valid IP address is available. + if (con && con->network.reverse.ip) { + + // If the output pointer is NULL, we need to allocate a buffer. + if (!output && (result = mm_alloc(sizeof(ip_t)))) { + ip_copy(result, con->network.reverse.ip); + } + // Otherwise, if the output buffer is valid, we use that instead. We could also end up + // here if the allocation attempt, fails. So we check that output isn't NULL to avoid an error. + else if (output) { + result = ip_copy(output, con->network.reverse.ip); + } + + } return result; 
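Review bot: con_addr() in src/network/addresses.c now has two ownership modes that nothing in the hunk documents. With a NULL `output` it returns memory obtained from `mm_alloc`, where the old code returned the connection's own `reverse.ip` pointer. Callers are outside this hunk, so any that pass NULL need checking: they would now leak one `ip_t` per call unless they release it. The allocating branch also ignores the return value of `ip_copy` while the `output` branch assigns it to `result`; if `ip_copy` can fail, the first branch would return an unfilled buffer. I would add a header comment such as `// Returns output (filled in) when supplied, otherwise a newly allocated ip_t the caller must mm_free(); NULL if no address is known or the allocation fails.`, and use `result = ip_copy(result, con->network.reverse.ip);` only if `ip_copy` is confirmed to return its destination.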
diff --git a/src/servers/smtp/checkers.c b/src/servers/smtp/checkers.c
index 726a0c0f..13cf1a43 100644
--- a/src/servers/smtp/checkers.c
+++ b/src/servers/smtp/checkers.c
@@ -301,7 +301,16 @@ bool_t smtp_bypass_check(connection_t *con) {
 }
 while (!result && (subnet = inx_cursor_value_next(cursor))) {
- if (ip_matches_subnet(subnet, &remote)) result = true;
+
+ // If the subnet mask is 32 for a v4 address, or 128 for v6 address, do a straight comparison.
+ if (((subnet->address.family == AF_INET && subnet->mask == 32) ||
+ (subnet->address.family == AF_INET6 && subnet->mask == 128)) &&
+ ip_addr_eq(&(subnet->address), &remote)) result = true;
+
+ // Otherwise do a subnet comparison.
+ else if (((subnet->address.family == AF_INET && subnet->mask != 32) ||
+ (subnet->address.family == AF_INET6 && subnet->mask != 128)) &&
+ ip_matches_subnet(subnet, &remote)) result = true;
 }
 inx_cursor_free(cursor);
diff --git a/src/servers/smtp/smtp.c b/src/servers/smtp/smtp.c
index 25343587..be2297da 100644
--- a/src/servers/smtp/smtp.c
+++ b/src/servers/smtp/smtp.c
@@ -772,7 +772,7 @@ void smtp_rcpt_to(connection_t *con) {
 // If this user is enforcing SPF.
 if (result->spf == 1) {
 // Perform the SPF check.
- if (con->smtp.checked.spf == 0) {
+ if (!con->smtp.bypass && con->smtp.checked.spf == 0) {
 con->smtp.checked.spf = spf_check(con_addr(con, MEMORYBUF(sizeof(ip_t))), con->smtp.helo, con->smtp.mailfrom);
 }
 |
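Review bot: The new match logic in smtp_bypass_check() (src/servers/smtp/checkers.c) spells the family/mask predicate out twice across two unbraced, multi-line `if`/`else if` statements. That is hard to audit for a decision that switches off SMTP checks for a peer. Naming the two facts once keeps the behaviour and makes the rule readable: `bool_t known = subnet->address.family == AF_INET || subnet->address.family == AF_INET6;`, `bool_t exact = (subnet->address.family == AF_INET && subnet->mask == 32) || (subnet->address.family == AF_INET6 && subnet->mask == 128);`, then `if (known && (exact ? ip_addr_eq(&(subnet->address), &remote) : ip_matches_subnet(subnet, &remote))) { result = true; }`. The comment should also say why full-length masks are special-cased: if `ip_matches_subnet` mishandles /32 and /128, other callers inherit that, and how it treats a zero or out-of-range mask is not visible here. The function begins and ends outside the hunk.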
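Review bot: In smtp_rcpt_to() (src/servers/smtp/smtp.c) the comment above the changed condition still reads "Perform the SPF check." although the check is now skipped for bypassed peers. I would reword it to `// Perform the SPF check once per connection, unless the client matched magma.smtp.bypass_addr.` For a bypassed connection `con->smtp.checked.spf` also stays 0 even though the recipient enforces SPF. The code that later reads that field is outside this hunk, so confirm it treats 0 as "not evaluated" rather than as a verdict. The bypass rests solely on the connection's source address, so a short note next to the setting that it should list only hosts trusted to skip sender validation would help operators.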