From: Martijn van Duren Subject: Re: smtpd: do not lowercase creds for K_AUTH To: Omar Polo , tech@openbsd.org Date: Thu, 26 Mar 2026 01:04:41 +0100 On 3/21/26 18:14, Omar Polo wrote: > Hello tech, > > some time ago we've introduced a K_AUTH table lookup method, to offload > the authentication handling to a proc table. This is different from the > previous credentials tables because they are supposed to return the hash > of a password for the given user. > > The only problem with this is that we have a lowercase() before reaching > the table itself, so for K_AUTH we end up lowercasing both the username > and the password. > > The cautious reader will realize that this will leave also the username > with the original casing. I'm a bit unsure about what to do. For > K_AUTH the caller code will construct a string "username:password" > without changing the casing, then calls table_lookup(). Being pedantic, > the username *could* be case-sensitive, so there's a small argument for > keeping the case as-is. > > okay? > From a quick look through the opensmtpd-tables in ports, I'm unable to find support for K_AUTH in any of them. And if there are tables out in the wild who support this I would have expected someone to shout that their users can't login (or someone needs to reconsider their password policy if none of their users have an upper case in their password). Considering the above I would suggest to remove K_AUTH entirely, instead of adding more tentacles. If we want auth offloading at some point a better API might be considered, but I reckon simply catting username and password with a ':' isn't the most convenient for a consumer. Maybe something like a challenge-response interface to allow for more SASL mechanisms might be a better option. martijn@ diff 561bf2d2294adbcad0c55924d4a54e4b0537e497 2939e4fdab3ed9289084c247c1f595b1b39f0adc commit - 561bf2d2294adbcad0c55924d4a54e4b0537e497 commit + 2939e4fdab3ed9289084c247c1f595b1b39f0adc blob - 2c04f2bee62cc67e01e8247405b96f5faf12ef04 blob + fd692bbf39368c0ac566d64daafe97067f8089b2 --- usr.sbin/smtpd/lka.c +++ usr.sbin/smtpd/lka.c @@ -722,7 +722,6 @@ static int lka_authenticate(const char *tablename, const char *user, const char *password) { struct table *table; - char offloadkey[LINE_MAX]; union lookup lk; log_debug("debug: lka: authenticating for %s:%s", tablename, user); @@ -733,26 +732,6 @@ lka_authenticate(const char *tablename, const char *us return (LKA_TEMPFAIL); } - /* table backend supports authentication offloading */ - if (table_check_service(table, K_AUTH)) { - if (!bsnprintf(offloadkey, sizeof(offloadkey), "%s:%s", - user, password)) { - log_warnx("warn: key serialization failed for %s:%s", - tablename, user); - return (LKA_TEMPFAIL); - } - switch (table_match(table, K_AUTH, offloadkey)) { - case -1: - log_warnx("warn: user credentials lookup fail for %s:%s", - tablename, user); - return (LKA_TEMPFAIL); - case 0: - return (LKA_PERMFAIL); - default: - return (LKA_OK); - } - } - switch (table_lookup(table, K_CREDENTIALS, user, &lk)) { case -1: log_warnx("warn: user credentials lookup fail for %s:%s", blob - 4f362dc7ad555afd2c73419d44991ee31da743b1 blob + 305303a7461ac62595a89fb8b889237f70608978 --- usr.sbin/smtpd/smtpd-api.h +++ usr.sbin/smtpd/smtpd-api.h @@ -135,7 +135,6 @@ enum table_service { K_RELAYHOST = 0x200, /* returns struct relayhost */ K_STRING = 0x400, K_REGEX = 0x800, - K_AUTH = 0x1000, }; #define K_ANY 0xffff blob - aca013debeab51e319144b92b5ac154bb6dca1ec blob + a9c724d91ddbf4290fac7ad503390562277f929d --- usr.sbin/smtpd/table.c +++ usr.sbin/smtpd/table.c @@ -83,7 +83,6 @@ table_service_name(enum table_service s) case K_RELAYHOST: return "relayhost"; case K_STRING: return "string"; case K_REGEX: return "regex"; - case K_AUTH: return "auth"; } return "???"; } @@ -117,8 +116,6 @@ table_service_from_name(const char *service) return K_STRING; if (!strcmp(service, "regex")) return K_REGEX; - if (!strcmp(service, "auth")) - return K_AUTH; return (-1); }