From: Timo Sirainen Date: Fri, 18 Jul 2025 11:02:36 +0000 (+0300) Subject: lib-sasl: Add more results to enum dsasl_client_result X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=25e213febd618993820c255becf76ae9bacce9bb;p=thirdparty%2Fdovecot%2Fcore.git lib-sasl: Add more results to enum dsasl_client_result
---
diff --git a/src/lib-sasl/dsasl-client.h b/src/lib-sasl/dsasl-client.h
index 38b2d345c9..cb3c3d1b0f 100644
--- a/src/lib-sasl/dsasl-client.h
+++ b/src/lib-sasl/dsasl-client.h
@@ -15,8 +15,13 @@ struct dsasl_client_settings {
 enum dsasl_client_result {
 DSASL_CLIENT_RESULT_OK,
- /* Client sent invalid SASL protocol input */
+ /* The final response from server returned a failed authentication.
+ The error string contains details. */
+ DSASL_CLIENT_RESULT_AUTH_FAILED,
+ /* Remote server sent invalid SASL protocol input */
 DSASL_CLIENT_RESULT_ERR_PROTOCOL,
+ /* Internal client error */
+ DSASL_CLIENT_RESULT_ERR_INTERNAL,
 };
 typedef int
diff --git a/src/lib-sasl/mech-login.c b/src/lib-sasl/mech-login.c
index 66d7a4e831..1b39d809d8 100644
--- a/src/lib-sasl/mech-login.c
+++ b/src/lib-sasl/mech-login.c
@@ -42,11 +42,11 @@ mech_login_output(struct dsasl_client *_client,
 if (_client->set.authid == NULL) {
 *error_r = "authid not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 if (_client->password == NULL) {
 *error_r = "password not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 switch (client->state) {
diff --git a/src/lib-sasl/mech-oauthbearer.c b/src/lib-sasl/mech-oauthbearer.c
index 0d8c839fea..48d0e9f347 100644
--- a/src/lib-sasl/mech-oauthbearer.c
+++ b/src/lib-sasl/mech-oauthbearer.c
@@ -82,7 +82,7 @@ mech_oauthbearer_input(struct dsasl_client *_client,
 *error_r = t_strdup_printf("Failed to authenticate: %s", client->status);
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_AUTH_FAILED;
 }
 return DSASL_CLIENT_RESULT_OK;
 }
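Review bot: Inserting DSASL_CLIENT_RESULT_AUTH_FAILED ahead of DSASL_CLIENT_RESULT_ERR_PROTOCOL in the dsasl-client.h hunk renumbers the existing constant and introduces two results that existing callers have never seen. The callers are outside this diff, so it is worth confirming that each of them treats every value other than DSASL_CLIENT_RESULT_OK as a failed authentication instead of testing `== DSASL_CLIENT_RESULT_ERR_PROTOCOL`. The comment on the last value could also state the cause the mechanisms use it for, for example `/* Internal client error, e.g. authid or password not set by the caller; never caused by server input */`.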
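Review bot: The authid/password guard edited in the mech_login_output hunk is repeated verbatim in mech_oauthbearer_output, mech_xoauth2_output, mech_plain_output and mech_scram_output, and this commit had to change each copy by hand. A single shared check would keep the result code and the two error strings from drifting apart between mechanisms; each call site would shrink to something like `if (!dsasl_client_has_credentials(_client, error_r)) return DSASL_CLIENT_RESULT_ERR_INTERNAL;` (helper name is illustrative, it does not exist in the diff). All five function bodies start and end outside their hunks, so whether a common entry point could host the check once cannot be confirmed from here.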
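Review bot: The error string returned together with DSASL_CLIENT_RESULT_AUTH_FAILED in the mech_oauthbearer_input hunk embeds `client->status`, which appears to be taken from the server's JSON reply (the test feeds `"status":"401"` and expects "Failed to authenticate: 401"). That makes the string remote-controlled text, and the new enum comment invites callers to surface it ("The error string contains details"). A comment at the return would record this, e.g. `/* status is server-supplied; callers must sanitize it before logging or display */`. Where status is parsed and whether its length or character set is limited lies outside the hunk.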
@@ -98,11 +98,11 @@ mech_oauthbearer_output(struct dsasl_client *_client,
 if (_client->set.authid == NULL) {
 *error_r = "authid not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 if (_client->password == NULL) {
 *error_r = "password not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 str = str_new(_client->pool, 64);
@@ -132,11 +132,11 @@ mech_xoauth2_output(struct dsasl_client *_client,
 if (_client->set.authid == NULL) {
 *error_r = "authid not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 if (_client->password == NULL) {
 *error_r = "password not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 str = str_new(_client->pool, 64);
diff --git a/src/lib-sasl/mech-plain.c b/src/lib-sasl/mech-plain.c
index 95fe4fa1ef..e755fe498b 100644
--- a/src/lib-sasl/mech-plain.c
+++ b/src/lib-sasl/mech-plain.c
@@ -40,11 +40,11 @@ mech_plain_output(struct dsasl_client *_client,
 if (_client->set.authid == NULL) {
 *error_r = "authid not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 if (_client->password == NULL) {
 *error_r = "password not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 str = str_new(_client->pool, 64);
diff --git a/src/lib-sasl/mech-scram.c b/src/lib-sasl/mech-scram.c
index 94a5e37216..8b89ec59ab 100644
--- a/src/lib-sasl/mech-scram.c
+++ b/src/lib-sasl/mech-scram.c
@@ -118,16 +118,16 @@ mech_scram_output(struct dsasl_client *client,
 if (client->set.authid == NULL) {
 *error_r = "authid not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 if (client->password == NULL) {
 *error_r = "password not set";
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 }
 if (sclient->scram_client.state == AUTH_SCRAM_CLIENT_STATE_INIT && mech_scram_init(sclient, error_r) < 0)
- return DSASL_CLIENT_RESULT_ERR_PROTOCOL;
+ return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 auth_scram_client_output(&sclient->scram_client, output_r, output_len_r);
diff --git a/src/lib-sasl/test-sasl-client.c b/src/lib-sasl/test-sasl-client.c
index 8fec4ebd6e..11b38428cf 100644
--- a/src/lib-sasl/test-sasl-client.c
+++ b/src/lib-sasl/test-sasl-client.c
@@ -80,7 +80,7 @@ static void test_sasl_client_login(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "authid not set");
 dsasl_client_free(&client);
@@ -89,7 +89,7 @@ static void test_sasl_client_login(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "password not set");
 dsasl_client_free(&client);
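Review bot: The third change in the mech_scram_output hunk maps every mech_scram_init() failure to DSASL_CLIENT_RESULT_ERR_INTERNAL, but the hunk does not show what mech_scram_init can fail on; a one-line comment would record the assumption, e.g. `/* init fails only on local setup errors, never on server input */`. The SCRAM input path is not touched by this commit, so a server-reported error or a server-signature mismatch presumably still returns what it did before and never DSASL_CLIENT_RESULT_AUTH_FAILED. That is worth confirming as intended, since callers may now rely on the result to tell a rejected credential from a misbehaving server. mech_scram_output starts and ends outside the hunk.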
@@ -166,7 +166,7 @@ static void test_sasl_client_plain(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "authid not set");
 dsasl_client_free(&client);
@@ -175,7 +175,7 @@ static void test_sasl_client_plain(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "password not set");
 dsasl_client_free(&client);
@@ -299,7 +299,7 @@ static void test_sasl_client_oauthbearer(void)
 test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_OK);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
 str_append(input, "{\"status\":\"401\",\"schemes\":\"bearer\",\"scope\":\"mail\"}");
- test_assert(dsasl_client_input(client, input->data, input->used, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_input(client, input->data, input->used, &error) == DSASL_CLIENT_RESULT_AUTH_FAILED);
 test_assert_strcmp(error, "Failed to authenticate: 401");
 test_assert(dsasl_client_get_result(client, "status", &value, &error) == 1);
 test_assert_strcmp(value, "401");
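Review bot: The test_sasl_client_oauthbearer hunk at -299 pins DSASL_CLIENT_RESULT_AUTH_FAILED for a `"status":"401"` reply, but none of the visible test hunks asserts that a malformed server reply still yields DSASL_CLIENT_RESULT_ERR_PROTOCOL, so the boundary between the two results is not covered by what this commit changes. No hunk touches a SCRAM test either, although mech_scram_output now returns DSASL_CLIENT_RESULT_ERR_INTERNAL on three paths. Such cases may already exist outside the hunks; if they do not, one assertion per result would pin the distinction, for example `test_assert(dsasl_client_input(client, input->data, input->used, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);` after feeding a reply that is not valid JSON.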
@@ -311,7 +311,7 @@ static void test_sasl_client_oauthbearer(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "authid not set");
 dsasl_client_free(&client);
@@ -320,7 +320,7 @@ static void test_sasl_client_oauthbearer(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "password not set");
 dsasl_client_free(&client);
@@ -367,7 +367,7 @@ static void test_sasl_client_xoauth2(void)
 test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_OK);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
 str_append(input, "{\"status\":\"401\",\"schemes\":\"bearer\",\"scope\":\"mail\"}");
- test_assert(dsasl_client_input(client, input->data, input->used, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_input(client, input->data, input->used, &error) == DSASL_CLIENT_RESULT_AUTH_FAILED);
 test_assert_strcmp(error, "Failed to authenticate: 401");
 dsasl_client_free(&client);
@@ -377,7 +377,7 @@ static void test_sasl_client_xoauth2(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "authid not set");
 dsasl_client_free(&client);
@@ -386,7 +386,7 @@ static void test_sasl_client_xoauth2(void)
 i_assert(client != NULL);
 test_assert(dsasl_client_input(client, uchar_empty_ptr, 0, &error) == DSASL_CLIENT_RESULT_OK);
- test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_PROTOCOL);
+ test_assert(dsasl_client_output(client, &output, &olen, &error) == DSASL_CLIENT_RESULT_ERR_INTERNAL);
 test_assert_strcmp(error, "password not set");
 dsasl_client_free(&client);