From: Timo Sirainen Date: Tue, 4 Aug 2020 14:29:32 +0000 (+0300) Subject: auth: Rename auth_request.credentials_scheme to wanted_credentials_scheme X-Git-Tag: 2.3.13~307 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=764265bfdfda8e855b249231727349ec552fd242;p=thirdparty%2Fdovecot%2Fcore.git auth: Rename auth_request.credentials_scheme to wanted_credentials_scheme Also add comments explaining what it actually does. --- diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c index 5452bf0bad..f82326e38d 100644 --- a/src/auth/auth-request.c +++ b/src/auth/auth-request.c @@ -237,7 +237,7 @@ auth_request_finished_event(struct auth_request *request, struct event *event) if (request->userdb_lookup) { return e; } - e->add_str("credentials_scheme", request->credentials_scheme); + e->add_str("credentials_scheme", request->wanted_credentials_scheme); e->add_str("realm", request->fields.realm); if (request->policy_penalty > 0) e->add_int("policy_penalty", request->policy_penalty); @@ -1110,7 +1110,10 @@ void auth_request_default_verify_plain_continue(struct auth_request *request, } auth_request_set_state(request, AUTH_REQUEST_STATE_PASSDB); - request->credentials_scheme = NULL; + /* In case this request had already done a credentials lookup (is it + even possible?), make sure wanted_credentials_scheme is cleared + so passdbs don't think we're doing a credentials lookup. */ + request->wanted_credentials_scheme = NULL; if (passdb->passdb->iface.verify_plain == NULL) { /* we're deinitializing and just want to get rid of this @@ -1155,7 +1158,7 @@ auth_request_lookup_credentials_finish(enum passdb_result result, credentials, size); } auth_request_lookup_credentials(request, - request->credentials_scheme, + request->wanted_credentials_scheme, request->private_callback.lookup_credentials); } else { if (request->fields.delayed_credentials != NULL && size == 0) { 
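Review bot: The event field written in auth_request_finished_event keeps the old name `credentials_scheme` while the struct member it reads is renamed to wanted_credentials_scheme, and nothing in the hunk says the mismatch is deliberate. Event field names are presumably externally visible (event filters, log formats), so a later cleanup that "fixes" the string to match the member would silently break users. I would add `/* Event field name is external API; intentionally not renamed with the struct member. */` above the add_str call. The enclosing function starts before the hunk.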
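Review bot: The new comment in auth_request_default_verify_plain_continue leaves an open question, `(is it even possible?)`, in shipped code, which tells the next reader nothing about whether the clear is a no-op or a real state transition. If the author believes the state is unreachable, the honest form is to say so and keep the defensive clear; an `i_assert` would be the alternative, but an assertion failure in the auth process takes the service down, so I would not add one without evidence that the state cannot occur. I would reword to `/* Clear any scheme left from an earlier credentials lookup on this request, so passdbs treat this as plaintext verification rather than a credentials lookup. Not known to be reachable with the scheme already set; kept as a defensive reset. */`. The function starts and ends outside the hunk.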
@@ -1234,8 +1237,9 @@ void auth_request_lookup_credentials(struct auth_request *request, i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE); - if (request->credentials_scheme == NULL) - request->credentials_scheme = p_strdup(request->pool, scheme); + if (request->wanted_credentials_scheme == NULL) + request->wanted_credentials_scheme = + p_strdup(request->pool, scheme); request->user_changed_by_lookup = FALSE; if (request->policy_processed || !request->set->policy_check_before_auth) diff --git a/src/auth/auth-request.h b/src/auth/auth-request.h index 9a1f2cd55c..814326a47f 100644 --- a/src/auth/auth-request.h +++ b/src/auth/auth-request.h @@ -143,7 +143,17 @@ struct auth_request { set_credentials_callback_t *set_credentials; userdb_callback_t *userdb; } private_callback; - const char *credentials_scheme; + /* Used by passdb's credentials lookup to determine which scheme is + wanted by the caller. For example CRAM-MD5 SASL mechanism wants + CRAM-MD5 scheme for passwords. + + When doing a PASS lookup (without authenticating), this is set to "" + to imply that caller accepts any kind of credentials. After the + credentials lookup is finished, this is set to the scheme that was + actually received. + + Otherwise, this is kept as NULL. */ + const char *wanted_credentials_scheme; void *context; diff --git a/src/auth/auth-worker-client.c b/src/auth/auth-worker-client.c index af7cddf46d..f27a998b02 100644 --- a/src/auth/auth-worker-client.c +++ b/src/auth/auth-worker-client.c @@ -350,8 +350,8 @@ lookup_credentials_callback(enum passdb_result result, if (request->user_changed_by_lookup) str_append_tabescaped(str, request->fields.user); str_append_c(str, '\t'); - if (request->credentials_scheme[0] != '\0') { - str_printfa(str, "{%s.b64}", request->credentials_scheme); + if (request->wanted_credentials_scheme[0] != '\0') { + str_printfa(str, "{%s.b64}", request->wanted_credentials_scheme); base64_encode(credentials, size, str); } else { i_assert(size == 0); 
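Review bot: The new comment on wanted_credentials_scheme says the field is "set to the scheme that was actually received" after the lookup, but per passdb_get_credentials that overwrite happens only when the field was "" (a PASS lookup), and from then on the value no longer means "wanted" at all; lookup_credentials_callback in auth-worker-client.c uses exactly that overwritten value to label the returned credentials, so the distinction matters. I would make the second paragraph explicit: `Only in that case, once the lookup finishes, passdb_get_credentials() overwrites it with the scheme actually received, and auth-worker-client.c relies on that value when returning the credentials.` The "only in that case" is what the `*wanted_scheme == '\0'` check in passdb.c shows; I have not traced other writers, so confirm before committing the comment.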
@@ -389,7 +389,8 @@ auth_worker_handle_passl(struct auth_worker_command *cmd, *error_r = "BUG: PASSL had missing parameters"; return FALSE; } - auth_request->credentials_scheme = p_strdup(auth_request->pool, scheme); + auth_request->wanted_credentials_scheme = + p_strdup(auth_request->pool, scheme); while (auth_request->passdb->passdb->id != passdb_id) { auth_request->passdb = auth_request->passdb->next; diff --git a/src/auth/db-checkpassword.c b/src/auth/db-checkpassword.c index 60b24df259..6d795b252f 100644 --- a/src/auth/db-checkpassword.c +++ b/src/auth/db-checkpassword.c @@ -406,11 +406,11 @@ checkpassword_exec(struct db_checkpassword *db, struct auth_request *request, special checkpassword program which knows how to handle this. */ env_put("AUTHORIZED=1"); - if (request->credentials_scheme != NULL) { + if (request->wanted_credentials_scheme != NULL) { /* passdb credentials lookup */ env_put("CREDENTIALS_LOOKUP=1"); env_put(t_strdup_printf("SCHEME=%s", - request->credentials_scheme)); + request->wanted_credentials_scheme)); } } checkpassword_setup_env(request); diff --git a/src/auth/passdb-blocking.c b/src/auth/passdb-blocking.c index 2f2668d4af..a030e8f4ef 100644 --- a/src/auth/passdb-blocking.c +++ b/src/auth/passdb-blocking.c @@ -131,7 +131,7 @@ void passdb_blocking_lookup_credentials(struct auth_request *request) str = t_str_new(128); str_printfa(str, "PASSL\t%u\t", request->passdb->passdb->id); - str_append_tabescaped(str, request->credentials_scheme); + str_append_tabescaped(str, request->wanted_credentials_scheme); str_append_c(str, '\t'); auth_request_export(request, str); diff --git a/src/auth/passdb-checkpassword.c b/src/auth/passdb-checkpassword.c index b1e5a368b3..101c7f0c57 100644 --- a/src/auth/passdb-checkpassword.c +++ b/src/auth/passdb-checkpassword.c 
@@ -95,7 +95,7 @@ credentials_checkpassword_callback(struct auth_request *request, } scheme = password_get_scheme(&crypted_pass); if (scheme == NULL) - scheme = request->credentials_scheme; + scheme = request->wanted_credentials_scheme; passdb_handle_credentials(PASSDB_RESULT_OK, crypted_pass, scheme, callback, request); diff --git a/src/auth/passdb-dict.c b/src/auth/passdb-dict.c index d2644e19e6..f264035fcf 100644 --- a/src/auth/passdb-dict.c +++ b/src/auth/passdb-dict.c @@ -105,7 +105,7 @@ static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request) i_assert(password == NULL || scheme != NULL); } - if (auth_request->credentials_scheme != NULL) { + if (auth_request->wanted_credentials_scheme != NULL) { passdb_handle_credentials(passdb_result, password, scheme, dict_request->callback.lookup_credentials, auth_request); diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c index dddc65ba23..11b9ae891a 100644 --- a/src/auth/passdb-ldap.c +++ b/src/auth/passdb-ldap.c @@ -96,7 +96,7 @@ ldap_lookup_finish(struct auth_request *auth_request, /* auth_request_set_field() sets scheme */ i_assert(password == NULL || scheme != NULL); - if (auth_request->credentials_scheme != NULL) { + if (auth_request->wanted_credentials_scheme != NULL) { passdb_handle_credentials(passdb_result, password, scheme, ldap_request->callback.lookup_credentials, auth_request); @@ -200,7 +200,7 @@ static void passdb_ldap_request_fail(struct passdb_ldap_request *request, { struct auth_request *auth_request = request->request.ldap.auth_request; - if (auth_request->credentials_scheme != NULL) { + if (auth_request->wanted_credentials_scheme != NULL) { request->callback.lookup_credentials(passdb_result, NULL, 0, auth_request); } else { diff --git a/src/auth/passdb-sql.c b/src/auth/passdb-sql.c index 376e3cded2..2c8b131a2e 100644 --- a/src/auth/passdb-sql.c +++ b/src/auth/passdb-sql.c 
@@ -114,7 +114,7 @@ static void sql_query_callback(struct sql_result *result, /* auth_request_set_field() sets scheme */ i_assert(password == NULL || scheme != NULL); - if (auth_request->credentials_scheme != NULL) { + if (auth_request->wanted_credentials_scheme != NULL) { passdb_handle_credentials(passdb_result, password, scheme, sql_request->callback.lookup_credentials, auth_request); diff --git a/src/auth/passdb.c b/src/auth/passdb.c index ad1e0f384e..93ba84a9ac 100644 --- a/src/auth/passdb.c +++ b/src/auth/passdb.c @@ -60,7 +60,7 @@ bool passdb_get_credentials(struct auth_request *auth_request, const char *input, const char *input_scheme, const unsigned char **credentials_r, size_t *size_r) { - const char *wanted_scheme = auth_request->credentials_scheme; + const char *wanted_scheme = auth_request->wanted_credentials_scheme; const char *plaintext, *error; int ret; struct password_generate_params pwd_gen_params; @@ -87,9 +87,9 @@ bool passdb_get_credentials(struct auth_request *auth_request, } if (*wanted_scheme == '\0') { - /* anything goes. change the credentials_scheme to what we - actually got, so blocking passdbs work. */ - auth_request->credentials_scheme = + /* anything goes. change the wanted_credentials_scheme to what + we actually got, so blocking passdbs work. */ + auth_request->wanted_credentials_scheme = p_strdup(auth_request->pool, t_strcut(input_scheme, '.')); return TRUE; } @@ -155,7 +155,7 @@ void passdb_handle_credentials(enum passdb_result result, if (!passdb_get_credentials(auth_request, password, scheme, &credentials, &size)) result = PASSDB_RESULT_SCHEME_NOT_AVAILABLE; - } else if (*auth_request->credentials_scheme == '\0') { + } else if (*auth_request->wanted_credentials_scheme == '\0') { /* We're doing a passdb lookup (not authenticating). Pass through a NULL password without an error. */ } else if (auth_request->fields.delayed_credentials != NULL) { 
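Review bot: The reworded comment on the "anything goes" branch in passdb_get_credentials explains why the field is overwritten but not what `t_strcut(input_scheme, '.')` is for, which is the non-obvious part of the line. It appears to strip an encoding suffix (auth-worker-client.c labels returned credentials as `{scheme.b64}`), so only the bare scheme name is stored and echoed back to the caller; that should be stated rather than left to be rediscovered. I would extend the comment with `Any ".suffix" (e.g. the .b64 encoding marker) is cut off so only the bare scheme name is kept.` — this is my reading of the call, so confirm it against the password scheme conventions before committing. The function starts and ends outside the hunk.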
@@ -165,7 +165,7 @@ void passdb_handle_credentials(enum passdb_result result, } else { e_info(authdb_event(auth_request), "Requested %s scheme, but we have a NULL password", - auth_request->credentials_scheme); + auth_request->wanted_credentials_scheme); result = PASSDB_RESULT_SCHEME_NOT_AVAILABLE; }