From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Tue, 4 Aug 2020 09:42:22 +0000 (+0300)
Subject: auth: Add and use auth_request_set_password_verified()
X-Git-Tag: 2.3.13~318
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1797aaf874c479116eaae8844e44572b31c8cf45;p=thirdparty%2Fdovecot%2Fcore.git

auth: Add and use auth_request_set_password_verified()
---

diff --git a/src/auth/auth-request-fields.c b/src/auth/auth-request-fields.c
index cd64098091..e824d25b26 100644
--- a/src/auth/auth-request-fields.c
+++ b/src/auth/auth-request-fields.c
@@ -232,7 +232,7 @@ bool auth_request_import(struct auth_request *request,
 	else if (strcmp(key, "successful") == 0)
 		auth_request_set_auth_successful(request);
 	else if (strcmp(key, "skip-password-check") == 0)
-		fields->skip_password_check = TRUE;
+		auth_request_set_password_verified(request);
 	else if (strcmp(key, "delayed-credentials") == 0) {
 		/* just make passdb_handle_credentials() work identically in
 		   auth-worker as it does in auth-master. the worker shouldn't
@@ -437,3 +437,8 @@ void auth_request_set_auth_successful(struct auth_request *request)
 {
 	request->fields.successful = TRUE;
 }
+
+void auth_request_set_password_verified(struct auth_request *request)
+{
+	request->fields.skip_password_check = TRUE;
+}
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index 27eae077c4..6cb3479bc4 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -812,7 +812,7 @@ auth_request_handle_passdb_callback(enum passdb_result *result,
 		if (*result == PASSDB_RESULT_OK) {
 			/* password was successfully verified. don't bother
 			   checking it again. */
-			request->fields.skip_password_check = TRUE;
+			auth_request_set_password_verified(request);
 		}
 		break;
 	case AUTH_DB_RULE_CONTINUE_OK:
@@ -820,7 +820,7 @@ auth_request_handle_passdb_callback(enum passdb_result *result,
 		request->passdb_success = TRUE;
 		/* password was successfully verified. don't bother
 		   checking it again. */
-		request->fields.skip_password_check = TRUE;
+		auth_request_set_password_verified(request);
 		break;
 	case AUTH_DB_RULE_CONTINUE_FAIL:
 		passdb_continue = TRUE;
diff --git a/src/auth/auth-request.h b/src/auth/auth-request.h
index af682a6e9a..94caecf6c6 100644
--- a/src/auth/auth-request.h
+++ b/src/auth/auth-request.h
@@ -69,6 +69,10 @@ struct auth_request_fields {
 	   and such. There may still be some final delay or final SASL
 	   response. */
 	bool successful:1;
+	/* Password was verified successfully by a passdb. The following
+	   passdbs shouldn't attempt to verify the password again. Note that
+	   this differs from passdb_success, which may be set to FALSE due to
+	   the result_* rules. */
 	bool skip_password_check:1;
 
 	/* flags received from auth client: */
@@ -242,6 +246,8 @@ bool auth_request_set_login_username(struct auth_request *request,
 void auth_request_set_realm(struct auth_request *request, const char *realm);
 /* Request was fully successfully authenticated, including policy checks etc. */
 void auth_request_set_auth_successful(struct auth_request *request);
+/* Password was successfully verified by a passdb. */
+void auth_request_set_password_verified(struct auth_request *request);
 
 void auth_request_set_field(struct auth_request *request,
 			    const char *name, const char *value,