From: Aki Tuomi
Date: Wed, 28 Dec 2022 10:19:11 +0000 (+0200)
Subject: auth: Fix auth_request_password_verify() result handling
X-Git-Tag: 2.4.0~3247
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fb85c75b129b97ab0ac4337e0f46c01738ae718;p=thirdparty%2Fdovecot%2Fcore.git

auth: Fix auth_request_password_verify() result handling

Pass the result directly to caller, as auth_request_password_verify() returns passdb result already.
---
diff --git a/src/auth/auth-worker-server.c b/src/auth/auth-worker-server.c
index d326bcac97..15b8202298 100644
--- a/src/auth/auth-worker-server.c
+++ b/src/auth/auth-worker-server.c
@@ -309,7 +309,7 @@ auth_worker_handle_passw(struct auth_worker_command *cmd,
 const char *password;
 const char *crypted, *scheme, *error;
 unsigned int passdb_id;
- int ret;
+ enum passdb_result ret;
 if (str_to_uint(args[0], &passdb_id) < 0 || args[1] == NULL || args[2] == NULL) {
@@ -336,15 +336,12 @@ auth_worker_handle_passw(struct auth_worker_command *cmd,
 str = t_str_new(128);
 str_printfa(str, "%u\t", request->id);
- if (ret == 1) {
+ if (ret == PASSDB_RESULT_OK) {
 str_printfa(str, "OK\t\t");
 error = NULL;
- } else if (ret == 0) {
- str_printfa(str, "FAIL\t%d", PASSDB_RESULT_PASSWORD_MISMATCH);
- error = passdb_result_to_string(PASSDB_RESULT_PASSWORD_MISMATCH);
 } else {
- str_printfa(str, "FAIL\t%d", PASSDB_RESULT_INTERNAL_FAILURE);
- error = passdb_result_to_string(PASSDB_RESULT_INTERNAL_FAILURE);
+ str_printfa(str, "FAIL\t%d", ret);
+ error = passdb_result_to_string(ret);
 }
 str_append_c(str, '\n');
diff --git a/src/auth/passdb-cache.c b/src/auth/passdb-cache.c
index 45c8071df9..3cab11aeb1 100644
--- a/src/auth/passdb-cache.c
+++ b/src/auth/passdb-cache.c
@@ -74,7 +74,7 @@ bool passdb_cache_verify_plain(struct auth_request *request, const char *key,
 {
 const char *value, *cached_pw, *scheme, *const *list;
 struct auth_cache_node *node;
- int ret;
+ enum passdb_result ret;
 bool neg_expired;
 if (passdb_cache == NULL || key == NULL)
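Review bot: In src/auth/auth-worker-server.c (second hunk) the new `str_printfa(str, "FAIL\t%d", ret);` passes an `enum passdb_result` to `%d`; writing `str_printfa(str, "FAIL\t%d", (int)ret);` keeps the format and argument types matched whatever underlying type the compiler picks for the enum. The reply line can now carry any passdb_result value instead of only the two codes the removed branches emitted, so whatever parses `FAIL\t<code>` on the other side should be checked to accept the wider range and to treat an unrecognised code as a failure, never as success. The statement that assigns `ret` lies between the two hunks and is not visible here.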
@@ -99,7 +99,7 @@ bool passdb_cache_verify_plain(struct auth_request *request, const char *key,
 /* NULL password */
 e_info(authdb_event(request), "Cached NULL password access");
- ret = 1;
+ ret = PASSDB_RESULT_OK;
 } else if (request->set->cache_verify_password_with_worker) {
 string_t *str;
@@ -129,7 +129,8 @@ bool passdb_cache_verify_plain(struct auth_request *request, const char *key,
 scheme, AUTH_SUBSYS_DB, !(node->last_success || neg_expired));
- if (ret == 0 && (node->last_success || neg_expired)) {
+ if (ret == PASSDB_RESULT_PASSWORD_MISMATCH &&
+ (node->last_success || neg_expired)) {
 /* a) the last authentication was successful. assume that the password was changed and cache is expired. b) negative TTL reached, use it for password
@@ -138,14 +139,13 @@ bool passdb_cache_verify_plain(struct auth_request *request, const char *key,
 return FALSE;
 }
 }
- node->last_success = ret > 0;
+ node->last_success = ret == PASSDB_RESULT_OK;
 /* save the extra_fields only after we know we're using the cached data */
 auth_request_set_fields(request, list + 1, NULL);
- *result_r = ret > 0 ? PASSDB_RESULT_OK :
- PASSDB_RESULT_PASSWORD_MISMATCH;
+ *result_r = ret;
 auth_request_verify_plain_callback_finish(*result_r, request);
 return TRUE;
diff --git a/src/auth/passdb-dict.c b/src/auth/passdb-dict.c
index 97201ca459..26b0c29cc2 100644
--- a/src/auth/passdb-dict.c
+++ b/src/auth/passdb-dict.c
@@ -85,7 +85,6 @@ static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request)
 (struct dict_passdb_module *)_module;
 const char *password = NULL, *scheme = NULL;
 enum passdb_result passdb_result;
- int ret;
 if (array_count(&module->conn->set.passdb_fields) == 0 && array_count(&module->conn->set.parsed_passdb_objects) == 0) {
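Review bot: In passdb_cache_verify_plain() (src/auth/passdb-cache.c, last hunk) a result that is neither OK nor PASSWORD_MISMATCH now reaches `node->last_success = ret == PASSDB_RESULT_OK;` and `*result_r = ret;`, so a failure while verifying the cached hash clears last_success and ends the request from cache with that error. If such a result is meant to count as a cache miss so that the real passdb is consulted, the guard in the preceding hunk could read `if (ret != PASSDB_RESULT_OK && (node->last_success || neg_expired)) {`; if returning it from cache is intended, a comment such as `/* non-mismatch failures are returned as-is and also reset last_success */` above the assignment would record that. The call that assigns `ret` starts outside the hunk, so its return type cannot be confirmed from the visible lines.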
@@ -111,11 +110,10 @@ static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request)
 auth_request);
 } else {
 if (password != NULL) {
- ret = auth_request_password_verify(auth_request,
+ passdb_result =
+ auth_request_password_verify(auth_request,
 auth_request->mech_password, password, scheme, AUTH_SUBSYS_DB);
- passdb_result = ret > 0 ? PASSDB_RESULT_OK :
- PASSDB_RESULT_PASSWORD_MISMATCH;
 }
 dict_request->callback.verify_plain(passdb_result,
diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c
index 11b9ae891a..1aa4b28804 100644
--- a/src/auth/passdb-ldap.c
+++ b/src/auth/passdb-ldap.c
@@ -70,7 +70,6 @@ ldap_lookup_finish(struct auth_request *auth_request,
 {
 enum passdb_result passdb_result;
 const char *password = NULL, *scheme;
- int ret;
 if (res == NULL) {
 passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
@@ -102,11 +101,10 @@ ldap_lookup_finish(struct auth_request *auth_request,
 auth_request);
 } else {
 if (password != NULL) {
- ret = auth_request_password_verify(auth_request,
+ passdb_result =
+ auth_request_password_verify(auth_request,
 auth_request->mech_password, password, scheme, AUTH_SUBSYS_DB);
- passdb_result = ret > 0 ? PASSDB_RESULT_OK :
- PASSDB_RESULT_PASSWORD_MISMATCH;
 }
 ldap_request->callback.verify_plain(passdb_result,
diff --git a/src/auth/passdb-lua.c b/src/auth/passdb-lua.c
index 1b39146efc..b67ab0667a 100644
--- a/src/auth/passdb-lua.c
+++ b/src/auth/passdb-lua.c
@@ -94,10 +94,10 @@ passdb_lua_verify_plain(struct auth_request *request, const char *password,
 if (result == PASSDB_RESULT_OK) {
 if (lua_scheme == NULL) lua_scheme = "PLAIN";
- if ((auth_request_password_verify(request, password, lua_password,
- lua_scheme, AUTH_SUBSYS_DB)) <=0) {
- result = PASSDB_RESULT_PASSWORD_MISMATCH;
- }
+ result = auth_request_password_verify(request, password,
+ lua_password,
+ lua_scheme,
+ AUTH_SUBSYS_DB);
 }
 }
 callback(result, request);
diff --git a/src/auth/passdb-passwd-file.c b/src/auth/passdb-passwd-file.c
index 227fab3771..1f45fab182 100644
--- a/src/auth/passdb-passwd-file.c
+++ b/src/auth/passdb-passwd-file.c
@@ -79,6 +79,7 @@ passwd_file_verify_plain(struct auth_request *request, const char *password,
 (struct passwd_file_passdb_module *)_module;
 struct passwd_user *pu;
 const char *scheme, *crypted_pass;
+ enum passdb_result result;
 int ret;
 ret = db_passwd_file_lookup(module->pwf, request,
@@ -94,11 +95,10 @@ passwd_file_verify_plain(struct auth_request *request, const char *password,
 return;
 }
- ret = auth_request_password_verify(request, password, crypted_pass,
- scheme, AUTH_SUBSYS_DB);
+ result = auth_request_password_verify(request, password, crypted_pass,
+ scheme, AUTH_SUBSYS_DB);
- callback(ret > 0 ? PASSDB_RESULT_OK : PASSDB_RESULT_PASSWORD_MISMATCH,
- request);
+ callback(result, request);
 }
 static void
diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c
index e09f9ede59..89c54eb01e 100644
--- a/src/auth/passdb-passwd.c
+++ b/src/auth/passdb-passwd.c
@@ -44,7 +44,6 @@ passwd_verify_plain(struct auth_request *request, const char *password,
 {
 struct passwd pw;
 enum passdb_result res;
- int ret;
 res = passwd_lookup(request, &pw);
 if (res != PASSDB_RESULT_OK) {
@@ -52,21 +51,21 @@ passwd_verify_plain(struct auth_request *request, const char *password,
 return;
 }
 /* check if the password is valid */
- ret = auth_request_password_verify(request, password, pw.pw_passwd,
+ res = auth_request_password_verify(request, password, pw.pw_passwd,
 PASSWD_PASS_SCHEME, AUTH_SUBSYS_DB);
 /* clear the passwords from memory */
 safe_memset(pw.pw_passwd, 0, strlen(pw.pw_passwd));
- if (ret <= 0) {
- callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);
+ if (res != PASSDB_RESULT_OK) {
+ callback(res, request);
 return;
 }
 /* make sure we're using the username exactly as it's in the database */
 auth_request_set_field(request, "user", pw.pw_name, NULL);
- callback(PASSDB_RESULT_OK, request);
+ callback(res, request);
 }
 static void
diff --git a/src/auth/passdb-sql.c b/src/auth/passdb-sql.c
index 8596cac3a6..41321e6a2a 100644
--- a/src/auth/passdb-sql.c
+++ b/src/auth/passdb-sql.c
@@ -133,13 +133,11 @@ static void sql_query_callback(struct sql_result *result,
 return;
 }
- ret = auth_request_password_verify(auth_request,
- auth_request->mech_password,
- password, scheme, AUTH_SUBSYS_DB);
+ passdb_result = auth_request_password_verify(auth_request,
+ auth_request->mech_password,
+ password, scheme, AUTH_SUBSYS_DB);
- sql_request->callback.verify_plain(ret > 0 ? PASSDB_RESULT_OK :
- PASSDB_RESULT_PASSWORD_MISMATCH,
- auth_request);
+ sql_request->callback.verify_plain(passdb_result, auth_request);
 i_assert(dup_password != NULL);
 safe_memset(dup_password, 0, strlen(dup_password));
 auth_request_unref(&auth_request);
diff --git a/src/auth/passdb-static.c b/src/auth/passdb-static.c
index f43123fbcd..2b99fabb36 100644
--- a/src/auth/passdb-static.c
+++ b/src/auth/passdb-static.c
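Review bot: The last `callback(res, request);` in passwd_verify_plain() (src/auth/passdb-passwd.c) is only reached after the `res != PASSDB_RESULT_OK` guard has returned, so `res` is always PASSDB_RESULT_OK at that point. Keeping the literal, `callback(PASSDB_RESULT_OK, request);`, states the success path explicitly and stays correct if the guard is edited later. A comment above the guard, for example `/* any non-OK result is passed to the callback unchanged */`, would document that failures other than a mismatch are no longer folded into PASSDB_RESULT_PASSWORD_MISMATCH. The function begins outside this hunk.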
@@ -62,22 +62,15 @@ static_verify_plain(struct auth_request *request, const char *password,
 const char *static_password;
 const char *static_scheme;
- int ret;
-
 result = static_save_fields(request, &static_password, &static_scheme);
 if (result != PASSDB_RESULT_OK) {
 callback(result, request);
 return;
 }
- ret = auth_request_password_verify(request, password, static_password,
- static_scheme, AUTH_SUBSYS_DB);
- if (ret <= 0) {
- callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);
- return;
- }
-
- callback(PASSDB_RESULT_OK, request);
+ result = auth_request_password_verify(request, password, static_password,
+ static_scheme, AUTH_SUBSYS_DB);
+ callback(result, request);
 }
 static void