From: Stephan Bosch Date: Sat, 4 Mar 2023 03:00:51 +0000 (+0100) Subject: auth: sasl-server - Add sasl_server_request_failure() X-Git-Tag: 2.4.2~273 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab78c1b54bee506476a69b39fe8a5b97e4966ceb;p=thirdparty%2Fdovecot%2Fcore.git auth: sasl-server - Add sasl_server_request_failure() Wraps auth_request_fail(). --- diff --git a/src/auth/auth-sasl-mech-apop.c b/src/auth/auth-sasl-mech-apop.c index c1dc95febc..f3dd6f6f50 100644 --- a/src/auth/auth-sasl-mech-apop.c +++ b/src/auth/auth-sasl-mech-apop.c @@ -55,13 +55,13 @@ apop_credentials_callback(enum passdb_result result, if (verify_credentials(request, credentials, size)) sasl_server_request_success(auth_request, "", 0); else - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); break; case PASSDB_RESULT_INTERNAL_FAILURE: auth_request_internal_failure(auth_request); break; default: - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); break; } } @@ -84,7 +84,7 @@ mech_apop_auth_initial(struct auth_request *auth_request, /* Should never happen */ e_info(auth_request->mech_event, "no initial response"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -105,7 +105,7 @@ mech_apop_auth_initial(struct auth_request *auth_request, /* should never happen */ e_info(auth_request->mech_event, "malformed data"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -113,7 +113,7 @@ mech_apop_auth_initial(struct auth_request *auth_request, /* Should never happen */ e_info(auth_request->mech_event, "malformed data"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } memcpy(request->response_digest, tmp + 1, @@ -131,14 +131,14 @@ mech_apop_auth_initial(struct auth_request *auth_request, (time_t)timestamp < process_start_time) { e_info(auth_request->mech_event, "invalid challenge"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } if (!auth_request_set_username(auth_request, (const char *)username, &error)) { e_info(auth_request->mech_event, "%s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } diff --git a/src/auth/auth-sasl-mech-dovecot-token.c b/src/auth/auth-sasl-mech-dovecot-token.c index 358200d882..08815ac106 100644 --- a/src/auth/auth-sasl-mech-dovecot-token.c +++ b/src/auth/auth-sasl-mech-dovecot-token.c @@ -43,11 +43,11 @@ mech_dovecot_token_auth_continue(struct auth_request *request, if (count != 4) { /* invalid input */ e_info(request->mech_event, "invalid input"); - auth_request_fail(request); + sasl_server_request_failure(request); } else if (!auth_request_set_username(request, username, &error)) { /* invalid username */ e_info(request->mech_event, "%s", error); - auth_request_fail(request); + sasl_server_request_failure(request); } else { const char *valid_token = auth_token_get(service, pid, request->fields.user, @@ -59,7 +59,7 @@ mech_dovecot_token_auth_continue(struct auth_request *request, auth_request_set_field(request, "userdb_client_service", service, ""); sasl_server_request_success(request, NULL, 0); } else { - auth_request_fail(request); + sasl_server_request_failure(request); } } diff --git a/src/auth/sasl-server-mech-cram-md5.c b/src/auth/sasl-server-mech-cram-md5.c index 2d40123fca..143f11af34 100644 --- a/src/auth/sasl-server-mech-cram-md5.c +++ b/src/auth/sasl-server-mech-cram-md5.c @@ -57,7 +57,7 @@ verify_credentials(struct auth_request *auth_request, if (size != CRAM_MD5_CONTEXTLEN) { e_error(auth_request->mech_event, "invalid credentials length"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -72,7 +72,7 @@ verify_credentials(struct auth_request *auth_request, sizeof(digest) * 2)) { e_info(auth_request->mech_event, AUTH_LOG_MSG_PASSWORD_MISMATCH); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -122,7 +122,7 @@ credentials_callback(enum passdb_result result, auth_request_internal_failure(auth_request); break; default: - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); break; } } @@ -137,13 +137,13 @@ mech_cram_md5_auth_continue(struct auth_request *auth_request, const char *error; if (!parse_cram_response(request, data, data_size)) { - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } if (!auth_request_set_username(auth_request, request->username, &error)) { e_info(auth_request->mech_event, "%s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } diff --git a/src/auth/sasl-server-mech-digest-md5.c b/src/auth/sasl-server-mech-digest-md5.c index 66c2af4e92..c4bad4d104 100644 --- a/src/auth/sasl-server-mech-digest-md5.c +++ b/src/auth/sasl-server-mech-digest-md5.c @@ -126,7 +126,7 @@ verify_credentials(struct auth_request *auth_request, if (size != MD5_RESULTLEN) { e_error(auth_request->mech_event, "invalid credentials length"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -216,7 +216,7 @@ verify_credentials(struct auth_request *auth_request, request->response, 32)) { e_info(auth_request->mech_event, AUTH_LOG_MSG_PASSWORD_MISMATCH); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } } else { @@ -541,7 +541,7 @@ credentials_callback(enum passdb_result result, auth_request_internal_failure(auth_request); break; default: - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); break; } } @@ -557,7 +557,7 @@ mech_digest_md5_auth_continue(struct auth_request *auth_request, if (!parse_digest_response(request, data, data_size, &error)) { e_info(auth_request->mech_event, "%s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -571,14 +571,14 @@ mech_digest_md5_auth_continue(struct auth_request *auth_request, } if (!auth_request_set_username(auth_request, username, &error)) { e_info(auth_request->mech_event, "%s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } if (request->authzid != NULL && !auth_request_set_login_username(auth_request, request->authzid, &error)) { e_info(auth_request->mech_event, "login user: %s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } diff --git a/src/auth/sasl-server-mech-external.c b/src/auth/sasl-server-mech-external.c index ac71d70158..3b32774be9 100644 --- a/src/auth/sasl-server-mech-external.c +++ b/src/auth/sasl-server-mech-external.c @@ -15,7 +15,7 @@ mech_external_auth_continue(struct auth_request *request, if (request->fields.user == NULL) { e_info(request->mech_event, "username not known"); - auth_request_fail(request); + sasl_server_request_failure(request); return; } @@ -24,7 +24,7 @@ mech_external_auth_continue(struct auth_request *request, if (!auth_request_set_username(request, "", &error)) { e_info(request->mech_event, "Invalid username"); - auth_request_fail(request); + sasl_server_request_failure(request); return; } @@ -33,7 +33,7 @@ mech_external_auth_continue(struct auth_request *request, /* invalid login username */ e_info(request->mech_event, "login user: %s", error); - auth_request_fail(request); + sasl_server_request_failure(request); } else { auth_request_verify_plain( request, "", sasl_server_mech_plain_verify_callback); diff --git a/src/auth/sasl-server-mech-login.c b/src/auth/sasl-server-mech-login.c index a7e0a9118b..d7d3f0106d 100644 --- a/src/auth/sasl-server-mech-login.c +++ b/src/auth/sasl-server-mech-login.c @@ -24,7 +24,7 @@ mech_login_auth_continue(struct auth_request *request, if (!auth_request_set_username(request, username, &error)) { e_info(request->mech_event, "%s", error); - auth_request_fail(request); + sasl_server_request_failure(request); return; } diff --git a/src/auth/sasl-server-mech-oauth2.c b/src/auth/sasl-server-mech-oauth2.c index bbdcfe492c..5cd53c979b 100644 --- a/src/auth/sasl-server-mech-oauth2.c +++ b/src/auth/sasl-server-mech-oauth2.c @@ -68,7 +68,8 @@ oauth2_fail(struct oauth2_auth_request *oauth2_req, json_ostream_nfinish_destroy(&joutput); oauth2_req->failed = TRUE; - auth_request_fail_with_reply(request, str_data(reply), str_len(reply)); + sasl_server_request_failure_with_reply(request, + str_data(reply), str_len(reply)); } static void diff --git a/src/auth/sasl-server-mech-otp.c b/src/auth/sasl-server-mech-otp.c index 81f839d61c..e7a45a390a 100644 --- a/src/auth/sasl-server-mech-otp.c +++ b/src/auth/sasl-server-mech-otp.c @@ -83,21 +83,21 @@ otp_send_challenge(struct otp_auth_request *request, &request->state) != 0) { e_error(auth_request->mech_event, "invalid OTP data in passdb"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } if (--request->state.seq < 1) { e_error(auth_request->mech_event, "sequence number < 1"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } if (!otp_try_lock(request)) { e_error(auth_request->mech_event, "user is locked, race attack?"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -125,7 +125,7 @@ otp_credentials_callback(enum passdb_result result, auth_request_internal_failure(auth_request); break; default: - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); break; } } @@ -152,13 +152,13 @@ mech_otp_auth_phase1(struct otp_auth_request *request, if (count != 1) { e_info(auth_request->mech_event, "invalid input"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } if (!auth_request_set_username(auth_request, authenid, &error)) { e_info(auth_request->mech_event, "%s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } @@ -194,7 +194,7 @@ mech_otp_verify(struct otp_auth_request *request, const char *data, bool hex) ret = otp_parse_response(data, hash, hex); if (ret < 0) { e_info(auth_request->mech_event, "invalid response"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); otp_unlock(request); return; } @@ -203,7 +203,7 @@ mech_otp_verify(struct otp_auth_request *request, const char *data, bool hex) ret = memcmp(cur_hash, state->hash, OTP_HASH_SIZE); if (ret != 0) { - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); otp_unlock(request); return; } @@ -229,7 +229,7 @@ mech_otp_verify_init(struct otp_auth_request *request, const char *data, if (ret < 0) { e_info(auth_request->mech_event, "invalid init response, %s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); otp_unlock(request); return; } @@ -238,7 +238,7 @@ mech_otp_verify_init(struct otp_auth_request *request, const char *data, ret = memcmp(hash, request->state.hash, OTP_HASH_SIZE); if (ret != 0) { - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); otp_unlock(request); return; } @@ -266,7 +266,7 @@ mech_otp_auth_phase2(struct otp_auth_request *request, else { e_info(auth_request->mech_event, "unsupported response type"); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); otp_unlock(request); } } diff --git a/src/auth/sasl-server-mech-plain-common.c b/src/auth/sasl-server-mech-plain-common.c index 9d2a9bbf2f..ce7b82524c 100644 --- a/src/auth/sasl-server-mech-plain-common.c +++ b/src/auth/sasl-server-mech-plain-common.c @@ -16,7 +16,7 @@ void sasl_server_mech_plain_verify_callback(enum passdb_result result, auth_request_internal_failure(request); break; default: - auth_request_fail(request); + sasl_server_request_failure(request); break; } } diff --git a/src/auth/sasl-server-mech-plain.c b/src/auth/sasl-server-mech-plain.c index 6dda531bb9..79b0ad08e3 100644 --- a/src/auth/sasl-server-mech-plain.c +++ b/src/auth/sasl-server-mech-plain.c @@ -43,17 +43,17 @@ mech_plain_auth_continue(struct auth_request *request, if (count != 2) { /* invalid input */ e_info(request->mech_event, "invalid input"); - auth_request_fail(request); + sasl_server_request_failure(request); } else if (!auth_request_set_username(request, authenid, &error)) { /* invalid username */ e_info(request->mech_event, "%s", error); - auth_request_fail(request); + sasl_server_request_failure(request); } else if (*authid != '\0' && !auth_request_set_login_username(request, authid, &error)) { /* invalid login username */ e_info(request->mech_event, "login user: %s", error); - auth_request_fail(request); + sasl_server_request_failure(request); } else { auth_request_verify_plain( request, pass, sasl_server_mech_plain_verify_callback); diff --git a/src/auth/sasl-server-mech-scram.c b/src/auth/sasl-server-mech-scram.c index da05460f5b..ad8525c970 100644 --- a/src/auth/sasl-server-mech-scram.c +++ b/src/auth/sasl-server-mech-scram.c @@ -42,7 +42,7 @@ credentials_callback(enum passdb_result result, key_data->server_key, &error) < 0) { e_info(auth_request->mech_event, "%s", error); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); break; } @@ -55,7 +55,7 @@ credentials_callback(enum passdb_result result, auth_request_internal_failure(auth_request); break; default: - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); break; } } @@ -150,7 +150,7 @@ void mech_scram_auth_continue(struct auth_request *auth_request, } else { e_info(auth_request->mech_event, "%s", error); } - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); return; } if (ret == 0) diff --git a/src/auth/sasl-server-mech-winbind.c b/src/auth/sasl-server-mech-winbind.c index 7a35af7754..ed508a6184 100644 --- a/src/auth/sasl-server-mech-winbind.c +++ b/src/auth/sasl-server-mech-winbind.c @@ -311,7 +311,7 @@ mech_winbind_auth_continue(struct auth_request *auth_request, if (res != HR_OK) { if (res == HR_RESTART) winbind_helper_disconnect(request->winbind); - auth_request_fail(auth_request); + sasl_server_request_failure(auth_request); } } diff --git a/src/auth/sasl-server-protected.h b/src/auth/sasl-server-protected.h index 2bd3d3ebeb..96e6b56033 100644 --- a/src/auth/sasl-server-protected.h +++ b/src/auth/sasl-server-protected.h @@ -71,5 +71,8 @@ void sasl_server_request_output(struct auth_request *request, const void *data, size_t data_size); void sasl_server_request_success(struct auth_request *request, const void *data, size_t data_size); +void sasl_server_request_failure_with_reply(struct auth_request *request, + const void *data, size_t data_size); +void sasl_server_request_failure(struct auth_request *request); #endif diff --git a/src/auth/sasl-server-request.c b/src/auth/sasl-server-request.c index 6e5efc5ee6..b989717926 100644 --- a/src/auth/sasl-server-request.c +++ b/src/auth/sasl-server-request.c @@ -30,3 +30,19 @@ void sasl_server_request_success(struct auth_request *request, }; auth_sasl_request_output(request, &output); } + +void sasl_server_request_failure_with_reply(struct auth_request *request, + const void *data, size_t data_size) +{ + const struct sasl_server_output output = { + .status = SASL_SERVER_OUTPUT_FAILURE, + .data = data, + .data_size = data_size, + }; + auth_sasl_request_output(request, &output); +} + +void sasl_server_request_failure(struct auth_request *request) +{ + sasl_server_request_failure_with_reply(request, "", 0); +}