From: Stephan Bosch Date: Sun, 22 Oct 2023 14:37:02 +0000 (+0200) Subject: auth: sasl-server-request - Rename struct sasl_server_mech_request mech_event to... X-Git-Tag: 2.4.2~168 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b943759acfdf8a18cffaad8d15118f8d6a331d26;p=thirdparty%2Fdovecot%2Fcore.git auth: sasl-server-request - Rename struct sasl_server_mech_request mech_event to event --- diff --git a/src/auth/auth-sasl-mech-apop.c b/src/auth/auth-sasl-mech-apop.c index 62de4a0a9a..71745fcc67 100644 --- a/src/auth/auth-sasl-mech-apop.c +++ b/src/auth/auth-sasl-mech-apop.c @@ -84,8 +84,7 @@ mech_apop_auth_initial(struct sasl_server_mech_request *req, if (data_size == 0) { /* Should never happen */ - e_info(req->mech_event, - "no initial response"); + e_info(req->event, "no initial response"); sasl_server_request_failure(req); return; } @@ -105,16 +104,14 @@ mech_apop_auth_initial(struct sasl_server_mech_request *req, tmp++; } else { /* should never happen */ - e_info(req->mech_event, - "malformed data"); + e_info(req->event, "malformed data"); sasl_server_request_failure(req); return; } if (tmp + 1 + 16 != end) { /* Should never happen */ - e_info(req->mech_event, - "malformed data"); + e_info(req->event, "malformed data"); sasl_server_request_failure(req); return; } @@ -131,8 +128,7 @@ mech_apop_auth_initial(struct sasl_server_mech_request *req, connect_uid != auth_request->connect_uid || pid != (unsigned long)getpid() || (time_t)timestamp < process_start_time) { - e_info(req->mech_event, - "invalid challenge"); + e_info(req->event, "invalid challenge"); sasl_server_request_failure(req); return; } diff --git a/src/auth/auth-sasl-mech-dovecot-token.c b/src/auth/auth-sasl-mech-dovecot-token.c index b51269d174..60310af26f 100644 --- a/src/auth/auth-sasl-mech-dovecot-token.c +++ b/src/auth/auth-sasl-mech-dovecot-token.c @@ -48,7 +48,7 @@ mech_dovecot_token_auth_continue(struct sasl_server_mech_request *request, if (count != 4) { /* invalid input */ - e_info(request->mech_event, "invalid input"); + e_info(request->event, "invalid input"); sasl_server_request_failure(request); } else if (!sasl_server_request_set_authid( request, SASL_SERVER_AUTHID_TYPE_USERNAME, username)) { diff --git a/src/auth/sasl-server-mech-cram-md5.c b/src/auth/sasl-server-mech-cram-md5.c index 19880aed02..f1ce8b4cbf 100644 --- a/src/auth/sasl-server-mech-cram-md5.c +++ b/src/auth/sasl-server-mech-cram-md5.c @@ -57,7 +57,7 @@ verify_credentials(struct sasl_server_mech_request *auth_request, const char *response_hex; if (size != CRAM_MD5_CONTEXTLEN) { - e_error(auth_request->mech_event, "invalid credentials length"); + e_error(auth_request->event, "invalid credentials length"); sasl_server_request_failure(auth_request); return; } @@ -71,8 +71,7 @@ verify_credentials(struct sasl_server_mech_request *auth_request, if (!mem_equals_timing_safe(response_hex, request->response, sizeof(digest) * 2)) { - e_info(auth_request->mech_event, - AUTH_LOG_MSG_PASSWORD_MISMATCH); + e_info(auth_request->event, AUTH_LOG_MSG_PASSWORD_MISMATCH); sasl_server_request_failure(auth_request); return; } @@ -91,7 +90,7 @@ parse_cram_response(struct cram_auth_request *request, the rightmost space is the response separator. */ for (i = space = 0; i < size; i++) { if (data[i] == '\0') { - e_info(auth_request->mech_event, "NULs in response"); + e_info(auth_request->event, "NULs in response"); return FALSE; } if (data[i] == ' ') @@ -99,7 +98,7 @@ parse_cram_response(struct cram_auth_request *request, } if (space == 0) { - e_info(auth_request->mech_event, "missing digest"); + e_info(auth_request->event, "missing digest"); return FALSE; } diff --git a/src/auth/sasl-server-mech-digest-md5.c b/src/auth/sasl-server-mech-digest-md5.c index 056b25f7ef..8f5ad5dfba 100644 --- a/src/auth/sasl-server-mech-digest-md5.c +++ b/src/auth/sasl-server-mech-digest-md5.c @@ -124,8 +124,7 @@ verify_credentials(struct sasl_server_mech_request *auth_request, /* get the MD5 password */ if (size != MD5_RESULTLEN) { - e_error(auth_request->mech_event, - "invalid credentials length"); + e_error(auth_request->event, "invalid credentials length"); sasl_server_request_failure(auth_request); return; } @@ -214,7 +213,7 @@ verify_credentials(struct sasl_server_mech_request *auth_request, /* verify response */ if (!mem_equals_timing_safe(response_hex, request->response, 32)) { - e_info(auth_request->mech_event, + e_info(auth_request->event, AUTH_LOG_MSG_PASSWORD_MISMATCH); sasl_server_request_failure(auth_request); return; @@ -556,7 +555,7 @@ mech_digest_md5_auth_continue(struct sasl_server_mech_request *auth_request, const char *error; if (!parse_digest_response(request, data, data_size, &error)) { - e_info(auth_request->mech_event, "%s", error); + e_info(auth_request->event, "%s", error); sasl_server_request_failure(auth_request); return; } diff --git a/src/auth/sasl-server-mech-gssapi.c b/src/auth/sasl-server-mech-gssapi.c index fb141c068e..6c6ba2d01d 100644 --- a/src/auth/sasl-server-mech-gssapi.c +++ b/src/auth/sasl-server-mech-gssapi.c @@ -90,8 +90,7 @@ mech_gssapi_log_error(struct gssapi_auth_request *request, status_type, GSS_C_NO_OID, &message_context, &status_string); - e_info(auth_request->mech_event, - "While %s: %s", description, + e_info(auth_request->event, "While %s: %s", description, str_sanitize(status_string.value, SIZE_MAX)); (void)gss_release_buffer(&minor_status, &status_string); @@ -125,8 +124,7 @@ obtain_service_credentials(struct gssapi_auth_request *request, gss_name_t gss_principal; if (strcmp(gss_mech->hostname, "$ALL") == 0) { - e_debug(auth_request->mech_event, - "Using all keytab entries"); + e_debug(auth_request->event, "Using all keytab entries"); *ret_r = GSS_C_NO_CREDENTIAL; return GSS_S_COMPLETE; } @@ -136,8 +134,8 @@ obtain_service_credentials(struct gssapi_auth_request *request, str_append_c(principal_name, '@'); str_append(principal_name, gss_mech->hostname); - e_debug(auth_request->mech_event, - "Obtaining credentials for %s", str_c(principal_name)); + e_debug(auth_request->event, "Obtaining credentials for %s", + str_c(principal_name)); inbuf.length = str_len(principal_name); inbuf.value = str_c_modifiable(principal_name); @@ -234,7 +232,7 @@ get_display_name(struct gssapi_auth_request *request, gss_name_t name, return -1; } if (data_has_nuls(buf.value, buf.length)) { - e_info(auth_request->mech_event, "authn_name has NULs"); + e_info(auth_request->event, "authn_name has NULs"); return -1; } *display_name_r = t_strndup(buf.value, buf.length); @@ -287,7 +285,7 @@ mech_gssapi_sec_context(struct gssapi_auth_request *request, switch (major_status) { case GSS_S_COMPLETE: if (!mech_gssapi_oid_cmp(mech_type, &mech_gssapi_krb5_oid)) { - e_info(auth_request->mech_event, + e_info(auth_request->event, "GSSAPI mechanism not Kerberos5"); ret = -1; } else if (get_display_name(request, request->authn_name, @@ -299,17 +297,17 @@ mech_gssapi_sec_context(struct gssapi_auth_request *request, ret = -1; } else { request->sasl_gssapi_state = GSS_STATE_WRAP; - e_debug(auth_request->mech_event, + e_debug(auth_request->event, "security context state completed."); } break; case GSS_S_CONTINUE_NEEDED: - e_debug(auth_request->mech_event, + e_debug(auth_request->event, "Processed incoming packet correctly, " "waiting for another."); break; default: - e_error(auth_request->mech_event, + e_error(auth_request->event, "Received unexpected major status %d", major_status); break; } @@ -361,7 +359,7 @@ mech_gssapi_wrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf) return -1; } - e_debug(auth_request->mech_event, "Negotiated security layer"); + e_debug(auth_request->event, "Negotiated security layer"); sasl_server_request_output(auth_request, outbuf.value, outbuf.length); @@ -383,7 +381,7 @@ k5_principal_is_authorized(struct gssapi_auth_request *request, const char *name authorized_names = t_strsplit_spaces(value, ","); for (tmp = authorized_names; *tmp != NULL; tmp++) { if (strcmp(*tmp, name) == 0) { - e_debug(auth_request->mech_event, + e_debug(auth_request->event, "authorized by k5principals field: %s", name); return TRUE; } @@ -411,16 +409,15 @@ mech_gssapi_krb5_userok(struct gssapi_auth_request *request, if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) && check_name_type) { - e_info(auth_request->mech_event, - "OID not kerberos principal name"); + e_info(auth_request->event, "OID not kerberos principal name"); return FALSE; } /* Init a krb5 context and parse the principal username */ krb5_err = krb5_init_context(&ctx); if (krb5_err != 0) { - e_error(auth_request->mech_event, - "krb5_init_context() failed: %d", (int)krb5_err); + e_error(auth_request->event, "krb5_init_context() failed: %d", + (int)krb5_err); return FALSE; } krb5_err = krb5_parse_name(ctx, princ_display_name, &princ); @@ -428,8 +425,8 @@ mech_gssapi_krb5_userok(struct gssapi_auth_request *request, /* writing the error string would be better, but we probably rarely get here and there doesn't seem to be a standard way of getting it */ - e_info(auth_request->mech_event, - "krb5_parse_name() failed: %d", (int)krb5_err); + e_info(auth_request->event, "krb5_parse_name() failed: %d", + (int)krb5_err); } else { /* See if the principal is in the list of authorized principals for the user */ @@ -472,7 +469,7 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user) if (!mech_gssapi_krb5_userok(request, request->authn_name, login_user, TRUE)) { - e_info(auth_request->mech_event, + e_info(auth_request->event, "User not authorized to log in as %s", login_user); return -1; } @@ -519,7 +516,7 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf) struct sasl_server_mech_request *auth_request = &request->auth_request; OM_uint32 major_status, minor_status; gss_buffer_desc outbuf; - const char *login_user, *error; + const char *login_user; unsigned char *name; size_t name_len; @@ -535,8 +532,7 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf) /* outbuf[0] contains bitmask for selected security layer, outbuf[1..3] contains maximum output_message size */ if (outbuf.length < 4) { - e_error(auth_request->mech_event, - "Invalid response length"); + e_error(auth_request->event, "Invalid response length"); (void)gss_release_buffer(&minor_status, &outbuf); return -1; } @@ -546,8 +542,7 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf) name_len = outbuf.length - 4; if (data_has_nuls(name, name_len)) { - e_info(auth_request->mech_event, - "authz_name has NULs"); + e_info(auth_request->event, "authz_name has NULs"); (void)gss_release_buffer(&minor_status, &outbuf); return -1; } @@ -565,8 +560,7 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf) } if (request->authz_name == GSS_C_NO_NAME) { - e_info(auth_request->mech_event, - "no authz_name"); + e_info(auth_request->event, "no authz_name"); (void)gss_release_buffer(&minor_status, &outbuf); return -1; } @@ -579,8 +573,6 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf) if (!sasl_server_request_set_authid(auth_request, SASL_SERVER_AUTHID_TYPE_USERNAME, login_user)) { - e_info(auth_request->mech_event, - "authz_name: %s", error); (void)gss_release_buffer(&minor_status, &outbuf); return -1; } diff --git a/src/auth/sasl-server-mech-oauth2.c b/src/auth/sasl-server-mech-oauth2.c index 154e94965c..3c679b79a9 100644 --- a/src/auth/sasl-server-mech-oauth2.c +++ b/src/auth/sasl-server-mech-oauth2.c @@ -212,14 +212,14 @@ mech_oauthbearer_auth_continue(struct sasl_server_mech_request *request, if (auth_gs2_header_decode(data, data_size, FALSE, &gs2_header, &gs2_header_end, &error) < 0) { - e_info(request->mech_event, "Invalid gs2-header in request: %s", + e_info(request->event, "Invalid gs2-header in request: %s", error); oauth2_fail_invalid_request(oauth2_req); return; } if (gs2_header.authzid == NULL) { - e_info(request->mech_event, "Missing username"); + e_info(request->event, "Missing username"); oauth2_fail_invalid_request(oauth2_req); return; } @@ -231,7 +231,7 @@ mech_oauthbearer_auth_continue(struct sasl_server_mech_request *request, } if (gs2_header.cbind.status == AUTH_GS2_CBIND_STATUS_PROVIDED) { /* channel binding is not supported */ - e_info(request->mech_event, + e_info(request->event, "Client requested and used channel-binding"); oauth2_fail_invalid_request(oauth2_req); return; @@ -241,12 +241,12 @@ mech_oauthbearer_auth_continue(struct sasl_server_mech_request *request, size_t payload_size = data_size - gs2_header_size; if (payload_size == 0) { - e_info(request->mech_event, "Response payload is missing"); + e_info(request->event, "Response payload is missing"); oauth2_fail_invalid_request(oauth2_req); return; } if (*gs2_header_end != '\x01') { - e_info(request->mech_event, "Invalid gs2-header in request: " + e_info(request->event, "Invalid gs2-header in request: " "Spurious data at end of header"); oauth2_fail_invalid_request(oauth2_req); return; @@ -265,7 +265,7 @@ mech_oauthbearer_auth_continue(struct sasl_server_mech_request *request, oauth2_valid_token(value)) { token = value; } else { - e_info(request->mech_event, + e_info(request->event, "Invalid response payload"); oauth2_fail_invalid_token(oauth2_req); return; @@ -274,7 +274,7 @@ mech_oauthbearer_auth_continue(struct sasl_server_mech_request *request, /* do not fail on unexpected fields */ } if (token == NULL) { - e_info(request->mech_event, "Missing token"); + e_info(request->event, "Missing token"); oauth2_fail_invalid_token(oauth2_req); return; } @@ -317,8 +317,7 @@ mech_xoauth2_auth_continue(struct sasl_server_mech_request *request, oauth2_valid_token(value)) { token = value; } else { - e_info(request->mech_event, - "Invalid response data"); + e_info(request->event, "Invalid response data"); oauth2_fail_invalid_token(oauth2_req); return; } @@ -334,11 +333,11 @@ mech_xoauth2_auth_continue(struct sasl_server_mech_request *request, return; } if (token == NULL) { - e_info(request->mech_event, "Missing token"); + e_info(request->event, "Missing token"); oauth2_fail_invalid_request(oauth2_req); return; } else if (!user_given) { - e_info(request->mech_event, "Missing username"); + e_info(request->event, "Missing username"); oauth2_fail_invalid_request(oauth2_req); return; } diff --git a/src/auth/sasl-server-mech-otp.c b/src/auth/sasl-server-mech-otp.c index ce2ec560b5..6582af98fd 100644 --- a/src/auth/sasl-server-mech-otp.c +++ b/src/auth/sasl-server-mech-otp.c @@ -77,22 +77,19 @@ otp_send_challenge(struct otp_auth_request *request, if (otp_parse_dbentry(t_strndup(credentials, size), &request->state) != 0) { - e_error(auth_request->mech_event, - "invalid OTP data in passdb"); + e_error(auth_request->event, "invalid OTP data in passdb"); sasl_server_request_failure(auth_request); return; } if (--request->state.seq < 1) { - e_error(auth_request->mech_event, - "sequence number < 1"); + e_error(auth_request->event, "sequence number < 1"); sasl_server_request_failure(auth_request); return; } if (!otp_try_lock(request)) { - e_error(auth_request->mech_event, - "user is locked, race attack?"); + e_error(auth_request->event, "user is locked, race attack?"); sasl_server_request_failure(auth_request); return; } @@ -147,7 +144,7 @@ mech_otp_auth_phase1(struct otp_auth_request *request, } if (count != 1) { - e_info(auth_request->mech_event, "invalid input"); + e_info(auth_request->event, "invalid input"); sasl_server_request_failure(auth_request); return; } @@ -189,7 +186,7 @@ mech_otp_verify(struct otp_auth_request *request, const char *data, bool hex) ret = otp_parse_response(data, hash, hex); if (ret < 0) { - e_info(auth_request->mech_event, "invalid response"); + e_info(auth_request->event, "invalid response"); sasl_server_request_failure(auth_request); otp_unlock(request); return; @@ -223,8 +220,7 @@ mech_otp_verify_init(struct otp_auth_request *request, const char *data, ret = otp_parse_init_response(data, &new_state, cur_hash, hex, &error); if (ret < 0) { - e_info(auth_request->mech_event, - "invalid init response, %s", error); + e_info(auth_request->event, "invalid init response, %s", error); sasl_server_request_failure(auth_request); otp_unlock(request); return; @@ -260,8 +256,7 @@ mech_otp_auth_phase2(struct otp_auth_request *request, else if (str_begins(str, "init-word:", &value)) mech_otp_verify_init(request, value, FALSE); else { - e_info(auth_request->mech_event, - "unsupported response type"); + e_info(auth_request->event, "unsupported response type"); sasl_server_request_failure(auth_request); otp_unlock(request); } diff --git a/src/auth/sasl-server-mech-plain.c b/src/auth/sasl-server-mech-plain.c index f27bb5e98f..66ff1689eb 100644 --- a/src/auth/sasl-server-mech-plain.c +++ b/src/auth/sasl-server-mech-plain.c @@ -42,7 +42,7 @@ mech_plain_auth_continue(struct sasl_server_mech_request *request, if (count != 2) { /* invalid input */ - e_info(request->mech_event, "invalid input"); + e_info(request->event, "invalid input"); sasl_server_request_failure(request); } else if (!sasl_server_request_set_authid( request, SASL_SERVER_AUTHID_TYPE_USERNAME, authenid)) { diff --git a/src/auth/sasl-server-mech-scram.c b/src/auth/sasl-server-mech-scram.c index b1734be3a8..f0e2733910 100644 --- a/src/auth/sasl-server-mech-scram.c +++ b/src/auth/sasl-server-mech-scram.c @@ -51,7 +51,7 @@ credentials_callback(struct sasl_server_mech_request *auth_request, key_data->stored_key, key_data->server_key, &error) < 0) { - e_info(auth_request->mech_event, "%s", error); + e_info(auth_request->event, "%s", error); sasl_server_request_failure(auth_request); break; } @@ -165,14 +165,14 @@ mech_scram_auth_continue(struct sasl_server_mech_request *auth_request, case AUTH_SCRAM_SERVER_ERROR_NONE: i_unreached(); case AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION: - e_info(auth_request->mech_event, "%s", error); + e_info(auth_request->event, "%s", error); break; case AUTH_SCRAM_SERVER_ERROR_BAD_USERNAME: case AUTH_SCRAM_SERVER_ERROR_BAD_LOGIN_USERNAME: case AUTH_SCRAM_SERVER_ERROR_LOOKUP_FAILED: break; case AUTH_SCRAM_SERVER_ERROR_VERIFICATION_FAILED: - e_info(auth_request->mech_event, + e_info(auth_request->event, AUTH_LOG_MSG_PASSWORD_MISMATCH); break; } diff --git a/src/auth/sasl-server-mech-winbind.c b/src/auth/sasl-server-mech-winbind.c index fec802d558..0816c128c2 100644 --- a/src/auth/sasl-server-mech-winbind.c +++ b/src/auth/sasl-server-mech-winbind.c @@ -184,7 +184,7 @@ do_auth_continue(struct winbind_auth_request *request, if (o_stream_send(request->winbind->out_pipe, str_data(str), str_len(str)) < 0 || o_stream_flush(request->winbind->out_pipe) < 0) { - e_error(auth_request->mech_event, + e_error(auth_request->event, "write(out_pipe) failed: %s", o_stream_get_error(request->winbind->out_pipe)); return HR_RESTART; @@ -197,10 +197,10 @@ do_auth_continue(struct winbind_auth_request *request, } if (answer == NULL) { if (in_pipe->stream_errno != 0) { - e_error(auth_request->mech_event, + e_error(auth_request->event, "read(in_pipe) failed: %m"); } else { - e_error(auth_request->mech_event, + e_error(auth_request->event, "read(in_pipe) failed: " "unexpected end of file"); } @@ -211,8 +211,8 @@ do_auth_continue(struct winbind_auth_request *request, if (token[0] == NULL || (token[1] == NULL && strcmp(token[0], "BH") != 0) || (gss_spnego && (token[1] == NULL || token[2] == NULL))) { - e_error(auth_request->mech_event, - "Invalid input from helper: %s", answer); + e_error(auth_request->event, "Invalid input from helper: %s", + answer); return HR_RESTART; } @@ -246,8 +246,8 @@ do_auth_continue(struct winbind_auth_request *request, } else if (strcmp(token[0], "NA") == 0) { const char *error = gss_spnego ? token[2] : token[1]; - e_info(auth_request->mech_event, - "user not authenticated: %s", error); + e_info(auth_request->event, "user not authenticated: %s", + error); return HR_FAIL; } else if (strcmp(token[0], "AF") == 0) { const char *user, *p; @@ -280,12 +280,12 @@ do_auth_continue(struct winbind_auth_request *request, } return HR_OK; } else if (strcmp(token[0], "BH") == 0) { - e_info(auth_request->mech_event, + e_info(auth_request->event, "ntlm_auth reports broken helper: %s", token[1] != NULL ? token[1] : ""); return HR_RESTART; } else { - e_error(auth_request->mech_event, + e_error(auth_request->event, "Invalid input from helper: %s", answer); return HR_RESTART; } @@ -302,8 +302,7 @@ mech_winbind_auth_initial(struct sasl_server_mech_request *auth_request, container_of(auth_request, struct winbind_auth_request, auth_request); - winbind_helper_connect(request->winbind, wb_mech, - auth_request->mech_event); + winbind_helper_connect(request->winbind, wb_mech, auth_request->event); sasl_server_mech_generic_auth_initial(auth_request, data, data_size); } diff --git a/src/auth/sasl-server-protected.h b/src/auth/sasl-server-protected.h index 5e7dfbc550..f654b7398c 100644 --- a/src/auth/sasl-server-protected.h +++ b/src/auth/sasl-server-protected.h @@ -63,7 +63,7 @@ struct sasl_server_mech_request { pool_t pool; const struct sasl_server_mech *mech; struct sasl_server_request *req; - struct event *mech_event; + struct event *event; const char *protocol; const char *authid; diff --git a/src/auth/sasl-server-request.c b/src/auth/sasl-server-request.c index dbd79d0486..a685ef83b8 100644 --- a/src/auth/sasl-server-request.c +++ b/src/auth/sasl-server-request.c @@ -54,7 +54,7 @@ void sasl_server_request_create(struct sasl_server_req_ctx *rctx, mreq->req = req; mreq->set = &sinst->set; mreq->mech = mech; - mreq->mech_event = req->event; + mreq->event = req->event; mreq->protocol = p_strdup(pool, protocol); req->mech = mreq; @@ -143,7 +143,7 @@ sasl_server_request_fail_on_nuls(struct sasl_server_request *req, if ((mech->def->flags & SASL_MECH_SEC_ALLOW_NULS) != 0) return FALSE; if (memchr(data, '\0', data_size) != NULL) { - e_debug(req->mech->mech_event, "Unexpected NUL in auth data"); + e_debug(req->mech->event, "Unexpected NUL in auth data"); sasl_server_request_failure(req->mech); return TRUE; }