From: Stephan Bosch Date: Thu, 26 Oct 2023 22:36:23 +0000 (+0200) Subject: auth: auth-request - Restore final-resp-ok support X-Git-Tag: 2.4.0~2423 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5a9de5c7ec94229ba1dbdf737bfe61d483b98b0;p=thirdparty%2Fdovecot%2Fcore.git auth: auth-request - Restore final-resp-ok support Auth clients other than Dovecot itself will still not handle a final success response correctly. Was removed by 73ea09d00148edd2db2a59a71ec91f7bab06697b.
---
diff --git a/src/auth/auth-request-fields.c b/src/auth/auth-request-fields.c
index 4e57fa4175..22cc1cccd6 100644
--- a/src/auth/auth-request-fields.c
+++ b/src/auth/auth-request-fields.c
@@ -226,6 +226,8 @@ bool auth_request_import_auth(struct auth_request *request,
 event_add_str(request->event, "transport", "secured");
 }
 }
+ else if (strcmp(key, "final-resp-ok") == 0)
+ fields->final_resp_ok = TRUE;
 else if (strcmp(key, "no-penalty") == 0)
 fields->no_penalty = TRUE;
 else if (strcmp(key, "valid-client-cert") == 0)
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index 0c4653376f..a7db045f8a 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -273,6 +273,14 @@ static void auth_request_success_continue(struct auth_policy_check_ctx *ctx)
 return;
 }
+ if (ctx->success_data->used > 0 && !request->fields.final_resp_ok) {
+ /* we'll need one more SASL round, since client doesn't support
+ the final SASL response */
+ auth_request_handler_reply_continue(request,
+ ctx->success_data->data, ctx->success_data->used);
+ return;
+ }
+
 auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
 auth_request_refresh_last_access(request);
 auth_request_handler_reply(request, AUTH_CLIENT_RESULT_SUCCESS,
diff --git a/src/auth/auth-request.h b/src/auth/auth-request.h
index 4663faec0c..4ed95dcbdf 100644
--- a/src/auth/auth-request.h
+++ b/src/auth/auth-request.h
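Review bot: In src/auth/auth-request.c, the added early return in auth_request_success_continue() sends the success data as a continuation and leaves before the `AUTH_REQUEST_STATE_FINISHED` transition, but the comment does not say what completes the request afterwards or what the client may send in that extra round. Since this is the success path of authentication, I would extend the comment to something like `/* client can't take data in the final reply: send it as one more challenge; the request finishes when the client's response (expected to be empty) arrives */`, and confirm that the continue handler rejects a non-empty response at that point instead of handing it to the mechanism again. That handler and the top of this function are outside the hunk, so this is inferred from the visible lines only. It is also worth noting next to the check that `final_resp_ok` comes from a client-supplied key (the `final-resp-ok` branch added in auth_request_import_auth()) and must only ever select the reply framing, never bypass a check.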
@@ -91,6 +91,7 @@ struct auth_request_fields {
 bool skip_password_check:1;
 /* flags received from auth client: */
+ bool final_resp_ok:1;
 bool no_penalty:1;
 bool valid_client_cert:1;
 bool cert_username:1;
diff --git a/src/lib-auth-client/auth-client-request.c b/src/lib-auth-client/auth-client-request.c
index a8bc2c2d6c..a20ebcc5ee 100644
--- a/src/lib-auth-client/auth-client-request.c
+++ b/src/lib-auth-client/auth-client-request.c
@@ -27,6 +27,7 @@ auth_server_send_new_request(struct auth_client_connection *conn,
 event_add_str(request->event, "mechanism", info->mech);
 event_add_str(request->event, "service", info->service);
+ str_append(str, "\tfinal-resp-ok");
 if ((info->flags & AUTH_REQUEST_FLAG_CONN_SECURED) != 0) {
 str_append(str, "\tsecured");
 if ((info->flags & AUTH_REQUEST_FLAG_CONN_SECURED_TLS) != 0) {
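Review bot: In src/lib-auth-client/auth-client-request.c, `str_append(str, "\tfinal-resp-ok");` is now sent unconditionally for every request built by auth_server_send_new_request(), with no comment explaining why it does not depend on `info->flags` like the `secured` fields below it. A one-line comment such as `/* this client library always accepts data in the final success reply */` would record the assumption the flag encodes. If any user of this library ignores the data carried in a success reply, a mechanism's final server message would presumably be lost for it without any error, so the assumption is worth checking against the library's reply handling, which is outside the hunk. The function body starts and ends outside the hunk.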