From: Stephan Bosch Date: Sun, 5 Oct 2025 01:57:54 +0000 (+0200) Subject: auth: sasl-server - Add sasl_server_request_set_authid() X-Git-Tag: 2.4.2~263 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6816f5e1df96409330f5a88222c19dd26e4a833;p=thirdparty%2Fdovecot%2Fcore.git auth: sasl-server - Add sasl_server_request_set_authid() Wraps auth_request_set_username() in normal, anonymous and external contexts. --- diff --git a/src/auth/auth-sasl-mech-apop.c b/src/auth/auth-sasl-mech-apop.c index fe4ae9a97a..78c512285b 100644 --- a/src/auth/auth-sasl-mech-apop.c +++ b/src/auth/auth-sasl-mech-apop.c @@ -75,7 +75,6 @@ mech_apop_auth_initial(struct auth_request *auth_request, auth_request); const unsigned char *tmp, *end, *username = NULL; unsigned long pid, connect_uid, timestamp; - const char *error; /* pop3-login handles sending the challenge and getting the response. Our input here is: \0 \0 */ @@ -135,9 +134,9 @@ mech_apop_auth_initial(struct auth_request *auth_request, return; } - if (!auth_request_set_username(auth_request, (const char *)username, - &error)) { - e_info(auth_request->mech_event, "%s", error); + if (!sasl_server_request_set_authid(auth_request, + SASL_SERVER_AUTHID_TYPE_USERNAME, + (const char *)username)) { sasl_server_request_failure(auth_request); return; } diff --git a/src/auth/auth-sasl-mech-dovecot-token.c b/src/auth/auth-sasl-mech-dovecot-token.c index ead0feb044..e64514b3f9 100644 --- a/src/auth/auth-sasl-mech-dovecot-token.c +++ b/src/auth/auth-sasl-mech-dovecot-token.c @@ -12,7 +12,7 @@ static void mech_dovecot_token_auth_continue(struct auth_request *request, const unsigned char *data, size_t data_size) { - const char *session_id, *username, *pid, *service, *error; + const char *session_id, *username, *pid, *service; char *auth_token; size_t i, len; int count; 
@@ -44,9 +44,9 @@ mech_dovecot_token_auth_continue(struct auth_request *request, /* invalid input */ e_info(request->mech_event, "invalid input"); sasl_server_request_failure(request); - } else if (!auth_request_set_username(request, username, &error)) { + } else if (!sasl_server_request_set_authid( + request, SASL_SERVER_AUTHID_TYPE_USERNAME, username)) { /* invalid username */ - e_info(request->mech_event, "%s", error); sasl_server_request_failure(request); } else { const char *valid_token = diff --git a/src/auth/sasl-server-mech-anonymous.c b/src/auth/sasl-server-mech-anonymous.c index 82a3e93be7..cc66f869b8 100644 --- a/src/auth/sasl-server-mech-anonymous.c +++ b/src/auth/sasl-server-mech-anonymous.c @@ -10,12 +10,12 @@ mech_anonymous_auth_continue(struct auth_request *request, { i_assert(*request->set->anonymous_username != '\0'); - /* temporarily set the user to the one that was given, so that the log - message goes right */ - auth_request_set_username_forced(request, t_strndup(data, data_size)); - e_info(request->mech_event, "login"); - auth_request_set_username_forced(request, - request->set->anonymous_username); + if (!sasl_server_request_set_authid(request, + SASL_SERVER_AUTHID_TYPE_ANONYMOUS, + t_strndup(data, data_size))) { + sasl_server_request_failure(request); + return; + } request->passdb_success = TRUE; sasl_server_request_success(request, "", 0); diff --git a/src/auth/sasl-server-mech-cram-md5.c b/src/auth/sasl-server-mech-cram-md5.c index c57b5bdee8..593bcaff5b 100644 --- a/src/auth/sasl-server-mech-cram-md5.c +++ b/src/auth/sasl-server-mech-cram-md5.c 
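Review bot: In the sasl-server-mech-anonymous.c hunk the replacement of the client-supplied name with request->set->anonymous_username, which the removed auth_request_set_username_forced() lines did explicitly, is now delegated to sasl_server_request_set_authid(), and nothing visible in the hunk performs it before passdb_success is set. If auth_sasl_request_set_authid() does not do that substitution for SASL_SERVER_AUTHID_TYPE_ANONYMOUS, the untrusted name taken from `data` becomes the authenticated user. Once confirmed, a one-line comment above the call, `/* logs the login and replaces the given name with set->anonymous_username */`, would record the invariant the i_assert() above relies on. mech_anonymous_auth_continue's signature is outside the hunk.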
@@ -134,15 +134,14 @@ mech_cram_md5_auth_continue(struct auth_request *auth_request, struct cram_auth_request *request = container_of(auth_request, struct cram_auth_request, auth_request); - const char *error; if (!parse_cram_response(request, data, data_size)) { sasl_server_request_failure(auth_request); return; } - if (!auth_request_set_username(auth_request, request->username, - &error)) { - e_info(auth_request->mech_event, "%s", error); + if (!sasl_server_request_set_authid(auth_request, + SASL_SERVER_AUTHID_TYPE_USERNAME, + request->username)) { sasl_server_request_failure(auth_request); return; } diff --git a/src/auth/sasl-server-mech-digest-md5.c b/src/auth/sasl-server-mech-digest-md5.c index 082d0d562f..5d8ead7a8c 100644 --- a/src/auth/sasl-server-mech-digest-md5.c +++ b/src/auth/sasl-server-mech-digest-md5.c @@ -569,14 +569,15 @@ mech_digest_md5_auth_continue(struct auth_request *auth_request, } else { username = request->username; } - if (!auth_request_set_username(auth_request, username, &error)) { - e_info(auth_request->mech_event, "%s", error); + if (!sasl_server_request_set_authid(auth_request, + SASL_SERVER_AUTHID_TYPE_USERNAME, + username)) { sasl_server_request_failure(auth_request); return; } if (request->authzid != NULL && - !auth_request_set_login_username(auth_request, request->authzid, - &error)) { + !auth_request_set_login_username(auth_request, request->authzid, + &error)) { e_info(auth_request->mech_event, "login user: %s", error); sasl_server_request_failure(auth_request); return; diff --git a/src/auth/sasl-server-mech-external.c b/src/auth/sasl-server-mech-external.c index 25cd47aad7..119f1d58e8 100644 --- a/src/auth/sasl-server-mech-external.c +++ b/src/auth/sasl-server-mech-external.c 
@@ -12,32 +12,22 @@ mech_external_auth_continue(struct auth_request *request, const char *authzid, *error; authzid = t_strndup(data, data_size); - if (request->fields.user == NULL) { - e_info(request->mech_event, - "username not known"); - sasl_server_request_failure(request); - return; - } - /* this call is done simply to put the username through translation - settings */ - if (!auth_request_set_username(request, "", &error)) { - e_info(request->mech_event, - "Invalid username"); + if (!sasl_server_request_set_authid(request, + SASL_SERVER_AUTHID_TYPE_EXTERNAL, + "")) { sasl_server_request_failure(request); return; } - if (*authzid != '\0' && !auth_request_set_login_username(request, authzid, &error)) { - /* invalid login username */ e_info(request->mech_event, "login user: %s", error); sasl_server_request_failure(request); - } else { - sasl_server_request_verify_plain( - request, "", sasl_server_mech_plain_verify_callback); + return; } + sasl_server_request_verify_plain( + request, "", sasl_server_mech_plain_verify_callback); } static struct auth_request *mech_external_auth_new(void) diff --git a/src/auth/sasl-server-mech-gssapi.c b/src/auth/sasl-server-mech-gssapi.c index 55e05109d1..f045aee829 100644 --- a/src/auth/sasl-server-mech-gssapi.c +++ b/src/auth/sasl-server-mech-gssapi.c @@ -270,7 +270,7 @@ mech_gssapi_sec_context(struct gssapi_auth_request *request, gss_buffer_desc output_token; gss_OID name_type; gss_OID mech_type; - const char *username, *error; + const char *username; int ret = 0; major_status = gss_accept_sec_context ( 
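Review bot: In the sasl-server-mech-external.c hunk the removed `request->fields.user == NULL` check, which failed the request with "username not known", has no visible replacement: the new call passes an empty authid with SASL_SERVER_AUTHID_TYPE_EXTERNAL and the function then proceeds to sasl_server_request_verify_plain(). Unless auth_sasl_request_set_authid() rejects the EXTERNAL case when no user was pre-set by the transport, a request arriving without that identity would now reach passdb verification with an empty user. Worth confirming in the helper, and worth restoring a comment at the call since the old explanatory one was dropped, e.g. `/* EXTERNAL: requires fields.user to be set already; the call only runs it through username translation */`. mech_external_auth_continue's signature is outside the hunk.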
@@ -304,10 +304,9 @@ mech_gssapi_sec_context(struct gssapi_auth_request *request, } else if (get_display_name(request, request->authn_name, &name_type, &username) < 0) ret = -1; - else if (!auth_request_set_username(auth_request, username, - &error)) { - e_info(auth_request->mech_event, - "authn_name: %s", error); + else if (!sasl_server_request_set_authid( + auth_request, SASL_SERVER_AUTHID_TYPE_USERNAME, + username)) { ret = -1; } else { request->sasl_gssapi_state = GSS_STATE_WRAP; @@ -592,7 +591,9 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf) will be the authorization name, not the authentication name, which may mean that future log messages should be adjusted to log the right thing. */ - if (!auth_request_set_username(auth_request, login_user, &error)) { + if (!sasl_server_request_set_authid(auth_request, + SASL_SERVER_AUTHID_TYPE_USERNAME, + login_user)) { e_info(auth_request->mech_event, "authz_name: %s", error); (void)gss_release_buffer(&minor_status, &outbuf); diff --git a/src/auth/sasl-server-mech-login.c b/src/auth/sasl-server-mech-login.c index 7b8cb980a0..bf52b9151d 100644 --- a/src/auth/sasl-server-mech-login.c +++ b/src/auth/sasl-server-mech-login.c @@ -17,13 +17,14 @@ mech_login_auth_continue(struct auth_request *request, const unsigned char *data, size_t data_size) { static const char prompt2[] = "Password:"; - const char *username, *error; + const char *username; if (request->fields.user == NULL) { username = t_strndup(data, data_size); - if (!auth_request_set_username(request, username, &error)) { - e_info(request->mech_event, "%s", error); + if (!sasl_server_request_set_authid( + request, SASL_SERVER_AUTHID_TYPE_USERNAME, + username)) { sasl_server_request_failure(request); return; } diff --git a/src/auth/sasl-server-mech-oauth2.c b/src/auth/sasl-server-mech-oauth2.c index 3ccfc3a207..a84118d09c 100644 --- a/src/auth/sasl-server-mech-oauth2.c +++ b/src/auth/sasl-server-mech-oauth2.c 
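Review bot: In the mech_gssapi_unwrap hunk the line `e_info(auth_request->mech_event, "authz_name: %s", error);` after the new sasl_server_request_set_authid() call still formats `error`, but the only assignment to it in this path was the removed auth_request_set_username(); nothing in the hunk writes `error` any more, so the log line prints an uninitialized or stale pointer, or the file fails to compile if the declaration was also removed as the @@ -270 hunk does for mech_gssapi_sec_context. Either drop the e_info(), as the other mechanisms in this commit do, or reword it without `error`, e.g. `e_info(auth_request->mech_event, "authz_name: invalid username");`. The enclosing function starts and ends outside the hunk.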
@@ -167,8 +167,9 @@ mech_oauthbearer_auth_continue(struct auth_request *request, oauth2_fail_invalid_request(oauth2_req); return; } - if (!auth_request_set_username(request, gs2_header.authzid, &error)) { - e_info(request->mech_event, "%s", error); + if (!sasl_server_request_set_authid(request, + SASL_SERVER_AUTHID_TYPE_USERNAME, + gs2_header.authzid)) { oauth2_fail_invalid_request(oauth2_req); return; } @@ -248,7 +249,6 @@ mech_xoauth2_auth_continue(struct auth_request *request, /* split the data from ^A */ bool user_given = FALSE; const char *value; - const char *error; const char *token = NULL; const char *const *ptr; const char *username; @@ -276,8 +276,9 @@ mech_xoauth2_auth_continue(struct auth_request *request, } if (user_given && - !auth_request_set_username(request, username, &error)) { - e_info(request->mech_event, "%s", error); + !sasl_server_request_set_authid(request, + SASL_SERVER_AUTHID_TYPE_USERNAME, + username)) { oauth2_fail_invalid_request(oauth2_req); return; } diff --git a/src/auth/sasl-server-mech-otp.c b/src/auth/sasl-server-mech-otp.c index 330a0cf586..a1eca5716d 100644 --- a/src/auth/sasl-server-mech-otp.c +++ b/src/auth/sasl-server-mech-otp.c @@ -135,7 +135,7 @@ mech_otp_auth_phase1(struct otp_auth_request *request, const unsigned char *data, size_t data_size) { struct auth_request *auth_request = &request->auth_request; - const char *authenid, *error; + const char *authenid; size_t i, count; /* authorization ID \0 authentication ID @@ -156,8 +156,9 @@ mech_otp_auth_phase1(struct otp_auth_request *request, return; } - if (!auth_request_set_username(auth_request, authenid, &error)) { - e_info(auth_request->mech_event, "%s", error); + if (!sasl_server_request_set_authid( + auth_request, SASL_SERVER_AUTHID_TYPE_USERNAME, + authenid)) { sasl_server_request_failure(auth_request); return; } diff --git a/src/auth/sasl-server-mech-plain.c b/src/auth/sasl-server-mech-plain.c index 098fc1d7e7..db5de3e065 100644 
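Review bot: In the mech_oauthbearer_auth_continue hunk `error` is no longer written by the replaced call, yet its declaration is not removed the way the @@ -248 hunk does for mech_xoauth2_auth_continue; if this was its only use in that function, the variable is now unused and will warn (and break a -Werror build). The declaration is outside the hunk, so this is inferred; if `error` still serves another call in the function, nothing to do.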
--- a/src/auth/sasl-server-mech-plain.c +++ b/src/auth/sasl-server-mech-plain.c @@ -44,9 +44,9 @@ mech_plain_auth_continue(struct auth_request *request, /* invalid input */ e_info(request->mech_event, "invalid input"); sasl_server_request_failure(request); - } else if (!auth_request_set_username(request, authenid, &error)) { + } else if (!sasl_server_request_set_authid( + request, SASL_SERVER_AUTHID_TYPE_USERNAME, authenid)) { /* invalid username */ - e_info(request->mech_event, "%s", error); sasl_server_request_failure(request); } else if (*authid != '\0' && !auth_request_set_login_username(request, authid, &error)) { diff --git a/src/auth/sasl-server-mech-scram.c b/src/auth/sasl-server-mech-scram.c index 3735e70f70..fa4485f7db 100644 --- a/src/auth/sasl-server-mech-scram.c +++ b/src/auth/sasl-server-mech-scram.c @@ -67,13 +67,10 @@ mech_scram_set_username(struct auth_scram_server *asserver, struct scram_auth_request *request = container_of(asserver, struct scram_auth_request, scram_server); struct auth_request *auth_request = &request->auth_request; - const char *error; - if (!auth_request_set_username(auth_request, username, &error)) { - e_info(auth_request->mech_event, "%s", error); - return FALSE; - } - return TRUE; + return sasl_server_request_set_authid(auth_request, + SASL_SERVER_AUTHID_TYPE_USERNAME, + username); } static bool @@ -86,7 +83,7 @@ mech_scram_set_login_username(struct auth_scram_server *asserver, const char *error; if (!auth_request_set_login_username(auth_request, username, &error)) { - e_info(auth_request->mech_event, "login user: %s", error); + e_info(auth_request->event, "%s", error); return FALSE; } return TRUE; diff --git a/src/auth/sasl-server-mech-winbind.c b/src/auth/sasl-server-mech-winbind.c index edf1f75670..c366ae8c5d 100644 --- a/src/auth/sasl-server-mech-winbind.c +++ b/src/auth/sasl-server-mech-winbind.c 
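Review bot: In the mech_scram_set_login_username hunk the log line changes both the event and the message: `e_info(auth_request->mech_event, "login user: %s", error)` becomes `e_info(auth_request->event, "%s", error)`, while the same authzid rejection is still logged as `login user: %s` on mech_event in sasl-server-mech-digest-md5.c, sasl-server-mech-external.c and sasl-server-mech-plain.c within this commit. That looks unrelated to the stated purpose and makes the rejection log inconsistent across mechanisms, which matters for anyone correlating auth failures; keeping `e_info(auth_request->mech_event, "login user: %s", error);` would match the others, or the change deserves a sentence in the commit message.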
@@ -244,7 +244,7 @@ do_auth_continue(struct winbind_auth_request *request, "user not authenticated: %s", error); return HR_FAIL; } else if (strcmp(token[0], "AF") == 0) { - const char *user, *p, *error; + const char *user, *p; user = t_strarray_join(gss_spnego ? token+2 : token+1, " "); i_assert(user != NULL); @@ -257,11 +257,10 @@ do_auth_continue(struct winbind_auth_request *request, t_strdup_until(user, p), NULL); } - if (!auth_request_set_username(auth_request, user, &error)) { - e_info(auth_request->mech_event, - "%s", error); + if (!sasl_server_request_set_authid( + auth_request, SASL_SERVER_AUTHID_TYPE_USERNAME, + user)) return HR_FAIL; - } request->auth_request.passdb_success = TRUE; if (gss_spnego && strcmp(token[1], "*") != 0) { diff --git a/src/auth/sasl-server-protected.h b/src/auth/sasl-server-protected.h index c8dd77b8e6..48112c3872 100644 --- a/src/auth/sasl-server-protected.h +++ b/src/auth/sasl-server-protected.h @@ -67,6 +67,10 @@ void mech_oauth2_initialize(void); * Request */ +bool sasl_server_request_set_authid(struct auth_request *request, + enum sasl_server_authid_type authid_type, + const char *authid); + void sasl_server_request_output(struct auth_request *request, const void *data, size_t data_size); void sasl_server_request_success(struct auth_request *request, diff --git a/src/auth/sasl-server-request.c b/src/auth/sasl-server-request.c index c982c72e82..c06a5a8357 100644 --- a/src/auth/sasl-server-request.c +++ b/src/auth/sasl-server-request.c @@ -9,6 +9,13 @@ * Mechanism API */ +bool sasl_server_request_set_authid(struct auth_request *request, + enum sasl_server_authid_type authid_type, + const char *authid) +{ + return auth_sasl_request_set_authid(request, authid_type, authid); +} + void sasl_server_request_output(struct auth_request *request, const void *data, size_t data_size) {
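Review bot: The new sasl_server_request_set_authid() prototype in the sasl-server-protected.h hunk carries no comment, and every caller in this commit dropped its `e_info(..., "%s", error)` on rejection, so the contract that the callee (auth_sasl_request_set_authid(), not in this diff) logs the reason is now implicit. Suggest a comment above the prototype describing the three parameters, stating that FALSE means the authid was rejected and the caller must fail the request, and stating that the rejection reason is logged by the callee; the same applies to the definition in the sasl-server-request.c hunk. Also worth confirming that `enum sasl_server_authid_type` is visible from this header's existing includes, since the hunk adds none.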