From 73ea09d00148edd2db2a59a71ec91f7bab06697b Mon Sep 17 00:00:00 2001
From: Stephan Bosch
Date: Tue, 3 Oct 2023 01:29:25 +0200
Subject: [PATCH] auth: Move all final SASL response handling to login-common

Success response was still handled in auth service, which makes little sense.
---
 src/auth/auth-request-fields.c | 2 --
 src/auth/auth-request.c | 8 ------
 src/auth/auth-request.h | 1 -
 src/lib-auth-client/auth-client-request.c | 2 --
 src/lib-auth-client/auth-client.h | 2 --
 src/login-common/sasl-server.c | 30 +++++++++++++++++++----
 6 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/src/auth/auth-request-fields.c b/src/auth/auth-request-fields.c
index 22cc1cccd6..4e57fa4175 100644
--- a/src/auth/auth-request-fields.c
+++ b/src/auth/auth-request-fields.c
@@ -226,8 +226,6 @@ bool auth_request_import_auth(struct auth_request *request,
 event_add_str(request->event, "transport", "secured");
 }
 }
- else if (strcmp(key, "final-resp-ok") == 0)
- fields->final_resp_ok = TRUE;
 else if (strcmp(key, "no-penalty") == 0)
 fields->no_penalty = TRUE;
 else if (strcmp(key, "valid-client-cert") == 0)
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index a40158cfc5..dabb8bd02b 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -271,14 +271,6 @@ void auth_request_success_continue(struct auth_policy_check_ctx *ctx)
 return;
 }
- if (ctx->success_data->used > 0 && !request->fields.final_resp_ok) {
- /* we'll need one more SASL round, since client doesn't support the final SASL response */
- auth_request_handler_reply_continue(request, ctx->success_data->data, ctx->success_data->used);
- return;
- }
-
 auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);
 auth_request_refresh_last_access(request);
 auth_request_handler_reply(request, AUTH_CLIENT_RESULT_SUCCESS,
diff --git a/src/auth/auth-request.h b/src/auth/auth-request.h
index a394112893..d19c4296f7 100644
--- a/src/auth/auth-request.h
+++ b/src/auth/auth-request.h
@@ -91,7 +91,6 @@ struct auth_request_fields {
 bool skip_password_check:1;
 /* flags received from auth client: */
- bool final_resp_ok:1;
 bool no_penalty:1;
 bool valid_client_cert:1;
 bool cert_username:1;
diff --git a/src/lib-auth-client/auth-client-request.c b/src/lib-auth-client/auth-client-request.c
index 6f6e749b58..de879e73c3 100644
--- a/src/lib-auth-client/auth-client-request.c
+++ b/src/lib-auth-client/auth-client-request.c
@@ -25,8 +25,6 @@ static void auth_server_send_new_request(struct auth_client_connection *conn,
 event_add_str(request->event, "mechanism", info->mech);
 event_add_str(request->event, "service", info->service);
- if ((info->flags & AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP) != 0)
- str_append(str, "\tfinal-resp-ok");
 if ((info->flags & AUTH_REQUEST_FLAG_CONN_SECURED) != 0) {
 str_append(str, "\tsecured");
 if ((info->flags & AUTH_REQUEST_FLAG_CONN_SECURED_TLS) != 0) {
diff --git a/src/lib-auth-client/auth-client.h b/src/lib-auth-client/auth-client.h
index d54448e79c..79b23bd848 100644
--- a/src/lib-auth-client/auth-client.h
+++ b/src/lib-auth-client/auth-client.h
@@ -17,8 +17,6 @@ enum auth_request_flags {
 AUTH_REQUEST_FLAG_VALID_CLIENT_CERT = 0x02,
 /* Skip penalty checks for this request */
 AUTH_REQUEST_FLAG_NO_PENALTY = 0x04,
- /* Support final SASL response */
- AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP = 0x08,
 /* Enable auth_debug=yes logging for this request */
 AUTH_REQUEST_FLAG_DEBUG = 0x10,
 /* Connection from the previous hop is secured by TLS. */
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index cb0370884a..147474fc69 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -113,8 +113,6 @@ client_get_auth_flags(struct client *client)
 auth_flags |= AUTH_REQUEST_FLAG_CONN_SECURED_TLS;
 if (client->connection_secured)
 auth_flags |= AUTH_REQUEST_FLAG_CONN_SECURED;
- if (login_binary->sasl_support_final_reply)
- auth_flags |= AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP;
 return auth_flags;
 }
@@ -345,6 +343,7 @@ authenticate_callback(struct auth_client_request *request,
 const char *const *args, void *context)
 {
 struct client *client = context;
+ const char *sasl_final_delayed_resp;
 unsigned int i;
 if (!client->authenticating) {
@@ -367,6 +366,7 @@ authenticate_callback(struct auth_client_request *request,
 client->auth_passdb_args = p_strarray_dup(client->pool, args);
 client->postlogin_socket_path = NULL;
+ sasl_final_delayed_resp = NULL;
 for (i = 0; args[i] != NULL; i++) {
 const char *key, *value;
 t_split_key_value_eq(args[i], &key, &value);
@@ -385,10 +385,22 @@ authenticate_callback(struct auth_client_request *request,
 client->auth_anonymous = TRUE;
 } else if (str_begins(args[i], "event_", &key)) {
 event_add_str(client->event_auth, key, value);
+ } else if (strcmp(key, "resp") == 0) {
+ sasl_final_delayed_resp = p_strdup(client->preproxy_pool, value);
 }
 }
- sasl_server_auth_success_finish(client, args);
+ if (sasl_final_delayed_resp != NULL && !login_binary->sasl_support_final_reply) {
+ client->final_response = TRUE;
+ client->final_args = p_strarray_dup(client->preproxy_pool, args);
+ client->delayed_final_reply = SASL_SERVER_REPLY_SUCCESS;
+ client->sasl_callback(client, SASL_SERVER_REPLY_CONTINUE, sasl_final_delayed_resp, NULL);
+ } else {
+ sasl_server_auth_success_finish(client, args);
+ }
 break;
 case AUTH_REQUEST_STATUS_INTERNAL_FAIL:
 client->auth_process_comm_fail = TRUE;
@@ -397,7 +409,7 @@ authenticate_callback(struct auth_client_request *request,
 case AUTH_REQUEST_STATUS_ABORT:
 client->auth_request = NULL;
- const char *sasl_final_delayed_resp = NULL;
+ sasl_final_delayed_resp = NULL;
 if (args != NULL) {
 /* parse our username if it's there */
 for (i = 0; args[i] != NULL; i++) {
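Review bot: The new function-scope `sasl_final_delayed_resp` in the first sasl-server.c hunk of authenticate_callback is declared without an initializer and then reset to NULL separately in the SUCCESS case (hunk @@ -367) and the ABORT case (hunk @@ -397). Initialising it once at the declaration, `const char *sasl_final_delayed_resp = NULL;`, lets both assignments go and removes the chance that a future case label reads it before it is assigned. authenticate_callback's body starts before and ends after these hunks.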
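Review bot: The new delayed-success branch, `if (sasl_final_delayed_resp != NULL && !login_binary->sasl_support_final_reply)`, loses the explanation that the removed auth-request.c code carried; a comment such as `/* Client can't take data together with the final SASL reply: send it as one more CONTINUE round and finish in sasl_server_auth_handle_delayed_final() */` above the `if` would make the extra round trip obvious to the next reader. The `resp` value and `final_args` are copied into `client->preproxy_pool` while `auth_passdb_args` goes to `client->pool`; presumably intentional, but a word on why the two copies have different lifetimes would help. The client's reply to that emulated CONTINUE is consumed outside this hunk; it should be treated as a protocol error if it carries data rather than as completing the exchange, and that check is worth confirming where the reply is read. The enclosing switch and function continue outside the hunk.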
@@ -640,8 +652,16 @@ bool sasl_server_auth_handle_delayed_final(struct client *client)
 if (!client->final_response)
 return FALSE;
 client->final_response = FALSE;
- client->authenticating = FALSE;
 client->auth_client_continue_pending = FALSE;
+
+ if (client->delayed_final_reply == SASL_SERVER_REPLY_SUCCESS) {
+ const char *const *args = client->final_args;
+
+ sasl_server_auth_success_finish(client, args);
+ return TRUE;
+ }
+
+ client->authenticating = FALSE;
 call_client_callback(client, client->delayed_final_reply, NULL, client->final_args);
--
2.47.3
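Review bot: The new early return for `SASL_SERVER_REPLY_SUCCESS` runs before the moved `client->authenticating = FALSE;`, so the flag is left set on that path; the immediate-success path in authenticate_callback calls `sasl_server_auth_success_finish()` the same way without clearing it, so presumably that function does, but its body is not in the patch and this is worth confirming. The local `args` is a plain alias and can go: `sasl_server_auth_success_finish(client, client->final_args);`. Because this function receives only `client`, whatever the client sent in reply to the emulated final CONTINUE is not inspected here; the caller should reject a non-empty reply before calling it, otherwise a delayed success completes regardless of the client's last message. sasl_server_auth_handle_delayed_final's body continues past the hunk.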