if (data_size == 0) {
/* Should never happen */
- e_info(req->mech_event,
- "no initial response");
+ e_info(req->event, "no initial response");
sasl_server_request_failure(req);
return;
}
tmp++;
} else {
/* should never happen */
- e_info(req->mech_event,
- "malformed data");
+ e_info(req->event, "malformed data");
sasl_server_request_failure(req);
return;
}
if (tmp + 1 + 16 != end) {
/* Should never happen */
- e_info(req->mech_event,
- "malformed data");
+ e_info(req->event, "malformed data");
sasl_server_request_failure(req);
return;
}
connect_uid != auth_request->connect_uid ||
pid != (unsigned long)getpid() ||
(time_t)timestamp < process_start_time) {
- e_info(req->mech_event,
- "invalid challenge");
+ e_info(req->event, "invalid challenge");
sasl_server_request_failure(req);
return;
}
if (count != 4) {
/* invalid input */
- e_info(request->mech_event, "invalid input");
+ e_info(request->event, "invalid input");
sasl_server_request_failure(request);
} else if (!sasl_server_request_set_authid(
request, SASL_SERVER_AUTHID_TYPE_USERNAME, username)) {
const char *response_hex;
if (size != CRAM_MD5_CONTEXTLEN) {
- e_error(auth_request->mech_event, "invalid credentials length");
+ e_error(auth_request->event, "invalid credentials length");
sasl_server_request_failure(auth_request);
return;
}
if (!mem_equals_timing_safe(response_hex, request->response,
sizeof(digest) * 2)) {
- e_info(auth_request->mech_event,
- AUTH_LOG_MSG_PASSWORD_MISMATCH);
+ e_info(auth_request->event, AUTH_LOG_MSG_PASSWORD_MISMATCH);
sasl_server_request_failure(auth_request);
return;
}
the rightmost space is the response separator. */
for (i = space = 0; i < size; i++) {
if (data[i] == '\0') {
- e_info(auth_request->mech_event, "NULs in response");
+ e_info(auth_request->event, "NULs in response");
return FALSE;
}
if (data[i] == ' ')
}
if (space == 0) {
- e_info(auth_request->mech_event, "missing digest");
+ e_info(auth_request->event, "missing digest");
return FALSE;
}
/* get the MD5 password */
if (size != MD5_RESULTLEN) {
- e_error(auth_request->mech_event,
- "invalid credentials length");
+ e_error(auth_request->event, "invalid credentials length");
sasl_server_request_failure(auth_request);
return;
}
/* verify response */
if (!mem_equals_timing_safe(response_hex,
request->response, 32)) {
- e_info(auth_request->mech_event,
+ e_info(auth_request->event,
AUTH_LOG_MSG_PASSWORD_MISMATCH);
sasl_server_request_failure(auth_request);
return;
const char *error;
if (!parse_digest_response(request, data, data_size, &error)) {
- e_info(auth_request->mech_event, "%s", error);
+ e_info(auth_request->event, "%s", error);
sasl_server_request_failure(auth_request);
return;
}
status_type, GSS_C_NO_OID,
&message_context, &status_string);
- e_info(auth_request->mech_event,
- "While %s: %s", description,
+ e_info(auth_request->event, "While %s: %s", description,
str_sanitize(status_string.value, SIZE_MAX));
(void)gss_release_buffer(&minor_status, &status_string);
gss_name_t gss_principal;
if (strcmp(gss_mech->hostname, "$ALL") == 0) {
- e_debug(auth_request->mech_event,
- "Using all keytab entries");
+ e_debug(auth_request->event, "Using all keytab entries");
*ret_r = GSS_C_NO_CREDENTIAL;
return GSS_S_COMPLETE;
}
str_append_c(principal_name, '@');
str_append(principal_name, gss_mech->hostname);
- e_debug(auth_request->mech_event,
- "Obtaining credentials for %s", str_c(principal_name));
+ e_debug(auth_request->event, "Obtaining credentials for %s",
+ str_c(principal_name));
inbuf.length = str_len(principal_name);
inbuf.value = str_c_modifiable(principal_name);
return -1;
}
if (data_has_nuls(buf.value, buf.length)) {
- e_info(auth_request->mech_event, "authn_name has NULs");
+ e_info(auth_request->event, "authn_name has NULs");
return -1;
}
*display_name_r = t_strndup(buf.value, buf.length);
switch (major_status) {
case GSS_S_COMPLETE:
if (!mech_gssapi_oid_cmp(mech_type, &mech_gssapi_krb5_oid)) {
- e_info(auth_request->mech_event,
+ e_info(auth_request->event,
"GSSAPI mechanism not Kerberos5");
ret = -1;
} else if (get_display_name(request, request->authn_name,
ret = -1;
} else {
request->sasl_gssapi_state = GSS_STATE_WRAP;
- e_debug(auth_request->mech_event,
+ e_debug(auth_request->event,
"security context state completed.");
}
break;
case GSS_S_CONTINUE_NEEDED:
- e_debug(auth_request->mech_event,
+ e_debug(auth_request->event,
"Processed incoming packet correctly, "
"waiting for another.");
break;
default:
- e_error(auth_request->mech_event,
+ e_error(auth_request->event,
"Received unexpected major status %d", major_status);
break;
}
return -1;
}
- e_debug(auth_request->mech_event, "Negotiated security layer");
+ e_debug(auth_request->event, "Negotiated security layer");
sasl_server_request_output(auth_request, outbuf.value, outbuf.length);
authorized_names = t_strsplit_spaces(value, ",");
for (tmp = authorized_names; *tmp != NULL; tmp++) {
if (strcmp(*tmp, name) == 0) {
- e_debug(auth_request->mech_event,
+ e_debug(auth_request->event,
"authorized by k5principals field: %s", name);
return TRUE;
}
if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) &&
check_name_type) {
- e_info(auth_request->mech_event,
- "OID not kerberos principal name");
+ e_info(auth_request->event, "OID not kerberos principal name");
return FALSE;
}
/* Init a krb5 context and parse the principal username */
krb5_err = krb5_init_context(&ctx);
if (krb5_err != 0) {
- e_error(auth_request->mech_event,
- "krb5_init_context() failed: %d", (int)krb5_err);
+ e_error(auth_request->event, "krb5_init_context() failed: %d",
+ (int)krb5_err);
return FALSE;
}
krb5_err = krb5_parse_name(ctx, princ_display_name, &princ);
/* writing the error string would be better, but we probably
rarely get here and there doesn't seem to be a standard
way of getting it */
- e_info(auth_request->mech_event,
- "krb5_parse_name() failed: %d", (int)krb5_err);
+ e_info(auth_request->event, "krb5_parse_name() failed: %d",
+ (int)krb5_err);
} else {
/* See if the principal is in the list of authorized principals
for the user */
if (!mech_gssapi_krb5_userok(request, request->authn_name,
login_user, TRUE)) {
- e_info(auth_request->mech_event,
+ e_info(auth_request->event,
"User not authorized to log in as %s", login_user);
return -1;
}
struct sasl_server_mech_request *auth_request = &request->auth_request;
OM_uint32 major_status, minor_status;
gss_buffer_desc outbuf;
- const char *login_user, *error;
+ const char *login_user;
unsigned char *name;
size_t name_len;
/* outbuf[0] contains bitmask for selected security layer,
outbuf[1..3] contains maximum output_message size */
if (outbuf.length < 4) {
- e_error(auth_request->mech_event,
- "Invalid response length");
+ e_error(auth_request->event, "Invalid response length");
(void)gss_release_buffer(&minor_status, &outbuf);
return -1;
}
name_len = outbuf.length - 4;
if (data_has_nuls(name, name_len)) {
- e_info(auth_request->mech_event,
- "authz_name has NULs");
+ e_info(auth_request->event, "authz_name has NULs");
(void)gss_release_buffer(&minor_status, &outbuf);
return -1;
}
}
if (request->authz_name == GSS_C_NO_NAME) {
- e_info(auth_request->mech_event,
- "no authz_name");
+ e_info(auth_request->event, "no authz_name");
(void)gss_release_buffer(&minor_status, &outbuf);
return -1;
}
if (!sasl_server_request_set_authid(auth_request,
SASL_SERVER_AUTHID_TYPE_USERNAME,
login_user)) {
- e_info(auth_request->mech_event,
- "authz_name: %s", error);
(void)gss_release_buffer(&minor_status, &outbuf);
return -1;
}
if (auth_gs2_header_decode(data, data_size, FALSE,
&gs2_header, &gs2_header_end, &error) < 0) {
- e_info(request->mech_event, "Invalid gs2-header in request: %s",
+ e_info(request->event, "Invalid gs2-header in request: %s",
error);
oauth2_fail_invalid_request(oauth2_req);
return;
}
if (gs2_header.authzid == NULL) {
- e_info(request->mech_event, "Missing username");
+ e_info(request->event, "Missing username");
oauth2_fail_invalid_request(oauth2_req);
return;
}
}
if (gs2_header.cbind.status == AUTH_GS2_CBIND_STATUS_PROVIDED) {
/* channel binding is not supported */
- e_info(request->mech_event,
+ e_info(request->event,
"Client requested and used channel-binding");
oauth2_fail_invalid_request(oauth2_req);
return;
size_t payload_size = data_size - gs2_header_size;
if (payload_size == 0) {
- e_info(request->mech_event, "Response payload is missing");
+ e_info(request->event, "Response payload is missing");
oauth2_fail_invalid_request(oauth2_req);
return;
}
if (*gs2_header_end != '\x01') {
- e_info(request->mech_event, "Invalid gs2-header in request: "
+ e_info(request->event, "Invalid gs2-header in request: "
"Spurious data at end of header");
oauth2_fail_invalid_request(oauth2_req);
return;
oauth2_valid_token(value)) {
token = value;
} else {
- e_info(request->mech_event,
+ e_info(request->event,
"Invalid response payload");
oauth2_fail_invalid_token(oauth2_req);
return;
/* do not fail on unexpected fields */
}
if (token == NULL) {
- e_info(request->mech_event, "Missing token");
+ e_info(request->event, "Missing token");
oauth2_fail_invalid_token(oauth2_req);
return;
}
oauth2_valid_token(value)) {
token = value;
} else {
- e_info(request->mech_event,
- "Invalid response data");
+ e_info(request->event, "Invalid response data");
oauth2_fail_invalid_token(oauth2_req);
return;
}
return;
}
if (token == NULL) {
- e_info(request->mech_event, "Missing token");
+ e_info(request->event, "Missing token");
oauth2_fail_invalid_request(oauth2_req);
return;
} else if (!user_given) {
- e_info(request->mech_event, "Missing username");
+ e_info(request->event, "Missing username");
oauth2_fail_invalid_request(oauth2_req);
return;
}
if (otp_parse_dbentry(t_strndup(credentials, size),
&request->state) != 0) {
- e_error(auth_request->mech_event,
- "invalid OTP data in passdb");
+ e_error(auth_request->event, "invalid OTP data in passdb");
sasl_server_request_failure(auth_request);
return;
}
if (--request->state.seq < 1) {
- e_error(auth_request->mech_event,
- "sequence number < 1");
+ e_error(auth_request->event, "sequence number < 1");
sasl_server_request_failure(auth_request);
return;
}
if (!otp_try_lock(request)) {
- e_error(auth_request->mech_event,
- "user is locked, race attack?");
+ e_error(auth_request->event, "user is locked, race attack?");
sasl_server_request_failure(auth_request);
return;
}
}
if (count != 1) {
- e_info(auth_request->mech_event, "invalid input");
+ e_info(auth_request->event, "invalid input");
sasl_server_request_failure(auth_request);
return;
}
ret = otp_parse_response(data, hash, hex);
if (ret < 0) {
- e_info(auth_request->mech_event, "invalid response");
+ e_info(auth_request->event, "invalid response");
sasl_server_request_failure(auth_request);
otp_unlock(request);
return;
ret = otp_parse_init_response(data, &new_state, cur_hash, hex, &error);
if (ret < 0) {
- e_info(auth_request->mech_event,
- "invalid init response, %s", error);
+ e_info(auth_request->event, "invalid init response, %s", error);
sasl_server_request_failure(auth_request);
otp_unlock(request);
return;
else if (str_begins(str, "init-word:", &value))
mech_otp_verify_init(request, value, FALSE);
else {
- e_info(auth_request->mech_event,
- "unsupported response type");
+ e_info(auth_request->event, "unsupported response type");
sasl_server_request_failure(auth_request);
otp_unlock(request);
}
if (count != 2) {
/* invalid input */
- e_info(request->mech_event, "invalid input");
+ e_info(request->event, "invalid input");
sasl_server_request_failure(request);
} else if (!sasl_server_request_set_authid(
request, SASL_SERVER_AUTHID_TYPE_USERNAME, authenid)) {
key_data->stored_key,
key_data->server_key,
&error) < 0) {
- e_info(auth_request->mech_event, "%s", error);
+ e_info(auth_request->event, "%s", error);
sasl_server_request_failure(auth_request);
break;
}
case AUTH_SCRAM_SERVER_ERROR_NONE:
i_unreached();
case AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION:
- e_info(auth_request->mech_event, "%s", error);
+ e_info(auth_request->event, "%s", error);
break;
case AUTH_SCRAM_SERVER_ERROR_BAD_USERNAME:
case AUTH_SCRAM_SERVER_ERROR_BAD_LOGIN_USERNAME:
case AUTH_SCRAM_SERVER_ERROR_LOOKUP_FAILED:
break;
case AUTH_SCRAM_SERVER_ERROR_VERIFICATION_FAILED:
- e_info(auth_request->mech_event,
+ e_info(auth_request->event,
AUTH_LOG_MSG_PASSWORD_MISMATCH);
break;
}
if (o_stream_send(request->winbind->out_pipe,
str_data(str), str_len(str)) < 0 ||
o_stream_flush(request->winbind->out_pipe) < 0) {
- e_error(auth_request->mech_event,
+ e_error(auth_request->event,
"write(out_pipe) failed: %s",
o_stream_get_error(request->winbind->out_pipe));
return HR_RESTART;
}
if (answer == NULL) {
if (in_pipe->stream_errno != 0) {
- e_error(auth_request->mech_event,
+ e_error(auth_request->event,
"read(in_pipe) failed: %m");
} else {
- e_error(auth_request->mech_event,
+ e_error(auth_request->event,
"read(in_pipe) failed: "
"unexpected end of file");
}
if (token[0] == NULL ||
(token[1] == NULL && strcmp(token[0], "BH") != 0) ||
(gss_spnego && (token[1] == NULL || token[2] == NULL))) {
- e_error(auth_request->mech_event,
- "Invalid input from helper: %s", answer);
+ e_error(auth_request->event, "Invalid input from helper: %s",
+ answer);
return HR_RESTART;
}
} else if (strcmp(token[0], "NA") == 0) {
const char *error = gss_spnego ? token[2] : token[1];
- e_info(auth_request->mech_event,
- "user not authenticated: %s", error);
+ e_info(auth_request->event, "user not authenticated: %s",
+ error);
return HR_FAIL;
} else if (strcmp(token[0], "AF") == 0) {
const char *user, *p;
}
return HR_OK;
} else if (strcmp(token[0], "BH") == 0) {
- e_info(auth_request->mech_event,
+ e_info(auth_request->event,
"ntlm_auth reports broken helper: %s",
token[1] != NULL ? token[1] : "");
return HR_RESTART;
} else {
- e_error(auth_request->mech_event,
+ e_error(auth_request->event,
"Invalid input from helper: %s", answer);
return HR_RESTART;
}
container_of(auth_request,
struct winbind_auth_request, auth_request);
- winbind_helper_connect(request->winbind, wb_mech,
- auth_request->mech_event);
+ winbind_helper_connect(request->winbind, wb_mech, auth_request->event);
sasl_server_mech_generic_auth_initial(auth_request, data, data_size);
}
pool_t pool;
const struct sasl_server_mech *mech;
struct sasl_server_request *req;
- struct event *mech_event;
+ struct event *event;
const char *protocol;
const char *authid;
mreq->req = req;
mreq->set = &sinst->set;
mreq->mech = mech;
- mreq->mech_event = req->event;
+ mreq->event = req->event;
mreq->protocol = p_strdup(pool, protocol);
req->mech = mreq;
if ((mech->def->flags & SASL_MECH_SEC_ALLOW_NULS) != 0)
return FALSE;
if (memchr(data, '\0', data_size) != NULL) {
- e_debug(req->mech->mech_event, "Unexpected NUL in auth data");
+ e_debug(req->mech->event, "Unexpected NUL in auth data");
sasl_server_request_failure(req->mech);
return TRUE;
}
projects / thirdparty / dovecot / core.git / commitdiff
