static struct auth_request *
worker_auth_request_new(struct auth_worker_client *client, unsigned int id,
const char *const *args)
{
struct auth_request *auth_request;
const char *key, *value;
auth_request = auth_request_new_dummy();
client->refcount++;
auth_request->context = client;
auth_request->id = id;
for (; *args != NULL; args++) {
value = strchr(*args, '=');
if (value == NULL)
(void)auth_request_import(auth_request, *args, NULL);
else {
key = t_strdup_until(*args, value++);
(void)auth_request_import(auth_request, key, value);
}
}
auth_request_init(auth_request);
return auth_request;
}
static int
master_input_auth_request(struct auth_master_connection *conn, const char *args,
const char *cmd, struct auth_request **request_r,
const char **error_r)
{
struct auth_request *auth_request;
const char *const *list, *name, *arg, *username;
unsigned int id;
/* <id> <userid> [<parameters>] */
list = t_strsplit_tab(args);
if (list[0] == NULL || list[1] == NULL ||
str_to_uint(list[0], &id) < 0) {
i_error("BUG: Master sent broken %s", cmd);
return -1;
}
auth_request = auth_request_new_dummy();
auth_request->id = id;
auth_request->master = conn;
auth_master_connection_ref(conn);
username = list[1];
for (list += 2; *list != NULL; list++) {
arg = strchr(*list, '=');
if (arg == NULL) {
name = *list;
arg = "";
} else {
name = t_strdup_until(*list, arg);
arg++;
}
(void)auth_request_import_info(auth_request, name, arg);
}
if (auth_request->service == NULL) {
i_error("BUG: Master sent %s request without service", cmd);
auth_request_unref(&auth_request);
auth_master_connection_unref(&conn);
return -1;
}
auth_request_init(auth_request);
if (!auth_request_set_username(auth_request, username, error_r)) {
*request_r = auth_request;
return 0;
}
*request_r = auth_request;
return 1;
}
static int
postfix_input_auth_request(struct auth_postfix_connection *conn,
const char *username,
struct auth_request **request_r, const char **error_r)
{
struct auth_request *auth_request;
auth_request = auth_request_new_dummy();
auth_request->id = 1;
auth_request->context = conn;
auth_postfix_connection_ref(conn);
if (!auth_request_set_username(auth_request, username, error_r)) {
*request_r = auth_request;
return FALSE;
}
(void)auth_request_import_info(auth_request, "service", "postfix");
auth_request_init(auth_request);
*request_r = auth_request;
return TRUE;
}
bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
const char *args)
{
const struct mech_module *mech;
struct auth_request *request;
const char *const *list, *name, *arg, *initial_resp;
void *initial_resp_data;
unsigned int id;
buffer_t *buf;
i_assert(!handler->destroyed);
/* <id> <mechanism> [...] */
list = t_strsplit_tab(args);
if (list[0] == NULL || list[1] == NULL ||
str_to_uint(list[0], &id) < 0) {
i_error("BUG: Authentication client %u "
"sent broken AUTH request", handler->client_pid);
return FALSE;
}
if (handler->token_auth) {
mech = &mech_dovecot_token;
if (strcmp(list[1], mech->mech_name) != 0) {
/* unsupported mechanism */
i_error("BUG: Authentication client %u requested invalid "
"authentication mechanism %s (DOVECOT-TOKEN required)",
handler->client_pid, str_sanitize(list[1], MAX_MECH_NAME_LEN));
return FALSE;
}
} else {
mech = mech_module_find(list[1]);
if (mech == NULL) {
/* unsupported mechanism */
i_error("BUG: Authentication client %u requested unsupported "
"authentication mechanism %s", handler->client_pid,
str_sanitize(list[1], MAX_MECH_NAME_LEN));
return FALSE;
}
}
request = auth_request_new(mech);
request->handler = handler;
request->connect_uid = handler->connect_uid;
request->client_pid = handler->client_pid;
request->id = id;
request->auth_only = handler->master_callback == NULL;
/* parse optional parameters */
initial_resp = NULL;
for (list += 2; *list != NULL; list++) {
arg = strchr(*list, '=');
if (arg == NULL) {
name = *list;
arg = "";
} else {
name = t_strdup_until(*list, arg);
arg++;
}
if (auth_request_import_auth(request, name, arg))
;
else if (strcmp(name, "resp") == 0) {
initial_resp = arg;
/* this must be the last parameter */
list++;
break;
}
}
if (*list != NULL) {
i_error("BUG: Authentication client %u "
"sent AUTH parameters after 'resp'",
handler->client_pid);
auth_request_unref(&request);
return FALSE;
}
if (request->service == NULL) {
i_error("BUG: Authentication client %u "
"didn't specify service in request",
handler->client_pid);
auth_request_unref(&request);
return FALSE;
}
if (hash_table_lookup(handler->requests, POINTER_CAST(id)) != NULL) {
i_error("BUG: Authentication client %u "
"sent a duplicate ID %u", handler->client_pid, id);
auth_request_unref(&request);
return FALSE;
}
auth_request_init(request);
request->to_abort = timeout_add(MASTER_AUTH_SERVER_TIMEOUT_SECS * 1000,
auth_request_timeout, request);
hash_table_insert(handler->requests, POINTER_CAST(id), request);
if (request->set->ssl_require_client_cert &&
!request->valid_client_cert) {
/* we fail without valid certificate */
auth_request_handler_auth_fail(handler, request,
"Client didn't present valid SSL certificate");
return TRUE;
}
/* Empty initial response is a "=" base64 string. Completely empty
string shouldn't really be sent, but at least Exim does it,
so just allow it for backwards compatibility.. */
if (initial_resp != NULL && *initial_resp != '\0') {
size_t len = strlen(initial_resp);
buf = buffer_create_dynamic(pool_datastack_create(),
MAX_BASE64_DECODED_SIZE(len));
if (base64_decode(initial_resp, len, NULL, buf) < 0) {
auth_request_handler_auth_fail(handler, request,
"Invalid base64 data in initial response");
return TRUE;
}
initial_resp_data =
p_malloc(request->pool, I_MAX(buf->used, 1));
memcpy(initial_resp_data, buf->data, buf->used);
request->initial_response = initial_resp_data;
request->initial_response_len = buf->used;
}
/* handler is referenced until auth_request_handler_reply()
is called. */
handler->refcount++;
/* before we start authenticating, see if we need to wait first */
auth_penalty_lookup(auth_penalty, request, auth_penalty_callback);
return TRUE;
}
