static void prefetch_lookup(struct auth_request *auth_request,
userdb_callback_t *callback)
{
/* auth_request_set_field() should have already placed the userdb_*
values to userdb_reply. */
if (!auth_request->userdb_prefetch_set) {
if (auth_request_get_auth(auth_request)->userdbs->next == NULL) {
/* no other userdbs */
if (auth_request->userdb_lookup) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"userdb lookup not possible with only userdb prefetch");
} else {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"passdb didn't return userdb entries");
}
callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request);
return;
}
if (!auth_request->userdb_lookup || auth_request->set->debug) {
/* more userdbs, they may know the user */
auth_request_log_debug(auth_request, AUTH_SUBSYS_DB,
"passdb didn't return userdb entries, "
"trying the next userdb");
}
callback(USERDB_RESULT_USER_UNKNOWN, auth_request);
return;
}
auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "success");
callback(USERDB_RESULT_OK, auth_request);
}
static void
userdb_nss_lookup(struct auth_request *auth_request,
userdb_callback_t *callback)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct nss_userdb_module *module = (struct nss_userdb_module *)_module;
struct passwd pw;
enum nss_status status;
enum userdb_result result = USERDB_RESULT_INTERNAL_FAILURE;
int err;
auth_request_log_debug(auth_request, "nss", "lookup");
status = module->getpwnam_r(auth_request->user, &pw,
module->buf, module->bufsize, &err);
switch (status) {
case NSS_STATUS_TRYAGAIN:
auth_request_log_error(auth_request, "nss",
"returned tryagain (err=%d)", err);
break;
case NSS_STATUS_UNAVAIL:
auth_request_log_error(auth_request, "nss",
"unavailable (err=%d)", err);
break;
case NSS_STATUS_NOTFOUND:
auth_request_log_info(auth_request, "nss", "unknown user");
result = USERDB_RESULT_USER_UNKNOWN;
break;
case NSS_STATUS_SUCCESS:
result = USERDB_RESULT_OK;
break;
default:
auth_request_log_info(auth_request, "nss",
"returned %d (err=%d)", status, err);
break;
}
if (result != USERDB_RESULT_OK) {
callback(result, auth_request);
return;
}
auth_request_set_field(auth_request, "user", pw.pw_name, NULL);
auth_request_init_userdb_reply(auth_request);
auth_request_set_userdb_field(auth_request, "system_groups_user",
pw.pw_name);
auth_request_set_userdb_field(auth_request, "uid", dec2str(pw.pw_uid));
auth_request_set_userdb_field(auth_request, "gid", dec2str(pw.pw_gid));
auth_request_set_userdb_field(auth_request, "home", pw.pw_dir);
callback(USERDB_RESULT_OK, auth_request);
}
void checkpassword_child_output(struct chkpw_auth_request *request)
{
/* Send: username \0 password \0 timestamp \0.
Must be 512 bytes or less. The "timestamp" parameter is actually
useful only for APOP authentication. We don't support it, so
keep it empty */
struct auth_request *auth_request = request->request;
buffer_t *buf;
const unsigned char *data;
size_t size;
ssize_t ret;
buf = buffer_create_dynamic(pool_datastack_create(), 512+1);
buffer_append(buf, auth_request->user, strlen(auth_request->user)+1);
if (request->password != NULL)
buffer_append(buf, request->password, strlen(request->password)+1);
else
buffer_append_c(buf, '\0');
buffer_append_c(buf, '\0');
data = buffer_get_data(buf, &size);
if (size > 512) {
auth_request_log_error(request->request, "checkpassword",
"output larger than 512 bytes: %"PRIuSIZE_T, size);
request->finish_callback(request,
request->internal_failure_code);
return;
}
ret = write(request->fd_out, data + request->write_pos,
size - request->write_pos);
if (ret <= 0) {
if (ret < 0) {
auth_request_log_error(request->request,
"checkpassword", "write() failed: %m");
}
request->finish_callback(request,
request->internal_failure_code);
return;
}
request->write_pos += ret;
if (request->write_pos < size)
return;
io_remove(&request->io_out);
if (close(request->fd_out) < 0)
i_error("checkpassword: close() failed: %m");
request->fd_out = -1;
}
static void userdb_dict_lookup(struct auth_request *auth_request,
userdb_callback_t *callback)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct dict_userdb_module *module =
(struct dict_userdb_module *)_module;
struct db_dict_value_iter *iter;
enum userdb_result userdb_result;
int ret;
if (array_count(&module->conn->set.userdb_fields) == 0 &&
array_count(&module->conn->set.parsed_userdb_objects) == 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"No userdb_objects or userdb_fields specified");
callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request);
return;
}
ret = db_dict_value_iter_init(module->conn, auth_request,
&module->conn->set.userdb_fields,
&module->conn->set.parsed_userdb_objects,
&iter);
if (ret < 0)
userdb_result = USERDB_RESULT_INTERNAL_FAILURE;
else if (ret == 0) {
auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB);
userdb_result = USERDB_RESULT_USER_UNKNOWN;
} else {
if (dict_query_save_results(auth_request, iter) < 0)
userdb_result = USERDB_RESULT_INTERNAL_FAILURE;
else
userdb_result = USERDB_RESULT_OK;
}
callback(userdb_result, auth_request);
}
static void ATTR_NORETURN
checkpassword_lookup_child(struct auth_request *request,
struct checkpassword_userdb_module *module,
int fd_in, int fd_out)
{
const char *cmd, *const *args;
if (dup2(fd_out, 3) < 0 || dup2(fd_in, 4) < 0) {
auth_request_log_error(request, "userdb-checkpassword",
"dup2() failed: %m");
} else {
/* We want to retrieve user data and don't do
authorization, so we need to signalize the
checkpassword program that the password shall be
ignored by setting AUTHORIZED. This needs a
special checkpassword program which knows how to
handle this. */
env_put("AUTHORIZED=1");
checkpassword_setup_env(request);
cmd = checkpassword_get_cmd(request, module->checkpassword_path,
module->checkpassword_reply_path);
auth_request_log_debug(request, "userdb-checkpassword",
"execute: %s", cmd);
/* very simple argument splitting. */
args = t_strsplit(cmd, " ");
execv_const(args[0], args);
}
exit(2);
}
static void checkpassword_request_finish(struct chkpw_auth_request *request,
enum userdb_result result)
{
struct userdb_module *_module = request->request->userdb->userdb;
struct checkpassword_userdb_module *module =
(struct checkpassword_userdb_module *)_module;
userdb_callback_t *callback =
(userdb_callback_t *)request->callback;
hash_table_remove(module->clients, POINTER_CAST(request->pid));
if (result == USERDB_RESULT_OK) {
if (strchr(str_c(request->input_buf), '\n') != NULL) {
auth_request_log_error(request->request,
"userdb-checkpassword",
"LF characters in checkpassword reply");
result = USERDB_RESULT_INTERNAL_FAILURE;
} else {
auth_request_init_userdb_reply(request->request);
auth_request_set_fields(request->request,
t_strsplit(str_c(request->input_buf), "\t"),
NULL);
}
}
callback(result, request->request);
auth_request_unref(&request->request);
checkpassword_request_free(request);
}
static void
checkpassword_request_half_finish(struct chkpw_auth_request *request)
{
if (!request->exited || request->fd_in != -1)
return;
switch (request->exit_status) {
case 3:
/* User does not exist. */
auth_request_log_info(request->request, "userdb-checkpassword",
"User unknown");
checkpassword_request_finish(request,
USERDB_RESULT_USER_UNKNOWN);
break;
case 2:
/* This is intentionally not 0. checkpassword-reply exits with
2 on success when AUTHORIZED is set. */
if (request->input_buf != NULL) {
checkpassword_request_finish(request, USERDB_RESULT_OK);
break;
}
/* missing input - fall through */
default:
/* whatever error... */
auth_request_log_error(request->request, "userdb-checkpassword",
"Child %s exited with status %d",
dec2str(request->pid), request->exit_status);
checkpassword_request_finish(request,
USERDB_RESULT_INTERNAL_FAILURE);
break;
}
}
static bool verify_credentials(struct cram_auth_request *request,
const unsigned char *credentials, size_t size)
{
unsigned char digest[MD5_RESULTLEN];
struct hmac_context ctx;
const char *response_hex;
if (size != CRAM_MD5_CONTEXTLEN) {
auth_request_log_error(&request->auth_request, AUTH_SUBSYS_MECH,
"invalid credentials length");
return FALSE;
}
hmac_init(&ctx, NULL, 0, &hash_method_md5);
hmac_md5_set_cram_context(&ctx, credentials);
hmac_update(&ctx, request->challenge, strlen(request->challenge));
hmac_final(&ctx, digest);
response_hex = binary_to_hex(digest, sizeof(digest));
if (memcmp(response_hex, request->response, sizeof(digest)*2) != 0) {
auth_request_log_info(&request->auth_request, AUTH_SUBSYS_MECH,
"password mismatch");
return FALSE;
}
return TRUE;
}
void checkpassword_child_input(struct chkpw_auth_request *request)
{
unsigned char buf[1024];
ssize_t ret;
ret = read(request->fd_in, buf, sizeof(buf));
if (ret <= 0) {
if (ret < 0) {
auth_request_log_error(request->request,
"checkpassword", "read() failed: %m");
}
auth_request_log_debug(request->request, "checkpassword",
"Received no input");
checkpassword_request_close(request);
request->half_finish_callback(request);
} else {
if (request->input_buf == NULL)
request->input_buf = str_new(default_pool, 512);
str_append_n(request->input_buf, buf, ret);
auth_request_log_debug(request->request, "checkpassword",
"Received input: %s", str_c(request->input_buf));
}
}
static int
user_verify_restricted_uid(struct auth_request *auth_request)
{
struct auth_master_connection *conn = auth_request->master;
struct auth_fields *reply = auth_request->userdb_reply;
const char *value, *reason;
uid_t uid;
if (conn->userdb_restricted_uid == 0)
return 0;
value = auth_fields_find(reply, "uid");
if (value == NULL)
reason = "userdb reply doesn't contain uid";
else if (str_to_uid(value, &uid) < 0)
reason = "userdb reply contains invalid uid";
else if (uid != conn->userdb_restricted_uid) {
reason = t_strdup_printf(
"userdb uid (%s) doesn't match peer uid (%s)",
dec2str(uid), dec2str(conn->userdb_restricted_uid));
} else {
return 0;
}
auth_request_log_error(auth_request, "userdb",
"client doesn't have lookup permissions for this user: %s "
"(to bypass this check, set: service auth { unix_listener %s { mode=0777 } })",
reason, conn->path);
return -1;
}
static void
passdb_imap_login_callback(const struct imapc_command_reply *reply,
void *context)
{
struct imap_auth_request *request = context;
struct imapc_client *client = request->client;
enum passdb_result result = PASSDB_RESULT_INTERNAL_FAILURE;
switch (reply->state) {
case IMAPC_COMMAND_STATE_OK:
result = PASSDB_RESULT_OK;
break;
case IMAPC_COMMAND_STATE_NO:
result = passdb_imap_get_failure_result(reply);
auth_request_log_info(request->auth_request, AUTH_SUBSYS_DB,
"%s", reply->text_full);
break;
case IMAPC_COMMAND_STATE_BAD:
case IMAPC_COMMAND_STATE_DISCONNECTED:
auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
"%s", reply->text_full);
break;
}
request->verify_callback(result, request->auth_request);
imapc_client_deinit(&client);
auth_request_unref(&request->auth_request);
}
static void
ldap_bind_lookup_dn_fail(struct auth_request *auth_request,
struct passdb_ldap_request *request,
LDAPMessage *res)
{
enum passdb_result passdb_result;
if (res == NULL)
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
else if (request->entries == 0) {
passdb_result = PASSDB_RESULT_USER_UNKNOWN;
auth_request_log_info(auth_request, "ldap",
"unknown user");
} else {
i_assert(request->entries > 1);
auth_request_log_error(auth_request, "ldap",
"pass_filter matched multiple objects, aborting");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
}
if (auth_request->credentials_scheme != NULL) {
request->callback.lookup_credentials(passdb_result, NULL, 0,
auth_request);
} else {
request->callback.verify_plain(passdb_result, auth_request);
}
auth_request_unref(&auth_request);
}
static enum passdb_result
passdb_dict_lookup_key(struct auth_request *auth_request,
struct dict_passdb_module *module, const char *key)
{
const char *value;
int ret;
auth_request_log_debug(auth_request, "dict", "lookup %s", key);
ret = dict_lookup(module->conn->dict, pool_datastack_create(),
key, &value);
if (ret < 0) {
auth_request_log_error(auth_request, "dict", "Lookup failed");
return PASSDB_RESULT_INTERNAL_FAILURE;
} else if (ret == 0) {
auth_request_log_unknown_user(auth_request, "dict");
return PASSDB_RESULT_USER_UNKNOWN;
} else {
auth_request_log_debug(auth_request, "dict",
"result: %s", value);
if (dict_query_save_results(auth_request, module->conn, value) < 0)
return PASSDB_RESULT_INTERNAL_FAILURE;
if (auth_request->passdb_password == NULL &&
!auth_fields_exists(auth_request->extra_fields, "nopassword")) {
auth_request_log_info(auth_request, "dict",
"No password returned (and no nopassword)");
return PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
return PASSDB_RESULT_OK;
}
}
}
static enum passdb_result
passwd_lookup(struct auth_request *request, struct passwd *pw_r)
{
auth_request_log_debug(request, AUTH_SUBSYS_DB, "lookup");
switch (i_getpwnam(request->user, pw_r)) {
case -1:
auth_request_log_error(request, AUTH_SUBSYS_DB,
"getpwnam() failed: %m");
return PASSDB_RESULT_INTERNAL_FAILURE;
case 0:
auth_request_log_unknown_user(request, AUTH_SUBSYS_DB);
return PASSDB_RESULT_USER_UNKNOWN;
}
if (!IS_VALID_PASSWD(pw_r->pw_passwd)) {
auth_request_log_info(request, AUTH_SUBSYS_DB,
"invalid password field '%s'", pw_r->pw_passwd);
return PASSDB_RESULT_USER_DISABLED;
}
/* save the password so cache can use it */
auth_request_set_field(request, "password", pw_r->pw_passwd,
PASSWD_PASS_SCHEME);
return PASSDB_RESULT_OK;
}
static struct userdb_iterate_context *
userdb_dict_iterate_init(struct auth_request *auth_request,
userdb_iter_callback_t *callback, void *context)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct dict_userdb_module *module =
(struct dict_userdb_module *)_module;
struct dict_userdb_iterate_context *ctx;
string_t *path;
const char *error;
ctx = i_new(struct dict_userdb_iterate_context, 1);
ctx->ctx.auth_request = auth_request;
ctx->ctx.callback = callback;
ctx->ctx.context = context;
auth_request_ref(auth_request);
if (*module->conn->set.iterate_prefix == '\0') {
if (!module->conn->set.iterate_disable) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"iterate: iterate_prefix not set");
ctx->ctx.failed = TRUE;
}
return &ctx->ctx;
}
path = t_str_new(128);
str_append(path, DICT_PATH_SHARED);
if (auth_request_var_expand(path, module->conn->set.iterate_prefix,
auth_request, NULL, &error) <= 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Failed to expand iterate_prefix=%s: %s",
module->conn->set.iterate_prefix, error);
ctx->ctx.failed = TRUE;
return &ctx->ctx;
}
ctx->key_prefix = p_strdup(auth_request->pool, str_c(path));
ctx->key_prefix_len = strlen(ctx->key_prefix);
ctx->iter = dict_iterate_init(module->conn->dict, ctx->key_prefix, 0);
auth_request_log_debug(auth_request, AUTH_SUBSYS_DB,
"iterate: prefix=%s", ctx->key_prefix);
return &ctx->ctx;
}
static enum passdb_result
static_save_fields(struct auth_request *request, const char **password_r,
const char **scheme_r)
{
struct static_passdb_module *module =
(struct static_passdb_module *)request->passdb->passdb;
const char *error;
*password_r = NULL;
*scheme_r = NULL;
auth_request_log_debug(request, AUTH_SUBSYS_DB, "lookup");
if (passdb_template_export(module->tmpl, request, &error) < 0) {
auth_request_log_error(request, AUTH_SUBSYS_DB,
"Failed to expand template: %s", error);
return PASSDB_RESULT_INTERNAL_FAILURE;
}
if (module->static_password_tmpl != NULL) {
if (t_auth_request_var_expand(module->static_password_tmpl,
request, NULL, password_r, &error) <= 0) {
auth_request_log_error(request, AUTH_SUBSYS_DB,
"Failed to expand password=%s: %s",
module->static_password_tmpl, error);
return PASSDB_RESULT_INTERNAL_FAILURE;
}
} else if (auth_fields_exists(request->extra_fields, "nopassword")) {
*password_r = "";
} else {
auth_request_log_info(request, AUTH_SUBSYS_DB,
"No password returned (and no nopassword)");
return PASSDB_RESULT_PASSWORD_MISMATCH;
}
*scheme_r = password_get_scheme(password_r);
if (*scheme_r == NULL)
*scheme_r = STATIC_PASS_SCHEME;
auth_request_set_field(request, "password",
*password_r, *scheme_r);
return PASSDB_RESULT_OK;
}
static void
ldap_lookup_finish(struct auth_request *auth_request,
struct passdb_ldap_request *ldap_request,
LDAPMessage *res)
{
enum passdb_result passdb_result;
const char *password = NULL, *scheme;
int ret;
if (res == NULL) {
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else if (ldap_request->entries == 0) {
passdb_result = PASSDB_RESULT_USER_UNKNOWN;
auth_request_log_info(auth_request, "ldap",
"unknown user");
} else if (ldap_request->entries > 1) {
auth_request_log_error(auth_request, "ldap",
"pass_filter matched multiple objects, aborting");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else if (auth_request->passdb_password == NULL &&
!auth_fields_exists(auth_request->extra_fields, "nopassword")) {
auth_request_log_info(auth_request, "ldap",
"No password returned (and no nopassword)");
passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
passdb_result = PASSDB_RESULT_OK;
}
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
ldap_request->callback.lookup_credentials,
auth_request);
} else {
if (password != NULL) {
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, "ldap");
passdb_result = ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH;
}
ldap_request->callback.verify_plain(passdb_result,
auth_request);
}
}
static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request)
{
struct auth_request *auth_request = dict_request->auth_request;
struct passdb_module *_module = auth_request->passdb->passdb;
struct dict_passdb_module *module =
(struct dict_passdb_module *)_module;
string_t *key;
const char *password = NULL, *scheme = NULL;
enum passdb_result passdb_result;
int ret;
key = t_str_new(512);
str_append(key, DICT_PATH_SHARED);
var_expand(key, module->conn->set.password_key,
auth_request_get_var_expand_table(auth_request, NULL));
if (*module->conn->set.password_key == '\0') {
auth_request_log_error(auth_request, "dict",
"password_key not specified");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else {
passdb_result = passdb_dict_lookup_key(auth_request, module,
str_c(key));
}
if (passdb_result == PASSDB_RESULT_OK) {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
}
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
dict_request->callback.lookup_credentials,
auth_request);
} else {
if (password != NULL) {
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, "dict");
passdb_result = ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH;
}
dict_request->callback.verify_plain(passdb_result,
auth_request);
}
}
static void userdb_lua_lookup(struct auth_request *auth_request,
userdb_callback_t *callback)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct dlua_userdb_module *module =
(struct dlua_userdb_module *)_module;
const char *error;
enum userdb_result result =
auth_lua_call_userdb_lookup(module->script, auth_request, &error);
if (result == USERDB_RESULT_INTERNAL_FAILURE)
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"userdb-lua: %s", error);
callback(result, auth_request);
}
static void sql_query_callback(struct sql_result *sql_result,
struct userdb_sql_request *sql_request)
{
struct auth_request *auth_request = sql_request->auth_request;
struct userdb_module *_module = auth_request->userdb->userdb;
struct sql_userdb_module *module =
(struct sql_userdb_module *)_module;
enum userdb_result result = USERDB_RESULT_INTERNAL_FAILURE;
int ret;
ret = sql_result_next_row(sql_result);
if (ret >= 0)
db_sql_success(module->conn);
if (ret < 0) {
if (!module->conn->default_user_query) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"User query failed: %s",
sql_result_get_error(sql_result));
} else {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"User query failed: %s "
"(using built-in default user_query: %s)",
sql_result_get_error(sql_result),
module->conn->set.user_query);
}
} else if (ret == 0) {
result = USERDB_RESULT_USER_UNKNOWN;
auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB);
} else {
sql_query_get_result(sql_result, auth_request);
result = USERDB_RESULT_OK;
}
sql_request->callback(result, auth_request);
auth_request_unref(&auth_request);
i_free(sql_request);
}
static void
passwd_verify_plain(struct auth_request *request, const char *password,
verify_plain_callback_t *callback)
{
struct passwd pw;
int ret;
auth_request_log_debug(request, "passwd", "lookup");
switch (i_getpwnam(request->user, &pw)) {
case -1:
auth_request_log_error(request, "passwd",
"getpwnam() failed: %m");
callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
return;
case 0:
auth_request_log_unknown_user(request, "passwd");
callback(PASSDB_RESULT_USER_UNKNOWN, request);
return;
}
if (!IS_VALID_PASSWD(pw.pw_passwd)) {
auth_request_log_info(request, "passwd",
"invalid password field '%s'", pw.pw_passwd);
callback(PASSDB_RESULT_USER_DISABLED, request);
return;
}
/* save the password so cache can use it */
auth_request_set_field(request, "password", pw.pw_passwd,
PASSWD_PASS_SCHEME);
/* check if the password is valid */
ret = auth_request_password_verify(request, password, pw.pw_passwd,
PASSWD_PASS_SCHEME, "passwd");
/* clear the passwords from memory */
safe_memset(pw.pw_passwd, 0, strlen(pw.pw_passwd));
if (ret <= 0) {
callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);
return;
}
/* make sure we're using the username exactly as it's in the database */
auth_request_set_field(request, "user", pw.pw_name, NULL);
callback(PASSDB_RESULT_OK, request);
}
static enum passdb_result
auth_worker_reply_parse(struct auth_request *request, const char *reply)
{
enum passdb_result ret;
const char *const *args;
args = t_strsplit_tabescaped(reply);
if (strcmp(*args, "OK") == 0 && args[1] != NULL && args[2] != NULL) {
/* OK \t user \t password [\t extra] */
auth_request_set_field(request, "user", args[1], NULL);
auth_worker_reply_parse_args(request, args + 2);
return PASSDB_RESULT_OK;
}
if (strcmp(*args, "NEXT") == 0 && args[1] != NULL) {
/* NEXT \t user [\t extra] */
auth_request_set_field(request, "user", args[1], NULL);
auth_worker_reply_parse_args(request, args + 1);
return PASSDB_RESULT_NEXT;
}
if (strcmp(*args, "FAIL") == 0 && args[1] != NULL) {
int result;
/* FAIL \t result [\t user \t password [\t extra]] */
if (str_to_int(args[1], &result) < 0) {
/* shouldn't happen */
} else {
ret = (enum passdb_result)result;
if (ret == PASSDB_RESULT_OK) {
/* shouldn't happen */
} else if (args[2] == NULL) {
/* internal failure most likely */
return ret;
} else if (args[3] != NULL) {
if (*args[2] != '\0') {
auth_request_set_field(request, "user",
args[2], NULL);
}
auth_worker_reply_parse_args(request, args + 3);
return ret;
}
}
}
auth_request_log_error(request, AUTH_SUBSYS_DB,
"Received invalid reply from worker: %s", reply);
return PASSDB_RESULT_INTERNAL_FAILURE;
}
static void static_lookup_real(struct auth_request *auth_request,
userdb_callback_t *callback)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct static_userdb_module *module =
(struct static_userdb_module *)_module;
const char *error;
if (userdb_template_export(module->tmpl, auth_request, &error) < 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Failed to expand template: %s", error);
callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request);
}
callback(USERDB_RESULT_OK, auth_request);
}
static int passwd_file_sync(struct auth_request *request,
struct passwd_file *pw)
{
struct stat st;
const char *error;
if (pw->last_sync_time == ioloop_time)
return hash_table_is_created(pw->users) ? 0 : -1;
pw->last_sync_time = ioloop_time;
if (stat(pw->path, &st) < 0) {
/* with variables don't give hard errors, or errors about
nonexistent files */
if (errno == EACCES) {
auth_request_log_error(request, AUTH_SUBSYS_DB,
"%s", eacces_error_get("stat", pw->path));
} else {
auth_request_log_error(request, AUTH_SUBSYS_DB,
"stat(%s) failed: %m", pw->path);
}
if (pw->db->default_file != pw)
passwd_file_free(pw);
return -1;
}
if (st.st_mtime != pw->stamp || st.st_size != pw->size) {
passwd_file_close(pw);
if (passwd_file_open(pw, FALSE, &error) < 0) {
auth_request_log_error(request, AUTH_SUBSYS_DB,
"%s", error);
return -1;
}
}
return 0;
}
static int
dict_query_save_results(struct auth_request *auth_request,
struct db_dict_value_iter *iter)
{
const char *key, *value, *error;
while (db_dict_value_iter_next(iter, &key, &value)) {
if (value != NULL)
auth_request_set_userdb_field(auth_request, key, value);
}
if (db_dict_value_iter_deinit(&iter, &error) < 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "%s", error);
return -1;
}
return 0;
}
static void auth_request_timeout(struct auth_request *request)
{
unsigned int secs = (unsigned int)(time(NULL) - request->last_access);
if (request->state != AUTH_REQUEST_STATE_MECH_CONTINUE) {
/* client's fault */
auth_request_log_error(request, request->mech->mech_name,
"Request %u.%u timed out after %u secs, state=%d",
request->handler->client_pid, request->id,
secs, request->state);
} else if (request->set->verbose) {
auth_request_log_info(request, request->mech->mech_name,
"Request timed out waiting for client to continue authentication "
"(%u secs)", secs);
}
auth_request_handler_remove(request->handler, request);
}
static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request)
{
struct auth_request *auth_request = dict_request->auth_request;
struct passdb_module *_module = auth_request->passdb->passdb;
struct dict_passdb_module *module =
(struct dict_passdb_module *)_module;
const char *password = NULL, *scheme = NULL;
enum passdb_result passdb_result;
int ret;
if (array_count(&module->conn->set.passdb_fields) == 0 &&
array_count(&module->conn->set.parsed_passdb_objects) == 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"No passdb_objects or passdb_fields specified");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else {
passdb_result = passdb_dict_lookup_key(auth_request, module);
}
if (passdb_result == PASSDB_RESULT_OK) {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
}
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
dict_request->callback.lookup_credentials,
auth_request);
} else {
if (password != NULL) {
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, AUTH_SUBSYS_DB);
passdb_result = ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH;
}
dict_request->callback.verify_plain(passdb_result,
auth_request);
}
}
static void passwd_lookup(struct auth_request *auth_request,
userdb_callback_t *callback)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct passwd_userdb_module *module =
(struct passwd_userdb_module *)_module;
struct passwd pw;
struct timeval start_tv;
int ret;
auth_request_log_debug(auth_request, "passwd", "lookup");
if (gettimeofday(&start_tv, NULL) < 0)
start_tv.tv_sec = 0;
ret = i_getpwnam(auth_request->user, &pw);
if (start_tv.tv_sec != 0)
passwd_check_warnings(auth_request, module, &start_tv);
switch (ret) {
case -1:
auth_request_log_error(auth_request, "passwd",
"getpwnam() failed: %m");
callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request);
return;
case 0:
auth_request_log_info(auth_request, "passwd", "unknown user");
callback(USERDB_RESULT_USER_UNKNOWN, auth_request);
return;
}
auth_request_set_field(auth_request, "user", pw.pw_name, NULL);
auth_request_init_userdb_reply(auth_request);
auth_request_set_userdb_field(auth_request, "system_groups_user",
pw.pw_name);
auth_request_set_userdb_field(auth_request, "uid", dec2str(pw.pw_uid));
auth_request_set_userdb_field(auth_request, "gid", dec2str(pw.pw_gid));
auth_request_set_userdb_field(auth_request, "home", pw.pw_dir);
userdb_template_export(module->tmpl, auth_request);
callback(USERDB_RESULT_OK, auth_request);
}
static void
ldap_auth_bind_callback(struct ldap_connection *conn,
struct ldap_request *ldap_request, LDAPMessage *res)
{
struct passdb_ldap_request *passdb_ldap_request =
(struct passdb_ldap_request *)ldap_request;
struct auth_request *auth_request = ldap_request->auth_request;
enum passdb_result passdb_result;
const char *str;
int ret;
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
if (res != NULL) {
ret = ldap_result2error(conn->ld, res, 0);
if (ret == LDAP_SUCCESS)
passdb_result = PASSDB_RESULT_OK;
else if (ret == LDAP_INVALID_CREDENTIALS) {
str = "invalid credentials";
if (auth_request->set->debug_passwords) {
str = t_strconcat(str, " (given password: "******")", NULL);
}
auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
"%s", str);
passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else if (ret == LDAP_NO_SUCH_OBJECT) {
passdb_result = PASSDB_RESULT_USER_UNKNOWN;
auth_request_log_unknown_user(auth_request,
AUTH_SUBSYS_DB);
} else {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"ldap_bind() failed: %s",
ldap_err2string(ret));
}
}
passdb_ldap_request->callback.
verify_plain(passdb_result, auth_request);
auth_request_unref(&auth_request);
}
static void
bsdauth_verify_plain(struct auth_request *request, const char *password,
verify_plain_callback_t *callback)
{
struct passwd pw;
const char *type;
int result;
auth_request_log_debug(request, "bsdauth", "lookup");
switch (i_getpwnam(request->user, &pw)) {
case -1:
auth_request_log_error(request, "bsdauth",
"getpwnam() failed: %m");
callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
return;
case 0:
auth_request_log_unknown_user(request, "bsdauth");
callback(PASSDB_RESULT_USER_UNKNOWN, request);
return;
}
/* check if the password is valid */
type = t_strdup_printf("auth-%s", request->service);
result = auth_userokay(request->user, NULL, t_strdup_noconst(type),
t_strdup_noconst(password));
/* clear the passwords from memory */
safe_memset(pw.pw_passwd, 0, strlen(pw.pw_passwd));
if (result == 0) {
auth_request_log_password_mismatch(request, "bsdauth");
callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);
return;
}
/* make sure we're using the username exactly as it's in the database */
auth_request_set_field(request, "user", pw.pw_name, NULL);
callback(PASSDB_RESULT_OK, request);
}
