static void prefetch_lookup(struct auth_request *auth_request, userdb_callback_t *callback) { /* auth_request_set_field() should have already placed the userdb_* values to userdb_reply. */ if (!auth_request->userdb_prefetch_set) { if (auth_request_get_auth(auth_request)->userdbs->next == NULL) { /* no other userdbs */ if (auth_request->userdb_lookup) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "userdb lookup not possible with only userdb prefetch"); } else { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "passdb didn't return userdb entries"); } callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request); return; } if (!auth_request->userdb_lookup || auth_request->set->debug) { /* more userdbs, they may know the user */ auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "passdb didn't return userdb entries, " "trying the next userdb"); } callback(USERDB_RESULT_USER_UNKNOWN, auth_request); return; } auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "success"); callback(USERDB_RESULT_OK, auth_request); }
static void userdb_nss_lookup(struct auth_request *auth_request, userdb_callback_t *callback) { struct userdb_module *_module = auth_request->userdb->userdb; struct nss_userdb_module *module = (struct nss_userdb_module *)_module; struct passwd pw; enum nss_status status; enum userdb_result result = USERDB_RESULT_INTERNAL_FAILURE; int err; auth_request_log_debug(auth_request, "nss", "lookup"); status = module->getpwnam_r(auth_request->user, &pw, module->buf, module->bufsize, &err); switch (status) { case NSS_STATUS_TRYAGAIN: auth_request_log_error(auth_request, "nss", "returned tryagain (err=%d)", err); break; case NSS_STATUS_UNAVAIL: auth_request_log_error(auth_request, "nss", "unavailable (err=%d)", err); break; case NSS_STATUS_NOTFOUND: auth_request_log_info(auth_request, "nss", "unknown user"); result = USERDB_RESULT_USER_UNKNOWN; break; case NSS_STATUS_SUCCESS: result = USERDB_RESULT_OK; break; default: auth_request_log_info(auth_request, "nss", "returned %d (err=%d)", status, err); break; } if (result != USERDB_RESULT_OK) { callback(result, auth_request); return; } auth_request_set_field(auth_request, "user", pw.pw_name, NULL); auth_request_init_userdb_reply(auth_request); auth_request_set_userdb_field(auth_request, "system_groups_user", pw.pw_name); auth_request_set_userdb_field(auth_request, "uid", dec2str(pw.pw_uid)); auth_request_set_userdb_field(auth_request, "gid", dec2str(pw.pw_gid)); auth_request_set_userdb_field(auth_request, "home", pw.pw_dir); callback(USERDB_RESULT_OK, auth_request); }
void checkpassword_child_output(struct chkpw_auth_request *request) { /* Send: username \0 password \0 timestamp \0. Must be 512 bytes or less. The "timestamp" parameter is actually useful only for APOP authentication. We don't support it, so keep it empty */ struct auth_request *auth_request = request->request; buffer_t *buf; const unsigned char *data; size_t size; ssize_t ret; buf = buffer_create_dynamic(pool_datastack_create(), 512+1); buffer_append(buf, auth_request->user, strlen(auth_request->user)+1); if (request->password != NULL) buffer_append(buf, request->password, strlen(request->password)+1); else buffer_append_c(buf, '\0'); buffer_append_c(buf, '\0'); data = buffer_get_data(buf, &size); if (size > 512) { auth_request_log_error(request->request, "checkpassword", "output larger than 512 bytes: %"PRIuSIZE_T, size); request->finish_callback(request, request->internal_failure_code); return; } ret = write(request->fd_out, data + request->write_pos, size - request->write_pos); if (ret <= 0) { if (ret < 0) { auth_request_log_error(request->request, "checkpassword", "write() failed: %m"); } request->finish_callback(request, request->internal_failure_code); return; } request->write_pos += ret; if (request->write_pos < size) return; io_remove(&request->io_out); if (close(request->fd_out) < 0) i_error("checkpassword: close() failed: %m"); request->fd_out = -1; }
static void userdb_dict_lookup(struct auth_request *auth_request, userdb_callback_t *callback) { struct userdb_module *_module = auth_request->userdb->userdb; struct dict_userdb_module *module = (struct dict_userdb_module *)_module; struct db_dict_value_iter *iter; enum userdb_result userdb_result; int ret; if (array_count(&module->conn->set.userdb_fields) == 0 && array_count(&module->conn->set.parsed_userdb_objects) == 0) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "No userdb_objects or userdb_fields specified"); callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request); return; } ret = db_dict_value_iter_init(module->conn, auth_request, &module->conn->set.userdb_fields, &module->conn->set.parsed_userdb_objects, &iter); if (ret < 0) userdb_result = USERDB_RESULT_INTERNAL_FAILURE; else if (ret == 0) { auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB); userdb_result = USERDB_RESULT_USER_UNKNOWN; } else { if (dict_query_save_results(auth_request, iter) < 0) userdb_result = USERDB_RESULT_INTERNAL_FAILURE; else userdb_result = USERDB_RESULT_OK; } callback(userdb_result, auth_request); }
static void ATTR_NORETURN checkpassword_lookup_child(struct auth_request *request, struct checkpassword_userdb_module *module, int fd_in, int fd_out) { const char *cmd, *const *args; if (dup2(fd_out, 3) < 0 || dup2(fd_in, 4) < 0) { auth_request_log_error(request, "userdb-checkpassword", "dup2() failed: %m"); } else { /* We want to retrieve user data and don't do authorization, so we need to signalize the checkpassword program that the password shall be ignored by setting AUTHORIZED. This needs a special checkpassword program which knows how to handle this. */ env_put("AUTHORIZED=1"); checkpassword_setup_env(request); cmd = checkpassword_get_cmd(request, module->checkpassword_path, module->checkpassword_reply_path); auth_request_log_debug(request, "userdb-checkpassword", "execute: %s", cmd); /* very simple argument splitting. */ args = t_strsplit(cmd, " "); execv_const(args[0], args); } exit(2); }
static void checkpassword_request_finish(struct chkpw_auth_request *request, enum userdb_result result) { struct userdb_module *_module = request->request->userdb->userdb; struct checkpassword_userdb_module *module = (struct checkpassword_userdb_module *)_module; userdb_callback_t *callback = (userdb_callback_t *)request->callback; hash_table_remove(module->clients, POINTER_CAST(request->pid)); if (result == USERDB_RESULT_OK) { if (strchr(str_c(request->input_buf), '\n') != NULL) { auth_request_log_error(request->request, "userdb-checkpassword", "LF characters in checkpassword reply"); result = USERDB_RESULT_INTERNAL_FAILURE; } else { auth_request_init_userdb_reply(request->request); auth_request_set_fields(request->request, t_strsplit(str_c(request->input_buf), "\t"), NULL); } } callback(result, request->request); auth_request_unref(&request->request); checkpassword_request_free(request); }
static void checkpassword_request_half_finish(struct chkpw_auth_request *request) { if (!request->exited || request->fd_in != -1) return; switch (request->exit_status) { case 3: /* User does not exist. */ auth_request_log_info(request->request, "userdb-checkpassword", "User unknown"); checkpassword_request_finish(request, USERDB_RESULT_USER_UNKNOWN); break; case 2: /* This is intentionally not 0. checkpassword-reply exits with 2 on success when AUTHORIZED is set. */ if (request->input_buf != NULL) { checkpassword_request_finish(request, USERDB_RESULT_OK); break; } /* missing input - fall through */ default: /* whatever error... */ auth_request_log_error(request->request, "userdb-checkpassword", "Child %s exited with status %d", dec2str(request->pid), request->exit_status); checkpassword_request_finish(request, USERDB_RESULT_INTERNAL_FAILURE); break; } }
static bool verify_credentials(struct cram_auth_request *request, const unsigned char *credentials, size_t size) { unsigned char digest[MD5_RESULTLEN]; struct hmac_context ctx; const char *response_hex; if (size != CRAM_MD5_CONTEXTLEN) { auth_request_log_error(&request->auth_request, AUTH_SUBSYS_MECH, "invalid credentials length"); return FALSE; } hmac_init(&ctx, NULL, 0, &hash_method_md5); hmac_md5_set_cram_context(&ctx, credentials); hmac_update(&ctx, request->challenge, strlen(request->challenge)); hmac_final(&ctx, digest); response_hex = binary_to_hex(digest, sizeof(digest)); if (memcmp(response_hex, request->response, sizeof(digest)*2) != 0) { auth_request_log_info(&request->auth_request, AUTH_SUBSYS_MECH, "password mismatch"); return FALSE; } return TRUE; }
void checkpassword_child_input(struct chkpw_auth_request *request) { unsigned char buf[1024]; ssize_t ret; ret = read(request->fd_in, buf, sizeof(buf)); if (ret <= 0) { if (ret < 0) { auth_request_log_error(request->request, "checkpassword", "read() failed: %m"); } auth_request_log_debug(request->request, "checkpassword", "Received no input"); checkpassword_request_close(request); request->half_finish_callback(request); } else { if (request->input_buf == NULL) request->input_buf = str_new(default_pool, 512); str_append_n(request->input_buf, buf, ret); auth_request_log_debug(request->request, "checkpassword", "Received input: %s", str_c(request->input_buf)); } }
static int user_verify_restricted_uid(struct auth_request *auth_request) { struct auth_master_connection *conn = auth_request->master; struct auth_fields *reply = auth_request->userdb_reply; const char *value, *reason; uid_t uid; if (conn->userdb_restricted_uid == 0) return 0; value = auth_fields_find(reply, "uid"); if (value == NULL) reason = "userdb reply doesn't contain uid"; else if (str_to_uid(value, &uid) < 0) reason = "userdb reply contains invalid uid"; else if (uid != conn->userdb_restricted_uid) { reason = t_strdup_printf( "userdb uid (%s) doesn't match peer uid (%s)", dec2str(uid), dec2str(conn->userdb_restricted_uid)); } else { return 0; } auth_request_log_error(auth_request, "userdb", "client doesn't have lookup permissions for this user: %s " "(to bypass this check, set: service auth { unix_listener %s { mode=0777 } })", reason, conn->path); return -1; }
static void passdb_imap_login_callback(const struct imapc_command_reply *reply, void *context) { struct imap_auth_request *request = context; struct imapc_client *client = request->client; enum passdb_result result = PASSDB_RESULT_INTERNAL_FAILURE; switch (reply->state) { case IMAPC_COMMAND_STATE_OK: result = PASSDB_RESULT_OK; break; case IMAPC_COMMAND_STATE_NO: result = passdb_imap_get_failure_result(reply); auth_request_log_info(request->auth_request, AUTH_SUBSYS_DB, "%s", reply->text_full); break; case IMAPC_COMMAND_STATE_BAD: case IMAPC_COMMAND_STATE_DISCONNECTED: auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB, "%s", reply->text_full); break; } request->verify_callback(result, request->auth_request); imapc_client_deinit(&client); auth_request_unref(&request->auth_request); }
static void ldap_bind_lookup_dn_fail(struct auth_request *auth_request, struct passdb_ldap_request *request, LDAPMessage *res) { enum passdb_result passdb_result; if (res == NULL) passdb_result = PASSDB_RESULT_INTERNAL_FAILURE; else if (request->entries == 0) { passdb_result = PASSDB_RESULT_USER_UNKNOWN; auth_request_log_info(auth_request, "ldap", "unknown user"); } else { i_assert(request->entries > 1); auth_request_log_error(auth_request, "ldap", "pass_filter matched multiple objects, aborting"); passdb_result = PASSDB_RESULT_INTERNAL_FAILURE; } if (auth_request->credentials_scheme != NULL) { request->callback.lookup_credentials(passdb_result, NULL, 0, auth_request); } else { request->callback.verify_plain(passdb_result, auth_request); } auth_request_unref(&auth_request); }
static enum passdb_result passdb_dict_lookup_key(struct auth_request *auth_request, struct dict_passdb_module *module, const char *key) { const char *value; int ret; auth_request_log_debug(auth_request, "dict", "lookup %s", key); ret = dict_lookup(module->conn->dict, pool_datastack_create(), key, &value); if (ret < 0) { auth_request_log_error(auth_request, "dict", "Lookup failed"); return PASSDB_RESULT_INTERNAL_FAILURE; } else if (ret == 0) { auth_request_log_unknown_user(auth_request, "dict"); return PASSDB_RESULT_USER_UNKNOWN; } else { auth_request_log_debug(auth_request, "dict", "result: %s", value); if (dict_query_save_results(auth_request, module->conn, value) < 0) return PASSDB_RESULT_INTERNAL_FAILURE; if (auth_request->passdb_password == NULL && !auth_fields_exists(auth_request->extra_fields, "nopassword")) { auth_request_log_info(auth_request, "dict", "No password returned (and no nopassword)"); return PASSDB_RESULT_PASSWORD_MISMATCH; } else { return PASSDB_RESULT_OK; } } }
static enum passdb_result passwd_lookup(struct auth_request *request, struct passwd *pw_r) { auth_request_log_debug(request, AUTH_SUBSYS_DB, "lookup"); switch (i_getpwnam(request->user, pw_r)) { case -1: auth_request_log_error(request, AUTH_SUBSYS_DB, "getpwnam() failed: %m"); return PASSDB_RESULT_INTERNAL_FAILURE; case 0: auth_request_log_unknown_user(request, AUTH_SUBSYS_DB); return PASSDB_RESULT_USER_UNKNOWN; } if (!IS_VALID_PASSWD(pw_r->pw_passwd)) { auth_request_log_info(request, AUTH_SUBSYS_DB, "invalid password field '%s'", pw_r->pw_passwd); return PASSDB_RESULT_USER_DISABLED; } /* save the password so cache can use it */ auth_request_set_field(request, "password", pw_r->pw_passwd, PASSWD_PASS_SCHEME); return PASSDB_RESULT_OK; }
static struct userdb_iterate_context * userdb_dict_iterate_init(struct auth_request *auth_request, userdb_iter_callback_t *callback, void *context) { struct userdb_module *_module = auth_request->userdb->userdb; struct dict_userdb_module *module = (struct dict_userdb_module *)_module; struct dict_userdb_iterate_context *ctx; string_t *path; const char *error; ctx = i_new(struct dict_userdb_iterate_context, 1); ctx->ctx.auth_request = auth_request; ctx->ctx.callback = callback; ctx->ctx.context = context; auth_request_ref(auth_request); if (*module->conn->set.iterate_prefix == '\0') { if (!module->conn->set.iterate_disable) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "iterate: iterate_prefix not set"); ctx->ctx.failed = TRUE; } return &ctx->ctx; } path = t_str_new(128); str_append(path, DICT_PATH_SHARED); if (auth_request_var_expand(path, module->conn->set.iterate_prefix, auth_request, NULL, &error) <= 0) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "Failed to expand iterate_prefix=%s: %s", module->conn->set.iterate_prefix, error); ctx->ctx.failed = TRUE; return &ctx->ctx; } ctx->key_prefix = p_strdup(auth_request->pool, str_c(path)); ctx->key_prefix_len = strlen(ctx->key_prefix); ctx->iter = dict_iterate_init(module->conn->dict, ctx->key_prefix, 0); auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "iterate: prefix=%s", ctx->key_prefix); return &ctx->ctx; }
static enum passdb_result static_save_fields(struct auth_request *request, const char **password_r, const char **scheme_r) { struct static_passdb_module *module = (struct static_passdb_module *)request->passdb->passdb; const char *error; *password_r = NULL; *scheme_r = NULL; auth_request_log_debug(request, AUTH_SUBSYS_DB, "lookup"); if (passdb_template_export(module->tmpl, request, &error) < 0) { auth_request_log_error(request, AUTH_SUBSYS_DB, "Failed to expand template: %s", error); return PASSDB_RESULT_INTERNAL_FAILURE; } if (module->static_password_tmpl != NULL) { if (t_auth_request_var_expand(module->static_password_tmpl, request, NULL, password_r, &error) <= 0) { auth_request_log_error(request, AUTH_SUBSYS_DB, "Failed to expand password=%s: %s", module->static_password_tmpl, error); return PASSDB_RESULT_INTERNAL_FAILURE; } } else if (auth_fields_exists(request->extra_fields, "nopassword")) { *password_r = ""; } else { auth_request_log_info(request, AUTH_SUBSYS_DB, "No password returned (and no nopassword)"); return PASSDB_RESULT_PASSWORD_MISMATCH; } *scheme_r = password_get_scheme(password_r); if (*scheme_r == NULL) *scheme_r = STATIC_PASS_SCHEME; auth_request_set_field(request, "password", *password_r, *scheme_r); return PASSDB_RESULT_OK; }
static void ldap_lookup_finish(struct auth_request *auth_request, struct passdb_ldap_request *ldap_request, LDAPMessage *res) { enum passdb_result passdb_result; const char *password = NULL, *scheme; int ret; if (res == NULL) { passdb_result = PASSDB_RESULT_INTERNAL_FAILURE; } else if (ldap_request->entries == 0) { passdb_result = PASSDB_RESULT_USER_UNKNOWN; auth_request_log_info(auth_request, "ldap", "unknown user"); } else if (ldap_request->entries > 1) { auth_request_log_error(auth_request, "ldap", "pass_filter matched multiple objects, aborting"); passdb_result = PASSDB_RESULT_INTERNAL_FAILURE; } else if (auth_request->passdb_password == NULL && !auth_fields_exists(auth_request->extra_fields, "nopassword")) { auth_request_log_info(auth_request, "ldap", "No password returned (and no nopassword)"); passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH; } else { /* passdb_password may change on the way, so we'll need to strdup. */ password = t_strdup(auth_request->passdb_password); passdb_result = PASSDB_RESULT_OK; } scheme = password_get_scheme(&password); /* auth_request_set_field() sets scheme */ i_assert(password == NULL || scheme != NULL); if (auth_request->credentials_scheme != NULL) { passdb_handle_credentials(passdb_result, password, scheme, ldap_request->callback.lookup_credentials, auth_request); } else { if (password != NULL) { ret = auth_request_password_verify(auth_request, auth_request->mech_password, password, scheme, "ldap"); passdb_result = ret > 0 ? PASSDB_RESULT_OK : PASSDB_RESULT_PASSWORD_MISMATCH; } ldap_request->callback.verify_plain(passdb_result, auth_request); } }
static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request) { struct auth_request *auth_request = dict_request->auth_request; struct passdb_module *_module = auth_request->passdb->passdb; struct dict_passdb_module *module = (struct dict_passdb_module *)_module; string_t *key; const char *password = NULL, *scheme = NULL; enum passdb_result passdb_result; int ret; key = t_str_new(512); str_append(key, DICT_PATH_SHARED); var_expand(key, module->conn->set.password_key, auth_request_get_var_expand_table(auth_request, NULL)); if (*module->conn->set.password_key == '\0') { auth_request_log_error(auth_request, "dict", "password_key not specified"); passdb_result = PASSDB_RESULT_INTERNAL_FAILURE; } else { passdb_result = passdb_dict_lookup_key(auth_request, module, str_c(key)); } if (passdb_result == PASSDB_RESULT_OK) { /* passdb_password may change on the way, so we'll need to strdup. */ password = t_strdup(auth_request->passdb_password); scheme = password_get_scheme(&password); /* auth_request_set_field() sets scheme */ i_assert(password == NULL || scheme != NULL); } if (auth_request->credentials_scheme != NULL) { passdb_handle_credentials(passdb_result, password, scheme, dict_request->callback.lookup_credentials, auth_request); } else { if (password != NULL) { ret = auth_request_password_verify(auth_request, auth_request->mech_password, password, scheme, "dict"); passdb_result = ret > 0 ? PASSDB_RESULT_OK : PASSDB_RESULT_PASSWORD_MISMATCH; } dict_request->callback.verify_plain(passdb_result, auth_request); } }
static void userdb_lua_lookup(struct auth_request *auth_request, userdb_callback_t *callback) { struct userdb_module *_module = auth_request->userdb->userdb; struct dlua_userdb_module *module = (struct dlua_userdb_module *)_module; const char *error; enum userdb_result result = auth_lua_call_userdb_lookup(module->script, auth_request, &error); if (result == USERDB_RESULT_INTERNAL_FAILURE) auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "userdb-lua: %s", error); callback(result, auth_request); }
static void sql_query_callback(struct sql_result *sql_result, struct userdb_sql_request *sql_request) { struct auth_request *auth_request = sql_request->auth_request; struct userdb_module *_module = auth_request->userdb->userdb; struct sql_userdb_module *module = (struct sql_userdb_module *)_module; enum userdb_result result = USERDB_RESULT_INTERNAL_FAILURE; int ret; ret = sql_result_next_row(sql_result); if (ret >= 0) db_sql_success(module->conn); if (ret < 0) { if (!module->conn->default_user_query) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "User query failed: %s", sql_result_get_error(sql_result)); } else { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "User query failed: %s " "(using built-in default user_query: %s)", sql_result_get_error(sql_result), module->conn->set.user_query); } } else if (ret == 0) { result = USERDB_RESULT_USER_UNKNOWN; auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB); } else { sql_query_get_result(sql_result, auth_request); result = USERDB_RESULT_OK; } sql_request->callback(result, auth_request); auth_request_unref(&auth_request); i_free(sql_request); }
static void passwd_verify_plain(struct auth_request *request, const char *password, verify_plain_callback_t *callback) { struct passwd pw; int ret; auth_request_log_debug(request, "passwd", "lookup"); switch (i_getpwnam(request->user, &pw)) { case -1: auth_request_log_error(request, "passwd", "getpwnam() failed: %m"); callback(PASSDB_RESULT_INTERNAL_FAILURE, request); return; case 0: auth_request_log_unknown_user(request, "passwd"); callback(PASSDB_RESULT_USER_UNKNOWN, request); return; } if (!IS_VALID_PASSWD(pw.pw_passwd)) { auth_request_log_info(request, "passwd", "invalid password field '%s'", pw.pw_passwd); callback(PASSDB_RESULT_USER_DISABLED, request); return; } /* save the password so cache can use it */ auth_request_set_field(request, "password", pw.pw_passwd, PASSWD_PASS_SCHEME); /* check if the password is valid */ ret = auth_request_password_verify(request, password, pw.pw_passwd, PASSWD_PASS_SCHEME, "passwd"); /* clear the passwords from memory */ safe_memset(pw.pw_passwd, 0, strlen(pw.pw_passwd)); if (ret <= 0) { callback(PASSDB_RESULT_PASSWORD_MISMATCH, request); return; } /* make sure we're using the username exactly as it's in the database */ auth_request_set_field(request, "user", pw.pw_name, NULL); callback(PASSDB_RESULT_OK, request); }
static enum passdb_result auth_worker_reply_parse(struct auth_request *request, const char *reply) { enum passdb_result ret; const char *const *args; args = t_strsplit_tabescaped(reply); if (strcmp(*args, "OK") == 0 && args[1] != NULL && args[2] != NULL) { /* OK \t user \t password [\t extra] */ auth_request_set_field(request, "user", args[1], NULL); auth_worker_reply_parse_args(request, args + 2); return PASSDB_RESULT_OK; } if (strcmp(*args, "NEXT") == 0 && args[1] != NULL) { /* NEXT \t user [\t extra] */ auth_request_set_field(request, "user", args[1], NULL); auth_worker_reply_parse_args(request, args + 1); return PASSDB_RESULT_NEXT; } if (strcmp(*args, "FAIL") == 0 && args[1] != NULL) { int result; /* FAIL \t result [\t user \t password [\t extra]] */ if (str_to_int(args[1], &result) < 0) { /* shouldn't happen */ } else { ret = (enum passdb_result)result; if (ret == PASSDB_RESULT_OK) { /* shouldn't happen */ } else if (args[2] == NULL) { /* internal failure most likely */ return ret; } else if (args[3] != NULL) { if (*args[2] != '\0') { auth_request_set_field(request, "user", args[2], NULL); } auth_worker_reply_parse_args(request, args + 3); return ret; } } } auth_request_log_error(request, AUTH_SUBSYS_DB, "Received invalid reply from worker: %s", reply); return PASSDB_RESULT_INTERNAL_FAILURE; }
static void static_lookup_real(struct auth_request *auth_request, userdb_callback_t *callback) { struct userdb_module *_module = auth_request->userdb->userdb; struct static_userdb_module *module = (struct static_userdb_module *)_module; const char *error; if (userdb_template_export(module->tmpl, auth_request, &error) < 0) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "Failed to expand template: %s", error); callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request); } callback(USERDB_RESULT_OK, auth_request); }
static int passwd_file_sync(struct auth_request *request, struct passwd_file *pw) { struct stat st; const char *error; if (pw->last_sync_time == ioloop_time) return hash_table_is_created(pw->users) ? 0 : -1; pw->last_sync_time = ioloop_time; if (stat(pw->path, &st) < 0) { /* with variables don't give hard errors, or errors about nonexistent files */ if (errno == EACCES) { auth_request_log_error(request, AUTH_SUBSYS_DB, "%s", eacces_error_get("stat", pw->path)); } else { auth_request_log_error(request, AUTH_SUBSYS_DB, "stat(%s) failed: %m", pw->path); } if (pw->db->default_file != pw) passwd_file_free(pw); return -1; } if (st.st_mtime != pw->stamp || st.st_size != pw->size) { passwd_file_close(pw); if (passwd_file_open(pw, FALSE, &error) < 0) { auth_request_log_error(request, AUTH_SUBSYS_DB, "%s", error); return -1; } } return 0; }
static int dict_query_save_results(struct auth_request *auth_request, struct db_dict_value_iter *iter) { const char *key, *value, *error; while (db_dict_value_iter_next(iter, &key, &value)) { if (value != NULL) auth_request_set_userdb_field(auth_request, key, value); } if (db_dict_value_iter_deinit(&iter, &error) < 0) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "%s", error); return -1; } return 0; }
static void auth_request_timeout(struct auth_request *request) { unsigned int secs = (unsigned int)(time(NULL) - request->last_access); if (request->state != AUTH_REQUEST_STATE_MECH_CONTINUE) { /* client's fault */ auth_request_log_error(request, request->mech->mech_name, "Request %u.%u timed out after %u secs, state=%d", request->handler->client_pid, request->id, secs, request->state); } else if (request->set->verbose) { auth_request_log_info(request, request->mech->mech_name, "Request timed out waiting for client to continue authentication " "(%u secs)", secs); } auth_request_handler_remove(request->handler, request); }
static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request) { struct auth_request *auth_request = dict_request->auth_request; struct passdb_module *_module = auth_request->passdb->passdb; struct dict_passdb_module *module = (struct dict_passdb_module *)_module; const char *password = NULL, *scheme = NULL; enum passdb_result passdb_result; int ret; if (array_count(&module->conn->set.passdb_fields) == 0 && array_count(&module->conn->set.parsed_passdb_objects) == 0) { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "No passdb_objects or passdb_fields specified"); passdb_result = PASSDB_RESULT_INTERNAL_FAILURE; } else { passdb_result = passdb_dict_lookup_key(auth_request, module); } if (passdb_result == PASSDB_RESULT_OK) { /* passdb_password may change on the way, so we'll need to strdup. */ password = t_strdup(auth_request->passdb_password); scheme = password_get_scheme(&password); /* auth_request_set_field() sets scheme */ i_assert(password == NULL || scheme != NULL); } if (auth_request->credentials_scheme != NULL) { passdb_handle_credentials(passdb_result, password, scheme, dict_request->callback.lookup_credentials, auth_request); } else { if (password != NULL) { ret = auth_request_password_verify(auth_request, auth_request->mech_password, password, scheme, AUTH_SUBSYS_DB); passdb_result = ret > 0 ? PASSDB_RESULT_OK : PASSDB_RESULT_PASSWORD_MISMATCH; } dict_request->callback.verify_plain(passdb_result, auth_request); } }
static void passwd_lookup(struct auth_request *auth_request, userdb_callback_t *callback) { struct userdb_module *_module = auth_request->userdb->userdb; struct passwd_userdb_module *module = (struct passwd_userdb_module *)_module; struct passwd pw; struct timeval start_tv; int ret; auth_request_log_debug(auth_request, "passwd", "lookup"); if (gettimeofday(&start_tv, NULL) < 0) start_tv.tv_sec = 0; ret = i_getpwnam(auth_request->user, &pw); if (start_tv.tv_sec != 0) passwd_check_warnings(auth_request, module, &start_tv); switch (ret) { case -1: auth_request_log_error(auth_request, "passwd", "getpwnam() failed: %m"); callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request); return; case 0: auth_request_log_info(auth_request, "passwd", "unknown user"); callback(USERDB_RESULT_USER_UNKNOWN, auth_request); return; } auth_request_set_field(auth_request, "user", pw.pw_name, NULL); auth_request_init_userdb_reply(auth_request); auth_request_set_userdb_field(auth_request, "system_groups_user", pw.pw_name); auth_request_set_userdb_field(auth_request, "uid", dec2str(pw.pw_uid)); auth_request_set_userdb_field(auth_request, "gid", dec2str(pw.pw_gid)); auth_request_set_userdb_field(auth_request, "home", pw.pw_dir); userdb_template_export(module->tmpl, auth_request); callback(USERDB_RESULT_OK, auth_request); }
static void ldap_auth_bind_callback(struct ldap_connection *conn, struct ldap_request *ldap_request, LDAPMessage *res) { struct passdb_ldap_request *passdb_ldap_request = (struct passdb_ldap_request *)ldap_request; struct auth_request *auth_request = ldap_request->auth_request; enum passdb_result passdb_result; const char *str; int ret; passdb_result = PASSDB_RESULT_INTERNAL_FAILURE; if (res != NULL) { ret = ldap_result2error(conn->ld, res, 0); if (ret == LDAP_SUCCESS) passdb_result = PASSDB_RESULT_OK; else if (ret == LDAP_INVALID_CREDENTIALS) { str = "invalid credentials"; if (auth_request->set->debug_passwords) { str = t_strconcat(str, " (given password: "******")", NULL); } auth_request_log_info(auth_request, AUTH_SUBSYS_DB, "%s", str); passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH; } else if (ret == LDAP_NO_SUCH_OBJECT) { passdb_result = PASSDB_RESULT_USER_UNKNOWN; auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB); } else { auth_request_log_error(auth_request, AUTH_SUBSYS_DB, "ldap_bind() failed: %s", ldap_err2string(ret)); } } passdb_ldap_request->callback. verify_plain(passdb_result, auth_request); auth_request_unref(&auth_request); }
static void bsdauth_verify_plain(struct auth_request *request, const char *password, verify_plain_callback_t *callback) { struct passwd pw; const char *type; int result; auth_request_log_debug(request, "bsdauth", "lookup"); switch (i_getpwnam(request->user, &pw)) { case -1: auth_request_log_error(request, "bsdauth", "getpwnam() failed: %m"); callback(PASSDB_RESULT_INTERNAL_FAILURE, request); return; case 0: auth_request_log_unknown_user(request, "bsdauth"); callback(PASSDB_RESULT_USER_UNKNOWN, request); return; } /* check if the password is valid */ type = t_strdup_printf("auth-%s", request->service); result = auth_userokay(request->user, NULL, t_strdup_noconst(type), t_strdup_noconst(password)); /* clear the passwords from memory */ safe_memset(pw.pw_passwd, 0, strlen(pw.pw_passwd)); if (result == 0) { auth_request_log_password_mismatch(request, "bsdauth"); callback(PASSDB_RESULT_PASSWORD_MISMATCH, request); return; } /* make sure we're using the username exactly as it's in the database */ auth_request_set_field(request, "user", pw.pw_name, NULL); callback(PASSDB_RESULT_OK, request); }