static void
ldap_lookup_finish(struct auth_request *auth_request,
struct passdb_ldap_request *ldap_request,
LDAPMessage *res)
{
enum passdb_result passdb_result;
const char *password = NULL, *scheme;
int ret;
if (res == NULL) {
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else if (ldap_request->entries == 0) {
passdb_result = PASSDB_RESULT_USER_UNKNOWN;
auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB);
} else if (ldap_request->entries > 1) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"pass_filter matched multiple objects, aborting");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else if (auth_request->passdb_password == NULL &&
ldap_request->require_password &&
!auth_fields_exists(auth_request->extra_fields, "nopassword")) {
auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
"No password returned (and no nopassword)");
passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
passdb_result = PASSDB_RESULT_OK;
}
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
ldap_request->callback.lookup_credentials,
auth_request);
} else {
if (password != NULL) {
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, AUTH_SUBSYS_DB);
passdb_result = ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH;
}
ldap_request->callback.verify_plain(passdb_result,
auth_request);
}
}
static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request)
{
struct auth_request *auth_request = dict_request->auth_request;
struct passdb_module *_module = auth_request->passdb->passdb;
struct dict_passdb_module *module =
(struct dict_passdb_module *)_module;
string_t *key;
const char *password = NULL, *scheme = NULL;
enum passdb_result passdb_result;
int ret;
key = t_str_new(512);
str_append(key, DICT_PATH_SHARED);
var_expand(key, module->conn->set.password_key,
auth_request_get_var_expand_table(auth_request, NULL));
if (*module->conn->set.password_key == '\0') {
auth_request_log_error(auth_request, "dict",
"password_key not specified");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else {
passdb_result = passdb_dict_lookup_key(auth_request, module,
str_c(key));
}
if (passdb_result == PASSDB_RESULT_OK) {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
}
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
dict_request->callback.lookup_credentials,
auth_request);
} else {
if (password != NULL) {
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, "dict");
passdb_result = ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH;
}
dict_request->callback.verify_plain(passdb_result,
auth_request);
}
}
static void vpopmail_lookup_credentials(struct auth_request *request,
lookup_credentials_callback_t *callback)
{
enum passdb_result result;
char *password;
bool cleartext = TRUE;
password = vpopmail_password_lookup(request, &cleartext, &result);
if (password == NULL) {
callback(result, NULL, 0, request);
return;
}
passdb_handle_credentials(PASSDB_RESULT_OK, password, "CLEARTEXT",
callback, request);
safe_memset(password, 0, strlen(password));
}
static void
passwd_lookup_credentials(struct auth_request *request,
lookup_credentials_callback_t *callback)
{
struct passwd pw;
enum passdb_result res;
res = passwd_lookup(request, &pw);
if (res != PASSDB_RESULT_OK) {
callback(res, NULL, 0, request);
return;
}
/* make sure we're using the username exactly as it's in the database */
auth_request_set_field(request, "user", pw.pw_name, NULL);
passdb_handle_credentials(PASSDB_RESULT_OK, pw.pw_passwd,
PASSWD_PASS_SCHEME, callback, request);
}
static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request)
{
struct auth_request *auth_request = dict_request->auth_request;
struct passdb_module *_module = auth_request->passdb->passdb;
struct dict_passdb_module *module =
(struct dict_passdb_module *)_module;
const char *password = NULL, *scheme = NULL;
enum passdb_result passdb_result;
int ret;
if (array_count(&module->conn->set.passdb_fields) == 0 &&
array_count(&module->conn->set.parsed_passdb_objects) == 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"No passdb_objects or passdb_fields specified");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else {
passdb_result = passdb_dict_lookup_key(auth_request, module);
}
if (passdb_result == PASSDB_RESULT_OK) {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
}
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
dict_request->callback.lookup_credentials,
auth_request);
} else {
if (password != NULL) {
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, AUTH_SUBSYS_DB);
passdb_result = ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH;
}
dict_request->callback.verify_plain(passdb_result,
auth_request);
}
}
static void
passwd_file_lookup_credentials(struct auth_request *request,
lookup_credentials_callback_t *callback)
{
struct passdb_module *_module = request->passdb->passdb;
struct passwd_file_passdb_module *module =
(struct passwd_file_passdb_module *)_module;
struct passwd_user *pu;
const char *crypted_pass, *scheme;
pu = db_passwd_file_lookup(module->pwf, request,
module->username_format);
if (pu == NULL) {
callback(PASSDB_RESULT_USER_UNKNOWN, NULL, 0, request);
return;
}
passwd_file_save_results(request, pu, &crypted_pass, &scheme);
passdb_handle_credentials(PASSDB_RESULT_OK, crypted_pass, scheme,
callback, request);
}
static bool lookup_credentials_callback(const char *reply, void *context)
{
struct auth_request *request = context;
enum passdb_result result;
const char *password = NULL, *scheme = NULL;
result = auth_worker_reply_parse(request, reply);
if (result == PASSDB_RESULT_OK && request->passdb_password != NULL) {
password = request->passdb_password;
scheme = password_get_scheme(&password);
if (scheme == NULL) {
auth_request_log_error(request, AUTH_SUBSYS_DB,
"Received reply from worker without "
"password scheme");
result = PASSDB_RESULT_INTERNAL_FAILURE;
}
}
passdb_handle_credentials(result, password, scheme,
auth_request_lookup_credentials_callback,
request);
auth_request_unref(&request);
return TRUE;
}
static void sql_query_callback(struct sql_result *result,
struct passdb_sql_request *sql_request)
{
struct auth_request *auth_request = sql_request->auth_request;
struct passdb_module *_module = auth_request->passdb->passdb;
struct sql_passdb_module *module = (struct sql_passdb_module *)_module;
enum passdb_result passdb_result;
const char *password, *scheme;
int ret;
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
password = NULL;
ret = sql_result_next_row(result);
if (ret >= 0)
db_sql_success(module->conn);
if (ret < 0) {
if (!module->conn->default_password_query) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query failed: %s",
sql_result_get_error(result));
} else {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query failed: %s "
"(using built-in default password_query: %s)",
sql_result_get_error(result),
module->conn->set.password_query);
}
} else if (ret == 0) {
auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB);
passdb_result = PASSDB_RESULT_USER_UNKNOWN;
} else {
sql_query_save_results(result, sql_request);
/* Note that we really want to check if the password field is
found. Just checking if password is set isn't enough,
because with proxies we might want to return NULL as
password. */
if (sql_result_find_field(result, "password") < 0 &&
sql_result_find_field(result, "password_noscheme") < 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query must return a field named "
"'password'");
} else if (sql_result_next_row(result) > 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query returned multiple matches");
} else if (auth_request->passdb_password == NULL &&
!auth_fields_exists(auth_request->extra_fields, "nopassword") &&
!auth_fields_exists(auth_request->extra_fields, "noauthenticate")) {
auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
"Empty password returned without nopassword");
passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
passdb_result = PASSDB_RESULT_OK;
}
}
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
sql_request->callback.lookup_credentials,
auth_request);
auth_request_unref(&auth_request);
return;
}
/* verify plain */
if (password == NULL) {
sql_request->callback.verify_plain(passdb_result, auth_request);
auth_request_unref(&auth_request);
return;
}
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, AUTH_SUBSYS_DB);
sql_request->callback.verify_plain(ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH,
auth_request);
auth_request_unref(&auth_request);
}
