示例#1
0
static void credentials_callback(enum passdb_result result,
				 const unsigned char *credentials, size_t size,
				 struct auth_request *auth_request)
{
	struct digest_auth_request *request =
		(struct digest_auth_request *)auth_request;

	switch (result) {
	case PASSDB_RESULT_OK:
		if (!verify_credentials(request, credentials, size)) {
			auth_request_fail(auth_request);
			return;
		}

		auth_request_success(auth_request, request->rspauth,
				     strlen(request->rspauth));
		break;
	case PASSDB_RESULT_INTERNAL_FAILURE:
		auth_request_internal_failure(auth_request);
		break;
	default:
		auth_request_fail(auth_request);
		break;
	}
}
示例#2
0
static void
mech_external_auth_continue(struct auth_request *request,
			    const unsigned char *data, size_t data_size)
{
	const char *authzid, *error;

	authzid = t_strndup(data, data_size);
	if (request->user == NULL) {
		auth_request_log_info(request, AUTH_SUBSYS_MECH,
				      "username not known");
		auth_request_fail(request);
		return;
	}

	/* this call is done simply to put the username through translation
	   settings */
	if (!auth_request_set_username(request, "", &error)) {
		auth_request_log_info(request, AUTH_SUBSYS_MECH,
				      "Invalid username");
		auth_request_fail(request);
		return;
	}

	if (*authzid != '\0' &&
	    !auth_request_set_login_username(request, authzid, &error)) {
		/* invalid login username */
		auth_request_log_info(request, AUTH_SUBSYS_MECH,
				      "login user: %s", error);
		auth_request_fail(request);
	} else {
                auth_request_verify_plain(request, "",
                                          plain_verify_callback);
	}
}
示例#3
0
static void
mech_plain_auth_continue(struct auth_request *request,
			 const unsigned char *data, size_t data_size)
{
	const char *authid, *authenid, *error;
	char *pass;
	size_t i, len;
	int count;

	/* authorization ID \0 authentication ID \0 pass. */
	authid = (const char *) data;
	authenid = NULL; pass = NULL;

	count = 0;
	for (i = 0; i < data_size; i++) {
		if (data[i] == '\0') {
			if (++count == 1)
				authenid = (const char *) data + i+1;
			else {
				i++;
				len = data_size - i;
				pass = p_strndup(unsafe_data_stack_pool,
						 data+i, len);
				break;
			}
		}
	}

	if (authenid != NULL && strcmp(authid, authenid) == 0) {
		/* the login username isn't different */
		authid = "";
	}

	if (count != 2) {
		/* invalid input */
		auth_request_log_info(request, AUTH_SUBSYS_MECH, "invalid input");
		auth_request_fail(request);
	} else if (!auth_request_set_username(request, authenid, &error)) {
                /* invalid username */
                auth_request_log_info(request, AUTH_SUBSYS_MECH, "%s", error);
                auth_request_fail(request);
        } else if (*authid != '\0' &&
                   !auth_request_set_login_username(request, authid, &error)) {
                /* invalid login username */
                auth_request_log_info(request, AUTH_SUBSYS_MECH,
                                      "login user: %s", error);
                auth_request_fail(request);
        } else {
                auth_request_verify_plain(request, pass,
                                          plain_verify_callback);
	}

        /* make sure it's cleared */
	if (pass != NULL)
		safe_memset(pass, 0, strlen(pass));
}
示例#4
0
static void
mech_dovecot_token_auth_continue(struct auth_request *request,
			     const unsigned char *data, size_t data_size)
{
	const char *session_id, *username, *pid, *service, *error;
	char *auth_token;
	size_t i, len;
	int count;

	/* service \0 pid \0 username \0 session_id \0 auth_token */
	service = (const char *) data;
	session_id = username = pid = auth_token = NULL;
	count = 0;
	for (i = 0; i < data_size; i++) {
		if (data[i] == '\0') {
			count++; i++;
			if (count == 1)
				pid = (const char *)data + i;
			else if (count == 2)
				username = (const char *)data + i;
			else if (count == 3)
				session_id = (const char *)data + i;
			else {
				len = data_size - i;
				auth_token = p_strndup(unsafe_data_stack_pool,
						       data+i, len);
				break;
			}
		}
	}	

	if (count != 4) {
		/* invalid input */
		auth_request_log_info(request, AUTH_SUBSYS_MECH, "invalid input");
		auth_request_fail(request);
	} else if (!auth_request_set_username(request, username, &error)) {
		/* invalid username */
		auth_request_log_info(request, AUTH_SUBSYS_MECH, "%s", error);
		auth_request_fail(request);
	} else {
		const char *valid_token =
			auth_token_get(service, pid, request->user, session_id);

		if (auth_token != NULL &&
		    strcmp(auth_token, valid_token) == 0) {
			request->passdb_success = TRUE;
			auth_request_success(request, NULL, 0);
		} else {
			auth_request_fail(request);
		}
	}

	/* make sure it's cleared */
	if (auth_token != NULL)
		safe_memset(auth_token, 0, strlen(auth_token));
}
示例#5
0
static void
mech_digest_md5_auth_continue(struct auth_request *auth_request,
			      const unsigned char *data, size_t data_size)
{
	struct digest_auth_request *request =
		(struct digest_auth_request *)auth_request;
	const char *username, *error;

	if (parse_digest_response(request, data, data_size, &error)) {
		if (auth_request->realm != NULL &&
		    strchr(request->username, '@') == NULL) {
			username = t_strconcat(request->username, "@",
					       auth_request->realm, NULL);
			auth_request->domain_is_realm = TRUE;
		} else {
			username = request->username;
		}

		if (auth_request_set_username(auth_request, username, &error) &&
				(request->authzid == NULL ||
				 auth_request_set_login_username(auth_request,
								 request->authzid,
								 &error))) {
			auth_request_lookup_credentials(auth_request,
					"DIGEST-MD5", credentials_callback);
			return;
		}
	}

	if (error != NULL)
                auth_request_log_info(auth_request, AUTH_SUBSYS_MECH, "%s", error);

	auth_request_fail(auth_request);
}
示例#6
0
static void credentials_callback(enum passdb_result result,
                                 const unsigned char *credentials, size_t size,
                                 struct auth_request *auth_request)
{
    struct cram_auth_request *request =
        (struct cram_auth_request *)auth_request;

    switch (result) {
    case PASSDB_RESULT_OK:
        if (verify_credentials(request, credentials, size))
            auth_request_success(auth_request, "", 0);
        else
            auth_request_fail(auth_request);
        break;
    case PASSDB_RESULT_INTERNAL_FAILURE:
        auth_request_internal_failure(auth_request);
        break;
    default:
        auth_request_fail(auth_request);
        break;
    }
}
示例#7
0
void plain_verify_callback(enum passdb_result result,
			   struct auth_request *request)
{
	switch (result) {
	case PASSDB_RESULT_OK:
		auth_request_success(request, NULL, 0);
		break;
	case PASSDB_RESULT_INTERNAL_FAILURE:
		auth_request_internal_failure(request);
		break;
	default:
		auth_request_fail(request);
		break;
	}
}
示例#8
0
static void
mech_cram_md5_auth_continue(struct auth_request *auth_request,
                            const unsigned char *data, size_t data_size)
{
    struct cram_auth_request *request =
        (struct cram_auth_request *)auth_request;
    const char *error;

    if (parse_cram_response(request, data, data_size, &error)) {
        if (auth_request_set_username(auth_request, request->username,
                                      &error)) {
            auth_request_lookup_credentials(auth_request,
                                            "CRAM-MD5", credentials_callback);
            return;
        }
    }

    if (error == NULL)
        error = "authentication failed";

    auth_request_log_info(auth_request, AUTH_SUBSYS_MECH, "%s", error);
    auth_request_fail(auth_request);
}
示例#9
0
static void
mech_apop_auth_initial(struct auth_request *auth_request,
		       const unsigned char *data, size_t data_size)
{
	struct apop_auth_request *request =
		(struct apop_auth_request *)auth_request;
	const unsigned char *tmp, *end, *username = NULL;
	unsigned long pid, connect_uid, timestamp;
	const char *error;

	/* pop3-login handles sending the challenge and getting the response.
	   Our input here is: <challenge> \0 <username> \0 <response> */

	if (data_size == 0) {
		/* Should never happen */
		auth_request_log_info(auth_request, "apop",
				      "no initial respone");
		auth_request_fail(auth_request);
		return;
	}

	tmp = data;
	end = data + data_size;

	/* get the challenge */
	while (tmp != end && *tmp != '\0')
		tmp++;
	request->challenge = p_strdup_until(request->pool, data, tmp);

	if (tmp != end) {
		/* get the username */
		username = ++tmp;
		while (tmp != end && *tmp != '\0')
			tmp++;
	}

	if (tmp + 1 + 16 != end) {
		/* Should never happen */
		auth_request_log_info(auth_request, "apop", "malformed data");
		auth_request_fail(auth_request);
		return;
	}
	memcpy(request->response_digest, tmp + 1,
	       sizeof(request->response_digest));

	/* the challenge must begin with trusted unique ID. we trust only
	   ourself, so make sure it matches our connection specific UID
	   which we told to client in handshake. Also require a timestamp
	   which is later than this process's start time. */

	if (sscanf(request->challenge, "<%lx.%lx.%lx.",
		   &pid, &connect_uid, &timestamp) != 3 ||
	    connect_uid != auth_request->connect_uid ||
            pid != (unsigned long)getpid() ||
	    (time_t)timestamp < process_start_time) {
		auth_request_log_info(auth_request, "apop",
				      "invalid challenge");
		auth_request_fail(auth_request);
		return;
	}

	if (!auth_request_set_username(auth_request, (const char *)username,
				       &error)) {
		auth_request_log_info(auth_request, "apop", "%s", error);
		auth_request_fail(auth_request);
		return;
	}

	auth_request_lookup_credentials(auth_request, "PLAIN",
					apop_credentials_callback);
}