auth: Set correct context type when bypassing reporting in auth_success Broken in 41ff6e6a4a085786d4c15a58c7c50a28e2110c3f

auth: Add policy check configuration options Allows disabling before/after auth checks, or reporting.

auth: passdb-cache - Verify credentials with worker when enabled

auth: Expose auth_request_verify_plain_callback_finish

Updated copyright notices to include the year 2018.

auth: Support secured=tls

auth: Fix 'Password mismatch' casing consistency

auth: Fix auth_request_is_disabled_master_user I assumed that lack of passdb means master authentication, but e.g. gssapi does not require a passdb. Instead, check that if requested_login_uset is non-null then check passdb is non-null too. Fixes auth: Panic: file auth-request.c: line 716 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)

auth: global rounds parameter replaced with argument to password_generate() username and rounds parameter moved to a single password_generate_params structure.

global: start relying on timeout_remove(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - timeout_remove(&E); - } + timeout_remove(&E);

global: use i_rand_limit() and i_rand_minmax() when possible

auth: Avoid DNS lookup for "host" if passdb returns also "hostip"

global: Replace rand with i_rand

auth: Rename overlooked "original_username" after c3e50b In c3e50b854dec3f9a51dbaecf2ee56197125a003f "original_username" field got renamed to "original-username".

auth: cache: don't log password mismatch twice If auth cache is enabled and the last auth was successful dovecot assumes the password has been changed and invalidates the cache which results in double logging of the same password mismatch. This also applies to expired negative cache entries.

auth: auth_request_log_unknown_user() to call common auth_request_log_login_failure() Separate implementation of auth_request_log_unknown_user() is replaced with call to auth_request_log_login_failure() NOTE: behavior of the auth_request_log_unknown_user() is changed and is in line with auth_request_log_password_mismatch()

auth: auth_request_log_password_mismatch() to call common auth_request_log_login_failure() Separate implementation of auth_request_log_password_mismatch() is replaced with call to auth_request_log_login_failure()

auth: Added auth_request_log_login_failure() New function implementing functionality of auth_request_log_unknown_user() and auth_request_log_password_mismatch()

auth: Don't lose all forward_ fields if the first passdb lookup fails.

auth: Fix crash on passdb lookup when all passdbs were skipped Finishes the fix in 614f5b6febaf3c825f9200ab3b62d9d047197b0e Fixes: auth: Panic: file auth-request.c: line 2493 (get_log_prefix): assertion failed: (auth_request->mech != NULL)

auth: Do not use AUTH_SUBSYS_MECH in logging when request->mech is NULL This can happen when a lookup is done instead of authentication. Fixes auth: Panic: file auth-request.c: line 2560 (get_log_prefix): assertion failed: (auth_request->mech != NULL)

auth: Log reason for skipping passdb

auth: Add username_filter for passdb block username_filter lets you specify one or more pattern(s) for including or excluding users. exclusion patterns are denoted with ! prefix. if any exclude matches the username, passdb will be skipped. if any inclusions is specified, and the username does not match one of them, passdb will be skipped.

auth: Use MECH subsystem when logging error about skipping all password databases Otherwise it will assert-crash because all password databases were skipped.

auth: Filter passdbs on credentials lookup start Consistency with how plain verify works.

auth: Fix mechanism filter to support `none` Otherwise credentials lookup can fail. None indicates that it should match when no mech is specified.

auth: Do not cache username unless it was changed by lookup This could've caused usernames to be unexpectedly changed because they were cached by a lookup that did not include username in the cache key.

auth: Mark username changed if it's changes in auth_request_try_update_username It was forgotten in by 865a82c1

auth: Accept forward_fields from auth client

auth: Accept client_id from auth client Client ID contains the ID client request string for IMAP.

auth: Auth workers shouldn't return username if it wasn't changed This continues the previous fix where username was always added to passdb/userdb cache, even if the username wasn't changed. That could have resulted in wrongly changing usernames if the cache key didn't uniquely identify the user.

auth: Apply skips to first passdb This is required to apply filters to first passdb, so that mechanism filters can be applied.

auth: Add mechanism filter for passdbs

auth: Handle delayed credentials identically in auth-workers

auth: Pass through passdb extra fields to auth-worker requests

auth: Code cleanup - Move userdb extra fields exporting to its own function

Updated copyright notices to include the year 2017.

global: Replaced all instances of memset(p, 0, sizeof(*p)) with the new i_zero() macro. Used the following script: C_FILES=`git ls-files *.c` H_FILES=`git ls-files *.h` for F in "$C_FILES $H_FILES"; do echo "$F" perl -p -i -e 's/safe_memset\(&\(?([^,]*)\)?,\s*0,\s*sizeof\(\g1\)\)/i_zero_safe(&$1)/g' $F perl -p -i -e 's/safe_memset\(([^,]*),\s*0,\s*sizeof\(\*\g1\)\)/i_zero_safe($1)/g' $F perl -p -i -e 's/memset\(&\(?([^,]*)\)?,\s*0,\s*sizeof\(\g1\)\)/i_zero(&$1)/g' $F perl -p -i -e 's/memset\(([^,]*),\s*0,\s*sizeof\(\*\g1\)\)/i_zero($1)/g' $F done

global: Change string position/length from unsigned int to size_t Mainly to avoid truncating >4GB strings, which might potentially cause some security holes. Normally there are other limits, which prevent such excessive strings from being created in the first place. I'm sure this didn't find everything. Maybe everything could be found with compiler warnings. -Wconversion kind of does it, but it gives way too many unnecessary warnings. These were mainly found with: grep " = strlen" egrep "unsigned int.*(size|len)"

auth: Fixes to previous var_expand() change.

lib: API change - var_expand*() now returns error string. This allows callers to fail properly if the format string is invalid.

auth: If uidgid_file doesn't exist, fail the userdb lookup.

auth-worker: Fix potential crash when importing passdb/userdb fields without value. These were being converted to NULL values in auth-worker, while elsewhere they were converted to "". Changed to "" here as well and added asserts to make sure they won't happen again. Most of the NULL values would have been fine, but overriding any IP/port fields would have caused a crash when trying to parse the value.

auth: Fix crash when exporting passdb fields to auth-worker that have NULL values

auth: Escape local_name

auth: Pass local_name to auth-request This allows using local_name in various places, such as passdb/userdb queries.

auth: Pass userdb fields to worker If this is not done, then those userdb handlers that need access to userdb variables for e.g. interpolation, cannot access them.

auth: Don't re-insert userdb results from auth cache data back to cache. This was also breaking TTLs for the cached userdb results, because each re-insert reset the TTL.

auth: Make sure auth_request_log_info() doesn't crash when there are no passdbs auth_request_is_disabled_master_user() could have caused such crash.

global: Added uchar_empty_ptr and use it instead of &uchar_nul. This makes Coverity happier about not treating a char as an array. For now this is a pointer to a 0, but could as well become a pointer that crashes if dereferenced. Shouldn't be NULL anyway because clang's -fsanitize=nonnull-attribute will complain about them.

auth: Removed redundant noauthenticate checks. Now that noauthenticate also adds nopassword field.

auth: When setting noauthenticate=yes, also set nopassword=yes There are various places which check only "nopassword", but not "noauthenticate".

auth: Remove i_assert for credentials scheme

auth: Fail request if last passdb is noauthenticate

auth: Skip authentication with noauthenticate

auth-request: Whitespace fix

auth-request: Correctly allocate mech_password and credentials_scheme

auth: delay_until can optionally now have +<max random secs> suffix.

auth: Fixed checking if delay_until is too large

auth: Added delay_until passdb extra field.

auth: Fixed plaintext authentication when auth policy was already processed. Broken by e82511362.

auth: Added ":remove" suffix for passdb/userdb extra fields to remove fields.

auth-policy: Do not do policy checks every time

auth: Finish policy.[ch] renaming..

auth-policy: Hook auth policy to auth code

auth: Fixed final result in multiple userdbs We don't want to return the last result's success/failure, but the entire userdb chain's success/failure.

auth: Session ID wasn't exported to auth workers. Most importantly this means that log messages didn't contain them.

auth: Added passdb/userdb { auth_verbose } setting. If this is explicitly set to yes or no, it overrides the global auth_verbose setting. However, auth_debug=yes overrides all of the auth_verbose settings.

auth: If user is unknown and there are more passdbs/userdb, log about it.

auth: If auth request contains "debug" field, enable auth_debug=yes for the request.

auth: Moved all passdb/userdb template handling to auth_passdb/userdb. This is because passdb_find() and userdb_find() attempts to avoid duplicating passdbs and userdbs when they have identical driver+args. This deduplication is useful when using multiple protocol { .. } blocks that duplicate some passdb/userdb backends. For example we might want to have only a single SQL connection regardless of how the protocol-specific passdbs and userdbs are being set up. All the default/override_fields and result_* settings aren't relevant to the passdb/userdb backends, so removing them will again allow the deduplication to work correctly.

auth: Moved cache_key from passdb_module to auth_passdb. This is in preparation for the next changeset, which moves default/override_fields also to auth_passdb.

auth: Added "fail" parameter, which fails the passdb lookup.

auth: Don't revert any previous failed=TRUE status if allow_nets check succeeds

auth: If auth_stats=yes, send statistics to stats process.

auth: Apply override_fields to userdb also when continuing to the next userdb.

auth: If userdb result was found from cache, its result_* rules were ignored.

auth: Apply passdb/userdb { override_fields } only after caching Now they're not be unnecessarily saved to cache to waste memory. More importantly they will always override the cached fields, which is required for %variables to work.

global: freshen copyright git ls-files | xargs perl -p -i -e 's/(\d+)-201[0-5]/$1-2016/g;s/ (201[0-5]) Dovecot/ $1-2016 Dovecot/'

auth: Fixed allow_nets=local to work correctly with non-local remote IP

auth: If allow_nets has an invalid value, don't attempt to compare it anymore. This fixes a potential crash because net_is_in_network() was called with garbage net_ip.

auth: Avoid a crash by not trying to save empty delayed credentials.

auth: nopassword field is specific to a single passdb, remove before next passdb is processed

Remove now-unnecessary direct stdlib.h #includes.

auth: Remove redundant if

auth: If userdb lookup was found from auth cache, don't clear the earlier userdb fields.

auth: If multiple userdbs are used, default_fields was ignored for all but the first one.

auth: Fixed passdb skip_password_check / result_success=continue-fail handling If passdb returned success, but result_success=continue-fail, it means that the authentication didn't succeed. So we still want to check the password again and in general treat the request as unauthenticated (especially for the passdb { skip } setting). So the current logic means that there are 2 ways for the request to be treated as authenticated and skipping any password checking: 1) passdb lookup succeeding, with result_success=continue, continue-ok, return or return-ok 2) passdb lookup not succeeding, with result_failure=continue-ok or return-ok It's a bit questionable though if 2) should be allowed.

auth: Aborting auth request didn't abort a pending proxy DNS lookup.

auth: Added ":protected" suffix to passdb and userdb field names. This means that if the field is set only if it hasn't already been set. Usually an earlier passdb/userdb would have set the field and this is setting a default (e.g. per-user settings override per-domain settings).

Changed type of internet port values to in_port_t everywhere. Created special SET_IN_PORT setting type for internet port values. Created net_str2port() for parsing internet port values. Removed several atoi() invocations in the process.

auth: Added allow_real_nets setting. The difference to allow_nets is that it matches against the connection's "real IP" rather than what the connection told was the original client's IP address (%{rip} vs %{real_rip})

auth: Added %{passdb:field} and %{userdb:field} variables The field expands to either the passdb or userdb extra field. You can also use %{passdb:field:defaultvalue} where if field doesn't exist, it's expanded to defaultvalue. Note that an empty value means that the field still exists and it's not expanded to defaultvalue.

auth: Moved var_expand() related code to its own file.

auth: Don't crash if trying to add password with TAB or LF to auth cache. This would happen only if the passwords were stored as plaintext in passdb and the valid password actually contained TAB or LF.

auth: If passdb has non-matching allow_nets, don't fail the other passdb lookups also. We might want to use e.g.: passdb { driver = static args = password=secretmasterpass allow_nets=10.1.2.3 } passdb { ... } If allow_nets didn't match in the first passdb, we should just ignore it and continue to the next passdb.

director: Implemented director_proxy_maybe passdb extra field. This allows running director and backend in the same Dovecot instance. It was implemented into director instead of login-common to allow doveadm and lmtp proxying to work as well (although currently lmtp can't handle mixed proxying and non-proxying destinations, which makes this a bit less useful).

auth: Don't assert-crash if master user login attempts to use empty login username.

auth: If passdb/userdb changes the username, add the changed username also to the cache.

auth: Setting userdb fields from cache didn't set handle any special fields. The special fields were relatively rarely used though.

auth: Changed passdb { continue-ok } handling for credentials lookups. If the last passdb after it doesn't return credentials, use the first passdb's credentials. This allows implementing plugins that modify the passdb result without actually changing the credentials.

global: freshen copyright Robomatically: git ls-files | xargs perl -p -i -e 's/(\d+)-201[0-4]/$1-2015/g;s/ (201[0-4]) Dovecot/ $1-2015 Dovecot/' Happy 2015 everyone! Signed-off-by: Phil Carmody <phil@dovecot.fi>

auth: Don't crash if master user login is attempted without master=yes passdbs

auth: Don't allow changing username to an empty string. This is most likely always accidental and Dovecot in general hasn't been designed to support empty usernames.

auth: allow_nets=local matches now connections without any IP address

auth: Minor fix to previous commit.

auth: Check for empty username after doing all the username changes.

auth: Mark memory pools as growing and use the same sizes for all mechanisms. Mainly to have DEBUG log fewer warnings.

auth: Internal passdb failures were always failing the request even if another passdb succeeded later.

auth: Fixed wrong assert added by recent commit.

auth: Fixed handling userdb_userdb_import passdb extra field. Looks like some hg merging went wrong. Found by Coverity

Added various asserts to try to silence Coverity false positives.

auth: Invalid userdb passwd-file and userdb templates may have caused crashes. Using just "key" parameter instead of "key=value" usually worked, but for some keys the code assumed that there was a value and it dereferenced NULL. We'll solve this by just using value="" instead of value=NULL. Found by Coverity

auth: set_credentials callback being passed an enum, not a bool This changes the behaviour, as the error case is now mapped onto FALSE. All non-zero values of course get squashed into true. Found by sparse. Signed-off-by: Phil Carmody <phil@dovecot.fi>

auth: Added %{orig_user}, %{orig_username} and %{orig_domain} variables

auth: Fixed userdb extra fields handling in passdb failure. userdb prefetch -flag wasn't correctly set, causing the prefetch userdb in some situations incorrectly either to be called or not be called. This also fixes a crash when using userdb static and multiple passdbs. The userdb_reply was set to NULL, which caused a crash later.

auth: If passdb/userdb has a name, use it for the log prefix instead of the driver name.

auth: Use special AUTH_SUBSYS_DB/MECH parameters as auth_request_log*() subsystem. This avoids hardcoded strings all over the place and also allows assigning the correct passdb/userdb name for log messages generated by generic passdb/userdb code, which doesn't know exactly where it was called from.

auth: Added login_user extra field to change the username in master passdb.

Updated copyright notices to include year 2014.