auth-request-handler.c revision ba00293b85c7fb4e7a2d100991c716e17b9daaae
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
657afb33796f8216c568ad813627da89970760beTimo Sirainen/* Copyright (C) 2005 Timo Sirainen */
657afb33796f8216c568ad813627da89970760beTimo Sirainen auth_request_callback_t *callback, void *context,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen pool = pool_alloconly_create("auth request handler", 4096);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler = p_new(pool, struct auth_request_handler, 1);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->requests = hash_create(default_pool, pool, 0, NULL, NULL);
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainenvoid auth_request_handler_unref(struct auth_request_handler **_handler)
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen struct auth_request_handler *handler = *_handler;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* notify parent that we're done with all requests */
70905e51a5148bd5613cb04720807177474a2496Timo Sirainenvoid auth_request_handler_set(struct auth_request_handler *handler,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainenstatic void auth_request_handler_remove(struct auth_request_handler *handler,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen hash_remove(handler->requests, POINTER_CAST(request->id));
70905e51a5148bd5613cb04720807177474a2496Timo Sirainenvoid auth_request_handler_check_timeouts(struct auth_request_handler *handler)
fda2c460c58f50bf035680187be606542a8c1dacTimo Sirainen if (request->last_access + AUTH_REQUEST_TIMEOUT < ioloop_time)
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_remove(handler, request);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainenstatic const char *get_client_extra_fields(struct auth_request *request)
bbf81c8fc6f21382707673dc6bd7b87ffc27981bTimo Sirainen if (auth_stream_is_empty(request->extra_fields))
bbf81c8fc6f21382707673dc6bd7b87ffc27981bTimo Sirainen extra_fields = auth_stream_reply_export(request->extra_fields);
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen /* we only wish to remove all fields prefixed with "userdb_" */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen for (src = dest = 0; fields[src] != NULL; src++) {
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen if (strncmp(fields[src], "userdb_", 7) != 0) {
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen if (!seen_pass && strncmp(fields[src], "pass=", 5) == 0)
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen if (request->proxy && !seen_pass && request->mech_password != NULL) {
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen /* we're proxying - send back the password that was
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen sent by user (not the password in passdb). */
52d3cbc21e8fe482b9b8c832f3921824a7aa6ebeTimo Sirainen str_printfa(str, "\tpass=%s", request->mech_password);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainenstatic void auth_callback(struct auth_request *request,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen struct auth_request_handler *handler = request->context;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen str = t_str_new(128 + MAX_BASE64_ENCODED_SIZE(reply_size));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->callback(str_c(str), handler->context);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen str_printfa(str, "OK\t%u\tuser=%s", request->id, request->user);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen if (request->no_login || handler->master_callback == NULL) {
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* this request doesn't have to wait for master
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen process to pick it up. delete it */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_remove(handler, request);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->callback(str_c(str), handler->context);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* we came here from flush_failures() */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->callback(str_c(str), handler->context);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* remove the request from requests-list */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_remove(handler, request);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* passdb specifically requested not to delay the
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->callback(str_c(str), handler->context);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* failure. don't announce it immediately to avoid
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen a) timing attacks, b) flooding */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* NOTE: request may be destroyed now */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainenstatic void auth_request_handler_auth_fail(struct auth_request_handler *handler,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_log_info(request, request->mech->mech_name, "%s", reason);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen str_printfa(reply, "FAIL\t%u\treason=%s", request->id, reason);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->callback(str_c(reply), handler->context);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_remove(handler, request);
6ef7e31619edfaa17ed044b45861d106a86191efTimo Sirainenbool auth_request_handler_auth_begin(struct auth_request_handler *handler,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen const char *const *list, *name, *arg, *initial_resp;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen unsigned int id;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* <id> <mechanism> [...] */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "sent broken AUTH request", handler->client_pid);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen id = (unsigned int)strtoul(list[0], NULL, 10);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* unsupported mechanism */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen i_error("BUG: Authentication client %u requested unsupported "
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "authentication mechanism %s", handler->client_pid,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen request = auth_request_new(handler->auth, mech, auth_callback, handler);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* parse optional parameters */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen else if (strcmp(name, "valid-client-cert") == 0)
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen /* this must be the last parameter */
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen "sent AUTH parameters after 'resp'",
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "didn't specify service in request",
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen hash_insert(handler->requests, POINTER_CAST(id), request);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen if (request->auth->ssl_require_client_cert && !valid_client_cert) {
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* we fail without valid certificate */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_auth_fail(handler, request,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "Client didn't present valid SSL certificate");
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen buf = buffer_create_dynamic(pool_datastack_create(),
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen if (base64_decode(initial_resp, len, NULL, buf) < 0) {
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_auth_fail(handler, request,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "Invalid base64 data in initial response");
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* handler is referenced until auth_callback is called. */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_initial(request, initial_resp_data, initial_resp_len);
6ef7e31619edfaa17ed044b45861d106a86191efTimo Sirainenbool auth_request_handler_auth_continue(struct auth_request_handler *handler,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen unsigned int id;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen i_error("BUG: Authentication client sent broken CONT request");
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen request = hash_lookup(handler->requests, POINTER_CAST(id));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen str_printfa(reply, "FAIL\t%u\treason=Timeouted", id);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->callback(str_c(reply), handler->context);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* accept input only once after mechanism has sent a CONT reply */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_auth_fail(handler, request,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "Unexpected continuation");
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen buf = buffer_create_dynamic(pool_datastack_create(),
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen if (base64_decode(data, data_len, NULL, buf) < 0) {
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_auth_fail(handler, request,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "Invalid base64 data in continued response");
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* handler is referenced until auth_callback is called. */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_continue(request, buf->data, buf->used);
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainenstatic void userdb_callback(enum userdb_result result,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen struct auth_request_handler *handler = request->context;
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen struct auth_stream_reply *reply = request->userdb_reply;
615c4aba4cc0b17eefba3263b85972adaba04586Timo Sirainen i_assert(request->state == AUTH_REQUEST_STATE_USERDB);
137ea7ca34005345aa2304a940149b7f3774d727Timo Sirainen str_printfa(str, "NOTFOUND\t%u", request->id);
137ea7ca34005345aa2304a940149b7f3774d727Timo Sirainen str_append(str, auth_stream_reply_export(reply));
137ea7ca34005345aa2304a940149b7f3774d727Timo Sirainen handler->master_callback(str_c(str), request->master);
ecb1b2d6236942bf82f822e8d0167f0e160b206dTimo Sirainen auth_master_connection_unref(&request->master);
657afb33796f8216c568ad813627da89970760beTimo Sirainenvoid auth_request_handler_master_request(struct auth_request_handler *handler,
657afb33796f8216c568ad813627da89970760beTimo Sirainen unsigned int id,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen request = hash_lookup(handler->requests, POINTER_CAST(client_id));
ad49932dae8ba31e07544b66bbc4f4de707a751cTimo Sirainen handler->master_callback(str_c(reply), master);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_remove(handler, request);
615c4aba4cc0b17eefba3263b85972adaba04586Timo Sirainen if (request->state != AUTH_REQUEST_STATE_FINISHED ||
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen i_error("Master requested unfinished authentication request "
ad49932dae8ba31e07544b66bbc4f4de707a751cTimo Sirainen handler->master_callback(str_c(reply), master);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* the request isn't being referenced anywhere anymore,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen so we can do a bit of kludging.. replace the request's
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen old client_id with master's id. */
ecb1b2d6236942bf82f822e8d0167f0e160b206dTimo Sirainen /* master and handler are referenced until userdb_callback i
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_lookup_user(request, userdb_callback);
8d80659e504ffb34bb0c6a633184fece35751b18Timo Sirainen auth_request = buffer_get_modifiable_data(auth_failures_buf, &size);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen for (i = 0; i < size; i++) {
615c4aba4cc0b17eefba3263b85972adaba04586Timo Sirainen i_assert(auth_request[i]->state == AUTH_REQUEST_STATE_FINISHED);
43d32cbe60fdaef2699d99f1ca259053e9350411Timo Sirainenstatic void auth_failure_timeout(void *context ATTR_UNUSED)
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_failures_buf = buffer_create_dynamic(default_pool, 1024);