src/login-common/sasl-server.c

	sasl-server.c revision 325d17cdbb7a338f7c413788f5e8e42d2e80a7f8
a8c5a86d183db25a57bf193c06b41e092ec2e151Timo Sirainen/* Copyright (c) 2002-2013 Dovecot authors, see the included COPYING file */
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "login-common.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "base64.h"
5dd05e966ffd69181ab3067f6939b03ced68ebc3Timo Sirainen#include "buffer.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "hex-binary.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "ioloop.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "istream.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "write-full.h"
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen#include "strescape.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "str-sanitize.h"
93ae7fcd39c6982f7e338adfe71139942d9bbad1Timo Sirainen#include "anvil-client.h"
93ae7fcd39c6982f7e338adfe71139942d9bbad1Timo Sirainen#include "auth-client.h"
93ae7fcd39c6982f7e338adfe71139942d9bbad1Timo Sirainen#include "ssl-proxy.h"
93ae7fcd39c6982f7e338adfe71139942d9bbad1Timo Sirainen#include "master-service.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "master-interface.h"
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#include "master-auth.h"
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen#include "client-common.h"
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen#include <stdlib.h>
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen#include <unistd.h>
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen
8e361d2906b0e44f7175a20981f8d2280645b58bTimo Sirainen#define ERR_TOO_MANY_USERIP_CONNECTIONS \
8e361d2906b0e44f7175a20981f8d2280645b58bTimo Sirainen    "Maximum number of connections from user+IP exceeded " \
3281669db44d09a087a203201248abbc81b3cc1aTimo Sirainen    "(mail_max_userip_connections=%u)"
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainenstruct anvil_request {
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen    struct client *client;
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen    unsigned int auth_pid, auth_id;
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen    unsigned char cookie[MASTER_AUTH_COOKIE_SIZE];
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen};
cd466fe7b84b0223735a6469c7f7bc225f65996dTimo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainenconst struct auth_mech_desc *
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainensasl_server_get_advertised_mechs(struct client *client, unsigned int *count_r)
0e3f8c6edad565112d91f0a53568c0313d657e48Timo Sirainen{
0e3f8c6edad565112d91f0a53568c0313d657e48Timo Sirainen    const struct auth_mech_desc *mech;
0e3f8c6edad565112d91f0a53568c0313d657e48Timo Sirainen    struct auth_mech_desc *ret_mech;
0e3f8c6edad565112d91f0a53568c0313d657e48Timo Sirainen    unsigned int i, j, count;
0e3f8c6edad565112d91f0a53568c0313d657e48Timo Sirainen
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen    mech = auth_client_get_available_mechs(auth_client, &count);
d56384d5226c8860079d0d0b08b83404e8c42986Timo Sirainen    if (count == 0) {
0f66f12eb4cdbf47670975044c88d8f388bf92dfTimo Sirainen        *count_r = 0;
d56384d5226c8860079d0d0b08b83404e8c42986Timo Sirainen        return NULL;
d56384d5226c8860079d0d0b08b83404e8c42986Timo Sirainen    }
4b058f90f9e8a2c6b2eed275de4eb8cc5195a71dTimo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    ret_mech = t_new(struct auth_mech_desc, count);
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen    for (i = j = 0; i < count; i++) {
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen        /* a) transport is secured
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen           b) auth mechanism isn't plaintext
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen           c) we allow insecure authentication
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen        */
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen        if ((mech[i].flags & MECH_SEC_PRIVATE) == 0 &&
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen            (client->secured || !client->set->disable_plaintext_auth ||
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen             (mech[i].flags & MECH_SEC_PLAINTEXT) == 0))
d6af1e63bc7824f1cc5b9b73a1c5f8f8789788d6Timo Sirainen            ret_mech[j++] = mech[i];
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    }
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    *count_r = j;
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen    return ret_mech;
6a9f9a5101b665fd2ef80c9e048a5eace78e01efTimo Sirainen}
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen
0f66f12eb4cdbf47670975044c88d8f388bf92dfTimo Sirainenstatic enum auth_request_flags
6a9f9a5101b665fd2ef80c9e048a5eace78e01efTimo Sirainenclient_get_auth_flags(struct client *client)
6a9f9a5101b665fd2ef80c9e048a5eace78e01efTimo Sirainen{
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen        enum auth_request_flags auth_flags = 0;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
4b058f90f9e8a2c6b2eed275de4eb8cc5195a71dTimo Sirainen    if (client->ssl_proxy != NULL &&
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        ssl_proxy_has_valid_client_cert(client->ssl_proxy))
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    if (client->secured)
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen        auth_flags |= AUTH_REQUEST_FLAG_SECURED;
a3ea111cfdbfd4f32baeb0bd7f1d72568c60a023Timo Sirainen    if (client->trusted) {
a3ea111cfdbfd4f32baeb0bd7f1d72568c60a023Timo Sirainen        /* e.g. webmail */
a3ea111cfdbfd4f32baeb0bd7f1d72568c60a023Timo Sirainen        auth_flags |= AUTH_REQUEST_FLAG_NO_PENALTY;
a3ea111cfdbfd4f32baeb0bd7f1d72568c60a023Timo Sirainen    }
8d80659e504ffb34bb0c6a633184fece35751b18Timo Sirainen    if (login_binary->sasl_support_final_reply)
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        auth_flags |= AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP;
4b058f90f9e8a2c6b2eed275de4eb8cc5195a71dTimo Sirainen    return auth_flags;
8d80659e504ffb34bb0c6a633184fece35751b18Timo Sirainen}
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainenstatic void ATTR_NULL(3, 4)
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainencall_client_callback(struct client *client, enum sasl_server_reply reply,
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen             const char *data, const char *const *args)
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen{
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    sasl_server_callback_t *sasl_callback;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen    i_assert(reply != SASL_SERVER_REPLY_CONTINUE);
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen    sasl_callback = client->sasl_callback;
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen    client->sasl_callback = NULL;
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen    sasl_callback(client, reply, data, args);
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen    /* NOTE: client may be destroyed now */
1f57716285d4c5bc9bf2fd5569e3c85fd496afd9Timo Sirainen}
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainenstatic void
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainenmaster_auth_callback(const struct master_auth_reply *reply, void *context)
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen{
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    struct client *client = context;
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen    enum sasl_server_reply sasl_reply = SASL_SERVER_REPLY_MASTER_FAILED;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    const char *data = NULL;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    client->master_tag = 0;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    client->authenticating = FALSE;
a3ea111cfdbfd4f32baeb0bd7f1d72568c60a023Timo Sirainen    if (reply != NULL) {
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        switch (reply->status) {
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        case MASTER_AUTH_STATUS_OK:
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen            sasl_reply = SASL_SERVER_REPLY_SUCCESS;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen            break;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        case MASTER_AUTH_STATUS_INTERNAL_ERROR:
a29a5b7520f7b8d6cdaf97e66d184b6a9e4f4ecfTimo Sirainen            sasl_reply = SASL_SERVER_REPLY_MASTER_FAILED;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen            break;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        }
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        client->mail_pid = reply->mail_pid;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    } else {
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen        auth_client_send_cancel(auth_client, client->master_auth_id);
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    }
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    call_client_callback(client, sasl_reply, data, NULL);
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen}
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainenstatic void master_send_request(struct anvil_request *anvil_request)
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen{
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    struct client *client = anvil_request->client;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    struct master_auth_request req;
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen    const unsigned char *data;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    size_t size;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    buffer_t *buf;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    const char *session_id = client_get_session_id(client);
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    memset(&req, 0, sizeof(req));
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    req.auth_pid = anvil_request->auth_pid;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    req.auth_id = anvil_request->auth_id;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    req.local_ip = client->local_ip;
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen    req.remote_ip = client->ip;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    req.client_pid = getpid();
af208f4a43a81a39a2ec44e68d65d12b95f1b386Timo Sirainen    if (client->ssl_proxy != NULL &&
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen        ssl_proxy_get_compression(client->ssl_proxy))
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen        req.flags |= MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION;
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    memcpy(req.cookie, anvil_request->cookie, sizeof(req.cookie));
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    buf = buffer_create_dynamic(pool_datastack_create(), 256);
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    /* session ID */
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    buffer_append(buf, session_id, strlen(session_id)+1);
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    /* protocol specific data (e.g. IMAP tag) */
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    buffer_append(buf, client->master_data_prefix,
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen              client->master_data_prefix_len);
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    /* buffered client input */
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    data = i_stream_get_data(client->input, &size);
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    buffer_append(buf, data, size);
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    req.data_size = buf->used;
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen
743c3ba9d4b06d4797d06136ec53a4a652422a57Timo Sirainen    client->auth_finished = ioloop_time;
743c3ba9d4b06d4797d06136ec53a4a652422a57Timo Sirainen    client->master_auth_id = req.auth_id;
22c1ec434d7323e125c150e3fd237316c74de6d5Timo Sirainen    master_auth_request(master_auth, client->fd, &req, buf->data,
22c1ec434d7323e125c150e3fd237316c74de6d5Timo Sirainen                master_auth_callback, client, &client->master_tag);
743c3ba9d4b06d4797d06136ec53a4a652422a57Timo Sirainen}
22c1ec434d7323e125c150e3fd237316c74de6d5Timo Sirainen
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainenstatic void ATTR_NULL(1)
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainenanvil_lookup_callback(const char *reply, void *context)
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen{
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    struct anvil_request *req = context;
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    struct client *client = req->client;
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    const struct login_settings *set = client->set;
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    const char *errmsg;
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    if (reply == NULL ||
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen        strtoul(reply, NULL, 10) < set->mail_max_userip_connections)
5dd05e966ffd69181ab3067f6939b03ced68ebc3Timo Sirainen        master_send_request(req);
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen    else {
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen        client->authenticating = FALSE;
b09be485e9373be4288f5615bbce6ebed65a425aTimo Sirainen        auth_client_send_cancel(auth_client, req->auth_id);
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen        errmsg = t_strdup_printf(ERR_TOO_MANY_USERIP_CONNECTIONS,
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen                     set->mail_max_userip_connections);
9453e8d75cfd8fab2232cf772e9b120f308fb3eeTimo Sirainen        call_client_callback(client, SASL_SERVER_REPLY_MASTER_FAILED,
9453e8d75cfd8fab2232cf772e9b120f308fb3eeTimo Sirainen                     errmsg, NULL);
9453e8d75cfd8fab2232cf772e9b120f308fb3eeTimo Sirainen    }
9453e8d75cfd8fab2232cf772e9b120f308fb3eeTimo Sirainen    i_free(req);
9453e8d75cfd8fab2232cf772e9b120f308fb3eeTimo Sirainen}
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainenstatic void
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainenanvil_check_too_many_connections(struct client *client,
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen                 struct auth_client_request *request)
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen{
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen    struct anvil_request *req;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    const char *query, *cookie;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen    buffer_t buf;
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen
    req = i_new(struct anvil_request, 1);
    req->client = client;
    req->auth_pid = auth_client_request_get_server_pid(request);
    req->auth_id = auth_client_request_get_id(request);

    buffer_create_from_data(&buf, req->cookie, sizeof(req->cookie));
    cookie = auth_client_request_get_cookie(request);
    if (strlen(cookie) == MASTER_AUTH_COOKIE_SIZE*2)
        (void)hex_to_binary(cookie, &buf);

    if (client->virtual_user == NULL ||
        client->set->mail_max_userip_connections == 0) {
        anvil_lookup_callback(NULL, req);
        return;
    }

    query = t_strconcat("LOOKUP\t", login_binary->protocol, "/",
                net_ip2addr(&client->ip), "/",
                str_tabescape(client->virtual_user), NULL);
    anvil_client_query(anvil, query, anvil_lookup_callback, req);
}

static void
authenticate_callback(struct auth_client_request *request,
              enum auth_request_status status, const char *data_base64,
              const char *const *args, void *context)
{
    struct client *client = context;
    unsigned int i;
    bool nologin;

    if (!client->authenticating) {
        /* client aborted */
        i_assert(status < 0);
        return;
    }
    client->auth_waiting = FALSE;

    i_assert(client->auth_request == request);
    switch (status) {
    case AUTH_REQUEST_STATUS_CONTINUE:
        /* continue */
        client->sasl_callback(client, SASL_SERVER_REPLY_CONTINUE,
                      data_base64, NULL);
        break;
    case AUTH_REQUEST_STATUS_OK:
        client->auth_request = NULL;
        client->auth_successes++;

        nologin = FALSE;
        for (i = 0; args[i] != NULL; i++) {
            if (strncmp(args[i], "user=", 5) == 0) {
                i_free(client->virtual_user);
                client->virtual_user = i_strdup(args[i] + 5);
            } else if (strcmp(args[i], "nologin") == 0 ||
                   strcmp(args[i], "proxy") == 0) {
                /* user can't login */
                nologin = TRUE;
            } else if (strncmp(args[i], "resp=", 5) == 0 &&
                   login_binary->sasl_support_final_reply) {
                client->sasl_final_resp =
                    p_strdup(client->pool, args[i] + 5);
            }
        }

        if (nologin) {
            client->authenticating = FALSE;
            call_client_callback(client, SASL_SERVER_REPLY_SUCCESS,
                         NULL, args);
        } else {
            anvil_check_too_many_connections(client, request);
        }
        break;
    case AUTH_REQUEST_STATUS_INTERNAL_FAIL:
        client->auth_process_comm_fail = TRUE;
        /* fall through */
    case AUTH_REQUEST_STATUS_FAIL:
    case AUTH_REQUEST_STATUS_ABORT:
        client->auth_request = NULL;

        if (args != NULL) {
            /* parse our username if it's there */
            for (i = 0; args[i] != NULL; i++) {
                if (strncmp(args[i], "user=", 5) == 0) {
                    i_free(client->virtual_user);
                    client->virtual_user =
                        i_strdup(args[i] + 5);
                }
            }
        }

        client->authenticating = FALSE;
        call_client_callback(client, SASL_SERVER_REPLY_AUTH_FAILED,
                     NULL, args);
        break;
    }
}

void sasl_server_auth_begin(struct client *client,
                const char *service, const char *mech_name,
                const char *initial_resp_base64,
                sasl_server_callback_t *callback)
{
    struct auth_request_info info;
    const struct auth_mech_desc *mech;

    i_assert(auth_client_is_connected(auth_client));

    client->auth_attempts++;
    client->authenticating = TRUE;
    if (client->auth_first_started == 0)
        client->auth_first_started = ioloop_time;
    i_free(client->auth_mech_name);
    client->auth_mech_name = str_ucase(i_strdup(mech_name));
    client->sasl_callback = callback;

    mech = auth_client_find_mech(auth_client, mech_name);
    if (mech == NULL) {
        client->auth_tried_unsupported_mech = TRUE;
        sasl_server_auth_failed(client,
            "Unsupported authentication mechanism.");
        return;
    }

    if (!client->secured && client->set->disable_plaintext_auth &&
        (mech->flags & MECH_SEC_PLAINTEXT) != 0) {
        client->auth_tried_disabled_plaintext = TRUE;
        sasl_server_auth_failed(client,
            "Plaintext authentication disabled.");
        return;
    }

    memset(&info, 0, sizeof(info));
    info.mech = mech->name;
    info.service = service;
    info.session_id = client_get_session_id(client);
    info.cert_username = client->ssl_proxy == NULL ? NULL :
        ssl_proxy_get_peer_name(client->ssl_proxy);
    info.flags = client_get_auth_flags(client);
    info.local_ip = client->local_ip;
    info.remote_ip = client->ip;
    info.local_port = client->local_port;
    info.remote_port = client->remote_port;
    info.real_local_ip = client->real_local_ip;
    info.real_remote_ip = client->real_remote_ip;
    info.real_local_port = client->real_local_port;
    info.real_remote_port = client->real_remote_port;
    info.initial_resp_base64 = initial_resp_base64;

    client->auth_request =
        auth_client_request_new(auth_client, &info,
                    authenticate_callback, client);
}

static void ATTR_NULL(2)
sasl_server_auth_cancel(struct client *client, const char *reason,
            enum sasl_server_reply reply)
{
    i_assert(client->authenticating);

    if (client->set->auth_verbose && reason != NULL) {
        const char *auth_name =
            str_sanitize(client->auth_mech_name, MAX_MECH_NAME);
        client_log(client, t_strdup_printf(
            "Authenticate %s failed: %s", auth_name, reason));
    }

    client->authenticating = FALSE;
    if (client->auth_request != NULL)
        auth_client_request_abort(&client->auth_request);

    call_client_callback(client, reply, reason, NULL);
}

void sasl_server_auth_failed(struct client *client, const char *reason)
{
    sasl_server_auth_cancel(client, reason, SASL_SERVER_REPLY_AUTH_FAILED);
}

void sasl_server_auth_abort(struct client *client)
{
    client->auth_try_aborted = TRUE;
    sasl_server_auth_cancel(client, NULL, SASL_SERVER_REPLY_AUTH_ABORTED);
}