summaryrefslogtreecommitdiffstats
path: root/src/lib-auth
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
commitf7548d6d28c313cf80e6f3ef89aed16a19815df1 (patch)
treea3f6f2a3f247293bee59ecd28e8cd8ceb6ca064a /src/lib-auth
parentInitial commit. (diff)
downloaddovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.tar.xz
dovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.zip
Adding upstream version 1:2.3.19.1+dfsg1.upstream/1%2.3.19.1+dfsg1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/lib-auth')
-rw-r--r--src/lib-auth/Makefile.am46
-rw-r--r--src/lib-auth/Makefile.in877
-rw-r--r--src/lib-auth/auth-client-connection.c552
-rw-r--r--src/lib-auth/auth-client-interface.h43
-rw-r--r--src/lib-auth/auth-client-private.h88
-rw-r--r--src/lib-auth/auth-client-request.c359
-rw-r--r--src/lib-auth/auth-client.c112
-rw-r--r--src/lib-auth/auth-client.h124
-rw-r--r--src/lib-auth/auth-master.c1030
-rw-r--r--src/lib-auth/auth-master.h76
-rw-r--r--src/lib-auth/test-auth-master.c74
11 files changed, 3381 insertions, 0 deletions
diff --git a/src/lib-auth/Makefile.am b/src/lib-auth/Makefile.am
new file mode 100644
index 0000000..4aff5f8
--- /dev/null
+++ b/src/lib-auth/Makefile.am
@@ -0,0 +1,46 @@
+noinst_LTLIBRARIES = libauth.la
+
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/lib \
+ -I$(top_srcdir)/src/lib-master \
+ -I$(top_srcdir)/src/lib-test
+
+libauth_la_SOURCES = \
+ auth-client.c \
+ auth-client-request.c \
+ auth-client-connection.c \
+ auth-master.c
+
+headers = \
+ auth-client.h \
+ auth-client-interface.h \
+ auth-client-private.h \
+ auth-master.h
+
+pkginc_libdir=$(pkgincludedir)
+pkginc_lib_HEADERS = $(headers)
+
+test_programs = \
+ test-auth-master
+
+noinst_PROGRAMS = $(test_programs)
+
+test_libs = \
+ $(noinst_LTLIBRARIES) \
+ ../lib-test/libtest.la \
+ ../lib/liblib.la \
+ $(MODULE_LIBS)
+
+test_deps = \
+ $(noinst_LTLIBRARIES) \
+ ../lib-test/libtest.la \
+ ../lib/liblib.la
+
+test_auth_master_SOURCES = test-auth-master.c
+test_auth_master_LDADD = $(test_libs)
+test_auth_master_DEPENDENCIES = $(test_deps)
+
+check-local:
+ for bin in $(test_programs); do \
+ if ! $(RUN_TEST) ./$$bin; then exit 1; fi; \
+ done
diff --git a/src/lib-auth/Makefile.in b/src/lib-auth/Makefile.in
new file mode 100644
index 0000000..d3653d8
--- /dev/null
+++ b/src/lib-auth/Makefile.in
@@ -0,0 +1,877 @@
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+noinst_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/lib-auth
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/ac_checktype2.m4 \
+ $(top_srcdir)/m4/ac_typeof.m4 $(top_srcdir)/m4/arc4random.m4 \
+ $(top_srcdir)/m4/blockdev.m4 $(top_srcdir)/m4/c99_vsnprintf.m4 \
+ $(top_srcdir)/m4/clock_gettime.m4 $(top_srcdir)/m4/crypt.m4 \
+ $(top_srcdir)/m4/crypt_xpg6.m4 $(top_srcdir)/m4/dbqlk.m4 \
+ $(top_srcdir)/m4/dirent_dtype.m4 $(top_srcdir)/m4/dovecot.m4 \
+ $(top_srcdir)/m4/fd_passing.m4 $(top_srcdir)/m4/fdatasync.m4 \
+ $(top_srcdir)/m4/flexible_array_member.m4 \
+ $(top_srcdir)/m4/glibc.m4 $(top_srcdir)/m4/gmtime_max.m4 \
+ $(top_srcdir)/m4/gmtime_tm_gmtoff.m4 \
+ $(top_srcdir)/m4/ioloop.m4 $(top_srcdir)/m4/iovec.m4 \
+ $(top_srcdir)/m4/ipv6.m4 $(top_srcdir)/m4/libcap.m4 \
+ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/libwrap.m4 \
+ $(top_srcdir)/m4/linux_mremap.m4 $(top_srcdir)/m4/ltoptions.m4 \
+ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+ $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/mmap_write.m4 \
+ $(top_srcdir)/m4/mntctl.m4 $(top_srcdir)/m4/modules.m4 \
+ $(top_srcdir)/m4/notify.m4 $(top_srcdir)/m4/nsl.m4 \
+ $(top_srcdir)/m4/off_t_max.m4 $(top_srcdir)/m4/pkg.m4 \
+ $(top_srcdir)/m4/pr_set_dumpable.m4 \
+ $(top_srcdir)/m4/q_quotactl.m4 $(top_srcdir)/m4/quota.m4 \
+ $(top_srcdir)/m4/random.m4 $(top_srcdir)/m4/rlimit.m4 \
+ $(top_srcdir)/m4/sendfile.m4 $(top_srcdir)/m4/size_t_signed.m4 \
+ $(top_srcdir)/m4/sockpeercred.m4 $(top_srcdir)/m4/sql.m4 \
+ $(top_srcdir)/m4/ssl.m4 $(top_srcdir)/m4/st_tim.m4 \
+ $(top_srcdir)/m4/static_array.m4 $(top_srcdir)/m4/test_with.m4 \
+ $(top_srcdir)/m4/time_t.m4 $(top_srcdir)/m4/typeof.m4 \
+ $(top_srcdir)/m4/typeof_dev_t.m4 \
+ $(top_srcdir)/m4/uoff_t_max.m4 $(top_srcdir)/m4/vararg.m4 \
+ $(top_srcdir)/m4/want_apparmor.m4 \
+ $(top_srcdir)/m4/want_bsdauth.m4 \
+ $(top_srcdir)/m4/want_bzlib.m4 \
+ $(top_srcdir)/m4/want_cassandra.m4 \
+ $(top_srcdir)/m4/want_cdb.m4 \
+ $(top_srcdir)/m4/want_checkpassword.m4 \
+ $(top_srcdir)/m4/want_clucene.m4 $(top_srcdir)/m4/want_db.m4 \
+ $(top_srcdir)/m4/want_gssapi.m4 $(top_srcdir)/m4/want_icu.m4 \
+ $(top_srcdir)/m4/want_ldap.m4 $(top_srcdir)/m4/want_lua.m4 \
+ $(top_srcdir)/m4/want_lz4.m4 $(top_srcdir)/m4/want_lzma.m4 \
+ $(top_srcdir)/m4/want_mysql.m4 $(top_srcdir)/m4/want_pam.m4 \
+ $(top_srcdir)/m4/want_passwd.m4 $(top_srcdir)/m4/want_pgsql.m4 \
+ $(top_srcdir)/m4/want_prefetch.m4 \
+ $(top_srcdir)/m4/want_shadow.m4 \
+ $(top_srcdir)/m4/want_sodium.m4 $(top_srcdir)/m4/want_solr.m4 \
+ $(top_srcdir)/m4/want_sqlite.m4 \
+ $(top_srcdir)/m4/want_stemmer.m4 \
+ $(top_srcdir)/m4/want_systemd.m4 \
+ $(top_srcdir)/m4/want_textcat.m4 \
+ $(top_srcdir)/m4/want_unwind.m4 $(top_srcdir)/m4/want_zlib.m4 \
+ $(top_srcdir)/m4/want_zstd.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(pkginc_lib_HEADERS) \
+ $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = test-auth-master$(EXEEXT)
+PROGRAMS = $(noinst_PROGRAMS)
+LTLIBRARIES = $(noinst_LTLIBRARIES)
+libauth_la_LIBADD =
+am_libauth_la_OBJECTS = auth-client.lo auth-client-request.lo \
+ auth-client-connection.lo auth-master.lo
+libauth_la_OBJECTS = $(am_libauth_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+am_test_auth_master_OBJECTS = test-auth-master.$(OBJEXT)
+test_auth_master_OBJECTS = $(am_test_auth_master_OBJECTS)
+am__DEPENDENCIES_1 =
+am__DEPENDENCIES_2 = $(noinst_LTLIBRARIES) ../lib-test/libtest.la \
+ ../lib/liblib.la $(am__DEPENDENCIES_1)
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/auth-client-connection.Plo \
+ ./$(DEPDIR)/auth-client-request.Plo \
+ ./$(DEPDIR)/auth-client.Plo ./$(DEPDIR)/auth-master.Plo \
+ ./$(DEPDIR)/test-auth-master.Po
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libauth_la_SOURCES) $(test_auth_master_SOURCES)
+DIST_SOURCES = $(libauth_la_SOURCES) $(test_auth_master_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(pkginc_libdir)"
+HEADERS = $(pkginc_lib_HEADERS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ACLOCAL_AMFLAGS = @ACLOCAL_AMFLAGS@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+APPARMOR_LIBS = @APPARMOR_LIBS@
+AR = @AR@
+AUTH_CFLAGS = @AUTH_CFLAGS@
+AUTH_LIBS = @AUTH_LIBS@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BINARY_CFLAGS = @BINARY_CFLAGS@
+BINARY_LDFLAGS = @BINARY_LDFLAGS@
+BISON = @BISON@
+CASSANDRA_CFLAGS = @CASSANDRA_CFLAGS@
+CASSANDRA_LIBS = @CASSANDRA_LIBS@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CDB_LIBS = @CDB_LIBS@
+CFLAGS = @CFLAGS@
+CLUCENE_CFLAGS = @CLUCENE_CFLAGS@
+CLUCENE_LIBS = @CLUCENE_LIBS@
+COMPRESS_LIBS = @COMPRESS_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CRYPT_LIBS = @CRYPT_LIBS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DICT_LIBS = @DICT_LIBS@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FLEX = @FLEX@
+FUZZER_CPPFLAGS = @FUZZER_CPPFLAGS@
+FUZZER_LDFLAGS = @FUZZER_LDFLAGS@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+KRB5CONFIG = @KRB5CONFIG@
+KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_LIBS = @KRB5_LIBS@
+LD = @LD@
+LDAP_LIBS = @LDAP_LIBS@
+LDFLAGS = @LDFLAGS@
+LD_NO_WHOLE_ARCHIVE = @LD_NO_WHOLE_ARCHIVE@
+LD_WHOLE_ARCHIVE = @LD_WHOLE_ARCHIVE@
+LIBCAP = @LIBCAP@
+LIBDOVECOT = @LIBDOVECOT@
+LIBDOVECOT_COMPRESS = @LIBDOVECOT_COMPRESS@
+LIBDOVECOT_DEPS = @LIBDOVECOT_DEPS@
+LIBDOVECOT_DSYNC = @LIBDOVECOT_DSYNC@
+LIBDOVECOT_LA_LIBS = @LIBDOVECOT_LA_LIBS@
+LIBDOVECOT_LDA = @LIBDOVECOT_LDA@
+LIBDOVECOT_LDAP = @LIBDOVECOT_LDAP@
+LIBDOVECOT_LIBFTS = @LIBDOVECOT_LIBFTS@
+LIBDOVECOT_LIBFTS_DEPS = @LIBDOVECOT_LIBFTS_DEPS@
+LIBDOVECOT_LOGIN = @LIBDOVECOT_LOGIN@
+LIBDOVECOT_LUA = @LIBDOVECOT_LUA@
+LIBDOVECOT_LUA_DEPS = @LIBDOVECOT_LUA_DEPS@
+LIBDOVECOT_SQL = @LIBDOVECOT_SQL@
+LIBDOVECOT_STORAGE = @LIBDOVECOT_STORAGE@
+LIBDOVECOT_STORAGE_DEPS = @LIBDOVECOT_STORAGE_DEPS@
+LIBEXTTEXTCAT_CFLAGS = @LIBEXTTEXTCAT_CFLAGS@
+LIBEXTTEXTCAT_LIBS = @LIBEXTTEXTCAT_LIBS@
+LIBICONV = @LIBICONV@
+LIBICU_CFLAGS = @LIBICU_CFLAGS@
+LIBICU_LIBS = @LIBICU_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBSODIUM_CFLAGS = @LIBSODIUM_CFLAGS@
+LIBSODIUM_LIBS = @LIBSODIUM_LIBS@
+LIBTIRPC_CFLAGS = @LIBTIRPC_CFLAGS@
+LIBTIRPC_LIBS = @LIBTIRPC_LIBS@
+LIBTOOL = @LIBTOOL@
+LIBUNWIND_CFLAGS = @LIBUNWIND_CFLAGS@
+LIBUNWIND_LIBS = @LIBUNWIND_LIBS@
+LIBWRAP_LIBS = @LIBWRAP_LIBS@
+LINKED_STORAGE_LDADD = @LINKED_STORAGE_LDADD@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+LUA_CFLAGS = @LUA_CFLAGS@
+LUA_LIBS = @LUA_LIBS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MODULE_LIBS = @MODULE_LIBS@
+MODULE_SUFFIX = @MODULE_SUFFIX@
+MYSQL_CFLAGS = @MYSQL_CFLAGS@
+MYSQL_CONFIG = @MYSQL_CONFIG@
+MYSQL_LIBS = @MYSQL_LIBS@
+NM = @NM@
+NMEDIT = @NMEDIT@
+NOPLUGIN_LDFLAGS = @NOPLUGIN_LDFLAGS@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PANDOC = @PANDOC@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PGSQL_CFLAGS = @PGSQL_CFLAGS@
+PGSQL_LIBS = @PGSQL_LIBS@
+PG_CONFIG = @PG_CONFIG@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+QUOTA_LIBS = @QUOTA_LIBS@
+RANLIB = @RANLIB@
+RELRO_LDFLAGS = @RELRO_LDFLAGS@
+RPCGEN = @RPCGEN@
+RUN_TEST = @RUN_TEST@
+SED = @SED@
+SETTING_FILES = @SETTING_FILES@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SQLITE_CFLAGS = @SQLITE_CFLAGS@
+SQLITE_LIBS = @SQLITE_LIBS@
+SQL_CFLAGS = @SQL_CFLAGS@
+SQL_LIBS = @SQL_LIBS@
+SSL_CFLAGS = @SSL_CFLAGS@
+SSL_LIBS = @SSL_LIBS@
+STRIP = @STRIP@
+SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
+SYSTEMD_LIBS = @SYSTEMD_LIBS@
+VALGRIND = @VALGRIND@
+VERSION = @VERSION@
+ZSTD_CFLAGS = @ZSTD_CFLAGS@
+ZSTD_LIBS = @ZSTD_LIBS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dict_drivers = @dict_drivers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+moduledir = @moduledir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+rundir = @rundir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sql_drivers = @sql_drivers@
+srcdir = @srcdir@
+ssldir = @ssldir@
+statedir = @statedir@
+sysconfdir = @sysconfdir@
+systemdservicetype = @systemdservicetype@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+noinst_LTLIBRARIES = libauth.la
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/lib \
+ -I$(top_srcdir)/src/lib-master \
+ -I$(top_srcdir)/src/lib-test
+
+libauth_la_SOURCES = \
+ auth-client.c \
+ auth-client-request.c \
+ auth-client-connection.c \
+ auth-master.c
+
+headers = \
+ auth-client.h \
+ auth-client-interface.h \
+ auth-client-private.h \
+ auth-master.h
+
+pkginc_libdir = $(pkgincludedir)
+pkginc_lib_HEADERS = $(headers)
+test_programs = \
+ test-auth-master
+
+test_libs = \
+ $(noinst_LTLIBRARIES) \
+ ../lib-test/libtest.la \
+ ../lib/liblib.la \
+ $(MODULE_LIBS)
+
+test_deps = \
+ $(noinst_LTLIBRARIES) \
+ ../lib-test/libtest.la \
+ ../lib/liblib.la
+
+test_auth_master_SOURCES = test-auth-master.c
+test_auth_master_LDADD = $(test_libs)
+test_auth_master_DEPENDENCIES = $(test_deps)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/lib-auth/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --foreign src/lib-auth/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstPROGRAMS:
+ @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+libauth.la: $(libauth_la_OBJECTS) $(libauth_la_DEPENDENCIES) $(EXTRA_libauth_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(libauth_la_OBJECTS) $(libauth_la_LIBADD) $(LIBS)
+
+test-auth-master$(EXEEXT): $(test_auth_master_OBJECTS) $(test_auth_master_DEPENDENCIES) $(EXTRA_test_auth_master_DEPENDENCIES)
+ @rm -f test-auth-master$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(test_auth_master_OBJECTS) $(test_auth_master_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-client-connection.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-client-request.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-client.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-master.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-auth-master.Po@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+ @$(MKDIR_P) $(@D)
+ @echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-pkginc_libHEADERS: $(pkginc_lib_HEADERS)
+ @$(NORMAL_INSTALL)
+ @list='$(pkginc_lib_HEADERS)'; test -n "$(pkginc_libdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(pkginc_libdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(pkginc_libdir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(pkginc_libdir)'"; \
+ $(INSTALL_HEADER) $$files "$(DESTDIR)$(pkginc_libdir)" || exit $$?; \
+ done
+
+uninstall-pkginc_libHEADERS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(pkginc_lib_HEADERS)'; test -n "$(pkginc_libdir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(pkginc_libdir)'; $(am__uninstall_files_from_dir)
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(HEADERS)
+installdirs:
+ for dir in "$(DESTDIR)$(pkginc_libdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-noinstPROGRAMS mostlyclean-am
+
+distclean: distclean-am
+ -rm -f ./$(DEPDIR)/auth-client-connection.Plo
+ -rm -f ./$(DEPDIR)/auth-client-request.Plo
+ -rm -f ./$(DEPDIR)/auth-client.Plo
+ -rm -f ./$(DEPDIR)/auth-master.Plo
+ -rm -f ./$(DEPDIR)/test-auth-master.Po
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pkginc_libHEADERS
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f ./$(DEPDIR)/auth-client-connection.Plo
+ -rm -f ./$(DEPDIR)/auth-client-request.Plo
+ -rm -f ./$(DEPDIR)/auth-client.Plo
+ -rm -f ./$(DEPDIR)/auth-master.Plo
+ -rm -f ./$(DEPDIR)/test-auth-master.Po
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pkginc_libHEADERS
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am \
+ check-local clean clean-generic clean-libtool \
+ clean-noinstLTLIBRARIES clean-noinstPROGRAMS cscopelist-am \
+ ctags ctags-am distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pkginc_libHEADERS install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
+ uninstall-pkginc_libHEADERS
+
+.PRECIOUS: Makefile
+
+
+check-local:
+ for bin in $(test_programs); do \
+ if ! $(RUN_TEST) ./$$bin; then exit 1; fi; \
+ done
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/lib-auth/auth-client-connection.c b/src/lib-auth/auth-client-connection.c
new file mode 100644
index 0000000..3a1e82c
--- /dev/null
+++ b/src/lib-auth/auth-client-connection.c
@@ -0,0 +1,552 @@
+/* Copyright (c) 2003-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "array.h"
+#include "hash.h"
+#include "hostpid.h"
+#include "ioloop.h"
+#include "istream.h"
+#include "ostream.h"
+#include "net.h"
+#include "strescape.h"
+#include "eacces-error.h"
+#include "auth-client-private.h"
+
+#include <unistd.h>
+
+#define AUTH_SERVER_CONN_MAX_LINE_LENGTH AUTH_CLIENT_MAX_LINE_LENGTH
+#define AUTH_SERVER_RECONNECT_TIMEOUT_SECS 5
+
+static void auth_client_connection_connected(struct connection *_conn,
+ bool success);
+static int
+auth_client_connection_input_line(struct connection *_conn,
+ const char *line);
+static int
+auth_client_connection_handshake_line(struct connection *_conn,
+ const char *line);
+static void auth_client_connection_handshake_ready(struct connection *_conn);
+static void auth_client_connection_destroy(struct connection *_conn);
+static void
+auth_client_connection_reconnect(struct auth_client_connection *conn,
+ const char *disconnect_reason);
+
+static const struct connection_vfuncs auth_client_connection_vfuncs = {
+ .destroy = auth_client_connection_destroy,
+ .handshake_line = auth_client_connection_handshake_line,
+ .handshake_ready = auth_client_connection_handshake_ready,
+ .input_line = auth_client_connection_input_line,
+ .client_connected = auth_client_connection_connected,
+};
+
+static const struct connection_settings auth_client_connection_set = {
+ .dont_send_version = TRUE,
+ .service_name_in = "auth-client",
+ .service_name_out = "auth-client",
+ .major_version = AUTH_CLIENT_PROTOCOL_MAJOR_VERSION,
+ .minor_version = AUTH_CLIENT_PROTOCOL_MINOR_VERSION,
+ .unix_client_connect_msecs = 1000,
+ .input_max_size = AUTH_SERVER_CONN_MAX_LINE_LENGTH,
+ .output_max_size = SIZE_MAX,
+ .client = TRUE,
+};
+
+struct connection_list *
+auth_client_connection_list_init(void)
+{
+ return connection_list_init(&auth_client_connection_set,
+ &auth_client_connection_vfuncs);
+}
+
+static int
+auth_server_input_mech(struct auth_client_connection *conn,
+ const char *const *args)
+{
+ struct auth_mech_desc mech_desc;
+
+ if (args[0] == NULL) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server sent broken MECH line");
+ return -1;
+ }
+
+ i_zero(&mech_desc);
+ mech_desc.name = p_strdup(conn->pool, args[0]);
+
+ if (strcmp(mech_desc.name, "PLAIN") == 0)
+ conn->has_plain_mech = TRUE;
+
+ for (args++; *args != NULL; args++) {
+ if (strcmp(*args, "private") == 0)
+ mech_desc.flags |= MECH_SEC_PRIVATE;
+ else if (strcmp(*args, "anonymous") == 0)
+ mech_desc.flags |= MECH_SEC_ANONYMOUS;
+ else if (strcmp(*args, "plaintext") == 0)
+ mech_desc.flags |= MECH_SEC_PLAINTEXT;
+ else if (strcmp(*args, "dictionary") == 0)
+ mech_desc.flags |= MECH_SEC_DICTIONARY;
+ else if (strcmp(*args, "active") == 0)
+ mech_desc.flags |= MECH_SEC_ACTIVE;
+ else if (strcmp(*args, "forward-secrecy") == 0)
+ mech_desc.flags |= MECH_SEC_FORWARD_SECRECY;
+ else if (strcmp(*args, "mutual-auth") == 0)
+ mech_desc.flags |= MECH_SEC_MUTUAL_AUTH;
+ }
+ array_push_back(&conn->available_auth_mechs, &mech_desc);
+ return 0;
+}
+
+static int
+auth_server_input_spid(struct auth_client_connection *conn,
+ const char *const *args)
+{
+ if (str_to_uint(args[0], &conn->server_pid) < 0) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server sent invalid PID");
+ return -1;
+ }
+ return 0;
+}
+
+static int
+auth_server_input_cuid(struct auth_client_connection *conn,
+ const char *const *args)
+{
+ if (args[0] == NULL ||
+ str_to_uint(args[0], &conn->connect_uid) < 0) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server sent broken CUID line");
+ return -1;
+ }
+ return 0;
+}
+
+static int
+auth_server_input_cookie(struct auth_client_connection *conn,
+ const char *const *args)
+{
+ if (conn->cookie != NULL) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server already sent cookie");
+ return -1;
+ }
+ conn->cookie = p_strdup(conn->pool, args[0]);
+ return 0;
+}
+
+static int auth_server_input_done(struct auth_client_connection *conn)
+{
+ if (array_count(&conn->available_auth_mechs) == 0) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server returned no mechanisms");
+ return -1;
+ }
+ if (conn->cookie == NULL) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server didn't send a cookie");
+ return -1;
+ }
+ return 1;
+}
+
+static int
+auth_client_connection_handshake_line(struct connection *_conn,
+ const char *line)
+{
+ struct auth_client_connection *conn =
+ container_of(_conn, struct auth_client_connection, conn);
+ unsigned int major_version, minor_version;
+ const char *const *args;
+
+ args = t_strsplit_tabescaped(line);
+ if (strcmp(args[0], "VERSION") == 0 &&
+ args[1] != NULL && args[2] != NULL) {
+ if (str_to_uint(args[1], &major_version) < 0 ||
+ str_to_uint(args[2], &minor_version) < 0) {
+ e_error(conn->conn.event,
+ "Auth server sent invalid version line: %s",
+ line);
+ return -1;
+ }
+
+ if (connection_verify_version(_conn, "auth-client",
+ major_version,
+ minor_version) < 0) {
+ return -1;
+ }
+
+ return 0;
+ } else if (strcmp(args[0], "MECH") == 0) {
+ return auth_server_input_mech(conn, args + 1);
+ } else if (strcmp(args[0], "SPID") == 0) {
+ return auth_server_input_spid(conn, args + 1);
+ } else if (strcmp(args[0], "CUID") == 0) {
+ return auth_server_input_cuid(conn, args + 1);
+ } else if (strcmp(args[0], "COOKIE") == 0) {
+ return auth_server_input_cookie(conn, args + 1);
+ } else if (strcmp(args[0], "DONE") == 0) {
+ return auth_server_input_done(conn);
+ }
+
+ e_error(conn->conn.event, "Auth server sent unknown handshake: %s", line);
+ return -1;
+}
+
+static void auth_client_connection_handshake_ready(struct connection *_conn)
+{
+ struct auth_client_connection *conn =
+ container_of(_conn, struct auth_client_connection, conn);
+
+ timeout_remove(&conn->to);
+ if (conn->client->connect_notify_callback != NULL) {
+ conn->client->connect_notify_callback(conn->client, TRUE,
+ conn->client->connect_notify_context);
+ }
+}
+
+static int
+auth_server_lookup_request(struct auth_client_connection *conn,
+ const char *id_arg, bool remove,
+ struct auth_client_request **request_r)
+{
+ struct auth_client_request *request;
+ unsigned int id;
+
+ if (id_arg == NULL || str_to_uint(id_arg, &id) < 0) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server input missing ID");
+ return -1;
+ }
+
+ request = hash_table_lookup(conn->requests, POINTER_CAST(id));
+ if (request == NULL) {
+ e_error(conn->conn.event,
+ "Authentication server sent unknown id %u", id);
+ return 0;
+ }
+ if (remove || auth_client_request_is_aborted(request))
+ hash_table_remove(conn->requests, POINTER_CAST(id));
+
+ *request_r = request;
+ return 1;
+}
+
+static int
+auth_server_input_ok(struct auth_client_connection *conn,
+ const char *const *args)
+{
+ struct auth_client_request *request;
+ int ret;
+
+ if ((ret = auth_server_lookup_request(conn, args[0], TRUE, &request)) <= 0)
+ return ret;
+ auth_client_request_server_input(request, AUTH_REQUEST_STATUS_OK,
+ args + 1);
+ return 0;
+}
+
+static int auth_server_input_cont(struct auth_client_connection *conn,
+ const char *const *args)
+{
+ struct auth_client_request *request;
+ int ret;
+
+ if (str_array_length(args) < 2) {
+ e_error(conn->conn.event,
+ "BUG: Authentication server sent broken CONT line");
+ return -1;
+ }
+
+ if ((ret = auth_server_lookup_request(conn, args[0], FALSE, &request)) <= 0)
+ return ret;
+ auth_client_request_server_input(request, AUTH_REQUEST_STATUS_CONTINUE,
+ args + 1);
+ return 0;
+}
+
+static int auth_server_input_fail(struct auth_client_connection *conn,
+ const char *const *args)
+{
+ struct auth_client_request *request;
+ int ret;
+
+ if ((ret = auth_server_lookup_request(conn, args[0], TRUE, &request)) <= 0)
+ return ret;
+ auth_client_request_server_input(request, AUTH_REQUEST_STATUS_FAIL,
+ args + 1);
+ return 0;
+}
+
+static int
+auth_client_connection_handle_line(struct auth_client_connection *conn,
+ const char *line)
+{
+ const char *const *args;
+
+ e_debug(conn->conn.event, "auth input: %s", line);
+
+ args = t_strsplit_tabescaped(line);
+ if (args[0] == NULL) {
+ e_error(conn->conn.event, "Auth server sent empty line");
+ return -1;
+ }
+ if (strcmp(args[0], "OK") == 0)
+ return auth_server_input_ok(conn, args + 1);
+ else if (strcmp(args[0], "CONT") == 0)
+ return auth_server_input_cont(conn, args + 1);
+ else if (strcmp(args[0], "FAIL") == 0)
+ return auth_server_input_fail(conn, args + 1);
+ else {
+ e_error(conn->conn.event,
+ "Auth server sent unknown response: %s", args[0]);
+ return -1;
+ }
+}
+
+static int
+auth_client_connection_input_line(struct connection *_conn,
+ const char *line)
+{
+ struct auth_client_connection *conn =
+ container_of(_conn, struct auth_client_connection, conn);
+ int ret;
+
+ ret = auth_client_connection_handle_line(conn, line);
+ if (ret < 0) {
+ auth_client_connection_disconnect(conn, t_strdup_printf(
+ "Received broken input: %s", line));
+ return -1;
+ }
+ return 1;
+}
+
+struct auth_client_connection *
+auth_client_connection_init(struct auth_client *client)
+{
+ struct auth_client_connection *conn;
+ pool_t pool;
+
+ pool = pool_alloconly_create("auth server connection", 1024);
+ conn = p_new(pool, struct auth_client_connection, 1);
+ conn->pool = pool;
+
+ conn->client = client;
+
+ conn->conn.event_parent = client->event;
+ connection_init_client_unix(client->clist, &conn->conn,
+ client->auth_socket_path);
+
+ hash_table_create_direct(&conn->requests, pool, 100);
+ i_array_init(&conn->available_auth_mechs, 8);
+ return conn;
+}
+
+static void
+auth_client_connection_remove_requests(struct auth_client_connection *conn,
+ const char *disconnect_reason)
+{
+ static const char *const temp_failure_args[] = { "temp", NULL };
+ struct hash_iterate_context *iter;
+ void *key;
+ struct auth_client_request *request;
+ time_t created, oldest = 0;
+ unsigned int request_count = 0;
+
+ if (hash_table_count(conn->requests) == 0)
+ return;
+
+ iter = hash_table_iterate_init(conn->requests);
+ while (hash_table_iterate(iter, conn->requests, &key, &request)) {
+ if (!auth_client_request_is_aborted(request)) {
+ request_count++;
+ created = auth_client_request_get_create_time(request);
+ if (oldest > created || oldest == 0)
+ oldest = created;
+ }
+
+ auth_client_request_server_input(request,
+ AUTH_REQUEST_STATUS_INTERNAL_FAIL,
+ temp_failure_args);
+ }
+ hash_table_iterate_deinit(&iter);
+ hash_table_clear(conn->requests, FALSE);
+
+ if (request_count > 0) {
+ e_warning(conn->conn.event,
+ "Auth connection closed with %u pending requests "
+ "(max %u secs, pid=%s, %s)", request_count,
+ (unsigned int)(ioloop_time - oldest),
+ my_pid, disconnect_reason);
+ }
+}
+
+void auth_client_connection_disconnect(struct auth_client_connection *conn,
+ const char *reason) ATTR_NULL(2)
+{
+ if (reason == NULL)
+ reason = "Disconnected from auth server, aborting";
+
+ if (conn->connected)
+ connection_disconnect(&conn->conn);
+ conn->connected = FALSE;
+
+ conn->has_plain_mech = FALSE;
+ conn->server_pid = 0;
+ conn->connect_uid = 0;
+ conn->cookie = NULL;
+ array_clear(&conn->available_auth_mechs);
+
+ timeout_remove(&conn->to);
+
+ auth_client_connection_remove_requests(conn, reason);
+
+ if (conn->client->connect_notify_callback != NULL) {
+ conn->client->connect_notify_callback(conn->client, FALSE,
+ conn->client->connect_notify_context);
+ }
+}
+
+static void auth_client_connection_destroy(struct connection *_conn)
+{
+ struct auth_client_connection *conn =
+ container_of(_conn, struct auth_client_connection, conn);
+
+ switch (_conn->disconnect_reason) {
+ case CONNECTION_DISCONNECT_HANDSHAKE_FAILED:
+ auth_client_connection_disconnect(
+ conn, "Handshake with auth service failed");
+ break;
+ case CONNECTION_DISCONNECT_BUFFER_FULL:
+ /* buffer full - can't happen unless auth is buggy */
+ e_error(conn->conn.event,
+ "BUG: Auth server sent us more than %d bytes of data",
+ AUTH_SERVER_CONN_MAX_LINE_LENGTH);
+ auth_client_connection_disconnect(conn, "Buffer full");
+ break;
+ default:
+ /* disconnected */
+ auth_client_connection_reconnect(
+ conn, (conn->conn.input->stream_errno != 0 ?
+ strerror(conn->conn.input->stream_errno) :
+ "EOF"));
+ }
+}
+
+static void auth_server_reconnect_timeout(struct auth_client_connection *conn)
+{
+ (void)auth_client_connection_connect(conn);
+}
+
+static void
+auth_client_connection_reconnect(struct auth_client_connection *conn,
+ const char *disconnect_reason)
+{
+ time_t next_connect;
+
+ auth_client_connection_disconnect(conn, disconnect_reason);
+
+ next_connect = conn->last_connect + AUTH_SERVER_RECONNECT_TIMEOUT_SECS;
+ conn->to = timeout_add(ioloop_time >= next_connect ? 0 :
+ (next_connect - ioloop_time) * 1000,
+ auth_server_reconnect_timeout, conn);
+}
+
+void auth_client_connection_deinit(struct auth_client_connection **_conn)
+{
+ struct auth_client_connection *conn = *_conn;
+
+ *_conn = NULL;
+
+ auth_client_connection_disconnect(conn, "deinitializing");
+ i_assert(hash_table_count(conn->requests) == 0);
+ hash_table_destroy(&conn->requests);
+ timeout_remove(&conn->to);
+ array_free(&conn->available_auth_mechs);
+ connection_deinit(&conn->conn);
+ pool_unref(&conn->pool);
+}
+
+static void auth_client_handshake_timeout(struct auth_client_connection *conn)
+{
+ e_error(conn->conn.event, "Timeout waiting for handshake from auth server. "
+ "my pid=%u, input bytes=%"PRIuUOFF_T,
+ conn->client->client_pid, conn->conn.input->v_offset);
+ auth_client_connection_reconnect(conn, "auth server timeout");
+}
+
+static void
+auth_client_connection_connected(struct connection *_conn, bool success)
+{
+ struct auth_client_connection *conn =
+ container_of(_conn, struct auth_client_connection, conn);
+
+ /* Cannot get here unless connect() was successful */
+ i_assert(success);
+
+ conn->connected = TRUE;
+}
+
+int auth_client_connection_connect(struct auth_client_connection *conn)
+{
+ const char *handshake;
+
+ i_assert(!conn->connected);
+
+ conn->last_connect = ioloop_time;
+ timeout_remove(&conn->to);
+
+ /* max. 1 second wait here. */
+ if (connection_client_connect(&conn->conn) < 0) {
+ if (errno == EACCES) {
+ e_error(conn->conn.event, "%s",
+ eacces_error_get("connect",
+ conn->client->auth_socket_path));
+ } else {
+ e_error(conn->conn.event, "connect(%s) failed: %m",
+ conn->client->auth_socket_path);
+ };
+ return -1;
+ }
+
+ handshake = t_strdup_printf("VERSION\t%u\t%u\nCPID\t%u\n",
+ AUTH_CLIENT_PROTOCOL_MAJOR_VERSION,
+ AUTH_CLIENT_PROTOCOL_MINOR_VERSION,
+ conn->client->client_pid);
+ if (o_stream_send_str(conn->conn.output, handshake) < 0) {
+ e_warning(conn->conn.event,
+ "Error sending handshake to auth server: %s",
+ o_stream_get_error(conn->conn.output));
+ auth_client_connection_disconnect(conn,
+ o_stream_get_error(conn->conn.output));
+ return -1;
+ }
+
+ conn->to = timeout_add(conn->client->connect_timeout_msecs,
+ auth_client_handshake_timeout, conn);
+ return 0;
+}
+
+unsigned int
+auth_client_connection_add_request(struct auth_client_connection *conn,
+ struct auth_client_request *request)
+{
+ unsigned int id;
+
+ i_assert(conn->conn.handshake_received);
+
+ id = ++conn->client->request_id_counter;
+ if (id == 0) {
+ /* wrapped - ID 0 not allowed */
+ id = ++conn->client->request_id_counter;
+ }
+ i_assert(hash_table_lookup(conn->requests, POINTER_CAST(id)) == NULL);
+ hash_table_insert(conn->requests, POINTER_CAST(id), request);
+ return id;
+}
+
+void auth_client_connection_remove_request(struct auth_client_connection *conn,
+ unsigned int id)
+{
+ i_assert(conn->conn.handshake_received);
+ hash_table_remove(conn->requests, POINTER_CAST(id));
+}
diff --git a/src/lib-auth/auth-client-interface.h b/src/lib-auth/auth-client-interface.h
new file mode 100644
index 0000000..2367a00
--- /dev/null
+++ b/src/lib-auth/auth-client-interface.h
@@ -0,0 +1,43 @@
+#ifndef AUTH_CLIENT_INTERFACE_H
+#define AUTH_CLIENT_INTERFACE_H
+
+/* Major version changes are not backwards compatible,
+ minor version numbers can be ignored. */
+#define AUTH_CLIENT_PROTOCOL_MAJOR_VERSION 1
+#define AUTH_CLIENT_PROTOCOL_MINOR_VERSION 2
+
+/* GSSAPI can use quite large packets */
+#define AUTH_CLIENT_MAX_LINE_LENGTH 16384
+
+enum mech_security_flags {
+ /* Don't advertise this as available SASL mechanism (eg. APOP) */
+ MECH_SEC_PRIVATE = 0x0001,
+ /* Anonymous authentication */
+ MECH_SEC_ANONYMOUS = 0x0002,
+ /* Transfers plaintext passwords */
+ MECH_SEC_PLAINTEXT = 0x0004,
+ /* Subject to passive (dictionary) attack */
+ MECH_SEC_DICTIONARY = 0x0008,
+ /* Subject to active (non-dictionary) attack */
+ MECH_SEC_ACTIVE = 0x0010,
+ /* Provides forward secrecy between sessions */
+ MECH_SEC_FORWARD_SECRECY = 0x0020,
+ /* Provides mutual authentication */
+ MECH_SEC_MUTUAL_AUTH = 0x0040,
+ /* Allow NULs in input data */
+ MECH_SEC_ALLOW_NULS = 0x0080,
+};
+
+/* auth failure codes */
+#define AUTH_CLIENT_FAIL_CODE_AUTHZFAILED "authz_fail"
+#define AUTH_CLIENT_FAIL_CODE_TEMPFAIL "temp_fail"
+#define AUTH_CLIENT_FAIL_CODE_USER_DISABLED "user_disabled"
+#define AUTH_CLIENT_FAIL_CODE_PASS_EXPIRED "pass_expired"
+#define AUTH_CLIENT_FAIL_CODE_INVALID_BASE64 "invalid_base64"
+
+/* not actually returned from auth service */
+#define AUTH_CLIENT_FAIL_CODE_MECH_INVALID "auth_mech_invalid"
+#define AUTH_CLIENT_FAIL_CODE_MECH_SSL_REQUIRED "auth_mech_ssl_required"
+#define AUTH_CLIENT_FAIL_CODE_ANONYMOUS_DENIED "anonymous_denied"
+
+#endif
diff --git a/src/lib-auth/auth-client-private.h b/src/lib-auth/auth-client-private.h
new file mode 100644
index 0000000..36b2463
--- /dev/null
+++ b/src/lib-auth/auth-client-private.h
@@ -0,0 +1,88 @@
+#ifndef AUTH_CLIENT_PRIVATE_H
+#define AUTH_CLIENT_PRIVATE_H
+
+#include "connection.h"
+
+#include "auth-client.h"
+
+#define AUTH_CONNECT_TIMEOUT_MSECS (30*1000)
+
+struct auth_client_request {
+ pool_t pool;
+ struct event *event;
+
+ struct auth_client_connection *conn;
+ unsigned int id;
+ time_t created;
+
+ auth_request_callback_t *callback;
+ void *context;
+};
+
+struct auth_client_connection {
+ struct connection conn;
+ pool_t pool;
+
+ struct auth_client *client;
+ time_t last_connect;
+
+ struct timeout *to;
+
+ unsigned int server_pid;
+ unsigned int connect_uid;
+ char *cookie;
+
+ ARRAY(struct auth_mech_desc) available_auth_mechs;
+
+ /* id => request */
+ HASH_TABLE(void *, struct auth_client_request *) requests;
+
+ bool has_plain_mech:1;
+ bool connected:1;
+};
+
+struct auth_client {
+ char *auth_socket_path;
+ unsigned int client_pid;
+ struct event *event;
+
+ struct connection_list *clist;
+ struct auth_client_connection *conn;
+
+ auth_connect_notify_callback_t *connect_notify_callback;
+ void *connect_notify_context;
+
+ unsigned int request_id_counter;
+
+ unsigned int connect_timeout_msecs;
+
+ bool debug:1;
+};
+
+extern struct event_category event_category_auth_client;
+
+bool auth_client_request_is_aborted(struct auth_client_request *request);
+time_t auth_client_request_get_create_time(struct auth_client_request *request);
+
+void auth_client_request_server_input(struct auth_client_request *request,
+ enum auth_request_status status,
+ const char *const *args);
+
+struct connection_list *auth_client_connection_list_init(void);
+
+struct auth_client_connection *
+auth_client_connection_init(struct auth_client *client);
+void auth_client_connection_deinit(struct auth_client_connection **conn);
+
+int auth_client_connection_connect(struct auth_client_connection *conn);
+void auth_client_connection_disconnect(struct auth_client_connection *conn,
+ const char *reason);
+
+/* Queues a new request. Must not be called if connection is not connected. */
+unsigned int
+auth_client_connection_add_request(struct auth_client_connection *conn,
+ struct auth_client_request *request);
+void auth_client_connection_remove_request(struct auth_client_connection *conn,
+ unsigned int id);
+
+#endif
diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
new file mode 100644
index 0000000..629b77b
--- /dev/null
+++ b/src/lib-auth/auth-client-request.c
@@ -0,0 +1,359 @@
+/* Copyright (c) 2003-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "array.h"
+#include "str.h"
+#include "strescape.h"
+#include "ostream.h"
+#include "auth-client-private.h"
+
+static void auth_server_send_new_request(struct auth_client_connection *conn,
+ struct auth_client_request *request,
+ const struct auth_request_info *info)
+{
+ string_t *str;
+
+ str = t_str_new(512);
+ str_printfa(str, "AUTH\t%u\t", request->id);
+ str_append_tabescaped(str, info->mech);
+ str_append(str, "\tservice=");
+ str_append_tabescaped(str, info->service);
+
+ event_add_str(request->event, "mechanism", info->mech);
+ event_add_str(request->event, "service", info->service);
+
+ if ((info->flags & AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP) != 0)
+ str_append(str, "\tfinal-resp-ok");
+ if ((info->flags & AUTH_REQUEST_FLAG_SECURED) != 0) {
+ str_append(str, "\tsecured");
+ if ((info->flags & AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS) != 0) {
+ str_append(str, "=tls");
+ event_add_str(request->event, "transport", "TLS");
+ } else {
+ event_add_str(request->event, "transport", "trusted");
+ }
+ } else {
+ i_assert((info->flags & AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS) == 0);
+ event_add_str(request->event, "transport", "insecure");
+ }
+ if ((info->flags & AUTH_REQUEST_FLAG_NO_PENALTY) != 0)
+ str_append(str, "\tno-penalty");
+ if ((info->flags & AUTH_REQUEST_FLAG_VALID_CLIENT_CERT) != 0)
+ str_append(str, "\tvalid-client-cert");
+ if ((info->flags & AUTH_REQUEST_FLAG_DEBUG) != 0)
+ str_append(str, "\tdebug");
+
+ if (info->session_id != NULL) {
+ str_append(str, "\tsession=");
+ str_append_tabescaped(str, info->session_id);
+ event_add_str(request->event, "session", info->session_id);
+ }
+ if (info->cert_username != NULL) {
+ str_append(str, "\tcert_username=");
+ str_append_tabescaped(str, info->cert_username);
+ event_add_str(request->event, "certificate_user",
+ info->cert_username);
+ }
+ if (info->local_ip.family != 0) {
+ str_printfa(str, "\tlip=%s", net_ip2addr(&info->local_ip));
+ event_add_str(request->event, "local_ip", net_ip2addr(&info->local_ip));
+ }
+ if (info->remote_ip.family != 0) {
+ str_printfa(str, "\trip=%s", net_ip2addr(&info->remote_ip));
+ event_add_str(request->event, "remote_ip", net_ip2addr(&info->remote_ip));
+ }
+ if (info->local_port != 0) {
+ str_printfa(str, "\tlport=%u", info->local_port);
+ event_add_int(request->event, "local_port", info->local_port);
+ }
+ if (info->remote_port != 0) {
+ str_printfa(str, "\trport=%u", info->remote_port);
+ event_add_int(request->event, "remote_port", info->remote_port);
+ }
+ if (info->real_local_ip.family != 0) {
+ event_add_str(request->event, "real_local_ip",
+ net_ip2addr(&info->real_local_ip));
+ }
+ if (info->real_remote_ip.family != 0) {
+ event_add_str(request->event, "real_remote_ip",
+ net_ip2addr(&info->real_remote_ip));
+ }
+ if (info->real_local_port != 0) {
+ event_add_int(request->event, "real_local_port",
+ info->real_local_port);
+ }
+ if (info->real_remote_port != 0) {
+ event_add_int(request->event, "real_remote_port",
+ info->real_remote_port);
+ }
+ /* send the real_* variants only when they differ from the unreal
+ ones */
+ if (info->real_local_ip.family != 0 &&
+ !net_ip_compare(&info->real_local_ip, &info->local_ip)) {
+ str_printfa(str, "\treal_lip=%s",
+ net_ip2addr(&info->real_local_ip));
+ }
+ if (info->real_remote_ip.family != 0 &&
+ !net_ip_compare(&info->real_remote_ip, &info->remote_ip)) {
+ str_printfa(str, "\treal_rip=%s",
+ net_ip2addr(&info->real_remote_ip));
+ }
+ if (info->real_local_port != 0 &&
+ info->real_local_port != info->local_port)
+ str_printfa(str, "\treal_lport=%u", info->real_local_port);
+ if (info->real_remote_port != 0 &&
+ info->real_remote_port != info->remote_port)
+ str_printfa(str, "\treal_rport=%u", info->real_remote_port);
+ if (info->local_name != NULL &&
+ *info->local_name != '\0') {
+ str_append(str, "\tlocal_name=");
+ str_append_tabescaped(str, info->local_name);
+ event_add_str(request->event, "local_name", info->local_name);
+ }
+ if (info->ssl_cipher_bits != 0 && info->ssl_cipher != NULL) {
+ event_add_str(request->event, "tls_cipher", info->ssl_cipher);
+ event_add_int(request->event, "tls_cipher_bits", info->ssl_cipher_bits);
+ if (info->ssl_pfs != NULL) {
+ event_add_str(request->event, "tls_pfs", info->ssl_pfs);
+ }
+ }
+ if (info->ssl_protocol != NULL) {
+ event_add_str(request->event, "tls_protocol", info->ssl_protocol);
+ }
+ if (info->client_id != NULL &&
+ *info->client_id != '\0') {
+ str_append(str, "\tclient_id=");
+ str_append_tabescaped(str, info->client_id);
+ event_add_str(request->event, "client_id", info->client_id);
+ }
+ if (info->forward_fields != NULL &&
+ *info->forward_fields != '\0') {
+ str_append(str, "\tforward_fields=");
+ str_append_tabescaped(str, info->forward_fields);
+ }
+ if (array_is_created(&info->extra_fields)) {
+ const char *const *fieldp;
+ array_foreach(&info->extra_fields, fieldp) {
+ str_append_c(str, '\t');
+ str_append_tabescaped(str, *fieldp);
+ }
+ }
+ if (info->initial_resp_base64 != NULL) {
+ str_append(str, "\tresp=");
+ str_append_tabescaped(str, info->initial_resp_base64);
+ }
+ str_append_c(str, '\n');
+
+ struct event_passthrough *e =
+ event_create_passthrough(request->event)->
+ set_name("auth_client_request_started");
+ e_debug(e->event(), "Started request");
+
+ if (o_stream_send(conn->conn.output, str_data(str), str_len(str)) < 0) {
+ e_error(request->event,
+ "Error sending request to auth server: %m");
+ }
+}
+
+struct auth_client_request *
+auth_client_request_new(struct auth_client *client,
+ const struct auth_request_info *request_info,
+ auth_request_callback_t *callback, void *context)
+{
+ struct auth_client_request *request;
+ pool_t pool;
+
+ pool = pool_alloconly_create("auth client request", 512);
+ request = p_new(pool, struct auth_client_request, 1);
+ request->pool = pool;
+ request->conn = client->conn;
+
+ request->callback = callback;
+ request->context = context;
+
+ request->id =
+ auth_client_connection_add_request(request->conn, request);
+ request->created = ioloop_time;
+
+ request->event = event_create(client->event);
+ event_add_int(request->event, "id", request->id);
+ event_set_append_log_prefix(request->event,
+ t_strdup_printf("request [%u]: ",
+ request->id));
+
+ T_BEGIN {
+ auth_server_send_new_request(request->conn, request, request_info);
+ } T_END;
+ return request;
+}
+
+void auth_client_request_continue(struct auth_client_request *request,
+ const char *data_base64)
+{
+ struct const_iovec iov[3];
+ const char *prefix;
+
+ prefix = t_strdup_printf("CONT\t%u\t", request->id);
+
+ iov[0].iov_base = prefix;
+ iov[0].iov_len = strlen(prefix);
+ iov[1].iov_base = data_base64;
+ iov[1].iov_len = strlen(data_base64);
+ iov[2].iov_base = "\n";
+ iov[2].iov_len = 1;
+
+ struct event_passthrough *e =
+ event_create_passthrough(request->event)->
+ set_name("auth_client_request_continued");
+ e_debug(e->event(), "Continue request");
+
+ if (o_stream_sendv(request->conn->conn.output, iov, 3) < 0) {
+ e_error(request->event,
+ "Error sending continue request to auth server: %m");
+ }
+}
+
+static void ATTR_NULL(3, 4)
+call_callback(struct auth_client_request *request,
+ enum auth_request_status status,
+ const char *data_base64,
+ const char *const *args)
+{
+ auth_request_callback_t *callback = request->callback;
+
+ if (status != AUTH_REQUEST_STATUS_CONTINUE)
+ request->callback = NULL;
+ callback(request, status, data_base64, args, request->context);
+}
+
+static void auth_client_request_free(struct auth_client_request **_request)
+{
+ struct auth_client_request *request = *_request;
+
+ *_request = NULL;
+
+ event_unref(&request->event);
+ pool_unref(&request->pool);
+}
+
+void auth_client_request_abort(struct auth_client_request **_request,
+ const char *reason)
+{
+ struct auth_client_request *request = *_request;
+
+ *_request = NULL;
+
+ struct event_passthrough *e =
+ event_create_passthrough(request->event)->
+ set_name("auth_client_request_finished");
+ e->add_str("error", reason);
+ e_debug(e->event(), "Aborted: %s", reason);
+
+ auth_client_send_cancel(request->conn->client, request->id);
+ call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
+ /* remove the request */
+ auth_client_connection_remove_request(request->conn, request->id);
+ auth_client_request_free(&request);
+}
+
+unsigned int auth_client_request_get_id(struct auth_client_request *request)
+{
+ return request->id;
+}
+
+unsigned int
+auth_client_request_get_server_pid(struct auth_client_request *request)
+{
+ return request->conn->server_pid;
+}
+
+const char *auth_client_request_get_cookie(struct auth_client_request *request)
+{
+ return request->conn->cookie;
+}
+
+bool auth_client_request_is_aborted(struct auth_client_request *request)
+{
+ return request->callback == NULL;
+}
+
+time_t auth_client_request_get_create_time(struct auth_client_request *request)
+{
+ return request->created;
+}
+
+static void args_parse_user(struct auth_client_request *request, const char *arg)
+{
+ if (str_begins(arg, "user="))
+ event_add_str(request->event, "user", arg + 5);
+ else if (str_begins(arg, "original_user="))
+ event_add_str(request->event, "original_user", arg + 14);
+ else if (str_begins(arg, "auth_user="))
+ event_add_str(request->event, "auth_user", arg + 10);
+}
+
+void auth_client_request_server_input(struct auth_client_request *request,
+ enum auth_request_status status,
+ const char *const *args)
+{
+ const char *const *tmp, *base64_data = NULL;
+ struct event_passthrough *e;
+
+ if (request->callback == NULL) {
+ /* aborted already */
+ return;
+ }
+
+ switch (status) {
+ case AUTH_REQUEST_STATUS_CONTINUE:
+ e = event_create_passthrough(request->event)->
+ set_name("auth_client_request_challenged");
+ break;
+ default:
+ e = event_create_passthrough(request->event)->
+ set_name("auth_client_request_finished");
+ break;
+ }
+
+ for (tmp = args; *tmp != NULL; tmp++) {
+ if (str_begins(*tmp, "resp=")) {
+ base64_data = *tmp + 5;
+ }
+ args_parse_user(request, *tmp);
+ }
+
+ switch (status) {
+ case AUTH_REQUEST_STATUS_OK:
+ e_debug(e->event(), "Finished");
+ break;
+ case AUTH_REQUEST_STATUS_CONTINUE:
+ base64_data = args[0];
+ args = NULL;
+ e_debug(e->event(), "Got challenge");
+ break;
+ case AUTH_REQUEST_STATUS_FAIL:
+ e->add_str("error", "Authentication failed");
+ e_debug(e->event(), "Finished");
+ break;
+ case AUTH_REQUEST_STATUS_INTERNAL_FAIL:
+ e->add_str("error", "Internal failure");
+ e_debug(e->event(), "Finished");
+ break;
+ case AUTH_REQUEST_STATUS_ABORT:
+ i_unreached();
+ }
+
+ call_callback(request, status, base64_data, args);
+ if (status != AUTH_REQUEST_STATUS_CONTINUE)
+ auth_client_request_free(&request);
+}
+
+void auth_client_send_cancel(struct auth_client *client, unsigned int id)
+{
+ const char *str = t_strdup_printf("CANCEL\t%u\n", id);
+
+ if (o_stream_send_str(client->conn->conn.output, str) < 0) {
+ e_error(client->conn->conn.event,
+ "Error sending request to auth server: %m");
+ }
+}
diff --git a/src/lib-auth/auth-client.c b/src/lib-auth/auth-client.c
new file mode 100644
index 0000000..9523282
--- /dev/null
+++ b/src/lib-auth/auth-client.c
@@ -0,0 +1,112 @@
+/* Copyright (c) 2005-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "array.h"
+#include "auth-client-private.h"
+
+struct event_category event_category_auth_client = {
+ .name = "auth-client"
+};
+
+struct auth_client *
+auth_client_init(const char *auth_socket_path, unsigned int client_pid,
+ bool debug)
+{
+ struct auth_client *client;
+
+ client = i_new(struct auth_client, 1);
+ client->client_pid = client_pid;
+ client->auth_socket_path = i_strdup(auth_socket_path);
+ client->debug = debug;
+ client->connect_timeout_msecs = AUTH_CONNECT_TIMEOUT_MSECS;
+ client->clist = auth_client_connection_list_init();
+
+ client->event = event_create(NULL);
+ event_add_category(client->event, &event_category_auth_client);
+ event_set_append_log_prefix(client->event, "auth-client: ");
+ event_set_forced_debug(client->event, client->debug);
+
+ client->conn = auth_client_connection_init(client);
+ return client;
+}
+
+void auth_client_deinit(struct auth_client **_client)
+{
+ struct auth_client *client = *_client;
+
+ *_client = NULL;
+
+ auth_client_connection_deinit(&client->conn);
+ connection_list_deinit(&client->clist);
+ event_unref(&client->event);
+ i_free(client->auth_socket_path);
+ i_free(client);
+}
+
+void auth_client_connect(struct auth_client *client)
+{
+ if (!client->conn->connected)
+ (void)auth_client_connection_connect(client->conn);
+}
+
+void auth_client_disconnect(struct auth_client *client, const char *reason)
+{
+ auth_client_connection_disconnect(client->conn, reason);
+}
+
+bool auth_client_is_connected(struct auth_client *client)
+{
+ /* handshake_received isn't unset immediately after disconnection */
+ return client->conn->conn.handshake_received &&
+ client->conn->connected;
+}
+
+bool auth_client_is_disconnected(struct auth_client *client)
+{
+ return !client->conn->connected;
+}
+
+void auth_client_set_connect_timeout(struct auth_client *client,
+ unsigned int msecs)
+{
+ client->connect_timeout_msecs = msecs;
+}
+
+void auth_client_set_connect_notify(struct auth_client *client,
+ auth_connect_notify_callback_t *callback,
+ void *context)
+{
+ client->connect_notify_callback = callback;
+ client->connect_notify_context = context;
+}
+
+const struct auth_mech_desc *
+auth_client_get_available_mechs(struct auth_client *client,
+ unsigned int *mech_count)
+{
+ i_assert(auth_client_is_connected(client));
+
+ return array_get(&client->conn->available_auth_mechs, mech_count);
+}
+
+const struct auth_mech_desc *
+auth_client_find_mech(struct auth_client *client, const char *name)
+{
+ const struct auth_mech_desc *mech;
+
+ array_foreach(&client->conn->available_auth_mechs, mech) {
+ if (strcasecmp(mech->name, name) == 0)
+ return mech;
+ }
+ return NULL;
+}
+
+void auth_client_get_connect_id(struct auth_client *client,
+ unsigned int *server_pid_r,
+ unsigned int *connect_uid_r)
+{
+ i_assert(auth_client_is_connected(client));
+
+ *server_pid_r = client->conn->server_pid;
+ *connect_uid_r = client->conn->connect_uid;
+}
diff --git a/src/lib-auth/auth-client.h b/src/lib-auth/auth-client.h
new file mode 100644
index 0000000..917f904
--- /dev/null
+++ b/src/lib-auth/auth-client.h
@@ -0,0 +1,124 @@
+#ifndef AUTH_CLIENT_H
+#define AUTH_CLIENT_H
+
+#include "net.h"
+#include "auth-client-interface.h"
+
+struct auth_client;
+struct auth_client_request;
+
+enum auth_request_flags {
+ AUTH_REQUEST_FLAG_SECURED = 0x01,
+ AUTH_REQUEST_FLAG_VALID_CLIENT_CERT = 0x02,
+ /* Skip penalty checks for this request */
+ AUTH_REQUEST_FLAG_NO_PENALTY = 0x04,
+ /* Support final SASL response */
+ AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP = 0x08,
+ /* Enable auth_debug=yes logging for this request */
+ AUTH_REQUEST_FLAG_DEBUG = 0x10,
+ /* If TLS was used */
+ AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS = 0x20,
+};
+
+enum auth_request_status {
+ AUTH_REQUEST_STATUS_ABORT = -3,
+ AUTH_REQUEST_STATUS_INTERNAL_FAIL = -2,
+ AUTH_REQUEST_STATUS_FAIL = -1,
+ AUTH_REQUEST_STATUS_CONTINUE,
+ AUTH_REQUEST_STATUS_OK
+};
+
+struct auth_mech_desc {
+ char *name;
+ enum mech_security_flags flags;
+};
+
+struct auth_connect_id {
+ unsigned int server_pid;
+ unsigned int connect_uid;
+};
+
+struct auth_request_info {
+ const char *mech;
+ const char *service;
+ const char *session_id;
+ const char *cert_username;
+ const char *local_name;
+ const char *client_id;
+ const char *forward_fields;
+ ARRAY_TYPE(const_string) extra_fields;
+
+ unsigned int ssl_cipher_bits;
+ const char *ssl_cipher;
+ const char *ssl_pfs;
+ const char *ssl_protocol;
+
+ enum auth_request_flags flags;
+
+ struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip;
+ in_port_t local_port, remote_port, real_local_port, real_remote_port;
+
+ const char *initial_resp_base64;
+};
+
+typedef void auth_request_callback_t(struct auth_client_request *request,
+ enum auth_request_status status,
+ const char *data_base64,
+ const char *const *args, void *context);
+
+typedef void auth_connect_notify_callback_t(struct auth_client *client,
+ bool connected, void *context);
+
+/* Create new authentication client. */
+struct auth_client *
+auth_client_init(const char *auth_socket_path, unsigned int client_pid,
+ bool debug);
+void auth_client_deinit(struct auth_client **client);
+
+void auth_client_connect(struct auth_client *client);
+void auth_client_disconnect(struct auth_client *client, const char *reason);
+bool auth_client_is_connected(struct auth_client *client);
+bool auth_client_is_disconnected(struct auth_client *client);
+
+void auth_client_set_connect_timeout(struct auth_client *client,
+ unsigned int msecs);
+void auth_client_set_connect_notify(struct auth_client *client,
+ auth_connect_notify_callback_t *callback,
+ void *context) ATTR_NULL(2, 3);
+const struct auth_mech_desc *
+auth_client_get_available_mechs(struct auth_client *client,
+ unsigned int *mech_count);
+const struct auth_mech_desc *
+auth_client_find_mech(struct auth_client *client, const char *name);
+
+/* Return current connection's identifiers. */
+void auth_client_get_connect_id(struct auth_client *client,
+ unsigned int *server_pid_r,
+ unsigned int *connect_uid_r);
+
+/* Create a new authentication request. callback is called whenever something
+ happens for the request. */
+struct auth_client_request *
+auth_client_request_new(struct auth_client *client,
+ const struct auth_request_info *request_info,
+ auth_request_callback_t *callback, void *context)
+ ATTR_NULL(4);
+/* Continue authentication. Call when
+ reply->result == AUTH_CLIENT_REQUEST_CONTINUE */
+void auth_client_request_continue(struct auth_client_request *request,
+ const char *data_base64);
+/* Abort ongoing authentication request. */
+void auth_client_request_abort(struct auth_client_request **request,
+ const char *reason) ATTR_NULL(2);
+/* Return ID of this request. */
+unsigned int auth_client_request_get_id(struct auth_client_request *request);
+/* Return the PID of the server that handled this request. */
+unsigned int
+auth_client_request_get_server_pid(struct auth_client_request *request);
+/* Return cookie of the server that handled this request. */
+const char *auth_client_request_get_cookie(struct auth_client_request *request);
+
+/* Tell auth process to drop specified request from memory */
+void auth_client_send_cancel(struct auth_client *client, unsigned int id);
+
+#endif
diff --git a/src/lib-auth/auth-master.c b/src/lib-auth/auth-master.c
new file mode 100644
index 0000000..57cf8d2
--- /dev/null
+++ b/src/lib-auth/auth-master.c
@@ -0,0 +1,1030 @@
+/* Copyright (c) 2005-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "lib-signals.h"
+#include "array.h"
+#include "ioloop.h"
+#include "eacces-error.h"
+#include "net.h"
+#include "istream.h"
+#include "ostream.h"
+#include "str.h"
+#include "strescape.h"
+#include "connection.h"
+#include "master-interface.h"
+#include "auth-client-private.h"
+#include "auth-master.h"
+
+#include <unistd.h>
+
+#define AUTH_PROTOCOL_MAJOR 1
+#define AUTH_PROTOCOL_MINOR 0
+
+#define AUTH_MASTER_IDLE_SECS 60
+
+#define MAX_INBUF_SIZE 8192
+#define MAX_OUTBUF_SIZE 1024
+
+struct auth_master_connection {
+ struct connection conn;
+ struct connection_list *clist;
+ struct event *event_parent, *event;
+
+ char *auth_socket_path;
+ enum auth_master_flags flags;
+
+ struct ioloop *ioloop, *prev_ioloop;
+ struct timeout *to;
+
+ unsigned int request_counter;
+
+ bool (*reply_callback)(const char *cmd, const char *const *args,
+ void *context);
+ void *reply_context;
+
+ unsigned int timeout_msecs;
+
+ bool connected:1;
+ bool sent_handshake:1;
+ bool aborted:1;
+};
+
+struct auth_master_lookup_ctx {
+ struct auth_master_connection *conn;
+ const char *user;
+ const char *expected_reply;
+ int return_value;
+
+ pool_t pool;
+ const char **fields;
+};
+
+struct auth_master_user_list_ctx {
+ struct auth_master_connection *conn;
+ string_t *username;
+ bool finished;
+ bool failed;
+};
+
+static void auth_master_connected(struct connection *_conn, bool success);
+static int
+auth_master_input_args(struct connection *_conn, const char *const *args);
+static int
+auth_master_handshake_line(struct connection *_conn, const char *line);
+static int auth_master_input_line(struct connection *_conn, const char *line);
+static void auth_master_destroy(struct connection *_conn);
+
+static const struct connection_vfuncs auth_master_vfuncs = {
+ .destroy = auth_master_destroy,
+ .handshake_line = auth_master_handshake_line,
+ .input_args = auth_master_input_args,
+ .input_line = auth_master_input_line,
+ .client_connected = auth_master_connected,
+};
+
+static const struct connection_settings auth_master_set = {
+ .dont_send_version = TRUE,
+ .service_name_in = "auth-master",
+ .service_name_out = "auth-master",
+ .major_version = AUTH_PROTOCOL_MAJOR,
+ .minor_version = AUTH_PROTOCOL_MINOR,
+ .unix_client_connect_msecs = 1000,
+ .input_max_size = MAX_INBUF_SIZE,
+ .output_max_size = MAX_OUTBUF_SIZE,
+ .client = TRUE,
+};
+
+struct auth_master_connection *
+auth_master_init(const char *auth_socket_path, enum auth_master_flags flags)
+{
+ struct auth_master_connection *conn;
+
+ conn = i_new(struct auth_master_connection, 1);
+ conn->auth_socket_path = i_strdup(auth_socket_path);
+ conn->flags = flags;
+ conn->timeout_msecs = 1000*MASTER_AUTH_LOOKUP_TIMEOUT_SECS;
+ conn->clist = connection_list_init(&auth_master_set,
+ &auth_master_vfuncs);
+
+ conn->event_parent = conn->event = event_create(NULL);
+ event_add_category(conn->event_parent, &event_category_auth_client);
+ event_set_append_log_prefix(conn->event_parent, "auth-master: ");
+ event_set_forced_debug(conn->event_parent,
+ HAS_ALL_BITS(flags, AUTH_MASTER_FLAG_DEBUG));
+
+ conn->conn.event_parent = conn->event_parent;
+ connection_init_client_unix(conn->clist, &conn->conn,
+ conn->auth_socket_path);
+
+ return conn;
+}
+
+static void auth_connection_close(struct auth_master_connection *conn)
+{
+ conn->connected = FALSE;
+ connection_disconnect(&conn->conn);
+
+ timeout_remove(&conn->to);
+
+ conn->sent_handshake = FALSE;
+}
+
+void auth_master_deinit(struct auth_master_connection **_conn)
+{
+ struct auth_master_connection *conn = *_conn;
+ struct connection_list *clist = conn->clist;
+
+ *_conn = NULL;
+
+ auth_connection_close(conn);
+ connection_deinit(&conn->conn);
+ connection_list_deinit(&clist);
+ event_unref(&conn->event_parent);
+ i_free(conn->auth_socket_path);
+ i_free(conn);
+}
+
+void auth_master_set_timeout(struct auth_master_connection *conn,
+ unsigned int msecs)
+{
+ conn->timeout_msecs = msecs;
+}
+
+const char *auth_master_get_socket_path(struct auth_master_connection *conn)
+{
+ return conn->auth_socket_path;
+}
+
+static void auth_request_lookup_abort(struct auth_master_connection *conn)
+{
+ io_loop_stop(conn->ioloop);
+ conn->aborted = TRUE;
+}
+
+static void auth_master_destroy(struct connection *_conn)
+{
+ struct auth_master_connection *conn =
+ container_of(_conn, struct auth_master_connection, conn);
+
+ if (conn->connected)
+ connection_disconnect(&conn->conn);
+ conn->connected = FALSE;
+ conn->sent_handshake = FALSE;
+
+ switch (_conn->disconnect_reason) {
+ case CONNECTION_DISCONNECT_HANDSHAKE_FAILED:
+ break;
+ case CONNECTION_DISCONNECT_BUFFER_FULL:
+ e_error(conn->event, "BUG: Received more than %d bytes",
+ MAX_INBUF_SIZE);
+ break;
+ default:
+ if (!conn->aborted)
+ e_error(conn->event, "Disconnected unexpectedly");
+ }
+ auth_request_lookup_abort(conn);
+}
+
+static int
+auth_master_handshake_line(struct connection *_conn, const char *line)
+{
+ struct auth_master_connection *conn =
+ container_of(_conn, struct auth_master_connection, conn);
+ const char *const *tmp;
+ unsigned int major_version, minor_version;
+
+ tmp = t_strsplit_tabescaped(line);
+ if (strcmp(tmp[0], "VERSION") == 0 &&
+ tmp[1] != NULL && tmp[2] != NULL) {
+ if (str_to_uint(tmp[1], &major_version) < 0 ||
+ str_to_uint(tmp[2], &minor_version) < 0) {
+ e_error(conn->event,
+ "Auth server sent invalid version line: %s",
+ line);
+ auth_request_lookup_abort(conn);
+ return -1;
+ }
+
+ if (connection_verify_version(_conn, "auth-master",
+ major_version,
+ minor_version) < 0) {
+ auth_request_lookup_abort(conn);
+ return -1;
+ }
+ } else if (strcmp(tmp[0], "SPID") == 0) {
+ return 1;
+ }
+ return 0;
+}
+
+static int
+parse_reply(struct auth_master_lookup_ctx *ctx, const char *cmd,
+ const char *const *args)
+{
+ struct auth_master_connection *conn = ctx->conn;
+
+ if (strcmp(cmd, ctx->expected_reply) == 0)
+ return 1;
+ if (strcmp(cmd, "NOTFOUND") == 0)
+ return 0;
+ if (strcmp(cmd, "FAIL") == 0) {
+ if (*args == NULL) {
+ e_error(conn->event, "Auth %s lookup failed",
+ ctx->expected_reply);
+ } else {
+ e_debug(conn->event,
+ "Auth %s lookup returned temporary failure: %s",
+ ctx->expected_reply, *args);
+ }
+ return -2;
+ }
+ e_error(conn->event, "Unknown reply: %s", cmd);
+ return -1;
+}
+
+static const char *const *args_hide_passwords(const char *const *args)
+{
+ ARRAY_TYPE(const_string) new_args;
+ const char *p, *p2;
+ unsigned int i;
+
+ /* if there are any keys that contain "pass" string */
+ for (i = 0; args[i] != NULL; i++) {
+ p = strstr(args[i], "pass");
+ if (p != NULL && p < strchr(args[i], '='))
+ break;
+ }
+ if (args[i] == NULL)
+ return args;
+
+ /* there are. replace their values with <hidden> */
+ t_array_init(&new_args, i + 16);
+ array_append(&new_args, args, i);
+ for (; args[i] != NULL; i++) {
+ p = strstr(args[i], "pass");
+ p2 = strchr(args[i], '=');
+ if (p != NULL && p < p2) {
+ p = t_strconcat(t_strdup_until(args[i], p2),
+ "=<hidden>", NULL);
+ array_push_back(&new_args, &p);
+ } else {
+ array_push_back(&new_args, &args[i]);
+ }
+ }
+ array_append_zero(&new_args);
+ return array_front(&new_args);
+}
+
+static bool auth_lookup_reply_callback(const char *cmd, const char *const *args,
+ void *context)
+{
+ struct auth_master_lookup_ctx *ctx = context;
+ unsigned int i, len;
+
+ io_loop_stop(ctx->conn->ioloop);
+
+ ctx->return_value = parse_reply(ctx, cmd, args);
+
+ len = str_array_length(args);
+ i_assert(*args != NULL || len == 0); /* for static analyzer */
+ if (ctx->return_value >= 0) {
+ ctx->fields = p_new(ctx->pool, const char *, len + 1);
+ for (i = 0; i < len; i++)
+ ctx->fields[i] = p_strdup(ctx->pool, args[i]);
+ } else {
+ /* put the reason string into first field */
+ ctx->fields = p_new(ctx->pool, const char *, 2);
+ for (i = 0; i < len; i++) {
+ if (str_begins(args[i], "reason=")) {
+ ctx->fields[0] =
+ p_strdup(ctx->pool, args[i] + 7);
+ break;
+ }
+ }
+ }
+ args = args_hide_passwords(args);
+ e_debug(ctx->conn->event, "auth %s input: %s",
+ ctx->expected_reply, t_strarray_join(args, " "));
+ return TRUE;
+}
+
+static int
+auth_master_input_args(struct connection *_conn, const char *const *args)
+{
+ struct auth_master_connection *conn =
+ container_of(_conn, struct auth_master_connection, conn);
+ const char *const *in_args = args;
+ const char *cmd, *id, *wanted_id;
+
+ cmd = *args; args++;
+ if (*args == NULL)
+ id = "";
+ else {
+ id = *args;
+ args++;
+ }
+
+ wanted_id = dec2str(conn->request_counter);
+ if (strcmp(id, wanted_id) == 0) {
+ return (conn->reply_callback(cmd, args, conn->reply_context) ?
+ 0 : 1);
+ }
+
+ if (strcmp(cmd, "CUID") == 0) {
+ e_error(conn->event, "%s is an auth client socket. "
+ "It should be a master socket.",
+ conn->auth_socket_path);
+ } else {
+ e_error(conn->event, "BUG: Unexpected input: %s",
+ t_strarray_join(in_args, "\t"));
+ }
+ auth_request_lookup_abort(conn);
+ return -1;
+}
+
+static int auth_master_input_line(struct connection *_conn, const char *line)
+{
+ struct auth_master_connection *conn =
+ container_of(_conn, struct auth_master_connection, conn);
+ int ret;
+
+ ret = connection_input_line_default(_conn, line);
+ return (io_loop_is_running(conn->ioloop) ? ret : 0);
+}
+
+static void auth_master_connected(struct connection *_conn, bool success)
+{
+ struct auth_master_connection *conn =
+ container_of(_conn, struct auth_master_connection, conn);
+
+ /* Cannot get here unless connect() was successful */
+ i_assert(success);
+
+ conn->connected = TRUE;
+}
+
+static int auth_master_connect(struct auth_master_connection *conn)
+{
+ i_assert(!conn->connected);
+
+ if (conn->ioloop != NULL)
+ connection_switch_ioloop_to(&conn->conn, conn->ioloop);
+ if (connection_client_connect(&conn->conn) < 0) {
+ if (errno == EACCES) {
+ e_error(conn->event,
+ "%s", eacces_error_get("connect",
+ conn->auth_socket_path));
+ } else {
+ e_error(conn->event, "connect(%s) failed: %m",
+ conn->auth_socket_path);
+ }
+ return -1;
+ }
+
+ connection_input_halt(&conn->conn);
+ return 0;
+}
+
+static void auth_request_timeout(struct auth_master_connection *conn)
+{
+ if (!conn->conn.handshake_received)
+ e_error(conn->event, "Connecting timed out");
+ else
+ e_error(conn->event, "Request timed out");
+ auth_request_lookup_abort(conn);
+}
+
+static void auth_idle_timeout(struct auth_master_connection *conn)
+{
+ auth_connection_close(conn);
+}
+
+static void auth_master_set_io(struct auth_master_connection *conn)
+{
+ if (conn->ioloop != NULL)
+ return;
+
+ timeout_remove(&conn->to);
+
+ conn->prev_ioloop = current_ioloop;
+ conn->ioloop = io_loop_create();
+ connection_switch_ioloop_to(&conn->conn, conn->ioloop);
+ if (conn->connected)
+ connection_input_resume(&conn->conn);
+
+ conn->to = timeout_add_to(conn->ioloop, conn->timeout_msecs,
+ auth_request_timeout, conn);
+}
+
+static void auth_master_unset_io(struct auth_master_connection *conn)
+{
+ if (conn->prev_ioloop != NULL) {
+ io_loop_set_current(conn->prev_ioloop);
+ }
+ if (conn->ioloop != NULL) {
+ io_loop_set_current(conn->ioloop);
+ connection_switch_ioloop_to(&conn->conn, conn->ioloop);
+ connection_input_halt(&conn->conn);
+ timeout_remove(&conn->to);
+ io_loop_destroy(&conn->ioloop);
+ }
+
+ if ((conn->flags & AUTH_MASTER_FLAG_NO_IDLE_TIMEOUT) == 0) {
+ if (conn->prev_ioloop == NULL)
+ auth_connection_close(conn);
+ else {
+ i_assert(conn->to == NULL);
+ conn->to = timeout_add(1000*AUTH_MASTER_IDLE_SECS,
+ auth_idle_timeout, conn);
+ }
+ }
+}
+
+static bool is_valid_string(const char *str)
+{
+ const char *p;
+
+ /* make sure we're not sending any characters that have a special
+ meaning. */
+ for (p = str; *p != '\0'; p++) {
+ if (*p == '\t' || *p == '\n' || *p == '\r')
+ return FALSE;
+ }
+ return TRUE;
+}
+
+static int auth_master_run_cmd_pre(struct auth_master_connection *conn,
+ const char *cmd)
+{
+ auth_master_set_io(conn);
+
+ if (!conn->connected) {
+ if (auth_master_connect(conn) < 0) {
+ auth_master_unset_io(conn);
+ return -1;
+ }
+ i_assert(conn->connected);
+ connection_input_resume(&conn->conn);
+ }
+
+ o_stream_cork(conn->conn.output);
+ if (!conn->sent_handshake) {
+ const struct connection_settings *set = &conn->conn.list->set;
+
+ o_stream_nsend_str(conn->conn.output,
+ t_strdup_printf("VERSION\t%u\t%u\n",
+ set->major_version,
+ set->minor_version));
+ conn->sent_handshake = TRUE;
+ }
+
+ o_stream_nsend_str(conn->conn.output, cmd);
+ o_stream_uncork(conn->conn.output);
+
+ if (o_stream_flush(conn->conn.output) < 0) {
+ e_error(conn->event, "write(auth socket) failed: %s",
+ o_stream_get_error(conn->conn.output));
+ auth_master_unset_io(conn);
+ auth_connection_close(conn);
+ return -1;
+ }
+ return 0;
+}
+
+static int auth_master_run_cmd_post(struct auth_master_connection *conn)
+{
+ auth_master_unset_io(conn);
+ if (conn->aborted) {
+ conn->aborted = FALSE;
+ auth_connection_close(conn);
+ return -1;
+ }
+ return 0;
+}
+
+static int auth_master_run_cmd(struct auth_master_connection *conn,
+ const char *cmd)
+{
+ if (auth_master_run_cmd_pre(conn, cmd) < 0)
+ return -1;
+ io_loop_run(conn->ioloop);
+ return auth_master_run_cmd_post(conn);
+}
+
+static unsigned int
+auth_master_next_request_id(struct auth_master_connection *conn)
+{
+ if (++conn->request_counter == 0) {
+ /* avoid zero */
+ conn->request_counter++;
+ }
+ return conn->request_counter;
+}
+
+void auth_user_info_export(string_t *str, const struct auth_user_info *info)
+{
+ const char *const *fieldp;
+
+ if (info->service != NULL) {
+ str_append(str, "\tservice=");
+ str_append(str, info->service);
+ }
+ if (info->session_id != NULL) {
+ str_append(str, "\tsession=");
+ str_append_tabescaped(str, info->session_id);
+ }
+ if (info->local_name != NULL) {
+ str_append(str, "\tlocal_name=");
+ str_append_tabescaped(str, info->local_name);
+ }
+ if (info->local_ip.family != 0)
+ str_printfa(str, "\tlip=%s", net_ip2addr(&info->local_ip));
+ if (info->local_port != 0)
+ str_printfa(str, "\tlport=%d", info->local_port);
+ if (info->remote_ip.family != 0)
+ str_printfa(str, "\trip=%s", net_ip2addr(&info->remote_ip));
+ if (info->remote_port != 0)
+ str_printfa(str, "\trport=%d", info->remote_port);
+ if (info->real_remote_ip.family != 0 &&
+ !net_ip_compare(&info->real_remote_ip, &info->remote_ip))
+ str_printfa(str, "\treal_rip=%s", net_ip2addr(&info->real_remote_ip));
+ if (info->real_local_ip.family != 0 &&
+ !net_ip_compare(&info->real_local_ip, &info->local_ip))
+ str_printfa(str, "\treal_lip=%s", net_ip2addr(&info->real_local_ip));
+ if (info->real_local_port != 0 &&
+ info->real_local_port != info->local_port)
+ str_printfa(str, "\treal_lport=%d", info->real_local_port);
+ if (info->real_remote_port != 0 &&
+ info->real_remote_port != info->remote_port)
+ str_printfa(str, "\treal_rport=%d", info->real_remote_port);
+ if (info->debug)
+ str_append(str, "\tdebug");
+ if (info->forward_fields != NULL &&
+ *info->forward_fields != '\0') {
+ str_append(str, "\tforward_fields=");
+ str_append_tabescaped(str, info->forward_fields);
+ }
+ if (array_is_created(&info->extra_fields)) {
+ array_foreach(&info->extra_fields, fieldp) {
+ str_append_c(str, '\t');
+ str_append_tabescaped(str, *fieldp);
+ }
+ }
+}
+
+static void
+auth_master_event_create(struct auth_master_connection *conn,
+ const char *prefix)
+{
+ i_assert(conn->event == conn->event_parent);
+ conn->event = event_create(conn->event_parent);
+ event_set_append_log_prefix(conn->event, prefix);
+}
+
+static void
+auth_master_user_event_create(struct auth_master_connection *conn,
+ const char *prefix,
+ const struct auth_user_info *info)
+{
+ auth_master_event_create(conn, prefix);
+
+ if (info != NULL) {
+ if (info->service != NULL)
+ event_add_str(conn->event, "service", info->service);
+ if (info->session_id != NULL)
+ event_add_str(conn->event, "session", info->session_id);
+ if (info->local_name != NULL)
+ event_add_str(conn->event, "local_name", info->local_name);
+ if (info->local_ip.family != 0) {
+ event_add_str(conn->event, "local_ip",
+ net_ip2addr(&info->local_ip));
+ }
+ if (info->local_port != 0) {
+ event_add_int(conn->event, "local_port",
+ info->local_port);
+ }
+ if (info->remote_ip.family != 0) {
+ event_add_str(conn->event, "remote_ip",
+ net_ip2addr(&info->remote_ip));
+ }
+ if (info->remote_port != 0) {
+ event_add_int(conn->event, "remote_port",
+ info->remote_port);
+ }
+ if (info->real_local_ip.family != 0)
+ event_add_str(conn->event, "real_local_ip",
+ net_ip2addr(&info->real_local_ip));
+ if (info->real_remote_ip.family != 0)
+ event_add_str(conn->event, "real_remote_ip",
+ net_ip2addr(&info->real_remote_ip));
+ if (info->real_local_port != 0)
+ event_add_int(conn->event, "real_local_port",
+ info->real_local_port);
+ if (info->real_remote_port != 0)
+ event_add_int(conn->event, "real_remote_port",
+ info->real_remote_port);
+ }
+}
+
+static void
+auth_master_event_finish(struct auth_master_connection *conn)
+{
+ i_assert(conn->event != conn->event_parent);
+ event_unref(&conn->event);
+ conn->event = conn->event_parent;
+}
+
+int auth_master_user_lookup(struct auth_master_connection *conn,
+ const char *user, const struct auth_user_info *info,
+ pool_t pool, const char **username_r,
+ const char *const **fields_r)
+{
+ struct auth_master_lookup_ctx ctx;
+ string_t *str;
+
+ if (!is_valid_string(user) || !is_valid_string(info->service)) {
+ /* non-allowed characters, the user can't exist */
+ *username_r = NULL;
+ *fields_r = NULL;
+ return 0;
+ }
+
+ i_zero(&ctx);
+ ctx.conn = conn;
+ ctx.return_value = -1;
+ ctx.pool = pool;
+ ctx.expected_reply = "USER";
+ ctx.user = user;
+
+ conn->reply_callback = auth_lookup_reply_callback;
+ conn->reply_context = &ctx;
+
+ str = t_str_new(128);
+ str_printfa(str, "USER\t%u\t%s",
+ auth_master_next_request_id(conn), user);
+ auth_user_info_export(str, info);
+ str_append_c(str, '\n');
+
+ auth_master_user_event_create(
+ conn, t_strdup_printf("userdb lookup(%s): ", user), info);
+ event_add_str(conn->event, "user", user);
+
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_userdb_lookup_started");
+ e_debug(e->event(), "Started userdb lookup");
+
+ (void)auth_master_run_cmd(conn, str_c(str));
+
+ if (ctx.return_value <= 0 || ctx.fields[0] == NULL) {
+ *username_r = NULL;
+ *fields_r = ctx.fields != NULL ? ctx.fields :
+ p_new(pool, const char *, 1);
+
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_userdb_lookup_finished");
+
+ if (ctx.return_value > 0) {
+ e->add_str("error", "Lookup didn't return username");
+ e_error(e->event(), "Userdb lookup failed: "
+ "Lookup didn't return username");
+ ctx.return_value = -2;
+ } else if ((*fields_r)[0] == NULL) {
+ e->add_str("error", "Lookup failed");
+ e_debug(e->event(), "Userdb lookup failed");
+ } else {
+ e->add_str("error", (*fields_r)[0]);
+ e_debug(e->event(), "Userdb lookup failed: %s",
+ (*fields_r)[0]);
+ }
+ } else {
+ *username_r = ctx.fields[0];
+ *fields_r = ctx.fields + 1;
+
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_userdb_lookup_finished");
+ e_debug(e->event(), "Finished userdb lookup (username=%s %s)",
+ *username_r, t_strarray_join(*fields_r, " "));
+ }
+ auth_master_event_finish(conn);
+
+ conn->reply_context = NULL;
+ return ctx.return_value;
+}
+
+void auth_user_fields_parse(const char *const *fields, pool_t pool,
+ struct auth_user_reply *reply_r)
+{
+ i_zero(reply_r);
+ reply_r->uid = (uid_t)-1;
+ reply_r->gid = (gid_t)-1;
+ p_array_init(&reply_r->extra_fields, pool, 64);
+
+ for (; *fields != NULL; fields++) {
+ if (str_begins(*fields, "uid=")) {
+ if (str_to_uid(*fields + 4, &reply_r->uid) < 0)
+ i_error("Invalid uid in reply");
+ } else if (str_begins(*fields, "gid=")) {
+ if (str_to_gid(*fields + 4, &reply_r->gid) < 0)
+ i_error("Invalid gid in reply");
+ } else if (str_begins(*fields, "home="))
+ reply_r->home = p_strdup(pool, *fields + 5);
+ else if (str_begins(*fields, "chroot="))
+ reply_r->chroot = p_strdup(pool, *fields + 7);
+ else if (strcmp(*fields, "anonymous") == 0)
+ reply_r->anonymous = TRUE;
+ else {
+ const char *field = p_strdup(pool, *fields);
+ array_push_back(&reply_r->extra_fields, &field);
+ }
+ }
+}
+
+int auth_master_pass_lookup(struct auth_master_connection *conn,
+ const char *user, const struct auth_user_info *info,
+ pool_t pool, const char *const **fields_r)
+{
+ struct auth_master_lookup_ctx ctx;
+ string_t *str;
+
+ if (!is_valid_string(user) || !is_valid_string(info->service)) {
+ /* non-allowed characters, the user can't exist */
+ *fields_r = NULL;
+ return 0;
+ }
+
+ i_zero(&ctx);
+ ctx.conn = conn;
+ ctx.return_value = -1;
+ ctx.pool = pool;
+ ctx.expected_reply = "PASS";
+ ctx.user = user;
+
+ conn->reply_callback = auth_lookup_reply_callback;
+ conn->reply_context = &ctx;
+
+ str = t_str_new(128);
+ str_printfa(str, "PASS\t%u\t%s",
+ auth_master_next_request_id(conn), user);
+ auth_user_info_export(str, info);
+ str_append_c(str, '\n');
+
+ auth_master_user_event_create(
+ conn, t_strdup_printf("passdb lookup(%s): ", user), info);
+ event_add_str(conn->event, "user", user);
+
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_passdb_lookup_started");
+ e_debug(e->event(), "Started passdb lookup");
+
+ (void)auth_master_run_cmd(conn, str_c(str));
+
+ *fields_r = ctx.fields != NULL ? ctx.fields :
+ p_new(pool, const char *, 1);
+
+ if (ctx.return_value <= 0) {
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_passdb_lookup_finished");
+ if ((*fields_r)[0] == NULL) {
+ e->add_str("error", "Lookup failed");
+ e_debug(e->event(), "Passdb lookup failed");
+ } else {
+ e->add_str("error", (*fields_r)[0]);
+ e_debug(e->event(), "Passdb lookup failed: %s",
+ (*fields_r)[0]);
+ }
+ } else {
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_passdb_lookup_finished");
+ e_debug(e->event(), "Finished passdb lookup (%s)",
+ t_strarray_join(*fields_r, " "));
+ }
+ auth_master_event_finish(conn);
+
+ conn->reply_context = NULL;
+ return ctx.return_value;
+}
+
+struct auth_master_cache_ctx {
+ struct auth_master_connection *conn;
+ unsigned int count;
+ bool failed;
+};
+
+static bool
+auth_cache_flush_reply_callback(const char *cmd, const char *const *args,
+ void *context)
+{
+ struct auth_master_cache_ctx *ctx = context;
+
+ if (strcmp(cmd, "OK") != 0)
+ ctx->failed = TRUE;
+ else if (args[0] == NULL || str_to_uint(args[0], &ctx->count) < 0)
+ ctx->failed = TRUE;
+
+ io_loop_stop(ctx->conn->ioloop);
+ return TRUE;
+}
+
+int auth_master_cache_flush(struct auth_master_connection *conn,
+ const char *const *users, unsigned int *count_r)
+{
+ struct auth_master_cache_ctx ctx;
+ string_t *str;
+
+ i_zero(&ctx);
+ ctx.conn = conn;
+
+ conn->reply_callback = auth_cache_flush_reply_callback;
+ conn->reply_context = &ctx;
+
+ str = t_str_new(128);
+ str_printfa(str, "CACHE-FLUSH\t%u", auth_master_next_request_id(conn));
+ if (users != NULL) {
+ for (; *users != NULL; users++) {
+ str_append_c(str, '\t');
+ str_append_tabescaped(str, *users);
+ }
+ }
+ str_append_c(str, '\n');
+
+ auth_master_event_create(conn, "auth cache flush: ");
+
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_cache_flush_started");
+ e_debug(e->event(), "Started cache flush");
+
+ (void)auth_master_run_cmd(conn, str_c(str));
+
+ if (ctx.failed) {
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_cache_flush_finished");
+ e->add_str("error", "Cache flush failed");
+ e_debug(e->event(), "Cache flush failed");
+ } else {
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_cache_flush_finished");
+ e_debug(e->event(), "Finished cache flush");
+ }
+ auth_master_event_finish(conn);
+
+ conn->reply_context = NULL;
+ *count_r = ctx.count;
+ return ctx.failed ? -1 : 0;
+}
+
+static bool
+auth_user_list_reply_callback(const char *cmd, const char *const *args,
+ void *context)
+{
+ struct auth_master_user_list_ctx *ctx = context;
+ struct auth_master_connection *conn = ctx->conn;
+
+ timeout_reset(ctx->conn->to);
+ io_loop_stop(ctx->conn->ioloop);
+
+ if (strcmp(cmd, "DONE") == 0) {
+ if (args[0] != NULL && strcmp(args[0], "fail") == 0) {
+ e_error(conn->event, "User listing returned failure");
+ ctx->failed = TRUE;
+ }
+ ctx->finished = TRUE;
+ } else if (strcmp(cmd, "LIST") == 0 && args[0] != NULL) {
+ /* we'll just read all the users into memory. otherwise we'd
+ have to use a separate connection for listing and there's
+ a higher chance of a failure since the connection could be
+ open to dovecot-auth for a long time. */
+ str_append(ctx->username, args[0]);
+ } else {
+ e_error(conn->event, "User listing returned invalid input");
+ ctx->failed = TRUE;
+ }
+ return FALSE;
+}
+
+struct auth_master_user_list_ctx *
+auth_master_user_list_init(struct auth_master_connection *conn,
+ const char *user_mask,
+ const struct auth_user_info *info)
+{
+ struct auth_master_user_list_ctx *ctx;
+ string_t *str;
+
+ ctx = i_new(struct auth_master_user_list_ctx, 1);
+ ctx->conn = conn;
+ ctx->username = str_new(default_pool, 128);
+
+ conn->reply_callback = auth_user_list_reply_callback;
+ conn->reply_context = ctx;
+
+ str = t_str_new(128);
+ str_printfa(str, "LIST\t%u",
+ auth_master_next_request_id(conn));
+ if (*user_mask != '\0')
+ str_printfa(str, "\tuser=%s", user_mask);
+ if (info != NULL)
+ auth_user_info_export(str, info);
+ str_append_c(str, '\n');
+
+ auth_master_user_event_create(conn, "userdb list: ", info);
+ event_add_str(conn->event," user_mask", user_mask);
+
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_userdb_list_started");
+ e_debug(e->event(), "Started listing users (user_mask=%s)", user_mask);
+
+ if (auth_master_run_cmd_pre(conn, str_c(str)) < 0)
+ ctx->failed = TRUE;
+ if (conn->prev_ioloop != NULL)
+ io_loop_set_current(conn->prev_ioloop);
+
+ return ctx;
+}
+
+static const char *
+auth_master_user_do_list_next(struct auth_master_user_list_ctx *ctx)
+{
+ struct auth_master_connection *conn = ctx->conn;
+ const char *line;
+
+ if (!conn->connected)
+ return NULL;
+
+ str_truncate(ctx->username, 0);
+
+ /* try to read already buffered input */
+ line = i_stream_next_line(conn->conn.input);
+ if (line != NULL) {
+ T_BEGIN {
+ conn->conn.v.input_line(&conn->conn, line);
+ } T_END;
+ }
+ if (conn->aborted)
+ ctx->failed = TRUE;
+ if (ctx->finished || ctx->failed)
+ return NULL;
+ if (str_len(ctx->username) > 0)
+ return str_c(ctx->username);
+
+ /* wait for more data */
+ io_loop_set_current(conn->ioloop);
+ i_stream_set_input_pending(conn->conn.input, TRUE);
+ io_loop_run(conn->ioloop);
+ io_loop_set_current(conn->prev_ioloop);
+
+ if (conn->aborted)
+ ctx->failed = TRUE;
+ if (ctx->finished || ctx->failed)
+ return NULL;
+ return str_c(ctx->username);
+}
+
+const char *auth_master_user_list_next(struct auth_master_user_list_ctx *ctx)
+{
+ struct auth_master_connection *conn = ctx->conn;
+ const char *username;
+
+ username = auth_master_user_do_list_next(ctx);
+ if (username == NULL)
+ return NULL;
+
+ e_debug(conn->event, "Returned username: %s", username);
+ return username;
+}
+
+int auth_master_user_list_deinit(struct auth_master_user_list_ctx **_ctx)
+{
+ struct auth_master_user_list_ctx *ctx = *_ctx;
+ struct auth_master_connection *conn = ctx->conn;
+ int ret = ctx->failed ? -1 : 0;
+
+ *_ctx = NULL;
+ auth_master_run_cmd_post(ctx->conn);
+
+ if (ret < 0) {
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_userdb_list_finished");
+ e->add_str("error", "Listing users failed");
+ e_debug(e->event(), "Listing users failed");
+ } else {
+ struct event_passthrough *e =
+ event_create_passthrough(conn->event)->
+ set_name("auth_client_userdb_list_finished");
+ e_debug(e->event(), "Finished listing users");
+ }
+ auth_master_event_finish(conn);
+
+ str_free(&ctx->username);
+ i_free(ctx);
+ return ret;
+}
diff --git a/src/lib-auth/auth-master.h b/src/lib-auth/auth-master.h
new file mode 100644
index 0000000..f62985a
--- /dev/null
+++ b/src/lib-auth/auth-master.h
@@ -0,0 +1,76 @@
+#ifndef AUTH_MASTER_H
+#define AUTH_MASTER_H
+
+#include "net.h"
+
+enum auth_master_flags {
+ /* Enable logging debug information */
+ AUTH_MASTER_FLAG_DEBUG = 0x01,
+ /* Don't disconnect from auth socket when idling */
+ AUTH_MASTER_FLAG_NO_IDLE_TIMEOUT = 0x02
+};
+
+struct auth_user_info {
+ const char *service;
+ const char *session_id;
+ const char *local_name;
+ struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip;
+ in_port_t local_port, remote_port, real_local_port, real_remote_port;
+ const char *forward_fields;
+ ARRAY_TYPE(const_string) extra_fields;
+ bool debug;
+};
+
+struct auth_user_reply {
+ uid_t uid;
+ gid_t gid;
+ const char *home, *chroot;
+ ARRAY_TYPE(const_string) extra_fields;
+ bool anonymous:1;
+};
+
+struct auth_master_connection *
+auth_master_init(const char *auth_socket_path, enum auth_master_flags flags);
+void auth_master_deinit(struct auth_master_connection **conn);
+
+/* Set timeout for lookups. */
+void auth_master_set_timeout(struct auth_master_connection *conn,
+ unsigned int msecs);
+
+/* Returns the auth_socket_path */
+const char *auth_master_get_socket_path(struct auth_master_connection *conn);
+
+/* Do a USER lookup. Returns -2 = user-specific error, -1 = internal error,
+ 0 = user not found, 1 = ok. When returning -1 and fields[0] isn't NULL, it
+ contains an error message that should be shown to user. */
+int auth_master_user_lookup(struct auth_master_connection *conn,
+ const char *user, const struct auth_user_info *info,
+ pool_t pool, const char **username_r,
+ const char *const **fields_r);
+/* Do a PASS lookup (the actual password isn't returned). */
+int auth_master_pass_lookup(struct auth_master_connection *conn,
+ const char *user, const struct auth_user_info *info,
+ pool_t pool, const char *const **fields_r);
+/* Flush authentication cache for everyone (users=NULL) or only for specified
+ users. Returns number of users flushed from cache. */
+int auth_master_cache_flush(struct auth_master_connection *conn,
+ const char *const *users, unsigned int *count_r);
+
+/* Parse userdb extra fields into auth_user_reply structure. */
+void auth_user_fields_parse(const char *const *fields, pool_t pool,
+ struct auth_user_reply *reply_r);
+
+/* Iterate through all users. If user_mask is non-NULL, it contains a string
+ with wildcards ('*', '?') that the auth server MAY use to limit what users
+ are returned (but it may as well return all users anyway). */
+struct auth_master_user_list_ctx *
+auth_master_user_list_init(struct auth_master_connection *conn,
+ const char *user_mask,
+ const struct auth_user_info *info) ATTR_NULL(3);
+const char *auth_master_user_list_next(struct auth_master_user_list_ctx *ctx);
+/* Returns -1 if anything failed, 0 if ok */
+int auth_master_user_list_deinit(struct auth_master_user_list_ctx **ctx);
+
+/* INTERNAL: */
+void auth_user_info_export(string_t *str, const struct auth_user_info *info);
+#endif
diff --git a/src/lib-auth/test-auth-master.c b/src/lib-auth/test-auth-master.c
new file mode 100644
index 0000000..95c9daf
--- /dev/null
+++ b/src/lib-auth/test-auth-master.c
@@ -0,0 +1,74 @@
+/* Copyright (c) 2019 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "auth-master.h"
+#include "net.h"
+#include "test-common.h"
+#include "str.h"
+
+static void test_auth_user_info_export(void)
+{
+ string_t *str;
+ struct auth_user_info info;
+
+ i_zero(&info);
+
+ test_begin("auth_user_info_export()");
+
+ /* Setup info for auth_user_info_export call where the
+ * resulting auth request string should contain all
+ * real_ variables. */
+ test_assert(net_addr2ip("192.168.1.1", &info.local_ip) == 0);
+ test_assert(net_addr2ip("192.23.42.9", &info.real_local_ip) == 0);
+ test_assert(net_addr2ip("10.42.3.223", &info.remote_ip) == 0);
+ test_assert(net_addr2ip("192.168.1.2", &info.real_remote_ip) == 0);
+ info.local_port = 57035;
+ info.remote_port = 53075;
+ info.real_remote_port = 64385;
+ info.real_local_port = 57391;
+
+ str = t_str_new(128);
+ auth_user_info_export(str, &info);
+
+ test_assert(strstr(str_c(str), "real_rip=192.168.1.2") != NULL);
+ test_assert(strstr(str_c(str), "real_lip=192.23.42.9") != NULL);
+ test_assert(strstr(str_c(str), "rip=10.42.3.223") != NULL);
+ test_assert(strstr(str_c(str), "lip=192.168.1.1") != NULL);
+ test_assert(strstr(str_c(str), "real_rport=64385") != NULL);
+ test_assert(strstr(str_c(str), "rport=53075") != NULL);
+ test_assert(strstr(str_c(str), "real_lport=57391") != NULL);
+ test_assert(strstr(str_c(str), "lport=57035") != NULL);
+
+ /* Setup info for auth_user_info_export call where the
+ * resulting auth request string should not contain any
+ * real_ variables. */
+ test_assert(net_addr2ip("10.42.3.223", &info.real_remote_ip) == 0);
+ test_assert(net_addr2ip("192.168.1.1", &info.real_local_ip) == 0);
+ info.real_remote_port = 53075;
+ info.real_local_port = 57035;
+
+ str_truncate(str, 0);
+ auth_user_info_export(str, &info);
+
+ test_assert(strstr(str_c(str), "rip=10.42.3.223") != NULL);
+ test_assert(strstr(str_c(str), "lip=192.168.1.1") != NULL);
+ test_assert(strstr(str_c(str), "lport=57035") != NULL);
+ test_assert(strstr(str_c(str), "rport=53075") != NULL);
+ /* The following fields should not be part of the string as
+ * they are matching with their non-real counterparts */
+ test_assert(strstr(str_c(str), "real_lport") == NULL);
+ test_assert(strstr(str_c(str), "real_rport") == NULL);
+ test_assert(strstr(str_c(str), "real_rip") == NULL);
+ test_assert(strstr(str_c(str), "real_lip") == NULL);
+
+ test_end();
+}
+
+int main(void)
+{
+ static void (*const test_functions[])(void) = {
+ test_auth_user_info_export,
+ NULL
+ };
+ return test_run(test_functions);
+}