1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
/* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */
#include "auth-common.h"
#include "passdb.h"
#ifdef PASSDB_PASSWD
#include "safe-memset.h"
#include "ipwd.h"
#define PASSWD_CACHE_KEY "%u"
#define PASSWD_PASS_SCHEME "CRYPT"
static enum passdb_result
passwd_lookup(struct auth_request *request, struct passwd *pw_r)
{
e_debug(authdb_event(request), "lookup");
switch (i_getpwnam(request->fields.user, pw_r)) {
case -1:
e_error(authdb_event(request),
"getpwnam() failed: %m");
return PASSDB_RESULT_INTERNAL_FAILURE;
case 0:
auth_request_log_unknown_user(request, AUTH_SUBSYS_DB);
return PASSDB_RESULT_USER_UNKNOWN;
}
if (!IS_VALID_PASSWD(pw_r->pw_passwd)) {
e_info(authdb_event(request),
"invalid password field '%s'", pw_r->pw_passwd);
return PASSDB_RESULT_USER_DISABLED;
}
/* save the password so cache can use it */
auth_request_set_field(request, "password", pw_r->pw_passwd,
PASSWD_PASS_SCHEME);
return PASSDB_RESULT_OK;
}
static void
passwd_verify_plain(struct auth_request *request, const char *password,
verify_plain_callback_t *callback)
{
struct passwd pw;
enum passdb_result res;
int ret;
res = passwd_lookup(request, &pw);
if (res != PASSDB_RESULT_OK) {
callback(res, request);
return;
}
/* check if the password is valid */
ret = auth_request_password_verify(request, password, pw.pw_passwd,
PASSWD_PASS_SCHEME, AUTH_SUBSYS_DB);
/* clear the passwords from memory */
safe_memset(pw.pw_passwd, 0, strlen(pw.pw_passwd));
if (ret <= 0) {
callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);
return;
}
/* make sure we're using the username exactly as it's in the database */
auth_request_set_field(request, "user", pw.pw_name, NULL);
callback(PASSDB_RESULT_OK, request);
}
static void
passwd_lookup_credentials(struct auth_request *request,
lookup_credentials_callback_t *callback)
{
struct passwd pw;
enum passdb_result res;
res = passwd_lookup(request, &pw);
if (res != PASSDB_RESULT_OK) {
callback(res, NULL, 0, request);
return;
}
/* make sure we're using the username exactly as it's in the database */
auth_request_set_field(request, "user", pw.pw_name, NULL);
passdb_handle_credentials(PASSDB_RESULT_OK, pw.pw_passwd,
PASSWD_PASS_SCHEME, callback, request);
}
static struct passdb_module *
passwd_preinit(pool_t pool, const char *args)
{
struct passdb_module *module;
module = p_new(pool, struct passdb_module, 1);
module->blocking = TRUE;
if (strcmp(args, "blocking=no") == 0)
module->blocking = FALSE;
else if (*args != '\0')
i_fatal("passdb passwd: Unknown setting: %s", args);
module->default_cache_key = PASSWD_CACHE_KEY;
module->default_pass_scheme = PASSWD_PASS_SCHEME;
return module;
}
static void passwd_deinit(struct passdb_module *module ATTR_UNUSED)
{
endpwent();
}
struct passdb_module_interface passdb_passwd = {
"passwd",
passwd_preinit,
NULL,
passwd_deinit,
passwd_verify_plain,
passwd_lookup_credentials,
NULL
};
#else
struct passdb_module_interface passdb_passwd = {
.name = "passwd"
};
#endif
|