Commit | Line | Data |
---|---|---|
16ff981e PH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
c4ceed07 | 5 | /* Copyright (c) University of Cambridge 1995 - 2012 */ |
16ff981e PH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | #include "../exim.h" | |
9 | ||
10 | /* This module contains the function server_condition(), which is used | |
11 | by all authenticators. */ | |
12 | ||
13 | ||
14 | /************************************************* | |
15 | * Check server_condition * | |
16 | *************************************************/ | |
17 | ||
18 | /* This function is called from the server code of all authenticators. For | |
44bbabb5 PP |
19 | plaintext and gsasl, it is always called: the argument cannot be empty, because |
20 | for those, setting server_condition is what enables it as a server | |
16ff981e PH |
21 | authenticator. For all the other authenticators, this function is called after |
22 | they have authenticated, to enable additional authorization to be done. | |
23 | ||
24 | Argument: the authenticator's instance block | |
25 | ||
26 | Returns: | |
27 | OK NULL argument, or success | |
28 | DEFER couldn't complete the check | |
29 | FAIL authentication failed | |
30 | */ | |
31 | ||
int
auth_check_serv_cond(auth_instance *ablock)
{
/* Delegate to the generic checker. OK is passed as the "unset" result, so an
authenticator whose server_condition is NULL is accepted without any further
authorization check here; whether NULL is ever reached for a given
authenticator is decided by the caller, not by this function. */

uschar *condition = ablock->server_condition;

return auth_check_some_cond(ablock, US"server_condition", condition, OK);
}
38 | ||
39 | ||
40 | /************************************************* | |
41 | * Check some server condition * | |
42 | *************************************************/ | |
43 | ||
44 | /* This underlies server_condition, but is also used for some more generic | |
45 | checks. | |
46 | ||
47 | Arguments: | |
48 | ablock the authenticator's instance block | |
49 | label debugging label naming the string checked | |
50 | condition the condition string to be expanded and checked | |
51 | unset value to return on NULL condition | |
52 | ||
53 | Returns: | |
54 | OK success (or unset=OK) | |
55 | DEFER couldn't complete the check | |
56 | FAIL authentication failed | |
57 | */ | |
58 | ||
int
auth_check_some_cond(auth_instance *ablock,
    uschar *label, uschar *condition, int unset)
{
uschar *expanded;

/* Debug trace of the inputs to the check. NOTE(review): auth_vars[] appears to
hold the values behind $auth1..$authN, which presumably come from the client's
AUTH exchange and may include credentials - treat D_auth debug output as
sensitive; confirm against the authenticator drivers. */

HDEBUG(D_auth)
  {
  debug_printf("%s authenticator %s:\n", ablock->name, label);

  for (int i = 0; i < AUTH_VARS; i++)
    {
    if (!auth_vars[i]) continue;
    debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
    }

  for (int i = 1; i <= expand_nmax; i++)
    debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);

  debug_print_string(ablock->server_debug_string); /* customized debug */
  }

/* A NULL condition is not evaluated at all: the caller-supplied "unset" value
is returned as-is. auth_check_serv_cond() passes OK, so an unset
server_condition lets everything through; callers using this for other checks
choose their own value. */

if (!condition)
  return unset;

expanded = expand_string(condition);

/* Expansion failure. A forced failure is a definite rejection (FAIL); any
other failure is reported as DEFER with the expansion error stored in
auth_defer_msg, so the AUTH command gets a temporary error. */

if (!expanded)
  {
  HDEBUG(D_auth)
    debug_printf("expansion failed: %s\n", expand_string_message);

  if (f.expand_string_forcedfail)
    return FAIL;

  auth_defer_msg = expand_string_message;
  return DEFER;
  }

HDEBUG(D_auth)
  debug_printf("expanded string: %s\n", expanded);

/* Empty string, "0", "no" and "false" mean FAIL. */

if (  *expanded == 0
   || Ustrcmp(expanded, "0") == 0
   || strcmpic(expanded, US"no") == 0
   || strcmpic(expanded, US"false") == 0
   )
  return FAIL;

/* "1", "yes" and "true" mean OK. */

if (  Ustrcmp(expanded, "1") == 0
   || strcmpic(expanded, US"yes") == 0
   || strcmpic(expanded, US"true") == 0
   )
  return OK;

/* Anything else is DEFER, and the expanded text itself is stored both as the
defer message and, prefixed with ": ", as the user-visible message. A condition
must therefore never expand to anything sensitive on its unexpected-value
paths, because that text is made available to the client. */

auth_defer_msg = expanded;
auth_defer_user_msg = string_sprintf(": %s", expanded);
return DEFER;
}
123 | ||
124 | /* End of check_serv_cond.c */ |