[exim.git] / src / src / auths / dovecot.c

/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.12 2010/03/05 16:11:11 nm4 Exp $ */

/*
 * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 */

/* A number of modifications have been made to the original code. Originally I
commented them specially, but now they are getting quite extensive, so I have
ceased doing that. The biggest change is to use unbuffered I/O on the socket
because using C buffered I/O gives problems on some operating systems. PH */

#include "../exim.h"
#include "dovecot.h"

#define VERSION_MAJOR  1
#define VERSION_MINOR  0

/* Options specific to the authentication mechanism. */
optionlist auth_dovecot_options[] = {
       {
       "server_socket",
       opt_stringptr,
       (void *)(offsetof(auth_dovecot_options_block, server_socket))
       },
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_dovecot_options_count =
       sizeof(auth_dovecot_options) / sizeof(optionlist);

/* Default private options block for the authentication method. */

auth_dovecot_options_block auth_dovecot_option_defaults = {
       NULL,                           /* server_socket */
};


/* Static variables for reading from the socket */

static uschar sbuffer[256];
static int sbp;


/*************************************************
 *          Initialization entry point           *
 *************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

void auth_dovecot_init(auth_instance *ablock)
{
       auth_dovecot_options_block *ob =
               (auth_dovecot_options_block *)(ablock->options_block);

       if (ablock->public_name == NULL)
               ablock->public_name = ablock->name;
       if (ob->server_socket != NULL)
               ablock->server = TRUE;
       ablock->client = FALSE;
}

static int strcut(uschar *str, uschar **ptrs, int nptrs)
{
       uschar *tmp = str;
       int n;

       for (n = 0; n < nptrs; n++)
               ptrs[n] = NULL;
       n = 1;

       while (*str) {
               if (*str == '\t') {
                       if (n <= nptrs) {
                               *ptrs++ = tmp;
                               tmp = str + 1;
                               *str = 0;
                       }
                       n++;
               }
               str++;
       }

       if (n < nptrs)
               *ptrs = tmp;

       return n;
}

#define CHECK_COMMAND(str, arg_min, arg_max) do { \
       if (strcmpic(US(str), args[0]) != 0) \
               goto out; \
       if (nargs - 1 < (arg_min)) \
               goto out; \
       if ( (arg_max != -1) && (nargs - 1 > (arg_max)) ) \
               goto out; \
} while (0)

#define OUT(msg) do { \
       auth_defer_msg = (US msg); \
       goto out; \
} while(0)


/*************************************************
*      "fgets" to read directly from socket      *
*************************************************/

/* Added by PH after a suggestion by Steve Usher because the previous use of
C-style buffered I/O gave trouble. */

static uschar *
dc_gets(uschar *s, int n, int fd)
{
int p = 0;
int count = 0;

for (;;)
  {
  if (sbp == 0)
    {
    sbp = read(fd, sbuffer, sizeof(sbuffer));
    if (sbp == 0) { if (count == 0) return NULL; else break; }
    p = 0;
    }

  while (p < sbp)
    {
    if (count >= n - 1) break;
    s[count++] = sbuffer[p];
    if (sbuffer[p++] == '\n') break;
    }

  memmove(sbuffer, sbuffer + p, sbp - p);
  sbp -= p;

  if (s[count-1] == '\n' || count >= n - 1) break;
  }

s[count] = 0;
return s;
}


/*************************************************
*              Server entry point                *
*************************************************/

int auth_dovecot_server(auth_instance *ablock, uschar *data)
{
       auth_dovecot_options_block *ob =
               (auth_dovecot_options_block *)(ablock->options_block);
       struct sockaddr_un sa;
       uschar buffer[4096];
       uschar *args[8];
       uschar *auth_command;
       uschar *auth_extra_data = US"";
       int nargs, tmp;
       int cuid = 0, cont = 1, found = 0, fd, ret = DEFER;

       HDEBUG(D_auth) debug_printf("dovecot authentication\n");

       memset(&sa, 0, sizeof(sa));
       sa.sun_family = AF_UNIX;

       /* This was the original code here: it is nonsense because strncpy()
       does not return an integer. I have converted this to use the function
       that formats and checks length. PH */

       /*
       if (strncpy(sa.sun_path, ob->server_socket, sizeof(sa.sun_path)) < 0) {
       */

       if (!string_format(US sa.sun_path, sizeof(sa.sun_path), "%s",
                          ob->server_socket)) {
               auth_defer_msg = US"authentication socket path too long";
               return DEFER;
       }

       auth_defer_msg = US"authentication socket connection error";

       fd = socket(PF_UNIX, SOCK_STREAM, 0);
       if (fd < 0)
               return DEFER;

       if (connect(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0)
               goto out;

       auth_defer_msg = US"authentication socket protocol error";

       sbp = 0;  /* Socket buffer pointer */
       while (cont) {
               if (dc_gets(buffer, sizeof(buffer), fd) == NULL)
                       OUT("authentication socket read error or premature eof");

               buffer[Ustrlen(buffer) - 1] = 0;
               HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
               nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));

               /* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that
                  Exim will need. Original code also failed if Dovecot server sent unknown
                  command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */
               if (Ustrcmp(args[0], US"CUID") == 0) {
                       CHECK_COMMAND("CUID", 1, 1);
                       cuid = Uatoi(args[1]);
               } else if (Ustrcmp(args[0], US"VERSION") == 0) {
                       CHECK_COMMAND("VERSION", 2, 2);
                       if (Uatoi(args[1]) != VERSION_MAJOR)
                               OUT("authentication socket protocol version mismatch");
               } else if (Ustrcmp(args[0], US"MECH") == 0) {
                       CHECK_COMMAND("MECH", 1, INT_MAX);
                       if (strcmpic(US args[1], ablock->public_name) == 0)
                               found = 1;
               } else if (Ustrcmp(args[0], US"DONE") == 0) {
                       CHECK_COMMAND("DONE", 0, 0);
                       cont = 0;
               }
       }

       if (!found)
               goto out;

       /* Added by PH: data must not contain tab (as it is
       b64 it shouldn't, but check for safety). */

       if (Ustrchr(data, '\t') != NULL) {
               ret = FAIL;
               goto out;
       }

       /* Added by PH: extra fields when TLS is in use or if the TCP/IP
       connection is local. */

       if (tls_cipher != NULL)
               auth_extra_data = string_sprintf("secured\t%s%s",
                   tls_certificate_verified? "valid-client-cert" : "",
                   tls_certificate_verified? "\t" : "");
       else if (interface_address != NULL &&
                Ustrcmp(sender_host_address, interface_address) == 0)
               auth_extra_data = US"secured\t";


/****************************************************************************
   The code below was the original code here. It didn't work. A reading of the
   file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that
   this was not right. Maybe something changed. I changed it to move the
   service indication into the AUTH command, and it seems to be better. PH

       fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
               "AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
               VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
               ablock->public_name, sender_host_address, interface_address,
               data ? (char *) data : "");

   Subsequently, the command was modified to add "secured" and "valid-client-
   cert" when relevant.

   The auth protocol is documented here:
        http://wiki.dovecot.org/Authentication_Protocol
****************************************************************************/

       auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
               "AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n",
               VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
               ablock->public_name, auth_extra_data, sender_host_address,
               interface_address, data ? (char *) data : "");

       if (write(fd, auth_command, Ustrlen(auth_command)) < 0)
              HDEBUG(D_auth) debug_printf("error sending auth_command: %s\n",
                strerror(errno));

       HDEBUG(D_auth) debug_printf("sent: %s", auth_command);

       while (1) {
               uschar *temp;
               uschar *auth_id_pre = NULL;
               int i;

               if (dc_gets(buffer, sizeof(buffer), fd) == NULL) {
                       auth_defer_msg = US"authentication socket read error or premature eof";
                       goto out;
               }

               buffer[Ustrlen(buffer) - 1] = 0;
               HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
               nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));

               if (Uatoi(args[1]) != cuid)
                       OUT("authentication socket connection id mismatch");

               switch (toupper(*args[0])) {
               case 'C':
                       CHECK_COMMAND("CONT", 1, 2);

                       tmp = auth_get_no64_data(&data, US args[2]);
                       if (tmp != OK) {
                               ret = tmp;
                               goto out;
                       }

                       /* Added by PH: data must not contain tab (as it is
                       b64 it shouldn't, but check for safety). */

                       if (Ustrchr(data, '\t') != NULL) {
                               ret = FAIL;
                               goto out;
                       }

                       temp = string_sprintf("CONT\t%d\t%s\n", cuid, data);
                       if (write(fd, temp, Ustrlen(temp)) < 0)
                               OUT("authentication socket write error");
                       break;

               case 'F':
                       CHECK_COMMAND("FAIL", 1, -1);

                       for (i=2; (i<nargs) && (auth_id_pre == NULL); i++)
                       {
                               if ( Ustrncmp(args[i], US"user=", 5) == 0 )
                               {
                                       auth_id_pre = args[i]+5;
                                       expand_nstring[1] = auth_vars[0] =
                                               string_copy(auth_id_pre); /* PH */
                                       expand_nlength[1] = Ustrlen(auth_id_pre);
                                       expand_nmax = 1;
                               }
                       }

                       ret = FAIL;
                       goto out;

               case 'O':
                       CHECK_COMMAND("OK", 2, -1);

                       /*
                        * Search for the "user=$USER" string in the args array
                        * and return the proper value.
                        */
                       for (i=2; (i<nargs) && (auth_id_pre == NULL); i++)
                       {
                               if ( Ustrncmp(args[i], US"user=", 5) == 0 )
                               {
                                       auth_id_pre = args[i]+5;
                                       expand_nstring[1] = auth_vars[0] =
                                               string_copy(auth_id_pre); /* PH */
                                       expand_nlength[1] = Ustrlen(auth_id_pre);
                                       expand_nmax = 1;
                               }
                       }

                       if (auth_id_pre == NULL)
                               OUT("authentication socket protocol error, username missing");

                       ret = OK;
                       /* fallthrough */

               default:
                       goto out;
               }
       }

out:
       /* close the socket used by dovecot */
       if (fd >= 0)
              close(fd);

       /* Expand server_condition as an authorization check */
       return (ret == OK)? auth_check_serv_cond(ablock) : ret;
}
Commit	Line	Data
981a9fad	1	/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.12 2010/03/05 16:11:11 nm4 Exp $ */
14aa5a05 PH	2
	3	/*
	4	* Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published
	8	* by the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*/
	11
57c2c631 PH	12	/* A number of modifications have been made to the original code. Originally I
	13	commented them specially, but now they are getting quite extensive, so I have
	14	ceased doing that. The biggest change is to use unbuffered I/O on the socket
	15	because using C buffered I/O gives problems on some operating systems. PH */
	16
14aa5a05 PH	17	#include "../exim.h"
	18	#include "dovecot.h"
	19
	20	#define VERSION_MAJOR 1
	21	#define VERSION_MINOR 0
	22
	23	/* Options specific to the authentication mechanism. */
	24	optionlist auth_dovecot_options[] = {
	25	{
57c2c631 PH	26	"server_socket",
	27	opt_stringptr,
	28	(void *)(offsetof(auth_dovecot_options_block, server_socket))
14aa5a05 PH	29	},
	30	};
	31
	32	/* Size of the options list. An extern variable has to be used so that its
	33	address can appear in the tables drtables.c. */
57c2c631	34
14aa5a05 PH	35	int auth_dovecot_options_count =
	36	sizeof(auth_dovecot_options) / sizeof(optionlist);
	37
	38	/* Default private options block for the authentication method. */
57c2c631	39
14aa5a05 PH	40	auth_dovecot_options_block auth_dovecot_option_defaults = {
	41	NULL, /* server_socket */
	42	};
	43
57c2c631 PH	44
	45	/* Static variables for reading from the socket */
	46
	47	static uschar sbuffer[256];
	48	static int sbp;
	49
	50
	51
14aa5a05 PH	52	/*************************************************
	53	* Initialization entry point *
	54	*************************************************/
	55
	56	/* Called for each instance, after its options have been read, to
	57	enable consistency checks to be done, or anything else that needs
	58	to be set up. */
57c2c631	59
14aa5a05 PH	60	void auth_dovecot_init(auth_instance *ablock)
	61	{
	62	auth_dovecot_options_block *ob =
	63	(auth_dovecot_options_block *)(ablock->options_block);
	64
	65	if (ablock->public_name == NULL)
	66	ablock->public_name = ablock->name;
	67	if (ob->server_socket != NULL)
	68	ablock->server = TRUE;
	69	ablock->client = FALSE;
	70	}
	71
57c2c631	72	static int strcut(uschar str, uschar *ptrs, int nptrs)
14aa5a05	73	{
57c2c631	74	uschar *tmp = str;
14aa5a05 PH	75	int n;
	76
	77	for (n = 0; n < nptrs; n++)
	78	ptrs[n] = NULL;
	79	n = 1;
	80
	81	while (*str) {
	82	if (*str == '\t') {
	83	if (n <= nptrs) {
	84	*ptrs++ = tmp;
	85	tmp = str + 1;
	86	*str = 0;
	87	}
	88	n++;
	89	}
	90	str++;
	91	}
	92
	93	if (n < nptrs)
	94	*ptrs = tmp;
	95
	96	return n;
	97	}
	98
	99	#define CHECK_COMMAND(str, arg_min, arg_max) do { \
57c2c631	100	if (strcmpic(US(str), args[0]) != 0) \
14aa5a05 PH	101	goto out; \
	102	if (nargs - 1 < (arg_min)) \
	103	goto out; \
6c588e74	104	if ( (arg_max != -1) && (nargs - 1 > (arg_max)) ) \
14aa5a05 PH	105	goto out; \
	106	} while (0)
	107
	108	#define OUT(msg) do { \
	109	auth_defer_msg = (US msg); \
	110	goto out; \
	111	} while(0)
	112
7befa435 PH	113
7befa435 PH	114
14aa5a05	115	/*************************************************
57c2c631 PH	116	* "fgets" to read directly from socket *
	117	*************************************************/
	118
	119	/* Added by PH after a suggestion by Steve Usher because the previous use of
	120	C-style buffered I/O gave trouble. */
	121
	122	static uschar *
	123	dc_gets(uschar *s, int n, int fd)
	124	{
	125	int p = 0;
	126	int count = 0;
	127
	128	for (;;)
	129	{
	130	if (sbp == 0)
	131	{
	132	sbp = read(fd, sbuffer, sizeof(sbuffer));
	133	if (sbp == 0) { if (count == 0) return NULL; else break; }
51473862	134	p = 0;
57c2c631 PH	135	}
	136
	137	while (p < sbp)
	138	{
	139	if (count >= n - 1) break;
	140	s[count++] = sbuffer[p];
	141	if (sbuffer[p++] == '\n') break;
	142	}
	143
	144	memmove(sbuffer, sbuffer + p, sbp - p);
	145	sbp -= p;
	146
	147	if (s[count-1] == '\n' \|\| count >= n - 1) break;
	148	}
	149
	150	s[count] = 0;
	151	return s;
	152	}
	153
	154
	155
	156
	157	/*************************************************
	158	* Server entry point *
	159	*************************************************/
14aa5a05 PH	160
	161	int auth_dovecot_server(auth_instance ablock, uschar data)
	162	{
	163	auth_dovecot_options_block *ob =
	164	(auth_dovecot_options_block *)(ablock->options_block);
	165	struct sockaddr_un sa;
57c2c631 PH	166	uschar buffer[4096];
57c2c631 PH	167	uschar *args[8];
7befa435 PH	168	uschar *auth_command;
7befa435 PH	169	uschar *auth_extra_data = US"";
14aa5a05 PH	170	int nargs, tmp;
14aa5a05 PH	171	int cuid = 0, cont = 1, found = 0, fd, ret = DEFER;
14aa5a05 PH	172
	173	HDEBUG(D_auth) debug_printf("dovecot authentication\n");
	174
	175	memset(&sa, 0, sizeof(sa));
	176	sa.sun_family = AF_UNIX;
	177
	178	/* This was the original code here: it is nonsense because strncpy()
	179	does not return an integer. I have converted this to use the function
	180	that formats and checks length. PH */
	181
	182	/*
	183	if (strncpy(sa.sun_path, ob->server_socket, sizeof(sa.sun_path)) < 0) {
	184	*/
	185
	186	if (!string_format(US sa.sun_path, sizeof(sa.sun_path), "%s",
	187	ob->server_socket)) {
	188	auth_defer_msg = US"authentication socket path too long";
	189	return DEFER;
	190	}
	191
	192	auth_defer_msg = US"authentication socket connection error";
	193
	194	fd = socket(PF_UNIX, SOCK_STREAM, 0);
	195	if (fd < 0)
	196	return DEFER;
	197
	198	if (connect(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0)
	199	goto out;
	200
14aa5a05 PH	201	auth_defer_msg = US"authentication socket protocol error";
14aa5a05 PH	202
57c2c631	203	sbp = 0; /* Socket buffer pointer */
14aa5a05	204	while (cont) {
57c2c631	205	if (dc_gets(buffer, sizeof(buffer), fd) == NULL)
14aa5a05 PH	206	OUT("authentication socket read error or premature eof");
14aa5a05 PH	207
57c2c631	208	buffer[Ustrlen(buffer) - 1] = 0;
14aa5a05 PH	209	HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
	210	nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));
	211
981a9fad NM	212	/* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that
	213	Exim will need. Original code also failed if Dovecot server sent unknown
	214	command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */
	215	if (Ustrcmp(args[0], US"CUID") == 0) {
14aa5a05	216	CHECK_COMMAND("CUID", 1, 1);
57c2c631	217	cuid = Uatoi(args[1]);
981a9fad	218	} else if (Ustrcmp(args[0], US"VERSION") == 0) {
14aa5a05	219	CHECK_COMMAND("VERSION", 2, 2);
57c2c631	220	if (Uatoi(args[1]) != VERSION_MAJOR)
14aa5a05	221	OUT("authentication socket protocol version mismatch");
981a9fad NM	222	} else if (Ustrcmp(args[0], US"MECH") == 0) {
	223	CHECK_COMMAND("MECH", 1, INT_MAX);
	224	if (strcmpic(US args[1], ablock->public_name) == 0)
	225	found = 1;
	226	} else if (Ustrcmp(args[0], US"DONE") == 0) {
	227	CHECK_COMMAND("DONE", 0, 0);
	228	cont = 0;
14aa5a05 PH	229	}
	230	}
	231
	232	if (!found)
	233	goto out;
	234
7befa435 PH	235	/* Added by PH: data must not contain tab (as it is
	236	b64 it shouldn't, but check for safety). */
	237
	238	if (Ustrchr(data, '\t') != NULL) {
	239	ret = FAIL;
	240	goto out;
	241	}
	242
	243	/* Added by PH: extra fields when TLS is in use or if the TCP/IP
	244	connection is local. */
	245
	246	if (tls_cipher != NULL)
	247	auth_extra_data = string_sprintf("secured\t%s%s",
	248	tls_certificate_verified? "valid-client-cert" : "",
	249	tls_certificate_verified? "\t" : "");
094a9ec3 PH	250	else if (interface_address != NULL &&
094a9ec3 PH	251	Ustrcmp(sender_host_address, interface_address) == 0)
7befa435 PH	252	auth_extra_data = US"secured\t";
7befa435 PH	253
14aa5a05 PH	254
	255	/****************************************************************************
	256	The code below was the original code here. It didn't work. A reading of the
	257	file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that
7befa435 PH	258	this was not right. Maybe something changed. I changed it to move the
7befa435 PH	259	service indication into the AUTH command, and it seems to be better. PH
14aa5a05 PH	260
	261	fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
	262	"AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
	263	VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
	264	ablock->public_name, sender_host_address, interface_address,
	265	data ? (char *) data : "");
7befa435 PH	266
	267	Subsequently, the command was modified to add "secured" and "valid-client-
	268	cert" when relevant.
6c588e74 NM	269
	270	The auth protocol is documented here:
	271	http://wiki.dovecot.org/Authentication_Protocol
14aa5a05 PH	272	****************************************************************************/
14aa5a05 PH	273
7befa435	274	auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
deafd5b3	275	"AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n",
14aa5a05	276	VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
7befa435 PH	277	ablock->public_name, auth_extra_data, sender_host_address,
7befa435 PH	278	interface_address, data ? (char *) data : "");
14aa5a05	279
57c2c631 PH	280	if (write(fd, auth_command, Ustrlen(auth_command)) < 0)
	281	HDEBUG(D_auth) debug_printf("error sending auth_command: %s\n",
	282	strerror(errno));
	283
7befa435	284	HDEBUG(D_auth) debug_printf("sent: %s", auth_command);
14aa5a05 PH	285
14aa5a05 PH	286	while (1) {
57c2c631	287	uschar *temp;
6c588e74 NM	288	uschar *auth_id_pre = NULL;
	289	int i;
	290
57c2c631	291	if (dc_gets(buffer, sizeof(buffer), fd) == NULL) {
14aa5a05 PH	292	auth_defer_msg = US"authentication socket read error or premature eof";
	293	goto out;
	294	}
	295
57c2c631	296	buffer[Ustrlen(buffer) - 1] = 0;
14aa5a05 PH	297	HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
	298	nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));
	299
57c2c631	300	if (Uatoi(args[1]) != cuid)
14aa5a05 PH	301	OUT("authentication socket connection id mismatch");
	302
	303	switch (toupper(*args[0])) {
	304	case 'C':
	305	CHECK_COMMAND("CONT", 1, 2);
	306
	307	tmp = auth_get_no64_data(&data, US args[2]);
	308	if (tmp != OK) {
	309	ret = tmp;
	310	goto out;
	311	}
	312
7befa435 PH	313	/* Added by PH: data must not contain tab (as it is
	314	b64 it shouldn't, but check for safety). */
	315
	316	if (Ustrchr(data, '\t') != NULL) {
	317	ret = FAIL;
	318	goto out;
	319	}
	320
deafd5b3	321	temp = string_sprintf("CONT\t%d\t%s\n", cuid, data);
57c2c631	322	if (write(fd, temp, Ustrlen(temp)) < 0)
14aa5a05	323	OUT("authentication socket write error");
14aa5a05 PH	324	break;
	325
	326	case 'F':
6c588e74	327	CHECK_COMMAND("FAIL", 1, -1);
14aa5a05	328
6c588e74 NM	329	for (i=2; (i<nargs) && (auth_id_pre == NULL); i++)
	330	{
	331	if ( Ustrncmp(args[i], US"user=", 5) == 0 )
	332	{
	333	auth_id_pre = args[i]+5;
f0872424	334	expand_nstring[1] = auth_vars[0] =
6c588e74 NM	335	string_copy(auth_id_pre); /* PH */
6c588e74 NM	336	expand_nlength[1] = Ustrlen(auth_id_pre);
14aa5a05 PH	337	expand_nmax = 1;
	338	}
	339	}
	340
	341	ret = FAIL;
	342	goto out;
	343
	344	case 'O':
6c588e74 NM	345	CHECK_COMMAND("OK", 2, -1);
	346
	347	/*
	348	* Search for the "user=$USER" string in the args array
	349	* and return the proper value.
	350	*/
	351	for (i=2; (i<nargs) && (auth_id_pre == NULL); i++)
14aa5a05	352	{
6c588e74 NM	353	if ( Ustrncmp(args[i], US"user=", 5) == 0 )
	354	{
	355	auth_id_pre = args[i]+5;
	356	expand_nstring[1] = auth_vars[0] =
	357	string_copy(auth_id_pre); /* PH */
	358	expand_nlength[1] = Ustrlen(auth_id_pre);
	359	expand_nmax = 1;
	360	}
14aa5a05	361	}
6c588e74 NM	362
	363	if (auth_id_pre == NULL)
	364	OUT("authentication socket protocol error, username missing");
	365
14aa5a05 PH	366	ret = OK;
	367	/* fallthrough */
	368
	369	default:
	370	goto out;
	371	}
	372	}
	373
57c2c631	374	out:
3f0da4d0 NM	375	/* close the socket used by dovecot */
	376	if (fd >= 0)
	377	close(fd);
16ff981e PH	378
	379	/* Expand server_condition as an authorization check */
	380	return (ret == OK)? auth_check_serv_cond(ablock) : ret;
14aa5a05	381	}