1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2023 */
6 /* Copyright (c) University of Cambridge 1995 - 2012 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
12 /* This module contains the function server_condition(), which is used
13 by all authenticators. */
16 /*************************************************
17 * Check server_condition *
18 *************************************************/
20 /* This function is called from the server code of all authenticators. For
21 plaintext and gsasl, it is always called: the argument cannot be empty, because
22 for those, setting server_condition is what enables it as a server
23 authenticator. For all the other authenticators, this function is called after
24 they have authenticated, to enable additional authorization to be done.
26 Argument: the authenticator's instance block
29 OK NULL argument, or success
30 DEFER couldn't complete the check
31 FAIL authentication failed
35 auth_check_serv_cond(auth_instance * ablock)
37 return auth_check_some_cond(ablock,
38 US"server_condition", ablock->server_condition, OK);
42 /*************************************************
43 * Check some server condition *
44 *************************************************/
46 /* This underlies server_condition, but is also used for some more generic
50 ablock the authenticator's instance block
51 label debugging label naming the string checked
52 condition the condition string to be expanded and checked
53 unset value to return on NULL condition
56 OK success (or unset=OK)
57 DEFER couldn't complete the check
58 FAIL authentication failed
62 auth_check_some_cond(auth_instance * ablock,
63 uschar * label, uschar * condition, int unset)
69 debug_printf("%s authenticator %s:\n", ablock->name, label);
70 for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
71 debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
72 for (int i = 1; i <= expand_nmax; i++)
73 debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
74 debug_print_string(ablock->server_debug_string); /* customized debug */
77 /* For the plaintext authenticator, server_condition is never NULL. For the
78 rest, an unset condition lets everything through. */
80 /* For server_condition, an unset condition lets everything through.
81 For plaintext/gsasl authenticators, it will have been pre-checked to prevent
82 this. We return the unset scenario value given to us, which for
83 server_condition will be OK and otherwise will typically be FAIL. */
85 if (!condition) return unset;
86 cond = expand_string(condition);
90 debug_printf("expansion failed: %s\n", expand_string_message);
92 debug_printf("expanded string: %s\n", cond);
94 /* A forced expansion failure causes authentication to fail. Other expansion
95 failures yield DEFER, which will cause a temporary error code to be returned to
96 the AUTH command. The problem is at the server end, so the client should try
101 if (f.expand_string_forcedfail) return FAIL;
102 auth_defer_msg = expand_string_message;
106 /* Return FAIL for empty string, "0", "no", and "false"; return OK for
107 "1", "yes", and "true"; return DEFER for anything else, with the string
108 available as an error text for the user. */
111 Ustrcmp(cond, "0") == 0 ||
112 strcmpic(cond, US"no") == 0 ||
113 strcmpic(cond, US"false") == 0)
116 if (Ustrcmp(cond, "1") == 0 ||
117 strcmpic(cond, US"yes") == 0 ||
118 strcmpic(cond, US"true") == 0)
121 auth_defer_msg = cond;
122 auth_defer_user_msg = string_sprintf(": %s", cond);
126 /* End of check_serv_cond.c */
git://git.exim.org / exim.git / blob