X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/3634fc257bd0667daef14d72005cd87c735bbb24..a85c067ba6c6940512cf57ec213277a370d87e70:/src/src/auths/check_serv_cond.c
diff --git a/src/src/auths/check_serv_cond.c b/src/src/auths/check_serv_cond.c
index 476d112ae..033d2026b 100644
--- a/src/src/auths/check_serv_cond.c
+++ b/src/src/auths/check_serv_cond.c
@@ -2,8 +2,9 @@
 * Exim - an Internet mail transport agent *
 *************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2012 */
 /* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-only */
 #include "../exim.h"
@@ -16,8 +17,8 @@ by all authenticators. */
 *************************************************/
 /* This function is called from the server code of all authenticators. For
-plaintext, it is always called: the argument cannot be empty, because for
-plaintext, setting server_condition is what enables it as a server
+plaintext and gsasl, it is always called: the argument cannot be empty, because
+for those, setting server_condition is what enables it as a server
 authenticator. For all the other authenticators, this function is called after
 they have authenticated, to enable additional authorization to be done.
@@ -31,19 +32,43 @@ Returns:
 int
 auth_check_serv_cond(auth_instance *ablock)
+{
+ return auth_check_some_cond(ablock,
+ US"server_condition", ablock->server_condition, OK);
+}
+
+
+/*************************************************
+* Check some server condition *
+*************************************************/
+
+/* This underlies server_condition, but is also used for some more generic
+ checks.
+
+Arguments:
+ ablock the authenticator's instance block
+ label debugging label naming the string checked
+ condition the condition string to be expanded and checked
+ unset value to return on NULL condition
+
+Returns:
+ OK success (or unset=OK)
+ DEFER couldn't complete the check
+ FAIL authentication failed
+*/
+
+int
+auth_check_some_cond(auth_instance *ablock,
+ uschar *label, uschar *condition, int unset)
 {
 uschar *cond;
 HDEBUG(D_auth)
 {
- int i;
- debug_printf("%s authenticator:\n", ablock->name);
- for (i = 0; i < AUTH_VARS; i++)
- {
- if (auth_vars[i] != NULL)
- debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
- }
- for (i = 1; i <= expand_nmax; i++)
+ debug_printf("%s authenticator %s:\n", ablock->name, label);
+ for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
+ debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
+ for (int i = 1; i <= expand_nmax; i++)
 debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
 debug_print_string(ablock->server_debug_string); /* customized debug */
 }
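Review bot: The header comment added for `auth_check_some_cond` does not tell callers that the check is fail-open whenever they pass `OK` as `unset`. The value is a bare `int` handed back as-is when `condition` is NULL (the `return unset` sits in the next hunk), and the Returns list mentions only `unset=OK`. Because the helper is now offered for "more generic checks", I would extend the argument line to something like `unset      value returned when condition is NULL; pass FAIL for any check that must not succeed while its option is unset`, and note under Returns that DEFER or FAIL may also come straight from `unset`. The function body continues past the end of this hunk.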
@@ -51,25 +76,28 @@ HDEBUG(D_auth)
 /* For the plaintext authenticator, server_condition is never NULL. For the
 rest, an unset condition lets everything through. */
-if (ablock->server_condition == NULL) return OK;
-cond = expand_string(ablock->server_condition);
+/* For server_condition, an unset condition lets everything through.
+For plaintext/gsasl authenticators, it will have been pre-checked to prevent
+this. We return the unset scenario value given to us, which for
+server_condition will be OK and otherwise will typically be FAIL. */
+
+if (!condition) return unset;
+cond = expand_string(condition);
 HDEBUG(D_auth)
- {
- if (cond == NULL)
+ if (!cond)
 debug_printf("expansion failed: %s\n", expand_string_message);
 else
 debug_printf("expanded string: %s\n", cond);
- }
 /* A forced expansion failure causes authentication to fail. Other expansion
 failures yield DEFER, which will cause a temporary error code to be returned to
 the AUTH command. The problem is at the server end, so the client should try
 again later. */
-if (cond == NULL)
+if (!cond)
 {
- if (expand_string_forcedfail) return FAIL;
+ if (f.expand_string_forcedfail) return FAIL;
 auth_defer_msg = expand_string_message;
 return DEFER;
 }
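Review bot: Dropping the braces after `HDEBUG(D_auth)` leaves an `if`/`else` hanging directly off the macro; `HDEBUG(...)` is written as a statement prefix, so it presumably expands to an `if (...)`, and the `else` now pairs with `if (!cond)` only by the dangling-else rule. Behaviour is unchanged today, but a later edit that adds a second statement under the macro would run outside the debug guard, and compilers commonly warn about this shape. I would restore the `{` after `HDEBUG(D_auth)` and the matching `}` after the second `debug_printf`. Separately, the older comment kept as context at the top of the hunk ("an unset condition lets everything through") now sits directly above the new one and no longer covers the case where `unset` is not `OK`, so it could be dropped. The function continues beyond the last line of the hunk.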