From: gilles@poolp.org Subject: Re: smtpd: table auth offloading To: "Omar Polo" Cc: tech@openbsd.org Date: Sun, 26 May 2024 21:27:16 +0000 > > updated, I decided to not be as verbose about auth tables since its a > developer only feature, moved it to smtpd-tables.7, made >80 lines > shorter. > > if no objection, I'll commit tomorrow. >
> Index: lka.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/lka.c,v
> diff -u -p -r1.248 lka.c
> --- lka.c 20 Jan 2024 09:01:03 -0000 1.248
> +++ lka.c 26 May 2024 20:56:02 -0000
> @@ -720,6 +720,7 @@ static int
> lka_authenticate(const char *tablename, const char *user, const char *password)
> {
> struct table *table;
> + char offloadkey[LINE_MAX];
> union lookup lk;
>
> log_debug("debug: lka: authenticating for %s:%s", tablename, user);
> @@ -730,7 +731,27 @@ lka_authenticate(const char *tablename,
> return (LKA_TEMPFAIL);
> }
>
> - switch (table_lookup(table, K_CREDENTIALS, user, &lk)) {
> + /* table backend supports authentication offloading */
> + if (table_check_service(table, K_AUTH)) {
> + if (!bsnprintf(offloadkey, sizeof(offloadkey), "%s:%s",
> + user, password)) {
> + log_warnx("warn: key serialization failed for %s:%s",
> + tablename, user);
> + return (LKA_TEMPFAIL);
> + }
> + switch (table_match(table, K_AUTH, offloadkey)) {
> + case -1:
> + log_warnx("warn: user credentials lookup fail for %s:%s",
> + tablename, user);
> + return (LKA_TEMPFAIL);
> + case 0:
> + return (LKA_PERMFAIL);
> + default:
> + return (LKA_OK);
> + }
> + }
> +
> + switch (table_lookup(table, K_CRE10;rgb:f8f8/f8f8/f2f2DENTIALS, user, &lk)) {
> case -1:
> log_warnx("warn: user credentials lookup fail for %s:%s",
> tablename, user);
dunno why "10;rgb:f8f8/f8f8/f2f2" got inserted in the middle of my diff, it should read as follow:
Index: lka.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/lka.c,v
diff -u -p -r1.248 lka.c
--- lka.c 20 Jan 2024 09:01:03 -0000 1.248
+++ lka.c 26 May 2024 21:24:31 -0000
@@ -720,6 +720,7 @@ static int
 lka_authenticate(const char *tablename, const char *user, const char *password)
 {
 struct table *table;
+ char offloadkey[LINE_MAX];
 union lookup lk;

 log_debug("debug: lka: authenticating for %s:%s", tablename, user);
@@ -728,6 +729,26 @@ lka_authenticate(const char *tablename,
 log_warnx("warn: could not find table %s needed for authentication",
 tablename);
 return (LKA_TEMPFAIL);
+ }
+
+ /* table backend supports authentication offloading */
+ if (table_check_service(table, K_AUTH)) {
+ if (!bsnprintf(offloadkey, sizeof(offloadkey), "%s:%s",
+ user, password)) {
+ log_warnx("warn: key serialization failed for %s:%s",
+ tablename, user);
+ return (LKA_TEMPFAIL);
+ }
+ switch (table_match(table, K_AUTH, offloadkey)) {
+ case -1:
+ log_warnx("warn: user credentials lookup fail for %s:%s",
+ tablename, user);
+ return (LKA_TEMPFAIL);
+ case 0:
+ return (LKA_PERMFAIL);
+ default:
+ return (LKA_OK);
+ }
 }

 switch (table_lookup(table, K_CREDENTIALS, user, &lk)) {
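Review bot: The offload key built with `"%s:%s"` in the K_AUTH branch is ambiguous when `user` itself contains a ':', because the backend can no longer tell where the user name ends and the password begins; rejecting such names before `bsnprintf()`, or stating the split rule in smtpd-tables.7, would remove the ambiguity. `offloadkey` (declared in the first hunk) also keeps the cleartext password on the stack after every return in this branch, so the `table_match()` result is better stored in a new local `int ret` and the buffer cleared with `explicit_bzero()` before the switch. Whether `table_match()` case-folds or traces its key is not visible here; either would be wrong for a key that embeds a password, so it is worth confirming for K_AUTH. The same lines appear in the quoted earlier copy of this hunk, and lka_authenticate() continues past the end of the hunk.

```c
	if (table_check_service(table, K_AUTH)) {
		/* ':' separates the two fields of the key */
		if (strchr(user, ':') != NULL)
			return (LKA_PERMFAIL);
		/* … unchanged: bsnprintf() of "user:password" into offloadkey … */
		ret = table_match(table, K_AUTH, offloadkey);
		/* the key embeds the cleartext password */
		explicit_bzero(offloadkey, sizeof(offloadkey));
		switch (ret) {
		/* … unchanged: case -1, case 0 and default returns … */
		}
```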