diff -up dovecot-2.3.8/src/auth/Makefile.am.CVE_2020_12674prereq dovecot-2.3.8/src/auth/Makefile.am

--- dovecot-2.3.8/src/auth/Makefile.am.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/Makefile.am	2020-08-07 20:46:56.095295825 +0200

@@ -38,6 +38,7 @@ AM_CPPFLAGS = \

 	-I$(top_srcdir)/src/lib-oauth2 \

 	-I$(top_srcdir)/src/lib-ssl-iostream \

 	-I$(top_srcdir)/src/lib-lua \

+	-I$(top_srcdir)/src/lib-dcrypt \

 	-DAUTH_MODULE_DIR=\""$(auth_moduledir)"\" \

 	-DPKG_LIBEXECDIR=\""$(pkglibexecdir)"\" \

 	-DPKG_RUNDIR=\""$(rundir)"\" \

@@ -248,7 +249,8 @@ libstats_auth_la_SOURCES = auth-stats.c

 test_programs = \

 	test-libpassword \

 	test-auth-cache \

-	test-auth

+	test-auth \

+	test-mech

 noinst_PROGRAMS = $(test_programs)

@@ -288,6 +290,13 @@ test_auth_SOURCES = \

 test_auth_LDADD = $(test_libs) $(auth_libs) $(AUTH_LIBS)

 test_auth_DEPENDENCIES = $(pkglibexec_PROGRAMS) $(test_libs)

+test_mech_SOURCES = \

+	test-mock.c \

+	test-mech.c

+

+test_mech_LDADD = $(test_libs) $(auth_libs) $(AUTH_LIBS)

+test_mech_DEPENDENCIES = $(pkglibexec_PROGRAMS) $(test_libs)

+

 check-local:

 	for bin in $(test_programs); do \

 	  if ! $(RUN_TEST) ./$$bin; then exit 1; fi; \

diff -up dovecot-2.3.8/src/auth/passdb.h.CVE_2020_12674prereq dovecot-2.3.8/src/auth/passdb.h

--- dovecot-2.3.8/src/auth/passdb.h.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/passdb.h	2020-08-07 20:35:16.295684287 +0200

@@ -24,6 +24,8 @@ enum passdb_result {

 typedef void verify_plain_callback_t(enum passdb_result result,

 				     struct auth_request *request);

+typedef void verify_plain_continue_callback_t(struct auth_request *request,

+					      verify_plain_callback_t *callback);

 typedef void lookup_credentials_callback_t(enum passdb_result result,

 					   const unsigned char *credentials,

 					   size_t size,

diff -up dovecot-2.3.8/src/auth/auth-request-handler-private.h.CVE_2020_12674prereq dovecot-2.3.8/src/auth/auth-request-handler-private.h

--- dovecot-2.3.8/src/auth/auth-request-handler-private.h.CVE_2020_12674prereq	2020-08-07 20:35:16.295684287 +0200

+++ dovecot-2.3.8/src/auth/auth-request-handler-private.h	2020-08-07 20:35:16.295684287 +0200

@@ -0,0 +1,27 @@

+#ifndef AUTH_REQUEST_HANDLER_PRIVATE_H

+#define AUTH_REQUEST_HANDLER_PRIVATE_H

+

+struct auth_request;

+struct auth_client_connection;

+

+struct auth_request_handler {

+	int refcount;

+	pool_t pool;

+	HASH_TABLE(void *, struct auth_request *) requests;

+

+        unsigned int connect_uid, client_pid;

+

+	auth_client_request_callback_t *callback;

+	struct auth_client_connection *conn;

+

+	auth_master_request_callback_t *master_callback;

+	auth_request_handler_reply_callback_t *reply_callback;

+	auth_request_handler_reply_continue_callback_t *reply_continue_callback;

+	verify_plain_continue_callback_t *verify_plain_continue_callback;

+

+	bool destroyed:1;

+	bool token_auth:1;

+};

+

+

+#endif

diff -up dovecot-2.3.8/src/auth/auth-request-handler.h.CVE_2020_12674prereq dovecot-2.3.8/src/auth/auth-request-handler.h

--- dovecot-2.3.8/src/auth/auth-request-handler.h.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/auth-request-handler.h	2020-08-07 20:35:16.295684287 +0200

@@ -17,6 +17,17 @@ auth_client_request_callback_t(const cha

 typedef void

 auth_master_request_callback_t(const char *reply, struct auth_master_connection *conn);

+typedef void

+auth_request_handler_reply_callback_t(struct auth_request *request,

+				      enum auth_client_result result,

+				      const void *auth_reply,

+				      size_t reply_size);

+typedef void

+auth_request_handler_reply_continue_callback_t(struct auth_request *request,

+					       const void *reply,

+					       size_t reply_size);

+

+

 struct auth_request_handler *

 auth_request_handler_create(bool token_auth, auth_client_request_callback_t *callback,

 			    struct auth_client_connection *conn,

diff -up dovecot-2.3.8/src/auth/test-mock.c.CVE_2020_12674prereq dovecot-2.3.8/src/auth/test-mock.c

--- dovecot-2.3.8/src/auth/test-mock.c.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/test-mock.c	2020-08-07 20:35:16.296684273 +0200

@@ -28,14 +28,22 @@ static void passdb_mock_verify_plain(str

 	callback(PASSDB_RESULT_OK, request);

 }

+static void passdb_mock_lookup_credentials(struct auth_request *request,

+					   lookup_credentials_callback_t *callback)

+{

+	passdb_handle_credentials(PASSDB_RESULT_OK, "password", "PLAIN",

+				  callback, request);

+}

+

 static struct passdb_module_interface mock_interface = {

 	.name = "mock",

 	.init = passdb_mock_init,

 	.deinit = passdb_mock_deinit,

 	.verify_plain = passdb_mock_verify_plain,

+	.lookup_credentials = passdb_mock_lookup_credentials,

 };

-static struct auth_passdb_settings set = {

+struct auth_passdb_settings mock_passdb_set = {

 	.name = "mock",

 	.driver = "mock",

 	.args = "",

@@ -95,7 +103,7 @@ void passdb_mock_mod_deinit(void)

 struct auth_passdb *passdb_mock(void)

 {

 	struct auth_passdb *ret = i_new(struct auth_passdb, 1);

-	ret->set = &set;

+	ret->set = &mock_passdb_set;

 	ret->passdb = mock_passdb_mod;

 	return ret;

 }

diff -up dovecot-2.3.8/src/auth/test-auth.h.CVE_2020_12674prereq dovecot-2.3.8/src/auth/test-auth.h

--- dovecot-2.3.8/src/auth/test-auth.h.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/test-auth.h	2020-08-07 20:35:16.296684273 +0200

@@ -8,6 +8,8 @@

 struct auth_passdb;

+extern struct auth_passdb_settings mock_passdb_set;

+

 void test_auth_request_var_expand(void);

 void test_db_dict_parse_cache_key(void);

 void test_username_filter(void);

diff -up dovecot-2.3.8/src/auth/auth-request.c.CVE_2020_12674prereq dovecot-2.3.8/src/auth/auth-request.c

--- dovecot-2.3.8/src/auth/auth-request.c.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/auth-request.c	2020-08-07 20:35:16.295684287 +0200

@@ -16,6 +16,7 @@

 #include "auth-cache.h"

 #include "auth-request.h"

 #include "auth-request-handler.h"

+#include "auth-request-handler-private.h"

 #include "auth-request-stats.h"

 #include "auth-client-connection.h"

 #include "auth-master-connection.h"

@@ -67,9 +68,6 @@ static void

 auth_request_userdb_import(struct auth_request *request, const char *args);

 static

-void auth_request_verify_plain_continue(struct auth_request *request,

-					verify_plain_callback_t *callback);

-static

 void auth_request_lookup_credentials_policy_continue(struct auth_request *request,

 						     lookup_credentials_callback_t *callback);

 static

@@ -307,10 +307,12 @@ void auth_request_success_continue(struct auth_policy_check_ctx *ctx)

 		return;

 	}

-	stats = auth_request_stats_get(request);

-	stats->auth_success_count++;

-	if (request->master_user != NULL)

-		stats->auth_master_success_count++;

+	if (request->set->stats) {

+		stats = auth_request_stats_get(request);

+		stats->auth_success_count++;

+		if (request->master_user != NULL)

+			stats->auth_master_success_count++;

+	}

 	auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);

 	auth_request_refresh_last_access(request);

@@ -324,8 +326,10 @@ void auth_request_fail(struct auth_request *request)

 	i_assert(request->state == AUTH_REQUEST_STATE_MECH_CONTINUE);

-	stats = auth_request_stats_get(request);

-	stats->auth_failure_count++;

+	if (request->set->stats) {

+		stats = auth_request_stats_get(request);

+		stats->auth_failure_count++;

+	}

 	auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED);

 	auth_request_refresh_last_access(request);

@@ -1233,7 +1231,7 @@ void auth_request_policy_penalty_finish(

 	switch(ctx->type) {

 	case AUTH_POLICY_CHECK_TYPE_PLAIN:

-		auth_request_verify_plain_continue(ctx->request, ctx->callback_plain);

+		ctx->request->handler->verify_plain_continue_callback(ctx->request, ctx->callback_plain);

 		return;

 	case AUTH_POLICY_CHECK_TYPE_LOOKUP:

 		auth_request_lookup_credentials_policy_continue(ctx->request, ctx->callback_lookup);

@@ -1284,7 +1282,8 @@ void auth_request_verify_plain(struct au

 	request->user_changed_by_lookup = FALSE;

 	if (request->policy_processed || !request->set->policy_check_before_auth) {

-		auth_request_verify_plain_continue(request, callback);

+		request->handler->verify_plain_continue_callback(request,

+								 callback);

 	} else {

 		ctx = p_new(request->pool, struct auth_policy_check_ctx, 1);

 		ctx->request = request;

@@ -1294,10 +1293,9 @@ void auth_request_verify_plain(struct au

 	}

 }

-static

-void auth_request_verify_plain_continue(struct auth_request *request,

-					verify_plain_callback_t *callback) {

-

+void auth_request_default_verify_plain_continue(struct auth_request *request,

+						verify_plain_callback_t *callback)

+{

 	struct auth_passdb *passdb;

 	enum passdb_result result;

 	const char *cache_key, *error;

diff -up dovecot-2.3.8/src/auth/auth-request-handler.c.CVE_2020_12674prereq dovecot-2.3.8/src/auth/auth-request-handler.c

--- dovecot-2.3.8/src/auth/auth-request-handler.c.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/auth-request-handler.c	2020-08-07 20:35:16.295684287 +0200

@@ -17,32 +17,28 @@

 #include "auth-client-connection.h"

 #include "auth-master-connection.h"

 #include "auth-request-handler.h"

+#include "auth-request-handler-private.h"

 #include "auth-policy.h"

 #define AUTH_FAILURE_DELAY_CHECK_MSECS 500

-

-struct auth_request_handler {

-	int refcount;

-	pool_t pool;

-	HASH_TABLE(void *, struct auth_request *) requests;

-

-        unsigned int connect_uid, client_pid;

-

-	auth_client_request_callback_t *callback;

-	struct auth_client_connection *conn;

-

-	auth_master_request_callback_t *master_callback;

-

-	bool destroyed:1;

-	bool token_auth:1;

-};

-

 static ARRAY(struct auth_request *) auth_failures_arr;

 static struct aqueue *auth_failures;

 static struct timeout *to_auth_failures;

 static void auth_failure_timeout(void *context) ATTR_NULL(1);

+

+static void

+auth_request_handler_default_reply_callback(struct auth_request *request,

+					    enum auth_client_result result,

+					    const void *auth_reply,

+					    size_t reply_size);

+

+static void

+auth_request_handler_default_reply_continue(struct auth_request *request,

+					    const void *reply,

+					    size_t reply_size);

+

 struct auth_request_handler *

 auth_request_handler_create(bool token_auth, auth_client_request_callback_t *callback,

 			    struct auth_client_connection *conn,

@@ -61,6 +57,12 @@ auth_request_handler_create(bool token_a

 	handler->conn = conn;

 	handler->master_callback = master_callback;

 	handler->token_auth = token_auth;

+	handler->reply_callback =

+		auth_request_handler_default_reply_callback;

+	handler->reply_continue_callback =

+		auth_request_handler_default_reply_continue;

+	handler->verify_plain_continue_callback =

+		auth_request_default_verify_plain_continue;

 	return handler;

 }

@@ -355,6 +363,16 @@ void auth_request_handler_reply(struct a

 				enum auth_client_result result,

 				const void *auth_reply, size_t reply_size)

 {

+	struct auth_request_handler *handler = request->handler;

+	handler->reply_callback(request, result, auth_reply, reply_size);

+}

+

+static void

+auth_request_handler_default_reply_callback(struct auth_request *request,

+					    enum auth_client_result result,

+					    const void *auth_reply,

+					    size_t reply_size)

+{

         struct auth_request_handler *handler = request->handler;

 	string_t *str;

 	int ret;

@@ -407,6 +425,14 @@ void auth_request_handler_reply(struct a

 void auth_request_handler_reply_continue(struct auth_request *request,

 					 const void *reply, size_t reply_size)

 {

+	request->handler->reply_continue_callback(request, reply, reply_size);

+}

+

+static void

+auth_request_handler_default_reply_continue(struct auth_request *request,

+					    const void *reply,

+					    size_t reply_size)

+{

 	auth_request_handler_reply(request, AUTH_CLIENT_RESULT_CONTINUE,

 				   reply, reply_size);

 }

@@ -703,6 +729,7 @@ static void auth_str_append_userdb_extra

 		auth_str_add_keyvalue(dest, "master_user",

 				      request->master_user);

 	}

+	auth_str_add_keyvalue(dest, "auth_mech", request->mech->mech_name);

 	if (*request->set->anonymous_username != '\0' &&

 	    strcmp(request->user, request->set->anonymous_username) == 0) {

 		/* this is an anonymous login, either via ANONYMOUS

diff -up dovecot-2.3.8/src/auth/auth-request.h.CVE_2020_12674prereq dovecot-2.3.8/src/auth/auth-request.h

--- dovecot-2.3.8/src/auth/auth-request.h.CVE_2020_12674prereq	2019-10-08 10:46:18.000000000 +0200

+++ dovecot-2.3.8/src/auth/auth-request.h	2020-08-07 20:35:16.295684287 +0200

@@ -295,6 +295,8 @@ void auth_request_set_credentials(struct

 				  set_credentials_callback_t *callback);

 void auth_request_userdb_callback(enum userdb_result result,

 				  struct auth_request *request);

+void auth_request_default_verify_plain_continue(struct auth_request *request,

+						verify_plain_callback_t *callback);

 void auth_request_refresh_last_access(struct auth_request *request);

 void auth_str_append(string_t *dest, const char *key, const char *value);