dovecot-1.1: DIGEST-MD5: Fixed authentication with user at domain u...

dovecot at dovecot.org dovecot at dovecot.org
Sun Feb 22 00:07:24 EET 2009 

details:   http://hg.dovecot.org/dovecot-1.1/rev/2b0043ba89ae
changeset: 8170:2b0043ba89ae
user:      Timo Sirainen <tss at iki.fi>
date:      Sat Feb 21 17:07:11 2009 -0500
description:
DIGEST-MD5: Fixed authentication with user at domain usernames.

diffstat:

4 files changed, 34 insertions(+), 12 deletions(-)
src/auth/auth-request.h    |    3 +++
src/auth/mech-digest-md5.c |   17 +++++++++++------
src/auth/passdb.c          |    8 +++++++-
src/auth/password-scheme.c |   18 +++++++++++++-----

diffs (111 lines):

diff -r bb7ac37f78ee -r 2b0043ba89ae src/auth/auth-request.h
--- a/src/auth/auth-request.h	Sat Feb 21 14:59:33 2009 -0500
+++ b/src/auth/auth-request.h	Sat Feb 21 17:07:11 2009 -0500
@@ -40,6 +40,8 @@ struct auth_request {
 	/* the username after doing all internal translations, but before
 	   being changed by a db lookup */
 	const char *translated_username;
+	/* realm for the request, may be specified by some auth mechanisms */
+	const char *realm;
 	char *mech_password; /* set if verify_plain() is called */
 	char *passdb_password; /* set after password lookup if successful */
         /* extra_fields are returned in authentication reply. Fields prefixed
@@ -84,6 +86,7 @@ struct auth_request {
 	unsigned int passdb_internal_failure:1;
 	unsigned int userdb_internal_failure:1;
 	unsigned int delayed_failure:1;
+	unsigned int domain_is_realm:1;
 	unsigned int accept_input:1;
 	unsigned int no_failure_delay:1;
 	unsigned int no_login:1;
diff -r bb7ac37f78ee -r 2b0043ba89ae src/auth/mech-digest-md5.c
--- a/src/auth/mech-digest-md5.c	Sat Feb 21 14:59:33 2009 -0500
+++ b/src/auth/mech-digest-md5.c	Sat Feb 21 17:07:11 2009 -0500
@@ -41,7 +41,6 @@ struct digest_auth_request {
 	enum qop_option qop;
 
 	/* received: */
-	char *realm; /* may be NULL */
 	char *username;
 	char *cnonce;
 	char *nonce_count;
@@ -300,8 +299,9 @@ static bool auth_handle_response(struct 
 					str_sanitize(value, MAX_REALM_LEN));
 			return FALSE;
 		}
-		if (request->realm == NULL && *value != '\0')
-			request->realm = p_strdup(request->pool, value);
+		if (request->auth_request.realm == NULL && *value != '\0')
+			request->auth_request.realm =
+				p_strdup(request->pool, value);
 		return TRUE;
 	}
 
@@ -551,9 +551,14 @@ mech_digest_md5_auth_continue(struct aut
 	}
 
 	if (parse_digest_response(request, data, data_size, &error)) {
-		username = request->realm == NULL ? request->username :
-			t_strconcat(request->username, "@",
-				    request->realm, NULL);
+		if (auth_request->realm != NULL &&
+		    strchr(request->username, '@') == NULL) {
+			username = t_strconcat(request->username, "@",
+					       auth_request->realm, NULL);
+			auth_request->domain_is_realm = TRUE;
+		} else {
+			username = request->username;
+		}
 
 		if (auth_request_set_username(auth_request, username, &error)) {
 			auth_request_lookup_credentials(auth_request,
diff -r bb7ac37f78ee -r 2b0043ba89ae src/auth/passdb.c
--- a/src/auth/passdb.c	Sat Feb 21 14:59:33 2009 -0500
+++ b/src/auth/passdb.c	Sat Feb 21 17:07:11 2009 -0500
@@ -101,9 +101,15 @@ bool passdb_get_credentials(struct auth_
 		plaintext = t_strndup(*credentials_r, *size_r);
 		username = auth_request->original_username != NULL ?
 			auth_request->original_username : auth_request->user;
+		if (!auth_request->domain_is_realm &&
+		    strchr(username, '@') != NULL) {
+			/* domain must not be used as realm. add the @realm. */
+			username = t_strconcat(username, "@",
+					       auth_request->realm, NULL);
+		}
 		if (auth_request->auth->verbose_debug_passwords) {
 			auth_request_log_info(auth_request, "password",
-				"Generating %s from user %s password %s",
+				"Generating %s from user '%s', password '%s'",
 				wanted_scheme, username, plaintext);
 		}
 		if (!password_generate(plaintext, username,
diff -r bb7ac37f78ee -r 2b0043ba89ae src/auth/password-scheme.c
--- a/src/auth/password-scheme.c	Sat Feb 21 14:59:33 2009 -0500
+++ b/src/auth/password-scheme.c	Sat Feb 21 17:07:11 2009 -0500
@@ -448,13 +448,21 @@ digest_md5_generate(const char *plaintex
 	if (user == NULL)
 		i_fatal("digest_md5_generate(): username not given");
 
+
+	/* assume user at realm format for username. If user at domain is wanted
+	   in the username, allow also user at domain@realm. */
+	realm = strrchr(user, '@');
+	if (realm != NULL) {
+		user = t_strdup_until(user, realm);
+		realm++;
+	} else {
+		user = realm;
+		realm = "";
+	}
+
 	/* user:realm:passwd */
-	realm = strchr(user, '@');
-	if (realm != NULL) realm++; else realm = "";
-
 	digest = t_malloc(MD5_RESULTLEN);
-	str = t_strdup_printf("%s:%s:%s", t_strcut(user, '@'),
-			      realm, plaintext);
+	str = t_strdup_printf("%s:%s:%s", user, realm, plaintext);
 	md5_get_digest(str, strlen(str), digest);
 
 	*raw_password_r = digest;

More information about the dovecot-cvs mailing list