dovecot-1.2: imap/pop3 proxy: Support master user logins.
dovecot at dovecot.org
dovecot at dovecot.org
Sun Dec 14 05:46:35 EET 2008
details: http://hg.dovecot.org/dovecot-1.2/rev/50f49805b13b
changeset: 8546:50f49805b13b
user: Timo Sirainen <tss at iki.fi>
date: Sun Dec 14 05:46:31 2008 +0200
description:
imap/pop3 proxy: Support master user logins.
diffstat:
10 files changed, 173 insertions(+), 65 deletions(-)
src/auth/auth-request-handler.c | 17 +++-
src/imap-login/client-authenticate.c | 6 +
src/imap-login/client.c | 4 -
src/imap-login/client.h | 2
src/imap-login/imap-proxy.c | 117 ++++++++++++++++++++++++----------
src/imap-login/imap-proxy.h | 3
src/pop3-login/client-authenticate.c | 6 +
src/pop3-login/client.h | 2
src/pop3-login/pop3-proxy.c | 78 ++++++++++++++++------
src/pop3-login/pop3-proxy.h | 3
diffs (truncated from 470 to 300 lines):
diff -r ef08feef501a -r 50f49805b13b src/auth/auth-request-handler.c
--- a/src/auth/auth-request-handler.c Sun Dec 14 04:57:23 2008 +0200
+++ b/src/auth/auth-request-handler.c Sun Dec 14 05:46:31 2008 +0200
@@ -145,10 +145,19 @@ static void get_client_extra_fields(stru
}
}
- if (request->proxy && !seen_pass && request->mech_password != NULL) {
- /* we're proxying - send back the password that was
- sent by user (not the password in passdb). */
- auth_stream_reply_add(reply, "pass", request->mech_password);
+ if (request->proxy) {
+ /* we're proxying */
+ if (!seen_pass && request->mech_password != NULL) {
+ /* send back the password that was sent by user
+ (not the password in passdb). */
+ auth_stream_reply_add(reply, "pass",
+ request->mech_password);
+ }
+ if (request->master_user != NULL) {
+ /* the master username needs to be forwarded */
+ auth_stream_reply_add(reply, "master",
+ request->master_user);
+ }
}
}
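Review bot: The comment kept at `"send back the password that was sent by user"` undersells what is forwarded now: when `request->master_user` is set, `mech_password` is the master user's password the client typed, and the login proxy (see imap-proxy.c, `get_plain_auth`) sends it with the master name as the SASL authcid to the backend, so the backend must accept that master credential too. I would make that explicit: `/* send back the password the client actually typed; for a master login this is the master user's password, not the passdb's */`. Also note that `pass` is guarded by `seen_pass` while `master` is added unconditionally, so a passdb that already emits a `master=` extra field would produce a duplicate key in the reply — I cannot tell from here whether any passdb does that, but mirroring the `seen_pass` guard would be cheap. `get_client_extra_fields` starts before this hunk.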
diff -r ef08feef501a -r 50f49805b13b src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/client-authenticate.c Sun Dec 14 05:46:31 2008 +0200
@@ -98,6 +98,7 @@ static bool client_handle_args(struct im
const char *const *args, bool success)
{
const char *reason = NULL, *host = NULL, *destuser = NULL, *pass = NULL;
+ const char *master_user = NULL;
string_t *reply;
unsigned int port = 143;
bool proxy = FALSE, temp = FALSE, nologin = !success, proxy_self;
@@ -122,6 +123,8 @@ static bool client_handle_args(struct im
destuser = *args + 9;
else if (strncmp(*args, "pass=", 5) == 0)
pass = *args + 5;
+ else if (strncmp(*args, "master=", 7) == 0)
+ master_user = *args + 7;
else if (strncmp(*args, "user=", 5) == 0) {
/* already handled in login-common */
} else if (auth_debug) {
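Review bot: The new `master=` branch accepts an empty value, and since the proxy code keys its mode off `proxy_master_user == NULL` (imap-proxy.c), an empty string would switch the login to `AUTHENTICATE PLAIN` with an empty authcid. Whether the auth process can ever emit `master=` with no value is not visible in this diff, but guarding here is one line: `master_user = *args + 7; if (*master_user == '\0') master_user = NULL;` (or treat it as a failed auth). `client_handle_args` starts before this hunk and continues after it.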
@@ -143,7 +146,8 @@ static bool client_handle_args(struct im
proxy host=.. [port=..] [destuser=..] pass=.. */
if (!success)
return FALSE;
- if (imap_proxy_new(client, host, port, destuser, pass) < 0)
+ if (imap_proxy_new(client, host, port, destuser, master_user,
+ pass) < 0)
client_destroy_internal_failure(client);
return TRUE;
}
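Review bot: The reply-format comment just above, `proxy host=.. [port=..] [destuser=..] pass=..`, was not updated for the new field and no longer lists everything this branch parses. I would change it to `proxy host=.. [port=..] [destuser=..] [master=..] pass=..` so the next reader of the auth protocol sees that `master=` is optional and consumed here. The rest of `client_handle_args` lies outside this hunk.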
diff -r ef08feef501a -r 50f49805b13b src/imap-login/client.c
--- a/src/imap-login/client.c Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/client.c Sun Dec 14 05:46:31 2008 +0200
@@ -585,8 +585,8 @@ void client_destroy(struct imap_client *
client->proxy_password = NULL;
}
- i_free(client->proxy_user);
- client->proxy_user = NULL;
+ i_free_and_null(client->proxy_user);
+ i_free_and_null(client->proxy_master_user);
if (client->proxy != NULL) {
login_proxy_free(client->proxy);
diff -r ef08feef501a -r 50f49805b13b src/imap-login/client.h
--- a/src/imap-login/client.h Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/client.h Sun Dec 14 05:46:31 2008 +0200
@@ -17,7 +17,7 @@ struct imap_client {
struct timeout *to_idle_disconnect, *to_auth_waiting;
struct login_proxy *proxy;
- char *proxy_user, *proxy_password;
+ char *proxy_user, *proxy_master_user, *proxy_password;
unsigned int bad_counter;
diff -r ef08feef501a -r 50f49805b13b src/imap-login/imap-proxy.c
--- a/src/imap-login/imap-proxy.c Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/imap-proxy.c Sun Dec 14 05:46:31 2008 +0200
@@ -4,6 +4,7 @@
#include "ioloop.h"
#include "istream.h"
#include "ostream.h"
+#include "base64.h"
#include "str.h"
#include "str-sanitize.h"
#include "safe-memset.h"
@@ -46,42 +47,86 @@ static void proxy_write_id(struct imap_c
client->common.local_port);
}
-static int proxy_input_line(struct imap_client *client,
- struct ostream *output, const char *line)
+static void proxy_free_password(struct imap_client *client)
+{
+ safe_memset(client->proxy_password, 0, strlen(client->proxy_password));
+ i_free_and_null(client->proxy_password);
+}
+
+static void get_plain_auth(struct imap_client *client, string_t *dest)
{
string_t *str;
- i_assert(!client->destroyed);
-
- if (!client->proxy_login_sent) {
- /* this is a banner */
- if (strncmp(line, "* OK ", 5) != 0) {
- client_syslog(&client->common, t_strdup_printf(
- "proxy: Remote returned invalid banner: %s",
- str_sanitize(line, 160)));
- client_destroy_internal_failure(client);
- return -1;
- }
-
- str = t_str_new(128);
- if (imap_banner_has_capability(line + 5, "ID"))
- proxy_write_id(client, str);
-
- /* send LOGIN command */
- str_append(str, "P LOGIN ");
+ str = t_str_new(128);
+ str_append(str, client->proxy_user);
+ str_append_c(str, '\0');
+ str_append(str, client->proxy_master_user);
+ str_append_c(str, '\0');
+ str_append(str, client->proxy_password);
+ base64_encode(str_data(str), str_len(str), dest);
+}
+
+static int proxy_input_banner(struct imap_client *client,
+ struct ostream *output, const char *line)
+{
+ string_t *str;
+
+ if (strncmp(line, "* OK ", 5) != 0) {
+ client_syslog(&client->common, t_strdup_printf(
+ "proxy: Remote returned invalid banner: %s",
+ str_sanitize(line, 160)));
+ client_destroy_internal_failure(client);
+ return -1;
+ }
+
+ str = t_str_new(128);
+ if (imap_banner_has_capability(line + 5, "ID"))
+ proxy_write_id(client, str);
+
+ if (client->proxy_master_user == NULL) {
+ /* logging in normally - use LOGIN command */
+ str_append(str, "L LOGIN ");
imap_quote_append_string(str, client->proxy_user, FALSE);
str_append_c(str, ' ');
imap_quote_append_string(str, client->proxy_password, FALSE);
+
+ proxy_free_password(client);
+ } else if (imap_banner_has_capability(line + 5, "SASL-IR")) {
+ /* master user login with SASL initial response support */
+ str_append(str, "L AUTHENTICATE PLAIN ");
+ get_plain_auth(client, str);
+ proxy_free_password(client);
+ } else {
+ /* master user login without SASL initial response */
+ str_append(str, "L AUTHENTICATE PLAIN");
+ }
+
+ str_append(str, "\r\n");
+ (void)o_stream_send(output, str_data(str), str_len(str));
+ client->proxy_login_sent = TRUE;
+ return 0;
+}
+
+static int proxy_input_line(struct imap_client *client,
+ struct ostream *output, const char *line)
+{
+ string_t *str;
+
+ i_assert(!client->destroyed);
+
+ if (!client->proxy_login_sent) {
+ /* this is a banner */
+ return proxy_input_banner(client, output, line);
+ } else if (*line == '+') {
+ /* AUTHENTICATE started. finish it. */
+ str = t_str_new(128);
+ get_plain_auth(client, str);
str_append(str, "\r\n");
+ proxy_free_password(client);
+
(void)o_stream_send(output, str_data(str), str_len(str));
-
- safe_memset(client->proxy_password, 0,
- strlen(client->proxy_password));
- i_free(client->proxy_password);
- client->proxy_password = NULL;
- client->proxy_login_sent = TRUE;
return 0;
- } else if (strncmp(line, "P OK ", 5) == 0) {
+ } else if (strncmp(line, "L OK ", 5) == 0) {
/* Login successful. Send this line to client. */
str = t_str_new(128);
str_append(str, client->cmd_tag);
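Review bot: The new `*line == '+'` branch in `proxy_input_line` fires for any continuation line once `proxy_login_sent` is TRUE, not only when `AUTHENTICATE PLAIN` was sent without an initial response; after the `LOGIN` or `SASL-IR` path `proxy_password` is already NULL (freed by `proxy_free_password`), and in the `LOGIN` path `proxy_master_user` is NULL too, so `get_plain_auth` passes NULL to `str_append` and `proxy_free_password` calls `strlen(NULL)`. A backend (or a man-in-the-middle on a plaintext proxy link) that sends a stray `+` can therefore crash the login process. Since `proxy_password != NULL` after the banner exactly means "a continuation is still owed", I would reject the `+` otherwise, as below. A second, pre-existing nit: the cleartext `str` built in `get_plain_auth` (and in the LOGIN branch) is never wiped, only the heap copy is, so the password lingers in the data-stack frame; the enclosing function continues past this hunk.

```c
	} else if (*line == '+') {
		/* AUTHENTICATE started. finish it. */
		if (client->proxy_password == NULL) {
			/* we sent LOGIN or PLAIN with an initial response, or
			   already answered a continuation: a further "+" is a
			   protocol violation and the password is gone anyway */
			client_syslog(&client->common, t_strdup_printf(
				"proxy: Remote sent unexpected continuation: %s",
				str_sanitize(line, 160)));
			client_destroy_internal_failure(client);
			return -1;
		}
		str = t_str_new(128);
		get_plain_auth(client, str);
		/* … unchanged: append CRLF, proxy_free_password, o_stream_send … */
```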
@@ -101,6 +146,10 @@ static int proxy_input_line(struct imap_
str_append_c(str, '/');
str_append(str, client->proxy_user);
}
+ if (client->proxy_master_user != NULL) {
+ str_printfa(str, " (master %s)",
+ client->proxy_master_user);
+ }
(void)client_skip_line(client);
login_proxy_detach(client->proxy, client->common.input,
@@ -112,7 +161,7 @@ static int proxy_input_line(struct imap_
client->common.fd = -1;
client_destroy_success(client, str_c(str));
return -1;
- } else if (strncmp(line, "P ", 2) == 0) {
+ } else if (strncmp(line, "L ", 2) == 0) {
/* If the backend server isn't Dovecot, the error message may
be different from Dovecot's "user doesn't exist" error. This
would allow an attacker to find out what users exist in the
@@ -140,6 +189,10 @@ static int proxy_input_line(struct imap_
str_append_c(str, '/');
str_append(str, client->proxy_user);
}
+ if (client->proxy_master_user != NULL) {
+ str_printfa(str, " (master %s)",
+ client->proxy_master_user);
+ }
str_append(str, ": ");
if (strncasecmp(line + 2, "NO ", 3) == 0)
str_append(str, line + 2 + 3);
@@ -156,8 +209,8 @@ static int proxy_input_line(struct imap_
login_proxy_free(client->proxy);
client->proxy = NULL;
- i_free(client->proxy_user);
- client->proxy_user = NULL;
+ i_free_and_null(client->proxy_user);
+ i_free_and_null(client->proxy_master_user);
return -1;
} else {
/* probably some untagged reply */
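Review bot: This failure path now frees `proxy_user` and `proxy_master_user` but not `proxy_password`, and the commit opens a window where it is still allocated: in the master-user path without `SASL-IR`, the password is kept until the `+` arrives, so a backend answering `L NO`/`L BAD` straight away (e.g. PLAIN not offered) leaves the cleartext password on the heap for as long as the client object lives. Before the `i_free_and_null` calls I would add `if (client->proxy_password != NULL) proxy_free_password(client);`, which also wipes it. If the client can retry and reach `imap_proxy_new` again, the unconditional `i_strdup(password)` there would otherwise leak the old copy unwiped — I cannot see the retry path in this diff, so treat that as something to confirm. `proxy_input_line` extends beyond this hunk.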
@@ -210,7 +263,8 @@ static void proxy_input(struct istream *
}
int imap_proxy_new(struct imap_client *client, const char *host,
- unsigned int port, const char *user, const char *password)
+ unsigned int port, const char *user, const char *master_user,
+ const char *password)
{
i_assert(user != NULL);
i_assert(!client->destroyed);
@@ -236,6 +290,7 @@ int imap_proxy_new(struct imap_client *c
client->proxy_login_sent = FALSE;
client->proxy_user = i_strdup(user);
+ client->proxy_master_user = i_strdup(master_user);
client->proxy_password = i_strdup(password);
/* disable input until authentication is finished */
diff -r ef08feef501a -r 50f49805b13b src/imap-login/imap-proxy.h
--- a/src/imap-login/imap-proxy.h Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/imap-proxy.h Sun Dec 14 05:46:31 2008 +0200
@@ -4,6 +4,7 @@
#include "login-proxy.h"
int imap_proxy_new(struct imap_client *client, const char *host,
- unsigned int port, const char *user, const char *password);
+ unsigned int port, const char *user, const char *master_user,
+ const char *password);
#endif
diff -r ef08feef501a -r 50f49805b13b src/pop3-login/client-authenticate.c
--- a/src/pop3-login/client-authenticate.c Sun Dec 14 04:57:23 2008 +0200
+++ b/src/pop3-login/client-authenticate.c Sun Dec 14 05:46:31 2008 +0200
@@ -86,6 +86,7 @@ static bool client_handle_args(struct po
const char *const *args, bool success)
{
const char *reason = NULL, *host = NULL, *destuser = NULL, *pass = NULL;
+ const char *master_user = NULL;
string_t *reply;
unsigned int port = 110;
bool proxy = FALSE, temp = FALSE, nologin = !success;
@@ -107,6 +108,8 @@ static bool client_handle_args(struct po
destuser = *args + 9;
else if (strncmp(*args, "pass=", 5) == 0)
pass = *args + 5;
+ else if (strncmp(*args, "master=", 7) == 0)
+ master_user = *args + 7;
else if (strncmp(*args, "user=", 5) == 0) {
/* already handled in login-common */
} else if (auth_debug) {