[Dovecot] [PATCH, RFC] add APOP authentication mechanism

Andrey Panin pazke at donpac.ru
Tue Jul 6 08:28:35 EEST 2004


On 187, 07 05, 2004 at 12:44:57PM +0400, Andrey Panin wrote:
>  
> Hmm, it's really broken:
> 
> Jul  5 12:39:22 pazke dovecot: pop3-login: APOP auth connection lost [80.254.111.17]
> 
> On the client side I see that connection is closed immediately after APOP command.
> I'll try to trace it down some time later.

Problem found: the client->auth_id structure passed to auth_client_request_new() isn't
filled anywhere. The attached patch fixes it; it also fixes the dovecot-auth crash when
the username is not found in userdb.

Please consider applying.

-- 
Andrey Panin		| Linux and UNIX system administrator
pazke at donpac.ru		| PGP key: wwwkeys.pgp.net
-------------- next part --------------
diff -urpNX /usr/share/dontdiff dovecot-1.0-test25.vanilla/src/auth/mech-apop.c dovecot-1.0-test25/src/auth/mech-apop.c
--- dovecot-1.0-test25.vanilla/src/auth/mech-apop.c	2004-07-03 14:43:12.000000000 +0400
+++ dovecot-1.0-test25/src/auth/mech-apop.c	2004-07-05 21:42:29.000000000 +0400
@@ -40,14 +40,20 @@ apop_credentials_callback(const char *cr
 		(struct apop_auth_request *)auth_request;
 	unsigned char digest[16];
 	struct md5_context ctx;
+	int ret = FALSE;
 
-	md5_init(&ctx);
-	md5_update(&ctx, auth->challenge, strlen(auth->challenge));
-	md5_update(&ctx, credentials, strlen(credentials));
-	md5_final(&ctx, digest);
+	if (credentials) {
+		md5_init(&ctx);
+		md5_update(&ctx, auth->challenge, strlen(auth->challenge));
+		md5_update(&ctx, credentials, strlen(credentials));
+		md5_final(&ctx, digest);
 
-	mech_auth_finish(auth_request, NULL, 0,
-			 memcmp(digest, auth->digest, 16) == 0);
+		safe_memset((void *) credentials, 0, strlen(credentials));
+
+		ret = (memcmp(digest, auth->digest, 16) == 0);
+	}
+
+	mech_auth_finish(auth_request, NULL, 0, ret);
 }
 
 static int
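Review bot: The safe_memset((void *) credentials, 0, strlen(credentials)) call casts away the const on the callback's credentials argument and wipes a buffer this function does not own. If the code that supplied the string still uses it afterwards, or handed over read-only storage, this write corrupts it or faults. It would be safer to let the owner of the buffer clear it after the callback returns, or to state in the callback contract that credentials is writable and consumed here. The local digest and ctx also hold secret-derived data and stay on the stack, so wiping them before mech_auth_finish() would match the intent of the added memset. The memcmp(digest, auth->digest, 16) comparison stops at the first differing byte; a constant-time compare is the usual choice when checking a digest.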
diff -urpNX /usr/share/dontdiff dovecot-1.0-test25.vanilla/src/pop3-login/client.c dovecot-1.0-test25/src/pop3-login/client.c
--- dovecot-1.0-test25.vanilla/src/pop3-login/client.c	2004-07-03 13:34:56.000000000 +0400
+++ dovecot-1.0-test25/src/pop3-login/client.c	2004-07-05 20:49:33.000000000 +0400
@@ -225,14 +225,14 @@ static void client_destroy_oldest(void)
 	}
 }
 
-static char *get_apop_challenge(void)
+static char *get_apop_challenge(struct pop3_client *client)
 {
-	struct auth_connect_id id;
+	struct auth_connect_id *id = &client->auth_id;
 
-	if (!auth_client_reserve_connection(auth_client, "APOP", &id))
+	if (!auth_client_reserve_connection(auth_client, "APOP", id))
 		return NULL;
 
-	return i_strdup_printf("<%x.%x.%s@%s>", id.server_pid, id.connect_uid,
+	return i_strdup_printf("<%x.%x.%s@%s>", id->server_pid, id->connect_uid,
 			       dec2str(ioloop_time), my_hostname);
 }
 
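Review bot: get_apop_challenge() now writes into client->auth_id as a side effect, and on the return NULL path after auth_client_reserve_connection() fails the structure is left in whatever state that call left it. A comment above the function saying that it reserves the auth connection and fills client->auth_id for the later auth_client_request_new() call would make that dependency visible, and the failure path should put auth_id into a defined state (for example zeroed) so that a later request cannot start with stale ids. Separately, the challenge is built only from server_pid, connect_uid, ioloop_time and my_hostname; if per-connection uniqueness rests on connect_uid, the comment should say so.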
@@ -241,7 +241,7 @@ static void client_auth_ready(struct pop
 	client->common.io =
 		io_add(client->common.fd, IO_READ, client_input, client);
 
-	client->apop_challenge = get_apop_challenge();
+	client->apop_challenge = get_apop_challenge(client);
 	client_send_line(client, t_strconcat("+OK " PACKAGE " ready.",
 					     client->apop_challenge, NULL));
 }
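Review bot: The return value of get_apop_challenge(client) is stored and passed to t_strconcat() unchecked, although the function returns NULL when the auth connection cannot be reserved. In that case the NULL ends the t_strconcat() argument list early and the banner goes out without a challenge, which works only implicitly. An explicit check here would make that behaviour intentional, and the APOP command handler (not shown in this patch) should refuse the command whenever client->apop_challenge is NULL. The banner also places the challenge directly after "ready." with no separating space; a space before the "<" is the conventional layout.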