Mercurial > dovecot > original-hg > dovecot-1.2
annotate src/login-common/sasl-server.c @ 9651:9ab1c8a10944 HEAD
lib-storage: Message size lookups from cache was broken if fields weren't in "normal" order in file.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Wed, 25 Jan 2012 23:45:02 +0200 |
parents | 00cd9aacd03c |
children |
rev | line source |
---|---|
9532
00cd9aacd03c
Updated copyright notices to include year 2010.
Timo Sirainen <tss@iki.fi>
parents:
9408
diff
changeset
|
1 /* Copyright (c) 2002-2010 Dovecot authors, see the included COPYING file */ |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
2 |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
3 #include "common.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
4 #include "base64.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
5 #include "buffer.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
6 #include "str-sanitize.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
7 #include "auth-client.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
8 #include "ssl-proxy.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
9 #include "client-common.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
10 #include "master.h" |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
11 |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
12 static enum auth_request_flags |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
13 client_get_auth_flags(struct client *client) |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
14 { |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
15 enum auth_request_flags auth_flags = 0; |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
16 |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
17 if (client->proxy != NULL && |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
18 ssl_proxy_has_valid_client_cert(client->proxy)) |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
19 auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT; |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
20 if (client->secured) |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
21 auth_flags |= AUTH_REQUEST_FLAG_SECURED; |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
22 return auth_flags; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
23 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
24 |
5232
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
25 static void |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
26 call_client_callback(struct client *client, enum sasl_server_reply reply, |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
27 const char *data, const char *const *args) |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
28 { |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
29 sasl_server_callback_t *sasl_callback; |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
30 |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
31 i_assert(reply != SASL_SERVER_REPLY_CONTINUE); |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
32 |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
33 sasl_callback = client->sasl_callback; |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
34 client->sasl_callback = NULL; |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
35 |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
36 sasl_callback(client, reply, data, args); |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
37 /* NOTE: client may be destroyed now */ |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
38 } |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
39 |
5846
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
40 static void |
8092
29b623366e1e
Pass the created mail process PID back to login process so it can log it.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
41 master_callback(struct client *client, const struct master_login_reply *reply) |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
42 { |
8092
29b623366e1e
Pass the created mail process PID back to login process so it can log it.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
43 enum sasl_server_reply sasl_reply = SASL_SERVER_REPLY_MASTER_FAILED; |
5846
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
44 const char *data = NULL; |
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
45 |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
46 client->authenticating = FALSE; |
8092
29b623366e1e
Pass the created mail process PID back to login process so it can log it.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
47 switch (reply->status) { |
5846
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
48 case MASTER_LOGIN_STATUS_OK: |
8092
29b623366e1e
Pass the created mail process PID back to login process so it can log it.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
49 sasl_reply = SASL_SERVER_REPLY_SUCCESS; |
5846
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
50 break; |
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
51 case MASTER_LOGIN_STATUS_INTERNAL_ERROR: |
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
52 break; |
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
53 case MASTER_LOGIN_STATUS_MAX_CONNECTIONS: |
8233
b7cbf648228f
Mention mail_max_userip_connections setting in the log message if the limit is exceeded.
Timo Sirainen <tss@iki.fi>
parents:
8092
diff
changeset
|
54 data = "Maximum number of connections from user+IP exceeded " |
b7cbf648228f
Mention mail_max_userip_connections setting in the log message if the limit is exceeded.
Timo Sirainen <tss@iki.fi>
parents:
8092
diff
changeset
|
55 "(mail_max_userip_connections)"; |
5846
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
56 break; |
21e529b8a701
Initial implementation for mail_max_user_connections setting.
Timo Sirainen <tss@iki.fi>
parents:
5435
diff
changeset
|
57 } |
8092
29b623366e1e
Pass the created mail process PID back to login process so it can log it.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
58 client->mail_pid = reply->mail_pid; |
29b623366e1e
Pass the created mail process PID back to login process so it can log it.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
59 call_client_callback(client, sasl_reply, data, NULL); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
60 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
61 |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
62 static void authenticate_callback(struct auth_request *request, int status, |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
63 const char *data_base64, |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
64 const char *const *args, void *context) |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
65 { |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
66 struct client *client = context; |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
67 unsigned int i; |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
68 bool nologin; |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
69 |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
70 if (!client->authenticating) { |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
71 /* client aborted */ |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
72 i_assert(status < 0); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
73 return; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
74 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
75 |
5105 | 76 i_assert(client->auth_request == request); |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
77 switch (status) { |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
78 case 0: |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
79 /* continue */ |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
80 client->sasl_callback(client, SASL_SERVER_REPLY_CONTINUE, |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
81 data_base64, NULL); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
82 break; |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
83 case 1: |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
84 client->auth_request = NULL; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
85 |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
86 nologin = FALSE; |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
87 for (i = 0; args[i] != NULL; i++) { |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
88 if (strncmp(args[i], "user=", 5) == 0) { |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
89 i_free(client->virtual_user); |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
90 client->virtual_user = i_strdup(args[i] + 5); |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
91 } |
4874
e39397cf0915
proxy=y logins can't log in either.
Timo Sirainen <tss@iki.fi>
parents:
4858
diff
changeset
|
92 if (strcmp(args[i], "nologin") == 0 || |
e39397cf0915
proxy=y logins can't log in either.
Timo Sirainen <tss@iki.fi>
parents:
4858
diff
changeset
|
93 strcmp(args[i], "proxy") == 0) { |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
94 /* user can't login */ |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
95 nologin = TRUE; |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
96 } |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
97 } |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
98 |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
99 if (nologin) { |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
100 client->authenticating = FALSE; |
5232
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
101 call_client_callback(client, SASL_SERVER_REPLY_SUCCESS, |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
102 NULL, args); |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
103 } else { |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
104 master_request_login(client, master_callback, |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
105 auth_client_request_get_server_pid(request), |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
106 auth_client_request_get_id(request)); |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
107 } |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
108 break; |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
109 case -1: |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
110 client->auth_request = NULL; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
111 |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
112 if (args != NULL) { |
2772
7ac5ee00278c
Use reason=xx field in FAIL to report the error message instead of separate
Timo Sirainen <tss@iki.fi>
parents:
2768
diff
changeset
|
113 /* parse our username if it's there */ |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
114 for (i = 0; args[i] != NULL; i++) { |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
115 if (strncmp(args[i], "user=", 5) == 0) { |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
116 i_free(client->virtual_user); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
117 client->virtual_user = |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
118 i_strdup(args[i] + 5); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
119 } |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
120 } |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
121 } |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
122 |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
123 client->authenticating = FALSE; |
5232
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
124 call_client_callback(client, SASL_SERVER_REPLY_AUTH_FAILED, |
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
parents:
5149
diff
changeset
|
125 NULL, args); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
126 break; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
127 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
128 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
129 |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
130 void sasl_server_auth_begin(struct client *client, |
2781
e44a84dc947c
s/protocol/service/ in authentication
Timo Sirainen <tss@iki.fi>
parents:
2772
diff
changeset
|
131 const char *service, const char *mech_name, |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
132 const char *initial_resp_base64, |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
133 sasl_server_callback_t *callback) |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
134 { |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
135 struct auth_request_info info; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
136 const struct auth_mech_desc *mech; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
137 const char *error; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
138 |
6992
249e6c711e8d
Instead of logging only "Aborted login", log also if client tried to use
Timo Sirainen <tss@iki.fi>
parents:
6835
diff
changeset
|
139 client->auth_attempts++; |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
140 client->authenticating = TRUE; |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
141 i_free(client->auth_mech_name); |
4858
69a2b3d5f00d
Uppercase the auth mechanism name so it's always uppercased in logs.
Timo Sirainen <tss@iki.fi>
parents:
4770
diff
changeset
|
142 client->auth_mech_name = str_ucase(i_strdup(mech_name)); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
143 client->sasl_callback = callback; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
144 |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
145 mech = auth_client_find_mech(auth_client, mech_name); |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
146 if (mech == NULL) { |
9408
0c7bbdd7b81f
*-login: Log more precise reasons for some auth failures.
Timo Sirainen <tss@iki.fi>
parents:
9218
diff
changeset
|
147 client->auth_tried_unsupported_mech = TRUE; |
6692
a3079c4320c6
"Unsupported auth mechanism" and "Plaintext auth disabled" errors should
Timo Sirainen <tss@iki.fi>
parents:
6429
diff
changeset
|
148 sasl_server_auth_failed(client, |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
149 "Unsupported authentication mechanism."); |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
150 return; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
151 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
152 |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
153 if (!client->secured && disable_plaintext_auth && |
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
154 (mech->flags & MECH_SEC_PLAINTEXT) != 0) { |
9408
0c7bbdd7b81f
*-login: Log more precise reasons for some auth failures.
Timo Sirainen <tss@iki.fi>
parents:
9218
diff
changeset
|
155 client->auth_tried_disabled_plaintext = TRUE; |
6692
a3079c4320c6
"Unsupported auth mechanism" and "Plaintext auth disabled" errors should
Timo Sirainen <tss@iki.fi>
parents:
6429
diff
changeset
|
156 sasl_server_auth_failed(client, |
4301
0e10b01960a0
IMAP: Reply with tagged BAD if authentication is aborted because client sent
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
157 "Plaintext authentication disabled."); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
158 return; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
159 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
160 |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
161 memset(&info, 0, sizeof(info)); |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
162 info.mech = mech->name; |
2781
e44a84dc947c
s/protocol/service/ in authentication
Timo Sirainen <tss@iki.fi>
parents:
2772
diff
changeset
|
163 info.service = service; |
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3384
diff
changeset
|
164 info.cert_username = client->proxy == NULL ? NULL : |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3384
diff
changeset
|
165 ssl_proxy_get_peer_name(client->proxy); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
166 info.flags = client_get_auth_flags(client); |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
167 info.local_ip = client->local_ip; |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
168 info.remote_ip = client->ip; |
5882
40ce533c88f9
Send local/remote ports to dovecot-auth. They're now in %a and %b variables.
Timo Sirainen <tss@iki.fi>
parents:
5846
diff
changeset
|
169 info.local_port = client->local_port; |
40ce533c88f9
Send local/remote ports to dovecot-auth. They're now in %a and %b variables.
Timo Sirainen <tss@iki.fi>
parents:
5846
diff
changeset
|
170 info.remote_port = client->remote_port; |
2736
0f31778d3c34
Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents:
2733
diff
changeset
|
171 info.initial_resp_base64 = initial_resp_base64; |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
172 |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
173 client->auth_request = |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
174 auth_client_request_new(auth_client, NULL, &info, |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
175 authenticate_callback, client, &error); |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
176 if (client->auth_request == NULL) { |
4301
0e10b01960a0
IMAP: Reply with tagged BAD if authentication is aborted because client sent
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
177 sasl_server_auth_failed(client, |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
178 t_strconcat("Authentication failed: ", error, NULL)); |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
179 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
180 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
181 |
4301
0e10b01960a0
IMAP: Reply with tagged BAD if authentication is aborted because client sent
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
182 static void sasl_server_auth_cancel(struct client *client, const char *reason, |
0e10b01960a0
IMAP: Reply with tagged BAD if authentication is aborted because client sent
Timo Sirainen <tss@iki.fi>
parents:
3863
diff
changeset
|
183 enum sasl_server_reply reply) |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
184 { |
5149
892b8f1c1916
Make sure we crash if we're trying to call sasl_callback() too many times.
Timo Sirainen <tss@iki.fi>
|
185 i_assert(client->authenticating); |
|
186 |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
|
187 if (verbose_auth && reason != NULL) { |
3384
3b75956d20c4
Added configurable logging for login process. Added configurable pop3 logout
Timo Sirainen <tss@iki.fi>
|
188 const char *auth_name = |
|
189 str_sanitize(client->auth_mech_name, MAX_MECH_NAME); |
|
190 client_syslog(client, |
|
191 t_strdup_printf("Authenticate %s failed: %s", |
|
192 auth_name, reason)); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
|
193 } |
|
194 |
|
195 client->authenticating = FALSE; |
|
196 if (client->auth_request != NULL) { |
|
197 auth_client_request_abort(client->auth_request); |
|
198 client->auth_request = NULL; |
|
199 } |
|
200 |
5232
7e26736a9fba
After calling sasl_callback() the client may be destroyed already. Don't try
Timo Sirainen <tss@iki.fi>
|
201 call_client_callback(client, reply, reason, NULL); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
|
202 } |
4301
0e10b01960a0
IMAP: Reply with tagged BAD if authentication is aborted because client sent
Timo Sirainen <tss@iki.fi>
|
203 |
|
204 void sasl_server_auth_failed(struct client *client, const char *reason) |
|
205 { |
|
206 sasl_server_auth_cancel(client, reason, SASL_SERVER_REPLY_AUTH_FAILED); |
|
207 } |
|
208 |
9218
754234248510
login processes: Auth code cleanups. Custom IMAP auth errors now have [ALERT] prefix.
Timo Sirainen <tss@iki.fi>
|
209 void sasl_server_auth_abort(struct client *client) |
4301
0e10b01960a0
IMAP: Reply with tagged BAD if authentication is aborted because client sent
Timo Sirainen <tss@iki.fi>
|
210 { |
9408
0c7bbdd7b81f
*-login: Log more precise reasons for some auth failures.
Timo Sirainen <tss@iki.fi>
|
211 client->auth_try_aborted = TRUE; |
9218
754234248510
login processes: Auth code cleanups. Custom IMAP auth errors now have [ALERT] prefix.
Timo Sirainen <tss@iki.fi>
|
212 sasl_server_auth_cancel(client, NULL, SASL_SERVER_REPLY_AUTH_ABORTED); |
4301
0e10b01960a0
IMAP: Reply with tagged BAD if authentication is aborted because client sent
Timo Sirainen <tss@iki.fi>
|
213 } |