Mercurial > dovecot > original-hg > dovecot-1.2
view src/auth/auth-request-handler.c @ 9266:cd29b745c8dd HEAD
configure: clock_gettime()'s -lrt adding dropped everything else from $LIBS.
| author | Timo Sirainen <tss@iki.fi> |
|---|---|
| date | Mon, 27 Jul 2009 06:32:42 -0400 |
| parents | ee173ea99ea6 |
| children | 00cd9aacd03c |
line wrap: on
line source
/* Copyright (c) 2005-2009 Dovecot authors, see the included COPYING file */ #include "common.h" #include "ioloop.h" #include "array.h" #include "aqueue.h" #include "base64.h" #include "hash.h" #include "str.h" #include "str-sanitize.h" #include "auth-request.h" #include "auth-master-connection.h" #include "auth-request-handler.h" #include <stdlib.h> #define DEFAULT_AUTH_FAILURE_DELAY 2 #define AUTH_FAILURE_DELAY_CHECK_MSECS 500 struct auth_request_handler { int refcount; pool_t pool; struct hash_table *requests; struct auth *auth; unsigned int connect_uid, client_pid; auth_request_callback_t *callback; void *context; auth_request_callback_t *master_callback; }; static ARRAY_DEFINE(auth_failures_arr, struct auth_request *); static struct aqueue *auth_failures; static struct timeout *to_auth_failures; static unsigned int auth_failure_delay; static void auth_failure_timeout(void *context); #undef auth_request_handler_create struct auth_request_handler * auth_request_handler_create(struct auth *auth, auth_request_callback_t *callback, void *context, auth_request_callback_t *master_callback) { struct auth_request_handler *handler; pool_t pool; pool = pool_alloconly_create("auth request handler", 4096); handler = p_new(pool, struct auth_request_handler, 1); handler->refcount = 1; handler->pool = pool; handler->requests = hash_table_create(default_pool, pool, 0, NULL, NULL); handler->auth = auth; handler->callback = callback; handler->context = context; handler->master_callback = master_callback; return handler; } void auth_request_handler_unref(struct auth_request_handler **_handler) { struct auth_request_handler *handler = *_handler; struct hash_iterate_context *iter; void *key, *value; *_handler = NULL; i_assert(handler->refcount > 0); if (--handler->refcount > 0) return; iter = hash_table_iterate_init(handler->requests); while (hash_table_iterate(iter, &key, &value)) { struct auth_request *auth_request = value; auth_request_unref(&auth_request); } hash_table_iterate_deinit(&iter); /* notify parent that we're done with all requests */ handler->callback(NULL, handler->context); hash_table_destroy(&handler->requests); pool_unref(&handler->pool); } void auth_request_handler_set(struct auth_request_handler *handler, unsigned int connect_uid, unsigned int client_pid) { handler->connect_uid = connect_uid; handler->client_pid = client_pid; } static void auth_request_handler_remove(struct auth_request_handler *handler, struct auth_request *request) { hash_table_remove(handler->requests, POINTER_CAST(request->id)); auth_request_unref(&request); } void auth_request_handler_check_timeouts(struct auth_request_handler *handler) { struct hash_iterate_context *iter; void *key, *value; iter = hash_table_iterate_init(handler->requests); while (hash_table_iterate(iter, &key, &value)) { struct auth_request *request = value; if (request->last_access + AUTH_REQUEST_TIMEOUT < ioloop_time) auth_request_handler_remove(handler, request); } hash_table_iterate_deinit(&iter); } static void get_client_extra_fields(struct auth_request *request, struct auth_stream_reply *reply) { const char **fields, *extra_fields; unsigned int src, dest; bool seen_pass = FALSE; if (auth_stream_is_empty(request->extra_fields)) return; extra_fields = auth_stream_reply_export(request->extra_fields); if (!request->proxy) { /* we only wish to remove all fields prefixed with "userdb_" */ if (strstr(extra_fields, "userdb_") == NULL) { auth_stream_reply_import(reply, extra_fields); return; } } fields = t_strsplit(extra_fields, "\t"); for (src = dest = 0; fields[src] != NULL; src++) { if (strncmp(fields[src], "userdb_", 7) != 0) { if (!seen_pass && strncmp(fields[src], "pass=", 5) == 0) seen_pass = TRUE; auth_stream_reply_import(reply, fields[src]); } } if (request->proxy) { /* we're proxying */ if (!seen_pass && request->mech_password != NULL) { /* send back the password that was sent by user (not the password in passdb). */ auth_stream_reply_add(reply, "pass", request->mech_password); } if (request->master_user != NULL) { /* the master username needs to be forwarded */ auth_stream_reply_add(reply, "master", request->master_user); } } } static void auth_request_handle_failure(struct auth_request *request, struct auth_stream_reply *reply) { struct auth_request_handler *handler = request->context; if (request->delayed_failure) { /* we came here from flush_failures() */ handler->callback(reply, handler->context); return; } /* remove the request from requests-list */ auth_request_ref(request); auth_request_handler_remove(handler, request); if (request->no_failure_delay) { /* passdb specifically requested not to delay the reply. */ handler->callback(reply, handler->context); auth_request_unref(&request); return; } /* failure. don't announce it immediately to avoid a) timing attacks, b) flooding */ request->delayed_failure = TRUE; handler->refcount++; request->last_access = ioloop_time; aqueue_append(auth_failures, &request); if (to_auth_failures == NULL) { to_auth_failures = timeout_add(AUTH_FAILURE_DELAY_CHECK_MSECS, auth_failure_timeout, NULL); } } static void auth_callback(struct auth_request *request, enum auth_client_result result, const void *auth_reply, size_t reply_size) { struct auth_request_handler *handler = request->context; struct auth_stream_reply *reply; string_t *str; reply = auth_stream_reply_init(pool_datastack_create()); switch (result) { case AUTH_CLIENT_RESULT_CONTINUE: auth_stream_reply_add(reply, "CONT", NULL); auth_stream_reply_add(reply, NULL, dec2str(request->id)); str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size)); base64_encode(auth_reply, reply_size, str); auth_stream_reply_add(reply, NULL, str_c(str)); request->accept_input = TRUE; handler->callback(reply, handler->context); break; case AUTH_CLIENT_RESULT_SUCCESS: auth_request_proxy_finish(request, TRUE); auth_stream_reply_add(reply, "OK", NULL); auth_stream_reply_add(reply, NULL, dec2str(request->id)); auth_stream_reply_add(reply, "user", request->user); if (reply_size > 0) { str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size)); base64_encode(auth_reply, reply_size, str); auth_stream_reply_add(reply, "resp", str_c(str)); } get_client_extra_fields(request, reply); if (request->no_login || handler->master_callback == NULL) { /* this request doesn't have to wait for master process to pick it up. delete it */ auth_request_handler_remove(handler, request); } handler->callback(reply, handler->context); break; case AUTH_CLIENT_RESULT_FAILURE: auth_request_proxy_finish(request, FALSE); auth_stream_reply_add(reply, "FAIL", NULL); auth_stream_reply_add(reply, NULL, dec2str(request->id)); if (request->user != NULL) auth_stream_reply_add(reply, "user", request->user); if (request->internal_failure) auth_stream_reply_add(reply, "temp", NULL); else if (request->master_user != NULL) { /* authentication succeeded, but we can't log in as the wanted user */ auth_stream_reply_add(reply, "authz", NULL); } if (request->no_failure_delay) auth_stream_reply_add(reply, "nodelay", NULL); get_client_extra_fields(request, reply); auth_request_handle_failure(request, reply); break; } /* NOTE: request may be destroyed now */ auth_request_handler_unref(&handler); } static void auth_request_handler_auth_fail(struct auth_request_handler *handler, struct auth_request *request, const char *reason) { struct auth_stream_reply *reply; auth_request_log_info(request, request->mech->mech_name, "%s", reason); reply = auth_stream_reply_init(pool_datastack_create()); auth_stream_reply_add(reply, "FAIL", NULL); auth_stream_reply_add(reply, NULL, dec2str(request->id)); auth_stream_reply_add(reply, "reason", reason); handler->callback(reply, handler->context); auth_request_handler_remove(handler, request); } bool auth_request_handler_auth_begin(struct auth_request_handler *handler, const char *args) { const struct mech_module *mech; struct auth_request *request; const char *const *list, *name, *arg, *initial_resp; const void *initial_resp_data; size_t initial_resp_len; unsigned int id; buffer_t *buf; /* <id> <mechanism> [...] */ list = t_strsplit(args, "\t"); if (list[0] == NULL || list[1] == NULL) { i_error("BUG: Authentication client %u " "sent broken AUTH request", handler->client_pid); return FALSE; } id = (unsigned int)strtoul(list[0], NULL, 10); mech = mech_module_find(list[1]); if (mech == NULL) { /* unsupported mechanism */ i_error("BUG: Authentication client %u requested unsupported " "authentication mechanism %s", handler->client_pid, str_sanitize(list[1], MAX_MECH_NAME_LEN)); return FALSE; } request = auth_request_new(handler->auth, mech, auth_callback, handler); request->connect_uid = handler->connect_uid; request->client_pid = handler->client_pid; request->id = id; /* parse optional parameters */ initial_resp = NULL; for (list += 2; *list != NULL; list++) { arg = strchr(*list, '='); if (arg == NULL) { name = *list; arg = ""; } else { name = t_strdup_until(*list, arg); arg++; } if (auth_request_import(request, name, arg)) ; else if (strcmp(name, "resp") == 0) { initial_resp = arg; /* this must be the last parameter */ list++; break; } } if (*list != NULL) { i_error("BUG: Authentication client %u " "sent AUTH parameters after 'resp'", handler->client_pid); return FALSE; } if (request->service == NULL) { i_error("BUG: Authentication client %u " "didn't specify service in request", handler->client_pid); return FALSE; } hash_table_insert(handler->requests, POINTER_CAST(id), request); if (request->auth->ssl_require_client_cert && !request->valid_client_cert) { /* we fail without valid certificate */ auth_request_handler_auth_fail(handler, request, "Client didn't present valid SSL certificate"); return TRUE; } /* Empty initial response is a "=" base64 string. Completely empty string shouldn't really be sent, but at least Exim does it, so just allow it for backwards compatibility.. */ if (initial_resp == NULL || *initial_resp == '\0') { initial_resp_data = NULL; initial_resp_len = 0; } else { size_t len = strlen(initial_resp); buf = buffer_create_dynamic(pool_datastack_create(), MAX_BASE64_DECODED_SIZE(len)); if (base64_decode(initial_resp, len, NULL, buf) < 0) { auth_request_handler_auth_fail(handler, request, "Invalid base64 data in initial response"); return TRUE; } initial_resp_data = buf->data; initial_resp_len = buf->used; } /* handler is referenced until auth_callback is called. */ handler->refcount++; auth_request_initial(request, initial_resp_data, initial_resp_len); return TRUE; } bool auth_request_handler_auth_continue(struct auth_request_handler *handler, const char *args) { struct auth_request *request; const char *data; size_t data_len; buffer_t *buf; unsigned int id; data = strchr(args, '\t'); if (data == NULL) { i_error("BUG: Authentication client sent broken CONT request"); return FALSE; } data++; id = (unsigned int)strtoul(args, NULL, 10); request = hash_table_lookup(handler->requests, POINTER_CAST(id)); if (request == NULL) { struct auth_stream_reply *reply; reply = auth_stream_reply_init(pool_datastack_create()); auth_stream_reply_add(reply, "FAIL", NULL); auth_stream_reply_add(reply, NULL, dec2str(id)); auth_stream_reply_add(reply, "reason", "Timeouted"); handler->callback(reply, handler->context); return TRUE; } /* accept input only once after mechanism has sent a CONT reply */ if (!request->accept_input) { auth_request_handler_auth_fail(handler, request, "Unexpected continuation"); return TRUE; } request->accept_input = FALSE; data_len = strlen(data); buf = buffer_create_dynamic(pool_datastack_create(), MAX_BASE64_DECODED_SIZE(data_len)); if (base64_decode(data, data_len, NULL, buf) < 0) { auth_request_handler_auth_fail(handler, request, "Invalid base64 data in continued response"); return TRUE; } /* handler is referenced until auth_callback is called. */ handler->refcount++; auth_request_continue(request, buf->data, buf->used); return TRUE; } static void userdb_callback(enum userdb_result result, struct auth_request *request) { struct auth_request_handler *handler = request->context; struct auth_stream_reply *reply; i_assert(request->state == AUTH_REQUEST_STATE_USERDB); request->state = AUTH_REQUEST_STATE_FINISHED; if (request->userdb_lookup_failed) result = USERDB_RESULT_INTERNAL_FAILURE; reply = auth_stream_reply_init(pool_datastack_create()); switch (result) { case USERDB_RESULT_INTERNAL_FAILURE: auth_stream_reply_add(reply, "FAIL", NULL); auth_stream_reply_add(reply, NULL, dec2str(request->id)); break; case USERDB_RESULT_USER_UNKNOWN: auth_stream_reply_add(reply, "NOTFOUND", NULL); auth_stream_reply_add(reply, NULL, dec2str(request->id)); break; case USERDB_RESULT_OK: auth_stream_reply_add(reply, "USER", NULL); auth_stream_reply_add(reply, NULL, dec2str(request->id)); if (request->master_user != NULL) { auth_stream_reply_add(request->userdb_reply, "master_user", request->master_user); } auth_stream_reply_import(reply, auth_stream_reply_export(request->userdb_reply)); break; } handler->master_callback(reply, request->master); auth_master_connection_unref(&request->master); auth_request_unref(&request); auth_request_handler_unref(&handler); } void auth_request_handler_master_request(struct auth_request_handler *handler, struct auth_master_connection *master, unsigned int id, unsigned int client_id) { struct auth_request *request; struct auth_stream_reply *reply; reply = auth_stream_reply_init(pool_datastack_create()); request = hash_table_lookup(handler->requests, POINTER_CAST(client_id)); if (request == NULL) { i_error("Master request %u.%u not found", handler->client_pid, client_id); auth_stream_reply_add(reply, "NOTFOUND", NULL); auth_stream_reply_add(reply, NULL, dec2str(id)); handler->master_callback(reply, master); return; } auth_request_ref(request); auth_request_handler_remove(handler, request); if (request->state != AUTH_REQUEST_STATE_FINISHED || !request->successful) { i_error("Master requested unfinished authentication request " "%u.%u", handler->client_pid, client_id); auth_stream_reply_add(reply, "NOTFOUND", NULL); auth_stream_reply_add(reply, NULL, dec2str(id)); handler->master_callback(reply, master); auth_request_unref(&request); } else { /* the request isn't being referenced anywhere anymore, so we can do a bit of kludging.. replace the request's old client_id with master's id. */ request->state = AUTH_REQUEST_STATE_USERDB; request->id = id; request->context = handler; request->master = master; /* master and handler are referenced until userdb_callback i s called. */ auth_master_connection_ref(master); handler->refcount++; auth_request_lookup_user(request, userdb_callback); } } void auth_request_handler_flush_failures(bool flush_all) { struct auth_request **auth_requests, *auth_request; unsigned int i, count; time_t diff; count = aqueue_count(auth_failures); if (count == 0) { if (to_auth_failures != NULL) timeout_remove(&to_auth_failures); return; } auth_requests = array_idx_modifiable(&auth_failures_arr, 0); for (i = 0; i < count; i++) { auth_request = auth_requests[aqueue_idx(auth_failures, 0)]; diff = ioloop_time - auth_request->last_access; if (diff < (time_t)auth_failure_delay && !flush_all) break; aqueue_delete_tail(auth_failures); i_assert(auth_request->state == AUTH_REQUEST_STATE_FINISHED); auth_request->callback(auth_request, AUTH_CLIENT_RESULT_FAILURE, NULL, 0); auth_request_unref(&auth_request); } } static void auth_failure_timeout(void *context ATTR_UNUSED) { auth_request_handler_flush_failures(FALSE); } void auth_request_handler_init(void) { const char *env; env = getenv("FAILURE_DELAY"); auth_failure_delay = env != NULL ? atoi(env) : DEFAULT_AUTH_FAILURE_DELAY; i_array_init(&auth_failures_arr, 128); auth_failures = aqueue_init(&auth_failures_arr.arr); } void auth_request_handler_deinit(void) { auth_request_handler_flush_failures(TRUE); array_free(&auth_failures_arr); aqueue_deinit(&auth_failures); if (to_auth_failures != NULL) timeout_remove(&to_auth_failures); }