changeset 8926:415089905616 HEAD
imap-login: Use [resp-codes] to figure out when to replace remote's auth failed message with ours.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Tue, 07 Apr 2009 16:38:47 -0400 |
parents | 4907cc591449 |
children | 7d484e0f0789 |
files | src/imap-login/client-authenticate.c src/imap-login/client-authenticate.h src/imap-login/imap-proxy.c src/pop3-login/pop3-proxy.c |
diffstat | 4 files changed, 50 insertions(+), 23 deletions(-) [+] |
--- a/src/imap-login/client-authenticate.c Tue Apr 07 14:42:16 2009 -0400
+++ b/src/imap-login/client-authenticate.c Tue Apr 07 16:38:47 2009 -0400
@@ -21,9 +21,6 @@
 #define AUTH_FAILURE_DELAY_INCREASE_MSECS 5000
 #define IMAP_SERVICE_NAME "imap"
-#define IMAP_AUTH_FAILED_MSG "["IMAP_RESP_CODE_AUTHFAILED"] "AUTH_FAILED_MSG
-#define IMAP_AUTHZ_FAILED_MSG \
- "["IMAP_RESP_CODE_AUTHZFAILED"] Authorization failed"
 const char *client_authenticate_get_capabilities(bool secured)
 {
--- a/src/imap-login/client-authenticate.h Tue Apr 07 14:42:16 2009 -0400
+++ b/src/imap-login/client-authenticate.h Tue Apr 07 16:38:47 2009 -0400
@@ -1,6 +1,13 @@
 #ifndef CLIENT_AUTHENTICATE_H
 #define CLIENT_AUTHENTICATE_H
+struct imap_arg;
+
+#define IMAP_AUTH_FAILED_MSG \
+ "["IMAP_RESP_CODE_AUTHFAILED"] "AUTH_FAILED_MSG
+#define IMAP_AUTHZ_FAILED_MSG \
+ "["IMAP_RESP_CODE_AUTHZFAILED"] Authorization failed"
+
 const char *client_authenticate_get_capabilities(bool secured);
 int cmd_login(struct imap_client *client, const struct imap_arg *args);
--- a/src/imap-login/imap-proxy.c Tue Apr 07 14:42:16 2009 -0400
+++ b/src/imap-login/imap-proxy.c Tue Apr 07 16:38:47 2009 -0400
@@ -9,6 +9,7 @@
 #include "str-sanitize.h"
 #include "safe-memset.h"
 #include "client.h"
+#include "client-authenticate.h"
 #include "imap-resp-code.h"
 #include "imap-quote.h"
 #include "imap-proxy.h"
@@ -186,21 +187,7 @@
 client_destroy_success(client, str_c(str));
 return 1;
 } else if (strncmp(line, "L ", 2) == 0) {
- /* If the backend server isn't Dovecot, the error message may
- be different from Dovecot's "user doesn't exist" error. This
- would allow an attacker to find out what users exist in the
- system.
-
- The optimal way to handle this would be to replace the
- backend's "password failed" error message with Dovecot's
- AUTH_FAILED_MSG, but this would require a new setting and
- the sysadmin to actually bother setting it properly.
-
- So for now we'll just forward the error message. This
- shouldn't be a real problem since of course everyone will
- be using only Dovecot as their backend :) */
- client_send_tagline(client, line + 2);
-
+ line += 2;
 if (verbose_auth) {
 str = t_str_new(128);
 str_printfa(str, "proxy(%s): Login failed to %s:%u",
@@ -218,12 +205,35 @@
 client->proxy_master_user);
 }
 str_append(str, ": ");
- if (strncasecmp(line + 2, "NO ", 3) == 0)
- str_append(str, line + 2 + 3);
+ if (strncasecmp(line, "NO ", 3) == 0)
+ str_append(str, line + 3);
 else
- str_append(str, line + 2);
+ str_append(str, line);
 i_info("%s", str_c(str));
 }
+#define STR_NO_IMAP_RESP_CODE_AUTHFAILED "NO ["IMAP_RESP_CODE_AUTHFAILED"]"
+ if (strncmp(line, STR_NO_IMAP_RESP_CODE_AUTHFAILED,
+ strlen(STR_NO_IMAP_RESP_CODE_AUTHFAILED)) == 0) {
+ /* the remote sent a generic "authentication failed"
+ error. replace it with our one, so that in case
+ the remote is sending a different error message
+ an attacker can't find out what users exist in
+ the system. */
+ line = "NO "IMAP_AUTH_FAILED_MSG;
+ } else if (strncmp(line, "NO [", 4) == 0) {
+ /* remote sent some other resp-code. forward it. */
+ } else {
+ /* there was no [resp-code], so remote isn't Dovecot
+ v1.2+. we could either forward the line as-is and
+ leak information about what users exist in this
+ system, or we could hide other errors than password
+ failures. since other errors are pretty rare,
+ it's safer to just hide them. they're still
+ available in logs though. */
+ line = "NO "IMAP_AUTH_FAILED_MSG;
+ }
+ client_send_tagline(client, line);
+
 proxy_failed(client, FALSE);
 return -1;
 } else {
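Review bot: The `NO [` branch forwards any backend reply that carries a resp-code other than the authentication-failed one, text included, so the anti-enumeration property now rests on the backend using a single code and text for both unknown-user and wrong-password failures, and the one-line comment there does not say so. I would record that assumption in the comment, e.g. `/* remote sent some other resp-code. forward it; this assumes the remote never uses a distinct resp-code for unknown users. */`, or compare against the specific codes this proxy is willing to relay. The prefix tests are case-sensitive `strncmp` while the logging path just above uses `strncasecmp`; a differently-cased reply falls into the final branch and is replaced, which fails safe but deserves a word in the comment. The enclosing function starts and ends outside this hunk.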
--- a/src/pop3-login/pop3-proxy.c Tue Apr 07 14:42:16 2009 -0400
+++ b/src/pop3-login/pop3-proxy.c Tue Apr 07 16:38:47 2009 -0400
@@ -137,8 +137,21 @@
 return 1;
 }
- /* Login failed. Pass through the error message to client
- (see imap-proxy code for potential problems with this) */
+ /* Login failed. Pass through the error message to client.
+
+ If the backend server isn't Dovecot, the error message may
+ be different from Dovecot's "user doesn't exist" error. This
+ would allow an attacker to find out what users exist in the
+ system.
+
+ The optimal way to handle this would be to replace the
+ backend's "password failed" error message with Dovecot's
+ AUTH_FAILED_MSG, but this would require a new setting and
+ the sysadmin to actually bother setting it properly.
+
+ So for now we'll just forward the error message. This
+ shouldn't be a real problem since of course everyone will
+ be using only Dovecot as their backend :) */
 if (strncmp(line, "-ERR ", 5) != 0)
 client_send_line(client, "-ERR "AUTH_FAILED_MSG);
 else
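Review bot: The POP3 proxy still appears to relay the backend's failure text, because only a reply that does not start with `-ERR ` is replaced with AUTH_FAILED_MSG. A non-Dovecot backend with different unknown-user and bad-password texts would therefore still disclose which accounts exist, which is the exposure this commit closes on the IMAP side. The relocated comment explains the risk but ends on a joke, so I would close it with an explicit marker such as `TODO: replace the backend's -ERR text with AUTH_FAILED_MSG, as imap-proxy now does`, which keeps the gap findable. The `else` branch and the rest of the function lie outside this hunk, so how the forwarded line is sent is not visible here.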