Mercurial > dovecot > original-hg > dovecot-1.2
changeset 3073:7e0caae73c59 HEAD
Require a valid timestamp in APOP challenge.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 09 Jan 2005 02:48:02 +0200 |
parents | 289a98ba5d95 |
children | 3feb38ff17f5 |
files | src/auth/common.h src/auth/main.c src/auth/mech-apop.c src/pop3-login/client.c |
diffstat | 4 files changed, 18 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/src/auth/common.h Sat Jan 08 23:37:32 2005 +0200 +++ b/src/auth/common.h Sun Jan 09 02:48:02 2005 +0200 @@ -9,5 +9,6 @@ extern struct ioloop *ioloop; extern int standalone; +extern time_t process_start_time; #endif
--- a/src/auth/main.c Sat Jan 08 23:37:32 2005 +0200 +++ b/src/auth/main.c Sun Jan 09 02:48:02 2005 +0200 @@ -25,6 +25,7 @@ struct ioloop *ioloop; int standalone = FALSE; +time_t process_start_time; static buffer_t *masters_buf; static struct auth *auth; @@ -193,6 +194,8 @@ const char *env; unsigned int pid; + process_start_time = ioloop_time; + mech_init(); auth_init(auth); auth_requests_init();
--- a/src/auth/mech-apop.c Sat Jan 08 23:37:32 2005 +0200 +++ b/src/auth/mech-apop.c Sun Jan 09 02:48:02 2005 +0200 @@ -17,7 +17,8 @@ #include "auth-client-connection.h" #include "auth-master-connection.h" -#include <ctype.h> +#include <stdio.h> +#include <unistd.h> struct apop_auth_request { struct auth_request auth_request; @@ -76,7 +77,8 @@ struct apop_auth_request *request = (struct apop_auth_request *)auth_request; const unsigned char *tmp, *end, *username = NULL; - const char *str, *error; + unsigned long pid, connect_uid, timestamp; + const char *error; if (data_size == 0) { /* Should never happen */ @@ -94,10 +96,14 @@ /* the challenge must begin with trusted unique ID. we trust only ourself, so make sure it matches our connection specific UID - which we told to client in handshake. */ - str = t_strdup_printf("<%x.%x.", auth_request->conn->master->pid, - auth_request->conn->connect_uid); - if (memcmp(data, str, strlen(str)) != 0) { + which we told to client in handshake. Also require a timestamp + which is later than this process's start time. */ + + if (sscanf((const char *)data, "<%lx.%lx.%lx.", + &pid, &connect_uid, ×tamp) != 3 || + connect_uid != auth_request->conn->connect_uid || + pid != (unsigned long)getpid() || + (time_t)timestamp < process_start_time) { auth_request_log_info(auth_request, "apop", "invalid challenge"); auth_request_fail(auth_request);
--- a/src/pop3-login/client.c Sat Jan 08 23:37:32 2005 +0200 +++ b/src/pop3-login/client.c Sun Jan 09 02:48:02 2005 +0200 @@ -274,8 +274,9 @@ base64_encode(buffer, sizeof(buffer), buf); buffer_append_c(buf, '\0'); - ret = i_strdup_printf("<%x.%x.%s@%s>", + ret = i_strdup_printf("<%x.%x.%lx.%s@%s>", id->server_pid, id->connect_uid, + (unsigned long)ioloop_time, (const char *)buf->data, my_hostname); t_pop(); return ret;