changeset 3073:7e0caae73c59 HEAD

Require a valid timestamp in APOP challenge.
author Timo Sirainen <tss@iki.fi>
date Sun, 09 Jan 2005 02:48:02 +0200
parents 289a98ba5d95
children 3feb38ff17f5
files src/auth/common.h src/auth/main.c src/auth/mech-apop.c src/pop3-login/client.c
diffstat 4 files changed, 18 insertions(+), 7 deletions(-) [+]
--- a/src/auth/common.h	Sat Jan 08 23:37:32 2005 +0200
+++ b/src/auth/common.h	Sun Jan 09 02:48:02 2005 +0200
@@ -9,5 +9,6 @@
 
 extern struct ioloop *ioloop;
 extern int standalone;
+extern time_t process_start_time;
 
 #endif
--- a/src/auth/main.c	Sat Jan 08 23:37:32 2005 +0200
+++ b/src/auth/main.c	Sun Jan 09 02:48:02 2005 +0200
@@ -25,6 +25,7 @@
 
 struct ioloop *ioloop;
 int standalone = FALSE;
+time_t process_start_time;
 
 static buffer_t *masters_buf;
 static struct auth *auth;
@@ -193,6 +194,8 @@
 	const char *env;
 	unsigned int pid;
 
+	process_start_time = ioloop_time;
+
 	mech_init();
 	auth_init(auth);
 	auth_requests_init();
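Review bot: Nothing at the `process_start_time = ioloop_time;` assignment records why the start time is captured or that it depends on `ioloop_time` already holding a real value. If the ioloop has not been created before this function runs (not visible in the hunk), the stored value would be 0 and the `timestamp < process_start_time` check in mech-apop.c would accept any timestamp. A comment such as `/* lower bound for APOP challenge timestamps; ioloop_time must be initialized by now */` would make that dependency explicit. The enclosing function starts and ends outside the hunk.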
--- a/src/auth/mech-apop.c	Sat Jan 08 23:37:32 2005 +0200
+++ b/src/auth/mech-apop.c	Sun Jan 09 02:48:02 2005 +0200
@@ -17,7 +17,8 @@
 #include "auth-client-connection.h"
 #include "auth-master-connection.h"
 
-#include <ctype.h>
+#include <stdio.h>
+#include <unistd.h>
 
 struct apop_auth_request {
 	struct auth_request auth_request;
@@ -76,7 +77,8 @@
 	struct apop_auth_request *request =
 		(struct apop_auth_request *)auth_request;
 	const unsigned char *tmp, *end, *username = NULL;
-	const char *str, *error;
+	unsigned long pid, connect_uid, timestamp;
+	const char *error;
 
 	if (data_size == 0) {
 		/* Should never happen */
@@ -94,10 +96,14 @@
 
 	/* the challenge must begin with trusted unique ID. we trust only
 	   ourself, so make sure it matches our connection specific UID
-	   which we told to client in handshake. */
-        str = t_strdup_printf("<%x.%x.", auth_request->conn->master->pid,
-			      auth_request->conn->connect_uid);
-	if (memcmp(data, str, strlen(str)) != 0) {
+	   which we told to client in handshake. Also require a timestamp
+	   which is later than this process's start time. */
+
+	if (sscanf((const char *)data, "<%lx.%lx.%lx.",
+		   &pid, &connect_uid, &timestamp) != 3 ||
+	    connect_uid != auth_request->conn->connect_uid ||
+            pid != (unsigned long)getpid() ||
+	    (time_t)timestamp < process_start_time) {
 		auth_request_log_info(auth_request, "apop",
 				      "invalid challenge");
 		auth_request_fail(auth_request);
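Review bot: The `sscanf` check on the client-supplied challenge is looser than the `memcmp` prefix match it replaces: `%lx` skips leading whitespace and accepts a sign or `0x` prefix, and a return value of 3 does not show that the trailing `.` matched. It also reads `data` as a C string, so it relies on code above this hunk (not visible here) having confirmed a NUL byte inside `data_size`. Adding `%n` would at least confirm the literal tail was consumed, e.g. `"<%lx.%lx.%lx.%n"` with `int n = 0` and an extra `|| n == 0` condition; parsing with `strtoul` and end-pointer checks would be stricter still. The timestamp is bounded only from below, so an additional `(time_t)timestamp > ioloop_time` test would also reject values from the future. The enclosing function starts and ends outside the hunk.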
--- a/src/pop3-login/client.c	Sat Jan 08 23:37:32 2005 +0200
+++ b/src/pop3-login/client.c	Sun Jan 09 02:48:02 2005 +0200
@@ -274,8 +274,9 @@
 	base64_encode(buffer, sizeof(buffer), buf);
 	buffer_append_c(buf, '\0');
 
-	ret = i_strdup_printf("<%x.%x.%s@%s>",
+	ret = i_strdup_printf("<%x.%x.%lx.%s@%s>",
 			      id->server_pid, id->connect_uid,
+			      (unsigned long)ioloop_time,
 			      (const char *)buf->data, my_hostname);
 	t_pop();
 	return ret;
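Review bot: The challenge layout built by `i_strdup_printf("<%x.%x.%lx.%s@%s>", ...)` is parsed by a separate `sscanf` format in src/auth/mech-apop.c, and nothing in this hunk ties the two together. A later change to either side would make every APOP login fail with "invalid challenge", or could weaken the check without anyone noticing. A comment above the call such as `/* layout must match the "<%lx.%lx.%lx." parse in auth/mech-apop.c */` would document the coupling. It would also help to state that the third field is the challenge issue time in seconds, which the auth process compares with its own start time. The enclosing function starts outside the hunk.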