[dovecot-cvs] dovecot/src/pop3-login client-authenticate.c, 1.28,
1.29 client.c, 1.27, 1.28 client.h, 1.10, 1.11
cras at dovecot.org
cras at dovecot.org
Tue Oct 5 19:00:21 EEST 2004
Update of /var/lib/cvs/dovecot/src/pop3-login
In directory talvi:/tmp/cvs-serv755/pop3-login
Modified Files:
client-authenticate.c client.c client.h
Log Message:
auth_verbose now affects imap/pop3 login processes too. Every authentication
attempt by a client is logged. Also fixed the replies to AUTHENTICATE/AUTH
commands that were aborted by the client.
Index: client-authenticate.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/pop3-login/client-authenticate.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -d -r1.28 -r1.29
--- client-authenticate.c 15 Sep 2004 13:20:17 -0000 1.28
+++ client-authenticate.c 5 Oct 2004 16:00:18 -0000 1.29
@@ -1,4 +1,4 @@
-/* Copyright (C) 2002 Timo Sirainen */
+/* Copyright (C) 2002-2004 Timo Sirainen */
#include "common.h"
#include "base64.h"
@@ -9,6 +9,7 @@
#include "ostream.h"
#include "safe-memset.h"
#include "str.h"
+#include "str-sanitize.h"
#include "auth-client.h"
#include "../pop3/capability.h"
#include "ssl-proxy.h"
@@ -18,6 +19,9 @@
#include "client-authenticate.h"
#include "ssl-proxy.h"
+/* Used only for string sanitization while verbose_auth is set. */
+#define MAX_MECH_NAME 64
+
int cmd_capa(struct pop3_client *client, const char *args __attr_unused__)
{
const struct auth_mech_desc *mech;
@@ -51,11 +55,16 @@
static void client_auth_abort(struct pop3_client *client, const char *msg)
{
+ client->authenticating = FALSE;
+
if (client->common.auth_request != NULL) {
auth_client_request_abort(client->common.auth_request);
client->common.auth_request = NULL;
}
+ if (msg != NULL && verbose_auth)
+ client_syslog(client, "Authentication failed: %s", msg);
+
client_send_line(client, msg != NULL ? t_strconcat("-ERR ", msg, NULL) :
"-ERR Authentication failed.");
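Review bot: When `msg` is NULL the client still receives `-ERR Authentication failed.` but nothing is logged, because the added check is `msg != NULL && verbose_auth`. That leaves a failed attempt unrecorded on this side unless the auth process logs it itself, which is not visible here. Consider logging both cases under `if (verbose_auth)`, e.g. `client_syslog(client, "Authentication failed: %s", msg != NULL ? msg : "no reason given");`. `msg` is also formatted without `str_sanitize()`, so it is worth confirming that no caller passes client-supplied text. The function body continues past the end of this hunk.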
@@ -111,19 +120,6 @@
t_pop();
}
-static enum auth_client_request_new_flags
-client_get_auth_flags(struct pop3_client *client)
-{
- enum auth_client_request_new_flags auth_flags = 0;
-
- if (client->common.proxy != NULL &&
- ssl_proxy_has_valid_client_cert(client->common.proxy))
- auth_flags |= AUTH_CLIENT_FLAG_SSL_VALID_CLIENT_CERT;
- if (client->tls)
- auth_flags |= AUTH_CLIENT_FLAG_SSL_ENABLED;
- return auth_flags;
-}
-
static void login_callback(struct auth_request *request,
struct auth_client_request_reply *reply,
const unsigned char *data, void *context)
@@ -142,14 +138,32 @@
default:
/* success, we should be able to log in. if we fail, just
disconnect the client. */
+ client->authenticating = FALSE;
client_send_line(client, "+OK Logged in.");
client_unref(client);
}
}
+static enum auth_client_request_new_flags
+client_get_auth_flags(struct pop3_client *client)
+{
+ enum auth_client_request_new_flags auth_flags = 0;
+
+ if (client->common.proxy != NULL &&
+ ssl_proxy_has_valid_client_cert(client->common.proxy))
+ auth_flags |= AUTH_CLIENT_FLAG_SSL_VALID_CLIENT_CERT;
+ if (client->tls)
+ auth_flags |= AUTH_CLIENT_FLAG_SSL_ENABLED;
+ return auth_flags;
+}
+
int cmd_user(struct pop3_client *client, const char *args)
{
if (!client->secured && disable_plaintext_auth) {
+ if (verbose_auth) {
+ client_syslog(client, "Login failed: "
+ "Plaintext authentication disabled");
+ }
client_send_line(client,
"-ERR Plaintext authentication disabled.");
return TRUE;
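Review bot: `login_callback` now clears `client->authenticating` on success but, unlike `authenticate_callback` later in this commit, gets no `if (!client->authenticating)` early return. If that is deliberate because client input is removed while a USER/PASS login is pending, a comment above the switch would help, for example `/* no abort check needed: client input is disabled until the login finishes */`. The failure cases of the switch lie outside the hunk, so whether they also clear the flag cannot be confirmed from here.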
@@ -190,23 +204,27 @@
info.initial_resp_size = str_len(plain_login);
client_ref(client);
+
client->common.auth_request =
auth_client_request_new(auth_client, NULL, &info,
login_callback, client, &error);
-
- if (client->common.auth_request != NULL) {
- /* don't read any input from client until login is finished */
- if (client->common.io != NULL) {
- io_remove(client->common.io);
- client->common.io = NULL;
- }
- return TRUE;
- } else {
+ if (client->common.auth_request == NULL) {
+ if (verbose_auth)
+ client_syslog(client, "Login failed: %s", error);
client_send_line(client,
t_strconcat("-ERR Login failed: ", error, NULL));
client_unref(client);
return TRUE;
}
+
+ /* don't read any input from client until login is finished */
+ if (client->common.io != NULL) {
+ io_remove(client->common.io);
+ client->common.io = NULL;
+ }
+
+ client->authenticating = TRUE;
+ return TRUE;
}
static void authenticate_callback(struct auth_request *request,
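Review bot: In the new `auth_request == NULL` branch, `error` is passed to `client_syslog(client, "Login failed: %s", error)` and to `t_strconcat()` without a NULL check, while the APOP code in this same file has an `error == NULL` branch for a lost auth connection. If request creation can fail here without setting `error`, the log call formats a NULL `%s` argument and the reply is cut short at `-ERR Login failed: `. A fallback before the logging would cover it, such as `if (error == NULL) error = "Internal authentication failure";` (the wording is only a suggestion). The same pattern appears in the `Authenticate %s failed: %s` branch of the later AUTH hunk.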
@@ -216,6 +234,12 @@
struct pop3_client *client = context;
const char *error;
+ if (!client->authenticating) {
+ /* client aborted */
+ i_assert(reply == NULL);
+ return;
+ }
+
switch (auth_callback(request, reply, data, &client->common,
master_callback, &error)) {
case -1:
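Review bot: The new early return relies on `i_assert(reply == NULL)`, so a reply delivered after the client aborted would take down the login process rather than be ignored, assuming `i_assert` is fatal in normal builds. Whether `auth_client_request_abort()` guarantees that no further reply reaches this callback is not visible in the hunk. If it does not, a plain `if (!client->authenticating) return;` is the safer behaviour for a pre-authentication process, with a comment stating that late replies are dropped. The function starts and ends outside this hunk.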
@@ -230,6 +254,7 @@
default:
/* success, we should be able to log in. if we fail, just
disconnect the client. */
+ client->authenticating = FALSE;
client_send_line(client, "+OK Logged in.");
client_unref(client);
}
@@ -307,12 +332,22 @@
mech = auth_client_find_mech(auth_client, mech_name);
if (mech == NULL) {
+ if (verbose_auth) {
+ client_syslog(client, "Authenticate %s failed: "
+ "Unsupported mechanism",
+ str_sanitize(mech_name, MAX_MECH_NAME));
+ }
client_send_line(client,
"-ERR Unsupported authentication mechanism.");
return TRUE;
}
if (!client->secured && mech->plaintext && disable_plaintext_auth) {
+ if (verbose_auth) {
+ client_syslog(client, "Authenticate %s failed: "
+ "Plaintext authentication disabled",
+ str_sanitize(mech_name, MAX_MECH_NAME));
+ }
client_send_line(client,
"-ERR Plaintext authentication disabled.");
return TRUE;
@@ -346,7 +381,13 @@
io_remove(client->common.io);
client->common.io = io_add(client->common.fd, IO_READ,
client_auth_input, client);
+ client->authenticating = TRUE;
} else {
+ if (verbose_auth) {
+ client_syslog(client, "Authenticate %s failed: %s",
+ str_sanitize(mech_name, MAX_MECH_NAME),
+ error);
+ }
client_send_line(client, t_strconcat(
"-ERR Authentication failed: ", error, NULL));
client_unref(client);
@@ -362,6 +403,8 @@
buffer_t *apop_data;
if (client->apop_challenge == NULL) {
+ if (verbose_auth)
+ client_syslog(client, "APOP failed: APOP not enabled");
client_send_line(client, "-ERR APOP not enabled.");
return TRUE;
}
@@ -369,6 +412,10 @@
/* <username> <md5 sum in hex> */
p = strchr(args, ' ');
if (p == NULL || strlen(p+1) != 32) {
+ if (verbose_auth) {
+ client_syslog(client, "APOP failed: "
+ "Invalid parameters");
+ }
client_send_line(client, "-ERR Invalid parameters.");
return TRUE;
}
@@ -382,6 +429,10 @@
buffer_append_c(apop_data, '\0');
if (hex_to_binary(p+1, apop_data) <= 0) {
+ if (verbose_auth) {
+ client_syslog(client, "APOP failed: "
+ "Invalid characters in MD5 response");
+ }
client_send_line(client,
"-ERR Invalid characters in MD5 response.");
return TRUE;
@@ -409,6 +460,7 @@
io_remove(client->common.io);
client->common.io = NULL;
}
+ client->authenticating = TRUE;
} else if (error == NULL) {
/* the auth connection was lost. we have no choice
but to fail the APOP logins completely since the
@@ -416,6 +468,8 @@
client_destroy(client, "APOP auth connection lost");
client_unref(client);
} else {
+ if (verbose_auth)
+ client_syslog(client, "APOP failed: %s", error);
client_send_line(client,
t_strconcat("-ERR Login failed: ", error, NULL));
client_unref(client);
Index: client.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/pop3-login/client.c,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -d -r1.27 -r1.28
--- client.c 27 Sep 2004 15:58:57 -0000 1.27
+++ client.c 5 Oct 2004 16:00:18 -0000 1.28
@@ -340,7 +340,7 @@
client->destroyed = TRUE;
if (reason != NULL)
- client_syslog(client, reason);
+ client_syslog(client, "%s", reason);
hash_remove(clients, client);
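Review bot: Passing `reason` through `"%s"` closes the format-string hole at this call, but the same concern applies to every other `client_syslog()` caller now that its second parameter is a format. Only the callers touched in this commit are visible, so any remaining call that passes a variable as the second argument needs the same `"%s"` treatment. The `__attr_format__(2, 3)` annotation added in client.h lets the compiler check these calls, so a build with format warnings enabled is a cheap way to find them.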
@@ -405,15 +405,20 @@
client_destroy(client, "Transmit buffer full");
}
-void client_syslog(struct pop3_client *client, const char *text)
+void client_syslog(struct pop3_client *client, const char *format, ...)
{
const char *addr;
+ va_list args;
addr = net_ip2addr(&client->common.ip);
if (addr == NULL)
addr = "??";
- i_info("%s [%s]", text, addr);
+ t_push();
+ va_start(args, format);
+ i_info("%s [%s]", t_strdup_vprintf(format, args), addr);
+ va_end(args);
+ t_pop();
}
static void client_check_idle(struct pop3_client *client)
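Review bot: `client_syslog` has no comment stating its new printf-style contract, and the formatted text is handed to `i_info` as is. Within this commit only `mech_name` goes through `str_sanitize()`, while the `msg` and `error` strings are logged unchanged. A header comment would make the responsibility explicit for future call sites, such as `/* printf-style; values that originate from the client must be passed through str_sanitize() by the caller */`.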
Index: client.h
===================================================================
RCS file: /var/lib/cvs/dovecot/src/pop3-login/client.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- client.h 3 Jul 2004 09:44:21 -0000 1.10
+++ client.h 5 Oct 2004 16:00:18 -0000 1.11
@@ -25,6 +25,7 @@
unsigned int tls:1;
unsigned int secured:1;
+ unsigned int authenticating:1;
unsigned int auth_connected:1;
unsigned int destroyed:1;
};
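Review bot: The new `authenticating` bit has no comment, so its meaning has to be pieced together from client-authenticate.c. There it is set once an auth request has been started and cleared in `client_auth_abort` and on successful login. A short comment on the field would document that, e.g. `/* auth request in progress; cleared on abort or success */`. The struct begins outside this hunk.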
@@ -32,7 +33,8 @@
void client_destroy(struct pop3_client *client, const char *reason);
void client_send_line(struct pop3_client *client, const char *line);
-void client_syslog(struct pop3_client *client, const char *text);
+void client_syslog(struct pop3_client *client, const char *format, ...)
+ __attr_format__(2, 3);
int client_read(struct pop3_client *client);
void client_input(void *context);