[dovecot-cvs] dovecot/src/auth common.h, 1.9, 1.10 main.c, 1.35,
1.36 mech-apop.c, 1.13, 1.14
cras at dovecot.org
cras at dovecot.org
Sun Jan 9 02:48:06 EET 2005
Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv27272/auth
Modified Files:
common.h main.c mech-apop.c
Log Message:
Require a valid timestamp in APOP challenge.
Index: common.h
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/common.h,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- common.h 8 Jan 2005 16:56:04 -0000 1.9
+++ common.h 9 Jan 2005 00:48:02 -0000 1.10
@@ -9,5 +9,6 @@
extern struct ioloop *ioloop;
extern int standalone;
+extern time_t process_start_time;
#endif
Index: main.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/main.c,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -d -r1.35 -r1.36
--- main.c 8 Jan 2005 16:56:04 -0000 1.35
+++ main.c 9 Jan 2005 00:48:03 -0000 1.36
@@ -25,6 +25,7 @@
struct ioloop *ioloop;
int standalone = FALSE;
+time_t process_start_time;
static buffer_t *masters_buf;
static struct auth *auth;
@@ -193,6 +194,8 @@
const char *env;
unsigned int pid;
+ process_start_time = ioloop_time;
+
mech_init();
auth_init(auth);
auth_requests_init();
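Review bot: `process_start_time = ioloop_time;` is only a useful baseline if `ioloop_time` has already been set when this line runs, and the hunk does not show that. The enclosing function starts and ends outside the hunk, so the ordering relative to ioloop creation cannot be confirmed from here. If the value is still 0 at this point, the new lower-bound test in mech-apop.c (`(time_t)timestamp < process_start_time`) would reject essentially nothing. Either take the time directly with `process_start_time = time(NULL);` or document the requirement with a comment such as `/* ioloop must already be created: ioloop_time is the start-time baseline for APOP challenges */`.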
Index: mech-apop.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/mech-apop.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- mech-apop.c 8 Jan 2005 21:37:32 -0000 1.13
+++ mech-apop.c 9 Jan 2005 00:48:03 -0000 1.14
@@ -17,7 +17,8 @@
#include "auth-client-connection.h"
#include "auth-master-connection.h"
-#include <ctype.h>
+#include <stdio.h>
+#include <unistd.h>
struct apop_auth_request {
struct auth_request auth_request;
@@ -76,7 +77,8 @@
struct apop_auth_request *request =
(struct apop_auth_request *)auth_request;
const unsigned char *tmp, *end, *username = NULL;
- const char *str, *error;
+ unsigned long pid, connect_uid, timestamp;
+ const char *error;
if (data_size == 0) {
/* Should never happen */
@@ -94,10 +96,14 @@
/* the challenge must begin with trusted unique ID. we trust only
ourself, so make sure it matches our connection specific UID
- which we told to client in handshake. */
- str = t_strdup_printf("<%x.%x.", auth_request->conn->master->pid,
- auth_request->conn->connect_uid);
- if (memcmp(data, str, strlen(str)) != 0) {
+ which we told to client in handshake. Also require a timestamp
+ which is later than this process's start time. */
+
+ if (sscanf((const char *)data, "<%lx.%lx.%lx.",
+ &pid, &connect_uid, ×tamp) != 3 ||
+ connect_uid != auth_request->conn->connect_uid ||
+ pid != (unsigned long)getpid() ||
+ (time_t)timestamp < process_start_time) {
auth_request_log_info(auth_request, "apop",
"invalid challenge");
auth_request_fail(auth_request);
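Review bot: The `sscanf((const char *)data, ...)` call treats `data` as a NUL-terminated string, but it arrives as a length-delimited buffer (`data_size`), and nothing visible in this hunk guarantees a terminator inside it. The function body starts and ends outside the hunk, so an earlier check may exist. If it does not, parse a bounded copy instead, e.g. `sscanf(t_strndup(data, data_size), "<%lx.%lx.%lx.", ...)`. The numeric comparison is also looser than the `memcmp()` it replaces: `%lx` accepts leading whitespace, a sign and a `0x` prefix, and its behaviour on overflow is undefined, so the prefix is no longer pinned to the exact bytes the server issued. The timestamp has only a lower bound, so a value far in the future passes; consider also rejecting `timestamp` values later than the current time. (The `×tamp` on this page is an entity-mangled `&timestamp`.)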