dovecot-1.1: Login process: Log auth failure reasons better in d...

dovecot at dovecot.org dovecot at dovecot.org
Sun Oct 19 13:58:35 EEST 2008


details:   http://hg.dovecot.org/dovecot-1.1/rev/a496e5a323e5
changeset: 7954:a496e5a323e5
user:      Timo Sirainen <tss at iki.fi>
date:      Sun Oct 19 13:58:30 2008 +0300
description:
Login process: Log auth failure reasons better in disconnect message.
For example if client certs are required it now logs if the cert wasn't sent
or if the cert was invalid.

diffstat:

12 files changed, 56 insertions(+), 20 deletions(-)
src/imap-login/client-authenticate.c |    1 +
src/imap-login/client.c              |   14 ++++----------
src/login-common/client-common.c     |   22 ++++++++++++++++++++++
src/login-common/client-common.h     |    1 +
src/login-common/common.h            |    1 +
src/login-common/main.c              |    2 ++
src/login-common/ssl-proxy-openssl.c |    5 +++++
src/login-common/ssl-proxy.c         |    5 +++++
src/login-common/ssl-proxy.h         |    1 +
src/master/login-process.c           |    9 +++++++++
src/pop3-login/client-authenticate.c |    1 +
src/pop3-login/client.c              |   14 ++++----------

diffs (221 lines):

diff -r bf15f435028c -r a496e5a323e5 src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/imap-login/client-authenticate.c	Sun Oct 19 13:58:30 2008 +0300
@@ -321,6 +321,7 @@ int cmd_login(struct imap_client *client
 				      "Plaintext authentication disabled");
 		}
 		client->common.auth_tried_disabled_plaintext = TRUE;
+		client->common.auth_attempts++;
 		client_send_line(client,
 			"* BAD [ALERT] Plaintext authentication is disabled, "
 			"but your client sent password in plaintext anyway. "
diff -r bf15f435028c -r a496e5a323e5 src/imap-login/client.c
--- a/src/imap-login/client.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/imap-login/client.c	Sun Oct 19 13:58:30 2008 +0300
@@ -207,12 +207,7 @@ static int cmd_logout(struct imap_client
 {
 	client_send_line(client, "* BYE Logging out");
 	client_send_tagline(client, "OK Logout completed.");
-	if (client->common.auth_tried_disabled_plaintext) {
-		client_destroy(client, "Aborted login "
-			"(tried to use disabled plaintext authentication)");
-	} else {
-		client_destroy(client, "Aborted login");
-	}
+	client_destroy(client, "Aborted login");
 	return 1;
 }
 
@@ -485,10 +480,9 @@ void client_destroy(struct imap_client *
 	client->destroyed = TRUE;
 
 	if (!client->login_success && reason != NULL) {
-		reason = client->common.auth_attempts == 0 ?
-			t_strdup_printf("%s (no auth attempts)", reason) :
-			t_strdup_printf("%s (auth failed, %u attempts)",
-					reason, client->common.auth_attempts);
+		reason = t_strconcat(reason, " ",
+			client_get_extra_disconnect_reason(&client->common),
+			NULL);
 	}
 	if (reason != NULL)
 		client_syslog(&client->common, reason);
diff -r bf15f435028c -r a496e5a323e5 src/login-common/client-common.c
--- a/src/login-common/client-common.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/login-common/client-common.c	Sun Oct 19 13:58:30 2008 +0300
@@ -154,3 +154,25 @@ void client_syslog(struct client *client
 		client_syslog_real(client, msg);
 	} T_END;
 }
+
+const char *client_get_extra_disconnect_reason(struct client *client)
+{
+	if (ssl_require_client_cert && client->proxy != NULL) {
+		if (ssl_proxy_has_broken_client_cert(client->proxy))
+			return "(client sent an invalid cert)";
+		if (!ssl_proxy_has_valid_client_cert(client->proxy))
+			return "(client didn't send a cert)";
+	}
+
+	if (client->auth_attempts == 0)
+		return "(no auth attempts)";
+
+	/* some auth attempts without SSL/TLS */
+	if (client->auth_tried_disabled_plaintext)
+		return "(tried to use disabled plaintext auth)";
+	if (ssl_require_client_cert)
+		return "(cert required, client didn't start TLS)";
+
+	return t_strdup_printf("(auth failed, %u attempts)",
+			       client->auth_attempts);
+}
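Review bot: The final `if (ssl_require_client_cert)` check is reached for TLS connections too, not only for cleartext ones as the comment above it says. When `client->proxy` is non-NULL and the cert is valid, the first block falls through, so a client that then fails password auth is logged as "(cert required, client didn't start TLS)". That drops the attempt count for the sessions that got furthest, which matters when these disconnect lines are used to spot password guessing. Testing the proxy explicitly, `if (ssl_require_client_cert && client->proxy == NULL)`, lets that case reach the "(auth failed, %u attempts)" return. The `auth_tried_disabled_plaintext` flag also appears to be set and never cleared in the visible hunks, so a client rejected once in cleartext that later fails auth after STARTTLS would presumably lose its count as well; consider including `auth_attempts` in that message.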
diff -r bf15f435028c -r a496e5a323e5 src/login-common/client-common.h
--- a/src/login-common/client-common.h	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/login-common/client-common.h	Sun Oct 19 13:58:30 2008 +0300
@@ -42,6 +42,7 @@ unsigned int clients_get_count(void);
 unsigned int clients_get_count(void);
 
 void client_syslog(struct client *client, const char *msg);
+const char *client_get_extra_disconnect_reason(struct client *client);
 
 void clients_notify_auth_connected(void);
 void client_destroy_oldest(void);
diff -r bf15f435028c -r a496e5a323e5 src/login-common/common.h
--- a/src/login-common/common.h	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/login-common/common.h	Sun Oct 19 13:58:30 2008 +0300
@@ -15,6 +15,7 @@ extern const char *login_protocol;
 
 extern bool disable_plaintext_auth, process_per_connection, greeting_capability;
 extern bool verbose_proctitle, verbose_ssl, verbose_auth;
+extern bool ssl_require_client_cert;
 extern const char *greeting, *log_format;
 extern const char *const *log_format_elements;
 extern const char *capability_string;
diff -r bf15f435028c -r a496e5a323e5 src/login-common/main.c
--- a/src/login-common/main.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/login-common/main.c	Sun Oct 19 13:58:30 2008 +0300
@@ -21,6 +21,7 @@
 
 bool disable_plaintext_auth, process_per_connection, greeting_capability;
 bool verbose_proctitle, verbose_ssl, verbose_auth;
+bool ssl_require_client_cert;
 const char *greeting, *log_format;
 const char *const *log_format_elements;
 unsigned int max_connections;
@@ -316,6 +317,7 @@ static void main_init(void)
 	verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
         verbose_ssl = getenv("VERBOSE_SSL") != NULL;
         verbose_auth = getenv("VERBOSE_AUTH") != NULL;
+	ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
 
 	greeting = getenv("GREETING");
 	if (greeting == NULL)
diff -r bf15f435028c -r a496e5a323e5 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Sun Oct 19 13:58:30 2008 +0300
@@ -517,6 +517,11 @@ bool ssl_proxy_has_valid_client_cert(str
 	return proxy->cert_received && !proxy->cert_broken;
 }
 
+bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy)
+{
+	return proxy->cert_received && proxy->cert_broken;
+}
+
 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
 {
 	X509 *x509;
diff -r bf15f435028c -r a496e5a323e5 src/login-common/ssl-proxy.c
--- a/src/login-common/ssl-proxy.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/login-common/ssl-proxy.c	Sun Oct 19 13:58:30 2008 +0300
@@ -17,6 +17,11 @@ int ssl_proxy_new(int fd ATTR_UNUSED, st
 }
 
 bool ssl_proxy_has_valid_client_cert(struct ssl_proxy *proxy ATTR_UNUSED)
+{
+	return FALSE;
+}
+
+bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy ATTR_UNUSED)
 {
 	return FALSE;
 }
diff -r bf15f435028c -r a496e5a323e5 src/login-common/ssl-proxy.h
--- a/src/login-common/ssl-proxy.h	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/login-common/ssl-proxy.h	Sun Oct 19 13:58:30 2008 +0300
@@ -11,6 +11,7 @@ extern bool ssl_initialized;
    the given fd must be simply forgotten. */
 int ssl_proxy_new(int fd, struct ip_addr *ip, struct ssl_proxy **proxy_r);
 bool ssl_proxy_has_valid_client_cert(struct ssl_proxy *proxy);
+bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy);
 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy);
 bool ssl_proxy_is_handshaked(struct ssl_proxy *proxy);
 const char *ssl_proxy_get_last_error(struct ssl_proxy *proxy);
diff -r bf15f435028c -r a496e5a323e5 src/master/login-process.c
--- a/src/master/login-process.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/master/login-process.c	Sun Oct 19 13:58:30 2008 +0300
@@ -508,6 +508,8 @@ static void login_process_init_env(struc
 static void login_process_init_env(struct login_group *group, pid_t pid)
 {
 	struct settings *set = group->set;
+	const struct auth_settings *auth;
+	bool require_cert;
 
 	child_process_init_env();
 
@@ -557,6 +559,13 @@ static void login_process_init_env(struc
 		env_put("VERBOSE_SSL=1");
 	if (set->server->auths->verbose)
 		env_put("VERBOSE_AUTH=1");
+	require_cert = TRUE;
+	for (auth = set->server->auths; auth != NULL; auth = auth->next) {
+		if (!auth->ssl_require_client_cert)
+			require_cert = FALSE;
+	}
+	if (require_cert)
+		env_put("SSL_REQUIRE_CLIENT_CERT=1");
 
 	if (set->login_process_per_connection) {
 		env_put("PROCESS_PER_CONNECTION=1");
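Review bot: The added loop exports SSL_REQUIRE_CLIENT_CERT only when every auth section sets `ssl_require_client_cert`, and nothing in the hunk says why all-of was chosen over any-of. In a mixed configuration the login process will presumably never log the cert-related disconnect reasons, even for clients turned away by the section that does require a cert. A comment such as `/* report "cert required" only if all auth sections demand it; the login process can't tell which section applied */` would make that limit visible to whoever reads the logs. The `verbose` check just above reads only the first auth section, so the two settings are aggregated differently; worth confirming that is intended. login_process_init_env starts and ends outside this hunk.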
diff -r bf15f435028c -r a496e5a323e5 src/pop3-login/client-authenticate.c
--- a/src/pop3-login/client-authenticate.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/pop3-login/client-authenticate.c	Sun Oct 19 13:58:30 2008 +0300
@@ -277,6 +277,7 @@ static bool check_plaintext_auth(struct 
 	}
 	client_send_line(client, "-ERR "AUTH_PLAINTEXT_DISABLED_MSG);
 	client->common.auth_tried_disabled_plaintext = TRUE;
+	client->common.auth_attempts++;
 	return FALSE;
 }
 
diff -r bf15f435028c -r a496e5a323e5 src/pop3-login/client.c
--- a/src/pop3-login/client.c	Sun Oct 19 13:31:32 2008 +0300
+++ b/src/pop3-login/client.c	Sun Oct 19 13:58:30 2008 +0300
@@ -146,12 +146,7 @@ static bool cmd_quit(struct pop3_client 
 static bool cmd_quit(struct pop3_client *client)
 {
 	client_send_line(client, "+OK Logging out");
-	if (client->common.auth_tried_disabled_plaintext) {
-		client_destroy(client, "Aborted login "
-			"(tried to use disabled plaintext authentication)");
-	} else {
-		client_destroy(client, "Aborted login");
-	}
+	client_destroy(client, "Aborted login");
 	return TRUE;
 }
 
@@ -352,10 +347,9 @@ void client_destroy(struct pop3_client *
 	client->destroyed = TRUE;
 
 	if (!client->login_success && reason != NULL) {
-		reason = client->common.auth_attempts == 0 ?
-			t_strdup_printf("%s (no auth attempts)", reason) :
-			t_strdup_printf("%s (auth failed, %u attempts)",
-					reason, client->common.auth_attempts);
+		reason = t_strconcat(reason, " ",
+			client_get_extra_disconnect_reason(&client->common),
+			NULL);
 	}
 	if (reason != NULL)
 		client_syslog(&client->common, reason);

