dovecot-1.2: Login process: Log auth failure reasons better in d...
dovecot at dovecot.org
dovecot at dovecot.org
Sun Oct 19 14:01:01 EEST 2008
details: http://hg.dovecot.org/dovecot-1.2/rev/0db37acdc59f
changeset: 8302:0db37acdc59f
user: Timo Sirainen <tss at iki.fi>
date: Sun Oct 19 14:00:57 2008 +0300
description:
Login process: Log auth failure reasons better in disconnect message.
For example if client certs are required it now logs if the cert wasn't sent
or if the cert was invalid.
diffstat:
12 files changed, 56 insertions(+), 20 deletions(-)
src/imap-login/client-authenticate.c | 1 +
src/imap-login/client.c | 14 ++++----------
src/login-common/client-common.c | 22 ++++++++++++++++++++++
src/login-common/client-common.h | 1 +
src/login-common/common.h | 1 +
src/login-common/main.c | 2 ++
src/login-common/ssl-proxy-openssl.c | 5 +++++
src/login-common/ssl-proxy.c | 5 +++++
src/login-common/ssl-proxy.h | 1 +
src/master/login-process.c | 9 +++++++++
src/pop3-login/client-authenticate.c | 1 +
src/pop3-login/client.c | 14 ++++----------
diffs (221 lines):
diff -r d46579bb7a3c -r 0db37acdc59f src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/imap-login/client-authenticate.c Sun Oct 19 14:00:57 2008 +0300
@@ -322,6 +322,7 @@ int cmd_login(struct imap_client *client
"Plaintext authentication disabled");
}
client->common.auth_tried_disabled_plaintext = TRUE;
+ client->common.auth_attempts++;
client_send_line(client,
"* BAD [ALERT] Plaintext authentication is disabled, "
"but your client sent password in plaintext anyway. "
diff -r d46579bb7a3c -r 0db37acdc59f src/imap-login/client.c
--- a/src/imap-login/client.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/imap-login/client.c Sun Oct 19 14:00:57 2008 +0300
@@ -256,12 +256,7 @@ static int cmd_logout(struct imap_client
{
client_send_line(client, "* BYE Logging out");
client_send_tagline(client, "OK Logout completed.");
- if (client->common.auth_tried_disabled_plaintext) {
- client_destroy(client, "Aborted login "
- "(tried to use disabled plaintext authentication)");
- } else {
- client_destroy(client, "Aborted login");
- }
+ client_destroy(client, "Aborted login");
return 1;
}
@@ -547,10 +542,9 @@ void client_destroy(struct imap_client *
client->destroyed = TRUE;
if (!client->login_success && reason != NULL) {
- reason = client->common.auth_attempts == 0 ?
- t_strdup_printf("%s (no auth attempts)", reason) :
- t_strdup_printf("%s (auth failed, %u attempts)",
- reason, client->common.auth_attempts);
+ reason = t_strconcat(reason, " ",
+ client_get_extra_disconnect_reason(&client->common),
+ NULL);
}
if (reason != NULL)
client_syslog(&client->common, reason);
diff -r d46579bb7a3c -r 0db37acdc59f src/login-common/client-common.c
--- a/src/login-common/client-common.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/login-common/client-common.c Sun Oct 19 14:00:57 2008 +0300
@@ -179,3 +179,25 @@ bool client_is_trusted(struct client *cl
}
return FALSE;
}
+
+const char *client_get_extra_disconnect_reason(struct client *client)
+{
+ if (ssl_require_client_cert && client->proxy != NULL) {
+ if (ssl_proxy_has_broken_client_cert(client->proxy))
+ return "(client sent an invalid cert)";
+ if (!ssl_proxy_has_valid_client_cert(client->proxy))
+ return "(client didn't send a cert)";
+ }
+
+ if (client->auth_attempts == 0)
+ return "(no auth attempts)";
+
+ /* some auth attempts without SSL/TLS */
+ if (client->auth_tried_disabled_plaintext)
+ return "(tried to use disabled plaintext auth)";
+ if (ssl_require_client_cert)
+ return "(cert required, client didn't start TLS)";
+
+ return t_strdup_printf("(auth failed, %u attempts)",
+ client->auth_attempts);
+}
diff -r d46579bb7a3c -r 0db37acdc59f src/login-common/client-common.h
--- a/src/login-common/client-common.h Sun Oct 19 13:32:01 2008 +0300
+++ b/src/login-common/client-common.h Sun Oct 19 14:00:57 2008 +0300
@@ -54,6 +54,7 @@ unsigned int clients_get_count(void) ATT
unsigned int clients_get_count(void) ATTR_PURE;
void client_syslog(struct client *client, const char *msg);
+const char *client_get_extra_disconnect_reason(struct client *client);
bool client_is_trusted(struct client *client);
void clients_notify_auth_connected(void);
diff -r d46579bb7a3c -r 0db37acdc59f src/login-common/common.h
--- a/src/login-common/common.h Sun Oct 19 13:32:01 2008 +0300
+++ b/src/login-common/common.h Sun Oct 19 14:00:57 2008 +0300
@@ -15,6 +15,7 @@ extern const char *login_protocol;
extern bool disable_plaintext_auth, process_per_connection;
extern bool verbose_proctitle, verbose_ssl, verbose_auth;
+extern bool ssl_require_client_cert;
extern const char *greeting, *log_format;
extern const char *const *log_format_elements;
extern const char *capability_string;
diff -r d46579bb7a3c -r 0db37acdc59f src/login-common/main.c
--- a/src/login-common/main.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/login-common/main.c Sun Oct 19 14:00:57 2008 +0300
@@ -21,6 +21,7 @@
bool disable_plaintext_auth, process_per_connection;
bool verbose_proctitle, verbose_ssl, verbose_auth;
+bool ssl_require_client_cert;
const char *greeting, *log_format;
const char *const *log_format_elements;
const char *trusted_networks;
@@ -317,6 +318,7 @@ static void main_init(void)
verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
verbose_ssl = getenv("VERBOSE_SSL") != NULL;
verbose_auth = getenv("VERBOSE_AUTH") != NULL;
+ ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
greeting = getenv("GREETING");
if (greeting == NULL)
diff -r d46579bb7a3c -r 0db37acdc59f src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Sun Oct 19 14:00:57 2008 +0300
@@ -517,6 +517,11 @@ bool ssl_proxy_has_valid_client_cert(con
return proxy->cert_received && !proxy->cert_broken;
}
+bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy)
+{
+ return proxy->cert_received && proxy->cert_broken;
+}
+
const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
{
X509 *x509;
diff -r d46579bb7a3c -r 0db37acdc59f src/login-common/ssl-proxy.c
--- a/src/login-common/ssl-proxy.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/login-common/ssl-proxy.c Sun Oct 19 14:00:57 2008 +0300
@@ -17,6 +17,11 @@ int ssl_proxy_new(int fd ATTR_UNUSED, st
}
bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy ATTR_UNUSED)
+{
+ return FALSE;
+}
+
+bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy ATTR_UNUSED)
{
return FALSE;
}
diff -r d46579bb7a3c -r 0db37acdc59f src/login-common/ssl-proxy.h
--- a/src/login-common/ssl-proxy.h Sun Oct 19 13:32:01 2008 +0300
+++ b/src/login-common/ssl-proxy.h Sun Oct 19 14:00:57 2008 +0300
@@ -11,6 +11,7 @@ extern bool ssl_initialized;
the given fd must be simply forgotten. */
int ssl_proxy_new(int fd, struct ip_addr *ip, struct ssl_proxy **proxy_r);
bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy) ATTR_PURE;
+bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy);
const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy);
bool ssl_proxy_is_handshaked(const struct ssl_proxy *proxy) ATTR_PURE;
const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) ATTR_PURE;
diff -r d46579bb7a3c -r 0db37acdc59f src/master/login-process.c
--- a/src/master/login-process.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/master/login-process.c Sun Oct 19 14:00:57 2008 +0300
@@ -530,6 +530,8 @@ static void login_process_init_env(struc
static void login_process_init_env(struct login_group *group, pid_t pid)
{
struct settings *set = group->set;
+ const struct auth_settings *auth;
+ bool require_cert;
child_process_init_env();
@@ -579,6 +581,13 @@ static void login_process_init_env(struc
env_put("VERBOSE_SSL=1");
if (set->server->auths->verbose)
env_put("VERBOSE_AUTH=1");
+ require_cert = TRUE;
+ for (auth = set->server->auths; auth != NULL; auth = auth->next) {
+ if (!auth->ssl_require_client_cert)
+ require_cert = FALSE;
+ }
+ if (require_cert)
+ env_put("SSL_REQUIRE_CLIENT_CERT=1");
if (set->login_process_per_connection) {
env_put("PROCESS_PER_CONNECTION=1");
diff -r d46579bb7a3c -r 0db37acdc59f src/pop3-login/client-authenticate.c
--- a/src/pop3-login/client-authenticate.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/pop3-login/client-authenticate.c Sun Oct 19 14:00:57 2008 +0300
@@ -276,6 +276,7 @@ static bool check_plaintext_auth(struct
}
client_send_line(client, "-ERR "AUTH_PLAINTEXT_DISABLED_MSG);
client->common.auth_tried_disabled_plaintext = TRUE;
+ client->common.auth_attempts++;
return FALSE;
}
diff -r d46579bb7a3c -r 0db37acdc59f src/pop3-login/client.c
--- a/src/pop3-login/client.c Sun Oct 19 13:32:01 2008 +0300
+++ b/src/pop3-login/client.c Sun Oct 19 14:00:57 2008 +0300
@@ -143,12 +143,7 @@ static bool cmd_quit(struct pop3_client
static bool cmd_quit(struct pop3_client *client)
{
client_send_line(client, "+OK Logging out");
- if (client->common.auth_tried_disabled_plaintext) {
- client_destroy(client, "Aborted login "
- "(tried to use disabled plaintext authentication)");
- } else {
- client_destroy(client, "Aborted login");
- }
+ client_destroy(client, "Aborted login");
return TRUE;
}
@@ -352,10 +347,9 @@ void client_destroy(struct pop3_client *
client->destroyed = TRUE;
if (!client->login_success && reason != NULL) {
- reason = client->common.auth_attempts == 0 ?
- t_strdup_printf("%s (no auth attempts)", reason) :
- t_strdup_printf("%s (auth failed, %u attempts)",
- reason, client->common.auth_attempts);
+ reason = t_strconcat(reason, " ",
+ client_get_extra_disconnect_reason(&client->common),
+ NULL);
}
if (reason != NULL)
client_syslog(&client->common, reason);
More information about the dovecot-cvs
mailing list