dovecot-1.3: imap-login: Use [resp-codes] to figure out when to ...
dovecot at dovecot.org
dovecot at dovecot.org
Tue Apr 7 23:41:32 EEST 2009
details: http://hg.dovecot.org/dovecot-1.3/rev/72045e108c8b
changeset: 9038:72045e108c8b
user: Timo Sirainen <tss at iki.fi>
date: Tue Apr 07 16:41:23 2009 -0400
description:
imap-login: Use [resp-codes] to figure out when to replace remote's auth failed message with ours.
diffstat:
4 files changed, 50 insertions(+), 23 deletions(-)
src/imap-login/client-authenticate.c | 3 --
src/imap-login/client-authenticate.h | 7 +++++
src/imap-login/imap-proxy.c | 46 ++++++++++++++++++++--------------
src/pop3-login/pop3-proxy.c | 17 +++++++++++-
diffs (129 lines):
diff -r a33777517e3a -r 72045e108c8b src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c Tue Apr 07 14:35:03 2009 -0400
+++ b/src/imap-login/client-authenticate.c Tue Apr 07 16:41:23 2009 -0400
@@ -21,9 +21,6 @@
#define AUTH_FAILURE_DELAY_INCREASE_MSECS 5000
#define IMAP_SERVICE_NAME "imap"
-#define IMAP_AUTH_FAILED_MSG "["IMAP_RESP_CODE_AUTHFAILED"] "AUTH_FAILED_MSG
-#define IMAP_AUTHZ_FAILED_MSG \
- "["IMAP_RESP_CODE_AUTHZFAILED"] Authorization failed"
const char *client_authenticate_get_capabilities(bool secured)
{
diff -r a33777517e3a -r 72045e108c8b src/imap-login/client-authenticate.h
--- a/src/imap-login/client-authenticate.h Tue Apr 07 14:35:03 2009 -0400
+++ b/src/imap-login/client-authenticate.h Tue Apr 07 16:41:23 2009 -0400
@@ -1,5 +1,12 @@
#ifndef CLIENT_AUTHENTICATE_H
#define CLIENT_AUTHENTICATE_H
+
+struct imap_arg;
+
+#define IMAP_AUTH_FAILED_MSG \
+ "["IMAP_RESP_CODE_AUTHFAILED"] "AUTH_FAILED_MSG
+#define IMAP_AUTHZ_FAILED_MSG \
+ "["IMAP_RESP_CODE_AUTHZFAILED"] Authorization failed"
const char *client_authenticate_get_capabilities(bool secured);
diff -r a33777517e3a -r 72045e108c8b src/imap-login/imap-proxy.c
--- a/src/imap-login/imap-proxy.c Tue Apr 07 14:35:03 2009 -0400
+++ b/src/imap-login/imap-proxy.c Tue Apr 07 16:41:23 2009 -0400
@@ -9,6 +9,7 @@
#include "str-sanitize.h"
#include "safe-memset.h"
#include "client.h"
+#include "client-authenticate.h"
#include "imap-resp-code.h"
#include "imap-quote.h"
#include "imap-proxy.h"
@@ -186,21 +187,7 @@ static int proxy_input_line(struct imap_
client_destroy_success(client, str_c(str));
return 1;
} else if (strncmp(line, "L ", 2) == 0) {
- /* If the backend server isn't Dovecot, the error message may
- be different from Dovecot's "user doesn't exist" error. This
- would allow an attacker to find out what users exist in the
- system.
-
- The optimal way to handle this would be to replace the
- backend's "password failed" error message with Dovecot's
- AUTH_FAILED_MSG, but this would require a new setting and
- the sysadmin to actually bother setting it properly.
-
- So for now we'll just forward the error message. This
- shouldn't be a real problem since of course everyone will
- be using only Dovecot as their backend :) */
- client_send_tagline(client, line + 2);
-
+ line += 2;
if (login_settings->verbose_auth) {
str = t_str_new(128);
str_printfa(str, "proxy(%s): Login failed to %s:%u",
@@ -218,12 +205,35 @@ static int proxy_input_line(struct imap_
client->proxy_master_user);
}
str_append(str, ": ");
- if (strncasecmp(line + 2, "NO ", 3) == 0)
- str_append(str, line + 2 + 3);
+ if (strncasecmp(line, "NO ", 3) == 0)
+ str_append(str, line + 3);
else
- str_append(str, line + 2);
+ str_append(str, line);
i_info("%s", str_c(str));
}
+#define STR_NO_IMAP_RESP_CODE_AUTHFAILED "NO ["IMAP_RESP_CODE_AUTHFAILED"]"
+ if (strncmp(line, STR_NO_IMAP_RESP_CODE_AUTHFAILED,
+ strlen(STR_NO_IMAP_RESP_CODE_AUTHFAILED)) == 0) {
+ /* the remote sent a generic "authentication failed"
+ error. replace it with our one, so that in case
+ the remote is sending a different error message
+ an attacker can't find out what users exist in
+ the system. */
+ line = "NO "IMAP_AUTH_FAILED_MSG;
+ } else if (strncmp(line, "NO [", 4) == 0) {
+ /* remote sent some other resp-code. forward it. */
+ } else {
+ /* there was no [resp-code], so remote isn't Dovecot
+ v1.2+. we could either forward the line as-is and
+ leak information about what users exist in this
+ system, or we could hide other errors than password
+ failures. since other errors are pretty rare,
+ it's safer to just hide them. they're still
+ available in logs though. */
+ line = "NO "IMAP_AUTH_FAILED_MSG;
+ }
+ client_send_tagline(client, line);
+
proxy_failed(client, FALSE);
return -1;
} else {
diff -r a33777517e3a -r 72045e108c8b src/pop3-login/pop3-proxy.c
--- a/src/pop3-login/pop3-proxy.c Tue Apr 07 14:35:03 2009 -0400
+++ b/src/pop3-login/pop3-proxy.c Tue Apr 07 16:41:23 2009 -0400
@@ -137,8 +137,21 @@ static int proxy_input_line(struct pop3_
return 1;
}
- /* Login failed. Pass through the error message to client
- (see imap-proxy code for potential problems with this) */
+ /* Login failed. Pass through the error message to client.
+
+ If the backend server isn't Dovecot, the error message may
+ be different from Dovecot's "user doesn't exist" error. This
+ would allow an attacker to find out what users exist in the
+ system.
+
+ The optimal way to handle this would be to replace the
+ backend's "password failed" error message with Dovecot's
+ AUTH_FAILED_MSG, but this would require a new setting and
+ the sysadmin to actually bother setting it properly.
+
+ So for now we'll just forward the error message. This
+ shouldn't be a real problem since of course everyone will
+ be using only Dovecot as their backend :) */
if (strncmp(line, "-ERR ", 5) != 0)
client_send_line(client, "-ERR "AUTH_FAILED_MSG);
else
More information about the dovecot-cvs
mailing list