[dovecot-cvs] dovecot/src/auth auth-client-connection.c, 1.40, 1.41 auth-request.c, 1.44, 1.45 auth-request.h, 1.22, 1.23 auth.c, 1.24, 1.25 auth.h, 1.17, 1.18 passdb-cache.c, 1.16, 1.17 passdb-ldap.c, 1.41, 1.42 passdb-passwd-file.c, 1.25, 1.26 passdb-sql.c, 1.25, 1.26 passdb-vpopmail.c, 1.23, 1.24

cras at dovecot.org cras at dovecot.org
Sun Jan 22 13:33:29 EET 2006


Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv22926/src/auth

Modified Files:
	auth-client-connection.c auth-request.c auth-request.h auth.c 
	auth.h passdb-cache.c passdb-ldap.c passdb-passwd-file.c 
	passdb-sql.c passdb-vpopmail.c 
Log Message:
Added auth_debug_passwords setting. If it's not enabled, hide all password
strings from logs.



Index: auth-client-connection.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/auth-client-connection.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -d -r1.40 -r1.41
--- auth-client-connection.c	14 Jan 2006 18:47:20 -0000	1.40
+++ auth-client-connection.c	22 Jan 2006 11:33:27 -0000	1.41
@@ -21,26 +21,38 @@
 static void auth_client_connection_unref(struct auth_client_connection **_conn);
 
 static void auth_client_input(void *context);
-static void auth_client_send(struct auth_client_connection *conn,
-			     const char *fmt, ...) __attr_format__(2, 3);
+
+static const char *reply_line_hide_pass(const char *line)
+{
+	const char *p, *p2;
+
+	/* hide proxy reply password */
+	p = strstr(line, "\tpass=");
+	if (p == NULL)
+		return line;
+	p += 6;
+
+	p2 = strchr(p, '\t');
+	return t_strconcat(t_strdup_until(line, p), "<hidden>", p2, NULL);
+}
 
 static void auth_client_send(struct auth_client_connection *conn,
-			     const char *fmt, ...)
+			     const char *cmd)
 {
-	va_list args;
 	string_t *str;
 
 	i_assert(conn->refcount > 1);
 
 	t_push();
-	va_start(args, fmt);
 	str = t_str_new(256);
-	str_vprintfa(str, fmt, args);
+	str_append(str, cmd);
+	str_append_c(str, '\n');
 
-	if (conn->auth->verbose_debug)
-		i_info("client out: %s", str_c(str));
+	if (conn->auth->verbose_debug) {
+		i_info("client out: %s", conn->auth->verbose_debug_passwords ?
+		       cmd : reply_line_hide_pass(cmd));
+	}
 
-	str_append_c(str, '\n');
 	(void)o_stream_send(conn->output, str_data(str), str_len(str));
 
 	if (o_stream_get_buffer_used_size(conn->output) >=
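Review bot: `p += 6` in reply_line_hide_pass hard-codes the length of the `"\tpass="` literal it has just searched for, so the two drift silently if the field name ever changes; `p += strlen("\tpass=");` (or one shared `static const char` prefix used for both the search and the skip) keeps them tied. auth_line_hide_pass later in this file repeats the same `p += 6` after `"\tresp="`. The trailing `p2` argument appears to rely on t_strconcat stopping at its first NULL, so a password that is the last field still comes out as `...pass=<hidden>`; a one-line comment there would stop a reader from taking it for a NULL dereference. auth_client_send continues past the end of this hunk.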
@@ -50,7 +62,6 @@
 		if (conn->io != NULL)
 			io_remove(&conn->io);
 	}
-	va_end(args);
 	t_pop();
 }
 
@@ -64,7 +75,7 @@
 		return;
 	}
 
-	auth_client_send(conn, "%s", reply);
+	auth_client_send(conn, reply);
 }
 
 static bool
@@ -128,22 +139,55 @@
 	return 1;
 }
 
+static const char *auth_line_hide_pass(const char *line)
+{
+	const char *p, *p2;
+
+	p = strstr(line, "\tresp=");
+	if (p == NULL)
+		return line;
+	p += 6;
+
+	p2 = strchr(p, '\t');
+	return t_strconcat(t_strdup_until(line, p), "<hidden>", p2, NULL);
+}
+
+static const char *cont_line_hide_pass(const char *line)
+{
+	const char *p;
+
+	p = strchr(line, '\t');
+	if (p == NULL)
+		return line;
+
+	return t_strconcat(t_strdup_until(line, p), "<hidden>", NULL);
+}
+
 static bool
 auth_client_handle_line(struct auth_client_connection *conn, const char *line)
 {
-	if (conn->auth->verbose_debug)
-		i_info("client in: %s", line);
-
 	if (strncmp(line, "AUTH\t", 5) == 0) {
+		if (conn->auth->verbose_debug) {
+			i_info("client in: %s",
+			       conn->auth->verbose_debug_passwords ? line :
+			       auth_line_hide_pass(line));
+		}
 		return auth_request_handler_auth_begin(conn->request_handler,
 						       line + 5);
 	}
 	if (strncmp(line, "CONT\t", 5) == 0) {
+		if (conn->auth->verbose_debug) {
+			i_info("client in: %s",
+			       conn->auth->verbose_debug_passwords ? line :
+			       cont_line_hide_pass(line));
+		}
 		return auth_request_handler_auth_continue(conn->request_handler,
 							  line + 5);
 	}
 
 	/* ignore unknown command */
+	if (conn->auth->verbose_debug)
+		i_info("client in (unknown command): %s", line);
 	return TRUE;
 }
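Review bot: cont_line_hide_pass looks for the first tab in the whole line, which for a `CONT\t…` line is the one directly after the command word, so the debug output collapses to `CONT<hidden>` and any field between the keyword and the secret is dropped too (the request id, if the line carries one, as the `auth_request_handler_auth_continue(…, line + 5)` call suggests). If only the payload is meant to be hidden, searching from after the prefix, `p = strchr(line + 5, '\t');`, keeps the leading fields in the log; if hiding everything after the keyword is intended, a comment saying so would make that explicit. Either way the decision should be recorded, since the AUTH branch deliberately keeps everything but the `resp=` value visible.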
 

Index: auth-request.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/auth-request.c,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -d -r1.44 -r1.45
--- auth-request.c	14 Jan 2006 18:47:20 -0000	1.44
+++ auth-request.c	22 Jan 2006 11:33:27 -0000	1.45
@@ -15,6 +15,7 @@
 #include "passdb-blocking.h"
 #include "userdb-blocking.h"
 #include "passdb-cache.h"
+#include "password-scheme.h"
 
 struct auth_request *
 auth_request_new(struct auth *auth, struct mech_module *mech,
@@ -576,6 +577,31 @@
 	auth_stream_reply_add(request->extra_fields, name, value);
 }
 
+int auth_request_password_verify(struct auth_request *request,
+				 const char *plain_password,
+				 const char *crypted_password,
+				 const char *scheme, const char *subsystem)
+{
+	int ret;
+
+	ret = password_verify(plain_password, crypted_password, scheme,
+			      request->user);
+	if (ret < 0) {
+		auth_request_log_error(request, subsystem,
+				       "Unknown password scheme %s", scheme);
+	} else if (ret == 0) {
+		auth_request_log_info(request, subsystem,
+				      "Password mismatch");
+		if (request->auth->verbose_debug_passwords) {
+			auth_request_log_debug(request, subsystem,
+					       "%s(%s) != '%s'", scheme,
+					       plain_password,
+					       crypted_password);
+		}
+	}
+	return ret;
+}
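Review bot: The consolidated message is `Password mismatch`, whereas the ldap, passwd-file and vpopmail passdbs replaced further down in this commit previously logged the lower-case `password mismatch`; anything matching on those lines (log monitors, brute-force blockers) now sees a different string, so the normalization deserves a sentence in the commit log or a changelog entry. The debug branch writes the plaintext and the stored hash through `"%s(%s) != '%s'"`; a short comment above the function stating that this line is emitted only when `verbose_debug_passwords` is set and only on a mismatch (never for an unknown scheme) makes the exposure boundary obvious to the next maintainer.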
+
 static const char *escape_none(const char *str)
 {
 	return str;

Index: auth-request.h
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/auth-request.h,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -d -r1.22 -r1.23
--- auth-request.h	14 Jan 2006 18:47:20 -0000	1.22
+++ auth-request.h	22 Jan 2006 11:33:27 -0000	1.23
@@ -101,6 +101,11 @@
 			    const char *name, const char *value,
 			    const char *default_scheme);
 
+int auth_request_password_verify(struct auth_request *request,
+				 const char *plain_password,
+				 const char *crypted_password,
+				 const char *scheme, const char *subsystem);
+
 const struct var_expand_table *
 auth_request_get_var_expand_table(const struct auth_request *auth_request,
 				  const char *(*escape_func)(const char *));

Index: auth.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/auth.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -d -r1.24 -r1.25
--- auth.c	14 Jan 2006 18:47:20 -0000	1.24
+++ auth.c	22 Jan 2006 11:33:27 -0000	1.25
@@ -28,6 +28,8 @@
 
 	auth->verbose = getenv("VERBOSE") != NULL;
 	auth->verbose_debug = getenv("VERBOSE_DEBUG") != NULL;
+	auth->verbose_debug_passwords =
+		getenv("VERBOSE_DEBUG_PASSWORDS") != NULL;
 
 	t_push();
 	for (i = 1; ; i++) {
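Review bot: The new `verbose_debug_passwords` flag is read from the environment like its siblings, but nothing records how it relates to `verbose_debug`: in auth-client-connection.c it is consulted only inside `if (conn->auth->verbose_debug)` blocks, while auth_request_password_verify tests it on its own before calling auth_request_log_debug. A comment such as `/* widens what verbose_debug logging shows; does not enable logging by itself */` would settle that, assuming auth_request_log_debug is itself gated on verbose_debug, which this hunk does not show. The enclosing function starts before this hunk.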

Index: auth.h
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/auth.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- auth.h	14 Jan 2006 18:47:20 -0000	1.17
+++ auth.h	22 Jan 2006 11:33:27 -0000	1.18
@@ -44,7 +44,7 @@
 	bool ssl_require_client_cert;
         bool ssl_username_from_cert;
 
-	bool verbose, verbose_debug;
+	bool verbose, verbose_debug, verbose_debug_passwords;
 };
 
 const string_t *auth_mechanisms_get_list(struct auth *auth);

Index: passdb-cache.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-cache.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- passdb-cache.c	14 Jan 2006 18:47:20 -0000	1.16
+++ passdb-cache.c	22 Jan 2006 11:33:27 -0000	1.17
@@ -69,13 +69,8 @@
 	scheme = password_get_scheme(&cached_pw);
 	i_assert(scheme != NULL);
 
-	ret = password_verify(password, cached_pw, scheme, request->user);
-	if (ret < 0) {
-		auth_request_log_error(request, "cache",
-				       "Unknown password scheme %s", scheme);
-	} else if (ret == 0) {
-		auth_request_log_info(request, "cache", "Password mismatch");
-	}
+	ret = auth_request_password_verify(request, password, cached_pw,
+					   scheme, "cache");
 
 	*result_r = ret > 0 ? PASSDB_RESULT_OK :
 		PASSDB_RESULT_PASSWORD_MISMATCH;

Index: passdb-ldap.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-ldap.c,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -d -r1.41 -r1.42
--- passdb-ldap.c	14 Jan 2006 18:47:20 -0000	1.41
+++ passdb-ldap.c	22 Jan 2006 11:33:27 -0000	1.42
@@ -175,15 +175,9 @@
 		return;
 	}
 
-	ret = password_verify(auth_request->mech_password, password, scheme,
-			      auth_request->user);
-	if (ret < 0) {
-		auth_request_log_error(auth_request, "ldap",
-			"Unknown password scheme %s", scheme);
-	} else if (ret == 0) {
-		auth_request_log_info(auth_request, "ldap",
-				      "password mismatch");
-	}
+	ret = auth_request_password_verify(auth_request,
+					   auth_request->mech_password,
+					   password, scheme, "ldap");
 
 	ldap_request->callback.verify_plain(ret > 0 ? PASSDB_RESULT_OK :
 					    PASSDB_RESULT_PASSWORD_MISMATCH,

Index: passdb-passwd-file.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-passwd-file.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- passdb-passwd-file.c	15 Jan 2006 13:38:32 -0000	1.25
+++ passdb-passwd-file.c	22 Jan 2006 11:33:27 -0000	1.26
@@ -45,20 +45,11 @@
 				       crypted_pass, scheme);
 	}
 
-	ret = password_verify(password, crypted_pass, scheme,
-			      request->user);
-	if (ret > 0)
-		callback(PASSDB_RESULT_OK, request);
-	else {
-		if (ret < 0) {
-			auth_request_log_error(request, "passwd-file",
-				"unknown password scheme %s", scheme);
-		} else {
-			auth_request_log_info(request, "passwd-file",
-					      "password mismatch");
-		}
-		callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);
-	}
+	ret = auth_request_password_verify(request, password, crypted_pass,
+					   scheme, "passwd-file");
+
+	callback(ret > 0 ? PASSDB_RESULT_OK : PASSDB_RESULT_PASSWORD_MISMATCH,
+		 request);
 }
 
 static void

Index: passdb-sql.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-sql.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- passdb-sql.c	14 Jan 2006 18:47:20 -0000	1.25
+++ passdb-sql.c	22 Jan 2006 11:33:27 -0000	1.26
@@ -111,14 +111,9 @@
 		return;
 	}
 
-	ret = password_verify(auth_request->mech_password, password,
-			      scheme, user);
-	if (ret < 0) {
-		auth_request_log_error(auth_request, "sql",
-				       "Unknown password scheme %s", scheme);
-	} else if (ret == 0) {
-		auth_request_log_info(auth_request, "sql", "Password mismatch");
-	}
+	ret = auth_request_password_verify(auth_request,
+					   auth_request->mech_password,
+					   password, scheme, "sql");
 
 	sql_request->callback.verify_plain(ret > 0 ? PASSDB_RESULT_OK :
 					   PASSDB_RESULT_PASSWORD_MISMATCH,

Index: passdb-vpopmail.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-vpopmail.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -d -r1.23 -r1.24
--- passdb-vpopmail.c	16 Oct 2005 14:06:59 -0000	1.23
+++ passdb-vpopmail.c	22 Jan 2006 11:33:27 -0000	1.24
@@ -50,7 +50,8 @@
 	if (scheme == NULL)
 		scheme = request->passdb->passdb->default_pass_scheme;
 
-	ret = password_verify(password, crypted_pass, scheme, request->user);
+	ret = auth_request_password_verify(request, password, crypted_pass,
+					   scheme, "vpopmail");
 
 	safe_memset(vpw->pw_passwd, 0, strlen(vpw->pw_passwd));
 	if (vpw->pw_clear_passwd != NULL) {
@@ -59,13 +60,6 @@
 	}
 
 	if (ret <= 0) {
-		if (ret < 0) {
-			auth_request_log_error(request, "vpopmail",
-				"Unknown password scheme %s", scheme);
-		} else {
-			auth_request_log_info(request, "vpopmail",
-					      "password mismatch");
-		}
 		callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);
 		return;
 	}


