dovecot-1.2: imap/pop3 proxy: Support master user logins.

dovecot at dovecot.org dovecot at dovecot.org
Sun Dec 14 05:46:35 EET 2008 

details:   http://hg.dovecot.org/dovecot-1.2/rev/50f49805b13b
changeset: 8546:50f49805b13b
user:      Timo Sirainen <tss at iki.fi>
date:      Sun Dec 14 05:46:31 2008 +0200
description:
imap/pop3 proxy: Support master user logins.

diffstat:

10 files changed, 173 insertions(+), 65 deletions(-)
src/auth/auth-request-handler.c      |   17 +++-
src/imap-login/client-authenticate.c |    6 +
src/imap-login/client.c              |    4 -
src/imap-login/client.h              |    2 
src/imap-login/imap-proxy.c          |  117 ++++++++++++++++++++++++----------
src/imap-login/imap-proxy.h          |    3 
src/pop3-login/client-authenticate.c |    6 +
src/pop3-login/client.h              |    2 
src/pop3-login/pop3-proxy.c          |   78 ++++++++++++++++------
src/pop3-login/pop3-proxy.h          |    3 

diffs (truncated from 470 to 300 lines):

diff -r ef08feef501a -r 50f49805b13b src/auth/auth-request-handler.c
--- a/src/auth/auth-request-handler.c	Sun Dec 14 04:57:23 2008 +0200
+++ b/src/auth/auth-request-handler.c	Sun Dec 14 05:46:31 2008 +0200
@@ -145,10 +145,19 @@ static void get_client_extra_fields(stru
 		}
 	}
 
-	if (request->proxy && !seen_pass && request->mech_password != NULL) {
-		/* we're proxying - send back the password that was
-		   sent by user (not the password in passdb). */
-		auth_stream_reply_add(reply, "pass", request->mech_password);
+	if (request->proxy) {
+		/* we're proxying */
+		if (!seen_pass && request->mech_password != NULL) {
+			/* send back the password that was sent by user
+			   (not the password in passdb). */
+			auth_stream_reply_add(reply, "pass",
+					      request->mech_password);
+		}
+		if (request->master_user != NULL) {
+			/* the master username needs to be forwarded */
+			auth_stream_reply_add(reply, "master",
+					      request->master_user);
+		}
 	}
 }
 
diff -r ef08feef501a -r 50f49805b13b src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c	Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/client-authenticate.c	Sun Dec 14 05:46:31 2008 +0200
@@ -98,6 +98,7 @@ static bool client_handle_args(struct im
 			       const char *const *args, bool success)
 {
 	const char *reason = NULL, *host = NULL, *destuser = NULL, *pass = NULL;
+	const char *master_user = NULL;
 	string_t *reply;
 	unsigned int port = 143;
 	bool proxy = FALSE, temp = FALSE, nologin = !success, proxy_self;
@@ -122,6 +123,8 @@ static bool client_handle_args(struct im
 			destuser = *args + 9;
 		else if (strncmp(*args, "pass=", 5) == 0)
 			pass = *args + 5;
+		else if (strncmp(*args, "master=", 7) == 0)
+			master_user = *args + 7;
 		else if (strncmp(*args, "user=", 5) == 0) {
 			/* already handled in login-common */
 		} else if (auth_debug) {
@@ -143,7 +146,8 @@ static bool client_handle_args(struct im
 		   proxy host=.. [port=..] [destuser=..] pass=.. */
 		if (!success)
 			return FALSE;
-		if (imap_proxy_new(client, host, port, destuser, pass) < 0)
+		if (imap_proxy_new(client, host, port, destuser, master_user,
+				   pass) < 0)
 			client_destroy_internal_failure(client);
 		return TRUE;
 	}
diff -r ef08feef501a -r 50f49805b13b src/imap-login/client.c
--- a/src/imap-login/client.c	Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/client.c	Sun Dec 14 05:46:31 2008 +0200
@@ -585,8 +585,8 @@ void client_destroy(struct imap_client *
 		client->proxy_password = NULL;
 	}
 
-	i_free(client->proxy_user);
-	client->proxy_user = NULL;
+	i_free_and_null(client->proxy_user);
+	i_free_and_null(client->proxy_master_user);
 
 	if (client->proxy != NULL) {
 		login_proxy_free(client->proxy);
diff -r ef08feef501a -r 50f49805b13b src/imap-login/client.h
--- a/src/imap-login/client.h	Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/client.h	Sun Dec 14 05:46:31 2008 +0200
@@ -17,7 +17,7 @@ struct imap_client {
 	struct timeout *to_idle_disconnect, *to_auth_waiting;
 
 	struct login_proxy *proxy;
-	char *proxy_user, *proxy_password;
+	char *proxy_user, *proxy_master_user, *proxy_password;
 
 	unsigned int bad_counter;
 
diff -r ef08feef501a -r 50f49805b13b src/imap-login/imap-proxy.c
--- a/src/imap-login/imap-proxy.c	Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/imap-proxy.c	Sun Dec 14 05:46:31 2008 +0200
@@ -4,6 +4,7 @@
 #include "ioloop.h"
 #include "istream.h"
 #include "ostream.h"
+#include "base64.h"
 #include "str.h"
 #include "str-sanitize.h"
 #include "safe-memset.h"
@@ -46,42 +47,86 @@ static void proxy_write_id(struct imap_c
 		    client->common.local_port);
 }
 
-static int proxy_input_line(struct imap_client *client,
-			    struct ostream *output, const char *line)
+static void proxy_free_password(struct imap_client *client)
+{
+	safe_memset(client->proxy_password, 0, strlen(client->proxy_password));
+	i_free_and_null(client->proxy_password);
+}
+
+static void get_plain_auth(struct imap_client *client, string_t *dest)
 {
 	string_t *str;
 
-	i_assert(!client->destroyed);
-
-	if (!client->proxy_login_sent) {
-		/* this is a banner */
-		if (strncmp(line, "* OK ", 5) != 0) {
-			client_syslog(&client->common, t_strdup_printf(
-				"proxy: Remote returned invalid banner: %s",
-				str_sanitize(line, 160)));
-			client_destroy_internal_failure(client);
-			return -1;
-		}
-
-		str = t_str_new(128);
-		if (imap_banner_has_capability(line + 5, "ID"))
-			proxy_write_id(client, str);
-
-		/* send LOGIN command */
-		str_append(str, "P LOGIN ");
+	str = t_str_new(128);
+	str_append(str, client->proxy_user);
+	str_append_c(str, '\0');
+	str_append(str, client->proxy_master_user);
+	str_append_c(str, '\0');
+	str_append(str, client->proxy_password);
+	base64_encode(str_data(str), str_len(str), dest);
+}
+
+static int proxy_input_banner(struct imap_client *client,
+			      struct ostream *output, const char *line)
+{
+	string_t *str;
+
+	if (strncmp(line, "* OK ", 5) != 0) {
+		client_syslog(&client->common, t_strdup_printf(
+			"proxy: Remote returned invalid banner: %s",
+			str_sanitize(line, 160)));
+		client_destroy_internal_failure(client);
+		return -1;
+	}
+
+	str = t_str_new(128);
+	if (imap_banner_has_capability(line + 5, "ID"))
+		proxy_write_id(client, str);
+
+	if (client->proxy_master_user == NULL) {
+		/* logging in normally - use LOGIN command */
+		str_append(str, "L LOGIN ");
 		imap_quote_append_string(str, client->proxy_user, FALSE);
 		str_append_c(str, ' ');
 		imap_quote_append_string(str, client->proxy_password, FALSE);
+
+		proxy_free_password(client);
+	} else if (imap_banner_has_capability(line + 5, "SASL-IR")) {
+		/* master user login with SASL initial response support */
+		str_append(str, "L AUTHENTICATE PLAIN ");
+		get_plain_auth(client, str);
+		proxy_free_password(client);
+	} else {
+		/* master user login without SASL initial response */
+		str_append(str, "L AUTHENTICATE PLAIN");
+	}
+
+	str_append(str, "\r\n");
+	(void)o_stream_send(output, str_data(str), str_len(str));
+	client->proxy_login_sent = TRUE;
+	return 0;
+}
+
+static int proxy_input_line(struct imap_client *client,
+			    struct ostream *output, const char *line)
+{
+	string_t *str;
+
+	i_assert(!client->destroyed);
+
+	if (!client->proxy_login_sent) {
+		/* this is a banner */
+		return proxy_input_banner(client, output, line);
+	} else if (*line == '+') {
+		/* AUTHENTICATE started. finish it. */
+		str = t_str_new(128);
+		get_plain_auth(client, str);
 		str_append(str, "\r\n");
+		proxy_free_password(client);
+
 		(void)o_stream_send(output, str_data(str), str_len(str));
-
-		safe_memset(client->proxy_password, 0,
-			    strlen(client->proxy_password));
-		i_free(client->proxy_password);
-		client->proxy_password = NULL;
-		client->proxy_login_sent = TRUE;
 		return 0;
-	} else if (strncmp(line, "P OK ", 5) == 0) {
+	} else if (strncmp(line, "L OK ", 5) == 0) {
 		/* Login successful. Send this line to client. */
 		str = t_str_new(128);
 		str_append(str, client->cmd_tag);
@@ -101,6 +146,10 @@ static int proxy_input_line(struct imap_
 			str_append_c(str, '/');
 			str_append(str, client->proxy_user);
 		}
+		if (client->proxy_master_user != NULL) {
+			str_printfa(str, " (master %s)",
+				    client->proxy_master_user);
+		}
 
 		(void)client_skip_line(client);
 		login_proxy_detach(client->proxy, client->common.input,
@@ -112,7 +161,7 @@ static int proxy_input_line(struct imap_
 		client->common.fd = -1;
 		client_destroy_success(client, str_c(str));
 		return -1;
-	} else if (strncmp(line, "P ", 2) == 0) {
+	} else if (strncmp(line, "L ", 2) == 0) {
 		/* If the backend server isn't Dovecot, the error message may
 		   be different from Dovecot's "user doesn't exist" error. This
 		   would allow an attacker to find out what users exist in the
@@ -140,6 +189,10 @@ static int proxy_input_line(struct imap_
 				str_append_c(str, '/');
 				str_append(str, client->proxy_user);
 			}
+			if (client->proxy_master_user != NULL) {
+				str_printfa(str, " (master %s)",
+					    client->proxy_master_user);
+			}
 			str_append(str, ": ");
 			if (strncasecmp(line + 2, "NO ", 3) == 0)
 				str_append(str, line + 2 + 3);
@@ -156,8 +209,8 @@ static int proxy_input_line(struct imap_
 		login_proxy_free(client->proxy);
 		client->proxy = NULL;
 
-		i_free(client->proxy_user);
-		client->proxy_user = NULL;
+		i_free_and_null(client->proxy_user);
+		i_free_and_null(client->proxy_master_user);
 		return -1;
 	} else {
 		/* probably some untagged reply */
@@ -210,7 +263,8 @@ static void proxy_input(struct istream *
 }
 
 int imap_proxy_new(struct imap_client *client, const char *host,
-		   unsigned int port, const char *user, const char *password)
+		   unsigned int port, const char *user, const char *master_user,
+		   const char *password)
 {
 	i_assert(user != NULL);
 	i_assert(!client->destroyed);
@@ -236,6 +290,7 @@ int imap_proxy_new(struct imap_client *c
 
 	client->proxy_login_sent = FALSE;
 	client->proxy_user = i_strdup(user);
+	client->proxy_master_user = i_strdup(master_user);
 	client->proxy_password = i_strdup(password);
 
 	/* disable input until authentication is finished */
diff -r ef08feef501a -r 50f49805b13b src/imap-login/imap-proxy.h
--- a/src/imap-login/imap-proxy.h	Sun Dec 14 04:57:23 2008 +0200
+++ b/src/imap-login/imap-proxy.h	Sun Dec 14 05:46:31 2008 +0200
@@ -4,6 +4,7 @@
 #include "login-proxy.h"
 
 int imap_proxy_new(struct imap_client *client, const char *host,
-		   unsigned int port, const char *user, const char *password);
+		   unsigned int port, const char *user, const char *master_user,
+		   const char *password);
 
 #endif
diff -r ef08feef501a -r 50f49805b13b src/pop3-login/client-authenticate.c
--- a/src/pop3-login/client-authenticate.c	Sun Dec 14 04:57:23 2008 +0200
+++ b/src/pop3-login/client-authenticate.c	Sun Dec 14 05:46:31 2008 +0200
@@ -86,6 +86,7 @@ static bool client_handle_args(struct po
 			       const char *const *args, bool success)
 {
 	const char *reason = NULL, *host = NULL, *destuser = NULL, *pass = NULL;
+	const char *master_user = NULL;
 	string_t *reply;
 	unsigned int port = 110;
 	bool proxy = FALSE, temp = FALSE, nologin = !success;
@@ -107,6 +108,8 @@ static bool client_handle_args(struct po
 			destuser = *args + 9;
 		else if (strncmp(*args, "pass=", 5) == 0)
 			pass = *args + 5;
+		else if (strncmp(*args, "master=", 7) == 0)
+			master_user = *args + 7;
 		else if (strncmp(*args, "user=", 5) == 0) {
 			/* already handled in login-common */
 		} else if (auth_debug) {

More information about the dovecot-cvs mailing list