auth-request-handler.c revision 8bb360f9e5de1c25e4f875205bb06e8bf15dae14
5f5870385cff47efd2f58e7892f251cf13761528Timo Sirainen/* Copyright (c) 2005-2010 Dovecot authors, see the included COPYING file */
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainenstatic ARRAY_DEFINE(auth_failures_arr, struct auth_request *);
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainenstatic void auth_failure_timeout(void *context);
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainenauth_request_handler_create(auth_request_callback_t *callback, void *context,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen pool = pool_alloconly_create("auth request handler", 4096);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler = p_new(pool, struct auth_request_handler, 1);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->requests = hash_table_create(default_pool, pool, 0, NULL, NULL);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainenvoid auth_request_handler_unref(struct auth_request_handler **_handler)
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen struct auth_request_handler *handler = *_handler;
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen iter = hash_table_iterate_init(handler->requests);
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen while (hash_table_iterate(iter, &key, &value)) {
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen /* notify parent that we're done with all requests */
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainenvoid auth_request_handler_set(struct auth_request_handler *handler,
8c6c6b95f482d2a2cdc74db5582aeb24871e3579Timo Sirainenstatic void auth_request_handler_remove(struct auth_request_handler *handler,
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen hash_table_remove(handler->requests, POINTER_CAST(request->id));
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainenstatic void get_client_extra_fields(struct auth_request *request,
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen unsigned int src;
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen if (auth_stream_is_empty(request->extra_fields))
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen extra_fields = auth_stream_reply_export(request->extra_fields);
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen /* we only wish to remove all fields prefixed with "userdb_" */
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen if (strstr(extra_fields, "userdb_") == NULL) {
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen auth_stream_reply_import(reply, extra_fields);
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen if (strncmp(fields[src], "userdb_", 7) != 0) {
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen if (!seen_pass && strncmp(fields[src], "pass=", 5) == 0)
657afb33796f8216c568ad813627da89970760beTimo Sirainen /* we're proxying */
657afb33796f8216c568ad813627da89970760beTimo Sirainen if (!seen_pass && request->mech_password != NULL) {
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* send back the password that was sent by user
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen (not the password in passdb). */
ea95a057fa5f02d50027122cacd3147fce7679faTimo Sirainen /* the master username needs to be forwarded */
e69e7b734b625de1f8921b7e0d92afa1df6b900dTimo Sirainenauth_request_handle_failure(struct auth_request *request,
657afb33796f8216c568ad813627da89970760beTimo Sirainen struct auth_request_handler *handler = request->context;
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen /* we came here from flush_failures() */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* remove the request from requests-list */
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen auth_request_handler_remove(handler, request);
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen /* passdb specifically requested not to delay the
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* failure. don't announce it immediately to avoid
3c296d819c54e21ce05c3d2eeeedc79be42ac593Timo Sirainen a) timing attacks, b) flooding */
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainenstatic void auth_callback(struct auth_request *request,
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen struct auth_request_handler *handler = request->context;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen reply = auth_stream_reply_init(pool_datastack_create());
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen auth_stream_reply_add(reply, NULL, dec2str(request->id));
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size));
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen auth_stream_reply_add(reply, NULL, str_c(str));
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen /* reset penalty */
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen auth_penalty_update(auth_penalty, request, 0);
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen auth_stream_reply_add(reply, NULL, dec2str(request->id));
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen auth_stream_reply_add(reply, "user", request->user);
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen str = t_str_new(MAX_BASE64_ENCODED_SIZE(reply_size));
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen auth_stream_reply_add(reply, "resp", str_c(str));
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen if (request->no_login || handler->master_callback == NULL) {
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen /* this request doesn't have to wait for master
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen process to pick it up. delete it */
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen auth_request_handler_remove(handler, request);
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen auth_stream_reply_add(reply, NULL, dec2str(request->id));
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_stream_reply_add(reply, "user", request->user);
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen /* authentication succeeded, but we can't log in
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen as the wanted user */
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_stream_reply_add(reply, "nodelay", NULL);
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen /* NOTE: request may be destroyed now */
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainenstatic void auth_request_handler_auth_fail(struct auth_request_handler *handler,
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_request_log_info(request, request->mech->mech_name, "%s", reason);
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen reply = auth_stream_reply_init(pool_datastack_create());
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_stream_reply_add(reply, NULL, dec2str(request->id));
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_stream_reply_add(reply, "reason", reason);
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_request_handler_remove(handler, request);
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainenstatic void auth_request_timeout(struct auth_request *request)
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_request_handler_remove(request->handler, request);
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainenstatic void auth_request_penalty_finish(struct auth_request *request)
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainenauth_penalty_callback(unsigned int penalty, struct auth_request *request)
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen unsigned int secs;
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen request->to_penalty = timeout_add(secs * 1000,
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainenbool auth_request_handler_auth_begin(struct auth_request_handler *handler,
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen const char *const *list, *name, *arg, *initial_resp;
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen unsigned int id;
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen /* <id> <mechanism> [...] */
e8a96ad5c10e9d5c0c4e2e88dd09a38fdb3e34b4Timo Sirainen "sent broken AUTH request", handler->client_pid);
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen id = (unsigned int)strtoul(list[0], NULL, 10);
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen /* unsupported mechanism */
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen i_error("BUG: Authentication client %u requested unsupported "
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen "authentication mechanism %s", handler->client_pid,
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen request = auth_request_new(mech, auth_callback, handler);
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen /* parse optional parameters */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* this must be the last parameter */
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen "sent AUTH parameters after 'resp'",
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "didn't specify service in request",
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen request->to_abort = timeout_add(AUTH_REQUEST_TIMEOUT * 1000,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen hash_table_insert(handler->requests, POINTER_CAST(id), request);
657afb33796f8216c568ad813627da89970760beTimo Sirainen /* we fail without valid certificate */
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen auth_request_handler_auth_fail(handler, request,
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen "Client didn't present valid SSL certificate");
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen /* Empty initial response is a "=" base64 string. Completely empty
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen string shouldn't really be sent, but at least Exim does it,
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen so just allow it for backwards compatibility.. */
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen if (initial_resp != NULL && *initial_resp != '\0') {
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen buf = buffer_create_dynamic(pool_datastack_create(),
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen if (base64_decode(initial_resp, len, NULL, buf) < 0) {
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen auth_request_handler_auth_fail(handler, request,
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen "Invalid base64 data in initial response");
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen memcpy(initial_resp_data, buf->data, buf->used);
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen request->initial_response = initial_resp_data;
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen /* handler is referenced until auth_callback is called. */
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen /* before we start authenticating, see if we need to wait first */
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainenbool auth_request_handler_auth_continue(struct auth_request_handler *handler,
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen unsigned int id;
7242e1ce7803b83bc82e239ef111b47c1c72dd4bAndrey Panin i_error("BUG: Authentication client sent broken CONT request");
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen request = hash_table_lookup(handler->requests, POINTER_CAST(id));
9261dbf0675204898c6557591c7aa376e23a52b2Timo Sirainen reply = auth_stream_reply_init(pool_datastack_create());
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_stream_reply_add(reply, NULL, dec2str(id));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_stream_reply_add(reply, "reason", "Timeouted");
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* accept input only once after mechanism has sent a CONT reply */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_auth_fail(handler, request,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "Unexpected continuation");
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen buf = buffer_create_dynamic(pool_datastack_create(),
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen if (base64_decode(data, data_len, NULL, buf) < 0) {
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_auth_fail(handler, request,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "Invalid base64 data in continued response");
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* handler is referenced until auth_callback is called. */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_continue(request, buf->data, buf->used);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainenstatic void userdb_callback(enum userdb_result result,
ab122a3bbae3b5fd2aad66e2f2840149d98cee52Timo Sirainen struct auth_request_handler *handler = request->context;
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen i_assert(request->state == AUTH_REQUEST_STATE_USERDB);
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen reply = auth_stream_reply_init(pool_datastack_create());
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen auth_stream_reply_add(reply, NULL, dec2str(request->id));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen value = auth_stream_reply_find(request->userdb_reply,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_stream_reply_add(reply, "reason", value);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_stream_reply_add(reply, "NOTFOUND", NULL);
b5322c8270616a28f2e65cb3a09580c410bb0941Timo Sirainen auth_stream_reply_add(reply, NULL, dec2str(request->id));
b5322c8270616a28f2e65cb3a09580c410bb0941Timo Sirainen auth_stream_reply_add(reply, NULL, dec2str(request->id));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen "master_user",
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_stream_reply_export(request->userdb_reply));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen handler->master_callback(reply, request->master);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_master_connection_unref(&request->master);
4f2248a8a70985c7295afc3bf91c848e81d740d9Timo Sirainenvoid auth_request_handler_master_request(struct auth_request_handler *handler,
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen unsigned int id,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen reply = auth_stream_reply_init(pool_datastack_create());
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen request = hash_table_lookup(handler->requests, POINTER_CAST(client_id));
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen auth_stream_reply_add(reply, NULL, dec2str(id));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request_handler_remove(handler, request);
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen if (request->state != AUTH_REQUEST_STATE_FINISHED ||
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen i_error("Master requested unfinished authentication request "
6ef7e31619edfaa17ed044b45861d106a86191efTimo Sirainen auth_stream_reply_add(reply, NULL, dec2str(id));
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* the request isn't being referenced anywhere anymore,
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen so we can do a bit of kludging.. replace the request's
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen old client_id with master's id. */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* master and handler are referenced until userdb_callback i
3ccab0bac68040f179a7de45c516cec258e28fdbTimo Sirainen auth_request_lookup_user(request, userdb_callback);
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainenvoid auth_request_handler_flush_failures(bool flush_all)
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen struct auth_request **auth_requests, *auth_request;
cac6735a6cd73f2b815a1f3c1e21855075e7c81eTimo Sirainen unsigned int i, count;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_requests = array_idx_modifiable(&auth_failures_arr, 0);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen for (i = 0; i < count; i++) {
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen auth_request = auth_requests[aqueue_idx(auth_failures, 0)];
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen /* FIXME: assumess that failure_delay is always the same. */
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen diff = ioloop_time - auth_request->last_access;
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen if (diff < (time_t)auth_request->set->failure_delay &&
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen i_assert(auth_request->state == AUTH_REQUEST_STATE_FINISHED);
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainenstatic void auth_failure_timeout(void *context ATTR_UNUSED)