src/imap-login/client-authenticate.c

	client-authenticate.c revision 04eb0abcf8f8b0c014499b5c5bae89484553613f
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen/* Copyright (c) 2002-2016 Dovecot authors, see the included COPYING file */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "login-common.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "base64.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "buffer.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "ioloop.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "istream.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "ostream.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "safe-memset.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "str.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "str-sanitize.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "net.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "imap-resp-code.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "imap-parser.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "imap-url.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "auth-client.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "imap-login-client.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "client-authenticate.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen#include "imap-proxy.h"
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainenvoid client_authenticate_get_capabilities(struct client *client, string_t *str)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen{
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    const struct auth_mech_desc *mech;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    unsigned int i, count;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    mech = sasl_server_get_advertised_mechs(client, &count);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    for (i = 0; i < count; i++) {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        str_append_c(str, ' ');
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        str_append(str, "AUTH=");
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        str_append(str, mech[i].name);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen}
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainenvoid imap_client_auth_result(struct client *client,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                 enum client_auth_result result,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                 const struct client_auth_reply *reply,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                 const char *text)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen{
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    struct imap_url url;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    string_t *referral;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    switch (result) {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_SUCCESS:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        /* nothing to be done for IMAP */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_REFERRAL_SUCCESS:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_REFERRAL_NOLOGIN:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        /* IMAP referral
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen           [nologin] referral host=.. [port=..] [destuser=..]
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen           [reason=..]
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen           NO [REFERRAL imap://destuser;AUTH=..@host:port/] Can't login.
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen           OK [...] Logged in, but you should use this server instead.
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen           .. [REFERRAL ..] (Reason from auth server)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        referral = t_str_new(128);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        memset(&url, 0, sizeof(url));
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        url.userid = reply->destuser;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        url.auth_type = client->auth_mech_name;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        url.host.name = reply->host;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        if (reply->port != 143)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            url.port = reply->port;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        str_append(referral, "REFERRAL ");
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        str_append(referral, imap_url_create(&url));
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        if (result == CLIENT_AUTH_RESULT_REFERRAL_SUCCESS) {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            client_send_reply_code(client, IMAP_CMD_REPLY_OK,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                           str_c(referral), text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        } else {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            client_send_reply_code(client, IMAP_CMD_REPLY_NO,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                           str_c(referral), text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_ABORTED:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        client_send_reply(client, IMAP_CMD_REPLY_BAD, text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_AUTHFAILED_REASON:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_MECH_INVALID:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        if (text[0] == '[')
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            client_send_reply(client, IMAP_CMD_REPLY_NO, text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        else {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            client_send_reply_code(client, IMAP_CMD_REPLY_NO,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                           "ALERT", text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_AUTHZFAILED:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        client_send_reply_code(client, IMAP_CMD_REPLY_NO,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                       IMAP_RESP_CODE_AUTHZFAILED, text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_TEMPFAIL:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        client_send_reply_code(client, IMAP_CMD_REPLY_NO,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                       IMAP_RESP_CODE_UNAVAILABLE, text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_SSL_REQUIRED:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_MECH_SSL_REQUIRED:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        client_send_reply_code(client, IMAP_CMD_REPLY_NO,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                       IMAP_RESP_CODE_PRIVACYREQUIRED, text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_PASS_EXPIRED:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_LOGIN_DISABLED:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    case CLIENT_AUTH_RESULT_AUTHFAILED:
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        client_send_reply_code(client, IMAP_CMD_REPLY_NO,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                       IMAP_RESP_CODE_AUTHFAILED, text);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen}
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainenstatic int
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainenimap_client_auth_begin(struct imap_client *imap_client, const char *mech_name,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen               const char *init_resp)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen{
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    char *prefix;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    prefix = i_strdup_printf("%d%s",
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            imap_client->client_ignores_capability_resp_code ? 1 : 0,
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            imap_client->cmd_tag);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    i_free(imap_client->common.master_data_prefix);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    imap_client->common.master_data_prefix = (void *)prefix;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    imap_client->common.master_data_prefix_len = strlen(prefix)+1;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    return client_auth_begin(&imap_client->common, mech_name, init_resp);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen}
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainenint cmd_authenticate(struct imap_client *imap_client, bool *parsed_r)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen{
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    /* NOTE: This command's input is handled specially because the
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen       SASL-IR can be large. */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    struct client *client = &imap_client->common;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    const unsigned char *data;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    size_t i, size;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    int ret;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    *parsed_r = FALSE;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    /* <auth mechanism name> [<initial SASL response>] */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    if (!imap_client->auth_mech_name_parsed) {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        data = i_stream_get_data(client->input, &size);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        for (i = 0; i < size; i++) {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            if (data[i] == ' ' ||
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                data[i] == '\r' || data[i] == '\n')
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                break;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        if (i == size)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            return 0;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        if (i == 0) {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            /* empty mechanism name */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            imap_client->skip_line = TRUE;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            return -1;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        i_free(client->auth_mech_name);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        client->auth_mech_name = i_strndup(data, i);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        imap_client->auth_mech_name_parsed = TRUE;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        if (data[i] == ' ')
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            i++;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        i_stream_skip(client->input, i);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    /* get SASL-IR, if any */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    if ((ret = client_auth_read_line(client)) <= 0)
e10d8b1291090c26b9ef499637e6e632485ca5beTimo Sirainen        return ret;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
e10d8b1291090c26b9ef499637e6e632485ca5beTimo Sirainen    *parsed_r = TRUE;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    imap_client->auth_mech_name_parsed = FALSE;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    return imap_client_auth_begin(imap_client,
e10d8b1291090c26b9ef499637e6e632485ca5beTimo Sirainen                      t_strdup(client->auth_mech_name),
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                      t_strdup(str_c(client->auth_response)));
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen}
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainenint cmd_login(struct imap_client *imap_client, const struct imap_arg *args)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen{
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    struct client *client = &imap_client->common;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    const char *user, *pass;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    string_t *plain_login, *base64;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    /* two arguments: username and password */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    if (!imap_arg_get_astring(&args[0], &user) ||
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        !imap_arg_get_astring(&args[1], &pass) ||
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        !IMAP_ARG_IS_EOL(&args[2]))
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        return -1;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    if (!client_check_plaintext_auth(client, TRUE)) {
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        if (client->virtual_user == NULL)
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen            client->virtual_user = i_strdup(user);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen        return 1;
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    }
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    /* authorization ID \0 authentication ID \0 pass */
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    plain_login = buffer_create_dynamic(pool_datastack_create(), 64);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    buffer_append_c(plain_login, '\0');
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    buffer_append(plain_login, user, strlen(user));
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    buffer_append_c(plain_login, '\0');
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    buffer_append(plain_login, pass, strlen(pass));
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    base64 = buffer_create_dynamic(pool_datastack_create(),
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen                    MAX_BASE64_ENCODED_SIZE(plain_login->used));
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    base64_encode(plain_login->data, plain_login->used, base64);
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen    return imap_client_auth_begin(imap_client, "PLAIN", str_c(base64));
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen}
ac26a4607cb12b156f6a42f1ead2881bedd43d94Timo Sirainen