client-authenticate.c revision f1e9611e93dcb3b745c1904029084fa81644e1b3
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen/* Copyright (C) 2002-2004 Timo Sirainen */
/* Returns a string (presumably the list of authentication mechanisms to
   advertise to the client - the string building is not visible in this
   listing). `secured` is the caller's statement of whether the transport
   is protected. Per the inline comment in the loop, a mechanism is meant
   to be offered when any one of a), b) or c) holds. Only the first term
   of the actual test is visible (MECH_SEC_PRIVATE must be clear), so the
   treatment of plaintext mechanisms on an unsecured transport has to be
   confirmed against the complete source. */
3f190f4cbb9233a3a6830956cb5c7ae56a577b79Timo Sirainenconst char *client_authenticate_get_capabilities(bool secured)
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen unsigned int i, count;
/* auth_client supplies the mechanism array and its length; the loop
   below bounds every mech[i] access by that count. */
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen mech = auth_client_get_available_mechs(auth_client, &count);
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen for (i = 0; i < count; i++) {
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen /* a) transport is secured
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen b) auth mechanism isn't plaintext
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen c) we allow insecure authentication
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen if ((mech[i].flags & MECH_SEC_PRIVATE) == 0 &&
/* Handles a line sent by the client while an authentication exchange is
   in progress. The visible branches end the exchange with
   "Authentication aborted" (its condition is not visible in this
   listing), reject input that arrives while
   client->common.waiting_auth_reply is set, or pass the line on with
   auth_client_request_continue(). What happens when
   i_stream_next_line() returns NULL is not visible here. */
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainenstatic void client_auth_input(struct imap_client *client)
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen if (i_stream_next_line(client->input) == NULL)
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen /* @UNSAFE */
/* NOTE(review): the @UNSAFE tag presumably marks manual buffer handling
   that needs auditing; the statements it covers are not visible in this
   listing. */
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen sasl_server_auth_client_error(&client->common,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen "Authentication aborted");
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen } else if (client->common.waiting_auth_reply) {
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen sasl_server_auth_client_error(&client->common,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen "Don't send unrequested data");
/* `line` is the client's raw authentication response, so it may carry
   credential material; the "clear sensitive data" step that follows
   treats it that way. */
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen auth_client_request_continue(client->common.auth_request, line);
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen /* clear sensitive data */
/* NOTE(review): the wiping statement itself is not visible in this
   listing. Confirm that it overwrites the whole line buffer and uses a
   call the compiler cannot optimise away. */
/* Decides how a login attempt ends, based on optional values tracked in
   the locals below: reason, host, destuser, pass, and the proxy / temp /
   nologin flags. nologin starts out as !success. The visible outcomes
   are proxying to another server, an IMAP referral reply, and a plain
   reply. The function returns both TRUE and FALSE, but the conditions
   for each are only partly visible in this listing, as are the rest of
   the signature and the code that fills in the locals. */
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainenstatic bool client_handle_args(struct imap_client *client,
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen const char *reason = NULL, *host = NULL, *destuser = NULL, *pass = NULL;
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen bool proxy = FALSE, temp = FALSE, nologin = !success;
/* NOTE(review): `pass` is a credential that is handed to
   imap_proxy_new() below. How long it stays in memory and whether it is
   wiped afterwards is not visible in this listing. */
7501b9f694460101b41d1d708ebc3ec2b0400b1cTimo Sirainen /* we want to proxy the connection to another server.
7501b9f694460101b41d1d708ebc3ec2b0400b1cTimo Sirainen don't do this unless authentication succeeded. with
7501b9f694460101b41d1d708ebc3ec2b0400b1cTimo Sirainen master user proxying we can get FAIL with proxy still set.
7501b9f694460101b41d1d708ebc3ec2b0400b1cTimo Sirainen proxy host=.. [port=..] [destuser=..] pass=.. */
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen if (imap_proxy_new(client, host, port, destuser, pass) < 0)
/* NOTE(review): in the referral reply built below, destuser and host are
   formatted into an imap:// URL with plain %s, next to
   client->common.auth_mech_name. No escaping or validation is visible in
   this listing, and the values presumably originate from the auth
   server's reply. Confirm they are validated or URL-encoded before
   use, so that they cannot change the structure of the URL or of the
   response line sent to the client. */
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen /* IMAP referral
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen [nologin] referral host=.. [port=..] [destuser=..]
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen NO [REFERRAL imap://destuser;AUTH=..@host:port/] Can't login.
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen OK [...] Logged in, but you should use this server instead.
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen .. [REFERRAL ..] (Reason from auth server)
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen str_printfa(reply, "[REFERRAL imap://%s;AUTH=%s@%s",
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen destuser, client->common.auth_mech_name, host);
3343a61404603b21c246783a7963b77833095f31Timo Sirainen str_append(reply, "Try this server instead.");
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen str_append(reply, "Logged in, but you should use "
f1901fd21906911f7be075c965ac882f6a87b4c3Timo Sirainen "this server instead.");
if (!nologin) {
return TRUE;
} else if (nologin) {
else if (temp)
return FALSE;
return TRUE;
const char *msg;
switch (reply) {
NULL);
if (verbose_auth) {