imap-proxy.c revision d229d26d263a57a77eec8fe7cba24fbfd9509966
/* Copyright (c) 2004-2013 Dovecot authors, see the included COPYING file */
#include "login-common.h"
#include "array.h"
#include "ioloop.h"
#include "istream.h"
#include "ostream.h"
#include "base64.h"
#include "str.h"
#include "str-sanitize.h"
#include "safe-memset.h"
#include "sasl-client.h"
#include "client.h"
#include "client-authenticate.h"
#include "imap-resp-code.h"
#include "imap-quote.h"
#include "imap-proxy.h"
#include <stdlib.h>
enum imap_proxy_state {
};
{
"\"x-session-id\" \"%s\" "
"\"x-originating-ip\" \"%s\" "
"\"x-originating-port\" \"%u\" "
"\"x-connected-ip\" \"%s\" "
"\"x-connected-port\" \"%u\" "
"\"x-proxy-ttl\" \"%u\")\r\n",
}
{
return;
}
{
struct sasl_client_settings sasl_set;
const unsigned char *output;
unsigned int len;
/* logging in normally - use LOGIN command */
return 0;
}
if (client->proxy_sasl_ir) {
"proxy: SASL mechanism %s init failed: %s",
return -1;
}
if (len == 0)
else
}
return 0;
}
{
const char *const *capabilities = NULL;
"proxy: Remote returned invalid banner: %s",
return -1;
}
}
if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) != 0) {
if (capabilities != NULL &&
"proxy: Remote doesn't support STARTTLS");
return -1;
}
} else {
return -1;
}
return 0;
}
static void
const char *line)
{
const char *capability;
bool tagged_capability;
if (tagged_capability)
/* client has used CAPABILITY command, so it didn't understand
the capabilities in the banner. send the backend's untagged
CAPABILITY reply and hope that the client understands it */
}
if (*line == '[') {
/* we need to send the capability.
skip over this resp-code */
line++;
}
}
}
{
const unsigned char *data;
unsigned int data_len;
const char *error;
int ret;
if (!imap_client->proxy_seen_banner) {
/* this is a banner */
return -1;
}
return 0;
} else if (*line == '+') {
/* AUTHENTICATE started. finish it. */
/* used literals with LOGIN command, just ignore. */
return 0;
}
"proxy: Server sent invalid base64 data in AUTHENTICATE response");
return -1;
}
if (ret == 0) {
}
if (ret < 0) {
"proxy: Server sent invalid authentication data: %s",
error));
return -1;
}
str_truncate(str, 0);
return 0;
/* STARTTLS failed */
"proxy: Remote STARTTLS failed: %s",
return -1;
}
/* STARTTLS successful, begin TLS negotiation. */
return -1;
}
return -1;
}
return 1;
/* Login successful. Send this line to client. */
(void)client_skip_line(imap_client);
return 1;
line += 2;
log_line += 3;
}
strlen(STR_NO_IMAP_RESP_CODE_AUTHFAILED)) == 0) {
/* the remote sent a generic "authentication failed"
error. replace it with our one, so that in case
the remote is sending a different error message
an attacker can't find out what users exist in
the system. */
/* remote sent some other resp-code. forward it. */
} else {
/* there was no [resp-code], so remote isn't Dovecot
v1.2+. we could either forward the line as-is and
leak information about what users exist in this
system, or we could hide other errors than password
failures. since other errors are pretty rare,
it's safer to just hide them. they're still
available in logs though. */
}
return -1;
return 0;
/* Reply to CAPABILITY command we sent, ignore it */
return 0;
/* Reply to ID command we sent, ignore it */
return 0;
/* untagged reply. just foward it. */
return 0;
} else {
/* tagged reply, shouldn't happen. */
"proxy: Unexpected input, ignoring: %s",
return 0;
}
}
{
}
{
}