src/login-common/login-settings.c

	login-settings.c revision a64adf62fa33f2463a86f990217b0c9078531a40
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen/* Copyright (c) 2005-2008 Dovecot authors, see the included COPYING file */
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#include "lib.h"
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#include "settings-parser.h"
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#include "login-settings.h"
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#include <stddef.h>
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#include <unistd.h>
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#undef DEF
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#define DEF(type, name) \
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    { type, #name, offsetof(struct login_settings, name), NULL }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainenstatic struct setting_define login_setting_defines[] = {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, login_dir),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, login_chroot),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, login_trusted_networks),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, login_greeting),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, login_log_format_elements),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, login_log_format),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, login_process_per_connection),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, capability_string),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_ENUM, ssl),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, ssl_ca_file),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, ssl_cert_file),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, ssl_key_file),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, ssl_key_password),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, ssl_parameters_file),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, ssl_cipher_list),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_STR, ssl_cert_username_field),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, ssl_verify_client_cert),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, ssl_require_client_cert),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, ssl_username_from_cert),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, verbose_ssl),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, disable_plaintext_auth),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, verbose_auth),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, auth_debug),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_BOOL, verbose_proctitle),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    DEF(SET_UINT, login_max_connections),
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    SETTING_DEFINE_LIST_END
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen};
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainenstatic struct login_settings login_default_settings = {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_dir) "login",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_chroot) TRUE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_trusted_networks) "",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_greeting) PACKAGE" ready.",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_log_format_elements) "user=<%u> method=%m rip=%r lip=%l %c",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_log_format) "%$: %s",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_process_per_connection) TRUE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(capability_string) NULL,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl) "yes:no:required",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_ca_file) "",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_key_password) "",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_parameters_file) "ssl-parameters.dat",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_cipher_list) "ALL:!LOW:!SSLv2",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_cert_username_field) "commonName",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_verify_client_cert) FALSE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_require_client_cert) FALSE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(ssl_username_from_cert) FALSE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(verbose_ssl) FALSE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(disable_plaintext_auth) TRUE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(verbose_auth) FALSE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(auth_debug) FALSE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(verbose_proctitle) FALSE,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(login_max_connections) 256
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen};
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainenstruct setting_parser_info login_setting_parser_info = {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(defines) login_setting_defines,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(defaults) &login_default_settings,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(parent) NULL,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(dynamic_parsers) NULL,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(parent_offset) (size_t)-1,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(type_offset) (size_t)-1,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    MEMBER(struct_size) sizeof(struct login_settings)
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen};
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainenstatic pool_t settings_pool = NULL;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainenstatic int ssl_settings_check(struct login_settings *set ATTR_UNUSED)
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen{
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#ifndef HAVE_SSL
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_error("SSL support not compiled in but ssl_disable=no");
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    return FALSE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#else
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (*set->ssl_cert_file == '\0') {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_error("ssl_cert_file not set");
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        return FALSE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (access(set->ssl_cert_file, R_OK) < 0) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_error("ssl_cert_file: access(%s) failed: %m",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen            set->ssl_cert_file);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        return FALSE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (*set->ssl_key_file == '\0') {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_error("ssl_key_file not set");
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        return FALSE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (access(set->ssl_key_file, R_OK) < 0) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_error("ssl_key_file: access(%s) failed: %m",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen            set->ssl_key_file);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        return FALSE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (*set->ssl_ca_file != '\0' &&
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        access(set->ssl_ca_file, R_OK) < 0) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_error("ssl_ca_file: access(%s) failed: %m",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen            set->ssl_ca_file);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        return FALSE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (set->ssl_verify_client_cert && *set->ssl_ca_file == '\0') {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_error("ssl_verify_client_cert set, but ssl_ca_file not");
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        return FALSE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    return TRUE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen#endif
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen}
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainenstatic void login_settings_check(struct login_settings *set)
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen{
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (strcmp(set->ssl, "no") == 0) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        /* disabled */
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    } else if (strcmp(set->ssl, "yes") == 0) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        if (!ssl_settings_check(set))
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen            set->ssl = "no";
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    } else if (strcmp(set->ssl, "required") == 0) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        if (!ssl_settings_check(set))
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen            i_fatal("Couldn't initialize ssl with ssl=required");
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        set->disable_plaintext_auth = TRUE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    } else {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_fatal("Unknown ssl setting value: %s", set->ssl);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    set->log_format_elements_split =
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        t_strsplit(set->login_log_format_elements, " ");
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (set->ssl_require_client_cert || set->ssl_username_from_cert) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        /* if we require valid cert, make sure we also ask for it */
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        set->ssl_verify_client_cert = TRUE;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (set->login_max_connections < 1)
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_fatal("login_max_connections must be at least 1");
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen}
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainenstruct login_settings *login_settings_read(void)
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen{
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    struct setting_parser_context *parser;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        struct login_settings *set;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (settings_pool == NULL)
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        settings_pool = pool_alloconly_create("settings pool", 512);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    else
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        p_clear(settings_pool);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    parser = settings_parser_init(settings_pool,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen                      &login_setting_parser_info,
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen                      SETTINGS_PARSER_FLAG_IGNORE_UNKNOWN_KEYS);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    if (settings_parse_environ(parser) < 0) {
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen        i_fatal("Error reading configuration: %s",
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen            settings_parser_get_error(parser));
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    }
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    set = settings_parser_get(parser);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    settings_parser_deinit(&parser);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    login_settings_check(set);
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen    return set;
a64adf62fa33f2463a86f990217b0c9078531a40Timo Sirainen}