src/login-common/login-settings.c

	login-settings.c revision 557ed09439ba193b8bca128e460518e4464df2b5
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch/* Copyright (c) 2005-2009 Dovecot authors, see the included COPYING file */
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch#include "common.h"
9f8559a5ac7b53b83378c894de6578773dc1e392Timo Sirainen#include "settings-parser.h"
9f8559a5ac7b53b83378c894de6578773dc1e392Timo Sirainen#include "master-service-settings.h"
e641c9f656f1788ca6226ef0d60b2d592e2ca6d1Stephan Bosch#include "login-settings.h"
e641c9f656f1788ca6226ef0d60b2d592e2ca6d1Stephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch#include <stddef.h>
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch#include <unistd.h>
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Boschstatic bool login_settings_check(void *_set, pool_t pool, const char **error_r);
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch#undef DEF
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Bosch#define DEF(type, name) \
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Bosch    { type, #name, offsetof(struct login_settings, name), NULL }
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Bosch
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Boschstatic struct setting_define login_setting_defines[] = {
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, login_trusted_networks),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, login_greeting),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, login_log_format_elements),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, login_log_format),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_ENUM, ssl),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, ssl_ca_file),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, ssl_cert),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, ssl_key),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, ssl_key_password),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, ssl_parameters_file),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, ssl_cipher_list),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_STR, ssl_cert_username_field),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, ssl_verify_client_cert),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, ssl_require_client_cert),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, ssl_username_from_cert),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, verbose_ssl),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, disable_plaintext_auth),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, verbose_auth),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, auth_debug),
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    DEF(SET_BOOL, verbose_proctitle),
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Bosch
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Bosch    DEF(SET_UINT, mail_max_userip_connections),
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Bosch
1e653c7406ec0b062c0bacfdf2e7568a3f860500Stephan Bosch    SETTING_DEFINE_LIST_END
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch};
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Boschstatic struct login_settings login_default_settings = {
d45ab3fff7c47f1719b9cd310228c0dac2bdd1b2Timo Sirainen    MEMBER(login_trusted_networks) "",
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    MEMBER(login_greeting) PACKAGE_NAME" ready.",
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    MEMBER(login_log_format_elements) "user=<%u> method=%m rip=%r lip=%l %c",
e641c9f656f1788ca6226ef0d60b2d592e2ca6d1Stephan Bosch    MEMBER(login_log_format) "%$: %s",
e641c9f656f1788ca6226ef0d60b2d592e2ca6d1Stephan Bosch
e641c9f656f1788ca6226ef0d60b2d592e2ca6d1Stephan Bosch    MEMBER(ssl) "yes:no:required",
e641c9f656f1788ca6226ef0d60b2d592e2ca6d1Stephan Bosch    MEMBER(ssl_ca_file) "",
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_cert) "",
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_key) "",
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_key_password) "",
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_parameters_file) "ssl-parameters.dat",
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_cipher_list) "ALL:!LOW:!SSLv2",
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_cert_username_field) "commonName",
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_verify_client_cert) FALSE,
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_require_client_cert) FALSE,
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(ssl_username_from_cert) FALSE,
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(verbose_ssl) FALSE,
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    MEMBER(disable_plaintext_auth) TRUE,
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    MEMBER(verbose_auth) FALSE,
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    MEMBER(auth_debug) FALSE,
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch    MEMBER(verbose_proctitle) FALSE,
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch    MEMBER(mail_max_userip_connections) 10
d82ad7143c057c565e1fd5f3580645556ed0bcc9Stephan Bosch};
069def4dc35022852d569b7ab75a3b19d2cb0f1cTimo Sirainen
069def4dc35022852d569b7ab75a3b19d2cb0f1cTimo Sirainenstruct setting_parser_info login_setting_parser_info = {
c911297407bdcc7c7936305eb8f791b450d6375cTimo Sirainen    MEMBER(defines) login_setting_defines,
c911297407bdcc7c7936305eb8f791b450d6375cTimo Sirainen    MEMBER(defaults) &login_default_settings,
5394bed8aaef2a6c1c870a34a23a7824e1f370bbStephan Bosch
    MEMBER(parent) NULL,
    MEMBER(dynamic_parsers) NULL,

    MEMBER(parent_offset) (size_t)-1,
    MEMBER(type_offset) (size_t)-1,
    MEMBER(struct_size) sizeof(struct login_settings),
    MEMBER(check_func) login_settings_check
};

/* <settings checks> */
static int ssl_settings_check(void *_set ATTR_UNUSED, const char **error_r)
{
    struct login_settings *set = _set;

#ifndef HAVE_SSL
    *error_r = t_strdup_printf("SSL support not compiled in but ssl=%s",
                   set->ssl);
    return FALSE;
#else
    if (*set->ssl_cert == '\0') {
        *error_r = "ssl enabled, but ssl_cert not set";
        return FALSE;
    }
    if (*set->ssl_key == '\0') {
        *error_r = "ssl enabled, but ssl_key not set";
        return FALSE;
    }
    if (set->ssl_verify_client_cert && *set->ssl_ca_file == '\0') {
        *error_r = "ssl_verify_client_cert set, but ssl_ca_file not";
        return FALSE;
    }

#ifndef CONFIG_BINARY
    if (*set->ssl_ca_file != '\0' && access(set->ssl_ca_file, R_OK) < 0) {
        *error_r = t_strdup_printf("ssl_ca_file: access(%s) failed: %m",
                       set->ssl_ca_file);
        return FALSE;
    }
#endif
    return TRUE;
#endif
}

static bool login_settings_check(void *_set, pool_t pool, const char **error_r)
{
    struct login_settings *set = _set;

    set->log_format_elements_split =
        p_strsplit(pool, set->login_log_format_elements, " ");

    if (set->ssl_require_client_cert || set->ssl_username_from_cert) {
        /* if we require valid cert, make sure we also ask for it */
        set->ssl_verify_client_cert = TRUE;
    }

    if (strcmp(set->ssl, "no") == 0) {
        /* disabled */
    } else if (strcmp(set->ssl, "yes") == 0) {
        if (!ssl_settings_check(set, error_r))
            return FALSE;
    } else if (strcmp(set->ssl, "required") == 0) {
        if (!ssl_settings_check(set, error_r))
            return FALSE;
        set->disable_plaintext_auth = TRUE;
    } else {
        *error_r = t_strdup_printf("Unknown ssl setting value: %s",
                       set->ssl);
        return FALSE;
    }
    return TRUE;
}
/* </settings checks> */

struct login_settings *
login_settings_read(struct master_service *service, pool_t pool,
            const struct ip_addr *local_ip,
            const struct ip_addr *remote_ip)
{
    static const struct setting_parser_info *set_roots[] = {
        &login_setting_parser_info,
        NULL
    };
    struct master_service_settings_input input;
    const char *error;
    void **sets;
    struct login_settings *set;

    memset(&input, 0, sizeof(input));
    input.roots = set_roots;
    input.module = "login";
    input.service = login_protocol;

    if (local_ip != NULL)
        input.local_ip = *local_ip;
    if (remote_ip != NULL)
        input.remote_ip = *remote_ip;

    /* this function always clears the previous settings pool. since we're
       doing per-connection lookups, we always need to duplicate the
       settings using another pool. */
    if (master_service_settings_read(service, &input, &error) < 0)
        i_fatal("Error reading configuration: %s", error);

    sets = master_service_settings_get_others(service);
    set = settings_dup(&login_setting_parser_info, sets[0], pool);
    if (!login_settings_check(set, pool, &error))
        i_fatal("login_settings_check() failed: %s", error);
    return set;
}