static int
pop3_proxy_continue_sasl_auth(struct client *client, struct ostream *output,
const char *line)
{
string_t *str;
const unsigned char *data;
size_t data_len;
const char *error;
int ret;
str = t_str_new(128);
if (base64_decode(line, strlen(line), NULL, str) < 0) {
client_log_err(client, "proxy: Server sent invalid base64 data in AUTH response");
return -1;
}
ret = dsasl_client_input(client->proxy_sasl_client,
str_data(str), str_len(str), &error);
if (ret == 0) {
ret = dsasl_client_output(client->proxy_sasl_client,
&data, &data_len, &error);
}
if (ret < 0) {
client_log_err(client, t_strdup_printf(
"proxy: Server sent invalid authentication data: %s",
error));
return -1;
}
i_assert(ret == 0);
str_truncate(str, 0);
base64_encode(data, data_len, str);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
return 0;
}
static int proxy_write_login(struct imap_client *client, string_t *str)
{
struct dsasl_client_settings sasl_set;
const unsigned char *output;
unsigned int len;
const char *mech_name, *error;
/* Send CAPABILITY command if we don't know the capabilities yet.
Also as kind of a Dovecot-backend workaround if the client insisted
on sending CAPABILITY command (even though our banner already sent
it), send the (unnecessary) CAPABILITY command to backend as well
to avoid sending the CAPABILITY reply twice (untagged and OK resp
code). */
if (!client->proxy_capability_request_sent &&
(client->proxy_backend_capability == NULL ||
client->client_ignores_capability_resp_code)) {
client->proxy_capability_request_sent = TRUE;
str_append(str, "C CAPABILITY\r\n");
if (client->common.proxy_nopipelining) {
/* authenticate only after receiving C OK reply. */
return 0;
}
}
if (client->common.proxy_mech == NULL) {
/* logging in normally - use LOGIN command */
if (client->proxy_logindisabled &&
login_proxy_get_ssl_flags(client->common.login_proxy) == 0) {
client_log_err(&client->common,
"proxy: Remote advertised LOGINDISABLED and SSL/TLS not enabled");
return -1;
}
str_append(str, "L LOGIN ");
imap_append_string(str, client->common.proxy_user);
str_append_c(str, ' ');
imap_append_string(str, client->common.proxy_password);
str_append(str, "\r\n");
proxy_free_password(&client->common);
return 0;
}
i_assert(client->common.proxy_sasl_client == NULL);
memset(&sasl_set, 0, sizeof(sasl_set));
sasl_set.authid = client->common.proxy_master_user != NULL ?
client->common.proxy_master_user : client->common.proxy_user;
sasl_set.authzid = client->common.proxy_user;
sasl_set.password = client->common.proxy_password;
client->common.proxy_sasl_client =
dsasl_client_new(client->common.proxy_mech, &sasl_set);
mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
str_append(str, "L AUTHENTICATE ");
str_append(str, mech_name);
if (client->proxy_sasl_ir) {
if (dsasl_client_output(client->common.proxy_sasl_client,
&output, &len, &error) < 0) {
client_log_err(&client->common, t_strdup_printf(
"proxy: SASL mechanism %s init failed: %s",
mech_name, error));
return -1;
}
str_append_c(str, ' ');
if (len == 0)
str_append_c(str, '=');
else
base64_encode(output, len, str);
}
str_append(str, "\r\n");
proxy_free_password(&client->common);
return 0;
}
int imap_proxy_parse_line(struct client *client, const char *line)
{
struct imap_client *imap_client = (struct imap_client *)client;
struct ostream *output;
string_t *str;
const unsigned char *data;
unsigned int data_len;
const char *error;
int ret;
i_assert(!client->destroyed);
output = login_proxy_get_ostream(client->login_proxy);
if (!imap_client->proxy_seen_banner) {
/* this is a banner */
client->proxy_state = IMAP_PROXY_STATE_BANNER;
imap_client->proxy_seen_banner = TRUE;
if (proxy_input_banner(imap_client, output, line) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
return 0;
} else if (*line == '+') {
/* AUTHENTICATE started. finish it. */
if (client->proxy_sasl_client == NULL) {
/* used literals with LOGIN command, just ignore. */
return 0;
}
client->proxy_state = IMAP_PROXY_STATE_AUTH_CONTINUE;
str = t_str_new(128);
if (line[1] != ' ' ||
base64_decode(line+2, strlen(line+2), NULL, str) < 0) {
client_log_err(client,
"proxy: Server sent invalid base64 data in AUTHENTICATE response");
client_proxy_failed(client, TRUE);
return -1;
}
ret = dsasl_client_input(client->proxy_sasl_client,
str_data(str), str_len(str), &error);
if (ret == 0) {
ret = dsasl_client_output(client->proxy_sasl_client,
&data, &data_len, &error);
}
if (ret < 0) {
client_log_err(client, t_strdup_printf(
"proxy: Server sent invalid authentication data: %s",
error));
client_proxy_failed(client, TRUE);
return -1;
}
i_assert(ret == 0);
str_truncate(str, 0);
base64_encode(data, data_len, str);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
return 0;
} else if (strncmp(line, "S ", 2) == 0) {
if (strncmp(line, "S OK ", 5) != 0) {
/* STARTTLS failed */
client_log_err(client, t_strdup_printf(
"proxy: Remote STARTTLS failed: %s",
str_sanitize(line + 5, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
/* STARTTLS successful, begin TLS negotiation. */
client->proxy_state = IMAP_PROXY_STATE_STARTTLS;
if (login_proxy_starttls(client->login_proxy) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
/* i/ostreams changed. */
output = login_proxy_get_ostream(client->login_proxy);
str = t_str_new(128);
if (proxy_write_login(imap_client, str) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
o_stream_nsend(output, str_data(str), str_len(str));
return 1;
} else if (strncmp(line, "L OK ", 5) == 0) {
/* Login successful. Send this line to client. */
client->proxy_state = IMAP_PROXY_STATE_LOGIN;
str = t_str_new(128);
client_send_login_reply(imap_client, str, line + 5);
o_stream_nsend(client->output, str_data(str), str_len(str));
(void)client_skip_line(imap_client);
client_proxy_finish_destroy_client(client);
return 1;
} else if (strncmp(line, "L ", 2) == 0) {
line += 2;
if (client->set->auth_verbose) {
const char *log_line = line;
if (strncasecmp(log_line, "NO ", 3) == 0)
log_line += 3;
client_proxy_log_failure(client, log_line);
}
#define STR_NO_IMAP_RESP_CODE_AUTHFAILED "NO ["IMAP_RESP_CODE_AUTHFAILED"]"
if (strncmp(line, STR_NO_IMAP_RESP_CODE_AUTHFAILED,
strlen(STR_NO_IMAP_RESP_CODE_AUTHFAILED)) == 0) {
/* the remote sent a generic "authentication failed"
error. replace it with our one, so that in case
the remote is sending a different error message
an attacker can't find out what users exist in
the system. */
client_send_reply_code(client, IMAP_CMD_REPLY_NO,
IMAP_RESP_CODE_AUTHFAILED,
AUTH_FAILED_MSG);
} else if (strncmp(line, "NO [", 4) == 0) {
/* remote sent some other resp-code. forward it. */
client_send_raw(client, t_strconcat(
imap_client->cmd_tag, " ", line, "\r\n", NULL));
} else {
/* there was no [resp-code], so remote isn't Dovecot
v1.2+. we could either forward the line as-is and
leak information about what users exist in this
system, or we could hide other errors than password
failures. since other errors are pretty rare,
it's safer to just hide them. they're still
available in logs though. */
client_send_reply_code(client, IMAP_CMD_REPLY_NO,
IMAP_RESP_CODE_AUTHFAILED,
AUTH_FAILED_MSG);
}
client->proxy_auth_failed = TRUE;
client_proxy_failed(client, FALSE);
return -1;
} else if (strncasecmp(line, "* CAPABILITY ", 13) == 0) {
i_free(imap_client->proxy_backend_capability);
imap_client->proxy_backend_capability = i_strdup(line + 13);
return 0;
} else if (strncmp(line, "C ", 2) == 0) {
/* Reply to CAPABILITY command we sent */
client->proxy_state = IMAP_PROXY_STATE_CAPABILITY;
if (strncmp(line, "C OK ", 5) == 0 &&
client->proxy_password != NULL) {
/* pipelining was disabled, send the login now. */
str = t_str_new(128);
if (proxy_write_login(imap_client, str) < 0)
return -1;
o_stream_nsend(output, str_data(str), str_len(str));
return 1;
}
return 0;
} else if (strncasecmp(line, "I ", 2) == 0) {
/* Reply to ID command we sent, ignore it unless
pipelining is disabled, in which case send
either STARTTLS or login */
client->proxy_state = IMAP_PROXY_STATE_ID;
if (client->proxy_nopipelining) {
str = t_str_new(128);
if ((ret = proxy_write_starttls(imap_client, str)) < 0) {
return -1;
} else if (ret == 0) {
if (proxy_write_login(imap_client, str) < 0)
return -1;
}
o_stream_nsend(output, str_data(str), str_len(str));
return 1;
}
return 0;
} else if (strncasecmp(line, "* ID ", 5) == 0) {
/* Reply to ID command we sent, ignore it */
return 0;
} else if (strncmp(line, "* ", 2) == 0) {
/* untagged reply. just forward it. */
client_send_raw(client, t_strconcat(line, "\r\n", NULL));
return 0;
} else {
/* tagged reply, shouldn't happen. */
client_log_err(client, t_strdup_printf(
"proxy: Unexpected input, ignoring: %s",
str_sanitize(line, 160)));
return 0;
}
}
static int proxy_send_login(struct pop3_client *client, struct ostream *output)
{
struct dsasl_client_settings sasl_set;
const unsigned char *sasl_output;
size_t len;
const char *mech_name, *error;
string_t *str = t_str_new(128);
i_assert(client->common.proxy_ttl > 1);
if (client->proxy_xclient &&
!client->common.proxy_not_trusted) {
string_t *fwd = t_str_new(128);
for(const char *const *ptr = client->common.auth_passdb_args;*ptr != NULL; ptr++) {
if (strncasecmp(*ptr, "forward_", 8) == 0) {
if (str_len(fwd) > 0)
str_append_c(fwd, '\t');
str_append_tabescaped(fwd, (*ptr)+8);
}
}
str_printfa(str, "XCLIENT ADDR=%s PORT=%u SESSION=%s TTL=%u",
net_ip2addr(&client->common.ip),
client->common.remote_port,
client_get_session_id(&client->common),
client->common.proxy_ttl - 1);
if (str_len(fwd) > 0) {
str_append(str, " FORWARD=");
base64_encode(str_data(fwd), str_len(fwd), str);
}
str_append(str, "\r\n");
/* remote supports XCLIENT, send it */
o_stream_nsend(output, str_data(str), str_len(str));
client->proxy_state = POP3_PROXY_XCLIENT;
} else {
client->proxy_state = POP3_PROXY_LOGIN1;
}
str_truncate(str, 0);
if (client->common.proxy_mech == NULL) {
/* send USER command */
str_append(str, "USER ");
str_append(str, client->common.proxy_user);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
return 0;
}
i_assert(client->common.proxy_sasl_client == NULL);
i_zero(&sasl_set);
sasl_set.authid = client->common.proxy_master_user != NULL ?
client->common.proxy_master_user : client->common.proxy_user;
sasl_set.authzid = client->common.proxy_user;
sasl_set.password = client->common.proxy_password;
client->common.proxy_sasl_client =
dsasl_client_new(client->common.proxy_mech, &sasl_set);
mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
str_printfa(str, "AUTH %s ", mech_name);
if (dsasl_client_output(client->common.proxy_sasl_client,
&sasl_output, &len, &error) < 0) {
client_log_err(&client->common, t_strdup_printf(
"proxy: SASL mechanism %s init failed: %s",
mech_name, error));
return -1;
}
if (len == 0)
str_append_c(str, '=');
else
base64_encode(sasl_output, len, str);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
proxy_free_password(&client->common);
if (client->proxy_state != POP3_PROXY_XCLIENT)
client->proxy_state = POP3_PROXY_LOGIN2;
return 0;
}
static int proxy_send_login(struct pop3_client *client, struct ostream *output)
{
struct dsasl_client_settings sasl_set;
const unsigned char *sasl_output;
unsigned int len;
const char *mech_name, *error;
string_t *str;
i_assert(client->common.proxy_ttl > 1);
if (client->proxy_xclient &&
!client->common.proxy_not_trusted) {
/* remote supports XCLIENT, send it */
o_stream_nsend_str(output, t_strdup_printf(
"XCLIENT ADDR=%s PORT=%u SESSION=%s TTL=%u\r\n",
net_ip2addr(&client->common.ip),
client->common.remote_port,
client_get_session_id(&client->common),
client->common.proxy_ttl - 1));
client->common.proxy_state = POP3_PROXY_XCLIENT;
} else {
client->common.proxy_state = POP3_PROXY_LOGIN1;
}
str = t_str_new(128);
if (client->common.proxy_mech == NULL) {
/* send USER command */
str_append(str, "USER ");
str_append(str, client->common.proxy_user);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
return 0;
}
i_assert(client->common.proxy_sasl_client == NULL);
memset(&sasl_set, 0, sizeof(sasl_set));
sasl_set.authid = client->common.proxy_master_user != NULL ?
client->common.proxy_master_user : client->common.proxy_user;
sasl_set.authzid = client->common.proxy_user;
sasl_set.password = client->common.proxy_password;
client->common.proxy_sasl_client =
dsasl_client_new(client->common.proxy_mech, &sasl_set);
mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
str_printfa(str, "AUTH %s ", mech_name);
if (dsasl_client_output(client->common.proxy_sasl_client,
&sasl_output, &len, &error) < 0) {
client_log_err(&client->common, t_strdup_printf(
"proxy: SASL mechanism %s init failed: %s",
mech_name, error));
return -1;
}
if (len == 0)
str_append_c(str, '=');
else
base64_encode(sasl_output, len, str);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
proxy_free_password(&client->common);
if (client->common.proxy_state != POP3_PROXY_XCLIENT)
client->common.proxy_state = POP3_PROXY_LOGIN2;
return 0;
}
