/*
 * Probe for a post-authentication capability response and compare the
 * SASL mechanism list the server advertises now against the one recorded
 * before authentication.
 *
 * Some servers volunteer a capability response on their own once the
 * security layer is up; others have to be asked.  We pause briefly, peek
 * at the input stream, and only send an explicit CAPABILITY when nothing
 * has arrived.
 *
 * @param obj       connection whose streams are probed
 * @param mechlist  mechanism list recorded before authentication
 *
 * Returns: the strcmp() result of the freshly read list against
 * @mechlist (non-zero when they differ), or 0 when the server no longer
 * advertises any SASL mechanisms.  The list read here is freed before
 * returning; @mechlist is left to the caller.
 */
int detect_mitm(isieve_t *obj, char *mechlist)
{
    int result = 0;
    int peeked;
    char *advertised;

    /* give the server a moment to volunteer a capability response */
    usleep(250000);
    prot_NONBLOCK(obj->pin);
    peeked = prot_getc(obj->pin);
    if (peeked == EOF) {
        /* nothing arrived: request the capabilities explicitly */
        prot_printf(obj->pout, "CAPABILITY\r\n");
        prot_flush(obj->pout);
    } else {
        /* something is waiting: hand the byte back for read_capability() */
        prot_ungetc(peeked, obj->pin);
    }
    prot_BLOCK(obj->pin);

    advertised = read_capability(obj);
    if (advertised != NULL) {
        /* server still advertises SASL mechs: compare the two lists */
        result = strcmp(advertised, mechlist);
        free(advertised);
    }

    return result;
}
/*
 * Shut down the connection held by @s and release everything attached
 * to it.
 *
 * If the input stream is still healthy and the protocol defines a
 * logout command, the command is sent and replies are consumed until
 * the first one that is not an unsolicited line (or until EOF); whether
 * the server answered success or failure does not matter here.  Then
 * the socket, the prot streams, the TLS and SASL connections, the cached
 * last result and the parsed capabilities are all released, leaving the
 * struct in the "not connected" state (sock == -1).
 *
 * A NULL @s or an already-disconnected backend is a no-op.
 */
void backend_disconnect(struct backend *s)
{
    char line[1024];

    if (s == NULL) return;
    if (s->sock == -1) return;

    if (!prot_error(s->in) && s->prot->logout_cmd.cmd) {
        const char *unsol = s->prot->logout_cmd.unsol;

        prot_printf(s->out, "%s\r\n", s->prot->logout_cmd.cmd);
        prot_flush(s->out);

        /* drain until the server's reply, or until the connection closes */
        while (prot_fgets(line, sizeof(line), s->in)) {
            if (unsol && !strncmp(unsol, line, strlen(unsol))) {
                /* unsolicited response -- keep reading */
                continue;
            }
            /* success/fail response -- either way we are done */
            break;
        }
    }

    /* discard whatever is left in the input buffer */
    prot_NONBLOCK(s->in);
    prot_fill(s->in);

#ifdef HAVE_SSL
    if (s->tlsconn) {
        tls_reset_servertls(&s->tlsconn);
        s->tlsconn = NULL;
    }
#endif /* HAVE_SSL */

    /* close the socket and tear down the prot layer */
    cyrus_close_sock(s->sock);
    s->sock = -1;

    prot_free(s->in);
    prot_free(s->out);
    s->in = NULL;
    s->out = NULL;

    if (s->saslconn) {
        sasl_dispose(&(s->saslconn));
        s->saslconn = NULL;
    }

    buf_free(&s->last_result);

    forget_capabilities(s);
}
/*
 * Return the sync server to its idle, not-connected state.
 *
 * Tears down the per-connection prot streams (draining unread input on
 * sync_in, flushing pending output on sync_out), the TLS and SASL
 * connections, the sync_logfd descriptor, the authenticated user id and
 * auth state, and clears the STARTTLS / COMPRESS flags and the SASL
 * properties so the process is ready for a new connection.
 */
static void sync_reset(void)
{
    proc_cleanup();

    if (sync_in != NULL) {
        /* pull in anything still pending before the stream goes away */
        prot_NONBLOCK(sync_in);
        prot_fill(sync_in);
        prot_free(sync_in);
        sync_in = NULL;
    }

    if (sync_out != NULL) {
        prot_flush(sync_out);
        prot_free(sync_out);
        sync_out = NULL;
    }

#ifdef HAVE_SSL
    if (tls_conn != NULL) {
        tls_reset_servertls(&tls_conn);
        tls_conn = NULL;
    }
#endif

    cyrus_reset_stdio();

    sync_clienthost = "[local]";

    if (sync_logfd != -1) {
        close(sync_logfd);
        sync_logfd = -1;
    }

    /* free(NULL) is a no-op, so no guard is needed */
    free(sync_userid);
    sync_userid = NULL;

    if (sync_authstate != NULL) {
        auth_freestate(sync_authstate);
        sync_authstate = NULL;
    }

    if (sync_saslconn != NULL) {
        sasl_dispose(&sync_saslconn);
        sync_saslconn = NULL;
    }

    sync_starttls_done = 0;
    sync_compress_done = 0;

    saslprops_reset(&saslprops);
}
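/*
 * Get capabilities from the server, and parse them according to
 * details in the protocol_t, so that the CAPA() macro and perhaps
 * the backend_get_cap_params() function will notice them.  Any
 * capabilities previously parsed are forgotten.
 *
 * The server might give us capabilities for free just because we
 * connected (or did a STARTTLS or logged in); in this case, call
 * with a non-zero value for @automatic.  Otherwise, we send a
 * protocol-specific command to the server to tickle it into
 * disgorging some capabilities.
 *
 * @param s          backend whose streams are read and written
 * @param dobanner   non-zero to record the last line read in s->banner
 * @param automatic  AUTO_CAPA_BANNER to parse the greeting, another
 *                   non-zero value for a volunteered response, 0 to
 *                   send the protocol's capability command first
 *
 * Returns: 1 if any capabilities were found, 0 otherwise, or -1 if we
 * were asked to request capabilities but the protocol has no
 * capability command.
 */
static int ask_capability(struct backend *s, int dobanner, int automatic)
{
    struct protstream *pout = s->out, *pin = s->in;
    const struct protocol_t *prot = s->prot;
    int matches = 0;
    char str[4096];
    const char *resp;
    size_t resplen = 0;

    resp = (automatic == AUTO_CAPA_BANNER) ?
        prot->banner.resp : prot->capa_cmd.resp;
    /* the terminator does not change while we read, so measure it once */
    if (resp) resplen = strlen(resp);

    if (!automatic) {
        /* no capability command */
        if (!prot->capa_cmd.cmd) return -1;

        /* request capabilities of server */
        prot_printf(pout, "%s", prot->capa_cmd.cmd);
        if (prot->capa_cmd.arg) prot_printf(pout, " %s", prot->capa_cmd.arg);
        prot_printf(pout, "\r\n");
        prot_flush(pout);
    }

    forget_capabilities(s);

    do {
        if (prot_fgets(str, sizeof(str), pin) == NULL) break;

        matches |= parse_capability(s, str);

        if (!resp) {
            /* multiline response with no distinct end (IMAP banner):
             * stop blocking so the loop ends once the server goes quiet */
            prot_NONBLOCK(pin);
        }

        if (dobanner) {
            /* str (4096 bytes) may be longer than s->banner; strncpy()
             * then stores no terminator, so always add one explicitly */
            strncpy(s->banner, str, sizeof(s->banner));
            s->banner[sizeof(s->banner) - 1] = '\0';
        }

        /* look for the end of the capabilities */
    } while (!resp || strncasecmp(str, resp, resplen));

    prot_BLOCK(pin);
    post_parse_capability(s);
    return matches;
}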
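/*
 * fetchnews: pull new articles from an NNTP peer and hand them to our
 * own news server.
 *
 * Usage: fetchnews [-C altconfig] [-s server[:port]] [-w wildmat]
 *                  [-f stampfile] [-a authname] [-p password] [-n] [-y] peer
 *
 *   -s  server (and optional port) to deliver to; default localhost:119
 *   -w  wildmat selecting the newsgroups of interest; default "*"
 *   -f  file holding the timestamp of the previous run
 *   -a/-p  AUTHINFO USER/PASS credentials for the peer; the password is
 *       prompted for when -a is given without -p
 *   -n  do not use NEWNEWS; walk the LIST ACTIVE groups and STAT/NEXT
 *       through each, remembering the last article seen per group
 *   -y  the peer accepts a four-digit year in the NEWNEWS date
 *
 * The peer is contacted first (greeting, optional authentication,
 * MODE READER); then either NEWNEWS since the stored timestamp or
 * LIST ACTIVE is used to discover articles, which are passed to fetch()
 * one at a time.  The timestamp file is only rewritten after a complete
 * NEWNEWS pass.  Every error path jumps to quit, which sends QUIT on the
 * connections that are open and tears them down.
 *
 * All lines read from the peer and the server are untrusted input: they
 * are only ever copied into BUFFERSIZE buffers and parsed with checked
 * sscanf()/strrchr() results.
 *
 * Returns: 0 on exit through quit (errors are reported via syslog or
 * stderr); the process exits with -1 if the peer cannot be reached.
 */
int main(int argc, char *argv[])
{
    extern char *optarg;
    int opt;
    char *alt_config = NULL, *port = "119";
    const char *peer = NULL, *server = "localhost", *wildmat = "*";
    char *authname = NULL, *password = NULL;
    int psock = -1, ssock = -1;
    struct protstream *pin = NULL, *pout = NULL, *sin = NULL, *sout = NULL;
    char buf[BUFFERSIZE];
    char sfile[1024] = "";
    int fd = -1, i, offered, rejected, accepted, failed;
    time_t stamp;
    strarray_t resp = STRARRAY_INITIALIZER;
    int newnews = 1;
    char *datefmt = "%y%m%d %H%M%S";

    if ((geteuid()) == 0 && (become_cyrus(/*is_master*/0) != 0)) {
        fatal("must run as the Cyrus user", EC_USAGE);
    }

    while ((opt = getopt(argc, argv, "C:s:w:f:a:p:ny")) != EOF) {
        switch (opt) {
        case 'C': /* alt config file */
            alt_config = optarg;
            break;

        case 's': /* server, optionally "host:port" */
            server = xstrdup(optarg);
            if ((port = strchr(server, ':')))
                *port++ = '\0';
            else
                port = "119";
            break;

        case 'w': /* wildmat */
            wildmat = optarg;
            break;

        case 'f': /* timestamp file */
            snprintf(sfile, sizeof(sfile), "%s", optarg);
            break;

        case 'a': /* authname */
            authname = optarg;
            break;

        case 'p': /* password */
            password = optarg;
            break;

        case 'n': /* no newnews */
            newnews = 0;
            break;

        case 'y': /* newsserver is y2k compliant */
            datefmt = "%Y%m%d %H%M%S";
            break;

        default:
            usage();
            /* NOTREACHED */
        }
    }
    if (argc - optind < 1) {
        usage();
        /* NOTREACHED */
    }

    peer = argv[optind++];

    cyrus_init(alt_config, "fetchnews", 0, 0);

    /* connect to the peer */
    /* xxx configurable port number? */
    if ((psock = init_net(peer, "119", &pin, &pout)) < 0) {
        fprintf(stderr, "connection to %s failed\n", peer);
        cyrus_done();
        exit(-1);
    }

    /* read the initial greeting */
    if (!prot_fgets(buf, sizeof(buf), pin) || strncmp("20", buf, 2)) {
        syslog(LOG_ERR, "peer not available");
        goto quit;
    }

    if (authname) {
        /* authenticate to peer */
        /* XXX this should be modified to support SASL and STARTTLS */

        prot_printf(pout, "AUTHINFO USER %s\r\n", authname);
        if (!prot_fgets(buf, sizeof(buf), pin)) {
            syslog(LOG_ERR, "AUTHINFO USER terminated abnormally");
            goto quit;
        }
        else if (!strncmp("381", buf, 3)) {
            /* password required */
            if (!password)
                password = cyrus_getpass("Please enter the password: ");
            if (!password) {
                fprintf(stderr, "failed to get password\n");
                goto quit;
            }

            prot_printf(pout, "AUTHINFO PASS %s\r\n", password);
            if (!prot_fgets(buf, sizeof(buf), pin)) {
                syslog(LOG_ERR, "AUTHINFO PASS terminated abnormally");
                goto quit;
            }
        }

        if (strncmp("281", buf, 3)) {
            /* auth failed */
            goto quit;
        }
    }

    /* change to reader mode - not always necessary, so ignore result */
    prot_printf(pout, "MODE READER\r\n");
    prot_fgets(buf, sizeof(buf), pin);

    if (newnews) {
        struct tm ctime, *ptime;

        /* fetch the server's current time */
        prot_printf(pout, "DATE\r\n");

        if (!prot_fgets(buf, sizeof(buf), pin) || strncmp("111 ", buf, 4)) {
            syslog(LOG_ERR, "error fetching DATE");
            goto quit;
        }

        /* parse and normalize the server time; a partial match would
         * leave fields at zero and silently produce a bogus timestamp */
        memset(&ctime, 0, sizeof(struct tm));
        if (sscanf(buf+4, "%4d%02d%02d%02d%02d%02d",
                   &ctime.tm_year, &ctime.tm_mon, &ctime.tm_mday,
                   &ctime.tm_hour, &ctime.tm_min, &ctime.tm_sec) != 6) {
            syslog(LOG_ERR, "error parsing DATE");
            goto quit;
        }
        ctime.tm_year -= 1900;
        ctime.tm_mon--;
        ctime.tm_isdst = -1;

        /* read the previous timestamp */
        if (!sfile[0]) {
            char oldfile[1024];

            snprintf(sfile, sizeof(sfile), "%s/fetchnews.stamp", config_dir);

            /* upgrade from the old stamp filename to the new */
            snprintf(oldfile, sizeof(oldfile), "%s/newsstamp", config_dir);
            rename(oldfile, sfile);
        }

        if ((fd = open(sfile, O_RDWR | O_CREAT, 0644)) == -1) {
            syslog(LOG_ERR, "cannot open %s", sfile);
            goto quit;
        }
        if (lock_nonblocking(fd) == -1) {
            syslog(LOG_ERR, "cannot lock %s: %m", sfile);
            goto quit;
        }

        if (read(fd, &stamp, sizeof(stamp)) < (int) sizeof(stamp)) {
            /* missing or short stamp file: start from the epoch.
             * XXX do something better here */
            stamp = 0;
        }

        /* ask for new articles */
        if (stamp) stamp -= 180; /* adjust back 3 minutes */
        ptime = gmtime(&stamp);
        ptime->tm_isdst = -1;
        strftime(buf, sizeof(buf), datefmt, ptime);
        prot_printf(pout, "NEWNEWS %s %s GMT\r\n", wildmat, buf);

        if (!prot_fgets(buf, sizeof(buf), pin) || strncmp("230", buf, 3)) {
            /* fall back to LIST ACTIVE; fd stays open until quit */
            syslog(LOG_ERR, "peer doesn't support NEWNEWS");
            newnews = 0;
        }

        /* prepare server's current time as new timestamp */
        stamp = mktime(&ctime);
        /* adjust for local timezone

           XXX  We need to do this because we use gmtime() above.
           We can't change this, otherwise we'd be incompatible
           with an old localtime timestamp.
        */
        stamp += gmtoff_of(&ctime, stamp);
    }

    if (!newnews) {
        prot_printf(pout, "LIST ACTIVE %s\r\n", wildmat);

        if (!prot_fgets(buf, sizeof(buf), pin) || strncmp("215", buf, 3)) {
            syslog(LOG_ERR, "peer doesn't support LIST ACTIVE");
            goto quit;
        }
    }

    /* process the NEWNEWS/LIST ACTIVE list, terminated by a lone "." */
    while (prot_fgets(buf, sizeof(buf), pin)) {
        if (buf[0] == '.') break;
        strarray_append(&resp, buf);
    }
    if (buf[0] != '.') {
        syslog(LOG_ERR, "%s terminated abnormally",
               newnews ? "NEWNEWS" : "LIST ACTIVE");
        goto quit;
    }

    if (!resp.count) {
        /* nothing matches our wildmat */
        goto quit;
    }

    /* connect to the server */
    if ((ssock = init_net(server, port, &sin, &sout)) < 0) {
        fprintf(stderr, "connection to %s failed\n", server);
        goto quit;
    }

    /* read the initial greeting */
    if (!prot_fgets(buf, sizeof(buf), sin) || strncmp("20", buf, 2)) {
        syslog(LOG_ERR, "server not available");
        goto quit;
    }

    /* fetch and store articles */
    offered = rejected = accepted = failed = 0;
    if (newnews) {
        /* response is a list of msgids */
        for (i = 0; i < resp.count; i++) {
            /* find the end of the msgid; the line came from the peer, so
             * a missing '>' must be skipped rather than dereferenced */
            char *end = strrchr(resp.data[i], '>');

            if (!end) {
                syslog(LOG_ERR, "malformed NEWNEWS response line, skipping");
                continue;
            }
            end[1] = '\0';

            offered++;
            if (fetch(resp.data[i], 1, pin, pout, sin, sout,
                      &rejected, &accepted, &failed)) {
                goto quit;
            }
        }

        /* write the current timestamp */
        lseek(fd, 0, SEEK_SET);
        if (write(fd, &stamp, sizeof(stamp)) < (int) sizeof(stamp))
            syslog(LOG_ERR, "error writing %s", sfile);
        lock_unlock(fd);
        close(fd);
        fd = -1;
    }
    else {
        char group[BUFFERSIZE], msgid[BUFFERSIZE], lastbuf[50];
        const char *data;
        unsigned long low, high, last, cur;
        int start;
        size_t datalen;
        struct txn *tid = NULL;

        newsrc_init(NULL, 0);

        /*
         * response is a list of groups.
         * select each group, and STAT each article we haven't seen yet.
         */
        for (i = 0; i < resp.count; i++) {
            /* parse the LIST ACTIVE response; group and resp.data[i] are
             * both BUFFERSIZE, so "%s" cannot overflow, but high/low must
             * not be used when the line did not parse */
            if (sscanf(resp.data[i], "%s %lu %lu", group, &high, &low) != 3) {
                syslog(LOG_ERR, "malformed LIST ACTIVE response line, skipping");
                continue;
            }

            last = 0;
            if (!cyrusdb_fetchlock(newsrc_db, group, strlen(group),
                                   &data, &datalen, &tid)) {
                last = strtoul(data, NULL, 10);
            }
            if (high <= last) continue;

            /* select the group */
            prot_printf(pout, "GROUP %s\r\n", group);
            if (!prot_fgets(buf, sizeof(buf), pin)) {
                syslog(LOG_ERR, "GROUP terminated abnormally");
                continue;
            }
            else if (strncmp("211", buf, 3)) break;

            for (start = 1, cur = low > last ? low : ++last;; cur++) {
                if (start) {
                    /* STAT the first article we haven't seen */
                    prot_printf(pout, "STAT %lu\r\n", cur);
                } else {
                    /* continue with the NEXT article */
                    prot_printf(pout, "NEXT\r\n");
                }

                if (!prot_fgets(buf, sizeof(buf), pin)) {
                    syslog(LOG_ERR, "STAT/NEXT terminated abnormally");
                    cur--;
                    break;
                }
                if (!strncmp("223", buf, 3)) {
                    char *end;

                    /* parse the STAT/NEXT response; a line without an
                     * article number or a '>'-terminated msgid is treated
                     * like a failed fetch instead of dereferencing NULL */
                    if (sscanf(buf, "223 %lu %s", &cur, msgid) != 2 ||
                        !(end = strrchr(msgid, '>'))) {
                        syslog(LOG_ERR, "malformed STAT/NEXT response");
                        cur--;
                        break;
                    }
                    end[1] = '\0';

                    if (fetch(msgid, 0, pin, pout, sin, sout,
                              &rejected, &accepted, &failed)) {
                        cur--;
                        break;
                    }
                    offered++;
                    start = 0;
                }

                /* have we reached the highwater mark? */
                if (cur >= high) break;
            }

            snprintf(lastbuf, sizeof(lastbuf), "%lu", cur);
            cyrusdb_store(newsrc_db, group, strlen(group),
                          lastbuf, strlen(lastbuf)+1, &tid);
        }

        if (tid) cyrusdb_commit(newsrc_db, tid);
        newsrc_done();
    }

    syslog(LOG_NOTICE,
           "fetchnews: %s offered %d; %s rejected %d, accepted %d, failed %d",
           peer, offered, server, rejected, accepted, failed);

  quit:
    if (fd != -1) {
        /* stamp file still open (NEWNEWS refused, or an early error);
         * closing it also releases the lock */
        close(fd);
    }

    if (psock >= 0) {
        prot_printf(pout, "QUIT\r\n");
        prot_flush(pout);

        /* Flush the incoming buffer */
        prot_NONBLOCK(pin);
        prot_fill(pin);

        /* close/free socket & prot layer */
        close(psock);

        prot_free(pin);
        prot_free(pout);
    }

    if (ssock >= 0) {
        prot_printf(sout, "QUIT\r\n");
        prot_flush(sout);

        /* Flush the incoming buffer */
        prot_NONBLOCK(sin);
        prot_fill(sin);

        /* close/free socket & prot layer -- the server socket this time;
         * psock has already been closed above */
        close(ssock);

        prot_free(sin);
        prot_free(sout);
    }

    cyrus_done();

    return 0;
}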
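/*
 * Open (or re-open) a connection to the backend @server speaking @prot,
 * read its greeting and capabilities, authenticate as @userid through
 * SASL and, if configured, enable compression.
 *
 * @param ret_backend  existing struct to reuse, or NULL to allocate one
 * @param server       host name resolved via getaddrinfo() with
 *                     prot->service, or an absolute path to a UNIX socket
 * @param prot         protocol description driving the banner,
 *                     capability, auth and compress handling
 * @param userid       user to authenticate as
 * @param cb           SASL callbacks passed to backend_authenticate()
 * @param auth_status  if non-NULL, receives the server's auth response
 *
 * Authentication is skipped for LMTP/CSYNC over a UNIX socket.  When a
 * SASL security layer was negotiated, the advertised SASL mechanism
 * list is fetched again and compared with the pre-auth list; a change is
 * logged as a possible MITM and the connection is torn down.
 *
 * Returns: the connected backend, or NULL on failure.  On failure the
 * struct is freed only if it was allocated here; a caller-supplied
 * @ret_backend is left with in/out/saslconn cleared.
 */
struct backend *backend_connect(struct backend *ret_backend, const char *server,
                                struct protocol_t *prot, const char *userid,
                                sasl_callback_t *cb, const char **auth_status)
{
    /* need to (re)establish connection to server or create one */
    int sock = -1;
    int r;
    int err = -1;
    int ask = 1; /* should we explicitly ask for capabilities? */
    struct addrinfo hints, *res0 = NULL, *res;
    struct sockaddr_un sunsock;
    char buf[2048];
    struct sigaction action;
    struct backend *ret;
    char rsessionid[MAX_SESSIONID_SIZE];

    if (!ret_backend) {
        ret = xzmalloc(sizeof(struct backend));
        strlcpy(ret->hostname, server, sizeof(ret->hostname));
        ret->timeout = NULL;
    }
    else
        ret = ret_backend;

    if (server[0] == '/') { /* unix socket */
        /* build a single, hand-made addrinfo entry pointing at sunsock */
        res0 = &hints;
        memset(res0, 0, sizeof(struct addrinfo));
        res0->ai_family = PF_UNIX;
        res0->ai_socktype = SOCK_STREAM;

        /* zero the whole sockaddr so no uninitialised bytes reach connect() */
        memset(&sunsock, 0, sizeof(sunsock));
        res0->ai_addr = (struct sockaddr *) &sunsock;
        res0->ai_addrlen = sizeof(sunsock.sun_family) + strlen(server) + 1;
#ifdef SIN6_LEN
        res0->ai_addrlen += sizeof(sunsock.sun_len);
        sunsock.sun_len = res0->ai_addrlen;
#endif
        sunsock.sun_family = AF_UNIX;
        strlcpy(sunsock.sun_path, server, sizeof(sunsock.sun_path));

        /* XXX set that we are preauthed */

        /* change hostname to 'config_servername' */
        strlcpy(ret->hostname, config_servername, sizeof(ret->hostname));
    }
    else { /* inet socket */
        memset(&hints, 0, sizeof(hints));
        hints.ai_family = PF_UNSPEC;
        hints.ai_socktype = SOCK_STREAM;
        err = getaddrinfo(server, prot->service, &hints, &res0);
        if (err) {
            syslog(LOG_ERR, "getaddrinfo(%s) failed: %s",
                   server, gai_strerror(err));
            goto error;
        }
    }

    /* Setup timeout: SIGALRM interrupts a hanging connect() */
    timedout = 0;
    action.sa_flags = 0;
    action.sa_handler = timed_out;
    sigemptyset(&action.sa_mask);
    if (sigaction(SIGALRM, &action, NULL) < 0) {
        syslog(LOG_ERR, "Setting timeout in backend_connect failed: sigaction: %m");
        /* continue anyway */
    }

    for (res = res0; res; res = res->ai_next) {
        sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
        if (sock < 0)
            continue;
        alarm(config_getint(IMAPOPT_CLIENT_TIMEOUT));
        if (connect(sock, res->ai_addr, res->ai_addrlen) >= 0)
            break;
        if (errno == EINTR && timedout == 1)
            errno = ETIMEDOUT;
        close(sock);
        sock = -1;
    }

    /* Remove timeout code */
    alarm(0);
    signal(SIGALRM, SIG_IGN);

    if (sock < 0) {
        /* res0 points at the stack 'hints' in the unix-socket case */
        if (res0 != &hints)
            freeaddrinfo(res0);
        syslog(LOG_ERR, "connect(%s) failed: %m", server);
        goto error;
    }
    memcpy(&ret->addr, res->ai_addr, res->ai_addrlen);
    if (res0 != &hints)
        freeaddrinfo(res0);

    ret->in = prot_new(sock, 0);
    ret->out = prot_new(sock, 1);
    ret->sock = sock;
    prot_setflushonread(ret->in, ret->out);
    ret->prot = prot;

    /* use literal+ to send literals */
    prot_setisclient(ret->in, 1);
    prot_setisclient(ret->out, 1);

    if (prot->banner.auto_capa) {
        /* try to get the capabilities from the banner */
        r = ask_capability(ret, /*dobanner*/1, AUTO_CAPA_BANNER);
        if (r) {
            /* found capabilities in banner -> don't ask */
            ask = 0;
        }
    }
    else {
        size_t resplen = strlen(prot->banner.resp);

        do { /* read the initial greeting */
            if (!prot_fgets(buf, sizeof(buf), ret->in)) {
                syslog(LOG_ERR,
                       "backend_connect(): couldn't read initial greeting: %s",
                       ret->in->error ? ret->in->error : "(null)");
                goto error;
            }
        } while (strncasecmp(buf, prot->banner.resp, resplen));
        /* bound by the destination, and terminate explicitly since
         * strncpy() does not when it truncates */
        strncpy(ret->banner, buf, sizeof(ret->banner));
        ret->banner[sizeof(ret->banner) - 1] = '\0';
    }

    if (ask) {
        /* get the capabilities */
        ask_capability(ret, /*dobanner*/0, AUTO_CAPA_NO);
    }

    /* now need to authenticate to backend server,
       unless we're doing LMTP/CSYNC on a UNIX socket (deliver/sync_client) */
    if ((server[0] != '/') ||
        (strcmp(prot->sasl_service, "lmtp") &&
         strcmp(prot->sasl_service, "csync"))) {
        char *old_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
        const char *my_status;

        if ((r = backend_authenticate(ret, userid, cb, &my_status))) {
            syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
                   sasl_errstring(r, NULL, NULL));
            free(old_mechlist);
            goto error;
        }
        else {
            const void *ssf = NULL;

            /* only dereference the SSF when the property was actually
             * returned; a failed sasl_getprop() leaves ssf unset */
            if (sasl_getprop(ret->saslconn, SASL_SSF, &ssf) == SASL_OK &&
                ssf && *((const sasl_ssf_t *) ssf)) {
                /* if we have a SASL security layer, compare SASL mech lists
                   before/after AUTH to check for a MITM attack */
                char *new_mechlist;
                int auto_capa = (prot->sasl_cmd.auto_capa == AUTO_CAPA_AUTH_SSF);

                if (!strcmp(prot->service, "sieve")) {
                    /* XXX  Hack to handle ManageSieve servers.
                     * No way to tell from protocol if server will
                     * automatically send capabilities, so we treat it
                     * as optional.
                     */
                    int ch; /* int, not char: must be able to hold EOF */

                    /* wait and probe for possible auto-capability response */
                    usleep(250000);
                    prot_NONBLOCK(ret->in);
                    if ((ch = prot_getc(ret->in)) != EOF) {
                        prot_ungetc(ch, ret->in);
                    } else {
                        auto_capa = AUTO_CAPA_AUTH_NO;
                    }
                    prot_BLOCK(ret->in);
                }

                ask_capability(ret, /*dobanner*/0, auto_capa);
                new_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
                if (new_mechlist &&
                    old_mechlist &&
                    strcmp(new_mechlist, old_mechlist)) {
                    syslog(LOG_ERR, "possible MITM attack:"
                           "list of available SASL mechanisms changed");
                    free(new_mechlist);
                    free(old_mechlist);
                    goto error;
                }
                free(new_mechlist);
            }
            else if (prot->sasl_cmd.auto_capa == AUTO_CAPA_AUTH_OK) {
                /* try to get the capabilities from the AUTH success response */
                forget_capabilities(ret);
                parse_capability(ret, my_status);
                post_parse_capability(ret);
            }

            if (!(strcmp(prot->service, "imap") &&
                 (strcmp(prot->service, "pop3")))) {
                parse_sessionid(my_status, rsessionid);
                syslog(LOG_NOTICE, "proxy %s sessionid=<%s> remote=<%s>", userid, session_id(), rsessionid);
            }
        }

        if (auth_status) *auth_status = my_status;
        free(old_mechlist);
    }

    /* start compression if requested and both client/server support it */
    if (config_getswitch(IMAPOPT_PROXY_COMPRESS) && ret &&
        CAPA(ret, CAPA_COMPRESS) &&
        prot->compress_cmd.cmd &&
        do_compress(ret, &prot->compress_cmd)) {

        syslog(LOG_ERR, "couldn't enable compression on backend server");
        goto error;
    }

    return ret;

error:
    forget_capabilities(ret);
    if (ret->in) {
        prot_free(ret->in);
        ret->in = NULL;
    }
    if (ret->out) {
        prot_free(ret->out);
        ret->out = NULL;
    }
    if (sock >= 0)
        close(sock);
    if (ret->saslconn) {
        sasl_dispose(&ret->saslconn);
        ret->saslconn = NULL;
    }
    if (!ret_backend)
        free(ret);
    return NULL;
}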
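/*
 * Complete the login phase on an already-connected backend: read the
 * greeting (or parse capabilities out of it), ask for capabilities when
 * the banner did not carry them, authenticate through SASL unless
 * @noauth is set, and try to enable compression.
 *
 * @param ret          connected backend (in/out/prot must already be set)
 * @param userid       user to authenticate as
 * @param cb           SASL callbacks passed to backend_authenticate()
 * @param auth_status  if non-NULL, receives the server's auth response
 * @param noauth       non-zero to skip authentication (LMTP/CSYNC over
 *                     a UNIX socket)
 *
 * When a SASL security layer was negotiated, the advertised mechanism
 * list is re-read and compared with the pre-auth list; a difference is
 * logged as a possible MITM and treated as a login failure.  A failure
 * to enable compression is logged but not treated as an error.
 *
 * Returns: 0 on success; -1 if the protocol is not TYPE_STD, the
 * greeting cannot be read, authentication fails, or the mechanism list
 * changed.
 */
static int backend_login(struct backend *ret, const char *userid,
                         sasl_callback_t *cb, const char **auth_status,
                         int noauth)
{
    int r = 0;
    int ask = 1; /* should we explicitly ask for capabilities? */
    char buf[2048];
    struct protocol_t *prot = ret->prot;

    if (prot->type != TYPE_STD) return -1;

    if (prot->u.std.banner.auto_capa) {
        /* try to get the capabilities from the banner */
        r = ask_capability(ret, /*dobanner*/1, AUTO_CAPA_BANNER);
        if (r) {
            /* found capabilities in banner -> don't ask */
            ask = 0;
        }
    }
    else {
        size_t resplen = strlen(prot->u.std.banner.resp);

        do { /* read the initial greeting */
            if (!prot_fgets(buf, sizeof(buf), ret->in)) {
                syslog(LOG_ERR,
                       "backend_login(): couldn't read initial greeting: %s",
                       ret->in->error ? ret->in->error : "(null)");
                return -1;
            }
        } while (strncasecmp(buf, prot->u.std.banner.resp, resplen));
        xstrncpy(ret->banner, buf, 2048);
    }

    if (ask) {
        /* get the capabilities */
        ask_capability(ret, /*dobanner*/0, AUTO_CAPA_NO);
    }

    /* now need to authenticate to backend server,
       unless we're doing LMTP/CSYNC on a UNIX socket (deliver/sync_client) */
    if (!noauth) {
        char *old_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
        const char *my_status;

        if ((r = backend_authenticate(ret, userid, cb, &my_status))) {
            syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
                   sasl_errstring(r, NULL, NULL));
            free(old_mechlist);
            return -1;
        }
        else {
            const void *ssf = NULL;

            /* only dereference the SSF when the property was actually
             * returned; a failed sasl_getprop() leaves ssf unset */
            if (sasl_getprop(ret->saslconn, SASL_SSF, &ssf) == SASL_OK &&
                ssf && *((const sasl_ssf_t *) ssf)) {
                /* if we have a SASL security layer, compare SASL mech lists
                   before/after AUTH to check for a MITM attack */
                char *new_mechlist;
                int auto_capa = (prot->u.std.sasl_cmd.auto_capa == AUTO_CAPA_AUTH_SSF);

                if (!strcmp(prot->service, "sieve")) {
                    /* XXX  Hack to handle ManageSieve servers.
                     * No way to tell from protocol if server will
                     * automatically send capabilities, so we treat it
                     * as optional.
                     */
                    int ch; /* int, not char: must be able to hold EOF */

                    /* wait and probe for possible auto-capability response */
                    usleep(250000);
                    prot_NONBLOCK(ret->in);
                    if ((ch = prot_getc(ret->in)) != EOF) {
                        prot_ungetc(ch, ret->in);
                    } else {
                        auto_capa = AUTO_CAPA_AUTH_NO;
                    }
                    prot_BLOCK(ret->in);
                }

                ask_capability(ret, /*dobanner*/0, auto_capa);
                new_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
                if (new_mechlist &&
                    old_mechlist &&
                    strcmp(new_mechlist, old_mechlist)) {
                    syslog(LOG_ERR, "possible MITM attack:"
                           "list of available SASL mechanisms changed");
                    /* both lists are known non-NULL here */
                    free(new_mechlist);
                    free(old_mechlist);
                    return -1;
                }
                free(new_mechlist);
            }
            else if (prot->u.std.sasl_cmd.auto_capa == AUTO_CAPA_AUTH_OK) {
                /* try to get the capabilities from the AUTH success response */
                forget_capabilities(ret);
                parse_capability(ret, my_status);
                post_parse_capability(ret);
            }

            if (!(strcmp(prot->service, "imap") &&
                 (strcmp(prot->service, "pop3")))) {
                char rsessionid[MAX_SESSIONID_SIZE];
                parse_sessionid(my_status, rsessionid);
                syslog(LOG_NOTICE, "auditlog: proxy %s sessionid=<%s> remote=<%s>", userid, session_id(), rsessionid);
            }
        }

        if (auth_status) *auth_status = my_status;
        free(old_mechlist);
    }

    /* start compression if requested and both client/server support it */
    if (config_getswitch(IMAPOPT_PROXY_COMPRESS) &&
        CAPA(ret, CAPA_COMPRESS) &&
        prot->u.std.compress_cmd.cmd) {
        r = do_compress(ret, &prot->u.std.compress_cmd);
        if (r) {
            syslog(LOG_NOTICE, "couldn't enable compression on backend server: %s", error_message(r));
            r = 0; /* not a fail-level error */
        }
    }

    return 0;
}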
/*
 * Read the server's capabilities and parse them according to the
 * protocol_t, so that CAPA() and backend_get_cap_params() can see them.
 * Previously parsed capabilities are discarded first.
 *
 * The server may volunteer capabilities (in its greeting, or after
 * STARTTLS / AUTH); pass a non-zero @automatic in that case --
 * AUTO_CAPA_BANNER when the greeting itself is being parsed.  With
 * @automatic == 0 the protocol's capability command is sent first.
 *
 * With @dobanner set, the line that looks like the server greeting
 * (untagged and containing "server ready") is copied into s->banner.
 *
 * Only TYPE_STD protocols are handled.
 *
 * Returns: 1 if any capabilities were found, 0 otherwise (including
 * non-TYPE_STD protocols), or -1 if we were asked to request them and
 * the protocol has no capability command.
 */
static int ask_capability(struct backend *s, int dobanner, int automatic)
{
    struct protstream *pout = s->out, *pin = s->in;
    const struct protocol_t *prot = s->prot;
    const char *endmark;
    size_t endlen = 0;
    char line[4096];
    int found = 0;

    if (prot->type != TYPE_STD) return 0;

    if (automatic == AUTO_CAPA_BANNER)
        endmark = prot->u.std.banner.resp;
    else
        endmark = prot->u.std.capa_cmd.resp;
    if (endmark != NULL) endlen = strlen(endmark);

    if (automatic == 0) {
        const char *cmd = prot->u.std.capa_cmd.cmd;
        const char *arg = prot->u.std.capa_cmd.arg;

        /* nothing we can send: this protocol has no capability command */
        if (cmd == NULL) return -1;

        prot_printf(pout, "%s", cmd);
        if (arg != NULL) prot_printf(pout, " %s", arg);
        prot_printf(pout, "\r\n");
        prot_flush(pout);
    }

    forget_capabilities(s);

    for (;;) {
        if (prot_fgets(line, sizeof(line), pin) == NULL) break;

        found |= parse_capability(s, line);

        /* no terminator to wait for (IMAP banner): read until quiet */
        if (endmark == NULL) prot_NONBLOCK(pin);

        /* The banner is untagged and mentions "server ready".  The last
         * untagged line may instead be a fresh capability set (after
         * STARTTLS), and the very last line may be a tagged "ok
         * completed" -- neither of those is the banner. */
        if (dobanner && strncmp(line, "* ", 2) == 0 &&
            strstr(line, "server ready") != NULL) {
            xstrncpy(s->banner, line, sizeof(s->banner));
        }

        /* stop at the line that marks the end of the capabilities */
        if (endmark != NULL && strncasecmp(line, endmark, endlen) == 0) break;
    }

    prot_BLOCK(pin);
    post_parse_capability(s);
    return found;
}
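/*
 * Upgrade the HTTP request in @txn to a WebSocket channel.
 *
 * Validates the Sec-WebSocket-Version header (exactly one, equal to
 * WS_VERSION), the Sec-WebSocket-Protocol header when a @protocol is
 * required (it must appear in one of the comma-separated header values)
 * and, for HTTP/1.1, the Sec-WebSocket-Key header, from which the
 * Sec-WebSocket-Accept value is derived (SHA-1 over key + WS_GUID,
 * base64-encoded into txn->buf).  On success a wslay server context
 * and a struct ws_context are created and stored in txn->ws_ctx, the
 * log line prefix is prepared, the handshake response is sent (HTTP_OK
 * with chunked TE inside a session context, HTTP_SWITCH_PROT otherwise)
 * and the input stream is switched to non-blocking with prot-level
 * telemetry logging disabled.
 *
 * @param txn       the request being upgraded
 * @param protocol  required subprotocol name, or NULL to accept any
 * @param data_cb   callback invoked for each received message
 *
 * Returns: 0 on success; HTTP_BAD_REQUEST or HTTP_UPGRADE for a client
 * error (txn->error.desc describes it); HTTP_SERVER_ERROR if the wslay
 * context or the accept key cannot be created.
 */
HIDDEN int ws_start_channel(struct transaction_t *txn, const char *protocol,
                            int (*data_cb)(struct buf *inbuf, struct buf *outbuf,
                                           struct buf *logbuf, void **rock))
{
    int r;
    const char **hdr, *accept = NULL;
    wslay_event_context_ptr ev;
    struct ws_context *ctx;
    struct wslay_event_callbacks callbacks = {
        recv_cb,
        send_cb,
        NULL,
        NULL,
        NULL,
        NULL,
        on_msg_recv_cb
    };

    /* Check for supported WebSocket version */
    hdr = spool_getheader(txn->req_hdrs, "Sec-WebSocket-Version");
    if (!hdr) {
        txn->error.desc = "Missing WebSocket version";
        return HTTP_BAD_REQUEST;
    }
    else if (hdr[1]) {
        txn->error.desc = "Multiple WebSocket versions";
        return HTTP_BAD_REQUEST;
    }
    else if (strcmp(hdr[0], WS_VERSION)) {
        txn->error.desc = "Unsupported WebSocket version";
        return HTTP_UPGRADE;
    }

    if (protocol) {
        /* Check for supported WebSocket subprotocol */
        int i, found = 0;

        hdr = spool_getheader(txn->req_hdrs, "Sec-WebSocket-Protocol");
        if (!hdr) {
            txn->error.desc = "Missing WebSocket protocol";
            return HTTP_BAD_REQUEST;
        }

        /* each header instance may hold a comma-separated list */
        for (i = 0; !found && hdr[i]; i++) {
            tok_t tok = TOK_INITIALIZER(hdr[i], ",", TOK_TRIMLEFT|TOK_TRIMRIGHT);
            char *token;

            while ((token = tok_next(&tok))) {
                if (!strcmp(token, protocol)) {
                    found = 1;
                    break;
                }
            }
            tok_fini(&tok);
        }
        if (!found) {
            txn->error.desc = "Unsupported WebSocket protocol";
            return HTTP_BAD_REQUEST;
        }
    }

    if (txn->flags.ver == VER_1_1) {
        unsigned char sha1buf[SHA1_DIGEST_LENGTH];

        /* Check for WebSocket client key */
        hdr = spool_getheader(txn->req_hdrs, "Sec-WebSocket-Key");
        if (!hdr) {
            txn->error.desc = "Missing WebSocket client key";
            return HTTP_BAD_REQUEST;
        }
        else if (hdr[1]) {
            txn->error.desc = "Multiple WebSocket client keys";
            return HTTP_BAD_REQUEST;
        }
        else if (strlen(hdr[0]) != WS_CKEY_LEN) {
            txn->error.desc = "Invalid WebSocket client key";
            return HTTP_BAD_REQUEST;
        }

        /* Create WebSocket accept key */
        buf_setcstr(&txn->buf, hdr[0]);
        buf_appendcstr(&txn->buf, WS_GUID);
        xsha1((u_char *) buf_base(&txn->buf), buf_len(&txn->buf), sha1buf);

        /* the digest is done, so txn->buf can now be reused for the
         * base64 output; take the base pointer after buf_ensure() */
        buf_ensure(&txn->buf, WS_AKEY_LEN+1);
        accept = buf_base(&txn->buf);

        r = sasl_encode64((char *) sha1buf, SHA1_DIGEST_LENGTH,
                          (char *) accept, WS_AKEY_LEN+1, NULL);
        if (r != SASL_OK) {
            /* without a valid accept key the handshake cannot succeed;
             * don't carry on with the unencoded buffer as the key */
            syslog(LOG_WARNING, "sasl_encode64: %d", r);
            return HTTP_SERVER_ERROR;
        }
    }

    /* Create server context */
    r = wslay_event_context_server_init(&ev, &callbacks, txn);
    if (r) {
        syslog(LOG_WARNING,
               "wslay_event_context_init: %s", wslay_strerror(r));
        return HTTP_SERVER_ERROR;
    }

    /* Create channel context */
    ctx = xzmalloc(sizeof(struct ws_context));
    ctx->event = ev;
    ctx->accept = accept;
    ctx->protocol = protocol;
    ctx->data_cb = data_cb;
    txn->ws_ctx = ctx;

    /* Check for supported WebSocket extensions */
    parse_extensions(txn);

    /* Prepare log buffer */

    /* Add client data */
    buf_printf(&ctx->log, "%s", txn->conn->clienthost);
    if (httpd_userid) buf_printf(&ctx->log, " as \"%s\"", httpd_userid);
    if ((hdr = spool_getheader(txn->req_hdrs, "User-Agent"))) {
        buf_printf(&ctx->log, " with \"%s\"", hdr[0]);
        if ((hdr = spool_getheader(txn->req_hdrs, "X-Client")))
            buf_printf(&ctx->log, " by \"%s\"", hdr[0]);
        else if ((hdr = spool_getheader(txn->req_hdrs, "X-Requested-With")))
            buf_printf(&ctx->log, " by \"%s\"", hdr[0]);
    }

    /* Add request-line */
    buf_printf(&ctx->log, "; \"WebSocket/%s via %s\"",
               protocol ? protocol : "echo" , txn->req_line.ver);
    ctx->log_tail = buf_len(&ctx->log);

    /* Tell client that WebSocket negotiation has succeeded */
    if (txn->conn->sess_ctx) {
        /* Treat WS data as chunked response */
        txn->flags.te = TE_CHUNKED;

        response_header(HTTP_OK, txn);

        /* Force the response to the client immediately */
        prot_flush(httpd_out);
    }
    else response_header(HTTP_SWITCH_PROT, txn);

    /* Set connection as non-blocking */
    prot_NONBLOCK(txn->conn->pin);

    /* Don't do telemetry logging in prot layer */
    prot_setlog(txn->conn->pin, PROT_NO_FD);
    prot_setlog(txn->conn->pout, PROT_NO_FD);

    return 0;
}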