static void proxy_input(struct client *client)
{
struct istream *input;
struct ostream *output;
const char *line;
unsigned int duration;
if (client->login_proxy == NULL) {
/* we're just freeing the proxy */
return;
}
input = login_proxy_get_istream(client->login_proxy);
if (input == NULL) {
if (client->destroyed) {
/* we came here from client_destroy() */
return;
}
/* failed for some reason, probably server disconnected */
client_proxy_failed(client, TRUE);
return;
}
i_assert(!client->destroyed);
switch (i_stream_read(input)) {
case -2:
client_log_err(client, "proxy: Remote input buffer full");
client_proxy_failed(client, TRUE);
return;
case -1:
line = i_stream_next_line(input);
duration = ioloop_time - client->created;
client_log_err(client, t_strdup_printf(
"proxy: Remote %s:%u disconnected: %s "
"(state=%u, duration=%us)%s",
login_proxy_get_host(client->login_proxy),
login_proxy_get_port(client->login_proxy),
get_disconnect_reason(input),
client->proxy_state, duration,
line == NULL ? "" : t_strdup_printf(
" - BUG: line not read: %s", line)));
client_proxy_failed(client, TRUE);
return;
}
output = client->output;
o_stream_ref(output);
o_stream_cork(output);
while ((line = i_stream_next_line(input)) != NULL) {
if (client->v.proxy_parse_line(client, line) != 0)
break;
}
o_stream_uncork(output);
o_stream_unref(&output);
}
int pop3_proxy_parse_line(struct client *client, const char *line)
{
struct pop3_client *pop3_client = (struct pop3_client *)client;
struct ostream *output;
enum login_proxy_ssl_flags ssl_flags;
string_t *str;
i_assert(!client->destroyed);
output = login_proxy_get_ostream(client->login_proxy);
switch (client->proxy_state) {
case POP3_PROXY_BANNER:
/* this is a banner */
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote returned invalid banner: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
ssl_flags = login_proxy_get_ssl_flags(client->login_proxy);
if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) == 0) {
proxy_send_login(pop3_client, output);
} else {
(void)o_stream_send_str(output, "STLS\r\n");
client->proxy_state = POP3_PROXY_STARTTLS;
}
return 0;
case POP3_PROXY_STARTTLS:
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote STLS failed: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
if (login_proxy_starttls(client->login_proxy) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
/* i/ostreams changed. */
output = login_proxy_get_ostream(client->login_proxy);
proxy_send_login(pop3_client, output);
return 1;
case POP3_PROXY_LOGIN1:
str = t_str_new(128);
if (client->proxy_master_user == NULL) {
if (strncmp(line, "+OK", 3) != 0)
break;
/* USER successful, send PASS */
str_append(str, "PASS ");
str_append(str, client->proxy_password);
str_append(str, "\r\n");
} else {
if (*line != '+')
break;
/* AUTH successful, send the authentication data */
get_plain_auth(client, str);
str_append(str, "\r\n");
}
(void)o_stream_send(output, str_data(str), str_len(str));
proxy_free_password(client);
client->proxy_state = POP3_PROXY_LOGIN2;
return 0;
case POP3_PROXY_LOGIN2:
if (strncmp(line, "+OK", 3) != 0)
break;
/* Login successful. Send this line to client. */
line = t_strconcat(line, "\r\n", NULL);
(void)o_stream_send_str(client->output, line);
client_proxy_finish_destroy_client(client);
return 1;
}
/* Login failed. Pass through the error message to client.
If the backend server isn't Dovecot, the error message may
be different from Dovecot's "user doesn't exist" error. This
would allow an attacker to find out what users exist in the
system.
The optimal way to handle this would be to replace the
backend's "password failed" error message with Dovecot's
AUTH_FAILED_MSG, but this would require a new setting and
the sysadmin to actually bother setting it properly.
So for now we'll just forward the error message. This
shouldn't be a real problem since of course everyone will
be using only Dovecot as their backend :) */
if (strncmp(line, "-ERR ", 5) != 0) {
client_send_line(client, CLIENT_CMD_REPLY_AUTH_FAILED,
AUTH_FAILED_MSG);
} else {
client_send_raw(client, t_strconcat(line, "\r\n", NULL));
}
if (client->set->verbose_auth) {
if (strncmp(line, "-ERR ", 5) == 0)
line += 5;
client_proxy_log_failure(client, line);
}
client_proxy_failed(client, FALSE);
return -1;
}
int imap_proxy_parse_line(struct client *client, const char *line)
{
struct imap_client *imap_client = (struct imap_client *)client;
struct ostream *output;
string_t *str;
const unsigned char *data;
unsigned int data_len;
const char *error;
int ret;
i_assert(!client->destroyed);
output = login_proxy_get_ostream(client->login_proxy);
if (!imap_client->proxy_seen_banner) {
/* this is a banner */
client->proxy_state = IMAP_PROXY_STATE_BANNER;
imap_client->proxy_seen_banner = TRUE;
if (proxy_input_banner(imap_client, output, line) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
return 0;
} else if (*line == '+') {
/* AUTHENTICATE started. finish it. */
if (client->proxy_sasl_client == NULL) {
/* used literals with LOGIN command, just ignore. */
return 0;
}
client->proxy_state = IMAP_PROXY_STATE_AUTH_CONTINUE;
str = t_str_new(128);
if (line[1] != ' ' ||
base64_decode(line+2, strlen(line+2), NULL, str) < 0) {
client_log_err(client,
"proxy: Server sent invalid base64 data in AUTHENTICATE response");
client_proxy_failed(client, TRUE);
return -1;
}
ret = dsasl_client_input(client->proxy_sasl_client,
str_data(str), str_len(str), &error);
if (ret == 0) {
ret = dsasl_client_output(client->proxy_sasl_client,
&data, &data_len, &error);
}
if (ret < 0) {
client_log_err(client, t_strdup_printf(
"proxy: Server sent invalid authentication data: %s",
error));
client_proxy_failed(client, TRUE);
return -1;
}
i_assert(ret == 0);
str_truncate(str, 0);
base64_encode(data, data_len, str);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
return 0;
} else if (strncmp(line, "S ", 2) == 0) {
if (strncmp(line, "S OK ", 5) != 0) {
/* STARTTLS failed */
client_log_err(client, t_strdup_printf(
"proxy: Remote STARTTLS failed: %s",
str_sanitize(line + 5, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
/* STARTTLS successful, begin TLS negotiation. */
client->proxy_state = IMAP_PROXY_STATE_STARTTLS;
if (login_proxy_starttls(client->login_proxy) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
/* i/ostreams changed. */
output = login_proxy_get_ostream(client->login_proxy);
str = t_str_new(128);
if (proxy_write_login(imap_client, str) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
o_stream_nsend(output, str_data(str), str_len(str));
return 1;
} else if (strncmp(line, "L OK ", 5) == 0) {
/* Login successful. Send this line to client. */
client->proxy_state = IMAP_PROXY_STATE_LOGIN;
str = t_str_new(128);
client_send_login_reply(imap_client, str, line + 5);
o_stream_nsend(client->output, str_data(str), str_len(str));
(void)client_skip_line(imap_client);
client_proxy_finish_destroy_client(client);
return 1;
} else if (strncmp(line, "L ", 2) == 0) {
line += 2;
if (client->set->auth_verbose) {
const char *log_line = line;
if (strncasecmp(log_line, "NO ", 3) == 0)
log_line += 3;
client_proxy_log_failure(client, log_line);
}
#define STR_NO_IMAP_RESP_CODE_AUTHFAILED "NO ["IMAP_RESP_CODE_AUTHFAILED"]"
if (strncmp(line, STR_NO_IMAP_RESP_CODE_AUTHFAILED,
strlen(STR_NO_IMAP_RESP_CODE_AUTHFAILED)) == 0) {
/* the remote sent a generic "authentication failed"
error. replace it with our one, so that in case
the remote is sending a different error message
an attacker can't find out what users exist in
the system. */
client_send_reply_code(client, IMAP_CMD_REPLY_NO,
IMAP_RESP_CODE_AUTHFAILED,
AUTH_FAILED_MSG);
} else if (strncmp(line, "NO [", 4) == 0) {
/* remote sent some other resp-code. forward it. */
client_send_raw(client, t_strconcat(
imap_client->cmd_tag, " ", line, "\r\n", NULL));
} else {
/* there was no [resp-code], so remote isn't Dovecot
v1.2+. we could either forward the line as-is and
leak information about what users exist in this
system, or we could hide other errors than password
failures. since other errors are pretty rare,
it's safer to just hide them. they're still
available in logs though. */
client_send_reply_code(client, IMAP_CMD_REPLY_NO,
IMAP_RESP_CODE_AUTHFAILED,
AUTH_FAILED_MSG);
}
client->proxy_auth_failed = TRUE;
client_proxy_failed(client, FALSE);
return -1;
} else if (strncasecmp(line, "* CAPABILITY ", 13) == 0) {
i_free(imap_client->proxy_backend_capability);
imap_client->proxy_backend_capability = i_strdup(line + 13);
return 0;
} else if (strncmp(line, "C ", 2) == 0) {
/* Reply to CAPABILITY command we sent */
client->proxy_state = IMAP_PROXY_STATE_CAPABILITY;
if (strncmp(line, "C OK ", 5) == 0 &&
client->proxy_password != NULL) {
/* pipelining was disabled, send the login now. */
str = t_str_new(128);
if (proxy_write_login(imap_client, str) < 0)
return -1;
o_stream_nsend(output, str_data(str), str_len(str));
return 1;
}
return 0;
} else if (strncasecmp(line, "I ", 2) == 0) {
/* Reply to ID command we sent, ignore it unless
pipelining is disabled, in which case send
either STARTTLS or login */
client->proxy_state = IMAP_PROXY_STATE_ID;
if (client->proxy_nopipelining) {
str = t_str_new(128);
if ((ret = proxy_write_starttls(imap_client, str)) < 0) {
return -1;
} else if (ret == 0) {
if (proxy_write_login(imap_client, str) < 0)
return -1;
}
o_stream_nsend(output, str_data(str), str_len(str));
return 1;
}
return 0;
} else if (strncasecmp(line, "* ID ", 5) == 0) {
/* Reply to ID command we sent, ignore it */
return 0;
} else if (strncmp(line, "* ", 2) == 0) {
/* untagged reply. just forward it. */
client_send_raw(client, t_strconcat(line, "\r\n", NULL));
return 0;
} else {
/* tagged reply, shouldn't happen. */
client_log_err(client, t_strdup_printf(
"proxy: Unexpected input, ignoring: %s",
str_sanitize(line, 160)));
return 0;
}
}
int pop3_proxy_parse_line(struct client *client, const char *line)
{
struct pop3_client *pop3_client = (struct pop3_client *)client;
struct ostream *output;
enum login_proxy_ssl_flags ssl_flags;
i_assert(!client->destroyed);
output = login_proxy_get_ostream(client->login_proxy);
switch (pop3_client->proxy_state) {
case POP3_PROXY_BANNER:
/* this is a banner */
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote returned invalid banner: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
pop3_client->proxy_xclient =
strncmp(line+3, " [XCLIENT]", 10) == 0;
ssl_flags = login_proxy_get_ssl_flags(client->login_proxy);
if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) == 0) {
if (proxy_send_login(pop3_client, output) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
} else {
o_stream_nsend_str(output, "STLS\r\n");
pop3_client->proxy_state = POP3_PROXY_STARTTLS;
}
return 0;
case POP3_PROXY_STARTTLS:
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote STLS failed: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
if (login_proxy_starttls(client->login_proxy) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
/* i/ostreams changed. */
output = login_proxy_get_ostream(client->login_proxy);
if (proxy_send_login(pop3_client, output) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
return 1;
case POP3_PROXY_XCLIENT:
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote XCLIENT failed: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
pop3_client->proxy_state = client->proxy_sasl_client == NULL ?
POP3_PROXY_LOGIN1 : POP3_PROXY_LOGIN2;
return 0;
case POP3_PROXY_LOGIN1:
i_assert(client->proxy_sasl_client == NULL);
if (strncmp(line, "+OK", 3) != 0)
break;
/* USER successful, send PASS */
o_stream_nsend_str(output, t_strdup_printf(
"PASS %s\r\n", client->proxy_password));
proxy_free_password(client);
pop3_client->proxy_state = POP3_PROXY_LOGIN2;
return 0;
case POP3_PROXY_LOGIN2:
if (strncmp(line, "+ ", 2) == 0 &&
client->proxy_sasl_client != NULL) {
/* continue SASL authentication */
if (pop3_proxy_continue_sasl_auth(client, output,
line+2) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
return 0;
}
if (strncmp(line, "+OK", 3) != 0)
break;
/* Login successful. Send this line to client. */
line = t_strconcat(line, "\r\n", NULL);
o_stream_nsend_str(client->output, line);
client_proxy_finish_destroy_client(client);
return 1;
case POP3_PROXY_STATE_COUNT:
i_unreached();
}
/* Login failed. Pass through the error message to client.
If the backend server isn't Dovecot, the error message may
be different from Dovecot's "user doesn't exist" error. This
would allow an attacker to find out what users exist in the
system.
The optimal way to handle this would be to replace the
backend's "password failed" error message with Dovecot's
AUTH_FAILED_MSG, but this would require a new setting and
the sysadmin to actually bother setting it properly.
So for now we'll just forward the error message. This
shouldn't be a real problem since of course everyone will
be using only Dovecot as their backend :) */
if (strncmp(line, "-ERR ", 5) != 0) {
client_send_reply(client, POP3_CMD_REPLY_ERROR,
AUTH_FAILED_MSG);
} else {
client_send_raw(client, t_strconcat(line, "\r\n", NULL));
}
if (client->set->auth_verbose) {
if (strncmp(line, "-ERR ", 5) == 0)
line += 5;
client_proxy_log_failure(client, line);
}
client->proxy_auth_failed = TRUE;
client_proxy_failed(client, FALSE);
return -1;
}
