static bool client_handle_next_command(struct client *client, bool *remove_io_r) { *remove_io_r = FALSE; if (client->input_lock != NULL) { if (client->input_lock->state == CLIENT_COMMAND_STATE_WAIT_UNAMBIGUITY) { *remove_io_r = TRUE; return FALSE; } return client_command_input(client->input_lock); } if (client->input_skip_line) { /* first eat the previous command line */ if (!client_skip_line(client)) return FALSE; client->input_skip_line = FALSE; } /* don't bother creating a new client command before there's at least some input */ if (i_stream_get_data_size(client->input) == 0) return FALSE; /* beginning a new command */ if (client->command_queue_size >= CLIENT_COMMAND_QUEUE_MAX_SIZE || client->output_cmd_lock != NULL) { /* wait for some of the commands to finish */ *remove_io_r = TRUE; return FALSE; } client->input_lock = client_command_new(client); return client_command_input(client->input_lock); }
int imap_proxy_parse_line(struct client *client, const char *line) { struct imap_client *imap_client = (struct imap_client *)client; struct ostream *output; string_t *str; const unsigned char *data; unsigned int data_len; const char *error; int ret; i_assert(!client->destroyed); output = login_proxy_get_ostream(client->login_proxy); if (!imap_client->proxy_seen_banner) { /* this is a banner */ client->proxy_state = IMAP_PROXY_STATE_BANNER; imap_client->proxy_seen_banner = TRUE; if (proxy_input_banner(imap_client, output, line) < 0) { client_proxy_failed(client, TRUE); return -1; } return 0; } else if (*line == '+') { /* AUTHENTICATE started. finish it. */ if (client->proxy_sasl_client == NULL) { /* used literals with LOGIN command, just ignore. */ return 0; } client->proxy_state = IMAP_PROXY_STATE_AUTH_CONTINUE; str = t_str_new(128); if (line[1] != ' ' || base64_decode(line+2, strlen(line+2), NULL, str) < 0) { client_log_err(client, "proxy: Server sent invalid base64 data in AUTHENTICATE response"); client_proxy_failed(client, TRUE); return -1; } ret = dsasl_client_input(client->proxy_sasl_client, str_data(str), str_len(str), &error); if (ret == 0) { ret = dsasl_client_output(client->proxy_sasl_client, &data, &data_len, &error); } if (ret < 0) { client_log_err(client, t_strdup_printf( "proxy: Server sent invalid authentication data: %s", error)); client_proxy_failed(client, TRUE); return -1; } i_assert(ret == 0); str_truncate(str, 0); base64_encode(data, data_len, str); str_append(str, "\r\n"); o_stream_nsend(output, str_data(str), str_len(str)); return 0; } else if (strncmp(line, "S ", 2) == 0) { if (strncmp(line, "S OK ", 5) != 0) { /* STARTTLS failed */ client_log_err(client, t_strdup_printf( "proxy: Remote STARTTLS failed: %s", str_sanitize(line + 5, 160))); client_proxy_failed(client, TRUE); return -1; } /* STARTTLS successful, begin TLS negotiation. */ client->proxy_state = IMAP_PROXY_STATE_STARTTLS; if (login_proxy_starttls(client->login_proxy) < 0) { client_proxy_failed(client, TRUE); return -1; } /* i/ostreams changed. */ output = login_proxy_get_ostream(client->login_proxy); str = t_str_new(128); if (proxy_write_login(imap_client, str) < 0) { client_proxy_failed(client, TRUE); return -1; } o_stream_nsend(output, str_data(str), str_len(str)); return 1; } else if (strncmp(line, "L OK ", 5) == 0) { /* Login successful. Send this line to client. */ client->proxy_state = IMAP_PROXY_STATE_LOGIN; str = t_str_new(128); client_send_login_reply(imap_client, str, line + 5); o_stream_nsend(client->output, str_data(str), str_len(str)); (void)client_skip_line(imap_client); client_proxy_finish_destroy_client(client); return 1; } else if (strncmp(line, "L ", 2) == 0) { line += 2; if (client->set->auth_verbose) { const char *log_line = line; if (strncasecmp(log_line, "NO ", 3) == 0) log_line += 3; client_proxy_log_failure(client, log_line); } #define STR_NO_IMAP_RESP_CODE_AUTHFAILED "NO ["IMAP_RESP_CODE_AUTHFAILED"]" if (strncmp(line, STR_NO_IMAP_RESP_CODE_AUTHFAILED, strlen(STR_NO_IMAP_RESP_CODE_AUTHFAILED)) == 0) { /* the remote sent a generic "authentication failed" error. replace it with our one, so that in case the remote is sending a different error message an attacker can't find out what users exist in the system. */ client_send_reply_code(client, IMAP_CMD_REPLY_NO, IMAP_RESP_CODE_AUTHFAILED, AUTH_FAILED_MSG); } else if (strncmp(line, "NO [", 4) == 0) { /* remote sent some other resp-code. forward it. */ client_send_raw(client, t_strconcat( imap_client->cmd_tag, " ", line, "\r\n", NULL)); } else { /* there was no [resp-code], so remote isn't Dovecot v1.2+. we could either forward the line as-is and leak information about what users exist in this system, or we could hide other errors than password failures. since other errors are pretty rare, it's safer to just hide them. they're still available in logs though. */ client_send_reply_code(client, IMAP_CMD_REPLY_NO, IMAP_RESP_CODE_AUTHFAILED, AUTH_FAILED_MSG); } client->proxy_auth_failed = TRUE; client_proxy_failed(client, FALSE); return -1; } else if (strncasecmp(line, "* CAPABILITY ", 13) == 0) { i_free(imap_client->proxy_backend_capability); imap_client->proxy_backend_capability = i_strdup(line + 13); return 0; } else if (strncmp(line, "C ", 2) == 0) { /* Reply to CAPABILITY command we sent */ client->proxy_state = IMAP_PROXY_STATE_CAPABILITY; if (strncmp(line, "C OK ", 5) == 0 && client->proxy_password != NULL) { /* pipelining was disabled, send the login now. */ str = t_str_new(128); if (proxy_write_login(imap_client, str) < 0) return -1; o_stream_nsend(output, str_data(str), str_len(str)); return 1; } return 0; } else if (strncasecmp(line, "I ", 2) == 0) { /* Reply to ID command we sent, ignore it unless pipelining is disabled, in which case send either STARTTLS or login */ client->proxy_state = IMAP_PROXY_STATE_ID; if (client->proxy_nopipelining) { str = t_str_new(128); if ((ret = proxy_write_starttls(imap_client, str)) < 0) { return -1; } else if (ret == 0) { if (proxy_write_login(imap_client, str) < 0) return -1; } o_stream_nsend(output, str_data(str), str_len(str)); return 1; } return 0; } else if (strncasecmp(line, "* ID ", 5) == 0) { /* Reply to ID command we sent, ignore it */ return 0; } else if (strncmp(line, "* ", 2) == 0) { /* untagged reply. just forward it. */ client_send_raw(client, t_strconcat(line, "\r\n", NULL)); return 0; } else { /* tagged reply, shouldn't happen. */ client_log_err(client, t_strdup_printf( "proxy: Unexpected input, ignoring: %s", str_sanitize(line, 160))); return 0; } }
static bool cmd_compress(struct client_command_context *cmd) { struct client *client = cmd->client; struct zlib_client *zclient = IMAP_ZLIB_IMAP_CONTEXT(client); const struct compression_handler *handler; const struct imap_arg *args; struct istream *old_input; struct ostream *old_output; const char *mechanism, *value; unsigned int level; /* <mechanism> */ if (!client_read_args(cmd, 0, 0, &args)) return FALSE; if (!imap_arg_get_atom(args, &mechanism) || !IMAP_ARG_IS_EOL(&args[1])) { client_send_command_error(cmd, "Invalid arguments."); return TRUE; } if (zclient->handler != NULL) { client_send_tagline(cmd, t_strdup_printf( "NO [COMPRESSIONACTIVE] COMPRESSION=%s already enabled.", t_str_ucase(zclient->handler->name))); return TRUE; } if (client->tls_compression) { client_send_tagline(cmd, "NO [COMPRESSIONACTIVE] TLS compression already enabled."); return TRUE; } handler = compression_lookup_handler(t_str_lcase(mechanism)); if (handler == NULL || handler->create_istream == NULL) { client_send_tagline(cmd, "NO Unknown compression mechanism."); return TRUE; } client_skip_line(client); client_send_tagline(cmd, "OK Begin compression."); value = mail_user_plugin_getenv(client->user, "imap_zlib_compress_level"); if (value == NULL || str_to_uint(value, &level) < 0 || level <= 0 || level > 9) level = IMAP_COMPRESS_DEFAULT_LEVEL; old_input = client->input; old_output = client->output; client->input = handler->create_istream(old_input, FALSE); client->output = handler->create_ostream(old_output, level); /* preserve output offset so that the bytes out counter in logout message doesn't get reset here */ client->output->offset = old_output->offset; i_stream_unref(&old_input); o_stream_unref(&old_output); client_update_imap_parser_streams(client); zclient->handler = handler; return TRUE; }