summaryrefslogtreecommitdiffstats
path: root/src/lib-smtp/smtp-server-cmd-auth.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib-smtp/smtp-server-cmd-auth.c242
1 files changed, 242 insertions, 0 deletions
diff --git a/src/lib-smtp/smtp-server-cmd-auth.c b/src/lib-smtp/smtp-server-cmd-auth.c
new file mode 100644
index 0000000..841e186
--- /dev/null
+++ b/src/lib-smtp/smtp-server-cmd-auth.c
@@ -0,0 +1,242 @@
+/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "istream.h"
+#include "smtp-syntax.h"
+#include "smtp-command-parser.h"
+
+#include "smtp-server-private.h"
+
+/* AUTH command (RFC 4954) */
+
+
+static bool
+cmd_auth_check_state(struct smtp_server_cmd_ctx *cmd)
+{
+ struct smtp_server_connection *conn = cmd->conn;
+
+ /* RFC 4954, Section 4:
+ After an AUTH command has been successfully completed, no more
+ AUTH commands may be issued in the same session. After a
+ successful AUTH command completes, a server MUST reject any
+ further AUTH commands with a 503 reply. */
+ if (conn->authenticated) {
+ smtp_server_reply(cmd,
+ 503, "5.5.0", "Already authenticated");
+ return FALSE;
+ }
+
+ /* RFC 4954, Section 4:
+ The AUTH command is not permitted during a mail transaction.
+ An AUTH command issued during a mail transaction MUST be
+ rejected with a 503 reply. */
+ if (conn->state.trans != NULL) {
+ smtp_server_reply(cmd, 503, "5.5.0",
+ "Authentication not permitted during a mail transaction");
+ return FALSE;
+ }
+ return TRUE;
+}
+
+void smtp_server_cmd_auth_success(struct smtp_server_cmd_ctx *cmd,
+ const char *username, const char *success_msg)
+{
+ cmd->conn->username = i_strdup(username);
+
+ smtp_server_reply(cmd, 235, "2.7.0", "%s",
+ (success_msg == NULL ? "Logged in." : success_msg));
+}
+
+static void
+cmd_auth_completed(struct smtp_server_cmd_ctx *cmd,
+ struct smtp_server_cmd_auth *data ATTR_UNUSED)
+{
+ struct smtp_server_connection *conn = cmd->conn;
+ struct smtp_server_command *command = cmd->cmd;
+
+ i_assert(smtp_server_command_is_replied(command));
+ if (smtp_server_command_replied_success(command)) {
+ /* only one valid success status for AUTH command */
+ i_assert(smtp_server_command_reply_status_equals(command, 235));
+ conn->authenticated = TRUE;
+ }
+}
+
+static void cmd_auth_input(struct smtp_server_cmd_ctx *cmd)
+{
+ struct smtp_server_connection *conn = cmd->conn;
+ const struct smtp_server_callbacks *callbacks = conn->callbacks;
+ struct smtp_server_command *command = cmd->cmd;
+ enum smtp_command_parse_error error_code;
+ const char *auth_response, *error;
+ int ret;
+
+ /* parse response */
+ if ((ret=smtp_command_parse_auth_response(conn->smtp_parser,
+ &auth_response, &error_code, &error)) <= 0) {
+ /* check for disconnect */
+ if (conn->conn.input->eof) {
+ smtp_server_connection_close(&conn,
+ i_stream_get_disconnect_reason(conn->conn.input));
+ return;
+ }
+ /* handle syntax error */
+ if (ret < 0) {
+ e_debug(conn->event,
+ "Client sent invalid AUTH response: %s", error);
+
+ smtp_server_command_input_lock(cmd);
+ switch (error_code) {
+ case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND:
+ conn->input_broken = TRUE;
+ /* fall through */
+ case SMTP_COMMAND_PARSE_ERROR_BAD_COMMAND:
+ smtp_server_reply(cmd, 500, "5.5.2",
+ "Invalid AUTH response syntax");
+ break;
+ case SMTP_COMMAND_PARSE_ERROR_LINE_TOO_LONG:
+ smtp_server_reply(cmd, 500, "5.5.2",
+ "Line too long");
+ break;
+ default:
+ i_unreached();
+ }
+ }
+ if (conn->input_broken || conn->closing)
+ smtp_server_connection_input_halt(conn);
+ return;
+ }
+
+ e_debug(conn->event, "Received AUTH response: %s", auth_response);
+
+ smtp_server_command_input_lock(cmd);
+
+ /* continue authentication */
+ smtp_server_command_ref(command);
+ i_assert(callbacks != NULL &&
+ callbacks->conn_cmd_auth_continue != NULL);
+ if ((ret=callbacks->conn_cmd_auth_continue(conn->context,
+ cmd, auth_response)) <= 0) {
+ /* command is waiting for external event or it failed */
+ i_assert(ret == 0 || smtp_server_command_is_replied(command));
+ smtp_server_command_unref(&command);
+ return;
+ }
+ if (!smtp_server_command_is_replied(command)) {
+ /* set generic AUTH success reply if none is provided */
+ smtp_server_reply(cmd, 235, "2.7.0", "Logged in.");
+ }
+ conn->authenticated = TRUE;
+ smtp_server_command_unref(&command);
+}
+
+void smtp_server_cmd_auth_send_challenge(struct smtp_server_cmd_ctx *cmd,
+ const char *challenge)
+{
+ struct smtp_server_connection *conn = cmd->conn;
+ struct smtp_server_command *command = cmd->cmd;
+
+ i_assert(command->prev == NULL &&
+ command->reg->func == smtp_server_cmd_auth);
+
+ smtp_server_connection_reply_immediate(conn, 334, "%s", challenge);
+ smtp_server_connection_timeout_reset(conn);
+
+ /* start AUTH-specific input handling */
+ smtp_server_command_input_capture(cmd, cmd_auth_input);
+}
+
+static void
+cmd_auth_start(struct smtp_server_cmd_ctx *cmd,
+ struct smtp_server_cmd_auth *data)
+{
+ struct smtp_server_connection *conn = cmd->conn;
+ struct smtp_server_command *command = cmd->cmd;
+ const struct smtp_server_callbacks *callbacks = conn->callbacks;
+ int ret;
+
+ /* all preceeding commands have finished and now the transaction state
+ is clear. This provides the opportunity to re-check the protocol
+ state */
+ if (!cmd_auth_check_state(cmd))
+ return;
+
+ /* advance state */
+ smtp_server_connection_set_state(conn, SMTP_SERVER_STATE_AUTH, NULL);
+
+ smtp_server_command_ref(command);
+ i_assert(callbacks != NULL && callbacks->conn_cmd_auth != NULL);
+
+ /* specific implementation of AUTH command */
+ ret = callbacks->conn_cmd_auth(conn->context, cmd, data);
+ i_assert(ret == 0 || smtp_server_command_is_replied(command));
+
+ if (ret == 0)
+ smtp_server_connection_timeout_stop(conn);
+
+ smtp_server_command_unref(&command);
+ return;
+}
+
+void smtp_server_cmd_auth(struct smtp_server_cmd_ctx *cmd,
+ const char *params)
+{
+ struct smtp_server_connection *conn = cmd->conn;
+ struct smtp_server_command *command = cmd->cmd;
+ struct smtp_server_cmd_auth *auth_data;
+ const char *sasl_mech, *initial_response;
+ const char *const *argv;
+ int ret = 1;
+
+ if ((conn->set.capabilities & SMTP_CAPABILITY_AUTH) == 0) {
+ smtp_server_reply(cmd,
+ 502, "5.5.1", "Unsupported command");
+ return;
+ }
+
+ /* RFC 4954, Section 8:
+
+ auth-command = "AUTH" SP sasl-mech [SP initial-response]
+ *(CRLF [base64]) [CRLF cancel-response]
+ CRLF
+ ;; <sasl-mech> is defined in [SASL]
+
+ initial-response = base64 / "="
+ */
+ argv = t_strsplit(params, " ");
+ initial_response = sasl_mech = NULL;
+ if (argv[0] == NULL) {
+ smtp_server_reply(cmd,
+ 501, "5.5.4", "Missing SASL mechanism parameter");
+ ret = -1;
+ } else {
+ sasl_mech = argv[0];
+
+ if (argv[1] != NULL) {
+ if (argv[2] != NULL) {
+ smtp_server_reply(cmd,
+ 501, "5.5.4", "Invalid parameters");
+ ret = -1;
+ } else {
+ initial_response = argv[1];
+ }
+ }
+ }
+ if (ret < 0)
+ return;
+
+ /* check protocol state */
+ if (!cmd_auth_check_state(cmd))
+ return;
+
+ smtp_server_command_input_lock(cmd);
+
+ auth_data = p_new(cmd->pool, struct smtp_server_cmd_auth, 1);
+ auth_data->sasl_mech = p_strdup(cmd->pool, sasl_mech);
+ auth_data->initial_response = p_strdup(cmd->pool, initial_response);
+
+ smtp_server_command_add_hook(command, SMTP_SERVER_COMMAND_HOOK_NEXT,
+ cmd_auth_start, auth_data);
+ smtp_server_command_add_hook(command, SMTP_SERVER_COMMAND_HOOK_COMPLETED,
+ cmd_auth_completed, auth_data);
+}