diff options
Diffstat (limited to 'src/lib-smtp/smtp-server-cmd-auth.c')
-rw-r--r-- | src/lib-smtp/smtp-server-cmd-auth.c | 242 |
1 files changed, 242 insertions, 0 deletions
diff --git a/src/lib-smtp/smtp-server-cmd-auth.c b/src/lib-smtp/smtp-server-cmd-auth.c new file mode 100644 index 0000000..841e186 --- /dev/null +++ b/src/lib-smtp/smtp-server-cmd-auth.c @@ -0,0 +1,242 @@ +/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */ + +#include "lib.h" +#include "istream.h" +#include "smtp-syntax.h" +#include "smtp-command-parser.h" + +#include "smtp-server-private.h" + +/* AUTH command (RFC 4954) */ + + +static bool +cmd_auth_check_state(struct smtp_server_cmd_ctx *cmd) +{ + struct smtp_server_connection *conn = cmd->conn; + + /* RFC 4954, Section 4: + After an AUTH command has been successfully completed, no more + AUTH commands may be issued in the same session. After a + successful AUTH command completes, a server MUST reject any + further AUTH commands with a 503 reply. */ + if (conn->authenticated) { + smtp_server_reply(cmd, + 503, "5.5.0", "Already authenticated"); + return FALSE; + } + + /* RFC 4954, Section 4: + The AUTH command is not permitted during a mail transaction. + An AUTH command issued during a mail transaction MUST be + rejected with a 503 reply. */ + if (conn->state.trans != NULL) { + smtp_server_reply(cmd, 503, "5.5.0", + "Authentication not permitted during a mail transaction"); + return FALSE; + } + return TRUE; +} + +void smtp_server_cmd_auth_success(struct smtp_server_cmd_ctx *cmd, + const char *username, const char *success_msg) +{ + cmd->conn->username = i_strdup(username); + + smtp_server_reply(cmd, 235, "2.7.0", "%s", + (success_msg == NULL ? "Logged in." : success_msg)); +} + +static void +cmd_auth_completed(struct smtp_server_cmd_ctx *cmd, + struct smtp_server_cmd_auth *data ATTR_UNUSED) +{ + struct smtp_server_connection *conn = cmd->conn; + struct smtp_server_command *command = cmd->cmd; + + i_assert(smtp_server_command_is_replied(command)); + if (smtp_server_command_replied_success(command)) { + /* only one valid success status for AUTH command */ + i_assert(smtp_server_command_reply_status_equals(command, 235)); + conn->authenticated = TRUE; + } +} + +static void cmd_auth_input(struct smtp_server_cmd_ctx *cmd) +{ + struct smtp_server_connection *conn = cmd->conn; + const struct smtp_server_callbacks *callbacks = conn->callbacks; + struct smtp_server_command *command = cmd->cmd; + enum smtp_command_parse_error error_code; + const char *auth_response, *error; + int ret; + + /* parse response */ + if ((ret=smtp_command_parse_auth_response(conn->smtp_parser, + &auth_response, &error_code, &error)) <= 0) { + /* check for disconnect */ + if (conn->conn.input->eof) { + smtp_server_connection_close(&conn, + i_stream_get_disconnect_reason(conn->conn.input)); + return; + } + /* handle syntax error */ + if (ret < 0) { + e_debug(conn->event, + "Client sent invalid AUTH response: %s", error); + + smtp_server_command_input_lock(cmd); + switch (error_code) { + case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND: + conn->input_broken = TRUE; + /* fall through */ + case SMTP_COMMAND_PARSE_ERROR_BAD_COMMAND: + smtp_server_reply(cmd, 500, "5.5.2", + "Invalid AUTH response syntax"); + break; + case SMTP_COMMAND_PARSE_ERROR_LINE_TOO_LONG: + smtp_server_reply(cmd, 500, "5.5.2", + "Line too long"); + break; + default: + i_unreached(); + } + } + if (conn->input_broken || conn->closing) + smtp_server_connection_input_halt(conn); + return; + } + + e_debug(conn->event, "Received AUTH response: %s", auth_response); + + smtp_server_command_input_lock(cmd); + + /* continue authentication */ + smtp_server_command_ref(command); + i_assert(callbacks != NULL && + callbacks->conn_cmd_auth_continue != NULL); + if ((ret=callbacks->conn_cmd_auth_continue(conn->context, + cmd, auth_response)) <= 0) { + /* command is waiting for external event or it failed */ + i_assert(ret == 0 || smtp_server_command_is_replied(command)); + smtp_server_command_unref(&command); + return; + } + if (!smtp_server_command_is_replied(command)) { + /* set generic AUTH success reply if none is provided */ + smtp_server_reply(cmd, 235, "2.7.0", "Logged in."); + } + conn->authenticated = TRUE; + smtp_server_command_unref(&command); +} + +void smtp_server_cmd_auth_send_challenge(struct smtp_server_cmd_ctx *cmd, + const char *challenge) +{ + struct smtp_server_connection *conn = cmd->conn; + struct smtp_server_command *command = cmd->cmd; + + i_assert(command->prev == NULL && + command->reg->func == smtp_server_cmd_auth); + + smtp_server_connection_reply_immediate(conn, 334, "%s", challenge); + smtp_server_connection_timeout_reset(conn); + + /* start AUTH-specific input handling */ + smtp_server_command_input_capture(cmd, cmd_auth_input); +} + +static void +cmd_auth_start(struct smtp_server_cmd_ctx *cmd, + struct smtp_server_cmd_auth *data) +{ + struct smtp_server_connection *conn = cmd->conn; + struct smtp_server_command *command = cmd->cmd; + const struct smtp_server_callbacks *callbacks = conn->callbacks; + int ret; + + /* all preceeding commands have finished and now the transaction state + is clear. This provides the opportunity to re-check the protocol + state */ + if (!cmd_auth_check_state(cmd)) + return; + + /* advance state */ + smtp_server_connection_set_state(conn, SMTP_SERVER_STATE_AUTH, NULL); + + smtp_server_command_ref(command); + i_assert(callbacks != NULL && callbacks->conn_cmd_auth != NULL); + + /* specific implementation of AUTH command */ + ret = callbacks->conn_cmd_auth(conn->context, cmd, data); + i_assert(ret == 0 || smtp_server_command_is_replied(command)); + + if (ret == 0) + smtp_server_connection_timeout_stop(conn); + + smtp_server_command_unref(&command); + return; +} + +void smtp_server_cmd_auth(struct smtp_server_cmd_ctx *cmd, + const char *params) +{ + struct smtp_server_connection *conn = cmd->conn; + struct smtp_server_command *command = cmd->cmd; + struct smtp_server_cmd_auth *auth_data; + const char *sasl_mech, *initial_response; + const char *const *argv; + int ret = 1; + + if ((conn->set.capabilities & SMTP_CAPABILITY_AUTH) == 0) { + smtp_server_reply(cmd, + 502, "5.5.1", "Unsupported command"); + return; + } + + /* RFC 4954, Section 8: + + auth-command = "AUTH" SP sasl-mech [SP initial-response] + *(CRLF [base64]) [CRLF cancel-response] + CRLF + ;; <sasl-mech> is defined in [SASL] + + initial-response = base64 / "=" + */ + argv = t_strsplit(params, " "); + initial_response = sasl_mech = NULL; + if (argv[0] == NULL) { + smtp_server_reply(cmd, + 501, "5.5.4", "Missing SASL mechanism parameter"); + ret = -1; + } else { + sasl_mech = argv[0]; + + if (argv[1] != NULL) { + if (argv[2] != NULL) { + smtp_server_reply(cmd, + 501, "5.5.4", "Invalid parameters"); + ret = -1; + } else { + initial_response = argv[1]; + } + } + } + if (ret < 0) + return; + + /* check protocol state */ + if (!cmd_auth_check_state(cmd)) + return; + + smtp_server_command_input_lock(cmd); + + auth_data = p_new(cmd->pool, struct smtp_server_cmd_auth, 1); + auth_data->sasl_mech = p_strdup(cmd->pool, sasl_mech); + auth_data->initial_response = p_strdup(cmd->pool, initial_response); + + smtp_server_command_add_hook(command, SMTP_SERVER_COMMAND_HOOK_NEXT, + cmd_auth_start, auth_data); + smtp_server_command_add_hook(command, SMTP_SERVER_COMMAND_HOOK_COMPLETED, + cmd_auth_completed, auth_data); +} |