summaryrefslogtreecommitdiffstats
path: root/src/lib-smtp/smtp-server-cmd-auth.c
blob: 841e1866b28d4b59094453d6a3a9d4a535bff2d1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */

#include "lib.h"
#include "istream.h"
#include "smtp-syntax.h"
#include "smtp-command-parser.h"

#include "smtp-server-private.h"

/* AUTH command (RFC 4954) */


static bool
cmd_auth_check_state(struct smtp_server_cmd_ctx *cmd)
{
	struct smtp_server_connection *conn = cmd->conn;

	/* RFC 4954, Section 4:
	   After an AUTH command has been successfully completed, no more
	   AUTH commands may be issued in the same session.  After a
	   successful AUTH command completes, a server MUST reject any
	   further AUTH commands with a 503 reply. */
	if (conn->authenticated) {
		smtp_server_reply(cmd,
			503, "5.5.0", "Already authenticated");
		return FALSE;
	}

	/* RFC 4954, Section 4:
	   The AUTH command is not permitted during a mail transaction.
	   An AUTH command issued during a mail transaction MUST be
	   rejected with a 503 reply. */
	if (conn->state.trans != NULL) {
		smtp_server_reply(cmd, 503, "5.5.0",
			"Authentication not permitted during a mail transaction");
		return FALSE;
	}
	return TRUE;
}

void smtp_server_cmd_auth_success(struct smtp_server_cmd_ctx *cmd,
				  const char *username, const char *success_msg)
{
	cmd->conn->username = i_strdup(username);

	smtp_server_reply(cmd, 235, "2.7.0", "%s",
		(success_msg == NULL ? "Logged in." : success_msg));
}

static void
cmd_auth_completed(struct smtp_server_cmd_ctx *cmd,
		   struct smtp_server_cmd_auth *data ATTR_UNUSED)
{
	struct smtp_server_connection *conn = cmd->conn;
	struct smtp_server_command *command = cmd->cmd;

	i_assert(smtp_server_command_is_replied(command));
	if (smtp_server_command_replied_success(command)) {
		/* only one valid success status for AUTH command */
		i_assert(smtp_server_command_reply_status_equals(command, 235));
		conn->authenticated = TRUE;
	}
}

static void cmd_auth_input(struct smtp_server_cmd_ctx *cmd)
{
	struct smtp_server_connection *conn = cmd->conn;
	const struct smtp_server_callbacks *callbacks = conn->callbacks;
	struct smtp_server_command *command = cmd->cmd;
	enum smtp_command_parse_error error_code;
	const char *auth_response, *error;
	int ret;

	/* parse response */
	if ((ret=smtp_command_parse_auth_response(conn->smtp_parser,
		&auth_response, &error_code, &error)) <= 0) {
		/* check for disconnect */
		if (conn->conn.input->eof) {
			smtp_server_connection_close(&conn,
				i_stream_get_disconnect_reason(conn->conn.input));
			return;
		}
		/* handle syntax error */
		if (ret < 0) {
			e_debug(conn->event,
				"Client sent invalid AUTH response: %s", error);

			smtp_server_command_input_lock(cmd);
			switch (error_code) {
			case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND:
				conn->input_broken = TRUE;
				/* fall through */
			case SMTP_COMMAND_PARSE_ERROR_BAD_COMMAND:
				smtp_server_reply(cmd, 500, "5.5.2",
					"Invalid AUTH response syntax");
				break;
			case SMTP_COMMAND_PARSE_ERROR_LINE_TOO_LONG:
				smtp_server_reply(cmd, 500, "5.5.2",
					"Line too long");
				break;
			default:
				i_unreached();
			}
		}
		if (conn->input_broken || conn->closing)
			smtp_server_connection_input_halt(conn);
		return;
	}

	e_debug(conn->event, "Received AUTH response: %s", auth_response);

	smtp_server_command_input_lock(cmd);

	/* continue authentication */
	smtp_server_command_ref(command);
	i_assert(callbacks != NULL &&
		 callbacks->conn_cmd_auth_continue != NULL);
	if ((ret=callbacks->conn_cmd_auth_continue(conn->context,
		cmd, auth_response)) <= 0) {
		/* command is waiting for external event or it failed */
		i_assert(ret == 0 || smtp_server_command_is_replied(command));
		smtp_server_command_unref(&command);
		return;
	}
	if (!smtp_server_command_is_replied(command)) {
		/* set generic AUTH success reply if none is provided */
		smtp_server_reply(cmd, 235, "2.7.0", "Logged in.");
	}
	conn->authenticated = TRUE;
	smtp_server_command_unref(&command);
}

void smtp_server_cmd_auth_send_challenge(struct smtp_server_cmd_ctx *cmd,
					 const char *challenge)
{
	struct smtp_server_connection *conn = cmd->conn;
	struct smtp_server_command *command = cmd->cmd;

	i_assert(command->prev == NULL &&
		command->reg->func == smtp_server_cmd_auth);

	smtp_server_connection_reply_immediate(conn, 334, "%s", challenge);
	smtp_server_connection_timeout_reset(conn);

	/* start AUTH-specific input handling */
	smtp_server_command_input_capture(cmd, cmd_auth_input);
}

static void
cmd_auth_start(struct smtp_server_cmd_ctx *cmd,
	       struct smtp_server_cmd_auth *data)
{
	struct smtp_server_connection *conn = cmd->conn;
	struct smtp_server_command *command = cmd->cmd;
	const struct smtp_server_callbacks *callbacks = conn->callbacks;
	int ret;

	/* all preceeding commands have finished and now the transaction state
	   is clear. This provides the opportunity to re-check the protocol
	   state */
	if (!cmd_auth_check_state(cmd))
		return;

	/* advance state */
	smtp_server_connection_set_state(conn, SMTP_SERVER_STATE_AUTH, NULL);

	smtp_server_command_ref(command);
	i_assert(callbacks != NULL && callbacks->conn_cmd_auth != NULL);

	/* specific implementation of AUTH command */
	ret = callbacks->conn_cmd_auth(conn->context, cmd, data);
	i_assert(ret == 0 || smtp_server_command_is_replied(command));

	if (ret == 0)
		smtp_server_connection_timeout_stop(conn);

	smtp_server_command_unref(&command);
	return;
}

void smtp_server_cmd_auth(struct smtp_server_cmd_ctx *cmd,
			  const char *params)
{
	struct smtp_server_connection *conn = cmd->conn;
	struct smtp_server_command *command = cmd->cmd;
	struct smtp_server_cmd_auth *auth_data;
	const char *sasl_mech, *initial_response;
	const char *const *argv;
	int ret = 1;

	if ((conn->set.capabilities & SMTP_CAPABILITY_AUTH) == 0) {
		smtp_server_reply(cmd,
			502, "5.5.1", "Unsupported command");
		return;
	}

	/* RFC 4954, Section 8:

	   auth-command     = "AUTH" SP sasl-mech [SP initial-response]
	                      *(CRLF [base64]) [CRLF cancel-response]
	                      CRLF
	                      ;; <sasl-mech> is defined in [SASL]

	   initial-response = base64 / "="
	 */
	argv = t_strsplit(params, " ");
	initial_response = sasl_mech = NULL;
	if (argv[0] == NULL) {
		smtp_server_reply(cmd,
			501, "5.5.4", "Missing SASL mechanism parameter");
		ret = -1;
	} else {
		sasl_mech = argv[0];

		if (argv[1] != NULL) {
			if (argv[2] != NULL) {
				smtp_server_reply(cmd,
					501, "5.5.4", "Invalid parameters");
				ret = -1;
			} else {
				initial_response = argv[1];
			}
		}
	}
	if (ret < 0)
		return;

	/* check protocol state */
	if (!cmd_auth_check_state(cmd))
		return;

	smtp_server_command_input_lock(cmd);

	auth_data = p_new(cmd->pool, struct smtp_server_cmd_auth, 1);
	auth_data->sasl_mech = p_strdup(cmd->pool, sasl_mech);
	auth_data->initial_response = p_strdup(cmd->pool, initial_response);

	smtp_server_command_add_hook(command, SMTP_SERVER_COMMAND_HOOK_NEXT,
				     cmd_auth_start, auth_data);
	smtp_server_command_add_hook(command, SMTP_SERVER_COMMAND_HOOK_COMPLETED,
				     cmd_auth_completed, auth_data);
}