2 * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
3 * Copyright (c) 2006-2017 The Exim Maintainers
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published
7 * by the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
11 /* A number of modifications have been made to the original code. Originally I
12 commented them specially, but now they are getting quite extensive, so I have
13 ceased doing that. The biggest change is to use unbuffered I/O on the socket
14 because using C buffered I/O gives problems on some operating systems. PH */
16 /* Protocol specifications:
17 * Dovecot 1, protocol version 1.1
18 * http://wiki.dovecot.org/Authentication%20Protocol
20 * Dovecot 2, protocol version 1.1
21 * http://wiki2.dovecot.org/Design/AuthProtocol
27 #define VERSION_MAJOR 1
28 #define VERSION_MINOR 0
30 /* http://wiki.dovecot.org/Authentication%20Protocol
31 "The maximum line length isn't defined,
32 but it's currently expected to fit into 8192 bytes"
34 #define DOVECOT_AUTH_MAXLINELEN 8192
36 /* This was hard-coded as 8.
37 AUTH req C->S sends {"AUTH", id, mechanism, service } + params, 5 defined for
38 Dovecot 1; Dovecot 2 (same protocol version) defines 9.
40 Master->Server sends {"USER", id, userid} + params, 6 defined.
41 Server->Client only gives {"OK", id} + params, unspecified, only 1 guaranteed.
43 We only define here to accept S->C; max seen is 3+<unspecified>, plus the two
44 for the command and id, where unspecified might include _at least_ user=...
46 So: allow for more fields than we ever expect to see, while aware that count
47 can go up without changing protocol version.
48 The cost is the length of an array of pointers on the stack.
50 #define DOVECOT_AUTH_MAXFIELDCOUNT 16
52 /* Options specific to the authentication mechanism. */
53 optionlist auth_dovecot_options[] = {
57 (void *)(offsetof(auth_dovecot_options_block, server_socket))
61 /* Size of the options list. An extern variable has to be used so that its
62 address can appear in the tables drtables.c. */
64 int auth_dovecot_options_count =
65 sizeof(auth_dovecot_options) / sizeof(optionlist);
67 /* Default private options block for the authentication method. */
69 auth_dovecot_options_block auth_dovecot_option_defaults = {
70 NULL, /* server_socket */
79 void auth_dovecot_init(auth_instance *ablock) {}
80 int auth_dovecot_server(auth_instance *ablock, uschar *data) {return 0;}
81 int auth_dovecot_client(auth_instance *ablock, smtp_inblock *inblock,
82 smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
84 #else /*!MACRO_PREDEF*/
87 /* Static variables for reading from the socket */
89 static uschar sbuffer[256];
90 static int socket_buffer_left;
94 /*************************************************
95 * Initialization entry point *
96 *************************************************/
98 /* Called for each instance, after its options have been read, to
99 enable consistency checks to be done, or anything else that needs
102 void auth_dovecot_init(auth_instance *ablock)
104 auth_dovecot_options_block *ob =
105 (auth_dovecot_options_block *)(ablock->options_block);
107 if (ablock->public_name == NULL)
108 ablock->public_name = ablock->name;
109 if (ob->server_socket != NULL)
110 ablock->server = TRUE;
111 ablock->client = FALSE;
114 /*************************************************
115 * "strcut" to split apart server lines *
116 *************************************************/
118 /* Dovecot auth protocol uses TAB \t as delimiter; a line consists
119 of a command-name, TAB, and then any parameters, each separated by a TAB.
120 A parameter can be param=value or a bool, just param.
122 This function modifies the original str in-place, inserting NUL characters.
123 It initialises ptrs entries, setting all to NULL and only setting
124 non-NULL N entries, where N is the return value, the number of fields seen
125 (one more than the number of tabs).
127 Note that the return value will always be at least 1, is the count of
128 actual fields (so last valid offset into ptrs is one less).
132 strcut(uschar *str, uschar **ptrs, int nptrs)
134 uschar *last_sub_start = str;
137 for (n = 0; n < nptrs; n++)
144 *ptrs++ = last_sub_start;
145 last_sub_start = str + 1;
153 /* It's acceptable for the string to end with a tab character. We see
154 this in AUTH PLAIN without an initial response from the client, which
155 causing us to send "334 " and get the data from the client. */
157 *ptrs = last_sub_start;
159 HDEBUG(D_auth) debug_printf("dovecot: warning: too many results from tab-splitting; saw %d fields, room for %d\n", n, nptrs);
163 return n <= nptrs ? n : nptrs;
166 static void debug_strcut(uschar **ptrs, int nlen, int alen) ARG_UNUSED;
168 debug_strcut(uschar **ptrs, int nlen, int alen)
171 debug_printf("%d read but unreturned bytes; strcut() gave %d results: ",
172 socket_buffer_left, nlen);
173 for (i = 0; i < nlen; i++) {
174 debug_printf(" {%s}", ptrs[i]);
177 debug_printf(" last is %s\n", ptrs[i] ? ptrs[i] : US"<null>");
179 debug_printf(" (max for capacity)\n");
182 #define CHECK_COMMAND(str, arg_min, arg_max) do { \
183 if (strcmpic(US(str), args[0]) != 0) \
185 if (nargs - 1 < (arg_min)) \
187 if ( (arg_max != -1) && (nargs - 1 > (arg_max)) ) \
191 #define OUT(msg) do { \
192 auth_defer_msg = (US msg); \
198 /*************************************************
199 * "fgets" to read directly from socket *
200 *************************************************/
202 /* Added by PH after a suggestion by Steve Usher because the previous use of
203 C-style buffered I/O gave trouble. */
206 dc_gets(uschar *s, int n, int fd)
213 if (socket_buffer_left == 0)
215 socket_buffer_left = read(fd, sbuffer, sizeof(sbuffer));
216 if (socket_buffer_left == 0) { if (count == 0) return NULL; else break; }
220 while (p < socket_buffer_left)
222 if (count >= n - 1) break;
223 s[count++] = sbuffer[p];
224 if (sbuffer[p++] == '\n') break;
227 memmove(sbuffer, sbuffer + p, socket_buffer_left - p);
228 socket_buffer_left -= p;
230 if (s[count-1] == '\n' || count >= n - 1) break;
240 /*************************************************
241 * Server entry point *
242 *************************************************/
245 auth_dovecot_server(auth_instance * ablock, uschar * data)
247 auth_dovecot_options_block *ob =
248 (auth_dovecot_options_block *) ablock->options_block;
249 struct sockaddr_un sa;
250 uschar buffer[DOVECOT_AUTH_MAXLINELEN];
251 uschar *args[DOVECOT_AUTH_MAXFIELDCOUNT];
252 uschar *auth_command;
253 uschar *auth_extra_data = US"";
256 int crequid = 1, cont = 1, fd = -1, ret = DEFER;
257 BOOL found = FALSE, have_mech_line = FALSE;
259 HDEBUG(D_auth) debug_printf("dovecot authentication\n");
267 memset(&sa, 0, sizeof(sa));
268 sa.sun_family = AF_UNIX;
270 /* This was the original code here: it is nonsense because strncpy()
271 does not return an integer. I have converted this to use the function
272 that formats and checks length. PH */
275 if (strncpy(sa.sun_path, ob->server_socket, sizeof(sa.sun_path)) < 0) {
279 if (!string_format(US sa.sun_path, sizeof(sa.sun_path), "%s",
282 auth_defer_msg = US"authentication socket path too long";
286 auth_defer_msg = US"authentication socket connection error";
288 if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
291 if (connect(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0)
294 auth_defer_msg = US"authentication socket protocol error";
296 socket_buffer_left = 0; /* Global, used to read more than a line but return by line */
299 if (dc_gets(buffer, sizeof(buffer), fd) == NULL)
300 OUT("authentication socket read error or premature eof");
301 p = buffer + Ustrlen(buffer) - 1;
303 OUT("authentication socket protocol line too long");
306 HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
308 nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));
310 /* HDEBUG(D_auth) debug_strcut(args, nargs, sizeof(args) / sizeof(args[0])); */
312 /* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that
313 Exim will need. Original code also failed if Dovecot server sent unknown
314 command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */
315 /* pdp: note that CUID is a per-connection identifier sent by the server,
316 which increments at server discretion.
317 By contrast, the "id" field of the protocol is a connection-specific request
318 identifier, which needs to be unique per request from the client and is not
319 connected to the CUID value, so we ignore CUID from server. It's purely for
322 if (Ustrcmp(args[0], US"VERSION") == 0)
324 CHECK_COMMAND("VERSION", 2, 2);
325 if (Uatoi(args[1]) != VERSION_MAJOR)
326 OUT("authentication socket protocol version mismatch");
328 else if (Ustrcmp(args[0], US"MECH") == 0)
330 CHECK_COMMAND("MECH", 1, INT_MAX);
331 have_mech_line = TRUE;
332 if (strcmpic(US args[1], ablock->public_name) == 0)
335 else if (Ustrcmp(args[0], US"SPID") == 0)
337 /* Unfortunately the auth protocol handshake wasn't designed well
338 to differentiate between auth-client/userdb/master. auth-userdb
339 and auth-master send VERSION + SPID lines only and nothing
340 afterwards, while auth-client sends VERSION + MECH + SPID +
341 CUID + more. The simplest way that we can determine if we've
342 connected to the correct socket is to see if MECH line exists or
343 not (alternatively we'd have to have a small timeout after SPID
344 to see if CUID is sent or not). */
347 OUT("authentication socket type mismatch"
348 " (connected to auth-master instead of auth-client)");
350 else if (Ustrcmp(args[0], US"DONE") == 0)
352 CHECK_COMMAND("DONE", 0, 0);
359 auth_defer_msg = string_sprintf(
360 "Dovecot did not advertise mechanism \"%s\" to us", ablock->public_name);
364 /* Added by PH: data must not contain tab (as it is
365 b64 it shouldn't, but check for safety). */
367 if (Ustrchr(data, '\t') != NULL)
373 /* Added by PH: extra fields when TLS is in use or if the TCP/IP
374 connection is local. */
376 if (tls_in.cipher != NULL)
377 auth_extra_data = string_sprintf("secured\t%s%s",
378 tls_in.certificate_verified? "valid-client-cert" : "",
379 tls_in.certificate_verified? "\t" : "");
381 else if ( interface_address != NULL
382 && Ustrcmp(sender_host_address, interface_address) == 0)
383 auth_extra_data = US"secured\t";
386 /****************************************************************************
387 The code below was the original code here. It didn't work. A reading of the
388 file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that
389 this was not right. Maybe something changed. I changed it to move the
390 service indication into the AUTH command, and it seems to be better. PH
392 fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
393 "AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
394 VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
395 ablock->public_name, sender_host_address, interface_address,
396 data ? CS data : "");
398 Subsequently, the command was modified to add "secured" and "valid-client-
400 ****************************************************************************/
402 auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
403 "AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n",
404 VERSION_MAJOR, VERSION_MINOR, getpid(), crequid,
405 ablock->public_name, auth_extra_data, sender_host_address,
406 interface_address, data);
408 if (write(fd, auth_command, Ustrlen(auth_command)) < 0)
409 HDEBUG(D_auth) debug_printf("error sending auth_command: %s\n",
412 HDEBUG(D_auth) debug_printf("sent: %s", auth_command);
417 uschar *auth_id_pre = NULL;
420 if (dc_gets(buffer, sizeof(buffer), fd) == NULL)
422 auth_defer_msg = US"authentication socket read error or premature eof";
426 buffer[Ustrlen(buffer) - 1] = 0;
427 HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
428 nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));
430 if (Uatoi(args[1]) != crequid)
431 OUT("authentication socket connection id mismatch");
433 switch (toupper(*args[0]))
436 CHECK_COMMAND("CONT", 1, 2);
438 if ((tmp = auth_get_no64_data(&data, US args[2])) != OK)
444 /* Added by PH: data must not contain tab (as it is
445 b64 it shouldn't, but check for safety). */
447 if (Ustrchr(data, '\t') != NULL)
453 temp = string_sprintf("CONT\t%d\t%s\n", crequid, data);
454 if (write(fd, temp, Ustrlen(temp)) < 0)
455 OUT("authentication socket write error");
459 CHECK_COMMAND("FAIL", 1, -1);
461 for (i=2; (i<nargs) && (auth_id_pre == NULL); i++)
463 if ( Ustrncmp(args[i], US"user=", 5) == 0 )
465 auth_id_pre = args[i]+5;
466 expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
467 expand_nlength[1] = Ustrlen(auth_id_pre);
476 CHECK_COMMAND("OK", 2, -1);
478 /* Search for the "user=$USER" string in the args array
479 and return the proper value. */
481 for (i=2; (i<nargs) && (auth_id_pre == NULL); i++)
483 if ( Ustrncmp(args[i], US"user=", 5) == 0 )
485 auth_id_pre = args[i]+5;
486 expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
487 expand_nlength[1] = Ustrlen(auth_id_pre);
492 if (auth_id_pre == NULL)
493 OUT("authentication socket protocol error, username missing");
504 /* close the socket used by dovecot */
508 /* Expand server_condition as an authorization check */
509 return ret == OK ? auth_check_serv_cond(ablock) : ret;
513 #endif /*!MACRO_PREDEF*/