[exim.git] / src / src / auths / dovecot.c

/*
 * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
 * Copyright (c) 2006-2020 The Exim Maintainers
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 */

/* A number of modifications have been made to the original code. Originally I
commented them specially, but now they are getting quite extensive, so I have
ceased doing that. The biggest change is to use unbuffered I/O on the socket
because using C buffered I/O gives problems on some operating systems. PH */

/* Protocol specifications:
 * Dovecot 1, protocol version 1.1
 *   http://wiki.dovecot.org/Authentication%20Protocol
 *
 * Dovecot 2, protocol version 1.1
 *   http://wiki2.dovecot.org/Design/AuthProtocol
 */

#include "../exim.h"
#include "dovecot.h"

#define VERSION_MAJOR  1
#define VERSION_MINOR  0

/* http://wiki.dovecot.org/Authentication%20Protocol
"The maximum line length isn't defined,
 but it's currently expected to fit into 8192 bytes"
*/
#define DOVECOT_AUTH_MAXLINELEN 8192

/* This was hard-coded as 8.
AUTH req C->S sends {"AUTH", id, mechanism, service } + params, 5 defined for
Dovecot 1; Dovecot 2 (same protocol version) defines 9.

Master->Server sends {"USER", id, userid} + params, 6 defined.
Server->Client only gives {"OK", id} + params, unspecified, only 1 guaranteed.

We only define here to accept S->C; max seen is 3+<unspecified>, plus the two
for the command and id, where unspecified might include _at least_ user=...

So: allow for more fields than we ever expect to see, while aware that count
can go up without changing protocol version.
The cost is the length of an array of pointers on the stack.
*/
#define DOVECOT_AUTH_MAXFIELDCOUNT 16

/* Options specific to the authentication mechanism. */
optionlist auth_dovecot_options[] = {
  { "server_socket", opt_stringptr, OPT_OFF(auth_dovecot_options_block, server_socket) },
/*{ "server_tls", opt_bool, OPT_OFF(auth_dovecot_options_block, server_tls) },*/
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_dovecot_options_count = nelem(auth_dovecot_options);

/* Default private options block for the authentication method. */

auth_dovecot_options_block auth_dovecot_option_defaults = {
	.server_socket = NULL,
/*	.server_tls =	FALSE,*/
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_dovecot_init(auth_instance *ablock) {}
int auth_dovecot_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_dovecot_client(auth_instance *ablock, void * sx,
  int timeout, uschar *buffer, int buffsize) {return 0;}

#else   /*!MACRO_PREDEF*/


/* Static variables for reading from the socket */

static uschar sbuffer[256];
static int socket_buffer_left;


/*************************************************
 *          Initialization entry point           *
 *************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

void auth_dovecot_init(auth_instance *ablock)
{
auth_dovecot_options_block *ob =
       (auth_dovecot_options_block *)(ablock->options_block);

if (!ablock->public_name) ablock->public_name = ablock->name;
if (ob->server_socket) ablock->server = TRUE;
ablock->client = FALSE;
}

/*************************************************
 *    "strcut" to split apart server lines       *
 *************************************************/

/* Dovecot auth protocol uses TAB \t as delimiter; a line consists
of a command-name, TAB, and then any parameters, each separated by a TAB.
A parameter can be param=value or a bool, just param.

This function modifies the original str in-place, inserting NUL characters.
It initialises ptrs entries, setting all to NULL and only setting
non-NULL N entries, where N is the return value, the number of fields seen
(one more than the number of tabs).

Note that the return value will always be at least 1, is the count of
actual fields (so last valid offset into ptrs is one less).
*/

static int
strcut(uschar *str, uschar **ptrs, int nptrs)
{
uschar *last_sub_start = str;
int n;

for (n = 0; n < nptrs; n++)
  ptrs[n] = NULL;
n = 1;

while (*str)
  if (*str++ == '\t')
    if (n++ <= nptrs)
      {
      *ptrs++ = last_sub_start;
      last_sub_start = str;
      str[-1] = '\0';
      }

/* It's acceptable for the string to end with a tab character.  We see
this in AUTH PLAIN without an initial response from the client, which
causing us to send "334 " and get the data from the client. */
if (n <= nptrs)
  *ptrs = last_sub_start;
else
  {
  HDEBUG(D_auth)
    debug_printf("dovecot: warning: too many results from tab-splitting;"
		  " saw %d fields, room for %d\n", n, nptrs);
  n = nptrs;
  }

return n <= nptrs ? n : nptrs;
}

static void debug_strcut(uschar **ptrs, int nlen, int alen) ARG_UNUSED;
static void
debug_strcut(uschar **ptrs, int nlen, int alen)
{
int i;
debug_printf("%d read but unreturned bytes; strcut() gave %d results: ",
		socket_buffer_left, nlen);
for (i = 0; i < nlen; i++)
  debug_printf(" {%s}", ptrs[i]);
if (nlen < alen)
  debug_printf(" last is %s\n", ptrs[i] ? ptrs[i] : US"<null>");
else
  debug_printf(" (max for capacity)\n");
}

#define CHECK_COMMAND(str, arg_min, arg_max) do { \
       if (strcmpic(US(str), args[0]) != 0) \
               goto out; \
       if (nargs - 1 < (arg_min)) \
               goto out; \
       if ( (arg_max != -1) && (nargs - 1 > (arg_max)) ) \
               goto out; \
} while (0)

#define OUT(msg) do { \
       auth_defer_msg = (US msg); \
       goto out; \
} while(0)


/*************************************************
*      "fgets" to read directly from socket      *
*************************************************/

/* Added by PH after a suggestion by Steve Usher because the previous use of
C-style buffered I/O gave trouble. */

static uschar *
dc_gets(uschar *s, int n, client_conn_ctx * cctx)
{
int p = 0;
int count = 0;

for (;;)
  {
  if (socket_buffer_left == 0)
    {
    if ((socket_buffer_left =
#ifndef DISABLE_TLS
	cctx->tls_ctx ? tls_read(cctx->tls_ctx, sbuffer, sizeof(sbuffer)) :
#endif
	read(cctx->sock, sbuffer, sizeof(sbuffer))) <= 0)
      if (count == 0)
	return NULL;
      else
	break;
    p = 0;
    }

  while (p < socket_buffer_left)
    {
    if (count >= n - 1) break;
    s[count++] = sbuffer[p];
    if (sbuffer[p++] == '\n') break;
    }

  memmove(sbuffer, sbuffer + p, socket_buffer_left - p);
  socket_buffer_left -= p;

  if (s[count-1] == '\n' || count >= n - 1) break;
  }

s[count] = '\0';
return s;
}


/*************************************************
*              Server entry point                *
*************************************************/

int
auth_dovecot_server(auth_instance * ablock, uschar * data)
{
auth_dovecot_options_block *ob =
       (auth_dovecot_options_block *) ablock->options_block;
uschar buffer[DOVECOT_AUTH_MAXLINELEN];
uschar *args[DOVECOT_AUTH_MAXFIELDCOUNT];
uschar *auth_command;
uschar *auth_extra_data = US"";
uschar *p;
int nargs, tmp;
int crequid = 1, ret = DEFER;
host_item host;
client_conn_ctx cctx = {.sock = -1, .tls_ctx = NULL};
BOOL found = FALSE, have_mech_line = FALSE;

HDEBUG(D_auth) debug_printf("dovecot authentication\n");

if (!data)
  {
  ret = FAIL;
  goto out;
  }

/*XXX timeout? */
cctx.sock = ip_streamsocket(ob->server_socket, &auth_defer_msg, 5, &host);
if (cctx.sock < 0)
 goto out;

#ifdef notdef
# ifndef DISABLE_TLS
if (ob->server_tls)
  {
  uschar * s;
  smtp_connect_args conn_args = { .host = &host };
  tls_support tls_dummy = {.sni=NULL};
  uschar * errstr;

  if (!tls_client_start(&cctx, &conn_args, NULL, &tls_dummy, &errstr))
    {
    auth_defer_msg = string_sprintf("TLS connect failed: %s", errstr);
    goto out;
    }
  }
# endif
#endif

auth_defer_msg = US"authentication socket protocol error";

socket_buffer_left = 0;  /* Global, used to read more than a line but return by line */
for (;;)
  {
debug_printf("%s %d\n", __FUNCTION__, __LINE__);
  if (!dc_gets(buffer, sizeof(buffer), &cctx))
    OUT("authentication socket read error or premature eof");
debug_printf("%s %d\n", __FUNCTION__, __LINE__);
  p = buffer + Ustrlen(buffer) - 1;
  if (*p != '\n')
    OUT("authentication socket protocol line too long");

  *p = '\0';
  HDEBUG(D_auth) debug_printf("received: '%s'\n", buffer);

  nargs = strcut(buffer, args, nelem(args));

  HDEBUG(D_auth) debug_strcut(args, nargs, nelem(args));

  /* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that
    Exim will need. Original code also failed if Dovecot server sent unknown
    command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */
  /* pdp: note that CUID is a per-connection identifier sent by the server,
    which increments at server discretion.
    By contrast, the "id" field of the protocol is a connection-specific request
    identifier, which needs to be unique per request from the client and is not
    connected to the CUID value, so we ignore CUID from server.  It's purely for
    diagnostics. */

  if (Ustrcmp(args[0], US"VERSION") == 0)
    {
    CHECK_COMMAND("VERSION", 2, 2);
    if (Uatoi(args[1]) != VERSION_MAJOR)
      OUT("authentication socket protocol version mismatch");
    }
  else if (Ustrcmp(args[0], US"MECH") == 0)
    {
    CHECK_COMMAND("MECH", 1, INT_MAX);
    have_mech_line = TRUE;
    if (strcmpic(US args[1], ablock->public_name) == 0)
      found = TRUE;
    }
  else if (Ustrcmp(args[0], US"SPID") == 0)
    {
    /* Unfortunately the auth protocol handshake wasn't designed well
    to differentiate between auth-client/userdb/master. auth-userdb
    and auth-master send VERSION + SPID lines only and nothing
    afterwards, while auth-client sends VERSION + MECH + SPID +
    CUID + more. The simplest way that we can determine if we've
    connected to the correct socket is to see if MECH line exists or
    not (alternatively we'd have to have a small timeout after SPID
    to see if CUID is sent or not). */

    if (!have_mech_line)
      OUT("authentication socket type mismatch"
	" (connected to auth-master instead of auth-client)");
    }
  else if (Ustrcmp(args[0], US"DONE") == 0)
    {
    CHECK_COMMAND("DONE", 0, 0);
    break;
    }
  }

if (!found)
  {
  auth_defer_msg = string_sprintf(
    "Dovecot did not advertise mechanism \"%s\" to us", ablock->public_name);
  goto out;
  }

/* Added by PH: data must not contain tab (as it is
b64 it shouldn't, but check for safety). */

if (Ustrchr(data, '\t') != NULL)
  {
  ret = FAIL;
  goto out;
  }

/* Added by PH: extra fields when TLS is in use or if the TCP/IP
connection is local. */

if (tls_in.cipher)
  auth_extra_data = string_sprintf("secured\t%s%s",
     tls_in.certificate_verified ? "valid-client-cert" : "",
     tls_in.certificate_verified ? "\t" : "");

else if (  interface_address
        && Ustrcmp(sender_host_address, interface_address) == 0)
  auth_extra_data = US"secured\t";


/****************************************************************************
The code below was the original code here. It didn't work. A reading of the
file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that
this was not right. Maybe something changed. I changed it to move the
service indication into the AUTH command, and it seems to be better. PH

fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
       "AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
       VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
       ablock->public_name, sender_host_address, interface_address,
       data ? CS  data : "");

Subsequently, the command was modified to add "secured" and "valid-client-
cert" when relevant.
****************************************************************************/

auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
       "AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n",
       VERSION_MAJOR, VERSION_MINOR, getpid(), crequid,
       ablock->public_name, auth_extra_data, sender_host_address,
       interface_address, data);

if ((
#ifndef DISABLE_TLS
    cctx.tls_ctx ? tls_write(cctx.tls_ctx, auth_command, Ustrlen(auth_command), FALSE) :
#endif
    write(cctx.sock, auth_command, Ustrlen(auth_command))) < 0)
  HDEBUG(D_auth) debug_printf("error sending auth_command: %s\n",
    strerror(errno));

HDEBUG(D_auth) debug_printf("sent: '%s'\n", auth_command);

while (1)
  {
  uschar *temp;
  uschar *auth_id_pre = NULL;

  if (!dc_gets(buffer, sizeof(buffer), &cctx))
    {
    auth_defer_msg = US"authentication socket read error or premature eof";
    goto out;
    }

  buffer[Ustrlen(buffer) - 1] = 0;
  HDEBUG(D_auth) debug_printf("received: '%s'\n", buffer);
  nargs = strcut(buffer, args, nelem(args));
  HDEBUG(D_auth) debug_strcut(args, nargs, nelem(args));

  if (Uatoi(args[1]) != crequid)
    OUT("authentication socket connection id mismatch");

  switch (toupper(*args[0]))
    {
    case 'C':
      CHECK_COMMAND("CONT", 1, 2);

      if ((tmp = auth_get_no64_data(&data, US args[2])) != OK)
	{
	ret = tmp;
	goto out;
	}

      /* Added by PH: data must not contain tab (as it is
      b64 it shouldn't, but check for safety). */

      if (Ustrchr(data, '\t') != NULL)
        {
	ret = FAIL;
	goto out;
	}

      temp = string_sprintf("CONT\t%d\t%s\n", crequid, data);
      if ((
#ifndef DISABLE_TLS
	  cctx.tls_ctx ? tls_write(cctx.tls_ctx, temp, Ustrlen(temp), FALSE) :
#endif
	  write(cctx.sock, temp, Ustrlen(temp))) < 0)
	OUT("authentication socket write error");
      break;

    case 'F':
      CHECK_COMMAND("FAIL", 1, -1);

      for (int i = 2; i < nargs && !auth_id_pre; i++)
	if (Ustrncmp(args[i], US"user=", 5) == 0)
	  {
	  auth_id_pre = args[i] + 5;
	  expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
	  expand_nlength[1] = Ustrlen(auth_id_pre);
	  expand_nmax = 1;
	  }
      ret = FAIL;
      goto out;

    case 'O':
      CHECK_COMMAND("OK", 2, -1);

      /* Search for the "user=$USER" string in the args array
      and return the proper value.  */

      for (int i = 2; i < nargs && !auth_id_pre; i++)
	if (Ustrncmp(args[i], US"user=", 5) == 0)
	  {
	  auth_id_pre = args[i] + 5;
	  expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
	  expand_nlength[1] = Ustrlen(auth_id_pre);
	  expand_nmax = 1;
	  }

      if (!auth_id_pre)
        OUT("authentication socket protocol error, username missing");

      auth_defer_msg = NULL;
      ret = OK;
      /* fallthrough */

    default:
      goto out;
    }
  }

out:
/* close the socket used by dovecot */
#ifndef DISABLE_TLS
if (cctx.tls_ctx)
  tls_close(cctx.tls_ctx, TRUE);
#endif
if (cctx.sock >= 0)
  close(cctx.sock);

/* Expand server_condition as an authorization check */
return ret == OK ? auth_check_serv_cond(ablock) : ret;
}


#endif   /*!MACRO_PREDEF*/
Commit	Line	Data
14aa5a05 PH	1	/*
14aa5a05 PH	2	* Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
1e1ddfac	3	* Copyright (c) 2006-2020 The Exim Maintainers
14aa5a05 PH	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published
	7	* by the Free Software Foundation; either version 2 of the License, or
	8	* (at your option) any later version.
	9	*/
	10
57c2c631 PH	11	/* A number of modifications have been made to the original code. Originally I
	12	commented them specially, but now they are getting quite extensive, so I have
	13	ceased doing that. The biggest change is to use unbuffered I/O on the socket
	14	because using C buffered I/O gives problems on some operating systems. PH */
	15
3f1df0e3 PP	16	/* Protocol specifications:
	17	* Dovecot 1, protocol version 1.1
	18	* http://wiki.dovecot.org/Authentication%20Protocol
	19	*
	20	* Dovecot 2, protocol version 1.1
	21	* http://wiki2.dovecot.org/Design/AuthProtocol
	22	*/
	23
14aa5a05 PH	24	#include "../exim.h"
	25	#include "dovecot.h"
	26
	27	#define VERSION_MAJOR 1
	28	#define VERSION_MINOR 0
	29
3f1df0e3 PP	30	/* http://wiki.dovecot.org/Authentication%20Protocol
	31	"The maximum line length isn't defined,
	32	but it's currently expected to fit into 8192 bytes"
	33	*/
	34	#define DOVECOT_AUTH_MAXLINELEN 8192
	35
	36	/* This was hard-coded as 8.
	37	AUTH req C->S sends {"AUTH", id, mechanism, service } + params, 5 defined for
	38	Dovecot 1; Dovecot 2 (same protocol version) defines 9.
	39
	40	Master->Server sends {"USER", id, userid} + params, 6 defined.
	41	Server->Client only gives {"OK", id} + params, unspecified, only 1 guaranteed.
	42
	43	We only define here to accept S->C; max seen is 3+<unspecified>, plus the two
	44	for the command and id, where unspecified might include _at least_ user=...
	45
	46	So: allow for more fields than we ever expect to see, while aware that count
	47	can go up without changing protocol version.
	48	The cost is the length of an array of pointers on the stack.
	49	*/
	50	#define DOVECOT_AUTH_MAXFIELDCOUNT 16
	51
14aa5a05 PH	52	/* Options specific to the authentication mechanism. */
14aa5a05 PH	53	optionlist auth_dovecot_options[] = {
7d2f2d36 JH	54	{ "server_socket", opt_stringptr, OPT_OFF(auth_dovecot_options_block, server_socket) },
7d2f2d36 JH	55	/{ "server_tls", opt_bool, OPT_OFF(auth_dovecot_options_block, server_tls) },/
14aa5a05 PH	56	};
	57
	58	/* Size of the options list. An extern variable has to be used so that its
	59	address can appear in the tables drtables.c. */
57c2c631	60
c71c454d	61	int auth_dovecot_options_count = nelem(auth_dovecot_options);
14aa5a05 PH	62
14aa5a05 PH	63	/* Default private options block for the authentication method. */
57c2c631	64
14aa5a05	65	auth_dovecot_options_block auth_dovecot_option_defaults = {
7d2f2d36 JH	66	.server_socket = NULL,
7d2f2d36 JH	67	/* .server_tls = FALSE,*/
14aa5a05 PH	68	};
14aa5a05 PH	69
57c2c631	70
d185889f JH	71
	72
	73	#ifdef MACRO_PREDEF
	74
	75	/* Dummy values */
	76	void auth_dovecot_init(auth_instance *ablock) {}
	77	int auth_dovecot_server(auth_instance ablock, uschar data) {return 0;}
251b9eb4 JH	78	int auth_dovecot_client(auth_instance ablock, void sx,
251b9eb4 JH	79	int timeout, uschar *buffer, int buffsize) {return 0;}
d185889f JH	80
	81	#else /!MACRO_PREDEF/
	82
	83
57c2c631 PH	84	/* Static variables for reading from the socket */
	85
	86	static uschar sbuffer[256];
3f1df0e3	87	static int socket_buffer_left;
57c2c631 PH	88
	89
	90
14aa5a05 PH	91	/*************************************************
	92	* Initialization entry point *
	93	*************************************************/
	94
	95	/* Called for each instance, after its options have been read, to
	96	enable consistency checks to be done, or anything else that needs
	97	to be set up. */
57c2c631	98
14aa5a05 PH	99	void auth_dovecot_init(auth_instance *ablock)
14aa5a05 PH	100	{
c71c454d JH	101	auth_dovecot_options_block *ob =
	102	(auth_dovecot_options_block *)(ablock->options_block);
	103
	104	if (!ablock->public_name) ablock->public_name = ablock->name;
	105	if (ob->server_socket) ablock->server = TRUE;
	106	ablock->client = FALSE;
14aa5a05 PH	107	}
14aa5a05 PH	108
3f1df0e3 PP	109	/*************************************************
	110	* "strcut" to split apart server lines *
	111	*************************************************/
	112
	113	/* Dovecot auth protocol uses TAB \t as delimiter; a line consists
	114	of a command-name, TAB, and then any parameters, each separated by a TAB.
	115	A parameter can be param=value or a bool, just param.
	116
	117	This function modifies the original str in-place, inserting NUL characters.
	118	It initialises ptrs entries, setting all to NULL and only setting
	119	non-NULL N entries, where N is the return value, the number of fields seen
	120	(one more than the number of tabs).
	121
	122	Note that the return value will always be at least 1, is the count of
	123	actual fields (so last valid offset into ptrs is one less).
	124	*/
	125
	126	static int
	127	strcut(uschar str, uschar *ptrs, int nptrs)
14aa5a05	128	{
d7978c0f JH	129	uschar *last_sub_start = str;
	130	int n;
	131
	132	for (n = 0; n < nptrs; n++)
	133	ptrs[n] = NULL;
	134	n = 1;
	135
	136	while (*str)
c71c454d JH	137	if (*str++ == '\t')
c71c454d JH	138	if (n++ <= nptrs)
d7978c0f JH	139	{
d7978c0f JH	140	*ptrs++ = last_sub_start;
c71c454d JH	141	last_sub_start = str;
c71c454d JH	142	str[-1] = '\0';
d7978c0f	143	}
d7978c0f JH	144
	145	/* It's acceptable for the string to end with a tab character. We see
	146	this in AUTH PLAIN without an initial response from the client, which
	147	causing us to send "334 " and get the data from the client. */
	148	if (n <= nptrs)
c71c454d	149	*ptrs = last_sub_start;
d7978c0f	150	else
c71c454d JH	151	{
	152	HDEBUG(D_auth)
	153	debug_printf("dovecot: warning: too many results from tab-splitting;"
	154	" saw %d fields, room for %d\n", n, nptrs);
	155	n = nptrs;
	156	}
d7978c0f JH	157
d7978c0f JH	158	return n <= nptrs ? n : nptrs;
3f1df0e3	159	}
14aa5a05	160
3f1df0e3 PP	161	static void debug_strcut(uschar **ptrs, int nlen, int alen) ARG_UNUSED;
	162	static void
	163	debug_strcut(uschar **ptrs, int nlen, int alen)
	164	{
d7978c0f JH	165	int i;
	166	debug_printf("%d read but unreturned bytes; strcut() gave %d results: ",
	167	socket_buffer_left, nlen);
	168	for (i = 0; i < nlen; i++)
	169	debug_printf(" {%s}", ptrs[i]);
	170	if (nlen < alen)
	171	debug_printf(" last is %s\n", ptrs[i] ? ptrs[i] : US"<null>");
	172	else
	173	debug_printf(" (max for capacity)\n");
14aa5a05 PH	174	}
	175
	176	#define CHECK_COMMAND(str, arg_min, arg_max) do { \
57c2c631	177	if (strcmpic(US(str), args[0]) != 0) \
14aa5a05 PH	178	goto out; \
	179	if (nargs - 1 < (arg_min)) \
	180	goto out; \
6c588e74	181	if ( (arg_max != -1) && (nargs - 1 > (arg_max)) ) \
14aa5a05 PH	182	goto out; \
	183	} while (0)
	184
	185	#define OUT(msg) do { \
	186	auth_defer_msg = (US msg); \
	187	goto out; \
	188	} while(0)
	189
7befa435 PH	190
7befa435 PH	191
14aa5a05	192	/*************************************************
57c2c631 PH	193	* "fgets" to read directly from socket *
	194	*************************************************/
	195
	196	/* Added by PH after a suggestion by Steve Usher because the previous use of
	197	C-style buffered I/O gave trouble. */
	198
	199	static uschar *
7d2f2d36	200	dc_gets(uschar s, int n, client_conn_ctx cctx)
57c2c631 PH	201	{
	202	int p = 0;
	203	int count = 0;
	204
	205	for (;;)
	206	{
3f1df0e3	207	if (socket_buffer_left == 0)
57c2c631	208	{
7d2f2d36 JH	209	if ((socket_buffer_left =
	210	#ifndef DISABLE_TLS
	211	cctx->tls_ctx ? tls_read(cctx->tls_ctx, sbuffer, sizeof(sbuffer)) :
	212	#endif
	213	read(cctx->sock, sbuffer, sizeof(sbuffer))) <= 0)
	214	if (count == 0)
	215	return NULL;
	216	else
	217	break;
51473862	218	p = 0;
57c2c631 PH	219	}
57c2c631 PH	220
3f1df0e3	221	while (p < socket_buffer_left)
57c2c631 PH	222	{
	223	if (count >= n - 1) break;
	224	s[count++] = sbuffer[p];
	225	if (sbuffer[p++] == '\n') break;
	226	}
	227
3f1df0e3 PP	228	memmove(sbuffer, sbuffer + p, socket_buffer_left - p);
3f1df0e3 PP	229	socket_buffer_left -= p;
57c2c631 PH	230
	231	if (s[count-1] == '\n' \|\| count >= n - 1) break;
	232	}
	233
3f1df0e3	234	s[count] = '\0';
57c2c631 PH	235	return s;
	236	}
	237
	238
	239
	240
	241	/*************************************************
	242	* Server entry point *
	243	*************************************************/
14aa5a05	244
96f5fe4c JH	245	int
96f5fe4c JH	246	auth_dovecot_server(auth_instance * ablock, uschar * data)
14aa5a05	247	{
96f5fe4c JH	248	auth_dovecot_options_block *ob =
96f5fe4c JH	249	(auth_dovecot_options_block *) ablock->options_block;
96f5fe4c JH	250	uschar buffer[DOVECOT_AUTH_MAXLINELEN];
	251	uschar *args[DOVECOT_AUTH_MAXFIELDCOUNT];
	252	uschar *auth_command;
	253	uschar *auth_extra_data = US"";
	254	uschar *p;
	255	int nargs, tmp;
7d2f2d36 JH	256	int crequid = 1, ret = DEFER;
	257	host_item host;
	258	client_conn_ctx cctx = {.sock = -1, .tls_ctx = NULL};
96f5fe4c JH	259	BOOL found = FALSE, have_mech_line = FALSE;
	260
	261	HDEBUG(D_auth) debug_printf("dovecot authentication\n");
	262
	263	if (!data)
	264	{
	265	ret = FAIL;
	266	goto out;
	267	}
14aa5a05	268
7d2f2d36 JH	269	/XXX timeout? /
	270	cctx.sock = ip_streamsocket(ob->server_socket, &auth_defer_msg, 5, &host);
	271	if (cctx.sock < 0)
	272	goto out;
14aa5a05	273
7d2f2d36 JH	274	#ifdef notdef
	275	# ifndef DISABLE_TLS
	276	if (ob->server_tls)
96f5fe4c	277	{
7d2f2d36 JH	278	uschar * s;
	279	smtp_connect_args conn_args = { .host = &host };
	280	tls_support tls_dummy = {.sni=NULL};
	281	uschar * errstr;
7befa435	282
7d2f2d36 JH	283	if (!tls_client_start(&cctx, &conn_args, NULL, &tls_dummy, &errstr))
	284	{
	285	auth_defer_msg = string_sprintf("TLS connect failed: %s", errstr);
	286	goto out;
	287	}
	288	}
	289	# endif
	290	#endif
7befa435	291
96f5fe4c	292	auth_defer_msg = US"authentication socket protocol error";
14aa5a05	293
96f5fe4c	294	socket_buffer_left = 0; /* Global, used to read more than a line but return by line */
7d2f2d36	295	for (;;)
96f5fe4c	296	{
7d2f2d36 JH	297	debug_printf("%s %d\n", __FUNCTION__, __LINE__);
7d2f2d36 JH	298	if (!dc_gets(buffer, sizeof(buffer), &cctx))
96f5fe4c	299	OUT("authentication socket read error or premature eof");
7d2f2d36	300	debug_printf("%s %d\n", __FUNCTION__, __LINE__);
96f5fe4c JH	301	p = buffer + Ustrlen(buffer) - 1;
	302	if (*p != '\n')
	303	OUT("authentication socket protocol line too long");
	304
	305	*p = '\0';
7d2f2d36	306	HDEBUG(D_auth) debug_printf("received: '%s'\n", buffer);
96f5fe4c	307
c71c454d	308	nargs = strcut(buffer, args, nelem(args));
96f5fe4c	309
7d2f2d36	310	HDEBUG(D_auth) debug_strcut(args, nargs, nelem(args));
96f5fe4c JH	311
	312	/* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that
	313	Exim will need. Original code also failed if Dovecot server sent unknown
	314	command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */
	315	/* pdp: note that CUID is a per-connection identifier sent by the server,
	316	which increments at server discretion.
	317	By contrast, the "id" field of the protocol is a connection-specific request
	318	identifier, which needs to be unique per request from the client and is not
	319	connected to the CUID value, so we ignore CUID from server. It's purely for
	320	diagnostics. */
	321
	322	if (Ustrcmp(args[0], US"VERSION") == 0)
	323	{
	324	CHECK_COMMAND("VERSION", 2, 2);
	325	if (Uatoi(args[1]) != VERSION_MAJOR)
	326	OUT("authentication socket protocol version mismatch");
	327	}
	328	else if (Ustrcmp(args[0], US"MECH") == 0)
	329	{
	330	CHECK_COMMAND("MECH", 1, INT_MAX);
	331	have_mech_line = TRUE;
	332	if (strcmpic(US args[1], ablock->public_name) == 0)
	333	found = TRUE;
	334	}
	335	else if (Ustrcmp(args[0], US"SPID") == 0)
	336	{
	337	/* Unfortunately the auth protocol handshake wasn't designed well
	338	to differentiate between auth-client/userdb/master. auth-userdb
	339	and auth-master send VERSION + SPID lines only and nothing
	340	afterwards, while auth-client sends VERSION + MECH + SPID +
	341	CUID + more. The simplest way that we can determine if we've
	342	connected to the correct socket is to see if MECH line exists or
	343	not (alternatively we'd have to have a small timeout after SPID
	344	to see if CUID is sent or not). */
	345
	346	if (!have_mech_line)
	347	OUT("authentication socket type mismatch"
	348	" (connected to auth-master instead of auth-client)");
	349	}
	350	else if (Ustrcmp(args[0], US"DONE") == 0)
	351	{
	352	CHECK_COMMAND("DONE", 0, 0);
7d2f2d36	353	break;
96f5fe4c JH	354	}
96f5fe4c JH	355	}
14aa5a05	356
96f5fe4c JH	357	if (!found)
	358	{
	359	auth_defer_msg = string_sprintf(
	360	"Dovecot did not advertise mechanism \"%s\" to us", ablock->public_name);
	361	goto out;
	362	}
14aa5a05	363
96f5fe4c JH	364	/* Added by PH: data must not contain tab (as it is
96f5fe4c JH	365	b64 it shouldn't, but check for safety). */
57c2c631	366
96f5fe4c JH	367	if (Ustrchr(data, '\t') != NULL)
	368	{
	369	ret = FAIL;
	370	goto out;
	371	}
14aa5a05	372
96f5fe4c JH	373	/* Added by PH: extra fields when TLS is in use or if the TCP/IP
96f5fe4c JH	374	connection is local. */
6c588e74	375
c71c454d	376	if (tls_in.cipher)
96f5fe4c	377	auth_extra_data = string_sprintf("secured\t%s%s",
c71c454d JH	378	tls_in.certificate_verified ? "valid-client-cert" : "",
c71c454d JH	379	tls_in.certificate_verified ? "\t" : "");
14aa5a05	380
c71c454d	381	else if ( interface_address
96f5fe4c JH	382	&& Ustrcmp(sender_host_address, interface_address) == 0)
96f5fe4c JH	383	auth_extra_data = US"secured\t";
14aa5a05	384
14aa5a05	385
96f5fe4c JH	386	/****************************************************************************
	387	The code below was the original code here. It didn't work. A reading of the
	388	file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that
	389	this was not right. Maybe something changed. I changed it to move the
	390	service indication into the AUTH command, and it seems to be better. PH
	391
	392	fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
	393	"AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
	394	VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
	395	ablock->public_name, sender_host_address, interface_address,
5903c6ff	396	data ? CS data : "");
96f5fe4c JH	397
	398	Subsequently, the command was modified to add "secured" and "valid-client-
	399	cert" when relevant.
	400	****************************************************************************/
14aa5a05	401
96f5fe4c JH	402	auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
	403	"AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n",
	404	VERSION_MAJOR, VERSION_MINOR, getpid(), crequid,
	405	ablock->public_name, auth_extra_data, sender_host_address,
	406	interface_address, data);
14aa5a05	407
7d2f2d36 JH	408	if ((
	409	#ifndef DISABLE_TLS
	410	cctx.tls_ctx ? tls_write(cctx.tls_ctx, auth_command, Ustrlen(auth_command), FALSE) :
	411	#endif
	412	write(cctx.sock, auth_command, Ustrlen(auth_command))) < 0)
96f5fe4c JH	413	HDEBUG(D_auth) debug_printf("error sending auth_command: %s\n",
96f5fe4c JH	414	strerror(errno));
7befa435	415
7d2f2d36	416	HDEBUG(D_auth) debug_printf("sent: '%s'\n", auth_command);
7befa435	417
96f5fe4c JH	418	while (1)
	419	{
	420	uschar *temp;
	421	uschar *auth_id_pre = NULL;
14aa5a05	422
7d2f2d36	423	if (!dc_gets(buffer, sizeof(buffer), &cctx))
96f5fe4c JH	424	{
	425	auth_defer_msg = US"authentication socket read error or premature eof";
	426	goto out;
	427	}
6c588e74	428
96f5fe4c	429	buffer[Ustrlen(buffer) - 1] = 0;
7d2f2d36	430	HDEBUG(D_auth) debug_printf("received: '%s'\n", buffer);
c71c454d	431	nargs = strcut(buffer, args, nelem(args));
7d2f2d36	432	HDEBUG(D_auth) debug_strcut(args, nargs, nelem(args));
6c588e74	433
96f5fe4c JH	434	if (Uatoi(args[1]) != crequid)
96f5fe4c JH	435	OUT("authentication socket connection id mismatch");
14aa5a05	436
96f5fe4c JH	437	switch (toupper(*args[0]))
	438	{
	439	case 'C':
	440	CHECK_COMMAND("CONT", 1, 2);
	441
	442	if ((tmp = auth_get_no64_data(&data, US args[2])) != OK)
	443	{
	444	ret = tmp;
	445	goto out;
	446	}
	447
	448	/* Added by PH: data must not contain tab (as it is
	449	b64 it shouldn't, but check for safety). */
	450
	451	if (Ustrchr(data, '\t') != NULL)
	452	{
	453	ret = FAIL;
	454	goto out;
	455	}
	456
	457	temp = string_sprintf("CONT\t%d\t%s\n", crequid, data);
7d2f2d36 JH	458	if ((
	459	#ifndef DISABLE_TLS
	460	cctx.tls_ctx ? tls_write(cctx.tls_ctx, temp, Ustrlen(temp), FALSE) :
	461	#endif
	462	write(cctx.sock, temp, Ustrlen(temp))) < 0)
96f5fe4c JH	463	OUT("authentication socket write error");
	464	break;
	465
	466	case 'F':
	467	CHECK_COMMAND("FAIL", 1, -1);
	468
c71c454d JH	469	for (int i = 2; i < nargs && !auth_id_pre; i++)
c71c454d JH	470	if (Ustrncmp(args[i], US"user=", 5) == 0)
96f5fe4c	471	{
c71c454d	472	auth_id_pre = args[i] + 5;
96f5fe4c JH	473	expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
	474	expand_nlength[1] = Ustrlen(auth_id_pre);
	475	expand_nmax = 1;
	476	}
96f5fe4c JH	477	ret = FAIL;
	478	goto out;
	479
	480	case 'O':
	481	CHECK_COMMAND("OK", 2, -1);
	482
	483	/* Search for the "user=$USER" string in the args array
	484	and return the proper value. */
	485
c71c454d JH	486	for (int i = 2; i < nargs && !auth_id_pre; i++)
c71c454d JH	487	if (Ustrncmp(args[i], US"user=", 5) == 0)
96f5fe4c	488	{
c71c454d	489	auth_id_pre = args[i] + 5;
96f5fe4c JH	490	expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
	491	expand_nlength[1] = Ustrlen(auth_id_pre);
	492	expand_nmax = 1;
	493	}
96f5fe4c	494
c71c454d	495	if (!auth_id_pre)
96f5fe4c JH	496	OUT("authentication socket protocol error, username missing");
96f5fe4c JH	497
7d2f2d36	498	auth_defer_msg = NULL;
96f5fe4c JH	499	ret = OK;
	500	/* fallthrough */
	501
	502	default:
	503	goto out;
	504	}
	505	}
14aa5a05	506
57c2c631	507	out:
96f5fe4c	508	/* close the socket used by dovecot */
7d2f2d36 JH	509	#ifndef DISABLE_TLS
	510	if (cctx.tls_ctx)
	511	tls_close(cctx.tls_ctx, TRUE);
	512	#endif
	513	if (cctx.sock >= 0)
	514	close(cctx.sock);
16ff981e	515
96f5fe4c JH	516	/* Expand server_condition as an authorization check */
96f5fe4c JH	517	return ret == OK ? auth_check_serv_cond(ablock) : ret;
14aa5a05	518	}
d185889f JH	519
	520
	521	#endif /!MACRO_PREDEF/