Why is SASL authentication have to be so difficult? Round 2
Derrick J Brashear
shadow at dementia.org
Tue Dec 7 04:39:22 EST 2004
On Mon, 6 Dec 2004, Robert Lubbers wrote:
> * OK cyrus.domain.com Cyrus IMAP4 v2.2.9 server ready
> . login cyrususer secret
> . NO Login failed: can't request info until later in exchange
> . logout
> * BYE LOGOUT received
> . OK Completed
Ken pointed something out to me about this yesterday, notably, that imap
has code e.g.
r = sasl_getprop(imapd_saslconn, SASL_USERNAME,
(const void **) &canon_user);
while pop does not. And I don't know the history. This is one reason I'd
rather have a real database of bugs, but making bugzilla manageable for
this is somewhat hard.
The commit log on 1.398.2.81 is "don't canonify a userid twice"
So we switch from (effectively) calling auth_canonifyid from
canonify_userid before doing sasl stuff, to this sasl_getprop after.
Reversing that change would be as follows, you'll almost certainly need to
apply it by hand.
hand.
Index: imapd.c
===================================================================
RCS file: /afs/andrew.cmu.edu/system/cvs/src/cyrus/imap/imapd.c,v
retrieving revision 1.398.2.81
retrieving revision 1.398.2.80
diff -u -r1.398.2.81 -r1.398.2.80
--- imapd.c 29 May 2003 20:18:58 -0000 1.398.2.81
+++ imapd.c 29 May 2003 14:50:45 -0000 1.398.2.80
@@ -38,7 +38,7 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: imapd.c,v 1.398.2.81 2003/05/29 20:18:58 rjs3 Exp $ */
+/* $Id: imapd.c,v 1.398.2.80 2003/05/29 14:50:45 ken3 Exp $ */
#include <config.h>
@@ -1561,7 +1561,8 @@
char c;
struct buf passwdbuf;
char *passwd;
- const char *reply = NULL;
+ char *canon_user;
+ const char *reply = 0;
int plaintextloginpause;
int r;
@@ -1571,10 +1572,20 @@
return;
}
+ canon_user = canonify_userid(user, NULL, NULL);
+
+ if (!canon_user) {
+ syslog(LOG_NOTICE, "badlogin: %s plaintext %s invalid user",
+ imapd_clienthost, beautify_string(user));
+ prot_printf(imapd_out, "%s NO %s\r\n", tag,
+ error_message(IMAP_INVALID_USER));
+ return;
+ }
+
/* possibly disallow login */
if ((imapd_starttls_done == 0) &&
(config_getswitch(IMAPOPT_ALLOWPLAINTEXT) == 0) &&
- !is_userid_anonymous(user)) {
+ strcmp(canon_user, "anonymous") != 0) {
eatline(imapd_in, ' ');
prot_printf(imapd_out, "%s NO Login only available under a layer\r\n",
tag);
@@ -1596,7 +1607,7 @@
passwd = passwdbuf.s;
- if (is_userid_anonymous(user)) {
+ if (!strcmp(canon_user, "anonymous")) {
if (config_getswitch(IMAPOPT_ALLOWANONYMOUSLOGIN)) {
passwd = beautify_string(passwd);
if (strlen(passwd) > 500) passwd[500] = '\0';
@@ -1615,21 +1626,22 @@
}
}
else if ((r = sasl_checkpass(imapd_saslconn,
- user,
- strlen(user),
+ canon_user,
+ strlen(canon_user),
passwd,
strlen(passwd))) != SASL_OK) {
syslog(LOG_NOTICE, "badlogin: %s plaintext %s %s",
- imapd_clienthost, user, sasl_errdetail(imapd_saslconn));
+ imapd_clienthost, canon_user, sasl_errdetail(imapd_saslconn));
sleep(3);
- if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
+ if (reply) {
+ prot_printf(imapd_out, "%s NO Login failed: %s\r\n", tag, reply);
+ } else if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
prot_printf(imapd_out, "%s NO Login failed: %s\r\n", tag, reply);
} else {
prot_printf(imapd_out, "%s NO Login failed: %d\r\n", tag, r);
}
-
snmp_increment_args(AUTHENTICATION_NO, 1,
VARIABLE_AUTH, 0 /* hash_simple("LOGIN") */,
VARIABLE_LISTEND);
@@ -1637,26 +1649,6 @@
return;
}
else {
- const char *canon_user;
-
- r = sasl_getprop(imapd_saslconn, SASL_USERNAME,
- (const void **) &canon_user);
-
- if(r != SASL_OK) {
- if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
- prot_printf(imapd_out, "%s NO Login failed: %s\r\n",
- tag, reply);
- } else {
- prot_printf(imapd_out, "%s NO Login failed: %d\r\n", tag, r);
- }
-
- snmp_increment_args(AUTHENTICATION_NO, 1,
- VARIABLE_AUTH, 0 /* hash_simple("LOGIN") */,
- VARIABLE_LISTEND);
- freebuf(&passwdbuf);
- return;
- }
-
imapd_userid = xstrdup(canon_user);
snmp_increment_args(AUTHENTICATION_YES, 1,
VARIABLE_AUTH, 0 /*hash_simple("LOGIN") */,
@@ -1761,6 +1753,7 @@
*/
sasl_result = sasl_getprop(imapd_saslconn, SASL_USERNAME,
(const void **) &canon_user);
+ imapd_userid = xstrdup(canon_user);
if (sasl_result != SASL_OK) {
prot_printf(imapd_out, "%s NO weird SASL error %d SASL_USERNAME\r\n",
tag, sasl_result);
@@ -1769,7 +1762,6 @@
reset_saslconn(&imapd_saslconn);
return;
}
- imapd_userid = xstrdup(canon_user);
proc_register("imapd", imapd_clienthost, imapd_userid, (char *)0);
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list