From abeb122d6e447f03be252094e857bf6d5611de19 Mon Sep 17 00:00:00 2001 From: Igor Sysoev Date: Mon, 23 Oct 2006 13:10:10 +0000 Subject: [PATCH] APOP --- src/core/ngx_config.h | 2 + src/core/ngx_file.c | 6 +- src/imap/ngx_imap.h | 54 +++++++++++------- src/imap/ngx_imap_auth_http_module.c | 51 ++++++++++++++++- src/imap/ngx_imap_core_module.c | 45 +++++++++++++++ src/imap/ngx_imap_handler.c | 82 +++++++++++++++++++++++++++- src/imap/ngx_imap_parse.c | 24 ++++++-- src/os/unix/ngx_posix_init.c | 2 + src/os/win32/ngx_win32_config.h | 3 + 9 files changed, 235 insertions(+), 34 deletions(-) diff --git a/src/core/ngx_config.h b/src/core/ngx_config.h index 6078d89c7..ef31be538 100644 --- a/src/core/ngx_config.h +++ b/src/core/ngx_config.h @@ -49,6 +49,8 @@ #define ngx_signal_helper(n) SIG##n #define ngx_signal_value(n) ngx_signal_helper(n) +#define ngx_random random + /* TODO: #ifndef */ #define NGX_SHUTDOWN_SIGNAL QUIT #define NGX_TERMINATE_SIGNAL TERM diff --git a/src/core/ngx_file.c b/src/core/ngx_file.c index f6bf04b03..e74c1aeab 100644 --- a/src/core/ngx_file.c +++ b/src/core/ngx_file.c @@ -9,7 +9,7 @@ static ngx_atomic_uint_t ngx_temp_number; -static ngx_atomic_uint_t ngx_random; +static ngx_atomic_uint_t ngx_random_number; ssize_t @@ -216,7 +216,7 @@ void ngx_init_temp_number(void) { ngx_temp_number = 0; - ngx_random = 123456; + ngx_random_number = 123456; } @@ -224,7 +224,7 @@ ngx_atomic_uint_t ngx_next_temp_number(ngx_uint_t collision) { if (collision) { - ngx_temp_number += ngx_random; + ngx_temp_number += ngx_random_number; } return ngx_temp_number++; diff --git a/src/imap/ngx_imap.h b/src/imap/ngx_imap.h index a55ad8cbc..2c24b5cf0 100644 --- a/src/imap/ngx_imap.h +++ b/src/imap/ngx_imap.h @@ -87,6 +87,10 @@ typedef struct { ngx_str_t imap_starttls_capability; ngx_str_t imap_starttls_only_capability; + ngx_str_t server_name; + + ngx_uint_t auth_methods; + ngx_array_t pop3_capabilities; ngx_array_t imap_capabilities; 
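Review bot: `ngx_random` in src/core/ngx_config.h is bound to `random()`, and the only seeding this patch adds is `srandom(ngx_time())` in ngx_os_init (src/os/unix/ngx_posix_init.c), so the APOP challenge that ngx_imap_init_session builds from `ngx_random()` and `ngx_time()` is predictable and may not be unique. If worker processes are forked after ngx_os_init runs (not visible here), they inherit the same generator state and two workers can issue the same challenge within one second, which would make a captured APOP digest replayable. The win32 mapping to `rand` has no seeding call anywhere in this patch. Consider reseeding in each worker with a per-process value, for example `srandom(((unsigned) ngx_pid << 16) ^ ngx_time());` in the worker start-up path, or mixing the connection number into the challenge.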
@@ -149,10 +153,12 @@ typedef struct { unsigned backslash:1; unsigned no_sync_literal:1; unsigned starttls:1; + unsigned auth_method:1; ngx_str_t login; ngx_str_t passwd; + ngx_str_t salt; ngx_str_t tag; ngx_str_t tagged_line; @@ -179,29 +185,37 @@ typedef struct { } ngx_imap_log_ctx_t; -#define NGX_POP3_USER 1 -#define NGX_POP3_PASS 2 -#define NGX_POP3_CAPA 3 -#define NGX_POP3_QUIT 4 -#define NGX_POP3_NOOP 5 -#define NGX_POP3_STLS 6 -#define NGX_POP3_APOP 7 -#define NGX_POP3_STAT 8 -#define NGX_POP3_LIST 9 -#define NGX_POP3_RETR 10 -#define NGX_POP3_DELE 11 -#define NGX_POP3_RSET 12 -#define NGX_POP3_TOP 13 -#define NGX_POP3_UIDL 14 +#define NGX_POP3_USER 1 +#define NGX_POP3_PASS 2 +#define NGX_POP3_CAPA 3 +#define NGX_POP3_QUIT 4 +#define NGX_POP3_NOOP 5 +#define NGX_POP3_STLS 6 +#define NGX_POP3_APOP 7 +#define NGX_POP3_STAT 8 +#define NGX_POP3_LIST 9 +#define NGX_POP3_RETR 10 +#define NGX_POP3_DELE 11 +#define NGX_POP3_RSET 12 +#define NGX_POP3_TOP 13 +#define NGX_POP3_UIDL 14 -#define NGX_IMAP_LOGIN 1 -#define NGX_IMAP_LOGOUT 2 -#define NGX_IMAP_CAPABILITY 3 -#define NGX_IMAP_NOOP 4 -#define NGX_IMAP_STARTTLS 5 +#define NGX_IMAP_LOGIN 1 +#define NGX_IMAP_LOGOUT 2 +#define NGX_IMAP_CAPABILITY 3 +#define NGX_IMAP_NOOP 4 +#define NGX_IMAP_STARTTLS 5 -#define NGX_IMAP_NEXT 6 +#define NGX_IMAP_NEXT 6 + + +#define NGX_IMAP_AUTH_PLAIN 0 +#define NGX_IMAP_AUTH_APOP 1 + + +#define NGX_IMAP_AUTH_PLAIN_ENABLED 0x0002 +#define NGX_IMAP_AUTH_APOP_ENABLED 0x0004 #define NGX_IMAP_PARSE_INVALID_COMMAND 20 diff --git a/src/imap/ngx_imap_auth_http_module.c b/src/imap/ngx_imap_auth_http_module.c index 96531ab96..fd9bb5352 100644 --- a/src/imap/ngx_imap_auth_http_module.c +++ b/src/imap/ngx_imap_auth_http_module.c 
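Review bot: `unsigned auth_method:1;` in the session struct can hold only 0 and 1, which covers NGX_IMAP_AUTH_PLAIN and NGX_IMAP_AUTH_APOP and nothing more. The field is used as an index into `ngx_imap_auth_http_method[]` in ngx_imap_auth_http_module.c, so a third method numbered 2 would be truncated to 0 and reported to the auth server as `plain`. Widening it now, `unsigned auth_method:2;`, costs nothing; at minimum add the comment `/* index into ngx_imap_auth_http_method[], one of NGX_IMAP_AUTH_* */`. The struct definition starts and ends outside the hunk.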
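Review bot: The new `NGX_IMAP_AUTH_PLAIN_ENABLED` and `NGX_IMAP_AUTH_APOP_ENABLED` masks start at 0x0002 with no explanation, next to method numbers that start at 0. Presumably bit 0x0001 is left free for `NGX_CONF_BITMASK_SET`, which the merge in ngx_imap_core_module.c ORs into the default. A one-line comment above the two defines would stop someone from later assigning 0x0001 to a new method: `/* 0x0001 is reserved for NGX_CONF_BITMASK_SET */`.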
@@ -131,7 +131,10 @@ ngx_module_t ngx_imap_auth_http_module = { }; -static char *ngx_imap_auth_http_protocol[] = { "pop3", "imap" }; +static char *ngx_imap_auth_http_protocol[] = { "pop3", "imap" }; +static ngx_str_t ngx_imap_auth_http_method[] = { + ngx_string("plain"), ngx_string("apop") +}; void @@ -558,6 +561,25 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s, continue; } + if (len == sizeof("Auth-Pass") - 1 + && ngx_strncasecmp(ctx->header_name_start, "Auth-Pass", + sizeof("Auth-Pass") - 1) == 0) + { + s->passwd.len = ctx->header_end - ctx->header_start; + + s->passwd.data = ngx_palloc(s->connection->pool, s->passwd.len); + if (s->passwd.data == NULL) { + ngx_close_connection(ctx->peer.connection); + ngx_destroy_pool(ctx->pool); + ngx_imap_session_internal_server_error(s); + return; + } + + ngx_memcpy(s->passwd.data, ctx->header_start, s->passwd.len); + + continue; + } + if (len == sizeof("Auth-Wait") - 1 && ngx_strncasecmp(ctx->header_name_start, "Auth-Wait", sizeof("Auth-Wait") - 1) == 0) @@ -614,6 +636,15 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s, return; } + if (s->passwd.data == NULL) { + ngx_log_error(NGX_LOG_ERR, s->connection->log, 0, + "auth http server %V did not send password", + &ctx->peer.peers->peer[0].name); + ngx_destroy_pool(ctx->pool); + ngx_imap_session_internal_server_error(s); + return; + } + peers = ngx_pcalloc(s->connection->pool, sizeof(ngx_peers_t)); if (peers == NULL) { ngx_destroy_pool(ctx->pool); @@ -731,6 +762,8 @@ ngx_imap_auth_sleep_handler(ngx_event_t *rev) s->connection->read->handler = ngx_imap_auth_state; } + s->auth_method = NGX_IMAP_AUTH_PLAIN; + c->log->action = "in auth state"; ngx_imap_send(s->connection->write); 
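Review bot: The new `Auth-Pass` branch in ngx_imap_auth_http_process_headers accepts a password from the auth server's reply for every auth method and replaces `s->passwd` unconditionally. The reply therefore now carries a cleartext password, and for APOP the auth server apparently has to keep passwords in recoverable form; the patch does not say so anywhere. I would add a comment above the branch such as `/* APOP: the auth server returns the cleartext password used for the backend login; the auth_http connection must be trusted */`, and consider honouring the header only when `s->auth_method == NGX_IMAP_AUTH_APOP`. The function body extends beyond the hunk.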
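Review bot: The missing-password check tests only `s->passwd.data == NULL`, so a reply with an empty `Auth-Pass:` value gets through: the header branch sets `s->passwd.len` to 0 and stores whatever `ngx_palloc()` returns for a zero-byte request, which is likely non-NULL. The session would then continue to the backend with an empty password. Testing the length as well closes this, `if (s->passwd.data == NULL || s->passwd.len == 0) {`. If empty passwords must remain possible for plain logins, restrict the length test to the APOP case.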
@@ -1007,6 +1040,7 @@ ngx_imap_auth_http_create_request(ngx_imap_session_t *s, ngx_pool_t *pool, + sizeof("Auth-Method: plain" CRLF) - 1 + sizeof("Auth-User: ") - 1 + login.len + sizeof(CRLF) - 1 + sizeof("Auth-Pass: ") - 1 + passwd.len + sizeof(CRLF) - 1 + + sizeof("Auth-Salt: ") - 1 + s->salt.len + sizeof("Auth-Protocol: imap" CRLF) - 1 + sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN + sizeof(CRLF) - 1 @@ -1029,8 +1063,12 @@ ngx_imap_auth_http_create_request(ngx_imap_session_t *s, ngx_pool_t *pool, ahcf->host_header.len); *b->last++ = CR; *b->last++ = LF; - b->last = ngx_cpymem(b->last, "Auth-Method: plain" CRLF, - sizeof("Auth-Method: plain" CRLF) - 1); + b->last = ngx_cpymem(b->last, "Auth-Method: ", + sizeof("Auth-Method: ") - 1); + b->last = ngx_cpymem(b->last, + ngx_imap_auth_http_method[s->auth_method].data, + ngx_imap_auth_http_method[s->auth_method].len); + *b->last++ = CR; *b->last++ = LF; b->last = ngx_cpymem(b->last, "Auth-User: ", sizeof("Auth-User: ") - 1); b->last = ngx_copy(b->last, login.data, login.len); @@ -1040,6 +1078,13 @@ ngx_imap_auth_http_create_request(ngx_imap_session_t *s, ngx_pool_t *pool, b->last = ngx_copy(b->last, passwd.data, passwd.len); *b->last++ = CR; *b->last++ = LF; + if (s->salt.len) { + b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1); + b->last = ngx_copy(b->last, s->salt.data, s->salt.len); + + s->passwd.data = NULL; + } + b->last = ngx_cpymem(b->last, "Auth-Protocol: ", sizeof("Auth-Protocol: ") - 1); b->last = ngx_cpymem(b->last, ngx_imap_auth_http_protocol[s->protocol], diff --git a/src/imap/ngx_imap_core_module.c b/src/imap/ngx_imap_core_module.c index af50ad6cc..3ae370a5d 100644 --- a/src/imap/ngx_imap_core_module.c +++ b/src/imap/ngx_imap_core_module.c 
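Review bot: The length computation in ngx_imap_auth_http_create_request still reserves `sizeof("Auth-Method: plain" CRLF) - 1`, while the Auth-Method hunk below now copies `ngx_imap_auth_http_method[s->auth_method]`. The reservation is sufficient only because no name in the table is longer than `plain`; a longer entry added later would write past the computed size. Size it from the same table: `+ sizeof("Auth-Method: ") - 1 + ngx_imap_auth_http_method[s->auth_method].len + sizeof(CRLF) - 1`. The `Auth-Salt` term likewise counts no CRLF of its own and relies on `s->salt` ending in one, which deserves a comment.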
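Review bot: The `Auth-Salt` block is gated on `s->salt.len` alone, and ngx_imap_init_session sets the salt for every POP3 session once APOP is enabled, so a client that logs in with USER/PASS also gets `s->passwd.data = NULL` here. ngx_imap_auth_http_process_headers then ends the session with "did not send password" unless the auth server returns `Auth-Pass` for plain logins as well. If that is not intended, gate on the method: `if (s->auth_method == NGX_IMAP_AUTH_APOP && s->salt.len) {`. Clearing `s->passwd.data` inside a request builder is a hidden side effect and should carry a comment, e.g. `/* the password for the backend login must come from the auth server reply */`.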
@@ -45,6 +45,13 @@ static ngx_str_t ngx_imap_default_capabilities[] = { }; +static ngx_conf_bitmask_t ngx_imap_auth_methods[] = { + { ngx_string("plain"), NGX_IMAP_AUTH_PLAIN_ENABLED }, + { ngx_string("apop"), NGX_IMAP_AUTH_APOP_ENABLED }, + { ngx_null_string, 0 } +}; + + static ngx_command_t ngx_imap_core_commands[] = { { ngx_string("server"), @@ -103,6 +110,20 @@ static ngx_command_t ngx_imap_core_commands[] = { offsetof(ngx_imap_core_srv_conf_t, imap_capabilities), NULL }, + { ngx_string("server_name"), + NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_IMAP_SRV_CONF_OFFSET, + offsetof(ngx_imap_core_srv_conf_t, server_name), + NULL }, + + { ngx_string("auth"), + NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_1MORE, + ngx_conf_set_bitmask_slot, + NGX_IMAP_SRV_CONF_OFFSET, + offsetof(ngx_imap_core_srv_conf_t, auth_methods), + &ngx_imap_auth_methods }, + ngx_null_command }; @@ -210,6 +231,30 @@ ngx_imap_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_value(conf->so_keepalive, prev->so_keepalive, 0); + ngx_conf_merge_bitmask_value(conf->auth_methods, prev->auth_methods, + (NGX_CONF_BITMASK_SET|NGX_IMAP_AUTH_PLAIN_ENABLED)); + + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + + if (conf->server_name.len == 0) { + conf->server_name.data = ngx_palloc(cf->pool, NGX_MAXHOSTNAMELEN); + if (conf->server_name.data == NULL) { + return NGX_CONF_ERROR; + } + + if (gethostname((char *) conf->server_name.data, NGX_MAXHOSTNAMELEN) + == -1) + { + ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, + "gethostname() failed"); + return NGX_CONF_ERROR; + } + + conf->server_name.len = ngx_strlen(conf->server_name.data); + } + + if (conf->pop3_capabilities.nelts == 0) { conf->pop3_capabilities = prev->pop3_capabilities; } diff --git a/src/imap/ngx_imap_handler.c b/src/imap/ngx_imap_handler.c index 4a4c2c7cd..bb92b36df 100644 --- a/src/imap/ngx_imap_handler.c +++ b/src/imap/ngx_imap_handler.c 
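Review bot: In ngx_imap_core_merge_srv_conf the buffer handed to `gethostname()` is exactly NGX_MAXHOSTNAMELEN bytes and `ngx_strlen()` runs on it immediately afterwards, but POSIX leaves it unspecified whether a truncated name is NUL-terminated. A host name at or above that length could make `ngx_strlen()` read past the allocation. Terminate the buffer before measuring it: `conf->server_name.data[NGX_MAXHOSTNAMELEN - 1] = '\0';`. This default also places the machine's host name in the POP3 greeting sent before authentication, which is worth stating in the `server_name` directive documentation.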
@@ -233,6 +233,7 @@ ngx_imap_ssl_handshake_handler(ngx_connection_t *c) static void ngx_imap_init_session(ngx_connection_t *c) { + u_char *p; ngx_imap_session_t *s; ngx_imap_core_srv_conf_t *cscf; @@ -253,6 +254,35 @@ ngx_imap_init_session(ngx_connection_t *c) s->out = greetings[s->protocol]; + if ((cscf->auth_methods & NGX_IMAP_AUTH_APOP_ENABLED) + && s->protocol == NGX_IMAP_POP3_PROTOCOL) + { + s->salt.data = ngx_palloc(c->pool, + sizeof(" <18446744073709551616.@>" CRLF) - 1 + + NGX_TIME_T_LEN + + cscf->server_name.len); + if (s->salt.data == NULL) { + ngx_imap_session_internal_server_error(s); + return; + } + + s->salt.len = ngx_sprintf(s->salt.data, "<%ul.%T@%V>" CRLF, + ngx_random(), ngx_time(), &cscf->server_name) + - s->salt.data; + + s->out.data = ngx_palloc(c->pool, greetings[0].len + 1 + s->salt.len); + if (s->out.data == NULL) { + ngx_imap_session_internal_server_error(s); + return; + } + + p = ngx_cpymem(s->out.data, greetings[0].data, greetings[0].len - 2); + *p++ = ' '; + p = ngx_cpymem(p, s->salt.data, s->salt.len); + + s->out.len = p - s->out.data; + } + ngx_add_timer(c->read, cscf->timeout); if (ngx_handle_read_event(c->read, 0) == NGX_ERROR) { 
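Review bot: The greeting in ngx_imap_init_session is rebuilt from `greetings[0]` although the branch is selected by `s->protocol == NGX_IMAP_POP3_PROTOCOL`, and `greetings[0].len - 2` assumes without saying so that the stock greeting ends in CRLF. Both hold only while POP3 is index 0 and the greeting text keeps its line ending. Using `greetings[s->protocol]` and adding a comment such as `/* drop the greeting's CRLF; the salt carries its own */` would make the size arithmetic checkable by a reader. The function continues beyond the hunk.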
@@ -726,6 +756,56 @@ ngx_pop3_auth_state(ngx_event_t *rev) text = cscf->pop3_capability.data; break; + case NGX_POP3_APOP: + cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); + + if ((cscf->auth_methods & NGX_IMAP_AUTH_APOP_ENABLED) + && s->args.nelts == 2) + { + arg = s->args.elts; + + s->login.len = arg[0].len; + s->login.data = ngx_palloc(c->pool, s->login.len); + if (s->login.data == NULL) { + ngx_imap_session_internal_server_error(s); + return; + } + + ngx_memcpy(s->login.data, arg[0].data, s->login.len); + + s->passwd.len = arg[1].len; + s->passwd.data = ngx_palloc(c->pool, s->passwd.len); + if (s->passwd.data == NULL) { + ngx_imap_session_internal_server_error(s); + return; + } + + ngx_memcpy(s->passwd.data, arg[1].data, s->passwd.len); + + ngx_log_debug2(NGX_LOG_DEBUG_IMAP, c->log, 0, + "pop3 apop: \"%V\" \"%V\"", + &s->login, &s->passwd); + + s->auth_method = NGX_IMAP_AUTH_APOP; + + s->args.nelts = 0; + s->buffer->pos = s->buffer->start; + s->buffer->last = s->buffer->start; + + if (rev->timer_set) { + ngx_del_timer(rev); + } + + ngx_imap_auth_http_init(s); + + return; + + } else { + rc = NGX_IMAP_PARSE_INVALID_COMMAND; + } + + break; + case NGX_POP3_QUIT: s->quit = 1; break; @@ -763,8 +843,6 @@ ngx_pop3_auth_state(ngx_event_t *rev) case NGX_POP3_PASS: if (s->args.nelts == 1) { - /* STUB */ s->imap_state = ngx_pop3_start; - arg = s->args.elts; s->passwd.len = arg[0].len; s->passwd.data = ngx_palloc(c->pool, s->passwd.len); diff --git a/src/imap/ngx_imap_parse.c b/src/imap/ngx_imap_parse.c index eea4550a8..6256cc863 100644 --- a/src/imap/ngx_imap_parse.c +++ b/src/imap/ngx_imap_parse.c @@ -429,6 +429,10 @@ ngx_int_t ngx_pop3_parse_command(ngx_imap_session_t *s) { s->command = NGX_POP3_PASS; + } else if (c0 == 'A' && c1 == 'P' && c2 == 'O' && c3 == 'P') + { + s->command = NGX_POP3_APOP; + } else if (c0 == 'Q' && c1 == 'U' && c2 == 'I' && c3 == 'T') { s->command = NGX_POP3_QUIT; 
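Review bot: The APOP case in ngx_pop3_auth_state writes both arguments to the debug log with `"pop3 apop: \"%V\" \"%V\""`, and the second one is the client's digest, which is credential material for that challenge. Log the login only: `ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 apop: \"%V\"", &s->login);`. The digest is also forwarded to the auth server with no shape check; RFC 1939 defines it as 32 hexadecimal characters, so rejecting `arg[1].len != 32` with NGX_IMAP_PARSE_INVALID_COMMAND keeps malformed input away from the auth backend. The switch this case belongs to starts and ends outside the hunk.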
@@ -496,12 +500,20 @@ ngx_int_t ngx_pop3_parse_command(ngx_imap_session_t *s) case sw_argument: switch (ch) { - /* - * the space should be considered part of the at username - * or password, but not of argument in other commands - * - * case ' ': - */ + case ' ': + + /* + * the space should be considered as part of the at username + * or password, but not of argument in other commands + */ + + if (s->command == NGX_POP3_USER + || s->command == NGX_POP3_PASS) + { + break; + } + + /* fall through */ case CR: case LF: diff --git a/src/os/unix/ngx_posix_init.c b/src/os/unix/ngx_posix_init.c index a44a89cb8..4844ae52f 100644 --- a/src/os/unix/ngx_posix_init.c +++ b/src/os/unix/ngx_posix_init.c @@ -61,6 +61,8 @@ ngx_os_init(ngx_log_t *log) ngx_inherited_nonblocking = 0; #endif + srandom(ngx_time()); + return NGX_OK; } diff --git a/src/os/win32/ngx_win32_config.h b/src/os/win32/ngx_win32_config.h index eecf10589..696280a10 100644 --- a/src/os/win32/ngx_win32_config.h +++ b/src/os/win32/ngx_win32_config.h @@ -171,4 +171,7 @@ typedef int sig_atomic_t; #endif +#define ngx_random rand + + #endif /* _NGX_WIN32_CONFIG_H_INCLUDED_ */
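Review bot: The comment inside the new `case ' ':` in ngx_pop3_parse_command reads "as part of the at username or password", which is garbled and does not describe the branch below it. I would reword it as `/* a space belongs to the argument of USER and PASS; in any other command it ends the argument */`. Because the `break` for USER/PASS and the fall through to the CR/LF case now decide how APOP's two arguments are split, it is also worth confirming that consecutive spaces cannot produce empty arguments; the CR/LF case body is outside the hunk.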