From: Timo Sirainen Date: Sat, 15 Nov 2008 19:29:59 +0000 (+0200) Subject: Give a different error message if authentication succeeds but authorization fails. X-Git-Tag: 1.2.alpha4~76 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=708ea1c397d89586af66c97d74c907f3f2b95134;p=thirdparty%2Fdovecot%2Fcore.git Give a different error message if authentication succeeds but authorization fails. Added a new "authz" parameter for FAIL result in the auth protocol for this. --HG-- branch : HEAD
---
diff --git a/doc/auth-protocol.txt b/doc/auth-protocol.txt
index 1a6ff5e6d1..bfcebd83c3 100644
--- a/doc/auth-protocol.txt
+++ b/doc/auth-protocol.txt
@@ -111,12 +111,18 @@ AUTH parameters are:
 security holes if user-given data is directly put to base64 string without filtering out tabs.
-FAIL parameters may contain "reason=.." parameter which should be sent to
-remote user instead of a standard "Authentication failed" message. For
-example "invalid base64 data". It should NOT be used to give exact reason
-for authentication failure (ie. "user not found" vs. "password mismatch").
-Sending "temp" parameter indicates that the error was a temporary internal
-failure, eg. connection was lost to SQL database.
+FAIL parameters may contain:
+
+ - reason= : should be sent to remote user instead of the standard
+ "Authentication failed" messages. For example "invalid base64
+ data". It must NOT be used to give exact reason for
+ authentication failure (i.e. "user not found" vs. "password
+ mismatch").
+ - temp : This is a temporary internal failure, e.g. connection was
+ lost to SQL database.
+ - authz : Authentication succeeded, but authorization failed (master
+ user's password was ok, but destnation user was not ok).
+ Added in Dovecot v1.2.
 CONT command means that the authentication continues, and more data is expected from client to finish the authentication. Given base64 data should
@@ -124,7 +130,7 @@ be sent to client.
 FAIL and OK may contain multiple unspecified parameters which authentication client may handle specially. The only one specified here is
-"user=" parameter, which should always be sent if userid is known.
+"user=" parameter, which should always be sent if the userid is known.
 Server <-> Master
diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
index a06e047554..ca481f54e4 100644
--- a/src/auth/auth-request-handler.c
+++ b/src/auth/auth-request-handler.c
@@ -237,8 +237,14 @@ static void auth_callback(struct auth_request *request,
 auth_stream_reply_add(reply, NULL, dec2str(request->id));
 if (request->user != NULL)
 auth_stream_reply_add(reply, "user", request->user);
+
 if (request->internal_failure)
 auth_stream_reply_add(reply, "temp", NULL);
+ else if (request->master_user != NULL) {
+ /* authentication succeeded, but we can't log in
+ as the wanted user */
+ auth_stream_reply_add(reply, "authz", NULL);
+ }
 get_client_extra_fields(request, reply);
 auth_request_handle_failure(request, reply);
diff --git a/src/imap-login/client-authenticate.c b/src/imap-login/client-authenticate.c
index f1a2c379c8..7d6dc4af8a 100644
--- a/src/imap-login/client-authenticate.c
+++ b/src/imap-login/client-authenticate.c
@@ -20,6 +20,8 @@
 #define IMAP_SERVICE_NAME "imap"
 #define IMAP_AUTH_FAILED_MSG "["IMAP_RESP_CODE_AUTHFAILED"] "AUTH_FAILED_MSG
+#define IMAP_AUTHZ_FAILED_MSG \
+ "["IMAP_RESP_CODE_AUTHZFAILED"] Authorization failed"
 const char *client_authenticate_get_capabilities(bool secured)
 {
@@ -95,6 +97,7 @@ static bool client_handle_args(struct imap_client *client,
 string_t *reply;
 unsigned int port = 143;
 bool proxy = FALSE, temp = FALSE, nologin = !success, proxy_self;
+ bool authz_failure = FALSE;
 for (; *args != NULL; args++) {
 if (strcmp(*args, "nologin") == 0)
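Review bot: The new `else if (request->master_user != NULL)` branch reports `authz` for every non-internal failure in which a master user is recorded, so the comment's claim that authentication succeeded holds only if `master_user` is assigned exclusively after the master passdb has accepted the credentials; that is not visible in this hunk and should be stated as a precondition here or where the field is set. Because the login client now turns this flag into a distinct "Authorization failed" message, the FAIL reply deliberately reveals that the master credentials were correct even though the requested user was rejected, which is worth recording so a later reader does not mistake it for an accidental leak, e.g. `/* master passdb accepted the credentials but the requested login user was rejected; unlike ordinary failures the client is told this on purpose (authz) */`. auth_callback's body continues outside the hunk.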
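Review bot: `IMAP_AUTHZ_FAILED_MSG` hard-codes the "Authorization failed" wording, whereas the neighbouring `IMAP_AUTH_FAILED_MSG` takes its text from the shared `AUTH_FAILED_MSG` macro (and the later `AUTH_TEMP_FAILED_MSG` use follows the same pattern); moving the wording into a shared macro (say `AUTHZ_FAILED_MSG`) and writing `#define IMAP_AUTHZ_FAILED_MSG "["IMAP_RESP_CODE_AUTHZFAILED"] "AUTHZ_FAILED_MSG` would keep the message in one place for any other login service that later learns the `authz` parameter. `IMAP_RESP_CODE_AUTHZFAILED` is not introduced by this patch, so it is presumably already provided by the header that defines `IMAP_RESP_CODE_AUTHFAILED`; worth confirming it exists before this is merged.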
@@ -103,6 +106,8 @@ static bool client_handle_args(struct imap_client *client,
 proxy = TRUE;
 else if (strcmp(*args, "temp") == 0)
 temp = TRUE;
+ else if (strcmp(*args, "authz") == 0)
+ authz_failure = TRUE;
 else if (strncmp(*args, "reason=", 7) == 0)
 reason = *args + 7;
 else if (strncmp(*args, "host=", 5) == 0)
@@ -183,6 +188,8 @@ static bool client_handle_args(struct imap_client *client,
 else if (temp || proxy_self) {
 str_append(reply, "NO ["IMAP_RESP_CODE_UNAVAILABLE"] "
 AUTH_TEMP_FAILED_MSG);
+ } else if (authz_failure) {
+ str_append(reply, "NO "IMAP_AUTHZ_FAILED_MSG);
 } else {
 str_append(reply, "NO "IMAP_AUTH_FAILED_MSG);
 }