1 #ifndef CLIENT_COMMON_H
2 #define CLIENT_COMMON_H
3 
4 struct module;
5 
6 #include "net.h"
7 #include "login-proxy.h"
8 #include "sasl-server.h"
9 #include "master-login.h" /* for LOGIN_MAX_SESSION_ID_LEN */
10 
/* Fixed upper bounds for the pieces of login state that are handed on
   towards the master/auth side. NOTE(review): master-login.h is included
   above "for LOGIN_MAX_SESSION_ID_LEN", yet the same macro is defined here
   as well — confirm the two definitions agree (or that the other one no
   longer exists), otherwise this is a silent redefinition. */
#define LOGIN_MAX_SESSION_ID_LEN 64
#define LOGIN_MAX_MASTER_PREFIX_LEN 128
#define LOGIN_MAX_CLIENT_ID_LEN 256

/* max. size of input buffer. this means:

   IMAP: Max. length of command's all parameters. SASL-IR is read into
         a separate larger buffer.
   POP3: Max. length of a command line (spec says 512 would be enough)

   The value is not a free constant: it is MASTER_AUTH_MAX_DATA_SIZE with
   room reserved for the master data prefix and the session ID, presumably
   because all three travel in one master auth message. Keep the three
   limits in step if any of them is changed; raising this one on its own
   would let oversized requests reach the master. */
#define LOGIN_MAX_INBUF_SIZE \
	(MASTER_AUTH_MAX_DATA_SIZE - LOGIN_MAX_MASTER_PREFIX_LEN - \
	 LOGIN_MAX_SESSION_ID_LEN)
/* max. size of output buffer. if it gets full, the client is disconnected.
   SASL authentication gives the largest output. (Disconnecting rather than
   growing the buffer keeps a slow-reading client from pinning memory.) */
#define LOGIN_MAX_OUTBUF_SIZE 4096

/* Max. length of SASL authentication buffer. Note this is larger than
   LOGIN_MAX_OUTBUF_SIZE, so a single SASL exchange does not necessarily
   fit in one flush of the output buffer. */
#define LOGIN_MAX_AUTH_BUF_SIZE 8192

/* Disconnect client after this many milliseconds if it hasn't managed
   to log in yet. This bounds how long an unauthenticated connection can
   hold a login process slot. */
#define CLIENT_LOGIN_TIMEOUT_MSECS (MASTER_LOGIN_TIMEOUT_SECS*1000)

/* Status texts shown to the client while waiting on the auth / master
   processes (see client_set_auth_waiting()). */
#define AUTH_SERVER_WAITING_MSG \
	"Waiting for authentication process to respond.."
#define AUTH_MASTER_WAITING_MSG \
	"Waiting for authentication master process to respond.."

/* Client logged out without having successfully authenticated. */
#define CLIENT_UNAUTHENTICATED_LOGOUT_MSG \
	"Aborted login by logging out"
43 
44 struct master_service_connection;
45 
/* Why the server side is dropping a client that has not logged in yet.
   Handed to the notify_disconnect vfunc / client_notify_disconnect() so
   the protocol implementation can word its final message. */
enum client_disconnect_reason {
	/* presumably CLIENT_LOGIN_TIMEOUT_MSECS elapsed without a login */
	CLIENT_DISCONNECT_TIMEOUT,
	CLIENT_DISCONNECT_SYSTEM_SHUTDOWN,
	/* e.g. connection limits; presumably what client_destroy_oldest()
	   reports when it evicts a client */
	CLIENT_DISCONNECT_RESOURCE_CONSTRAINT,
	CLIENT_DISCONNECT_INTERNAL_ERROR
};
52 
/* Machine-readable reason for the most recent authentication failure.
   Stored in client_auth_reply.fail_code and client.last_auth_fail; most
   values have a counterpart in enum client_auth_result below. NONE is 0
   so zero-initialized structures read as "no failure". */
enum client_auth_fail_code {
	CLIENT_AUTH_FAIL_CODE_NONE = 0,
	/* authenticated, but not authorized to act as the requested user */
	CLIENT_AUTH_FAIL_CODE_AUTHZFAILED,
	/* transient failure on the server side; the client may retry */
	CLIENT_AUTH_FAIL_CODE_TEMPFAIL,
	CLIENT_AUTH_FAIL_CODE_USER_DISABLED,
	CLIENT_AUTH_FAIL_CODE_PASS_EXPIRED,
	/* malformed SASL response from the client, not a credential failure */
	CLIENT_AUTH_FAIL_CODE_INVALID_BASE64,
	CLIENT_AUTH_FAIL_CODE_LOGIN_DISABLED,
	CLIENT_AUTH_FAIL_CODE_MECH_INVALID,
	/* the mechanism is allowed only over TLS (see sasl_filter_mech) */
	CLIENT_AUTH_FAIL_CODE_MECH_SSL_REQUIRED,
	CLIENT_AUTH_FAIL_CODE_ANONYMOUS_DENIED,
};
65 
/* Outcome delivered to the auth_result vfunc together with the parsed
   client_auth_reply. Unlike client_auth_fail_code this also covers the
   success and referral cases. */
enum client_auth_result {
	CLIENT_AUTH_RESULT_SUCCESS,
	/* presumably: auth succeeded and a referral host was returned */
	CLIENT_AUTH_RESULT_REFERRAL_SUCCESS,
	CLIENT_AUTH_RESULT_REFERRAL_NOLOGIN,
	CLIENT_AUTH_RESULT_ABORTED,
	/* generic failure; the text given to the client should stay generic
	   so it does not leak whether the user exists */
	CLIENT_AUTH_RESULT_AUTHFAILED,
	/* failure with an explicit reason string (client_auth_reply.reason) */
	CLIENT_AUTH_RESULT_AUTHFAILED_REASON,
	CLIENT_AUTH_RESULT_AUTHZFAILED,
	CLIENT_AUTH_RESULT_TEMPFAIL,
	CLIENT_AUTH_RESULT_PASS_EXPIRED,
	/* plaintext authentication refused on an unsecured connection */
	CLIENT_AUTH_RESULT_SSL_REQUIRED,
	CLIENT_AUTH_RESULT_INVALID_BASE64,
	CLIENT_AUTH_RESULT_LOGIN_DISABLED,
	CLIENT_AUTH_RESULT_MECH_INVALID,
	CLIENT_AUTH_RESULT_MECH_SSL_REQUIRED,
	CLIENT_AUTH_RESULT_ANONYMOUS_DENIED
};
83 
/* Which of the module's linked lists a client is currently threaded on
   (client.list_type). The flag combinations noted per value are what the
   list invariants expect; a client is on at most one list at a time. */
enum client_list_type {
	CLIENT_LIST_TYPE_NONE = 0,
	/* clients (disconnected=FALSE, fd_proxying=FALSE, destroyed=FALSE) */
	CLIENT_LIST_TYPE_ACTIVE,
	/* destroyed_clients (destroyed=TRUE, fd_proxying=FALSE). Either the
	   client will soon be freed or it's only referenced via
	   "login_proxies". */
	CLIENT_LIST_TYPE_DESTROYED,
	/* client_fd_proxies (fd_proxying=TRUE) */
	CLIENT_LIST_TYPE_FD_PROXY,
};
95 
/* Parsed authentication reply as handed to the auth_result vfunc.
   NOTE(review): the strings presumably point into the auth reply and are
   only valid during the callback — confirm before caching any of them. */
struct client_auth_reply {
	/* master_user is presumably set for master-user logins; reason, when
	   non-NULL, is the explanation used with
	   CLIENT_AUTH_RESULT_AUTHFAILED_REASON */
	const char *master_user, *reason;
	enum client_auth_fail_code fail_code;

	/* for proxying: where to connect and how to authenticate there.
	   These presumably come from the passdb reply (see all_fields), i.e.
	   they are server-side configuration rather than client input — but
	   that makes the passdb backend part of the trust boundary, and
	   "password" is a live backend credential that must not be logged. */
	const char *host, *hostip, *source_ip;
	const char *destuser, *password, *proxy_mech;
	in_port_t port;
	unsigned int proxy_timeout_msecs;
	unsigned int proxy_refresh_secs;
	unsigned int proxy_host_immediate_failure_after_secs;
	/* TLS requirements for the connection to the backend */
	enum login_proxy_ssl_flags ssl_flags;

	/* all the key=value fields returned by passdb */
	const char *const *all_fields;

	bool proxy:1;
	/* proxy_noauth: presumably do not authenticate to the backend;
	   proxy_nopipelining: do not pipeline the backend login;
	   proxy_not_trusted: presumably the backend must not accept
	   forwarded client details from us as trusted — confirm against
	   the proxy code before relying on either reading */
	bool proxy_noauth:1;
	bool proxy_nopipelining:1;
	bool proxy_not_trusted:1;
	/* authentication succeeded but the login is still refused
	   (cf. CLIENT_AUTH_RESULT_REFERRAL_NOLOGIN) */
	bool nologin:1;
};
118 
/* Protocol-specific hooks (IMAP, POP3, ...) behind the common login
   client. The client_*() functions declared below are the common entry
   points; several of them presumably dispatch through this table, and
   plugins may wrap individual entries (see union login_client_module_context
   and client.vlast). */
struct client_vfuncs {
	/* allocate the protocol's client struct from pool */
	struct client *(*alloc)(pool_t pool);
	void (*create)(struct client *client, void **other_sets);
	void (*destroy)(struct client *client);
	void (*notify_auth_ready)(struct client *client);
	void (*notify_disconnect)(struct client *client,
				  enum client_disconnect_reason reason,
				  const char *text);
	/* bad=TRUE marks an error/negative status line */
	void (*notify_status)(struct client *client,
			      bool bad, const char *text);
	void (*notify_starttls)(struct client *client,
				bool success, const char *text);
	void (*starttls)(struct client *client);
	/* NULL here means the protocol does its own reading; see
	   client_does_custom_io() */
	void (*input)(struct client *client);
	/* return FALSE to hide a SASL mechanism from this client, e.g. one
	   that is only allowed over TLS */
	bool (*sasl_filter_mech)(struct client *client,
				 struct auth_mech_desc *mech);
	/* final protocol-level gate before authentication starts */
	bool (*sasl_check_login)(struct client *client);
	void (*auth_send_challenge)(struct client *client, const char *data);
	void (*auth_parse_response)(struct client *client);
	/* text is the message to show the client for this result */
	void (*auth_result)(struct client *client,
			    enum client_auth_result result,
			    const struct client_auth_reply *reply,
			    const char *text);
	void (*proxy_reset)(struct client *client);
	/* one line from the backend during proxy login; the return value's
	   meaning is not visible here — presumably <0 error, 0 continue,
	   >0 done */
	int (*proxy_parse_line)(struct client *client, const char *line);
	void (*proxy_failed)(struct client *client,
			     enum login_proxy_failure_type type,
			     const char *reason, bool reconnecting);
	const char *(*proxy_get_state)(struct client *client);
	void (*send_raw_data)(struct client *client,
			      const void *data, size_t size);
	bool (*input_next_cmd)(struct client *client);
	void (*free)(struct client *client);
};
153 
/* Per-connection state of a client that has not completed login. Each
   instance sits on at most one of the lists named by list_type and is
   kept alive by refcount (client_ref()/client_unref()). */
struct client {
	struct client *prev, *next;
	/* Specifies which linked list the client is in */
	enum client_list_type list_type;

	pool_t pool;
	/* this pool gets free'd once proxying starts */
	pool_t preproxy_pool;
	/* protocol hooks; vlast presumably points at the innermost table so
	   plugins that override entries can chain to the previous one */
	struct client_vfuncs v;
	struct client_vfuncs *vlast;

	struct timeval created;
	int refcount;
	struct event *event;

	/* Two address/port pairs are kept. NOTE(review): the real_* ones are
	   presumably what the socket reports, while ip/local_ip may have been
	   overridden (e.g. by an upstream proxy). Any logging, rate limiting
	   or authorization keyed on the address must use the intended pair,
	   and an override should only be honored when "trusted" is set —
	   confirm in the code that fills these in. */
	struct ip_addr local_ip;
	struct ip_addr ip;
	struct ip_addr real_remote_ip, real_local_ip;
	in_port_t local_port, remote_port;
	in_port_t real_local_port, real_remote_port;
	/* non-NULL once TLS is active on the connection (presumably) */
	struct ssl_iostream *ssl_iostream;
	/* settings are referenced, not copied; see client_alloc() */
	const struct login_settings *set;
	const struct master_service_ssl_settings *ssl_set;
	const struct master_service_ssl_server_settings *ssl_server_set;
	const char *session_id, *listener_name, *postlogin_socket_path;
	/* SNI / local name the client connected to, if any */
	const char *local_name;
	/* CN of the client certificate; presumably NULL when none was
	   presented or verification failed — confirm in client_init_ssl() */
	const char *client_cert_common_name;

	string_t *client_id;
	/* key=value pairs collected via client_add_forward_field() */
	string_t *forward_fields;

	int fd;
	struct istream *input;
	struct ostream *output;
	struct io *io;
	struct iostream_proxy *iostream_fd_proxy;
	struct timeout *to_auth_waiting;
	struct timeout *to_disconnect;

	/* Opaque bytes presumably sent ahead of the buffered input to the
	   master. The length is expected to stay within
	   LOGIN_MAX_MASTER_PREFIX_LEN, which LOGIN_MAX_INBUF_SIZE already
	   reserves room for. */
	unsigned char *master_data_prefix;
	unsigned int master_data_prefix_len;

	/* Proxying state. NOTE(review): proxy_password is an owned copy of
	   the backend credential; confirm it is wiped (safe_memset or
	   equivalent) before being freed rather than just free()'d, and that
	   it never reaches the event/log fields. */
	struct login_proxy *login_proxy;
	char *proxy_user, *proxy_master_user, *proxy_password;
	const struct dsasl_client_mech *proxy_mech;
	struct dsasl_client *proxy_sasl_client;
	unsigned int proxy_ttl;

	/* current SASL exchange with the auth process */
	char *auth_mech_name;
	struct auth_client_request *auth_request;
	string_t *auth_response;
	time_t auth_first_started, auth_finished;
	const char *sasl_final_resp;
	/* extra passdb fields from the successful auth */
	const char *const *auth_passdb_args;
	struct anvil_query *anvil_query;
	struct anvil_request *anvil_request;

	unsigned int master_auth_id;
	unsigned int master_tag;
	sasl_server_callback_t *sasl_callback;

	/* counters for misbehaving clients; presumably feed the delays /
	   disconnect decisions after repeated failures */
	unsigned int bad_counter;
	unsigned int auth_attempts, auth_successes;
	enum client_auth_fail_code last_auth_fail;
	pid_t mail_pid;

	/* Module-specific contexts. */
	ARRAY(union login_client_module_context *) module_contexts;

	char *virtual_user, *virtual_user_orig, *virtual_auth_user;
	/* passdb user_* fields are set here after a successful auth.
	   This is a NULL-terminated array where fields are in the same order
	   as in global_alt_usernames. If some field doesn't exist, it's "".
	   Can also be NULL if there are no user_* fields. */
	const char **alt_usernames;
	/* director_username_hash cached, if non-zero */
	unsigned int director_username_hash_cache;

	bool create_finished:1;
	bool disconnected:1;
	bool destroyed:1;
	bool input_blocked:1;
	bool login_success:1;
	bool no_extra_disconnect_reason:1;
	/* Transport security. NOTE(review): tls / ssl_secured presumably
	   mean TLS is active on this socket, "secured" a broader notion
	   (e.g. also a connection considered secure without TLS), and
	   proxied_ssl that TLS was terminated upstream. Policy checks such as
	   client_check_plaintext_auth() must key off the right flag — confirm
	   which one each check reads. */
	bool starttls:1;
	bool tls:1;
	bool proxied_ssl:1;
	bool secured:1;
	bool ssl_secured:1;
	/* the peer is allowed to supply forwarded client information
	   (presumably; see proxy_not_trusted) */
	bool trusted:1;
	bool ssl_servername_settings_read:1;
	bool banner_sent:1;
	bool authenticating:1;
	bool auth_try_aborted:1;
	bool auth_initializing:1;
	bool auth_process_comm_fail:1;
	bool auth_anonymous:1;
	bool proxy_auth_failed:1;
	bool proxy_noauth:1;
	bool proxy_nopipelining:1;
	bool proxy_not_trusted:1;
	bool auth_waiting:1;
	bool notified_auth_ready:1;
	bool notified_disconnect:1;
	bool fd_proxying:1;
	/* ... */
};
261 
/* Element type of client.module_contexts. Presumably a plugin stores the
   vfunc table it wrapped in "super" so it can chain to the original
   implementation, and "reg" identifies the owning module. */
union login_client_module_context {
	struct client_vfuncs super;
	struct login_module_register *reg;
};
266 
/* Hooks a module can register with login_client_hooks_add(); invoked when
   a client is allocated, before protocol-specific setup (presumably). */
struct login_client_hooks {
	void (*client_allocated)(struct client *client);
};
270 
/* Head of the active client list (CLIENT_LIST_TYPE_ACTIVE). */
extern struct client *clients;

typedef void login_client_allocated_func_t(struct client *client);

/* Register / unregister allocation hooks on behalf of a module. */
void login_client_hooks_add(struct module *module,
			    const struct login_client_hooks *hooks);
void login_client_hooks_remove(const struct login_client_hooks *hooks);

/* Allocate a client for the accepted connection fd. The settings pointers
   are presumably stored as-is (client.set etc.), so they must outlive the
   client. */
struct client *
client_alloc(int fd, pool_t pool,
	     const struct master_service_connection *conn,
	     const struct login_settings *set,
	     const struct master_service_ssl_settings *ssl_set,
	     const struct master_service_ssl_server_settings *ssl_server_set);
void client_init(struct client *client, void **other_sets);
/* Disconnect with a logged reason. add_disconnected_prefix presumably
   selects whether the log line is prefixed as a disconnect. */
void client_disconnect(struct client *client, const char *reason,
		       bool add_disconnected_prefix);
void client_destroy(struct client *client, const char *reason);
void client_destroy_iostream_error(struct client *client);
/* Destroy the client after a successful login. Either the client fd was
   sent to the post-login process, or the connection will be proxied. */
void client_destroy_success(struct client *client, const char *reason);

/* Reference counting. client_unref() clears *client; its bool return is
   presumably FALSE once the last reference dropped and the client was
   freed (callers may ignore it, per the attribute). */
void client_ref(struct client *client);
bool client_unref(struct client **client) ATTR_NOWARN_UNUSED_RESULT;

/* Start TLS on the connection; <0 on failure (presumably). */
int client_init_ssl(struct client *client);
void client_cmd_starttls(struct client *client);

/* Obtain a plaintext fd for handing the connection on. *close_fd_r tells
   the caller whether it owns (and must close) the returned fd. */
int client_get_plaintext_fd(struct client *client, int *fd_r, bool *close_fd_r);

unsigned int clients_get_count(void) ATTR_PURE;
unsigned int clients_get_fd_proxies_count(void);
struct client *clients_get_first_fd_proxy(void);

/* Append key=value to client->forward_fields. NOTE(review): these are
   forwarded to the backend; confirm the caller only adds values from a
   trusted source (see client.trusted), never raw client input. */
void client_add_forward_field(struct client *client, const char *key,
			      const char *value);
void client_set_title(struct client *client);
const char *client_get_extra_disconnect_reason(struct client *client);

void client_auth_respond(struct client *client, const char *response);
void client_auth_abort(struct client *client);
bool client_is_tls_enabled(struct client *client);
/* Report an authentication failure to the client with the given text. */
void client_auth_fail(struct client *client, const char *text);
const char *client_get_session_id(struct client *client);

/* Read more input; FALSE presumably means nothing more to read now or the
   client was disconnected. */
bool client_read(struct client *client);

/* Generic input handler used when v.input is set. */
void client_input(struct client *client);
320 
/* TRUE when the protocol implementation left its input vfunc unset, which
   presumably means it drives reading from the socket itself instead of
   going through the common client_input() path. */
static inline bool
client_does_custom_io(struct client *client)
{
	bool has_generic_input = client->v.input != NULL;

	return !has_generic_input;
}
326 
/* Notification wrappers; presumably dispatch to the matching vfuncs and
   track the notified_* flags on the client. */
void client_notify_auth_ready(struct client *client);
void client_notify_status(struct client *client, bool bad, const char *text);
void client_notify_disconnect(struct client *client,
			      enum client_disconnect_reason reason,
			      const char *text);

/* Raw output to the client. Output beyond LOGIN_MAX_OUTBUF_SIZE results in
   a disconnect (see the macro's comment). */
void client_send_raw_data(struct client *client, const void *data, size_t size);
void client_send_raw(struct client *client, const char *data);
/* Default implementations protocols can point their vfuncs at. */
void client_common_send_raw_data(struct client *client,
				 const void *data, size_t size);
void client_common_default_free(struct client *client);
void client_common_proxy_failed(struct client *client,
				enum login_proxy_failure_type type,
				const char *reason, bool reconnecting);

/* SASL exchange driver. client_auth_begin() starts mech_name with the
   optional initial response init_resp; the _private variant's difference
   is not visible from this header — check the definition before choosing. */
void client_set_auth_waiting(struct client *client);
void client_auth_send_challenge(struct client *client, const char *data);
void client_auth_parse_response(struct client *client);
int client_auth_begin(struct client *client, const char *mech_name,
		      const char *init_resp);
int client_auth_begin_private(struct client *client, const char *mech_name,
			      const char *init_resp);
/* Policy gate for plaintext mechanisms on connections that are not
   secured. pass_sent presumably tells whether the client already sent a
   password in the clear, so the caller can respond accordingly. Returns
   TRUE when plaintext auth may proceed (presumably). */
bool client_check_plaintext_auth(struct client *client, bool pass_sent);
int client_auth_read_line(struct client *client);

void client_proxy_finish_destroy_client(struct client *client);
/* Log a failed proxy login. NOTE(review): "line" is backend output;
   confirm the logging path cannot echo credentials from the exchange. */
void client_proxy_log_failure(struct client *client, const char *line);
const char *client_proxy_get_state(struct client *client);

void clients_notify_auth_connected(void);
/* Evict the longest-connected client (presumably under connection
   pressure); created_r receives its creation time. */
bool client_destroy_oldest(bool kill, struct timeval *created_r);
void clients_destroy_all(void);
void clients_destroy_all_reason(const char *reason);

void client_destroy_fd_proxies(void);
void client_common_init(void);
void client_common_deinit(void);
364 
365 #endif
366