/* * Copyright (C) Igor Sysoev */ #include #include #include #include static void ngx_imap_init_session(ngx_connection_t *c); static void ngx_imap_init_protocol(ngx_event_t *rev); static ngx_int_t ngx_imap_decode_auth_plain(ngx_imap_session_t *s, ngx_str_t *encoded); static void ngx_imap_do_auth(ngx_imap_session_t *s); static ngx_int_t ngx_imap_read_command(ngx_imap_session_t *s); static u_char *ngx_imap_log_error(ngx_log_t *log, u_char *buf, size_t len); #if (NGX_IMAP_SSL) static void ngx_imap_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c); static void ngx_imap_ssl_handshake_handler(ngx_connection_t *c); #endif static ngx_str_t greetings[] = { ngx_string("+OK POP3 ready" CRLF), ngx_string("* OK IMAP4 ready" CRLF) }; static ngx_str_t internal_server_errors[] = { ngx_string("-ERR internal server error" CRLF), ngx_string("* BAD internal server error" CRLF), }; static u_char pop3_ok[] = "+OK" CRLF; static u_char pop3_next[] = "+ " CRLF; static u_char pop3_username[] = "+ VXNlcm5hbWU6" CRLF; static u_char pop3_password[] = "+ UGFzc3dvcmQ6" CRLF; static u_char pop3_invalid_command[] = "-ERR invalid command" CRLF; static u_char imap_star[] = "* "; static u_char imap_ok[] = "OK completed" CRLF; static u_char imap_next[] = "+ OK" CRLF; static u_char imap_bye[] = "* BYE" CRLF; static u_char imap_invalid_command[] = "BAD invalid command" CRLF; void ngx_imap_init_connection(ngx_connection_t *c) { in_addr_t in_addr; socklen_t len; ngx_uint_t i; struct sockaddr_in sin; ngx_imap_log_ctx_t *ctx; ngx_imap_in_port_t *imip; ngx_imap_in_addr_t *imia; ngx_imap_session_t *s; #if (NGX_IMAP_SSL) ngx_imap_ssl_conf_t *sslcf; #endif /* find the server configuration for the address:port */ /* AF_INET only */ imip = c->listening->servers; imia = imip->addrs; i = 0; if (imip->naddrs > 1) { /* * There are several addresses on this port and one of them * is the "*:port" wildcard so getsockname() is needed to determine * the server address. * * AcceptEx() already gave this address. */ #if (NGX_WIN32) if (c->local_sockaddr) { in_addr = ((struct sockaddr_in *) c->local_sockaddr)->sin_addr.s_addr; } else #endif { len = sizeof(struct sockaddr_in); if (getsockname(c->fd, (struct sockaddr *) &sin, &len) == -1) { ngx_connection_error(c, ngx_socket_errno, "getsockname() failed"); ngx_imap_close_connection(c); return; } in_addr = sin.sin_addr.s_addr; } /* the last address is "*" */ for ( /* void */ ; i < imip->naddrs - 1; i++) { if (in_addr == imia[i].addr) { break; } } } s = ngx_pcalloc(c->pool, sizeof(ngx_imap_session_t)); if (s == NULL) { ngx_imap_close_connection(c); return; } s->main_conf = imia[i].ctx->main_conf; s->srv_conf = imia[i].ctx->srv_conf; s->addr_text = &imia[i].addr_text; c->data = s; s->connection = c; ngx_log_error(NGX_LOG_INFO, c->log, 0, "*%ui client %V connected to %V", c->number, &c->addr_text, s->addr_text); ctx = ngx_palloc(c->pool, sizeof(ngx_imap_log_ctx_t)); if (ctx == NULL) { ngx_imap_close_connection(c); return; } ctx->client = &c->addr_text; ctx->session = s; c->log->connection = c->number; c->log->handler = ngx_imap_log_error; c->log->data = ctx; c->log->action = "sending client greeting line"; c->log_error = NGX_ERROR_INFO; #if (NGX_IMAP_SSL) sslcf = ngx_imap_get_module_srv_conf(s, ngx_imap_ssl_module); if (sslcf->enable) { ngx_imap_ssl_init_connection(&sslcf->ssl, c); return; } #endif ngx_imap_init_session(c); } #if (NGX_IMAP_SSL) static void ngx_imap_starttls_handler(ngx_event_t *rev) { ngx_connection_t *c; ngx_imap_session_t *s; ngx_imap_ssl_conf_t *sslcf; c = rev->data; s = c->data; s->starttls = 1; c->log->action = "in starttls state"; sslcf = ngx_imap_get_module_srv_conf(s, ngx_imap_ssl_module); ngx_imap_ssl_init_connection(&sslcf->ssl, c); } static void ngx_imap_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c) { ngx_imap_session_t *s; ngx_imap_core_srv_conf_t *cscf; if (ngx_ssl_create_connection(ssl, c, 0) == NGX_ERROR) { ngx_imap_close_connection(c); return; } if (ngx_ssl_handshake(c) == NGX_AGAIN) { s = c->data; cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); ngx_add_timer(c->read, cscf->timeout); c->ssl->handler = ngx_imap_ssl_handshake_handler; return; } ngx_imap_ssl_handshake_handler(c); } static void ngx_imap_ssl_handshake_handler(ngx_connection_t *c) { ngx_imap_session_t *s; if (c->ssl->handshaked) { s = c->data; if (s->starttls) { c->read->handler = ngx_imap_init_protocol; c->write->handler = ngx_imap_send; ngx_imap_init_protocol(c->read); return; } ngx_imap_init_session(c); return; } ngx_imap_close_connection(c); } #endif static void ngx_imap_init_session(ngx_connection_t *c) { u_char *p; ngx_imap_session_t *s; ngx_imap_core_srv_conf_t *cscf; c->read->handler = ngx_imap_init_protocol; c->write->handler = ngx_imap_send; s = c->data; cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); s->protocol = cscf->protocol; s->ctx = ngx_pcalloc(c->pool, sizeof(void *) * ngx_imap_max_module); if (s->ctx == NULL) { ngx_imap_session_internal_server_error(s); return; } s->out = greetings[s->protocol]; if ((cscf->auth_methods & NGX_IMAP_AUTH_APOP_ENABLED) && s->protocol == NGX_IMAP_POP3_PROTOCOL) { s->salt.data = ngx_palloc(c->pool, sizeof(" <18446744073709551616.@>" CRLF) - 1 + NGX_TIME_T_LEN + cscf->server_name.len); if (s->salt.data == NULL) { ngx_imap_session_internal_server_error(s); return; } s->salt.len = ngx_sprintf(s->salt.data, "<%ul.%T@%V>" CRLF, ngx_random(), ngx_time(), &cscf->server_name) - s->salt.data; s->out.data = ngx_palloc(c->pool, greetings[0].len + 1 + s->salt.len); if (s->out.data == NULL) { ngx_imap_session_internal_server_error(s); return; } p = ngx_cpymem(s->out.data, greetings[0].data, greetings[0].len - 2); *p++ = ' '; p = ngx_cpymem(p, s->salt.data, s->salt.len); s->out.len = p - s->out.data; } ngx_add_timer(c->read, cscf->timeout); if (ngx_handle_read_event(c->read, 0) == NGX_ERROR) { ngx_imap_close_connection(c); } ngx_imap_send(c->write); } void ngx_imap_send(ngx_event_t *wev) { ngx_int_t n; ngx_connection_t *c; ngx_imap_session_t *s; ngx_imap_core_srv_conf_t *cscf; c = wev->data; s = c->data; if (wev->timedout) { ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out"); c->timedout = 1; ngx_imap_close_connection(c); return; } if (s->out.len == 0) { if (ngx_handle_write_event(c->write, 0) == NGX_ERROR) { ngx_imap_close_connection(c); } return; } n = c->send(c, s->out.data, s->out.len); if (n > 0) { s->out.len -= n; if (wev->timer_set) { ngx_del_timer(wev); } if (s->quit) { ngx_imap_close_connection(c); return; } if (s->blocked) { c->read->handler(c->read); } return; } if (n == NGX_ERROR) { ngx_imap_close_connection(c); return; } /* n == NGX_AGAIN */ cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); ngx_add_timer(c->write, cscf->timeout); if (ngx_handle_write_event(c->write, 0) == NGX_ERROR) { ngx_imap_close_connection(c); return; } } static void ngx_imap_init_protocol(ngx_event_t *rev) { size_t size; ngx_connection_t *c; ngx_imap_session_t *s; ngx_imap_core_srv_conf_t *cscf; c = rev->data; c->log->action = "in auth state"; if (rev->timedout) { ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out"); c->timedout = 1; ngx_imap_close_connection(c); return; } s = c->data; if (s->protocol == NGX_IMAP_POP3_PROTOCOL) { size = 128; s->imap_state = ngx_pop3_start; c->read->handler = ngx_pop3_auth_state; } else { cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); size = cscf->imap_client_buffer_size; s->imap_state = ngx_imap_start; c->read->handler = ngx_imap_auth_state; } if (s->buffer == NULL) { if (ngx_array_init(&s->args, c->pool, 2, sizeof(ngx_str_t)) == NGX_ERROR) { ngx_imap_session_internal_server_error(s); return; } s->buffer = ngx_create_temp_buf(c->pool, size); if (s->buffer == NULL) { ngx_imap_session_internal_server_error(s); return; } } c->read->handler(rev); } void ngx_imap_auth_state(ngx_event_t *rev) { u_char *text, *last, *p, *dst, *src, *end; ssize_t text_len, last_len; ngx_str_t *arg; ngx_int_t rc; ngx_uint_t tag, i; ngx_connection_t *c; ngx_imap_session_t *s; ngx_imap_core_srv_conf_t *cscf; #if (NGX_IMAP_SSL) ngx_imap_ssl_conf_t *sslcf; #endif c = rev->data; s = c->data; ngx_log_debug0(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap auth state"); if (rev->timedout) { ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out"); c->timedout = 1; ngx_imap_close_connection(c); return; } if (s->out.len) { ngx_log_debug0(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap send handler busy"); s->blocked = 1; return; } s->blocked = 0; rc = ngx_imap_read_command(s); ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap auth: %i", rc); if (rc == NGX_AGAIN || rc == NGX_ERROR) { return; } tag = 1; text = NULL; text_len = 0; last = imap_ok; last_len = sizeof(imap_ok) - 1; if (rc == NGX_OK) { ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap auth command: %i", s->command); if (s->backslash) { arg = s->args.elts; for (i = 0; i < s->args.nelts; i++) { dst = arg[i].data; end = dst + arg[i].len; for (src = dst; src < end; dst++) { *dst = *src; if (*src++ == '\\') { *dst = *src++; } } arg[i].len = dst - arg[i].data; } s->backslash = 0; } switch (s->command) { case NGX_IMAP_LOGIN: #if (NGX_IMAP_SSL) if (c->ssl == NULL) { sslcf = ngx_imap_get_module_srv_conf(s, ngx_imap_ssl_module); if (sslcf->starttls == NGX_IMAP_STARTTLS_ONLY) { rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } } #endif arg = s->args.elts; if (s->args.nelts == 2 && arg[0].len) { s->login.len = arg[0].len; s->login.data = ngx_palloc(c->pool, s->login.len); if (s->login.data == NULL) { ngx_imap_session_internal_server_error(s); return; } ngx_memcpy(s->login.data, arg[0].data, s->login.len); s->passwd.len = arg[1].len; s->passwd.data = ngx_palloc(c->pool, s->passwd.len); if (s->passwd.data == NULL) { ngx_imap_session_internal_server_error(s); return; } ngx_memcpy(s->passwd.data, arg[1].data, s->passwd.len); #if (NGX_DEBUG_IMAP_PASSWD) ngx_log_debug2(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap login:\"%V\" passwd:\"%V\"", &s->login, &s->passwd); #else ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap login:\"%V\"", &s->login); #endif ngx_imap_do_auth(s); return; } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; case NGX_IMAP_CAPABILITY: cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); #if (NGX_IMAP_SSL) if (c->ssl == NULL) { sslcf = ngx_imap_get_module_srv_conf(s, ngx_imap_ssl_module); if (sslcf->starttls == NGX_IMAP_STARTTLS_ON) { text_len = cscf->imap_starttls_capability.len; text = cscf->imap_starttls_capability.data; break; } if (sslcf->starttls == NGX_IMAP_STARTTLS_ONLY) { text_len = cscf->imap_starttls_only_capability.len; text = cscf->imap_starttls_only_capability.data; break; } } #endif text_len = cscf->imap_capability.len; text = cscf->imap_capability.data; break; case NGX_IMAP_LOGOUT: s->quit = 1; text = imap_bye; text_len = sizeof(imap_bye) - 1; break; case NGX_IMAP_NOOP: break; #if (NGX_IMAP_SSL) case NGX_IMAP_STARTTLS: if (c->ssl == NULL) { sslcf = ngx_imap_get_module_srv_conf(s, ngx_imap_ssl_module); if (sslcf->starttls) { c->read->handler = ngx_imap_starttls_handler; break; } } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; #endif default: rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } } else if (rc == NGX_IMAP_NEXT) { last = imap_next; last_len = sizeof(imap_next) - 1; tag = 0; } if (rc == NGX_IMAP_PARSE_INVALID_COMMAND) { last = imap_invalid_command; last_len = sizeof(imap_invalid_command) - 1; } if (tag) { if (s->tag.len == 0) { s->tag.len = sizeof(imap_star) - 1; s->tag.data = (u_char *) imap_star; } if (s->tagged_line.len < s->tag.len + text_len + last_len) { s->tagged_line.len = s->tag.len + text_len + last_len; s->tagged_line.data = ngx_palloc(c->pool, s->tagged_line.len); if (s->tagged_line.data == NULL) { ngx_imap_close_connection(c); return; } } s->out.data = s->tagged_line.data; s->out.len = s->tag.len + text_len + last_len; p = s->out.data; if (text) { p = ngx_cpymem(p, text, text_len); } p = ngx_cpymem(p, s->tag.data, s->tag.len); ngx_memcpy(p, last, last_len); } else { s->out.data = last; s->out.len = last_len; } if (rc != NGX_IMAP_NEXT) { s->args.nelts = 0; s->buffer->pos = s->buffer->start; s->buffer->last = s->buffer->start; s->tag.len = 0; } ngx_imap_send(c->write); } void ngx_pop3_auth_state(ngx_event_t *rev) { u_char *text, *p, *last; ssize_t size; ngx_int_t rc; ngx_str_t *arg, salt; ngx_connection_t *c; ngx_imap_session_t *s; ngx_imap_core_srv_conf_t *cscf; #if (NGX_IMAP_SSL) ngx_imap_ssl_conf_t *sslcf; #endif c = rev->data; s = c->data; ngx_log_debug0(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 auth state"); if (rev->timedout) { ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out"); c->timedout = 1; ngx_imap_close_connection(c); return; } if (s->out.len) { ngx_log_debug0(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap send handler busy"); s->blocked = 1; return; } s->blocked = 0; rc = ngx_imap_read_command(s); if (rc == NGX_AGAIN || rc == NGX_ERROR) { return; } text = pop3_ok; size = sizeof(pop3_ok) - 1; if (rc == NGX_OK) { switch (s->imap_state) { case ngx_pop3_start: switch (s->command) { case NGX_POP3_USER: if (s->args.nelts == 1) { s->imap_state = ngx_pop3_user; arg = s->args.elts; s->login.len = arg[0].len; s->login.data = ngx_palloc(c->pool, s->login.len); if (s->login.data == NULL) { ngx_imap_session_internal_server_error(s); return; } ngx_memcpy(s->login.data, arg[0].data, s->login.len); ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 login: \"%V\"", &s->login); break; } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; case NGX_POP3_CAPA: cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); #if (NGX_IMAP_SSL) if (c->ssl == NULL) { sslcf = ngx_imap_get_module_srv_conf(s, ngx_imap_ssl_module); if (sslcf->starttls) { size = cscf->pop3_starttls_capability.len; text = cscf->pop3_starttls_capability.data; break; } } #endif size = cscf->pop3_capability.len; text = cscf->pop3_capability.data; break; case NGX_POP3_APOP: cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); if ((cscf->auth_methods & NGX_IMAP_AUTH_APOP_ENABLED) && s->args.nelts == 2) { arg = s->args.elts; s->login.len = arg[0].len; s->login.data = ngx_palloc(c->pool, s->login.len); if (s->login.data == NULL) { ngx_imap_session_internal_server_error(s); return; } ngx_memcpy(s->login.data, arg[0].data, s->login.len); s->passwd.len = arg[1].len; s->passwd.data = ngx_palloc(c->pool, s->passwd.len); if (s->passwd.data == NULL) { ngx_imap_session_internal_server_error(s); return; } ngx_memcpy(s->passwd.data, arg[1].data, s->passwd.len); ngx_log_debug2(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 apop: \"%V\" \"%V\"", &s->login, &s->passwd); s->auth_method = NGX_IMAP_AUTH_APOP; ngx_imap_do_auth(s); return; } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; case NGX_POP3_AUTH: cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); if (s->args.nelts == 0) { size = cscf->pop3_auth_capability.len; text = cscf->pop3_auth_capability.data; s->state = 0; break; } arg = s->args.elts; if (arg[0].len == 5) { if (ngx_strncasecmp(arg[0].data, "LOGIN", 5) == 0) { if (s->args.nelts != 1) { rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } s->imap_state = ngx_pop3_auth_login_username; size = sizeof(pop3_username) - 1; text = pop3_username; break; } else if (ngx_strncasecmp(arg[0].data, "PLAIN", 5) == 0) { if (s->args.nelts == 1) { s->imap_state = ngx_pop3_auth_plain; size = sizeof(pop3_next) - 1; text = pop3_next; break; } if (s->args.nelts == 2) { /* * workaround for Eudora for Mac: it sends * AUTH PLAIN [base64 encoded] */ rc = ngx_imap_decode_auth_plain(s, &arg[1]); if (rc == NGX_OK) { ngx_imap_do_auth(s); return; } if (rc == NGX_ERROR) { ngx_imap_session_internal_server_error(s); return; } /* rc == NGX_IMAP_PARSE_INVALID_COMMAND */ break; } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } } else if (arg[0].len == 8 && ngx_strncasecmp(arg[0].data, "CRAM-MD5", 8) == 0) { s->imap_state = ngx_pop3_auth_cram_md5; text = ngx_palloc(c->pool, sizeof("+ " CRLF) - 1 + ngx_base64_encoded_length(s->salt.len)); if (text == NULL) { ngx_imap_session_internal_server_error(s); return; } text[0] = '+'; text[1]= ' '; salt.data = &text[2]; s->salt.len -= 2; ngx_encode_base64(&salt, &s->salt); s->salt.len += 2; size = 2 + salt.len; text[size++] = CR; text[size++] = LF; break; } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; case NGX_POP3_QUIT: s->quit = 1; break; case NGX_POP3_NOOP: break; #if (NGX_IMAP_SSL) case NGX_POP3_STLS: if (c->ssl == NULL) { sslcf = ngx_imap_get_module_srv_conf(s, ngx_imap_ssl_module); if (sslcf->starttls) { c->read->handler = ngx_imap_starttls_handler; break; } } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; #endif default: s->imap_state = ngx_pop3_start; rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } break; case ngx_pop3_user: switch (s->command) { case NGX_POP3_PASS: if (s->args.nelts == 1) { arg = s->args.elts; s->passwd.len = arg[0].len; s->passwd.data = ngx_palloc(c->pool, s->passwd.len); if (s->passwd.data == NULL) { ngx_imap_session_internal_server_error(s); return; } ngx_memcpy(s->passwd.data, arg[0].data, s->passwd.len); #if (NGX_DEBUG_IMAP_PASSWD) ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 passwd: \"%V\"", &s->passwd); #endif ngx_imap_do_auth(s); return; } rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; case NGX_POP3_CAPA: cscf = ngx_imap_get_module_srv_conf(s, ngx_imap_core_module); size = cscf->pop3_capability.len; text = cscf->pop3_capability.data; break; case NGX_POP3_QUIT: s->quit = 1; break; case NGX_POP3_NOOP: break; default: s->imap_state = ngx_pop3_start; rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } break; /* suppress warinings */ case ngx_pop3_passwd: break; case ngx_pop3_auth_login_username: arg = s->args.elts; s->imap_state = ngx_pop3_auth_login_password; ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 auth login username: \"%V\"", &arg[0]); s->login.data = ngx_palloc(c->pool, ngx_base64_decoded_length(arg[0].len)); if (s->login.data == NULL){ ngx_imap_session_internal_server_error(s); return; } if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) { ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent invalid base64 encoding " "in AUTH LOGIN command"); rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 auth login username: \"%V\"", &s->login); size = sizeof(pop3_password) - 1; text = pop3_password; break; case ngx_pop3_auth_login_password: arg = s->args.elts; #if (NGX_DEBUG_IMAP_PASSWD) ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 auth login password: \"%V\"", &arg[0]); #endif s->passwd.data = ngx_palloc(c->pool, ngx_base64_decoded_length(arg[0].len)); if (s->passwd.data == NULL){ ngx_imap_session_internal_server_error(s); return; } if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) { ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent invalid base64 encoding " "in AUTH LOGIN command"); rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } #if (NGX_DEBUG_IMAP_PASSWD) ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 auth login password: \"%V\"", &s->passwd); #endif ngx_imap_do_auth(s); return; case ngx_pop3_auth_plain: arg = s->args.elts; rc = ngx_imap_decode_auth_plain(s, &arg[0]); if (rc == NGX_OK) { ngx_imap_do_auth(s); return; } if (rc == NGX_ERROR) { ngx_imap_session_internal_server_error(s); return; } /* rc == NGX_IMAP_PARSE_INVALID_COMMAND */ break; case ngx_pop3_auth_cram_md5: arg = s->args.elts; ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 auth cram-md5: \"%V\"", &arg[0]); s->login.data = ngx_palloc(c->pool, ngx_base64_decoded_length(arg[0].len)); if (s->login.data == NULL){ ngx_imap_session_internal_server_error(s); return; } if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) { ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent invalid base64 encoding " "in AUTH CRAM-MD5 command"); rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } p = s->login.data; last = p + s->login.len; while (p < last) { if (*p++ == ' ') { s->login.len = p - s->login.data - 1; s->passwd.len = last - p; s->passwd.data = p; break; } } if (s->passwd.len != 32) { ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent invalid CRAM-MD5 hash " "in AUTH CRAM-MD5 command"); rc = NGX_IMAP_PARSE_INVALID_COMMAND; break; } ngx_log_debug2(NGX_LOG_DEBUG_IMAP, c->log, 0, "pop3 auth cram-md5: \"%V\" \"%V\"", &s->login, &s->passwd); s->auth_method = NGX_IMAP_AUTH_CRAM_MD5; ngx_imap_do_auth(s); return; } } if (rc == NGX_IMAP_PARSE_INVALID_COMMAND) { s->imap_state = ngx_pop3_start; s->state = 0; text = pop3_invalid_command; size = sizeof(pop3_invalid_command) - 1; } s->args.nelts = 0; s->buffer->pos = s->buffer->start; s->buffer->last = s->buffer->start; if (s->state) { s->arg_start = s->buffer->start; } s->out.data = text; s->out.len = size; ngx_imap_send(c->write); } static ngx_int_t ngx_imap_decode_auth_plain(ngx_imap_session_t *s, ngx_str_t *encoded) { u_char *p, *last; ngx_str_t plain; #if (NGX_DEBUG_IMAP_PASSWD) ngx_log_debug1(NGX_LOG_DEBUG_IMAP, s->connection->log, 0, "pop3 auth plain: \"%V\"", encoded); #endif plain.data = ngx_palloc(s->connection->pool, ngx_base64_decoded_length(encoded->len)); if (plain.data == NULL){ return NGX_ERROR; } if (ngx_decode_base64(&plain, encoded) != NGX_OK) { ngx_log_error(NGX_LOG_INFO, s->connection->log, 0, "client sent invalid base64 encoding " "in AUTH PLAIN command"); return NGX_IMAP_PARSE_INVALID_COMMAND; } p = plain.data; last = p + plain.len; while (p < last && *p++) { /* void */ } if (p == last) { ngx_log_error(NGX_LOG_INFO, s->connection->log, 0, "client sent invalid login in AUTH PLAIN command"); return NGX_IMAP_PARSE_INVALID_COMMAND; } s->login.data = p; while (p < last && *p) { p++; } if (p == last) { ngx_log_error(NGX_LOG_INFO, s->connection->log, 0, "client sent invalid password in AUTH PLAIN command"); return NGX_IMAP_PARSE_INVALID_COMMAND; } s->login.len = p++ - s->login.data; s->passwd.len = last - p; s->passwd.data = p; #if (NGX_DEBUG_IMAP_PASSWD) ngx_log_debug2(NGX_LOG_DEBUG_IMAP, s->connection->log, 0, "pop3 auth plain: \"%V\" \"%V\"", &s->login, &s->passwd); #endif return NGX_OK; } static void ngx_imap_do_auth(ngx_imap_session_t *s) { s->args.nelts = 0; s->buffer->pos = s->buffer->start; s->buffer->last = s->buffer->start; s->state = 0; if (s->connection->read->timer_set) { ngx_del_timer(s->connection->read); } s->login_attempt++; ngx_imap_auth_http_init(s); } static ngx_int_t ngx_imap_read_command(ngx_imap_session_t *s) { ssize_t n; ngx_int_t rc; n = s->connection->recv(s->connection, s->buffer->last, s->buffer->end - s->buffer->last); if (n == NGX_ERROR || n == 0) { ngx_imap_close_connection(s->connection); return NGX_ERROR; } if (n > 0) { s->buffer->last += n; } if (n == NGX_AGAIN) { if (ngx_handle_read_event(s->connection->read, 0) == NGX_ERROR) { ngx_imap_session_internal_server_error(s); return NGX_ERROR; } return NGX_AGAIN; } if (s->protocol == NGX_IMAP_POP3_PROTOCOL) { rc = ngx_pop3_parse_command(s); } else { rc = ngx_imap_parse_command(s); } if (rc == NGX_AGAIN || rc == NGX_IMAP_NEXT || rc == NGX_IMAP_PARSE_INVALID_COMMAND) { return rc; } if (rc == NGX_ERROR) { ngx_imap_close_connection(s->connection); return NGX_ERROR; } return NGX_OK; } void ngx_imap_session_internal_server_error(ngx_imap_session_t *s) { s->out = internal_server_errors[s->protocol]; s->quit = 1; ngx_imap_send(s->connection->write); } void ngx_imap_close_connection(ngx_connection_t *c) { ngx_pool_t *pool; ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0, "close imap connection: %d", c->fd); #if (NGX_IMAP_SSL) if (c->ssl) { if (ngx_ssl_shutdown(c) == NGX_AGAIN) { c->ssl->handler = ngx_imap_close_connection; return; } } #endif c->destroyed = 1; pool = c->pool; ngx_close_connection(c); ngx_destroy_pool(pool); } static u_char * ngx_imap_log_error(ngx_log_t *log, u_char *buf, size_t len) { u_char *p; ngx_imap_session_t *s; ngx_imap_log_ctx_t *ctx; if (log->action) { p = ngx_snprintf(buf, len, " while %s", log->action); len -= p - buf; buf = p; } ctx = log->data; p = ngx_snprintf(buf, len, ", client: %V", ctx->client); len -= p - buf; buf = p; s = ctx->session; if (s == NULL) { return p; } p = ngx_snprintf(buf, len, ", server: %V", s->addr_text); len -= p - buf; buf = p; if (s->login.len == 0) { return p; } p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login); len -= p - buf; buf = p; if (s->proxy == NULL) { return p; } p = ngx_snprintf(buf, len, ", upstream: %V", s->proxy->upstream.name); return p; }