i_assert(request->state == AUTH_REQUEST_STATE_NEW);
auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
+
+ if (auth_request_fail_on_nuls(request, request->initial_response,
+ request->initial_response_len))
+ return;
+
request->mech->auth_initial(request, request->initial_response,
request->initial_response_len);
}
return;
}
+ if (auth_request_fail_on_nuls(request, data, data_size))
+ return;
+
auth_request_refresh_last_access(request);
request->mech->auth_continue(request, data, data_size);
}
const struct mech_module mech_anonymous = {
"ANONYMOUS",
- .flags = MECH_SEC_ANONYMOUS,
+ .flags = MECH_SEC_ANONYMOUS | MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
mech_anonymous_auth_new,
const struct mech_module mech_apop = {
"APOP",
- .flags = MECH_SEC_PRIVATE | MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+ .flags = MECH_SEC_PRIVATE | MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
+ MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_VERIFY_RESPONSE,
mech_apop_auth_new,
const struct mech_module mech_dovecot_token = {
"DOVECOT-TOKEN",
- .flags = MECH_SEC_PRIVATE,
+ .flags = MECH_SEC_PRIVATE | MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
mech_dovecot_token_auth_new,
const struct mech_module mech_gssapi_spnego = {
"GSS-SPNEGO",
- .flags = 0,
+ .flags = MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
mech_gssapi_auth_new,
const struct mech_module mech_ntlm = {
"NTLM",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+ .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
+ MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
mech_ntlm_auth_new,
const struct mech_module mech_otp = {
"OTP",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+ .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE | MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_SET_CREDENTIALS,
mech_otp_auth_new,
const struct mech_module mech_plain = {
"PLAIN",
- .flags = MECH_SEC_PLAINTEXT,
+ .flags = MECH_SEC_PLAINTEXT | MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_VERIFY_PLAIN,
mech_plain_auth_new,
"RPA",
.flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
- MECH_SEC_MUTUAL_AUTH,
+ MECH_SEC_MUTUAL_AUTH | MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
mech_rpa_auth_new,
const struct mech_module mech_winbind_ntlm = {
"NTLM",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+ .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
+ MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
mech_winbind_ntlm_auth_new,
bool auth_request_fail_on_nuls(struct auth_request *request,
const unsigned char *data, size_t data_size)
{
+ if ((request->mech->flags & MECH_SEC_ALLOW_NULS) != 0)
+ return FALSE;
if (memchr(data, '\0', data_size) != NULL) {
e_debug(request->mech_event, "Unexpected NUL in auth data");
auth_request_fail(request);
/* Provides forward secrecy between sessions */
MECH_SEC_FORWARD_SECRECY = 0x0020,
/* Provides mutual authentication */
- MECH_SEC_MUTUAL_AUTH = 0x0040
+ MECH_SEC_MUTUAL_AUTH = 0x0040,
+ /* Allow NULs in input data */
+ MECH_SEC_ALLOW_NULS = 0x0080,
};
/* auth failure codes */