From: Stephan Bosch
Date: Wed, 8 Nov 2023 23:05:22 +0000 (+0100)
Subject: lib-sasl: dsasl-client - Add support for channel binding
X-Git-Tag: 2.4.1~293
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=538c32d6b39f14a7d10404b604efd6e61a23ddb9;p=thirdparty%2Fdovecot%2Fcore.git

lib-sasl: dsasl-client - Add support for channel binding
---
diff --git a/src/imap-login/Makefile.am b/src/imap-login/Makefile.am
index b0a240ff4f..13a2651c74 100644
--- a/src/imap-login/Makefile.am
+++ b/src/imap-login/Makefile.am
@@ -14,6 +14,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/lib-login \
 	-I$(top_srcdir)/src/lib-mail \
 	-I$(top_srcdir)/src/lib-var-expand \
+	-I$(top_srcdir)/src/lib-ssl-iostream \
 	-I$(top_srcdir)/src/login-common \
 	$(BINARY_CFLAGS)
 
diff --git a/src/lib-sasl/Makefile.am b/src/lib-sasl/Makefile.am
index 914be5e0c4..22a6f290e7 100644
--- a/src/lib-sasl/Makefile.am
+++ b/src/lib-sasl/Makefile.am
@@ -3,8 +3,10 @@ noinst_LTLIBRARIES = libsasl.la
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/lib \
 	-I$(top_srcdir)/src/lib-test \
+	-I$(top_srcdir)/src/lib-settings \
 	-I$(top_srcdir)/src/lib-auth \
-	-I$(top_srcdir)/src/lib-json
+	-I$(top_srcdir)/src/lib-json \
+	-I$(top_srcdir)/src/lib-ssl-iostream
 
 libsasl_la_SOURCES = \
 	mech-external.c \
diff --git a/src/lib-sasl/dsasl-client-private.h b/src/lib-sasl/dsasl-client-private.h
index 00272e9cf7..b67964ffa1 100644
--- a/src/lib-sasl/dsasl-client-private.h
+++ b/src/lib-sasl/dsasl-client-private.h
@@ -12,6 +12,10 @@ struct dsasl_client {
 	struct dsasl_client_settings set;
 	char *password;
 	const struct dsasl_client_mech *mech;
+
+	enum ssl_iostream_protocol_version channel_version;
+	dsasl_client_channel_binding_callback_t *cbinding_callback;
+	void *cbinding_context;
 };
 
 struct dsasl_client_mech {
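Review bot: The three new struct dsasl_client fields carry no comment, and the "channel binding disabled" state that the inline getter in the next hunk tests for (channel_version == SSL_IOSTREAM_PROTOCOL_VERSION_UNKNOWN or cbinding_callback == NULL) is never set explicitly anywhere in this commit. Presumably dsasl_client_new() pool-allocates and zero-fills the struct, in which case the default is only correct if UNKNOWN is the enum's zero value; that is worth confirming, or setting explicitly in dsasl_client_new(). I would annotate the fields so the dependency is visible: `/* TLS protocol version of the underlying channel; SSL_IOSTREAM_PROTOCOL_VERSION_UNKNOWN means channel binding is unavailable */` above channel_version and `/* Returns channel binding data for a requested type; NULL until dsasl_client_enable_channel_binding() is called */` above cbinding_callback. struct dsasl_client starts outside the hunk.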
@@ -44,4 +48,18 @@ extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_256;
 void dsasl_client_mech_register(const struct dsasl_client_mech *mech);
 void dsasl_client_mech_unregister(const struct dsasl_client_mech *mech);
 
+static inline int
+dasl_client_get_channel_binding(struct dsasl_client *client,
+				const char *type, const buffer_t **data_r,
+				const char **error_r)
+{
+	if (client->channel_version == SSL_IOSTREAM_PROTOCOL_VERSION_UNKNOWN ||
+	    client->cbinding_callback == NULL) {
+		*error_r = "Channel binding not available locally";
+		return -1;
+	}
+	return client->cbinding_callback(type, client->cbinding_context,
+					 data_r, error_r);
+}
+
 #endif
diff --git a/src/lib-sasl/dsasl-client.c b/src/lib-sasl/dsasl-client.c
index aa14809eef..ebe6ffbd01 100644
--- a/src/lib-sasl/dsasl-client.c
+++ b/src/lib-sasl/dsasl-client.c
@@ -85,6 +85,16 @@ void dsasl_client_free(struct dsasl_client **_client)
 	pool_unref(&client->pool);
 }
 
+void dsasl_client_enable_channel_binding(
+	struct dsasl_client *client,
+	enum ssl_iostream_protocol_version channel_version,
+	dsasl_client_channel_binding_callback_t *callback, void *context)
+{
+	client->channel_version = channel_version;
+	client->cbinding_callback = callback;
+	client->cbinding_context = context;
+}
+
 int dsasl_client_input(struct dsasl_client *client,
 		       const unsigned char *input, size_t input_len,
 		       const char **error_r)
diff --git a/src/lib-sasl/dsasl-client.h b/src/lib-sasl/dsasl-client.h
index 999008d588..1b3a7fa808 100644
--- a/src/lib-sasl/dsasl-client.h
+++ b/src/lib-sasl/dsasl-client.h
@@ -1,6 +1,8 @@
 #ifndef DSASL_CLIENT_H
 #define DSASL_CLIENT_H
 
+#include "iostream-ssl.h"
+
 struct dsasl_client_settings {
 	/* authentication ID - must be set with most mechanisms */
 	const char *authid;
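Review bot: The new helper is spelled `dasl_client_get_channel_binding`, dropping the "s" of the `dsasl_` prefix that every other symbol in this header uses; rename it to `dsasl_client_get_channel_binding` now, before mechanisms start calling it and the typo becomes part of the private API. The function also needs a contract comment, because it is the only entry point mechanisms will see: `type` is passed through to the callback unchanged, so choosing the binding type appropriate for the negotiated TLS version is the caller's job (presumably what the stored channel_version is for), and on -1 `*data_r` is left untouched while `*error_r` points either at the static string here or at whatever the callback set. I would put above the function `/* Fetch channel binding data of the given type (e.g. "tls-unique", "tls-exporter") via the registered callback. Returns 0 and sets *data_r on success, -1 and *error_r if channel binding was not enabled or the callback fails; a mechanism that already announced binding must then fail the exchange rather than fall back to no binding. */`.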
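Review bot: dsasl_client_enable_channel_binding() stores any combination of arguments without checking them, so a non-NULL callback with SSL_IOSTREAM_PROTOCOL_VERSION_UNKNOWN silently leaves binding disabled (the getter in dsasl-client-private.h rejects it), and a real version with a NULL callback does the same; nothing records that the exchange has not yet started, although re-enabling or disabling binding after a mechanism has emitted its first message would leave that message's binding announcement inconsistent with what the client can later supply. A cheap guard is `i_assert(callback != NULL || channel_version == SSL_IOSTREAM_PROTOCOL_VERSION_UNKNOWN);` at the top of the function, and a comment stating the ordering requirement, e.g. `/* Must be called before the first dsasl_client_input()/output call; passing SSL_IOSTREAM_PROTOCOL_VERSION_UNKNOWN disables channel binding again. */`. Whether the client tracks exchange state that could back a stronger assert is not visible in this hunk.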
@@ -11,6 +13,11 @@ struct dsasl_client_settings {
 	const char *password;
 };
 
+typedef int
+dsasl_client_channel_binding_callback_t(const char *type, void *context,
+					const buffer_t **data_r,
+					const char **error_r);
+
 /* PLAIN mechanism always exists and can be accessed directly via this. */
 extern const struct dsasl_client_mech dsasl_client_mech_plain;
 
@@ -21,6 +28,12 @@ struct dsasl_client *dsasl_client_new(const struct dsasl_client_mech *mech,
 			const struct dsasl_client_settings *set);
 void dsasl_client_free(struct dsasl_client **client);
 
+/* Enable channel binding support for this client. */
+void dsasl_client_enable_channel_binding(
+	struct dsasl_client *client,
+	enum ssl_iostream_protocol_version channel_version,
+	dsasl_client_channel_binding_callback_t *callback, void *context);
+
 /* Call for server input. */
 int dsasl_client_input(struct dsasl_client *client,
 		       const unsigned char *input, size_t input_len,
diff --git a/src/pop3-login/Makefile.am b/src/pop3-login/Makefile.am
index f639d48433..59e66b0034 100644
--- a/src/pop3-login/Makefile.am
+++ b/src/pop3-login/Makefile.am
@@ -10,6 +10,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/lib-master \
 	-I$(top_srcdir)/src/lib-login \
 	-I$(top_srcdir)/src/login-common \
+	-I$(top_srcdir)/src/lib-ssl-iostream \
 	-I$(top_srcdir)/src/lib-pop3 \
 	-I$(top_srcdir)/src/lib-var-expand \
 	$(BINARY_CFLAGS)
diff --git a/src/submission-login/Makefile.am b/src/submission-login/Makefile.am
index 928da154ad..b7ec914c22 100644
--- a/src/submission-login/Makefile.am
+++ b/src/submission-login/Makefile.am
@@ -12,6 +12,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/lib-login \
 	-I$(top_srcdir)/src/lib-smtp \
 	-I$(top_srcdir)/src/lib-var-expand \
+	-I$(top_srcdir)/src/lib-ssl-iostream \
 	-I$(top_srcdir)/src/login-common
 
 submission_login_LDADD = \
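Review bot: dsasl_client_channel_binding_callback_t is a public callback type with no statement of its contract: what strings `type` may hold, who owns the buffer returned in `*data_r` and how long it stays valid, and what the return value means. The callback's output is fed straight into the authentication exchange by whichever mechanism uses it, so the lifetime rule in particular must be written down, not guessed from the private header's getter. I would add above the typedef a comment along the lines of `/* Provide channel binding data of the given type ("tls-unique", "tls-exporter", ...) in *data_r. Returns 0 on success, -1 with *error_r set if the type is unsupported or no binding data is available. The returned buffer must remain valid until the client is freed. */`, with the lifetime clause adjusted to whatever the login-process implementations actually guarantee, since that is not visible here.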