From e213fe0f4040bb6001e76edd51131ccf18129a3f Mon Sep 17 00:00:00 2001
From: Stephan Bosch
Date: Sat, 9 Dec 2017 02:34:52 +0100
Subject: [PATCH] lib-master: master-auth: Pass more information about the user connection to the backend in struct master_auth_request.

Adds remote and local ports and security information about the connection.

This changes the master-auth protocol incompatibly, so the major version is updated.
---
 src/lib-master/master-auth.h   | 9 +++++++--
 src/login-common/sasl-server.c | 6 ++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/lib-master/master-auth.h b/src/lib-master/master-auth.h
index 91b63550a1..59db83977b 100644
--- a/src/lib-master/master-auth.h
+++ b/src/lib-master/master-auth.h
@@ -25,7 +25,11 @@ struct master_service;
 
 enum mail_auth_request_flags {
 	/* Connection has TLS compression enabled */
-	MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION = 0x01
+	MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION = BIT(0),
+	/* Connection is secure (SSL or just trusted) */
+	MAIL_AUTH_REQUEST_FLAG_CONN_SECURED = BIT(1),
+	/* Connection is secured using SSL specifically */
+	MAIL_AUTH_REQUEST_FLAG_CONN_SSL_SECURED = BIT(2),
 };
 
 /* Authentication request. File descriptor may be sent along with the
@@ -40,9 +44,10 @@ struct master_auth_request {
 	unsigned int client_pid;
 	uint8_t cookie[MASTER_AUTH_COOKIE_SIZE];
 
-	/* Local and remote IPs of the connection. The file descriptor
+	/* Properties of the connection. The file descriptor
 	   itself may be a local socketpair. */
 	struct ip_addr local_ip, remote_ip;
+	in_port_t local_port, remote_port;
 
 	uint32_t flags;
 
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index c74a2280b8..9d8b418578 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
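Review bot: The inserted `in_port_t local_port, remote_port;` changes the wire layout of `struct master_auth_request`, yet neither of this header's two hunks nor the diffstat (only master-auth.h and sasl-server.c are touched) contains the protocol major-version bump the commit message says accompanies the change; if `MASTER_AUTH_PROTOCOL_MAJOR_VERSION` is defined in this header it is unchanged here, and if it lives in another file that file is missing from the patch. Without the bump a backend built against the old layout reads `flags` from the offset the ports now occupy, so a trust bit such as `MAIL_AUTH_REQUEST_FLAG_CONN_SSL_SECURED` could be misread across a version skew. Since this struct is copied to the backend as raw bytes, two 16-bit fields ahead of `uint32_t flags` may also introduce padding; the sender presumably zeroes `req` before filling it (that code is outside the hunk), which is worth confirming so no uninitialized bytes are sent. The new fields deserve a comment stating their byte order and the value used when there is no TCP peer, along the lines of `/* TCP ports of the connection; 0 when the fd is a socketpair */`, adjusted to what the sender actually fills in. The struct definition starts before and ends after the hunk.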
@@ -135,10 +135,16 @@ static int master_send_request(struct anvil_request *anvil_request)
 	req.auth_id = anvil_request->auth_id;
 	req.local_ip = client->local_ip;
 	req.remote_ip = client->ip;
+	req.local_port = client->local_port;
+	req.remote_port = client->remote_port;
 	req.client_pid = getpid();
 	if (client->ssl_iostream != NULL &&
 	    ssl_iostream_get_compression(client->ssl_iostream) != NULL)
 		req.flags |= MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION;
+	if (client->secured)
+		req.flags |= MAIL_AUTH_REQUEST_FLAG_CONN_SECURED;
+	if (client->ssl_secured)
+		req.flags |= MAIL_AUTH_REQUEST_FLAG_CONN_SSL_SECURED;
 	memcpy(req.cookie, anvil_request->cookie, sizeof(req.cookie));
 
 	buf = t_buffer_create(256);
-- 
2.47.3
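Review bot: `MAIL_AUTH_REQUEST_FLAG_CONN_SECURED` is set from `client->secured`, which the header comment added in this same patch describes as "SSL or just trusted", so it can be set on a plaintext connection the login process merely trusts; a backend must not read that bit as evidence of transport encryption, only `CONN_SSL_SECURED` says that. A comment at the `if (client->secured)` line would stop that misreading on the consumer side: `/* "secured" also covers trusted plaintext connections; only ssl_secured proves TLS */`. Presumably `client->ssl_secured` implies `client->secured`, but the two flags are derived independently here; if backends rely on that relation, make it explicit with `i_assert(!client->ssl_secured || client->secured);` before the two checks rather than assuming it. master_send_request starts and ends outside the hunk, so whether `req.flags` is zeroed before these `|=` lines cannot be seen here.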