login-common: sasl-server - Make private authentication mechanisms unavailable for...
authorStephan Bosch <stephan.bosch@open-xchange.com>
Fri, 9 Aug 2019 21:44:39 +0000 (23:44 +0200)
committerStephan Bosch <stephan.bosch@open-xchange.com>
Tue, 13 Aug 2019 22:46:26 +0000 (00:46 +0200)
These mechanisms can only be used when the authentication is explicitly marked
as private.

src/imap-urlauth/imap-urlauth-login.c
src/login-common/client-common-auth.c
src/login-common/client-common.h
src/login-common/sasl-server.c
src/login-common/sasl-server.h
src/pop3-login/client-authenticate.c

index 8de85c41ba510f4d3857cfbd0b233cf57117c920..9a627dabd500497052d18c854619acd2dcc8f344 100644 (file)
@@ -107,8 +107,8 @@ static void imap_urlauth_client_handle_input(struct client *client)
                base64_encode(str_data(auth_data),
                              str_len(auth_data), init_resp);
 
-               (void)client_auth_begin(client, "DOVECOT-TOKEN",
-                                       str_c(init_resp));
+               (void)client_auth_begin_private(client, "DOVECOT-TOKEN",
+                                               str_c(init_resp));
        } T_END;
 }
 
index 72555e1afdf354708ea00bb46235c93179df2c97..8b87134f0495f6c45b73eb8c7c9e27bda622fcfb 100644 (file)
@@ -768,8 +768,9 @@ sasl_callback(struct client *client, enum sasl_server_reply sasl_reply,
        client_unref(&client);
 }
 
-int client_auth_begin(struct client *client, const char *mech_name,
-                     const char *init_resp)
+static int
+client_auth_begin_common(struct client *client, const char *mech_name,
+                        bool private, const char *init_resp)
 {
        if (!client->secured && strcmp(client->ssl_set->ssl, "required") == 0) {
                if (client->set->auth_verbose) {
@@ -786,7 +787,7 @@ int client_auth_begin(struct client *client, const char *mech_name,
        client_ref(client);
        client->auth_initializing = TRUE;
        sasl_server_auth_begin(client, login_binary->protocol, mech_name,
-                              init_resp, sasl_callback);
+                              private, init_resp, sasl_callback);
        client->auth_initializing = FALSE;
        if (!client->authenticating)
                return 1;
@@ -797,6 +798,18 @@ int client_auth_begin(struct client *client, const char *mech_name,
        return 0;
 }
 
+int client_auth_begin(struct client *client, const char *mech_name,
+                     const char *init_resp)
+{
+       return client_auth_begin_common(client, mech_name, FALSE, init_resp);
+}
+
+int client_auth_begin_private(struct client *client, const char *mech_name,
+                             const char *init_resp)
+{
+       return client_auth_begin_common(client, mech_name, TRUE, init_resp);
+}
+
 bool client_check_plaintext_auth(struct client *client, bool pass_sent)
 {
        bool ssl_required = (strcmp(client->ssl_set->ssl, "required") == 0);
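Review bot: The new client_auth_begin_private() wrapper at the end of the third hunk, and the `bool private` parameter of client_auth_begin_common() in the first, carry no comment saying what "private" permits, and the name alone does not tell a later caller that it widens the set of mechanisms a login can be started with. A header comment such as `/* Like client_auth_begin(), but also accepts mechanisms flagged MECH_SEC_PRIVATE. mech_name is meant to be chosen by the server-side flow (as the APOP and DOVECOT-TOKEN callers in this commit do), not taken from the client. */` above client_auth_begin_private() would make the contract explicit; the same comment belongs on its declaration in client-common.h and, for the `private` argument, on sasl_server_auth_begin() in sasl-server.h. client_auth_begin_common()'s body starts in the first hunk and is cut across all three, so the early-return branches between them are not visible here.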
index bbbb1f5bf1c2f3fc670db403da9daa0c072e83ee..639778395c7870414c1f5456e6910a1cd8621450 100644 (file)
@@ -315,6 +315,8 @@ void client_auth_send_challenge(struct client *client, const char *data);
 void client_auth_parse_response(struct client *client);
 int client_auth_begin(struct client *client, const char *mech_name,
                      const char *init_resp);
+int client_auth_begin_private(struct client *client, const char *mech_name,
+                             const char *init_resp);
 bool client_check_plaintext_auth(struct client *client, bool pass_sent);
 int client_auth_read_line(struct client *client);
 
index 0f0ad9de8377ff7ea24d703eb2fb57956c1d662f..a779fcbf712a727ffe4099a9f5d06c38977d9778 100644 (file)
@@ -415,7 +415,7 @@ static bool get_cert_username(struct client *client, const char **username_r,
 
 void sasl_server_auth_begin(struct client *client,
                            const char *service, const char *mech_name,
-                           const char *initial_resp_base64,
+                           bool private, const char *initial_resp_base64,
                            sasl_server_callback_t *callback)
 {
        struct auth_request_info info;
@@ -434,13 +434,16 @@ void sasl_server_auth_begin(struct client *client,
        client->sasl_callback = callback;
 
        mech = sasl_server_find_available_mech(client, mech_name);
-       if (mech == NULL) {
+       if (mech == NULL ||
+           ((mech->flags & MECH_SEC_PRIVATE) != 0 && !private)) {
                sasl_server_auth_failed(client,
                        "Unsupported authentication mechanism.",
                        AUTH_CLIENT_FAIL_CODE_MECH_INVALID);
                return;
        }
 
+       i_assert(!private || (mech->flags & MECH_SEC_PRIVATE) != 0);
+
        if (!client->secured && client->set->disable_plaintext_auth &&
            (mech->flags & MECH_SEC_PLAINTEXT) != 0) {
                sasl_server_auth_failed(client,
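Review bot: The added i_assert() after the mechanism check turns a mismatch between the caller's `private` flag and the mechanism's flags into a login-process panic, and mech->flags comes from sasl_server_find_available_mech() two lines above rather than from the caller. Both callers that pass TRUE (the pop3 APOP command and the imap-urlauth DOVECOT-TOKEN path) are reached from client input, so if the auth process ever advertised one of those mechanisms without MECH_SEC_PRIVATE — I cannot tell from this page whether a version skew could cause that — a client request would trip the assertion instead of getting an error reply. Folding the invariant into the existing failure path avoids that: `if (mech == NULL || ((mech->flags & MECH_SEC_PRIVATE) != 0) != private) {` and drop the i_assert(), so both a private mechanism requested without `private` and a non-private one requested with it get the same "Unsupported authentication mechanism." failure. If the assert is intended purely as a developer invariant, a one-line comment stating that would help the next reader.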
index c0acc11e71fc3ae26050c516ac8d28cbfe242abe..84098bf2bb5259446f8100e56b08e88cc8ec045e 100644 (file)
@@ -22,7 +22,7 @@ sasl_server_find_available_mech(struct client *client, const char *name);
 
 void sasl_server_auth_begin(struct client *client,
                            const char *service, const char *mech_name,
-                           const char *initial_resp_base64,
+                           bool private, const char *initial_resp_base64,
                            sasl_server_callback_t *callback);
 void sasl_server_auth_failed(struct client *client, const char *reason,
        const char *code) ATTR_NULL(3);
index e10ab39b3562a2eb0a97ec59fb75e9705b2c6a7d..b65409bc81093249cd5cc75a17b55a3e248768a1 100644 (file)
@@ -221,6 +221,6 @@ bool cmd_apop(struct pop3_client *pop3_client, const char *args)
                return TRUE;
        }
 
-       (void)client_auth_begin(client, "APOP", str_c(base64));
+       (void)client_auth_begin_private(client, "APOP", str_c(base64));
        return TRUE;
 }