From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 4 Nov 2020 22:00:48 +0000 (+0100)
Subject: login-common: sasl-server - Add support for channel binding
X-Git-Tag: 2.4.1~294
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=060e5281c684966d99a2252b6362fbac5558ee51;p=thirdparty%2Fdovecot%2Fcore.git

login-common: sasl-server - Add support for channel binding
---

diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 4e26730b7d..f02262c00f 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -60,6 +60,11 @@ sasl_server_filter_mech(struct client *client, struct auth_mech_desc *mech,
 	    !client->set->auth_allow_cleartext &&
 	    (mech->flags & MECH_SEC_PLAINTEXT) != 0)
 		return FALSE;
+	/* Disable mechanisms that require channel binding when there is no TLS
+	   layer (yet). */
+	if (client->ssl_iostream == NULL &&
+	    (mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+		return FALSE;
 
 	return TRUE;
 }
@@ -335,6 +340,16 @@ args_parse_user(struct client *client, const char *key, const char *value)
 	return TRUE;
 }
 
+static int
+sasl_server_channel_binding(const char *type, void *context,
+			    const buffer_t **data_r, const char **error_r)
+{
+	struct client *client = context;
+
+	return ssl_iostream_get_channel_binding(client->ssl_iostream,
+						type, data_r, error_r);
+}
+
 static void
 sasl_server_auth_success_finish(struct client *client, bool nologin,
 				const char *data, const char *const *args)
@@ -585,6 +600,9 @@ void sasl_server_auth_begin(struct client *client, const char *mech_name,
 	client->auth_request =
 		auth_client_request_new(auth_client, &info,
 					authenticate_callback, client);
+	auth_client_request_enable_channel_binding(client->auth_request,
+						   sasl_server_channel_binding,
+						   client);
 }
 
 static void ATTR_NULL(2, 3)