From: Stephan Bosch
Date: Fri, 9 Aug 2019 21:44:39 +0000 (+0200)
Subject: login-common: sasl-server - Make private authentication mechanisms unavailable for...
X-Git-Tag: 2.3.9~318
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30b518b13774343d93cc5ce27f966ac48254cedc;p=thirdparty%2Fdovecot%2Fcore.git
login-common: sasl-server - Make private authentication mechanisms unavailable for normal authentication.
These mechanisms can only be used when the authentication is explicitly marked as private.
---
diff --git a/src/imap-urlauth/imap-urlauth-login.c b/src/imap-urlauth/imap-urlauth-login.c
index 8de85c41ba..9a627dabd5 100644
--- a/src/imap-urlauth/imap-urlauth-login.c
+++ b/src/imap-urlauth/imap-urlauth-login.c
@@ -107,8 +107,8 @@ static void imap_urlauth_client_handle_input(struct client *client)
 base64_encode(str_data(auth_data), str_len(auth_data), init_resp);
- (void)client_auth_begin(client, "DOVECOT-TOKEN",
- str_c(init_resp));
+ (void)client_auth_begin_private(client, "DOVECOT-TOKEN",
+ str_c(init_resp));
 } T_END;
 }
diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
index 72555e1afd..8b87134f04 100644
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -768,8 +768,9 @@ sasl_callback(struct client *client, enum sasl_server_reply sasl_reply,
 client_unref(&client);
 }
-int client_auth_begin(struct client *client, const char *mech_name,
- const char *init_resp)
+static int
+client_auth_begin_common(struct client *client, const char *mech_name,
+ bool private, const char *init_resp)
 {
 if (!client->secured && strcmp(client->ssl_set->ssl, "required") == 0) {
 if (client->set->auth_verbose) {
@@ -786,7 +787,7 @@ int client_auth_begin(struct client *client, const char *mech_name,
 client_ref(client);
 client->auth_initializing = TRUE;
 sasl_server_auth_begin(client, login_binary->protocol, mech_name,
- init_resp, sasl_callback);
+ private, init_resp, sasl_callback);
 client->auth_initializing = FALSE;
 if (!client->authenticating) return 1;
@@ -797,6 +798,18 @@ int client_auth_begin(struct client *client, const char *mech_name,
 return 0;
 }
+int client_auth_begin(struct client *client, const char *mech_name,
+ const char *init_resp)
+{
+ return client_auth_begin_common(client, mech_name, FALSE, init_resp);
+}
+
+int client_auth_begin_private(struct client *client, const char *mech_name,
+ const char *init_resp)
+{
+ return client_auth_begin_common(client, mech_name, TRUE, init_resp);
+}
+
 bool client_check_plaintext_auth(struct client *client, bool pass_sent)
 {
 bool ssl_required = (strcmp(client->ssl_set->ssl, "required") == 0);
diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h
index bbbb1f5bf1..639778395c 100644
--- a/src/login-common/client-common.h
+++ b/src/login-common/client-common.h
@@ -315,6 +315,8 @@ void client_auth_send_challenge(struct client *client, const char *data);
 void client_auth_parse_response(struct client *client);
 int client_auth_begin(struct client *client, const char *mech_name, const char *init_resp);
+int client_auth_begin_private(struct client *client, const char *mech_name,
+ const char *init_resp);
 bool client_check_plaintext_auth(struct client *client, bool pass_sent);
 int client_auth_read_line(struct client *client);
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 0f0ad9de83..a779fcbf71 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
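Review bot: The new public declaration of client_auth_begin_private() in the client-common.h hunk carries no comment, so a reader of the header cannot tell why a second entry point exists or which mechanisms need it; client_auth_begin() above it is equally bare, but the new function is the one that widens what a login process may start. A one-line comment above the added declaration would do, e.g. `/* Like client_auth_begin(), but permits mechanisms flagged MECH_SEC_PRIVATE, which the login code names itself (as cmd_apop() and imap-urlauth do) rather than taking from the client; sasl_server_auth_begin() rejects such mechanisms on the normal path. */`. The same gap exists for the new `bool private` parameter of sasl_server_auth_begin() in the sasl-server.h hunk, where a short note that private=TRUE is the only way a MECH_SEC_PRIVATE mechanism can be started would make the check's intent visible at the declaration.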
@@ -415,7 +415,7 @@ static bool get_cert_username(struct client *client, const char **username_r,
 void sasl_server_auth_begin(struct client *client, const char *service, const char *mech_name,
- const char *initial_resp_base64,
+ bool private, const char *initial_resp_base64,
 sasl_server_callback_t *callback)
 {
 struct auth_request_info info;
@@ -434,13 +434,16 @@ void sasl_server_auth_begin(struct client *client,
 client->sasl_callback = callback;
 mech = sasl_server_find_available_mech(client, mech_name);
- if (mech == NULL) {
+ if (mech == NULL ||
+ ((mech->flags & MECH_SEC_PRIVATE) != 0 && !private)) {
 sasl_server_auth_failed(client, "Unsupported authentication mechanism.", AUTH_CLIENT_FAIL_CODE_MECH_INVALID);
 return;
 }
+ i_assert(!private || (mech->flags & MECH_SEC_PRIVATE) != 0);
+
 if (!client->secured && client->set->disable_plaintext_auth && (mech->flags & MECH_SEC_PLAINTEXT) != 0) {
 sasl_server_auth_failed(client,
diff --git a/src/login-common/sasl-server.h b/src/login-common/sasl-server.h
index c0acc11e71..84098bf2bb 100644
--- a/src/login-common/sasl-server.h
+++ b/src/login-common/sasl-server.h
@@ -22,7 +22,7 @@ sasl_server_find_available_mech(struct client *client, const char *name);
 void sasl_server_auth_begin(struct client *client, const char *service, const char *mech_name,
- const char *initial_resp_base64,
+ bool private, const char *initial_resp_base64,
 sasl_server_callback_t *callback);
 void sasl_server_auth_failed(struct client *client, const char *reason, const char *code) ATTR_NULL(3);
diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c
index e10ab39b35..b65409bc81 100644
--- a/src/pop3-login/client-authenticate.c
+++ b/src/pop3-login/client-authenticate.c
@@ -221,6 +221,6 @@ bool cmd_apop(struct pop3_client *pop3_client, const char *args)
 return TRUE;
 }
- (void)client_auth_begin(client, "APOP", str_c(base64));
+ (void)client_auth_begin_private(client, "APOP", str_c(base64));
 return TRUE;
 }
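Review bot: The added `i_assert(!private || (mech->flags & MECH_SEC_PRIVATE) != 0);` in the @@ -434 hunk turns a mismatch between the caller's classification and the mechanism's flags into a panic (if i_assert() aborts as it does elsewhere in the tree), whereas the opposite mismatch two lines above is answered with a normal authentication failure. The flags come from the entry returned by sasl_server_find_available_mech(), which is outside this hunk; if that list is supplied by the auth process, as I believe it is, an entry for APOP or DOVECOT-TOKEN that lacks MECH_SEC_PRIVATE would take the login process down on a client-driven APOP command instead of producing the "Unsupported authentication mechanism." reply. Folding both directions into the existing condition makes the assert unnecessary: `if (mech == NULL || ((mech->flags & MECH_SEC_PRIVATE) != 0) != private) {`. Returning the same generic failure when a client names a private mechanism is the right choice, since it does not disclose that the mechanism exists. sasl_server_auth_begin() continues past the end of the hunk.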