From: Stephan Bosch
Date: Sat, 4 Mar 2023 21:38:01 +0000 (+0100)
Subject: lib-auth-client: auth-client-interface - Rename and move mechanism security flags
X-Git-Tag: 2.4.2~268
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9eaa54df5a0f0c1c3e96f100bfc422d4aded30ec;p=thirdparty%2Fdovecot%2Fcore.git
lib-auth-client: auth-client-interface - Rename and move mechanism security flags
Move to lib-sasl.
---
diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am
index 43c522bf23..23e111a6e3 100644
--- a/src/auth/Makefile.am
+++ b/src/auth/Makefile.am
@@ -39,6 +39,7 @@ pkglibexec_PROGRAMS = auth
 AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib \
 -I$(top_srcdir)/src/lib-auth \
+ -I$(top_srcdir)/src/lib-sasl \
 -I$(top_srcdir)/src/lib-auth-client \
 -I$(top_srcdir)/src/lib-test \
 -I$(top_srcdir)/src/lib-json \
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index d7dbd25926..68926c6285 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -423,7 +423,7 @@ static bool
 auth_request_fail_on_nuls(struct auth_request *request,
 const unsigned char *data, size_t data_size)
 {
- if ((request->mech->flags & MECH_SEC_ALLOW_NULS) != 0)
+ if ((request->mech->flags & SASL_MECH_SEC_ALLOW_NULS) != 0)
 return FALSE;
 if (memchr(data, '\0', data_size) != NULL) {
 e_debug(request->mech_event, "Unexpected NUL in auth data");
diff --git a/src/auth/auth-sasl-mech-apop.c b/src/auth/auth-sasl-mech-apop.c
index 1acf6df276..894a18463f 100644
--- a/src/auth/auth-sasl-mech-apop.c
+++ b/src/auth/auth-sasl-mech-apop.c
@@ -161,8 +161,8 @@ static struct auth_request *mech_apop_auth_new(void)
 const struct mech_module mech_apop = {
 .mech_name = "APOP",
- .flags = MECH_SEC_PRIVATE | MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
- MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_PRIVATE | SASL_MECH_SEC_DICTIONARY |
+ SASL_MECH_SEC_ACTIVE | SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_VERIFY_RESPONSE,
 .auth_new = mech_apop_auth_new,
diff --git a/src/auth/auth-sasl-mech-dovecot-token.c b/src/auth/auth-sasl-mech-dovecot-token.c
index 08815ac106..9b189e64c1 100644
--- a/src/auth/auth-sasl-mech-dovecot-token.c
+++ b/src/auth/auth-sasl-mech-dovecot-token.c
@@ -82,7 +82,7 @@ static struct auth_request *mech_dovecot_token_auth_new(void)
 const struct mech_module mech_dovecot_token = {
 .mech_name = "DOVECOT-TOKEN",
- .flags = MECH_SEC_PRIVATE | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_PRIVATE | SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_NOTHING,
 .auth_new = mech_dovecot_token_auth_new,
diff --git a/src/auth/mech.c b/src/auth/mech.c
index ba048ab14f..b2699d6f87 100644
--- a/src/auth/mech.c
+++ b/src/auth/mech.c
@@ -82,27 +82,27 @@ static void mech_register_add(struct mechanisms_register *reg,
 list = p_new(reg->pool, struct mech_module_list, 1);
 list->module = *mech;
- if ((mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+ if ((mech->flags & SASL_MECH_SEC_CHANNEL_BINDING) != 0)
 handshake = reg->handshake_cbind;
 else
 handshake = reg->handshake;
 str_printfa(handshake, "MECH\t%s", mech->mech_name);
- if ((mech->flags & MECH_SEC_PRIVATE) != 0)
+ if ((mech->flags & SASL_MECH_SEC_PRIVATE) != 0)
 str_append(handshake, "\tprivate");
- if ((mech->flags & MECH_SEC_ANONYMOUS) != 0)
+ if ((mech->flags & SASL_MECH_SEC_ANONYMOUS) != 0)
 str_append(handshake, "\tanonymous");
- if ((mech->flags & MECH_SEC_PLAINTEXT) != 0)
+ if ((mech->flags & SASL_MECH_SEC_PLAINTEXT) != 0)
 str_append(handshake, "\tplaintext");
- if ((mech->flags & MECH_SEC_DICTIONARY) != 0)
+ if ((mech->flags & SASL_MECH_SEC_DICTIONARY) != 0)
 str_append(handshake, "\tdictionary");
- if ((mech->flags & MECH_SEC_ACTIVE) != 0)
+ if ((mech->flags & SASL_MECH_SEC_ACTIVE) != 0)
 str_append(handshake, "\tactive");
- if ((mech->flags & MECH_SEC_FORWARD_SECRECY) != 0)
+ if ((mech->flags & SASL_MECH_SEC_FORWARD_SECRECY) != 0)
 str_append(handshake, "\tforward-secrecy");
- if ((mech->flags & MECH_SEC_MUTUAL_AUTH) != 0)
+ if ((mech->flags & SASL_MECH_SEC_MUTUAL_AUTH) != 0)
 str_append(handshake, "\tmutual-auth");
- if ((mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+ if ((mech->flags & SASL_MECH_SEC_CHANNEL_BINDING) != 0)
 str_append(handshake, "\tchannel-binding");
 str_append_c(handshake, '\n');
diff --git a/src/auth/sasl-server-mech-anonymous.c b/src/auth/sasl-server-mech-anonymous.c
index 87ee07e3f7..c83823242e 100644
--- a/src/auth/sasl-server-mech-anonymous.c
+++ b/src/auth/sasl-server-mech-anonymous.c
@@ -35,7 +35,7 @@ static struct auth_request *mech_anonymous_auth_new(void)
 const struct mech_module mech_anonymous = {
 .mech_name = "ANONYMOUS",
- .flags = MECH_SEC_ANONYMOUS | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ANONYMOUS | SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_NOTHING,
 .auth_new = mech_anonymous_auth_new,
diff --git a/src/auth/sasl-server-mech-cram-md5.c b/src/auth/sasl-server-mech-cram-md5.c
index e98a8e0805..a5f0558965 100644
--- a/src/auth/sasl-server-mech-cram-md5.c
+++ b/src/auth/sasl-server-mech-cram-md5.c
@@ -180,7 +180,7 @@ static struct auth_request *mech_cram_md5_auth_new(void)
 const struct mech_module mech_cram_md5 = {
 .mech_name = "CRAM-MD5",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE,
 .passdb_need = MECH_PASSDB_NEED_VERIFY_RESPONSE,
 .auth_new = mech_cram_md5_auth_new,
diff --git a/src/auth/sasl-server-mech-digest-md5.c b/src/auth/sasl-server-mech-digest-md5.c
index 2058e7fa54..710f6994ab 100644
--- a/src/auth/sasl-server-mech-digest-md5.c
+++ b/src/auth/sasl-server-mech-digest-md5.c
@@ -620,8 +620,8 @@ static struct auth_request *mech_digest_md5_auth_new(void)
 const struct mech_module mech_digest_md5 = {
 .mech_name = "DIGEST-MD5",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
- MECH_SEC_MUTUAL_AUTH,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE |
+ SASL_MECH_SEC_MUTUAL_AUTH,
 .passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
 .auth_new = mech_digest_md5_auth_new,
diff --git a/src/auth/sasl-server-mech-gssapi.c b/src/auth/sasl-server-mech-gssapi.c
index f6e2daccd1..20067559cb 100644
--- a/src/auth/sasl-server-mech-gssapi.c
+++ b/src/auth/sasl-server-mech-gssapi.c
@@ -692,7 +692,7 @@ mech_gssapi_auth_free(struct auth_request *auth_request)
 const struct mech_module mech_gssapi = {
 .mech_name = "GSSAPI",
- .flags = MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_NOTHING,
 .auth_new = mech_gssapi_auth_new,
@@ -707,7 +707,7 @@ const struct mech_module mech_gssapi = {
 const struct mech_module mech_gssapi_spnego = {
 .mech_name = "GSS-SPNEGO",
- .flags = MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_NOTHING,
 .auth_new = mech_gssapi_auth_new,
diff --git a/src/auth/sasl-server-mech-login.c b/src/auth/sasl-server-mech-login.c
index bfb095e3b8..140a5e47f3 100644
--- a/src/auth/sasl-server-mech-login.c
+++ b/src/auth/sasl-server-mech-login.c
@@ -64,7 +64,7 @@ static struct auth_request *mech_login_auth_new(void)
 const struct mech_module mech_login = {
 .mech_name = "LOGIN",
- .flags = MECH_SEC_PLAINTEXT,
+ .flags = SASL_MECH_SEC_PLAINTEXT,
 .passdb_need = MECH_PASSDB_NEED_VERIFY_PLAIN,
 .auth_new = mech_login_auth_new,
diff --git a/src/auth/sasl-server-mech-oauth2.c b/src/auth/sasl-server-mech-oauth2.c
index 8fad0aef6e..3ccfc3a207 100644
--- a/src/auth/sasl-server-mech-oauth2.c
+++ b/src/auth/sasl-server-mech-oauth2.c
@@ -310,7 +310,7 @@ const struct mech_module mech_oauthbearer = {
 /* while this does not transfer plaintext password, the token is still considered as password */
- .flags = MECH_SEC_PLAINTEXT,
+ .flags = SASL_MECH_SEC_PLAINTEXT,
 .passdb_need = 0,
 .auth_new = mech_oauth2_auth_new,
@@ -322,7 +322,7 @@ const struct mech_module mech_oauthbearer = {
 const struct mech_module mech_xoauth2 = {
 .mech_name = "XOAUTH2",
- .flags = MECH_SEC_PLAINTEXT,
+ .flags = SASL_MECH_SEC_PLAINTEXT,
 .passdb_need = 0,
 .auth_new = mech_oauth2_auth_new,
diff --git a/src/auth/sasl-server-mech-otp.c b/src/auth/sasl-server-mech-otp.c
index 2e179c3c28..6206300ac8 100644
--- a/src/auth/sasl-server-mech-otp.c
+++ b/src/auth/sasl-server-mech-otp.c
@@ -319,7 +319,8 @@ static void mech_otp_auth_free(struct auth_request *auth_request)
 const struct mech_module mech_otp = {
 .mech_name = "OTP",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE |
+ SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_SET_CREDENTIALS,
 .auth_new = mech_otp_auth_new,
diff --git a/src/auth/sasl-server-mech-plain.c b/src/auth/sasl-server-mech-plain.c
index 53c1a8299b..9b5740b3fc 100644
--- a/src/auth/sasl-server-mech-plain.c
+++ b/src/auth/sasl-server-mech-plain.c
@@ -78,7 +78,7 @@ static struct auth_request *mech_plain_auth_new(void)
 const struct mech_module mech_plain = {
 .mech_name = "PLAIN",
- .flags = MECH_SEC_PLAINTEXT | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_PLAINTEXT | SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_VERIFY_PLAIN,
 .auth_new = mech_plain_auth_new,
diff --git a/src/auth/sasl-server-mech-scram.c b/src/auth/sasl-server-mech-scram.c
index 15236e89fd..4baf20643f 100644
--- a/src/auth/sasl-server-mech-scram.c
+++ b/src/auth/sasl-server-mech-scram.c
@@ -227,7 +227,7 @@ static void mech_scram_auth_free(struct auth_request *auth_request)
 const struct mech_module mech_scram_sha1 = {
 .mech_name = "SCRAM-SHA-1",
- .flags = MECH_SEC_MUTUAL_AUTH,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH,
 .passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
 .auth_new = mech_scram_sha1_auth_new,
@@ -239,7 +239,7 @@ const struct mech_module mech_scram_sha1 = {
 const struct mech_module mech_scram_sha1_plus = {
 .mech_name = "SCRAM-SHA-1-PLUS",
- .flags = MECH_SEC_MUTUAL_AUTH | MECH_SEC_CHANNEL_BINDING,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH | SASL_MECH_SEC_CHANNEL_BINDING,
 .passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
 .auth_new = mech_scram_sha1_auth_new,
@@ -251,7 +251,7 @@ const struct mech_module mech_scram_sha1_plus = {
 const struct mech_module mech_scram_sha256 = {
 .mech_name = "SCRAM-SHA-256",
- .flags = MECH_SEC_MUTUAL_AUTH,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH,
 .passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
 .auth_new = mech_scram_sha256_auth_new,
@@ -263,7 +263,7 @@ const struct mech_module mech_scram_sha256 = {
 const struct mech_module mech_scram_sha256_plus = {
 .mech_name = "SCRAM-SHA-256-PLUS",
- .flags = MECH_SEC_MUTUAL_AUTH | MECH_SEC_CHANNEL_BINDING,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH | SASL_MECH_SEC_CHANNEL_BINDING,
 .passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
 .auth_new = mech_scram_sha256_auth_new,
diff --git a/src/auth/sasl-server-mech-winbind.c b/src/auth/sasl-server-mech-winbind.c
index ed508a6184..86e96c101d 100644
--- a/src/auth/sasl-server-mech-winbind.c
+++ b/src/auth/sasl-server-mech-winbind.c
@@ -341,8 +341,8 @@ static struct auth_request *mech_winbind_spnego_auth_new(void)
 const struct mech_module mech_winbind_ntlm = {
 .mech_name = "NTLM",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
- MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE |
+ SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_NOTHING,
 .auth_new = mech_winbind_ntlm_auth_new,
@@ -354,7 +354,7 @@ const struct mech_module mech_winbind_ntlm = {
 const struct mech_module mech_winbind_spnego = {
 .mech_name = "GSS-SPNEGO",
- .flags = MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ALLOW_NULS,
 .passdb_need = MECH_PASSDB_NEED_NOTHING,
 .auth_new = mech_winbind_spnego_auth_new,
diff --git a/src/auth/sasl-server-protected.h b/src/auth/sasl-server-protected.h
index 0ea486de33..b7d8f74105 100644
--- a/src/auth/sasl-server-protected.h
+++ b/src/auth/sasl-server-protected.h
@@ -11,7 +11,7 @@ struct auth_request;
 struct mech_module {
 const char *mech_name;
- enum mech_security_flags flags;
+ enum sasl_mech_security_flags flags;
 enum mech_passdb_need passdb_need;
 struct auth_request *(*auth_new)(void);
diff --git a/src/auth/sasl-server.h b/src/auth/sasl-server.h
index 0c153fe4a4..e45266310f 100644
--- a/src/auth/sasl-server.h
+++ b/src/auth/sasl-server.h
@@ -3,6 +3,8 @@
 #include "auth-client-interface.h"
+#include "sasl-common.h"
+
 enum mech_passdb_need {
 /* Mechanism doesn't need a passdb at all */
 MECH_PASSDB_NEED_NOTHING = 0,
diff --git a/src/imap-urlauth-login/Makefile.am b/src/imap-urlauth-login/Makefile.am
index d44e24c488..528dc50d6e 100644
--- a/src/imap-urlauth-login/Makefile.am
+++ b/src/imap-urlauth-login/Makefile.am
@@ -8,6 +8,7 @@ AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib-settings \
 -I$(top_srcdir)/src/lib-auth-client \
 -I$(top_srcdir)/src/lib-master \
+ -I$(top_srcdir)/src/lib-sasl \
 -I$(top_srcdir)/src/lib-login \
 -I$(top_srcdir)/src/lib-var-expand \
 $(BINARY_CFLAGS)
diff --git a/src/imap-urlauth/Makefile.am b/src/imap-urlauth/Makefile.am
index 0b38db2ea9..72006656f9 100644
--- a/src/imap-urlauth/Makefile.am
+++ b/src/imap-urlauth/Makefile.am
@@ -6,6 +6,7 @@ pkglibexec_PROGRAMS = imap-urlauth imap-urlauth-worker
 AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib \
 -I$(top_srcdir)/src/lib-settings \
+ -I$(top_srcdir)/src/lib-sasl \
 -I$(top_srcdir)/src/lib-auth-client \
 -I$(top_srcdir)/src/lib-master \
 -I$(top_srcdir)/src/lib-login \
diff --git a/src/lib-auth-client/Makefile.am b/src/lib-auth-client/Makefile.am
index 402b037294..afb77b8cbe 100644
--- a/src/lib-auth-client/Makefile.am
+++ b/src/lib-auth-client/Makefile.am
@@ -4,6 +4,7 @@ AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib \
 -I$(top_srcdir)/src/lib-master \
 -I$(top_srcdir)/src/lib-settings \
+ -I$(top_srcdir)/src/lib-sasl \
 -I$(top_srcdir)/src/lib-test \
 -I$(top_srcdir)/src/lib-var-expand
diff --git a/src/lib-auth-client/auth-client-connection.c b/src/lib-auth-client/auth-client-connection.c
index 886dd3df91..8e6bb8ab18 100644
--- a/src/lib-auth-client/auth-client-connection.c
+++ b/src/lib-auth-client/auth-client-connection.c
@@ -78,21 +78,21 @@ auth_server_input_mech(struct auth_client_connection *conn,
 for (args++; *args != NULL; args++) {
 if (strcmp(*args, "private") == 0)
- mech_desc.flags |= MECH_SEC_PRIVATE;
+ mech_desc.flags |= SASL_MECH_SEC_PRIVATE;
 else if (strcmp(*args, "anonymous") == 0)
- mech_desc.flags |= MECH_SEC_ANONYMOUS;
+ mech_desc.flags |= SASL_MECH_SEC_ANONYMOUS;
 else if (strcmp(*args, "plaintext") == 0)
- mech_desc.flags |= MECH_SEC_PLAINTEXT;
+ mech_desc.flags |= SASL_MECH_SEC_PLAINTEXT;
 else if (strcmp(*args, "dictionary") == 0)
- mech_desc.flags |= MECH_SEC_DICTIONARY;
+ mech_desc.flags |= SASL_MECH_SEC_DICTIONARY;
 else if (strcmp(*args, "active") == 0)
- mech_desc.flags |= MECH_SEC_ACTIVE;
+ mech_desc.flags |= SASL_MECH_SEC_ACTIVE;
 else if (strcmp(*args, "forward-secrecy") == 0)
- mech_desc.flags |= MECH_SEC_FORWARD_SECRECY;
+ mech_desc.flags |= SASL_MECH_SEC_FORWARD_SECRECY;
 else if (strcmp(*args, "mutual-auth") == 0)
- mech_desc.flags |= MECH_SEC_MUTUAL_AUTH;
+ mech_desc.flags |= SASL_MECH_SEC_MUTUAL_AUTH;
 else if (strcmp(*args, "channel-binding") == 0)
- mech_desc.flags |= MECH_SEC_CHANNEL_BINDING;
+ mech_desc.flags |= SASL_MECH_SEC_CHANNEL_BINDING;
 }
 array_push_back(&conn->available_auth_mechs, &mech_desc);
 return 0;
diff --git a/src/lib-auth-client/auth-client-interface.h b/src/lib-auth-client/auth-client-interface.h
index 5e22e0805f..1554409c4a 100644
--- a/src/lib-auth-client/auth-client-interface.h
+++ b/src/lib-auth-client/auth-client-interface.h
@@ -1,6 +1,8 @@
 #ifndef AUTH_CLIENT_INTERFACE_H
 #define AUTH_CLIENT_INTERFACE_H
+#include "sasl-common.h"
+
 /* Major version changes are not backwards compatible, minor version numbers can be ignored. */
 #define AUTH_CLIENT_PROTOCOL_MAJOR_VERSION 1
@@ -9,27 +11,6 @@
 /* GSSAPI can use quite large packets */
 #define AUTH_CLIENT_MAX_LINE_LENGTH 16384
-enum mech_security_flags {
- /* Don't advertise this as available SASL mechanism (eg. APOP) */
- MECH_SEC_PRIVATE = 0x0001,
- /* Anonymous authentication */
- MECH_SEC_ANONYMOUS = 0x0002,
- /* Transfers plaintext passwords */
- MECH_SEC_PLAINTEXT = 0x0004,
- /* Subject to passive (dictionary) attack */
- MECH_SEC_DICTIONARY = 0x0008,
- /* Subject to active (non-dictionary) attack */
- MECH_SEC_ACTIVE = 0x0010,
- /* Provides forward secrecy between sessions */
- MECH_SEC_FORWARD_SECRECY = 0x0020,
- /* Provides mutual authentication */
- MECH_SEC_MUTUAL_AUTH = 0x0040,
- /* Allow NULs in input data */
- MECH_SEC_ALLOW_NULS = 0x0080,
- /* Requires channel binding */
- MECH_SEC_CHANNEL_BINDING = 0x0100,
-};
-
 /* auth failure codes */
 #define AUTH_CLIENT_FAIL_CODE_AUTHZFAILED "authz_fail"
 #define AUTH_CLIENT_FAIL_CODE_TEMPFAIL "temp_fail"
diff --git a/src/lib-auth-client/auth-client.h b/src/lib-auth-client/auth-client.h
index 00334a0077..b9ba31fc79 100644
--- a/src/lib-auth-client/auth-client.h
+++ b/src/lib-auth-client/auth-client.h
@@ -35,7 +35,7 @@ enum auth_request_status {
 struct auth_mech_desc {
 char *name;
- enum mech_security_flags flags;
+ enum sasl_mech_security_flags flags;
 };
 struct auth_connect_id {
diff --git a/src/lib-login/Makefile.am b/src/lib-login/Makefile.am
index c12e47d1ea..a92f657868 100644
--- a/src/lib-login/Makefile.am
+++ b/src/lib-login/Makefile.am
@@ -5,6 +5,7 @@ noinst_LTLIBRARIES = liblogin.la
 AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib \
 -I$(top_srcdir)/src/lib-test \
+ -I$(top_srcdir)/src/lib-sasl \
 -I$(top_srcdir)/src/lib-auth-client \
 -I$(top_srcdir)/src/lib-master
diff --git a/src/lib-sasl/Makefile.am b/src/lib-sasl/Makefile.am
index 295b8384ef..c6f69fc662 100644
--- a/src/lib-sasl/Makefile.am
+++ b/src/lib-sasl/Makefile.am
@@ -21,6 +21,7 @@ libsasl_la_DEPENDENCIES = \
 ../lib-json/libjson.la
 headers = \
+ sasl-common.h \
 dsasl-client.h \
 dsasl-client-private.h
diff --git a/src/lib-sasl/sasl-common.h b/src/lib-sasl/sasl-common.h
new file mode 100644
index 0000000000..210dfc55c1
--- /dev/null
+++ b/src/lib-sasl/sasl-common.h
@@ -0,0 +1,25 @@
+#ifndef SASL_COMMON_H
+#define SASL_COMMON_H
+
+enum sasl_mech_security_flags {
+ /* Don't advertise this as available SASL mechanism (eg. APOP) */
+ SASL_MECH_SEC_PRIVATE = 0x0001,
+ /* Anonymous authentication */
+ SASL_MECH_SEC_ANONYMOUS = 0x0002,
+ /* Transfers plaintext passwords */
+ SASL_MECH_SEC_PLAINTEXT = 0x0004,
+ /* Subject to passive (dictionary) attack */
+ SASL_MECH_SEC_DICTIONARY = 0x0008,
+ /* Subject to active (non-dictionary) attack */
+ SASL_MECH_SEC_ACTIVE = 0x0010,
+ /* Provides forward secrecy between sessions */
+ SASL_MECH_SEC_FORWARD_SECRECY = 0x0020,
+ /* Provides mutual authentication */
+ SASL_MECH_SEC_MUTUAL_AUTH = 0x0040,
+ /* Allow NULs in input data */
+ SASL_MECH_SEC_ALLOW_NULS = 0x0080,
+ /* Requires channel binding */
+ SASL_MECH_SEC_CHANNEL_BINDING = 0x0100,
+};
+
+#endif
diff --git a/src/login-common/Makefile.am b/src/login-common/Makefile.am
index cd196ed59c..2999fa94a7 100644
--- a/src/login-common/Makefile.am
+++ b/src/login-common/Makefile.am
@@ -3,8 +3,8 @@ noinst_LTLIBRARIES = liblogin.la
 AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib \
 -I$(top_srcdir)/src/lib-settings \
- -I$(top_srcdir)/src/lib-auth-client \
 -I$(top_srcdir)/src/lib-sasl \
+ -I$(top_srcdir)/src/lib-auth-client \
 -I$(top_srcdir)/src/lib-master \
 -I$(top_srcdir)/src/lib-login \
 -I$(top_srcdir)/src/lib-ssl-iostream \
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index c1cfebf70c..15cbdd6165 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
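Review bot: The enum moved into sasl-common.h carries no note that it is also a wire format: mech_register_add in src/auth/mech.c emits eight of these flags as the textual tokens `private`, `anonymous`, `plaintext`, `dictionary`, `active`, `forward-secrecy`, `mutual-auth` and `channel-binding`, auth_server_input_mech in src/lib-auth-client/auth-client-connection.c parses the same eight back, and SASL_MECH_SEC_ALLOW_NULS has no token on either side. Now that the definition lives in lib-sasl, away from both sites, a flag added here gets no token unless both files are updated by hand, and the parser's if/else chain drops any token it does not recognise without complaint. I would add a comment above the enum stating that every flag except SASL_MECH_SEC_ALLOW_NULS has a matching textual token emitted in src/auth/mech.c and parsed in src/lib-auth-client/auth-client-connection.c, and that the three places must be kept in sync, and change the ALLOW_NULS comment to `/* Allow NULs in input data (server-internal; never advertised to clients) */`.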
@@ -41,11 +41,11 @@ sasl_server_filter_mech(struct client *client, struct auth_mech_desc *mech,
 return FALSE;
 /* Disable anonymous mechanisms unless the protocol explicitly allows anonymous login when configured. */
- if ((mech->flags & MECH_SEC_ANONYMOUS) != 0 &&
+ if ((mech->flags & SASL_MECH_SEC_ANONYMOUS) != 0 &&
 !login_binary->anonymous_login_acceptable)
 return FALSE;
 /* Don't advertize private mechanisms. */
- if (advertize && (mech->flags & MECH_SEC_PRIVATE) != 0)
+ if (advertize && (mech->flags & SASL_MECH_SEC_PRIVATE) != 0)
 return FALSE;
 /* Only advertize this mechanism if either: a) transport is secured
@@ -58,12 +58,12 @@ sasl_server_filter_mech(struct client *client, struct auth_mech_desc *mech,
 */
 if (advertize && !client->connection_secured &&
 !client->set->auth_allow_cleartext &&
- (mech->flags & MECH_SEC_PLAINTEXT) != 0)
+ (mech->flags & SASL_MECH_SEC_PLAINTEXT) != 0)
 return FALSE;
 /* Disable mechanisms that require channel binding when there is no TLS layer (yet). */
 if (client->ssl_iostream == NULL &&
- (mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+ (mech->flags & SASL_MECH_SEC_CHANNEL_BINDING) != 0)
 return FALSE;
 return TRUE;
@@ -591,17 +591,17 @@ void sasl_server_auth_begin(struct client *client, const char *mech_name,
 mech = sasl_server_find_available_mech(client, mech_name);
 if (mech == NULL ||
- ((mech->flags & MECH_SEC_PRIVATE) != 0 && !private)) {
+ ((mech->flags & SASL_MECH_SEC_PRIVATE) != 0 && !private)) {
 sasl_server_auth_failed(client, "Unsupported authentication mechanism.", AUTH_CLIENT_FAIL_CODE_MECH_INVALID);
 return;
 }
- i_assert(!private || (mech->flags & MECH_SEC_PRIVATE) != 0);
+ i_assert(!private || (mech->flags & SASL_MECH_SEC_PRIVATE) != 0);
 if (!client->connection_secured &&
 !client->set->auth_allow_cleartext &&
- (mech->flags & MECH_SEC_PLAINTEXT) != 0) {
+ (mech->flags & SASL_MECH_SEC_PLAINTEXT) != 0) {
 client_notify_status(client, TRUE, "cleartext authentication not allowed " "without SSL/TLS, but your client did it anyway. "