From 060e5281c684966d99a2252b6362fbac5558ee51 Mon Sep 17 00:00:00 2001
From: Stephan Bosch
Date: Wed, 4 Nov 2020 23:00:48 +0100
Subject: [PATCH] login-common: sasl-server - Add support for channel binding

---
 src/login-common/sasl-server.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 4e26730b7d..f02262c00f 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -60,6 +60,11 @@ sasl_server_filter_mech(struct client *client, struct auth_mech_desc *mech,
 !client->set->auth_allow_cleartext &&
 (mech->flags & MECH_SEC_PLAINTEXT) != 0)
 return FALSE;
+ /* Disable mechanisms that require channel binding when there is no TLS
+ layer (yet). */
+ if (client->ssl_iostream == NULL &&
+ (mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+ return FALSE;
 return TRUE;
 }
 
@@ -335,6 +340,16 @@ args_parse_user(struct client *client, const char *key, const char *value)
 return TRUE;
 }
 
+static int
+sasl_server_channel_binding(const char *type, void *context,
+ const buffer_t **data_r, const char **error_r)
+{
+ struct client *client = context;
+
+ return ssl_iostream_get_channel_binding(client->ssl_iostream,
+ type, data_r, error_r);
+}
+
 static void
 sasl_server_auth_success_finish(struct client *client, bool nologin,
 const char *data, const char *const *args)
@@ -585,6 +600,9 @@ void sasl_server_auth_begin(struct client *client, const char *mech_name,
 
 client->auth_request = auth_client_request_new(auth_client, &info,
 authenticate_callback, client);
+ auth_client_request_enable_channel_binding(client->auth_request,
+ sasl_server_channel_binding,
+ client);
 }
 
 static void ATTR_NULL(2, 3)
-- 
2.47.3
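Review bot: The new guard in sasl_server_filter_mech keys on `client->ssl_iostream`, i.e. a TLS layer terminated in this process, and that is the right discriminator: a connection merely marked secure by a trusted proxy has no local TLS session to derive binding data from, so a "secured" flag would be the wrong test here. The comment could record that rationale, e.g. `/* Channel binding needs the TLS layer of this connection itself, not just a "secured" status: hide these mechanisms until ssl_iostream exists (e.g. after STARTTLS). */`. Whether the filtered list is recomputed after STARTTLS depends on the callers of sasl_server_filter_mech, which lie outside this hunk; if any caller caches the mechanism list at connection setup, channel-binding mechanisms would stay hidden after the upgrade. sasl_server_filter_mech starts before the hunk.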
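Review bot: `sasl_server_channel_binding` hands `client->ssl_iostream` straight to `ssl_iostream_get_channel_binding` with no NULL check, while the third hunk registers this callback on every auth request, including requests on connections that have no TLS layer. The mechanism filter in the first hunk is then the only thing between such a request and a NULL dereference (unless ssl_iostream_get_channel_binding tolerates NULL, which the hunk does not show), so the callback should fail closed on its own, e.g. `if (client->ssl_iostream == NULL) { *error_r = "Channel binding requires a TLS layer"; return -1; }` before the call, assuming a negative return plus error_r is the failure convention the auth client expects. A short header comment would also help, e.g. `/* auth-client callback: fetch TLS channel binding data of the given type for this client's connection */`.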