Move to lib-sasl.
AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-auth \
+ -I$(top_srcdir)/src/lib-sasl \
-I$(top_srcdir)/src/lib-auth-client \
-I$(top_srcdir)/src/lib-test \
-I$(top_srcdir)/src/lib-json \
auth_request_fail_on_nuls(struct auth_request *request,
const unsigned char *data, size_t data_size)
{
- if ((request->mech->flags & MECH_SEC_ALLOW_NULS) != 0)
+ if ((request->mech->flags & SASL_MECH_SEC_ALLOW_NULS) != 0)
return FALSE;
if (memchr(data, '\0', data_size) != NULL) {
e_debug(request->mech_event, "Unexpected NUL in auth data");
const struct mech_module mech_apop = {
.mech_name = "APOP",
- .flags = MECH_SEC_PRIVATE | MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
- MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_PRIVATE | SASL_MECH_SEC_DICTIONARY |
+ SASL_MECH_SEC_ACTIVE | SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_VERIFY_RESPONSE,
.auth_new = mech_apop_auth_new,
const struct mech_module mech_dovecot_token = {
.mech_name = "DOVECOT-TOKEN",
- .flags = MECH_SEC_PRIVATE | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_PRIVATE | SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
.auth_new = mech_dovecot_token_auth_new,
list = p_new(reg->pool, struct mech_module_list, 1);
list->module = *mech;
- if ((mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+ if ((mech->flags & SASL_MECH_SEC_CHANNEL_BINDING) != 0)
handshake = reg->handshake_cbind;
else
handshake = reg->handshake;
str_printfa(handshake, "MECH\t%s", mech->mech_name);
- if ((mech->flags & MECH_SEC_PRIVATE) != 0)
+ if ((mech->flags & SASL_MECH_SEC_PRIVATE) != 0)
str_append(handshake, "\tprivate");
- if ((mech->flags & MECH_SEC_ANONYMOUS) != 0)
+ if ((mech->flags & SASL_MECH_SEC_ANONYMOUS) != 0)
str_append(handshake, "\tanonymous");
- if ((mech->flags & MECH_SEC_PLAINTEXT) != 0)
+ if ((mech->flags & SASL_MECH_SEC_PLAINTEXT) != 0)
str_append(handshake, "\tplaintext");
- if ((mech->flags & MECH_SEC_DICTIONARY) != 0)
+ if ((mech->flags & SASL_MECH_SEC_DICTIONARY) != 0)
str_append(handshake, "\tdictionary");
- if ((mech->flags & MECH_SEC_ACTIVE) != 0)
+ if ((mech->flags & SASL_MECH_SEC_ACTIVE) != 0)
str_append(handshake, "\tactive");
- if ((mech->flags & MECH_SEC_FORWARD_SECRECY) != 0)
+ if ((mech->flags & SASL_MECH_SEC_FORWARD_SECRECY) != 0)
str_append(handshake, "\tforward-secrecy");
- if ((mech->flags & MECH_SEC_MUTUAL_AUTH) != 0)
+ if ((mech->flags & SASL_MECH_SEC_MUTUAL_AUTH) != 0)
str_append(handshake, "\tmutual-auth");
- if ((mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+ if ((mech->flags & SASL_MECH_SEC_CHANNEL_BINDING) != 0)
str_append(handshake, "\tchannel-binding");
str_append_c(handshake, '\n');
const struct mech_module mech_anonymous = {
.mech_name = "ANONYMOUS",
- .flags = MECH_SEC_ANONYMOUS | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ANONYMOUS | SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
.auth_new = mech_anonymous_auth_new,
const struct mech_module mech_cram_md5 = {
.mech_name = "CRAM-MD5",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE,
.passdb_need = MECH_PASSDB_NEED_VERIFY_RESPONSE,
.auth_new = mech_cram_md5_auth_new,
const struct mech_module mech_digest_md5 = {
.mech_name = "DIGEST-MD5",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
- MECH_SEC_MUTUAL_AUTH,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE |
+ SASL_MECH_SEC_MUTUAL_AUTH,
.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
.auth_new = mech_digest_md5_auth_new,
const struct mech_module mech_gssapi = {
.mech_name = "GSSAPI",
- .flags = MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
.auth_new = mech_gssapi_auth_new,
const struct mech_module mech_gssapi_spnego = {
.mech_name = "GSS-SPNEGO",
- .flags = MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
.auth_new = mech_gssapi_auth_new,
const struct mech_module mech_login = {
.mech_name = "LOGIN",
- .flags = MECH_SEC_PLAINTEXT,
+ .flags = SASL_MECH_SEC_PLAINTEXT,
.passdb_need = MECH_PASSDB_NEED_VERIFY_PLAIN,
.auth_new = mech_login_auth_new,
/* while this does not transfer plaintext password,
the token is still considered as password */
- .flags = MECH_SEC_PLAINTEXT,
+ .flags = SASL_MECH_SEC_PLAINTEXT,
.passdb_need = 0,
.auth_new = mech_oauth2_auth_new,
const struct mech_module mech_xoauth2 = {
.mech_name = "XOAUTH2",
- .flags = MECH_SEC_PLAINTEXT,
+ .flags = SASL_MECH_SEC_PLAINTEXT,
.passdb_need = 0,
.auth_new = mech_oauth2_auth_new,
const struct mech_module mech_otp = {
.mech_name = "OTP",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE |
+ SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_SET_CREDENTIALS,
.auth_new = mech_otp_auth_new,
const struct mech_module mech_plain = {
.mech_name = "PLAIN",
- .flags = MECH_SEC_PLAINTEXT | MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_PLAINTEXT | SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_VERIFY_PLAIN,
.auth_new = mech_plain_auth_new,
const struct mech_module mech_scram_sha1 = {
.mech_name = "SCRAM-SHA-1",
- .flags = MECH_SEC_MUTUAL_AUTH,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH,
.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
.auth_new = mech_scram_sha1_auth_new,
const struct mech_module mech_scram_sha1_plus = {
.mech_name = "SCRAM-SHA-1-PLUS",
- .flags = MECH_SEC_MUTUAL_AUTH | MECH_SEC_CHANNEL_BINDING,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH | SASL_MECH_SEC_CHANNEL_BINDING,
.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
.auth_new = mech_scram_sha1_auth_new,
const struct mech_module mech_scram_sha256 = {
.mech_name = "SCRAM-SHA-256",
- .flags = MECH_SEC_MUTUAL_AUTH,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH,
.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
.auth_new = mech_scram_sha256_auth_new,
const struct mech_module mech_scram_sha256_plus = {
.mech_name = "SCRAM-SHA-256-PLUS",
- .flags = MECH_SEC_MUTUAL_AUTH | MECH_SEC_CHANNEL_BINDING,
+ .flags = SASL_MECH_SEC_MUTUAL_AUTH | SASL_MECH_SEC_CHANNEL_BINDING,
.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
.auth_new = mech_scram_sha256_auth_new,
const struct mech_module mech_winbind_ntlm = {
.mech_name = "NTLM",
- .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE |
- MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_DICTIONARY | SASL_MECH_SEC_ACTIVE |
+ SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
.auth_new = mech_winbind_ntlm_auth_new,
const struct mech_module mech_winbind_spnego = {
.mech_name = "GSS-SPNEGO",
- .flags = MECH_SEC_ALLOW_NULS,
+ .flags = SASL_MECH_SEC_ALLOW_NULS,
.passdb_need = MECH_PASSDB_NEED_NOTHING,
.auth_new = mech_winbind_spnego_auth_new,
struct mech_module {
const char *mech_name;
- enum mech_security_flags flags;
+ enum sasl_mech_security_flags flags;
enum mech_passdb_need passdb_need;
struct auth_request *(*auth_new)(void);
#include "auth-client-interface.h"
+#include "sasl-common.h"
+
enum mech_passdb_need {
/* Mechanism doesn't need a passdb at all */
MECH_PASSDB_NEED_NOTHING = 0,
-I$(top_srcdir)/src/lib-settings \
-I$(top_srcdir)/src/lib-auth-client \
-I$(top_srcdir)/src/lib-master \
+ -I$(top_srcdir)/src/lib-sasl \
-I$(top_srcdir)/src/lib-login \
-I$(top_srcdir)/src/lib-var-expand \
$(BINARY_CFLAGS)
AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-settings \
+ -I$(top_srcdir)/src/lib-sasl \
-I$(top_srcdir)/src/lib-auth-client \
-I$(top_srcdir)/src/lib-master \
-I$(top_srcdir)/src/lib-login \
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-master \
-I$(top_srcdir)/src/lib-settings \
+ -I$(top_srcdir)/src/lib-sasl \
-I$(top_srcdir)/src/lib-test \
-I$(top_srcdir)/src/lib-var-expand
for (args++; *args != NULL; args++) {
if (strcmp(*args, "private") == 0)
- mech_desc.flags |= MECH_SEC_PRIVATE;
+ mech_desc.flags |= SASL_MECH_SEC_PRIVATE;
else if (strcmp(*args, "anonymous") == 0)
- mech_desc.flags |= MECH_SEC_ANONYMOUS;
+ mech_desc.flags |= SASL_MECH_SEC_ANONYMOUS;
else if (strcmp(*args, "plaintext") == 0)
- mech_desc.flags |= MECH_SEC_PLAINTEXT;
+ mech_desc.flags |= SASL_MECH_SEC_PLAINTEXT;
else if (strcmp(*args, "dictionary") == 0)
- mech_desc.flags |= MECH_SEC_DICTIONARY;
+ mech_desc.flags |= SASL_MECH_SEC_DICTIONARY;
else if (strcmp(*args, "active") == 0)
- mech_desc.flags |= MECH_SEC_ACTIVE;
+ mech_desc.flags |= SASL_MECH_SEC_ACTIVE;
else if (strcmp(*args, "forward-secrecy") == 0)
- mech_desc.flags |= MECH_SEC_FORWARD_SECRECY;
+ mech_desc.flags |= SASL_MECH_SEC_FORWARD_SECRECY;
else if (strcmp(*args, "mutual-auth") == 0)
- mech_desc.flags |= MECH_SEC_MUTUAL_AUTH;
+ mech_desc.flags |= SASL_MECH_SEC_MUTUAL_AUTH;
else if (strcmp(*args, "channel-binding") == 0)
- mech_desc.flags |= MECH_SEC_CHANNEL_BINDING;
+ mech_desc.flags |= SASL_MECH_SEC_CHANNEL_BINDING;
}
array_push_back(&conn->available_auth_mechs, &mech_desc);
return 0;
#ifndef AUTH_CLIENT_INTERFACE_H
#define AUTH_CLIENT_INTERFACE_H
+#include "sasl-common.h"
+
/* Major version changes are not backwards compatible,
minor version numbers can be ignored. */
#define AUTH_CLIENT_PROTOCOL_MAJOR_VERSION 1
/* GSSAPI can use quite large packets */
#define AUTH_CLIENT_MAX_LINE_LENGTH 16384
-enum mech_security_flags {
- /* Don't advertise this as available SASL mechanism (eg. APOP) */
- MECH_SEC_PRIVATE = 0x0001,
- /* Anonymous authentication */
- MECH_SEC_ANONYMOUS = 0x0002,
- /* Transfers plaintext passwords */
- MECH_SEC_PLAINTEXT = 0x0004,
- /* Subject to passive (dictionary) attack */
- MECH_SEC_DICTIONARY = 0x0008,
- /* Subject to active (non-dictionary) attack */
- MECH_SEC_ACTIVE = 0x0010,
- /* Provides forward secrecy between sessions */
- MECH_SEC_FORWARD_SECRECY = 0x0020,
- /* Provides mutual authentication */
- MECH_SEC_MUTUAL_AUTH = 0x0040,
- /* Allow NULs in input data */
- MECH_SEC_ALLOW_NULS = 0x0080,
- /* Requires channel binding */
- MECH_SEC_CHANNEL_BINDING = 0x0100,
-};
-
/* auth failure codes */
#define AUTH_CLIENT_FAIL_CODE_AUTHZFAILED "authz_fail"
#define AUTH_CLIENT_FAIL_CODE_TEMPFAIL "temp_fail"
struct auth_mech_desc {
char *name;
- enum mech_security_flags flags;
+ enum sasl_mech_security_flags flags;
};
struct auth_connect_id {
AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-test \
+ -I$(top_srcdir)/src/lib-sasl \
-I$(top_srcdir)/src/lib-auth-client \
-I$(top_srcdir)/src/lib-master
../lib-json/libjson.la
headers = \
+ sasl-common.h \
dsasl-client.h \
dsasl-client-private.h
--- /dev/null
+#ifndef SASL_COMMON_H
+#define SASL_COMMON_H
+
+enum sasl_mech_security_flags {
+ /* Don't advertise this as available SASL mechanism (eg. APOP) */
+ SASL_MECH_SEC_PRIVATE = 0x0001,
+ /* Anonymous authentication */
+ SASL_MECH_SEC_ANONYMOUS = 0x0002,
+ /* Transfers plaintext passwords */
+ SASL_MECH_SEC_PLAINTEXT = 0x0004,
+ /* Subject to passive (dictionary) attack */
+ SASL_MECH_SEC_DICTIONARY = 0x0008,
+ /* Subject to active (non-dictionary) attack */
+ SASL_MECH_SEC_ACTIVE = 0x0010,
+ /* Provides forward secrecy between sessions */
+ SASL_MECH_SEC_FORWARD_SECRECY = 0x0020,
+ /* Provides mutual authentication */
+ SASL_MECH_SEC_MUTUAL_AUTH = 0x0040,
+ /* Allow NULs in input data */
+ SASL_MECH_SEC_ALLOW_NULS = 0x0080,
+ /* Requires channel binding */
+ SASL_MECH_SEC_CHANNEL_BINDING = 0x0100,
+};
+
+#endif
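Review bot: The new `enum sasl_mech_security_flags` has a comment per value but nothing explaining the enum's role, and this commit's other hunks show the flags are not just internal bits: the mechanism-registration code serializes each set flag as a tab-separated token ("private", "anonymous", "plaintext", ...) on the `MECH` handshake line, and the auth-client parser maps those same tokens back into `flags`. Since this header is now the one place both sides share, a comment above the enum should say so, e.g. `/* Security properties of a SASL mechanism. Each flag is advertised as a token on the auth protocol MECH handshake line, so a new flag must also be added to the handshake writer and the auth-client token parser. */`. It would also help to note that the numeric values are never sent on the wire, so they are safe to renumber, whereas the token strings are part of the auth-client protocol.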
AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-settings \
- -I$(top_srcdir)/src/lib-auth-client \
-I$(top_srcdir)/src/lib-sasl \
+ -I$(top_srcdir)/src/lib-auth-client \
-I$(top_srcdir)/src/lib-master \
-I$(top_srcdir)/src/lib-login \
-I$(top_srcdir)/src/lib-ssl-iostream \
return FALSE;
/* Disable anonymous mechanisms unless the protocol explicitly
allows anonymous login when configured. */
- if ((mech->flags & MECH_SEC_ANONYMOUS) != 0 &&
+ if ((mech->flags & SASL_MECH_SEC_ANONYMOUS) != 0 &&
!login_binary->anonymous_login_acceptable)
return FALSE;
/* Don't advertize private mechanisms. */
- if (advertize && (mech->flags & MECH_SEC_PRIVATE) != 0)
+ if (advertize && (mech->flags & SASL_MECH_SEC_PRIVATE) != 0)
return FALSE;
/* Only advertize this mechanism if either:
a) transport is secured
*/
if (advertize && !client->connection_secured &&
!client->set->auth_allow_cleartext &&
- (mech->flags & MECH_SEC_PLAINTEXT) != 0)
+ (mech->flags & SASL_MECH_SEC_PLAINTEXT) != 0)
return FALSE;
/* Disable mechanisms that require channel binding when there is no TLS
layer (yet). */
if (client->ssl_iostream == NULL &&
- (mech->flags & MECH_SEC_CHANNEL_BINDING) != 0)
+ (mech->flags & SASL_MECH_SEC_CHANNEL_BINDING) != 0)
return FALSE;
return TRUE;
mech = sasl_server_find_available_mech(client, mech_name);
if (mech == NULL ||
- ((mech->flags & MECH_SEC_PRIVATE) != 0 && !private)) {
+ ((mech->flags & SASL_MECH_SEC_PRIVATE) != 0 && !private)) {
sasl_server_auth_failed(client,
"Unsupported authentication mechanism.",
AUTH_CLIENT_FAIL_CODE_MECH_INVALID);
return;
}
- i_assert(!private || (mech->flags & MECH_SEC_PRIVATE) != 0);
+ i_assert(!private || (mech->flags & SASL_MECH_SEC_PRIVATE) != 0);
if (!client->connection_secured && !client->set->auth_allow_cleartext &&
- (mech->flags & MECH_SEC_PLAINTEXT) != 0) {
+ (mech->flags & SASL_MECH_SEC_PLAINTEXT) != 0) {
client_notify_status(client, TRUE,
"cleartext authentication not allowed "
"without SSL/TLS, but your client did it anyway. "