Postfix 2.6 will pass the "TLS is active flag". I have changed the
API so that we no longer need to make code changes in every SASL
plugin when another attribute is added.

        Wietse

On Mon, Feb 23, 2009 at 02:18:01PM -0500, Timo Sirainen wrote:
> In some setups it's useful for authentication handling to know if the
> connection is SSL/TLS secured. The patch below should tell this to
> Dovecot. It compiles, but other than that I haven't yet tested it.
> 
> In any case, it looks like sending the SSL/TLS state requires an additional
> parameter to xsasl_server_create(). Wietse, how do you think the API
> should be changed to support this functionality? I guess the choices
> are:
> 
>  - int tls parameter as in the patch
>  - a more generic int flags bitmask
>  - secprops-like string
>  - replace all the existing parameters with a pointer to struct
> xsasl_parameters so more stuff can easily be added to it later.
> 
> I guess I'd prefer the last one, especially because other people also
> want to tell the local/remote IP addresses to SASL.
> 
> diff -ru postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c 
> postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c
> --- postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c 2007-10-05 18:56:34.000000000 
> -0400
> +++ postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c 2009-02-23 
> 13:59:28.000000000 -0500
> @@ -151,6 +151,7 @@
>                                  const char *sasl_opts_val)
>  {
>      const char *mechanism_list;
> +    int tls;
>  
>      /*
>       * Initialize SASL-specific state variables. Use long-lived storage for
> @@ -169,11 +170,16 @@
>       */
>  #define SMTPD_SASL_SERVICE "smtp"
>  
> +#ifdef USE_TLS
> +    tls = state->tls_context != 0;
> +#else
> +    tls = 0;
> +#endif
>      if ((state->sasl_server =
>        xsasl_server_create(smtpd_sasl_impl, state->client,
>                            SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
>                            var_smtpd_sasl_realm : (char *) 0,
> -                          sasl_opts_val)) == 0)
> +                          sasl_opts_val, tls)) == 0)
>       msg_fatal("SASL per-connection initialization failed");
>  
>      /*
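Review bot: The value computed at `tls = state->tls_context != 0;` is the only input that later makes the Dovecot backend advertise the session as `secured`, yet the derivation carries no comment saying so, and nothing states that it is only meaningful at the moment the SASL server object is created. If that object were created before STARTTLS and kept across it, the flag would be stale; I believe smtpd re-activates SASL after a successful STARTTLS, but that assumption is worth a sentence here. Suggest placing `/* TLS state as of SASL activation; the Dovecot backend relaxes its plaintext-mechanism policy ("secured") on this, so it must be recomputed if SASL is re-activated after STARTTLS. */` above the `#ifdef USE_TLS`. The enclosing function's start is outside the hunk.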
> diff -ru postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c 
> postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c
> --- postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c      2007-05-25 
> 12:42:17.000000000 -0400
> +++ postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c      2009-02-23 
> 14:03:21.000000000 -0500
> @@ -157,7 +157,8 @@
>                                                      VSTREAM *,
>                                                      const char *,
>                                                      const char *,
> -                                                    const char *);
> +                                                    const char *,
> +                                                    int);
>  static void xsasl_cyrus_server_free(XSASL_SERVER *);
>  static int xsasl_cyrus_server_first(XSASL_SERVER *, const char *,
>                                           const char *, VSTRING *);
> @@ -262,7 +263,8 @@
>                                                      VSTREAM *stream,
>                                                      const char *service,
>                                                      const char *realm,
> -                                                    const char *sec_props)
> +                                                    const char *sec_props,
> +                                                    int unused_tls)
>  {
>      const char *myname = "xsasl_cyrus_server_create";
>      char   *server_address;
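Review bot: The Cyrus backend now receives the TLS flag but drops it (`int unused_tls`), so the two backends diverge: Dovecot is told the session is protected while Cyrus keeps deciding on `sec_props` alone. If the intent is that the flag influences which mechanisms are offered, the Cyrus backend could hand the same information to the library through its external security-strength property (Cyrus SASL's `SASL_SSF_EXTERNAL` via `sasl_setprop`), or the divergence should be recorded in a comment such as `/* tls flag intentionally unused: Cyrus learns of TLS through the per-session sec_props instead */`. I have not checked what this file does with `sec_props` further down, and the function body continues outside the hunk.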
> diff -ru postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c 
> postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c
> --- postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c    2008-03-16 
> 19:09:04.000000000 -0400
> +++ postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c    2009-02-23 
> 14:02:49.000000000 -0500
> @@ -160,6 +160,7 @@
>      char   *username;                        /* authenticated user */
>      VSTRING *sasl_line;
>      unsigned int sec_props;          /* Postfix mechanism filter */
> +    int     tls;                        /* TLS enabled in this session */
>      char   *mechanism_list;          /* filtered mechanism list */
>      ARGV   *mechanism_argv;          /* ditto */
>  } XSASL_DOVECOT_SERVER;
> @@ -172,7 +173,8 @@
>                                                        VSTREAM *,
>                                                        const char *,
>                                                        const char *,
> -                                                      const char *);
> +                                                      const char *,
> +                                                      int);
>  static void xsasl_dovecot_server_free(XSASL_SERVER *);
>  static int xsasl_dovecot_server_first(XSASL_SERVER *, const char *,
>                                             const char *, VSTRING *);
> @@ -382,7 +384,8 @@
>                                                    VSTREAM *unused_stream,
>                                                        const char *service,
>                                                        const char *realm,
> -                                                   const char *sec_props)
> +                                                   const char *sec_props,
> +                                                   int tls)
>  {
>      const char *myname = "xsasl_dovecot_server_create";
>      XSASL_DOVECOT_SERVER *server;
> @@ -409,6 +412,7 @@
>      server->last_request_id = 0;
>      server->mechanism_list = 0;
>      server->mechanism_argv = 0;
> +    server->tls = tls;
>      server->sec_props =
>       name_mask_opt(myname, xsasl_dovecot_conf_sec_props,
>                     sec_props, NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
> @@ -608,6 +612,8 @@
>                       "AUTH\t%u\t%s\tservice=%s\tnologin",
>                       server->last_request_id, sasl_method,
>                       server->service);
> +     if (server->tls)
> +            vstream_fputs("\tsecured", server->impl->sasl_stream);
>       if (init_response) {
>  
>           /*
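Review bot: The added `if (server->tls)` guarding the `AUTH` request has an unbraced single-statement body and appends `\tsecured` through `vstream_fputs` while the rest of the request goes through the `vstream_fprintf` whose start lies outside the hunk; bracing it and saying what the token means would make the line self-explanatory, e.g. `if (server->tls) {` / `    vstream_fputs("\tsecured", server->impl->sasl_stream); /* Dovecot: client connection is TLS-protected */` / `}`. Because `secured` is what lets Dovecot offer plaintext mechanisms it would otherwise refuse, the comment should also note that the value is taken unmodified from the caller's TLS state at create time. The enclosing function starts before the hunk.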
> diff -ru postfix-2.5.6/src/xsasl/xsasl.h 
> postfix-2.5.6-dovecot/src/xsasl/xsasl.h
> --- postfix-2.5.6/src/xsasl/xsasl.h   2005-12-19 16:34:20.000000000 -0500
> +++ postfix-2.5.6-dovecot/src/xsasl/xsasl.h   2009-02-23 13:58:00.000000000 
> -0500
> @@ -45,15 +45,15 @@
>    * own private data.
>    */
>  typedef struct XSASL_SERVER_IMPL {
> -    XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, VSTREAM *, const 
> char *, const char *, const char *);
> +    XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, VSTREAM *, const 
> char *, const char *, const char *, int);
>      void    (*done) (struct XSASL_SERVER_IMPL *);
>  } XSASL_SERVER_IMPL;
>  
>  extern XSASL_SERVER_IMPL *xsasl_server_init(const char *, const char *);
>  extern ARGV *xsasl_server_types(void);
>  
> -#define xsasl_server_create(impl, stream, service, realm, sec_props) \
> -     (impl)->create((impl), (stream), (service), (realm), (sec_props))
> +#define xsasl_server_create(impl, stream, service, realm, sec_props, tls) \
> +     (impl)->create((impl), (stream), (service), (realm), (sec_props), (tls))
>  #define xsasl_server_done(impl) (impl)->done((impl));
>  
>   /*
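Review bot: The new trailing `int` in the `create` function-pointer type and in the `xsasl_server_create` macro is undocumented in xsasl.h; the other parameters are unnamed too, but a reader cannot tell whether the integer is a boolean, a bitmask, or something else. The comment block above the typedef (cut at the top of the hunk) is the place to say it, e.g. `/* The final int argument is non-zero when the client connection is TLS-protected; backends may relax their plaintext-mechanism policy on it. */`, and naming the parameter `tls` in the prototype as the macro already does would help.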
> 

