auth: Support secured=tls

dovecot · Mar 13, 2018 · b06ad24 · b06ad24
1 parent b205e85
commit b06ad24
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 9 deletions.
diff --git a/src/auth/auth-request-var-expand.c b/src/auth/auth-request-var-expand.c
@@ -115,7 +115,12 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
 	}
 	tab[10].value = auth_request->mech_name == NULL ? "" :
 		escape_func(auth_request->mech_name, auth_request);
-	tab[11].value = auth_request->secured ? "secured" : "";
+	switch(auth_request->secured) {
+	case AUTH_REQUEST_SECURED_NONE: tab[11].value = ""; break;
+	case AUTH_REQUEST_SECURED: tab[11].value = "secured"; break;
+	case AUTH_REQUEST_SECURED_TLS: tab[11].value = "TLS"; break;
+	default: tab[11].value = ""; break;
+	};
 	tab[12].value = dec2str(auth_request->local_port);
 	tab[13].value = dec2str(auth_request->remote_port);
 	tab[14].value = auth_request->valid_client_cert ? "valid" : "";

diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
@@ -352,8 +352,12 @@ void auth_request_export(struct auth_request *request, string_t *dest)
 		str_printfa(dest, "\tsession=%s", request->session_id);
 	if (request->debug)
 		str_append(dest, "\tdebug");
-	if (request->secured)
-		str_append(dest, "\tsecured");
+	switch(request->secured) {
+	case AUTH_REQUEST_SECURED_NONE: break;
+	case AUTH_REQUEST_SECURED: str_append(dest, "\tsecured"); break;
+	case AUTH_REQUEST_SECURED_TLS: str_append(dest, "\tsecured=tls"); break;
+	default: break;
+	}
 	if (request->skip_password_check)
 		str_append(dest, "\tskip-password-check");
 	if (request->delayed_credentials != NULL)
@@ -437,8 +441,12 @@ bool auth_request_import_auth(struct auth_request *request,
 		return TRUE;
 
 	/* auth client may set these */
-	if (strcmp(key, "secured") == 0)
-		request->secured = TRUE;
+	if (strcmp(key, "secured") == 0) {
+		if (strcmp(value, "tls") == 0)
+			request->secured = AUTH_REQUEST_SECURED_TLS;
+		else
+			request->secured = AUTH_REQUEST_SECURED;
+	}
 	else if (strcmp(key, "final-resp-ok") == 0)
 		request->final_resp_ok = TRUE;
 	else if (strcmp(key, "no-penalty") == 0)

diff --git a/src/auth/auth-request.h b/src/auth/auth-request.h
@@ -23,6 +23,12 @@ enum auth_request_state {
 	AUTH_REQUEST_STATE_MAX
 };
 
+enum auth_request_secured {
+	AUTH_REQUEST_SECURED_NONE,
+	AUTH_REQUEST_SECURED,
+	AUTH_REQUEST_SECURED_TLS,
+};
+
 struct auth_request {
 	int refcount;
 
@@ -108,8 +114,9 @@ struct auth_request {
 	/* auth_debug is enabled for this request */
 	bool debug:1;
 
+	enum auth_request_secured secured;
+
 	/* flags received from auth client: */
-	bool secured:1;
 	bool final_resp_ok:1;
 	bool no_penalty:1;
 	bool valid_client_cert:1;

diff --git a/src/auth/test-auth-request-var-expand.c b/src/auth/test-auth-request-var-expand.c
@@ -30,7 +30,7 @@ static struct auth_request default_test_request = {
 	.client_pid = 54321,
 	.mech_password = "-password",
 	.mech_name = "-mech",
-	.secured = TRUE,
+	.secured = AUTH_REQUEST_SECURED,
 	.local_port = 21,
 	.remote_port = 210,
 	.valid_client_cert = TRUE,
@@ -122,15 +122,15 @@ static void test_auth_request_var_expand_flags(void)
 	test_begin("auth request var expand flags");
 
 	test_request.userdb_lookup = FALSE;
-	test_request.secured = FALSE;
+	test_request.secured = AUTH_REQUEST_SECURED_NONE;
 	test_request.valid_client_cert = FALSE;
 	test_assert(var_expand(str, test_input,
 		auth_request_get_var_expand_table(&test_request, test_escape),
 		&error) == 1);
 	test_assert(strcmp(str_c(str), "40\n\n\n") == 0);
 
 	test_request.userdb_lookup = TRUE;
-	test_request.secured = TRUE;
+	test_request.secured = AUTH_REQUEST_SECURED;
 	test_request.valid_client_cert = TRUE;
 
 	str_truncate(str, 0);