commit fc300fd811e56407d329a895e91e9dd84ca84297
parent e67cf01eb834901c53c549985ac945c8723a1144
Author: Anton Khirnov <anton@khirnov.net>
Date: Sun, 3 Jan 2021 19:39:08 +0100
Set authentication id for the SASL EXTERNAL mechanism
The SASL library will refuse to use the EXTERNAL module when no auth id
is set a priori.
Tested to work with Dovecot, using TLS client certificates for
authentication.
Diffstat:
1 file changed, 16 insertions(+), 0 deletions(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
@@ -2273,6 +2273,7 @@ imap_open_store_authenticate2( imap_store_t *ctx )
#ifdef HAVE_LIBSASL
const char *saslavail;
char saslmechs[1024], *saslend = saslmechs;
+ int want_external = 0;
#endif
// Ensure that there are no leftovers from previous runs. This is needed in case
@@ -2308,6 +2309,9 @@ imap_open_store_authenticate2( imap_store_t *ctx )
*saslend++ = ' ';
memcpy( saslend, cmech->string, len + 1 );
saslend += len;
+
+ if (!strcasecmp( cmech->string, "EXTERNAL" ))
+ want_external = 1;
#endif
}
}
@@ -2343,6 +2347,18 @@ imap_open_store_authenticate2( imap_store_t *ctx )
goto bail;
}
+ // The built-in EXTERNAL mechanism wants the authentication id to be set
+ // even before instantiation; consequently it won't prompt for it, either.
+ // While this clearly makes sense on the server side, it arguably does not
+ // on the client side. Ah, well ...
+ if (want_external && ensure_user( srvc )) {
+ rc = sasl_setprop( ctx->sasl, SASL_AUTH_EXTERNAL, srvc->user );
+ if (rc != SASL_OK ) {
+ error( "Error setting SASL authentication id: %s\n", sasl_errdetail( ctx->sasl ) );
+ goto bail;
+ }
+ }
+
rc = sasl_client_start( ctx->sasl, saslmechs + 1, &interact, CAP(SASLIR) ? &out : NULL, &out_len, &gotmech );
if (rc == SASL_NOMECH)
goto notsasl;