aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Holme <steve_holme@hotmail.com>2013-12-18 20:44:20 +0000
committerSteve Holme <steve_holme@hotmail.com>2013-12-18 20:45:17 +0000
commit48043f87b60a74af22bfe66a2db3b105a946921c (patch)
treeeda4eb3deb6bfe28b31ee2b07106c5f6e5ac6d64
parentb7b126ee416239b03f681774edb6deebb2196841 (diff)
imap/pop3/smtp: Added support for SASL authentication downgrades
Added support for downgrading the SASL authentication mechanism when the decoding of CRAM-MD5, DIGEST-MD5 and NTLM messages fails. This enhances the previously added support for graceful cancellation by allowing the client to retry a lesser SASL mechanism such as LOGIN or PLAIN, or even APOP / clear text (in the case of POP3 and IMAP) when supported by the server.
-rw-r--r--lib/imap.c35
-rw-r--r--lib/pop3.c42
-rw-r--r--lib/smtp.c31
-rw-r--r--tests/data/test8301
-rw-r--r--tests/data/test8311
-rw-r--r--tests/data/test8321
6 files changed, 105 insertions, 6 deletions
diff --git a/lib/imap.c b/lib/imap.c
index 37feff429..bd03c76cd 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1307,14 +1307,45 @@ static CURLcode imap_state_auth_cancel_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
+ CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
+ struct imap_conn *imapc = &conn->proto.imapc;
+ const char *mech = NULL;
+ char *initresp = NULL;
+ size_t len = 0;
+ imapstate state1 = IMAP_STOP;
+ imapstate state2 = IMAP_STOP;
(void)imapcode;
(void)instate; /* no use for this yet */
- failf(data, "Authentication cancelled");
+ /* Remove the offending mechanism from the supported list */
+ imapc->authmechs ^= imapc->authused;
+
+ /* Calculate alternative SASL login details */
+ result = imap_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+ &state2);
+
+ if(!result) {
+ /* Do we have any mechanisms left or can we fallback to clear text? */
+ if(mech) {
+ /* Retry SASL based authentication */
+ result = imap_perform_authenticate(conn, mech, initresp, state1, state2);
+
+ Curl_safefree(initresp);
+ }
+ else if((!imapc->login_disabled) &&
+ (imapc->preftype & IMAP_TYPE_CLEARTEXT))
+ /* Perform clear text authentication */
+ result = imap_perform_login(conn);
+ else {
+ failf(data, "Authentication cancelled");
+
+ result = CURLE_LOGIN_DENIED;
+ }
+ }
- return CURLE_LOGIN_DENIED;
+ return result;
}
/* For final responses in the AUTHENTICATE sequence */
diff --git a/lib/pop3.c b/lib/pop3.c
index 1554f09cd..c2c151a93 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -1161,14 +1161,52 @@ static CURLcode pop3_state_auth_cancel_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
+ CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
+ struct pop3_conn *pop3c = &conn->proto.pop3c;
+ const char *mech = NULL;
+ char *initresp = NULL;
+ size_t len = 0;
+ pop3state state1 = POP3_STOP;
+ pop3state state2 = POP3_STOP;
(void)pop3code;
(void)instate; /* no use for this yet */
- failf(data, "Authentication cancelled");
+ /* Remove the offending mechanism from the supported list */
+ pop3c->authmechs ^= pop3c->authused;
+
+ /* Calculate alternative SASL login details */
+ result = pop3_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+ &state2);
+
+ if(!result) {
+ /* Do we have any mechanisms left or can we fallback to another
+ authentication type? */
+ if(mech) {
+ /* Retry SASL based authentication */
+ result = pop3_perform_auth(conn, mech, initresp, len, state1, state2);
+
+ Curl_safefree(initresp);
+ }
+#ifndef CURL_DISABLE_CRYPTO_AUTH
+ else if((pop3c->authtypes & POP3_TYPE_APOP) &&
+ (pop3c->preftype & POP3_TYPE_APOP))
+ /* Perform APOP authentication */
+ result = pop3_perform_apop(conn);
+#endif
+ else if((pop3c->authtypes & POP3_TYPE_CLEARTEXT) &&
+ (pop3c->preftype & POP3_TYPE_CLEARTEXT))
+ /* Perform clear text authentication */
+ result = pop3_perform_user(conn);
+ else {
+ failf(data, "Authentication cancelled");
+
+ result = CURLE_LOGIN_DENIED;
+ }
+ }
- return CURLE_LOGIN_DENIED;
+ return result;
}
/* For final responses in the AUTH sequence */
diff --git a/lib/smtp.c b/lib/smtp.c
index 07fec11f9..f35f7537e 100644
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -1189,14 +1189,41 @@ static CURLcode smtp_state_auth_cancel_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
+ CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
+ struct smtp_conn *smtpc = &conn->proto.smtpc;
+ const char *mech = NULL;
+ char *initresp = NULL;
+ size_t len = 0;
+ smtpstate state1 = SMTP_STOP;
+ smtpstate state2 = SMTP_STOP;
(void)smtpcode;
(void)instate; /* no use for this yet */
- failf(data, "Authentication cancelled");
+ /* Remove the offending mechanism from the supported list */
+ smtpc->authmechs ^= smtpc->authused;
+
+ /* Calculate alternative SASL login details */
+ result = smtp_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+ &state2);
- return CURLE_LOGIN_DENIED;
+ if(!result) {
+ /* Do we have any mechanisms left? */
+ if(mech) {
+ /* Retry SASL based authentication */
+ result = smtp_perform_auth(conn, mech, initresp, len, state1, state2);
+
+ Curl_safefree(initresp);
+ }
+ else {
+ failf(data, "Authentication cancelled");
+
+ result = CURLE_LOGIN_DENIED;
+ }
+ }
+
+ return result;
}
/* For final responses in the AUTH sequence */
diff --git a/tests/data/test830 b/tests/data/test830
index edc3eb1e7..ff5586717 100644
--- a/tests/data/test830
+++ b/tests/data/test830
@@ -12,6 +12,7 @@ RFC2195
<reply>
<servercmd>
AUTH CRAM-MD5
+CAPA LOGINDISABLED
REPLY AUTHENTICATE + Rubbish
REPLY * A002 NO AUTH exchange cancelled by client
</servercmd>
diff --git a/tests/data/test831 b/tests/data/test831
index 4963ba372..51864db33 100644
--- a/tests/data/test831
+++ b/tests/data/test831
@@ -11,6 +11,7 @@ IMAP AUTH NTLM
<reply>
<servercmd>
AUTH NTLM
+CAPA LOGINDISABLED
REPLY AUTHENTICATE +
REPLY TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= + Rubbish
REPLY * A002 NO AUTH exchange cancelled by client
diff --git a/tests/data/test832 b/tests/data/test832
index 6c54b304f..edc910d21 100644
--- a/tests/data/test832
+++ b/tests/data/test832
@@ -12,6 +12,7 @@ RFC2831
<reply>
<servercmd>
AUTH DIGEST-MD5
+CAPA LOGINDISABLED
REPLY AUTHENTICATE + Rubbish
REPLY * A002 NO AUTH exchange cancelled by client
</servercmd>