diff options
author | Steve Holme <steve_holme@hotmail.com> | 2014-08-10 21:32:56 +0100 |
---|---|---|
committer | Steve Holme <steve_holme@hotmail.com> | 2014-08-15 21:39:31 +0100 |
commit | 96034c4a512ea2c3dbeb38654d993cb49e99bfda (patch) | |
tree | 7500e976e2b1837097dcbec795e7e67f96258b80 | |
parent | 078d1fbf2b9d2d3a79f03c92ddca6fb0c6f1a434 (diff) |
imap: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
-rw-r--r-- | lib/imap.c | 186 |
1 files changed, 186 insertions, 0 deletions
diff --git a/lib/imap.c b/lib/imap.c index 7d44e4408..e80bc03c1 100644 --- a/lib/imap.c +++ b/lib/imap.c @@ -1300,6 +1300,158 @@ static CURLcode imap_state_auth_ntlm_type2msg_resp(struct connectdata *conn, } #endif +#if defined(USE_WINDOWS_SSPI) +/* For AUTHENTICATE GSSAPI (without initial response) responses */ +static CURLcode imap_state_auth_gssapi_resp(struct connectdata *conn, + int imapcode, + imapstate instate) +{ + CURLcode result = CURLE_OK; + struct SessionHandle *data = conn->data; + struct imap_conn *imapc = &conn->proto.imapc; + size_t len = 0; + char *respmsg = NULL; + + (void)instate; /* no use for this yet */ + + if(imapcode != '+') { + failf(data, "Access denied: %d", imapcode); + result = CURLE_LOGIN_DENIED; + } + else { + /* Create the initial response message */ + result = Curl_sasl_create_gssapi_user_message(data, conn->user, + conn->passwd, "imap", + imapc->mutual_auth, + NULL, &conn->krb5, + &respmsg, &len); + if(!result && respmsg) { + /* Send the message */ + result = Curl_pp_sendf(&imapc->pp, "%s", respmsg); + + if(!result) + state(conn, IMAP_AUTHENTICATE_GSSAPI_TOKEN); + } + } + + Curl_safefree(respmsg); + + return result; +} + +/* For AUTHENTICATE GSSAPI user token responses */ +static CURLcode imap_state_auth_gssapi_token_resp(struct connectdata *conn, + int imapcode, + imapstate instate) +{ + CURLcode result = CURLE_OK; + struct SessionHandle *data = conn->data; + struct imap_conn *imapc = &conn->proto.imapc; + char *chlgmsg = NULL; + char *respmsg = NULL; + size_t len = 0; + + (void)instate; /* no use for this yet */ + + if(imapcode != '+') { + failf(data, "Access denied: %d", imapcode); + result = CURLE_LOGIN_DENIED; + } + else { + /* Get the challenge message */ + imap_get_message(data->state.buffer, &chlgmsg); + + if(imapc->mutual_auth) + /* Decode the user token challenge and create the optional response + message */ + result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL, + imapc->mutual_auth, + chlgmsg, &conn->krb5, + &respmsg, &len); + else + /* Decode the security challenge and create the response message */ + result = Curl_sasl_create_gssapi_security_message(data, chlgmsg, + &conn->krb5, + &respmsg, &len); + + if(result) { + if(result == CURLE_BAD_CONTENT_ENCODING) { + /* Send the cancellation */ + result = Curl_pp_sendf(&imapc->pp, "%s", "*"); + + if(!result) + state(conn, IMAP_AUTHENTICATE_CANCEL); + } + } + else { + /* Send the response */ + if(respmsg) + result = Curl_pp_sendf(&imapc->pp, "%s", respmsg); + else + result = Curl_pp_sendf(&imapc->pp, "%s", ""); + + if(!result) + state(conn, (imapc->mutual_auth ? IMAP_AUTHENTICATE_GSSAPI_NO_DATA : + IMAP_AUTHENTICATE_FINAL)); + } + } + + Curl_safefree(respmsg); + + return result; +} + +/* For AUTHENTICATE GSSAPI no data responses */ +static CURLcode imap_state_auth_gssapi_no_data_resp(struct connectdata *conn, + int imapcode, + imapstate instate) +{ + CURLcode result = CURLE_OK; + struct SessionHandle *data = conn->data; + char *chlgmsg = NULL; + char *respmsg = NULL; + size_t len = 0; + + (void)instate; /* no use for this yet */ + + if(imapcode != '+') { + failf(data, "Access denied: %d", imapcode); + result = CURLE_LOGIN_DENIED; + } + else { + /* Get the challenge message */ + imap_get_message(data->state.buffer, &chlgmsg); + + /* Decode the security challenge and create the response message */ + result = Curl_sasl_create_gssapi_security_message(data, chlgmsg, + &conn->krb5, + &respmsg, &len); + if(result) { + if(result == CURLE_BAD_CONTENT_ENCODING) { + /* Send the cancellation */ + result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "*"); + + if(!result) + state(conn, IMAP_AUTHENTICATE_CANCEL); + } + } + else { + /* Send the response */ + if(respmsg) { + result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", respmsg); + + if(!result) + state(conn, IMAP_AUTHENTICATE_FINAL); + } + } + } + + Curl_safefree(respmsg); + + return result; +} +#endif + /* For AUTHENTICATE XOAUTH2 (without initial response) responses */ static CURLcode imap_state_auth_xoauth2_resp(struct connectdata *conn, int imapcode, @@ -1759,6 +1911,21 @@ static CURLcode imap_statemach_act(struct connectdata *conn) break; #endif +#if defined(USE_WINDOWS_SSPI) + case IMAP_AUTHENTICATE_GSSAPI: + result = imap_state_auth_gssapi_resp(conn, imapcode, imapc->state); + break; + + case IMAP_AUTHENTICATE_GSSAPI_TOKEN: + result = imap_state_auth_gssapi_token_resp(conn, imapcode, imapc->state); + break; + + case IMAP_AUTHENTICATE_GSSAPI_NO_DATA: + result = imap_state_auth_gssapi_no_data_resp(conn, imapcode, + imapc->state); + break; +#endif + case IMAP_AUTHENTICATE_XOAUTH2: result = imap_state_auth_xoauth2_resp(conn, imapcode, imapc->state); break; @@ -2636,6 +2803,25 @@ static CURLcode imap_calc_sasl_details(struct connectdata *conn, /* Calculate the supported authentication mechanism, by decreasing order of security, as well as the initial response where appropriate */ +#if defined(USE_WINDOWS_SSPI) + if((imapc->authmechs & SASL_MECH_GSSAPI) && + (imapc->prefmech & SASL_MECH_GSSAPI)) { + imapc->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */ + + *mech = SASL_MECH_STRING_GSSAPI; + *state1 = IMAP_AUTHENTICATE_GSSAPI; + *state2 = IMAP_AUTHENTICATE_GSSAPI_TOKEN; + imapc->authused = SASL_MECH_GSSAPI; + + if(imapc->ir_supported || data->set.sasl_ir) + result = Curl_sasl_create_gssapi_user_message(data, conn->user, + conn->passwd, "imap", + imapc->mutual_auth, + NULL, &conn->krb5, + initresp, len); + } + else +#endif #ifndef CURL_DISABLE_CRYPTO_AUTH if((imapc->authmechs & SASL_MECH_DIGEST_MD5) && (imapc->prefmech & SASL_MECH_DIGEST_MD5)) { |