From 48043f87b60a74af22bfe66a2db3b105a946921c Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Wed, 18 Dec 2013 20:44:20 +0000
Subject: imap/pop3/smtp: Added support for SASL authentication downgrades

Added support for downgrading the SASL authentication mechanism when the
decoding of CRAM-MD5, DIGEST-MD5 and NTLM messages fails. This enhances
the previously added support for graceful cancellation by allowing the
client to retry a lesser SASL mechanism such as LOGIN or PLAIN, or even
APOP / clear text (in the case of POP3 and IMAP) when supported by the
server.
---
 lib/imap.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

(limited to 'lib/imap.c')

diff --git a/lib/imap.c b/lib/imap.c
index 37feff429..bd03c76cd 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1307,14 +1307,45 @@ static CURLcode imap_state_auth_cancel_resp(struct connectdata *conn,
                                             int imapcode,
                                             imapstate instate)
 {
+  CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
+  struct imap_conn *imapc = &conn->proto.imapc;
+  const char *mech = NULL;
+  char *initresp = NULL;
+  size_t len = 0;
+  imapstate state1 = IMAP_STOP;
+  imapstate state2 = IMAP_STOP;
 
   (void)imapcode;
   (void)instate; /* no use for this yet */
 
-  failf(data, "Authentication cancelled");
+  /* Remove the offending mechanism from the supported list */
+  imapc->authmechs ^= imapc->authused;
+
+  /* Calculate alternative SASL login details */
+  result = imap_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+                                  &state2);
+
+  if(!result) {
+    /* Do we have any mechanisms left or can we fallback to clear text? */
+    if(mech) {
+      /* Retry SASL based authentication */
+      result = imap_perform_authenticate(conn, mech, initresp, state1, state2);
+
+      Curl_safefree(initresp);
+    }
+    else if((!imapc->login_disabled) &&
+            (imapc->preftype & IMAP_TYPE_CLEARTEXT))
+      /* Perform clear text authentication */
+      result = imap_perform_login(conn);
+    else {
+      failf(data, "Authentication cancelled");
+
+      result = CURLE_LOGIN_DENIED;
+    }
+  }
 
-  return CURLE_LOGIN_DENIED;
+  return result;
 }
 
 /* For final responses in the AUTHENTICATE sequence */
-- 
cgit v1.2.3