2 * Copyright (C) 1999-2000 Brendan Cully <brendan@kublai.com>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
19 /* GSS login/authentication code */
21 /* for HAVE_HEIMDAL */
25 #include "imap_private.h"
28 #include <netinet/in.h>
31 # include <gssapi/gssapi.h>
32 # define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
34 # include <gssapi/gssapi.h>
35 # include <gssapi/gssapi_generic.h>
38 #define GSS_BUFSIZE 8192
40 #define GSS_AUTH_P_NONE 1
41 #define GSS_AUTH_P_INTEGRITY 2
42 #define GSS_AUTH_P_PRIVACY 4
44 /* imap_auth_gss: AUTH=GSSAPI support. */
45 imap_auth_res_t imap_auth_gss (IMAP_DATA* idata, const char* method)
47 gss_buffer_desc request_buf, send_token;
48 gss_buffer_t sec_token;
49 gss_name_t target_name;
54 OM_uint32 maj_stat, min_stat;
55 char buf1[GSS_BUFSIZE], buf2[GSS_BUFSIZE], server_conf_flags;
56 unsigned long buf_size;
59 if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
60 return IMAP_AUTH_UNAVAIL;
62 if (mutt_account_getuser (&idata->conn->account))
63 return IMAP_AUTH_FAILURE;
65 /* get an IMAP service ticket for the server */
66 snprintf (buf1, sizeof (buf1), "imap@%s", idata->conn->account.host);
67 request_buf.value = buf1;
68 request_buf.length = strlen (buf1) + 1;
69 maj_stat = gss_import_name (&min_stat, &request_buf, gss_nt_service_name,
71 if (maj_stat != GSS_S_COMPLETE)
73 dprint (2, (debugfile, "Couldn't get service name for [%s]\n", buf1));
74 return IMAP_AUTH_UNAVAIL;
77 else if (debuglevel >= 2)
79 maj_stat = gss_display_name (&min_stat, target_name, &request_buf,
81 dprint (2, (debugfile, "Using service name [%s]\n",
82 (char*) request_buf.value));
83 maj_stat = gss_release_buffer (&min_stat, &request_buf);
86 /* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
87 sec_token = GSS_C_NO_BUFFER;
88 context = GSS_C_NO_CONTEXT;
91 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
92 target_name, GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0,
93 GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL, &send_token,
94 (unsigned int*) &cflags, NULL);
95 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
97 dprint (1, (debugfile, "Error acquiring credentials - no TGT?\n"));
98 gss_release_name (&min_stat, &target_name);
100 return IMAP_AUTH_UNAVAIL;
103 /* now begin login */
104 mutt_message _("Authenticating (GSSAPI)...");
106 imap_cmd_start (idata, "AUTHENTICATE GSSAPI");
108 /* expect a null continuation response ("+") */
110 rc = imap_cmd_step (idata);
111 while (rc == IMAP_CMD_CONTINUE);
113 if (rc != IMAP_CMD_RESPOND)
115 dprint (2, (debugfile, "Invalid response from server: %s\n", buf1));
116 gss_release_name (&min_stat, &target_name);
120 /* now start the security context initialisation loop... */
121 dprint (2, (debugfile, "Sending credentials\n"));
122 mutt_to_base64 ((unsigned char*) buf1, send_token.value, send_token.length,
124 gss_release_buffer (&min_stat, &send_token);
125 safe_strcat (buf1, sizeof (buf1), "\r\n");
126 mutt_socket_write (idata->conn, buf1);
128 while (maj_stat == GSS_S_CONTINUE_NEEDED)
130 /* Read server data */
132 rc = imap_cmd_step (idata);
133 while (rc == IMAP_CMD_CONTINUE);
135 if (rc != IMAP_CMD_RESPOND)
137 dprint (1, (debugfile, "Error receiving server response.\n"));
138 gss_release_name (&min_stat, &target_name);
142 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
143 request_buf.value = buf2;
144 sec_token = &request_buf;
146 /* Write client data */
147 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
148 target_name, GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0,
149 GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL, &send_token,
150 (unsigned int*) &cflags, NULL);
151 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
153 dprint (1, (debugfile, "Error exchanging credentials\n"));
154 gss_release_name (&min_stat, &target_name);
158 mutt_to_base64 ((unsigned char*) buf1, send_token.value,
159 send_token.length, sizeof (buf1) - 2);
160 gss_release_buffer (&min_stat, &send_token);
161 safe_strcat (buf1, sizeof (buf1), "\r\n");
162 mutt_socket_write (idata->conn, buf1);
165 gss_release_name (&min_stat, &target_name);
167 /* get security flags and buffer size */
169 rc = imap_cmd_step (idata);
170 while (rc == IMAP_CMD_CONTINUE);
172 if (rc != IMAP_CMD_RESPOND)
174 dprint (1, (debugfile, "Error receiving server response.\n"));
177 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
178 request_buf.value = buf2;
180 maj_stat = gss_unwrap (&min_stat, context, &request_buf, &send_token,
182 if (maj_stat != GSS_S_COMPLETE)
184 dprint (2, (debugfile, "Couldn't unwrap security level data\n"));
185 gss_release_buffer (&min_stat, &send_token);
188 dprint (2, (debugfile, "Credential exchange complete\n"));
190 /* first octet is security levels supported. We want NONE */
191 server_conf_flags = ((char*) send_token.value)[0];
192 if ( !(((char*) send_token.value)[0] & GSS_AUTH_P_NONE) )
194 dprint (2, (debugfile, "Server requires integrity or privacy\n"));
195 gss_release_buffer (&min_stat, &send_token);
199 /* we don't care about buffer size if we don't wrap content. But here it is */
200 ((char*) send_token.value)[0] = 0;
201 buf_size = ntohl (*((long *) send_token.value));
202 gss_release_buffer (&min_stat, &send_token);
203 dprint (2, (debugfile, "Unwrapped security level flags: %c%c%c\n",
204 server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-',
205 server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
206 server_conf_flags & GSS_AUTH_P_PRIVACY ? 'P' : '-'));
207 dprint (2, (debugfile, "Maximum GSS token size is %ld\n", buf_size));
209 /* agree to terms (hack!) */
210 buf_size = htonl (buf_size); /* not relevant without integrity/privacy */
211 memcpy (buf1, &buf_size, 4);
212 buf1[0] = GSS_AUTH_P_NONE;
213 /* server decides if principal can log in as user */
214 strncpy (buf1 + 4, idata->conn->account.user, sizeof (buf1) - 4);
215 request_buf.value = buf1;
216 request_buf.length = 4 + strlen (idata->conn->account.user) + 1;
217 maj_stat = gss_wrap (&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
218 &cflags, &send_token);
219 if (maj_stat != GSS_S_COMPLETE)
221 dprint (2, (debugfile, "Error creating login request\n"));
225 mutt_to_base64 ((unsigned char*) buf1, send_token.value, send_token.length,
227 dprint (2, (debugfile, "Requesting authorisation as %s\n",
228 idata->conn->account.user));
229 safe_strcat (buf1, sizeof (buf1), "\r\n");
230 mutt_socket_write (idata->conn, buf1);
232 /* Joy of victory or agony of defeat? */
234 rc = imap_cmd_step (idata);
235 while (rc == IMAP_CMD_CONTINUE);
236 if (rc == IMAP_CMD_RESPOND)
238 dprint (1, (debugfile, "Unexpected server continuation request.\n"));
241 if (imap_code (idata->cmd.buf))
243 /* flush the security context */
244 dprint (2, (debugfile, "Releasing GSS credentials\n"));
245 maj_stat = gss_delete_sec_context (&min_stat, &context, &send_token);
246 if (maj_stat != GSS_S_COMPLETE)
247 dprint (1, (debugfile, "Error releasing credentials\n"));
249 /* send_token may contain a notification to the server to flush
250 * credentials. RFC 1731 doesn't specify what to do, and since this
251 * support is only for authentication, we'll assume the server knows
252 * enough to flush its own credentials */
253 gss_release_buffer (&min_stat, &send_token);
255 return IMAP_AUTH_SUCCESS;
261 mutt_socket_write (idata->conn, "*\r\n");
263 rc = imap_cmd_step (idata);
264 while (rc == IMAP_CMD_CONTINUE);
267 mutt_error _("GSSAPI authentication failed.");
269 return IMAP_AUTH_FAILURE;