2 * Copyright notice from original mutt:
3 * Copyright (C) 1999-2000 Brendan Cully <brendan@kublai.com>
5 * This file is part of mutt-ng, see http://www.muttng.org/.
6 * It's licensed under the GNU General Public License,
7 * please see the file GPL in the top level source directory.
10 /* GSS login/authentication code */
12 #include <lib-lib/lib-lib.h>
16 #include <netinet/in.h>
19 # include <gssapi/gssapi.h>
20 # define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
22 # include <gssapi/gssapi.h>
23 # include <gssapi/gssapi_generic.h>
26 #define GSS_BUFSIZE 8192
28 #define GSS_AUTH_P_NONE 1
29 #define GSS_AUTH_P_INTEGRITY 2
30 #define GSS_AUTH_P_PRIVACY 4
33 #include "imap_private.h"
36 /* imap_auth_gss: AUTH=GSSAPI support. */
37 imap_auth_res_t imap_auth_gss (IMAP_DATA * idata, const char *method __attribute__ ((unused)))
39 gss_buffer_desc request_buf, send_token;
40 gss_buffer_t sec_token;
41 gss_name_t target_name;
45 OM_uint32 maj_stat, min_stat;
46 char buf1[GSS_BUFSIZE], buf2[GSS_BUFSIZE], server_conf_flags;
47 unsigned long buf_size;
50 if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
51 return IMAP_AUTH_UNAVAIL;
53 if (mutt_account_getuser (&idata->conn->account))
54 return IMAP_AUTH_FAILURE;
56 /* get an IMAP service ticket for the server */
57 snprintf (buf1, sizeof (buf1), "imap@%s", idata->conn->account.host);
58 request_buf.value = buf1;
59 request_buf.length = m_strlen(buf1) + 1;
60 maj_stat = gss_import_name (&min_stat, &request_buf, gss_nt_service_name,
62 if (maj_stat != GSS_S_COMPLETE) {
63 return IMAP_AUTH_UNAVAIL;
66 /* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
67 sec_token = GSS_C_NO_BUFFER;
68 context = GSS_C_NO_CONTEXT;
71 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
72 target_name, GSS_C_NO_OID,
73 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0,
74 GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,
75 &send_token, (unsigned int *) &cflags,
77 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
78 gss_release_name (&min_stat, &target_name);
80 return IMAP_AUTH_UNAVAIL;
84 mutt_message _("Authenticating (GSSAPI)...");
86 imap_cmd_start (idata, "AUTHENTICATE GSSAPI");
88 /* expect a null continuation response ("+") */
90 rc = imap_cmd_step (idata);
91 while (rc == IMAP_CMD_CONTINUE);
93 if (rc != IMAP_CMD_RESPOND) {
94 gss_release_name (&min_stat, &target_name);
98 /* now start the security context initialisation loop... */
99 mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
101 gss_release_buffer (&min_stat, &send_token);
102 m_strcat(buf1, sizeof(buf1), "\r\n");
103 mutt_socket_write (idata->conn, buf1);
105 while (maj_stat == GSS_S_CONTINUE_NEEDED) {
106 /* Read server data */
108 rc = imap_cmd_step (idata);
109 while (rc == IMAP_CMD_CONTINUE);
111 if (rc != IMAP_CMD_RESPOND) {
112 gss_release_name (&min_stat, &target_name);
116 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
117 request_buf.value = buf2;
118 sec_token = &request_buf;
120 /* Write client data */
121 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
122 target_name, GSS_C_NO_OID,
123 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
124 0, GSS_C_NO_CHANNEL_BINDINGS, sec_token,
126 (unsigned int *) &cflags, NULL);
127 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
128 gss_release_name (&min_stat, &target_name);
132 mutt_to_base64 ((unsigned char *) buf1, send_token.value,
133 send_token.length, sizeof (buf1) - 2);
134 gss_release_buffer (&min_stat, &send_token);
135 m_strcat(buf1, sizeof(buf1), "\r\n");
136 mutt_socket_write (idata->conn, buf1);
139 gss_release_name (&min_stat, &target_name);
141 /* get security flags and buffer size */
143 rc = imap_cmd_step (idata);
144 while (rc == IMAP_CMD_CONTINUE);
146 if (rc != IMAP_CMD_RESPOND) {
149 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
150 request_buf.value = buf2;
152 maj_stat = gss_unwrap (&min_stat, context, &request_buf, &send_token,
154 if (maj_stat != GSS_S_COMPLETE) {
155 gss_release_buffer (&min_stat, &send_token);
159 /* first octet is security levels supported. We want NONE */
160 server_conf_flags = ((char *) send_token.value)[0];
161 if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE)) {
162 gss_release_buffer (&min_stat, &send_token);
166 /* we don't care about buffer size if we don't wrap content. But here it is */
167 ((char *) send_token.value)[0] = 0;
168 buf_size = ntohl (*((long *) send_token.value));
169 gss_release_buffer (&min_stat, &send_token);
171 /* agree to terms (hack!) */
172 buf_size = htonl (buf_size); /* not relevant without integrity/privacy */
173 memcpy (buf1, &buf_size, 4);
174 buf1[0] = GSS_AUTH_P_NONE;
175 /* server decides if principal can log in as user */
176 strncpy (buf1 + 4, idata->conn->account.user, sizeof (buf1) - 4);
177 request_buf.value = buf1;
178 request_buf.length = 4 + m_strlen(idata->conn->account.user) + 1;
179 maj_stat = gss_wrap (&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
180 &cflags, &send_token);
181 if (maj_stat != GSS_S_COMPLETE) {
185 mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
187 m_strcat(buf1, sizeof(buf1), "\r\n");
188 mutt_socket_write (idata->conn, buf1);
190 /* Joy of victory or agony of defeat? */
192 rc = imap_cmd_step (idata);
193 while (rc == IMAP_CMD_CONTINUE);
194 if (rc == IMAP_CMD_RESPOND) {
197 if (imap_code (idata->cmd.buf)) {
198 /* flush the security context */
199 maj_stat = gss_delete_sec_context (&min_stat, &context, &send_token);
201 /* send_token may contain a notification to the server to flush
202 * credentials. RFC 1731 doesn't specify what to do, and since this
203 * support is only for authentication, we'll assume the server knows
204 * enough to flush its own credentials */
205 gss_release_buffer (&min_stat, &send_token);
207 return IMAP_AUTH_SUCCESS;
213 mutt_socket_write (idata->conn, "*\r\n");
215 rc = imap_cmd_step (idata);
216 while (rc == IMAP_CMD_CONTINUE);
219 mutt_error _("GSSAPI authentication failed.");
221 return IMAP_AUTH_FAILURE;