2 * Copyright notice from original mutt:
3 * Copyright (C) 1999-2000 Brendan Cully <brendan@kublai.com>
5 * This file is part of mutt-ng, see http://www.muttng.org/.
6 * It's licensed under the GNU General Public License,
7 * please see the file GPL in the top level source directory.
10 /* GSS login/authentication code */
17 #include "imap_private.h"
20 #include <lib-lib/macros.h>
21 #include "lib/debug.h"
23 #include <netinet/in.h>
26 # include <gssapi/gssapi.h>
27 # define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
29 # include <gssapi/gssapi.h>
30 # include <gssapi/gssapi_generic.h>
33 #define GSS_BUFSIZE 8192
35 #define GSS_AUTH_P_NONE 1
36 #define GSS_AUTH_P_INTEGRITY 2
37 #define GSS_AUTH_P_PRIVACY 4
39 /* imap_auth_gss: AUTH=GSSAPI support. */
40 imap_auth_res_t imap_auth_gss (IMAP_DATA * idata, const char *method)
42 gss_buffer_desc request_buf, send_token;
43 gss_buffer_t sec_token;
44 gss_name_t target_name;
49 OM_uint32 maj_stat, min_stat;
50 char buf1[GSS_BUFSIZE], buf2[GSS_BUFSIZE], server_conf_flags;
51 unsigned long buf_size;
54 if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
55 return IMAP_AUTH_UNAVAIL;
57 if (mutt_account_getuser (&idata->conn->account))
58 return IMAP_AUTH_FAILURE;
60 /* get an IMAP service ticket for the server */
61 snprintf (buf1, sizeof (buf1), "imap@%s", idata->conn->account.host);
62 request_buf.value = buf1;
63 request_buf.length = m_strlen(buf1) + 1;
64 maj_stat = gss_import_name (&min_stat, &request_buf, gss_nt_service_name,
66 if (maj_stat != GSS_S_COMPLETE) {
67 debug_print (2, ("Couldn't get service name for [%s]\n", buf1));
68 return IMAP_AUTH_UNAVAIL;
71 else if (DebugLevel >= 2) {
72 maj_stat = gss_display_name (&min_stat, target_name, &request_buf,
74 debug_print (2, ("Using service name [%s]\n",
75 (char *) request_buf.value));
76 maj_stat = gss_release_buffer (&min_stat, &request_buf);
79 /* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
80 sec_token = GSS_C_NO_BUFFER;
81 context = GSS_C_NO_CONTEXT;
84 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
85 target_name, GSS_C_NO_OID,
86 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0,
87 GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,
88 &send_token, (unsigned int *) &cflags,
90 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
91 debug_print (1, ("Error acquiring credentials - no TGT?\n"));
92 gss_release_name (&min_stat, &target_name);
94 return IMAP_AUTH_UNAVAIL;
98 mutt_message _("Authenticating (GSSAPI)...");
100 imap_cmd_start (idata, "AUTHENTICATE GSSAPI");
102 /* expect a null continuation response ("+") */
104 rc = imap_cmd_step (idata);
105 while (rc == IMAP_CMD_CONTINUE);
107 if (rc != IMAP_CMD_RESPOND) {
108 debug_print (2, ("Invalid response from server: %s\n", buf1));
109 gss_release_name (&min_stat, &target_name);
113 /* now start the security context initialisation loop... */
114 debug_print (2, ("Sending credentials\n"));
115 mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
117 gss_release_buffer (&min_stat, &send_token);
118 str_cat (buf1, sizeof (buf1), "\r\n");
119 mutt_socket_write (idata->conn, buf1);
121 while (maj_stat == GSS_S_CONTINUE_NEEDED) {
122 /* Read server data */
124 rc = imap_cmd_step (idata);
125 while (rc == IMAP_CMD_CONTINUE);
127 if (rc != IMAP_CMD_RESPOND) {
128 debug_print (1, ("Error receiving server response.\n"));
129 gss_release_name (&min_stat, &target_name);
133 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
134 request_buf.value = buf2;
135 sec_token = &request_buf;
137 /* Write client data */
138 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
139 target_name, GSS_C_NO_OID,
140 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
141 0, GSS_C_NO_CHANNEL_BINDINGS, sec_token,
143 (unsigned int *) &cflags, NULL);
144 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
145 debug_print (1, ("Error exchanging credentials\n"));
146 gss_release_name (&min_stat, &target_name);
150 mutt_to_base64 ((unsigned char *) buf1, send_token.value,
151 send_token.length, sizeof (buf1) - 2);
152 gss_release_buffer (&min_stat, &send_token);
153 str_cat (buf1, sizeof (buf1), "\r\n");
154 mutt_socket_write (idata->conn, buf1);
157 gss_release_name (&min_stat, &target_name);
159 /* get security flags and buffer size */
161 rc = imap_cmd_step (idata);
162 while (rc == IMAP_CMD_CONTINUE);
164 if (rc != IMAP_CMD_RESPOND) {
165 debug_print (1, ("Error receiving server response.\n"));
168 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
169 request_buf.value = buf2;
171 maj_stat = gss_unwrap (&min_stat, context, &request_buf, &send_token,
173 if (maj_stat != GSS_S_COMPLETE) {
174 debug_print (2, ("Couldn't unwrap security level data\n"));
175 gss_release_buffer (&min_stat, &send_token);
178 debug_print (2, ("Credential exchange complete\n"));
180 /* first octet is security levels supported. We want NONE */
181 server_conf_flags = ((char *) send_token.value)[0];
182 if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE)) {
183 debug_print (2, ("Server requires integrity or privacy\n"));
184 gss_release_buffer (&min_stat, &send_token);
188 /* we don't care about buffer size if we don't wrap content. But here it is */
189 ((char *) send_token.value)[0] = 0;
190 buf_size = ntohl (*((long *) send_token.value));
191 gss_release_buffer (&min_stat, &send_token);
192 debug_print (2, ("Unwrapped security level flags: %c%c%c\n",
193 server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-',
194 server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
195 server_conf_flags & GSS_AUTH_P_PRIVACY ? 'P' : '-'));
196 debug_print (2, ("Maximum GSS token size is %ld\n", buf_size));
198 /* agree to terms (hack!) */
199 buf_size = htonl (buf_size); /* not relevant without integrity/privacy */
200 memcpy (buf1, &buf_size, 4);
201 buf1[0] = GSS_AUTH_P_NONE;
202 /* server decides if principal can log in as user */
203 strncpy (buf1 + 4, idata->conn->account.user, sizeof (buf1) - 4);
204 request_buf.value = buf1;
205 request_buf.length = 4 + m_strlen(idata->conn->account.user) + 1;
206 maj_stat = gss_wrap (&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
207 &cflags, &send_token);
208 if (maj_stat != GSS_S_COMPLETE) {
209 debug_print (2, ("Error creating login request\n"));
213 mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
215 debug_print (2, ("Requesting authorisation as %s\n", idata->conn->account.user));
216 str_cat (buf1, sizeof (buf1), "\r\n");
217 mutt_socket_write (idata->conn, buf1);
219 /* Joy of victory or agony of defeat? */
221 rc = imap_cmd_step (idata);
222 while (rc == IMAP_CMD_CONTINUE);
223 if (rc == IMAP_CMD_RESPOND) {
224 debug_print (1, ("Unexpected server continuation request.\n"));
227 if (imap_code (idata->cmd.buf)) {
228 /* flush the security context */
229 debug_print (2, ("Releasing GSS credentials\n"));
230 maj_stat = gss_delete_sec_context (&min_stat, &context, &send_token);
231 if (maj_stat != GSS_S_COMPLETE)
232 debug_print (1, ("Error releasing credentials\n"));
234 /* send_token may contain a notification to the server to flush
235 * credentials. RFC 1731 doesn't specify what to do, and since this
236 * support is only for authentication, we'll assume the server knows
237 * enough to flush its own credentials */
238 gss_release_buffer (&min_stat, &send_token);
240 return IMAP_AUTH_SUCCESS;
246 mutt_socket_write (idata->conn, "*\r\n");
248 rc = imap_cmd_step (idata);
249 while (rc == IMAP_CMD_CONTINUE);
252 mutt_error _("GSSAPI authentication failed.");
254 return IMAP_AUTH_FAILURE;