2 * Copyright (C) 1999-2000 Brendan Cully <brendan@kublai.com>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
19 /* GSS login/authentication code */
26 #include "imap_private.h"
29 #include <netinet/in.h>
32 # include <gssapi/gssapi.h>
33 # define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
35 # include <gssapi/gssapi.h>
36 # include <gssapi/gssapi_generic.h>
39 #define GSS_BUFSIZE 8192
41 #define GSS_AUTH_P_NONE 1
42 #define GSS_AUTH_P_INTEGRITY 2
43 #define GSS_AUTH_P_PRIVACY 4
45 /* imap_auth_gss: AUTH=GSSAPI support. */
46 imap_auth_res_t imap_auth_gss (IMAP_DATA * idata, const char *method)
48 gss_buffer_desc request_buf, send_token;
49 gss_buffer_t sec_token;
50 gss_name_t target_name;
55 OM_uint32 maj_stat, min_stat;
56 char buf1[GSS_BUFSIZE], buf2[GSS_BUFSIZE], server_conf_flags;
57 unsigned long buf_size;
60 if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
61 return IMAP_AUTH_UNAVAIL;
63 if (mutt_account_getuser (&idata->conn->account))
64 return IMAP_AUTH_FAILURE;
66 /* get an IMAP service ticket for the server */
67 snprintf (buf1, sizeof (buf1), "imap@%s", idata->conn->account.host);
68 request_buf.value = buf1;
69 request_buf.length = strlen (buf1) + 1;
70 maj_stat = gss_import_name (&min_stat, &request_buf, gss_nt_service_name,
72 if (maj_stat != GSS_S_COMPLETE) {
73 dprint (2, (debugfile, "Couldn't get service name for [%s]\n", buf1));
74 return IMAP_AUTH_UNAVAIL;
77 else if (debuglevel >= 2) {
78 maj_stat = gss_display_name (&min_stat, target_name, &request_buf,
80 dprint (2, (debugfile, "Using service name [%s]\n",
81 (char *) request_buf.value));
82 maj_stat = gss_release_buffer (&min_stat, &request_buf);
85 /* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
86 sec_token = GSS_C_NO_BUFFER;
87 context = GSS_C_NO_CONTEXT;
90 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
91 target_name, GSS_C_NO_OID,
92 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0,
93 GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,
94 &send_token, (unsigned int *) &cflags,
96 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
97 dprint (1, (debugfile, "Error acquiring credentials - no TGT?\n"));
98 gss_release_name (&min_stat, &target_name);
100 return IMAP_AUTH_UNAVAIL;
103 /* now begin login */
104 mutt_message _("Authenticating (GSSAPI)...");
106 imap_cmd_start (idata, "AUTHENTICATE GSSAPI");
108 /* expect a null continuation response ("+") */
110 rc = imap_cmd_step (idata);
111 while (rc == IMAP_CMD_CONTINUE);
113 if (rc != IMAP_CMD_RESPOND) {
114 dprint (2, (debugfile, "Invalid response from server: %s\n", buf1));
115 gss_release_name (&min_stat, &target_name);
119 /* now start the security context initialisation loop... */
120 dprint (2, (debugfile, "Sending credentials\n"));
121 mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
123 gss_release_buffer (&min_stat, &send_token);
124 safe_strcat (buf1, sizeof (buf1), "\r\n");
125 mutt_socket_write (idata->conn, buf1);
127 while (maj_stat == GSS_S_CONTINUE_NEEDED) {
128 /* Read server data */
130 rc = imap_cmd_step (idata);
131 while (rc == IMAP_CMD_CONTINUE);
133 if (rc != IMAP_CMD_RESPOND) {
134 dprint (1, (debugfile, "Error receiving server response.\n"));
135 gss_release_name (&min_stat, &target_name);
139 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
140 request_buf.value = buf2;
141 sec_token = &request_buf;
143 /* Write client data */
144 maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
145 target_name, GSS_C_NO_OID,
146 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
147 0, GSS_C_NO_CHANNEL_BINDINGS, sec_token,
149 (unsigned int *) &cflags, NULL);
150 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
151 dprint (1, (debugfile, "Error exchanging credentials\n"));
152 gss_release_name (&min_stat, &target_name);
156 mutt_to_base64 ((unsigned char *) buf1, send_token.value,
157 send_token.length, sizeof (buf1) - 2);
158 gss_release_buffer (&min_stat, &send_token);
159 safe_strcat (buf1, sizeof (buf1), "\r\n");
160 mutt_socket_write (idata->conn, buf1);
163 gss_release_name (&min_stat, &target_name);
165 /* get security flags and buffer size */
167 rc = imap_cmd_step (idata);
168 while (rc == IMAP_CMD_CONTINUE);
170 if (rc != IMAP_CMD_RESPOND) {
171 dprint (1, (debugfile, "Error receiving server response.\n"));
174 request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
175 request_buf.value = buf2;
177 maj_stat = gss_unwrap (&min_stat, context, &request_buf, &send_token,
179 if (maj_stat != GSS_S_COMPLETE) {
180 dprint (2, (debugfile, "Couldn't unwrap security level data\n"));
181 gss_release_buffer (&min_stat, &send_token);
184 dprint (2, (debugfile, "Credential exchange complete\n"));
186 /* first octet is security levels supported. We want NONE */
187 server_conf_flags = ((char *) send_token.value)[0];
188 if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE)) {
189 dprint (2, (debugfile, "Server requires integrity or privacy\n"));
190 gss_release_buffer (&min_stat, &send_token);
194 /* we don't care about buffer size if we don't wrap content. But here it is */
195 ((char *) send_token.value)[0] = 0;
196 buf_size = ntohl (*((long *) send_token.value));
197 gss_release_buffer (&min_stat, &send_token);
198 dprint (2, (debugfile, "Unwrapped security level flags: %c%c%c\n",
199 server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-',
200 server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
201 server_conf_flags & GSS_AUTH_P_PRIVACY ? 'P' : '-'));
202 dprint (2, (debugfile, "Maximum GSS token size is %ld\n", buf_size));
204 /* agree to terms (hack!) */
205 buf_size = htonl (buf_size); /* not relevant without integrity/privacy */
206 memcpy (buf1, &buf_size, 4);
207 buf1[0] = GSS_AUTH_P_NONE;
208 /* server decides if principal can log in as user */
209 strncpy (buf1 + 4, idata->conn->account.user, sizeof (buf1) - 4);
210 request_buf.value = buf1;
211 request_buf.length = 4 + strlen (idata->conn->account.user) + 1;
212 maj_stat = gss_wrap (&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
213 &cflags, &send_token);
214 if (maj_stat != GSS_S_COMPLETE) {
215 dprint (2, (debugfile, "Error creating login request\n"));
219 mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
221 dprint (2, (debugfile, "Requesting authorisation as %s\n",
222 idata->conn->account.user));
223 safe_strcat (buf1, sizeof (buf1), "\r\n");
224 mutt_socket_write (idata->conn, buf1);
226 /* Joy of victory or agony of defeat? */
228 rc = imap_cmd_step (idata);
229 while (rc == IMAP_CMD_CONTINUE);
230 if (rc == IMAP_CMD_RESPOND) {
231 dprint (1, (debugfile, "Unexpected server continuation request.\n"));
234 if (imap_code (idata->cmd.buf)) {
235 /* flush the security context */
236 dprint (2, (debugfile, "Releasing GSS credentials\n"));
237 maj_stat = gss_delete_sec_context (&min_stat, &context, &send_token);
238 if (maj_stat != GSS_S_COMPLETE)
239 dprint (1, (debugfile, "Error releasing credentials\n"));
241 /* send_token may contain a notification to the server to flush
242 * credentials. RFC 1731 doesn't specify what to do, and since this
243 * support is only for authentication, we'll assume the server knows
244 * enough to flush its own credentials */
245 gss_release_buffer (&min_stat, &send_token);
247 return IMAP_AUTH_SUCCESS;
253 mutt_socket_write (idata->conn, "*\r\n");
255 rc = imap_cmd_step (idata);
256 while (rc == IMAP_CMD_CONTINUE);
259 mutt_error _("GSSAPI authentication failed.");
261 return IMAP_AUTH_FAILURE;