/* GSS login/authentication code */
-#if HAVE_CONFIG_H
-# include "config.h"
-#endif
+#include <lib-lib/lib-lib.h>
-#include "mutt.h"
-#include "imap_private.h"
-#include "auth.h"
-
-#include <lib-lib/macros.h>
-#include "lib/debug.h"
+#ifdef USE_GSS
#include <netinet/in.h>
#define GSS_AUTH_P_INTEGRITY 2
#define GSS_AUTH_P_PRIVACY 4
+#include "mutt.h"
+#include "imap_private.h"
+#include "auth.h"
+
/* imap_auth_gss: AUTH=GSSAPI support. */
-imap_auth_res_t imap_auth_gss (IMAP_DATA * idata, const char *method)
+imap_auth_res_t imap_auth_gss (IMAP_DATA * idata, const char *method __attribute__ ((unused)))
{
gss_buffer_desc request_buf, send_token;
gss_buffer_t sec_token;
gss_name_t target_name;
gss_ctx_id_t context;
- gss_OID mech_name;
gss_qop_t quality;
int cflags;
OM_uint32 maj_stat, min_stat;
maj_stat = gss_import_name (&min_stat, &request_buf, gss_nt_service_name,
&target_name);
if (maj_stat != GSS_S_COMPLETE) {
- debug_print (2, ("Couldn't get service name for [%s]\n", buf1));
return IMAP_AUTH_UNAVAIL;
}
-#ifdef DEBUG
- else if (DebugLevel >= 2) {
- maj_stat = gss_display_name (&min_stat, target_name, &request_buf,
- &mech_name);
- debug_print (2, ("Using service name [%s]\n",
- (char *) request_buf.value));
- maj_stat = gss_release_buffer (&min_stat, &request_buf);
- }
-#endif
+
/* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
sec_token = GSS_C_NO_BUFFER;
context = GSS_C_NO_CONTEXT;
&send_token, (unsigned int *) &cflags,
NULL);
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
- debug_print (1, ("Error acquiring credentials - no TGT?\n"));
gss_release_name (&min_stat, &target_name);
return IMAP_AUTH_UNAVAIL;
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND) {
- debug_print (2, ("Invalid response from server: %s\n", buf1));
gss_release_name (&min_stat, &target_name);
goto bail;
}
/* now start the security context initialisation loop... */
- debug_print (2, ("Sending credentials\n"));
mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
sizeof (buf1) - 2);
gss_release_buffer (&min_stat, &send_token);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND) {
- debug_print (1, ("Error receiving server response.\n"));
gss_release_name (&min_stat, &target_name);
goto bail;
}
NULL, &send_token,
(unsigned int *) &cflags, NULL);
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
- debug_print (1, ("Error exchanging credentials\n"));
gss_release_name (&min_stat, &target_name);
goto err_abort_cmd;
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND) {
- debug_print (1, ("Error receiving server response.\n"));
goto bail;
}
request_buf.length = mutt_from_base64 (buf2, idata->cmd.buf + 2);
maj_stat = gss_unwrap (&min_stat, context, &request_buf, &send_token,
&cflags, &quality);
if (maj_stat != GSS_S_COMPLETE) {
- debug_print (2, ("Couldn't unwrap security level data\n"));
gss_release_buffer (&min_stat, &send_token);
goto err_abort_cmd;
}
- debug_print (2, ("Credential exchange complete\n"));
/* first octet is security levels supported. We want NONE */
server_conf_flags = ((char *) send_token.value)[0];
if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE)) {
- debug_print (2, ("Server requires integrity or privacy\n"));
gss_release_buffer (&min_stat, &send_token);
goto err_abort_cmd;
}
((char *) send_token.value)[0] = 0;
buf_size = ntohl (*((long *) send_token.value));
gss_release_buffer (&min_stat, &send_token);
- debug_print (2, ("Unwrapped security level flags: %c%c%c\n",
- server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-',
- server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
- server_conf_flags & GSS_AUTH_P_PRIVACY ? 'P' : '-'));
- debug_print (2, ("Maximum GSS token size is %ld\n", buf_size));
/* agree to terms (hack!) */
buf_size = htonl (buf_size); /* not relevant without integrity/privacy */
memcpy (buf1, &buf_size, 4);
buf1[0] = GSS_AUTH_P_NONE;
/* server decides if principal can log in as user */
- strncpy (buf1 + 4, idata->conn->account.user, sizeof (buf1) - 4);
+ m_strcpy(buf1 + 4, sizeof(buf1) - 4, idata->conn->account.user);
request_buf.value = buf1;
request_buf.length = 4 + m_strlen(idata->conn->account.user) + 1;
maj_stat = gss_wrap (&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
&cflags, &send_token);
if (maj_stat != GSS_S_COMPLETE) {
- debug_print (2, ("Error creating login request\n"));
goto err_abort_cmd;
}
mutt_to_base64 ((unsigned char *) buf1, send_token.value, send_token.length,
sizeof (buf1) - 2);
- debug_print (2, ("Requesting authorisation as %s\n", idata->conn->account.user));
m_strcat(buf1, sizeof(buf1), "\r\n");
mutt_socket_write (idata->conn, buf1);
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
if (rc == IMAP_CMD_RESPOND) {
- debug_print (1, ("Unexpected server continuation request.\n"));
goto err_abort_cmd;
}
if (imap_code (idata->cmd.buf)) {
/* flush the security context */
- debug_print (2, ("Releasing GSS credentials\n"));
maj_stat = gss_delete_sec_context (&min_stat, &context, &send_token);
- if (maj_stat != GSS_S_COMPLETE)
- debug_print (1, ("Error releasing credentials\n"));
/* send_token may contain a notification to the server to flush
* credentials. RFC 1731 doesn't specify what to do, and since this
mutt_sleep (2);
return IMAP_AUTH_FAILURE;
}
+
+#endif /* USE_GSS */
projects / apps / madmutt.git / blobdiff