aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric S. Raymond <esr@thyrsus.com>1997-05-27 19:21:49 +0000
committerEric S. Raymond <esr@thyrsus.com>1997-05-27 19:21:49 +0000
commitcda98906893b358d8dd22775af95c9ade5cfe5e5 (patch)
tree34c1005ce799b43b623fed8426c4582497d55038
parent52788ad79c407f4f9a4e898e06d736730a2fe00a (diff)
downloadfetchmail-cda98906893b358d8dd22775af95c9ade5cfe5e5.tar.gz
fetchmail-cda98906893b358d8dd22775af95c9ade5cfe5e5.tar.bz2
fetchmail-cda98906893b358d8dd22775af95c9ade5cfe5e5.zip
Add imap-k4 capability.
svn path=/trunk/; revision=1029
-rw-r--r--NEWS4
-rw-r--r--fetchmail.c6
-rw-r--r--fetchmail.h7
-rw-r--r--fetchmail.man27
-rw-r--r--imap.c327
-rw-r--r--options.c8
6 files changed, 332 insertions, 47 deletions
diff --git a/NEWS b/NEWS
index 6c42ca5e..fb090132 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,10 @@ every user entry in a multi-user poll declaration.
------------------------------------------------------------------------------
+pl 3.9.6 ():
+* Fix the libc6 configuration stuff (thanks to Jesse Thilo).
+* Support for Kerberos-v4-authenticated IMAP.
+
pl 3.9.5 (Sun May 18 01:05:13 EDT 1997):
* Add an error notification when an incoming message has embedded NULs.
* Throw out >From lines in headers to prevent getting hosed by upstream
diff --git a/fetchmail.c b/fetchmail.c
index 3bea5ab4..723257f9 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -299,7 +299,7 @@ int main (int argc, char **argv)
for (ctl = querylist; ctl; ctl = ctl->next)
if (ctl->active && !(implicitmode && ctl->server.skip)&&!ctl->password)
{
- if (ctl->server.authenticate == A_KERBEROS_V4)
+ if (ctl->server.authenticate == A_KERBEROS_V4 || ctl->server.protocol == P_IMAP_K4)
/* Server won't care what the password is, but there
must be some non-null string here. */
ctl->password = ctl->remotename;
@@ -315,7 +315,7 @@ int main (int argc, char **argv)
ctl->password = xstrdup(p->password);
}
- if (ctl->server.protocol != P_ETRN && !ctl->password)
+ if (ctl->server.protocol != P_ETRN && ctl->server.protocol != P_IMAP_K4 && !ctl->password)
{
(void) sprintf(tmpbuf, "Enter password for %s@%s: ",
ctl->remotename, ctl->server.names->id);
@@ -731,6 +731,7 @@ static char *showproto(int proto)
case P_POP2: return("POP2"); break;
case P_POP3: return("POP3"); break;
case P_IMAP: return("IMAP"); break;
+ case P_IMAP_K4: return("IMAP-K4"); break;
case P_APOP: return("APOP"); break;
case P_RPOP: return("RPOP"); break;
case P_ETRN: return("ETRN"); break;
@@ -777,6 +778,7 @@ static int query_host(struct query *ctl)
return(doPOP3(ctl));
break;
case P_IMAP:
+ case P_IMAP_K4:
return(doIMAP(ctl));
break;
case P_ETRN:
diff --git a/fetchmail.h b/fetchmail.h
index 8e1ec231..d7bc9f02 100644
--- a/fetchmail.h
+++ b/fetchmail.h
@@ -7,9 +7,10 @@
#define P_POP2 2
#define P_POP3 3
#define P_IMAP 4
-#define P_APOP 5
-#define P_RPOP 6
-#define P_ETRN 7
+#define P_IMAP_K4 5
+#define P_APOP 6
+#define P_RPOP 7
+#define P_ETRN 8
#define KPOP_PORT 1109
diff --git a/fetchmail.man b/fetchmail.man
index 1a6f2518..455f2c43 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -142,6 +142,9 @@ Use POP3 with RPOP authentication.
Use POP3 with Kerberos V4 authentication on port 1109.
.IP IMAP
IMAP2bis, IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities).
+.IP IMAP-K4
+IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities)
+with RFC 1731 Kerberos v4 authentication.
.IP ETRN
Use the ESMTP ETRN option.
.RE
@@ -266,7 +269,7 @@ exactness, `\fBkerberos_v4\fR'). This option is provided
primarily for developers; choosing KPOP protocol automatically selects
Kerberos preauthentication, and all other alternatives use ordinary
password authentication (though APOP uses a generated one-time
-key as the password).
+key as the password and IMAP-K4 uses RFC1731 Kerberos v4 authentication).
This option does not work with ETRN.
.SS Miscellaneous Options
.TP
@@ -391,6 +394,9 @@ If your \fIfetchmail\fR was built with Kerberos support and you specify
Kerberos preauthentication (either with --auth or the \fI.fetchmailrc\fR
option \fBauthenticate kerberos_v4\fR) it will try to get a Kerberos
ticket from the mailserver at the start of each query.
+.PP
+If you use IMAP-K4 the code will expect the IMAP server to have
+RFC1731-conformant AUTHENTICATE KERBEROS_V4 capability.
.SH DAEMON MODE
The
@@ -1082,15 +1088,16 @@ The RFC822 parser used in multidrop mode chokes on some @-addresses that
are technically legal but bizarre. Strange uses of quoting and
embedded comments are likely to confuse it.
.PP
-Use of any of the supported protocols other than APOP, KPOP, or ETRN requires
-that the program send unencrypted passwords over the TCP/IP connection
-to the mailserver. This creates a risk that name/password pairs
-might be snaffled with a packet sniffer or more sophisticated
-monitoring software. Under Linux, the --interface option can be used
-to restrict polling to availability of a specific interface device with
-a specific local IP address, but snooping is still possible if (a)
-either host has a network device that can be opened in promiscuous mode,
-or (b) the intervening network link can be tapped.
+Use of any of the supported protocols other than APOP, KPOP, IMAP-K4,
+or ETRN requires that the program send unencrypted passwords over the
+TCP/IP connection to the mailserver. This creates a risk that
+name/password pairs might be snaffled with a packet sniffer or more
+sophisticated monitoring software. Under Linux, the --interface
+option can be used to restrict polling to availability of a specific
+interface device with a specific local IP address, but snooping is
+still possible if (a) either host has a network device that can be
+opened in promiscuous mode, or (b) the intervening network link can be
+tapped.
.PP
Send comments, bug reports, gripes, and the like to Eric S. Raymond
<esr@thyrsus.com>.
diff --git a/imap.c b/imap.c
index 1bc57998..36bdaf06 100644
--- a/imap.c
+++ b/imap.c
@@ -16,6 +16,11 @@
#include "fetchmail.h"
#include "socket.h"
+#ifdef KERBEROS_V4
+#include <krb.h>
+#include "base64.h"
+#endif /* KERBEROS_V4 */
+
extern char *strstr(); /* needed on sysV68 R3V7.1. */
/* imap_version values */
@@ -76,45 +81,307 @@ int imap_ok (int sock, char *argbuf)
}
}
-int imap_getauth(int sock, struct query *ctl, char *buf)
-/* apply for connection authorization */
+#ifdef KERBEROS_V4
+static int do_rfc1731(int sock, struct query *ctl, char *buf)
+/* authenticate as per RFC1731
+ * note 32-bit integer requirement here...
+ * sizeof int must be 4!
+ *
+ * Note: Base64 conversion routines come from Cyrus IMAPd and have
+ * possibly too-restrictive redistribution requirements. See base64.c
+ * for details. Base64 is defined in RFC2045 section 6.8, "Base64
+ * Content-Transfer-Encoding", but lines must not be broken in the
+ * scheme used here.
+ */
{
- char rbuf [POPBUFSIZE+1];
+ int result = 0, len;
+ char buf1[4096], buf2[4096];
+ union {
+ int cint;
+ char cstr[4];
+ } challenge1, challenge2;
+ char srvinst[INST_SZ];
+ char *p;
+ char srvrealm[REALM_SZ];
+ KTEXT_ST authenticator;
+ CREDENTIALS credentials;
+ char tktuser[MAX_K_NAME_SZ+1+INST_SZ+1+REALM_SZ+1];
+ char tktinst[INST_SZ];
+ char tktrealm[REALM_SZ];
+ des_cblock session;
+ des_key_schedule schedule;
+
+ gen_send(sock, "AUTHENTICATE KERBEROS_V4");
+
+ /* The data encoded in the first ready response contains a random
+ * 32-bit number in network byte order. The client should respond
+ * with a Kerberos ticket and an authenticator for the principal
+ * "imap.hostname@realm", where "hostname" is the first component
+ * of the host name of the server with all letters in lower case
+ * and where "realm" is the Kerberos realm of the server. The
+ * encrypted checksum field included within the Kerberos
+ * authenticator should contain the server provided 32-bit number
+ * in network byte order.
+ */
- /* try to get authorized */
- int ok = gen_transact(sock,
- "LOGIN %s \"%s\"",
- ctl->remotename, ctl->password);
+ if (result = gen_recv(sock, buf1, sizeof buf1)) {
+ return result;
+ }
- if (ok)
- return(ok);
+ len = from64(challenge1.cstr, buf1);
+ if (len < 0) {
+ error(0, -1, "could not decode initial BASE64 challenge");
+ return PS_AUTHFAIL;
+ }
- /* probe to see if we're running IMAP4 and can use RFC822.PEEK */
- gen_send(sock, "CAPABILITY");
- if ((ok = gen_recv(sock, rbuf, sizeof(rbuf))))
- return(ok);
- if (strstr(rbuf, "BAD"))
- {
- imap_version = IMAP2;
- if (outlevel == O_VERBOSE)
- error(0, 0, "Protocol identified as IMAP2 or IMAP2BIS");
+ /* Client responds with a Kerberos ticket and an authenticator for
+ * the principal "imap.hostname@realm" where "hostname" is the
+ * first component of the host name of the server with all letters
+ * in lower case and where "realm" is the Kerberos realm of the
+ * server. The encrypted checksum field included within the
+ * Kerberos authenticator should contain the server-provided
+ * 32-bit number in network byte order.
+ */
+
+ strncpy(srvinst, ctl->server.names->id, (sizeof srvinst)-1);
+ srvinst[(sizeof srvinst)-1] = '\0';
+ for (p = srvinst; *p; p++) {
+ if (isupper(*p)) {
+ *p = tolower(*p);
+ }
}
- else if (strstr(rbuf, "IMAP4rev1"))
- {
- imap_version = IMAP4rev1;
- if (outlevel == O_VERBOSE)
- error(0, 0, "Protocol identified as IMAP4 rev 1");
+
+ strncpy(srvrealm, krb_realmofhost(srvinst), (sizeof srvrealm)-1);
+ srvrealm[(sizeof srvrealm)-1] = '\0';
+ if (p = strchr(srvinst, '.')) {
+ *p = '\0';
}
- else
- {
- imap_version = IMAP4;
- if (outlevel == O_VERBOSE)
- error(0, 0, "Protocol identified as IMAP4 rev 0");
+
+ result = krb_mk_req(&authenticator, "imap", srvinst, srvrealm, 0);
+ if (result) {
+ error(0, -1, "krb_mq_req: %s", krb_get_err_text(result));
+ return PS_AUTHFAIL;
}
- peek_capable = (imap_version >= IMAP4);
+ result = krb_get_cred("imap", srvinst, srvrealm, &credentials);
+ if (result) {
+ error(0, -1, "krb_get_cred: %s", krb_get_err_text(result));
+ return PS_AUTHFAIL;
+ }
- return(PS_SUCCESS);
+ memcpy(session, credentials.session, sizeof session);
+ memset(&credentials, 0, sizeof credentials);
+ des_key_sched(session, schedule);
+
+ result = krb_get_tf_fullname(TKT_FILE, tktuser, tktinst, tktrealm);
+ if (result) {
+ error(0, -1, "krb_get_tf_fullname: %s", krb_get_err_text(result));
+ return PS_AUTHFAIL;
+ }
+
+ if (strcmp(tktuser, user) != 0) {
+ error(0, -1, "principal %s in ticket does not match -u %s", tktuser,
+ user);
+ return PS_AUTHFAIL;
+ }
+
+ if (tktinst[0]) {
+ error(0, 0, "non-null instance (%s) might cause strange behavior",
+ tktinst);
+ strcat(tktuser, ".");
+ strcat(tktuser, tktinst);
+ }
+
+ if (strcmp(tktrealm, srvrealm) != 0) {
+ strcat(tktuser, "@");
+ strcat(tktuser, tktrealm);
+ }
+
+ result = krb_mk_req(&authenticator, "imap", srvinst, srvrealm,
+ challenge1.cint);
+ if (result) {
+ error(0, -1, "krb_mq_req: %s", krb_get_err_text(result));
+ return PS_AUTHFAIL;
+ }
+
+ to64(buf1, authenticator.dat, authenticator.length);
+ if (outlevel == O_VERBOSE) {
+ error(0, 0, "IMAP> %s", buf1);
+ }
+ SockWrite(sock, buf1, strlen(buf1));
+ SockWrite(sock, "\r\n", 2);
+
+ /* Upon decrypting and verifying the ticket and authenticator, the
+ * server should verify that the contained checksum field equals
+ * the original server provided random 32-bit number. Should the
+ * verification be successful, the server must add one to the
+ * checksum and construct 8 octets of data, with the first four
+ * octets containing the incremented checksum in network byte
+ * order, the fifth octet containing a bit-mask specifying the
+ * protection mechanisms supported by the server, and the sixth
+ * through eighth octets containing, in network byte order, the
+ * maximum cipher-text buffer size the server is able to receive.
+ * The server must encrypt the 8 octets of data in the session key
+ * and issue that encrypted data in a second ready response. The
+ * client should consider the server authenticated if the first
+ * four octets the un-encrypted data is equal to one plus the
+ * checksum it previously sent.
+ */
+
+ if (result = gen_recv(sock, buf1, sizeof buf1))
+ return result;
+
+ /* The client must construct data with the first four octets
+ * containing the original server-issued checksum in network byte
+ * order, the fifth octet containing the bit-mask specifying the
+ * selected protection mechanism, the sixth through eighth octets
+ * containing in network byte order the maximum cipher-text buffer
+ * size the client is able to receive, and the following octets
+ * containing a user name string. The client must then append
+ * from one to eight octets so that the length of the data is a
+ * multiple of eight octets. The client must then PCBC encrypt the
+ * data with the session key and respond to the second ready
+ * response with the encrypted data. The server decrypts the data
+ * and verifies the contained checksum. The username field
+ * identifies the user for whom subsequent IMAP operations are to
+ * be performed; the server must verify that the principal
+ * identified in the Kerberos ticket is authorized to connect as
+ * that user. After these verifications, the authentication
+ * process is complete.
+ */
+
+ len = from64(buf2, buf1);
+ if (len < 0) {
+ error(0, -1, "could not decode BASE64 ready response");
+ return PS_AUTHFAIL;
+ }
+
+ des_ecb_encrypt((des_cblock *)buf2, (des_cblock *)buf2, schedule, 0);
+ memcpy(challenge2.cstr, buf2, 4);
+ if (ntohl(challenge2.cint) != challenge1.cint + 1) {
+ error(0, -1, "challenge mismatch");
+ return PS_AUTHFAIL;
+ }
+
+ memset(authenticator.dat, 0, sizeof authenticator.dat);
+
+ result = htonl(challenge1.cint);
+ memcpy(authenticator.dat, &result, sizeof result);
+
+ /* The protection mechanisms and their corresponding bit-masks are as
+ * follows:
+ *
+ * 1 No protection mechanism
+ * 2 Integrity (krb_mk_safe) protection
+ * 4 Privacy (krb_mk_priv) protection
+ */
+ authenticator.dat[4] = 1;
+
+ len = strlen(tktuser);
+ strncpy(authenticator.dat+8, tktuser, len);
+ authenticator.length = len + 8 + 1;
+ while (authenticator.length & 7) {
+ authenticator.length++;
+ }
+ des_pcbc_encrypt((des_cblock *)authenticator.dat,
+ (des_cblock *)authenticator.dat, authenticator.length, schedule,
+ &session, 1);
+
+ to64(buf1, authenticator.dat, authenticator.length);
+ if (outlevel == O_VERBOSE) {
+ error(0, 0, "IMAP> %s", buf1);
+ }
+ SockWrite(sock, buf1, strlen(buf1));
+ SockWrite(sock, "\r\n", 2);
+
+ if (result = gen_recv(sock, buf1, sizeof buf1))
+ return result;
+
+ if (strstr(buf1, "OK")) {
+ return PS_SUCCESS;
+ }
+ else {
+ return PS_AUTHFAIL;
+ }
+}
+#endif /* KERBEROS_V4 */
+
+int imap_getauth(int sock, struct query *ctl, char *buf)
+/* apply for connection authorization */
+{
+ char rbuf [POPBUFSIZE+1];
+ int ok = 0;
+#ifdef KERBEROS_V4
+ int kerbok = 0;
+
+ if (ctl->server.protocol != P_IMAP_K4)
+#endif /* KERBEROS_V4 */
+ /* try to get authorized */
+ ok = gen_transact(sock,
+ "LOGIN %s \"%s\"", ctl->remotename, ctl->password);
+
+ if (ok)
+ return(ok);
+
+ /* probe to see if we're running IMAP4 and can use RFC822.PEEK */
+ gen_send(sock, "CAPABILITY");
+ if ((ok = gen_recv(sock, rbuf, sizeof(rbuf))))
+ return(ok);
+ if (strstr(rbuf, "BAD"))
+ {
+ imap_version = IMAP2;
+ if (outlevel == O_VERBOSE)
+ error(0, 0, "Protocol identified as IMAP2 or IMAP2BIS");
+ }
+ else if (strstr(rbuf, "IMAP4rev1"))
+ {
+ imap_version = IMAP4rev1;
+ if (outlevel == O_VERBOSE)
+ error(0, 0, "Protocol identified as IMAP4 rev 1");
+ }
+ else
+ {
+ imap_version = IMAP4;
+ if (outlevel == O_VERBOSE)
+ error(0, 0, "Protocol identified as IMAP4 rev 0");
+ }
+
+ peek_capable = (imap_version >= IMAP4);
+
+#ifdef KERBEROS_V4
+ if (strstr(rbuf, "AUTH=KERBEROS_V4"))
+ {
+ kerbok++;
+ if (outlevel == O_VERBOSE)
+ error(0, 0, "KERBEROS_V4 authentication is supported");
+ }
+
+ /* eat OK response */
+ if ((ok = gen_recv(sock, rbuf, sizeof(rbuf))))
+ return(ok);
+
+ if (!strstr(rbuf, "OK"))
+ return(PS_AUTHFAIL);
+
+ if ((imap_version >= IMAP4) && (ctl->server.protocol == P_IMAP_K4))
+ {
+ if (!kerbok)
+ {
+ error(0, -1, "Required KERBEROS_V4 capability not supported by server");
+ return(PS_AUTHFAIL);
+ }
+
+ if ((ok = do_rfc1731(sock, ctl, buf)))
+ {
+ if (outlevel == O_VERBOSE)
+ error(0, 0, "IMAP> *");
+ SockWrite(sock, "*\r\n", 3);
+ return(ok);
+ }
+ }
+#endif /* KERBEROS_V4 */
+
+ return(PS_SUCCESS);
}
static int imap_getrange(int sock,
diff --git a/options.c b/options.c
index fcc5fddf..74893519 100644
--- a/options.c
+++ b/options.c
@@ -177,8 +177,6 @@ struct query *ctl; /* option record to be initialized */
ctl->server.protocol = P_POP2;
else if (strcasecmp(optarg,"pop3") == 0)
ctl->server.protocol = P_POP3;
- else if (strcasecmp(optarg,"imap") == 0)
- ctl->server.protocol = P_IMAP;
else if (strcasecmp(optarg,"apop") == 0)
ctl->server.protocol = P_APOP;
else if (strcasecmp(optarg,"rpop") == 0)
@@ -189,6 +187,12 @@ struct query *ctl; /* option record to be initialized */
ctl->server.port = KPOP_PORT;
ctl->server.authenticate = A_KERBEROS_V4;
}
+ else if (strcasecmp(optarg,"imap") == 0)
+ ctl->server.protocol = P_IMAP;
+#ifdef KERBEROS_V4
+ else if (strcasecmp(optarg,"imap-k4") == 0)
+ ctl->server.protocol = P_IMAP_K4;
+#endif /* KERBEROS_V4 */
else if (strcasecmp(optarg,"etrn") == 0)
ctl->server.protocol = P_ETRN;
else {