diff options
author | Eric S. Raymond <esr@thyrsus.com> | 2001-02-11 20:24:31 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 2001-02-11 20:24:31 +0000 |
commit | 49e1f41ffef6834125db955993f99f1ac17c0bcf (patch) | |
tree | d9f7693d9d2091a4c62538284274a7476c5d0bc2 /imap.c | |
parent | bf10e6bd5289d9bc7ef15d628128cc12b5c1ffe9 (diff) | |
download | fetchmail-49e1f41ffef6834125db955993f99f1ac17c0bcf.tar.gz fetchmail-49e1f41ffef6834125db955993f99f1ac17c0bcf.tar.bz2 fetchmail-49e1f41ffef6834125db955993f99f1ac17c0bcf.zip |
Refactored the Kerberos stuff.
svn path=/trunk/; revision=3066
Diffstat (limited to 'imap.c')
-rw-r--r-- | imap.c | 262 |
1 files changed, 1 insertions, 261 deletions
@@ -15,22 +15,6 @@ #include "fetchmail.h" #include "socket.h" -#ifdef KERBEROS_V4 -#ifdef KERBEROS_V5 -#include <kerberosIV/des.h> -#include <kerberosIV/krb.h> -#else -#if defined (__bsdi__) -#include <des.h> -#define krb_get_err_text(e) (krb_err_txt[e]) -#endif -#if defined(__NetBSD__) || (__FreeBSD__) || defined(__linux__) -#define krb_get_err_text(e) (krb_err_txt[e]) -#endif -#include <krb.h> -#endif -#endif /* KERBEROS_V4 */ - #ifdef GSSAPI #ifdef HAVE_GSSAPI_H #include <gssapi.h> @@ -214,250 +198,6 @@ static int do_otp(int sock, struct query *ctl) }; #endif /* OPIE_ENABLE */ -#ifdef KERBEROS_V4 -#if SIZEOF_INT == 4 -typedef int int32; -#elif SIZEOF_SHORT == 4 -typedef short int32; -#elif SIZEOF_LONG == 4 -typedef long int32; -#else -#error Cannot deduce a 32-bit-type -#endif - -static int do_rfc1731(int sock, char *truename) -/* authenticate as per RFC1731 -- note 32-bit integer requirement here */ -{ - int result = 0, len; - char buf1[4096], buf2[4096]; - union { - int32 cint; - char cstr[4]; - } challenge1, challenge2; - char srvinst[INST_SZ]; - char *p; - char srvrealm[REALM_SZ]; - KTEXT_ST authenticator; - CREDENTIALS credentials; - char tktuser[MAX_K_NAME_SZ+1+INST_SZ+1+REALM_SZ+1]; - char tktinst[INST_SZ]; - char tktrealm[REALM_SZ]; - des_cblock session; - des_key_schedule schedule; - - gen_send(sock, "AUTHENTICATE KERBEROS_V4"); - - /* The data encoded in the first ready response contains a random - * 32-bit number in network byte order. The client should respond - * with a Kerberos ticket and an authenticator for the principal - * "imap.hostname@realm", where "hostname" is the first component - * of the host name of the server with all letters in lower case - * and where "realm" is the Kerberos realm of the server. The - * encrypted checksum field included within the Kerberos - * authenticator should contain the server provided 32-bit number - * in network byte order. - */ - - if (result = gen_recv(sock, buf1, sizeof buf1)) { - return result; - } - - len = from64tobits(challenge1.cstr, buf1); - if (len < 0) { - report(stderr, _("could not decode initial BASE64 challenge\n")); - return PS_AUTHFAIL; - } - - /* this patch by Dan Root <dar@thekeep.org> solves an endianess - * problem. */ - { - char tmp[4]; - - *(int *)tmp = ntohl(*(int *) challenge1.cstr); - memcpy(challenge1.cstr, tmp, sizeof(tmp)); - } - - /* Client responds with a Kerberos ticket and an authenticator for - * the principal "imap.hostname@realm" where "hostname" is the - * first component of the host name of the server with all letters - * in lower case and where "realm" is the Kerberos realm of the - * server. The encrypted checksum field included within the - * Kerberos authenticator should contain the server-provided - * 32-bit number in network byte order. - */ - - strncpy(srvinst, truename, (sizeof srvinst)-1); - srvinst[(sizeof srvinst)-1] = '\0'; - for (p = srvinst; *p; p++) { - if (isupper(*p)) { - *p = tolower(*p); - } - } - - strncpy(srvrealm, (char *)krb_realmofhost(srvinst), (sizeof srvrealm)-1); - srvrealm[(sizeof srvrealm)-1] = '\0'; - if (p = strchr(srvinst, '.')) { - *p = '\0'; - } - - result = krb_mk_req(&authenticator, "imap", srvinst, srvrealm, 0); - if (result) { - report(stderr, "krb_mq_req: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - - result = krb_get_cred("imap", srvinst, srvrealm, &credentials); - if (result) { - report(stderr, "krb_get_cred: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - - memcpy(session, credentials.session, sizeof session); - memset(&credentials, 0, sizeof credentials); - des_key_sched(session, schedule); - - result = krb_get_tf_fullname(TKT_FILE, tktuser, tktinst, tktrealm); - if (result) { - report(stderr, "krb_get_tf_fullname: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - -#ifdef __UNUSED__ - /* - * Andrew H. Chatham <andrew.chatham@duke.edu> alleges that this check - * is not necessary and has consistently been messing him up. - */ - if (strcmp(tktuser, user) != 0) { - report(stderr, - _("principal %s in ticket does not match -u %s\n"), tktuser, - user); - return PS_AUTHFAIL; - } -#endif /* __UNUSED__ */ - - if (tktinst[0]) { - report(stderr, - _("non-null instance (%s) might cause strange behavior\n"), - tktinst); - strcat(tktuser, "."); - strcat(tktuser, tktinst); - } - - if (strcmp(tktrealm, srvrealm) != 0) { - strcat(tktuser, "@"); - strcat(tktuser, tktrealm); - } - - result = krb_mk_req(&authenticator, "imap", srvinst, srvrealm, - challenge1.cint); - if (result) { - report(stderr, "krb_mq_req: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - - to64frombits(buf1, authenticator.dat, authenticator.length); - if (outlevel >= O_MONITOR) { - report(stdout, "IMAP> %s\n", buf1); - } - strcat(buf1, "\r\n"); - SockWrite(sock, buf1, strlen(buf1)); - - /* Upon decrypting and verifying the ticket and authenticator, the - * server should verify that the contained checksum field equals - * the original server provided random 32-bit number. Should the - * verification be successful, the server must add one to the - * checksum and construct 8 octets of data, with the first four - * octets containing the incremented checksum in network byte - * order, the fifth octet containing a bit-mask specifying the - * protection mechanisms supported by the server, and the sixth - * through eighth octets containing, in network byte order, the - * maximum cipher-text buffer size the server is able to receive. - * The server must encrypt the 8 octets of data in the session key - * and issue that encrypted data in a second ready response. The - * client should consider the server authenticated if the first - * four octets the un-encrypted data is equal to one plus the - * checksum it previously sent. - */ - - if (result = gen_recv(sock, buf1, sizeof buf1)) - return result; - - /* The client must construct data with the first four octets - * containing the original server-issued checksum in network byte - * order, the fifth octet containing the bit-mask specifying the - * selected protection mechanism, the sixth through eighth octets - * containing in network byte order the maximum cipher-text buffer - * size the client is able to receive, and the following octets - * containing a user name string. The client must then append - * from one to eight octets so that the length of the data is a - * multiple of eight octets. The client must then PCBC encrypt the - * data with the session key and respond to the second ready - * response with the encrypted data. The server decrypts the data - * and verifies the contained checksum. The username field - * identifies the user for whom subsequent IMAP operations are to - * be performed; the server must verify that the principal - * identified in the Kerberos ticket is authorized to connect as - * that user. After these verifications, the authentication - * process is complete. - */ - - len = from64tobits(buf2, buf1); - if (len < 0) { - report(stderr, _("could not decode BASE64 ready response\n")); - return PS_AUTHFAIL; - } - - des_ecb_encrypt((des_cblock *)buf2, (des_cblock *)buf2, schedule, 0); - memcpy(challenge2.cstr, buf2, 4); - if (ntohl(challenge2.cint) != challenge1.cint + 1) { - report(stderr, _("challenge mismatch\n")); - return PS_AUTHFAIL; - } - - memset(authenticator.dat, 0, sizeof authenticator.dat); - - result = htonl(challenge1.cint); - memcpy(authenticator.dat, &result, sizeof result); - - /* The protection mechanisms and their corresponding bit-masks are as - * follows: - * - * 1 No protection mechanism - * 2 Integrity (krb_mk_safe) protection - * 4 Privacy (krb_mk_priv) protection - */ - authenticator.dat[4] = 1; - - len = strlen(tktuser); - strncpy(authenticator.dat+8, tktuser, len); - authenticator.length = len + 8 + 1; - while (authenticator.length & 7) { - authenticator.length++; - } - des_pcbc_encrypt((des_cblock *)authenticator.dat, - (des_cblock *)authenticator.dat, authenticator.length, schedule, - &session, 1); - - to64frombits(buf1, authenticator.dat, authenticator.length); - if (outlevel >= O_MONITOR) { - report(stdout, "IMAP> %s\n", buf1); - } - - strcat(buf1, "\r\n"); - SockWrite(sock, buf1, strlen(buf1)); - - if (result = gen_recv(sock, buf1, sizeof buf1)) - return result; - - if (strstr(buf1, "OK")) { - return PS_SUCCESS; - } - else { - return PS_AUTHFAIL; - } -} -#endif /* KERBEROS_V4 */ - #ifdef GSSAPI #define GSSAUTH_P_NONE 1 #define GSSAUTH_P_INTEGRITY 2 @@ -827,7 +567,7 @@ int imap_getauth(int sock, struct query *ctl, char *greeting) if (ctl->server.protocol == P_IMAP_K4) { - if ((ok = do_rfc1731(sock, ctl->server.truename))) + if ((ok = do_rfc1731(sock, "AUTHENTICATE", ctl->server.truename))) /* SASL cancellation of authentication */ gen_send(sock, "*"); |