diff options
Diffstat (limited to 'gssapi.c')
-rw-r--r-- | gssapi.c | 207 |
1 files changed, 207 insertions, 0 deletions
diff --git a/gssapi.c b/gssapi.c new file mode 100644 index 00000000..4b51cb49 --- /dev/null +++ b/gssapi.c @@ -0,0 +1,207 @@ +/* + * cram.c -- GSSAPI authentication (see RFC 1508) + * + * For license terms, see the file COPYING in this directory. + */ + +#include "config.h" +#include <stdio.h> +#include <string.h> +#include <ctype.h> +#if defined(STDC_HEADERS) +#include <stdlib.h> +#endif +#include "fetchmail.h" +#include "socket.h" + +#include "i18n.h" +#include "md5.h" + +#ifdef GSSAPI +# ifdef HAVE_GSSAPI_H +# include <gssapi.h> +# endif +# ifdef HAVE_GSSAPI_GSSAPI_H +# include <gssapi/gssapi.h> +# endif +# ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +# include <gssapi/gssapi_generic.h> +# endif +# ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE +# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +# endif + +#define GSSAUTH_P_NONE 1 +#define GSSAUTH_P_INTEGRITY 2 +#define GSSAUTH_P_PRIVACY 4 + +int do_gssauth(int sock, char *command, char *hostname, char *username) +{ + gss_buffer_desc request_buf, send_token; + gss_buffer_t sec_token; + gss_name_t target_name; + gss_ctx_id_t context; + gss_OID mech_name; + gss_qop_t quality; + int cflags; + OM_uint32 maj_stat, min_stat; + char buf1[8192], buf2[8192], server_conf_flags; + unsigned long buf_size; + int result; + + /* first things first: get an imap ticket for host */ + sprintf(buf1, "imap@%s", hostname); + request_buf.value = buf1; + request_buf.length = strlen(buf1) + 1; + maj_stat = gss_import_name(&min_stat, &request_buf, GSS_C_NT_HOSTBASED_SERVICE, + &target_name); + if (maj_stat != GSS_S_COMPLETE) { + report(stderr, _("Couldn't get service name for [%s]\n"), buf1); + return PS_AUTHFAIL; + } + else if (outlevel >= O_DEBUG) { + maj_stat = gss_display_name(&min_stat, target_name, &request_buf, + &mech_name); + report(stderr, _("Using service name [%s]\n"),request_buf.value); + maj_stat = gss_release_buffer(&min_stat, &request_buf); + } + + gen_send(sock, "%s GSSAPI", command); + + /* upon receipt of the GSSAPI authentication request, server returns + * null data ready response. */ + if (result = gen_recv(sock, buf1, sizeof buf1)) { + return result; + } + + /* now start the security context initialisation loop... */ + sec_token = GSS_C_NO_BUFFER; + context = GSS_C_NO_CONTEXT; + if (outlevel >= O_VERBOSE) + report(stdout, _("Sending credentials\n")); + do { + send_token.length = 0; + send_token.value = NULL; + maj_stat = gss_init_sec_context(&min_stat, + GSS_C_NO_CREDENTIAL, + &context, + target_name, + GSS_C_NO_OID, + GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + sec_token, + NULL, + &send_token, + NULL, + NULL); + if (maj_stat!=GSS_S_COMPLETE && maj_stat!=GSS_S_CONTINUE_NEEDED) { + report(stderr, _("Error exchanging credentials\n")); + gss_release_name(&min_stat, &target_name); + /* wake up server and await NO response */ + SockWrite(sock, "\r\n", 2); + if (result = gen_recv(sock, buf1, sizeof buf1)) + return result; + return PS_AUTHFAIL; + } + to64frombits(buf1, send_token.value, send_token.length); + gss_release_buffer(&min_stat, &send_token); + strcat(buf1, "\r\n"); + SockWrite(sock, buf1, strlen(buf1)); + if (outlevel >= O_MONITOR) + report(stdout, "IMAP> %s\n", buf1); + if (maj_stat == GSS_S_CONTINUE_NEEDED) { + if (result = gen_recv(sock, buf1, sizeof buf1)) { + gss_release_name(&min_stat, &target_name); + return result; + } + request_buf.length = from64tobits(buf2, buf1 + 2); + request_buf.value = buf2; + sec_token = &request_buf; + } + } while (maj_stat == GSS_S_CONTINUE_NEEDED); + gss_release_name(&min_stat, &target_name); + + /* get security flags and buffer size */ + if (result = gen_recv(sock, buf1, sizeof buf1)) { + return result; + } + request_buf.length = from64tobits(buf2, buf1 + 2); + request_buf.value = buf2; + + maj_stat = gss_unwrap(&min_stat, context, &request_buf, &send_token, + &cflags, &quality); + if (maj_stat != GSS_S_COMPLETE) { + report(stderr, _("Couldn't unwrap security level data\n")); + gss_release_buffer(&min_stat, &send_token); + return PS_AUTHFAIL; + } + if (outlevel >= O_DEBUG) + report(stdout, _("Credential exchange complete\n")); + /* first octet is security levels supported. We want none, for now */ + server_conf_flags = ((char *)send_token.value)[0]; + if ( !(((char *)send_token.value)[0] & GSSAUTH_P_NONE) ) { + report(stderr, _("Server requires integrity and/or privacy\n")); + gss_release_buffer(&min_stat, &send_token); + return PS_AUTHFAIL; + } + ((char *)send_token.value)[0] = 0; + buf_size = ntohl(*((long *)send_token.value)); + /* we don't care about buffer size if we don't wrap data */ + gss_release_buffer(&min_stat, &send_token); + if (outlevel >= O_DEBUG) { + report(stdout, _("Unwrapped security level flags: %s%s%s\n"), + server_conf_flags & GSSAUTH_P_NONE ? "N" : "-", + server_conf_flags & GSSAUTH_P_INTEGRITY ? "I" : "-", + server_conf_flags & GSSAUTH_P_PRIVACY ? "C" : "-"); + report(stdout, _("Maximum GSS token size is %ld\n"),buf_size); + } + + /* now respond in kind (hack!!!) */ + buf_size = htonl(buf_size); /* do as they do... only matters if we do enc */ + memcpy(buf1, &buf_size, 4); + buf1[0] = GSSAUTH_P_NONE; + strcpy(buf1+4, username); /* server decides if princ is user */ + request_buf.length = 4 + strlen(username) + 1; + request_buf.value = buf1; + maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf, + &cflags, &send_token); + if (maj_stat != GSS_S_COMPLETE) { + report(stderr, _("Error creating security level request\n")); + return PS_AUTHFAIL; + } + to64frombits(buf1, send_token.value, send_token.length); + if (outlevel >= O_DEBUG) { + report(stdout, _("Requesting authorization as %s\n"), username); + report(stdout, "IMAP> %s\n",buf1); + } + strcat(buf1, "\r\n"); + SockWrite(sock, buf1, strlen(buf1)); + + /* we should be done. Get status and finish up */ + do { + if (result = gen_recv(sock, buf1, sizeof buf1)) + return result; + } while(strncmp(buf1, tag, strlen(tag)) != 0); + if (strstr(buf1, "OK")) { + /* flush security context */ + if (outlevel >= O_DEBUG) + report(stdout, _("Releasing GSS credentials\n")); + maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token); + if (maj_stat != GSS_S_COMPLETE) { + report(stderr, _("Error releasing credentials\n")); + return PS_AUTHFAIL; + } + /* send_token may contain a notification to the server to flush + * credentials. RFC 1731 doesn't specify what to do, and since this + * support is only for authentication, we'll assume the server + * knows enough to flush its own credentials */ + gss_release_buffer(&min_stat, &send_token); + return PS_SUCCESS; + } + + return PS_AUTHFAIL; +} +#endif /* GSSAPI */ + +/* gssapi.c ends here */ |