2 * gssapi.c -- GSSAPI authentication (see RFC 1508)
4 * For license terms, see the file COPYING in this directory.
11 #if defined(STDC_HEADERS)
14 #include "fetchmail.h"
20 #include <sys/types.h>
21 #include <netinet/in.h> /* for htonl/ntohl */
27 # if defined(HAVE_GSSAPI_H) && !defined(HAVE_GSSAPI_GSSAPI_H)
30 # ifdef HAVE_GSSAPI_GSSAPI_H
31 # include <gssapi/gssapi.h>
33 # ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
34 # include <gssapi/gssapi_generic.h>
36 # ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE
37 # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
41 #define GSSAUTH_P_NONE 1
42 #define GSSAUTH_P_INTEGRITY 2
43 #define GSSAUTH_P_PRIVACY 4
45 int do_gssauth(int sock, char *command, char *service, char *hostname, char *username)
47 gss_buffer_desc request_buf, send_token;
48 gss_buffer_t sec_token;
49 gss_name_t target_name;
54 OM_uint32 maj_stat, min_stat;
55 char buf1[8192], buf2[8192], server_conf_flags;
56 unsigned long buf_size;
59 /* first things first: get an imap ticket for host */
60 snprintf(buf1, sizeof(buf1), "%s@%s", service, hostname);
61 request_buf.value = buf1;
62 request_buf.length = strlen(buf1) + 1;
63 maj_stat = gss_import_name(&min_stat, &request_buf, GSS_C_NT_HOSTBASED_SERVICE,
65 if (maj_stat != GSS_S_COMPLETE) {
66 report(stderr, GT_("Couldn't get service name for [%s]\n"), buf1);
69 else if (outlevel >= O_DEBUG) {
70 maj_stat = gss_display_name(&min_stat, target_name, &request_buf,
72 report(stderr, GT_("Using service name [%s]\n"),
73 (char *)request_buf.value);
74 maj_stat = gss_release_buffer(&min_stat, &request_buf);
77 gen_send(sock, "%s GSSAPI", command);
79 /* upon receipt of the GSSAPI authentication request, server returns
80 * null data ready response. */
81 result = gen_recv(sock, buf1, sizeof buf1);
85 /* now start the security context initialisation loop... */
86 sec_token = GSS_C_NO_BUFFER;
87 context = GSS_C_NO_CONTEXT;
88 if (outlevel >= O_VERBOSE)
89 report(stdout, GT_("Sending credentials\n"));
91 send_token.length = 0;
92 send_token.value = NULL;
93 maj_stat = gss_init_sec_context(&min_stat,
98 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
100 GSS_C_NO_CHANNEL_BINDINGS,
106 if (maj_stat!=GSS_S_COMPLETE && maj_stat!=GSS_S_CONTINUE_NEEDED) {
107 report(stderr, GT_("Error exchanging credentials\n"));
108 gss_release_name(&min_stat, &target_name);
109 /* wake up server and await NO response */
110 SockWrite(sock, "\r\n", 2);
111 result = gen_recv(sock, buf1, sizeof buf1);
116 to64frombits(buf1, send_token.value, send_token.length);
117 gss_release_buffer(&min_stat, &send_token);
119 suppress_tags = TRUE;
120 gen_send(sock, buf1, strlen(buf1));
121 suppress_tags = FALSE;
123 if (maj_stat == GSS_S_CONTINUE_NEEDED) {
124 result = gen_recv(sock, buf1, sizeof buf1);
126 gss_release_name(&min_stat, &target_name);
129 request_buf.length = from64tobits(buf2, buf1 + 2, sizeof(buf2));
130 if ((int)request_buf.length == -1) /* in case of bad data */
131 request_buf.length = 0;
132 request_buf.value = buf2;
133 sec_token = &request_buf;
136 (maj_stat == GSS_S_CONTINUE_NEEDED);
137 gss_release_name(&min_stat, &target_name);
139 /* get security flags and buffer size */
140 result = gen_recv(sock, buf1, sizeof buf1);
144 request_buf.length = from64tobits(buf2, buf1 + 2, sizeof(buf2));
145 if ((int)request_buf.length == -1) /* in case of bad data */
146 request_buf.length = 0;
147 request_buf.value = buf2;
149 maj_stat = gss_unwrap(&min_stat, context,
150 &request_buf, &send_token, &cflags, &quality);
151 if (maj_stat != GSS_S_COMPLETE) {
152 report(stderr, GT_("Couldn't unwrap security level data\n"));
153 gss_release_buffer(&min_stat, &send_token);
156 if (outlevel >= O_DEBUG)
157 report(stdout, GT_("Credential exchange complete\n"));
158 /* first octet is security levels supported. We want none, for now */
159 server_conf_flags = ((char *)send_token.value)[0];
160 if ( !(((char *)send_token.value)[0] & GSSAUTH_P_NONE) ) {
161 report(stderr, GT_("Server requires integrity and/or privacy\n"));
162 gss_release_buffer(&min_stat, &send_token);
165 ((char *)send_token.value)[0] = 0;
166 buf_size = ntohl(*((long *)send_token.value));
167 /* we don't care about buffer size if we don't wrap data */
168 gss_release_buffer(&min_stat, &send_token);
169 if (outlevel >= O_DEBUG) {
170 report(stdout, GT_("Unwrapped security level flags: %s%s%s\n"),
171 server_conf_flags & GSSAUTH_P_NONE ? "N" : "-",
172 server_conf_flags & GSSAUTH_P_INTEGRITY ? "I" : "-",
173 server_conf_flags & GSSAUTH_P_PRIVACY ? "C" : "-");
174 report(stdout, GT_("Maximum GSS token size is %ld\n"),buf_size);
177 /* now respond in kind (hack!!!) */
178 buf_size = htonl(buf_size); /* do as they do... only matters if we do enc */
179 memcpy(buf1, &buf_size, 4);
180 buf1[0] = GSSAUTH_P_NONE;
181 strlcpy(buf1+4, username, sizeof(buf1) - 4); /* server decides if princ is user */
182 request_buf.length = 4 + strlen(username) + 1;
183 request_buf.value = buf1;
184 maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
185 &cflags, &send_token);
186 if (maj_stat != GSS_S_COMPLETE) {
187 report(stderr, GT_("Error creating security level request\n"));
190 to64frombits(buf1, send_token.value, send_token.length);
192 suppress_tags = TRUE;
193 result = gen_transact(sock, buf1, strlen(buf1));
194 suppress_tags = FALSE;
196 /* flush security context */
197 if (outlevel >= O_DEBUG)
198 report(stdout, GT_("Releasing GSS credentials\n"));
199 maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);
200 if (maj_stat != GSS_S_COMPLETE) {
201 report(stderr, GT_("Error releasing credentials\n"));
204 /* send_token may contain a notification to the server to flush
205 * credentials. RFC 1731 doesn't specify what to do, and since this
206 * support is only for authentication, we'll assume the server
207 * knows enough to flush its own credentials */
208 gss_release_buffer(&min_stat, &send_token);
217 /* gssapi.c ends here */