2 * gssapi.c -- GSSAPI authentication (see RFC 1508)
4 * For license terms, see the file COPYING in this directory.
11 #if defined(STDC_HEADERS)
14 #include "fetchmail.h"
24 # ifdef HAVE_GSSAPI_GSSAPI_H
25 # include <gssapi/gssapi.h>
27 # ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
28 # include <gssapi/gssapi_generic.h>
30 # ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE
31 # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
34 #define GSSAUTH_P_NONE 1
35 #define GSSAUTH_P_INTEGRITY 2
36 #define GSSAUTH_P_PRIVACY 4
38 int do_gssauth(int sock, char *command, char *hostname, char *username)
40 gss_buffer_desc request_buf, send_token;
41 gss_buffer_t sec_token;
42 gss_name_t target_name;
47 OM_uint32 maj_stat, min_stat;
48 char buf1[8192], buf2[8192], server_conf_flags;
49 unsigned long buf_size;
52 /* first things first: get an imap ticket for host */
53 sprintf(buf1, "imap@%s", hostname);
54 request_buf.value = buf1;
55 request_buf.length = strlen(buf1) + 1;
56 maj_stat = gss_import_name(&min_stat, &request_buf, GSS_C_NT_HOSTBASED_SERVICE,
58 if (maj_stat != GSS_S_COMPLETE) {
59 report(stderr, _("Couldn't get service name for [%s]\n"), buf1);
62 else if (outlevel >= O_DEBUG) {
63 maj_stat = gss_display_name(&min_stat, target_name, &request_buf,
65 report(stderr, _("Using service name [%s]\n"),request_buf.value);
66 maj_stat = gss_release_buffer(&min_stat, &request_buf);
69 gen_send(sock, "%s GSSAPI", command);
71 /* upon receipt of the GSSAPI authentication request, server returns
72 * null data ready response. */
73 if (result = gen_recv(sock, buf1, sizeof buf1)) {
77 /* now start the security context initialisation loop... */
78 sec_token = GSS_C_NO_BUFFER;
79 context = GSS_C_NO_CONTEXT;
80 if (outlevel >= O_VERBOSE)
81 report(stdout, _("Sending credentials\n"));
83 send_token.length = 0;
84 send_token.value = NULL;
85 maj_stat = gss_init_sec_context(&min_stat,
90 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
92 GSS_C_NO_CHANNEL_BINDINGS,
98 if (maj_stat!=GSS_S_COMPLETE && maj_stat!=GSS_S_CONTINUE_NEEDED) {
99 report(stderr, _("Error exchanging credentials\n"));
100 gss_release_name(&min_stat, &target_name);
101 /* wake up server and await NO response */
102 SockWrite(sock, "\r\n", 2);
103 if (result = gen_recv(sock, buf1, sizeof buf1))
107 to64frombits(buf1, send_token.value, send_token.length);
108 gss_release_buffer(&min_stat, &send_token);
109 strcat(buf1, "\r\n");
110 SockWrite(sock, buf1, strlen(buf1));
111 if (outlevel >= O_MONITOR)
112 report(stdout, "IMAP> %s\n", buf1);
113 if (maj_stat == GSS_S_CONTINUE_NEEDED) {
114 if (result = gen_recv(sock, buf1, sizeof buf1)) {
115 gss_release_name(&min_stat, &target_name);
118 request_buf.length = from64tobits(buf2, buf1 + 2);
119 request_buf.value = buf2;
120 sec_token = &request_buf;
122 } while (maj_stat == GSS_S_CONTINUE_NEEDED);
123 gss_release_name(&min_stat, &target_name);
125 /* get security flags and buffer size */
126 if (result = gen_recv(sock, buf1, sizeof buf1)) {
129 request_buf.length = from64tobits(buf2, buf1 + 2);
130 request_buf.value = buf2;
132 maj_stat = gss_unwrap(&min_stat, context, &request_buf, &send_token,
134 if (maj_stat != GSS_S_COMPLETE) {
135 report(stderr, _("Couldn't unwrap security level data\n"));
136 gss_release_buffer(&min_stat, &send_token);
139 if (outlevel >= O_DEBUG)
140 report(stdout, _("Credential exchange complete\n"));
141 /* first octet is security levels supported. We want none, for now */
142 server_conf_flags = ((char *)send_token.value)[0];
143 if ( !(((char *)send_token.value)[0] & GSSAUTH_P_NONE) ) {
144 report(stderr, _("Server requires integrity and/or privacy\n"));
145 gss_release_buffer(&min_stat, &send_token);
148 ((char *)send_token.value)[0] = 0;
149 buf_size = ntohl(*((long *)send_token.value));
150 /* we don't care about buffer size if we don't wrap data */
151 gss_release_buffer(&min_stat, &send_token);
152 if (outlevel >= O_DEBUG) {
153 report(stdout, _("Unwrapped security level flags: %s%s%s\n"),
154 server_conf_flags & GSSAUTH_P_NONE ? "N" : "-",
155 server_conf_flags & GSSAUTH_P_INTEGRITY ? "I" : "-",
156 server_conf_flags & GSSAUTH_P_PRIVACY ? "C" : "-");
157 report(stdout, _("Maximum GSS token size is %ld\n"),buf_size);
160 /* now respond in kind (hack!!!) */
161 buf_size = htonl(buf_size); /* do as they do... only matters if we do enc */
162 memcpy(buf1, &buf_size, 4);
163 buf1[0] = GSSAUTH_P_NONE;
164 strcpy(buf1+4, username); /* server decides if princ is user */
165 request_buf.length = 4 + strlen(username) + 1;
166 request_buf.value = buf1;
167 maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
168 &cflags, &send_token);
169 if (maj_stat != GSS_S_COMPLETE) {
170 report(stderr, _("Error creating security level request\n"));
173 to64frombits(buf1, send_token.value, send_token.length);
175 suppress_tags = TRUE;
176 result = gen_transact(sock, buf1, strlen(buf));
177 suppress_tags = FALSE;
179 /* flush security context */
180 if (outlevel >= O_DEBUG)
181 report(stdout, _("Releasing GSS credentials\n"));
182 maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);
183 if (maj_stat != GSS_S_COMPLETE) {
184 report(stderr, _("Error releasing credentials\n"));
187 /* send_token may contain a notification to the server to flush
188 * credentials. RFC 1731 doesn't specify what to do, and since this
189 * support is only for authentication, we'll assume the server
190 * knows enough to flush its own credentials */
191 gss_release_buffer(&min_stat, &send_token);
200 /* gssapi.c ends here */