/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
/* camel-imap-auth.c: IMAP AUTHENTICATE implementations */
/*
* Authors: Dan Winship <danw@helixcode.com>
*
* Copyright 2000 Helix Code, Inc. (www.helixcode.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.
*
*/
#include <config.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#ifdef HAVE_KRB4
#include <krb.h>
/* MIT krb4 des.h #defines _. Sigh. We don't need it. */
#undef _
#endif
#include "camel-exception.h"
#include "camel-mime-utils.h"
#include "camel-imap-auth.h"
#include "camel-imap-command.h"
#include "camel-imap-utils.h"
#include "camel-imap-private.h"
#ifdef HAVE_KRB4
static char *
base64_encode_simple (const char *data, int len)
{
unsigned char *out;
int state = 0, outlen;
unsigned int save = 0;
out = g_malloc (len * 4 / 3 + 5);
outlen = base64_encode_close ((unsigned char *)data, len, FALSE,
out, &state, &save);
out[outlen] = '\0';
return (char *)out;
}
static int
base64_decode_simple (char *data, int len)
{
int state = 0;
unsigned int save = 0;
return base64_decode_step ((unsigned char *)data, len,
(unsigned char *)data, &state, &save);
}
#define IMAP_KERBEROS_V4_PROTECTION_NONE 1
#define IMAP_KERBEROS_V4_PROTECTION_INTEGRITY 2
#define IMAP_KERBEROS_V4_PROTECTION_PRIVACY 4
gboolean
imap_try_kerberos_v4_auth (CamelImapStore *store, CamelException *ex)
{
CamelImapResponse *response;
char *resp, *data;
int status, len;
char *inst, *realm, *buf, *username;
guint32 nonce_n, nonce_h, plus1;
struct hostent *h;
KTEXT_ST authenticator;
CREDENTIALS credentials;
des_cblock session;
des_key_schedule schedule;
CAMEL_IMAP_STORE_LOCK(store, command_lock);
/* The kickoff. */
response = camel_imap_command (store, NULL, ex,
"AUTHENTICATE KERBEROS_V4");
if (!response)
goto fail;
resp = camel_imap_response_extract_continuation (response, ex);
if (!resp)
goto fail;
data = imap_next_word (resp);
/* First server response is a base64-encoded 32-bit random number
* ("nonce") in network byte order.
*/
if (strlen (data) != 8 || base64_decode_simple (data, 8) != 4) {
g_free (resp);
goto break_and_lose;
}
memcpy (&nonce_n, data, 4);
g_free (resp);
nonce_h = ntohl (nonce_n);
/* Our response is an authenticator including that number. */
h = camel_service_gethost (CAMEL_SERVICE (store), ex);
if (!h)
goto break_and_lose;
inst = g_strndup (h->h_name, strcspn (h->h_name, "."));
g_strdown (inst);
realm = g_strdup (krb_realmofhost (h->h_name));
status = krb_mk_req (&authenticator, "imap", inst, realm, nonce_h);
if (status == KSUCCESS) {
status = krb_get_cred ("imap", inst, realm, &credentials);
memcpy (session, credentials.session, sizeof (session));
memset (&credentials, 0, sizeof (credentials));
}
g_free (inst);
g_free (realm);
if (status != KSUCCESS) {
camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE,
_("Could not get Kerberos ticket:\n%s"),
krb_err_txt[status]);
goto break_and_lose;
}
des_key_sched (&session, schedule);
buf = base64_encode_simple (authenticator.dat, authenticator.length);
response = camel_imap_command_continuation (store, ex, buf);
g_free (buf);
if (!response)
goto lose;
resp = camel_imap_response_extract_continuation (response, ex);
if (!resp)
goto lose;
data = imap_next_word (resp);
len = strlen (data);
base64_decode_simple (data, strlen (data));
/* This one is encrypted. */
des_ecb_encrypt ((des_cblock *)data, (des_cblock *)data, schedule, 0);
/* Check that the returned value is the original nonce plus one. */
memcpy (&plus1, data, 4);
if (ntohl (plus1) != nonce_h + 1) {
g_free (resp);
goto lose;
}
/* "the fifth octet contain[s] a bit-mask specifying the
* protection mechanisms supported by the server"
*/
if (!(data[4] & IMAP_KERBEROS_V4_PROTECTION_NONE)) {
g_warning ("Server does not support `no protection' :-(");
g_free (resp);
goto break_and_lose;
}
g_free (resp);
username = CAMEL_SERVICE (store)->url->user;
len = strlen (username) + 9;
len += 8 - len % 8;
data = g_malloc0 (len);
memcpy (data, &nonce_n, 4);
data[4] = IMAP_KERBEROS_V4_PROTECTION_NONE;
data[5] = data[6] = data[7] = 0;
strcpy (data + 8, username);
des_pcbc_encrypt ((des_cblock *)data, (des_cblock *)data, len,
schedule, &session, 1);
memset (&session, 0, sizeof (session));
buf = base64_encode_simple (data, len);
g_free (data);
response = camel_imap_command_continuation (store, ex, buf);
if (!response)
goto lose;
camel_imap_response_free (response);
CAMEL_IMAP_STORE_UNLOCK(store, command_lock);
return TRUE;
break_and_lose:
/* Get the server out of "waiting for continuation data" mode. */
response = camel_imap_command_continuation (store, NULL, "*");
if (response)
camel_imap_response_free (response);
lose:
memset (&session, 0, sizeof (session));
if (!camel_exception_is_set (ex)) {
camel_exception_set (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE,
_("Bad authentication response from server."));
}
fail:
CAMEL_IMAP_STORE_UNLOCK(store, command_lock);
return FALSE;
}
#endif /* HAVE_KRB4 */
