From dd50048ab4db6cf804c3fc59b55a8ed140f45631 Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Mon, 30 Oct 2000 17:00:06 +0000 Subject: New file with code for IMAP authentication mechanisms. (Currently just * providers/imap/camel-imap-auth.c: New file with code for IMAP authentication mechanisms. (Currently just krb4, and without integrity/privacy protection). * providers/imap/Makefile.am: Add camel-imap-auth.[ch] and krb4 CFLAGS/LDFLAGS * providers/imap/camel-imap-store.c (connect_to_server): Split out from imap_connect. Just does the basic connect and CAPABILITY check. Redo the CAPABILITY code more robustly. (query_auth_types_connected): Do this right rather than punting to query_auth_types_generic. Check for KERBEROS_V4 if compiled with krb4 support. (query_auth_types_generic): Mention KERBEROS_V4 if compiled with krb4 support. (imap_connect): Use connect_to_server(). svn path=/trunk/; revision=6272 --- camel/providers/imap/Makefile.am | 5 +- camel/providers/imap/camel-imap-auth.c | 195 +++++++++++++++++++++++++++ camel/providers/imap/camel-imap-store.c | 231 ++++++++++++++++++++------------ camel/providers/imap/camel-imap-store.h | 10 +- 4 files changed, 357 insertions(+), 84 deletions(-) create mode 100644 camel/providers/imap/camel-imap-auth.c (limited to 'camel/providers/imap') diff --git a/camel/providers/imap/Makefile.am b/camel/providers/imap/Makefile.am index a6f5cbf3b1..19646f1960 100644 --- a/camel/providers/imap/Makefile.am +++ b/camel/providers/imap/Makefile.am @@ -17,9 +17,11 @@ INCLUDES = -I.. \ -I$(top_srcdir) \ -I$(includedir) \ $(GTK_INCLUDEDIR) \ + $(KRB4_CFLAGS) \ -DG_LOG_DOMAIN=\"camel-imap-provider\" libcamelimap_la_SOURCES = \ + camel-imap-auth.c \ camel-imap-command.c \ camel-imap-folder.c \ camel-imap-provider.c \ @@ -28,6 +30,7 @@ libcamelimap_la_SOURCES = \ camel-imap-utils.c libcamelimapinclude_HEADERS = \ + camel-imap-auth.h \ camel-imap-command.h \ camel-imap-folder.h \ camel-imap-store.h \ @@ -35,7 +38,7 @@ libcamelimapinclude_HEADERS = \ camel-imap-summary.h \ camel-imap-utils.h -libcamelimap_la_LDFLAGS = -version-info 0:0:0 +libcamelimap_la_LDFLAGS = $(KRB4_LDFLAGS) -version-info 0:0:0 EXTRA_DIST = libcamelimap.urls diff --git a/camel/providers/imap/camel-imap-auth.c b/camel/providers/imap/camel-imap-auth.c new file mode 100644 index 0000000000..3bf1af6535 --- /dev/null +++ b/camel/providers/imap/camel-imap-auth.c @@ -0,0 +1,195 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */ +/* camel-imap-auth.c: IMAP AUTHENTICATE implementations */ + +/* + * Authors: Dan Winship + * + * Copyright 2000 Helix Code, Inc. (www.helixcode.com) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA. + * + */ + +#include + +#include + +#ifdef HAVE_KRB4 +#include +/* MIT krb4 des.h #defines _. Sigh. We don't need it. */ +#undef _ +#endif + +#include "camel-exception.h" +#include "camel-mime-utils.h" + +#include "camel-imap-auth.h" +#include "camel-imap-command.h" +#include "camel-imap-utils.h" + +static char * +base64_encode_simple (const char *data, int len) +{ + unsigned char *out; + int state = 0, outlen; + unsigned int save = 0; + + out = g_malloc (len * 4 / 3 + 5); + outlen = base64_encode_close ((unsigned char *)data, len, FALSE, + out, &state, &save); + out[outlen] = '\0'; + return (char *)out; +} + +static int +base64_decode_simple (char *data, int len) +{ + int state = 0; + unsigned int save = 0; + + return base64_decode_step ((unsigned char *)data, len, + (unsigned char *)data, &state, &save); +} + +#ifdef HAVE_KRB4 +#define IMAP_KERBEROS_V4_PROTECTION_NONE 1 +#define IMAP_KERBEROS_V4_PROTECTION_INTEGRITY 2 +#define IMAP_KERBEROS_V4_PROTECTION_PRIVACY 4 + +gboolean +imap_try_kerberos_v4_auth (CamelImapStore *store, CamelException *ex) +{ + CamelImapResponse *response; + char *resp, *data; + int status, len; + char *inst, *realm, *buf, *username; + guint32 nonce_n, nonce_h, plus1; + struct hostent *h; + KTEXT_ST authenticator; + CREDENTIALS credentials; + des_cblock session; + des_key_schedule schedule; + + /* The kickoff. */ + response = camel_imap_command (store, NULL, ex, + "AUTHENTICATE KERBEROS_V4"); + if (!response) + return FALSE; + resp = camel_imap_response_extract_continuation (response, ex); + if (!resp) + return FALSE; + data = imap_next_word (resp); + + /* First server response is a base64-encoded 32-bit random number + * ("nonce") in network byte order. + */ + if (strlen (data) != 8 || base64_decode_simple (data, 8) != 4) { + g_free (resp); + goto lose; + } + memcpy (&nonce_n, data, 4); + g_free (resp); + nonce_h = ntohl (nonce_n); + + /* Our response is an authenticator including that number. */ + h = camel_service_gethost (CAMEL_SERVICE (store), ex); + if (!h) + goto lose; + inst = g_strndup (h->h_name, strcspn (h->h_name, ".")); + g_strdown (inst); + realm = g_strdup (krb_realmofhost (h->h_name)); + status = krb_mk_req (&authenticator, "imap", inst, realm, nonce_h); + if (status == KSUCCESS) { + status = krb_get_cred ("imap", inst, realm, &credentials); + memcpy (session, credentials.session, sizeof (session)); + memset (&credentials, 0, sizeof (credentials)); + } + g_free (inst); + g_free (realm); + + if (status != KSUCCESS) { + camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE, + _("Could not get Kerberos ticket:\n%s"), + krb_err_txt[status]); + goto lose; + } + des_key_sched (&session, schedule); + + buf = base64_encode_simple (authenticator.dat, authenticator.length); + response = camel_imap_command_continuation (store, ex, buf); + g_free (buf); + if (!response) + goto lose; + resp = camel_imap_response_extract_continuation (response, ex); + if (!resp) + goto lose; + data = imap_next_word (resp); + + len = strlen (data); + base64_decode_simple (data, strlen (data)); + + /* This one is encrypted. */ + des_ecb_encrypt ((des_cblock *)data, (des_cblock *)data, schedule, 0); + + /* Check that the returned value is the original nonce plus one. */ + memcpy (&plus1, data, 4); + if (ntohl (plus1) != nonce_h + 1) { + g_free (resp); + goto lose; + } + + /* "the fifth octet contain[s] a bit-mask specifying the + * protection mechanisms supported by the server" + */ + if (!(data[4] & IMAP_KERBEROS_V4_PROTECTION_NONE)) { + g_warning ("Server does not support `no protection' :-("); + g_free (resp); + goto lose; + } + g_free (resp); + + username = CAMEL_SERVICE (store)->url->user; + len = strlen (username) + 9; + len += 8 - len % 8; + data = g_malloc0 (len); + memcpy (data, &nonce_n, 4); + data[4] = IMAP_KERBEROS_V4_PROTECTION_NONE; + data[5] = data[6] = data[7] = 0; + strcpy (data + 8, username); + + des_pcbc_encrypt ((des_cblock *)data, (des_cblock *)data, len, + schedule, &session, 1); + memset (&session, 0, sizeof (session)); + buf = base64_encode_simple (data, len); + g_free (data); + + response = camel_imap_command_continuation (store, ex, buf); + if (!response) + goto lose; + camel_imap_response_free (response); + return TRUE; + + lose: + memset (&session, 0, sizeof (session)); + + /* Get the server out of "waiting for continuation data" mode. + */ + response = camel_imap_command_continuation (store, NULL, "*"); + if (response) + camel_imap_response_free (response); + + return FALSE; +} +#endif /* HAVE_KRB4 */ diff --git a/camel/providers/imap/camel-imap-store.c b/camel/providers/imap/camel-imap-store.c index bea7a03b18..749785b724 100644 --- a/camel/providers/imap/camel-imap-store.c +++ b/camel/providers/imap/camel-imap-store.c @@ -34,6 +34,7 @@ #include #include "camel-imap-store.h" +#include "camel-imap-auth.h" #include "camel-imap-folder.h" #include "camel-imap-utils.h" #include "camel-imap-command.h" @@ -157,6 +158,76 @@ camel_imap_store_get_type (void) return camel_imap_store_type; } +static struct { + const char *name; + guint32 flag; +} capabilities[] = { + { "IMAP4", IMAP_CAPABILITY_IMAP4 }, + { "IMAP4REV1", IMAP_CAPABILITY_IMAP4REV1 }, + { "STATUS", IMAP_CAPABILITY_STATUS }, + { "NAMESPACE", IMAP_CAPABILITY_NAMESPACE }, + { "AUTH=KERBEROS_V4", IMAP_CAPABILITY_AUTH_KERBEROS_V4 }, + { "AUTH=GSSAPI", IMAP_CAPABILITY_AUTH_GSSAPI }, + { "UIDPLUS", IMAP_CAPABILITY_UIDPLUS }, + { "LITERAL+", IMAP_CAPABILITY_LITERALPLUS }, + { NULL, 0 } +}; + +static gboolean +connect_to_server (CamelService *service, CamelException *ex) +{ + CamelImapStore *store = CAMEL_IMAP_STORE (service); + CamelImapResponse *response; + char *result, *buf, *capa, *lasts; + int i; + + if (!CAMEL_SERVICE_CLASS (remote_store_class)->connect (service, ex)) + return FALSE; + + store->command = 0; + + /* Read the greeting, if any. FIXME: deal with PREAUTH */ + if (camel_remote_store_recv_line (CAMEL_REMOTE_STORE (service), + &buf, ex) < 0) { + return FALSE; + } + g_free (buf); + store->connected = TRUE; + + /* Find out the IMAP capabilities */ + store->capabilities = 0; + response = camel_imap_command (store, NULL, ex, "CAPABILITY"); + if (!response) + return FALSE; + result = camel_imap_response_extract (response, "CAPABILITY", ex); + if (!result) + return FALSE; + + /* Skip over "* CAPABILITY". */ + capa = imap_next_word (result + 2); + + for (capa = strtok_r (capa, " ", &lasts); capa; + capa = strtok_r (NULL, " ", &lasts)) { + for (i = 0; capabilities[i].name; i++) { + if (g_strcasecmp (capa, capabilities[i].name) == 0) { + store->capabilities |= capabilities[i].flag; + break; + } + } + } + g_free (result); + + if (store->capabilities & IMAP_CAPABILITY_IMAP4REV1) { + store->server_level = IMAP_LEVEL_IMAP4REV1; + store->capabilities |= IMAP_CAPABILITY_STATUS; + } else if (store->capabilities & IMAP_CAPABILITY_IMAP4) + store->server_level = IMAP_LEVEL_IMAP4; + else + store->server_level = IMAP_LEVEL_UNKNOWN; + + return TRUE; +} + static CamelServiceAuthType password_authtype = { N_("Password"), @@ -167,44 +238,45 @@ static CamelServiceAuthType password_authtype = { TRUE }; +#ifdef HAVE_KRB4 +static CamelServiceAuthType kerberos_v4_authtype = { + N_("Kerberos 4"), + + N_("This option will connect to the IMAP server using " + "Kerberos 4 authentication."), + + "KERBEROS_V4", + FALSE +}; +#endif + static GList * query_auth_types_connected (CamelService *service, CamelException *ex) { -#if 0 - GList *ret = NULL; - gboolean passwd = TRUE; - - if (service->url) { - passwd = try_connect (service, ex); - if (camel_exception_get_id (ex) != CAMEL_EXCEPTION_NONE) - return NULL; - } - - if (passwd) - ret = g_list_append (ret, &password_authtype); - - if (!ret) { - camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_UNAVAILABLE, - _("Could not connect to IMAP server on %s."), - service->url->host ? service->url->host : - _("(unknown host)")); - } - - return ret; -#else - g_warning ("imap::query_auth_types_connected: not implemented. Defaulting."); - /* FIXME: use the classfunc instead of the local? */ - return query_auth_types_generic (service, ex); + GList *types; + + if (!connect_to_server (service, ex)) + return NULL; + + types = CAMEL_SERVICE_CLASS (remote_store_class)->query_auth_types_connected (service, ex); +#ifdef HAVE_KRB4 + if (CAMEL_IMAP_STORE (service)->capabilities & + IMAP_CAPABILITY_AUTH_KERBEROS_V4) + types = g_list_prepend (types, &kerberos_v4_authtype); #endif + return g_list_prepend (types, &password_authtype); } static GList * query_auth_types_generic (CamelService *service, CamelException *ex) { - GList *prev; + GList *types; - prev = CAMEL_SERVICE_CLASS (remote_store_class)->query_auth_types_generic (service, ex); - return g_list_prepend (prev, &password_authtype); + types = CAMEL_SERVICE_CLASS (remote_store_class)->query_auth_types_generic (service, ex); +#ifdef HAVE_KRB4 + types = g_list_prepend (types, &kerberos_v4_authtype); +#endif + return g_list_prepend (types, &password_authtype); } static gboolean @@ -212,65 +284,78 @@ imap_connect (CamelService *service, CamelException *ex) { CamelImapStore *store = CAMEL_IMAP_STORE (service); CamelSession *session = camel_service_get_session (CAMEL_SERVICE (store)); - gchar *result, *buf, *errbuf = NULL, *namespace; + gchar *result, *errbuf = NULL, *namespace; CamelImapResponse *response; gboolean authenticated = FALSE; int len; - if (CAMEL_SERVICE_CLASS (remote_store_class)->connect (service, ex) == FALSE) + if (connect_to_server (service, ex) == 0) return FALSE; - store->command = 0; - if (!store->storage_path) { - store->storage_path = - camel_session_get_storage_path (session, service, ex); - if (camel_exception_is_set (ex)) + /* authenticate the user */ +#ifdef HAVE_KRB4 + if (service->url->authmech && + !g_strcasecmp (service->url->authmech, "KERBEROS_V4")) { + if (!(store->capabilities & IMAP_CAPABILITY_AUTH_KERBEROS_V4)) { + camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE, + "IMAP server %s does not " + "support requested " + "authentication type %s", + service->url->host, + service->url->authmech); + camel_service_disconnect (service, NULL); return FALSE; + } + + authenticated = imap_try_kerberos_v4_auth (store, ex); + if (camel_exception_is_set (ex)) { + camel_service_disconnect (service, NULL); + return FALSE; + } } - - /* Read the greeting, if any. */ - if (camel_remote_store_recv_line (CAMEL_REMOTE_STORE (service), &buf, ex) < 0) { - return FALSE; - } - g_free (buf); - - /* authenticate the user */ +#endif + while (!authenticated) { if (errbuf) { /* We need to un-cache the password before prompting again */ - camel_session_query_authenticator (session, - CAMEL_AUTHENTICATOR_TELL, NULL, - TRUE, service, "password", ex); + camel_session_query_authenticator ( + session, CAMEL_AUTHENTICATOR_TELL, NULL, + TRUE, service, "password", ex); g_free (service->url->passwd); service->url->passwd = NULL; } - + if (!service->url->authmech && !service->url->passwd) { - gchar *prompt; - - prompt = g_strdup_printf (_("%sPlease enter the IMAP password for %s@%s"), - errbuf ? errbuf : "", service->url->user, service->url->host); + char *prompt; + + prompt = g_strdup_printf (_("%sPlease enter the IMAP " + "password for %s@%s"), + errbuf ? errbuf : "", + service->url->user, + service->url->host); service->url->passwd = - camel_session_query_authenticator (session, - CAMEL_AUTHENTICATOR_ASK, prompt, - TRUE, service, "password", ex); + camel_session_query_authenticator ( + session, CAMEL_AUTHENTICATOR_ASK, + prompt, TRUE, service, "password", ex); g_free (prompt); g_free (errbuf); errbuf = NULL; - + if (!service->url->passwd) { camel_exception_set (ex, CAMEL_EXCEPTION_USER_CANCEL, "You didn\'t enter a password."); + camel_service_disconnect (service, NULL); return FALSE; } } - + response = camel_imap_command (store, NULL, ex, "LOGIN \"%s\" \"%s\"", service->url->user, service->url->passwd); if (!response) { - errbuf = g_strdup_printf (_("Unable to authenticate to IMAP server.\n%s\n\n"), + errbuf = g_strdup_printf (_("Unable to authenticate " + "to IMAP server.\n%s\n\n"), camel_exception_get_description (ex)); camel_exception_clear (ex); } else { @@ -278,32 +363,14 @@ imap_connect (CamelService *service, CamelException *ex) camel_imap_response_free (response); } } - - /* At this point we know we're connected... */ - store->connected = TRUE; - - /* Now lets find out the IMAP capabilities */ - response = camel_imap_command (store, NULL, ex, "CAPABILITY"); - if (!response) - return FALSE; - result = camel_imap_response_extract (response, "CAPABILITY", ex); - if (!result) - return FALSE; - /* parse for capabilities here. */ - if (e_strstrcase (result, "IMAP4REV1")) - store->server_level = IMAP_LEVEL_IMAP4REV1; - else if (e_strstrcase (result, "IMAP4")) - store->server_level = IMAP_LEVEL_IMAP4; - else - store->server_level = IMAP_LEVEL_UNKNOWN; - - if ((store->server_level >= IMAP_LEVEL_IMAP4REV1) || - (e_strstrcase (result, "STATUS"))) - store->has_status_capability = TRUE; - else - store->has_status_capability = FALSE; - g_free (result); + /* Find our storage path. */ + if (!store->storage_path) { + store->storage_path = + camel_session_get_storage_path (session, service, ex); + if (camel_exception_is_set (ex)) + return FALSE; + } /* Find the hierarchy separator for our namespace. */ namespace = service->url->path; diff --git a/camel/providers/imap/camel-imap-store.h b/camel/providers/imap/camel-imap-store.h index b5038ea7de..8fd996c420 100644 --- a/camel/providers/imap/camel-imap-store.h +++ b/camel/providers/imap/camel-imap-store.h @@ -45,6 +45,14 @@ typedef enum { IMAP_LEVEL_IMAP4REV1 } CamelImapServerLevel; +#define IMAP_CAPABILITY_IMAP4 (1 << 0) +#define IMAP_CAPABILITY_IMAP4REV1 (1 << 1) +#define IMAP_CAPABILITY_STATUS (1 << 2) +#define IMAP_CAPABILITY_NAMESPACE (1 << 3) +#define IMAP_CAPABILITY_AUTH_KERBEROS_V4 (1 << 4) +#define IMAP_CAPABILITY_AUTH_GSSAPI (1 << 5) +#define IMAP_CAPABILITY_UIDPLUS (1 << 6) +#define IMAP_CAPABILITY_LITERALPLUS (1 << 7) typedef struct { CamelRemoteStore parent_object; @@ -54,7 +62,7 @@ typedef struct { guint32 command; CamelImapServerLevel server_level; - gboolean has_status_capability; + guint32 capabilities; gchar dir_sep, *storage_path, *base_url; -- cgit v1.2.3