/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */ /* * Authors: Jeffrey Stedfast <fejj@ximian.com> * * Copyright 2001 Ximian, Inc. (www.ximian.com) * * This program is free software; you can redistribute it and/or * modify it under the terms of version 2 of the GNU General Public * License as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public * License along with this program; if not, write to the * Free Software Foundation, Inc., 59 Temple Place - Suite 330, * Boston, MA 02111-1307, USA. * */ #ifdef HAVE_CONFIG_H #include <config.h> #endif #ifdef HAVE_KRB4 #include <krb.h> /* MIT krb4 des.h #defines _. Sigh. We don't need it. #undef it here * so we get the gettexty _ definition later. */ #undef _ #include <string.h> #include "camel-string-utils.h" #include "camel-sasl-kerberos4.h" #include "camel-service.h" CamelServiceAuthType camel_sasl_kerberos4_authtype = { N_("Kerberos 4"), N_("This option will connect to the server using " "Kerberos 4 authentication."), "KERBEROS_V4", FALSE }; #define KERBEROS_V4_PROTECTION_NONE 1 #define KERBEROS_V4_PROTECTION_INTEGRITY 2 #define KERBEROS_V4_PROTECTION_PRIVACY 4 static CamelSaslClass *parent_class = NULL; /* Returns the class for a CamelSaslKerberos4 */ #define CSK4_CLASS(so) CAMEL_SASL_KERBEROS4_CLASS (CAMEL_OBJECT_GET_CLASS (so)) static GByteArray *krb4_challenge (CamelSasl *sasl, GByteArray *token, CamelException *ex); struct _CamelSaslKerberos4Private { int state; guint32 nonce_n; guint32 nonce_h; des_cblock session; des_key_schedule schedule; }; static void camel_sasl_kerberos4_class_init (CamelSaslKerberos4Class *camel_sasl_kerberos4_class) { CamelSaslClass *camel_sasl_class = CAMEL_SASL_CLASS (camel_sasl_kerberos4_class); parent_class = CAMEL_SASL_CLASS (camel_type_get_global_classfuncs (camel_sasl_get_type ())); /* virtual method overload */ camel_sasl_class->challenge = krb4_challenge; } static void camel_sasl_kerberos4_init (gpointer object, gpointer klass) { CamelSaslKerberos4 *sasl_krb4 = CAMEL_SASL_KERBEROS4 (object); sasl_krb4->priv = g_new0 (struct _CamelSaslKerberos4Private, 1); } static void camel_sasl_kerberos4_finalize (CamelObject *object) { CamelSaslKerberos4 *sasl = CAMEL_SASL_KERBEROS4 (object); if (sasl->priv) { memset (sasl->priv, 0, sizeof (sasl->priv)); g_free (sasl->priv); } } CamelType camel_sasl_kerberos4_get_type (void) { static CamelType type = CAMEL_INVALID_TYPE; if (type == CAMEL_INVALID_TYPE) { type = camel_type_register (camel_sasl_get_type (), "CamelSaslKerberos4", sizeof (CamelSaslKerberos4), sizeof (CamelSaslKerberos4Class), (CamelObjectClassInitFunc) camel_sasl_kerberos4_class_init, NULL, (CamelObjectInitFunc) camel_sasl_kerberos4_init, (CamelObjectFinalizeFunc) camel_sasl_kerberos4_finalize); } return type; } static GByteArray * krb4_challenge (CamelSasl *sasl, GByteArray *token, CamelException *ex) { struct _CamelSaslKerberos4Private *priv = CAMEL_SASL_KERBEROS4 (sasl)->priv; GByteArray *ret = NULL; char *inst, *realm, *username; struct hostent *h; int status, len; KTEXT_ST authenticator; CREDENTIALS credentials; guint32 plus1; /* Need to wait for the server */ if (!token) return NULL; switch (priv->state) { case 0: if (token->len != 4) goto lose; memcpy (&priv->nonce_n, token->data, 4); priv->nonce_h = ntohl (priv->nonce_n); /* Our response is an authenticator including that number. */ h = camel_service_gethost (sasl->service, ex); inst = g_strndup (h->h_name, strcspn (h->h_name, ".")); camel_strdown (inst); realm = g_strdup (krb_realmofhost (h->h_name)); camel_free_host(h); status = krb_mk_req (&authenticator, sasl->service_name, inst, realm, priv->nonce_h); if (status == KSUCCESS) { status = krb_get_cred (sasl->service_name, inst, realm, &credentials); memcpy (priv->session, credentials.session, sizeof (priv->session)); memset (&credentials, 0, sizeof (credentials)); } g_free (inst); g_free (realm); if (status != KSUCCESS) { camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE, _("Could not get Kerberos ticket:\n%s"), krb_err_txt[status]); goto lose; } des_key_sched (&priv->session, priv->schedule); ret = g_byte_array_new (); g_byte_array_append (ret, (const guint8 *)authenticator.dat, authenticator.length); break; case 1: if (token->len != 8) goto lose; /* This one is encrypted. */ des_ecb_encrypt ((des_cblock *)token->data, (des_cblock *)token->data, priv->schedule, 0); /* Check that the returned value is the original nonce plus one. */ memcpy (&plus1, token->data, 4); if (ntohl (plus1) != priv->nonce_h + 1) goto lose; /* "the fifth octet contain[s] a bit-mask specifying the * protection mechanisms supported by the server" */ if (!(token->data[4] & KERBEROS_V4_PROTECTION_NONE)) { g_warning ("Server does not support `no protection' :-("); goto lose; } username = sasl->service->url->user; len = strlen (username) + 9; len += 8 - len % 8; ret = g_byte_array_new (); g_byte_array_set_size (ret, len); memset (ret->data, 0, len); memcpy (ret->data, &priv->nonce_n, 4); ret->data[4] = KERBEROS_V4_PROTECTION_NONE; ret->data[5] = ret->data[6] = ret->data[7] = 0; strcpy (ret->data + 8, username); des_pcbc_encrypt ((void *)ret->data, (void *)ret->data, len, priv->schedule, &priv->session, 1); memset (&priv->session, 0, sizeof (priv->session)); sasl->authenticated = TRUE; break; } priv->state++; return ret; lose: memset (&priv->session, 0, sizeof (priv->session)); if (!camel_exception_is_set (ex)) { camel_exception_set (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE, _("Bad authentication response from server.")); } return NULL; } #endif /* HAVE_KRB4 */