diff options
| author | Eduardo Chappa <chappa@washington.edu> | 2020-02-19 00:39:42 -0700 |
|---|---|---|
| committer | Eduardo Chappa <chappa@washington.edu> | 2020-02-19 00:39:42 -0700 |
| commit | cd53b13aa5acaecb776c82cd6566122a6893240d (patch) | |
| tree | 4e811c0dfdebf647b564f4f9659c388c87a44f4c /imap/src/c-client/auth_gss.c | |
| parent | 8781af1dfc9fdc1fbc08b281cc418bee8dde604d (diff) | |
| download | alpine-cd53b13aa5acaecb776c82cd6566122a6893240d.tar.xz | |
* Added support for SALS-IR (rfc 4959) and similar support for other
protocols (SMTP, NNTP, POP3) as some SMTP servers do not support a
round-trip two step authentication. For example, davmail does not
support PLAIN authentication in SMTP using the challenge-response
scheme. Implemented after a report by Geoffrey Bodwin.
Diffstat (limited to 'imap/src/c-client/auth_gss.c')
| -rw-r--r-- | imap/src/c-client/auth_gss.c | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/imap/src/c-client/auth_gss.c b/imap/src/c-client/auth_gss.c index c6cc9079..4ed612c2 100644 --- a/imap/src/c-client/auth_gss.c +++ b/imap/src/c-client/auth_gss.c @@ -29,7 +29,7 @@ long auth_gssapi_valid (void); -long auth_gssapi_client (authchallenge_t challenger,authrespond_t responder, +long auth_gssapi_client (authchallenge_t challenger,authrespond_t responder, char *base, char *service,NETMBX *mb,void *stream, unsigned long port, unsigned long *trial,char *user); long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, @@ -89,7 +89,8 @@ long auth_gssapi_valid (void) * Returns: T if success, NIL otherwise, number of trials incremented if retry */ -long auth_gssapi_client (authchallenge_t challenger,authrespond_t responder, +long auth_gssapi_client (authchallenge_t challenger,authrespond_t +responder,char *base, char *service,NETMBX *mb,void *stream,unsigned long port, unsigned long *trial,char *user) { @@ -101,12 +102,12 @@ long auth_gssapi_client (authchallenge_t challenger,authrespond_t responder, if ((chal.value = (*challenger) (stream,(unsigned long *) &chal.length)) != NULL) { if (chal.length) { /* abort if challenge non-empty */ mm_log ("Server bug: non-empty initial GSSAPI challenge",WARN); - (*responder) (stream,NIL,0); + (*responder) (stream,NIL,NIL,0); ret = LONGT; /* will get a BAD response back */ } else if (mb->authuser[0] && strcmp (mb->authuser,myusername ())) { mm_log ("Can't use Kerberos: invalid /authuser",WARN); - (*responder) (stream,NIL,0); + (*responder) (stream,NIL,NIL,0); ret = LONGT; /* will get a BAD response back */ } else ret = auth_gssapi_client_work (challenger,chal,responder,service,mb, @@ -148,7 +149,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, if (gss_import_name (&smn,&buf,GSS_C_NT_HOSTBASED_SERVICE,&crname) != GSS_S_COMPLETE) { mm_log ("Can't import Kerberos service name",WARN); - (*responder) (stream,NIL,0); + (*responder) (stream,NIL,NIL,0); } else { data = (*bn) (BLOCK_SENSITIVE,NIL); @@ -163,7 +164,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, while (smj == GSS_S_CONTINUE_NEEDED) { if (chal.value) fs_give ((void **) &chal.value); /* send response, get next challenge */ - i = (*responder) (stream,resp.value,resp.length) && + i = (*responder) (stream,NIL,resp.value,resp.length) && (chal.value = (*challenger) (stream,(unsigned long *) &chal.length)); gss_release_buffer (&smn,&resp); if (i) { /* negotiate continuation with KDC */ @@ -184,7 +185,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, } else { /* error in continuation */ mm_log ("Error in negotiating Kerberos continuation",WARN); - (*responder) (stream,NIL,0); + (*responder) (stream,NIL,NIL,0); /* don't need context any more */ gss_delete_sec_context (&smn,&ctx,NIL); break; @@ -195,7 +196,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, case GSS_S_COMPLETE: if (chal.value) fs_give ((void **) &chal.value); /* get prot mechanisms and max size */ - if ((*responder) (stream,resp.value ? resp.value : "",resp.length) && + if ((*responder) (stream,NIL,resp.value ? resp.value : "",resp.length) && (chal.value = (*challenger) (stream,(unsigned long *)&chal.length))&& (gss_unwrap (&smn,ctx,&chal,&resp,&conf,&qop) == GSS_S_COMPLETE) && (resp.length >= 4) && (*((char *) resp.value) & AUTH_GSSAPI_P_NONE)){ @@ -210,7 +211,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, /* successful negotiation */ switch (smj = gss_wrap (&smn,ctx,NIL,qop,&buf,&conf,&resp)) { case GSS_S_COMPLETE: - if ((*responder) (stream,resp.value,resp.length)) ret = T; + if ((*responder) (stream,NIL,resp.value,resp.length)) ret = T; gss_release_buffer (&smn,&resp); break; default: @@ -233,7 +234,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, gss_release_buffer (&dsmn,&resp); } while (dsmj == GSS_S_CONTINUE_NEEDED); - (*responder) (stream,NIL,0); + (*responder) (stream,NIL,NIL,0); } } /* flush final challenge */ @@ -252,7 +253,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, sprintf (tmp,"Kerberos credentials expired (try running kinit) for %s", mb->host); mm_log (tmp,WARN); - (*responder) (stream,NIL,0); + (*responder) (stream,NIL,NIL,0); } break; case GSS_S_FAILURE: @@ -267,7 +268,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, stream,user,NIL); break; /* done */ } - else (*responder) (stream,NIL,0); + else (*responder) (stream,NIL,NIL,0); case GSS_S_CONTINUE_NEEDED: sprintf (tmp,kerberos_try_kinit (smn) ? "Kerberos error: %.80s (try running kinit) for %.80s" : @@ -298,7 +299,7 @@ long auth_gssapi_client_work (authchallenge_t challenger,gss_buffer_desc chal, gss_release_buffer (&dsmn,&resp); } while (dsmj == GSS_S_CONTINUE_NEEDED); - (*responder) (stream,NIL,0); + (*responder) (stream,NIL,NIL,0); break; } /* finished with credentials name */ |