Skip to content

Commit

Permalink
smtp: Added support for GSSAPI (Kerberos V5) authentication via Windo…
Browse files Browse the repository at this point in the history 
…ws SSPI
  • Loading branch information
@captain-caveman2k
captain-caveman2k committed Aug 15, 2014
1 parent 03f368d commit 5663272
Showing 1 changed file with 186 additions and 0 deletions.
186 changes: 186 additions & 0 deletions lib/smtp.c
View file
Expand Up @@ -1150,6 +1150,158 @@ static CURLcode smtp_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
}
#endif

#if defined(USE_WINDOWS_SSPI)
/* For AUTH GSSAPI (without initial response) responses */
static CURLcode smtp_state_auth_gssapi_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct smtp_conn *smtpc = &conn->proto.smtpc;
char *respmsg = NULL;
size_t len = 0;

(void)instate; /* no use for this yet */

if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the initial response message */
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd, "smtp",
smtpc->mutual_auth, NULL,
&conn->krb5,
&respmsg, &len);
if(!result && respmsg) {
/* Send the message */
result = Curl_pp_sendf(&smtpc->pp, "%s", respmsg);

if(!result)
state(conn, SMTP_AUTH_GSSAPI_TOKEN);
}
}

Curl_safefree(respmsg);

return result;
}

/* For AUTH GSSAPI user token responses */
static CURLcode smtp_state_auth_gssapi_token_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct smtp_conn *smtpc = &conn->proto.smtpc;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;

(void)instate; /* no use for this yet */

if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
smtp_get_message(data->state.buffer, &chlgmsg);

if(smtpc->mutual_auth)
/* Decode the user token challenge and create the optional response
message */
result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL,
smtpc->mutual_auth,
chlgmsg, &conn->krb5,
&respmsg, &len);
else
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);

if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&smtpc->pp, "%s", "*");

if(!result)
state(conn, SMTP_AUTH_CANCEL);
}
}
else {
/* Send the response */
if(respmsg)
result = Curl_pp_sendf(&smtpc->pp, "%s", respmsg);
else
result = Curl_pp_sendf(&smtpc->pp, "%s", "");

if(!result)
state(conn, (smtpc->mutual_auth ? SMTP_AUTH_GSSAPI_NO_DATA :
SMTP_AUTH_FINAL));
}
}

Curl_safefree(respmsg);

return result;
}

/* For AUTH GSSAPI no data responses */
static CURLcode smtp_state_auth_gssapi_no_data_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;

(void)instate; /* no use for this yet */

if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
smtp_get_message(data->state.buffer, &chlgmsg);

/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "*");

if(!result)
state(conn, SMTP_AUTH_CANCEL);
}
}
else {
/* Send the response */
if(respmsg) {
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", respmsg);

if(!result)
state(conn, SMTP_AUTH_FINAL);
}
}
}

Curl_safefree(respmsg);

return result;
}
#endif

/* For AUTH XOAUTH2 (without initial response) responses */
static CURLcode smtp_state_auth_xoauth2_resp(struct connectdata *conn,
int smtpcode, smtpstate instate)
Expand Down Expand Up @@ -1478,6 +1630,21 @@ static CURLcode smtp_statemach_act(struct connectdata *conn)
break;
#endif

#if defined(USE_WINDOWS_SSPI)
case SMTP_AUTH_GSSAPI:
result = smtp_state_auth_gssapi_resp(conn, smtpcode, smtpc->state);
break;

case SMTP_AUTH_GSSAPI_TOKEN:
result = smtp_state_auth_gssapi_token_resp(conn, smtpcode, smtpc->state);
break;

case SMTP_AUTH_GSSAPI_NO_DATA:
result = smtp_state_auth_gssapi_no_data_resp(conn, smtpcode,
smtpc->state);
break;
#endif

case SMTP_AUTH_XOAUTH2:
result = smtp_state_auth_xoauth2_resp(conn, smtpcode, smtpc->state);
break;
Expand Down Expand Up @@ -2039,6 +2206,25 @@ static CURLcode smtp_calc_sasl_details(struct connectdata *conn,

/* Calculate the supported authentication mechanism, by decreasing order of
security, as well as the initial response where appropriate */
#if defined(USE_WINDOWS_SSPI)
if((smtpc->authmechs & SASL_MECH_GSSAPI) &&
(smtpc->prefmech & SASL_MECH_GSSAPI)) {
smtpc->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */

*mech = SASL_MECH_STRING_GSSAPI;
*state1 = SMTP_AUTH_GSSAPI;
*state2 = SMTP_AUTH_GSSAPI_TOKEN;
smtpc->authused = SASL_MECH_GSSAPI;

if(data->set.sasl_ir)
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd, "smtp",
smtpc->mutual_auth,
NULL, &conn->krb5,
initresp, len);
}
else
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if((smtpc->authmechs & SASL_MECH_DIGEST_MD5) &&
(smtpc->prefmech & SASL_MECH_DIGEST_MD5)) {
Expand Down

0 comments on commit 5663272

Please sign in to comment.