1
0
mirror of https://github.com/moparisthebest/curl synced 2025-01-05 10:58:05 -05:00

SASL: common state engine for imap/pop3/smtp

This commit is contained in:
Patrick Monnerat 2015-01-20 17:33:05 +01:00
parent e1ea18f90e
commit 79543caf90
8 changed files with 577 additions and 2352 deletions

View File

@ -43,6 +43,7 @@
#include "strtok.h" #include "strtok.h"
#include "strequal.h" #include "strequal.h"
#include "rawstr.h" #include "rawstr.h"
#include "sendf.h"
#include "non-ascii.h" /* included for Curl_convert_... prototypes */ #include "non-ascii.h" /* included for Curl_convert_... prototypes */
#define _MPRINTF_REPLACE /* use our functions only */ #define _MPRINTF_REPLACE /* use our functions only */
@ -1271,11 +1272,339 @@ CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
* *
* Initializes an SASL structure. * Initializes an SASL structure.
*/ */
void Curl_sasl_init(struct SASL *sasl) void Curl_sasl_init(struct SASL *sasl, const struct SASLproto *params)
{ {
sasl->params = params; /* Set protocol dependent parameters */
sasl->state = SASL_STOP; /* Not yet running */
sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */ sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */
sasl->prefmech = SASL_AUTH_ANY; /* Prefer all mechanisms */ sasl->prefmech = SASL_AUTH_ANY; /* Prefer all mechanisms */
sasl->authused = SASL_AUTH_NONE; /* No the authentication mechanism used */ sasl->authused = SASL_AUTH_NONE; /* No the authentication mechanism used */
sasl->resetprefs = TRUE; /* Reset prefmech upon AUTH parsing. */ sasl->resetprefs = TRUE; /* Reset prefmech upon AUTH parsing. */
sasl->mutual_auth = FALSE; /* No mutual authentication (GSSAPI only) */ sasl->mutual_auth = FALSE; /* No mutual authentication (GSSAPI only) */
sasl->force_ir = FALSE; /* Respect external option */
}
/*
* state()
*
* This is the ONLY way to change SASL state!
*/
static void state(struct SASL *sasl,
struct connectdata *conn, saslstate newstate)
{
#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
/* for debug purposes */
static const char * const names[]={
"STOP",
"PLAIN",
"LOGIN",
"LOGIN_PASSWD",
"CRAMMD5",
"DIGESTMD5",
"DIGESTMD5_RESP",
"NTLM",
"NTLM_TYPE2MSG",
"GSSAPI",
"GSSAPI_TOKEN",
"GSSAPI_NO_DATA",
"XOAUTH2",
"CANCEL",
"FINAL",
/* LAST */
};
if(sasl->state != newstate)
infof(conn->data, "SASL %p state change from %s to %s\n",
(void *)sasl, names[sasl->state], names[newstate]);
#endif
sasl->state = newstate;
}
/*
* Curl_sasl_start()
*
* Calculate the required login details for SASL authentication.
*/
CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
bool force_ir, saslprogress *progress)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
unsigned int enabledmechs;
const char *mech = NULL;
char *resp = NULL;
size_t len = 0;
saslstate state1 = SASL_STOP;
saslstate state2 = SASL_FINAL;
sasl->force_ir = force_ir; /* Latch for future use */
sasl->authused = 0; /* No mechanism used yet */
enabledmechs = sasl->authmechs & sasl->prefmech;
*progress = SASL_IDLE;
/* Calculate the supported authentication mechanism, by decreasing order of
* security, as well as the initial response where appropriate */
#if defined(USE_KERBEROS5)
if(enabledmechs & SASL_MECH_GSSAPI) {
sasl->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */
mech = SASL_MECH_STRING_GSSAPI;
state1 = SASL_GSSAPI;
state2 = SASL_GSSAPI_TOKEN;
sasl->authused = SASL_MECH_GSSAPI;
if(force_ir || data->set.sasl_ir)
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd,
sasl->params->service,
sasl->mutual_auth,
NULL, &conn->krb5,
&resp, &len);
}
else
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if(enabledmechs & SASL_MECH_DIGEST_MD5) {
mech = SASL_MECH_STRING_DIGEST_MD5;
state1 = SASL_DIGESTMD5;
sasl->authused = SASL_MECH_DIGEST_MD5;
}
else if(enabledmechs & SASL_MECH_CRAM_MD5) {
mech = SASL_MECH_STRING_CRAM_MD5;
state1 = SASL_CRAMMD5;
sasl->authused = SASL_MECH_CRAM_MD5;
}
else
#endif
#ifdef USE_NTLM
if(enabledmechs & SASL_MECH_NTLM) {
mech = SASL_MECH_STRING_NTLM;
state1 = SASL_NTLM;
state2 = SASL_NTLM_TYPE2MSG;
sasl->authused = SASL_MECH_NTLM;
if(force_ir || data->set.sasl_ir)
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm, &resp, &len);
}
else
#endif
if((((enabledmechs & SASL_MECH_XOAUTH2) &&
sasl->prefmech != SASL_AUTH_ANY)) || conn->xoauth2_bearer) {
mech = SASL_MECH_STRING_XOAUTH2;
state1 = SASL_XOAUTH2;
sasl->authused = SASL_MECH_XOAUTH2;
if(force_ir || data->set.sasl_ir)
result = Curl_sasl_create_xoauth2_message(data, conn->user,
conn->xoauth2_bearer,
&resp, &len);
}
else if(enabledmechs & SASL_MECH_LOGIN) {
mech = SASL_MECH_STRING_LOGIN;
state1 = SASL_LOGIN;
state2 = SASL_LOGIN_PASSWD;
sasl->authused = SASL_MECH_LOGIN;
if(force_ir || data->set.sasl_ir)
result = Curl_sasl_create_login_message(data, conn->user, &resp, &len);
}
else if(enabledmechs & SASL_MECH_PLAIN) {
mech = SASL_MECH_STRING_PLAIN;
state1 = SASL_PLAIN;
sasl->authused = SASL_MECH_PLAIN;
if(force_ir || data->set.sasl_ir)
result = Curl_sasl_create_plain_message(data, conn->user, conn->passwd,
&resp, &len);
}
else
state2 = SASL_STOP; /* No authentication started */
if(!result) {
if(resp && sasl->params->maxirlen &&
strlen(mech) + len > sasl->params->maxirlen) {
Curl_safefree(resp);
resp = NULL;
}
if(mech) {
result = sasl->params->sendauth(conn, mech, resp);
if(!result) {
*progress = SASL_INPROGRESS;
state(sasl, conn, resp? state2: state1);
}
}
}
Curl_safefree(resp);
return result;
}
/*
* Curl_sasl_continue()
*
* Continue an SASL authentication.
*/
CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
int code, saslprogress *progress)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
saslstate newstate = SASL_FINAL;
char *chlg = NULL;
char *resp = NULL;
char *serverdata;
size_t len = 0;
size_t chlglen = 0;
*progress = SASL_INPROGRESS;
if(sasl->state == SASL_FINAL) {
if(code != sasl->params->finalcode)
result = CURLE_LOGIN_DENIED;
*progress = SASL_DONE;
state(sasl, conn, SASL_STOP);
return result;
}
if(sasl->state != SASL_CANCEL && code != sasl->params->contcode) {
*progress = SASL_DONE;
state(sasl, conn, SASL_STOP);
return CURLE_LOGIN_DENIED;
}
switch(sasl->state) {
case SASL_STOP:
*progress = SASL_DONE;
return result;
case SASL_PLAIN:
result = Curl_sasl_create_plain_message(data, conn->user, conn->passwd,
&resp, &len);
break;
case SASL_LOGIN:
result = Curl_sasl_create_login_message(data, conn->user, &resp, &len);
newstate = SASL_LOGIN_PASSWD;
break;
case SASL_LOGIN_PASSWD:
result = Curl_sasl_create_login_message(data, conn->passwd, &resp, &len);
break;
#ifndef CURL_DISABLE_CRYPTO_AUTH
case SASL_CRAMMD5:
sasl->params->getmessage(data->state.buffer, &serverdata);
result = Curl_sasl_decode_cram_md5_message(serverdata, &chlg, &chlglen);
if(!result)
result = Curl_sasl_create_cram_md5_message(data, chlg, conn->user,
conn->passwd, &resp, &len);
Curl_safefree(chlg);
break;
case SASL_DIGESTMD5:
sasl->params->getmessage(data->state.buffer, &serverdata);
result = Curl_sasl_create_digest_md5_message(data, serverdata,
conn->user, conn->passwd,
sasl->params->service,
&resp, &len);
newstate = SASL_DIGESTMD5_RESP;
break;
case SASL_DIGESTMD5_RESP:
if(!(resp = strdup("")))
result = CURLE_OUT_OF_MEMORY;
break;
#endif
#ifdef USE_NTLM
case SASL_NTLM:
/* Create the type-1 message */
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm,
&resp, &len);
newstate = SASL_NTLM_TYPE2MSG;
break;
case SASL_NTLM_TYPE2MSG:
/* Decode the type-2 message */
sasl->params->getmessage(data->state.buffer, &serverdata);
result = Curl_sasl_decode_ntlm_type2_message(data,
serverdata, &conn->ntlm);
if(!result)
result = Curl_sasl_create_ntlm_type3_message(data, conn->user,
conn->passwd, &conn->ntlm,
&resp, &len);
break;
#endif
#if defined(USE_KERBEROS5)
case SASL_GSSAPI:
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd,
sasl->params->service,
sasl->mutual_auth, NULL,
&conn->krb5,
&resp, &len);
newstate = SASL_GSSAPI_TOKEN;
break;
case SASL_GSSAPI_TOKEN:
sasl->params->getmessage(data->state.buffer, &serverdata);
if(sasl->mutual_auth) {
/* Decode the user token challenge and create the optional response
message */
result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL,
sasl->mutual_auth,
serverdata, &conn->krb5,
&resp, &len);
newstate = SASL_GSSAPI_NO_DATA;
}
else
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, serverdata,
&conn->krb5,
&resp, &len);
break;
case SASL_GSSAPI_NO_DATA:
sasl->params->getmessage(data->state.buffer, &serverdata);
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, serverdata,
&conn->krb5,
&resp, &len);
break;
#endif
case SASL_XOAUTH2:
/* Create the authorisation message */
result = Curl_sasl_create_xoauth2_message(data, conn->user,
conn->xoauth2_bearer,
&resp, &len);
break;
case SASL_CANCEL:
/* Remove the offending mechanism from the supported list */
sasl->authmechs ^= sasl->authused;
/* Start an alternative SASL authentication */
result = Curl_sasl_start(sasl, conn, sasl->force_ir, progress);
newstate = sasl->state; /* Use state from Curl_sasl_start() */
break;
default:
failf(data, "Unsupported SASL authentication mechanism");
result = CURLE_UNSUPPORTED_PROTOCOL; /* Should not happen */
break;
}
switch(result) {
case CURLE_BAD_CONTENT_ENCODING:
/* Cancel dialog */
result = sasl->params->sendcont(conn, "*");
newstate = SASL_CANCEL;
break;
case CURLE_OK:
if(resp)
result = sasl->params->sendcont(conn, resp);
break;
default:
newstate = SASL_STOP; /* Stop on error */
*progress = SASL_DONE;
break;
}
Curl_safefree(resp);
state(sasl, conn, newstate);
return result;
} }

View File

@ -68,13 +68,57 @@ enum {
CURLDIGESTALGO_MD5SESS CURLDIGESTALGO_MD5SESS
}; };
/* SASL machine states */
typedef enum {
SASL_STOP,
SASL_PLAIN,
SASL_LOGIN,
SASL_LOGIN_PASSWD,
SASL_CRAMMD5,
SASL_DIGESTMD5,
SASL_DIGESTMD5_RESP,
SASL_NTLM,
SASL_NTLM_TYPE2MSG,
SASL_GSSAPI,
SASL_GSSAPI_TOKEN,
SASL_GSSAPI_NO_DATA,
SASL_XOAUTH2,
SASL_CANCEL,
SASL_FINAL
} saslstate;
/* Progress indicator */
typedef enum {
SASL_IDLE,
SASL_INPROGRESS,
SASL_DONE
} saslprogress;
/* Protocol dependent SASL parameters */
struct SASLproto {
const char *service; /* The service name */
int contcode; /* Code to receive when continuation is expected */
int finalcode; /* Code to receive upon authentication success */
size_t maxirlen; /* Maximum initial response length */
CURLcode (*sendauth)(struct connectdata *conn,
const char *mech, const char *ir);
/* Send authentication command */
CURLcode (*sendcont)(struct connectdata *conn, const char *contauth);
/* Send authentication continuation */
void (*getmessage)(char *buffer, char **outptr);
/* Get SASL response message */
};
/* Per-connection parameters */ /* Per-connection parameters */
struct SASL { struct SASL {
const struct SASLproto *params; /* Protocol dependent parameters */
saslstate state; /* Current machine state */
unsigned int authmechs; /* Accepted authentication mechanisms */ unsigned int authmechs; /* Accepted authentication mechanisms */
unsigned int prefmech; /* Preferred authentication mechanism */ unsigned int prefmech; /* Preferred authentication mechanism */
unsigned int authused; /* Auth mechanism used for the connection */ unsigned int authused; /* Auth mechanism used for the connection */
bool resetprefs; /* For URL auth option parsing. */ bool resetprefs; /* For URL auth option parsing. */
bool mutual_auth; /* Mutual authentication enabled (GSSAPI only) */ bool mutual_auth; /* Mutual authentication enabled (GSSAPI only) */
bool force_ir; /* Protocol always supports initial response */
}; };
/* This is used to test whether the line starts with the given mechanism */ /* This is used to test whether the line starts with the given mechanism */
@ -211,6 +255,14 @@ CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
const char *value, size_t len); const char *value, size_t len);
/* Initializes an SASL structure */ /* Initializes an SASL structure */
void Curl_sasl_init(struct SASL *sasl); void Curl_sasl_init(struct SASL *sasl, const struct SASLproto *params);
/* Calculate the required login details for SASL authentication */
CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
bool force_ir, saslprogress *progress);
/* Continue an SASL authentication */
CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
int code, saslprogress *progress);
#endif /* HEADER_CURL_SASL_H */ #endif /* HEADER_CURL_SASL_H */

View File

@ -105,10 +105,12 @@ static CURLcode imap_sendf(struct connectdata *conn, const char *fmt, ...);
static CURLcode imap_parse_url_options(struct connectdata *conn); static CURLcode imap_parse_url_options(struct connectdata *conn);
static CURLcode imap_parse_url_path(struct connectdata *conn); static CURLcode imap_parse_url_path(struct connectdata *conn);
static CURLcode imap_parse_custom_request(struct connectdata *conn); static CURLcode imap_parse_custom_request(struct connectdata *conn);
static CURLcode imap_calc_sasl_details(struct connectdata *conn, static CURLcode imap_perform_authenticate(struct connectdata *conn,
const char **mech, const char *mech,
char **initresp, size_t *len, const char *initresp);
imapstate *state1, imapstate *state2); static CURLcode imap_continue_authenticate(struct connectdata *conn,
const char *resp);
static void imap_get_message(char *buffer, char** outptr);
/* /*
* IMAP protocol handler. * IMAP protocol handler.
@ -213,6 +215,18 @@ static const struct Curl_handler Curl_handler_imaps_proxy = {
#endif #endif
#endif #endif
/* SASL parameters for the imap protocol */
static const struct SASLproto saslimap = {
"imap", /* The service name */
'+', /* Code received when continuation is expected */
'O', /* Code to receive upon authentication success */
0, /* Maximum initial response length (no max) */
imap_perform_authenticate, /* Send authentication command */
imap_continue_authenticate, /* Send authentication continuation */
imap_get_message /* Get SASL response message */
};
#ifdef USE_SSL #ifdef USE_SSL
static void imap_to_imaps(struct connectdata *conn) static void imap_to_imaps(struct connectdata *conn)
{ {
@ -353,16 +367,7 @@ static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
(len >= 2 && !memcmp("+ ", line, 2))) { (len >= 2 && !memcmp("+ ", line, 2))) {
switch(imapc->state) { switch(imapc->state) {
/* States which are interested in continuation responses */ /* States which are interested in continuation responses */
case IMAP_AUTHENTICATE_PLAIN: case IMAP_AUTHENTICATE:
case IMAP_AUTHENTICATE_LOGIN:
case IMAP_AUTHENTICATE_LOGIN_PASSWD:
case IMAP_AUTHENTICATE_CRAMMD5:
case IMAP_AUTHENTICATE_DIGESTMD5:
case IMAP_AUTHENTICATE_DIGESTMD5_RESP:
case IMAP_AUTHENTICATE_NTLM:
case IMAP_AUTHENTICATE_NTLM_TYPE2MSG:
case IMAP_AUTHENTICATE_XOAUTH2:
case IMAP_AUTHENTICATE_FINAL:
case IMAP_APPEND: case IMAP_APPEND:
*resp = '+'; *resp = '+';
break; break;
@ -425,20 +430,7 @@ static void state(struct connectdata *conn, imapstate newstate)
"CAPABILITY", "CAPABILITY",
"STARTTLS", "STARTTLS",
"UPGRADETLS", "UPGRADETLS",
"AUTHENTICATE_PLAIN", "AUTHENTICATE",
"AUTHENTICATE_LOGIN",
"AUTHENTICATE_LOGIN_PASSWD",
"AUTHENTICATE_CRAMMD5",
"AUTHENTICATE_DIGESTMD5",
"AUTHENTICATE_DIGESTMD5_RESP",
"AUTHENTICATE_NTLM",
"AUTHENTICATE_NTLM_TYPE2MSG",
"AUTHENTICATE_GSSAPI",
"AUTHENTICATE_GSSAPI_TOKEN",
"AUTHENTICATE_GSSAPI_NO_DATA",
"AUTHENTICATE_XOAUTH2",
"AUTHENTICATE_CANCEL",
"AUTHENTICATE_FINAL",
"LOGIN", "LOGIN",
"LIST", "LIST",
"SELECT", "SELECT",
@ -576,29 +568,36 @@ static CURLcode imap_perform_login(struct connectdata *conn)
*/ */
static CURLcode imap_perform_authenticate(struct connectdata *conn, static CURLcode imap_perform_authenticate(struct connectdata *conn,
const char *mech, const char *mech,
const char *initresp, const char *initresp)
imapstate state1, imapstate state2)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
if(initresp) { if(initresp) {
/* Send the AUTHENTICATE command with the initial response */ /* Send the AUTHENTICATE command with the initial response */
result = imap_sendf(conn, "AUTHENTICATE %s %s", mech, initresp); result = imap_sendf(conn, "AUTHENTICATE %s %s", mech, initresp);
if(!result)
state(conn, state2);
} }
else { else {
/* Send the AUTHENTICATE command */ /* Send the AUTHENTICATE command */
result = imap_sendf(conn, "AUTHENTICATE %s", mech); result = imap_sendf(conn, "AUTHENTICATE %s", mech);
if(!result)
state(conn, state1);
} }
return result; return result;
} }
/***********************************************************************
*
* imap_continue_authenticate()
*
* Sends SASL continuation data or cancellation.
*/
static CURLcode imap_continue_authenticate(struct connectdata *conn,
const char *resp)
{
struct imap_conn *imapc = &conn->proto.imapc;
return Curl_pp_sendf(&imapc->pp, "%s", resp);
}
/*********************************************************************** /***********************************************************************
* *
* imap_perform_authentication() * imap_perform_authentication()
@ -611,31 +610,22 @@ static CURLcode imap_perform_authentication(struct connectdata *conn)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct imap_conn *imapc = &conn->proto.imapc; struct imap_conn *imapc = &conn->proto.imapc;
const char *mech = NULL; saslprogress progress;
char *initresp = NULL;
size_t len = 0;
imapstate state1 = IMAP_STOP;
imapstate state2 = IMAP_STOP;
/* Check we have a username and password to authenticate with and end the /* Check we have a username and password to authenticate with and end the
connect phase if we don't */ connect phase if we don't */
if(!conn->bits.user_passwd) { if(!conn->bits.user_passwd) {
state(conn, IMAP_STOP); state(conn, IMAP_STOP);
return result; return result;
} }
/* Calculate the SASL login details */ /* Calculate the SASL login details */
result = imap_calc_sasl_details(conn, &mech, &initresp, &len, &state1, result = Curl_sasl_start(&imapc->sasl, conn, imapc->ir_supported, &progress);
&state2);
if(!result) { if(!result) {
if(mech && (imapc->preftype & IMAP_TYPE_SASL)) { if(progress == SASL_INPROGRESS)
/* Perform SASL based authentication */ state(conn, IMAP_AUTHENTICATE);
result = imap_perform_authenticate(conn, mech, initresp, state1, state2); else if(!imapc->login_disabled && (imapc->preftype & IMAP_TYPE_CLEARTEXT))
}
else if((!imapc->login_disabled) &&
(imapc->preftype & IMAP_TYPE_CLEARTEXT))
/* Perform clear text authentication */ /* Perform clear text authentication */
result = imap_perform_login(conn); result = imap_perform_login(conn);
else { else {
@ -645,8 +635,6 @@ static CURLcode imap_perform_authentication(struct connectdata *conn)
} }
} }
Curl_safefree(initresp);
return result; return result;
} }
@ -976,569 +964,36 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
return result; return result;
} }
/* For AUTHENTICATE PLAIN (without initial response) responses */ /* For SASL authentication responses */
static CURLcode imap_state_auth_plain_resp(struct connectdata *conn, static CURLcode imap_state_auth_resp(struct connectdata *conn,
int imapcode, int imapcode,
imapstate instate) imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *plainauth = NULL;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied. %c", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the authorisation message */
result = Curl_sasl_create_plain_message(data, conn->user, conn->passwd,
&plainauth, &len);
if(!result && plainauth) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", plainauth);
if(!result)
state(conn, IMAP_AUTHENTICATE_FINAL);
}
}
Curl_safefree(plainauth);
return result;
}
/* For AUTHENTICATE LOGIN (without initial response) responses */
static CURLcode imap_state_auth_login_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *authuser = NULL;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the user message */
result = Curl_sasl_create_login_message(data, conn->user,
&authuser, &len);
if(!result && authuser) {
/* Send the user */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", authuser);
if(!result)
state(conn, IMAP_AUTHENTICATE_LOGIN_PASSWD);
}
}
Curl_safefree(authuser);
return result;
}
/* For AUTHENTICATE LOGIN user entry responses */
static CURLcode imap_state_auth_login_password_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *authpasswd = NULL;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the password message */
result = Curl_sasl_create_login_message(data, conn->passwd,
&authpasswd, &len);
if(!result && authpasswd) {
/* Send the password */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", authpasswd);
if(!result)
state(conn, IMAP_AUTHENTICATE_FINAL);
}
}
Curl_safefree(authpasswd);
return result;
}
#ifndef CURL_DISABLE_CRYPTO_AUTH
/* For AUTHENTICATE CRAM-MD5 responses */
static CURLcode imap_state_auth_cram_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlg = NULL;
char *chlg64 = NULL;
char *rplyb64 = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
return CURLE_LOGIN_DENIED;
}
/* Get the challenge message */
imap_get_message(data->state.buffer, &chlg64);
/* Decode the challenge message */
result = Curl_sasl_decode_cram_md5_message(chlg64, &chlg, &len);
if(result) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "*");
if(!result)
state(conn, IMAP_AUTHENTICATE_CANCEL);
}
else {
/* Create the response message */
result = Curl_sasl_create_cram_md5_message(data, chlg, conn->user,
conn->passwd, &rplyb64, &len);
if(!result && rplyb64) {
/* Send the response */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", rplyb64);
if(!result)
state(conn, IMAP_AUTHENTICATE_FINAL);
}
}
Curl_safefree(chlg);
Curl_safefree(rplyb64);
return result;
}
/* For AUTHENTICATE DIGEST-MD5 challenge responses */
static CURLcode imap_state_auth_digest_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlg64 = NULL;
char *rplyb64 = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
return CURLE_LOGIN_DENIED;
}
/* Get the challenge message */
imap_get_message(data->state.buffer, &chlg64);
/* Create the response message */
result = Curl_sasl_create_digest_md5_message(data, chlg64,
conn->user, conn->passwd,
"imap", &rplyb64, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "*");
if(!result)
state(conn, IMAP_AUTHENTICATE_CANCEL);
}
}
else {
/* Send the response */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", rplyb64);
if(!result)
state(conn, IMAP_AUTHENTICATE_DIGESTMD5_RESP);
}
Curl_safefree(rplyb64);
return result;
}
/* For AUTHENTICATE DIGEST-MD5 challenge-response responses */
static CURLcode imap_state_auth_digest_resp_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Authentication failed: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Send an empty response */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "");
if(!result)
state(conn, IMAP_AUTHENTICATE_FINAL);
}
return result;
}
#endif
#ifdef USE_NTLM
/* For AUTHENTICATE NTLM (without initial response) responses */
static CURLcode imap_state_auth_ntlm_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *type1msg = NULL;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the type-1 message */
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm,
&type1msg, &len);
if(!result && type1msg) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", type1msg);
if(!result)
state(conn, IMAP_AUTHENTICATE_NTLM_TYPE2MSG);
}
}
Curl_safefree(type1msg);
return result;
}
/* For NTLM type-2 responses (sent in reponse to our type-1 message) */
static CURLcode imap_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *type2msg = NULL;
char *type3msg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
imap_get_message(data->state.buffer, &type2msg);
/* Decode the type-2 message */
result = Curl_sasl_decode_ntlm_type2_message(data, type2msg, &conn->ntlm);
if(result) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "*");
if(!result)
state(conn, IMAP_AUTHENTICATE_CANCEL);
}
else {
/* Create the type-3 message */
result = Curl_sasl_create_ntlm_type3_message(data, conn->user,
conn->passwd, &conn->ntlm,
&type3msg, &len);
if(!result && type3msg) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", type3msg);
if(!result)
state(conn, IMAP_AUTHENTICATE_FINAL);
}
}
}
Curl_safefree(type3msg);
return result;
}
#endif
#if defined(USE_KERBEROS5)
/* For AUTHENTICATE GSSAPI (without initial response) responses */
static CURLcode imap_state_auth_gssapi_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
struct imap_conn *imapc = &conn->proto.imapc; struct imap_conn *imapc = &conn->proto.imapc;
size_t len = 0; saslprogress progress;
char *respmsg = NULL;
(void)instate; /* no use for this yet */ (void)instate; /* no use for this yet */
if(imapcode != '+') { result = Curl_sasl_continue(&imapc->sasl, conn, imapcode, &progress);
failf(data, "Access denied: %d", imapcode); if(!result)
result = CURLE_LOGIN_DENIED; switch(progress) {
} case SASL_DONE:
else { state(conn, IMAP_STOP); /* Authenticated */
/* Create the initial response message */ break;
result = Curl_sasl_create_gssapi_user_message(data, conn->user, case SASL_IDLE: /* No mechanism left after cancellation */
conn->passwd, "imap", if((!imapc->login_disabled) && (imapc->preftype & IMAP_TYPE_CLEARTEXT))
imapc->sasl.mutual_auth, /* Perform clear text authentication */
NULL, &conn->krb5, result = imap_perform_login(conn);
&respmsg, &len); else {
if(!result && respmsg) { failf(data, "Authentication cancelled");
/* Send the message */ result = CURLE_LOGIN_DENIED;
result = Curl_pp_sendf(&imapc->pp, "%s", respmsg);
if(!result)
state(conn, IMAP_AUTHENTICATE_GSSAPI_TOKEN);
}
}
Curl_safefree(respmsg);
return result;
}
/* For AUTHENTICATE GSSAPI user token responses */
static CURLcode imap_state_auth_gssapi_token_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct imap_conn *imapc = &conn->proto.imapc;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
imap_get_message(data->state.buffer, &chlgmsg);
if(imapc->sasl.mutual_auth)
/* Decode the user token challenge and create the optional response
message */
result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL,
imapc->sasl.mutual_auth,
chlgmsg, &conn->krb5,
&respmsg, &len);
else
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&imapc->pp, "%s", "*");
if(!result)
state(conn, IMAP_AUTHENTICATE_CANCEL);
} }
break;
default:
break;
} }
else {
/* Send the response */
if(respmsg)
result = Curl_pp_sendf(&imapc->pp, "%s", respmsg);
else
result = Curl_pp_sendf(&imapc->pp, "%s", "");
if(!result)
state(conn, imapc->sasl.mutual_auth? IMAP_AUTHENTICATE_GSSAPI_NO_DATA:
IMAP_AUTHENTICATE_FINAL);
}
}
Curl_safefree(respmsg);
return result;
}
/* For AUTHENTICATE GSSAPI no data responses */
static CURLcode imap_state_auth_gssapi_no_data_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
imap_get_message(data->state.buffer, &chlgmsg);
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "*");
if(!result)
state(conn, IMAP_AUTHENTICATE_CANCEL);
}
}
else {
/* Send the response */
if(respmsg) {
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", respmsg);
if(!result)
state(conn, IMAP_AUTHENTICATE_FINAL);
}
}
}
Curl_safefree(respmsg);
return result;
}
#endif
/* For AUTHENTICATE XOAUTH2 (without initial response) responses */
static CURLcode imap_state_auth_xoauth2_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *xoauth = NULL;
(void)instate; /* no use for this yet */
if(imapcode != '+') {
failf(data, "Access denied: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the authorisation message */
result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
conn->xoauth2_bearer,
&xoauth, &len);
if(!result && xoauth) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", xoauth);
if(!result)
state(conn, IMAP_AUTHENTICATE_FINAL);
}
}
Curl_safefree(xoauth);
return result;
}
/* For AUTHENTICATE cancellation responses */
static CURLcode imap_state_auth_cancel_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct imap_conn *imapc = &conn->proto.imapc;
const char *mech = NULL;
char *initresp = NULL;
size_t len = 0;
imapstate state1 = IMAP_STOP;
imapstate state2 = IMAP_STOP;
(void)imapcode;
(void)instate; /* no use for this yet */
/* Remove the offending mechanism from the supported list */
imapc->sasl.authmechs ^= imapc->sasl.authused;
/* Calculate alternative SASL login details */
result = imap_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
&state2);
if(!result) {
/* Do we have any mechanisms left or can we fallback to clear text? */
if(mech) {
/* Retry SASL based authentication */
result = imap_perform_authenticate(conn, mech, initresp, state1, state2);
Curl_safefree(initresp);
}
else if((!imapc->login_disabled) &&
(imapc->preftype & IMAP_TYPE_CLEARTEXT))
/* Perform clear text authentication */
result = imap_perform_login(conn);
else {
failf(data, "Authentication cancelled");
result = CURLE_LOGIN_DENIED;
}
}
return result;
}
/* For final responses in the AUTHENTICATE sequence */
static CURLcode imap_state_auth_final_resp(struct connectdata *conn,
int imapcode,
imapstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
(void)instate; /* no use for this yet */
if(imapcode != 'O') {
failf(data, "Authentication failed: %d", imapcode);
result = CURLE_LOGIN_DENIED;
}
else
/* End of connect phase */
state(conn, IMAP_STOP);
return result; return result;
} }
@ -1862,69 +1317,8 @@ static CURLcode imap_statemach_act(struct connectdata *conn)
result = imap_state_starttls_resp(conn, imapcode, imapc->state); result = imap_state_starttls_resp(conn, imapcode, imapc->state);
break; break;
case IMAP_AUTHENTICATE_PLAIN: case IMAP_AUTHENTICATE:
result = imap_state_auth_plain_resp(conn, imapcode, imapc->state); result = imap_state_auth_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_LOGIN:
result = imap_state_auth_login_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_LOGIN_PASSWD:
result = imap_state_auth_login_password_resp(conn, imapcode,
imapc->state);
break;
#ifndef CURL_DISABLE_CRYPTO_AUTH
case IMAP_AUTHENTICATE_CRAMMD5:
result = imap_state_auth_cram_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_DIGESTMD5:
result = imap_state_auth_digest_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_DIGESTMD5_RESP:
result = imap_state_auth_digest_resp_resp(conn, imapcode, imapc->state);
break;
#endif
#ifdef USE_NTLM
case IMAP_AUTHENTICATE_NTLM:
result = imap_state_auth_ntlm_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_NTLM_TYPE2MSG:
result = imap_state_auth_ntlm_type2msg_resp(conn, imapcode,
imapc->state);
break;
#endif
#if defined(USE_KERBEROS5)
case IMAP_AUTHENTICATE_GSSAPI:
result = imap_state_auth_gssapi_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_GSSAPI_TOKEN:
result = imap_state_auth_gssapi_token_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_GSSAPI_NO_DATA:
result = imap_state_auth_gssapi_no_data_resp(conn, imapcode,
imapc->state);
break;
#endif
case IMAP_AUTHENTICATE_XOAUTH2:
result = imap_state_auth_xoauth2_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_CANCEL:
result = imap_state_auth_cancel_resp(conn, imapcode, imapc->state);
break;
case IMAP_AUTHENTICATE_FINAL:
result = imap_state_auth_final_resp(conn, imapcode, imapc->state);
break; break;
case IMAP_LOGIN: case IMAP_LOGIN:
@ -2051,7 +1445,7 @@ static CURLcode imap_connect(struct connectdata *conn, bool *done)
/* Set the default preferred authentication type and mechanism */ /* Set the default preferred authentication type and mechanism */
imapc->preftype = IMAP_TYPE_ANY; imapc->preftype = IMAP_TYPE_ANY;
Curl_sasl_init(&imapc->sasl); Curl_sasl_init(&imapc->sasl, &saslimap);
/* Initialise the pingpong layer */ /* Initialise the pingpong layer */
Curl_pp_init(pp); Curl_pp_init(pp);
@ -2748,108 +2142,4 @@ static CURLcode imap_parse_custom_request(struct connectdata *conn)
return result; return result;
} }
/***********************************************************************
*
* imap_calc_sasl_details()
*
* Calculate the required login details for SASL authentication.
*/
static CURLcode imap_calc_sasl_details(struct connectdata *conn,
const char **mech,
char **initresp, size_t *len,
imapstate *state1, imapstate *state2)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct imap_conn *imapc = &conn->proto.imapc;
/* Calculate the supported authentication mechanism, by decreasing order of
security, as well as the initial response where appropriate */
#if defined(USE_KERBEROS5)
if((imapc->sasl.authmechs & SASL_MECH_GSSAPI) &&
(imapc->sasl.prefmech & SASL_MECH_GSSAPI)) {
imapc->sasl.mutual_auth = FALSE; /* TODO: Calculate mutual auth. */
*mech = SASL_MECH_STRING_GSSAPI;
*state1 = IMAP_AUTHENTICATE_GSSAPI;
*state2 = IMAP_AUTHENTICATE_GSSAPI_TOKEN;
imapc->sasl.authused = SASL_MECH_GSSAPI;
if(imapc->ir_supported || data->set.sasl_ir)
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd, "imap",
imapc->sasl.mutual_auth,
NULL, &conn->krb5,
initresp, len);
}
else
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if((imapc->sasl.authmechs & SASL_MECH_DIGEST_MD5) &&
(imapc->sasl.prefmech & SASL_MECH_DIGEST_MD5)) {
*mech = SASL_MECH_STRING_DIGEST_MD5;
*state1 = IMAP_AUTHENTICATE_DIGESTMD5;
imapc->sasl.authused = SASL_MECH_DIGEST_MD5;
}
else if((imapc->sasl.authmechs & SASL_MECH_CRAM_MD5) &&
(imapc->sasl.prefmech & SASL_MECH_CRAM_MD5)) {
*mech = SASL_MECH_STRING_CRAM_MD5;
*state1 = IMAP_AUTHENTICATE_CRAMMD5;
imapc->sasl.authused = SASL_MECH_CRAM_MD5;
}
else
#endif
#ifdef USE_NTLM
if((imapc->sasl.authmechs & SASL_MECH_NTLM) &&
(imapc->sasl.prefmech & SASL_MECH_NTLM)) {
*mech = SASL_MECH_STRING_NTLM;
*state1 = IMAP_AUTHENTICATE_NTLM;
*state2 = IMAP_AUTHENTICATE_NTLM_TYPE2MSG;
imapc->sasl.authused = SASL_MECH_NTLM;
if(imapc->ir_supported || data->set.sasl_ir)
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm,
initresp, len);
}
else
#endif
if(((imapc->sasl.authmechs & SASL_MECH_XOAUTH2) &&
(imapc->sasl.prefmech & SASL_MECH_XOAUTH2) &&
(imapc->sasl.prefmech != SASL_AUTH_ANY)) || conn->xoauth2_bearer) {
*mech = SASL_MECH_STRING_XOAUTH2;
*state1 = IMAP_AUTHENTICATE_XOAUTH2;
*state2 = IMAP_AUTHENTICATE_FINAL;
imapc->sasl.authused = SASL_MECH_XOAUTH2;
if(imapc->ir_supported || data->set.sasl_ir)
result = Curl_sasl_create_xoauth2_message(data, conn->user,
conn->xoauth2_bearer,
initresp, len);
}
else if((imapc->sasl.authmechs & SASL_MECH_LOGIN) &&
(imapc->sasl.prefmech & SASL_MECH_LOGIN)) {
*mech = SASL_MECH_STRING_LOGIN;
*state1 = IMAP_AUTHENTICATE_LOGIN;
*state2 = IMAP_AUTHENTICATE_LOGIN_PASSWD;
imapc->sasl.authused = SASL_MECH_LOGIN;
if(imapc->ir_supported || data->set.sasl_ir)
result = Curl_sasl_create_login_message(data, conn->user, initresp, len);
}
else if((imapc->sasl.authmechs & SASL_MECH_PLAIN) &&
(imapc->sasl.prefmech & SASL_MECH_PLAIN)) {
*mech = SASL_MECH_STRING_PLAIN;
*state1 = IMAP_AUTHENTICATE_PLAIN;
*state2 = IMAP_AUTHENTICATE_FINAL;
imapc->sasl.authused = SASL_MECH_PLAIN;
if(imapc->ir_supported || data->set.sasl_ir)
result = Curl_sasl_create_plain_message(data, conn->user, conn->passwd,
initresp, len);
}
return result;
}
#endif /* CURL_DISABLE_IMAP */ #endif /* CURL_DISABLE_IMAP */

View File

@ -36,20 +36,7 @@ typedef enum {
IMAP_STARTTLS, IMAP_STARTTLS,
IMAP_UPGRADETLS, /* asynchronously upgrade the connection to SSL/TLS IMAP_UPGRADETLS, /* asynchronously upgrade the connection to SSL/TLS
(multi mode only) */ (multi mode only) */
IMAP_AUTHENTICATE_PLAIN, IMAP_AUTHENTICATE,
IMAP_AUTHENTICATE_LOGIN,
IMAP_AUTHENTICATE_LOGIN_PASSWD,
IMAP_AUTHENTICATE_CRAMMD5,
IMAP_AUTHENTICATE_DIGESTMD5,
IMAP_AUTHENTICATE_DIGESTMD5_RESP,
IMAP_AUTHENTICATE_NTLM,
IMAP_AUTHENTICATE_NTLM_TYPE2MSG,
IMAP_AUTHENTICATE_GSSAPI,
IMAP_AUTHENTICATE_GSSAPI_TOKEN,
IMAP_AUTHENTICATE_GSSAPI_NO_DATA,
IMAP_AUTHENTICATE_XOAUTH2,
IMAP_AUTHENTICATE_CANCEL,
IMAP_AUTHENTICATE_FINAL,
IMAP_LOGIN, IMAP_LOGIN,
IMAP_LIST, IMAP_LIST,
IMAP_SELECT, IMAP_SELECT,

View File

@ -106,10 +106,10 @@ static CURLcode pop3_setup_connection(struct connectdata *conn);
static CURLcode pop3_parse_url_options(struct connectdata *conn); static CURLcode pop3_parse_url_options(struct connectdata *conn);
static CURLcode pop3_parse_url_path(struct connectdata *conn); static CURLcode pop3_parse_url_path(struct connectdata *conn);
static CURLcode pop3_parse_custom_request(struct connectdata *conn); static CURLcode pop3_parse_custom_request(struct connectdata *conn);
static CURLcode pop3_calc_sasl_details(struct connectdata *conn, static CURLcode pop3_perform_auth(struct connectdata *conn, const char *mech,
const char **mech, const char *initresp);
char **initresp, size_t *len, static CURLcode pop3_continue_auth(struct connectdata *conn, const char *resp);
pop3state *state1, pop3state *state2); static void pop3_get_message(char *buffer, char** outptr);
/* /*
* POP3 protocol handler. * POP3 protocol handler.
@ -214,6 +214,17 @@ static const struct Curl_handler Curl_handler_pop3s_proxy = {
#endif #endif
#endif #endif
/* SASL parameters for the pop3 protocol */
static const struct SASLproto saslpop3 = {
"pop", /* The service name */
'+', /* Code received when continuation is expected */
'+', /* Code to receive upon authentication success */
255 - 8, /* Maximum initial response length (no max) */
pop3_perform_auth, /* Send authentication command */
pop3_continue_auth, /* Send authentication continuation */
pop3_get_message /* Get SASL response message */
};
#ifdef USE_SSL #ifdef USE_SSL
static void pop3_to_pop3s(struct connectdata *conn) static void pop3_to_pop3s(struct connectdata *conn)
{ {
@ -312,20 +323,7 @@ static void state(struct connectdata *conn, pop3state newstate)
"CAPA", "CAPA",
"STARTTLS", "STARTTLS",
"UPGRADETLS", "UPGRADETLS",
"AUTH_PLAIN", "AUTH",
"AUTH_LOGIN",
"AUTH_LOGIN_PASSWD",
"AUTH_CRAMMD5",
"AUTH_DIGESTMD5",
"AUTH_DIGESTMD5_RESP",
"AUTH_NTLM",
"AUTH_NTLM_TYPE2MSG",
"AUTH_GSSAPI",
"AUTH_GSSAPI_TOKEN",
"AUTH_GSSAPI_NO_DATA",
"AUTH_XOAUTH2",
"AUTH_CANCEL",
"AUTH_FINAL",
"APOP", "APOP",
"USER", "USER",
"PASS", "PASS",
@ -500,30 +498,37 @@ static CURLcode pop3_perform_apop(struct connectdata *conn)
*/ */
static CURLcode pop3_perform_auth(struct connectdata *conn, static CURLcode pop3_perform_auth(struct connectdata *conn,
const char *mech, const char *mech,
const char *initresp, size_t len, const char *initresp)
pop3state state1, pop3state state2)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct pop3_conn *pop3c = &conn->proto.pop3c; struct pop3_conn *pop3c = &conn->proto.pop3c;
if(initresp && 8 + strlen(mech) + len <= 255) { /* AUTH <mech> ...<crlf> */ if(initresp) { /* AUTH <mech> ...<crlf> */
/* Send the AUTH command with the initial response */ /* Send the AUTH command with the initial response */
result = Curl_pp_sendf(&pop3c->pp, "AUTH %s %s", mech, initresp); result = Curl_pp_sendf(&pop3c->pp, "AUTH %s %s", mech, initresp);
if(!result)
state(conn, state2);
} }
else { else {
/* Send the AUTH command */ /* Send the AUTH command */
result = Curl_pp_sendf(&pop3c->pp, "AUTH %s", mech); result = Curl_pp_sendf(&pop3c->pp, "AUTH %s", mech);
if(!result)
state(conn, state1);
} }
return result; return result;
} }
/***********************************************************************
*
* pop3_continue_auth()
*
* Sends SASL continuation data or cancellation.
*/
static CURLcode pop3_continue_auth(struct connectdata *conn,
const char *resp)
{
struct pop3_conn *pop3c = &conn->proto.pop3c;
return Curl_pp_sendf(&pop3c->pp, "%s", resp);
}
/*********************************************************************** /***********************************************************************
* *
* pop3_perform_authentication() * pop3_perform_authentication()
@ -536,38 +541,32 @@ static CURLcode pop3_perform_authentication(struct connectdata *conn)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct pop3_conn *pop3c = &conn->proto.pop3c; struct pop3_conn *pop3c = &conn->proto.pop3c;
const char *mech = NULL; saslprogress progress = SASL_IDLE;
char *initresp = NULL;
size_t len = 0;
pop3state state1 = POP3_STOP;
pop3state state2 = POP3_STOP;
/* Check we have a username and password to authenticate with and end the /* Check we have a username and password to authenticate with and end the
connect phase if we don't */ connect phase if we don't */
if(!conn->bits.user_passwd) { if(!conn->bits.user_passwd) {
state(conn, POP3_STOP); state(conn, POP3_STOP);
return result; return result;
} }
/* Calculate the SASL login details */ if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_SASL) {
if(pop3c->authtypes & POP3_TYPE_SASL) /* Calculate the SASL login details */
result = pop3_calc_sasl_details(conn, &mech, &initresp, &len, &state1, result = Curl_sasl_start(&pop3c->sasl, conn, FALSE, &progress);
&state2);
if(!result) { if(!result)
if(mech && (pop3c->preftype & POP3_TYPE_SASL)) { if(progress == SASL_INPROGRESS)
/* Perform SASL based authentication */ state(conn, POP3_AUTH);
result = pop3_perform_auth(conn, mech, initresp, len, state1, state2); }
}
if(!result && progress == SASL_IDLE) {
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_CRYPTO_AUTH
else if((pop3c->authtypes & POP3_TYPE_APOP) && if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP)
(pop3c->preftype & POP3_TYPE_APOP))
/* Perform APOP authentication */ /* Perform APOP authentication */
result = pop3_perform_apop(conn); result = pop3_perform_apop(conn);
else
#endif #endif
else if((pop3c->authtypes & POP3_TYPE_CLEARTEXT) && if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_CLEARTEXT)
(pop3c->preftype & POP3_TYPE_CLEARTEXT))
/* Perform clear text authentication */ /* Perform clear text authentication */
result = pop3_perform_user(conn); result = pop3_perform_user(conn);
else { else {
@ -577,8 +576,6 @@ static CURLcode pop3_perform_authentication(struct connectdata *conn)
} }
} }
Curl_safefree(initresp);
return result; return result;
} }
@ -807,575 +804,42 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
return result; return result;
} }
/* For AUTH PLAIN (without initial response) responses */ /* For SASL authentication responses */
static CURLcode pop3_state_auth_plain_resp(struct connectdata *conn, static CURLcode pop3_state_auth_resp(struct connectdata *conn,
int pop3code, int pop3code,
pop3state instate) pop3state instate)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
size_t len = 0; struct pop3_conn *pop3c = &conn->proto.pop3c;
char *plainauth = NULL; saslprogress progress;
(void)instate; /* no use for this yet */ (void)instate; /* no use for this yet */
if(pop3code != '+') { result = Curl_sasl_continue(&pop3c->sasl, conn, pop3code, &progress);
failf(data, "Access denied. %c", pop3code); if(!result)
result = CURLE_LOGIN_DENIED; switch(progress) {
} case SASL_DONE:
else { state(conn, POP3_STOP); /* Authenticated */
/* Create the authorisation message */ break;
result = Curl_sasl_create_plain_message(data, conn->user, conn->passwd, case SASL_IDLE: /* No mechanism left after cancellation */
&plainauth, &len);
if(!result && plainauth) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", plainauth);
if(!result)
state(conn, POP3_AUTH_FINAL);
}
}
Curl_safefree(plainauth);
return result;
}
/* For AUTH LOGIN (without initial response) responses */
static CURLcode pop3_state_auth_login_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *authuser = NULL;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the user message */
result = Curl_sasl_create_login_message(data, conn->user,
&authuser, &len);
if(!result && authuser) {
/* Send the user */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", authuser);
if(!result)
state(conn, POP3_AUTH_LOGIN_PASSWD);
}
}
Curl_safefree(authuser);
return result;
}
/* For AUTH LOGIN user entry responses */
static CURLcode pop3_state_auth_login_password_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *authpasswd = NULL;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the password message */
result = Curl_sasl_create_login_message(data, conn->passwd,
&authpasswd, &len);
if(!result && authpasswd) {
/* Send the password */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", authpasswd);
if(!result)
state(conn, POP3_AUTH_FINAL);
}
}
Curl_safefree(authpasswd);
return result;
}
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_CRYPTO_AUTH
/* For AUTH CRAM-MD5 responses */ if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP)
static CURLcode pop3_state_auth_cram_resp(struct connectdata *conn, /* Perform APOP authentication */
int pop3code, result = pop3_perform_apop(conn);
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlg = NULL;
char *chlg64 = NULL;
char *rplyb64 = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
return CURLE_LOGIN_DENIED;
}
/* Get the challenge message */
pop3_get_message(data->state.buffer, &chlg64);
/* Decode the challenge message */
result = Curl_sasl_decode_cram_md5_message(chlg64, &chlg, &len);
if(result) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "*");
if(!result)
state(conn, POP3_AUTH_CANCEL);
}
else {
/* Create the response message */
result = Curl_sasl_create_cram_md5_message(data, chlg, conn->user,
conn->passwd, &rplyb64, &len);
if(!result && rplyb64) {
/* Send the response */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", rplyb64);
if(!result)
state(conn, POP3_AUTH_FINAL);
}
}
Curl_safefree(chlg);
Curl_safefree(rplyb64);
return result;
}
/* For AUTH DIGEST-MD5 challenge responses */
static CURLcode pop3_state_auth_digest_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlg64 = NULL;
char *rplyb64 = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
return CURLE_LOGIN_DENIED;
}
/* Get the challenge message */
pop3_get_message(data->state.buffer, &chlg64);
/* Create the response message */
result = Curl_sasl_create_digest_md5_message(data, chlg64,
conn->user, conn->passwd,
"pop", &rplyb64, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "*");
if(!result)
state(conn, POP3_AUTH_CANCEL);
}
}
else {
/* Send the response */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", rplyb64);
if(!result)
state(conn, POP3_AUTH_DIGESTMD5_RESP);
}
Curl_safefree(rplyb64);
return result;
}
/* For AUTH DIGEST-MD5 challenge-response responses */
static CURLcode pop3_state_auth_digest_resp_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Authentication failed: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Send an empty response */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "");
if(!result)
state(conn, POP3_AUTH_FINAL);
}
return result;
}
#endif
#ifdef USE_NTLM
/* For AUTH NTLM (without initial response) responses */
static CURLcode pop3_state_auth_ntlm_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *type1msg = NULL;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the type-1 message */
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm,
&type1msg, &len);
if(!result && type1msg) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", type1msg);
if(!result)
state(conn, POP3_AUTH_NTLM_TYPE2MSG);
}
}
Curl_safefree(type1msg);
return result;
}
/* For NTLM type-2 responses (sent in reponse to our type-1 message) */
static CURLcode pop3_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *type2msg = NULL;
char *type3msg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the type-2 message */
pop3_get_message(data->state.buffer, &type2msg);
/* Decode the type-2 message */
result = Curl_sasl_decode_ntlm_type2_message(data, type2msg, &conn->ntlm);
if(result) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "*");
if(!result)
state(conn, POP3_AUTH_CANCEL);
}
else {
/* Create the type-3 message */
result = Curl_sasl_create_ntlm_type3_message(data, conn->user,
conn->passwd, &conn->ntlm,
&type3msg, &len);
if(!result && type3msg) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", type3msg);
if(!result)
state(conn, POP3_AUTH_FINAL);
}
}
}
Curl_safefree(type3msg);
return result;
}
#endif
#if defined(USE_KERBEROS5)
/* For AUTH GSSAPI (without initial response) responses */
static CURLcode pop3_state_auth_gssapi_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct pop3_conn *pop3c = &conn->proto.pop3c;
size_t len = 0;
char *respmsg = NULL;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the initial response message */
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd, "pop",
pop3c->sasl.mutual_auth,
NULL, &conn->krb5,
&respmsg, &len);
if(!result && respmsg) {
/* Send the message */
result = Curl_pp_sendf(&pop3c->pp, "%s", respmsg);
if(!result)
state(conn, POP3_AUTH_GSSAPI_TOKEN);
}
}
Curl_safefree(respmsg);
return result;
}
/* For AUTH GSSAPI user token responses */
static CURLcode pop3_state_auth_gssapi_token_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct pop3_conn *pop3c = &conn->proto.pop3c;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
pop3_get_message(data->state.buffer, &chlgmsg);
if(pop3c->sasl.mutual_auth)
/* Decode the user token challenge and create the optional response
message */
result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL,
pop3c->sasl.mutual_auth,
chlgmsg, &conn->krb5,
&respmsg, &len);
else
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&pop3c->pp, "%s", "*");
if(!result)
state(conn, POP3_AUTH_CANCEL);
}
}
else {
/* Send the response */
if(respmsg)
result = Curl_pp_sendf(&pop3c->pp, "%s", respmsg);
else else
result = Curl_pp_sendf(&pop3c->pp, "%s", "");
if(!result)
state(conn, (pop3c->sasl.mutual_auth ? POP3_AUTH_GSSAPI_NO_DATA :
POP3_AUTH_FINAL));
}
}
Curl_safefree(respmsg);
return result;
}
/* For AUTH GSSAPI no data responses */
static CURLcode pop3_state_auth_gssapi_no_data_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
pop3_get_message(data->state.buffer, &chlgmsg);
/* Decode the security challenge and create the security message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "*");
if(!result)
state(conn, POP3_AUTH_CANCEL);
}
}
else {
/* Send the response */
if(respmsg) {
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", respmsg);
if(!result)
state(conn, POP3_AUTH_FINAL);
}
}
}
Curl_safefree(respmsg);
return result;
}
#endif #endif
if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_CLEARTEXT)
/* For AUTH XOAUTH2 (without initial response) responses */ /* Perform clear text authentication */
static CURLcode pop3_state_auth_xoauth2_resp(struct connectdata *conn, result = pop3_perform_user(conn);
int pop3code, pop3state instate) else {
{ failf(data, "Authentication cancelled");
CURLcode result = CURLE_OK; result = CURLE_LOGIN_DENIED;
struct SessionHandle *data = conn->data; }
size_t len = 0; break;
char *xoauth = NULL; default:
break;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Access denied: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the authorisation message */
result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
conn->xoauth2_bearer,
&xoauth, &len);
if(!result && xoauth) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", xoauth);
if(!result)
state(conn, POP3_AUTH_FINAL);
} }
}
Curl_safefree(xoauth);
return result;
}
/* For AUTH cancellation responses */
static CURLcode pop3_state_auth_cancel_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct pop3_conn *pop3c = &conn->proto.pop3c;
const char *mech = NULL;
char *initresp = NULL;
size_t len = 0;
pop3state state1 = POP3_STOP;
pop3state state2 = POP3_STOP;
(void)pop3code;
(void)instate; /* no use for this yet */
/* Remove the offending mechanism from the supported list */
pop3c->sasl.authmechs ^= pop3c->sasl.authused;
/* Calculate alternative SASL login details */
result = pop3_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
&state2);
if(!result) {
/* Do we have any mechanisms left or can we fallback to another
authentication type? */
if(mech) {
/* Retry SASL based authentication */
result = pop3_perform_auth(conn, mech, initresp, len, state1, state2);
Curl_safefree(initresp);
}
#ifndef CURL_DISABLE_CRYPTO_AUTH
else if((pop3c->authtypes & POP3_TYPE_APOP) &&
(pop3c->preftype & POP3_TYPE_APOP))
/* Perform APOP authentication */
result = pop3_perform_apop(conn);
#endif
else if((pop3c->authtypes & POP3_TYPE_CLEARTEXT) &&
(pop3c->preftype & POP3_TYPE_CLEARTEXT))
/* Perform clear text authentication */
result = pop3_perform_user(conn);
else {
failf(data, "Authentication cancelled");
result = CURLE_LOGIN_DENIED;
}
}
return result;
}
/* For final responses in the AUTH sequence */
static CURLcode pop3_state_auth_final_resp(struct connectdata *conn,
int pop3code,
pop3state instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Authentication failed: %d", pop3code);
result = CURLE_LOGIN_DENIED;
}
else
/* End of connect phase */
state(conn, POP3_STOP);
return result; return result;
} }
@ -1542,69 +1006,8 @@ static CURLcode pop3_statemach_act(struct connectdata *conn)
result = pop3_state_starttls_resp(conn, pop3code, pop3c->state); result = pop3_state_starttls_resp(conn, pop3code, pop3c->state);
break; break;
case POP3_AUTH_PLAIN: case POP3_AUTH:
result = pop3_state_auth_plain_resp(conn, pop3code, pop3c->state); result = pop3_state_auth_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_LOGIN:
result = pop3_state_auth_login_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_LOGIN_PASSWD:
result = pop3_state_auth_login_password_resp(conn, pop3code,
pop3c->state);
break;
#ifndef CURL_DISABLE_CRYPTO_AUTH
case POP3_AUTH_CRAMMD5:
result = pop3_state_auth_cram_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_DIGESTMD5:
result = pop3_state_auth_digest_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_DIGESTMD5_RESP:
result = pop3_state_auth_digest_resp_resp(conn, pop3code, pop3c->state);
break;
#endif
#ifdef USE_NTLM
case POP3_AUTH_NTLM:
result = pop3_state_auth_ntlm_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_NTLM_TYPE2MSG:
result = pop3_state_auth_ntlm_type2msg_resp(conn, pop3code,
pop3c->state);
break;
#endif
#if defined(USE_KERBEROS5)
case POP3_AUTH_GSSAPI:
result = pop3_state_auth_gssapi_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_GSSAPI_TOKEN:
result = pop3_state_auth_gssapi_token_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_GSSAPI_NO_DATA:
result = pop3_state_auth_gssapi_no_data_resp(conn, pop3code,
pop3c->state);
break;
#endif
case POP3_AUTH_XOAUTH2:
result = pop3_state_auth_xoauth2_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_CANCEL:
result = pop3_state_auth_cancel_resp(conn, pop3code, pop3c->state);
break;
case POP3_AUTH_FINAL:
result = pop3_state_auth_final_resp(conn, pop3code, pop3c->state);
break; break;
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_CRYPTO_AUTH
@ -1717,7 +1120,7 @@ static CURLcode pop3_connect(struct connectdata *conn, bool *done)
/* Set the default preferred authentication type and mechanism */ /* Set the default preferred authentication type and mechanism */
pop3c->preftype = POP3_TYPE_ANY; pop3c->preftype = POP3_TYPE_ANY;
Curl_sasl_init(&pop3c->sasl); Curl_sasl_init(&pop3c->sasl, &saslpop3);
/* Initialise the pingpong layer */ /* Initialise the pingpong layer */
Curl_pp_init(pp); Curl_pp_init(pp);
@ -2070,110 +1473,6 @@ static CURLcode pop3_parse_custom_request(struct connectdata *conn)
return result; return result;
} }
/***********************************************************************
*
* pop3_calc_sasl_details()
*
* Calculate the required login details for SASL authentication.
*/
static CURLcode pop3_calc_sasl_details(struct connectdata *conn,
const char **mech,
char **initresp, size_t *len,
pop3state *state1, pop3state *state2)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct pop3_conn *pop3c = &conn->proto.pop3c;
/* Calculate the supported authentication mechanism, by decreasing order of
security, as well as the initial response where appropriate */
#if defined(USE_KERBEROS5)
if((pop3c->sasl.authmechs & SASL_MECH_GSSAPI) &&
(pop3c->sasl.prefmech & SASL_MECH_GSSAPI)) {
pop3c->sasl.mutual_auth = FALSE; /* TODO: Calculate mutual auth. */
*mech = SASL_MECH_STRING_GSSAPI;
*state1 = POP3_AUTH_GSSAPI;
*state2 = POP3_AUTH_GSSAPI_TOKEN;
pop3c->sasl.authused = SASL_MECH_GSSAPI;
if(data->set.sasl_ir)
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd, "pop",
pop3c->sasl.mutual_auth,
NULL, &conn->krb5,
initresp, len);
}
else
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if((pop3c->sasl.authmechs & SASL_MECH_DIGEST_MD5) &&
(pop3c->sasl.prefmech & SASL_MECH_DIGEST_MD5)) {
*mech = SASL_MECH_STRING_DIGEST_MD5;
*state1 = POP3_AUTH_DIGESTMD5;
pop3c->sasl.authused = SASL_MECH_DIGEST_MD5;
}
else if((pop3c->sasl.authmechs & SASL_MECH_CRAM_MD5) &&
(pop3c->sasl.prefmech & SASL_MECH_CRAM_MD5)) {
*mech = SASL_MECH_STRING_CRAM_MD5;
*state1 = POP3_AUTH_CRAMMD5;
pop3c->sasl.authused = SASL_MECH_CRAM_MD5;
}
else
#endif
#ifdef USE_NTLM
if((pop3c->sasl.authmechs & SASL_MECH_NTLM) &&
(pop3c->sasl.prefmech & SASL_MECH_NTLM)) {
*mech = SASL_MECH_STRING_NTLM;
*state1 = POP3_AUTH_NTLM;
*state2 = POP3_AUTH_NTLM_TYPE2MSG;
pop3c->sasl.authused = SASL_MECH_NTLM;
if(data->set.sasl_ir)
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm,
initresp, len);
}
else
#endif
if(((pop3c->sasl.authmechs & SASL_MECH_XOAUTH2) &&
(pop3c->sasl.prefmech & SASL_MECH_XOAUTH2) &&
(pop3c->sasl.prefmech != SASL_AUTH_ANY)) || conn->xoauth2_bearer) {
*mech = SASL_MECH_STRING_XOAUTH2;
*state1 = POP3_AUTH_XOAUTH2;
*state2 = POP3_AUTH_FINAL;
pop3c->sasl.authused = SASL_MECH_XOAUTH2;
if(data->set.sasl_ir)
result = Curl_sasl_create_xoauth2_message(data, conn->user,
conn->xoauth2_bearer,
initresp, len);
}
else if((pop3c->sasl.authmechs & SASL_MECH_LOGIN) &&
(pop3c->sasl.prefmech & SASL_MECH_LOGIN)) {
*mech = SASL_MECH_STRING_LOGIN;
*state1 = POP3_AUTH_LOGIN;
*state2 = POP3_AUTH_LOGIN_PASSWD;
pop3c->sasl.authused = SASL_MECH_LOGIN;
if(data->set.sasl_ir)
result = Curl_sasl_create_login_message(data, conn->user, initresp, len);
}
else if((pop3c->sasl.authmechs & SASL_MECH_PLAIN) &&
(pop3c->sasl.prefmech & SASL_MECH_PLAIN)) {
*mech = SASL_MECH_STRING_PLAIN;
*state1 = POP3_AUTH_PLAIN;
*state2 = POP3_AUTH_FINAL;
pop3c->sasl.authused = SASL_MECH_PLAIN;
if(data->set.sasl_ir)
result = Curl_sasl_create_plain_message(data, conn->user, conn->passwd,
initresp, len);
}
return result;
}
/*********************************************************************** /***********************************************************************
* *
* Curl_pop3_write() * Curl_pop3_write()

View File

@ -36,20 +36,7 @@ typedef enum {
POP3_STARTTLS, POP3_STARTTLS,
POP3_UPGRADETLS, /* asynchronously upgrade the connection to SSL/TLS POP3_UPGRADETLS, /* asynchronously upgrade the connection to SSL/TLS
(multi mode only) */ (multi mode only) */
POP3_AUTH_PLAIN, POP3_AUTH,
POP3_AUTH_LOGIN,
POP3_AUTH_LOGIN_PASSWD,
POP3_AUTH_CRAMMD5,
POP3_AUTH_DIGESTMD5,
POP3_AUTH_DIGESTMD5_RESP,
POP3_AUTH_NTLM,
POP3_AUTH_NTLM_TYPE2MSG,
POP3_AUTH_GSSAPI,
POP3_AUTH_GSSAPI_TOKEN,
POP3_AUTH_GSSAPI_NO_DATA,
POP3_AUTH_XOAUTH2,
POP3_AUTH_CANCEL,
POP3_AUTH_FINAL,
POP3_APOP, POP3_APOP,
POP3_USER, POP3_USER,
POP3_PASS, POP3_PASS,

View File

@ -105,10 +105,10 @@ static CURLcode smtp_setup_connection(struct connectdata *conn);
static CURLcode smtp_parse_url_options(struct connectdata *conn); static CURLcode smtp_parse_url_options(struct connectdata *conn);
static CURLcode smtp_parse_url_path(struct connectdata *conn); static CURLcode smtp_parse_url_path(struct connectdata *conn);
static CURLcode smtp_parse_custom_request(struct connectdata *conn); static CURLcode smtp_parse_custom_request(struct connectdata *conn);
static CURLcode smtp_calc_sasl_details(struct connectdata *conn, static CURLcode smtp_perform_auth(struct connectdata *conn, const char *mech,
const char **mech, const char *initresp);
char **initresp, size_t *len, static CURLcode smtp_continue_auth(struct connectdata *conn, const char *resp);
smtpstate *state1, smtpstate *state2); static void smtp_get_message(char *buffer, char** outptr);
/* /*
* SMTP protocol handler. * SMTP protocol handler.
@ -213,6 +213,17 @@ static const struct Curl_handler Curl_handler_smtps_proxy = {
#endif #endif
#endif #endif
/* SASL parameters for the smtp protocol */
static const struct SASLproto saslsmtp = {
"smtp", /* The service name */
334, /* Code received when continuation is expected */
235, /* Code to receive upon authentication success */
512 - 8, /* Maximum initial response length (no max) */
smtp_perform_auth, /* Send authentication command */
smtp_continue_auth, /* Send authentication continuation */
smtp_get_message /* Get SASL response message */
};
#ifdef USE_SSL #ifdef USE_SSL
static void smtp_to_smtps(struct connectdata *conn) static void smtp_to_smtps(struct connectdata *conn)
{ {
@ -309,20 +320,7 @@ static void state(struct connectdata *conn, smtpstate newstate)
"HELO", "HELO",
"STARTTLS", "STARTTLS",
"UPGRADETLS", "UPGRADETLS",
"AUTH_PLAIN", "AUTH",
"AUTH_LOGIN",
"AUTH_LOGIN_PASSWD",
"AUTH_CRAMMD5",
"AUTH_DIGESTMD5",
"AUTH_DIGESTMD5_RESP",
"AUTH_NTLM",
"AUTH_NTLM_TYPE2MSG",
"AUTH_GSSAPI",
"AUTH_GSSAPI_TOKEN",
"AUTH_GSSAPI_NO_DATA",
"AUTH_XOAUTH2",
"AUTH_CANCEL",
"AUTH_FINAL",
"COMMAND", "COMMAND",
"MAIL", "MAIL",
"RCPT", "RCPT",
@ -445,30 +443,36 @@ static CURLcode smtp_perform_upgrade_tls(struct connectdata *conn)
*/ */
static CURLcode smtp_perform_auth(struct connectdata *conn, static CURLcode smtp_perform_auth(struct connectdata *conn,
const char *mech, const char *mech,
const char *initresp, size_t len, const char *initresp)
smtpstate state1, smtpstate state2)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct smtp_conn *smtpc = &conn->proto.smtpc; struct smtp_conn *smtpc = &conn->proto.smtpc;
if(initresp && 8 + strlen(mech) + len <= 512) { /* AUTH <mech> ...<crlf> */ if(initresp) { /* AUTH <mech> ...<crlf> */
/* Send the AUTH command with the initial response */ /* Send the AUTH command with the initial response */
result = Curl_pp_sendf(&smtpc->pp, "AUTH %s %s", mech, initresp); result = Curl_pp_sendf(&smtpc->pp, "AUTH %s %s", mech, initresp);
if(!result)
state(conn, state2);
} }
else { else {
/* Send the AUTH command */ /* Send the AUTH command */
result = Curl_pp_sendf(&smtpc->pp, "AUTH %s", mech); result = Curl_pp_sendf(&smtpc->pp, "AUTH %s", mech);
if(!result)
state(conn, state1);
} }
return result; return result;
} }
/***********************************************************************
*
* smtp_continue_auth()
*
* Sends SASL continuation data or cancellation.
*/
static CURLcode smtp_continue_auth(struct connectdata *conn, const char *resp)
{
struct smtp_conn *smtpc = &conn->proto.smtpc;
return Curl_pp_sendf(&smtpc->pp, "%s", resp);
}
/*********************************************************************** /***********************************************************************
* *
* smtp_perform_authentication() * smtp_perform_authentication()
@ -480,31 +484,21 @@ static CURLcode smtp_perform_authentication(struct connectdata *conn)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct smtp_conn *smtpc = &conn->proto.smtpc; struct smtp_conn *smtpc = &conn->proto.smtpc;
const char *mech = NULL; saslprogress progress;
char *initresp = NULL;
size_t len = 0;
smtpstate state1 = SMTP_STOP;
smtpstate state2 = SMTP_STOP;
/* Check we have a username and password to authenticate with, and the /* Check we have a username and password to authenticate with, and the
server supports authentiation, and end the connect phase if not */ server supports authentiation, and end the connect phase if not */
if(!conn->bits.user_passwd || !smtpc->auth_supported) { if(!conn->bits.user_passwd || !smtpc->auth_supported) {
state(conn, SMTP_STOP); state(conn, SMTP_STOP);
return result; return result;
} }
/* Calculate the SASL login details */ /* Calculate the SASL login details */
result = smtp_calc_sasl_details(conn, &mech, &initresp, &len, &state1, result = Curl_sasl_start(&smtpc->sasl, conn, FALSE, &progress);
&state2);
if(!result) { if(!result) {
if(mech) { if(progress == SASL_INPROGRESS)
/* Perform SASL based authentication */ state(conn, SMTP_AUTH);
result = smtp_perform_auth(conn, mech, initresp, len, state1, state2);
Curl_safefree(initresp);
}
else { else {
/* Other mechanisms not supported */ /* Other mechanisms not supported */
infof(conn->data, "No known authentication mechanisms supported!\n"); infof(conn->data, "No known authentication mechanisms supported!\n");
@ -825,566 +819,31 @@ static CURLcode smtp_state_helo_resp(struct connectdata *conn, int smtpcode,
return result; return result;
} }
/* For AUTH PLAIN (without initial response) responses */ /* For SASL authentication responses */
static CURLcode smtp_state_auth_plain_resp(struct connectdata *conn, static CURLcode smtp_state_auth_resp(struct connectdata *conn,
int smtpcode, int smtpcode,
smtpstate instate) smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *plainauth = NULL;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the authorisation message */
result = Curl_sasl_create_plain_message(conn->data, conn->user,
conn->passwd, &plainauth, &len);
if(!result && plainauth) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", plainauth);
if(!result)
state(conn, SMTP_AUTH_FINAL);
}
}
Curl_safefree(plainauth);
return result;
}
/* For AUTH LOGIN (without initial response) responses */
static CURLcode smtp_state_auth_login_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *authuser = NULL;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the user message */
result = Curl_sasl_create_login_message(conn->data, conn->user,
&authuser, &len);
if(!result && authuser) {
/* Send the user */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", authuser);
if(!result)
state(conn, SMTP_AUTH_LOGIN_PASSWD);
}
}
Curl_safefree(authuser);
return result;
}
/* For AUTH LOGIN user entry responses */
static CURLcode smtp_state_auth_login_password_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *authpasswd = NULL;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the password message */
result = Curl_sasl_create_login_message(conn->data, conn->passwd,
&authpasswd, &len);
if(!result && authpasswd) {
/* Send the password */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", authpasswd);
if(!result)
state(conn, SMTP_AUTH_FINAL);
}
}
Curl_safefree(authpasswd);
return result;
}
#ifndef CURL_DISABLE_CRYPTO_AUTH
/* For AUTH CRAM-MD5 responses */
static CURLcode smtp_state_auth_cram_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlg = NULL;
char *chlg64 = NULL;
char *rplyb64 = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
return CURLE_LOGIN_DENIED;
}
/* Get the challenge message */
smtp_get_message(data->state.buffer, &chlg64);
/* Decode the challenge message */
result = Curl_sasl_decode_cram_md5_message(chlg64, &chlg, &len);
if(result) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "*");
if(!result)
state(conn, SMTP_AUTH_CANCEL);
}
else {
/* Create the response message */
result = Curl_sasl_create_cram_md5_message(data, chlg, conn->user,
conn->passwd, &rplyb64, &len);
if(!result && rplyb64) {
/* Send the response */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", rplyb64);
if(!result)
state(conn, SMTP_AUTH_FINAL);
}
}
Curl_safefree(chlg);
Curl_safefree(rplyb64);
return result;
}
/* For AUTH DIGEST-MD5 challenge responses */
static CURLcode smtp_state_auth_digest_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlg64 = NULL;
char *rplyb64 = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
return CURLE_LOGIN_DENIED;
}
/* Get the challenge message */
smtp_get_message(data->state.buffer, &chlg64);
/* Create the response message */
result = Curl_sasl_create_digest_md5_message(data, chlg64,
conn->user, conn->passwd,
"smtp", &rplyb64, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "*");
if(!result)
state(conn, SMTP_AUTH_CANCEL);
}
}
else {
/* Send the response */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", rplyb64);
if(!result)
state(conn, SMTP_AUTH_DIGESTMD5_RESP);
}
Curl_safefree(rplyb64);
return result;
}
/* For AUTH DIGEST-MD5 challenge-response responses */
static CURLcode smtp_state_auth_digest_resp_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Authentication failed: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Send an empty response */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "");
if(!result)
state(conn, SMTP_AUTH_FINAL);
}
return result;
}
#endif
#ifdef USE_NTLM
/* For AUTH NTLM (without initial response) responses */
static CURLcode smtp_state_auth_ntlm_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *type1msg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the type-1 message */
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm,
&type1msg, &len);
if(!result && type1msg) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", type1msg);
if(!result)
state(conn, SMTP_AUTH_NTLM_TYPE2MSG);
}
}
Curl_safefree(type1msg);
return result;
}
/* For NTLM type-2 responses (sent in reponse to our type-1 message) */
static CURLcode smtp_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *type2msg = NULL;
char *type3msg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the type-2 message */
smtp_get_message(data->state.buffer, &type2msg);
/* Decode the type-2 message */
result = Curl_sasl_decode_ntlm_type2_message(data, type2msg, &conn->ntlm);
if(result) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "*");
if(!result)
state(conn, SMTP_AUTH_CANCEL);
}
else {
/* Create the type-3 message */
result = Curl_sasl_create_ntlm_type3_message(data, conn->user,
conn->passwd, &conn->ntlm,
&type3msg, &len);
if(!result && type3msg) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", type3msg);
if(!result)
state(conn, SMTP_AUTH_FINAL);
}
}
}
Curl_safefree(type3msg);
return result;
}
#endif
#if defined(USE_KERBEROS5)
/* For AUTH GSSAPI (without initial response) responses */
static CURLcode smtp_state_auth_gssapi_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
struct smtp_conn *smtpc = &conn->proto.smtpc; struct smtp_conn *smtpc = &conn->proto.smtpc;
char *respmsg = NULL; saslprogress progress;
size_t len = 0;
(void)instate; /* no use for this yet */ (void)instate; /* no use for this yet */
if(smtpcode != 334) { result = Curl_sasl_continue(&smtpc->sasl, conn, smtpcode, &progress);
failf(data, "Access denied: %d", smtpcode); if(!result)
result = CURLE_LOGIN_DENIED; switch(progress) {
} case SASL_DONE:
else { state(conn, SMTP_STOP); /* Authenticated */
/* Create the initial response message */ break;
result = Curl_sasl_create_gssapi_user_message(data, conn->user, case SASL_IDLE: /* No mechanism left after cancellation */
conn->passwd, "smtp",
smtpc->sasl.mutual_auth,
NULL,
&conn->krb5,
&respmsg, &len);
if(!result && respmsg) {
/* Send the message */
result = Curl_pp_sendf(&smtpc->pp, "%s", respmsg);
if(!result)
state(conn, SMTP_AUTH_GSSAPI_TOKEN);
}
}
Curl_safefree(respmsg);
return result;
}
/* For AUTH GSSAPI user token responses */
static CURLcode smtp_state_auth_gssapi_token_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct smtp_conn *smtpc = &conn->proto.smtpc;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
smtp_get_message(data->state.buffer, &chlgmsg);
if(smtpc->sasl.mutual_auth)
/* Decode the user token challenge and create the optional response
message */
result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL,
smtpc->sasl.mutual_auth,
chlgmsg, &conn->krb5,
&respmsg, &len);
else
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&smtpc->pp, "%s", "*");
if(!result)
state(conn, SMTP_AUTH_CANCEL);
}
}
else {
/* Send the response */
if(respmsg)
result = Curl_pp_sendf(&smtpc->pp, "%s", respmsg);
else
result = Curl_pp_sendf(&smtpc->pp, "%s", "");
if(!result)
state(conn, (smtpc->sasl.mutual_auth ? SMTP_AUTH_GSSAPI_NO_DATA :
SMTP_AUTH_FINAL));
}
}
Curl_safefree(respmsg);
return result;
}
/* For AUTH GSSAPI no data responses */
static CURLcode smtp_state_auth_gssapi_no_data_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
char *chlgmsg = NULL;
char *respmsg = NULL;
size_t len = 0;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Get the challenge message */
smtp_get_message(data->state.buffer, &chlgmsg);
/* Decode the security challenge and create the response message */
result = Curl_sasl_create_gssapi_security_message(data, chlgmsg,
&conn->krb5,
&respmsg, &len);
if(result) {
if(result == CURLE_BAD_CONTENT_ENCODING) {
/* Send the cancellation */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "*");
if(!result)
state(conn, SMTP_AUTH_CANCEL);
}
}
else {
/* Send the response */
if(respmsg) {
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", respmsg);
if(!result)
state(conn, SMTP_AUTH_FINAL);
}
}
}
Curl_safefree(respmsg);
return result;
}
#endif
/* For AUTH XOAUTH2 (without initial response) responses */
static CURLcode smtp_state_auth_xoauth2_resp(struct connectdata *conn,
int smtpcode, smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
size_t len = 0;
char *xoauth = NULL;
(void)instate; /* no use for this yet */
if(smtpcode != 334) {
failf(data, "Access denied: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else {
/* Create the authorisation message */
result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
conn->xoauth2_bearer,
&xoauth, &len);
if(!result && xoauth) {
/* Send the message */
result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", xoauth);
if(!result)
state(conn, SMTP_AUTH_FINAL);
}
}
Curl_safefree(xoauth);
return result;
}
/* For AUTH cancellation responses */
static CURLcode smtp_state_auth_cancel_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct smtp_conn *smtpc = &conn->proto.smtpc;
const char *mech = NULL;
char *initresp = NULL;
size_t len = 0;
smtpstate state1 = SMTP_STOP;
smtpstate state2 = SMTP_STOP;
(void)smtpcode;
(void)instate; /* no use for this yet */
/* Remove the offending mechanism from the supported list */
smtpc->sasl.authmechs ^= smtpc->sasl.authused;
/* Calculate alternative SASL login details */
result = smtp_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
&state2);
if(!result) {
/* Do we have any mechanisms left? */
if(mech) {
/* Retry SASL based authentication */
result = smtp_perform_auth(conn, mech, initresp, len, state1, state2);
Curl_safefree(initresp);
}
else {
failf(data, "Authentication cancelled"); failf(data, "Authentication cancelled");
result = CURLE_LOGIN_DENIED; result = CURLE_LOGIN_DENIED;
break;
default:
break;
} }
}
return result;
}
/* For final responses in the AUTH sequence */
static CURLcode smtp_state_auth_final_resp(struct connectdata *conn,
int smtpcode,
smtpstate instate)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
(void)instate; /* no use for this yet */
if(smtpcode != 235) {
failf(data, "Authentication failed: %d", smtpcode);
result = CURLE_LOGIN_DENIED;
}
else
/* End of connect phase */
state(conn, SMTP_STOP);
return result; return result;
} }
@ -1582,69 +1041,8 @@ static CURLcode smtp_statemach_act(struct connectdata *conn)
result = smtp_state_starttls_resp(conn, smtpcode, smtpc->state); result = smtp_state_starttls_resp(conn, smtpcode, smtpc->state);
break; break;
case SMTP_AUTH_PLAIN: case SMTP_AUTH:
result = smtp_state_auth_plain_resp(conn, smtpcode, smtpc->state); result = smtp_state_auth_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_LOGIN:
result = smtp_state_auth_login_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_LOGIN_PASSWD:
result = smtp_state_auth_login_password_resp(conn, smtpcode,
smtpc->state);
break;
#ifndef CURL_DISABLE_CRYPTO_AUTH
case SMTP_AUTH_CRAMMD5:
result = smtp_state_auth_cram_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_DIGESTMD5:
result = smtp_state_auth_digest_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_DIGESTMD5_RESP:
result = smtp_state_auth_digest_resp_resp(conn, smtpcode, smtpc->state);
break;
#endif
#ifdef USE_NTLM
case SMTP_AUTH_NTLM:
result = smtp_state_auth_ntlm_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_NTLM_TYPE2MSG:
result = smtp_state_auth_ntlm_type2msg_resp(conn, smtpcode,
smtpc->state);
break;
#endif
#if defined(USE_KERBEROS5)
case SMTP_AUTH_GSSAPI:
result = smtp_state_auth_gssapi_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_GSSAPI_TOKEN:
result = smtp_state_auth_gssapi_token_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_GSSAPI_NO_DATA:
result = smtp_state_auth_gssapi_no_data_resp(conn, smtpcode,
smtpc->state);
break;
#endif
case SMTP_AUTH_XOAUTH2:
result = smtp_state_auth_xoauth2_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_CANCEL:
result = smtp_state_auth_cancel_resp(conn, smtpcode, smtpc->state);
break;
case SMTP_AUTH_FINAL:
result = smtp_state_auth_final_resp(conn, smtpcode, smtpc->state);
break; break;
case SMTP_COMMAND: case SMTP_COMMAND:
@ -1758,7 +1156,7 @@ static CURLcode smtp_connect(struct connectdata *conn, bool *done)
pp->conn = conn; pp->conn = conn;
/* Initialize the SASL storage */ /* Initialize the SASL storage */
Curl_sasl_init(&smtpc->sasl); Curl_sasl_init(&smtpc->sasl, &saslsmtp);
/* Initialise the pingpong layer */ /* Initialise the pingpong layer */
Curl_pp_init(pp); Curl_pp_init(pp);
@ -2172,110 +1570,6 @@ static CURLcode smtp_parse_custom_request(struct connectdata *conn)
return result; return result;
} }
/***********************************************************************
*
* smtp_calc_sasl_details()
*
* Calculate the required login details for SASL authentication.
*/
static CURLcode smtp_calc_sasl_details(struct connectdata *conn,
const char **mech,
char **initresp, size_t *len,
smtpstate *state1, smtpstate *state2)
{
CURLcode result = CURLE_OK;
struct SessionHandle *data = conn->data;
struct smtp_conn *smtpc = &conn->proto.smtpc;
/* Calculate the supported authentication mechanism, by decreasing order of
security, as well as the initial response where appropriate */
#if defined(USE_KERBEROS5)
if((smtpc->sasl.authmechs & SASL_MECH_GSSAPI) &&
(smtpc->sasl.prefmech & SASL_MECH_GSSAPI)) {
smtpc->sasl.mutual_auth = FALSE; /* TODO: Calculate mutual auth. */
*mech = SASL_MECH_STRING_GSSAPI;
*state1 = SMTP_AUTH_GSSAPI;
*state2 = SMTP_AUTH_GSSAPI_TOKEN;
smtpc->sasl.authused = SASL_MECH_GSSAPI;
if(data->set.sasl_ir)
result = Curl_sasl_create_gssapi_user_message(data, conn->user,
conn->passwd, "smtp",
smtpc->sasl.mutual_auth,
NULL, &conn->krb5,
initresp, len);
}
else
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if((smtpc->sasl.authmechs & SASL_MECH_DIGEST_MD5) &&
(smtpc->sasl.prefmech & SASL_MECH_DIGEST_MD5)) {
*mech = SASL_MECH_STRING_DIGEST_MD5;
*state1 = SMTP_AUTH_DIGESTMD5;
smtpc->sasl.authused = SASL_MECH_DIGEST_MD5;
}
else if((smtpc->sasl.authmechs & SASL_MECH_CRAM_MD5) &&
(smtpc->sasl.prefmech & SASL_MECH_CRAM_MD5)) {
*mech = SASL_MECH_STRING_CRAM_MD5;
*state1 = SMTP_AUTH_CRAMMD5;
smtpc->sasl.authused = SASL_MECH_CRAM_MD5;
}
else
#endif
#ifdef USE_NTLM
if((smtpc->sasl.authmechs & SASL_MECH_NTLM) &&
(smtpc->sasl.prefmech & SASL_MECH_NTLM)) {
*mech = SASL_MECH_STRING_NTLM;
*state1 = SMTP_AUTH_NTLM;
*state2 = SMTP_AUTH_NTLM_TYPE2MSG;
smtpc->sasl.authused = SASL_MECH_NTLM;
if(data->set.sasl_ir)
result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
&conn->ntlm,
initresp, len);
}
else
#endif
if(((smtpc->sasl.authmechs & SASL_MECH_XOAUTH2) &&
(smtpc->sasl.prefmech & SASL_MECH_XOAUTH2) &&
(smtpc->sasl.prefmech != SASL_AUTH_ANY)) || conn->xoauth2_bearer) {
*mech = SASL_MECH_STRING_XOAUTH2;
*state1 = SMTP_AUTH_XOAUTH2;
*state2 = SMTP_AUTH_FINAL;
smtpc->sasl.authused = SASL_MECH_XOAUTH2;
if(data->set.sasl_ir)
result = Curl_sasl_create_xoauth2_message(data, conn->user,
conn->xoauth2_bearer,
initresp, len);
}
else if((smtpc->sasl.authmechs & SASL_MECH_LOGIN) &&
(smtpc->sasl.prefmech & SASL_MECH_LOGIN)) {
*mech = SASL_MECH_STRING_LOGIN;
*state1 = SMTP_AUTH_LOGIN;
*state2 = SMTP_AUTH_LOGIN_PASSWD;
smtpc->sasl.authused = SASL_MECH_LOGIN;
if(data->set.sasl_ir)
result = Curl_sasl_create_login_message(data, conn->user, initresp, len);
}
else if((smtpc->sasl.authmechs & SASL_MECH_PLAIN) &&
(smtpc->sasl.prefmech & SASL_MECH_PLAIN)) {
*mech = SASL_MECH_STRING_PLAIN;
*state1 = SMTP_AUTH_PLAIN;
*state2 = SMTP_AUTH_FINAL;
smtpc->sasl.authused = SASL_MECH_PLAIN;
if(data->set.sasl_ir)
result = Curl_sasl_create_plain_message(data, conn->user, conn->passwd,
initresp, len);
}
return result;
}
CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread) CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
{ {
/* When sending a SMTP payload we must detect CRLF. sequences making sure /* When sending a SMTP payload we must detect CRLF. sequences making sure

View File

@ -37,20 +37,7 @@ typedef enum {
SMTP_STARTTLS, SMTP_STARTTLS,
SMTP_UPGRADETLS, /* asynchronously upgrade the connection to SSL/TLS SMTP_UPGRADETLS, /* asynchronously upgrade the connection to SSL/TLS
(multi mode only) */ (multi mode only) */
SMTP_AUTH_PLAIN, SMTP_AUTH,
SMTP_AUTH_LOGIN,
SMTP_AUTH_LOGIN_PASSWD,
SMTP_AUTH_CRAMMD5,
SMTP_AUTH_DIGESTMD5,
SMTP_AUTH_DIGESTMD5_RESP,
SMTP_AUTH_NTLM,
SMTP_AUTH_NTLM_TYPE2MSG,
SMTP_AUTH_GSSAPI,
SMTP_AUTH_GSSAPI_TOKEN,
SMTP_AUTH_GSSAPI_NO_DATA,
SMTP_AUTH_XOAUTH2,
SMTP_AUTH_CANCEL,
SMTP_AUTH_FINAL,
SMTP_COMMAND, /* VRFY, EXPN, NOOP, RSET and HELP */ SMTP_COMMAND, /* VRFY, EXPN, NOOP, RSET and HELP */
SMTP_MAIL, /* MAIL FROM */ SMTP_MAIL, /* MAIL FROM */
SMTP_RCPT, /* RCPT TO */ SMTP_RCPT, /* RCPT TO */