Commit 48043f87 authored by Steve Holme's avatar Steve Holme
Browse files

imap/pop3/smtp: Added support for SASL authentication downgrades 

Added support for downgrading the SASL authentication mechanism when the
decoding of CRAM-MD5, DIGEST-MD5 and NTLM messages fails. This enhances
the previously added support for graceful cancellation by allowing the
client to retry a lesser SASL mechanism such as LOGIN or PLAIN, or even
APOP / clear text (in the case of POP3 and IMAP) when supported by the
server.
parent b7b126ee

lib/imap.c

+33 −2
Original line number Diff line number Diff line
@@ -1307,14 +1307,45 @@ static CURLcode imap_state_auth_cancel_resp(struct connectdata *conn, 
                                            int imapcode,

                                            imapstate instate)

{

  CURLcode result = CURLE_OK;

  struct SessionHandle *data = conn->data;

  struct imap_conn *imapc = &conn->proto.imapc;

  const char *mech = NULL;

  char *initresp = NULL;

  size_t len = 0;

  imapstate state1 = IMAP_STOP;

  imapstate state2 = IMAP_STOP;



  (void)imapcode;

  (void)instate; /* no use for this yet */



  /* Remove the offending mechanism from the supported list */

  imapc->authmechs ^= imapc->authused;



  /* Calculate alternative SASL login details */

  result = imap_calc_sasl_details(conn, &mech, &initresp, &len, &state1,

                                  &state2);



  if(!result) {

    /* Do we have any mechanisms left or can we fallback to clear text? */

    if(mech) {

      /* Retry SASL based authentication */

      result = imap_perform_authenticate(conn, mech, initresp, state1, state2);



      Curl_safefree(initresp);

    }

    else if((!imapc->login_disabled) &&

            (imapc->preftype & IMAP_TYPE_CLEARTEXT))

      /* Perform clear text authentication */

      result = imap_perform_login(conn);

    else {

      failf(data, "Authentication cancelled");



  return CURLE_LOGIN_DENIED;

      result = CURLE_LOGIN_DENIED;

    }

  }



  return result;

}



/* For final responses in the AUTHENTICATE sequence */

lib/pop3.c

+40 −2
Original line number Diff line number Diff line
@@ -1161,14 +1161,52 @@ static CURLcode pop3_state_auth_cancel_resp(struct connectdata *conn, 
                                            int pop3code,

                                            pop3state instate)

{

  CURLcode result = CURLE_OK;

  struct SessionHandle *data = conn->data;

  struct pop3_conn *pop3c = &conn->proto.pop3c;

  const char *mech = NULL;

  char *initresp = NULL;

  size_t len = 0;

  pop3state state1 = POP3_STOP;

  pop3state state2 = POP3_STOP;



  (void)pop3code;

  (void)instate; /* no use for this yet */



  /* Remove the offending mechanism from the supported list */

  pop3c->authmechs ^= pop3c->authused;



  /* Calculate alternative SASL login details */

  result = pop3_calc_sasl_details(conn, &mech, &initresp, &len, &state1,

                                  &state2);



  if(!result) {

    /* Do we have any mechanisms left or can we fallback to another

       authentication type? */

    if(mech) {

      /* Retry SASL based authentication */

      result = pop3_perform_auth(conn, mech, initresp, len, state1, state2);



      Curl_safefree(initresp);

    }

#ifndef CURL_DISABLE_CRYPTO_AUTH

    else if((pop3c->authtypes & POP3_TYPE_APOP) &&

            (pop3c->preftype & POP3_TYPE_APOP))

      /* Perform APOP authentication */

      result = pop3_perform_apop(conn);

#endif

    else if((pop3c->authtypes & POP3_TYPE_CLEARTEXT) &&

            (pop3c->preftype & POP3_TYPE_CLEARTEXT))

      /* Perform clear text authentication */

      result = pop3_perform_user(conn);

    else {

      failf(data, "Authentication cancelled");



  return CURLE_LOGIN_DENIED;

      result = CURLE_LOGIN_DENIED;

    }

  }



  return result;

}



/* For final responses in the AUTH sequence */

lib/smtp.c

+29 −2
Original line number Diff line number Diff line
@@ -1189,14 +1189,41 @@ static CURLcode smtp_state_auth_cancel_resp(struct connectdata *conn, 
                                            int smtpcode,

                                            smtpstate instate)

{

  CURLcode result = CURLE_OK;

  struct SessionHandle *data = conn->data;

  struct smtp_conn *smtpc = &conn->proto.smtpc;

  const char *mech = NULL;

  char *initresp = NULL;

  size_t len = 0;

  smtpstate state1 = SMTP_STOP;

  smtpstate state2 = SMTP_STOP;



  (void)smtpcode;

  (void)instate; /* no use for this yet */



  /* Remove the offending mechanism from the supported list */

  smtpc->authmechs ^= smtpc->authused;



  /* Calculate alternative SASL login details */

  result = smtp_calc_sasl_details(conn, &mech, &initresp, &len, &state1,

                                  &state2);



  if(!result) {

    /* Do we have any mechanisms left? */

    if(mech) {

      /* Retry SASL based authentication */

      result = smtp_perform_auth(conn, mech, initresp, len, state1, state2);



      Curl_safefree(initresp);

    }

    else {

      failf(data, "Authentication cancelled");



  return CURLE_LOGIN_DENIED;

      result = CURLE_LOGIN_DENIED;

    }

  }



  return result;

}



/* For final responses in the AUTH sequence */

tests/data/test830

+1 −0
Original line number Diff line number Diff line
@@ -12,6 +12,7 @@ RFC2195 
<reply>

<servercmd>

AUTH CRAM-MD5

CAPA LOGINDISABLED

REPLY AUTHENTICATE + Rubbish

REPLY * A002 NO AUTH exchange cancelled by client

</servercmd>

tests/data/test831

+1 −0
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ IMAP AUTH NTLM 
<reply>

<servercmd>

AUTH NTLM

CAPA LOGINDISABLED

REPLY AUTHENTICATE +

REPLY TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= + Rubbish

REPLY * A002 NO AUTH exchange cancelled by client