Plug in GSSAPI support.

2003-03-20  Jeffrey Stedfast  <fejj@ximian.com>

	* camel-sasl.c: Plug in GSSAPI support.

	* camel-sasl-gssapi.[c,h]: New source files implementing GSSAPI.

5 files changed, 420 insertions, 0 deletions

diff --git a/camel/ChangeLog b/camel/ChangeLog
index 60091ba22..943e80ed0 100644
--- a/camel/ChangeLog
+++ b/camel/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-20  Jeffrey Stedfast  <fejj@ximian.com>
+
+	* camel-sasl.c: Plug in GSSAPI support.
+
+	* camel-sasl-gssapi.[c,h]: New source files implementing GSSAPI.
+
 2003-03-13  Jeffrey Stedfast  <fejj@ximian.com>
 
 	* camel-mime-part.c (process_header): Use
diff --git a/camel/Makefile.am b/camel/Makefile.am
index 4bb0ddeba..c79045cdf 100644
--- a/camel/Makefile.am
+++ b/camel/Makefile.am
@@ -83,6 +83,7 @@ libcamel_la_SOURCES = 				\
 	camel-sasl-anonymous.c			\
 	camel-sasl-cram-md5.c			\
 	camel-sasl-digest-md5.c			\
+	camel-sasl-gssapi.c			\
 	camel-sasl-kerberos4.c			\
 	camel-sasl-login.c			\
 	camel-sasl-ntlm.c			\
@@ -184,6 +185,7 @@ libcamelinclude_HEADERS =			\
 	camel-sasl-anonymous.h			\
 	camel-sasl-cram-md5.h			\
 	camel-sasl-digest-md5.h			\
+	camel-sasl-gssapi.h			\
 	camel-sasl-kerberos4.h			\
 	camel-sasl-login.h			\
 	camel-sasl-ntlm.h			\
diff --git a/camel/camel-sasl-gssapi.c b/camel/camel-sasl-gssapi.c
new file mode 100644
index 000000000..d9a3f56f9
--- /dev/null
+++ b/camel/camel-sasl-gssapi.c
@@ -0,0 +1,336 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ *  Authors: Jeffrey Stedfast <fejj@ximian.com>
+ *
+ *  Copyright 2003 Ximian, Inc. (www.ximian.com)
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_KRB5
+
+#include <string.h>
+#include <et/com_err.h>
+#ifdef HAVE_MIT_KRB5
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_generic.h>
+#else /* HAVE_HEIMDAL_KRB5 */
+#include <gssapi.h>
+#endif
+#include <errno.h>
+
+#ifndef GSS_C_OID_KRBV5_DES
+#define GSS_C_OID_KRBV5_DES GSS_C_NO_OID
+#endif
+
+#include "camel-sasl-gssapi.h"
+
+CamelServiceAuthType camel_sasl_gssapi_authtype = {
+	N_("GSSAPI"),
+	
+	N_("This option will connect to the server using "
+	   "Kerberos 5 authentication."),
+	
+	"GSSAPI",
+	FALSE
+};
+
+enum {
+	GSSAPI_STATE_INIT,
+	GSSAPI_STATE_CONTINUE_NEEDED,
+	GSSAPI_STATE_COMPLETE,
+	GSSAPI_STATE_AUTHENTICATED
+};
+
+#define GSSAPI_SECURITY_LAYER_NONE       (1 << 0)
+#define GSSAPI_SECURITY_LAYER_INTEGRITY  (1 << 1)
+#define GSSAPI_SECURITY_LAYER_PRIVACY    (1 << 2)
+
+#define DESIRED_SECURITY_LAYER  GSSAPI_SECURITY_LAYER_NONE
+
+struct _CamelSaslGssapiPrivate {
+	int state;
+	gss_ctx_id_t ctx;
+	gss_name_t target;
+};
+
+
+static GByteArray *gssapi_challenge (CamelSasl *sasl, GByteArray *token, CamelException *ex);
+
+
+static CamelSaslClass *parent_class = NULL;
+
+
+static void
+camel_sasl_gssapi_class_init (CamelSaslGssapiClass *klass)
+{
+	CamelSaslClass *camel_sasl_class = CAMEL_SASL_CLASS (klass);
+	
+	parent_class = CAMEL_SASL_CLASS (camel_type_get_global_classfuncs (camel_sasl_get_type ()));
+	
+	/* virtual method overload */
+	camel_sasl_class->challenge = gssapi_challenge;
+}
+
+static void
+camel_sasl_gssapi_init (gpointer object, gpointer klass)
+{
+	CamelSaslGssapi *gssapi = CAMEL_SASL_GSSAPI (object);
+	
+	gssapi->priv = g_new (struct _CamelSaslGssapiPrivate, 1);
+	gssapi->priv->state = GSSAPI_STATE_INIT;
+	gssapi->priv->ctx = GSS_C_NO_CONTEXT;
+	gssapi->priv->target = GSS_C_NO_NAME;
+}
+
+static void
+camel_sasl_gssapi_finalize (CamelObject *object)
+{
+	CamelSaslGssapi *gssapi = CAMEL_SASL_GSSAPI (object);
+	guint32 status;
+	
+	if (gssapi->priv->ctx != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&status, gssapi->priv->ctx, GSS_C_NO_BUFFER);
+	
+	if (gssapi->priv->target != GSS_C_NO_NAME)
+		gss_release_name (&status, gssapi->priv->target);
+	
+	g_free (gssapi->priv);
+}
+
+
+CamelType
+camel_sasl_gssapi_get_type (void)
+{
+	static CamelType type = CAMEL_INVALID_TYPE;
+	
+	if (type == CAMEL_INVALID_TYPE) {
+		type = camel_type_register (
+			camel_sasl_get_type (),
+			"CamelSaslGssapi",
+			sizeof (CamelSaslGssapi),
+			sizeof (CamelSaslGssapiClass),
+			(CamelObjectClassInitFunc) camel_sasl_gssapi_class_init,
+			NULL,
+			(CamelObjectInitFunc) camel_sasl_gssapi_init,
+			(CamelObjectFinalizeFunc) camel_sasl_gssapi_finalize);
+	}
+	
+	return type;
+}
+
+static void
+gssapi_set_exception (OM_uint32 major, OM_uint32 minor, CamelException *ex)
+{
+	const char *str;
+	
+	switch (major) {
+	case GSS_S_BAD_MECH:
+		str = _("The specified mechanism is not supported by the "
+			"provided credential, or is unrecognized by the "
+			"implementation.");
+		break;
+	case GSS_S_BAD_NAME:
+		str = _("The provided target_name parameter was ill-formed.");
+		break;
+	case GSS_S_BAD_NAMETYPE:
+		str = _("The provided target_name parameter contained an "
+			"invalid or unsupported type of name.");
+		break;
+	case GSS_S_BAD_BINDINGS:
+		str = _("The input_token contains different channel "
+			"bindings to those specified via the "
+			"input_chan_bindings parameter.");
+		break;
+	case GSS_S_BAD_SIG:
+		str = _("The input_token contains an invalid signature, or a "
+			"signature that could not be verified.");
+		break;
+	case GSS_S_NO_CRED:
+		str = _("The supplied credentials were not valid for context "
+			"initiation, or the credential handle did not "
+			"reference any credentials.");
+		break;
+	case GSS_S_NO_CONTEXT:
+		str = _("The supplied context handle did not refer to a valid context.");
+		break;
+	case GSS_S_DEFECTIVE_TOKEN:
+		str = _("The consistency checks performed on the input_token failed.");
+		break;
+	case GSS_S_DEFECTIVE_CREDENTIAL:
+		str = _("The consistency checks performed on the credential failed.");
+		break;
+	case GSS_S_CREDENTIALS_EXPIRED:
+		str = _("The referenced credentials have expired.");
+		break;
+	case GSS_S_FAILURE:
+		str = error_message (minor);
+		break;
+	default:
+		str = _("Bad authentication response from server.");
+	}
+	
+	camel_exception_set (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE, str);
+}
+
+static GByteArray *
+gssapi_challenge (CamelSasl *sasl, GByteArray *token, CamelException *ex)
+{
+	struct _CamelSaslGssapiPrivate *priv = CAMEL_SASL_GSSAPI (sasl)->priv;
+	OM_uint32 major, minor, flags, time;
+	gss_buffer_desc inbuf, outbuf;
+	GByteArray *challenge = NULL;
+	gss_buffer_t input_token;
+	struct hostent *h;
+	int conf_state;
+	gss_qop_t qop;
+	gss_OID mech;
+	char *str;
+	
+	switch (priv->state) {
+	case GSSAPI_STATE_INIT:
+		if (!(h = camel_service_gethost (sasl->service, ex))) {
+			camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM,
+					      _("Failed to resolve host `%s': %s"),
+					      sasl->service->url->host, g_strerror (errno));
+			return NULL;
+		}
+		
+		str = g_strdup_printf ("%s@%s", sasl->service_name, h->h_name);
+		printf ("FQDN: %s (%s)\n", h->h_name, str);
+		camel_free_host (h);
+		
+		inbuf.value = str;
+		inbuf.length = strlen (str);
+		major = gss_import_name (&minor, &inbuf, gss_nt_service_name, &priv->target);
+		g_free (str);
+		
+		if (major != GSS_S_COMPLETE) {
+			gssapi_set_exception (major, minor, ex);
+			return NULL;
+		}
+		
+		input_token = GSS_C_NO_BUFFER;
+		
+		goto challenge;
+		break;
+	case GSSAPI_STATE_CONTINUE_NEEDED:
+		if (token == NULL) {
+			camel_exception_set (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE,
+					     _("Bad authentication response from server."));
+			return NULL;
+		}
+		
+		inbuf.value = token->data;
+		inbuf.length = token->len;
+		input_token = &inbuf;
+		
+	challenge:
+		major = gss_init_sec_context (&minor, GSS_C_NO_CREDENTIAL, &priv->ctx, priv->target,
+					      GSS_C_OID_KRBV5_DES, GSS_C_MUTUAL_FLAG |
+					      GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
+					      0, GSS_C_NO_CHANNEL_BINDINGS,
+					      input_token, &mech, &outbuf, &flags, &time);
+		
+		switch (major) {
+		case GSS_S_COMPLETE:
+			priv->state = GSSAPI_STATE_COMPLETE;
+			break;
+		case GSS_S_CONTINUE_NEEDED:
+			priv->state = GSSAPI_STATE_CONTINUE_NEEDED;
+			break;
+		default:
+			gssapi_set_exception (major, minor, ex);
+			printf ("gss_init_sec_context() exception\n");
+			gss_release_buffer (&minor, &outbuf);
+			return NULL;
+		}
+		
+		challenge = g_byte_array_new ();
+		g_byte_array_append (challenge, outbuf.value, outbuf.length);
+		gss_release_buffer (&minor, &outbuf);
+		break;
+	case GSSAPI_STATE_COMPLETE:
+		if (token == NULL) {
+			camel_exception_set (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE,
+					     _("Bad authentication response from server."));
+			return NULL;
+		}
+		
+		inbuf.value = token->data;
+		inbuf.length = token->len;
+		
+		major = gss_unwrap (&minor, priv->ctx, &inbuf, &outbuf, &conf_state, &qop);
+		if (major != GSS_S_COMPLETE) {
+			gssapi_set_exception (major, minor, ex);
+			printf ("gss_unwrap() exception\n");
+			gss_release_buffer (&minor, &outbuf);
+			return NULL;
+		}
+		
+		if (outbuf.length < 4) {
+			camel_exception_set (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE,
+					     _("Bad authentication response from server."));
+			gss_release_buffer (&minor, &outbuf);
+			return NULL;
+		}
+		
+		/* check that our desired security layer is supported */
+		if ((((unsigned char *) outbuf.value)[0] & DESIRED_SECURITY_LAYER) != DESIRED_SECURITY_LAYER) {
+			camel_exception_set (ex, CAMEL_EXCEPTION_SERVICE_CANT_AUTHENTICATE,
+					     _("Unsupported security layer."));
+			gss_release_buffer (&minor, &outbuf);
+			return NULL;
+		}
+		
+		inbuf.length = 4 + strlen (sasl->service->url->user);
+		inbuf.value = str = g_malloc (inbuf.length);
+		memcpy (inbuf.value, outbuf.value, 4);
+		str[0] = DESIRED_SECURITY_LAYER;
+		memcpy (str + 4, sasl->service->url->user, inbuf.length - 4);
+		gss_release_buffer (&minor, &outbuf);
+		
+		major = gss_wrap (&minor, priv->ctx, FALSE, qop, &inbuf, &conf_state, &outbuf);
+		if (major != 0) {
+			gssapi_set_exception (major, minor, ex);
+			printf ("gss_wrap() exception\n");
+			gss_release_buffer (&minor, &outbuf);
+			g_free (str);
+			return NULL;
+		}
+		
+		challenge = g_byte_array_new ();
+		g_byte_array_append (challenge, outbuf.value, outbuf.length);
+		gss_release_buffer (&minor, &outbuf);
+		
+		priv->state = GSSAPI_STATE_AUTHENTICATED;
+		
+		sasl->authenticated = TRUE;
+		break;
+	default:
+		printf ("unknown state exception\n");
+		return NULL;
+	}
+	
+	return challenge;
+}
+
+#endif /* HAVE_KRB5 */
diff --git a/camel/camel-sasl-gssapi.h b/camel/camel-sasl-gssapi.h
new file mode 100644
index 000000000..b4a3fbc1a
--- /dev/null
+++ b/camel/camel-sasl-gssapi.h
@@ -0,0 +1,64 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ *  Authors: Jeffrey Stedfast <fejj@ximian.com>
+ *
+ *  Copyright 2003 Ximian, Inc. (www.ximian.com)
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+
+#ifndef __CAMEL_SASL_GSSAPI_H__
+#define __CAMEL_SASL_GSSAPI_H__
+
+#ifdef __cplusplus
+extern "C" {
+#pragma }
+#endif /* __cplusplus */
+
+#include <sys/types.h>
+#include <camel/camel-sasl.h>
+
+#define CAMEL_SASL_GSSAPI_TYPE     (camel_sasl_gssapi_get_type ())
+#define CAMEL_SASL_GSSAPI(obj)     (CAMEL_CHECK_CAST((obj), CAMEL_SASL_GSSAPI_TYPE, CamelSaslGssapi))
+#define CAMEL_SASL_GSSAPI_CLASS(k) (CAMEL_CHECK_CLASS_CAST ((k), CAMEL_SASL_GSSAPI_TYPE, CamelSaslGssapiClass))
+#define CAMEL_IS_SASL_GSSAPI(o)    (CAMEL_CHECK_TYPE((o), CAMEL_SASL_GSSAPI_TYPE))
+
+typedef struct _CamelSaslGssapi CamelSaslGssapi;
+typedef struct _CamelSaslGssapiClass CamelSaslGssapiClass;
+
+struct _CamelSaslGssapi {
+	CamelSasl parent_object;
+	
+	struct _CamelSaslGssapiPrivate *priv;
+	
+};
+
+struct _CamelSaslGssapiClass {
+	CamelSaslClass parent_class;
+	
+};
+
+/* Standard Camel function */
+CamelType camel_sasl_gssapi_get_type (void);
+
+extern CamelServiceAuthType camel_sasl_gssapi_authtype;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __CAMEL_SASL_GSSAPI_H__ */
diff --git a/camel/camel-sasl.c b/camel/camel-sasl.c
index 6cc8a144e..ec070215c 100644
--- a/camel/camel-sasl.c
+++ b/camel/camel-sasl.c
@@ -31,6 +31,7 @@
 
 #include "camel-sasl-cram-md5.h"
 #include "camel-sasl-digest-md5.h"
+#include "camel-sasl-gssapi.h"
 #include "camel-sasl-kerberos4.h"
 #include "camel-sasl-login.h"
 #include "camel-sasl-plain.h"
@@ -193,6 +194,10 @@ camel_sasl_new (const char *service_name, const char *mechanism, CamelService *s
 		sasl = (CamelSasl *)camel_object_new (CAMEL_SASL_CRAM_MD5_TYPE);
 	else if (!strcmp (mechanism, "DIGEST-MD5"))
 		sasl = (CamelSasl *)camel_object_new (CAMEL_SASL_DIGEST_MD5_TYPE);
+#ifdef HAVE_KRB5
+	else if (!strcmp (mechanism, "GSSAPI"))
+		sasl = (CamelSasl *)camel_object_new (CAMEL_SASL_GSSAPI_TYPE);
+#endif
 #ifdef HAVE_KRB4
 	else if (!strcmp (mechanism, "KERBEROS_V4"))
 		sasl = (CamelSasl *)camel_object_new (CAMEL_SASL_KERBEROS4_TYPE);
@@ -230,6 +235,9 @@ camel_sasl_authtype_list (gboolean include_plain)
 	
 	types = g_list_prepend (types, &camel_sasl_cram_md5_authtype);
 	types = g_list_prepend (types, &camel_sasl_digest_md5_authtype);
+#ifdef HAVE_KRB5
+	types = g_list_prepend (types, &camel_sasl_gssapi_authtype);
+#endif
 #ifdef HAVE_KRB4
 	types = g_list_prepend (types, &camel_sasl_kerberos4_authtype);
 #endif
@@ -254,6 +262,10 @@ camel_sasl_authtype (const char *mechanism)
 		return &camel_sasl_cram_md5_authtype;
 	else if (!strcmp (mechanism, "DIGEST-MD5"))
 		return &camel_sasl_digest_md5_authtype;
+#ifdef HAVE_KRB5
+	else if (!strcmp (mechanism, "GSSAPI"))
+		return &camel_sasl_gssapi_authtype;
+#endif
 #ifdef HAVE_KRB4
 	else if (!strcmp (mechanism, "KERBEROS_V4"))
 		return &camel_sasl_kerberos4_authtype;