imap/pop3/smtp: Added support for SASL authentication downgrades

Added support for downgrading the SASL authentication mechanism when the
decoding of CRAM-MD5, DIGEST-MD5 and NTLM messages fails. This enhances
the previously added support for graceful cancellation by allowing the
client to retry a lesser SASL mechanism such as LOGIN or PLAIN, or even
APOP / clear text (in the case of POP3 and IMAP) when supported by the
server.

diff --git a/lib/imap.c b/lib/imap.c
index 37feff42986d43fb97c8de0f35c1485668b71030..bd03c76cde4be7b8f7d017767c322fb3f8138d7e 100644 (file)
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1307,14 +1307,45 @@ static CURLcode imap_state_auth_cancel_resp(struct connectdata *conn,
                                             int imapcode,
                                             imapstate instate)
 {
+  CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
+  struct imap_conn *imapc = &conn->proto.imapc;
+  const char *mech = NULL;
+  char *initresp = NULL;
+  size_t len = 0;
+  imapstate state1 = IMAP_STOP;
+  imapstate state2 = IMAP_STOP;
 
   (void)imapcode;
   (void)instate; /* no use for this yet */
 
-  failf(data, "Authentication cancelled");
+  /* Remove the offending mechanism from the supported list */
+  imapc->authmechs ^= imapc->authused;
+
+  /* Calculate alternative SASL login details */
+  result = imap_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+                                  &state2);
+
+  if(!result) {
+    /* Do we have any mechanisms left or can we fallback to clear text? */
+    if(mech) {
+      /* Retry SASL based authentication */
+      result = imap_perform_authenticate(conn, mech, initresp, state1, state2);
+
+      Curl_safefree(initresp);
+    }
+    else if((!imapc->login_disabled) &&
+            (imapc->preftype & IMAP_TYPE_CLEARTEXT))
+      /* Perform clear text authentication */
+      result = imap_perform_login(conn);
+    else {
+      failf(data, "Authentication cancelled");
+
+      result = CURLE_LOGIN_DENIED;
+    }
+  }
 
-  return CURLE_LOGIN_DENIED;
+  return result;
 }
 
 /* For final responses in the AUTHENTICATE sequence */

diff --git a/lib/pop3.c b/lib/pop3.c
index 1554f09cd3e5be74404997511fa8158dcc6df388..c2c151a93d42c76720caabc31df540a9e2af6c7d 100644 (file)
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -1161,14 +1161,52 @@ static CURLcode pop3_state_auth_cancel_resp(struct connectdata *conn,
                                             int pop3code,
                                             pop3state instate)
 {
+  CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
+  struct pop3_conn *pop3c = &conn->proto.pop3c;
+  const char *mech = NULL;
+  char *initresp = NULL;
+  size_t len = 0;
+  pop3state state1 = POP3_STOP;
+  pop3state state2 = POP3_STOP;
 
   (void)pop3code;
   (void)instate; /* no use for this yet */
 
-  failf(data, "Authentication cancelled");
+  /* Remove the offending mechanism from the supported list */
+  pop3c->authmechs ^= pop3c->authused;
+
+  /* Calculate alternative SASL login details */
+  result = pop3_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+                                  &state2);
+
+  if(!result) {
+    /* Do we have any mechanisms left or can we fallback to another
+       authentication type? */
+    if(mech) {
+      /* Retry SASL based authentication */
+      result = pop3_perform_auth(conn, mech, initresp, len, state1, state2);
+
+      Curl_safefree(initresp);
+    }
+#ifndef CURL_DISABLE_CRYPTO_AUTH
+    else if((pop3c->authtypes & POP3_TYPE_APOP) &&
+            (pop3c->preftype & POP3_TYPE_APOP))
+      /* Perform APOP authentication */
+      result = pop3_perform_apop(conn);
+#endif
+    else if((pop3c->authtypes & POP3_TYPE_CLEARTEXT) &&
+            (pop3c->preftype & POP3_TYPE_CLEARTEXT))
+      /* Perform clear text authentication */
+      result = pop3_perform_user(conn);
+    else {
+      failf(data, "Authentication cancelled");
+
+      result = CURLE_LOGIN_DENIED;
+    }
+  }
 
-  return CURLE_LOGIN_DENIED;
+  return result;
 }
 
 /* For final responses in the AUTH sequence */

diff --git a/lib/smtp.c b/lib/smtp.c
index 07fec11f9c05f548353664d51cc7e1a9d1e24bb8..f35f7537ecd9f5a4c627c4de0e119b8585017114 100644 (file)
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -1189,14 +1189,41 @@ static CURLcode smtp_state_auth_cancel_resp(struct connectdata *conn,
                                             int smtpcode,
                                             smtpstate instate)
 {
+  CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
+  struct smtp_conn *smtpc = &conn->proto.smtpc;
+  const char *mech = NULL;
+  char *initresp = NULL;
+  size_t len = 0;
+  smtpstate state1 = SMTP_STOP;
+  smtpstate state2 = SMTP_STOP;
 
   (void)smtpcode;
   (void)instate; /* no use for this yet */
 
-  failf(data, "Authentication cancelled");
+  /* Remove the offending mechanism from the supported list */
+  smtpc->authmechs ^= smtpc->authused;
+
+  /* Calculate alternative SASL login details */
+  result = smtp_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+                                  &state2);
 
-  return CURLE_LOGIN_DENIED;
+  if(!result) {
+    /* Do we have any mechanisms left? */
+    if(mech) {
+      /* Retry SASL based authentication */
+      result = smtp_perform_auth(conn, mech, initresp, len, state1, state2);
+
+      Curl_safefree(initresp);
+    }
+    else {
+      failf(data, "Authentication cancelled");
+
+      result = CURLE_LOGIN_DENIED;
+    }
+  }
+
+  return result;
 }
 
 /* For final responses in the AUTH sequence */

diff --git a/tests/data/test830 b/tests/data/test830
index edc3eb1e7f9289ebf9e45969d8e3a930e27cfea7..ff5586717e6161e62f2a55abc70c608c3c611542 100644 (file)
--- a/tests/data/test830
+++ b/tests/data/test830
@@ -12,6 +12,7 @@ RFC2195
 <reply>
 <servercmd>
 AUTH CRAM-MD5
+CAPA LOGINDISABLED
 REPLY AUTHENTICATE + Rubbish
 REPLY * A002 NO AUTH exchange cancelled by client
 </servercmd>

diff --git a/tests/data/test831 b/tests/data/test831
index 4963ba3720a3884b8f8728e19af4b271486ea980..51864db339fcdd2f8a11d3754570a232b3c54b25 100644 (file)
--- a/tests/data/test831
+++ b/tests/data/test831
@@ -11,6 +11,7 @@ IMAP AUTH NTLM
 <reply>
 <servercmd>
 AUTH NTLM
+CAPA LOGINDISABLED
 REPLY AUTHENTICATE +
 REPLY TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= + Rubbish
 REPLY * A002 NO AUTH exchange cancelled by client

diff --git a/tests/data/test832 b/tests/data/test832
index 6c54b304f6e2abc4cac09fff5de8463712415abe..edc910d21b7f89ae5d5f1a23f206ad77e690f555 100644 (file)
--- a/tests/data/test832
+++ b/tests/data/test832
@@ -12,6 +12,7 @@ RFC2831
 <reply>
 <servercmd>
 AUTH DIGEST-MD5
+CAPA LOGINDISABLED
 REPLY AUTHENTICATE + Rubbish
 REPLY * A002 NO AUTH exchange cancelled by client
 </servercmd>