imap/pop3/smtp: Added support for SASL authentication downgrades

Added support for downgrading the SASL authentication mechanism when the decoding of CRAM-MD5, DIGEST-MD5 and NTLM messages fails. This enhances the previously added support for graceful cancellation by allowing the client to retry a lesser SASL mechanism such as LOGIN or PLAIN, or even APOP / clear text (in the case of POP3 and IMAP) when supported by the server.
2013-12-18 20:44:20 +00:00
parent b7b126ee41
commit 48043f87b6
6 changed files with 105 additions and 6 deletions
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -1189,14 +1189,41 @@ static CURLcode smtp_state_auth_cancel_resp(struct connectdata *conn,
                                            int smtpcode,
                                            smtpstate instate)
 {
+  CURLcode result = CURLE_OK;
  struct SessionHandle *data = conn->data;
+  struct smtp_conn *smtpc = &conn->proto.smtpc;
+  const char *mech = NULL;
+  char *initresp = NULL;
+  size_t len = 0;
+  smtpstate state1 = SMTP_STOP;
+  smtpstate state2 = SMTP_STOP;

  (void)smtpcode;
  (void)instate; /* no use for this yet */

-  failf(data, "Authentication cancelled");
+  /* Remove the offending mechanism from the supported list */
+  smtpc->authmechs ^= smtpc->authused;

-  return CURLE_LOGIN_DENIED;
+  /* Calculate alternative SASL login details */
+  result = smtp_calc_sasl_details(conn, &mech, &initresp, &len, &state1,
+                                  &state2);
+
+  if(!result) {
+    /* Do we have any mechanisms left? */
+    if(mech) {
+      /* Retry SASL based authentication */
+      result = smtp_perform_auth(conn, mech, initresp, len, state1, state2);
+
+      Curl_safefree(initresp);
+    }
+    else {
+      failf(data, "Authentication cancelled");
+
+      result = CURLE_LOGIN_DENIED;
+    }
+  }
+
+  return result;
 }

 /* For final responses in the AUTH sequence */