[Evolution-hackers] RFC: camel-sasl "try empty password first"
- From: David Woodhouse <dwmw2 infradead org>
- To: evolution-hackers gnome org
- Subject: [Evolution-hackers] RFC: camel-sasl "try empty password first"
- Date: Fri, 01 Apr 2011 23:46:37 +0100
I'm working on single-sign-on support for NTLM, where we don't actually
*know* the password, but just delegate the whole challenge/response
thing to a helper program.

That helper program is /usr/bin/ntlm_auth; the only current
implementation is the Samba one which works when you've logged into the
system using your Windows password and pam_winbind, but we're working on
a less baroque version that works {like,with} gnome-keyring, and there's
a simple hack at http://david.woodhou.se/ntlm_auth_v2.c for testing.

So I need a way to indicate that the authentication mechanism should be
tried once *without* a password, and then if that fails we should try
providing a password.

Thus the patch below. Anyone got a better suggestion for how to handle
it? A patch to actually use this facility in the NTLM authenticator will
follow, of course...

One alternative approach might be to stop letting the authenticators
look at service->url->passwd, and instead have an 'authenticate' signal
on the CamelSasl object, much the same way as libsoup does it.

But then I think we'd still have to have the users know somehow if that
authenticate signal had been called on the first attempt, to know when
to set the CAMEL_SESSION_PASSWORD_REPROMPT flag, etc. I suspect it would
be a lot of extra work for something that doesn't really end up looking
any prettier by the time it's working.

Hence the 'try_empty_password' flag, which is relatively simple.

Comments?

commit b1787a5f85cdc1e46fb6ccf0c57134fc34f4e12e
Author: David Woodhouse <David Woodhouse intel com>
Date: Fri Apr 1 23:25:05 2011 +0100
Add 'try_empty_password' flag to CamelServiceAuthType
NTLM will use this, to support single-sign-on using /usr/bin/ntlm_auth
diff --git a/camel/camel-sasl-anonymous.c b/camel/camel-sasl-anonymous.c
index dbbb500..850b1ea 100644
--- a/camel/camel-sasl-anonymous.c
+++ b/camel/camel-sasl-anonymous.c
@@ -37,6 +37,7 @@ CamelServiceAuthType camel_sasl_anonymous_authtype = {
N_("This option will connect to the server using an anonymous login."),
"ANONYMOUS",
+ FALSE,
FALSE
};
diff --git a/camel/camel-sasl-cram-md5.c b/camel/camel-sasl-cram-md5.c
index ae4bb16..54f9daa 100644
--- a/camel/camel-sasl-cram-md5.c
+++ b/camel/camel-sasl-cram-md5.c
@@ -48,6 +48,7 @@ CamelServiceAuthType camel_sasl_cram_md5_authtype = {
"secure CRAM-MD5 password, if the server supports it."),
"CRAM-MD5",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-digest-md5.c b/camel/camel-sasl-digest-md5.c
index ae12f7b..384f216 100644
--- a/camel/camel-sasl-digest-md5.c
+++ b/camel/camel-sasl-digest-md5.c
@@ -61,6 +61,7 @@ CamelServiceAuthType camel_sasl_digest_md5_authtype = {
"secure DIGEST-MD5 password, if the server supports it."),
"DIGEST-MD5",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-gssapi.c b/camel/camel-sasl-gssapi.c
index 61b3404..832c128 100644
--- a/camel/camel-sasl-gssapi.c
+++ b/camel/camel-sasl-gssapi.c
@@ -93,6 +93,7 @@ CamelServiceAuthType camel_sasl_gssapi_authtype = {
"Kerberos 5 authentication."),
"GSSAPI",
+ FALSE,
FALSE
};
diff --git a/camel/camel-sasl-login.c b/camel/camel-sasl-login.c
index de3aba4..465a8f7 100644
--- a/camel/camel-sasl-login.c
+++ b/camel/camel-sasl-login.c
@@ -42,6 +42,7 @@ CamelServiceAuthType camel_sasl_login_authtype = {
"simple password."),
"LOGIN",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-ntlm.c b/camel/camel-sasl-ntlm.c
index 6d2313a..a285214 100644
--- a/camel/camel-sasl-ntlm.c
+++ b/camel/camel-sasl-ntlm.c
@@ -44,6 +44,7 @@ CamelServiceAuthType camel_sasl_ntlm_authtype = {
"NTLM / Secure Password Authentication."),
"NTLM",
+ FALSE,
TRUE
};
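Review bot: The NTLM initializer gets FALSE in the new slot, so with this patch alone no mechanism sets try_empty_password and every new branch in the IMAP, IMAPX and SMTP code is unreachable. The commit message says NTLM will use this; either flip the value in the same commit as the ntlm_auth helper support, or say in the message that this commit is plumbing only, so that a bisect lands on the commit that actually changes behaviour.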
diff --git a/camel/camel-sasl-plain.c b/camel/camel-sasl-plain.c
index e27a6b9..5b1845d 100644
--- a/camel/camel-sasl-plain.c
+++ b/camel/camel-sasl-plain.c
@@ -46,6 +46,7 @@ CamelServiceAuthType camel_sasl_plain_authtype = {
"simple password."),
"PLAIN",
+ FALSE,
TRUE
};
diff --git a/camel/camel-sasl-popb4smtp.c b/camel/camel-sasl-popb4smtp.c
index 043291b..00ef7ff 100644
--- a/camel/camel-sasl-popb4smtp.c
+++ b/camel/camel-sasl-popb4smtp.c
@@ -49,6 +49,7 @@ CamelServiceAuthType camel_sasl_popb4smtp_authtype = {
"POPB4SMTP",
FALSE,
+ FALSE,
};
/* last time the pop was accessed (through the auth method anyway), *time_t */
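Review bot: In this initializer the new `FALSE,` is appended after the existing one, whereas every other camel-sasl-*.c hunk inserts it before the need_password value. Both values are FALSE so the result is the same, but the diff reads as if the new field were last in the struct. Designated initializers (`.try_empty_password = FALSE`, `.need_password = FALSE`) would remove the dependence on position here and in the other files.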
diff --git a/camel/camel-service.h b/camel/camel-service.h
index d1efa89..35cf1a9 100644
--- a/camel/camel-service.h
+++ b/camel/camel-service.h
@@ -137,6 +137,7 @@ typedef struct {
const gchar *description;
const gchar *authproto;
+ gboolean try_empty_password;
gboolean need_password; /* needs a password to authenticate */
} CamelServiceAuthType;
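Review bot: try_empty_password is inserted ahead of need_password in a struct that this same patch shows being filled by positional initializers, so any initializer not updated along with the header would have its need_password value land in try_empty_password and get need_password zero-filled, without a compiler error. Adding the field at the end of the struct keeps old initializers meaning what they meant, with the new flag defaulting to FALSE. The field also has no comment, unlike need_password next to it; one line saying that the first attempt is made without prompting and that a failure falls back to the password prompt would document the intended semantics.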
diff --git a/camel/providers/imap/camel-imap-store.c b/camel/providers/imap/camel-imap-store.c
index d241ee5..83188db 100644
--- a/camel/providers/imap/camel-imap-store.c
+++ b/camel/providers/imap/camel-imap-store.c
@@ -1143,9 +1143,9 @@ imap_auth_loop (CamelService *service, GError **error)
return FALSE;
}
- if (!authtype->need_password) {
+ if (!authtype->need_password || authtype->try_empty_password) {
authenticated = try_auth (store, authtype->authproto, error);
- if (!authenticated)
+ if (!authtype->try_empty_password && !authenticated)
return FALSE;
}
}
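Review bot: When try_empty_password is set and try_auth () fails, the code now falls through with whatever try_auth () stored in *error still in place. If try_auth () follows the usual GError convention and sets it on failure, the later password attempt will be writing into an already-set error; a g_clear_error (error) on this path would avoid that. The fall-through also treats every failure alike, so it is worth checking that a failure unrelated to credentials during the passwordless attempt does not go on to prompt the user for a password.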
diff --git a/camel/providers/imapx/camel-imapx-server.c b/camel/providers/imapx/camel-imapx-server.c
index 179252d..78ea5a9 100644
--- a/camel/providers/imapx/camel-imapx-server.c
+++ b/camel/providers/imapx/camel-imapx-server.c
@@ -2968,9 +2968,14 @@ imapx_reconnect (CamelIMAPXServer *is, GError **error)
gboolean authenticated = FALSE;
CamelServiceAuthType *authtype = NULL;
guint32 prompt_flags = CAMEL_SESSION_PASSWORD_SECRET;
+ gboolean need_password = TRUE;
while (!authenticated) {
- if (errbuf) {
+ if (authtype && authtype->try_empty_password && !need_password) {
+ need_password = TRUE;
+ g_free (errbuf);
+ errbuf = NULL;
+ } else if (errbuf) {
/* We need to un-cache the password before prompting again */
prompt_flags |= CAMEL_SESSION_PASSWORD_REPROMPT;
g_free (service->url->passwd);
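Review bot: In the new first branch of the loop, need_password carries two meanings: whether to prompt, and (when FALSE together with try_empty_password) that the attempt which just failed was the passwordless one. That makes the `authtype && authtype->try_empty_password && !need_password` test hard to read, and the branch has no comment while the else branch below it does. A short comment, or a separate boolean recording that the passwordless attempt has already been made, would make the loop state explicit. The branch also frees errbuf without reporting it, so the reason the helper-based attempt failed is lost; logging it at debug level before the g_free () would help when diagnosing single-sign-on failures.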
@@ -3004,9 +3009,12 @@ imapx_reconnect (CamelIMAPXServer *is, GError **error)
service->url->authmech);
goto exception;
}
+
+ if (authtype->try_empty_password || !authtype->need_password)
+ need_password = FALSE;
}
- if (service->url->passwd == NULL && (!authtype || authtype->need_password)) {
+ if (need_password && service->url->passwd == NULL) {
gchar *base_prompt;
gchar *full_prompt;
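Review bot: The new `need_password = FALSE` assignment sits inside the block that looks up authtype, and the visible context does not show whether that block runs once or on every pass of `while (!authenticated)`. If it runs on every pass, the top-of-loop branch sets need_password back to TRUE after a failed passwordless attempt and this assignment immediately clears it again, so the prompt guarded by `if (need_password && service->url->passwd == NULL)` is never reached and the loop keeps retrying without a password. Guarding the assignment so that it applies only before the first attempt would rule that out.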
diff --git a/camel/providers/smtp/camel-smtp-transport.c b/camel/providers/smtp/camel-smtp-transport.c
index 9f927ee..9d49ae9 100644
--- a/camel/providers/smtp/camel-smtp-transport.c
+++ b/camel/providers/smtp/camel-smtp-transport.c
@@ -465,12 +465,12 @@ smtp_connect (CamelService *service, GError **error)
return FALSE;
}
- if (!authtype->need_password) {
+ if (!authtype->need_password || authtype->try_empty_password) {
/* authentication mechanism doesn't need a password,
so if it fails there's nothing we can do */
authenticated = smtp_auth (
transport, authtype->authproto, error);
- if (!authenticated) {
+ if (!authtype->try_empty_password && !authenticated) {
camel_service_disconnect (service, TRUE, NULL);
return FALSE;
}
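Review bot: The comment kept at the top of this branch, "authentication mechanism doesn't need a password, so if it fails there's nothing we can do", no longer describes the code: with try_empty_password set, a failure is now expected and falls through to the password path. Update the comment to cover both cases, and consider clearing *error on the fall-through, since smtp_auth () may have set it and the subsequent password attempt will reuse the same GError.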
--
dwmw2