/* mutt_sasl_cb_authname: callback to retrieve authname or user from ACCOUNT */
static int mutt_sasl_cb_authname (void *context, int id, const char **result,
unsigned *len)
{
ACCOUNT *account = (ACCOUNT *) context;
*result = NULL;
if (len)
*len = 0;
if (!account)
return SASL_BADPARAM;
debug_print (2, ("getting %s for %s:%u\n",
id == SASL_CB_AUTHNAME ? "authname" : "user",
account->host, account->port));
if (id == SASL_CB_AUTHNAME) {
if (mutt_account_getlogin (account))
return SASL_FAIL;
*result = account->login;
} else {
if (mutt_account_getuser (account))
return SASL_FAIL;
*result = account->user;
}
if (len)
*len = str_len (*result);
return SASL_OK;
}
int mutt_account_getlogin (ACCOUNT* account)
{
/* already set */
if (account->flags & M_ACCT_LOGIN)
return 0;
#ifdef USE_IMAP
else if (account->type == M_ACCT_TYPE_IMAP)
{
if (ImapLogin)
{
strfcpy (account->login, ImapLogin, sizeof (account->login));
account->flags |= M_ACCT_LOGIN;
}
}
#endif
if (!(account->flags & M_ACCT_LOGIN))
{
mutt_account_getuser (account);
strfcpy (account->login, account->user, sizeof (account->login));
}
account->flags |= M_ACCT_LOGIN;
return 0;
}
/* imap_auth_login: Plain LOGIN support */
imap_auth_res_t imap_auth_login (IMAP_DATA* idata, const char* method)
{
char q_user[SHORT_STRING], q_pass[SHORT_STRING];
char buf[STRING];
int rc;
if (bit_val(idata->capabilities, LOGINDISABLED))
{
mutt_message("LOGIN disabled on this server.");
return IMAP_AUTH_UNAVAIL;
}
if (mutt_account_getuser (&idata->conn->account))
return IMAP_AUTH_FAILURE;
if (mutt_account_getpass (&idata->conn->account))
return IMAP_AUTH_FAILURE;
mutt_message("Logging in...");
imap_quote_string (q_user, sizeof (q_user), idata->conn->account.user);
imap_quote_string (q_pass, sizeof (q_pass), idata->conn->account.pass);
snprintf (buf, sizeof (buf), "LOGIN %s %s", q_user, q_pass);
rc = imap_exec (idata, buf, IMAP_CMD_FAIL_OK | IMAP_CMD_PASS);
if (!rc)
{
mutt_clear_error(); /* clear "Logging in...". fixes #3524 */
return IMAP_AUTH_SUCCESS;
}
mutt_error("Login failed.");
mutt_sleep (2);
return IMAP_AUTH_FAILURE;
}
static void tls_get_client_cert (CONNECTION* conn)
{
tlssockdata *data = conn->sockdata;
const gnutls_datum_t* crtdata;
gnutls_x509_crt_t clientcrt;
char* dn;
char* cn;
char* cnend;
size_t dnlen;
/* get our cert CN if we have one */
if (!(crtdata = gnutls_certificate_get_ours (data->state)))
return;
if (gnutls_x509_crt_init (&clientcrt) < 0)
{
dprint (1, (debugfile, "Failed to init gnutls crt\n"));
return;
}
if (gnutls_x509_crt_import (clientcrt, crtdata, GNUTLS_X509_FMT_DER) < 0)
{
dprint (1, (debugfile, "Failed to import gnutls client crt\n"));
goto err_crt;
}
/* get length of DN */
dnlen = 0;
gnutls_x509_crt_get_dn (clientcrt, NULL, &dnlen);
if (!(dn = calloc (1, dnlen)))
{
dprint (1, (debugfile, "could not allocate DN\n"));
goto err_crt;
}
gnutls_x509_crt_get_dn (clientcrt, dn, &dnlen);
dprint (2, (debugfile, "client certificate DN: %s\n", dn));
/* extract CN to use as external user name */
if (!(cn = strstr (dn, "CN=")))
{
dprint (1, (debugfile, "no CN found in DN\n"));
goto err_dn;
}
cn += 3;
if ((cnend = strstr (dn, ",EMAIL=")))
*cnend = '\0';
/* if we are using a client cert, SASL may expect an external auth name */
mutt_account_getuser (&conn->account);
err_dn:
FREE (&dn);
err_crt:
gnutls_x509_crt_deinit (clientcrt);
}
/**
* tls_get_client_cert - Get the client certificate for a TLS connection
* @param conn Connection to a server
*/
static void tls_get_client_cert(struct Connection *conn)
{
struct TlsSockData *data = conn->sockdata;
gnutls_x509_crt_t clientcrt;
char *dn = NULL;
char *cn = NULL;
char *cnend = NULL;
size_t dnlen;
/* get our cert CN if we have one */
const gnutls_datum_t *crtdata = gnutls_certificate_get_ours(data->state);
if (!crtdata)
return;
if (gnutls_x509_crt_init(&clientcrt) < 0)
{
mutt_debug(LL_DEBUG1, "Failed to init gnutls crt\n");
return;
}
if (gnutls_x509_crt_import(clientcrt, crtdata, GNUTLS_X509_FMT_DER) < 0)
{
mutt_debug(LL_DEBUG1, "Failed to import gnutls client crt\n");
goto err_crt;
}
/* get length of DN */
dnlen = 0;
gnutls_x509_crt_get_dn(clientcrt, NULL, &dnlen);
dn = mutt_mem_calloc(1, dnlen);
gnutls_x509_crt_get_dn(clientcrt, dn, &dnlen);
mutt_debug(LL_DEBUG2, "client certificate DN: %s\n", dn);
/* extract CN to use as external user name */
cn = strstr(dn, "CN=");
if (!cn)
{
mutt_debug(LL_DEBUG1, "no CN found in DN\n");
goto err_dn;
}
cnend = strstr(dn, ",EMAIL=");
if (cnend)
*cnend = '\0';
/* if we are using a client cert, SASL may expect an external auth name */
if (mutt_account_getuser(&conn->account) < 0)
mutt_debug(LL_DEBUG1, "Couldn't get user info\n");
err_dn:
FREE(&dn);
err_crt:
gnutls_x509_crt_deinit(clientcrt);
}
static void ssl_get_client_cert(sslsockdata *ssldata, CONNECTION *conn)
{
if (SslClientCert) {
dprint (2, (debugfile, "Using client certificate %s\n", SslClientCert));
SSL_CTX_set_default_passwd_cb_userdata(ssldata->ctx, &conn->account);
SSL_CTX_set_default_passwd_cb(ssldata->ctx, ssl_passwd_cb);
SSL_CTX_use_certificate_file(ssldata->ctx, SslClientCert, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ssldata->ctx, SslClientCert, SSL_FILETYPE_PEM);
/* if we are using a client cert, SASL may expect an external auth name */
mutt_account_getuser (&conn->account);
}
}
static int ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
ACCOUNT *account = (ACCOUNT*)userdata;
if (mutt_account_getuser (account))
return 0;
dprint (2, (debugfile, "ssl_passwd_cb: getting password for %s@%s:%u\n",
account->user, account->host, account->port));
if (mutt_account_getpass (account))
return 0;
return snprintf(buf, size, "%s", account->pass);
}
/**
* ssl_get_client_cert - Get the client certificate for an SSL connection
* @param ssldata SSL socket data
* @param conn Connection to a server
*/
static void ssl_get_client_cert(struct SslSockData *ssldata, struct Connection *conn)
{
if (!C_SslClientCert)
return;
mutt_debug(LL_DEBUG2, "Using client certificate %s\n", C_SslClientCert);
SSL_CTX_set_default_passwd_cb_userdata(ssldata->sctx, &conn->account);
SSL_CTX_set_default_passwd_cb(ssldata->sctx, ssl_passwd_cb);
SSL_CTX_use_certificate_file(ssldata->sctx, C_SslClientCert, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ssldata->sctx, C_SslClientCert, SSL_FILETYPE_PEM);
/* if we are using a client cert, SASL may expect an external auth name */
if (mutt_account_getuser(&conn->account) < 0)
mutt_debug(LL_DEBUG1, "Couldn't get user info\n");
}
/**
* ssl_passwd_cb - Callback to get a password
* @param buf Buffer for the password
* @param buflen Length of the buffer
* @param rwflag 0 if writing, 1 if reading (UNUSED)
* @param userdata ConnAccount whose password is requested
* @retval >0 Success, number of chars written to buf
* @retval 0 Error
*/
static int ssl_passwd_cb(char *buf, int buflen, int rwflag, void *userdata)
{
struct ConnAccount *account = userdata;
if (mutt_account_getuser(account) < 0)
return 0;
mutt_debug(LL_DEBUG2, "getting password for %s@%s:%u\n", account->user,
account->host, account->port);
if (mutt_account_getpass(account) < 0)
return 0;
return snprintf(buf, buflen, "%s", account->pass);
}
int mutt_account_getlogin(ACCOUNT *account)
{
/* already set */
if (account->flags & M_ACCT_LOGIN)
return 0;
if (!(account->flags & M_ACCT_LOGIN)) {
mutt_account_getuser(account);
strfcpy(account->login, account->user, sizeof(account->login));
}
account->flags |= M_ACCT_LOGIN;
return 0;
}
/* this is basically a stripped-down version of the cram-md5 method. */
imap_auth_res_t imap_auth_anon (IMAP_DATA* idata, const char* method)
{
int rc;
if (!mutt_bit_isset (idata->capabilities, AUTH_ANON))
return IMAP_AUTH_UNAVAIL;
if (mutt_account_getuser (&idata->conn->account))
return IMAP_AUTH_FAILURE;
if (idata->conn->account.user[0] != '\0')
return IMAP_AUTH_UNAVAIL;
mutt_message _("Authenticating (anonymous)...");
imap_cmd_start (idata, "AUTHENTICATE ANONYMOUS");
do
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND)
{
dprint (1, (debugfile, "Invalid response from server.\n"));
goto bail;
}
mutt_socket_write (idata->conn, "ZHVtbXkK\r\n"); /* base64 ("dummy") */
do
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_OK)
{
dprint (1, (debugfile, "Error receiving server response.\n"));
goto bail;
}
if (imap_code (idata->buf))
return IMAP_AUTH_SUCCESS;
bail:
mutt_error _("Anonymous authentication failed.");
mutt_sleep (2);
return IMAP_AUTH_FAILURE;
}
/* imap_auth_login: Plain LOGIN support */
imap_auth_res_t imap_auth_login (IMAP_DATA* idata, const char* method)
{
char q_user[SHORT_STRING], q_pass[SHORT_STRING];
char buf[STRING];
int rc;
if (mutt_bit_isset (idata->capabilities, LOGINDISABLED))
{
mutt_message _("LOGIN disabled on this server.");
return IMAP_AUTH_UNAVAIL;
}
if (mutt_account_getuser (&idata->conn->account))
return IMAP_AUTH_FAILURE;
if (mutt_account_getpass (&idata->conn->account))
return IMAP_AUTH_FAILURE;
mutt_message _("Logging in...");
imap_quote_string (q_user, sizeof (q_user), idata->conn->account.user);
imap_quote_string (q_pass, sizeof (q_pass), idata->conn->account.pass);
#ifdef DEBUG
/* don't print the password unless we're at the ungodly debugging level
* of 5 or higher */
if (debuglevel < IMAP_LOG_PASS)
dprint (2, (debugfile, "Sending LOGIN command for %s...\n",
idata->conn->account.user));
#endif
snprintf (buf, sizeof (buf), "LOGIN %s %s", q_user, q_pass);
rc = imap_exec (idata, buf, IMAP_CMD_FAIL_OK | IMAP_CMD_PASS);
if (!rc)
return IMAP_AUTH_SUCCESS;
mutt_error _("Login failed.");
mutt_sleep (2);
return IMAP_AUTH_FAILURE;
}
/* imap_auth_sasl: Default authenticator if available. */
imap_auth_res_t imap_auth_sasl (IMAP_DATA* idata, const char* method)
{
sasl_conn_t* saslconn;
sasl_interact_t* interaction = NULL;
int rc, irc;
char buf[HUGE_STRING];
const char* mech;
const char *pc = NULL;
unsigned int len, olen;
unsigned char client_start;
if (mutt_sasl_client_new (idata->conn, &saslconn) < 0)
{
dprint (1, (debugfile,
"imap_auth_sasl: Error allocating SASL connection.\n"));
return IMAP_AUTH_FAILURE;
}
rc = SASL_FAIL;
/* If the user hasn't specified a method, use any available */
if (!method)
{
method = idata->capstr;
/* hack for SASL ANONYMOUS support:
* 1. Fetch username. If it's "" or "anonymous" then
* 2. attempt sasl_client_start with only "AUTH=ANONYMOUS" capability
* 3. if sasl_client_start fails, fall through... */
if (mutt_account_getuser (&idata->conn->account))
return IMAP_AUTH_FAILURE;
if (mutt_bit_isset (idata->capabilities, AUTH_ANON) &&
(!idata->conn->account.user[0] ||
!ascii_strncmp (idata->conn->account.user, "anonymous", 9)))
rc = sasl_client_start (saslconn, "AUTH=ANONYMOUS", NULL, &pc, &olen,
&mech);
} else if (!ascii_strcasecmp ("login", method) &&
!strstr (NONULL (idata->capstr), "AUTH=LOGIN"))
/* do not use SASL login for regular IMAP login (#3556) */
return IMAP_AUTH_UNAVAIL;
if (rc != SASL_OK && rc != SASL_CONTINUE)
do
{
rc = sasl_client_start (saslconn, method, &interaction,
&pc, &olen, &mech);
if (rc == SASL_INTERACT)
mutt_sasl_interact (interaction);
}
while (rc == SASL_INTERACT);
client_start = (olen > 0);
if (rc != SASL_OK && rc != SASL_CONTINUE)
{
if (method)
dprint (2, (debugfile, "imap_auth_sasl: %s unavailable\n", method));
else
dprint (1, (debugfile, "imap_auth_sasl: Failure starting authentication exchange. No shared mechanisms?\n"));
/* SASL doesn't support LOGIN, so fall back */
return IMAP_AUTH_UNAVAIL;
}
mutt_message (_("Authenticating (%s)..."), mech);
snprintf (buf, sizeof (buf), "AUTHENTICATE %s", mech);
if (mutt_bit_isset (idata->capabilities, SASL_IR) && client_start)
{
len = mutt_strlen (buf);
buf[len++] = ' ';
if (sasl_encode64 (pc, olen, buf + len, sizeof (buf) - len, &olen) != SASL_OK)
{
dprint (1, (debugfile, "imap_auth_sasl: error base64-encoding client response.\n"));
goto bail;
}
client_start = olen = 0;
}
imap_cmd_start (idata, buf);
irc = IMAP_CMD_CONTINUE;
/* looping protocol */
while (rc == SASL_CONTINUE || olen > 0)
{
do
irc = imap_cmd_step (idata);
while (irc == IMAP_CMD_CONTINUE);
if (irc == IMAP_CMD_BAD || irc == IMAP_CMD_NO)
goto bail;
if (irc == IMAP_CMD_RESPOND)
{
/* Exchange incorrectly returns +\r\n instead of + \r\n */
if (idata->buf[1] == '\0')
{
buf[0] = '\0';
len = 0;
}
else if (sasl_decode64 (idata->buf+2, strlen (idata->buf+2), buf,
LONG_STRING-1, &len) != SASL_OK)
{
dprint (1, (debugfile, "imap_auth_sasl: error base64-decoding server response.\n"));
goto bail;
}
}
/* client-start is only available with the SASL-IR extension, but
* SASL 2.1 seems to want to use it regardless, at least for DIGEST
* fast reauth. Override if the server sent an initial continuation */
if (!client_start || buf[0])
{
do
{
rc = sasl_client_step (saslconn, buf, len, &interaction, &pc, &olen);
if (rc == SASL_INTERACT)
mutt_sasl_interact (interaction);
}
while (rc == SASL_INTERACT);
}
else
client_start = 0;
/* send out response, or line break if none needed */
if (olen)
{
if (sasl_encode64 (pc, olen, buf, sizeof (buf), &olen) != SASL_OK)
{
dprint (1, (debugfile, "imap_auth_sasl: error base64-encoding client response.\n"));
goto bail;
}
}
if (irc == IMAP_CMD_RESPOND)
{
strfcpy (buf + olen, "\r\n", sizeof (buf) - olen);
mutt_socket_write (idata->conn, buf);
}
/* If SASL has errored out, send an abort string to the server */
if (rc < 0)
{
mutt_socket_write (idata->conn, "*\r\n");
dprint (1, (debugfile, "imap_auth_sasl: sasl_client_step error %d\n",rc));
}
olen = 0;
}
while (irc != IMAP_CMD_OK)
if ((irc = imap_cmd_step (idata)) != IMAP_CMD_CONTINUE)
break;
if (rc != SASL_OK)
goto bail;
if (imap_code (idata->buf))
{
mutt_sasl_setup_conn (idata->conn, saslconn);
return IMAP_AUTH_SUCCESS;
}
bail:
sasl_dispose (&saslconn);
if (method)
{
dprint (2, (debugfile, "imap_auth_sasl: %s failed\n", method));
return IMAP_AUTH_UNAVAIL;
}
mutt_error _("SASL authentication failed.");
mutt_sleep(2);
return IMAP_AUTH_FAILURE;
}
/**
* imap_auth_gss - GSS Authentication support
* @param adata Imap Account data
* @param method Name of this authentication method
* @retval enum Result, e.g. #IMAP_AUTH_SUCCESS
*/
enum ImapAuthRes imap_auth_gss(struct ImapAccountData *adata, const char *method)
{
gss_buffer_desc request_buf, send_token;
gss_buffer_t sec_token;
gss_name_t target_name;
gss_ctx_id_t context;
gss_OID mech_name;
char server_conf_flags;
gss_qop_t quality;
int cflags;
OM_uint32 maj_stat, min_stat;
unsigned long buf_size;
int rc, retval = IMAP_AUTH_FAILURE;
if (!(adata->capabilities & IMAP_CAP_AUTH_GSSAPI))
return IMAP_AUTH_UNAVAIL;
if (mutt_account_getuser(&adata->conn->account) < 0)
return IMAP_AUTH_FAILURE;
struct Buffer *buf1 = mutt_buffer_pool_get();
struct Buffer *buf2 = mutt_buffer_pool_get();
/* get an IMAP service ticket for the server */
mutt_buffer_printf(buf1, "imap@%s", adata->conn->account.host);
request_buf.value = buf1->data;
request_buf.length = mutt_buffer_len(buf1);
maj_stat = gss_import_name(&min_stat, &request_buf, gss_nt_service_name, &target_name);
if (maj_stat != GSS_S_COMPLETE)
{
mutt_debug(LL_DEBUG2, "Couldn't get service name for [%s]\n", buf1);
retval = IMAP_AUTH_UNAVAIL;
goto cleanup;
}
else if (C_DebugLevel >= 2)
{
gss_display_name(&min_stat, target_name, &request_buf, &mech_name);
mutt_debug(LL_DEBUG2, "Using service name [%s]\n", (char *) request_buf.value);
gss_release_buffer(&min_stat, &request_buf);
}
/* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
sec_token = GSS_C_NO_BUFFER;
context = GSS_C_NO_CONTEXT;
/* build token */
maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, &context, target_name,
GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
0, GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,
&send_token, (unsigned int *) &cflags, NULL);
if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
{
print_gss_error(maj_stat, min_stat);
mutt_debug(LL_DEBUG1, "Error acquiring credentials - no TGT?\n");
gss_release_name(&min_stat, &target_name);
retval = IMAP_AUTH_UNAVAIL;
goto cleanup;
}
/* now begin login */
mutt_message(_("Authenticating (GSSAPI)..."));
imap_cmd_start(adata, "AUTHENTICATE GSSAPI");
/* expect a null continuation response ("+") */
do
rc = imap_cmd_step(adata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND)
{
mutt_debug(LL_DEBUG2, "Invalid response from server: %s\n", buf1);
gss_release_name(&min_stat, &target_name);
goto bail;
}
/* now start the security context initialisation loop... */
mutt_debug(LL_DEBUG2, "Sending credentials\n");
mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
gss_release_buffer(&min_stat, &send_token);
mutt_buffer_addstr(buf1, "\r\n");
mutt_socket_send(adata->conn, mutt_b2s(buf1));
while (maj_stat == GSS_S_CONTINUE_NEEDED)
{
/* Read server data */
do
rc = imap_cmd_step(adata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND)
{
mutt_debug(LL_DEBUG1, "#1 Error receiving server response\n");
gss_release_name(&min_stat, &target_name);
goto bail;
}
if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)
{
mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");
gss_release_name(&min_stat, &target_name);
goto err_abort_cmd;
}
request_buf.value = buf2->data;
request_buf.length = mutt_buffer_len(buf2);
sec_token = &request_buf;
/* Write client data */
maj_stat = gss_init_sec_context(
&min_stat, GSS_C_NO_CREDENTIAL, &context, target_name, GSS_C_NO_OID,
GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS,
sec_token, NULL, &send_token, (unsigned int *) &cflags, NULL);
if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
{
print_gss_error(maj_stat, min_stat);
mutt_debug(LL_DEBUG1, "Error exchanging credentials\n");
gss_release_name(&min_stat, &target_name);
goto err_abort_cmd;
}
mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
gss_release_buffer(&min_stat, &send_token);
mutt_buffer_addstr(buf1, "\r\n");
mutt_socket_send(adata->conn, mutt_b2s(buf1));
}
gss_release_name(&min_stat, &target_name);
/* get security flags and buffer size */
do
rc = imap_cmd_step(adata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND)
{
mutt_debug(LL_DEBUG1, "#2 Error receiving server response\n");
goto bail;
}
if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)
{
mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");
goto err_abort_cmd;
}
request_buf.value = buf2->data;
request_buf.length = mutt_buffer_len(buf2);
maj_stat = gss_unwrap(&min_stat, context, &request_buf, &send_token, &cflags, &quality);
if (maj_stat != GSS_S_COMPLETE)
{
print_gss_error(maj_stat, min_stat);
mutt_debug(LL_DEBUG2, "Couldn't unwrap security level data\n");
gss_release_buffer(&min_stat, &send_token);
goto err_abort_cmd;
}
mutt_debug(LL_DEBUG2, "Credential exchange complete\n");
/* first octet is security levels supported. We want NONE */
server_conf_flags = ((char *) send_token.value)[0];
if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE))
{
mutt_debug(LL_DEBUG2, "Server requires integrity or privacy\n");
gss_release_buffer(&min_stat, &send_token);
goto err_abort_cmd;
}
/* we don't care about buffer size if we don't wrap content. But here it is */
((char *) send_token.value)[0] = '\0';
buf_size = ntohl(*((long *) send_token.value));
gss_release_buffer(&min_stat, &send_token);
mutt_debug(LL_DEBUG2, "Unwrapped security level flags: %c%c%c\n",
(server_conf_flags & GSS_AUTH_P_NONE) ? 'N' : '-',
(server_conf_flags & GSS_AUTH_P_INTEGRITY) ? 'I' : '-',
(server_conf_flags & GSS_AUTH_P_PRIVACY) ? 'P' : '-');
mutt_debug(LL_DEBUG2, "Maximum GSS token size is %ld\n", buf_size);
/* agree to terms (hack!) */
buf_size = htonl(buf_size); /* not relevant without integrity/privacy */
mutt_buffer_reset(buf1);
mutt_buffer_addch(buf1, GSS_AUTH_P_NONE);
mutt_buffer_addstr_n(buf1, ((char *) &buf_size) + 1, 3);
/* server decides if principal can log in as user */
mutt_buffer_addstr(buf1, adata->conn->account.user);
request_buf.value = buf1->data;
request_buf.length = mutt_buffer_len(buf1);
maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
&cflags, &send_token);
if (maj_stat != GSS_S_COMPLETE)
{
mutt_debug(LL_DEBUG2, "Error creating login request\n");
goto err_abort_cmd;
}
mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
mutt_debug(LL_DEBUG2, "Requesting authorisation as %s\n", adata->conn->account.user);
mutt_buffer_addstr(buf1, "\r\n");
mutt_socket_send(adata->conn, mutt_b2s(buf1));
/* Joy of victory or agony of defeat? */
do
rc = imap_cmd_step(adata);
while (rc == IMAP_CMD_CONTINUE);
if (rc == IMAP_CMD_RESPOND)
{
mutt_debug(LL_DEBUG1, "Unexpected server continuation request\n");
goto err_abort_cmd;
}
if (imap_code(adata->buf))
{
/* flush the security context */
mutt_debug(LL_DEBUG2, "Releasing GSS credentials\n");
maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);
if (maj_stat != GSS_S_COMPLETE)
mutt_debug(LL_DEBUG1, "Error releasing credentials\n");
/* send_token may contain a notification to the server to flush
* credentials. RFC1731 doesn't specify what to do, and since this
* support is only for authentication, we'll assume the server knows
* enough to flush its own credentials */
gss_release_buffer(&min_stat, &send_token);
retval = IMAP_AUTH_SUCCESS;
goto cleanup;
}
else
goto bail;
err_abort_cmd:
mutt_socket_send(adata->conn, "*\r\n");
do
rc = imap_cmd_step(adata);
while (rc == IMAP_CMD_CONTINUE);
bail:
mutt_error(_("GSSAPI authentication failed"));
retval = IMAP_AUTH_FAILURE;
cleanup:
mutt_buffer_pool_release(&buf1);
mutt_buffer_pool_release(&buf2);
return retval;
}
/* imap_auth_gss: AUTH=GSSAPI support. */
imap_auth_res_t imap_auth_gss (IMAP_DATA* idata, const char* method)
{
gss_buffer_desc request_buf, send_token;
gss_buffer_t sec_token;
gss_name_t target_name;
gss_ctx_id_t context;
#ifdef DEBUG
gss_OID mech_name;
#endif
gss_qop_t quality;
int cflags;
OM_uint32 maj_stat, min_stat;
char buf1[GSS_BUFSIZE], buf2[GSS_BUFSIZE], server_conf_flags;
unsigned long buf_size;
int rc;
if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
return IMAP_AUTH_UNAVAIL;
if (mutt_account_getuser (&idata->conn->account))
return IMAP_AUTH_FAILURE;
/* get an IMAP service ticket for the server */
snprintf (buf1, sizeof (buf1), "imap@%s", idata->conn->account.host);
request_buf.value = buf1;
request_buf.length = strlen (buf1) + 1;
maj_stat = gss_import_name (&min_stat, &request_buf, gss_nt_service_name,
&target_name);
if (maj_stat != GSS_S_COMPLETE)
{
dprint (2, (debugfile, "Couldn't get service name for [%s]\n", buf1));
return IMAP_AUTH_UNAVAIL;
}
#ifdef DEBUG
else if (debuglevel >= 2)
{
maj_stat = gss_display_name (&min_stat, target_name, &request_buf,
&mech_name);
dprint (2, (debugfile, "Using service name [%s]\n",
(char*) request_buf.value));
maj_stat = gss_release_buffer (&min_stat, &request_buf);
}
#endif
/* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
sec_token = GSS_C_NO_BUFFER;
context = GSS_C_NO_CONTEXT;
/* build token */
maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
target_name, GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0,
GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL, &send_token,
(unsigned int*) &cflags, NULL);
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
{
print_gss_error(maj_stat, min_stat);
dprint (1, (debugfile, "Error acquiring credentials - no TGT?\n"));
gss_release_name (&min_stat, &target_name);
return IMAP_AUTH_UNAVAIL;
}
/* now begin login */
mutt_message _("Authenticating (GSSAPI)...");
imap_cmd_start (idata, "AUTHENTICATE GSSAPI");
/* expect a null continuation response ("+") */
do
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND)
{
dprint (2, (debugfile, "Invalid response from server: %s\n", buf1));
gss_release_name (&min_stat, &target_name);
goto bail;
}
/* now start the security context initialisation loop... */
dprint (2, (debugfile, "Sending credentials\n"));
mutt_to_base64 ((unsigned char*) buf1, send_token.value, send_token.length,
sizeof (buf1) - 2);
gss_release_buffer (&min_stat, &send_token);
safe_strcat (buf1, sizeof (buf1), "\r\n");
mutt_socket_write (idata->conn, buf1);
while (maj_stat == GSS_S_CONTINUE_NEEDED)
{
/* Read server data */
do
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND)
{
dprint (1, (debugfile, "Error receiving server response.\n"));
gss_release_name (&min_stat, &target_name);
goto bail;
}
request_buf.length = mutt_from_base64 (buf2, idata->buf + 2);
request_buf.value = buf2;
sec_token = &request_buf;
/* Write client data */
maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &context,
target_name, GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0,
GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL, &send_token,
(unsigned int*) &cflags, NULL);
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
{
print_gss_error(maj_stat, min_stat);
dprint (1, (debugfile, "Error exchanging credentials\n"));
gss_release_name (&min_stat, &target_name);
goto err_abort_cmd;
}
mutt_to_base64 ((unsigned char*) buf1, send_token.value,
send_token.length, sizeof (buf1) - 2);
gss_release_buffer (&min_stat, &send_token);
safe_strcat (buf1, sizeof (buf1), "\r\n");
mutt_socket_write (idata->conn, buf1);
}
gss_release_name (&min_stat, &target_name);
/* get security flags and buffer size */
do
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
if (rc != IMAP_CMD_RESPOND)
{
dprint (1, (debugfile, "Error receiving server response.\n"));
goto bail;
}
request_buf.length = mutt_from_base64 (buf2, idata->buf + 2);
request_buf.value = buf2;
maj_stat = gss_unwrap (&min_stat, context, &request_buf, &send_token,
&cflags, &quality);
if (maj_stat != GSS_S_COMPLETE)
{
print_gss_error(maj_stat, min_stat);
dprint (2, (debugfile, "Couldn't unwrap security level data\n"));
gss_release_buffer (&min_stat, &send_token);
goto err_abort_cmd;
}
dprint (2, (debugfile, "Credential exchange complete\n"));
/* first octet is security levels supported. We want NONE */
server_conf_flags = ((char*) send_token.value)[0];
if ( !(((char*) send_token.value)[0] & GSS_AUTH_P_NONE) )
{
dprint (2, (debugfile, "Server requires integrity or privacy\n"));
gss_release_buffer (&min_stat, &send_token);
goto err_abort_cmd;
}
/* we don't care about buffer size if we don't wrap content. But here it is */
((char*) send_token.value)[0] = 0;
buf_size = ntohl (*((long *) send_token.value));
gss_release_buffer (&min_stat, &send_token);
dprint (2, (debugfile, "Unwrapped security level flags: %c%c%c\n",
server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-',
server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
server_conf_flags & GSS_AUTH_P_PRIVACY ? 'P' : '-'));
dprint (2, (debugfile, "Maximum GSS token size is %ld\n", buf_size));
/* agree to terms (hack!) */
buf_size = htonl (buf_size); /* not relevant without integrity/privacy */
memcpy (buf1, &buf_size, 4);
buf1[0] = GSS_AUTH_P_NONE;
/* server decides if principal can log in as user */
strncpy (buf1 + 4, idata->conn->account.user, sizeof (buf1) - 4);
request_buf.value = buf1;
request_buf.length = 4 + strlen (idata->conn->account.user) + 1;
maj_stat = gss_wrap (&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
&cflags, &send_token);
if (maj_stat != GSS_S_COMPLETE)
{
dprint (2, (debugfile, "Error creating login request\n"));
goto err_abort_cmd;
}
mutt_to_base64 ((unsigned char*) buf1, send_token.value, send_token.length,
sizeof (buf1) - 2);
dprint (2, (debugfile, "Requesting authorisation as %s\n",
idata->conn->account.user));
safe_strcat (buf1, sizeof (buf1), "\r\n");
mutt_socket_write (idata->conn, buf1);
/* Joy of victory or agony of defeat? */
do
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
if (rc == IMAP_CMD_RESPOND)
{
dprint (1, (debugfile, "Unexpected server continuation request.\n"));
goto err_abort_cmd;
}
if (imap_code (idata->buf))
{
/* flush the security context */
dprint (2, (debugfile, "Releasing GSS credentials\n"));
maj_stat = gss_delete_sec_context (&min_stat, &context, &send_token);
if (maj_stat != GSS_S_COMPLETE)
dprint (1, (debugfile, "Error releasing credentials\n"));
/* send_token may contain a notification to the server to flush
* credentials. RFC 1731 doesn't specify what to do, and since this
* support is only for authentication, we'll assume the server knows
* enough to flush its own credentials */
gss_release_buffer (&min_stat, &send_token);
return IMAP_AUTH_SUCCESS;
}
else
goto bail;
err_abort_cmd:
mutt_socket_write (idata->conn, "*\r\n");
do
rc = imap_cmd_step (idata);
while (rc == IMAP_CMD_CONTINUE);
bail:
mutt_error _("GSSAPI authentication failed.");
mutt_sleep (2);
return IMAP_AUTH_FAILURE;
}