auth.h File Reference

IMAP authenticator multiplexor. More...

#include "config.h"

Include dependency graph for auth.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Enumerations
enum	ImapAuthRes { IMAP_AUTH_SUCCESS = 0, IMAP_AUTH_FAILURE, IMAP_AUTH_UNAVAIL }
	Results of IMAP Authentication. More...

Functions
enum ImapAuthRes	imap_auth_plain (struct ImapAccountData *adata, const char *method)
	SASL PLAIN support - Implements ImapAuth::authenticate() More...
enum ImapAuthRes	imap_auth_login (struct ImapAccountData *adata, const char *method)
	Plain LOGIN support - Implements ImapAuth::authenticate() More...
enum ImapAuthRes	imap_auth_gss (struct ImapAccountData *adata, const char *method)
	GSS Authentication support - Implements ImapAuth::authenticate() More...
enum ImapAuthRes	imap_auth_sasl (struct ImapAccountData *adata, const char *method)
	Default authenticator if available - Implements ImapAuth::authenticate() More...
enum ImapAuthRes	imap_auth_oauth (struct ImapAccountData *adata, const char *method)
	Authenticate an IMAP connection using OAUTHBEARER - Implements ImapAuth::authenticate() More...

Detailed Description

IMAP authenticator multiplexor.

Authors

• Brendan Cully

Copyright

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

Definition in file auth.h.

Enumeration Type Documentation

ImapAuthRes

enum ImapAuthRes

Results of IMAP Authentication.

Enumerator
IMAP_AUTH_SUCCESS	Authentication successful.
IMAP_AUTH_FAILURE	Authentication failed.
IMAP_AUTH_UNAVAIL	Authentication method not permitted.

Definition at line 36 of file auth.h.

{
  IMAP_AUTH_SUCCESS = 0, 
  IMAP_AUTH_FAILURE,     
  IMAP_AUTH_UNAVAIL,     
};

Function Documentation

imap_auth_plain()

enum ImapAuthRes imap_auth_plain	(	struct ImapAccountData *	adata,
		const char *	method
	)

SASL PLAIN support - Implements ImapAuth::authenticate()

Definition at line 41 of file auth_plain.c.

{
  int rc = IMAP_RES_CONTINUE;
  enum ImapAuthRes res = IMAP_AUTH_SUCCESS;
  static const char auth_plain_cmd[] = "AUTHENTICATE PLAIN";
  char buf[256] = { 0 };

  if (mutt_account_getuser(&adata->conn->account) < 0)
    return IMAP_AUTH_FAILURE;
  if (mutt_account_getpass(&adata->conn->account) < 0)
    return IMAP_AUTH_FAILURE;

  mutt_message(_("Logging in..."));

  /* Prepare full AUTHENTICATE PLAIN message */
  mutt_sasl_plain_msg(buf, sizeof(buf), auth_plain_cmd, adata->conn->account.user,
                      adata->conn->account.user, adata->conn->account.pass);

  if (adata->capabilities & IMAP_CAP_SASL_IR)
  {
    imap_cmd_start(adata, buf);
  }
  else
  {
    /* Split the message so we send AUTHENTICATE PLAIN first, and the
     * credentials after the first command continuation request */
    buf[sizeof(auth_plain_cmd) - 1] = '\0';
    imap_cmd_start(adata, buf);
    while (rc == IMAP_RES_CONTINUE)
    {
      rc = imap_cmd_step(adata);
    }
    if (rc == IMAP_RES_RESPOND)
    {
      mutt_str_cat(buf + sizeof(auth_plain_cmd),
                   sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
      mutt_socket_send(adata->conn, buf + sizeof(auth_plain_cmd));
      rc = IMAP_RES_CONTINUE;
    }
  }

  while (rc == IMAP_RES_CONTINUE)
  {
    rc = imap_cmd_step(adata);
  }

  if (rc == IMAP_RES_BAD)
  {
    res = IMAP_AUTH_UNAVAIL;
  }
  else if (rc == IMAP_RES_NO)
  {
    mutt_error(_("Login failed"));
    res = IMAP_AUTH_FAILURE;
  }

  mutt_clear_error();
  return res;
}

Here is the call graph for this function:

imap_auth_login()

enum ImapAuthRes imap_auth_login	(	struct ImapAccountData *	adata,
		const char *	method
	)

Plain LOGIN support - Implements ImapAuth::authenticate()

Definition at line 41 of file auth_login.c.

{
  char q_user[256], q_pass[256];
  char buf[1024];

  if ((adata->capabilities & IMAP_CAP_LOGINDISABLED))
  {
    mutt_message(_("LOGIN disabled on this server"));
    return IMAP_AUTH_UNAVAIL;
  }

  if (mutt_account_getuser(&adata->conn->account) < 0)
    return IMAP_AUTH_FAILURE;
  if (mutt_account_getpass(&adata->conn->account) < 0)
    return IMAP_AUTH_FAILURE;

  mutt_message(_("Logging in..."));

  imap_quote_string(q_user, sizeof(q_user), adata->conn->account.user, false);
  imap_quote_string(q_pass, sizeof(q_pass), adata->conn->account.pass, false);

  /* don't print the password unless we're at the ungodly debugging level
   * of 5 or higher */

  if (C_DebugLevel < IMAP_LOG_PASS)
    mutt_debug(LL_DEBUG2, "Sending LOGIN command for %s\n", adata->conn->account.user);

  snprintf(buf, sizeof(buf), "LOGIN %s %s", q_user, q_pass);
  if (imap_exec(adata, buf, IMAP_CMD_PASS) == IMAP_EXEC_SUCCESS)
  {
    mutt_clear_error();
    return IMAP_AUTH_SUCCESS;
  }

  mutt_error(_("Login failed"));
  return IMAP_AUTH_FAILURE;
}

Here is the call graph for this function:

imap_auth_gss()

enum ImapAuthRes imap_auth_gss	(	struct ImapAccountData *	adata,
		const char *	method
	)

GSS Authentication support - Implements ImapAuth::authenticate()

Definition at line 103 of file auth_gss.c.

{
  gss_buffer_desc request_buf, send_token;
  gss_buffer_t sec_token;
  gss_name_t target_name;
  gss_ctx_id_t context;
  gss_OID mech_name;
  char server_conf_flags;
  gss_qop_t quality;
  int cflags;
  OM_uint32 maj_stat, min_stat;
  unsigned long buf_size;
  int rc, retval = IMAP_AUTH_FAILURE;

  if (!(adata->capabilities & IMAP_CAP_AUTH_GSSAPI))
    return IMAP_AUTH_UNAVAIL;

  if (mutt_account_getuser(&adata->conn->account) < 0)
    return IMAP_AUTH_FAILURE;

  struct Buffer *buf1 = mutt_buffer_pool_get();
  struct Buffer *buf2 = mutt_buffer_pool_get();

  /* get an IMAP service ticket for the server */
  mutt_buffer_printf(buf1, "imap@%s", adata->conn->account.host);
  request_buf.value = buf1->data;
  request_buf.length = mutt_buffer_len(buf1);

  maj_stat = gss_import_name(&min_stat, &request_buf, gss_nt_service_name, &target_name);
  if (maj_stat != GSS_S_COMPLETE)
  {
    mutt_debug(LL_DEBUG2, "Couldn't get service name for [%s]\n", buf1->data);
    retval = IMAP_AUTH_UNAVAIL;
    goto cleanup;
  }
  else if (C_DebugLevel >= 2)
  {
    gss_display_name(&min_stat, target_name, &request_buf, &mech_name);
    mutt_debug(LL_DEBUG2, "Using service name [%s]\n", (char *) request_buf.value);
    gss_release_buffer(&min_stat, &request_buf);
  }
  /* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
  sec_token = GSS_C_NO_BUFFER;
  context = GSS_C_NO_CONTEXT;

  /* build token */
  maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, &context, target_name,
                                  GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
                                  0, GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,
                                  &send_token, (unsigned int *) &cflags, NULL);
  if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
  {
    print_gss_error(maj_stat, min_stat);
    mutt_debug(LL_DEBUG1, "Error acquiring credentials - no TGT?\n");
    gss_release_name(&min_stat, &target_name);

    retval = IMAP_AUTH_UNAVAIL;
    goto cleanup;
  }

  /* now begin login */
  // L10N: (%s) is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
  mutt_message(_("Authenticating (%s)..."), "GSSAPI");

  imap_cmd_start(adata, "AUTHENTICATE GSSAPI");

  /* expect a null continuation response ("+") */
  do
  {
    rc = imap_cmd_step(adata);
  } while (rc == IMAP_RES_CONTINUE);

  if (rc != IMAP_RES_RESPOND)
  {
    mutt_debug(LL_DEBUG2, "Invalid response from server: %s\n", buf1->data);
    gss_release_name(&min_stat, &target_name);
    goto bail;
  }

  /* now start the security context initialisation loop... */
  mutt_debug(LL_DEBUG2, "Sending credentials\n");
  mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
  gss_release_buffer(&min_stat, &send_token);
  mutt_buffer_addstr(buf1, "\r\n");
  mutt_socket_send(adata->conn, mutt_b2s(buf1));

  while (maj_stat == GSS_S_CONTINUE_NEEDED)
  {
    /* Read server data */
    do
    {
      rc = imap_cmd_step(adata);
    } while (rc == IMAP_RES_CONTINUE);

    if (rc != IMAP_RES_RESPOND)
    {
      mutt_debug(LL_DEBUG1, "#1 Error receiving server response\n");
      gss_release_name(&min_stat, &target_name);
      goto bail;
    }

    if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)
    {
      mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");
      gss_release_name(&min_stat, &target_name);
      goto err_abort_cmd;
    }
    request_buf.value = buf2->data;
    request_buf.length = mutt_buffer_len(buf2);
    sec_token = &request_buf;

    /* Write client data */
    maj_stat = gss_init_sec_context(
        &min_stat, GSS_C_NO_CREDENTIAL, &context, target_name, GSS_C_NO_OID,
        GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS,
        sec_token, NULL, &send_token, (unsigned int *) &cflags, NULL);
    if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
    {
      print_gss_error(maj_stat, min_stat);
      mutt_debug(LL_DEBUG1, "Error exchanging credentials\n");
      gss_release_name(&min_stat, &target_name);

      goto err_abort_cmd;
    }
    mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
    gss_release_buffer(&min_stat, &send_token);
    mutt_buffer_addstr(buf1, "\r\n");
    mutt_socket_send(adata->conn, mutt_b2s(buf1));
  }

  gss_release_name(&min_stat, &target_name);

  /* get security flags and buffer size */
  do
  {
    rc = imap_cmd_step(adata);
  } while (rc == IMAP_RES_CONTINUE);

  if (rc != IMAP_RES_RESPOND)
  {
    mutt_debug(LL_DEBUG1, "#2 Error receiving server response\n");
    goto bail;
  }
  if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)
  {
    mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");
    goto err_abort_cmd;
  }
  request_buf.value = buf2->data;
  request_buf.length = mutt_buffer_len(buf2);

  maj_stat = gss_unwrap(&min_stat, context, &request_buf, &send_token, &cflags, &quality);
  if (maj_stat != GSS_S_COMPLETE)
  {
    print_gss_error(maj_stat, min_stat);
    mutt_debug(LL_DEBUG2, "Couldn't unwrap security level data\n");
    gss_release_buffer(&min_stat, &send_token);
    goto err_abort_cmd;
  }
  mutt_debug(LL_DEBUG2, "Credential exchange complete\n");

  /* first octet is security levels supported. We want NONE */
  server_conf_flags = ((char *) send_token.value)[0];
  if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE))
  {
    mutt_debug(LL_DEBUG2, "Server requires integrity or privacy\n");
    gss_release_buffer(&min_stat, &send_token);
    goto err_abort_cmd;
  }

  /* we don't care about buffer size if we don't wrap content. But here it is */
  ((char *) send_token.value)[0] = '\0';
  buf_size = ntohl(*((long *) send_token.value));
  gss_release_buffer(&min_stat, &send_token);
  mutt_debug(LL_DEBUG2, "Unwrapped security level flags: %c%c%c\n",
             (server_conf_flags & GSS_AUTH_P_NONE) ? 'N' : '-',
             (server_conf_flags & GSS_AUTH_P_INTEGRITY) ? 'I' : '-',
             (server_conf_flags & GSS_AUTH_P_PRIVACY) ? 'P' : '-');
  mutt_debug(LL_DEBUG2, "Maximum GSS token size is %ld\n", buf_size);

  /* agree to terms (hack!) */
  buf_size = htonl(buf_size); /* not relevant without integrity/privacy */
  mutt_buffer_reset(buf1);
  mutt_buffer_addch(buf1, GSS_AUTH_P_NONE);
  mutt_buffer_addstr_n(buf1, ((char *) &buf_size) + 1, 3);
  /* server decides if principal can log in as user */
  mutt_buffer_addstr(buf1, adata->conn->account.user);
  request_buf.value = buf1->data;
  request_buf.length = mutt_buffer_len(buf1);
  maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
                      &cflags, &send_token);
  if (maj_stat != GSS_S_COMPLETE)
  {
    mutt_debug(LL_DEBUG2, "Error creating login request\n");
    goto err_abort_cmd;
  }

  mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
  mutt_debug(LL_DEBUG2, "Requesting authorisation as %s\n", adata->conn->account.user);
  mutt_buffer_addstr(buf1, "\r\n");
  mutt_socket_send(adata->conn, mutt_b2s(buf1));

  /* Joy of victory or agony of defeat? */
  do
  {
    rc = imap_cmd_step(adata);
  } while (rc == IMAP_RES_CONTINUE);
  if (rc == IMAP_RES_RESPOND)
  {
    mutt_debug(LL_DEBUG1, "Unexpected server continuation request\n");
    goto err_abort_cmd;
  }
  if (imap_code(adata->buf))
  {
    /* flush the security context */
    mutt_debug(LL_DEBUG2, "Releasing GSS credentials\n");
    maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);
    if (maj_stat != GSS_S_COMPLETE)
      mutt_debug(LL_DEBUG1, "Error releasing credentials\n");

    /* send_token may contain a notification to the server to flush
     * credentials. RFC1731 doesn't specify what to do, and since this
     * support is only for authentication, we'll assume the server knows
     * enough to flush its own credentials */
    gss_release_buffer(&min_stat, &send_token);

    retval = IMAP_AUTH_SUCCESS;
    goto cleanup;
  }
  else
    goto bail;

err_abort_cmd:
  mutt_socket_send(adata->conn, "*\r\n");
  do
  {
    rc = imap_cmd_step(adata);
  } while (rc == IMAP_RES_CONTINUE);

bail:
  // L10N: %s is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
  mutt_error(_("%s authentication failed"), "GSSAPI");
  retval = IMAP_AUTH_FAILURE;

cleanup:
  mutt_buffer_pool_release(&buf1);
  mutt_buffer_pool_release(&buf2);

  return retval;
}

Here is the call graph for this function:

imap_auth_sasl()

enum ImapAuthRes imap_auth_sasl	(	struct ImapAccountData *	adata,
		const char *	method
	)

Default authenticator if available - Implements ImapAuth::authenticate()

Definition at line 45 of file auth_sasl.c.

{
  sasl_conn_t *saslconn = NULL;
  sasl_interact_t *interaction = NULL;
  int rc, irc;
  char *buf = NULL;
  size_t bufsize = 0;
  const char *mech = NULL;
  const char *pc = NULL;
  unsigned int len = 0, olen = 0;
  bool client_start;

  if (mutt_sasl_client_new(adata->conn, &saslconn) < 0)
  {
    mutt_debug(LL_DEBUG1, "Error allocating SASL connection\n");
    return IMAP_AUTH_FAILURE;
  }

  rc = SASL_FAIL;

  /* If the user hasn't specified a method, use any available */
  if (!method)
  {
    method = adata->capstr;

    /* hack for SASL ANONYMOUS support:
     * 1. Fetch username. If it's "" or "anonymous" then
     * 2. attempt sasl_client_start with only "AUTH=ANONYMOUS" capability
     * 3. if sasl_client_start fails, fall through... */

    if (mutt_account_getuser(&adata->conn->account) < 0)
    {
      sasl_dispose(&saslconn);
      return IMAP_AUTH_FAILURE;
    }

    if ((adata->capabilities & IMAP_CAP_AUTH_ANONYMOUS) &&
        (!adata->conn->account.user[0] ||
         mutt_str_startswith(adata->conn->account.user, "anonymous")))
    {
      rc = sasl_client_start(saslconn, "AUTH=ANONYMOUS", NULL, &pc, &olen, &mech);
    }
  }
  else if (mutt_istr_equal("login", method) && !strstr(NONULL(adata->capstr), "AUTH=LOGIN"))
  {
    /* do not use SASL login for regular IMAP login */
    sasl_dispose(&saslconn);
    return IMAP_AUTH_UNAVAIL;
  }

  if ((rc != SASL_OK) && (rc != SASL_CONTINUE))
  {
    do
    {
      rc = sasl_client_start(saslconn, method, &interaction, &pc, &olen, &mech);
      if (rc == SASL_INTERACT)
        mutt_sasl_interact(interaction);
    } while (rc == SASL_INTERACT);
  }

  client_start = (olen > 0);

  if ((rc != SASL_OK) && (rc != SASL_CONTINUE))
  {
    if (method)
      mutt_debug(LL_DEBUG2, "%s unavailable\n", method);
    else
    {
      mutt_debug(
          LL_DEBUG1,
          "Failure starting authentication exchange. No shared mechanisms?\n");
    }
    /* SASL doesn't support LOGIN, so fall back */

    sasl_dispose(&saslconn);
    return IMAP_AUTH_UNAVAIL;
  }

  // L10N: (%s) is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
  mutt_message(_("Authenticating (%s)..."), mech);

  bufsize = MAX((olen * 2), 1024);
  buf = mutt_mem_malloc(bufsize);

  snprintf(buf, bufsize, "AUTHENTICATE %s", mech);
  if ((adata->capabilities & IMAP_CAP_SASL_IR) && client_start)
  {
    len = mutt_str_len(buf);
    buf[len++] = ' ';
    if (sasl_encode64(pc, olen, buf + len, bufsize - len, &olen) != SASL_OK)
    {
      mutt_debug(LL_DEBUG1, "#1 error base64-encoding client response\n");
      goto bail;
    }
    client_start = false;
    olen = 0;
  }
  imap_cmd_start(adata, buf);
  irc = IMAP_RES_CONTINUE;

  /* looping protocol */
  while ((rc == SASL_CONTINUE) || (olen > 0))
  {
    do
    {
      irc = imap_cmd_step(adata);
    } while (irc == IMAP_RES_CONTINUE);

    if ((irc == IMAP_RES_BAD) || (irc == IMAP_RES_NO))
      goto bail;

    if (irc == IMAP_RES_RESPOND)
    {
      /* Exchange incorrectly returns +\r\n instead of + \r\n */
      if (adata->buf[1] == '\0')
      {
        buf[0] = '\0';
        len = 0;
      }
      else
      {
        len = strlen(adata->buf + 2);
        if (len > bufsize)
        {
          bufsize = len;
          mutt_mem_realloc(&buf, bufsize);
        }
        /* For sasl_decode64, the fourth parameter, outmax, doesn't
         * include space for the trailing null */
        if (sasl_decode64(adata->buf + 2, len, buf, bufsize - 1, &len) != SASL_OK)
        {
          mutt_debug(LL_DEBUG1, "error base64-decoding server response\n");
          goto bail;
        }
      }
    }

    /* client-start is only available with the SASL-IR extension, but
     * SASL 2.1 seems to want to use it regardless, at least for DIGEST
     * fast reauth. Override if the server sent an initial continuation */
    if (!client_start || buf[0])
    {
      do
      {
        rc = sasl_client_step(saslconn, buf, len, &interaction, &pc, &olen);
        if (rc == SASL_INTERACT)
          mutt_sasl_interact(interaction);
      } while (rc == SASL_INTERACT);
    }
    else
      client_start = false;

    /* send out response, or line break if none needed */
    if (olen)
    {
      if ((olen * 2) > bufsize)
      {
        bufsize = olen * 2;
        mutt_mem_realloc(&buf, bufsize);
      }
      if (sasl_encode64(pc, olen, buf, bufsize, &olen) != SASL_OK)
      {
        mutt_debug(LL_DEBUG1, "#2 error base64-encoding client response\n");
        goto bail;
      }
    }

    if (irc == IMAP_RES_RESPOND)
    {
      mutt_str_copy(buf + olen, "\r\n", bufsize - olen);
      mutt_socket_send(adata->conn, buf);
    }

    /* If SASL has errored out, send an abort string to the server */
    if (rc < 0)
    {
      mutt_socket_send(adata->conn, "*\r\n");
      mutt_debug(LL_DEBUG1, "sasl_client_step error %d\n", rc);
    }

    olen = 0;
  }

  while (irc != IMAP_RES_OK)
  {
    irc = imap_cmd_step(adata);
    if (irc != IMAP_RES_CONTINUE)
      break;
  }

  if (rc != SASL_OK)
    goto bail;

  if (imap_code(adata->buf))
  {
    mutt_sasl_setup_conn(adata->conn, saslconn);
    FREE(&buf);
    return IMAP_AUTH_SUCCESS;
  }

bail:
  sasl_dispose(&saslconn);
  FREE(&buf);

  if (method)
  {
    mutt_debug(LL_DEBUG2, "%s failed\n", method);
    return IMAP_AUTH_UNAVAIL;
  }

  // L10N: %s is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
  mutt_error(_("%s authentication failed"), "SASL ");

  return IMAP_AUTH_FAILURE;
}

Here is the call graph for this function:

imap_auth_oauth()

enum ImapAuthRes imap_auth_oauth	(	struct ImapAccountData *	adata,
		const char *	method
	)

Authenticate an IMAP connection using OAUTHBEARER - Implements ImapAuth::authenticate()

Definition at line 43 of file auth_oauth.c.

{
  char *ibuf = NULL;
  char *oauthbearer = NULL;
  int ilen;
  int rc;

  /* For now, we only support SASL_IR also and over TLS */
  if (!(adata->capabilities & IMAP_CAP_AUTH_OAUTHBEARER) ||
      !(adata->capabilities & IMAP_CAP_SASL_IR) || (adata->conn->ssf == 0))
  {
    return IMAP_AUTH_UNAVAIL;
  }

  /* If they did not explicitly request or configure oauth then fail quietly */
  if (!method && !C_ImapOauthRefreshCommand)
    return IMAP_AUTH_UNAVAIL;

  // L10N: (%s) is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
  mutt_message(_("Authenticating (%s)..."), "OAUTHBEARER");

  /* We get the access token from the imap_oauth_refresh_command */
  oauthbearer = mutt_account_getoauthbearer(&adata->conn->account);
  if (!oauthbearer)
    return IMAP_AUTH_FAILURE;

  ilen = mutt_str_len(oauthbearer) + 30;
  ibuf = mutt_mem_malloc(ilen);
  snprintf(ibuf, ilen, "AUTHENTICATE OAUTHBEARER %s", oauthbearer);

  /* This doesn't really contain a password, but the token is good for
   * an hour, so suppress it anyways.  */
  rc = imap_exec(adata, ibuf, IMAP_CMD_PASS);

  FREE(&oauthbearer);
  FREE(&ibuf);

  if (rc != IMAP_EXEC_SUCCESS)
  {
    /* The error response was in SASL continuation, so continue the SASL
     * to cause a failure and exit SASL input.  See RFC7628 3.2.3 */
    mutt_socket_send(adata->conn, "\001");
    rc = imap_exec(adata, ibuf, IMAP_CMD_NO_FLAGS);
  }

  if (rc == IMAP_EXEC_SUCCESS)
  {
    mutt_clear_error();
    return IMAP_AUTH_SUCCESS;
  }

  // L10N: %s is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
  mutt_error(_("%s authentication failed"), "OAUTHBEARER");
  return IMAP_AUTH_FAILURE;
}

Here is the call graph for this function: