code/auth__gss_8c_source.html

#include "config.h"

#include <arpa/inet.h>

#include <stdio.h>

#include <string.h>

#include "private.h"

#include "mutt/lib.h"

#include "config/lib.h"

#include "core/lib.h"

#include "conn/lib.h"

#include "adata.h"

#include "auth.h"

#ifdef HAVE_HEIMDAL

#include <gssapi/gssapi.h>

#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE

#else

#include <gssapi/gssapi.h>

#include <gssapi/gssapi_generic.h>

#endif


#define GSS_AUTH_P_NONE 1

#define GSS_AUTH_P_INTEGRITY 2

#define GSS_AUTH_P_PRIVACY 4


static void print_gss_error(OM_uint32 err_maj, OM_uint32 err_min)

{

  OM_uint32 maj_stat, min_stat;

  OM_uint32 msg_ctx = 0;

  gss_buffer_desc status_string;

  char buf_maj[512] = { 0 };

  char buf_min[512] = { 0 };


  do

  {

    maj_stat = gss_display_status(&min_stat, err_maj, GSS_C_GSS_CODE,

                                  GSS_C_NO_OID, &msg_ctx, &status_string);

    if (GSS_ERROR(maj_stat))

      break;

    size_t status_len = status_string.length;

    if (status_len >= sizeof(buf_maj))

      status_len = sizeof(buf_maj) - 1;

    strncpy(buf_maj, (char *) status_string.value, status_len);

    buf_maj[status_len] = '\0';

    gss_release_buffer(&min_stat, &status_string);


    maj_stat = gss_display_status(&min_stat, err_min, GSS_C_MECH_CODE,

                                  GSS_C_NULL_OID, &msg_ctx, &status_string);

    if (!GSS_ERROR(maj_stat))

    {

      status_len = status_string.length;

      if (status_len >= sizeof(buf_min))

        status_len = sizeof(buf_min) - 1;

      strncpy(buf_min, (char *) status_string.value, status_len);

      buf_min[status_len] = '\0';

      gss_release_buffer(&min_stat, &status_string);

    }

  } while (!GSS_ERROR(maj_stat) && (msg_ctx != 0));


  mutt_debug(LL_DEBUG2, "((%s:%d )(%s:%d))\n", buf_maj, err_maj, buf_min, err_min);

}


enum ImapAuthRes imap_auth_gss(struct ImapAccountData *adata, const char *method)

{

  gss_buffer_desc request_buf, send_token;

  gss_buffer_t sec_token;

  gss_name_t target_name;

  gss_ctx_id_t context;

  gss_OID mech_name;

  char server_conf_flags;

  gss_qop_t quality;

  int cflags;

  OM_uint32 maj_stat, min_stat;

  unsigned long buf_size;

  int rc, retval = IMAP_AUTH_FAILURE;


  if (!(adata->capabilities & IMAP_CAP_AUTH_GSSAPI))

    return IMAP_AUTH_UNAVAIL;


  if (mutt_account_getuser(&adata->conn->account) < 0)

    return IMAP_AUTH_FAILURE;


  struct Buffer *buf1 = mutt_buffer_pool_get();

  struct Buffer *buf2 = mutt_buffer_pool_get();


  /* get an IMAP service ticket for the server */

  mutt_buffer_printf(buf1, "imap@%s", adata->conn->account.host);

  request_buf.value = buf1->data;

  request_buf.length = mutt_buffer_len(buf1);


  const short c_debug_level = cs_subset_number(NeoMutt->sub, "debug_level");

  maj_stat = gss_import_name(&min_stat, &request_buf, gss_nt_service_name, &target_name);

  if (maj_stat != GSS_S_COMPLETE)

  {

    mutt_debug(LL_DEBUG2, "Couldn't get service name for [%s]\n", buf1->data);

    retval = IMAP_AUTH_UNAVAIL;

    goto cleanup;

  }

  else if (c_debug_level >= 2)

  {

    gss_display_name(&min_stat, target_name, &request_buf, &mech_name);

    mutt_debug(LL_DEBUG2, "Using service name [%s]\n", (char *) request_buf.value);

    gss_release_buffer(&min_stat, &request_buf);

  }

  /* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */

  sec_token = GSS_C_NO_BUFFER;

  context = GSS_C_NO_CONTEXT;


  /* build token */

  maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, &context, target_name,

                                  GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,

                                  0, GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,

                                  &send_token, (unsigned int *) &cflags, NULL);

  if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))

  {

    print_gss_error(maj_stat, min_stat);

    mutt_debug(LL_DEBUG1, "Error acquiring credentials - no TGT?\n");

    gss_release_name(&min_stat, &target_name);


    retval = IMAP_AUTH_UNAVAIL;

    goto cleanup;

  }


  /* now begin login */

  // L10N: (%s) is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL

  mutt_message(_("Authenticating (%s)..."), "GSSAPI");


  imap_cmd_start(adata, "AUTHENTICATE GSSAPI");


  /* expect a null continuation response ("+") */

  do

  {

    rc = imap_cmd_step(adata);

  } while (rc == IMAP_RES_CONTINUE);


  if (rc != IMAP_RES_RESPOND)

  {

    mutt_debug(LL_DEBUG2, "Invalid response from server: %s\n", buf1->data);

    gss_release_name(&min_stat, &target_name);

    goto bail;

  }


  /* now start the security context initialisation loop... */

  mutt_debug(LL_DEBUG2, "Sending credentials\n");

  mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);

  gss_release_buffer(&min_stat, &send_token);

  mutt_buffer_addstr(buf1, "\r\n");

  mutt_socket_send(adata->conn, mutt_buffer_string(buf1));


  while (maj_stat == GSS_S_CONTINUE_NEEDED)

  {

    /* Read server data */

    do

    {

      rc = imap_cmd_step(adata);

    } while (rc == IMAP_RES_CONTINUE);


    if (rc != IMAP_RES_RESPOND)

    {

      mutt_debug(LL_DEBUG1, "#1 Error receiving server response\n");

      gss_release_name(&min_stat, &target_name);

      goto bail;

    }


    if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)

    {

      mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");

      gss_release_name(&min_stat, &target_name);

      goto err_abort_cmd;

    }

    request_buf.value = buf2->data;

    request_buf.length = mutt_buffer_len(buf2);

    sec_token = &request_buf;


    /* Write client data */

    maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, &context, target_name,

                                    GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,

                                    0, GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,

                                    &send_token, (unsigned int *) &cflags, NULL);

    if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))

    {

      print_gss_error(maj_stat, min_stat);

      mutt_debug(LL_DEBUG1, "Error exchanging credentials\n");

      gss_release_name(&min_stat, &target_name);


      goto err_abort_cmd;

    }

    mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);

    gss_release_buffer(&min_stat, &send_token);

    mutt_buffer_addstr(buf1, "\r\n");

    mutt_socket_send(adata->conn, mutt_buffer_string(buf1));

  }


  gss_release_name(&min_stat, &target_name);


  /* get security flags and buffer size */

  do

  {

    rc = imap_cmd_step(adata);

  } while (rc == IMAP_RES_CONTINUE);


  if (rc != IMAP_RES_RESPOND)

  {

    mutt_debug(LL_DEBUG1, "#2 Error receiving server response\n");

    goto bail;

  }

  if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)

  {

    mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");

    goto err_abort_cmd;

  }

  request_buf.value = buf2->data;

  request_buf.length = mutt_buffer_len(buf2);


  maj_stat = gss_unwrap(&min_stat, context, &request_buf, &send_token, &cflags, &quality);

  if (maj_stat != GSS_S_COMPLETE)

  {

    print_gss_error(maj_stat, min_stat);

    mutt_debug(LL_DEBUG2, "Couldn't unwrap security level data\n");

    gss_release_buffer(&min_stat, &send_token);

    goto err_abort_cmd;

  }

  mutt_debug(LL_DEBUG2, "Credential exchange complete\n");


  /* first octet is security levels supported. We want NONE */

  server_conf_flags = ((char *) send_token.value)[0];

  if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE))

  {

    mutt_debug(LL_DEBUG2, "Server requires integrity or privacy\n");

    gss_release_buffer(&min_stat, &send_token);

    goto err_abort_cmd;

  }


  /* we don't care about buffer size if we don't wrap content. But here it is */

  ((char *) send_token.value)[0] = '\0';

  buf_size = ntohl(*((long *) send_token.value));

  gss_release_buffer(&min_stat, &send_token);

  mutt_debug(LL_DEBUG2, "Unwrapped security level flags: %c%c%c\n",

             (server_conf_flags & GSS_AUTH_P_NONE) ? 'N' : '-',

             (server_conf_flags & GSS_AUTH_P_INTEGRITY) ? 'I' : '-',

             (server_conf_flags & GSS_AUTH_P_PRIVACY) ? 'P' : '-');

  mutt_debug(LL_DEBUG2, "Maximum GSS token size is %ld\n", buf_size);


  /* agree to terms (hack!) */

  buf_size = htonl(buf_size); /* not relevant without integrity/privacy */

  mutt_buffer_reset(buf1);

  mutt_buffer_addch(buf1, GSS_AUTH_P_NONE);

  mutt_buffer_addstr_n(buf1, ((char *) &buf_size) + 1, 3);

  /* server decides if principal can log in as user */

  mutt_buffer_addstr(buf1, adata->conn->account.user);

  request_buf.value = buf1->data;

  request_buf.length = mutt_buffer_len(buf1);

  maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,

                      &cflags, &send_token);

  if (maj_stat != GSS_S_COMPLETE)

  {

    mutt_debug(LL_DEBUG2, "Error creating login request\n");

    goto err_abort_cmd;

  }


  mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);

  mutt_debug(LL_DEBUG2, "Requesting authorisation as %s\n", adata->conn->account.user);

  mutt_buffer_addstr(buf1, "\r\n");

  mutt_socket_send(adata->conn, mutt_buffer_string(buf1));


  /* Joy of victory or agony of defeat? */

  do

  {

    rc = imap_cmd_step(adata);

  } while (rc == IMAP_RES_CONTINUE);

  if (rc == IMAP_RES_RESPOND)

  {

    mutt_debug(LL_DEBUG1, "Unexpected server continuation request\n");

    goto err_abort_cmd;

  }

  if (imap_code(adata->buf))

  {

    /* flush the security context */

    mutt_debug(LL_DEBUG2, "Releasing GSS credentials\n");

    maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);

    if (maj_stat != GSS_S_COMPLETE)

      mutt_debug(LL_DEBUG1, "Error releasing credentials\n");


    /* send_token may contain a notification to the server to flush

     * credentials. RFC1731 doesn't specify what to do, and since this

     * support is only for authentication, we'll assume the server knows

     * enough to flush its own credentials */

    gss_release_buffer(&min_stat, &send_token);


    retval = IMAP_AUTH_SUCCESS;

    goto cleanup;

  }

  else

  {

    goto bail;

  }


err_abort_cmd:

  mutt_socket_send(adata->conn, "*\r\n");

  do

  {

    rc = imap_cmd_step(adata);

  } while (rc == IMAP_RES_CONTINUE);


bail:

  // L10N: %s is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL

  mutt_error(_("%s authentication failed"), "GSSAPI");

  retval = IMAP_AUTH_FAILURE;


cleanup:

  mutt_buffer_pool_release(&buf1);

  mutt_buffer_pool_release(&buf2);


  return retval;

}

auth.h
IMAP authenticator multiplexor.

ImapAuthRes
ImapAuthRes
Results of IMAP Authentication.
Definition: auth.h:38

IMAP_AUTH_FAILURE
@ IMAP_AUTH_FAILURE
Authentication failed.
Definition: auth.h:40

IMAP_AUTH_SUCCESS
@ IMAP_AUTH_SUCCESS
Authentication successful.
Definition: auth.h:39

IMAP_AUTH_UNAVAIL
@ IMAP_AUTH_UNAVAIL
Authentication method not permitted.
Definition: auth.h:41

imap_auth_gss
enum ImapAuthRes imap_auth_gss(struct ImapAccountData *adata, const char *method)
GSS Authentication support - Implements ImapAuth::authenticate()
Definition: auth_gss.c:104

GSS_AUTH_P_NONE
#define GSS_AUTH_P_NONE
Definition: auth_gss.c:55

print_gss_error
static void print_gss_error(OM_uint32 err_maj, OM_uint32 err_min)
Print detailed error message to the debug log.
Definition: auth_gss.c:64

GSS_AUTH_P_PRIVACY
#define GSS_AUTH_P_PRIVACY
Definition: auth_gss.c:57

GSS_AUTH_P_INTEGRITY
#define GSS_AUTH_P_INTEGRITY
Definition: auth_gss.c:56

mutt_b64_buffer_encode
size_t mutt_b64_buffer_encode(struct Buffer *buf, const char *in, size_t len)
Convert raw bytes to null-terminated base64 string.
Definition: base64.c:199

mutt_b64_buffer_decode
int mutt_b64_buffer_decode(struct Buffer *buf, const char *in)
Convert null-terminated base64 string to raw bytes.
Definition: base64.c:217

mutt_buffer_addstr_n
size_t mutt_buffer_addstr_n(struct Buffer *buf, const char *s, size_t len)
Add a string to a Buffer, expanding it if necessary.
Definition: buffer.c:105

mutt_buffer_len
size_t mutt_buffer_len(const struct Buffer *buf)
Calculate the length of a Buffer.
Definition: buffer.c:409

mutt_buffer_addch
size_t mutt_buffer_addch(struct Buffer *buf, char c)
Add a single character to a Buffer.
Definition: buffer.c:248

mutt_buffer_addstr
size_t mutt_buffer_addstr(struct Buffer *buf, const char *s)
Add a string to a Buffer.
Definition: buffer.c:233

mutt_buffer_printf
int mutt_buffer_printf(struct Buffer *buf, const char *fmt,...)
Format a string overwriting a Buffer.
Definition: buffer.c:168

mutt_buffer_reset
void mutt_buffer_reset(struct Buffer *buf)
Reset an existing Buffer.
Definition: buffer.c:85

mutt_buffer_string
static const char * mutt_buffer_string(const struct Buffer *buf)
Convert a buffer to a const char * "string".
Definition: buffer.h:78

cs_subset_number
short cs_subset_number(const struct ConfigSubset *sub, const char *name)
Get a number config item by name.
Definition: helpers.c:169

lib.h
Convenience wrapper for the config headers.

lib.h
Connection Library.

mutt_account_getuser
int mutt_account_getuser(struct ConnAccount *cac)
Retrieve username into ConnAccount, if necessary.
Definition: connaccount.c:49

lib.h
Convenience wrapper for the core headers.

mutt_error
#define mutt_error(...)
Definition: logging.h:87

mutt_message
#define mutt_message(...)
Definition: logging.h:86

mutt_debug
#define mutt_debug(LEVEL,...)
Definition: logging.h:84

imap_cmd_start
int imap_cmd_start(struct ImapAccountData *adata, const char *cmdstr)
Given an IMAP command, send it to the server.
Definition: command.c:1071

imap_cmd_step
int imap_cmd_step(struct ImapAccountData *adata)
Reads server responses from an IMAP command.
Definition: command.c:1085

imap_code
bool imap_code(const char *s)
Was the command successful.
Definition: command.c:1212

IMAP_RES_RESPOND
#define IMAP_RES_RESPOND
+
Definition: private.h:58

IMAP_CAP_AUTH_GSSAPI
#define IMAP_CAP_AUTH_GSSAPI
RFC1731: GSSAPI authentication.
Definition: private.h:129

IMAP_RES_CONTINUE
#define IMAP_RES_CONTINUE
* ...
Definition: private.h:57

LL_DEBUG2
@ LL_DEBUG2
Log at debug level 2.
Definition: logging.h:41

LL_DEBUG1
@ LL_DEBUG1
Log at debug level 1.
Definition: logging.h:40

lib.h
Convenience wrapper for the library headers.

_
#define _(a)
Definition: message.h:28

mutt_buffer_pool_release
void mutt_buffer_pool_release(struct Buffer **pbuf)
Free a Buffer from the pool.
Definition: pool.c:112

mutt_buffer_pool_get
struct Buffer * mutt_buffer_pool_get(void)
Get a Buffer from the pool.
Definition: pool.c:101

adata.h
Pop-specific Account data.

private.h
GUI display the mailboxes in a side panel.

mutt_socket_send
#define mutt_socket_send(conn, buf)
Definition: socket.h:59

Buffer
String manipulation buffer.
Definition: buffer.h:34

Buffer::data
char * data
Pointer to data.
Definition: buffer.h:35

ConnAccount::user
char user[128]
Username.
Definition: connaccount.h:56

ConnAccount::host
char host[128]
Server to login to.
Definition: connaccount.h:54

Connection::account
struct ConnAccount account
Account details: username, password, etc.
Definition: connection.h:50

ImapAccountData
IMAP-specific Account data -.
Definition: adata.h:40

ImapAccountData::capabilities
ImapCapFlags capabilities
Capability flags.
Definition: adata.h:55

ImapAccountData::buf
char * buf
Definition: adata.h:59

ImapAccountData::conn
struct Connection * conn
Connection to IMAP server.
Definition: adata.h:41

NeoMutt
Container for Accounts, Notifications.
Definition: neomutt.h:37

NeoMutt::sub
struct ConfigSubset * sub
Inherited config items.
Definition: neomutt.h:39