NeoMutt  2025-04-04-8-g381e07
Teaching an old dog new tricks
 		DOXYGEN
Loading...
Searching...
No Matches
auth_gss.c
Go to the documentation of this file.
1
38#include "config.h"
39#include <arpa/inet.h>
40#include <stdio.h>
41#include <string.h>
42#include "private.h"
43#include "mutt/lib.h"
44#include "config/lib.h"
45#include "core/lib.h"
46#include "conn/lib.h"
47#include "adata.h"
48#include "auth.h"
49#ifdef HAVE_HEIMDAL
50#include <gssapi/gssapi.h>
51#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
52#else
53#include <gssapi/gssapi.h>
54#include <gssapi/gssapi_generic.h>
55#endif
56
57#define GSS_AUTH_P_NONE 1
58#define GSS_AUTH_P_INTEGRITY 2
59#define GSS_AUTH_P_PRIVACY 4
60
66static void print_gss_error(OM_uint32 err_maj, OM_uint32 err_min)
67{
68 OM_uint32 maj_stat, min_stat;
69 OM_uint32 msg_ctx = 0;
70 gss_buffer_desc status_string;
71 char buf_maj[512] = { 0 };
72 char buf_min[512] = { 0 };
73
74 do
75 {
76 maj_stat = gss_display_status(&min_stat, err_maj, GSS_C_GSS_CODE,
77 GSS_C_NO_OID, &msg_ctx, &status_string);
78 if (GSS_ERROR(maj_stat))
79 break;
80 size_t status_len = status_string.length;
81 if (status_len >= sizeof(buf_maj))
82 status_len = sizeof(buf_maj) - 1;
83 strncpy(buf_maj, (char *) status_string.value, status_len);
84 buf_maj[status_len] = '\0';
85 gss_release_buffer(&min_stat, &status_string);
86
87 maj_stat = gss_display_status(&min_stat, err_min, GSS_C_MECH_CODE,
88 GSS_C_NULL_OID, &msg_ctx, &status_string);
89 if (!GSS_ERROR(maj_stat))
90 {
91 status_len = status_string.length;
92 if (status_len >= sizeof(buf_min))
93 status_len = sizeof(buf_min) - 1;
94 strncpy(buf_min, (char *) status_string.value, status_len);
95 buf_min[status_len] = '\0';
96 gss_release_buffer(&min_stat, &status_string);
97 }
98 } while (!GSS_ERROR(maj_stat) && (msg_ctx != 0));
99
100 mutt_debug(LL_DEBUG2, "((%s:%d )(%s:%d))\n", buf_maj, err_maj, buf_min, err_min);
101}
102
106enum ImapAuthRes imap_auth_gss(struct ImapAccountData *adata, const char *method)
107{
108 gss_buffer_desc request_buf, send_token;
109 gss_buffer_t sec_token;
110 gss_name_t target_name;
111 gss_ctx_id_t context;
112 gss_OID mech_name;
113 char server_conf_flags;
114 gss_qop_t quality;
115 int cflags;
116 OM_uint32 maj_stat, min_stat;
117 unsigned long buf_size;
118 int rc2, rc = IMAP_AUTH_FAILURE;
119
120 if (!(adata->capabilities & IMAP_CAP_AUTH_GSSAPI))
121 return IMAP_AUTH_UNAVAIL;
122
123 if (mutt_account_getuser(&adata->conn->account) < 0)
124 return IMAP_AUTH_FAILURE;
125
126 struct Buffer *buf1 = buf_pool_get();
127 struct Buffer *buf2 = buf_pool_get();
128
129 /* get an IMAP service ticket for the server */
130 buf_printf(buf1, "imap@%s", adata->conn->account.host);
131 request_buf.value = buf1->data;
132 request_buf.length = buf_len(buf1);
133
134 const short c_debug_level = cs_subset_number(NeoMutt->sub, "debug_level");
135 maj_stat = gss_import_name(&min_stat, &request_buf, gss_nt_service_name, &target_name);
136 if (maj_stat != GSS_S_COMPLETE)
137 {
138 mutt_debug(LL_DEBUG2, "Couldn't get service name for [%s]\n", buf1->data);
139 rc = IMAP_AUTH_UNAVAIL;
140 goto cleanup;
141 }
142 else if (c_debug_level >= 2)
143 {
144 gss_display_name(&min_stat, target_name, &request_buf, &mech_name);
145 mutt_debug(LL_DEBUG2, "Using service name [%s]\n", (char *) request_buf.value);
146 gss_release_buffer(&min_stat, &request_buf);
147 }
148 /* Acquire initial credentials - without a TGT GSSAPI is UNAVAIL */
149 sec_token = GSS_C_NO_BUFFER;
150 context = GSS_C_NO_CONTEXT;
151
152 /* build token */
153 maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, &context, target_name,
154 GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
155 0, GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,
156 &send_token, (unsigned int *) &cflags, NULL);
157 if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
158 {
159 print_gss_error(maj_stat, min_stat);
160 mutt_debug(LL_DEBUG1, "Error acquiring credentials - no TGT?\n");
161 gss_release_name(&min_stat, &target_name);
162
163 rc = IMAP_AUTH_UNAVAIL;
164 goto cleanup;
165 }
166
167 /* now begin login */
168 // L10N: (%s) is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
169 mutt_message(_("Authenticating (%s)..."), "GSSAPI");
170
171 imap_cmd_start(adata, "AUTHENTICATE GSSAPI");
172
173 /* expect a null continuation response ("+") */
174 do
175 {
176 rc2 = imap_cmd_step(adata);
177 } while (rc2 == IMAP_RES_CONTINUE);
178
179 if (rc2 != IMAP_RES_RESPOND)
180 {
181 mutt_debug(LL_DEBUG2, "Invalid response from server: %s\n", buf1->data);
182 gss_release_name(&min_stat, &target_name);
183 goto bail;
184 }
185
186 /* now start the security context initialisation loop... */
187 mutt_debug(LL_DEBUG2, "Sending credentials\n");
188 mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
189 gss_release_buffer(&min_stat, &send_token);
190 buf_addstr(buf1, "\r\n");
191 mutt_socket_send(adata->conn, buf_string(buf1));
192
193 while (maj_stat == GSS_S_CONTINUE_NEEDED)
194 {
195 /* Read server data */
196 do
197 {
198 rc2 = imap_cmd_step(adata);
199 } while (rc2 == IMAP_RES_CONTINUE);
200
201 if (rc2 != IMAP_RES_RESPOND)
202 {
203 mutt_debug(LL_DEBUG1, "#1 Error receiving server response\n");
204 gss_release_name(&min_stat, &target_name);
205 goto bail;
206 }
207
208 if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)
209 {
210 mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");
211 gss_release_name(&min_stat, &target_name);
212 goto err_abort_cmd;
213 }
214 request_buf.value = buf2->data;
215 request_buf.length = buf_len(buf2);
216 sec_token = &request_buf;
217
218 /* Write client data */
219 maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, &context, target_name,
220 GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
221 0, GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL,
222 &send_token, (unsigned int *) &cflags, NULL);
223 if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))
224 {
225 print_gss_error(maj_stat, min_stat);
226 mutt_debug(LL_DEBUG1, "Error exchanging credentials\n");
227 gss_release_name(&min_stat, &target_name);
228
229 goto err_abort_cmd;
230 }
231 mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
232 gss_release_buffer(&min_stat, &send_token);
233 buf_addstr(buf1, "\r\n");
234 mutt_socket_send(adata->conn, buf_string(buf1));
235 }
236
237 gss_release_name(&min_stat, &target_name);
238
239 /* get security flags and buffer size */
240 do
241 {
242 rc2 = imap_cmd_step(adata);
243 } while (rc2 == IMAP_RES_CONTINUE);
244
245 if (rc2 != IMAP_RES_RESPOND)
246 {
247 mutt_debug(LL_DEBUG1, "#2 Error receiving server response\n");
248 goto bail;
249 }
250 if (mutt_b64_buffer_decode(buf2, adata->buf + 2) < 0)
251 {
252 mutt_debug(LL_DEBUG1, "Invalid base64 server response\n");
253 goto err_abort_cmd;
254 }
255 request_buf.value = buf2->data;
256 request_buf.length = buf_len(buf2);
257
258 maj_stat = gss_unwrap(&min_stat, context, &request_buf, &send_token, &cflags, &quality);
259 if (maj_stat != GSS_S_COMPLETE)
260 {
261 print_gss_error(maj_stat, min_stat);
262 mutt_debug(LL_DEBUG2, "Couldn't unwrap security level data\n");
263 gss_release_buffer(&min_stat, &send_token);
264 goto err_abort_cmd;
265 }
266 mutt_debug(LL_DEBUG2, "Credential exchange complete\n");
267
268 /* first byte is security levels supported. We want NONE */
269 server_conf_flags = ((char *) send_token.value)[0];
270 if (!(((char *) send_token.value)[0] & GSS_AUTH_P_NONE))
271 {
272 mutt_debug(LL_DEBUG2, "Server requires integrity or privacy\n");
273 gss_release_buffer(&min_stat, &send_token);
274 goto err_abort_cmd;
275 }
276
277 /* we don't care about buffer size if we don't wrap content. But here it is */
278 ((char *) send_token.value)[0] = '\0';
279 buf_size = ntohl(*((long *) send_token.value));
280 gss_release_buffer(&min_stat, &send_token);
281 mutt_debug(LL_DEBUG2, "Unwrapped security level flags: %c%c%c\n",
282 (server_conf_flags & GSS_AUTH_P_NONE) ? 'N' : '-',
283 (server_conf_flags & GSS_AUTH_P_INTEGRITY) ? 'I' : '-',
284 (server_conf_flags & GSS_AUTH_P_PRIVACY) ? 'P' : '-');
285 mutt_debug(LL_DEBUG2, "Maximum GSS token size is %ld\n", buf_size);
286
287 /* agree to terms (hack!) */
288 buf_size = htonl(buf_size); /* not relevant without integrity/privacy */
289 buf_reset(buf1);
290 buf_addch(buf1, GSS_AUTH_P_NONE);
291 buf_addstr_n(buf1, ((char *) &buf_size) + 1, 3);
292 /* server decides if principal can log in as user */
293 buf_addstr(buf1, adata->conn->account.user);
294 request_buf.value = buf1->data;
295 request_buf.length = buf_len(buf1);
296 maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
297 &cflags, &send_token);
298 if (maj_stat != GSS_S_COMPLETE)
299 {
300 mutt_debug(LL_DEBUG2, "Error creating login request\n");
301 goto err_abort_cmd;
302 }
303
304 mutt_b64_buffer_encode(buf1, send_token.value, send_token.length);
305 mutt_debug(LL_DEBUG2, "Requesting authorisation as %s\n", adata->conn->account.user);
306 buf_addstr(buf1, "\r\n");
307 mutt_socket_send(adata->conn, buf_string(buf1));
308
309 /* Joy of victory or agony of defeat? */
310 do
311 {
312 rc2 = imap_cmd_step(adata);
313 } while (rc2 == IMAP_RES_CONTINUE);
314 if (rc2 == IMAP_RES_RESPOND)
315 {
316 mutt_debug(LL_DEBUG1, "Unexpected server continuation request\n");
317 goto err_abort_cmd;
318 }
319 if (imap_code(adata->buf))
320 {
321 /* flush the security context */
322 mutt_debug(LL_DEBUG2, "Releasing GSS credentials\n");
323 maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);
324 if (maj_stat != GSS_S_COMPLETE)
325 mutt_debug(LL_DEBUG1, "Error releasing credentials\n");
326
327 /* send_token may contain a notification to the server to flush
328 * credentials. RFC1731 doesn't specify what to do, and since this
329 * support is only for authentication, we'll assume the server knows
330 * enough to flush its own credentials */
331 gss_release_buffer(&min_stat, &send_token);
332
333 rc = IMAP_AUTH_SUCCESS;
334 goto cleanup;
335 }
336 else
337 {
338 goto bail;
339 }
340
341err_abort_cmd:
342 mutt_socket_send(adata->conn, "*\r\n");
343 do
344 {
345 rc2 = imap_cmd_step(adata);
346 } while (rc2 == IMAP_RES_CONTINUE);
347
348bail:
349 // L10N: %s is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL
350 mutt_error(_("%s authentication failed"), "GSSAPI");
351 rc = IMAP_AUTH_FAILURE;
352
353cleanup:
354 buf_pool_release(&buf1);
355 buf_pool_release(&buf2);
356
357 return rc;
358}
auth.h
IMAP authenticator multiplexor.
ImapAuthRes
ImapAuthRes
Results of IMAP Authentication.
Definition: auth.h:39
IMAP_AUTH_FAILURE
@ IMAP_AUTH_FAILURE
Authentication failed.
Definition: auth.h:41
IMAP_AUTH_SUCCESS
@ IMAP_AUTH_SUCCESS
Authentication successful.
Definition: auth.h:40
IMAP_AUTH_UNAVAIL
@ IMAP_AUTH_UNAVAIL
Authentication method not permitted.
Definition: auth.h:42
GSS_AUTH_P_NONE
#define GSS_AUTH_P_NONE
Definition: auth_gss.c:57
print_gss_error
static void print_gss_error(OM_uint32 err_maj, OM_uint32 err_min)
Print detailed error message to the debug log.
Definition: auth_gss.c:66
GSS_AUTH_P_PRIVACY
#define GSS_AUTH_P_PRIVACY
Definition: auth_gss.c:59
GSS_AUTH_P_INTEGRITY
#define GSS_AUTH_P_INTEGRITY
Definition: auth_gss.c:58
mutt_b64_buffer_encode
size_t mutt_b64_buffer_encode(struct Buffer *buf, const char *in, size_t len)
Convert raw bytes to NUL-terminated base64 string.
Definition: base64.c:198
mutt_b64_buffer_decode
int mutt_b64_buffer_decode(struct Buffer *buf, const char *in)
Convert NUL-terminated base64 string to raw bytes.
Definition: base64.c:216
buf_printf
int buf_printf(struct Buffer *buf, const char *fmt,...)
Format a string overwriting a Buffer.
Definition: buffer.c:161
buf_addstr_n
size_t buf_addstr_n(struct Buffer *buf, const char *s, size_t len)
Add a string to a Buffer, expanding it if necessary.
Definition: buffer.c:96
buf_len
size_t buf_len(const struct Buffer *buf)
Calculate the length of a Buffer.
Definition: buffer.c:491
buf_reset
void buf_reset(struct Buffer *buf)
Reset an existing Buffer.
Definition: buffer.c:76
buf_addch
size_t buf_addch(struct Buffer *buf, char c)
Add a single character to a Buffer.
Definition: buffer.c:241
buf_addstr
size_t buf_addstr(struct Buffer *buf, const char *s)
Add a string to a Buffer.
Definition: buffer.c:226
buf_string
static const char * buf_string(const struct Buffer *buf)
Convert a buffer to a const char * "string".
Definition: buffer.h:96
cs_subset_number
short cs_subset_number(const struct ConfigSubset *sub, const char *name)
Get a number config item by name.
Definition: helpers.c:143
lib.h
Convenience wrapper for the config headers.
lib.h
Connection Library.
mutt_account_getuser
int mutt_account_getuser(struct ConnAccount *cac)
Retrieve username into ConnAccount, if necessary.
Definition: connaccount.c:52
lib.h
Convenience wrapper for the core headers.
imap_auth_gss
enum ImapAuthRes imap_auth_gss(struct ImapAccountData *adata, const char *method)
GSS Authentication support - Implements ImapAuth::authenticate() -.
Definition: auth_gss.c:106
mutt_error
#define mutt_error(...)
Definition: logging2.h:93
mutt_message
#define mutt_message(...)
Definition: logging2.h:92
mutt_debug
#define mutt_debug(LEVEL,...)
Definition: logging2.h:90
imap_cmd_start
int imap_cmd_start(struct ImapAccountData *adata, const char *cmdstr)
Given an IMAP command, send it to the server.
Definition: command.c:1114
imap_cmd_step
int imap_cmd_step(struct ImapAccountData *adata)
Reads server responses from an IMAP command.
Definition: command.c:1128
imap_code
bool imap_code(const char *s)
Was the command successful.
Definition: command.c:1255
IMAP_RES_RESPOND
#define IMAP_RES_RESPOND
+
Definition: private.h:57
IMAP_CAP_AUTH_GSSAPI
#define IMAP_CAP_AUTH_GSSAPI
RFC1731: GSSAPI authentication.
Definition: private.h:127
IMAP_RES_CONTINUE
#define IMAP_RES_CONTINUE
* ...
Definition: private.h:56
LL_DEBUG2
@ LL_DEBUG2
Log at debug level 2.
Definition: logging2.h:45
LL_DEBUG1
@ LL_DEBUG1
Log at debug level 1.
Definition: logging2.h:44
lib.h
Convenience wrapper for the library headers.
_
#define _(a)
Definition: message.h:28
buf_pool_get
struct Buffer * buf_pool_get(void)
Get a Buffer from the pool.
Definition: pool.c:82
buf_pool_release
void buf_pool_release(struct Buffer **ptr)
Return a Buffer to the pool.
Definition: pool.c:96
adata.h
Pop-specific Account data.
private.h
GUI display the mailboxes in a side panel.
mutt_socket_send
#define mutt_socket_send(conn, buf)
Definition: socket.h:57
Buffer
String manipulation buffer.
Definition: buffer.h:36
Buffer::data
char * data
Pointer to data.
Definition: buffer.h:37
ConnAccount::user
char user[128]
Username.
Definition: connaccount.h:56
ConnAccount::host
char host[128]
Server to login to.
Definition: connaccount.h:54
Connection::account
struct ConnAccount account
Account details: username, password, etc.
Definition: connection.h:49
ImapAccountData
IMAP-specific Account data -.
Definition: adata.h:40
ImapAccountData::capabilities
ImapCapFlags capabilities
Capability flags.
Definition: adata.h:55
ImapAccountData::buf
char * buf
Definition: adata.h:59
ImapAccountData::conn
struct Connection * conn
Connection to IMAP server.
Definition: adata.h:41
NeoMutt
Container for Accounts, Notifications.
Definition: neomutt.h:43
NeoMutt::sub
struct ConfigSubset * sub
Inherited config items.
Definition: neomutt.h:47