2 * Copyright notice from original mutt:
3 * Copyright (C) 2000-2001 Vsevolod Volkov <vvv@mutt.org.ua>
5 * This file is part of mutt-ng, see http://www.muttng.org/.
6 * It's licensed under the GNU General Public License,
7 * please see the file GPL in the top level source directory.
14 #include <lib-lib/mem.h>
15 #include <lib-lib/ascii.h>
16 #include <lib-lib/macros.h>
17 #include <lib-hash/hash.h>
18 #include <lib-lib/debug.h>
29 #include <sasl/sasl.h>
30 #include <sasl/saslutil.h>
31 #include "mutt_sasl.h"
/*
 * SASL authenticator: drives the SASL client exchange over the POP
 * connection (the AUTH command), one base64 line per round trip.
 *
 * pop_data: POP session; pop_data->conn carries the socket and account.
 * method:   mechanism (list) to offer. When none is given, the list the
 *           server advertised (pop_data->auth_list) is used instead -- the
 *           condition guarding that fallback is on a line not shown here.
 * Returns POP_A_SUCCESS on a final "+OK" (after binding the SASL security
 * layer to the connection) and POP_A_FAILURE otherwise. When the reply
 * read fails, pop_data->status is set to POP_DISCONNECTED; the value
 * returned on that path is on a line not shown here.
 */
36 static pop_auth_res_t pop_auth_sasl (POP_DATA * pop_data, const char *method)
38 sasl_conn_t *saslconn;
39 sasl_interact_t *interaction = NULL;
/* buf: outgoing line and decoded server challenge; inbuf: raw server reply */
41 char buf[LONG_STRING];
42 char inbuf[LONG_STRING];
/* pc/olen: client response bytes handed back by sasl_client_start/step */
46 const char *pc = NULL;
48 unsigned int len, olen;
49 unsigned char client_start;
51 if (mutt_sasl_client_new (pop_data->conn, &saslconn) < 0) {
52 debug_print (1, ("Error allocating SASL connection.\n"));
/* fall back to the mechanisms the server advertised */
57 method = pop_data->auth_list;
/* sasl_client_start may ask for callback data (SASL_INTERACT); supply it
 * via mutt_sasl_interact and retry until it reports something else
 * (rc and mech are declared, and the loop is shaped, on lines not shown) */
62 sasl_client_start (saslconn, method, &interaction, &pc, &olen, &mech);
64 if (rc != SASL_INTERACT)
66 mutt_sasl_interact (interaction);
69 if (rc != SASL_OK && rc != SASL_CONTINUE) {
70 debug_print (1, ("Failure starting authentication exchange. No shared mechanisms?\n"));
72 /* SASL doesn't support suggested mechanisms, so fall back */
/* a non-empty initial response means the mechanism is client-first */
76 client_start = (olen > 0);
78 mutt_message _("Authenticating (SASL)...");
80 snprintf (buf, sizeof (buf), "AUTH %s", mech);
83 /* looping protocol */
/* Append CRLF after the olen bytes already in buf (olen is expected to be
 * the current length of buf; the assignment following the AUTH line is not
 * shown here). m_strcpy is presumably a bounded copy, so an encoded response
 * that nearly fills buf would lose its line terminator rather than overflow.
 * NOTE(review): consider checking that the encoded length leaves room for
 * the terminator instead of sending a truncated line. */
85 m_strcpy(buf + olen, sizeof(buf) - olen, "\r\n");
86 mutt_socket_write (pop_data->conn, buf);
87 if (mutt_socket_readln (inbuf, sizeof (inbuf), pop_data->conn) < 0) {
88 sasl_dispose (&saslconn);
89 pop_data->status = POP_DISCONNECTED;
93 if (rc != SASL_CONTINUE)
/* Server continuation ("+ <base64>"): decode the challenge into buf for the
 * next step. NOTE(review): the decode starts at inbuf, which still carries
 * the "+ " prefix matched just above; confirm whether the intended offset
 * is inbuf + 2 -- an undecodable prefix would make every continuation fail. */
97 if (!m_strncmp(inbuf, "+ ", 2)
98 && sasl_decode64 (inbuf, strlen (inbuf), buf, LONG_STRING - 1,
102 debug_print (1, ("error base64-decoding server response.\n"));
108 rc = sasl_client_step (saslconn, buf, len, &interaction, &pc, &olen);
109 if (rc != SASL_INTERACT)
111 mutt_sasl_interact (interaction);
/* leave the loop unless SASL wants another round, or it finished (SASL_OK)
 * with a final response that still has to be sent */
116 if (rc != SASL_CONTINUE && (olen == 0 || rc != SASL_OK))
119 /* send out response, or line break if none needed */
/* base64-encode the client bytes into buf; olen becomes the encoded length */
121 if (sasl_encode64 (pc, olen, buf, sizeof (buf), &olen) != SASL_OK) {
122 debug_print (1, ("error base64-encoding client response.\n"));
/* the comment below continues on lines not shown here */
126 /* sasl_client_st(art|ep) allocate pc with malloc, expect me to
/* final "+OK": attach the negotiated SASL security layer to the connection
 * so later traffic goes through it */
137 if (!m_strncmp(inbuf, "+OK", 3)) {
138 mutt_sasl_setup_conn (pop_data->conn, saslconn);
139 return POP_A_SUCCESS;
/* failure path: release the SASL context before reporting */
143 sasl_dispose (&saslconn);
145 /* terminate SASL session if the last response is not +OK nor -ERR */
146 if (!m_strncmp(inbuf, "+ ", 2)) {
147 snprintf (buf, sizeof (buf), "*\r\n");
148 if (pop_query (pop_data, buf, sizeof (buf)) == PQ_NOT_CONNECTED)
152 mutt_error _("SASL authentication failed.");
156 return POP_A_FAILURE;
/*
 * Get the server timestamp for APOP authentication.
 *
 * pop_data: POP session; any timestamp stored earlier is released first.
 * buf:      server line to scan -- expected to be the greeting banner, which
 *           is where APOP places the "<...>" timestamp. Only the first '<'
 *           and a '>' following it are considered.
 * On a match pop_data->timestamp receives a copy starting at '<' (the line
 * that cuts the copy off after '>' is not shown here); with no match it is
 * left as p_delete leaves it.
 */
161 void pop_apop_timestamp (POP_DATA * pop_data, char *buf)
/* drop whatever an earlier connection left behind */
165 p_delete(&pop_data->timestamp);
/* p1/p2 are declared on a line not shown here */
167 if ((p1 = strchr (buf, '<')) && (p2 = strchr (p1, '>'))) {
169 pop_data->timestamp = m_strdup(p1);
/*
 * APOP authenticator: proves knowledge of the password without sending it,
 * by returning MD5(timestamp || password) as 32 lowercase hex digits.
 *
 * pop_data: POP session; needs pop_data->timestamp (captured by
 *           pop_apop_timestamp) plus the account user name and password.
 * method:   not referenced in the body shown; present for the pop_auth_t
 *           function-pointer interface.
 * Returns POP_A_UNAVAIL when no timestamp was captured, POP_A_SUCCESS when
 * the APOP query succeeds, POP_A_FAILURE when the server rejects it; the
 * lost-connection and function-error cases return on lines not shown here.
 *
 * Security note: APOP only hides the password from a passive listener. The
 * digest is a single unsalted MD5 over the timestamp the listener also saw,
 * so password guesses can be tested against it offline; that is a property
 * of APOP itself, not of this implementation.
 */
174 static pop_auth_res_t pop_auth_apop (POP_DATA * pop_data, const char *method)
177 unsigned char digest[16];
179 char buf[LONG_STRING];
182 if (!pop_data->timestamp)
183 return POP_A_UNAVAIL;
185 mutt_message _("Authenticating (APOP)...");
187 /* Compute the authentication hash to send to the server */
/* mdContext is declared on a line not shown here */
188 MD5Init (&mdContext);
189 MD5Update (&mdContext, (unsigned char *) pop_data->timestamp,
190 strlen (pop_data->timestamp));
191 MD5Update (&mdContext, (unsigned char *) pop_data->conn->account.pass,
192 strlen (pop_data->conn->account.pass));
193 MD5Final (digest, &mdContext);
/* hex-encode the digest; hash (declared on a line not shown) must hold
 * 2 * sizeof digest + 1 bytes for the unbounded sprintf below to be safe */
195 for (i = 0; i < ssizeof(digest); i++)
196 sprintf (hash + 2 * i, "%02x", digest[i]);
198 /* Send APOP command to server */
199 snprintf(buf, sizeof(buf), "APOP %s %s\r\n", pop_data->conn->account.user,
202 switch (pop_query (pop_data, buf, sizeof (buf))) {
204 return POP_A_SUCCESS;
205 case PQ_NOT_CONNECTED:
207 case PFD_FUNCT_ERROR:
213 mutt_error ("%s %s", _("APOP authentication failed."), pop_data->err_msg);
216 return POP_A_FAILURE;
/*
 * USER/PASS authenticator: plain login. The password is written to the
 * socket in cleartext, so it is only as protected as the connection itself.
 *
 * pop_data: POP session; pop_data->cmd_user caches whether the server
 *           accepts USER (CMD_UNKNOWN until the first probe).
 * method:   not referenced in the body shown; present for the pop_auth_t
 *           function-pointer interface.
 * Returns POP_A_UNAVAIL if USER is already known to be unsupported,
 * POP_A_SUCCESS when the PASS query succeeds, POP_A_FAILURE when the server
 * rejects it; the lost-connection and function-error cases return on lines
 * not shown here.
 */
220 static pop_auth_res_t pop_auth_user (POP_DATA * pop_data, const char *method)
222 char buf[LONG_STRING];
223 pop_query_status ret;
225 if (pop_data->cmd_user == CMD_NOT_AVAILABLE)
226 return POP_A_UNAVAIL;
228 mutt_message _("Logging in...");
230 snprintf (buf, sizeof (buf), "USER %s\r\n", pop_data->conn->account.user);
231 ret = pop_query (pop_data, buf, sizeof (buf));
/* first probe: record the USER capability from the server's answer (the
 * condition choosing between the two assignments is on a line not shown) */
233 if (pop_data->cmd_user == CMD_UNKNOWN) {
235 pop_data->cmd_user = CMD_AVAILABLE;
237 debug_print (1, ("set USER capability\n"));
241 pop_data->cmd_user = CMD_NOT_AVAILABLE;
243 debug_print (1, ("unset USER capability\n"));
244 snprintf (pop_data->err_msg, sizeof (pop_data->err_msg),
245 _("Command USER is not supported by server."));
/* buf now holds the cleartext password. pop_query_d apparently takes a
 * separate string for the socket log, so the real line is only logged at
 * M_SOCK_LOG_FULL. NOTE(review): no zeroization of buf is visible before
 * the function returns, so the password copy stays on the stack. */
250 snprintf (buf, sizeof (buf), "PASS %s\r\n", pop_data->conn->account.pass);
251 ret = pop_query_d (pop_data, buf, sizeof (buf),
253 /* don't print the password unless we're at the ungodly debugging level */
254 DebugLevel < M_SOCK_LOG_FULL ? "PASS *\r\n" :
261 return POP_A_SUCCESS;
262 case PQ_NOT_CONNECTED:
264 case PFD_FUNCT_ERROR:
270 mutt_error ("%s %s", _("Login failed."), pop_data->err_msg);
273 return POP_A_FAILURE;
/*
 * Authenticator table, tried in this order when no method is configured.
 * The NULL-method entry (SASL) matches any configured method name and is
 * handed that name as the mechanism to request; the others match their
 * name case-insensitively. pop_authenticate stops at an entry with a NULL
 * function pointer (the terminator is on a line not shown here); the SASL
 * entry is likely wrapped in a build-time conditional, also not shown.
 */
276 static pop_auth_t pop_authenticators[] = {
278 {pop_auth_sasl, NULL},
280 {pop_auth_apop, "apop"},
281 {pop_auth_user, "user"},
288 * -1 - connection lost,
290 * -3 - authentication canceled.
/*
 * Authenticate the POP session with the configured or built-in methods.
 *
 * Credentials come from mutt_account_getuser/mutt_account_getpass (which
 * may prompt); an empty user name or password yields PFD_FUNCT_ERROR.
 * With PopAuthenticators set, each ':'-separated method name is matched
 * case-insensitively against pop_authenticators (the NULL-method SASL entry
 * matches any name). Otherwise every table entry is tried with its own
 * method. POP_A_SOCKET triggers a reconnect via pop_connect and one retry;
 * a loop ends on success, on a socket failure, or on a failure unless
 * OPTPOPAUTHTRYALL is set. PQ_NOT_CONNECTED is returned when the last
 * attempt lost the connection and "No authenticators available" is
 * reported when nothing applied; the remaining mappings from pop_auth_res_t
 * to pop_query_status are on lines not shown here.
 */
292 pop_query_status pop_authenticate (POP_DATA * pop_data)
294 ACCOUNT *act = &pop_data->conn->account;
295 pop_auth_t *authenticator;
300 int ret = POP_A_UNAVAIL;
/* refuse to proceed without both a user name and a password */
302 if (mutt_account_getuser (act) || !act->user[0] ||
303 mutt_account_getpass (act) || !act->pass[0])
304 return PFD_FUNCT_ERROR;
306 if (PopAuthenticators && *PopAuthenticators) {
307 /* Try user-specified list of authentication methods */
/* private copy, presumably so the list can be split in place; methods,
 * method and comma are declared on lines not shown here */
308 methods = m_strdup(PopAuthenticators);
312 comma = strchr (method, ':');
315 debug_print (2, ("Trying method %s\n", method));
316 authenticator = pop_authenticators;
318 while (authenticator->authenticate) {
/* a NULL table method matches any configured name (the SASL entry) */
319 if (!authenticator->method ||
320 !ascii_strcasecmp (authenticator->method, method)) {
321 ret = authenticator->authenticate (pop_data, method);
/* connection dropped mid-exchange: reconnect and retry this method once */
322 if (ret == POP_A_SOCKET)
323 switch (pop_connect (pop_data)) {
326 ret = authenticator->authenticate (pop_data, method);
333 if (ret != POP_A_UNAVAIL)
335 if (ret == POP_A_SUCCESS || ret == POP_A_SOCKET ||
336 (ret == POP_A_FAILURE && !option (OPTPOPAUTHTRYALL))) {
350 /* Fall back to default: any authenticator */
351 debug_print (2, ("Using any available method.\n"));
352 authenticator = pop_authenticators;
354 while (authenticator->authenticate) {
355 ret = authenticator->authenticate (pop_data, authenticator->method);
356 if (ret == POP_A_SOCKET)
357 switch (pop_connect (pop_data)) {
/* NOTE(review): unlike the retry in the configured-methods loop above, this
 * retry's result is not visibly stored in ret -- confirm the preceding line
 * (not shown here) assigns it; otherwise the retry outcome is discarded and
 * ret stays POP_A_SOCKET */
361 authenticator->authenticate (pop_data, authenticator->method);
368 if (ret != POP_A_UNAVAIL)
370 if (ret == POP_A_SUCCESS || ret == POP_A_SOCKET ||
371 (ret == POP_A_FAILURE && !option (OPTPOPAUTHTRYALL)))
/* reached when the last attempt lost the connection (surrounding lines not shown) */
382 return PQ_NOT_CONNECTED;
385 mutt_error (_("No authenticators available"));