auth__cram_8c_source.html

#include "config.h"

#include <string.h>

#include "private.h"

#include "mutt/lib.h"

#include "conn/lib.h"

#include "adata.h"

#include "auth.h"


#define MD5_BLOCK_LEN 64

#define MD5_DIGEST_LEN 16


static void hmac_md5(const char *password, const char *challenge, unsigned char *response)

{

  struct Md5Ctx md5ctx = { 0 };

  unsigned char ipad[MD5_BLOCK_LEN] = { 0 };

  unsigned char opad[MD5_BLOCK_LEN] = { 0 };

  unsigned char secret[MD5_BLOCK_LEN + 1] = { 0 };


  size_t secret_len = strlen(password);


  /* passwords longer than MD5_BLOCK_LEN bytes are substituted with their MD5

   * digests */

  if (secret_len > MD5_BLOCK_LEN)

  {

    unsigned char hash_passwd[MD5_DIGEST_LEN];

    mutt_md5_bytes(password, secret_len, hash_passwd);

    mutt_str_copy((char *) secret, (char *) hash_passwd, MD5_DIGEST_LEN);

    secret_len = MD5_DIGEST_LEN;

  }

  else

  {

    mutt_str_copy((char *) secret, password, sizeof(secret));

  }


  memcpy(ipad, secret, secret_len);

  memcpy(opad, secret, secret_len);


  for (int i = 0; i < MD5_BLOCK_LEN; i++)

  {

    ipad[i] ^= 0x36;

    opad[i] ^= 0x5c;

  }


  /* inner hash: challenge and ipadded secret */

  mutt_md5_init_ctx(&md5ctx);

  mutt_md5_process_bytes(ipad, MD5_BLOCK_LEN, &md5ctx);

  mutt_md5_process(challenge, &md5ctx);

  mutt_md5_finish_ctx(&md5ctx, response);


  /* outer hash: inner hash and opadded secret */

  mutt_md5_init_ctx(&md5ctx);

  mutt_md5_process_bytes(opad, MD5_BLOCK_LEN, &md5ctx);

  mutt_md5_process_bytes(response, MD5_DIGEST_LEN, &md5ctx);

  mutt_md5_finish_ctx(&md5ctx, response);

}


enum ImapAuthRes imap_auth_cram_md5(struct ImapAccountData *adata, const char *method)

{

  if (!(adata->capabilities & IMAP_CAP_AUTH_CRAM_MD5))

    return IMAP_AUTH_UNAVAIL;


  // L10N: (%s) is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL

  mutt_message(_("Authenticating (%s)..."), "CRAM-MD5");


  /* get auth info */

  if (mutt_account_getlogin(&adata->conn->account) < 0)

    return IMAP_AUTH_FAILURE;

  if (mutt_account_getpass(&adata->conn->account) < 0)

    return IMAP_AUTH_FAILURE;


  imap_cmd_start(adata, "AUTHENTICATE CRAM-MD5");


  struct Buffer *ibuf = buf_pool_get();

  struct Buffer *obuf = buf_pool_get();

  unsigned char hmac_response[MD5_DIGEST_LEN];

  int rc_step;

  enum ImapAuthRes rc = IMAP_AUTH_FAILURE;


  /* From RFC2195:

   * The data encoded in the first ready response contains a presumptively

   * arbitrary string of random digits, a timestamp, and the fully-qualified

   * primary host name of the server. The syntax of the unencoded form must

   * correspond to that of an RFC822 'msg-id' [RFC822] as described in [POP3].  */

  do

  {

    rc_step = imap_cmd_step(adata);

  } while (rc_step == IMAP_RES_CONTINUE);


  if (rc_step != IMAP_RES_RESPOND)

  {

    mutt_debug(LL_DEBUG1, "Invalid response from server\n");

    goto bail;

  }


  if (mutt_b64_decode(adata->buf + 2, obuf->data, obuf->dsize) == -1)

  {

    mutt_debug(LL_DEBUG1, "Error decoding base64 response\n");

    goto bail;

  }


  mutt_debug(LL_DEBUG2, "CRAM challenge: %s\n", buf_string(obuf));


  /* The client makes note of the data and then responds with a string

   * consisting of the user name, a space, and a 'digest'. The latter is

   * computed by applying the keyed MD5 algorithm from [KEYED-MD5] where the

   * key is a shared secret and the digested text is the timestamp (including

   * angle-brackets).

   *

   * Note: The user name shouldn't be quoted. Since the digest can't contain

   *   spaces, there is no ambiguity. Some servers get this wrong, we'll work

   *   around them when the bug report comes in. Until then, we'll remain

   *   blissfully RFC-compliant.  */

  hmac_md5(adata->conn->account.pass, buf_string(obuf), hmac_response);

  /* dubious optimisation I saw elsewhere: make the whole string in one call */

  int off = buf_printf(obuf, "%s ", adata->conn->account.user);

  mutt_md5_toascii(hmac_response, obuf->data + off);

  mutt_debug(LL_DEBUG2, "CRAM response: %s\n", buf_string(obuf));


  /* ibuf must be long enough to store the base64 encoding of obuf,

   * plus the additional debris */

  mutt_b64_encode(obuf->data, obuf->dsize, ibuf->data, ibuf->dsize - 2);

  buf_addstr(ibuf, "\r\n");

  mutt_socket_send(adata->conn, buf_string(ibuf));


  do

  {

    rc_step = imap_cmd_step(adata);

  } while (rc_step == IMAP_RES_CONTINUE);


  if (rc_step != IMAP_RES_OK)

  {

    mutt_debug(LL_DEBUG1, "Error receiving server response\n");

    goto bail;

  }


  if (imap_code(adata->buf))

    rc = IMAP_AUTH_SUCCESS;


bail:

  if (rc != IMAP_AUTH_SUCCESS)

  {

    // L10N: %s is the method name, e.g. Anonymous, CRAM-MD5, GSSAPI, SASL

    mutt_error(_("%s authentication failed"), "CRAM-MD5");

  }


  buf_pool_release(&ibuf);

  buf_pool_release(&obuf);

  return rc;

}


auth.h
IMAP authenticator multiplexor.

ImapAuthRes
ImapAuthRes
Results of IMAP Authentication.
Definition auth.h:39

IMAP_AUTH_FAILURE
@ IMAP_AUTH_FAILURE
Authentication failed.
Definition auth.h:41

IMAP_AUTH_SUCCESS
@ IMAP_AUTH_SUCCESS
Authentication successful.
Definition auth.h:40

IMAP_AUTH_UNAVAIL
@ IMAP_AUTH_UNAVAIL
Authentication method not permitted.
Definition auth.h:42

MD5_BLOCK_LEN
#define MD5_BLOCK_LEN
Definition auth_cram.c:39

hmac_md5
static void hmac_md5(const char *password, const char *challenge, unsigned char *response)
Produce CRAM-MD5 challenge response.
Definition auth_cram.c:48

MD5_DIGEST_LEN
#define MD5_DIGEST_LEN
Definition auth_cram.c:40

mutt_b64_encode
size_t mutt_b64_encode(const char *in, size_t inlen, char *out, size_t outlen)
Convert raw bytes to NUL-terminated base64 string.
Definition base64.c:87

mutt_b64_decode
int mutt_b64_decode(const char *in, char *out, size_t olen)
Convert NUL-terminated base64 string to raw bytes.
Definition base64.c:135

buf_printf
int buf_printf(struct Buffer *buf, const char *fmt,...)
Format a string overwriting a Buffer.
Definition buffer.c:161

buf_addstr
size_t buf_addstr(struct Buffer *buf, const char *s)
Add a string to a Buffer.
Definition buffer.c:226

buf_string
static const char * buf_string(const struct Buffer *buf)
Convert a buffer to a const char * "string".
Definition buffer.h:96

lib.h
Connection Library.

mutt_account_getpass
int mutt_account_getpass(struct ConnAccount *cac)
Fetch password into ConnAccount, if necessary.
Definition connaccount.c:131

mutt_account_getlogin
int mutt_account_getlogin(struct ConnAccount *cac)
Retrieve login info into ConnAccount, if necessary.
Definition connaccount.c:101

imap_auth_cram_md5
enum ImapAuthRes imap_auth_cram_md5(struct ImapAccountData *adata, const char *method)
Authenticate using CRAM-MD5 - Implements ImapAuth::authenticate() -.
Definition auth_cram.c:96

mutt_error
#define mutt_error(...)
Definition logging2.h:93

mutt_message
#define mutt_message(...)
Definition logging2.h:92

mutt_debug
#define mutt_debug(LEVEL,...)
Definition logging2.h:90

adata.h
Imap-specific Account data.

imap_cmd_start
int imap_cmd_start(struct ImapAccountData *adata, const char *cmdstr)
Given an IMAP command, send it to the server.
Definition command.c:1113

imap_cmd_step
int imap_cmd_step(struct ImapAccountData *adata)
Reads server responses from an IMAP command.
Definition command.c:1127

imap_code
bool imap_code(const char *s)
Was the command successful.
Definition command.c:1254

private.h
Shared constants/structs that are private to IMAP.

IMAP_CAP_AUTH_CRAM_MD5
#define IMAP_CAP_AUTH_CRAM_MD5
RFC2195: CRAM-MD5 authentication.
Definition private.h:126

IMAP_RES_RESPOND
#define IMAP_RES_RESPOND
+
Definition private.h:57

IMAP_RES_OK
#define IMAP_RES_OK
<tag> OK ...
Definition private.h:55

IMAP_RES_CONTINUE
#define IMAP_RES_CONTINUE
* ...
Definition private.h:56

LL_DEBUG2
@ LL_DEBUG2
Log at debug level 2.
Definition logging2.h:45

LL_DEBUG1
@ LL_DEBUG1
Log at debug level 1.
Definition logging2.h:44

mutt_md5_process_bytes
void mutt_md5_process_bytes(const void *buf, size_t buflen, struct Md5Ctx *md5ctx)
Process a block of data.
Definition md5.c:373

mutt_md5_bytes
void * mutt_md5_bytes(const void *buffer, size_t len, void *resbuf)
Calculate the MD5 hash of a buffer.
Definition md5.c:336

mutt_md5_process
void mutt_md5_process(const char *str, struct Md5Ctx *md5ctx)
Process a NUL-terminated string.
Definition md5.c:355

mutt_md5_init_ctx
void mutt_md5_init_ctx(struct Md5Ctx *md5ctx)
Initialise the MD5 computation.
Definition md5.c:261

mutt_md5_finish_ctx
void * mutt_md5_finish_ctx(struct Md5Ctx *md5ctx, void *resbuf)
Process the remaining bytes in the buffer.
Definition md5.c:285

mutt_md5_toascii
void mutt_md5_toascii(const void *digest, char *resbuf)
Convert a binary MD5 digest into ASCII Hexadecimal.
Definition md5.c:456

lib.h
Convenience wrapper for the library headers.

_
#define _(a)
Definition message.h:28

mutt_str_copy
size_t mutt_str_copy(char *dest, const char *src, size_t dsize)
Copy a string into a buffer (guaranteeing NUL-termination)
Definition string.c:581

buf_pool_get
struct Buffer * buf_pool_get(void)
Get a Buffer from the pool.
Definition pool.c:82

buf_pool_release
void buf_pool_release(struct Buffer **ptr)
Return a Buffer to the pool.
Definition pool.c:96

mutt_socket_send
#define mutt_socket_send(conn, buf)
Definition socket.h:57

Buffer
String manipulation buffer.
Definition buffer.h:36

Buffer::dsize
size_t dsize
Length of data.
Definition buffer.h:39

Buffer::data
char * data
Pointer to data.
Definition buffer.h:37

ConnAccount::user
char user[128]
Username.
Definition connaccount.h:56

ConnAccount::pass
char pass[256]
Password.
Definition connaccount.h:57

Connection::account
struct ConnAccount account
Account details: username, password, etc.
Definition connection.h:49

ImapAccountData
IMAP-specific Account data -.
Definition adata.h:40

ImapAccountData::capabilities
ImapCapFlags capabilities
Capability flags.
Definition adata.h:55

ImapAccountData::buf
char * buf
Definition adata.h:59

ImapAccountData::conn
struct Connection * conn
Connection to IMAP server.
Definition adata.h:41

Md5Ctx
Cursor for the MD5 hashing.
Definition md5.h:37