Gnus development mailing list
* Use flim's sasl.el to authenticate to IMAP servers
@ 2004-03-23 17:20 Kim Minh Kaplan
  2004-05-16 14:25 ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 9+ messages in thread
From: Kim Minh Kaplan @ 2004-03-23 17:20 UTC (permalink / raw)


[-- Attachment #1: Type: text/plain, Size: 345 bytes --]

Hello,

I recently wanted to use authentication mechanisms other than the plain
IMAP LOGIN command.  Unfortunately, I could not get hold of the file
digest-md5.el that I needed.  But I found that flim¹ implements a
framework for SASL.  Attached is a patch to make it work with IMAP.

Kim Minh.

¹ <URL:ftp://ftp.m17n.org/pub/mule/flim/>


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: IMAP with SASL --]
[-- Type: text/x-patch, Size: 3401 bytes --]

--- imap.el.~6.67.~	2003-11-17 06:55:15.000000000 +0100
+++ imap.el	2004-03-23 18:01:05.000000000 +0100
@@ -143,6 +143,7 @@
   (autoload 'base64-encode-string "base64")
   (autoload 'starttls-open-stream "starttls")
   (autoload 'starttls-negotiate "starttls")
+  (autoload 'sasl-find-mechanism "sasl")
   (autoload 'digest-md5-parse-digest-challenge "digest-md5")
   (autoload 'digest-md5-digest-response "digest-md5")
   (autoload 'digest-md5-digest-uri "digest-md5")
@@ -297,6 +298,7 @@
 			      kerberos4
 			      digest-md5
 			      cram-md5
+			      sasl
 			      login
 			      anonymous)
   "Priority of authenticators to consider when authenticating to server.")
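Review bot: The position of `sasl` in this list matters more than the one-line change suggests, because it is tried before `login` and the predicate added later in this patch, `imap-sasl-auth-p`, accepts any advertised `AUTH=` name that sasl.el can handle. If sasl.el's mechanism table includes PLAIN or LOGIN (not visible here), the generic path also takes over servers that previously fell through to `imap-login-auth`, and with it the choice of how the password is obtained and sent. Consider listing `sasl` after `login`, or having `imap-sasl-make-mechanisms` skip mechanisms that already have a dedicated entry in this list. The variable's definition begins above the hunk.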
@@ -304,6 +306,7 @@
 (defvar imap-authenticator-alist
   '((gssapi     imap-gssapi-auth-p    imap-gssapi-auth)
     (kerberos4  imap-kerberos4-auth-p imap-kerberos4-auth)
+    (sasl	imap-sasl-auth-p      imap-sasl-auth)
     (cram-md5   imap-cram-md5-p       imap-cram-md5-auth)
     (login      imap-login-p          imap-login-auth)
     (anonymous  imap-anonymous-p      imap-anonymous-auth)
@@ -904,6 +907,61 @@
 		(concat "LOGIN anonymous \"" (concat (user-login-name) "@"
 						     (system-name)) "\"")))))
 
+(defun imap-sasl-make-mechanisms (buffer)
+  (let ((mecs '()))
+    (mapc (lambda (sym)
+	    (let ((name (symbol-name sym)))
+	      (if (and (> (length name) 5)
+		       (string-equal "AUTH=" (substring name 0 5 )))
+		  (setq mecs (cons (substring name 5) mecs)))))
+	  (imap-capability nil buffer))
+    mecs))
+
+(defun imap-sasl-auth-p (buffer)
+  (and (condition-case ()
+	   (require 'sasl)
+	 (error nil))
+       (sasl-find-mechanism (imap-sasl-make-mechanisms buffer))))
+
+(defun imap-sasl-auth (buffer)
+  "Login to server using the SASL method."
+  (message "imap: Authenticating using SASL...")
+  (with-current-buffer buffer
+    (make-local-variable 'imap-username)
+    (make-local-variable 'imap-sasl-client)
+    (make-local-variable 'imap-sasl-step)
+    (let ((mechanism (sasl-find-mechanism (imap-sasl-make-mechanisms buffer)))
+	  logged user)
+      (while (not logged)
+	(setq user (or imap-username
+		       (read-from-minibuffer
+			(concat "IMAP username for " imap-server " using SASL "
+				(sasl-mechanism-name mechanism) ": ")
+			(or user imap-default-user))))
+	(when user
+	  (setq imap-sasl-client (sasl-make-client mechanism user "imap2" imap-server)
+		imap-sasl-step (sasl-next-step imap-sasl-client nil))
+	  (let ((tag (imap-send-command
+		      (if (sasl-step-data imap-sasl-step)
+			  (format "AUTHENTICATE %s %s"
+				  (sasl-mechanism-name mechanism)
+				  (sasl-step-data imap-sasl-step))
+			(format "AUTHENTICATE %s" (sasl-mechanism-name mechanism)))
+		      buffer)))
+	    (while (eq (imap-wait-for-tag tag) 'INCOMPLETE)
+	      (sasl-step-set-data imap-sasl-step (base64-decode-string imap-continuation))
+	      (setq imap-continuation nil
+		    imap-sasl-step (sasl-next-step imap-sasl-client imap-sasl-step))
+	      (imap-send-command-1 (if (sasl-step-data imap-sasl-step)
+				       (base64-encode-string (sasl-step-data imap-sasl-step) t)
+				     "")))
+	    (if (imap-ok-p (imap-wait-for-tag tag))
+		(setq imap-username user
+		      logged t)
+	      (message "Login failed...")
+	      (sit-for 1)))))
+      logged)))
+
 (defun imap-digest-md5-p (buffer)
   (and (imap-capability 'AUTH=DIGEST-MD5 buffer)
        (condition-case ()
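Review bot: In `imap-sasl-auth`, the first `imap-send-command` puts `(sasl-step-data imap-sasl-step)` on the AUTHENTICATE line as raw bytes, whereas every later response in the loop goes through `base64-encode-string`; for a client-first mechanism that data can carry the credentials and arbitrary octets. Base IMAP4rev1 takes only the mechanism name on that line, and an initial response is valid only when base64-encoded and when the server advertises SASL-IR, which this code never checks. A safer shape is to always send the bare command and deliver the first step's data in reply to the first continuation, as sketched below (untested, and it assumes that continuation carries no challenge for client-first mechanisms). `imap-sasl-auth-p` also accepts every advertised `AUTH=` name without checking whether the stream is encrypted, so a PLAIN or LOGIN exchange could run over a cleartext connection. Finally, `imap-sasl-make-mechanisms` and `imap-sasl-auth-p` have no docstrings; the first could say `"Return the SASL mechanism names advertised by BUFFER's AUTH= capabilities."`.

```elisp
          ;; … unchanged: sasl-make-client and the first sasl-next-step …
          (let ((tag (imap-send-command
                      (format "AUTHENTICATE %s" (sasl-mechanism-name mechanism))
                      buffer))
                ;; Non-nil while a client-first response is still unsent.
                (initial (sasl-step-data imap-sasl-step)))
            (while (eq (imap-wait-for-tag tag) 'INCOMPLETE)
              (if initial
                  ;; Answer the first continuation with the data we already hold.
                  (setq initial nil)
                (sasl-step-set-data imap-sasl-step
                                    (base64-decode-string imap-continuation))
                (setq imap-sasl-step
                      (sasl-next-step imap-sasl-client imap-sasl-step)))
              (setq imap-continuation nil)
              (imap-send-command-1
               (if (sasl-step-data imap-sasl-step)
                   (base64-encode-string (sasl-step-data imap-sasl-step) t)
                 "")))
            ;; … unchanged: imap-ok-p check, "Login failed..." retry …
```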


* Re: Use flim's sasl.el to authenticate to IMAP servers
  2004-03-23 17:20 Use flim's sasl.el to authenticate to IMAP servers Kim Minh Kaplan
@ 2004-05-16 14:25 ` Lars Magne Ingebrigtsen
  2004-05-17  2:02   ` Katsumi Yamaoka
  2004-05-17  8:00   ` Use flim's sasl.el to authenticate to IMAP servers anti
  0 siblings, 2 replies; 9+ messages in thread
From: Lars Magne Ingebrigtsen @ 2004-05-16 14:25 UTC (permalink / raw)


Kim Minh Kaplan <kmkaplan@selfoffice.com> writes:

> I recently wanted to use other authentication mechanisms than plain
> IMAP LOGIN command.  Unfortunately, I could not get hold of the file
> digest-md5.el that I needed.  But I found that flim¹ implements a
> framework for SASL.  Attached is a patch to make it work with IMAP.

Thanks for the patch; I've applied it to No Gnus v0.3 (i. e., CVS).

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: Use flim's sasl.el to authenticate to IMAP servers
  2004-05-16 14:25 ` Lars Magne Ingebrigtsen
@ 2004-05-17  2:02   ` Katsumi Yamaoka
  2004-05-17 12:36     ` Lars Magne Ingebrigtsen
  2004-05-17  8:00   ` Use flim's sasl.el to authenticate to IMAP servers anti
  1 sibling, 1 reply; 9+ messages in thread
From: Katsumi Yamaoka @ 2004-05-17  2:02 UTC (permalink / raw)
  Cc: ding

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=iso-2022-jp-2, Size: 1453 bytes --]

Hi,

>>>>> In <m3zn88e9fg.fsf@quimbies.gnus.org>
>>>>>	Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

> Kim Minh Kaplan <kmkaplan@selfoffice.com> writes:

>> I recently wanted to use other authentication mechanisms than plain
>> IMAP LOGIN command.  Unfortunately, I could not get hold of the file
>> digest-md5.el that I needed.  But I found that flim¹ implements a
>> framework for SASL.  Attached is a patch to make it work with IMAP.

> Thanks for the patch; I've applied it to No Gnus v0.3 (i. e., CVS).

I'm using nnml, and the IMAP connection for fetching new mails
with the following mail source:

(setq mail-sources '((imap :server "MAILHOST" :port 143
			   :password "PASSWORD"
			   :stream starttls)))

The server's response is:

* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN]\
 MAILHOST IMAP4rev1 2001.315rh...

After the recent change, Gnus requires a password whenever I get
new mails, and fails to get them. :<

nnml: Reading incoming mail from imap...
imap: Connecting to MAILHOST...
imap: Connecting with STARTTLS...done
Waiting for response from MAILHOST...done
imap: Authenticating to `MAILHOST' using `sasl'...
imap: Authenticating using SASL...
PLAIN passphrase for yamaoka: 

The problem is solved by modifying the imap-authenticators
variable as follows:

(delq 'sasl imap-authenticators)

Is it always necessary to me?  Or, is there any other solution?

Regards,
-- 
Katsumi Yamaoka <yamaoka@jpl.org>




* Re: Use flim's sasl.el to authenticate to IMAP servers
  2004-05-16 14:25 ` Lars Magne Ingebrigtsen
  2004-05-17  2:02   ` Katsumi Yamaoka
@ 2004-05-17  8:00   ` anti
  1 sibling, 0 replies; 9+ messages in thread
From: anti @ 2004-05-17  8:00 UTC (permalink / raw)
  Cc: ding

Lars Magne Ingebrigtsen wrote:

>Kim Minh Kaplan <kmkaplan@selfoffice.com> writes:
>
>  
>
>>I recently wanted to use other authentication mechanisms than plain
>>IMAP LOGIN command.  Unfortunately, I could not get hold of the file
>>digest-md5.el that I needed.  But I found that flim¹ implements a
>>framework for SASL.  Attached is a patch to make it work with IMAP.
>>    
>>
>
>Thanks for the patch; I've applied it to No Gnus v0.3 (i. e., CVS).
>
>  
>
It's probably due to this change that I can't log into my imaps/plain
server any more. Here's the *Messages* part:

Opening nnimap server on hop...

imap: Connecting to hop...

imap: Opening SSL connection with `openssl s_client -quiet -ssl3 -connect %s:%p'...done

Waiting for response from hop...done

imap: Authenticating using SASL...

PLAIN passphrase for anti: 

PLAIN passphrase for anti: .

PLAIN passphrase for anti: ..

PLAIN passphrase for anti: ........

Unable to open server due to: Internal error, tag 6 status BAD code nil text Unexpected extra arguments to Authenticate

Opening nnimap server on hop...failed


If more debugging is needed, please advise.

anti




* Re: Use flim's sasl.el to authenticate to IMAP servers
  2004-05-17  2:02   ` Katsumi Yamaoka
@ 2004-05-17 12:36     ` Lars Magne Ingebrigtsen
  2004-05-17 12:38       ` Katsumi Yamaoka
  0 siblings, 1 reply; 9+ messages in thread
From: Lars Magne Ingebrigtsen @ 2004-05-17 12:36 UTC (permalink / raw)


Katsumi Yamaoka <yamaoka@jpl.org> writes:

> The problem is solved by modifying the imap-authenticators
> variable as follows:
>
> (delq 'sasl imap-authenticators)

I've commented out the sasl from the source now until someone who
knows what it's doing can take a look at it.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: Use flim's sasl.el to authenticate to IMAP servers
  2004-05-17 12:36     ` Lars Magne Ingebrigtsen
@ 2004-05-17 12:38       ` Katsumi Yamaoka
  2004-05-17 13:49         ` ~/.authinfo is now ignored for nnimap (was: Use flim's sasl.el to authenticate to IMAP servers) Ted Zlatanov
  0 siblings, 1 reply; 9+ messages in thread
From: Katsumi Yamaoka @ 2004-05-17 12:38 UTC (permalink / raw)


>>>>> In <m3isev44e6.fsf@quimbies.gnus.org>
>>>>>	Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

> Katsumi Yamaoka <yamaoka@jpl.org> writes:

>> The problem is solved by modifying the imap-authenticators
>> variable as follows:
>>
>> (delq 'sasl imap-authenticators)

> I've commented out the sasl from the source now until someone who
> knows what it's doing can take a look at it.  :-)

Thanks!
-- 
Katsumi Yamaoka <yamaoka@jpl.org>




* ~/.authinfo is now ignored for nnimap (was: Use flim's sasl.el to authenticate to IMAP servers)
  2004-05-17 12:38       ` Katsumi Yamaoka
@ 2004-05-17 13:49         ` Ted Zlatanov
  2004-05-17 15:11           ` ~/.authinfo is now ignored for nnimap Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 9+ messages in thread
From: Ted Zlatanov @ 2004-05-17 13:49 UTC (permalink / raw)
  Cc: ding

I'm not able to log in automatically through my ~/.authinfo file, like
I used to before (I get a LOGIN passphrase query).  This is probably
due to the changes made over the weekend.  Could someone look into it?

Thanks
Ted




* Re: ~/.authinfo is now ignored for nnimap
  2004-05-17 15:11           ` ~/.authinfo is now ignored for nnimap Lars Magne Ingebrigtsen
@ 2004-05-17 15:11             ` Ted Zlatanov
  0 siblings, 0 replies; 9+ messages in thread
From: Ted Zlatanov @ 2004-05-17 15:11 UTC (permalink / raw)


On Mon, 17 May 2004, larsi@gnus.org wrote:

> "Ted Zlatanov" <tzz@lifelogs.com> writes:
> 
>> I'm not able to log in automatically through my ~/.authinfo file, like
>> I used to before (I get a LOGIN passphrase query).  This is probably
>> due to the changes made over the weekend.  Could someone look into it?
> 
> It's fixed in CVS...

Thank you!

Ted




* Re: ~/.authinfo is now ignored for nnimap
  2004-05-17 13:49         ` ~/.authinfo is now ignored for nnimap (was: Use flim's sasl.el to authenticate to IMAP servers) Ted Zlatanov
@ 2004-05-17 15:11           ` Lars Magne Ingebrigtsen
  2004-05-17 15:11             ` Ted Zlatanov
  0 siblings, 1 reply; 9+ messages in thread
From: Lars Magne Ingebrigtsen @ 2004-05-17 15:11 UTC (permalink / raw)


"Ted Zlatanov" <tzz@lifelogs.com> writes:

> I'm not able to log in automatically through my ~/.authinfo file, like
> I used to before (I get a LOGIN passphrase query).  This is probably
> due to the changes made over the weekend.  Could someone look into it?

It's fixed in CVS...

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen



