Switch to rsasl SASL provider

Author: dequbed

Cargo.toml

@@ -26,7 +26,7 @@ regex = "1.0"
 bufstream = "0.1.3"
 imap-proto = "0.16.1"
 nom = { version = "7.1.0", default-features = false }
-base64 = "0.13"
+rsasl = { git = "https://github.com/dequbed/rsasl", branch = "development", features = ["provider_base64"] }
 chrono = { version = "0.4", default-features = false, features = ["std"]}
 lazy_static = "1.4"
 ouroboros = "0.15.0"
@@ -41,6 +41,8 @@ encoding = "0.2.32"
 failure = "0.1.8"
 mime = "0.3.4"
 
+rsasl = { git = "https://github.com/dequbed/rsasl", branch = "development", features = ["config_builder", "scram-sha-2", "plain"] }
+
 [[example]]
 name = "basic"
 required-features = ["default"]

examples/rustls_sasl.rs

@@ -0,0 +1,59 @@
+extern crate imap;
+
+use std::{env, error::Error};
+use rsasl::config::SASLConfig;
+use rsasl::prelude::Mechname;
+
+fn main() -> Result<(), Box<dyn Error>> {
+    // Read config from environment or .env file
+    let host = env::var("HOST").expect("missing envvar host");
+    let user = env::var("MAILUSER").expect("missing envvar USER");
+    let password = env::var("PASSWORD").expect("missing envvar password");
+    let port = 993;
+
+    if let Some(email) = fetch_inbox_top(host, user, password, port)? {
+        println!("{}", &email);
+    }
+
+    Ok(())
+}
+
+fn fetch_inbox_top(
+    host: String,
+    user: String,
+    password: String,
+    port: u16,
+) -> Result<Option<String>, Box<dyn Error>> {
+    let client = imap::ClientBuilder::new(&host, port).rustls()?;
+
+    let saslconfig = SASLConfig::with_credentials(None, user, password).unwrap();
+
+    let mechanism = Mechname::parse(b"SCRAM-SHA-256").unwrap();
+
+    // the client we have here is unauthenticated.
+    // to do anything useful with the e-mails, we need to log in
+    let mut imap_session = client.authenticate(saslconfig, mechanism).map_err(|e| e.0)?;
+
+    // we want to fetch the first email in the INBOX mailbox
+    imap_session.select("INBOX")?;
+
+    // fetch message number 1 in this mailbox, along with its RFC822 field.
+    // RFC 822 dictates the format of the body of e-mails
+    let messages = imap_session.fetch("1", "RFC822")?;
+    let message = if let Some(m) = messages.iter().next() {
+        m
+    } else {
+        return Ok(None);
+    };
+
+    // extract the message's body
+    let body = message.body().expect("message did not have a body!");
+    let body = std::str::from_utf8(body)
+        .expect("message was not valid utf-8")
+        .to_string();
+
+    // be nice to the server and log out
+    imap_session.logout()?;
+
+    Ok(Some(body))
+}

src/authenticator.rs

@@ -6,8 +6,9 @@ use std::io::{Read, Write};
 use std::ops::{Deref, DerefMut};
 use std::str;
 use std::sync::mpsc;
+use std::sync::Arc;
+use rsasl::prelude::{Mechname, SASLClient, SASLConfig, Session as SASLSession, State as SASLState};
 
-use super::authenticator::Authenticator;
 use super::error::{Bad, Bye, Error, No, ParseError, Result, ValidateError};
 use super::extensions;
 use super::parse::*;
@@ -432,70 +433,91 @@ impl<T: Read + Write> Client<T> {
     ///     };
     /// }
     /// ```
-    pub fn authenticate<A: Authenticator>(
+    pub fn authenticate(
         mut self,
-        auth_type: impl AsRef<str>,
-        authenticator: &A,
+        config: Arc<SASLConfig>,
+        mechanism: &Mechname,
     ) -> ::std::result::Result<Session<T>, (Error, Client<T>)> {
+        let client = SASLClient::new(config);
+        let session = ok_or_unauth_client_err!(
+            // TODO: Allow rsasl to select the mechanism
+            client.start_suggested(&[mechanism]).map_err(Error::AuthenticationSetup),
+            self
+        );
+        // TODO: check for `SASL-IR` capability and send initial data if it's supported.
         ok_or_unauth_client_err!(
-            self.run_command(&format!("AUTHENTICATE {}", auth_type.as_ref())),
+            self.run_command(&format!("AUTHENTICATE {}", mechanism.as_str())),
             self
         );
-        self.do_auth_handshake(authenticator)
+        self.do_auth_handshake(session)
     }
 
     /// This func does the handshake process once the authenticate command is made.
-    fn do_auth_handshake<A: Authenticator>(
+    fn do_auth_handshake(
         mut self,
-        authenticator: &A,
+        mut authenticator: SASLSession,
     ) -> ::std::result::Result<Session<T>, (Error, Client<T>)> {
-        // TODO Clean up this code
-        loop {
-            let mut line = Vec::new();
-
-            // explicit match blocks neccessary to convert error to tuple and not bind self too
-            // early (see also comment on `login`)
-            ok_or_unauth_client_err!(self.readline(&mut line), self);
-
-            // ignore server comments
-            if line.starts_with(b"* ") {
-                continue;
-            }
-
-            // Some servers will only send `+\r\n`.
-            if line.starts_with(b"+ ") || &line == b"+\r\n" {
-                let challenge = if &line == b"+\r\n" {
-                    Vec::new()
-                } else {
-                    let line_str = ok_or_unauth_client_err!(
-                        match str::from_utf8(line.as_slice()) {
-                            Ok(line_str) => Ok(line_str),
-                            Err(e) => Err(Error::Parse(ParseError::DataNotUtf8(line, e))),
-                        },
-                        self
-                    );
-                    let data =
-                        ok_or_unauth_client_err!(parse_authenticate_response(line_str), self);
-                    ok_or_unauth_client_err!(
-                        base64::decode(data).map_err(|e| Error::Parse(ParseError::Authentication(
-                            data.to_string(),
-                            Some(e)
-                        ))),
-                        self
-                    )
-                };
-
-                let raw_response = &authenticator.process(&challenge);
-                let auth_response = base64::encode(raw_response);
-                ok_or_unauth_client_err!(
-                    self.write_line(auth_response.into_bytes().as_slice()),
+        let mut line = Vec::new();
+        let mut output = Vec::new();
+        let mut state = SASLState::Running;
+
+        while {
+            while {
+                // Drop all read data
+                line.clear();
+                // explicit match blocks necessary to convert error to tuple and not bind self too
+                // early (see also comment on `login`)
+                ok_or_unauth_client_err!(self.readline(&mut line), self);
+
+                // ignore server comments — keep going until a line not starting with * is found
+                line.starts_with(b"* ")
+            } {}
+
+            line.starts_with(b"+ ") || &line == b"+\r\n"
+        } {
+            let challenge = if &line == b"+\r\n" {
+                None
+            } else {
+                let line_str = ok_or_unauth_client_err!(
+                    match str::from_utf8(line.as_slice()) {
+                        Ok(line_str) => Ok(line_str),
+                        Err(e) => Err(Error::Parse(ParseError::DataNotUtf8(line.clone(), e))),
+                    },
                     self
                 );
-            } else {
-                ok_or_unauth_client_err!(self.read_response_onto(&mut line), self);
-                return Ok(Session::new(self.conn));
-            }
+                let data = ok_or_unauth_client_err!(parse_authenticate_response(line_str), self);
+                if data.is_empty() {
+                    None
+                } else {
+                    Some(data.as_bytes())
+                }
+            };
+
+            // Remove all data written in a previous round
+            output.clear();
+            state = ok_or_unauth_client_err!(
+                authenticator.step64(challenge, &mut output).map_err(Error::Authentication),
+                self
+            );
+
+            ok_or_unauth_client_err!(
+                self.write_line(output.as_slice()),
+                self
+            );
+        }
+
+        // It's important to call the SASL mechanism one last time when the server indicates
+        // finished authentication but the SASL session doesn't; otherwise a server could subvert
+        // mutual authentication.
+        if state.is_running() {
+            ok_or_unauth_client_err!(
+                authenticator.step64(None, &mut output).map_err(Error::Authentication),
+                self
+            );
         }
+
+        ok_or_unauth_client_err!(self.read_response_onto(&mut line), self);
+        return Ok(Session::new(self.conn));
     }
 }
 

src/client.rs

@@ -7,13 +7,13 @@ use std::net::TcpStream;
 use std::result;
 use std::str::Utf8Error;
 
-use base64::DecodeError;
 use bufstream::IntoInnerError as BufError;
 use imap_proto::{types::ResponseCode, Response};
 #[cfg(feature = "native-tls")]
 use native_tls::Error as TlsError;
 #[cfg(feature = "native-tls")]
 use native_tls::HandshakeError as TlsHandshakeError;
+use rsasl::prelude::{SASLError, SessionError as SASLSessionError};
 #[cfg(feature = "rustls-tls")]
 use rustls_connector::HandshakeError as RustlsHandshakeError;
 
@@ -92,6 +92,10 @@ pub enum Error {
     ConnectionLost,
     /// Error parsing a server response.
     Parse(ParseError),
+    /// Error occurred when tyring to set up authentication
+    AuthenticationSetup(SASLError),
+    /// Error occurred during authentication
+    Authentication(SASLSessionError),
     /// Command inputs were not valid [IMAP
     /// strings](https://tools.ietf.org/html/rfc3501#section-4.3).
     Validate(ValidateError),
@@ -118,6 +122,17 @@ impl From<ParseError> for Error {
     }
 }
 
+impl From<SASLError> for Error {
+    fn from(err: SASLError) -> Self {
+        Error::AuthenticationSetup(err)
+    }
+}
+impl From<SASLSessionError> for Error {
+    fn from(err: SASLSessionError) -> Self {
+        Error::Authentication(err)
+    }
+}
+
 impl<T> From<BufError<T>> for Error {
     fn from(err: BufError<T>) -> Error {
         Error::Io(err.into())
@@ -170,6 +185,8 @@ impl fmt::Display for Error {
             Error::Append => f.write_str("Could not append mail to mailbox"),
             Error::Unexpected(ref r) => write!(f, "Unexpected Response: {:?}", r),
             Error::MissingStatusResponse => write!(f, "Missing STATUS Response"),
+            Error::AuthenticationSetup(ref e) => fmt::Display::fmt(e, f),
+            Error::Authentication(ref e) => fmt::Display::fmt(e, f),
         }
     }
 }
@@ -194,6 +211,8 @@ impl StdError for Error {
             Error::Append => "Could not append mail to mailbox",
             Error::Unexpected(_) => "Unexpected Response",
             Error::MissingStatusResponse => "Missing STATUS Response",
+            Error::AuthenticationSetup(_) => "Failed to setup authentication",
+            Error::Authentication(_) => "Authentication Failed",
         }
     }
 
@@ -207,6 +226,8 @@ impl StdError for Error {
             #[cfg(feature = "native-tls")]
             Error::TlsHandshake(ref e) => Some(e),
             Error::Parse(ParseError::DataNotUtf8(_, ref e)) => Some(e),
+            Error::AuthenticationSetup(ref e) => Some(e),
+            Error::Authentication(ref e) => Some(e),
             _ => None,
         }
     }
@@ -218,7 +239,7 @@ pub enum ParseError {
     /// Indicates an error parsing the status response. Such as OK, NO, and BAD.
     Invalid(Vec<u8>),
     /// The client could not find or decode the server's authentication challenge.
-    Authentication(String, Option<DecodeError>),
+    Authentication(String),
     /// The client received data that was not UTF-8 encoded.
     DataNotUtf8(Vec<u8>, Utf8Error),
 }
@@ -227,7 +248,7 @@ impl fmt::Display for ParseError {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match *self {
             ParseError::Invalid(_) => f.write_str("Unable to parse status response"),
-            ParseError::Authentication(_, _) => {
+            ParseError::Authentication(_) => {
                 f.write_str("Unable to parse authentication response")
             }
             ParseError::DataNotUtf8(_, _) => f.write_str("Unable to parse data as UTF-8 text"),
@@ -239,17 +260,10 @@ impl StdError for ParseError {
     fn description(&self) -> &str {
         match *self {
             ParseError::Invalid(_) => "Unable to parse status response",
-            ParseError::Authentication(_, _) => "Unable to parse authentication response",
+            ParseError::Authentication(_) => "Unable to parse authentication response",
             ParseError::DataNotUtf8(_, _) => "Unable to parse data as UTF-8 text",
         }
     }
-
-    fn cause(&self) -> Option<&dyn StdError> {
-        match *self {
-            ParseError::Authentication(_, Some(ref e)) => Some(e),
-            _ => None,
-        }
-    }
 }
 
 /// An [invalid character](https://tools.ietf.org/html/rfc3501#section-4.3) was found in a command

src/error.rs

@@ -81,9 +81,6 @@ mod parse;
 
 pub mod types;
 
-mod authenticator;
-pub use crate::authenticator::Authenticator;
-
 mod client;
 pub use crate::client::*;
 mod client_builder;

src/lib.rs

@@ -18,10 +18,7 @@ pub fn parse_authenticate_response(line: &str) -> Result<&str> {
         let data = cap.get(1).map(|x| x.as_str()).unwrap_or("");
         return Ok(data);
     }
-    Err(Error::Parse(ParseError::Authentication(
-        line.to_string(),
-        None,
-    )))
+    Err(Error::Parse(ParseError::Authentication(line.to_string())))
 }
 
 pub(crate) enum MapOrNot<'a, T> {