imap/2543: auth_sasl does not fallback on IMAP_CMD_BAD
>Number: 2543
>Notify-List:
>Category: imap
>Synopsis: auth_sasl does not fallback on IMAP_CMD_BAD
>Confidential: no
>Severity: normal
>Priority: medium
>Responsible: mutt-dev
>State: open
>Keywords:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 29 21:57:21 +0100 2006
>Originator: Kees Cook
>Release: 1.5.12
>Organization:
>Environment:
all
>Description:
Hello! While tracking down a reported problem[1] with authentication, I
discovered that between 1.5.11 and 1.5.12, imap/auth_sasl.c changed how
it handled getting a "NO" vs a "BAD" response from the server. In
1.5.11, it treated both "NO" and "BAD" as the same as "NO", but in
1.5.12, they are distinct. However, this breaks authentication fallback
when sasl fails to make a mechanism work ("BAD"). In 1.5.11, it would
return IMAP_AUTH_UNAVAIL, and auth.c would move on to the next
authenticator. In 1.5.12, it sees a "BAD" and returns
IMAP_AUTH_FAILURE.
If I understand correctly, the correct behavior is to return
IMAP_AUTH_FAILURE when an actual authentication method fails (i.e. bad
password: "NO"), and to return IMAP_AUTH_UNAVAIL (i.e. server doesn't
handle the mechanism: "BAD").
Hitting the bug is hard: you need a server that claims to support a
sasl-handled mechanism, but then doesn't, as fastmail.fm seem to do:
< * OK IMAP4 ready
> a0000 CAPABILITY
< * CAPABILITY IMAP4 ... IDLE AUTH=OTP SASL-IR
> a0001 AUTHENTICATE OTP *******************
< a0001 BAD invalid command
Anyway, the attached patch restores what I think is the expected
fallback behavior seen in 1.5.11.
Thanks!
[1] https://launchpad.net/distros/ubuntu/+source/mutt/+bug/65821
>How-To-Repeat:
With a libsasl that accepts mechanism OTP, connect via IMAPS to fastmail.fm
with mutt 1.5.11, observe successful fallback to "LOGIN". Now try with
1.5.12, and "LOGIN" is never attempted.
>Fix:
Apply attached patch. :)
>Add-To-Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: text/x-patch; name="fix-imap-auth-abort-on-bad.diff"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="fix-imap-auth-abort-on-bad.diff"
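The fallback behaviour described in the report, as an added example: a simplified C model written for this page, not mutt's source and not the attached patch. The enum names, the MECHS list, the constructed server and the password "secret" are assumptions; the two mappings follow the report's description (BAD treated as "mechanism unavailable" versus BAD treated as a hard failure).

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the behaviour described in the report; not mutt's source. */
enum cmd_rc  { CMD_OK, CMD_NO, CMD_BAD };                /* tagged server reply */
enum auth_rc { AUTH_SUCCESS, AUTH_FAILURE, AUTH_UNAVAIL };
struct outcome { enum auth_rc rc; int attempts; const char *last_mech; };

/* Client's preference order: the SASL mechanism first, then plain LOGIN. */
static const char *const MECHS[] = { "OTP", "LOGIN" };

/* Constructed server: advertises AUTH=OTP but rejects it with BAD;
 * LOGIN succeeds only with the constructed password "secret". */
static enum cmd_rc server_reply(const char *mech, const char *pass)
{
  if (strcmp(mech, "LOGIN") == 0)
    return strcmp(pass, "secret") == 0 ? CMD_OK : CMD_NO;
  return CMD_BAD;
}

/* bad_is_unavail=1: BAD means "mechanism not usable", so try the next one.
 * bad_is_unavail=0: BAD is a hard failure. NO is always a hard failure. */
static enum auth_rc map_reply(enum cmd_rc rc, int bad_is_unavail)
{
  if (rc == CMD_OK) return AUTH_SUCCESS;
  if (rc == CMD_BAD && bad_is_unavail) return AUTH_UNAVAIL;
  return AUTH_FAILURE;
}

/* Walk the mechanisms in order; only AUTH_UNAVAIL moves on to the next. */
static struct outcome authenticate(const char *pass, int bad_is_unavail)
{
  struct outcome o = { AUTH_UNAVAIL, 0, NULL };
  size_t n = sizeof MECHS / sizeof MECHS[0];
  for (size_t i = 0; i < n; i++) {
    o.last_mech = MECHS[i];
    o.attempts++;
    o.rc = map_reply(server_reply(MECHS[i], pass), bad_is_unavail);
    if (o.rc != AUTH_UNAVAIL) break;
  }
  return o;
}

int main(void)
{
  struct outcome a = authenticate("secret", 1), b = authenticate("secret", 0);
  printf("BAD=unavail: rc=%d after %d tries (%s)\n", a.rc, a.attempts, a.last_mech);
  printf("BAD=failure: rc=%d after %d tries (%s)\n", b.rc, b.attempts, b.last_mech);
  return 0;
}
```

In this model a NO reply stays a hard stop, so a rejected password is not replayed against every remaining mechanism; only a BAD reply moves on to the next authenticator.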