
imap/2543: auth_sasl does not fallback on IMAP_CMD_BAD



>Number:         2543
>Notify-List:    
>Category:       imap
>Synopsis:       auth_sasl does not fallback on IMAP_CMD_BAD
>Confidential:   no
>Severity:       normal
>Priority:       medium
>Responsible:    mutt-dev
>State:          open
>Keywords:       
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Oct 29 21:57:21 +0100 2006
>Originator:     Kees Cook
>Release:        1.5.12
>Organization:
>Environment:
all
>Description:
Hello!  While tracking down a reported problem[1] with authentication, I 
discovered that between 1.5.11 and 1.5.12, imap/auth_sasl.c changed how 
it handled getting a "NO" vs a "BAD" response from the server.  In 
1.5.11, it treated both "NO" and "BAD" as the same as "NO", but in 
1.5.12, they are distinct.  However, this breaks authentication fallback 
when sasl fails to make a mechanism work ("BAD").  In 1.5.11, it would 
return IMAP_AUTH_UNAVAIL, and auth.c would move on to the next 
authenticator.  In 1.5.12, it sees a "BAD" and returns 
IMAP_AUTH_FAILURE.

If I understand correctly, the correct behavior is to return 
IMAP_AUTH_FAILURE when an actual authentication method fails (i.e. bad 
password: "NO"), and to return IMAP_AUTH_UNAVAIL (i.e. server doesn't 
handle the mechanism: "BAD").

Hitting the bug is hard: you need a server that claims to support a 
sasl-handled mechanism, but then doesn't, as fastmail.fm seem to do:

 < * OK IMAP4 ready
 > a0000 CAPABILITY
 < * CAPABILITY IMAP4 ... IDLE AUTH=OTP SASL-IR
 > a0001 AUTHENTICATE OTP *******************
 < a0001 BAD invalid command

Anyway, the attached patch restores what I think is the expected 
fallback behavior seen in 1.5.11.

Thanks!


[1] https://launchpad.net/distros/ubuntu/+source/mutt/+bug/65821
>How-To-Repeat:
With a libsasl that accepts mechanism OTP, connect via IMAPS to fastmail.fm 
with mutt 1.5.11, observe successful fallback to "LOGIN".  Now try with 
1.5.12, and "LOGIN" is never attempted.
>Fix:
Apply attached patch.  :)
>Add-To-Audit-Trail:

>Unformatted:
 ----gnatsweb-attachment----
 Content-Type: text/x-patch; name="fix-imap-auth-abort-on-bad.diff"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="fix-imap-auth-abort-on-bad.diff"
 
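
The fallback behaviour the report describes, as an added C example (not mutt's code and not the attached patch): a constructed server rejects AUTHENTICATE OTP with BAD, and the mechanism loop is run once with BAD mapped to IMAP_AUTH_FAILURE and once with BAD mapped to IMAP_AUTH_UNAVAIL. IMAP_CMD_OK, IMAP_AUTH_SUCCESS and all function names are assumptions of this example.

```c
/* Added illustration, not mutt source; non-IMAP_* names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum cmd_res  { IMAP_CMD_OK, IMAP_CMD_NO, IMAP_CMD_BAD };
enum auth_res { IMAP_AUTH_SUCCESS, IMAP_AUTH_FAILURE, IMAP_AUTH_UNAVAIL };

/* Constructed server modelled on the report's transcript: advertises
 * AUTH=OTP but answers AUTHENTICATE OTP with BAD; LOGIN succeeds. */
static enum cmd_res server_reply(const char *mech)
{
    if (strcmp(mech, "OTP") == 0)   return IMAP_CMD_BAD;
    if (strcmp(mech, "LOGIN") == 0) return IMAP_CMD_OK;
    return IMAP_CMD_NO;
}

/* NO (credentials rejected) is a hard failure; BAD maps to on_bad. */
static enum auth_res map_reply(enum cmd_res irc, enum auth_res on_bad)
{
    if (irc == IMAP_CMD_OK)  return IMAP_AUTH_SUCCESS;
    if (irc == IMAP_CMD_BAD) return on_bad;
    return IMAP_AUTH_FAILURE;
}

/* Try mechanisms in order, moving on only after IMAP_AUTH_UNAVAIL.
 * *tried receives the number of mechanisms actually attempted. */
enum auth_res authenticate(const char *const *mechs, size_t n,
                           enum auth_res on_bad, size_t *tried)
{
    enum auth_res r = IMAP_AUTH_UNAVAIL;
    for (*tried = 0; *tried < n; ) {
        r = map_reply(server_reply(mechs[(*tried)++]), on_bad);
        if (r != IMAP_AUTH_UNAVAIL)
            break;
    }
    return r;
}

int main(void)
{
    const char *const mechs[] = { "OTP", "LOGIN" };
    size_t tried;
    int r = authenticate(mechs, 2, IMAP_AUTH_FAILURE, &tried);
    printf("BAD->FAILURE: result %d, %zu mechanism(s) tried\n", r, tried);
    r = authenticate(mechs, 2, IMAP_AUTH_UNAVAIL, &tried);
    printf("BAD->UNAVAIL: result %d, %zu mechanism(s) tried\n", r, tried);
    return 0;
}
```

With BAD mapped to IMAP_AUTH_FAILURE the loop stops after OTP and LOGIN is never attempted; with BAD mapped to IMAP_AUTH_UNAVAIL it moves on to LOGIN.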