Florian Mickler writes:

My question though: Can anyone figure out from the rfc4422 and the IMAP
protocol specification if encoding it base64 is correct?  Since the
SASL protocol is embedded in the IMAP protocol I guess it can be
possible that it is a requirement from the IMAP protocol, but I
haven't studied the IMAP RFC that deeply and would rather not have to
dig into there.

If base64 encoding the AUTHENTICATE EXTERNAL initial response is indeed
correct, I gladly provide a small patch to fix the code :)

I am inclined to believe that using base64 encoding might be correct. RFC 4959 states:

  This extension adds an optional second argument to the AUTHENTICATE
  command that is defined in Section 6.2.2 of [RFC3501].  If this
  second argument is present, it represents the contents of the
  "initial client response" defined in Section 5.1 of [RFC4422].

Followed by:

  As with any other client response, this initial client response MUST
  be encoded as defined in Section 4 of [RFC4648].

That's base64.

  It also MUST be
  transmitted outside of a quoted string or literal.  To send a zero-
  length initial response, the client MUST send a single pad character
  ("=").  This indicates that the response is present, but is a zero-
  length string.

The "=" part is handled in authenticate_auth.c, however I think that the base64 decoding needs to be done in auth_sasl_ex(). If there's no initial response provided, auth_sasl_ex() invokes callback_func() and base64-decodes the result.

Since initresponse over here clearly intends to be an alternative to receiving the response via callback_func, initresponse needs to be base64-decoded, so I conclude that this fix needs to be in auth_sasl_ex():

diff --git a/courier-authlib/authsasl.c b/courier-authlib/authsasl.c
index 9568775..8924cac 100644
--- a/courier-authlib/authsasl.c
+++ b/courier-authlib/authsasl.c
@@ -99,10 +99,30 @@ int auth_sasl_ex(const char *method,
        if (initresponse && !*initresponse)
                initresponse=NULL;

-       if (initresponse && strcmp(initresponse, externalauth))
+       if (initresponse)
+       {
+               uid=strdup(initresponse);
+
+               if (!uid)
                        return AUTHSASL_ERROR;

-       if (!initresponse)
+               n=authsasl_frombase64(uid);
+
+               if (n < 0)
+               {
+                       free(uid);
+                       return AUTHSASL_ABORTED;
+               }
+               uid[n]=0;
+
+               if (strcmp(uid, externalauth))
+               {
+                       free(uid);
+                       return AUTHSASL_ERROR;
+               }
+               free(uid);
+       }
+       else
        {
                uid=callback_func("", callback_arg);
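Review bot: `strcmp(uid, externalauth)` compares NUL-terminated strings, but the decoded initial response is `n` arbitrary bytes, so a response containing a NUL byte would match on its prefix alone; compare by length instead, e.g. `if (n != strlen(externalauth) || memcmp(uid, externalauth, n))`. The declaration of `n` is outside this hunk, so confirm it is a signed type, otherwise `if (n < 0)` can never be true. Minor: the malformed-base64 path returns AUTHSASL_ABORTED while the mismatch path returns AUTHSASL_ERROR; if that distinction is intended, a short comment would help the next reader.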


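The RFC 4959 rules quoted above, as an added example that is not courier-authlib code: decoding of the AUTHENTICATE initial response argument (the "=" marker for a present-but-empty response, strict RFC 4648 section 4 base64, rejection of anything malformed) followed by a length-aware comparison of the decoded bytes against the expected EXTERNAL identity, the check the patch performs against `externalauth`. The function names and the sample identity "postmaster" are assumptions made for this example.

```c
/* Added example, not courier-authlib code: parsing the optional second
 * argument of IMAP AUTHENTICATE as RFC 4959 describes it. Function names
 * are hypothetical; the expected EXTERNAL identity "postmaster" used in
 * main() is a constructed sample value. */
#include <stdio.h>
#include <string.h>

/* Map one character of the RFC 4648 section 4 alphabet to its 6-bit value,
 * or -1 for anything else. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the AUTHENTICATE initial response argument into out.
 * Returns the decoded length, 0 for the "=" marker that RFC 4959 uses for
 * a present-but-empty response, or -1 for anything that is not well-formed
 * base64 (the caller should abort the exchange rather than guess).
 * An absent argument ("") is the caller's case and is rejected here too. */
int rfc4959_decode_initial_response(const char *arg, unsigned char *out,
                                    size_t outcap)
{
    size_t len = strlen(arg), i, outlen = 0, pad = 0;
    unsigned int acc = 0;
    int bits = 0;

    if (len == 1 && arg[0] == '=')
        return 0;
    /* Base64 is transmitted in complete groups of four characters. */
    if (len == 0 || len % 4 != 0)
        return -1;

    for (i = 0; i < len; i++) {
        int c = (unsigned char)arg[i], v;

        if (c == '=') {
            /* Padding is only legal in the last two positions. */
            if (i + 2 < len)
                return -1;
            pad++;
            continue;
        }
        if (pad)            /* data after padding */
            return -1;
        v = b64_value(c);
        if (v < 0)
            return -1;
        acc = ((acc << 6) | (unsigned int)v) & 0xffffff;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (outlen >= outcap)
                return -1;
            out[outlen++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    /* Reject non-canonical encodings: the bits left over after the last
     * full byte must be zero (e.g. "cg==" is fine, "ch==" is not). */
    if (bits && (acc & ((1u << bits) - 1)))
        return -1;
    return (int)outlen;
}

/* For EXTERNAL the initial response carries the identity the client asks
 * for; compare the decoded bytes by length so an embedded NUL byte cannot
 * truncate the check the way strcmp would. Returns 1 on match, 0 on
 * mismatch, -1 when the argument is malformed and the exchange should be
 * aborted. */
int external_response_matches(const char *arg, const char *expected)
{
    unsigned char buf[256];
    int n = rfc4959_decode_initial_response(arg, buf, sizeof buf);

    if (n < 0)
        return -1;
    return (size_t)n == strlen(expected) &&
           memcmp(buf, expected, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed samples: a valid identity, the empty marker, an
     * unpadded string and garbage. */
    const char *samples[] = { "cG9zdG1hc3Rlcg==", "=", "cG9zdG1hc3Rlcg", "!!!!" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i],
               external_response_matches(samples[i], "postmaster"));
    return 0;
}
```

The decoder deliberately returns -1 rather than a best-effort result for missing padding, data after padding or non-zero trailing bits, so the caller can take the AUTHSASL_ABORTED style path instead of comparing against a partially decoded identity.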

_______________________________________________
Courier-imap mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
