Stephan Bosch wrote:
On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
Hi,

I've enabled client certificate authentication for imap and
managesieve. When I use Thunderbird with the sieve plugin it tries to
login, but times out.

Initially I reported this to the sieve plugin, but we came to the
conclusion that managesieve is misbehaving.

https://github.com/thsmi/sieve/issues/94

Thunderbird (win10-64) 52.4.0 (32bit)
Sieve 0.2.3k
Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)


What happens is the following (p=plugin sends m=managesieve sends)

p:authenticate "EXTERNAL" ""
m:""

The response is unexpected. According to RFC 5804 an empty
challenge/response is sent as an empty string. So I would expect:

p:authenticate "EXTERNAL" ""
m:OK "Logged in."



With the use of gnutls-cli I could reproduce (c=I send m=managesieve
sends)
  gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile marc_mail.crt -p sieve 172.17.1.4

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" ""
m:""
c:""
m:OK "Logged in."


However if I try the "imap" syntax (rfc4959) I get logged in at once

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" "="
m:OK "Logged in."

Note that this is an imap only extension, "=" is an invalid base64
encoding.

Will get back on this later.

Regards,

Stephan.


With the attached patch I could hack/workaround it

Marc

diff -U 5 
dovecot-2.2.33.1/pigeonhole/src/managesieve-login/client-authenticate.c 
dovecot-2.2.33.1~mwe/pigeonhole/src/managesieve-login/client-authenticate.c
--- dovecot-2.2.33.1/pigeonhole/src/managesieve-login/client-authenticate.c     
2017-11-01 15:06:28.000000000 +0100
+++ dovecot-2.2.33.1~mwe/pigeonhole/src/managesieve-login/client-authenticate.c 
2017-11-01 14:55:43.869493098 +0100
@@ -306,12 +306,20 @@
                return 1;
        }
 
        if ( ret == 0 ) return 0;
 
-       init_response = ( client->auth_response == NULL ? NULL :
-               t_strdup(str_c(client->auth_response)) );
+       
+       if ( client->auth_response == NULL ) {
+               init_response = NULL;
+       } else if (( strncasecmp(client->auth_mech_name, "EXTERNAL", 8) == 0 ) 
&& ( str_len( client->auth_response ) == 0 )) {
+               /* MWE: hack/workaround to pass empty response */
+               init_response = t_strdup("=");
+       } else {
+               init_response = t_strdup(str_c(client->auth_response));
+       }
+
        msieve_client->auth_mech_name_parsed = FALSE;
        if ( (ret=client_auth_begin
                (client, t_strdup(client->auth_mech_name), init_response)) < 0 )
                return ret;
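Review bot: The new `else if` branch substitutes `"="` as the initial response, which the thread itself identifies as the IMAP-only (RFC 4959) spelling and as invalid base64 on a ManageSieve connection, so the hunk changes what reaches the SASL layer into something that must then be special-cased instead of fixing the actual defect. The removed lines already pass an empty response through (`t_strdup(str_c(client->auth_response))` yields `""` when the string is empty), which means the real problem is that something below `client_auth_begin` treats `""` as "no initial response"; the fix belongs there, for example an explicit present/absent flag alongside `init_response`, and it should cover every mechanism rather than only EXTERNAL, since RFC 5804 makes `""` the empty initial response for all of them. Two smaller points: `strncasecmp(client->auth_mech_name, "EXTERNAL", 8)` is a prefix comparison and would also accept a mechanism name that merely starts with EXTERNAL, so `strcasecmp` is the right call for an exact match; and the `&& ( str_len( client->auth_response ) == 0 ))` condition has been wrapped onto its own line by the mailer while the added blank line carries trailing whitespace, so the patch as posted will not apply cleanly.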
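The two exchanges in the quoted message turn on one distinction: on the ManageSieve wire the initial response is a string, so a zero-length SASL response travels as `""`, whereas IMAP SASL-IR writes it as the bare pad `"="`, which is not valid base64. The following is an added example, not code from this thread or from Dovecot/Pigeonhole. It builds the `AUTHENTICATE` command for both protocols from the same SASL bytes, parses the ManageSieve form the way a server must (telling an absent initial response apart from an empty one, and rejecting `"="`), and models the EXTERNAL server step as the quoted message expects it to behave. The mechanism strings and `cert_identity` input are assumptions made for the example; `{n+}` literals are not modelled.

```python
"""Wire forms of a zero-length SASL initial response: ManageSieve vs IMAP.

Added example, not code from the thread or from Dovecot/Pigeonhole. RFC 5804
carries the initial response as a ManageSieve string, so an empty response
is sent as "", while IMAP SASL-IR (RFC 4959) spells a zero-length response
as the bare pad "=", which is not valid base64 and has no meaning here.
"""
import base64
import re
from typing import Optional, Tuple

# AUTHENTICATE "mech" ["initial-response"]; only quoted strings are modelled,
# not {n+} literals. The optional group is None when the argument is absent
# and "" when the client sent an empty string, and that difference matters.
_AUTH = re.compile(
    r'(?i)^AUTHENTICATE\s+"(?P<mech>(?:[^"\\]|\\.)*)"'
    r'(?:\s+"(?P<ir>(?:[^"\\]|\\.)*)")?\s*$'
)
_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def decode_b64_strict(text: str) -> bytes:
    """Decode base64 as a server should: whole quads, padding only at the end.

    A lone "=" fails the length check, so it is rejected rather than silently
    read as an empty response.
    """
    if len(text) % 4 != 0 or not _B64.fullmatch(text):
        raise ValueError(f"not valid base64: {text!r}")
    return base64.b64decode(text)


def parse_authenticate(line: str) -> Tuple[str, Optional[bytes]]:
    """Return (mechanism, initial_response).

    initial_response is None when the argument was absent and b"" when the
    client sent "" (an empty initial response, the RFC 5804 form).
    """
    m = _AUTH.match(line.strip())
    if not m:
        raise ValueError("malformed AUTHENTICATE command")
    ir = m.group("ir")
    return m.group("mech").upper(), None if ir is None else decode_b64_strict(ir)


def authenticate_command(mech: str, response: Optional[bytes], protocol: str) -> str:
    """Build the client command for either protocol from the same SASL bytes."""
    b64 = "" if response is None else base64.b64encode(response).decode("ascii")
    if protocol == "managesieve":
        # RFC 5804: the initial response is a string, so empty bytes become ""
        cmd = f'AUTHENTICATE "{mech}"'
        return cmd if response is None else f'{cmd} "{b64}"'
    if protocol == "imap":
        # RFC 4959: bare base64 token; a zero-length response is written as "="
        cmd = f"AUTHENTICATE {mech}"
        return cmd if response is None else f"{cmd} {b64 or '='}"
    raise ValueError(f"unknown protocol {protocol!r}")


def managesieve_external_step(line: str, cert_identity: Optional[str]) -> str:
    """Model of the server side of EXTERNAL as the quoted message expects it.

    cert_identity is an assumed input: the identity taken from the verified
    TLS client certificate. Any initial response, including the empty one
    that means "authorize me as the certificate's subject", completes the
    login in one round trip; only an absent initial response earns the empty
    challenge "".
    """
    mech, resp = parse_authenticate(line)
    if mech != "EXTERNAL":
        return 'NO "only EXTERNAL is modelled here"'
    if cert_identity is None:
        return 'NO "EXTERNAL needs a verified client certificate"'
    if resp is None:
        return '""'  # challenge: please send your authorization identity
    authzid = resp.decode("utf-8") or cert_identity
    if authzid != cert_identity:
        return 'NO "authorization identity does not match the certificate"'
    return 'OK "Logged in."'


if __name__ == "__main__":
    for proto in ("managesieve", "imap"):
        print(proto, "->", authenticate_command("EXTERNAL", b"", proto))
    line = authenticate_command("EXTERNAL", b"", "managesieve")
    print("c:", line)
    print("m:", managesieve_external_step(line, "marc"))
```

Running the block prints the two client spellings side by side and then the one-round-trip exchange the quoted message expected; feeding the IMAP spelling into `parse_authenticate` raises, which is the server-side counterpart of the "invalid base64 encoding" remark.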
