From 4c6844370c37cf9a88f2baadd1e844bb072c1b62 Mon Sep 17 00:00:00 2001
From: Andreas Oberritter
Date: Sun, 9 Jul 2023 12:12:44 +0200
Subject: [PATCH] Add support for SCRAM-SHA-{224,256,384,512} authentication mechanism (via libetpan) to IMAP. They are supported by Cyrus IMAP. Dovecot supports SCRAM-SHA-256.
---
 src/etpan/imap-thread.c | 2 +-
 src/imap.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/imap.h | 6 +++++-
 src/prefs_account.c | 4 ++++
 4 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/src/etpan/imap-thread.c b/src/etpan/imap-thread.c
index 973656cdc..86168d74d 100644
--- a/src/etpan/imap-thread.c
+++ b/src/etpan/imap-thread.c
@@ -992,7 +992,7 @@ static void login_run(struct etpan_thread_op * op)
 			param->type, param->server, NULL, NULL, param->login, param->login, param->password, NULL);
-	else if (!strcmp(param->type, "SCRAM-SHA-1"))
+	else if (!strncmp(param->type, "SCRAM-SHA-", 10))
 		/* 7th argument has to be NULL here, to stop libetpan sending the
 		 * a= attribute in its initial SCRAM-SHA-1 message to server. At least
 		 * Dovecot 2.2 doesn't seem to like that, and will not authenticate
diff --git a/src/imap.c b/src/imap.c
index ff418908a..c373a3aed 100644
--- a/src/imap.c
+++ b/src/imap.c
@@ -912,6 +912,18 @@ static gint imap_auth(IMAPSession *session, const gchar *user, const gchar *pass
 	case IMAP_AUTH_SCRAM_SHA1:
 		ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-1");
 		break;
+	case IMAP_AUTH_SCRAM_SHA224:
+		ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-224");
+		break;
+	case IMAP_AUTH_SCRAM_SHA256:
+		ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-256");
+		break;
+	case IMAP_AUTH_SCRAM_SHA384:
+		ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-384");
+		break;
+	case IMAP_AUTH_SCRAM_SHA512:
+		ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-512");
+		break;
 	case IMAP_AUTH_PLAIN:
 		ok = imap_cmd_login(session, user, pass, "PLAIN");
 		break;
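Review bot: The new prefix test `else if (!strncmp(param->type, "SCRAM-SHA-", 10))` hard-codes the literal's length, and the comment right below it still speaks of the "initial SCRAM-SHA-1 message" although the branch now takes every SCRAM-SHA-* name imap.c passes in. I would write the length as `strlen("SCRAM-SHA-")` (or `sizeof("SCRAM-SHA-") - 1`) so the literal and its length cannot drift apart, and reword the comment to say the a= attribute is suppressed for all SCRAM-SHA-* mechanisms. The prefix would also match channel-binding variants such as SCRAM-SHA-256-PLUS if a caller ever passed one; as far as the visible hunks show, imap.c only passes the five plain names, so this is harmless today but deserves a one-line comment. login_run begins and ends outside the hunk.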
@@ -935,6 +947,10 @@ static gint imap_auth(IMAPSession *session, const gchar *user, const gchar *pass
 		"\t CRAM-MD5 %d\n"
 		"\t DIGEST-MD5 %d\n"
 		"\t SCRAM-SHA-1 %d\n"
+		"\t SCRAM-SHA-224 %d\n"
+		"\t SCRAM-SHA-256 %d\n"
+		"\t SCRAM-SHA-384 %d\n"
+		"\t SCRAM-SHA-512 %d\n"
 		"\t PLAIN %d\n"
 #ifdef USE_GNUTLS
 		"\t OAUTH2 %d\n"
@@ -945,6 +961,10 @@ static gint imap_auth(IMAPSession *session, const gchar *user, const gchar *pass
 		imap_has_capability(session, "CRAM-MD5"),
 		imap_has_capability(session, "DIGEST-MD5"),
 		imap_has_capability(session, "SCRAM-SHA-1"),
+		imap_has_capability(session, "SCRAM-SHA-224"),
+		imap_has_capability(session, "SCRAM-SHA-256"),
+		imap_has_capability(session, "SCRAM-SHA-384"),
+		imap_has_capability(session, "SCRAM-SHA-512"),
 		imap_has_capability(session, "PLAIN"),
 #ifdef USE_GNUTLS
 		imap_has_capability(session, "XOAUTH2"),
@@ -955,6 +975,14 @@ static gint imap_auth(IMAPSession *session, const gchar *user, const gchar *pass
 			ok = imap_cmd_login(session, user, pass, "CRAM-MD5");
 		if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(session, "DIGEST-MD5"))
 			ok = imap_cmd_login(session, user, pass, "DIGEST-MD5");
+		if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(session, "SCRAM-SHA-512"))
+			ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-512");
+		if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(session, "SCRAM-SHA-384"))
+			ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-384");
+		if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(session, "SCRAM-SHA-256"))
+			ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-256");
+		if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(session, "SCRAM-SHA-224"))
+			ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-224");
 		if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(session, "SCRAM-SHA-1"))
 			ok = imap_cmd_login(session, user, pass, "SCRAM-SHA-1");
 		if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(session, "PLAIN"))
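Review bot: The four new `if (ok == MAILIMAP_ERROR_LOGIN && imap_has_capability(...))` steps in the automatic-mechanism chain fall through on the same error code a wrong password produces, so a bad credential against a server advertising all SCRAM variants is now retried up to four more times per connection before the pre-existing SCRAM-SHA-1 and PLAIN steps run, which can trip server-side failed-login counters or delays. The strongest-first order (512, 384, 256, 224, 1) is the right preference, but the chain cannot tell "mechanism unavailable in this libetpan build" from "credentials rejected"; if libetpan surfaces the former differently, only that case should advance to the next mechanism, and a definite rejection should end the loop. At minimum I would add a comment above the first new step: `/* Fall through to weaker mechanisms only because libetpan may lack the SCRAM plugin; a credential rejection also lands here and is retried. */`. imap_auth begins and ends outside the hunk.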
@@ -992,6 +1020,30 @@ static gint imap_auth(IMAPSession *session, const gchar *user, const gchar *pass
 				"SCRAM SASL plugin is installed.");
 	}
 
+	if (type == IMAP_AUTH_SCRAM_SHA224) {
+		ext_info = _("\n\nSCRAM-SHA-224 logins only work if libetpan has been "
+				"compiled with SASL support and the "
+				"SCRAM SASL plugin is installed.");
+	}
+
+	if (type == IMAP_AUTH_SCRAM_SHA256) {
+		ext_info = _("\n\nSCRAM-SHA-256 logins only work if libetpan has been "
+				"compiled with SASL support and the "
+				"SCRAM SASL plugin is installed.");
+	}
+
+	if (type == IMAP_AUTH_SCRAM_SHA384) {
+		ext_info = _("\n\nSCRAM-SHA-384 logins only work if libetpan has been "
+				"compiled with SASL support and the "
+				"SCRAM SASL plugin is installed.");
+	}
+
+	if (type == IMAP_AUTH_SCRAM_SHA512) {
+		ext_info = _("\n\nSCRAM-SHA-512 logins only work if libetpan has been "
+				"compiled with SASL support and the "
+				"SCRAM SASL plugin is installed.");
+	}
+
 	if (type == IMAP_AUTH_PLAIN) {
 		ext_info = _("\n\nPLAIN logins only work if libetpan has been "
 				"compiled with SASL support and the "
diff --git a/src/imap.h b/src/imap.h
index 3870b1a86..e2fa71cc5 100644
--- a/src/imap.h
+++ b/src/imap.h
@@ -32,7 +32,11 @@ typedef enum
 	IMAP_AUTH_SCRAM_SHA1 = 1 << 5,
 	IMAP_AUTH_PLAIN = 1 << 6,
 	IMAP_AUTH_LOGIN = 1 << 7,
-	IMAP_AUTH_OAUTH2 = 1 << 8
+	IMAP_AUTH_OAUTH2 = 1 << 8,
+	IMAP_AUTH_SCRAM_SHA224 = 1 << 9,
+	IMAP_AUTH_SCRAM_SHA256 = 1 << 10,
+	IMAP_AUTH_SCRAM_SHA384 = 1 << 11,
+	IMAP_AUTH_SCRAM_SHA512 = 1 << 12,
 } IMAPAuthType;
 
 FolderClass *imap_get_class (void);
diff --git a/src/prefs_account.c b/src/prefs_account.c
index 8d8be280c..6d5a37e25 100644
--- a/src/prefs_account.c
+++ b/src/prefs_account.c
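Review bot: The four added `if (type == IMAP_AUTH_SCRAM_SHA2xx)` blocks are verbatim copies of the SCRAM-SHA-1 block above them, differing only in the digest name inside the translatable string, which adds four near-identical strings for translators and three more places to keep in sync with the switch and the fallback chain. Since the enum values are distinct bits, one branch covers all of them: `if (type & (IMAP_AUTH_SCRAM_SHA1 | IMAP_AUTH_SCRAM_SHA224 | IMAP_AUTH_SCRAM_SHA256 | IMAP_AUTH_SCRAM_SHA384 | IMAP_AUTH_SCRAM_SHA512))` with a single message such as `_("\n\nSCRAM-SHA logins only work if libetpan has been compiled with SASL support and the SCRAM SASL plugin is installed.")`, assuming ext_info can hold that generic text. The error-reporting code this sits in begins and ends outside the hunk.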
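Review bot: The new `IMAP_AUTH_SCRAM_SHA224 = 1 << 9` through `IMAP_AUTH_SCRAM_SHA512 = 1 << 12` entries are appended after IMAP_AUTH_OAUTH2 rather than placed next to IMAP_AUTH_SCRAM_SHA1, and nothing in the header says why. The values are bit flags, and if they are written into account preferences (not visible in this patch) then appending with a fresh bit is exactly right and renumbering would silently change saved accounts, so the constraint should be recorded for the next person who adds a mechanism: `/* Bit flags; values may be persisted in account settings — append new mechanisms with an unused bit, never renumber. */` above the enum. The typedef opens outside the hunk.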
@@ -1790,6 +1790,10 @@ static void receive_create_widget_func(PrefsPage * _page,
 	COMBOBOX_ADD (menu, "GSSAPI", IMAP_AUTH_GSSAPI);
 	COMBOBOX_ADD (menu, "DIGEST-MD5", IMAP_AUTH_DIGEST_MD5);
 	COMBOBOX_ADD (menu, "SCRAM-SHA-1", IMAP_AUTH_SCRAM_SHA1);
+	COMBOBOX_ADD (menu, "SCRAM-SHA-224", IMAP_AUTH_SCRAM_SHA224);
+	COMBOBOX_ADD (menu, "SCRAM-SHA-256", IMAP_AUTH_SCRAM_SHA256);
+	COMBOBOX_ADD (menu, "SCRAM-SHA-384", IMAP_AUTH_SCRAM_SHA384);
+	COMBOBOX_ADD (menu, "SCRAM-SHA-512", IMAP_AUTH_SCRAM_SHA512);
 	COMBOBOX_ADD (menu, "PLAIN", IMAP_AUTH_PLAIN);
 	COMBOBOX_ADD (menu, "LOGIN", IMAP_AUTH_LOGIN);
 	COMBOBOX_ADD (menu, "OAUTH2", IMAP_AUTH_OAUTH2);
-- 
2.11.4.GIT