SECURITY: POP3: changes for --auth ssh and RPA

These no longer defeat STARTTLS negotiation,
and RPA is only attempted with --auth any.

3 files changed, 69 insertions, 43 deletions

diff --git a/NEWS b/NEWS
index 3f17f216..cf955bbe 100644
--- a/NEWS
+++ b/NEWS
@@ -101,9 +101,13 @@ fetchmail-6.4.22 (not yet released):
   TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email 
   Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian 
   Schinzel.  The paper did not mention fetchmail.
-* On IMAP connections, --auth ssh no longer prevents STARTTLS negotiation.
+* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS 
+  negotiation.
 * On IMAP connections, do not permit to override a server-side LOGINDISABLED 
   with --auth password any more.
+* On POP3 connections, the possibility for RPA authentication (by probing with 
+  an AUTH command without arguments) no longer prevents STARTTLS negotiation.
+* For POP3 connections, RPA is only attempted if the authentication type is any.
 
 # BUG FIXES:
 * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the 
diff --git a/fetchmail-SA-2021-02.txt b/fetchmail-SA-2021-02.txt
index c660b4aa..ffa2a3d4 100644
--- a/fetchmail-SA-2021-02.txt
+++ b/fetchmail-SA-2021-02.txt
@@ -3,7 +3,7 @@ fetchmail-SA-2021-02: failure to enforce STARTTLS session encryption
 Topics:		fetchmail fails to enforce an encrypted connection
 
 Author:		Matthias Andree
-Version:	0.2
+Version:	0.3
 Announced:	TBC
 Type:		failure to enforce configured security policy
 Impact:		fetchmail continues an unencrypted connection,
@@ -32,6 +32,9 @@ Corrected in:	TBC	Git commit hash (both needed)
 2021-08-10	initial report to maintainer
 2021-08-10 0.1	first draft
 2021-08-13 0.2	mention --auth ssh defeated STARTTLS
+2021-08-14 0.3	mention POP3 RPA defeated STARTTLS, and
+		make explicit that --auth ssh applied to
+		IMAP and POP3 alike.
 
 
 1. Background
@@ -60,17 +63,24 @@ a clear-text protocol exchange and then requesting a TLS negotiation in-band.
 IMAP also supports sessions that start in "authenticated state" (PREAUTH).
 In this latter case, IMAP (RFC-3501) does not permit sending STARTTLS 
 negotiations, which are only permissible in not-authenticated state.
-
-In such a combination of circumstances (1. IMAP protocol in use, 2. the server 
-greets with PREAUTH, announcing authenticated state, 3. the user configured TLS 
-mandatory, 4. the user did not configure "ssl" mode that uses separate ports 
-for implicit SSL/TLS), fetchmail 6.4.21 and older continues with the 
-unencrypted connection, rather than flagging the situation and aborting.
+  In such a combination of circumstances (1. IMAP protocol in use, 2. the 
+server greets with PREAUTH, announcing authenticated state, 3. the user 
+configured TLS mandatory, 4. the user did not configure "ssl" mode that uses 
+separate ports for implicit SSL/TLS), fetchmail 6.4.21 and older continues 
+with the unencrypted connection, rather than reporting and aborting.
+
+A similar situation is encountered for POP3: if the remote name contains 
+@compuserve.com, the server supports a non-standard "AUTH" command without 
+mechanism argument and responds with a list that contains "RPA" (also in 
+mixed or lower case), then fetchmail will not attempt STARTTLS. While the 
+password itself is then protected by the RPA scheme (which employs MD5 however),
+the session as a whole is not protected by TLS.
 
 Also, a configuration containing --auth ssh (meaning that fetchmail should not 
 authenticate, on the assumption that the session will be pre-authenticated for 
-instance through SSH running a PREAUTH mail server with --plugin, or TLS client 
+instance through SSH running a mail server with --plugin, or TLS client 
 certificates), will also defeat STARTTLS as result of an implementation defect.
+This affected both POP3 and IMAP.
 
 This can cause e-mail and in the first case, also potentially passwords, to be 
 exposed to eavesdropping.
@@ -89,10 +99,10 @@ https://gitlab.com/fetchmail/fetchmail/-/tree/legacy_64 (primary)
 https://sourceforge.net/p/fetchmail/git/ci/legacy_64/tree/ (copy)
 
 
-3b. Alternatively, where the IMAP server supports this form of access,
+3b. Alternatively, where the IMAP or POP3 server supports this form of access,
 fetchmail can be configured to "ssl" mode, meaning it will connect to 
-a dedicated port (default: 993 for IMAP) and negotiate TLS without
-prior clear-text protocol exchange.
+a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS 
+without prior clear-text protocol exchange.
   Also, --ssl can be given on the command line, which switches all
 configured server statements to this ssl mode.
 
diff --git a/pop3.c b/pop3.c
index c2238b72..430ff8d7 100644
--- a/pop3.c
+++ b/pop3.c
@@ -332,9 +332,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 	}
 	peek_capable = 0;
     }
-    if (ctl->server.authenticate == A_SSH) {
-        return PS_SUCCESS;
-    }
 
 #ifdef SDPS_ENABLE
     /*
@@ -348,33 +345,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 
    switch (ctl->server.protocol) {
     case P_POP3:
-#ifdef RPA_ENABLE
-	/* XXX FIXME: AUTH probing (RFC1734) should become global */
-	/* CompuServe POP3 Servers as of 990730 want AUTH first for RPA */
-	if (strstr(ctl->remotename, "@compuserve.com"))
-	{
-	    /* AUTH command should return a list of available mechanisms */
-	    if (gen_transact(sock, "AUTH") == 0)
-	    {
-		char buffer[10];
-		flag has_rpa = FALSE;
-
-		while ((ok = gen_recv(sock, buffer, sizeof(buffer))) == 0)
-		{
-		    if (DOTLINE(buffer))
-			break;
-		    if (strncasecmp(buffer, "rpa", 3) == 0)
-			has_rpa = TRUE;
-		}
-		if (has_rpa && !POP3_auth_rpa(ctl->remotename, 
-					      ctl->password, sock))
-		    return(PS_SUCCESS);
-	    }
-
-	    return(PS_AUTHFAIL);
-	}
-#endif /* RPA_ENABLE */
-
 	/*
 	 * CAPA command may return a list including available
 	 * authentication mechanisms and STLS capability.
@@ -500,7 +470,49 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 	} /* maybe_starttls() */
 #endif /* SSL_ENABLE */
 
-	/*
+	if (ctl->server.authenticate == A_SSH) {
+		return PS_SUCCESS;
+	}
+
+#ifdef RPA_ENABLE
+	/* XXX FIXME: AUTH probing (RFC1734) should become global */
+	/* CompuServe POP3 Servers as of 990730 want AUTH first for RPA */
+	if (strstr(ctl->remotename, "@compuserve.com")
+	&& ctl->server.authenticate == A_ANY)
+	{
+	    /* AUTH command should return a list of available mechanisms. */
+	    /* 2021 update: it is unclear which software still supports RPA these days.
+	       This behavior (AUTH without a method argument, to query) 
+	       is not sanctioned by RFC-1734 but was/is apparently 
+	       supported by Compuserve and Microsoft for their NTLM:
+	       https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pop3/cb6829e1-d6f4-447b-9092-2671a257563c
+	    */
+	    if (gen_transact(sock, "AUTH") == 0)
+	    {
+		char buffer[10];
+		flag has_rpa = FALSE;
+		int err;
+
+		while ((err = gen_recv(sock, buffer, sizeof(buffer))) == 0)
+		{
+		    if (DOTLINE(buffer))
+			break;
+		    if (strncasecmp(buffer, "rpa", 3) == 0)
+			has_rpa = TRUE;
+		}
+		if (err) {
+		    return err;
+		}
+		if (has_rpa && !POP3_auth_rpa(ctl->remotename, 
+					      ctl->password, sock))
+		    return PS_SUCCESS;
+	    }
+
+	    return PS_AUTHFAIL;
+	}
+#endif /* RPA_ENABLE */
+
+/*
 	 * OK, we have an authentication type now.
 	 */
 #if defined(KERBEROS_V4)