From b82c3ccb65e3279996a690ebf577263d7730e0b3 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 26 Aug 2021 23:53:14 +0200 Subject: SECURITY: IMAP: PREAUTH->abort if STARTTLS needed On --sslproto auto (or other nonempty values), when receiving IMAP PREAUTH state, abort the connection, rather than continuing with cleartext. --ssl is unaffected because it always negotiates TLS. See fetchmail-SA-2021-02.txt for details. --- imap.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'imap.c') diff --git a/imap.c b/imap.c index 5f65ee47..3b74f6f6 100644 --- a/imap.c +++ b/imap.c @@ -428,6 +428,20 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting) if ((ok = capa_probe(sock, ctl))) return ok; + commonname = ctl->server.pollname; + if (ctl->server.via) + commonname = ctl->server.via; + if (ctl->sslcommonname) + commonname = ctl->sslcommonname; + + /* Defend against a PREAUTH-prevents-STARTTLS attack */ + if (preauth && must_starttls(ctl)) { + report(stderr, GT_("%s: configuration requires TLS, but STARTTLS is not permitted " + "because of authenticated state (PREAUTH). Aborting connection. Server permitting, try --ssl instead (see manual).\n"), commonname); + preauth = FALSE; /* reset for the next session */ + return PS_SOCKET; + } + /* * If either (a) we saw a PREAUTH token in the greeting, or * (b) the user specified ssh preauthentication, then we're done. @@ -438,12 +452,6 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting) return(PS_SUCCESS); } - commonname = ctl->server.pollname; - if (ctl->server.via) - commonname = ctl->server.via; - if (ctl->sslcommonname) - commonname = ctl->sslcommonname; - #ifdef SSL_ENABLE if (maybe_starttls(ctl)) { if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) -- cgit v1.2.3