From 321d61b215169346708da3ad2b74711996771635 Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Sun, 18 Mar 2007 01:24:22 +0000
Subject: Strengthen APOP a bit (validate RFC-822 syntax) in order to fend off
 Leurent-style MITM attacks which are based on MD5 and APOP weaknesses.

svn path=/branches/BRANCH_6-3/; revision=5057
---
 pop3.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'pop3.c')

diff --git a/pop3.c b/pop3.c
index 3ba6af36..17f66c70 100644
--- a/pop3.c
+++ b/pop3.c
@@ -659,6 +659,20 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 	else
 	    *++end = '\0';
 
+	/* SECURITY: 2007-03-17
+	 * Strictly validating the presented challenge for RFC-822
+	 * conformity (it must be a msg-id in terms of that standard) is
+	 * supposed to make attacks against the MD5 implementation
+	 * harder[1]
+	 *
+	 * [1] "Security vulnerability in APOP authentication",
+	 *     Gaëtan Leurent, fetchmail-devel, 2007-03-17 */
+	if (!rfc822_valid_msgid((unsigned char *)start)) {
+	    report(stderr,
+		    GT_("Invalid APOP timestamp.\n"));
+	    return PS_AUTHFAIL;
+	}
+
 	/* copy timestamp and password into digestion buffer */
 	msg = xmalloc((end-start+1) + strlen(ctl->password) + 1);
 	strcpy(msg,start);
-- 
cgit v1.2.3