#3921: SASL passwords seemingly cropped to 127 characters
--------------------------------------------+----------------------
  Reporter:  ivucica                        |      Owner:  mutt-dev
      Type:  defect                         |     Status:  new
  Priority:  major                          |  Milestone:
 Component:  mutt                           |    Version:  1.7.2
  Keywords:  authentication, sasl, password |
--------------------------------------------+----------------------

 Hi,

 I've used the following Cyrus SASL plugin to authenticate against Gmail:
 https://github.com/moriyoshi/cyrus-sasl-xoauth2

 I've used my own mini-client to obtain the token, and verify that it works.

 However, the traffic generated by Mutt+cyrus-sasl-xoauth2 does not match what my client generates, and the authentication failed.

 The token generated by Google seems to be 129 characters; the base64 encoding of the `XOAUTH2` token printed in `~/.muttdebug0` seemed a bit shorter. Decoding them and comparing them, the last 2 characters were cropped.

 I verified this in a slightly safer fashion as follows:

 {{{
 set imap_user="usern...@gmail.com"
 set imap_pass="1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij -----XXXXX"
 set imap_authenticators="XOAUTH2"
 }}}

 The following is `~/.muttdebug0`:

 {{{
 [2017-03-05 17:23:31] imap_authenticate: Trying method XOAUTH2
 [2017-03-05 17:23:31] SASL local ip: 2a03:b0c0:0:1010::41:200a;59982, remote ip:2a00:1450:400b:c03::6c;993
 [2017-03-05 17:23:31] External SSF: 256
 [2017-03-05 17:23:31] External authentication name: usern...@gmail.com
 [2017-03-05 17:23:31] mutt_sasl_cb_authname: getting authname for imap.gmail.com:993
 [2017-03-05 17:23:31] mutt_sasl_cb_pass: getting password for usern...@gmail.com@imap.gmail.com:993
 [2017-03-05 17:23:31] Authenticating (XOAUTH2)...
 [2017-03-05 17:23:31] 6> a0002 AUTHENTICATE XOAUTH2 dXNlcj11c2VybmFtZUBnbWFpbC5jb20BYXV0aD1CZWFyZXIgMTIzNDU2Nzg5MGFiY2RlZmdoaWoxMjM0NTY3ODkwYWJjZGVmZ2hpajEyMzQ1Njc4OTBhYmNkZWZnaGlqMTIzNDU2Nzg5MGFiY2RlZmdoaWoxMjM0NTY3ODkwYWJjZGVmZ2hpajEyMzQ1Njc4OTBhYmNkZWZnaGlqMTIzNDU2NwEB
 [2017-03-05 17:23:31] 6< a0001 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
 }}}

 base64-decoded for your convenience:

 {{{
 base64 -d <<< dXNlcj11c2VybmFtZUBnbWFpbC5jb20BYXV0aD1CZWFyZXIgMTIzNDU2Nzg5MGFiY2RlZmdoaWoxMjM0NTY3ODkwYWJjZGVmZ2hpajEyMzQ1Njc4OTBhYmNkZWZnaGlqMTIzNDU2Nzg5MGFiY2RlZmdoaWoxMjM0NTY3ODkwYWJjZGVmZ2hpajEyMzQ1Njc4OTBhYmNkZWZnaGlqMTIzNDU2NwEB
 user=username@gmail.comauth=Bearer 1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567
 }}}

 This is in 1.7.2 NeoMutt, latest available in Debian unstable. As far as I can tell, this version includes the 7c0bd34 changeset:
 https://github.com/neomutt/neomutt/blob/neomutt-20170113/imap/auth_sasl.c

 There is no difference in whether I put the token in `imap_pass` in `~/.muttrc` or if I paste it into the password prompt.

 I understand that this may be a NeoMutt-only issue, or that this might be in `cyrus-sasl-xoauth2`, or even in libsasl2.

 I grepped over `cyrus-sasl-xoauth2` and I cannot find a constant/magic number that has the value 127 or 128.

 Digging a bit around `libsasl2`'s code, I also didn't find a relevant constant that would read 127 or 128.

 So back to Mutt itself. I think `account.h` is the most worrying thing: it has the structure `ACCOUNT` with field `char pass[128]`. Could this be the cause? :-)

 If so, could you guys, as a stopgap measure, increase the size of this field?

 Thanks!

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3921>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
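
The 129-versus-127 character discrepancy reported in this ticket, reproduced as an added C example that is not code from Mutt, NeoMutt or the reporter. It contrasts a silent bounded copy into a 128-byte field with one that rejects an oversized secret. `demo_account`, `store_silent`, `store_checked` and `make_token` are hypothetical names, and the assumption is that the `pass` field is filled by a bounded string copy.

```c
#include <stdio.h>
#include <string.h>

#define PASS_FIELD 128   /* size of the pass field quoted in the ticket */

/* Hypothetical stand-in for the structure named in the ticket. */
struct demo_account {
    char pass[PASS_FIELD];
};

/* Silent bounded copy: keeps at most PASS_FIELD - 1 bytes plus the NUL. */
static size_t store_silent(struct demo_account *a, const char *secret)
{
    snprintf(a->pass, sizeof(a->pass), "%s", secret);
    return strlen(a->pass);
}

/* Checked copy: refuses a secret that does not fit instead of cropping it.
 * Returns 0 on success, -1 if the secret would have been truncated. */
static int store_checked(struct demo_account *a, const char *secret)
{
    int n = snprintf(a->pass, sizeof(a->pass), "%s", secret);
    if (n < 0 || (size_t)n >= sizeof(a->pass)) {
        memset(a->pass, 0, sizeof(a->pass)); /* never keep a partial credential */
        return -1;
    }
    return 0;
}

/* Constructed token of the requested length (out must hold len + 1 bytes). */
static void make_token(char *out, size_t len)
{
    static const char unit[] = "1234567890abcdefghij";
    for (size_t i = 0; i < len; i++)
        out[i] = unit[i % 20];
    out[len] = '\0';
}

int main(void)
{
    struct demo_account a;
    char token[130];
    make_token(token, 129);  /* same length as the token in the report */
    printf("silent copy kept %zu of %zu characters\n",
           store_silent(&a, token), strlen(token));
    printf("checked copy returned %d\n", store_checked(&a, token));
    return 0;
}
```

Enlarging the field only moves the limit, while the checked variant turns an over-long token into a visible local error rather than an `AUTHENTICATIONFAILED` response from the server.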