Hello community,

here is the log from the commit of package fetchmail for openSUSE:Factory 
checked in at 2021-10-12 21:49:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fetchmail (Old)
 and      /work/SRC/openSUSE:Factory/.fetchmail.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fetchmail"

Tue Oct 12 21:49:49 2021 rev:93 rq:924829 version:6.4.22

Changes:
--------
--- /work/SRC/openSUSE:Factory/fetchmail/fetchmail.changes      2021-09-21 
21:14:22.210721926 +0200
+++ /work/SRC/openSUSE:Factory/.fetchmail.new.2443/fetchmail.changes    
2021-10-12 21:51:12.272030727 +0200
@@ -1,0 +2,69 @@
+Wed Oct  6 15:00:19 UTC 2021 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
+  * OPENSSL AND LICENSING NOTE:
+    - fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
+      OpenSSL's licensing changed between these releases from dual
+      OpenSSL/SSLeay license to Apache License v2.0, which is
+      considered incompatible with GPL v2 by the FSF. For
+      implications and details, see the file COPYING.
+  * SECURITY FIXES:
+    - CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
+      without --ssl and with nonempty --sslproto, meaning that
+      fetchmail is to enforce TLS, and when the server or an attacker
+      sends a PREAUTH greeting, fetchmail used to continue an
+      unencrypted connection. Now, log the error and abort the
+      connection. --Recommendation for servers that support
+      SSL/TLS-wrapped or "implicit" mode on a dedicated port
+      (default 993): use --ssl, or the ssl user option in an rcfile.
+    - On IMAP and POP3 connections, --auth ssh no longer prevents
+      STARTTLS negotiation.
+    - On IMAP connections, fetchmail does not permit overriding
+      a server-side LOGINDISABLED with --auth password any more.
+    - On POP3 connections, the possibility for RPA authentication
+      (by probing with an AUTH command without arguments) no longer
+      prevents STARTTLS negotiation.
+    - For POP3 connections, only attempt RPA if the authentication
+      type is "any".
+  * BUG FIXES:
+    - On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
+      have received the tagged (= final) response, do not send "*".
+    - On IMAP connections, AUTHENTICATE EXTERNAL without username
+      will properly send a "=" for protocol compliance.
+    - On IMAP connections, AUTHENTICATE EXTERNAL will now check if
+      the server advertised SASL-IR (RFC-4959) support and otherwise
+      refuse (fetchmail <= 6.4 has not supported and does not support
+      the separate challenge/response with command continuation)
+    - On IMAP connections, when --auth external is requested but not
+      advertised by the server, log a proper error message.
+    - Fetchmail no longer crashes when attempting a connection with
+      --plugin "" or --plugout "".
+    - Fetchmail no longer leaks memory when processing the arguments
+      of --plugin or --plugout on connections.
+    - On POP3 connections, the CAPAbilities parser is now caseblind.
+    - Fix segfault on configurations with "defaults ... no envelope".
+      This is a regression in fetchmail 6.4.3 and happened when
+      plugging memory leaks, which did not account for that the
+      envelope parameter is special when set as "no envelope". The
+      segfault happens in a constant strlen(-1), triggered by trusted
+      local input => no vulnerability.
+    - Fix program abort (SIGABRT) with "internal error" when invalid
+      sslproto is given with OpenSSL 1.1.0 API compatible SSL
+      implementations.
+  * CHANGES:
+    - IMAP: When fetchmail is in not-authenticated state and the server
+      volunteers CAPABILITY information, use it and do not re-probe.
+      (After STARTTLS, fetchmail must and will re-probe explicitly.)
+    - For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl
+      option do not match, emit a warning and continue.
+    - fetchmail.man and README.SSL were updated in line with
+      RFC-8314/8996/8997 recommendations to prefer Implicit TLS
+      (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+
+      more prominently. The defaults shall not change between 6.4.X
+      releases for compatibility.
+  * Rebase patches:
+    fetchmail-add-imap-oauthbearer-support.patch
+    fetchmail-add-query_to64_outsize-utility-function.patch
+    fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+
+-------------------------------------------------------------------

Old:
----
  fetchmail-6.4.21.tar.xz
  fetchmail-6.4.21.tar.xz.asc

New:
----
  fetchmail-6.4.22.tar.xz
  fetchmail-6.4.22.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fetchmail.spec ++++++
--- /var/tmp/diff_new_pack.QH2LQi/_old  2021-10-12 21:51:12.988031752 +0200
+++ /var/tmp/diff_new_pack.QH2LQi/_new  2021-10-12 21:51:12.988031752 +0200
@@ -21,7 +21,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           fetchmail
-Version:        6.4.21
+Version:        6.4.22
 Release:        0
 Summary:        Full-Featured POP and IMAP Mail Retrieval Daemon
 License:        GPL-2.0-or-later

++++++ fetchmail-6.4.21.tar.xz -> fetchmail-6.4.22.tar.xz ++++++
++++ 50166 lines of diff (skipped)

++++++ fetchmail-add-imap-oauthbearer-support.patch ++++++
--- /var/tmp/diff_new_pack.QH2LQi/_old  2021-10-12 21:51:13.556032565 +0200
+++ /var/tmp/diff_new_pack.QH2LQi/_new  2021-10-12 21:51:13.560032571 +0200
@@ -17,8 +17,10 @@
  rcfile_l.l       |    1 
  8 files changed, 136 insertions(+), 3 deletions(-)
 
---- a/conf.c
-+++ b/conf.c
+Index: fetchmail-6.4.22/conf.c
+===================================================================
+--- fetchmail-6.4.22.orig/conf.c
++++ fetchmail-6.4.22/conf.c
 @@ -288,6 +288,8 @@ void dump_config(struct runctl *runp, st
                stringdump("auth", "otp");
            else if (ctl->server.authenticate == A_MSN)
@@ -28,9 +30,11 @@
  
  #ifdef HAVE_RES_SEARCH
            booldump("dns", ctl->server.dns);
---- a/fetchmail.c
-+++ b/fetchmail.c
-@@ -1766,6 +1766,9 @@ static void dump_params (struct runctl *
+Index: fetchmail-6.4.22/fetchmail.c
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.c
++++ fetchmail-6.4.22/fetchmail.c
+@@ -1776,6 +1776,9 @@ static void dump_params (struct runctl *
        case A_SSH:
            printf(GT_("  End-to-end encryption assumed.\n"));
            break;
@@ -40,8 +44,10 @@
        }
        if (ctl->server.principal != (char *) NULL)
            printf(GT_("  Mail service principal is: %s\n"), 
ctl->server.principal);
---- a/fetchmail.h
-+++ b/fetchmail.h
+Index: fetchmail-6.4.22/fetchmail.h
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.h
++++ fetchmail-6.4.22/fetchmail.h
 @@ -79,6 +79,7 @@ struct addrinfo;
  #define               A_SSH           8       /* authentication at session 
level */
  #define               A_MSN           9       /* same as NTLM with keyword 
MSN */
@@ -58,9 +64,11 @@
  #define               PASSWORDLEN     256     /* max password length */
  #define               DIGESTLEN       33      /* length of MD5 digest */
  
---- a/fetchmail.man
-+++ b/fetchmail.man
-@@ -1001,7 +1001,7 @@ AUTHENTICATION below for details).  The
+Index: fetchmail-6.4.22/fetchmail.man
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.man
++++ fetchmail-6.4.22/fetchmail.man
+@@ -1007,7 +1007,7 @@ AUTHENTICATION below for details).  The
  \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for
  excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
  \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
@@ -69,7 +77,7 @@
  When \fBany\fP (the default) is specified, fetchmail tries
  first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
  KERBEROS\ 5); then it looks for methods that mask your password
-@@ -1021,6 +1021,23 @@ GSSAPI or K4.  Choosing KPOP protocol au
+@@ -1027,6 +1027,23 @@ GSSAPI or K4.  Choosing KPOP protocol au
  authentication.  This option does not work with ETRN.  GSSAPI service names 
are
  in line with RFC-2743 and IANA registrations, see
  .URL https://www.iana.org/assignments/gssapi-service-names/ "Generic Security 
Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication 
and Security Layer (SASL) Service Names" .
@@ -93,7 +101,7 @@
  .SS Miscellaneous Options
  .TP
  .B \-f <pathname> | \-\-fetchmailrc <pathname>
-@@ -2327,7 +2344,9 @@ Legal protocol identifiers for use with
+@@ -2333,7 +2350,9 @@ Legal protocol identifiers for use with
  .PP
  Legal authentication types are 'any', 'password', 'kerberos',
  \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
@@ -104,9 +112,11 @@
  The 'password' type specifies
  authentication by normal transmission of a password (the password may be
  plain text or subject to protocol-specific encryption as in CRAM-MD5);
---- a/fetchmailconf.py
-+++ b/fetchmailconf.py
-@@ -487,7 +487,7 @@ defaultports = {"auto":None,
+Index: fetchmail-6.4.22/fetchmailconf.py
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmailconf.py
++++ fetchmail-6.4.22/fetchmailconf.py
+@@ -500,7 +500,7 @@ defaultports = {"auto":None,
                  "ODMR":"odmr"}
  
  authlist = ("any", "password", "gssapi", "kerberos", "ssh", "otp",
@@ -115,8 +125,10 @@
  
  listboxhelp = {
      'title' : 'List Selection Help',
---- a/imap.c
-+++ b/imap.c
+Index: fetchmail-6.4.22/imap.c
+===================================================================
+--- fetchmail-6.4.22.orig/imap.c
++++ fetchmail-6.4.22/imap.c
 @@ -26,6 +26,10 @@
  #define IMAP4         0       /* IMAP4 rev 0, RFC1730 */
  #define IMAP4rev1     1       /* IMAP4 rev 1, RFC2060 */
@@ -128,16 +140,16 @@
  /* global variables: please reinitialize them explicitly for proper
   * working in daemon mode */
  
-@@ -38,6 +42,8 @@ static int imap_version = IMAP4;
- static flag do_idle = FALSE, has_idle = FALSE;
- static int expunge_period = 1;
+@@ -51,6 +55,8 @@ static void clear_sessiondata(void) {
+  * a const initializer */
+ const char *const capa_begin = " [CAPABILITY "; const unsigned capa_len = 13;
  
 +static int plus_cont_context = IPLUS_NONE;
 +
  /* mailbox variables initialized in imap_getrange() */
  static int count = 0, oldcount = 0, recentcount = 0, unseen = 0, deletions = 
0;
  static unsigned int startcount = 1;
-@@ -202,6 +208,21 @@ static int imap_response(int sock, char
+@@ -266,6 +272,21 @@ static int imap_response(int sock, char
        if (ok != PS_SUCCESS)
            return(ok);
  
@@ -159,7 +171,7 @@
        /* all tokens in responses are caseblind */
        for (cp = buf; *cp; cp++)
            if (islower((unsigned char)*cp))
-@@ -316,6 +337,69 @@ static int do_imap_ntlm(int sock, struct
+@@ -396,6 +417,69 @@ static int do_imap_ntlm(int sock, struct
  }
  #endif /* NTLM */
  
@@ -229,9 +241,9 @@
  static void imap_canonicalize(char *result, char *raw, size_t maxlen)
  /* encode an IMAP password as per RFC1730's quoting conventions */
  {
-@@ -510,6 +594,26 @@ static int imap_getauth(int sock, struct
-      */
-     ok = PS_AUTHFAIL;
+@@ -577,6 +661,26 @@ static int imap_getauth(int sock, struct
+                        for future maintenance */
+     (void)ok;
  
 +    if (ctl->server.authenticate == A_OAUTHBEARER)
 +    {
@@ -256,8 +268,10 @@
      /* Yahoo hack - we'll just try ID if it was offered by the server,
       * and IGNORE errors. */
      {
---- a/options.c
-+++ b/options.c
+Index: fetchmail-6.4.22/options.c
+===================================================================
+--- fetchmail-6.4.22.orig/options.c
++++ fetchmail-6.4.22/options.c
 @@ -421,6 +421,8 @@ int parsecmdline (int argc /** argument
                ctl->server.authenticate = A_ANY;
            else if (strcmp(optarg, "msn") == 0)
@@ -267,8 +281,10 @@
            else {
                fprintf(stderr,GT_("Invalid authentication `%s' specified.\n"), 
optarg);
                errflag++;
---- a/rcfile_l.l
-+++ b/rcfile_l.l
+Index: fetchmail-6.4.22/rcfile_l.l
+===================================================================
+--- fetchmail-6.4.22.orig/rcfile_l.l
++++ fetchmail-6.4.22/rcfile_l.l
 @@ -106,6 +106,7 @@ cram(-md5)?        { SETSTATE(0); yylval.proto
  msn           { SETSTATE(0); yylval.proto = A_MSN; return AUTHTYPE;}
  ntlm          { SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;}

++++++ fetchmail-add-query_to64_outsize-utility-function.patch ++++++
--- /var/tmp/diff_new_pack.QH2LQi/_old  2021-10-12 21:51:13.568032582 +0200
+++ /var/tmp/diff_new_pack.QH2LQi/_new  2021-10-12 21:51:13.568032582 +0200
@@ -9,11 +9,11 @@
  fetchmail.h | 1 +
  2 files changed, 8 insertions(+)
 
-diff --git a/base64.c b/base64.c
-index 3cd41691..25393b35 100644
---- a/base64.c
-+++ b/base64.c
-@@ -61,6 +61,13 @@ fail:
+Index: fetchmail-6.4.22/base64.c
+===================================================================
+--- fetchmail-6.4.22.orig/base64.c
++++ fetchmail-6.4.22/base64.c
+@@ -66,6 +66,13 @@ fail:
      return rc;
  }
  
@@ -27,16 +27,15 @@
  int from64tobits(void *out_, const char *in, int maxlen)
  /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
  /* maxlen limits output buffer size, set to zero to ignore */
-diff --git a/fetchmail.h b/fetchmail.h
-index 8b9dd6c4..2d378942 100644
---- a/fetchmail.h
-+++ b/fetchmail.h
-@@ -638,6 +638,7 @@ int prc_filecheck(const char *, const flag);
- 
+Index: fetchmail-6.4.22/fetchmail.h
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.h
++++ fetchmail-6.4.22/fetchmail.h
+@@ -642,6 +642,7 @@ int prc_filecheck(const char *, const fl
  /* base64.c */
+ unsigned len64frombits(unsigned inlen); /** calculate length needed to encode 
inlen octets. warnings: 1. caller needs to add 1 for a trailing \0 byte 
himself. 2. returns 0 for inlen 0! */
  int to64frombits(char *, const void *, int inlen, size_t outlen);
 +size_t query_to64_outsize(size_t inlen);
  int from64tobits(void *, const char *, int mxoutlen);
  
  /* unmime.c */
-
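Review bot: The refreshed fetchmail.h context now shows two base64 sizing helpers side by side, and the one this patch adds, `size_t query_to64_outsize(size_t inlen);`, has no stated contract. Upstream's `len64frombits` just above documents that the caller must add 1 for the trailing \0 and that it returns 0 for inlen 0. The definition of `query_to64_outsize` is outside this hunk, so whether its result counts the terminator cannot be confirmed here. I would add a declaration comment that states this explicitly, for example `/** buffer size needed to encode inlen octets; state whether the trailing \0 is included */`, or drop the helper in favour of `len64frombits` if the two turn out to compute the same thing, so that callers sizing output buffers do not mix the two conventions.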

++++++ fetchmail-support-oauthbearer-xoauth2-with-pop3.patch ++++++
--- /var/tmp/diff_new_pack.QH2LQi/_old  2021-10-12 21:51:13.588032611 +0200
+++ /var/tmp/diff_new_pack.QH2LQi/_new  2021-10-12 21:51:13.588032611 +0200
@@ -16,11 +16,11 @@
  create mode 100644 oauth2.c
  create mode 100644 oauth2.h
 
-diff --git a/Makefile.am b/Makefile.am
-index 1e800085..d747f895 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -54,7 +54,7 @@ fetchmail_SOURCES=   fetchmail.h getopt.h \
+Index: fetchmail-6.4.22/Makefile.am
+===================================================================
+--- fetchmail-6.4.22.orig/Makefile.am
++++ fetchmail-6.4.22/Makefile.am
+@@ -68,7 +68,7 @@ fetchmail_SOURCES=   fetchmail.h getopt.h
                fetchmail.c env.c idle.c options.c daemon.c \
                driver.c transact.c sink.c smtp.c \
                idlist.c uid.c mxget.c md5ify.c cram.c gssapi.c \
@@ -29,11 +29,11 @@
                unmime.c conf.c checkalias.c uid_db.h uid_db.c\
                lock.h lock.c \
                rcfile_l.l rcfile_y.y \
-diff --git a/fetchmail.man b/fetchmail.man
-index d128ece1..aece716e 100644
---- a/fetchmail.man
-+++ b/fetchmail.man
-@@ -928,7 +928,7 @@ This option permits you to specify an authentication type 
(see USER
+Index: fetchmail-6.4.22/fetchmail.man
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.man
++++ fetchmail-6.4.22/fetchmail.man
+@@ -1007,7 +1007,7 @@ AUTHENTICATION below for details).  The
  \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for
  excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
  \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
@@ -42,7 +42,7 @@
  When \fBany\fP (the default) is specified, fetchmail tries
  first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
  KERBEROS\ 5); then it looks for methods that mask your password
-@@ -2222,8 +2222,7 @@ Legal protocol identifiers for use with the 'protocol' 
keyword are:
+@@ -2351,8 +2351,7 @@ Legal protocol identifiers for use with
  Legal authentication types are 'any', 'password', 'kerberos',
  \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
  (only for POP3), 'ntlm', 'ssh', 'external' (only IMAP),
@@ -52,11 +52,11 @@
  The 'password' type specifies
  authentication by normal transmission of a password (the password may be
  plain text or subject to protocol-specific encryption as in CRAM-MD5);
-diff --git a/imap.c b/imap.c
-index 0ab10d31..e38706f5 100644
---- a/imap.c
-+++ b/imap.c
-@@ -14,6 +14,7 @@
+Index: fetchmail-6.4.22/imap.c
+===================================================================
+--- fetchmail-6.4.22.orig/imap.c
++++ fetchmail-6.4.22/imap.c
+@@ -17,6 +17,7 @@
  #include  <limits.h>
  #include  <errno.h>
  #endif
@@ -64,7 +64,7 @@
  #include  "socket.h"
  
  #include  "i18n.h"
-@@ -329,63 +330,23 @@ static int do_imap_ntlm(int sock, struct query *ctl)
+@@ -419,63 +420,23 @@ static int do_imap_ntlm(int sock, struct
  
  static int do_imap_oauthbearer(int sock, struct query *ctl,flag xoauth2)
  {
@@ -134,11 +134,10 @@
  
      return ok;
  }
-diff --git a/oauth2.c b/oauth2.c
-new file mode 100644
-index 00000000..a8a324b8
+Index: fetchmail-6.4.22/oauth2.c
+===================================================================
 --- /dev/null
-+++ b/oauth2.c
++++ fetchmail-6.4.22/oauth2.c
 @@ -0,0 +1,61 @@
 +/*
 + * oauth2.c -- oauthbearer and xoauth2 support
@@ -201,11 +200,10 @@
 +
 +    return oauth2b64;
 +}
-diff --git a/oauth2.h b/oauth2.h
-new file mode 100644
-index 00000000..67ebfd6e
+Index: fetchmail-6.4.22/oauth2.h
+===================================================================
 --- /dev/null
-+++ b/oauth2.h
++++ fetchmail-6.4.22/oauth2.h
 @@ -0,0 +1,6 @@
 +#ifndef OAUTH2_H
 +#define OAUTH2_H
@@ -213,11 +211,11 @@
 +char *get_oauth2_string(struct query *ctl,flag xoauth2);
 +
 +#endif /*OAUTH2_H*/
-diff --git a/pop3.c b/pop3.c
-index 076d890e..06fc0a0d 100644
---- a/pop3.c
-+++ b/pop3.c
-@@ -15,6 +15,7 @@
+Index: fetchmail-6.4.22/pop3.c
+===================================================================
+--- fetchmail-6.4.22.orig/pop3.c
++++ fetchmail-6.4.22/pop3.c
+@@ -20,6 +20,7 @@
  #include  <errno.h>
  
  #include  "fetchmail.h"
@@ -225,18 +223,18 @@
  #include  "socket.h"
  #include  "i18n.h"
  #include  "uid_db.h"
-@@ -55,6 +56,10 @@ flag has_ntlm = FALSE;
- #ifdef SSL_ENABLE
+@@ -52,6 +53,10 @@ static flag has_cram = FALSE;
+ static flag has_otp = FALSE;
+ static flag has_ntlm = FALSE;
  static flag has_stls = FALSE;
- #endif /* SSL_ENABLE */
 +static flag has_oauthbearer = FALSE;
 +static flag has_xoauth2 = FALSE;
 +
 +static const char *next_sasl_resp = NULL;
  
- /* mailbox variables initialized in pop3_getrange() */
- static int last;
-@@ -110,12 +115,65 @@ static int pop3_ok (int sock, char *argbuf)
+ static void clear_sessiondata(void) {
+     /* must match defaults above */
+@@ -135,12 +140,65 @@ static int pop3_ok (int sock, char *argb
      char buf [POPBUFSIZE+1];
      char *bufp;
  
@@ -244,67 +242,69 @@
 +    while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
      { bufp = buf;
 -      if (*bufp == '+' || *bufp == '-')
+-          bufp++;
+-      else
 +      if (*bufp == '+')
 +      {
-           bufp++;
-+          if (*bufp == ' ' && next_sasl_resp != NULL)
-+          {
-+              /* Currently only used for OAUTHBEARER/XOAUTH2, and only
-+               * rarely even then.
-+               *
-+               * This is the only case where the top while() actually
-+               * loops.
-+               *
-+               * For OAUTHBEARER, data aftetr '+ ' is probably
-+               * base64-encoded JSON with some HTTP-related error details.
-+               */
-+              if (*next_sasl_resp != '\0')
-+                  SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp));
-+              SockWrite(sock, "\r\n", 2);
-+              if (outlevel >= O_MONITOR)
-+              {
-+                  const char *found;
-+                  if (shroud[0] && (found = strstr(next_sasl_resp, shroud)))
-+                  {
-+                      /* enshroud() without copies, and avoid
-+                       * confusing with a genuine "*" (cancel).
-+                       */
-+                      report(stdout, "POP3> %.*s[SHROUDED]%s\n",
-+                             (int)(found-next_sasl_resp), next_sasl_resp,
-+                             found+strlen(shroud));
-+                  }
-+                  else
-+                  {
-+                      report(stdout, "POP3> %s\n", next_sasl_resp);
-+                  }
-+              }
-+
-+              if (*next_sasl_resp == '\0' || *next_sasl_resp == '*')
-+              {
-+                  /* No more responses expected, cancel AUTH command if
-+                   * more responses requested.
-+                   */
-+                  next_sasl_resp = "*";
-+              }
-+              else
-+              {
-+                  next_sasl_resp = "";
-+              }
-+              continue;
-+          }
-+      }
-+      else if (*bufp == '-')
-+      {
-+          bufp++;
-+      }
-       else
-+      {
++         bufp++;
++       if (*bufp == ' ' && next_sasl_resp != NULL)
++       {
++       /* Currently only used for OAUTHBEARER/XOAUTH2, and only
++        * rarely even then.
++        *
++        * This is the only case where the top while() actually
++        * loops.
++        *
++        * For OAUTHBEARER, data aftetr '+ ' is probably
++        * base64-encoded JSON with some HTTP-related error details.
++        */
++       if (*next_sasl_resp != '\0')
++           SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp));
++       SockWrite(sock, "\r\n", 2);
++       if (outlevel >= O_MONITOR)
++       {
++           const char *found;
++           if (shroud[0] && (found = strstr(next_sasl_resp, shroud)))
++           {
++           /* enshroud() without copies, and avoid
++            * confusing with a genuine "*" (cancel).
++            */
++           report(stdout, "POP3> %.*s[SHROUDED]%s\n",
++                  (int)(found-next_sasl_resp), next_sasl_resp,
++                  found+strlen(shroud));
++           }
++           else
++           {
++           report(stdout, "POP3> %s\n", next_sasl_resp);
++           }
++       }
++
++       if (*next_sasl_resp == '\0' || *next_sasl_resp == '*')
++       {
++           /* No more responses expected, cancel AUTH command if
++            * more responses requested.
++            */
++           next_sasl_resp = "*";
++       }
++       else
++       {
++           next_sasl_resp = "";
++       }
++       continue;
++       }
++   }
++   else if (*bufp == '-')
++   {
++       bufp++;
++   }
++   else
++   {
            return(PS_PROTOCOL);
-+      }
++   }
  
        while (isalpha((unsigned char)*bufp))
            bufp++;
-@@ -184,6 +242,8 @@ static int pop3_ok (int sock, char *argbuf)
+@@ -209,6 +267,8 @@ static int pop3_ok (int sock, char *argb
  #endif
        if (argbuf != NULL)
            strcpy(argbuf,bufp);
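Review bot: In the SASL continuation path added to pop3_ok, the O_MONITOR branch falls back to `report(stdout, "POP3> %s\n", next_sasl_resp);` whenever `shroud` is empty or is not found in the response, which would write the response (presumably the encoded OAUTHBEARER/XOAUTH2 credential) to the log. Whether the caller always sets `shroud` to the encoded form before this runs is outside the hunk and should be confirmed. A fail-closed fallback avoids depending on it: `else if (*next_sasl_resp == '\0' || *next_sasl_resp == '*') report(stdout, "POP3> %s\n", next_sasl_resp);` followed by `else report(stdout, "POP3> [SHROUDED]\n");`. The two `SockWrite` calls just above it ignore their return values, so a failed write is only noticed on the next `gen_recv`. The refresh also re-indented the added block so it no longer lines up with the surrounding code, which makes the brace nesting harder to audit.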
@@ -313,22 +313,33 @@
      }
  
      return(ok);
-@@ -212,11 +272,13 @@ static int capa_probe(int sock)
+@@ -237,11 +297,13 @@ static int capa_probe(int sock)
  #ifdef NTLM_ENABLE
      has_ntlm = FALSE;
  #endif /* NTLM_ENABLE */
-+    has_oauthbearer = FALSE;
-+    has_xoauth2 = FALSE;
++      has_oauthbearer = FALSE;
++      has_xoauth2 = FALSE;
  
      ok = gen_transact(sock, "CAPA");
      if (ok == PS_SUCCESS)
      {
 -      char buffer[64];
 +      char buffer[128];
+       char *cp;
  
        /* determine what authentication methods we have available */
-       while ((ok = gen_recv(sock, buffer, sizeof(buffer))) == 0)
-@@ -246,6 +308,12 @@ static int capa_probe(int sock)
+@@ -256,6 +318,10 @@ static int capa_probe(int sock)
+           if (strstr(buffer, "STLS"))
+               has_stls = TRUE;
+ #endif /* SSL_ENABLE */
++static flag has_oauthbearer = FALSE;
++static flag has_xoauth2 = FALSE;
++
++static const char *next_sasl_resp = NULL;
+ 
+ #if defined(GSSAPI)
+           if (strstr(buffer, "GSSAPI"))
+@@ -279,6 +345,12 @@ static int capa_probe(int sock)
  
            if (strstr(buffer, "CRAM-MD5"))
                has_cram = TRUE;
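Review bot: The new inner hunk `@@ -256,6 +318,10 @@` inserts `static flag has_oauthbearer = FALSE;`, `static flag has_xoauth2 = FALSE;` and `static const char *next_sasl_resp = NULL;` inside capa_probe's capability loop, directly after `#endif /* SSL_ENABLE */`, although the same three declarations are still added at file scope earlier in this patch. This looks like a refresh artifact rather than an intended change. As block-scope statics they would shadow the file-scope variables for the rest of that block, so the capability checks added by the following inner hunk after the CRAM-MD5 test (its body is not visible here) would presumably set the shadow copies, and pop3_getauth would then never see the server's OAUTHBEARER/XOAUTH2 advertisement. I would drop that inner hunk and keep only the file-scope declarations. Building the patched tree with `-Wshadow` would flag this kind of duplicate.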
@@ -341,7 +352,7 @@
        }
      }
      done_capa = TRUE;
-@@ -312,6 +380,40 @@ static int do_apop(int sock, struct query *ctl, char 
*greeting)
+@@ -295,6 +367,40 @@ static void set_peek_capable(struct quer
      peek_capable = !ctl->fetchall && (!ctl->keep || ctl->server.uidl);
  }
  
@@ -382,7 +393,7 @@
  static int pop3_getauth(int sock, struct query *ctl, char *greeting)
  /* apply for connection authorization */
  {
-@@ -436,6 +538,7 @@ static int pop3_getauth(int sock, struct query *ctl, char 
*greeting)
+@@ -374,6 +480,7 @@ static int pop3_getauth(int sock, struct
                (ctl->server.authenticate == A_KERBEROS_V5) ||
                (ctl->server.authenticate == A_OTP) ||
                (ctl->server.authenticate == A_CRAM_MD5) ||
@@ -390,7 +401,7 @@
                maybe_starttls(ctl))
        {
            if ((ok = capa_probe(sock)) != PS_SUCCESS)
-@@ -540,6 +643,19 @@ static int pop3_getauth(int sock, struct query *ctl, char 
*greeting)
+@@ -523,6 +630,19 @@ static int pop3_getauth(int sock, struct
        /*
         * OK, we have an authentication type now.
         */
@@ -410,6 +421,3 @@
  #if defined(KERBEROS_V4)
        /* 
         * Servers doing KPOP have to go through a dummy login sequence
--- 
-2.31.1
-
