prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization

an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2025-07-12 12:24:38 +03:00 · 2024-03-08 23:29:15 +01:00
parent 8e6fe7459b
commit c57aeac7f0
99 changed files with 59625 additions and 114 deletions
--- a/imapserver/condstore_test.go
+++ b/imapserver/condstore_test.go
@ -34,7 +34,7 @@ func testCondstoreQresync(t *testing.T, qresync bool) {
 		capability = "Qresync"
 	}

-	tc.client.Login("mjl@mox.example", "testtest")
+	tc.client.Login("mjl@mox.example", password0)
 	tc.client.Enable(capability)
 	tc.transactf("ok", "Select inbox")
 	tc.xuntaggedOpt(false, imapclient.UntaggedResult{Status: imapclient.OK, RespText: imapclient.RespText{Code: "HIGHESTMODSEQ", CodeArg: imapclient.CodeHighestModSeq(1), More: "x"}})
@ -101,13 +101,13 @@ func testCondstoreQresync(t *testing.T, qresync bool) {
 	// tc2 is a client without condstore, so no modseq responses.
 	tc2 := startNoSwitchboard(t)
 	defer tc2.close()
-	tc2.client.Login("mjl@mox.example", "testtest")
+	tc2.client.Login("mjl@mox.example", password0)
 	tc2.client.Select("inbox")

 	// tc3 is a client with condstore, so with modseq responses.
 	tc3 := startNoSwitchboard(t)
 	defer tc3.close()
-	tc3.client.Login("mjl@mox.example", "testtest")
+	tc3.client.Login("mjl@mox.example", password0)
 	tc3.client.Enable(capability)
 	tc3.client.Select("inbox")

@ -357,7 +357,7 @@ func testCondstoreQresync(t *testing.T, qresync bool) {
 			xtc.close()
 			store.CheckConsistencyOnClose = true
 		}()
-		xtc.client.Login("mjl@mox.example", "testtest")
+		xtc.client.Login("mjl@mox.example", password0)
 		fn(xtc)
 		tagcount++
 		label := fmt.Sprintf("l%d", tagcount)
@ -444,13 +444,13 @@ func testCondstoreQresync(t *testing.T, qresync bool) {
 	// tc2o is a client without condstore, so no modseq responses.
 	tc2o := startNoSwitchboard(t)
 	defer tc2o.close()
-	tc2o.client.Login("mjl@mox.example", "testtest")
+	tc2o.client.Login("mjl@mox.example", password0)
 	tc2o.client.Select("otherbox")

 	// tc3o is a client with condstore, so with modseq responses.
 	tc3o := startNoSwitchboard(t)
 	defer tc3o.close()
-	tc3o.client.Login("mjl@mox.example", "testtest")
+	tc3o.client.Login("mjl@mox.example", password0)
 	tc3o.client.Enable(capability)
 	tc3o.client.Select("otherbox")

@ -529,7 +529,7 @@ func testQresync(t *testing.T, tc *testconn, clientModseq int64) {

 	// Vanished not allowed without first enabling qresync. ../rfc/7162:1697
 	xtc := startNoSwitchboard(t)
-	xtc.client.Login("mjl@mox.example", "testtest")
+	xtc.client.Login("mjl@mox.example", password0)
 	xtc.transactf("ok", "Select inbox (Condstore)")
 	xtc.transactf("bad", "Uid Fetch 1:* (Flags) (Changedsince 1 Vanished)")
 	// Prevent triggering the consistency checker, we still have modseq/createseq at 0.
@ -553,7 +553,7 @@ func testQresync(t *testing.T, tc *testconn, clientModseq int64) {

 	// Must enable qresync explicitly before using. ../rfc/7162:1446
 	xtc = startNoSwitchboard(t)
-	xtc.client.Login("mjl@mox.example", "testtest")
+	xtc.client.Login("mjl@mox.example", password0)
 	xtc.transactf("bad", "Select inbox (Qresync 1 0)")
 	// Prevent triggering the consistency checker, we still have modseq/createseq at 0.
 	store.CheckConsistencyOnClose = false