implement the plus variants of scram, to bind the authentication exchange to the tls connection

to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
2025-07-10 07:14:40 +03:00 · 2023-12-23 23:07:21 +01:00
parent 4701857d7f
commit e7478ed6ac
23 changed files with 690 additions and 189 deletions
--- a/imapclient/client.go
+++ b/imapclient/client.go
@ -16,6 +16,7 @@ package imapclient

 import (
 	"bufio"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"reflect"
@ -117,6 +118,15 @@ func (c *Conn) xcheck(err error) {
 	}
 }

+// TLSConnectionState returns the TLS connection state if the connection uses TLS.
+func (c *Conn) TLSConnectionState() *tls.ConnectionState {
+	if conn, ok := c.conn.(*tls.Conn); ok {
+		cs := conn.ConnectionState()
+		return &cs
+	}
+	return nil
+}
+
 // Commandf writes a free-form IMAP command to the server.
 // If tag is empty, a next unique tag is assigned.
 func (c *Conn) Commandf(tag string, format string, args ...any) (rerr error) {