implement the plus variants of scram, to bind the authentication exchange to the tls connection

to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
2025-07-10 07:14:40 +03:00 · 2023-12-23 23:07:21 +01:00
parent 4701857d7f
commit e7478ed6ac
23 changed files with 690 additions and 189 deletions
--- a/imapclient/cmds.go
+++ b/imapclient/cmds.go
@ -61,13 +61,26 @@ func (c *Conn) AuthenticatePlain(username, password string) (untagged []Untagged
 	return
 }

-// Authenticate with SCRAM-SHA-1 or SCRAM-SHA-256, where the password is not
-// exchanged in original plaintext form, but only derived hashes are exchanged by
-// both parties as proof of knowledge of password.
+// Authenticate with SCRAM-SHA-256(-PLUS) or SCRAM-SHA-1(-PLUS). With SCRAM, the
+// password is not exchanged in plaintext form, but only derived hashes are
+// exchanged by both parties as proof of knowledge of password.
+//
+// The PLUS variants bind the authentication exchange to the TLS connection,
+// detecting MitM attacks.
 func (c *Conn) AuthenticateSCRAM(method string, h func() hash.Hash, username, password string) (untagged []Untagged, result Result, rerr error) {
 	defer c.recover(&rerr)

-	sc := scram.NewClient(h, username, "")
+	var cs *tls.ConnectionState
+	lmethod := strings.ToLower(method)
+	if strings.HasSuffix(lmethod, "-plus") {
+		tlsConn, ok := c.conn.(*tls.Conn)
+		if !ok {
+			c.xerrorf("cannot use scram plus without tls")
+		}
+		xcs := tlsConn.ConnectionState()
+		cs = &xcs
+	}
+	sc := scram.NewClient(h, username, "", false, cs)
 	clientFirst, err := sc.ClientFirst()
 	c.xcheckf(err, "scram clientFirst")
 	c.LastTag = c.nextTag()