Re: [Fetchmail-devel] XOAUTH2 bug in pop3.c, "next" branch

[Matthias A. <mat...@gm...>]

(direct mail to Geoff and to list)

Geoff,

A happy new year!

Following up on myself (I never received a reply to my suggestions) I
can also say that it may worth trying 7.0.0-alpha7, which extends the
token buffer; there have been reports that Office 365 tokens are longer
than 2 kByte buffer, and 7.0.0-alpha7 or the "next" branch in Git for
now use a 4 kByte buffer. I have received a message via sourceforge from
what appears to be a Dutch or Flemish writer that he had success with
alpha6 with a "PASSWORDLEN" password buffer size of 4096 (which we use
to hold the OAUTH2 token for Google mail or MS Office 365). This is
PASSWORDLEN is a #define in fetchmail.h.

Regards,
Matthias

Am 13.11.20 um 01:04 schrieb Matthias Andree:
> Am 11.11.20 um 03:22 schrieb Geoff Bailey:
>> G'day all,
>>
>> I'm trying to use fetchmail with Office 365 and XOAUTH2 enabled.  So far
>> unsuccessfully, alas.  Anyway, this section in lines 650 to 662 of pop3.c
>> is not helping:
>>
>>         if (ctl->server.authenticate == A_OAUTHBEARER)
>>         {
>>             if (has_oauthbearer || !has_xoauth2)
>>             {
>>                 ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
>>             }
>>             if (ok != PS_SUCCESS && has_xoauth2)
>>             {
>>                 ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
>>             }
>>                 break;
>>         }
>>
>> As you can see, if has_xoauth2 is true and has_oauthbearer is false, as it
>> is in this case, then a very old value of ok is incorrectly used and the
>> XOAUTH2 branch is skipped.
>>
>> The simplest adjustment would be to insert
>>
>>             ok = PS_AUTHFAIL;   /* anything other than PS_SUCCESS */
>>
>> or similar before the has_oauthbearer check.
>>
> Hi Geoff,
>
> thanks for the report. Does it help to rewrite the code as:
>
>         if (ctl->server.authenticate == A_OAUTHBEARER)
>         {
>             if (has_oauthbearer || !has_xoauth2)
>             {
>                 ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
>             }
>             else
>             {
>                 ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
>             }
>             if (ok == PS_SUCCESS)
>              break;
>
>         }
>
> This will change behaviour however, in that there is no fall-through
> from OAUTHBEARER if it fails to XOAUTH2.
>
> Cheers,
> Matthias
>
>
>
> _______________________________________________
> Fetchmail-devel mailing list
> Fet...@li...
> https://lists.sourceforge.net/lists/listinfo/fetchmail-devel