Bug 2428

Summary: Password obfuscator fails to decrypt some passwords
Product: Claws Mail (GTK 2)
Reporter: beavisjohn
Component: Other
Assignee: users
Status: RESOLVED INVALID
Severity: normal
Priority: P3
Version: 3.7.9
Hardware: PC
OS: Linux
Attachments (Description / Flags):
A tool to generate passwords that fail to decrypt in claws-mail on Linux / none
Do not write truncated LDAP passwords / none

Description beavisjohn 2011-05-17 20:09:21 UTC
I have discovered this bug while analysing sudden failures when searching for e-mail addresses in an LDAP address book (M$ Exchange). It seems that the included password obfuscator truncates some passwords because it can generate a nul (0x0, \000) character while encrypting the password. I have found a workaround that works for me: change the default PASSCRYPT_KEY to something else. Since I do not want to reveal my work password, I have attached a tool that uses a brute-force method to generate passwords that fail to decrypt in claws-mail (this can be easily traced by adding a printf to the function passcrypt_decrypt in the file common/passcrypt.c). The tool will stop when 20 failed attempts at encrypting the password are encountered. I have observed this behaviour on Linux; it would be interesting to check if the same bug is present on FreeBSD, since there is an ifdef in passcrypt.c for the latter OS.
Comment 1 beavisjohn 2011-05-17 20:10:05 UTC
Created attachment 983 [details]
A tool to generate passwords that fail to decrypt in claws-mail on Linux
Comment 2 beavisjohn 2015-03-23 10:27:34 UTC
Created attachment 1502 [details]
Do not write truncated LDAP passwords

I have had another look at this bug. The issue happens because
quoted printable encoding is used on obfuscated password. I have
changed it to use base64 and it works fine for my previously
problematic password.

The fix should support existing obfuscated passwords in
addrbook--index.xml file. Whenever a new LDAP password is set it will
be encoded using base64.

Old style passwords are marked with !|, new style uses !!. I
have not tested what happens when one has ! as a first character
in their LDAP password.
Comment 3 Ricardo Mones 2016-08-23 09:38:14 UTC
The 3.14.0 release implements a completely new password storage backend.