Re: [mpop-users] POP3 Authorization using SCRAM-SHA-1 fails

Sat, 15 Jan 2011 04:18:48 -0800 

Hi Simon!

On 11/01/11 22:36, Simon Josefsson wrote:
>> >From your analysis, it seems that SCRAM-SHA-1 needs the same exception
>> rule that DIGEST-MD5 needs, so the attached patch might fix the problem.
>> Would you please test it?
> ...
>> -    /* For DIGEST-MD5, we need to send an empty answer to the last 334
>> -     * response before we get 235. */
>> -    if (strcmp(auth_mech, "DIGEST-MD5") == 0)
>> +    /* For DIGEST-MD5 and SCRAM-SHA-1, we need to send an empty answer to 
>> the
>> +     * last response before we get an OK. */
>> +    if (strcmp(auth_mech, "DIGEST-MD5") == 0
>> +            || strcmp(auth_mech, "SCRAM-SHA-1") == 0)
> 
> This looks a bit strange -- it shouldn't special-case SASL mechanisms,
> but just use the normal SASL state machine.  You can use the return
> value from gsasl_step function to guide you when to quit the loop,
> although you need to observe that each challenge has a response.

I have no idea how to get this working for all mechanisms without
special handling of some. The loop currently is this:

do {
    e = gsasl_step64(ctx, in, &out);
    if (e != OK && e != NEEDS_MORE) {
        /* fail */;
    }
    if (!in) {
        /* send AUTH <MECHANISM> */
        /* get answer */
        /* if answer not ok, fail */
        /* else put it into 'in' */
    }
    if (out[0] != '\0'
        || mechanism == DIGEST_MD5
        || mechanism == SCRAM-SHA-1
        || mechanism == GSSAPI) {
        /* send 'out' */
        /* get answer */
        /* if answer not ok, fail */
        /* else put it into 'in' */
    }
} while (e == NEEDS_MORE);

How is it supposed to be done instead?

Unfortunately, the libgsasl examples all seem to be purely theoretical,
and cannot be applied to a POP3 or SMTP client as far as I can see. A
working example for a real protocol would be most helpful.

Martin

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
mpop-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mpop-users

Reply via email to