Re: [mpop-users] POP3 Authorization using SCRAM-SHA-1 fails
Hi Simon!
On 11/01/11 22:36, Simon Josefsson wrote:
>> From your analysis, it seems that SCRAM-SHA-1 needs the same exception
>> rule that DIGEST-MD5 needs, so the attached patch might fix the problem.
>> Would you please test it?
> ...
>> - /* For DIGEST-MD5, we need to send an empty answer to the last 334
>> - * response before we get 235. */
>> - if (strcmp(auth_mech, "DIGEST-MD5") == 0)
>> + /* For DIGEST-MD5 and SCRAM-SHA-1, we need to send an empty answer to the
>> + * last response before we get an OK. */
>> + if (strcmp(auth_mech, "DIGEST-MD5") == 0
>> + || strcmp(auth_mech, "SCRAM-SHA-1") == 0)
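Review bot: the new condition `if (strcmp(auth_mech, "DIGEST-MD5") == 0 || strcmp(auth_mech, "SCRAM-SHA-1") == 0)` grows the per-mechanism exception list instead of removing it; any further mechanism whose last server challenge carries data and expects an empty client answer will need yet another strcmp here. Consider letting the SASL step result decide: when the step on the final challenge succeeds with an empty output, that empty response still has to be sent before the final OK is read, which covers both DIGEST-MD5 and SCRAM-SHA-1 without naming them. The comment change from "before we get 235" to "before we get an OK" is a sensible generalisation across SMTP and POP3; it would help to state there which server responses trigger this path.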
>
> This looks a bit strange -- it shouldn't special-case SASL mechanisms,
> but just use the normal SASL state machine. You can use the return
> value from gsasl_step function to guide you when to quit the loop,
> although you need to observe that each challenge has a response.
I have no idea how to get this working for all mechanisms without
special handling of some. The loop currently is this:
/* 'in' starts out NULL, so the first step produces the initial client message */
do {
    e = gsasl_step64(ctx, in, &out);
    if (e != GSASL_OK && e != GSASL_NEEDS_MORE) {
        /* fail */
    }
    if (!in) {
        /* send AUTH <MECHANISM> */
        /* get answer */
        /* if answer not ok, fail */
        /* else put it into 'in' */
    }
    if (out[0] != '\0'
        || mechanism == DIGEST_MD5
        || mechanism == SCRAM_SHA_1
        || mechanism == GSSAPI) {
        /* send 'out' */
        /* get answer */
        /* if answer not ok, fail */
        /* else put it into 'in' */
    }
} while (e == GSASL_NEEDS_MORE);
How is it supposed to be done instead?
Unfortunately, the libgsasl examples all seem to be purely theoretical,
and cannot be applied to a POP3 or SMTP client as far as I can see. A
working example for a real protocol would be most helpful.
Martin
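One way to structure the loop Simon describes, as an added example that is not from this thread or from mpop: the POP3 AUTH exchange below is driven only by the server's replies and the mechanism's step status, so a mechanism whose last server message needs an empty answer (SCRAM-SHA-1, DIGEST-MD5) takes no special case. It is written in Python with a `step(challenge) -> (done, response)` callback standing in for gsasl_step64; `make_step` and `scripted_exchange` are constructed stand-ins for the mechanism and the server, not a real SCRAM implementation.

```python
import base64

class SaslError(Exception):
    pass

def sasl_auth(mech, step, send_line, recv_line):
    """POP3 AUTH driven by the server's replies and the mechanism's step status.
    step(challenge) -> (done, response) mirrors gsasl_step: done is True for
    GSASL_OK, False for GSASL_NEEDS_MORE.  Every "+ <base64>" challenge gets an
    answer, even an empty one (SCRAM's server-final message, DIGEST-MD5's
    rspauth), so no mechanism needs a special case.  Returns the number of
    challenges answered."""
    send_line("AUTH " + mech)
    done, answered = False, 0
    while True:
        line = recv_line().rstrip("\r\n")
        if line == "+OK" or line.startswith("+OK "):
            if not done:  # server finished early: mutual auth was never verified
                raise SaslError("server accepted before the mechanism completed")
            return answered
        if line.startswith("-ERR"):
            raise SaslError("server rejected authentication: " + line)
        if line != "+" and not line.startswith("+ "):
            raise SaslError("unexpected server line: " + line)
        if done:
            raise SaslError("challenge received after the mechanism completed")
        challenge = base64.b64decode(line[1:].strip())
        done, response = step(challenge)
        send_line(base64.b64encode(response).decode("ascii"))
        answered += 1

def make_step(responses):
    """Constructed stand-in for a libgsasl session (not a real mechanism):
    hands out `responses` in order and reports done on the last one."""
    pending = list(responses)

    def step(challenge):
        response = pending.pop(0)
        return not pending, response
    return step

def scripted_exchange(mech, step, server_lines):
    """Run sasl_auth against a constructed server transcript and return the
    lines the client sent, so an exchange can be checked offline."""
    sent, remaining = [], list(server_lines)
    sasl_auth(mech, step, sent.append, lambda: remaining.pop(0))
    return sent
```

The SCRAM-shaped transcript ends with the client sending an empty line in reply to the server-final message, exactly the case the patch above special-cases by mechanism name.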