
Re: [mpop-users] POP3 Authorization using SCRAM-SHA-1 fails



Hi Simon!

On 11/01/11 22:36, Simon Josefsson wrote:
>> From your analysis, it seems that SCRAM-SHA-1 needs the same exception
>> rule that DIGEST-MD5 needs, so the attached patch might fix the problem.
>> Would you please test it?
> ...
>> -    /* For DIGEST-MD5, we need to send an empty answer to the last 334
>> -     * response before we get 235. */
>> -    if (strcmp(auth_mech, "DIGEST-MD5") == 0)
>> +    /* For DIGEST-MD5 and SCRAM-SHA-1, we need to send an empty answer to the
>> +     * last response before we get an OK. */
>> +    if (strcmp(auth_mech, "DIGEST-MD5") == 0
>> +            || strcmp(auth_mech, "SCRAM-SHA-1") == 0)
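Review bot: the strcmp() special case in this condition ties the protocol flow to mechanism names, so every mechanism whose final server message expects an empty client response needs another entry here (the loop later in this message already lists GSSAPI as a third one). The return value of the SASL step (GSASL_NEEDS_MORE versus GSASL_OK) already tells the caller whether the exchange is finished, so the test could become "answer every challenge that was received, even with an empty line" instead of "out is non-empty or the mechanism is X". Minor: the rewritten comment says "an OK" where the old one said 235; if this path serves both POP3 and SMTP, spelling out "+OK / 235" would make that explicit.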
> 
> This looks a bit strange -- it shouldn't special-case SASL mechanisms,
> but just use the normal SASL state machine.  You can use the return
> value from gsasl_step function to guide you when to quit the loop,
> although you need to observe that each challenge has a response.

I have no idea how to get this working for all mechanisms without
special handling of some. The loop currently is this:

do {
    e = gsasl_step64(ctx, in, &out);
    if (e != GSASL_OK && e != GSASL_NEEDS_MORE) {
        /* fail */
    }
    if (!in) {
        /* send AUTH <MECHANISM> */
        /* get answer */
        /* if answer not ok, fail */
        /* else put it into 'in' */
    }
    if (out[0] != '\0'
        || strcmp(auth_mech, "DIGEST-MD5") == 0
        || strcmp(auth_mech, "SCRAM-SHA-1") == 0
        || strcmp(auth_mech, "GSSAPI") == 0) {
        /* send 'out' */
        /* get answer */
        /* if answer not ok, fail */
        /* else put it into 'in' */
    }
} while (e == GSASL_NEEDS_MORE);

How is it supposed to be done instead?

Unfortunately, the libgsasl examples all seem to be purely theoretical,
and cannot be applied to a POP3 or SMTP client as far as I can see. A
working example for a real protocol would be most helpful.

Martin
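One way to drive the loop purely from the step return value, as the reply above suggests, sketched here as an added example that is neither mpop's nor libgsasl's code: gsasl_step64() and the POP3 server are replaced by a constructed SCRAM-like stand-in and a constructed transcript, and socket I/O is simulated by a counter. The point it shows is that every "+ " challenge gets exactly one response, even an empty one, so no mechanism needs a special case, and that an early "+OK" from the server is not treated as success.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors libgsasl's GSASL_OK / GSASL_NEEDS_MORE; mock_step() is a constructed
 * stand-in for gsasl_step64(), not libgsasl. */
enum { STEP_OK = 0, STEP_NEEDS_MORE = 1, STEP_ERR = -1 };

/* Constructed SCRAM-like client: client-first, client-final, then an empty
 * reply once the server-final message has been checked. Only the mechanism
 * knows when it is done; the caller must not hard-code that by name. */
static int mock_step(int *round, const char *in, char *out, size_t cap)
{
    const char *reply = "";
    int rc = STEP_NEEDS_MORE;
    switch ((*round)++) {
    case 0: reply = "n,,n=user,r=cnonce"; break;              /* client-first */
    case 1: if (strncmp(in, "r=", 2)) return STEP_ERR;        /* server-first */
            reply = "c=biws,r=cnonce-snonce,p=proof"; break;  /* client-final */
    case 2: if (strncmp(in, "v=", 2)) return STEP_ERR;        /* server-final */
            rc = STEP_OK; break;                              /* done, nothing to send */
    default: return STEP_ERR;
    }
    if (strlen(reply) >= cap) return STEP_ERR;
    strcpy(out, reply);
    return rc;
}

/* Generic POP3 AUTH loop over a constructed server transcript (socket reads
 * in real code); 'sent' counts client lines. Every "+ " challenge gets exactly
 * one response, even "", and success needs both the server's +OK and the
 * mechanism's own OK. Returns 1 on success, 0 otherwise. */
static int pop3_auth(const char **server, int n, int *sent)
{
    char out[128];
    int round = 0, rc = STEP_NEEDS_MORE, i;
    *sent = 1;                                      /* "AUTH SCRAM-SHA-1" */
    for (i = 0; i < n; i++) {
        if (strncmp(server[i], "+OK", 3) == 0)
            return rc == STEP_OK;                   /* early +OK is not success */
        if (strncmp(server[i], "+ ", 2) != 0 || rc != STEP_NEEDS_MORE)
            return 0;                               /* -ERR, or challenge after OK */
        rc = mock_step(&round, server[i] + 2, out, sizeof out);
        if (rc == STEP_ERR) return 0;
        (*sent)++;                                  /* send 'out' even when empty */
    }
    return 0;                                       /* server stopped mid-exchange */
}
```

With a real mechanism the same loop works for PLAIN, DIGEST-MD5 and SCRAM-SHA-1 alike, because the decision to stop comes from the step result and the server's final reply, not from the mechanism name.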