Steffen Lehmann | 11 Jan 2011 14:39

POP3 Authorization using SCRAM-SHA-1 fails

POP3 Authorization using SCRAM-SHA-1 fails, because mpop violates the rules 
according to SASL RFC 4422, Section 3:
"Where the mechanism specifies that the server is to return additional
data to the client with a successful outcome and this field is
unavailable or unused, the additional data is sent as a challenge
whose response is empty. After receiving this response, the server
then indicates the successful outcome."

RFC 5034, Section 4:
"Note that POP3 does not allow for additional data to be sent
with a message indicating a successful outcome (see Section 3.6 of RFC 4422)."

Hence, the following message sequence according to SASL RFC 4422, Section 3 
applies:

C: Request authentication exchange
S: Initial challenge
C: Initial response
<additional challenge/response messages>
S: Additional data challenge
C: Empty Response
S: Outcome of authentication exchange

But mpop behaves as follows:

C: AUTH SCRAM-SHA-1  (POP3: command request)
S: +                 (SASL: Initial challenge)
C: biwsb...          (SASL: Initial response; RFC 5802 client-first-message) 
S: + cj01b2t...      (SASL: additional challenge; RFC 5802 server-first-message)

Martin Lambers | 11 Jan 2011 22:32

Re: POP3 Authorization using SCRAM-SHA-1 fails

Hi Steffen!

On 11/01/11 14:39, Steffen Lehmann wrote:
> POP3 Authorization using SCRAM-SHA-1 fails, because mpop violates the rules 
> according to SASL RFC 4422, Section 3:
> "Where the mechanism specifies that the server is to return additional
> data to the client with a successful outcome and this field is
> unavailable or unused, the additional data is sent as a challenge
> whose response is empty. After receiving this response, the server
> then indicates the successful outcome."
> 
> RFC 5034, Section 4:
> "Note that POP3 does not allow for additional data to be sent
> with a message indicating a successful outcome (see Section 3.6 of RFC 4422)."
> 
> Hence, the following message sequence according to SASL RFC 4422, Section 3 
> applies:
> 
> C: Request authentication exchange
> S: Initial challenge
> C: Initial response
> <additional challenge/response messages>
> S: Additional data challenge
> C: Empty Response
> S: Outcome of authentication exchange
> 
> But mpop behaves as follows:
> 
> C: AUTH SCRAM-SHA-1  (POP3: command request)
> S: +                 (SASL: Initial challenge)

Simon Josefsson | 11 Jan 2011 22:36

Re: POP3 Authorization using SCRAM-SHA-1 fails

Martin Lambers <marlam <at> marlam.de> writes:

> From your analysis, it seems that SCRAM-SHA-1 needs the same exception
> rule that DIGEST-MD5 needs, so the attached patch might fix the problem.
> Would you please test it?
...
> -    /* For DIGEST-MD5, we need to send an empty answer to the last 334
> -     * response before we get 235. */
> -    if (strcmp(auth_mech, "DIGEST-MD5") == 0)
> +    /* For DIGEST-MD5 and SCRAM-SHA-1, we need to send an empty answer to the
> +     * last response before we get an OK. */
> +    if (strcmp(auth_mech, "DIGEST-MD5") == 0
> +            || strcmp(auth_mech, "SCRAM-SHA-1") == 0)
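Review bot: the new condition keys the extra empty response on exact mechanism names, so it now covers DIGEST-MD5 and SCRAM-SHA-1 but not any other mechanism that ends with server data, which is the general case RFC 4422 Section 3 (quoted at the top of the thread) describes; every further mechanism of that kind will need another strcmp() added here. Consider dropping the name test and ending the loop on the library's state instead: when gsasl_step64 returns OK for a challenge that was just received, send the resulting (possibly empty) response before reading the server's final status line, so each "+" challenge gets exactly one answer regardless of mechanism. The rewritten comment should also say why the empty answer is needed (RFC 5034 Section 4: POP3 cannot attach data to +OK) rather than only that it is.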

This looks a bit strange -- it shouldn't special-case SASL mechanisms,
but just use the normal SASL state machine.  You can use the return
value from gsasl_step function to guide you when to quit the loop,
although you need to observe that each challenge has a response.

This is just an initial reaction, I haven't studied the code in more
detail.

/Simon

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

Steffen Lehmann | 12 Jan 2011 10:08

Re: POP3 Authorization using SCRAM-SHA-1 fails

Martin Lambers <marlam <at> marlam.de> writes:

> Would you please test it?

Hi Martin,

I will test it as soon as a new version is ready for download.

Steffen

Martin Lambers | 12 Jan 2011 17:42

Re: POP3 Authorization using SCRAM-SHA-1 fails

On 12/01/11 10:08, Steffen Lehmann wrote:
>> Would you please test it?
> 
> I will test it as soon as a new version is ready for download.

OK, I made an intermediate release available at
<http://www.marlam.de/mpop-1.0.22a.tar.bz2>.

Martin

Steffen Lehmann | 14 Jan 2011 10:09

Re: POP3 Authorization using SCRAM-SHA-1 fails

Martin Lambers <marlam <at> marlam.de> writes:

> 
> On 12/01/11 10:08, Steffen Lehmann wrote:
> >> Would you please test it?
> > 
> > I will test it as soon as a new version is ready for download.
> 
> OK, I made an intermediate release available at
> <http://www.marlam.de/mpop-1.0.22a.tar.bz2>.
> 
> Martin
> 

Congratulations, mpop's SCRAM-SHA-1 authentication works fine now.

Steffen

Martin Lambers | 15 Jan 2011 13:18

Re: POP3 Authorization using SCRAM-SHA-1 fails

Hi Simon!

On 11/01/11 22:36, Simon Josefsson wrote:
>> From your analysis, it seems that SCRAM-SHA-1 needs the same exception
>> rule that DIGEST-MD5 needs, so the attached patch might fix the problem.
>> Would you please test it?
> ...
>> -    /* For DIGEST-MD5, we need to send an empty answer to the last 334
>> -     * response before we get 235. */
>> -    if (strcmp(auth_mech, "DIGEST-MD5") == 0)
>> +    /* For DIGEST-MD5 and SCRAM-SHA-1, we need to send an empty answer to the
>> +     * last response before we get an OK. */
>> +    if (strcmp(auth_mech, "DIGEST-MD5") == 0
>> +            || strcmp(auth_mech, "SCRAM-SHA-1") == 0)
> 
> This looks a bit strange -- it shouldn't special-case SASL mechanisms,
> but just use the normal SASL state machine.  You can use the return
> value from gsasl_step function to guide you when to quit the loop,
> although you need to observe that each challenge has a response.

I have no idea how to get this working for all mechanisms without
special handling of some. The loop currently is this:

do {
    e = gsasl_step64(ctx, in, &out);
    if (e != OK && e != NEEDS_MORE) {
        /* fail */;
    }
    if (!in) {
        /* send AUTH <MECHANISM> */
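
The message sequence Steffen lays out in the first post and the loop Martin asks about above are both easier to see in running code. The following is an added example written for this page; it is not mpop's or GNU SASL's code. It implements both sides of SCRAM-SHA-1 per RFC 5802 with the Python standard library, frames the exchange as POP3 AUTH per RFC 5034, and imitates the gsasl_step64() contract (NEEDS_MORE/OK plus base64 output) in a step() method so that the POP3 loops can be driven by the mechanism's return status rather than by its name. The user name "user", password "pencil", nonces and salt are the RFC 5802 Section 5 example values; the skip_proof_check flag is an assumed knob that models a rogue server which accepts any proof, and Pop3Server is a constructed in-process stand-in for a real server. Usernames are taken unescaped and without SASLprep.

```python
"""SCRAM-SHA-1 (RFC 5802) over POP3 AUTH (RFC 5034), both loops driven by mechanism
state.  Added example, not mpop or GNU SASL code: step() imitates the gsasl_step64()
contract ("NEEDS_MORE"/"OK" plus base64 output).  Nonces and salt are the fixed RFC 5802
Section 5 values, so the run is reproducible; real code draws them from os.urandom."""
import base64, hashlib, hmac

def b64(b): return base64.b64encode(b).decode()
def unb64(s): return base64.b64decode(s)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def attrs(msg): return dict(item.split("=", 1) for item in msg.split(","))
def H(key, data): return hmac.new(key, data, hashlib.sha1).digest()   # HMAC-SHA-1

class ScramClient:
    def __init__(self, user, password, cnonce="fyko+d2lbbFgONRv9qkxdawL"):
        self.user, self.password, self.cnonce, self.state = user, password, cnonce, 0
    def step(self, b64_in):
        if self.state == 0:                                   # -> client-first-message
            self.bare, self.state = f"n={self.user},r={self.cnonce}", 1
            return "NEEDS_MORE", b64(("n,," + self.bare).encode())
        if self.state == 1:                                   # server-first -> client-final
            sfm = unb64(b64_in).decode(); a = attrs(sfm)
            if not a["r"].startswith(self.cnonce): raise ValueError("server nonce does not extend ours")
            salted = hashlib.pbkdf2_hmac("sha1", self.password.encode(), unb64(a["s"]), int(a["i"]))
            client_key = H(salted, b"Client Key")
            wo_proof = f"c=biws,r={a['r']}"                  # biws = base64("n,,"): no channel binding
            auth_msg = f"{self.bare},{sfm},{wo_proof}".encode()
            proof = xor(client_key, H(hashlib.sha1(client_key).digest(), auth_msg))
            self.expect_v = H(H(salted, b"Server Key"), auth_msg)  # what a genuine server must return
            self.state = 2
            return "NEEDS_MORE", b64(f"{wo_proof},p={b64(proof)}".encode())
        if self.state == 2:                                   # server-final: verify, nothing left to send
            final = unb64(b64_in).decode()
            if not final.startswith("v=") or not hmac.compare_digest(unb64(final[2:]), self.expect_v):
                raise ValueError("server signature check failed")
            self.state = 3
            return "OK", ""

class ScramServer:
    """Holds only the verifier (salt, iterations, StoredKey, ServerKey), never the password."""
    def __init__(self, user, password, snonce="3rfcNHYJY1ZVvWVs7j", skip_proof_check=False):
        self.salt, self.iters = unb64("QSXCR+Q6sek8bf92"), 4096
        salted = hashlib.pbkdf2_hmac("sha1", password.encode(), self.salt, self.iters)
        self.stored_key = hashlib.sha1(H(salted, b"Client Key")).digest()
        self.server_key = H(salted, b"Server Key")
        self.user, self.snonce, self.state = user, snonce, 0
        self.skip_proof_check = skip_proof_check             # models a rogue server accepting any proof
    def step(self, b64_in):
        if self.state == 0:                                   # client-first -> server-first
            cfm = unb64(b64_in).decode()
            if not cfm.startswith("n,,"): raise ValueError("unsupported gs2 header")
            self.bare = cfm[3:]; a = attrs(self.bare)
            if a["n"] != self.user: raise ValueError("unknown user")
            self.nonce = a["r"] + self.snonce                 # server appends its own nonce
            self.sfm, self.state = f"r={self.nonce},s={b64(self.salt)},i={self.iters}", 1
            return "NEEDS_MORE", b64(self.sfm.encode())
        if self.state == 1:                                   # client-final -> server-final
            wo_proof, _, p = unb64(b64_in).decode().rpartition(",p=")
            if attrs(wo_proof)["r"] != self.nonce: raise ValueError("nonce mismatch")
            auth_msg = f"{self.bare},{self.sfm},{wo_proof}".encode()
            client_key = xor(unb64(p), H(self.stored_key, auth_msg))
            if not self.skip_proof_check and not hmac.compare_digest(
                    hashlib.sha1(client_key).digest(), self.stored_key):
                raise ValueError("bad client proof")
            self.state = 2                                    # finished, but with data +OK cannot carry
            return "OK", b64(f"v={b64(H(self.server_key, auth_msg))}".encode())
        if self.state == 2:                                   # the empty response that ends the exchange
            if b64_in: raise ValueError("unexpected data after server-final")
            self.state = 3
            return "OK", ""
        raise RuntimeError("step() after completion")

class Pop3Server:   # POP3 side of the server: maps mechanism output onto the RFC 5034 framing
    def __init__(self, mech): self.mech, self.started = mech, False
    def handle(self, line):
        if not self.started:
            self.started = line == "AUTH SCRAM-SHA-1"
            return "+ " if self.started else "-ERR unsupported mechanism"
        if line == "*": return "-ERR authentication cancelled"
        try: status, out = self.mech.step(line)
        except ValueError as e: return f"-ERR {e}"
        if status == "OK" and not out: return "+OK Authenticated"
        return "+ " + out     # NEEDS_MORE, or OK with data +OK cannot carry: one more challenge

def pop3_client_auth(mech, server_handle):
    """Client loop of the kind mpop needs: every '+ ' challenge gets exactly one response."""
    transcript, line, done = ["C: AUTH SCRAM-SHA-1"], server_handle("AUTH SCRAM-SHA-1"), False
    while True:
        transcript.append("S: " + line)
        if line.startswith("+OK"): return True, transcript
        if line.startswith("-ERR"): return False, transcript
        resp = "*"                                            # RFC 5034: '*' cancels the exchange
        if line.startswith("+") and not done:                 # a challenge after OK is a protocol error
            try:
                status, resp = mech.step(line[1:].strip())    # resp may be "" once status is OK
                done = status == "OK"
            except ValueError: pass                           # e.g. server signature rejected -> '*'
        transcript.append("C: " + resp)
        line = server_handle(resp)

def run(client_password="pencil", server_password="pencil", skip_proof_check=False):
    server = Pop3Server(ScramServer("user", server_password, skip_proof_check=skip_proof_check))
    return pop3_client_auth(ScramClient("user", client_password), server.handle)
```

run() returns (ok, transcript). In the successful transcript the server's third "+ " line carries the v= server signature, the client answers it with an empty line, and only then does the server send +OK; a client that stops as soon as its library reports OK, as the thread describes for mpop, leaves that last challenge unanswered. The server side has the mirror rule: a mechanism result of OK with non-empty output goes out as one more "+ " challenge and is never glued onto +OK. run(client_password="wrong") ends in -ERR from the server's proof check, and run(server_password="guess", skip_proof_check=True) shows the client rejecting a server that does not know the password and cancelling with "*".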

Martin Lambers | 17 Jan 2011 21:47

mpop 1.0.23 is released.

Hi all,

mpop 1.0.23 is released.

This release fixes SCRAM-SHA-1 authentication via GNU SASL.

Martin

