Fix interoperability issue of DIGEST-MD5 with "auth-int" and "auth-conf" qops #43

Open
wants to merge 11 commits into base: master

Conversation

hrs-allbsd

This patch adds a workaround for a problem which can prevent Net::SMTP->auth() method from working with a server offering DIGEST-MD5 mechanism with qops of "auth-int" or "auth-conf".

This is because Net::SMTP does not support encoding/decoding traffic over a socket while Authen::SASL supports it and accepts mechanisms with not only authentication but also encryption. When the server offers DIGEST-MD5 with "auth-int" or "auth-conf", the authentication itself succeeds with code 235, but the next command from the client will fail because Net::SMTP tries to send it in cleartext.

This patch disables "auth-int" and "auth-conf" by forcibly setting the maximum SSF on the client side to zero. By doing this, the client accepts only the "auth" qop in the negotiation even if the server offers "auth-int" or "auth-conf" additionally.

This issue has been reported in other places such as gbarr/perl-authen-sasl#7.
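As an added example (not code from this PR or from libnet), the following Perl script exercises Authen::SASL's pure-Perl DIGEST-MD5 client against a constructed server challenge so the effect of the SSF cap on qop selection can be observed. It assumes Authen::SASL::Perl's `property(maxssf => ...)` knob is honoured by the DIGEST-MD5 backend when it picks a qop; the hostname, credentials, nonce and challenge are constructed.

```perl
#!/usr/bin/perl
# Added example: observe which DIGEST-MD5 qop the client agrees to, with and
# without the maximum SSF capped at zero (the workaround described above).
use strict;
use warnings;
use Authen::SASL qw(Perl);   # pure-Perl backend; assumed to honour 'maxssf'

# Constructed challenge in RFC 2831 form, offering all three qops. A real
# server sends this base64-encoded in its 334 reply to "AUTH DIGEST-MD5".
my $challenge = 'realm="example.test",nonce="constructed-nonce",'
              . 'qop="auth,auth-int,auth-conf",charset=utf-8,algorithm=md5-sess';

# Run one client-side negotiation and return the qop the client selected.
# An undefined $maxssf leaves the backend default, which permits layers.
sub negotiated_qop {
    my ($maxssf) = @_;

    my $sasl = Authen::SASL->new(
        mechanism => 'DIGEST-MD5',
        callback  => { user => 'alice', pass => 'constructed-password' },
    );
    my $client = $sasl->client_new('smtp', 'mail.example.test');

    # The workaround: an SSF ceiling of 0 rules out auth-int and auth-conf,
    # so only the plain "auth" qop can be agreed with the server.
    $client->property(maxssf => $maxssf) if defined $maxssf;

    $client->client_start;    # DIGEST-MD5 sends no initial client response
    my $response = $client->client_step($challenge);
    die 'negotiation failed: ' . $client->error unless defined $response;

    # The digest-response carries the chosen qop, quoted or as a bare token.
    my ($qop) = $response =~ /\bqop="?([\w-]+)/;
    return $qop;
}

printf "default maxssf -> qop=%s\n", negotiated_qop(undef);
printf "maxssf=0       -> qop=%s\n", negotiated_qop(0);
```

Net::SMTP->auth() builds the SASL client object itself, so an application cannot apply this cap from outside; that is why the PR places it inside the library.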

Net::SMTP->auth() method from working with a server
offering DIGEST-MD5 mechanism with qops of "auth-int"
or "auth-conf".

This is because Net::SMTP does not support encoding/decoding
traffic over a socket while Authen::SASL supports it and accepts
mechanisms with not only authentication but also encryption.
When the server offers DIGEST-MD5 with "auth-int" or "auth-conf",
the authentication itself succeeds with code 235 but the next
command from the client will fail because Net::SMTP tries to
send it in cleartext.

This breaks DIGEST-MD5 support in Net::SMTP.  To fix this,
this patch disables "auth-int" and "auth-conf" by forcibly
setting the maximum SSF on the client side to zero.  By doing this,
the client accepts only the "auth" qop in the negotiation even
if the server offers "auth-int" or "auth-conf" in addition to it.

Note that this patch is sub-optimal.  To fix this properly,
Net::SMTP should support READ and WRITE methods provided
by Authen::SASL though it requires major rewrite.
trofi and others added 9 commits October 16, 2023 13:53
When I was building libnet-3.12 against perl-5.34 I noticed
non-deterministic output for final package:

  -perl5.34.0-libnet-3.12/lib/perl5/site_perl/5.34.0/Net/libnet.cfg
  +perl5.34.0-libnet-3.12.check/lib/perl5/site_perl/5.34.0/Net/libnet.cfg
  Ordering differences only
  {

    'ph_hosts' => [],
    'daytime_hosts' => [],

    'ph_hosts' => [],
    ...

It's caused by a raw dump of perl's map.

Let's stabilize its output with sorting on map keys.
Spotted by Mike Blackwell <mike.blackwell@rrd.com>.
Some mechanisms in Authen::SASL offer additional security layers and
encode()/decode() methods for them.  The I/O routines in Net::Cmd now use
them if they are available.  Currently only Net::SMTP defines
protocol-specific methods.

In addition to that, EHLO is now issued just after a successful
authentication with an additional security layer, as described in
Section 4 of RFC 4954.