#3862: Error in POP3 authentication via SASL mechanism DIGEST-MD5
-----------------------+----------------------
Reporter: g1pimutt | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: POP | Version:
Resolution: | Keywords:
-----------------------+----------------------
Comment (by g1pimutt):
Step 4:
On entry to sasl_client_step(), buf="rspauth=''MD5 sent by server''"; the call
returns 0 (SASL_OK), and sets pc="" and olen=0.
To me, this means SASL authentication was successful: Client and Server have
verified each other, otherwise the return value would be negative.
Step 5:
... yet the client is supposed to send one more blank line to the server.
I'm not sure whether the SASL library or the application should drive this.
The manual for sasl_client_step() says:
"... in IMAP sasl_client_step should still be called one more time
with a serverinlen of zero." (presumably "after it returns SASL_OK")
I believe this applies to POP too: when sasl_client_step returns SASL_OK
and sets pc="" and olen=0, another call should be made; unfortunately
olen=0 triggers a break in the code a few lines later.
Does the following patch seem reasonable to you?
{{{
--- pop_auth.c 2016-10-07 14:11:54.183776683 +0200
+++ pop_auth.c.new 2016-10-07 12:49:19.026548655 +0200
@@ -117,7 +117,7 @@
client_start = 0;
}
- if (rc != SASL_CONTINUE && (olen == 0 || rc != SASL_OK))
+ if (rc != SASL_CONTINUE && rc != SASL_OK)
break;
/* send out response, or line break if none needed */
}}}
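Review bot: on the changed `if` line, dropping the `olen == 0` test means a SASL_OK result no longer leaves the loop here for any mechanism, not only DIGEST-MD5, so every exchange that ends with SASL_OK and an empty response now falls through to "send out response, or line break if none needed" and sends a blank line. The hunk does not show what terminates the loop after that send, or whether the server's final reply may already have been read at that point; please confirm the exit happens on the server's next reply rather than on another sasl_client_step() call made after SASL_OK, and check a mechanism that completes without the extra round trip. It would also help to extend the comment above the send to say that the empty line after SASL_OK is deliberate.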
--
Ticket URL: <https://dev.mutt.org/trac/ticket/3862#comment:4>
Mutt <http://www.mutt.org/>
The Mutt mail user agent