#3862: Error in POP3 authentication via SASL mechanism DIGEST-MD5
-----------------------+----------------------
  Reporter:  g1pimutt  |      Owner:  mutt-dev
      Type:  defect    |     Status:  new
  Priority:  major     |  Milestone:
 Component:  POP       |    Version:
Resolution:            |   Keywords:
-----------------------+----------------------

Comment (by kevin8t8):

 >> I think the only thing that makes me nervous is that it
 >> (theoretically) could exit prematurely now.

 > You probably meant "loop forever"

 Sorry, my language was unclear.  I was talking about the behavior of your
 first patch.

 I was thinking there might be a case where rc == SASL_CONTINUE yet
 inbuf started with "+OK" or "-ERR".  This would make your first patch
 terminate before the sasl code said the interaction was done.  I don't
 think this actually would happen, so that's what I meant by
 "theoretically".

 > I believe you were right in rejecting my first patch: we shouldn't
 > look at the POP3 protocol in the middle of the SASL exchange, even if
 > we know the authentication phase is over and was successful. That's
 > why I would not add || !mutt_strncmp(...) to the test.

 My concern with your second patch is the interaction
 {{{
         C: AUTH PLAIN
             (note that there is a space following the '+' on the
             following line)
         S: +
         C: dGVzdAB0ZXN0AHRlc3Q=
         S: +OK Maildrop locked and ready
 }}}

 In this case, the sasl_client_step would return SASL_OK on the 4th step,
 but your second patch would send another blank line to the server and
 read its response.  My proposed patch would accept the SASL_OK without
 further interaction because inbuf started with "+OK".

 I need to read more about the POP protocol, but am short on time today
 (I need to work on the 1.7.1 release).  Do you know what the server
 would return if the client sends one more "\r\n" after the 4th step?

 If it is guaranteed to repeat the "+OK" then I guess your patch is okay
 but my patch saves a last round trip.  I'd appreciate your thoughts and
 testing for this.

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3862#comment:11>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
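
The termination decision discussed in the comment above, written out as a standalone sketch. This is an added example, not Mutt's code and not either patch from the ticket. The enum names, `next_action`, `run_exchange` and both transcripts are hypothetical or constructed, and rejecting "+OK" while the mechanism still reports "continue" is a choice of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the SASL library's result codes. */
enum sasl_rc { RC_FAIL = -1, RC_OK = 0, RC_CONTINUE = 1 };
enum action { SEND_RESPONSE, AUTH_DONE, AUTH_FAILED };

/* rc: result of the most recent SASL step; inbuf: server line just read. */
enum action next_action(int rc, const char *inbuf)
{
    if ((rc != RC_OK && rc != RC_CONTINUE) || strncmp(inbuf, "-ERR", 4) == 0)
        return AUTH_FAILED;
    if (strncmp(inbuf, "+OK", 3) == 0)
        /* Success only if the mechanism has finished as well; "+OK" while
         * rc is still RC_CONTINUE is rejected (a choice of this sketch). */
        return rc == RC_OK ? AUTH_DONE : AUTH_FAILED;
    if (strncmp(inbuf, "+ ", 2) == 0)
        /* The server still expects a line, even when rc is already RC_OK
         * (the response may then be empty). */
        return SEND_RESPONSE;
    return AUTH_FAILED; /* not a valid reply inside an AUTH exchange */
}

struct turn { int rc; const char *inbuf; };

/* Constructed: the AUTH PLAIN exchange quoted in the comment above. */
static const struct turn plain_turns[] = {
    { RC_CONTINUE, "+ " }, { RC_OK, "+OK Maildrop locked and ready" } };
/* Constructed: "+OK" arrives before the mechanism reports completion. */
static const struct turn early_ok_turns[] = {
    { RC_CONTINUE, "+ " }, { RC_CONTINUE, "+OK Maildrop locked and ready" } };

/* Returns the number of response lines sent after AUTH, or -1 on failure. */
int run_exchange(const struct turn *t, size_t n)
{
    int sent = 0;
    for (size_t i = 0; i < n; i++) {
        enum action a = next_action(t[i].rc, t[i].inbuf);
        if (a == AUTH_DONE) return sent;
        if (a == AUTH_FAILED) return -1;
        sent++; /* one client line goes out for every "+ " continuation */
    }
    return -1; /* transcript ended without "+OK" */
}

int main(void)
{
    printf("plain: %d, early +OK: %d\n",
           run_exchange(plain_turns, 2), run_exchange(early_ok_turns, 2));
    return 0;
}
```

For the quoted AUTH PLAIN exchange the client sends a single response line and stops at "+OK", with no extra blank line.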
