Re: carddav with DIGEST-MD5
Thanks Ken, I’ll keep that in mind. In this particular case (and with your earlier patch applied) it appears that http_auth() in cyrus-imap’s httpd.c returns SASL_CONTINUE. The comment around line 3272 says “Need another step to complete authentication”, but the caller (response_header(), line ~2270) appears not to invoke that other step. I tested this by calling http_auth() again if it returns SASL_CONTINUE, and that authenticated me. // Johan On Jul 23, 2014, at 13:30, Ken Murchison wrote: > I had issues with the Apple clients and Digest. Unless you really need > Digest, I'd recommend using TLS + Basic. > > > > On 07/23/2014 01:27 PM, Johan Hattne wrote: >> Hi Ken; >> >> That fixes the crash but results in a “401 Unauthorized”. I’ll look into >> that a bit more at the next opportunity. >> >> This is using Contacts (8.0 1371) on an up-to-date OS X 10.9.4. It also >> works on the iPhone (iOS 7.1.2). >> >> // Johan >> >> >> On Jul 23, 2014, at 10:55, Ken Murchison wrote: >> >>> Hi Johan, >>> >>> I believe this issue is fixed by the following commit: >>> http://git.cyrusimap.org/cyrus-sasl/commit/?id=76ce885a44e7cb511ba54ceae46349036abb9cc8 >>> >>> BTW, which CardDAV client is using Digest? >>> >>> >>> On 07/22/2014 01:48 PM, Johan Hattne wrote: While PLAIN authentication works fine, I had the https daemon crash during DIGEST-MD5 authentication. The crash turned out to be a divide error in libdigestmd5 from cyrus-sasl. In particular (in cyrus-sasl’s plugins/digestmd5.c): /* Create an initial cache entry for non-persistent HTTP connections */ unsigned val = hash((char *) nonce) % text->reauth->size; would fail due to text->reauth->size being zero. If I’m reading this correctly, this appears to be the effect of initializing the plugin (as done in digestmd5_server_plug_init(), defined in same file as the snippet above) with an undefined reauth_timeout. And indeed, adding "sasl_reauth_timeout: 10” to /etc/imapd.conf makes the crash go away. I didn’t expect a configuration without reauth_timeout to crash imapd, but I haven’t done enough research to be sure, nor to tell where the problem lies should this be a real issue. Any further insight is greatly appreciated! // Cheers; Johan Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus >>> >>> -- >>> Kenneth Murchison >>> Principal Systems Software Engineer >>> Carnegie Mellon University >>> > > > -- > Kenneth Murchison > Principal Systems Software Engineer > Carnegie Mellon University > Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: carddav with DIGEST-MD5
I had issues with the Apple clients and Digest. Unless you really need Digest, I'd recommend using TLS + Basic. On 07/23/2014 01:27 PM, Johan Hattne wrote: > Hi Ken; > > That fixes the crash but results in a “401 Unauthorized”. I’ll look into > that a bit more at the next opportunity. > > This is using Contacts (8.0 1371) on an up-to-date OS X 10.9.4. It also > works on the iPhone (iOS 7.1.2). > > // Johan > > > On Jul 23, 2014, at 10:55, Ken Murchison wrote: > >> Hi Johan, >> >> I believe this issue is fixed by the following commit: >> http://git.cyrusimap.org/cyrus-sasl/commit/?id=76ce885a44e7cb511ba54ceae46349036abb9cc8 >> >> BTW, which CardDAV client is using Digest? >> >> >> On 07/22/2014 01:48 PM, Johan Hattne wrote: >>> While PLAIN authentication works fine, I had the https daemon crash during >>> DIGEST-MD5 authentication. The crash turned out to be a divide error in >>> libdigestmd5 from cyrus-sasl. In particular (in cyrus-sasl’s >>> plugins/digestmd5.c): >>> >>>/* Create an initial cache entry for non-persistent HTTP connections */ >>>unsigned val = hash((char *) nonce) % text->reauth->size; >>> >>> would fail due to text->reauth->size being zero. If I’m reading this >>> correctly, this appears to be the effect of initializing the plugin (as >>> done in digestmd5_server_plug_init(), defined in same file as the snippet >>> above) with an undefined reauth_timeout. And indeed, adding >>> "sasl_reauth_timeout: 10” to /etc/imapd.conf makes the crash go away. >>> >>> I didn’t expect a configuration without reauth_timeout to crash imapd, but >>> I haven’t done enough research to be sure, nor to tell where the problem >>> lies should this be a real issue. Any further insight is greatly >>> appreciated! >>> >>> // Cheers; Johan >>> >>> >>> Cyrus Home Page: http://www.cyrusimap.org/ >>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ >>> To Unsubscribe: >>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus >> >> -- >> Kenneth Murchison >> Principal Systems Software Engineer >> Carnegie Mellon University >> -- Kenneth Murchison Principal Systems Software Engineer Carnegie Mellon University Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: carddav with DIGEST-MD5
Hi Ken; That fixes the crash but results in a “401 Unauthorized”. I’ll look into that a bit more at the next opportunity. This is using Contacts (8.0 1371) on an up-to-date OS X 10.9.4. It also works on the iPhone (iOS 7.1.2). // Johan On Jul 23, 2014, at 10:55, Ken Murchison wrote: > Hi Johan, > > I believe this issue is fixed by the following commit: > http://git.cyrusimap.org/cyrus-sasl/commit/?id=76ce885a44e7cb511ba54ceae46349036abb9cc8 > > BTW, which CardDAV client is using Digest? > > > On 07/22/2014 01:48 PM, Johan Hattne wrote: >> While PLAIN authentication works fine, I had the https daemon crash during >> DIGEST-MD5 authentication. The crash turned out to be a divide error in >> libdigestmd5 from cyrus-sasl. In particular (in cyrus-sasl’s >> plugins/digestmd5.c): >> >> /* Create an initial cache entry for non-persistent HTTP connections */ >> unsigned val = hash((char *) nonce) % text->reauth->size; >> >> would fail due to text->reauth->size being zero. If I’m reading this >> correctly, this appears to be the effect of initializing the plugin (as done >> in digestmd5_server_plug_init(), defined in same file as the snippet above) >> with an undefined reauth_timeout. And indeed, adding "sasl_reauth_timeout: >> 10” to /etc/imapd.conf makes the crash go away. >> >> I didn’t expect a configuration without reauth_timeout to crash imapd, but I >> haven’t done enough research to be sure, nor to tell where the problem lies >> should this be a real issue. Any further insight is greatly appreciated! >> >> // Cheers; Johan >> >> >> Cyrus Home Page: http://www.cyrusimap.org/ >> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ >> To Unsubscribe: >> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus > > > -- > Kenneth Murchison > Principal Systems Software Engineer > Carnegie Mellon University > Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: carddav with DIGEST-MD5
Hi Johan, I believe this issue is fixed by the following commit: http://git.cyrusimap.org/cyrus-sasl/commit/?id=76ce885a44e7cb511ba54ceae46349036abb9cc8 BTW, which CardDAV client is using Digest? On 07/22/2014 01:48 PM, Johan Hattne wrote: > While PLAIN authentication works fine, I had the https daemon crash during > DIGEST-MD5 authentication. The crash turned out to be a divide error in > libdigestmd5 from cyrus-sasl. In particular (in cyrus-sasl’s > plugins/digestmd5.c): > >/* Create an initial cache entry for non-persistent HTTP connections */ >unsigned val = hash((char *) nonce) % text->reauth->size; > > would fail due to text->reauth->size being zero. If I’m reading this > correctly, this appears to be the effect of initializing the plugin (as done > in digestmd5_server_plug_init(), defined in same file as the snippet above) > with an undefined reauth_timeout. And indeed, adding "sasl_reauth_timeout: > 10” to /etc/imapd.conf makes the crash go away. > > I didn’t expect a configuration without reauth_timeout to crash imapd, but I > haven’t done enough research to be sure, nor to tell where the problem lies > should this be a real issue. Any further insight is greatly appreciated! > > // Cheers; Johan > > > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus -- Kenneth Murchison Principal Systems Software Engineer Carnegie Mellon University Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus