On Friday, October 3, 2014 2:45:45 PM CEST, NSS Ltd wrote:
Great! Some elements do need quotes but some others don't - I found
that out when I changed the code initially to remove all quoting and
got these helpful hints from aox:

I think the guiding principle here is that things are either quoted or base64-encoded, but not both.

What would you suggest? I can just make the change since I've already
made a few!

My opinion: "XOAUTH2", "SCRAM-SHA-1", "NTLM", "CRAM-MD5", "DIGEST-MD5", "PLAIN", "LOGIN".

XOAUTH2 (Google's early deployment of OAUTH-BEARER) is best, because it protects well against a common attack that none of the others do. With XOAUTH2 the client doesn't need to remember the user's password; instead it has a couple of tokens. A snooping attacker can hear only a short-lived token, and an attacker with client disk access can read a per-client longer-lived token. Not the password.

SCRAM is good too, it's the best conventional mechanism. NTLM is arguable, it can be both good and bad, so I didn't move it. CRAM-MD5 is at least interoperable. DIGEST-MD5 is weak on interop and hardly better than CRAM on security, so I moved it near the end. PLAIN and LOGIN both make the client store the password and transmit it only lightly obfuscated, so they're terrible.

My arguments are good, but others may weigh these arguments differently and arrive at a different order.

The .NET client is using LOGIN I think but I've not had time to try to
debug that; I suspect it may also be mis-matching the protocol since
everything I found said I was doing it right in theory and the MailKit
experience essentially confirms that.  I'll fire up my aox development
environment again and add some additional debug info to see if I can
track that.

LOGIN may be slightly shady on interop. Some people implemented a draft and the draft changed afterwards, if my memory serves me.

Here's the diff I ended up with:

diff --git a/sasl/digest-md5.cpp b/sasl/digest-md5.cpp
index 19fdfe4..8265b6e 100644
--- a/sasl/digest-md5.cpp
+++ b/sasl/digest-md5.cpp
@@ -162,7 +162,7 @@ void DigestMD5::parseResponse( const EString &r )
        s = "nc not unique in DIGEST-MD5 response";
        setState( Failed );
    }
-    else if ( nc->value().length() != 8 ) {
+    else if ( nc->value().length() < 8 ) {
        s = "nc <<" + nc->value() + ">> has length " +
fn( nc->value().length() ) + " (not 8) in DIGEST-MD5 response";
        setState( Failed );
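Review bot: changing `!= 8` to `< 8` on the nc length check makes the condition accept any value of 8 or more characters, so an over-long or still-quoted nc (the quoting problem discussed earlier in this thread) now passes this check and the quotes would have to be stripped before the value is used; the message on the following line, `" (not 8) in DIGEST-MD5 response"`, also no longer describes the condition it reports. If tolerating quoted values is the goal, strip the surrounding quotes before measuring the length and keep the exact `!= 8` comparison; otherwise reword the message to say "shorter than 8".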
@@ -175,7 +175,7 @@ void DigestMD5::parseResponse( const EString &r )
        s = "resp not unique in DIGEST-MD5 response";
        setState( Failed );
    }
-    else if ( resp->value().length() != 32 ) {
+    else if ( resp->value().length() < 32 ) {
        s = "resp <<" + resp->value() + ">> has length " +
fn( resp->value().length() ) + " (not 32) in DIGEST-MD5 response";
        setState( Failed );
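Review bot: same issue as the nc hunk: `< 32` lets any resp value of 32 or more characters through, including a quoted one, while the message `" (not 32) in DIGEST-MD5 response"` still claims an exact-length check. Prefer stripping quotes before the length comparison and keeping `!= 32`, or at least change the message to "shorter than 32" so the log matches the condition.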

Arnt
