carddav with DIGEST-MD5

Johan Hattne johan at hattne.se
Wed Jul 23 18:59:48 EDT 2014 

Thanks Ken, I’ll keep that in mind.  In this particular case (and with your earlier patch applied) it appears that http_auth() in cyrus-imap’s httpd.c returns SASL_CONTINUE.  The comment around line 3272 says “Need another step to complete authentication”, but the caller (response_header(), line ~2270) appears not to invoke that other step.

I tested this by calling http_auth() again if it returns SASL_CONTINUE, and that authenticated me.

// Johan


On Jul 23, 2014, at 13:30, Ken Murchison <murch at andrew.cmu.edu> wrote:

> I had issues with the Apple clients and Digest.  Unless you really need Digest, I'd recommend using TLS + Basic.
> 
> 
> 
> On 07/23/2014 01:27 PM, Johan Hattne wrote:
>> Hi Ken;
>> 
>> That fixes the crash but results in a “401 Unauthorized”.  I’ll look into that a bit more at the next opportunity.
>> 
>> This is using Contacts (8.0 1371) on an up-to-date OS X 10.9.4.  It also works on the iPhone (iOS 7.1.2).
>> 
>> // Johan
>> 
>> 
>> On Jul 23, 2014, at 10:55, Ken Murchison <murch at andrew.cmu.edu> wrote:
>> 
>>> Hi Johan,
>>> 
>>> I believe this issue is fixed by the following commit: http://git.cyrusimap.org/cyrus-sasl/commit/?id=76ce885a44e7cb511ba54ceae46349036abb9cc8
>>> 
>>> BTW, which CardDAV client is using Digest?
>>> 
>>> 
>>> On 07/22/2014 01:48 PM, Johan Hattne wrote:
>>>> While PLAIN authentication works fine, I had the https daemon crash during DIGEST-MD5 authentication.  The crash turned out to be a divide error in libdigestmd5 from cyrus-sasl.  In particular (in cyrus-sasl’s plugins/digestmd5.c):
>>>> 
>>>>   /* Create an initial cache entry for non-persistent HTTP connections */
>>>>   unsigned val = hash((char *) nonce) % text->reauth->size;
>>>> 
>>>> would fail due to text->reauth->size being zero.  If I’m reading this correctly, this appears to be the effect of initializing the plugin (as done in digestmd5_server_plug_init(), defined in same file as the snippet above) with an undefined reauth_timeout.  And indeed, adding "sasl_reauth_timeout: 10” to /etc/imapd.conf makes the crash go away.
>>>> 
>>>> I didn’t expect a configuration without reauth_timeout to crash imapd, but I haven’t done enough research to be sure, nor to tell where the problem lies should this be a real issue.  Any further insight is greatly appreciated!
>>>> 
>>>> // Cheers; Johan
>>>> 
>>>> ----
>>>> Cyrus Home Page: http://www.cyrusimap.org/
>>>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>>>> To Unsubscribe:
>>>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>>> 
>>> -- 
>>> Kenneth Murchison
>>> Principal Systems Software Engineer
>>> Carnegie Mellon University
>>> 
> 
> 
> -- 
> Kenneth Murchison
> Principal Systems Software Engineer
> Carnegie Mellon University
>

More information about the Info-cyrus mailing list