carddav with DIGEST-MD5

Johan Hattne johan at hattne.se
Thu Jul 24 10:57:56 EDT 2014


What format would you like that in (and how do I produce that)?

> On Jul 24, 2014, at 10:48, Ken Murchison <murch at andrew.cmu.edu> wrote:
> 
> I would probably have to see the protocol exchange in order to understand what is happening.
> 
> 
>> On 07/23/2014 06:59 PM, Johan Hattne wrote:
>> Thanks Ken, I’ll keep that in mind.  In this particular case (and with your earlier patch applied) it appears that http_auth() in cyrus-imap’s httpd.c returns SASL_CONTINUE.  The comment around line 3272 says “Need another step to complete authentication”, but the caller (response_header(), line ~2270) appears not to invoke that other step.
>> 
>> I tested this by calling http_auth() again if it returns SASL_CONTINUE, and that authenticated me.
>> 
>> // Johan
>> 
>> 
>>> On Jul 23, 2014, at 13:30, Ken Murchison <murch at andrew.cmu.edu> wrote:
>>> 
>>> I had issues with the Apple clients and Digest.  Unless you really need Digest, I'd recommend using TLS + Basic.
>>> 
>>> 
>>> 
>>>> On 07/23/2014 01:27 PM, Johan Hattne wrote:
>>>> Hi Ken;
>>>> 
>>>> That fixes the crash but results in a “401 Unauthorized”.  I’ll look into that a bit more at the next opportunity.
>>>> 
>>>> This is using Contacts (8.0 1371) on an up-to-date OS X 10.9.4.  It also works on the iPhone (iOS 7.1.2).
>>>> 
>>>> // Johan
>>>> 
>>>> 
>>>>> On Jul 23, 2014, at 10:55, Ken Murchison <murch at andrew.cmu.edu> wrote:
>>>>> 
>>>>> Hi Johan,
>>>>> 
>>>>> I believe this issue is fixed by the following commit: http://git.cyrusimap.org/cyrus-sasl/commit/?id=76ce885a44e7cb511ba54ceae46349036abb9cc8
>>>>> 
>>>>> BTW, which CardDAV client is using Digest?
>>>>> 
>>>>> 
>>>>>> On 07/22/2014 01:48 PM, Johan Hattne wrote:
>>>>>> While PLAIN authentication works fine, I had the https daemon crash during DIGEST-MD5 authentication.  The crash turned out to be a divide error in libdigestmd5 from cyrus-sasl.  In particular (in cyrus-sasl’s plugins/digestmd5.c):
>>>>>> 
>>>>>>   /* Create an initial cache entry for non-persistent HTTP connections */
>>>>>>   unsigned val = hash((char *) nonce) % text->reauth->size;
>>>>>> 
>>>>>> would fail due to text->reauth->size being zero.  If I’m reading this correctly, this appears to be the effect of initializing the plugin (as done in digestmd5_server_plug_init(), defined in the same file as the snippet above) with an undefined reauth_timeout.  And indeed, adding “sasl_reauth_timeout: 10” to /etc/imapd.conf makes the crash go away.
>>>>>> 
>>>>>> I didn’t expect a configuration without reauth_timeout to crash imapd, but I haven’t done enough research to be sure, nor to tell where the problem lies should this be a real issue.  Any further insight is greatly appreciated!
>>>>>> 
>>>>>> // Cheers; Johan
>>>>>> 
>>>>> -- 
>>>>> Kenneth Murchison
>>>>> Principal Systems Software Engineer
>>>>> Carnegie Mellon University
>>> 
>>> -- 
>>> Kenneth Murchison
>>> Principal Systems Software Engineer
>>> Carnegie Mellon University
> 
> 
> -- 
> Kenneth Murchison
> Principal Systems Software Engineer
> Carnegie Mellon University
> 
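
The divide error reported in the first message of this thread, shown as an added example; it is not code from the thread, from cyrus-sasl, or from the commit linked above. The type `reauth_cache_t`, the functions `reauth_init()`, `reauth_slot()` and `hash_nonce()`, and the slot count are hypothetical, and the rule "no timeout means zero slots" is taken from the reporter's reading of the plugin.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the plugin's reauth cache; only the field
 * the report mentions (size) is modelled, plus the timeout that drives it. */
typedef struct {
    unsigned timeout;   /* seconds; 0 models "option not set" */
    size_t   size;      /* number of cache slots */
} reauth_cache_t;

/* Stand-in string hash (djb2); the plugin's own hash() is not shown on the page. */
static unsigned hash_nonce(const char *s)
{
    unsigned h = 5381;
    while (*s)
        h = h * 33u + (unsigned char)*s++;
    return h;
}

/* Assumption from the report: an unset timeout leaves the cache with no slots. */
void reauth_init(reauth_cache_t *c, unsigned timeout, size_t slots)
{
    c->timeout = timeout;
    c->size = timeout ? slots : 0;
}

/* Guarded form of "hash(nonce) % size": returns 0 and stores the slot,
 * or -1 when the cache is disabled, so the modulo never sees a zero divisor. */
int reauth_slot(const reauth_cache_t *c, const char *nonce, size_t *slot)
{
    if (c == NULL || nonce == NULL || slot == NULL || c->size == 0)
        return -1;
    *slot = hash_nonce(nonce) % c->size;
    return 0;
}

int main(void)
{
    reauth_cache_t off, on;
    size_t slot = 0;

    reauth_init(&off, 0, 10);   /* no sasl_reauth_timeout configured */
    reauth_init(&on, 10, 10);   /* sasl_reauth_timeout: 10 */
    printf("disabled cache: %d\n", reauth_slot(&off, "constructed-nonce", &slot));
    if (reauth_slot(&on, "constructed-nonce", &slot) == 0)
        printf("enabled cache: slot %zu\n", slot);
    return 0;
}
```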

