🔒 Add SASL SCRAM-SHA-* mechanisms #172

Merged
merged 1 commit into from
Sep 24, 2023

@nevans nevans commented Sep 10, 2023

@nevans nevans added the SASL 🔒 Authentication and authentication mechanisms label Sep 10, 2023
@nevans nevans force-pushed the sasl/scram-sha-256 branch 6 times, most recently from 317c619 to 9eb10ee Compare September 16, 2023 18:40

nevans commented Sep 16, 2023

I've delayed finishing this PR for ~a year now? Unfortunately, I haven't had much cause to use this myself (OAUTHBEARER support was more immediately useful for my needs).

As far as the authenticator API (expanded to include #initial_response? and #done?) is concerned, it's basically done... although I would really appreciate another pair of eyes on the implementation!

However, Net::IMAP#authenticate still needs to be updated so it ensures the authenticator is #done?. As it is now, if the server returns OK before sending its final message, then we can't satisfy the following requirement from the RFC:

> The client then authenticates the server by computing the
> ServerSignature and comparing it to the value sent by the server. If
> the two are different, the client MUST consider the authentication
> exchange to be unsuccessful, and it might have to drop the
> connection.

Loosely based on the implementation by @singpolyma at
nevans/net-sasl#5

New authenticators for any digest algorithms supported can be added by
subclassing ScramAuthenticator and adding a DIGEST_NAME constant (and
then registering with an Authenticators registry).

Co-authored-by: Stephen Paul Weber <[email protected]>
@nevans nevans merged commit b00141c into master Sep 24, 2023
22 checks passed
@nevans nevans deleted the sasl/scram-sha-256 branch September 24, 2023 00:17
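
The ServerSignature requirement quoted from the RFC above, as an added Ruby sketch that is not part of this PR or of net-imap: `done?` becomes true only after the server's final message verifies, so a caller that sees a tagged OK while `done?` is still false must treat the authentication as failed. `ScramClientSketch` and its method names are hypothetical; the sample messages are the RFC 7677 section 3 test vector.

```ruby
require "openssl"

# RFC 7677 section 3 test vector (user "user", password "pencil").
SERVER_FIRST = 'r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096'
SERVER_FINAL = 'v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4='

# Hypothetical client-side sketch; not net-imap's ScramAuthenticator.
# Assumes ASCII credentials (no SASLprep) and no channel binding ("n,,").
class ScramClientSketch
  def initialize(user, password, cnonce)
    @password, @cnonce = password, cnonce
    @client_first_bare = "n=#{user},r=#{cnonce}"
    @done = false
  end

  # True only after the server's final message has been verified.
  def done?; @done; end

  def client_first; "n,,#{@client_first_bare}"; end

  # Consumes server-first-message, returns client-final-message.
  def client_final(server_first)
    attrs = parse(server_first)
    nonce = attrs.fetch("r")
    raise ArgumentError, "nonce mismatch" unless nonce.start_with?(@cnonce)
    salted = OpenSSL::KDF.pbkdf2_hmac(@password, salt: attrs.fetch("s").unpack1("m"),
      iterations: Integer(attrs.fetch("i")), length: 32, hash: "SHA256")
    without_proof = "c=biws,r=#{nonce}" # "biws" is base64 of the "n,," header
    auth_message = [@client_first_bare, server_first, without_proof].join(",")
    client_key = hmac(salted, "Client Key")
    client_sig = hmac(OpenSSL::Digest.digest("SHA256", client_key), auth_message)
    proof = client_key.bytes.zip(client_sig.bytes).map { |a, b| a ^ b }.pack("C*")
    @server_signature = hmac(hmac(salted, "Server Key"), auth_message)
    "#{without_proof},p=#{[proof].pack('m0')}"
  end

  # Consumes server-final-message; done? flips only on a matching signature.
  def verify_server_final(server_final)
    sent = parse(server_final).fetch("v", "").unpack1("m")
    @done = !@server_signature.nil? &&
      sent.bytesize == @server_signature.bytesize &&
      OpenSSL.fixed_length_secure_compare(sent, @server_signature)
  end

  private

  def hmac(key, data); OpenSSL::HMAC.digest("SHA256", key, data); end
  def parse(msg); msg.split(",").to_h { |kv| kv.split("=", 2) }; end
end
```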

nevans commented Sep 25, 2023

@singpolyma, @Neustradamus FYI: This has been merged and I'm going to make a new release containing it this week (maybe today or tomorrow?). If you have any time to look over what I've done and maybe even test it a little bit, I'd be grateful.

@Neustradamus

@nevans: Excellent, thanks!

Have you planned a net-sasl build with it?

Have you looked at the -PLUS variants part?

@singpolyma: Can you look?

Successfully merging this pull request may close these issues.

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports