🔒 SASL DIGEST-MD5: realm, host, service_name, etc#284
Merged
nevans merged 1 commit intoruby:masterfrom Jun 30, 2024
Merged
Conversation
nevans
force-pushed
the
sasl/digest-md5-updates-lol
branch
2 times, most recently
from
5dc3f1d to
f675169
Compare
nevans
force-pushed
the
sasl/digest-md5-updates-lol
branch
4 times, most recently
from
f2b5ebb to
27e21e8
Compare
Yes, DIGEST-MD5 is deprecated! But that also means that it was lower risk for experimenting with other SASL changes. Its complexity vs most other mechanisms made it a good test-bed for the completeness of net-imap's SASL implementation. For example: * It demonstrated that we were missing features such as `done?`. * It demonstrates the utility of using callbacks for attributes such as `realm` (the user might select from a server-provided list). _Please note: the initial work I did to support attribute callbacks was reverted, to simplify the big SASL re-write. It could still be a useful feature for this and other mechanisms._ * It shows that `service` should not be hard-coded to `imap`, and should be provided by the client (or the protocol adapter). _Please note: Although the current (experimental) client adapters _do_ have a `#service` method, it is not used by the (experimental) AuthenticationExchange yet._ * It requires other attributes that should be provided by the client such as `host`, `port` (also used by `OAUTHBEARER`). I improved the existing authenticator in several ways: * ✨ Add `realm`, `host`, `service_name`, `service` attributes. This allows non-IMAP clients to construct the correct `digest-uri`. * 🔒 Use SecureRandom for cnonce (not Time.now + insecure PRNG!) * ✨ Default `qop=auth` (as in RFC) * ✨ Enforce requirements for `sparam` keys (required and no-multiples). * ♻️ Various other minor refactorings. However... it's still deprecated, so don't use if you don't need to! 🙃
nevans
force-pushed
the
sasl/digest-md5-updates-lol
branch
from
27e21e8 to
bf34d6f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
(This work in this commit was done about 18 months ago, as part of #78. In fact, the work done in this PR was used to guide the style of all of the new authenticators. I wasn't sure whether it was worth submitting as a PR, but for the sake of completeness: here it is.)
Yes, DIGEST-MD5 is deprecated! But that also means that it was lower risk for experimenting with other SASL changes. Its complexity vs most other mechanisms made it a good test-bed for the completeness of net-imap's SASL implementation. For example:
done?.Added in 🔒 Verify SASL authentication has completed #179.
realm(the user might select from a server-provided list).Please note: the initial work I did to support attribute callbacks was reverted, to simplify the SASL re-write. It could still be a useful feature for this and other mechanisms.
serviceshould not be hard-coded toimap, and should be provided by the client (or the protocol adapter).Please note: Although the current (experimental) client adapters do have a
#servicemethod, it is not used by the (experimental) AuthenticationExchange yet.host,port(also used byOAUTHBEARER).I improved the existing authenticator in several ways:
realm,host,service_name,serviceattributes. This allows non-IMAP clients to construct the correctdigest-uri.qop=auth(as in RFC)sparamkeys (required and no-multiples).However... it's still deprecated, so don't use it! 🙃