| Field | Value |
|---|---|
| Summary | add SCRAM-SHA-1 support |
| Product | Claws Mail (GTK 2) |
| Reporter | franz.wudy |
| Component | SMTP |
| Assignee | users |
| Status | REOPENED |
| Severity | enhancement |
| CC | Neustradamus |
| Priority | P3 |
| Version | other |
| Hardware | PC |
| OS | All |
Description
franz.wudy
2012-11-19 05:15:51 UTC
For IMAP, we are limited by what libetpan supports, and I haven't found any mention of even a plan to add SCRAM-SHA-1 support there. For SMTP, I think this is doable. We will, however, need two things:

1. A good source for random numbers to generate a good client nonce. We can either use GnuTLS's gnutls_rand(), or directly read from /dev/urandom. That is not portable to Windows, though; we'd have to use CryptGenRandom() on Windows, or simply not support SCRAM-SHA-1 for Windows. Using GnuTLS for this would of course mean that we would only support SCRAM-SHA-1 if compiled with GnuTLS support.

2. SHA1 digest implementation. Again, we could use GnuTLS, libnettle (implies additional dependency), or simply grab an implementation from e.g. nettle library.

Thoughts?

(In reply to comment #1)
> 2. SHA1 digest implementation. Again, we could use GnuTLS, libnettle
> (implies additional dependency), or simply grab an implementation from e.g.
> nettle library.

Looks like gnutls depends on nettle (at least the Arch Linux package does). So there is no extra dependency for most users.

(In reply to comment #2)
> Looks like gnutls depends on nettle (at least the Arch Linux package does).
> So there is no extra dependency for most users.

Unfortunately, that isn't the case on Debian (at least on stable wheezy); the GnuTLS library itself does not depend on nettle. Only the gnutls-bin package with various utility programs does. But anyway, if we decide to explicitly use functions from the nettle library, we would have to explicitly add a check for it in configure.

There is another option for getting SHA1 which I forgot: Glib 2.30 adds support for HMAC digests [1], so we could use those, if we bump our minimum Glib version requirement from the current 2.20 to 2.30. I'm not sure if that's a good idea, though, just for one additional authentication method.

1. https://developer.gnome.org/glib/stable/glib-Data-HMACs.html

What about using libsasl2 (Cyrus SASL)? This is what libetpan uses [1], and claws-mail in Debian Testing (3.11.1-1) already depends on it. Cyrus SASL supports SCRAM-SHA-1: https://github.com/coapp-packages/cyrus-sasl/blob/master/plugins/scram.c

Example usage in a client: http://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/programming.php#client_section

On that note, couldn't we just use SCRAM-SHA-1 through libetpan for IMAP, as with CRAM-MD5 and DIGEST-MD5? For SMTP, could we use sasl_client_* functions from Cyrus SASL for the auth?

1. https://github.com/dinhviethoa/libetpan/blob/master/configure.ac#L514

Created attachment 1465: SCRAM-SHA-1 for IMAP

Yes, that will probably be the best approach; sometimes I really should step back and look at what's available, instead of trying to reinvent the wheel. :)

Anyway, the patch for the easier part (IMAP, using libetpan) is attached, and seems to be working fine on my local IMAP server. Note the caveat mentioned in the comment of the first hunk.

This was added back in January, but no-one closed this at the time.

I haven't closed the bug because we still do not offer this auth method for SMTP; my patch only adds it for IMAP.

Can you confirm the state of play of this support?
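The two ingredients the thread argues about (a random client nonce and SHA-1 HMACs) are all SCRAM-SHA-1 (RFC 5802) needs; the walkthrough below is an added Python example, not code from Claws Mail, libetpan or Cyrus SASL, and the user name, password, salt and iteration count are constructed sample values. It runs both sides of one exchange so that the client proof, the server's check of it, and the mutual-authentication signature can be seen together.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values for the demo; nothing here comes from the bug report.
SALT, ITERATIONS = b"\x01\x02\x03\x04\x05\x06\x07\x08", 4096

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def nonce() -> str:
    # os.urandom is the portable CSPRNG (/dev/urandom or the Windows CSP underneath).
    return base64.b64encode(os.urandom(18)).decode()

def enrol(password: str, salt: bytes, iterations: int) -> tuple:
    """Server-side enrolment: keep StoredKey and ServerKey, never the password."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)  # Hi()
    stored_key = hashlib.sha1(hmac_sha1(salted, b"Client Key")).digest()
    return stored_key, hmac_sha1(salted, b"Server Key")

def exchange(user: str, password: str, creds: tuple,
             salt: bytes, iterations: int, cnonce: str = "", snonce: str = ""):
    """One SCRAM-SHA-1 run; returns (server accepted client, client accepted server)."""
    stored_key, server_key = creds
    cnonce, snonce = cnonce or nonce(), snonce or nonce()
    client_first = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={cnonce}{snonce}"          # "biws" == base64("n,,")
    auth_msg = f"{client_first},{server_first},{client_final_bare}".encode()
    # Client side: it only holds the password, so it re-derives ClientKey and StoredKey.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    proof = xor(client_key, hmac_sha1(hashlib.sha1(client_key).digest(), auth_msg))
    # Server side: unmask ClientKey with its own StoredKey and check the hash matches.
    recovered = xor(proof, hmac_sha1(stored_key, auth_msg))
    if not hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key):
        return False, False                                   # no ServerSignature is sent
    server_sig = hmac_sha1(server_key, auth_msg)
    # Mutual authentication: the client verifies the server knew ServerKey.
    expected = hmac_sha1(hmac_sha1(salted, b"Server Key"), auth_msg)
    return True, hmac.compare_digest(expected, server_sig)

if __name__ == "__main__":
    creds = enrol("correct horse", SALT, ITERATIONS)
    print(exchange("alice", "correct horse", creds, SALT, ITERATIONS))  # (True, True)
```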