[Dovecot] [PATCH] SCRAM-SHA-1 authentication

Florian Zeitz florob at babelmonkeys.de
Fri Sep 16 03:47:56 EEST 2011


Hy,

over the last days I have implemented SCRAM-SHA-1 in Dovecot's 2.1
branch. It does not do SCRAM-SHA-1-PLUS, but should be extendable enough
to introduce it later.

There are some checks for the message format which (assuming the client
acts correclty) are not strictly necessary during parsing. This is
partially in the hope that it might aid client implementers, partially
because it (IMHO) improves readability when checking against the RFC.

Also errors found in this way could be sent to the client, this is
however strictly OPTIONAL in the RFC, for now they are just logged.

Some of the variable names are rather long. This is in order to have
them match the terms introduced in the RFC, again I expect it to help
readability (maybe my recent Objective-C programming showing though).

I do feel somewhat insecure about my usage of some lib functions.
Hopefully no API has been abused too much.

I also note that there are a lot of fields in the scram_auth_request
struct. I think they are all there for a reason, however feel free to
prove me wrong.

Attached is a hg export.
It also includes a hmac-sha1 implementation, an adaption off of the
hmac-md5 implementation already in Dovecot. I guess those should
eventually be merged into a hash-independent hmac implementation, but I
figured this would have to do for now.

The implementation has been tested against GNU SASL and does appear to
work fine. (The command line was `gsasl -m SCRAM-SHA-1 -a user -p pass
--imap host` for those curious)

Regards
Florian "Florob" Zeitz
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: scram-sha-1.exp
URL: <http://dovecot.org/pipermail/dovecot/attachments/20110916/c268709f/attachment-0002.pl>


More information about the dovecot mailing list