Author pepoluan
Recipients Dario D'Amico, Mario Colombo, barry, pepoluan, r.david.murray, redstone-cold
Date 2020-12-14.06:48:14
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1607928495.24.0.711952359935.issue27820@roundup.psfhosted.org>
In-reply-to
Content
Hi, I'm one of the maintainers of aio-libs/aiosmtpd.

This issue also bit me when trying to write unit tests for aio-libs/aiosmtpd AUTH implementation

But I partially disagree with Dario D'Amico's changes, specifically the suggested change in the auth_login() method.

According to draft-murchison-sasl-login-00.txt [1], the two challenges sent by the server SHOULD be ignored. The example in that document uses b"VXNlciBOYW1lAA==" and b"UGFzc3dvcmQA" (b64 of b"User Name\x00" and b"Password\x00", respectively), and this is what we have implemented in aio-libs/aiosmtpd.

Furthermore, the same document never indicated that username may be sent along with "AUTH LOGIN", so we haven't implemented that in aio-libs/aiosmtpd.

So rather than hardcoding the challenges to b"Username:" and b"Password:", a compliant SMTP client must instead _count_ the number of challenges it received.

I propose the following changes instead:

    def auth(self, mechanism, authobject, *, initial_response_ok=True):
        ... snip ...
        if initial_response is not None:
            response = encode_base64(initial_response.encode('ascii'), eol='')
            (code, resp) = self.docmd("AUTH", mechanism + " " + response)
            self._challenge_count = 1
        else:
            (code, resp) = self.docmd("AUTH", mechanism)
            self._challenge_count = 0
        # If server responds with a challenge, send the response.
        while code == 334:
            self._challenge_count += 1
            challenge = base64.decodebytes(resp)
        ... snip ...

    ... snip ...

    def auth_login(self, challenge=None):
        """ Authobject to use with LOGIN authentication. Requires self.user and
        self.password to be set."""
        if challenge is None or self._challenge_count < 2:
            return self.user
        else:
            return self.password


[1] https://www.ietf.org/archive/id/draft-murchison-sasl-login-00.txt
History
Date User Action Args
2020-12-14 06:48:15pepoluansetrecipients: + pepoluan, barry, r.david.murray, redstone-cold, Dario D'Amico, Mario Colombo
2020-12-14 06:48:15pepoluansetmessageid: <1607928495.24.0.711952359935.issue27820@roundup.psfhosted.org>
2020-12-14 06:48:15pepoluanlinkissue27820 messages
2020-12-14 06:48:14pepoluancreate