Digest md5: Use hostname to generate spn instead of realm #11395
Conversation
In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2 digest-uri-value should be serv-type "/" host , where host is The DNS host name or IP address for the service requested. The DNS host name must be the fully-qualified canonical name of the host. The DNS host name is the preferred form; see notes on server processing of the digest-uri. Realm may not be the host, so we must specify the host explicitly
kop316
force-pushed
the
wip/imap_md5
branch
2 times, most recently
from
c1e780e
to
591dd10
Compare
|
I added the response auth in the modified tests that should be included per https://www.rfc-editor.org/rfc/rfc2831#section-2.1.3 . It looks like curl does not check that response auth. |
|
According to feedback in #11369, this does not solve the issue... |
Yeah I unfortunately saw that. What I can say is this PR does fix DIGEST-MD5 login for me, so I have no further way of trying to diagnose/fix it for @MonkeybreadSoftware . I gave a couple of ideas of how to fix it in #11369 (comment) , maybe those will wok. I also saw this is identical to what is in I welcome any other thoughts on what you think should/can be done. |
digest_sspi.c uses the Windows SSPI API that is enabled in some Windows builds. Both digest.c and digest_sspi.c should format the spn as "service/host" if passed service and host strings. git blame puts it at 9feb267 (check its comments) when, prior to that, to build spn there was only one parameter for host and realm called 'instance'. You can see since then for some calls the host is passed as the realm, but in this one case here the realm is passed as the host. I still don't know why that is. |
|
@jay If I am reading https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2 correctly, Actually when looking at 9feb267 , almost every other one looks to use host as well. (EDIT: Sorry I think you noticed that as well in your comment.) I tried looking back, but it looks like it was always Perhaps I am reading the RFC wrong? |
|
So for a different IMAP server for visual voicemail, they are able to successfully login with the current However, in Android's actual code, They appear to use the host for the And as I annotated here: #11369 (comment) the different realm is not functional for me in DIGEST-MD5. So perhaps the realm is used some of the time for DIGEST-MD5, but I am just not sure? |
|
My best guess as to what happened here is the dev assumed that the realm would be a more formal host (like maybe they assumed with a hostname of You said in the other thread you had a realm of
In that case what happens if you send spn |
I tried
I also tried this, and make the digest-uri
I actually worked with someone to try this out. I will see if I can get them to try it out and see if it works. |
|
@jay The user was successfully able to log into the IMAP server with spn As an aside, AT&T built their own proprietary app for accessing their IMAP server in Android. I sort of wonder if they use curl as a backend and just worked around this issue? |
|
Thanks
If it's proprietary it's hard to say... |
In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2 digest-uri-value should be serv-type "/" host , where host is: The DNS host name or IP address for the service requested. The DNS host name must be the fully-qualified canonical name of the host. The DNS host name is the preferred form; see notes on server processing of the digest-uri. Realm may not be the host, so we must specify the host explicitly. Note this change only affects the non-SSPI digest code. The digest code used by SSPI builds already uses the hostname to generate the spn. Ref: curl#11369 Closes curl#11395
Fixes #11369
In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2
digest-uri-value should be serv-type "/" host , where host is
Realm may not be the host, so we must specify the host explicitly.
This fixes an issue I have seen where
DIGEST-MD5does not work for the Visual Voicemail Server (and presumably fixes the other one references in the issue).