Re: SCRAM-SHA-1 support via libgsasl
From: Simon Josefsson via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 25 Dec 2020 22:11:26 +0100
Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se> writes:
> On Thu, 24 Dec 2020, Simon Josefsson via curl-library wrote:
>
> Hi Simon!
>
> Thanks for contributing to curl!
>
>> I am looking for feedback and review of a patch that implements
>> support for SCRAM-SHA-1 in curl via libgsasl:
>>
>> https://github.com/curl/curl/compare/master...jas4711:jas4711/gsasl-scram
>
> We generally prefer if you just go ahead and submit it as a pull
> request, so that it gets scrutinized by the tools first and then human
> review on github.

Hi Daniel, thanks for feedback. I have pushed it as a pull request now.

>> Is it okay to pass strings allocated by libgsasl back for later
>> free() by libcurl? Some platforms used to have separate heap
>> managers for different context, but I don't know if this is still a
>> concern for libcurl. If so, the newly allocated strings received
>> from libgsasl could be re-allocated and the libgsasl strings
>> deallocated immediately.
>
> It is still a concern. Windows is the one platform that still has that
> widespread use of different heap managers in different parts and
> Windows users make up a significant user share in curl land.

Agreed, I have fixed this in the push above.

>> I don't know how to add self-tests -- can anyone explain how the
>> existing CRAM-MD5/DIGEST-MD5/NTLM/etc self-tests work?
>
> I believe Steve Holme would be the best guy to explain this, but he's
> been "laying low" recently.
>
> There seem to be 10 existing tests that use CRAM-MD5 (I just grepped
> for "CRAM-MD5" in tests/data/), for IMAP and SMTP. They basically make
> sure that the test server claims to support the auth mechanisms and
> then verifies that the correct protocol strings were exchanged when
> the mails were retrieved or sent. I think it would make sense to copy
> the setup from one or more of those and just adapt to SHA-1 ?

I still haven't figured this out, but I just noticed pull request #5155
that may help me. Btw, that pull request adds TLS channel binding
support, which is required for SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS.

/Simon
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2020-12-25
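
Added illustration (not part of the original message, and not curl or libgsasl code): the SCRAM-SHA-1 protocol strings that a test of the kind discussed above would compare, computed for the example exchange in RFC 5802 section 5. The function names are hypothetical, and an ASCII password is assumed, so no SASLprep normalization is applied.

```python
import base64
import hashlib
import hmac

# RFC 5802 section 5 example exchange (user "user", password "pencil").
PASSWORD = b"pencil"
GS2_HEADER = "n,,"  # no channel binding; the -PLUS mechanisms send "p=..." here
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = ("r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,"
                "s=QSXCR+Q6sek8bf92,i=4096")


def parse_attrs(message):
    """Split 'k=v,k=v' into a dict; values may themselves contain '='."""
    return dict(part.split("=", 1) for part in message.split(","))


def client_final(password, client_first_bare, server_first,
                 gs2_header=GS2_HEADER):
    """Return (client-final-message, expected server-final-message)."""
    attrs = parse_attrs(server_first)
    client_nonce = parse_attrs(client_first_bare)["r"]
    # The server nonce must extend the client nonce, otherwise abort.
    if attrs["r"] == client_nonce or not attrs["r"].startswith(client_nonce):
        raise ValueError("server nonce does not extend client nonce")
    salt = base64.b64decode(attrs["s"])
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, int(attrs["i"]))
    client_key = hmac.digest(salted, b"Client Key", "sha1")
    stored_key = hashlib.sha1(client_key).digest()
    # "c=" carries the base64 of the GS2 header ("n,," encodes to "biws").
    cbind = base64.b64encode(gs2_header.encode()).decode()
    without_proof = f"c={cbind},r={attrs['r']}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    signature = hmac.digest(stored_key, auth_message, "sha1")
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    server_key = hmac.digest(salted, b"Server Key", "sha1")
    server_sig = hmac.digest(server_key, auth_message, "sha1")
    return (f"{without_proof},p={base64.b64encode(proof).decode()}",
            f"v={base64.b64encode(server_sig).decode()}")


def verify_server_final(received, expected):
    """Compare the server signature message in constant time."""
    return hmac.compare_digest(received.encode(), expected.encode())
```

The client must check the server's `v=` message against the second returned value before treating the server as authenticated; skipping that check drops SCRAM's mutual authentication.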