Improved support for SCRAM-SHA-1 & SCRAM-SHA-256

This commit is contained in:
djmaze 2021-03-29 21:43:51 +02:00
parent 68d103b3c1
commit 389e473e22
2 changed files with 29 additions and 10 deletions

View file

@ -162,21 +162,40 @@ class ImapClient extends \MailSo\Net\NetClient
$this->sLogginedUser = $sLogin;
// $encrypted = !empty(\stream_get_meta_data($this->rConnect)['crypto']);
$type = '';
$types = [
// 'SCRAM-SHA-256' => 1, // !$encrypted
// 'SCRAM-SHA-1' => 1, // !$encrypted
'CRAM-MD5' => $bUseAuthCramMd5IfSupported,
'PLAIN' => $bUseAuthPlainIfSupported,
'LOGIN' => 1 // $encrypted
];
foreach ($types as $sasl_type => $active) {
if ($active && $this->IsSupported("AUTH={$sasl_type}") && \SnappyMail\SASL::isSupported($sasl_type)) {
$type = $sasl_type;
break;
}
}
$SASL = \SnappyMail\SASL::factory($type);
$SASL->base64 = true;
try
{
if ($bUseAuthCramMd5IfSupported && $this->IsSupported('AUTH=CRAM-MD5'))
if ('CRAM-MD5' === $type)
{
$oContinuationResponse = $this->SendRequestGetResponse('AUTHENTICATE', array('CRAM-MD5'))->getLast();
$oContinuationResponse = $this->SendRequestGetResponse('AUTHENTICATE', array($type))->getLast();
if ($oContinuationResponse && Enumerations\ResponseType::CONTINUATION === $oContinuationResponse->ResponseType)
{
$sTicket = $oContinuationResponse->ResponseList[1] ?? null;
if ($sTicket)
{
$sToken = $SASL->authenticate($sLogin, $sPassword, $sTicket)
$sTicket = \base64_decode($sTicket);
$this->oLogger->Write('ticket: '.$sTicket);
$sToken = \base64_encode($sLogin.' '.\hash_hmac('md5', $sTicket, $sPassword));
if ($this->oLogger)
{
$this->oLogger->AddSecret($sToken);
@ -199,9 +218,9 @@ class ImapClient extends \MailSo\Net\NetClient
\MailSo\Log\Enumerations\Type::NOTICE, true);
}
}
else if ($bUseAuthPlainIfSupported && $this->IsSupported('AUTH=PLAIN'))
else if ('PLAIN' === $type)
{
$sToken = \base64_encode("\0".$sLogin."\0".$sPassword);
$sToken = $SASL->authenticate($sLogin, $sPassword);
if ($this->oLogger)
{
$this->oLogger->AddSecret($sToken);

View file

@ -189,11 +189,11 @@ class SmtpClient extends \MailSo\Net\NetClient
{
// RFC 4616
case 'PLAIN':
$this->sendRequestWithCheck($SASL->authenticate($username, $passphrase), 235, '', true);
$this->sendRequestWithCheck($SASL->authenticate($sLogin, $sPassword), 235, '', true);
break;
case 'LOGIN':
$sResult = $this->sendRequestWithCheck($SASL->authenticate($username, $passphrase, $sResult), 334, '');
$sResult = $this->sendRequestWithCheck($SASL->authenticate($sLogin, $sPassword, $sResult), 334, '');
$this->sendRequestWithCheck($SASL->challenge($sResult), 235, '', true);
break;
@ -211,7 +211,7 @@ class SmtpClient extends \MailSo\Net\NetClient
// RFC 5802
case 'SCRAM-SHA-1':
case 'SCRAM-SHA-256':
$sResult = $this->sendRequestWithCheck($SASL->authenticate($username, $passphrase, $sResult), 234, '');
$sResult = $this->sendRequestWithCheck($SASL->authenticate($sLogin, $sPassword, $sResult), 234, '');
$sResult = $this->sendRequestWithCheck($SASL->challenge($sResult), 235, '', true);
$SASL->verify($sResult);
break;
@ -509,7 +509,7 @@ class SmtpClient extends \MailSo\Net\NetClient
{
$this->sendRequest($sCommand, $sAddToCommand, $bSecureLog);
$this->validateResponse($mExpectCode, $sErrorPrefix);
return empty($this->aResults[0]) ? '' : \substr($this->aResults[0], 4);
return empty($this->aResults[0]) ? '' : \trim(\substr($this->aResults[0], 4));
}
private function ehloOrHelo(string $sHost) : void