Diffstat (limited to 'lib/net/imap/authenticators')
-rw-r--r--lib/net/imap/authenticators/cram_md5.rb49
-rw-r--r--lib/net/imap/authenticators/digest_md5.rb111
-rw-r--r--lib/net/imap/authenticators/login.rb43
-rw-r--r--lib/net/imap/authenticators/plain.rb41
4 files changed, 0 insertions, 244 deletions
diff --git a/lib/net/imap/authenticators/cram_md5.rb b/lib/net/imap/authenticators/cram_md5.rb
deleted file mode 100644
index 0930c5ac34..0000000000
--- a/lib/net/imap/authenticators/cram_md5.rb
+++ /dev/null
@@ -1,49 +0,0 @@
-# frozen_string_literal: true
-
-require "digest/md5"
-
-# Authenticator for the "+CRAM-MD5+" SASL mechanism, specified in
-# RFC2195[https://tools.ietf.org/html/rfc2195]. See Net::IMAP#authenticate.
-#
-# == Deprecated
-#
-# +CRAM-MD5+ is obsolete and insecure. It is included for compatibility with
-# existing servers.
-# {draft-ietf-sasl-crammd5-to-historic}[https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00.html]
-# recommends using +SCRAM-*+ or +PLAIN+ protected by TLS instead.
-#
-# Additionally, RFC8314[https://tools.ietf.org/html/rfc8314] discourage the use
-# of cleartext and recommends TLS version 1.2 or greater be used for all
-# traffic. With TLS +CRAM-MD5+ is okay, but so is +PLAIN+
-class Net::IMAP::CramMD5Authenticator
- def process(challenge)
- digest = hmac_md5(challenge, @password)
- return @user + " " + digest
- end
-
- private
-
- def initialize(user, password)
- @user = user
- @password = password
- end
-
- def hmac_md5(text, key)
- if key.length > 64
- key = Digest::MD5.digest(key)
- end
-
- k_ipad = key + "\0" * (64 - key.length)
- k_opad = key + "\0" * (64 - key.length)
- for i in 0..63
- k_ipad[i] = (k_ipad[i].ord ^ 0x36).chr
- k_opad[i] = (k_opad[i].ord ^ 0x5c).chr
- end
-
- digest = Digest::MD5.digest(k_ipad + text)
-
- return Digest::MD5.hexdigest(k_opad + digest)
- end
-
- Net::IMAP.add_authenticator "PLAIN", self
-end
diff --git a/lib/net/imap/authenticators/digest_md5.rb b/lib/net/imap/authenticators/digest_md5.rb
deleted file mode 100644
index 19e1a460c8..0000000000
--- a/lib/net/imap/authenticators/digest_md5.rb
+++ /dev/null
@@ -1,111 +0,0 @@
-# frozen_string_literal: true
-
-require "digest/md5"
-require "strscan"
-
-# Net::IMAP authenticator for the "`DIGEST-MD5`" SASL mechanism type, specified
-# in RFC2831(https://tools.ietf.org/html/rfc2831). See Net::IMAP#authenticate.
-#
-# == Deprecated
-#
-# "+DIGEST-MD5+" has been deprecated by
-# {RFC6331}[https://tools.ietf.org/html/rfc6331] and should not be relied on for
-# security. It is included for compatibility with existing servers.
-class Net::IMAP::DigestMD5Authenticator
- def process(challenge)
- case @stage
- when STAGE_ONE
- @stage = STAGE_TWO
- sparams = {}
- c = StringScanner.new(challenge)
- while c.scan(/(?:\s*,)?\s*(\w+)=("(?:[^\\"]+|\\.)*"|[^,]+)\s*/)
- k, v = c[1], c[2]
- if v =~ /^"(.*)"$/
- v = $1
- if v =~ /,/
- v = v.split(',')
- end
- end
- sparams[k] = v
- end
-
- raise DataFormatError, "Bad Challenge: '#{challenge}'" unless c.rest.size == 0
- raise Error, "Server does not support auth (qop = #{sparams['qop'].join(',')})" unless sparams['qop'].include?("auth")
-
- response = {
- :nonce => sparams['nonce'],
- :username => @user,
- :realm => sparams['realm'],
- :cnonce => Digest::MD5.hexdigest("%.15f:%.15f:%d" % [Time.now.to_f, rand, Process.pid.to_s]),
- :'digest-uri' => 'imap/' + sparams['realm'],
- :qop => 'auth',
- :maxbuf => 65535,
- :nc => "%08d" % nc(sparams['nonce']),
- :charset => sparams['charset'],
- }
-
- response[:authzid] = @authname unless @authname.nil?
-
- # now, the real thing
- a0 = Digest::MD5.digest( [ response.values_at(:username, :realm), @password ].join(':') )
-
- a1 = [ a0, response.values_at(:nonce,:cnonce) ].join(':')
- a1 << ':' + response[:authzid] unless response[:authzid].nil?
-
- a2 = "AUTHENTICATE:" + response[:'digest-uri']
- a2 << ":00000000000000000000000000000000" if response[:qop] and response[:qop] =~ /^auth-(?:conf|int)$/
-
- response[:response] = Digest::MD5.hexdigest(
- [
- Digest::MD5.hexdigest(a1),
- response.values_at(:nonce, :nc, :cnonce, :qop),
- Digest::MD5.hexdigest(a2)
- ].join(':')
- )
-
- return response.keys.map {|key| qdval(key.to_s, response[key]) }.join(',')
- when STAGE_TWO
- @stage = nil
- # if at the second stage, return an empty string
- if challenge =~ /rspauth=/
- return ''
- else
- raise ResponseParseError, challenge
- end
- else
- raise ResponseParseError, challenge
- end
- end
-
- def initialize(user, password, authname = nil)
- @user, @password, @authname = user, password, authname
- @nc, @stage = {}, STAGE_ONE
- end
-
- private
-
- STAGE_ONE = :stage_one
- STAGE_TWO = :stage_two
-
- def nc(nonce)
- if @nc.has_key? nonce
- @nc[nonce] = @nc[nonce] + 1
- else
- @nc[nonce] = 1
- end
- return @nc[nonce]
- end
-
- # some responses need quoting
- def qdval(k, v)
- return if k.nil? or v.nil?
- if %w"username authzid realm nonce cnonce digest-uri qop".include? k
- v.gsub!(/([\\"])/, "\\\1")
- return '%s="%s"' % [k, v]
- else
- return '%s=%s' % [k, v]
- end
- end
-
- Net::IMAP.add_authenticator "DIGEST-MD5", self
-end
diff --git a/lib/net/imap/authenticators/login.rb b/lib/net/imap/authenticators/login.rb
deleted file mode 100644
index e1afebc323..0000000000
--- a/lib/net/imap/authenticators/login.rb
+++ /dev/null
@@ -1,43 +0,0 @@
-# frozen_string_literal: true
-
-# Authenticator for the "+LOGIN+" SASL mechanism. See Net::IMAP#authenticate.
-#
-# +LOGIN+ authentication sends the password in cleartext.
-# RFC3501[https://tools.ietf.org/html/rfc3501] encourages servers to disable
-# cleartext authentication until after TLS has been negotiated.
-# RFC8314[https://tools.ietf.org/html/rfc8314] recommends TLS version 1.2 or
-# greater be used for all traffic, and deprecate cleartext access ASAP. +LOGIN+
-# can be secured by TLS encryption.
-#
-# == Deprecated
-#
-# The {SASL mechanisms
-# registry}[https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml]
-# marks "LOGIN" as obsoleted in favor of "PLAIN". It is included here for
-# compatibility with existing servers. See
-# {draft-murchison-sasl-login}[https://www.iana.org/go/draft-murchison-sasl-login]
-# for both specification and deprecation.
-class Net::IMAP::LoginAuthenticator
- def process(data)
- case @state
- when STATE_USER
- @state = STATE_PASSWORD
- return @user
- when STATE_PASSWORD
- return @password
- end
- end
-
- private
-
- STATE_USER = :USER
- STATE_PASSWORD = :PASSWORD
-
- def initialize(user, password)
- @user = user
- @password = password
- @state = STATE_USER
- end
-
- Net::IMAP.add_authenticator "LOGIN", self
-end
diff --git a/lib/net/imap/authenticators/plain.rb b/lib/net/imap/authenticators/plain.rb
deleted file mode 100644
index a9d46c920e..0000000000
--- a/lib/net/imap/authenticators/plain.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-
-# Authenticator for the "+PLAIN+" SASL mechanism, specified in
-# RFC4616[https://tools.ietf.org/html/rfc4616]. See Net::IMAP#authenticate.
-#
-# +PLAIN+ authentication sends the password in cleartext.
-# RFC3501[https://tools.ietf.org/html/rfc3501] encourages servers to disable
-# cleartext authentication until after TLS has been negotiated.
-# RFC8314[https://tools.ietf.org/html/rfc8314] recommends TLS version 1.2 or
-# greater be used for all traffic, and deprecate cleartext access ASAP. +PLAIN+
-# can be secured by TLS encryption.
-class Net::IMAP::PlainAuthenticator
-
- def process(data)
- return "#@authzid\0#@username\0#@password"
- end
-
- # :nodoc:
- NULL = -"\0".b
-
- private
-
- # +username+ is the authentication identity, the identity whose +password+ is
- # used. +username+ is referred to as +authcid+ by
- # RFC4616[https://tools.ietf.org/html/rfc4616].
- #
- # +authzid+ is the authorization identity (identity to act as). It can
- # usually be left blank. When +authzid+ is left blank (nil or empty string)
- # the server will derive an identity from the credentials and use that as the
- # authorization identity.
- def initialize(username, password, authzid: nil)
- raise ArgumentError, "username contains NULL" if username&.include?(NULL)
- raise ArgumentError, "password contains NULL" if password&.include?(NULL)
- raise ArgumentError, "authzid contains NULL" if authzid&.include?(NULL)
- @username = username
- @password = password
- @authzid = authzid
- end
-
- Net::IMAP.add_authenticator "PLAIN", self
-end