Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.3.2

Bug #16647 AUTHENTICATE command hangs
Submitted: 2009-09-27 11:33 UTC Modified: 2009-10-08 14:20 UTC
From: speed47 Assigned: yunosh
Status: Closed Package: Net_Sieve (version CVS)
PHP Version: 5.2.5 OS: Linux
Roadmaps: (Not assigned)    

 [2009-09-27 11:33 UTC] speed47 (Stéphane Lesimple)
Description: ------------ I can't use the Net_Sieve to login to my managesieve dovecot server. After some debugging and Wiresharking, I noticed that after the AUTHENTICATE "CRAM-MD5" command, the server sends back a challenge, and then sits waiting for an answer. Net_Sieve never sends any answer back because it's still waiting for others data from the server, due to the way the _doCmd() is written. The code seems to support challenges, but only if the challenge length is announced with a string-length indicator, as in : C:AUTHENTICATE "CRAM-MD5" S:{30} S:abcdefghijklmnopqrstuvwxyz1234 But the ietf draft (see also shows that the server can send the challenge between quotes and without a length-indicator, as in : C:AUTHENTICATE "CRAM-MD5" S:"abcdefghijklmnopqrstuvwxyz1234" For some reason, my managesieve dovecot server uses the latter form. I wrote a patch to add support for this form to Net_Sieve.php, and it now works. This is done adding another state to the class : NET_SIEVE_STATE_CONNECTED, which is set right after the TCP connection is established, and until we set either state AUTHORISATION or TRANSACTION, after establishing the TLS layer (if configured) and after querying the capabilities. When the state AUTHORISATION state is active, the _doCmd() function will wait for challenges from the server, expecting either the form with the string-length indicator, or without. The portion of the code that expects a challenge without a string-length indicator is only active if the AUTHORISATION state is active, which is why I added the CONNECTED state : to avoid taking an answer to CAPABILITY or a server greeting for a challenge). It has been tested with auth methods PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5, with and without TLS. The "bypass auth" case is however untested. It should be also a good idea to test it with servers that use the first form for challenges (apparently timsieved does). The managesieve dovecot server version I use is 1.13, from Debian lenny backports. My actual version of PHP is 5.2.6 (it's absent from the listbox). Test script: --------------- <?php include('Sieve.php'); $sieve = new Net_Sieve('user', 'pass', 'localhost' , 2000, '', '', true, false, false, null); Expected result: ---------------- Successful login Actual result: -------------- S:"IMPLEMENTATION" "dovecot" S:"SASL" "PLAIN LOGIN CRAM-MD5" S:"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify include envelope body relational regex subaddress copy" S:"STARTTLS" S:"RENAME" S:OK "Dovecot ready." C:CAPABILITY S:"IMPLEMENTATION" "dovecot" S:"SASL" "PLAIN LOGIN CRAM-MD5" S:"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify include envelope body relational regex subaddress copy" S:"STARTTLS" S:"RENAME" S:OK "Capability completed." C:AUTHENTICATE "CRAM-MD5" S:"PDI2NzUxNTYyMTQ2OTgyODcuMTI1NDA0NjYzM0BtYWlsPg==" // it then hangs here forever (_doCmd never returns)


 [2009-09-27 11:37 UTC] speed47 (Stéphane Lesimple)
 [2009-09-28 10:04 UTC] yunosh (Jan Schneider)
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yunosh
 [2009-10-07 23:32 UTC] yunosh (Jan Schneider)
-Status: Assigned +Status: Feedback
Thank you for taking the time to report a problem with the package. Unfortunately you are not using a current version of the package -- the problem might already be fixed. Please download a new version from If you are able to reproduce the bug with one of the latest versions, please change the package version on this bug report to the version you tested and change the status back to "Open". Again, thank you for your continued support of PEAR.
 [2009-10-07 23:33 UTC] yunosh (Jan Schneider)
I tried to solve this differently in 1.2.0b1, please let me know if this solution works for you too.
 [2009-10-08 07:49 UTC] speed47 (Stéphane Lesimple)
1.2.0b1 indeed works with my configuration, and I haven't noticed yet any regression so far. Thanks, for me and for the community :)
 [2009-10-08 14:20 UTC] yunosh (Jan Schneider)
-Status: Feedback +Status: Closed
That's good news.