SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) supp…

…orts pear#57
schengawegga · Apr 1, 2023 · 14f0c76 · 14f0c76
1 parent ebecdd2
commit 14f0c76
Showing 1 changed file with 30 additions and 8 deletions.
diff --git a/Net/SMTP.php b/Net/SMTP.php
@@ -1165,9 +1165,6 @@ public function authXOAuth2($uid, $token, $authz, $conn)
         return true;
     }
 
-
-
-
     /**
      * Authenticates the user using the SCRAM-SHA-1 method.
      *
@@ -1279,23 +1276,48 @@ protected function authScramSHA($uid, $pwd, $authz = '')
         }
 
         $auth_sasl = new Auth_SASL;
-        $challenge = base64_decode($this->arguments[0]);
         $cram      = $auth_sasl->factory($this->scram_sha_hash_algorithm);
-        $auth_str  = base64_encode($cram->getResponse($uid, $pwd, $challenge));
+        $auth_str  = base64_encode($cram->getResponse($uid, $pwd));
 
+        /* Step 1: Send first authentication request */
         if (PEAR::isError($error = $this->put($auth_str))) {
             return $error;
         }
 
-        /* 235: Authentication successful */
-        if (PEAR::isError($error = $this->parseResponse(235))) {
+        /* 334: Continue authentication request with password salt */
+        if (PEAR::isError($error = $this->parseResponse(334))) {
             return $error;
         }
-    }
 
+        $challenge = base64_decode($this->arguments[0]);
+        $auth_str  = base64_encode($cram->getResponse($uid, $pwd, $challenge));
 
+        /* Step 2: Send salted authentication request */
+        if (PEAR::isError($error = $this->put($auth_str))) {
+            return $error;
+        }
 
+        /* 334: Continue authentication request with password salt */
+        if (PEAR::isError($error = $this->parseResponse(334))) {
+            return $error;
+        }
 
+        /* Verify server signature */
+        $verification = $cram->processOutcome(base64_decode($this->arguments[0]));
+        if ($verification == false) {
+            return PEAR::raiseError("SCRAM Server verification on step 3 not successful");
+        }
+
+        /* Step 3: Send a request to acknowledge verification */
+        if (PEAR::isError($error = $this->put("NOOP"))) {
+            return $error;
+        }
+
+        /* 235: Authentication successful */
+        if (PEAR::isError($error = $this->parseResponse(235))) {
+            return $error;
+        }
+    }
 
     /**
      * Send the HELO command.