>From: owner-openssl-us...@openssl.org On Behalf Of vinay krishna
>Sent: Sunday, 21 April, 2013 00:52

>Hello I am writing a POP3 client in C on ubuntu. I am using OpenSSl
>I am stuck in the AUTHORIZATION state! I send the user name and get
>a success response, and when i send the password , it always says
>-ERR bad command. I am sure the password is correct. Since i am

Are you sure the username is correct? Usual security practice
has long required, as RFC 1939 hints, that the feedback for a
uid/pw login should not indicate which one was bad nor in what way,
only that the *pair* is bad. This means that a bad USER would
still +OK and only the subsequent PASS would -ERR. Although
-ERR "bad command" is somewhat discourteous; it could be
a little more specific and still be secure.

>using open ssl , wireshark was of not of much help. Heres how

For recent versions of wireshark (about the last 2 years or so)
if your code gets the SSL_SESSION after handshake (i.e. after
SSL_connect or equivalent for a client) and _print's it to a file
which you give to wireshark it should be able to decrypt.
(And wireshark has vulnerabilities, at least loop or crash
vulnerabilities, often enough it's good to keep up to date.)

>i am sending the password
>scanf("%s",password);
>sprintf(pass_cmd,"PASS %s\r\n",password);

If either the input to password or the line to pass_cmd exceeds
the size of the respective buffer, this will overrun memory and
do unpredictably bad things. The official C term for this is
Undefined Behavior. Use *scanf %<limit>s where limit is at most
size-1, and unless you've prearranged the sizes to fit, either
sprintf %.<limit>s or snprintf (standard in C99, but widely
available before and outside that). Alternatively if this is
the only data on an input line, and I expect in this situation
it would be, use fgets and discard the \n if (and only if)
it's there.

>sent = SSL_write(ssl, pass_cmd, strlen(pass_cmd));
>pass_cmd is flushed and cleaned before used in write.

What exactly is flush? Normally that is used for I/O (write
especially, less often read) and there is no I/O before the
SSL_write; the SSL_write IS the I/O.

Assuming clean means OPENSSL_cleanse or equivalent, before
the build (sprintf) or between that and write? The former
is useless; the latter would destroy exactly the data you
want to send, which is stupid. If you want to clean it so you
don't have it in memory, clean it after sending. And clean
password anytime after using it to build pass_cmd. (It may be
and often is convenient to group all needed clean operations
at the end of the function body, just before the return --
assuming there is a single return, which is often but not
universally considered good programming practice.)

>The strlen is also giving a valid size including \r\n

But not after being cleaned, if in fact it is.

FWIW {,f,s,sn}printf returns the number of characters written,
excluding the null terminator, so you could remember that and
use that. Tomayto, tomahto.

>Is this in anyway related to OpenSSL?

Very unlikely. If you get an application level response -ERR
then your application level request got there.

If the server allows nonSSL access that might be easier to debug.
Alternatively, try connecting with commandline s_client and typing
the (few) commands manually. (It's not easy to get the CR on
terminal input at least on Unix, but a Postelian server will
likely accept plain-LF.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
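
The bounded input, checked snprintf and clean-after-send order recommended in the reply above, as an added C example that is not part of the original message or of OpenSSL. Assumptions: wipe() stands in for OPENSSL_cleanse, demo_send() stands in for the SSL_write call, and the buffer sizes and function names are made up for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PW_MAX  128              /* assumed size limits for this example */
#define CMD_MAX (PW_MAX + 8)     /* "PASS " + password + "\r\n" + NUL */

/* Stand-in for OPENSSL_cleanse(): volatile stores the compiler must keep. */
void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read one line with fgets and drop the '\n' if (and only if) it is there.
 * Returns the length, or -1 on EOF/error or when the line did not fit. */
int read_line(FILE *in, char *buf, size_t size)
{
    int c;
    if (fgets(buf, (int)size, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[--n] = '\0'; return (int)n; }
    if (feof(in)) return (int)n;            /* final line without newline */
    while ((c = getc(in)) != EOF && c != '\n') { }  /* discard the excess */
    wipe(buf, size);
    return -1;
}

/* Build "PASS <pw>\r\n". snprintf's return value is the length to send;
 * a truncated command is rejected rather than sent. */
int build_pass_cmd(char *out, size_t size, const char *pw)
{
    int n = snprintf(out, size, "PASS %s\r\n", pw);
    if (n < 0 || (size_t)n >= size) { wipe(out, size); return -1; }
    return n;
}

/* Constructed stand-in for SSL_write(ssl, buf, len): records the length. */
int demo_last_len;
int demo_send(const char *buf, int len)
{
    demo_last_len = len;
    return (len >= 2 && buf[len - 2] == '\r' && buf[len - 1] == '\n') ? len : -1;
}

/* Read, build, send, then clean both buffers on the single exit path. */
int send_pass(FILE *in, int (*send_fn)(const char *, int))
{
    char password[PW_MAX], pass_cmd[CMD_MAX];
    int rc = -1, len;
    if (read_line(in, password, sizeof password) >= 0 &&
        (len = build_pass_cmd(pass_cmd, sizeof pass_cmd, password)) > 0)
        rc = send_fn(pass_cmd, len);        /* send BEFORE cleaning */
    wipe(password, sizeof password);
    wipe(pass_cmd, sizeof pass_cmd);
    return rc;
}
```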