Subj : Bug report: BinkP CRAM challenges
To   : All
From : Rob Swindell
Date : Fri Mar 09 2018 11:36 am

I'm not sure if this echo is still active (doesn't appear to be), but here goes
anyway:

During the development of a new BinkP mailer
(http://wiki.synchro.net/module:binkit) we found an incompatibility with
Internet Rex 2.29 Win32, due to a BinkP spec violation:

When IRex is making an outbound connection to a BinkP link using CRAM-MD5 auth,
if the CRAM challenge (sent by the remote) is greater in length than 16 bytes
(32 hex chars), then IRex fails to compute the CRAM response (MD5-HMAC)
correctly. The specification (FTS-1027) states:

  "Size and contents of challenge data are implementation-dependent,
   but it SHOULD be no smaller than 8 bytes and no bigger than 64
   bytes."

Yet IRex appears to only support 16 byte challenges (which happens to be what
BinkD sends, always).

                                            digital man

Synchronet/BBS Terminology Definition #52:
Sysop = System Operator
Norco, CA WX: 67.9øF, 37.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs

.