From 842aa402c339d2394e9f8f25a06319dfcd31ad4b Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen <ossi@users.sf.net>
Date: Sat, 13 Apr 2013 10:47:46 +0200
Subject: [PATCH] fix CRAM-MD5 authentication

the decoded challenge may be padded, so we really need to use strlen()
rather than just the decoded length.
---
 src/socket.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/socket.c b/src/socket.c
index c7eadcd..90c7ca0 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -679,7 +679,7 @@ cram( const char *challenge, const char *user, const char *pass, char **_final,
 {
 	char *response, *final;
 	unsigned hashlen;
-	int i, clen, rlen, blen, flen, olen;
+	int i, clen, blen, flen, olen;
 	unsigned char hash[16];
 	char buf[256], hex[33];
 	HMAC_CTX hmac;
@@ -689,8 +689,8 @@ cram( const char *challenge, const char *user, const char *pass, char **_final,
 	clen = strlen( challenge );
 	/* response will always be smaller than challenge because we are decoding. */
 	response = nfcalloc( 1 + clen );
-	rlen = EVP_DecodeBlock( (unsigned char *)response, (unsigned char *)challenge, clen );
-	HMAC_Update( &hmac, (unsigned char *)response, rlen );
+	EVP_DecodeBlock( (unsigned char *)response, (unsigned char *)challenge, clen );
+	HMAC_Update( &hmac, (unsigned char *)response, strlen( response ) );
 	free( response );
 
 	hashlen = sizeof(hash);