ruby
diff --git a/‎lib/net/imap.rb
Lines changed: 11 additions & 0 deletions b/‎lib/net/imap.rb
Lines changed: 11 additions & 0 deletions
diff --git a/‎lib/net/imap/sasl.rb
Lines changed: 16 additions & 0 deletions b/‎lib/net/imap/sasl.rb
Lines changed: 16 additions & 0 deletions
diff --git a/‎lib/net/imap/sasl/authenticators.rb
Lines changed: 2 additions & 0 deletions b/‎lib/net/imap/sasl/authenticators.rb
Lines changed: 2 additions & 0 deletions
diff --git a/‎lib/net/imap/sasl/gs2_header.rb
Lines changed: 12 additions & 11 deletions b/‎lib/net/imap/sasl/gs2_header.rb
Lines changed: 12 additions & 11 deletions
diff --git a/‎lib/net/imap/sasl/scram_algorithm.rb
Lines changed: 58 additions & 0 deletions b/‎lib/net/imap/sasl/scram_algorithm.rb
Lines changed: 58 additions & 0 deletions
@@ -1026,6 +1026,17 @@ def starttls(options = {}, verify = true)
     #
     #     Login using clear-text username and password.
     #
+    # +SCRAM-SHA-1+::
+    # +SCRAM-SHA-256+::
+    #     See ScramAuthenticator[rdoc-ref:Net::IMAP::SASL::ScramAuthenticator].
+    #
+    #     Login by username and password.  The password is not sent to the
+    #     server but is used in a salted challenge/response exchange.
+    #     +SCRAM-SHA-1+ and +SCRAM-SHA-256+ are directly supported by
+    #     Net::IMAP::SASL.  New authenticators can easily be added for any other
+    #     <tt>SCRAM-*</tt> mechanism if the digest algorithm is supported by
+    #     OpenSSL::Digest.
+    #
     # +XOAUTH2+::
     #     See XOAuth2Authenticator[rdoc-ref:Net::IMAP::SASL::XOAuth2Authenticator].
     #
 
@@ -51,6 +51,17 @@ class IMAP
     #
     #     Login using clear-text username and password.
     #
+    # +SCRAM-SHA-1+::
+    # +SCRAM-SHA-256+::
+    #     See ScramAuthenticator.
+    #
+    #     Login by username and password.  The password is not sent to the
+    #     server but is used in a salted challenge/response exchange.
+    #     +SCRAM-SHA-1+ and +SCRAM-SHA-256+ are directly supported by
+    #     Net::IMAP::SASL.  New authenticators can easily be added for any other
+    #     <tt>SCRAM-*</tt> mechanism if the digest algorithm is supported by
+    #     OpenSSL::Digest.
+    #
     # +XOAUTH2+::
     #     See XOAuth2Authenticator.
     #
@@ -89,10 +100,15 @@ module SASL
       sasl_dir = File.expand_path("sasl", __dir__)
       autoload :Authenticators,           "#{sasl_dir}/authenticators"
       autoload :GS2Header,                "#{sasl_dir}/gs2_header"
+      autoload :ScramAlgorithm,           "#{sasl_dir}/scram_algorithm"
+      autoload :ScramAuthenticator,       "#{sasl_dir}/scram_authenticator"
+
       autoload :AnonymousAuthenticator,   "#{sasl_dir}/anonymous_authenticator"
       autoload :ExternalAuthenticator,    "#{sasl_dir}/external_authenticator"
       autoload :OAuthBearerAuthenticator, "#{sasl_dir}/oauthbearer_authenticator"
       autoload :PlainAuthenticator,       "#{sasl_dir}/plain_authenticator"
+      autoload :ScramSHA1Authenticator,   "#{sasl_dir}/scram_sha1_authenticator"
+      autoload :ScramSHA256Authenticator, "#{sasl_dir}/scram_sha256_authenticator"
       autoload :XOAuth2Authenticator,     "#{sasl_dir}/xoauth2_authenticator"
 
       autoload :CramMD5Authenticator,     "#{sasl_dir}/cram_md5_authenticator"
 
@@ -37,6 +37,8 @@ def initialize(use_defaults: false)
         add_authenticator "External"
         add_authenticator "OAuthBearer"
         add_authenticator "Plain"
+        add_authenticator "Scram-SHA-1"
+        add_authenticator "Scram-SHA-256"
         add_authenticator "XOAuth2"
         add_authenticator "Login"      # deprecated
         add_authenticator "Cram-MD5"   # deprecated
 
@@ -4,15 +4,19 @@ module Net
   class IMAP < Protocol
     module SASL
 
-      # Several mechanisms start with a GS2 header:
-      # * +GS2-*+
-      # * +SCRAM-*+ --- ScramAuthenticator
-      # * +OPENID20+
-      # * +SAML20+
-      # * +OAUTH10A+
-      # * +OAUTHBEARER+ --- OAuthBearerAuthenticator
+      # Originally defined for the GS2 mechanism family in
+      # RFC5801[https://tools.ietf.org/html/rfc5801],
+      # several different mechanisms start with a GS2 header:
+      # * +GS2-*+       --- RFC5801[https://tools.ietf.org/html/rfc5801]
+      # * +SCRAM-*+     --- RFC5802[https://tools.ietf.org/html/rfc5802],
+      #   see ScramAuthenticator.
+      # * +SAML20+      --- RFC6595[https://tools.ietf.org/html/rfc6595]
+      # * +OPENID20+    --- RFC6616[https://tools.ietf.org/html/rfc6616]
+      # * +OAUTH10A+    --- RFC7628[https://tools.ietf.org/html/rfc7628]
+      # * +OAUTHBEARER+ --- RFC7628[https://tools.ietf.org/html/rfc7628],
+      #   see OAuthBearerAuthenticator..
       #
-      # Classes that include this must implement +#authzid+.
+      # Classes that include this module must implement +#authzid+.
       module GS2Header
         NO_NULL_CHARS = /\A[^\x00]+\z/u.freeze # :nodoc:
 
@@ -60,9 +64,6 @@ def gs2_authzid
         module_function
 
         # Encodes +str+ to match RFC5801_SASLNAME.
-        #
-        #--
-        # TODO: validate NO_NULL_CHARS and valid UTF-8 in the attr_writer.
         def gs2_saslname_encode(str)
           str = str.encode("UTF-8")
           # Regexp#match raises "invalid byte sequence" for invalid UTF-8
 
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Net
+  class IMAP
+    module SASL
+
+      # For method descriptions,
+      # see {RFC5802 §2.2}[https://www.rfc-editor.org/rfc/rfc5802#section-2.2]
+      # and {RFC5802 §3}[https://www.rfc-editor.org/rfc/rfc5802#section-3].
+      module ScramAlgorithm
+        def Normalize(str) SASL.saslprep(str) end
+
+        def Hi(str, salt, iterations)
+          length = digest.digest_length
+          OpenSSL::KDF.pbkdf2_hmac(
+            str,
+            salt:       salt,
+            iterations: iterations,
+            length: length,
+            hash: digest,
+          )
+        end
+
+        def H(str) digest.digest str end
+
+        def HMAC(key, data) OpenSSL::HMAC.digest(digest, key, data) end
+
+        def XOR(str1, str2)
+          str1.unpack("C*")
+            .zip(str2.unpack("C*"))
+            .map {|a, b| a ^ b }
+            .pack("C*")
+        end
+
+        def auth_message
+          [
+            client_first_message_bare,
+            server_first_message,
+            client_final_message_without_proof,
+          ]
+            .join(",")
+        end
+
+        def salted_password
+          Hi(Normalize(password), salt, iterations)
+        end
+
+        def client_key;       HMAC(salted_password, "Client Key") end
+        def server_key;       HMAC(salted_password, "Server Key") end
+        def stored_key;       H(client_key)                       end
+        def client_signature; HMAC(stored_key, auth_message)      end
+        def server_signature; HMAC(server_key, auth_message)      end
+        def client_proof;     XOR(client_key, client_signature)   end
+      end
+
+    end
+  end
+end
Original file line number	Diff line number	Diff line change
`@@ -1026,6 +1026,17 @@ def starttls(options = {}, verify = true)`
`1026`	`1026`	`#`
`1027`	`1027`	`# Login using clear-text username and password.`
`1028`	`1028`	`#`
	`1029`	`+ # +SCRAM-SHA-1+::`
	`1030`	`+ # +SCRAM-SHA-256+::`
	`1031`	`+ # See ScramAuthenticator[rdoc-ref:Net::IMAP::SASL::ScramAuthenticator].`
	`1032`	`+ #`
	`1033`	`+ # Login by username and password. The password is not sent to the`
	`1034`	`+ # server but is used in a salted challenge/response exchange.`
	`1035`	`+ # +SCRAM-SHA-1+ and +SCRAM-SHA-256+ are directly supported by`
	`1036`	`+ # Net::IMAP::SASL. New authenticators can easily be added for any other`
	`1037`	`+ # <tt>SCRAM-*</tt> mechanism if the digest algorithm is supported by`
	`1038`	`+ # OpenSSL::Digest.`
	`1039`	`+ #`
`1029`	`1040`	`# +XOAUTH2+::`
`1030`	`1041`	`# See XOAuth2Authenticator[rdoc-ref:Net::IMAP::SASL::XOAuth2Authenticator].`
`1031`	`1042`	`#`