Re: question about digest-md5 implementation
From: Simon Josefsson
Subject: Re: question about digest-md5 implementation
Date: Tue, 11 Dec 2007 16:22:52 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)
Adam Goode <address@hidden> writes:
> Hi,
>
> I have been debugging the SASL implementation in some programs, and
> discovered a common bug in some SASL libraries.
>
> Digest-MD5, as given by RFC2831, has a weird special case here:
> http://rfc.net/rfc2831.html#p11
>
> The "username-value", "realm-value" and "passwd" are encoded
> according to the value of the "charset" directive. If "charset=UTF-8"
> is present, and all the characters of either "username-value" or
> "passwd" are in the ISO 8859-1 character set, then it must be
> converted to ISO 8859-1 before being hashed. This is so that
> authentication databases that store the hashed username, realm and
> password (which is common) can be shared compatibly with HTTP, which
> specifies ISO 8859-1. A sample implementation of this conversion is
> in section 8.
>
> It looks like gsasl also has this bug, where this reencoding is not
> implemented. Is this true? I have looked through the code, but I can't
> be sure.
You are right. I have added a FIXME to the code now; patches are
welcome.
Note that DIGEST-MD5 is being deprecated by the IETF SASL WG. Unless
you really need a DIGEST-MD5 implementation, I would consider spending
your time implementing one of the newer password-based mechanisms.
> Note that the RFC as quoted above is a bit misleading. While it says
> that username-value and passwd must be converted, the realm-value should
> also be converted. (This is what Cyrus-SASL and Java do.)
Thanks for the information.
/Simon
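The charset rule discussed in the thread, as an added worked example that is not part of this thread or of GNU SASL: a Python model of the RFC 2831 conversion, together with the interoperability check against a database hashed the HTTP Digest (ISO-8859-1) way. Applying the rule to each field independently, and the `convert_realm` switch (reflecting the Cyrus-SASL/Java behaviour noted above), are assumptions of this example.

```python
import hashlib


def to_digest_bytes(value: str) -> bytes:
    """RFC 2831 charset rule under charset=UTF-8: a field whose characters all
    fit in ISO-8859-1 is hashed as ISO-8859-1, anything else as UTF-8.
    Assumption: the rule is applied to each field on its own."""
    try:
        return value.encode("iso-8859-1")
    except UnicodeEncodeError:
        return value.encode("utf-8")


def digest_md5_secret(username: str, realm: str, password: str,
                      convert_realm: bool = True) -> bytes:
    """Inner H(username:realm:passwd) of the RFC 2831 HA1, i.e. the value a
    shared authentication database stores. convert_realm=True mirrors the
    Cyrus-SASL/Java behaviour; False follows the RFC's literal wording."""
    realm_bytes = to_digest_bytes(realm) if convert_realm else realm.encode("utf-8")
    joined = b":".join([to_digest_bytes(username), realm_bytes,
                        to_digest_bytes(password)])
    return hashlib.md5(joined).digest()


def naive_utf8_secret(username: str, realm: str, password: str) -> bytes:
    """The bug the thread describes: hash the raw UTF-8, skip the conversion."""
    joined = ":".join([username, realm, password]).encode("utf-8")
    return hashlib.md5(joined).digest()


def http_digest_secret(username: str, realm: str, password: str) -> bytes:
    """What an HTTP Digest database stores: ISO-8859-1 throughout."""
    joined = ":".join([username, realm, password]).encode("iso-8859-1")
    return hashlib.md5(joined).digest()


def interop_check(username: str, realm: str, password: str) -> dict:
    """Report which hashing approach agrees with the HTTP-side stored hash."""
    expected = http_digest_secret(username, realm, password)
    return {
        "rfc2831": digest_md5_secret(username, realm, password) == expected,
        "naive_utf8": naive_utf8_secret(username, realm, password) == expected,
    }


if __name__ == "__main__":
    # Constructed sample credentials; every character is in ISO-8859-1,
    # so only the converted hash matches the HTTP-style database entry.
    print(interop_check("m\u00fcller", "example.com", "p\u00e4ssw\u00f6rd"))
```

For pure ASCII credentials both approaches agree, which is why the defect only surfaces with accented usernames or passwords.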