help-gsasl

question about digest-md5 implementation


From: Adam Goode
Subject: question about digest-md5 implementation
Date: Tue, 11 Dec 2007 02:32:28 -0500
User-agent: Thunderbird 2.0.0.9 (X11/20071115)

Hi,

I have been debugging the SASL implementation in some programs, and
discovered a common bug in some SASL libraries.

Digest-MD5, as given by RFC2831, has a weird special case here:
http://rfc.net/rfc2831.html#p11

   The "username-value", "realm-value" and "passwd" are encoded
   according to the value of the "charset" directive. If "charset=UTF-8"
   is present, and all the characters of either "username-value" or
   "passwd" are in the ISO 8859-1 character set, then it must be
   converted to ISO 8859-1 before being hashed. This is so that
   authentication databases that store the hashed username, realm and
   password (which is common) can be shared compatibly with HTTP, which
   specifies ISO 8859-1. A sample implementation of this conversion is
   in section 8.

It looks like gsasl also has this bug, where this reencoding is not
implemented. Is this true? I have looked through the code, but I can't
be sure.

Note that the RFC as quoted above is a bit misleading. While it says
that username-value and passwd must be converted, the realm-value should
also be converted. (This is what Cyrus-SASL and Java do.)



Thanks,

Adam
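The charset special case quoted in the post, worked through as an added example (this is neither gsasl's code nor the poster's): it computes the inner H(username-value ":" realm-value ":" passwd) of RFC 2831's A1, re-encoding each of the three values to ISO 8859-1 whenever it fits that repertoire, treating the realm like the other two as the post says Cyrus-SASL and Java do, beside the raw-UTF-8 hash the post describes as the bug. The username, realm and passwords are constructed sample values.

```python
import hashlib


def hash_encoding(value):
    """Encoding RFC 2831 requires for one directive value sent with charset=utf-8.

    If every character fits ISO 8859-1, the ISO 8859-1 bytes are hashed so the
    digest matches an HTTP Digest database; otherwise the UTF-8 bytes are hashed.
    """
    try:
        value.encode("iso-8859-1")
        return "iso-8859-1"
    except UnicodeEncodeError:
        return "utf-8"


def a1_bytes(username, realm, password, reencode=True):
    """Bytes fed to H(username-value ":" realm-value ":" passwd).

    Each value is re-encoded independently, realm included (the post's point).
    reencode=False hashes the raw UTF-8 bytes, which is the behaviour the post
    reports as the bug in some SASL libraries.
    """
    parts = []
    for value in (username, realm, password):
        enc = hash_encoding(value) if reencode else "utf-8"
        parts.append(value.encode(enc))
    return b":".join(parts)


def inner_a1_md5(username, realm, password, reencode=True):
    """Hex MD5 of the A1 prefix; this is what a shared auth database stores."""
    return hashlib.md5(a1_bytes(username, realm, password, reencode)).hexdigest()


def interop_mismatch(username, realm, password):
    """True when a peer that skips the rule computes a different digest."""
    return inner_a1_md5(username, realm, password) != inner_a1_md5(
        username, realm, password, reencode=False)


if __name__ == "__main__":
    # Constructed sample credentials (assumed values, not from the mailing list).
    for pw in ("secret", "caf\u00e9", "\u20ac5"):
        verdict = "mismatch" if interop_mismatch("alice", "example.org", pw) else "same digest"
        print(repr(pw), hash_encoding(pw), verdict)
```

Only values containing non-ASCII characters that still fit ISO 8859-1 (such as "é") expose the bug; pure ASCII and strings with characters outside Latin-1 (such as "€") hash identically either way, which is why the defect is easy to miss in testing.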


