
Re: question about digest-md5 implementation


From: Simon Josefsson
Subject: Re: question about digest-md5 implementation
Date: Tue, 11 Dec 2007 16:22:52 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Adam Goode <address@hidden> writes:

> Hi,
>
> I have been debugging the SASL implementation in some programs, and
> discovered a common bug in some SASL libraries.
>
> Digest-MD5, as given by RFC2831, has a weird special case here:
> http://rfc.net/rfc2831.html#p11
>
>    The "username-value", "realm-value" and "passwd" are encoded
>    according to the value of the "charset" directive. If "charset=UTF-8"
>    is present, and all the characters of either "username-value" or
>    "passwd" are in the ISO 8859-1 character set, then it must be
>    converted to ISO 8859-1 before being hashed. This is so that
>    authentication databases that store the hashed username, realm and
>    password (which is common) can be shared compatibly with HTTP, which
>    specifies ISO 8859-1. A sample implementation of this conversion is
>    in section 8.
>
> It looks like gsasl also has this bug, where this reencoding is not
> implemented. Is this true? I have looked through the code, but I can't
> be sure.

You are right.  I have added a FIXME to the code now, patches are
welcome.

Note that DIGEST-MD5 is being deprecated by the IETF SASL WG.  Unless
you really need a DIGEST-MD5 implementation, I would consider spending
your time implementing one of the newer password-based mechanisms.

> Note that the RFC as quoted above is a bit misleading. While it says
> that username-value and passwd must be converted, the realm-value should
> also be converted. (This is what Cyrus-SASL and Java do.)

Thanks for the information.

/Simon
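To make the interoperability problem in the quoted RFC 2831 passage concrete, here is an added illustration (not gsasl code, and not from either poster) of the DIGEST-MD5 A1 computation with and without the ISO 8859-1 conversion rule. It assumes the rule is applied to each value independently and, following Adam's note on Cyrus-SASL and Java, to the realm as well as the username and password; the authzid variant of A1 is omitted, and the nonce and cnonce values are constructed placeholders.

```python
import hashlib

# Added example (not gsasl's implementation): RFC 2831 section 2.1.2.1
# charset handling in the DIGEST-MD5 A1 hash, compared with a library that
# hashes UTF-8 unconditionally, which is the bug discussed in the thread.


def rfc2831_encode(value: str) -> bytes:
    """Bytes to hash for a username, realm or password under the RFC rule.

    When charset=UTF-8 is in effect but every character of the value is
    representable in ISO 8859-1, the value is hashed as ISO 8859-1 so that
    hashed credentials can be shared with HTTP Digest (RFC 2617), which
    specifies ISO 8859-1.  Otherwise the UTF-8 bytes are hashed.
    Assumption: each value is decided on its own, and the realm is treated
    like the username and password (the Cyrus-SASL/Java behaviour).
    """
    try:
        return value.encode("iso-8859-1")
    except UnicodeEncodeError:
        return value.encode("utf-8")


def utf8_only(value: str) -> bytes:
    """The behaviour reported as a bug: hash the UTF-8 bytes unconditionally."""
    return value.encode("utf-8")


def h_user_realm_pass(username: str, realm: str, password: str,
                      charset_rule: bool = True) -> bytes:
    """H( unq(username-value) ":" unq(realm-value) ":" passwd ) as raw 16 bytes."""
    enc = rfc2831_encode if charset_rule else utf8_only
    data = enc(username) + b":" + enc(realm) + b":" + enc(password)
    return hashlib.md5(data).digest()


def digest_md5_a1_hex(username: str, realm: str, password: str,
                      nonce: str, cnonce: str, charset_rule: bool = True) -> str:
    """HEX(H(A1)) per RFC 2831; the inner hash stays raw bytes, not hex."""
    inner = h_user_realm_pass(username, realm, password, charset_rule)
    a1 = inner + b":" + nonce.encode("ascii") + b":" + cnonce.encode("ascii")
    return hashlib.md5(a1).hexdigest()


def http_digest_ha1_hex(username: str, realm: str, password: str) -> str:
    """HTTP Digest HA1 = MD5(username:realm:password) in ISO 8859-1 (RFC 2617)."""
    data = ":".join((username, realm, password)).encode("iso-8859-1")
    return hashlib.md5(data).hexdigest()


def compare(username: str, realm: str, password: str,
            nonce: str = "constructed-nonce-0001",      # constructed placeholder
            cnonce: str = "constructed-cnonce-0001"):   # constructed placeholder
    """Return (a1_with_rule, a1_utf8_only, agree) for one set of credentials."""
    with_rule = digest_md5_a1_hex(username, realm, password, nonce, cnonce, True)
    utf8 = digest_md5_a1_hex(username, realm, password, nonce, cnonce, False)
    return with_rule, utf8, with_rule == utf8


if __name__ == "__main__":
    # Constructed sample credentials; only the non-ASCII Latin-1 case diverges.
    for pw in ("secret", "caf\u00e9", "\u20ac5"):
        rule, utf8, agree = compare("user", "example.org", pw)
        print(f"password={pw!r}: agree={agree}")
```

An ASCII-only password hashes identically either way, which is why the bug stays hidden until a user has a password (or username, or realm) containing a character such as "é" that ISO 8859-1 can represent; a value with a character outside ISO 8859-1, such as "€", falls back to UTF-8 under both behaviours and again agrees. The `http_digest_ha1_hex` function shows the compatibility the RFC is after: the inner hash under the rule equals the HA1 an HTTP Digest database would store.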
