help-gsasl

Re: Potential bug in win32 binary version?


From: Daniel Armyr
Subject: Re: Potential bug in win32 binary version?
Date: Sat, 12 Jan 2008 10:38:19 +0100

Actually, I didn't build it myself. I used the version from the Vortex
Project, because I don't have a MinGW environment set up on my computer.

--DA

On Fri, 11 Jan 2008 17:05:27 +0100
Simon Josefsson <address@hidden> wrote:

> "Daniel Armyr" <address@hidden> writes:
> 
> > Hi.
> > I attempted to secure an existing win32 program by adding gsasl as
> > the authentication process. Everything works fine, but we suddenly
> > realized that the challenge strings are always identical. Is this
> > a known bug?
> >
> > Here is a sample code snippet to show the problem:
> >
> > #include <stdio.h>
> > #include <gsasl.h>
> >
> > int main (void)
> > {
> >   char password[40] = "secret";   /* placeholder; set elsewhere in the real program */
> >   Gsasl *ctx;
> >   Gsasl_session *session;
> >   char *p;
> >
> >   gsasl_init (&ctx);
> >   gsasl_server_start (ctx, "CRAM-MD5", &session);
> >   gsasl_property_set (session, GSASL_AUTHID, "admin");
> >   gsasl_property_set (session, GSASL_PASSWORD, password);
> >   gsasl_step64 (session, "", &p);   /* p receives the base64 challenge */
> >   printf ("%s\n", p);
> >   return 0;
> > }
> >
> > In this case, p is always exactly the same string every time.
> > Anyone see the problem?
> 
> Hi!  Thanks for the report.  Did you link gsasl with libgcrypt?
> Otherwise, gsasl will read the nonce from /dev/random which probably
> doesn't exist on win32.  You should have seen a warning
> from ./configure when you built gsasl.
> 
> This seems like a serious problem, and we should make sure it can't
> happen.  The code in the CRAM-MD5 server doesn't check the return
> value from the randomness-function.  Fixing that would be the first
> step.  A self-test to test whether two challenges are different
> should be added too.
> 
> Thanks,
> /Simon
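The two fixes Simon describes above (check the randomness function's return value, and self-test that two challenges differ), as an added example that is not gsasl's own code: a small CRAM-MD5 style challenge generator that reads its nonce from a caller-supplied device path and refuses to issue a challenge when that source is unavailable, which is the win32 missing-/dev/random case, plus the proposed two-challenge comparison. The device path, the host name example.invalid and the exact challenge layout are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NONCE_LEN 16

/* Read NONCE_LEN random bytes from the device at `path`.  Returns 0 on
 * success and -1 if the source is missing or short (as when /dev/random
 * does not exist on win32), instead of leaving the buffer unchanged. */
static int read_nonce (const char *path, unsigned char *out, size_t len)
{
  FILE *fp = fopen (path, "rb");
  size_t got;
  if (fp == NULL)
    return -1;
  got = fread (out, 1, len, fp);
  fclose (fp);
  return got == len ? 0 : -1;
}

/* Build a CRAM-MD5 style challenge "<hexnonce.time@host>" into buf.
 * Fails closed (returns -1 with buf emptied) when no randomness is
 * available, so a fixed, predictable challenge is never issued. */
int make_challenge (const char *rand_path, char *buf, size_t buflen)
{
  unsigned char nonce[NONCE_LEN];
  char hex[2 * NONCE_LEN + 1];
  size_t i;

  buf[0] = '\0';
  if (read_nonce (rand_path, nonce, sizeof nonce) != 0)
    return -1;
  for (i = 0; i < sizeof nonce; i++)
    snprintf (hex + 2 * i, 3, "%02x", nonce[i]);
  snprintf (buf, buflen, "<%s.%ld@example.invalid>", hex, (long) time (NULL));
  return 0;
}

/* Self-test in the spirit of the one proposed in the thread: two
 * consecutive challenges must differ.  Returns 1 if they do, 0 if they
 * are equal or if either could not be generated. */
int challenges_differ (const char *rand_path)
{
  char a[128], b[128];
  if (make_challenge (rand_path, a, sizeof a) != 0
      || make_challenge (rand_path, b, sizeof b) != 0)
    return 0;
  return strcmp (a, b) != 0;
}
```

On a platform without the device, `challenges_differ` returns 0 and `make_challenge` reports an error rather than handing back a constant string, which is the observable behaviour the original report lacked.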



