There is a note in TPluginApiAgent::CheckLogin() that plain text authentication
is impossible when the plugin uses password verification type
Password_MD5_Nonce_IN.

I guess it is still possible as one has access to
- user name
- password
- nonce value (it may however be queried at the beginning of the method)
From these data one can generate MD5(MD5(user:pwd):nonce)
to provide to the plugin for authentication. This situation is useful
when the real authentication check is provided by another server outside
the libsynthesis plugin and this server does not provide outside
access to either the password or MD5(user:pwd).

Attached is a very preliminary patch to include support
for plain text login in this case. It does not check the config setting
for whether plain text authorisation should be allowed at all
(plain text login is not such a bad evil when using SSL).

With this patch authentication of the Funambol Android client
from Android Market (which uses plain text login and XML)
succeeded, even if this client still does not work with
a libsynthesis based server (and it seems that I'll have to give
up on attempts to get it working).

Andris

--- libsynthesis_3.4.0.24/src/DB_interfaces/api_db/pluginapiagent.cpp.plain_login	2011-08-04 09:14:34.000000000 +0300
+++ libsynthesis_3.4.0.24/src/DB_interfaces/api_db/pluginapiagent.cpp	2011-08-04 09:39:42.000000000 +0300
@@ -609,9 +609,21 @@ bool TPluginApiAgent::CheckLogin(const c
     authok = fDBApiSession.Login(aModifiedUserName,aAuthString,userKey)==LOCERR_OK;
   }
   else if (pwmode == Password_MD5_Nonce_IN) {
-    if (aAuthStringType==sectyp_clearpass) return false; // auth not possible
+    if (aAuthStringType==sectyp_clearpass) {
+        std::string p1, p2, p3;
+        if (nonce == "") getAuthNonce(aDeviceID, nonce);
+        p1 = aModifiedUserName;
+        p1 += ":";
+        p1 += aAuthString;
+        MD5B64(p1.c_str(), p1.length(), p2);
+        p2 += ":";
+        p2 += nonce;
+        MD5B64(p2.c_str(), p2.length(), p3);
+        authok = fDBApiSession.Login(aModifiedUserName,p3.c_str(), userKey)==LOCERR_OK;
+    } else {
     // login with MD5( MD5( user:pwd ):nonce )
     authok = fDBApiSession.Login(aModifiedUserName,aAuthString,userKey)==LOCERR_OK;
+    }
   }
   else {
     if (pwmode == Password_MD5_OUT) {
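
Review bot: The new sectyp_clearpass branch under Password_MD5_Nonce_IN accepts
plain text credentials unconditionally where the old line did "return false",
so a client can now downgrade to clear-text login on any transport. Gate the
branch on a configuration setting (and ideally on the session being protected
by SSL) and keep "return false" as the default when that setting is off. In the
same branch, the result of getAuthNonce(aDeviceID, nonce) is ignored, so a
failed lookup would hash against an empty nonce; check it and fail the login
instead. The test 'nonce == ""' depends on the type of nonce, which is not
visible in this hunk: if it is a C string this compares pointers, so use an
explicit emptiness check for whatever type it is. The clear password is also
left behind in p1 after the call; clear the buffer once p3 has been computed.
Style: the added lines use 8-space indentation against the file's 2-space
style, and the existing Login() call now inside the else block was not
re-indented.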
_______________________________________________
os-libsynthesis mailing list
os-libsynthesis@synthesis.ch
http://lists.synthesis.ch/mailman/listinfo/os-libsynthesis
