Hi Graham, hi Chris,

On Wednesday 10 March 2004 22:27, Chris Ridd wrote:
> On 8/3/04 12:28 pm, Graham Barr <[EMAIL PROTECTED]> wrote:
> > On 4 Mar 2004, at 09:03, Paul Connolly wrote:
> >> Graham & co-
> >> See below for a patch to DIGEST_MD5.pm - there are two issues
> >> resolved here. Firstly, as reported on this list, the qop value in the
> >> response should not be a quoted value.
> >> The second fixes bad handling of the qop in the challenge. The
> >> qop challenge is a quoted string of one or more tokens. The only
> >> supported option is 'auth', so the patch checks for this option in the
> >> list (others could be 'auth-int' and 'auth-conf') and always sets qop
> >> in the response to the same.
> >> I've verified this against the Critical Path Directory Server
> >> and against Windows 2003 Active Directory.
> >
> > Chris, You said a while back that you had some changes for DIGEST_MD5,
> > is this fixing the same problem ?
>
> I don't recall the first problem, but the second one sounds similar to what
> I saw. I've been fighting the linker on HP-UX for the last few days, but
> will take a look at this tomorrow...

let me come back to the mail from Paul Connolly.
I tested DIGEST-MD5 from Authen-SASL 2.05 against OpenLDAP
(using cyrus-sasl2 as server-side SASL implementation) and can 
confirm Paul's findings.

I also checked against RFC2831 as well as the newer draft in cyrus-sasl2 
package. Both say:
- the server sends a quoted list of comma separated qop-values
  e.g.    qop="auth,auth-int,auth-conf"
- the client sends back one of the elements received from the server
  e.g.    qop=auth
So Paul's fixes match the RFCs.
(If I understand the RFCs and the code correctly, he is even right in saying 
that the client sending the qop values auth-int and auth-conf is not supported in 
the code.)

I have converted his fixes into unified diff format and added a patch for the 
test, which I append to this mail.

Would you mind applying this patch to Authen-SASL and releasing a new version?

Yours
Peter

-- 
Peter Marschall
eMail: [EMAIL PROTECTED]
# patch to fix the handling of qop in Digest-MD5 SASL mech
# published on the perl-ldap ML on 03/04/2004 by Paul Connolly
# test script adapted by Peter Marschall <[EMAIL PROTECTED]>
--- lib/Authen/SASL/Perl/DIGEST_MD5.pm
+++ lib/Authen/SASL/Perl/DIGEST_MD5.pm	2004-03-06 18:07:54.000000000 +0100
@@ -19,7 +19,7 @@
 );
 
 # some have to be quoted - some don't - sigh!
-my %qdval; @qdval{qw(username realm nonce cnonce digest-uri qop)} = ();
+my %qdval; @qdval{qw(username realm nonce cnonce digest-uri)} = ();
 
 sub _order { 3 }
 sub _secflags {
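Review bot: Dropping qop from %qdval makes the client emit qop=auth as a bare token, which is what RFC 2831 specifies for the qop directive in the digest-response (only the challenge's qop-options list is quoted). The comment above the list ("some have to be quoted - some don't - sigh!") would be more useful if it named the rule it implements, e.g. "# RFC 2831: username, realm, nonce, cnonce and digest-uri are quoted; qop, nc, charset and response are not", so the next person does not put qop back.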
@@ -51,6 +51,9 @@
   return $self->set_error("Bad challenge: '$challenge'")
     if length $challenge;
 
+  return $self->set_error("Server does not support auth (qop = $sparams{'qop'})")
+    unless grep { /^auth$/ } split(/,/, $sparams{'qop'});
+
   my %response = (
     nonce        => $sparams{'nonce'},
     username     => $self->_call('user'),
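Review bot: The new check fails when the server omits the qop directive entirely: $sparams{'qop'} is then undef, split warns about an uninitialized value and grep finds nothing, so the client aborts even though RFC 2831 defines a missing qop-options directive as "auth". It also rejects a server that writes the list with spaces around the commas (qop="auth, auth-int"), because /^auth$/ does not match " auth". Suggest defaulting and trimming before the test, e.g. `my @qops = split /\s*,\s*/, (defined $sparams{'qop'} ? $sparams{'qop'} : 'auth');` followed by `unless grep { $_ eq 'auth' } @qops;`.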
@@ -58,7 +61,7 @@
     nonce        => $sparams{'nonce'},
     cnonce       => md5_hex($CNONCE || join (":", $$, time, rand)),
     'digest-uri' => $self->service . '/' . $self->host,
-    qop          => $sparams{'qop'},
+    qop          => 'auth',
     nc           => sprintf("%08d",     ++$self->{nonce}{$sparams{'nonce'}}),
     charset      => $sparams{'charset'},
   );
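Review bot: Hardcoding qop => 'auth' is consistent with the check added in the previous hunk, but it means the client never negotiates the integrity or confidentiality layers (auth-int, auth-conf) even when the server offers them, and a server that requires one of them will now reject the bind with the new "Server does not support auth" error. That is the correct fail-closed outcome for a client that only implements auth, but it should be stated in the module's POD or in a comment at this line, so users do not expect the qop value from the challenge to be echoed back.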
--- t/digest_md5.t
+++ t/digest_md5.t	Sun Mar 14 11:03:00 2004
@@ -30,13 +30,13 @@
 $conn->client_start eq '' or print "not ";
 print "ok 4\n";
 
-my $sparams = 'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8';
+my $sparams = 'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth,auth-inf",algorithm=md5-sess,charset=utf-8';
 # override for testing as by default it uses $$, time and rand
 $Authen::SASL::Perl::DIGEST_MD5::CNONCE = "foobar";
 $Authen::SASL::Perl::DIGEST_MD5::CNONCE = "foobar"; # avoid used only once warning
 my $initial = $conn->client_step($sparams);
 
-$initial eq 'charset=utf-8,cnonce="3858f62230ac3c915f300c664312c63f",digest-uri="ldap/localhost",nc=00000001,nonce="OA6MG9tEQGm2hh",qop="auth",realm="elwood.innosoft.com",response=9c81619e12f61fb2eed6bc8ed504ad28,username="gbarr"'
+$initial eq 'charset=utf-8,cnonce="3858f62230ac3c915f300c664312c63f",digest-uri="ldap/localhost",nc=00000001,nonce="OA6MG9tEQGm2hh",qop=auth,realm="elwood.innosoft.com",response=9c81619e12f61fb2eed6bc8ed504ad28,username="gbarr"'
    or print "not ";
 print "ok 5\n";
 
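Review bot: The new challenge in the test uses qop="auth,auth-inf"; "auth-inf" is not a qop-value defined by RFC 2831, and the thread above names the other options as auth-int and auth-conf, so this looks like a typo for auth-int. The expected response digest is unchanged from the old line, which is correct because the client still sends the token auth and only its quoting changed. A second case with a challenge that offers only auth-int, expecting client_step to fail with the new "Server does not support auth" error, would cover the error path added to DIGEST_MD5.pm.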
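As an added illustration (not code from Authen::SASL or from the patch above), a small Perl script that handles the qop directive of a DIGEST-MD5 challenge the way RFC 2831 describes it: the server's quoted, comma-separated list, optional whitespace around the commas, the "auth" default when the directive is absent, and the single unquoted token the client sends back. The helper names and the sample challenges are my own.

```perl
#!/usr/bin/perl
# Added example, not part of Authen::SASL: parse the qop-options of a
# DIGEST-MD5 challenge (RFC 2831) and pick the qop the client will use.
use strict;
use warnings;

# Split a challenge into key/value pairs, stripping the quotes from
# quoted values.  A value is either a quoted string (which may itself
# contain commas, as qop="auth,auth-int" does) or a bare token.
sub parse_challenge {
    my ($challenge) = @_;
    my %params;
    while ($challenge =~ /\G\s*([\w-]+)=("([^"]*)"|[^,]*)\s*(?:,|$)/g) {
        $params{$1} = defined $3 ? $3 : $2;
    }
    return \%params;
}

# Return the list of qop-values the server offered.  RFC 2831 makes the
# directive optional (default "auth"), and its list syntax allows
# whitespace around the commas, so trim rather than split on "," alone.
sub offered_qops {
    my ($params) = @_;
    my $qop = defined $params->{qop} ? $params->{qop} : 'auth';
    return grep { length } split /\s*,\s*/, $qop;
}

# Choose the qop to send back.  This client only implements "auth", so
# it fails closed (undef) when the server does not offer it.
sub choose_qop {
    my ($params) = @_;
    my $has_auth = grep { $_ eq 'auth' } offered_qops($params);
    return $has_auth ? 'auth' : undef;
}

# Constructed challenges covering the cases above.
for my $c (
    'realm="x",nonce="n",qop="auth,auth-int",algorithm=md5-sess',
    'realm="x",nonce="n",qop="auth, auth-conf",algorithm=md5-sess',
    'realm="x",nonce="n",algorithm=md5-sess',           # qop omitted
    'realm="x",nonce="n",qop="auth-int",algorithm=md5-sess',
) {
    my $qop = choose_qop(parse_challenge($c));
    # The client's directive is the bare token, never quoted.
    print defined $qop ? "qop=$qop\n" : "server does not offer auth\n";
}
```

The first three challenges yield the unquoted `qop=auth`; the last one is refused, matching the error path the patch adds.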
