DIGEST-MD5 authzid question

Remko Tronçon remko at el-tramo.be
Fri Feb 2 11:48:59 EST 2007


Hi,

I was browsing the digest-md5 code, and found the following piece of
code in make_client_response() (and in other places):

    if (strcmp(oparams->user, oparams->authid)) {
        if (add_to_challenge(params->utils, &text->out_buf,
                             &text->out_buf_len, &resplen,
                             "authzid", (char *) oparams->user, TRUE)
            != SASL_OK) {
            result = SASL_FAIL;
            goto FreeAllocatedMem;
        }
    }

Does this mean that Cyrus compares the authorization id against the
authentication id, and doesn't add it to the challenge if they are
equal? If so, why is this done? Because Section 5 of RFC2222bis says
that "A protocol profile MUST specify the form of the authorization
identity (since it is protocol specific, as opposed to the
authentication identity, which is mechanism specific) and how
authorization identities are to be compared.", so comparing
authorization and authentication ids sounds illegal in the first
place.

thanks,
Remko
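
Added worked example (editor's note; this is neither part of Remko's message nor code from the Cyrus SASL source tree): the RFC 2831 DIGEST-MD5 response computation written out in Python, to show the practical consequence of the snippet quoted above. The authzid value is concatenated into A1 only when the directive is present, so whether the client emits the directive, not merely what value it carries, changes the response hash, and the server has to make the same include/omit decision to verify it. The helper names and the dict of parameters are my own; the parameter values are taken from the worked example in RFC 2831 Section 4, which sends no authzid.

```python
import hashlib
from typing import Optional

# Added example (not Cyrus SASL code): the DIGEST-MD5 response computation
# from RFC 2831 section 2.1.2.1, written out to show that the authzid
# directive is hashed into A1 when present and simply absent otherwise.
# Function and variable names are assumptions chosen for illustration;
# the sample values are from the RFC 2831 section 4 example.


def _md5(data: bytes) -> bytes:
    """H(): raw 16-byte MD5 digest (A1 starts with this, not its hex form)."""
    return hashlib.md5(data).digest()


def _md5_hex(data: bytes) -> str:
    """HEX(H()): lowercase hex MD5 digest, as used for the response-value."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str,
                        nonce: str, cnonce: str, nc: str, qop: str,
                        digest_uri: str, authzid: Optional[str] = None,
                        rspauth: bool = False) -> str:
    """Compute the RFC 2831 response-value (or rspauth when rspauth=True).

    A1 = H(username:realm:password) ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri [":" 32 zeros for auth-int/auth-conf]
         (the "AUTHENTICATE" prefix is omitted for rspauth)
    response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    """
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid is not None:
        # The directive's presence, not only its value, changes the hash.
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd_input = (f"{_md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:"
                f"{_md5_hex(a2.encode('utf-8'))}")
    return _md5_hex(kd_input.encode("utf-8"))


# Values taken from the worked example in RFC 2831 section 4 (no authzid sent).
RFC2831_EXAMPLE = dict(
    username="chris", realm="elwood.innosoft.com", password="secret",
    nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
    qop="auth", digest_uri="imap/elwood.innosoft.com",
)


def responses_with_and_without_authzid(params: dict, authzid: str) -> tuple:
    """Return (response without authzid, response with authzid=<authzid>).

    Even when authzid equals the authentication identity the two differ,
    so a client that silently drops an "equal" authzid and a server that
    does not apply the same rule will disagree on the expected response.
    """
    without = digest_md5_response(**params)
    with_authzid = digest_md5_response(**params, authzid=authzid)
    return without, with_authzid


if __name__ == "__main__":
    no_directive, same_as_authid = responses_with_and_without_authzid(
        RFC2831_EXAMPLE, "chris")
    print("no authzid directive:        ", no_directive)
    print('authzid="chris" (== authid): ', same_as_authid)
    print("identical:", no_directive == same_as_authid)
```

Run stand-alone it prints the two response values side by side. The point for anyone touching this code path: the comparison in make_client_response() decides what goes on the wire, and the peer cannot reconstruct that decision from the hash alone, so the client's rule has to match what the server computes.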


More information about the Cyrus-sasl mailing list