Cyrus-SASL 2.1.22 DIGEST-MD5 and RFC2831
Andreas Winkelmann
ml at awinkelmann.de
Mon Jan 29 13:43:20 EST 2007
On Monday 29 January 2007 15:59, Alexey Melnikov wrote:
Thanks for the answer.
> >In another list someone showed an error message from the digest-md5 plugin:
> >
> >"xxx: realm changed: authentication aborted".
>
> I would like to get more information on this error. This error message
> is a good indicator that the client is broken.
It is said to happen with Outlook 2007 and something called "40tude". I have
neither of them. Maybe someone else can test this?
> >This happens if the realm (server->client) in step 1 is different from the
> >realm (client->server) in step 2.
> >
> >In RFC 2831 the realm directive of step 2 is described as:
> >
> > realm
> > The realm containing the user's account. This directive is
> > required if the server provided any realms in the
> > "digest-challenge", in which case it may appear exactly once and
> > its value SHOULD be one of those realms. If the directive is
> > missing, "realm-value" will set to the empty string when computing
> > A1 (see below for details).
> >
> >The value in step 2 "SHOULD" be one of the values passed in step 1.
> >The "SHOULD" is realized as a "MUST" in Cyrus-SASL. Is this really OK, or
> > is this something that should rather be changed?
>
> Here is some background for why the SHOULD is used in the text you
> quoted: The server can support one or more realms, but it might not
> advertise some of them (i.e. not send them to the client). The client
> can pick one of the realms sent by the server or it can pick something
> else if it is specifically configured to do so. That "something else" still
> has to be accepted by the server.
Yes, and I think Cyrus-SASL does something different there.
From the source code for step 2 (plugins/digestmd5.c):
...
realm is the realm caught from step 2, text->realm the one from step 1.
...
    /* Sanity check the parameters */
    if (realm == NULL) {
        ... Realm is "something else" and not empty, so we can skip this ...
        /* CLAIM: realm is not NULL below */
    } else if ((strcmp(realm, text->realm) != 0) &&
               (text->realm[0] != 0)) {
        SETERROR(sparams->utils,
                 "realm changed: authentication aborted");
        result = SASL_BADAUTH;
        goto FreeAllMem;
    }
This is a simple strcmp between the realm in step 1 and the realm from step 2. If
they differ, it bails out with SASL_BADAUTH.
If I see this correctly and the realm is "something else", it fails. Maybe I'm
wrong. Please correct me if I am writing nonsense.
> Cyrus SASL server never "hides" any of the realms it supports, so the
> client must pick one of the ones sent by the server. So I think the
> current coded behavior is correct.
--
Andreas
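The two-step exchange discussed in this thread, as an added runnable example (Python; this is not Cyrus SASL code and not part of the original mail). It computes response-value and rspauth exactly as RFC 2831 section 2.1.2.1 specifies, and the server-side verifier applies the same realm test as the strcmp quoted above: a non-empty advertised realm must be echoed back unchanged, otherwise the server reports "realm changed: authentication aborted". The demo inputs are the RFC 2831 section 4 example values (user "chris", password "secret", realm "elwood.innosoft.com"); the "other.org" realm, the helper names (verify_digest_response, build_client_response, run_exchange) and the treatment of a missing realm directive as the empty string are this example's own assumptions, the last one taken from the RFC text quoted in the thread rather than from the Cyrus NULL branch, which the mail elides.

```python
import hashlib
import hmac
import re


class DigestError(Exception):
    pass


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


_DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^,]*))')


def parse_directives(message: str) -> dict:
    """Parse a digest-challenge / digest-response directive list (simplified: no
    backslash-escaped quotes inside quoted values)."""
    out = {}
    for m in _DIRECTIVE.finditer(message):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return out


def compute_response(username, realm_value, password, nonce, cnonce, nc, qop,
                     digest_uri, authzid=None, a2_method="AUTHENTICATE"):
    """response-value from RFC 2831 section 2.1.2.1; a2_method="" gives rspauth."""
    # A1 = { H(username ":" realm ":" passwd), ":" nonce ":" cnonce [":" authzid] }
    a1 = hashlib.md5(f"{username}:{realm_value}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = { "AUTHENTICATE:" digest-uri [":" 32 zeros for auth-int / auth-conf] }
    a2 = f"{a2_method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2.encode('utf-8'))}"
    return _hexmd5(kd.encode("utf-8"))


def verify_digest_response(server_realm, server_nonce, expected_nc, password_lookup, msg):
    """Server side of step 2: return rspauth, or raise DigestError with the reason.

    The realm test is the one quoted from Cyrus 2.1.22 plugins/digestmd5.c; treating a
    missing realm directive as "" follows the RFC text (Cyrus's own NULL branch is
    elided in the thread, so that part is this example's choice)."""
    d = parse_directives(msg)
    realm = d.get("realm")
    if realm is None:
        realm_value = ""
    elif server_realm != "" and realm != server_realm:
        raise DigestError("realm changed: authentication aborted")
    else:
        realm_value = realm
    if d.get("nonce") != server_nonce:
        raise DigestError("nonce mismatch")
    if d.get("nc") != expected_nc:
        raise DigestError("nonce-count mismatch")
    qop = d.get("qop", "auth")
    try:
        user, cnonce, uri, response = d["username"], d["cnonce"], d["digest-uri"], d["response"]
    except KeyError as missing:
        raise DigestError(f"missing directive {missing}")
    password = password_lookup(user, realm_value)
    if password is None:
        raise DigestError("unknown user")
    args = (user, realm_value, password, server_nonce, cnonce, expected_nc, qop, uri, d.get("authzid"))
    if not hmac.compare_digest(compute_response(*args), response):
        raise DigestError("bad response")
    return compute_response(*args, a2_method="")


def build_client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client side of step 2: the digest-response sent for the given realm."""
    resp = compute_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{realm}",nonce="{nonce}",'
            f'nc={nc},cnonce="{cnonce}",digest-uri="{digest_uri}",response={resp},qop={qop}')


# Demo values are the RFC 2831 section 4 example (user "chris", password "secret");
# the "other.org" realm and its password entry are constructed for this thread.
RFC_REALM, RFC_NONCE, RFC_CNONCE = "elwood.innosoft.com", "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk"
RFC_URI = "imap/elwood.innosoft.com"
_USERS = {("chris", RFC_REALM): "secret", ("chris", "other.org"): "secret"}


def run_exchange(client_realm, server_realm=RFC_REALM):
    """Return rspauth on success, or the error text the server would report."""
    msg = build_client_response("chris", client_realm, "secret", RFC_NONCE, RFC_CNONCE,
                                "00000001", "auth", RFC_URI)
    try:
        return verify_digest_response(server_realm, RFC_NONCE, "00000001",
                                      lambda u, r: _USERS.get((u, r)), msg)
    except DigestError as err:
        return str(err)
```

run_exchange(RFC_REALM) walks the RFC example through and returns its rspauth; run_exchange("other.org") is the "something else" case from the thread and is rejected at the realm test before any password lookup, which is the behaviour the quoted strcmp produces. run_exchange("other.org", "") models a server that advertised no realm: the text->realm[0] != 0 half of the condition lets the client's realm through, and the credential lookup then decides.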