Cyrus-SASL 2.1.22 DIGEST-MD5 and RFC2831

Wed Jan 31 08:49:25 EST 2007

Andreas Winkelmann wrote:

>On Monday 29 January 2007 15:59, Alexey Melnikov wrote:
>
>Thanks for the answer.
>  
>
>>>In another list someone shows an Error-Message from the digest-md5 Plugin:
>>>
>>>"xxx: realm changed: authentication aborted".
>>>      
>>>
>>I would like to get more information on this error. This error message
>>is a good indicator that the client is broken.
>>    
>>
>*Shall happen with Outlook 2007 and something which is called "40tude".* I've 
>none of them. Maybe someone else can test this?
>  
>
>>>This happens if the Realm (Server->Client) in Step 1 is diffrent from the
>>>Realm (Client->Server) in Step 2.
>>>
>>>In RFC 2831 the Description of the Realm out of Step 2 is described as:
>>>
>>>  realm
>>>     The realm containing the user's account. This directive is
>>>     required if the server provided any realms in the
>>>     "digest-challenge", in which case it may appear exactly once and
>>>     its value SHOULD be one of those realms. If the directive is
>>>     missing, "realm-value" will set to the empty string when computing
>>>     A1 (see below for details).
>>>
>>>The Value in Step 2 "SHOULD" be one of the Values passed in Step 1.
>>>The "SHOULD" is realized as a "MUST" in Cyrus-SASL. Is this really ok or
>>>is this something which should better be changed?
>>>      
>>>
>>Here is some background for why the SHOULD is used in the text you
>>quoted: The server can support one or more realms, but it might not
>>advertise some of them (i.e. not send them to the client). The client
>>can pick one of the realms sent by the server or it can pick something
>>else if it specifically configured to do so. That "something else" still
>>has to be accepted by the server.
>>    
>>
>Yes, and I think there does Cyrus-SASL something different.
>  
>
Hi Andreas,
 From your response it is not clear where you think the problem might 
be, so I will just comment on the actual code below.

>Out of the Sourcecode from step2 (plugins/digestmd5.c):
>
>...
>realm is the catched Realm from step 2, text->realm the one from step 1.
>...
>
>    /* Sanity check the parameters */
>    if (realm == NULL) {
>
>... Realm is "something else" and not empty, so we can skip this...
>  
>
According to RFC 2831, if the client didn't send any realm, it is the 
same as if the client sent 'realm=""'.
So if the server doesn't use empty string as the realm (and Cyrus SASL 
never does), then the client is broken.

>    /* CLAIM: realm is not NULL below */
>    } else if ((strcmp(realm, text->realm) != 0) &&
>        (text->realm[0] != 0)) {
>  
>
Client has sent a realm that the server didn't advertise ==> fail

Note that in practice text->realm (the realm advertised by the server) 
is never empty.

>        SETERROR(sparams->utils,
>                 "realm changed: authentication aborted");
>        result = SASL_BADAUTH;
>        goto FreeAllMem;
>    }
>
>This is an easy strcmp between the Realm in step1 and the Realm from step2. If 
>both are different, it jumps out with SASL_BADAUTH. 
>  
>
Yes, because the client didn't use one of the realms the server sent to it.

>If I see this correct and the Realm is "something else", it fails. Maybe I'm 
>wrong. Please correct me if I write nonsense.
>  
>
>>Cyrus SASL server never "hides" any of the realms it supports, so the
>>client must pick one of the ones sent by the server. So I think the
>>current coded behavior is correct.
>>    
>>