Cyrus-SASL 2.1.22 DIGEST-MD5 and RFC2831

Andreas Winkelmann ml at awinkelmann.de
Wed Jan 31 11:04:58 EST 2007


On Wednesday 31 January 2007 14:49, Alexey Melnikov wrote:

> >>>In RFC 2831 the Description of the Realm out of Step 2 is described as:
> >>>
> >>>  realm
> >>>     The realm containing the user's account. This directive is
> >>>     required if the server provided any realms in the
> >>>     "digest-challenge", in which case it may appear exactly once and
> >>>     its value SHOULD be one of those realms. If the directive is
> >>>     missing, "realm-value" will set to the empty string when computing
> >>>     A1 (see below for details).

> >    /* CLAIM: realm is not NULL below */
> >    } else if ((strcmp(realm, text->realm) != 0) &&
> >        (text->realm[0] != 0)) {
>
> Client has sent a realm that the server didn't advertise ==> fail
>
> Note that in practice text->realm (the realm advertised by the server)
> is never empty.
>
> >        SETERROR(sparams->utils,
> >                 "realm changed: authentication aborted");
> >        result = SASL_BADAUTH;
> >        goto FreeAllMem;
> >    }
> >
> >This is an easy strcmp between the Realm in step1 and the Realm from
> > step2. If both are different, it jumps out with SASL_BADAUTH.
>
> Yes, because the client didn't use one of the realms the server sent to it.

Yes, exactly. I understand the RFC to mean that the realm in step 2 
(Client->Server) is arbitrary. The client can send any realm it likes 
and does not have to select one of the realms that the server sends in step 1. 
It can select one of the realms from the server, but it does not have to.

In other words: "should be one of those" does not mean "must be one of those". 

Example:

C: AUTH DIGEST-MD5
S: ....realm=server.domain,tld...
C: ....realm=something.else.tld...

Is this ok or not?

Hmm, I know, my English is not the best. I hope you can understand what I 
mean.

> >If I see this correct and the Realm is "something else", it fails. Maybe
> > I'm wrong. Please correct me if I write nonsense.
> >
> >>Cyrus SASL server never "hides" any of the realms it supports, so the
> >>client must pick one of the ones sent by the server. So I think the
> >>current coded behavior is correct.

-- 
	Andreas
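As an added illustration (not code from the thread or from cyrus-sasl), the server-side check under discussion, written out as a small C program: it pulls the realm= directive out of a digest-response, treats a missing directive as the empty string as RFC 2831 says, and then applies the same comparison as the quoted cyrus-sasl snippet. The result labels and the realm spelling server.domain.tld are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Result labels for this example only (not cyrus-sasl's SASL_* values). */
enum { REALM_OK = 0, REALM_CHANGED = 1, REALM_MALFORMED = 2 };

/* Copy the realm= value of a digest-response into out. Accepts realm="x" and
 * realm=x (backslash escapes inside quotes are not handled here).
 * Returns 1 if present, 0 if absent, -1 if malformed. When absent, out is ""
 * because RFC 2831 computes A1 with an empty realm-value. */
static int extract_realm(const char *resp, char *out, size_t outlen) {
    const char *p = resp;
    out[0] = '\0';
    while ((p = strstr(p, "realm=")) != NULL) {
        if (p == resp || p[-1] == ',' || p[-1] == ' ') {  /* whole directive name */
            const char *v = p + 6, *end;
            size_t n;
            if (*v == '"') {
                if ((end = strchr(++v, '"')) == NULL) return -1;
                n = (size_t)(end - v);
            } else {
                n = strcspn(v, ",");
            }
            if (n >= outlen) return -1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += 6;
    }
    return 0;
}

/* Same semantics as the cyrus-sasl snippet: server_realm is the realm the
 * server advertised ("" if none). If one was advertised, the client's realm
 * must equal it; a missing directive is compared as "" and so also fails. */
int validate_response(const char *resp, const char *server_realm) {
    char realm[256];
    if (extract_realm(resp, realm, sizeof realm) < 0) return REALM_MALFORMED;
    if (strcmp(realm, server_realm) != 0 && server_realm[0] != '\0')
        return REALM_CHANGED;   /* "realm changed: authentication aborted" */
    return REALM_OK;
}

/* The exchange from the thread: server advertised one realm, client sent another. */
int main(void) {
    const char *resp = "username=\"user\",realm=\"something.else.tld\",nonce=\"n1\"";
    printf("result=%d (1 means rejected)\n", validate_response(resp, "server.domain.tld"));
    return 0;
}
```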

