Issue 4887 - JLDAP - com.novell.sasl.client.DigestMD5SaslClient and RFC2831
Summary: JLDAP - com.novell.sasl.client.DigestMD5SaslClient and RFC2831
Status: RESOLVED FEEDBACK
Alias: None
Product: JLDAP
Classification: Unclassified
Component: JLDAP
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2007-03-21 20:57 UTC by giovannix@gmail.com
Modified: 2021-08-03 17:48 UTC
Description giovannix@gmail.com 2007-03-21 20:57:05 UTC
Full_Name: Giovanni Almeida Santos
Version: 2.3.34
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.199.204.60)


According to RFC2831 (Using Digest Authentication as a SASL Mechanism), the
rules for a "digest-response" are defined as follows:

digest-response  = 1#( username | realm | nonce | cnonce |
                          nonce-count | qop | digest-uri | response |
                          maxbuf | charset | cipher | authzid |
                          auth-param )
       username         = "username" "=" <"> username-value <">
       username-value   = qdstr-val
       ...
       authzid          = "authzid" "=" <"> authzid-value <">
       authzid-value    = qdstr-val

com.novell.sasl.client.DigestMD5SaslClient class does not implement that RFC at
all because it does not use authzid as described above.

To correct this, it is necessary to modify two methods on DigestMD5SaslClient:
DigestCalcHA1 and createDigestResponse.

In the DigestCalcHA1 method it is necessary to include the code delimited by //
-->> as follows:

    char[] DigestCalcHA1(
        String   algorithm,
        String   userName,
        String   realm,
        String   password,
        String   nonce,
        String   clientNonce) throws SaslException
    {
     ...
            if ("md5-sess".equals(algorithm))
            {
                md.update(hash);
                md.update(":".getBytes("UTF-8"));
                md.update(nonce.getBytes("UTF-8"));
                md.update(":".getBytes("UTF-8"));
                md.update(clientNonce.getBytes("UTF-8"));
                // -->> It is necessary to allow Proxy Authorization
                if(m_authorizationId != null && !"".equals(m_authorizationId))
                {
                    md.update(":".getBytes("UTF-8"));
                    md.update(m_authorizationId.getBytes("UTF-8"));
                }
                // -->> End
                hash = md.digest();
            }
     ...
    }

In the createDigestResponse method it is necessary to remove
<code>digestResponse.append(m_authorizationId)</code> (commented below) and
insert the code delimited by // -->>

    private String createDigestResponse(
        byte[] challenge)
            throws SaslException
    {
     ...
        digestResponse.append("username=\"");
        //digestResponse.append(m_authorizationId);
        // -->> It is necessary to allow Proxy Authorization
        digestResponse.append(m_name);
        if(m_authorizationId != null && !"".equals(m_authorizationId))
        {
            digestResponse.append("\",authzid=\"");
            digestResponse.append(m_authorizationId);
        }
        // -->> End
     ...
    }

Without these modifications, proxy authorization is not possible.
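
The RFC 2831 computation the report relies on, as an added stand-alone illustration (Python, not JLDAP code): A1 gains a trailing ":" authzid when a proxy authorization identity is present, the username field keeps the authentication identity, and authzid is sent as its own field. The inputs are the client-side values of the example exchange in RFC 2831 section 4; the authzid "admin" is a constructed value.

```python
import hashlib

def md5_raw(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None):
    """Client 'response' per RFC 2831 section 2.1.2.1 (md5-sess); with an authzid
    A1 gains ":" + authzid while username stays the authentication identity."""
    a1 = md5_raw(f"{username}:{realm}:{password}".encode("utf-8"))  # 16 raw octets
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):  # RFC 2831: A2 ends in a fixed 32-zero hex
        a2 += ":00000000000000000000000000000000"
    kd = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2.encode('utf-8'))}"
    return md5_hex(kd.encode("utf-8"))

def quoted(value: str) -> str:
    """qdstr-val: wrap in double quotes, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_digest_response(username, realm, password, nonce, cnonce, nc, qop,
                          digest_uri, authzid=None):
    """Assemble the digest-response; authzid is emitted only when proxying."""
    fields = [
        "charset=utf-8", "username=" + quoted(username), "realm=" + quoted(realm),
        "nonce=" + quoted(nonce), "nc=" + nc, "cnonce=" + quoted(cnonce),
        "digest-uri=" + quoted(digest_uri),
        "response=" + digest_md5_response(username, realm, password, nonce,
                                          cnonce, nc, qop, digest_uri, authzid),
        "qop=" + qop,
    ]
    if authzid:
        fields.append("authzid=" + quoted(authzid))
    return ",".join(fields)

if __name__ == "__main__":
    # Inputs are the client-side values of the example exchange in RFC 2831
    # section 4; "admin" is a constructed proxy authorization identity.
    args = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
                qop="auth", digest_uri="imap/elwood.innosoft.com")
    print(build_digest_response(**args))
    print(build_digest_response(**args, authzid="admin"))
```

Compare the first printed line with the client message in RFC 2831 section 4; the second shows why a server that honours authzid rejects a client that sends it but leaves A1 unchanged.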

Comment 1 ando@openldap.org 2007-03-21 23:16:41 UTC
changed notes
Comment 2 Howard Chu 2007-04-02 23:47:35 UTC
moved from Incoming to Contrib
Comment 3 npalani@openldap.org 2008-01-02 08:48:18 UTC
Hi,

In the above code in the comments portion I am not clear what you do in the
proxy authorization. I tried without the above code changes for the proxy user
authorization yet I was able to bind to it. Are you doing anything else?
 
Can you make the proxy authorization a bit more clear? What exactly does that
mean?
Comment 4 npalani@openldap.org 2008-01-02 08:48:24 UTC
changed state Open to Feedback
Comment 5 OpenLDAP project 2014-08-01 21:03:27 UTC
JLDAP