Issue 7817 - jldap DigestMD5SaslClient is using authzid for username when it should use authcid
Status: UNCONFIRMED
Alias: None
Product: JLDAP
Classification: Unclassified
Component: JLDAP
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2014-03-10 14:46 UTC by fschmaus@gmail.com
Modified: 2020-03-15 06:30 UTC
Description fschmaus@gmail.com 2014-03-10 14:46:50 UTC
Full_Name: Florian Schmaus
Version: 
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (88.217.98.14)


The openldap-jldap's com.novell.sasl.client.DigestMD5SaslClient is using
authorization id (authzid) as value for the username. But the relevant RFC2831
states in section 2.1.2 that there is an extra attribute 'authzid' when
assembling the response. The value of username should use m_name (the authcid)
and the response should only add the authzid if it's set (Note that authzid is
*optional*).

--- a/com/novell/sasl/client/DigestMD5SaslClient.java
+++ b/com/novell/sasl/client/DigestMD5SaslClient.java
@@ -661,7 +661,7 @@ public class DigestMD5SaslClient implements SaslClient
                                       true);
 
         digestResponse.append("username=\"");
-        digestResponse.append(m_authorizationId);
+        digestResponse.append(m_name);
         if (0 != m_realm.length())
         {
             digestResponse.append("\",realm=\"");
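Review bot: The `username` directive at `digestResponse.append(m_name);` now carries the authcid, but the response value produced by the call ending in `true);` just above is outside this change. If that call still hashes m_authorizationId as the username, the server will compute a different digest from the one sent, so check that the same m_name is passed there. Separately, m_name is appended inside a quoted string without any escaping, so a `"` or `\` in the name would produce a malformed directive.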
@@ -679,8 +679,12 @@ public class DigestMD5SaslClient implements SaslClient
         digestResponse.append(response);
         digestResponse.append(",charset=utf-8,nonce=\"");
         digestResponse.append(m_dc.getNonce());
+        if (m_authorizationId != null && m_authorizationId.length() >= 0)
+        {
+            digestResponse.append("\",authzid=\"");
+            digestResponse.append(m_authorizationId);
+        }
         digestResponse.append("\"");
-
         return digestResponse.toString();
      }
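Review bot: The guard `m_authorizationId.length() >= 0` is always true for a non-null string, so an empty authorization id is still sent as `authzid=""`; use `> 0` so the directive is omitted when no authzid is set. RFC 2831 2.1.2.1 also appends the authzid to A1 whenever the directive is present, and nothing in this hunk touches the response computation, so that code needs the same condition. The removal of the blank line before `return` is unrelated to the fix and could be dropped.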
Comment 1 fschmaus@gmail.com 2014-03-11 13:02:40 UTC
Of course the if condition for string length should be '>0' not '>=0'.
Comment 2 Quanah Gibson-Mount 2014-03-11 16:31:17 UTC
--On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus@gmail.com wrote:

> Of course the if condition for string length should be '>0' not '>=0'.

Can you expand upon your report?  What source code, for example, you're 
referring to?  This is a bit vague.

--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 3 Quanah Gibson-Mount 2014-03-11 16:37:10 UTC
--On Tuesday, March 11, 2014 5:31 PM +0000 quanah@zimbra.com wrote:

> --On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus@gmail.com wrote:
>
>> Of course the if condition for string length should be '>0' not '>=0'.
>
> Can you expand upon your report?  What source code, for example, you're
> referring to?  This is a bit vague.

Never mind. ;) Your reply came through like a new ITS. :P

--Quanah



Comment 4 fschmaus@gmail.com 2014-03-11 18:27:21 UTC
I just got a report [1] that the patch is incomplete, because authzid is
used to calculate A1 value of the response (RFC2831 2.1.2.1). Stay tuned
for an updated version.

1:
https://github.com/Flowdalic/asmack/commit/2b4d004fe5a7b4224380a32658ff20560c6c3a05#commitcomment-5636515
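
The A1 rule that Comment 4 refers to (RFC 2831 2.1.2.1), together with the username/authzid split from the description, as an added example that is not jldap code and not part of the proposed patch. Class name, method names and sample values are constructed; it covers qop=auth only and assumes ASCII values that need no quoted-string escaping.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestMd5ResponseExample {
    static byte[] md5(byte[] in) throws Exception {
        return MessageDigest.getInstance("MD5").digest(in);
    }
    // Sample inputs are ASCII; RFC 2831's ISO 8859-1 conversion rule is not exercised.
    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x & 0xff));
        return sb.toString();
    }

    // response-value for qop=auth (RFC 2831 2.1.2.1); authzid is optional.
    static String responseValue(String authcid, String authzid, String realm, String password,
            String nonce, String cnonce, String nc, String digestUri) throws Exception {
        ByteArrayOutputStream a1 = new ByteArrayOutputStream();
        a1.write(md5(bytes(authcid + ":" + realm + ":" + password))); // raw 16 bytes, not hex
        a1.write(bytes(":" + nonce + ":" + cnonce));
        if (authzid != null && !authzid.isEmpty()) a1.write(bytes(":" + authzid)); // only when sent
        String ha1 = hex(md5(a1.toByteArray()));
        String ha2 = hex(md5(bytes("AUTHENTICATE:" + digestUri)));
        return hex(md5(bytes(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2)));
    }

    // username carries the authcid; authzid is a separate directive, omitted when empty.
    static String digestResponse(String authcid, String authzid, String realm, String password,
            String nonce, String cnonce, String nc, String digestUri) throws Exception {
        StringBuilder sb = new StringBuilder("charset=utf-8,username=\"" + authcid + "\"");
        if (!realm.isEmpty()) sb.append(",realm=\"").append(realm).append('"');
        sb.append(",nonce=\"").append(nonce).append("\",nc=").append(nc);
        sb.append(",cnonce=\"").append(cnonce).append("\",digest-uri=\"").append(digestUri);
        sb.append("\",qop=auth,response=").append(
                responseValue(authcid, authzid, realm, password, nonce, cnonce, nc, digestUri));
        if (authzid != null && !authzid.isEmpty()) sb.append(",authzid=\"").append(authzid).append('"');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the issue.
        String[] c = {"example.org", "secret", "srvnonce123", "clinonce456", "00000001", "ldap/ldap.example.org"};
        System.out.println(digestResponse("alice", null, c[0], c[1], c[2], c[3], c[4], c[5]));
        System.out.println(digestResponse("alice", "bob", c[0], c[1], c[2], c[3], c[4], c[5]));
    }
}
```

The two printed lines differ in both the `response` value and the presence of `authzid`, which is why changing only the emitted directives leaves the client and server computing different digests.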