Contrib/4887

JLDAP Notification:

Date: Wed, 21 Mar 2007 20:57:05 GMT
From: giovannix@gmail.com
To: openldap-its@OpenLDAP.org
Subject: JLDAP - com.novell.sasl.client.DigestMD5SaslClient and RFC2831
Full_Name: Giovanni Almeida Santos
Version: 2.3.34
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.199.204.60)

According to RFC2831 (Using Digest Authentication as a SASL Mechanism), the rules for a "digest-response" are defined as follows:

    digest-response  = 1#( username | realm | nonce | cnonce |
                           nonce-count | qop | digest-uri | response |
                           maxbuf | charset | cipher | authzid |
                           auth-param )

    username         = "username" "=" <"> username-value <">
    username-value   = qdstr-val
    ...
    authzid          = "authzid" "=" <"> authzid-value <">
    authzid-value    = qdstr-val

The com.novell.sasl.client.DigestMD5SaslClient class does not implement that RFC at all, because it does not use authzid as described above. To correct this, it is necessary to modify two methods in DigestMD5SaslClient: DigestCalcHA1 and createDigestResponse.

In the DigestCalcHA1 method it is necessary to include the code delimited by // -->> as follows:

    char[] DigestCalcHA1(
        String algorithm,
        String userName,
        String realm,
        String password,
        String nonce,
        String clientNonce) throws SaslException
    {
        ...
        if ("md5-sess".equals(algorithm)) {
            md.update(hash);
            md.update(":".getBytes("UTF-8"));
            md.update(nonce.getBytes("UTF-8"));
            md.update(":".getBytes("UTF-8"));
            md.update(clientNonce.getBytes("UTF-8"));
            // -->> It is necessary to allow Proxy Authorization
            if (m_authorizationId != null && !"".equals(m_authorizationId)) {
                md.update(":".getBytes("UTF-8"));
                md.update(m_authorizationId.getBytes("UTF-8"));
            }
            // -->> End
            hash = md.digest();
        }
        ...
    }

In the createDigestResponse method it is necessary to remove digestResponse.append(m_authorizationId) (commented out below) and insert the code delimited by // -->>:

    private String createDigestResponse(
        byte[] challenge) throws SaslException
    {
        ...
        digestResponse.append("username=\"");
        //digestResponse.append(m_authorizationId);
        // -->> It is necessary to allow Proxy Authorization
        digestResponse.append(m_name);
        if (m_authorizationId != null && !"".equals(m_authorizationId)) {
            digestResponse.append("\",authzid=\"");
            digestResponse.append(m_authorizationId);
        }
        // -->> End
        ...
    }

Without these modifications, proxy authorization is not possible.
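As an added illustration (not code from the report or from JLDAP), the following Python model of RFC 2831 section 2.1.2.1 shows why the authzid must enter A1 whenever the authzid directive is sent: a server that recomputes the digest per the RFC accepts the conformant response and rejects one whose A1 left the authzid out. All names, credentials and nonces are constructed sample values.

```python
import hashlib
import hmac
import re

def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """RFC 2831 2.1.2.1: A1 = H(user:realm:pass):nonce:cnonce[:authzid]; A2 = AUTHENTICATE:uri[:0*32];
    response = HEX(H(HEX(H(A1)):nonce:nc:cnonce:qop:HEX(H(A2))))."""
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:  # authzid enters A1 only when the authzid directive is sent
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    return _hexmd5(f"{_hexmd5(a1)}:{nonce}:{nc:08x}:{cnonce}:{qop}:{_hexmd5(a2)}".encode("utf-8"))

def build_digest_response(username, realm, nonce, cnonce, nc, qop, digest_uri, response, authzid=None):
    """Serialise the directives: username carries the authentication identity only;
    authzid (the proxy identity) is its own directive."""
    parts = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"', f'cnonce="{cnonce}"',
             f"nc={nc:08x}", f"qop={qop}", f'digest-uri="{digest_uri}"', f"response={response}"]
    if authzid:
        parts.append(f'authzid="{authzid}"')
    return ",".join(parts)

def parse_digest_response(text):
    """Directive string -> dict (assumes no embedded commas or escaped quotes in values)."""
    return {k: v.strip('"') for k, v in re.findall(r'([a-z-]+)=("[^"]*"|[^,]*)', text)}

def server_verify(text, password_lookup):
    """Server side: recompute with the stored password, folding authzid into A1 iff present."""
    d = parse_digest_response(text)
    expected = digest_md5_response(d["username"], d["realm"], password_lookup(d["username"]), d["nonce"],
                                   d["cnonce"], int(d["nc"], 16), d["qop"], d["digest-uri"], d.get("authzid"))
    return hmac.compare_digest(expected, d["response"])

PASSWORDS = {"alice": "secret"}  # constructed sample credentials, not from the report or the RFC
ARGS = dict(username="alice", realm="example.com", nonce="c2VydmVybm9uY2U=", cnonce="Y2xpZW50bm9uY2U=",
            nc=1, qop="auth", digest_uri="ldap/ldap.example.com")  # constructed sample values

def demo():
    """(verdict for a conformant client, verdict for one that sends authzid but hashes A1 without it)."""
    rfc = build_digest_response(response=digest_md5_response(password="secret", authzid="bob", **ARGS),
                                authzid="bob", **ARGS)
    old = build_digest_response(response=digest_md5_response(password="secret", **ARGS), authzid="bob", **ARGS)
    return server_verify(rfc, PASSWORDS.__getitem__), server_verify(old, PASSWORDS.__getitem__)
```

Without an authzid directive the two computations coincide, which is why a plain bind still succeeds; the difference appears only when proxy authorization is requested.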
From: Nachiappan Palaniappan <openldap-its@OpenLDAP.org>
To: giovannix@gmail.com
Subject: Re: JLDAP - com.novell.sasl.client.DigestMD5SaslClient and RFC2831 (ITS#4887)
Date: Wed Jan 2 08:48:18 2008
Hi,

In the above code, in the comments portion, I am not clear what you do in the proxy authorization. I tried without the above code changes for the proxy user authorization, yet I was able to bind to it. Are you doing anything else? Can you make the proxy authorization a bit more clear? What exactly does that mean?
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org