Full_Name: Florian Schmaus Version: OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (88.217.98.14) The openldap-jldap's com.novell.sasl.cient.DigestMD5SaslClient is using authorization id (authzid) as value for the username. But the relevant RFC2831 states in section 2.1.2 that there is an extra attribute 'authzid' when assembling the response. The value of username should use m_name (the authcid) and the response should only add the authzid if it's set (Note that authzid is *optional*). --- a/com/novell/sasl/client/DigestMD5SaslClient.java +++ b/com/novell/sasl/client/DigestMD5SaslClient.java @@ -661,7 +661,7 @@ public class DigestMD5SaslClient implements SaslClient true); digestResponse.append("username=\""); - digestResponse.append(m_authorizationId); + digestResponse.append(m_name); if (0 != m_realm.length()) { digestResponse.append("\",realm=\""); @@ -679,8 +679,12 @@ public class DigestMD5SaslClient implements SaslClient digestResponse.append(response); digestResponse.append(",charset=utf-8,nonce=\""); digestResponse.append(m_dc.getNonce()); + if (m_authorizationId != null && m_authorizationId.length() >= 0) + { + digestResponse.append("\",authzid=\""); + digestResponse.append(m_authorizationId); + } digestResponse.append("\""); - return digestResponse.toString(); }
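Review bot: in the first hunk, `m_name` is appended directly inside the quoted `username="..."` value with no escaping and no null guard, whereas the second hunk does guard `m_authorizationId` against null. If `m_name` can be null, or can contain `"` or `\`, the resulting digest-response is malformed; consider checking for null and backslash-escaping those two characters before the append.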
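Review bot: in the second hunk, the guard `m_authorizationId.length() >= 0` is true for every non-null string, so an empty authorization id still emits `authzid=""`; the comparison should be `> 0` so the attribute is omitted when no authzid is set. The appended authzid value is also not escaped for `"` or `\`, and the hunk removes the blank line before `return digestResponse.toString();`, an unrelated whitespace change that can be left out of the patch.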
Of course the if condition for string length should be '>0' not '>=0'.
--On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus@gmail.com wrote:

> Of course the if condition for string length should be '>0' not '>=0'.

Can you expand upon your report? What source code, for example, you're referring to? This is a bit vague.

--Quanah

--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Tuesday, March 11, 2014 5:31 PM +0000 quanah@zimbra.com wrote:

> --On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus@gmail.com wrote:
>
>> Of course the if condition for string length should be '>0' not '>=0'.
>
> Can you expand upon your report? What source code, for example, you're
> referring to? This is a bit vague.

Never mind. ;) Your reply came through like a new ITS. :P

--Quanah

--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
I just got a report [1] that the patch is incomplete, because authzid is used to calculate A1 value of the response (RFC2831 2.1.2.1). Stay tuned for an updated version.

1: https://github.com/Flowdalic/asmack/commit/2b4d004fe5a7b4224380a32658ff20560c6c3a05#commitcomment-5636515
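The RFC 2831 section 2.1.2.1 computation mentioned in the last message, as an added example that is not part of the thread or of the jldap code: `username` carries the authcid, and the authzid enters both A1 and the outgoing attribute list only when it is set. The function and variable names are hypothetical, credentials are assumed to be ASCII, only `qop=auth` is handled, and the `admin` authzid is a constructed value; the other inputs are the sample exchange from RFC 2831 section 4.

```python
import hashlib

def _quote(value):
    # quoted-string: backslash-escape '\' and '"' before wrapping in quotes
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def digest_md5_response(authcid, realm, password, nonce, cnonce, digest_uri,
                        authzid=None, nc="00000001", qop="auth"):
    """Return (response_hex, digest_response) for qop=auth (ASCII input assumed)."""
    enc = lambda s: s.encode("utf-8")
    # A1 begins with the raw 16-byte H(username:realm:passwd); username is the authcid
    a1 = hashlib.md5(enc(f"{authcid}:{realm}:{password}")).digest()
    a1 += enc(f":{nonce}:{cnonce}")
    if authzid:                      # optional: hashed and sent only when set
        a1 += enc(f":{authzid}")
    a2 = enc(f"AUTHENTICATE:{digest_uri}")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    response = hashlib.md5(enc(kd)).hexdigest()
    fields = [
        "charset=utf-8",
        "username=" + _quote(authcid),
        "realm=" + _quote(realm),
        "nonce=" + _quote(nonce),
        f"nc={nc}",
        "cnonce=" + _quote(cnonce),
        "digest-uri=" + _quote(digest_uri),
        f"response={response}",
        f"qop={qop}",
    ]
    if authzid:
        fields.append("authzid=" + _quote(authzid))
    return response, ",".join(fields)

# Inputs of the sample exchange in RFC 2831 section 4
RFC_SAMPLE = dict(authcid="chris", realm="elwood.innosoft.com", password="secret",
                  nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                  digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    plain, plain_msg = digest_md5_response(**RFC_SAMPLE)
    # "admin" is a constructed authzid, not taken from the RFC or the thread
    delegated, delegated_msg = digest_md5_response(**RFC_SAMPLE, authzid="admin")
    print(plain_msg)
    print(delegated_msg)
    print("authzid changes the response value:", plain != delegated)
```

A client that changes only the attribute list but still computes A1 without the authzid sends a response value that a conforming server will not reproduce.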