

From: Simon Josefsson
Subject: Re: Bug: RFC2831 noncompliance - "charset=utf-8" in challenge REQUIRES "charset=utf-8" in response
Date: Fri, 11 Apr 2008 10:10:05 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

I'm working to fix this now, but this appears to be one of the
problematic parts of the DIGEST-MD5 protocol.  The RFC specifies that
the username and password need to be converted from UTF-8 to ISO-8859-1
(for the hashing) if that is possible, but some implementations do the
same for realm values as well.  Since GNU SASL uses UTF-8 for strings,
the DIGEST-MD5 mechanism will need to convert strings received from the
network from ISO-8859-1 to UTF-8 as well, before letting the application
see them.

I'll see what solution I choose.  If anyone can interop test my patch
with non-ASCII username and/or passwords, that would be appreciated.

/Simon

Simon Josefsson <address@hidden> writes:

> Thanks for forwarding this.  I've identified the cause:
>
> int
> digest_md5_validate (digest_md5_challenge * c, digest_md5_response * r)
> {
> ...
>   if (c->utf8 != r->utf8)
>     return -1;
>
> Thus, if the server and client have different charset=utf8 values, the
> authentication is refused.
>
> The code needs to permit where the client did not send charset=utf8,
> however in this case it needs to upgrade the string from ISO-8859-1 to
> UTF-8 because GNU SASL is a strict UTF-8 library.
>
> I'll see if I can produce a patch shortly.
>
> /Simon
>
> marty <address@hidden> writes:
>
>> This bug was encountered using
>>
>>
>>    jabberd2 2.1.23 w/ GSASL 0.2.25
>>
>>
>>    Pidgin 2.4.0 (Cyrus-based SASL)
>>
>>
>> In summary, the issue is that jabberd2 (as a consequence of gsasl)
>> indicates support for "charset=utf-8" in the challenge, and then
>> consequently _requires_ that the response contain a "charset=utf-8"
>> directive.  This expectation is contrary to the RFC, which only states
>> that the "charset=utf-8" directive in the challenge indicates server
>> support for _optional_ utf-8 encoding of the response.
>>
>> For details, please refer to the following:
>>
>> (bug against jabberd2)          http://jabberd2.xiaoka.com/ticket/200
>>
>> (original bug against Pidgin)  http://developer.pidgin.im/ticket/5213
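To illustrate the charset handling discussed in this thread, here is an added example (not GNU SASL code, and not from any poster): a minimal DIGEST-MD5 directive parser, the relaxed charset check (the server's charset=utf-8 is an offer, so a response without the directive is accepted), the ISO-8859-1 upgrade of client strings for a UTF-8 library, and the RFC 2831 rule that strings representable in ISO-8859-1 are hashed in that encoding. The digest itself is not computed; only the string handling is shown, and all sample messages are constructed.

```python
import re

# Matches key=value pairs, with quoted values allowing escaped quotes.
_DIRECTIVE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_directives(msg: bytes) -> dict:
    """Parse 'k=v,k2="v 2"' into {key: raw_value_bytes}.
    Latin-1 round-trips every byte, so the wire bytes are preserved."""
    out = {}
    for key, val in _DIRECTIVE.findall(msg.decode("iso-8859-1")):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        out[key.lower()] = val.encode("iso-8859-1")
    return out


def _uses_utf8(directives: dict) -> bool:
    return directives.get("charset", b"").lower() == b"utf-8"


def validate_charset(challenge: dict, response: dict) -> bool:
    """Relaxed check replacing 'c->utf8 != r->utf8': the client may omit
    charset=utf-8 when offered, but must not use it when not offered."""
    return _uses_utf8(challenge) or not _uses_utf8(response)


def decode_client_string(raw: bytes, response: dict) -> str:
    """Convert a username/realm from the wire into the library's UTF-8 form:
    UTF-8 if the client said so, otherwise upgrade from ISO-8859-1."""
    if _uses_utf8(response):
        return raw.decode("utf-8")
    return raw.decode("iso-8859-1")


def hash_form(s: str) -> bytes:
    """RFC 2831 section 2.1.2.1: hash the ISO-8859-1 form when every code
    point fits in it, else the UTF-8 form (applied here to username, realm
    and password alike, which is an assumption some servers also make)."""
    try:
        return s.encode("iso-8859-1")
    except UnicodeEncodeError:
        return s.encode("utf-8")


# Constructed sample: server offers UTF-8, client answers in ISO-8859-1.
CHALLENGE = parse_directives(
    b'realm="example.org",nonce="abc",qop="auth",charset=utf-8,algorithm=md5-sess')
RESPONSE_LATIN1 = parse_directives(b'username="\xe9ric",realm="example.org",nonce="abc"')
RESPONSE_UTF8 = parse_directives(b'username="\xc3\xa9ric",charset=utf-8,nonce="abc"')
```

Both responses carry the same username; after decoding, hash_form() yields identical bytes, so the server computes the same digest either way.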
