Tk Library Source Code

View Ticket
Login
Ticket UUID: 1545306
Title: nonce-count for DIGEST-MD5 handled incorrect
Type: Bug Version: None
Submitter: mic42 Created on: 2006-08-23 14:01:54
Subsystem: sasl Assigned To: aku
Priority: 9 Immediate Severity: Minor
Status: Deleted Last Modified: 2013-06-06 00:09:07
Resolution: Not Applicable Here Closed By: aku
    Closed on: 2013-06-06 00:09:07
Description:
The RFC states that the nonce-count is to be used to
guard against replay attacks, and has to be increased
for each time the nonce is sent.

But the current Tcllib SASL code increases the
nonce-count for every request, which leads to
increasing nonce-count values between different sasl
contexts.

Example:
set ctx [SASL::new -mechanism DIGEST-MD5 ...]
# send a request, which fails, maybe because the
password is wrong
SASL::cleanup $ctx
# nonce-count is now 1

set ctx [SASL::new -mechanism DIGEST-MD5 ...]
# try again with correct password
# this fails because the server complains about a
nonce-count of 2, while his internal counter just reached 1

Michael
User Comments: patthoyts added on 2007-08-26 07:16:48:

File Added - 242826: bug1545306.patch

Logged In: YES 
user_id=202636
Originator: NO

You might try the attached patch which moves the nonce count into the context structure. SASL::cleanup will remove it so a new context will begin again at 1.
To reuse a SASL context as described in the RFC you should call SASL::reset. As the context remembers the original server challenge and now the noncecount it will compose a new auth request as before but with an incremented noncecount and should re-authenticate. This needs confirming -- I don't have an LDAP setup to try against and my SMTPd doesn't do re-authentication.
File Added: bug1545306.patch

mic42 added on 2006-09-14 19:59:27:
Logged In: YES 
user_id=302287

A workaround is in place in the ldap module, which looks for
the namespace var storing the nonce count and resetting it,
before a new attempt. Not perfect but works. If this gets
fixed in the sasl module, it would be better, but its not a
showstopper for ldap sasl support.

patthoyts added on 2006-09-14 19:56:08:
Logged In: YES 
user_id=202636

This is known to be an issue with the LDAP module.

Attachments: