Re: Potential bug in win32 binary version?
From: Simon Josefsson
Subject: Re: Potential bug in win32 binary version?
Date: Fri, 11 Jan 2008 17:05:27 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

"Daniel Armyr" <address@hidden> writes:
> Hi.
> I attempted to secure an existing program win32 by adding gsasl as the
> authentication process. Everything works fine, but we suddenly realized that
> the challenge strings are always identical. Is this a known bug?
>
> Here is a sample code snippet to show the problem:
>
> char password[40];
> Gsasl *ctx;
> Gsasl_session *session;
> char *p;
>
> gsasl_init (&ctx);
> gsasl_server_start (ctx, "CRAM-MD5", &session);
> gsasl_property_set (session, GSASL_AUTHID, "admin");
> gsasl_property_set (session, GSASL_PASSWORD, password);
> gsasl_step64 (session, "", &p);
>
> In this case, p is always exactly the same string every time. Anyone see
> the problem?

Hi!  Thanks for the report.  Did you link gsasl with libgcrypt?
Otherwise, gsasl will read the nonce from /dev/random which probably
doesn't exist on win32.  You should have seen a warning from ./configure
when you built gsasl.

This seems like a serious problem, and we should make sure it can't
happen.  The code in the CRAM-MD5 server doesn't check the return value
from the randomness-function.  Fixing that would be the first step.  A
self-test to test whether two challenges are different should be added
too.

Thanks,
/Simon
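
The two steps proposed in the reply above (check the return value of the randomness function, and self-test that two challenges differ), as an added example that is not gsasl's code and not part of the original message. The names fill_nonce, make_challenge and selftest_challenges_differ, the "<hexnonce@host>" challenge layout and the use of /dev/urandom as the random source are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 16

/* Hypothetical helper: fill buf with len bytes read from the device at path.
   Returns 0 on success, -1 if the device is missing or the read is short. */
static int fill_nonce(const char *path, unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;              /* e.g. no random device on this platform */
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Build a msg-id style challenge "<hexnonce@host>" (constructed layout).
   Fails closed: without randomness, out is emptied and -1 is returned, so
   a challenge can never be built from an unfilled nonce buffer. */
int make_challenge(const char *rng_path, const char *host,
                   char *out, size_t outlen)
{
    unsigned char nonce[NONCE_LEN];
    char hex[2 * NONCE_LEN + 1];
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (fill_nonce(rng_path, nonce, sizeof nonce) != 0)
        return -1;
    for (size_t i = 0; i < sizeof nonce; i++)
        snprintf(hex + 2 * i, 3, "%02x", nonce[i]);
    int n = snprintf(out, outlen, "<%s@%s>", hex, host);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -1; }
    return 0;
}

/* Self-test: two consecutive challenges must differ. Returns 0 on pass,
   -1 if the source is unavailable or yields a repeated challenge. */
int selftest_challenges_differ(const char *rng_path)
{
    char a[64], b[64];
    if (make_challenge(rng_path, "localhost", a, sizeof a) != 0 ||
        make_challenge(rng_path, "localhost", b, sizeof b) != 0)
        return -1;
    return strcmp(a, b) != 0 ? 0 : -1;
}

int main(void) { return selftest_challenges_differ("/dev/urandom") == 0 ? 0 : 1; }
```

Pointing the self-test at a constant source such as /dev/zero makes it fail, which is the identical-challenge symptom from the report caught at test time rather than in production.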