[jboss-jira] [JBoss JIRA] (ELY-1761) Unicode normalization in SASL client breaks some non-ASCII passwords

Farah Juma (Jira) issues at jboss.org
Fri Mar 8 11:02:01 EST 2019


    [ https://issues.jboss.org/browse/ELY-1761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13705819#comment-13705819 ] 

Farah Juma commented on ELY-1761:
---------------------------------

Checked the Plain SASL mechanism [RFC|https://tools.ietf.org/html/rfc4616#section-2]; normalization is recommended but not required:

{quote}
The SASLPrep profile of the StringPrep algorithm is the RECOMMENDED preparation algorithm. The SASLprep preparation algorithm is not mandatory so as to allow the server to employ other preparation algorithms (including none) when appropriate. For instance, use of a different preparation algorithm may be necessary for the server to interoperate with an external system.
{quote}

Adding a new profile in {{StringPrep}} that skips over {{NORMALIZE_KC}} seems reasonable. A new SASL property could then be used to indicate that this new profile should be used.

In particular, this would involve the following steps:

# Add a new profile to {{StringPrep}} that is similar to {{PROFILE_SASL_STORED}} but does not include {{NORMALIZE_KC}}.
# Add a new property to [WildFlySasl|https://github.com/wildfly-security/wildfly-elytron/blob/master/sasl/base/src/main/java/org/wildfly/security/sasl/WildFlySasl.java] (e.g., something like {{SKIP_NORMALIZATION = "org.wildfly.sasl.skip-normalization"}}) that defaults to {{false}}.
# Update [PlainSaslClientFactory#createSaslClient|https://github.com/wildfly-security/wildfly-elytron/blob/1.x/sasl/plain/src/main/java/org/wildfly/security/sasl/plain/PlainSaslClientFactory.java#L42] to check if {{props}} contains the new property and what its value is. Pass this to the [PlainSaslClient|https://github.com/wildfly-security/wildfly-elytron/blob/1.x/sasl/plain/src/main/java/org/wildfly/security/sasl/plain/PlainSaslClient.java#L49] constructor.
# Make use of this value in {{PlainSaslClient#evaluateChallenge}} to determine which {{StringPrep}} profile to use.

> Unicode normalization in SASL client breaks some non-ASCII passwords
> --------------------------------------------------------------------
>
>                 Key: ELY-1761
>                 URL: https://issues.jboss.org/browse/ELY-1761
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SASL
>    Affects Versions: 1.7.0.Final
>            Reporter: Philippe Marschall
>            Priority: Major
>
> We have users that use U+00A8 ([diaeresis|https://en.wikipedia.org/wiki/Diaeresis_(diacritic)]) as an Active Directory password. They cannot log in using the Elytron LDAP realm. Here's the sequence of events:
> * PlainSaslClient.evaluateChallenge calls StringPrep.encode with the profile StringPrep.PROFILE_SASL_STORED https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/plain/src/main/java/org/wildfly/security/sasl/plain/PlainSaslClient.java#L95
> * StringPrep.PROFILE_SASL_STORED ors PROFILE_SASL_QUERY which ors NORMALIZE_KC https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L67
> * StringPrep.encode then normalises using NFKC which replaces U+00A8 with U+0020 U+0308 https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L199
> * Active Directory rejects the login
> We would be willing to work on a patch but we need some guidance on the desired solution. A simple solution would be a new profile in StringPrep that doesn't normalize and is used for passwords.
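The following is an added model (not Elytron's code, and in Python rather than the project's Java) of the behaviour reported above and of the profile/property change proposed in the comment. The flag names mirror the ones named in the ticket ({{NORMALIZE_KC}}, {{PROFILE_SASL_QUERY}}, {{PROFILE_SASL_STORED}}, {{SKIP_NORMALIZATION}}); the bit values, the profile contents, the {{string_prep}} logic and the {{select_profile}} helper are assumptions made for this demonstration. It shows why U+00A8 stops matching the stored Active Directory password once NFKC runs, and that a profile with the {{NORMALIZE_KC}} bit cleared sends the original code point unchanged.

```python
"""Model of the StringPrep profile change proposed in ELY-1761.

Assumed flag values and a simplified SASLprep-style encode(); this is a
demonstration, not WildFly Elytron's StringPrep implementation.
"""
import unicodedata

# Assumed bit flags (the real StringPrep constants have different values).
MAP_SPACES = 1 << 0          # RFC 4013 2.1: non-ASCII spaces -> U+0020
NORMALIZE_KC = 1 << 1        # RFC 4013 2.2: apply Unicode NFKC
FORBID_UNASSIGNED = 1 << 2   # RFC 4013 2.5: reject unassigned code points

PROFILE_SASL_QUERY = MAP_SPACES | NORMALIZE_KC
PROFILE_SASL_STORED = PROFILE_SASL_QUERY | FORBID_UNASSIGNED
# The profile the ticket proposes: the stored rules minus NFKC.
PROFILE_SASL_STORED_NO_NORMALIZE = PROFILE_SASL_STORED & ~NORMALIZE_KC

# Property name suggested in the comment; how its value is parsed is assumed.
SKIP_NORMALIZATION = "org.wildfly.sasl.skip-normalization"


def string_prep(password: str, profile: int) -> bytes:
    """Simplified SASLprep-style preparation driven by profile bits."""
    chars = []
    for ch in password:
        # Map Unicode space separators (category Zs) to ASCII space.
        if profile & MAP_SPACES and unicodedata.category(ch) == "Zs":
            ch = " "
        chars.append(ch)
    prepared = "".join(chars)
    if profile & NORMALIZE_KC:
        # NFKC applies compatibility decompositions: U+00A8 becomes
        # U+0020 U+0308, which is what breaks the reported password.
        prepared = unicodedata.normalize("NFKC", prepared)
    if profile & FORBID_UNASSIGNED:
        for ch in prepared:
            if unicodedata.category(ch) == "Cn":
                raise ValueError("unassigned code point U+%04X" % ord(ch))
    return prepared.encode("utf-8")


def select_profile(props: dict) -> int:
    """Mirror of the proposed PlainSaslClientFactory change: use the
    non-normalizing profile only when the property is set to "true";
    the default keeps today's PROFILE_SASL_STORED behaviour."""
    skip = str(props.get(SKIP_NORMALIZATION, "false")).lower() == "true"
    return PROFILE_SASL_STORED_NO_NORMALIZE if skip else PROFILE_SASL_STORED


def code_points(data: bytes) -> list:
    """Decode UTF-8 and list the code points as U+XXXX strings."""
    return ["U+%04X" % ord(c) for c in data.decode("utf-8")]


if __name__ == "__main__":
    password = "\u00a8"  # constructed: the diaeresis password from the report
    for label, props in (("default", {}), ("skip", {SKIP_NORMALIZATION: "true"})):
        sent = string_prep(password, select_profile(props))
        print(label, code_points(sent),
              "matches stored password:", sent == password.encode("utf-8"))
```

With the default profile the client sends U+0020 U+0308 for a password whose stored value is U+00A8, so the directory rejects the bind; with the property set the bytes on the wire equal the original password. The other profile steps (space mapping, rejecting unassigned code points) are left in place so the change is limited to the normalization step, as the comment proposes.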



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
