Hi,

I was browsing the digest-md5 code, and found the following piece of code in make_client_response() (and in other places):

    if (strcmp(oparams->user, oparams->authid)) {
        if (add_to_challenge(params->utils, &text->out_buf, &text->out_buf_len, &resplen,
                             "authzid", (char *) oparams->user, TRUE) != SASL_OK) {
            result = SASL_FAIL;
            goto FreeAllocatedMem;
        }
    }

Does this mean that Cyrus compares the authorization id against the authentication id, and doesn't add it to the challenge if they are equal? If so, why is this done? Because Section 5 of RFC2222bis says that "A protocol profile MUST specify the form of the authorization identity (since it is protocol specific, as opposed to the authentication identity, which is mechanism specific) and how authorization identities are to be compared.", so comparing authorization and authentication ids sounds illegal in the first place.

thanks,
Remko
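To make the effect of that strcmp() guard concrete, here is an added example (not Cyrus SASL code; append_directive, build_client_response, get_directive and effective_authzid are hypothetical names) that builds the username/authzid part of a DIGEST-MD5 client response the same way and then shows what a server recovers from it: the authzid directive only appears on the wire when it differs from the authentication id, and when it is absent the server falls back to the username.

```c
#include <string.h>

/* Append key="value" to a comma-separated DIGEST-MD5 directive list.
 * Hypothetical stand-in for the add_to_challenge() call in the quoted code. */
static void append_directive(char *buf, size_t buflen, const char *key, const char *value)
{
    if (buf[0] != '\0') strncat(buf, ",", buflen - strlen(buf) - 1);
    strncat(buf, key, buflen - strlen(buf) - 1);
    strncat(buf, "=\"", buflen - strlen(buf) - 1);
    strncat(buf, value, buflen - strlen(buf) - 1);
    strncat(buf, "\"", buflen - strlen(buf) - 1);
}

/* Client side: username is always sent; authzid only when it differs from the
 * authentication id, mirroring the strcmp() guard quoted from make_client_response(). */
void build_client_response(char *buf, size_t buflen, const char *authid, const char *user)
{
    buf[0] = '\0';
    append_directive(buf, buflen, "username", authid);
    if (strcmp(user, authid) != 0)
        append_directive(buf, buflen, "authzid", user);
}

/* Server side: copy the quoted value of `key` out of the response; returns 1 if present. */
int get_directive(const char *resp, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = resp;
    while ((p = strstr(p, key)) != NULL) {
        /* only accept a match at the start of a directive that is followed by =" */
        if ((p == resp || p[-1] == ',') && p[klen] == '=' && p[klen + 1] == '"') {
            const char *v = p + klen + 2;
            const char *end = strchr(v, '"');
            if (end == NULL || (size_t)(end - v) >= outlen) return 0;
            memcpy(out, v, (size_t)(end - v));
            out[end - v] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Identity the server should authorize: authzid when sent, otherwise the username,
 * since an omitted authzid means "act as the authenticated user". */
int effective_authzid(const char *resp, char *out, size_t outlen)
{
    if (get_directive(resp, "authzid", out, outlen)) return 1;
    return get_directive(resp, "username", out, outlen);
}
```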