QPID-3158

.NET 0-8 clients fail to connect with some valid passwords

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: M2.1, M3, M4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 0.11
    • Fix Version/s: 0.11
    • Component/s: Dot Net Client, Java Broker
    • Labels:
      None
    • Environment:

      Qpid .NET 0-8 client

      Description

      There is a defect in the CRAM MD5 Hex SASL mechanism within the Qpid broker that prevents some passwords from being used to connect from the Qpid 0-8 .NET client. The defect does not affect authentications using the same password from the Java client as it connects using a different SASL mechanism.

      The defect seemingly affects about 30% of all possible passwords. It shows no bias towards strong/weak passwords as the defect in the mechanism is after the cleartext has been MD5 digested.

      The client sees a 503 exception (Apache.Qpid.Client.AMQAuthenticationException: not allowed) from the new AMQConnection(QpidConnectionInfo) constructor.

        Activity

        Keith Wall created issue -
        Keith Wall added a comment -

        This is a patch that addresses the issue on the trunk. It includes a unit test for the CRAM-MD5-HEX mechanism.

        Keith Wall made changes -
        Field Original Value New Value
        Attachment 0001-QPID-3158-Defect-in-the-CRAM-MD5-HEX-mechanism-CRAMM.patch [ 12474206 ]
        Keith Wall added a comment -

        This is a patch that addresses the issue on the 0-5 branch. It includes a unit test for the CRAM-MD5-HEX mechanism. It also includes a qpid-password-check tool that can be used to determine if a password will fall foul of this defect.

        Keith Wall made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Keith Wall added a comment -

        This is a patch that addresses the issue on the trunk. It includes a unit test for the CRAM-MD5-HEX mechanism. (Re-uploaded with unique filename)

        Keith Wall made changes -
        Attachment 0001-QPID-3158-Defect-in-the-CRAM-MD5-HEX-mechanism-CRAMM.patch [ 12474206 ]
        Robbie Gemmell added a comment -

        Patches applied.

        Robbie Gemmell made changes -
        Fix Version/s 0.11 [ 12316272 ]
        Affects Version/s 0.8 [ 12315477 ]
        Affects Version/s 0.7 [ 12314455 ]
        Affects Version/s 0.6 [ 12313728 ]
        Affects Version/s M4 [ 12313279 ]
        Affects Version/s M3 [ 12312117 ]
        Affects Version/s M2.1 [ 12312720 ]
        Affects Version/s 0.9 [ 12315382 ]
        Affects Version/s 0.10 [ 12316273 ]
        Robbie Gemmell made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Assignee Keith Wall [ k-wall ] Robbie Gemmell [ gemmellr ]
        Resolution Fixed [ 1 ]
        Justin Ross made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Robbie Gemmell
            Reporter:
            Keith Wall