Security Advisories (1)
CVE-2025-40919 (2025-07-16)

Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."
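The difference between the construction this advisory describes and a cnonce drawn from the operating system's CSPRNG, as an added example (not code from Authen::DigestMD5 or its author). The function names, the ':' join format, the fixed seed and the sample timestamp are assumptions made for illustration, and the hardened version assumes a Unix-like system that provides /dev/urandom.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern named in the advisory: MD5 over PID, epoch time and rand().
# The join format is an assumption; the three inputs are the ones the advisory lists.
sub weak_cnonce {
    my ($pid, $time, $rand) = @_;
    return md5_hex(join ':', $pid, $time, $rand);
}

# Hardened pattern: bytes from the kernel CSPRNG, hex-encoded.
# Defaults to 16 bytes (128 bits); refuses anything under the 64 bits
# that RFC 2831 recommends.
sub strong_cnonce {
    my ($bytes) = @_;
    $bytes //= 16;
    die "cnonce needs at least 8 random bytes (64 bits)\n" if $bytes < 8;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!\n";
    my $got = read($fh, my $buf, $bytes);
    close $fh;
    die "short read from /dev/urandom\n"
        unless defined $got && $got == $bytes;
    return unpack 'H*', $buf;
}

# Hashing adds no entropy: the same PID, second and PRNG state always
# produce the same cnonce. The seed and timestamp below are constructed values.
my $sample_time = 1752624000;
srand(42); my $first  = weak_cnonce($$, $sample_time, rand);
srand(42); my $second = weak_cnonce($$, $sample_time, rand);
printf "weak   #1: %s\nweak   #2: %s\n", $first, $second;
print  "weak cnonce repeats for identical inputs: ",
       ($first eq $second ? "yes" : "no"), "\n";

# Two CSPRNG draws share no inputs a caller could reproduce.
my ($c1, $c2) = (strong_cnonce(), strong_cnonce());
printf "strong #1: %s\nstrong #2: %s\n", $c1, $c2;
print  "strong cnonce repeats: ", ($c1 eq $c2 ? "yes" : "no"), "\n";
```

Both outputs are 32 hex characters, so the length of a cnonce says nothing about how it was generated; only the source of the input bytes matters.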

NAME

Authen::DigestMD5 - SASL DIGEST-MD5 authentication (RFC2831)

SYNOPSIS

  use Authen::DigestMD5;

  use OnLDAP;

  # start the SASL bind and fetch the server's DIGEST-MD5 challenge
  $ld=OnLDAP::Client->new($host);
  ($rc, $id)=$ld->sasl_bind(undef, 'DIGEST-MD5');
  ($rc, $msg)=$ld->result($id);
  ($rc, $req)=$ld->parse_sasl_bind_result($msg);

  # parse the challenge and build the response to it
  print "IN: |$req|\n";
  my $request=Authen::DigestMD5::Request->new($req);
  my $response=Authen::DigestMD5::Response->new;
  $response->got_request($request);
  $response->set(username => $user,
                 realm => $realm,
                 'digest-uri' => "ldap/$host");
  $response->add_digest(password=>$passwd);
  my $res=$response->output;
  print "OUT: |$res|\n";

  # send the response and read the server's final message
  ($rc, $id)=$ld->sasl_bind(undef, 'DIGEST-MD5', $res);
  ($rc, $msg)=$ld->result($id);
  ($rc, $req)=$ld->parse_sasl_bind_result($msg);

  # check the authentication token returned by the server
  $request->input($req);
  print $request->auth_ok ? "AUTH OK\n" : "AUTH FAILED\n";

ABSTRACT

This module supports DIGEST-MD5 SASL authentication as defined in RFC 2831.

DESCRIPTION

This module implements three classes:

Authen::DigestMD5::Packet

base class implementing common methods to process SASL DIGEST-MD5 strings or objects:

Authen::DigestMD5::Packet->new(%props)
Authen::DigestMD5::Packet->new($input, %props)

create a new object with the properties in %props. If $input is passed it is parsed and the values obtained from it added to the object.

$pkt->input($input)

parses the properties in the string $input and adds them to the object.

$pkt->output()

packs all the properties of the object into a string suitable for sending to a SASL DIGEST-MD5 server or client.

$pkt->set($k1=>$v1, $k2=>$v2, ...)
$pkt->set(%props)

sets object properties.

($v1, $v2, ...)=$pkt->get($k1, $k2, ...)

gets object properties.

$pkt->reset()

clears public object properties. Some internal properties like nc counters are retained.

Authen::DigestMD5::Request

class to represent SASL DIGEST-MD5 requests as obtained from a server.

$req->auth_ok()

returns a true value if the request object contains a valid authentication token.

Authen::DigestMD5::Response

class to represent and generate SASL DIGEST-MD5 responses suitable for sending to a server.

$res->got_request($req)

adds to the response object $res certain properties generated from those of the request $req.

$res->add_digest(password => $password)

adds the response property containing the MD5 digest to the response object.

SEE ALSO

Be sure to look at Authen::SASL because it is very likely that it is what you are looking for (Authen::DigestMD5 is only suitable when you need finer control over the authentication procedure).

SASL DIGEST-MD5 RFC: http://www.ietf.org/rfc/rfc2831.txt

AUTHOR

Salvador Fandiño, <sfandino@yahoo.com>

COPYRIGHT AND LICENSE

Copyright 2003 by Salvador Fandiño.

Portions of this module have been copied from the Authen::SASL package by Graham Barr.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
