SASL fails to send success-with-additional-data

Bug #582040 reported by darkrain42
Affects: Jabberd
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

jabberd2 2.2.9 using gsasl (though the cyrus sasl glue contains the same bug) fails to include the SASL "additional data" (see http://tools.ietf.org/html/rfc2222#section-5.2 and http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-08#section-6.2.10) for mechanisms that provide it (this is all on a c2s connection).

This is bad because it ends up dropping actual data from the DIGEST-MD5 and SCRAM (http://sn.im/sasl-scram) mechanisms, in which the server sends a success-with-data to the client that allows the client to verify the server's identity (as best as I can tell, this data isn't optional in DIGEST-MD5 and I'm nearly certain it's non-optional with SCRAM). Previously (jabberd2 2.1 series), the server sent the success data as another roundtrip (so "<challenge>rspauth</challenge>", then the client responds with "<response/>", then the server sent an empty "<success/>"), so this issue never manifested itself.

Most XMPP clients (well, I looked at Gajim and Psi) don't validate the DIGEST-MD5 rspauth, but this causes issues for Pidgin, which does, and thus refuses to connect to a jabberd2 server.

I've attached a(n anonymized) log.
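As an added illustration (not code from the bug report or from jabberd2), this is the SCRAM-SHA-1 exchange the report refers to: the server-final message ("v=...") is carried as base64 additional data inside <success>, and a client that verifies the server's identity has to reject an empty <success/> because there is nothing to check. It uses the test vector from RFC 5802 section 5; the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def _hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def scram_sha1_client_final(username, password, client_nonce, server_first):
    """Build the client-final-message and the server signature the client
    must later find inside <success>. RFC 5802, SCRAM-SHA-1, no channel binding."""
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    nonce, salt, iters = attrs["r"], base64.b64decode(attrs["s"]), int(attrs["i"])
    if not nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    client_first_bare = f"n={username},r={client_nonce}"
    client_final_bare = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    salted_pw = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iters)
    client_key = _hmac_sha1(salted_pw, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = _hmac_sha1(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_sig = _hmac_sha1(_hmac_sha1(salted_pw, b"Server Key"), auth_message)
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"
    return client_final, base64.b64encode(server_sig).decode()


def success_stanza(server_final):
    """What a correct server sends: the server-final-message as base64 additional
    data inside <success>, instead of a separate <challenge>/<response> round trip."""
    data = base64.b64encode(server_final.encode()).decode()
    return f"<success xmlns='{SASL_NS}'>{data}</success>"


def client_accepts_success(stanza, expected_server_sig_b64):
    """Client-side check. An empty <success/> (the behaviour described in the report)
    is rejected: without the server signature the server's identity cannot be verified."""
    m = re.fullmatch(rf"<success xmlns='{SASL_NS}'>([A-Za-z0-9+/=]+)</success>", stanza)
    if m is None:
        return False
    first_attr = base64.b64decode(m.group(1)).decode().split(",")[0]
    if not first_attr.startswith("v="):
        return False  # "e=" (server error) or anything unexpected
    return hmac.compare_digest(first_attr[2:], expected_server_sig_b64)
```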

Tomasz Sterna (smoku)
Changed in jabberd2:
importance: Undecided → High
status: New → Confirmed
Tomasz Sterna (smoku) wrote :

Although it's not strictly a duplicate of Bug 899284, the root cause is the same.
