powered by Jive Software

Bug in SASL Md5 use of authzid?

Hi, all.

I’'ve been using your latest rendition of Wildfire for the last few weeks, and I have been really impressed by the robstness and quality. I really love it.

I have stumbled upon a problem this weekend, which took me a day of hunting to find.

I wrote an XMPP client with SASL/Md5 authentication, which I have been using on a variety of servers for many months now, but I haven’'t been able to log into Wildfire with it. My client sends the optional authzid field. The error in the Warning log is something like:

DIGEST-MD5: user is not authorized to act as user@host

This SASLException originally comes from a Sun class, DigestMd5Server.java. There is a copy here:

http://www.cs.duke.edu/csed/java/source1.5/src/share/classes/com/sun/security/sa sl/digest/DigestMD5Server.java

The exception comes from the test here, where the username is compared to the received authzid (line 79)

http://www.jivesoftware.org/fisheye/viewrep/svn-org/wildfire/trunk/src/java/org/ jivesoftware/wildfire/net/XMPPCallbackHandler.java?r=3500

IMHO, the problem lies in the straight equality test here:

if (authenId.equals(authorId))

This might be a more robust test:

if ( authenId.equals(authorId) || authorId.startsWith(authenId + “@”) )

or maybe, to be more strict:

if ( authenId.equals(authorId) || authorId.equals(authenId + “@” + host) )

Which can test for both cases, whether the client sends the authzid or not.

This should not be a security problem, since Wildfire is not vouching for other

domains.

This may seem overkill, but other servers can handle both conditions just fine.

Thanks again for this excellent server.