phpBB 3.2.6 integration with OpenFire 4.4.4 (or 4.0.3)

I’m trying out phpBB’s XMPP integration with OpenFire and I’m seeing an error. Here’s the transaction ladder:

phpBB: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'/>

OF: <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">DATA</challenge>

phpBB: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>DATA</response>

OF: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

I’ve seen several other posts on OF and phpBB boards about this issue, but no definitive solution.

The account is pre-initialized and the password is known valid.

Anyone have this integration working?

This is not so much an error, other than that authentication is failing. Try authenticating with the same username/password using a regular XMPP client, and see if Openfire accepts that.

Yup, it seems pretty obviously a credential issue, but the same username and password work fine in Psi. Could it be a mismatch in the format of the hashed credential string? For instance, could phpBB be hashing local-part@domain-part:password, but Openfire is expecting the hash of a different format credential string?

The SASL DIGEST-MD5 mechanism is well defined. I can’t imagine that Openfire has this wrong, as it has been used by many clients of many different vendors for almost two decades. I am not familiar with phpBB’s implementation. Maybe something is off there?

I see that (reading RFC 2851)…

I guess it could be a bug in phpBB, but I’d think I’d be seeing many more posts with similar issues cropping up in other implementation pairs. So far this particular issue seems to have a nexus with phpBB and OpenFire.

Is clock synchronization required for DIGEST-MD5? The peer clocks are within 1 second but they are set in different TZ (one in UTC and other in PDT).

It’s been a while, but I don’t think that there’s a time-based component in DIGEST-MD5. The RFC that you’re referencing seems to be wrong. I think you mean https://tools.ietf.org/html/rfc2831 instead. Here’s an explanation that’s more specific to XMPP: https://wiki.xmpp.org/web/SASL_and_DIGEST-MD5

My guess is that PHPBB sends a malformed request. Maybe it includes the XMPP domain as part of the username, something like that.

Here’s the Base64 decode from an exchange for JID phpbb@ircgw.dibella.net hostname ircgw.dibella.net:

OF: realm="ircgw.dibella.net",nonce="wlQnyYSzsvOm6fL1R0pqjhGI8hkc8hRmblQBrKjd",qop="auth",charset=utf-8,algorithm=md5-sess

phpBB: username="phpbb",response="7027425a3a06e0a58f91e292d1ff4295",charset="utf-8",nc="00000001",qop="auth",nonce="wlQnyYSzsvOm6fL1R0pqjhGI8hkc8hRmblQBrKjd",digest-uri="xmpp/ircgw.dibella.net",realm="ircgw.dibella.net",cnonce="NTMyMDM2OTA0MzNkYzc3YzE2MmQxMzIxYWZmMGI0NDg="

Anything look awry?

I see that the OF specifies charset=utf-8, but phpBB sends charset="utf-8"… could this discrepancy in how the charset is negotiated be an issue?
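As an added worked example (not code from this thread, phpBB or Openfire), here is the RFC 2831 computation both ends perform, fed the challenge and cnonce decoded above. The password and the server's user store are constructed assumptions; the example also shows that quoted and bare charset values parse alike, and what happens when the username carries the domain.

```python
import hashlib
import hmac

# Challenge/cnonce copied from the decoded exchange above; password and user store constructed.
CHALLENGE = ('realm="ircgw.dibella.net",nonce="wlQnyYSzsvOm6fL1R0pqjhGI8hkc8hRmblQBrKjd",'
             'qop="auth",charset=utf-8,algorithm=md5-sess')
CNONCE = "NTMyMDM2OTA0MzNkYzc3YzE2MmQxMzIxYWZmMGI0NDg="
DIGEST_URI = "xmpp/ircgw.dibella.net"
ACCOUNTS = {"phpbb": "constructed-test-password"}

def parse_digest(text):
    """Split a DIGEST-MD5 key=value list; charset="utf-8" and charset=utf-8 parse alike."""
    fields = {}
    for part in text.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields

def digest_md5(username, realm, password, nonce, cnonce, nc, qop, digest_uri,
               charset="utf-8", rspauth=False):
    """RFC 2831 response-value (or the server's rspauth) for qop=auth, md5-sess."""
    enc = "utf-8" if charset.lower() == "utf-8" else "iso-8859-1"
    h = lambda b: hashlib.md5(b).digest()      # raw 16-byte hash
    hx = lambda b: hashlib.md5(b).hexdigest()  # HEX(H(...))
    # A1 = H(username:realm:passwd) : nonce : cnonce -- the first hash stays binary
    a1 = h(f"{username}:{realm}:{password}".encode(enc)) + f":{nonce}:{cnonce}".encode(enc)
    # A2 = "AUTHENTICATE:" digest-uri for the client; rspauth uses an empty method
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    return hx(f"{hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hx(a2.encode(enc))}".encode(enc))

def build_response(username, password, challenge=CHALLENGE, quote_charset=True):
    """Client side: answer the challenge in the same field layout phpBB sent."""
    c = parse_digest(challenge)
    resp = digest_md5(username, c["realm"], password, c["nonce"], CNONCE, "00000001",
                      "auth", DIGEST_URI, c.get("charset", "iso-8859-1"))
    charset = '"utf-8"' if quote_charset else "utf-8"
    return (f'username="{username}",response="{resp}",charset={charset},nc="00000001",'
            f'qop="auth",nonce="{c["nonce"]}",digest-uri="{DIGEST_URI}",'
            f'realm="{c["realm"]}",cnonce="{CNONCE}"')

def server_verify(response, challenge=CHALLENGE, accounts=ACCOUNTS):
    """Server side: look up the bare username, recompute, compare in constant time.
    Unknown username (e.g. with domain), stale nonce or wrong password -> not-authorized."""
    c, r = parse_digest(challenge), parse_digest(response)
    if r.get("username") not in accounts or r.get("nonce") != c["nonce"]:
        return False
    expected = digest_md5(r["username"], r["realm"], accounts[r["username"]], r["nonce"],
                          r["cnonce"], r["nc"], r["qop"], r["digest-uri"],
                          r.get("charset", c.get("charset", "iso-8859-1")))
    return hmac.compare_digest(expected, r["response"])
```

Because the response is a hash over username, realm, digest-uri and both nonces, any of those differing between the two ends (the server storing "phpbb" while the client hashes "phpbb@ircgw.dibella.net", for instance) yields a well-formed response that the server still rejects, exactly the ladder shown at the top of the thread.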

No joy. I found the place in the php code where the quotes are added and modified the code to pass the parameter as charset=utf-8 without quotes. Same result.

I can’t immediately spot a problem with that decoded text that phpBB sends. It looks close to what I get when logging in with Smack, forcing DIGEST-MD5.

You can try this code to see exactly what Smack does. Maybe that’ll give you an idea:

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.SmackConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;

import java.time.Duration;

public class DebugClient
{
    public static void main( String[] args ) throws Exception
    {
        // Make stanzas be printed to std-out.
        SmackConfiguration.DEBUG = true;

        final XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain("example.org")
                .setHost("host.example.org")
                .setUsernameAndPassword("username", "password")
                .addEnabledSaslMechanism("DIGEST-MD5")
                .setSecurityMode(ConnectionConfiguration.SecurityMode.disabled);

        final XMPPTCPConnection connection = new XMPPTCPConnection(builder.build());
        try
        {
            connection.connect();
            connection.login();
            Thread.sleep(Duration.ofSeconds(2).toMillis());
        }
        finally
        {
            connection.disconnect();
        }
    }
}

I’ll take a look.

My confidence in the currency of this piece of the phpBB code has withered after further testing and code review yesterday. I did a code review of the module as well as pcap comparisons of the auth exchange between Psi and phpBB and see numerous differences in implementation.

I tried to test the integration against three other public XMPP server implementations and none would accept the auth exchange from phpBB. Two failed because they only support connections to port 5222 and require TLS, and the phpBB code does not support STARTTLS. The other accepted 5223 but negotiated PLAIN and the phpBB code failed even with plaintext-over-secure-channel.

I even rewrote the entire section of the phpBB code that generates the response token, following the pseudocode in the article you provided.

DIGEST-MD5 is obsolete…it is clear this integration hasn’t been updated in a long time. I doubt this feature of phpBB is in widespread use among the user base.

Guus, thanks very much for your help with this. Mike
