possible XMPP SASL bug?

Joe Hildebrand joe.hildebrand at webex.com
Mon May 3 21:38:48 UTC 2010 

Attached.  Line to focus on:

15:35:58: <ESPurpleJabberAccount:385a9c0 2>:testuser at webex.com: Disconnected
("SASL authentication failed"): Automatically reconnecting in 5.000000
seconds (0 attempts performed)



On 5/3/10 3:03 PM, "Evan Schoenberg, M.D." <evan at adium.im> wrote:

> 
> On May 3, 2010, at 3:49 PM, Joe Hildebrand wrote:
> 
>> This *almost* works.  The error is now correct, but we shouldn't
>> auto-reconnect if the password was bad.
> 
> I agree; however, code is already in place which should be handling that.
> Please post debug logging of sending an incorrect password and not getting
> prompted to enter a correct one.
> 
> -Evan
> 
>> 
>> 
>> On 5/3/10 2:30 PM, "Evan Schoenberg, M.D." <evan at adium.im> wrote:
>> 
>>> 
>>> On May 3, 2010, at 11:42 AM, David Smith wrote:
>>> 
>>>> I'd be happy to check if I can still connect to iChat Server if someone
>>>> gives
>>>> me a patched Adium.
>>> 
>>> 
>>> I should have checked the code instead of the ticket; I left later-me some
>>> good details there.
>>> jabber_auth_start_cyrus() for us includes:
>>> {
>>> /* We have no mechs which can work.
>>> * Try falling back on the old jabber:iq:auth method. We get here if the
>>> server
>>> supports
>>> * one or more sasl mechs, we are compiled with cyrus-sasl support, but we
>>> support or can connect with none of
>>> * the offerred mechs. jabberd 2.0 w/ SASL and Apple's iChat Server 10.5 both
>>> handle and expect
>>> * jabber:iq:auth in this situation.  iChat Server in particular offers SASL
>>> GSSAPI by default, which is often
>>> * not configured on the client side, and expects a fallback to
>>> jabber:iq:auth
>>> when it (predictably) fails.
>>> *
>>> * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure
>>> is
>>> wrong. However,
>>> * I believe this refers to actual authentication failure, not a simple lack
>>> of
>>> concordant mechanisms.
>>> * Doing otherwise means that simply compiling with SASL support renders the
>>> client unable to connect to servers
>>> * which would connect without issue otherwise. -evands
>>> */
>>> js->auth_mech = NULL;
>>> jabber_auth_start_old(js);
>>> return JABBER_SASL_STATE_CONTINUE;
>>> }
>>> 
>>> 
>>> However, elsewhere in auth_cyrus, jabber_cyrus_handle_failure() has what
>>> appears to be better logic:
>>> 
>>> if (tried_gssapi_first) {
>>> /* If we tried GSSAPI first, it failed, and it was our only shot, try
>>> jabber:iq:auth
>>> * for compatibility with iChat 10.5 Server.
>>> *
>>> * iChat Server 10.5  offers SASL GSSAPI by default, which is often
>>> * not configured on the client side, and expects a fallback to
>>> jabber:iq:auth
>>> when it (predictably) fails.
>>> *
>>> * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure
>>> is
>>> wrong. However,
>>> * I believe this refers to actual authentication failure, not a simple lack
>>> of
>>> concordant mechanisms.
>>> * Doing otherwise means that simply compiling with SASL support renders the
>>> client unable to connect to servers
>>> * which would connect without issue otherwise. -evands
>>> */
>>> sasl_dispose(&js->sasl);
>>> js->sasl = NULL;
>>> js->auth_mech = NULL;
>>> jabber_auth_start_old(js);
>>> return JABBER_SASL_STATE_CONTINUE;
>>> }
>>> 
>>> (comments expanded just-now by me).
>>> In im.pigin.adium.1-4's 2fcd834324b05d3becf6878db8ce1c474578e720 I have
>>> removed the former, aggressive behavior and left the latter.  I think this
>>> should solve the problem presented while maintaining the workaround for
>>> iChat
>>> Server 10.5's apparent wrongness.
>>> 
>>> 
>>> This is committed in adium-1.4's [6534647aece5289a0e5ac90c012bcbf75e3918f3].
>>> 
>>> A build for testing is uploaded at
>>> http://adiumx.cachefly.net/Adium_1.4b18-noJabberHack.dmg
>>> 
>>> The downgrade attack Joe mentions does still exist, but now if and only if
>>> ((GSSAPI is the only offered SASL mech) && (GSSAPI fails)).  Further
>>> improvement would be a prompt as described in that setting; patches welcome.
>>> 
>>> Look forward to any feedback.
>>> 
>>> -Evan
>> 
>> -- 
>> Joe Hildebrand
>> 
>> 
> 
> 

-- 
Joe Hildebrand

-------------- next part --------------
A non-text attachment was scrubbed...
Name: recon.log
Type: application/octet-stream
Size: 14258 bytes
Desc: not available
URL: <http://adium.im/pipermail/devel_adium.im/attachments/20100503/bf91f543/attachment.obj>

More information about the devel mailing list