#729 mod_sasl sends incorrect success auth message

Reporter Andrey
Owner Zash
Created
Updated
Stars ★★ (2)
Tags
  • Priority-Medium
  • Type-Defect
  • Status-Invalid
  1. Andrey on

    function build_reply within SASL authentication module mod_sasl adds "=" sign to empty response. This reply cannot be decoded back from Base64 and processed with Smack library (or any other XMPP library in fact) and fails with "invalid base" exception. Proposed fix: replace "=" sign with empty string. Detailed exception log from Smack XMPP client for a reference:

    08-25 17:04:10.929 18037-18532/ D/SMACK: SENT (0): <stream:stream xmlns='jabber:client' to='example.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='user@example.com' xml:lang='en'>
    08-25 17:04:10.958 18037-18533/ D/SMACK: RECV (0): <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' from='example.com' id='150e9ad5-8cb0-4bb3-a6ae-a3d7956fda97' version='1.0' xmlns='jabber:client'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
    08-25 17:04:10.958 18037-18532/ D/SMACK: SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
    08-25 17:04:10.987 18037-18533/ D/SMACK: RECV (0): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
    08-25 17:04:11.142 18037-18532/ D/SMACK: SENT (0): <stream:stream xmlns='jabber:client' to='example.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='user@example.com' xml:lang='en'>
    08-25 17:04:11.172 18037-18533/ D/SMACK: RECV (0): <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' from='example.com' id='5fdec49e-eb78-40f7-985e-9852999f30d4' version='1.0' xmlns='jabber:client'><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms></stream:features>
    08-25 17:04:11.173 18037-18530/ D/RoosterConnection: Connected Successfully
    08-25 17:04:11.174 18037-18532/ D/SMACK: SENT (0): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>cGFzc3dvcmQx</auth>
    08-25 17:04:11.204 18037-18533/ D/SMACK: RECV (0): <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>=</success>
    08-25 17:04:11.204 18037-18532/ D/SMACK: SENT (0): <stream:stream xmlns='jabber:client' to='example.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='user@example.com' id='5fdec49e-eb78-40f7-985e-9852999f30d4' xml:lang='en'>
    08-25 17:04:16.176 18037-18530/ D/RoosterConnectionService: Something went wrong while connecting ,make sure the credentials are right and try again
    08-25 17:04:16.176 18037-18530/ W/System.err: org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.
    08-25 17:04:16.176 18037-18530/ W/System.err: at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:250)
    08-25 17:04:16.176 18037-18530/ W/System.err: at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginNonAnonymously(XMPPTCPConnection.java:365)
    08-25 17:04:16.176 18037-18530/ W/System.err: at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:452)
    08-25 17:04:16.176 18037-18530/ W/System.err: at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:410)
    08-25 17:04:16.176 18037-18530/ W/System.err: at java.lang.Thread.run(Thread.java:818)
    08-25 17:04:16.176 18037-18533/ W/art: Long monitor contention event with owner method=void org.jivesoftware.smack.AbstractXMPPConnection.login() from AbstractXMPPConnection.java:400 waiters=0 for 4.972s
    08-25 17:04:16.177 18037-18037/ D/RoosterConnectionService: onDestroy()
    08-25 17:04:16.178 18037-18037/ D/RoosterConnectionService: stop()
    08-25 17:04:16.179 18037-18533/ W/AbstractXMPPConnection: Connection closed with error java.lang.IllegalArgumentException: bad base-64
        at android.util.Base64.decode(Base64.java:161)
        at android.util.Base64.decode(Base64.java:136)
        at android.util.Base64.decode(Base64.java:118)
        at org.jivesoftware.smack.util.stringencoder.android.AndroidBase64Encoder.decode(AndroidBase64Encoder.java:41)
        at org.jivesoftware.smack.util.stringencoder.Base64.decode(Base64.java:86)
        at org.jivesoftware.smack.sasl.SASLMechanism.challengeReceived(SASLMechanism.java:229)
        at org.jivesoftware.smack.SASLAuthentication.challengeReceived(SASLAuthentication.java:328)
        at org.jivesoftware.smack.SASLAuthentication.authenticated(SASLAuthentication.java:347)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1049)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$200(XMPPTCPConnection.java:937)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:952)
        at java.lang.Thread.run(Thread.java:818)

  2. Zash on

    This is the specified encoding of a zero length SASL message. See e.g. http://xmpp.org/rfcs/rfc6120.html#sasl-process-neg-initiate
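The RFC 6120 rule Zash points to is easy to get wrong on the receiving side, as the Smack trace above shows: a lone "=" is not base64 at all, it is the wire encoding of a payload that is present but zero-length, distinct from an element with no text (no payload). The following is an added Python example, written for this page and not code from Prosody, lua-cyrussasl or Smack; all function names are my own, and the sample SASL elements are constructed (the "=" success case mirrors the one in the log). It encodes and decodes SASL element payloads with that distinction made explicit and rejects malformed base64 before any decoder sees it.

```python
"""Encode/decode XMPP SASL element payloads per RFC 6120 section 6.4.2.

Added example; not Prosody, lua-cyrussasl or Smack code.
Three cases are distinguished on the wire:
  - no element text  -> no payload at all (returned as None)
  - a single "="     -> payload present but zero-length (returned as b"")
  - anything else    -> canonical base64 of the payload bytes
"""
import base64
import re
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Canonical base64: standard alphabet, correct "=" padding, length a multiple of 4.
# Checked by hand so behaviour does not depend on how lenient the stdlib decoder is.
_B64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
)


def is_well_formed_sasl_data(text):
    """True if text is a legal SASL payload encoding ("" , "=" or canonical base64)."""
    text = (text or "").strip()
    return text in ("", "=") or bool(_B64_RE.match(text))


def encode_sasl_data(data):
    """Bytes (or None) -> element text. None means 'send no payload'."""
    if data is None:
        return ""
    if len(data) == 0:
        return "="  # RFC 6120: zero-length data MUST be sent as a single "="
    return base64.b64encode(data).decode("ascii")


def decode_sasl_data(text):
    """Element text -> bytes, None for 'no payload'. Raises ValueError on bad base64."""
    text = (text or "").strip()
    if text == "":
        return None
    if text == "=":
        return b""  # the case the Smack trace above fed straight into a base64 decoder
    if not _B64_RE.match(text):
        raise ValueError("malformed base64 in SASL element: %r" % text)
    return base64.b64decode(text)


def parse_sasl_element(xml_text):
    """Parse one SASL element and return (local_name, decoded_payload).

    <failure> carries a condition child rather than data, so its payload is None.
    """
    elem = ET.fromstring(xml_text)
    prefix = "{%s}" % SASL_NS
    if not elem.tag.startswith(prefix):
        raise ValueError("not a SASL element: %s" % elem.tag)
    local = elem.tag[len(prefix):]
    if local == "failure":
        return local, None
    return local, decode_sasl_data(elem.text)


if __name__ == "__main__":
    # Constructed sample exchange: a PLAIN initial response and the two success forms.
    samples = [
        "<auth xmlns='%s' mechanism='PLAIN'>AHVzZXIAcGFzcw==</auth>" % SASL_NS,
        "<success xmlns='%s'>=</success>" % SASL_NS,   # zero-length additional data
        "<success xmlns='%s'/>" % SASL_NS,             # no additional data
    ]
    for s in samples:
        print(parse_sasl_element(s))
```

Note the asymmetry a decoder must preserve: `<success/>` and `<success>=</success>` are both valid and both mean "nothing to process", but only the second is an explicit empty payload, so a client that unconditionally base64-decodes the element text (as in the trace above) will reject a compliant server.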

  3. Andrey on

    Thanks for the link; it looks like for SASL Success with a zero-length response, the "=" character's presence is mandatory. OK, then I've no more questions; I will raise a bug at the Smack repository.

  4. Zash on

    Hm, I don't think SASL PLAIN should be sending any data with success at all, and a quick check of util.sasl.plain suggests that it doesn't. Are you using a custom authentication module?

  5. Zash on

    Changes
    • owner Zash
    • tags Status-Invalid
  6. Andrey on

    I'm using Cyrus SASL module, referenced in prosody docs.

  7. Andrey on

    SASL Debian package details below:

    dpkg -l | grep cyrus
    ii  lua-cyrussasl:i386  1.0.0-4  i386  Cyrus SASL library for the Lua language

  8. Zash on

    Looks like util.sasl_cyrus does the right thing, so it's probably an issue in lua-cyrussasl.

  9. Dan on

    Not only clients using Smack 4.2 but also Empathy won't be able to log in when using Prosody 0.10 with Cyrus SASL authentication. Unfortunately this renders using Cyrus authentication unusable for us.
