Project

General

Profile

Bug #449

Beem Authentication Bug

Added by Anonymous over 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Category:
Communication
Target version:
Start date:
08/12/2012
Due date:
% Done:

0%

Estimated time:
Affected version:
0.1.7
Locale:
Close

Description

Hi All,
So my JID is either in the form of or just 555 (I can't tell) and I'm trying to log into host sub.myname.net with a slightly modified xmpp server, but I don't think that's the problem and I can't seem to figure out what's wrong.. Any help/guidance would be apprciated..

When I set the JID to 555 in Beem (with the option to "Use my full JID as username" in either setting), I see a convo with my XMPP server that is like:

<stream:stream to="555" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' id='0314dcea-1729-4f45-8272-820fb14594f3' from='555' version='1.0'><stream:error><host-unknown xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
<presence id="eU8sz-14" type="unavailable"></presence>
</stream:stream>

When I set my JID to the form of with "Use my full JID as username" off I see something like:

<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" to="sub.myname.net" version="1.0"/>
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' id='1c2d492b-7c31-42d2-8946-bf268981dbeb' from='sub.myname.net' version='1.0'>
<stream:features>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">NTU1NTU1VTlKTnhGb2JCRmp5RW1FSg==</auth>
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>


There, "NTU1NTU1VTlKTnhGb2JCRmp5RW1FSg==" is the base64 encoding of "555555U9JNxFobBFjyEmEJ", with 555 being my JID before the @ and "U9JNxFobBFjyEmEJ" being my example password.

When I set my JID to the form of with "Use my full JID as username" on I see something identical to the previous, except the base64 encoding translates to: "<NULL><NULL>U9JNxFobBFjyEmEJ" (WITH delimiters).

Finally, when I use my Desktop PC and Jabber, using all normal settings, I see something like:

<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" to="sub.myname.net" version="1.0"/>
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' id='24672be6-d751-4928-a750-fbc20cce6e5f' from='sub.myname.net' version='1.0'>
<stream:features>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" xmlns:ga="http://www.google.com/talk/protocol/auth" mechanism="PLAIN" client-uses-full-bind-result="true">NTU1VTlKTnhGb2JCRmp5RW1FSg==</auth>
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

This base64 encoding translates simply into "<NULL>555<NULL>U9JNxFobBFjyEmEJ" with no domain and no duplicated JID. This is the only thing that authenticates successfully against my server.

(Note that I also don't understand how the server is supposed to discern between the end of the JID and the beginning of the password with the auth stanzas from Beem, since they lack the NULL byte delimieters, but maybe I'm missing something..)

Please advise.
Thanks!
Mike

(Note: I've gone and replaced all usernames, passwords and domains for privacy reasons.)

PS:
Looking at RFC 4616 (the spec for PLAIN SASL AUTH), the format of the auth XMPP stanza's base64-encoded contents should be "authzid<NULL>authcid<NULL>password", where the relationship between authzid and authcid are described as follows (sorry if this is remedial.. these are new terms to me):

Upon receipt of the message, the server will verify the presented (in the message) authentication identity (authcid) and password (passwd) with the system authentication database, and it will verify that the authentication credentials permit the client to act as the (presented or derived) authorization identity (authzid).

Looking at my code, it looks like authzid is disregarded. So it seems this whole problem is fixed by allowing some way for the transmitted base64-encoded string to read "noonecares<NULL>555<NULL>U9JNxFobBFjyEmEJ"

Also available in: Atom PDF