- Bug
- Resolution: Fixed
- P4
- 6
- b23
- x86
- linux
- Verified
FULL PRODUCT VERSION :
java version "1.6.0_02"
Java(TM) SE Runtime Environment (build 1.6.0_02-b05)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_02-b05, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
verified on Linux x86 and Linux x86_64, believed to be found on all platforms running Java.
A DESCRIPTION OF THE PROBLEM :
RFC 2831 describes the DIGEST-MD5 SASL mechanism; section 2.2 describes "Subsequent Authentication". Java does not implement "Subsequent Authentication", but it also fails to handle the case where a client attempts it. From the RFC:
"The server receives the "digest-response". If the server does not
support subsequent authentication, then it sends a
"digest-challenge", and authentication proceeds as in initial
authentication."
Java should therefore not throw a SaslException upon an initial token, but should proceed as an initial authentication ignoring the initial token provided.
This was encountered in the Openfire XMPP server when using the Pidgin client (which uses the Cyrus SASL libraries). Some bug reports that may be useful:
http://www.igniterealtime.org/community/message/155314
http://www.igniterealtime.org/issues/browse/JM-1109
http://developer.pidgin.im/ticket/2095
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Install Openfire (see http://www.igniterealtime.org/)
2. Install Pidgin
3. Connect to Openfire with Pidgin
4. Disconnect from Openfire, but do not exit Pidgin
5. Reconnect to Openfire.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Pidgin reconnects to Openfire
ACTUAL -
Failure to connect. Openfire logs report a SaslException due to the initial token from Pidgin.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
javax.security.sasl.SaslException: DIGEST-MD5 must not have an initial response
at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.wildfire.net.SASLAuthentication.handle(SASLAuthentication.java:205)
at org.jivesoftware.wildfire.net.SocketReadingMode.authenticateClient(SocketReadingMode.java:117)
at org.jivesoftware.wildfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:136)
at org.jivesoftware.wildfire.net.BlockingReadingMode.run(BlockingReadingMode.java:62)
at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:123)
at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
A temporary workaround for Openfire is to strip the initial token off DIGEST-MD5 auth packets before creating the SaslServer object.
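The following is an added illustration of that workaround, not code from Openfire or from the JDK. It drives the JDK's own DIGEST-MD5 SaslServer through the standard javax.security.sasl API: when a client opens DIGEST-MD5 with a non-empty initial response (the RFC 2831 section 2.2 "subsequent authentication" case), the server discards the token and asks the mechanism for an ordinary digest-challenge, exactly as the RFC says a server that does not support subsequent authentication should. The server name, the in-memory user table, the sample stale token and the log line are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

/**
 * Added example (not Openfire's or the JDK's code): start DIGEST-MD5 on the
 * server side while tolerating a client that sends an initial response.
 */
public class DigestMd5InitialResponseDemo {

    /** Hypothetical server name and credential store, constructed for the demo. */
    static final String SERVER_NAME = "xmpp.example";
    static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("alice", "correct horse battery staple".toCharArray()); }

    /** Handler the JDK mechanism calls when it validates the client's digest-response. */
    static final CallbackHandler HANDLER = callbacks -> {
        NameCallback name = null;
        PasswordCallback pw = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                name = (NameCallback) cb;
            } else if (cb instanceof PasswordCallback) {
                pw = (PasswordCallback) cb;
            } else if (cb instanceof RealmCallback) {
                ((RealmCallback) cb).setText(SERVER_NAME);
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                // Only allow a user to act as themselves.
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
        if (name != null && pw != null) {
            char[] secret = USERS.get(name.getDefaultName());
            if (secret != null) pw.setPassword(secret);
        }
    };

    /** Result of starting the exchange: the mechanism state plus the challenge to send. */
    static final class Started {
        final SaslServer server;
        final byte[] challenge;
        Started(SaslServer server, byte[] challenge) { this.server = server; this.challenge = challenge; }
    }

    /**
     * initialResponse is whatever the client placed in its auth request (may be
     * empty or null). A non-empty value is dropped, per RFC 2831 section 2.2, so
     * that the mechanism is always started with an empty response.
     */
    static Started startDigestMd5(byte[] initialResponse) throws SaslException {
        Map<String, Object> props = new HashMap<>();
        props.put(Sasl.QOP, "auth");
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "xmpp", SERVER_NAME, props, HANDLER);
        if (server == null) throw new SaslException("no DIGEST-MD5 provider available");

        byte[] token = initialResponse == null ? new byte[0] : initialResponse;
        if (token.length > 0) {
            // Subsequent authentication is not supported: ignore the token and
            // proceed as an initial authentication instead of handing it to
            // evaluateResponse(), which is what produced the reported exception.
            System.err.println("DIGEST-MD5: ignoring " + token.length
                    + "-byte initial response; subsequent authentication not supported");
            token = new byte[0];
        }
        return new Started(server, server.evaluateResponse(token));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the stale digest-response a reconnecting client might send.
        byte[] staleToken = "username=\"alice\",realm=\"xmpp.example\",nonce=\"stale\"".getBytes(StandardCharsets.UTF_8);

        Started s = startDigestMd5(staleToken);
        String challenge = new String(s.challenge, StandardCharsets.UTF_8);
        System.out.println("digest-challenge: " + challenge);
        System.out.println("fresh nonce present: " + challenge.contains("nonce="));
        System.out.println("complete yet: " + s.server.isComplete()); // false: waiting for digest-response
    }
}
```

Compile and run with any JDK that ships the SunSASL provider (`javac DigestMd5InitialResponseDemo.java && java DigestMd5InitialResponseDemo`). The point of the design is that the workaround lives in the server's protocol layer, before `evaluateResponse()` is ever called with client data, so it does not depend on which JDK build the mechanism comes from.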
- duplicates: JDK-6563369 Incorrect handling of DIGEST-MD5 server SASL mechanism (Closed)