Opened 8 years ago

Last modified 6 years ago

#13556 new defect

Error in DIGEST-MD5 implementation

Reported by: kbotc Owned by: deryni
Milestone: Component: XMPP
Version: 2.7.11 Keywords:
Cc:

Description

Hello, I am a developer over with the Adium project and I'd like to point out an error I found.

If you attempt to connect to a server which is authenticating against a domain (Such as an Active Directory), and the domain is hosted on another computer, it will fail to connect via DIGEST-MD5.

The reasoning behind this is libpurple is constructing an invalid digest-uri for the server it is connecting to. It's appending the realm name to the uri instead of the FQDN of the server we're interested in. Any jabber server which verifies that (As it should according to RFC-2831), will deny the connection, as it appears that it is attempting to reach another XMPP host.

Example: http://trac.adium.im/attachment/ticket/14465/Adium_1.4.2nightly_AD_auth.txt Look at line 103 on there. The digest-uri should be: xmpp/ichatserver.example.com (A valid service principal), not xmpp/activedirectory.example.com

Code at fault is /libpurple/protocols/jabber/auth_digest_md5.c:252

It should be the FQDN of the server we are attempting to connect to, not the realm.

Attachments (5)

as-is.txt (2.5 KB) - added by darkrain42 8 years ago.
The status quo -- connects to ejabberd
as-is.2.txt (2.5 KB) - added by darkrain42 8 years ago.
The status quo -- connects to ejabberd
domain-server-hostname.txt (2.1 KB) - added by darkrain42 8 years ago.
xmpp/ejabber.darkrain42.org/xmpp1.hosted.im
server-hostname.txt (2.0 KB) - added by darkrain42 8 years ago.
xmpp/xmpp1.hosted.im
server-hostname-domain.txt (2.1 KB) - added by darkrain42 8 years ago.
xmpp/xmpp1.hosted.im/ejabber.darkrain42.org

Download all attachments as: .zip

Change History (16)

comment:1 follow-up: Changed 8 years ago by darkrain42

This change breaks connecting to ejabberd (various 2.1 branched versions), as does sending xmpp/xmpp1.hosted.im/ejabber.darkrain42.org (for a JID of paul@…).

Both deryni and I are perplexed by this, though (the RFC and ejabberd's source suggest the second should be accepted).

comment:2 Changed 8 years ago by darkrain42

Nor does (for completeness) xmpp/ejabber.darkrain42.org/xmpp1.hosted.im.

comment:3 Changed 8 years ago by kbotc

Reading through ejabberd2.1.7's source, we may need to send the host key value pair as well (even if the comments in ejabberd's source says otherwise). It seems like a poor implementation (Doesn't do DNS checking).

comment:4 Changed 8 years ago by kbotc

I don't see it in the ejabberd source, but the domain name in the "host" value needs to be lowercase or else it will fail.

comment:5 Changed 8 years ago by MagerValp

Being the original reporter over at http://trac.adium.im/ticket/14465 I'm just posting to get on the Cc: list for this bug (why is RSS disabled for this Trac?). If you need more logs or testing, let me know.

comment:6 Changed 8 years ago by rekkanoryo

RSS generates too significant a load on our server for us to be able to leave it on.

Changed 8 years ago by darkrain42

The status quo -- connects to ejabberd

Changed 8 years ago by darkrain42

The status quo -- connects to ejabberd

Changed 8 years ago by darkrain42

xmpp/ejabber.darkrain42.org/xmpp1.hosted.im

Changed 8 years ago by darkrain42

xmpp/xmpp1.hosted.im

Changed 8 years ago by darkrain42

xmpp/xmpp1.hosted.im/ejabber.darkrain42.org

comment:7 Changed 8 years ago by darkrain42

kbotc: I've attached debug logs of the four DIGEST-MD5 negotiations with varying behaviors, from opening stream (post TLS) to either failure or stream restart.

The only one which can connect to ejabberd is the first (digest-uri="xmpp/ejabber.darkrain42.org").

Let me know if you needed more tests/data from these, but as I said, both deryni and I are confused over why "xmpp/xmpp1.hosted.im/ejabber.darkrain42.org" didn't work.

comment:8 Changed 8 years ago by darkrain42

Forgot to mention: I also tested this (xmpp/server name/domain name) against public XMPP servers, the handful running 2.1.x on which I have accounts, and was seeing the same symptoms as on my hosted.im account.

Edit: corrected typo (I had a trailing '/' which was not present in my tests)

comment:9 Changed 8 years ago by kbotc

So, are we to assume this is a bug in ejabberd's implementation? I'm not very good with erlang so I'm not sure if I can point out the error to them.

comment:10 Changed 7 years ago by MagerValp

So did anyone look at the reporter's suggestion that the FQDN should be sent instead of the realm at /libpurple/protocols/jabber/auth_digest_md5.c:252?

comment:11 in reply to: ↑ 1 Changed 6 years ago by adehnert

Replying to darkrain42:

This change breaks connecting to ejabberd (various 2.1 branched versions), as does sending xmpp/xmpp1.hosted.im/ejabber.darkrain42.org (for a JID of paul@…).

It appears that sufficiently recent ejabberd versions should support the Correct digest-uri (https://support.process-one.net/browse/EJAB-1529, https://github.com/processone/ejabberd/commit/983da9c887d6cb64812087cba961dc85f349e1f9). (I haven't tested this, though, just read bugtrackers.)

Note: See TracTickets for help on using tickets.
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!