[JDEV] Differences in SASL realisation in jabberd2 and ejabberd
Peter Saint-Andre
stpeter at jabber.org
Tue Jan 13 13:48:42 CST 2004
On Mon, Jan 12, 2004 at 10:07:18AM +0300, Alexey Nezhdanov wrote:
> Hello. Recently tried to use SASL against ejabberd.
> Found several differences:
> 1) challenge responses.
> jabberd2 response:
> realm="jabber.penza-gsm.ru",nonce="baca3d3c76bab6edb7d7f2736733cf63300f9595",qop=auth,charset=utf-8,algorithm=md5-sess
> ejabberd response:
> nonce="1303694217",qop="auth",charset=utf-8,algorithm=md5-sess
>
> The main problem is that double quotes appear in one case and disappear in
> the other. The worst problem is that I can't find out which case is proper.
> RFC2831 extract:
> snake@sarge:/mnt/hda2/var/lib/cvs/jabberpy2/ietf-docs$ grep qop rfc2831.txt,v
> qop-options = "qop" "=" <"> qop-list <">
> qop-list = 1#qop-value
> qop-value = "auth" | "auth-int" | "auth-conf" |
> qop = "qop" "=" qop-value
> On the other hand here is example challenge from the same RFC:
> S: realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
> response=d388dad90d4bbd760a152321f2143af7,qop=auth
OK, I received clarification about this from one of my SASL guru
friends.
There are two different instances of "qop": the one sent from the server
to the client (or, in s2s, the other server) and the one sent from the
client to the server.
The "qop" sent from the server to the client is a comma-separated list
of qops and must be quoted (even if the list of qops contains only one
qop).
The "qop" sent from the client to the server is a single qop and
therefore is not quoted.
Thus jabberd2 has a bug because it is not quoting the qop list it sends
out.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php
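
An added example, not part of the original thread and not code from jabberd2, ejabberd or jabberpy: a small Python checker for the quoting rule explained in the reply above, run over the two challenges and the client fragment quoted in the thread. The function names parse_directives and check_qop are hypothetical.

```python
import re

# One directive: name "=" (quoted-string | token), then a comma or end of input.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^",\s]+))\s*(?:,|$)')

def parse_directives(text):
    """Split a DIGEST-MD5 directive list into (name, value, was_quoted) tuples."""
    out, pos = [], 0
    while pos < len(text):
        m = _DIRECTIVE.match(text, pos)
        if not m:
            raise ValueError("malformed directive at offset %d" % pos)
        quoted = m.group(2) is not None
        # Undo backslash escapes inside a quoted-string; tokens are taken as-is.
        value = re.sub(r"\\(.)", r"\1", m.group(2)) if quoted else m.group(3)
        out.append((m.group(1).lower(), value, quoted))
        pos = m.end()
    return out

def check_qop(text, from_server):
    """Return (qop values, problems) for a challenge (from_server) or a response."""
    qops, problems = [], []
    for name, value, quoted in parse_directives(text):
        if name != "qop":
            continue
        qops = [q.strip() for q in value.split(",") if q.strip()]
        if from_server and not quoted:
            problems.append("challenge: qop list must be quoted")
        if not from_server and quoted:
            problems.append("response: qop must not be quoted")
        if not from_server and len(qops) != 1:
            problems.append("response: exactly one qop expected")
    return qops, problems

# Sample inputs copied from the messages above.
JABBERD2 = ('realm="jabber.penza-gsm.ru",'
            'nonce="baca3d3c76bab6edb7d7f2736733cf63300f9595",'
            'qop=auth,charset=utf-8,algorithm=md5-sess')
EJABBERD = 'nonce="1303694217",qop="auth",charset=utf-8,algorithm=md5-sess'
CLIENT = 'response=d388dad90d4bbd760a152321f2143af7,qop=auth'

if __name__ == "__main__":
    for label, text, from_server in (("jabberd2", JABBERD2, True),
                                     ("ejabberd", EJABBERD, True),
                                     ("client", CLIENT, False)):
        print(label, check_qop(text, from_server))
```

The checker still returns the qop value for the unquoted jabberd2 challenge, so a client can log the problem as a warning and continue. An unquoted multi-value list such as qop=auth,auth-int cannot be parsed unambiguously and raises ValueError.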