[jdev] SASL debugging
Matthias Wimmer
m at tthias.net
Sat Dec 10 05:47:26 CST 2005
Hi Yves!
Yves Goergen wrote:
>>Yes, there are many characters above U+0100, that are allowed in
>>usernames. What is allowed is defined by a stringprep profile called
>>"nodeprep".
>>Same for the passwords, but using the SASLprep profile.
>>
>>
>Umm... I followed that word and its references but stopped reading all
>of them because after a few lines each I realised I didn't understand a
>word. So I guess I simply assume full Unicode support... The relevant
>parts of the used protocols are UTF-8-encoded, so it should work fine
>anyway.
>
>
I would not recommend this. If you do not want to implement stringprep
yourself, then have a look for a library implementing stringprep on the
platform you are using. (Typically you will find them more easily if you
look for IDN, which uses stringprep with the nameprep profile as well.)
As I wrote in my last mail, stringprep is more than just telling you
which characters are allowed. It also maps some characters to other
characters. If you get multiple messages, presences, or stanzas from the
server, your client cannot know if they are from the same entity, if it
does not stringprep the JID before comparing.
While you might not notice this when using your client against our
present servers (which do pass JIDs in normalized form, but that is no
requirement for the servers), you might already get into real problems
if you do not normalize passwords using the SASLprep profile. Consider
the client user has a password containing the character “ℹ”. SASLprep
normalizes this to “i”. So if you are using DIGEST-MD5 as the SASL
mechanism, you have to calculate a hash of the password. This hash will
be completely different when you (incorrectly) calculate it for the
password still containing “ℹ” instead of “i”. You will not be able to
authenticate using this incorrect hash value.
Tot kijk
Matthias