JDK-6682540

Incorrect SASL DIGEST-MD5 behavior

    Details

    • Subcomponent:
    • Resolved In Build:
      b23
    • CPU:
      x86
    • OS:
      linux
    • Verification:
      Verified

      Description

      FULL PRODUCT VERSION :
      java version "1.6.0_02"
      Java(TM) SE Runtime Environment (build 1.6.0_02-b05)
      Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_02-b05, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      verified on Linux x86 and Linux x86_64, believed to be found on all platforms running Java.

      A DESCRIPTION OF THE PROBLEM :
      RFC 2831 describes the DIGEST-MD5 SASL mechanism. In section 2.2 "Subsequent Authentication" is described. Java does not implement "Subsequent Authentication" but fails to handle the case when a client attempts it. From the RFC:

      "The server receives the "digest-response". If the server does not
         support subsequent authentication, then it sends a
         "digest-challenge", and authentication proceeds as in initial
         authentication."

      Java should therefore not throw a SaslException upon an initial token, but should proceed as an initial authentication ignoring the initial token provided.

      This was encountered in the Openfire XMPP server when using the Pidgin client (which uses the Cyrus SASL libraries). Some bug reports that may be useful:

      http://www.igniterealtime.org/community/message/155314
      http://www.igniterealtime.org/issues/browse/JM-1109
      http://developer.pidgin.im/ticket/2095


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Install Openfire (see http://www.igniterealtime.org/)
      2. Install Pidgin
      3. Connect to Openfire with Pidgin
      4. Disconnect from Openfire, but do not exit Pidgin
      5. Reconnect to Openfire.



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Pidgin reconnects to Openfire
      ACTUAL -
      Failure to connect. Openfire logs report a SaslException due to the initial token from Pidgin.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      javax.security.sasl.SaslException: DIGEST-MD5 must not have an initial response
      at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(Unknown Source)
      at org.jivesoftware.wildfire.net.SASLAuthentication.handle(SASLAuthentication.java:205)
      at org.jivesoftware.wildfire.net.SocketReadingMode.authenticateClient(SocketReadingMode.java:117)
      at org.jivesoftware.wildfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:136)
      at org.jivesoftware.wildfire.net.BlockingReadingMode.run(BlockingReadingMode.java:62)
      at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:123)
      at java.lang.Thread.run(Unknown Source)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      A temporary workaround for Openfire is to strip the initial token off for DIGEST-MD5 auth packets before creating the SaslServer object.
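
      The workaround above, written against the standard javax.security.sasl API as an added example (not Openfire's or the JDK's own code). The class and helper names, the "xmpp" protocol string, the host example.test and the sample token are assumptions, and the code targets a current JDK (lambdas, StandardCharsets).

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

public class DigestMd5InitialTokenWorkaround {
    private static final byte[] EMPTY = new byte[0];

    // Hypothetical helper: discard a client initial response for DIGEST-MD5 only.
    // Other mechanisms (PLAIN, for example) legitimately carry data in it.
    static byte[] sanitizeInitialResponse(String mechanism, byte[] initial) {
        if (initial == null || "DIGEST-MD5".equalsIgnoreCase(mechanism)) {
            return EMPTY;
        }
        return initial;
    }

    public static void main(String[] args) throws SaslException {
        // Constructed sample of a "subsequent authentication" token (RFC 2831, 2.2).
        byte[] token = "username=\"alice\",realm=\"example.test\",nc=00000002"
                .getBytes(StandardCharsets.UTF_8);

        // The demo stops after the challenge step; credential callbacks come later.
        CallbackHandler handler = callbacks -> {
            throw new UnsupportedCallbackException(callbacks[0]);
        };
        SaslServer server = Sasl.createSaslServer(
                "DIGEST-MD5", "xmpp", "example.test", new HashMap<String, Object>(), handler);
        if (server == null) {
            throw new SaslException("DIGEST-MD5 is not available in this runtime");
        }

        // Passing `token` directly is what raised the SaslException in the report.
        // With the token stripped the server issues a fresh digest-challenge,
        // so the client goes through full initial authentication.
        byte[] challenge = server.evaluateResponse(sanitizeInitialResponse("DIGEST-MD5", token));
        System.out.println(new String(challenge, StandardCharsets.UTF_8));
        server.dispose();
    }
}
```

      Restricting the strip to DIGEST-MD5 matters: applying it to every mechanism would break those that send credentials in the initial response.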

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              ndcosta Nelson Dcosta (Inactive)