wokkel.client.XMPPClient cannot authenticate when JID has escaped characters

[jcbrand]

I'm using wokkel.client.XMPPClient to automatically authenticate my site's users to the XMPP server so that their vCards may be set.

However, when I try to authenticate with users who have escaped characters in their JIDs (specifically \40 for @) I get a SASLAuthError.

Twisted gives the following log messages:

Starting factory <twisted.words.protocols.jabber.xmlstream.XmlStreamFactory object at 0xc7f1c90>
SEND: "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='chat.myserver.com' version='1.0'>"
RECV: "<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='4213779102' from='chat.myserver.com' version='1.0' xml:lang='en'>"
RECV: "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism></mechanisms><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='YUDz8u9BV6d/pR9YmuUwklKsq6c='/><register xmlns='http://jabber.org/features/iq-register'/></stream:features>"
SEND: "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'/>"
RECV: "<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>bm9uY2U9IjEyMzc1OTIwNjEiLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=</challenge>"
SEND: "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>dXNlcm5hbWU9IndlYndvcmthZG1pblw0MHN0YXJhbGxpYW5jZS5jb20iLG5vbmNlPSIxMjM3NTkyMDYxIixkaWdlc3QtdXJpPSJ4bXBwL2NoYXQuc3RhcmFsbGlhbmNlLmNvbSIsY2hhcnNldD11dGYtOCxyZWFsbT0iY2hhdC5zdGFyYWxsaWFuY2UuY29tIixxb3A9YXV0aCxjbm9uY2U9IjU3NmU5MDcwMGYxYWZkZWM4N2E5MTAyYTM0ZjBjZWU1IixuYz0wMDAwMDAwMSxyZXNwb25zZT0wMjc2NTVlMWVlYjEzNTExNGQ1MGE5MDVhZTZmMWI5Mg==</response>"
RECV: "<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure>"

Ejabberd's log gives the following output:

=INFO REPORT==== 2013-08-27 16:58:20 ===
I(<0.6053.0>:ejabberd_c2s:733) : ({socket_state,gen_tcp,#Port<0.12456>,<0.6052.0>}) Failed authentication for jeff40myserver.com@chat.myserver.com

=INFO REPORT==== 2013-08-27 16:58:20 ===
D(<0.6053.0>:ejabberd_c2s:1456) : Send XML on stream = <<"<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure>">>

What I find interesting from the ejabberd log is that the escaped character \40 is shown as only 40. This is what made me realise that this has to do with the fact that there is an escaped character in the first place.

Users without escaped characters in their JIDs authenticate fine.

As far as I can tell, my JID is correctly escaped, so I assume this must be a bug somewhere during the authentication routine.

(Pdb) pp jid
JID(u'jeff\\40myserver.com@chat.myserver.com')

I tried to dive into the Wokkel and Twisted code to debug this further but without luck.

Any help would be greatly appreciated.

[jcbrand]

I've now eventually gotten to where the SASL authentication is happening.

In sendResponse of SASLInitiatingInitializer in twisted.words.protocols.jabber.sasl.py, after being challenged by the XMPP server, the following data is sent:

(Pdb) pp data
u'username="jeff\\40myserver.com",nonce="1172501009",digest-uri="xmpp/chat.myserver.com",charset=utf-8,realm="chat.myserver.com",qop=auth,cnonce="efc56d019622aa571e508307e02b2dbd",nc=00000001,response=63d142e6cfd18b9653aaf4a7f3d316c7'

Here the username is still escaped correctly.

I don't find anything wrong with what Wokkel is doing during the authentication so I'm starting to question my previous assumption that this is a bug in Wokkel. Could this be an issue with ejabberd?

[jcbrand]

I used Pidgin to log in to ejabberd with an account that has a special character in it. I was able to authenticate successfully and tailing ejabberd's log showed why.

Decoding the Base64 encoded data in the challenge response stanza sent from Pidgin to the XMPP server, showed the following:

'username="jeff\\\\40myserver.com",realm="chat.myserver.com",nonce="4209400094",cnonce="XsuCL4dl22t+3Iao9tIEdYWVVvTs0Dbzn6cA2kudUFE=",nc=00000001,qop=auth,digest-uri="xmpp/chat.myserver.com",response=ad7e44663abece0e0fb9359354d67281,charset=utf-8'

The escaped @ sign, which is supposed to be escaped to \40 (which is r"\40" or u"\\40" in python), is now escaped to \\\\40.

I quickly hacked sendResponse to change u'\\40' to u'\\\\40' and now authentication works.

Ok, I'm happy it worked, but I don't understand why ejabberd expects there to be two backslashes (4 backslashes when escaped), instead of just one.

XEP-106 dictates that @ must be escaped to \40.

Any idea why this is might be the case? Also, I'm not sure what the fix should look like.

[ralphm]

Hi @jcbrand!

I found this bug https://support.process-one.net/browse/EJAB-81, but that's for pretty old versions of ejabberd. Which version are you talking against?

[jcbrand]

Hi @ralphm :)

I'm using 2.1.5 (which comes with debian squeeze). The ticket you mention points to this one (https://support.process-one.net/browse/EJAB-1006) where the user Badlop reports an issue that looks basically the same.

That ticket is filed against an older version and they rejected it :o/

I've implemented a crude workaround for now and will sometime check against a newer version of ejabberd.

I'm not sure whether anything should be done about this in Wokkel, so I guess you can close this ticket for now.

Thanks!

[ralphm]

Hmm. Yeah, I think trying to solve this in Wokkel might introduce problems for others. Thanks for the report anyway.