
1159:f81c8cec0e71

Adding minimal support for authorization identities to workaround buggy SASL implementations.
author Tobias Markmann <tm@ayena.de>
date Fri, 15 May 2009 17:24:52 +0200
parents 1158:7d1e4fc1ee6d
children 1160:7e48324f946e
files util/sasl.lua
diffstat 1 files changed, 11 insertions(+), 2 deletions(-) [+]
--- a/util/sasl.lua	Fri May 15 17:05:26 2009 +0200
+++ b/util/sasl.lua	Fri May 15 17:24:52 2009 +0200
@@ -203,8 +203,17 @@
 			local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5", decoder)
 			if Y == nil then return "failure", "not-authorized"
 			elseif Y == false then return "failure", "account-disabled" end
-			
-			local A1 = Y..":"..response["nonce"]..":"..response["cnonce"]--:authzid
+			local A1 = "";
+			if response.authzid then
+				if response.authzid == self.username.."@"..self.realm then
+					log("warn", "Client is violating XMPP RFC. See section 6.1 of RFC 3920");
+					A1 = Y..":"..response["nonce"]..":"..response["cnonce"]..":"..response.authzid;
+				else
+					A1 = "?";
+				end
+			else
+				A1 = Y..":"..response["nonce"]..":"..response["cnonce"];
+			end
 			local A2 = "AUTHENTICATE:"..protocol.."/"..domain;
 			
 			local HA1 = md5(A1, true)
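Review bot: The `A1 = "?";` branch for a non-matching authzid is a sentinel rather than a decision: the digest is still computed from the placeholder and rejection is left to whatever compares the response hash later, so the outcome of an authzid mismatch depends on code outside this hunk instead of being stated here. An explicit `return "failure", "invalid-authzid"` in that branch would reject the exchange at the point the check is made, using the SASL failure condition RFC 3920 defines for this case, and makes `local A1 = "";` an unused initial value that can become a plain `local A1`. The comparison also uses `self.username.."@"..self.realm` while the password lookup two lines above uses `response["username"]` and `response["realm"]`; if those can ever differ, the authzid is being matched against a different identity than the one whose password is checked — worth confirming against where `self.username` is set. The enclosing handler starts and ends outside the hunk.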