[Psi-devel] [bug] qca-sasl request authzid from its user
textshell-I1QKlO at neutronstar.dyndns.org
Fri Dec 8 02:40:12 PST 2006
qca-sasl always requests an authzid from its users.
This leads psi to send an authzid in some cases even if the user didn't specify one, that's asking for trouble IMO.
I think it's wrong to set authzid to the jid without the user requesting authzid being set.
In simple-sasl it's implemented in what I think is the right way. But qca-sasl does tell its user that it needs an authzid, and the iris code has a hack to supply it only if it's requested and user is already set... so the failure mode is that the first login works but the second might not...
Relevant iris code that hacks around the SASL plugin's requesting of authzid:
void ClientStream::sasl_needParams(const QCA::SASL::Params& p)
{
	[...]
	if(p.authzid && !p.user) {
		d->sasl->setAuthzid(d->jid.bare());
	}
	if(p.user || p.pass || p.realm) {
		d->state = NeedParams;
		needAuthParams(p.user, p.pass, p.realm);
	}
	else
		d->sasl->continueAfterParams();
}
Mini proof-of-concept patch to fix qca-sasl (without looking much into the right way to disable it):
--- old-psi/third-party/qca-sasl/qca-sasl.cpp 2006-12-08 11:27:36.000000000 +0100
+++ new-psi/third-party/qca-sasl/qca-sasl.cpp 2006-12-08 11:27:36.000000000 +0100
@@ -144,7 +146,7 @@
bool missingAny() const
{
- if((need.user && !have.user) || (need.authzid && !have.authzid) || (need.pass && !have.pass) || (need.realm && !have.realm))
+ if((need.user && !have.user) /* || (need.authzid && !have.authzid) */ || (need.pass && !have.pass) || (need.realm && !have.realm))
return true;
return false;
}
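Review bot: In missingAny(), the authzid clause is commented out rather than removed, so the function can never report a missing authzid even when need.authzid is set, and nothing in the code says why. If authzid is meant to be optional and never requested from the application, delete the `(need.authzid && !have.authzid)` clause outright and add a one-line comment above the condition stating that authzid is optional and deliberately excluded; leaving it as an inline /* */ inside the expression makes the condition hard to read and easy to re-enable by accident.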
@@ -154,7 +156,7 @@
SASL::Params np = need;
if(have.user)
np.user = false;
- if(have.authzid)
+ //if(have.authzid)
np.authzid = false;
if(have.pass)
np.pass = false;
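Review bot: Commenting out `if(have.authzid)` leaves `np.authzid = false;` running unconditionally, which reads like a guarded statement that lost its guard. Write it as a plain assignment with a comment explaining that authzid is never requested, and drop the dead `//if` line. If np is the Params value that reaches ClientStream::sasl_needParams, p.authzid will always be false there, so the `if(p.authzid && !p.user)` branch quoted earlier in this mail becomes dead code and should be removed in the same change so the bare JID can no longer be set as authzid from that path.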
- Martin H.
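To make concrete what changes on the wire when a client fills in an authzid the user never set, here is an added example (not part of the original mail, and not qca-sasl, simple-sasl or iris code). It assumes the SASL PLAIN mechanism as defined in RFC 4616, which the mail does not name; all function and struct names are hypothetical and the sample identities are constructed.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical names for illustration; not qca-sasl, simple-sasl or iris code.
struct PlainMessage {
    bool hasAuthzid;      // false = client did not send an authzid
    std::string authzid;
    std::string authcid;
    std::string passwd;
};

// RFC 4616: message = [authzid] NUL authcid NUL passwd
std::string encodePlain(const PlainMessage &m)
{
    std::string out;
    if (m.hasAuthzid)     // only when the user explicitly set one
        out += m.authzid;
    out.push_back('\0');
    out += m.authcid;
    out.push_back('\0');
    out += m.passwd;
    return out;
}

PlainMessage decodePlain(const std::string &wire)
{
    const std::string::size_type npos = std::string::npos;
    const std::string::size_type first = wire.find('\0');
    const std::string::size_type second = (first == npos) ? npos : wire.find('\0', first + 1);
    if (second == npos || wire.find('\0', second + 1) != npos)
        throw std::invalid_argument("expected exactly two NUL separators");
    PlainMessage m;
    m.hasAuthzid = first > 0;
    m.authzid = wire.substr(0, first);
    m.authcid = wire.substr(first + 1, second - first - 1);
    m.passwd = wire.substr(second + 1);
    if (m.authcid.empty() || m.passwd.empty())
        throw std::invalid_argument("authcid and passwd are mandatory");
    return m;
}

// Identity the server has to authorize. Simplification (assumption): with no
// authzid the server uses the authcid itself as the derived identity.
std::string identityToAuthorize(const PlainMessage &m)
{
    return m.hasAuthzid ? m.authzid : m.authcid;
}
```

With the authzid omitted the server derives the identity from the authenticated user; once the client sends one, the server has to evaluate an explicit authorization request for that string instead.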