NPE in sasl-external (#1099)

Activities

wojciech.kapcia@tigase.net opened 5 years ago

Due Date
2020-01-17

[2020-01-11 06:16:29:086] [FINEST  ] [      pool-38-thread-7 ] XMPPIOService.processSocketData(): CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, READ:[auth xmlns=&apos;urn:ietf:params:xml:ns:xmpp-sasl&apos; mechanism=&apos;EXTERNAL&apos;]amFiYmVyLnNhbXBvLnJ1[/auth]
…
[2020-01-11 06:16:29:098] [FINEST  ] [      pool-38-thread-7 ] XMPPIOService.moveParsedPacketsToReceived(): CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, Read packet: [auth mechanism=&quot;EXTERNAL&quot; xmlns=&quot;urn:ietf:params:xml:ns:xmpp-sasl&quot;]amFiYmVyLnNhbXBvLnJ1[/auth]
…
[2020-01-11 06:16:29:098] [FINEST  ] [      pool-38-thread-7 ] SaslExternal.process()           : CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, Received auth request: from=null, to=null, DATA=[auth mechanism=&quot;EXTERNAL&quot; xmlns=&quot;urn:ietf:params:xml:ns:xmpp-sasl&quot;]amFiYmVyLnNhbXBvLnJ1[/auth], SIZE=95, XMLNS=urn:ietf:params:xml:ns:xmpp-sasl, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
…
[2020-01-11 06:16:29:098] [WARNING ] [      pool-38-thread-7 ] SaslExternal.process()           : Error.
java.lang.NullPointerException
	at tigase.server.xmppserver.proc.SaslExternal.processAuth(SaslExternal.java:206)
	at tigase.server.xmppserver.proc.SaslExternal.process(SaslExternal.java:122)
	at tigase.server.xmppserver.S2SConnectionManager.processSocketData(S2SConnectionManager.java:283)
	at tigase.server.xmppserver.S2SConnectionManager.processSocketData(S2SConnectionManager.java:50)
	at tigase.server.ConnectionManager.packetsReady(ConnectionManager.java:347)
	at tigase.server.ConnectionManager.packetsReady(ConnectionManager.java:61)
	at tigase.net.IOService.call(IOService.java:197)
	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:146)
	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:51)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:835)

wojciech.kapcia@tigase.net commented 5 years ago

I backtracked it from different connection:

[2020-01-13 04:46:26:185] [FINEST  ] [  ConnectionOpenThread ] S2SConnectionManager.serviceStarted(): s2s connection opened: CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null
…
[2020-01-13 04:46:27:922] [FINEST  ] [      pool-38-thread-3 ] XMPPIOService.processSocketData(): CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null, READ:<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' to='tigase.net' version='1.0'>
…
[2020-01-13 04:46:27:927] [FINER   ] [      pool-38-thread-3 ] S2SConnectionManager.xmppStreamOpened(): CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null, Stream opened: {xmlns:stream=http://etherx.jabber.org/streams, xmlns=jabber:server, to=tigase.net, version=1.0, xmlns:db=jabber:server:dialback}

Basically, the other party never sends from and chooses to use sasl-external (which is just plain wrong... and can't work under no circumstances as we can't verify the certificate against the).

I fixed the problem by:

avoiding NPE if the CID is null
skip advertising SASL-EXTERNAL in case from was missing as per https://xmpp.org/extensions/xep-0178.html#s2s, point 9:

Server2 advertises SASL mechanisms. If the 'from' attribute of the stream header sent by Server1 can be matched against one of the identifiers provided in the certificate following the matching rules from RFC 6125, Server2 SHOULD advertise the SASL EXTERNAL mechanism. If no match is found, Server2 MAY either close Server1's TCP connection or continue with a Server Dialback (XEP-0220) [8] negotiation.

While working on this issue I also ran into other problem - even after authenticating the connection we were still advertising SASL-EXTERNAL and some servers (M-Link on jabber.org) were falling into authentication loop.

I think it's finally working quite well.

wojciech.kapcia@tigase.net commented 5 years ago

If anyone ( @kobit , @andrzej.wojcik , @bmalkow ) still experience problems with s2s to other servers please do let me know which domains.

Referenced from commit 1 year ago

Issue #1099 - see-other-host redirection on USER_LOGIN command

fix xmlns and type for BOSH stream:error
add new configuration option for see-other-host: (c2s|bosh|ws2c)/cm-see-other-host/active=(OPEN|LOGIN|OTHER) denoting in which phase redirects should be active with default value set to OPEN

Wojciech Kapcia committed 1 decade ago

f6661594

Type	Task
Priority	Normal
Assignee	wojciech.kapcia@tigase.net
Spent time	6h 15m

#1047 Closed

Add SASL-EXTERNAL on s2s conections

Issue Votes (0)

Watchers (0)

Reference

tigase/_server/server-core#1099