Authentication fails with SCRAM-SHA-1 (#726)
Giuseppe Moscarella opened 8 years ago
Due Date
2016-11-24

After upgrading Tigase server to 7.1.0-SNAPSHOT-b4325 my clients can't authenticate.

For example I get this exception using smack:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized

And this exception using babbler:

rocks.xmpp.core.sasl.AuthenticationException: SCRAM-SHA-1 authentication failed with condition SASL failure: not-authorized (Password not verified) (Password not verified)

If I configure tigase to use only PLAIN authentication method for my vhost, my clients (mobile and desktop apps) login without problems, so it's not a matter of wrong credentials.

Everything was working fine with older 7.1.0 snapshots (7.1.0-SNAPSHOT-b4193) when SCRAM was not enabled by default.

This is a blocker for me, because I don't know what is wrong and can't change my production client code to disable SCRAM and force PLAIN.

I tried

basic-conf/auth-repo-params/sasl-mechs=PLAIN,DIGEST-MD5

but existing vhosts seem to ignore that. The only working thing that disables SCRAM is forcing PLAIN explicitly in each VHOST; I used the Psi client for that.

My system creates dynamically many vhosts, and it would be very tedious to force PLAIN auth for the existing ones.

Is it possible at least to disable SCRAM authentication with a global configuration that is valid for every vhost?

wojciech.kapcia@tigase.net commented 8 years ago

Can you provide full, verbose client logs? Including stanza exchange? We have tested SCRAM implementation and it works for us.

You could try following options to limit enabled mechanisms:

sess-man/plugins-conf/enabled-mechanisms=PLAIN,DIGEST-MD5

Andrzej Wójcik (Tigase) commented 8 years ago

It would also be good to provide the versions of the Smack and Babbler libraries used, so we could use the same versions to replicate this issue.

Giuseppe Moscarella commented 8 years ago

I've created a maven integration test with both babbler and smack. You can clone it from https://github.com/bytecodeguru/tigase-scram-test.

It also contains the packets captured with ngrep during my local tests.

I'm now trying your proposed workaround sess-man/plugins-conf/enabled-mechanisms=PLAIN,DIGEST-MD5 and will let you know if it works asap.

Giuseppe Moscarella commented 8 years ago

I'm now trying your proposed workaround sess-man/plugins-conf/enabled-mechanisms=PLAIN,DIGEST-MD5 and will let you know if it works asap.

I can confirm that the suggested workaround configuration works in my test environment, thank you. Perhaps it would be useful to add it to the administration doc.

Please let me know if I can help further to investigate the SCRAM authentication issue.

wojciech.kapcia@tigase.net commented 8 years ago

Bartek, please take a look.

Bartosz Małkowski commented 8 years ago

Short version

Tigase Server works fine, Smack library is broken.

Longer version

As you can see in RFC 5802, attribute r (nonce) is described as "this attribute specifies a sequence of random printable ASCII characters excluding ','" and formally defined as:

nonce           = "r=" c-nonce [s-nonce]
                     ;; Second part provided by server.

c-nonce         = printable

s-nonce         = printable

printable       = %x21-2B / %x2D-7E
                     ;; Printable ASCII except ",".
                     ;; Note that any "printable" is also
                     ;; a valid "value".

so it cannot contain a space (0x20) character.

But Smack sends for example:

n,,n=alice,r=9/g!s~0u%e:k5`x1 s/i{!i`BSJ#Sa>[
n,,n=alice,r= lMs?0>qPY%XLVIFf6.wn"N..?;eC@f}
n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%
n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%

In this case, the server rejects those requests as invalid.

I set your test SmackScramIT to connect to the tigase.org server. I limited it to the SCRAM mechanism only.

It failed 14 times out of 36 runs. Each failed test contains a 0x20 character in the nonce.

Sample failed test:

Using SCRAM auth.
Connecting to t2.tigase.org:5222
03:09:42 PM SENT (0): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:42 PM RECV (0): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='ed37310f-4809-43b4-a00e-16577b95655a' version='1.0' xml:lang='en'>
03:09:42 PM RECV (0): <stream:features><sm xmlns="urn:xmpp:sm:3"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
03:09:42 PM SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
03:09:43 PM RECV (0): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
03:09:44 PM SENT (0): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:44 PM RECV (0): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='ed37310f-4809-43b4-a00e-16577b95655a' version='1.0' xml:lang='en'>
03:09:44 PM RECV (0): <stream:features><sm xmlns="urn:xmpp:sm:3"/><auth xmlns="http://jabber.org/features/iq-auth"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>SCRAM-SHA-1-PLUS</mechanism><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><ver xmlns="urn:xmpp:features:rosterver"/><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
Connected. Trying to login.
03:09:44 PM SENT (0): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SCRAM-SHA-1'>biwsbj10dXJ0bGVib3Qscj10Znd8bnxPZ0Q0OyhFUEIkNCliNShnPlNkckYgM1ExOA==</auth>
03:09:44 PM RECV (0): <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>
03:09:44 PM SENT (0): <presence id='GbcYJ-3' type='unavailable'></presence>
03:09:44 PM SENT (0): </stream:stream>

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized

	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1052)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
	at java.lang.Thread.run(Thread.java:745)

Sample success test:

Using SCRAM auth.
Connecting to t2.tigase.org:5222
03:09:44 PM SENT (1): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:44 PM RECV (1): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' version='1.0' xml:lang='en'>
03:09:44 PM RECV (1): <stream:features><sm xmlns="urn:xmpp:sm:3"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
03:09:44 PM SENT (1): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
03:09:45 PM RECV (1): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
03:09:45 PM SENT (1): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:45 PM RECV (1): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' version='1.0' xml:lang='en'>
03:09:45 PM RECV (1): <stream:features><sm xmlns="urn:xmpp:sm:3"/><auth xmlns="http://jabber.org/features/iq-auth"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>SCRAM-SHA-1-PLUS</mechanism><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><ver xmlns="urn:xmpp:features:rosterver"/><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
Connected. Trying to login.
03:09:45 PM SENT (1): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SCRAM-SHA-1'>biwsbj10dXJ0bGVib3Qscj0jbjBeZT0yaTZzaU1aXWBrN20hbXhwTXU9YGU5SlJQdQ==</auth>
03:09:46 PM RECV (1): <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cj0jbjBeZT0yaTZzaU1aXWBrN20hbXhwTXU9YGU5SlJQdWVJYUp0ME9VSTJLMGRQSHJiUWZSLHM9dWdKakp4elpsL3lQK3c9PSxpPTQwOTY=</challenge>
03:09:46 PM SENT (1): <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>Yz1iaXdzLHI9I24wXmU9Mmk2c2lNWl1gazdtIW14cE11PWBlOUpSUHVlSWFKdDBPVUkySzBkUEhyYlFmUixwPWorNHVXRzZjQ1NTOTdYRmQyckgzWnMrLzNkZz0=</response>
03:09:46 PM RECV (1): <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dj1jaXVGNDVhK0lVK0prVjgrVXhRZnhJa0FDUnc9</success>
03:09:46 PM SENT (1): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' xml:lang='en'>
03:09:46 PM RECV (1): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' version='1.0' xml:lang='en'>
03:09:46 PM RECV (1): <stream:features><sm xmlns="urn:xmpp:sm:3"/><mobile xmlns="http://tigase.org/protocol/mobile#v1"/><mobile xmlns="http://tigase.org/protocol/mobile#v2"/><csi xmlns="urn:xmpp:csi:0"/><ver xmlns="urn:xmpp:features:rosterver"/><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></stream:features>
03:09:46 PM SENT (1): <iq id='GbcYJ-6' type='set'><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'><resource>resource</resource></bind></iq>
03:09:46 PM RECV (1): <iq xmlns="jabber:client" type="result" id="GbcYJ-6" to="turtlebot@tigase.org/resource"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><jid>turtlebot@tigase.org/resource</jid></bind></iq>
03:09:46 PM SENT (1): <iq id='GbcYJ-8' type='set'><session xmlns='urn:ietf:params:xml:ns:xmpp-session'/></iq>
03:09:46 PM RECV (1): <iq xmlns="jabber:client" type="result" id="GbcYJ-8" to="turtlebot@tigase.org/resource"/>
03:09:46 PM SENT (1): <enable xmlns='urn:xmpp:sm:3' resume='true'/>
03:09:46 PM RECV (1): <enabled xmlns='urn:xmpp:sm:3' id='b1f2e325-c14b-498f-8222-8e808466e889' resume='true' max='90' location='t2.tigase.org' />
03:09:46 PM User logged (1): turtlebot@tigase.org:5222/resource
03:09:46 PM XMPPConnection authenticated (1)
03:09:46 PM SENT (1): <iq id='GbcYJ-10' type='get'><query xmlns='jabber:iq:roster'></query></iq>
Login successful. Disconnecting.

03:09:46 PM SENT (1): <presence id='GbcYJ-11'><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.igniterealtime.org/projects/smack' ver='NfJ3flI83zSdUDzCEICtbypursw='/></presence>
03:09:46 PM SENT (1): <presence id='GbcYJ-12' type='unavailable'></presence>
03:09:46 PM SENT (1): <a xmlns='urn:xmpp:sm:3' h='0'/>
03:09:46 PM SENT (1): </stream:stream>
03:09:46 PM XMPPConnection closed (1)
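The nonce rule quoted above, as an added example that is not part of the original issue nor of Tigase's or Smack's code: a small Python checker that parses a SCRAM client-first-message, tests the client nonce against the RFC 5802 printable rule, and reports which SASL failure condition a server should answer with (malformed-request, as Florian Schmaus suggests later in the thread, rather than not-authorized). The sample nonces and the two <auth> payloads are copied from the logs above; the function names are my own.

```python
"""Added example (not Tigase or Smack code): validate the c-nonce of a SCRAM
client-first-message against RFC 5802 and classify the SASL error to return."""
import base64
import re

# RFC 5802: printable = %x21-2B / %x2D-7E, i.e. printable ASCII except ","
PRINTABLE = re.compile(r'^[\x21-\x2B\x2D-\x7E]+$')


def parse_client_first(msg: str) -> dict:
    """Split 'n,,n=user,r=nonce' into its gs2-header, username and c-nonce.
    Raises ValueError when the message itself is not well formed."""
    parts = msg.split(',')
    if len(parts) < 4 or not (parts[0] in ('n', 'y') or parts[0].startswith('p=')):
        raise ValueError('bad gs2-header')
    attrs = {}
    for attr in parts[2:]:
        if len(attr) < 2 or attr[1] != '=':
            raise ValueError('bad attribute %r' % attr)
        attrs[attr[0]] = attr[2:]
    if 'n' not in attrs or 'r' not in attrs:
        raise ValueError('missing n= or r=')
    return {'gs2_header': ','.join(parts[:2]) + ',',
            'username': attrs['n'], 'nonce': attrs['r']}


def nonce_error(nonce: str):
    """Return None for a valid c-nonce, otherwise the SASL failure condition a
    server should answer with (RFC 6120 6.5.8 'malformed-request', not
    'not-authorized', which hides the cause) and the offending characters."""
    if PRINTABLE.match(nonce):
        return None
    bad = sorted({c for c in nonce if not PRINTABLE.match(c)})
    return ('malformed-request', bad)


def check_auth_payload(b64: str):
    """Decode the body of an XMPP <auth> element and classify it."""
    try:
        msg = base64.b64decode(b64, validate=True).decode('ascii')
        parsed = parse_client_first(msg)
    except (ValueError, UnicodeDecodeError) as exc:
        return ('malformed-request', str(exc))
    err = nonce_error(parsed['nonce'])
    return err if err else ('ok', parsed['nonce'])


# Nonces Smack emitted, copied from Bartosz's comment above.
SMACK_NONCES = [
    "9/g!s~0u%e:k5`x1 s/i{!i`BSJ#Sa>[",
    " lMs?0>qPY%XLVIFf6.wn\"N..?;eC@f}",
    "D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%",
]
# <auth> payloads from the failed (0) and successful (1) Smack runs above.
FAILED_AUTH = 'biwsbj10dXJ0bGVib3Qscj10Znd8bnxPZ0Q0OyhFUEIkNCliNShnPlNkckYgM1ExOA=='
SUCCESS_AUTH = 'biwsbj10dXJ0bGVib3Qscj0jbjBeZT0yaTZzaU1aXWBrN20hbXhwTXU9YGU5SlJQdQ=='

if __name__ == '__main__':
    for n in SMACK_NONCES:
        print(repr(n), '->', nonce_error(n))
    print('failed run :', check_auth_payload(FAILED_AUTH))
    print('success run:', check_auth_payload(SUCCESS_AUTH))
```

Decoding the failed run's payload yields a nonce with an embedded space, exactly the character the grammar excludes, while the successful run's nonce is entirely within the printable range; the checker therefore reproduces the 14-of-36 pattern from the client side alone, without a server.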

Bartosz Małkowski commented 8 years ago

Babbler works fine with tigase.org and my local Server.

Giuseppe Moscarella commented 8 years ago

Bartosz Malkowski wrote:

Babbler works fine with tigase.org and my local Server.

Thank you for the detailed feedback. I will file an issue to smack devs.

However I can't get Babbler working using my test credentials; the test is passing with PLAIN auth but failing every time with SCRAM. It seems to fail for a different reason than Smack. Could you try using username "jenkins" password "test" on your environment?

SCRAM:

T 2016/10/20 13:54:05.592764 10.122.122.1:53532 -> 10.122.122.10:5222 [AP]
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="SCRAM-SHA-1">biwsbj1qZW5raW5zLHI9YmdId0xRSEJkNFMrK3F2VEIzZis0QT09</auth>
#
T 2016/10/20 13:54:05.606573 10.122.122.10:5222 -> 10.122.122.1:53532 [AP]
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cj1iZ0h3TFFIQmQ0UysrcXZUQjNmKzRBPT1lWXY4REhIMk81dHRxNlRtV3pncyxzPUZSelkraGM5TitMc0FnPT0saT00MDk2</challenge>
##
T 2016/10/20 13:54:05.748772 10.122.122.1:53532 -> 10.122.122.10:5222 [AP]
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">Yz1iaXdzLHI9YmdId0xRSEJkNFMrK3F2VEIzZis0QT09ZVl2OERISDJPNXR0cTZUbVd6Z3MscD1JTlpKaDljTkQyeFJlYzZBQytSYlBoRVdVakk9</response>
#
T 2016/10/20 13:54:05.750357 10.122.122.10:5222 -> 10.122.122.1:53532 [AP]
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/><text xml:lang='en'>Password not verified</text></failure>

PLAIN:

T 2016/10/20 13:54:05.011158 10.122.122.1:53531 -> 10.122.122.10:5222 [AP]
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AGplbmtpbnMAdGVzdA==</auth>
#
T 2016/10/20 13:54:05.020439 10.122.122.10:5222 -> 10.122.122.1:53531 [AP]
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

Bartosz Małkowski commented 8 years ago

Letters in the username don't matter.

No idea what is wrong with your server.

I'm using revision 8e20620.

Here is my config:

config-type = --gen-config-def
--virt-hosts = coffeebean.local,coffeebean2.local
--user-db=mysql
--user-db-uri=jdbc:mysql://127.0.0.1:3306/tigasedb?user=tigase_username&password=tigase_password&useUnicode=true&characterEncoding=UTF-8&autoCreateUser=true
--admins = alice@coffeebean.local
--cluster-mode = true
--debug = auth

Bartosz Małkowski commented 8 years ago

I also checked the SCRAM data you quoted in your last comment. The data are OK, and my SCRAM code calculates the same values, so the problem for sure isn't in the SCRAM implementation.

Giuseppe Moscarella commented 8 years ago

Bartosz Malkowski wrote:

I also checked the SCRAM data you quoted in your last comment. The data are OK, and my SCRAM code calculates the same values, so the problem for sure isn't in the SCRAM implementation.

Thank you for your help. I can confirm that changing credentials I get the same issue. I've downloaded the latest nightly build and I am now trying to enable remote debugging to check what is really happening in my test environment.

Giuseppe Moscarella commented 8 years ago

The smack support team confirms the issue: https://issues.igniterealtime.org/browse/SMACK-735

Meanwhile I tracked down the code that refuses the authentication: it's AbstractSaslSCRAM.java in processClientLastMessage()

boolean proofMatch = Arrays.equals(clientProof, dcp);

if (proofMatch == false) {
	throw new XmppSaslException(SaslError.not_authorized, "Password not verified");
}

The arrays are equal in length but (completely) different in content. Any clue?

Bartosz Małkowski commented 8 years ago

Nope!

It may be anything. A different salted password?

Giuseppe Moscarella commented 8 years ago

Bartosz Malkowski wrote:

Nope!

It may be anything. A different salted password?

Here are the values of the variables just before the proof match condition, I have base64 encoded byte arrays for readability:

saltedPassword: "MqWV7jbPDuXoQiy/ZdLNgb5xRb0="
clientKeyData: "Q2xpZW50IEtleQ=="

data: "c=biws,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM,p=Mgrbqu6DPIKdiPS9h2PwOFpf0xs="

clmWithoutProof: "c=biws,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM"
clmCb: "biws" // decoded is "n,,"
clmNonce: "xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM"
clmProof: "Mgrbqu6DPIKdiPS9h2PwOFpf0xs="

cfmGs2Header: "n,,"
calculatedCb: "n,,"
// clmCb matches calculatedCb

sfmNonce: "xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM" // matches clmNonce

cfmBareMessage: "n=jenkins2,r=xqQV/Tayn0z7ioxsm2Gc9A=="
sfmMessage: "r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM,s=VfWenT+UYflUIA==,i=4096"

authMessage: "n=jenkins2,r=xqQV/Tayn0z7ioxsm2Gc9A==,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM,s=VfWenT+UYflUIA==,i=4096,c=biws,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM"

storedKey: "jDreacq6illlMWmAo/QgsPH0bQY="
clientSignature: "BtHvyc4Tt61VCRTx/eKJHAEI+Is="
clientKey: "DOSss8bthWpmQt6nW2mNvnmh5/s="
clientProof: "CjVDegj+MsczS8pWposEonipH3A="

Bartosz Małkowski commented 8 years ago

salt("test", "VfWenT+UYflUIA==", 4096) is gkz3PO5XI5+CJ1q0Z2TGszYyc1s= not MqWV7jbPDuXoQiy/ZdLNgb5xRb0=

Giuseppe Moscarella commented 8 years ago

Bartosz Malkowski wrote:

salt("test", "VfWenT+UYflUIA==", 4096) is gkz3PO5XI5+CJ1q0Z2TGszYyc1s= not MqWV7jbPDuXoQiy/ZdLNgb5xRb0=

Sorry I made this debug test using different credentials "jenkins2" "test2". The column tig_users.user_pw contains "469e3aa6433370b9dfa16be36a85fb21" for user jenkins2.

Thank you for your effort, I'd like to be able to help you more than this. I'll try to find a better test case, but really I don't understand what could be the difference between your environment and mine.

Bartosz Małkowski commented 8 years ago

salt("test2", "VfWenT+UYflUIA==", 4096) is JQg+GLuRCp/ZjnNWr1wKcdCmv6M= not MqWV7jbPDuXoQiy/ZdLNgb5xRb0=

Can you check WHAT exactly is salted? With exactly what salt? What password is got from DB?

You can start here: tigase/auth/impl/ScramCallbackHandler.java:150

Giuseppe Moscarella commented 8 years ago

I managed to print some intermediate results:


processClientFirstMessage data: n,,n=jenkins2,r=Z7E(V)0U9LGe2x7VpEeG$DS6&\1Xmzp;

pwd: 469e3aa6433370b9dfa16be36a85fb21
AbstractSaslSCRAM.normalize(pwd): NDY5ZTNhYTY0MzMzNzBiOWRmYTE2YmUzNmE4NWZiMjE=
salt: X0sIVLFGxLKJeA==
pbkd2Iterations: 4096
saltedPassword: 5ehMcvvJl/KeqkCECw9ra5AngeE=

sfmMessage: r=Z7E(V)0U9LGe2x7VpEeG$DS6&\1Xmzp;LWluEkMnyLLAXsNYs8PO,s=X0sIVLFGxLKJeA==,i=4096

processClientLastMessage data: c=biws,r=Z7E(V)0U9LGe2x7VpEeG$DS6&\1Xmzp;LWluEkMnyLLAXsNYs8PO,p=znKxGzyNdi5iEPvtiqzRAmTWBDI=

clientProof: X2ToJNuMHY2Hb4Q91943gJ3rXbs=

Bartosz Małkowski commented 8 years ago

pwd looks like a hash.

Is the salt different on each login?

Giuseppe Moscarella commented 8 years ago

Is the salt different on each login?

The password is exactly the value stored in tig_users table.

Yes the salt is different at each login attempt.

For example here is a first attempt:

processClientFirstMessage data: n,,n=jenkins2,r=4QzedGUmJmhQ8IHjUPtcyg==

pwd: 469e3aa6433370b9dfa16be36a85fb21
AbstractSaslSCRAM.normalize(pwd): NDY5ZTNhYTY0MzMzNzBiOWRmYTE2YmUzNmE4NWZiMjE=
salt: pUVj9F0qervFcA==
pbkd2Iterations: 4096
saltedPassword: S5asvzXJTBayXH/SWShbSJAR/7I=

processClientFirstMessage sfmMessage: r=4QzedGUmJmhQ8IHjUPtcyg==8GnZmmbBDpyUtSg9k4nx,s=pUVj9F0qervFcA==,i=4096
processClientLastMessage data: c=biws,r=4QzedGUmJmhQ8IHjUPtcyg==8GnZmmbBDpyUtSg9k4nx,p=gEeBzJSyzC62CMRKEUe7+84ouhk=
clientProof: ZH1rl+H5guam0S9K2Wur6Utkrds=

Here is a second attempt:

processClientFirstMessage data: n,,n=jenkins2,r=nTdnAHg9JpcemqYkaS/Jdg==

pwd: 469e3aa6433370b9dfa16be36a85fb21
AbstractSaslSCRAM.normalize(pwd): NDY5ZTNhYTY0MzMzNzBiOWRmYTE2YmUzNmE4NWZiMjE=
salt: EMwAS0gScW+Qwg==
pbkd2Iterations: 4096
saltedPassword: v9gsWrqvDhe1aiRhMoZlQcnMbYQ=

processClientFirstMessage sfmMessage: r=nTdnAHg9JpcemqYkaS/Jdg==pYrvVr6URLg14fr2WEFC,s=EMwAS0gScW+Qwg==,i=4096
processClientLastMessage data: c=biws,r=nTdnAHg9JpcemqYkaS/Jdg==pYrvVr6URLg14fr2WEFC,p=F04rDy6cm+spxk5bTkm4wr7c7SQ=
clientProof: OQx9wLr/2inzufuGSjbEs6EpKus=

Bartosz Małkowski commented 8 years ago

SCRAM doesn't work with passwords hashed with MD5. For SCRAM you have to use plain passwords or salted ones compatible with SCRAM (PBKDF2).
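The derivation behind "Password not verified", as an added example that is not Tigase's code: the RFC 5802 server-side SCRAM-SHA-1 proof computation in Python, run over the intermediate values Giuseppe printed from AbstractSaslSCRAM above (saltedPassword, authMessage, the proof the client sent and the proof the server expected), plus a constructed check for the MD5 case Bartosz describes: the client salts the real password, while a server configured with an MD5 password encoding salts the hex digest string it has stored (the normalize(pwd) line above), so the two SaltedPasswords, and therefore the proofs, can never agree. Function names and the md5_mismatch scenario are my own.

```python
"""Added example (not Tigase code): RFC 5802 SCRAM-SHA-1 server-side proof
verification, replayed on the values quoted in this issue."""
import base64
import hashlib
import hmac


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword := Hi(Normalize(password), salt, i); for SCRAM-SHA-1 this
    is PBKDF2-HMAC-SHA1 with a 20-byte output."""
    return hashlib.pbkdf2_hmac('sha1', password.encode('utf-8'), salt, iterations, 20)


def client_proof(salted: bytes, auth_message: str):
    """RFC 5802 section 3: ClientKey, StoredKey, ClientSignature, ClientProof."""
    client_key = hmac.new(salted, b'Client Key', hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message.encode('utf-8'), hashlib.sha1).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    return client_key, stored_key, client_sig, proof


def server_verifies(salted: bytes, auth_message: str, received_proof: bytes) -> bool:
    """The check behind 'Password not verified'. Tigase compares proof bytes
    directly; the RFC form used here recovers ClientKey from the proof and
    compares H(ClientKey) with StoredKey in constant time. Both reject the
    same proofs."""
    _, stored_key, client_sig, _ = client_proof(salted, auth_message)
    recovered_key = bytes(a ^ b for a, b in zip(received_proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(recovered_key).digest(), stored_key)


# Values Giuseppe printed from the Tigase server above (user jenkins2, i=4096).
SALTED_PW_B64 = 'MqWV7jbPDuXoQiy/ZdLNgb5xRb0='
AUTH_MESSAGE = ('n=jenkins2,r=xqQV/Tayn0z7ioxsm2Gc9A==,'
                'r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM,s=VfWenT+UYflUIA==,i=4096,'
                'c=biws,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM')
CLIENT_SENT_PROOF = 'Mgrbqu6DPIKdiPS9h2PwOFpf0xs='     # p= attribute the client sent
SERVER_EXPECTED_PROOF = 'CjVDegj+MsczS8pWposEonipH3A='  # clientProof the server computed


def reproduce_server_side() -> str:
    """Recompute the server's chain from its saltedPassword and return the
    base64 ClientProof; it equals SERVER_EXPECTED_PROOF."""
    _, _, _, proof = client_proof(base64.b64decode(SALTED_PW_B64), AUTH_MESSAGE)
    return base64.b64encode(proof).decode('ascii')


def verify_page_values(proof_b64: str) -> bool:
    """Run the server check with the page's saltedPassword and AuthMessage."""
    return server_verifies(base64.b64decode(SALTED_PW_B64), AUTH_MESSAGE,
                           base64.b64decode(proof_b64))


def md5_mismatch(password: str, stored_digest: str, salt_b64: str,
                 iterations: int = 4096) -> bool:
    """Constructed scenario (assumption, not from the page's logs): the client
    derives from the real password, a server with password-encoding MD5-*
    derives from the hex digest text it stored. True when the results differ."""
    salt = base64.b64decode(salt_b64)
    return (salted_password(password, salt, iterations)
            != salted_password(stored_digest, salt, iterations))


if __name__ == '__main__':
    print('server-side proof :', reproduce_server_side())
    print('client proof ok?  :', verify_page_values(CLIENT_SENT_PROOF))
    print('md5 store differs :', md5_mismatch('test2', '469e3aa6433370b9dfa16be36a85fb21',
                                               'VfWenT+UYflUIA=='))
```

Replaying the server's own saltedPassword reproduces its clientProof, which shows the arithmetic in AbstractSaslSCRAM is sound; what differs between the two sides is the input to Hi(), so no SCRAM client can succeed against a repository that only holds an MD5 digest, regardless of which client library is used.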

Giuseppe Moscarella commented 8 years ago

Bartosz Malkowski wrote:

SCRAM doesn't work with passwords hashed with MD5. For SCRAM you have to use plain passwords or salted ones compatible with SCRAM (PBKDF2).

Thank you, this could explain everything, in fact I have this config: TigPutDBProperty('password-encoding', 'MD5-USERNAME-PASSWORD');

So, if I understand correctly, this would stop working after a simple upgrade to the latest tigase snapshot that enables scram by default. Perhaps it would be better to clarify this in the changelog.

How do I fix the situation for my existing users? Should I follow the procedure described at http://docs.tigase.org/tigase-server/snapshot/Administration_Guide/html/#hashedPasswords ? I don't think it's possible to transform hashed passwords back to plain ones without the help of the users ;-)

Moreover I don't see a PBKDF2 method, only plain or md5-*. Should I really revert back to plain?

I'm starting to think that at this point the only feasible solution for this situation is to disable SCRAM.

Florian Schmaus commented 8 years ago

Bartosz Malkowski wrote:

Short version

Tigase Server works fine, Smack library is broken.

Thanks for the detailed bug description. Just for the record. This is tracked as SMACK-735 (https://issues.igniterealtime.org/browse/SMACK-735).

May I suggest that Tigase should report a different SASL error in case the c-nonce contains invalid characters (and in similar cases) instead of 'not-authorized'? I think a good candidate would be 'malformed-request' (RFC 6120 § 6.5.8).

wojciech.kapcia@tigase.net commented 8 years ago

Giuseppe Moscarella wrote:

Bartosz Malkowski wrote:

SCRAM doesn't work with passwords hashed with MD5. For SCRAM you have to use plain passwords or salted ones compatible with SCRAM (PBKDF2).

Thank you, this could explain everything, in fact I have this config: TigPutDBProperty('password-encoding', 'MD5-USERNAME-PASSWORD');

So, if I understand correctly, this would stop working after a simple upgrade to the latest tigase snapshot that enables scram by default. Perhaps it would be better to clarify this in the changelog.

Bartek, could we make availability of SCRAM based on the password-encoding db property? Seems reasonable to disable it when there is MD5 enabled for passwords...

Florian Schmaus wrote:

Thanks for the detailed bug description. Just for the record. This is tracked as SMACK-735 (https://issues.igniterealtime.org/browse/SMACK-735).

May I suggest that Tigase should report a different SASL error in case the c-nonce contains invalid characters (and in similar cases) instead of 'not-authorized'? I think a good candidate would be 'malformed-request' (RFC 6120 § 6.5.8).

Makes sense.

Bartosz Małkowski commented 8 years ago

Implemented

Daniel Wisnewski commented 8 years ago

Just built and ran a build with this fix; the following errors occur on startup:

2017-01-10 10:39:56.904 [WrapperSimpleAppMain]  DefaultMechanismSelector.init()  WARNING: Cannot check password-encoding
java.sql.SQLException: No suitable driver found for jdbc:default:connection
	at java.sql.DriverManager.getConnection(Unknown Source)
	at java.sql.DriverManager.getConnection(Unknown Source)
	at tigase.db.derby.StoredProcedures.tigGetDBProperty(StoredProcedures.java:332)
	at tigase.auth.DefaultMechanismSelector.init(DefaultMechanismSelector.java:60)
	at tigase.auth.MechanismSelectorFactory.create(MechanismSelectorFactory.java:19)
	at tigase.xmpp.impl.JabberIqAuth.init(JabberIqAuth.java:129)
	at tigase.server.xmppsession.SessionManager.setProperties(SessionManager.java:929)
	at tigase.cluster.SessionManagerClustered.setProperties(SessionManagerClustered.java:516)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addComponent(MessageRouter.java:115)
	at tigase.server.MessageRouter.addRouter(MessageRouter.java:152)
	at tigase.server.MessageRouter.setProperties(MessageRouter.java:745)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:138)
	at tigase.server.MessageRouter.setConfig(MessageRouter.java:644)
	at tigase.server.XMPPServer.start(XMPPServer.java:142)
	at tigase.server.XMPPServer.main(XMPPServer.java:112)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
	at java.lang.Thread.run(Unknown Source)

and

2017-01-10 10:39:56.909 [WrapperSimpleAppMain]  DefaultMechanismSelector.init()  WARNING: Cannot check password-encoding
java.sql.SQLException: No suitable driver found for jdbc:default:connection
	at java.sql.DriverManager.getConnection(Unknown Source)
	at java.sql.DriverManager.getConnection(Unknown Source)
	at tigase.db.derby.StoredProcedures.tigGetDBProperty(StoredProcedures.java:332)
	at tigase.auth.DefaultMechanismSelector.init(DefaultMechanismSelector.java:60)
	at tigase.auth.MechanismSelectorFactory.create(MechanismSelectorFactory.java:19)
	at tigase.xmpp.impl.SaslAuth.init(SaslAuth.java:155)
	at tigase.server.xmppsession.SessionManager.setProperties(SessionManager.java:929)
	at tigase.cluster.SessionManagerClustered.setProperties(SessionManagerClustered.java:516)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addComponent(MessageRouter.java:115)
	at tigase.server.MessageRouter.addRouter(MessageRouter.java:152)
	at tigase.server.MessageRouter.setProperties(MessageRouter.java:745)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:138)
	at tigase.server.MessageRouter.setConfig(MessageRouter.java:644)
	at tigase.server.XMPPServer.start(XMPPServer.java:142)
	at tigase.server.XMPPServer.main(XMPPServer.java:112)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
	at java.lang.Thread.run(Unknown Source)

Bartosz Małkowski commented 8 years ago

Commit reverted. I made a mistake.

It cannot be done automatically because it needs a lot of changes in the AuthRepository interface. We can postpone it to release 7.2.

The only way to turn off SCRAM is to set the list of allowed SASL mechanisms in init.properties.

wojciech.kapcia@tigase.net commented 8 years ago

A follow-up #4814 was created to implement checking of the DB property.

Type: Bug
Priority: Major
Assignee: (none)
RedmineID: 4678
Version: tigase-server-7.1.0
Spent time: 47h 30m
Reference: tigase/_server/server-core#726