aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTobias Markmann <tm@ayena.de>2009-05-15 17:24:52 +0200
committerTobias Markmann <tm@ayena.de>2009-05-15 17:24:52 +0200
commita8d9ed20faa9663e2a7578102ffff7692c4793e7 (patch)
tree922784717a91307b5bd8933f8b11dbb944e4a6ba
parent00122588ee55ef7a2c4495857f5ba6bcbab3a382 (diff)
downloadprosody-a8d9ed20faa9663e2a7578102ffff7692c4793e7.tar.gz
prosody-a8d9ed20faa9663e2a7578102ffff7692c4793e7.zip
Adding minimal support for authorization identities to workaround buggy SASL implementations.
-rw-r--r--util/sasl.lua13
1 files changed, 11 insertions, 2 deletions
diff --git a/util/sasl.lua b/util/sasl.lua
index 6aad20fb..200950e2 100644
--- a/util/sasl.lua
+++ b/util/sasl.lua
@@ -203,8 +203,17 @@ local function new_digest_md5(realm, password_handler)
local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5", decoder)
if Y == nil then return "failure", "not-authorized"
elseif Y == false then return "failure", "account-disabled" end
-
- local A1 = Y..":"..response["nonce"]..":"..response["cnonce"]--:authzid
+ local A1 = "";
+ if response.authzid then
+ if response.authzid == self.username.."@"..self.realm then
+ log("warn", "Client is violating XMPP RFC. See section 6.1 of RFC 3920");
+ A1 = Y..":"..response["nonce"]..":"..response["cnonce"]..":"..response.authzid;
+ else
+ A1 = "?";
+ end
+ else
+ A1 = Y..":"..response["nonce"]..":"..response["cnonce"];
+ end
local A2 = "AUTHENTICATE:"..protocol.."/"..domain;
local HA1 = md5(A1, true)