[jdev] SASL debugging

Matthias Wimmer m at tthias.net
Sat Dec 10 05:47:26 CST 2005

Hi Yves!

Yves Goergen schrieb:

>>Yes, there are many characters above U+0100, that are allowed in 
>>usernames. What is allowed is defined by a stringprep profile called 
>>Same for the passwords, but using the SASLprep profile.
>Umm... I followed that word and its references but stopped reading all
>of them because after a few lines each I realised I didn't understand a
>word. So I guess I simply assume full Unicode support... The relevant
>parts of the used protocols are UTF-8-encoded, so it should work fine

I would not recommend this. If you do not want to implement stringprep 
yourself, than have a look for a library implementing stringprep on the 
platform you are using. (Typically you better find them, if you are 
looking for IDN, which used stringprep with the nameprep profile as well.)

As I wrote in my last mail, stringprep is more than just telling you 
which characters are allowed. It also maps some characters to other 
characters. If you get multiple messages, presences, or stanzas from the 
server, your client cannot know if they are from the same entity, if it 
does not stringprep the JID before comparing.
While you might not notice this when using your client against our 
present servers (that do pass JIDs in normalized form, but that is no 
requirement for the servers), you already might get into real problems, 
if you do not normalize passwords using the SASLprep profile. Consider 
the client user has a password containing the character “ℹ”. SASLprep 
normalizes this to “i”. So if you are using DIGEST-MD5 as the SASL 
mechanism, you have to calculate a hash of the password. This hash will 
be completely different, when you (incorrectly) calculate it for the 
password still containing “ℹ” instead of “i”. You will not be able to 
authenticate using this incorrect hash value.

Tot kijk

More information about the JDev mailing list