1. 07 Dec, 2014 1 commit
    • Don't return incorrect-encoding when receiving '=' · 84e41fbe
      Florian Schmaus authored
      when performing SASL authentication.
      
      Since 3eadecb6 Openfire would return
      incorrect-encoding when a SASL auth packet would contain just a single
      equals sign ('='). But this is correct (client) behavior according to
      RFC 6120 6.4.2.
      
      Related to OF-736
      
      07:25:42 PM SENT (2109957412): <stream:stream xmlns='jabber:client' to='igniterealtime.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
      07:25:42 PM RCV  (2109957412): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="igniterealtime.org" id="1d96e3b3" xml:lang="en" version="1.0">
      07:25:43 PM RCV  (2109957412): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>JIVE-SHAREDSECRET</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
      07:25:43 PM SENT (2109957412): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'>=</auth>
      07:25:43 PM RCV  (2109957412): <failure
      xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><incorrect-encoding/></failure>
  2. 05 Aug, 2014 1 commit
    • More S2S fixes · dc21027b
      Dave Cridland authored
      Kim 'Zash' Alvefur commented that an empty authzid in EXTERNAL wasn't working.
      
      This patch adds this handling, and also changes authorization checks from a
      domain.contains() to a domain.equals().
  3. 17 Jun, 2014 1 commit
    • Support Dialback Without Dialback · 4c528c9d
      Dave Cridland authored
      When processing a <db:result/>, this checks for the certificate first. If
      this matches, then we don't bother actually dialling back, speeding up the
      session setup.
      
      This factors out the certificate verification function.
  4. 05 Jun, 2014 1 commit
  5. 04 Jun, 2014 2 commits
    • a17da995
    • OF-405 : Perform proper path validation on certificate chains · 78e4eff7
      Dave Cridland authored
      What this patch actually does is place existing certificates into a CertStore,
      including those from its (untrusted) keystore, the trust store, and any from
      the chain supplied by the peer, and then rebuild a chain back to a known trust
      anchor (from the trust store).
      
      This strategy will cope with unknown ICAs in chains, abbreviated chains, and so
      on, and replaces attempts to specifically handle self-signed certificates.
      
      That last said, there is an explicit shortcut to handle self-signed certificates
      which are supplied as end-entity certificates. These are simply checked against
      the trust store without any attempt to build a path.
  6. 02 Jun, 2014 1 commit
  7. 18 May, 2014 1 commit
  8. 10 Apr, 2014 1 commit
  9. 04 Mar, 2014 1 commit
  10. 16 Feb, 2014 2 commits
  11. 09 Apr, 2011 1 commit
  12. 07 Feb, 2010 1 commit
  13. 09 Nov, 2009 1 commit
  14. 30 Sep, 2009 1 commit
  15. 21 Aug, 2009 1 commit
  16. 16 Jul, 2008 1 commit
  17. 17 Jun, 2008 1 commit
  18. 11 Jun, 2008 3 commits
  19. 03 Jun, 2008 1 commit
  20. 15 May, 2008 1 commit
  21. 11 Apr, 2008 1 commit
  22. 08 Apr, 2008 1 commit
  23. 27 Feb, 2008 1 commit
  24. 13 Feb, 2008 1 commit
  25. 12 Dec, 2007 1 commit
  26. 09 Oct, 2007 1 commit
  27. 08 Oct, 2007 1 commit
  28. 18 Sep, 2007 1 commit
  29. 13 Sep, 2007 1 commit
  30. 05 Sep, 2007 1 commit
  31. 20 Jun, 2007 1 commit
    • !!This will require config changes to all SSO users!! · a7d40b6e
      Jay Kline authored
      Large restructure of SASL authorization and some SASL authentication changes:
      
       * Implemented PLAIN SASL Server 
       * Moved PLAIN auth to using SASL Server object
       * Allow case for client EXTERNAL auth
       * Created AuthorizationMappings (allow for default usernames different from 
            principal used)
       * More robust handling of LDAP authorization (allows JID != principal)
       * Fixes case sensitivity issue with default authorization policy
       * Removed UnixK5LoginProvider, since it will likely never be used, has never
            been tested, and would be difficult to maintain in the long run.
      
      The Loose, Lazy, and Strict policies have been removed, and folded into a 
      single Default policy that now resides in 
      org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
      
      Issues: JM-1079 JM-1086
      
      
      
      git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@8583 b35dd754-fafc-0310-a699-88a17e54d16e
  32. 30 May, 2007 1 commit
  33. 28 Mar, 2007 1 commit
  34. 22 Mar, 2007 1 commit
  35. 09 Mar, 2007 1 commit
  36. 07 Feb, 2007 1 commit