SASL authentication fails when multiple mechanisms are available

### Problem
SASL authentication fails when both server and client support more than 1 SASL mechanism.

### Environment to reproduce the bug
- Client: Debian Buster with package `libauthen-sasl-cyrus-perl`
  Actual version was `0.13-server-10+b5`
- Server: Prosody (stable) configured for multiple mechanisms.
  Actual server was `jabber.de` supporting `PLAIN` and `SCRAM-SHA-1`
- Debug log:
    ```
    XML::Stream: Read: buff(<?xml version='1.0'?><stream:stream version='1.0' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' id='***uuid***' from='jabber.de'><stream:features><register xmlns='http://jabber.org/features/iq-register'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>)
    [...]
    XMPP::Conn: AuthSASL: shiney new auth
    XML::Stream: Send: (<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SCRAM-SHA-1 PLAIN'>***credentials***</auth>)
    XMPP::Conn: AuthSASL: haven't authed yet... let's wait.
    XMPP::Conn: Process: timeout(1)
    XML::Stream: Read: buff(<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><invalid-mechanism/></failure>)
    ```

### Cause
- The problem is caused by the invalid attribute `mechanism='SCRAM-SHA-1 PLAIN'` in the client request. It should not contain both supported mechanisms.
- Removal of the package `libauthen-sasl-cyrus-perl` - which effectively means removing support for `SCRAM-SHA-1` on the client side - fixes the problem:
    ```
    XML::Stream: Read: buff(<?xml version='1.0'?><stream:stream version='1.0' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' id='***uuid***' from='jabber.de'><stream:features><register xmlns='http://jabber.org/features/iq-register'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>)
    [...]
    XMPP::Conn: AuthSASL: shiney new auth
    XML::Stream: Send: (<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>***credentials***</auth>)
    XMPP::Conn: AuthSASL: haven't authed yet... let's wait.
    XMPP::Conn: Process: timeout(1)
    XML::Stream: Read: buff(<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>)
    ```
- Root cause seems to be [XML/Stream.pm](https://salsa.debian.org/perl-team/modules/packages/libxml-stream-perl/-/blob/master/lib/XML/Stream.pm#L2254) where all available mechanisms are concatenated:
    ```perl
        my $sasl = Authen::SASL->new(mechanism=>join(" ",@{$mechanisms}),
    ```

The same line can be found in [Net/XMPP/Protocol.pm](https://salsa.debian.org/perl-team/modules/packages/libnet-xmpp-perl/-/blob/master/lib/Net/XMPP/Protocol.pm#L3257).

### Related issues
- https://github.com/dap/XML-Stream/issues/7
- https://github.com/dap/Net-XMPP/pull/19


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SASL authentication fails when multiple mechanisms are available #27

Problem

Environment to reproduce the bug

Cause

Related issues

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

SASL authentication fails when multiple mechanisms are available #27

Description

Problem

Environment to reproduce the bug

Cause

Related issues

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions