SASL 2

xmppserver/src/main/java/org/jivesoftware/openfire/SessionPacketRouter.java

@@ -59,7 +59,7 @@ public void route(Element wrappedElement)
             throws UnknownStanzaException {
         String tag = wrappedElement.getName();
         if ("auth".equals(tag) || "response".equals(tag)) {
-            SASLAuthentication.handle(session, wrappedElement);
+            SASLAuthentication.handle(session, wrappedElement, false);
         }
         else if ("iq".equals(tag)) {
             route(getIQ(wrappedElement));

xmppserver/src/main/java/org/jivesoftware/openfire/http/HttpSession.java

@@ -227,10 +227,7 @@ public List<Element> getAvailableStreamFeatures() {
 
         // If authentication has not happened yet, include available authentication mechanisms.
         if (getAuthToken() == null) {
-            final Element sasl = SASLAuthentication.getSASLMechanismsElement(this);
-            if (sasl != null) {
-                elements.add(sasl);
-            }
+            SASLAuthentication.addSASLMechanisms(elements, this);
         }
 
         if (XMPPServer.getInstance().getIQRegisterHandler().isInbandRegEnabled()) {

xmppserver/src/main/java/org/jivesoftware/openfire/net/BlockingReadingMode.java

@@ -150,7 +150,19 @@ private void readStream() throws Exception {
             }
             else if ("auth".equals(tag)) {
                 // User is trying to authenticate using SASL
-                if (authenticateClient(doc)) {
+                if (authenticateClient(doc, false)) {
+                    // SASL authentication was successful so open a new stream and offer
+                    // resource binding and session establishment (to client sessions only)
+                    saslSuccessful();
+                }
+                else if (socketReader.connection.isClosed()) {
+                    socketReader.open = false;
+                    socketReader.session = null;
+                }
+            }
+            else if ("authenticate".equals(tag)) {
+                // User is trying to authenticate using SASL
+                if (authenticateClient(doc, true)) {
                     // SASL authentication was successful so open a new stream and offer
                     // resource binding and session establishment (to client sessions only)
                     saslSuccessful();

xmppserver/src/main/java/org/jivesoftware/openfire/net/SocketReadingMode.java

@@ -106,10 +106,7 @@ protected void tlsNegotiated() throws XmlPullParserException, IOException
 
         // Offer stream features including SASL Mechanisms
         final Element features = DocumentHelper.createElement(QName.get("features", "stream", "http://etherx.jabber.org/streams"));
-        final Element mechanisms = SASLAuthentication.getSASLMechanisms(socketReader.session);
-        if (mechanisms != null) {
-            features.add(mechanisms);
-        }
+        SASLAuthentication.addSASLMechanisms(features, socketReader.session);
         final List<Element> specificFeatures = socketReader.session.getAvailableStreamFeatures();
         if (specificFeatures != null) {
             for (final Element feature : specificFeatures) {
@@ -121,7 +118,7 @@ protected void tlsNegotiated() throws XmlPullParserException, IOException
         socketReader.connection.deliverRawText(StringUtils.asUnclosedStream(document));
     }
 
-    protected boolean authenticateClient(Element doc) throws DocumentException, IOException,
+    protected boolean authenticateClient(Element doc, boolean usingSASL2) throws DocumentException, IOException,
             XmlPullParserException {
         // Ensure that connection was encrypted if TLS was required
         if (socketReader.connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required &&
@@ -133,7 +130,7 @@ protected boolean authenticateClient(Element doc) throws DocumentException, IOEx
         boolean isComplete = false;
         boolean success = false;
         while (!isComplete) {
-            SASLAuthentication.Status status = SASLAuthentication.handle(socketReader.session, doc);
+            SASLAuthentication.Status status = SASLAuthentication.handle(socketReader.session, doc, usingSASL2);
             if (status == SASLAuthentication.Status.needResponse) {
                 // Get the next answer since we are not done yet
                 doc = socketReader.reader.parseDocument().getRootElement();
@@ -145,6 +142,10 @@ protected boolean authenticateClient(Element doc) throws DocumentException, IOEx
             else {
                 isComplete = true;
                 success = status == SASLAuthentication.Status.authenticated;
+                if (success && usingSASL2) {
+                    Element features = generateFeatures();
+                    socketReader.session.deliverRawText(features.asXML());
+                }
             }
         }
         return success;
@@ -159,6 +160,13 @@ protected boolean authenticateClient(Element doc) throws DocumentException, IOEx
     protected void saslSuccessful() throws XmlPullParserException, IOException
     {
         final Document document = getStreamHeader();
+        final Element features = generateFeatures();
+        document.getRootElement().add(features);
+
+        socketReader.connection.deliverRawText(StringUtils.asUnclosedStream(document));
+    }
+
+    protected Element generateFeatures() {
         final Element features = DocumentHelper.createElement(QName.get("features", "stream", "http://etherx.jabber.org/streams"));
 
         // Include specific features such as resource binding and session establishment for client sessions
@@ -168,9 +176,8 @@ protected void saslSuccessful() throws XmlPullParserException, IOException
                 features.add(feature);
             }
         }
-        document.getRootElement().add(features);
 
-        socketReader.connection.deliverRawText(StringUtils.asUnclosedStream(document));
+        return features;
     }
 
     /**
@@ -248,14 +255,8 @@ protected void compressionSuccessful() throws XmlPullParserException, IOExceptio
         final Element features = DocumentHelper.createElement(QName.get("features", "stream", "http://etherx.jabber.org/streams"));
         document.getRootElement().add(features);
 
-        // Include SASL mechanisms only if client has not been authenticated
-        if (!socketReader.session.isAuthenticated()) {
-            // Include available SASL Mechanisms
-            final Element saslMechanisms = SASLAuthentication.getSASLMechanisms(socketReader.session);
-            if (saslMechanisms != null) {
-                features.add(saslMechanisms);
-            }
-        }
+        // Include available SASL Mechanisms
+        SASLAuthentication.addSASLMechanisms(features, socketReader.session);
         // Include specific features such as resource binding and session establishment for client sessions.
         final List<Element> specificFeatures = socketReader.session.getAvailableStreamFeatures();
         if (specificFeatures != null) {

xmppserver/src/main/java/org/jivesoftware/openfire/net/StanzaHandler.java

@@ -74,6 +74,7 @@ public abstract class StanzaHandler {
     // Flag that indicates that the client requested to be authenticated. Once the
     // authentication process is over the value will return to false.
     protected boolean startedSASL = false;
+    protected boolean usingSASL2 = false;
     /**
      * SASL status based on the last SASL interaction
      */
@@ -202,10 +203,23 @@ else if ("auth".equals(tag)) {
             // User is trying to authenticate using SASL
             startedSASL = true;
             // Process authentication stanza
-            saslStatus = SASLAuthentication.handle(session, doc);
+            saslStatus = SASLAuthentication.handle(session, doc, usingSASL2);
+        } else if ("authenticate".equals(tag)) {
+            // User is trying to authenticate using SASL2.
+            startedSASL = true;
+            usingSASL2 = true;
+            saslStatus = SASLAuthentication.handle(session, doc, usingSASL2);
         } else if (startedSASL && "response".equals(tag) || "abort".equals(tag)) {
             // User is responding to SASL challenge. Process response
-            saslStatus = SASLAuthentication.handle(session, doc);
+            saslStatus = SASLAuthentication.handle(session, doc, usingSASL2);
+            if (saslStatus == SASLAuthentication.Status.failed) {
+                startedSASL = false;
+                usingSASL2 = false;
+            }
+            if (saslStatus == SASLAuthentication.Status.authenticated && usingSASL2) {
+                Element features = generateFeatures();
+                session.deliverRawText(features.asXML());
+            }
         }
         else if ("compress".equals(tag)) {
             // Client is trying to initiate compression
@@ -313,7 +327,7 @@ else if ("iq".equals(tag)) {
                 // The original packet contains a malformed JID so answer an error
                 IQ reply = new IQ();
                 if (!doc.elements().isEmpty()) {
-                    reply.setChildElement(((Element)doc.elements().get(0)).createCopy());
+                    reply.setChildElement((doc.elements().get(0)).createCopy());
                 }
                 reply.setID(doc.attributeValue("id"));
                 reply.setTo(session.getAddress());
@@ -353,7 +367,7 @@ private IQ getIQ(Element doc) {
                     for (Element element : elements){
                         session.setSoftwareVersionData(element.getName(), element.getStringValue());
                     }
-                }    
+                }
             } catch (Exception e) {
                 Log.error("Unexpected exception while processing IQ Version stanza from '{}'", session.getAddress(), e);
             }
@@ -492,10 +506,7 @@ protected void tlsNegotiated(XmlPullParser xpp) throws XmlPullParserException, I
         document.getRootElement().add(features);
 
         // Include available SASL Mechanisms
-        final Element mechanismsElement=SASLAuthentication.getSASLMechanisms(session);
-        if (mechanismsElement!=null) {
-        	features.add(mechanismsElement);
-        }
+        SASLAuthentication.addSASLMechanisms(features, session);
 
         // Include specific features such as auth and register for client sessions
         final List<Element> specificFeatures = session.getAvailableStreamFeatures();
@@ -516,8 +527,12 @@ protected void tlsNegotiated(XmlPullParser xpp) throws XmlPullParserException, I
      */
     protected void saslSuccessful() {
         final Document document = getStreamHeader();
-        final Element features = DocumentHelper.createElement(QName.get("features", "stream", "http://etherx.jabber.org/streams"));
+        final Element features = generateFeatures();
         document.getRootElement().add(features);
+        connection.deliverRawText(StringUtils.asUnclosedStream(document));
+    }
+    protected Element generateFeatures() {
+        final Element features = DocumentHelper.createElement(QName.get("features", "stream", "http://etherx.jabber.org/streams"));
 
         // Include specific features such as resource binding and session establishment for client sessions
         final List<Element> specificFeatures = session.getAvailableStreamFeatures();
@@ -527,7 +542,7 @@ protected void saslSuccessful() {
             }
         }
 
-        connection.deliverRawText(StringUtils.asUnclosedStream(document));
+        return features;
     }
 
     /**
@@ -594,12 +609,8 @@ protected void compressionSuccessful() {
         document.getRootElement().add(features);
 
         // Include SASL mechanisms only if client has not been authenticated
-        if (!session.isAuthenticated()) {
-            final Element saslMechanisms = SASLAuthentication.getSASLMechanisms(session);
-            if (saslMechanisms != null) {
-                features.add(saslMechanisms);
-            }
-        }
+        SASLAuthentication.addSASLMechanisms(features, session);
+
         // Include specific features such as resource binding and session establishment for client sessions
         final List<Element> specificFeatures = session.getAvailableStreamFeatures();
         if (specificFeatures != null) {

xmppserver/src/main/java/org/jivesoftware/openfire/net/UserAgentInfo.java

@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2025 Ignite Realtime Foundation. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jivesoftware.openfire.net;
+
+import org.dom4j.Element;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.UUID;
+
+/**
+ * Represents user agent information provided by XMPP clients during authentication.
+ * This information includes an optional UUID v4 identifier, software description,
+ * and device description. This information is not exposed to other entities.
+ */
+public class UserAgentInfo {
+    private static final Logger Log = LoggerFactory.getLogger(UserAgentInfo.class);
+
+    private String id;          // UUID v4
+    private String software;    // Software description
+    private String device;      // Device description
+
+    /**
+     * Extracts and validates user agent information from the authentication element.
+     *
+     * @param userAgentElement the authentication element containing potential user agent data
+     * @return UserAgentInfo containing the parsed data, or null if no user agent data present
+     */
+    public static UserAgentInfo extract(Element userAgentElement) {
+        if (userAgentElement == null) {
+            return null;
+        }
+
+        UserAgentInfo userAgentInfo = new UserAgentInfo();
+
+        // Extract and validate UUID v4 id if present
+        String id = userAgentElement.attributeValue("id");
+        if (id != null) {
+            try {
+                UUID uuid = UUID.fromString(id);
+                // Validate it's a v4 UUID
+                if (uuid.version() == 4) {
+                    userAgentInfo.setId(id);
+                } else {
+                    Log.warn("Invalid UUID version in user-agent id (must be v4): " + id);
+                }
+            } catch (IllegalArgumentException e) {
+                Log.warn("Invalid UUID format in user-agent id: " + id);
+            }
+        }
+
+        // Extract software info if present
+        Element softwareElement = userAgentElement.element("software");
+        if (softwareElement != null) {
+            userAgentInfo.setSoftware(softwareElement.getTextTrim());
+        }
+
+        // Extract device info if present
+        Element deviceElement = userAgentElement.element("device");
+        if (deviceElement != null) {
+            userAgentInfo.setDevice(deviceElement.getTextTrim());
+        }
+
+        return userAgentInfo;
+    }
+
+    public String getId() {
+        return id;
+    }
+
+    void setId(String id) {
+        this.id = id;
+    }
+
+    public String getSoftware() {
+        return software;
+    }
+
+    void setSoftware(String software) {
+        this.software = software;
+    }
+
+    public String getDevice() {
+        return device;
+    }
+
+    void setDevice(String device) {
+        this.device = device;
+    }
+}

xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalClientSession.java

@@ -292,10 +292,7 @@ public static LocalClientSession createSession(String serverName, XmlPullParser
                 Log.warn("Unable to access the identity store for client connections. StartTLS is not being offered as a feature for this session.", e);
             }
             // Include available SASL Mechanisms
-            final Element saslMechanisms = SASLAuthentication.getSASLMechanisms(session);
-            if (saslMechanisms != null) {
-                features.add(saslMechanisms);
-            }
+            SASLAuthentication.addSASLMechanisms(features, session);
             // Include Stream features
             final List<Element> specificFeatures = session.getAvailableStreamFeatures();
             if (specificFeatures != null) {

xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java

@@ -187,10 +187,7 @@ public static LocalIncomingServerSession createSession(String serverName, XmlPul
                 }
 
                 // Include available SASL Mechanisms
-                final Element saslMechanisms = SASLAuthentication.getSASLMechanisms(session);
-                if (saslMechanisms != null) {
-                    features.add(saslMechanisms);
-                }
+                SASLAuthentication.addSASLMechanisms(features, session);
 
                 if (ServerDialback.isEnabled()) {
                     // Also offer server dialback (when TLS is not required). Server dialback may be offered

xmppserver/src/main/java/org/jivesoftware/openfire/websocket/WebSocketClientStanzaHandler.java

@@ -164,10 +164,7 @@ private void sendStreamFeatures() {
         final Element features = DocumentHelper.createElement(QName.get("features", "stream", "http://etherx.jabber.org/streams"));
         if (saslStatus != SASLAuthentication.Status.authenticated) {
             // Include available SASL Mechanisms
-            final Element saslMechanisms = SASLAuthentication.getSASLMechanisms(session);
-            if (saslMechanisms != null) {
-                features.add(saslMechanisms);
-            }
+            SASLAuthentication.addSASLMechanisms(features, session);
         }
         // Include Stream features
         final List<Element> specificFeatures = session.getAvailableStreamFeatures();