[jdev] sasl help

Jacob Wright jacwright at gmail.com
Tue Oct 23 09:55:43 CDT 2007


On 10/23/07, Dave Cridland <dave at cridland.net> wrote:
>
> On Tue Oct 23 08:25:59 2007, Jacob Wright wrote:
> > I'm working on the DIGEST-MD5 SASL authentication and feel like I'm doing it
> > perfectly, but my server is telling me I've got an incorrect auth for the
> > right username and password.
>
> Now you know one of the reasons that the IETF is deprecating it. :-/


Deprecating it! After all this work I've done!? ;)  What is going to be the
preferred method in the future?

> > var dataStr:String = bytes.readUTFBytes(bytes.bytesAvailable);
>
> Hmmm... DIGEST-MD5 isn't UTF-8, by default. (It's iso-8859-1, I
> think, due to HTTP-isms in it). This will probably work, though.
>
>
>
> > // transcode the string into an object
> >
> > var data:Object = stringToObject(dataStr);
> >
> >
> What does this actually do?


This takes the comma-delim string and creates a hash object out of it.

> > if (data.algorithm)
> >
> > obj.algorithm = data.algorithm;
> >
> >
> It doesn't seem very likely that you want to be messing with
> algorithm. It's not present in RFC2831, after all, and has no effect
> unless you're doing something other than qop=auth.


Ok.

> > obj.nc = "00000001";
> >
> > if (data.qop)
> >
> > obj.qop = "auth";
> >
> >
> qop absent, or qop=auth, are the same thing. You don't need to be
> conditional on whether the remote end gives you a choice. (Unless
> you're trying to do auth-int).


Good to know.

> > obj.cnonce = conn.generateId();
> >
> >
> This isn't secure enough, but it should still work, of course.


Again, good to know.

> > var a1:String, a2:String;
> >
> >
> > a1 = MD5.hash(obj.username + ":" + obj.realm + ":" + password) +
> > ":" +
> > obj.nonce + ":" + obj.cnonce;
> >
> >
> Ooops - does MD5.hash() return a hex digest or a binary one? You want
> a binary digest here.


AH! That was it! You are the best! I've spent hours on this. Thank you for
your help, seriously.

> > var resultStr:String = objectToString(obj);
> >
> >
> And again, what is this doing? Bear in mind that if it's some
> convenient built-in that produces output that's similar to
> DIGEST-MD5's syntax, this may not be quite right.


It is a convenience method. It takes the object I've been putting together
and creates a key="value",key2="value2" string out of it. Is that bad to
quote every value? I noticed in examples that several key-value pairs were
not quoted (e.g. charset, nc, etc.) but thought it didn't matter.

> Hope this gives you some pointers, anyway. I'm pretty sure it'll be
> down to the distinction between H() and HEX(H()).


You were right. Thank you thank you again.

Jacob Wright
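
The H() versus HEX(H()) distinction discussed in this message, as an added Python example that is not part of the original post or of Jacob's ActionScript client. It follows the RFC 2831 qop=auth computation without an authzid; the function names are hypothetical, inputs are assumed to be ASCII, and the sample values used to check it are the ones from the example exchange in RFC 2831 section 4.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    """H(): the raw 16-byte MD5 digest, not its hex form."""
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth", hex_inner=False):
    """Compute the DIGEST-MD5 response value for qop=auth (no authzid).

    hex_inner=True reproduces the bug from the thread: the inner hash of
    username:realm:password is hex-encoded before being placed into A1.
    """
    inner = _h(f"{username}:{realm}:{password}".encode("ascii"))
    if hex_inner:
        inner = inner.hex().encode("ascii")  # 32 ASCII chars instead of 16 raw bytes
    # A1 mixes raw digest bytes with text, so it has to be built as bytes.
    a1 = inner + f":{nonce}:{cnonce}".encode("ascii")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("ascii")
    # HEX() is applied only to the outer hashes of A1 and A2.
    ha1 = _h(a1).hex()
    ha2 = _h(a2).hex()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("ascii")
    return _h(kd).hex()


def new_cnonce() -> str:
    """Client nonce from the OS CSPRNG (128 bits, hex-encoded)."""
    return secrets.token_hex(16)


def format_response(username, realm, nonce, cnonce, digest_uri, response,
                    nc="00000001", qop="auth"):
    """Serialize the reply using the RFC 2831 grammar: string-valued
    directives are quoted; charset, nc, qop and response are bare tokens."""
    return (f'charset=utf-8,username="{username}",realm="{realm}",'
            f'nonce="{nonce}",nc={nc},cnonce="{cnonce}",'
            f'digest-uri="{digest_uri}",response={response},qop={qop}')


if __name__ == "__main__":
    args = ("chris", "elwood.innosoft.com", "secret",
            "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "imap/elwood.innosoft.com")
    print("binary inner digest:", digest_md5_response(*args))
    print("hex inner digest   :", digest_md5_response(*args, hex_inner=True))
```
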