<div><span class="gmail_quote">On 10/23/07, <b class="gmail_sendername">Dave Cridland</b> &lt;<a href="mailto:dave@cridland.net">dave@cridland.net</a>&gt; wrote:</span><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue Oct 23 08:25:59 2007, Jacob Wright wrote:<br>&gt; I&#39;m working on the DIGEST-MD5 SASL authentication and feel like I&#39;m<br>&gt; doing it<br>&gt; perfectly, but my server is telling me I&#39;ve got an incorrect auth
<br>&gt; for the<br>&gt; right username and password.<br><br>Now you know one of the reasons that the IETF is deprecating it. :-/</blockquote><div><br class="webkit-block-placeholder"></div><div>Deprecating it! After all this work I&#39;ve done!? ;) &nbsp;What is going to be the preferred method in the future?&nbsp;
</div><br><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">&gt; var dataStr:String = bytes.readUTFBytes(bytes.bytesAvailable);<br><br>Hmmm... DIGEST-MD5 isn&#39;t UTF-8, by default. (It&#39;s iso-8859-1, I
<br>think, due to HTTP-isms in it). This will probably work, though.<br><br><br><br>&gt; // transcode the string into an object<br>&gt;<br>&gt; var data:Object = stringToObject(dataStr);<br>&gt;<br>&gt;<br>What does this actually do?
</blockquote><div><br class="webkit-block-placeholder"></div><div>This takes the comma-delim string and creates a hash object out of it.&nbsp;</div><div><br class="webkit-block-placeholder"></div><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">
&gt; if (data.algorithm)<br>&gt;<br>&gt; obj.algorithm = data.algorithm;<br>&gt;<br>&gt;<br>It doesn&#39;t seem very likely that you want to be messing with<br>algorithm. It&#39;s not present in RFC2831, after all, and has no effect
<br>unless you&#39;re doing something other than qop=auth.</blockquote><div><br class="webkit-block-placeholder"></div><div>Ok.&nbsp;</div><br><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">
&gt; <a href="http://obj.nc">obj.nc</a> = &quot;00000001&quot;;<br>&gt;<br>&gt; if (data.qop)<br>&gt;<br>&gt; obj.qop = &quot;auth&quot;;<br>&gt;<br>&gt;<br>qop absent, or qop=auth, are the same thing. You don&#39;t need to be
<br>conditional on whether the remote end gives you a choice. (Unless<br>you&#39;re trying to do auth-int).</blockquote><div><br class="webkit-block-placeholder"></div><div>Good to know.&nbsp;</div><br><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">
&gt; obj.cnonce = conn.generateId();<br>&gt;<br>&gt;<br>This isn&#39;t secure enough, but it should still work, of course.</blockquote><div><br class="webkit-block-placeholder"></div><div>Again, good to know.&nbsp;</div><br><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">
&gt; var a1:String, a2:String;<br>&gt;<br>&gt;<br>&gt; a1 = MD5.hash(obj.username + &quot;:&quot; + obj.realm + &quot;:&quot; + password) +<br>&gt; &quot;:&quot; +<br>&gt; obj.nonce + &quot;:&quot; + obj.cnonce;<br>&gt;<br>
&gt;<br>Ooops - does MD5.hash() return a hex digest or a binary one? You want<br>a binary digest here.</blockquote><div><br class="webkit-block-placeholder"></div><div>AH! That was it! You are the best! I&#39;ve spent hours on this. Thank you for your help, seriously.
</div><div><br class="webkit-block-placeholder"></div><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">&gt; var resultStr:String = objectToString(obj);<br>&gt;
<br>&gt;<br>And again, what is this doing? Bear in mind that if it&#39;s some<br>convenient built-in that produces output that&#39;s similar to<br>DIGEST-MD5&#39;s syntax, this may not be quite right.</blockquote><div><br class="webkit-block-placeholder">
</div><div>It is a convenience method. It takes the object I&#39;ve been putting together and creates a key=&quot;value&quot;,key2=&quot;value2&quot; string out of it. Is that bad to quote every value? I noticed in examples that several key-value pairs were not quoted (
e.g. charset, nc, etc.) but thought it didn&#39;t matter.&nbsp;</div><br><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">Hope this gives you some pointers, anyway. I&#39;m pretty sure it&#39;ll be
<br>down to the distinction between H() and HEX(H()).</blockquote><div><br class="webkit-block-placeholder"></div><div>You were right. Thank you thank you again.&nbsp;</div><div><br class="webkit-block-placeholder"></div><div>
Jacob Wright&nbsp;</div><br></div><br>