Actually, let me take my previous email back.. Both Jabber and Java use SHA1. So now here's my question:
I also looked at Gabber's code and I can understand most of it (other than the most important parts).. mainly, 1) When you hash the password, in java, you'll get back a 20-byte array. This can then be converted into a hex string. So the question is during the next hash (with the token), do you take the hex string, append the token to it, and then hash that resultant string? Or do you actually just take 20-byte array, hash that, and then hash the token? The difference here is if the second hashing is hashing the 20-byte array or the 40-byte hex representation of the hash. 2) Now after that second hash, you take that hash and run it through the number of sequences specified by the sequence. The question is the same as the first one. Do you take the hex string (40 bytes) representation and hash that to obtain the next subsequent hash or do you take the 20-byte array and hash that instead? I'm rather very confused about how gabber or jabber server is doing it because (1) I don't read C code that well, and (2) I am not sure if the sha_hash() C functions actually converted those 40-byte hex representation into a 20-byte array first hash the bytes. Thanks, Chris At 07:48 PM 10/10/2001, you wrote: >Does the digest library your using distinguish between SHA and SHA1? If >so, that could be the problem, otherwise I don't know enough java to >compare it to the C the server uses to generate it. But if you can read >C, here's the snippet: > > /* first, hash the pass */ > shahash_r(pass,hash); > /* next, hash that and the token */ > shahash_r(spools(m->packet->p,hash,token,m->packet->p),hash); > /* we've got hash0, now make as many as the sequence is */ > for(i = 0; i < sequence; i++, shahash_r(hash,hash)); > >I know that gabber and winjab are supporting it, but if it's a problem in >the spec I'd be happy to fix it, or if anyone has time to update the .sgml >with better examples feel free. > >On the reset/update, I published a new draft at >http://core.jabber.org/white/zerokreg.sgml.html and implemented it in >current CVS. If it works out well, I'd like to combine all the zerok work >and publish a JEP on it in the near future. > >Jer > >_______________________________________________ >jdev mailing list >[EMAIL PROTECTED] >http://mailman.jabber.org/listinfo/jdev PGP at ldap://certserver.pgp.com/ _______________________________________________ jdev mailing list [EMAIL PROTECTED] http://mailman.jabber.org/listinfo/jdev
