On 10/23/07, Dave Cridland <[EMAIL PROTECTED]> wrote:
>
> On Tue Oct 23 08:25:59 2007, Jacob Wright wrote:
> > I'm working on the DIGEST-MD5 SASL authentication and feel like I'm doing it
> > perfectly, but my server is telling me I've got an incorrect auth for the
> > right username and password.
>
> Now you know one of the reasons that the IETF is deprecating it. :-/

Deprecating it! After all this work I've done!? ;) What is going to be the
preferred method in the future?

> > var dataStr:String = bytes.readUTFBytes(bytes.bytesAvailable);
>
> Hmmm... DIGEST-MD5 isn't UTF-8, by default. (It's iso-8859-1, I
> think, due to HTTP-isms in it). This will probably work, though.
>
> > // transcode the string into an object
> > var data:Object = stringToObject(dataStr);
>
> What does this actually do?

This takes the comma-delim string and creates a hash object out of it.

> > if (data.algorithm)
> >     obj.algorithm = data.algorithm;
>
> It doesn't seem very likely that you want to be messing with
> algorithm. It's not present in RFC2831, after all, and has no effect
> unless you're doing something other than qop=auth.

Ok.

> > obj.nc = "00000001";
> > if (data.qop)
> >     obj.qop = "auth";
>
> qop absent, or qop=auth, are the same thing. You don't need to be
> conditional on whether the remote end gives you a choice. (Unless
> you're trying to do auth-int).

Good to know.

> > obj.cnonce = conn.generateId();
>
> This isn't secure enough, but it should still work, of course.

Again, good to know.

> > var a1:String, a2:String;
> >
> > a1 = MD5.hash(obj.username + ":" + obj.realm + ":" + password) + ":" +
> >     obj.nonce + ":" + obj.cnonce;
>
> Ooops - does MD5.hash() return a hex digest or a binary one? You want
> a binary digest here.

AH! That was it! You are the best! I've spent hours on this. Thank you for
your help, seriously.

> > var resultStr:String = objectToString(obj);
>
> And again, what is this doing? Bear in mind that if it's some
> convenient built-in that produces output that's similar to
> DIGEST-MD5's syntax, this may not be quite right.

It is a convenience method. It takes the object I've been putting together
and creates a key="value",key2="value2" string out of it. Is that bad to
quote every value? I noticed in examples that several key-value pairs were
not quoted (e.g. charset, nc, etc.) but thought it didn't matter.

> Hope this gives you some pointers, anyway. I'm pretty sure it'll be
> down to the distinction between H() and HEX(H()).

You were right. Thank you thank you again.

Jacob Wright
