On Tue Oct 23 15:55:43 2007, Jacob Wright wrote:
On 10/23/07, Dave Cridland <[EMAIL PROTECTED]> wrote:
>
> On Tue Oct 23 08:25:59 2007, Jacob Wright wrote:
> > I'm working on the DIGEST-MD5 SASL authentication and feel like I'm
> > doing it
> > perfectly, but my server is telling me I've got an incorrect auth
> > for the
> > right username and password.
>
> Now you know one of the reasons that the IETF is deprecating it. :-/


Deprecating it! After all this work I've done!? ;) What is going to be the
preferred method in the future?


Now there's a question... Probably SCRAM, which predates DIGEST-MD5, in fact. Luckily it's much simpler to code, although you need to do a XOR operation over a binary hash string.

> > var data:Object = stringToObject(dataStr);
> >
> >
> What does this actually do?


This takes the comma-delim string and creates a hash object out of it.


Your code? The syntax for DIGEST-MD5's blobs is one of the reasons why it's being dropped - it's just fantastically complex. In the past year, I've seen two implementations with bugs in that area. Spaces are allowed everywhere, for instance. You probably want to do an interop test against a few implementations. ISTR GNU SASL has some oddities here, for instance.

AH! That was it! You are the best!

I know. ;-)

I've spent hours on this. Thank you for
your help, seriously.


I know lots of people who took a while to figure it out, including the author of the original Cyrus SASL plugin for it (Alexey Melnikov, who also wrote the revised specification). You're in good company.

Go get qop=auth-int and fast reauth working, now.

> And again, what is this doing? Bear in mind that if it's some
> convenient built-in that produces output that's similar to
> DIGEST-MD5's syntax, this may not be quite right.


It is a convenience method. It takes the object I've been putting together and creates a key="value",key2="value2" string out of it. Is that bad to quote every value? I noticed in examples that several key-value pairs were
not quoted (e.g. charset, nc, etc.) but thought it didn't matter.

That's an interesting question...

You see, in the syntax, qop, for instance, is given as a token - not a quoted-string. Therefore, it cannot be quoted, and if you saw the string qop="auth", that indicates a qop value of "auth" - with the quotes, not without. I have to admit I just parse out the quotes, so qop="auth" means, to me, qop=auth.

But, in the examples, qop is always quoted - qop="auth" - as well, so the examples would appear to disagree with the syntax.

So, given that, I gave up and asked Alexey:

(16:23:53) [EMAIL PROTECTED]/Office: Another DIGEST-MD5 question... Is it legal to quote all values?
(16:27:35) Alexey: I vaguely remember there were some exceptions

So, erm, I hope that settles it for you. ;-)

FWIW, it's always safe to not quote unless you have spaces, and any value which can have spaces can be quoted safely. So I'd say don't quote unless you have to.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
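
The parsing and quoting points raised in this message (whitespace allowed around every separator, quotes stripped so that qop="auth" reads as qop=auth, and quoting only where needed), as an added example that is not code from the thread or from any SASL library. The names `parseDirectives`, `serializeDirectives` and `QUOTED` are hypothetical, and the set of always-quoted directives is an assumption taken from the RFC 2831 response grammar.

```javascript
// Added example, not code from the thread. All names are hypothetical.
// Assumption: directives the RFC 2831 response grammar writes as quoted-strings.
const QUOTED = new Set(["username", "realm", "nonce", "cnonce", "digest-uri", "authzid"]);

// Parse key=value,key="quoted value" with whitespace allowed around keys, "=" and ",".
// Quotes are stripped and backslash escapes resolved. Repeated keys: last one wins.
function parseDirectives(input) {
  const out = {};
  const n = input.length;
  let i = 0;
  const skipWs = () => { while (i < n && /\s/.test(input[i])) i++; };
  while (i < n) {
    skipWs();
    if (i >= n) break;
    if (input[i] === ",") { i++; continue; }   // tolerate empty list elements
    let start = i;
    while (i < n && !/[=,\s"]/.test(input[i])) i++;
    const key = input.slice(start, i).toLowerCase();
    skipWs();
    if (!key || input[i] !== "=") throw new Error("expected key=value at offset " + start);
    i++;
    skipWs();
    let value = "";
    if (input[i] === '"') {
      i++;
      while (i < n && input[i] !== '"') {
        if (input[i] === "\\") i++;            // quoted-pair: next char is literal
        if (i < n) value += input[i++];
      }
      if (i >= n) throw new Error("unterminated quoted-string for " + key);
      i++;                                     // consume the closing quote
    } else {
      start = i;
      while (i < n && !/[,\s]/.test(input[i])) i++;
      value = input.slice(start, i);
    }
    out[key] = value;
    skipWs();
    if (i < n && input[i] !== ",") throw new Error("expected ',' at offset " + i);
  }
  return out;
}

// Serialize, quoting only the QUOTED directives or values that cannot be bare tokens.
function serializeDirectives(obj) {
  return Object.entries(obj).map(([k, v]) => {
    const s = String(v);
    const quote = QUOTED.has(k) || /[\s,"\\]/.test(s);
    return quote ? `${k}="${s.replace(/(["\\])/g, "\\$1")}"` : `${k}=${s}`;
  }).join(",");
}
```

Running a server's challenge through `parseDirectives` and comparing the result with what your own string-to-object helper produces is a quick way to find the kind of mismatch described above.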
