On Thu, Sep 18, 2008 at 8:59 AM, Norman Rasmussen <[EMAIL PROTECTED]> wrote:
> So I can only assume the response values are incorrect, because the other
> values are identical. Does your password have any non-ASCII characters that
> might be being encoded as UTF-8 correctly? Can you force the server to
> generate the same nonce for both clients? (It would require hacking at the
> DIGEST-MD5 code, but it would help validate that the response is being
> generated correctly.)
The password is alnum only. Using a hard-coded nonce of "9be91df13f8159809d392ed8dc96bdc2":

Psi:

-> TLS established
-> <?xml version="1.0"?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="malkier.net" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace" >
<- <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='malkier.net' id='f76c54806898a90dc1f12e78796f69c9' version='1.0'>
<- <stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
-> <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="DIGEST-MD5" />
<- <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cmVhbG09bWFsa2llci5uZXQsbm9uY2U9IjliZTkxZGYxM2Y4MTU5ODA5ZDM5MmVkOGRjOTZiZGMyIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz</challenge>
-> <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dXNlcm5hbWU9InJha2F1ciIscmVhbG09Im1hbGtpZXIubmV0Iixub25jZT0iOWJlOTFkZjEzZjgxNTk4MDlkMzkyZWQ4ZGM5NmJkYzIiLGNub25jZT0idVBvQWVnN2J1eHJ2UFpGMnkxakpjRUxsN3NlQXFGQW1KR0phMVZZdGtVWT0iLG5jPTAwMDAwMDAxLGRpZ2VzdC11cmk9InhtcHAvbWFsa2llci5uZXQiLHFvcD1hdXRoLHJlc3BvbnNlPTMxNjBhODJhMWY4NGY0NmM2YTIwNDcxMzFlNGFmNzdlLGNoYXJzZXQ9dXRmLTg=</response>
<- <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure>
<- </stream:stream>

Or, decoded:

<- challenge: realm=malkier.net,nonce="9be91df13f8159809d392ed8dc96bdc2",qop="auth",charset=utf-8,algorithm=md5-sess
-> response: username="rakaur",realm="malkier.net",nonce="9be91df13f8159809d392ed8dc96bdc2",cnonce="uPoAeg7buxrvPZF2y1jJcELl7seAqFAmJGJa1VYtkUY=",nc=00000001,digest-uri="xmpp/malkier.net",qop=auth,response=3160a82a1f84f46c6a2047131e4af77e,charset=utf-8
<- failure

Gajim (and Digsby, FYI):

-> TLS established
-> <?xml version='1.0'?><stream:stream xmlns="jabber:client" to="malkier.net" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" >
<- <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='malkier.net' id='205d1918670c0a28dc4a8c8402e05032' version='1.0'>
<- <stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
-> <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="DIGEST-MD5" />
<- <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cmVhbG09bWFsa2llci5uZXQsbm9uY2U9IjliZTkxZGYxM2Y4MTU5ODA5ZDM5MmVkOGRjOTZiZGMyIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz</challenge>
-> <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">Y2hhcnNldD11dGYtOCx1c2VybmFtZT0icmFrYXVyIixyZWFsbT0ibWFsa2llci5uZXQiLG5vbmNlPSI5YmU5MWRmMTNmODE1OTgwOWQzOTJlZDhkYzk2YmRjMiIsbmM9MDAwMDAwMDEsY25vbmNlPSIxZWE1ZTkwNTAyMTAxYTcwOGZlOTQ3MjMwOTM1ZWYwZTQ2MDYzZjIxM2ExMmNhMmRjIixkaWdlc3QtdXJpPSJ4bXBwL21hbGtpZXIubmV0IixyZXNwb25zZT04ZWI5YTNiNDkyNzFiNWJlZDk3Y2M2YTgzOTg4YWJhMyxxb3A9YXV0aA==</response>
<- <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cnNwYXV0aD1lYjRkYjNmMjM5N2E0NDQzY2FhNTIxYmY4ZGZjZWQyZQ==</challenge>
-> <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl" />
<- <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
-> SASL established

Or, decoded:

<- challenge: realm=malkier.net,nonce="9be91df13f8159809d392ed8dc96bdc2",qop="auth",charset=utf-8,algorithm=md5-sess
-> response: charset=utf-8,username="rakaur",realm="malkier.net",nonce="9be91df13f8159809d392ed8dc96bdc2",nc=00000001,cnonce="1ea5e90502101a708fe947230935ef0e46063f213a12ca2dc",digest-uri="xmpp/malkier.net",response=8eb9a3b49271b5bed97cc6a83988aba3,qop=auth
<- challenge: binary
-> response: empty
<- success

This is my (Ruby) code to generate the same response:

    require 'digest/md5'

    # Raw MD5 digest (16 bytes).
    def h(s)
      Digest::MD5.digest(s)
    end

    # Hex-encoded MD5 digest (32 characters).
    def hh(s)
      Digest::MD5.hexdigest(s)
    end

    def startsasl(response)
      @jid = response['username'] + '@' + response['realm']
      # Stored H(username:realm:password) for this JID. Placeholder: the original
      # lookup ("DB::[EMAIL PROTECTED]") was mangled by the list archive's address scrubber.
      a1_h = lookup_a1_hash(@jid)

      # Compute response and see if it matches.
      # Sorry, but there's no pretty way to do this.
      a1 = "%s:%s:%s" % [a1_h, response['nonce'], response['cnonce']]
      a2 = "AUTHENTICATE:%s" % response['digest-uri']
      myresp = "%s:%s:%s:%s:auth:%s" % [hh(a1), response['nonce'], response['nc'], response['cnonce'], hh(a2)]
      myresp = hh(myresp)

      # If myresp is equal to the client's response, they're authorized; otherwise failure.
      myresp == response['response']
    end

It appears as though Psi isn't base64 encoding cnonce. They're doing what looks to be an md5 digest, and the proper encoding is a base64-encoded md5 _hex_digest. As confusing as this (and DIGEST-MD5 in general) is, I believe the culprit to be the lack of base64 encoding on cnonce. I have been known to be wrong, though.

I'm unsure as to how Psi could have gotten this wrong and it's never been caught, unless everyone's using PLAIN and not a single one is using DIGEST-MD5 and they didn't test it at all, which seems unlikely given the longevity of the client. I just don't understand how it could be my code if it works with (at least) two other clients using DIGEST-MD5.

--
Eric Will
EBL Engineers
National Institutes of Health
xmpp:[EMAIL PROTECTED]

_______________________________________________
JDev mailing list
FAQ: http://www.jabber.org/discussion-lists/jdev-faq
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [EMAIL PROTECTED]
_______________________________________________
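The server-side DIGEST-MD5 check that this message is debugging, written out as an added example; it is not Eric's server code or the code of any client named in the thread. It implements the RFC 2831 computation for qop=auth with algorithm=md5-sess (the parameters in the challenges above), reuses the decoded challenge and the two clients' response directives from the message as sample input, and pairs them with a constructed password, since the real one is not in the thread; the Psi and Gajim response values therefore will not verify against it, and the example instead recomputes a response for the demo password and checks that one. It also includes a directive parser that keeps a quoted value intact when it contains "=", and a rspauth computation so the server's final challenge can be checked as well. The nc check and the constant-time comparison in verify are design choices of this example, not something the thread describes.

```ruby
require 'digest/md5'
require 'base64'

# Added example (not the thread's code): RFC 2831 DIGEST-MD5 with qop=auth and
# algorithm=md5-sess, as seen in the XMPP exchanges above, plus a directive
# parser that keeps quoted values intact even when they contain '=' or ','.
module DigestMD5Example
  # Directive strings copied from the exchanges in the message above.
  CHALLENGE_B64 = 'cmVhbG09bWFsa2llci5uZXQsbm9uY2U9IjliZTkxZGYxM2Y4MTU5ODA5ZDM5MmVkOGRjOTZiZGMyIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz'
  PSI_RESPONSE = 'username="rakaur",realm="malkier.net",nonce="9be91df13f8159809d392ed8dc96bdc2",cnonce="uPoAeg7buxrvPZF2y1jJcELl7seAqFAmJGJa1VYtkUY=",nc=00000001,digest-uri="xmpp/malkier.net",qop=auth,response=3160a82a1f84f46c6a2047131e4af77e,charset=utf-8'
  GAJIM_RESPONSE = 'charset=utf-8,username="rakaur",realm="malkier.net",nonce="9be91df13f8159809d392ed8dc96bdc2",nc=00000001,cnonce="1ea5e90502101a708fe947230935ef0e46063f213a12ca2dc",digest-uri="xmpp/malkier.net",response=8eb9a3b49271b5bed97cc6a83988aba3,qop=auth'
  # Constructed password for the demonstration; the real one is not in the thread.
  DEMO_PASSWORD = 'constructed-demo-password'

  # Parse 'k=v,k2="quoted value"' into a Hash. The regex consumes exactly one
  # directive per iteration, so a quoted cnonce ending in '=' survives intact.
  def self.parse_directives(s)
    out = {}
    pos = 0
    while pos < s.length
      m = /\G\s*([\w-]+)=("((?:[^"\\]|\\.)*)"|[^,]*)\s*(?:,|\z)/.match(s, pos)
      raise ArgumentError, "malformed directive near offset #{pos}" unless m
      out[m[1]] = m[3] ? m[3].gsub(/\\(.)/, '\1') : m[2]
      pos = m.end(0)
    end
    out
  end

  # The server's first challenge arrives base64-encoded inside <challenge/>.
  def self.decode_challenge(b64)
    parse_directives(Base64.strict_decode64(b64))
  end

  # H(username:realm:password) as 16 raw bytes. A server can store this instead
  # of the plaintext password, but it is still password-equivalent for DIGEST-MD5.
  def self.a1_hash(username, realm, password)
    Digest::MD5.digest("#{username}:#{realm}:#{password}")
  end

  # md5-sess: HEX(H( H(user:realm:pass) ":" nonce ":" cnonce )), no authzid.
  # .b forces binary so the raw digest concatenates without encoding errors.
  def self.ha1(a1_h, nonce, cnonce)
    Digest::MD5.hexdigest(a1_h.b + ':' + nonce.b + ':' + cnonce.b)
  end

  # Shared core for the client response ("AUTHENTICATE") and rspauth ("").
  def self.kd(a1_h, d, method_part)
    ha2 = Digest::MD5.hexdigest("#{method_part}:#{d['digest-uri']}")
    Digest::MD5.hexdigest([ha1(a1_h, d['nonce'], d['cnonce']),
                           d['nonce'], d['nc'], d['cnonce'], d['qop'], ha2].join(':'))
  end

  def self.client_response(a1_h, d)
    kd(a1_h, d, 'AUTHENTICATE')
  end

  # Value the server sends back in its final challenge (rspauth=...).
  def self.rspauth(a1_h, d)
    kd(a1_h, d, '')
  end

  # Compare digests without stopping at the first differing byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server-side check. Only qop=auth is implemented, and nc must be 00000001
  # for a fresh nonce; the caller's nonce bookkeeping should reject reuse.
  def self.verify(a1_h, d)
    return false unless d['qop'] == 'auth' && d['nc'] == '00000001'
    secure_equal?(client_response(a1_h, d), d['response'].to_s)
  end
end

if __FILE__ == $0
  psi = DigestMD5Example.parse_directives(DigestMD5Example::PSI_RESPONSE)
  a1  = DigestMD5Example.a1_hash('rakaur', 'malkier.net', DigestMD5Example::DEMO_PASSWORD)
  puts "Psi's response verifies with the demo password: #{DigestMD5Example.verify(a1, psi)}"
  demo = psi.merge('response' => DigestMD5Example.client_response(a1, psi))
  puts "Recomputed response verifies: #{DigestMD5Example.verify(a1, demo)}"
  puts "rspauth the server would send back: #{DigestMD5Example.rspauth(a1, demo)}"
end
```

One practical point the sample data makes visible: Psi's cnonce ends in "=", while Gajim's is plain hex. A directive parser that splits each "key=value" pair on every "=" rather than on the first one drops that trailing character, and the recomputed digest then differs for that client only, even though the hashing itself is correct. Whether that is what happens in the server under discussion the thread does not establish, but when one DIGEST-MD5 client fails and others pass, the parsed cnonce is worth printing before the hash inputs are.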
