On 12/30/05, Eric Schnoebelen <[EMAIL PROTECTED]> wrote:
>
> Norman Rasmussen writes:
> - Could you post some of the auth's for pymsnt/pyicqt/jcr with shorted
> - passwords - i.e. they should all work. I'd like to double check that
> - my understanding of the JEP is right.
>
> Done..
> http://www.cirr.com/~eric/muc-jcr-connect.1.txt
> http://www.cirr.com/~eric/pymsn-connect.1.txt
> http://www.cirr.com/~eric/pyicq-connect.1.txt

what's the password that you used? It's a bit difficult to check the
stuff otherwise :-P If this is your production password, then it's
not too important. I assume it's right.

To test run 'openssl sha1 -hex' then paste the stream id followed
by the password, then press Ctrl-D three times (no newlines at
any point). It should output the hash all on the same line.

> - FYI: Check out tcpflow if you can :-)
>
> I will soon.. (another thing on the to check list.. :)

It's basically like tcpdump except it _only_ outputs the stream data.
It can also output each stream into its own file.

> - I'd be tempted to say, rip out the sha1 hash calculations from
> - jabberd2/jcr and test them separately from the whole jabber
> - environment. i.e. with constant inputs, etc.
>
> I've been looking at the source for the sha1 functions
> provided as part of jabber2, and it's kinda scary, all the
> assumptions I can see littered throughout the code about word
> size.. Ugh!
>
> And the JCR library used by muc uses the same source
> module (exactly, right down to the comments.)

not a surprise. I would expect jcr to use the hash code from
jabberd1, but then I guess jabberd2 would too.

> - If you add some debugging output then you could compare between i32
> - and a64 easily. (If you don't have/can't find an i32 machine, I'm
> - happy to run the code)
>
> At this point, given that jabberd2 uses OpenSSL for
> other things, I'm wondering why it isn't using OpenSSL to get a
> platform independent (correct?) sha1 implementation.

maybe someone thought openssl isn't available for all the platforms that
jabberd2 will compile on? Although most builds support tls on 5222
and ssl on 5223, so I don't see why not.

> I'm copying onto the jabberd dev list to make them aware
> of the problem.
>

yep agreed. I'm actually beginning to find several small 'bugs' in
jabberd2, that I'm too lazy to put into bugzilla.

--
- Norman Rasmussen
 - Email: [EMAIL PROTECTED]
 - Home page: http://norman.rasmussen.co.za/

From [EMAIL PROTECTED] Fri Dec 30 14:35:15 2005
From: [EMAIL PROTECTED] (Eric Schnoebelen)
Date: Fri Dec 30 14:35:25 2005
Subject: [py-transports] PyMSNt problems with shared secrets longer than 15 characters
In-Reply-To: Your message of "Fri, 30 Dec 2005 10:58:48 +0200." <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

Norman Rasmussen writes:
- On 12/30/05, Eric Schnoebelen <[EMAIL PROTECTED]> wrote:
- > Norman Rasmussen writes:
- > - Could you post some of the auth's for pymsnt/pyicqt/jcr with shorted
- > - passwords - i.e. they should all work. I'd like to double check that
- > - my understanding of the JEP is right.
- >
- > Done..
- > http://www.cirr.com/~eric/muc-jcr-connect.1.txt
- > http://www.cirr.com/~eric/pymsn-connect.1.txt
- > http://www.cirr.com/~eric/pyicq-connect.1.txt
-
- what's the password that you used?

Oops... It's ``yykoO1U-vEi1Ywi''.

- If this is your production password, then it's
- not too important.

Nope, it's not the production password.. I generated it just
for this use..

- To test run 'openssl sha1 -hex' then paste the stream id followed
- by the password, then press Ctrl-D three times (no newlines at
- any point). It should output the hash all on the same line.

Thanks for that clue/pointer!

- > - I'd be tempted to say, rip out the sha1 hash calculations from
- > - jabberd2/jcr and test them separately from the whole jabber
- > - environment. i.e. with constant inputs, etc.
- >
- > I've been looking at the source for the sha1 functions
- > provided as part of jabber2, and it's kinda scary, all the
- > assumptions I can see littered throughout the code about word
- > size.. Ugh!
- >
- > And the JCR library used by muc uses the same source
- > module (exactly, right down to the comments.)
-
- not a surprise. I would expect jcr to use the hash code from
- jabberd1, but then I guess jabberd2 would too.

Sounds like I need to enter bugs against all of jabberd
1.4.x, jabberd 2, and jcr. yeah!

- > I'm copying onto the jabberd dev list to make them aware
- > of the problem.
-
- yep agreed. I'm actually beginning to find several small 'bugs' in
- jabberd2, that I'm too lazy to put into bugzilla.

Do you have fixes for them? Myself, I'm always hesitant
to enter bugs if I don't have a fix/patch to provide.

--
Eric Schnoebelen [EMAIL PROTECTED] http://www.cirr.com
"Any field of study that has 'science' as part of its name isn't.
For example, computer science."

From [EMAIL PROTECTED] Fri Dec 30 15:16:58 2005
From: [EMAIL PROTECTED] (Norman Rasmussen)
Date: Fri Dec 30 15:17:02 2005
Subject: [py-transports] PyMSNt problems with shared secrets longer than 15 characters
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

On 12/30/05, Eric Schnoebelen <[EMAIL PROTECTED]> wrote:
>
> Norman Rasmussen writes:
> - On 12/30/05, Eric Schnoebelen <[EMAIL PROTECTED]> wrote:
> - > Norman Rasmussen writes:
> - > - Could you post some of the auth's for pymsnt/pyicqt/jcr with shorted
> - > - passwords - i.e. they should all work. I'd like to double check that
> - > - my understanding of the JEP is right.
> - >
> - > Done..
> - > http://www.cirr.com/~eric/muc-jcr-connect.1.txt
> - > http://www.cirr.com/~eric/pymsn-connect.1.txt
> - > http://www.cirr.com/~eric/pyicq-connect.1.txt
> -
> - what's the password that you used?
>
> Oops... It's ``yykoO1U-vEi1Ywi''.

Yep, all matches. Notice though that the msn transport fails the
first time around. (for some reason it sends a stream header twice.)

> - > - I'd be tempted to say, rip out the sha1 hash calculations from
> - > - jabberd2/jcr and test them separately from the whole jabber
> - > - environment. i.e. with constant inputs, etc.
> - >
> - > I've been looking at the source for the sha1 functions
> - > provided as part of jabber2, and it's kinda scary, all the
> - > assumptions I can see littered throughout the code about word
> - > size.. Ugh!
> - >
> - > And the JCR library used by muc uses the same source
> - > module (exactly, right down to the comments.)
> -
> - not a surprise. I would expect jcr to use the hash code from
> - jabberd1, but then I guess jabberd2 would too.
>
> Sounds like I need to enter bugs against all of jabberd
> 1.4.x, jabberd 2, and jcr. yeah!

yep.

> - > I'm copying onto the jabberd dev list to make them aware
> - > of the problem.
> -
> - yep agreed. I'm actually beginning to find several small 'bugs' in
> - jabberd2, that I'm too lazy to put into bugzilla.
>
> Do you have fixes for them? Myself, I'm always hesitant
> to enter bugs if I don't have a fix/patch to provide.
>

nope, no bug patches. The only patch I apply is the vcard one for
photos (I got it from bugzilla).

--
- Norman Rasmussen
 - Email: [EMAIL PROTECTED]
 - Home page: http://norman.rasmussen.co.za/