Re: [jdev] ruby xmppd, and Psi
> That didn't go so well. First off, Ruby's REXML library doesn't like that
> Psi "re"defines xmlns:xml in the opening stream.

We're defining it as http://www.w3.org/XML/1998/namespace, which, as Peter pointed out, should be ok.

> Also, it fails on SASL DIGEST-MD5. The first challenge response is wrong.
> This isn't my fault,
> because it works with Gajim and Digsby. It's not Psi's fault, because Psi
> obviously works fine with other servers.

Well, many servers are liberal in what they accept, so I wouldn't exclude that Psi is wrong. But still, an example stream would give us a definitive answer on that. We've had problems before with quoting in the challenge/response.

> When I switch to offering "PLAIN" alone, Gajim and Digsby work, and Psi
> works unless I do what the new draft says, which is blah>=. Psi rejects that, and none of the others care, so for now
> I just have it with .

Just to be sure I'm looking at the right code: what version of Psi are you using? What distribution? Do you have qca-(cyrus)-sasl installed?

cheers,
Remko
___
JDev mailing list
FAQ: http://www.jabber.org/discussion-lists/jdev-faq
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [EMAIL PROTECTED]
___

Re: [jdev] ruby xmppd, and Psi
It took a while of playing around, but this works:

    require 'base64'

    # elem is the <response/> element received from the client
    resp = Base64.decode64(elem.text)
    # one capture per key=value pair; [\w-]+ keeps the hyphen in 'digest-uri'
    re = /((?:[\w-]+)\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/

    response = {}
    resp.scan(re) do |kv|
        # split on the first '=' only, so '=' inside the value survives
        k, v = kv[0].split('=', 2)
        v.gsub!(/^"(.*)"$/, '\1')
        response[k] = v
    end

And isn't totally repulsive. Thanks.

Re: [jdev] ruby xmppd, and Psi
This still ugly thing works, except for some reason 'digest-uri' comes out as 'uri'

Any more ideas?

On Thu, Sep 18, 2008 at 11:16 AM, Eric Will <[EMAIL PROTECTED]> wrote:
> This is ugly, but it (kind of) works:
>
>     resp = Base64.decode64(elem.text)
>     re = /(\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/
>
>     m = re.match resp
>
>     response = {}
>     k, v = m[1].split('=',2)
>     v.gsub!(/^"(.*)"$/, '\1')
>     response[k] = v
>
>     while (m = re.match m.post_match)
>         k, v = m[1].split('=',2)
>         v.gsub!(/^"(.*)"$/, '\1')
>         response[k] = v
>     end
>
> Unfortunately, it also kills the '=' on cnonce.

Re: [jdev] ruby xmppd, and Psi
This is ugly, but it (kind of) works:

    resp = Base64.decode64(elem.text)
    re = /(\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/

    m = re.match resp

    response = {}
    k, v = m[1].split('=',2)
    v.gsub!(/^"(.*)"$/, '\1')
    response[k] = v

    while (m = re.match m.post_match)
        k, v = m[1].split('=',2)
        v.gsub!(/^"(.*)"$/, '\1')
        response[k] = v
    end

Unfortunately, it also kills the '=' on cnonce.

Re: [jdev] ruby xmppd, and Psi
Peter Saint-Andre wrote:
> Justin Karneges wrote:
> > On Wednesday 17 September 2008 14:22:33 Eric Will wrote:
> > > When I switch to offering "PLAIN" alone, Gajim and Digsby work, and Psi
> > > works unless I do what the new draft says, which is blah>=. Psi rejects
> > > that, and none of the others care, so for now I just have it with .
> >
> > I don't think you're supposed to send response data with PLAIN, are you?
> > (no response data) is correct, not = (response data of zero-length).
>
> Good point. I don't see any mention of that in RFC 4616, but I'll
> double-check with the author or the SASL list just to be sure. If
> additional data with success is not sent in SASL PLAIN, I'll correct the
> examples in rfc3920bis.

Alexey Melnikov has confirmed for me that additional data with success is never sent in SASL PLAIN, so I will correct the examples.

/psa

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 11:03 AM, Norman Rasmussen <[EMAIL PROTECTED]> wrote:
> oh, it might want the global flag:
> resp.match(/(\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/g)

Ruby doesn't have the global flag, unfortunately:

    irb(main):001:0> /re/g
    SyntaxError: compile error
    (irb):1: unknown regexp option - g
            from (irb):1

Re: [jdev] ruby xmppd, and Psi
oh, it might want the global flag:

    resp.match(/(\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/g)

On Thu, Sep 18, 2008 at 4:58 PM, Eric Will <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 18, 2008 at 10:56 AM, Norman Rasmussen
> <[EMAIL PROTECTED]> wrote:
> > (IANARC - I am not a ruby coder), here's another attempt:
> >     resp = Base64.decode64(elem.text)
> >     resp = resp.match(/(\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/)
> >     response = {}
> >     resp.captures do |kv|
> >         k, v = kv.split('=',2)
> >         v.gsub!(/^"(.*)"$/, '\1')
> >
> >         response[k] = v
> >
> >     end
>
> On Thu, Sep 18, 2008 at 10:45 AM, Norman Rasmussen
> <[EMAIL PROTECTED]> wrote:
> > fixed:
>
> I'm not sure how to use your re; when I match it the only capture I
> get is "charset=utf8." Do you continue to loop over it, or something?

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 10:56 AM, Norman Rasmussen <[EMAIL PROTECTED]> wrote:
> (IANARC - I am not a ruby coder), here's another attempt:
>     resp = Base64.decode64(elem.text)
>     resp = resp.match(/(\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/)
>     response = {}
>     resp.captures do |kv|
>         k, v = kv.split('=',2)
>         v.gsub!(/^"(.*)"$/, '\1')
>
>         response[k] = v
>
>     end

On Thu, Sep 18, 2008 at 10:45 AM, Norman Rasmussen <[EMAIL PROTECTED]> wrote:
> fixed:

I'm not sure how to use your re; when I match it the only capture I get is "charset=utf8." Do you continue to loop over it, or something?

Re: [jdev] ruby xmppd, and Psi
(IANARC - I am not a ruby coder), here's another attempt:

    resp = Base64.decode64(elem.text)
    resp = resp.match(/(\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))/)
    response = {}
    resp.captures do |kv|
        k, v = kv.split('=',2)
        v.gsub!(/^"(.*)"$/, '\1')
        response[k] = v
    end

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/

Re: [jdev] ruby xmppd, and Psi
Eric Will wrote:
> On Wed, Sep 17, 2008 at 6:29 PM, Peter Saint-Andre <[EMAIL PROTECTED]> wrote:
> > When you say that Psi "redefines" xmlns:xml, do you mean it assigns that
> > prefix to a namespace other than "http://www.w3.org/XML/1998/namespace"? Or
> > does it simply declare that namespace (which according to the spec it MAY
> > do)? If the latter, then I think REXML is in error.
>
> The latter. I'm guessing REXML is wrong. It tends to be a pain, and I
> wish there were a "leave me alone" switch in it. I just really don't
> want to parse it myself. :)
>
> I'll post this to ruby-talk.

Wow, a list I'm not on. :) But I see that you posted about this already:

http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/05d99e56a6fc1d18#

Thanks for following up.

/psa

Re: [jdev] ruby xmppd, and Psi
fixed:

On Thu, Sep 18, 2008 at 4:34 PM, Eric Will <[EMAIL PROTECTED]> wrote:
>     resp.each do |kv|
>         k, v = kv.split('=',2) # <-- fixed
>         v.gsub!(/^"/, '')
>         v.gsub!(/"$/, '')
>
>         response[k] = v
>
>     end

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 4:34 PM, Eric Will <[EMAIL PROTECTED]> wrote:
> I found my problem. As I figured, it was my fault. I hadn't counted on
> cnonce being base64-encoded, and in my code that forms the `response`
> hash I use, I split the string into key=>value by splitting on the '='
> sign. The cnonce had an '=' on the end of it, which was just getting
> lopped off. I've fixed this with:

You shouldn't split it that way, because you also won't handle quoted strings with commas correctly.

Here's the regex I use:

    (\w+\s*=\s*(?:(?:"[^"]+")|(?:[^,]+)))

you end up with one capture per key=value, then you can split that on the first = in the string, and then remove the quotes from the value if they exist.

(I guess the correct thing to do would be to write a proper tokenizer instead of string splitting, or regex)

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/

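The "proper tokenizer" suggested in the message above, as an added example that is not part of the original thread: it reads the decoded directive list one token at a time, so `=` padding in cnonce, commas inside quoted strings and hyphenated names such as digest-uri all survive. The function name is hypothetical and the sample string is constructed, modelled on the Psi response quoted in this thread.

```ruby
require 'strscan'

# Added example: tokenizer for a DIGEST-MD5 directive list
# (comma-separated key=value pairs; a value is a bare token or a quoted string).
# It raises ArgumentError on malformed input instead of guessing.
def parse_digest_directives(str)
  s = StringScanner.new(str)
  out = {}
  loop do
    s.skip(/[\s,]*/)                 # leading whitespace and empty list elements
    break if s.eos?
    # Names may contain '-', which \w+ misses (digest-uri parsed as uri).
    key = s.scan(/[A-Za-z][A-Za-z0-9-]*/) or
      raise ArgumentError, "expected directive name at offset #{s.pos}"
    s.skip(/\s*=\s*/) or raise ArgumentError, "expected '=' after #{key}"
    value =
      if s.skip(/"/)
        # Quoted string: commas and '=' are ordinary characters here, and a
        # backslash escapes the next character.
        raw = s.scan(/(?:[^"\\]|\\.)*/m)
        s.skip(/"/) or raise ArgumentError, "unterminated quoted string for #{key}"
        raw.gsub(/\\(.)/m, '\1')
      else
        # Bare token: runs to the next comma, so trailing '=' padding survives.
        s.scan(/[^,\s"]+/) or raise ArgumentError, "empty value for #{key}"
      end
    s.skip(/\s*(?:,|\z)/) or raise ArgumentError, "unexpected text after #{key}"
    # A repeated directive makes the message ambiguous, so refuse it.
    raise ArgumentError, "duplicate directive #{key}" if out.key?(key)
    out[key] = value
  end
  out
end

# Constructed sample, modelled on the Psi response quoted in this thread.
PSI_STYLE_RESPONSE =
  'username="rakaur",realm="malkier.net",' \
  'nonce="9be91df13f8159809d392ed8dc96bdc2",' \
  'cnonce="uPoAeg7buxrvPZF2y1jJcELl7seAqFAmJGJa1VYtkUY=",nc=00000001,' \
  'digest-uri="xmpp/malkier.net",qop=auth,' \
  'response=3160a82a1f84f46c6a2047131e4af77e,charset=utf-8'

if __FILE__ == $PROGRAM_NAME
  parse_digest_directives(PSI_STYLE_RESPONSE).each { |k, v| puts "#{k} => #{v}" }
end
```
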
Re: [jdev] ruby xmppd, and Psi
Justin Karneges wrote:
> On Wednesday 17 September 2008 14:22:33 Eric Will wrote:
> > When I switch to offering "PLAIN" alone, Gajim and Digsby work, and Psi
> > works unless I do what the new draft says, which is =. Psi rejects that,
> > and none of the others care, so for now I just have it with .
>
> I don't think you're supposed to send response data with PLAIN, are you?
> (no response data) is correct, not = (response data of zero-length).

Good point. I don't see any mention of that in RFC 4616, but I'll double-check with the author or the SASL list just to be sure. If additional data with success is not sent in SASL PLAIN, I'll correct the examples in rfc3920bis.

/psa

Re: [jdev] ruby xmppd, and Psi
Eric Will wrote:
> I found my problem. As I figured, it was my fault. I hadn't counted on
> cnonce being base64-encoded, and in my code that forms the `response`
> hash I use, I split the string into key=>value by splitting on the '='
> sign. The cnonce had an '=' on the end of it, which was just getting
> lopped off. I've fixed this with:
>
>     resp = Base64.decode64(elem.text)
>     resp = resp.split(',')
>
>     response = {}
>     resp.each do |kv|
>         k, v = kv.split('=')
>         v += '=' if kv[-2].chr == '=' # Some clients base64-encode 'cnonce' (ahem, Psi)

But if cnonce can be anything, it can also be something like "c=n=o=n=c=e", and then your code still fails ;)

--
Maciek
xmpp:[EMAIL PROTECTED]

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 10:11 AM, Norman Rasmussen <[EMAIL PROTECTED]> wrote:
> cnonce should be an opaque blob as far as clients are concerned, (my guess
> is psi is pulling random bytes and base64 encoding them)
> Any chance we can get a log with a known (to us), password?

I found my problem. As I figured, it was my fault. I hadn't counted on cnonce being base64-encoded, and in my code that forms the `response` hash I use, I split the string into key=>value by splitting on the '=' sign. The cnonce had an '=' on the end of it, which was just getting lopped off. I've fixed this with:

    resp = Base64.decode64(elem.text)
    resp = resp.split(',')

    response = {}
    resp.each do |kv|
        k, v = kv.split('=')
        v += '=' if kv[-2].chr == '=' # Some clients base64-encode 'cnonce' (ahem, Psi)
        v.gsub!(/^"/, '')
        v.gsub!(/"$/, '')

        response[k] = v
    end

And it now works successfully. Sorry to bother you with my screw ups. Thanks for the help

--
Eric Will

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 4:01 PM, Eric Will <[EMAIL PROTECTED]> wrote:
> I was wrong again. Other clients are sending SOMETHING, I just don't
> know what. It's not an md5 hexdigest. I'm unsure if it's
> base64-encoded, or just random numbers/letters. I've been scanning the
> SASL DIGEST-MD5 RFC and I can't come to a conclusion. I don't think
> cnonce is required to be encoded as anything except as part of the
> 'response'. Perhaps Psi is botching the computation for that.

cnonce should be an opaque blob as far as clients are concerned, (my guess is psi is pulling random bytes and base64 encoding them)

Any chance we can get a log with a known (to us), password?

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 9:56 AM, Eric Will <[EMAIL PROTECTED]> wrote:
> Yes, upon further investigation it appears cnonce should be an MD5
> hexdigest of some random entropy generated by the client (gibberish in
> most cases). It seems Psi is doing a base64-encode instead of an MD5
> hexdigest.

I was wrong again. Other clients are sending SOMETHING, I just don't know what. It's not an md5 hexdigest. I'm unsure if it's base64-encoded, or just random numbers/letters. I've been scanning the SASL DIGEST-MD5 RFC and I can't come to a conclusion. I don't think cnonce is required to be encoded as anything except as part of the 'response'. Perhaps Psi is botching the computation for that.

> --
> Eric Will

Re: [jdev] ruby xmppd, and Psi
Yes, upon further investigation it appears cnonce should be an MD5 hexdigest of some random entropy generated by the client (gibberish in most cases). It seems Psi is doing a base64-encode instead of an MD5 hexdigest. However, I'm not totally sure, because:

1. I can't fix this by decoding the base64 cnonce and using that to compute my response, and;
2. I can't fix this by decoding the base64 cnonce and then md5-hexing it to compute my response, and;
3. I can't fix this by md5-ing the base64-encoded cnonce and using that to compute my response.

Silly DIGEST-MD5.

--
Eric Will

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 9:38 AM, Eric Will <[EMAIL PROTECTED]> wrote:
> It appears as though Psi isn't base64 encoding cnonce. They're doing
> what looks to be an md5 digest, and the proper encoding is a
> base64-encoded md5 _hex_digest. As confusing as this (and MD5-DIGEST
> in general) is, I believe the culprit to be the lack of base64
> encoding on cnonce.

My mistake, I got that backwards. Psi *IS* base64-encoding cnonce, and it shouldn't be.

> --
> Eric Will
> EBL Engineers
> National Institutes of Health
> xmpp:[EMAIL PROTECTED]

Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 8:59 AM, Norman Rasmussen <[EMAIL PROTECTED]> wrote:
> So I can only assume the response values are incorrect, because the other
> values are identical. Does your password have any non-ascii characters that
> might be being encoded as utf-8 correctly? Can you force the server to
> generate the same nonce for both clients? (It would require hacking at the
> DIGEST-MD5 code, but it would help validate that the response is being
> generated correctly.

The password is alnum only. Using a hard-coded nonce of "9be91df13f8159809d392ed8dc96bdc2":

Psi:

    -> TLS established
    -> http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="malkier.net" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace" >
    <-
    <- DIGEST-MD5PLAIN
    ->
    <- cmVhbG09bWFsa2llci5uZXQsbm9uY2U9IjliZTkxZGYxM2Y4MTU5ODA5ZDM5MmVkOGRjOTZiZGMyIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
    -> dXNlcm5hbWU9InJha2F1ciIscmVhbG09Im1hbGtpZXIubmV0Iixub25jZT0iOWJlOTFkZjEzZjgxNTk4MDlkMzkyZWQ4ZGM5NmJkYzIiLGNub25jZT0idVBvQWVnN2J1eHJ2UFpGMnkxakpjRUxsN3NlQXFGQW1KR0phMVZZdGtVWT0iLG5jPTAwMDAwMDAxLGRpZ2VzdC11cmk9InhtcHAvbWFsa2llci5uZXQiLHFvcD1hdXRoLHJlc3BvbnNlPTMxNjBhODJhMWY4NGY0NmM2YTIwNDcxMzFlNGFmNzdlLGNoYXJzZXQ9dXRmLTg=
    <-
    <-

Or, decoded:

    <- challenge: realm=malkier.net,nonce="9be91df13f8159809d392ed8dc96bdc2",qop="auth",charset=utf-8,algorithm=md5-sess
    -> response: username="rakaur",realm="malkier.net",nonce="9be91df13f8159809d392ed8dc96bdc2",cnonce="uPoAeg7buxrvPZF2y1jJcELl7seAqFAmJGJa1VYtkUY=",nc=0001,digest-uri="xmpp/malkier.net",qop=auth,response=3160a82a1f84f46c6a2047131e4af77e,charset=utf-8
    <- failure

Gajim (and Digsby, FYI):

    -> TLS established
    -> http://etherx.jabber.org/streams" >
    <-
    <- DIGEST-MD5PLAIN
    ->
    <- cmVhbG09bWFsa2llci5uZXQsbm9uY2U9IjliZTkxZGYxM2Y4MTU5ODA5ZDM5MmVkOGRjOTZiZGMyIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
    -> Y2hhcnNldD11dGYtOCx1c2VybmFtZT0icmFrYXVyIixyZWFsbT0ibWFsa2llci5uZXQiLG5vbmNlPSI5YmU5MWRmMTNmODE1OTgwOWQzOTJlZDhkYzk2YmRjMiIsbmM9MDAwMDAwMDEsY25vbmNlPSIxZWE1ZTkwNTAyMTAxYTcwOGZlOTQ3MjMwOTM1ZWYwZTQ2MDYzZjIxM2ExMmNhMmRjIixkaWdlc3QtdXJpPSJ4bXBwL21hbGtpZXIubmV0IixyZXNwb25zZT04ZWI5YTNiNDkyNzFiNWJlZDk3Y2M2YTgzOTg4YWJhMyxxb3A9YXV0aA==
    <- cnNwYXV0aD1lYjRkYjNmMjM5N2E0NDQzY2FhNTIxYmY4ZGZjZWQyZQ==
    ->
    <-
    -> SASL established

Or, decoded:

    <- challenge: realm=malkier.net,nonce="9be91df13f8159809d392ed8dc96bdc2",qop="auth",charset=utf-8,algorithm=md5-sess
    -> response: charset=utf-8,username="rakaur",realm="malkier.net",nonce="9be91df13f8159809d392ed8dc96bdc2",nc=0001,cnonce="1ea5e90502101a708fe947230935ef0e46063f213a12ca2dc",digest-uri="xmpp/malkier.net",response=8eb9a3b49271b5bed97cc6a83988aba3,qop=auth
    <- challenge: binary
    -> response: empty
    <- success

This is my (Ruby) code to generate the same response:

    def h(s)
        Digest::MD5.digest(s)
    end

    def hh(s)
        Digest::MD5.hexdigest(s)
    end

    def startsasl(response)
        @jid = response['username'] + '@' + response['realm']
        a1_h = DB::[EMAIL PROTECTED]

        # Compute response and see if it matches.
        # Sorry, but there's no pretty way to do this.
        a1 = "%s:%s:%s" % [a1_h, response['nonce'], response['cnonce']]
        a2 = "AUTHENTICATE:%s" % response['digest-uri']

        myresp = "%s:%s:%s:%s:auth:%s" % [hh(a1), response['nonce'], response['nc'], response['cnonce'], hh(a2)]
        myresp = hh(myresp)

        [if myresp is equal to response, they're authorized, otherwise failure]
    end

It appears as though Psi isn't base64 encoding cnonce. They're doing what looks to be an md5 digest, and the proper encoding is a base64-encoded md5 _hex_digest. As confusing as this (and MD5-DIGEST in general) is, I believe the culprit to be the lack of base64 encoding on cnonce. I have been known to be wrong, though.

I'm unsure as to how Psi could have gotten this wrong and it's never been caught, unless everyone's using PLAIN and not a single one is using DIGEST-MD5 and they didn't test it at all, which seems unlikely given the longevity of the client. I just don't understand how it could be my code if it works with (at least) two other clients using DIGEST-MD5.

--
Eric Will
EBL Engineers
National Institutes of Health
xmpp:[EMAIL PROTECTED]

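An added example, not code from the thread or from any of the projects discussed: the response check described in the message above as a stand-alone Ruby function that uses cnonce exactly as received, accepts only the nonce the server issued, and compares digests without an early exit. The function and constant names are hypothetical, and because the thread never discloses the password, the test vector is the IMAP example from RFC 2831 section 4.

```ruby
require 'digest/md5'

# Added example: server-side check of a DIGEST-MD5 response for qop=auth.
# Names are illustrative; authzid and auth-int are not handled.

# What the server keeps per user: the binary MD5 of user:realm:password.
def user_secret(username, realm, password)
  Digest::MD5.digest([username, realm, password].map(&:b).join(':'))
end

# a2_prefix is 'AUTHENTICATE' for the client's response and '' for the
# rspauth value the server returns on success.
def digest_md5_value(fields, secret, a2_prefix)
  nonce, cnonce, nc, qop, uri =
    fields.values_at('nonce', 'cnonce', 'nc', 'qop', 'digest-uri').map(&:b)
  # The cnonce goes in exactly as received, with no decoding: it is opaque.
  a1 = [secret, nonce, cnonce].join(':')
  a2 = "#{a2_prefix}:#{uri}"
  Digest::MD5.hexdigest(
    [Digest::MD5.hexdigest(a1), nonce, nc, cnonce, qop, Digest::MD5.hexdigest(a2)].join(':')
  )
end

DIGEST_REQUIRED = %w[username realm nonce cnonce nc digest-uri qop response].freeze

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# fields: parsed directives; secret: user_secret for the claimed user;
# issued_nonce: the nonce this server sent in its challenge.
def verify_digest_response(fields, secret, issued_nonce)
  return false unless DIGEST_REQUIRED.all? { |k| fields[k].is_a?(String) }
  return false unless fields['qop'] == 'auth'
  # Only accept the nonce issued for this exchange, on its first use.
  return false unless fields['nonce'] == issued_nonce && fields['nc'] == '00000001'
  expected = digest_md5_value(fields, secret, 'AUTHENTICATE')
  secure_equal?(expected, fields['response'].downcase)
end

# Test vector: the IMAP example in RFC 2831, section 4 (password "secret").
RFC2831_FIELDS = {
  'charset' => 'utf-8', 'username' => 'chris', 'realm' => 'elwood.innosoft.com',
  'nonce' => 'OA6MG9tEQGm2hh', 'nc' => '00000001', 'cnonce' => 'OA6MHXh6VqTrRk',
  'digest-uri' => 'imap/elwood.innosoft.com', 'qop' => 'auth',
  'response' => 'd388dad90d4bbd760a152321f2143af7'
}.freeze
RFC2831_SECRET = user_secret('chris', 'elwood.innosoft.com', 'secret')

if __FILE__ == $PROGRAM_NAME
  puts verify_digest_response(RFC2831_FIELDS, RFC2831_SECRET, 'OA6MG9tEQGm2hh')
  puts "rspauth=#{digest_md5_value(RFC2831_FIELDS, RFC2831_SECRET, '')}"
end
```
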
Re: [jdev] ruby xmppd, and Psi
On Thu, Sep 18, 2008 at 2:15 PM, Eric Will <[EMAIL PROTECTED]> wrote:
> Here it is, starting with the opening after successful TLS:

and decoded for the base64decoder'less people: (I use `fold -w 79 | openssl base64 -d`)

    challenge : realm=malkier.net,nonce="134fea83d50a222b49a08c4427c75802",qop="auth",charset=utf-8,algorithm=md5-sess
    response : username="rakaur",realm="malkier.net",nonce="134fea83d50a222b49a08c4427c75802",cnonce="8wOz7xs1xNIHJJGVY7gTrSaOdCgXAwZP/kI1jSRrQss=",nc=0001,digest-uri="xmpp/malkier.net",qop=auth,response=e92dad582393b1f8b0165e6d20b827ee,charset=utf-8
    failure

and:

    challenge : realm=malkier.net,nonce="2062054399a6396d31196a8d0530e800",qop="auth",charset=utf-8,algorithm=md5-sess
    response : charset=utf-8,username="rakaur",realm="malkier.net",nonce="2062054399a6396d31196a8d0530e800",nc=0001,cnonce="8b17fd4ba66b1ef220ac5be13521f5451386520a09df2799b",digest-uri="xmpp/malkier.net",response=2d8c70364862e055fcce759aec9aaa92,qop=auth
    challenge : rspauth=310f6eb7f7d99306c5252201119529bc
    response : none
    success

So I can only assume the response values are incorrect, because the other values are identical. Does your password have any non-ascii characters that might be being encoded as utf-8 correctly? Can you force the server to generate the same nonce for both clients? (It would require hacking at the DIGEST-MD5 code, but it would help validate that the response is being generated correctly.

Cheers
Norman

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/

Re: [jdev] ruby xmppd, and Psi
> DIGEST-MD5 is notoriously confusing, which is why the IETF has deprecated
> it.
>
> Perhaps you could send along the exact XML (and character data) that you
> exchanged?

Here it is, starting with the opening after successful TLS:

    -> TLS established
    -> http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="malkier.net" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace" >
    <-
    <- DIGEST-MD5PLAIN
    ->
    <- cmVhbG09bWFsa2llci5uZXQsbm9uY2U9IjEzNGZlYTgzZDUwYTIyMmI0OWEwOGM0NDI3Yzc1ODAyIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
    -> dXNlcm5hbWU9InJha2F1ciIscmVhbG09Im1hbGtpZXIubmV0Iixub25jZT0iMTM0ZmVhODNkNTBhMjIyYjQ5YTA4YzQ0MjdjNzU4MDIiLGNub25jZT0iOHdPejd4czF4TklISkpHVlk3Z1RyU2FPZENnWEF3WlAva0kxalNSclFzcz0iLG5jPTAwMDAwMDAxLGRpZ2VzdC11cmk9InhtcHAvbWFsa2llci5uZXQiLHFvcD1hdXRoLHJlc3BvbnNlPWU5MmRhZDU4MjM5M2IxZjhiMDE2NWU2ZDIwYjgyN2VlLGNoYXJzZXQ9dXRmLTg=
    <-
    <-

The password is correct. Just as a reference, here's gajim doing the same thing:

    -> TLS established
    -> http://etherx.jabber.org/streams" >
    <-
    <- DIGEST-MD5PLAIN
    ->
    <- cmVhbG09bWFsa2llci5uZXQsbm9uY2U9IjIwNjIwNTQzOTlhNjM5NmQzMTE5NmE4ZDA1MzBlODAwIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
    -> Y2hhcnNldD11dGYtOCx1c2VybmFtZT0icmFrYXVyIixyZWFsbT0ibWFsa2llci5uZXQiLG5vbmNlPSIyMDYyMDU0Mzk5YTYzOTZkMzExOTZhOGQwNTMwZTgwMCIsbmM9MDAwMDAwMDEsY25vbmNlPSI4YjE3ZmQ0YmE2NmIxZWYyMjBhYzViZTEzNTIxZjU0NTEzODY1MjBhMDlkZjI3OTliIixkaWdlc3QtdXJpPSJ4bXBwL21hbGtpZXIubmV0IixyZXNwb25zZT0yZDhjNzAzNjQ4NjJlMDU1ZmNjZTc1OWFlYzlhYWE5Mixxb3A9YXV0aA==
    <- cnNwYXV0aD0zMTBmNmViN2Y3ZDk5MzA2YzUyNTIyMDExMTk1MjliYw==
    ->
    <-
    -> SASL established

Thanks.

--
Eric Will
EBL Engineers
National Institutes of Health
xmpp:[EMAIL PROTECTED]

Re: [jdev] ruby xmppd, and Psi
On Wed, Sep 17, 2008 at 6:29 PM, Peter Saint-Andre <[EMAIL PROTECTED]> wrote:
> When you say that Psi "redefines" xmlns:xml, do you mean it assigns that
> prefix to a namespace other than "http://www.w3.org/XML/1998/namespace"? Or
> does it simply declare that namespace (which according to the spec it MAY
> do)? If the latter, then I think REXML is in error.

The latter. I'm guessing REXML is wrong. It tends to be a pain, and I wish there were a "leave me alone" switch in it. I just really don't want to parse it myself. :)

I'll post this to ruby-talk.

On Thu, Sep 18, 2008 at 2:50 AM, Justin Karneges <[EMAIL PROTECTED]> wrote:
> I don't think you're supposed to send response data with PLAIN, are you?
> (no response data) is correct, not = (response
> data of zero-length).

According to Peter's new draft:

    The receiving entity reports success of the handshake by sending a element qualified by the 'urn:ietf:params:xml:ns:xmpp-sasl' namespace; this element MAY contain XML character data (in SASL terminology, "additional data with success") if the chosen SASL mechanism supports or requires it; if the receiving entity needs to send additional data of zero length, it MUST transmit the data as a single equals sign character ("=").

And in the example a while later:

    Step 9: Client selects an authentication mechanism, in this case [PLAIN]:

    C: UjBtMzBSMGNrcw==

    Step 10: Server informs client of success:

    S: =

I don't think this is a mission-critical thing, and I'm not sure why the receiving entity would "need to send additional data of zero length." Peter, what should I do here? Is this specific to SASL PLAIN?

And yes, DIGEST-MD5 is incredibly confusing. I already implemented it though. Is it a bad thing to keep around?

Thanks guys.

--
Eric Will
EBL Engineers
National Institutes of Health
xmpp:[EMAIL PROTECTED]