[jdev] implementing SASL digest in client library
stpeter at jabber.org
Fri Mar 24 12:25:27 CST 2006
Andrew Plotkin wrote:
> I implemented this months ago, and it worked, but I never fully tested
> it with non-ASCII usernames and passwords. Now I'm running into a
> problem, and I don't know whether it's my fault.
> The SASL Digest document (rfc2831) says, in section 220.127.116.11:
> The "username-value", "realm-value" and "passwd" are encoded
> according to the value of the "charset" directive. If "charset=UTF-8"
> is present, and all the characters of either "username-value" or
> "passwd" are in the ISO 8859-1 character set, then it must be
> converted to ISO 8859-1 before being hashed.
> If I follow this instruction, authentication doesn't work. (I mean, it
> doesn't work for usernames that contain characters in the 128-255 range.
> If everything fits in ASCII, the two encodings are identical and
> everything works. If there's a character beyond 255, the quoted
> instruction doesn't apply and everything still works.)
> If I ignore the instruction (and never convert to 8859-1), then
> authentication works in all cases.
> (I tested this against our own ejabberd server and against jabber.org.)
> So, did I screw up the implementation somewhere? Is ejabberd behaving
> badly? Or should I be ignoring that line of the spec? (That would surely
> be the easy way out, since it leads to my code working.)
Ick, I never noticed that conversion to 8859-1 before. XMPP is all UTF-8
so the 8859-1 conversion seems wrong for us. But I'll seek clarification
from the SASL folks.
Jabber Software Foundation
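
The two encodings compared in the post, as an added example (not code from this thread or from any client or server named in it). It computes the inner hash of A1 from RFC 2831, H(username ":" realm ":" passwd), once with the conversion rule quoted above and once with UTF-8 only; the realm, usernames and passwords are constructed, and the function names are hypothetical.

```python
import hashlib

def encode_rfc2831(value: str) -> bytes:
    """Quoted RFC 2831 rule with charset=UTF-8 present:
    ISO 8859-1 if every character fits, otherwise UTF-8."""
    try:
        return value.encode("iso-8859-1")
    except UnicodeEncodeError:
        return value.encode("utf-8")

def encode_utf8_only(value: str) -> bytes:
    """The alternative from the post: never convert, hash the UTF-8 bytes."""
    return value.encode("utf-8")

def user_hash(username: str, realm: str, passwd: str, encode) -> bytes:
    """H(username ":" realm ":" passwd), the inner MD5 of A1.
    Only username and passwd pass through `encode`; the quoted
    conversion rule names those two fields, not the realm."""
    parts = (encode(username), realm.encode("utf-8"), encode(passwd))
    return hashlib.md5(b":".join(parts)).digest()

def encodings_agree(username: str, realm: str, passwd: str) -> bool:
    """True when both interpretations yield the same hash."""
    return (user_hash(username, realm, passwd, encode_rfc2831)
            == user_hash(username, realm, passwd, encode_utf8_only))

REALM = "example.org"  # constructed
SAMPLES = [            # constructed credentials
    ("andrew", "secret"),                    # pure ASCII
    ("jos\u00e9", "secret"),                 # U+00E9, inside 128-255
    ("\u044e\u0437\u0435\u0440", "secret"),  # Cyrillic, beyond 255
    ("\u044e\u0437\u0435\u0440", "caf\u00e9"),  # rule applies per field
]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        verdict = "same" if encodings_agree(user, REALM, pw) else "DIFFERENT"
        print(f"{user!r:12} {pw!r:10} {verdict}")
```

The hashes differ exactly when a username or password has a character in the 128-255 range and none above it, so a peer that applies the conversion and a peer that does not will fail to authenticate each other only for those credentials.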