[JDEV] Question about password digest

Sebastian Paul Avarvarei proteus at proteusworld.com
Thu Sep 12 10:54:00 CDT 2002


I'm writing a PHP site which which will integrate with Jabber (jabberd). PHP doesn't have bult-in SHA-1 support (only MD5), and installing mhash is (unfortunately) not an option for my current project. And I would really like to avoid sending clear-text passwords.

One of the options I looked into is to generate the digest with "openssl sha1", but I can't seem to get the correct hash. Session example (from Winjab debug):

RECV: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' id='3D809521' xmlns='jabber:client' from='my.srv.com'>
SENT: <iq type="get" id="JCOM_79"><query xmlns="jabber:iq:auth"><username>admin</username></query></iq>
RECV: <iq type='result' id='JCOM_79'><query xmlns='jabber:iq:auth'><username>admin</username><password/><sequence>463</sequence><token>3D7DEE68</token><resource/></query></iq>
SENT: <iq type="set" id="JCOM_80"><query xmlns="jabber:iq:auth"><username>admin</username><hash>aa9d89856d398bf06de9863af744d1289c4eaadd</hash><resource>Winjab</resource></query></iq>

Given the above session, which string is used for generating the digest? Is it "3D809521123", meaning the id attribute of the session (3D809521) plus my password (123)? I tried this and other combinations and I can't get the same hash as Winjab's. For my tests, OpenSSL is reading the string from a text file, no \n after the string.

If anyone can tell me what I'm doing wrong here or suggest a different solution for PHP (such as an SHA-1 algorithm written in PHP), it would be greatly appreciated.

Best regards,

More information about the JDev mailing list