[jdev] implementing SASL digest in client library

Peter Saint-Andre stpeter at jabber.org
Fri Mar 24 12:25:27 CST 2006

Hash: SHA1

Andrew Plotkin wrote:
> I implemented this months ago, and it worked, but I never fully tested
> it with non-ASCII usernames and passwords. Now I'm running into a
> problem, and I don't know whether it's my fault.
> The SASL Digest document (rfc2831) says, in section
>    The "username-value", "realm-value" and "passwd" are encoded
>    according to the value of the "charset" directive. If "charset=UTF-8"
>    is present, and all the characters of either "username-value" or
>    "passwd" are in the ISO 8859-1 character set, then it must be
>    converted to ISO 8859-1 before being hashed.
> If I follow this instruction, authentication doesn't work. (I mean, it
> doesn't work for usernames that contain characters in the 128-255 range.
> If everything fits in ASCII, the two encodings are identical and
> everything works. If there's a character beyond 255, the quoted
> instruction doesn't apply and everything still works.)
> If I ignore the instruction (and never convert to 8859-1), then
> authentication works in all cases.
> (I tested this against our own ejabberd server and against jabber.org.)
> So, did I screw up the implementation somewhere? Is ejabberd behaving
> badly? Or should I be ignoring that line of the spec? (That would surely
> be the easy way out, since it leads to my code working.)

Ick, I never noticed that conversion to 8859-1 before. XMPP is all UTF-8
so the 8859-1 conversion seems wrong for us. But I'll seek clarification
from the SASL folks.


- --
Peter Saint-Andre
Jabber Software Foundation

Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3641 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20060324/ef2b20cd/attachment-0002.bin>

More information about the JDev mailing list