[jdev] sasl help

Dave Cridland dave at cridland.net
Tue Oct 23 10:46:36 CDT 2007

On Tue Oct 23 15:55:43 2007, Jacob Wright wrote:
> On 10/23/07, Dave Cridland <dave at cridland.net> wrote:
> >
> > On Tue Oct 23 08:25:59 2007, Jacob Wright wrote:
> > > I'm working on the DIGEST-MD5 SASL authentication and feel like  
> I'm
> > > doing it
> > > perfectly, but my server is telling me I've got an incorrect  
> auth
> > > for the
> > > right username and password.
> >
> > Now you know one of the reasons that the IETF is deprecating it.  
> :-/
> Deprecating it! After all this work I've done!? ;)  What is going  
> to be the
> preferred method in the future?
Now there's a question... Probably SCRAM, which predates DIGEST-MD5,  
in fact. Luckily it's much simpler to code, although you need to do a  
XOR operation over a binary hash string.

> > > var data:Object = stringToObject(dataStr);
> > >
> > >
> > What does this actually do?
> This takes the comma-delim string and creates a hash object out of  
> it.
Your code? The syntax for DIGEST-MD5's blobs is one of the reasons  
why it's being dropped - it's just fantastically complex. In the past  
year, I've seen two implementations with bugs in that area. Spaces  
are allowed everywhere, for instance. You probably want to do an  
interop test against a few implementations. ISTR GNU SASL has some  
oddities here, for instance.

> AH! That was it! You are the best!

I know. ;-)

>  I've spent hours on this. Thank you for
> your help, seriously.
I know lots of people who took a while to figure it out, including  
the author of the original Cyrus SASL plugin for it (Alexey Melnikov,  
who also wrote the revised specification). You're in good company.

Go get qop=auth-int and fast reauth working, now.

> > And again, what is this doing? Bear in mind that if it's some
> > convenient built-in that produces output that's similar to
> > DIGEST-MD5's syntax, this may not be quite right.
> It is a convenience method. It takes the object I've been putting  
> together
> and creates a key="value",key2="value2" string out of it. Is that  
> bad to
> quote every value? I noticed in examples that several key-value  
> pairs were
> not quoted (e.g. charset, nc, etc.) but thought it didn't matter.

That's an interesting question...

You see, in the syntax, qop, for instance, is given as a token - not  
a quoted-string. Therefore, it cannot be quoted, and if you saw the  
string qop="auth", that indicates a qop value of "auth" - with the  
quotes, not without. I have to admit I just parse out the quotes, so  
qop="auth" means, to me, qop=auth.

But, in the examples, qop is always quoted - qop="auth" - as well, so  
the examples would appear to disagree with the syntax.

So, given that, I gave up and asked Alexey:

(16:23:53) dwd at jabber.org/Office: Another DIGEST-MD5 question... Is  
it legal to quote all values?
(16:27:35) Alexey: I vaguely remember there were some exceptions

So, erm, I hope that settles it for you. ;-)

FWIW, it's always safe to not quote unless you have spaces, and any  
value which can have spaces can be quoted safely. So I'd say don't  
quote unless you have to.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the JDev mailing list