DIGEST-MD5 problem - Forum

Yasu

2011-09-15, 08:31 #1

Member since Sep 2011 · 22 posts
Group memberships: Members

Show profile ·

Link to this post

Subject: DIGEST-MD5 problem

I tried to connect to OpenFire by using your sample code:MiniClient and I changed to use BOSH. (MatriX 1.4.2 binary .NET version)
And I found a problem about DIGEST-MD5 authorization.

I used username,password,domain name like this.

username: 012345678910
password: word012345678910
Server : abc.abdev1.xyz.tests.co.jp (<- this is a local openfire server)

This long charactor setting causes error at DIGEST-MD5 authorization.
But using shorter username and password, it was successed.

I need to use such a long username,password,domain name for our products.
Can I solve this problem by changing MiniClient?
If this is library's problem, I hope this problem fixed soon.

[failed log]
SEND: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="abc.abdev1.xyz.tests.co.jp" version="1.0" >
RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="abc.abdev1.xyz.tests.co.jp" version="1.0" id="a55c5232" >
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams">
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
    <mechanism>ANONYMOUS</mechanism>
    <mechanism>CRAM-MD5</mechanism>
</mechanisms>
<compression xmlns="http://jabber.org/features/compress">
    <method>zlib</method>
</compression>
<bind xmlns="urn:ietf:params:xml:ns:xmpp-bind" />
<session xmlns="urn:ietf:params:xml:ns:xmpp-session" />
</stream:features>
SEND: <auth mechanism="DIGEST-MD5" xmlns="urn:ietf:params:xml:ns:xmpp-sasl" />
RECV: <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cmVhbG09ImFiYy5hYmRldjEueHl6LnRlc3RzLmNvLmpwIixub25jZT0ibG8reWNEeHp5OHdncTVTYVM0WkNlOW1WZ00xZzRoNDUvUmZ3R3VDMCIscW9wPSJhdXRoIixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==</challenge>
SEND: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dXNlcm5hbWU9IjAxMjM0NTY3ODkwIixyZWFsbT0iYWJjLmFiZGV2MS54eXoudGVzdHMuY28uanAiLG5vbmNlPSJsbyt5Y0R4enk4d2dxNVNhUzRaQ2U5bVZnTTFnNGg0NS9SZndHdUMwIixjbm9uY2U9IjYzMjEyMmNlMGZhODc3OTEwYjY1MzM5NjA5Yzc2ZmEwZGFhMzM4MzA5N2E0YWEzMjZiYmM0ZTYzMzNkZTViMzUiLG5jPTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvYWJjLmFiZGV2MS54eXoudGVzdHMuY28uanAiLGNoYXJzZXQ9dXRmLTgscmVzcG9uc2U9YjBiNzYyYzU4MjY3YmUxZDdlOWZlNDMzNTBhZTMwM2I=</response>
RECV: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<not-authorized />
</failure>
SEND: </stream:stream>
RECV: </stream:stream>

Alex

2011-09-15, 08:50 #2

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

I see no reason why Digest MD5 should fail with long usernames, password or domains. We have many customers using much longer usernames. Have you tried an existing client like Psi?
Anyway, Digest MD5 is deprecated and broken in the design and not recommended to use anymore.

Alex

Yasu

2011-09-16, 02:29 #3

Member since Sep 2011 · 22 posts
Group memberships: Members

Show profile ·

Link to this post

My expression was wrong.

MatriX generates wrong result of encryption at sasl authorization(choose digest-md5 for auth),
when using long string name and password,domain.( when these all three parameters are long string, this happens.)

I tried existing client Sparks,and existing library Smack and strophe.js, but they have no problem.
only MatriX causes this problem, so I think this is something bug of MatriX.

[this is server side log : openfire]
javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched response.
    at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(Unknown Source)
    at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(Unknown Source)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:296)
    at org.jivesoftware.openfire.SessionPacketRouter.route(SessionPacketRouter.java:58)
    at org.jivesoftware.openfire.http.HttpSession.sendPendingPackets(HttpSession.java:619)
    at org.jivesoftware.openfire.http.HttpSessionManager$HttpPacketSender.run(HttpSessionManager.java:377)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

This post was edited on 2011-09-16, 02:56 by Yasu.

Alex

2011-09-16, 10:51 #4

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

please post a username and password combination which fails for you with exact these exception in Openfire.

Alex

Yasu

2011-09-16, 13:52 #5

Member since Sep 2011 · 22 posts
Group memberships: Members

Show profile ·

Link to this post

This is failed combination.

username: 012345678910
password: pass012345678910
domain : abc.abdev1.xyz.tests.co.jp (<- this is a local openfire server)

Alex

2011-09-16, 14:33 #6

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

I will debug this and come back to you then.

Alex

Alex

2011-09-16, 16:47 #7

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

Ok I can confirm that there is a problem. I while ago I have added a Managed MD5 class for Silverlight and Windows Phone, because there is no MD5 available in the Framework. For longer strings, or depending on the input this hashing class seems create wrong hashes. I am working on a solution and will post the results then.

Alex

Alex

2011-09-16, 20:03 #8

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

problem is fixed. There is a bug in Microsofts managed MD5 Hash class.
see. http://archive.msdn.microsoft.com/SilverlightMD5

I am uploading a new binary 1.4.3.0 in the next minutes.

Alex

Yasu

2011-09-20, 03:40 #9

Member since Sep 2011 · 22 posts
Group memberships: Members

Show profile ·

Link to this post

I tried 1.4.3.0 , It works fine!!

Thanks for your help.

ghostknight 2013-10-03, 15:48 #10

Member since Oct 2013 · 17 posts
Group memberships: Members

Show profile ·

Link to this post

The problem is still actual in 1.5.2 in Compact Framework.
Login longer than 56 symbols causes problem with MD5 hash generation.
Login\password that produces error are:
login: available11-4e415559_4546_484e_1220_2012060300000a95-emergency
password:4e415559_4546_484e_1220_2012060300000a95

Please, advise.

Alex

2013-10-03, 18:20 #11

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

the buggy MD5 Hash implementation was fixed with release 1.4.2.0. Also in the Compact version.
You can test yourself if the MD-5 Hashing in the CF version produces valid output.

Util.Hash.Md5HashBytes is public, so just test it with some long strings.

In the SASL Digest-MD5 mechanism its hashing more than the password during authentication. It builds strings which includes also username, realm. nonce, cnonce etc... So the string which gets hashed is much longer than your password only.

Are you sure that the problem relies in MatriX and not on your server?

Alex

ghostknight 2013-10-04, 16:31 #12

Member since Oct 2013 · 17 posts
Group memberships: Members

Show profile ·

Link to this post

Alex,

For the moment I'm unsure, that it's Matrix fault. At least I've found a bug on the server in manageing password (have reported it to developers). Thank you for support!

Alex

2013-10-04, 22:15 #13

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

ok, let me know when you have info, then I can take a look at the codes again.

Alex