XMPP rspauth token should contain what in a DIGEST-MD5 auth?

Question

Background: I'm fiddling with a XMPP server that doesn't work.

So the documentation on this particular response token called rspauth is not very well documented anywhere really. Some appear to just skip it and go for a static string looking like this:

cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==

Which b64decodes to:

rspauth=ea40f60335c427b5527b84dbabcdfffd

However at the last stages of the MD5-DIGEST authentication, supposedly I should be sending the following:

<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
   cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
</challenge>

Again, I'm not sure why everyone everywhere in every bug report uses this static string. But any XMPP client will respond with:

jabber: Error is -10 : SASL(-10): server failed mutual authentication step: DIGEST-MD5: This server wants us to believe that he knows shared secret

I try to follow the RFC's as close as I can, and this is what the RFC says about rspauth=:

The server receives and validates the "digest-response". The server
checks that the nonce-count is "00000001". If it supports subsequent
authentication (see section 2.2), it saves the value of the nonce and the nonce-count. It sends a message formatted as follows:

response-auth = "rspauth" "=" response-value

where response-value is calculated as above, using the values sent in step two, except that if qop is "auth", then A2 is

   A2 = { ":", digest-uri-value }

Based on this, this is how i build my rspauth:

rspauth=b64enc(ByteConv('rspauth=:'+md5_this("xmpp/example.com")))

Which boils down to:

# md5_this == 6dae15e9021a0103e8e09ce86956a659 (obv not with example.com)
respauth = 'cnNwYXV0aD02ZGFlMTVlOTAyMWEwMTAzZThlMDljZTg2OTU2YTY1OQ=='
cli.respond('<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cnNwYXV0aD02ZGFlMTVlOTAyMWEwMTAzZThlMDljZTg2OTU2YTY1OQ==</challenge>')

According to this thread on the matter, the last thing i send is wrong, I should be sending:

<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cnNwYXV0aD02ZGFlMTVlOTAyMWEwMTAzZThlMDljZTg2OTU2YTY1OQ==</success>

This fails as well and then the client sends </stream:stream> and the connection breaks.
With the <challenge>...


Now this is where I'm lost, I'm assuming I'm building the rspauth=... token wrong, but I don't know what it's supposed to be.

Here's the full communication trace between Pidgin and the XMPP server:

client connected
<< <?xml version='1.0' ?>
<< <stream:stream to='example.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

>> Sending: <?xml version='1.0'?>
                <stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='example.com' id='d86961dc-bfb5-4578-aa45-116d5f14ef54' xml:lang='en' xmlns='jabber:client'>
                    <stream:features>
                        <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
                        <register xmlns='http://jabber.org/features/iq-register'/></stream:features>

<< <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
>> Sending: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
 - Secure connection established [TLS]

<< <stream:stream to='example.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
>> sending: <?xml version='1.0'?>
                <stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='example.com' id='516f7395-4112-4892-87f1-2e9f7f3a96e1' xml:lang='en' xmlns='jabber:client'>
                    <stream:features>
                        <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
                            <mechanism>DIGEST-MD5</mechanism>
                        </mechanisms>
                    <auth xmlns='http://jabber.org/features/iq-auth'/>
                </stream:features>

<< <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'/>
>> Sending: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cmVhbG09ImV4YW1wbGUuY29tIixub25jZT0iMTE2Iixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz</challenge>

<< <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>dXNlcm5hbWU9InRvcnhlZCIscmVhbG09ImV4YW1wbGUuY29tIixub25jZT0iMTE2Iixjbm9uY2U9IjZGUDF5RUtBRk1TN2lHSnRBNlNiME5oQ1JBcmhGU0t3OHRMa2xJVEJPZGs9IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL2V4YW1wbGUuY29tIixyZXNwb25zZT1jODhmNTRiMjJlMmFiZGI4ZThlMTljOWVjZDliYjAxOCxjaGFyc2V0PXV0Zi04</response> 
>> Sending: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==</challenge>
   DEBUG: rspauth=ea40f60335c427b5527b84dbabcdfffd

<< </stream:stream>

I've followed these RFC guides:

• http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-01.html
• https://www.ietf.org/rfc/rfc2831.txt
• http://wiki.xmpp.org/web/SASLandDIGEST-MD5

And had a look at these source codes:

• https://github.com/jaxl/JAXL/blob/master/xmpp/xmpp.auth.php#L86 (also checked this out)
• https://github.com/thobbs/pure-sasl/blob/1f7428b8ed37e5ab6d5500b53a637c4698a298ad/puresasl/mechanisms.py

And basically what's left is to reverse engineer a successful connection and break down the responses even further, but the md5 hashes is tricky to reverse in a timely manner, so I'm asking for help this time.

Found something

Checked around in some old source codes and found the following:

respauth = step_4 + ':' + nonce + ':' + cresp['nc'] + ':' + cnonce + ':' + cresp['qop'] + ':' + step_5
rspauth = 'rspauth=' + md5_this(rspauth)

Now It still generates the same error, but it's something other than static strings so I got that to work with for now.

Answer 1

i know this is 4 months old, but i had exact same problem, and i seem to have solved it.

the rfc for sasl digest (https://www.rfc-editor.org/rfc/rfc2831#section-2.1.3)

i made the code in C#, but it should be easy to adept, i used the Function names as they use in the RFC.

i know the code is not feature complete or bug free, but this works for me in pidgin, gajim and psi (psi does not check the returning hash from server, i am sure that is concerning). i hope this code helps you, or others that needed to look this up.

!ATTENTION! MD5-Digest is seen as unsafe, and the new standart is SCRAM SASL (https://www.rfc-editor.org/rfc/rfc5802)

The methode to Check the client Hash

public string GenerateClientHash(string user, string realm, string password, string nonce, string cnonce, string authzid, string digesturi, string qop, string nc)
            {
                byte[] A2 = (qop.Equals("auth") ? Encoder.GetBytes($"AUTHENTICATE:{digesturi}"): Encoder.GetBytes($"AUTHENTICATE:{digesturi}:00000000000000000000000000000000"));
    
                byte[] h1 = H(Encoder.GetBytes($"{user}:{realm}:{password}"));
                byte[] h2 = Encoder.GetBytes($":{nonce}:{cnonce}");
    
                byte[] A1 = Merge(h1,h2);
                byte[] response_value = HEX(KD(HEX(H(A1)),
                    Merge(Encoder.GetBytes($"{nonce}:{nc}:{cnonce}:{qop}:"), HEX(H(A2)))
                    ));
    
                byte[] h3 = Merge(h1, h2);
                return Encoder.GetString(response_value);
            }

Generate Server Hash (the one you had problems with)

public string GenerateServerHash(string user, string realm, string password, string nonce, string cnonce, string authzid, string digesturi, string qop, string nc)
        {
            byte[] A2 = (qop.Equals("auth") ? Encoder.GetBytes($":{digesturi}") : Encoder.GetBytes($":{digesturi}:00000000000000000000000000000000"));

            byte[] h1 = H(Encoder.GetBytes($"{user}:{realm}:{password}"));
            byte[] h2 = Encoder.GetBytes($":{nonce}:{cnonce}");

            byte[] A1 = Merge(h1, h2);
            byte[] response_value = HEX(KD(HEX(H(A1)),
                Merge(Encoder.GetBytes($"{nonce}:{nc}:{cnonce}:{qop}:"), HEX(H(A2)))
                ));

            byte[] h3 = Merge(h1, h2);
            return Encoder.GetString(response_value);
        }

The functions that the RFC mentioned.

/// <summary>
        /// Let H(s) be the 16 octet MD5 hash [RFC 1321] of the octet string s.
        /// </summary>
        /// <param name="s">Byte Array Af streng for at sikre encodning</param>
        /// <returns>s -> Base16(s) = s16 -> MD5Hash(s16)</returns>
        public byte[] H(byte[] s)
        {
            MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
            return md5.ComputeHash(s);
        }
        /// <summary>
        /// Let KD(k, s) be H({k, ":", s}), i.e., the 16 octet hash of the string k, a colon and the string s.
        /// </summary>
        /// <param name="k">Byte Array Af streng for at sikre encodning</param>
        /// <param name="s">Byte Array Af streng for at sikre encodning</param>
        /// <returns>k + ":" + s = ks -> H(ks)</returns>
        public byte[] KD(byte[] k, byte[] s)
        {
            byte[] colon = Encoder.GetBytes(":");
            byte[] ks = Merge(k, colon, s);
            return H(ks);
        }
        /// <summary>
        /// Let HEX(n) be the representation of the 16 octet MD5 hash n as a string of 32 hex digits(with alphabetic characters always in lower case, since MD5 is case sensitive).
        /// </summary>
        /// <param name="n">Byte Array Af streng for at sikre encodning</param>
        /// <returns>lowercase of n</returns>
        public byte[] HEX(byte[] n)
        {
            byte[] b = Encoder.GetBytes(toBase16(n).ToLower());
            return b;
        }