XMPP SASL Challenge-Response Using DIGEST-MD5 In C#

I’ve been struggling mightily with implementing the SASL challenge-response portion of an XMPP client I’ve been working on. By far, this has been the hardest part to implement: it’s been difficult to validate whether I’ve implemented the algorithm correctly, since there don’t seem to be any (easy to find) open source implementations of SASL DIGEST-MD5 (let alone in C#).

The trickiest part of the whole process is building the response token which gets sent back as a part of the message to the server.

RFC2831 documents the SASL DIGEST-MD5 authentication mechanism as follows:

Seems simple enough, right? Not! It took a bit of time to parse through it mentally and come up with an implementation, but I was still failing (miserably).

The breakthrough came when I stumbled upon a posting by Robbie Hanson:

Here’s the trick – normally when you hash stuff you get a result in hex values. But we don’t want this result as a string of hex values! We need to keep the result as raw data! If you were to do a hex dump of this data you’d find it to be “3a4f5725a748ca945e506e30acd906f0”. But remember, we need to operate on its raw data, so don’t convert it to a string.

The most important part of his posting is the last line (and the fact that it included the intermediate hexadecimal string results. Win! Now I finally had some sample data to compare against to figure out where I was going wrong). At one critical juncture in my implementation of the algorithm, I was converting the MD5 hash value to a hexadecimal string — thank goodness for Robbie’s clarification of that point!

Armed with this test data, I was finally able to get it all working. Here is the test code:

I modeled the SASL challenge like so:

And finally, here is the challenge response class which contains the meat of the response building logic:
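As an added example that is not the author’s C# code, here is the same RFC 2831 computation in Python, with the hex-string mistake the post describes beside the correct raw-byte version. The inputs are the RFC 2831 section 4 worked example (username "chris", realm "elwood.innosoft.com", password "secret", an IMAP digest-uri rather than an XMPP one), which the post itself does not include; for XMPP only the digest-uri ("xmpp/host") and the credentials change.

```python
import hashlib

def _h(data: bytes) -> bytes:
    """H() from RFC 2831: the raw 16-byte MD5 digest, not its hex string."""
    return hashlib.md5(data).digest()

def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth", authzid=None, server_response=False):
    """Compute the client 'response' (or the server's 'rspauth' when server_response=True)."""
    # A1 = H(username:realm:password) AS RAW BYTES, then ":nonce:cnonce[:authzid]".
    # This raw-byte concatenation is the step the post got wrong.
    secret = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri for the client; rspauth uses ":" digest-uri.
    a2 = (b"" if server_response else b"AUTHENTICATE") + b":" + digest_uri.encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k, s) = H(k:s).
    kd_input = ":".join([_h(a1).hex(), nonce, nc, cnonce, qop, _h(a2).hex()])
    return _h(kd_input.encode("utf-8")).hex()

def buggy_response(username, realm, password, nonce, cnonce, digest_uri,
                   nc="00000001", qop="auth"):
    """The mistake the post describes: hex-encoding H(username:realm:password) before building A1."""
    secret_hex = _h(f"{username}:{realm}:{password}".encode("utf-8")).hex()
    a1 = f"{secret_hex}:{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = ":".join([_h(a1).hex(), nonce, nc, cnonce, qop, _h(a2).hex()])
    return _h(kd_input.encode("utf-8")).hex()

# RFC 2831 section 4 worked example (not taken from this post).
RFC2831_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                       nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                       digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    print("response:", digest_md5_response(**RFC2831_EXAMPLE))
    print("rspauth: ", digest_md5_response(**RFC2831_EXAMPLE, server_response=True))
    print("buggy:   ", buggy_response(**RFC2831_EXAMPLE))
```

The correct version reproduces the RFC’s response and rspauth values; the buggy version yields a different 32-hex-digit token, which is why a server rejects it with no useful hint.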

Happy DIGESTing!

2 Responses

  1. Robert says:

    Awesome! I was converting my hex digest to a string, too!

  2. FrankSH says:

    OMG! The RFC is terrible. You’re a life saver, Thanks!