Page 1 of 1

Generating a digest

Posted: Thu May 04, 2006 6:58 am
by Chris Corbyn
I need to calculate a response for an SMTP server in a challege/response authentication mechanism. There's little documentation and the RFC was confusing me so I found a tutorial online but I'm stuck it putting this tiny part here into PHP.
The client generates a digest using the following MD5 hashing algorithm (where password is null-padded to a length of 64 bytes, ipad is 0x36 repeated 64 times and opad is 0x5C repeated 64 times):

Code: Select all

digest = MD5((password XOR opad), MD5((password XOR ipad), challenge))
"password" is a variable that I know, and "challege" is also a variable I've decoded.... I'm just not sure how that C code translates to PHP. Namely, the outer MD5() has 3 paramaters in it :?

Is it something like:

Code: Select all

$digest = md5( md5($password ^ str_repeat(0x5C, 64)) . md5($password ^ str_repeat(0x36, 64)) . $challenge);
?

Cheers :)

Posted: Thu May 04, 2006 7:11 am
by Weirdan
That depends on implementation of your MD5 function in C. Could you post it?

Posted: Thu May 04, 2006 7:17 am
by Chris Corbyn
Weirdan wrote:That depends on implementation of your MD5 function in C. Could you post it?
Doh! No I don't have that since I didn't write it... It's just what was written in this little tutorial.

I think I've just found a little library of SASL mechanisms on pear.php.net actually and CRAM-MD5 is in there (that's this thing) so I'll look how they do it :)

Thanks for help :D

Posted: Thu May 04, 2006 7:23 am
by Chris Corbyn
This is the PHP version from PEAR:

Code: Select all

function _HMAC_MD5($key, $data)
    {
        if (strlen($key) > 64) {
            $key = pack('H32', md5($key));
        }

        if (strlen($key) < 64) {
            $key = str_pad($key, 64, chr(0));
        }

        $k_ipad = substr($key, 0, 64) ^ str_repeat(chr(0x36), 64);
        $k_opad = substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64);

        $inner  = pack('H32', md5($k_ipad . $data));
        $digest = md5($k_opad . $inner);

        return $digest;
    }
$key is the "password" and $data is the "challenge". I was miles off :P

Posted: Thu May 04, 2006 7:31 am
by Weirdan
btw, you may see how squirrelmail does smtp auth: http://www.koders.com/php/fid8635C4160B ... ram-md5%22