Challenge-response? [Jun. 22nd, 2005|09:14 pm]
LiveJournal Client Discussions

lj_clients

[shitty_kitty]
I'm using the flat protocol, and I'm trying to authenticate using the challenge-response system. When I send the "getchallenge" command to the server, I'm getting this back:

challenge=c0:1119488400:2948:60:wrdelynkdgtzldsu5vnq:c32fcf37f954ef177f8a0007394f557b

No matter how hard I try, I can't get it to authenticate. I've tried using the whole string, colon-separated chunks of the string, and the last two chunks together (I noticed they're the main two that change), but nothing's working. I've checked my MD5 function and it's working correctly (I can generate hpasswords just fine), and I'm using the MD5_hex(challenge + MD5_hex(password)) formula. So, which part of that string do I need to return as "auth_challenge", and which part do I need to manipulate using that formula to return as "auth_response"?

Comments:
From: talisker
2005-06-23 03:29 pm (UTC)
You need to return the whole challenge string, as well as your response to it.

Basically, if you're using the flat interface, you need to do something like this:

using System;
using System.Security.Cryptography;
using System.Text;

// Lowercase hex MD5; LJ compares against lowercase digests
static string Md5Hex(string s)
{
    byte[] d = MD5.Create().ComputeHash(Encoding.UTF8.GetBytes(s));
    return BitConverter.ToString(d).Replace("-", "").ToLowerInvariant();
}

// challenge is the whole string LJ returned for getchallenge, used as-is; auth_response = md5(challenge + md5(password))
static string SessionBody(string challenge, string uname, string password, string pver)
{
    string hpasswd = Md5Hex(password);
    string auth_response = Md5Hex(challenge + hpasswd);
    string body = "mode=sessiongenerate&";
    body += "user=" + uname + "&";
    body += "auth_method=challenge&";
    body += "auth_challenge=" + challenge + "&";
    body += "auth_response=" + auth_response + "&";
    body += "expiration=long&";
    body += "ver=" + pver;
    return body;
}

And you need to send the body string to the server in a POST. This will return you a ljsession cookie that you can use for your subsequent calls to the server.

Hope this helps.
From: marksmith
2005-06-23 04:14 pm (UTC)
Ensure all MD5 hashes you generate and use are lowercase. That's the #1 cause of verification failures. Unix does lowercase, many Windows libraries do uppercase.
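An added worked example in Python, not code from either reply or from LiveJournal itself, that ties the two answers together: it computes auth_response as MD5_hex(challenge + MD5_hex(password)) over the whole challenge string, builds the flat-protocol sessiongenerate body talisker lists, and illustrates marksmith's point by showing that an uppercase hpassword (or using only the last chunk of the challenge, as the question tried) yields a digest the server will not accept. The challenge value is the one quoted in the question; the username, password, the server_side_verify reconstruction and the protocol version default of 1 are assumptions made for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Constructed sample input: the challenge quoted in the question, plus a
# made-up username and password (not real credentials).
CHALLENGE = "c0:1119488400:2948:60:wrdelynkdgtzldsu5vnq:c32fcf37f954ef177f8a0007394f557b"
USER = "example_user"
PASSWORD = "correct horse"

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 digest of text, the form the LJ server compares against."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def auth_response(challenge: str, password: str) -> str:
    """auth_response = MD5_hex(challenge + MD5_hex(password)).

    The challenge is used whole, exactly as getchallenge returned it; the client
    never splits it into its colon-separated fields.
    """
    hpassword = md5_hex(password)
    return md5_hex(challenge + hpassword)


def check_digest_case(digest: str) -> bool:
    """True only for 32 lowercase hex characters. An uppercase digest, which some
    Windows MD5 libraries emit, changes the bytes fed into the outer MD5 and so
    fails verification."""
    return HEX32.match(digest) is not None


def sessiongenerate_body(user: str, challenge: str, password: str, ver: int = 1) -> str:
    """Flat-protocol POST body for mode=sessiongenerate with challenge auth.

    Same fields as the reply above, with URL encoding added so a username or
    challenge containing reserved characters cannot break the body. ver=1 is
    an assumed default.
    """
    fields = [
        ("mode", "sessiongenerate"),
        ("user", user),
        ("auth_method", "challenge"),
        ("auth_challenge", challenge),
        ("auth_response", auth_response(challenge, password)),
        ("expiration", "long"),
        ("ver", str(ver)),
    ]
    return urlencode(fields, safe=":")


def server_side_verify(challenge: str, stored_hpassword: str, response: str) -> bool:
    """Assumed reconstruction of the server's check (not LJ's own code): recompute
    MD5_hex(challenge + hpassword) from the stored lowercase hpassword and compare
    in constant time."""
    expected = md5_hex(challenge + stored_hpassword)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    stored = md5_hex(PASSWORD)
    good = auth_response(CHALLENGE, PASSWORD)
    # Uppercase hpassword: different input bytes, different digest, rejected.
    bad_case = md5_hex(CHALLENGE + stored.upper())
    # Only the last chunk of the challenge: also rejected, as the asker found.
    bad_chunk = md5_hex(CHALLENGE.split(":")[-1] + stored)
    print("auth_response        :", good)
    print("whole challenge ok   :", server_side_verify(CHALLENGE, stored, good))
    print("uppercase hpassword  :", server_side_verify(CHALLENGE, stored, bad_case))
    print("last chunk only      :", server_side_verify(CHALLENGE, stored, bad_chunk))
    print(sessiongenerate_body(USER, CHALLENGE, PASSWORD))
```

Running the script prints the computed response, one True followed by two False results, and the POST body; the ':' characters in the challenge are left unencoded so the body reads the same as talisker's hand-built version.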