WAMP CRA password salt is sent base64 encoded #385
Comments
I am not sure if that is the correct change to fix the linked issue. The issue is that some WAMP implementations (like Nexus) use the PBKDF2-derived key bytes to sign the challenge, which is broken (at least with Crossbar). They should rather encode those bytes to a base64 string AND then get a byte representation of that string to sign the challenge. At this stage I am not sure if that is a bug in Crossbar? So we need to clarify what clients should do.
Sorry, I don't understand ^ but I of course agree: we should improve the spec text. Regarding "bug in crossbar": that would probably mean a bug in AB Py, J and JS as well. Not sure. I think it is easier to look at this as a spec bug ;) If there is a bug in crossbar, we should first have a unit test that demonstrates the bug ...
That's what crossbar does? Here are the helpers:
Actually, it looks like we really could make good use of some salt-specific unit tests. I don't see much here: https://github.com/crossbario/crossbar/blob/93f3931eb3fb34bae59c6a8d3d4bcbbef7131d67/crossbar/router/test/test_authorize.py#L92 but it looks plausible to add some salt-specific test code to the above. Does Nexus have respective tests? If so, we could copy and add their test vectors and vice versa. That way, interop is ensured by test coverage.
I'll look into coming up with a test case, sure. Let me try to explain again, as my previous reply is confusing even for me :-D This call ( Then What's not clear is and should be cleared in the spec document: Should the challenge be signed with the base64 key OR should it actually be signed with the raw bytes of the key? Crossbar (and all Autobahn libraries) does the former; Nexus does the latter.
Sounds cool! Thanks!
Yes, it should be signed using the binary key (secret), and this is what crossbar/autobahn is doing:
above is using utf8, since here the data
The signature must be created using PBKDF2. This algo does not talk about strings, but bytes; hence the raw key and raw salt must be used when computing the signature. Only for wire transfer does the question of encoding pop up. And this text is indeed missing, hence
Anyways, I still don't quite understand the problem ... hence I think before changing any code in AB or CB, we should add unit test coverage for salt-based WAMP-CRA, as I still think everything is good (but I might be wrong and too dumb to realize the bug or what ..)
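The two readings argued over in this thread, side by side, as an added example: this is not code from the issue, the wamp-proto repository, Crossbar, Autobahn or Nexus, and every input value (password, salt, iteration count, challenge string) is constructed for the demonstration. Reading A takes the HMAC key to be the raw PBKDF2 output; reading B takes it to be the base64 text of that output, as ASCII bytes, which is what the thread reports Crossbar and the Autobahn libraries do. The `router_verifies` helper plays a router that stores the base64 key (reading B) and shows which client signature it accepts.

```python
"""Added example (not code from the issue, wamp-proto, Crossbar, Autobahn or Nexus).

WAMP-CRA with a salted password derives a key with PBKDF2 and signs the
router's challenge with HMAC-SHA256 under that key. The thread asks whether
"that key" is the raw PBKDF2 output or its base64 text. Both readings are
implemented here so the resulting signatures can be compared directly.
"""
import base64
import hashlib
import hmac

# Constructed sample inputs; none of these values come from the issue.
PASSWORD = "correct horse battery staple"
SALT = "salt123"
ITERATIONS = 1000
KEYLEN = 32
# The "challenge" string a router puts in CHALLENGE.extra; this one is made up.
CHALLENGE = (
    '{"authid":"joe","authrole":"user","authmethod":"wampcra",'
    '"authprovider":"static","nonce":"LHRTC9zeOIrt_9U3",'
    '"session":3251278072,"timestamp":"2014-06-22T16:36:25.448Z"}'
)


def derive_key(password: str, salt: str, iterations: int, keylen: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 password and salt. Returns raw key bytes."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf8"), salt.encode("utf8"), iterations, keylen
    )


def encode_key(raw_key: bytes) -> str:
    """Base64 text of the derived key: the form that is stored and sent on the wire."""
    return base64.b64encode(raw_key).decode("ascii")


def sign_challenge(hmac_key: bytes, challenge: str) -> str:
    """base64(HMAC-SHA256(hmac_key, challenge)); the value a client sends in AUTHENTICATE."""
    mac = hmac.new(hmac_key, challenge.encode("utf8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def signature_raw_key(password, salt, iterations, keylen, challenge) -> str:
    """Reading A: the HMAC key is the raw PBKDF2 output."""
    return sign_challenge(derive_key(password, salt, iterations, keylen), challenge)


def signature_base64_key(password, salt, iterations, keylen, challenge) -> str:
    """Reading B: the HMAC key is the base64 text of the PBKDF2 output, as ASCII bytes."""
    b64 = encode_key(derive_key(password, salt, iterations, keylen))
    return sign_challenge(b64.encode("ascii"), challenge)


def router_verifies(stored_key_b64: str, challenge: str, presented: str) -> bool:
    """What a router holding the base64 key (reading B) accepts. Constant-time compare."""
    expected = sign_challenge(stored_key_b64.encode("ascii"), challenge)
    return hmac.compare_digest(expected, presented)


def compare_readings() -> dict:
    """Run both readings against the same inputs and report whether they interoperate."""
    sig_a = signature_raw_key(PASSWORD, SALT, ITERATIONS, KEYLEN, CHALLENGE)
    sig_b = signature_base64_key(PASSWORD, SALT, ITERATIONS, KEYLEN, CHALLENGE)
    stored = encode_key(derive_key(PASSWORD, SALT, ITERATIONS, KEYLEN))
    return {
        "stored_key_b64": stored,
        "signature_raw_key": sig_a,
        "signature_base64_key": sig_b,
        "readings_agree": sig_a == sig_b,
        "router_b_accepts_a": router_verifies(stored, CHALLENGE, sig_a),
        "router_b_accepts_b": router_verifies(stored, CHALLENGE, sig_b),
    }


if __name__ == "__main__":
    for name, value in compare_readings().items():
        print(f"{name}: {value}")
```

The point the output makes is the interop failure described above: a 32-byte raw key and its 44-character base64 form are different HMAC keys, so a client using reading A is rejected by a router using reading B, and vice versa. Whichever reading the spec settles on, a shared test vector (password, salt, iterations, keylen, challenge, expected signature) checked into both projects is what pins it down.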
Pls see:
Proposal: change text in ap_authentication_cra.md
from:
to: