hmacsha1 WebSocket?

Print Thread

hmacsha1 WebSocket? #240281 16/01/13 03:03 PM
Joined: Jan 2013 Posts: 2 G godzhand OP Bowl of petunias
OP godzhand Bowl of petunias G Joined: Jan 2013 Posts: 2	ok so i am trying to run a 'test' handshake server for my website and use mIRC sockets... ------------------------------------------- Proxy.3679 GET / HTTP/1.1 Proxy.3679 Host: ********:7000 Proxy.3679 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0 Proxy.3679 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8 Proxy.3679 Accept-Language: en-US,en;q=0.5 Proxy.3679 Accept-Encoding: gzip, deflate Proxy.3679 Sec-WebSocket-Version: 13 Proxy.3679 Origin: http://???????.net Proxy.3679 Sec-WebSocket-Key: GjTa/iHcExT2LZKLBrnILg== Proxy.3679 Connection: keep-alive, Upgrade Proxy.3679 Pragma: no-cache Proxy.3679 Cache-Control: no-cache Proxy.3679 Upgrade: websocket ----------------------------------------------- the problem is in the key that is sent to mIRC Sec-WebSocket-Key: GjTa/iHcExT2LZKLBrnILg== that needs to "apparently" be appended to a magic key: 258EAFA5-E914-47DA-95CA-C5AB0DC85B11 if im correct would look like GjTa/iHcExT2LZKLBrnILg==258EAFA5-E914-47DA-95CA-C5AB0DC85B11 then it needs to be HMAC-SHA1 / then base64 encoded.. any help would be gratitude

Re: hmacsha1 WebSocket?

godzhand #240282 16/01/13 05:17 PM

Joined: Mar 2008

Posts: 93

Austria

BhaaL

Babel fish

BhaaL

Babel fish

Joined: Mar 2008

Posts: 93

Austria

HMAC is defined in RFC 2104, and its fairly straight-forward to implement in mIRC. Infact, I used to use this snippet for challenge-auth on QuakeNet:

Code:

alias -l hmac_md5 {
  bunset &opad
  bunset &ipad

  bset &key 64 0
  bset -t &key 1 $2

  bcopy &ipad 1 &key 1 64
  bcopy &opad 1 &key 1 64

  var %i = 1
  while (%i <= 64) {
    bset &ipad %i $xor($bvar(&ipad, %i),$base(36,16,10))
    bset &opad %i $xor($bvar(&opad, %i),$base(5c,16,10)) 
    inc %i
  }
  bset -t &ipad $calc($bvar(&ipad,0) + 1) $1
  bset &opad $calc($bvar(&opad,0) + 1) $digest($md5(&ipad, 1))
  return $md5(&opad,1)
}

alias -l digest {
  var %ret = ""
  var %i = 1
  while (%i < $len($1)) {
    %ret = $+(%ret,$chr(32),$base($mid($1,%i,2),16,10))
    inc %i 2
  }
  return %ret
}

Replace $md5 with $sha1 and you should be fine; all you need to know now is what your HMAC-components are (pass them as $1 and $2)

Re: hmacsha1 WebSocket? BhaaL #240285 16/01/13 06:03 PM
Joined: Jan 2013 Posts: 2 G godzhand OP Bowl of petunias
OP godzhand Bowl of petunias G Joined: Jan 2013 Posts: 2	thank you! for replying...but i dont get it.. i changed md5 to sha1 in your code now look --- As of HyBi 06, the client sends a Sec-WebSocket-Key which is base64 encoded. To this key the magic string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" is appended, hashed with SHA1 and then base64 encoded. The result is then replied in the header "Sec-WebSocket-Accept". For instance, a string of "x3JJHMbDL1EzLkh9GBhXDw==258EAFA5-E914-47DA-95CA-C5AB0DC85B11" hashed by SHA1 yields a hexadecimal value of "1d29ab734b0c9585240069a6e4e3e91b61da1969". Here's what the version 6 handshake looks like: GET /ws HTTP/1.1 Host: gravelleconsulting.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Version: 6 Sec-WebSocket-Origin: http://gravelleconsulting.com Sec-WebSocket-Extensions: deflate-stream Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== ...to which the server responds: HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk= ---- i am not getting the same results...

Re: hmacsha1 WebSocket? godzhand #240290 17/01/13 04:54 PM
Joined: Mar 2008 Posts: 93 Austria B BhaaL Babel fish
BhaaL Babel fish B Joined: Mar 2008 Posts: 93 Austria	I never worked with WebSockets, so I can't really help you with that. Could it be that the base64-encoded part is actually encoded because its signature bytes, and not a key? I suggest you check out the specification of this WebSocket security and see what they say.

Re: hmacsha1 WebSocket? godzhand #244038 18/01/14 10:27 PM
Joined: Oct 2003 Posts: 3,918 Montreal, QC, Canada A argv0 Hoopy frood
argv0 Hoopy frood A Joined: Oct 2003 Posts: 3,918 Montreal, QC, Canada	It's not HMAC SHA, it's just a regular SHA. The problem is that the SHA1 has to be base64 encoded from the binary contents, not the hex representation. In other words, it's not as simple as: $encode($sha1(%WEBSOCKET_KEY $+ 258EAFA5-E914-47DA-95CA-C5AB0DC85B11),m) You actually have to build a binary string based on the hex representation that $sha1 returns and $encode that. Here you go: Code: alias sha1binb64 { var %i = 1, %sha1 = $sha1($1), %len = $len(%sha1) while (%i < %len) { bset &sha1 $calc((%i + 1) / 2) $base($mid(%sha1, %i, 2), 16, 10) inc %i 2 } noop $encode(&sha1, mb) return $bvar(&sha1, 1-).text } Usage: Code: //echo -a $sha1binb64(x3JJHMbDL1EzLkh9GBhXDw==258EAFA5-E914-47DA-95CA-C5AB0DC85B11) Returns "HSmrc0sMlYUkAGmm5OPpG2HaGWk=" as per Wikipedia's description of the WS handshake. - argv[0] on EFnet #mIRC - "Life is a pointer to an integer without a cast"

Link Copied to Clipboard

Forums Developers hmacsha1 WebSocket?