«

I'd be very grateful if someone could help me out with this
problem regarding the internals of SHA-1 and Java. I maintain
an Open Source (GPL) project which implements the Yahoo Instant
Messenger protocol (YMSG) as a Java package...

http://jymsg9.sourceforge.net/

As I'm sure you know, Yahoo occasionally tweaks its login
protocol to lock out third party code. So far I've been able
to match them by updating my own code, based upon changes made
to other third party projects like libyahoo2 and gaim (see
http://libyahoo2.sf.net/ and http://gaim.sf.net/ ). But the
most recent change has caused me some headaches. It's a small
alteration regarding SHA-1, but I'm not sure if I can easily
replicate it in Java.

I'm hoping some knowledgable soul here will throw some light on
the matter - if I cannot solve this problem, then the whole jYMSG
project is at threat!

Below is a fragment of C source (taken from libyahoo2, via Gaim)
showing the two new lines apparently required to fix the login
process. As you can see, it involves an assignment to a variable
'sizeLo'... My problem is, how can I replicate this using the
standard SHA-1 code which comes with java.security.MessageDigest ?

shaUpdate(&ctx1, crypt_hash_xor1, 64);
/* Start of additions */
if(j>=3)
ctx1.sizeLo = 0x1ff;
/* End of additions */
shaUpdate(&ctx1, magic_key_char, 4);
shaFinal(&ctx1, digest1);

My knowledge of message digests and the like is limited. I took
a look at some SHA-1 C source on-line, and it appears that sizeLo
is manipulated when updating the digest, then used when padding
the data(?). But there is a further update following the setting
of sizeLo, so I can't just replicate the behaviour by manually
padding the digest with the correct bytes myself (can I?)

So, I guess my problem amounts to....

1) Can I reproduce the effect of setting sizeLo mid-way through
a digest update, as in the source above, using
java.security.MessageDigest ?
2) If not, can anyone recommend a good, GPL-friendly, SHA-1
implementation in Java, which would facilitate such a thing?

Any help or suggestions gratefully received!

Some links... The SHA-1 C source I studied was here...
http://www.openaether.org/jabberd2/source/util/sha1.c
http://www.openaether.org/jabberd2/source/util/sha1.h
And the web CVS page for the complete source file from which
the sample C fragement was taken is here...
http://cvs.sourceforge.net/viewcvs.p...rc/libyahoo2.c


-FISH- ><>

On 27 Jun 2004 06:38:09 -0700, (FISH) wrote or
quoted :

>Any help or suggestions gratefully received!

Is Yahoo attempting to block others from accessing its IM service
other than with their clients?

Surely they have the legal right to do that, even though it will
inconvenience many.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.

> 1) Can I reproduce the effect of setting sizeLo mid-way through
> a digest update, as in the source above, using
> java.security.MessageDigest ?

Unlikely.

> 2) If not, can anyone recommend a good, GPL-friendly, SHA-1
> implementation in Java, which would facilitate such a thing?
>

BouncyCastle (http://www.bouncycastle.org) is good, and has a fairly
liberal license compatible with the GPL. The GNU Crypto project
(http://www.gnu.org/software/gnu-crypto) is also GPL-friendly.

(FISH) wrote in message news:< om>...
> I'd be very grateful if someone could help me out with this
> problem regarding the internals of SHA-1 and Java. I maintain
> an Open Source (GPL) project which implements the Yahoo Instant
> Messenger protocol (YMSG) as a Java package...
>
> http://jymsg9.sourceforge.net/
[snipped...]


A big thanks to those who posted and emailed solutions to this problem.

As it turned out, one of the project's users had already crafted a
SHA1 implementation which was capable of being manipulated in the way
needed - so jYMSG is back in business once more! Even so, I'm going
to look into the links you people provided, as I doubt this will be
the last time Yahoo screw about with their login code.

Thanks,

-FISH- ><>

> 1) Can I reproduce the effect of setting sizeLo mid-way through
> a digest update, as in the source above, using
> java.security.MessageDigest ?
> 2) If not, can anyone recommend a good, GPL-friendly, SHA-1
> implementation in Java, which would facilitate such a thing?

Try to find the class (I am not sure if the code is native or in java) which
contains the implementation of :
java.security.MessageDigest.getInstance("SHA-1"); ... and decompile it.

Good Luck.
Vincent