Bug #2410
digest-md5 auth is wrongly implemented
| Status: | Fixed | Start date: | 2012-04-11 |
|---|---|---|---|
| Priority: | Urgent | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | mod_auth | Estimated time: | 1.00 hour |
| Target version: | 1.4.31 | | |
| Missing in 1.5.x: | No | | |
Description
Hi,
I have been digging in the RFC for weeks about an issue I have in another project, and
it seems yours is also affected. The issue appears in the HA1 computation with the md5-sess algo
in http_auth.c (about line 1096):

    if (algorithm &&
        strcasecmp(algorithm, "md5-sess") == 0) {
        //here there is a missing call to CvtHex(HA1, xxx);
        li_MD5_Init(&Md5Ctx);
        li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); //here the size is now 32bytes
        li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
        li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
        li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
        li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
        li_MD5_Final(HA1, &Md5Ctx);
    }
    CvtHex(HA1, a1);

as the HA1 needs to be converted to a hex string of 32 bytes.
See errata 1649 at http://www.rfc-editor.org/errata_search.php?rfc=2617 for more info.
regards,
david maciejak
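
The mismatch described in the report, as an added example (not lighttpd's code and not part of the original report): it computes the md5-sess HA1 both ways and shows that a server hashing the raw 16-byte digest rejects the response of a client that follows errata 1649. The function names and the `hex_inner` switch are hypothetical; the sample credentials are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac

# Sample values: the worked example from RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
NC, QOP = "00000001", "auth"
METHOD, URI = "GET", "/dir/index.html"


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def ha1(algorithm: str, hex_inner: bool = True) -> str:
    """Return HA1 as 32 hex characters.

    hex_inner=True  : errata 1649, the inner digest is hex-encoded (32 bytes)
                      before it goes into the session hash.
    hex_inner=False : the behaviour reported above, the raw 16-byte digest
                      goes into the session hash.
    """
    inner = md5(f"{USER}:{REALM}:{PASSWORD}".encode())
    if algorithm.lower() == "md5-sess":
        seed = inner.hex().encode() if hex_inner else inner
        inner = md5(seed + f":{NONCE}:{CNONCE}".encode())
    return inner.hex()


def response(ha1_hex: str) -> str:
    """request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5(f"{METHOD}:{URI}".encode()).hex()
    joined = f"{ha1_hex}:{NONCE}:{NC}:{CNONCE}:{QOP}:{ha2}"
    return md5(joined.encode()).hex()


def server_accepts(client_response: str, server_ha1: str) -> bool:
    """Server side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(response(server_ha1), client_response)


if __name__ == "__main__":
    client = response(ha1("md5-sess"))  # client follows errata 1649
    print("server, hex HA1:", server_accepts(client, ha1("md5-sess")))
    print("server, raw HA1:", server_accepts(client, ha1("md5-sess", False)))
```

Plain `MD5` is unaffected because it has no second hashing step, so only clients that negotiate `md5-sess` fail to authenticate.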
Associated revisions
[mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)
History
#1 Updated by stbuehler about 1 year ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset r2832.
#2 Updated by stbuehler about 1 year ago
- Target version set to 1.4.31