Bug #2410

digest-md5 auth is wrongly implemented

Added by dmaciejak about 4 years ago. Updated about 4 years ago.

Status: Fixed
Priority: Urgent
Assignee: -
Category: mod_auth
Target version:
Start date: 2012-04-11
Due date:
% Done: 100%
Estimated time: 1.00 h
Missing in 1.5.x: No

Description

Hi,

I have been digging in the RFC for weeks about an issue I have in another project;
it seems yours is also affected. The issue appears in the HA1 computation with the md5-sess algo
in http_auth.c (around line 1096):

    if (algorithm &&
        strcasecmp(algorithm, "md5-sess") == 0) {
        // here there is a missing call to CvtHex(HA1, xxx);
        li_MD5_Init(&Md5Ctx);
        li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); // here the size is now 32 bytes
        li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
        li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
        li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
        li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
        li_MD5_Final(HA1, &Md5Ctx);
    }
    CvtHex(HA1, a1);

as the HA1 needs to be converted to a hex string of 32 bytes.
See errata 1649 at http://www.rfc-editor.org/errata_search.php?rfc=2617 for more info.

regards,
david maciejak
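
The difference described in the report above, as an added example that is not part of the ticket or of lighttpd's code: the MD5-sess HA1 is computed once with the inner hash fed in as 32 hex characters (errata 1649) and once as 16 raw bytes, and a response from an errata-compliant client is checked against each. It is written in Python with `hashlib` rather than C so it runs without an MD5 library; the function names, the `errata_1649` switch and all sample credentials are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def ha1_md5_sess(user, realm, password, nonce, cnonce, errata_1649=True):
    """Session HA1 for algorithm=MD5-sess (RFC 2617 with errata 1649)."""
    inner = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    if errata_1649:
        # Errata 1649: the inner hash enters A1 as 32 hex characters.
        prefix = inner.hex().encode()
    else:
        # Behaviour reported in this ticket: the 16 raw digest bytes are hashed.
        prefix = inner
    return md5_hex(prefix + b":" + nonce.encode() + b":" + cnonce.encode())

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

# Constructed sample values, not taken from the ticket.
SAMPLE = dict(user="alice", realm="example.test", password="constructed-password",
              nonce="4f1d2c3b5a69788796a5b4c3d2e1f001", cnonce="0a4f113b")
REQ = dict(method="GET", uri="/private/", nc="00000001")

def compliant_client_response():
    """What a client following errata 1649 sends for the sample request."""
    ha1 = ha1_md5_sess(**SAMPLE)
    return digest_response(ha1, REQ["method"], REQ["uri"], SAMPLE["nonce"],
                           REQ["nc"], SAMPLE["cnonce"])

def server_accepts(client_response, errata_1649):
    """Recompute the response server-side and compare in constant time."""
    ha1 = ha1_md5_sess(**SAMPLE, errata_1649=errata_1649)
    expected = digest_response(ha1, REQ["method"], REQ["uri"], SAMPLE["nonce"],
                               REQ["nc"], SAMPLE["cnonce"])
    return hmac.compare_digest(expected, client_response)

if __name__ == "__main__":
    resp = compliant_client_response()
    print("fixed server accepts:  ", server_accepts(resp, errata_1649=True))
    print("pre-fix server accepts:", server_accepts(resp, errata_1649=False))
```
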

Associated revisions

Revision 61047369 (diff)
Added by stbuehler about 4 years ago

[mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2832 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 2832 (diff)
Added by stbuehler about 4 years ago

[mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)

History

#1 Updated by stbuehler about 4 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2832.

#2 Updated by stbuehler about 4 years ago

  • Target version set to 1.4.31
