Bug #2410

closed

digest-md5 auth is wrongly implemented

Added by dmaciejak over 12 years ago. Updated over 12 years ago.

Status: Fixed
Priority: Urgent
Category: mod_auth
Target version:

Description

Hi,

I have been digging through the RFC for weeks because of an issue I have in another project;
yours seems to be affected as well. The issue appears in the HA1 computation with the md5-sess algo
in http_auth.c (around line 1096):

    if (algorithm &&
        strcasecmp(algorithm, "md5-sess") == 0) {
        //here there is a missing call to CvtHex(HA1, xxx);
        li_MD5_Init(&Md5Ctx);
        li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); //here the size is now 32bytes
        li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
        li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
        li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
        li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
        li_MD5_Final(HA1, &Md5Ctx);
    }
    CvtHex(HA1, a1);

as the HA1 needs to be converted to a hex string of 32 bytes.
See erratum 1649 at http://www.rfc-editor.org/errata_search.php?rfc=2617 for more info.

regards,
david maciejak
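The difference described in the report, as an added Python example (not code from lighttpd or from the reporter): it computes the md5-sess HA1 both ways and shows that a server hashing the raw 16 bytes rejects a response built from the 32-character hex form. The function names, the `hex_inner` switch and the sample credentials and nonces are constructed for illustration.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def ha1_md5_sess(user, realm, password, nonce, cnonce, hex_inner=True):
    # Inner hash MD5(user:realm:password): 16 raw bytes.
    inner = md5(f"{user}:{realm}:{password}".encode())
    # hex_inner=True: the 32-char lowercase hex string goes into the outer
    # hash (the reading the report takes from erratum 1649).
    # hex_inner=False: the raw 16 bytes go in, as in the code quoted above.
    seed = inner.hex().encode() if hex_inner else inner
    return md5(seed + b":" + nonce.encode() + b":" + cnonce.encode()).hex()

def digest_response(ha1_hex, req):
    # qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5(f"{req['method']}:{req['uri']}".encode()).hex()
    fields = (ha1_hex, req["nonce"], req["nc"], req["cnonce"], req["qop"], ha2)
    return md5(":".join(fields).encode()).hex()

def server_accepts(client_response, creds, req, hex_inner):
    # Server side: recompute the expected response, compare in constant time.
    ha1 = ha1_md5_sess(*creds, req["nonce"], req["cnonce"], hex_inner=hex_inner)
    return hmac.compare_digest(digest_response(ha1, req), client_response)

# Constructed sample values (user, realm, password and request parameters).
CREDS = ("Mufasa", "testrealm@host.com", "Circle Of Life")
REQ = {
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "cnonce": "0a4f113b",
    "nc": "00000001",
    "qop": "auth",
    "method": "GET",
    "uri": "/dir/index.html",
}

def demo():
    # Client builds its response from the hex form of the inner hash.
    client_ha1 = ha1_md5_sess(*CREDS, REQ["nonce"], REQ["cnonce"])
    client_resp = digest_response(client_ha1, REQ)
    # Same password, two server variants: hex inner hash vs raw 16 bytes.
    return (server_accepts(client_resp, CREDS, REQ, hex_inner=True),
            server_accepts(client_resp, CREDS, REQ, hex_inner=False))

if __name__ == "__main__":
    print(demo())
```
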

Actions #1

Updated by stbuehler over 12 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2832.

Actions #2

Updated by stbuehler over 12 years ago

  • Target version set to 1.4.31