apple / ccs-calendarserver

The Calendar and Contacts Server.
https://www.calendarserver.org
Apache License 2.0

Digest authentication algorithm md5 & RFC2617 #330

Closed macosforgebot closed 13 years ago

macosforgebot commented 13 years ago

marten.gajda@… originally submitted this as ticket:422


I'm writing a CardDAV-Sync adapter for Android and came across the following issue when connecting to caldavd: Android's HTTP implementation cannot handle digest authentication when the algorithm is set to "md5" instead of "MD5".

I do not know whether Android is wrong or caldavd. RFC2617 states:

algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" | token )

but does not say anything about case-sensitivity.

I'd like to know your opinion about this. I'm not sure if I can work around this issue somehow. For the moment my only solution is to advise my users to change the algorithm to MD5.

Thanks

Marten

macosforgebot commented 13 years ago

@wsanchez originally submitted this as comment:1:⁠ticket:422

macosforgebot commented 13 years ago

@wsanchez originally submitted this as comment:2:⁠ticket:422


See http://www.ietf.org/rfc/rfc2617.txt, section 1.2:

HTTP provides a simple challenge-response authentication mechanism that MAY be used by a server to challenge a client request and by a client to provide authentication information. It uses an extensible, case-insensitive token to identify the authentication scheme, followed by a comma-separated list of attribute-value pairs which carry the parameters necessary for achieving authentication via that scheme.

macosforgebot commented 13 years ago

@cyrusdaboo originally submitted this as comment:3:⁠ticket:422


My fault: that comment in RFC2617 actually refers to the auth method, not the algorithm value. The spec does not indicate whether the algorithm is case-sensitive or not (for some other parameters it does give an explicit statement). However, 2517 uses the same ABNF as 2616, and in 2616 Section 2.1 it states:

"literal"

Quotation marks surround literal text. Unless stated otherwise, the text is case-insensitive.

So that implies that the "literals" in the 2617 syntax are case-insensitive by default.

macosforgebot commented 13 years ago

marten.gajda@… originally submitted this as comment:4:⁠ticket:422


Good point. I'll file an Android bug.

Thanks.
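
An added example, not part of the original thread or the Calendar Server code base: a client-side parser for a Digest challenge that treats the algorithm value case-insensitively, following the reading of RFC 2616 Section 2.1 given in the thread. The challenge strings, credentials and function names are constructed for illustration, and the response calculation assumes qop=auth.

```python
import hashlib
import re

# auth-param = token "=" ( token | quoted-string ), per RFC 2617 section 1.2
_PARAM = re.compile(r'([!#$%&\'*+.^_`|~0-9A-Za-z-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')
_SUPPORTED = {"MD5", "MD5-SESS"}


def parse_digest_challenge(header):
    """Parse a WWW-Authenticate value into a dict with a normalised algorithm."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":  # the scheme token is case-insensitive
        raise ValueError("not a Digest challenge")
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Parameter names are folded to lower case; values keep their case.
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    # An absent algorithm means MD5; "md5", "Md5" and "MD5" are treated alike.
    algorithm = params.get("algorithm", "MD5").upper()
    if algorithm not in _SUPPORTED:
        raise ValueError("unsupported digest algorithm: " + algorithm)
    params["algorithm"] = algorithm
    return params


def _h(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(params, username, password, method, uri, nc, cnonce):
    """Compute the request-digest for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha1 = _h(f"{username}:{params['realm']}:{password}")
    if params["algorithm"] == "MD5-SESS":
        ha1 = _h(f"{ha1}:{params['nonce']}:{cnonce}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")


# Constructed challenges: identical except for the case of the algorithm value.
CHALLENGES = [
    f'Digest realm="example", qop="auth", nonce="abc123", algorithm={alg}'
    for alg in ("md5", "MD5", '"Md5"')
]

if __name__ == "__main__":
    for c in CHALLENGES:
        p = parse_digest_challenge(c)
        print(p["algorithm"], digest_response(p, "user", "secret", "GET", "/", "00000001", "0a4f113b"))
```

All three challenges normalise to the same algorithm and produce the same response, while an algorithm value outside the supported set is rejected rather than silently treated as MD5.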