search

kristapsdz / kcgi

minimal CGI and FastCGI library for C/C++
https://kristaps.bsd.lv/kcgi
ISC License
275 stars 40 forks source link

Fix HTTP Digest authentication when qpop=auth-int #25

Closed cac04 closed 6 years ago

cac04 commented 6 years ago

There are a couple of problems with kcgi's auth-int implementation:

First, it does not hash the body before including it in A2.

RFC 2617 defines A2 like this:

If the "qop" value is "auth-int", then A2 is:

  A2       = Method ":" digest-uri-value ":" H(entity-body)

But child.c included entity-body directly in the calculation of H(A2) without hashing it first.

Second, child.c used SCRIPT_NAME + PATH_INFO as digest-uri-value.

That's wrong: it has to be the value of the uri auth param to ensure that it is the same string that the client used. See section 3.2.2.5 of RFC 2617.

This commit changes kworker_auth_child to return the uri auth param if it is needed, instead of just a boolean (int) to indicate that the body should be hashed.

This commit also contains a regression test for qpop=auth-int

cac04 commented 6 years ago

I blame child-induced sleep deprivation and insufficient caffeine. A slightly less insane pull request should be coming in a moment...

...and now it's here: #26