There are a couple of problems with kcgi's auth-int implementation:

First, it does not hash the body before including it in A2. RFC 2617 defines A2 like this:

But child.c included entity-body directly in the calculation of H(A2) without hashing it first.

Second, child.c used SCRIPT_NAME + PATH_INFO as digest-uri-value. That's wrong: it has to be the value of the uri auth param to ensure that it is the same string that the client used. See section 3.2.2.5 of RFC 2617.

This commit changes kworker_auth_child to return the uri auth param if it is needed, instead of just a boolean (int) to indicate that the body should be hashed.

This commit also contains a regression test for qop=auth-int