Closed cac04 closed 6 years ago
There are a couple of problems with kcgi's auth-int implementation:
First, it does not hash the body before including it in A2.
RFC 2617 defines A2 like this:
If the "qop" value is "auth-int", then A2 is:
A2 = Method ":" digest-uri-value ":" H(entity-body)
But child.c included entity-body directly in the calculation of H(A2) without hashing it first.
Second, child.c used SCRIPT_NAME + PATH_INFO as digest-uri-value.
That's wrong: it has to be the value of the uri auth param to ensure that it is the same string that the client used. See section 3.2.2.5 of RFC 2617.
This commit also contains a regression test for qop=auth-int.
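As an added illustration (not kcgi's code and not part of this pull request), the Python sketch below computes the RFC 2617 auth-int response with MD5 and verifies it on the server side using the `uri` auth param and `H(entity-body)`. All function names and sample values are constructed; the query-string difference is an assumed example of how SCRIPT_NAME + PATH_INFO can differ from the string the client signed.

```python
import hashlib
import hmac

def H(data: bytes) -> str:
    """Hex MD5, the default Digest algorithm in RFC 2617."""
    return hashlib.md5(data).hexdigest()

def a2_auth_int(method: str, uri: str, body: bytes, hash_body: bool = True) -> bytes:
    # RFC 2617: A2 = Method ":" digest-uri-value ":" H(entity-body)
    prefix = f"{method}:{uri}:".encode()
    if hash_body:
        return prefix + H(body).encode()
    return prefix + body  # the first defect described above: raw body in A2

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    body, hash_body=True) -> str:
    ha1 = H(f"{user}:{realm}:{password}".encode())
    ha2 = H(a2_auth_int(method, uri, body, hash_body))
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:auth-int:{ha2}".encode())

def verify(params: dict, password: str, method: str, body: bytes) -> bool:
    """Server-side check: digest-uri-value is taken from the uri auth param."""
    expected = digest_response(params["username"], params["realm"], password,
                               method, params["uri"], params["nonce"],
                               params["nc"], params["cnonce"], body)
    return hmac.compare_digest(expected, params["response"])

# Constructed sample request from a conforming client.
BODY = b"field=value&other=1"
PARAMS = {"username": "alice", "realm": "example",
          "uri": "/cgi-bin/app/upload?x=1",  # exactly what the client signed
          "nonce": "constructed-nonce", "nc": "00000001",
          "cnonce": "constructed-cnonce"}
PARAMS["response"] = digest_response(
    "alice", "example", "secret", "POST", PARAMS["uri"],
    PARAMS["nonce"], PARAMS["nc"], PARAMS["cnonce"], BODY)

def buggy_response(uri: str, hash_body: bool) -> str:
    """What a server with one of the two defects would compute."""
    return digest_response("alice", "example", "secret", "POST", uri,
                           PARAMS["nonce"], PARAMS["nc"], PARAMS["cnonce"],
                           BODY, hash_body)

if __name__ == "__main__":
    print("conforming check passes:", verify(PARAMS, "secret", "POST", BODY))
    print("raw-body A2 matches:", buggy_response(PARAMS["uri"], False) == PARAMS["response"])
    print("SCRIPT_NAME+PATH_INFO matches:", buggy_response("/cgi-bin/app/upload", True) == PARAMS["response"])
```

With either defect the server computes a different response than a conforming client, so valid requests are rejected; with the corrected calculation a modified body fails verification.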