Closed cac04 closed 6 years ago
There are a couple of problems with kcgi's auth-int implementation:
First, it does not hash the body before including it in A2.
A2
RFC 2617 defines A2 like this:
If the "qop" value is "auth-int", then A2 is: A2 = Method ":" digest-uri-value ":" H(entity-body)
If the "qop" value is "auth-int", then A2 is:
A2 = Method ":" digest-uri-value ":" H(entity-body)
But child.c included entity-body directly in the calculation of H(A2) without hashing it first.
child.c
entity-body
H(A2)
Second, child.c used SCRIPT_NAME + PATH_INFO as digest-uri-value.
SCRIPT_NAME
PATH_INFO
digest-uri-value
That's wrong: it has to be the value of the uri auth param to ensure that it is the same string that the client used. See section 3.2.2.5 of RFC 2617.
uri
This commit also contains a regression test for qpop=auth-int
There are a couple of problems with kcgi's auth-int implementation:
First, it does not hash the body before including it in
A2.RFC 2617 defines A2 like this:
But
child.cincludedentity-bodydirectly in the calculation ofH(A2)without hashing it first.Second,
child.cusedSCRIPT_NAME+PATH_INFOasdigest-uri-value.That's wrong: it has to be the value of the
uriauth param to ensure that it is the same string that the client used. See section 3.2.2.5 of RFC 2617.This commit also contains a regression test for qpop=auth-int