Ticket #401 (closed defect: wontfix)

Opened 3 years ago

Last modified 8 months ago

authorization header parsing for digest authentication (intarweb)

Reported by: daishi Owned by: sjamaan
Priority: critical Milestone: 4.9.0
Component: extensions Version: 4.6.x
Keywords: spiffy intarweb Cc:

Description

nc param in the authorization header must be string.
Parsing it as number causes failing in digest authentication.

Attachments

patch.txt (0.9 kB) - added by daishi 3 years ago.
the patch is untested.

Change History

Changed 3 years ago by daishi

the patch is untested.

Changed 3 years ago by sjamaan

How are you using this? Are you writing an authentication server or using http-client?

Before applying this, I'd like to see some code that uses this in practice so I can see it working. Nonce count is fundamentally a number, so I don't see why it needs to be kept around in string form.

When generating or checking the digest value we can always convert it to a string (it's a string of 8 hexdigits), but its native "type" is number. The idea of the nonce count is you keep around the last value and compare it to the current number. Only if it is a higher number should the request be allowed (otherwise it's a reply attack). If it's kept around as a string, you'll need to convert it back to a number anyway.

Changed 3 years ago by sjamaan

  • owner set to sjamaan
  • status changed from new to accepted

Changed 3 years ago by daishi

I'm writing my server code, which does digest authentication. I've been using it for chicken3/http-server.
I know it's native type is integer, but the purpose is to authenticate, and for that we need 8LENHEX.

The code I am having as a workaround is:
(let ([user (header-param 'username 'authorization hdrs)]

[qop (header-param 'qop 'authorization hdrs)]
[nonce (header-param 'nonce 'authorization hdrs)]
[cnonce (header-param 'cnonce 'authorization hdrs)]
[nc (let* ([nc (header-param 'nc 'authorization hdrs)]

[nc-str (number->string nc 16)]
[len (- 8 (string-length nc-str))])

(string-append (make-string len #\0) nc-str))]

[uri (uri->string (header-param 'uri 'authorization hdrs))]
[response (header-param 'response 'authorization hdrs)])

(and user qop nonce cnonce nc uri response

(equal? response

(md5-digest

(string-append

(get-user user) ;;this is md5 value stored in the server side.
":"
nonce
":"
nc
":"
cnonce
":"
qop
":"
(md5-digest (string-append method ":" uri)))))))

So, I had to make nc back to 8LENHEX and uri to string.
I would assume its nature is a number but it has to be treated as a HEX string.

Changed 3 years ago by sjamaan

  • status changed from accepted to closed
  • resolution set to wontfix

You say its *purpose* is to authenticate, but its primary purpose is to prevent session *replay attacks*. For that, you need to compare the nonce count to earlier nonce count values, which is done numerically.

The fact that the nonce count is also put somewhere in the hash is to prevent an attacker from spoofing the nonce count's value.

I stick with my initial point: it's fundamentally a number, and treating it as a string in its native form is just wrong.

Changed 2 years ago by felix

  • milestone changed from 4.7.0 to 4.8.0

Milestone 4.7.0 deleted

Changed 8 months ago by felix

  • milestone changed from 4.8.0 to 4.9.0

Milestone 4.8.0 deleted

Note: See TracTickets for help on using tickets.