Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#401 closed defect (wontfix)

authorization header parsing for digest authentication (intarweb)

Reported by: daishi Owned by: sjamaan
Priority: critical Milestone: 4.9.0
Component: extensions Version: 4.6.x
Keywords: spiffy intarweb Cc:
Estimated difficulty:

Description

nc param in the authorization header must be string.
Parsing it as number causes failing in digest authentication.

Attachments (1)

patch.txt (947 bytes) - added by daishi 9 years ago.
the patch is untested.


Change History (7)

Changed 9 years ago by daishi

Attachment: patch.txt added

the patch is untested.

comment:1 Changed 9 years ago by sjamaan

How are you using this? Are you writing an authentication server or using http-client?

Before applying this, I'd like to see some code that uses this in practice so I can see it working. Nonce count is fundamentally a number, so I don't see why it needs to be kept around in string form.

When generating or checking the digest value we can always convert it to a string (it's a string of 8 hex digits), but its native "type" is number. The idea of the nonce count is you keep around the last value and compare it to the current number. Only if it is a higher number should the request be allowed (otherwise it's a replay attack). If it's kept around as a string, you'll need to convert it back to a number anyway.

comment:2 Changed 9 years ago by sjamaan

Owner: set to sjamaan
Status: new → accepted

comment:3 Changed 9 years ago by daishi

I'm writing my server code, which does digest authentication. I've been using it for chicken3/http-server.
I know its native type is integer, but the purpose is to authenticate, and for that we need 8LENHEX.

The code I am having as a workaround is:

    (let ([user (header-param 'username 'authorization hdrs)]
          [qop (header-param 'qop 'authorization hdrs)]
          [nonce (header-param 'nonce 'authorization hdrs)]
          [cnonce (header-param 'cnonce 'authorization hdrs)]
          ;; nc comes back as a number; turn it into the zero-padded
          ;; 8-digit hex string the digest is computed over.
          ;; The (and nc ...) guard keeps number->string from failing
          ;; when the param is absent, so the and-check below can catch it.
          [nc (let ([nc (header-param 'nc 'authorization hdrs)])
                (and nc
                     (let* ([nc-str (number->string nc 16)]
                            [len (- 8 (string-length nc-str))])
                       (string-append (make-string len #\0) nc-str))))]
          ;; uri is parsed into a uri object; the digest needs its string form.
          [uri (uri->string (header-param 'uri 'authorization hdrs))]
          [response (header-param 'response 'authorization hdrs)])
      (and user qop nonce cnonce nc uri response
           (equal? response
                   (md5-digest
                    (string-append
                     (get-user user) ;; this is the md5 value stored on the server side
                     ":"
                     nonce
                     ":"
                     nc
                     ":"
                     cnonce
                     ":"
                     qop
                     ":"
                     (md5-digest (string-append method ":" uri)))))))

So I had to turn nc back into 8LENHEX and uri into a string.
I would assume its nature is a number, but it has to be treated as a HEX string.

comment:4 Changed 9 years ago by sjamaan

Resolution: wontfix
Status: accepted → closed

You say its *purpose* is to authenticate, but its primary purpose is to prevent session *replay attacks*. For that, you need to compare the nonce count to earlier nonce count values, which is done numerically.

The fact that the nonce count is also put somewhere in the hash is to prevent an attacker from spoofing the nonce count's value.

I stick with my initial point: it's fundamentally a number, and treating it as a string in its native form is just wrong.
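To make the two views in this thread concrete, here is an added Python sketch (not intarweb's code and not the reporter's Scheme) of a server-side check that keeps nc numeric for the replay comparison and formats it as 8 hex digits only at hashing time; the user, realm, password and nonce values are constructed.

```python
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def nc_hex(nc: int) -> str:
    # The nonce count is a number, but RFC 2617 hashes it as exactly eight
    # lowercase hex digits (the ticket's "8LENHEX"); this is the conversion
    # the reporter's workaround does by hand with number->string and padding.
    return f"{nc:08x}"

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: int, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617, qop="auth": response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(":".join([ha1, nonce, nc_hex(nc), cnonce, qop, ha2]))

class DigestVerifier:
    """Server-side check: nc stays an int for the replay test and only
    becomes a hex string inside digest_response."""

    def __init__(self, users: dict):
        self.users = users   # username -> HA1 = MD5(user:realm:password), kept server side
        self.last_nc = {}    # nonce -> highest nc accepted for that nonce

    def verify(self, method: str, params: dict) -> bool:
        # params: fields of a parsed Authorization header; 'nc' is an int,
        # which is how intarweb's parser hands it over.
        ha1 = self.users.get(params["username"])
        if ha1 is None:
            return False
        nonce, nc = params["nonce"], params["nc"]
        # Replay test: numeric comparison, accept only a strictly higher count.
        if nc <= self.last_nc.get(nonce, 0):
            return False
        expected = digest_response(ha1, method, params["uri"], nonce, nc,
                                   params["cnonce"], params["qop"])
        # nc is covered by the hash, so a forged count changes the response.
        if not hmac.compare_digest(expected, params["response"]):
            return False
        self.last_nc[nonce] = nc
        return True

# Constructed sample values (not taken from the ticket).
USERS = {"alice": md5_hex("alice:example:secret")}
NONCE = "6f1c2a9e-constructed-nonce"
```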

comment:5 Changed 9 years ago by felix winkelmann

Milestone: 4.7.0 → 4.8.0

Milestone 4.7.0 deleted

comment:6 Changed 7 years ago by felix winkelmann

Milestone: 4.8.0 → 4.9.0

Milestone 4.8.0 deleted
