#401 closed defect (wontfix)
authorization header parsing for digest authentication (intarweb)
Reported by: | daishi | Owned by: | sjamaan |
---|---|---|---|
Priority: | critical | Milestone: | 4.9.0 |
Component: | extensions | Version: | 4.6.x |
Keywords: | spiffy intarweb | Cc: | |
Estimated difficulty: | | | |
Description
The nc param in the authorization header must be a string.
Parsing it as a number causes digest authentication to fail.
Attachments (1)
Change History (7)
comment:1 Changed 14 years ago by
How are you using this? Are you writing an authentication server or using http-client?
Before applying this, I'd like to see some code that uses this in practice so I can see it working. Nonce count is fundamentally a number, so I don't see why it needs to be kept around in string form.
When generating or checking the digest value we can always convert it to a string (it's a string of 8 hexdigits), but its native "type" is number. The idea of the nonce count is you keep around the last value and compare it to the current number. Only if it is a higher number should the request be allowed (otherwise it's a replay attack). If it's kept around as a string, you'll need to convert it back to a number anyway.
comment:2 Changed 14 years ago by
Owner: | set to sjamaan |
---|---|
Status: | new → accepted |
comment:3 Changed 14 years ago by
I'm writing my server code, which does digest authentication. I've been using it for chicken3/http-server.
I know its native type is integer, but the purpose is to authenticate, and for that we need 8LENHEX.
The code I am having as a workaround is:
```scheme
(let ([user (header-param 'username 'authorization hdrs)]
      [qop (header-param 'qop 'authorization hdrs)]
      [nonce (header-param 'nonce 'authorization hdrs)]
      [cnonce (header-param 'cnonce 'authorization hdrs)]
      ;; intarweb hands nc back as a number; pad it back out to 8 hex digits
      [nc (let* ([nc (header-param 'nc 'authorization hdrs)]
                 [nc-str (number->string nc 16)]
                 [len (- 8 (string-length nc-str))])
            (string-append (make-string len #\0) nc-str))]
      ;; uri is parsed into a uri object; the digest needs the original string
      [uri (uri->string (header-param 'uri 'authorization hdrs))]
      [response (header-param 'response 'authorization hdrs)])
  (and user qop nonce cnonce nc uri response
       (equal? response
               (md5-digest
                (string-append
                 (get-user user) ;; this is the md5 value stored on the server side
                 ":" nonce
                 ":" nc
                 ":" cnonce
                 ":" qop
                 ":" (md5-digest (string-append method ":" uri)))))))
```
So, I had to make nc back to 8LENHEX and uri to string.
I would assume its nature is a number but it has to be treated as a HEX string.
comment:4 Changed 14 years ago by
Resolution: | → wontfix |
---|---|
Status: | accepted → closed |
You say its *purpose* is to authenticate, but its primary purpose is to prevent session *replay attacks*. For that, you need to compare the nonce count to earlier nonce count values, which is done numerically.
The fact that the nonce count is also put somewhere in the hash is to prevent an attacker from spoofing the nonce count's value.
I stick with my initial point: it's fundamentally a number, and treating it as a string in its native form is just wrong.
The patch is untested.
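Both sides of the thread in one place, as an added example in Python (not code from intarweb or from the reporter): the nc value enters the digest exactly as the 8-hex-digit string sent on the wire, while the replay check compares it numerically. The realm, credentials, nonce values and the `last_nc` bookkeeping are constructed for the example.

```python
import hashlib

HEX = set("0123456789abcdefABCDEF")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def expected_response(ha1, method, uri, nonce, nc_str, cnonce, qop):
    # RFC 2617 response for qop=auth: nc is hashed as the 8 hex digits on the wire
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc_str}:{cnonce}:{qop}:{ha2}")


def nc_to_string(nc_num: int) -> str:
    # The workaround from comment 3: a parsed number padded back to 8LENHEX
    return f"{nc_num:08x}"


def client_params(ha1, method, uri, nonce, nc_num, cnonce, qop="auth"):
    # What a client sends (constructed here); nc goes on the wire as padded hex
    nc_str = nc_to_string(nc_num)
    return {"uri": uri, "nonce": nonce, "nc": nc_str, "cnonce": cnonce, "qop": qop,
            "response": expected_response(ha1, method, uri, nonce, nc_str, cnonce, qop)}


def check_digest(params, method, ha1, last_nc):
    """Server side. Returns (accepted, nc value to remember for the next request)."""
    nc_str = params["nc"]
    if len(nc_str) != 8 or not set(nc_str) <= HEX:
        return False, last_nc
    nc_num = int(nc_str, 16)
    if nc_num <= last_nc:           # replay check is numeric (comments 1 and 4)
        return False, last_nc
    want = expected_response(ha1, method, params["uri"], params["nonce"],
                             nc_str, params["cnonce"], params["qop"])
    if want != params["response"]:  # hash check needs the exact string form (comment 3)
        return False, last_nc
    return True, nc_num


if __name__ == "__main__":
    ha1 = md5_hex("alice:intarweb:secret")   # constructed HA1 = md5(user:realm:password)
    req = client_params(ha1, "GET", "/private", "dcd98b7102dd2f0e", 26, "0a4f113b")
    print(check_digest(req, "GET", ha1, last_nc=25))   # (True, 26)
    print(check_digest(req, "GET", ha1, last_nc=26))   # (False, 26): replayed nc
    # Re-serialising the parsed number without padding ("1a") no longer matches:
    print(expected_response(ha1, "GET", "/private", "dcd98b7102dd2f0e",
                            "1a", "0a4f113b", "auth") == req["response"])  # False
```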