Digest Access Authentication probably broken

Moin,

I've been playing around with Amaya 7.2 under Gentoo Linux with kernel
2.4.20 and Digest Access Authentication. But as soon as the server
started sending qop="auth, auth-int" in it's WWW-Authenticate response
header, Amaya was unable to authenticate any longer while Mozilla worked
fine.

By modifying the server code I found that Amaya uses "auth, auth-int"
(without the quotes of course) as value for unq(qop-value) in the
calculation of the request-digest (RFC 2617, section 3.2.2.1), while RFC
2617 clearly states that it "... MUST be one of the alternatives the
server indicated it supports in the WWW-Authenticate header. [...] Note
that this is a single token, not a quoted list of alternatives as in
WWW-Authenticate." (section 3.2.2)

So, if I'm not mistaken this is a bug in Amaya, isn't it?


Appendix: abbreviated trace of the whole process:

| GET /~henryk/digestauthtest.php HTTP/1.1
| Host: gleam.homeip.net
| User-Agent: amaya/7.2 libwww/5.4.0

| HTTP/1.1 401 Authorization Required
| Date: Sat, 29 Mar 2003 05:15:27 GMT
| Server: Apache/1.3.27 (Unix)  (Gentoo/Linux) PHP/4.3.1
| WWW-Authenticate: Digest realm="Privatbereich", algorithm=MD5,
|  qop="auth", nonce="1048914927;01b735bc99b9a649b0aaba92c80b397b"

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048914927;01b735bc99b9a649b0aaba92c80b397b",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000001,
|  cnonce="012345678", response=f2c608b80ce93b01d917f868fc22440f

| HTTP/1.1 200 OK
| Date: Sat, 29 Mar 2003 05:15:27 GMT

(So username/password are okay, now modify the qop-options and wait some
time for the nonce to become stale)

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048914927;01b735bc99b9a649b0aaba92c80b397b",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000004,
|  cnonce="012345678", response=db3d2bb738528b8202bf9ad2924bfe4f

| HTTP/1.1 401 Authorization Required
| Date: Sat, 29 Mar 2003 05:17:01 GMT
| WWW-Authenticate: Digest realm="Privatbereich", stale=true,
|  algorithm=MD5, qop="auth, auth-int",
|  nonce="1048915021;27b59a639ad37173b20f6d64a5f6b040"

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048915021;27b59a639ad37173b20f6d64a5f6b040",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000001,
|  cnonce="012345678", response=0159180556a57ae1c191a75d8198d117

| HTTP/1.1 401 Authorization Required
| Date: Sat, 29 Mar 2003 05:17:01 GMT
| WWW-Authenticate: Digest realm="Privatbereich", algorithm=MD5,
|  qop="auth, auth-int",
|  nonce="1048915021;27b59a639ad37173b20f6d64a5f6b040"

(Now modify the server to too use "auth, auth-int" in the request
digest calculation)

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048916207;a55a349d45382773f7451e12190679c6",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000001,
|  cnonce="012345678", response=915adaab5d6de34418915e3ac607a9ab

| HTTP/1.1 200 OK
| Date: Sat, 29 Mar 2003 05:36:47 GMT

-- 
Henryk Plötz
Grüße von der Ostsee

Help Microsoft combat software piracy: Give Linux to a friend today!

Received on Saturday, 29 March 2003 00:49:20 UTC