Digest Access Authentication probably broken from Henryk Plötz on 2003-03-29 (www-amaya@w3.org from January to March 2003)

From: Henryk Plötz <henryk@ploetzli.ch>
Date: Sat, 29 Mar 2003 06:49:38 +0100
To: www-amaya@w3.org
Message-Id: <20030329064938.6fc99a79.henryk@ploetzli.ch>
Moin,

I've been playing around with Amaya 7.2 under Gentoo Linux with kernel
2.4.20 and Digest Access Authentication. But as soon as the server
started sending qop="auth, auth-int" in it's WWW-Authenticate response
header, Amaya was unable to authenticate any longer while Mozilla worked
fine.

By modifying the server code I found that Amaya uses "auth, auth-int"
(without the quotes of course) as value for unq(qop-value) in the
calculation of the request-digest (RFC 2617, section 3.2.2.1), while RFC
2617 clearly states that it "... MUST be one of the alternatives the
server indicated it supports in the WWW-Authenticate header. [...] Note
that this is a single token, not a quoted list of alternatives as in
WWW-Authenticate." (section 3.2.2)

So, if I'm not mistaken this is a bug in Amaya, isn't it?


Appendix: abbreviated trace of the whole process:

| GET /~henryk/digestauthtest.php HTTP/1.1
| Host: gleam.homeip.net
| User-Agent: amaya/7.2 libwww/5.4.0

| HTTP/1.1 401 Authorization Required
| Date: Sat, 29 Mar 2003 05:15:27 GMT
| Server: Apache/1.3.27 (Unix)  (Gentoo/Linux) PHP/4.3.1
| WWW-Authenticate: Digest realm="Privatbereich", algorithm=MD5,
|  qop="auth", nonce="1048914927;01b735bc99b9a649b0aaba92c80b397b"

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048914927;01b735bc99b9a649b0aaba92c80b397b",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000001,
|  cnonce="012345678", response=f2c608b80ce93b01d917f868fc22440f

| HTTP/1.1 200 OK
| Date: Sat, 29 Mar 2003 05:15:27 GMT

(So username/password are okay, now modify the qop-options and wait some
time for the nonce to become stale)

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048914927;01b735bc99b9a649b0aaba92c80b397b",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000004,
|  cnonce="012345678", response=db3d2bb738528b8202bf9ad2924bfe4f

| HTTP/1.1 401 Authorization Required
| Date: Sat, 29 Mar 2003 05:17:01 GMT
| WWW-Authenticate: Digest realm="Privatbereich", stale=true,
|  algorithm=MD5, qop="auth, auth-int",
|  nonce="1048915021;27b59a639ad37173b20f6d64a5f6b040"

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048915021;27b59a639ad37173b20f6d64a5f6b040",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000001,
|  cnonce="012345678", response=0159180556a57ae1c191a75d8198d117

| HTTP/1.1 401 Authorization Required
| Date: Sat, 29 Mar 2003 05:17:01 GMT
| WWW-Authenticate: Digest realm="Privatbereich", algorithm=MD5,
|  qop="auth, auth-int",
|  nonce="1048915021;27b59a639ad37173b20f6d64a5f6b040"

(Now modify the server to too use "auth, auth-int" in the request
digest calculation)

| GET /~henryk/digestauthtest.php HTTP/1.1
| Authorization: Digest username="fubar", realm="Privatbereich",
|  nonce="1048916207;a55a349d45382773f7451e12190679c6",
|  uri="/~henryk/digestauthtest.php", qop=auth, nc=00000001,
|  cnonce="012345678", response=915adaab5d6de34418915e3ac607a9ab

| HTTP/1.1 200 OK
| Date: Sat, 29 Mar 2003 05:36:47 GMT

-- 
Henryk Plötz
Grüße von der Ostsee

Help Microsoft combat software piracy: Give Linux to a friend today!
Received on Saturday, 29 March 2003 00:49:20 UTC