"WWW-Authenticate" header generated by Auth::Digest::MD5 is wrong (RFC 2617 BNF) [includes patch]


Iñaki Baz Castillo

Dec 18, 2009, 2:44:59 PM12/18/09
to rack-...@googlegroups.com
Hi, Rack::Auth::Digest::MD5 generates "WWW-Authenticate" like this:

WWW-Authenticate: Digest realm="domain.org",
nonce="MTI2MTE2NDI0OCAxMzE5MmUwMjQ5NmRmMjliZTU5NTFjNTc1NTg5OThlNQ==",
opaque="acc85fcea72cd0e4032763ed0c565dbc", qop=auth

The 'qop' field is wrong as it must appear enclosed in double quotation
marks ("). This is because the 'qop' parameter could contain more than one
value separated by spaces.

On the other hand, the "WWW-Authorization" header sent by the client also
contains a 'qop' parameter, but it must not enclose the value in double
quotation marks as it just allows a single value.


RFC 2617 (Digest) clearly says that the 'qop' value(s) must be enclosed in ":

3.2.1 The WWW-Authenticate Response Header

challenge = "Digest" digest-challenge

digest-challenge = 1#( realm | [ domain ] | nonce |
[ opaque ] |[ stale ] | [ algorithm ] |
[ qop-options ] | [auth-param] )


domain = "domain" "=" <"> URI ( 1*SP URI ) <">
URI = absoluteURI | abs_path
nonce = "nonce" "=" nonce-value
nonce-value = quoted-string
opaque = "opaque" "=" quoted-string
stale = "stale" "=" ( "true" | "false" )
algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" |
token )
qop-options = "qop" "=" <"> 1#qop-value <">
qop-value = "auth" | "auth-int" | token


Note that 'qop-options' is:

qop-options = "qop" "=" <"> 1#qop-value <">


I attach a patch which fixes it (taken from Rack 1.0.1).

On the other hand, the "WWW-Authorization" header sent by the client has a
different format for the 'qop' parameter (with no quotation marks and a single value):

3.2.2 The Authorization Request Header

credentials = "Digest" digest-response
digest-response = 1#( username | realm | nonce | digest-uri
| response | [ algorithm ] | [cnonce] |
[opaque] | [message-qop] |
[nonce-count] | [auth-param] )

username = "username" "=" username-value
username-value = quoted-string
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1
message-qop = "qop" "=" qop-value
cnonce = "cnonce" "=" cnonce-value
cnonce-value = nonce-value
nonce-count = "nc" "=" nc-value
nc-value = 8LHEX
response = "response" "=" request-digest
request-digest = <"> 32LHEX <">
LHEX = "0" | "1" | "2" | "3" |
"4" | "5" | "6" | "7" |
"8" | "9" | "a" | "b" |
"c" | "d" | "e" | "f"


Note that 'message-qop' is:

message-qop = "qop" "=" qop-value

and 'qop-value' is defined in section 3.2.1 as:

qop-value = "auth" | "auth-int" | token

so it must appear without quotation.

BTW, is there a bug tracker for the Rack project, or is this mailing list the
appropriate place to report bugs?

Regards.

--
Iñaki Baz Castillo <i...@aliax.net>

auth_digest_params.rb.diff
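The two header shapes described in this post, as an added example (not Rack's code and not the attached patch): a challenge builder that emits qop as a quoted, space-separated list per section 3.2.1, and a parser that accepts both quoted-string and bare-token parameter values, so it reads the unquoted message-qop of section 3.2.2 from a client. The realm, nonce and opaque values in digest_challenge's usage are constructed; the Authorization header and password used to check the response are the worked example from RFC 2617 section 3.5 (the RFC's own example also sends qop=auth unquoted). The function names are this example's own.

```ruby
require 'digest/md5'

# Build the WWW-Authenticate challenge (RFC 2617 3.2.1). qop is quoted even
# for a single value, because qop-options = "qop" "=" <"> 1#qop-value <">.
# stale and algorithm are bare tokens in the BNF and are emitted unquoted.
def digest_challenge(realm:, nonce:, opaque:, qop: %w[auth], stale: false)
  params = []
  params << %(realm="#{realm}")
  params << %(nonce="#{nonce}")
  params << %(opaque="#{opaque}")
  params << %(qop="#{qop.join(' ')}")
  params << 'stale=true' if stale
  params << 'algorithm=MD5'
  'Digest ' + params.join(', ')
end

# One key=value pair: either a quoted-string (backslash escapes allowed)
# or a bare token ending at whitespace or a comma.
DIGEST_PARAM_RE = /([A-Za-z0-9_\-]+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/

# Parse "Digest k1="v1", k2=v2, ..." from either header into a Hash.
# Works for the challenge (quoted qop list) and for the client's
# Authorization header (unquoted single qop, unquoted nc).
def parse_digest_params(header)
  raise ArgumentError, 'not a Digest header' unless header =~ /\ADigest\s+/i
  body = header.sub(/\ADigest\s+/i, '')
  body.scan(DIGEST_PARAM_RE).each_with_object({}) do |(key, quoted, token), h|
    h[key.downcase] = quoted ? quoted.gsub(/\\(.)/, '\1') : token
  end
end

# The client's message-qop must be one of the qop-values we offered;
# the offered list is the space-separated string inside the quotes.
def qop_offered?(challenge_qop, client_qop)
  challenge_qop.split(' ').include?(client_qop)
end

# request-digest for qop=auth with MD5 (RFC 2617 3.2.2.1).
def expected_response(username:, realm:, password:, http_method:, uri:,
                      nonce:, nc:, cnonce:, qop:)
  ha1 = Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{http_method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}")
end

# Constant-time string comparison so response checking does not leak
# how many leading hex digits matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a parsed Authorization header against the challenge we issued
# and the user's password (lookup of the password is left to the caller).
def verify_authorization(challenge_params, auth_params, password:, http_method:)
  return false unless auth_params['nonce'] == challenge_params['nonce']
  return false unless qop_offered?(challenge_params['qop'], auth_params['qop'].to_s)
  want = expected_response(username: auth_params['username'],
                           realm: auth_params['realm'],
                           password: password,
                           http_method: http_method,
                           uri: auth_params['uri'],
                           nonce: auth_params['nonce'],
                           nc: auth_params['nc'],
                           cnonce: auth_params['cnonce'],
                           qop: auth_params['qop'])
  secure_equal?(want, auth_params['response'].to_s)
end

# Worked example from RFC 2617 section 3.5 (password "Circle Of Life").
RFC2617_CHALLENGE = 'Digest realm="testrealm@host.com", qop="auth,auth-int", ' \
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' \
  'opaque="5ccc069c403ebaf9f0171e9517f40e41"'.freeze
RFC2617_AUTHORIZATION = 'Digest username="Mufasa", realm="testrealm@host.com", ' \
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", ' \
  'qop=auth, nc=00000001, cnonce="0a4f113b", ' \
  'response="6629fae49393a05397450978507c4ef1", ' \
  'opaque="5ccc069c403ebaf9f0171e9517f40e41"'.freeze

if __FILE__ == $PROGRAM_NAME
  puts digest_challenge(realm: 'domain.org', nonce: 'constructed-nonce',
                        opaque: 'constructed-opaque', qop: %w[auth auth-int])
  ch = parse_digest_params(RFC2617_CHALLENGE)
  au = parse_digest_params(RFC2617_AUTHORIZATION)
  puts "client qop=#{au['qop'].inspect}, offered=#{ch['qop'].inspect}"
  puts verify_authorization(ch.merge('qop' => 'auth auth-int'), au,
                            password: 'Circle Of Life', http_method: 'GET')
end
```

Note that the RFC's own challenge example separates the qop values with a comma rather than a space; qop_offered? above splits on spaces, matching the 1*SP form the post quotes, so a comma-separated list would need to be normalised first (the usage block does this by substituting the space-separated form).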

Scytrin dai Kinthra

Dec 18, 2009, 5:00:50 PM12/18/09
to rack-...@googlegroups.com

The official bug and ticketing system is referred to in the rubydocs. It used to be rack-devel but is now on lighthouse.
