#83 ✓resolved
Iñaki Baz Castillo

"WWW-Authenticate" header generated by Auth::Digest::MD5 is wrong (RFC 2617 BNF) [includes patch]

Reported by Iñaki Baz Castillo | December 18th, 2009 @ 11:17 PM

Rack::Auth::Digest::MD5 generates "WWW-Authenticate" like this:

  WWW-Authenticate: Digest realm="domain.org",
    nonce="MTI2MTE2NDI0OCAxMzE5MmUwMjQ5NmRmMjliZTU5NTFjNTc1NTg5OThlNQ==",
    opaque="acc85fcea72cd0e4032763ed0c565dbc", qop=auth

The 'qop' field is wrong, as it must appear enclosed in double quotation
marks ("). This is because the 'qop' parameter could contain more than one value separated by a space.

On the other hand, the "WWW-Authorization" header sent by the client also
contains a 'qop' parameter, but it must not enclose the value in double
quotation marks, as it allows just a single value.

RFC 2617 (Digest) clearly says that the 'qop' value(s) must be enclosed in ":

3.2.1 The WWW-Authenticate Response Header

  challenge        =  "Digest" digest-challenge

  digest-challenge  = 1#( realm | [ domain ] | nonce |
                      [ opaque ] |[ stale ] | [ algorithm ] |
                      [ qop-options ] | [auth-param] )


  domain            = "domain" "=" <"> URI ( 1*SP URI ) <">
  URI               = absoluteURI | abs_path
  nonce             = "nonce" "=" nonce-value
  nonce-value       = quoted-string
  opaque            = "opaque" "=" quoted-string
  stale             = "stale" "=" ( "true" | "false" )
  algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" |
                       token )
  qop-options       = "qop" "=" <"> 1#qop-value <">
  qop-value         = "auth" | "auth-int" | token

Note that 'qop-options' is:

qop-options = "qop" "=" <"> 1#qop-value <">

I attach a patch which fixes it (taken from Rack 1.0.1).

On the other hand, the "WWW-Authorization" header sent by the client has a
different format for the 'qop' parameter (no quotation marks and a single value):

3.2.2 The Authorization Request Header

   credentials      = "Digest" digest-response
   digest-response  = 1#( username | realm | nonce | digest-uri
                   | response | [ algorithm ] | [cnonce] |
                   [opaque] | [message-qop] |
                       [nonce-count]  | [auth-param] )

   username         = "username" "=" username-value
   username-value   = quoted-string
   digest-uri       = "uri" "=" digest-uri-value
   digest-uri-value = request-uri   ; As specified by HTTP/1.1
   message-qop      = "qop" "=" qop-value
   cnonce           = "cnonce" "=" cnonce-value
   cnonce-value     = nonce-value
   nonce-count      = "nc" "=" nc-value
   nc-value         = 8LHEX
   response         = "response" "=" request-digest
   request-digest = <"> 32LHEX <">
   LHEX             =  "0" | "1" | "2" | "3" |
                       "4" | "5" | "6" | "7" |
                       "8" | "9" | "a" | "b" |
                       "c" | "d" | "e" | "f"

Note that 'message-qop' is:

message-qop = "qop" "=" qop-value

and 'qop-value' is defined in section 3.2.1 as:

qop-value = "auth" | "auth-int" | token

so it must appear without quotation marks.
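The two header formats side by side, as an added example that is not part of the ticket, the attached patch, or Rack's own code: a server-side challenge builder that emits qop-options as a quoted, comma-separated list (the 1#qop-value form from RFC 2617 3.2.1), a client-side Authorization builder that leaves qop and nc as bare tokens (3.2.2), and a parser that accepts either a quoted-string or a token for every directive, since real clients are inconsistent about quoting. All function names (build_challenge, build_authorization, parse_digest_params, verify_digest) are made up for this example. The test vector is the worked example from RFC 2617 section 3.5 (user "Mufasa", password "Circle Of Life"); the nonce and opaque values used in the stand-alone demo are constructed.

```ruby
require 'digest/md5'

# Added example (not Rack's code). Directives that RFC 2617 3.2.2 defines as
# bare tokens in the client's digest-response; everything else is a quoted-string.
TOKEN_DIRECTIVES = %w[qop nc algorithm stale].freeze

# Authorization header quoted verbatim from RFC 2617 section 3.5.
RFC2617_EXAMPLE = 'Digest username="Mufasa", realm="testrealm@host.com", ' \
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, ' \
  'nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", ' \
  'opaque="5ccc069c403ebaf9f0171e9517f40e41"'

# quoted-string: wrap in <"> and backslash-escape embedded quotes/backslashes.
def quote_string(value)
  '"' + value.to_s.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# Server side. qop-options = "qop" "=" <"> 1#qop-value <">
# The 1# list is comma-separated, so several qop values share one quoted string.
def build_challenge(realm:, nonce:, opaque: nil, qop: %w[auth], stale: false)
  parts = ["realm=#{quote_string(realm)}", "nonce=#{quote_string(nonce)}"]
  parts << "opaque=#{quote_string(opaque)}" if opaque
  parts << "qop=#{quote_string(qop.join(','))}" unless qop.empty?
  parts << 'stale=true' if stale
  'Digest ' + parts.join(', ')
end

# Client side. message-qop = "qop" "=" qop-value and nc-value = 8LHEX are
# tokens, so they are emitted without quotes; the rest are quoted-strings.
def build_authorization(params)
  'Digest ' + params.map { |k, v|
    k = k.to_s
    TOKEN_DIRECTIVES.include?(k) ? "#{k}=#{v}" : "#{k}=#{quote_string(v)}"
  }.join(', ')
end

# Lenient parser: each directive is name "=" ( quoted-string | token ).
# Backslash escapes inside quoted-strings are unescaped.
def parse_digest_params(header)
  raise ArgumentError, 'not a Digest header' unless header =~ /\ADigest\s+/i
  params = {}
  body = header.sub(/\ADigest\s+/i, '')
  body.scan(/([\w-]+)\s*=\s*(?:"((?:\\.|[^"\\])*)"|([^\s,"]+))/) do |key, quoted, token|
    params[key.downcase] = quoted ? quoted.gsub(/\\(.)/, '\1') : token
  end
  params
end

# request-digest per RFC 2617 3.2.2.1, with and without qop.
def expected_response(p, method, password)
  ha1 = Digest::MD5.hexdigest("#{p['username']}:#{p['realm']}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{p['uri']}")
  if p['qop']
    Digest::MD5.hexdigest([ha1, p['nonce'], p['nc'], p['cnonce'], p['qop'], ha2].join(':'))
  else
    Digest::MD5.hexdigest([ha1, p['nonce'], ha2].join(':'))
  end
end

# Verifies a client Authorization header. Rejects a qop the server did not
# offer and a malformed nc, then compares digests in constant time.
def verify_digest(authorization, method:, password:, offered_qop: %w[auth])
  p = parse_digest_params(authorization)
  return false if p['qop'] && !offered_qop.include?(p['qop'])
  return false unless p['nc'].nil? || p['nc'] =~ /\A[0-9a-f]{8}\z/
  given = p['response'].to_s
  want = expected_response(p, method, password)
  given.bytesize == want.bytesize && given.bytes.zip(want.bytes).sum { |a, b| a ^ b }.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo values (not from the ticket or the RFC).
  puts 'WWW-Authenticate: ' +
    build_challenge(realm: 'domain.org', nonce: 'n0nce', opaque: 'op4que', qop: %w[auth auth-int])
  puts 'Authorization: ' +
    build_authorization(username: 'alice', realm: 'domain.org', nonce: 'n0nce', uri: '/',
                        qop: 'auth', nc: '00000001', cnonce: 'c0ffee', response: 'placeholder')
  puts "RFC 2617 3.5 vector verifies: #{verify_digest(RFC2617_EXAMPLE, method: 'GET', password: 'Circle Of Life')}"
end
```

Note the asymmetry the ticket is about: the challenge writes `qop="auth,auth-int"` (one quoted list), while the client writes `qop=auth, nc=00000001` (bare tokens). The parser deliberately tolerates a quoted `qop="auth"` from the client as well, because a server that is strict here will lock out clients that over-quote; the strictness that matters for security is in verify_digest, which refuses any qop the server never offered and checks the nc format before it is fed into the digest.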
