auth: compute user:realm:pass digest w/o userhash #8066
I am looking for feedback before I update the curl digest calculations in the curl HTTP Digest auth tests with
https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4
... the client MUST calculate a hash of the username after
any other hash calculation ...
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
130466a to c8d08a3
I updated tests to make this PR complete. The hashes in the previous code matched |
To be clear, the existing code calculates HA1 as H( userhash ":" realm ":" password ) and I believe that HA1 should be calculated as H( username ":" realm ":" password ), the same as with |
Manually calculating the |
Looks correct to me!
RFC7616 HTTP Digest username* and userhash support (if configured)

userhash support must be configured to enable:
  auth.require = ( "/" => ( "userhash" => "enable", ... ) )
and one of
  auth.backend = "htdigest"  # mod_authn_file
or
  auth.backend = "dbi"       # mod_authn_dbi
and appropriate modification to add userhash into htdigest or db table
along with adding "sql-userhash" => "..." SQL query for mod_authn_dbi

Note: open issue with curl preventing userhash from working with curl: curl/curl#8066
Thanks!
I am implementing HTTP Digest Auth userhash support in lighttpd and I read RFC 7616 Section 3.4.4 differently from how it is currently implemented in cURL from 2b5b37c. The patch in this PR works with my development version of lighttpd, and I am looking for confirmation on whether or not this is an issue in curl, or if I have misunderstood RFC 7616 Section 3.4.4. Thanks.
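The two HA1 readings discussed in this thread, side by side, as an added example (not code from curl, lighttpd, or the PR). It assumes SHA-256 and qop=auth; the credentials, nonce values, and the in-memory `store` keyed by userhash are constructed for illustration, and all function names are hypothetical.

```python
import hashlib
import hmac

def H(data: str) -> str:
    """Hex SHA-256 of a string (RFC 7616 H() for algorithm=SHA-256)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def userhash(username: str, realm: str) -> str:
    # RFC 7616 section 3.4.4: value sent in the username field when userhash=true
    return H(f"{username}:{realm}")

def ha1(username: str, realm: str, password: str) -> str:
    # Reading proposed in the PR: HA1 uses the plain username
    return H(f"{username}:{realm}:{password}")

def ha1_from_userhash(username: str, realm: str, password: str) -> str:
    # Reading the PR describes as the existing behaviour: userhash fed into HA1
    return H(f"{userhash(username, realm)}:{realm}:{password}")

def response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(store, sent_username, sent_response, method, uri, nonce, nc, cnonce):
    """Look up the stored HA1 by the userhash the client sent, then compare."""
    stored_ha1 = store.get(sent_username)
    if stored_ha1 is None:
        return False
    expected = response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, sent_response)

def demo():
    # Constructed sample values, not taken from the page or from any test suite
    user, realm, pw = "alice", "example-realm", "correct horse"
    req = dict(method="GET", uri="/private/", nonce="c0nstructedN0nce",
               nc="00000001", cnonce="c0nstructedCn0nce")
    # Server side: htdigest-style entry with userhash added, HA1 from plain username
    store = {userhash(user, realm): ha1(user, realm, pw)}
    good = response(ha1(user, realm, pw), **req)
    bad = response(ha1_from_userhash(user, realm, pw), **req)
    sent_user = userhash(user, realm)
    return (server_verify(store, sent_user, good, **req),
            server_verify(store, sent_user, bad, **req))

if __name__ == "__main__":
    print(demo())
```

A server that stores H(username:realm:password) accepts only the first client; the second fails even though both send the same userhash in the username field.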