auth: compute user:realm:pass digest w/o userhash #8066
Conversation
|
I am looking for feedback before I update the curl digest calculations in the curl HTTP Digest auth tests with |
https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4 ... the client MUST calculate a hash of the username after any other hash calculation ... Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
gstrauss
force-pushed
the
userhash-digest
branch
from
130466a
to
c8d08a3
Compare
|
I updated tests to make this PR complete. The hashes in the previous code matched |
|
To be clear, the existing code calculates HA1 as H( userhash ":" realm ":" password ) and I believe that HA1 should be calculated as H( username ":" realm ":" password ), the same as with |
|
Manually calculating the |
RFC7616 HTTP Digest username* and userhash support (if configured)
userhash support must be configured to enable:
auth.require = ( "/" => ( "userhash" => "enable", ... ) )
and one of
auth.backend = "htdigest" # mod_authn_file
or
auth.backend = "dbi" # mod_authn_dbi
and appropriate modification to add userhash into htdigest or db table
along with adding "sql-userhash" => "..." SQL query for mod_authn_dbi
Note: open issue with curl preventing userhash from working with curl:
curl/curl#8066
|
Thanks! |
RFC7616 HTTP Digest username* and userhash support (if configured)
userhash support must be configured to enable:
auth.require = ( "/" => ( "userhash" => "enable", ... ) )
and one of
auth.backend = "htdigest" # mod_authn_file
or
auth.backend = "dbi" # mod_authn_dbi
and appropriate modification to add userhash into htdigest or db table
along with adding "sql-userhash" => "..." SQL query for mod_authn_dbi
Note: open issue with curl preventing userhash from working with curl:
curl/curl#8066
auth: compute user:realm:pass digest w/o userhash
https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4
... the client MUST calculate a hash of the username after
any other hash calculation ...
Signed-off-by: Glenn Strauss gstrauss@gluelogic.com
I am implementing HTTP Digest Auth userhash support in lighttpd and I read RFC 7616 Section 3.4.4 differently from how it is currently implemented in cURL from 2b5b37c. The patch in this PR works with my development version of lighttpd, and I am looking for confirmation on whether or not this is an issue in curl, or if I have misunderstood RFC 7616 Section 3.4.4. Thanks.