[Dillo-dev] http authentication: http digest
Justus Winter
4winter at informatik.uni-hamburg.de
Mon Mar 23 00:40:59 CET 2009
Hey folks :)
attached is a patch that implements http digest authentication. Some
thoughts:
* add-md5.patch adds md5.{c,h}, a BSD licensed md5 implementation by
L. Peter Deutsch from [0]
* the digest logic resides in digest.c
* I adapted a lot of challenge parsing code from Jeremy's basic auth
to better suit my needs, sorry for the big patch, but this reduces
code duplication (even mailman thinks the patch is too big >,<)
* rfc2617 is a bit fuzzy about the quoted strings in the challenge.
strings are enclosed in double quotes, but it is not specified
(or I overlooked it..) how double quotes within this string
should be escaped. I intuitively escaped them with a \, and
apache2 plays along nicely. So does my code. Funny thing is,
neither one of the major browsers (I tested ff, epiphany, opera,
konqueror, ie6) can cope with realms containing quotes...
Am I missing something here?
* http digest can provide integrity protection for the request body
by computing a hash over the request body, but I have no pointer to
the request body, only the request URL. We might need to pass the
whole request object (is there such a thing?) to the auth code instead
of just the url. The code is there, just the pointer is missing. The
code in auth.c will select the method without integrity protection for
now, hoping that the server will accept both auth and auth-int.
* there is a memory leak (well, at least one that I am aware of) in
a_Auth_get_auth_str (grep 'this leaks memory' auth.c). This function
is called for each request dillo makes to a host using http auth. For
basic authentication the challenge response is always the same, so a
reference to that string is stored in the realm and it is freed with
its destruction.
For digest authentication a different response is needed for each
request (the request uri and a nonce_counter need to be updated),
so a new string has to be generated for each request. This should be
easily fixable, but I didn't look into that yet (need to touch the
callers code).
That's it :) feedback is welcome!
Justus
0: http://sourceforge.net/project/showfiles.php?group_id=42360
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add-md5.patch.gz
Type: application/x-gzip
Size: 5103 bytes
Desc: not available
Url : /pipermail/attachments/20090323/6db48818/add-md5.patch-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-digest.patch.gz
Type: application/x-gzip
Size: 6646 bytes
Desc: not available
Url : /pipermail/attachments/20090323/6db48818/http-digest.patch-0001.bin
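For readers following the quoted-string and auth vs. auth-int points above, here is an added, stand-alone Python sketch (not part of the Dillo patch or of Dillo's code) that parses a Digest challenge with backslash-escaped quotes and computes the RFC 2617 request-digest; the challenge string in the docstring is constructed, and the test values come from the worked example in RFC 2617 section 3.5.

```python
"""Parse an RFC 2617 Digest challenge and compute the client response.

Added example, not code from the Dillo patch. Constructed challenge:
  Digest realm="my \"quoted\" realm", qop="auth,auth-int", nonce="abc"
"""
import hashlib
import re

# name=value pairs; a quoted value may contain quoted-pairs (backslash plus
# any char, RFC 2616), which is how a '"' inside a realm gets escaped.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header):
    """Return the Digest parameters as a dict, unescaping quoted-pairs."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    out = {}
    for m in _PARAM_RE.finditer(params):
        key, quoted, token = m.groups()
        value = token if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        out[key.lower()] = value
    return out


def _h(data):
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(ch, user, pw, method, uri, nc, cnonce,
                    qop="auth", body=None):
    """RFC 2617 3.2.2.1 request-digest for qop=auth or qop=auth-int.

    nc is the client's per-nonce request counter (8 hex digits on the
    wire), so each request needs a freshly computed string. auth-int
    also hashes the entity body, which is why the auth code needs a
    pointer to the request body and not only the request URL.
    """
    ha1 = _h(f"{user}:{ch['realm']}:{pw}")
    if qop == "auth-int":
        ha2 = _h(f"{method}:{uri}:{_h(body or '')}")
    else:
        ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{ch['nonce']}:{nc:08x}:{cnonce}:{qop}:{ha2}")
```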