I forgot to urlDecode the request-URI; it's fixed.

I will add protection against replay attacks (handle nc properly), maybe in a few days.

I'll be glad to see some life signs...

On 4/3/07, samuel alba <[EMAIL PROTECTED]> wrote:
Hello,

To complete my previous message, I fixed some things in my patch,
especially Internet Explorer support in the digest string parser.

I also reduced my patch by ignoring spaces (sorry).

Thanks,

- samuel alba


Index: bin/gnump3d2
===================================================================
RCS file: /sources/gnump3d/gnump3d/bin/gnump3d2,v
retrieving revision 1.152
diff -b -B -r1.152 gnump3d2
197a198
> our $AUTHORIZATION_TYPE= "";
779c780
< 	    if ( $request =~ /Authorization: Basic ([^\r\n]+)/ )
---
> 	    if ( $request =~ /Authorization: (Basic|Digest) ([^\r\n]+)/ )
781c782
< 		$AUTHORIZATION = $1;
---
> 			$AUTHORIZATION = $2;
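Review bot: The scheme captured as $1 by the new `(Basic|Digest)` pattern is discarded at `$AUTHORIZATION = $2`, so nothing later compares what the client sent with the configured $AUTHORIZATION_TYPE. A Basic header arriving on a Digest-configured server is then run through the Digest field regexes, and a Digest header on a Basic-configured server is base64-decoded. Suggest saving $1 and answering with a fresh challenge when it differs from $AUTHORIZATION_TYPE.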
1421a1423,1431
> 		if ($AUTHORIZATION_TYPE eq 'Digest')
> 		{
> 			my $md5_handle = gnump3d::MD5->new();
> 			$md5_handle->add(rand() + time());
> 			my $nonce = $md5_handle->hexdigest;
> 			$header .= "WWW-Authenticate: Digest realm=\"GNUMP3d\", nonce=\"" . $nonce . "\", algorithm=MD5, domain=\"" . $REQUEST . "\", qop=\"auth\"\r\n";
> 		}
> 		elsif ($AUTHORIZATION_TYPE eq 'Basic')
> 		{
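Review bot: The nonce built from `rand() + time()` is not recorded anywhere in this hunk, and the verification code elsewhere in the patch only feeds the client-supplied nonce back into the hash, so the server cannot tell a nonce it issued from one the client chose, and a captured Authorization header can be replayed. The MD5 input is also a single numeric sum of the clock and Perl's non-cryptographic rand(), which is guessable. Suggest deriving the nonce from a timestamp plus a hash over that timestamp and a server-side secret, so it can be checked for authenticity and age without stored state. Any double quote in $REQUEST should also be escaped before it is placed inside the quoted domain value.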
1423a1434
>     }
3037,3038d3047
< 	       my $decoder = gnump3d::base64->new( );
< 	       my $decoded = $decoder->decode( $AUTHORIZATION );
3040a3050,3074
> 				my $digestRequest = "";
> 
> 				if ($AUTHORIZATION_TYPE eq 'Digest')
> 				{
> 					my $md5_handle = gnump3d::MD5->new();
> 					my ($username, $realm, $nonce, $uri, $algorithm, $response, $qop, $nc, $cnonce);
> 					$username = $1 if ($AUTHORIZATION =~ /username="([^"]*)"/);
> 					$realm = $1 if ($AUTHORIZATION =~ /realm="([^"]*)"/);
> 					$nonce = $1 if ($AUTHORIZATION =~ /nonce="([^"]*)"/);
> 					$uri = $1 if ($AUTHORIZATION =~ /uri="([^"]*)"/);
> 					$response = $1 if ($AUTHORIZATION =~ /response="([^"]*)"/);
> 					$qop = $1 if ($AUTHORIZATION =~ /qop=["]?([a-zA-Z]+)["]?/);
> 					$nc = $1 if ($AUTHORIZATION =~ /nc=([0-9]+)/);
> 					$cnonce = $1 if ($AUTHORIZATION =~ /cnonce="([^"]*)"/);
> 
> 					$md5_handle->add('GET:' . &urlEncode($REQUEST));
> 					my $A2 = $md5_handle->hexdigest;
> 					$user = $username;
> 					$pass = $nonce . ':' . $nc . ':' . $cnonce . ':' . $qop . ':' . $A2;
> 					$digestRequest = $response;
> 				}
> 				elsif ($AUTHORIZATION_TYPE eq 'Basic')
> 				{
> 					my $decoder = gnump3d::base64->new( );
> 					my $decoded = $decoder->decode( $AUTHORIZATION );
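Review bot: The pattern `/nonce="([^"]*)"/` also matches inside `cnonce="..."`, so when a client sends cnonce ahead of nonce, $nonce receives the cnonce value and the digest never matches; anchor the field names, for example `/(?:^|[\s,])nonce="([^"]*)"/`, and do the same for the other fields. $realm and $uri are parsed but never checked, and $algorithm is declared but never set: $uri should be compared with the requested resource, and a request that leaves qop, nc or cnonce undefined should be rejected before $pass is concatenated. The method is hard-coded as 'GET:' in A2, so a request using any other method can never authenticate.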
3046a3081
> 				}
3074c3108,3123
< 		   if ( $line eq "$user:$pass" )
---
> 					if ($AUTHORIZATION_TYPE eq 'Digest')
> 					{
> 						if ($line =~ /(.*):(.*)/)
> 						{
> 							my $md5_handle = gnump3d::MD5->new();
> 							$md5_handle->add($2 . ':' . $pass);
> 							my $digest = $md5_handle->hexdigest;
> 							if (($user eq $1) and ($digest eq $digestRequest))
> 							{
> 								# Successful login - saved logged in username
> 								$LOGGED_IN_USER = $user;
> 								return;
> 							}
> 						}
> 					}
> 					elsif ( $line eq "$user:$pass" )
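Review bot: `$line =~ /(.*):(.*)/` is greedy and unanchored, so $2 carries along anything that follows the last colon, including trailing whitespace, and such a password-file line silently never authenticates. Suggest matching the documented format strictly, for example `/^([^:]+):([0-9a-fA-F]{32})\s*$/`, and normalizing the case of the stored hash and of $digestRequest before the `eq` comparison. It would also help to log a malformed line rather than skip it quietly.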
3429a3479
>   $AUTHORIZATION_TYPE = getConfig( 'authentication_type', 'Basic' );
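Review bot: The value returned by `getConfig( 'authentication_type', 'Basic' )` is used without validation, while the challenge and credential-parsing hunks of this patch test it with an exact `eq 'Digest'` or `eq 'Basic'`. A setting such as `digest` or a misspelling matches neither, in which case the challenge hunk emits no WWW-Authenticate header and the credential-parsing hunk sets neither $user nor $pass. Suggest normalizing case here and refusing to start on an unknown value.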
Index: etc/gnump3d.conf
===================================================================
RCS file: /sources/gnump3d/gnump3d/etc/gnump3d.conf,v
retrieving revision 1.23
diff -b -B -r1.23 gnump3d.conf
309a310,318
> #  OR, for Digest authentification, the password file should be of
> # the following format:
> #
> #  username:hash
> #  username2:hash2
> #
> # hash or hash2 represent MD5(login:GNUMP3d:password)
> # To generate an hash string, type:
> #  $> echo -n 'username:GNUMP3d:password' | md5sum
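Review bot: The documented command `echo -n 'username:GNUMP3d:password' | md5sum` prints the hash followed by two spaces and a dash, and the comment does not say to drop that suffix; pasted as is, the line will not match. Suggest showing a command that keeps only the first field, and stating that the realm is fixed to GNUMP3d so the hash must be regenerated if the realm ever changes. The comment should also say that the stored hash is by itself enough to compute valid Digest responses (the server code only ever uses the hash, never the password), so the file needs the same protection as a plaintext password file. Minor: "authentification" should be "authentication" and "an hash" should be "a hash".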
318a328
> # authentication_type = Basic # Basic or Digest
_______________________________________________
Gnump3d-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnump3d-users
