[mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2832 152afb58-edef-0310-8abb-c4023f1b3aa9
2012-04-19 13:02:09 +00:00 · 2012-04-19 13:02:09 +00:00 · 61047369c7
parent ab0fa7d873
commit 61047369c7
2 changed files with 4 additions and 1 deletions
--- a/1
+++ b/1
@ -11,6 +11,7 @@ NEWS
  * buffer_caseless_compare: always convert letters to lowercase to get transitive results, fixing array lookups (fixes #2405)
  * Fix handling of empty header list entries in http_request_split_value, fixing invalid read in valgrind (fixes #2413)
  * Fix access log escaping of " and \\ (fixes #1551)
+  * [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)

 - 1.4.30 - 2011-12-18
  * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
--- a/src/http_auth.c
+++ b/src/http_auth.c
@ -1095,7 +1095,9 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 	if (algorithm &&
 	    strcasecmp(algorithm, "md5-sess") == 0) {
 		li_MD5_Init(&Md5Ctx);
-		li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
+		/* Errata ID 1649: http://www.rfc-editor.org/errata_search.php?rfc=2617 */
+		CvtHex(HA1, a1);
+		li_MD5_Update(&Md5Ctx, (unsigned char *)a1, 32);
 		li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
 		li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
 		li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);