develooper Front page | perl.libwww | Postings from January 2001

Re: LWP::Authen::Digest update for RFC 2617

Thread Previous | Thread Next
From:
Gisle Aas
Date:
January 19, 2001 10:12
Subject:
Re: LWP::Authen::Digest update for RFC 2617
Message ID:
lrpuhjfm3m.fsf@caliper.ActiveState.com
Dave Dunkin <dave_dunkin@hotmail.com> writes:

> My bad. Try this one.

[...]

> --- Digest.pm.latest	Fri Jan 19 03:02:43 2001
> +++ Digest.pm	Fri Jan 19 03:09:32 2001
> @@ -3,6 +3,8 @@
>  
>  require MD5;
>  
> +my %nonce_count;
> +
>  sub authenticate
>  {
>      my($class, $ua, $proxy, $auth_param, $response,
> @@ -12,6 +14,10 @@
>                                                    $request->url, $proxy);
>      return $response unless defined $user and defined $pass;
>  
> +    $nonce_count{$auth_param->{nonce}}++;
> +    my $nc = sprintf "%08X", $nonce_count{$auth_param->{nonce}};
> +    my $cnonce = sprintf "%8x", time;
> +

I think the %nonce_count here should really be a $ua attribute.  If
you use multiple LWP::UserAgents then they should maintain different
sequences, because they are different clients.  Something like:

   $ua->{authen_md5_nounce_count}{$auth_param->{nonce}}++;

should be acceptable.

You should probably try to avoid warnings from perl about using undef
values if the response did not include any nonce value too.  LWP
really ought to have a test-suite entry for this code too.

>      my $uri = $request->url->path_query;
>      $uri = "/" unless length $uri;
>  
> @@ -24,7 +30,11 @@
>  
>      push(@digest, $auth_param->{nonce});
>  
> -    $md5->add(join(":", $request->method, $uri));
> +    if ($auth_param->{qop}) {
> +	push(@digest, $nc, $cnonce, $auth_param->{qop});
> +    }
> +
> +    $md5->add(join(":", $request->method, $request->url->path));

I believe you should not change the last parameter to $md5->add here.

>      push(@digest, $md5->hexdigest);
>      $md5->reset;
>  
> @@ -33,9 +43,13 @@
>      $md5->reset;
>  
>      my %resp = map { $_ => $auth_param->{$_} } qw(realm nonce opaque);
> -    @resp{qw(username uri response)} = ($user, $uri, $digest);
> +    @resp{qw(username uri response algorithm)} = ($user, $uri, $digest, "MD5");
> +
> +    if($auth_param->{qop} eq "auth") {
> +	@resp{qw(qop cnonce nc)} = ("auth", $cnonce, $nc);
> +    }
>  
> -    my(@order) = qw(username realm nonce uri response);
> +    my(@order) = qw(username realm qop algorithm uri nonce nc cnonce response);
>      if($request->method =~ /^(?:POST|PUT)$/) {
>  	$md5->add($request->content);
>  	my $content = $md5->hexdigest;

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About