Bug 58530 - flaws in digest authentication implementation
Summary: flaws in digest authentication implementation
Status: RESOLVED WORKSFORME
Alias: None
Product: frameworks-kio
Classification: Frameworks and Libraries
Component: general (show other bugs)
Version: 5.48.0
Platform: FreeBSD Ports All
: NOR normal
Target Milestone: ---
Assignee: Dawit Alemayehu
URL:
Keywords:
: 53997 57862 (view as bug list)
Depends on:
Blocks:
 
Reported: 2003-05-15 16:07 UTC by Fernando Schapachnik
Modified: 2020-06-30 04:33 UTC (History)
6 users (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Fernando Schapachnik 2003-05-15 16:07:39 UTC
Version:            (using KDE KDE 3.1)
Installed from:    FreeBSD Ports
Compiler:          gcc version 2.95.4 20020320 [FreeBSD] 
OS:          FreeBSD

When required digest authentication the window prompting for username and password pops up several times, approx. once for each HTTP object. This was discovered tracking an apparent bug in Squid Web Proxy digest authentication. It turned that the problem was in the browser side (wrong nonce count).

You can find the complete bug report (with traces, logs, etc.) on the Squid bugzilla under bug id 630:
http://www.squid-cache.org/bugs/show_bug.cgi?id=630

Thanks!
Comment 1 Maksim Orlovich 2003-05-15 17:03:08 UTC
Moving to kio-http; not sure the problem is exactly there, but I imagine Zogje  
would be the right person to comment on this anyway. 
Comment 2 Dawit Alemayehu 2003-05-16 02:19:09 UTC
> When required digest authentication the window prompting for username and 
> password pops up several times, approx. once for each HTTP object.  
 
Hmm... this is supposed to have already been addressed, i.e. the issue of multiple 
password dialogs. I will see if I can duplicate. 
 
> This was discovered tracking an apparent bug in Squid Web Proxy digest 
> authentication. It turned that the problem was in the browser side (wrong nonce 
> count).  
 
This is a known issue in the current implementation of kio_http's (KDE's http handler) 
authentication handler code. Here is what the code that deals with nonce-count does:  
 
  // HACK: Should be fixed according to RFC 2617 section 3.2.2. 
  _data._nc = "00000001"; 
 
When we implemented support for digest authentication very few servers supported 
that particular authentication scheme and some of the more complex features were 
simply left un-implemented.   
 
I however would be a bit surprised if Squid's implementation by default supports the 
'qop' directive.  RFC 2617 section 3.2.2 explicitly states that support for 'qop' is 
provided for backwards compatibility with RFC 2069... 
 
From the server's perspective what kio_http does should look like a replay since it 
sends back the same constant nc value of 1 all the time.  We do not also properly 
support support qop = auth-int since it requires the calculation of the digest value for 
the entity-body to be trasmitted. 
 
Anyways, I will put this on my to do list but it will probably have a lower priority since 
for the reasons I stated above, namely it being a deprecated feature... 
 
Regards, 
Dawit A. 
Comment 3 Henrik Nordstrom 2003-05-16 16:09:54 UTC
Dawit:

You are misreading the Digest specifications.

According to RFC2617 qop SHOULD be used, but to provide compability with RFC2069
implementations it MAY optionally not be used.

Squid uses qop=auth, and this requires nc to be at least increasing for each
request. In the optimal world nc SHOULD increase by exacly one for each new
request using the same server nonce, but it MUST at least be increasing on each
new request. A client MUST NOT send two requests with the same nonce-count value
(nc=)

If a client implementation does not support qop (i.e. a minimal Digest
implementation by RFC2069) then it should not respond to the qop invitation by
the server. Such requests will however be rejected by RFC2617 servers requiring
qop such as Squid as the Digest security level when not using qop is quite poor.
Comment 4 Dawit Alemayehu 2003-05-16 19:51:45 UTC
Henrik: 
 
You are right!  I indeed misread the specification.  I stand corrected. Anyways, I have 
now fixed this and will test it with my squid installation. 
 
Regards, 
Dawit A. 
Comment 5 Fernando Schapachnik 2003-05-19 18:15:06 UTC
Dawit:
On a related note, it seems that Konqueror is first trying Basic auth, even when
Digest is present, and first on the proxy's list:

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE2-20030519
Mime-Version: 1.0
Date: Mon, 19 May 2003 16:11:36 GMT
Content-Type: text/html
Content-Length: 1343
Expires: Mon, 19 May 2003 16:11:36 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Digest realm="squid", nonce="OALJPkCjQwnCK7It", qop="auth",
stale=false
Proxy-Authenticate: Basic realm="squid"
X-Cache: MISS from raimundo.mecon.ar
Proxy-Connection: close

I think strongest method should be prefered (not sure what the RFC says).
Mozilla handles this Ok.

Thanks!
Comment 6 Dawit Alemayehu 2003-05-19 19:10:26 UTC
Hi Fernando,

That should not happen as we automatically ook for the strongest authentication
scheme. If basic authentication is being used as the result of the response you
posted, then there must be another issue. I will have a look at that too.  I
know for sure that this problem does not exist in the version I have on my local
HD which is at the moment very different than what is in the cvs.

Regards,
Dawit A.
Comment 7 Henrik Nordstrom 2003-05-19 19:17:37 UTC
RFC2617 4.6 Weakness Created by Multiple Authentication Schemes

   An HTTP/1.1 server may return multiple challenges with a 401
   (Authenticate) response, and each challenge may use a different
   auth-scheme. A user agent MUST choose to use the strongest auth-
   scheme it understands and request credentials from the user based
   upon that challenge.
Comment 8 Dawit Alemayehu 2003-06-04 05:56:15 UTC
*** Bug 57862 has been marked as a duplicate of this bug. ***
Comment 9 Dawit Alemayehu 2003-06-04 06:05:54 UTC
*** Bug 53997 has been marked as a duplicate of this bug. ***
Comment 10 Dawit Alemayehu 2003-06-28 02:40:15 UTC
All the problems mentioned in this report are now fixed in a new branch called 
kio_http_experimental.  You can check out that branch for the following two 
modules => kdelibs/kioslave/http and kdelibs/interface/kio if you are using CVS 
version. 
 
Regards, 
Dawit A.   
Comment 11 Waldo Bastian 2003-11-12 17:26:04 UTC
See also http://bugzilla.mozilla.org/show_bug.cgi?id=114451
I think there is a problem ensuring correctly increasing nonce-count if we share the same nonce across multiple io-slaves (paralel connections). The best way to ensure correct nonce-count seems to me if the nonce's where not cached in the password deamon and each slave would keep track of its own nonce and nonce-count.

Would that work, or would we, with two slaves operating in parallel, keep triggering invalid nonces in such case?

Comment 12 Henrik Nordstrom 2003-11-12 23:06:53 UTC
The nonce-count check is tricky to get correct. About the only way to ensure correcness is to never have more than one concurrent request per nonce.

For now Squid does not enforce increasing nonce-count due to the high risk browsers gets it incorrect or messages gets reordered in the network (i.e. hierarchy of proxies). Eventually we hope to enable this again as it's use strengthens digest auth from replay attacks.
Comment 13 Dawit Alemayehu 2003-11-26 20:18:28 UTC
We definitely need to store the nonce-count in the password server so that all the http io-slaves can correctly obtain the current count. Otherwise, two http io-slaves operating in parallel would indeed end up sending invalid nonce values. Which reminds me that I still need to fix the experimetal branch such that the nonce values are correctly incremented when we pre-emptively send authentication to the server.
Comment 14 groot 2004-01-17 15:16:36 UTC
Not FreeBSD specific, it seems. Dawit, has this been fixed for 3.2?
Comment 15 Dawit Alemayehu 2004-01-17 17:17:20 UTC
Subject: Re:  flaws in digest authentication implementation

On Saturday 17 January 2004 09:16, Adriaan De Groot wrote:
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> http://bugs.kde.org/show_bug.cgi?id=58530
> adridg@cs.kun.nl changed:
>
>            What    |Removed                     |Added
> ---------------------------------------------------------------------------
>- OS/Version|FreeBSD                     |All
>
>
>
> ------- Additional Comments From adridg@cs.kun.nl  2004-01-17 15:16 -------
> Not FreeBSD specific, it seems. Dawit, has this been fixed for 3.2?

See comment #10. For the most part it is fixed in the experimental branch, but 
I am not sure if and when the experimental branch is going to be merged back 
in.  At this point it is only safe to say that it will not be before the 3.2 
release...

Comment 16 ingo 2006-08-04 14:23:28 UTC
There is another flaw within the digest authentication code.
Within the response (Proxy-)Authorization, the values of the
parameters algorithm and qop are quoted. This is against the
spec. The response value of algorithm and qop are single tokens,
cf. rfc2617, "3.2.2 The Authorization Request Header"
a) the augmented BNF
b) 
====
 qop
     Indicates what "quality of protection" the client has applied to
     the message. If present, its value MUST be one of the alternatives
     the server indicated it supports in the WWW-Authenticate header.
     These values affect the computation of the request-digest. Note
     that this is a single token, not a quoted list of alternatives as
     in WWW- Authenticate.
===

The value of algorithm is a single token in any case, i.e. without quotes
(both within request and response, see rfc2617 "3.2.1 The WWW-Authenticate Response Header")
NOTE that the quotes within the
augmented BNF do NOT belong to the token nor indicate that the token
must be enclosed by quotes (see rfc2616, "2.1 Augmented BNF":
===
   "literal"
      Quotation marks surround literal text. Unless stated otherwise,
      the text is case-insensitive.
===

This flaw is present up to 3.2.5
Comment 17 ingo 2006-08-04 14:34:25 UTC
...sorry: I meant present up to 3.5.4, i.e. the recent stable version as of today. See attached a patch for kdelibs-3.5.4/kioslave/http/http.cc
=====
--- http.cc.orig        2006-08-04 14:33:16.070320080 +0200
+++ http.cc     2006-08-04 14:33:59.170767816 +0200
@@ -5939,15 +5939,14 @@
   auth += "\", uri=\"";
   auth += m_request.url.encodedPathAndQuery(0, true);

-  auth += "\", algorithm=\"";
+  auth += "\", algorithm=";
   auth += info.algorithm;
-  auth +="\"";

   if ( !info.qop.isEmpty() )
   {
-    auth += ", qop=\"";
+    auth += ", qop=";
     auth += info.qop;
-    auth += "\", cnonce=\"";
+    auth += ", cnonce=\"";
     auth += info.cnonce;
     auth += "\", nc=";
     auth += info.nc;
Comment 18 ingo 2007-10-01 23:36:30 UTC
the quoting flaw still is present in 3.5.7.
*sigh*
Comment 19 ingo 2007-10-01 23:40:51 UTC
the flaw is present up to 3.93.0.
Comment 20 ingo 2007-12-05 20:11:28 UTC
Unfixed. Still present in kdelibs-3.96.0. Please fix it.
Comment 21 ingo 2007-12-24 18:56:06 UTC
Unfixed. Still present in kdelibs-3.97.0. Please fix it.
Comment 22 Sok Ann Yap 2008-07-21 11:07:54 UTC
I implemented a digest authentication service that works fine with Opera and Firefox, but always get replay attacked by Konqueror since the nc never increase. Konqueror can still authenticate, but each request has to be repeated, i.e. 1st request denied due to replay attack -> server sends a new nonce with stale=true -> 2nd request OK. 

By the way, Ingo, I think you have misread the spec. Both algorithm and qop MUST[1] be quoted:

algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
qop-options       = "qop" "=" <"> 1#qop-value <">

[1] http://www.ietf.org/rfc/rfc2119.txt :P
Comment 23 ingo 2008-07-21 19:49:15 UTC
@Sok Ann Yap. Nope. You misread it. Sorry, dude.

cf.
a) http://www.ietf.org/rfc/rfc2617.txt (1.1 Reliance on the HTTP/1.1 Spec)
---
This specification is a companion to the HTTP/1.1 specification [2].
It uses the augmented BNF section 2.1 of that document, and relies on
both the non-terminals defined in that document and other aspects of
the HTTP/1.1 specification.
---

b) http://www.ietf.org/rfc/rfc2616.txt (2.1 Augmented BNF)
---
  "literal"
  Quotation marks surround literal text. Unless stated otherwise,
  the text is case-insensitive.
---
The quotes are NOT part of the literal text.

As for "qop" this is clear from the spec, too (see above)
http://www.ietf.org/rfc/rfc2617.txt (3.2.2)
---
message-qop      = "qop" "=" qop-value
[...]
Note that this is a single token, not a quoted list of alternatives as
in WWW- Authenticate.
---
Comment 24 Henrik Nordstrom 2008-07-21 21:13:44 UTC
Ingo is right here. Quoted strings in the BNF syntax is string literals with the value being the string between the quotes. The quotes is not part of the protocol.

Quotes when present in the protocol is represented as <"> in the BNF syntax, as can be seen in the definitions of domain (RFC2617) or quoted-string (RFC2616)

qop is a little confusing as it uses different syntax for requests and responses. In requests it's a single vaule and not quoted (qop). In challenges (responses) it's a quoted list of possible values (qop-message)...

Comment 25 Henrik Nordstrom 2008-07-21 21:16:54 UTC
a little tired... meant qop-options, not qop-message. 
Comment 26 Sok Ann Yap 2008-07-22 13:07:00 UTC
You guys are correct. I misread the spec indeed. Guess that makes me a perfect candidate for the IE team :)

Ingo, you may want to try creating a separate bug report for the syntax issue. The title for this bug report is too general, and that could be one of the reason why nothing get done after 5 years.
Comment 27 Nils 2010-04-13 10:28:14 UTC
I don't have developer versions, so parts may already be fixed, but a quick look in the trunk suggests that the bugs are still there.

1) It seems that the entity-body can't be accessed. So "auth-int" should not be used at all.

2) info.qop seems to hold the value(s) specified in the challenge from the server, which can be something like "auth-int, auth". This exact string is then used in the response calculation, the request and in internal comparison. Instead, one of the qop-values must be picked:
Only one qop-value is allowed in the request (message-qop) and 'if ( info.qop == "auth-int" )' fails, if info.qop is "auth-int, auth".

3) The entity-body is appended to authString where its hash should be used:
authStr += ':'; authStr += info.entityBody;
vs. RFC 2617 - 3.2.2.3 (notice the H):
A2       = Method ":" digest-uri-value ":" H(entity-body)
Comment 28 Dawit Alemayehu 2010-12-04 21:04:15 UTC
(In reply to comment #27)
> I don't have developer versions, so parts may already be fixed, but a quick
> look in the trunk suggests that the bugs are still there.
> 
> 1) It seems that the entity-body can't be accessed. So "auth-int" should not be
> used at all.
> 
> 2) info.qop seems to hold the value(s) specified in the challenge from the
> server, which can be something like "auth-int, auth". This exact string is then
> used in the response calculation, the request and in internal comparison.
> Instead, one of the qop-values must be picked:
> Only one qop-value is allowed in the request (message-qop) and 'if ( info.qop
> == "auth-int" )' fails, if info.qop is "auth-int, auth".
> 
> 3) The entity-body is appended to authString where its hash should be used:
> authStr += ':'; authStr += info.entityBody;
> vs. RFC 2617 - 3.2.2.3 (notice the H):
> A2       = Method ":" digest-uri-value ":" H(entity-body)

http://websvn.kde.org/?view=revision&revision=1203598
Comment 29 Ahmad Samir 2020-05-31 15:54:28 UTC
Is this still an issue?
Comment 30 Bug Janitor Service 2020-06-15 04:33:08 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 31 Bug Janitor Service 2020-06-30 04:33:07 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!