openbsd-ports/www/lighttpd/patches/patch-src_http_auth_c

$OpenBSD: patch-src_http_auth_c,v 1.5 2012/04/28 09:25:25 sthen Exp $

Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617).

--- src/http_auth.c.orig	Tue Nov 29 06:36:18 2011
+++ src/http_auth.c	Mon Apr 23 00:09:35 2012
@@ -1095,7 +1095,9 @@ int http_auth_digest_check(server *srv, connection *co
 	if (algorithm &&
 	    strcasecmp(algorithm, "md5-sess") == 0) {
 		li_MD5_Init(&Md5Ctx);
-		li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
+		/* Errata ID 1649: http://www.rfc-editor.org/errata_search.php?rfc=2617 */
+		CvtHex(HA1, a1);
+		li_MD5_Update(&Md5Ctx, (unsigned char *)a1, 32);
 		li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
 		li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
 		li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
lighttpd fixes, from upstream via Brad. - Fix handling of empty header list entries in http_request_split_value. - Fix access log escaping of " and \\. - Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617). - Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround. - Fix splitting :port with IPv6. 2012-04-28 05:25:25 -04:00			$OpenBSD: patch-src_http_auth_c,v 1.5 2012/04/28 09:25:25 sthen Exp $

			`Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617).`

			`--- src/http_auth.c.orig Tue Nov 29 06:36:18 2011`
			`+++ src/http_auth.c Mon Apr 23 00:09:35 2012`
			`@@ -1095,7 +1095,9 @@ int http_auth_digest_check(server srv, connection co`
			`if (algorithm &&`
			`strcasecmp(algorithm, "md5-sess") == 0) {`
			`li_MD5_Init(&Md5Ctx);`
			`- li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);`
			`+ /* Errata ID 1649: http://www.rfc-editor.org/errata_search.php?rfc=2617 */`
			`+ CvtHex(HA1, a1);`
			`+ li_MD5_Update(&Md5Ctx, (unsigned char *)a1, 32);`
			`li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);`
			`li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));`
			`li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);`