Re: [squid-users] empty basic/digest realm

From: Khaled Blah <khaled.blah_at_googlemail.com>
Date: Tue, 6 Jul 2010 11:46:30 +0200

Hi Henrik,

I am not sure what your point is so I'll be trying to make my point
again. First of all, the RFC specifies the realm to be a quoted-string
as you can see here:

realm = "realm" "=" realm-value
realm-value = quoted-string

In the whole RFC there is no statement that says the realm has to have
a certain length. So it can also have the length 0 which translates to
the empty string. I have written an auth helper which is able to cope
with the empty string as a realm but Squid cannot cope with it. This
is the reason for my email in the first place.

The empy realm leads to an H(A1) like this: H(A1) == HEX(MD5(login
"::" password))
This computes to a perfectly valid MD5 hash with which IE and Firefox
have no problem.

I hope I have made my intentions more clear now.

Regards,
Khaled

2010/7/1 Henrik Nordström <henrik_at_henriknordstrom.net>:
> The normal digest ldap helper in plain text passord mode expects just the plain text password in ldap, without realm.
>
> If you store H(A1) value then it`s always realm specific. And to my knowledge there is no basic auth helper capable of verifying to a H(A1) value but technically it can be done regardless of what realm were used in the H(A1).
>
> If you use some other helper which expects realm:password or realm:H(A1) then it would most likely expect :H(A1) and not H(A1) if realm is empty.
>
> Keep in mind that Digest A1 value is login:realm:password. And H is HEX MD5 which makes H(A1) == HEX(MD5(login ":" realm ":" password))
>
> So i still do not quite umderstand what yo want to accomplish with an empty realm.
>
> Regards
> Henrik
Received on Tue Jul 06 2010 - 09:46:33 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 07 2010 - 12:00:13 MDT