Re: [twsocket] Digest authentication via THttpCli?
Paul Read wrote:
>> @Paul: Does that fix the issue?
>
> Yes! :-)

Thanks, I just checked in a fix, rev. #861

Log:
Digest Authentication
- Fixed backward compatibility with RFC 2069.
- Handle more than one qop and algorithm in server challenge.

Available via SVN now or included in the next nightly snapshot ZIP.
http://wiki.overbyte.be/wiki/index.php/ICS_Download

--
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Re: [twsocket] Digest authentication via THttpCli?
Thanks Arno. Well done.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

-----Original Message-----
From: twsocket-boun...@elists.org [mailto:twsocket-boun...@elists.org] On behalf of Arno Garrels
Sent: Tuesday, 10 January 2012 13:41
To: ICS support mailing
Subject: Re: [twsocket] Digest authentication via THttpCli?

Paul Read wrote:
>> @Paul: Does that fix the issue?
>
> Yes! :-)

Thanks, I just checked in a fix, rev. #861

Log:
Digest Authentication
- Fixed backward compatibility with RFC 2069.
- Handle more than one qop and algorithm in server challenge.

Available via SVN now or included in the next nightly snapshot ZIP.
http://wiki.overbyte.be/wiki/index.php/ICS_Download

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
François Piette wrote:
> Maybe a new component option would let the developer select the behaviour ?
> Or maybe first try with one option and then automatically switch to the
> other if it fails ?

Think I found the bug in OverbyteIcsDigestAuth.pas, will update SVN later :

{code}
procedure AuthDigestCalcResponse(
[..]
    { calculate response }
    MD5Init(Md5Ctx);
    MD5UpdateBuffer(Md5Ctx, HA1);
    MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
    MD5UpdateBuffer(Md5Ctx, Nonce);
    if Qop <> '' then begin // (if auth-int or auth) rfc2617 3.2.2.1 Request-Digest
        MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
        MD5UpdateBuffer(Md5Ctx, NonceCount);
        MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
        MD5UpdateBuffer(Md5Ctx, CNonce);
        MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
        MD5UpdateBuffer(Md5Ctx, Qop);
        // MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM); // == removed
    end;
    MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM); // == added
    MD5UpdateBuffer(Md5Ctx, HA2Hex);
    MD5Final(RespHash, Md5Ctx);
    Response := MD5DigestToLowerHexA(RespHash); { V1.01 }
end;
{code}

@Paul: Does that fix the issue?

Also in the curl-7.23.1 source code I found a very interesting note:

/* So IE browsers < v7 cut off the URI part at the query part when they
   evaluate the MD5 and some (IIS?) servers work with them so we may need to
   do the Digest IE-style. Note that the different ways cause different MD5
   sums to get sent.

   Apache servers can be set to do the Digest IE-style automatically using
   the BrowserMatch feature:
   http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie

   Further details on Digest implementation differences:
   http://www.fngtps.com/2006/09/http-authentication
*/

Likely we have to add an additional option DigestAuthIEStyle.

--
Arno Garrels

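The two response formulas this thread turns on, as an added Python example (not ICS code and not part of the original posts). Function names are hypothetical, the pre-fix model is read off the Pascal snippet posted above, and the sample values are the ones quoted in the thread.

```python
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def choose_qop(qop_options):
    """Pick a qop from the challenge's comma-separated qop list.

    No qop directive means an RFC 2069 style challenge (returns "").
    A list offering only auth-int is rejected, since the thread notes
    that auth-int is not supported.
    """
    offered = [q.strip().lower() for q in (qop_options or "").split(",")]
    offered = [q for q in offered if q]
    if not offered:
        return ""
    if "auth" in offered:
        return "auth"
    raise ValueError("no supported qop in challenge: %r" % qop_options)


def _ha1_ha2(user, realm, password, method, uri):
    ha1 = md5_hex("%s:%s:%s" % (user, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return ha1, ha2


def digest_response(user, realm, password, method, uri, nonce,
                    qop_options="", nc="00000001", cnonce=""):
    ha1, ha2 = _ha1_ha2(user, realm, password, method, uri)
    qop = choose_qop(qop_options)
    if qop:
        # RFC 2617 3.2.2.1: MD5(HA1:nonce:nc:cnonce:qop:HA2)
        parts = [ha1, nonce, nc, cnonce, qop, ha2]
    else:
        # RFC 2069 fallback: MD5(HA1:nonce:HA2)
        parts = [ha1, nonce, ha2]
    return md5_hex(":".join(parts))


def pre_fix_response_without_qop(user, realm, password, method, uri, nonce):
    """Model of the posted pre-fix code path when Qop is empty: the delimiter
    before HA2 was only written inside the Qop branch, so nonce and HA2 were
    hashed back to back."""
    ha1, ha2 = _ha1_ha2(user, realm, password, method, uri)
    return md5_hex("%s:%s%s" % (ha1, nonce, ha2))


def which_formula(captured, *args):
    """Name the no-qop formula that reproduces a captured response value."""
    if captured.lower() == digest_response(*args):
        return "rfc2069"
    if captured.lower() == pre_fix_response_without_qop(*args):
        return "pre-fix (missing delimiter)"
    return None


if __name__ == "__main__":
    # Values quoted in the thread; the challenge carried no qop directive.
    args = ("bob", "PUSH Authentication", "1234", "POST", "/push", "132577494")
    print("RFC 2069 formula:", digest_response(*args))
    print("pre-fix formula :", pre_fix_response_without_qop(*args))
```

`which_formula` takes the `response=` value from a captured Authorization header plus the same six arguments, which makes it a quick check when a packet trace shows two clients disagreeing on the digest.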
Re: [twsocket] Digest authentication via THttpCli?
> @Paul: Does that fix the issue?

Yes! :-)

On 09/01/2012 10:36, Arno Garrels wrote:
> François Piette wrote:
>> Maybe a new component option would let the developer select the behaviour ?
>> Or maybe first try with one option and then automatically switch to the
>> other if it fails ?
>
> Think I found the bug in OverbyteIcsDigestAuth.pas, will update SVN later :
>
> {code}
> procedure AuthDigestCalcResponse(
> [..]
>     { calculate response }
>     MD5Init(Md5Ctx);
>     MD5UpdateBuffer(Md5Ctx, HA1);
>     MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
>     MD5UpdateBuffer(Md5Ctx, Nonce);
>     if Qop <> '' then begin // (if auth-int or auth) rfc2617 3.2.2.1 Request-Digest
>         MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
>         MD5UpdateBuffer(Md5Ctx, NonceCount);
>         MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
>         MD5UpdateBuffer(Md5Ctx, CNonce);
>         MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
>         MD5UpdateBuffer(Md5Ctx, Qop);
>         // MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM); // == removed
>     end;
>     MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM); //== added
>     MD5UpdateBuffer(Md5Ctx, HA2Hex);
>     MD5Final(RespHash, Md5Ctx);
>     Response := MD5DigestToLowerHexA(RespHash); { V1.01 }
> end;
> {code}
>
> @Paul: Does that fix the issue?
>
> Also in the curl-7.23.1 source code I found a very interesting note:
>
> /* So IE browsers < v7 cut off the URI part at the query part when they
>    evaluate the MD5 and some (IIS?) servers work with them so we may need to
>    do the Digest IE-style. Note that the different ways cause different MD5
>    sums to get sent.
>
>    Apache servers can be set to do the Digest IE-style automatically using
>    the BrowserMatch feature:
>    http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
>
>    Further details on Digest implementation differences:
>    http://www.fngtps.com/2006/09/http-authentication
> */
>
> Likely we have to add an additional option DigestAuthIEStyle.

--
*Paul Read*
Partner and Senior Engineer
nSolve Ltd http://www.nsolve.com/?empr
Tel: +44 (0)845 8626777
Tel: +44 (0)1993 402011
Tel (US): +1 617 273 2304
nSolve http://www.nsolve.com/?empr
nCall http://www.nsolve.com/nCall-overview.shtml?empr
nTasktic http://www.ntasktic.com/?empr

Re: [twsocket] Digest authentication via THttpCli?
Paul Read wrote:
> Thanks for that information I therefore tweaked
> 'AuthDigestParseChallenge' so that Info.Qop is set to 'auth' if no Qop
> value is given and now the right MD5 is calculated and the server
> accepts the data.

I'd say this is a server-side bug. It obviously understands an RFC 2617
digest however sends an obsolete RFC 2069 WWW-Authenticate response header.
If I'm not totally misreading this sentence:

   qop-options
     This directive is optional, but is made so only for backward
     compatibility with RFC 2069 [6];

it means that if the qop directive is missing we have to assume RFC 2069
which calculates the digest differently. That cURL works is perhaps because
it doesn't try to support obsolete RFC 2069?

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
Hello,

This is what MSDN says about it :

   The qop-options directive, as specified in [RFC2617] section 3.2.1, is
   optional; but it is used for backward compatibility with digest access
   authentication, as specified in [RFC2069]. The qop-options directive
   SHOULD be used by all implementations compliant with this version of the
   digest authentication mechanism and SHOULD be enclosed in quotation marks.

AG> Paul Read wrote:
AG>> Thanks for that information I therefore tweaked
AG>> 'AuthDigestParseChallenge' so that Info.Qop is set to 'auth' if no Qop
AG>> value is given and now the right MD5 is calculated and the server
AG>> accepts the data.

AG> I'd say this is a server-side bug. It obviously understands an RFC 2617
AG> digest however sends an obsolete RFC 2069 WWW-Authenticate response header.
AG> If I'm not totally misreading this sentence:

AG>    qop-options
AG>      This directive is optional, but is made so only for backward
AG>      compatibility with RFC 2069 [6];

AG> it means that if the qop directive is missing we have to assume RFC 2069
AG> which calculates the digest differently. That cURL works is perhaps because
AG> it doesn't try to support obsolete RFC 2069?

Re: [twsocket] Digest authentication via THttpCli?
Arno Garrels wrote:
> Paul Read wrote:
>> Thanks for that information I therefore tweaked
>> 'AuthDigestParseChallenge' so that Info.Qop is set to 'auth' if no Qop
>> value is given and now the right MD5 is calculated and the server
>> accepts the data.
>
> I'd say this is a server-side bug.

Though it might be an ICS bug in the RFC 2069 implementation as well, but I
have no idea where. Digest calculation is simple in RFC 2069 and the same
calculation is also used as one part of the RFC 2617 calc.

> It obviously understands an RFC 2617
> digest however sends an obsolete RFC 2069 WWW-Authenticate response header.

Well, that seems OK as long as the server supports both RFC 2069 and
RFC 2617 clients.

> If I'm not totally misreading this sentence:
>
>    qop-options
>      This directive is optional, but is made so only for backward
>      compatibility with RFC 2069 [6];
>
> it means that if the qop directive is missing we have to assume RFC 2069
> which calculates the digest differently.

If not, ICS clients won't be able to authenticate with true old
RFC 2069 servers...?

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
Maybe a new component option would let the developer select the behaviour ?
Or maybe first try with one option and then automatically switch to the
other if it fails ?

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

-----Original Message-----
From: twsocket-boun...@elists.org [mailto:twsocket-boun...@elists.org] On behalf of Arno Garrels
Sent: Sunday, 8 January 2012 19:30
To: ICS support mailing
Subject: Re: [twsocket] Digest authentication via THttpCli?

Arno Garrels wrote:
> Paul Read wrote:
>> Thanks for that information I therefore tweaked
>> 'AuthDigestParseChallenge' so that Info.Qop is set to 'auth' if no Qop
>> value is given and now the right MD5 is calculated and the server
>> accepts the data.
>
> I'd say this is a server-side bug.

Though it might be an ICS bug in the RFC 2069 implementation as well, but I
have no idea where. Digest calculation is simple in RFC 2069 and the same
calculation is also used as one part of the RFC 2617 calc.

> It obviously understands an RFC 2617
> digest however sends an obsolete RFC 2069 WWW-Authenticate response header.

Well, that seems OK as long as the server supports both RFC 2069 and
RFC 2617 clients.

> If I'm not totally misreading this sentence:
>
>    qop-options
>      This directive is optional, but is made so only for backward
>      compatibility with RFC 2069 [6];
>
> it means that if the qop directive is missing we have to assume RFC 2069
> which calculates the digest differently.

If not, ICS clients won't be able to authenticate with true old
RFC 2069 servers...?

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
Paul Read wrote:
> I was using version 708 using the latest (721) I now at least get the
> response to the 401 being sent back :-)
>
> But still the request is rejected by the server. Wireshark shows that
> the digest authorization response calculated by ICS is different to that
> calculated by cURL. (The nonce given was the same for ICS and cURL). The
> cURL response is accepted, the ICS response is not.
>
> cURL:
> Digest username="bob", realm="PUSH Authentication", nonce="132577494", uri="/push", response="ce032cf8dad4898084e1a3f7f34148c8", algorithm="MD5"
>
> ICS:
> Digest username="bob",realm="PUSH Authentication",nonce="132577494",uri="/push",response="7e843d8e80bd9265b467916afbc9cb2e"
>
> How can I be sure ICS is using MD5 and not MD4 or something else?

It does use MD5, see digest source in OverbyteIcsDigestAuth.pas.
As per RFC 2617 MD5 is the default algorithm and optionally (some browsers
don't send it either):

   algorithm
     A string indicating a pair of algorithms used to produce the digest
     and a checksum. If this is not present it is assumed to be MD5.

Also I recently tested digest authentication against various proxy servers
successfully.

Please post the server challenge, does it by any chance request auth-int?
auth-int is not supported yet.

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
> Please post the server challenge,

What does this look like?

> does it by any chance request auth-int?
> auth-int is not supported yet.

I don't see 'auth-int' within the packets but maybe I am looking in the
right area.

The first response from the server is:

HTTP/1.1 401 Unauthorized
Server: Polycom SoundPoint IP Telephone HTTPd
Date: SAT, 07 JAN 2012 08:36:26 GMT
Connection: close
WWW-Authenticate: Digest realm=PUSH Authentication, nonce=132577494, algorithm=MD5
Content-type: text/html

<!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN>
<html><head><title>401 Unauthorized</title></head><body>
Authorization failed.
</body></html>

Many thanks for your suggestions and help so far

Paul

On 07/01/2012 08:25, Arno Garrels wrote:
> Paul Read wrote:
>> I was using version 708 using the latest (721) I now at least get the
>> response to the 401 being sent back :-)
>>
>> But still the request is rejected by the server. Wireshark shows that
>> the digest authorization response calculated by ICS is different to that
>> calculated by cURL. (The nonce given was the same for ICS and cURL). The
>> cURL response is accepted, the ICS response is not.
>>
>> cURL:
>> Digest username="bob", realm="PUSH Authentication", nonce="132577494", uri="/push", response="ce032cf8dad4898084e1a3f7f34148c8", algorithm="MD5"
>>
>> ICS:
>> Digest username="bob",realm="PUSH Authentication",nonce="132577494",uri="/push",response="7e843d8e80bd9265b467916afbc9cb2e"
>>
>> How can I be sure ICS is using MD5 and not MD4 or something else?
>
> It does use MD5, see digest source in OverbyteIcsDigestAuth.pas.
> As per RFC 2617 MD5 is the default algorithm and optionally (some browsers
> don't send it either):
>
>    algorithm
>      A string indicating a pair of algorithms used to produce the digest
>      and a checksum. If this is not present it is assumed to be MD5.
>
> Also I recently tested digest authentication against various proxy servers
> successfully.
>
> Please post the server challenge, does it by any chance request auth-int?
> auth-int is not supported yet.

Re: [twsocket] Digest authentication via THttpCli?
Paul Read wrote:
>> Please post the server challenge,
>
> What does this look like?
>
>> does it by any chance request auth-int?
>> auth-int is not supported yet.
>
> I don't see 'auth-int' within the packets but maybe I am looking in the
> right area.
>
> The first response from the server is:
>
> WWW-Authenticate: Digest realm=PUSH Authentication, nonce=132577494, algorithm=MD5

That looks strange since the opaque data string is missing which doesn't
seem to be optional, and since the qop directive is also missing it's likely
an obsolete version of digest auth (RFC 2069) ICS _might_ not properly
support:

http://www.faqs.org/rfcs/rfc2617.html / 3.2.1 The WWW-Authenticate Response Header

   qop-options
     This directive is optional, but is made so only for backward
     compatibility with RFC 2069 [6];

http://www.faqs.org/rfcs/rfc2069.html

Someone had to dig into both specs and compare them with ICS' RFC 2617
implementation.

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
Still struggling to post data via THttpCli using Digest Authentication.

Looking via Wireshark I can see that THttpCli did not respond to the 401
Unauthorized sent by the server, so the data I want to send does not get
through (whilst if I use cURL it works fine).

I have configured THttpCli like this:

Username = 'bob'
Password = '1234'
ContentTypePost = 'application/x-com-polycom-spipx'
RequestVer = '1.1'
FollowRelocation = True
ServerAuth = httpAuthDigest
SocksAuthentication = socksNoAuthentication
ProxyAuth = httpAuthNone
Options = []
URL = http://192.168.1.155/push;;
RcvdStream = NULL;
SendStream = DataOut;

And then call THttpCli->Post();

What more should I be doing?

Many thanks
Paul

On 05/01/2012 22:42, Paul Read wrote:
> The server I am trying to connect to, via my C++Builder 2007
> application using ICS, requires Digest Authentication.
>
> To use THttpCli do I simply set the Username and Password properties,
> set the ServerAuth property to httpAuthDigest and then call SendStream?
>
> Many thanks
> Paul

Re: [twsocket] Digest authentication via THttpCli?
Paul Read wrote:
> Still struggling to post data via THttpCli using Digest
> Authentication.
>
> Looking via Wireshark I can see that THttpCli did not respond to the
> 401 Unauthorized sent by the server,

What ICS version do you use? THttpCli got some fixes recently related to
authentication AFAIR. Try latest ICSv7 from here:
http://wiki.overbyte.be/wiki/index.php/ICS_Download
I have no problem POSTing with the POST demo and HttpTst demo with digest
auth to the Webserver demo (Delphi demos).

> so the data I want to send does not get
> through (whilst if I use cURL it works fine).

What do you mean by cURL?

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
On 06-01-2012 17:31, Arno Garrels wrote:
> What do you mean by cURL?

http://curl.haxx.se/

Re: [twsocket] Digest authentication via THttpCli?
RTT wrote:
> On 06-01-2012 17:31, Arno Garrels wrote:
>> What do you mean by cURL?
>
> http://curl.haxx.se/

:-) I thought it's some kind of URL/URI I never heard of.

--
Arno Garrels

Re: [twsocket] Digest authentication via THttpCli?
> What ICS version do you use? THttpCli got some fixes recently related to
> authentication AFAIR. Try latest ICSv7 from here:
> http://wiki.overbyte.be/wiki/index.php/ICS_Download

I was using version 708 using the latest (721) I now at least get the
response to the 401 being sent back :-)

But still the request is rejected by the server. Wireshark shows that the
digest authorization response calculated by ICS is different to that
calculated by cURL. (The nonce given was the same for ICS and cURL). The
cURL response is accepted, the ICS response is not.

cURL:
Digest username="bob", realm="PUSH Authentication", nonce="132577494", uri="/push", response="ce032cf8dad4898084e1a3f7f34148c8", algorithm="MD5"

ICS:
Digest username="bob",realm="PUSH Authentication",nonce="132577494",uri="/push",response="7e843d8e80bd9265b467916afbc9cb2e"

How can I be sure ICS is using MD5 and not MD4 or something else?

Paul

On 06/01/2012 18:20, Arno Garrels wrote:
> RTT wrote:
>> On 06-01-2012 17:31, Arno Garrels wrote:
>>> What do you mean by cURL?
>>
>> http://curl.haxx.se/
>
> :-) I thought it's some kind of URL/URI I never heard of.

Re: [twsocket] Digest authentication via THttpCli?
Stepping through ICS source I can see AuthDigestCalcResponse is called and
the MD5 response is calculated. I note Qop is empty.

What aspects of THttpCli can affect the calculated digest response?

Paul

On 06/01/2012 22:27, Paul Read wrote:
>> What ICS version do you use? THttpCli got some fixes recently related to
>> authentication AFAIR. Try latest ICSv7 from here:
>> http://wiki.overbyte.be/wiki/index.php/ICS_Download
>
> I was using version 708 using the latest (721) I now at least get the
> response to the 401 being sent back :-)
>
> But still the request is rejected by the server. Wireshark shows that
> the digest authorization response calculated by ICS is different to that
> calculated by cURL. (The nonce given was the same for ICS and cURL). The
> cURL response is accepted, the ICS response is not.
>
> cURL:
> Digest username="bob", realm="PUSH Authentication", nonce="132577494", uri="/push", response="ce032cf8dad4898084e1a3f7f34148c8", algorithm="MD5"
>
> ICS:
> Digest username="bob",realm="PUSH Authentication",nonce="132577494",uri="/push",response="7e843d8e80bd9265b467916afbc9cb2e"
>
> How can I be sure ICS is using MD5 and not MD4 or something else?
>
> Paul
>
> On 06/01/2012 18:20, Arno Garrels wrote:
>> RTT wrote:
>>> On 06-01-2012 17:31, Arno Garrels wrote:
>>>> What do you mean by cURL?
>>>
>>> http://curl.haxx.se/
>>
>> :-) I thought it's some kind of URL/URI I never heard of.

[twsocket] Digest authentication via THttpCli?
The server I am trying to connect to, via my C++Builder 2007 application
using ICS, requires Digest Authentication.

To use THttpCli do I simply set the Username and Password properties, set
the ServerAuth property to httpAuthDigest and then call SendStream?

Many thanks
Paul