davfs2 Digest Authentication failure

2008-06-04
2013-04-16
  • Shoukry Kattan
    2008-06-04

    We have implemented a WebDAV server on top of a file system. WebDAV works fine without authentication, but when adding digest authentication, authentication keeps failing, while it works with all other WebDAV clients.

    Here are the authentication headers that go back and forth:

    Server WWW-Authenticate header:

    WWW-Authenticate Digest realm="G.ho.st" , nonce="3XRsYfE/zr1/FVfHlhVMQ5HIySI=" , stale="false" , opaque="1212564987374" , algorithm=MD5

    DAVFS authorization header as received:
    Authorization Header Value Digest username="shoukry.kattan", realm="G.ho.st" ", nonce="3XRsYfE/zr1/FVfHlhVMQ5HIySI=" ", uri="/vcweb/dav/files/GhostFileSystem/", response="f9429d2181ba93466d7c358fa0b4630f", algorithm="MD5", opaque="1212564987374" "

    The correct value for the KD (hash):
    KD 9abad601092d385a7d5d067a8d74163c

    The response contains a wrong hash value, while the password I have set is right.

    One weird thing is the extra quotes in the authorization header. Maybe they are used while calculating the KD hash?

    Any Ideas ???

    Thank you in advance ......

    ShoukryK

    • Werner Baumann
      2008-06-04

      Hello Shoukry,

      digest authentication in davfs2 is done by the neon library (davfs2 only supplies the credentials when asked for by neon). As the neon library is used in many projects, I would be surprised if digest authentication in neon were as broken as you describe. Especially as it works fine when davfs2 communicates with Apache.

      1. Please tell me the exact versions of davfs2 and neon you are using.

      2. The authentication headers you sent seem not to be the real thing. It would be very surprising if your server or even davfs2 sent headers like this. What you have sent has been edited. In this case it's no use asking me about the origin of these extra quotation marks. Please send the real thing: complete requests and responses as seen *on the wire*, without any changes.

      3. To check whether the value in "response" is correct, I would need the password too.

      Werner

      • Shoukry Kattan
        2008-06-05

        Hi,

        The requests and responses I have sent you are the same as the ones seen on the wire; those were the ones I captured using a Java servlet. Anyway, here are the real requests and responses as captured by Ethereal (Wireshark). The request includes the version numbers of davfs and neon.

        First Client Request:
        OPTIONS /vcweb/dav/files/GhostFileSystem/ HTTP/1.1
        Host: 192.168.0.48:8080
        User-Agent: davfs2/1.2.1 neon/0.26.3
        Keep-Alive:
        Connection: TE, Keep-Alive
        TE: trailers

        Server response:
        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Digest realm="G.ho.st" , nonce="N4EHAwyNbl7rquZICrnI8R+/Rfk=" , stale="false" , opaque="1212648468740" , algorithm=MD5
        Content-Type: text/html;charset=ISO-8859-1
        Content-Language: en-US
        Content-Length: 934
        Date: Thu, 05 Jun 2008 06:47:48 GMT
        Server: Apache-Coyote/1.1

        Request:

        OPTIONS /vcweb/dav/files/GhostFileSystem/ HTTP/1.1
        Host: 192.168.0.48:8080
        User-Agent: davfs2/1.2.1 neon/0.26.3
        Keep-Alive:
        Connection: TE, Keep-Alive
        TE: trailers
        Authorization: Digest username="shoukry.kattan", realm="G.ho.st" ", nonce="KXqpOFpTOhwL2YF1o0Uq+rm3wN0=" ", uri="/vcweb/dav/files/GhostFileSystem/", response="88ec6d832c6a0edbf2c28d8e51d3385c", algorithm="MD5", opaque="1212648467340" "

        Thanks a lot in advance ..
        Regards
        Shoukry K

        • Shoukry Kattan
          2008-06-05

          As you can see, there are the extra quotes in the requests coming from neon/davfs. I am guessing that the problem is caused by these extra quotation marks, but again, it's just a guess.

          The original value of the password is: devpass

          Thanks a lot

          Shoukry K

    • Werner Baumann
      2008-06-06

      Hello Shoukry,

      finally I could reproduce the error and I also found out what's confusing neon.

      Neon is confused by the space before the separator character "," in the "WWW-Authenticate:" header sent by your server. As I understand RFC 2616 and RFC 2617, these spaces are perfectly legal, though not required. It is a bug in neon. Nevertheless, the easy solution would be to remove the spaces around the "," separators, or only to use them *after* ",".

      The authentication header, sent by the server, would look like this (it is one line):

      WWW-Authenticate: Digest realm="G.ho.st","nonce="N4EHAwyNbl7rquZICrnI8R+/Rfk=",stale="false",opaque="1212648468740",algorithm=MD5

      In this case davfs2/neon will send (tested with neon 0.26.2 and neon 0.28.0):

      OPTIONS /vcweb/dav/files/GhostFileSystem/ HTTP/1.1
      Host: localhost:5555
      User-Agent: davfs2/1.3.2 neon/0.26.2
      Keep-Alive:
      Connection: TE, Keep-Alive
      TE: trailers
      Authorization: Digest username="shoukry.kattan", realm="G.ho.st", nonce="N4EHAwyNbl7rquZICrnI8R+/Rfk=", uri="/vcweb/dav/files/GhostFileSystem/", response="45255663146784dd5733362edb8eb5cd", algorithm="MD5", opaque="1212648468740"

      The different version of davfs2 should not matter, as davfs2 only provides the username and password and is not otherwise involved in Digest Authentication. I could reproduce the error (and the workaround) with davfs2-1.3.2 too.

      But you might as well consider sending a bug report to neon. If I have some time, I will *try* to find the bug in the neon sources and fix it.

      Cheers
      Werner
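To make the failure mode concrete, here is an added Python example (not code from this thread, from davfs2 or from neon) that parses the challenge from Shoukry's capture in the two ways the thread contrasts: stripping only the quotes from each value, which mirrors the pre-fix value handling visible in the neon patch further down this thread, versus stripping linear whitespace first and quotes second. It then feeds the extracted realm and nonce into an RFC 2617 response computation, so the corrupted values show up as a different response hash. The computation also covers the qop=auth form beyond what this server uses and is checked against the RFC 2617 example vector. The function names, the simplified comma splitting and the sample header string are my own constructions.

```python
import hashlib

# Constructed sample input: the challenge from Shoukry's capture, with the
# space before each "," separator that the thread identifies as the trigger.
SERVER_HEADER = (
    'Digest realm="G.ho.st" , nonce="N4EHAwyNbl7rquZICrnI8R+/Rfk=" , '
    'stale="false" , opaque="1212648468740" , algorithm=MD5'
)


def _split_params(header):
    """Yield (key, raw_value) pairs from a Digest challenge.

    Splits on "," only; commas inside quoted values are not handled (the
    thread's header contains none). Keys are always trimmed so that only the
    value handling differs between the two parsers below.
    """
    scheme, _, params = header.partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest challenge: %r' % header)
    for part in params.split(','):
        key, _, value = part.partition('=')
        yield key.strip().lower(), value


def parse_challenge_naive(header):
    """Strip only quote characters from each value.

    This mirrors the pre-patch value handling shown in the neon diff in this
    thread: the trailing space after the closing quote is not in the strip
    set, so stripping stops there and the closing quote survives together
    with the space (the `..." "` values seen in the captured requests).
    """
    return {k: v.strip('"\'') for k, v in _split_params(header)}


def parse_challenge(header):
    """Strip linear whitespace first, then quotes (the order the patch uses).

    Doing it in this order removes the LWS around the separators while
    keeping whitespace that sits *inside* a quoted value, which RFC 2617
    permits in a quoted-string.
    """
    return {k: v.strip(' \r\n\t').strip('"\'') for k, v in _split_params(header)}


def _md5_hex(text):
    return hashlib.md5(text.encode('utf-8')).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 'response' value for algorithm=MD5.

    Without qop (the form the server in this thread uses, RFC 2069 style) it
    is MD5(HA1:nonce:HA2); with qop it is the RFC 2617 form
    MD5(HA1:nonce:nc:cnonce:qop:HA2). Every field is used verbatim, so a stray
    quote or space in realm or nonce changes the digest.
    """
    ha1 = _md5_hex('%s:%s:%s' % (username, realm, password))
    ha2 = _md5_hex('%s:%s' % (method, uri))
    if qop is None:
        return _md5_hex('%s:%s:%s' % (ha1, nonce, ha2))
    return _md5_hex('%s:%s:%s:%s:%s:%s' % (ha1, nonce, nc, cnonce, qop, ha2))


def response_from_challenge(header, parser, username, password, method, uri):
    """Compute the response a client would send using the given parser."""
    params = parser(header)
    return digest_response(username, params['realm'], password,
                           method, uri, params['nonce'])


if __name__ == '__main__':
    # Credentials, method and URI as posted in the thread.
    args = ('shoukry.kattan', 'devpass', 'OPTIONS',
            '/vcweb/dav/files/GhostFileSystem/')
    for name, parser in (('naive', parse_challenge_naive), ('fixed', parse_challenge)):
        p = parser(SERVER_HEADER)
        print('%s: realm=%r nonce=%r response=%s'
              % (name, p['realm'], p['nonce'],
                 response_from_challenge(SERVER_HEADER, parser, *args)))
```

Running it prints the naive parser's realm as `'G.ho.st" '` and its nonce with the same trailing quote and space, exactly the shape of the values in the captured Authorization header, and a response that differs from the one computed from the cleanly parsed values. The server, which hashes its own clean realm and nonce, can never match the corrupted response, which is why the password looked wrong even though it was correct.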

    • Werner Baumann
      2008-06-07

      Hello Shoukry,

      fixing the bug in neon turned out to be easier than expected. Here is a patch for neon:

      --- neon-0.28.2/src/ne_auth.c.orig      2008-02-29 17:30:12.000000000 +0100
      +++ neon-0.28.2/src/ne_auth.c   2008-06-07 17:15:45.000000000 +0200
      @@ -1246,7 +1246,8 @@
                  continue;
              }

      -       /* Strip quotes off value. */
      +       /* Strip LWS and quotes off value. */
      +       val = ne_shave(val, " \r\n\t");
              val = ne_shave(val, "\"'");

              if (ne_strcasecmp(key, "realm") == 0) {
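      Review bot: The order of the two ne_shave calls is load-bearing and the new comment should say so: shaving " \r\n\t" on the added line removes the LWS outside the quotes, and the existing shave of "\"'" on the next line then removes the quotes, so whitespace inside a quoted realm or nonce is preserved while the trailing space before "," that produced the `..." "` values in this thread is gone; swapping the two lines would strip whitespace that belongs to the value. Something like `/* Strip LWS around the value first, then the quotes, so quoted whitespace survives. */` would make that explicit. The hunk also does not show whether `key` is trimmed before the `ne_strcasecmp(key, "realm")` comparison; with the other spacing Werner mentions (space only after ","), the LWS lands in front of the next key rather than after the value, so that path deserves a test alongside this one.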

      The patch is against neon-0.28.2, but should work with most older versions too.

      I also sent a bug report and this patch to the maintainer of neon.

      Cheers
      Werner