uac_auth: parse Authorization nonce-count as hex in checkAuthentication#556
Open
hecko wants to merge 1 commit into
Open
uac_auth: parse Authorization nonce-count as hex in checkAuthentication#556hecko wants to merge 1 commit into
hecko wants to merge 1 commit into
Conversation
UACAuth::checkAuthentication() reads the digest "nc" (nonce-count)
attribute from an incoming Authorization header and parses it with
str2i(), which interprets the value as decimal. Per RFC 2617/7616 the
nonce-count is an 8-digit hexadecimal number ("00000001", "0000000a",
...). SEMS then recomputes the expected response digest from that value
via int2hex(nonce_count, true).
For nonce-counts below 0x0a the two representations agree, but once a
client using qop=auth/auth-int reaches its 10th request under one nonce
it sends nc=0000000a: str2i() fails on the 'a' and the request is
rejected; higher values such as nc=00000010 (decimal-parsed as 10 =>
"0000000a") produce a digest mismatch. Either way a correctly
authenticating client starts getting spurious 401s once its nonce-count
contains a hex digit a-f, breaking long-lived authenticated flows.
Feed the client's original nc string straight into the digest instead of
re-parsing and re-formatting it: uac_calc_response() now takes the
nonce-count as a string; the UAS path passes the request's verbatim nc
and the UAC (do_auth) path passes int2hex(nonce_count, true). This also
makes the response comparison exact with respect to the client's
formatting.
Mirrors yeti-switch/sems commits a563fd5b and af6a7a16.
Author: @hecko
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
When SEMS validates an incoming request as a UAS,
UACAuth::checkAuthentication(core/plug-in/uac_auth/UACAuth.cpp) reads the digestnc(nonce-count) attribute from theAuthorizationheader and parses it withstr2i, i.e. as decimal:Per RFC 2617 / RFC 7616 the nonce-count is an 8-digit hexadecimal value (
00000001,00000002, …0000000a, …).uac_calc_responsethen re-formats the parsed integer back to hex viaint2hex(nonce_count, true)to build the digest.For nonce-counts below
0x0athe decimal and hex forms coincide, so the bug is invisible on the first few requests. But a client usingqop=auth/auth-intthat reuses a nonce hitsnc=0000000aon its 10th request:str2ifails on theaand the request is rejected. Larger values such asnc=00000010are decimal-parsed as10→ re-formatted to0000000a≠ the client's00000010, giving a digest mismatch. Either way, a correctly-authenticating client starts receiving spurious401s once its nonce-count contains a hex digita–f, breaking long-lived authenticated flows.Fix
Feed the client's original
ncstring straight into the digest instead of re-parsing and re-formatting it:uac_calc_response()now takes the nonce-count as aconst string&rather thanunsigned int.checkAuthentication) passes the request's verbatimncstring.do_auth) passesint2hex(nonce_count, true), preserving its previous behaviour exactly.This makes the recomputed response match the client's regardless of the nc magnitude, and also makes the comparison exact with respect to the client's formatting.
Validation
masterthatcheckAuthenticationparsesncwithstr2iand thatuac_calc_responseinternally appliedint2hex(nonce_count, true).do_auth,checkAuthentication) and the declaration inUACAuth.hare updated;git grepshows no other callers.g++ -fsyntax-only -std=c++17on the translation unit passes. No behavioural change for the client (UAC) path or forncvalues ≤0x09.Acknowledgement
Backport of the intent of the yeti-switch/sems fixes, commits
a563fd5b("UACAuth: use hex2int to parse nonce_count") andaf6a7a16("Fixed nonce count processing case-sensivity"). This tree lacks yeti'shex2inthelper, so the string-passthrough form is used instead. Thanks to the yeti-switch maintainers.Generated by Claude Code