François Piette wrote:
> Maybe a new component options would let the developer select the
> behaviour ? Or maybe first try with on option and then automatically
> switch to the other if it fails ?
Think I found the bug in OverbyteIcsDigestAuth.pas, will update SVN
later :
{code}
procedure AuthDigestCalcResponse(
[..]
{ calculate response }
MD5Init(Md5Ctx);
MD5UpdateBuffer(Md5Ctx, HA1);
MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
MD5UpdateBuffer(Md5Ctx, Nonce);
if Qop <> '' then begin // (if auth-int or auth) rfc2617 3.2.2.1
Request-Digest
MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
MD5UpdateBuffer(Md5Ctx, NonceCount);
MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
MD5UpdateBuffer(Md5Ctx, CNonce);
MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM);
MD5UpdateBuffer(Md5Ctx, Qop);
// MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM); // ==> removed
end;
MD5UpdateBuffer(Md5Ctx, AUTH_DIGEST_DELIM); // <== added
MD5UpdateBuffer(Md5Ctx, HA2Hex);
MD5Final(RespHash, Md5Ctx);
Response := MD5DigestToLowerHexA(RespHash); { V1.01 }
end;
{code}
@Paul: Does that fix the issue?
Also in the curl-7.23.1 source code I found a very interesting note:
/* So IE browsers < v7 cut off the URI part at the query part when they
evaluate the MD5 and some (IIS?) servers work with them so we may need to
do the Digest IE-style. Note that the different ways cause different MD5
sums to get sent.
Apache servers can be set to do the Digest IE-style automatically using
the BrowserMatch feature:
http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
Further details on Digest implementation differences:
http://www.fngtps.com/2006/09/http-authentication
Likely we have to add an additional option "DigestAuthIEStyle".
--
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
