具体的实现方法

Posted on 2007-06-11 10:40 小蚂蚁 阅读(209) 评论(1)  编辑  收藏 所属分类: 天国之路

研究htdigest有一段时间了,在网上能找到的资料对具体的算法描述都很模糊,硬着头皮看RFC 2671对算法大概有了认识,然后参考shttpd的源代码终于搞清楚了,其实也很简单:
response=MD5(ha1:nonce:nc:cnone:qop:a2)
其中:
ha1=MD5(username:realm:password)
a2=MD5(method:uri)

学习源码是硬道理,网上写这些东西的人不是相互对抄就是对RFC 2671简单的翻译,要不然就是我太笨了,郁闷...

sniffer备注:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: obol.kmip.net
Connection: Keep-Alive

 

 

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="My Site",
 nonce="3266a84c73f7e0e13f4fa6ba1d52d4ce",
 qop="auth"
 
Content-Type: text/html
Content-Length: 351
Date: Sun, 10 Jun 2007 23:52:57 GMT
Server: lighttpd/1.4.13

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>

 

 

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: obol.kmip.net
Connection: Keep-Alive
Authorization: Digest username="test",
 realm="My Site",
 qop="auth",
 algorithm="MD5",
 uri="/",
 nonce="3266a84c73f7e0e13f4fa6ba1d52d4ce",
 nc=00000001,
 cnonce="5886b782b452993f7559cbd83b6b611b",
 response="932dd7f51f34d766997923876508e620"

 

 

HTTP/1.1 200 OK
Content-Type: text/html
ETag: "972667827"
Accept-Ranges: bytes
Last-Modified: Sun, 22 Apr 2007 05:10:52 GMT
Content-Length: 2878
Date: Sun, 10 Jun 2007 23:56:44 GMT
Server: lighttpd/1.4.13

Feedback

# re: 具体的实现方法  回复  更多评论   

2007-10-31 07:57 by zyx
RFC 2617 HTTP Authentication: Basic and Digest Access Authentication

只有注册用户登录后才能发表评论。


网站导航: