The actual implementation

Posted on 2007-06-11 10:40 by 小蚂蚁  Reads (203)  Comments (1)  Category: 天国之路

I have been looking into htdigest for a while. The material you can find online describes the actual algorithm only vaguely; I forced myself through RFC 2617 to get a rough idea of it and then worked it out for certain from the shttpd source code. It is actually very simple (this is the qop="auth" form, which is what the capture below uses):
response = MD5(ha1:nonce:nc:cnonce:qop:a2)
where:
ha1 = MD5(username:realm:password)
a2 = MD5(method:uri)
Here nonce is the server's challenge, nc is the client's 8-digit hex request counter for that nonce, cnonce is a nonce chosen by the client, and each MD5 is written as 32 lowercase hex digits before being fed into the next one. Without qop (the older RFC 2069 form) the response is just MD5(ha1:nonce:a2).

Reading the source is the only reliable way to learn this; the people writing about it online either copy from each other or just loosely translate RFC 2617, or else I am just slow. Frustrating...

Notes from the sniffer capture:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: obol.kmip.net
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="My Site",
 nonce="3266a84c73f7e0e13f4fa6ba1d52d4ce",
 qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Sun, 10 Jun 2007 23:52:57 GMT
Server: lighttpd/1.4.13

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>


GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: obol.kmip.net
Connection: Keep-Alive
Authorization: Digest username="test",
 realm="My Site",
 qop="auth",
 algorithm="MD5",
 uri="/",
 nonce="3266a84c73f7e0e13f4fa6ba1d52d4ce",
 nc=00000001,
 cnonce="5886b782b452993f7559cbd83b6b611b",
 response="932dd7f51f34d766997923876508e620"


HTTP/1.1 200 OK
Content-Type: text/html
ETag: "972667827"
Accept-Ranges: bytes
Last-Modified: Sun, 22 Apr 2007 05:10:52 GMT
Content-Length: 2878
Date: Sun, 10 Jun 2007 23:56:44 GMT
Server: lighttpd/1.4.13

Feedback

# re: The actual implementation

2007-10-31 07:57 by zyx
RFC 2617 HTTP Authentication: Basic and Digest Access Authentication
