Only accept auth=qop for digest authentication
Since we implement the digest authentication process and require
auth=qop in our authorization request from the client, a valid
response must include auth=qop as well.
Change-Id: I2ecd4bc8568ad432ac7f54d82e465be06dc01993
Signed-off-by: Shawn O. Pearce <sop@google.com>
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/ProjectDigestFilter.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/ProjectDigestFilter.java
index f67f12f..929d034 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/ProjectDigestFilter.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/ProjectDigestFilter.java
@@ -126,6 +126,7 @@
|| nonce == null //
|| uri == null //
|| response == null //
+ || !"auth".equals(qop) //
|| !REALM_NAME.equals(realm)) {
context.log("Invalid header: " + AUTHORIZATION + ": " + hdr);
rsp.sendError(SC_FORBIDDEN);
@@ -146,14 +147,8 @@
final String A1 = username + ":" + realm + ":" + passwd;
final String A2 = method + ":" + uri;
-
- final String expect;
- if ("auth".equals(qop)) {
- expect = KD(H(A1), //
- nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + H(A2));
- } else {
- expect = KD(H(A1), nonce + ":" + H(A2));
- }
+ final String expect =
+ KD(H(A1), nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + H(A2));
if (expect.equals(response)) {
try {
