1/* Licensed to the Apache Software Foundation (ASF) under one or more 2 * contributor license agreements. See the NOTICE file distributed with 3 * this work for additional information regarding copyright ownership. 4 * The ASF licenses this file to You under the Apache License, Version 2.0 5 * (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* 18 * mod_auth_digest: MD5 digest authentication 19 * 20 * Originally by Alexei Kosut <akosut@nueva.pvt.k12.ca.us> 21 * Updated to RFC-2617 by Ronald Tschal�r <ronald@innovation.ch> 22 * based on mod_auth, by Rob McCool and Robert S. Thau 23 * 24 * This module an updated version of modules/standard/mod_digest.c 25 * It is still fairly new and problems may turn up - submit problem 26 * reports to the Apache bug-database, or send them directly to me 27 * at ronald@innovation.ch. 28 * 29 * Requires either /dev/random (or equivalent) or the truerand library, 30 * available for instance from 31 * ftp://research.att.com/dist/mab/librand.shar 32 * 33 * Open Issues: 34 * - qop=auth-int (when streams and trailer support available) 35 * - nonce-format configurability 36 * - Proxy-Authorization-Info header is set by this module, but is 37 * currently ignored by mod_proxy (needs patch to mod_proxy) 38 * - generating the secret takes a while (~ 8 seconds) if using the 39 * truerand library 40 * - The source of the secret should be run-time directive (with server 41 * scope: RSRC_CONF). However, that could be tricky when trying to 42 * choose truerand vs. file... 43 * - shared-mem not completely tested yet. Seems to work ok for me, 44 * but... (definitely won't work on Windoze) 45 * - Sharing a realm among multiple servers has following problems: 46 * o Server name and port can't be included in nonce-hash 47 * (we need two nonce formats, which must be configured explicitly) 48 * o Nonce-count check can't be for equal, or then nonce-count checking 49 * must be disabled. What we could do is the following: 50 * (expected < received) ? set expected = received : issue error 51 * The only problem is that it allows replay attacks when somebody 52 * captures a packet sent to one server and sends it to another 53 * one. Should we add "AuthDigestNcCheck Strict"? 54 * - expired nonces give amaya fits. 55 */ 56 57#include "apr_sha1.h" 58#include "apr_base64.h" 59#include "apr_lib.h" 60#include "apr_time.h" 61#include "apr_errno.h" 62#include "apr_global_mutex.h" 63#include "apr_strings.h" 64 65#define APR_WANT_STRFUNC 66#include "apr_want.h" 67 68#include "ap_config.h" 69#include "httpd.h" 70#include "http_config.h" 71#include "http_core.h" 72#include "http_request.h" 73#include "http_log.h" 74#include "http_protocol.h" 75#include "apr_uri.h" 76#include "util_md5.h" 77#include "util_mutex.h" 78#include "apr_shm.h" 79#include "apr_rmm.h" 80#include "ap_provider.h" 81 82#include "mod_auth.h" 83 84#if APR_HAVE_UNISTD_H 85#include <unistd.h> 86#endif 87 88/* struct to hold the configuration info */ 89 90typedef struct digest_config_struct { 91 const char *dir_name; 92 authn_provider_list *providers; 93 const char *realm; 94 apr_array_header_t *qop_list; 95 apr_sha1_ctx_t nonce_ctx; 96 apr_time_t nonce_lifetime; 97 const char *nonce_format; 98 int check_nc; 99 const char *algorithm; 100 char *uri_list; 101 const char *ha1; 102} digest_config_rec; 103 104 105#define DFLT_ALGORITHM "MD5" 106 107#define DFLT_NONCE_LIFE apr_time_from_sec(300) 108#define NEXTNONCE_DELTA apr_time_from_sec(30) 109 110 111#define NONCE_TIME_LEN (((sizeof(apr_time_t)+2)/3)*4) 112#define NONCE_HASH_LEN (2*APR_SHA1_DIGESTSIZE) 113#define NONCE_LEN (int )(NONCE_TIME_LEN + NONCE_HASH_LEN) 114 115#define SECRET_LEN 20 116 117 118/* client list definitions */ 119 120typedef struct hash_entry { 121 unsigned long key; /* the key for this entry */ 122 struct hash_entry *next; /* next entry in the bucket */ 123 unsigned long nonce_count; /* for nonce-count checking */ 124 char ha1[2*APR_MD5_DIGESTSIZE+1]; /* for algorithm=MD5-sess */ 125 char last_nonce[NONCE_LEN+1]; /* for one-time nonce's */ 126} client_entry; 127 128static struct hash_table { 129 client_entry **table; 130 unsigned long tbl_len; 131 unsigned long num_entries; 132 unsigned long num_created; 133 unsigned long num_removed; 134 unsigned long num_renewed; 135} *client_list; 136 137 138/* struct to hold a parsed Authorization header */ 139 140enum hdr_sts { NO_HEADER, NOT_DIGEST, INVALID, VALID }; 141 142typedef struct digest_header_struct { 143 const char *scheme; 144 const char *realm; 145 const char *username; 146 char *nonce; 147 const char *uri; 148 const char *method; 149 const char *digest; 150 const char *algorithm; 151 const char *cnonce; 152 const char *opaque; 153 unsigned long opaque_num; 154 const char *message_qop; 155 const char *nonce_count; 156 /* the following fields are not (directly) from the header */ 157 const char *raw_request_uri; 158 apr_uri_t *psd_request_uri; 159 apr_time_t nonce_time; 160 enum hdr_sts auth_hdr_sts; 161 int needed_auth; 162 client_entry *client; 163} digest_header_rec; 164 165 166/* (mostly) nonce stuff */ 167 168typedef union time_union { 169 apr_time_t time; 170 unsigned char arr[sizeof(apr_time_t)]; 171} time_rec; 172 173static unsigned char secret[SECRET_LEN]; 174 175/* client-list, opaque, and one-time-nonce stuff */ 176 177static apr_shm_t *client_shm = NULL; 178static apr_rmm_t *client_rmm = NULL; 179static unsigned long *opaque_cntr; 180static apr_time_t *otn_counter; /* one-time-nonce counter */ 181static apr_global_mutex_t *client_lock = NULL; 182static apr_global_mutex_t *opaque_lock = NULL; 183static const char *client_mutex_type = "authdigest-client"; 184static const char *opaque_mutex_type = "authdigest-opaque"; 185static const char *client_shm_filename; 186 187#define DEF_SHMEM_SIZE 1000L /* ~ 12 entries */ 188#define DEF_NUM_BUCKETS 15L 189#define HASH_DEPTH 5 190 191static apr_size_t shmem_size = DEF_SHMEM_SIZE; 192static unsigned long num_buckets = DEF_NUM_BUCKETS; 193 194 195module AP_MODULE_DECLARE_DATA auth_digest_module; 196 197/* 198 * initialization code 199 */ 200 201static apr_status_t cleanup_tables(void *not_used) 202{ 203 ap_log_error(APLOG_MARK, APLOG_INFO, 0, NULL, APLOGNO(01756) 204 "cleaning up shared memory"); 205 206 if (client_rmm) { 207 apr_rmm_destroy(client_rmm); 208 client_rmm = NULL; 209 } 210 211 if (client_shm) { 212 apr_shm_destroy(client_shm); 213 client_shm = NULL; 214 } 215 216 if (client_lock) { 217 apr_global_mutex_destroy(client_lock); 218 client_lock = NULL; 219 } 220 221 if (opaque_lock) { 222 apr_global_mutex_destroy(opaque_lock); 223 opaque_lock = NULL; 224 } 225 226 client_list = NULL; 227 228 return APR_SUCCESS; 229} 230 231static apr_status_t initialize_secret(server_rec *s) 232{ 233 apr_status_t status; 234 235 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01757) 236 "generating secret for digest authentication ..."); 237 238#if APR_HAS_RANDOM 239 status = apr_generate_random_bytes(secret, sizeof(secret)); 240#else 241#error APR random number support is missing; you probably need to install the truerand library. 242#endif 243 244 if (status != APR_SUCCESS) { 245 ap_log_error(APLOG_MARK, APLOG_CRIT, status, s, APLOGNO(01758) 246 "error generating secret"); 247 return status; 248 } 249 250 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01759) "done"); 251 252 return APR_SUCCESS; 253} 254 255static void log_error_and_cleanup(char *msg, apr_status_t sts, server_rec *s) 256{ 257 ap_log_error(APLOG_MARK, APLOG_ERR, sts, s, APLOGNO(01760) 258 "%s - all nonce-count checking, one-time nonces, and " 259 "MD5-sess algorithm disabled", msg); 260 261 cleanup_tables(NULL); 262} 263 264#if APR_HAS_SHARED_MEMORY 265 266static int initialize_tables(server_rec *s, apr_pool_t *ctx) 267{ 268 unsigned long idx; 269 apr_status_t sts; 270 271 /* set up client list */ 272 273 /* Create the shared memory segment */ 274 275 /* 276 * Create a unique filename using our pid. This information is 277 * stashed in the global variable so the children inherit it. 278 */ 279 client_shm_filename = ap_runtime_dir_relative(ctx, "authdigest_shm"); 280 client_shm_filename = ap_append_pid(ctx, client_shm_filename, "."); 281 282 /* Now create that segment */ 283 sts = apr_shm_create(&client_shm, shmem_size, 284 client_shm_filename, ctx); 285 if (APR_SUCCESS != sts) { 286 ap_log_error(APLOG_MARK, APLOG_ERR, sts, s, APLOGNO(01762) 287 "Failed to create shared memory segment on file %s", 288 client_shm_filename); 289 log_error_and_cleanup("failed to initialize shm", sts, s); 290 return HTTP_INTERNAL_SERVER_ERROR; 291 } 292 293 sts = apr_rmm_init(&client_rmm, 294 NULL, /* no lock, we'll do the locking ourselves */ 295 apr_shm_baseaddr_get(client_shm), 296 shmem_size, ctx); 297 if (sts != APR_SUCCESS) { 298 log_error_and_cleanup("failed to initialize rmm", sts, s); 299 return !OK; 300 } 301 302 client_list = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*client_list) + 303 sizeof(client_entry*)*num_buckets)); 304 if (!client_list) { 305 log_error_and_cleanup("failed to allocate shared memory", -1, s); 306 return !OK; 307 } 308 client_list->table = (client_entry**) (client_list + 1); 309 for (idx = 0; idx < num_buckets; idx++) { 310 client_list->table[idx] = NULL; 311 } 312 client_list->tbl_len = num_buckets; 313 client_list->num_entries = 0; 314 315 sts = ap_global_mutex_create(&client_lock, NULL, client_mutex_type, NULL, 316 s, ctx, 0); 317 if (sts != APR_SUCCESS) { 318 log_error_and_cleanup("failed to create lock (client_lock)", sts, s); 319 return !OK; 320 } 321 322 323 /* setup opaque */ 324 325 opaque_cntr = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*opaque_cntr))); 326 if (opaque_cntr == NULL) { 327 log_error_and_cleanup("failed to allocate shared memory", -1, s); 328 return !OK; 329 } 330 *opaque_cntr = 1UL; 331 332 sts = ap_global_mutex_create(&opaque_lock, NULL, opaque_mutex_type, NULL, 333 s, ctx, 0); 334 if (sts != APR_SUCCESS) { 335 log_error_and_cleanup("failed to create lock (opaque_lock)", sts, s); 336 return !OK; 337 } 338 339 340 /* setup one-time-nonce counter */ 341 342 otn_counter = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*otn_counter))); 343 if (otn_counter == NULL) { 344 log_error_and_cleanup("failed to allocate shared memory", -1, s); 345 return !OK; 346 } 347 *otn_counter = 0; 348 /* no lock here */ 349 350 351 /* success */ 352 return OK; 353} 354 355#endif /* APR_HAS_SHARED_MEMORY */ 356 357static int pre_init(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) 358{ 359 apr_status_t rv; 360 361 rv = ap_mutex_register(pconf, client_mutex_type, NULL, APR_LOCK_DEFAULT, 0); 362 if (rv == APR_SUCCESS) { 363 rv = ap_mutex_register(pconf, opaque_mutex_type, NULL, APR_LOCK_DEFAULT, 364 0); 365 } 366 if (rv != APR_SUCCESS) { 367 return rv; 368 } 369 370 return OK; 371} 372 373static int initialize_module(apr_pool_t *p, apr_pool_t *plog, 374 apr_pool_t *ptemp, server_rec *s) 375{ 376 /* initialize_module() will be called twice, and if it's a DSO 377 * then all static data from the first call will be lost. Only 378 * set up our static data on the second call. */ 379 if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) 380 return OK; 381 382 if (initialize_secret(s) != APR_SUCCESS) { 383 return !OK; 384 } 385 386#if APR_HAS_SHARED_MEMORY 387 /* Note: this stuff is currently fixed for the lifetime of the server, 388 * i.e. even across restarts. This means that A) any shmem-size 389 * configuration changes are ignored, and B) certain optimizations, 390 * such as only allocating the smallest necessary entry for each 391 * client, can't be done. However, the alternative is a nightmare: 392 * we can't call apr_shm_destroy on a graceful restart because there 393 * will be children using the tables, and we also don't know when the 394 * last child dies. Therefore we can never clean up the old stuff, 395 * creating a creeping memory leak. 396 */ 397 if (initialize_tables(s, p) != OK) { 398 return !OK; 399 } 400 /* Call cleanup_tables on exit or restart */ 401 apr_pool_cleanup_register(p, NULL, cleanup_tables, apr_pool_cleanup_null); 402#endif /* APR_HAS_SHARED_MEMORY */ 403 return OK; 404} 405 406static void initialize_child(apr_pool_t *p, server_rec *s) 407{ 408 apr_status_t sts; 409 410 if (!client_shm) { 411 return; 412 } 413 414 /* Get access to rmm in child */ 415 sts = apr_rmm_attach(&client_rmm, 416 NULL, 417 apr_shm_baseaddr_get(client_shm), 418 p); 419 if (sts != APR_SUCCESS) { 420 log_error_and_cleanup("failed to attach to rmm", sts, s); 421 return; 422 } 423 424 sts = apr_global_mutex_child_init(&client_lock, 425 apr_global_mutex_lockfile(client_lock), 426 p); 427 if (sts != APR_SUCCESS) { 428 log_error_and_cleanup("failed to create lock (client_lock)", sts, s); 429 return; 430 } 431 sts = apr_global_mutex_child_init(&opaque_lock, 432 apr_global_mutex_lockfile(opaque_lock), 433 p); 434 if (sts != APR_SUCCESS) { 435 log_error_and_cleanup("failed to create lock (opaque_lock)", sts, s); 436 return; 437 } 438} 439 440/* 441 * configuration code 442 */ 443 444static void *create_digest_dir_config(apr_pool_t *p, char *dir) 445{ 446 digest_config_rec *conf; 447 448 if (dir == NULL) { 449 return NULL; 450 } 451 452 conf = (digest_config_rec *) apr_pcalloc(p, sizeof(digest_config_rec)); 453 if (conf) { 454 conf->qop_list = apr_array_make(p, 2, sizeof(char *)); 455 conf->nonce_lifetime = DFLT_NONCE_LIFE; 456 conf->dir_name = apr_pstrdup(p, dir); 457 conf->algorithm = DFLT_ALGORITHM; 458 } 459 460 return conf; 461} 462 463static const char *set_realm(cmd_parms *cmd, void *config, const char *realm) 464{ 465 digest_config_rec *conf = (digest_config_rec *) config; 466 467 /* The core already handles the realm, but it's just too convenient to 468 * grab it ourselves too and cache some setups. However, we need to 469 * let the core get at it too, which is why we decline at the end - 470 * this relies on the fact that http_core is last in the list. 471 */ 472 conf->realm = realm; 473 474 /* we precompute the part of the nonce hash that is constant (well, 475 * the host:port would be too, but that varies for .htaccess files 476 * and directives outside a virtual host section) 477 */ 478 apr_sha1_init(&conf->nonce_ctx); 479 apr_sha1_update_binary(&conf->nonce_ctx, secret, sizeof(secret)); 480 apr_sha1_update_binary(&conf->nonce_ctx, (const unsigned char *) realm, 481 strlen(realm)); 482 483 return DECLINE_CMD; 484} 485 486static const char *add_authn_provider(cmd_parms *cmd, void *config, 487 const char *arg) 488{ 489 digest_config_rec *conf = (digest_config_rec*)config; 490 authn_provider_list *newp; 491 492 newp = apr_pcalloc(cmd->pool, sizeof(authn_provider_list)); 493 newp->provider_name = arg; 494 495 /* lookup and cache the actual provider now */ 496 newp->provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, 497 newp->provider_name, 498 AUTHN_PROVIDER_VERSION); 499 500 if (newp->provider == NULL) { 501 /* by the time they use it, the provider should be loaded and 502 registered with us. */ 503 return apr_psprintf(cmd->pool, 504 "Unknown Authn provider: %s", 505 newp->provider_name); 506 } 507 508 if (!newp->provider->get_realm_hash) { 509 /* if it doesn't provide the appropriate function, reject it */ 510 return apr_psprintf(cmd->pool, 511 "The '%s' Authn provider doesn't support " 512 "Digest Authentication", newp->provider_name); 513 } 514 515 /* Add it to the list now. */ 516 if (!conf->providers) { 517 conf->providers = newp; 518 } 519 else { 520 authn_provider_list *last = conf->providers; 521 522 while (last->next) { 523 last = last->next; 524 } 525 last->next = newp; 526 } 527 528 return NULL; 529} 530 531static const char *set_qop(cmd_parms *cmd, void *config, const char *op) 532{ 533 digest_config_rec *conf = (digest_config_rec *) config; 534 535 if (!strcasecmp(op, "none")) { 536 apr_array_clear(conf->qop_list); 537 *(const char **)apr_array_push(conf->qop_list) = "none"; 538 return NULL; 539 } 540 541 if (!strcasecmp(op, "auth-int")) { 542 return "AuthDigestQop auth-int is not implemented"; 543 } 544 else if (strcasecmp(op, "auth")) { 545 return apr_pstrcat(cmd->pool, "Unrecognized qop: ", op, NULL); 546 } 547 548 *(const char **)apr_array_push(conf->qop_list) = op; 549 550 return NULL; 551} 552 553static const char *set_nonce_lifetime(cmd_parms *cmd, void *config, 554 const char *t) 555{ 556 char *endptr; 557 long lifetime; 558 559 lifetime = strtol(t, &endptr, 10); 560 if (endptr < (t+strlen(t)) && !apr_isspace(*endptr)) { 561 return apr_pstrcat(cmd->pool, 562 "Invalid time in AuthDigestNonceLifetime: ", 563 t, NULL); 564 } 565 566 ((digest_config_rec *) config)->nonce_lifetime = apr_time_from_sec(lifetime); 567 return NULL; 568} 569 570static const char *set_nonce_format(cmd_parms *cmd, void *config, 571 const char *fmt) 572{ 573 ((digest_config_rec *) config)->nonce_format = fmt; 574 return "AuthDigestNonceFormat is not implemented (yet)"; 575} 576 577static const char *set_nc_check(cmd_parms *cmd, void *config, int flag) 578{ 579#if !APR_HAS_SHARED_MEMORY 580 if (flag) { 581 return "AuthDigestNcCheck: ERROR: nonce-count checking " 582 "is not supported on platforms without shared-memory " 583 "support"; 584 } 585#endif 586 587 ((digest_config_rec *) config)->check_nc = flag; 588 return NULL; 589} 590 591static const char *set_algorithm(cmd_parms *cmd, void *config, const char *alg) 592{ 593 if (!strcasecmp(alg, "MD5-sess")) { 594 return "AuthDigestAlgorithm: ERROR: algorithm `MD5-sess' " 595 "is not fully implemented"; 596 } 597 else if (strcasecmp(alg, "MD5")) { 598 return apr_pstrcat(cmd->pool, "Invalid algorithm in AuthDigestAlgorithm: ", alg, NULL); 599 } 600 601 ((digest_config_rec *) config)->algorithm = alg; 602 return NULL; 603} 604 605static const char *set_uri_list(cmd_parms *cmd, void *config, const char *uri) 606{ 607 digest_config_rec *c = (digest_config_rec *) config; 608 if (c->uri_list) { 609 c->uri_list[strlen(c->uri_list)-1] = '\0'; 610 c->uri_list = apr_pstrcat(cmd->pool, c->uri_list, " ", uri, "\"", NULL); 611 } 612 else { 613 c->uri_list = apr_pstrcat(cmd->pool, ", domain=\"", uri, "\"", NULL); 614 } 615 return NULL; 616} 617 618static const char *set_shmem_size(cmd_parms *cmd, void *config, 619 const char *size_str) 620{ 621 char *endptr; 622 long size, min; 623 624 size = strtol(size_str, &endptr, 10); 625 while (apr_isspace(*endptr)) endptr++; 626 if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') { 627 ; 628 } 629 else if (*endptr == 'k' || *endptr == 'K') { 630 size *= 1024; 631 } 632 else if (*endptr == 'm' || *endptr == 'M') { 633 size *= 1048576; 634 } 635 else { 636 return apr_pstrcat(cmd->pool, "Invalid size in AuthDigestShmemSize: ", 637 size_str, NULL); 638 } 639 640 min = sizeof(*client_list) + sizeof(client_entry*) + sizeof(client_entry); 641 if (size < min) { 642 return apr_psprintf(cmd->pool, "size in AuthDigestShmemSize too small: " 643 "%ld < %ld", size, min); 644 } 645 646 shmem_size = size; 647 num_buckets = (size - sizeof(*client_list)) / 648 (sizeof(client_entry*) + HASH_DEPTH * sizeof(client_entry)); 649 if (num_buckets == 0) { 650 num_buckets = 1; 651 } 652 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01763) 653 "Set shmem-size: %" APR_SIZE_T_FMT ", num-buckets: %ld", 654 shmem_size, num_buckets); 655 656 return NULL; 657} 658 659static const command_rec digest_cmds[] = 660{ 661 AP_INIT_TAKE1("AuthName", set_realm, NULL, OR_AUTHCFG, 662 "The authentication realm (e.g. \"Members Only\")"), 663 AP_INIT_ITERATE("AuthDigestProvider", add_authn_provider, NULL, OR_AUTHCFG, 664 "specify the auth providers for a directory or location"), 665 AP_INIT_ITERATE("AuthDigestQop", set_qop, NULL, OR_AUTHCFG, 666 "A list of quality-of-protection options"), 667 AP_INIT_TAKE1("AuthDigestNonceLifetime", set_nonce_lifetime, NULL, OR_AUTHCFG, 668 "Maximum lifetime of the server nonce (seconds)"), 669 AP_INIT_TAKE1("AuthDigestNonceFormat", set_nonce_format, NULL, OR_AUTHCFG, 670 "The format to use when generating the server nonce"), 671 AP_INIT_FLAG("AuthDigestNcCheck", set_nc_check, NULL, OR_AUTHCFG, 672 "Whether or not to check the nonce-count sent by the client"), 673 AP_INIT_TAKE1("AuthDigestAlgorithm", set_algorithm, NULL, OR_AUTHCFG, 674 "The algorithm used for the hash calculation"), 675 AP_INIT_ITERATE("AuthDigestDomain", set_uri_list, NULL, OR_AUTHCFG, 676 "A list of URI's which belong to the same protection space as the current URI"), 677 AP_INIT_TAKE1("AuthDigestShmemSize", set_shmem_size, NULL, RSRC_CONF, 678 "The amount of shared memory to allocate for keeping track of clients"), 679 {NULL} 680}; 681 682 683/* 684 * client list code 685 * 686 * Each client is assigned a number, which is transferred in the opaque 687 * field of the WWW-Authenticate and Authorization headers. The number 688 * is just a simple counter which is incremented for each new client. 689 * Clients can't forge this number because it is hashed up into the 690 * server nonce, and that is checked. 691 * 692 * The clients are kept in a simple hash table, which consists of an 693 * array of client_entry's, each with a linked list of entries hanging 694 * off it. The client's number modulo the size of the array gives the 695 * bucket number. 696 * 697 * The clients are garbage collected whenever a new client is allocated 698 * but there is not enough space left in the shared memory segment. A 699 * simple semi-LRU is used for this: whenever a client entry is accessed 700 * it is moved to the beginning of the linked list in its bucket (this 701 * also makes for faster lookups for current clients). The garbage 702 * collecter then just removes the oldest entry (i.e. the one at the 703 * end of the list) in each bucket. 704 * 705 * The main advantages of the above scheme are that it's easy to implement 706 * and it keeps the hash table evenly balanced (i.e. same number of entries 707 * in each bucket). The major disadvantage is that you may be throwing 708 * entries out which are in active use. This is not tragic, as these 709 * clients will just be sent a new client id (opaque field) and nonce 710 * with a stale=true (i.e. it will just look like the nonce expired, 711 * thereby forcing an extra round trip). If the shared memory segment 712 * has enough headroom over the current client set size then this should 713 * not occur too often. 714 * 715 * To help tune the size of the shared memory segment (and see if the 716 * above algorithm is really sufficient) a set of counters is kept 717 * indicating the number of clients held, the number of garbage collected 718 * clients, and the number of erroneously purged clients. These are printed 719 * out at each garbage collection run. Note that access to the counters is 720 * not synchronized because they are just indicaters, and whether they are 721 * off by a few doesn't matter; and for the same reason no attempt is made 722 * to guarantee the num_renewed is correct in the face of clients spoofing 723 * the opaque field. 724 */ 725 726/* 727 * Get the client given its client number (the key). Returns the entry, 728 * or NULL if it's not found. 729 * 730 * Access to the list itself is synchronized via locks. However, access 731 * to the entry returned by get_client() is NOT synchronized. This means 732 * that there are potentially problems if a client uses multiple, 733 * simultaneous connections to access url's within the same protection 734 * space. However, these problems are not new: when using multiple 735 * connections you have no guarantee of the order the requests are 736 * processed anyway, so you have problems with the nonce-count and 737 * one-time nonces anyway. 738 */ 739static client_entry *get_client(unsigned long key, const request_rec *r) 740{ 741 int bucket; 742 client_entry *entry, *prev = NULL; 743 744 745 if (!key || !client_shm) return NULL; 746 747 bucket = key % client_list->tbl_len; 748 entry = client_list->table[bucket]; 749 750 apr_global_mutex_lock(client_lock); 751 752 while (entry && key != entry->key) { 753 prev = entry; 754 entry = entry->next; 755 } 756 757 if (entry && prev) { /* move entry to front of list */ 758 prev->next = entry->next; 759 entry->next = client_list->table[bucket]; 760 client_list->table[bucket] = entry; 761 } 762 763 apr_global_mutex_unlock(client_lock); 764 765 if (entry) { 766 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01764) 767 "get_client(): client %lu found", key); 768 } 769 else { 770 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01765) 771 "get_client(): client %lu not found", key); 772 } 773 774 return entry; 775} 776 777 778/* A simple garbage-collecter to remove unused clients. It removes the 779 * last entry in each bucket and updates the counters. Returns the 780 * number of removed entries. 781 */ 782static long gc(void) 783{ 784 client_entry *entry, *prev; 785 unsigned long num_removed = 0, idx; 786 787 /* garbage collect all last entries */ 788 789 for (idx = 0; idx < client_list->tbl_len; idx++) { 790 entry = client_list->table[idx]; 791 prev = NULL; 792 while (entry->next) { /* find last entry */ 793 prev = entry; 794 entry = entry->next; 795 } 796 if (prev) { 797 prev->next = NULL; /* cut list */ 798 } 799 else { 800 client_list->table[idx] = NULL; 801 } 802 if (entry) { /* remove entry */ 803 apr_rmm_free(client_rmm, apr_rmm_offset_get(client_rmm, entry)); 804 num_removed++; 805 } 806 } 807 808 /* update counters and log */ 809 810 client_list->num_entries -= num_removed; 811 client_list->num_removed += num_removed; 812 813 return num_removed; 814} 815 816 817/* 818 * Add a new client to the list. Returns the entry if successful, NULL 819 * otherwise. This triggers the garbage collection if memory is low. 820 */ 821static client_entry *add_client(unsigned long key, client_entry *info, 822 server_rec *s) 823{ 824 int bucket; 825 client_entry *entry; 826 827 828 if (!key || !client_shm) { 829 return NULL; 830 } 831 832 bucket = key % client_list->tbl_len; 833 834 apr_global_mutex_lock(client_lock); 835 836 /* try to allocate a new entry */ 837 838 entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry))); 839 if (!entry) { 840 long num_removed = gc(); 841 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01766) 842 "gc'd %ld client entries. Total new clients: " 843 "%ld; Total removed clients: %ld; Total renewed clients: " 844 "%ld", num_removed, 845 client_list->num_created - client_list->num_renewed, 846 client_list->num_removed, client_list->num_renewed); 847 entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry))); 848 if (!entry) { 849 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01767) 850 "unable to allocate new auth_digest client"); 851 apr_global_mutex_unlock(client_lock); 852 return NULL; /* give up */ 853 } 854 } 855 856 /* now add the entry */ 857 858 memcpy(entry, info, sizeof(client_entry)); 859 entry->key = key; 860 entry->next = client_list->table[bucket]; 861 client_list->table[bucket] = entry; 862 client_list->num_created++; 863 client_list->num_entries++; 864 865 apr_global_mutex_unlock(client_lock); 866 867 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01768) 868 "allocated new client %lu", key); 869 870 return entry; 871} 872 873 874/* 875 * Authorization header parser code 876 */ 877 878/* Parse the Authorization header, if it exists */ 879static int get_digest_rec(request_rec *r, digest_header_rec *resp) 880{ 881 const char *auth_line; 882 apr_size_t l; 883 int vk = 0, vv = 0; 884 char *key, *value; 885 886 auth_line = apr_table_get(r->headers_in, 887 (PROXYREQ_PROXY == r->proxyreq) 888 ? "Proxy-Authorization" 889 : "Authorization"); 890 if (!auth_line) { 891 resp->auth_hdr_sts = NO_HEADER; 892 return !OK; 893 } 894 895 resp->scheme = ap_getword_white(r->pool, &auth_line); 896 if (strcasecmp(resp->scheme, "Digest")) { 897 resp->auth_hdr_sts = NOT_DIGEST; 898 return !OK; 899 } 900 901 l = strlen(auth_line); 902 903 key = apr_palloc(r->pool, l+1); 904 value = apr_palloc(r->pool, l+1); 905 906 while (auth_line[0] != '\0') { 907 908 /* find key */ 909 910 while (apr_isspace(auth_line[0])) { 911 auth_line++; 912 } 913 vk = 0; 914 while (auth_line[0] != '=' && auth_line[0] != ',' 915 && auth_line[0] != '\0' && !apr_isspace(auth_line[0])) { 916 key[vk++] = *auth_line++; 917 } 918 key[vk] = '\0'; 919 while (apr_isspace(auth_line[0])) { 920 auth_line++; 921 } 922 923 /* find value */ 924 925 if (auth_line[0] == '=') { 926 auth_line++; 927 while (apr_isspace(auth_line[0])) { 928 auth_line++; 929 } 930 931 vv = 0; 932 if (auth_line[0] == '\"') { /* quoted string */ 933 auth_line++; 934 while (auth_line[0] != '\"' && auth_line[0] != '\0') { 935 if (auth_line[0] == '\\' && auth_line[1] != '\0') { 936 auth_line++; /* escaped char */ 937 } 938 value[vv++] = *auth_line++; 939 } 940 if (auth_line[0] != '\0') { 941 auth_line++; 942 } 943 } 944 else { /* token */ 945 while (auth_line[0] != ',' && auth_line[0] != '\0' 946 && !apr_isspace(auth_line[0])) { 947 value[vv++] = *auth_line++; 948 } 949 } 950 value[vv] = '\0'; 951 } 952 953 while (auth_line[0] != ',' && auth_line[0] != '\0') { 954 auth_line++; 955 } 956 if (auth_line[0] != '\0') { 957 auth_line++; 958 } 959 960 if (!strcasecmp(key, "username")) 961 resp->username = apr_pstrdup(r->pool, value); 962 else if (!strcasecmp(key, "realm")) 963 resp->realm = apr_pstrdup(r->pool, value); 964 else if (!strcasecmp(key, "nonce")) 965 resp->nonce = apr_pstrdup(r->pool, value); 966 else if (!strcasecmp(key, "uri")) 967 resp->uri = apr_pstrdup(r->pool, value); 968 else if (!strcasecmp(key, "response")) 969 resp->digest = apr_pstrdup(r->pool, value); 970 else if (!strcasecmp(key, "algorithm")) 971 resp->algorithm = apr_pstrdup(r->pool, value); 972 else if (!strcasecmp(key, "cnonce")) 973 resp->cnonce = apr_pstrdup(r->pool, value); 974 else if (!strcasecmp(key, "opaque")) 975 resp->opaque = apr_pstrdup(r->pool, value); 976 else if (!strcasecmp(key, "qop")) 977 resp->message_qop = apr_pstrdup(r->pool, value); 978 else if (!strcasecmp(key, "nc")) 979 resp->nonce_count = apr_pstrdup(r->pool, value); 980 } 981 982 if (!resp->username || !resp->realm || !resp->nonce || !resp->uri 983 || !resp->digest 984 || (resp->message_qop && (!resp->cnonce || !resp->nonce_count))) { 985 resp->auth_hdr_sts = INVALID; 986 return !OK; 987 } 988 989 if (resp->opaque) { 990 resp->opaque_num = (unsigned long) strtol(resp->opaque, NULL, 16); 991 } 992 993 resp->auth_hdr_sts = VALID; 994 return OK; 995} 996 997 998/* Because the browser may preemptively send auth info, incrementing the 999 * nonce-count when it does, and because the client does not get notified 1000 * if the URI didn't need authentication after all, we need to be sure to 1001 * update the nonce-count each time we receive an Authorization header no 1002 * matter what the final outcome of the request. Furthermore this is a 1003 * convenient place to get the request-uri (before any subrequests etc 1004 * are initiated) and to initialize the request_config. 1005 * 1006 * Note that this must be called after mod_proxy had its go so that 1007 * r->proxyreq is set correctly. 1008 */ 1009static int parse_hdr_and_update_nc(request_rec *r) 1010{ 1011 digest_header_rec *resp; 1012 int res; 1013 1014 if (!ap_is_initial_req(r)) { 1015 return DECLINED; 1016 } 1017 1018 resp = apr_pcalloc(r->pool, sizeof(digest_header_rec)); 1019 resp->raw_request_uri = r->unparsed_uri; 1020 resp->psd_request_uri = &r->parsed_uri; 1021 resp->needed_auth = 0; 1022 resp->method = r->method; 1023 ap_set_module_config(r->request_config, &auth_digest_module, resp); 1024 1025 res = get_digest_rec(r, resp); 1026 resp->client = get_client(resp->opaque_num, r); 1027 if (res == OK && resp->client) { 1028 resp->client->nonce_count++; 1029 } 1030 1031 return DECLINED; 1032} 1033 1034 1035/* 1036 * Nonce generation code 1037 */ 1038 1039/* The hash part of the nonce is a SHA-1 hash of the time, realm, server host 1040 * and port, opaque, and our secret. 1041 */ 1042static void gen_nonce_hash(char *hash, const char *timestr, const char *opaque, 1043 const server_rec *server, 1044 const digest_config_rec *conf) 1045{ 1046 unsigned char sha1[APR_SHA1_DIGESTSIZE]; 1047 apr_sha1_ctx_t ctx; 1048 1049 memcpy(&ctx, &conf->nonce_ctx, sizeof(ctx)); 1050 /* 1051 apr_sha1_update_binary(&ctx, (const unsigned char *) server->server_hostname, 1052 strlen(server->server_hostname)); 1053 apr_sha1_update_binary(&ctx, (const unsigned char *) &server->port, 1054 sizeof(server->port)); 1055 */ 1056 apr_sha1_update_binary(&ctx, (const unsigned char *) timestr, strlen(timestr)); 1057 if (opaque) { 1058 apr_sha1_update_binary(&ctx, (const unsigned char *) opaque, 1059 strlen(opaque)); 1060 } 1061 apr_sha1_final(sha1, &ctx); 1062 1063 ap_bin2hex(sha1, APR_SHA1_DIGESTSIZE, hash); 1064} 1065 1066 1067/* The nonce has the format b64(time)+hash . 1068 */ 1069static const char *gen_nonce(apr_pool_t *p, apr_time_t now, const char *opaque, 1070 const server_rec *server, 1071 const digest_config_rec *conf) 1072{ 1073 char *nonce = apr_palloc(p, NONCE_LEN+1); 1074 time_rec t; 1075 1076 if (conf->nonce_lifetime != 0) { 1077 t.time = now; 1078 } 1079 else if (otn_counter) { 1080 /* this counter is not synch'd, because it doesn't really matter 1081 * if it counts exactly. 1082 */ 1083 t.time = (*otn_counter)++; 1084 } 1085 else { 1086 /* XXX: WHAT IS THIS CONSTANT? */ 1087 t.time = 42; 1088 } 1089 apr_base64_encode_binary(nonce, t.arr, sizeof(t.arr)); 1090 gen_nonce_hash(nonce+NONCE_TIME_LEN, nonce, opaque, server, conf); 1091 1092 return nonce; 1093} 1094 1095 1096/* 1097 * Opaque and hash-table management 1098 */ 1099 1100/* 1101 * Generate a new client entry, add it to the list, and return the 1102 * entry. Returns NULL if failed. 1103 */ 1104static client_entry *gen_client(const request_rec *r) 1105{ 1106 unsigned long op; 1107 client_entry new_entry = { 0, NULL, 0, "", "" }, *entry; 1108 1109 if (!opaque_cntr) { 1110 return NULL; 1111 } 1112 1113 apr_global_mutex_lock(opaque_lock); 1114 op = (*opaque_cntr)++; 1115 apr_global_mutex_unlock(opaque_lock); 1116 1117 if (!(entry = add_client(op, &new_entry, r->server))) { 1118 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01769) 1119 "failed to allocate client entry - ignoring client"); 1120 return NULL; 1121 } 1122 1123 return entry; 1124} 1125 1126 1127/* 1128 * MD5-sess code. 1129 * 1130 * If you want to use algorithm=MD5-sess you must write get_userpw_hash() 1131 * yourself (see below). The dummy provided here just uses the hash from 1132 * the auth-file, i.e. it is only useful for testing client implementations 1133 * of MD5-sess . 1134 */ 1135 1136/* 1137 * get_userpw_hash() will be called each time a new session needs to be 1138 * generated and is expected to return the equivalent of 1139 * 1140 * h_urp = ap_md5(r->pool, 1141 * apr_pstrcat(r->pool, username, ":", ap_auth_name(r), ":", passwd)) 1142 * ap_md5(r->pool, 1143 * (unsigned char *) apr_pstrcat(r->pool, h_urp, ":", resp->nonce, ":", 1144 * resp->cnonce, NULL)); 1145 * 1146 * or put differently, it must return 1147 * 1148 * MD5(MD5(username ":" realm ":" password) ":" nonce ":" cnonce) 1149 * 1150 * If something goes wrong, the failure must be logged and NULL returned. 1151 * 1152 * You must implement this yourself, which will probably consist of code 1153 * contacting the password server with the necessary information (typically 1154 * the username, realm, nonce, and cnonce) and receiving the hash from it. 1155 * 1156 * TBD: This function should probably be in a separate source file so that 1157 * people need not modify mod_auth_digest.c each time they install a new 1158 * version of apache. 1159 */ 1160static const char *get_userpw_hash(const request_rec *r, 1161 const digest_header_rec *resp, 1162 const digest_config_rec *conf) 1163{ 1164 return ap_md5(r->pool, 1165 (unsigned char *) apr_pstrcat(r->pool, conf->ha1, ":", resp->nonce, 1166 ":", resp->cnonce, NULL)); 1167} 1168 1169 1170/* Retrieve current session H(A1). If there is none and "generate" is 1171 * true then a new session for MD5-sess is generated and stored in the 1172 * client struct; if generate is false, or a new session could not be 1173 * generated then NULL is returned (in case of failure to generate the 1174 * failure reason will have been logged already). 1175 */ 1176static const char *get_session_HA1(const request_rec *r, 1177 digest_header_rec *resp, 1178 const digest_config_rec *conf, 1179 int generate) 1180{ 1181 const char *ha1 = NULL; 1182 1183 /* return the current sessions if there is one */ 1184 if (resp->opaque && resp->client && resp->client->ha1[0]) { 1185 return resp->client->ha1; 1186 } 1187 else if (!generate) { 1188 return NULL; 1189 } 1190 1191 /* generate a new session */ 1192 if (!resp->client) { 1193 resp->client = gen_client(r); 1194 } 1195 if (resp->client) { 1196 ha1 = get_userpw_hash(r, resp, conf); 1197 if (ha1) { 1198 memcpy(resp->client->ha1, ha1, sizeof(resp->client->ha1)); 1199 } 1200 } 1201 1202 return ha1; 1203} 1204 1205 1206static void clear_session(const digest_header_rec *resp) 1207{ 1208 if (resp->client) { 1209 resp->client->ha1[0] = '\0'; 1210 } 1211} 1212 1213/* 1214 * Authorization challenge generation code (for WWW-Authenticate) 1215 */ 1216 1217static const char *ltox(apr_pool_t *p, unsigned long num) 1218{ 1219 if (num != 0) { 1220 return apr_psprintf(p, "%lx", num); 1221 } 1222 else { 1223 return ""; 1224 } 1225} 1226 1227static void note_digest_auth_failure(request_rec *r, 1228 const digest_config_rec *conf, 1229 digest_header_rec *resp, int stale) 1230{ 1231 const char *qop, *opaque, *opaque_param, *domain, *nonce; 1232 1233 /* Setup qop */ 1234 if (apr_is_empty_array(conf->qop_list)) { 1235 qop = ", qop=\"auth\""; 1236 } 1237 else if (!strcasecmp(*(const char **)(conf->qop_list->elts), "none")) { 1238 qop = ""; 1239 } 1240 else { 1241 qop = apr_pstrcat(r->pool, ", qop=\"", 1242 apr_array_pstrcat(r->pool, conf->qop_list, ','), 1243 "\"", 1244 NULL); 1245 } 1246 1247 /* Setup opaque */ 1248 1249 if (resp->opaque == NULL) { 1250 /* new client */ 1251 if ((conf->check_nc || conf->nonce_lifetime == 0 1252 || !strcasecmp(conf->algorithm, "MD5-sess")) 1253 && (resp->client = gen_client(r)) != NULL) { 1254 opaque = ltox(r->pool, resp->client->key); 1255 } 1256 else { 1257 opaque = ""; /* opaque not needed */ 1258 } 1259 } 1260 else if (resp->client == NULL) { 1261 /* client info was gc'd */ 1262 resp->client = gen_client(r); 1263 if (resp->client != NULL) { 1264 opaque = ltox(r->pool, resp->client->key); 1265 stale = 1; 1266 client_list->num_renewed++; 1267 } 1268 else { 1269 opaque = ""; /* ??? */ 1270 } 1271 } 1272 else { 1273 opaque = resp->opaque; 1274 /* we're generating a new nonce, so reset the nonce-count */ 1275 resp->client->nonce_count = 0; 1276 } 1277 1278 if (opaque[0]) { 1279 opaque_param = apr_pstrcat(r->pool, ", opaque=\"", opaque, "\"", NULL); 1280 } 1281 else { 1282 opaque_param = NULL; 1283 } 1284 1285 /* Setup nonce */ 1286 1287 nonce = gen_nonce(r->pool, r->request_time, opaque, r->server, conf); 1288 if (resp->client && conf->nonce_lifetime == 0) { 1289 memcpy(resp->client->last_nonce, nonce, NONCE_LEN+1); 1290 } 1291 1292 /* Setup MD5-sess stuff. Note that we just clear out the session 1293 * info here, since we can't generate a new session until the request 1294 * from the client comes in with the cnonce. 1295 */ 1296 1297 if (!strcasecmp(conf->algorithm, "MD5-sess")) { 1298 clear_session(resp); 1299 } 1300 1301 /* setup domain attribute. We want to send this attribute wherever 1302 * possible so that the client won't send the Authorization header 1303 * unnecessarily (it's usually > 200 bytes!). 1304 */ 1305 1306 1307 /* don't send domain 1308 * - for proxy requests 1309 * - if it's not specified 1310 */ 1311 if (r->proxyreq || !conf->uri_list) { 1312 domain = NULL; 1313 } 1314 else { 1315 domain = conf->uri_list; 1316 } 1317 1318 apr_table_mergen(r->err_headers_out, 1319 (PROXYREQ_PROXY == r->proxyreq) 1320 ? "Proxy-Authenticate" : "WWW-Authenticate", 1321 apr_psprintf(r->pool, "Digest realm=\"%s\", " 1322 "nonce=\"%s\", algorithm=%s%s%s%s%s", 1323 ap_auth_name(r), nonce, conf->algorithm, 1324 opaque_param ? opaque_param : "", 1325 domain ? domain : "", 1326 stale ? ", stale=true" : "", qop)); 1327 1328} 1329 1330static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type) 1331{ 1332 request_rec *mainreq; 1333 digest_header_rec *resp; 1334 digest_config_rec *conf; 1335 1336 if (strcasecmp(auth_type, "Digest")) 1337 return DECLINED; 1338 1339 /* get the client response and mark */ 1340 1341 mainreq = r; 1342 while (mainreq->main != NULL) { 1343 mainreq = mainreq->main; 1344 } 1345 while (mainreq->prev != NULL) { 1346 mainreq = mainreq->prev; 1347 } 1348 resp = (digest_header_rec *) ap_get_module_config(mainreq->request_config, 1349 &auth_digest_module); 1350 resp->needed_auth = 1; 1351 1352 1353 /* get our conf */ 1354 1355 conf = (digest_config_rec *) ap_get_module_config(r->per_dir_config, 1356 &auth_digest_module); 1357 1358 note_digest_auth_failure(r, conf, resp, 0); 1359 1360 return OK; 1361} 1362 1363 1364/* 1365 * Authorization header verification code 1366 */ 1367 1368static authn_status get_hash(request_rec *r, const char *user, 1369 digest_config_rec *conf) 1370{ 1371 authn_status auth_result; 1372 char *password; 1373 authn_provider_list *current_provider; 1374 1375 current_provider = conf->providers; 1376 do { 1377 const authn_provider *provider; 1378 1379 /* For now, if a provider isn't set, we'll be nice and use the file 1380 * provider. 1381 */ 1382 if (!current_provider) { 1383 provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, 1384 AUTHN_DEFAULT_PROVIDER, 1385 AUTHN_PROVIDER_VERSION); 1386 1387 if (!provider || !provider->get_realm_hash) { 1388 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01770) 1389 "No Authn provider configured"); 1390 auth_result = AUTH_GENERAL_ERROR; 1391 break; 1392 } 1393 apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, AUTHN_DEFAULT_PROVIDER); 1394 } 1395 else { 1396 provider = current_provider->provider; 1397 apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, current_provider->provider_name); 1398 } 1399 1400 1401 /* We expect the password to be md5 hash of user:realm:password */ 1402 auth_result = provider->get_realm_hash(r, user, conf->realm, 1403 &password); 1404 1405 apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE); 1406 1407 /* Something occured. Stop checking. */ 1408 if (auth_result != AUTH_USER_NOT_FOUND) { 1409 break; 1410 } 1411 1412 /* If we're not really configured for providers, stop now. */ 1413 if (!conf->providers) { 1414 break; 1415 } 1416 1417 current_provider = current_provider->next; 1418 } while (current_provider); 1419 1420 if (auth_result == AUTH_USER_FOUND) { 1421 conf->ha1 = password; 1422 } 1423 1424 return auth_result; 1425} 1426 1427static int check_nc(const request_rec *r, const digest_header_rec *resp, 1428 const digest_config_rec *conf) 1429{ 1430 unsigned long nc; 1431 const char *snc = resp->nonce_count; 1432 char *endptr; 1433 1434 if (conf->check_nc && !client_shm) { 1435 /* Shouldn't happen, but just in case... */ 1436 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01771) 1437 "cannot check nonce count without shared memory"); 1438 return OK; 1439 } 1440 1441 if (!conf->check_nc || !client_shm) { 1442 return OK; 1443 } 1444 1445 if (!apr_is_empty_array(conf->qop_list) && 1446 !strcasecmp(*(const char **)(conf->qop_list->elts), "none")) { 1447 /* qop is none, client must not send a nonce count */ 1448 if (snc != NULL) { 1449 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01772) 1450 "invalid nc %s received - no nonce count allowed when qop=none", 1451 snc); 1452 return !OK; 1453 } 1454 /* qop is none, cannot check nonce count */ 1455 return OK; 1456 } 1457 1458 nc = strtol(snc, &endptr, 16); 1459 if (endptr < (snc+strlen(snc)) && !apr_isspace(*endptr)) { 1460 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01773) 1461 "invalid nc %s received - not a number", snc); 1462 return !OK; 1463 } 1464 1465 if (!resp->client) { 1466 return !OK; 1467 } 1468 1469 if (nc != resp->client->nonce_count) { 1470 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01774) 1471 "Warning, possible replay attack: nonce-count " 1472 "check failed: %lu != %lu", nc, 1473 resp->client->nonce_count); 1474 return !OK; 1475 } 1476 1477 return OK; 1478} 1479 1480static int check_nonce(request_rec *r, digest_header_rec *resp, 1481 const digest_config_rec *conf) 1482{ 1483 apr_time_t dt; 1484 time_rec nonce_time; 1485 char tmp, hash[NONCE_HASH_LEN+1]; 1486 1487 if (strlen(resp->nonce) != NONCE_LEN) { 1488 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775) 1489 "invalid nonce %s received - length is not %d", 1490 resp->nonce, NONCE_LEN); 1491 note_digest_auth_failure(r, conf, resp, 1); 1492 return HTTP_UNAUTHORIZED; 1493 } 1494 1495 tmp = resp->nonce[NONCE_TIME_LEN]; 1496 resp->nonce[NONCE_TIME_LEN] = '\0'; 1497 apr_base64_decode_binary(nonce_time.arr, resp->nonce); 1498 gen_nonce_hash(hash, resp->nonce, resp->opaque, r->server, conf); 1499 resp->nonce[NONCE_TIME_LEN] = tmp; 1500 resp->nonce_time = nonce_time.time; 1501 1502 if (strcmp(hash, resp->nonce+NONCE_TIME_LEN)) { 1503 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01776) 1504 "invalid nonce %s received - hash is not %s", 1505 resp->nonce, hash); 1506 note_digest_auth_failure(r, conf, resp, 1); 1507 return HTTP_UNAUTHORIZED; 1508 } 1509 1510 dt = r->request_time - nonce_time.time; 1511 if (conf->nonce_lifetime > 0 && dt < 0) { 1512 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01777) 1513 "invalid nonce %s received - user attempted " 1514 "time travel", resp->nonce); 1515 note_digest_auth_failure(r, conf, resp, 1); 1516 return HTTP_UNAUTHORIZED; 1517 } 1518 1519 if (conf->nonce_lifetime > 0) { 1520 if (dt > conf->nonce_lifetime) { 1521 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0,r, APLOGNO(01778) 1522 "user %s: nonce expired (%.2f seconds old " 1523 "- max lifetime %.2f) - sending new nonce", 1524 r->user, (double)apr_time_sec(dt), 1525 (double)apr_time_sec(conf->nonce_lifetime)); 1526 note_digest_auth_failure(r, conf, resp, 1); 1527 return HTTP_UNAUTHORIZED; 1528 } 1529 } 1530 else if (conf->nonce_lifetime == 0 && resp->client) { 1531 if (memcmp(resp->client->last_nonce, resp->nonce, NONCE_LEN)) { 1532 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01779) 1533 "user %s: one-time-nonce mismatch - sending " 1534 "new nonce", r->user); 1535 note_digest_auth_failure(r, conf, resp, 1); 1536 return HTTP_UNAUTHORIZED; 1537 } 1538 } 1539 /* else (lifetime < 0) => never expires */ 1540 1541 return OK; 1542} 1543 1544/* The actual MD5 code... whee */ 1545 1546/* RFC-2069 */ 1547static const char *old_digest(const request_rec *r, 1548 const digest_header_rec *resp, const char *ha1) 1549{ 1550 const char *ha2; 1551 1552 ha2 = ap_md5(r->pool, (unsigned char *)apr_pstrcat(r->pool, resp->method, ":", 1553 resp->uri, NULL)); 1554 return ap_md5(r->pool, 1555 (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce, 1556 ":", ha2, NULL)); 1557} 1558 1559/* RFC-2617 */ 1560static const char *new_digest(const request_rec *r, 1561 digest_header_rec *resp, 1562 const digest_config_rec *conf) 1563{ 1564 const char *ha1, *ha2, *a2; 1565 1566 if (resp->algorithm && !strcasecmp(resp->algorithm, "MD5-sess")) { 1567 ha1 = get_session_HA1(r, resp, conf, 1); 1568 if (!ha1) { 1569 return NULL; 1570 } 1571 } 1572 else { 1573 ha1 = conf->ha1; 1574 } 1575 1576 if (resp->message_qop && !strcasecmp(resp->message_qop, "auth-int")) { 1577 a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, ":", 1578 ap_md5(r->pool, (const unsigned char*) ""), NULL); 1579 /* TBD */ 1580 } 1581 else { 1582 a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); 1583 } 1584 ha2 = ap_md5(r->pool, (const unsigned char *)a2); 1585 1586 return ap_md5(r->pool, 1587 (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce, 1588 ":", resp->nonce_count, ":", 1589 resp->cnonce, ":", 1590 resp->message_qop, ":", ha2, 1591 NULL)); 1592} 1593 1594 1595static void copy_uri_components(apr_uri_t *dst, 1596 apr_uri_t *src, request_rec *r) { 1597 if (src->scheme && src->scheme[0] != '\0') { 1598 dst->scheme = src->scheme; 1599 } 1600 else { 1601 dst->scheme = (char *) "http"; 1602 } 1603 1604 if (src->hostname && src->hostname[0] != '\0') { 1605 dst->hostname = apr_pstrdup(r->pool, src->hostname); 1606 ap_unescape_url(dst->hostname); 1607 } 1608 else { 1609 dst->hostname = (char *) ap_get_server_name(r); 1610 } 1611 1612 if (src->port_str && src->port_str[0] != '\0') { 1613 dst->port = src->port; 1614 } 1615 else { 1616 dst->port = ap_get_server_port(r); 1617 } 1618 1619 if (src->path && src->path[0] != '\0') { 1620 dst->path = apr_pstrdup(r->pool, src->path); 1621 ap_unescape_url(dst->path); 1622 } 1623 else { 1624 dst->path = src->path; 1625 } 1626 1627 if (src->query && src->query[0] != '\0') { 1628 dst->query = apr_pstrdup(r->pool, src->query); 1629 ap_unescape_url(dst->query); 1630 } 1631 else { 1632 dst->query = src->query; 1633 } 1634 1635 dst->hostinfo = src->hostinfo; 1636} 1637 1638/* These functions return 0 if client is OK, and proper error status 1639 * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or 1640 * HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we 1641 * couldn't figure out how to tell if the client is authorized or not. 1642 * 1643 * If they return DECLINED, and all other modules also decline, that's 1644 * treated by the server core as a configuration error, logged and 1645 * reported as such. 1646 */ 1647 1648/* Determine user ID, and check if the attributes are correct, if it 1649 * really is that user, if the nonce is correct, etc. 1650 */ 1651 1652static int authenticate_digest_user(request_rec *r) 1653{ 1654 digest_config_rec *conf; 1655 digest_header_rec *resp; 1656 request_rec *mainreq; 1657 const char *t; 1658 int res; 1659 authn_status return_code; 1660 1661 /* do we require Digest auth for this URI? */ 1662 1663 if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest")) { 1664 return DECLINED; 1665 } 1666 1667 if (!ap_auth_name(r)) { 1668 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01780) 1669 "need AuthName: %s", r->uri); 1670 return HTTP_INTERNAL_SERVER_ERROR; 1671 } 1672 1673 1674 /* get the client response and mark */ 1675 1676 mainreq = r; 1677 while (mainreq->main != NULL) { 1678 mainreq = mainreq->main; 1679 } 1680 while (mainreq->prev != NULL) { 1681 mainreq = mainreq->prev; 1682 } 1683 resp = (digest_header_rec *) ap_get_module_config(mainreq->request_config, 1684 &auth_digest_module); 1685 resp->needed_auth = 1; 1686 1687 1688 /* get our conf */ 1689 1690 conf = (digest_config_rec *) ap_get_module_config(r->per_dir_config, 1691 &auth_digest_module); 1692 1693 1694 /* check for existence and syntax of Auth header */ 1695 1696 if (resp->auth_hdr_sts != VALID) { 1697 if (resp->auth_hdr_sts == NOT_DIGEST) { 1698 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01781) 1699 "client used wrong authentication scheme `%s': %s", 1700 resp->scheme, r->uri); 1701 } 1702 else if (resp->auth_hdr_sts == INVALID) { 1703 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01782) 1704 "missing user, realm, nonce, uri, digest, " 1705 "cnonce, or nonce_count in authorization header: %s", 1706 r->uri); 1707 } 1708 /* else (resp->auth_hdr_sts == NO_HEADER) */ 1709 note_digest_auth_failure(r, conf, resp, 0); 1710 return HTTP_UNAUTHORIZED; 1711 } 1712 1713 r->user = (char *) resp->username; 1714 r->ap_auth_type = (char *) "Digest"; 1715 1716 /* check the auth attributes */ 1717 1718 if (strcmp(resp->uri, resp->raw_request_uri)) { 1719 /* Hmm, the simple match didn't work (probably a proxy modified the 1720 * request-uri), so lets do a more sophisticated match 1721 */ 1722 apr_uri_t r_uri, d_uri; 1723 1724 copy_uri_components(&r_uri, resp->psd_request_uri, r); 1725 if (apr_uri_parse(r->pool, resp->uri, &d_uri) != APR_SUCCESS) { 1726 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01783) 1727 "invalid uri <%s> in Authorization header", 1728 resp->uri); 1729 return HTTP_BAD_REQUEST; 1730 } 1731 1732 if (d_uri.hostname) { 1733 ap_unescape_url(d_uri.hostname); 1734 } 1735 if (d_uri.path) { 1736 ap_unescape_url(d_uri.path); 1737 } 1738 1739 if (d_uri.query) { 1740 ap_unescape_url(d_uri.query); 1741 } 1742 else if (r_uri.query) { 1743 /* MSIE compatibility hack. MSIE has some RFC issues - doesn't 1744 * include the query string in the uri Authorization component 1745 * or when computing the response component. the second part 1746 * works out ok, since we can hash the header and get the same 1747 * result. however, the uri from the request line won't match 1748 * the uri Authorization component since the header lacks the 1749 * query string, leaving us incompatable with a (broken) MSIE. 1750 * 1751 * the workaround is to fake a query string match if in the proper 1752 * environment - BrowserMatch MSIE, for example. the cool thing 1753 * is that if MSIE ever fixes itself the simple match ought to 1754 * work and this code won't be reached anyway, even if the 1755 * environment is set. 1756 */ 1757 1758 if (apr_table_get(r->subprocess_env, 1759 "AuthDigestEnableQueryStringHack")) { 1760 1761 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01784) 1762 "applying AuthDigestEnableQueryStringHack " 1763 "to uri <%s>", resp->raw_request_uri); 1764 1765 d_uri.query = r_uri.query; 1766 } 1767 } 1768 1769 if (r->method_number == M_CONNECT) { 1770 if (!r_uri.hostinfo || strcmp(resp->uri, r_uri.hostinfo)) { 1771 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01785) 1772 "uri mismatch - <%s> does not match " 1773 "request-uri <%s>", resp->uri, r_uri.hostinfo); 1774 return HTTP_BAD_REQUEST; 1775 } 1776 } 1777 else if ( 1778 /* check hostname matches, if present */ 1779 (d_uri.hostname && d_uri.hostname[0] != '\0' 1780 && strcasecmp(d_uri.hostname, r_uri.hostname)) 1781 /* check port matches, if present */ 1782 || (d_uri.port_str && d_uri.port != r_uri.port) 1783 /* check that server-port is default port if no port present */ 1784 || (d_uri.hostname && d_uri.hostname[0] != '\0' 1785 && !d_uri.port_str && r_uri.port != ap_default_port(r)) 1786 /* check that path matches */ 1787 || (d_uri.path != r_uri.path 1788 /* either exact match */ 1789 && (!d_uri.path || !r_uri.path 1790 || strcmp(d_uri.path, r_uri.path)) 1791 /* or '*' matches empty path in scheme://host */ 1792 && !(d_uri.path && !r_uri.path && resp->psd_request_uri->hostname 1793 && d_uri.path[0] == '*' && d_uri.path[1] == '\0')) 1794 /* check that query matches */ 1795 || (d_uri.query != r_uri.query 1796 && (!d_uri.query || !r_uri.query 1797 || strcmp(d_uri.query, r_uri.query))) 1798 ) { 1799 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01786) 1800 "uri mismatch - <%s> does not match " 1801 "request-uri <%s>", resp->uri, resp->raw_request_uri); 1802 return HTTP_BAD_REQUEST; 1803 } 1804 } 1805 1806 if (resp->opaque && resp->opaque_num == 0) { 1807 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01787) 1808 "received invalid opaque - got `%s'", 1809 resp->opaque); 1810 note_digest_auth_failure(r, conf, resp, 0); 1811 return HTTP_UNAUTHORIZED; 1812 } 1813 1814 if (!conf->realm) { 1815 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02533) 1816 "realm mismatch - got `%s' but no realm specified", 1817 resp->realm); 1818 note_digest_auth_failure(r, conf, resp, 0); 1819 return HTTP_UNAUTHORIZED; 1820 } 1821 1822 if (!resp->realm || strcmp(resp->realm, conf->realm)) { 1823 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01788) 1824 "realm mismatch - got `%s' but expected `%s'", 1825 resp->realm, conf->realm); 1826 note_digest_auth_failure(r, conf, resp, 0); 1827 return HTTP_UNAUTHORIZED; 1828 } 1829 1830 if (resp->algorithm != NULL 1831 && strcasecmp(resp->algorithm, "MD5") 1832 && strcasecmp(resp->algorithm, "MD5-sess")) { 1833 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01789) 1834 "unknown algorithm `%s' received: %s", 1835 resp->algorithm, r->uri); 1836 note_digest_auth_failure(r, conf, resp, 0); 1837 return HTTP_UNAUTHORIZED; 1838 } 1839 1840 return_code = get_hash(r, r->user, conf); 1841 1842 if (return_code == AUTH_USER_NOT_FOUND) { 1843 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01790) 1844 "user `%s' in realm `%s' not found: %s", 1845 r->user, conf->realm, r->uri); 1846 note_digest_auth_failure(r, conf, resp, 0); 1847 return HTTP_UNAUTHORIZED; 1848 } 1849 else if (return_code == AUTH_USER_FOUND) { 1850 /* we have a password, so continue */ 1851 } 1852 else if (return_code == AUTH_DENIED) { 1853 /* authentication denied in the provider before attempting a match */ 1854 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01791) 1855 "user `%s' in realm `%s' denied by provider: %s", 1856 r->user, conf->realm, r->uri); 1857 note_digest_auth_failure(r, conf, resp, 0); 1858 return HTTP_UNAUTHORIZED; 1859 } 1860 else { 1861 /* AUTH_GENERAL_ERROR (or worse) 1862 * We'll assume that the module has already said what its error 1863 * was in the logs. 1864 */ 1865 return HTTP_INTERNAL_SERVER_ERROR; 1866 } 1867 1868 if (resp->message_qop == NULL) { 1869 /* old (rfc-2069) style digest */ 1870 if (strcmp(resp->digest, old_digest(r, resp, conf->ha1))) { 1871 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792) 1872 "user %s: password mismatch: %s", r->user, 1873 r->uri); 1874 note_digest_auth_failure(r, conf, resp, 0); 1875 return HTTP_UNAUTHORIZED; 1876 } 1877 } 1878 else { 1879 const char *exp_digest; 1880 int match = 0, idx; 1881 const char **tmp = (const char **)(conf->qop_list->elts); 1882 for (idx = 0; idx < conf->qop_list->nelts; idx++) { 1883 if (!strcasecmp(*tmp, resp->message_qop)) { 1884 match = 1; 1885 break; 1886 } 1887 ++tmp; 1888 } 1889 1890 if (!match 1891 && !(apr_is_empty_array(conf->qop_list) 1892 && !strcasecmp(resp->message_qop, "auth"))) { 1893 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01793) 1894 "invalid qop `%s' received: %s", 1895 resp->message_qop, r->uri); 1896 note_digest_auth_failure(r, conf, resp, 0); 1897 return HTTP_UNAUTHORIZED; 1898 } 1899 1900 exp_digest = new_digest(r, resp, conf); 1901 if (!exp_digest) { 1902 /* we failed to allocate a client struct */ 1903 return HTTP_INTERNAL_SERVER_ERROR; 1904 } 1905 if (strcmp(resp->digest, exp_digest)) { 1906 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01794) 1907 "user %s: password mismatch: %s", r->user, 1908 r->uri); 1909 note_digest_auth_failure(r, conf, resp, 0); 1910 return HTTP_UNAUTHORIZED; 1911 } 1912 } 1913 1914 if (check_nc(r, resp, conf) != OK) { 1915 note_digest_auth_failure(r, conf, resp, 0); 1916 return HTTP_UNAUTHORIZED; 1917 } 1918 1919 /* Note: this check is done last so that a "stale=true" can be 1920 generated if the nonce is old */ 1921 if ((res = check_nonce(r, resp, conf))) { 1922 return res; 1923 } 1924 1925 return OK; 1926} 1927 1928/* 1929 * Authorization-Info header code 1930 */ 1931 1932static int add_auth_info(request_rec *r) 1933{ 1934 const digest_config_rec *conf = 1935 (digest_config_rec *) ap_get_module_config(r->per_dir_config, 1936 &auth_digest_module); 1937 digest_header_rec *resp = 1938 (digest_header_rec *) ap_get_module_config(r->request_config, 1939 &auth_digest_module); 1940 const char *ai = NULL, *nextnonce = ""; 1941 1942 if (resp == NULL || !resp->needed_auth || conf == NULL) { 1943 return OK; 1944 } 1945 1946 /* 2069-style entity-digest is not supported (it's too hard, and 1947 * there are no clients which support 2069 but not 2617). */ 1948 1949 /* setup nextnonce 1950 */ 1951 if (conf->nonce_lifetime > 0) { 1952 /* send nextnonce if current nonce will expire in less than 30 secs */ 1953 if ((r->request_time - resp->nonce_time) > (conf->nonce_lifetime-NEXTNONCE_DELTA)) { 1954 nextnonce = apr_pstrcat(r->pool, ", nextnonce=\"", 1955 gen_nonce(r->pool, r->request_time, 1956 resp->opaque, r->server, conf), 1957 "\"", NULL); 1958 if (resp->client) 1959 resp->client->nonce_count = 0; 1960 } 1961 } 1962 else if (conf->nonce_lifetime == 0 && resp->client) { 1963 const char *nonce = gen_nonce(r->pool, 0, resp->opaque, r->server, 1964 conf); 1965 nextnonce = apr_pstrcat(r->pool, ", nextnonce=\"", nonce, "\"", NULL); 1966 memcpy(resp->client->last_nonce, nonce, NONCE_LEN+1); 1967 } 1968 /* else nonce never expires, hence no nextnonce */ 1969 1970 1971 /* do rfc-2069 digest 1972 */ 1973 if (!apr_is_empty_array(conf->qop_list) && 1974 !strcasecmp(*(const char **)(conf->qop_list->elts), "none") 1975 && resp->message_qop == NULL) { 1976 /* use only RFC-2069 format */ 1977 ai = nextnonce; 1978 } 1979 else { 1980 const char *resp_dig, *ha1, *a2, *ha2; 1981 1982 /* calculate rspauth attribute 1983 */ 1984 if (resp->algorithm && !strcasecmp(resp->algorithm, "MD5-sess")) { 1985 ha1 = get_session_HA1(r, resp, conf, 0); 1986 if (!ha1) { 1987 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01795) 1988 "internal error: couldn't find session " 1989 "info for user %s", resp->username); 1990 return !OK; 1991 } 1992 } 1993 else { 1994 ha1 = conf->ha1; 1995 } 1996 1997 if (resp->message_qop && !strcasecmp(resp->message_qop, "auth-int")) { 1998 a2 = apr_pstrcat(r->pool, ":", resp->uri, ":", 1999 ap_md5(r->pool,(const unsigned char *) ""), NULL); 2000 /* TBD */ 2001 } 2002 else { 2003 a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); 2004 } 2005 ha2 = ap_md5(r->pool, (const unsigned char *)a2); 2006 2007 resp_dig = ap_md5(r->pool, 2008 (unsigned char *)apr_pstrcat(r->pool, ha1, ":", 2009 resp->nonce, ":", 2010 resp->nonce_count, ":", 2011 resp->cnonce, ":", 2012 resp->message_qop ? 2013 resp->message_qop : "", 2014 ":", ha2, NULL)); 2015 2016 /* assemble Authentication-Info header 2017 */ 2018 ai = apr_pstrcat(r->pool, 2019 "rspauth=\"", resp_dig, "\"", 2020 nextnonce, 2021 resp->cnonce ? ", cnonce=\"" : "", 2022 resp->cnonce 2023 ? ap_escape_quotes(r->pool, resp->cnonce) 2024 : "", 2025 resp->cnonce ? "\"" : "", 2026 resp->nonce_count ? ", nc=" : "", 2027 resp->nonce_count ? resp->nonce_count : "", 2028 resp->message_qop ? ", qop=" : "", 2029 resp->message_qop ? resp->message_qop : "", 2030 NULL); 2031 } 2032 2033 if (ai && ai[0]) { 2034 apr_table_mergen(r->headers_out, 2035 (PROXYREQ_PROXY == r->proxyreq) 2036 ? "Proxy-Authentication-Info" 2037 : "Authentication-Info", 2038 ai); 2039 } 2040 2041 return OK; 2042} 2043 2044static void register_hooks(apr_pool_t *p) 2045{ 2046 static const char * const cfgPost[]={ "http_core.c", NULL }; 2047 static const char * const parsePre[]={ "mod_proxy.c", NULL }; 2048 2049 ap_hook_pre_config(pre_init, NULL, NULL, APR_HOOK_MIDDLE); 2050 ap_hook_post_config(initialize_module, NULL, cfgPost, APR_HOOK_MIDDLE); 2051 ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE); 2052 ap_hook_post_read_request(parse_hdr_and_update_nc, parsePre, NULL, APR_HOOK_MIDDLE); 2053 ap_hook_check_authn(authenticate_digest_user, NULL, NULL, APR_HOOK_MIDDLE, 2054 AP_AUTH_INTERNAL_PER_CONF); 2055 2056 ap_hook_fixups(add_auth_info, NULL, NULL, APR_HOOK_MIDDLE); 2057 ap_hook_note_auth_failure(hook_note_digest_auth_failure, NULL, NULL, 2058 APR_HOOK_MIDDLE); 2059 2060} 2061 2062AP_DECLARE_MODULE(auth_digest) = 2063{ 2064 STANDARD20_MODULE_STUFF, 2065 create_digest_dir_config, /* dir config creater */ 2066 NULL, /* dir merger --- default is to override */ 2067 NULL, /* server config */ 2068 NULL, /* merge server config */ 2069 digest_cmds, /* command table */ 2070 register_hooks /* register hooks */ 2071}; 2072 2073