Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/08/29 01:56:41 UTC

DO NOT REPLY [Bug 30920] New: - Digest authentication via mod_digest no longer works in 1.3.31.


http://issues.apache.org/bugzilla/show_bug.cgi?id=30920

Digest authentication via mod_digest no longer works in 1.3.31.

           Summary: Digest authentication via mod_digest no longer works in 1.3.31.
           Product: Apache httpd-1.3
           Version: 1.3.31
          Platform: Macintosh
        OS/Version: MacOS X
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: albegley@apple.com


Digest authentication via mod_digest no longer works in 1.3.31, apparently due to ap_auth_nonce() 
returning different values.

I added a log message to the ap_auth_nonce() function in the standard version of http_core.c from 
Apache 1.3.31. (This function was added in 1.3.31). It's short so here's the whole function with the log 
message:

API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
{
    core_dir_config *conf;
    char *nonce;

    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
                                                   &core_module);
    /* A configured AuthDigestRealmSeed takes precedence over the ad hoc value. */
    if (conf->ap_auth_nonce)
        return conf->ap_auth_nonce;

    /* Ideally we'd want to mix in some per-directory style
     * information; as we are likely to want to detect replay
     * across those boundaries and some randomness. But that
     * is harder due to the adhoc nature of .htaccess memory
     * structures, restarts and forks.
     *
     * But then again - you should use AuthDigestRealmSeed in your config
     * file if you care. So the adhoc value should do.
     */
    /* Five pointer values concatenated; the first is the address of a field
     * in the per-request connection record, the other four are globals. */
    nonce = ap_psprintf(r->pool, "%pp%pp%pp%pp%pp",
                        (void *)&((r->connection->local_addr).sin_addr),
                        (void *)ap_user_name,
                        (void *)ap_listeners,
                        (void *)ap_server_argv0,
                        (void *)ap_pid_fname);
    /* Log message added by the reporter so the issued and checked values can be compared. */
    ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r->server,
                 "nonce = '%s'", nonce);

    return nonce;
}

The log message shows that this function returns one value when called to provide the nonce to pass to 
the client, and a different value when called later to verify that the nonce received from the client was 
the one sent (check_nonce()). So the check fails, and the client cannot access the realm. The change is 
in the first of the 5 concatenated addresses (the one based on the request record address):

[Sat Aug 28 16:40:53 2004] [info] nonce = '82b834813e608261c0bffffd52803b98'

(User enters name and password at a WebDAV client...)

[Sat Aug 28 16:40:58 2004] [info] nonce = '82e834813e608261c0bffffd52803b98'
[Sat Aug 28 16:40:58 2004] [error] [client 17.221.41.169] Client is using a nonce which was not issued by this server for this context: /
[Sat Aug 28 16:40:58 2004] [info] nonce = '82e834813e608261c0bffffd52803b98'

(User gets the name and password dialog again...)

The problem can be worked around by specifying the AuthDigestRealmSeed directive, or by switching 
to mod_auth_digest, but existing configurations are broken by this.
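As an added illustration (not code from the report or from Apache), a stand-alone model of why a nonce seed derived from pointer addresses fails its own check: the fake_conn struct, the g_* globals and the fixed-width hex formatting are stand-ins for conn_rec, the four global symbols and ap_psprintf's %pp, and the configured seed stands in for AuthDigestRealmSeed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Process-wide globals standing in for ap_user_name, ap_listeners, ap_server_argv0
 * and ap_pid_fname; their addresses do not change between requests. */
static const char *g_user_name = "www";
static int g_listeners, g_argv0, g_pid_fname;
struct fake_conn { int local_addr; };   /* per-request memory, like conn_rec */
#define SEG 16                          /* width of one hex pointer segment */

/* Mirror of the 1.3.31 logic: a configured AuthDigestRealmSeed wins; otherwise five
 * pointers are concatenated, the first being a field in the current request's memory. */
static void model_nonce(const char *seed, const struct fake_conn *c, char *out, size_t n)
{
    if (seed) { snprintf(out, n, "%s", seed); return; }
    snprintf(out, n, "%0*lx%0*lx%0*lx%0*lx%0*lx",
             SEG, (unsigned long)(uintptr_t)&c->local_addr,
             SEG, (unsigned long)(uintptr_t)&g_user_name,
             SEG, (unsigned long)(uintptr_t)&g_listeners,
             SEG, (unsigned long)(uintptr_t)&g_argv0,
             SEG, (unsigned long)(uintptr_t)&g_pid_fname);
}

/* Issue the nonce on one request, recompute it on a second whose connection struct
 * was allocated elsewhere (the challenge and the client's retry are separate requests). */
static void two_requests(const char *seed, char *issued, char *verified, size_t n)
{
    struct fake_conn *c1 = malloc(sizeof *c1);
    struct fake_conn *c2 = malloc(sizeof *c2);   /* both live, so distinct addresses */
    model_nonce(seed, c1, issued, n);
    model_nonce(seed, c2, verified, n);
    free(c1); free(c2);
}

/* 1 if check_nonce() would accept the server's own nonce, 0 if it rejects it. */
int nonce_roundtrip_ok(const char *seed)
{
    char issued[128], verified[128];
    two_requests(seed, issued, verified, sizeof issued);
    return strcmp(issued, verified) == 0;
}
/* 1 when only the first segment differs and the tail matches, the pattern in the
 * reporter's log ('82b8...' vs '82e8...' with identical remainder). */
int only_first_segment_differs(void)
{
    char issued[128], verified[128];
    two_requests(NULL, issued, verified, sizeof issued);
    return strncmp(issued, verified, SEG) != 0 && strcmp(issued + SEG, verified + SEG) == 0;
}
```

Without a seed the check fails and only the per-request segment changes; with a configured seed the same string is produced on both requests, which is why the AuthDigestRealmSeed workaround holds.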
