Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/08/29 01:56:41 UTC
DO NOT REPLY [Bug 30920] New: Digest authentication via mod_digest no longer works in 1.3.31.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30920>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=30920
Summary: Digest authentication via mod_digest no longer works in 1.3.31.
Product: Apache httpd-1.3
Version: 1.3.31
Platform: Macintosh
OS/Version: MacOS X
Status: NEW
Severity: Normal
Priority: Other
Component: core
AssignedTo: bugs@httpd.apache.org
ReportedBy: albegley@apple.com
Digest authentication via mod_digest no longer works in 1.3.31, apparently due to ap_auth_nonce()
returning different values.
I added a log message to the ap_auth_nonce() function in the standard version of http_core.c from
Apache 1.3.31. (This function was added in 1.3.31). It's short so here's the whole function with the log
message:
API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
{
    core_dir_config *conf;
    char *nonce;

    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
                                                   &core_module);
    /* A configured AuthDigestRealmSeed takes precedence over the ad hoc value. */
    if (conf->ap_auth_nonce)
        return conf->ap_auth_nonce;

    /* Ideally we'd want to mix in some per-directory style
     * information; as we are likely to want to detect replay
     * across those boundaries and some randomness. But that
     * is harder due to the adhoc nature of .htaccess memory
     * structures, restarts and forks.
     *
     * But then again - you should use AuthDigestRealmSeed in your config
     * file if you care. So the adhoc value should do.
     */
    nonce = ap_psprintf(r->pool, "%pp%pp%pp%pp%pp",
                        (void *)&((r->connection->local_addr).sin_addr),
                        (void *)ap_user_name,
                        (void *)ap_listeners,
                        (void *)ap_server_argv0,
                        (void *)ap_pid_fname);
    /* Added for diagnosis: record the value this call returns. */
    ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r->server,
                 "nonce = '%s'", nonce);
    return nonce;
}
The log message shows that this function returns one value when called to provide the nonce to pass to
the client, and a different value when called later to verify that the nonce received from the client was
the one sent (check_nonce()). So the check fails, and the client cannot access the realm. The change is
in the first of the 5 concatenated addresses (the one based on the request record address):
[Sat Aug 28 16:40:53 2004] [info] nonce = '82b834813e608261c0bffffd52803b98'
(User enters name and password at a WebDAV client...)
[Sat Aug 28 16:40:58 2004] [info] nonce = '82e834813e608261c0bffffd52803b98'
[Sat Aug 28 16:40:58 2004] [error] [client 17.221.41.169] Client is using a nonce which was not issued by this server for this context: /
[Sat Aug 28 16:40:58 2004] [info] nonce = '82e834813e608261c0bffffd52803b98'
(User gets the name and password dialog again...)
The problem can be worked around by specifying the AuthDigestRealmSeed directive, or by switching
to mod_auth_digest, but existing configurations are broken by this.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
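The report above traces the failure to one of the five formatted pointers being the address of a field inside the per-connection record, which differs between the connection that carried the 401 challenge and the connection that carries the client's Authorization response. The following is an added example, not code from the bug report or from Apache httpd: it uses hypothetical stand-ins for Apache's connection and request records (conn_rec_t, request_rec_t, server_argv0, pid_fname are all constructed here) and a non-cryptographic FNV-1a hash chosen only to keep the example dependency-free. It replays the reconnect scenario once with an address-derived nonce and once with a nonce derived from the values of process-stable inputs plus an operator seed, which is the role AuthDigestRealmSeed plays in the reporter's workaround.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>    /* inet_pton */
#include <netinet/in.h>   /* struct sockaddr_in, struct in_addr */

/* Hypothetical stand-ins for Apache's connection and request records: one
 * conn_rec is allocated per TCP connection, and the request points at it. */
typedef struct { struct sockaddr_in local_addr; } conn_rec_t;
typedef struct { conn_rec_t *connection; } request_rec_t;

/* Process-wide values (constructed); stable for the life of the server. */
static const char *server_argv0 = "/usr/sbin/httpd";
static const char *pid_fname    = "logs/httpd.pid";

/* Address-based derivation in the style of the reported function: it formats
 * the *addresses* of its inputs, one of which lives inside the per-connection
 * record and therefore changes whenever the client reconnects. */
void nonce_from_addresses(char *out, size_t len, const request_rec_t *r)
{
    snprintf(out, len, "%p%p%p",
             (const void *)&r->connection->local_addr.sin_addr,
             (const void *)&server_argv0,
             (const void *)&pid_fname);
}

/* FNV-1a, constructed here only to keep the example self-contained. It is
 * not a cryptographic hash; a real server would use MD5/SHA as mod_digest
 * does. The point illustrated is input stability, not digest strength. */
static uint64_t fnv1a_update(uint64_t h, const void *data, size_t n)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Stable derivation: hashes the *values* of process-stable inputs plus an
 * operator-supplied seed, never the address of a per-connection object. */
void nonce_from_seed(char *out, size_t len, const char *seed,
                     const request_rec_t *r)
{
    const struct in_addr *local = &r->connection->local_addr.sin_addr;
    uint64_t h = 14695981039346656037ULL;   /* FNV-1a 64-bit offset basis */
    h = fnv1a_update(h, seed, strlen(seed));
    h = fnv1a_update(h, server_argv0, strlen(server_argv0));
    h = fnv1a_update(h, pid_fname, strlen(pid_fname));
    h = fnv1a_update(h, local, sizeof *local);  /* the IP value, not &local */
    snprintf(out, len, "%016llx", (unsigned long long)h);
}

/* Replays the failure: the challenge is issued on one connection and the
 * client's Authorization response arrives on a second one, so the verifier
 * recomputes the nonce from a different conn_rec. Returns 1 if the recomputed
 * nonce matches the issued one, 0 if the check would reject the client. */
int nonce_check_survives_reconnect(int use_seed)
{
    conn_rec_t *c1 = calloc(1, sizeof *c1);   /* connection carrying the 401 */
    conn_rec_t *c2 = calloc(1, sizeof *c2);   /* connection carrying the reply */
    request_rec_t r1, r2;
    char issued[64], recomputed[64];
    int match;

    /* Both connections arrive at the same listening address (constructed). */
    inet_pton(AF_INET, "192.0.2.10", &c1->local_addr.sin_addr);
    inet_pton(AF_INET, "192.0.2.10", &c2->local_addr.sin_addr);
    r1.connection = c1;
    r2.connection = c2;

    if (use_seed) {
        nonce_from_seed(issued, sizeof issued, "example-realm-seed", &r1);
        nonce_from_seed(recomputed, sizeof recomputed, "example-realm-seed", &r2);
    } else {
        nonce_from_addresses(issued, sizeof issued, &r1);
        nonce_from_addresses(recomputed, sizeof recomputed, &r2);
    }
    match = strcmp(issued, recomputed) == 0;
    free(c1);
    free(c2);
    return match;
}

int main(void)
{
    printf("address-based nonce survives reconnect: %d\n",
           nonce_check_survives_reconnect(0));
    printf("seeded nonce survives reconnect:        %d\n",
           nonce_check_survives_reconnect(1));
    return 0;
}
```

Because c1 and c2 are distinct live objects, the first formatted pointer is guaranteed to differ between the two calls, so the address-based check fails every time the client reconnects, exactly the symptom in the log above; the seeded derivation depends only on values that are identical on both connections, so the recomputed nonce matches.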