Posted to cvs@httpd.apache.org by ji...@apache.org on 2004/04/15 17:51:52 UTC
cvs commit: apache-1.3/src/support httpd.exp
jim 2004/04/15 08:51:52
Modified: src ApacheCore.def ApacheCoreOS2.def CHANGES
src/include ap_mmn.h hsregex.h http_core.h
src/main http_core.c http_protocol.c
src/modules/standard mod_digest.c
src/os/netware ApacheCore.imp
src/support httpd.exp
Log:
Add in suggested patch for AuthDigestRealmSeed issue
Revision Changes Path
1.36 +1 -0 apache-1.3/src/ApacheCore.def
Index: ApacheCore.def
===================================================================
RCS file: /home/cvs/apache-1.3/src/ApacheCore.def,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- ApacheCore.def 18 Jun 2002 04:19:46 -0000 1.35
+++ ApacheCore.def 15 Apr 2004 15:51:51 -0000 1.36
@@ -447,3 +447,4 @@
ap_getline @439
ap_get_chunk_size @440
ap_escape_logitem @441
+ ap_auth_nonce @442
1.14 +1 -0 apache-1.3/src/ApacheCoreOS2.def
Index: ApacheCoreOS2.def
===================================================================
RCS file: /home/cvs/apache-1.3/src/ApacheCoreOS2.def,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- ApacheCoreOS2.def 22 May 2003 09:45:28 -0000 1.13
+++ ApacheCoreOS2.def 15 Apr 2004 15:51:51 -0000 1.14
@@ -430,3 +430,4 @@
ap_escape_logitem @441
ap_popenf_ex @442
ap_psocket_ex @443
+ ap_auth_nonce @444
1.1936 +6 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1935
retrieving revision 1.1936
diff -u -r1.1935 -r1.1936
--- CHANGES 9 Apr 2004 17:01:50 -0000 1.1935
+++ CHANGES 15 Apr 2004 15:51:51 -0000 1.1936
@@ -1,5 +1,11 @@
Changes with Apache 1.3.31
+ *) SECURITY: CAN-2003-0987 (cve.mitre.org)
+ Verification as to whether the nonce returned in the client response
+ is one we issued ourselves by means of a AuthNonce secret exposed as an
+ md5(). See mod_digest documentation for more details. The experimental
+ mod_auth_digest.c does not have this issue. [Dirk-Willem van Gulik]
+
Changes with Apache 1.3.30
*) Fix memory corruption problem with ap_custom_response() function.
1.68 +2 -0 apache-1.3/src/include/ap_mmn.h
Index: ap_mmn.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/ap_mmn.h,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -r1.67 -r1.68
--- ap_mmn.h 16 Feb 2004 22:25:08 -0000 1.67
+++ ap_mmn.h 15 Apr 2004 15:51:51 -0000 1.68
@@ -201,6 +201,8 @@
* ap_popenf_ex() and ap_psocket_ex().
* 19990320.15 - ap_is_recursion_limit_exceeded()
* 19990320.16 - ap_escape_errorlog_item()
+ * 19990320.17 - ap_auth_nonce() and ap_auth_nonce added
+ * in core_dir_config.
*/
#define MODULE_MAGIC_COOKIE 0x41503133UL /* "AP13" */
1.18 +1 -2 apache-1.3/src/include/hsregex.h
Index: hsregex.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/hsregex.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- hsregex.h 6 Mar 2002 13:03:15 -0000 1.17
+++ hsregex.h 15 Apr 2004 15:51:51 -0000 1.18
@@ -16,8 +16,7 @@
#endif
#endif
-#undef ap_private_extern
-#if defined(MAC_OS) || defined(MAC_OS_X_SERVER) || (defined(DARWIN) && defined(__DYNAMIC__))
+#if defined(MAC_OS) || defined(MAC_OS_X_SERVER)
#define ap_private_extern __private_extern__
#else
#define ap_private_extern
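Review bot: This hsregex.h hunk has nothing to do with the AuthDigestRealmSeed fix named in the log message and should be a separate commit with its own rationale, otherwise it gets backported or reverted together with the security change. Dropping `#undef ap_private_extern` also changes semantics: if an earlier header already defined the macro, the `#define` that follows is now a redefinition (a warning at best) instead of a clean override — the surrounding lines are not visible here, so confirm nothing defines it first. If the intent is to stop overriding a Darwin/`__DYNAMIC__` setting, say so in a one-line comment above the `#if`.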
1.75 +4 -0 apache-1.3/src/include/http_core.h
Index: http_core.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -r1.74 -r1.75
--- http_core.h 29 Mar 2004 18:35:29 -0000 1.74
+++ http_core.h 15 Apr 2004 15:51:51 -0000 1.75
@@ -119,6 +119,7 @@
API_EXPORT(const char *) ap_auth_type (request_rec *);
API_EXPORT(const char *) ap_auth_name (request_rec *);
+API_EXPORT(const char *) ap_auth_nonce (request_rec *);
API_EXPORT(int) ap_satisfies (request_rec *r);
API_EXPORT(const array_header *) ap_requires (request_rec *);
@@ -313,6 +314,9 @@
* direct command line parameters or argv elements?
*/
ap_flag_e cgi_command_args;
+
+ /* Digest auth. */
+ char *ap_auth_nonce;
} core_dir_config;
1.333 +54 -0 apache-1.3/src/main/http_core.c
Index: http_core.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.332
retrieving revision 1.333
diff -u -r1.332 -r1.333
--- http_core.c 29 Mar 2004 18:35:29 -0000 1.332
+++ http_core.c 15 Apr 2004 15:51:51 -0000 1.333
@@ -202,6 +202,9 @@
if (new->ap_auth_name) {
conf->ap_auth_name = new->ap_auth_name;
}
+ if (new->ap_auth_nonce) {
+ conf->ap_auth_nonce = new->ap_auth_nonce;
+ }
if (new->ap_requires) {
conf->ap_requires = new->ap_requires;
}
@@ -543,6 +546,32 @@
return conf->ap_auth_name;
}
+API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
+{
+ core_dir_config *conf;
+ conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+ &core_module);
+ if (conf->ap_auth_nonce)
+ return conf->ap_auth_nonce;
+
+ /* Ideally we'd want to mix in some per-directory style
+ * information; as we are likely to want to detect replay
+ * across those boundaries and some randomness. But that
+ * is harder due to the adhoc nature of .htaccess memory
+ * structures, restarts and forks.
+ *
+ * But then again - you should use AuthDigestRealmSeed in your config
+ * file if you care. So the adhoc value should do.
+ */
+ return ap_psprintf(r->pool,"%lu%lu%lu%lu%lu%s",
+ *(unsigned long *)&((r->connection->local_addr).sin_addr ),
+ *(unsigned long *)ap_user_name,
+ *(unsigned long *)ap_listeners,
+ *(unsigned long *)ap_server_argv0,
+ *(unsigned long *)ap_pid_fname,
+ "WHAT_THE_HECK_GOES_HERE?");
+}
+
API_EXPORT(const char *) ap_default_type(request_rec *r)
{
core_dir_config *conf;
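Review bot: The fallback seed returned at the end of ap_auth_nonce() is built only from values an attacker can know or guess — the local IP, the first bytes of the `User` name, `argv[0]` and the pid-file path strings, one word of whatever `ap_listeners` points at, and a fixed literal — so without AuthDigestRealmSeed the prefix that ap_note_digest_auth_failure() hashes is likely computable and the "issued by this server" check in mod_digest degrades to a format check. The `*(unsigned long *)` casts also read the first word of `char *` strings and of a struct through an incompatible type, which is a strict-aliasing/alignment problem rather than a source of entropy. A better default is a secret drawn once per server start (e.g. from /dev/urandom where available, with the current mix as the last resort) and cached in a static so every child shares it; at minimum the fallback path should warn, e.g. `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, "AuthDigestRealmSeed not set; digest nonces use a predictable default seed");`. The comment block should state plainly that the default is predictable and that the directive is required for the nonce check to mean anything.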
@@ -2811,6 +2840,28 @@
return NULL;
}
+/*
+ * Load an authorisation nonce into our location configuration, and
+ * force it to be in the 0-9/A-Z realm.
+ */
+static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1)
+{
+ core_dir_config *aconfig = (core_dir_config *)mconfig;
+ int i;
+
+ aconfig->ap_auth_nonce = ap_escape_quotes(cmd->pool, word1);
+
+ if (strlen(aconfig->ap_auth_nonce) > 510)
+ return "AuthDigestRealmSeed length limited to 510 chars for browser compatibility";
+
+ for(i=0;i<strlen(aconfig->ap_auth_nonce );i++)
+ if (!ap_isalnum(aconfig->ap_auth_nonce [i]))
+ return "AuthDigestRealmSeed limited to 0-9 and A-Z range for browser compatibility";
+
+ return NULL;
+}
+
+
#ifdef _OSD_POSIX /* BS2000 Logon Passwd file */
static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name)
{
@@ -3425,6 +3476,9 @@
"An HTTP authorization type (e.g., \"Basic\")" },
{ "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1,
"The authentication realm (e.g. \"Members Only\")" },
+{ "AuthDigestRealmSeed", set_authnonce, NULL, OR_AUTHCFG, TAKE1,
+ "An authentication token which should be different for each logical realm. "\
+ "A random value or the servers IP may be a good choise.\n" },
{ "Require", require, NULL, OR_AUTHCFG, RAW_ARGS,
"Selects which authenticated users or groups may access a protected space" },
{ "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1,
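Review bot: The help text for AuthDigestRealmSeed recommends "the servers IP" as a seed, but the CHANGES entry describes the seed as a secret, and a public IP gives an attacker exactly what they need to forge the nonce prefix. Replace the string with something like `"A secret token that should differ for each logical realm; use a long random value, never anything public such as the server's IP."`, which also fixes "choise"/"servers" and drops the trailing `\n` that no sibling help string carries.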
1.335 +17 -2 apache-1.3/src/main/http_protocol.c
Index: http_protocol.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.334
retrieving revision 1.335
diff -u -r1.334 -r1.335
--- http_protocol.c 29 Mar 2004 18:23:03 -0000 1.334
+++ http_protocol.c 15 Apr 2004 15:51:51 -0000 1.335
@@ -33,6 +33,7 @@
#include "util_date.h" /* For parseHTTPdate and BAD_DATE */
#include <stdarg.h>
#include "http_conf_globals.h"
+#include "util_md5.h" /* For digestAuth */
#define SET_BYTES_SENT(r) \
do { if (r->sent_bodyct) \
@@ -1348,11 +1349,25 @@
API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
{
+ /* We need to create a nonce which:
+ * a) changes all the time (see r->request_time)
+ * below and
+ * b) of which we can verify that it is our own
+ * fairly easily when it comes to veryfing
+ * the digest coming back in the response.
+ * c) and which as a whole should not
+ * be unlikely to be in use anywhere else.
+ */
+ char * nonce_prefix = ap_md5(r->pool,
+ (unsigned char *)
+ ap_psprintf(r->pool, "%s%lu",
+ ap_auth_nonce(r), r->request_time));
+
ap_table_setn(r->err_headers_out,
r->proxyreq == STD_PROXY ? "Proxy-Authenticate"
: "WWW-Authenticate",
- ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"",
- ap_auth_name(r), r->request_time));
+ ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s%lu\"",
+ ap_auth_name(r), nonce_prefix, r->request_time));
}
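Review bot: The nonce prefix computed at the top of ap_note_digest_auth_failure() hashes only the seed and `r->request_time`, so with a shared or default seed a nonce issued for one realm verifies in every other realm on the server — the cross-context replay this fix is meant to stop. Binding the realm is one line on each side: hash `ap_psprintf(r->pool, "%s%s%lu", ap_auth_nonce(r), ap_auth_name(r), r->request_time)` here, and have mod_digest pass the same seed+realm string as the prefix to its check. The new comment has a typo ("veryfing") and item c) reads as the opposite of what is presumably meant; "should be unlikely to be in use anywhere else" is the intended wording.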
API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
1.55 +26 -0 apache-1.3/src/modules/standard/mod_digest.c
Index: mod_digest.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_digest.c,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- mod_digest.c 20 Feb 2004 20:37:40 -0000 1.54
+++ mod_digest.c 15 Apr 2004 15:51:52 -0000 1.55
@@ -273,6 +273,23 @@
/* The actual MD5 code... whee */
+/* Check that a given nonce is actually one which was
+ * issued by this server in the right context.
+ */
+static int check_nonce(pool *p, const char *prefix, const char *nonce) {
+ char *timestamp = (char *)nonce + 2 * MD5_DIGESTSIZE;
+ char *md5;
+
+ if (strlen(nonce) < MD5_DIGESTSIZE)
+ return AUTH_REQUIRED;
+
+ md5 = ap_md5(p, (unsigned char *)ap_pstrcat(p, prefix, timestamp, NULL));
+
+ return strncmp(md5, nonce, 2 * MD5_DIGESTSIZE);
+}
+
+/* Check the digest itself.
+ */
static char *find_digest(request_rec *r, digest_header_rec * h, char *a1)
{
return ap_md5(r->pool,
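Review bot: check_nonce() accepts a client-supplied nonce as short as MD5_DIGESTSIZE characters but then reads `timestamp` at offset `2 * MD5_DIGESTSIZE`, so a nonce of 16–31 bytes from the Authorization header makes ap_pstrcat read past the end of the string; the bound must be the hex length, and the pointer should be formed only after the check. If the header parser leaves `response->nonce` NULL when the parameter is absent (ap_pcalloc'd record, not visible here), `strlen(nonce)` crashes the child, so guard that too. The function also mixes return conventions — AUTH_REQUIRED (401) for one failure and a raw strncmp result for the other — while the caller only tests for non-zero; pick one. `strncmp` short-circuits on the first differing byte, which leaks comparison timing against a secret-derived value; marginal over a network, but a constant-time compare costs nothing here.
```c
static int check_nonce(pool *p, const char *prefix, const char *nonce) {
    const char *timestamp;
    char *md5;

    /* Reject a missing or short nonce before touching its timestamp suffix;
     * the hex MD5 alone is 2 * MD5_DIGESTSIZE bytes. */
    if (nonce == NULL || strlen(nonce) < 2 * MD5_DIGESTSIZE + 1)
        return AUTH_REQUIRED;
    timestamp = nonce + 2 * MD5_DIGESTSIZE;

    md5 = ap_md5(p, (unsigned char *)ap_pstrcat(p, prefix, timestamp, NULL));

    return strncmp(md5, nonce, 2 * MD5_DIGESTSIZE);
}
```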
@@ -312,6 +329,15 @@
if (!sec->pwfile)
return DECLINED;
+
+ /* Check that the nonce was one we actually issued. */
+ if (check_nonce(r->pool, ap_auth_nonce(r), response->nonce)) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+ "Client is using a nonce which was not issued by "
+ "this server for this context: %s", r->uri);
+ ap_note_digest_auth_failure(r);
+ return AUTH_REQUIRED;
+ }
if (!(a1 = get_hash(r, c->user, sec->pwfile))) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
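Review bot: The added check proves the nonce was issued by this server but never looks at the timestamp suffix, so a captured Authorization header replays indefinitely and the `stale` mechanism of Digest auth is never exercised. Parse the suffix with `strtoul(response->nonce + 2 * MD5_DIGESTSIZE, NULL, 10)` and reject (or flag stale) when `r->request_time` minus that value exceeds a configured lifetime; the suffix cannot be tampered with once the MD5 check passes. The enclosing authentication function starts before this hunk, so confirm `response->nonce` is guaranteed non-NULL by the parser above it before it reaches check_nonce().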
1.17 +1 -0 apache-1.3/src/os/netware/ApacheCore.imp
Index: ApacheCore.imp
===================================================================
RCS file: /home/cvs/apache-1.3/src/os/netware/ApacheCore.imp,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- ApacheCore.imp 16 Jan 2003 22:49:16 -0000 1.16
+++ ApacheCore.imp 15 Apr 2004 15:51:52 -0000 1.17
@@ -16,6 +16,7 @@
ap_array_cat,
ap_auth_name,
ap_auth_type,
+ ap_auth_nonce,
ap_basic_http_header,
ap_bclose,
ap_bcreate,
1.43 +1 -0 apache-1.3/src/support/httpd.exp
Index: httpd.exp
===================================================================
RCS file: /home/cvs/apache-1.3/src/support/httpd.exp,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- httpd.exp 28 Jan 2004 21:22:21 -0000 1.42
+++ httpd.exp 15 Apr 2004 15:51:52 -0000 1.43
@@ -22,6 +22,7 @@
ap_array_cat
ap_array_pstrcat
ap_auth_name
+ap_auth_nonce
ap_auth_type
ap_base64encode
ap_base64encode_binary