httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject cvs commit: apache-1.3/src/support httpd.exp
Date Thu, 15 Apr 2004 15:51:52 GMT
jim         2004/04/15 08:51:52

  Modified:    src      ApacheCore.def ApacheCoreOS2.def CHANGES
               src/include ap_mmn.h hsregex.h http_core.h
               src/main http_core.c http_protocol.c
               src/modules/standard mod_digest.c
               src/os/netware ApacheCore.imp
               src/support httpd.exp
  Log:
  Add in suggested patch for AuthDigestRealmSeed issue
  
  Revision  Changes    Path
  1.36      +1 -0      apache-1.3/src/ApacheCore.def
  
  Index: ApacheCore.def
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/ApacheCore.def,v
  retrieving revision 1.35
  retrieving revision 1.36
  diff -u -r1.35 -r1.36
  --- ApacheCore.def	18 Jun 2002 04:19:46 -0000	1.35
  +++ ApacheCore.def	15 Apr 2004 15:51:51 -0000	1.36
  @@ -447,3 +447,4 @@
           ap_getline @439
           ap_get_chunk_size @440
           ap_escape_logitem @441
  +        ap_auth_nonce @442
  
  
  
  1.14      +1 -0      apache-1.3/src/ApacheCoreOS2.def
  
  Index: ApacheCoreOS2.def
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/ApacheCoreOS2.def,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- ApacheCoreOS2.def	22 May 2003 09:45:28 -0000	1.13
  +++ ApacheCoreOS2.def	15 Apr 2004 15:51:51 -0000	1.14
  @@ -430,3 +430,4 @@
   	ap_escape_logitem @441
   	ap_popenf_ex @442
   	ap_psocket_ex @443
  +       ap_auth_nonce @444
  
  
  
  1.1936    +6 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1935
  retrieving revision 1.1936
  diff -u -r1.1935 -r1.1936
  --- CHANGES	9 Apr 2004 17:01:50 -0000	1.1935
  +++ CHANGES	15 Apr 2004 15:51:51 -0000	1.1936
  @@ -1,5 +1,11 @@
   Changes with Apache 1.3.31
   
  +  *) SECURITY: CAN-2003-0987 (cve.mitre.org)
  +     Verification as to whether the nonce returned in the client response 
  +     is one we issued ourselves by means of a AuthNonce secret exposed as an 
  +     md5(). See mod_digest documentation for more details. The experimental
  +     mod_auth_digest.c does not have this issue.  [Dirk-Willem van Gulik]
  +
   Changes with Apache 1.3.30
   
     *) Fix memory corruption problem with ap_custom_response() function.
  
  
  
  1.68      +2 -0      apache-1.3/src/include/ap_mmn.h
  
  Index: ap_mmn.h
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/include/ap_mmn.h,v
  retrieving revision 1.67
  retrieving revision 1.68
  diff -u -r1.67 -r1.68
  --- ap_mmn.h	16 Feb 2004 22:25:08 -0000	1.67
  +++ ap_mmn.h	15 Apr 2004 15:51:51 -0000	1.68
  @@ -201,6 +201,8 @@
    *                        ap_popenf_ex() and ap_psocket_ex().
    * 19990320.15          - ap_is_recursion_limit_exceeded()
    * 19990320.16          - ap_escape_errorlog_item()
  + * 19990320.17          - ap_auth_nonce() and ap_auth_nonce added
  + *                        in core_dir_config.
    */
   
   #define MODULE_MAGIC_COOKIE 0x41503133UL /* "AP13" */
  
  
  
  1.18      +1 -2      apache-1.3/src/include/hsregex.h
  
  Index: hsregex.h
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/include/hsregex.h,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- hsregex.h	6 Mar 2002 13:03:15 -0000	1.17
  +++ hsregex.h	15 Apr 2004 15:51:51 -0000	1.18
  @@ -16,8 +16,7 @@
   #endif
   #endif
   
  -#undef ap_private_extern
  -#if defined(MAC_OS) || defined(MAC_OS_X_SERVER) || (defined(DARWIN) && defined(__DYNAMIC__))
  +#if defined(MAC_OS) || defined(MAC_OS_X_SERVER)
   #define ap_private_extern __private_extern__
   #else
   #define ap_private_extern
  
  
  
  1.75      +4 -0      apache-1.3/src/include/http_core.h
  
  Index: http_core.h
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v
  retrieving revision 1.74
  retrieving revision 1.75
  diff -u -r1.74 -r1.75
  --- http_core.h	29 Mar 2004 18:35:29 -0000	1.74
  +++ http_core.h	15 Apr 2004 15:51:51 -0000	1.75
  @@ -119,6 +119,7 @@
        
   API_EXPORT(const char *) ap_auth_type (request_rec *);
   API_EXPORT(const char *) ap_auth_name (request_rec *);     
  +API_EXPORT(const char *) ap_auth_nonce (request_rec *);
   API_EXPORT(int) ap_satisfies (request_rec *r);
   API_EXPORT(const array_header *) ap_requires (request_rec *);    
   
  @@ -313,6 +314,9 @@
        * direct command line parameters or argv elements?
        */
       ap_flag_e cgi_command_args;
  +
  +    /* Digest auth. */
  +    char *ap_auth_nonce;
   
   } core_dir_config;
   
  
  
  
  1.333     +54 -0     apache-1.3/src/main/http_core.c
  
  Index: http_core.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
  retrieving revision 1.332
  retrieving revision 1.333
  diff -u -r1.332 -r1.333
  --- http_core.c	29 Mar 2004 18:35:29 -0000	1.332
  +++ http_core.c	15 Apr 2004 15:51:51 -0000	1.333
  @@ -202,6 +202,9 @@
       if (new->ap_auth_name) {
           conf->ap_auth_name = new->ap_auth_name;
       }
  +    if (new->ap_auth_nonce) {
  +        conf->ap_auth_nonce = new->ap_auth_nonce;
  +    }
       if (new->ap_requires) {
           conf->ap_requires = new->ap_requires;
       }
  @@ -543,6 +546,32 @@
       return conf->ap_auth_name;
   }
   
  +API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
  +{
  +    core_dir_config *conf;
  +    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
  +                                                   &core_module);
  +    if (conf->ap_auth_nonce)
  +       return conf->ap_auth_nonce;
  +
  +    /* Ideally we'd want to mix in some per-directory style
  +     * information; as we are likely to want to detect replay
  +     * across those boundaries and some randomness. But that
  +     * is harder due to the adhoc nature of .htaccess memory
  +     * structures, restarts and forks.
  +     *
  +     * But then again - you should use AuthDigestRealmSeed in your config
  +     * file if you care. So the adhoc value should do.
  +     */
  +    return ap_psprintf(r->pool,"%lu%lu%lu%lu%lu%s",
  +           *(unsigned long *)&((r->connection->local_addr).sin_addr ),
  +           *(unsigned long *)ap_user_name,
  +           *(unsigned long *)ap_listeners,
  +           *(unsigned long *)ap_server_argv0,
  +           *(unsigned long *)ap_pid_fname,
  +           "WHAT_THE_HECK_GOES_HERE?");
  +}
  +
   API_EXPORT(const char *) ap_default_type(request_rec *r)
   {
       core_dir_config *conf;
  @@ -2811,6 +2840,28 @@
       return NULL;
   }
   
  +/*
  + * Load an authorisation nonce into our location configuration, and
  + * force it to be in the 0-9/A-Z realm.
  + */
  +static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1)
  +{
  +    core_dir_config *aconfig = (core_dir_config *)mconfig;
  +    int i;
  +
  +    aconfig->ap_auth_nonce = ap_escape_quotes(cmd->pool, word1);
  +
  +    if (strlen(aconfig->ap_auth_nonce) > 510)
  +       return "AuthDigestRealmSeed length limited to 510 chars for browser compatibility";
  +
  +    for(i=0;i<strlen(aconfig->ap_auth_nonce );i++)
  +       if (!ap_isalnum(aconfig->ap_auth_nonce [i]))
  +         return "AuthDigestRealmSeed limited to 0-9 and A-Z range for browser compatibility";
  +
  +    return NULL;
  +}
  +
  +
   #ifdef _OSD_POSIX /* BS2000 Logon Passwd file */
   static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name)
   {
  @@ -3425,6 +3476,9 @@
     "An HTTP authorization type (e.g., \"Basic\")" },
   { "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1,
     "The authentication realm (e.g. \"Members Only\")" },
  +{ "AuthDigestRealmSeed", set_authnonce, NULL, OR_AUTHCFG, TAKE1,
  +  "An authentication token which should be different for each logical realm. "\
  +  "A random value or the servers IP may be a good choise.\n" },
   { "Require", require, NULL, OR_AUTHCFG, RAW_ARGS,
     "Selects which authenticated users or groups may access a protected space" },
   { "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1,
  
  
  
  1.335     +17 -2     apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.334
  retrieving revision 1.335
  diff -u -r1.334 -r1.335
  --- http_protocol.c	29 Mar 2004 18:23:03 -0000	1.334
  +++ http_protocol.c	15 Apr 2004 15:51:51 -0000	1.335
  @@ -33,6 +33,7 @@
   #include "util_date.h"          /* For parseHTTPdate and BAD_DATE */
   #include <stdarg.h>
   #include "http_conf_globals.h"
  +#include "util_md5.h"           /* For digestAuth */
   
   #define SET_BYTES_SENT(r) \
     do { if (r->sent_bodyct) \
  @@ -1348,11 +1349,25 @@
   
   API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
   {
  +    /* We need to create a nonce which:
  +     * a) changes all the time (see r->request_time)
  +     *    below and
  +     * b) of which we can verify that it is our own
  +     *    fairly easily when it comes to veryfing
  +     *    the digest coming back in the response.
  +     * c) and which as a whole should not
  +     *    be unlikely to be in use anywhere else.
  +     */
  +    char * nonce_prefix = ap_md5(r->pool,
  +           (unsigned char *)
  +           ap_psprintf(r->pool, "%s%lu",
  +                       ap_auth_nonce(r), r->request_time));
  +
       ap_table_setn(r->err_headers_out,
   	    r->proxyreq == STD_PROXY ? "Proxy-Authenticate"
   		  : "WWW-Authenticate",
  -	    ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"",
  -		ap_auth_name(r), r->request_time));
  +           ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s%lu\"",
  +               ap_auth_name(r), nonce_prefix, r->request_time));
   }
   
   API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
  
  
  
  1.55      +26 -0     apache-1.3/src/modules/standard/mod_digest.c
  
  Index: mod_digest.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_digest.c,v
  retrieving revision 1.54
  retrieving revision 1.55
  diff -u -r1.54 -r1.55
  --- mod_digest.c	20 Feb 2004 20:37:40 -0000	1.54
  +++ mod_digest.c	15 Apr 2004 15:51:52 -0000	1.55
  @@ -273,6 +273,23 @@
   
   /* The actual MD5 code... whee */
   
  +/* Check that a given nonce is actually one which was
  + * issued by this server in the right context.
  + */
  +static int check_nonce(pool *p, const char *prefix, const char *nonce) {
  +    char *timestamp = (char *)nonce + 2 * MD5_DIGESTSIZE;
  +    char *md5;
  +
  +    if (strlen(nonce) < MD5_DIGESTSIZE)
  +       return AUTH_REQUIRED;
  +
  +    md5 = ap_md5(p, (unsigned char *)ap_pstrcat(p, prefix, timestamp, NULL));
  +
  +    return strncmp(md5, nonce, 2 * MD5_DIGESTSIZE);
  +}
  +
  +/* Check the digest itself.
  + */
   static char *find_digest(request_rec *r, digest_header_rec * h, char *a1)
   {
       return ap_md5(r->pool,
  @@ -312,6 +329,15 @@
   
       if (!sec->pwfile)
   	return DECLINED;
  +
  +    /* Check that the nonce was one we actually issued. */
  +    if (check_nonce(r->pool, ap_auth_nonce(r), response->nonce)) {
  +        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  +            "Client is using a nonce which was not issued by "
  +            "this server for this context: %s", r->uri);
  +        ap_note_digest_auth_failure(r);
  +        return AUTH_REQUIRED;
  +    }
   
       if (!(a1 = get_hash(r, c->user, sec->pwfile))) {
   	ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  
  
  
  1.17      +1 -0      apache-1.3/src/os/netware/ApacheCore.imp
  
  Index: ApacheCore.imp
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/os/netware/ApacheCore.imp,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- ApacheCore.imp	16 Jan 2003 22:49:16 -0000	1.16
  +++ ApacheCore.imp	15 Apr 2004 15:51:52 -0000	1.17
  @@ -16,6 +16,7 @@
    ap_array_cat,
    ap_auth_name,
    ap_auth_type,
  + ap_auth_nonce,
    ap_basic_http_header,
    ap_bclose,
    ap_bcreate,
  
  
  
  1.43      +1 -0      apache-1.3/src/support/httpd.exp
  
  Index: httpd.exp
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/support/httpd.exp,v
  retrieving revision 1.42
  retrieving revision 1.43
  diff -u -r1.42 -r1.43
  --- httpd.exp	28 Jan 2004 21:22:21 -0000	1.42
  +++ httpd.exp	15 Apr 2004 15:51:52 -0000	1.43
  @@ -22,6 +22,7 @@
   ap_array_cat
   ap_array_pstrcat
   ap_auth_name
  +ap_auth_nonce
   ap_auth_type
   ap_base64encode
   ap_base64encode_binary
  
  
  

Mime
View raw message