httpd-dev mailing list archives

From Dean Gaudet <>
Subject Updated mod_digest (fwd)
Date Wed, 02 Jun 1999 06:48:10 GMT
Heh, yeah we're not compliant... and someone has been working on it.  :)


---------- Forwarded message ----------
From: "Life is hard, and then you die." <>
Subject: Updated mod_digest
Date: Fri, 20 Nov 1998 10:42:11 +0100 (MET)

I've mentioned that I've been working on a new version of mod_digest, so
here it is. The changes from the current mod_digest include:

  - Update to latest digest draft (draft-ietf-http-authentication-03);
    includes handling of new attributes: qop, algorithm, cnonce, and
    nonce_count. Still handles RFC-2069 clients.

  - New config directives: AuthDigestQop, AuthDigestNonceLifetime,
    AuthDigestNonceFormat, AuthDigestNcCheck, AuthDigestAlgorithm, and
    AuthDigestDomain

  - A cryptographically secure random nonce is used (160 bit secret
    hashed up with time and realm using SHA-1).

  - Response nonce is now checked, and nonce expiry implemented.

  - "stale=true" is generated on expired nonces (if the response is correct)

  - In general, much more checking is done (the realm, algorithm, uri, and
    qop attributes are all checked for validity).

  - The (Proxy-)Authentication-Info header is generated (with nextnonce)

  - Improved header parser: correctly deals with whitespace, handles
    escaped chars in quoted strings, is "maximally loose" (should accept
    anything that is parseable), is faster, etc.

  - note_digest_auth_failure() is not part of public api anymore. This is
    because it needs much more info to generate the header, and nobody
    besides mod_digest seems to need it anyway.

  - mod_digest must be invoked after mod_proxy (i.e. it must be listed
    before in the Configuration file) because the WWW-Authenticate and
    Proxy-Authenticate headers are parsed in the post-read-request phase
    and need to know if this is a proxy request or not.

  - Requires the "truerand" library (-> slow startup)

There are some open issues, as mentioned in the header comment and as
marked with TBD (To Be Done). I plan on trying to rip off the shared
memory and locking stuff from http_main and then implementing
nonce-count checking, one-time nonces, and session management for
MD5-sess. This'll happen hopefully in the next couple weeks.

Attached are the (unified) diffs and the complete mod_digest.c and
mod_digest.html. If anybody is looking for a client to run against
the new module and has Java installed on their machine, then you
can get the latest snapshot of my client at
Also attached is the patch for Configuration.tmpl to move mod_proxy
up earlier in the processing.

One thing: there is a binary version of base64-encoding and decoding
(i.e. binary -> string (encoding), and string -> binary (decoding))
in this mod_digest - it might be useful to extract them and put them
in util as ap_base64encode_binary() and ap_base64decode_binary().
ap_uuencode() and ap_uudecode() could then be implemented in terms
of these binary versions. If you think this is reasonable I'll supply
the patches.

Another thing: mod_proxy currently totally ignores any headers set by
any module. This prevents the Proxy-Authentication-Info header from
being sent. I've therefore also attached a couple patches to
proxy_http.c and proxy_ftp.c which simply merge in the headers set by
other modules (with the proxy generated headers overriding the others).
I'm not completely sure this is the correct way to do it, though. I think
the best solution would be for the proxy to generate the headers in an
earlier phase so that the fixup handler could just add the
Proxy-Authorization-Info header.



[patch trimmed -dean]
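The post describes several server-side pieces that the trimmed patch implemented in C: a nonce derived from a secret, a timestamp and the realm; a nonce check that reports expiry as "stale" only when the rest of the response is correct; a header parser that tolerates whitespace and escaped characters in quoted strings; and response verification for both RFC 2069 clients and draft-03 clients sending qop, nc and cnonce. The following Python sketch is an added example written for this archive page, not code from mod_digest or the patch. The nonce layout (hex timestamp, a colon, then SHA-1 over secret, timestamp and realm), the 300-second lifetime, the fixed secret and the user table are all assumptions chosen so the example runs reproducibly offline.

```python
"""Digest-auth server pieces sketched after the mod_digest description.
Added example, not the module's code: nonce layout, lifetime, secret
and the credential store are assumptions for a self-contained demo."""
import hashlib
import hmac
import re

SERVER_SECRET = bytes(range(20))    # 160-bit secret; constructed constant, a server would draw it at startup
NONCE_LIFETIME = 300                # seconds a nonce stays fresh (assumed value)
USERS = {"alice": "correct horse"}  # constructed credential store


def make_nonce(realm, now, secret=SERVER_SECRET):
    """nonce = hex(time) ':' SHA1(secret || hex(time) || realm); assumed layout."""
    ts = "%08x" % int(now)
    return ts + ":" + hashlib.sha1(secret + ts.encode() + realm.encode()).hexdigest()


def check_nonce(nonce, realm, now, lifetime=NONCE_LIFETIME, secret=SERVER_SECRET):
    """'ok', 'stale' (genuine but expired) or 'bad' (forged or garbled)."""
    ts, sep, digest = nonce.partition(":")
    try:
        issued = int(ts, 16)
    except ValueError:
        return "bad"
    expected = hashlib.sha1(secret + ts.encode() + realm.encode()).hexdigest()
    if not sep or not hmac.compare_digest(expected, digest):
        return "bad"
    return "stale" if now - issued > lifetime else "ok"


def challenge(realm, now, stale=False):
    """WWW-Authenticate value offering qop=auth; stale=true when the nonce merely expired."""
    value = 'Digest realm="%s", nonce="%s", qop="auth", algorithm=MD5' % (realm, make_nonce(realm, now))
    return value + (", stale=true" if stale else "")


# One "key=value" pair: token or quoted-string with backslash escapes, then a comma or end.
_TOKEN = r'[^\s=,"]+'
_PAIR = re.compile(r'\s*(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))\s*(?:,|$)')


def parse_digest_header(value):
    """Parse a Digest Authorization header into a dict; None if not parseable."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params, pos = {}, 0
    while pos < len(rest):
        m = _PAIR.match(rest, pos)
        if not m:
            return None
        key, quoted, bare = m.groups()
        # Unescape backslash-quoted characters inside quoted strings
        params[key.lower()] = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
        pos = m.end()
    return params


def _h(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, algorithm="MD5"):
    """Client response: RFC 2069 form when qop is absent, draft-03/RFC 2617 form otherwise."""
    ha1 = _h("%s:%s:%s" % (username, realm, password))
    if algorithm.upper() == "MD5-SESS":
        ha1 = _h("%s:%s:%s" % (ha1, nonce, cnonce))
    ha2 = _h("%s:%s" % (method, uri))
    if qop is None:
        return _h("%s:%s:%s" % (ha1, nonce, ha2))
    return _h("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def verify(auth_header, method, request_uri, realm, now, users=USERS):
    """Server-side check of an Authorization header; returns 'ok', 'stale' or 'bad'."""
    p = parse_digest_header(auth_header)
    if p is None or any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
        return "bad"
    algorithm, qop = p.get("algorithm", "MD5"), p.get("qop")
    # Realm, algorithm, uri and qop are all validated before any hashing is done
    if p["realm"] != realm or p["uri"] != request_uri or algorithm.upper() not in ("MD5", "MD5-SESS"):
        return "bad"
    if qop is not None and (qop != "auth" or "nc" not in p or "cnonce" not in p):
        return "bad"  # auth-int is not handled in this sketch
    nonce_state = check_nonce(p["nonce"], realm, now)
    if nonce_state == "bad" or p["username"] not in users:
        return "bad"
    expected = digest_response(p["username"], realm, users[p["username"]], method, p["uri"],
                               p["nonce"], qop, p.get("nc"), p.get("cnonce"), algorithm)
    if not hmac.compare_digest(expected, p["response"]):
        return "bad"
    return nonce_state  # 'stale' only when the credentials were otherwise correct
```

When `verify` returns "stale" the server re-challenges with `challenge(realm, now, stale=True)`, so a client that still holds valid credentials can retry without prompting the user; a "bad" result gets a plain challenge. Nonce-count replay detection, which the post lists as still to be done, would sit next to `check_nonce` and needs state shared across server processes.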
