httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Updated mod_digest (fwd)
Date Wed, 02 Jun 1999 06:48:10 GMT
Heh, yeah we're not compliant... and someone has been working on it.  :)

Dean

---------- Forwarded message ----------
From: "Life is hard, and then you die." <ronald@innovation.ch>
Subject: Updated mod_digest
To: new-httpd@apache.org
Date: Fri, 20 Nov 1998 10:42:11 +0100 (MET)
Reply-To: new-httpd@apache.org


I've mentioned that I've been working on a new version of mod_digest, so
here it is. The changes from the current mod_digest include:

  - Update to latest digest draft (draft-ietf-http-authentication-03);
    includes handling of new attributes: qop, algorithm, cnonce, and
    nonce_count. Still handles RFC-2069 clients.

  - New config directives: AuthDigestQop, AuthDigestNonceLifetime,
    AuthDigestNonceFormat, AuthDigestNcCheck, AuthDigestAlgorithm, and
    AuthDigestDomain

  - A cryptographically secure random nonce is used (160 bit secret
    hashed up with time and realm using SHA-1).

  - Response nonce is now checked, and nonce expiry implemented.

  - "stale=true" is generated on expired nonces (if the response is correct
    otherwise).

  - In general, much more checking is done (the realm, algorithm, uri, and
    qop attributes are all checked for validity).

  - The (Proxy-)Authentication-Info header is generated (with nextnonce)

  - Improved header parser: correctly deals with whitespace, handles
    escaped chars in quoted strings, is "maximally loose" (should accept
    anything that is parseable), is faster, etc.

  - note_digest_auth_failure() is not part of public api anymore. This is
    because it needs much more info to generate the header, and nobody
    besides mod_digest seems to need it anyway.

  - mod_digest must be invoked after mod_proxy (i.e. it must be listed
    before in the Configuration file) because the WWW-Authenticate and
    Proxy-Authenticate headers are parsed in the post-read-request phase
    and need to know if this is a proxy request or not.

  - Requires the "truerand" library (-> slow startup)

There are some open issues, as mentioned in the header comment and as
marked with TBD (To Be Done). I plan on trying to rip off the shared
memory and locking stuff from http_main and then implementing
nonce-count checking, one-time nonces, and session management for
MD5-sess. This'll happen hopefully in the next couple weeks.

Attached are the (unified) diffs and the complete mod_digest.c and
mod_digest.html . If anybody is looking for a client to run against
the new module and has java installed on their machine, then you
can get the latest snapshot of my client at
http://www.innovation.ch/java/HTTPClient/V0.4-dev/
Also attached is the patch for Configuration.tmpl to move mod_proxy
up earlier in the processing.

One thing: there is a binary version of base64-encoding and decoding
(i.e. binary -> string (encoding), and string -> binary (decoding))
in this mod_digest - it might be useful to extract them and put them
in util as ap_base64encode_binary() and ap_base64decode_binary().
ap_uuencode() and ap_uudecode() could then be implemented in terms
of these binary versions. If you think this is reasonable I'll supply
the patches.

Another thing: mod_proxy currently totally ignores any headers set by
any module. This prevents the Proxy-Authentication-Info header from
being sent. I've therefore also attached a couple patches to
proxy_http.c and proxy_ftp.c which simply merge in the headers set by
other modules (with the proxy generated headers overriding the others).
I'm not completely sure this is the correct way to do it, though. I think
the best solution would be for the proxy to generate the headers in an
earlier phase so that the fixup handler could just add the
Proxy-Authorization-Info header.


  Cheers,

  Ronald

[patch trimmed -dean]
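The nonce scheme and checks the post lists (secret hashed with time and realm, nonce expiry, "stale=true" only when the response is otherwise correct, RFC 2069 and qop=auth response forms) as an added, self-contained illustration; this is not Ronald's mod_digest.c, and the nonce layout, SECRET, NONCE_LIFETIME and the verify() return values are constructed for the example.

```python
import base64, hashlib, hmac, os

SECRET = os.urandom(20)   # 160-bit per-server secret, as the post describes
NONCE_LIFETIME = 300      # seconds; stands in for the AuthDigestNonceLifetime directive

def make_nonce(realm, now, secret=SECRET):
    """nonce = base64(timestamp ':' SHA1(timestamp, realm, secret)); constructed layout."""
    ts = str(int(now))
    mac = hashlib.sha1(f"{ts}:{realm}:".encode() + secret).hexdigest()
    return base64.b64encode(f"{ts}:{mac}".encode()).decode()

def check_nonce(nonce, realm, now, lifetime=NONCE_LIFETIME, secret=SECRET):
    """Return (genuine, stale): genuine = we issued it for this realm, stale = expired."""
    try:
        ts, mac = base64.b64decode(nonce).decode().split(":", 1)
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False, False
    expect = hashlib.sha1(f"{ts}:{realm}:".encode() + secret).hexdigest()
    if not hmac.compare_digest(mac, expect):
        return False, False            # forged or garbled: never answer with stale=true
    return True, (now - issued) > lifetime

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """request-digest: qop=None is the RFC 2069 form, qop='auth' the draft-03 form."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{ha1}:{nonce}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(params, ha1_store, method, now, secret=SECRET):
    """Server decision for parsed Authorization params: 'ok', 'stale' or 'reject'.
    ha1_store maps (username, realm) -> MD5(user:realm:password)."""
    genuine, stale = check_nonce(params["nonce"], params["realm"], now, secret=secret)
    ha1 = ha1_store.get((params.get("username"), params["realm"]))
    qop = params.get("qop")
    if not genuine or ha1 is None or qop not in (None, "auth"):
        return "reject"                # unknown nonce, user or qop: plain failure
    expect = digest_response(ha1, method, params["uri"], params["nonce"],
                             qop, params.get("nc"), params.get("cnonce"))
    if not hmac.compare_digest(expect, params.get("response", "")):
        return "reject"
    return "stale" if stale else "ok"  # stale only when the response is otherwise correct
```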

