Lines Matching defs:nonce

31  *   - nonce-format configurability
39 * o Server name and port can't be included in nonce-hash
40 * (we need two nonce formats, which must be configured explicitly)
41 * o Nonce-count check can't be for equal, or then nonce-count checking
118 unsigned long nonce_count; /* for nonce-count checking */
119 char last_nonce[NONCE_LEN+1]; /* for one-time nonce's */
140 char *nonce;
160 /* (mostly) nonce stuff */
169 /* client-list, opaque, and one-time-nonce stuff */
174 static apr_time_t *otn_counter; /* one-time-nonce counter */
228 "%s - all nonce-count checking and one-time nonces "
310 /* setup one-time-nonce counter */
466 /* we precompute the part of the nonce hash that is constant (well,
572 return "AuthDigestNcCheck: ERROR: nonce-count checking "
659 "Maximum lifetime of the server nonce (seconds)"),
661 "The format to use when generating the server nonce"),
663 "Whether or not to check the nonce-count sent by the client"),
681 * server nonce, and that is checked.
700 * clients will just be sent a new client id (opaque field) and nonce
701 * with a stale=true (i.e. it will just look like the nonce expired,
727 * processed anyway, so you have problems with the nonce-count and
955 else if (!strcasecmp(key, "nonce"))
956 resp->nonce = apr_pstrdup(r->pool, value);
973 if (!resp->username || !resp->realm || !resp->nonce || !resp->uri
990 * nonce-count when it does, and because the client does not get notified
992 * update the nonce-count each time we receive an Authorization header no
1030 /* The hash part of the nonce is a SHA-1 hash of the time, realm, server host
1058 /* The nonce has the format b64(time)+hash .
1064 char *nonce = apr_palloc(p, NONCE_LEN+1);
1080 apr_base64_encode_binary(nonce, t.arr, sizeof(t.arr));
1081 gen_nonce_hash(nonce+NONCE_TIME_LEN, nonce, opaque, server, conf);
1083 return nonce;
1136 const char *qop, *opaque, *opaque_param, *domain, *nonce;
1178 /* we're generating a new nonce, so reset the nonce-count */
1189 /* Setup nonce */
1191 nonce = gen_nonce(r->pool, r->request_time, opaque, r->server, conf);
1193 memcpy(resp->client->last_nonce, nonce, NONCE_LEN+1);
1217 "nonce=\"%s\", algorithm=%s%s%s%s%s",
1218 ap_auth_name(r), nonce, conf->algorithm,
1332 "cannot check nonce count without shared memory");
1342 /* qop is none, client must not send a nonce count */
1345 "invalid nc %s received - no nonce count allowed when qop=none",
1349 /* qop is none, cannot check nonce count */
1366 "Warning, possible replay attack: nonce-count "
/* NOTE(review): these are non-contiguous search hits (the leading number is
 * the line in the original file), so the enclosing function, the logging
 * calls and the branch conditions between them are not visible here. The
 * notes below state only what the shown lines establish. */
/* Exact-length gate: the client-supplied nonce must be NONCE_LEN characters
 * before any fixed-offset access below. */
1382 if (strlen(resp->nonce) != NONCE_LEN) {
/* NOTE(review): the rejected nonce is client-controlled and is passed to a
 * "%s" format; presumably this is an error-log call (not shown), so confirm
 * that the log path escapes control characters. */
1384 "invalid nonce %s received - length is not %d",
1385 resp->nonce, NONCE_LEN);
/* Temporarily NUL-terminate the nonce after its time prefix so the prefix
 * can be handled as a C string; the saved byte is put back at 1394.
 * Indexing at NONCE_TIME_LEN relies on the length check at 1382 and assumes
 * NONCE_TIME_LEN < NONCE_LEN (the definitions are not shown, TODO confirm). */
1390 tmp = resp->nonce[NONCE_TIME_LEN];
1391 resp->nonce[NONCE_TIME_LEN] = '\0';
/* Decode the base64 time prefix into nonce_time.arr.
 * NOTE(review): assumes nonce_time.arr can hold the decoded form of
 * NONCE_TIME_LEN base64 characters; its declaration is not shown. */
1392 apr_base64_decode_binary(nonce_time.arr, resp->nonce);
/* Recompute the expected hash from the time prefix, the opaque value, the
 * server record and the configuration. */
1393 gen_nonce_hash(hash, resp->nonce, resp->opaque, r->server, conf);
1394 resp->nonce[NONCE_TIME_LEN] = tmp;
/* Integrity check: the hash part of the received nonce must equal the
 * recomputed one.
 * NOTE(review): strcmp() stops at the first differing byte, so this is not
 * a constant-time comparison; if response timing is in the threat model, a
 * fixed-time comparison over the known hash length would be the safer form. */
1397 if (strcmp(hash, resp->nonce+NONCE_TIME_LEN)) {
/* NOTE(review): this message prints the server-computed expected hash next
 * to the received nonce, so anyone who can read the log sees a valid hash
 * for that time prefix and opaque value. Consider dropping the second "%s",
 * or make sure the log is access-restricted. */
1399 "invalid nonce %s received - hash is not %s",
1400 resp->nonce, hash);
/* Per the message text, presumably the branch for a nonce timestamp that
 * lies in the future; the condition itself is not shown. */
1408 "invalid nonce %s received - user attempted "
1409 "time travel", resp->nonce);
/* Per the message text, the branch for a nonce older than the configured
 * maximum lifetime; a fresh nonce is sent rather than a hard failure. */
1417 "user %s: nonce expired (%.2f seconds old "
1418 "- max lifetime %.2f) - sending new nonce",
/* One-time-nonce check: the received nonce must match the last nonce stored
 * for this client over NONCE_LEN bytes. resp->nonce is exactly NONCE_LEN
 * long after the check at 1382, so the read stays inside the string. */
1426 if (memcmp(resp->client->last_nonce, resp->nonce, NONCE_LEN)) {
1428 "user %s: one-time-nonce mismatch - sending "
1429 "new nonce", r->user);
1450 (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce,
1467 (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce,
1529 * really is that user, if the nonce is correct, etc.
1584 "missing user, realm, nonce, uri, digest, "
1802 generated if the nonce is old */
1834 /* send nextnonce if current nonce will expire in less than 30 secs */
1845 const char *nonce = gen_nonce(r->pool, 0, resp->opaque, r->server,
1847 nextnonce = apr_pstrcat(r->pool, ", nextnonce=\"", nonce, "\"", NULL);
1848 memcpy(resp->client->last_nonce, nonce, NONCE_LEN+1);
1850 /* else nonce never expires, hence no nextnonce */
1873 resp->nonce, ":",