mod_auth_digest.c revision 612b906e8dd17ebb1704b6663caf5d9ab321f971
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen/* ====================================================================
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * The Apache Software License, Version 1.1
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * Redistribution and use in source and binary forms, with or without
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * modification, are permitted provided that the following conditions
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * 1. Redistributions of source code must retain the above copyright
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * notice, this list of conditions and the following disclaimer.
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * 2. Redistributions in binary form must reproduce the above copyright
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * notice, this list of conditions and the following disclaimer in
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * the documentation and/or other materials provided with the
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * distribution.
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * 3. The end-user documentation included with the redistribution,
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * if any, must include the following acknowledgment:
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * "This product includes software developed by the
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * Apache Software Foundation (http://www.apache.org/)."
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * Alternately, this acknowledgment may appear in the software itself,
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * if and wherever such third-party acknowledgments normally appear.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * 4. The names "Apache" and "Apache Software Foundation" must
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * not be used to endorse or promote products derived from this
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * software without prior written permission. For written
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * permission, please contact apache@apache.org.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * 5. Products derived from this software may not be called "Apache",
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * nor may "Apache" appear in their name, without prior written
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * permission of the Apache Software Foundation.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * ====================================================================
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * This software consists of voluntary contributions made by many
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * individuals on behalf of the Apache Software Foundation. For more
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * information on the Apache Software Foundation, please see
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * Portions of this software are based upon public domain software
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * originally written at the National Center for Supercomputing Applications,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * University of Illinois, Urbana-Champaign.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * mod_auth_digest: MD5 digest authentication
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * Originally by Alexei Kosut <akosut@nueva.pvt.k12.ca.us>
12b42c76672a66c2d4ea7212c14f8f1b5a62b78dTom Gundersen * Updated to RFC-2617 by Ronald Tschalär <ronald@innovation.ch>
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * based on mod_auth, by Rob McCool and Robert S. Thau
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * This module is an updated version of modules/standard/mod_digest.c
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * It is still fairly new and problems may turn up - submit problem
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * reports to the Apache bug-database, or send them directly to me
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * at ronald@innovation.ch.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * Requires either /dev/random (or equivalent) or the truerand library,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * available for instance from
12b42c76672a66c2d4ea7212c14f8f1b5a62b78dTom Gundersen * ftp://research.att.com/dist/mab/librand.shar
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * - qop=auth-int (when streams and trailer support available)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * - nonce-format configurability
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * - Proxy-Authorization-Info header is set by this module, but is
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * currently ignored by mod_proxy (needs patch to mod_proxy)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * - generating the secret takes a while (~ 8 seconds) if using the
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * truerand library
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * - The source of the secret should be run-time directive (with server
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * scope: RSRC_CONF). However, that could be tricky when trying to
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * choose truerand vs. file...
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * - shared-mem not completely tested yet. Seems to work ok for me,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * but... (definitely won't work on Windoze)
102bd40e1ed71c7ab980a90435a1c23d4c786c63Lennart Poettering * - Sharing a realm among multiple servers has following problems:
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * o Server name and port can't be included in nonce-hash
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * (we need two nonce formats, which must be configured explicitly)
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * o Nonce-count check can't be for equal, or then nonce-count checking
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * must be disabled. What we could do is the following:
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * (expected < received) ? set expected = received : issue error
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * The only problem is that it allows replay attacks when somebody
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen * captures a packet sent to one server and sends it to another
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * one. Should we add "AuthDigestNcCheck Strict"?
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * - expired nonces give amaya fits.
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* Disable shmem until pools/init gets sorted out - remove next line when fixed */
/*
 * Stand-in definitions for the APR shared-memory calls, used when the real
 * ones are unavailable. This listing drops the preprocessor guards, the
 * closing braces and several stub bodies, so only the bodies printed below
 * are known to return APR_ENOTIMPL.
 *
 * NOTE(review): with these stubs in place apr_shm_init() cannot succeed, and
 * the message in log_error_and_cleanup() says that nonce-count checking,
 * one-time nonces and MD5-sess are then disabled. Treat a build that takes
 * this path as running without those replay protections.
 */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* just provide dummies - the code does run-time checks anyway */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t apr_shm_init(apr_shmem_t **m, apr_size_t reqsize, const char *file, apr_pool_t *cont) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek return APR_ENOTIMPL;
/* The bodies of the next four stubs are not part of this listing. */
5256e00e8b9015dd1a976d647fc71dc7efbd8cf8Tom Gundersenstatic apr_status_t apr_shm_destroy(apr_shmem_t *m) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic void *apr_shm_malloc(apr_shmem_t *c, apr_size_t reqsize) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic void *apr_shm_calloc(apr_shmem_t *shared, apr_size_t size) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t apr_shm_free(apr_shmem_t *shared, void *free) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t apr_shm_name_get(apr_shmem_t *c, apr_shm_name_t **name) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek return APR_ENOTIMPL;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t apr_shm_name_set(apr_shmem_t *c, apr_shm_name_t *name) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek return APR_ENOTIMPL;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t apr_shm_open(apr_shmem_t *c) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek return APR_ENOTIMPL;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t apr_shm_avail(apr_shmem_t *c, apr_size_t *avail) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek return APR_ENOTIMPL;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#endif /* ndef APR_HAS_SHARED_MEMORY */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* struct to hold the configuration info */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmektypedef struct digest_config_struct {
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen const char *ha1;
/* Default nonce lifetime: 300 seconds, expressed in APR microseconds. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#define DFLT_NONCE_LIFE (300*APR_USEC_PER_SEC)
/* 30 seconds in APR microseconds. NOTE(review): the code that uses this
 * delta is not part of this listing - confirm its role before tuning it. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#define NEXTNONCE_DELTA (30*APR_USEC_PER_SEC)
/* ((n + 2) / 3) * 4 is the padded base64 length of n bytes, with
 * n = sizeof(apr_time_t). Presumably the nonce timestamp is base64-encoded;
 * the encoder is not visible here - confirm. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#define NONCE_TIME_LEN (((sizeof(apr_time_t)+2)/3)*4)
/* Two characters per SHA-1 digest byte, which matches a hex-encoded SHA-1.
 * NOTE(review): what is hashed, and whether the module secret is part of it,
 * is not visible in this listing. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#define NONCE_HASH_LEN (2*APR_SHA1_DIGESTSIZE)
/* Total nonce length: the time part plus the hash part. Buffers that hold a
 * nonce as a string add one byte, as last_nonce[NONCE_LEN+1] does. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#define NONCE_LEN (NONCE_TIME_LEN + NONCE_HASH_LEN)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* client list definitions */
/* Fields of one client-list entry. The struct's opening and closing lines
 * are not part of this listing. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek unsigned long key; /* the key for this entry */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek struct hash_entry *next; /* next entry in the bucket */
/* Per-client replay counter. NOTE(review): the comparison against the
 * client's value is not visible here; the file header discusses why an
 * equality check breaks when a realm is shared among servers. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek unsigned long nonce_count; /* for nonce-count checking */
/* Room for two characters per MD5 digest byte plus a terminator.
 * NOTE(review): for MD5-sess this is the session H(A1); anyone able to read
 * it can compute valid responses for that session, so the segment holding
 * these entries should not be readable by other local users - confirm the
 * permissions of the shared segment. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek char ha1[2*MD5_DIGESTSIZE+1]; /* for algorithm=MD5-sess */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek char last_nonce[NONCE_LEN+1]; /* for one-time nonce's */
1ff28eaee33d9d0cee46bd176b6d6f8805c95036Tom Gundersen unsigned long tbl_len;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* struct to hold a parsed Authorization header */
1c25683e0f40c6169676cc44fa1897082597feecTom Gundersenenum hdr_sts { NO_HEADER, NOT_DIGEST, INVALID, VALID };
2e229e0c4c29e8a827be9ffe361741cf5e9aa7afTom Gundersen unsigned long opaque_num;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek /* the following fields are not (directly) from the header */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* (mostly) nonce stuff */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek unsigned char arr[sizeof(apr_time_t)];
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic unsigned char secret[SECRET_LEN];
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek/* client-list, opaque, and one-time-nonce stuff */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_shmem_t *client_shm = NULL;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic unsigned long *opaque_cntr;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_time_t *otn_counter; /* one-time-nonce counter */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_lock_t *client_lock = NULL;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_lock_t *opaque_lock = NULL;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic char client_lock_name[L_tmpnam];
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#define DEF_SHMEM_SIZE 1000L /* ~ 12 entries */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic long shmem_size = DEF_SHMEM_SIZE;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic long num_buckets = DEF_NUM_BUCKETS;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekmodule AP_MODULE_DECLARE_DATA auth_digest_module;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * initialization code
/*
 * Cleanup callback for the shared tables. Only its log call is part of this
 * listing; the braces and the actual teardown statements are not shown.
 *
 * NOTE(review): the call goes through ap_log_rerror() with NULL in the
 * request position. Confirm that logger tolerates a NULL request, or log
 * through the server-level ap_log_error() as the rest of this file does.
 */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t cleanup_tables(void *not_used)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_rerror(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "Digest: cleaning up shared memory");
/*
 * Fills the file-scope `secret` buffer (SECRET_LEN bytes) with output from
 * apr_generate_random_bytes() and logs progress on server `s`.
 *
 * This listing drops the braces, the conditionals and the return statements,
 * so the control flow between the statements below is not visible.
 *
 * NOTE(review): `secret` is declared under the "(mostly) nonce stuff"
 * heading, so it presumably keys the nonce hash - confirm against the nonce
 * code. If so, every nonce depends on this call succeeding.
 */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic apr_status_t initialize_secret(server_rec *s)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0, s,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "Digest: generating secret for digest authentication ...");
/* sizeof(secret) is the whole array, so the full buffer is requested. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek status = apr_generate_random_bytes(secret, sizeof(secret));
/* Compile-time refusal to build without a random source; the conditional
 * that selects this branch is not part of this listing. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#error APR random number support is missing; you probably need to install the truerand library.
/* Failure is logged at APLOG_CRIT. NOTE(review): confirm this path returns a
 * non-success status so the caller never proceeds with an unfilled secret. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_error(APLOG_MARK, APLOG_CRIT, status, s,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "Digest: error generating secret: %s",
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek apr_strerror(status, buf, sizeof(buf)));
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0, s, "Digest: done");
/*
 * Logs `msg` with status `sts` on server `s` at APLOG_ERR. The cleanup part
 * of the function is not part of this listing.
 *
 * NOTE(review): per the message text, the module keeps running after this
 * with nonce-count checking, one-time nonces and MD5-sess disabled, so the
 * replay protections degrade rather than the server refusing to start.
 * Operators should alert on this log line.
 */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic void log_error_and_cleanup(char *msg, apr_status_t sts, server_rec *s)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek ap_log_error(APLOG_MARK, APLOG_ERR, sts, s,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "Digest: %s - all nonce-count checking, one-time nonces, and "
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek "MD5-sess algorithm disabled", msg);
/*
 * Creates the shared segment and carves out of it the client list, the
 * opaque counter and the one-time-nonce counter, and creates the client and
 * opaque locks. Each step reports failure through log_error_and_cleanup().
 *
 * This listing drops the braces, the if-conditions and the return statements
 * around those calls, so the exact failure flow is not visible.
 */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic void initialize_tables(server_rec *s, apr_pool_t *ctx)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek /* set up client list */
/* NOTE(review): tmpnam() only returns a path name in the system temp
 * directory and creates nothing. If apr_shm_init() creates a file at that
 * path, another local user can claim the path first (CERT FIO21-C). Prefer a
 * path under a directory only the server user can write. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek sts = apr_shm_init(&client_shm, shmem_size, tmpnam(NULL), ctx);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek log_error_and_cleanup("failed to create shared memory segments", sts, s);
/* One header followed by num_buckets bucket pointers in a single allocation.
 * NOTE(review): num_buckets is a signed long; confirm it is validated as
 * positive and bounded before this multiplication. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek client_list = apr_shm_malloc(client_shm, sizeof(*client_list) +
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek sizeof(client_entry*)*num_buckets);
/* -1 is passed as the status here because the allocator returns no
 * apr_status_t of its own. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek log_error_and_cleanup("failed to allocate shared memory", -1, s);
/* The bucket array starts directly after the header in the same allocation. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek client_list->table = (client_entry**) (client_list + 1);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek for (idx = 0; idx < num_buckets; idx++) {
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek client_list->tbl_len = num_buckets;
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek sts = apr_lock_create(&client_lock, APR_READWRITE, APR_LOCKALL,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek APR_LOCK_DEFAULT, client_lock_name, ctx);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek log_error_and_cleanup("failed to create lock", sts, s);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek /* setup opaque */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek opaque_cntr = apr_shm_malloc(client_shm, sizeof(*opaque_cntr));
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek log_error_and_cleanup("failed to allocate shared memory", -1, s);
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek sts = apr_lock_create(&opaque_lock, APR_MUTEX, APR_LOCKALL,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek APR_LOCK_DEFAULT, opaque_lock_name, ctx);
12b42c76672a66c2d4ea7212c14f8f1b5a62b78dTom Gundersen log_error_and_cleanup("failed to create lock", sts, s);
7abaad1ab099b077ebd6452b14ef351483831245poma /* setup one-time-nonce counter */
7abaad1ab099b077ebd6452b14ef351483831245poma otn_counter = apr_shm_malloc(client_shm, sizeof(*otn_counter));
7abaad1ab099b077ebd6452b14ef351483831245poma log_error_and_cleanup("failed to allocate shared memory", -1, s);
/* NOTE(review): unlike the client list and the opaque counter, this shared
 * counter gets no lock. Confirm that concurrent updates from several
 * processes cannot hand out the same one-time nonce value twice. */
7abaad1ab099b077ebd6452b14ef351483831245poma /* no lock here */
7abaad1ab099b077ebd6452b14ef351483831245poma /* success */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek#endif /* APR_HAS_SHARED_MEMORY */
/*
 * Module initialization entry point. It marks its first invocation with the
 * pool userdata key "auth_digest_init" on the process pool and, per the
 * comment below, sets up static data only on the second call. It then calls
 * initialize_tables().
 *
 * This listing drops the braces, the conditions and some statements, so
 * which condition guards `return !OK` is not visible.
 *
 * NOTE(review): presumably that return is the failure path of secret
 * generation. Confirm that a failed initialize_secret() aborts startup here,
 * since a static `secret` that was never filled stays all zero.
 */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmekstatic int initialize_module(apr_pool_t *p, apr_pool_t *plog,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek apr_pool_t *ptemp, server_rec *s)
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek const char *userdata_key = "auth_digest_init";
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek /* initialize_module() will be called twice, and if it's a DSO
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * then all static data from the first call will be lost. Only
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek * set up our static data on the second call. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek apr_pool_userdata_get(&data, userdata_key, s->process->pool);
/* The stored value (1) is only a marker; apr_pool_cleanup_null means nothing
 * is run for it at pool cleanup. */
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek apr_pool_userdata_setn((const void *)1, userdata_key,
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek apr_pool_cleanup_null, s->process->pool);
return !OK;
/* initialize_tables() returns void, so a shared-memory failure does not
 * change this function's result. */
initialize_tables(s, p);
return OK;
if (!client_shm) {
!= APR_SUCCESS
!= APR_SUCCESS) {
return NULL;
if (conf) {
return conf;
return DECLINE_CMD;
const char *file)
return NULL;
const char *file)
return NULL;
char **tmp;
int cnt;
return NULL;
return NULL;
char *endptr;
long lifetime;
t, NULL);
return NULL;
const char *fmt)
return NULL;
if (!client_shm) {
return NULL;
if (c->uri_list) {
return NULL;
const char *size_str)
char *endptr;
if (num_buckets == 0) {
return NULL;
{NULL}
int bucket;
if (entry) {
return entry;
static long gc(void)
if (prev) {
num_removed++;
return num_removed;
server_rec *s)
int bucket;
return NULL;
if (!entry) {
if (!entry) {
return entry;
const char *auth_line;
size_t l;
if (!auth_line) {
return !OK;
return !OK;
auth_line++;
vk = 0;
auth_line++;
auth_line++;
auth_line++;
vv = 0;
auth_line++;
auth_line++;
auth_line++;
auth_line++;
return !OK;
return OK;
int res;
if (!ap_is_initial_req(r)) {
return DECLINED;
return DECLINED;
int idx;
if (opaque) {
int len;
time_rec t;
else if (otn_counter) {
return nonce;
unsigned long op;
if (!opaque_cntr) {
return NULL;
return NULL;
return entry;
* people need not modify mod_auth_digest.c each time they install a new
int generate)
else if (!generate) {
return NULL;
if (ha1) {
return ha1;
return dir;
return "http://0.0.0.0/";
return dir;
return tmp;
if (num != 0) {
int cnt;
if (opaque[0]) {
if (r->proxyreq) {
ap_configfile_t *f;
char l[MAX_STRING_LEN];
const char *rpw;
return NULL;
rpw = l;
ap_cfg_closefile(f);
ap_cfg_closefile(f);
return NULL;
unsigned long nc;
char *endptr;
return OK;
return !OK;
return !OK;
return !OK;
return OK;
int len;
return HTTP_UNAUTHORIZED;
return HTTP_UNAUTHORIZED;
return HTTP_UNAUTHORIZED;
return HTTP_UNAUTHORIZED;
return HTTP_UNAUTHORIZED;
return OK;
const char *ha2;
if (!ha1) {
return NULL;
NULL));
int res;
return DECLINED;
if (!ap_auth_name(r)) {
return HTTP_INTERNAL_SERVER_ERROR;
mainreq = r;
r->uri);
return HTTP_UNAUTHORIZED;
return HTTP_BAD_REQUEST;
return HTTP_BAD_REQUEST;
return HTTP_BAD_REQUEST;
return HTTP_UNAUTHORIZED;
return HTTP_UNAUTHORIZED;
return HTTP_UNAUTHORIZED;
return DECLINED;
return HTTP_UNAUTHORIZED;
r->uri);
return HTTP_UNAUTHORIZED;
const char *exp_digest;
if (!match
return HTTP_UNAUTHORIZED;
if (!exp_digest) {
return HTTP_INTERNAL_SERVER_ERROR;
r->uri);
return HTTP_UNAUTHORIZED;
return HTTP_UNAUTHORIZED;
return res;
return OK;
const char *grpfile)
ap_configfile_t *f;
char l[MAX_STRING_LEN];
return NULL;
return NULL;
ll = l;
while (ll[0]) {
ap_cfg_closefile(f);
return grps;
int m = r->method_number;
int method_restricted = 0;
return DECLINED;
if (!reqs_arr) {
return OK;
return OK;
return OK;
if (!grpstatus) {
return DECLINED;
return OK;
return DECLINED;
if (!method_restricted) {
return OK;
return HTTP_UNAUTHORIZED;
#ifdef SEND_DIGEST
if (val) {
return val;
return OK;
#ifdef SEND_DIGEST
char *entity_info =
date :
NULL));
digest =
NULL));
conf);
if (digest) {
if (!ha1) {
return !OK;
NULL);
ai);
return OK;