authorStef Walter <stef@memberwebs.com>2008-06-11 22:03:08 +0000
committerStef Walter <stef@memberwebs.com>2008-06-11 22:03:08 +0000
commitde44fe7893da8d8c9903f1a7268fa6fe03446d36 (patch)
treed551e17b64d6bef889179b32ab1bdd991e3c0fbf
parent0cb3f6098d959479a96c26a92d91becc2110b30d (diff)
Allow better migration of live digest sessions between httpauth
daemons by using the 'stale' flag when things seem out of date.
-rw-r--r--ChangeLog2
-rw-r--r--daemon/bd.c2
-rw-r--r--daemon/digest.c9
-rw-r--r--daemon/digest.h4
4 files changed, 11 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index c35abaf..1ab0d41 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
- Support sending access groups to mod_httpauth apache2x module.
- Support retrieving LDAP access groups for users.
- Build warning fixes.
+ - Allow better migration of live digest sessions between httpauth
+ daemons by using the 'stale' flag when things seem out of date.
0.9.2 [22-05-2008]
- Authenticate sub requests properly in the apache module.
diff --git a/daemon/bd.c b/daemon/bd.c
index eb0bec0..277a3f7 100644
--- a/daemon/bd.c
+++ b/daemon/bd.c
@@ -423,7 +423,7 @@ static int do_digest_response(ha_request_t* rq, bd_context_t* ctx, const char* h
cached = (prepare_digest_from_cached (ctx, &dg, rq, nonce) == HA_OK);
/* Check the majority of the fields */
- ret = digest_pre_check (&dg, rq->context, rq->buf);
+ ret = digest_pre_check (&dg, rq->context, rq->buf, &stale);
if (ret != HA_OK) {
if (ret == HA_BADREQ) {
ret = HA_FALSE;
diff --git a/daemon/digest.c b/daemon/digest.c
index 21cb453..93f433b 100644
--- a/daemon/digest.c
+++ b/daemon/digest.c
@@ -242,20 +242,22 @@ int digest_parse(const char* head, ha_buffer_t* buf, digest_header_t* rec)
return HA_OK;
}
-int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf)
+int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf, int *stale)
{
int r;
- r = digest_pre_check(dg, opts, buf);
+ r = digest_pre_check(dg, opts, buf, stale);
if(r == HA_OK)
r = digest_complete_check(dg, opts, buf);
return r;
}
-int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf)
+int digest_pre_check(digest_context_t* dg, const ha_context_t* opts,
+ ha_buffer_t* buf, int *stale)
{
ASSERT(buf && buf && dg);
+ ASSERT(stale);
/* Check for digest */
if(!dg->client.digest || !dg->client.digest[0])
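Review bot: The new `stale` out-parameter is guarded only by `ASSERT(stale);`, so if ASSERT compiles to nothing in release builds (its definition is not visible here) a NULL argument would reach the `*stale = 1;` write added in the next hunk. Either make the write tolerant, `if (stale) *stale = 1;`, or keep the assert and state in the header that the pointer is required. The context line just above, `ASSERT(buf && buf && dg);`, tests `buf` twice and presumably meant `ASSERT(opts && buf && dg);`, which would be cheap to fix while these asserts are being touched. The body of digest_pre_check continues outside this hunk.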
@@ -337,6 +339,7 @@ int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t
ha_messagex(NULL, LOG_WARNING, "digest response has wrong nc value: %s "
"possible replay attack, should be: %d",
dg->client.nc, dg->server_nc);
+ *stale = 1;
return HA_FALSE;
}
}
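Review bot: The nc-mismatch branch still logs `possible replay attack` at LOG_WARNING, while the added `*stale = 1;` now treats the same condition as an expected event when a session moves between daemons. A real replay and a benign migration therefore produce the same log line, which weakens the warning as a detection signal. Consider rewording the message to say that the client is being asked to retry with a fresh nonce, and add a comment such as `/* nc mismatch: reject this request; stale lets the client retry with a new nonce */`. The request is still refused through `return HA_FALSE;`, which should stay as it is. The caller presumably has to issue a new nonce rather than accept the old one again, but that code and the start of the enclosing function are outside this hunk.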
diff --git a/daemon/digest.h b/daemon/digest.h
index 7a0f59c..fb9bfd7 100644
--- a/daemon/digest.h
+++ b/daemon/digest.h
@@ -73,8 +73,8 @@ const char* digest_challenge(ha_buffer_t* buf, const char* nonce_str,
* Validate digest headers once they've been parsed. Note that it's up
* to the caller to validate the 'username' and 'nonce' fields.
*/
-int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf);
-int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf);
+int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf, int *stale);
+int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf, int *stale);
/* This assumes a digest_context that's been prechecked successfully */
int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf);
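Review bot: The comment above these prototypes does not describe the new `stale` argument. In the visible hunks it is only ever written with 1, on an nc mismatch, and never cleared, so the caller has to initialise it. That belongs in the header, for example `* '*stale' is set to 1 when the nc value is out of date; it is left untouched otherwise, so initialise it to 0.` The parameter is also written `int *stale` next to `ha_buffer_t* buf`, which mixes two pointer styles in one signature.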