-rw-r--r-- | daemon/ldap.c | 58 |
1 files changed, 48 insertions, 10 deletions
diff --git a/daemon/ldap.c b/daemon/ldap.c
index 440c531..3321c6a 100644
--- a/daemon/ldap.c
+++ b/daemon/ldap.c
@@ -83,6 +83,10 @@ typedef struct ldap_context
 LDAP** pool; /* Pool of available connections */
 int pool_mark; /* Amount of connections allocated */
+
+#ifdef _DEBUG
+ const char* debug_nonce;
+#endif
 } ldap_context_t;
@@ -110,6 +114,9 @@ static const ldap_context_t ldap_defaults =
 NULL, /* cache */
 NULL, /* pool */
 0 /* pool_mark */
+#ifdef _DEBUG
+ , NULL /* debug_nonce */
+#endif
 };
@@ -925,12 +932,22 @@ static int digest_ldap_challenge(ldap_context_t* ctx, ha_response_t* resp,
 ASSERT(ctx && resp && buf);
- /* Generate an nonce */
- digest_makenonce(nonce, g_ldap_secret, NULL);
- nonce_str = ha_bufenchex(buf, nonce, DIGEST_NONCE_LEN);
+#ifdef _DEBUG
+ if(ctx->debug_nonce)
+ {
+ nonce_str = ctx->debug_nonce;
+ ha_messagex(LOG_WARNING, "using debug nonce. security non-existant.");
+ }
+ else
+#endif
+ {
+ unsigned char nonce[DIGEST_NONCE_LEN];
+ digest_makenonce(nonce, g_ldap_secret, NULL);
- if(!nonce_str)
- return HA_ERROR;
+ nonce_str = ha_bufenchex(buf, nonce, DIGEST_NONCE_LEN);
+ if(!nonce_str)
+ return HA_ERROR;
+ }
 /* Now generate a message to send */
 header = digest_challenge(buf, nonce_str, ctx->realm, ctx->domains, stale);
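Review bot: The debug nonce on `nonce_str = ctx->debug_nonce;` is passed to digest_challenge verbatim, whereas the real path always passes the hex output of ha_bufenchex, so nothing in this hunk constrains its characters; if the configured string can contain a double quote, whitespace or a comma, the nonce parameter of the challenge header would presumably come out malformed — confirm how digest_challenge quotes it and validate the string (or hex-encode it the same way) before use. The LOG_WARNING is emitted on every challenge, so a debug build with the option set will flood the log; logging once where debug_nonce is assigned would keep the signal without the noise. Fix the typo in the message while here: `ha_messagex(LOG_WARNING, "using debug nonce. security non-existent.");`. digest_ldap_challenge starts before this hunk and continues after it.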
@@ -966,15 +983,36 @@ static int digest_ldap_response(ldap_context_t* ctx, const char* header,
 if(digest_parse(header, buf, &dg, nonce) == HA_ERROR)
 return HA_ERROR;
- r = digest_checknonce(nonce, g_ldap_secret, &expiry);
- if(r != HA_OK)
+#ifdef _DEBUG
+ if(ctx->debug_nonce)
 {
- if(r == HA_FALSE)
+ if(dg.nonce && strcmp(dg.nonce, ctx->debug_nonce) != 0)
+ {
+ ret = HA_FALSE;
 ha_messagex(LOG_WARNING, "digest response contains invalid nonce");
+ goto finally;
+ }
- ret = r;
- goto finally;
+ /* Do a rough hash into the real nonce, for use as a key */
+ md5_string(nonce, ctx->debug_nonce);
+
+ /* Debug nonce's never expire */
+ expiry = time(NULL);
 }
+ else
+#endif
+ {
+ r = digest_checknonce(nonce, g_ldap_secret, &expiry);
+ if(r != HA_OK)
+ {
+ if(r == HA_FALSE)
+ ha_messagex(LOG_WARNING, "digest response contains invalid nonce");
+
+ ret = r;
+ goto finally;
+ }
+ }
+
 rec = get_cached_digest(ctx, nonce); |
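Review bot: The nonce check in the debug branch, `if(dg.nonce && strcmp(dg.nonce, ctx->debug_nonce) != 0)`, only rejects a nonce that is present and different; a response carrying no nonce at all skips the comparison and falls through to md5_string and the cache lookup, whereas the non-debug branch always runs digest_checknonce on whatever was parsed. Unless digest_parse (outside this hunk) already fails on a missing nonce, the guard should be `if(!dg.nonce || strcmp(dg.nonce, ctx->debug_nonce) != 0)`. The comment `/* Debug nonce's never expire */` over `expiry = time(NULL);` claims more than the assignment shows — whether a nonce stamped with the current time is treated as non-expiring depends on how expiry is consumed after the hunk; either state that convention in the comment or set an explicit far-future value so the intent does not rely on code elsewhere. digest_ldap_response starts before this hunk and continues past it (the finally label and the use of rec are not visible).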