summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog2
-rw-r--r--daemon/bd.c2
-rw-r--r--daemon/digest.c9
-rw-r--r--daemon/digest.h4
4 files changed, 11 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index c35abaf..1ab0d41 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
- Support sending access groups to mod_httpauth apache2x module.
- Support retrieving LDAP access groups for users.
- Build warning fixes.
+ - Allow better migration of live digest sessions between httpauth
+ daemons by using the 'stale' flag when things seem out of date.
0.9.2 [22-05-2008]
- Authenticate sub requests properly in the apache module.
diff --git a/daemon/bd.c b/daemon/bd.c
index eb0bec0..277a3f7 100644
--- a/daemon/bd.c
+++ b/daemon/bd.c
@@ -423,7 +423,7 @@ static int do_digest_response(ha_request_t* rq, bd_context_t* ctx, const char* h
cached = (prepare_digest_from_cached (ctx, &dg, rq, nonce) == HA_OK);
/* Check the majority of the fields */
- ret = digest_pre_check (&dg, rq->context, rq->buf);
+ ret = digest_pre_check (&dg, rq->context, rq->buf, &stale);
if (ret != HA_OK) {
if (ret == HA_BADREQ) {
ret = HA_FALSE;
diff --git a/daemon/digest.c b/daemon/digest.c
index 21cb453..93f433b 100644
--- a/daemon/digest.c
+++ b/daemon/digest.c
@@ -242,20 +242,22 @@ int digest_parse(const char* head, ha_buffer_t* buf, digest_header_t* rec)
return HA_OK;
}
-int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf)
+int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf, int *stale)
{
int r;
- r = digest_pre_check(dg, opts, buf);
+ r = digest_pre_check(dg, opts, buf, stale);
if(r == HA_OK)
r = digest_complete_check(dg, opts, buf);
return r;
}
-int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf)
+int digest_pre_check(digest_context_t* dg, const ha_context_t* opts,
+ ha_buffer_t* buf, int *stale)
{
ASSERT(buf && buf && dg);
+ ASSERT(stale);
/* Check for digest */
if(!dg->client.digest || !dg->client.digest[0])
@@ -337,6 +339,7 @@ int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t
ha_messagex(NULL, LOG_WARNING, "digest response has wrong nc value: %s "
"possible replay attack, should be: %d",
dg->client.nc, dg->server_nc);
+ *stale = 1;
return HA_FALSE;
}
}
diff --git a/daemon/digest.h b/daemon/digest.h
index 7a0f59c..fb9bfd7 100644
--- a/daemon/digest.h
+++ b/daemon/digest.h
@@ -73,8 +73,8 @@ const char* digest_challenge(ha_buffer_t* buf, const char* nonce_str,
* Validate digest headers once they've been parsed. Note that it's up
* to the caller to validate the 'username' and 'nonce' fields.
*/
-int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf);
-int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf);
+int digest_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf, int *stale);
+int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf, int *stale);
/* This assumes a digest_context that's been prechecked successfully */
int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t* buf);