From: Daniel Earl Poirier Date: Thu, 10 Sep 2009 12:12:58 +0000 (+0000) Subject: Fail server startup when mod_auth_digest is unable to X-Git-Tag: 2.3.3~323 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cc4511fcf246523e9d1766ac5bb7b82e30febd8c;p=apache Fail server startup when mod_auth_digest is unable to provide the security checks configured. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@813396 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ad0f248730..ca96923d40 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.3.3 + *) mod_auth_digest: Fail server start when nonce count checking + is configured without shared memory, or md5-sess algorithm is + configured. [Dan Poirier] + *) mod_proxy_connect: The connect method doesn't work if the client is connecting to the apache proxy through an ssl socket. Fixed. PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand, diff --git a/docs/manual/mod/mod_auth_digest.xml b/docs/manual/mod/mod_auth_digest.xml index 53b3274041..b2f704701b 100644 --- a/docs/manual/mod/mod_auth_digest.xml +++ b/docs/manual/mod/mod_auth_digest.xml @@ -88,6 +88,8 @@ support digest authentication. Since digest authentication is not as widely implemented as basic authentication, you should use it only in environments where all users will have supporting browsers.

+

mod_auth_digest only works properly on platforms + where APR supports shared memory.

@@ -329,7 +331,7 @@ of clients server.

The size is normally expressed in Bytes, but you - may let the number follow a K or an M to + may follow the number with a K or an M to express your value as KBytes or MBytes. For example, the following directives are all equivalent:

diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index 34dfea6c7f..8bc2934ac2 100644
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -592,13 +592,13 @@ static const char *set_nonce_format(cmd_parms *cmd, void *config,
 static const char *set_nc_check(cmd_parms *cmd, void *config, int flag)
 {
- if (flag && !client_shm) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
- cmd->server, "Digest: WARNING: nonce-count checking "
+#if !APR_HAS_SHARED_MEMORY
+ if (flag) {
+ return "AuthDigestNcCheck: ERROR: nonce-count checking "
 "is not supported on platforms without shared-memory "
- "support - disabling check");
- flag = 0;
+ "support";
 }
+#endif
 ((digest_config_rec *) config)->check_nc = flag;
 return NULL;
@@ -607,13 +607,8 @@ static const char *set_nc_check(cmd_parms *cmd, void *config, int flag)
 static const char *set_algorithm(cmd_parms *cmd, void *config, const char *alg)
 {
 if (!strcasecmp(alg, "MD5-sess")) {
- if (!client_shm) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
- cmd->server, "Digest: WARNING: algorithm `MD5-sess' "
- "is not supported on platforms without shared-memory "
- "support - reverting to MD5");
- alg = "MD5";
- }
+ return "AuthDigestAlgorithm: ERROR: algorithm `MD5-sess' "
+ "is not fully implemented";
 }
 else if (strcasecmp(alg, "MD5")) {
 return apr_pstrcat(cmd->pool, "Invalid algorithm in AuthDigestAlgorithm: ", alg, NULL);
@@ -1432,6 +1427,13 @@ static int check_nc(const request_rec *r, const digest_header_rec *resp,
 const char *snc = resp->nonce_count;
 char *endptr;
+ if (conf->check_nc && !client_shm) {
+ /* Shouldn't happen, but just in case... */
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "Digest: cannot check nonce count without shared memory");
+ return OK;
+ }
+
 if (!conf->check_nc || !client_shm) {
 return OK;
 }
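Review bot: The `#if !APR_HAS_SHARED_MEMORY` guard in `set_nc_check` only refuses `AuthDigestNcCheck On` on builds without shared memory; on a build that has it the flag is stored unconditionally, and nothing here ties the directive to the segment actually being created, so the commit's stated goal of failing startup when the configured check cannot be provided is met only for the no-shm build. Dropping the old `!client_shm` test at config-parse time is presumably right (the segment is created after parsing, so that test would have fired every time), but the same condition now needs to be enforced wherever the segment is set up, outside this hunk: if `client_shm` cannot be created and any server has `check_nc` set, startup should fail instead of leaving the directive inert. A comment on the `#endif` path would make the contract explicit, e.g. `/* with shared memory compiled in, the post-config shm setup must verify check_nc can be honoured */`.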
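Review bot: Rejecting `MD5-sess` outright in `set_algorithm` turns a previously warned-and-downgraded setting into a startup failure, and the documentation change in this commit only records the shared-memory requirement, not that `AuthDigestAlgorithm MD5-sess` is now refused; the directive's reference entry should say so. The error string should also name the value that does work, e.g. `return "AuthDigestAlgorithm: algorithm `MD5-sess' is not implemented; use MD5";` — the `ERROR:` prefix is redundant since the string is returned through the config-error path. The function's closing lines are outside this hunk.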
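Review bot: The new early return in `check_nc` fails open: when `conf->check_nc` is set but `client_shm` is NULL the nonce count is not verified and the request proceeds as if it passed, with only an `APLOG_WARNING` emitted on every such request, which contradicts the commit's fail-at-startup intent and will flood the error log under load if the state is ever reached. A check the administrator explicitly enabled should fail closed here — log at `APLOG_ERR` and return whatever value the rest of `check_nc` (which continues past this hunk) uses to signal a rejected nonce count — or, if the state is truly unreachable, be an assertion rather than a silent accept. Separately, the following `if (!conf->check_nc || !client_shm)` can no longer be reached with `check_nc` set and `client_shm` NULL, so its `|| !client_shm` half is dead and the condition can be reduced to `if (!conf->check_nc) { return OK; }`.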