cvs commit: apache-1.3/src/modules/experimental mod_auth_digest.c

1999-12-09 Thread ronald
ronald  99/12/08 21:21:02

  Modified:src  CHANGES
   src/modules/experimental mod_auth_digest.c
  Log:
  mod_auth_digest fixes:
  - better comparing of request-uri with uri parameter in Authorization
header
  - added a check for a MUST condition in the spec
  - fixed SEGV
  
  Revision  ChangesPath
  1.1475+7 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1474
  retrieving revision 1.1475
  diff -u -r1.1474 -r1.1475
  --- CHANGES   1999/12/08 23:01:46 1.1474
  +++ CHANGES   1999/12/09 05:20:52 1.1475
  @@ -1,5 +1,12 @@
   Changes with Apache 1.3.10
   
  +  *) more fixes to mod_auth_digest:
  + - better comparing of request-uri with uri parameter in Authorization
  +   header
  + - added a check for a MUST condition in the spec
  + - fixed SEGV
  + [Ronald Tschalär]
  +
 *) mod_proxy now works on TPF.
[Joe Moenich [EMAIL PROTECTED]]
   
  
  
  
  1.12  +81 -28apache-1.3/src/modules/experimental/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===
  RCS file: /home/cvs/apache-1.3/src/modules/experimental/mod_auth_digest.c,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- mod_auth_digest.c 1999/11/28 12:41:59 1.11
  +++ mod_auth_digest.c 1999/12/09 05:21:00 1.12
  @@ -212,7 +212,8 @@
   /* the following fields are not (directly) from the header */
   time_tnonce_time;
   enum hdr_sts  auth_hdr_sts;
  -uri_components   *request_uri;
  +const char   *raw_request_uri;
  +uri_components   *psd_request_uri;
   int   needed_auth;
   client_entry *client;
   } digest_header_rec;
  @@ -498,9 +499,9 @@
* and directives outside a virtual host section)
*/
   ap_SHA1Init(conf-nonce_ctx);
  +ap_SHA1Update_binary(conf-nonce_ctx, secret, sizeof(secret));
   ap_SHA1Update_binary(conf-nonce_ctx, (const unsigned char *) realm,
 strlen(realm));
  -ap_SHA1Update_binary(conf-nonce_ctx, secret, sizeof(secret));
   
   return DECLINE_CMD;
   }
  @@ -911,7 +912,8 @@
   }
   
   if (!resp-username || !resp-realm || !resp-nonce || !resp-uri
  - || !resp-digest) {
  + || !resp-digest
  + || (resp-message_qop  (!resp-cnonce || !resp-nonce_count))) {
resp-auth_hdr_sts = INVALID;
return !OK;
   }
  @@ -944,7 +946,8 @@
return DECLINED;
   
   resp = ap_pcalloc(r-pool, sizeof(digest_header_rec));
  -resp-request_uri = r-parsed_uri;
  +resp-raw_request_uri = r-unparsed_uri;
  +resp-psd_request_uri = r-parsed_uri;
   resp-needed_auth = 0;
   ap_set_module_config(r-request_config, digest_auth_module, resp);
   
  @@ -1273,7 +1276,7 @@
domain = conf-uri_list;
   else {
/* They didn't specify any domain, so let's guess at it */
  - domain = guess_domain(r-pool, resp-request_uri-path, r-filename,
  + domain = guess_domain(r-pool, resp-psd_request_uri-path, r-filename,
  conf-dir_name);
if (domain[0] == '/'  domain[1] == '\0')
domain = NULL;  /* / is the default, so no need to send it */
  @@ -1460,6 +1463,36 @@
   }
   
   
  +static void copy_uri_components(uri_components *dst, uri_components *src,
  + request_rec *r) {
  +if (src-scheme  src-scheme[0] != '\0')
  + dst-scheme = src-scheme;
  +else
  + dst-scheme = (char *) http;
  +
  +if (src-hostname  src-hostname[0] != '\0') {
  + dst-hostname = ap_pstrdup(r-pool, src-hostname);
  + ap_unescape_url(dst-hostname);
  +}
  +else
  + dst-hostname = (char *) ap_get_server_name(r);
  +
  +if (src-port_str  src-port_str[0] != '\0')
  + dst-port = src-port;
  +else
  + dst-port = ap_get_server_port(r);
  +
  +if (src-path  src-path[0] != '\0') {
  + dst-path = ap_pstrdup(r-pool, src-path);
  + ap_unescape_url(dst-path);
  +}
  +
  +if (src-query  src-query[0] != '\0') {
  + dst-query = ap_pstrdup(r-pool, src-query);
  + ap_unescape_url(dst-query);
  +}
  +}
  +
   /* These functions return 0 if client is OK, and proper error status
* if not... either AUTH_REQUIRED, if we made a check, and it failed, or
* SERVER_ERROR, if things are so totally confused that we couldn't
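Review bot: The three `ap_unescape_url()` calls in the new `copy_uri_components()` discard the return value, so a hostname, path or query with a malformed or rejected escape sequence goes into the request-uri comparison as if it had decoded cleanly. Because the function returns void, I would make it return a status and have the caller fail the request, along the lines of `if (ap_unescape_url(dst->path) != OK) return BAD_REQUEST;`. The function also assigns `dst->path` and `dst->query` only when the source has them, so it appears to rely on the caller passing a zeroed `dst`. The caller is not in this hunk, so a short comment above the function stating that precondition would help.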
  @@ -1521,8 +1554,9 @@
  `%s': %s, resp-scheme, r-uri);
else if (resp-auth_hdr_sts == INVALID)
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  -   Digest: missing user, realm, nonce, uri, or digest 
  -   in authorization header: %s, r-uri);
  +   Digest: missing

cvs commit: apache-2.0/src/modules/standard mod_auth_digest.c

1999-11-04 Thread ronald
ronald  99/11/03 22:09:58

  Modified:src/modules/standard mod_auth_digest.c
  Log:
  First cut at port to apache-2.0. Simple tests are working.
  Error handling is still not quite clear in some cases (especially in
  conjunction with ap_pcfg_openfile), and random-number generation
  still needs to be moved into APR.
  
  Revision  ChangesPath
  1.3   +114 -64   apache-2.0/src/modules/standard/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===
  RCS file: /home/cvs/apache-2.0/src/modules/standard/mod_auth_digest.c,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- mod_auth_digest.c 1999/10/22 16:01:25 1.2
  +++ mod_auth_digest.c 1999/11/04 06:09:54 1.3
  @@ -130,6 +130,12 @@
   #include util_uri.h
   #include util_md5.h
   #include ap_sha1.h
  +
  +#ifdef WIN32
  +/* Crypt APIs are available on Win95 with OSR 2 */
  +#include wincrypt.h
  +#endif
  +
   #ifdef HAVE_SHMEM_MM
   #include mm.h
   #endif   /* HAVE_SHMEM_MM */
  @@ -160,7 +166,7 @@
   
   
   #define NONCE_TIME_LEN   (((sizeof(time_t)+2)/3)*4)
  -#define NONCE_HASH_LEN   40
  +#define NONCE_HASH_LEN   (2*SHA_DIGESTSIZE)
   #define NONCE_LEN(NONCE_TIME_LEN + NONCE_HASH_LEN)
   
   #define  SECRET_LEN  20
  @@ -172,12 +178,12 @@
   unsigned long  key;  /* the key for this entry*/
   struct hash_entry *next; /* next entry in the bucket  */
   unsigned long  nonce_count;  /* for nonce-count checking  */
  -char   ha1[17];  /* for 
algorithm=MD5-sess*/
  +char   ha1[2*MD5_DIGESTSIZE+1];  /* for 
algorithm=MD5-sess*/
   char   last_nonce[NONCE_LEN+1];  /* for one-time nonce's 
 */
   } client_entry;
   
   static struct hash_table {
  -client_entry  **table;
  +client_entry  **ap_table_t;
   unsigned long   tbl_len;
   unsigned long   num_entries;
   unsigned long   num_created;
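Review bot: The member rename from `table` to `ap_table_t` in `struct hash_table` looks like fallout from a blanket `table` → `ap_table_t` substitution during the port, not an intended change. The member is a bucket array of `client_entry *`, and giving it the name of what is presumably a type makes every `client_list->ap_table_t[...]` access misleading. I would keep `client_entry **table;` here. The start of the struct is outside this hunk.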
  @@ -249,7 +255,7 @@
*/
   
   #ifdef HAVE_SHMEM_MM
  -static void cleanup_tables(void *not_used)
  +static ap_status_t cleanup_tables(void *not_used)
   {
   fprintf(stderr, Digest: cleaning up shared memory\n);
   fflush(stderr);
  @@ -268,43 +274,64 @@
mm_destroy(otn_count_mm);
otn_count_mm = NULL;
   }
  +
  +return APR_SUCCESS;
   }
   #endif   /* HAVE_SHMEM_MM */
   
  +#ifdef WIN32
  +/* TODO: abstract out the random number generation. APR? */
  +static void initialize_secret(server_rec *s)
  +{
  +HCRYPTPROV hProv;
  +
  +ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, s,
  +  Digest: generating secret for digest authentication ...);
  +if (!CryptAcquireContext(hProv,NULL,NULL,PROV_RSA_FULL,0)) {
  +ap_log_error(APLOG_MARK, APLOG_CRIT, s, 
  + Digest: Error acquiring context. Errno = %d,
  + GetLastError());
  +exit(EXIT_FAILURE);
  +}
  +if (!CryptGenRandom(hProv,sizeof(secret),secret)) {
  +ap_log_error(APLOG_MARK, APLOG_CRIT, s, 
  + Digest: Error generating secret. Errno = %d,
  + GetLastError());
  +exit(EXIT_FAILURE);
  +}
  +
  +ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, s, Digest: done);
  +}
  +#else
   static void initialize_secret(server_rec *s)
   {
   #ifdef   DEV_RANDOM
  -FILE *rnd;
  +int rnd;
   size_t got, tot;
   #else
   extern int randbyte(void);   /* from the truerand library */
   unsigned int idx;
   #endif
   
  -ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, s,
  +ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0, s,
 Digest: generating secret for digest authentication ...);
   
   #ifdef   DEV_RANDOM
   #define  XSTR(x) #x
   #define  STR(x)  XSTR(x)
  -if ((rnd = fopen(STR(DEV_RANDOM), rb)) == NULL) {
  +if ((rnd = open(STR(DEV_RANDOM), O_RDONLY)) == NULL) {
ap_log_error(APLOG_MARK, APLOG_CRIT, s,
 Digest: Couldn't open  STR(DEV_RANDOM));
exit(EXIT_FAILURE);
   }
  -if (setvbuf(rnd, NULL, _IONBF, 0) != 0) {
  - ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_CRIT, s,
  -  Digest: Error trying to disable buffering for  
STR(DEV_RANDOM));
  - exit(EXIT_FAILURE);
  -}
   for (tot=0; totsizeof(secret); tot += got) {
  - if ((got = fread(secret+tot, 1, sizeof(secret)-tot, rnd))  1) {
  + if ((got = read(rnd, secret+tot, sizeof(secret)-tot))  0) {
ap_log_error(APLOG_MARK, APLOG_CRIT, s,
 Digest: Error reading  STR(DEV_RANDOM));
exit(EXIT_FAILURE);
}
   }
  -fclose(rnd);
  +close(rnd);
   #undef   STR
   #undef   XSTR
   #else/* use truerand */
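Review bot: In the DEV_RANDOM branch the result of the new `open()` call is still compared with `NULL`, but `open()` reports failure as -1, so a missing device is not caught and the later `read()` runs on an invalid descriptor. `got` also stays `size_t`, so a failed `read()` returning -1 cannot be seen as negative, and a return of 0 at end of input is no longer treated as an error the way the old `fread` check did (the comparison operator is lost in this rendering, so this is inferred). In either case `secret` could be used without being completely filled. Separately, the new WIN32 variant never releases `hProv`; a `CryptReleaseContext(hProv, 0);` after `CryptGenRandom` would close it. `initialize_secret` continues past the end of this hunk.
```c
    int rnd;
    ssize_t got;
    size_t tot;
    /* … unchanged: notice log, XSTR/STR macros … */
    if ((rnd = open(STR(DEV_RANDOM), O_RDONLY)) == -1) {
        /* … unchanged: log "Couldn't open" and exit … */
    }
    for (tot = 0; tot < sizeof(secret); tot += (size_t) got) {
        got = read(rnd, secret + tot, sizeof(secret) - tot);
        if (got <= 0) {
            /* … unchanged: log "Error reading" and exit … */
        }
    }
    close(rnd);
```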
  @@ -315,8 +342,9 @@
secret

cvs commit: apache-2.0/src Configure

1999-11-02 Thread ronald
ronald  99/11/01 21:08:53

  Modified:src  Configure
  Log:
  get rid of error under solaris 2.6
  
  Revision  ChangesPath
  1.16  +1 -1  apache-2.0/src/Configure
  
  Index: Configure
  ===
  RCS file: /home/cvs/apache-2.0/src/Configure,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- Configure 1999/10/29 13:20:10 1.15
  +++ Configure 1999/11/02 05:08:51 1.16
  @@ -1735,7 +1735,7 @@
   (cd lib/apr  autoconf  autoheader)
   fi
   echo  + configuring Apache Portable Runtime (APR)
  -APR_FLAGS=`egrep ^APR_FLAGS= $file|sed -e 's/APR_FLAGS='//`
  +APR_FLAGS=`egrep '^APR_FLAGS=' $file|sed -e 's/APR_FLAGS='//`
   if [ x$APR_FLAGS != x ]; then
echo o with flags: $APR_FLAGS
   fi
  
  
  


cvs commit: apache-2.0/src/ap ap_base64.c

1999-09-11 Thread ronald
ronald  99/09/11 00:15:57

  Modified:src/ap   ap_base64.c
  Log:
  don't Nul-terminate binary output
  
  Revision  ChangesPath
  1.2   +1 -1  apache-2.0/src/ap/ap_base64.c
  
  Index: ap_base64.c
  ===
  RCS file: /home/cvs/apache-2.0/src/ap/ap_base64.c,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- ap_base64.c   1999/08/24 05:50:30 1.1
  +++ ap_base64.c   1999/09/11 07:15:56 1.2
  @@ -139,6 +139,7 @@
   for (i = 0; i  len; i++)
bufplain[i] = os_toebcdic[bufplain[i]];
   #endif   /* CHARSET_EBCDIC */
  +bufplain[len] = '\0';
   return len;
   }
   
  @@ -186,7 +187,6 @@
(unsigned char) (pr2six[bufin[2]]  6 | pr2six[bufin[3]]);
   }
   
  -*(bufout++) = '\0';
   nbytesdecoded -= (4 - nprbytes)  3;
   return nbytesdecoded;
   }
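Review bot: With `*(bufout++) = '\0';` removed, the binary decoder's output is no longer a C string, and nothing in this hunk tells callers that they must now rely on the returned byte count. I would add a comment above the function such as `/* Output is raw bytes and is NOT NUL-terminated; use the return value as the length. */`. The text wrapper in the hunk above now writes `bufplain[len] = '\0';`, which needs room for `len + 1` bytes, so it is worth confirming that the buffer-sizing helper callers use accounts for that extra byte. Both function bodies start outside their hunks.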
  
  
  


cvs commit: apache-1.3/src/ap ap_md5c.c

1999-08-15 Thread ronald
ronald  99/08/15 15:14:56

  Modified:src/ap   ap_md5c.c
  Log:
  Aarg: typo...
  
  Revision  ChangesPath
  1.32  +1 -1  apache-1.3/src/ap/ap_md5c.c
  
  Index: ap_md5c.c
  ===
  RCS file: /home/cvs/apache-1.3/src/ap/ap_md5c.c,v
  retrieving revision 1.31
  retrieving revision 1.32
  diff -u -r1.31 -r1.32
  --- ap_md5c.c 1999/08/15 21:55:09 1.31
  +++ ap_md5c.c 1999/08/15 22:14:55 1.32
  @@ -527,7 +527,7 @@
* Now make the output string.  We know our limitations, so we
* can use the string routines without bounds checking.
*/
  -ap_cpystrn(passwd, AP_MD5PW_ID, AP_MD5PW_ID + 1);
  +ap_cpystrn(passwd, AP_MD5PW_ID, AP_MD5PW_IDLEN + 1);
   ap_cpystrn(passwd + AP_MD5PW_IDLEN, (char *)sp, sl + 1);
   passwd[AP_MD5PW_IDLEN + sl] = '$';
   passwd[AP_MD5PW_IDLEN + sl + 1] = '\0';
  
  
  


cvs commit: apache-1.3/src/modules/experimental mod_auth_digest.c

1999-08-13 Thread ronald
ronald  99/08/13 00:18:08

  Modified:src/modules/experimental mod_auth_digest.c
  Log:
  - Print out pointer to Rule DEV_RANDOM when truerand lib not found
  - Fix test-compile check to check for randbyte instead of trand32
  - use ap_base64encode_binary/decode instead of our own copy
  - Tweak to make Amaya happier
  
  Revision  ChangesPath
  1.5   +14 -174   apache-1.3/src/modules/experimental/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===
  RCS file: /home/cvs/apache-1.3/src/modules/experimental/mod_auth_digest.c,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- mod_auth_digest.c 1999/08/10 15:47:56 1.4
  +++ mod_auth_digest.c 1999/08/13 07:18:05 1.5
  @@ -95,13 +95,14 @@
RULE_DEV_RANDOM=/dev/urandom
else
RULE_DEV_RANDOM=truerand
  - if helpers/TestCompile func trand32; then
  + if helpers/TestCompile func randbyte; then
:
  - elif helpers/TestCompile lib rand trand32; then
  + elif helpers/TestCompile lib rand randbyte; then
:
else
echo   (mod_auth_digest) truerand library missing!
echo ** This will most probably defeat successful compilation.
  + echo ** See Rule DEV_RANDOM in src/Configuration.tmpl for more 
information.
fi
fi
   fi
  @@ -387,7 +388,7 @@
   return;
   
   failed:
  -if (!client_mm || (client_list   client_list-table  !opaque_mm)
  +if (!client_mm || (client_list  client_list-table  !opaque_mm)
|| (opaque_cntr  !otn_count_mm))
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
 Digest: failed to create shared memory segments; reason 
  @@ -605,169 +606,6 @@
   };
   
   
  -/*
  - * base-64 encoding helpers
  - */
  -
  -/* this is copied from util.c, with toascii folded into the table for EBCDIC 
*/
  -static const unsigned char pr2six[256] =
  -{
  -#ifndef CHARSET_EBCDIC
  -/* ASCII table */
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
  -52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
  -64,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14,
  -15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
  -64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
  -41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
  -#else /*CHARSET_EBCDIC*/
  -/* EBCDIC table */
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 63, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 64, 64, 64, 64, 64, 64,
  -64, 35, 36, 37, 38, 39, 40, 41, 42, 43, 64, 64, 64, 64, 64, 64,
  -64, 64, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64, 64,
  -64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
  -64,  0,  1,  2,  3,  4,  5,  6,  7,  8, 64, 64, 64, 64, 64, 64,
  -64,  9, 10, 11, 12, 13, 14, 15, 16, 17, 64, 64, 64, 64, 64, 64,
  -64, 64, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 64,
  -52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
  -#endif /*CHARSET_EBCDIC*/
  -};
  -
  -/* this is the same as ap_uudecode in util.c, but returns the length instead
  - * of a pointer to the decoded data and takes a pointer to the decoded buffer
  - * as a third parameter. Also, for EBCDIC machines the toebcdic[] on the 
ouput
  - * is left out because we want a binary result.
  - */
  -static int base64decode(pool *p, const char *bufcoded, unsigned char 
**bufplain)
  -{
  -int nbytesdecoded;
  -register const unsigned char *bufin;
  -register unsigned char *bufout;
  -register int

cvs commit: apache-1.3/src CHANGES

1999-08-09 Thread ronald
ronald  99/08/08 17:04:32

  Modified:.STATUS
   src  CHANGES
  Log:
  updated to reflect added modules/experimental/mod_auth_digest
  
  Revision  ChangesPath
  1.737 +5 -4  apache-1.3/STATUS
  
  Index: STATUS
  ===
  RCS file: /home/cvs/apache-1.3/STATUS,v
  retrieving revision 1.736
  retrieving revision 1.737
  diff -u -r1.736 -r1.737
  --- STATUS1999/08/06 17:52:37 1.736
  +++ STATUS1999/08/09 00:04:29 1.737
  @@ -1,5 +1,5 @@
 1.3 STATUS:
  -  Last modified at [$Date: 1999/08/06 17:52:37 $]
  +  Last modified at [$Date: 1999/08/09 00:04:29 $]
   
   Release:
   
  @@ -184,9 +184,10 @@
   Message-ID: [EMAIL PROTECTED]
   Status: 
   
  -* Ronald Tschalär's major update of mod_digest
  -Message-ID: [EMAIL PROTECTED]
  -Status: Big change -- needs review.
  +* Ronald Tschalär's patch to mod_proxy to allow other modules to
  +  set headers too (needed by mod_auth_digest)
  +Message-ID: [EMAIL PROTECTED]
  +Status:
   
   * Greg's XML Handling patch
   Message-ID: [EMAIL PROTECTED]
  
  
  
  1.1412+3 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1411
  retrieving revision 1.1412
  diff -u -r1.1411 -r1.1412
  --- CHANGES   1999/08/06 16:21:28 1.1411
  +++ CHANGES   1999/08/09 00:04:30 1.1412
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.8
   
  +  *) Added updated mod_digest as modules/experimental/mod_auth_digest.
  + [Ronald Tschalär [EMAIL PROTECTED]]
  +
 *) Fix a memory leak where the module counts were getting messed
up across restarts.  [David Harris [EMAIL PROTECTED]]
   
  
  
  


cvs commit: apache-1.3/src/ap ap_checkpass.c

1999-08-08 Thread ronald
ronald  99/08/08 10:57:30

  Modified:src/ap   ap_checkpass.c
  Log:
  removed unnecessary #include
  
  Revision  ChangesPath
  1.2   +0 -3  apache-1.3/src/ap/ap_checkpass.c
  
  Index: ap_checkpass.c
  ===
  RCS file: /home/cvs/apache-1.3/src/ap/ap_checkpass.c,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- ap_checkpass.c1999/08/02 10:13:44 1.1
  +++ ap_checkpass.c1999/08/08 17:57:29 1.2
  @@ -63,9 +63,6 @@
   #include ap_md5.h
   #include ap_sha1.h
   #include ap.h
  -#ifdef CHARSET_EBCDIC
  -#include ebcdic.h
  -#endif /*CHARSET_EBCDIC*/
   #if HAVE_CRYPT_H
   #include crypt.h
   #endif
  
  
  


cvs commit: apache-1.3/src/include ap_sha1.h

1999-08-08 Thread ronald
ronald  99/08/08 10:58:36

  Modified:src/ap   ap_sha1.c
   src/include ap_sha1.h
  Log:
  removed obsolete reference to base64 code from metamail
  
  Revision  ChangesPath
  1.5   +2 -18 apache-1.3/src/ap/ap_sha1.c
  
  Index: ap_sha1.c
  ===
  RCS file: /home/cvs/apache-1.3/src/ap/ap_sha1.c,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- ap_sha1.c 1999/08/08 11:45:15 1.4
  +++ ap_sha1.c 1999/08/08 17:58:34 1.5
  @@ -53,7 +53,7 @@
* For more information on the Apache Group and the Apache HTTP server
* project, please see http://www.apache.org/.
*
  - * The only exported function:
  + * The exported function:
*
*ap_sha1_base64(const char *clear, int len, char *out);
*
  @@ -73,29 +73,13 @@
* See also the documentation in support/SHA1 as to hints on how to
* migrate an existing netscape installation and other supplied utitlites.
*
  - * This software also makes use of the following components:
  + * This software also makes use of the following component:
*
* NIST Secure Hash Algorithm
*   heavily modified by Uwe Hollerbach [EMAIL PROTECTED] edu
*   from Peter C. Gutmann's implementation as found in
*   Applied Cryptography by Bruce Schneier
*   This code is hereby placed in the public domain
  - *
  - * MIME Base 64 encoding based on src/metamail/codes.c in metamail,
  - *   available at: ftp://thumper.bellcore.com/pub/nsb/
  - *
  - * Metamail's copyright is:
  - *   Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore)
  - *   Permission to use, copy, modify, and distribute this material
  - *   for any purpose and without fee is hereby granted, provided
  - *   that the above copyright notice and this permission notice
  - *   appear in all copies, and that the name of Bellcore not be
  - *   used in advertising or publicity pertaining to this
  - *   material without the specific, prior written permission
  - *   of an authorized representative of Bellcore.  BELLCORE
  - *   MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY
  - *   OF THIS MATERIAL FOR ANY PURPOSE.  IT IS PROVIDED AS IS,
  - *   WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
*/
   
   #include string.h
  
  
  
  1.5   +0 -17 apache-1.3/src/include/ap_sha1.h
  
  Index: ap_sha1.h
  ===
  RCS file: /home/cvs/apache-1.3/src/include/ap_sha1.h,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- ap_sha1.h 1999/08/08 11:45:16 1.4
  +++ ap_sha1.h 1999/08/08 17:58:35 1.5
  @@ -58,23 +58,6 @@
*   from Peter C. Gutmann's implementation as found in
*   Applied Cryptography by Bruce Schneier
*   This code is hereby placed in the public domain
  - *
  - * MIME Base 64 encoding based on src/metamail/codes.c in metamail,
  - *   available at: ftp://thumper.bellcore.com/pub/nsb/
  - *
  - * Metamail's copyright is:
  - *   Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore)
  - * 
  - *   Permission to use, copy, modify, and distribute this material 
  - *   for any purpose and without fee is hereby granted, provided 
  - *   that the above copyright notice and this permission notice 
  - *   appear in all copies, and that the name of Bellcore not be 
  - *   used in advertising or publicity pertaining to this 
  - *   material without the specific, prior written permission 
  - *   of an authorized representative of Bellcore.  BELLCORE 
  - *   MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY 
  - *   OF THIS MATERIAL FOR ANY PURPOSE.  IT IS PROVIDED AS IS, 
  - *   WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
*/
   
   #ifndef APACHE_SHA1_H
  
  
  


cvs commit: apache-1.3/src/ap Makefile.tmpl

1999-08-08 Thread ronald
ronald  99/08/08 10:59:29

  Modified:src/ap   Makefile.tmpl
  Log:
  added dependency for ap_sha1.o
  
  Revision  ChangesPath
  1.35  +2 -0  apache-1.3/src/ap/Makefile.tmpl
  
  Index: Makefile.tmpl
  ===
  RCS file: /home/cvs/apache-1.3/src/ap/Makefile.tmpl,v
  retrieving revision 1.34
  retrieving revision 1.35
  diff -u -r1.34 -r1.35
  --- Makefile.tmpl 1999/08/08 11:45:15 1.34
  +++ Makefile.tmpl 1999/08/08 17:59:28 1.35
  @@ -59,6 +59,8 @@
$(INCDIR)/ap_config_auto.h $(OSDIR)/os.h $(OSDIR)/os-inline.c \
$(INCDIR)/ap_ctype.h $(INCDIR)/hsregex.h $(INCDIR)/ap_md5.h \
$(INCDIR)/ap.h
  +ap_sha1.o: ap_sha1.c $(INCDIR)/ap_config.h $(INCDIR)/ap_sha1.h \
  + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h $(OSDIR)/os-inline.c
   ap_signal.o: ap_signal.c $(INCDIR)/httpd.h $(INCDIR)/ap_config.h \
$(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \
$(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h $(INCDIR)/hsregex.h \
  
  
  


cvs commit: apache-1.3/src/modules/experimental mod_auth_digest.c Makefile.tmpl

1999-08-08 Thread ronald
ronald  99/08/08 15:34:25

  Modified:src/modules/experimental Makefile.tmpl
  Added:   src/modules/experimental mod_auth_digest.c
  Log:
  updated version of mod_digest; in experimental until further tested
  
  Revision  ChangesPath
  1.14  +9 -0  apache-1.3/src/modules/experimental/Makefile.tmpl
  
  Index: Makefile.tmpl
  ===
  RCS file: /home/cvs/apache-1.3/src/modules/experimental/Makefile.tmpl,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- Makefile.tmpl 1998/09/07 06:59:34 1.13
  +++ Makefile.tmpl 1999/08/08 22:34:24 1.14
  @@ -12,3 +12,12 @@
$(INCDIR)/util_uri.h $(INCDIR)/http_config.h \
$(INCDIR)/http_log.h $(INCDIR)/http_protocol.h \
$(INCDIR)/http_request.h $(INCDIR)/http_core.h
  +mod_digest.o: mod_digest.c $(INCDIR)/httpd.h \
  + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \
  + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \
  + $(INCDIR)/ap_ctype.h $(INCDIR)/hsregex.h \
  + $(INCDIR)/alloc.h $(INCDIR)/buff.h $(INCDIR)/ap.h \
  + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \
  + $(INCDIR)/http_core.h $(INCDIR)/http_log.h \
  + $(INCDIR)/http_protocol.h $(INCDIR)/util_md5.h \
  + $(INCDIR)/ap_md5.h
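Review bot: The new dependency rule is keyed on `mod_digest.o: mod_digest.c`, but this commit adds `mod_auth_digest.c` to the directory, so as written the rule would not rebuild the new module when one of these headers changes. I would rename the target and source to `mod_auth_digest.o: mod_auth_digest.c $(INCDIR)/httpd.h \`. If the module includes `ap_sha1.h`, as the later revisions on this page suggest, `$(INCDIR)/ap_sha1.h` belongs in the prerequisite list as well.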
  
  
  
  1.1  apache-1.3/src/modules/experimental/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===
  /* 
   * Copyright (c) 1995-1999 The Apache Group.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *notice, this list of conditions and the following disclaimer in
   *the documentation and/or other materials provided with the
   *distribution.
   *
   * 3. All advertising materials mentioning features or use of this
   *software must display the following acknowledgment:
   *This product includes software developed by the Apache Group
   *for use in the Apache HTTP server project (http://www.apache.org/).
   *
   * 4. The names Apache Server and Apache Group must not be used to
   *endorse or promote products derived from this software without
   *prior written permission. For written permission, please contact
   *[EMAIL PROTECTED]
   *
   * 5. Products derived from this software may not be called Apache
   *nor may Apache appear in their names without prior written
   *permission of the Apache Group.
   *
   * 6. Redistributions of any form whatsoever must retain the following
   *acknowledgment:
   *This product includes software developed by the Apache Group
   *for use in the Apache HTTP server project (http://www.apache.org/).
   *
   * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
   * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
   * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   * OF THE POSSIBILITY OF SUCH DAMAGE.
   * 
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Group and was originally based
   * on public domain software written at the National Center for
   * Supercomputing Applications, University of Illinois, Urbana-Champaign.
   * For more information on the Apache Group and the Apache HTTP server
   * project, please see http://www.apache.org/.
   *
   */
  
  /*
   * mod_auth_digest: MD5 digest authentication
   *
   * Originally by Alexei Kosut [EMAIL PROTECTED]
   * Updated to RFC-2617 by Ronald Tschalär [EMAIL PROTECTED]
   * based on mod_auth, by Rob McCool and Robert S. Thau
   *
   * This module an updated version of modules/standard/mod_digest.c
   * However, it has not been extensively tested yet, and is therefore
   * currently marked experimental. Send problem reports to me
   * ([EMAIL PROTECTED])
   *
   * Requires either /dev/random (or equivalent) or the truerand library,
   * available for instance from
   * ftp

cvs commit: apache-1.3/htdocs/manual/mod mod_auth_digest.html index.html

1999-08-08 Thread ronald
ronald  99/08/08 15:37:17

  Modified:src  Configuration.tmpl
   htdocs/manual/mod index.html
  Added:   htdocs/manual/mod mod_auth_digest.html
  Log:
  changes for new modules/experimental/mod_auth_digest
  
  Revision  ChangesPath
  1.118 +25 -5 apache-1.3/src/Configuration.tmpl
  
  Index: Configuration.tmpl
  ===
  RCS file: /home/cvs/apache-1.3/src/Configuration.tmpl,v
  retrieving revision 1.117
  retrieving revision 1.118
  diff -u -r1.117 -r1.118
  --- Configuration.tmpl1999/06/22 15:33:10 1.117
  +++ Configuration.tmpl1999/08/08 22:37:14 1.118
  @@ -124,12 +124,12 @@
   # functions. The format is: Rule RULE=value
   #
   # At present, only the following RULES are known: WANTHSREGEX, SOCKS4,
  -# SOCKS5, IRIXNIS, IRIXN32 and PARANOID.
  +# SOCKS5, IRIXNIS, IRIXN32, PARANOID, and DEV_RANDOM.
   #
  -# For all Rules, if set to yes, then Configure knows we want that
  -# capability and does what is required to add it in. If set to default
  -# then Configure makes a best guess; if set to anything else, or not
  -# present, then nothing is done.
  +# For all Rules except DEV_RANDOM, if set to yes, then Configure knows
  +# we want that capability and does what is required to add it in. If set
  +# to default then Configure makes a best guess; if set to anything
  +# else, or not present, then nothing is done.
   #
   # SOCKS4:
   #  If SOCKS4 is set to 'yes', be sure that you add the socks library
  @@ -174,6 +174,19 @@
   Rule PARANOID=no
   Rule EXPAT=default
   
  +# DEV_RANDOM:
  +#  Note: this rule is only used when compiling mod_auth_digest.
  +#  mod_auth_digest requires a cryptographically strong random seed for its
  +#  random number generator. It knows two ways of getting this: 1) from
  +#  a file or device (such as /dev/random), or 2) from the truerand
  +#  library. If this rule is set to 'default' then Configure will choose
  +#  to use /dev/random if it exists, else /dev/urandom if it exists,
  +#  else the truerand library. To override this behaviour set DEV_RANDOM
  +#  either to 'truerand' (to use the library) or to a device or file
  +#  (e.g. '/dev/urandom'). If the truerand library is selected, Configure
  +#  will assume -L/usr/local/lib -lrand.
  +Rule DEV_RANDOM=default
  +
   # The following rules should be set automatically by Configure. However, if
   # they are not set by Configure (because we don't know the correct value for
   # your platform), or are set incorrectly, you may override them here.
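Review bot: The DEV_RANDOM text says the rule may name "a device or file" but never says the path has to be a kernel entropy source. Pointing it at a regular file would presumably hand mod_auth_digest the same bytes on every start and make its secret repeatable. I would add a line such as `#  The path must be a random device; a regular file yields a repeatable secret.` to the comment block. It may also be worth noting that the default prefers /dev/random, which can block at startup on hosts with little entropy.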
  @@ -308,6 +321,13 @@
   ## and a common prefix, e.g., /~user , /usr/web/user , etc.
   
   AddModule modules/standard/mod_userdir.o
  +
  +## digest implements HTTP Digest Authentication rather than the less 
  +## secure Basic Auth used by the other modules. This is an updated
  +## version of mod_digest, but it is not well tested and is therefore
  +## marked experimental
  +
  +# AddModule modules/experimental/mod_auth_digest.o
   
   ## The proxy module enables the server to act as a proxy for outside
   ## http and ftp services. It's not as complete as it could be yet.
  
  
  
  1.28  +2 -0  apache-1.3/htdocs/manual/mod/index.html
  
  Index: index.html
  ===
  RCS file: /home/cvs/apache-1.3/htdocs/manual/mod/index.html,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- index.html1999/06/22 00:51:23 1.27
  +++ index.html1999/08/08 22:37:15 1.28
  @@ -42,6 +42,8 @@
   DDUser authentication using Berkeley DB files.
   DTA HREF=mod_auth_dbm.htmlmod_auth_dbm/A
   DDUser authentication using DBM files.
  +DTA HREF=mod_auth_digest.htmlmod_auth_digest/A
  +DDMD5 authentication (experimental)
   DTA HREF=mod_autoindex.htmlmod_autoindex/A
   DDAutomatic directory listings.
   DTA HREF=mod_browser.htmlmod_browser/A Apache 1.2.* only
  
  
  
  1.1  apache-1.3/htdocs/manual/mod/mod_auth_digest.html
  
  Index: mod_auth_digest.html
  ===
  !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN
  HTML
  HEAD
  TITLEApache module mod_auth_digest/TITLE
  /HEAD
  
  !-- Background white, links blue (unvisited), navy (visited), red (active) 
--
  BODY
   BGCOLOR=#FF
   TEXT=#00
   LINK=#FF
   VLINK=#80
   ALINK=#FF
  
  !--#include virtual=header.html --
  H1 ALIGN=CENTERModule mod_auth_digest/H1
  
  This module is contained in the CODEmod_auth_digest.c/CODE file, and is
  not compiled in by default. It is only available in Apache 1.3.8 and
  later. It provides for user authentication using MD5 Digest
  Authentication.
  
  PNote this is an updated version of A
  HREF=mod_digest.htmlmod_digest/A. However, it has not been
  extensively tested and is therefore marked experimental. If you use this
  module, you must make sure to emnot/em use

cvs commit: apache-1.3/src Configuration.tmpl

1999-08-08 Thread ronald
ronald  99/08/08 15:45:11

  Modified:src  Configuration.tmpl
  Log:
  Aargh - forgot the note about needing the truerand library for mod_auth_digest
  
  Revision  ChangesPath
  1.119 +5 -1  apache-1.3/src/Configuration.tmpl
  
  Index: Configuration.tmpl
  ===
  RCS file: /home/cvs/apache-1.3/src/Configuration.tmpl,v
  retrieving revision 1.118
  retrieving revision 1.119
  diff -u -r1.118 -r1.119
  --- Configuration.tmpl1999/08/08 22:37:14 1.118
  +++ Configuration.tmpl1999/08/08 22:45:10 1.119
  @@ -325,7 +325,11 @@
   ## digest implements HTTP Digest Authentication rather than the less 
   ## secure Basic Auth used by the other modules. This is an updated
   ## version of mod_digest, but it is not well tested and is therefore
  -## marked experimental
  +## marked experimental.
  +## Note: if you add this module in then you might also need the
  +## truerand library (available for example from
  +## ftp://research.att.com/dist/mab/librand.shar) - see the Rule
  +## DEV_RANDOM above for more info.
   
   # AddModule modules/experimental/mod_auth_digest.o
   
  
  
  


cvs commit: apache-1.3/src/main util.c

1999-04-11 Thread ronald
ronald  99/04/10 16:21:23

  Modified:src  CHANGES
   src/main util.c
  Log:
  ap_uuencode was not allocating space for terminating '\0'
  ap_uudecode was running past the beginning of the buffer for empty input
  strings, and past the end of the buffer for certain (invalid) input
  
  PR: 3422
  Reviewed by:  Dean Gaudet
  
  Revision  ChangesPath
  1.1307+4 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1306
  retrieving revision 1.1307
  diff -u -r1.1306 -r1.1307
  --- CHANGES   1999/04/10 21:51:01 1.1306
  +++ CHANGES   1999/04/10 23:21:21 1.1307
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3.7
   
  +  *) Fix buffer overflows in ap_uuencode and ap_uudecode pointed out
  + by Peter 'Luna' Altberg [EMAIL PROTECTED] and PR#3422
  + [Peter 'Luna' Altberg [EMAIL PROTECTED], Ronald Tschalär]
  +
 *) Make {Set,Unset,Pass}Env per-directory instead of per-server.
[Ben Laurie]
   
  
  
  
  1.157 +23 -15apache-1.3/src/main/util.c
  
  Index: util.c
  ===
  RCS file: /home/cvs/apache-1.3/src/main/util.c,v
  retrieving revision 1.156
  retrieving revision 1.157
  diff -u -r1.156 -r1.157
  --- util.c1999/03/20 15:41:07 1.156
  +++ util.c1999/04/10 23:21:23 1.157
  @@ -1962,7 +1962,7 @@
   
   bufin = (const unsigned char *) bufcoded;
   
  -while (nprbytes  0) {
  +while (nprbytes  4) {
*(bufout++) =
(unsigned char) (pr2six[*bufin]  2 | pr2six[bufin[1]]  4);
*(bufout++) =
  @@ -1973,13 +1973,15 @@
nprbytes -= 4;
   }
   
  -if (nprbytes  03) {
  - if (pr2six[bufin[-2]]  63)
  - nbytesdecoded -= 2;
  - else
  - nbytesdecoded -= 1;
  +/* Note: (nprbytes == 1) would be an error, so just ingore that case */
  +if (nprbytes  1) {
  + *(bufout++) =
  + (unsigned char) (pr2six[*bufin]  2 | pr2six[bufin[1]]  4);
   }
  -bufplain[nbytesdecoded] = '\0';
  +if (nprbytes  2) {
  + *(bufout++) =
  + (unsigned char) (pr2six[bufin[1]]  4 | pr2six[bufin[2]]  2);
  +}
   #else /*CHARSET_EBCDIC*/
   bufin = (const unsigned char *) bufcoded;
   while (pr2six[os_toascii[(unsigned char)*(bufin++)]] = 63);
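Review bot: A final group of four characters loses its third byte: with the loop now running only while `nprbytes > 4`, an input whose length is a multiple of four leaves the loop with `nprbytes == 4`, and the tail in this hunk writes only the first two bytes of that group. The later `nbytesdecoded -= (4 - nprbytes) & 3;` subtracts nothing in that case, so the terminator is stored one position past the last byte written and that position keeps whatever the pool memory held. A third branch after the `nprbytes > 2` one would close the gap: `if (nprbytes > 3) { *(bufout++) = (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); }`. The EBCDIC tail in the `@@ -2002,14 +2004,20 @@` hunk has the same gap and needs the `os_toascii`/`os_toebcdic` form of the same statement. The page lost its operators in extraction, so this reads the comparisons as `>` and the shifts as `<<`/`>>`; the function starts outside the hunk.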
  @@ -1991,7 +1993,7 @@
   
   bufin = (const unsigned char *) bufcoded;
   
  -while (nprbytes  0) {
  +while (nprbytes  4) {
*(bufout++) = os_toebcdic[
(unsigned char) (pr2six[os_toascii[*bufin]]  2 | 
pr2six[os_toascii[bufin[1]]]  4)];
*(bufout++) = os_toebcdic[
  @@ -2002,14 +2004,20 @@
nprbytes -= 4;
   }
   
  -if (nprbytes  03) {
  - if (pr2six[os_toascii[bufin[-2]]]  63)
  - nbytesdecoded -= 2;
  - else
  - nbytesdecoded -= 1;
  +/* Note: (nprbytes == 1) would be an error, so just ingore that case */
  +if (nprbytes  1) {
  + *(bufout++) = os_toebcdic[
  + (unsigned char) (pr2six[os_toascii[*bufin]]  2 | 
pr2six[os_toascii[bufin[1]]]  4)];
   }
  -bufplain[nbytesdecoded] = '\0';
  +if (nprbytes  2) {
  + *(bufout++) = os_toebcdic[
  + (unsigned char) (pr2six[os_toascii[bufin[1]]]  4 | 
pr2six[os_toascii[bufin[2]]]  2)];
  +}
   #endif /*CHARSET_EBCDIC*/
  +
  +nbytesdecoded -= (4 - nprbytes)  3;
  +bufplain[nbytesdecoded] = '\0';
  +
   return bufplain;
   }
   
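Review bot: The shared length fix-up `nbytesdecoded -= (4 - nprbytes) & 3;` is the line that decides where the terminator lands, and it carries no comment explaining the arithmetic. I would put above it `/* nprbytes is what the loop left of the last group (0..4); subtract the bytes a short group does not produce */`. The expression is only correct if each tail branch writes exactly the bytes it counts, which is worth saying in that comment because the ASCII and EBCDIC tails are maintained separately. How `nbytesdecoded` was first computed is outside the hunk, and the missing operator is read as `&` because the page dropped it in extraction.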
  @@ -2020,7 +2028,7 @@
   { 
   int i, len = strlen(string); 
   char *p; 
  -char *encoded = (char *) ap_palloc(a, (len+2) / 3 * 4); 
  +char *encoded = (char *) ap_palloc(a, ((len+2) / 3 * 4) + 1); 

   p = encoded; 
   #ifndef CHARSET_EBCDIC
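Review bot: The `+ 1` added to the `ap_palloc` size is the whole fix, yet nothing on the line says it is the room for the terminating '\0'. A short comment such as `/* 4 chars per 3 input bytes, rounded up, plus the terminating '\0' */` would keep a later edit from dropping it. The size is also computed in `int` from `strlen(string)`, so it is only right while the input length stays well below INT_MAX; whether callers bound that length is not visible here. The function body continues outside the hunk, so the write of the terminator itself cannot be checked from this page.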