http://issues.apache.org/bugzilla/show_bug.cgi?id=30920

Summary: Digest authentication via mod_digest no longer works in 1.3.31.
Product: Apache httpd-1.3
Version: 1.3.31
Platform: Macintosh
OS/Version: MacOS X
Status: NEW
Severity: Normal
Priority: Other
Component: core
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

Digest authentication via mod_digest no longer works in 1.3.31, apparently due to ap_auth_nonce() returning different values.

I added a log message to the ap_auth_nonce() function in the standard version of http_core.c from Apache 1.3.31. (This function was added in 1.3.31.) It's short, so here's the whole function with the log message:

    API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
    {
        core_dir_config *conf;
        conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
                                                       &core_module);
        if (conf->ap_auth_nonce)
            return conf->ap_auth_nonce;

        /* Ideally we'd want to mix in some per-directory style
         * information; as we are likely to want to detect replay
         * across those boundaries and some randomness. But that
         * is harder due to the adhoc nature of .htaccess memory
         * structures, restarts and forks.
         *
         * But then again - you should use AuthDigestRealmSeed in your config
         * file if you care. So the adhoc value should do.
         */
        char* nonce = ap_psprintf(r->pool, "%pp%pp%pp%pp%pp",
                                  (void *)&((r->connection->local_addr).sin_addr),
                                  (void *)ap_user_name,
                                  (void *)ap_listeners,
                                  (void *)ap_server_argv0,
                                  (void *)ap_pid_fname);
        ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r->server,
                     "nonce = '%s'", nonce);
        return nonce;
    }

The log message shows that this function returns one value when called to provide the nonce to pass to the client, and a different value when called later to verify that the nonce received from the client was the one sent (check_nonce()). So the check fails, and the client cannot access the realm.

The change is in the first of the 5 concatenated addresses (the one based on the request record address):

    [Sat Aug 28 16:40:53 2004] [info] nonce = '82b834813e608261c0bffffd52803b98'

(User enters name and password at a WebDAV client...)

    [Sat Aug 28 16:40:58 2004] [info] nonce = '82e834813e608261c0bffffd52803b98'
    [Sat Aug 28 16:40:58 2004] [error] [client 17.221.41.169] Client is using a nonce which was not issued by this server for this context: /
    [Sat Aug 28 16:40:58 2004] [info] nonce = '82e834813e608261c0bffffd52803b98'

(User gets the name and password dialog again...)

The problem can be worked around by specifying the AuthDigestRealmSeed directive, or by switching to mod_auth_digest, but existing configurations are broken by this.
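The following is an added, self-contained illustration of the failure mode the report describes; it is not Apache code and not part of the bug report. It reproduces the reported pattern in miniature: a nonce built from the address of a field inside a per-request record (the first of the five concatenated pointers above) differs between the request that issues the challenge and the request that verifies the reply, because the two requests get differently allocated records. It then shows why a configured secret seed, in the spirit of AuthDigestRealmSeed, gives a nonce that the second request can recompute. All struct and function names, the seed string and the address values are constructed for the example, and the FNV-1a hash stands in for a real digest only to keep the block dependency-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the per-connection record whose field address
 * the reported code formats into the nonce. The *value* of local_addr is
 * the same on every request; only the record's address changes. */
struct conn_rec_sim {
    uint32_t local_addr;
    char     realm[32];
};

/* Pointer-derived nonce: the failing pattern from the report. The text of
 * the nonce is the address of a field inside a per-request record. */
static void nonce_from_pointer(const struct conn_rec_sim *c, char *out, size_t n)
{
    snprintf(out, n, "%p", (const void *)&c->local_addr);
}

/* 64-bit FNV-1a, used here only as a placeholder for a real digest; the
 * point is that its output depends on the *values* fed to it. */
static uint64_t fnv1a64(uint64_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Seed-derived nonce: what a configured AuthDigestRealmSeed-style secret
 * makes possible. Same seed + same stable request values -> same nonce,
 * regardless of where this request's record happens to live in memory. */
static void nonce_from_seed(const char *seed, const struct conn_rec_sim *c,
                            char *out, size_t n)
{
    uint64_t h = 14695981039346656037ULL;
    h = fnv1a64(h, seed, strlen(seed));
    h = fnv1a64(h, &c->local_addr, sizeof c->local_addr);
    h = fnv1a64(h, c->realm, strlen(c->realm));
    snprintf(out, n, "%016llx", (unsigned long long)h);
}

/* check_nonce as the report describes it: the nonce the client echoes back
 * must match the one the server recomputes for the second request. */
static int check_nonce(const char *issued, const char *recomputed)
{
    return strcmp(issued, recomputed) == 0;
}

/* Simulates the two-request exchange from the log: request 1 issues the
 * challenge nonce, request 2 (a freshly allocated record, as a new
 * connection gives) recomputes it for verification. Returns 1 if the
 * scheme verifies, 0 if the client would be re-prompted, -1 on OOM. */
static int exchange_verifies(int use_seed)
{
    static const char *seed = "constructed-realm-seed";  /* constructed */
    struct conn_rec_sim *req1 = malloc(sizeof *req1);
    struct conn_rec_sim *req2 = malloc(sizeof *req2);
    char issued[64], recomputed[64];
    int ok;

    if (!req1 || !req2) { free(req1); free(req2); return -1; }
    /* Both records carry identical values; only their addresses differ. */
    req1->local_addr = req2->local_addr = 0xC0A80001u;  /* constructed */
    strcpy(req1->realm, "webdav");
    strcpy(req2->realm, "webdav");

    if (use_seed) {
        nonce_from_seed(seed, req1, issued, sizeof issued);
        nonce_from_seed(seed, req2, recomputed, sizeof recomputed);
    } else {
        nonce_from_pointer(req1, issued, sizeof issued);
        nonce_from_pointer(req2, recomputed, sizeof recomputed);
    }
    ok = check_nonce(issued, recomputed);
    free(req1);
    free(req2);
    return ok;
}

int pointer_scheme_verifies(void) { return exchange_verifies(0); }
int seeded_scheme_verifies(void)  { return exchange_verifies(1); }

int main(void)
{
    printf("pointer-derived nonce verifies on next request: %d\n",
           pointer_scheme_verifies());
    printf("seed-derived nonce verifies on next request:    %d\n",
           seeded_scheme_verifies());
    return 0;
}
```

Because req1 and req2 are both live when their nonces are computed, their addresses are guaranteed to differ, so the pointer-derived check fails every time, which is exactly the "nonce which was not issued by this server" outcome in the log; the seed-derived nonce is a pure function of the configured secret and stable request values, so the second request reproduces it. The same reasoning is why setting AuthDigestRealmSeed works around the bug: it makes conf->ap_auth_nonce non-null and the address-based fallback is never reached.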
