authorGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 18:22:10 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 18:22:10 -0400
commit6ad325c659c4f602584c9450242204f410e74952 (patch)
treeb83da57289d5b7e5bad50191caa3c1710ac5dbd9
parentc81bd354b258121f6491f44f924bc7c715bd9389 (diff)
[mod_auth] Authentication-Info: nextnonce=...
send Authentication-Info nextnonce when nonce is approaching expiration
-rw-r--r--src/mod_auth.c34
1 files changed, 33 insertions, 1 deletions
diff --git a/src/mod_auth.c b/src/mod_auth.c
index 49ab7a85..34e5e91a 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -881,6 +881,33 @@ static void mod_auth_digest_www_authenticate(buffer *b, time_t cur_ts, const str
}
}
+static void mod_auth_digest_authentication_info(buffer *b, time_t cur_ts, int dalgo) {
+ const int rnd = li_rand_pseudo();
+ void(*append_nonce)(buffer *, time_t, int);
+ switch (dalgo) {
+ #ifdef USE_OPENSSL_CRYPTO
+ #ifdef SHA512_256_DIGEST_LENGTH
+ case HTTP_AUTH_DIGEST_SHA512_256:
+ append_nonce = mod_auth_digest_nonce_sha512_256;
+ break;
+ #endif
+ case HTTP_AUTH_DIGEST_SHA256:
+ append_nonce = mod_auth_digest_nonce_sha256;
+ break;
+ #endif
+ /*case HTTP_AUTH_DIGEST_MD5:*/
+ default:
+ append_nonce = mod_auth_digest_nonce_md5;
+ break;
+ }
+ buffer_clear(b);
+ buffer_append_string_len(b, CONST_STR_LEN("nextnonce=\""));
+ buffer_append_uint_hex(b, (uintmax_t)cur_ts);
+ buffer_append_string_len(b, CONST_STR_LEN(":"));
+ (append_nonce)(b, cur_ts, rnd);
+ buffer_append_string_len(b, CONST_STR_LEN("\""));
+}
+
typedef struct {
const char *key;
int key_len;
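Review bot: The fresh nonce built in `mod_auth_digest_authentication_info` takes its only random input from `li_rand_pseudo()`, whose name suggests a non-cryptographic generator, and nothing in this hunk shows a server-side secret being mixed in. How predictable the resulting `nextnonce` is depends on the `mod_auth_digest_nonce_*` helpers, which are defined outside the hunk, so that should be checked there rather than assumed. The function also has no header comment; I would add `/* build Authentication-Info value: nextnonce="<hex cur_ts>:<hash from nonce helper>"; replaces the contents of b */` above it. The `default:` arm selects the MD5 helper for any unrecognised `dalgo`, which deserves a one-line comment saying the fallback is intended.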
@@ -1136,7 +1163,12 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
/* nonce is stale; have client regenerate digest */
buffer_free(b);
return mod_auth_send_401_unauthorized_digest(srv, con, require, ai.dalgo);
- } /*(future: might send nextnonce when expiration is imminent)*/
+ }
+ else if (srv->cur_ts - ts > 540) { /*(9 mins)*/
+ /*(send nextnonce when expiration is approaching)*/
+ mod_auth_digest_authentication_info(srv->tmp_buf, srv->cur_ts, ai.dalgo);
+ http_header_response_set(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Authentication-Info"), CONST_BUF_LEN(srv->tmp_buf));
+ }
}
http_auth_setenv(con, ai.username, ai.ulen, CONST_STR_LEN("Digest"));
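Review bot: The threshold in `else if (srv->cur_ts - ts > 540)` is a bare literal that only makes sense relative to the stale-nonce limit tested in the branch above, whose condition lies outside this hunk. If that limit is ever changed, the renewal window silently shrinks or disappears. I would name both values next to the staleness check and write the test as `else if (srv->cur_ts - ts > NONCE_MAX_AGE - NONCE_RENEW_WINDOW) {` (placeholder names, not identifiers from this file). Since `ts` appears to be parsed from the client-supplied nonce, this branch also relies on the earlier condition having rejected a `ts` later than `srv->cur_ts`; a short comment stating that dependency would help the next reader. `mod_auth_check_digest` starts and ends outside the hunk.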