[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
/*****************************************************************************/
/*
Digest.c
This module implements the DIGEST authentication functionality. The actual
RSA MD5 digest code is contained in its own module MD5.c, and is almost
exclusively the example implementation code presented in RFC1321. This module
implements the digest access authentication as proposed in the HTTP Working
Group's, IETF draft, RFC2069, January 1997.
NOTE: Digest authentication relies on the storage of specially digested
password being available for 'reverse' generation into an MD5 digest and
subsequent comparison with the digest supplied from the browser. Therefore,
authenication sources that cannot provide this digested password cannot use
Digest authorization. This most certainly includes SYSUAF and authorization
agents. For such environments and circumstances where both Basic and Digest
methods are available a Digest challenge SHOULD NOT BE generated and returned
to the browser indicating that Digest method is applicable to this request.
The nonce is generated using three 8 digit, zero-filled, hexadecimal numbers.
The client's 32 bit IP address, and each of the least and most significant
longwords of the request's binary time. The nonce therefore comprises a
string of 24 hexadecimal digits. It does not rely on any non-public value
or format for its operation.
This format allows the returned nonce to have the IP address and timestamp
easily extracted and checked. If the client's IP address and the nonce's
IP address do not match then it is rejected. If the timestamp indicates
an unacceptable period between generation and use of the nonce has occured
then it is rejected with a 'stale nonce' flag. The period is varied for
different methods. Very much shorter for PUT and POST methods, etc., longer
for GET, etc.
BOOM! Tweaked and revalidated (28-AUG-2012) using Chrome 21.0, Firefox 15.0,
MSIE 9.0, Opera 12.0 and Safari 6.0. All comply with RFC2069 which WASD is
based on, not the more recent RFC2617.
NOTE! Checked (27-JUL-2003) for compliance against Mozilla 1.4 (one of the
very few agents supporting Digest authentication).
WARNING! To date (09-JUL-1996) this functionality has only been tested with
NCSA X Mosaic 2.7-4 .. This version of Mosaic seems a bit flakey with digest
authentication.
NCSA X Mosaic 2.7-4 seems to require the 'opaque' header field to generate a
correct digest response. I thought it was optional, but I'll put in a dummy
anyway.
VERSION HISTORY
---------------
28-AUG-2012 MGD (yes - all but a decade on) numerious tweaks
27-JUL-2003 MGD (overdue) revision (against Mozilla 1.4)
04-AUG-2001 MGD support module WATCHing
29-APR-2000 MGD proxy authorization
30-OCT-1997 MGD a little maintenance
01-JUL-1996 MGD initial development of "Digest" authentication
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <libdef.h>
#include <libdtdef.h>
#include <ssdef.h>
#include <stsdef.h>
/* application related header files */
#include "wasd.h"
#define WASD_MODULE "DIGEST"
#define DefaultNonceLifeTimeSeconds 60
/********************/
/* external storage */
/********************/
#ifdef DBUG
extern BOOL Debug;
#else
#define Debug 0
#endif
extern int ToLowerCase[],
ToUpperCase[];
extern char SoftwareID[];
extern CONFIG_STRUCT Config;
extern MSG_STRUCT Msgs;
extern WATCH_STRUCT Watch;
/**********************/
/* external functions */
/**********************/
Md5Digest (char*, int, MD5_HASH*);
Md5HexString (char*, int, char*);
/*****************************************************************************/
/*
Convert the octets to a hexadecimal string.
*/
DigestHexString
(
unsigned char *cptr,
int cnt,
unsigned char *sptr
)
{
static char HexDigits [] = "0123456789abcdef";
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "DigestHexString()");
while (cnt--)
{
*sptr++ = HexDigits[(*cptr & 0xf0) >> 4];
*sptr++ = HexDigits[*cptr++ & 0x0f];
}
*sptr = '\0';
}
/*****************************************************************************/
/*
Create an MD5 16 byte digest of the username, realm and password.
*/
int DigestA1
(
char *UserName,
char *Realm,
char *Password,
unsigned char *A1Digest
)
{
char *cptr, *sptr, *zptr;
char A1String [256];
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "DigestA1() !&Z !&Z !UL",
UserName, Realm, strlen(Password));
zptr = (sptr = A1String) + sizeof(A1String)-1;
for (cptr = UserName; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
for (cptr = Realm; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
for (cptr = Password; *cptr && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
Md5Digest (A1String, sptr-A1String, (MD5_HASH*)A1Digest);
return (SS$_NORMAL);
}
/*****************************************************************************/
/*
Generate the request-digest/response string.
*/
int DigestResponse
(
unsigned char *A1HexDigest,
char *Nonce,
char *Method,
char *Uri,
char *ResponseHexDigest
)
{
char *cptr, *sptr, *zptr;
char A2HexDigest [33],
A2String [1024],
ResponseString [256];
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER,
"DigestResponse() !&Z !&Z !&Z !&Z",
A1HexDigest, Nonce, Method, Uri);
ResponseHexDigest[0] = '\0';
zptr = (sptr = A2String) + sizeof(A2String)-1;
for (cptr = Method; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
for (cptr = Uri; *cptr && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
Md5HexString (A2String, sptr-A2String, A2HexDigest);
zptr = (sptr = ResponseString) + sizeof(ResponseString)-1;
for (cptr = A1HexDigest; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
for (cptr = Nonce; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
for (cptr = A2HexDigest; *cptr && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
Md5HexString (ResponseString, sptr-ResponseString, ResponseHexDigest);
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "!&Z", ResponseHexDigest);
return (SS$_NORMAL);
}
/*****************************************************************************/
/*
Generate a basic DIGEST challenge string, comprising the authentication realm
and the nonce. Store this null-terminated string in dynamically allocated
memory pointed to by 'rqptr->rqAuth.DigestChallengePtr'. The 'Other' allows
other digest fields to be included, for example ", stale=true".
*/
int DigestChallenge
(
REQUEST_STRUCT *rqptr,
char *Other
)
{
static $DESCRIPTOR (NonceFaoDsc, "!8XL!8XL!8XL");
ulong *qtime;
char Nonce [25],
AuthHeader [1024];
char *cptr, *sptr, *zptr;
$DESCRIPTOR (NonceDsc, Nonce);
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "DigestChallenge()");
qtime = &rqptr->rqTime.BeginTime64;
sys$fao (&NonceFaoDsc, 0, &NonceDsc,
IPADDRESS_ADR4(&rqptr->ClientPtr->IpAddress), qtime[0], qtime[1]);
Nonce[sizeof(Nonce)-1] = '\0';
zptr = (sptr = AuthHeader) + sizeof(AuthHeader)-1;
if (rqptr->ServicePtr->ProxyAuthRequired)
cptr = "Proxy-Authenticate";
else
cptr = "WWW-Authenticate";
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
for (cptr = ": Digest realm=\""; *cptr && sptr < zptr; *sptr++ = *cptr++);
for (cptr = rqptr->rqAuth.RealmDescrPtr; *cptr && sptr < zptr; *sptr++ = *cptr++);
for (cptr = "\", nonce=\""; *cptr && sptr < zptr; *sptr++ = *cptr++);
for (cptr = Nonce; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = '\"';
for (cptr = Other; *cptr && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
/* allocate heap memory */
rqptr->rqAuth.DigestChallengePtr = VmGetHeap (rqptr, sptr-AuthHeader);
strcpy (rqptr->rqAuth.DigestChallengePtr, AuthHeader);
return (SS$_NORMAL);
}
/*****************************************************************************/
/*
Parse the "Digest" authorization HTTP header field. Extract and store the
digest response, nonce, realm, username, and digest URI.
*/
int DigestAuthorization (REQUEST_STRUCT *rqptr)
{
int status;
char Algorithm [16],
Nonce [25],
Opaque [33],
Realm [16],
Response [33],
Uri [1024],
UserName [33];
char *cptr, *sptr, *zptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "DigestAuthorization() !&Z",
rqptr->rqAuth.RequestAuthorizationPtr);
rqptr->rqAuth.Scheme = rqptr->rqAuth.ChallengeScheme = AUTH_SCHEME_DIGEST;
cptr = rqptr->rqAuth.RequestAuthorizationPtr;
/* skip across the authorization scheme name ("digest") */
while (*cptr && !ISLWS(*cptr)) cptr++;
/* skip over white-space between scheme and digest parameters */
while (*cptr && ISLWS(*cptr)) cptr++;
/****************/
/* parse values */
/****************/
Algorithm[0] = Nonce[0] = Opaque[0] = Realm[0] =
Response[0] = Uri[0] = UserName[0] = '\0';
while (*cptr)
{
while (ISLWS(*cptr) || *cptr == ',') cptr++;
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "!&Z", cptr);
if (TOUP(*cptr) == 'A' && strsame (cptr, "algorithm=", 10))
zptr = (sptr = Algorithm) + sizeof(Algorithm)-1;
else
if (TOUP(*cptr) == 'N' && strsame (cptr, "nonce=", 6))
zptr = (sptr = Nonce) + sizeof(Nonce)-1;
else
if (TOUP(*cptr) == 'O' && strsame (cptr, "opaque=", 7))
zptr = (sptr = Opaque) + sizeof(Opaque)-1;
else
if (TOUP(*cptr) == 'R' && strsame (cptr, "realm=", 6))
zptr = (sptr = Realm) + sizeof(Realm)-1;
else
if (TOUP(*cptr) == 'R' && strsame (cptr, "response=", 9))
zptr = (sptr = Response) + sizeof(Response)-1;
else
if (TOUP(*cptr) == 'U' && strsame (cptr, "uri=", 4))
zptr = (sptr = Uri) + sizeof(Uri)-1;
else
if (TOUP(*cptr) == 'U' && strsame (cptr, "username=", 9))
zptr = (sptr = UserName) + sizeof(UserName)-1;
else
{
rqptr->rqResponse.HttpStatus = 400;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_REQUEST_FORMAT), FI_LI);
return (STS$K_ERROR);
}
while (*cptr && *cptr != '=') cptr++;
if (*cptr) cptr++;
if (*cptr == '\"')
{
cptr++;
while (*cptr && *cptr != '\"' && sptr < zptr) *sptr++ = *cptr++;
if (*cptr) cptr++;
}
else
while (*cptr && !ISLWS(*cptr) && *cptr != ',' && sptr < zptr)
*sptr++ = *cptr++;
if (sptr > zptr)
{
rqptr->rqResponse.HttpStatus = 400;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_REQUEST_FORMAT), FI_LI);
return (STS$K_ERROR);
}
*sptr = '\0';
}
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER,
"algorithm:!&Z nonce:!&Z opaque:!&Z realm:!&Z \
response:!&Z username:!&Z uri:!&Z",
Algorithm, Nonce, Opaque, Realm, Response, UserName, Uri);
/****************/
/* check values */
/****************/
if ((Algorithm[0] && !strsame (Algorithm, "MD5", -1)) ||
!Nonce[0] ||
!Realm[0] ||
!Response[0] ||
!Uri[0] ||
!UserName[0] ||
strcmp (rqptr->rqHeader.RequestUriPtr, Uri) ||
strcmp (rqptr->rqAuth.RealmDescrPtr, Realm) ||
strlen(Nonce) != 24)
{
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_FAILED), FI_LI);
return (STS$K_ERROR);
}
if (VMSnok (status = DigestCheckNonce (rqptr, Nonce)))
return (status);
/****************/
/* store values */
/****************/
rqptr->rqAuth.DigestNoncePtr = VmGetHeap (rqptr, strlen(Nonce));
strcpy (rqptr->rqAuth.DigestNoncePtr, Nonce);
rqptr->rqAuth.RealmDescrPtr = VmGetHeap (rqptr, strlen(Realm));
strcpy (rqptr->rqAuth.RealmDescrPtr, Realm);
rqptr->rqAuth.DigestResponsePtr = VmGetHeap (rqptr, strlen(Response));
strcpy (rqptr->rqAuth.DigestResponsePtr, Response);
rqptr->rqAuth.DigestUriPtr = VmGetHeap (rqptr, strlen(Uri));
strcpy (rqptr->rqAuth.DigestUriPtr, Uri);
if (strlen(UserName) >= sizeof(rqptr->RemoteUser))
{
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneralOverflow (rqptr, FI_LI);
return (STS$K_ERROR);
}
/* user names are always upper case for us! */
sptr = rqptr->RemoteUser;
for (cptr = UserName; *cptr; *sptr++ = TOUP(*cptr++));
*sptr = '\0';
rqptr->RemoteUserLength = sptr - rqptr->RemoteUser;
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "!&Z", rqptr->RemoteUser);
return (SS$_NORMAL);
}
/*****************************************************************************/
/*
The nonce comprises three 8 digit, zero-filled, hexadecimal numbers. The
client's 32 bit IP address, and each of the least and most significant
longwords of the request's binary time. The nonce is therefore a string of 24
hexadecimal digits.
This format allows the returned nonce to have the IP address and timestamp
easily extracted and checked. If the client's IP address and the nonce's
IP address do not match then it is rejected. If the timestamp indicates
an unacceptable period between generation and use of the nonce has occured
then it is rejected with a 'stale nonce' flag.
*/
int DigestCheckNonce
(
REQUEST_STRUCT *rqptr,
char *Nonce
)
{
static unsigned long LibSecondOfYear = LIB$K_SECOND_OF_YEAR;
int status;
unsigned long NonceLifeTimeSeconds,
NonceSecondOfYear,
SecondOfYear;
unsigned long NonceBinaryTime [2];
IPADDRESS ClientIpAddress;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "DigestCheckNonce()");
/* lib$cvt_htb() returns a 1 for OK or a 0 for conversion error */
if (status = lib$cvt_htb (8, Nonce, IPADDRESS_ADR4(&ClientIpAddress)))
if (status = lib$cvt_htb (8, Nonce+8, &NonceBinaryTime[0]))
status = lib$cvt_htb (8, Nonce+16, &NonceBinaryTime[1]);
if (status != 1)
{
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "!&S", status);
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_FAILED), FI_LI);
return (STS$K_ERROR);
}
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER, "!&X !&X !%D",
IPADDRESS_ADR4(&ClientIpAddress),
IPADDRESS_ADR4(&rqptr->ClientPtr->IpAddress),
&NonceBinaryTime);
if (!MATCH0 (IPADDRESS_ADR4(&ClientIpAddress),
IPADDRESS_ADR4(&rqptr->ClientPtr->IpAddress),
IPADDRESS_SIZE(&rqptr->ClientPtr->IpAddress)))
{
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_FAILED), FI_LI);
return (STS$K_ERROR);
}
lib$cvt_from_internal_time (&LibSecondOfYear, &SecondOfYear,
&rqptr->rqTime.BeginTime64);
lib$cvt_from_internal_time (&LibSecondOfYear, &NonceSecondOfYear,
&NonceBinaryTime);
if ((rqptr->rqHeader.Method & HTTP_METHOD_GET) ||
(rqptr->rqHeader.Method & HTTP_METHOD_HEAD))
NonceLifeTimeSeconds = Config.cfAuth.DigestNonceGetLifeTime;
else
NonceLifeTimeSeconds = Config.cfAuth.DigestNoncePutLifeTime;
if (!NonceLifeTimeSeconds)
NonceLifeTimeSeconds = DefaultNonceLifeTimeSeconds;
if (WATCH_MODULE(WATCH_MOD__OTHER))
WatchThis (WATCHALL, WATCH_MOD__OTHER,
"SecondOfYear:!UL Nonce:!UL LifeTime:!UL Stale:!&B",
SecondOfYear, NonceSecondOfYear, NonceLifeTimeSeconds,
(NonceSecondOfYear+NonceLifeTimeSeconds<SecondOfYear));
if (NonceSecondOfYear + NonceLifeTimeSeconds < SecondOfYear)
{
/*
Nonce is stale. But otherwise fine.
Now I know this test will break once a year :^(
(midnight, New Year's Eve) but too bad, it's simple :^)
*/
/* generate a special "stale nonce" challenge */
rqptr->rqAuth.Scheme = rqptr->rqAuth.ChallengeScheme = AUTH_SCHEME_DIGEST;
DigestChallenge (rqptr, ", stale=true");
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_FAILED), FI_LI);
}
return (SS$_NORMAL);
}
/*****************************************************************************/