From 0fb04cb2f043061adf4dd521794253ae0c286d5c Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sun, 28 Jul 2013 22:00:55 +1000
Subject: [PATCH] ENH: filter enhancements on mod-digest (with test cases) for apache-auth (httpd-2.4.4)
---
 config/filter.d/apache-auth.conf | 15 ++-
 testcases/files/config/apache-auth/digest.py | 99 ++++++++++++++++++
 .../config/apache-auth/digest_time/.htaccess | 7 ++
 .../apache-auth/digest_time/.htaccess.swp | Bin 0 -> 12288 bytes
 .../config/apache-auth/digest_time/.htpasswd | 1 +
 testcases/files/logs/apache-auth | 32 ++++++
 6 files changed, 146 insertions(+), 8 deletions(-)
 create mode 100755 testcases/files/config/apache-auth/digest.py
 create mode 100644 testcases/files/config/apache-auth/digest_time/.htaccess
 create mode 100644 testcases/files/config/apache-auth/digest_time/.htaccess.swp
 create mode 100644 testcases/files/config/apache-auth/digest_time/.htpasswd
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 4a275a4b..d1a2ffcb 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -35,15 +35,14 @@ failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server config
 ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
 ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
 ^%(_apache_error_client)s (AH0179[01]: )?(Digest: )?user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
- ^%(_apache_error_client)s user .* authorization failure: \S*\s*$
 ^%(_apache_error_client)s (AH01631: )?user .* authorization failure for "\S*": \s*$
- ^%(_apache_error_client)s invalid nonce .* received - (length|hash) is not \S+\s*$
- ^%(_apache_error_client)s invalid nonce .* received - user attempted time travel\s*$
- ^%(_apache_error_client)s user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
- ^%(_apache_error_client)s user .*: one-time-nonce mismatch - sending new nonce\s*$
- ^%(_apache_error_client)s realm mismatch - got `.*' but expected `.+'\s*$
- ^%(_apache_error_client)s unknown algorithm `\S+' received: \S*\s*"$
- ^%(_apache_error_client)s invalid qop `.*' received: \S*\s*"$
+ ^%(_apache_error_client)s (AH0177[56]: )?invalid nonce .* received - (length|hash) is not \S+\s*$
+ ^%(_apache_error_client)s (AH01788: )?realm mismatch - got `.*' but expected `.+'\s*$
+ ^%(_apache_error_client)s (AH01789: )?unknown algorithm `\S+' received: \S*\s*"$
+ ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*"$
+ ^%(_apache_error_client)s (AH01777: )?invalid nonce .* received - user attempted time travel\s*$
+ ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
+ ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
diff --git a/testcases/files/config/apache-auth/digest.py b/testcases/files/config/apache-auth/digest.py
new file mode 100755
index 00000000..ed0e18eb
--- /dev/null
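Review bot: The `unknown algorithm` and `invalid qop` patterns keep a literal trailing `"` (`\S*\s*"$`) and match the algorithm name with `\S+`, but the httpd 2.4 samples quoted in the new digest.py (``Digest: unknown algorithm `super funky chicken' received: /digest/`` and ``AH01793: invalid qop `auth' received: /digest/qop_none/``) end with the URI and carry a multi-word algorithm, so neither of those lines would be matched. If the real samples in testcases/files/logs/apache-auth (listed in the diffstat, outside this chunk) look the same, the two lines should read ``^%(_apache_error_client)s (AH01789: )?unknown algorithm `.*' received: \S*\s*$`` and ``^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$``. Both quoted values are copied from the client's Authorization header, so the wider `.*` is bounded on the right by `' received:` and the line stays anchored to the `%(_apache_error_client)s` prefix, which is what the ban decision depends on. The header announces 15 old and 14 new lines but only 12 and 11 are visible here, so the hunk's trailing context appears to have been lost in this rendering and the failregex block may continue past what is shown.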
+++ b/testcases/files/config/apache-auth/digest.py 
@@ -0,0 +1,99 @@
+#!/bin/env python
+import requests
+import md5
+
+
+def auth(v):
+
+ ha1 = md5.new(username + ':' + realm + ':' + password).hexdigest()
+ ha2 = md5.new("GET:" + url).hexdigest()
+
+ #response = md5.new(ha1 + ':' + v['nonce'][1:-1] + ':' + v['nc'] + ':' + v['cnonce'][1:-1]
+ # + ':' + v['qop'][1:-1] + ':' + ha2).hexdigest()
+
+ nonce = v['nonce'][1:-1]
+ nc=v.get('nc') or ''
+ cnonce = v.get('cnonce') or ''
+ qop = v['qop'][1:-1]
+ algorithm = v['algorithm']
+ response = md5.new(ha1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2).hexdigest()
+
+ p = requests.Request('GET', host + url).prepare()
+ #p.headers['Authentication-Info'] = response
+ p.headers['Authorization'] = """
+ Digest username="%s",
+ algorithm="%s",
+ realm="%s",
+ uri="%s",
+ nonce="%s",
+ cnonce="",
+ nc="",
+ qop=%s,
+ response="%s"
+ """ % ( username, algorithm, realm, url, nonce, qop, response )
+
+ s = requests.Session()
+ return s.send(p)
+
+def preauth():
+ r = requests.get(host + url)
+ r.headers['www-authenticate'].split(', ')
+ return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ])
+
+
+url='/digest/'
+host = 'http://localhost:801'
+
+v = preauth()
+
+#print v
+username="username"
+password = "password"
+
+realm = 'so far away'
+r = auth(v)
+
+realm = v['Digest realm'][1:-1]
+
+# [Sun Jul 28 21:27:56.549667 2013] [auth_digest:error] [pid 24835:tid 139895297222400] [client 127.0.0.1:57052] AH01788: realm mismatch - got `so far away' but expected `digest private area'
+
+
+algorithm = v['algorithm']
+v['algorithm'] = 'super funky chicken'
+r = auth(v)
+
+# [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
+
+print r.status_code,r.headers, r.text
+v['algorithm'] = algorithm
+
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+
+nonce = v['nonce']
+v['nonce']=v['nonce'][5:-5]
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+
+# [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
+
+
+v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+
+#[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
+
+
+url='/digest_time/'
+v=preauth()
+
+import time
+time.sleep(1)
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+
diff --git a/testcases/files/config/apache-auth/digest_time/.htaccess b/testcases/files/config/apache-auth/digest_time/.htaccess
new file mode 100644
index 00000000..44036f57
--- /dev/null
+++ b/testcases/files/config/apache-auth/digest_time/.htaccess
@@ -0,0 +1,7 @@
+AuthType Digest
+AuthName "digest private area"
+AuthDigestDomain /digest_time/
+AuthBasicProvider file
+AuthUserFile /var/www/html/digest_time/.htpasswd
+AuthDigestNonceLifetime 1
+Require valid-user
diff --git a/testcases/files/config/apache-auth/digest_time/.htaccess.swp b/testcases/files/config/apache-auth/digest_time/.htaccess.swp
new file mode 100644
index 0000000000000000000000000000000000000000..1d14e6f29e6247f67d618dc791a6b6791672ed5f
GIT binary patch
literal 12288
zcmeI&!Aiq07zglgL-8bvdx1F5Tc-V)bjHm$CNpJoiR63cWzxNMo<9ilo;ZS@wNt%*?Z}00I!0Lm;)o#@;Hm zceYza_EvpU)HeEaY=jgDKmY;|fB*y_009UkNo&n})^+`8zwDAw(}K!X4T zAOHafKmY;|fB*y_009X68-WXXmntnq#-R!tsgarvQ#piDSoqx_zZGZjcJhA#EX37xXiUVN*hFQ>cgPOMJ~>_wtg##Rc} PlI!L4<$WT>
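Review bot: `import md5` and the three `md5.new(...)` calls rely on the `md5` module that was deprecated in Python 2.5 and does not exist in Python 3, so this fixture fails at import under a current interpreter; `import hashlib` with `hashlib.md5(...)` (same `.hexdigest()`) is the drop-in replacement. The shebang `#!/bin/env python` should be `#!/usr/bin/env python`, since `env` lives in /usr/bin on the usual targets and the file is committed executable (mode 100755). In `preauth()` the statement `r.headers['www-authenticate'].split(', ')` computes a value that is thrown away and can be deleted. A short module docstring saying that the script deliberately sends malformed Digest credentials (wrong realm, unknown algorithm, mangled nonce, expired nonce) to the local httpd at `host` in order to produce the log lines the apache-auth filter is tested against would help whoever next regenerates the sample log.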
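Review bot: `AuthBasicProvider file` has no effect under `AuthType Digest`; mod_auth_digest takes its provider list from `AuthDigestProvider`, and this fixture only works because `file` is the default, so the line should read `AuthDigestProvider file` or be dropped. `AuthUserFile /var/www/html/digest_time/.htpasswd` pins the fixture to one document root; a comment above it such as `# adjust to the DocumentRoot this fixture is deployed under` would save the next tester a failed setup, and `AuthDigestNonceLifetime 1` deserves a one-line comment that it is set this low on purpose to provoke the nonce-expired message. The following `.htaccess.swp` section is a vim swap file for this same file and looks staged by accident; it should be removed from the patch rather than committed as a binary fixture.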