diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index d1a2ffcb..0db34523 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -35,11 +35,11 @@ failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server config
 ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
 ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
 ^%(_apache_error_client)s (AH0179[01]: )?(Digest: )?user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
- ^%(_apache_error_client)s (AH01631: )?user .* authorization failure for "\S*": \s*$
- ^%(_apache_error_client)s (AH0177[56]: )?invalid nonce .* received - (length|hash) is not \S+\s*$
- ^%(_apache_error_client)s (AH01788: )?realm mismatch - got `.*' but expected `.+'\s*$
- ^%(_apache_error_client)s (AH01789: )?unknown algorithm `\S+' received: \S*\s*"$
- ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*"$
+ ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
+ ^%(_apache_error_client)s (AH0177[56]: )?(Digest: )?invalid nonce .* received - (length|hash) is not \S+\s*$
+ ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
+ ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
+ ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
 ^%(_apache_error_client)s (AH01777: )?invalid nonce .* received - user attempted time travel\s*$
 ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
 ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
diff --git a/testcases/files/config/apache-auth/digest.py b/testcases/files/config/apache-auth/digest.py
index ed0e18eb..c12b1b33 100755
--- a/testcases/files/config/apache-auth/digest.py
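Review bot: The rewritten AH01793 line is the only one of the five replaced failregex entries that does not gain `(Digest: )?`, so the older spelling of the invalid-qop message with the `Digest: ` prefix (the form the sibling AH0177[56], AH01788 and AH01789 lines now accept, and the form the new sample in testcases/files/logs/apache-auth uses) stays unmatched; I would insert `(Digest: )?` right after `(AH01793: )?` exactly as on the neighbouring lines. The same prefix is missing from the unchanged AH01777 line at the bottom of this hunk, while the log hunk adds `Digest: invalid nonce … received - user attempted time travel` marked `"match": true`, so that test line looks set to fail unless something outside this hunk absorbs the prefix. The failregex definition begins above the hunk.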
+++ b/testcases/files/config/apache-auth/digest.py
@@ -37,18 +37,19 @@ def auth(v):
 def preauth():
 r = requests.get(host + url)
+ print r
 r.headers['www-authenticate'].split(', ')
 return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ])
 url='/digest/'
-host = 'http://localhost:801'
+host = 'http://localhost:802'
 v = preauth()
-#print v
 username="username"
 password = "password"
+print v
 realm = 'so far away'
 r = auth(v)
@@ -97,3 +98,52 @@ time.sleep(1)
 r = auth(v)
 print r.status_code,r.headers, r.text
+# Obtained by putting the following code in modules/aaa/mod_auth_digest.c # in the function initialize_secret # { # const char *hex = "0123456789abcdef"; # char secbuff[SECRET_LEN * 4]; # char *hash = secbuff; # int idx;
+ # for (idx=0; idx> 4]; # *hash++ = hex[secret[idx] & 0xF]; # } # *hash = '\0'; # /* remove comment in below for apache-2.4+ */ # ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, /* APLOGNO(11759) */ "secret: %s", secbuff); # }
+
+ import sha
import binascii
import base64
import struct
+ apachesecret = binascii.unhexlify('cc969f83b4029e672115f2e8ff7dd21a976728f9')
s = sha.sha(apachesecret)
+ v=preauth()
+ print v['nonce']
realm = v['Digest realm'][1:-1]
+ (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
+ # whee, time travel t = t + 5540
+ timepac = base64.b64encode(struct.pack('l',t))
+ s.update(realm)
s.update(timepac)
+ v['nonce'] = v['nonce'][0] + timepac + s.hexdigest() + v['nonce'][-1]
+ print v
+ r = auth(v) #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
print r.status_code,r.headers, r.text
+
diff --git a/testcases/files/logs/apache-auth b/testcases/files/logs/apache-auth
index 95397cb5..915fabc1 100644
--- a/testcases/files/logs/apache-auth
+++ b/testcases/files/logs/apache-auth
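Review bot: The `print r` added inside `preauth()` and the top-level `print v` that replaces the commented-out one dump the whole response object and the parsed challenge on every run, which buries the `print r.status_code,r.headers, r.text` output this script is actually run for; I would drop the in-function print or guard both behind a flag. The port change from 801 to 802 is left unexplained — presumably it selects a differently configured local Apache instance (the test log carries both the `[error] [client …] Digest:` and the `[auth_digest:error] … AH0…` formats) — so a comment such as `host = 'http://localhost:802'  # local test Apache instance used to produce testcases/files/logs/apache-auth` would save the next reader a guess. `preauth()` starts inside the hunk; its no-op `r.headers['www-authenticate'].split(', ')` statement above the `return` is context rather than new code, but could go in the same pass.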
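Review bot: `struct.unpack('l', ...)` on `base64.b64decode(v['nonce'][1:13])` and the matching `struct.pack('l', t)` depend on the platform's C long being 8 bytes: the 12-character base64 prefix sliced here (`59QJppTiBAA=` in the comment below it) decodes to 8 bytes, so on a 32-bit interpreter the unpack raises `struct.error`; the native 8-byte `'q'` format yields the same bytes on either word size. `import sha` has long been deprecated in favour of `hashlib`, and `hashlib.sha1(apachesecret)` is a drop-in for `sha.sha(apachesecret)` here. The hard-coded `apachesecret` is only meaningful for the local test build patched as the comment block describes, which deserves a note beside the constant, e.g. `# secret logged by the patched local test server (see above); regenerate for any other instance`, and `t = t + 5540` would benefit from a comment saying what the offset is chosen to exceed. This is the top-level tail of the script; `preauth()` and `auth()` are defined earlier in the file.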
@@ -50,6 +50,8 @@
 # failJSON: { "time": "2013-07-20T22:11:43", "match": true , "host": "127.0.0.1" }
 [Sat Jul 20 22:11:43.147674 2013] [authz_owner:error] [pid 17540:tid 140122922129152] [client 127.0.0.1:51548] AH01637: Authorization of user username to access /basic/authz_owner/cant_get_me.html failed, reason: file owner dan does not match
+
+ # wget --http-user=username --http-password=password http://localhost/basic/authz_owner/cant_get_me.html -O /dev/null
 # failJSON: { "time": "2013-07-20T21:42:44", "match": true , "host": "127.0.0.1" }
 [Sat Jul 20 21:42:44.304159 2013] [authz_core:error] [pid 17484:tid 140123095914240] [client 127.0.0.1:51397] AH01631: user username: authorization failure for "/basic/authz_owner/cant_get_me.html":
@@ -98,3 +100,12 @@
 # failJSON: { "time": "2013-07-28T21:42:03", "match": true , "host": "127.0.0.1" }
 [Sun Jul 28 21:42:03.930190 2013] [auth_digest:error] [pid 24835:tid 139895505884928] [client 127.0.0.1:57115] AH01789: unknown algorithm `super funky chicken' received: /digest/
+
+ # ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-29T02:15:26", "match": true , "host": "127.0.0.1" }
[Mon Jul 29 02:15:26 2013] [error] [client 127.0.0.1] Digest: invalid nonce LWEDr5TiBAA=ceddd011628c30e3646f7acda4f1a0ab6b7c5ae6 received - user attempted time travel
+
+
+ # failJSON: { "time": "2013-07-29T02:12:55", "match": true , "host": "127.0.0.1" }
[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel