Fail server startup when mod_auth_digest is unable to

provide the security checks configured. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@813396 13f79535-47bb-0310-9956-ffa450edef68
2025-11-06 16:49:32 +03:00 · 2009-09-10 12:12:58 +00:00
parent 7198d7e4d4
commit cc4511fcf2
3 changed files with 21 additions and 13 deletions
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -592,13 +592,13 @@ static const char *set_nonce_format(cmd_parms *cmd, void *config,

 static const char *set_nc_check(cmd_parms *cmd, void *config, int flag)
 {
-    if (flag && !client_shm) {
-        ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
-                     cmd->server, "Digest: WARNING: nonce-count checking "
+#if !APR_HAS_SHARED_MEMORY
+    if (flag) {
+        return "AuthDigestNcCheck: ERROR: nonce-count checking "
                     "is not supported on platforms without shared-memory "
-                     "support - disabling check");
-        flag = 0;
+                     "support";
    }
+#endif

    ((digest_config_rec *) config)->check_nc = flag;
    return NULL;
@@ -607,13 +607,8 @@ static const char *set_nc_check(cmd_parms *cmd, void *config, int flag)
 static const char *set_algorithm(cmd_parms *cmd, void *config, const char *alg)
 {
    if (!strcasecmp(alg, "MD5-sess")) {
-        if (!client_shm) {
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
-                         cmd->server, "Digest: WARNING: algorithm `MD5-sess' "
-                         "is not supported on platforms without shared-memory "
-                         "support - reverting to MD5");
-            alg = "MD5";
-        }
+        return "AuthDigestAlgorithm: ERROR: algorithm `MD5-sess' "
+                "is not fully implemented";
    }
    else if (strcasecmp(alg, "MD5")) {
        return apr_pstrcat(cmd->pool, "Invalid algorithm in AuthDigestAlgorithm: ", alg, NULL);
@@ -1432,6 +1427,13 @@ static int check_nc(const request_rec *r, const digest_header_rec *resp,
    const char *snc = resp->nonce_count;
    char *endptr;

+    if (conf->check_nc && !client_shm) {
+        /* Shouldn't happen, but just in case... */
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                      "Digest: cannot check nonce count without shared memory");
+        return OK;
+    }
+
    if (!conf->check_nc || !client_shm) {
        return OK;
    }