Add additional configuration options to the DIGEST authenticator

This is the fix for CVE-2011-1184

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1087655 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/authenticator/LocalStrings.properties

@@ -28,6 +28,8 @@ authenticator.sessionExpired=The time allowed for the login process has been exc
 authenticator.unauthorized=Cannot authenticate with the provided credentials
 authenticator.userDataConstraint=This request violates a User Data constraint for this application
 
+digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
+
 formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
 formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
 

java/org/apache/catalina/authenticator/mbeans-descriptors.xml

@@ -90,10 +90,26 @@
                type="java.lang.String"
                writeable="false"/>
 
+    <attribute name="cnonceCacheSize"
+               description="The size of the cnonce cache used to prevent replay attacks"
+               type="int"/>
+
     <attribute name="disableProxyCaching"
                description="Controls the caching of pages that are protected by security constraints"
                type="boolean"/>
 
+    <attribute name="key"
+               description="The secret key used by digest authentication"
+               type="java.lang.String"/>
+
+    <attribute name="nonceValidity"
+               description="The time, in milliseconds, for which a server issued nonce will be valid"
+               type="long"/>
+
+    <attribute name="opaque"
+               description="The opaque server string used by digest authentication"
+               type="java.lang.String"/>
+
     <attribute name="securePagesWithPragma"
                description="Controls the caching of pages that are protected by security constraints"
                type="boolean"/>
@@ -114,6 +130,10 @@
                description="The name of the LifecycleState that this component is currently in"
                type="java.lang.String"
                writeable="false"/>
+
+    <attribute name="validateUri"
+               description="Should the uri be validated as required by RFC2617?"
+               type="boolean"/>
   </mbean>
 
   <mbean name="FormAuthenticator"

java/org/apache/catalina/realm/RealmBase.java

@@ -364,8 +364,13 @@ public Principal authenticate(String username, String clientDigest,
         String md5a1 = getDigest(username, realm);
         if (md5a1 == null)
             return null;
-        String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
-            + cnonce + ":" + qop + ":" + md5a2;
+        String serverDigestValue;
+        if (qop == null) {
+            serverDigestValue = md5a1 + ":" + nOnce + ":" + md5a2;
+        } else {
+            serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":" +
+                    cnonce + ":" + qop + ":" + md5a2;
+        }
 
         byte[] valueBytes = null;
         if(getDigestEncoding() == null) {