authorGlenn Strauss <gstrauss@gluelogic.com>2016-07-16 23:25:53 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2016-07-16 23:25:53 -0400
commit00cc4d7c0ecd9be2c5f1cd6a5397b78f75830905 (patch)
tree4e3e0cb9511ba0fa9aa67040db980370dd147ddd /src/mod_auth.c
parent052a049f29ca7478d5e86924add77bce481d68bf (diff)
downloadlighttpd-git-00cc4d7c0ecd9be2c5f1cd6a5397b78f75830905.tar.gz
[mod_auth] fix Digest auth to be better than Basic (fixes #1844)
Make Digest authentication more compliant with RFC. Excerpt from https://www.rfc-editor.org/rfc/rfc7616.txt Section 5.13: The bottom line is that any compliant implementation will be relatively weak by cryptographic standards, but any compliant implementation will be far superior to Basic Authentication. x-ref: "Serious security problem in Digest Authentication" https://redmine.lighttpd.net/issues/1844
Diffstat (limited to 'src/mod_auth.c')
-rw-r--r--src/mod_auth.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/mod_auth.c b/src/mod_auth.c
index cfadba4b..d4520ad6 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -287,7 +287,7 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
}
}
- if (!auth_satisfied) {
+ if (1 != auth_satisfied) { /*(0 or -2)*/
data_string *method, *realm;
method = (data_string *)array_get_element(req, "method");
realm = (data_string *)array_get_element(req, "realm");
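Review bot: `-2` on the new condition is a bare sentinel that only the trailing `/*(0 or -2)*/` comment explains, and the same literal is compared again in the Digest branch further down, so the two sites can drift apart; a named constant (e.g. `#define AUTH_STALE_NONCE (-2)` next to whatever helper returns it) would keep them in step. The `1 != auth_satisfied` form is a sound fail-closed choice — any unexpected return value lands in the challenge path rather than granting access — and that intent deserves to be stated, e.g. `/* 1 = authenticated; anything else (0, or -2 for a stale nonce) re-challenges */`. mod_auth_uri_handler starts before this hunk and continues after it.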
@@ -311,8 +311,13 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
buffer_copy_string_len(p->tmp_buf, CONST_STR_LEN("Digest realm=\""));
buffer_append_string_buffer(p->tmp_buf, realm->value);
buffer_append_string_len(p->tmp_buf, CONST_STR_LEN("\", charset=\"UTF-8\", nonce=\""));
+ buffer_append_uint_hex(p->tmp_buf, (uintmax_t)srv->cur_ts);
+ buffer_append_string_len(p->tmp_buf, CONST_STR_LEN(":"));
buffer_append_string(p->tmp_buf, hh);
buffer_append_string_len(p->tmp_buf, CONST_STR_LEN("\", qop=\"auth\""));
+ if (-2 == auth_satisfied) {
+ buffer_append_string_len(p->tmp_buf, CONST_STR_LEN(", stale=true"));
+ }
response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(p->tmp_buf));
} else {
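Review bot: The nonce built at the `buffer_append_uint_hex` / `":"` / `hh` lines now carries its timestamp in the clear as `<hex cur_ts>:<hh>`, and the check that produces `stale=true` presumably parses that leading hex field; unless the receiving side also verifies that `hh` was derived from the same timestamp under a server-only secret, a client can splice a fresh timestamp onto any previously issued (or fabricated) `hh` and the age check is bypassed. `hh` is generated before this hunk, so whether it binds the timestamp is not visible here; RFC 7616 §3.3's `time-stamp H(time-stamp ":" ETag ":" secret-data)` form is the pattern that makes the plaintext prefix checkable. I would make the coupling explicit at the nonce line: `/* nonce = <hex cur_ts>:<hh>; the hex prefix is parsed for the stale check, so hh must bind this timestamp */`. mod_auth_uri_handler begins before this hunk and continues past it.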