src/auth/digest/UserRequest.cc

   1 #include "squid.h"
   2 #include "auth/digest/auth_digest.h"
   3 #include "auth/digest/User.h"
   4 #include "auth/digest/UserRequest.h"
   5 #include "auth/State.h"
   6 #include "charset.h"
   7 #include "HttpReply.h"
   8 #include "HttpRequest.h"
   9 #include "SquidTime.h"
  10
  11 Auth::Digest::UserRequest::UserRequest() :
  12         nonceb64(NULL),
  13         cnonce(NULL),
  14         realm(NULL),
  15         pszPass(NULL),
  16         algorithm(NULL),
  17         pszMethod(NULL),
  18         qop(NULL),
  19         uri(NULL),
  20         response(NULL),
  21         nonce(NULL)
  22 {}
  23
  24 /**
  25  * Delete the digest request structure.
  26  * Does NOT delete related AuthUser structures
  27  */
  28 Auth::Digest::UserRequest::~UserRequest()
  29 {
  30     assert(RefCountCount()==0);
  31
  32     safe_free(nonceb64);
  33     safe_free(cnonce);
  34     safe_free(realm);
  35     safe_free(pszPass);
  36     safe_free(algorithm);
  37     safe_free(pszMethod);
  38     safe_free(qop);
  39     safe_free(uri);
  40     safe_free(response);
  41
  42     if (nonce)
  43         authDigestNonceUnlink(nonce);
  44 }
  45
  46 int
  47 Auth::Digest::UserRequest::authenticated() const
  48 {
  49     if (user() != NULL && user()->credentials() == Auth::Ok)
  50         return 1;
  51
  52     return 0;
  53 }
  54
  55 /** log a digest user in
  56  */
  57 void
  58 Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type)
  59 {
  60     HASHHEX SESSIONKEY;
  61     HASHHEX HA2 = "";
  62     HASHHEX Response;
  63
  64     /* if the check has corrupted the user, just return */
  65     if (user() == NULL || user()->credentials() == Auth::Failed) {
  66         return;
  67     }
  68
  69     Auth::User::Pointer auth_user = user();
  70
  71     Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User*>(auth_user.getRaw());
  72     assert(digest_user != NULL);
  73
  74     Auth::Digest::UserRequest *digest_request = this;
  75
  76     /* do we have the HA1 */
  77     if (!digest_user->HA1created) {
  78         auth_user->credentials(Auth::Pending);
  79         return;
  80     }
  81
  82     if (digest_request->nonce == NULL) {
  83         /* this isn't a nonce we issued */
  84         auth_user->credentials(Auth::Failed);
  85         return;
  86     }
  87
  88     DigestCalcHA1(digest_request->algorithm, NULL, NULL, NULL,
  89                   authenticateDigestNonceNonceb64(digest_request->nonce),
  90                   digest_request->cnonce,
  91                   digest_user->HA1, SESSIONKEY);
  92     DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
  93                        digest_request->nc, digest_request->cnonce, digest_request->qop,
  94                        RequestMethodStr(request->method), digest_request->uri, HA2, Response);
  95
  96     debugs(29, 9, "\nResponse = '" << digest_request->response << "'\nsquid is = '" << Response << "'");
  97
  98     if (strcasecmp(digest_request->response, Response) != 0) {
  99         if (!digest_request->flags.helper_queried) {
 100             /* Query the helper in case the password has changed */
 101             digest_request->flags.helper_queried = 1;
 102             auth_user->credentials(Auth::Pending);
 103             return;
 104         }
 105
 106         if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->PostWorkaround && request->method != METHOD_GET) {
 107             /* Ugly workaround for certain very broken browsers using the
 108              * wrong method to calculate the request-digest on POST request.
 109              * This should be deleted once Digest authentication becomes more
 110              * widespread and such broken browsers no longer are commonly
 111              * used.
 112              */
 113             DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
 114                                digest_request->nc, digest_request->cnonce, digest_request->qop,
 115                                RequestMethodStr(METHOD_GET), digest_request->uri, HA2, Response);
 116
 117             if (strcasecmp(digest_request->response, Response)) {
 118                 auth_user->credentials(Auth::Failed);
 119                 digest_request->flags.invalid_password = 1;
 120                 digest_request->setDenyMessage("Incorrect password");
 121                 return;
 122             } else {
 123                 const char *useragent = request->header.getStr(HDR_USER_AGENT);
 124
 125                 static Ip::Address last_broken_addr;
 126                 static int seen_broken_client = 0;
 127
 128                 if (!seen_broken_client) {
 129                     last_broken_addr.SetNoAddr();
 130                     seen_broken_client = 1;
 131                 }
 132
 133                 if (last_broken_addr != request->client_addr) {
 134                     debugs(29, DBG_IMPORTANT, "Digest POST bug detected from " <<
 135                            request->client_addr << " using '" <<
 136                            (useragent ? useragent : "-") <<
 137                            "'. Please upgrade browser. See Bug #630 for details.");
 138
 139                     last_broken_addr = request->client_addr;
 140                 }
 141             }
 142         } else {
 143             auth_user->credentials(Auth::Failed);
 144             digest_request->flags.invalid_password = 1;
 145             digest_request->setDenyMessage("Incorrect password");
 146             return;
 147         }
 148
 149         /* check for stale nonce */
 150         if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
 151             debugs(29, 3, HERE << "user '" << auth_user->username() << "' validated OK but nonce stale");
 152             auth_user->credentials(Auth::Failed);
 153             digest_request->setDenyMessage("Stale nonce");
 154             return;
 155         }
 156     }
 157
 158     auth_user->credentials(Auth::Ok);
 159
 160     /* password was checked and did match */
 161     debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated OK");
 162
 163     /* auth_user is now linked, we reset these values
 164      * after external auth occurs anyway */
 165     auth_user->expiretime = current_time.tv_sec;
 166     return;
 167 }
 168
 169 Auth::Direction
 170 Auth::Digest::UserRequest::module_direction()
 171 {
 172     if (user()->auth_type != Auth::AUTH_DIGEST)
 173         return Auth::CRED_ERROR;
 174
 175     switch (user()->credentials()) {
 176
 177     case Auth::Ok:
 178         return Auth::CRED_VALID;
 179
 180     case Auth::Failed:
 181         /* send new challenge */
 182         return Auth::CRED_CHALLENGE;
 183
 184     case Auth::Unchecked:
 185     case Auth::Pending:
 186         return Auth::CRED_LOOKUP;
 187
 188     default:
 189         return Auth::CRED_ERROR;
 190     }
 191 }
 192
 193 void
 194 Auth::Digest::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
 195 {
 196     http_hdr_type type;
 197
 198     /* don't add to authentication error pages */
 199
 200     if ((!accel && rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED)
 201             || (accel && rep->sline.status == HTTP_UNAUTHORIZED))
 202         return;
 203
 204     type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
 205
 206 #if WAITING_FOR_TE
 207     /* test for http/1.1 transfer chunked encoding */
 208     if (chunkedtest)
 209         return;
 210 #endif
 211
 212     if ((static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
 213         flags.authinfo_sent = 1;
 214         debugs(29, 9, HERE << "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
 215         httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
 216     }
 217 }
 218
 219 #if WAITING_FOR_TE
 220 void
 221 Auth::Digest::UserRequest::addAuthenticationInfoTrailer(HttpReply * rep, int accel)
 222 {
 223     int type;
 224
 225     if (!auth_user_request)
 226         return;
 227
 228     /* has the header already been send? */
 229     if (flags.authinfo_sent)
 230         return;
 231
 232     /* don't add to authentication error pages */
 233     if ((!accel && rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED)
 234             || (accel && rep->sline.status == HTTP_UNAUTHORIZED))
 235         return;
 236
 237     type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
 238
 239     if ((static_cast<Auth::Digest::Config*>(digestScheme::GetInstance()->getConfig())->authenticate) && authDigestNonceLastRequest(nonce)) {
 240         debugs(29, 9, HERE << "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
 241         httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
 242     }
 243 }
 244 #endif
 245
 246 /* send the initial data to a digest authenticator module */
 247 void
 248 Auth::Digest::UserRequest::module_start(RH * handler, void *data)
 249 {
 250     char buf[8192];
 251
 252     assert(user() != NULL && user()->auth_type == Auth::AUTH_DIGEST);
 253     debugs(29, 9, HERE << "'\"" << user()->username() << "\":\"" << realm << "\"'");
 254
 255     if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram == NULL) {
 256         debugs(29, DBG_CRITICAL, "ERROR: No Digest authentication program configured.");
 257         handler(data, NULL);
 258         return;
 259     }
 260
 261     if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->utf8) {
 262         char userstr[1024];
 263         latin1_to_utf8(userstr, sizeof(userstr), user()->username());
 264         snprintf(buf, 8192, "\"%s\":\"%s\"\n", userstr, realm);
 265     } else {
 266         snprintf(buf, 8192, "\"%s\":\"%s\"\n", user()->username(), realm);
 267     }
 268
 269     helperSubmit(digestauthenticators, buf, Auth::Digest::UserRequest::HandleReply,
 270                  new Auth::StateData(this, handler, data));
 271 }
 272
 273 void
 274 Auth::Digest::UserRequest::HandleReply(void *data, char *reply)
 275 {
 276     Auth::StateData *replyData = static_cast<Auth::StateData *>(data);
 277     char *t = NULL;
 278     void *cbdata;
 279     debugs(29, 9, HERE << "{" << (reply ? reply : "<NULL>") << "}");
 280
 281     if (reply) {
 282         if ((t = strchr(reply, ' ')))
 283             *t++ = '\0';
 284
 285         if (*reply == '\0' || *reply == '\n')
 286             reply = NULL;
 287     }
 288
 289     assert(replyData->auth_user_request != NULL);
 290     Auth::UserRequest::Pointer auth_user_request = replyData->auth_user_request;
 291
 292     if (reply && (strncasecmp(reply, "ERR", 3) == 0)) {
 293         /* allow this because the digest_request pointer is purely local */
 294         Auth::Digest::UserRequest *digest_request = dynamic_cast<Auth::Digest::UserRequest *>(auth_user_request.getRaw());
 295         assert(digest_request);
 296
 297         digest_request->user()->credentials(Auth::Failed);
 298         digest_request->flags.invalid_password = 1;
 299
 300         if (t && *t)
 301             digest_request->setDenyMessage(t);
 302     } else if (reply) {
 303         /* allow this because the digest_request pointer is purely local */
 304         Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
 305         assert(digest_user != NULL);
 306
 307         CvtBin(reply, digest_user->HA1);
 308         digest_user->HA1created = 1;
 309     }
 310
 311     if (cbdataReferenceValidDone(replyData->data, &cbdata))
 312         replyData->handler(cbdata, NULL);
 313
 314     delete replyData;
 315 }