]> git.ipfire.org Git - thirdparty/squid.git/blame - src/auth/digest/Config.cc
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Source Format Enforcement (#763)
[thirdparty/squid.git] / src / auth / digest / Config.cc
CommitLineData
2d70df72 1/*
f70aedc4 2 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
2d70df72 3 *
bbc27441
AJ		 4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
2d70df72 7 */
8
bbc27441
AJ		 9/* DEBUG: section 29 Authenticator */
10
2d70df72 11/* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
14
582c2af2 15#include "squid.h"
fde785ee 16#include "auth/CredentialsCache.h"
12daeef6 17#include "auth/digest/Config.h"
616cfc4c 18#include "auth/digest/Scheme.h"
aa110616 19#include "auth/digest/User.h"
616cfc4c 20#include "auth/digest/UserRequest.h"
3ad63615 21#include "auth/Gadgets.h"
aa110616 22#include "auth/State.h"
7e851a3e 23#include "auth/toUtf.h"
a0655385 24#include "base/LookupTable.h"
602d9612 25#include "cache_cf.h"
a553a5a3 26#include "event.h"
24438ec5 27#include "helper.h"
a5bac1d2 28#include "HttpHeaderTools.h"
924f73bc 29#include "HttpReply.h"
602d9612 30#include "HttpRequest.h"
b20ce974 31#include "md5.h"
602d9612
A		 32#include "mgr/Registration.h"
33#include "rfc2617.h"
65e41a45 34#include "sbuf/SBuf.h"
7e851a3e 35#include "sbuf/StringConvert.h"
cc192b50 36#include "SquidTime.h"
602d9612 37#include "Store.h"
28204b3b 38#include "StrList.h"
602d9612 39#include "wordlist.h"
c78aa667 40
ed6e9fb9
AJ		 41/* digest_nonce_h still uses explicit alloc()/freeOne() MemPool calls.
42 * XXX: convert to MEMPROXY_CLASS() API
43 */
44#include "mem/Pool.h"
2d70df72 45
42df4209
AJ		 46#include <random>
47
2d70df72 48static AUTHSSTATS authenticateDigestStats;
2d70df72 49
928f3421 50helper *digestauthenticators = NULL;
2d70df72 51
52static hash_table *digest_nonce_cache;
53
2d70df72 54static int authdigest_initialised = 0;
a3efa961 55static MemAllocator *digest_nonce_pool = NULL;
2d70df72 56
9abd1514 57enum http_digest_attr_type {
d6b7a3c4 58 DIGEST_USERNAME,
cb14509d
HN		 59 DIGEST_REALM,
60 DIGEST_QOP,
61 DIGEST_ALGORITHM,
62 DIGEST_URI,
63 DIGEST_NONCE,
64 DIGEST_NC,
65 DIGEST_CNONCE,
66 DIGEST_RESPONSE,
ae22f65a 67 DIGEST_INVALID_ATTR
a15e94ec 68};
a0655385
FC		 69
70static const LookupTable<http_digest_attr_type>::Record
4be4fedc 71DigestAttrs[] = {
a0655385
FC		 72 {"username", DIGEST_USERNAME},
73 {"realm", DIGEST_REALM},
74 {"qop", DIGEST_QOP},
75 {"algorithm", DIGEST_ALGORITHM},
76 {"uri", DIGEST_URI},
77 {"nonce", DIGEST_NONCE},
78 {"nc", DIGEST_NC},
79 {"cnonce", DIGEST_CNONCE},
80 {"response", DIGEST_RESPONSE},
ae22f65a 81 {nullptr, DIGEST_INVALID_ATTR}
a0655385
FC		 82};
83
84LookupTable<http_digest_attr_type>
f5ef79c0 85DigestFieldsLookupTable(DIGEST_INVALID_ATTR, DigestAttrs);
a0655385 86
2d70df72 87/*
88 *
89 * Nonce Functions
90 *
91 */
92
93static void authenticateDigestNonceCacheCleanup(void *data);
b20ce974 94static digest_nonce_h *authenticateDigestNonceFindNonce(const char *noncehex);
c78aa667 95static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
c193c972 96static void authenticateDigestNonceSetup(void);
c78aa667 97static void authDigestNonceEncode(digest_nonce_h * nonce);
c78aa667 98static void authDigestNonceLink(digest_nonce_h * nonce);
c78aa667 99static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
2d70df72 100
c78aa667 101static void
2d70df72 102authDigestNonceEncode(digest_nonce_h * nonce)
103{
104 if (!nonce)
62e76326 105 return;
106
4a8b20e8 107 if (nonce->key)
62e76326 108 xfree(nonce->key);
109
b20ce974 110 SquidMD5_CTX Md5Ctx;
111 HASH H;
112 SquidMD5Init(&Md5Ctx);
113 SquidMD5Update(&Md5Ctx, reinterpret_cast<const uint8_t *>(&nonce->noncedata), sizeof(nonce->noncedata));
114 SquidMD5Final(reinterpret_cast<uint8_t *>(H), &Md5Ctx);
115
116 nonce->key = xcalloc(sizeof(HASHHEX), 1);
117 CvtHex(H, static_cast<char *>(nonce->key));
2d70df72 118}
119
572d2e31 120digest_nonce_h *
c193c972 121authenticateDigestNonceNew(void)
2d70df72 122{
b001e822 123 digest_nonce_h *newnonce = static_cast < digest_nonce_h * >(digest_nonce_pool->alloc());
2d70df72 124
62e76326 125 /* NONCE CREATION - NOTES AND REASONING. RBC 20010108
126 * === EXCERPT FROM RFC 2617 ===
127 * The contents of the nonce are implementation dependent. The quality
128 * of the implementation depends on a good choice. A nonce might, for
129 * example, be constructed as the base 64 encoding of
26ac0430 130 *
62e76326 131 * time-stamp H(time-stamp ":" ETag ":" private-key)
26ac0430 132 *
62e76326 133 * where time-stamp is a server-generated time or other non-repeating
134 * value, ETag is the value of the HTTP ETag header associated with
135 * the requested entity, and private-key is data known only to the
136 * server. With a nonce of this form a server would recalculate the
137 * hash portion after receiving the client authentication header and
138 * reject the request if it did not match the nonce from that header
139 * or if the time-stamp value is not recent enough. In this way the
140 * server can limit the time of the nonce's validity. The inclusion of
141 * the ETag prevents a replay request for an updated version of the
142 * resource. (Note: including the IP address of the client in the
143 * nonce would appear to offer the server the ability to limit the
144 * reuse of the nonce to the same client that originally got it.
145 * However, that would break proxy farms, where requests from a single
146 * user often go through different proxies in the farm. Also, IP
147 * address spoofing is not that hard.)
148 * ====
26ac0430 149 *
62e76326 150 * Now for my reasoning:
151 * We will not accept a unrecognised nonce->we have all recognisable
b20ce974 152 * nonces stored. If we send out unique encodings we guarantee
62e76326 153 * that a given nonce applies to only one user (barring attacks or
154 * really bad timing with expiry and creation). Using a random
155 * component in the nonce allows us to loop to find a unique nonce.
2f8abb64 156 * We use H(nonce_data) so the nonce is meaningless to the receiver.
b8639683 157 * So our nonce looks like hex(H(timestamp,randomdata))
42df4209 158 * And even if our randomness is not very random we don't really care
b8639683 159 * - the timestamp also guarantees local uniqueness in the input to
160 * the hash function.
62e76326 161 */
42df4209
AJ		 162 // NP: this will likely produce the same randomness sequences for each worker
163 // since they should all start within the 1-second resolution of seed value.
164 static std::mt19937 mt(static_cast<uint32_t>(getCurrentTime() & 0xFFFFFFFF));
8ed8fa40 165 static xuniform_int_distribution<uint32_t> newRandomData;
2d70df72 166
167 /* create a new nonce */
168 newnonce->nc = 0;
3dd52a0b 169 newnonce->flags.valid = true;
2d70df72 170 newnonce->noncedata.creationtime = current_time.tv_sec;
42df4209 171 newnonce->noncedata.randomdata = newRandomData(mt);
2d70df72 172
173 authDigestNonceEncode(newnonce);
62e76326 174
42df4209 175 // ensure temporal uniqueness by checking for existing nonce
3812fb2c 176 while (authenticateDigestNonceFindNonce((char const *) (newnonce->key))) {
62e76326 177 /* create a new nonce */
42df4209 178 newnonce->noncedata.randomdata = newRandomData(mt);
62e76326 179 authDigestNonceEncode(newnonce);
2d70df72 180 }
62e76326 181
4a8b20e8 182 hash_join(digest_nonce_cache, newnonce);
2d70df72 183 /* the cache's link */
184 authDigestNonceLink(newnonce);
3dd52a0b 185 newnonce->flags.incache = true;
a4c3b397 186 debugs(29, 5, "created nonce " << newnonce << " at " << newnonce->noncedata.creationtime);
2d70df72 187 return newnonce;
188}
189
c78aa667 190static void
2d70df72 191authenticateDigestNonceDelete(digest_nonce_h * nonce)
192{
193 if (nonce) {
62e76326 194 assert(nonce->references == 0);
2d70df72 195#if UNREACHABLECODE
62e76326 196
197 if (nonce->flags.incache)
198 hash_remove_link(digest_nonce_cache, nonce);
199
2d70df72 200#endif
62e76326 201
3dd52a0b 202 assert(!nonce->flags.incache);
62e76326 203
204 safe_free(nonce->key);
205
dc47f531 206 digest_nonce_pool->freeOne(nonce);
2d70df72 207 }
208}
209
c78aa667 210static void
c193c972 211authenticateDigestNonceSetup(void)
2d70df72 212{
213 if (!digest_nonce_pool)
04eb0689 214 digest_nonce_pool = memPoolCreate("Digest Scheme nonce's", sizeof(digest_nonce_h));
62e76326 215
2d70df72 216 if (!digest_nonce_cache) {
30abd221 217 digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
62e76326 218 assert(digest_nonce_cache);
dc79fed8 219 eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->nonceGCInterval, 1);
2d70df72 220 }
221}
222
d6374be6 223void
c193c972 224authenticateDigestNonceShutdown(void)
2d70df72 225{
62e76326 226 /*
2d70df72 227 * We empty the cache of any nonces left in there.
228 */
229 digest_nonce_h *nonce;
62e76326 230
2d70df72 231 if (digest_nonce_cache) {
a4c3b397 232 debugs(29, 2, "Shutting down nonce cache");
62e76326 233 hash_first(digest_nonce_cache);
234
235 while ((nonce = ((digest_nonce_h *) hash_next(digest_nonce_cache)))) {
236 assert(nonce->flags.incache);
237 authDigestNoncePurge(nonce);
238 }
2d70df72 239 }
62e76326 240
2f44bd34 241#if DEBUGSHUTDOWN
2d70df72 242 if (digest_nonce_pool) {
b001e822 243 delete digest_nonce_pool;
244 digest_nonce_pool = NULL;
2d70df72 245 }
62e76326 246
2f44bd34 247#endif
a4c3b397 248 debugs(29, 2, "Nonce cache shutdown");
2d70df72 249}
250
c78aa667 251static void
ced8def3 252authenticateDigestNonceCacheCleanup(void *)
2d70df72 253{
254 /*
b20ce974 255 * We walk the hash by noncehex as that is the unique key we
74830fc8 256 * use. For big hash tables we could consider stepping through
257 * the cache, 100/200 entries at a time. Lets see how it flies
258 * first.
2d70df72 259 */
260 digest_nonce_h *nonce;
a4c3b397
AJ		 261 debugs(29, 3, "Cleaning the nonce cache now");
262 debugs(29, 3, "Current time: " << current_time.tv_sec);
2d70df72 263 hash_first(digest_nonce_cache);
62e76326 264
2d70df72 265 while ((nonce = ((digest_nonce_h *) hash_next(digest_nonce_cache)))) {
a4c3b397
AJ		 266 debugs(29, 3, "nonce entry : " << nonce << " '" << (char *) nonce->key << "'");
267 debugs(29, 4, "Creation time: " << nonce->noncedata.creationtime);
62e76326 268
269 if (authDigestNonceIsStale(nonce)) {
a4c3b397 270 debugs(29, 4, "Removing nonce " << (char *) nonce->key << " from cache due to timeout.");
62e76326 271 assert(nonce->flags.incache);
272 /* invalidate nonce so future requests fail */
3dd52a0b 273 nonce->flags.valid = false;
62e76326 274 /* if it is tied to a auth_user, remove the tie */
275 authDigestNonceUserUnlink(nonce);
276 authDigestNoncePurge(nonce);
277 }
2d70df72 278 }
62e76326 279
a4c3b397 280 debugs(29, 3, "Finished cleaning the nonce cache.");
62e76326 281
dc79fed8
AJ		 282 if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->active())
283 eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->nonceGCInterval, 1);
2d70df72 284}
285
c78aa667 286static void
2d70df72 287authDigestNonceLink(digest_nonce_h * nonce)
288{
289 assert(nonce != NULL);
742a021b 290 ++nonce->references;
aba0474c 291 assert(nonce->references != 0); // no overflows
a4c3b397 292 debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
2d70df72 293}
294
928f3421 295void
2d70df72 296authDigestNonceUnlink(digest_nonce_h * nonce)
297{
298 assert(nonce != NULL);
62e76326 299
2d70df72 300 if (nonce->references > 0) {
a2f5277a 301 -- nonce->references;
2d70df72 302 } else {
a4c3b397 303 debugs(29, DBG_IMPORTANT, "Attempt to lower nonce " << nonce << " refcount below 0!");
2d70df72 304 }
62e76326 305
a4c3b397 306 debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
62e76326 307
2d70df72 308 if (nonce->references == 0)
62e76326 309 authenticateDigestNonceDelete(nonce);
2d70df72 310}
311
928f3421 312const char *
b20ce974 313authenticateDigestNonceNonceHex(const digest_nonce_h * nonce)
2d70df72 314{
315 if (!nonce)
62e76326 316 return NULL;
317
2f44bd34 318 return (char const *) nonce->key;
2d70df72 319}
320
c78aa667 321static digest_nonce_h *
b20ce974 322authenticateDigestNonceFindNonce(const char *noncehex)
2d70df72 323{
324 digest_nonce_h *nonce = NULL;
62e76326 325
b20ce974 326 if (noncehex == NULL)
62e76326 327 return NULL;
328
b20ce974 329 debugs(29, 9, "looking for noncehex '" << noncehex << "' in the nonce cache.");
62e76326 330
b20ce974 331 nonce = static_cast < digest_nonce_h * >(hash_lookup(digest_nonce_cache, noncehex));
62e76326 332
b20ce974 333 if ((nonce == NULL) || (strcmp(authenticateDigestNonceNonceHex(nonce), noncehex)))
62e76326 334 return NULL;
335
a4c3b397 336 debugs(29, 9, "Found nonce '" << nonce << "'");
62e76326 337
2d70df72 338 return nonce;
339}
340
928f3421 341int
2d70df72 342authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9])
343{
d205783b 344 unsigned long intnc;
2d70df72 345 /* do we have a nonce ? */
62e76326 346
2d70df72 347 if (!nonce)
62e76326 348 return 0;
349
d205783b 350 intnc = strtol(nc, NULL, 16);
62e76326 351
f5292c64 352 /* has it already been invalidated ? */
353 if (!nonce->flags.valid) {
a4c3b397 354 debugs(29, 4, "Nonce already invalidated");
f5292c64 355 return 0;
356 }
357
358 /* is the nonce-count ok ? */
dc79fed8 359 if (!static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->CheckNonceCount) {
572d2e31
HN		 360 /* Ignore client supplied NC */
361 intnc = nonce->nc + 1;
f5292c64 362 }
363
dc79fed8 364 if ((static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->NonceStrictness && intnc != nonce->nc + 1) ||
62e76326 365 intnc < nonce->nc + 1) {
a4c3b397 366 debugs(29, 4, "Nonce count doesn't match");
3dd52a0b 367 nonce->flags.valid = false;
62e76326 368 return 0;
2d70df72 369 }
62e76326 370
d205783b 371 /* increment the nonce count - we've already checked that intnc is a
372 * valid representation for us, so we don't need the test here.
373 */
374 nonce->nc = intnc;
62e76326 375
572d2e31 376 return !authDigestNonceIsStale(nonce);
2d70df72 377}
378
572d2e31 379int
2d70df72 380authDigestNonceIsStale(digest_nonce_h * nonce)
381{
382 /* do we have a nonce ? */
62e76326 383
2d70df72 384 if (!nonce)
62e76326 385 return -1;
386
572d2e31
HN		 387 /* Is it already invalidated? */
388 if (!nonce->flags.valid)
389 return -1;
390
2d70df72 391 /* has it's max duration expired? */
dc79fed8 392 if (nonce->noncedata.creationtime + static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxduration < current_time.tv_sec) {
a4c3b397 393 debugs(29, 4, "Nonce is too old. " <<
4a7a3d56 394 nonce->noncedata.creationtime << " " <<
dc79fed8 395 static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxduration << " " <<
4a7a3d56 396 current_time.tv_sec);
bf8fe701 397
3dd52a0b 398 nonce->flags.valid = false;
62e76326 399 return -1;
2d70df72 400 }
62e76326 401
2d70df72 402 if (nonce->nc > 99999998) {
a4c3b397 403 debugs(29, 4, "Nonce count overflow");
3dd52a0b 404 nonce->flags.valid = false;
62e76326 405 return -1;
2d70df72 406 }
62e76326 407
dc79fed8 408 if (nonce->nc > static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxuses) {
a4c3b397 409 debugs(29, 4, "Nonce count over user limit");
3dd52a0b 410 nonce->flags.valid = false;
62e76326 411 return -1;
2d70df72 412 }
62e76326 413
2d70df72 414 /* seems ok */
415 return 0;
416}
417
928f3421
AJ		 418/**
419 * \retval 0 the digest is not stale yet
420 * \retval -1 the digest will be stale on the next request
421 */
1dc746da 422int
2d70df72 423authDigestNonceLastRequest(digest_nonce_h * nonce)
424{
425 if (!nonce)
62e76326 426 return -1;
427
2d70df72 428 if (nonce->nc == 99999997) {
a4c3b397 429 debugs(29, 4, "Nonce count about to overflow");
62e76326 430 return -1;
2d70df72 431 }
62e76326 432
dc79fed8 433 if (nonce->nc >= static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxuses - 1) {
a4c3b397 434 debugs(29, 4, "Nonce count about to hit user limit");
62e76326 435 return -1;
2d70df72 436 }
62e76326 437
2d70df72 438 /* and other tests are possible. */
439 return 0;
440}
441
aa110616 442void
2d70df72 443authDigestNoncePurge(digest_nonce_h * nonce)
444{
445 if (!nonce)
62e76326 446 return;
447
2d70df72 448 if (!nonce->flags.incache)
62e76326 449 return;
450
4a8b20e8 451 hash_remove_link(digest_nonce_cache, nonce);
62e76326 452
3dd52a0b 453 nonce->flags.incache = false;
62e76326 454
2d70df72 455 /* the cache's link */
456 authDigestNonceUnlink(nonce);
457}
458
0bcb6908 459void
372fccd6 460Auth::Digest::Config::rotateHelpers()
0bcb6908
AJ		 461{
462 /* schedule closure of existing helpers */
463 if (digestauthenticators) {
464 helperShutdown(digestauthenticators);
465 }
466
467 /* NP: dynamic helper restart will ensure they start up again as needed. */
468}
469
3616c90c 470bool
dc79fed8 471Auth::Digest::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
2d70df72 472{
dc79fed8 473 if (!Auth::SchemeConfig::dump(entry, name, scheme))
3616c90c 474 return false;
62e76326 475
3616c90c 476 storeAppendPrintf(entry, "%s %s nonce_max_count %d\n%s %s nonce_max_duration %d seconds\n%s %s nonce_garbage_interval %d seconds\n",
f5691f9c 477 name, "digest", noncemaxuses,
478 name, "digest", (int) noncemaxduration,
479 name, "digest", (int) nonceGCInterval);
3616c90c 480 return true;
2d70df72 481}
482
f5691f9c 483bool
372fccd6 484Auth::Digest::Config::active() const
2d70df72 485{
f5691f9c 486 return authdigest_initialised == 1;
2d70df72 487}
62e76326 488
f5691f9c 489bool
372fccd6 490Auth::Digest::Config::configured() const
2d70df72 491{
58ee2093 492 if ((authenticateProgram != NULL) &&
48d54e4d 493 (authenticateChildren.n_max != 0) &&
ec980001 494 !realm.isEmpty() && (noncemaxduration > -1))
f5691f9c 495 return true;
62e76326 496
f5691f9c 497 return false;
2d70df72 498}
499
2d70df72 500/* add the [www-|Proxy-]authenticate header on a 407 or 401 reply */
501void
789217a2 502Auth::Digest::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
2d70df72 503{
58ee2093 504 if (!authenticateProgram)
82b045dc 505 return;
506
572d2e31
HN		 507 bool stale = false;
508 digest_nonce_h *nonce = NULL;
62e76326 509
572d2e31 510 /* on a 407 or 401 we always use a new nonce */
a33a428a 511 if (auth_user_request != NULL) {
572d2e31 512 Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
62e76326 513
572d2e31
HN		 514 if (digest_user) {
515 stale = digest_user->credentials() == Auth::Handshake;
516 if (stale) {
517 nonce = digest_user->currentNonce();
518 }
519 }
520 }
521 if (!nonce) {
522 nonce = authenticateDigestNonceNew();
2d70df72 523 }
82b045dc 524
a4c3b397 525 debugs(29, 9, "Sending type:" << hdrType <<
ec980001 526 " header: 'Digest realm=\"" << realm << "\", nonce=\"" <<
b20ce974 527 authenticateDigestNonceNonceHex(nonce) << "\", qop=\"" << QOP_AUTH <<
bf8fe701 528 "\", stale=" << (stale ? "true" : "false"));
82b045dc 529
530 /* in the future, for WWW auth we may want to support the domain entry */
ec980001 531 httpHeaderPutStrf(&rep->header, hdrType, "Digest realm=\"" SQUIDSBUFPH "\", nonce=\"%s\", qop=\"%s\", stale=%s",
b20ce974 532 SQUIDSBUFPRINT(realm), authenticateDigestNonceNonceHex(nonce), QOP_AUTH, stale ? "true" : "false");
2d70df72 533}
534
2d70df72 535/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
536 * config file */
f5691f9c 537void
dc79fed8 538Auth::Digest::Config::init(Auth::SchemeConfig *)
2d70df72 539{
58ee2093 540 if (authenticateProgram) {
62e76326 541 authenticateDigestNonceSetup();
542 authdigest_initialised = 1;
543
544 if (digestauthenticators == NULL)
48d54e4d 545 digestauthenticators = new helper("digestauthenticator");
62e76326 546
58ee2093 547 digestauthenticators->cmdline = authenticateProgram;
62e76326 548
1af735c7 549 digestauthenticators->childs.updateLimits(authenticateChildren);
62e76326 550
551 digestauthenticators->ipc_type = IPC_STREAM;
552
553 helperOpenServers(digestauthenticators);
2d70df72 554 }
555}
556
62ee09ca 557void
372fccd6 558Auth::Digest::Config::registerWithCacheManager(void)
62ee09ca 559{
8822ebee 560 Mgr::RegisterAction("digestauthenticator",
d9fc6862
A		 561 "Digest User Authenticator Stats",
562 authenticateDigestStats, 0, 1);
62ee09ca 563}
2d70df72 564
565/* free any allocated configuration details */
566void
372fccd6 567Auth::Digest::Config::done()
2d70df72 568{
dc79fed8 569 Auth::SchemeConfig::done();
d4806c91 570
d6374be6
AJ		 571 authdigest_initialised = 0;
572
573 if (digestauthenticators)
574 helperShutdown(digestauthenticators);
575
d6374be6
AJ		 576 if (!shutting_down)
577 return;
578
579 delete digestauthenticators;
580 digestauthenticators = NULL;
581
58ee2093
AJ		 582 if (authenticateProgram)
583 wordlistDestroy(&authenticateProgram);
f5691f9c 584}
62e76326 585
d13b829b 586Auth::Digest::Config::Config() :
f53969cc
SM		 587 nonceGCInterval(5*60),
588 noncemaxduration(30*60),
589 noncemaxuses(50),
590 NonceStrictness(0),
591 CheckNonceCount(1),
b2b09838 592 PostWorkaround(0)
d13b829b 593{}
2d70df72 594
f5691f9c 595void
dc79fed8 596Auth::Digest::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
2d70df72 597{
97838141 598 if (strcmp(param_str, "nonce_garbage_interval") == 0) {
f5691f9c 599 parse_time_t(&nonceGCInterval);
a37d6070 600 } else if (strcmp(param_str, "nonce_max_duration") == 0) {
f5691f9c 601 parse_time_t(&noncemaxduration);
a37d6070 602 } else if (strcmp(param_str, "nonce_max_count") == 0) {
f5691f9c 603 parse_int((int *) &noncemaxuses);
a37d6070 604 } else if (strcmp(param_str, "nonce_strictness") == 0) {
f5691f9c 605 parse_onoff(&NonceStrictness);
a37d6070 606 } else if (strcmp(param_str, "check_nonce_count") == 0) {
f5691f9c 607 parse_onoff(&CheckNonceCount);
a37d6070 608 } else if (strcmp(param_str, "post_workaround") == 0) {
f5691f9c 609 parse_onoff(&PostWorkaround);
d4806c91 610 } else
dc79fed8 611 Auth::SchemeConfig::parse(scheme, n_configured, param_str);
2d70df72 612}
613
f5691f9c 614const char *
372fccd6 615Auth::Digest::Config::type() const
f5691f9c 616{
d6374be6 617 return Auth::Digest::Scheme::GetInstance()->type();
f5691f9c 618}
619
2d70df72 620static void
621authenticateDigestStats(StoreEntry * sentry)
622{
bf3e8d5a
AJ		 623 if (digestauthenticators)
624 digestauthenticators->packStatsInto(sentry, "Digest Authenticator Statistics");
2d70df72 625}
626
627/* NonceUserUnlink: remove the reference to auth_user and unlink the node from the list */
628
c78aa667 629static void
2d70df72 630authDigestNonceUserUnlink(digest_nonce_h * nonce)
631{
aa110616 632 Auth::Digest::User *digest_user;
2d70df72 633 dlink_node *link, *tmplink;
62e76326 634
2d70df72 635 if (!nonce)
62e76326 636 return;
637
f5691f9c 638 if (!nonce->user)
62e76326 639 return;
640
f5691f9c 641 digest_user = nonce->user;
62e76326 642
643 /* unlink from the user list. Yes we're crossing structures but this is the only
2d70df72 644 * time this code is needed
645 */
646 link = digest_user->nonces.head;
62e76326 647
2d70df72 648 while (link) {
62e76326 649 tmplink = link;
650 link = link->next;
651
652 if (tmplink->data == nonce) {
653 dlinkDelete(tmplink, &digest_user->nonces);
654 authDigestNonceUnlink(static_cast < digest_nonce_h * >(tmplink->data));
195b97bf 655 delete tmplink;
62e76326 656 link = NULL;
657 }
2d70df72 658 }
62e76326 659
f5691f9c 660 /* this reference to user was not locked because freeeing the user frees
26ac0430 661 * the nonce too.
2d70df72 662 */
f5691f9c 663 nonce->user = NULL;
2d70df72 664}
665
572d2e31
HN		 666/* authDigesteserLinkNonce: add a nonce to a given user's struct */
667void
aa110616 668authDigestUserLinkNonce(Auth::Digest::User * user, digest_nonce_h * nonce)
2d70df72 669{
670 dlink_node *node;
62e76326 671
d8d76b36 672 if (!user || !nonce || !nonce->user)
62e76326 673 return;
674
aa110616 675 Auth::Digest::User *digest_user = user;
62e76326 676
2d70df72 677 node = digest_user->nonces.head;
62e76326 678
2d70df72 679 while (node && (node->data != nonce))
62e76326 680 node = node->next;
681
2d70df72 682 if (node)
62e76326 683 return;
684
195b97bf 685 node = new dlink_node;
62e76326 686
2d70df72 687 dlinkAddTail(nonce, node, &digest_user->nonces);
62e76326 688
2d70df72 689 authDigestNonceLink(nonce);
62e76326 690
2d70df72 691 /* ping this nonce to this auth user */
4e9d4067 692 assert((nonce->user == NULL) || (nonce->user == user));
62e76326 693
f5691f9c 694 /* we don't lock this reference because removing the user removes the
2d70df72 695 * hash too. Of course if that changes we're stuffed so read the code huh?
696 */
f5691f9c 697 nonce->user = user;
2d70df72 698}
699
700/* setup the necessary info to log the username */
c7baff40 701static Auth::UserRequest::Pointer
d4806c91 702authDigestLogUsername(char *username, Auth::UserRequest::Pointer auth_user_request, const char *requestRealm)
2d70df72 703{
f5691f9c 704 assert(auth_user_request != NULL);
2d70df72 705
706 /* log the username */
1032a194 707 debugs(29, 9, "Creating new user for logging '" << (username?username:"[no username]") << "'");
dc79fed8 708 Auth::User::Pointer digest_user = new Auth::Digest::User(static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest")), requestRealm);
2d70df72 709 /* save the credentials */
f5691f9c 710 digest_user->username(username);
2d70df72 711 /* set the auth_user type */
616cfc4c 712 digest_user->auth_type = Auth::AUTH_BROKEN;
2d70df72 713 /* link the request to the user */
f5691f9c 714 auth_user_request->user(digest_user);
f5691f9c 715 return auth_user_request;
2d70df72 716}
717
718/*
719 * Decode a Digest [Proxy-]Auth string, placing the results in the passed
720 * Auth_user structure.
721 */
c7baff40 722Auth::UserRequest::Pointer
7e851a3e 723Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request, const char *aRequestRealm)
2d70df72 724{
2d70df72 725 const char *item;
726 const char *p;
727 const char *pos = NULL;
728 char *username = NULL;
729 digest_nonce_h *nonce;
730 int ilen;
2d70df72 731
a4c3b397 732 debugs(29, 9, "beginning");
2d70df72 733
c7baff40 734 Auth::Digest::UserRequest *digest_request = new Auth::Digest::UserRequest();
2d70df72 735
736 /* trim DIGEST from string */
62e76326 737
ba53f4b8 738 while (xisgraph(*proxy_auth))
742a021b 739 ++proxy_auth;
2d70df72 740
741 /* Trim leading whitespace before decoding */
742 while (xisspace(*proxy_auth))
742a021b 743 ++proxy_auth;
2d70df72 744
30abd221 745 String temp(proxy_auth);
62e76326 746
2d70df72 747 while (strListGetItem(&temp, ',', &item, &ilen, &pos)) {
df604ac0 748 /* isolate directive name & value */
6d97f5f1 749 size_t nlen;
a0133f10 750 size_t vlen;
6d97f5f1 751 if ((p = (const char *)memchr(item, '=', ilen)) && (p - item < ilen)) {
f207fe64
FC		 752 nlen = p - item;
753 ++p;
a0133f10 754 vlen = ilen - (p - item);
df604ac0 755 } else {
6d97f5f1 756 nlen = ilen;
a0133f10
A		 757 vlen = 0;
758 }
9abd1514 759
f2853dd9 760 SBuf keyName(item, nlen);
df604ac0 761 String value;
6a90c2d1 762
a0133f10 763 if (vlen > 0) {
6a90c2d1
AJ		 764 // see RFC 2617 section 3.2.1 and 3.2.2 for details on the BNF
765
f2853dd9 766 if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
6a90c2d1
AJ		 767 // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
768 // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
fb73497a 769 if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
2fe0439c 770 value.assign(p+1, vlen-2);
6a90c2d1 771 }
f2853dd9 772 } else if (keyName == SBuf("qop",3)) {
6a90c2d1
AJ		 773 // qop is more special.
774 // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
775 // On response this is a single un-quoted token.
fb73497a 776 if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
2fe0439c 777 value.assign(p+1, vlen-2);
6a90c2d1 778 } else {
2fe0439c 779 value.assign(p, vlen);
6a90c2d1
AJ		 780 }
781 } else if (*p == '"') {
34460e19 782 if (!httpHeaderParseQuotedString(p, vlen, &value)) {
a4c3b397 783 debugs(29, 9, "Failed to parse attribute '" << item << "' in '" << temp << "'");
a0133f10
A		 784 continue;
785 }
786 } else {
2fe0439c 787 value.assign(p, vlen);
a0133f10
A		 788 }
789 } else {
a4c3b397 790 debugs(29, 9, "Failed to parse attribute '" << item << "' in '" << temp << "'");
6d97f5f1
A		 791 continue;
792 }
9abd1514 793
6d97f5f1 794 /* find type */
f5ef79c0 795 const http_digest_attr_type t = DigestFieldsLookupTable.lookup(keyName);
9abd1514 796
9dca980d 797 switch (t) {
6d97f5f1 798 case DIGEST_USERNAME:
bbe0ed86 799 safe_free(username);
7e851a3e
SK		 800 if (value.size() != 0) {
801 const auto v = value.termedBuf();
802 if (utf8 && !isValidUtf8String(v, v + value.size())) {
803 auto str = isCP1251EncodingAllowed(request) ? Cp1251ToUtf8(v) : Latin1ToUtf8(v);
804 value = SBufToString(str);
805 }
98b0d0a4 806 username = xstrndup(value.rawBuf(), value.size() + 1);
7e851a3e 807 }
a4c3b397 808 debugs(29, 9, "Found Username '" << username << "'");
6d97f5f1 809 break;
62e76326 810
6d97f5f1 811 case DIGEST_REALM:
bbe0ed86 812 safe_free(digest_request->realm);
98b0d0a4
FB		 813 if (value.size() != 0)
814 digest_request->realm = xstrndup(value.rawBuf(), value.size() + 1);
a4c3b397 815 debugs(29, 9, "Found realm '" << digest_request->realm << "'");
6d97f5f1 816 break;
62e76326 817
6d97f5f1 818 case DIGEST_QOP:
bbe0ed86 819 safe_free(digest_request->qop);
98b0d0a4
FB		 820 if (value.size() != 0)
821 digest_request->qop = xstrndup(value.rawBuf(), value.size() + 1);
a4c3b397 822 debugs(29, 9, "Found qop '" << digest_request->qop << "'");
6d97f5f1 823 break;
62e76326 824
6d97f5f1 825 case DIGEST_ALGORITHM:
bbe0ed86 826 safe_free(digest_request->algorithm);
98b0d0a4
FB		 827 if (value.size() != 0)
828 digest_request->algorithm = xstrndup(value.rawBuf(), value.size() + 1);
a4c3b397 829 debugs(29, 9, "Found algorithm '" << digest_request->algorithm << "'");
6d97f5f1 830 break;
62e76326 831
6d97f5f1 832 case DIGEST_URI:
bbe0ed86 833 safe_free(digest_request->uri);
98b0d0a4
FB		 834 if (value.size() != 0)
835 digest_request->uri = xstrndup(value.rawBuf(), value.size() + 1);
a4c3b397 836 debugs(29, 9, "Found uri '" << digest_request->uri << "'");
6d97f5f1 837 break;
62e76326 838
6d97f5f1 839 case DIGEST_NONCE:
b20ce974 840 safe_free(digest_request->noncehex);
98b0d0a4 841 if (value.size() != 0)
b20ce974 842 digest_request->noncehex = xstrndup(value.rawBuf(), value.size() + 1);
843 debugs(29, 9, "Found nonce '" << digest_request->noncehex << "'");
6d97f5f1 844 break;
62e76326 845
6d97f5f1
A		 846 case DIGEST_NC:
847 if (value.size() != 8) {
a4c3b397 848 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
6d97f5f1 849 }
9abd1514 850 xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
a4c3b397 851 debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
6d97f5f1 852 break;
62e76326 853
6d97f5f1 854 case DIGEST_CNONCE:
bbe0ed86 855 safe_free(digest_request->cnonce);
98b0d0a4
FB		 856 if (value.size() != 0)
857 digest_request->cnonce = xstrndup(value.rawBuf(), value.size() + 1);
a4c3b397 858 debugs(29, 9, "Found cnonce '" << digest_request->cnonce << "'");
6d97f5f1 859 break;
62e76326 860
6d97f5f1 861 case DIGEST_RESPONSE:
bbe0ed86 862 safe_free(digest_request->response);
98b0d0a4
FB		 863 if (value.size() != 0)
864 digest_request->response = xstrndup(value.rawBuf(), value.size() + 1);
a4c3b397 865 debugs(29, 9, "Found response '" << digest_request->response << "'");
6d97f5f1 866 break;
9abd1514 867
6d97f5f1 868 default:
a4c3b397 869 debugs(29, 3, "Unknown attribute '" << item << "' in '" << temp << "'");
0e134176 870 break;
62e76326 871 }
2d70df72 872 }
62e76326 873
30abd221 874 temp.clean();
2d70df72 875
2d70df72 876 /* now we validate the data given to us */
877
74830fc8 878 /*
879 * TODO: on invalid parameters we should return 400, not 407.
880 * Find some clean way of doing this. perhaps return a valid
881 * struct, and set the direction to clientwards combined with
882 * a change to the clientwards handling code (ie let the
883 * clientwards call set the error type (but limited to known
884 * correct values - 400/401/407
885 */
2d70df72 886
59a98343 887 /* 2069 requirements */
62e76326 888
1aca58c0
FC		 889 // return value.
890 Auth::UserRequest::Pointer rv;
59a98343
HN		 891 /* do we have a username ? */
892 if (!username || username[0] == '\0') {
1aca58c0 893 debugs(29, 2, "Empty or not present username");
d4806c91 894 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 895 safe_free(username);
896 return rv;
2d70df72 897 }
62e76326 898
920d1c9d
HN		 899 /* Sanity check of the username.
900 * " can not be allowed in usernames until * the digest helper protocol
901 * have been redone
902 */
903 if (strchr(username, '"')) {
1aca58c0 904 debugs(29, 2, "Unacceptable username '" << username << "'");
d4806c91 905 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 906 safe_free(username);
907 return rv;
2d70df72 908 }
62e76326 909
59a98343
HN		 910 /* do we have a realm ? */
911 if (!digest_request->realm || digest_request->realm[0] == '\0') {
1aca58c0 912 debugs(29, 2, "Empty or not present realm");
d4806c91 913 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 914 safe_free(username);
915 return rv;
2d70df72 916 }
62e76326 917
59a98343 918 /* and a nonce? */
b20ce974 919 if (!digest_request->noncehex || digest_request->noncehex[0] == '\0') {
1aca58c0 920 debugs(29, 2, "Empty or not present nonce");
d4806c91 921 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 922 safe_free(username);
923 return rv;
2d70df72 924 }
62e76326 925
74830fc8 926 /* we can't check the URI just yet. We'll check it in the
6649f955 927 * authenticate phase, but needs to be given */
59a98343 928 if (!digest_request->uri || digest_request->uri[0] == '\0') {
1aca58c0 929 debugs(29, 2, "Missing URI field");
d4806c91 930 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 931 safe_free(username);
932 return rv;
6649f955 933 }
2d70df72 934
935 /* is the response the correct length? */
2d70df72 936 if (!digest_request->response || strlen(digest_request->response) != 32) {
1aca58c0 937 debugs(29, 2, "Response length invalid");
d4806c91 938 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 939 safe_free(username);
940 return rv;
2d70df72 941 }
62e76326 942
59a98343
HN		 943 /* check the algorithm is present and supported */
944 if (!digest_request->algorithm)
945 digest_request->algorithm = xstrndup("MD5", 4);
946 else if (strcmp(digest_request->algorithm, "MD5")
947 && strcmp(digest_request->algorithm, "MD5-sess")) {
1aca58c0 948 debugs(29, 2, "invalid algorithm specified!");
d4806c91 949 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 950 safe_free(username);
951 return rv;
2d70df72 952 }
62e76326 953
59a98343
HN		 954 /* 2617 requirements, indicated by qop */
955 if (digest_request->qop) {
956
6d97f5f1
A		 957 /* check the qop is what we expected. */
958 if (strcmp(digest_request->qop, QOP_AUTH) != 0) {
959 /* we received a qop option we didn't send */
1aca58c0 960 debugs(29, 2, "Invalid qop option received");
d4806c91 961 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 962 safe_free(username);
963 return rv;
6d97f5f1
A		 964 }
965
966 /* check cnonce */
967 if (!digest_request->cnonce || digest_request->cnonce[0] == '\0') {
1aca58c0 968 debugs(29, 2, "Missing cnonce field");
d4806c91 969 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 970 safe_free(username);
971 return rv;
6d97f5f1
A		 972 }
973
974 /* check nc */
975 if (strlen(digest_request->nc) != 8 || strspn(digest_request->nc, "0123456789abcdefABCDEF") != 8) {
1aca58c0 976 debugs(29, 2, "invalid nonce count");
d4806c91 977 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 978 safe_free(username);
979 return rv;
6d97f5f1 980 }
59a98343 981 } else {
6d97f5f1 982 /* cnonce and nc both require qop */
7830d88a 983 if (digest_request->cnonce || digest_request->nc[0] != '\0') {
1aca58c0 984 debugs(29, 2, "missing qop!");
d4806c91 985 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 986 safe_free(username);
987 return rv;
6d97f5f1 988 }
2d70df72 989 }
62e76326 990
59a98343
HN		 991 /** below nonce state dependent **/
992
993 /* now the nonce */
b20ce974 994 nonce = authenticateDigestNonceFindNonce(digest_request->noncehex);
572d2e31
HN		 995 /* check that we're not being hacked / the username hasn't changed */
996 if (nonce && nonce->user && strcmp(username, nonce->user->username())) {
997 debugs(29, 2, "Username for the nonce does not equal the username for the request");
998 nonce = NULL;
999 }
6b634dc3 1000
59a98343
HN		 1001 if (!nonce) {
1002 /* we couldn't find a matching nonce! */
572d2e31
HN		 1003 debugs(29, 2, "Unexpected or invalid nonce received from " << username);
1004 Auth::UserRequest::Pointer auth_request = authDigestLogUsername(username, digest_request, aRequestRealm);
1005 auth_request->user()->credentials(Auth::Handshake);
1aca58c0 1006 safe_free(username);
572d2e31 1007 return auth_request;
2d70df72 1008 }
62e76326 1009
59a98343
HN		 1010 digest_request->nonce = nonce;
1011 authDigestNonceLink(nonce);
1012
1013 /* check that we're not being hacked / the username hasn't changed */
1014 if (nonce->user && strcmp(username, nonce->user->username())) {
1aca58c0 1015 debugs(29, 2, "Username for the nonce does not equal the username for the request");
d4806c91 1016 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
1aca58c0
FC		 1017 safe_free(username);
1018 return rv;
2d70df72 1019 }
62e76326 1020
2d70df72 1021 /* the method we'll check at the authenticate step as well */
1022
2f8abb64 1023 /* we don't send or parse opaques. Ok so we're flexible ... */
2d70df72 1024
1025 /* find the user */
aa110616 1026 Auth::Digest::User *digest_user;
f5691f9c 1027
d87154ee 1028 Auth::User::Pointer auth_user;
2d70df72 1029
d4806c91 1030 SBuf key = Auth::User::BuildUserKey(username, aRequestRealm);
0593bae5 1031 if (key.isEmpty() || !(auth_user = Auth::Digest::User::Cache()->lookup(key))) {
62e76326 1032 /* the user doesn't exist in the username cache yet */
a4c3b397 1033 debugs(29, 9, "Creating new digest user '" << username << "'");
d4806c91 1034 digest_user = new Auth::Digest::User(this, aRequestRealm);
f5691f9c 1035 /* auth_user is a parent */
1036 auth_user = digest_user;
62e76326 1037 /* save the username */
f5691f9c 1038 digest_user->username(username);
62e76326 1039 /* set the user type */
616cfc4c 1040 digest_user->auth_type = Auth::AUTH_DIGEST;
62e76326 1041 /* this auth_user struct is the one to get added to the
1042 * username cache */
1043 /* store user in hash's */
f5691f9c 1044 digest_user->addToNameCache();
df80d445 1045
62e76326 1046 /*
1047 * Add the digest to the user so we can tell if a hacking
1048 * or spoofing attack is taking place. We do this by assuming
1049 * the user agent won't change user name without warning.
1050 */
f5691f9c 1051 authDigestUserLinkNonce(digest_user, nonce);
65cbd5a7
GD		 1052
1053 /* auth_user is now linked, we reset these values
1054 * after external auth occurs anyway */
1055 auth_user->expiretime = current_time.tv_sec;
2d70df72 1056 } else {
a4c3b397 1057 debugs(29, 9, "Found user '" << username << "' in the user cache as '" << auth_user << "'");
aa110616 1058 digest_user = static_cast<Auth::Digest::User *>(auth_user.getRaw());
156c3aae 1059 digest_user->credentials(Auth::Unchecked);
62e76326 1060 xfree(username);
2d70df72 1061 }
62e76326 1062
2d70df72 1063 /*link the request and the user */
f5691f9c 1064 assert(digest_request != NULL);
82b045dc 1065
f5691f9c 1066 digest_request->user(digest_user);
a4c3b397 1067 debugs(29, 9, "username = '" << digest_user->username() << "'\nrealm = '" <<
bf8fe701 1068 digest_request->realm << "'\nqop = '" << digest_request->qop <<
1069 "'\nalgorithm = '" << digest_request->algorithm << "'\nuri = '" <<
b20ce974 1070 digest_request->uri << "'\nnonce = '" << digest_request->noncehex <<
bf8fe701 1071 "'\nnc = '" << digest_request->nc << "'\ncnonce = '" <<
1072 digest_request->cnonce << "'\nresponse = '" <<
1073 digest_request->response << "'\ndigestnonce = '" << nonce << "'");
2d70df72 1074
f5691f9c 1075 return digest_request;
2d70df72 1076}
f53969cc 1077
Mirror of https://github.com/squid-cache/squid.git