[thirdparty/squid.git] / src / auth / digest / UserRequest.cc

/*
 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "AccessLogEntry.h"
#include "auth/digest/Config.h"
#include "auth/digest/User.h"
#include "auth/digest/UserRequest.h"
#include "auth/State.h"
#include "charset.h"
#include "format/Format.h"
#include "helper.h"
#include "helper/Reply.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "MemBuf.h"
#include "SquidTime.h"

Auth::Digest::UserRequest::UserRequest() :
    nonceb64(NULL),
    cnonce(NULL),
    realm(NULL),
    pszPass(NULL),
    algorithm(NULL),
    pszMethod(NULL),
    qop(NULL),
    uri(NULL),
    response(NULL),
    nonce(NULL)
{
    memset(nc, 0, sizeof(nc));
    memset(&flags, 0, sizeof(flags));
}

/**
 * Delete the digest request structure.
 * Does NOT delete related AuthUser structures
 */
Auth::Digest::UserRequest::~UserRequest()
{
    assert(LockCount()==0);

    safe_free(nonceb64);
    safe_free(cnonce);
    safe_free(realm);
    safe_free(pszPass);
    safe_free(algorithm);
    safe_free(pszMethod);
    safe_free(qop);
    safe_free(uri);
    safe_free(response);

    if (nonce)
        authDigestNonceUnlink(nonce);
}

int
Auth::Digest::UserRequest::authenticated() const
{
    if (user() != NULL && user()->credentials() == Auth::Ok)
        return 1;

    return 0;
}

const char *
Auth::Digest::UserRequest::credentialsStr()
{
    return realm;
}

/** log a digest user in
 */
void
Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData *, Http::HdrType)
{
    HASHHEX SESSIONKEY;
    HASHHEX HA2 = "";
    HASHHEX Response;

    /* if the check has corrupted the user, just return */
    if (user() == NULL || user()->credentials() == Auth::Failed) {
        return;
    }

    Auth::User::Pointer auth_user = user();

    Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User*>(auth_user.getRaw());
    assert(digest_user != NULL);

    Auth::Digest::UserRequest *digest_request = this;

    /* do we have the HA1 */
    if (!digest_user->HA1created) {
        auth_user->credentials(Auth::Pending);
        return;
    }

    if (digest_request->nonce == NULL) {
        /* this isn't a nonce we issued */
        auth_user->credentials(Auth::Failed);
        return;
    }

    DigestCalcHA1(digest_request->algorithm, NULL, NULL, NULL,
                  authenticateDigestNonceNonceb64(digest_request->nonce),
                  digest_request->cnonce,
                  digest_user->HA1, SESSIONKEY);
    SBuf sTmp = request->method.image();
    DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
                       digest_request->nc, digest_request->cnonce, digest_request->qop,
                       sTmp.c_str(), digest_request->uri, HA2, Response);

    debugs(29, 9, "\nResponse = '" << digest_request->response << "'\nsquid is = '" << Response << "'");

    if (strcasecmp(digest_request->response, Response) != 0) {
        if (!digest_request->flags.helper_queried) {
            /* Query the helper in case the password has changed */
            digest_request->flags.helper_queried = true;
            auth_user->credentials(Auth::Pending);
            return;
        }

        if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->PostWorkaround && request->method != Http::METHOD_GET) {
            /* Ugly workaround for certain very broken browsers using the
             * wrong method to calculate the request-digest on POST request.
             * This should be deleted once Digest authentication becomes more
             * widespread and such broken browsers no longer are commonly
             * used.
             */
            sTmp = HttpRequestMethod(Http::METHOD_GET).image();
            DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
                               digest_request->nc, digest_request->cnonce, digest_request->qop,
                               sTmp.c_str(), digest_request->uri, HA2, Response);

            if (strcasecmp(digest_request->response, Response)) {
                auth_user->credentials(Auth::Failed);
                digest_request->flags.invalid_password = true;
                digest_request->setDenyMessage("Incorrect password");
                return;
            } else {
                const char *useragent = request->header.getStr(Http::HdrType::USER_AGENT);

                static Ip::Address last_broken_addr;
                static int seen_broken_client = 0;

                if (!seen_broken_client) {
                    last_broken_addr.setNoAddr();
                    seen_broken_client = 1;
                }

                if (last_broken_addr != request->client_addr) {
                    debugs(29, DBG_IMPORTANT, "Digest POST bug detected from " <<
                           request->client_addr << " using '" <<
                           (useragent ? useragent : "-") <<
                           "'. Please upgrade browser. See Bug #630 for details.");

                    last_broken_addr = request->client_addr;
                }
            }
        } else {
            auth_user->credentials(Auth::Failed);
            digest_request->flags.invalid_password = true;
            digest_request->setDenyMessage("Incorrect password");
            return;
        }
    }

    /* check for stale nonce */
    /* check Auth::Pending to avoid loop */

    if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
        debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
        /* Pending prevent banner and makes a ldap control */
        auth_user->credentials(Auth::Pending);
        nonce->flags.valid = false;
        authDigestNoncePurge(nonce);
        return;
    }

    auth_user->credentials(Auth::Ok);

    /* password was checked and did match */
    debugs(29, 4, "user '" << auth_user->username() << "' validated OK");
}

Auth::Direction
Auth::Digest::UserRequest::module_direction()
{
    if (user()->auth_type != Auth::AUTH_DIGEST)
        return Auth::CRED_ERROR;

    switch (user()->credentials()) {

    case Auth::Ok:
        return Auth::CRED_VALID;

    case Auth::Handshake:
    case Auth::Failed:
        /* send new challenge */
        return Auth::CRED_CHALLENGE;

    case Auth::Unchecked:
    case Auth::Pending:
        return Auth::CRED_LOOKUP;

    default:
        return Auth::CRED_ERROR;
    }
}

void
Auth::Digest::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
{
    Http::HdrType type;

    /* don't add to authentication error pages */
    if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
            || (accel && rep->sline.status() == Http::scUnauthorized))
        return;

    type = accel ? Http::HdrType::AUTHENTICATION_INFO : Http::HdrType::PROXY_AUTHENTICATION_INFO;

#if WAITING_FOR_TE
    /* test for http/1.1 transfer chunked encoding */
    if (chunkedtest)
        return;
#endif

    if ((static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
        flags.authinfo_sent = true;
        Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(user().getRaw());
        if (!digest_user)
            return;

        digest_nonce_h *nextnonce = digest_user->currentNonce();
        if (!nextnonce || authDigestNonceLastRequest(nonce)) {
            nextnonce = authenticateDigestNonceNew();
            authDigestUserLinkNonce(digest_user, nextnonce);
        }
        debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nextnonce) << "\"");
        httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nextnonce));
    }
}

#if WAITING_FOR_TE
void
Auth::Digest::UserRequest::addAuthenticationInfoTrailer(HttpReply * rep, int accel)
{
    int type;

    if (!auth_user_request)
        return;

    /* has the header already been send? */
    if (flags.authinfo_sent)
        return;

    /* don't add to authentication error pages */
    if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
            || (accel && rep->sline.status() == Http::scUnauthorized))
        return;

    type = accel ? Http::HdrType::AUTHENTICATION_INFO : Http::HdrType::PROXY_AUTHENTICATION_INFO;

    if ((static_cast<Auth::Digest::Config*>(digestScheme::GetInstance()->getConfig())->authenticate) && authDigestNonceLastRequest(nonce)) {
        Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
        nonce = digest_user->currentNonce();
        if (!nonce) {
            nonce = authenticateDigestNonceNew();
            authDigestUserLinkNonce(digest_user, nonce);
        }
        debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
        httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
    }
}
#endif

/* send the initial data to a digest authenticator module */
void
Auth::Digest::UserRequest::startHelperLookup(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
{
    char buf[8192];

    assert(user() != NULL && user()->auth_type == Auth::AUTH_DIGEST);
    debugs(29, 9, HERE << "'\"" << user()->username() << "\":\"" << realm << "\"'");

    if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->authenticateProgram == NULL) {
        debugs(29, DBG_CRITICAL, "ERROR: No Digest authentication program configured.");
        handler(data);
        return;
    }

    const char *keyExtras = helperRequestKeyExtras(request, al);
    if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->utf8) {
        char userstr[1024];
        latin1_to_utf8(userstr, sizeof(userstr), user()->username());
        if (keyExtras)
            snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", userstr, realm, keyExtras);
        else
            snprintf(buf, 8192, "\"%s\":\"%s\"\n", userstr, realm);
    } else {
        if (keyExtras)
            snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", user()->username(), realm, keyExtras);
        else
            snprintf(buf, 8192, "\"%s\":\"%s\"\n", user()->username(), realm);
    }

    helperSubmit(digestauthenticators, buf, Auth::Digest::UserRequest::HandleReply,
                 new Auth::StateData(this, handler, data));
}

void
Auth::Digest::UserRequest::HandleReply(void *data, const Helper::Reply &reply)
{
    Auth::StateData *replyData = static_cast<Auth::StateData *>(data);
    debugs(29, 9, HERE << "reply=" << reply);

    assert(replyData->auth_user_request != NULL);
    Auth::UserRequest::Pointer auth_user_request = replyData->auth_user_request;

    // add new helper kv-pair notes to the credentials object
    // so that any transaction using those credentials can access them
    auth_user_request->user()->notes.appendNewOnly(&reply.notes);
    // remove any private credentials detail which got added.
    auth_user_request->user()->notes.remove("ha1");

    static bool oldHelperWarningDone = false;
    switch (reply.result) {
    case Helper::Unknown: {
        // Squid 3.3 and older the digest helper only returns a HA1 hash (no "OK")
        // the HA1 will be found in content() for these responses.
        if (!oldHelperWarningDone) {
            debugs(29, DBG_IMPORTANT, "WARNING: Digest auth helper returned old format HA1 response. It needs to be upgraded.");
            oldHelperWarningDone=true;
        }

        /* allow this because the digest_request pointer is purely local */
        Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
        assert(digest_user != NULL);

        CvtBin(reply.other().content(), digest_user->HA1);
        digest_user->HA1created = 1;
    }
    break;

    case Helper::Okay: {
        /* allow this because the digest_request pointer is purely local */
        Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
        assert(digest_user != NULL);

        if (const char *ha1Note = reply.notes.findFirst("ha1")) {
            CvtBin(ha1Note, digest_user->HA1);
            digest_user->HA1created = 1;
        } else {
            debugs(29, DBG_IMPORTANT, "ERROR: Digest auth helper did not produce a HA1. Using the wrong helper program? received: " << reply);
        }
    }
    break;

    case Helper::TT:
        debugs(29, DBG_IMPORTANT, "ERROR: Digest auth does not support the result code received. Using the wrong helper program? received: " << reply);
    // fall through to next case. Handle this as an ERR response.

    case Helper::TimedOut:
    case Helper::BrokenHelper:
    // TODO retry the broken lookup on another helper?
    // fall through to next case for now. Handle this as an ERR response silently.
    case Helper::Error: {
        /* allow this because the digest_request pointer is purely local */
        Auth::Digest::UserRequest *digest_request = dynamic_cast<Auth::Digest::UserRequest *>(auth_user_request.getRaw());
        assert(digest_request);

        digest_request->user()->credentials(Auth::Failed);
        digest_request->flags.invalid_password = true;

        SBuf msgNote;
        if (reply.notes.find(msgNote, "message")) {
            digest_request->setDenyMessage(msgNote.c_str());
        } else if (reply.other().hasContent()) {
            // old helpers did send ERR result but a bare message string instead of message= key name.
            digest_request->setDenyMessage(reply.other().content());
            if (!oldHelperWarningDone) {
                debugs(29, DBG_IMPORTANT, "WARNING: Digest auth helper returned old format ERR response. It needs to be upgraded.");
                oldHelperWarningDone=true;
            }
        }
    }
    break;
    }

    void *cbdata = NULL;
    if (cbdataReferenceValidDone(replyData->data, &cbdata))
        replyData->handler(cbdata);

    delete replyData;
}
Commit	Line	Data
bbc27441	1	/*
5b74111a	2	* Copyright (C) 1996-2018 The Squid Software Foundation and contributors
bbc27441 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
f7f3304a	9	#include "squid.h"
d4806c91	10	#include "AccessLogEntry.h"
12daeef6	11	#include "auth/digest/Config.h"
aa110616	12	#include "auth/digest/User.h"
616cfc4c	13	#include "auth/digest/UserRequest.h"
928f3421	14	#include "auth/State.h"
25f98340	15	#include "charset.h"
86c63190	16	#include "format/Format.h"
24438ec5 AJ	17	#include "helper.h"
24438ec5 AJ	18	#include "helper/Reply.h"
a5bac1d2	19	#include "HttpHeaderTools.h"
928f3421 AJ	20	#include "HttpReply.h"
928f3421 AJ	21	#include "HttpRequest.h"
d4806c91	22	#include "MemBuf.h"
928f3421 AJ	23	#include "SquidTime.h"
928f3421 AJ	24
c7baff40	25	Auth::Digest::UserRequest::UserRequest() :
f53969cc SM	26	nonceb64(NULL),
	27	cnonce(NULL),
	28	realm(NULL),
	29	pszPass(NULL),
	30	algorithm(NULL),
	31	pszMethod(NULL),
	32	qop(NULL),
	33	uri(NULL),
	34	response(NULL),
	35	nonce(NULL)
1032a194 AJ	36	{
	37	memset(nc, 0, sizeof(nc));
	38	memset(&flags, 0, sizeof(flags));
	39	}
928f3421 AJ	40
	41	/**
	42	* Delete the digest request structure.
	43	* Does NOT delete related AuthUser structures
	44	*/
c7baff40	45	Auth::Digest::UserRequest::~UserRequest()
928f3421	46	{
8bf217bd	47	assert(LockCount()==0);
ea0695f2	48
928f3421 AJ	49	safe_free(nonceb64);
	50	safe_free(cnonce);
	51	safe_free(realm);
	52	safe_free(pszPass);
	53	safe_free(algorithm);
	54	safe_free(pszMethod);
	55	safe_free(qop);
	56	safe_free(uri);
	57	safe_free(response);
	58
	59	if (nonce)
	60	authDigestNonceUnlink(nonce);
	61	}
	62
928f3421	63	int
c7baff40	64	Auth::Digest::UserRequest::authenticated() const
928f3421	65	{
d87154ee	66	if (user() != NULL && user()->credentials() == Auth::Ok)
928f3421 AJ	67	return 1;
	68
	69	return 0;
	70	}
	71
d4806c91 CT	72	const char *
	73	Auth::Digest::UserRequest::credentialsStr()
	74	{
	75	return realm;
	76	}
	77
928f3421 AJ	78	/** log a digest user in
	79	*/
	80	void
789217a2	81	Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData *, Http::HdrType)
928f3421	82	{
928f3421 AJ	83	HASHHEX SESSIONKEY;
	84	HASHHEX HA2 = "";
	85	HASHHEX Response;
	86
928f3421	87	/* if the check has corrupted the user, just return */
d87154ee	88	if (user() == NULL \|\| user()->credentials() == Auth::Failed) {
928f3421 AJ	89	return;
	90	}
	91
d87154ee	92	Auth::User::Pointer auth_user = user();
928f3421	93
aa110616	94	Auth::Digest::User digest_user = dynamic_cast<Auth::Digest::User>(auth_user.getRaw());
56a49fda	95	assert(digest_user != NULL);
928f3421	96
c7baff40	97	Auth::Digest::UserRequest *digest_request = this;
56a49fda AJ	98
56a49fda AJ	99	/* do we have the HA1 */
928f3421	100	if (!digest_user->HA1created) {
d87154ee	101	auth_user->credentials(Auth::Pending);
928f3421 AJ	102	return;
	103	}
	104
	105	if (digest_request->nonce == NULL) {
	106	/* this isn't a nonce we issued */
d87154ee	107	auth_user->credentials(Auth::Failed);
928f3421 AJ	108	return;
	109	}
	110
	111	DigestCalcHA1(digest_request->algorithm, NULL, NULL, NULL,
	112	authenticateDigestNonceNonceb64(digest_request->nonce),
	113	digest_request->cnonce,
	114	digest_user->HA1, SESSIONKEY);
7f06a3d8	115	SBuf sTmp = request->method.image();
928f3421 AJ	116	DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
928f3421 AJ	117	digest_request->nc, digest_request->cnonce, digest_request->qop,
7f06a3d8	118	sTmp.c_str(), digest_request->uri, HA2, Response);
928f3421 AJ	119
	120	debugs(29, 9, "\nResponse = '" << digest_request->response << "'\nsquid is = '" << Response << "'");
	121
	122	if (strcasecmp(digest_request->response, Response) != 0) {
	123	if (!digest_request->flags.helper_queried) {
	124	/* Query the helper in case the password has changed */
3dd52a0b	125	digest_request->flags.helper_queried = true;
d87154ee	126	auth_user->credentials(Auth::Pending);
928f3421 AJ	127	return;
	128	}
	129
dc79fed8	130	if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->PostWorkaround && request->method != Http::METHOD_GET) {
928f3421 AJ	131	/* Ugly workaround for certain very broken browsers using the
	132	* wrong method to calculate the request-digest on POST request.
	133	* This should be deleted once Digest authentication becomes more
	134	* widespread and such broken browsers no longer are commonly
	135	* used.
	136	*/
7f06a3d8	137	sTmp = HttpRequestMethod(Http::METHOD_GET).image();
928f3421 AJ	138	DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
928f3421 AJ	139	digest_request->nc, digest_request->cnonce, digest_request->qop,
7f06a3d8	140	sTmp.c_str(), digest_request->uri, HA2, Response);
928f3421 AJ	141
928f3421 AJ	142	if (strcasecmp(digest_request->response, Response)) {
d87154ee	143	auth_user->credentials(Auth::Failed);
3dd52a0b	144	digest_request->flags.invalid_password = true;
928f3421 AJ	145	digest_request->setDenyMessage("Incorrect password");
	146	return;
	147	} else {
789217a2	148	const char *useragent = request->header.getStr(Http::HdrType::USER_AGENT);
928f3421	149
08acdd08	150	static Ip::Address last_broken_addr;
928f3421 AJ	151	static int seen_broken_client = 0;
	152
	153	if (!seen_broken_client) {
4dd643d5	154	last_broken_addr.setNoAddr();
928f3421 AJ	155	seen_broken_client = 1;
	156	}
	157
	158	if (last_broken_addr != request->client_addr) {
c7baff40	159	debugs(29, DBG_IMPORTANT, "Digest POST bug detected from " <<
928f3421 AJ	160	request->client_addr << " using '" <<
	161	(useragent ? useragent : "-") <<
	162	"'. Please upgrade browser. See Bug #630 for details.");
	163
	164	last_broken_addr = request->client_addr;
	165	}
	166	}
	167	} else {
d87154ee	168	auth_user->credentials(Auth::Failed);
3dd52a0b	169	digest_request->flags.invalid_password = true;
928f3421 AJ	170	digest_request->setDenyMessage("Incorrect password");
	171	return;
	172	}
c9dbe80f	173	}
928f3421	174
c9dbe80f	175	/* check for stale nonce */
6b634dc3 FB	176	/* check Auth::Pending to avoid loop */
	177
	178	if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
	179	debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
	180	/* Pending prevent banner and makes a ldap control */
	181	auth_user->credentials(Auth::Pending);
	182	nonce->flags.valid = false;
	183	authDigestNoncePurge(nonce);
c9dbe80f	184	return;
928f3421 AJ	185	}
928f3421 AJ	186
d87154ee	187	auth_user->credentials(Auth::Ok);
928f3421 AJ	188
928f3421 AJ	189	/* password was checked and did match */
65cbd5a7	190	debugs(29, 4, "user '" << auth_user->username() << "' validated OK");
928f3421 AJ	191	}
928f3421 AJ	192
51a3dd58	193	Auth::Direction
c7baff40	194	Auth::Digest::UserRequest::module_direction()
928f3421	195	{
616cfc4c	196	if (user()->auth_type != Auth::AUTH_DIGEST)
51a3dd58	197	return Auth::CRED_ERROR;
928f3421	198
d232141d	199	switch (user()->credentials()) {
928f3421	200
d87154ee	201	case Auth::Ok:
51a3dd58	202	return Auth::CRED_VALID;
928f3421	203
572d2e31	204	case Auth::Handshake:
d87154ee	205	case Auth::Failed:
928f3421	206	/* send new challenge */
51a3dd58	207	return Auth::CRED_CHALLENGE;
d232141d	208
d87154ee AJ	209	case Auth::Unchecked:
d87154ee AJ	210	case Auth::Pending:
51a3dd58	211	return Auth::CRED_LOOKUP;
d232141d AJ	212
d232141d AJ	213	default:
51a3dd58	214	return Auth::CRED_ERROR;
928f3421	215	}
928f3421 AJ	216	}
928f3421 AJ	217
928f3421	218	void
c7baff40	219	Auth::Digest::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
928f3421	220	{
789217a2	221	Http::HdrType type;
928f3421 AJ	222
928f3421 AJ	223	/* don't add to authentication error pages */
9b769c67 AJ	224	if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
9b769c67 AJ	225	\|\| (accel && rep->sline.status() == Http::scUnauthorized))
928f3421 AJ	226	return;
928f3421 AJ	227
789217a2	228	type = accel ? Http::HdrType::AUTHENTICATION_INFO : Http::HdrType::PROXY_AUTHENTICATION_INFO;
928f3421 AJ	229
	230	#if WAITING_FOR_TE
	231	/* test for http/1.1 transfer chunked encoding */
	232	if (chunkedtest)
	233	return;
	234	#endif
	235
dc79fed8	236	if ((static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
3dd52a0b	237	flags.authinfo_sent = true;
572d2e31	238	Auth::Digest::User digest_user = dynamic_cast<Auth::Digest::User >(user().getRaw());
3d01c5ab AJ	239	if (!digest_user)
	240	return;
	241
572d2e31 HN	242	digest_nonce_h *nextnonce = digest_user->currentNonce();
	243	if (!nextnonce \|\| authDigestNonceLastRequest(nonce)) {
	244	nextnonce = authenticateDigestNonceNew();
	245	authDigestUserLinkNonce(digest_user, nextnonce);
	246	}
	247	debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nextnonce) << "\"");
	248	httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nextnonce));
928f3421 AJ	249	}
	250	}
	251
	252	#if WAITING_FOR_TE
928f3421	253	void
c7baff40	254	Auth::Digest::UserRequest::addAuthenticationInfoTrailer(HttpReply * rep, int accel)
928f3421 AJ	255	{
	256	int type;
	257
	258	if (!auth_user_request)
	259	return;
	260
	261	/* has the header already been send? */
	262	if (flags.authinfo_sent)
	263	return;
	264
	265	/* don't add to authentication error pages */
9b769c67 AJ	266	if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
9b769c67 AJ	267	\|\| (accel && rep->sline.status() == Http::scUnauthorized))
928f3421 AJ	268	return;
928f3421 AJ	269
789217a2	270	type = accel ? Http::HdrType::AUTHENTICATION_INFO : Http::HdrType::PROXY_AUTHENTICATION_INFO;
928f3421	271
372fccd6	272	if ((static_cast<Auth::Digest::Config*>(digestScheme::GetInstance()->getConfig())->authenticate) && authDigestNonceLastRequest(nonce)) {
572d2e31 HN	273	Auth::Digest::User digest_user = dynamic_cast<Auth::Digest::User >(auth_user_request->user().getRaw());
	274	nonce = digest_user->currentNonce();
	275	if (!nonce) {
	276	nonce = authenticateDigestNonceNew();
	277	authDigestUserLinkNonce(digest_user, nonce);
	278	}
	279	debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
928f3421 AJ	280	httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
	281	}
	282	}
	283	#endif
	284
	285	/* send the initial data to a digest authenticator module */
	286	void
30c3f584	287	Auth::Digest::UserRequest::startHelperLookup(HttpRequest request, AccessLogEntry::Pointer &al, AUTHCB handler, void *data)
928f3421	288	{
928f3421	289	char buf[8192];
56a49fda	290
616cfc4c	291	assert(user() != NULL && user()->auth_type == Auth::AUTH_DIGEST);
c7baff40	292	debugs(29, 9, HERE << "'\"" << user()->username() << "\":\"" << realm << "\"'");
928f3421	293
dc79fed8	294	if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->authenticateProgram == NULL) {
d232141d	295	debugs(29, DBG_CRITICAL, "ERROR: No Digest authentication program configured.");
4c535e87	296	handler(data);
928f3421 AJ	297	return;
	298	}
	299
d4806c91	300	const char *keyExtras = helperRequestKeyExtras(request, al);
dc79fed8	301	if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->utf8) {
928f3421	302	char userstr[1024];
56a49fda	303	latin1_to_utf8(userstr, sizeof(userstr), user()->username());
d4806c91 CT	304	if (keyExtras)
	305	snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", userstr, realm, keyExtras);
	306	else
	307	snprintf(buf, 8192, "\"%s\":\"%s\"\n", userstr, realm);
928f3421	308	} else {
d4806c91 CT	309	if (keyExtras)
	310	snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", user()->username(), realm, keyExtras);
	311	else
	312	snprintf(buf, 8192, "\"%s\":\"%s\"\n", user()->username(), realm);
928f3421 AJ	313	}
928f3421 AJ	314
c7baff40	315	helperSubmit(digestauthenticators, buf, Auth::Digest::UserRequest::HandleReply,
1c756645	316	new Auth::StateData(this, handler, data));
928f3421 AJ	317	}
	318
	319	void
24438ec5	320	Auth::Digest::UserRequest::HandleReply(void *data, const Helper::Reply &reply)
928f3421	321	{
1c756645	322	Auth::StateData replyData = static_cast<Auth::StateData >(data);
e166785a	323	debugs(29, 9, HERE << "reply=" << reply);
928f3421 AJ	324
928f3421 AJ	325	assert(replyData->auth_user_request != NULL);
c7baff40	326	Auth::UserRequest::Pointer auth_user_request = replyData->auth_user_request;
928f3421	327
71e7400c AJ	328	// add new helper kv-pair notes to the credentials object
	329	// so that any transaction using those credentials can access them
	330	auth_user_request->user()->notes.appendNewOnly(&reply.notes);
c10ebce8 AJ	331	// remove any private credentials detail which got added.
c10ebce8 AJ	332	auth_user_request->user()->notes.remove("ha1");
71e7400c	333
c69199bb	334	static bool oldHelperWarningDone = false;
dacb64b9	335	switch (reply.result) {
2428ce02	336	case Helper::Unknown: {
c69199bb AJ	337	// Squid 3.3 and older the digest helper only returns a HA1 hash (no "OK")
	338	// the HA1 will be found in content() for these responses.
	339	if (!oldHelperWarningDone) {
	340	debugs(29, DBG_IMPORTANT, "WARNING: Digest auth helper returned old format HA1 response. It needs to be upgraded.");
	341	oldHelperWarningDone=true;
	342	}
56a49fda	343
c69199bb AJ	344	/* allow this because the digest_request pointer is purely local */
	345	Auth::Digest::User digest_user = dynamic_cast<Auth::Digest::User >(auth_user_request->user().getRaw());
	346	assert(digest_user != NULL);
928f3421	347
c69199bb AJ	348	CvtBin(reply.other().content(), digest_user->HA1);
c69199bb AJ	349	digest_user->HA1created = 1;
e166785a	350	}
dacb64b9	351	break;
e166785a	352
2428ce02	353	case Helper::Okay: {
56a49fda	354	/* allow this because the digest_request pointer is purely local */
aa110616	355	Auth::Digest::User digest_user = dynamic_cast<Auth::Digest::User >(auth_user_request->user().getRaw());
56a49fda AJ	356	assert(digest_user != NULL);
56a49fda AJ	357
75d47340	358	if (const char *ha1Note = reply.notes.findFirst("ha1")) {
cf9f0261	359	CvtBin(ha1Note, digest_user->HA1);
c69199bb AJ	360	digest_user->HA1created = 1;
	361	} else {
	362	debugs(29, DBG_IMPORTANT, "ERROR: Digest auth helper did not produce a HA1. Using the wrong helper program? received: " << reply);
	363	}
928f3421	364	}
dacb64b9	365	break;
e166785a	366
2428ce02	367	case Helper::TT:
c69199bb	368	debugs(29, DBG_IMPORTANT, "ERROR: Digest auth does not support the result code received. Using the wrong helper program? received: " << reply);
f53969cc	369	// fall through to next case. Handle this as an ERR response.
c69199bb	370
32fd6d8a	371	case Helper::TimedOut:
2428ce02	372	case Helper::BrokenHelper:
f53969cc SM	373	// TODO retry the broken lookup on another helper?
f53969cc SM	374	// fall through to next case for now. Handle this as an ERR response silently.
2428ce02	375	case Helper::Error: {
c69199bb AJ	376	/* allow this because the digest_request pointer is purely local */
	377	Auth::Digest::UserRequest digest_request = dynamic_cast<Auth::Digest::UserRequest >(auth_user_request.getRaw());
	378	assert(digest_request);
	379
	380	digest_request->user()->credentials(Auth::Failed);
3dd52a0b	381	digest_request->flags.invalid_password = true;
c69199bb	382
75d47340 CT	383	SBuf msgNote;
	384	if (reply.notes.find(msgNote, "message")) {
	385	digest_request->setDenyMessage(msgNote.c_str());
c69199bb AJ	386	} else if (reply.other().hasContent()) {
	387	// old helpers did send ERR result but a bare message string instead of message= key name.
	388	digest_request->setDenyMessage(reply.other().content());
	389	if (!oldHelperWarningDone) {
	390	debugs(29, DBG_IMPORTANT, "WARNING: Digest auth helper returned old format ERR response. It needs to be upgraded.");
	391	oldHelperWarningDone=true;
	392	}
	393	}
	394	}
	395	break;
e166785a	396	}
928f3421	397
e166785a	398	void *cbdata = NULL;
928f3421	399	if (cbdataReferenceValidDone(replyData->data, &cbdata))
4c535e87	400	replyData->handler(cbdata);
928f3421	401
1c756645	402	delete replyData;
928f3421	403	}
f53969cc	404