]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/digest/Config.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Improved 'stateless' helper-related classes (#1480)
[thirdparty/squid.git] / src / auth / digest / Config.cc
1 /*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 29 Authenticator */
10
11 /* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
14
15 #include "squid.h"
16 #include "auth/CredentialsCache.h"
17 #include "auth/digest/Config.h"
18 #include "auth/digest/Scheme.h"
19 #include "auth/digest/User.h"
20 #include "auth/digest/UserRequest.h"
21 #include "auth/Gadgets.h"
22 #include "auth/State.h"
23 #include "auth/toUtf.h"
24 #include "base/LookupTable.h"
25 #include "base/Random.h"
26 #include "cache_cf.h"
27 #include "event.h"
28 #include "helper.h"
29 #include "HttpHeaderTools.h"
30 #include "HttpReply.h"
31 #include "HttpRequest.h"
32 #include "md5.h"
33 #include "mgr/Registration.h"
34 #include "rfc2617.h"
35 #include "sbuf/SBuf.h"
36 #include "sbuf/StringConvert.h"
37 #include "Store.h"
38 #include "StrList.h"
39 #include "wordlist.h"
40
41 /* digest_nonce_h still uses explicit alloc()/freeOne() MemPool calls.
42 * XXX: convert to MEMPROXY_CLASS() API
43 */
44 #include "mem/Allocator.h"
45 #include "mem/Pool.h"
46
47 static AUTHSSTATS authenticateDigestStats;
48
49 Helper::ClientPointer digestauthenticators;
50
51 static hash_table *digest_nonce_cache;
52
53 static int authdigest_initialised = 0;
54 static Mem::Allocator *digest_nonce_pool = nullptr;
55
56 enum http_digest_attr_type {
57 DIGEST_USERNAME,
58 DIGEST_REALM,
59 DIGEST_QOP,
60 DIGEST_ALGORITHM,
61 DIGEST_URI,
62 DIGEST_NONCE,
63 DIGEST_NC,
64 DIGEST_CNONCE,
65 DIGEST_RESPONSE,
66 DIGEST_INVALID_ATTR
67 };
68
69 static const LookupTable<http_digest_attr_type>::Record
70 DigestAttrs[] = {
71 {"username", DIGEST_USERNAME},
72 {"realm", DIGEST_REALM},
73 {"qop", DIGEST_QOP},
74 {"algorithm", DIGEST_ALGORITHM},
75 {"uri", DIGEST_URI},
76 {"nonce", DIGEST_NONCE},
77 {"nc", DIGEST_NC},
78 {"cnonce", DIGEST_CNONCE},
79 {"response", DIGEST_RESPONSE},
80 {nullptr, DIGEST_INVALID_ATTR}
81 };
82
83 LookupTable<http_digest_attr_type>
84 DigestFieldsLookupTable(DIGEST_INVALID_ATTR, DigestAttrs);
85
86 /*
87 *
88 * Nonce Functions
89 *
90 */
91
92 static void authenticateDigestNonceCacheCleanup(void *data);
93 static digest_nonce_h *authenticateDigestNonceFindNonce(const char *noncehex);
94 static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
95 static void authenticateDigestNonceSetup(void);
96 static void authDigestNonceEncode(digest_nonce_h * nonce);
97 static void authDigestNonceLink(digest_nonce_h * nonce);
98 static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
99
100 static void
101 authDigestNonceEncode(digest_nonce_h * nonce)
102 {
103 if (!nonce)
104 return;
105
106 if (nonce->key)
107 xfree(nonce->key);
108
109 SquidMD5_CTX Md5Ctx;
110 HASH H;
111 SquidMD5Init(&Md5Ctx);
112 SquidMD5Update(&Md5Ctx, reinterpret_cast<const uint8_t *>(&nonce->noncedata), sizeof(nonce->noncedata));
113 SquidMD5Final(reinterpret_cast<uint8_t *>(H), &Md5Ctx);
114
115 nonce->key = xcalloc(sizeof(HASHHEX), 1);
116 CvtHex(H, static_cast<char *>(nonce->key));
117 }
118
119 digest_nonce_h *
120 authenticateDigestNonceNew(void)
121 {
122 digest_nonce_h *newnonce = static_cast < digest_nonce_h * >(digest_nonce_pool->alloc());
123
124 /* NONCE CREATION - NOTES AND REASONING. RBC 20010108
125 * === EXCERPT FROM RFC 2617 ===
126 * The contents of the nonce are implementation dependent. The quality
127 * of the implementation depends on a good choice. A nonce might, for
128 * example, be constructed as the base 64 encoding of
129 *
130 * time-stamp H(time-stamp ":" ETag ":" private-key)
131 *
132 * where time-stamp is a server-generated time or other non-repeating
133 * value, ETag is the value of the HTTP ETag header associated with
134 * the requested entity, and private-key is data known only to the
135 * server. With a nonce of this form a server would recalculate the
136 * hash portion after receiving the client authentication header and
137 * reject the request if it did not match the nonce from that header
138 * or if the time-stamp value is not recent enough. In this way the
139 * server can limit the time of the nonce's validity. The inclusion of
140 * the ETag prevents a replay request for an updated version of the
141 * resource. (Note: including the IP address of the client in the
142 * nonce would appear to offer the server the ability to limit the
143 * reuse of the nonce to the same client that originally got it.
144 * However, that would break proxy farms, where requests from a single
145 * user often go through different proxies in the farm. Also, IP
146 * address spoofing is not that hard.)
147 * ====
148 *
149 * Now for my reasoning:
150 * We will not accept a unrecognised nonce->we have all recognisable
151 * nonces stored. If we send out unique encodings we guarantee
152 * that a given nonce applies to only one user (barring attacks or
153 * really bad timing with expiry and creation). Using a random
154 * component in the nonce allows us to loop to find a unique nonce.
155 * We use H(nonce_data) so the nonce is meaningless to the receiver.
156 * So our nonce looks like hex(H(timestamp,randomdata))
157 * And even if our randomness is not very random we don't really care
158 * - the timestamp also guarantees local uniqueness in the input to
159 * the hash function.
160 */
161 static std::mt19937 mt(RandomSeed32());
162 static std::uniform_int_distribution<uint32_t> newRandomData;
163
164 /* create a new nonce */
165 newnonce->nc = 0;
166 newnonce->flags.valid = true;
167 newnonce->noncedata.creationtime = current_time.tv_sec;
168 newnonce->noncedata.randomdata = newRandomData(mt);
169
170 authDigestNonceEncode(newnonce);
171
172 // ensure temporal uniqueness by checking for existing nonce
173 while (authenticateDigestNonceFindNonce((char const *) (newnonce->key))) {
174 /* create a new nonce */
175 newnonce->noncedata.randomdata = newRandomData(mt);
176 authDigestNonceEncode(newnonce);
177 }
178
179 hash_join(digest_nonce_cache, newnonce);
180 /* the cache's link */
181 authDigestNonceLink(newnonce);
182 newnonce->flags.incache = true;
183 debugs(29, 5, "created nonce " << newnonce << " at " << newnonce->noncedata.creationtime);
184 return newnonce;
185 }
186
187 static void
188 authenticateDigestNonceDelete(digest_nonce_h * nonce)
189 {
190 if (nonce) {
191 assert(nonce->references == 0);
192 assert(!nonce->flags.incache);
193
194 safe_free(nonce->key);
195
196 digest_nonce_pool->freeOne(nonce);
197 }
198 }
199
200 static void
201 authenticateDigestNonceSetup(void)
202 {
203 if (!digest_nonce_pool)
204 digest_nonce_pool = memPoolCreate("Digest Scheme nonce's", sizeof(digest_nonce_h));
205
206 if (!digest_nonce_cache) {
207 digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
208 assert(digest_nonce_cache);
209 eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, nullptr, static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->nonceGCInterval, 1);
210 }
211 }
212
213 void
214 authenticateDigestNonceShutdown(void)
215 {
216 /*
217 * We empty the cache of any nonces left in there.
218 */
219 digest_nonce_h *nonce;
220
221 if (digest_nonce_cache) {
222 debugs(29, 2, "Shutting down nonce cache");
223 hash_first(digest_nonce_cache);
224
225 while ((nonce = ((digest_nonce_h *) hash_next(digest_nonce_cache)))) {
226 assert(nonce->flags.incache);
227 authDigestNoncePurge(nonce);
228 }
229 }
230
231 debugs(29, 2, "Nonce cache shutdown");
232 }
233
234 static void
235 authenticateDigestNonceCacheCleanup(void *)
236 {
237 /*
238 * We walk the hash by noncehex as that is the unique key we
239 * use. For big hash tables we could consider stepping through
240 * the cache, 100/200 entries at a time. Lets see how it flies
241 * first.
242 */
243 digest_nonce_h *nonce;
244 debugs(29, 3, "Cleaning the nonce cache now");
245 debugs(29, 3, "Current time: " << current_time.tv_sec);
246 hash_first(digest_nonce_cache);
247
248 while ((nonce = ((digest_nonce_h *) hash_next(digest_nonce_cache)))) {
249 debugs(29, 3, "nonce entry : " << nonce << " '" << (char *) nonce->key << "'");
250 debugs(29, 4, "Creation time: " << nonce->noncedata.creationtime);
251
252 if (authDigestNonceIsStale(nonce)) {
253 debugs(29, 4, "Removing nonce " << (char *) nonce->key << " from cache due to timeout.");
254 assert(nonce->flags.incache);
255 /* invalidate nonce so future requests fail */
256 nonce->flags.valid = false;
257 /* if it is tied to a auth_user, remove the tie */
258 authDigestNonceUserUnlink(nonce);
259 authDigestNoncePurge(nonce);
260 }
261 }
262
263 debugs(29, 3, "Finished cleaning the nonce cache.");
264
265 if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->active())
266 eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, nullptr, static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->nonceGCInterval, 1);
267 }
268
269 static void
270 authDigestNonceLink(digest_nonce_h * nonce)
271 {
272 assert(nonce != nullptr);
273 ++nonce->references;
274 assert(nonce->references != 0); // no overflows
275 debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
276 }
277
278 void
279 authDigestNonceUnlink(digest_nonce_h * nonce)
280 {
281 assert(nonce != nullptr);
282
283 if (nonce->references > 0) {
284 -- nonce->references;
285 } else {
286 debugs(29, DBG_IMPORTANT, "Attempt to lower nonce " << nonce << " refcount below 0!");
287 }
288
289 debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
290
291 if (nonce->references == 0)
292 authenticateDigestNonceDelete(nonce);
293 }
294
295 const char *
296 authenticateDigestNonceNonceHex(const digest_nonce_h * nonce)
297 {
298 if (!nonce)
299 return nullptr;
300
301 return (char const *) nonce->key;
302 }
303
304 static digest_nonce_h *
305 authenticateDigestNonceFindNonce(const char *noncehex)
306 {
307 digest_nonce_h *nonce = nullptr;
308
309 if (noncehex == nullptr)
310 return nullptr;
311
312 debugs(29, 9, "looking for noncehex '" << noncehex << "' in the nonce cache.");
313
314 nonce = static_cast < digest_nonce_h * >(hash_lookup(digest_nonce_cache, noncehex));
315
316 if ((nonce == nullptr) || (strcmp(authenticateDigestNonceNonceHex(nonce), noncehex)))
317 return nullptr;
318
319 debugs(29, 9, "Found nonce '" << nonce << "'");
320
321 return nonce;
322 }
323
324 int
325 authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9])
326 {
327 unsigned long intnc;
328 /* do we have a nonce ? */
329
330 if (!nonce)
331 return 0;
332
333 intnc = strtol(nc, nullptr, 16);
334
335 /* has it already been invalidated ? */
336 if (!nonce->flags.valid) {
337 debugs(29, 4, "Nonce already invalidated");
338 return 0;
339 }
340
341 /* is the nonce-count ok ? */
342 if (!static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->CheckNonceCount) {
343 /* Ignore client supplied NC */
344 intnc = nonce->nc + 1;
345 }
346
347 if ((static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->NonceStrictness && intnc != nonce->nc + 1) ||
348 intnc < nonce->nc + 1) {
349 debugs(29, 4, "Nonce count doesn't match");
350 nonce->flags.valid = false;
351 return 0;
352 }
353
354 /* increment the nonce count - we've already checked that intnc is a
355 * valid representation for us, so we don't need the test here.
356 */
357 nonce->nc = intnc;
358
359 return !authDigestNonceIsStale(nonce);
360 }
361
362 int
363 authDigestNonceIsStale(digest_nonce_h * nonce)
364 {
365 /* do we have a nonce ? */
366
367 if (!nonce)
368 return -1;
369
370 /* Is it already invalidated? */
371 if (!nonce->flags.valid)
372 return -1;
373
374 /* has it's max duration expired? */
375 if (nonce->noncedata.creationtime + static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxduration < current_time.tv_sec) {
376 debugs(29, 4, "Nonce is too old. " <<
377 nonce->noncedata.creationtime << " " <<
378 static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxduration << " " <<
379 current_time.tv_sec);
380
381 nonce->flags.valid = false;
382 return -1;
383 }
384
385 if (nonce->nc > 99999998) {
386 debugs(29, 4, "Nonce count overflow");
387 nonce->flags.valid = false;
388 return -1;
389 }
390
391 if (nonce->nc > static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxuses) {
392 debugs(29, 4, "Nonce count over user limit");
393 nonce->flags.valid = false;
394 return -1;
395 }
396
397 /* seems ok */
398 return 0;
399 }
400
401 /**
402 * \retval 0 the digest is not stale yet
403 * \retval -1 the digest will be stale on the next request
404 */
405 int
406 authDigestNonceLastRequest(digest_nonce_h * nonce)
407 {
408 if (!nonce)
409 return -1;
410
411 if (nonce->nc == 99999997) {
412 debugs(29, 4, "Nonce count about to overflow");
413 return -1;
414 }
415
416 if (nonce->nc >= static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxuses - 1) {
417 debugs(29, 4, "Nonce count about to hit user limit");
418 return -1;
419 }
420
421 /* and other tests are possible. */
422 return 0;
423 }
424
425 void
426 authDigestNoncePurge(digest_nonce_h * nonce)
427 {
428 if (!nonce)
429 return;
430
431 if (!nonce->flags.incache)
432 return;
433
434 hash_remove_link(digest_nonce_cache, nonce);
435
436 nonce->flags.incache = false;
437
438 /* the cache's link */
439 authDigestNonceUnlink(nonce);
440 }
441
442 void
443 Auth::Digest::Config::rotateHelpers()
444 {
445 /* schedule closure of existing helpers */
446 if (digestauthenticators) {
447 helperShutdown(digestauthenticators);
448 }
449
450 /* NP: dynamic helper restart will ensure they start up again as needed. */
451 }
452
453 bool
454 Auth::Digest::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
455 {
456 if (!Auth::SchemeConfig::dump(entry, name, scheme))
457 return false;
458
459 storeAppendPrintf(entry, "%s %s nonce_max_count %d\n%s %s nonce_max_duration %d seconds\n%s %s nonce_garbage_interval %d seconds\n",
460 name, "digest", noncemaxuses,
461 name, "digest", (int) noncemaxduration,
462 name, "digest", (int) nonceGCInterval);
463 return true;
464 }
465
466 bool
467 Auth::Digest::Config::active() const
468 {
469 return authdigest_initialised == 1;
470 }
471
472 bool
473 Auth::Digest::Config::configured() const
474 {
475 if ((authenticateProgram != nullptr) &&
476 (authenticateChildren.n_max != 0) &&
477 !realm.isEmpty() && (noncemaxduration > -1))
478 return true;
479
480 return false;
481 }
482
483 /* add the [www-|Proxy-]authenticate header on a 407 or 401 reply */
484 void
485 Auth::Digest::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
486 {
487 if (!authenticateProgram)
488 return;
489
490 bool stale = false;
491 digest_nonce_h *nonce = nullptr;
492
493 /* on a 407 or 401 we always use a new nonce */
494 if (auth_user_request != nullptr) {
495 Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
496
497 if (digest_user) {
498 stale = digest_user->credentials() == Auth::Handshake;
499 if (stale) {
500 nonce = digest_user->currentNonce();
501 }
502 }
503 }
504 if (!nonce) {
505 nonce = authenticateDigestNonceNew();
506 }
507
508 debugs(29, 9, "Sending type:" << hdrType <<
509 " header: 'Digest realm=\"" << realm << "\", nonce=\"" <<
510 authenticateDigestNonceNonceHex(nonce) << "\", qop=\"" << QOP_AUTH <<
511 "\", stale=" << (stale ? "true" : "false"));
512
513 /* in the future, for WWW auth we may want to support the domain entry */
514 httpHeaderPutStrf(&rep->header, hdrType, "Digest realm=\"" SQUIDSBUFPH "\", nonce=\"%s\", qop=\"%s\", stale=%s",
515 SQUIDSBUFPRINT(realm), authenticateDigestNonceNonceHex(nonce), QOP_AUTH, stale ? "true" : "false");
516 }
517
518 /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
519 * config file */
520 void
521 Auth::Digest::Config::init(Auth::SchemeConfig *)
522 {
523 if (authenticateProgram) {
524 authenticateDigestNonceSetup();
525 authdigest_initialised = 1;
526
527 if (digestauthenticators == nullptr)
528 digestauthenticators = Helper::Client::Make("digestauthenticator");
529
530 digestauthenticators->cmdline = authenticateProgram;
531
532 digestauthenticators->childs.updateLimits(authenticateChildren);
533
534 digestauthenticators->ipc_type = IPC_STREAM;
535
536 helperOpenServers(digestauthenticators);
537 }
538 }
539
540 void
541 Auth::Digest::Config::registerWithCacheManager(void)
542 {
543 Mgr::RegisterAction("digestauthenticator",
544 "Digest User Authenticator Stats",
545 authenticateDigestStats, 0, 1);
546 }
547
548 /* free any allocated configuration details */
549 void
550 Auth::Digest::Config::done()
551 {
552 Auth::SchemeConfig::done();
553
554 authdigest_initialised = 0;
555
556 if (digestauthenticators)
557 helperShutdown(digestauthenticators);
558
559 if (!shutting_down)
560 return;
561
562 digestauthenticators = nullptr;
563
564 if (authenticateProgram)
565 wordlistDestroy(&authenticateProgram);
566 }
567
568 Auth::Digest::Config::Config() :
569 nonceGCInterval(5*60),
570 noncemaxduration(30*60),
571 noncemaxuses(50),
572 NonceStrictness(0),
573 CheckNonceCount(1),
574 PostWorkaround(0)
575 {}
576
577 void
578 Auth::Digest::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
579 {
580 if (strcmp(param_str, "nonce_garbage_interval") == 0) {
581 parse_time_t(&nonceGCInterval);
582 } else if (strcmp(param_str, "nonce_max_duration") == 0) {
583 parse_time_t(&noncemaxduration);
584 } else if (strcmp(param_str, "nonce_max_count") == 0) {
585 parse_int((int *) &noncemaxuses);
586 } else if (strcmp(param_str, "nonce_strictness") == 0) {
587 parse_onoff(&NonceStrictness);
588 } else if (strcmp(param_str, "check_nonce_count") == 0) {
589 parse_onoff(&CheckNonceCount);
590 } else if (strcmp(param_str, "post_workaround") == 0) {
591 parse_onoff(&PostWorkaround);
592 } else
593 Auth::SchemeConfig::parse(scheme, n_configured, param_str);
594 }
595
596 const char *
597 Auth::Digest::Config::type() const
598 {
599 return Auth::Digest::Scheme::GetInstance()->type();
600 }
601
602 static void
603 authenticateDigestStats(StoreEntry * sentry)
604 {
605 if (digestauthenticators)
606 digestauthenticators->packStatsInto(sentry, "Digest Authenticator Statistics");
607 }
608
609 /* NonceUserUnlink: remove the reference to auth_user and unlink the node from the list */
610
611 static void
612 authDigestNonceUserUnlink(digest_nonce_h * nonce)
613 {
614 Auth::Digest::User *digest_user;
615 dlink_node *link, *tmplink;
616
617 if (!nonce)
618 return;
619
620 if (!nonce->user)
621 return;
622
623 digest_user = nonce->user;
624
625 /* unlink from the user list. Yes we're crossing structures but this is the only
626 * time this code is needed
627 */
628 link = digest_user->nonces.head;
629
630 while (link) {
631 tmplink = link;
632 link = link->next;
633
634 if (tmplink->data == nonce) {
635 dlinkDelete(tmplink, &digest_user->nonces);
636 authDigestNonceUnlink(static_cast < digest_nonce_h * >(tmplink->data));
637 delete tmplink;
638 link = nullptr;
639 }
640 }
641
642 /* this reference to user was not locked because freeeing the user frees
643 * the nonce too.
644 */
645 nonce->user = nullptr;
646 }
647
648 /* authDigesteserLinkNonce: add a nonce to a given user's struct */
649 void
650 authDigestUserLinkNonce(Auth::Digest::User * user, digest_nonce_h * nonce)
651 {
652 dlink_node *node;
653
654 if (!user || !nonce || !nonce->user)
655 return;
656
657 Auth::Digest::User *digest_user = user;
658
659 node = digest_user->nonces.head;
660
661 while (node && (node->data != nonce))
662 node = node->next;
663
664 if (node)
665 return;
666
667 node = new dlink_node;
668
669 dlinkAddTail(nonce, node, &digest_user->nonces);
670
671 authDigestNonceLink(nonce);
672
673 /* ping this nonce to this auth user */
674 assert((nonce->user == nullptr) || (nonce->user == user));
675
676 /* we don't lock this reference because removing the user removes the
677 * hash too. Of course if that changes we're stuffed so read the code huh?
678 */
679 nonce->user = user;
680 }
681
682 /* setup the necessary info to log the username */
683 static Auth::UserRequest::Pointer
684 authDigestLogUsername(char *username, Auth::UserRequest::Pointer auth_user_request, const char *requestRealm)
685 {
686 assert(auth_user_request != nullptr);
687
688 /* log the username */
689 debugs(29, 9, "Creating new user for logging '" << (username?username:"[no username]") << "'");
690 Auth::User::Pointer digest_user = new Auth::Digest::User(static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest")), requestRealm);
691 /* save the credentials */
692 digest_user->username(username);
693 /* set the auth_user type */
694 digest_user->auth_type = Auth::AUTH_BROKEN;
695 /* link the request to the user */
696 auth_user_request->user(digest_user);
697 return auth_user_request;
698 }
699
700 /*
701 * Decode a Digest [Proxy-]Auth string, placing the results in the passed
702 * Auth_user structure.
703 */
704 Auth::UserRequest::Pointer
705 Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request, const char *aRequestRealm)
706 {
707 const char *item;
708 const char *p;
709 const char *pos = nullptr;
710 char *username = nullptr;
711 digest_nonce_h *nonce;
712 int ilen;
713
714 debugs(29, 9, "beginning");
715
716 Auth::Digest::UserRequest *digest_request = new Auth::Digest::UserRequest();
717
718 /* trim DIGEST from string */
719
720 while (xisgraph(*proxy_auth))
721 ++proxy_auth;
722
723 /* Trim leading whitespace before decoding */
724 while (xisspace(*proxy_auth))
725 ++proxy_auth;
726
727 String temp(proxy_auth);
728
729 while (strListGetItem(&temp, ',', &item, &ilen, &pos)) {
730 /* isolate directive name & value */
731 size_t nlen;
732 size_t vlen;
733 if ((p = (const char *)memchr(item, '=', ilen)) && (p - item < ilen)) {
734 nlen = p - item;
735 ++p;
736 vlen = ilen - (p - item);
737 } else {
738 nlen = ilen;
739 vlen = 0;
740 }
741
742 SBuf keyName(item, nlen);
743 String value;
744
745 if (vlen > 0) {
746 // see RFC 2617 section 3.2.1 and 3.2.2 for details on the BNF
747
748 if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
749 // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
750 // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
751 if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
752 value.assign(p+1, vlen-2);
753 }
754 } else if (keyName == SBuf("qop",3)) {
755 // qop is more special.
756 // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
757 // On response this is a single un-quoted token.
758 if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
759 value.assign(p+1, vlen-2);
760 } else {
761 value.assign(p, vlen);
762 }
763 } else if (*p == '"') {
764 if (!httpHeaderParseQuotedString(p, vlen, &value)) {
765 debugs(29, 9, "Failed to parse attribute '" << item << "' in '" << temp << "'");
766 continue;
767 }
768 } else {
769 value.assign(p, vlen);
770 }
771 } else {
772 debugs(29, 9, "Failed to parse attribute '" << item << "' in '" << temp << "'");
773 continue;
774 }
775
776 /* find type */
777 const http_digest_attr_type t = DigestFieldsLookupTable.lookup(keyName);
778
779 switch (t) {
780 case DIGEST_USERNAME:
781 safe_free(username);
782 if (value.size() != 0) {
783 const auto v = value.termedBuf();
784 if (utf8 && !isValidUtf8String(v, v + value.size())) {
785 auto str = isCP1251EncodingAllowed(request) ? Cp1251ToUtf8(v) : Latin1ToUtf8(v);
786 value = SBufToString(str);
787 }
788 username = xstrndup(value.rawBuf(), value.size() + 1);
789 }
790 debugs(29, 9, "Found Username '" << username << "'");
791 break;
792
793 case DIGEST_REALM:
794 safe_free(digest_request->realm);
795 if (value.size() != 0)
796 digest_request->realm = xstrndup(value.rawBuf(), value.size() + 1);
797 debugs(29, 9, "Found realm '" << digest_request->realm << "'");
798 break;
799
800 case DIGEST_QOP:
801 safe_free(digest_request->qop);
802 if (value.size() != 0)
803 digest_request->qop = xstrndup(value.rawBuf(), value.size() + 1);
804 debugs(29, 9, "Found qop '" << digest_request->qop << "'");
805 break;
806
807 case DIGEST_ALGORITHM:
808 safe_free(digest_request->algorithm);
809 if (value.size() != 0)
810 digest_request->algorithm = xstrndup(value.rawBuf(), value.size() + 1);
811 debugs(29, 9, "Found algorithm '" << digest_request->algorithm << "'");
812 break;
813
814 case DIGEST_URI:
815 safe_free(digest_request->uri);
816 if (value.size() != 0)
817 digest_request->uri = xstrndup(value.rawBuf(), value.size() + 1);
818 debugs(29, 9, "Found uri '" << digest_request->uri << "'");
819 break;
820
821 case DIGEST_NONCE:
822 safe_free(digest_request->noncehex);
823 if (value.size() != 0)
824 digest_request->noncehex = xstrndup(value.rawBuf(), value.size() + 1);
825 debugs(29, 9, "Found nonce '" << digest_request->noncehex << "'");
826 break;
827
828 case DIGEST_NC:
829 if (value.size() != 8) {
830 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
831 }
832 xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
833 debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
834 break;
835
836 case DIGEST_CNONCE:
837 safe_free(digest_request->cnonce);
838 if (value.size() != 0)
839 digest_request->cnonce = xstrndup(value.rawBuf(), value.size() + 1);
840 debugs(29, 9, "Found cnonce '" << digest_request->cnonce << "'");
841 break;
842
843 case DIGEST_RESPONSE:
844 safe_free(digest_request->response);
845 if (value.size() != 0)
846 digest_request->response = xstrndup(value.rawBuf(), value.size() + 1);
847 debugs(29, 9, "Found response '" << digest_request->response << "'");
848 break;
849
850 default:
851 debugs(29, 3, "Unknown attribute '" << item << "' in '" << temp << "'");
852 break;
853 }
854 }
855
856 temp.clean();
857
858 /* now we validate the data given to us */
859
860 /*
861 * TODO: on invalid parameters we should return 400, not 407.
862 * Find some clean way of doing this. perhaps return a valid
863 * struct, and set the direction to clientwards combined with
864 * a change to the clientwards handling code (ie let the
865 * clientwards call set the error type (but limited to known
866 * correct values - 400/401/407
867 */
868
869 /* 2069 requirements */
870
871 // return value.
872 Auth::UserRequest::Pointer rv;
873 /* do we have a username ? */
874 if (!username || username[0] == '\0') {
875 debugs(29, 2, "Empty or not present username");
876 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
877 safe_free(username);
878 return rv;
879 }
880
881 /* Sanity check of the username.
882 * " can not be allowed in usernames until * the digest helper protocol
883 * have been redone
884 */
885 if (strchr(username, '"')) {
886 debugs(29, 2, "Unacceptable username '" << username << "'");
887 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
888 safe_free(username);
889 return rv;
890 }
891
892 /* do we have a realm ? */
893 if (!digest_request->realm || digest_request->realm[0] == '\0') {
894 debugs(29, 2, "Empty or not present realm");
895 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
896 safe_free(username);
897 return rv;
898 }
899
900 /* and a nonce? */
901 if (!digest_request->noncehex || digest_request->noncehex[0] == '\0') {
902 debugs(29, 2, "Empty or not present nonce");
903 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
904 safe_free(username);
905 return rv;
906 }
907
908 /* we can't check the URI just yet. We'll check it in the
909 * authenticate phase, but needs to be given */
910 if (!digest_request->uri || digest_request->uri[0] == '\0') {
911 debugs(29, 2, "Missing URI field");
912 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
913 safe_free(username);
914 return rv;
915 }
916
917 /* is the response the correct length? */
918 if (!digest_request->response || strlen(digest_request->response) != 32) {
919 debugs(29, 2, "Response length invalid");
920 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
921 safe_free(username);
922 return rv;
923 }
924
925 /* check the algorithm is present and supported */
926 if (!digest_request->algorithm)
927 digest_request->algorithm = xstrndup("MD5", 4);
928 else if (strcmp(digest_request->algorithm, "MD5")
929 && strcmp(digest_request->algorithm, "MD5-sess")) {
930 debugs(29, 2, "invalid algorithm specified!");
931 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
932 safe_free(username);
933 return rv;
934 }
935
936 /* 2617 requirements, indicated by qop */
937 if (digest_request->qop) {
938
939 /* check the qop is what we expected. */
940 if (strcmp(digest_request->qop, QOP_AUTH) != 0) {
941 /* we received a qop option we didn't send */
942 debugs(29, 2, "Invalid qop option received");
943 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
944 safe_free(username);
945 return rv;
946 }
947
948 /* check cnonce */
949 if (!digest_request->cnonce || digest_request->cnonce[0] == '\0') {
950 debugs(29, 2, "Missing cnonce field");
951 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
952 safe_free(username);
953 return rv;
954 }
955
956 /* check nc */
957 if (strlen(digest_request->nc) != 8 || strspn(digest_request->nc, "0123456789abcdefABCDEF") != 8) {
958 debugs(29, 2, "invalid nonce count");
959 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
960 safe_free(username);
961 return rv;
962 }
963 } else {
964 /* cnonce and nc both require qop */
965 if (digest_request->cnonce || digest_request->nc[0] != '\0') {
966 debugs(29, 2, "missing qop!");
967 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
968 safe_free(username);
969 return rv;
970 }
971 }
972
973 /** below nonce state dependent **/
974
975 /* now the nonce */
976 nonce = authenticateDigestNonceFindNonce(digest_request->noncehex);
977 /* check that we're not being hacked / the username hasn't changed */
978 if (nonce && nonce->user && strcmp(username, nonce->user->username())) {
979 debugs(29, 2, "Username for the nonce does not equal the username for the request");
980 nonce = nullptr;
981 }
982
983 if (!nonce) {
984 /* we couldn't find a matching nonce! */
985 debugs(29, 2, "Unexpected or invalid nonce received from " << username);
986 Auth::UserRequest::Pointer auth_request = authDigestLogUsername(username, digest_request, aRequestRealm);
987 auth_request->user()->credentials(Auth::Handshake);
988 safe_free(username);
989 return auth_request;
990 }
991
992 digest_request->nonce = nonce;
993 authDigestNonceLink(nonce);
994
995 /* check that we're not being hacked / the username hasn't changed */
996 if (nonce->user && strcmp(username, nonce->user->username())) {
997 debugs(29, 2, "Username for the nonce does not equal the username for the request");
998 rv = authDigestLogUsername(username, digest_request, aRequestRealm);
999 safe_free(username);
1000 return rv;
1001 }
1002
1003 /* the method we'll check at the authenticate step as well */
1004
1005 /* we don't send or parse opaques. Ok so we're flexible ... */
1006
1007 /* find the user */
1008 Auth::Digest::User *digest_user;
1009
1010 Auth::User::Pointer auth_user;
1011
1012 SBuf key = Auth::User::BuildUserKey(username, aRequestRealm);
1013 if (key.isEmpty() || !(auth_user = Auth::Digest::User::Cache()->lookup(key))) {
1014 /* the user doesn't exist in the username cache yet */
1015 debugs(29, 9, "Creating new digest user '" << username << "'");
1016 digest_user = new Auth::Digest::User(this, aRequestRealm);
1017 /* auth_user is a parent */
1018 auth_user = digest_user;
1019 /* save the username */
1020 digest_user->username(username);
1021 /* set the user type */
1022 digest_user->auth_type = Auth::AUTH_DIGEST;
1023 /* this auth_user struct is the one to get added to the
1024 * username cache */
1025 /* store user in hash's */
1026 digest_user->addToNameCache();
1027
1028 /*
1029 * Add the digest to the user so we can tell if a hacking
1030 * or spoofing attack is taking place. We do this by assuming
1031 * the user agent won't change user name without warning.
1032 */
1033 authDigestUserLinkNonce(digest_user, nonce);
1034
1035 /* auth_user is now linked, we reset these values
1036 * after external auth occurs anyway */
1037 auth_user->expiretime = current_time.tv_sec;
1038 } else {
1039 debugs(29, 9, "Found user '" << username << "' in the user cache as '" << auth_user << "'");
1040 digest_user = static_cast<Auth::Digest::User *>(auth_user.getRaw());
1041 digest_user->credentials(Auth::Unchecked);
1042 xfree(username);
1043 }
1044
1045 /*link the request and the user */
1046 assert(digest_request != nullptr);
1047
1048 digest_request->user(digest_user);
1049 debugs(29, 9, "username = '" << digest_user->username() << "'\nrealm = '" <<
1050 digest_request->realm << "'\nqop = '" << digest_request->qop <<
1051 "'\nalgorithm = '" << digest_request->algorithm << "'\nuri = '" <<
1052 digest_request->uri << "'\nnonce = '" << digest_request->noncehex <<
1053 "'\nnc = '" << digest_request->nc << "'\ncnonce = '" <<
1054 digest_request->cnonce << "'\nresponse = '" <<
1055 digest_request->response << "'\ndigestnonce = '" << nonce << "'");
1056
1057 return digest_request;
1058 }
1059
Mirror of https://github.com/squid-cache/squid.git