]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/digest/UserRequest.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Source Maintenance - manual run
[thirdparty/squid.git] / src / auth / digest / UserRequest.cc
1 #include "squid.h"
2 #include "AccessLogEntry.h"
3 #include "auth/digest/auth_digest.h"
4 #include "auth/digest/User.h"
5 #include "auth/digest/UserRequest.h"
6 #include "auth/State.h"
7 #include "charset.h"
8 #include "format/Format.h"
9 #include "HttpHeaderTools.h"
10 #include "HttpReply.h"
11 #include "HttpRequest.h"
12 #include "MemBuf.h"
13 #include "SquidTime.h"
14
15 Auth::Digest::UserRequest::UserRequest() :
16 nonceb64(NULL),
17 cnonce(NULL),
18 realm(NULL),
19 pszPass(NULL),
20 algorithm(NULL),
21 pszMethod(NULL),
22 qop(NULL),
23 uri(NULL),
24 response(NULL),
25 nonce(NULL)
26 {
27 memset(nc, 0, sizeof(nc));
28 memset(&flags, 0, sizeof(flags));
29 }
30
31 /**
32 * Delete the digest request structure.
33 * Does NOT delete related AuthUser structures
34 */
35 Auth::Digest::UserRequest::~UserRequest()
36 {
37 assert(LockCount()==0);
38
39 safe_free(nonceb64);
40 safe_free(cnonce);
41 safe_free(realm);
42 safe_free(pszPass);
43 safe_free(algorithm);
44 safe_free(pszMethod);
45 safe_free(qop);
46 safe_free(uri);
47 safe_free(response);
48
49 if (nonce)
50 authDigestNonceUnlink(nonce);
51 }
52
53 int
54 Auth::Digest::UserRequest::authenticated() const
55 {
56 if (user() != NULL && user()->credentials() == Auth::Ok)
57 return 1;
58
59 return 0;
60 }
61
62 const char *
63 Auth::Digest::UserRequest::credentialsStr()
64 {
65 return realm;
66 }
67
68 /** log a digest user in
69 */
70 void
71 Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type)
72 {
73 HASHHEX SESSIONKEY;
74 HASHHEX HA2 = "";
75 HASHHEX Response;
76
77 /* if the check has corrupted the user, just return */
78 if (user() == NULL || user()->credentials() == Auth::Failed) {
79 return;
80 }
81
82 Auth::User::Pointer auth_user = user();
83
84 Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User*>(auth_user.getRaw());
85 assert(digest_user != NULL);
86
87 Auth::Digest::UserRequest *digest_request = this;
88
89 /* do we have the HA1 */
90 if (!digest_user->HA1created) {
91 auth_user->credentials(Auth::Pending);
92 return;
93 }
94
95 if (digest_request->nonce == NULL) {
96 /* this isn't a nonce we issued */
97 auth_user->credentials(Auth::Failed);
98 return;
99 }
100
101 DigestCalcHA1(digest_request->algorithm, NULL, NULL, NULL,
102 authenticateDigestNonceNonceb64(digest_request->nonce),
103 digest_request->cnonce,
104 digest_user->HA1, SESSIONKEY);
105 DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
106 digest_request->nc, digest_request->cnonce, digest_request->qop,
107 RequestMethodStr(request->method), digest_request->uri, HA2, Response);
108
109 debugs(29, 9, "\nResponse = '" << digest_request->response << "'\nsquid is = '" << Response << "'");
110
111 if (strcasecmp(digest_request->response, Response) != 0) {
112 if (!digest_request->flags.helper_queried) {
113 /* Query the helper in case the password has changed */
114 digest_request->flags.helper_queried = true;
115 auth_user->credentials(Auth::Pending);
116 return;
117 }
118
119 if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->PostWorkaround && request->method != Http::METHOD_GET) {
120 /* Ugly workaround for certain very broken browsers using the
121 * wrong method to calculate the request-digest on POST request.
122 * This should be deleted once Digest authentication becomes more
123 * widespread and such broken browsers no longer are commonly
124 * used.
125 */
126 DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
127 digest_request->nc, digest_request->cnonce, digest_request->qop,
128 RequestMethodStr(Http::METHOD_GET), digest_request->uri, HA2, Response);
129
130 if (strcasecmp(digest_request->response, Response)) {
131 auth_user->credentials(Auth::Failed);
132 digest_request->flags.invalid_password = true;
133 digest_request->setDenyMessage("Incorrect password");
134 return;
135 } else {
136 const char *useragent = request->header.getStr(HDR_USER_AGENT);
137
138 static Ip::Address last_broken_addr;
139 static int seen_broken_client = 0;
140
141 if (!seen_broken_client) {
142 last_broken_addr.setNoAddr();
143 seen_broken_client = 1;
144 }
145
146 if (last_broken_addr != request->client_addr) {
147 debugs(29, DBG_IMPORTANT, "Digest POST bug detected from " <<
148 request->client_addr << " using '" <<
149 (useragent ? useragent : "-") <<
150 "'. Please upgrade browser. See Bug #630 for details.");
151
152 last_broken_addr = request->client_addr;
153 }
154 }
155 } else {
156 auth_user->credentials(Auth::Failed);
157 digest_request->flags.invalid_password = true;
158 digest_request->setDenyMessage("Incorrect password");
159 return;
160 }
161 }
162
163 /* check for stale nonce */
164 if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
165 debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
166 auth_user->credentials(Auth::Failed);
167 digest_request->setDenyMessage("Stale nonce");
168 return;
169 }
170
171 auth_user->credentials(Auth::Ok);
172
173 /* password was checked and did match */
174 debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated OK");
175
176 /* auth_user is now linked, we reset these values
177 * after external auth occurs anyway */
178 auth_user->expiretime = current_time.tv_sec;
179 return;
180 }
181
182 Auth::Direction
183 Auth::Digest::UserRequest::module_direction()
184 {
185 if (user()->auth_type != Auth::AUTH_DIGEST)
186 return Auth::CRED_ERROR;
187
188 switch (user()->credentials()) {
189
190 case Auth::Ok:
191 return Auth::CRED_VALID;
192
193 case Auth::Failed:
194 /* send new challenge */
195 return Auth::CRED_CHALLENGE;
196
197 case Auth::Unchecked:
198 case Auth::Pending:
199 return Auth::CRED_LOOKUP;
200
201 default:
202 return Auth::CRED_ERROR;
203 }
204 }
205
206 void
207 Auth::Digest::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
208 {
209 http_hdr_type type;
210
211 /* don't add to authentication error pages */
212 if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
213 || (accel && rep->sline.status() == Http::scUnauthorized))
214 return;
215
216 type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
217
218 #if WAITING_FOR_TE
219 /* test for http/1.1 transfer chunked encoding */
220 if (chunkedtest)
221 return;
222 #endif
223
224 if ((static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
225 flags.authinfo_sent = true;
226 debugs(29, 9, HERE << "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
227 httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
228 }
229 }
230
231 #if WAITING_FOR_TE
232 void
233 Auth::Digest::UserRequest::addAuthenticationInfoTrailer(HttpReply * rep, int accel)
234 {
235 int type;
236
237 if (!auth_user_request)
238 return;
239
240 /* has the header already been send? */
241 if (flags.authinfo_sent)
242 return;
243
244 /* don't add to authentication error pages */
245 if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
246 || (accel && rep->sline.status() == Http::scUnauthorized))
247 return;
248
249 type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
250
251 if ((static_cast<Auth::Digest::Config*>(digestScheme::GetInstance()->getConfig())->authenticate) && authDigestNonceLastRequest(nonce)) {
252 debugs(29, 9, HERE << "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
253 httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
254 }
255 }
256 #endif
257
258 /* send the initial data to a digest authenticator module */
259 void
260 Auth::Digest::UserRequest::module_start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
261 {
262 char buf[8192];
263
264 assert(user() != NULL && user()->auth_type == Auth::AUTH_DIGEST);
265 debugs(29, 9, HERE << "'\"" << user()->username() << "\":\"" << realm << "\"'");
266
267 if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram == NULL) {
268 debugs(29, DBG_CRITICAL, "ERROR: No Digest authentication program configured.");
269 handler(data);
270 return;
271 }
272
273 const char *keyExtras = helperRequestKeyExtras(request, al);
274 if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->utf8) {
275 char userstr[1024];
276 latin1_to_utf8(userstr, sizeof(userstr), user()->username());
277 if (keyExtras)
278 snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", userstr, realm, keyExtras);
279 else
280 snprintf(buf, 8192, "\"%s\":\"%s\"\n", userstr, realm);
281 } else {
282 if (keyExtras)
283 snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", user()->username(), realm, keyExtras);
284 else
285 snprintf(buf, 8192, "\"%s\":\"%s\"\n", user()->username(), realm);
286 }
287
288 helperSubmit(digestauthenticators, buf, Auth::Digest::UserRequest::HandleReply,
289 new Auth::StateData(this, handler, data));
290 }
291
292 void
293 Auth::Digest::UserRequest::HandleReply(void *data, const HelperReply &reply)
294 {
295 Auth::StateData *replyData = static_cast<Auth::StateData *>(data);
296 debugs(29, 9, HERE << "reply=" << reply);
297
298 assert(replyData->auth_user_request != NULL);
299 Auth::UserRequest::Pointer auth_user_request = replyData->auth_user_request;
300
301 // add new helper kv-pair notes to the credentials object
302 // so that any transaction using those credentials can access them
303 auth_user_request->user()->notes.appendNewOnly(&reply.notes);
304
305 static bool oldHelperWarningDone = false;
306 switch (reply.result) {
307 case HelperReply::Unknown: {
308 // Squid 3.3 and older the digest helper only returns a HA1 hash (no "OK")
309 // the HA1 will be found in content() for these responses.
310 if (!oldHelperWarningDone) {
311 debugs(29, DBG_IMPORTANT, "WARNING: Digest auth helper returned old format HA1 response. It needs to be upgraded.");
312 oldHelperWarningDone=true;
313 }
314
315 /* allow this because the digest_request pointer is purely local */
316 Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
317 assert(digest_user != NULL);
318
319 CvtBin(reply.other().content(), digest_user->HA1);
320 digest_user->HA1created = 1;
321 }
322 break;
323
324 case HelperReply::Okay: {
325 /* allow this because the digest_request pointer is purely local */
326 Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
327 assert(digest_user != NULL);
328
329 const char *ha1Note = reply.notes.findFirst("ha1");
330 if (ha1Note != NULL) {
331 CvtBin(ha1Note, digest_user->HA1);
332 digest_user->HA1created = 1;
333 } else {
334 debugs(29, DBG_IMPORTANT, "ERROR: Digest auth helper did not produce a HA1. Using the wrong helper program? received: " << reply);
335 }
336 }
337 break;
338
339 case HelperReply::TT:
340 debugs(29, DBG_IMPORTANT, "ERROR: Digest auth does not support the result code received. Using the wrong helper program? received: " << reply);
341 // fall through to next case. Handle this as an ERR response.
342
343 case HelperReply::BrokenHelper:
344 // TODO retry the broken lookup on another helper?
345 // fall through to next case for now. Handle this as an ERR response silently.
346
347 case HelperReply::Error: {
348 /* allow this because the digest_request pointer is purely local */
349 Auth::Digest::UserRequest *digest_request = dynamic_cast<Auth::Digest::UserRequest *>(auth_user_request.getRaw());
350 assert(digest_request);
351
352 digest_request->user()->credentials(Auth::Failed);
353 digest_request->flags.invalid_password = true;
354
355 const char *msgNote = reply.notes.find("message");
356 if (msgNote != NULL) {
357 digest_request->setDenyMessage(msgNote);
358 } else if (reply.other().hasContent()) {
359 // old helpers did send ERR result but a bare message string instead of message= key name.
360 digest_request->setDenyMessage(reply.other().content());
361 if (!oldHelperWarningDone) {
362 debugs(29, DBG_IMPORTANT, "WARNING: Digest auth helper returned old format ERR response. It needs to be upgraded.");
363 oldHelperWarningDone=true;
364 }
365 }
366 }
367 break;
368 }
369
370 void *cbdata = NULL;
371 if (cbdataReferenceValidDone(replyData->data, &cbdata))
372 replyData->handler(cbdata);
373
374 delete replyData;
375 }
Mirror of https://github.com/squid-cache/squid.git