/*
- * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
#include "auth/digest/User.h"
#include "auth/digest/UserRequest.h"
#include "auth/State.h"
-#include "charset.h"
#include "format/Format.h"
#include "helper.h"
#include "helper/Reply.h"
#include "SquidTime.h"
Auth::Digest::UserRequest::UserRequest() :
- nonceb64(NULL),
+ noncehex(NULL),
cnonce(NULL),
realm(NULL),
pszPass(NULL),
{
assert(LockCount()==0);
- safe_free(nonceb64);
+ safe_free(noncehex);
safe_free(cnonce);
safe_free(realm);
safe_free(pszPass);
}
DigestCalcHA1(digest_request->algorithm, NULL, NULL, NULL,
- authenticateDigestNonceNonceb64(digest_request->nonce),
+ authenticateDigestNonceNonceHex(digest_request->nonce),
digest_request->cnonce,
digest_user->HA1, SESSIONKEY);
SBuf sTmp = request->method.image();
- DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
+ DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceHex(digest_request->nonce),
digest_request->nc, digest_request->cnonce, digest_request->qop,
sTmp.c_str(), digest_request->uri, HA2, Response);
return;
}
- if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->PostWorkaround && request->method != Http::METHOD_GET) {
+ if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->PostWorkaround && request->method != Http::METHOD_GET) {
/* Ugly workaround for certain very broken browsers using the
* wrong method to calculate the request-digest on POST request.
* This should be deleted once Digest authentication becomes more
* used.
*/
sTmp = HttpRequestMethod(Http::METHOD_GET).image();
- DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
+ DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceHex(digest_request->nonce),
digest_request->nc, digest_request->cnonce, digest_request->qop,
sTmp.c_str(), digest_request->uri, HA2, Response);
/* check Auth::Pending to avoid loop */
if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
- debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+ debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->noncehex);
/* Pending prevent banner and makes a ldap control */
auth_user->credentials(Auth::Pending);
nonce->flags.valid = false;
auth_user->credentials(Auth::Ok);
/* password was checked and did match */
- debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated OK");
-
- /* auth_user is now linked, we reset these values
- * after external auth occurs anyway */
- auth_user->expiretime = current_time.tv_sec;
- return;
+ debugs(29, 4, "user '" << auth_user->username() << "' validated OK");
}
Auth::Direction
return;
#endif
- if ((static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
+ if ((static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
flags.authinfo_sent = true;
Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(user().getRaw());
if (!digest_user)
nextnonce = authenticateDigestNonceNew();
authDigestUserLinkNonce(digest_user, nextnonce);
}
- debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nextnonce) << "\"");
- httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nextnonce));
+ debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceHex(nextnonce) << "\"");
+ httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceHex(nextnonce));
}
}
nonce = authenticateDigestNonceNew();
authDigestUserLinkNonce(digest_user, nonce);
}
- debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
- httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
+ debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceHex(nonce) << "\"");
+ httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceHex(nonce));
}
}
#endif
assert(user() != NULL && user()->auth_type == Auth::AUTH_DIGEST);
debugs(29, 9, HERE << "'\"" << user()->username() << "\":\"" << realm << "\"'");
- if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram == NULL) {
+ if (static_cast<Auth::Digest::Config*>(Auth::SchemeConfig::Find("digest"))->authenticateProgram == NULL) {
debugs(29, DBG_CRITICAL, "ERROR: No Digest authentication program configured.");
handler(data);
return;
}
const char *keyExtras = helperRequestKeyExtras(request, al);
- if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->utf8) {
- char userstr[1024];
- latin1_to_utf8(userstr, sizeof(userstr), user()->username());
- if (keyExtras)
- snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", userstr, realm, keyExtras);
- else
- snprintf(buf, 8192, "\"%s\":\"%s\"\n", userstr, realm);
- } else {
- if (keyExtras)
- snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", user()->username(), realm, keyExtras);
- else
- snprintf(buf, 8192, "\"%s\":\"%s\"\n", user()->username(), realm);
- }
+ if (keyExtras)
+ snprintf(buf, 8192, "\"%s\":\"%s\" %s\n", user()->username(), realm, keyExtras);
+ else
+ snprintf(buf, 8192, "\"%s\":\"%s\"\n", user()->username(), realm);
helperSubmit(digestauthenticators, buf, Auth::Digest::UserRequest::HandleReply,
new Auth::StateData(this, handler, data));
// add new helper kv-pair notes to the credentials object
// so that any transaction using those credentials can access them
- auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+ static const NotePairs::Names appendables = { SBuf("group"), SBuf("nonce"), SBuf("tag") };
+ auth_user_request->user()->notes.replaceOrAddOrAppend(&reply.notes, appendables);
// remove any private credentials detail which got added.
auth_user_request->user()->notes.remove("ha1");
Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
assert(digest_user != NULL);
- const char *ha1Note = reply.notes.findFirst("ha1");
- if (ha1Note != NULL) {
+ if (const char *ha1Note = reply.notes.findFirst("ha1")) {
CvtBin(ha1Note, digest_user->HA1);
digest_user->HA1created = 1;
} else {
digest_request->user()->credentials(Auth::Failed);
digest_request->flags.invalid_password = true;
- const char *msgNote = reply.notes.find("message");
- if (msgNote != NULL) {
- digest_request->setDenyMessage(msgNote);
+ SBuf msgNote;
+ if (reply.notes.find(msgNote, "message")) {
+ digest_request->setDenyMessage(msgNote.c_str());
} else if (reply.other().hasContent()) {
// old helpers did send ERR result but a bare message string instead of message= key name.
digest_request->setDenyMessage(reply.other().content());