Digest rfc 2617 conformance fixes

diff --git a/src/acl.cc b/src/acl.cc
index 03f6d844f52882b7700377365999b3f88871f8b5..07b4cfab863da4bdd2838b7a13ed045a1e1d6a15 100644 (file)
--- a/src/acl.cc
+++ b/src/acl.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: acl.cc,v 1.270 2001/12/21 09:47:34 hno Exp $
+ * $Id: acl.cc,v 1.271 2002/01/13 01:08:43 robertc Exp $
  *
  * DEBUG: section 28    Access Control
  * AUTHOR: Duane Wessels
@@ -1206,7 +1206,6 @@ aclMatchProxyAuth(void *data, http_hdr_type headertype,
     squid_acl acltype)
 {
     /* checklist is used to register user name when identified, nothing else */
-
     /* General program flow in proxy_auth acls
      * 1. Consistency checks: are we getting sensible data
      * 2. Call the authenticate* functions to establish a authenticated user
@@ -1669,7 +1668,6 @@ aclMatchAcl(acl * ae, aclCheck_t * checklist)
            fatal("Invalid response from match routine\n");
            break;
        }
-
        /* NOTREACHED */
 #if SQUID_SNMP
     case ACL_SNMP_COMMUNITY:

diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc
index fc9bd17158bdfad67dbb4d9a072ef2faf138df49..dc2d12ca3380c828b83323f892cf506e48f4c43f 100644 (file)
--- a/src/auth/digest/auth_digest.cc
+++ b/src/auth/digest/auth_digest.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: auth_digest.cc,v 1.10 2001/10/24 05:26:14 hno Exp $
+ * $Id: auth_digest.cc,v 1.11 2002/01/13 01:08:44 robertc Exp $
  *
  * DEBUG: section 29    Authenticator
  * AUTHOR: Robert Collins
@@ -338,12 +338,13 @@ authenticateDigestNonceFindNonce(const char *nonceb64)
 static int
 authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9])
 {
-    int intnc;
+    unsigned long intnc;
     /* do we have a nonce ? */
     if (!nonce)
        return 0;
-    intnc = atoi(nc);
-    if (intnc != nonce->nc + 1) {
+    intnc = strtol(nc, NULL, 16);
+    if ((digestConfig->NonceStrictness && intnc != nonce->nc + 1) ||
+       intnc < nonce->nc + 1) {
        debug(29, 4) ("authDigestNonceIsValid: Nonce count doesn't match\n");
        nonce->flags.valid = 0;
        return 0;
@@ -354,6 +355,10 @@ authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9])
        return 0;
     }
     /* seems ok */
+    /* increment the nonce count - we've already checked that intnc is a
+     *  valid representation for us, so we don't need the test here.
+     */
+    nonce->nc = intnc;
     return -1;
 }
 
@@ -393,7 +398,7 @@ authDigestNonceLastRequest(digest_nonce_h * nonce)
        debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to overflow\n");
        return -1;
     }
-    if (nonce->nc == digestConfig->noncemaxuses - 1) {
+    if (nonce->nc >= digestConfig->noncemaxuses - 1) {
        debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to hit user limit\n");
        return -1;
     }
@@ -919,6 +924,8 @@ authDigestParse(authScheme * scheme, int n_configured, char *param_str)
        digestConfig->noncemaxduration = 30 * 60;
        /* 50 requests */
        digestConfig->noncemaxuses = 50;
+       /* strict nonce count behaviour */
+       digestConfig->NonceStrictness = 1;
     }
     digestConfig = scheme->scheme_data;
     if (strcasecmp(param_str, "program") == 0) {
@@ -936,6 +943,8 @@ authDigestParse(authScheme * scheme, int n_configured, char *param_str)
        parse_time_t(&digestConfig->noncemaxduration);
     } else if (strcasecmp(param_str, "nonce_max_count") == 0) {
        parse_int(&digestConfig->noncemaxuses);
+    } else if (strcasecmp(param_str, "nonce_strictness") == 0) {
+        parse_onoff(&digestConfig->NonceStrictness);
     } else {
        debug(28, 0) ("unrecognised digest auth scheme parameter '%s'\n", param_str);
     }
@@ -1104,17 +1113,19 @@ authenticateDigestDecodeAuth(auth_user_request_t * auth_user_request, const char
            /* white space */
            while (xisspace(*p))
                p++;
-           /* quote mark */
-           p++;
-           digest_request->qop = xstrndup(p, strchr(p, '"') + 1 - p);
+           if (*p == '\"')
+               /* quote mark */
+               p++;
+           digest_request->qop = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1);
            debug(29, 9) ("authDigestDecodeAuth: Found qop '%s'\n", digest_request->qop);
        } else if (!strncmp(item, "algorithm", ilen)) {
            /* white space */
            while (xisspace(*p))
                p++;
-           /* quote mark */
-           p++;
-           digest_request->algorithm = xstrndup(p, strchr(p, '"') + 1 - p);
+           if (*p == '\"')
+               /* quote mark */
+               p++;
+           digest_request->algorithm = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}")+1);
            debug(29, 9) ("authDigestDecodeAuth: Found algorithm '%s'\n", digest_request->algorithm);
        } else if (!strncmp(item, "uri", ilen)) {
            /* white space */
@@ -1193,12 +1204,11 @@ authenticateDigestDecodeAuth(auth_user_request_t * auth_user_request, const char
        return;
     }
     digest_request->nonce = nonce;
-    /* increment the nonce count */
-    nonce->nc++;
     authDigestNonceLink(nonce);
 
-    /* check the qop is what we expected */
-    if (digest_request->qop && strcmp(digest_request->qop, QOP_AUTH)) {
+    /* check the qop is what we expected. Note that for compatability with 
+     * RFC 2069 we should support a missing qop. Tough. */
+    if (!digest_request->qop || strcmp(digest_request->qop, QOP_AUTH)) {
        /* we recieved a qop option we didn't send */
        debug(29, 4) ("authenticateDigestDecode: Invalid qop option recieved\n");
        authDigestLogUsername(auth_user_request, username);
@@ -1254,8 +1264,9 @@ authenticateDigestDecodeAuth(auth_user_request_t * auth_user_request, const char
        return;
     }
     /* check the algorithm is present and supported */
-    if (digest_request->algorithm
-       && strcmp(digest_request->algorithm, "MD5")
+    if (!digest_request->algorithm)
+        digest_request->algorithm = xstrndup ("MD5", 4);
+    else if (strcmp(digest_request->algorithm, "MD5")
        && strcmp(digest_request->algorithm, "MD5-sess")) {
        debug(29, 4) ("authenticateDigestDecode: invalid algorithm specified!\n");
        authDigestLogUsername(auth_user_request, username);

diff --git a/src/auth/digest/auth_digest.h b/src/auth/digest/auth_digest.h
index 5fc0f3122308d4c482483129d2c5a6d8bcc9ba03..06816aa12b9be294c3c77ce356bd2f24bd4d8544 100644 (file)
--- a/src/auth/digest/auth_digest.h
+++ b/src/auth/digest/auth_digest.h
@@ -82,6 +82,7 @@ struct _auth_digest_config {
     time_t nonceGCInterval;
     time_t noncemaxduration;
     int noncemaxuses;
+    int NonceStrictness;
 };
 
 typedef struct _auth_digest_config auth_digest_config;

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index db831c2b2cbda35d18193a8cc5b033028987ccbc..c91b9a405ead0a6bf8d49ff63c93cde87e8cd525 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: cache_cf.cc,v 1.397 2002/01/06 00:44:13 hno Exp $
+ * $Id: cache_cf.cc,v 1.398 2002/01/13 01:08:43 robertc Exp $
  *
  * DEBUG: section 3     Configuration File Parsing
  * AUTHOR: Harvest Derived
@@ -1737,7 +1737,7 @@ dump_onoff(StoreEntry * entry, const char *name, int var)
     storeAppendPrintf(entry, "%s %s\n", name, var ? "on" : "off");
 }
 
-static void
+void
 parse_onoff(int *var)
 {
     char *token = strtok(NULL, w_space);

diff --git a/src/cf.data.pre b/src/cf.data.pre
index fc70d19b62ccef53f917190efef6fb6711c2ace6..54eacf82e79ebe99d1421cd4a094e6f96b2b2e85 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1,6 +1,6 @@
 
 #
-# $Id: cf.data.pre,v 1.246 2001/12/25 05:46:35 adrian Exp $
+# $Id: cf.data.pre,v 1.247 2002/01/13 01:08:43 robertc Exp $
 #
 #
 # SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -1315,6 +1315,11 @@ DOC_START
        "nonce_max_count" number
        Specifies the maximum number of times a given nonce can be used.
 
+       "nonce_strictness" on|off
+       Determines if squid requires increment-by-1 behaviour for nonce counts 
+       (on - the default), or strictly incrementing (off - for use when useragents
+       generate nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
+
        === NTLM scheme options follow ===
 
        "program" cmdline

diff --git a/src/protos.h b/src/protos.h
index 7729f9514e60cbb8718f1a24f992e819acc2bfe7..dbdc1adac53a859be124afe0d45be9ca23705cd4 100644 (file)
--- a/src/protos.h
+++ b/src/protos.h
@@ -1,6 +1,6 @@
 
 /*
- * $Id: protos.h,v 1.422 2002/01/06 00:44:13 hno Exp $
+ * $Id: protos.h,v 1.423 2002/01/13 01:08:44 robertc Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -94,6 +94,7 @@ extern int GetInteger(void);
 
 /* extra functions from cache_cf.c useful for lib modules */
 extern void parse_int(int *var);
+extern void parse_onoff(int *var);
 extern void parse_eol(char *volatile *var);
 extern void parse_wordlist(wordlist ** list);
 extern void requirePathnameExists(const char *name, const char *path);