From: Christos Tsantilas
Date: Thu, 22 Dec 2011 07:22:38 +0000 (-0700)
Subject: Bug 2519: ssl_bump + Authentication (LDAP Digest) issues
X-Git-Tag: SQUID_3_2_0_15~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26b535d6a2452be025962d07b1ada82181704d75;p=thirdparty%2Fsquid.git

Bug 2519: ssl_bump + Authentication (LDAP Digest) issues

When the ssl_bump and authentication iare both enabled for an ssl-bumped port all SSL enabled websites prompt the user for authentication information once per FQDN. This patch inherits the authentication info from the CONNECT request to the sslbumped requests.
---
diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
index e061e8c638..4c0fdb5379 100644
--- a/src/acl/FilledChecklist.cc
+++ b/src/acl/FilledChecklist.cc
@@ -24,8 +24,9 @@ ACLFilledChecklist::checkCallback(allow_t answer)
     if (auth_user_request != NULL) {
         /* the filled_checklist lock */
         auth_user_request = NULL;
-        /* it might have been connection based */
-        if (conn()) {
+        // It might have been connection based
+        // In the case of sslBump we need to preserve authentication info
+        if (conn() && !conn()->switchedToHttps()) {
             conn()->auth_user_request = NULL;
         }
     }
diff --git a/src/auth/Acl.cc b/src/auth/Acl.cc
index 0974f94a79..aa8f5946fa 100644
--- a/src/auth/Acl.cc
+++ b/src/auth/Acl.cc
@@ -19,6 +19,13 @@ AuthenticateAcl(ACLChecklist *ch)
     if (NULL == request) {
         fatal ("requiresRequest SHOULD have been true for this ACL!!");
         return 0;
+    } else if (request->flags.sslBumped) {
+        debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
+        checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request;
+        if (checklist->auth_user_request != NULL)
+            return 1;
+        else
+            return 0;
     } else if (request->flags.accelerated) {
         /* WWW authorization on accelerated requests */
         headertype = HDR_AUTHORIZATION;
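Review bot: The replacement comment in checkCallback says the connection's credentials are preserved on a bumped connection but not what that means for their lifetime: with the `!conn()->switchedToHttps()` guard, `conn()->auth_user_request` is no longer released per checklist and presumably lives until the ConnStateData itself is torn down, so expiry or revalidation of the CONNECT-time credentials is never applied to later requests inside the same TLS session. I would make the comment state that trade-off, e.g. `// On a bumped connection keep the CONNECT credentials on the ConnStateData: every later request in the tunnel reuses them (see AuthenticateAcl) and they are released only with the connection`. checkCallback begins and ends outside the hunk.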
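Review bot: The new `sslBumped` branch in AuthenticateAcl returns 1 as soon as the inherited `auth_user_request` is non-NULL, without looking at the state of those credentials, whereas the regular path further down (outside the hunk) presumably runs the credential check before answering; if a CONNECT whose authentication ended failed or still pending can leave its request object on the connection, a bumped request would be treated as authenticated here. Assuming the 3.2 auth API, I would gate on the credential state, something like `return (checklist->auth_user_request != NULL && checklist->auth_user_request->user() != NULL && checklist->auth_user_request->user()->credentials() == Auth::Ok) ? 1 : 0;`, which also collapses the four-line `if`/`else` into one `return`. Whether a non-Ok request can reach the connection depends on what precedes sslBumpEstablish, which is not visible in this change.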
diff --git a/src/client_side.cc b/src/client_side.cc
index 4b3b6f5f79..8d90adfc57 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2547,6 +2547,12 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
     request->flags.sslBumped = conn->switchedToHttps();
     request->flags.ignore_cc = conn->port->ignore_cc;
     request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
+#if USE_AUTH
+    if (request->flags.sslBumped) {
+        if (conn->auth_user_request != NULL)
+            request->auth_user_request = conn->auth_user_request;
+    }
+#endif
     /** \par
      * If transparent or interception mode is working clone the transparent and interception flags
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 95934aaaa4..80cb800cfb 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -764,7 +764,10 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
     if (require_auth) {
 #if USE_AUTH
-        if (!http->flags.accel) {
+        if (http->request->flags.sslBumped) {
+            /*SSL Bumped request, authentication is not possible*/
+            status = HTTP_FORBIDDEN;
+        } else if (!http->flags.accel) {
             /* Proxy authorisation needed */
             status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
         } else {
@@ -1369,6 +1372,11 @@ ClientHttpRequest::sslBumpEstablish(comm_err_t errflag)
         return;
     }
+#if USE_AUTH
+    // Preserve authentication info for the ssl-bumped request
+    if (request->auth_user_request != NULL)
+        getConn()->auth_user_request = request->auth_user_request;
+#endif
     getConn()->switchToHttps(request->GetHost());
 }
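Review bot: The block added to clientProcessRequest nests two `if`s where a single condition reads better, and it carries no comment on why a bumped request is given the connection's credentials; the reason a maintainer needs is that the client inside the tunnel believes it is talking to the origin and so never sends Proxy-Authorization, leaving the CONNECT credentials as the only ones available. I would write `// A bumped client sees only the origin and never sends Proxy-Authorization; reuse the credentials the CONNECT left on the connection` followed by `if (request->flags.sslBumped && conn->auth_user_request != NULL) request->auth_user_request = conn->auth_user_request;`. AuthenticateAcl in src/auth/Acl.cc (same change) also falls back to `conn()->auth_user_request`, so one of the two copies looks redundant. clientProcessRequest continues on both sides of the hunk.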
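Review bot: In clientAccessCheckDone the new `sslBumped` branch turns a denied-but-requires-auth answer into a bare `HTTP_FORBIDDEN` with no trace of why, so an operator seeing 403s on bumped traffic gets no pointer back to the CONNECT-time authentication, and the one-line comment is too terse to explain it. I would expand it to `/* Bumped request: a 407 challenge cannot reach a client that believes it talks to the origin, so deny outright instead of challenging */` and precede the assignment with a `debugs(85, 3, ...)` line naming the bumped request and the reason. Failing closed here is the right call; this note is only about making it explainable. clientAccessCheckDone starts and ends outside the hunk.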
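Review bot: sslBumpEstablish is where `request->auth_user_request` is published onto the ConnStateData for every later request in the tunnel, so this assignment is the trust decision the rest of the change depends on, yet the comment only says "preserve"; it should state the precondition — that the CONNECT was already authorised with these credentials before the bump is established — which I cannot confirm from the hunk. Suggested: `// The CONNECT that opens this tunnel has already been authorised with these credentials; every bumped request on the connection inherits them (clientProcessRequest, AuthenticateAcl) and is never re-challenged`. If an unauthorised CONNECT can reach this point, the ordering should be verified before the assignment is kept, since it also overwrites whatever the connection already held. The start of sslBumpEstablish is outside the hunk.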