From: Frederic Bourgeois
Date: Mon, 19 Jan 2015 16:42:41 +0000 (-0800)
Subject: Bug 4066: Digest auth nonce indefinite rollover
X-Git-Tag: SQUID_3_4_12~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60041c976c1c50f02d09fac7b8f38660390bd4cb;p=thirdparty%2Fsquid.git
Bug 4066: Digest auth nonce indefinite rollover
---
diff --git a/src/auth/digest/UserRequest.cc b/src/auth/digest/UserRequest.cc
index 9107d739f6..011f10941e 100644
--- a/src/auth/digest/UserRequest.cc
+++ b/src/auth/digest/UserRequest.cc
@@ -152,10 +152,14 @@ Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData * c
 }
 /* check for stale nonce */
- if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
- debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
- auth_user->credentials(Auth::Handshake);
- digest_request->setDenyMessage("Stale nonce");
+ /* check Auth::Pending to avoid loop */
+ if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
+ debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+ /* Pending prevent banner and makes a ldap control */
+ auth_user->credentials(Auth::Pending);
+ nonce->flags.valid = false;
+ authDigestNoncePurge(nonce);
 return;
 }
diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc
index 7cc32766d7..610f547175 100644
--- a/src/auth/digest/auth_digest.cc
+++ b/src/auth/digest/auth_digest.cc
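Review bot: The `&& user()->credentials() != Auth::Pending` clause on the new `if` means a request whose nonce fails `authDigestNonceIsValid()` is no longer rejected once the user is already in Pending state; if the code after this block (outside the hunk) goes on to accept the credentials, a second request presenting the same stale or rolled-over nonce during the Pending window is accepted with it, so that tail needs checking and the stale path should probably still `return` even when Pending. The body also dereferences `nonce` on the `nonce->flags.valid = false;` line while the condition only tested `digest_request->nonce`; `nonce` is declared before the hunk, and if it can be null or differ from `digest_request->nonce` here a `nonce &&` guard belongs in the condition. The new debugs() call drops the leading `"user '" <<` of the message it replaces, leaving a stray `'` after the username; `debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);` restores it. Mixing `user()->credentials()` in the condition with `auth_user->credentials(...)` in the body reads as two different objects; using `auth_user` for both is clearer. authenticate() begins and ends outside the hunk.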
@@ -1038,12 +1038,7 @@ Auth::Digest::Config::decode(char const *proxy_auth)
 debugs(29, 2, "Username for the nonce does not equal the username for the request");
 nonce = NULL;
 }
- /* check for stale nonce */
- if (authDigestNonceIsStale(nonce)) {
- debugs(29, 3, "The received nonce is stale from " << username);
- digest_request->setDenyMessage("Stale nonce");
- nonce = NULL;
- }
+
 if (!nonce) {
 /* we couldn't find a matching nonce! */
 debugs(29, 2, "Unexpected or invalid nonce received from " << username);
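Review bot: With the staleness test removed from decode(), a stale nonce now passes through this function and is only caught later in UserRequest::authenticate(), but nothing at this spot says so; a reader of the surviving `if (!nonce)` block will assume staleness is still handled here. A comment on the added blank line such as `/* staleness is checked in UserRequest::authenticate(); only a missing nonce is rejected here */` would record where the check moved. If this was the only caller of `authDigestNonceIsStale()` in the file, that function is now unused and should be removed or its remaining callers noted. decode() begins and ends outside the hunk.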