From: robertc <> Date: Sun, 13 Jan 2002 08:08:43 +0000 (+0000) Subject: Digest rfc 2617 conformance fixes X-Git-Tag: SQUID_3_0_PRE1~1205 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d205783bb679417d45e9e9741d2fbb5f51f8cfad;p=thirdparty%2Fsquid.git Digest rfc 2617 conformance fixes --- diff --git a/src/acl.cc b/src/acl.cc index 03f6d844f5..07b4cfab86 100644 --- a/src/acl.cc +++ b/src/acl.cc @@ -1,6 +1,6 @@ /* - * $Id: acl.cc,v 1.270 2001/12/21 09:47:34 hno Exp $ + * $Id: acl.cc,v 1.271 2002/01/13 01:08:43 robertc Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -1206,7 +1206,6 @@ aclMatchProxyAuth(void *data, http_hdr_type headertype, squid_acl acltype) { /* checklist is used to register user name when identified, nothing else */ - /* General program flow in proxy_auth acls * 1. Consistency checks: are we getting sensible data * 2. Call the authenticate* functions to establish a authenticated user @@ -1669,7 +1668,6 @@ aclMatchAcl(acl * ae, aclCheck_t * checklist) fatal("Invalid response from match routine\n"); break; } - /* NOTREACHED */ #if SQUID_SNMP case ACL_SNMP_COMMUNITY: diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc index fc9bd17158..dc2d12ca33 100644 --- a/src/auth/digest/auth_digest.cc +++ b/src/auth/digest/auth_digest.cc @@ -1,6 +1,6 @@ /* - * $Id: auth_digest.cc,v 1.10 2001/10/24 05:26:14 hno Exp $ + * $Id: auth_digest.cc,v 1.11 2002/01/13 01:08:44 robertc Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Robert Collins 
@@ -338,12 +338,13 @@ authenticateDigestNonceFindNonce(const char *nonceb64) static int authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9]) { - int intnc; + unsigned long intnc; /* do we have a nonce ? */ if (!nonce) return 0; - intnc = atoi(nc); - if (intnc != nonce->nc + 1) { + intnc = strtol(nc, NULL, 16); + if ((digestConfig->NonceStrictness && intnc != nonce->nc + 1) || + intnc < nonce->nc + 1) { debug(29, 4) ("authDigestNonceIsValid: Nonce count doesn't match\n"); nonce->flags.valid = 0; return 0; @@ -354,6 +355,10 @@ authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9]) return 0; } /* seems ok */ + /* increment the nonce count - we've already checked that intnc is a + * valid representation for us, so we don't need the test here. + */ + nonce->nc = intnc; return -1; } @@ -393,7 +398,7 @@ authDigestNonceLastRequest(digest_nonce_h * nonce) debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to overflow\n"); return -1; } - if (nonce->nc == digestConfig->noncemaxuses - 1) { + if (nonce->nc >= digestConfig->noncemaxuses - 1) { debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to hit user limit\n"); return -1; } @@ -919,6 +924,8 @@ authDigestParse(authScheme * scheme, int n_configured, char *param_str) digestConfig->noncemaxduration = 30 * 60; /* 50 requests */ digestConfig->noncemaxuses = 50; + /* strict nonce count behaviour */ + digestConfig->NonceStrictness = 1; } digestConfig = scheme->scheme_data; if (strcasecmp(param_str, "program") == 0) { @@ -936,6 +943,8 @@ authDigestParse(authScheme * scheme, int n_configured, char *param_str) parse_time_t(&digestConfig->noncemaxduration); } else if (strcasecmp(param_str, "nonce_max_count") == 0) { parse_int(&digestConfig->noncemaxuses); + } else if (strcasecmp(param_str, "nonce_strictness") == 0) { + parse_onoff(&digestConfig->NonceStrictness); } else { debug(28, 0) ("unrecognised digest auth scheme parameter '%s'\n", param_str); } 
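Review bot: The client-supplied `nc` is converted with `strtol(nc, NULL, 16)` and stored in an `unsigned long` with no end-pointer or range check, so a leading minus sign or trailing non-hex characters are accepted silently. A negative result converts to a very large count, which passes the `intnc < nonce->nc + 1` test when `nonce_strictness` is off. The next hunk (`nonce->nc = intnc;`) then writes that value into the nonce, whose field type is not visible here and may be signed or narrower. I would parse with `strtoul`, require that the whole string is hex digits and that no range error occurred, and reject the request otherwise, as sketched below. The function's closing lines are in the following hunk.

```cpp
    unsigned long intnc;
    char *end = NULL;
    /* … unchanged: NULL-nonce check … */
    /* nc must be hex digits only: strtoul on its own accepts a sign and
     * stops silently at the first non-hex character */
    errno = 0;
    intnc = strtoul(nc, &end, 16);
    if (!isxdigit((unsigned char) nc[0]) || *end != '\0' || errno == ERANGE) {
	debug(29, 4) ("authDigestNonceIsValid: Nonce count is not a hex number\n");
	nonce->flags.valid = 0;
	return 0;
    }
    /* … unchanged: strictness / ordering comparison … */
```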
@@ -1104,17 +1113,19 @@ authenticateDigestDecodeAuth(auth_user_request_t * auth_user_request, const char /* white space */ while (xisspace(*p)) p++; - /* quote mark */ - p++; - digest_request->qop = xstrndup(p, strchr(p, '"') + 1 - p); + if (*p == '\"') + /* quote mark */ + p++; + digest_request->qop = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1); debug(29, 9) ("authDigestDecodeAuth: Found qop '%s'\n", digest_request->qop); } else if (!strncmp(item, "algorithm", ilen)) { /* white space */ while (xisspace(*p)) p++; - /* quote mark */ - p++; - digest_request->algorithm = xstrndup(p, strchr(p, '"') + 1 - p); + if (*p == '\"') + /* quote mark */ + p++; + digest_request->algorithm = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}")+1); debug(29, 9) ("authDigestDecodeAuth: Found algorithm '%s'\n", digest_request->algorithm); } else if (!strncmp(item, "uri", ilen)) { /* white space */ @@ -1193,12 +1204,11 @@ authenticateDigestDecodeAuth(auth_user_request_t * auth_user_request, const char return; } digest_request->nonce = nonce; - /* increment the nonce count */ - nonce->nc++; authDigestNonceLink(nonce); - /* check the qop is what we expected */ - if (digest_request->qop && strcmp(digest_request->qop, QOP_AUTH)) { + /* check the qop is what we expected. Note that for compatability with + * RFC 2069 we should support a missing qop. Tough. */ + if (!digest_request->qop || strcmp(digest_request->qop, QOP_AUTH)) { /* we recieved a qop option we didn't send */ debug(29, 4) ("authenticateDigestDecode: Invalid qop option recieved\n"); authDigestLogUsername(auth_user_request, username); 
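Review bot: The separator set `"\" \t\r\n()<>@,;:\\/[]?={}"` is written out twice, once in the qop branch and once in the algorithm branch, and the two copies already differ in spacing (`) + 1)` versus `)+1)`), so a later edit to one is easy to miss in the other. A single file-scope constant used by both calls, for example `static const char digestTokenSeparators[] = "\" \t\r\n()<>@,;:\\/[]?={}";`, would keep the two parsers in step. The `+ 1` presumably exists because xstrndup counts the terminator in its length argument; a short comment saying so would help, since the value is client-controlled and an off-by-one changes what is later compared against `QOP_AUTH` and `"MD5"`. The unbraced `if (*p == '\"')` with a comment between the condition and `p++` is easy to misread and would be clearer with braces. The enclosing function starts and ends outside the hunk.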
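Review bot: The rejection branch after `authDigestNonceLink(nonce)` now also runs when the client sent no qop at all, yet it still logs `Invalid qop option recieved` and keeps the comment about a qop option that was not sent. A client using the older RFC 2069 form therefore cannot be told apart in the log from one sending a bad value. A separate message for the missing case, for example `debug(29, 4) ("authenticateDigestDecode: qop missing, RFC 2069 style requests are not supported\n");`, would make these failures diagnosable. With `nonce->nc++` removed here, the count advances only inside authDigestNonceIsValid, which is outside this hunk; it is worth confirming that every path that accepts a request goes through it, otherwise a nonce count could be accepted twice. The enclosing function starts and ends outside the hunk.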
@@ -1254,8 +1264,9 @@ authenticateDigestDecodeAuth(auth_user_request_t * auth_user_request, const char return; } /* check the algorithm is present and supported */ - if (digest_request->algorithm - && strcmp(digest_request->algorithm, "MD5") + if (!digest_request->algorithm) + digest_request->algorithm = xstrndup ("MD5", 4); + else if (strcmp(digest_request->algorithm, "MD5") && strcmp(digest_request->algorithm, "MD5-sess")) { debug(29, 4) ("authenticateDigestDecode: invalid algorithm specified!\n"); authDigestLogUsername(auth_user_request, username); diff --git a/src/auth/digest/auth_digest.h b/src/auth/digest/auth_digest.h index 5fc0f31223..06816aa12b 100644 --- a/src/auth/digest/auth_digest.h +++ b/src/auth/digest/auth_digest.h @@ -82,6 +82,7 @@ struct _auth_digest_config { time_t nonceGCInterval; time_t noncemaxduration; int noncemaxuses; + int NonceStrictness; }; typedef struct _auth_digest_config auth_digest_config; diff --git a/src/cache_cf.cc b/src/cache_cf.cc index db831c2b2c..c91b9a405e 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -1,6 +1,6 @@ /* - * $Id: cache_cf.cc,v 1.397 2002/01/06 00:44:13 hno Exp $ + * $Id: cache_cf.cc,v 1.398 2002/01/13 01:08:43 robertc Exp $ * * DEBUG: section 3 Configuration File Parsing * AUTHOR: Harvest Derived @@ -1737,7 +1737,7 @@ dump_onoff(StoreEntry * entry, const char *name, int var) storeAppendPrintf(entry, "%s %s\n", name, var ? "on" : "off"); } -static void +void parse_onoff(int *var) { char *token = strtok(NULL, w_space); diff --git a/src/cf.data.pre b/src/cf.data.pre index fc70d19b62..54eacf82e7 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.246 2001/12/25 05:46:35 adrian Exp $ +# $Id: cf.data.pre,v 1.247 2002/01/13 01:08:43 robertc Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ 
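Review bot: `xstrndup ("MD5", 4)` hard-codes the buffer length next to the literal, and the same default is spelled again in the `strcmp` that follows; `xstrdup("MD5")` expresses the default without a count that has to be kept in sync. The new `if` / `else if` chain also mixes an unbraced arm with a braced one, so bracing both would make it harder to attach a statement to the wrong arm later. The function body continues outside the hunk.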
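Review bot: `NonceStrictness` is added to the config struct without a comment and with different capitalisation from its neighbours `noncemaxuses` and `noncemaxduration`, and the name alone does not say which value is the strict one. Going by the default set in authDigestParse and the comparison in authDigestNonceIsValid, I would document it on the field as `/* 1 (default): nc must be exactly previous + 1; 0: any larger nc is accepted */`. The struct definition starts outside the hunk.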
@@ -1315,6 +1315,11 @@ DOC_START "nonce_max_count" number Specifies the maximum number of times a given nonce can be used. + "nonce_strictness" on|off + Determines if squid requires increment-by-1 behaviour for nonce counts + (on - the default), or strictly incrementing (off - for use when useragents + generate nonce counts that occasionally miss 1 (ie, 1,2,4,6)). + === NTLM scheme options follow === "program" cmdline diff --git a/src/protos.h b/src/protos.h index 7729f9514e..dbdc1adac5 100644 --- a/src/protos.h +++ b/src/protos.h @@ -1,6 +1,6 @@ /* - * $Id: protos.h,v 1.422 2002/01/06 00:44:13 hno Exp $ + * $Id: protos.h,v 1.423 2002/01/13 01:08:44 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -94,6 +94,7 @@ extern int GetInteger(void); /* extra functions from cache_cf.c useful for lib modules */ extern void parse_int(int *var); +extern void parse_onoff(int *var); extern void parse_eol(char *volatile *var); extern void parse_wordlist(wordlist ** list); extern void requirePathnameExists(const char *name, const char *path);