PageRenderTime 52ms CodeModel.GetById 25ms RepoModel.GetById 0ms app.codeStats 0ms

/src/auth/digest/UserRequest.cc

https://github.com/dkurochkin/squid
C++ | 315 lines | 228 code | 59 blank | 28 comment | 71 complexity | 6f9f8df889348434bfa556d322937846 MD5 | raw file
    

  1. #include "config.h"
    2. 

  2. #include "auth/digest/auth_digest.h"
    3. 

  3. #include "auth/digest/User.h"
    4. 

  4. #include "auth/digest/UserRequest.h"
    5. 

  5. #include "auth/State.h"
    6. 

  6. #include "charset.h"
    7. 

  7. #include "HttpReply.h"
    8. 

  8. #include "HttpRequest.h"
    9. 

  9. #include "SquidTime.h"
    10. 

  10. 

  11. AuthDigestUserRequest::AuthDigestUserRequest() :
    12. 

  12.         nonceb64(NULL),
    13. 

  13.         cnonce(NULL),
    14. 

  14.         realm(NULL),
    15. 

  15.         pszPass(NULL),
    16. 

  16.         algorithm(NULL),
    17. 

  17.         pszMethod(NULL),
    18. 

  18.         qop(NULL),
    19. 

  19.         uri(NULL),
    20. 

  20.         response(NULL),
    21. 

  21.         nonce(NULL)
    22. 

  22. {}
    23. 

  23. 

  24. /**
    25. 

  25.  * Delete the digest request structure.
    26. 

  26.  * Does NOT delete related AuthUser structures
    27. 

  27.  */
    28. 

  28. AuthDigestUserRequest::~AuthDigestUserRequest()
    29. 

  29. {
    30. 

  30.     assert(RefCountCount()==0);
    31. 

  31. 

  32.     safe_free(nonceb64);
    33. 

  33.     safe_free(cnonce);
    34. 

  34.     safe_free(realm);
    35. 

  35.     safe_free(pszPass);
    36. 

  36.     safe_free(algorithm);
    37. 

  37.     safe_free(pszMethod);
    38. 

  38.     safe_free(qop);
    39. 

  39.     safe_free(uri);
    40. 

  40.     safe_free(response);
    41. 

  41. 

  42.     if (nonce)
    43. 

  43.         authDigestNonceUnlink(nonce);
    44. 

  44. }
    45. 

  45. 

  46. int
    47. 

  47. AuthDigestUserRequest::authenticated() const
    48. 

  48. {
    49. 

  49.     if (user() != NULL && user()->credentials() == Auth::Ok)
    50. 

  50.         return 1;
    51. 

  51. 

  52.     return 0;
    53. 

  53. }
    54. 

  54. 

  55. /** log a digest user in
    56. 

  56.  */
    57. 

  57. void
    58. 

  58. AuthDigestUserRequest::authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type)
    59. 

  59. {
    60. 

  60.     HASHHEX SESSIONKEY;
    61. 

  61.     HASHHEX HA2 = "";
    62. 

  62.     HASHHEX Response;
    63. 

  63. 

  64.     /* if the check has corrupted the user, just return */
    65. 

  65.     if (user() == NULL || user()->credentials() == Auth::Failed) {
    66. 

  66.         return;
    67. 

  67.     }
    68. 

  68. 

  69.     Auth::User::Pointer auth_user = user();
    70. 

  70. 

  71.     Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User*>(auth_user.getRaw());
    72. 

  72.     assert(digest_user != NULL);
    73. 

  73. 

  74.     AuthDigestUserRequest *digest_request = this;
    75. 

  75. 

  76.     /* do we have the HA1 */
    77. 

  77.     if (!digest_user->HA1created) {
    78. 

  78.         auth_user->credentials(Auth::Pending);
    79. 

  79.         return;
    80. 

  80.     }
    81. 

  81. 

  82.     if (digest_request->nonce == NULL) {
    83. 

  83.         /* this isn't a nonce we issued */
    84. 

  84.         auth_user->credentials(Auth::Failed);
    85. 

  85.         return;
    86. 

  86.     }
    87. 

  87. 

  88.     DigestCalcHA1(digest_request->algorithm, NULL, NULL, NULL,
    89. 

  89.                   authenticateDigestNonceNonceb64(digest_request->nonce),
    90. 

  90.                   digest_request->cnonce,
    91. 

  91.                   digest_user->HA1, SESSIONKEY);
    92. 

  92.     DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
    93. 

  93.                        digest_request->nc, digest_request->cnonce, digest_request->qop,
    94. 

  94.                        RequestMethodStr(request->method), digest_request->uri, HA2, Response);
    95. 

  95. 

  96.     debugs(29, 9, "\nResponse = '" << digest_request->response << "'\nsquid is = '" << Response << "'");
    97. 

  97. 

  98.     if (strcasecmp(digest_request->response, Response) != 0) {
    99. 

  99.         if (!digest_request->flags.helper_queried) {
    100. 

  100.             /* Query the helper in case the password has changed */
    101. 

  101.             digest_request->flags.helper_queried = 1;
    102. 

  102.             auth_user->credentials(Auth::Pending);
    103. 

  103.             return;
    104. 

  104.         }
    105. 

  105. 

  106.         if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->PostWorkaround && request->method != METHOD_GET) {
    107. 

  107.             /* Ugly workaround for certain very broken browsers using the
    108. 

  108.              * wrong method to calculate the request-digest on POST request.
    109. 

  109.              * This should be deleted once Digest authentication becomes more
    110. 

  110.              * widespread and such broken browsers no longer are commonly
    111. 

  111.              * used.
    112. 

  112.              */
    113. 

  113.             DigestCalcResponse(SESSIONKEY, authenticateDigestNonceNonceb64(digest_request->nonce),
    114. 

  114.                                digest_request->nc, digest_request->cnonce, digest_request->qop,
    115. 

  115.                                RequestMethodStr(METHOD_GET), digest_request->uri, HA2, Response);
    116. 

  116. 

  117.             if (strcasecmp(digest_request->response, Response)) {
    118. 

  118.                 auth_user->credentials(Auth::Failed);
    119. 

  119.                 digest_request->flags.invalid_password = 1;
    120. 

  120.                 digest_request->setDenyMessage("Incorrect password");
    121. 

  121.                 return;
    122. 

  122.             } else {
    123. 

  123.                 const char *useragent = request->header.getStr(HDR_USER_AGENT);
    124. 

  124. 

  125.                 static Ip::Address last_broken_addr;
    126. 

  126.                 static int seen_broken_client = 0;
    127. 

  127. 

  128.                 if (!seen_broken_client) {
    129. 

  129.                     last_broken_addr.SetNoAddr();
    130. 

  130.                     seen_broken_client = 1;
    131. 

  131.                 }
    132. 

  132. 

  133.                 if (last_broken_addr != request->client_addr) {
    134. 

  134.                     debugs(29, 1, "\nDigest POST bug detected from " <<
    135. 

  135.                            request->client_addr << " using '" <<
    136. 

  136.                            (useragent ? useragent : "-") <<
    137. 

  137.                            "'. Please upgrade browser. See Bug #630 for details.");
    138. 

  138. 

  139.                     last_broken_addr = request->client_addr;
    140. 

  140.                 }
    141. 

  141.             }
    142. 

  142.         } else {
    143. 

  143.             auth_user->credentials(Auth::Failed);
    144. 

  144.             digest_request->flags.invalid_password = 1;
    145. 

  145.             digest_request->setDenyMessage("Incorrect password");
    146. 

  146.             return;
    147. 

  147.         }
    148. 

  148. 

  149.         /* check for stale nonce */
    150. 

  150.         if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
    151. 

  151.             debugs(29, 3, "authenticateDigestAuthenticateuser: user '" << auth_user->username() << "' validated OK but nonce stale");
    152. 

  152.             auth_user->credentials(Auth::Failed);
    153. 

  153.             digest_request->setDenyMessage("Stale nonce");
    154. 

  154.             return;
    155. 

  155.         }
    156. 

  156.     }
    157. 

  157. 

  158.     auth_user->credentials(Auth::Ok);
    159. 

  159. 

  160.     /* password was checked and did match */
    161. 

  161.     debugs(29, 4, "authenticateDigestAuthenticateuser: user '" << auth_user->username() << "' validated OK");
    162. 

  162. 

  163.     /* auth_user is now linked, we reset these values
    164. 

  164.      * after external auth occurs anyway */
    165. 

  165.     auth_user->expiretime = current_time.tv_sec;
    166. 

  166.     return;
    167. 

  167. }
    168. 

  168. 

  169. Auth::Direction
    170. 

  170. AuthDigestUserRequest::module_direction()
    171. 

  171. {
    172. 

  172.     if (user()->auth_type != Auth::AUTH_DIGEST)
    173. 

  173.         return Auth::CRED_ERROR;
    174. 

  174. 

  175.     switch (user()->credentials()) {
    176. 

  176. 

  177.     case Auth::Ok:
    178. 

  178.         return Auth::CRED_VALID;
    179. 

  179. 

  180.     case Auth::Failed:
    181. 

  181.         /* send new challenge */
    182. 

  182.         return Auth::CRED_CHALLENGE;
    183. 

  183. 

  184.     case Auth::Unchecked:
    185. 

  185.     case Auth::Pending:
    186. 

  186.         return Auth::CRED_LOOKUP;
    187. 

  187. 

  188.     default:
    189. 

  189.         return Auth::CRED_ERROR;
    190. 

  190.     }
    191. 

  191. }
    192. 

  192. 

  193. void
    194. 

  194. AuthDigestUserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
    195. 

  195. {
    196. 

  196.     http_hdr_type type;
    197. 

  197. 

  198.     /* don't add to authentication error pages */
    199. 

  199. 

  200.     if ((!accel && rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED)
    201. 

  201.             || (accel && rep->sline.status == HTTP_UNAUTHORIZED))
    202. 

  202.         return;
    203. 

  203. 

  204.     type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
    205. 

  205. 

  206. #if WAITING_FOR_TE
    207. 

  207.     /* test for http/1.1 transfer chunked encoding */
    208. 

  208.     if (chunkedtest)
    209. 

  209.         return;
    210. 

  210. #endif
    211. 

  211. 

  212.     if ((static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
    213. 

  213.         flags.authinfo_sent = 1;
    214. 

  214.         debugs(29, 9, "authDigestAddHead: Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
    215. 

  215.         httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
    216. 

  216.     }
    217. 

  217. }
    218. 

  218. 

  219. #if WAITING_FOR_TE
    220. 

  220. void
    221. 

  221. AuthDigestUserRequest::addAuthenticationInfoTrailer(HttpReply * rep, int accel)
    222. 

  222. {
    223. 

  223.     int type;
    224. 

  224. 

  225.     if (!auth_user_request)
    226. 

  226.         return;
    227. 

  227. 

  228.     /* has the header already been send? */
    229. 

  229.     if (flags.authinfo_sent)
    230. 

  230.         return;
    231. 

  231. 

  232.     /* don't add to authentication error pages */
    233. 

  233.     if ((!accel && rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED)
    234. 

  234.             || (accel && rep->sline.status == HTTP_UNAUTHORIZED))
    235. 

  235.         return;
    236. 

  236. 

  237.     type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
    238. 

  238. 

  239.     if ((static_cast<Auth::Digest::Config*>(digestScheme::GetInstance()->getConfig())->authenticate) && authDigestNonceLastRequest(nonce)) {
    240. 

  240.         debugs(29, 9, "authDigestAddTrailer: Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
    241. 

  241.         httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
    242. 

  242.     }
    243. 

  243. }
    244. 

  244. #endif
    245. 

  245. 

  246. /* send the initial data to a digest authenticator module */
    247. 

  247. void
    248. 

  248. AuthDigestUserRequest::module_start(RH * handler, void *data)
    249. 

  249. {
    250. 

  250.     char buf[8192];
    251. 

  251. 

  252.     assert(user() != NULL && user()->auth_type == Auth::AUTH_DIGEST);
    253. 

  253.     debugs(29, 9, "authenticateStart: '\"" << user()->username() << "\":\"" << realm << "\"'");
    254. 

  254. 

  255.     if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram == NULL) {
    256. 

  256.         debugs(29, DBG_CRITICAL, "ERROR: No Digest authentication program configured.");
    257. 

  257.         handler(data, NULL);
    258. 

  258.         return;
    259. 

  259.     }
    260. 

  260. 

  261.     if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->utf8) {
    262. 

  262.         char userstr[1024];
    263. 

  263.         latin1_to_utf8(userstr, sizeof(userstr), user()->username());
    264. 

  264.         snprintf(buf, 8192, "\"%s\":\"%s\"\n", userstr, realm);
    265. 

  265.     } else {
    266. 

  266.         snprintf(buf, 8192, "\"%s\":\"%s\"\n", user()->username(), realm);
    267. 

  267.     }
    268. 

  268. 

  269.     helperSubmit(digestauthenticators, buf, AuthDigestUserRequest::HandleReply,
    270. 

  270.                  new Auth::StateData(this, handler, data));
    271. 

  271. }
    272. 

  272. 

  273. void
    274. 

  274. AuthDigestUserRequest::HandleReply(void *data, char *reply)
    275. 

  275. {
    276. 

  276.     Auth::StateData *replyData = static_cast<Auth::StateData *>(data);
    277. 

  277.     char *t = NULL;
    278. 

  278.     void *cbdata;
    279. 

  279.     debugs(29, 9, HERE << "{" << (reply ? reply : "<NULL>") << "}");
    280. 

  280. 

  281.     if (reply) {
    282. 

  282.         if ((t = strchr(reply, ' ')))
    283. 

  283.             *t++ = '\0';
    284. 

  284. 

  285.         if (*reply == '\0' || *reply == '\n')
    286. 

  286.             reply = NULL;
    287. 

  287.     }
    288. 

  288. 

  289.     assert(replyData->auth_user_request != NULL);
    290. 

  290.     AuthUserRequest::Pointer auth_user_request = replyData->auth_user_request;
    291. 

  291. 

  292.     if (reply && (strncasecmp(reply, "ERR", 3) == 0)) {
    293. 

  293.         /* allow this because the digest_request pointer is purely local */
    294. 

  294.         AuthDigestUserRequest *digest_request = dynamic_cast<AuthDigestUserRequest *>(auth_user_request.getRaw());
    295. 

  295.         assert(digest_request);
    296. 

  296. 

  297.         digest_request->user()->credentials(Auth::Failed);
    298. 

  298.         digest_request->flags.invalid_password = 1;
    299. 

  299. 

  300.         if (t && *t)
    301. 

  301.             digest_request->setDenyMessage(t);
    302. 

  302.     } else if (reply) {
    303. 

  303.         /* allow this because the digest_request pointer is purely local */
    304. 

  304.         Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(auth_user_request->user().getRaw());
    305. 

  305.         assert(digest_user != NULL);
    306. 

  306. 

  307.         CvtBin(reply, digest_user->HA1);
    308. 

  308.         digest_user->HA1created = 1;
    309. 

  309.     }
    310. 

  310. 

  311.     if (cbdataReferenceValidDone(replyData->data, &cbdata))
    312. 

  312.         replyData->handler(cbdata, NULL);
    313. 

  313. 

  314.     delete replyData;
    315. 

  315. }
    316. 

  316.