Re: Problem with digest authentification and credential backend

FredB <fredbmail@xxxxxxx> · Thu, 18 Dec 2014 15:38:33 +0100 (CET)

Patch for squid 3.5.0.3

| Tested with both nonce_count and nonce_max_duration, no problem. Do you known if it works with squid 3.5 ? 

Be careful chech_nonce_count is broken, you can see in your log that there are many unexpected 407, my advice is to set the value check_nonce_count to off
It's an old bug but fortunately it's transparent for users.

For me still two problems with digest:

1) chech_nonce_count -> but not annoying for me ...
2) smp aware -> http://bugs.squid-cache.org/show_bug.cgi?id=3517 because we can reduce the cpu load with smp


Amos, I can't post the patch in bugzilla: The function Bugzilla::Attachment->create requires a description argument, and that argument was not set 
I tried some different descriptions without more success (Firefox 34.0)

Regards,

Fred

http://numsys.eu
http://e2guardian.org
diff -aburN src/auth/digest/Config.cc ../squid-3.4.5-good/src/auth/digest/auth_digest.cc

--- src/auth/digest/Config.cc	2014-05-02 14:09:05.000000000 +0200
@@ -1038,12 +1038,7 @@
         debugs(29, 2, "Username for the nonce does not equal the username for the request");
         nonce = NULL;
     }
-    /* check for stale nonce */
-    if (authDigestNonceIsStale(nonce)) {
-        debugs(29, 3, "The received nonce is stale from " << username);
-        digest_request->setDenyMessage("Stale nonce");
-        nonce = NULL;
-    }
+
     if (!nonce) {
         /* we couldn't find a matching nonce! */
         debugs(29, 2, "Unexpected or invalid nonce received from " << username);
diff -aburN src/auth/digest/UserRequest.cc ../squid-3.4.5-good/src/auth/digest/UserRequest.cc
--- src/auth/digest/UserRequest.cc	2014-05-02 14:09:05.000000000 +0200
+++ ../squid-3.4.5-good/src/auth/digest/UserRequest.cc	2014-06-11 13:43:31.000000000 +0200
@@ -152,10 +152,15 @@
     }
 
     /* check for stale nonce */
-    if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
-        debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
-        auth_user->credentials(Auth::Handshake);
-        digest_request->setDenyMessage("Stale nonce");
+    /* And check for nonce expired */
+    /* check Auth::Pending to avoid loop */
+
+    if ((!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) || authDigestNonceIsStale(nonce)) && ( user()->credentials() != Auth::Pending )) {
+       debugs(29, 3, HERE << auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+       /* Pending prevent banner and makes a ldap control */
+       auth_user->credentials(Auth::Pending);
+       nonce->flags.valid = false;
+       authDigestNoncePurge(nonce);
         return;
     }
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




