Patch for squid 3.5.0.3
| Tested with both nonce_count and nonce_max_duration, no problem. Do you know if it works with squid 3.5?
Be careful, check_nonce_count is broken: you can see in your log that there are many unexpected 407s. My advice is to set the value check_nonce_count to off.
It's an old bug but fortunately it's transparent for users.
For me still two problems with digest:
1) check_nonce_count -> but not annoying for me ...
2) smp aware -> http://bugs.squid-cache.org/show_bug.cgi?id=3517 because we can reduce the cpu load with smp
Amos, I can't post the patch in bugzilla: The function Bugzilla::Attachment->create requires a description argument, and that argument was not set
I tried some different descriptions without more success (Firefox 34.0)
Regards,
Fred
http://numsys.eu
http://e2guardian.org
diff -aburN src/auth/digest/Config.cc ../squid-3.4.5-good/src/auth/digest/auth_digest.cc
--- src/auth/digest/Config.cc 2014-05-02 14:09:05.000000000 +0200
@@ -1038,12 +1038,7 @@
debugs(29, 2, "Username for the nonce does not equal the username for the request");
nonce = NULL;
}
- /* check for stale nonce */
- if (authDigestNonceIsStale(nonce)) {
- debugs(29, 3, "The received nonce is stale from " << username);
- digest_request->setDenyMessage("Stale nonce");
- nonce = NULL;
- }
+
if (!nonce) {
/* we couldn't find a matching nonce! */
debugs(29, 2, "Unexpected or invalid nonce received from " << username);
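Review bot: With the authDigestNonceIsStale(nonce) block removed here, a stale nonce now passes this decode step whenever the username matches, and rejection depends entirely on the check added in UserRequest.cc; a one-line comment at this spot saying so would keep a later reader from re-adding or missing the check. The file header also needs attention: the diff line compares src/auth/digest/Config.cc against auth_digest.cc in a squid-3.4.5-good tree and there is no +++ line, so the hunk should be regenerated against the 3.5.0.3 source named in the subject before it is applied.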
diff -aburN src/auth/digest/UserRequest.cc ../squid-3.4.5-good/src/auth/digest/UserRequest.cc
--- src/auth/digest/UserRequest.cc 2014-05-02 14:09:05.000000000 +0200
+++ ../squid-3.4.5-good/src/auth/digest/UserRequest.cc 2014-06-11 13:43:31.000000000 +0200
@@ -152,10 +152,15 @@
}
/* check for stale nonce */
- if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
- debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
- auth_user->credentials(Auth::Handshake);
- digest_request->setDenyMessage("Stale nonce");
+ /* And check for nonce expired */
+ /* check Auth::Pending to avoid loop */
+
+ if ((!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) || authDigestNonceIsStale(nonce)) && ( user()->credentials() != Auth::Pending )) {
+ debugs(29, 3, HERE << auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+ /* Pending prevent banner and makes a ldap control */
+ auth_user->credentials(Auth::Pending);
+ nonce->flags.valid = false;
+ authDigestNoncePurge(nonce);
return;
}
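Review bot: The new condition and the two lines after it use a bare nonce (authDigestNonceIsStale(nonce), nonce->flags.valid = false, authDigestNoncePurge(nonce)) while the surrounding code addresses it as digest_request->nonce, and no local nonce is declared in the visible context; please use digest_request->nonce or show the declaration, and confirm that purging is safe while digest_request still references the nonce. The same line mixes user()->credentials() with auth_user->credentials(...), which should be one accessor. The removed digest_request->setDenyMessage("Stale nonce") has no replacement, so the stale case no longer records a deny reason, and the new debugs() string keeps the closing ' after the username but drops the opening "user '" text.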