--------------------- PatchSet 3486 Date: 2001/12/23 10:28:45 Author: rbcollins Branch: auth_rewrite Tag: (none) Log: Fix parsing of the request nonce count; add an option to allow strictly incrementing (as opposed to monotonically incrementing) nonce counts Members: src/cf.data.pre:1.1.1.3.4.1.2.18.2.33->1.1.1.3.4.1.2.18.2.34 src/auth/digest/auth_digest.c:1.1.20.8->1.1.20.9 src/auth/digest/auth_digest.h:1.1.20.5->1.1.20.6 Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.1.1.3.4.1.2.18.2.33 retrieving revision 1.1.1.3.4.1.2.18.2.34 diff -u -r1.1.1.3.4.1.2.18.2.33 -r1.1.1.3.4.1.2.18.2.34 --- squid/src/cf.data.pre 23 Dec 2001 09:10:17 -0000 1.1.1.3.4.1.2.18.2.33 +++ squid/src/cf.data.pre 23 Dec 2001 10:28:45 -0000 1.1.1.3.4.1.2.18.2.34 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.33 2001/12/23 09:10:17 rbcollins Exp $ +# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.34 2001/12/23 10:28:45 rbcollins Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -1315,6 +1315,11 @@ "nonce_max_count" number Specifies the maximum number of times a given nonce can be used. + "nonce_strictness" on|off + Determines if squid requires increment-by-1 behaviour for nonce counts + (on - the default), or strictly incrementing (off - for use when useragents + generate nonce counts that occasionally miss 1 (ie, 1,2,4,6)). + === NTLM scheme options follow === "program" cmdline Index: squid/src/auth/digest/auth_digest.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/digest/auth_digest.c,v retrieving revision 1.1.20.8 retrieving revision 1.1.20.9 diff -u -r1.1.20.8 -r1.1.20.9 --- squid/src/auth/digest/auth_digest.c 28 Nov 2001 06:47:19 -0000 1.1.20.8 +++ squid/src/auth/digest/auth_digest.c 23 Dec 2001 10:28:45 -0000 1.1.20.9 
@@ -338,12 +338,16 @@ static int authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9]) { - int intnc; + unsigned long intnc; /* do we have a nonce ? */ if (!nonce) return 0; - intnc = atoi(nc); - if (intnc != nonce->nc + 1) { + intnc = strtol(nc, NULL, 16); + /* increment the nonce count */ + + nonce->nc++; + if ((digestConfig->NonceStrictness && intnc != nonce->nc + 1) || + intnc <= nonce->nc + 1) { debug(29, 4) ("authDigestNonceIsValid: Nonce count doesn't match\n"); nonce->flags.valid = 0; return 0; @@ -354,6 +358,10 @@ return 0; } /* seems ok */ + /* increment the nonce count - we've already checked that intnc is a + * valid representation for us, so we don't need the test here. + */ + nonce->nc = intnc; return -1; } @@ -393,7 +401,7 @@ debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to overflow\n"); return -1; } - if (nonce->nc == digestConfig->noncemaxuses - 1) { + if (nonce->nc >= digestConfig->noncemaxuses - 1) { debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to hit user limit\n"); return -1; } @@ -919,6 +927,8 @@ digestConfig->noncemaxduration = 30 * 60; /* 50 requests */ digestConfig->noncemaxuses = 50; + /* strict nonce count behaviour */ + digestConfig->NonceStrictness = 1; } digestConfig = scheme->scheme_data; if (strcasecmp(param_str, "program") == 0) { @@ -936,6 +946,8 @@ parse_time_t(&digestConfig->noncemaxduration); } else if (strcasecmp(param_str, "nonce_max_count") == 0) { parse_int(&digestConfig->noncemaxuses); + } else if (strcasecmp(param_str, "nonce_strictness") == 0) { + parse_onoff(&digestConfig->NonceStrictness); } else { debug(28, 0) ("unrecognised digest auth scheme parameter '%s'\n", param_str); } 
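Review bot: In authDigestNonceIsValid the new second clause `intnc <= nonce->nc + 1` is also true for the exact next count, so with NonceStrictness on every value fails either the `!=` or the `<=` test, and with it off only counts that skip ahead pass. The added `nonce->nc++` ahead of the test shifts the expected value by one more and alters the stored count even when the request is then rejected. Separately, `strtol(nc, NULL, 16)` has no end pointer and its signed result lands in an `unsigned long`, so non-hex text parses as 0 and a leading minus sign becomes a very large count. The sketch below parses with strtoul, refuses input that does not start with a hex digit or end at the terminator, drops the pre-increment and uses `<`. The function body runs past this hunk and the hunk is collapsed on the page, so check this reading against the file.

```c
    char *end;
    unsigned long intnc;
    /* … unchanged: null-nonce check … */
    /* nc must start with a hex digit and end at the terminator;
     * strtoul by itself also takes a sign, leading blanks and
     * trailing text */
    if (!isxdigit((unsigned char) nc[0]))
	return 0;
    intnc = strtoul(nc, &end, 16);
    if (*end != '\0')
	return 0;
    /* compare against the stored count without touching it; it is
     * updated only once the request has been accepted */
    if ((digestConfig->NonceStrictness && intnc != nonce->nc + 1) ||
	intnc < nonce->nc + 1) {
    /* … unchanged: debug message, invalidate nonce, return 0 … */
```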
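Review bot: The added `nonce->nc = intnc;` stores a client-supplied `unsigned long` in `nonce->nc`, and the comment's claim that the value is already validated covers only its relation to the previous count. The declaration of `nc` is not in this diff; if it is a signed int, a large count sent with nonce_strictness off would come out negative after the store and would then not trip the `>=` limit test in authDigestNoncelastRequest. A bound before the store would close that, for example `if (intnc > (unsigned long) digestConfig->noncemaxuses) { nonce->flags.valid = 0; return 0; }`. The comment also still says "increment" although the line now assigns the client's value.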
@@ -1193,8 +1205,6 @@ return; } digest_request->nonce = nonce; - /* increment the nonce count */ - nonce->nc++; authDigestNonceLink(nonce); /* check the qop is what we expected */ Index: squid/src/auth/digest/auth_digest.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/digest/auth_digest.h,v retrieving revision 1.1.20.5 retrieving revision 1.1.20.6 diff -u -r1.1.20.5 -r1.1.20.6 --- squid/src/auth/digest/auth_digest.h 28 Nov 2001 06:47:19 -0000 1.1.20.5 +++ squid/src/auth/digest/auth_digest.h 23 Dec 2001 10:28:45 -0000 1.1.20.6 @@ -82,6 +82,7 @@ time_t nonceGCInterval; time_t noncemaxduration; int noncemaxuses; + int NonceStrictness; }; typedef struct _auth_digest_config auth_digest_config;
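Review bot: The new field `NonceStrictness` in struct _auth_digest_config is the only mixed-case member next to `noncemaxuses` and `noncemaxduration`, and it carries no comment saying which value means what. I would name it in the same lower-case style as its neighbours, or at least document it in place: `int NonceStrictness;	/* 1: nc must be exactly previous + 1; 0: any higher nc is accepted */`. Because this flag relaxes a replay check, the header is the place a maintainer will look for that meaning. The struct starts outside this hunk.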