--------------------- PatchSet 888
Date: 2000/12/04 12:36:10
Author: rbcollins
Branch: auth_rewrite
Tag: (none)
Log:
lifetime expiry for ntlm challenges
Members:
src/cf.data.pre:1.1.1.3.4.1.2.18.2.1->1.1.1.3.4.1.2.18.2.2
src/auth/ntlm/auth_ntlm.c:1.1.2.8->1.1.2.9
src/auth/ntlm/auth_ntlm.h:1.1.2.2->1.1.2.3
Index: squid/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v
retrieving revision 1.1.1.3.4.1.2.18.2.1
retrieving revision 1.1.1.3.4.1.2.18.2.2
diff -u -r1.1.1.3.4.1.2.18.2.1 -r1.1.1.3.4.1.2.18.2.2
--- squid/src/cf.data.pre 4 Dec 2000 12:22:11 -0000 1.1.1.3.4.1.2.18.2.1
+++ squid/src/cf.data.pre 4 Dec 2000 12:36:10 -0000 1.1.1.3.4.1.2.18.2.2
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.1 2000/12/04 12:22:11 rbcollins Exp $
+# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.2 2000/12/04 12:36:10 rbcollins Exp $
 #
 #
 # SQUID Internet Object Cache http://squid.nlanr.net/Squid/
@@ -1116,7 +1116,8 @@
 DOC_START
 The maximum number of times a challenge given by a ntlm authentication helper can be reused. Increasing this number increases your exposure to replay attacks
- on your network. See max_ntlm_challenge_lifetime for more information.
+ on your network. 0 means use the challenge only once. (disable challenge caching)
+ See max_ntlm_challenge_lifetime for more information.
 DOC_END
 NAME: max_ntlm_challenge_lifetime
Index: squid/src/auth/ntlm/auth_ntlm.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v
retrieving revision 1.1.2.8
retrieving revision 1.1.2.9
diff -u -r1.1.2.8 -r1.1.2.9
--- squid/src/auth/ntlm/auth_ntlm.c 4 Dec 2000 12:22:12 -0000 1.1.2.8
+++ squid/src/auth/ntlm/auth_ntlm.c 4 Dec 2000 12:36:10 -0000 1.1.2.9
@@ -141,6 +141,7 @@
 ntlmauthenticators->OnEmptyQueue=authenticateNTLMHelperServerOnEmpty;
 helperStatefulOpenServers(ntlmauthenticators);
 /* TODO: In here send the initial YR */
+ /* Think about this... currently we ask when the challenge is needed. Better?*/
 if (!ntlminit) {
 cachemgrRegister("ntlmauthenticator",
 "User NTLM Authenticator Stats",
@@ -257,7 +258,6 @@
 if (strncasecmp(reply, "CH ", 3) == 0) {
 #else
 if (strncasecmp(reply, "TT ", 3) == 0) {
- /* TODO: Here we update the challenge associated with the helper */
 #endif
 reply += 3;
 /* we have been given a Challenge */
@@ -270,6 +270,8 @@
 helperstate=helperStatefulServerGetData(lastserver);
 if (helperstate == NULL) fatal ("lost NTLm helper state! quitting\n");
 helperstate->challenge=xstrndup(reply, NTLM_CHALLENGE_SZ+5);
+ helperstate->challengeuses=0;
+ helperstate->renewed=squid_curtime;
 /* and we satisfy the request that happended on the refresh boundary */
 #endif
 /* note this code is now in two places FIXME */
@@ -407,6 +409,7 @@
 /* this is needed because we have to starve the helper until all old
 * requests have been satisfied */
 if (helperstate->challengeuses>Config.ntlmchallengeuses) return 1;
+ if (helperstate->renewed+Config.ntlmchallengelifetime>=squid_curtime) return 1;
 /* TODO: check the lifetime */
 return 0;
 }
@@ -569,6 +572,7 @@
 debug(29,6)("authenticateNTLMHelperServerOnEmpty: resetting challenge details\n");
 statedata->starve=0;
 statedata->challengeuses=0;
+ statedata->renewed=0;
 xfree(statedata->challenge);
 statedata->challenge=NULL;
 }
Index: squid/src/auth/ntlm/auth_ntlm.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.h,v
retrieving revision 1.1.2.2
retrieving revision 1.1.2.3
diff -u -r1.1.2.2 -r1.1.2.3
--- squid/src/auth/ntlm/auth_ntlm.h 4 Dec 2000 12:22:12 -0000 1.1.2.2
+++ squid/src/auth/ntlm/auth_ntlm.h 4 Dec 2000 12:36:11 -0000 1.1.2.3
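Review bot: The lifetime test added in the @@ -407 hunk appears to be inverted relative to the uses check directly above it: that check returns 1 when the challenge has been handed out more than ntlmchallengeuses times (i.e. the helper must be starved and a fresh challenge fetched), whereas the new line returns 1 while `renewed + ntlmchallengelifetime >= squid_curtime`, which is true for a challenge still inside its lifetime and false once it has aged out. If 1 does mean "renew", as the adjacent line suggests, an aged challenge keeps being reused (bounded only by the use count) and a fresh one is discarded, which defeats the replay exposure that max_ntlm_challenge_lifetime is documented to bound; the line should read `if (helperstate->renewed + Config.ntlmchallengelifetime <= squid_curtime) return 1;`, or, to avoid time_t overflow with a large configured lifetime, `if (squid_curtime - helperstate->renewed >= Config.ntlmchallengelifetime) return 1;`. With that orientation the `renewed=0` reset in the @@ -569 hunk also reads correctly as "expired, fetch a new challenge" for a helper whose challenge was just freed. The `/* TODO: check the lifetime */` comment on the following line is now stale and should be removed, and the enclosing function begins outside the hunk, so the meaning of its return value is inferred only from the uses check.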
@@ -10,6 +10,7 @@
 char *challenge; /* the challenge to use with this helper */
 int starve; /* 0= normal operation. 1=don't hand out any more challenges */
 int challengeuses; /* the number of times this challenge has been issued */
+ time_t renewed;
 };
 typedef struct _ntlm_helper_state_t ntlm_helper_state_t;
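Review bot: The new `time_t renewed;` member is the only field in this struct without a trailing comment, while the three fields above it each state their meaning and units. The auth_ntlm.c hunks assign it `squid_curtime` when a challenge arrives from the helper and `0` when the challenge is freed, so the declaration should say so: `time_t renewed; /* squid_curtime when the current challenge was received from the helper; 0 when there is no challenge */`. Documenting the 0 sentinel matters because the lifetime comparison in auth_ntlm.c relies on it. The struct's opening line is outside the hunk.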