--------------------- PatchSet 928 Date: 2000/12/15 16:19:17 Author: rbcollins Branch: auth_digest Tag: (none) Log: and a helper Members: include/rfc2617.h:1.1->1.1.2.1 lib/Makefile.in:1.1.1.2.10.2.2.3->1.1.1.2.10.2.2.3.2.1 lib/rfc2617.c:1.1->1.1.2.1 src/cf.data.pre:1.1.1.3.4.1.2.18.2.4->1.1.1.3.4.1.2.18.2.4.2.1 src/structs.h:1.1.1.3.4.1.2.26.2.12->1.1.1.3.4.1.2.26.2.12.2.1 src/auth/basic/auth_basic.c:1.1.2.6->1.1.2.6.2.1 src/auth/digest/auth_digest.c:1.1.2.2->1.1.2.3 --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/include/rfc2617.h Wed Feb 14 00:47:16 2007 
@@ -0,0 +1,42 @@
+#ifndef __RFC6217__
+#define __RFC2617__
+
+#include "md5.h"
+
+#define HASHLEN 16
+typedef char HASH[HASHLEN];
+#define HASHHEXLEN 32
+typedef char HASHHEX[HASHHEXLEN+1];
+#define IN
+#define OUT
+
+/* calculate H(A1) as per HTTP Digest spec */
+void DigestCalcHA1(
+ IN char * pszAlg,
+ IN char * pszUserName,
+ IN char * pszRealm,
+ IN char * pszPassword,
+ IN char * pszNonce,
+ IN char * pszCNonce,
+ OUT HASHHEX SessionKey
+ );
+
+/* calculate request-digest/response-digest as per HTTP Digest spec */
+void DigestCalcResponse(
+ IN HASHHEX HA1, /* H(A1) */
+ IN char * pszNonce, /* nonce from server */
+ IN char * pszNonceCount, /* 8 hex digits */
+ IN char * pszCNonce, /* client nonce */
+ IN char * pszQop, /* qop-value: "", "auth", "auth-int" */
+ IN char * pszMethod, /* method from the request */
+ IN char * pszDigestUri, /* requested URL */
+ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
+ OUT HASHHEX Response /* request-digest or response-digest */
+ );
+
+void CvtHex(
+ IN HASH Bin,
+ OUT HASHHEX Hex
+ );
+
+#endif /* RFC 2617 */
Index: squid/lib/Makefile.in
===================================================================
RCS file: /cvsroot/squid-sf//squid/lib/Attic/Makefile.in,v
retrieving revision 1.1.1.2.10.2.2.3
retrieving revision 1.1.1.2.10.2.2.3.2.1
diff -u -r1.1.1.2.10.2.2.3 -r1.1.1.2.10.2.2.3.2.1
--- squid/lib/Makefile.in 14 Dec 2000 11:21:33 -0000 1.1.1.2.10.2.2.3
+++ squid/lib/Makefile.in 15 Dec 2000 16:19:18 -0000 1.1.1.2.10.2.2.3.2.1
@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.in,v 1.1.1.2.10.2.2.3 2000/12/14 11:21:33 rbcollins Exp $
+# $Id: Makefile.in,v 1.1.1.2.10.2.2.3.2.1 2000/12/15 16:19:18 rbcollins Exp $
 #
 prefix = @prefix@
 top_srcdir = @top_srcdir@
@@ -24,6 +24,7 @@
 UTILOBJS = rfc1123.o \
 rfc1738.o \
 rfc1035.o \
+ rfc2617.o \
 util.o \
 getfullhostname.o \
 base64.o \
--- /dev/null Wed Feb 14 00:45:56 2007
+++ squid/lib/rfc2617.c Wed Feb 14 00:47:16 2007
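Review bot: The include guard in rfc2617.h is broken: the `#ifndef` tests `__RFC6217__` (digits transposed) while the `#define` sets `__RFC2617__`, so the guard never takes effect and any translation unit that sees the header twice gets duplicate `HASH`/`HASHHEX` typedefs, which C89/C99 reject. Both lines need the same token, and because identifiers beginning with a double underscore are reserved for the implementation, a plain name such as `#ifndef SQUID_RFC2617_H` / `#define SQUID_RFC2617_H` is the safer fix. The `IN`/`OUT` macros expand to nothing; a one-line comment stating that they are documentation-only parameter-direction markers would save the next reader a search.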
@@ -0,0 +1,111 @@
+#include "config.h"
+#include
+#include "rfc2617.h"
+
+void CvtHex(
+ IN HASH Bin,
+ OUT HASHHEX Hex
+ )
+{
+ unsigned short i;
+ unsigned char j;
+
+ for (i = 0; i < HASHLEN; i++) {
+ j = (Bin[i] >> 4) & 0xf;
+ if (j <= 9)
+ Hex[i*2] = (j + '0');
+ else
+ Hex[i*2] = (j + 'a' - 10);
+ j = Bin[i] & 0xf;
+ if (j <= 9)
+ Hex[i*2+1] = (j + '0');
+ else
+ Hex[i*2+1] = (j + 'a' - 10);
+ };
+ Hex[HASHHEXLEN] = '\0';
+};
+
+
+/* calculate H(A1) as per spec */
+void DigestCalcHA1(
+ IN char * pszAlg,
+ IN char * pszUserName,
+ IN char * pszRealm,
+ IN char * pszPassword,
+ IN char * pszNonce,
+ IN char * pszCNonce,
+ OUT HASHHEX SessionKey
+ )
+{
+ MD5_CTX Md5Ctx;
+ HASH HA1;
+
+ MD5Init(&Md5Ctx);
+ MD5Update(&Md5Ctx, pszUserName, strlen(pszUserName));
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszRealm, strlen(pszRealm));
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszPassword, strlen(pszPassword));
+ MD5Final(HA1, &Md5Ctx);
+ if (stricmp(pszAlg, "md5-sess") == 0) {
+ MD5Init(&Md5Ctx);
+ MD5Update(&Md5Ctx, HA1, HASHLEN);
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
+ MD5Final(HA1, &Md5Ctx);
+ };
+ CvtHex(HA1, SessionKey);
+};
+
+/* calculate request-digest/response-digest as per HTTP Digest spec */
+void DigestCalcResponse(
+ IN HASHHEX HA1, /* H(A1) */
+ IN char * pszNonce, /* nonce from server */
+ IN char * pszNonceCount, /* 8 hex digits */
+ IN char * pszCNonce, /* client nonce */
+ IN char * pszQop, /* qop-value: "", "auth", "auth-int" */
+ IN char * pszMethod, /* method from the request */
+ IN char * pszDigestUri, /* requested URL */
+ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
+ OUT HASHHEX Response /* request-digest or response-digest */
+ )
+{
+ MD5_CTX Md5Ctx;
+ HASH HA2;
+ HASH RespHash;
+ HASHHEX HA2Hex;
+
+ // calculate H(A2)
+ MD5Init(&Md5Ctx);
+ MD5Update(&Md5Ctx, pszMethod, 
strlen(pszMethod));
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri));
+ if (stricmp(pszQop, "auth-int") == 0) {
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, HEntity, HASHHEXLEN);
+ };
+ MD5Final(HA2, &Md5Ctx);
+ CvtHex(HA2, HA2Hex);
+
+ // calculate response
+ MD5Init(&Md5Ctx);
+ MD5Update(&Md5Ctx, HA1, HASHHEXLEN);
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
+ MD5Update(&Md5Ctx, ":", 1);
+ if (*pszQop) {
+ MD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount));
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
+ MD5Update(&Md5Ctx, ":", 1);
+ MD5Update(&Md5Ctx, pszQop, strlen(pszQop));
+ MD5Update(&Md5Ctx, ":", 1);
+ };
+ MD5Update(&Md5Ctx, HA2Hex, HASHHEXLEN);
+ MD5Final(RespHash, &Md5Ctx);
+ CvtHex(RespHash, Response);
+};
+
+
Index: squid/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v
retrieving revision 1.1.1.3.4.1.2.18.2.4
retrieving revision 1.1.1.3.4.1.2.18.2.4.2.1
diff -u -r1.1.1.3.4.1.2.18.2.4 -r1.1.1.3.4.1.2.18.2.4.2.1
--- squid/src/cf.data.pre 13 Dec 2000 01:23:30 -0000 1.1.1.3.4.1.2.18.2.4
+++ squid/src/cf.data.pre 15 Dec 2000 16:19:18 -0000 1.1.1.3.4.1.2.18.2.4.2.1
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.4 2000/12/13 01:23:30 rbcollins Exp $
+# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.4.2.1 2000/12/15 16:19:18 rbcollins Exp $
 #
 #
 # SQUID Internet Object Cache http://squid.nlanr.net/Squid/
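Review bot: `DigestCalcHA1` dereferences `pszAlg` unconditionally via `stricmp(pszAlg, "md5-sess")`, and `DigestCalcResponse` does the same with `*pszQop`, `stricmp(pszQop, "auth-int")` and `strlen(pszCNonce)`, but nothing in the new header says callers must pass `""` rather than `NULL` for the `algorithm`, `qop` and `cnonce` fields that RFC 2617 lets a client omit, so a parser that hands a missing field straight through would crash the proxy on attacker-chosen input. Either guard the optional fields (`if (pszAlg && stricmp(pszAlg, "md5-sess") == 0)` and likewise for `pszQop`) or state the non-NULL contract in rfc2617.h so the caller owns that check. `stricmp` is not a C or POSIX function (it is the MSVC spelling); unless a compatibility macro exists elsewhere in the tree, POSIX `strcasecmp` is the portable choice. The `};` after each function body and `if` block is a stray empty statement, and the `//` comments in `DigestCalcResponse` are not valid C89 if the tree is still built that way; the file's own `/* ... */` style should be used throughout.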
@@ -1089,6 +1089,33 @@
 are sent.
 DOC_END
+NAME: authenticate_program_digest
+TYPE: wordlist
+LOC: Config.Program.digestauthenticate
+DEFAULT: none
+DOC_START
+ Specify the command for the external digest authenticator. Such a
+ program reads a line containing the uuencoded NEGOTIATE and replies
+ with the ntlm CHALLENGE, then waits for the response and answers with
+ "OK" or "ERR" in an endless loop. If you use an ntlm authenticator,
+ make sure you have 1 acl of type proxy_auth. By default, the
+ ntlm authenticator_program is not used.
+
+ authenticate_program_digest @DEFAULT_PREFIX@/bin/ntlm_auth
+DOC_END
+
+NAME: authenticate_children_digest
+TYPE: int
+DEFAULT: 5
+LOC: Config.digestauthenticateChildren
+DOC_START
+ The number of ntlm authenticator processes to spawn (default 5). If you
+ start too few Squid will have to wait for them to process a backlog
+ of usercode/password verifications, slowing it down. When password
+ verifications are done via a (slow) network you are likely to need
+ lots of ntlm authenticator processes.
+DOC_END
+
 NAME: authenticate_program_ntlm
 TYPE: wordlist
 LOC: Config.Program.ntlmauthenticate
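Review bot: The DOC_START text for the new `authenticate_program_digest` and `authenticate_children_digest` entries was copied from the NTLM options and still describes the NTLM helper protocol (`uuencoded NEGOTIATE`, `ntlm CHALLENGE`, "ntlm authenticator processes") and points the example at `@DEFAULT_PREFIX@/bin/ntlm_auth`, so the generated squid.conf will tell administrators to wire the Digest scheme to an NTLM helper. Rewrite both blocks to describe what a digest helper reads and answers per line and name a digest helper in the example; the helper protocol is not visible in this diff, so I cannot propose exact wording, but at minimum the `ntlm_auth` example line and the NEGOTIATE/CHALLENGE sentences should go.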
@@ -1869,13 +1896,23 @@
 NAME: proxy_auth_realm
 TYPE: eol
 DEFAULT: Squid proxy-caching web server
-LOC: Config.proxyAuthRealm
+LOC: Config.basicAuthRealm
 DOC_START
 Specifies the realm name which is to be reported to the client for
 proxy authentication (part of the text the user will see when
 prompted their username and password).
 DOC_END
+NAME: digest_auth_realm
+TYPE: eol
+DEFAULT: Squid proxy-caching web server
+LOC: Config.digestAuthRealm
+DOC_START
+ Specifies the realm name which is to be reported to the client for
+ proxy authentication (part of the text the user will see when
+ prompted their username and password).
+DOC_END
+
 NAME: ident_lookup_access
 TYPE: acl_access
Index: squid/src/structs.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/structs.h,v
retrieving revision 1.1.1.3.4.1.2.26.2.12
retrieving revision 1.1.1.3.4.1.2.26.2.12.2.1
diff -u -r1.1.1.3.4.1.2.26.2.12 -r1.1.1.3.4.1.2.26.2.12.2.1
--- squid/src/structs.h 13 Dec 2000 01:23:31 -0000 1.1.1.3.4.1.2.26.2.12
+++ squid/src/structs.h 15 Dec 2000 16:19:18 -0000 1.1.1.3.4.1.2.26.2.12.2.1
@@ -1,6 +1,6 @@
 /*
- * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.12 2000/12/13 01:23:31 rbcollins Exp $
+ * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.12.2.1 2000/12/15 16:19:18 rbcollins Exp $
 *
 *
 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
@@ -370,7 +370,9 @@
 #endif
 wordlist *redirect;
 wordlist *authenticate;
+ wordlist *digestauthenticate;
 wordlist *ntlmauthenticate;
+
 #if USE_ICMP
 char *pinger;
 #endif
@@ -386,6 +388,7 @@
 time_t authenticateGCInterval;
 time_t authenticateTTL;
 time_t authenticateIpTTL;
+ int digestauthenticateChildren;
 int ntlmauthenticateChildren;
 int ntlmchallengeuses;
 time_t ntlmchallengelifetime;
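Review bot: The DOC_START for `digest_auth_realm` is a verbatim copy of the Basic realm text and leaves out the one property that matters for Digest: the realm is hashed into H(A1) (`DigestCalcHA1` in lib/rfc2617.c in this same patch feeds `pszRealm` into the MD5 of user:realm:password), so it has to match the realm under which the helper's credentials were stored or every login fails. Suggest appending `For digest the realm is part of the password hash, so it must match the realm used when the credentials were created; changing it invalidates existing credentials.` to that block.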
@@ -511,7 +514,8 @@
 acl_access *redirector;
 } accessList;
 acl_deny_info_list *denyInfoList;
- char *proxyAuthRealm;
+ char *basicAuthRealm;
+ char *digestAuthRealm;
 struct {
 size_t list_width;
 int list_wrap;
Index: squid/src/auth/basic/auth_basic.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/basic/auth_basic.c,v
retrieving revision 1.1.2.6
retrieving revision 1.1.2.6.2.1
diff -u -r1.1.2.6 -r1.1.2.6.2.1
--- squid/src/auth/basic/auth_basic.c 11 Dec 2000 23:32:15 -0000 1.1.2.6
+++ squid/src/auth/basic/auth_basic.c 15 Dec 2000 16:19:19 -0000 1.1.2.6.2.1
@@ -213,8 +213,8 @@
 void authenticateBasicFixErrorHeader(auth_user_t *auth_user, HttpReply *rep, http_hdr_type type, request_t * request){
 if (Config.Program.authenticate){
- debug(29, 5) ("authenticateFixErrorHeader: Sending type:%d header: 'Basic realm=\"%s\"'\n",type,Config.proxyAuthRealm);
- httpHeaderPutStrf(&rep->header, type, "Basic realm=\"%s\"", Config.proxyAuthRealm);
+ debug(29, 5) ("authenticateFixErrorHeader: Sending type:%d header: 'Basic realm=\"%s\"'\n",type,Config.basicAuthRealm);
+ httpHeaderPutStrf(&rep->header, type, "Basic realm=\"%s\"", Config.basicAuthRealm);
 }
 }
Index: squid/src/auth/digest/auth_digest.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/digest/auth_digest.c,v
retrieving revision 1.1.2.2
retrieving revision 1.1.2.3
diff -u -r1.1.2.2 -r1.1.2.3
--- squid/src/auth/digest/auth_digest.c 15 Dec 2000 05:06:23 -0000 1.1.2.2
+++ squid/src/auth/digest/auth_digest.c 15 Dec 2000 16:19:19 -0000 1.1.2.3
@@ -40,7 +40,7 @@
 #include "squid.h"
 #include "auth_digest.h"
-#include "md5.h"
+#include "rfc2617.h"
 static void authenticateStateFree(authenticateStateData * r)
@@ -76,143 +76,6 @@ * */ -#define HASHLEN 16 -typedef char HASH[HASHLEN]; -#define HASHHEXLEN 32 -typedef char HASHHEX[HASHHEXLEN+1]; -#define IN -#define OUT - -/* calculate H(A1) as per HTTP Digest spec */ -void DigestCalcHA1( - IN char * pszAlg, - IN char * pszUserName, - IN char * pszRealm, - IN char * pszPassword, - IN char * pszNonce, - IN char * pszCNonce, - OUT HASHHEX SessionKey - ); - -/* calculate request-digest/response-digest as per HTTP Digest spec */ -void DigestCalcResponse( - IN HASHHEX HA1, /* H(A1) */ - IN char * pszNonce, /* nonce from server */ - IN char * pszNonceCount, /* 8 hex digits */ - IN char * pszCNonce, /* client nonce */ - IN char * pszQop, /* qop-value: "", "auth", "auth-int" */ - IN char * pszMethod, /* method from the request */ - IN char * pszDigestUri, /* requested URL */ - IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */ - OUT HASHHEX Response /* request-digest or response-digest */ - ); - - -void CvtHex( - IN HASH Bin, - OUT HASHHEX Hex - ) -{ - unsigned short i; - unsigned char j; - - for (i = 0; i < HASHLEN; i++) { - j = (Bin[i] >> 4) & 0xf; - if (j <= 9) - Hex[i*2] = (j + '0'); - else - Hex[i*2] = (j + 'a' - 10); - j = Bin[i] & 0xf; - if (j <= 9) - Hex[i*2+1] = (j + '0'); - else - Hex[i*2+1] = (j + 'a' - 10); - }; - Hex[HASHHEXLEN] = '\0'; -}; - -/* calculate H(A1) as per spec */ -void DigestCalcHA1( - IN char * pszAlg, - IN char * pszUserName, - IN char * pszRealm, - IN char * pszPassword, - IN char * pszNonce, - IN char * pszCNonce, - OUT HASHHEX SessionKey - ) -{ - MD5_CTX Md5Ctx; - HASH HA1; - - MD5Init(&Md5Ctx); - MD5Update(&Md5Ctx, pszUserName, strlen(pszUserName)); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, pszRealm, strlen(pszRealm)); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, pszPassword, strlen(pszPassword)); - MD5Final(HA1, &Md5Ctx); - if (stricmp(pszAlg, "md5-sess") == 0) { - MD5Init(&Md5Ctx); - MD5Update(&Md5Ctx, HA1, HASHLEN); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, 
pszNonce, strlen(pszNonce)); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce)); - MD5Final(HA1, &Md5Ctx); - }; - CvtHex(HA1, SessionKey); -}; - -/* calculate request-digest/response-digest as per HTTP Digest spec */ -void DigestCalcResponse( - IN HASHHEX HA1, /* H(A1) */ - IN char * pszNonce, /* nonce from server */ - IN char * pszNonceCount, /* 8 hex digits */ - IN char * pszCNonce, /* client nonce */ - IN char * pszQop, /* qop-value: "", "auth", "auth-int" */ - IN char * pszMethod, /* method from the request */ - IN char * pszDigestUri, /* requested URL */ - IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */ - OUT HASHHEX Response /* request-digest or response-digest */ - ) -{ - MD5_CTX Md5Ctx; - HASH HA2; - HASH RespHash; - HASHHEX HA2Hex; - - // calculate H(A2) - MD5Init(&Md5Ctx); - MD5Update(&Md5Ctx, pszMethod, strlen(pszMethod)); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri)); - if (stricmp(pszQop, "auth-int") == 0) { - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, HEntity, HASHHEXLEN); - }; - MD5Final(HA2, &Md5Ctx); - CvtHex(HA2, HA2Hex); - - // calculate response - MD5Init(&Md5Ctx); - MD5Update(&Md5Ctx, HA1, HASHHEXLEN); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce)); - MD5Update(&Md5Ctx, ":", 1); - if (*pszQop) { - MD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount)); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce)); - MD5Update(&Md5Ctx, ":", 1); - MD5Update(&Md5Ctx, pszQop, strlen(pszQop)); - MD5Update(&Md5Ctx, ":", 1); - }; - MD5Update(&Md5Ctx, HA2Hex, HASHHEXLEN); - MD5Final(RespHash, &Md5Ctx); - CvtHex(RespHash, Response); -}; - digest_nonce_ptr * authenticateDigestNonceCreate() { 
@@ -276,7 +139,7 @@
 // authscheme->parsefunc = storeUfsDirParse;
 // authscheme->reconfigurefunc = storeUfsDirReconfigure;
 authscheme->Active =authenticateDigestActive;
- if (Config.Program.authenticate){
+ if (Config.Program.digestauthenticate){
 authscheme->authAuthenticate = authenticateDigestAuthenticateUser;
 authscheme->authFixErrorHeader=authenticateDigestFixErrorHeader;
 authscheme->FreeUser =authenticateDigestFreeUser;
@@ -295,8 +158,8 @@
 authdigest_initialised = 1;
 if (digestauthenticators == NULL)
 digestauthenticators = helperCreate("digestauthenticator");
- digestauthenticators->cmdline = Config.Program.authenticate;
- digestauthenticators->n_to_start = Config.authenticateChildren;
+ digestauthenticators->cmdline = Config.Program.digestauthenticate;
+ digestauthenticators->n_to_start = Config.digestauthenticateChildren;
 digestauthenticators->ipc_type = IPC_TCP_SOCKET;
 helperOpenServers(digestauthenticators);
 if (!init) {
@@ -439,8 +302,8 @@
 debug(29, 5) ("authenticateFixErrorHeader: Sending type:%d header: 'Digest realm=\"%s\"'\n",type,Config.proxyAuthRealm);
 httpHeaderPutStrf(&rep->header, type, "Digest realm=\"%s\"", Config.proxyAuthRealm);
 #endif
- debug(29, 5) ("authenticateFixErrorHeader: Sending type:%d header: 'Digest realm=\"Robsserver\", nonce=\"%s\"\n",type,nonce->nonce);
- httpHeaderPutStrf(&rep->header, type, "Digest realm=\"Robsserver\", nonce=\"%s\", qop=\"auth\"",nonce->nonce);
+ debug(29, 5) ("authenticateFixErrorHeader: Sending type:%d header: 'Digest realm=\"%s\", nonce=\"%s\"\n",type,Config.digestAuthRealm,nonce->nonce);
+ httpHeaderPutStrf(&rep->header, type, "Digest realm=\"Robsserver\", nonce=\"%s\", qop=\"auth\"",Config.digestAuthRealm,nonce->nonce);
 }
 }
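Review bot: In the last hunk the `httpHeaderPutStrf` format still hard-codes `realm=\"Robsserver\"` and contains a single `%s`, yet two arguments are now passed, so the client receives the configured realm string as the `nonce=` value, `nonce->nonce` is never sent, and the challenge carries a fixed, guessable nonce that defeats the replay protection the server nonce exists for. The line should read `httpHeaderPutStrf(&rep->header, type, "Digest realm=\"%s\", nonce=\"%s\", qop=\"auth\"", Config.digestAuthRealm, nonce->nonce);`, matching the corrected `debug()` line directly above it. The context lines before `#endif` still reference `Config.proxyAuthRealm`, which this patch renames to `basicAuthRealm` in structs.h; they appear to sit inside a disabled preprocessor block, but they will stop compiling if it is ever re-enabled. The enclosing function begins outside the hunk.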