On 02/12/2013 03:33 PM, Henrik Nordström wrote:
> tis 2013-02-12 klockan 14:41 -0700 skrev Alex Rousskov:
>> Could somebody with better authentication and helper knowledge clarify
>> whether the token field is indeed required for Negotiate ERR and NA
>> responses? If not, can we just remove the above quoted fatalf() blob and
>> make the following line conditional on the token presence?
> Squid-2 negotiate expects
>
> NA<SPACE>blob<SPACE>message<NEWLINE>
>
> but does not require any of them to be present.
Is the attached fix on the right track? It makes the "token" part of the
helper response optional and, hence, removes the fatalf() message. No
other changes were intended, but this trunk patch is untested.
Thank you,
Alex.
Do not FATAL and quit when handling an NA or ERR negotiate helper response
without a challenge token.
=== modified file 'src/auth/negotiate/UserRequest.cc'
--- src/auth/negotiate/UserRequest.cc 2013-01-28 16:56:05 +0000
+++ src/auth/negotiate/UserRequest.cc 2013-02-13 00:30:07 +0000
@@ -310,53 +310,51 @@
* challenge-response nature of the protocol.
* Just free the temporary auth_user after merging as
* much of it new state into the existing one as possible */
usernamehash->user()->absorb(local_auth_user);
/* from here on we are working with the original cached credentials. */
local_auth_user = usernamehash->user();
auth_user_request->user(local_auth_user);
} else {
/* store user in hash's */
local_auth_user->addToNameCache();
}
/* set these to now because this is either a new login from an
* existing user or a new user */
local_auth_user->expiretime = current_time.tv_sec;
auth_user_request->user()->credentials(Auth::Ok);
debugs(29, 4, HERE << "Successfully validated user via Negotiate. Username '" << auth_user_request->user()->username() << "'");
}
break;
case HelperReply::Error: {
- Note::Pointer messageNote = reply.notes.find("message");
- Note::Pointer tokenNote = reply.notes.find("token");
- if (tokenNote == NULL) {
- /* protocol error */
- fatalf("authenticateNegotiateHandleReply: *** Unsupported helper response ***, '%s'\n", reply.other().content());
- break;
- }
-
/* authentication failure (wrong password, etc.) */
+
+ Note::Pointer messageNote = reply.notes.find("message");
auth_user_request->denyMessage(messageNote->firstValue());
auth_user_request->user()->credentials(Auth::Failed);
+
safe_free(lm_request->server_blob);
- lm_request->server_blob = xstrdup(tokenNote->firstValue());
+ Note::Pointer tokenNote = reply.notes.find("token");
+ if (tokenNote != NULL)
+ lm_request->server_blob = xstrdup(tokenNote->firstValue());
+
lm_request->releaseAuthServer();
debugs(29, 4, HERE << "Failed validating user via Negotiate. Error returned '" << reply << "'");
}
break;
case HelperReply::Unknown:
debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper '" << reply.whichServer << "' crashed!.");
/* continue to the next case */
case HelperReply::BrokenHelper: {
/* TODO kick off a refresh process. This can occur after a YR or after
* a KK. If after a YR release the helper and resubmit the request via
* Authenticate Negotiate start.
* If after a KK deny the user's request w/ 407 and mark the helper as
* Needing YR. */
Note::Pointer errNote = reply.notes.find("message");
if (reply.result == HelperReply::Unknown)
auth_user_request->denyMessage("Internal Error");
else if (errNote != NULL)
auth_user_request->denyMessage(errNote->firstValue());
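Review bot: in the HelperReply::Error branch `messageNote` is still dereferenced unconditionally at `auth_user_request->denyMessage(messageNote->firstValue());`, while the token lookup a few lines later was made conditional. Henrik's note says none of the NA fields are required, so a "NA" reply with no message would now crash on a NULL Note::Pointer instead of hitting the removed fatalf(). The BrokenHelper branch further down already guards the same lookup with `else if (errNote != NULL)`; the Error branch should do the same, for example `if (messageNote != NULL) auth_user_request->denyMessage(messageNote->firstValue());`, possibly with a generic deny message when the note is absent.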
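To make the optional-field handling concrete, here is a stand-alone parser for the "NA<SPACE>blob<SPACE>message<NEWLINE>" layout Henrik describes, together with the error-branch logic the patch is aiming for (a cleared blob unless a new token arrived, a deny message only when one was sent). This is an added example, not Squid's HelperReply code or the patch itself: the single-space field separator, the fallback deny text "Authentication failed", the RequestState stand-ins for lm_request->server_blob and denyMessage(), and the sample lines are all assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>

// Parsed form of one NA/ERR negotiate helper response line, following the
// "NA<SPACE>blob<SPACE>message<NEWLINE>" layout quoted in the thread, with
// every field after the code optional.
struct NegotiateReply {
    bool valid = false;        // false when the code is not NA or ERR
    std::string code;          // "NA" or "ERR"
    bool hasToken = false;
    std::string token;         // challenge blob, only when present
    bool hasMessage = false;
    std::string message;       // free-text reason, only when present
};

// Parse "CODE [blob [message ...]]". Only the code is required; a bare
// "NA\n" is accepted. Assumption (not from the page): fields are separated
// by a single space and the message may itself contain spaces.
NegotiateReply parseNegotiateReply(const std::string &lineIn)
{
    NegotiateReply r;
    std::string line = lineIn;
    while (!line.empty() && (line.back() == '\n' || line.back() == '\r'))
        line.pop_back();

    const size_t sp = line.find(' ');
    r.code = line.substr(0, sp);
    if (r.code != "NA" && r.code != "ERR")
        return r;                       // leave valid == false
    r.valid = true;
    if (sp == std::string::npos)
        return r;                       // no blob, no message

    const std::string rest = line.substr(sp + 1);
    const size_t sp2 = rest.find(' ');
    const std::string blob = rest.substr(0, sp2);
    if (!blob.empty()) {
        r.hasToken = true;
        r.token = blob;
    }
    if (sp2 != std::string::npos) {
        const std::string msg = rest.substr(sp2 + 1);
        if (!msg.empty()) {
            r.hasMessage = true;
            r.message = msg;
        }
    }
    return r;
}

// Stand-ins (assumed for this example) for the two pieces of state the
// patched Error branch touches.
struct RequestState {
    std::string serverBlob;    // stands in for lm_request->server_blob
    std::string denyMessage;   // stands in for auth_user_request->denyMessage()
    bool failed = false;
};

// Error-branch handling with both fields optional: never dereference a
// missing message, keep the old blob cleared unless a new one arrived.
// The fallback deny text is an assumption.
RequestState handleErrorReply(const NegotiateReply &r)
{
    RequestState st;
    st.denyMessage = r.hasMessage ? r.message : "Authentication failed";
    st.failed = true;
    st.serverBlob.clear();              // safe_free(lm_request->server_blob)
    if (r.hasToken)
        st.serverBlob = r.token;        // only when the helper sent a token
    return st;
}

int main()
{
    // Constructed sample lines, not captured from a real helper.
    const char *samples[] = { "NA\n", "NA oRQ== Logon failure\n", "ERR\n", "TT oRQ==\n" };
    for (const char *s : samples) {
        NegotiateReply r = parseNegotiateReply(s);
        if (!r.valid) {
            std::printf("%s: unsupported code, not an NA/ERR reply\n", r.code.c_str());
            continue;
        }
        RequestState st = handleErrorReply(r);
        std::printf("%s: token=%s deny='%s'\n", r.code.c_str(),
                    r.hasToken ? st.serverBlob.c_str() : "(none)", st.denyMessage.c_str());
    }
    return 0;
}
```

One consequence of the stated field order is worth noting: a reply of the form "NA reason" has only one field after the code, so it is taken as a blob, not a message; a helper that wants to send a message without a token has to make that explicit in whatever way the real protocol defines, which this example does not try to settle.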