[patch] authFixHeader and failed requests

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Sat, 06 Mar 2010 00:58:03 +0100

While investigating why digest auth wrongly indicated stale=false on
unknown nonces even when all the logic for fixing that has been
forward-ported since way back, I stumbled across this little difference
between Squid-2 & Squid-3 in how they fix up auth headers on failed auth
requests. In Squid-2 the currently active auth scheme gets the
auth_user_request sent to it, while in Squid-3 none of them does.

The Squid-2 commit message says:

        Support for the Negotiate authentication scheme, and
        corresponding rewrite of the NTLM authentication scheme.
        
        The Negotiate authentication scheme is quite similar to NTLM,
        only difference is that the number of handshakes varies (one or
        three), and that there is a final blob sent to the client on
        successful authentication.
        
        In this rewrite the challenge reuse functionality previously
        found in the NTLM scheme has been ripped out. Was causing lots
        of headaches, and never really working properly. Instead we will
        be looking into a more efficient helper protocol to deal with
        this in a correct manner.

Unfortunately I do not quite remember why Negotiate needed this header
fixup on failed requests.

What I do know is that it hides the digest nonce issue, but that's now
fixed more properly in Squid-3.

The attached patch is a forward-port of the auth_user_request passing
change from Squid-2. Dumped here in case someone wants to look into if
Squid-3 needs this for Negotiate. I have a nagging feeling it does for
passing the final server blob on auth failure, but no time to test
tonight.

Received on Fri Mar 05 2010 - 23:58:08 MST
