Bug 1330186

Summary: digest doesn't properly work with squid 3.3 on CentOS 7
Product: Red Hat Enterprise Linux 7
Reporter: Fabrice Prigent <fabrice.prigent>
Component: squid
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA
QA Contact: Martin Frodl <mfrodl>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.2
CC: fabrice.prigent, isenfeld, ovasik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: squid-3.5.10-3.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 21:17:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Fabrice Prigent 2016-04-25 14:47:31 UTC
Description of problem:
digest doesn't properly work with squid 3.3 on CentOS 7. All authentications are "forgotten" as soon as they have been done. It's a known bug of 3.3 (corrected in 3.4).

Version-Release number of selected component (if applicable):
3.3.8

How reproducible:


Steps to Reproduce:
1. Configure digest authentication.

Actual results:
reauthentication for each component of a page

Expected results:
no reauthentication for at least 10 minutes (configurable by parameters).

Additional info:

Comment 1 Fabrice Prigent 2016-04-25 14:48:40 UTC
The bug can be corrected with these steps:

get this patch ftp://ftp.tuwien.ac.at/.vhost/www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13098.patch in /root/rpmbuild/SOURCES

modify it with

--- src/auth/digest/UserRequest.cc 2013-11-29 10:55:53 +0000
+++ src/auth/digest/UserRequest.cc 2014-03-05 02:48:25 +0000
@@ -153,7 +153,7 @@
         /* check for stale nonce */
         if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
             debugs(29, 3, HERE << "user '" << auth_user->username() << "' validated OK but nonce stale");
- auth_user->credentials(Auth::Failed);
+ auth_user->credentials(Auth::Handshake);
             digest_request->setDenyMessage("Stale nonce");
             return;
         }
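Review bot: the `-` and `+` lines in this hunk have lost the leading indentation that the surrounding context lines still carry, so `%patch217 -p0` will not match `auth_user->credentials(Auth::Failed);` against the indented source unless patch is told to ignore whitespace; apply the downloaded squid-3.4-13098.patch unmodified rather than this re-typed copy. On the change itself, the debug line just above already states that the user "validated OK but nonce stale", so replacing `Auth::Failed` with `Auth::Handshake` is the right distinction: the credentials were correct and only the nonce was stale, so the client should get a new challenge rather than be treated as a failed login, and the retained `setDenyMessage("Stale nonce")` and early `return` are what the caller needs to build that challenge.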

AND

@ -214,8 +215,14 @@
 
     if ((static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) {
         flags.authinfo_sent = 1;
- debugs(29, 9, HERE << "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nonce) << "\"");
- httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nonce));
+ Auth::Digest::User *digest_user = dynamic_cast<Auth::Digest::User *>(user().getRaw());
+ digest_nonce_h *nextnonce = digest_user->currentNonce();
+ if (!nextnonce || authDigestNonceLastRequest(nonce)) {
+ nextnonce = authenticateDigestNonceNew();
+ authDigestUserLinkNonce(digest_user, nextnonce);
+ }
+ debugs(29, 9, "Sending type:" << type << " header: 'nextnonce=\"" << authenticateDigestNonceNonceb64(nextnonce) << "\"");
+ httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(nextnonce));
     }
 }
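Review bot: `digest_user` is the result of a `dynamic_cast` and is dereferenced on the very next line (`digest_user->currentNonce()`) without a null check; add `if (!digest_user) return;` before it. The inner condition `if (!nextnonce || authDigestNonceLastRequest(nonce))` also repeats the `authDigestNonceLastRequest(nonce)` test that the enclosing `if` already requires to be true, so a fresh nonce is generated on every pass and the `currentNonce()` value is never reused; either drop the repeated test or move the reuse path outside the enclosing check. Finally, the hunk header reads `@ -214,8 +215,14 @@` (one `@` missing) and the quoted old side shows seven lines where the header promises eight, so this copy will not apply as pasted; use the original patch file.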


THEN change the squid.spec in /root/rpmbuild/SPECS

7 Release: 28%{?dist}
...
55 Patch217: squid-3.4-13098.patch
...
134 %patch217 -p0


then it works....
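As an added illustration (constructed here, not Squid's code), a small Python model of the server side of RFC 2617 digest authentication showing the difference between the two outcomes in the patched hunk: reporting a stale nonce as a failed login, which makes the browser prompt again, versus reporting it as a handshake (stale=true with a fresh nonce), which lets the client retry silently. The realm and credentials mirror comment 6; the TTL, class and function names are assumptions.

```python
import hashlib
import secrets
import time

# Constructed example, not Squid code: a minimal RFC 2617 digest verifier
# for a proxy, modelling the Auth::Failed and Auth::Handshake outcomes.
REALM = "moria"
USERS = {"gandalf": "mellon"}   # constructed credentials, as in comment 6
NONCE_TTL = 600                 # seconds; "at least 10 minutes" expected

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def client_response(user, password, nonce, nc, cnonce, uri, method="GET"):
    """The response= value a client computes for a qop=auth challenge."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

class DigestProxy:
    def __init__(self, now=time.time, stale_is_failure=False):
        # stale_is_failure=True models squid 3.3: a stale nonce is reported
        # like a wrong password, so the browser prompts again (the bug).
        self.now, self.stale_is_failure = now, stale_is_failure
        self.nonces = {}  # nonce -> [issued_at, highest nc seen]

    def challenge(self, stale=False):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [self.now(), 0]
        return {"status": 407, "nonce": nonce, "stale": stale}

    def check(self, user, nonce, nc, cnonce, uri, response):
        state = self.nonces.get(nonce)
        if state is None or user not in USERS:
            return self.challenge(stale=False)      # unknown: re-prompt
        expected = client_response(user, USERS[user], nonce, nc, cnonce, uri)
        if response != expected:
            return self.challenge(stale=False)      # wrong password: re-prompt
        if nc <= state[1]:
            return self.challenge(stale=False)      # nc did not increase: replay
        state[1] = nc
        if self.now() - state[0] > NONCE_TTL:
            # credentials were right, only the nonce is old: issue a fresh one
            # with stale=true so the client retries without asking the user
            del self.nonces[nonce]
            return self.challenge(stale=not self.stale_is_failure)
        return {"status": 200, "nextnonce": nonce}
```

With `stale_is_failure=False` an expired nonce yields a 407 carrying stale=true and a new nonce that works at once; with `stale_is_failure=True` the same situation is reported like a bad password, which is the per-object re-prompting the report describes.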

Comment 6 Martin Frodl 2016-08-16 09:47:50 UTC
Fabrice, could you provide me with a more specific reproducer? I was unable to recreate the problem by just 'configuring digest authentication' in the affected Squid version.

This is what I tried:

# rpm -q squid
squid-3.3.8-26.el7.x86_64

# htdigest -c /etc/squid/passwd moria gandalf
Adding password for gandalf in realm moria.
New password: mellon
Re-type new password: mellon

# cat /etc/squid/squid.conf
auth_param digest program /usr/lib64/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest children 5
auth_param digest realm moria
acl foo proxy_auth REQUIRED
http_access allow foo
http_access deny all
http_port 3128

# systemctl start squid

Now, when I configure Firefox to use this Squid instance as an HTTP proxy and navigate to, say, www.squid-cache.org, the whole page is loaded at once, without the necessity of re-entering the credentials for each downloaded file.

Similarly, when downloading a file with curl:

# curl -v --proxy-digest -U gandalf:mellon -x localhost:3128 www.squid-cache.org

the Proxy-Authorization header can be reused for future proxied requests without re-entering the credentials as well.

So I wonder, what am I missing?

Comment 7 Martin Frodl 2016-08-16 13:38:02 UTC
Never mind, I found the necessary configuration here:

https://bugzilla.mozilla.org/show_bug.cgi?id=378152#c0

Comment 10 errata-xmlrpc 2016-11-03 21:17:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2600.html