This patch is generated from the authinfo-2_4 branch of s2_4 in squid Fri Jan 30 10:13:34 2004 GMT See http://devel.squid-cache.org/ Index: squid/ChangeLog diff -u squid/ChangeLog:1.4.4.6 squid/ChangeLog:1.4.4.6.2.1 --- squid/ChangeLog:1.4.4.6 Wed Mar 21 15:46:10 2001 +++ squid/ChangeLog Fri Apr 13 14:24:36 2001 @@ -107,6 +107,9 @@ - Prevent NULL pointer access in store_repl_lru.c for entries that exist in the hash but not the LRU list. + - Extended authenticator protocol to allow for more detailed responses + and to verify the client IP address. (Pedro Lineu Orso) + Changes to Squid-2.4.DEVEL4 (): - Added --enable-auth-modules=... configure option Index: squid/auth_modules/NCSA_PLUS/Makefile.in diff -u /dev/null squid/auth_modules/NCSA_PLUS/Makefile.in:1.1.56.1 --- /dev/null Fri Jan 30 02:12:12 2004 +++ squid/auth_modules/NCSA_PLUS/Makefile.in Fri Apr 13 14:24:36 2001 
@@ -0,0 +1,100 @@ +# +# Makefile for the Squid Object Cache server +# +# $Id: squid-authinfo-2_4-s2_4,v 1.2 2004/09/29 00:22:49 hno Exp $ +# +# Uncomment and customize the following to suit your needs: +# + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +exec_suffix = @exec_suffix@ +cgi_suffix = @cgi_suffix@ +top_srcdir = @top_srcdir@ +bindir = @bindir@ +libexecdir = @libexecdir@ +sysconfdir = @sysconfdir@ +localstatedir = @localstatedir@ +srcdir = @srcdir@ +VPATH = @srcdir@ + +# Gotta love the DOS legacy +# +NCSA_AUTH_EXE = ncsa_auth_plus$(exec_suffix) + +DEFAULT_PASSWD_FILE = $(sysconfdir)/passwd + +CC = @CC@ +MAKEDEPEND = @MAKEDEPEND@ +INSTALL = @INSTALL@ +INSTALL_BIN = @INSTALL_PROGRAM@ +INSTALL_FILE = @INSTALL_DATA@ +INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755 +RANLIB = @RANLIB@ +LN_S = @LN_S@ +PERL = @PERL@ +CRYPTLIB = @CRYPTLIB@ +REGEXLIB = @REGEXLIB@ +PTHREADLIB = @PTHREADLIB@ +SNMPLIB = @SNMPLIB@ +MALLOCLIB = @LIB_MALLOC@ +AC_CFLAGS = @CFLAGS@ +LDFLAGS = @LDFLAGS@ +XTRA_LIBS = @XTRA_LIBS@ +XTRA_OBJS = @XTRA_OBJS@ +MV = @MV@ +RM = @RM@ +SHELL = /bin/sh + + +INCLUDE = -I. -I../../include -I$(top_srcdir)/include +CFLAGS = $(AC_CFLAGS) $(INCLUDE) $(DEFINES) +AUTH_LIBS = -L../../lib -lmiscutil $(CRYPTLIB) $(XTRA_LIBS) + +PROGS = $(NCSA_AUTH_EXE) +OBJS = ncsa_auth_plus.o + +all: $(NCSA_AUTH_EXE) + +$(OBJS): $(top_srcdir)/include/version.h + +$(NCSA_AUTH_EXE): ncsa_auth_plus.o + $(CC) $(LDFLAGS) ncsa_auth_plus.o -o $@ $(AUTH_LIBS) + +install-mkdirs: + -@if test ! -d $(prefix); then \ + echo "mkdir $(prefix)"; \ + mkdir $(prefix); \ + fi + -@if test ! -d $(bindir); then \ + echo "mkdir $(bindir)"; \ + mkdir $(bindir); \ + fi + +# Michael Lupp wants to know about additions +# to the install target. 
+install: all install-mkdirs + @for f in $(PROGS); do \ + if test -f $(bindir)/$$f; then \ + echo $(MV) $(bindir)/$$f $(bindir)/-$$f; \ + $(MV) $(bindir)/$$f $(bindir)/-$$f; \ + fi; \ + echo $(INSTALL_BIN) $$f $(bindir); \ + $(INSTALL_BIN) $$f $(bindir); \ + if test -f $(bindir)/-$$f; then \ + echo $(RM) -f $(bindir)/-$$f; \ + $(RM) -f $(bindir)/-$$f; \ + fi; \ + done + +clean: + -rm -rf *.o *pure_* core $(PROGS) + +distclean: clean + -rm -f Makefile + +tags: + ctags *.[ch] ../include/*.h ../lib/*.[ch] + +depend: + $(MAKEDEPEND) -I../include -I. -fMakefile *.c Index: squid/auth_modules/NCSA_PLUS/ncsa_auth_plus.c diff -u /dev/null squid/auth_modules/NCSA_PLUS/ncsa_auth_plus.c:1.1.56.1 --- /dev/null Fri Jan 30 02:12:12 2004 +++ squid/auth_modules/NCSA_PLUS/ncsa_auth_plus.c Fri Apr 13 14:24:36 2001 
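Review bot: `INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755` is defined but no target uses it; the install rule uses `$(INSTALL_BIN)`. A helper that reads a password file and parses request lines should not be installed setuid root, so the unused variable is better removed than left for a later edit to pick up. The `tags` and `depend` rules also refer to `../include` and `../lib`, while `INCLUDE` and `AUTH_LIBS` use `../../include` and `../../lib`; from auth_modules/NCSA_PLUS the two-level paths look like the correct ones.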
@@ -0,0 +1,271 @@ +/* + * ncsa_auth_plus.c + * + * AUTHOR: Pedro Lineu Orso + * + * Adapted from ncsa_auth from Arjan de Vet + * + * Passwod age and IP Address control implemented. + * + * The password file must have the cahcnged date and the + * IP Address authorized for the user in the following format: + * + * user:password:changed_date:ip_address + * + * with expiration date and ip address control: + * Eg.: user01:owiGx.YxAufGU:2000-08-20:192.168.10.1 + * + * without expiration date and with ip address control: + * Eg.: user01:owiGx.YxAufGU:*:192.168.10.1 + * + * with expiration date and without ip address control: + * Eg.: user01:owiGx.YxAufGU:2000-08-20:* + * + * with expiration date and ip address control: + * Eg.: user01:owiGx.YxAufGU:*:* + * + * You must set the EXPIRATION_NDAYS ndays variable. The default is 30 days. + * + */ + +#include "config.h" +#if HAVE_STDIO_H +#include +#endif +#if HAVE_STDLIB_H +#include +#endif +#if HAVE_UNISTD_H +#include +#endif +#if HAVE_STRING_H +#include +#endif +#if HAVE_SYS_TYPES_H +#include +#endif +#if HAVE_SYS_STAT_H +#include +#endif +#if HAVE_CRYPT_H +#include +#endif + +#include "util.h" +#include "hash.h" + +#define EXPIRATION_NDAYS 30 + +static hash_table *hash = NULL; +static HASHFREE my_free; + +typedef struct _user_data { + /* first two items must be same as hash_link */ + char *user; + struct _user_data *next; + char *passwd; + int passwd_ok; /* 1 = passwd checked OK */ + long expiretime; + char *ipaddr; /* IP addr this user authenticated from */ + time_t ip_expiretime; + char *pwd_last_change; + char *authorized_ip; +} user_data; + +static void +my_free(void *p) +{ + user_data *u = p; + xfree(u->user); + xfree(u->passwd); + xfree(u->pwd_last_change); + xfree(u->authorized_ip); + xfree(u); +} + +static void +getword(char *word, char *line, char stop) +{ + int x = 0,y; + + for(x=0;((line[x]) && (line[x] != stop ));x++) + word[x] = line[x]; + + word[x] = '\0'; + if(line[x]) ++x; + y=0; + + while((line[y++] = 
line[x++])); +} + +static void +read_passwd_file(const char *passwdfile) +{ + FILE *f; + char buf[8192]; + user_data *u; + char *user; + char *passwd; + char *pwd_last_change; + char *authorized_ip; + if (hash != NULL) { + hashFreeItems(hash, my_free); + } + /* initial setup */ + hash = hash_create((HASHCMP *) strcmp, 7921, hash_string); + if (NULL == hash) { + fprintf(stderr, "ncsa_auth: cannot create hash table\n"); + exit(1); + } + f = fopen(passwdfile, "r"); + while (fgets(buf, 8192, f) != NULL) { + if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') || + (buf[0] == '\n')) + continue; + user = strtok(buf, ":\n"); + passwd = strtok(NULL, ":\n"); + pwd_last_change = strtok(NULL, ":\n"); + authorized_ip = strtok(NULL, ":\n"); + if ((strlen(user) > 0) && passwd) { + u = xmalloc(sizeof(*u)); + u->user = xstrdup(user); + u->passwd = xstrdup(passwd); + if(pwd_last_change != NULL) + u->pwd_last_change = xstrdup(pwd_last_change); + else u->pwd_last_change = xstrdup("\0"); + if(authorized_ip != NULL) + u->authorized_ip = xstrdup(authorized_ip); + else u->authorized_ip = xstrdup("\0"); + hash_join(hash, (hash_link *) u); + } + } + fclose(f); +} + +int calcdate(char *last) +{ + time_t tm; + struct tm *t; + + char mdays[12][3]={"31","28","31","30","31","30","31","31","30","31","30","31"}; + char y1[5], y2[5]; + char m1[3], m2[3]; + char d1[3], d2[3]; + char w[20], wlast[20]; + int div=4; + int x=0, n=0; + int jul1=0; + int jul2=0; + + strcpy(wlast,last); + getword(y1,wlast,'-'); + getword(m1,wlast,'-'); + getword(d1,wlast,'-'); + + tm = time(NULL); + t = localtime(&tm); + strftime(y2, 5, "%Y", t); + strftime(m2, 3, "%m", t); + strftime(d2, 3, "%d", t); + + if(atoi(m1) < 2) + jul1=atoi(d1); + else { + for(x=1; x<=atoi(m1)-1; x++) + jul1+=atoi(mdays[x-1]); + jul1+=atoi(d1); + if(strncmp(y1+2,"00",2) == 0) { + div=400; + n=366; + } else n=365; + if(!atoi(y1)%div) + jul1++; + } + + if(atoi(m2) < 2) + jul2=atoi(d2); + else { + for(x=1; x<=atoi(m2)-1; x++) + 
jul2+=atoi(mdays[x-1]); + jul2+=atoi(d2); + if(strncmp(y2+2,"00",2) == 0) + div=400; + if(!atoi(y2)%div) + jul2++; + } + + if(jul2\n"); + exit(1); + } + if (stat(argv[1], &sb) != 0) { + fprintf(stderr, "cannot stat %s\n", argv[1]); + exit(1); + } + while (fgets(buf, 256, stdin) != NULL) { + if ((p = strchr(buf, '\n')) != NULL) + *p = '\0'; /* strip \n */ + if (stat(argv[1], &sb) == 0) { + if (sb.st_mtime != change_time) { + read_passwd_file(argv[1]); + change_time = sb.st_mtime; + } + } + if ((user = strtok(buf, " ")) == NULL) { + printf("ERR\n"); + continue; + } + if ((passwd = strtok(NULL, " ")) == NULL) { + printf("ERR\n"); + continue; + } + if ((ipaddr = strtok(NULL, " ")) == NULL) { + printf("ERR\n"); + continue; + } + u = hash_lookup(hash, user); + + days = 0; + if(u->pwd_last_change[0] != '\0' && u->pwd_last_change[0] != '*') + days=calcdate(u->pwd_last_change); + if(u->authorized_ip[0] == '\0' || u->authorized_ip[0] == '*') + u->authorized_ip = xstrdup(ipaddr); + + if (u == NULL) { + printf("ERR\n"); + } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd))) { + printf("ERR\n"); + } else if (days >= EXPIRATION_NDAYS) { + printf("EXP\n"); + } else if (strncmp(ipaddr,u->authorized_ip,strlen(ipaddr)) != 0) { + printf("NIP\n"); + } else { + printf("OK\n"); + } + } + exit(0); +} Index: squid/errors/Bulgarian/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Bulgarian/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:13 2004 +++ squid/errors/Bulgarian/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +
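Review bot: In main's request loop, `u->pwd_last_change` and `u->authorized_ip` are dereferenced before the `if (u == NULL)` test, so a lookup for a user that is not in the password file crashes the helper instead of answering ERR; the NULL check has to come directly after `hash_lookup`. The wildcard branch also overwrites `u->authorized_ip` with the caller's address before the password is verified, which leaks the old string and binds the entry to the first address seen until the file is reloaded; that seems to contradict the header comment's "without ip address control". The address comparison uses `strncmp` with `strlen(ipaddr)`, a prefix match that accepts a client at 192.168.10.1 against an entry for, say, 192.168.10.10, so `strcmp` is needed. Separately, `read_passwd_file` does not check `fopen` or a NULL `user` from `strtok`, and `calcdate` copies the date field with unbounded `strcpy`/`getword` into 20-, 5- and 3-byte buffers and writes `!atoi(y1)%div` where a test of the remainder appears intended. Part of calcdate and the start of main are missing from this page, so the fence covers only the visible decision chain.

```c
	u = hash_lookup(hash, user);
	if (u == NULL) {
	    printf("ERR\n");
	    continue;
	}
	/* ... unchanged: days = calcdate(...) for entries that carry a date ... */
	/* '*' or an empty field means no address restriction; the entry is not modified */
	if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd))) {
	    printf("ERR\n");
	} else if (days >= EXPIRATION_NDAYS) {
	    printf("EXP\n");
	} else if (u->authorized_ip[0] != '\0' && u->authorized_ip[0] != '*'
	    && strcmp(ipaddr, u->authorized_ip) != 0) {
	    printf("NIP\n");
	} else {
	    printf("OK\n");
	}
```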

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Bulgarian/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Bulgarian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:13 2004 +++ squid/errors/Bulgarian/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Czech/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Czech/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:13 2004 +++ squid/errors/Czech/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Czech/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Czech/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:13 2004 +++ squid/errors/Czech/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Danish/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Danish/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:13 2004 +++ squid/errors/Danish/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Danish/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Danish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:13 2004 +++ squid/errors/Danish/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Dutch/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Dutch/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:14 2004 +++ squid/errors/Dutch/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Dutch/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Dutch/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:14 2004 +++ squid/errors/Dutch/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/English/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/English/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:14 2004 +++ squid/errors/English/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/English/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/English/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:14 2004 +++ squid/errors/English/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:36 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Estonian/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Estonian/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:15 2004 +++ squid/errors/Estonian/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Estonian/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Estonian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:15 2004 +++ squid/errors/Estonian/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Finnish/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Finnish/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:15 2004 +++ squid/errors/Finnish/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Finnish/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Finnish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:16 2004 +++ squid/errors/Finnish/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/French/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/French/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:16 2004 +++ squid/errors/French/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/French/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/French/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:16 2004 +++ squid/errors/French/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/German/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/German/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:16 2004 +++ squid/errors/German/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/German/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/German/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:16 2004 +++ squid/errors/German/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Hungarian/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Hungarian/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:17 2004 +++ squid/errors/Hungarian/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Hungarian/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Hungarian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:17 2004 +++ squid/errors/Hungarian/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Italian/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Italian/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:18 2004 +++ squid/errors/Italian/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Italian/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Italian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:18 2004 +++ squid/errors/Italian/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Japanese/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Japanese/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:29 2004 +++ squid/errors/Japanese/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Japanese/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Japanese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:29 2004 +++ squid/errors/Japanese/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Korean/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Korean/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:30 2004 +++ squid/errors/Korean/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Korean/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Korean/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:30 2004 +++ squid/errors/Korean/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Polish/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Polish/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:31 2004 +++ squid/errors/Polish/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Polish/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Polish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:31 2004 +++ squid/errors/Polish/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Portuguese/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Portuguese/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:31 2004 +++ squid/errors/Portuguese/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Senha expirada.

+
+

+

+Você precisa alterar sua senha. +

+

+ Index: squid/errors/Portuguese/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Portuguese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:31 2004 +++ squid/errors/Portuguese/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Endereço IP não autorizado.

+
+

+

+Você não está autorizado para acesso ao cache através do endereço IP '%i'; +

+

+ Index: squid/errors/Portuguese/README diff -u squid/errors/Portuguese/README:1.1.1.1 squid/errors/Portuguese/README:1.1.1.1.108.1 --- squid/errors/Portuguese/README:1.1.1.1 Tue Jan 25 19:21:47 2000 +++ squid/errors/Portuguese/README Fri Apr 13 14:24:37 2001 @@ -1,2 +1,2 @@ -Thank you to Pedro Lineu Orso for +Thank you to Pedro Lineu Orso for creating these error pages in Portugese! Index: squid/errors/Romanian/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Romanian/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:32 2004 +++ squid/errors/Romanian/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Romanian/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Romanian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:32 2004 +++ squid/errors/Romanian/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Russian-1251/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Russian-1251/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:32 2004 +++ squid/errors/Russian-1251/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Russian-1251/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Russian-1251/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:32 2004 +++ squid/errors/Russian-1251/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Russian-koi8-r/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Russian-koi8-r/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:33 2004 +++ squid/errors/Russian-koi8-r/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Russian-koi8-r/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Russian-koi8-r/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:33 2004 +++ squid/errors/Russian-koi8-r/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Simplify_Chinese/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Simplify_Chinese/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:34 2004 +++ squid/errors/Simplify_Chinese/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Simplify_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Simplify_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:34 2004 +++ squid/errors/Simplify_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Slovak/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Slovak/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:34 2004 +++ squid/errors/Slovak/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Slovak/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Slovak/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:34 2004 +++ squid/errors/Slovak/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Spanish/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Spanish/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:35 2004 +++ squid/errors/Spanish/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Spanish/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Spanish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:35 2004 +++ squid/errors/Spanish/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:37 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Swedish/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Swedish/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:35 2004 +++ squid/errors/Swedish/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:38 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Swedish/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Swedish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:35 2004 +++ squid/errors/Swedish/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:38 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Traditional_Chinese/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Traditional_Chinese/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:36 2004 +++ squid/errors/Traditional_Chinese/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:38 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Traditional_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Traditional_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:36 2004 +++ squid/errors/Traditional_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:38 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/errors/Turkish/ERR_REQ_PWD_CHANGE diff -u /dev/null squid/errors/Turkish/ERR_REQ_PWD_CHANGE:1.1.56.1 --- /dev/null Fri Jan 30 02:12:37 2004 +++ squid/errors/Turkish/ERR_REQ_PWD_CHANGE Fri Apr 13 14:24:38 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ Index: squid/errors/Turkish/ERR_UNAUTHORIZED_IP_ADDRESS diff -u /dev/null squid/errors/Turkish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1.56.1 --- /dev/null Fri Jan 30 02:12:37 2004 +++ squid/errors/Turkish/ERR_UNAUTHORIZED_IP_ADDRESS Fri Apr 13 14:24:38 2001 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/src/acl.c diff -u squid/src/acl.c:1.4.4.3 squid/src/acl.c:1.4.4.3.2.1 --- squid/src/acl.c:1.4.4.3 Thu Feb 1 06:05:41 2001 +++ squid/src/acl.c Fri Apr 13 14:24:38 2001 @@ -1081,6 +1081,8 @@ * 1 : user validated OK * -1 : check the password for this user via an external authenticator * -2 : invalid Proxy-authorization: header; + * -3 : user password expired; + * -4 : unauthorized IP Address for user * ask for Proxy-Authorization: header */ @@ -1107,6 +1109,26 @@ assert(auth_user == checklist->auth_user); checklist->auth_user = NULL; /* get rid of that special reference */ /* Check result from external validation */ + if (auth_user->passwd_ok == 2) { + /* password expired */ + assert(auth_user->passwd_ok == 2); + debug(28, 1) ("aclMatchProxyAuth: password expired for user '%s'\n", + user); + aclFreeProxyAuthUser(auth_user); + if (!*checklist->request->user_ident) + xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ); + return -3; + } + if (auth_user->passwd_ok == 3) { + /* unauthorized ip address */ + assert(auth_user->passwd_ok == 3); + debug(28, 1) ("aclMatchProxyAuth: unauthorized ip address '%s' for user '%s'\n", + inet_ntoa(checklist->src_addr), user); + aclFreeProxyAuthUser(auth_user); + if (!*checklist->request->user_ident) + xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ); + return -4; + } if (auth_user->passwd_ok != 1) { /* password was checked but did not match */ assert(auth_user->passwd_ok == 0); @@ -1225,6 +1247,7 @@ auth_user->passwd = xstrdup(password); auth_user->passwd_ok = -1; auth_user->expiretime = -1; + auth_user->ipaddr = checklist->src_addr; checklist->auth_user = auth_user; authenticateStart(checklist->auth_user, aclLookupProxyAuthDone, checklist); 
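Review bot: The new branches in aclMatchProxyAuth compare `auth_user->passwd_ok` with the bare literals 2 and 3, and the `@@ -1794` hunk assigns the same literals in aclLookupProxyAuthDone, so the meaning of each value lives only in comments. Named constants, for example `#define AUTH_PASSWD_EXPIRED 2` and `#define AUTH_IP_UNAUTHORIZED 3`, would keep the two sites in step; the same applies to the -3/-4 return codes. The `assert(auth_user->passwd_ok == 2)` and `== 3` lines directly follow an `if` on the same condition and can be dropped. The function starts and ends outside the hunk.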
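Review bot: `auth_user->ipaddr = checklist->src_addr;` is set only where a new auth_user is created and handed to authenticateStart, so the helper's address check runs only for that first lookup. If a cached entry with `passwd_ok == 1` is later matched for a request from a different source address, the NIP decision is never re-evaluated for that address; the cache lookup is outside this hunk, so this is inferred. The cached-match path should compare the stored `ipaddr` with `checklist->src_addr` and force a new helper lookup when they differ, or the limitation should be documented next to this assignment.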
@@ -1520,6 +1543,14 @@ case 1: /* user validated OK */ return 1; + case -4: + /* unauthorized IP Address for user */ + checklist->state[ACL_PROXY_AUTH] = ACL_UNAUTHORIZED_IP_ADDRESS; + return 0; + case -3: + /* user password expired */ + checklist->state[ACL_PROXY_AUTH] = ACL_EXPIRED_PASSWORD; + return 0; case -2: /* no such user OR we need a proxy authentication header */ checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; @@ -1665,6 +1696,14 @@ aclLookupProxyAuthStart(checklist); checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_PENDING; return; + } else if (checklist->state[ACL_PROXY_AUTH] == ACL_EXPIRED_PASSWORD) { + debug(28, 3) ("aclCheck: user password expired, must be changed\n"); + allow = ACCESS_REQ_PWD_CHANGE; + match = -3; + } else if (checklist->state[ACL_PROXY_AUTH] == ACL_UNAUTHORIZED_IP_ADDRESS) { + debug(28, 3) ("aclCheck: unauthorized IP Address for user\n"); + allow = ACCESS_UNAUTHORIZED_IP_ADDRESS; + match = -4; } else if (checklist->state[ACL_PROXY_AUTH] == ACL_PROXY_AUTH_NEEDED) { /* Special case. Client is required to resend the request * with authentication. The request is denied. 
@@ -1794,15 +1833,21 @@ static void aclLookupProxyAuthDone(void *data, char *result) { + aclCheck_t *checklist = data; checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_DONE; debug(28, 4) ("aclLookupProxyAuthDone: result = %s\n", result ? result : "NULL"); - if (result && (strncasecmp(result, "OK", 2) == 0)) - checklist->auth_user->passwd_ok = 1; - else - checklist->auth_user->passwd_ok = 0; - aclCheck(checklist); + if (result && (strncasecmp(result, "OK", 2) == 0)) + checklist->auth_user->passwd_ok = 1; + else if (result && (strncasecmp(result, "EXP", 3) == 0)) + checklist->auth_user->passwd_ok = 2; + else if (result && (strncasecmp(result, "NIP", 3) == 0)) + checklist->auth_user->passwd_ok = 3; + else + checklist->auth_user->passwd_ok = 0; + aclCheck(checklist); + } aclCheck_t * Index: squid/src/authenticate.c diff -u squid/src/authenticate.c:1.4.4.1 squid/src/authenticate.c:1.4.4.1.2.2 --- squid/src/authenticate.c:1.4.4.1 Mon Jan 15 14:49:18 2001 +++ squid/src/authenticate.c Sat Apr 14 11:40:05 2001 @@ -100,8 +100,8 @@ cbdataLock(data); r->data = data; r->auth_user = auth_user; - snprintf(buf, 8192, "%s %s\n", hashKeyStr(&r->auth_user->hash), - r->auth_user->passwd); + snprintf(buf, 8192, "%s %s %s\n", hashKeyStr(&r->auth_user->hash), + r->auth_user->passwd, inet_ntoa(r->auth_user->ipaddr)); helperSubmit(authenticators, buf, authenticateHandleReply, r); } Index: squid/src/client_side.c diff -u squid/src/client_side.c:1.5.2.7 squid/src/client_side.c:1.5.2.7.2.1 --- squid/src/client_side.c:1.5.2.7 Sun Mar 4 05:50:21 2001 +++ squid/src/client_side.c Fri Apr 13 14:24:38 2001 
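Review bot: The request line in the authenticate.c hunk is built as `"%s %s %s\n"` with no escaping, and the helper added by this patch splits it on spaces, so a password containing a space shifts the fields and the helper would take its address from client-supplied text rather than from `inet_ntoa(r->auth_user->ipaddr)`. Unless spaces are rejected before this point (not visible here), the user and password should be escaped before formatting, or the address should be sent as the first field. Every configured authenticator also receives the extra field after this change, so helpers that read the rest of the line as the password would stop matching; that deserves a compatibility note. The function starts and ends outside the hunk.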
@@ -243,20 +243,31 @@ http->log_type = LOG_TCP_DENIED; http->entry = clientCreateStoreEntry(http, http->request->method, null_request_flags); - if (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) { - if (!http->flags.accel) { - /* Proxy authorisation needed */ - status = HTTP_PROXY_AUTHENTICATION_REQUIRED; - } else { + if (answer == ACCESS_REQ_PROXY_AUTH || \ + answer == ACCESS_REQ_PWD_CHANGE || \ + answer == ACCESS_UNAUTHORIZED_IP_ADDRESS || \ + aclIsProxyAuth(AclMatchedName)) { + if (!http->flags.accel) { + if (answer == ACCESS_REQ_PWD_CHANGE || answer == ACCESS_UNAUTHORIZED_IP_ADDRESS) + status = HTTP_FORBIDDEN; + else + /* Proxy authorisation needed */ + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; + } else /* WWW authorisation needed */ status = HTTP_UNAUTHORIZED; - } - if (page_id <= 0) - page_id = ERR_CACHE_ACCESS_DENIED; + if (page_id <= 0) { + if (answer == ACCESS_REQ_PWD_CHANGE) + page_id = ERR_REQ_PWD_CHANGE; + else if (answer == ACCESS_UNAUTHORIZED_IP_ADDRESS) + page_id = ERR_UNAUTHORIZED_IP_ADDRESS; + else + page_id = ERR_CACHE_ACCESS_DENIED; + } } else { - status = HTTP_FORBIDDEN; + status = HTTP_FORBIDDEN; if (page_id <= 0) - page_id = ERR_ACCESS_DENIED; + page_id = ERR_ACCESS_DENIED; } err = errorCon(page_id, status); err->request = requestLink(http->request); Index: squid/src/enums.h diff -u squid/src/enums.h:1.5.2.2 squid/src/enums.h:1.5.2.2.4.1 --- squid/src/enums.h:1.5.2.2 Mon Jan 15 14:49:19 2001 +++ squid/src/enums.h Fri Apr 13 14:24:38 2001 @@ -89,6 +89,8 @@ ERR_FTP_UNAVAILABLE, ERR_ONLY_IF_CACHED_MISS, /* failure to satisfy only-if-cached request */ ERR_TOO_BIG, + ERR_REQ_PWD_CHANGE, + ERR_UNAUTHORIZED_IP_ADDRESS, ERR_MAX } err_type; @@ -130,7 +132,9 @@ ACL_LOOKUP_NEEDED, ACL_LOOKUP_PENDING, ACL_LOOKUP_DONE, - ACL_PROXY_AUTH_NEEDED + ACL_PROXY_AUTH_NEEDED, + ACL_EXPIRED_PASSWORD, + ACL_UNAUTHORIZED_IP_ADDRESS } acl_lookup_state; enum { 
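Review bot: With `http->flags.accel` set, the two new answers still reach `status = HTTP_UNAUTHORIZED`, so an expired password or a rejected address is answered with an authentication challenge in accelerator mode while proxy mode returns 403. If 403 is intended for both, test the answer first: `if (answer == ACCESS_REQ_PWD_CHANGE || answer == ACCESS_UNAUTHORIZED_IP_ADDRESS) status = HTTP_FORBIDDEN; else if (!http->flags.accel) status = HTTP_PROXY_AUTHENTICATION_REQUIRED; else status = HTTP_UNAUTHORIZED;`. The hunk also drops the braces around the `else` branch and adds line-continuation backslashes inside the `if` condition, which are not needed outside a macro; keeping the braces avoids a dangling-else mistake on the next edit. The enclosing function starts and ends outside the hunk.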
@@ -489,7 +493,9 @@ typedef enum { ACCESS_DENIED, ACCESS_ALLOWED, - ACCESS_REQ_PROXY_AUTH + ACCESS_REQ_PROXY_AUTH, + ACCESS_REQ_PWD_CHANGE, + ACCESS_UNAUTHORIZED_IP_ADDRESS } allow_t; #if SQUID_SNMP