--------------------- PatchSet 6404 Date: 2005/02/01 12:00:11 Author: hno Branch: authinfo-2_5 Tag: (none) Log: Extend authenticator protocol to allow returning of error messages explaining why the login was rejected. This is then available as %m in error pages. Members: helpers/basic_auth/LDAP/squid_ldap_auth.c:1.1.2.15->1.1.2.15.2.1 helpers/basic_auth/NCSA/ncsa_auth.c:1.1.2.4->1.1.2.4.4.1 helpers/digest_auth/password/digest_pw_auth.c:1.1.2.2->1.1.2.2.22.1 src/cf.data.pre:1.49.2.67->1.49.2.67.2.1 src/auth/basic/auth_basic.c:1.17.6.8->1.17.6.8.4.1 src/auth/digest/auth_digest.c:1.12.6.12->1.12.6.12.4.1 src/auth/ntlm/auth_ntlm.c:1.18.2.14->1.18.2.14.4.1
Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/basic_auth/LDAP/squid_ldap_auth.c,v
retrieving revision 1.1.2.15
retrieving revision 1.1.2.15.2.1
diff -u -r1.1.2.15 -r1.1.2.15.2.1
--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c 18 Jan 2005 03:16:44 -0000 1.1.2.15
+++ squid/helpers/basic_auth/LDAP/squid_ldap_auth.c 1 Feb 2005 12:00:11 -0000 1.1.2.15.2.1
@@ -513,7 +513,7 @@
 rfc1738_unescape(user);
 rfc1738_unescape(passwd);
 if (!validUsername(user)) {
- printf("ERR\n");
+ printf("ERR No such user\n");
 continue;
 }
 tryagain = (ld != NULL);
@@ -527,7 +527,7 @@
 ld = NULL;
 goto recover;
 }
- printf("ERR\n");
+ printf("ERR %s\n", ldap_err2string(squid_ldap_errno(ld)));
 } else {
 printf("OK\n");
 }
Index: squid/helpers/basic_auth/NCSA/ncsa_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/basic_auth/NCSA/ncsa_auth.c,v
retrieving revision 1.1.2.4
retrieving revision 1.1.2.4.4.1
diff -u -r1.1.2.4 -r1.1.2.4.4.1
--- squid/helpers/basic_auth/NCSA/ncsa_auth.c 26 Sep 2004 02:14:22 -0000 1.1.2.4
+++ squid/helpers/basic_auth/NCSA/ncsa_auth.c 1 Feb 2005 12:00:12 -0000 1.1.2.4.4.1
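Review bot: The second hunk's `printf("ERR %s\n", ldap_err2string(squid_ldap_errno(ld)));` forwards the directory server's own diagnostic to the browser, since the Log says the text becomes %m in the error page, and together with the first hunk's fixed "No such user" it lets a client tell an unknown account from a bad password. ncsa_auth.c ("No such user" vs "Wrong password") and digest_pw_auth.c ("No such user") in this patchset expose the same distinction. A safer split is a uniform client-facing text such as `printf("ERR Login failed\n");` with the specific reason written to the helper's stderr for the administrator. Both hunks sit inside the helper's request loop, which starts and ends outside the hunk.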
@@ -138,9 +138,9 @@
 rfc1738_unescape(passwd);
 u = hash_lookup(hash, user);
 if (u == NULL) {
- printf("ERR\n");
+ printf("ERR No such user\n");
 } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd))) {
- printf("ERR\n");
+ printf("ERR Wrong password\n");
 } else {
 printf("OK\n");
 }
Index: squid/helpers/digest_auth/password/digest_pw_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/digest_auth/password/digest_pw_auth.c,v
retrieving revision 1.1.2.2
retrieving revision 1.1.2.2.22.1
diff -u -r1.1.2.2 -r1.1.2.2.22.1
--- squid/helpers/digest_auth/password/digest_pw_auth.c 17 Oct 2002 21:21:29 -0000 1.1.2.2
+++ squid/helpers/digest_auth/password/digest_pw_auth.c 1 Feb 2005 12:00:12 -0000 1.1.2.2.22.1
@@ -149,7 +149,7 @@
 }
 u = hash_lookup(hash, user);
 if (u == NULL) {
- printf("ERR\n");
+ printf("ERR No such user\n");
 } else {
 DigestCalcHA1("md5", user, realm, u->passwd, NULL, NULL, HA1, HHA1);
 printf("%s\n", HHA1);
Index: squid/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v
retrieving revision 1.49.2.67
retrieving revision 1.49.2.67.2.1
diff -u -r1.49.2.67 -r1.49.2.67.2.1
--- squid/src/cf.data.pre 25 Jan 2005 03:28:16 -0000 1.49.2.67
+++ squid/src/cf.data.pre 1 Feb 2005 12:00:13 -0000 1.49.2.67.2.1
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.49.2.67 2005/01/25 03:28:16 squidadm Exp $
+# $Id: cf.data.pre,v 1.49.2.67.2.1 2005/02/01 12:00:13 hno Exp $
 #
 #
 # SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -1304,7 +1304,8 @@
 "program" cmdline Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or - "ERR" in an endless loop. + "ERR" in an endless loop. "ERR" responses may optionally be followed + by a error description available as %m in the returned error page. By default, the basic authentication sheme is not used unless a program is specified.
@@ -1357,6 +1358,8 @@
 reads a line containing "username":"realm" and replies with the appropriate H(A1) value base64 encoded or ERR if the user (or his H(A1) hash) does not exists. See rfc 2616 for the definition of H(A1). + "ERR" responses may optionally be followed by a error description + available as %m in the returned error page. By default, the digest authentication scheme is not used unless a program is specified.
Index: squid/src/auth/basic/auth_basic.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/basic/auth_basic.c,v
retrieving revision 1.17.6.8
retrieving revision 1.17.6.8.4.1
diff -u -r1.17.6.8 -r1.17.6.8.4.1
--- squid/src/auth/basic/auth_basic.c 26 Sep 2004 02:14:26 -0000 1.17.6.8
+++ squid/src/auth/basic/auth_basic.c 1 Feb 2005 12:00:14 -0000 1.17.6.8.4.1
@@ -270,7 +270,7 @@
 debug(29, 9) ("authenticateBasicHandleReply: {%s}\n", reply ? reply : "");
 if (reply) {
 if ((t = strchr(reply, ' ')))
- *t = '\0';
+ *t++ = '\0';
 if (*reply == '\0')
 reply = NULL;
 }
@@ -280,8 +280,12 @@
 basic_auth = auth_user->scheme_data;
 if (reply && (strncasecmp(reply, "OK", 2) == 0))
 basic_auth->flags.credentials_ok = 1;
- else
+ else {
 basic_auth->flags.credentials_ok = 3;
+ safe_free(r->auth_user_request->message);
+ if (t && *t)
+ r->auth_user_request->message = xstrdup(t);
+ }
 basic_auth->credentials_checkedtime = squid_curtime;
 valid = cbdataValid(r->data);
 if (valid)
Index: squid/src/auth/digest/auth_digest.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/digest/auth_digest.c,v
retrieving revision 1.12.6.12
retrieving revision 1.12.6.12.4.1
diff -u -r1.12.6.12 -r1.12.6.12.4.1
--- squid/src/auth/digest/auth_digest.c 29 Aug 2004 02:13:58 -0000 1.12.6.12
+++ squid/src/auth/digest/auth_digest.c 1 Feb 2005 12:00:14 -0000 1.12.6.12.4.1
@@ -720,6 +720,8 @@
 RequestMethodStr[METHOD_GET], digest_request->uri, HA2, Response);
 if (strcasecmp(digest_request->response, Response)) {
 digest_request->flags.credentials_ok = 3;
+ safe_free(auth_user_request->message);
+ auth_user_request->message = xstrdup("Incorrect password");
 return;
 } else {
 const char *useragent = httpHeaderGetStr(&request->header, HDR_USER_AGENT);
@@ -737,6 +739,8 @@
 }
 } else {
 digest_request->flags.credentials_ok = 3;
+ safe_free(auth_user_request->message);
+ auth_user_request->message = xstrdup("Incorrect password");
 return;
 }
 }
@@ -746,6 +750,8 @@
 digest_user->username);
 digest_request->flags.nonce_stale = 1;
 digest_request->flags.credentials_ok = 3;
+ safe_free(auth_user_request->message);
+ auth_user_request->message = xstrdup("Stale nonce");
 return;
 }
 /* password was checked and did match */
@@ -892,7 +898,7 @@
 debug(29, 9) ("authenticateDigestHandleReply: {%s}\n", reply ? reply : "");
 if (reply) {
 if ((t = strchr(reply, ' ')))
- *t = '\0';
+ *t++ = '\0';
 if (*reply == '\0' || *reply == '\n')
 reply = NULL;
 }
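Review bot: `if (t && *t)` in the new else-branch is evaluated even when `reply` is NULL, yet `t` is only assigned inside the `if (reply)` block of the previous hunk; unless its declaration (outside both hunks) initialises it, the no-reply path reads an indeterminate pointer, and `char *t = NULL;` at the declaration closes that. auth_digest.c's -901 hunk has the same shape and needs the same check. Separately, the message is stored exactly as the helper wrote it; the digest handler's `*reply == '\n'` test suggests a reply can keep its trailing newline, in which case the text copied here (and the NTLM handler's `reply + 3`) would carry it into %m, so trimming once before `xstrdup` is worth considering. authenticateBasicHandleReply begins before this hunk.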
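Review bot: Each new `auth_user_request->message = xstrdup(...)` hands the request a heap string, but nothing in this patchset shows where that field is released when the request is destroyed — the Members list touches no authenticate.c or header, so the field and its teardown presumably come from an earlier commit on this branch. Confirm that path frees `message`, otherwise every failed digest login leaks a small allocation; the `safe_free` before each assignment only handles a request that is validated more than once. The -737 and -750 hunks, and the basic and NTLM handlers, store the message the same way.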
@@ -901,9 +907,12 @@
 assert(auth_user_request->scheme_data != NULL);
 digest_request = auth_user_request->scheme_data;
 digest_user = auth_user_request->auth_user->scheme_data;
- if (reply && (strncasecmp(reply, "ERR", 3) == 0))
+ if (reply && (strncasecmp(reply, "ERR", 3) == 0)) {
 digest_request->flags.credentials_ok = 3;
- else if (reply) {
+ safe_free(auth_user_request->message);
+ if (t && *t)
+ auth_user_request->message = xstrdup(t);
+ } else if (reply) {
 CvtBin(reply, digest_user->HA1);
 digest_user->HA1created = 1;
 }
Index: squid/src/auth/ntlm/auth_ntlm.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v
retrieving revision 1.18.2.14
retrieving revision 1.18.2.14.4.1
diff -u -r1.18.2.14 -r1.18.2.14.4.1
--- squid/src/auth/ntlm/auth_ntlm.c 8 Dec 2004 03:16:19 -0000 1.18.2.14
+++ squid/src/auth/ntlm/auth_ntlm.c 1 Feb 2005 12:00:15 -0000 1.18.2.14.4.1
@@ -547,6 +547,10 @@
 ntlm_request->auth_state = AUTHENTICATE_STATE_FAILED;
 authenticateNTLMResetServer(ntlm_request);
 debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply);
+ reply += 3;
+ safe_free(auth_user_request->message);
+ if (*reply)
+ auth_user_request->message = xstrdup(reply);
 } else if (strncasecmp(reply, "BH ", 3) == 0) {
 /* TODO kick off a refresh process. This can occur after a YR or after
 * a KK. If after a YR release the helper and resubmit the request via
@@ -579,6 +583,10 @@
 /* the helper broke on a KK */
 debug(29, 1) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply);
 ntlm_request->auth_state = AUTHENTICATE_STATE_FAILED;
+ reply += 3;
+ safe_free(auth_user_request->message);
+ if (*reply)
+ auth_user_request->message = xstrdup(reply);
 }
 } else {
 fatalf("authenticateNTLMHandleReply: *** Unsupported helper response ***, '%s'\n", reply);
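Review bot: `reply += 3;` in both NTLM hunks (-547 and -583) is only safe because the branch condition above the hunk matched a three-character tag (presumably `"NA "`, by analogy with the visible `"BH "` comparison), and that condition is not in the hunk, so the bare offset deserves a comment such as `/* skip the 3-char status tag matched above; the rest is the helper's explanation */`. The `debug()` call that prints `reply` runs before the increment, so the log still records the full line. authenticateNTLMHandleReply's if/else chain starts before the first hunk and continues past the second.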