--------------------- PatchSet 1670 Date: 2001/02/26 12:26:28 Author: rbcollins Branch: generic_modules Tag: (none) Log: auth API changes propogated to ntlm & digest, authenticate.c updated. (Modules now install a parserName). Makefile updated to handle squid.exe -c internalonly -c all for suqid.conf generation. cf_gen updated to provide a legacy copy of squid.conf. Members: src/Makefile.in:1.7.4.7->1.7.4.8 src/authenticate.c:1.12.4.1->1.12.4.2 src/cache_cf.c:1.18.4.16->1.18.4.17 src/cf.data.pre:1.21.4.10->1.21.4.11 src/cf_gen.c:1.7.8.9->1.7.8.10 src/main.c:1.19.4.4->1.19.4.5 src/protos.h:1.18.4.13->1.18.4.14 src/structs.h:1.24.4.12->1.24.4.13 src/typedefs.h:1.15.4.10->1.15.4.11 src/auth/basic/auth_basic.c:1.9.4.4->1.9.4.5 src/auth/digest/auth_digest.c:1.4.4.2->1.4.4.3 src/auth/ntlm/auth_ntlm.c:1.7.6.2->1.7.6.3 Index: squid/src/Makefile.in =================================================================== RCS file: /cvsroot/squid-sf//squid/src/Attic/Makefile.in,v retrieving revision 1.7.4.7 retrieving revision 1.7.4.8 diff -u -r1.7.4.7 -r1.7.4.8 --- squid/src/Makefile.in 26 Feb 2001 04:40:02 -0000 1.7.4.7 +++ squid/src/Makefile.in 26 Feb 2001 12:26:28 -0000 1.7.4.8 @@ -1,7 +1,7 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.in,v 1.7.4.7 2001/02/26 04:40:02 rbcollins Exp $ +# $Id: Makefile.in,v 1.7.4.8 2001/02/26 12:26:28 rbcollins Exp $ # # Uncomment and customize the following to suit your needs: # @@ -200,12 +200,7 @@ DEFAULTS = \ -DDEFAULT_CONFIG_FILE=\"$(DEFAULT_CONFIG_FILE)\" -all: squid.conf squid.conf.old - @for dir in $(SUBDIRS); do \ - echo "Making $@ in $$dir..."; \ - (cd $$dir ; $(MAKE) $(MFLAGS) prefix="$(prefix)" $@) || exit 1; \ - done - @$(MAKE) $(MFLAGS) $(PROGS) $(UTILS) $(SUID_UTILS) $(CGIPROGS) +all: squid.conf squid.conf.old $(PROGS) $(UTILS) $(SUID_UTILS) $(CGIPROGS) $(OBJS): $(top_srcdir)/include/version.h ../include/autoconf.h 
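Review bot: `all` now lists `squid.conf` as its first prerequisite, and that rule (in the `-250` hunk below) produces the file by executing the freshly built `$(SQUID_EXE)`, so a plain `make` now runs the daemon binary on the build host instead of only compiling it — that rules out cross-compiling and deserves a comment on the rule, e.g. `# squid.conf is generated by running the just-built binary; not cross-buildable`. Nothing in this hunk declares `all` as `.PHONY`; if the file does not do so elsewhere, a stray file named `all` in src/ would silently satisfy the target, so add `.PHONY: all`. The removed loop built every entry of `$(SUBDIRS)` unconditionally, whereas the replacement `store_modules`/`repl_modules`/`auth_modules`/`internal_modules` rules only cover fs, repl, auth and modules; if `$(SUBDIRS)` contained anything else, `all` no longer builds it.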
@@ -250,8 +245,7 @@ cache_cf.o: cf_parser.c squid.conf.old: cf_parser.c - @sh -c "test -f squid.conf || ./cf_gen cf.data" - @sh -c "mv squid.conf squid.conf.old" + @sh -c "test -f squid.conf.old || ./cf_gen cf.data" squid.conf: $(SQUID_EXE) @sh -c "./$(SQUID_EXE) -c internalonly -c all > squid.conf" @@ -284,17 +278,23 @@ s%@DEFAULT_PREFIX@%$(DEFAULT_PREFIX)%g;"\ < $(srcdir)/cf.data.pre >$@ -$(STORE_OBJS): - @sh -c "cd `dirname $@` && $(MAKE) $(MFLAGS) `basename $@`" +$(STORE_OBJS): store_modules -$(REPL_OBJS): - @sh -c "cd `dirname $@` && $(MAKE) $(MFLAGS) `basename $@`" +store_modules: + @echo "Making all in fs..."; \ + (cd fs ; $(MAKE) $(MFLAGS) prefix="$(prefix)" all) || exit 1; -repl_modules repl/stamp: - @sh -c "cd repl && $(MAKE) all" +$(REPL_OBJS): repl_modules -$(AUTH_OBJS): - @sh -c "cd `dirname $@` && $(MAKE) $(MFLAGS) `basename $@`" +repl_modules: + @echo "Making all in repl..."; \ + (cd repl ; $(MAKE) $(MFLAGS) prefix="$(prefix)" all) || exit 1; + +$(AUTH_OBJS): auth_modules + +auth_modules: + @echo "Making all in auth..."; \ + (cd auth ; $(MAKE) $(MFLAGS) prefix="$(prefix)" all) || exit 1; internal_modules.c: internal_modules.sh Makefile sh $(srcdir)/internal_modules.sh $(INTERNAL_MODULES) $(AUTH_MODULES) $(REPL_POLICIES) $(STORE_MODULES) >internal_modules.c 
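Review bot: `squid.conf: $(SQUID_EXE)` writes its target by shell redirection, `./$(SQUID_EXE) -c internalonly -c all > squid.conf`, so if the binary exits non-zero or dies mid-output a truncated squid.conf is left behind with a fresh timestamp and make treats it as up to date on the next run. Write to a temporary and move it into place: `@sh -c "./$(SQUID_EXE) -c internalonly -c all > squid.conf.tmp && mv -f squid.conf.tmp squid.conf"` (or, if this is GNU-make only, add `.DELETE_ON_ERROR:`). The `squid.conf.old` recipe is guarded by `test -f squid.conf.old`, so once the file exists it is never regenerated when `cf.data` or `cf_gen` change despite the `cf_parser.c` prerequisite; since cf_gen now writes `squid.conf.old` directly (see the `_PATH_SQUID_CONF` hunk), the guard appears to be unnecessary and could be dropped.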
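Review bot: `store_modules`, `repl_modules` and `auth_modules` never create a file of that name yet are not declared `.PHONY`, so make treats them as missing targets that are remade on every run, which in turn marks every `$(STORE_OBJS)`/`$(REPL_OBJS)`/`$(AUTH_OBJS)` out of date and appears to force a relink of the programs each time; a stray file with one of those names would instead skip the sub-make entirely. Declare them: `.PHONY: store_modules repl_modules auth_modules`. The `repl/stamp` target is dropped without replacement; if anything else in the tree still references it, that reference now fails. The trailing `|| exit 1;` after each parenthesised `$(MAKE)` is redundant (a non-zero status already fails the recipe line) but harmless.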
@@ -302,8 +302,11 @@ internal_modules.o: internal_modules.c $(CC) -c internal_modules.c $(CFLAGS) -I$(srcdir) -$(INTERNAL_MODULE_OBJS): - @sh -c "cd `dirname $@` && $(MAKE) $(MFLAGS) `basename $@`" +$(INTERNAL_MODULE_OBJS): internal_modules + +internal_modules: + @echo "Making all in modules..."; \ + (cd modules ; $(MAKE) $(MFLAGS) prefix="$(prefix)" all) || exit 1; install-mkdirs: -@if test ! -d $(prefix); then \ Index: squid/src/authenticate.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/authenticate.c,v retrieving revision 1.12.4.1 retrieving revision 1.12.4.2 diff -u -r1.12.4.1 -r1.12.4.2 --- squid/src/authenticate.c 14 Feb 2001 13:40:58 -0000 1.12.4.1 +++ squid/src/authenticate.c 26 Feb 2001 12:26:28 -0000 1.12.4.2 @@ -1,6 +1,6 @@ /* - * $Id: authenticate.c,v 1.12.4.1 2001/02/14 13:40:58 rbcollins Exp $ + * $Id: authenticate.c,v 1.12.4.2 2001/02/26 12:26:28 rbcollins Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels @@ -59,8 +59,8 @@ { authScheme *scheme; int i; - for (i = 0; i < Config.authConfig.n_configured; i++) { - scheme = Config.authConfig.schemes + i; + for (i = 0; i < Config.authSchemes.n_configured; i++) { + scheme = Config.authSchemes.schemes + i; if ((strncasecmp(proxy_auth, scheme->typestr, strlen(scheme->typestr)) == 0) && (authscheme_list[scheme->Id].Active())) return 1; @@ -343,14 +343,14 @@ } void -authenticateInit(authConfig * config) +authenticateInit(authSchemes * config) { int i; authScheme *scheme; for (i = 0; i < config->n_configured; i++) { scheme = config->schemes + i; if (authscheme_list[scheme->Id].init && authscheme_list[scheme->Id].configured()) { - authscheme_list[scheme->Id].init(scheme); + authscheme_list[scheme->Id].init(); } } if (!proxy_auth_username_cache) 
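Review bot: `internal_modules` is introduced as a target that never produces a file but is not declared `.PHONY`, and it now sits on the dependency path of `$(INTERNAL_MODULE_OBJS)`, so it is re-run on every invocation, while any file named `internal_modules` in src/ would make the target look up to date and silently skip the sub-make; with `internal_modules.c` and `internal_modules.o` living in the same directory such a collision is easy to hit. Add `.PHONY: internal_modules` next to the rule. The same applies to the `store_modules`/`repl_modules`/`auth_modules` rules in the previous hunk.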
@@ -408,8 +408,8 @@ int i; authScheme *scheme; /* call each configured & running authscheme */ - for (i = 0; i < Config.authConfig.n_configured; i++) { - scheme = Config.authConfig.schemes + i; + for (i = 0; i < Config.authSchemes.n_configured; i++) { + scheme = Config.authSchemes.schemes + i; if (authscheme_list[scheme->Id].Active()) authscheme_list[scheme->Id].authFixHeader(auth_user_request, rep, type, request); Index: squid/src/cache_cf.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cache_cf.c,v retrieving revision 1.18.4.16 retrieving revision 1.18.4.17 diff -u -r1.18.4.16 -r1.18.4.17 --- squid/src/cache_cf.c 26 Feb 2001 04:40:03 -0000 1.18.4.16 +++ squid/src/cache_cf.c 26 Feb 2001 12:26:28 -0000 1.18.4.17 @@ -1,6 +1,6 @@ /* - * $Id: cache_cf.c,v 1.18.4.16 2001/02/26 04:40:03 rbcollins Exp $ + * $Id: cache_cf.c,v 1.18.4.17 2001/02/26 12:26:28 rbcollins Exp $ * * DEBUG: section 3 Configuration File Parsing * AUTHOR: Harvest Derived 
@@ -1013,71 +1013,66 @@ return s == NULL; } +/* + * TODO: this is a bit clunky... + * + */ + static void -allocate_new_authScheme(authConfig * cfg) +allocate_new_authScheme(authSchemes * cfg) { if (cfg->schemes == NULL) { - cfg->n_allocated = 4; - cfg->schemes = xcalloc(cfg->n_allocated, sizeof(authScheme)); + cfg->n_allocated = 4; + cfg->schemes = xcalloc(cfg->n_allocated, sizeof(authScheme)); } if (cfg->n_allocated == cfg->n_configured) { - authScheme *tmp; - cfg->n_allocated <<= 1; - tmp = xcalloc(cfg->n_allocated, sizeof(authScheme)); - xmemcpy(tmp, cfg->schemes, cfg->n_configured * sizeof(authScheme)); - xfree(cfg->schemes); - cfg->schemes = tmp; + authScheme *tmp; + cfg->n_allocated <<= 1; + tmp = xcalloc(cfg->n_allocated, sizeof(authScheme)); + xmemcpy(tmp, cfg->schemes, cfg->n_configured * sizeof(authScheme)); + xfree(cfg->schemes); + cfg->schemes = tmp; } } -/* todo: turn these into wordlists - * The auth modules should implement the parsing themselves */ - static void -parse_authparam(parserNameNode *parserName, void * data) +parse_authscheme(parserNameNode *parserName, void * data) { - authConfig * config=data; + authSchemes * config=(authSchemes *) data; char *type_str; - char *param_str; authScheme *scheme = NULL; int type, i; if ((type_str = strtok(NULL, w_space)) == NULL) - self_destruct(); - - if ((param_str = strtok(NULL, w_space)) == NULL) - self_destruct(); + self_destruct(); if ((type = authenticateAuthSchemeId(type_str)) == -1) { - debug(3, 0) ("Parsing Config File: Unknown authentication scheme '%s'.\n", type_str); - return; + debug(3, 0) ("Parsing Config File: Unknown authentication scheme '%s'.\n", type_str); + return; } for (i = 0; i < config->n_configured; i++) { - if (config->schemes[i].Id == type) { - scheme = config->schemes + i; - } + if (config->schemes[i].Id == type) { + scheme = config->schemes + i; + } } if (scheme == NULL) { - allocate_new_authScheme(config); - scheme = config->schemes + config->n_configured; - 
config->n_configured++; - scheme->Id = type; - scheme->typestr = authscheme_list[type].typestr; + allocate_new_authScheme(config); + scheme = config->schemes + config->n_configured; + config->n_configured++; + scheme->Id = type; + scheme->typestr = authscheme_list[type].typestr; } } static void -free_authparam(parserNameNode *parserName, void * data) +free_authscheme(parserNameNode *parserName, void * data) { - authConfig * cfg=data; - authScheme *scheme; + authSchemes * cfg=(authSchemes *) data; + authScheme *scheme = NULL; int i; - /* DON'T FREE THESE FOR RECONFIGURE */ - if (reconfiguring) - return; for (i = 0; i < cfg->n_configured; i++) { - scheme = cfg->schemes + i; + scheme = cfg->schemes + i; } safe_free(cfg->schemes); cfg->schemes = NULL; @@ -1086,17 +1081,19 @@ } static void -dump_authparam(StoreEntry * entry, const char *name, void const * const data) +dump_authscheme(StoreEntry * entry, const char *name, void const * data) { - authConfig cfg=*(authConfig *)data; + authSchemes * cfg=*(authSchemes **) data; authScheme *scheme; int i; - for (i = 0; i < cfg.n_configured; i++) { - scheme = cfg.schemes + i; + for (i = 0; i < cfg->n_configured; i++) { + scheme = cfg->schemes + i; + storeAppendPrintf(entry, "%s %s\n", name, scheme->typestr); } } + CBDATA_TYPE(modNode); /* Operation of modNode cbdata: * config allocates the record, and free frees it. Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.21.4.10 retrieving revision 1.21.4.11 diff -u -r1.21.4.10 -r1.21.4.11 --- squid/src/cf.data.pre 26 Feb 2001 04:40:03 -0000 1.21.4.10 +++ squid/src/cf.data.pre 26 Feb 2001 12:26:28 -0000 1.21.4.11 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.21.4.10 2001/02/26 04:40:03 rbcollins Exp $ +# $Id: cf.data.pre,v 1.21.4.11 2001/02/26 12:26:28 rbcollins Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ 
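Review bot: The loop in `free_authscheme` now only assigns `scheme = cfg->schemes + i;` and never uses it, so it is dead code left over from the rewrite — either delete the loop and the `scheme` local, or, if per-scheme state owned by the modules is meant to be released here, make that call explicit. The `if (reconfiguring) return;` guard and its `DON'T FREE THESE FOR RECONFIGURE` comment are removed, so on reconfigure the `authSchemes` array is now freed and presumably repopulated by `parse_authscheme`; that looks intended now that `init()` no longer receives the scheme and modules keep their own state, but nothing in the hunk says so, and a one-line comment such as `/* safe to free on reconfigure: scheme state now lives in the auth modules */` would stop the next reader re-adding the guard. `parse_authscheme` also accepts a scheme that is already listed without any diagnostic; a `debug(3, 1)` message on the duplicate would help operators catch copy-paste errors in the new `authenticate_scheme` directive.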
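Review bot: `dump_authscheme` reads its argument as `*(authSchemes **) data`, but `parse_authscheme` and `free_authscheme` in the previous hunk treat the very same `data` as `(authSchemes *) data`, and the `LOC: Config.authSchemes` registration refers to a struct, not a pointer to one. If `data` points at the struct, the dump dereferences its first member (`schemes`, an `authScheme *`) as though it were an `authSchemes *`, so `cfg->n_configured` and `cfg->schemes` are read from inside the scheme array — garbage values that can make the configuration dump walk out of bounds. Make it consistent with the parser: `authSchemes *cfg = (authSchemes *) data;`.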
@@ -1206,17 +1206,14 @@ are sent. DOC_END -NAME: authentication_scheme -TYPE: authparam -LOC: Config.authConfig +NAME: authenticate_scheme +TYPE: authscheme +LOC: Config.authSchemes DEFAULT: none DOC_START - This is used to pass parameters to the various authentication - schemes. - format: auth_param scheme parameter [setting] - - auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - would tell the basic authentication scheme it's program parameter. + What order the configured authentication schemes should be + presented to the user agent. + format: authenticate_scheme scheme The order that authentication prompts are presented to the client_agent is dependant on the order the scheme first appears in config file. 
@@ -1226,105 +1223,6 @@ have difficulties (don't recognise the schemes offered even if you are using basic) then either put basic first, or disable the other schemes (by commenting out their program entry). - - Once an authentication scheme is fully configured, it can only be shutdown - by shutting squid down and restarting. Changes can be made on the fly and - activated with a reconfigure. I.E. You can change to a different helper, - but not unconfigure the helper completely. - - === Parameters for the digest scheme follow === - - "program" cmdline - Specify the command for the external authenticator. Such a - program reads a line containing "username":"realm" and replies - with the appropriate H(A1) value base64 encoded. See rfc 2616 for - the definition of H(A1). If you use an authenticator, - make sure you have 1 acl of type proxy_auth. By default, - authentication is not used. - - If you want to use build a authenticator, - jump over to the ../digest_auth_modules directory and choose the - authenticator to use. It it's directory type - % make - % make install - - Then, set this line to something like - - auth_param digest program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass - - - "children" numberofchildren - The number of authenticator processes to spawn (no default). If you - start too few Squid will have to wait for them to process a backlog - of H(A1) calculations, slowing it down. When the H(A1) calculations - are done via a (slow) network you are likely to need lots of - authenticator processes. - auth_param digest children 5 - - "realm" realmstring - Specifies the realm name which is to be reported to the client for - the digest proxy authentication scheme (part of the text the user will - see when prompted their username and password). There is no default. 
- auth_param digest realm Squid proxy-caching web server - - "nonce_garbage_interval" timeinterval - Specifies the interval that nonces that have been issued to client_agent's - are checked for validity. - - "nonce_max_duration" timeinterval - Specifies the maximum length of time a given nonce will be valid for. - - "nonce_max_count" number - Specifies the maximum number of times a given nonce can be used. - - === NTLM scheme options follow === - - "program" cmdline - Specify the command for the external ntlm authenticator. Such a - program reads a line containing the uuencoded NEGOTIATE and replies - with the ntlm CHALLENGE, then waits for the response and answers with - "OK" or "ERR" in an endless loop. If you use an ntlm authenticator, - make sure you have 1 acl of type proxy_auth. By default, the - ntlm authenticator_program is not used. - - auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth - - "children" numberofchildren - The number of authenticator processes to spawn (no default). If you - start too few Squid will have to wait for them to process a backlog - of credential verifications, slowing it down. When crendential - verifications are done via a (slow) network you are likely to need - lots of authenticator processes. - auth_param ntlm children 5 - - "max_challenge_reuses" number - The maximum number of times a challenge given by a ntlm authentication - helper can be reused. Increasing this number increases your exposure - to replay attacks on your network. 0 means use the challenge only once. - (disable challenge caching) - See max_ntlm_challenge_lifetime for more information. - auth_param ntlm max_challenge_reuses 0 - - "max_challenge_lifetime" timespan - The maximum time period that a ntlm challenge is reused over. - The actual period will be the minimum of this time AND the number of - reused challenges. 
- auth_param ntlm max_challenge_lifetime 2 minutes - -NOCOMMENT_START -#Recommended minimum configuration: -#auth_param digest program -#auth_param digest children 5 -#auth_param digest realm Squid proxy-caching web server -#auth_param digest nonce_garbage_interval 5 minutes -#auth_param digest nonce_max_duration 30 minutes -#auth_param digest nonce_max_count 50 -#auth_param ntlm program -#auth_param ntlm children 5 -#auth_param ntlm max_challenge_reuses 0 -#auth_param ntlm max_challenge_lifetime 2 minutes -#auth_param basic program -NOCOMMENT_END DOC_END NAME: authenticate_cache_garbage_interval Index: squid/src/cf_gen.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf_gen.c,v retrieving revision 1.7.8.9 retrieving revision 1.7.8.10 diff -u -r1.7.8.9 -r1.7.8.10 --- squid/src/cf_gen.c 24 Feb 2001 23:16:17 -0000 1.7.8.9 +++ squid/src/cf_gen.c 26 Feb 2001 12:26:28 -0000 1.7.8.10 @@ -1,6 +1,6 @@ /* - * $Id: cf_gen.c,v 1.7.8.9 2001/02/24 23:16:17 rbcollins Exp $ + * $Id: cf_gen.c,v 1.7.8.10 2001/02/26 12:26:28 rbcollins Exp $ * * DEBUG: none Generate squid.conf and cf_parser.c * AUTHOR: Max Okumoto @@ -44,8 +44,8 @@ * values, parserRegisterAllTypes() which registers * all the cf.data.pre types, parserRegisterAllNames() * which registers all the cf.data.pre Names. - * squid.conf - default configuration file given to the server - * administrator. + * squid.conf.old - legacy version of th default configuration + * file given to the server administrator. *****************************************************************************/ #include "config.h" 
@@ -77,7 +77,7 @@
#define MAX_LINE 1024 /* longest configuration line */
#define _PATH_PARSER "cf_parser.c"
-#define _PATH_SQUID_CONF "squid.conf"
+#define _PATH_SQUID_CONF "squid.conf.old"
enum State {
sSTART,
Index: squid/src/main.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/main.c,v
retrieving revision 1.19.4.4
retrieving revision 1.19.4.5
diff -u -r1.19.4.4 -r1.19.4.5
--- squid/src/main.c 24 Feb 2001 03:04:01 -0000 1.19.4.4
+++ squid/src/main.c 26 Feb 2001 12:26:28 -0000 1.19.4.5
@@ -1,6 +1,6 @@
/*
- * $Id: main.c,v 1.19.4.4 2001/02/24 03:04:01 rbcollins Exp $
+ * $Id: main.c,v 1.19.4.5 2001/02/26 12:26:28 rbcollins Exp $
*
* DEBUG: section 1 Startup and Main Loop
* AUTHOR: Harvest Derived
@@ -369,7 +369,7 @@
idnsInit();
#endif
redirectInit();
- authenticateInit(&Config.authConfig);
+ authenticateInit(&Config.authSchemes);
#if USE_WCCP
wccpInit();
#endif
@@ -410,7 +410,7 @@
dnsInit();
#endif
redirectInit();
- authenticateInit(&Config.authConfig);
+ authenticateInit(&Config.authSchemes);
}
static void
@@ -490,7 +490,7 @@
idnsInit();
#endif
redirectInit();
- authenticateInit(&Config.authConfig);
+ authenticateInit(&Config.authSchemes);
useragentOpenLog();
refererOpenLog();
httpHeaderInitModule(); /* must go before any header processing (e.g. the one in errorInitialize) */
Index: squid/src/protos.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/protos.h,v
retrieving revision 1.18.4.13
retrieving revision 1.18.4.14
diff -u -r1.18.4.13 -r1.18.4.14
--- squid/src/protos.h 25 Feb 2001 21:49:10 -0000 1.18.4.13
+++ squid/src/protos.h 26 Feb 2001 12:26:28 -0000 1.18.4.14
@@ -1,6 +1,6 @@
/*
- * $Id: protos.h,v 1.18.4.13 2001/02/25 21:49:10 rbcollins Exp $
+ * $Id: protos.h,v 1.18.4.14 2001/02/26 12:26:28 rbcollins Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -102,10 +102,11 @@ /* support for dynamic cache types */ extern void parserRegisterType(const char *, PARSER_PARSE *, PARSER_FREE *, PARSER_DUMP *); extern void parserDeregisterType(parserTypeNode *); -extern parserTypeNode *parserTypeByName(const char *typestr); +extern parserTypeNode *parserTypeByName(const char *); /* name, type */ extern void parserRegisterName(const char *, parserTypeNode *, void *, PARSER_DEFAULT_NONE *, PARSER_NAME_DOCUMENT *); extern void parserDeregisterName(parserNameNode *); +extern parserNameNode *parserNameByName(const char *); /* @@ -736,7 +737,7 @@ extern auth_user_t *authenticateAuthUserNew(const char *); extern int authenticateAuthSchemeId(const char *typestr); extern void authenticateStart(auth_user_request_t *, RH *, void *); -extern void authenticateInit(authConfig *); +extern void authenticateInit(authSchemes *); extern void authenticateShutdown(void); extern void authenticateFixHeader(HttpReply *, auth_user_request_t *, request_t *, int); extern void authenticateAddTrailer(HttpReply *, auth_user_request_t *, request_t *, int); Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.24.4.12 retrieving revision 1.24.4.13 diff -u -r1.24.4.12 -r1.24.4.13 --- squid/src/structs.h 26 Feb 2001 04:40:03 -0000 1.24.4.12 +++ squid/src/structs.h 26 Feb 2001 12:26:28 -0000 1.24.4.13 @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.24.4.12 2001/02/26 04:40:03 rbcollins Exp $ + * $Id: structs.h,v 1.24.4.13 2001/02/26 12:26:28 rbcollins Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ 
@@ -594,11 +594,11 @@
acl_access *reply;
} accessList;
acl_deny_info_list *denyInfoList;
- struct _authConfig {
+ struct _authSchemes {
authScheme *schemes;
int n_allocated;
- int n_configured;
- } authConfig;
+ int n_configured;
+ } authSchemes;
struct {
size_t list_width;
int list_wrap;
Index: squid/src/typedefs.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/typedefs.h,v
retrieving revision 1.15.4.10
retrieving revision 1.15.4.11
diff -u -r1.15.4.10 -r1.15.4.11
--- squid/src/typedefs.h 26 Feb 2001 04:40:03 -0000 1.15.4.10
+++ squid/src/typedefs.h 26 Feb 2001 12:26:29 -0000 1.15.4.11
@@ -1,6 +1,6 @@
/*
- * $Id: typedefs.h,v 1.15.4.10 2001/02/26 04:40:03 rbcollins Exp $
+ * $Id: typedefs.h,v 1.15.4.11 2001/02/26 12:26:29 rbcollins Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -154,7 +154,7 @@
typedef struct _StatCounters StatCounters;
typedef struct _tlv tlv;
typedef struct _storeSwapLogData storeSwapLogData;
-typedef struct _authConfig authConfig;
+typedef struct _authSchemes authSchemes;
typedef struct _cacheSwap cacheSwap;
typedef struct _StatHist StatHist;
typedef struct _String String;
@@ -321,7 +321,7 @@
typedef void AUTHSFREE(auth_user_t *);
typedef char *AUTHSUSERNAME(auth_user_t *);
typedef void AUTHSONCLOSEC(ConnStateData *);
-typedef void AUTHSINIT(authScheme *);
+typedef void AUTHSINIT(void);
typedef void AUTHSREQFREE(auth_user_request_t *);
typedef void AUTHSSETUP(authscheme_entry_t *);
typedef void AUTHSSHUTDOWN(void);
Index: squid/src/auth/basic/auth_basic.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/basic/auth_basic.c,v
retrieving revision 1.9.4.4
retrieving revision 1.9.4.5
diff -u -r1.9.4.4 -r1.9.4.5
--- squid/src/auth/basic/auth_basic.c 26 Feb 2001 04:40:04 -0000 1.9.4.4
+++ squid/src/auth/basic/auth_basic.c 26 Feb 2001 12:26:29 -0000 1.9.4.5
@@ -84,19 +84,19 @@ printf("# TAG: authenticate_basic_program cmdline\n" "#\tSpecify the command for the external authenticator. Such a\n" "#\tprogram reads a line containing \"username password\" and replies\n" -"#\t \"OK\" or \"ERR\" in an endless loop. If you use an authenticator,\n" -"#\t make sure you have 1 acl of type proxy_auth. By default, the\n" -"#\t authenticate_program is not used.\n" +"#\t\"OK\" or \"ERR\" in an endless loop. If you use an authenticator,\n" +"#\tmake sure you have 1 acl of type proxy_auth. By default, the\n" +"#\tauthenticate_program is not used.\n" "#\n" -"#\t If you want to use the traditional proxy authentication,\n" -"#\t jump over to the ../auth_modules/NCSA directory and\n" -"#\t type:\n" -"#\t %% make\n" -"#\t %% make install\n" +"#\tIf you want to use the traditional proxy authentication,\n" +"#\tjump over to the src/auth/basic/helpers/NCSA directory and\n" +"#\ttype:\n" +"#\t %% make\n" +"#\t %% make install\n" "#\n" -"#\t Then, set this line to something like\n" +"#\tThen, set this line to something like\n" "#\n" -"#\t auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd\n\n"); +"#\tauth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd\n\n"); } static void @@ -118,7 +118,7 @@ printf("# TAG: authenticate_basic_realm realm\n" "#\tSpecifies the realm name which is to be reported to the client for\n" "#\tthe basic proxy authentication scheme (part of the text the user will\n" -"#\tsee when prompted their username and password). Their is no default.\n" +"#\tsee when prompted their username and password).\n" "#\tauth_param basic realm Squid proxy-caching web server\n" "#Default:\n" "# authenticate_basic_realm Squid proxy-caching web server\n\n"); 
@@ -153,12 +153,23 @@ default_line("authenticate_basic_realm Squid proxy-caching web server"); parserRegisterName("authenticate_basic_ttl", parserTypeByName("time_t"), &basicConfig.credentialsTTL, NULL, authBasicDocumentTTL); default_line("authenticate_basic_ttl 2 hours"); + + /* until we support mod_uninstall we need to keep the names active indefinately */ + cbdataLock(parserNameByName("authenticate_basic_program")); + cbdataLock(parserNameByName("authenticate_basic_children")); + cbdataLock(parserNameByName("authenticate_basic_realm")); + cbdataLock(parserNameByName("authenticate_basic_ttl")); } /* deregister as a module */ unsigned int mod_uninstall_basic(const char *namestr) { - /* deregistration not supported for this module */ + /* deregistration should simply _queue_ the wish to deregister. + * Actual deregistration takes place when their are no more references + * to anything. + * this work will be undertaken in auth_rewrite when the configuration + * and modules work is merged via HEAD. + */ return 0; } @@ -215,6 +226,7 @@ if ((basicConfig.authenticate != NULL) && (basicConfig.authenticateChildren != 0) && (basicConfig.basicAuthRealm != NULL)) { + requirePathnameExists("authenticate_basic_program", basicConfig.authenticate->key); debug(29, 9) ("authBasicConfigured: returning configured\n"); return 1; } @@ -549,7 +561,7 @@ /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the * config file */ static void -authBasicInit(authScheme * scheme) +authBasicInit(void) { static int init = 0; if (basicConfig.authenticate) { Index: squid/src/auth/digest/auth_digest.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/digest/auth_digest.c,v retrieving revision 1.4.4.2 retrieving revision 1.4.4.3 diff -u -r1.4.4.2 -r1.4.4.3 --- squid/src/auth/digest/auth_digest.c 25 Feb 2001 14:08:01 -0000 1.4.4.2 +++ squid/src/auth/digest/auth_digest.c 26 Feb 2001 12:26:30 -0000 1.4.4.3 
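Review bot: `mod_install_basic` now takes a permanent `cbdataLock` on each registered name while `mod_uninstall_basic` still deregisters nothing and returns 0, so after an "uninstall" the parser keeps entries whose `data` pointers (`&basicConfig.*`) point into this module — if modules are ever actually unloaded from memory, the config parser and dumper will follow dangling pointers. The comment defers this to `auth_rewrite`; until then the function should at least not look like a success, e.g. `debug(29, 0) ("mod_uninstall_basic: deregistration not yet supported\n");` before the `return 0;`, or the meaning of the return value should be documented. `cbdataLock(parserNameByName(...))` also assumes the lookup cannot return NULL; that holds only because the names were registered a few lines earlier, which a short comment should say.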
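Review bot: `authBasicConfigured` is a predicate — it is what `authenticateInit` in authenticate.c calls as `configured()` — yet it now performs `requirePathnameExists(...)` on every evaluation, a check that, if it follows the other Squid `require*` helpers, fatally aborts on a missing file; a query function with a fatal side effect and a stat() per call is surprising. Move the existence check to the one-shot `authBasicInit` or to parse time and keep the predicate pure. Existence is also a weak check for a path that Squid will exec with its own privileges: it establishes neither that the file is executable nor that it is owned by a trusted user, so a comment noting what is and is not verified would be worthwhile. The enclosing function begins outside the hunk.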
@@ -64,12 +64,9 @@ static AUTHSCONFIGURED authDigestConfigured; static AUTHSDIRECTION authenticateDigestDirection; static AUTHSDECODE authenticateDigestDecodeAuth; -static AUTHSDUMP authDigestCfgDump; static AUTHSFIXERR authenticateDigestFixHeader; static AUTHSFREE authenticateDigestUserFree; -static AUTHSFREECONFIG authDigestFreeConfig; static AUTHSINIT authDigestInit; -static AUTHSPARSE authDigestParse; static AUTHSREQFREE authDigestAURequestFree; static AUTHSSTART authenticateDigestStart; static AUTHSSTATS authenticateDigestStats; @@ -80,7 +77,7 @@ static hash_table *digest_nonce_cache; -static auth_digest_config *digestConfig = NULL; +static auth_digest_config digestConfig = { 0, NULL, NULL, 0, 0, 0}; static int authdigest_initialised = 0; MemPool *digest_user_pool = NULL; @@ -211,7 +208,7 @@ if (!digest_nonce_cache) { digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); assert(digest_nonce_cache); - eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, digestConfig->nonceGCInterval, 1); + eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, digestConfig.nonceGCInterval, 1); } } @@ -271,7 +268,7 @@ } debug(29, 3) ("authenticateDigestNonceCacheCleanup: Finished cleaning the nonce cache.\n"); if (authenticateDigestActive()) - eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, digestConfig->nonceGCInterval, 1); + eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, digestConfig.nonceGCInterval, 1); } void 
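Review bot: `digestConfig` becomes a zero-initialised static (`{ 0, NULL, NULL, 0, 0, 0}`), so until an `authenticate_digest_*` directive is parsed `nonceGCInterval`, `noncemaxduration` and `noncemaxuses` are all 0, and the two `eventAdd(..., digestConfig.nonceGCInterval, 1)` calls in this hunk would then schedule the nonce-cache cleanup with a zero delay. The positional initializer also silently depends on the member order of `auth_digest_config`, which is not visible here; a comment naming the field each value initialises would make a later reordering of the struct obvious at this line.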
@@ -357,8 +354,8 @@ if (!nonce) return -1; /* has it's max duration expired? */ - if (nonce->noncedata.creationtime + digestConfig->noncemaxduration < current_time.tv_sec) { - debug(29, 4) ("authDigestNonceIsStale: Nonce is too old. %d %d %d\n", nonce->noncedata.creationtime, digestConfig->noncemaxduration, current_time.tv_sec); + if (nonce->noncedata.creationtime + digestConfig.noncemaxduration < current_time.tv_sec) { + debug(29, 4) ("authDigestNonceIsStale: Nonce is too old. %d %d %d\n", nonce->noncedata.creationtime, digestConfig.noncemaxduration, current_time.tv_sec); nonce->flags.valid = 0; return -1; } @@ -367,7 +364,7 @@ nonce->flags.valid = 0; return -1; } - if (nonce->nc > digestConfig->noncemaxuses) { + if (nonce->nc > digestConfig.noncemaxuses) { debug(29, 4) ("authDigestNoncelastRequest: Nonce count over user limit\n"); nonce->flags.valid = 0; return -1; @@ -386,7 +383,7 @@ debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to overflow\n"); return -1; } - if (nonce->nc == digestConfig->noncemaxuses - 1) { + if (nonce->nc == digestConfig.noncemaxuses - 1) { debug(29, 4) ("authDigestNoncelastRequest: Nonce count about to hit user limit\n"); return -1; } 
@@ -555,30 +552,101 @@ debug(29, 2) ("authenticateDigestDone: Digest authentication shut down.\n"); } +/* register as a module */ + static void -authDigestCfgDump(StoreEntry * entry, const char *name, authScheme * scheme) +authDigestDocumentProgram(void) { - auth_digest_config *config = scheme->scheme_data; - wordlist *list = config->authenticate; - debug(29, 9) ("authDigestCfgDump: Dumping configuration\n"); - storeAppendPrintf(entry, "%s %s", name, "digest"); - while (list != NULL) { - storeAppendPrintf(entry, " %s", list->key); - list = list->next; - } - storeAppendPrintf(entry, "\n%s %s realm %s\n%s %s children %d\n%s %s nonce_max_count %d\n%s %s nonce_max_duration %d seconds\n%s %s nonce_garbage_interval %d seconds\n", - name, "digest", config->digestAuthRealm, - name, "digest", config->authenticateChildren, - name, "digest", config->noncemaxuses, - name, "digest", config->noncemaxduration, - name, "digest", config->nonceGCInterval); + printf("# TAG: authenticate_digest_program cmdline\n" +"#\tSpecify the command for the external authenticator. Such a\n" +"#\tprogram reads a line containing \"username\":\"realm\" and replies\n" +"#\twith the appropriate H(A1) value base64 encoded. See rfc 2616 for\n" +"#\tthe definition of H(A1). If you use an authenticator,\n" +"#\tmake sure you have 1 acl of type proxy_auth. By default,\n" +"#\tauthentication is not used.\n" +"#\n" +"#\tIf you want to use build a authenticator,\n" +"#\tjump over to the ../digest_auth_modules directory and choose the\n" +"#\tauthenticator to use. It it's directory type\n" +"#\t %% make\n" +"#\t %% make install\n" +"#\n" +"#\tThen, set this line to something like\n" +"#\n" +"#\tauthenticate_digest_program @DEFAULT_PREFIX@/bin/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass\n\n"); +} + +static void +authBasicDocumentChildren(void) +{ + printf("# TAG: authenticate_digest_children numberofchildren\n" +"#\tThe number of authenticator processes to spawn (no default). 
If you\n" +"#\tstart too few Squid will have to wait for them to process a backlog\n" +"#\tof H(A1) calculations, slowing it down. When the H(A1) calculations\n" +"#\tare done via a (slow) network you are likely to need lots of\n" +"#\tauthenticator processes.\n" +"#Default:\n" +"# authenticate_digest_childrem 5\n\n"); +} + +static void +authBasicDocumentRealm(void) +{ + printf("# TAG: authenticate_digest_realm realmstring\n" +"#\tSpecifies the realm name which is to be reported to the client for\n" +"#\tthe digest proxy authentication scheme (part of the text the user will\n" +"#\tsee when prompted their username and password).\n" +"#\tauth_param digest realm Squid proxy-caching web server\n" +"#Default:\n" +"# authenticate_digest_realm Squid proxy-caching web server\n\n"); +} + +static void +authBasicDocumentGCInterval(void) +{ + printf("# TAG: authenticate_digest_nonce_garbage_interval interval\n" +"#\tSpecifies the interval that nonces that have been issued to client_agent's\n" +"#\tare checked for validity.\n" +"#Default:\n" +"# authenticate_digest_nonce_garbage_interval 5 minutes\n\n"); +} + +static void +authBasicDocumentNonceDuration(void) +{ + printf("# TAG: authenticate_digest_nonce_max_duration duration\n" +"#\tSpecifies the maximum length of time a given nonce will be valid for.\n" +"#Default:\n" +"# authenticate_digest_nonce_max_duration 30 minutes\n\n"); +} + +static void +authBasicDocumentNonceCount(void) +{ + printf("# TAG: authenticate_digest_nonce_max_count count\n" +"#\tSpecifies the maximum number of times a given nonce can be used.\n" +"#Default:\n" +"# authenticate_digest_nonce_max_count 50\n\n"); } -/* register as a module */ void mod_install_digest (const char *namestr) { authSchemeAdd(namestr, authSchemeSetup_digest); + parserRegisterName("authenticate_digest_program", parserTypeByName("wordlist"), &digestConfig.authenticate, NULL, authDigestDocumentProgram); + parserRegisterName("authenticate_digest_children", parserTypeByName("int"), 
&digestConfig.authenticateChildren, NULL, authBasicDocumentChildren); + parserRegisterName("authenticate_digest_realm", parserTypeByName("eol"), &digestConfig.digestAuthRealm, NULL, authBasicDocumentRealm); + parserRegisterName("authenticate_digest_nonce_garbage_interval", parserTypeByName("time_t"), &digestConfig.nonceGCInterval, NULL, authBasicDocumentGCInterval); + parserRegisterName("authenticate_digest_nonce_max_duration", parserTypeByName("time_t"), &digestConfig.noncemaxduration, NULL, authBasicDocumentNonceDuration); + parserRegisterName("authenticate_digest_nonce_max_count", parserTypeByName("int"), &digestConfig.noncemaxuses, NULL, authBasicDocumentNonceCount); + + /* until we support mod_uninstall we need to keep the names active indefinately */ + cbdataLock(parserNameByName("authenticate_digest_program")); + cbdataLock(parserNameByName("authenticate_digest_children")); + cbdataLock(parserNameByName("authenticate_digest_realm")); + cbdataLock(parserNameByName("authenticate_digest_nonce_garbage_interval")); + cbdataLock(parserNameByName("authenticate_digest_nonce_max_duration")); + cbdataLock(parserNameByName("authenticate_digest_nonce_max_count")); } /* deregister as a module */ @@ -594,9 +662,6 @@ assert(!authdigest_initialised); authscheme->Active = authenticateDigestActive; authscheme->configured = authDigestConfigured; - authscheme->parse = authDigestParse; - authscheme->freeconfig = authDigestFreeConfig; - authscheme->dump = authDigestCfgDump; authscheme->init = authDigestInit; authscheme->authAuthenticate = authenticateDigestAuthenticateUser; authscheme->authenticated = authDigestAuthenticated; 
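Review bot: Every new documentation function prints a `#Default:` line (`authenticate_digest_children 5`, `realm Squid proxy-caching web server`, `nonce_garbage_interval 5 minutes`, `nonce_max_duration 30 minutes`, `nonce_max_count 50`), but `mod_install_digest` registers each name without a `default_line(...)` call — unlike `mod_install_basic` in auth_basic.c, which follows each `parserRegisterName` with one — so none of those defaults is applied and the fields keep the zero values from the static initializer; by the checks in `authDigestNonceIsStale` (`creationtime + noncemaxduration < current_time` and `nc > noncemaxuses`) a digest setup that omits these directives then has every nonce stale on issue, i.e. the documentation promises defaults the code does not deliver. Add a `default_line("authenticate_digest_children 5")` and the other four documented defaults after the corresponding `parserRegisterName` calls. The helpers are also misnamed for this module (`authBasicDocumentChildren` etc. inside auth_digest.c), the children text reads `authenticate_digest_childrem`, and the realm text still quotes the old `auth_param digest realm` syntax.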
@@ -624,10 +689,12 @@ int authDigestConfigured() { - if ((digestConfig != NULL) && (digestConfig->authenticate != NULL) && - (digestConfig->authenticateChildren != 0) && - (digestConfig->digestAuthRealm != NULL) && (digestConfig->noncemaxduration > -1)) + if ((digestConfig.authenticate != NULL) && + (digestConfig.authenticateChildren != 0) && + (digestConfig.digestAuthRealm != NULL) && (digestConfig.noncemaxduration > -1)) { + requirePathnameExists("authenticate_digest_program", digestConfig.authenticate->key); return 1; + } return 0; } @@ -750,7 +817,7 @@ return; #endif - if ((digestConfig->authenticate) && authDigestNonceLastRequest(digest_request->nonce)) { + if ((digestConfig.authenticate) && authDigestNonceLastRequest(digest_request->nonce)) { digest_request->flags.authinfo_sent = 1; debug(29, 9) ("authDigestAddHead: Sending type:%d header: 'nextnonce=\"%s\"", type, authenticateDigestNonceNonceb64(digest_request->nonce)); httpHeaderPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(digest_request->nonce)); @@ -776,7 +843,7 @@ return; type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO; - if ((digestConfig->authenticate) && authDigestNonceLastRequest(digest_request->nonce)) { + if ((digestConfig.authenticate) && authDigestNonceLastRequest(digest_request->nonce)) { debug(29, 9) ("authDigestAddTrailer: Sending type:%d header: 'nextnonce=\"%s\"", type, authenticateDigestNonceNonceb64(digest_request->nonce)); httpTrailerPutStrf(&rep->header, type, "nextnonce=\"%s\"", authenticateDigestNonceNonceb64(digest_request->nonce)); } 
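Review bot: The `requirePathnameExists("authenticate_digest_program", digestConfig.authenticate->key);` added to authDigestConfigured() places a filesystem check (and, presumably, a fatal exit on failure) inside a predicate that callers may evaluate repeatedly at runtime, whereas the deleted authDigestParse ran it once while the config was being read; the same pattern is added to authNTLMConfigured in the `@@ -277,9 +279,10 @@` hunk. Running the check once on the init path (authDigestInit / authNTLMInit) keeps both `configured` predicates side-effect free and still fails at startup as before. The `digestConfig.authenticateChildren != 0` test now also depends on the default of 5 being applied somewhere else: the deleted authDigestParse is what set it, and unlike mod_install_ntlm the digest registration emits no `default_line(...)` calls, so confirm that the static initialiser or a default line supplies it, otherwise the scheme reports unconfigured unless the admin sets children explicitly.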
@@ -794,10 +861,10 @@ digest_request = auth_user_request->scheme_data; stale = authDigestNonceIsStale(digest_request->nonce); } - if (digestConfig->authenticate) { - debug(29, 9) ("authenticateFixHeader: Sending type:%d header: 'Digest realm=\"%s\", nonce=\"%s\", qop=\"%s\", stale=%s\n", type, digestConfig->digestAuthRealm, authenticateDigestNonceNonceb64(nonce), QOP_AUTH, stale ? "true" : "false"); + if (digestConfig.authenticate) { + debug(29, 9) ("authenticateFixHeader: Sending type:%d header: 'Digest realm=\"%s\", nonce=\"%s\", qop=\"%s\", stale=%s\n", type, digestConfig.digestAuthRealm, authenticateDigestNonceNonceb64(nonce), QOP_AUTH, stale ? "true" : "false"); /* in the future, for WWW auth we may want to support the domain entry */ - httpHeaderPutStrf(&rep->header, type, "Digest realm=\"%s\", nonce=\"%s\", qop=\"%s\", stale=%s", digestConfig->digestAuthRealm, authenticateDigestNonceNonceb64(nonce), QOP_AUTH, stale ? "true" : "false"); + httpHeaderPutStrf(&rep->header, type, "Digest realm=\"%s\", nonce=\"%s\", qop=\"%s\", stale=%s", digestConfig.digestAuthRealm, authenticateDigestNonceNonceb64(nonce), QOP_AUTH, stale ? "true" : "false"); } } 
@@ -862,18 +929,18 @@ /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the * config file */ static void -authDigestInit(authScheme * scheme) +authDigestInit(void) { static int init = 0; - if (digestConfig->authenticate) { + if (digestConfig.authenticate) { authDigestUserSetup(); authDigestRequestSetup(); authenticateDigestNonceSetup(); authdigest_initialised = 1; if (digestauthenticators == NULL) digestauthenticators = helperCreate("digestauthenticator"); - digestauthenticators->cmdline = digestConfig->authenticate; - digestauthenticators->n_to_start = digestConfig->authenticateChildren; + digestauthenticators->cmdline = digestConfig.authenticate; + digestauthenticators->n_to_start = digestConfig.authenticateChildren; digestauthenticators->ipc_type = IPC_TCP_SOCKET; helperOpenServers(digestauthenticators); if (!init) { 
@@ -885,61 +952,6 @@ } } - -/* free any allocated configuration details */ -void -authDigestFreeConfig(authScheme * scheme) -{ - if (digestConfig == NULL) - return; - assert(digestConfig == scheme->scheme_data); - if (digestConfig->authenticate) - wordlistDestroy(&digestConfig->authenticate); - if (digestConfig->digestAuthRealm) - safe_free(digestConfig->digestAuthRealm); - xfree(digestConfig); - digestConfig = NULL; -} - -static void -authDigestParse(parserNameNode *parserName, authScheme * scheme, int n_configured, char *param_str) -{ - if (scheme->scheme_data == NULL) { - assert(digestConfig == NULL); - /* this is the first param to be found */ - scheme->scheme_data = xmalloc(sizeof(auth_digest_config)); - memset(scheme->scheme_data, 0, sizeof(auth_digest_config)); - digestConfig = scheme->scheme_data; - digestConfig->authenticateChildren = 5; - /* 5 minutes */ - digestConfig->nonceGCInterval = 5 * 60; - /* 30 minutes */ - digestConfig->noncemaxduration = 30 * 60; - /* 50 requests */ - digestConfig->noncemaxuses = 50; - } - digestConfig = scheme->scheme_data; - if (strcasecmp(param_str, "program") == 0) { - if (digestConfig->authenticate) - free_wordlist(parserName, &digestConfig->authenticate); - parse_wordlist(parserName, &digestConfig->authenticate); - requirePathnameExists("authparam digest program", digestConfig->authenticate->key); - } else if (strcasecmp(param_str, "children") == 0) { - parse_int(parserName, &digestConfig->authenticateChildren); - } else if (strcasecmp(param_str, "realm") == 0) { - parse_eol(parserName, &digestConfig->digestAuthRealm); - } else if (strcasecmp(param_str, "nonce_garbage_interval") == 0) { - parse_time_t(parserName, &digestConfig->nonceGCInterval); - } else if (strcasecmp(param_str, "nonce_max_duration") == 0) { - parse_time_t(parserName, &digestConfig->noncemaxduration); - } else if (strcasecmp(param_str, "nonce_max_count") == 0) { - parse_int(parserName, &digestConfig->noncemaxuses); - } else { - debug(28, 0) 
("unrecognised digest auth scheme parameter '%s'\n", param_str); - } -} - - static void authenticateDigestStats(StoreEntry * sentry) { @@ -1326,7 +1338,7 @@ digest_user = auth_user_request->auth_user->scheme_data; debug(29, 9) ("authenticateStart: '\"%s\":\"%s\"'\n", digest_user->username, digest_request->realm); - if (digestConfig->authenticate == NULL) { + if (digestConfig.authenticate == NULL) { handler(data, NULL); return; } Index: squid/src/auth/ntlm/auth_ntlm.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v retrieving revision 1.7.6.2 retrieving revision 1.7.6.3 diff -u -r1.7.6.2 -r1.7.6.3 --- squid/src/auth/ntlm/auth_ntlm.c 25 Feb 2001 14:08:01 -0000 1.7.6.2 +++ squid/src/auth/ntlm/auth_ntlm.c 26 Feb 2001 12:26:30 -0000 1.7.6.3 @@ -61,13 +61,10 @@ static AUTHSFREE authenticateNTLMFreeUser; static AUTHSDIRECTION authenticateNTLMDirection; static AUTHSDECODE authenticateDecodeNTLMAuth; -static AUTHSDUMP authNTLMCfgDump; -static AUTHSFREECONFIG authNTLMFreeConfig; static AUTHSINIT authNTLMInit; static AUTHSONCLOSEC authenticateNTLMOnCloseConnection; static AUTHSUSERNAME authenticateNTLMUsername; static AUTHSREQFREE authNTLMAURequestFree; -static AUTHSPARSE authNTLMParse; static AUTHSSTART authenticateNTLMStart; static AUTHSSTATS authenticateNTLMStats; static AUTHSSHUTDOWN authNTLMDone; @@ -85,7 +82,7 @@ MemPool *ntlm_helper_state_pool = NULL; MemPool *ntlm_user_pool = NULL; MemPool *ntlm_request_pool = NULL; -static auth_ntlm_config *ntlmConfig = NULL; +static auth_ntlm_config ntlmConfig = { 0, NULL, 0, 0 }; static hash_table *proxy_auth_cache = NULL; 
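Review bot: `static auth_ntlm_config ntlmConfig = { 0, NULL, 0, 0 };` is a positional initialiser that silently depends on the member order of auth_ntlm_config, which is declared outside this file; since every member is being set to its zero value, `static auth_ntlm_config ntlmConfig = { 0 };` expresses the same thing without that dependency. The defaults the deleted authNTLMParse used to apply (children 5, challengelifetime 60) are not in this initialiser and now rest entirely on the default_line() calls in mod_install_ntlm (which also changes the lifetime default to 2 minutes); if those lines are not fed through the parser before authNTLMConfigured() runs, `authenticateChildren` stays 0 and the scheme never reports configured.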
@@ -93,13 +90,82 @@ * Module support */ +/* parse functions */ + +static void +authNTLMDocumentProgram(void) +{ + printf("# TAG: authenticate_ntlm_program cmdline\n" +"#\tSpecify the command for the external ntlm authenticator. Such a\n" +"#\tprogram reads a line containing the uuencoded NEGOTIATE and replies\n" +"#\twith the ntlm CHALLENGE, then waits for the response and answers with\n" +"#\t\"OK\" or \"ERR\" in an endless loop. If you use an ntlm authenticator,\n" +"#\tmake sure you have 1 acl of type proxy_auth. By default, the\n" +"#\tntlm authenticator_program is not used.\n" +"#\n" +"#\tauth_param ntlm program /usr/local/squid/bin/ntlm_auth\n\n"); +} + +static void +authNTLMDocumentChildren(void) +{ + printf("# TAG: authenticate_ntlm_children children\n" +"#\tThe number of authenticator processes to spawn (no default). If you\n" +"#\tstart too few Squid will have to wait for them to process a backlog\n" +"#\tof credential verifications, slowing it down. When crendential\n" +"#\tverifications are done via a (slow) network you are likely to need\n" +"#\tlots of authenticator processes.\n" +"#Default:\n" +"# authenticate_ntlm_children 5\n\n"); +} + +static void +authNTLMDocumentChallengeUses(void) +{ + printf("# TAG: authenticate_ntlm_max_challenge_reuses reusecount\n" +"#\tThe maximum number of times a challenge given by a ntlm authentication\n" +"#\thelper can be reused. Increasing this number increases your exposure\n" +"#\tto replay attacks on your network. 
0 means use the challenge only once.\n" +"#\t(disable challenge caching)\n" +"#\tSee max_ntlm_challenge_lifetime for more information.\n" +"#Default:\n" +"# authenticate_ntlm_max_challenge_reuses 0\n\n"); +} + +static void +authNTLMDocumentChallengeLifetime(void) +{ + printf("# TAG: authenticate_ntlm_max_challenge_lifetime lifetime\n" +"#\tThe maximum time period that a ntlm challenge is reused over.\n" +"#\tThe actual period will be the minimum of this time AND the number of\n" +"#\treused challenges.\n" +"#Default:\n" +"# authenticate_ntlm_max_challenge_lifetime 2 minutes\n\n"); +} + /* register as a module */ void mod_install_ntlm (const char *namestr) { authSchemeAdd(namestr, authSchemeSetup_ntlm); + parserRegisterName("authenticate_ntlm_program", parserTypeByName("wordlist"), &ntlmConfig.authenticate, NULL, authNTLMDocumentProgram); + parserRegisterName("authenticate_ntlm_children", parserTypeByName("int"), &ntlmConfig.authenticateChildren, NULL, authNTLMDocumentChildren); + default_line("authenticate_ntlm_children 5"); + parserRegisterName("authenticate_ntlm_max_challenge_reuses", parserTypeByName("int"), &ntlmConfig.challengeuses, NULL, authNTLMDocumentChallengeUses); + default_line("authenticate_ntlm_max_challenge_reuses 0"); + parserRegisterName("authenticate_ntlm_max_challenge_lifetime", parserTypeByName("time_t"), &ntlmConfig.challengelifetime, NULL, authNTLMDocumentChallengeLifetime); + default_line("authenticate_ntlm_max_challenge_lifetime 2 minutes"); + + /* until we support mod_uninstall we need to keep the names active indefinately */ + cbdataLock(parserNameByName("authenticate_ntlm_program")); + cbdataLock(parserNameByName("authenticate_ntlm_children")); + cbdataLock(parserNameByName("authenticate_max_challenge_reuses")); + cbdataLock(parserNameByName("authenticate_max_challenge_lifetime")); } + + + /* deregister as a module */ unsigned int mod_uninstall_ntlm(const char *namestr) { 
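Review bot: The last two cbdataLock() calls in mod_install_ntlm look up `"authenticate_max_challenge_reuses"` and `"authenticate_max_challenge_lifetime"`, but the names registered a few lines earlier are `authenticate_ntlm_max_challenge_reuses` and `authenticate_ntlm_max_challenge_lifetime`, so those two registrations are never locked and cbdataLock is handed whatever parserNameByName returns for an unknown name (possibly NULL). The lines should read `cbdataLock(parserNameByName("authenticate_ntlm_max_challenge_reuses"));` and `cbdataLock(parserNameByName("authenticate_ntlm_max_challenge_lifetime"));`. In the help text, authNTLMDocumentChallengeUses refers the reader to `max_ntlm_challenge_lifetime`, which is not a registered tag either and should name `authenticate_ntlm_max_challenge_lifetime`; the authenticate_ntlm_children text says "(no default)" immediately before printing a default of 5, and "crendential" is a typo for "credential".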
@@ -144,77 +210,13 @@ debug(29, 2) ("authNTLMDone: NTLM authentication Shutdown.\n"); } -/* free any allocated configuration details */ -void -authNTLMFreeConfig(authScheme * scheme) -{ - if (ntlmConfig == NULL) - return; - assert(ntlmConfig == scheme->scheme_data); - if (ntlmConfig->authenticate) - wordlistDestroy(&ntlmConfig->authenticate); - xfree(ntlmConfig); - ntlmConfig = NULL; -} - -static void -authNTLMCfgDump(StoreEntry * entry, const char *name, authScheme * scheme) -{ - auth_ntlm_config *config = scheme->scheme_data; - wordlist *list = config->authenticate; - storeAppendPrintf(entry, "%s %s", name, "ntlm"); - while (list != NULL) { - storeAppendPrintf(entry, " %s", list->key); - list = list->next; - } - storeAppendPrintf(entry, "\n%s %s children %d\n%s %s max_challenge_reuses %d\n%s %s max_challenge_lifetime %d seconds\n", - name, "ntlm", config->authenticateChildren, - name, "ntlm", config->challengeuses, - name, "ntlm", config->challengelifetime); - -} - -static void -authNTLMParse(parserNameNode *parserName, authScheme * scheme, int n_configured, char *param_str) -{ - if (scheme->scheme_data == NULL) { - assert(ntlmConfig == NULL); - /* this is the first param to be found */ - scheme->scheme_data = xmalloc(sizeof(auth_ntlm_config)); - memset(scheme->scheme_data, 0, sizeof(auth_ntlm_config)); - ntlmConfig = scheme->scheme_data; - ntlmConfig->authenticateChildren = 5; - ntlmConfig->challengeuses = 0; - ntlmConfig->challengelifetime = 60; - } - ntlmConfig = scheme->scheme_data; - if (strcasecmp(param_str, "program") == 0) { - if (ntlmConfig->authenticate) - free_wordlist(parserName, &ntlmConfig->authenticate); - parse_wordlist(parserName, &ntlmConfig->authenticate); - requirePathnameExists("authparam ntlm program", ntlmConfig->authenticate->key); - } else if (strcasecmp(param_str, "children") == 0) { - parse_int(parserName, &ntlmConfig->authenticateChildren); - } else if (strcasecmp(param_str, "max_challenge_reuses") == 0) { - parse_int(parserName, 
&ntlmConfig->challengeuses); - } else if (strcasecmp(param_str, "max_challenge_lifetime") == 0) { - parse_time_t(parserName, &ntlmConfig->challengelifetime); - } else { - debug(28, 0) ("unrecognised ntlm auth scheme parameter '%s'\n", param_str); - } -} - - static void authSchemeSetup_ntlm(authscheme_entry_t * authscheme) { assert(!authntlm_initialised); authscheme->Active = authenticateNTLMActive; authscheme->configured = authNTLMConfigured; - authscheme->parse = authNTLMParse; - authscheme->dump = authNTLMCfgDump; authscheme->requestFree = authNTLMAURequestFree; - authscheme->freeconfig = authNTLMFreeConfig; authscheme->init = authNTLMInit; authscheme->authAuthenticate = authenticateNTLMAuthenticateUser; authscheme->authenticated = authNTLMAuthenticated; @@ -232,10 +234,10 @@ /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the * config file */ static void -authNTLMInit(authScheme * scheme) +authNTLMInit(void) { static int ntlminit = 0; - if (ntlmConfig->authenticate) { + if (ntlmConfig.authenticate) { if (!ntlm_helper_state_pool) ntlm_helper_state_pool = memPoolCreate("NTLM Helper State data", sizeof(ntlm_helper_state_t)); if (!ntlm_user_pool) @@ -248,8 +250,8 @@ if (!proxy_auth_cache) proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); assert(proxy_auth_cache); - ntlmauthenticators->cmdline = ntlmConfig->authenticate; - ntlmauthenticators->n_to_start = ntlmConfig->authenticateChildren; + ntlmauthenticators->cmdline = ntlmConfig.authenticate; + ntlmauthenticators->n_to_start = ntlmConfig.authenticateChildren; ntlmauthenticators->ipc_type = IPC_TCP_SOCKET; ntlmauthenticators->datapool = ntlm_helper_state_pool; ntlmauthenticators->IsAvailable = authenticateNTLMHelperServerAvailable; 
@@ -277,9 +279,10 @@ int authNTLMConfigured() { - if ((ntlmConfig != NULL) && (ntlmConfig->authenticate != NULL) && - (ntlmConfig->authenticateChildren != 0) && (ntlmConfig->challengeuses > -1) - && (ntlmConfig->challengelifetime > -1)) { + if ((ntlmConfig.authenticate != NULL) && + (ntlmConfig.authenticateChildren != 0) && (ntlmConfig.challengeuses > -1) + && (ntlmConfig.challengelifetime > -1)) { + requirePathnameExists("authenticate_ntlm_program", ntlmConfig.authenticate->key); debug(29, 9) ("authNTLMConfigured: returning configured\n"); return 1; } @@ -318,7 +321,7 @@ authenticateNTLMFixErrorHeader(auth_user_request_t * auth_user_request, HttpReply * rep, http_hdr_type type, request_t * request) { ntlm_request_t *ntlm_request; - if (ntlmConfig->authenticate) { + if (ntlmConfig.authenticate) { /* New request, no user details */ if (auth_user_request == NULL) { debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM'\n", type); @@ -590,9 +593,9 @@ /* don't check for invalid challenges just for expiry choices */ /* this is needed because we have to starve the helper until all old * requests have been satisfied */ - if (helperstate->challengeuses > ntlmConfig->challengeuses) + if (helperstate->challengeuses > ntlmConfig.challengeuses) return 1; - if (helperstate->renewed + ntlmConfig->challengelifetime >= squid_curtime) + if (helperstate->renewed + ntlmConfig.challengelifetime >= squid_curtime) return 1; return 0; } @@ -641,7 +644,7 @@ debug(29, 9) ("authenticateNTLMStart: state '%d'\n", ntlm_request->auth_state); debug(29, 9) ("authenticateNTLMStart: '%s'\n", sent_string); - if (ntlmConfig->authenticate == NULL) { + if (ntlmConfig.authenticate == NULL) { debug(29, 0) ("authenticateNTLMStart: no NTLM program specified:'%s'\n", sent_string); handler(data, NULL); return;