--------------------- PatchSet 1696 Date: 2001/03/08 12:01:12 Author: rbcollins Branch: auth_rewrite Tag: (none) Log: changes to ntlm - bug fixes for production use by Kinkie Members: ChangeLog:1.1.1.3.10.7.2.5->1.1.1.3.10.7.2.6 acconfig.h:1.1.1.3.10.8.2.2->1.1.1.3.10.8.2.3 configure.in:1.1.1.3.10.17.2.18->1.1.1.3.10.17.2.19 src/acl.c:1.1.1.3.12.26.2.44->1.1.1.3.12.26.2.45 src/authenticate.c:1.1.1.3.12.17.2.38->1.1.1.3.12.17.2.39 src/client_side.c:1.1.1.3.4.1.2.30.2.23->1.1.1.3.4.1.2.30.2.24 src/auth/ntlm/auth_ntlm.c:1.1.2.37->1.1.2.38 src/auth/ntlm/helpers/NTLMSSP/ntlm.h:1.1.2.5->1.1.2.6 src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c:1.1.2.14->1.1.2.15 src/auth/ntlm/helpers/NTLMSSP/smbval/smbencrypt.c:1.1.2.2->1.1.2.3 Index: squid/ChangeLog =================================================================== RCS file: /cvsroot/squid-sf//squid/ChangeLog,v retrieving revision 1.1.1.3.10.7.2.5 retrieving revision 1.1.1.3.10.7.2.6 diff -u -r1.1.1.3.10.7.2.5 -r1.1.1.3.10.7.2.6 --- squid/ChangeLog 23 Jan 2001 10:14:14 -0000 1.1.1.3.10.7.2.5 +++ squid/ChangeLog 8 Mar 2001 12:01:12 -0000 1.1.1.3.10.7.2.6 @@ -4,7 +4,7 @@ - Major rewrite of proxy authentication to support other schemes than basic. First in the line is NTLM support but others can easily be added (digest is on the way). See Programmers Guide. - (Robert Collins & Chemolli Francesco) + (Robert Collins & Francesco Chemolli) - Reworked how request bodies are passed down to the protocols. Now all client side processing is inside client_side.c, and the pass and pump modules is no longer used. Index: squid/acconfig.h =================================================================== RCS file: /cvsroot/squid-sf//squid/Attic/acconfig.h,v retrieving revision 1.1.1.3.10.8.2.2 retrieving revision 1.1.1.3.10.8.2.3 diff -u -r1.1.1.3.10.8.2.2 -r1.1.1.3.10.8.2.3 --- squid/acconfig.h 26 Feb 2001 05:27:02 -0000 1.1.1.3.10.8.2.2 +++ squid/acconfig.h 8 Mar 2001 12:01:12 -0000 1.1.1.3.10.8.2.3 
@@ -23,7 +23,7 @@ #ifndef __CONFIGURE_H__ #define __CONFIGURE_H__ @TOP@ -/* $Id: acconfig.h,v 1.1.1.3.10.8.2.2 2001/02/26 05:27:02 rbcollins Exp $ */ +/* $Id: acconfig.h,v 1.1.1.3.10.8.2.3 2001/03/08 12:01:12 rbcollins Exp $ */ /********************************* * START OF CONFIGURABLE OPTIONS * @@ -132,6 +132,9 @@ */ #undef USE_CARP +/* Define if NTLM is allowed to fail gracefully when a helper has problems */ +#undef NTLM_FAIL_OPEN + /******************************** * END OF CONFIGURABLE OPTIONS * ********************************/ Index: squid/configure.in =================================================================== RCS file: /cvsroot/squid-sf//squid/configure.in,v retrieving revision 1.1.1.3.10.17.2.18 retrieving revision 1.1.1.3.10.17.2.19 diff -u -r1.1.1.3.10.17.2.18 -r1.1.1.3.10.17.2.19 --- squid/configure.in 26 Feb 2001 05:27:02 -0000 1.1.1.3.10.17.2.18 +++ squid/configure.in 8 Mar 2001 12:01:12 -0000 1.1.1.3.10.17.2.19 @@ -3,13 +3,13 @@ dnl dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9) dnl -dnl $Id: configure.in,v 1.1.1.3.10.17.2.18 2001/02/26 05:27:02 rbcollins Exp $ +dnl $Id: configure.in,v 1.1.1.3.10.17.2.19 2001/03/08 12:01:12 rbcollins Exp $ dnl dnl dnl AC_INIT(src/main.c) AC_CONFIG_HEADER(include/autoconf.h) -AC_REVISION($Revision: 1.1.1.3.10.17.2.18 $)dnl +AC_REVISION($Revision: 1.1.1.3.10.17.2.19 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AC_CONFIG_AUX_DIR(cfgaux) 
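Review bot: The new `NTLM_FAIL_OPEN` comment describes the option as letting NTLM "fail gracefully", which understates what it does: with it defined, an `LD` helper reply admits the user although the credentials were never verified. The comment should say so plainly, e.g. `/* Define to let NTLM admit a user when the helper cannot complete the check (fail open). Grants access on unverified credentials; off by default. */` — it is off by default since only `--enable-ntlm-fail-open=yes` defines it. The `--enable-ntlm-fail-open` help text in the configure.in hunk of this patchset should carry the same wording so an administrator knows what they are switching on.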
@@ -812,6 +812,16 @@ fi AC_SUBST(DIGEST_AUTH_HELPERS) +dnl Enable "NTLM fail open" +AC_ARG_ENABLE(ntlm-fail-open, +[ --enable-ntlm-fail-open Enable NTLM fail open, where a helper that fails one of the + Authentication steps can allow squid to still authenticate + the user.], +[ if test "$enableval" = "yes" ; then + AC_DEFINE(NTLM_FAIL_OPEN) + fi +]) + dnl Disable "unlinkd" code AC_ARG_ENABLE(unlinkd, [ --disable-unlinkd Do not use unlinkd], Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.1.1.3.12.26.2.44 retrieving revision 1.1.1.3.12.26.2.45 diff -u -r1.1.1.3.12.26.2.44 -r1.1.1.3.12.26.2.45 --- squid/src/acl.c 26 Feb 2001 05:27:02 -0000 1.1.1.3.12.26.2.44 +++ squid/src/acl.c 8 Mar 2001 12:01:13 -0000 1.1.1.3.12.26.2.45 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.1.1.3.12.26.2.44 2001/02/26 05:27:02 rbcollins Exp $ + * $Id: acl.c,v 1.1.1.3.12.26.2.45 2001/03/08 12:01:13 rbcollins Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -103,7 +103,8 @@ static SPLAYCMP aclArpCompare; static SPLAYWALKEE aclDumpArpListWalkee; #endif -static int aclCacheMatchAcl(dlink_list * cache, squid_acl acltype, void *data, char *MatchParam); +static int aclCacheMatchAcl(dlink_list * cache, squid_acl acltype, void *data, + char *MatchParam); static char * strtokFile(void) @@ -574,8 +575,7 @@ default: debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseTimeSpec: Bad Day '%c'\n", - *t); + debug(28, 0) ("aclParseTimeSpec: Bad Day '%c'\n", *t); break; } } 
@@ -1101,8 +1101,7 @@ Top = splay_splay(user, Top, (SPLAYCMP *) strcmp); /* Top=splay_splay(user,Top,(SPLAYCMP *)dumping_strcmp); */ debug(28, 7) ("aclMatchUser: returning %d,Top is %p, Top->data is %s\n", - !splayLastResult, - Top, (Top ? Top->data : "Unavailable")); + !splayLastResult, Top, (Top ? Top->data : "Unavailable")); data->names = Top; return !splayLastResult; } @@ -1134,8 +1133,7 @@ while (link) { auth_match = link->data; if (auth_match->acl_data == data) { - debug(28, 4) ("aclCacheMatchAcl: cache hit on acl '%d'\n", - data); + debug(28, 4) ("aclCacheMatchAcl: cache hit on acl '%d'\n", data); return auth_match->matchrv; } link = link->next; @@ -1184,7 +1182,8 @@ */ static int aclMatchProxyAuth(void *data, http_hdr_type headertype, - auth_user_request_t * auth_user_request, aclCheck_t * checklist, squid_acl acltype) + auth_user_request_t * auth_user_request, aclCheck_t * checklist, + squid_acl acltype) { /* checklist is used to register user name when identified, nothing else */ const char *proxy_auth; @@ -1209,7 +1208,15 @@ */ return 0; } - if (((proxy_auth == NULL) && (checklist->conn->auth_type == AUTH_UNKNOWN)) || (checklist->conn->auth_type == AUTH_BROKEN)) { + + /* + * a note on proxy_auth logix here: + * proxy_auth==NULL -> unauthenticated request || already authenticated connection + * so we test for an authenticated connection when we recieve no authentication + * header. + */ + if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(auth_user_request))) + || (checklist->conn->auth_type == AUTH_BROKEN)) { /* no header or authentication failed/got corrupted - restart */ checklist->conn->auth_type = AUTH_UNKNOWN; debug(28, 4) ("aclMatchProxyAuth: broken auth or no proxy_auth header. Requesting auth header.\n"); 
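Review bot: `debug(28, 4) ("aclCacheMatchAcl: cache hit on acl '%d'\n", data)` on the new side of the `@@ -1134` hunk passes the `void *data` parameter (declared in the prototype earlier in this diff) to a `%d` conversion, which is undefined behaviour and prints garbage wherever `int` and pointers differ in size; it should read `'%p'`, as the `Top` argument in the `@@ -1101` hunk already does. The same mismatch is on the new side of the `@@ -1254` hunk, where `auth_user_request` and `checklist->conn->auth_user_request` are printed with `%d`. The rewrap only touches layout, but since the lines are being rewritten anyway this is the moment to fix the specifiers. aclCacheMatchAcl's body continues outside the hunk.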
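Review bot: The new comment in the `@@ -1209` hunk says the code tests for an authenticated connection when no header arrives, but the condition tests `auth_user_request`, the per-request object (the connection's own is `checklist->conn->auth_user_request`, used a few hunks later), so comment and code disagree; suggest `/* proxy_auth == NULL: unauthenticated request, or a request on an already-authenticated connection. With no header, ask whether this request is already authenticated before restarting. */`. This branch now tolerates a NULL `auth_user_request` only because `authenticateUserAuthenticated` returns 0 instead of asserting (the authenticate.c hunk of this patchset); that dependency is worth a sentence in the comment, since the function's previous contract was an assertion. `logix` and `recieve` are typos for `logic` and `receive`. aclMatchProxyAuth continues past the hunk.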
@@ -1226,11 +1233,14 @@ * not had bungled connection oriented authentication happen on it. */ debug(28, 9) ("aclMatchProxyAuth: header %s.\n", proxy_auth); if (auth_user_request == NULL) { - debug(28, 9) ("aclMatchProxyAuth: This is a new request on FD:%d\n", checklist->conn->fd); - if ((!checklist->request->auth_user_request) && (checklist->conn->auth_type == AUTH_UNKNOWN)) { + debug(28, 9) ("aclMatchProxyAuth: This is a new request on FD:%d\n", + checklist->conn->fd); + if ((!checklist->request->auth_user_request) + && (checklist->conn->auth_type == AUTH_UNKNOWN)) { /* beginning of a new request check */ debug(28, 4) ("aclMatchProxyAuth: no connection authentication type\n"); - if (!authenticateValidateUser(auth_user_request = authenticateGetAuthUser(proxy_auth))) { + if (!authenticateValidateUser(auth_user_request = + authenticateGetAuthUser(proxy_auth))) { /* the decode might have left a username for logging, or a message to * the user */ if (authenticateUserRequestUsername(auth_user_request)) { @@ -1254,7 +1264,9 @@ authenticateAuthUserRequestLock(auth_user_request); } else { /* failed connection based authentication */ - debug(28, 4) ("aclMatchProxyAuth: Auth user request %d conn-auth user request %d conn type %d authentication failed.\n", auth_user_request, checklist->conn->auth_user_request, checklist->conn->auth_type); + debug(28, 4) ("aclMatchProxyAuth: Auth user request %d conn-auth user request %d conn type %d authentication failed.\n", + auth_user_request, checklist->conn->auth_user_request, + checklist->conn->auth_type); return -2; } } 
@@ -1263,8 +1275,10 @@ checklist->auth_user_request = NULL; if (!authenticateUserAuthenticated(auth_user_request)) { /* User not logged in. Log them in */ - authenticateAuthUserRequestSetIp(auth_user_request, checklist->src_addr); - authenticateAuthenticateUser(auth_user_request, checklist->request, checklist->conn, headertype); + authenticateAuthUserRequestSetIp(auth_user_request, + checklist->src_addr); + authenticateAuthenticateUser(auth_user_request, checklist->request, + checklist->conn, headertype); switch (authenticateDirection(auth_user_request)) { case 1: /* this ACL check is finished. Unlock. */ @@ -1313,8 +1327,9 @@ /* this ACL check completed */ authenticateAuthUserRequestUnlock(auth_user_request); /* check to see if we have matched the user-acl before */ - return aclCacheMatchAcl(&auth_user_request->auth_user->proxy_match_cache, - acltype, data, authenticateUserRequestUsername(auth_user_request)); + return aclCacheMatchAcl(&auth_user_request->auth_user-> + proxy_match_cache, acltype, data, + authenticateUserRequestUsername(auth_user_request)); } /* this acl check completed */ authenticateAuthUserRequestUnlock(auth_user_request); @@ -1666,8 +1681,7 @@ case ACL_REP_MIME_TYPE: if (!checklist->reply) return 0; - header = httpHeaderGetStr(&checklist->reply->header, - HDR_CONTENT_TYPE); + header = httpHeaderGetStr(&checklist->reply->header, HDR_CONTENT_TYPE); if (NULL == header) header = ""; return aclMatchRegex(ae->data, header); 
@@ -1736,20 +1750,17 @@ if (checklist->state[ACL_DST_IP] == ACL_LOOKUP_NEEDED) { checklist->state[ACL_DST_IP] = ACL_LOOKUP_PENDING; ipcache_nbgethostbyname(checklist->request->host, - aclLookupDstIPDone, - checklist); + aclLookupDstIPDone, checklist); return; } else if (checklist->state[ACL_DST_ASN] == ACL_LOOKUP_NEEDED) { checklist->state[ACL_DST_ASN] = ACL_LOOKUP_PENDING; ipcache_nbgethostbyname(checklist->request->host, - aclLookupDstIPforASNDone, - checklist); + aclLookupDstIPforASNDone, checklist); return; } else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NEEDED) { checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_PENDING; fqdncache_nbgethostbyaddr(checklist->src_addr, - aclLookupSrcFQDNDone, - checklist); + aclLookupSrcFQDNDone, checklist); return; } else if (checklist->state[ACL_DST_DOMAIN] == ACL_LOOKUP_NEEDED) { ia = ipcacheCheckNumeric(checklist->request->host); @@ -1760,8 +1771,7 @@ checklist->dst_addr = ia->in_addrs[0]; checklist->state[ACL_DST_DOMAIN] = ACL_LOOKUP_PENDING; fqdncache_nbgethostbyaddr(checklist->dst_addr, - aclLookupDstFQDNDone, - checklist); + aclLookupDstFQDNDone, checklist); return; } else if (checklist->state[ACL_PROXY_AUTH] == ACL_LOOKUP_NEEDED) { debug(28, 3) @@ -1927,9 +1937,7 @@ } aclCheck_t * -aclChecklistCreate(const acl_access * A, - request_t * request, - const char *ident) +aclChecklistCreate(const acl_access * A, request_t * request, const char *ident) { int i; aclCheck_t *checklist; @@ -2302,10 +2310,7 @@ t->weekbits & ACL_THURSDAY ? 'H' : '-', t->weekbits & ACL_FRIDAY ? 'F' : '-', t->weekbits & ACL_SATURDAY ? 'A' : '-', - t->start / 60, - t->start % 60, - t->stop / 60, - t->stop % 60); + t->start / 60, t->start % 60, t->stop / 60, t->stop % 60); wordlistAdd(&W, buf); t = t->next; } 
@@ -2662,8 +2667,7 @@ arpReq.arp_ha.sa_data[2] & 0xff, arpReq.arp_ha.sa_data[3] & 0xff, arpReq.arp_ha.sa_data[4] & 0xff, - arpReq.arp_ha.sa_data[5] & 0xff, - ifr->ifr_name); + arpReq.arp_ha.sa_data[5] & 0xff, ifr->ifr_name); /* Do lookup */ *Top = splay_splay(&arpReq.arp_ha.sa_data, *Top, aclArpCompare); /* Return if match, otherwise continue to other interfaces */ @@ -2703,8 +2707,7 @@ arpReq.arp_ha.sa_data[1] == 0 && arpReq.arp_ha.sa_data[2] == 0 && arpReq.arp_ha.sa_data[3] == 0 && - arpReq.arp_ha.sa_data[4] == 0 && - arpReq.arp_ha.sa_data[5] == 0) + arpReq.arp_ha.sa_data[4] == 0 && arpReq.arp_ha.sa_data[5] == 0) return 0; debug(28, 4) ("Got address %02x:%02x:%02x:%02x:%02x:%02x\n", arpReq.arp_ha.sa_data[0] & 0xff, arpReq.arp_ha.sa_data[1] & 0xff, Index: squid/src/authenticate.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/authenticate.c,v retrieving revision 1.1.1.3.12.17.2.38 retrieving revision 1.1.1.3.12.17.2.39 diff -u -r1.1.1.3.12.17.2.38 -r1.1.1.3.12.17.2.39 --- squid/src/authenticate.c 10 Feb 2001 18:14:07 -0000 1.1.1.3.12.17.2.38 +++ squid/src/authenticate.c 8 Mar 2001 12:01:13 -0000 1.1.1.3.12.17.2.39 @@ -1,6 +1,6 @@ /* - * $Id: authenticate.c,v 1.1.1.3.12.17.2.38 2001/02/10 18:14:07 hno Exp $ + * $Id: authenticate.c,v 1.1.1.3.12.17.2.39 2001/03/08 12:01:13 rbcollins Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels 
@@ -289,7 +289,8 @@ int authenticateUserAuthenticated(auth_user_request_t * auth_user_request) { - assert(authenticateValidateUser(auth_user_request)); + if (!authenticateValidateUser(auth_user_request)) + return 0; if (auth_user_request->auth_user->auth_module > 0) return authscheme_list[auth_user_request->auth_user->auth_module - 1].authenticated(auth_user_request); else Index: squid/src/client_side.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/client_side.c,v retrieving revision 1.1.1.3.4.1.2.30.2.23 retrieving revision 1.1.1.3.4.1.2.30.2.24 diff -u -r1.1.1.3.4.1.2.30.2.23 -r1.1.1.3.4.1.2.30.2.24 --- squid/src/client_side.c 26 Feb 2001 05:27:03 -0000 1.1.1.3.4.1.2.30.2.23 +++ squid/src/client_side.c 8 Mar 2001 12:01:13 -0000 1.1.1.3.4.1.2.30.2.24 @@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.1.1.3.4.1.2.30.2.23 2001/02/26 05:27:03 rbcollins Exp $ + * $Id: client_side.c,v 1.1.1.3.4.1.2.30.2.24 2001/03/08 12:01:13 rbcollins Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -258,13 +258,22 @@ if (page_id == ERR_NONE) page_id = ERR_CACHE_ACCESS_DENIED; } else { +#ifdef KINKIES_407_HACK /* return a 407 */ + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; + if (page_id == ERR_NONE) + page_id=ERR_CACHE_ACCESS_DENIED; +#else /* return a 403 */ status = HTTP_FORBIDDEN; if (page_id == ERR_NONE) page_id = ERR_ACCESS_DENIED; +#endif } err = errorCon(page_id, status); err->request = requestLink(http->request); err->src_addr = http->conn->peer.sin_addr; +#ifdef KINKIES_407_HACK + if (answer==ACCESS_REQ_PROXY_AUTH) { /* second part, by Kinkie */ +#endif if (http->conn->auth_user_request) err->auth_user_request = http->conn->auth_user_request; else if (http->request->auth_user_request) 
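Review bot: Replacing the assert with `return 0` makes an invalid or NULL `auth_user_request` indistinguishable from a merely unauthenticated one, and nothing records that the invalid case was hit, so the diagnostic the assertion used to give is lost just as callers (the new test in acl.c) start relying on this path. Keep the deny result but log it: `if (!authenticateValidateUser(auth_user_request)) { debug(29, 3) ("authenticateUserAuthenticated: invalid auth_user_request, treating as not authenticated\n"); return 0; }`. Returning 0 is the safe direction, so the change itself is sound. The function's tail lies outside the hunk.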
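Review bot: Under `KINKIES_407_HACK` a request denied in the `} else {` branch now gets a 407 instead of a 403, and the added `if (answer==ACCESS_REQ_PROXY_AUTH)` guard leaves `err->auth_user_request` NULL whenever `answer` is anything else — which, if this branch is the non-auth-required case as the original 403 suggests, is exactly the situation the 407 is being sent in, so the response has no authenticated user attached and it is unclear from this hunk where its `Proxy-Authenticate` challenge would come from. A 407 for an already-authenticated user also tells the client its credentials were rejected and invites a re-prompt loop, so the comment should state the intended client behaviour. The macro has no configure switch (unlike `NTLM_FAIL_OPEN` in this patchset), so the block is dead unless defined by hand; either wire it up or mark it experimental in a comment. Style: `page_id=ERR_CACHE_ACCESS_DENIED;` and `answer==ACCESS_REQ_PROXY_AUTH` lack the spaces the surrounding code uses. The enclosing function starts and ends outside the hunk.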
@@ -272,6 +281,9 @@ /* lock for the error state */ if (err->auth_user_request) authenticateAuthUserRequestLock(err->auth_user_request); +#ifdef KINKIES_407_HACK + } +#endif err->callback_data = NULL; errorAppendEntry(http->entry, err); } Index: squid/src/auth/ntlm/auth_ntlm.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v retrieving revision 1.1.2.37 retrieving revision 1.1.2.38 diff -u -r1.1.2.37 -r1.1.2.38 --- squid/src/auth/ntlm/auth_ntlm.c 10 Feb 2001 18:14:07 -0000 1.1.2.37 +++ squid/src/auth/ntlm/auth_ntlm.c 8 Mar 2001 12:01:36 -0000 1.1.2.38 @@ -320,6 +320,11 @@ debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM %s'\n", type, ntlm_request->authchallenge); httpHeaderPutStrf(&rep->header, type, "NTLM %s", ntlm_request->authchallenge); break; +#ifdef KINKIES_407_HACK + case AUTHENTICATE_STATE_DONE: /* HACK by Kinkie */ + /* nothing */ + break; +#endif /* KINKIES_407_HACK */ default: debug(29, 0) ("authenticateNTLMFixErrorHeader: state %d.\n", ntlm_request->auth_state); fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n"); 
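Review bot: The new `AUTHENTICATE_STATE_DONE` case in the auth_ntlm.c hunk sends no header at all, so when the hack's 407 is built for a request whose NTLM handshake already completed, the response leaves without a `Proxy-Authenticate` challenge, which is a malformed 407 from the client's point of view. If the intent is to restart the handshake, the case should emit a challenge as the `httpHeaderPutStrf(&rep->header, type, "NTLM %s", ...)` call just above does, and if an empty header is deliberate the `/* nothing */` comment should say why. The `switch` and function continue outside the hunk.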
@@ -453,6 +458,40 @@ ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); ntlm_request->authhelper = NULL; auth_user->flags.credentials_ok = 1; /* login ok */ +#ifdef NTLM_FAIL_OPEN + } else if (strncasecmp(reply, "LD ", 3) == 0) { + /* This is a variant of BH, which rather than deny access + * allows the user through. The helper is starved and then refreshed + * via YR, all pending authentications are likely to fail also. + * It is meant for those helpers which occasionally fail for + * no reason at all (casus belli, NTLMSSP helper on NT domain, + * failing about 1 auth out of 1k. + * The code is a merge from the BH case with snippets of the AF + * case */ + /* AF code: mark user as authenticated */ + reply += 3; + assert(r->auth_user_request != NULL); + assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM); + auth_user_request = r->auth_user_request; + assert(auth_user_request->scheme_data != NULL); + ntlm_request = auth_user_request->scheme_data; + auth_user = auth_user_request->auth_user; + ntlm_user = auth_user_request->auth_user->scheme_data; + assert(ntlm_user != NULL); + result = S_HELPER_RELEASE; + /* we only expect OK when finishing the handshake */ + assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE); + ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); + helperstate = helperStatefulServerGetData(ntlm_request->authhelper); + ntlm_request->authhelper = NULL; + auth_user->flags.credentials_ok = 1; /* login ok */ + /* BH code: mark helper as broken */ + /* Not a valid helper response to a YR request. Assert so the helper + * programmer will fix their bugs! */ + assert(ntlm_request->auth_state != AUTHENTICATE_STATE_NEGOTIATE); + /* mark it for starving */ + helperstate->starve = 1; +#endif } else if (strncasecmp(reply, "NA ", 3) == 0) { /* TODO: only work with auth_user here if it exists */ assert(r->auth_user_request != NULL); 
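Review bot: The `LD` branch admits the user (`credentials_ok = 1`, username copied from the helper reply) although the helper has just reported it could not complete the check, yet it emits no `debug()` call, so an operator cannot see from the logs how often `NTLM_FAIL_OPEN` actually let someone through. Add a low-level log before the starve marking, e.g. `debug(29, 1) ("NTLM_FAIL_OPEN: admitting '%s' on an LD helper reply\n", ntlm_user->username);`. The `assert(ntlm_request->auth_state != AUTHENTICATE_STATE_NEGOTIATE)` is implied by the earlier `assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE)` and can go, and since the block repeats the `AF` case almost line for line, a shared static helper for the common part would keep the two from drifting. The closing `#endif` should carry `/* NTLM_FAIL_OPEN */` like the other conditionals in this patchset, and the parenthesis opened before `casus belli` in the comment is never closed. The enclosing function starts and ends outside the hunk.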
@@ -552,6 +591,7 @@ int authenticateNTLMValidChallenge(ntlm_helper_state_t * helperstate) { + debug(29, 9) ("authenticateNTLMValidChallenge: Challenge is %s\n", helperstate->challenge ? "Valid" : "Invalid"); if (helperstate->challenge == NULL) return 0; return 1; @@ -578,7 +618,7 @@ debug(29, 4) ("authenticateNTLMChangeChallenge: Challenge exceeded max lifetime by %d seconds\n", squid_curtime - (helperstate->renewed + ntlmConfig->challengelifetime)); return 1; } - debug(29, 6) ("Challenge is to be reused\n"); + debug(29, 9) ("Challenge is to be reused\n"); return 0; } Index: squid/src/auth/ntlm/helpers/NTLMSSP/ntlm.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP/Attic/ntlm.h,v retrieving revision 1.1.2.5 retrieving revision 1.1.2.6 diff -u -r1.1.2.5 -r1.1.2.6 --- squid/src/auth/ntlm/helpers/NTLMSSP/ntlm.h 10 Feb 2001 17:32:49 -0000 1.1.2.5 +++ squid/src/auth/ntlm/helpers/NTLMSSP/ntlm.h 8 Mar 2001 12:01:36 -0000 1.1.2.6 
@@ -57,14 +57,19 @@ #define debug(X...) /* */ #endif /* DEBUG */ #else /* __GNUC__ */ -#define debug(char *format, ...) {} /* Too lazy to write va_args stuff */ +static void debug(char *format, ...) {} #endif /* A couple of harmless helper macros */ #define SEND(X) debug("sending '%s' to squid\n",X); printf(X); printf("\n"); +#ifdef __GNUC__ #define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X,Y);\ printf("\n"); +#else +/* no gcc, no debugging. varargs macros are a gcc extension */ +#define SEND2 printf +#endif extern int ntlm_errno; #define NTLM_NO_ERROR 0 Index: squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP/Attic/ntlm_auth.c,v retrieving revision 1.1.2.14 retrieving revision 1.1.2.15 diff -u -r1.1.2.14 -r1.1.2.15 --- squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c 10 Feb 2001 18:14:07 -0000 1.1.2.14 +++ squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c 8 Mar 2001 12:01:36 -0000 1.1.2.15 
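Review bot: The non-gcc fallback `#define SEND2 printf` drops the `printf("\n")` that the gcc variant appends, so on such a build `SEND2("AF %s", cred)` hands squid the reply without its line terminator and the line-oriented helper protocol stalls; a small variadic function (sketch below, needs `<stdarg.h>`) keeps both variants equivalent. The new `static void debug(char *format, ...) {}` should take `const char *format`, since it is only ever given literals. Both `SEND` and `SEND2` expand to several statements without a `do { } while (0)` wrapper, so using either as the body of an unbraced `if` silently changes control flow. `SEND(X)` also expands to `printf(X)`, so it must never be passed anything but a string literal; a comment on the macro saying so would prevent a later misuse.
```c
#else
/* no gcc: varargs macros are a gcc extension, so use a real function.
 * Keeps the trailing newline the gcc variant emits (needs <stdarg.h>). */
static void SEND2(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    printf("\n");
}
#endif
```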
@@ -126,17 +126,7 @@ void usage() { - fprintf(stderr, - "%s usage:\n" - "%s [-b] [-f] domain\\controller [domain\\controller ...]\n" - "-b, if specified, enables load-balancing among controllers\n" - "-f, if specified, enables failover among controllers\n" - "-l, if specified, changes behavior on domain controller failyures to" - "\tlast-ditch\n\n" - "You MUST specify at least one Domain Controller.\n" - "You can use either \\ or / as separator between the domain name \n" - "\tand the controller name\n", - my_program_name, my_program_name); + fprintf(stderr, "%s usage:\n%s [-b] [-f] domain\\controller [domain\\controller ...]\n-b, if specified, enables load-balancing among controllers\n-f, if specified, enables failover among controllers\n-l, if specified, changes behavior on domain controller failyures to\tlast-ditch\n\nYou MUST specify at least one Domain Controller.\nYou can use either \\ or / as separator between the domain name \n\tand the controller name\n", my_program_name, my_program_name); } @@ -225,7 +215,7 @@ debug("obtain_challenge: getting new challenge\n"); for (j = 0; j < numcontrollers; j++) { if (current_dc->status == DC_OK) { - debug("getting challenge from %s\%s\n", current_dc->domain, current_dc->controller); + debug("getting challenge from %s%s\n", current_dc->domain, current_dc->controller); ch = make_challenge(current_dc->domain, current_dc->controller); if (ch) return ch; /* All went OK, returning */ 
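Review bot: The usage text keeps the `failyures` typo in the user-facing `-l` description (`failures` is meant), and collapsing the message into one 300-character literal makes it hard to review. Adjacent string literals concatenate in C, so the multi-line layout on the old side is the idiomatic form; unless the collapse was needed for a compiler that cannot concatenate, restoring it (with the typo fixed) is preferable.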
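Review bot: Replacing `%s\%s` with `%s%s` in the `@@ -225` hunk removes the invalid escape but also the separator, so the debug line now prints domain and controller run together; the intended form is `debug("getting challenge from %s\\%s\n", current_dc->domain, current_dc->controller);`. The surrounding `for` loop and obtain_challenge continue outside the hunk.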
@@ -296,85 +286,8 @@ /* notreached */ case NTLM_AUTHENTICATE: /* check against the DC */ - plen = strlen(buf) * 3 / 4; /* we only need it here. Optimization */ + plen = strlen(buf) * 3 / 4; /* we only need it here. Optimization */ cred = ntlm_check_auth((ntlm_authenticate *) decoded, plen); -#ifdef OLDCRUFT - if (cred == NULL) { - int errorclass, errorcode; -#ifdef DEBUG - SMB_Get_Error_Msg(SMB_Get_Last_SMB_Err(), error_messages_buffer, BUFFER_SIZE); - debug("Authentication failure. SMB error: %d: %s\n. Class=%d, Code=%d\n", - SMB_Get_Last_SMB_Err(), error_messages_buffer, - SMB_Get_Last_SMB_Err() & 0xff, SMB_Get_Last_SMB_Err() >> 16); - RFCNB_Get_Error_Msg(RFCNB_Get_Last_Error(), error_messages_buffer, BUFFER_SIZE); - debug("RFCNB error status: code=%d (%s)\n", RFCNB_Get_Last_Error(), error_messages_buffer); -#endif - /* This is kind of a special case, which happens when the - * client sends credentials in a domain which is not trusted - * by the domain we're using when authenticating. Unfortunately, - * it can't currently be accommodated in the current framework so - * I'll leave it hanging here, waiting for the general framework - * to be expanded to better accommodate the generale case. */ - errorclass = SMB_Get_Last_SMB_Err() & 0xff; - errorcode = SMB_Get_Last_SMB_Err() >> 16; - if (errorclass == 1 && errorcode == 5) { - SEND("NA Wrong password or untrusted domain"); - return; - } - switch (ntlm_errno) { - case NTLM_LOGON_ERROR: - SEND("NA authentication failure"); - /* I must have been drugged when I wrote the following two lines */ - /* dc_disconnect(); - * current_dc = current_dc->next; */ - return; - case NTLM_SERVER_ERROR: - send_bh_or_ld("BH Domain Controller Error", (ntlm_authenticate *) decoded, plen); - /* SEND("BH Domain Controller Error"); */ - /* we don't really need to disconnect NOW. - * Besides, we asked squid to force a reconnect. This way, if we - * have authentications in flight, we might even succeed. 
- */ - /* dc_disconnect(); */ - - SMB_Get_Error_Msg(SMB_Get_Last_Error(), smb_error_buffer, 1000); - debug("Last error was: %s, RFC errno=%d\n", smb_error_buffer, RFCNB_Get_Last_Errno()); - if (failover_enabled) - current_dc = current_dc->next; - return; - case NTLM_PROTOCOL_ERROR: - send_bh_or_ld("BH Domain Controller communication error", (ntlm_authenticate *) decoded, plen); - /* SEND("BH Domain Controller communication error"); */ - /* dc_disconnect(); */ - if (failover_enabled) - current_dc = current_dc->next; - return; - case NTLM_NOT_CONNECTED: - send_bh_or_ld("BH Domain Controller (or network) died on us", (ntlm_authenticate *) decoded, plen); - /* SEND("BH Domain Controller (or network) died on us"); */ - /* dc_disconnect(); */ - if (failover_enabled) - current_dc = current_dc->next; - return; - case NTLM_BAD_PROTOCOL: - send_bh_or_ld("BH Domain controller failure", (ntlm_authenticate *) decoded, plen); - /* SEND("BH Domain controller failure"); */ - /* dc_disconnect(); *//* maybe we're overreacting? */ - SMB_Get_Error_Msg(SMB_Get_Last_Error(), smb_error_buffer, 1000); - debug("Last error was: %s. RFCNB errno=%d\n", smb_error_buffer, RFCNB_Get_Last_Errno()); - if (failover_enabled) - current_dc = current_dc->next; - return; - default: - send_bh_or_ld("BH Unhandled error while talking to Domain Controller", (ntlm_authenticate *) decoded, plen); - /* SEND("BH Unhandled error while talking to Domain Controller"); */ - /* dc_disconnect(); *//* maybe we're overreacting? */ - if (failover_enabled) - current_dc = current_dc->next; - return; - } - } -#else /* OLDCRUFT */ if (cred == NULL) { int smblib_err, smb_errorclass, smb_errorcode, nb_error; /* there was an error. We have two errno's to look at. 
@@ -385,8 +298,7 @@ smb_errorclass = SMBlib_Error_Class(SMB_Get_Last_SMB_Err()); smb_errorcode = SMBlib_Error_Code(SMB_Get_Last_SMB_Err()); nb_error = RFCNB_Get_Last_Error(); - debug("No creds. SMBlib error %d, SMB error class %d, " - "SMB error code %d, NB error %d\n", smblib_err, smb_errorclass, smb_errorcode, nb_error); + debug("No creds. SMBlib error %d, SMB error class %d, SMB error code %d, NB error %d\n", smblib_err, smb_errorclass, smb_errorcode, nb_error); /* Should I use smblib_err? Actually it seems I can do as well * without it.. */ if (nb_error != 0) { /* netbios-level error */ @@ -447,7 +359,6 @@ return; } } -#endif /* OLDCRUFT */ lc(cred); /* let's lowercase them for our convenience */ SEND2("AF %s", cred); return; @@ -486,7 +397,7 @@ debug("ntlm_auth build " __DATE__ ", " __TIME__ " starting up...\n"); #ifdef DEBUG - debug("changing dir to /tmp"); + debug("changing dir to /tmp\n"); chdir("/tmp"); #endif Index: squid/src/auth/ntlm/helpers/NTLMSSP/smbval/smbencrypt.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP/smbval/Attic/smbencrypt.c,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -u -r1.1.2.2 -r1.1.2.3 --- squid/src/auth/ntlm/helpers/NTLMSSP/smbval/smbencrypt.c 8 Jan 2001 00:14:58 -0000 1.1.2.2 +++ squid/src/auth/ntlm/helpers/NTLMSSP/smbval/smbencrypt.c 8 Mar 2001 12:01:36 -0000 1.1.2.3 @@ -22,10 +22,8 @@ #include #include -//#include #include #include -//#include #include #include