--------------------- PatchSet 255 Date: 2000/05/03 11:22:56 Author: asd Branch: ntlm Tag: (none) Log: I'm commiting what I have, since I'm changing jobs RSN. There's a lot more to be done, however state is now tracked just a little better (meaning the USE_NTLM test isn't littered all over the place). Not sure if this compiles. I will fix, hopefully later today. Members: src/acl.c:1.1.1.3.12.3->1.1.1.3.12.4 src/authenticate.c:1.1.1.3.12.2->1.1.1.3.12.3 src/client_side.c:1.1.1.3.4.1.2.8->1.1.1.3.4.1.2.9 src/enums.h:1.1.1.3.12.1->1.1.1.3.12.2 src/errorpage.c:1.1.1.3.10.2->1.1.1.3.10.3 src/mem.c:1.1.1.3.12.1->1.1.1.3.12.2 src/protos.h:1.1.1.3.12.3->1.1.1.3.12.4 src/structs.h:1.1.1.3.4.1.2.4->1.1.1.3.4.1.2.5 src/typedefs.h:1.1.1.3.12.2->1.1.1.3.12.3
Index: squid/src/acl.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/acl.c,v
retrieving revision 1.1.1.3.12.3
retrieving revision 1.1.1.3.12.4
diff -u -r1.1.1.3.12.3 -r1.1.1.3.12.4
--- squid/src/acl.c 17 Apr 2000 00:13:09 -0000 1.1.1.3.12.3
+++ squid/src/acl.c 3 May 2000 11:22:56 -0000 1.1.1.3.12.4
@@ -1,6 +1,6 @@
 /*
- * $Id: acl.c,v 1.1.1.3.12.3 2000/04/17 00:13:09 hno Exp $
+ * $Id: acl.c,v 1.1.1.3.12.4 2000/05/03 11:22:56 asd Exp $
  *
  * DEBUG: section 28 Access Control
  * AUTHOR: Duane Wessels
@@ -42,6 +42,7 @@
 static hash_table *proxy_auth_cache = NULL;
 
 static void aclParseDomainList(void *curlist);
+static void aclParseProxyAuthList(void *curlist);
 static void aclParseIpList(void *curlist);
 static void aclParseIntlist(void *curlist);
 static void aclParseWordList(void *curlist);
@@ -619,6 +620,33 @@
 wordlistAdd(curlist, t);
 }
 
+static void
+aclParseProxyAuthList(void *curlist)
+{
+ acl_proxy_auth_data *pad;
+ char *t = NULL;
+
+ pad = memAllocate(MEM_ACL_PROXY_AUTH_DATA);
+ pad->names = NULL;
+ *(acl_proxy_auth_data **)curlist = pad;
+ t = strtokFile();
+
+ if (!strcmp(t, "basic"))
+ pad->type = AUTHENTICATE_TYPE_BASIC;
+#if USE_NTLM
+ else if (!strcmp(t, "ntlm"))
+ pad->type = AUTHENTICATE_TYPE_NTLM;
+#endif
+ else {
+ debug(28, 0) ("%s line %d: %s\n",
+ cfg_filename, config_lineno, config_input_line);
+ debug(28, 0) ("aclParseProxyAuthList: Invalid auth type '%s'\n", t);
+ return;
+ }
+ while ((t = strtokFile()))
+ wordlistAdd(&pad->names, t);
+}
+
 /**********************/
 /* aclParseDomainList */
 /**********************/
@@ -727,7 +755,11 @@
 aclParseMethodList(&A->data);
 break;
 case ACL_PROXY_AUTH:
+#if 0
+ aclParseProxyAuthList(&A->data);
+#else
 aclParseWordList(&A->data);
+#endif
 if (!proxy_auth_cache) {
 /* First time around, 7921 should be big enough */
 proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
@@ -998,13 +1030,10 @@
 }
 
 static int
-aclDecodeProxyAuth(const char *proxy_auth, char **user, char **password, char *buf, size_t bufsize)
+aclDecodeProxyAuth(const char *proxy_auth, int *type, char **user, char **password, char *buf, size_t bufsize)
 {
 char *sent_auth;
 char *cleartext;
-#if USE_NTLM
- int ntlm = 0;
-#endif
 
 if (proxy_auth == NULL)
 return 0;
@@ -1012,10 +1041,11 @@
 
 if (strncasecmp(proxy_auth, "Basic ", 6) == 0) {
 proxy_auth += 6;
+ *type = AUTHENTICATE_TYPE_BASIC;
 #if USE_NTLM
 } else if (strncmp("NTLM ", proxy_auth, 5) == 0) {
- ntlm = 1;
 proxy_auth += 5;
+ *type = AUTHENTICATE_TYPE_NTLM;
 #endif
 } else {
 debug(28, 1) ("aclDecodeProxyAuth: Unsupported proxy-auth sheme, '%s'\n", proxy_auth);
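Review bot: In `aclParseProxyAuthList`, `t = strtokFile();` can return NULL when the acl line has no type token (the `while ((t = strtokFile()))` loop a few lines below relies on exactly that), and the next line hands it straight to `strcmp(t, "basic")`, which is undefined behaviour on a NULL pointer; guard it first with `if (t == NULL) { debug(28, 0) ("aclParseProxyAuthList: missing auth type\n"); return; }`. The freshly allocated `pad` is also published through `*(acl_proxy_auth_data **)curlist` before the type is validated, so on the error path the ACL keeps a `pad` whose `type` was never assigned (whether memAllocate zeroes the object is not visible here); either store into `*curlist` only after the type is accepted, or give `pad->type` a known value before the check. Neither path is live yet because the call site is under `#if 0`, but the function will be wrong the day it is enabled.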
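Review bot: The `#if 0` / `#else` around `aclParseProxyAuthList(&A->data)` in the ACL_PROXY_AUTH case leaves the new parser, the `acl_proxy_auth_data` struct and the `MEM_ACL_PROXY_AUTH_DATA` pool added in mem.c and enums.h as dead code, with nothing saying why it is disabled. If it is switched on as is, `A->data` becomes an `acl_proxy_auth_data *` while the matching side still appears to treat the data as a wordlist (`rv = aclMatchUser(data, user);` in aclMatchProxyAuth is unchanged), so the `#if 0` is hiding a type mismatch rather than just staging a feature. A comment such as `/* FIXME: aclMatchProxyAuth still expects a wordlist; switch both sides together */` would make that explicit until the match side is converted.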
@@ -1030,47 +1060,48 @@ strtok(sent_auth, "\n"); cleartext = uudecode(sent_auth); xfree(sent_auth); - /* - * Don't allow NL or CR in the credentials. - * Oezguer Kesim - */ - strtok(cleartext, "\r\n"); - debug(28, 6) ("aclDecodeProxyAuth: cleartext = '%s'\n", cleartext); - xstrncpy(buf, cleartext, bufsize); - -#ifdef USE_NTLM - if (ntlm) { - if (ntlmCheckHeader((struct ntlmhdr *)cleartext, NTLM_NEGOTIATE)) { - /* Assume this is the authentication request */ - ntlmDecodeAuth((struct ntlm_authenticate *)cleartext, buf, - bufsize, user, password); - xfree(cleartext); + + switch (*type) { + case AUTHENTICATE_TYPE_BASIC: + /* + * Don't allow NL or CR in the credentials. + * Oezguer Kesim + */ + strtok(cleartext, "\r\n"); + debug(28, 6) ("aclDecodeProxyAuth: cleartext = '%s'\n", cleartext); + xstrncpy(buf, cleartext, bufsize); + xfree(cleartext); + *user = buf; + + if ((*password = strchr(*user, ':')) != NULL) + *(*password)++ = '\0'; + if (*password == NULL) { + debug(28, 1) ("aclDecodeProxyAuth: no password in proxy authorization header '%s'\n", proxy_auth); + return 0; + } + if (**password == '\0') { + debug(28, 1) ("aclDecodeProxyAuth: Disallowing empty password," + "user is '%s'\n", *user); + return 0; + } + break; +#if USE_NTLM + case AUTHENTICATE_TYPE_NTLM: + /* If this is a negotiation requst, we return a challenge */ + if (!ntlmCheckHeader((struct ntlmhdr *)cleartext, NTLM_NEGOTIATE)) + return 2; + + /* Assume this is an authentication request */ + rv = ntlmDecodeAuth((struct ntlm_authenticate *)cleartext, buf, bufsize, + user, password); + xfree(cleartext); - if (*user == NULL || *password == NULL) { - debug(28, 1) ("aclDecodeProxyAuth: no NT response in NTLM authorization header\n"); - return 0; - } - return 1; + if (rv || *user == NULL || *password == NULL) { + debug(28, 1) ("aclDecodeProxyAuth: NTLM authorization botched\n"); + return 0; } - - /* Otherwise assume it's the negotiation request */ - return 2; - } + break; #endif - - xfree(cleartext); - *user = 
buf;
-
- if ((*password = strchr(*user, ':')) != NULL)
- *(*password)++ = '\0';
- if (*password == NULL) {
- debug(28, 1) ("aclDecodeProxyAuth: no password in proxy authorization header '%s'\n", proxy_auth);
- return 0;
- }
- if (**password == '\0') {
- debug(28, 1) ("aclDecodeProxyAuth: Disallowing empty password,"
- "user is '%s'\n", *user);
- return 0;
 }
 return 1;
 }
@@ -1088,16 +1119,17 @@
 {
 /* checklist is used to register user name when identified, nothing else */
 LOCAL_ARRAY(char, login_buf, USER_IDENT_SZ);
- char *user, *password, rv;
+ char *user, *password;
+ int type, rv;
 
 /* Don't repeatedly ask for authentication on a persistent connection. */
- if (checklist->conn && checklist->conn->authenticated)
+ if (checklist->auth_state == AUTHENTICATE_STATE_DONE)
 return 1;
 
- switch (aclDecodeProxyAuth(proxy_auth, &user, &password, login_buf, sizeof(login_buf))) {
+ switch (aclDecodeProxyAuth(proxy_auth, &type, &user, &password, login_buf, sizeof(login_buf))) {
 #if USE_NTLM
 case 2: /* Send an NTLM challenge */
- checklist->ntlm_challenge = 1;
+ checklist->auth_state = AUTHENTICATE_STATE_CHALLENGE;
 /* FALLTHROUGH */
 #endif
 case 0: /* User denied access */
@@ -1162,7 +1194,8 @@
 xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
 rv = aclMatchUser(data, user);
 if (checklist->conn) {
- checklist->conn->authenticated = rv; /* XXX THIS IS NOT SAFE */
+ if (rv)
+ checklist->auth_state = AUTHENTICATE_STATE_DONE;
 #if USE_NTLM
 xstrncpy(checklist->conn->ident, user, USER_IDENT_SZ);
 #endif
@@ -1197,7 +1230,7 @@
 LOCAL_ARRAY(char, login_buf, USER_IDENT_SZ);
 const char *proxy_auth;
 char *user, *password;
- int ok;
+ int ok, auth_type;
 acl_proxy_auth_user *auth_user;
 assert(!checklist->auth_user);
 if (!checklist->request->flags.accelerated) {
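Review bot: `rv` is assigned in the new AUTHENTICATE_TYPE_NTLM case (`rv = ntlmDecodeAuth(...)`) but aclDecodeProxyAuth's declarations, visible in the hunk at -998, are now only `sent_auth` and `cleartext` since `int ntlm` was removed, so a USE_NTLM build fails on an undeclared identifier; add `int rv;` next to them. In the same case the `return 2;` for a negotiate message exits without freeing the `cleartext` buffer obtained from `uudecode` (every other exit frees it, and the old code had the same leak); `xfree(cleartext); return 2;` closes it. The BASIC case keeps `debug(28, 6) ("aclDecodeProxyAuth: cleartext = '%s'\n", cleartext);`, which writes the decoded `user:password` pair to the cache log, so a `/* logs credentials in clear; debug level 6 only */` comment beside it would keep that visible to whoever tunes debug_options. The function starts in the previous hunk and the switch has no `default:`, which is safe only because the scheme check above already returned 0 for anything else.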
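Review bot: The early return `if (checklist->auth_state == AUTHENTICATE_STATE_DONE) return 1;` keeps the comment about not re-asking on a persistent connection, but `auth_state` now lives on the per-request checklist, which aclChecklistCreate initialises to AUTHENTICATE_STATE_NONE (hunk at -1799), and is only set to DONE further down in this same function after a successful `aclMatchUser`; with the ConnStateData `authenticated` flag removed in structs.h, nothing visible carries the state from one request to the next, so the check appears never to be true on entry and every request on the connection is re-challenged. If that is intentional for now, the comment should say so (`/* TODO: auth_state is per request; connection-scoped state was removed */`); otherwise the state has to be kept on `checklist->conn` again or the checklist's `auth_state` seeded from it. Separately, `type` is left uninitialised when aclDecodeProxyAuth returns 0 on its `proxy_auth == NULL` path, which is only harmless as long as `case 0` never reads it.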
@@ -1209,7 +1242,7 @@ proxy_auth = httpHeaderGetStr(&checklist->request->header, HDR_AUTHORIZATION); } - ok = aclDecodeProxyAuth(proxy_auth, &user, &password, login_buf, + ok = aclDecodeProxyAuth(proxy_auth, &auth_type, &user, &password, login_buf, sizeof(login_buf)); /* * if aclDecodeProxyAuth() fails, the same call should have failed @@ -1223,6 +1256,7 @@ auth_user->passwd = xstrdup(password); auth_user->passwd_ok = -1; auth_user->expiretime = -1; + auth_user->auth_type = auth_type; checklist->auth_user = auth_user; authenticateStart(checklist->auth_user, aclLookupProxyAuthDone, checklist); @@ -1799,10 +1833,7 @@ if (ident) xstrncpy(checklist->ident, ident, USER_IDENT_SZ); #endif -#ifdef USE_NTLM - /* Initially we don't have to issue a challenge */ - checklist->ntlm_challenge = 0; -#endif + checklist->auth_state = AUTHENTICATE_STATE_NONE; checklist->auth_user = NULL; /* init to NULL */ return checklist; } Index: squid/src/authenticate.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/authenticate.c,v retrieving revision 1.1.1.3.12.2 retrieving revision 1.1.1.3.12.3 diff -u -r1.1.1.3.12.2 -r1.1.1.3.12.3 --- squid/src/authenticate.c 17 Apr 2000 00:13:09 -0000 1.1.1.3.12.2 +++ squid/src/authenticate.c 3 May 2000 11:22:56 -0000 1.1.1.3.12.3 @@ -1,6 +1,6 @@ /* - * $Id: authenticate.c,v 1.1.1.3.12.2 2000/04/17 00:13:09 hno Exp $ + * $Id: authenticate.c,v 1.1.1.3.12.3 2000/05/03 11:22:56 asd Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels 
@@ -163,16 +163,25 @@ } void -authenticateFixErrorHeader(HttpReply * rep, int type, int ntlm_challenge) +authenticateFixErrorHeader(HttpReply * rep, int type, int auth_type, int auth_state) { char *fmt, *data; #ifdef USE_NTLM + struct ntlm_challenge chal; int len; +#endif - if (Config.authenticate_ntlm_domain != NULL) { - struct ntlm_challenge chal; + switch (auth_type) { + case AUTHENTICATE_TYPE_BASIC: + fmt = "Basic realm=\"%s\""; + data = Config.proxyAuthRealm; + break; + +#ifdef USE_NTLM + case AUTHENTICATE_TYPE_NTLM: +/* if (Config.authenticate_ntlm_domain == NULL) */ - if (ntlm_challenge) { + if (auth_state) { ntlmMakeChallenge(&chal); fmt = "NTLM %s"; len = sizeof(chal) - sizeof(chal.pad) + SSWAP(chal.target.maxlen); @@ -180,11 +189,7 @@ data = (char *)base64_encode_bin((char *)&chal, len); } else fmt = "NTLM"; - } else #endif - { - fmt = "Basic realm=\"%s\""; - data = Config.proxyAuthRealm; } httpHeaderPutStrf(&rep->header, type, fmt, data); @@ -277,8 +282,10 @@ o = WSWAP(str->offset); /* Sanity checks. XXX values arbitrarialy chosen */ - if (l <= 0 || l >= 32 || o >= 256) + if (l <= 0 || l >= 32 || o >= 256) { + debug(29, 5) ("ntlmGetString: insane: l:%d o:%d\n", l, o); return (NULL); + } if ((flags & 2) == 0) { /* UNICODE string */ @@ -371,7 +378,7 @@ debug(29, 5) ("ntlmDecodeAuth: ntresponse: %s\n", *pass); } - return 1; + return 0; } #endif /* USE_NTLM */ Index: squid/src/client_side.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/client_side.c,v retrieving revision 1.1.1.3.4.1.2.8 retrieving revision 1.1.1.3.4.1.2.9 diff -u -r1.1.1.3.4.1.2.8 -r1.1.1.3.4.1.2.9 --- squid/src/client_side.c 17 Apr 2000 00:13:09 -0000 1.1.1.3.4.1.2.8 +++ squid/src/client_side.c 3 May 2000 11:22:56 -0000 1.1.1.3.4.1.2.9 
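Review bot: `switch (auth_type)` in authenticateFixErrorHeader has no `default:`, so for any value other than AUTHENTICATE_TYPE_BASIC (and NTLM when compiled in) `fmt` and `data` reach `httpHeaderPutStrf` uninitialised; errorpage.c's HTTP_UNAUTHORIZED branch passes a literal `0` for auth_type, which is only safe if AUTHENTICATE_TYPE_BASIC happens to be 0, and nothing in this patchset shows that. Add `default: fmt = "Basic realm=\"%s\""; data = Config.proxyAuthRealm; break;` (or make BASIC the default label) so the header is always well-defined. In the NTLM case `if (auth_state)` replaced `if (ntlm_challenge)`, but `auth_state` is now three-valued (AUTHENTICATE_STATE_NONE, _CHALLENGE, _DONE), so a DONE state would also produce a challenge; `if (auth_state == AUTHENTICATE_STATE_CHALLENGE)` matches the intent, and the commented-out `/* if (Config.authenticate_ntlm_domain == NULL) */` line should be deleted or turned into a TODO. Note also that this file tests `#ifdef USE_NTLM` while acl.c tests `#if USE_NTLM`; a build that defines USE_NTLM as 0 would compile the NTLM case here but not the caller, so one spelling should be used throughout.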
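Review bot: Changing ntlmDecodeAuth's final `return 1;` to `return 0;` inverts its success convention, which acl.c's new caller relies on (`if (rv || *user == NULL || *password == NULL)` treats non-zero as failure), but the hunk adds nothing documenting it, and any other caller still expecting 1 on success would silently misread the result. A comment at the function head along the lines of `/* Returns 0 on success, non-zero on a malformed authenticate message; *user and *pass point into buf */` would pin the contract. The function's definition starts outside this hunk, so I could not check whether its error paths already return non-zero to match.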
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side.c,v 1.1.1.3.4.1.2.8 2000/04/17 00:13:09 hno Exp $
+ * $Id: client_side.c,v 1.1.1.3.4.1.2.9 2000/05/03 11:22:56 asd Exp $
  *
  * DEBUG: section 33 Client-side Routines
  * AUTHOR: Duane Wessels
@@ -199,9 +199,9 @@
 int page_id = -1;
 http_status status;
 ErrorState *err = NULL;
-#ifdef USE_NTLM
- int ntlm_challenge = http->acl_checklist->ntlm_challenge;
-#endif
+ int auth_type = http->acl_checklist->auth_type;
+ int auth_state = http->acl_checklist->auth_state;
+
 debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
 RequestMethodStr[http->request->method], http->uri,
 answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
@@ -245,9 +245,8 @@
 err = errorCon(page_id, status);
 err->request = requestLink(http->request);
 err->src_addr = http->conn->peer.sin_addr;
-#ifdef USE_NTLM
- err->ntlm_challenge = ntlm_challenge;
-#endif
+ err->auth_type = auth_type;
+ err->auth_state = auth_state;
 errorAppendEntry(http->entry, err);
 }
 }
Index: squid/src/enums.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/enums.h,v
retrieving revision 1.1.1.3.12.1
retrieving revision 1.1.1.3.12.2
diff -u -r1.1.1.3.12.1 -r1.1.1.3.12.2
--- squid/src/enums.h 17 Apr 2000 00:13:09 -0000 1.1.1.3.12.1
+++ squid/src/enums.h 3 May 2000 11:22:56 -0000 1.1.1.3.12.2
@@ -1,6 +1,6 @@
 /*
- * $Id: enums.h,v 1.1.1.3.12.1 2000/04/17 00:13:09 hno Exp $
+ * $Id: enums.h,v 1.1.1.3.12.2 2000/05/03 11:22:56 asd Exp $
  *
  *
  * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
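Review bot: `int auth_type = http->acl_checklist->auth_type;` reads a checklist member that no hunk in this patchset declares: the structs.h change to the checklist struct (at -156) adds only `int auth_state;`, and acl.c keeps the decoded scheme in locals (`int type` in aclMatchProxyAuth, `auth_type` in aclLookupProxyAuthStart) without copying it onto the checklist. Unless the member already exists elsewhere, this does not compile, and even if it does the value is never set, so the error page would always be built for whatever stale value the field holds. The fix is to add `int auth_type;` beside `auth_state` in the checklist struct, initialise it in aclChecklistCreate next to `auth_state = AUTHENTICATE_STATE_NONE`, and in aclMatchProxyAuth capture the decode result in a local, assign `checklist->auth_type = type;` (with `type` given a known initial value, since the `proxy_auth == NULL` exit does not set it) and then `switch` on that local, so the challenge path at `case 2` also sees it. The same field is copied into `err->auth_type` in the hunk at -245.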
@@ -502,6 +502,7 @@
 MEM_ACL_IP_DATA,
 MEM_ACL_LIST,
 MEM_ACL_NAME_LIST,
+ MEM_ACL_PROXY_AUTH_DATA,
 MEM_ACL_PROXY_AUTH_USER,
 MEM_ACL_TIME_DATA,
 MEM_AIO_RESULT_T,
Index: squid/src/errorpage.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/errorpage.c,v
retrieving revision 1.1.1.3.10.2
retrieving revision 1.1.1.3.10.3
diff -u -r1.1.1.3.10.2 -r1.1.1.3.10.3
--- squid/src/errorpage.c 17 Apr 2000 00:13:09 -0000 1.1.1.3.10.2
+++ squid/src/errorpage.c 3 May 2000 11:22:56 -0000 1.1.1.3.10.3
@@ -1,6 +1,6 @@
 /*
- * $Id: errorpage.c,v 1.1.1.3.10.2 2000/04/17 00:13:09 hno Exp $
+ * $Id: errorpage.c,v 1.1.1.3.10.3 2000/05/03 11:22:56 asd Exp $
  *
  * DEBUG: section 4 Error Generation
  * AUTHOR: Duane Wessels
@@ -280,15 +280,11 @@
 switch (err->http_status) {
 case HTTP_PROXY_AUTHENTICATION_REQUIRED:
 /* Proxy authorisation needed */
-#ifdef USE_NTLM
- authenticateFixErrorHeader(rep, HDR_PROXY_AUTHENTICATE, err->ntlm_challenge);
-#else
- authenticateFixErrorHeader(rep, HDR_PROXY_AUTHENTICATE, 0);
-#endif
+ authenticateFixErrorHeader(rep, HDR_PROXY_AUTHENTICATE, err->auth_type, err->auth_state);
 break;
 case HTTP_UNAUTHORIZED:
 /* WWW Authorisation needed */
- authenticateFixErrorHeader(rep, HDR_WWW_AUTHENTICATE, 0);
+ authenticateFixErrorHeader(rep, HDR_WWW_AUTHENTICATE, 0, 0);
 break;
 default:
 /* Keep GCC happy */
Index: squid/src/mem.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/mem.c,v
retrieving revision 1.1.1.3.12.1
retrieving revision 1.1.1.3.12.2
diff -u -r1.1.1.3.12.1 -r1.1.1.3.12.2
--- squid/src/mem.c 17 Apr 2000 00:13:10 -0000 1.1.1.3.12.1
+++ squid/src/mem.c 3 May 2000 11:22:56 -0000 1.1.1.3.12.2
@@ -1,6 +1,6 @@
 /*
- * $Id: mem.c,v 1.1.1.3.12.1 2000/04/17 00:13:10 hno Exp $
+ * $Id: mem.c,v 1.1.1.3.12.2 2000/05/03 11:22:56 asd Exp $
  *
  * DEBUG: section 13 High Level Memory Pool Management
  * AUTHOR: Harvest Derived
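Review bot: The HTTP_UNAUTHORIZED branch now calls `authenticateFixErrorHeader(rep, HDR_WWW_AUTHENTICATE, 0, 0)` with bare integer literals for the two new enum parameters, while the line above passes `err->auth_type, err->auth_state`; since authenticateFixErrorHeader switches on auth_type without a default, these zeros are only correct if the enums happen to start at the intended members, which this patchset does not show. Spell them out as `authenticateFixErrorHeader(rep, HDR_WWW_AUTHENTICATE, AUTHENTICATE_TYPE_BASIC, AUTHENTICATE_STATE_NONE);` so the intent (Basic challenge, no negotiation in progress) is readable and survives any reordering of the enums.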
@@ -203,6 +203,8 @@ memDataInit(MEM_ACL_TIME_DATA, "acl_time_data", sizeof(acl_time_data), 0); memDataInit(MEM_ACL_PROXY_AUTH_USER, "acl_proxy_auth_user", sizeof(acl_proxy_auth_user), 0); + memDataInit(MEM_ACL_PROXY_AUTH_DATA, "acl_proxy_auth_data", + sizeof(acl_proxy_auth_data), 0); memDataInit(MEM_AIO_RESULT_T, "aio_result_t", sizeof(aio_result_t), 0); memDataInit(MEM_CACHEMGR_PASSWD, "cachemgr_passwd", sizeof(cachemgr_passwd), 0); Index: squid/src/protos.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/protos.h,v retrieving revision 1.1.1.3.12.3 retrieving revision 1.1.1.3.12.4 diff -u -r1.1.1.3.12.3 -r1.1.1.3.12.4 --- squid/src/protos.h 17 Apr 2000 00:13:10 -0000 1.1.1.3.12.3 +++ squid/src/protos.h 3 May 2000 11:22:56 -0000 1.1.1.3.12.4 @@ -1,6 +1,6 @@ /* - * $Id: protos.h,v 1.1.1.3.12.3 2000/04/17 00:13:10 hno Exp $ + * $Id: protos.h,v 1.1.1.3.12.4 2000/05/03 11:22:56 asd Exp $ * * * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ @@ -702,7 +702,7 @@ extern void authenticateStart(acl_proxy_auth_user *, RH *, void *); extern void authenticateInit(void); extern void authenticateShutdown(void); -extern void authenticateFixErrorHeader(HttpReply *, int, int); +extern void authenticateFixErrorHeader(HttpReply *, int, int, int); extern void refreshAddToList(const char *, int, time_t, int, time_t); extern int refreshIsCachable(const StoreEntry *); Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.1.1.3.4.1.2.4 retrieving revision 1.1.1.3.4.1.2.5 diff -u -r1.1.1.3.4.1.2.4 -r1.1.1.3.4.1.2.5 --- squid/src/structs.h 17 Apr 2000 00:13:11 -0000 1.1.1.3.4.1.2.4 +++ squid/src/structs.h 3 May 2000 11:22:56 -0000 1.1.1.3.4.1.2.5 
@@ -1,6 +1,6 @@
 /*
- * $Id: structs.h,v 1.1.1.3.4.1.2.4 2000/04/17 00:13:11 hno Exp $
+ * $Id: structs.h,v 1.1.1.3.4.1.2.5 2000/05/03 11:22:56 asd Exp $
  *
  *
  * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
@@ -62,6 +62,11 @@
 acl_time_data *next;
 };
 
+struct _acl_proxy_auth_data {
+ int type;
+ wordlist *names;
+};
+
 struct _acl_name_list {
 char name[ACL_NAME_SZ];
 acl_name_list *next;
@@ -72,6 +77,7 @@
 char *user;
 acl_proxy_auth_user *next;
 /* extra fields for proxy_auth */
+ int auth_type;
 char *passwd;
 #ifdef USE_NTLM
 char *lmresponse;
@@ -156,9 +162,7 @@
 ConnStateData *conn; /* hack for ident */
 char ident[USER_IDENT_SZ];
 #endif
-#if USE_NTLM
- int ntlm_challenge; /* need to issue NTLM challenge */
-#endif
+ int auth_state;
 acl_proxy_auth_user *auth_user;
 acl_lookup_state state[ACL_ENUM_MAX];
 #if SQUID_SNMP
@@ -914,7 +918,6 @@
 struct in_addr log_addr;
 char ident[USER_IDENT_SZ];
 int nrequests;
- int authenticated;
 struct {
 int n;
 time_t until;
@@ -1548,9 +1551,8 @@
 err_type type;
 int page_id;
 http_status http_status;
-#ifdef USE_NTLM
- int ntlm_challenge; /* NTLM: got negotiation, send challenge */
-#endif
+ int auth_type;
+ int auth_state;
 request_t *request;
 char *url;
 int xerrno;
Index: squid/src/typedefs.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/typedefs.h,v
retrieving revision 1.1.1.3.12.2
retrieving revision 1.1.1.3.12.3
diff -u -r1.1.1.3.12.2 -r1.1.1.3.12.3
--- squid/src/typedefs.h 17 Apr 2000 00:13:11 -0000 1.1.1.3.12.2
+++ squid/src/typedefs.h 3 May 2000 11:22:56 -0000 1.1.1.3.12.3
@@ -1,6 +1,6 @@
 /*
- * $Id: typedefs.h,v 1.1.1.3.12.2 2000/04/17 00:13:11 hno Exp $
+ * $Id: typedefs.h,v 1.1.1.3.12.3 2000/05/03 11:22:56 asd Exp $
  *
  *
  * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
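Review bot: The new `int auth_state;` in the checklist struct (and `auth_type` / `auth_state` in ErrorState at -1548) drops the explanatory comment the replaced `ntlm_challenge` members carried, and nothing in the headers now says which constants the fields hold or who sets them. Suggest `int auth_state; /* AUTHENTICATE_STATE_*: NONE from aclChecklistCreate, CHALLENGE when an NTLM challenge must be sent, DONE once the user matched */` here, and `int auth_type; /* AUTHENTICATE_TYPE_* taken from the Proxy-Authorization scheme */` on the ErrorState and acl_proxy_auth_user members. Removing `int authenticated;` from ConnStateData (at -914) also removes the only per-connection record of a completed authentication; with the state now on the per-request checklist, a note on where connection-scoped NTLM state is meant to live, if anywhere, would save the next reader from re-deriving it.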
@@ -58,6 +58,7 @@
 
 typedef struct _acl_ip_data acl_ip_data;
 typedef struct _acl_time_data acl_time_data;
+typedef struct _acl_proxy_auth_data acl_proxy_auth_data;
 typedef struct _acl_name_list acl_name_list;
 typedef struct _acl_deny_info_list acl_deny_info_list;
 typedef struct _acl_proxy_auth acl_proxy_auth;