--------------------- PatchSet 2685 Date: 2001/07/31 10:29:22 Author: rbcollins Branch: auth_rewrite Tag: (none) Log: preparing for merge to HEAD Members: configure.in:1.1.1.3.10.17.2.22->1.1.1.3.10.17.2.23 src/acl.c:1.1.1.3.12.26.2.51->1.1.1.3.12.26.2.52 src/authenticate.c:1.1.1.3.12.17.2.42->1.1.1.3.12.17.2.43 src/cf.data.pre:1.1.1.3.4.1.2.18.2.28->1.1.1.3.4.1.2.18.2.29 src/client_side.c:1.1.1.3.4.1.2.30.2.32->1.1.1.3.4.1.2.30.2.33 src/enums.h:1.1.1.3.12.15.2.17->1.1.1.3.12.15.2.18 src/protos.h:1.1.1.3.12.17.2.34->1.1.1.3.12.17.2.35 src/structs.h:1.1.1.3.4.1.2.26.2.39->1.1.1.3.4.1.2.26.2.40 src/typedefs.h:1.1.1.3.12.13.2.31->1.1.1.3.12.13.2.32 src/auth/basic/auth_basic.c:1.1.2.39->1.1.2.40 src/auth/digest/auth_digest.c:1.1.20.4->1.1.20.5 src/auth/ntlm/auth_ntlm.c:1.1.2.41->1.1.2.42 src/auth/ntlm/auth_ntlm.h:1.1.2.8->1.1.2.9 src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c:1.1.2.22->1.1.2.23 Index: squid/configure.in =================================================================== RCS file: /cvsroot/squid-sf//squid/configure.in,v retrieving revision 1.1.1.3.10.17.2.22 retrieving revision 1.1.1.3.10.17.2.23 diff -u -r1.1.1.3.10.17.2.22 -r1.1.1.3.10.17.2.23 --- squid/configure.in 16 Jul 2001 21:44:16 -0000 1.1.1.3.10.17.2.22 +++ squid/configure.in 31 Jul 2001 10:29:22 -0000 1.1.1.3.10.17.2.23 @@ -3,13 +3,13 @@ dnl dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9) dnl -dnl $Id: configure.in,v 1.1.1.3.10.17.2.22 2001/07/16 21:44:16 rbcollins Exp $ +dnl $Id: configure.in,v 1.1.1.3.10.17.2.23 2001/07/31 10:29:22 rbcollins Exp $ dnl dnl dnl AC_INIT(src/main.c) AC_CONFIG_HEADER(include/autoconf.h) -AC_REVISION($Revision: 1.1.1.3.10.17.2.22 $)dnl +AC_REVISION($Revision: 1.1.1.3.10.17.2.23 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AC_CONFIG_AUX_DIR(cfgaux) @@ -1054,6 +1054,8 @@ varargs.h \ byteswap.h \ glib.h \ + stdint.h \ + inttypes.h \ ) AC_C_CONST Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.1.1.3.12.26.2.51 retrieving revision 1.1.1.3.12.26.2.52 diff -u -r1.1.1.3.12.26.2.51 -r1.1.1.3.12.26.2.52 --- squid/src/acl.c 16 Jul 2001 21:44:17 -0000 1.1.1.3.12.26.2.51 +++ squid/src/acl.c 31 Jul 2001 10:29:22 -0000 1.1.1.3.12.26.2.52 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.1.1.3.12.26.2.51 2001/07/16 21:44:17 rbcollins Exp $ + * $Id: acl.c,v 1.1.1.3.12.26.2.52 2001/07/31 10:29:22 rbcollins Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -67,6 +67,10 @@ #if SQUID_SNMP static int aclMatchWordList(wordlist *, const char *); #endif +static void aclParseUserMaxIP(void * data); +static void aclDestroyUserMaxIP(void * data); +static wordlist *aclDumpUserMaxIP(void *data); +static int aclMatchUserMaxIP(void *, auth_user_request_t *, struct in_addr); static squid_acl aclStrToType(const char *s); static int decode_addr(const char *, struct in_addr *, struct in_addr *); static void aclCheck(aclCheck_t * checklist); @@ -220,6 +224,8 @@ return ACL_REQ_MIME_TYPE; if (!strcmp(s, "rep_mime_type")) return ACL_REP_MIME_TYPE; + if (!strcmp(s, "max_user_ip")) + return ACL_MAX_USER_IP; return ACL_NONE; } @@ -288,6 +294,8 @@ return "req_mime_type"; if (type == ACL_REP_MIME_TYPE) return "rep_mime_type"; + if (type == ACL_MAX_USER_IP) + return "max_user_ip"; return "ERROR"; } @@ -784,6 +792,9 @@ case ACL_DST_ASN: aclParseIntlist(&A->data); break; + case ACL_MAX_USER_IP: + aclParseUserMaxIP(&A->data); + break; #if SRC_RTT_NOT_YET_FINISHED case ACL_NETDB_SRC_RTT: aclParseIntlist(&A->data); @@ -1088,14 +1099,14 @@ if (user == NULL) return 0; - if (data->flags.case_insensitive) - Tolower(user); - if (data->flags.required) { debug(28, 7) ("aclMatchUser: user REQUIRED and auth-info present.\n"); return 1; } - Top = splay_splay(user, Top, (SPLAYCMP *) strcmp); + if (data->flags.case_insensitive) + Top = splay_splay(user, Top, (SPLAYCMP *) strcasecmp); + else + Top = splay_splay(user, Top, (SPLAYCMP *) strcmp); /* Top=splay_splay(user,Top,(SPLAYCMP *)dumping_strcmp); */ debug(28, 7) ("aclMatchUser: returning %d,Top is %p, Top->data is %s\n", !splayLastResult, Top, (Top ? Top->data : "Unavailable")); @@ -1171,170 +1182,308 @@ } } -/* aclMatchProxyAuth can return four exit codes: - * 0 : Authenticated OK, Authorisation for this ACL failed. - * 1 : Authenticated OK, Authorisation OK. - * -1 : send data to an external authenticator - * -2 : send data to the client - */ -static int -aclMatchProxyAuth(void *data, http_hdr_type headertype, - auth_user_request_t * auth_user_request, aclCheck_t * checklist, - squid_acl acltype) -{ - /* checklist is used to register user name when identified, nothing else */ - const char *proxy_auth; - /* consistent parameters ? */ - assert(auth_user_request == checklist->auth_user_request); - /* General program flow in proxy_auth acls - * 1. Consistency checks: are we getting sensible data - * 2. Call the authenticate* functions to establish a authenticated user - * 4. look up the username in acltype (and cache the result against the - * username + /* THIS IS FOR BUGFIXING BELOW... ***** + * Is this an already authenticated connection with a new auth header? + * FIXME: This breaks the abstraction model. Even if it is just for bug hunting + * It's really really ugly. */ + #include "auth/ntlm/auth_ntlm.h" +/* returns one of + * AUTH_ACL_CHALLENGE, + * AUTH_ACL_HELPER, + * AUTH_ACL_CANNOT_AUTHENTICATE, + * AUTH_AUTHENTICATED + * + * How to use: In your proxy-auth dependent acl code, use the following + * construct: + * int rv; + * if ((rv = AuthenticateAuthenticate()) != AUTH_AUTHENTICATED) + * return rv; + * + * when this code is reached, the request/connection is authenticated. + * + * if you have non-acl code, but want to force authentication, you need a + * callback mechanism like the acl testing routines that will send a 40[1|7] to + * the client when rv==AUTH_ACL_CHALLENGE, and will communicate with + * the authenticateStart routine for rv==AUTH_ACL_HELPER + */ +static auth_acl_t +AuthenticateAuthenticate(auth_user_request_t ** auth_user_request, http_hdr_type headertype, request_t *request, ConnStateData *conn, struct in_addr src_addr) +{ + const char * proxy_auth; assert(headertype != 0); - proxy_auth = httpHeaderGetStr(&checklist->request->header, headertype); + proxy_auth = httpHeaderGetStr(&request->header, headertype); - if (checklist->conn == NULL) { + if (conn == NULL) { debug(28, 1) ("aclMatchProxyAuth: no connection data, cannot process authentication\n"); - /* + /* * deny access: clientreadrequest requires conn data, and it is always * compiled in so we should have it too. */ - return 0; + return AUTH_ACL_CANNOT_AUTHENTICATE; } + /* * a note on proxy_auth logix here: * proxy_auth==NULL -> unauthenticated request || already authenticated connection * so we test for an authenticated connection when we recieve no authentication * header. */ - if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(auth_user_request ? auth_user_request : checklist->conn->auth_user_request))) - || (checklist->conn->auth_type == AUTH_BROKEN)) { - /* no header or authentication failed/got corrupted - restart */ - checklist->conn->auth_type = AUTH_UNKNOWN; - debug(28, 4) ("aclMatchProxyAuth: broken auth or no proxy_auth header. Requesting auth header.\n"); - /* something wrong with the AUTH credentials. Force a new attempt */ - checklist->auth_user_request = NULL; - checklist->conn->auth_user_request = NULL; - if (auth_user_request) { - /* unlock the ACL lock */ - authenticateAuthUserRequestUnlock(auth_user_request); - } - return -2; + if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(*auth_user_request ? *auth_user_request : conn->auth_user_request))) + || (conn->auth_type == AUTH_BROKEN)) { + /* no header or authentication failed/got corrupted - restart */ + conn->auth_type = AUTH_UNKNOWN; + debug(28, 4) ("aclMatchProxyAuth: broken auth or no proxy_auth header. Requesting auth header.\n"); + /* something wrong with the AUTH credentials. Force a new attempt */ + conn->auth_user_request = NULL; + if (*auth_user_request) { + /* unlock the ACL lock */ + authenticateAuthUserRequestUnlock(*auth_user_request); + auth_user_request = NULL; + } + return AUTH_ACL_CHALLENGE; + } + + /* + * Is this an already authenticated connection with a new auth header? + * FIXME: This breaks the abstraction model. Even if it is just for bug hunting + * It's really really ugly. + */ + if (proxy_auth && conn->auth_user_request && + authenticateUserAuthenticated(conn->auth_user_request) + && strcmp(proxy_auth, ((ntlm_request_t *)(conn->auth_user_request->scheme_data))->ntlmauthenticate)) { + debug(28,1) ("aclMatchProxyAuth: DUPLICATE AUTH - authentication header on already authenticated connection!. Current user '%s' proxy_auth %s, authenticate request %s\n", authenticateUserRequestUsername(conn->auth_user_request), proxy_auth, ((ntlm_request_t *)(conn->auth_user_request->scheme_data))->ntlmauthenticate); + /* remove this request struct - the link is already authed and it can't be to + * reauth. + */ + + /* This should _only_ ever occur on the first pass through aclMatchProxyAuth */ + assert(*auth_user_request == NULL); + /* unlock the conn lock on the auth_user_request */ + authenticateAuthUserRequestUnlock(conn->auth_user_request); + /* mark the conn as non-authed. */ + conn->auth_user_request=NULL; + /* Set the connection auth type */ + conn->auth_type = AUTH_UNKNOWN; } + /* we have a proxy auth header and as far as we know this connection has * not had bungled connection oriented authentication happen on it. */ debug(28, 9) ("aclMatchProxyAuth: header %s.\n", proxy_auth); - if (auth_user_request == NULL) { - debug(28, 9) ("aclMatchProxyAuth: This is a new request on FD:%d\n", - checklist->conn->fd); - if ((!checklist->request->auth_user_request) - && (checklist->conn->auth_type == AUTH_UNKNOWN)) { - /* beginning of a new request check */ - debug(28, 4) ("aclMatchProxyAuth: no connection authentication type\n"); - if (!authenticateValidateUser(auth_user_request = - authenticateGetAuthUser(proxy_auth))) { - /* the decode might have left a username for logging, or a message to - * the user */ - if (authenticateUserRequestUsername(auth_user_request)) { - /* lock the user for the request structure link */ - authenticateAuthUserRequestLock(auth_user_request); - checklist->request->auth_user_request = auth_user_request; - /* unlock the ACL reference. */ - authenticateAuthUserRequestUnlock(auth_user_request); - } - return -2; - } - /* the user_request comes prelocked for the caller to GetAuthUser (us) */ - } else if (checklist->request->auth_user_request) { - auth_user_request = checklist->request->auth_user_request; - /* lock the user request for this ACL processing */ - authenticateAuthUserRequestLock(auth_user_request); - } else { - if (checklist->conn->auth_user_request != NULL) { - auth_user_request = checklist->conn->auth_user_request; - /* lock the user request for this ACL processing */ - authenticateAuthUserRequestLock(auth_user_request); - } else { - /* failed connection based authentication */ - debug(28, 4) ("aclMatchProxyAuth: Auth user request %d conn-auth user request %d conn type %d authentication failed.\n", - auth_user_request, checklist->conn->auth_user_request, - checklist->conn->auth_type); - return -2; - } - } + if (*auth_user_request == NULL) { + debug(28, 9) ("aclMatchProxyAuth: This is a new checklist test on FD:%d\n", + conn->fd); + if ((!request->auth_user_request) + && (conn->auth_type == AUTH_UNKNOWN)) { + /* beginning of a new request check */ + debug(28, 4) ("aclMatchProxyAuth: no connection authentication type\n"); + if (!authenticateValidateUser(*auth_user_request = + authenticateGetAuthUser(proxy_auth))) { + /* the decode might have left a username for logging, or a message to + * the user */ + if (authenticateUserRequestUsername(*auth_user_request)) { + /* lock the user for the request structure link */ + authenticateAuthUserRequestLock(*auth_user_request); + request->auth_user_request = *auth_user_request; + /* unlock the ACL reference. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + } + return AUTH_ACL_CHALLENGE; + } + /* the user_request comes prelocked for the caller to GetAuthUser (us) */ + } else if (request->auth_user_request) { + *auth_user_request = request->auth_user_request; + /* lock the user request for this ACL processing */ + authenticateAuthUserRequestLock(*auth_user_request); + } else { + if (conn->auth_user_request != NULL) { + *auth_user_request = conn->auth_user_request; + /* lock the user request for this ACL processing */ + authenticateAuthUserRequestLock(*auth_user_request); + } else { + /* failed connection based authentication */ + debug(28, 4) ("aclMatchProxyAuth: Auth user request %d conn-auth user request %d conn type %d authentication failed.\n", + *auth_user_request, conn->auth_user_request, conn->auth_type); + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + } + } + } + + if (!authenticateUserAuthenticated(*auth_user_request)) { + /* User not logged in. Log them in */ + authenticateAuthenticateUser(*auth_user_request, request, + conn, headertype); + switch (authenticateDirection(*auth_user_request)) { + case 1: + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + case -1: + /* we are partway through authentication within squid, + * the *auth_user_request variables stores the auth_user_request + * for the callback to here - Do not Unlock */ + return AUTH_ACL_HELPER; + case -2: + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + } + /* on 0 the authentication is finished - fallthrough */ + /* See of user authentication failed for some reason */ + if (!authenticateUserAuthenticated(*auth_user_request)) { + if ((authenticateUserRequestUsername(*auth_user_request))) { + if (!request->auth_user_request) { + /* lock the user for the request structure link */ + authenticateAuthUserRequestLock(*auth_user_request); + request->auth_user_request = *auth_user_request; + } + } + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + } } - /* Clear the reference in the checklist */ - checklist->auth_user_request = NULL; - if (!authenticateUserAuthenticated(auth_user_request)) { - /* User not logged in. Log them in */ - authenticateAuthUserRequestSetIp(auth_user_request, - checklist->src_addr); - authenticateAuthenticateUser(auth_user_request, checklist->request, - checklist->conn, headertype); - switch (authenticateDirection(auth_user_request)) { - case 1: - /* this ACL check is finished. Unlock. */ - authenticateAuthUserRequestUnlock(auth_user_request); - return -2; - case -1: - /* we are partway through authentication within squid - * store the auth_user for the callback to here */ - checklist->auth_user_request = auth_user_request; - /* we will be called back here. Do not Unlock */ - return -1; - case -2: - /* this ACL check is finished. Unlock. */ - authenticateAuthUserRequestUnlock(auth_user_request); - return -2; - } /* on 0 the authentication is finished - fallthrough */ - /* See of user authentication failed for some reason */ - if (!authenticateUserAuthenticated(auth_user_request)) { - if ((!checklist->rfc931[0]) && - (authenticateUserRequestUsername(auth_user_request))) { - if (!checklist->request->auth_user_request) { - /* lock the user for the request structure link */ - authenticateAuthUserRequestLock(auth_user_request); - checklist->request->auth_user_request = auth_user_request; - } - } - /* this ACL check is finished. Unlock. */ - authenticateAuthUserRequestUnlock(auth_user_request); - return -2; - - } - } - /* User authenticated ok */ - assert(authenticateUserAuthenticated(auth_user_request)); - + /* copy username to request for logging on client-side */ /* the credentials are correct at this point */ - if (!checklist->request->auth_user_request) { + if (!request->auth_user_request) { /* lock the user for the request structure link */ - authenticateAuthUserRequestLock(auth_user_request); - checklist->request->auth_user_request = auth_user_request; + authenticateAuthUserRequestLock(*auth_user_request); + request->auth_user_request = *auth_user_request; + authenticateAuthUserRequestSetIp(*auth_user_request, src_addr); } - if (authenticateCheckAuthUserIP(checklist->src_addr, auth_user_request)) { - /* Once the match is completed we have finished with the - * auth_user structure */ - /* this ACL check completed */ - authenticateAuthUserRequestUnlock(auth_user_request); - /* check to see if we have matched the user-acl before */ - return aclCacheMatchAcl(&auth_user_request->auth_user-> - proxy_match_cache, acltype, data, - authenticateUserRequestUsername(auth_user_request)); + + /* Unlock the request - we've authenticated it */ + authenticateAuthUserRequestUnlock(*auth_user_request); + return AUTH_AUTHENTICATED; +} + +/* aclMatchProxyAuth can return four exit codes: + * 0 : Authorisation for this ACL failed. (Did not match) + * 1 : Authorisation OK. (Matched) + */ +static int +aclMatchProxyAuth(void *data, http_hdr_type headertype, + auth_user_request_t * auth_user_request, aclCheck_t * checklist, + squid_acl acltype) +{ + /* checklist is used to register user name when identified, nothing else */ + + /* General program flow in proxy_auth acls + * 1. Consistency checks: are we getting sensible data + * 2. Call the authenticate* functions to establish a authenticated user + * 4. look up the username in acltype (and cache the result against the + * username + */ + + /* for completeness */ + authenticateAuthUserRequestLock(auth_user_request); + + /* consistent parameters ? */ + assert(authenticateUserAuthenticated(auth_user_request)); + /* this ACL check completed */ + authenticateAuthUserRequestUnlock(auth_user_request); + /* check to see if we have matched the user-acl before */ + return aclCacheMatchAcl(&auth_user_request->auth_user-> + proxy_match_cache, acltype, data, + authenticateUserRequestUsername(auth_user_request)); +} + +CBDATA_TYPE (acl_user_ip_data); + +void +aclParseUserMaxIP(void * data) +{ + acl_user_ip_data ** acldata = data; + char *t = NULL; + CBDATA_INIT_TYPE (acl_user_ip_data); + if (*acldata) { + debug (28, 1) ("Attempting to alter already set User max IP acl\n"); + return; + } + + *acldata = cbdataAlloc (acl_user_ip_data); + if ((t = strtokFile())) { + debug(28, 5) ("aclParseUserMaxIP: First token is %s\n", t); + if (strcmp("-s", t) == 0) { + debug(28, 5) ("aclParseUserMaxIP: Going strict\n"); + (*acldata)->flags.strict = 1; + } else { + (*acldata)->max = atoi(t); + debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (*acldata)->max); + } + } else + fatal("aclParseUserMaxIP: Malformed ACL %d\n"); +} + +void +aclDestroyUserMaxIP(void * data) +{ + acl_user_ip_data ** acldata = data; + if (*acldata) + cbdataFree (*acldata); + *acldata = NULL; +} + +wordlist * +aclDumpUserMaxIP(void * data) +{ + acl_user_ip_data *acldata = data; + wordlist *W = NULL; + char buf[128]; + if (acldata->flags.strict) + wordlistAdd(&W, "-s"); + snprintf(buf, sizeof(buf), "%d", acldata->max); + wordlistAdd(&W, buf); + return W; +} + +/* aclMatchUserMaxIP - check for users logging in from multiple IP's + * 0 : No match + * 1 : Match + */ +int +aclMatchUserMaxIP(void *data, auth_user_request_t *auth_user_request, + struct in_addr src_addr) +{ +/* + > the logic for flush the ip list when the limit is hit vs keep it sorted in most recent access order and just drop the oldest one off is currently undecided +*/ + acl_user_ip_data *acldata = data; + + if (authenticateAuthUserRequestIPCount(auth_user_request) <= acldata->max) + return 0; + + /* this is a match */ + if (acldata->flags.strict) { + /* simply deny access - the user name is already associated with + * the request + */ + /* remove _this_ ip, as it is the culprit for going over the limit */ + authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr); + debug (28,4) ("aclMatchUserMaxIP: Denying access in strict mode\n"); } else { + /* non-strict - remove some/all of the cached entries + * ie to allow the user to move machines easily + */ + authenticateAuthUserRequestClearIp(auth_user_request); + debug (28,4) ("aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache\n"); + } +#if 0 debug(28, 1) ("XXX authenticateCheckAuthUserIP returned 0, somebody " - "make sure the username gets logged to access.log.\n"); + "make sure the username gets logged to access.log.\n"); debug(28, 1) ("XXX if it works, tell developers to remove this " - "message\n"); - } - /* this acl check completed */ - authenticateAuthUserRequestUnlock(auth_user_request); - return 0; + "message\n"); +#endif + + return 1; } static void @@ -1443,7 +1592,7 @@ char *esc_buf; const char *header; const char *browser; - int k; + int k,ti; http_hdr_type headertype; if (!ae) return 0; @@ -1602,6 +1751,8 @@ /* NOTREACHED */ case ACL_PROXY_AUTH: case ACL_PROXY_AUTH_REGEX: + case ACL_MAX_USER_IP: + /* ALL authentication predicated ACL's live here */ if (NULL == r) { return -1; } else if (!r->flags.accelerated) { @@ -1619,9 +1770,46 @@ return -1; #endif } + /* get authed here */ + if ((ti = AuthenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn, checklist->src_addr)) != AUTH_AUTHENTICATED) { + switch (ti) { + case 0: + /* Authenticated but not Authorised for this ACL */ + debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); + return 0; + case 1: + fatal("AUTH_AUTHENTICATED == 1\n"); + break; + case -1: + /* Send data to the helper */ + debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED; + return 0; + case -2: + /* Send a challenge to the client */ + debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; + return 0; + } + } + /* then, switch on type again to do the correct match routine :> */ + switch (ae->type) { + case ACL_PROXY_AUTH: + case ACL_PROXY_AUTH_REGEX: + ti = aclMatchProxyAuth(ae->data, headertype, + checklist->auth_user_request, checklist, ae->type); + break; + case ACL_MAX_USER_IP: + ti = aclMatchUserMaxIP(ae->data, checklist->auth_user_request, + checklist->src_addr); + break; + default: + /* Keep GCC happy */ + break; + } + checklist->auth_user_request = NULL; /* Check the credentials */ - switch (aclMatchProxyAuth(ae->data, headertype, - checklist->auth_user_request, checklist, ae->type)) { + switch (ti) { case 0: debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); /* Authenticated but not Authorised for this ACL */ @@ -1631,20 +1819,11 @@ /* Authenticated and Authorised for this ACL */ return 1; case -2: - debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); - /* Authentication credentials invalid or missing. */ - /* Or partway through NTLM handshake. A proxy_Authenticate header - * gets sent to the client. */ - checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; - return 0; case -1: - debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); - /* - * we need to validate the password - */ - checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED; - return 0; + fatal("Invalid response from match routine\n"); + break; } + /* NOTREACHED */ #if SQUID_SNMP case ACL_SNMP_COMMUNITY: @@ -1919,12 +2098,11 @@ checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_DONE; if (result != NULL) fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n"); - /* state info check */ - assert(checklist->conn != NULL); auth_user_request = checklist->auth_user_request; - if (!authenticateValidateUser(auth_user_request)) { + if (!authenticateValidateUser(auth_user_request) || checklist->conn == NULL) { /* credentials could not be checked either way * restart the whole process */ + /* OR the connection was closed, there's no way to continue */ checklist->conn->auth_user_request = NULL; checklist->conn->auth_type = AUTH_BROKEN; checklist->auth_user_request = NULL; @@ -2080,6 +2258,9 @@ case ACL_MAXCONN: intlistDestroy((intlist **) & a->data); break; + case ACL_MAX_USER_IP: + aclDestroyUserMaxIP(&a->data); + break; case ACL_URL_PORT: case ACL_MY_PORT: aclDestroyIntRange(a->data); @@ -2417,6 +2598,8 @@ case ACL_MAXCONN: case ACL_DST_ASN: return aclDumpIntlistList(a->data); + case ACL_MAX_USER_IP: + return aclDumpUserMaxIP(a->data); case ACL_URL_PORT: case ACL_MY_PORT: return aclDumpIntRangeList(a->data); Index: squid/src/authenticate.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/authenticate.c,v retrieving revision 1.1.1.3.12.17.2.42 retrieving revision 1.1.1.3.12.17.2.43 diff -u -r1.1.1.3.12.17.2.42 -r1.1.1.3.12.17.2.43 --- squid/src/authenticate.c 16 Jul 2001 21:44:17 -0000 1.1.1.3.12.17.2.42 +++ squid/src/authenticate.c 31 Jul 2001 10:29:23 -0000 1.1.1.3.12.17.2.43 @@ -1,6 +1,6 @@ /* - * $Id: authenticate.c,v 1.1.1.3.12.17.2.42 2001/07/16 21:44:17 rbcollins Exp $ + * $Id: authenticate.c,v 1.1.1.3.12.17.2.43 2001/07/31 10:29:23 rbcollins Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels @@ -40,6 +40,8 @@ #include "squid.h" +CBDATA_TYPE (auth_user_ip_t); + static void authenticateDecodeAuth(const char *proxy_auth, auth_user_request_t * auth_user_request); @@ -175,6 +177,7 @@ auth_user_t *temp_auth; temp_auth = memAllocate(MEM_AUTH_USER_T); assert(temp_auth != NULL); + memset (temp_auth, '\0', sizeof (auth_user_t)); temp_auth->auth_type = AUTH_UNKNOWN; temp_auth->references = 0; temp_auth->auth_module = authenticateAuthSchemeId(scheme) + 1; @@ -241,11 +244,113 @@ void authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr) { - if (auth_user_request->auth_user) - if (!auth_user_request->auth_user->ipaddr.s_addr) - auth_user_request->auth_user->ipaddr = ipaddr; + auth_user_ip_t *ipdata, *tempnode; + auth_user_t *auth_user; + CBDATA_INIT_TYPE (auth_user_ip_t); + if (!auth_user_request->auth_user) + return; + auth_user = auth_user_request->auth_user; + ipdata = (auth_user_ip_t *) auth_user->ip_list.head; + while (ipdata) { + tempnode = (auth_user_ip_t *) ipdata->node.next; + /* walk the ip list */ + if (ipdata->ipaddr.s_addr == ipaddr.s_addr) { + /* This ip has alreadu been seen. */ + /* update IP ttl */ + ipdata->ip_expiretime = squid_curtime; + return; + } + if (ipdata->ip_expiretime + Config.authenticateIpTTL < squid_curtime) { + /* This IP has expired - remove from the seen list */ + dlinkDelete (&ipdata->node, &auth_user->ip_list); + cbdataFree (ipdata); + /* catch incipient underflow */ + assert(auth_user->ipcount); + auth_user->ipcount--; + } + ipdata = tempnode; + } + + /* This ip is not in the seen list */ + ipdata = cbdataAlloc (auth_user_ip_t); + ipdata->ip_expiretime = squid_curtime; + ipdata->ipaddr = ipaddr; + dlinkAddTail(ipdata, &ipdata->node, &auth_user->ip_list); + auth_user->ipcount++; + +#if 0 +username = authenticateUserRequestUsername(auth_user_request); +char *ip1 = xstrdup(inet_ntoa(auth_user_request->auth_user->ipaddr)); +char *ip2 = xstrdup(inet_ntoa(request_src_addr)); +debug(29, 1) ("aclMatchProxyAuth: user '%s' has changed IP address (%s, %s)\n ", username, ip1, ip2); +safe_free(ip1); +safe_free(ip2); +#endif +} + +void +authenticateAuthUserRequestRemoveIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr) +{ + auth_user_ip_t *ipdata; + auth_user_t *auth_user; + if (!auth_user_request->auth_user) + return; + auth_user = auth_user_request->auth_user; + ipdata = (auth_user_ip_t *) auth_user->ip_list.head; + while (ipdata) { + /* walk the ip list */ + if (ipdata->ipaddr.s_addr == ipaddr.s_addr) { + /* remove the node */ + dlinkDelete (&ipdata->node, &auth_user->ip_list); + cbdataFree (ipdata); + /* catch incipient underflow */ + assert(auth_user->ipcount); + auth_user->ipcount--; + return; + } + ipdata = (auth_user_ip_t *) ipdata->node.next; + } + +} + +static void +authenticateAuthUserClearIp(auth_user_t * auth_user) +{ + auth_user_ip_t *ipdata, *tempnode; + if (!auth_user) + return; + ipdata = (auth_user_ip_t *) auth_user->ip_list.head; + while (ipdata) { + tempnode = (auth_user_ip_t *) ipdata->node.next; + /* walk the ip list */ + dlinkDelete (&ipdata->node, &auth_user->ip_list); + cbdataFree (ipdata); + /* catch incipient underflow */ + assert(auth_user->ipcount); + auth_user->ipcount--; + ipdata = tempnode; + } + /* integrity check */ + assert (auth_user->ipcount == 0); } + +void +authenticateAuthUserRequestClearIp(auth_user_request_t * auth_user_request) +{ + if (auth_user_request) + authenticateAuthUserClearIp(auth_user_request->auth_user); +} + +size_t +authenticateAuthUserRequestIPCount(auth_user_request_t * auth_user_request) +{ + assert (auth_user_request); + assert (auth_user_request->auth_user); + return auth_user_request->auth_user->ipcount; +} + + /* Get Auth User: Return a filled out auth_user structure for the given * Proxy Auth (or Auth) header. It may be a cached Auth User or a new * Unauthenticated structure. The structure is given an inital lock here. @@ -608,6 +713,8 @@ } /* free cached acl results */ aclCacheMatchFlush(&u->proxy_match_cache); + /* free seen ip address's */ + authenticateAuthUserClearIp(u); if (u->scheme_data && u->auth_module > 0) authscheme_list[u->auth_module - 1].FreeUser(u); /* prevent accidental reuse */ @@ -740,45 +847,3 @@ /* lock for presence in the cache */ authenticateAuthUserLock(auth_user); } - - - -/* - * check the user for ip changes timeouts - * 0 = failed check - * 1 = ip requirements are ok. - */ -/* TODO: - * ip_expire data should be in a struct of it's own - for code reuse */ -int -authenticateCheckAuthUserIP(struct in_addr request_src_addr, auth_user_request_t * auth_user_request) -{ - char *username = authenticateUserRequestUsername(auth_user_request); - if (request_src_addr.s_addr == auth_user_request->auth_user->ipaddr.s_addr || auth_user_request->auth_user->ip_expiretime + Config.authenticateIpTTL <= squid_curtime) { - /* user has not moved ip or had the ip timeout expire */ - if ((auth_user_request->auth_user->auth_type == AUTH_UNKNOWN) || - (auth_user_request->auth_user->auth_type == AUTH_BROKEN)) { - debug(29, 1) ("authenticateCheckProxyAuthIP: broken or unknown auth type %d.\n", auth_user_request->auth_user->auth_type); - return 0; - } - username = authenticateUserRequestUsername(auth_user_request); - /* Update IP ttl */ - auth_user_request->auth_user->ip_expiretime = squid_curtime; - auth_user_request->auth_user->ipaddr = request_src_addr; - return 1; - } else { - char *ip1 = xstrdup(inet_ntoa(auth_user_request->auth_user->ipaddr)); - char *ip2 = xstrdup(inet_ntoa(request_src_addr)); - if (Config.onoff.authenticateIpTTLStrict) { - debug(29, 1) ("aclMatchProxyAuth: user '%s' tried to use multiple IP addresses! (%s, %s)\n ", username, ip1, ip2); - } else { - /* Non-strict mode. Reassign ownership to the new IP */ - auth_user_request->auth_user->ipaddr.s_addr = request_src_addr.s_addr; - debug(29, 1) ("aclMatchProxyAuth: user '%s' has changed IP address (%s, %s)\n ", username, ip1, ip2); - } - safe_free(ip1); - safe_free(ip2); - /* and deny access */ - return 0; - } -} Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.1.1.3.4.1.2.18.2.28 retrieving revision 1.1.1.3.4.1.2.18.2.29 diff -u -r1.1.1.3.4.1.2.18.2.28 -r1.1.1.3.4.1.2.18.2.29 --- squid/src/cf.data.pre 29 Jul 2001 05:04:36 -0000 1.1.1.3.4.1.2.18.2.28 +++ squid/src/cf.data.pre 31 Jul 2001 10:29:23 -0000 1.1.1.3.4.1.2.18.2.29 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.28 2001/07/29 05:04:36 rbcollins Exp $ +# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.29 2001/07/31 10:29:23 rbcollins Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -1898,6 +1898,15 @@ # This will be matched when the client's IP address has # more than HTTP connections established. + acl aclname max_user_ip + # This will be matched when the user attempts to log in from more + # than different ip address's. The authenticate_ip_ttl + # parameter controls the timeout on the ip entries. + # NOTE: in acceleration mode, clients may appear to come from + # multiple address's if they are going through proxy farms, + # so a limit of 1 may cause user problems. + + acl aclname req_mime_type mime-type1 ... # regex match agains the mime type of the request generated # by the client. Can be used to detect file upload or some Index: squid/src/client_side.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/client_side.c,v retrieving revision 1.1.1.3.4.1.2.30.2.32 retrieving revision 1.1.1.3.4.1.2.30.2.33 diff -u -r1.1.1.3.4.1.2.30.2.32 -r1.1.1.3.4.1.2.30.2.33 --- squid/src/client_side.c 29 Jul 2001 05:04:36 -0000 1.1.1.3.4.1.2.30.2.32 +++ squid/src/client_side.c 31 Jul 2001 10:29:23 -0000 1.1.1.3.4.1.2.30.2.33 @@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.1.1.3.4.1.2.30.2.32 2001/07/29 05:04:36 rbcollins Exp $ + * $Id: client_side.c,v 1.1.1.3.4.1.2.30.2.33 2001/07/31 10:29:23 rbcollins Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -204,7 +204,7 @@ e = storeCreateEntry(h->uri, h->log_uri, flags, m); h->sc = storeClientListAdd(e, h); #if DELAY_POOLS - delaySetStoreClient(h->sc, delayClient(h->request)); + delaySetStoreClient(h->sc, delayClient(h)); #endif storeClientCopy(h->sc, e, 0, 0, CLIENT_SOCK_SZ, memAllocate(MEM_CLIENT_SOCK_BUF), clientSendMoreData, h); @@ -397,7 +397,7 @@ http->sc = storeClientListAdd(entry, http); #if DELAY_POOLS /* delay_id is already set on original store client */ - delaySetStoreClient(http->sc, delayClient(http->request)); + delaySetStoreClient(http->sc, delayClient(http)); #endif http->request->lastmod = http->old_entry->lastmod; debug(33, 5) ("clientProcessExpired: lastmod %d\n", (int) entry->lastmod); @@ -2317,7 +2317,7 @@ http->entry->mem_obj->method = r->method; http->sc = storeClientListAdd(http->entry, http); #if DELAY_POOLS - delaySetStoreClient(http->sc, delayClient(r)); + delaySetStoreClient(http->sc, delayClient(http)); #endif storeClientCopy(http->sc, http->entry, http->out.offset, Index: squid/src/enums.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/enums.h,v retrieving revision 1.1.1.3.12.15.2.17 retrieving revision 1.1.1.3.12.15.2.18 diff -u -r1.1.1.3.12.15.2.17 -r1.1.1.3.12.15.2.18 --- squid/src/enums.h 17 May 2001 09:17:37 -0000 1.1.1.3.12.15.2.17 +++ squid/src/enums.h 31 Jul 2001 10:29:23 -0000 1.1.1.3.12.15.2.18 @@ -1,6 +1,6 @@ /* - * $Id: enums.h,v 1.1.1.3.12.15.2.17 2001/05/17 09:17:37 rbcollins Exp $ + * $Id: enums.h,v 1.1.1.3.12.15.2.18 2001/07/31 10:29:23 rbcollins Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -129,6 +129,7 @@ ACL_MAXCONN, ACL_REQ_MIME_TYPE, ACL_REP_MIME_TYPE, + ACL_MAX_USER_IP, ACL_ENUM_MAX } squid_acl; @@ -506,6 +507,13 @@ } allow_t; typedef enum { + AUTH_ACL_CHALLENGE = -2, + AUTH_ACL_HELPER = -1, + AUTH_ACL_CANNOT_AUTHENTICATE = 0, + AUTH_AUTHENTICATED = 1, +} auth_acl_t; + +typedef enum { AUTH_UNKNOWN, /* default */ AUTH_BASIC, AUTH_NTLM, Index: squid/src/protos.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/protos.h,v retrieving revision 1.1.1.3.12.17.2.34 retrieving revision 1.1.1.3.12.17.2.35 diff -u -r1.1.1.3.12.17.2.34 -r1.1.1.3.12.17.2.35 --- squid/src/protos.h 29 Jul 2001 05:04:36 -0000 1.1.1.3.12.17.2.34 +++ squid/src/protos.h 31 Jul 2001 10:29:23 -0000 1.1.1.3.12.17.2.35 @@ -1,6 +1,6 @@ /* - * $Id: protos.h,v 1.1.1.3.12.17.2.34 2001/07/29 05:04:36 rbcollins Exp $ + * $Id: protos.h,v 1.1.1.3.12.17.2.35 2001/07/31 10:29:23 rbcollins Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -746,6 +746,9 @@ extern char *authenticateAuthUserRequestMessage(auth_user_request_t *); extern int authenticateAuthUserInuse(auth_user_t * auth_user); extern void authenticateAuthUserRequestSetIp(auth_user_request_t *, struct in_addr); +extern void authenticateAuthUserRequestRemoveIp(auth_user_request_t *, struct in_addr); +extern void authenticateAuthUserRequestClearIp(auth_user_request_t *); +extern size_t authenticateAuthUserRequestIPCount(auth_user_request_t *); extern int authenticateDirection(auth_user_request_t *); extern FREE authenticateFreeProxyAuthUser; extern void authenticateFreeProxyAuthUserACLResults(void *data); Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.1.1.3.4.1.2.26.2.39 retrieving revision 1.1.1.3.4.1.2.26.2.40 diff -u -r1.1.1.3.4.1.2.26.2.39 -r1.1.1.3.4.1.2.26.2.40 --- squid/src/structs.h 29 Jul 2001 05:04:37 -0000 1.1.1.3.4.1.2.26.2.39 +++ squid/src/structs.h 31 Jul 2001 10:29:23 -0000 1.1.1.3.4.1.2.26.2.40 @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.39 2001/07/29 05:04:37 rbcollins Exp $ + * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.40 2001/07/31 10:29:23 rbcollins Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -53,6 +53,12 @@ } flags; }; +struct _acl_user_ip_data { + size_t max; + struct { + unsigned int strict:1; + } flags; +}; struct _acl_ip_data { struct in_addr addr1; /* if addr2 non-zero then its a range */ @@ -87,6 +93,13 @@ dlink_node link; /* other hash entries that point to the same auth_user */ }; +struct _auth_user_ip_t { + dlink_node node; + /* IP addr this user authenticated from */ + struct in_addr ipaddr; + time_t ip_expiretime; +}; + struct _auth_user_t { /* extra fields for proxy_auth */ /* this determines what scheme owns the user data. */ @@ -98,13 +111,12 @@ /* we may have many proxy-authenticate strings that decode to the same user */ dlink_list proxy_auth_list; dlink_list proxy_match_cache; + dlink_list ip_list; + size_t ipcount; struct { unsigned int credentials_ok:2; /*0=unchecked,1=ok,2=failed */ } flags; long expiretime; - /* IP addr this user authenticated from */ - struct in_addr ipaddr; - time_t ip_expiretime; /* how many references are outstanding to this instance */ size_t references; /* the auth scheme has it's own private data area */ Index: squid/src/typedefs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/typedefs.h,v retrieving revision 1.1.1.3.12.13.2.31 retrieving revision 1.1.1.3.12.13.2.32 diff -u -r1.1.1.3.12.13.2.31 -r1.1.1.3.12.13.2.32 --- squid/src/typedefs.h 29 Jul 2001 05:04:37 -0000 1.1.1.3.12.13.2.31 +++ squid/src/typedefs.h 31 Jul 2001 10:29:23 -0000 1.1.1.3.12.13.2.32 @@ -1,6 +1,6 @@ /* - * $Id: typedefs.h,v 1.1.1.3.12.13.2.31 2001/07/29 05:04:37 rbcollins Exp $ + * $Id: typedefs.h,v 1.1.1.3.12.13.2.32 2001/07/31 10:29:23 rbcollins Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -64,10 +64,12 @@ typedef struct _auth_user_t auth_user_t; typedef struct _auth_user_request_t auth_user_request_t; typedef struct _auth_user_hash_pointer auth_user_hash_pointer; +typedef struct _auth_user_ip_t auth_user_ip_t; typedef struct _acl_proxy_auth_match_cache acl_proxy_auth_match_cache; typedef struct _authscheme_entry authscheme_entry_t; typedef struct _authScheme authScheme; typedef struct _acl_user_data acl_user_data; +typedef struct _acl_user_ip_data acl_user_ip_data; typedef struct _acl_arp_data acl_arp_data; typedef struct _acl acl; typedef struct _acl_snmp_comm acl_snmp_comm; Index: squid/src/auth/basic/auth_basic.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/basic/auth_basic.c,v retrieving revision 1.1.2.39 retrieving revision 1.1.2.40 diff -u -r1.1.2.39 -r1.1.2.40 --- squid/src/auth/basic/auth_basic.c 10 Apr 2001 11:52:13 -0000 1.1.2.39 +++ squid/src/auth/basic/auth_basic.c 31 Jul 2001 10:29:23 -0000 1.1.2.40 @@ -200,7 +200,6 @@ /* Decode now takes care of finding the auth_user struct in the cache */ /* after external auth occurs anyway */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; return; } @@ -392,17 +391,14 @@ authBasicAuthUserFindUsername(const char *username) { auth_user_hash_pointer *usernamehash; - auth_user_t *auth_user; debug(29, 9) ("authBasicAuthUserFindUsername: Looking for user '%s'\n", username); if (username && (usernamehash = hash_lookup(proxy_auth_username_cache, username))) { - while ((usernamehash->auth_user->auth_type != AUTH_BASIC) && - (usernamehash->next)) + while (usernamehash) { + if ((usernamehash->auth_user->auth_type == AUTH_BASIC) && + !strcmp (username, usernamehash->key)) + return usernamehash->auth_user; usernamehash = usernamehash->next; - auth_user = NULL; - if (usernamehash->auth_user->auth_type == AUTH_BASIC) { - auth_user = usernamehash->auth_user; } - return auth_user; } return NULL; } @@ -510,7 +506,6 @@ auth_user->auth_type = AUTH_BASIC; /* current time for timeouts */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; /* this auth_user struct is the 'lucky one' to get added to the username cache */ /* the requests after this link to the auth_user */ Index: squid/src/auth/digest/auth_digest.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/digest/auth_digest.c,v retrieving revision 1.1.20.4 retrieving revision 1.1.20.5 diff -u -r1.1.20.4 -r1.1.20.5 --- squid/src/auth/digest/auth_digest.c 9 Mar 2001 08:32:29 -0000 1.1.20.4 +++ squid/src/auth/digest/auth_digest.c 31 Jul 2001 10:29:24 -0000 1.1.20.5 @@ -686,7 +686,6 @@ /* auth_user is now linked, we reset these values * after external auth occurs anyway */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; return; } Index: squid/src/auth/ntlm/auth_ntlm.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v retrieving revision 1.1.2.41 retrieving revision 1.1.2.42 diff -u -r1.1.2.41 -r1.1.2.42 --- squid/src/auth/ntlm/auth_ntlm.c 20 May 2001 22:24:48 -0000 1.1.2.41 +++ squid/src/auth/ntlm/auth_ntlm.c 31 Jul 2001 10:29:24 -0000 1.1.2.42 @@ -449,7 +449,7 @@ result = S_HELPER_DEFER; debug(29, 9) ("authenticateNTLMHandleReply: helper '%d'\n", lastserver); assert(ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE); - ntlm_request->authhelper = lastserver; + ntlm_request->authserver = lastserver; ntlm_request->authchallenge = xstrndup(reply, NTLM_CHALLENGE_SZ + 5); } else if (strncasecmp(reply, "AF ", 3) == 0) { /* we're finished, release the helper */ @@ -466,7 +466,7 @@ /* we only expect OK when finishing the handshake */ assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE); ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); - ntlm_request->authhelper = NULL; + ntlm_request->authserver = NULL; auth_user->flags.credentials_ok = 1; /* login ok */ #ifdef NTLM_FAIL_OPEN } else if (strncasecmp(reply, "LD ", 3) == 0) { @@ -492,8 +492,8 @@ /* we only expect OK when finishing the handshake */ assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE); ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); - helperstate = helperStatefulServerGetData(ntlm_request->authhelper); - ntlm_request->authhelper = NULL; + helperstate = helperStatefulServerGetData(ntlm_request->authserver); + ntlm_request->authserver = NULL; auth_user->flags.credentials_ok = 1; /* login ok */ /* BH code: mark helper as broken */ /* Not a valid helper response to a YR request. Assert so the helper @@ -514,7 +514,7 @@ assert((ntlm_user != NULL) && (ntlm_request != NULL)); /* todo: action of Negotiate state on error */ result = S_HELPER_RELEASE; /*some error has occured. no more requests */ - ntlm_request->authhelper = NULL; + ntlm_request->authserver = NULL; auth_user->flags.credentials_ok = 2; /* Login/Usercode failed */ debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply); ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; @@ -536,8 +536,8 @@ assert((ntlm_user != NULL) && (ntlm_request != NULL)); result = S_HELPER_RELEASE; /*some error has occured. no more requests for * this helper */ - helperstate = helperStatefulServerGetData(ntlm_request->authhelper); - ntlm_request->authhelper = NULL; + helperstate = helperStatefulServerGetData(ntlm_request->authserver); + ntlm_request->authserver = NULL; if (ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE) { /* The helper broke on YR. It automatically * resets */ @@ -574,7 +574,7 @@ /* restart the authentication process */ ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; auth_user->flags.credentials_ok = 3; /* cannot process */ - ntlm_request->authhelper = NULL; + ntlm_request->authserver = NULL; } } else { fatal("authenticateNTLMHandleReply: called with no result string\n"); @@ -661,8 +661,8 @@ break; case AUTHENTICATE_STATE_RESPONSE: sent_string = xstrdup(ntlm_request->ntlmauthenticate); - assert(ntlm_request->authhelper); - debug(29, 9) ("authenticateNTLMStart: Asking NTLMauthenticator '%d'.\n", ntlm_request->authhelper); + assert(ntlm_request->authserver); + debug(29, 9) ("authenticateNTLMStart: Asking NTLMauthenticator '%d'.\n", ntlm_request->authserver); break; default: fatal("Invalid authenticate state for NTLMStart"); @@ -688,7 +688,7 @@ r->data = data; r->auth_user_request = auth_user_request; snprintf(buf, 8192, "%s\n", sent_string); - helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); + helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver); debug(29, 9) ("authenticateNTLMstart: finished\n"); #else /* this is ugly TODO: move the challenge generation routines to their own function and @@ -714,7 +714,7 @@ if (server == NULL) debug(29, 9) ("unable to get a deferred ntlm helper... all helpers are refreshing challenges. Queuing as a placeholder request.\n"); - ntlm_request->authhelper = server; + ntlm_request->authserver = server; /* tell the log what helper we have been given */ debug(29, 9) ("authenticateNTLMStart: helper '%d' assigned\n", server); /* valid challenge? */ @@ -725,10 +725,10 @@ r->data = data; r->auth_user_request = auth_user_request; if (server == NULL) { - helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, ntlm_request->authhelper); + helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, ntlm_request->authserver); } else { snprintf(buf, 8192, "YR\n"); - helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); + helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver); } } else { /* we have a valid challenge */ @@ -748,7 +748,7 @@ r->data = data; r->auth_user_request = auth_user_request; snprintf(buf, 8192, "KK %s\n", sent_string); - helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); + helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver); debug(29, 9) ("authenticateNTLMstart: finished\n"); break; default: @@ -795,15 +795,15 @@ /* clear the NTLM helper of being reserved for future requests */ void -authenticateNTLMReleasehelper(auth_user_request_t * auth_user_request) +authenticateNTLMReleaseServer(auth_user_request_t * auth_user_request) { ntlm_request_t *ntlm_request; assert(auth_user_request->auth_user->auth_type == AUTH_NTLM); assert(auth_user_request->scheme_data != NULL); ntlm_request = auth_user_request->scheme_data; - debug(29, 9) ("authenticateNTLMReleasehelper: releasing helper '%d'\n", ntlm_request->authhelper); - helperStatefulReleaseServer(ntlm_request->authhelper); - ntlm_request->authhelper = NULL; + debug(29, 9) ("authenticateNTLMReleaseServer: releasing server '%d'\n", ntlm_request->authserver); + helperStatefulReleaseServer(ntlm_request->authserver); + ntlm_request->authserver = NULL; } /* clear any connection related authentication details */ @@ -815,8 +815,8 @@ if (conn->auth_user_request != NULL) { assert(conn->auth_user_request->scheme_data != NULL); ntlm_request = conn->auth_user_request->scheme_data; - if (ntlm_request->authhelper != NULL) - authenticateNTLMReleasehelper(conn->auth_user_request); + if (ntlm_request->authserver != NULL) + authenticateNTLMReleaseServer(conn->auth_user_request); /* unlock the connection based lock */ debug(29, 9) ("authenticateNTLMOnCloseConnection: Unlocking auth_user from the connection.\n"); authenticateAuthUserRequestUnlock(conn->auth_user_request); @@ -957,7 +957,7 @@ } else { debug(29, 4) ("authenticateNTLMAuthenticateUser: ntlm proxy-auth cache hit\n"); /* throw away the temporary entry */ - authenticateNTLMReleasehelper(auth_user_request); + authenticateNTLMReleaseServer(auth_user_request); authenticateAuthUserMerge(auth_user, proxy_auth_hash->auth_user); auth_user = proxy_auth_hash->auth_user; auth_user_request->auth_user = auth_user; @@ -972,7 +972,6 @@ /* on ntlm auth we do not unlock the auth_user until the * connection is dropped. Thank MS for this quirk */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; } return; break; @@ -1015,7 +1014,6 @@ /* set these to now because this is either a new login from an * existing user or a new user */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; auth_user->flags.credentials_ok = 1; /*authenticated ok */ return; break; Index: squid/src/auth/ntlm/auth_ntlm.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.h,v retrieving revision 1.1.2.8 retrieving revision 1.1.2.9 diff -u -r1.1.2.8 -r1.1.2.9 --- squid/src/auth/ntlm/auth_ntlm.h 10 Jan 2001 23:02:40 -0000 1.1.2.8 +++ squid/src/auth/ntlm/auth_ntlm.h 31 Jul 2001 10:29:24 -0000 1.1.2.9 @@ -28,8 +28,8 @@ char *authchallenge; /* what authenticate string did we get? */ char *ntlmauthenticate; - /*we need to store the NTLM helper between requests */ - helper_stateful_server *authhelper; + /*we need to store the NTLM server between requests */ + helper_stateful_server *authserver; /* how far through the authentication process are we? */ auth_state_t auth_state; }; Index: squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP/Attic/ntlm_auth.c,v retrieving revision 1.1.2.22 retrieving revision 1.1.2.23 diff -u -r1.1.2.22 -r1.1.2.23 --- squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c 10 Apr 2001 11:52:13 -0000 1.1.2.22 +++ squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c 31 Jul 2001 10:29:24 -0000 1.1.2.23 @@ -213,7 +213,7 @@ obtain_challenge() { int j = 0; - const char *ch; + const char *ch = NULL; debug("obtain_challenge: getting new challenge\n"); for (j = 0; j < numcontrollers; j++) { if (current_dc->status == DC_OK) {