--------------------- PatchSet 4078 Date: 2002/04/27 12:55:18 Author: serassio Branch: nt-2_5 Tag: (none) Log: Reworked NTLM and Basic NT native Authenticators: now both are SSPI based and support NT Allowed/Disallowed Group membership check Members: configure.in:1.42.2.5.4.8->1.42.2.5.4.9 port/win32/squid.dsw:1.1.2.10->1.1.2.11 port/win32/include/libsspwin32.h:1.1->1.1.2.1 port/win32/nt_auth/nt_auth.dsp:1.1.2.2->1.1.2.3 port/win32/ntlm_win32_auth/ntlm_win32_auth.dsp:1.1.2.2->1.1.2.3 port/win32/src/libsspwin32.c:1.1->1.1.2.1 src/auth/basic/helpers/win32_locallogon/Makefile.am:1.1.22.1->1.1.22.2 src/auth/basic/helpers/win32_locallogon/NT_auth.c:1.1.38.2->1.1.38.3 src/auth/basic/helpers/win32_locallogon/README.txt:1.1.38.1->1.1.38.2 src/auth/basic/helpers/win32_locallogon/valid.c:1.1.38.2->1.1.38.3 src/auth/basic/helpers/win32_locallogon/valid.h:1.1.38.2->1.1.38.3 src/auth/ntlm/helpers/Makefile.am:1.4->1.4.10.1 src/auth/ntlm/helpers/NTLMSSP-WIN32/Makefile.am:1.1.2.1->1.1.2.2 src/auth/ntlm/helpers/NTLMSSP-WIN32/libsspwin32.c:1.1.2.2->1.1.2.3(DEAD) src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm.h:1.1.2.2->1.1.2.3 src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm_auth.c:1.1.2.2->1.1.2.3 src/auth/ntlm/helpers/NTLMSSP-WIN32/readme.txt:1.1.2.1->1.1.2.2 Index: squid/configure.in =================================================================== RCS file: /cvsroot/squid-sf//squid/configure.in,v retrieving revision 1.42.2.5.4.8 retrieving revision 1.42.2.5.4.9 diff -u -r1.42.2.5.4.8 -r1.42.2.5.4.9 --- squid/configure.in 22 Apr 2002 16:54:35 -0000 1.42.2.5.4.8 +++ squid/configure.in 27 Apr 2002 12:55:18 -0000 1.42.2.5.4.9 @@ -3,7 +3,7 @@ dnl dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9) dnl -dnl $Id: configure.in,v 1.42.2.5.4.8 2002/04/22 16:54:35 serassio Exp $ +dnl $Id: configure.in,v 1.42.2.5.4.9 2002/04/27 12:55:18 serassio Exp $ dnl dnl dnl 
@@ -11,7 +11,7 @@ AC_CONFIG_AUX_DIR(cfgaux) AM_INIT_AUTOMAKE(squid, 2.5.PRE6-CVS) AM_CONFIG_HEADER(include/autoconf.h) -AC_REVISION($Revision: 1.42.2.5.4.8 $)dnl +AC_REVISION($Revision: 1.42.2.5.4.9 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AM_MAINTAINER_MODE @@ -2173,6 +2173,7 @@ src/auth/ntlm/helpers/no_check/Makefile \ src/auth/ntlm/helpers/NTLMSSP/Makefile \ src/auth/ntlm/helpers/NTLMSSP/smbval/Makefile \ + src/auth/ntlm/helpers/NTLMSSP-WIN32/Makefile \ contrib/Makefile \ snmplib/Makefile \ icons/Makefile \ Index: squid/port/win32/squid.dsw =================================================================== RCS file: /cvsroot/squid-sf//squid/port/win32/Attic/squid.dsw,v retrieving revision 1.1.2.10 retrieving revision 1.1.2.11 diff -u -r1.1.2.10 -r1.1.2.11 --- squid/port/win32/squid.dsw 21 Apr 2002 20:37:34 -0000 1.1.2.10 +++ squid/port/win32/squid.dsw 27 Apr 2002 12:55:19 -0000 1.1.2.11 @@ -260,6 +260,9 @@ Package=<4> {{{ + Begin Project Dependency + Project_Dep_Name libmiscutil + End Project Dependency }}} ############################################################################### --- /dev/null Wed Feb 14 00:55:47 2007 +++ squid/port/win32/include/libsspwin32.h Wed Feb 14 00:58:20 2007 
@@ -0,0 +1,37 @@ +/* + * (C) 2002 Guido Serassio + * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran + * + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + */ + +#ifndef _LIBSSPWIN32_H_ +#define _LIBSSPWIN32_H_ +#define SECURITY_WIN32 +#define NTLM_PACKAGE_NAME "NTLM" + +#include +#include +#include + +#define WINNT_SECURITY_DLL "security.dll" +#define WIN9X_SECURITY_DLL "secur32.dll" + +#define SSP_BASIC 1 +#define SSP_NTLM 2 + +HMODULE LoadSecurityDll(int); +void UnloadSecurityDll(void); +BOOL WINAPI SSPLogonUser(PTSTR, PTSTR, PTSTR); + +#endif /* LIBSSPWIN32_H_ */ Index: squid/port/win32/nt_auth/nt_auth.dsp =================================================================== RCS file: /cvsroot/squid-sf//squid/port/win32/nt_auth/Attic/nt_auth.dsp,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -u -r1.1.2.2 -r1.1.2.3 --- squid/port/win32/nt_auth/nt_auth.dsp 27 Mar 2002 21:01:14 -0000 1.1.2.2 +++ squid/port/win32/nt_auth/nt_auth.dsp 27 Apr 2002 12:55:20 -0000 1.1.2.3 
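Review bot: The include guard `_LIBSSPWIN32_H_` starts with an underscore followed by an uppercase letter, a name reserved for the implementation, and the closing comment on `#endif` reads `LIBSSPWIN32_H_`, so the two no longer match; rename both to `LIBSSPWIN32_H`. `HMODULE LoadSecurityDll(int);` gives no hint what the argument means, while the definition in this patchset returns NULL for anything other than SSP_BASIC or SSP_NTLM, so declare it as `HMODULE LoadSecurityDll(int mode); /* mode is SSP_BASIC or SSP_NTLM; NULL on failure */`. The three `#include` directives appear here without a header name, presumably lost in extraction; whatever they name must come before the prototypes below, which use HMODULE, BOOL and PTSTR.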
@@ -87,6 +87,10 @@ # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" # Begin Source File +SOURCE=..\src\libsspwin32.c +# End Source File +# Begin Source File + SOURCE=..\..\..\src\auth\basic\helpers\win32_locallogon\NT_auth.c # End Source File # Begin Source File Index: squid/port/win32/ntlm_win32_auth/ntlm_win32_auth.dsp =================================================================== RCS file: /cvsroot/squid-sf//squid/port/win32/ntlm_win32_auth/Attic/ntlm_win32_auth.dsp,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -u -r1.1.2.2 -r1.1.2.3 --- squid/port/win32/ntlm_win32_auth/ntlm_win32_auth.dsp 26 Apr 2002 20:31:48 -0000 1.1.2.2 +++ squid/port/win32/ntlm_win32_auth/ntlm_win32_auth.dsp 27 Apr 2002 12:55:20 -0000 1.1.2.3 @@ -91,7 +91,7 @@ # End Source File # Begin Source File -SOURCE="..\..\..\src\auth\ntlm\helpers\NTLMSSP-WIN32\libsspwin32.c" +SOURCE=..\src\libsspwin32.c # End Source File # Begin Source File --- /dev/null Wed Feb 14 00:55:47 2007 +++ squid/port/win32/src/libsspwin32.c Wed Feb 14 00:58:20 2007 
@@ -0,0 +1,399 @@ +/* + * (C) 2002 Guido Serassio + * Based on previous work of Francesco Chemolli, Robert Collins + * + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + */ + +#include "squid.h" +#include "libsspwin32.h" +#include + +typedef struct _AUTH_SEQ { + BOOL fInitialized; + BOOL fHaveCredHandle; + BOOL fHaveCtxtHandle; + CredHandle hcred; + struct _SecHandle hctxt; +} AUTH_SEQ, *PAUTH_SEQ; + +static HMODULE hModule; +static int NTLM_mode = SSP_BASIC; +SECURITY_STATUS ss = SEC_E_OK; + +/* Function pointers */ +ACCEPT_SECURITY_CONTEXT_FN _AcceptSecurityContext = NULL; +ACQUIRE_CREDENTIALS_HANDLE_FN _AcquireCredentialsHandle = NULL; +COMPLETE_AUTH_TOKEN_FN _CompleteAuthToken = NULL; +DELETE_SECURITY_CONTEXT_FN _DeleteSecurityContext = NULL; +FREE_CONTEXT_BUFFER_FN _FreeContextBuffer = NULL; +FREE_CREDENTIALS_HANDLE_FN _FreeCredentialsHandle = NULL; +INITIALIZE_SECURITY_CONTEXT_FN _InitializeSecurityContext = NULL; +QUERY_SECURITY_PACKAGE_INFO_FN _QuerySecurityPackageInfo = NULL; + + +void UnloadSecurityDll(void) +{ + if (hModule) + FreeLibrary(hModule); + _AcceptSecurityContext = NULL; + _AcquireCredentialsHandle = NULL; + _CompleteAuthToken = NULL; + _DeleteSecurityContext = NULL; + _FreeContextBuffer = NULL; + _FreeCredentialsHandle = NULL; + _InitializeSecurityContext = NULL; + _QuerySecurityPackageInfo = NULL; + hModule = NULL; +} + + +HMODULE LoadSecurityDll(int mode) +{ + BOOL fAllFunctionsLoaded = FALSE; + TCHAR 
lpszDLL[MAX_PATH]; + OSVERSIONINFO VerInfo; +/* + * Find out which security DLL to use, depending on + * whether we are on NT or Win95 or 2000 or XP or .NET Server + * We have to use security.dll on Windows NT 4.0. + * All other operating systems, we have to use Secur32.dll + */ + hModule = NULL; + if ((mode != SSP_BASIC) && (mode != SSP_NTLM)) + return hModule; + NTLM_mode = mode; + VerInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); + if (!GetVersionEx (&VerInfo)) { /* If this fails, something has gone wrong */ + return hModule; + } + if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT && + VerInfo.dwMajorVersion == 4 && + VerInfo.dwMinorVersion == 0) + { + lstrcpy (lpszDLL, _T(WINNT_SECURITY_DLL)); + } else { + lstrcpy (lpszDLL, _T(WIN9X_SECURITY_DLL)); + } + hModule = LoadLibrary(lpszDLL); + if (!hModule) + return hModule; + __try { + _AcceptSecurityContext = (ACCEPT_SECURITY_CONTEXT_FN) + GetProcAddress(hModule, "AcceptSecurityContext"); + if (!_AcceptSecurityContext) + __leave; +#ifdef UNICODE + _AcquireCredentialsHandle = (ACQUIRE_CREDENTIALS_HANDLE_FN) + GetProcAddress(hModule, "AcquireCredentialsHandleW"); +#else + _AcquireCredentialsHandle = (ACQUIRE_CREDENTIALS_HANDLE_FN) + GetProcAddress(hModule, "AcquireCredentialsHandleA"); +#endif + if (!_AcquireCredentialsHandle) + __leave; +/* CompleteAuthToken is not present on Windows 9x Secur32.dll + * Do not check for the availablity of the function if it is NULL + */ + _CompleteAuthToken = (COMPLETE_AUTH_TOKEN_FN) + GetProcAddress(hModule, "CompleteAuthToken"); + _DeleteSecurityContext = (DELETE_SECURITY_CONTEXT_FN) + GetProcAddress(hModule, "DeleteSecurityContext"); + if (!_DeleteSecurityContext) + __leave; + _FreeContextBuffer = (FREE_CONTEXT_BUFFER_FN) + GetProcAddress(hModule, "FreeContextBuffer"); + if (!_FreeContextBuffer) + __leave; + _FreeCredentialsHandle = (FREE_CREDENTIALS_HANDLE_FN) + GetProcAddress(hModule, "FreeCredentialsHandle"); + if (!_FreeCredentialsHandle) + __leave; +#ifdef UNICODE + 
_InitializeSecurityContext = (INITIALIZE_SECURITY_CONTEXT_FN) + GetProcAddress(hModule, "InitializeSecurityContextW"); +#else + _InitializeSecurityContext = (INITIALIZE_SECURITY_CONTEXT_FN) + GetProcAddress(hModule, "InitializeSecurityContextA"); +#endif + if (!_InitializeSecurityContext) + __leave; +#ifdef UNICODE + _QuerySecurityPackageInfo = (QUERY_SECURITY_PACKAGE_INFO_FN) + GetProcAddress(hModule, "QuerySecurityPackageInfoW"); +#else + _QuerySecurityPackageInfo = (QUERY_SECURITY_PACKAGE_INFO_FN) + GetProcAddress(hModule, "QuerySecurityPackageInfoA"); +#endif + if (!_QuerySecurityPackageInfo) + __leave; + fAllFunctionsLoaded = TRUE; + } __finally { + if (!fAllFunctionsLoaded) { + UnloadSecurityDll(); + hModule = NULL; + } + } + return hModule; +} + + +BOOL GenClientContext(PAUTH_SEQ pAS, PSEC_WINNT_AUTH_IDENTITY pAuthIdentity, + PVOID pIn, DWORD cbIn, PVOID pOut, PDWORD pcbOut, PBOOL pfDone) +{ +/* + * Routine Description: + * + * Optionally takes an input buffer coming from the server and returns + * a buffer of information to send back to the server. Also returns + * an indication of whether or not the context is complete. + * + * Return Value: + * Returns TRUE if successful; otherwise FALSE. + */ + TimeStamp tsExpiry; + SecBufferDesc sbdOut; + SecBuffer sbOut; + SecBufferDesc sbdIn; + SecBuffer sbIn; + ULONG fContextAttr; + + if (!pAS->fInitialized) { + ss = _AcquireCredentialsHandle(NULL, _T(NTLM_PACKAGE_NAME), + SECPKG_CRED_OUTBOUND, NULL, (NTLM_mode == SSP_NTLM) ? 
NULL : pAuthIdentity, NULL, NULL, + &pAS->hcred, &tsExpiry); + if (ss < 0) { + fprintf(stderr, "AcquireCredentialsHandle failed with %08X\n", ss); + return FALSE; + } + pAS->fHaveCredHandle = TRUE; + } + + /* Prepare output buffer */ + sbdOut.ulVersion = 0; + sbdOut.cBuffers = 1; + sbdOut.pBuffers = &sbOut; + sbOut.cbBuffer = *pcbOut; + sbOut.BufferType = SECBUFFER_TOKEN; + sbOut.pvBuffer = pOut; + + /* Prepare input buffer */ + if (pAS->fInitialized) { + sbdIn.ulVersion = 0; + sbdIn.cBuffers = 1; + sbdIn.pBuffers = &sbIn; + sbIn.cbBuffer = cbIn; + sbIn.BufferType = SECBUFFER_TOKEN; + sbIn.pvBuffer = pIn; + } + ss = _InitializeSecurityContext(&pAS->hcred, + pAS->fInitialized ? &pAS->hctxt : NULL, NULL, 0, 0, + SECURITY_NATIVE_DREP, pAS->fInitialized ? &sbdIn : NULL, + 0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry); + if (ss < 0) { + // + fprintf(stderr, "InitializeSecurityContext failed with %08X\n", ss); + return FALSE; + } + pAS->fHaveCtxtHandle = TRUE; + + /* If necessary, complete token */ + if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) { + if (_CompleteAuthToken) { + ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut); + if (ss < 0) { + fprintf(stderr, "CompleteAuthToken failed with %08X\n", ss); + return FALSE; + } + } else { + fprintf (stderr, "CompleteAuthToken not supported.\n"); + return FALSE; + } + } + *pcbOut = sbOut.cbBuffer; + if (!pAS->fInitialized) + pAS->fInitialized = TRUE; + *pfDone = !(ss == SEC_I_CONTINUE_NEEDED + || ss == SEC_I_COMPLETE_AND_CONTINUE ); + return TRUE; +} + + +BOOL GenServerContext(PAUTH_SEQ pAS, PVOID pIn, DWORD cbIn, PVOID pOut, + PDWORD pcbOut, PBOOL pfDone) +{ +/* + * Routine Description: + * + * Takes an input buffer coming from the client and returns a buffer + * to be sent to the client. Also returns an indication of whether or + * not the context is complete. + * + * Return Value: + * + * Returns TRUE if successful; otherwise FALSE. 
+ */ + + TimeStamp tsExpiry; + SecBufferDesc sbdOut; + SecBuffer sbOut; + SecBufferDesc sbdIn; + SecBuffer sbIn; + ULONG fContextAttr; + + if (!pAS->fInitialized) { + ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), + SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &pAS->hcred, + &tsExpiry); + if (ss < 0) { + fprintf(stderr, "AcquireCredentialsHandle failed with %08X\n", ss); + return FALSE; + } + pAS->fHaveCredHandle = TRUE; + } + + /* Prepare output buffer */ + sbdOut.ulVersion = 0; + sbdOut.cBuffers = 1; + sbdOut.pBuffers = &sbOut; + sbOut.cbBuffer = *pcbOut; + sbOut.BufferType = SECBUFFER_TOKEN; + sbOut.pvBuffer = pOut; + + /* Prepare input buffer */ + sbdIn.ulVersion = 0; + sbdIn.cBuffers = 1; + sbdIn.pBuffers = &sbIn; + sbIn.cbBuffer = cbIn; + sbIn.BufferType = SECBUFFER_TOKEN; + sbIn.pvBuffer = pIn; + ss = _AcceptSecurityContext(&pAS->hcred, + pAS->fInitialized ? &pAS->hctxt : NULL, &sbdIn, (NTLM_mode == SSP_NTLM) ? ASC_REQ_DELEGATE : 0, + SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, &fContextAttr, + &tsExpiry); + if (ss < 0) { + fprintf(stderr, "AcceptSecurityContext failed with %08X\n", ss); + return FALSE; + } + pAS->fHaveCtxtHandle = TRUE; + + /* If necessary, complete token */ + if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) { + if (_CompleteAuthToken) { + ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut); + if (ss < 0) { + fprintf(stderr, "CompleteAuthToken failed with %08X\n", ss); + return FALSE; + } + } else { + fprintf (stderr, "CompleteAuthToken not supported.\n"); + return FALSE; + } + } + *pcbOut = sbOut.cbBuffer; + if (!pAS->fInitialized) + pAS->fInitialized = TRUE; + *pfDone = !(ss = SEC_I_CONTINUE_NEEDED + || ss == SEC_I_COMPLETE_AND_CONTINUE); + return TRUE; +} + + +BOOL WINAPI SSPLogonUser(PTSTR szUser, PTSTR szPassword, PTSTR szDomain) +{ + AUTH_SEQ asServer = {0}; + AUTH_SEQ asClient = {0}; + BOOL fDone = FALSE; + BOOL fResult = FALSE; + DWORD cbOut = 0; + DWORD cbIn = 0; + DWORD cbMaxToken = 0; + PVOID pClientBuf = NULL; + 
PVOID pServerBuf = NULL; + PSecPkgInfo pSPI = NULL; + + SEC_WINNT_AUTH_IDENTITY ai; + + __try { + if (!hModule) + __leave; + /* Get max token size */ + _QuerySecurityPackageInfo(_T("NTLM"), &pSPI); + cbMaxToken = pSPI->cbMaxToken; + _FreeContextBuffer(pSPI); + + /* Allocate buffers for client and server messages */ + pClientBuf = xcalloc(cbMaxToken, sizeof(char)); + pServerBuf = xcalloc(cbMaxToken, sizeof(char)); + + /* Initialize auth identity structure */ + ZeroMemory(&ai, sizeof(ai)); + ai.Domain = szDomain; + ai.DomainLength = lstrlen(szDomain); + ai.User = szUser; + ai.UserLength = lstrlen(szUser); + ai.Password = szPassword; + ai.PasswordLength = lstrlen(szPassword); +#if defined(UNICODE) || defined(_UNICODE) + ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; +#else + ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI; +#endif + + /* Prepare client message (negotiate) */ + cbOut = cbMaxToken; + if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf, &cbOut, &fDone)) + __leave; + + /* Prepare server message (challenge) */ + cbIn = cbOut; + cbOut = cbMaxToken; + if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, + &fDone)) + __leave; +/* Most likely failure: AcceptServerContext fails with SEC_E_LOGON_DENIED + * in the case of bad szUser or szPassword. + * Unexpected Result: Logon will succeed if you pass in a bad szUser and + * the guest account is enabled in the specified domain. 
+ */ + + /* Prepare client message (authenticate) */ + cbIn = cbOut; + cbOut = cbMaxToken; + if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf, &cbOut, + &fDone)) + __leave; + + /* Prepare server message (authentication) */ + cbIn = cbOut; + cbOut = cbMaxToken; + if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, + &fDone)) + __leave; + fResult = TRUE; + } __finally { + + /* Clean up resources */ + if (asClient.fHaveCtxtHandle) + _DeleteSecurityContext(&asClient.hctxt); + if (asClient.fHaveCredHandle) + _FreeCredentialsHandle(&asClient.hcred); + if (asServer.fHaveCtxtHandle) + _DeleteSecurityContext(&asServer.hctxt); + if (asServer.fHaveCredHandle) + _FreeCredentialsHandle(&asServer.hcred); + xfree(pClientBuf); + xfree(pServerBuf); + } + return fResult; +} Index: squid/src/auth/basic/helpers/win32_locallogon/Makefile.am =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/basic/helpers/win32_locallogon/Attic/Makefile.am,v retrieving revision 1.1.22.1 retrieving revision 1.1.22.2 diff -u -r1.1.22.1 -r1.1.22.2 --- squid/src/auth/basic/helpers/win32_locallogon/Makefile.am 18 Mar 2002 22:39:44 -0000 1.1.22.1 +++ squid/src/auth/basic/helpers/win32_locallogon/Makefile.am 27 Apr 2002 12:55:22 -0000 1.1.22.2 @@ -9,7 +9,7 @@ libexec_PROGRAMS = nt_auth -nt_auth_SOURCES = NT_auth.c valid.c +nt_auth_SOURCES = NT_auth.c valid.c ../../../../../port/win32/src/libsspwin32.c LDADD = -lnetapi32 Index: squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/basic/helpers/win32_locallogon/Attic/NT_auth.c,v retrieving revision 1.1.38.2 retrieving revision 1.1.38.3 diff -u -r1.1.38.2 -r1.1.38.3 --- squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c 11 Apr 2002 20:15:56 -0000 1.1.38.2 +++ squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c 27 Apr 2002 12:55:22 -0000 1.1.38.3 
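Review bot: The status test at the end of GenServerContext is an assignment rather than a comparison: `*pfDone = !(ss = SEC_I_CONTINUE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE);` — `||` binds tighter than `=`, so ss is overwritten with 1 and *pfDone is always FALSE, whereas GenClientContext has the intended `*pfDone = !(ss == SEC_I_CONTINUE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE);`. SSPLogonUser ignores the result of `_QuerySecurityPackageInfo(_T("NTLM"), &pSPI)` and reads `pSPI->cbMaxToken` unconditionally, so a failed query dereferences the NULL-initialised pSPI; guard it with `if (_QuerySecurityPackageInfo(_T("NTLM"), &pSPI) != SEC_E_OK) __leave;`. The hunk's own comment records that the logon succeeds for a bad szUser when the guest account is enabled; that caveat belongs in a header comment on SSPLogonUser as well, because its callers treat TRUE as proof of identity and the optional -a allowed-group check is the only thing that narrows it.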
@@ -1,13 +1,11 @@ /* - NT_auth - Version 1.11 + NT_auth - Version 2.0 Modified to act as a Squid authenticator module. - Can run as dll on NT native port. Removed all Pike stuff. Returns OK for a successful authentication, or ERR upon error. Guido Serassio, Torino - Italy - Sun Jun 17 14:34:26 CST 2001 Uses code from - Antonino Iannella 2000 @@ -15,21 +13,17 @@ Richard Sharpe 1996 Bill Welliver 1999 - Released under GNU Public License - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. */ #include "squid.h" 
@@ -39,13 +33,65 @@ #include "valid.h" +static char NTGroup[256]; +char * NTAllowedGroup; +char * NTDisAllowedGroup; +int UseDisallowedGroup = 0; +int UseAllowedGroup = 0; + +/* + * options: + * -a can specify a Windows Local Group name allowed to authenticate. + * -d can specify a Windows Local Group name not allowed to authenticate. + * -D can specify the default Domain against to authenticate. + */ +char *my_program_name = NULL; + +void +usage() +{ + fprintf(stderr, + "%s usage:\n%s [-a UserGroup] [-d UserGroup] [-D DefaultDomain] \n" + "-a can specify a Windows Local Group name allowed to authenticate.\n" + "-d can specify a Windows Local Group name not allowed to authenticate.\n", + "-D can specify the default Domain against to authenticate.\n\n", + my_program_name, my_program_name); +} + +void +process_options(int argc, char *argv[]) +{ + int opt, had_error = 0; + while (-1 != (opt = getopt(argc, argv, "a:d:D:"))) { + switch (opt) { + case 'a': + safe_free(NTAllowedGroup); + NTAllowedGroup=xstrdup(optarg); + UseAllowedGroup = 1; + break; + case 'd': + safe_free(NTDisAllowedGroup); + NTDisAllowedGroup=xstrdup(optarg); + UseDisallowedGroup = 1; + break; + case 'D': + strcpy(Default_NTDomain, optarg); + break; + default: + fprintf(stderr, "unknown option: -%c. Exiting\n", opt); + had_error = 1; + } + } + if (had_error) { + usage(); + exit(1); + } +} + /* Main program for simple authentication. Scans and checks for Squid input, and attempts to validate the user. */ -static char NTGroup[256]; -extern char Default_NTDomain[256]; - int main(int argc, char **argv) 
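Review bot: The format string in usage() is cut short by a stray comma after the `-d` help line: `"-d can specify a Windows Local Group name not allowed to authenticate.\n",` terminates the format, so the `-D` literal is consumed as the first `%s`, the first my_program_name as the second, and the `-D` help text is never printed; drop that comma so the four literals concatenate. `case 'D'` copies optarg into the 256-byte Default_NTDomain with strcpy; the value comes from the helper's command line, but a bounded copy, `snprintf(Default_NTDomain, sizeof Default_NTDomain, "%s", optarg);`, removes the overflow on an over-long argument. Declare `usage(void)` rather than `usage()` so the compiler checks its calls.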
@@ -55,13 +101,19 @@ char password[256]; char *p; - if ((argc < 2) || (argc > 3)) { - fprintf(stderr, "Usage: NT_auth []\n"); + my_program_name = argv[0]; + process_options(argc, argv); + + if (LoadSecurityDll(SSP_BASIC) == NULL) { + fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); exit(1); } - strcpy(NTGroup, argv[1]); - if (argc == 3) - strcpy(Default_NTDomain, argv[2]); + atexit(UnloadSecurityDll); + + /* initialize FDescs */ + setbuf(stdout, NULL); + setbuf(stderr, NULL); + while (1) { /* Read whole line from standard input. Terminate on break. */ if (fgets(wstr, 255, stdin) == NULL) Index: squid/src/auth/basic/helpers/win32_locallogon/README.txt =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/basic/helpers/win32_locallogon/Attic/README.txt,v retrieving revision 1.1.38.1 retrieving revision 1.1.38.2 diff -u -r1.1.38.1 -r1.1.38.2 --- squid/src/auth/basic/helpers/win32_locallogon/README.txt 18 Mar 2002 22:39:44 -0000 1.1.38.1 +++ squid/src/auth/basic/helpers/win32_locallogon/README.txt 27 Apr 2002 12:55:22 -0000 1.1.38.2 
@@ -7,6 +7,12 @@ It's possible to authenticate against NT trusted domains specifyng the username in the domain\username Microsoft notation. +nt_auth [-a UserGroup] [-d UserGroup] [-D DefaultDomain] + +-a can specify a Windows Local Group name allowed to authenticate. +-d can specify a Windows Local Group name not allowed to authenticate. +-D can specify the default Domain against to authenticate. + This is released under the GNU General Public License and is available from http://www.serassio.it. Index: squid/src/auth/basic/helpers/win32_locallogon/valid.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/basic/helpers/win32_locallogon/Attic/valid.c,v retrieving revision 1.1.38.2 retrieving revision 1.1.38.3 diff -u -r1.1.38.2 -r1.1.38.3 --- squid/src/auth/basic/helpers/win32_locallogon/valid.c 11 Apr 2002 20:15:57 -0000 1.1.38.2 +++ squid/src/auth/basic/helpers/win32_locallogon/valid.c 27 Apr 2002 12:55:22 -0000 1.1.38.3 
@@ -1,3 +1,31 @@ +/* + NT_auth - Version 2.0 + + Modified to act as a Squid authenticator module. + Removed all Pike stuff. + Returns OK for a successful authentication, or ERR upon error. + + Guido Serassio, Torino - Italy + + Uses code from - + Antonino Iannella 2000 + Andrew Tridgell 1997 + Richard Sharpe 1996 + Bill Welliver 1999 + + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. +*/ + #include "squid.h" /* Check if we try to compile on a Windows Platform */ @@ -13,22 +41,11 @@ char Default_NTDomain[256] = NTV_DEFAULT_DOMAIN; -/* Valid_User return codes - - 0 - User authenticated successfully. - 1 - Server error. - 2 - Protocol error. - 3 - Logon error; Incorrect password or username given. -*/ - +/* returns 1 on success, 0 on failure */ int -Valid_User(char *UserName, char *Password, char *Group) +Valid_Group(char *UserName, char *Group) { - HANDLE hToken = INVALID_HANDLE_VALUE; - int result = NTV_LOGON_ERROR; - int error; - char NTDomain[256]; - char *domain_qualify; - char DomainUser[256]; + int result = FALSE; WCHAR wszUserName[256]; // Unicode user name WCHAR wszGroup[256]; // Unicode Group 
@@ -50,24 +67,9 @@ sizeof(wszUserName) / sizeof(wszUserName[0])); MultiByteToWideChar(CP_ACP, 0, Group, strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); - strcpy(NTDomain, UserName); - if ((domain_qualify = strchr(NTDomain, '\\')) == NULL) { - strcpy(DomainUser, NTDomain); - strcpy(NTDomain, Default_NTDomain); - } else { - strcpy(DomainUser, domain_qualify + 1); - domain_qualify[0] = '\0'; - } - /* Log the client on to the local computer. */ - if (!LogonUser(DomainUser, - NTDomain, - Password, - LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)) { - result = NTV_LOGON_ERROR; - error = GetLastError(); - } else { - /* - * Call the NetUserGetLocalGroups function + + /* + * Call the NetUserGetLocalGroups function * specifying information level 0. * * The LG_INCLUDE_INDIRECT flag specifies that the 
@@ -82,32 +84,71 @@ /* * If the call succeeds, */ - if (nStatus == NERR_Success) { - if ((pTmpBuf = pBuf) != NULL) { - for (i = 0; i < dwEntriesRead; i++) { - assert(pTmpBuf != NULL); - if (pTmpBuf == NULL) { - result = NTV_SERVER_ERROR; - break; - } - if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { - result = NTV_NO_ERROR; - break; - } - pTmpBuf++; - dwTotalCount++; + if (nStatus == NERR_Success) { + if ((pTmpBuf = pBuf) != NULL) { + for (i = 0; i < dwEntriesRead; i++) { + assert(pTmpBuf != NULL); + if (pTmpBuf == NULL) { + result = FALSE; + break; } + if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { + result = TRUE; + break; + } + pTmpBuf++; + dwTotalCount++; } - } else - result = NTV_SERVER_ERROR; - /* - * Free the allocated memory. - */ - if (pBuf != NULL) - NetApiBufferFree(pBuf); + } + } else + result = FALSE; +/* + * Free the allocated memory. + */ + if (pBuf != NULL) + NetApiBufferFree(pBuf); + return result; +} + +/* Valid_User return codes - + 0 - User authenticated successfully. + 1 - Server error. + 2 - Protocol error. + 3 - Logon error; Incorrect password or username given. +*/ + +int +Valid_User(char *UserName, char *Password, char *Group) +{ + int result = NTV_LOGON_ERROR; + char NTDomain[256]; + char *domain_qualify; + char DomainUser[256]; + + strcpy(NTDomain, UserName); + if ((domain_qualify = strchr(NTDomain, '\\')) == NULL) { + strcpy(DomainUser, NTDomain); + strcpy(NTDomain, Default_NTDomain); + } else { + strcpy(DomainUser, domain_qualify + 1); + domain_qualify[0] = '\0'; + } + /* Log the client on to the local computer. 
*/ + if (!SSPLogonUser(DomainUser, Password, NTDomain)) { + result = NTV_LOGON_ERROR; + } else { + result = NTV_NO_ERROR; + if (UseAllowedGroup) { + if (!Valid_Group(UserName, NTAllowedGroup)) { + result = NTV_LOGON_ERROR; + } + } + if (UseDisallowedGroup) { + if (Valid_Group(UserName, NTDisAllowedGroup)) { + result = NTV_LOGON_ERROR; + } + } } - if (hToken != INVALID_HANDLE_VALUE) - CloseHandle(hToken); return result; } #else /* NON Windows Platform !!! */ Index: squid/src/auth/basic/helpers/win32_locallogon/valid.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/basic/helpers/win32_locallogon/Attic/valid.h,v retrieving revision 1.1.38.2 retrieving revision 1.1.38.3 diff -u -r1.1.38.2 -r1.1.38.3 --- squid/src/auth/basic/helpers/win32_locallogon/valid.h 11 Apr 2002 20:15:57 -0000 1.1.38.2 +++ squid/src/auth/basic/helpers/win32_locallogon/valid.h 27 Apr 2002 12:55:22 -0000 1.1.38.3 
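Review bot: Valid_Group returns FALSE both for "not a member" and for a failed NetUserGetLocalGroups call (`} else result = FALSE;`), and Valid_User then reads FALSE from the disallowed-group check as permission to proceed, so a lookup failure on the -d path lets a user who is in the disallowed group through with NTV_NO_ERROR; the -a path fails closed only by accident. Return a distinct value from Valid_Group when nStatus != NERR_Success and map it to NTV_SERVER_ERROR in Valid_User, as sketched below. Valid_User also copies UserName into the fixed NTDomain and DomainUser buffers with strcpy; the only caller bounds the line with fgets, but the function is exported through valid.h without a length contract, so a bounded copy is the safer form. Valid_Group's body begins outside this hunk.
```c
    } else
        result = -1;    /* lookup failed: not the same as "not a member" */
    /* … unchanged: NetApiBufferFree(pBuf); return result; … */

/* … unchanged: Valid_User prologue, domain split and SSPLogonUser call … */
    } else {
        int grp;
        result = NTV_NO_ERROR;
        if (UseAllowedGroup) {
            grp = Valid_Group(UserName, NTAllowedGroup);
            if (grp != TRUE)
                result = (grp < 0) ? NTV_SERVER_ERROR : NTV_LOGON_ERROR;
        }
        if (UseDisallowedGroup) {
            grp = Valid_Group(UserName, NTDisAllowedGroup);
            if (grp != FALSE)   /* member, or lookup failed: never fail open */
                result = (grp < 0) ? NTV_SERVER_ERROR : NTV_LOGON_ERROR;
        }
    }
```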
@@ -1,5 +1,36 @@ +/* + NT_auth - Version 2.0 + + Modified to act as a Squid authenticator module. + Removed all Pike stuff. + Returns OK for a successful authentication, or ERR upon error. + + Guido Serassio, Torino - Italy + + Uses code from - + Antonino Iannella 2000 + Andrew Tridgell 1997 + Richard Sharpe 1996 + Bill Welliver 1999 + + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. +*/ + #ifndef _VALID_H_ #define _VALID_H_ + +#include "libsspwin32.h" + /* SMB User verification function */ #define NTV_NO_ERROR 0 @@ -13,6 +44,12 @@ #define NTV_DEFAULT_DOMAIN "." +extern char * NTAllowedGroup; +extern char * NTDisAllowedGroup; +extern int UseDisallowedGroup; +extern int UseAllowedGroup; +extern char Default_NTDomain[256]; + int Valid_User(char *,char *, char *); #endif Index: squid/src/auth/ntlm/helpers/Makefile.am =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/Attic/Makefile.am,v retrieving revision 1.4 retrieving revision 1.4.10.1 diff -u -r1.4 -r1.4.10.1 --- squid/src/auth/ntlm/helpers/Makefile.am 30 Nov 2001 12:28:25 -0000 1.4 +++ squid/src/auth/ntlm/helpers/Makefile.am 27 Apr 2002 12:55:22 -0000 1.4.10.1 
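Review bot: Valid_Group, which this patchset defines with external linkage in valid.c and which Valid_User now calls, has no prototype in this header; either add `int Valid_Group(char *, char *);` beside Valid_User or make the definition `static`, since only valid.c uses it. A one-line comment above the new `extern` block saying that the group names and Use* flags are defined in NT_auth.c and Default_NTDomain in valid.c would save the next reader a search.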
@@ -3,5 +3,5 @@ # $Id$ # -DIST_SUBDIRS = fakeauth no_check NTLMSSP +DIST_SUBDIRS = fakeauth no_check NTLMSSP NTLMSSP-WIN32 SUBDIRS = @NTLM_AUTH_HELPERS@ Index: squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/Makefile.am =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/Attic/Makefile.am,v retrieving revision 1.1.2.1 retrieving revision 1.1.2.2 diff -u -r1.1.2.1 -r1.1.2.2 --- squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/Makefile.am 21 Apr 2002 20:35:06 -0000 1.1.2.1 +++ squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/Makefile.am 27 Apr 2002 12:55:22 -0000 1.1.2.2 @@ -1,14 +1,14 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.1.2.1 2002/04/21 20:35:06 serassio Exp $ +# $Id: Makefile.am,v 1.1.2.2 2002/04/27 12:55:22 serassio Exp $ # SUBDIRS = smbval libexec_PROGRAMS = ntlm_auth -ntlm_auth_SOURCES = libntlmssp.c ntlm_auth.c ntlm.h +ntlm_auth_SOURCES = libntlmssp.c ntlm_auth.c ../../../../../port/win32/src/libsspwin32.c ntlm.h INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ -I$(srcdir)/smbval -LDADD = smbval/libsmbvalid.a -L$(top_builddir)/lib -lntlmauth \ + -I$(top_srcdir)/src/ +LDADD = -L$(top_builddir)/lib -lntlmauth \ -lmiscutil $(CRYPTLIB) $(XTRA_LIBS) --- squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/libsspwin32.c Wed Feb 14 00:58:20 2007 +++ /dev/null Wed Feb 14 00:55:47 2007 
@@ -1,454 +0,0 @@
-/*
- * (C) 2002 Guido Serassio
- * Based on previous work of Francesco Chemolli, Robert Collins
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#include "squid.h"
-#include "ntlm.h"
-#include
-
-typedef struct _AUTH_SEQ {
- BOOL fInitialized;
- BOOL fHaveCredHandle;
- BOOL fHaveCtxtHandle;
- CredHandle hcred;
- struct _SecHandle hctxt;
-} AUTH_SEQ, *PAUTH_SEQ;
-
-static HMODULE hModule = NULL;
-SECURITY_STATUS ss = SEC_E_OK;
-
-/* Function pointers */
-ACCEPT_SECURITY_CONTEXT_FN _AcceptSecurityContext = NULL;
-ACQUIRE_CREDENTIALS_HANDLE_FN _AcquireCredentialsHandle = NULL;
-COMPLETE_AUTH_TOKEN_FN _CompleteAuthToken = NULL;
-DELETE_SECURITY_CONTEXT_FN _DeleteSecurityContext = NULL;
-FREE_CONTEXT_BUFFER_FN _FreeContextBuffer = NULL;
-FREE_CREDENTIALS_HANDLE_FN _FreeCredentialsHandle = NULL;
-INITIALIZE_SECURITY_CONTEXT_FN _InitializeSecurityContext = NULL;
-QUERY_SECURITY_PACKAGE_INFO_FN _QuerySecurityPackageInfo = NULL;
-
-
-void UnloadSecurityDll(void)
-{
- if (hModule)
- FreeLibrary(hModule);
- _AcceptSecurityContext = NULL;
- _AcquireCredentialsHandle = NULL;
- _CompleteAuthToken = NULL;
- _DeleteSecurityContext = NULL;
- _FreeContextBuffer = NULL;
- _FreeCredentialsHandle = NULL;
- _InitializeSecurityContext = NULL;
- _QuerySecurityPackageInfo = NULL;
- hModule = NULL;
-}
-
-
-HMODULE LoadSecurityDll(void)
-{
- BOOL fAllFunctionsLoaded = FALSE;
- TCHAR lpszDLL[MAX_PATH];
- OSVERSIONINFO VerInfo;
-
- //
- // Find out which security DLL to use, depending on
- // whether we are on NT or Win95 or 2000 or XP or .NET Server
- // We have to use security.dll on Windows NT 4.0.
- // All other operating systems, we have to use Secur32.dll
- //
- VerInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
- if (!GetVersionEx (&VerInfo)) // If this fails, something has gone wrong
- {
- return FALSE;
- }
-
- if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
- VerInfo.dwMajorVersion == 4 &&
- VerInfo.dwMinorVersion == 0)
- {
- lstrcpy (lpszDLL, _T(WINNT_SECURITY_DLL));
- }
- else
- {
- lstrcpy (lpszDLL, _T(WIN9X_SECURITY_DLL));
- }
-
- hModule = LoadLibrary(lpszDLL);
- if (!hModule)
- return hModule;
-
- __try {
-
- _AcceptSecurityContext = (ACCEPT_SECURITY_CONTEXT_FN)
- GetProcAddress(hModule, "AcceptSecurityContext");
- if (!_AcceptSecurityContext)
- __leave;
-
-#ifdef UNICODE
- _AcquireCredentialsHandle = (ACQUIRE_CREDENTIALS_HANDLE_FN)
- GetProcAddress(hModule, "AcquireCredentialsHandleW");
-#else
- _AcquireCredentialsHandle = (ACQUIRE_CREDENTIALS_HANDLE_FN)
- GetProcAddress(hModule, "AcquireCredentialsHandleA");
-#endif
- if (!_AcquireCredentialsHandle)
- __leave;
-
- // CompleteAuthToken is not present on Windows 9x Secur32.dll
- // Do not check for the availablity of the function if it is NULL;
- _CompleteAuthToken = (COMPLETE_AUTH_TOKEN_FN)
- GetProcAddress(hModule, "CompleteAuthToken");
-
- _DeleteSecurityContext = (DELETE_SECURITY_CONTEXT_FN)
- GetProcAddress(hModule, "DeleteSecurityContext");
- if (!_DeleteSecurityContext)
- __leave;
-
- _FreeContextBuffer = (FREE_CONTEXT_BUFFER_FN)
- GetProcAddress(hModule, "FreeContextBuffer");
- if (!_FreeContextBuffer)
- __leave;
-
- _FreeCredentialsHandle = (FREE_CREDENTIALS_HANDLE_FN)
- GetProcAddress(hModule, "FreeCredentialsHandle");
- if (!_FreeCredentialsHandle)
- __leave;
-
-#ifdef UNICODE
- _InitializeSecurityContext = (INITIALIZE_SECURITY_CONTEXT_FN)
- GetProcAddress(hModule, "InitializeSecurityContextW");
-#else
- _InitializeSecurityContext = (INITIALIZE_SECURITY_CONTEXT_FN)
- GetProcAddress(hModule, "InitializeSecurityContextA");
-#endif
- if (!_InitializeSecurityContext)
- __leave;
-
-#ifdef UNICODE
- _QuerySecurityPackageInfo = (QUERY_SECURITY_PACKAGE_INFO_FN)
- GetProcAddress(hModule, "QuerySecurityPackageInfoW");
-#else
- _QuerySecurityPackageInfo = (QUERY_SECURITY_PACKAGE_INFO_FN)
- GetProcAddress(hModule, "QuerySecurityPackageInfoA");
-#endif
- if (!_QuerySecurityPackageInfo)
- __leave;
-
- fAllFunctionsLoaded = TRUE;
-
- } __finally {
-
- if (!fAllFunctionsLoaded) {
- UnloadSecurityDll();
- hModule = NULL;
- }
-
- }
- return hModule;
-}
-
- ///////////////////////////////////////////////////////////////////////////////
-
-BOOL GenClientContext(PAUTH_SEQ pAS, PSEC_WINNT_AUTH_IDENTITY pAuthIdentity,
- PVOID pIn, DWORD cbIn, PVOID pOut, PDWORD pcbOut, PBOOL pfDone) {
-
- /*++
-
- Routine Description:
-
- Optionally takes an input buffer coming from the server and returns
- a buffer of information to send back to the server. Also returns
- an indication of whether or not the context is complete.
-
- Return Value:
-
- Returns TRUE if successful; otherwise FALSE.
-
- --*/
- TimeStamp tsExpiry;
- SecBufferDesc sbdOut;
- SecBuffer sbOut;
- SecBufferDesc sbdIn;
- SecBuffer sbIn;
- ULONG fContextAttr;
-
- if (!pAS->fInitialized) {
-
- ss = _AcquireCredentialsHandle(NULL, _T(NTLM_PACKAGE_NAME),
- SECPKG_CRED_OUTBOUND, NULL, NULL, NULL, NULL,
- &pAS->hcred, &tsExpiry);
- if (ss < 0) {
- fprintf(stderr, "AcquireCredentialsHandle failed with %08X\n", ss);
- return FALSE;
- }
-
- pAS->fHaveCredHandle = TRUE;
- }
-
- // Prepare output buffer
- sbdOut.ulVersion = 0;
- sbdOut.cBuffers = 1;
- sbdOut.pBuffers = &sbOut;
-
- sbOut.cbBuffer = *pcbOut;
- sbOut.BufferType = SECBUFFER_TOKEN;
- sbOut.pvBuffer = pOut;
-
- // Prepare input buffer
- if (pAS->fInitialized) {
- sbdIn.ulVersion = 0;
- sbdIn.cBuffers = 1;
- sbdIn.pBuffers = &sbIn;
-
- sbIn.cbBuffer = cbIn;
- sbIn.BufferType = SECBUFFER_TOKEN;
- sbIn.pvBuffer = pIn;
- }
-
- ss = _InitializeSecurityContext(&pAS->hcred,
- pAS->fInitialized ? &pAS->hctxt : NULL, NULL, 0, 0,
- SECURITY_NATIVE_DREP, pAS->fInitialized ? &sbdIn : NULL,
- 0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry);
- if (ss < 0) {
- //
- fprintf(stderr, "InitializeSecurityContext failed with %08X\n", ss);
- return FALSE;
- }
-
- pAS->fHaveCtxtHandle = TRUE;
-
- // If necessary, complete token
- if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {
-
- if (_CompleteAuthToken) {
- ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
- if (ss < 0) {
- fprintf(stderr, "CompleteAuthToken failed with %08X\n", ss);
- return FALSE;
- }
- }
- else {
- fprintf (stderr, "CompleteAuthToken not supported.\n");
- return FALSE;
- }
- }
-
- *pcbOut = sbOut.cbBuffer;
-
- if (!pAS->fInitialized)
- pAS->fInitialized = TRUE;
-
- *pfDone = !(ss == SEC_I_CONTINUE_NEEDED
- || ss == SEC_I_COMPLETE_AND_CONTINUE );
-
- return TRUE;
- }
-
- ///////////////////////////////////////////////////////////////////////////////
-
- BOOL GenServerContext(PAUTH_SEQ pAS, PVOID pIn, DWORD cbIn, PVOID pOut,
- PDWORD pcbOut, PBOOL pfDone) {
-
- /*++
-
- Routine Description:
-
- Takes an input buffer coming from the client and returns a buffer
- to be sent to the client. Also returns an indication of whether or
- not the context is complete.
-
- Return Value:
-
- Returns TRUE if successful; otherwise FALSE.
-
- --*/
- TimeStamp tsExpiry;
- SecBufferDesc sbdOut;
- SecBuffer sbOut;
- SecBufferDesc sbdIn;
- SecBuffer sbIn;
- ULONG fContextAttr;
-
- if (!pAS->fInitialized) {
-
- ss = _AcquireCredentialsHandle(NULL, _T("NTLM"),
- SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &pAS->hcred,
- &tsExpiry);
- if (ss < 0) {
- fprintf(stderr, "AcquireCredentialsHandle failed with %08X\n", ss);
- return FALSE;
- }
-
- pAS->fHaveCredHandle = TRUE;
- }
-
- // Prepare output buffer
- sbdOut.ulVersion = 0;
- sbdOut.cBuffers = 1;
- sbdOut.pBuffers = &sbOut;
-
- sbOut.cbBuffer = *pcbOut;
- sbOut.BufferType = SECBUFFER_TOKEN;
- sbOut.pvBuffer = pOut;
-
- // Prepare input buffer
- sbdIn.ulVersion = 0;
- sbdIn.cBuffers = 1;
- sbdIn.pBuffers = &sbIn;
-
- sbIn.cbBuffer = cbIn;
- sbIn.BufferType = SECBUFFER_TOKEN;
- sbIn.pvBuffer = pIn;
-
- ss = _AcceptSecurityContext(&pAS->hcred,
- pAS->fInitialized ? &pAS->hctxt : NULL, &sbdIn, ASC_REQ_DELEGATE,
- SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, &fContextAttr,
- &tsExpiry);
- if (ss < 0) {
- fprintf(stderr, "AcceptSecurityContext failed with %08X\n", ss);
- return FALSE;
- }
-
- pAS->fHaveCtxtHandle = TRUE;
-
- // If necessary, complete token
- if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {
-
- if (_CompleteAuthToken) {
- ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
- if (ss < 0) {
- fprintf(stderr, "CompleteAuthToken failed with %08X\n", ss);
- return FALSE;
- }
- }
- else {
- fprintf (stderr, "CompleteAuthToken not supported.\n");
- return FALSE;
- }
- }
-
- *pcbOut = sbOut.cbBuffer;
-
- if (!pAS->fInitialized)
- pAS->fInitialized = TRUE;
-
- *pfDone = !(ss = SEC_I_CONTINUE_NEEDED
- || ss == SEC_I_COMPLETE_AND_CONTINUE);
-
- return TRUE;
- }
-
-
-BOOL WINAPI SSPLogonUser(PTSTR szUser, PTSTR szPassword, PTSTR szDomain)
-{
- AUTH_SEQ asServer = {0};
- AUTH_SEQ asClient = {0};
- BOOL fDone = FALSE;
- BOOL fResult = FALSE;
- DWORD cbOut = 0;
- DWORD cbIn = 0;
- DWORD cbMaxToken = 0;
- PVOID pClientBuf = NULL;
- PVOID pServerBuf = NULL;
- PSecPkgInfo pSPI = NULL;
-
- SEC_WINNT_AUTH_IDENTITY ai;
-
- __try {
- if (!hModule)
- __leave;
-
- // Get max token size
- _QuerySecurityPackageInfo(_T("NTLM"), &pSPI);
- cbMaxToken = pSPI->cbMaxToken;
- _FreeContextBuffer(pSPI);
-
- // Allocate buffers for client and server messages
- pClientBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbMaxToken);
- pServerBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbMaxToken);
-
- // Initialize auth identity structure
- ZeroMemory(&ai, sizeof(ai));
- ai.Domain = szDomain;
- ai.DomainLength = lstrlen(szDomain);
- ai.User = szUser;
- ai.UserLength = lstrlen(szUser);
- ai.Password = szPassword;
- ai.PasswordLength = lstrlen(szPassword);
-#if defined(UNICODE) || defined(_UNICODE)
- ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
-#else
- ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
-#endif
-
- // Prepare client message (negotiate) .
- cbOut = cbMaxToken;
- if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf, &cbOut, &fDone))
- __leave;
-
- // Prepare server message (challenge) .
- cbIn = cbOut;
- cbOut = cbMaxToken;
- if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
- &fDone))
- __leave;
- // Most likely failure: AcceptServerContext fails with SEC_E_LOGON_DENIED
- // in the case of bad szUser or szPassword.
- // Unexpected Result: Logon will succeed if you pass in a bad szUser and
- // the guest account is enabled in the specified domain.
-
- // Prepare client message (authenticate) .
- cbIn = cbOut;
- cbOut = cbMaxToken;
- if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf, &cbOut,
- &fDone))
- __leave;
-
- // Prepare server message (authentication) .
- cbIn = cbOut;
- cbOut = cbMaxToken;
- if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
- &fDone))
- __leave;
-
- fResult = TRUE;
-
- } __finally {
-
- // Clean up resources
- if (asClient.fHaveCtxtHandle)
- _DeleteSecurityContext(&asClient.hctxt);
-
- if (asClient.fHaveCredHandle)
- _FreeCredentialsHandle(&asClient.hcred);
-
- if (asServer.fHaveCtxtHandle)
- _DeleteSecurityContext(&asServer.hctxt);
-
- if (asServer.fHaveCredHandle)
- _FreeCredentialsHandle(&asServer.hcred);
-
-
- HeapFree(GetProcessHeap(), 0, pClientBuf);
- HeapFree(GetProcessHeap(), 0, pServerBuf);
-
- }
-
- return fResult;
- }
-
Index: squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/Attic/ntlm.h,v
retrieving revision 1.1.2.2
retrieving revision 1.1.2.3
diff -u -r1.1.2.2 -r1.1.2.3
--- squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm.h 26 Apr 2002 19:52:07 -0000 1.1.2.2
+++ squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm.h 27 Apr 2002 12:55:23 -0000 1.1.2.3
@@ -17,14 +17,12 @@
 #ifndef _NTLM_H_
 #define _NTLM_H_
-#define SECURITY_WIN32
-#define NTLM_PACKAGE_NAME "NTLM"
+#include "libsspwin32.h"
 #include
 #include
 #include
 #include "ntlmauth.h"
-
 #undef debug
 /************* CONFIGURATION ***************/
@@ -47,9 +45,6 @@
 #include
-#define WINNT_SECURITY_DLL "security.dll"
-#define WIN9X_SECURITY_DLL "secur32.dll"
-
 /* Debugging stuff */
 #ifdef __GNUC__ /* this is really a gcc-ism */
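Review bot: In the first ntlm.h hunk, `#include "libsspwin32.h"` takes the place of `#define SECURITY_WIN32`, and SECURITY_WIN32 has to be defined before the SSPI headers are pulled in, so this include must stay ahead of the system includes that follow it; nothing in the hunk records that ordering constraint, and a later "tidy the includes" change could silently break the build. I would annotate it: `#include "libsspwin32.h" /* must precede the SSPI headers below: now the source of SECURITY_WIN32 */`, assuming the new header is where that define moved — that file is outside this view. `NTLM_PACKAGE_NAME` is removed here as well; the `SSP_NTLM` token used by the `LoadSecurityDll(SSP_NTLM)` call later in the patch presumably replaces it and deserves a one-line description in the same header.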
@@ -112,10 +107,6 @@
 #define NTLM_NOT_CONNECTED SEC_E_SECPKG_NOT_FOUND
 #define NTLM_BAD_NTGROUP -1
-HMODULE LoadSecurityDll(void);
-void UnloadSecurityDll(void);
-BOOL WINAPI SSPLogonUser(PTSTR, PTSTR, PTSTR);
-
 extern void uc(char *);
 const char *make_challenge(void);
Index: squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/Attic/ntlm_auth.c,v
retrieving revision 1.1.2.2
retrieving revision 1.1.2.3
diff -u -r1.1.2.2 -r1.1.2.3
--- squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm_auth.c 26 Apr 2002 19:52:07 -0000 1.1.2.2
+++ squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/ntlm_auth.c 27 Apr 2002 12:55:23 -0000 1.1.2.3
@@ -85,10 +85,10 @@
 /*
  * options:
- * -b try load-balancing the domain-controllers
- * -f fail-over to another DC if DC connection fails.
- * DEPRECATED and VERBOSELY IGNORED. This is on by default now.
- * -l last-ditch-mode
+ * -v enables debugging statements if DEBUG was defined at build-time.
+ * -l if specified, changes behavior on failures to last-ditch.
+ * -a can specify a Windows Local Group name allowed to authenticate.
+ * -d can specify a Windows Local Group name not allowed to authenticate.
  * domain\controller ...
  */
 char *my_program_name = NULL;
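Review bot: The rewritten options comment in the ntlm_auth.c hunk still ends with the context line ` * domain\controller ...`, but the getopt strings in the following hunks are `"vla:d:"` and `"va:d:"` and no positional domain/controller argument is parsed there, so that line now documents an argument the SSPI-based helper does not appear to take; drop it, or replace it with whatever positional arguments the helper still honours outside this hunk, if any. The new ` * -l` line also repeats the usage text without saying what last-ditch mode changes; since the option is compiled in only under NTLM_FAIL_OPEN, ` * -l last-ditch mode (only when built with NTLM_FAIL_OPEN); see usage() and the last_ditch_enabled handling` would at least point the reader at where the behaviour is gated. The functions that consume these flags are outside the hunk.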
@@ -97,11 +97,17 @@ usage() { fprintf(stderr, - "%s usage:\n%s [-d] [-A UserGroup] [-D UserGroup]\n" - "-d enables debugging statements if DEBUG was defined at build-time.\n" +#ifdef NTLM_FAIL_OPEN + "%s usage:\n%s [-v] [-a UserGroup] [-d UserGroup] [-l]\n" +#else + "%s usage:\n%s [-v] [-a UserGroup] [-d UserGroup]\n" +#endif + "-v enables verbose debugging statements if DEBUG was defined at build-time.\n" +#ifdef NTLM_FAIL_OPEN "-l if specified, changes behavior on failures to last-ditch.\n" - "-A specify the Windows Local Group name allowed to authenticate.\n" - "-D can specify aWindows Local Group name not allowed to authenticate.\n\n", +#endif + "-a can specify a Windows Local Group name allowed to authenticate.\n" + "-d can specify a Windows Local Group name not allowed to authenticate.\n\n", my_program_name, my_program_name); } @@ -110,14 +116,18 @@ process_options(int argc, char *argv[]) { int opt, had_error = 0; - while (-1 != (opt = getopt(argc, argv, "dlA:D:"))) { +#ifdef NTLM_FAIL_OPEN + while (-1 != (opt = getopt(argc, argv, "vla:d:"))) { +#else + while (-1 != (opt = getopt(argc, argv, "va:d:"))) { +#endif switch (opt) { - case 'A': + case 'a': safe_free(NTAllowedGroup); NTAllowedGroup=xstrdup(optarg); UseAllowedGroup = 1; break; - case 'D': + case 'd': safe_free(NTDisAllowedGroup); NTDisAllowedGroup=xstrdup(optarg); UseDisallowedGroup = 1; @@ -127,7 +137,7 @@ last_ditch_enabled = 1; break; #endif - case 'd': + case 'v': debug_enabled=1; break; default: @@ -248,8 +258,6 @@ SEND("BH Helper detected protocol error"); return; /********* END ********/ - - } int 
@@ -263,7 +271,7 @@
 debug("options processed OK\n");
 srand( (unsigned)time( NULL ) );
- if (LoadSecurityDll() == NULL) {
+ if (LoadSecurityDll(SSP_NTLM) == NULL) {
 fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n");
 exit(1);
 }
Index: squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/readme.txt
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/Attic/readme.txt,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -r1.1.2.1 -r1.1.2.2
--- squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/readme.txt 26 Apr 2002 19:52:07 -0000 1.1.2.1
+++ squid/src/auth/ntlm/helpers/NTLMSSP-WIN32/readme.txt 27 Apr 2002 12:55:23 -0000 1.1.2.2
@@ -4,9 +4,9 @@
 Usage:
-ntlm_auth [-d] [-A UserGroup] [-D UserGroup]
+ntlm_auth [-v] [-a UserGroup] [-d UserGroup] [-l]
--d enables debugging statements if DEBUG was defined at build-time.
+-v enables debugging statements if DEBUG was defined at build-time.
 -l if specified, changes behavior on failures to last-ditch.
--A can specify a Windows Local Group name allowed to authenticate.
--D can specify a Windows Local Group name not allowed to authenticate.
+-a can specify a Windows Local Group name allowed to authenticate.
+-d can specify a Windows Local Group name not allowed to authenticate.
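Review bot: The context line `srand( (unsigned)time( NULL ) );` directly above the new `LoadSecurityDll(SSP_NTLM)` call seeds the C library PRNG from the start time, and ntlm.h still declares `make_challenge()`; if that function derives the 8-byte NTLM server challenge from rand(), the challenge is predictable from the helper's start time, which lets an observer precompute or replay responses. On this Win32-only helper `CryptGenRandom` is the appropriate source, and if the SSPI switch means the challenge now comes from AcceptSecurityContext rather than make_challenge, the srand call should simply go rather than linger as an attractive nuisance — that cannot be confirmed from the hunk. The failure branch is fine (a NULL handle exits before any request is served), though the stderr message could name the provider that failed, e.g. `fprintf(stderr, "FATAL, can't initialize SSPI (NTLM), exiting.\n");`, so logs distinguish it from a future Basic helper using the same library. The enclosing function, presumably main(), continues outside the hunk.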