--------------------- PatchSet 5929
Date: 2003/09/13 10:46:39
Author: serassio
Branch: nt-2_5
Tag: (none)
Log:
Revised Win32 NTLM helper error handling and merged latest changes from winbindd NTLM helper
Members:
helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c:1.1.4.4->1.1.4.5
helpers/ntlm_auth/NTLMSSP-WIN32/ntlm.h:1.1.4.6->1.1.4.7
helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c:1.1.4.8->1.1.4.9
Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/libntlmssp.c,v
retrieving revision 1.1.4.4
retrieving revision 1.1.4.5
diff -u -r1.1.4.4 -r1.1.4.5
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c 8 Sep 2003 22:22:16 -0000 1.1.4.4
+++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c 13 Sep 2003 10:46:39 -0000 1.1.4.5
@@ -224,7 +224,7 @@
 if (tmp.str == NULL || tmp.l == 0) {
 debug("No domain supplied. Returning no-auth\n");
- ntlm_errno = NTLM_LOGON_ERROR;
+ ntlm_errno = NTLM_BAD_REQUEST;
 return NULL;
 }
 if (Use_Unicode) {
@@ -239,7 +239,7 @@
 tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->user);
 if (tmp.str == NULL || tmp.l == 0) {
 debug("No username supplied. Returning no-auth\n");
- ntlm_errno = NTLM_LOGON_ERROR;
+ ntlm_errno = NTLM_BAD_REQUEST;
 return NULL;
 }
 if (Use_Unicode) {
@@ -262,7 +262,7 @@
 debug("Login attempt had result %d\n", rv);
 if (!rv) { /* failed */
- ntlm_errno = ss;
+ ntlm_errno = NTLM_SSPI_ERROR;
 return NULL;
 }
Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/ntlm.h,v
retrieving revision 1.1.4.6
retrieving revision 1.1.4.7
diff -u -r1.1.4.6 -r1.1.4.7
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm.h 8 Sep 2003 22:22:16 -0000 1.1.4.6
+++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm.h 13 Sep 2003 10:46:39 -0000 1.1.4.7
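Review bot: In the @@ -262 hunk, replacing `ntlm_errno = ss;` with `ntlm_errno = NTLM_SSPI_ERROR;` throws away the status `ss` that the SSPI call produced (the removed SEC_E_* aliases in ntlm.h show it was compared as a SECURITY_STATUS), and nothing else in this hunk records it, so the caller can no longer distinguish a denied logon from a package or connectivity failure. At minimum log it before the assignment, e.g. `debug("SSPI call failed, status %ld\n", (long) ss);`, or keep it in a second variable next to `ntlm_errno` so the caller can report the real cause instead of guessing from GetLastError(). The enclosing ntlm_check_auth body starts and ends outside the hunk; the @@ -224 and @@ -239 hunks in this file only swap one helper-local code for another and do not lose information.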
@@ -89,14 +89,10 @@
 extern int UseAllowedGroup;
 extern int ntlm_errno;
-#define NTLM_NO_ERROR SEC_E_OK
-#define NTLM_SERVER_ERROR SEC_E_NOT_SUPPORTED
-#define NTLM_PROTOCOL_ERROR SEC_E_INCOMPLETE_MESSAGE
-#define NTLM_LOGON_ERROR SEC_E_LOGON_DENIED
-#define NTLM_UNTRUSTED_DOMAIN SEC_E_NO_AUTHENTICATING_AUTHORITY
-#define NTLM_BAD_PROTOCOL SEC_E_BAD_PKGID
-#define NTLM_NOT_CONNECTED SEC_E_SECPKG_NOT_FOUND
-#define NTLM_BAD_NTGROUP -1
+#define NTLM_NO_ERROR 0
+#define NTLM_SSPI_ERROR 1
+#define NTLM_BAD_NTGROUP 2
+#define NTLM_BAD_REQUEST 3
 #define NEGOTIATE_LENGTH 16
Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/ntlm_auth.c,v
retrieving revision 1.1.4.8
retrieving revision 1.1.4.9
diff -u -r1.1.4.8 -r1.1.4.9
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c 8 Sep 2003 22:22:16 -0000 1.1.4.8
+++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c 13 Sep 2003 10:46:39 -0000 1.1.4.9
@@ -48,8 +48,6 @@
 #define BUFFER_SIZE 10240
-#define FAKE_NEGOTIATE 1
-
 #ifdef NTLM_FAIL_OPEN
 int last_ditch_enabled = 0;
 #endif
@@ -212,7 +210,7 @@
 }
-void
+int
 manage_request()
 {
 ntlmhdr *fast_header;
@@ -221,19 +219,18 @@
 char *c, *decoded, *cred;
 int plen;
 int oversized = 0;
+ char * ErrorMessage;
 try_again:
- if (fgets(buf, BUFFER_SIZE, stdin) == NULL) {
- debug("fgets() failed! dying..... errno=%d (%s)\n", errno,
- strerror(errno));
- exit(1); /* BIIG buffer */
- }
+ if (fgets(buf, BUFFER_SIZE, stdin) == NULL)
+ return 0;
+
 c = memchr(buf, '\n', BUFFER_SIZE); /* safer against overrun than strchr */
 if (c) {
 if (oversized) {
 helperfail("illegal request received");
 fprintf(stderr, "Illegal request received: '%s'\n", buf);
- return;
+ return 1;
 }
 *c = '\0';
 } else {
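Review bot: The four replacement codes in the ntlm.h hunk are bare #defines with no comment saying that `ntlm_errno` now carries a helper-local code rather than a SECURITY_STATUS, which the removed SEC_E_* aliases used to make obvious; a reader of ntlm.h alone cannot tell that the original SSPI status is no longer reachable through this variable. An enum keeps the values distinct and debugger-visible, e.g. `enum { NTLM_NO_ERROR = 0, NTLM_SSPI_ERROR, NTLM_BAD_NTGROUP, NTLM_BAD_REQUEST };`, and a one-line comment above it such as `/* helper-local codes stored in ntlm_errno; the underlying SSPI status is not preserved */` documents the contract. Any other translation unit still comparing `ntlm_errno` against the removed NTLM_LOGON_ERROR or NTLM_UNTRUSTED_DOMAIN names will stop compiling; only ntlm_auth.c is updated in this patchset, so that is worth checking.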
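Review bot: In the @@ -221 hunk the new `if (fgets(buf, BUFFER_SIZE, stdin) == NULL) return 0;` treats a read error exactly like end-of-file, whereas the removed lines logged errno before exiting, so a helper that stops because its pipe broke now leaves no diagnostic at all. Keep the error case visible, e.g. `if (ferror(stdin)) debug("fgets() failed, errno=%d (%s)\n", errno, strerror(errno));` immediately before `return 0;` (errno and strerror were already used by the removed code). `ErrorMessage` is also declared here without an initializer and is only ever assigned in the NTLM_SSPI_ERROR branch of the @@ -348 hunk; writing `char *ErrorMessage = NULL;` makes a missed assignment there detectable. manage_request continues past the end of this hunk.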
@@ -248,20 +245,20 @@
 hex_dump(decoded, ((strlen(buf) - 3) * 3) / 4);
 } else debug("Got '%s' from Squid\n", buf);
-#if FAKE_NEGOTIATE
- if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */
- decoded = base64_decode(ntlm_make_negotiate());
-#else
+#if NTLM_TRUE_NEGOTIATE
 if (memcmp(buf, "YR ", 3) == 0) { /* refresh-request */
 /* figure out what we got */
 decoded = base64_decode(buf + 3);
 /* Note: we don't need to manage memory at this point, since
 * base64_decode returns a pointer to static storage. */
+#else
+ if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */
+ decoded = base64_decode(ntlm_make_negotiate());
 #endif
 if (!decoded) { /* decoding failure, return error */
 SEND("NA Packet format error, couldn't base64-decode");
- return;
+ return 1;
 }
 /* fast-track-decode request type. */
 fast_header = (struct _ntlmhdr *) decoded;
@@ -269,15 +266,15 @@
 /* sanity-check: it IS a NTLMSSP packet, isn't it? */
 if (memcmp(fast_header->signature, "NTLMSSP", 8) != 0) {
 SEND("NA Broken authentication packet");
- return;
+ return 1;
 }
 switch (fast_header->type) {
 case NTLM_NEGOTIATE: /* Obtain challenge against SSPI */
-#if FAKE_NEGOTIATE
- plen = NEGOTIATE_LENGTH;
-#else
+#if NTLM_TRUE_NEGOTIATE
 plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here. Optimization */
+#else
+ plen = NEGOTIATE_LENGTH;
 #endif
 if ((c = (char *) obtain_challenge((ntlm_negotiate *) decoded, plen)) != NULL ) {
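Review bot: `#if NTLM_TRUE_NEGOTIATE` in the @@ -248 hunk (and again in @@ -269) tests an identifier that nothing in this patchset defines; the preprocessor silently evaluates an undefined name as 0, so the fake-negotiate path is selected by default and a misspelt `-D` on the build line would switch paths without any warning. Either give it a visible default where FAKE_NEGOTIATE was removed in the @@ -48 hunk, `#ifndef NTLM_TRUE_NEGOTIATE` / `#define NTLM_TRUE_NEGOTIATE 0` / `#endif`, or change both tests to `#ifdef NTLM_TRUE_NEGOTIATE`. The `#else` branch also decodes the output of `ntlm_make_negotiate()` rather than the bytes Squid sent after `YR`, which deserves a one-line comment there so a reader knows the client payload is ignored on purpose. manage_request starts and ends outside this hunk.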
@@ -292,27 +289,27 @@
 have_challenge = 1;
 } else helperfail("can't obtain challenge");
- return;
+ return 1;
 /* notreached */
 case NTLM_CHALLENGE:
 SEND ("NA Got a challenge. We refuse to have our authority disputed");
- return;
+ return 1;
 /* notreached */
 case NTLM_AUTHENTICATE:
 SEND("NA Got authentication request instead of negotiate request");
- return;
+ return 1;
 /* notreached */
 default:
 helperfail("unknown refresh-request packet type");
- return;
+ return 1;
 }
- return;
+ return 1;
 }
 if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
 if (!have_challenge) {
 helperfail("invalid challenge");
- return;
+ return 1;
 }
 /* figure out what we got */
 decoded = base64_decode(buf + 3);
@@ -322,7 +319,7 @@
 if (!decoded) { /* decoding failure, return error */
 SEND("NA Packet format error, couldn't base64-decode");
- return;
+ return 1;
 }
 /* fast-track-decode request type. */
 fast_header = (struct _ntlmhdr *) decoded;
@@ -330,17 +327,17 @@
 /* sanity-check: it IS a NTLMSSP packet, isn't it? */
 if (memcmp(fast_header->signature, "NTLMSSP", 8) != 0) {
 SEND("NA Broken authentication packet");
- return;
+ return 1;
 }
 switch (fast_header->type) {
 case NTLM_NEGOTIATE:
 SEND("NA Invalid negotiation request received");
- return;
+ return 1;
 /* notreached */
 case NTLM_CHALLENGE:
 SEND ("NA Got a challenge. We refuse to have our authority disputed");
- return;
+ return 1;
 /* notreached */
 case NTLM_AUTHENTICATE:
 /* check against SSPI */
@@ -348,36 +345,51 @@
 cred = ntlm_check_auth((ntlm_authenticate *) decoded, plen);
 if (cred == NULL) {
 switch (ntlm_errno) {
- case NTLM_LOGON_ERROR:
- SEND("NA Logon Failure");
- return;
 case NTLM_BAD_NTGROUP:
 SEND("NA Incorrect Group Membership");
- return;
- case NTLM_UNTRUSTED_DOMAIN:
- SEND("NA No authority could be contacted for authentication");
- return;
+ return 1;
+ case NTLM_BAD_REQUEST:
+ SEND("NA Incorrect Request Format");
+ return 1;
+ case NTLM_SSPI_ERROR:
+ FormatMessage(
+ FORMAT_MESSAGE_ALLOCATE_BUFFER |
+ FORMAT_MESSAGE_FROM_SYSTEM |
+ FORMAT_MESSAGE_IGNORE_INSERTS,
+ NULL,
+ GetLastError(),
+ MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
+ (LPTSTR) &ErrorMessage,
+ 0,
+ NULL);
+ if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
+ ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
+ if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
+ ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
+ SEND2("NA %s", ErrorMessage);
+ LocalFree(ErrorMessage);
+ return 1;
 default:
- SEND("NA SSPI Error");
- return;
+ SEND("NA Unknown Error");
+ return 1;
 }
 }
 lc(cred); /* let's lowercase them for our convenience */
 SEND2("AF %s", cred);
 have_challenge = 0;
- return;
+ return 1;
 default:
 helperfail("unknown authentication packet type");
- return;
+ return 1;
 }
- return;
- } else { /* not an auth-request */
+ return 1;
+ } else { /* not an auth-request */
 helperfail("illegal request received");
 fprintf(stderr, "Illegal request received: '%s'\n", buf);
- return;
+ return 1;
 }
 helperfail("detected protocol error");
- return;
+ return 1;
 /********* END ********/
 }
@@ -402,8 +414,8 @@
 setbuf(stdout, NULL);
 setbuf(stderr, NULL);
- while (1) {
- manage_request();
+ while (manage_request()) {
+ /* everything is done within manage_request */
 }
 return 0;
 }
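Review bot: The new NTLM_SSPI_ERROR branch in the @@ -348 hunk never checks what FormatMessage returns, so when it fails (it returns 0) `ErrorMessage` — declared without an initializer in the @@ -221 hunk — is handed to strlen() while indeterminate, and if the message it does produce is an empty string the `strlen(ErrorMessage) - 1` index wraps and the `= '\0'` store lands outside the buffer. The text is also looked up through GetLastError(), while the failure was recorded in ntlm_check_auth (libntlmssp.c, @@ -262) by discarding the status `ss`; whether the thread's last-error value still describes that SSPI failure by the time this switch runs is not visible here, so the reply may describe an unrelated call, and `(LPTSTR) &ErrorMessage` hides a `char *`/TCHAR mismatch if the helper is ever built with UNICODE defined. Guard the lookup, fall back to a fixed reply, and trim the trailing CR/LF with a length that is checked first, as below; the enclosing switch and manage_request continue outside the hunk.
```c
	    case NTLM_SSPI_ERROR:
		ErrorMessage = NULL;
		if (FormatMessage(
			FORMAT_MESSAGE_ALLOCATE_BUFFER |
			FORMAT_MESSAGE_FROM_SYSTEM |
			FORMAT_MESSAGE_IGNORE_INSERTS,
			NULL,
			GetLastError(),
			MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),	// Default language
			(LPTSTR) &ErrorMessage,
			0,
			NULL) == 0 || ErrorMessage == NULL) {
		    /* no usable system text: reuse the old fixed reply rather than
		     * dereferencing an unset pointer */
		    SEND("NA SSPI Error");
		    return 1;
		}
		{
		    /* strip the trailing CR/LF the original code expects, but only
		     * while there is a character left to look at */
		    size_t len = strlen(ErrorMessage);
		    while (len > 0 && (ErrorMessage[len - 1] == '\n' || ErrorMessage[len - 1] == '\r'))
			ErrorMessage[--len] = '\0';
		}
		SEND2("NA %s", ErrorMessage);
		LocalFree(ErrorMessage);
		return 1;
	    /* … unchanged: default branch and the rest of the switch … */
```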