---------------------
PatchSet 6154
Date: 2004/02/21 11:46:03
Author: serassio
Branch: nt-2_5
Tag: (none)
Log:
Now native Windows NTLM authenticator has automatic support for NTLM NEGOTIATE packets
Members:
helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c:1.1.4.7->1.1.4.8
helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c:1.1.4.16->1.1.4.17
helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt:1.1.4.7->1.1.4.8
Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/libntlmssp.c,v
retrieving revision 1.1.4.7
retrieving revision 1.1.4.8
diff -u -r1.1.4.7 -r1.1.4.8
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c 30 Nov 2003 11:44:38 -0000 1.1.4.7
+++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c 21 Feb 2004 11:46:03 -0000 1.1.4.8
@@ -303,6 +303,7 @@
 0 );
 encoded = base64_encode_bin((char *) &ne, NEGOTIATE_LENGTH);
+ debug("Negotiate packet not supplied - self generated\n");
 return encoded;
 }
Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/ntlm_auth.c,v
retrieving revision 1.1.4.16
retrieving revision 1.1.4.17
diff -u -r1.1.4.16 -r1.1.4.17
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c 3 Jan 2004 14:45:46 -0000 1.1.4.16
+++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c 21 Feb 2004 11:46:03 -0000 1.1.4.17
@@ -30,11 +30,15 @@
 *
 * History:
 *
+ * Version 1.21
+ * 21-02-2004 Guido Serassio
+ * Removed control of use of NTLM NEGOTIATE packet from
+ * command line, now the support is automatic.
 * Version 1.20
 * 30-11-2003 Guido Serassio
 * Added support for NTLM local calls.
- Added control of use of NTLM NEGOTIATE packet from
- command line.
+ * Added control of use of NTLM NEGOTIATE packet from
+ * command line.
 * Updated documentation.
 * Version 1.10
 * 07-09-2003 Guido Serassio
@@ -66,14 +70,10 @@
 char * NTDisAllowedGroup;
 int UseDisallowedGroup = 0;
 int UseAllowedGroup = 0;
-int UseNtlmNegotiate = 0;
 #ifdef FAIL_DEBUG
 int fail_debug_enabled = 0;
 #endif
-char YR_String[4] = "YR";
-int YR_Length = 2;
-
 /* makes a null-terminated string upper-case. Changes CONTENTS! */
 void uc(char *string)
@@ -112,7 +112,6 @@
 -l if specified, changes behavior on failures to last-ditch.
 -A can specify a Windows Local Group name allowed to authenticate.
 -D can specify a Windows Local Group name not allowed to authenticate.
- -N enable use of NTLM NEGOTIATE packet
 */
 char *my_program_name = NULL;
@@ -121,9 +120,9 @@
 {
 fprintf(stderr,
 #ifdef NTLM_FAIL_OPEN
- "Usage: %s [-d] [-v] [-N] [-A|D LocalUserGroup] [-l] [-h]\n"
+ "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-l] [-h]\n"
 #else
- "Usage: %s [-d] [-v] [-N] [-A|D LocalUserGroup] [-h]\n"
+ "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-h]\n"
 #endif
 " -d enable debugging.\n"
 " -v enable verbose NTLM packet debugging.\n"
@@ -132,7 +131,6 @@
 #endif
 " -A specify a Windows Local Group name allowed to authenticate\n"
 " -D specify a Windows Local Group name not allowed to authenticate\n"
- " -N enable use of NTLM NEGOTIATE packet\n"
 " -h this message\n\n", my_program_name);
 }
@@ -145,9 +143,9 @@
 opterr =0;
 #ifdef NTLM_FAIL_OPEN
- while (-1 != (opt = getopt(argc, argv, "hdvlA:D:N"))) {
+ while (-1 != (opt = getopt(argc, argv, "hdvlA:D:"))) {
 #else
- while (-1 != (opt = getopt(argc, argv, "hdvA:D:N"))) {
+ while (-1 != (opt = getopt(argc, argv, "hdvA:D:"))) {
 #endif
 switch (opt) {
 case 'A':
@@ -160,11 +158,6 @@
 NTDisAllowedGroup=xstrdup(optarg);
 UseDisallowedGroup = 1;
 break;
- case 'N':
- UseNtlmNegotiate = 1;
- strcpy(YR_String, "YR ");
- YR_Length = 3;
- break;
 #ifdef NTLM_FAIL_OPEN
 case 'l':
 last_ditch_enabled = 1;
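Review bot: Dropping `N` from both optstrings at `@@ -145,9 +143,9 @@` turns the `-N` that the previous readme told administrators to put in squid.conf into an unrecognised option; with `opterr =0` what the helper then does depends on the `default:` branch of the switch, which is outside the hunk, so existing configurations may fail to start the helper. For one release it would be safer to keep `N` in both optstrings and accept it as a no-op, `case 'N': /* deprecated: NEGOTIATE support is now automatic */ break;`, and say so in the usage text. The option-parsing function starts and ends outside these hunks.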
@@ -244,9 +237,9 @@
 hex_dump(decoded, ((strlen(buf) - 3) * 3) / 4);
 } else
 debug("Got '%s' from Squid\n", buf);
- if (memcmp(buf, YR_String, YR_Length) == 0) { /* refresh-request */
+ if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */
 /* figure out what we got */
- if (UseNtlmNegotiate)
+ if (strlen(buf) > 3)
 decoded = base64_decode(buf + 3);
 else
 decoded = base64_decode(ntlm_make_negotiate());
@@ -268,7 +261,7 @@
 switch (fast_header->type) {
 case NTLM_NEGOTIATE:
 /* Obtain challenge against SSPI */
- if (UseNtlmNegotiate)
+ if (strlen(buf) > 3)
 plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here. Optimization */
 else
 plen = NEGOTIATE_LENGTH;
Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt
===================================================================
RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/readme.txt,v
retrieving revision 1.1.4.7
retrieving revision 1.1.4.8
diff -u -r1.1.4.7 -r1.1.4.8
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt 29 Nov 2003 14:25:17 -0000 1.1.4.7
+++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt 21 Feb 2004 11:46:03 -0000 1.1.4.8
@@ -1,19 +1,19 @@
 ntlm_auth.exe
-Native Windows NTLM/NTLMv2 authenticator for Squid 2.5.
+Native Windows NTLM/NTLMv2 authenticator for Squid 2.5 with
+automatic support for NTLM NEGOTIATE packets.
 ===== Usage =====
-ntlm_auth [-d] [-v] [-N] [-A|D LocalUserGroup] [-l] [-h]
+ntlm_auth [-d] [-v] [-A|D LocalUserGroup] [-l] [-h]
 -d enables debugging.
 -v enables verbose NTLM packet debugging.
 -l if specified, changes behavior on failures to last-ditch.
 -A specify a Windows Local Group name allowed to authenticate.
 -D specify a Windows Local Group name not allowed to authenticate.
--N enable use of NTLM NEGOTIATE packet.
 -h print program usage
 This is released under the GNU General Public License
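Review bot: The new `if (strlen(buf) > 3)` treats any `YR` line longer than three bytes as carrying a NEGOTIATE token and decodes from `buf + 3` without confirming that `buf[2]` is the separator, whereas the removed `YR_String`/`YR_Length` check matched the full `YR ` prefix whenever a token was expected. Tighten it to `if (strlen(buf) > 3 && buf[2] == ' ')` so a malformed line falls back to the self-generated negotiate instead of being decoded from the wrong offset; the same `strlen(buf) > 3` test is repeated at `@@ -268,7 +261,7 @@` and would read better as one `int have_negotiate` computed once here. Whether `base64_decode()` can return NULL on bad input is not visible in this hunk; if it can, `decoded` should be checked before it is interpreted as the NTLM header that `fast_header` in the next hunk presumably points into. The enclosing function starts and ends outside the hunk.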
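Review bot: `plen = (strlen(buf) - 3) * 3 / 4` derives the NEGOTIATE token length from the base64 text and ignores `=` padding, so it can exceed the number of bytes `base64_decode()` actually produced by up to two, and those trailing bytes are then presumably passed to SSPI as part of the token. If `base64_decode()` can report the decoded length (its signature is not visible here) that value should be used instead; otherwise subtract the padding, e.g. `size_t blen = strlen(buf);` followed by `plen = (blen - 3) * 3 / 4 - (buf[blen - 1] == '=') - (blen > 4 && buf[blen - 2] == '=');`. The `switch` on `fast_header->type` continues outside the hunk.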
@@ -38,18 +38,18 @@ Squid.conf typical minimal required changes: -auth_param ntlm program c:/squid/libexec/ntlm_auth.exe -N +auth_param ntlm program c:/squid/libexec/ntlm_auth.exe auth_param ntlm children 5 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes -auth_param ntlm use_ntlm_negotiate on <== needs (or needed by) -N option +auth_param ntlm use_ntlm_negotiate on acl password proxy_auth REQUIRED http_access allow password http_access deny all -When using -N option, "use_ntlm_negotiate on" is MANDATORY and +When using "use_ntlm_negotiate on" max_challenge_reuses and max_challenge_lifetime parameters must be specified but they are are ignored.