--------------------- PatchSet 696 Date: 2000/10/22 11:57:22 Author: rbcollins Branch: ntlm Tag: (none) Log: indented the source. Members: src/acl.c:1.1.1.3.12.22->1.1.1.3.12.23 Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.1.1.3.12.22 retrieving revision 1.1.1.3.12.23 diff -u -r1.1.1.3.12.22 -r1.1.1.3.12.23 --- squid/src/acl.c 22 Oct 2000 07:36:54 -0000 1.1.1.3.12.22 +++ squid/src/acl.c 22 Oct 2000 11:57:22 -0000 1.1.1.3.12.23 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.1.1.3.12.22 2000/10/22 07:36:54 rbcollins Exp $ + * $Id: acl.c,v 1.1.1.3.12.23 2000/10/22 11:57:22 rbcollins Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -89,7 +89,8 @@ #endif #ifdef USE_NTLM static void aclLookupProxyStatefulAuthStart(aclCheck_t * checklist); -static void aclLookupProxyNTLMAuthDone(void *data, void * lastserver, char *result); +static void aclLookupProxyNTLMAuthDone(void *data, void *lastserver, + char *result); #endif static wordlist *aclDumpIpList(void *); static wordlist *aclDumpDomainList(void *data); @@ -116,7 +117,7 @@ #endif #if defined(USE_NTLM) && defined( NTLM_CACHING) -static hash_table *ntlmauthcache=NULL; +static hash_table *ntlmauthcache = NULL; #endif static char * @@ -483,7 +484,10 @@ if (!decode_addr(addr1, &q->addr1, &q->mask)) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown first address '%s'\n", addr1); + debug(28, + 0) + ("aclParseIpData: Ignoring invalid IP acl entry: unknown first address '%s'\n", + addr1); safe_free(q); return NULL; } @@ -491,7 +495,10 @@ if (*addr2 && !decode_addr(addr2, &q->addr2, &q->mask)) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown second address '%s'\n", addr2); + debug(28, + 0) + ("aclParseIpData: Ignoring invalid IP acl entry: unknown second address '%s'\n", + addr2); safe_free(q); return NULL; } @@ -499,7 +506,10 @@ if (*mask && !decode_addr(mask, &q->mask, NULL)) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown netmask '%s'\n", mask); + debug(28, + 0) + ("aclParseIpData: Ignoring invalid IP acl entry: unknown netmask '%s'\n", + mask); safe_free(q); return NULL; } @@ -572,8 +582,7 @@ default: debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseTimeSpec: Bad Day '%c'\n", - *t); + debug(28, 0) ("aclParseTimeSpec: Bad Day '%c'\n", *t); break; } } @@ -591,7 +600,8 @@ if (q->start > q->stop) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseTimeSpec: IGNORING Reversed time range\n"); + debug(28, + 0) ("aclParseTimeSpec: IGNORING Reversed time range\n"); memFree(q, MEM_ACL_TIME_DATA); return; } @@ -629,7 +639,8 @@ regerror(errcode, &comp, errbuf, sizeof errbuf); debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseRegexList: Invalid regular expression '%s': %s\n", + debug(28, + 0) ("aclParseRegexList: Invalid regular expression '%s': %s\n", t, errbuf); continue; } @@ -737,7 +748,10 @@ new_acl = 1; } else { if (acltype != A->type) { - debug(28, 0) ("aclParseAclLine: ACL '%s' already exists with different type, skipping.\n", A->name); + debug(28, + 0) + ("aclParseAclLine: ACL '%s' already exists with different type, skipping.\n", + A->name); return; } debug(28, 3) ("aclParseAclLine: Appending to '%s'\n", aclname); @@ -801,16 +815,17 @@ #ifdef USE_BASIC_AUTH if (!proxy_auth_cache) { /* First time around, 7921 should be big enough */ - proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); + proxy_auth_cache = + hash_create((HASHCMP *) strcmp, 7921, hash_string); assert(proxy_auth_cache); } #endif #if defined (NTLM_CACHING) && defined (USE_NTLM) - if (!ntlmauthcache) { - /* First time around, 7921 should be big enough */ - ntlmauthcache = hash_create((HASHCMP *) strcmp, 7921 , hash_string); - assert(ntlmauthcache); - } + if (!ntlmauthcache) { + /* First time around, 7921 should be big enough */ + ntlmauthcache = hash_create((HASHCMP *) strcmp, 7921, hash_string); + assert(ntlmauthcache); + } #endif break; case ACL_PROXY_AUTH_REGEX: @@ -818,16 +833,17 @@ #ifdef USE_BASIC_AUTH if (!proxy_auth_cache) { /* First time around, 7921 should be big enough */ - proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); + proxy_auth_cache = + hash_create((HASHCMP *) strcmp, 7921, hash_string); assert(proxy_auth_cache); } #endif #if defined (NTLM_CACHING) && defined (USE_NTLM) - if (!ntlmauthcache) { - /* First time around, 7921 should be big enough */ - ntlmauthcache = hash_create((HASHCMP *) strcmp, 7921 , hash_string); - assert(ntlmauthcache); - } + if (!ntlmauthcache) { + /* First time around, 7921 should be big enough */ + ntlmauthcache = hash_create((HASHCMP *) strcmp, 7921, hash_string); + assert(ntlmauthcache); + } #endif break; #if SQUID_SNMP @@ -924,7 +940,8 @@ if ((t = strtok(NULL, w_space)) == NULL) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseDenyInfoLine: missing 'error page' parameter.\n"); + debug(28, + 0) ("aclParseDenyInfoLine: missing 'error page' parameter.\n"); return; } A = memAllocate(MEM_ACL_DENY_INFO_LIST); @@ -942,7 +959,9 @@ if (A->acl_list == NULL) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseDenyInfoLine: deny_info line contains no ACL's, skipping\n"); + debug(28, + 0) + ("aclParseDenyInfoLine: deny_info line contains no ACL's, skipping\n"); memFree(A, MEM_ACL_DENY_INFO_LIST); return; } @@ -977,7 +996,9 @@ else { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseAccessLine: expecting 'allow' or 'deny', got '%s'.\n", t); + debug(28, + 0) ("aclParseAccessLine: expecting 'allow' or 'deny', got '%s'.\n", + t); memFree(A, MEM_ACL_ACCESS); return; } @@ -1009,7 +1030,9 @@ if (A->acl_list == NULL) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseAccessLine: Access line contains no ACL's, skipping\n"); + debug(28, + 0) + ("aclParseAccessLine: Access line contains no ACL's, skipping\n"); memFree(A, MEM_ACL_ACCESS); return; } @@ -1087,7 +1110,8 @@ debug(28, 3) ("aclMatchUser: checking '%s'\n", user); while (data) { debug(28, 3) ("aclMatchUser: looking for '%s'\n", data->key); - if (strcmp(data->key, "REQUIRED") == 0 && *user != '\0' && strcmp(user, "-") != 0) + if (strcmp(data->key, "REQUIRED") == 0 && *user != '\0' + && strcmp(user, "-") != 0) return 1; if (strcmp(data->key, user) == 0) return 1; @@ -1102,7 +1126,8 @@ 2: ntlm */ static int -aclDecodeProxyAuth(const char *proxy_auth, int *type, char **user, char **password, char *buf, size_t bufsize) +aclDecodeProxyAuth(const char *proxy_auth, int *type, char **user, + char **password, char *buf, size_t bufsize) { char *sent_auth; char *cleartext; @@ -1110,26 +1135,28 @@ /* if (proxy_auth == NULL) return 0; *///checked by aclMatchProxy. - assert(proxy_auth!=NULL); + assert(proxy_auth != NULL); debug(28, 6) ("aclDecodeProxyAuth: header = '%s'\n", proxy_auth); #ifdef USE_BASIC_AUTH if (strncasecmp(proxy_auth, "Basic ", 6) == 0) { proxy_auth += 6; *type = AUTH_BASIC; - } else + } else #endif #ifdef USE_NTLM if (strncmp("NTLM ", proxy_auth, 5) == 0) { proxy_auth += 5; *type = AUTH_NTLM; - } else + } else #endif { - debug(28, 1) ("aclDecodeProxyAuth: Unsupported proxy-auth scheme, '%s'\n", proxy_auth); + debug(28, + 1) ("aclDecodeProxyAuth: Unsupported proxy-auth scheme, '%s'\n", + proxy_auth); return AUTH_UNKNOWN; } - + /* Trim leading whitespace before decoding */ while (xisspace(*proxy_auth)) proxy_auth++; @@ -1142,36 +1169,39 @@ switch (*type) { #if USE_BASIC_AUTH case AUTH_BASIC: - /* - * Don't allow NL or CR in the credentials. - * Oezguer Kesim - */ - strtok(cleartext, "\r\n"); - debug(28, 6) ("aclDecodeProxyAuth: cleartext = '%s'\n", cleartext); - xstrncpy(buf, cleartext, bufsize); - xfree(cleartext); - *user = buf; - - if ((*password = strchr(*user, ':')) != NULL) - *(*password)++ = '\0'; - if (*password == NULL) { - debug(28, 1) ("aclDecodeProxyAuth: no password in proxy authorization header '%s'\n", proxy_auth); + /* + * Don't allow NL or CR in the credentials. + * Oezguer Kesim + */ + strtok(cleartext, "\r\n"); + debug(28, 6) ("aclDecodeProxyAuth: cleartext = '%s'\n", cleartext); + xstrncpy(buf, cleartext, bufsize); + xfree(cleartext); + *user = buf; + + if ((*password = strchr(*user, ':')) != NULL) + *(*password)++ = '\0'; + if (*password == NULL) { + debug(28, + 1) + ("aclDecodeProxyAuth: no password in proxy authorization header '%s'\n", + proxy_auth); return AUTH_BROKEN; - } - if (**password == '\0') { - debug(28, 1) ("aclDecodeProxyAuth: Disallowing empty password," - "user is '%s'\n", *user); + } + if (**password == '\0') { + debug(28, 1) ("aclDecodeProxyAuth: Disallowing empty password," + "user is '%s'\n", *user); return AUTH_BROKEN; - } + } return AUTH_BASIC; - break; + break; #endif #if USE_NTLM case AUTH_NTLM: - /* all we have to do is identify that it's NTLM - the helper does the rest */ - debug(28,7)("aclDecodeProxyAuth: NTLM authentication\n"); + /* all we have to do is identify that it's NTLM - the helper does the rest */ + debug(28, 7) ("aclDecodeProxyAuth: NTLM authentication\n"); return AUTH_NTLM; - break; + break; #endif } /* UNREACHABLE */ @@ -1190,7 +1220,8 @@ */ static int -aclMatchProxyAuth(void *data, const char *proxy_auth, acl_proxy_auth_user * auth_user, aclCheck_t * checklist, squid_acl acltype) +aclMatchProxyAuth(void *data, const char *proxy_auth, + acl_proxy_auth_user * auth_user, aclCheck_t * checklist, squid_acl acltype) { /* checklist is used to register user name when identified, nothing else */ LOCAL_ARRAY(char, login_buf, USER_IDENT_SZ); @@ -1200,212 +1231,250 @@ int rv; #endif - /* state machine for ntlm authentication on a connection - should be easily modified to support Digest via the - -state input state output -NONE NTLM NEGOTIATE NEGOTIATE NEGOTIATE TO HELPER -NEGOTIATE CHALLENGE CHALLENGE CHALLENGE TO CLIENT -CHALLENGE RESPONSE RESPONSE RESPONSE TO HELPER -RESPONSE OK DONE PAGE TO CLIENT -RESPONSE ERR NONE ERROR TO CLIENT -NONE NONE NONE OFFER AUTH TYPES - still thinking about basic state process -NONE BASIC HEADER NONE - - -*/ + /* state machine for ntlm authentication on a connection + * should be easily modified to support Digest via the + * + * state input connectionstate output + * NONE NTLM NEGOTIATE NEGOTIATE NEGOTIATE TO HELPER + * NEGOTIATE CHALLENGE CHALLENGE CHALLENGE TO CLIENT + * CHALLENGE RESPONSE RESPONSE RESPONSE TO HELPER + * RESPONSE OK DONE PAGE TO CLIENT + * RESPONSE ERR NONE ERROR TO CLIENT + * NONE NONE NONE OFFER AUTH TYPES + * still thinking about basic state process + * NONE BASIC HEADER NONE + */ - if (checklist->conn==NULL){ - debug (28,1)("aclMatchProxyAuth: no connection data, denying access\n"); - /* - * deny access clientreadrequest requires conn data, we should have it too? - */ - return 0; - } - debug(28,6)("aclMatchAcl:auth state State %d.\n",checklist->conn->auth_state); - debug(28,6)("aclMatchAcl:auth state type %d.\n",checklist->conn->auth_type); - - switch (checklist->conn->auth_state){ - case AUTHENTICATE_STATE_NONE: /* this is a new connection */ - if ((proxy_auth==NULL)||(checklist->conn->auth_type==AUTH_BROKEN)) /* no header, request one */ - { - checklist->conn->auth_type=AUTH_UNKNOWN; - return -2; - } - debug(28,6)("aclMatchProxyAuth: auth state none with header %s.\n",proxy_auth); - switch (aclDecodeProxyAuth(proxy_auth, &type, &user, &password, login_buf, sizeof(login_buf))) { + if (checklist->conn == NULL) { + debug(28, + 1) ("aclMatchProxyAuth: no connection data, denying access\n"); + /* + * deny access clientreadrequest requires conn data, we should have it too? + */ + return 0; + } + debug(28, 6) ("aclMatchAcl:auth state State %d.\n", + checklist->conn->auth_state); + debug(28, 6) ("aclMatchAcl:auth state type %d.\n", + checklist->conn->auth_type); + + switch (checklist->conn->auth_state) { + case AUTHENTICATE_STATE_NONE: /* this is a new connection */ + if ((proxy_auth == NULL) || (checklist->conn->auth_type == AUTH_BROKEN)) { /* no header, request one */ + checklist->conn->auth_type = AUTH_UNKNOWN; + return -2; + } + debug(28, 6) ("aclMatchProxyAuth: auth state none with header %s.\n", + proxy_auth); + switch (aclDecodeProxyAuth(proxy_auth, &type, &user, &password, + login_buf, sizeof(login_buf))) { #ifdef USE_BASIC_AUTH - case AUTH_BASIC: - /* legacy non-stateful basic authentication code - * Keep the state set to NONE. + case AUTH_BASIC: + /* legacy non-stateful basic authentication code + * Keep the state set to NONE because Basic auth is per request. + */ + debug(28, 5) ("aclMatchProxyAuth: auth state type basic.\n", + proxy_auth); + debug(28, 5) ("aclMatchProxyAuth: checking user '%s'\n", user); + if (auth_user) { + /* + * This should be optimized to a boolean argument indicating that the + * password is invalid, instead of passing full acl_proxy_auth_user + * structures, and all messing with checklist->proxy_auth should + * be restricted the functions that deal with the authenticator. + */ + assert(auth_user == checklist->auth_user); + checklist->auth_user = NULL; /* get rid of that special reference */ + /* Check result from external validation */ + if (auth_user->passwd_ok != 1) { + /* password was checked but did not match */ + assert(auth_user->passwd_ok == 0); + debug(28, 4) + ("aclMatchProxyAuth: authentication failed for user '%s'\n", + user); + aclFreeProxyAuthUser(auth_user); + /* + * copy username to request for logging on client-side + * unless ident is known (do not override ident with + * false proxy auth names) */ - debug(28,5)("aclMatchProxyAuth: auth state type basic.\n",proxy_auth); - debug(28, 5) ("aclMatchProxyAuth: checking user '%s'\n", user); - if (auth_user) { - /* - * This should be optimized to a boolean argument indicating that the - * password is invalid, instead of passing full acl_proxy_auth_user - * structures, and all messing with checklist->proxy_auth should - * be restricted the functions that deal with the authenticator. - */ - assert(auth_user == checklist->auth_user); - checklist->auth_user = NULL; /* get rid of that special reference */ - /* Check result from external validation */ - if (auth_user->passwd_ok != 1) { - /* password was checked but did not match */ - assert(auth_user->passwd_ok == 0); - debug(28, 4) ("aclMatchProxyAuth: authentication failed for user '%s'\n", - user); - aclFreeProxyAuthUser(auth_user); - /* - * copy username to request for logging on client-side - * unless ident is known (do not override ident with - * false proxy auth names) - */ - if (!*checklist->request->user_ident) - xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ); - return -2; - } else { - /* password was checked and did match */ - debug(28, 4) ("aclMatchProxyAuth: user '%s' validated OK\n", user); - /* store validated user in hash, after filling in expiretime */ - xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ); - auth_user->expiretime = current_time.tv_sec + Config.authenticateTTL; - auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL; - auth_user->ipaddr = checklist->src_addr; - hash_join(proxy_auth_cache, (hash_link *) auth_user); - /* Continue checking below, as normal */ - } - } - /* see if we already know this user */ - auth_user = hash_lookup(proxy_auth_cache, user); - if (!auth_user) { - /* user not yet known, ask external authenticator */ - debug(28, 4) ("aclMatchProxyAuth: user '%s' not yet known\n", user); - return -1; - } else if ((0 == strcmp(auth_user->passwd, password)) && - (auth_user->expiretime > current_time.tv_sec)) { - if (checklist->src_addr.s_addr == auth_user->ipaddr.s_addr - || auth_user->ip_expiretime <= squid_curtime) { - /* user already known and valid */ - debug(28, 5) ("aclMatchProxyAuth: user '%s' previously validated\n", - user); - /* Update IP ttl */ - auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL; - auth_user->ipaddr = checklist->src_addr; - /* copy username to request for logging on client-side */ - xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ); - switch (acltype) { - case ACL_PROXY_AUTH: - return aclMatchUser(data, user); - break; - case ACL_PROXY_AUTH_REGEX: - return aclMatchRegex(data, user); - default: - fatal("aclMatchProxyAuth: unknown ACL type"); - return 0; /* NOTREACHED */ + if (!*checklist->request->user_ident) + xstrncpy(checklist->request->user_ident, user, + USER_IDENT_SZ); + return -2; + } else { + /* password was checked and did match */ + debug(28, 4) ("aclMatchProxyAuth: user '%s' validated OK\n", + user); + /* store validated user in hash, after filling in expiretime */ + xstrncpy(checklist->request->user_ident, user, + USER_IDENT_SZ); + auth_user->expiretime = + current_time.tv_sec + Config.authenticateTTL; + auth_user->ip_expiretime = + squid_curtime + Config.authenticateIpTTL; + auth_user->ipaddr = checklist->src_addr; + hash_join(proxy_auth_cache, (hash_link *) auth_user); + /* Continue checking below, as normal */ + } } - } else { - if (Config.onoff.authenticateIpTTLStrict) { - /* Access from some other IP address than the one owning - * this user ID. Deny access - */ - debug(28, 1) ("aclMatchProxyAuth: user '%s' tries to use multple IP addresses!\n", user); - return 0; + /* see if we already know this user */ + auth_user = hash_lookup(proxy_auth_cache, user); + if (!auth_user) { + /* user not yet known, ask external authenticator */ + debug(28, 4) ("aclMatchProxyAuth: user '%s' not yet known\n", + user); + return -1; + } else if ((0 == strcmp(auth_user->passwd, password)) && + (auth_user->expiretime > current_time.tv_sec)) { + if (checklist->src_addr.s_addr == auth_user->ipaddr.s_addr + || auth_user->ip_expiretime <= squid_curtime) { + /* user already known and valid */ + debug(28, + 5) + ("aclMatchProxyAuth: user '%s' previously validated\n", + user); + /* Update IP ttl */ + auth_user->ip_expiretime = + squid_curtime + Config.authenticateIpTTL; + auth_user->ipaddr = checklist->src_addr; + /* copy username to request for logging on client-side */ + xstrncpy(checklist->request->user_ident, user, + USER_IDENT_SZ); + switch (acltype) { + case ACL_PROXY_AUTH: + return aclMatchUser(data, user); + break; + case ACL_PROXY_AUTH_REGEX: + return aclMatchRegex(data, user); + default: + fatal("aclMatchProxyAuth: unknown ACL type"); + return 0; /* NOTREACHED */ + } + } else { + if (Config.onoff.authenticateIpTTLStrict) { + /* Access from some other IP address than the one owning + * this user ID. Deny access + */ + debug(28, + 1) + ("aclMatchProxyAuth: user '%s' tries to use multple IP addresses!\n", + user); + return 0; + } else { + /* user has switched to another IP addr */ + debug(28, + 1) + ("aclMatchProxyAuth: user '%s' has changed IP address\n", + user); + /* remove this user from the hash, making him unknown */ + hash_remove_link(proxy_auth_cache, + (hash_link *) auth_user); + aclFreeProxyAuthUser(auth_user); + /* require the user to reauthenticate */ + return -2; + } + } } else { - /* user has switched to another IP addr */ - debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user); + /* password mismatch/timeout */ + debug(28, + 4) + ("aclMatchProxyAuth: user '%s' password mismatch/timeout\n", + user); /* remove this user from the hash, making him unknown */ hash_remove_link(proxy_auth_cache, (hash_link *) auth_user); aclFreeProxyAuthUser(auth_user); - /* require the user to reauthenticate */ - return -2; + /* ask the external authenticator in case the password is changed */ + /* wrong password will be trapped above so this does not loop */ + return -1; } - } - } else { - /* password mismatch/timeout */ - debug(28, 4) ("aclMatchProxyAuth: user '%s' password mismatch/timeout\n", - user); - /* remove this user from the hash, making him unknown */ - hash_remove_link(proxy_auth_cache, (hash_link *) auth_user); - aclFreeProxyAuthUser(auth_user); - /* ask the external authenticator in case the password is changed */ - /* wrong password will be trapped above so this does not loop */ - return -1; - } - /* not reached */ - return 0; - break; + /* not reached */ + return 0; + break; #endif #ifdef USE_NTLM - case AUTH_NTLM: - /* we've recieved a negotiate request. pass to a helper */ - debug(28,5)("aclMatchProxyAuth: auth state type ntlm.\n",proxy_auth); - checklist->conn->auth_state=AUTHENTICATE_STATE_NEGOTIATE; - checklist->conn->auth_type =AUTH_NTLM; - return -3; - break; - case AUTH_UNKNOWN: - debug(28,1)("aclMatchProxyAuth: auth state no type with header %s.\n",proxy_auth); - break; - } - break; - case AUTHENTICATE_STATE_NEGOTIATE: - debug(28,5)("aclMatchProxyAuth: auth state negotiate with header %s.\n",proxy_auth); - debug(28,6)("aclMatchProxyAuth: auth state negotiate with challenge %s.\n",checklist->conn->authchallenge); - checklist->conn->auth_state=AUTHENTICATE_STATE_CHALLENGE; - return -4; - break; - case AUTHENTICATE_STATE_CHALLENGE: - /* we should have recieved a NTLM challenge. pass it to the same helper process*/ - debug(28,5)("aclMatchProxyAuth: auth state challenge with header %s.\n",proxy_auth); - checklist->conn->auth_state=AUTHENTICATE_STATE_RESPONSE; - return -3; - break; - case AUTHENTICATE_STATE_RESPONSE: - debug(28,5)("aclMatchProxyAuth: auth state response with header %s.\n",proxy_auth); - fatal("aclMatchProxyAuth: this state location should never be reached.\n"); - break; - case AUTHENTICATE_STATE_DONE: - debug(28,5)("aclMatchProxyAuth: not checking due to state Done.\n"); - - /* we have a valid username. Do they match the acl? NTLM only at this point */ - /* store the username in the request for logging*/ - xstrncpy(checklist->request->user_ident, checklist->conn->authuser, USER_IDENT_SZ); - - switch (acltype) { - case ACL_PROXY_AUTH: - rv = aclMatchUser(data, checklist->conn->authuser); -// if (!rv) checklist->conn->auth_state = AUTHENTICATE_STATE_NONE; /* not permitted in this ACL */ -// else { - xstrncpy(checklist->conn->ident, checklist->conn->authuser, USER_IDENT_SZ);/*using ident hack.. do we need this? */ -// } /* auth user was "user" before */ - return rv; - break; - case ACL_PROXY_AUTH_REGEX: - rv = aclMatchRegex(data, checklist->conn->authuser); -// if (!rv) checklist->conn->auth_state = AUTHENTICATE_STATE_NONE; /* not permitted in this ACL */ -// else { - xstrncpy(checklist->conn->ident, checklist->conn->authuser, USER_IDENT_SZ);/*using ident hack.. do we need this? */ -// } - return rv; - default: - fatal("aclMatchProxyAuth: unknown ACL type"); - return 0; /* NOTREACHED */ - } -#endif - fatal("aclMatchProxyAuth:End of auth state checking code... should be unreachable\n"); - break; + case AUTH_NTLM: + /* we've recieved a negotiate request. pass to a helper */ + debug(28, 5) ("aclMatchProxyAuth: auth state type ntlm.\n", + proxy_auth); + checklist->conn->auth_state = AUTHENTICATE_STATE_NEGOTIATE; + checklist->conn->auth_type = AUTH_NTLM; + return -3; + break; + case AUTH_UNKNOWN: + debug(28, + 1) ("aclMatchProxyAuth: auth state no type with header %s.\n", + proxy_auth); + break; + } + break; + case AUTHENTICATE_STATE_NEGOTIATE: + debug(28, + 5) ("aclMatchProxyAuth: auth state negotiate with header %s.\n", + proxy_auth); + debug(28, + 6) ("aclMatchProxyAuth: auth state negotiate with challenge %s.\n", + checklist->conn->authchallenge); + checklist->conn->auth_state = AUTHENTICATE_STATE_CHALLENGE; + return -4; + break; + case AUTHENTICATE_STATE_CHALLENGE: + /* we should have recieved a NTLM challenge. pass it to the same helper process */ + debug(28, + 5) ("aclMatchProxyAuth: auth state challenge with header %s.\n", + proxy_auth); + checklist->conn->auth_state = AUTHENTICATE_STATE_RESPONSE; + return -3; + break; + case AUTHENTICATE_STATE_RESPONSE: + debug(28, + 5) ("aclMatchProxyAuth: auth state response with header %s.\n", + proxy_auth); + fatal + ("aclMatchProxyAuth: this state location should never be reached.\n"); + break; + case AUTHENTICATE_STATE_DONE: + debug(28, 5) ("aclMatchProxyAuth: not checking due to state Done.\n"); + + /* we have a valid username. Do they match the acl? NTLM only at this point */ + /* store the username in the request for logging */ + xstrncpy(checklist->request->user_ident, checklist->conn->authuser, + USER_IDENT_SZ); + + switch (acltype) { + case ACL_PROXY_AUTH: + rv = aclMatchUser(data, checklist->conn->authuser); +// if (!rv) checklist->conn->auth_state = AUTHENTICATE_STATE_NONE; /* not permitted in this ACL */ +// else { + xstrncpy(checklist->conn->ident, checklist->conn->authuser, USER_IDENT_SZ); /*using ident hack.. do we need this? */ +// } /* auth user was "user" before */ + return rv; + break; + case ACL_PROXY_AUTH_REGEX: + rv = aclMatchRegex(data, checklist->conn->authuser); +// if (!rv) checklist->conn->auth_state = AUTHENTICATE_STATE_NONE; /* not permitted in this ACL */ +// else { + xstrncpy(checklist->conn->ident, checklist->conn->authuser, USER_IDENT_SZ); /*using ident hack.. do we need this? */ +// } + return rv; + default: + fatal("aclMatchProxyAuth: unknown ACL type"); + return 0; /* NOTREACHED */ + } +#endif + fatal + ("aclMatchProxyAuth:End of auth state checking code... should be unreachable\n"); + break; /* #endif default: fatal("unknown auth type\n"); }*/ - } - fatal("aclMatchProxyAuth:END Of MatchACL routine... should be unreachable\n"); - return 0; + } + fatal + ("aclMatchProxyAuth:END Of MatchACL routine... should be unreachable\n"); + return 0; } #ifdef USE_BASIC_AUTH @@ -1427,17 +1496,18 @@ proxy_auth = httpHeaderGetStr(&checklist->request->header, HDR_AUTHORIZATION); } - if (proxy_auth!=NULL) /* there was a auth_header */ - { - ok = aclDecodeProxyAuth(proxy_auth, &auth_type, &user, &password, login_buf, - sizeof(login_buf)); - /* - * if aclDecodeProxyAuth() fails, the same call should have failed - * in aclMatchProxyAuth, and we should never get this far. - */ - assert(ok); + if (proxy_auth != NULL) { /* there was a auth_header */ + ok = + aclDecodeProxyAuth(proxy_auth, &auth_type, &user, &password, + login_buf, sizeof(login_buf)); + /* + * if aclDecodeProxyAuth() fails, the same call should have failed + * in aclMatchProxyAuth, and we should never get this far. + */ + assert(ok); } - debug(28, 4) ("aclLookupProxyAuthStart: going to ask authenticator on %s\n", user); + debug(28, 4) ("aclLookupProxyAuthStart: going to ask authenticator on %s\n", + user); /* we must still check this user's password */ auth_user = memAllocate(MEM_ACL_PROXY_AUTH_USER); auth_user->user = xstrdup(user); @@ -1446,8 +1516,7 @@ auth_user->expiretime = -1; auth_user->auth_type = auth_type; checklist->auth_user = auth_user; - authenticateStart(checklist->auth_user, aclLookupProxyAuthDone, - checklist); + authenticateStart(checklist->auth_user, aclLookupProxyAuthDone, checklist); } #endif @@ -1462,7 +1531,7 @@ #ifdef NTLM_CACHING NTLMAuthEntry *authentry; #endif - int ok,auth_type; + int ok, auth_type; if (!checklist->request->flags.accelerated) { /* Proxy auth on proxy requests */ @@ -1473,62 +1542,71 @@ proxy_auth = httpHeaderGetStr(&checklist->request->header, HDR_AUTHORIZATION); } - assert (proxy_auth!=NULL); - /* there was no auth_header - * stateful auth helpers (all types) start with a client request - */ + assert(proxy_auth != NULL); + /* there was no auth_header + * stateful auth helpers (all types) start with a client request + */ ok = aclDecodeProxyAuth(proxy_auth, &auth_type, &user, &password, login_buf, sizeof(login_buf)); /* * if aclDecodeProxyAuth() fails, the same call should have failed * in aclMatchProxyAuth, and we should never get this far. */ - assert(ok==AUTH_NTLM); + assert(ok == AUTH_NTLM); /* to add a new stateful auth method. add identifiers in DecodeProxy * add authenticateAUTHMETODStart and aclLookupProxyAUTHMETHODDone functions, and _if needed_ new storage to the connection structure * You should be able to reuse the auth* variable in the connection structure as the state machine _should_ avoid collisions. */ - debug(28, 5) ("aclLookupProxyStatefulAuthStart: going to ask NTLM authenticator on %s\n", proxy_auth); + debug(28, + 5) + ("aclLookupProxyStatefulAuthStart: going to ask NTLM authenticator on %s\n", + proxy_auth); /* stateful authentication has no timeouts/ip storage etc */ - sent_string=xstrdup(proxy_auth); - while(!xisspace(*sent_string)) /*trim NTLM/BASIC/whatever*/ - sent_string++; - while(xisspace(*sent_string)) /*trim leading spaces*/ - sent_string++; - if(checklist->conn->auth_state!=AUTHENTICATE_STATE_NEGOTIATE) - { + sent_string = xstrdup(proxy_auth); + while (!xisspace(*sent_string)) /*trim NTLM/BASIC/whatever */ + sent_string++; + while (xisspace(*sent_string)) /*trim leading spaces */ + sent_string++; + if (checklist->conn->auth_state != AUTHENTICATE_STATE_NEGOTIATE) { /* we are checking on the authenticate string here */ - assert(checklist->conn->authhelper); - xstrncpy(checklist->conn->ntlmauthenticate,sent_string,NTLM_CHALLENGE_SZ); + assert(checklist->conn->authhelper); + xstrncpy(checklist->conn->ntlmauthenticate, sent_string, + NTLM_CHALLENGE_SZ); #ifdef NTLM_CACHING - /* this is where we can 'cheat' and check for a cache hit */ - debug(28,0)("looking for a hash entry with Authenticate %s\n",checklist->conn->ntlmauthenticate ); - if (ntlmauthcache) - { - authentry=hash_lookup(ntlmauthcache,checklist->conn->ntlmauthenticate); - if (authentry){ - /* we found one */ - /* we need to walk the list, but lets prove concept first */ - debug(28,0)("found matching cache entry\n"); - debug(28,0)("Username to be used is %s\n",authentry->authuser); - checklist->conn->auth_state=AUTHENTICATE_STATE_DONE; - xstrncpy(checklist->conn->authuser,authentry->authuser,USER_IDENT_SZ); -assert(checklist); - authenticateNTLMStart("RESET", aclLookupProxyNTLMAuthDone, checklist, checklist->conn->authhelper); - return; /* the rest of this function applies to cache misses */ - } - } + /* this is where we can 'cheat' and check for a cache hit */ + debug(28, 0) ("looking for a hash entry with Authenticate %s\n", + checklist->conn->ntlmauthenticate); + if (ntlmauthcache) { + authentry = + hash_lookup(ntlmauthcache, checklist->conn->ntlmauthenticate); + if (authentry) { + /* we found one */ + /* we need to walk the list, but lets prove concept first */ + debug(28, 0) ("found matching cache entry\n"); + debug(28, 0) ("Username to be used is %s\n", + authentry->authuser); + checklist->conn->auth_state = AUTHENTICATE_STATE_DONE; + xstrncpy(checklist->conn->authuser, authentry->authuser, + USER_IDENT_SZ); + assert(checklist); + authenticateNTLMStart("RESET", aclLookupProxyNTLMAuthDone, + checklist, checklist->conn->authhelper); + return; /* the rest of this function applies to cache misses */ + } + } #endif - debug(28,6)("aclLookupProxyStatefulAuthStart: Asking NTLM authenticator '%d' on FD '%d'\n",checklist->conn->authhelper,checklist->conn->fd); - } -assert(checklist); - authenticateNTLMStart(sent_string, aclLookupProxyNTLMAuthDone, checklist, checklist->conn->authhelper); + debug(28, + 6) + ("aclLookupProxyStatefulAuthStart: Asking NTLM authenticator '%d' on FD '%d'\n", + checklist->conn->authhelper, checklist->conn->fd); + } + assert(checklist); + authenticateNTLMStart(sent_string, aclLookupProxyNTLMAuthDone, checklist, + checklist->conn->authhelper); } #endif /*NTLM*/ - - -static int + static int aclMatchInteger(intlist * data, int i) { intlist *first, *prev; @@ -1666,7 +1744,8 @@ return aclMatchDomainList(&ae->data, "none"); /* NOTREACHED */ case ACL_SRC_DOMAIN: - fqdn = fqdncache_gethostbyaddr(checklist->src_addr, FQDN_LOOKUP_IF_MISS); + fqdn = + fqdncache_gethostbyaddr(checklist->src_addr, FQDN_LOOKUP_IF_MISS); if (fqdn) { return aclMatchDomainList(&ae->data, fqdn); } else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NONE) { @@ -1692,7 +1771,8 @@ return aclMatchRegex(ae->data, "none"); /* NOTREACHED */ case ACL_SRC_DOM_REGEX: - fqdn = fqdncache_gethostbyaddr(checklist->src_addr, FQDN_LOOKUP_IF_MISS); + fqdn = + fqdncache_gethostbyaddr(checklist->src_addr, FQDN_LOOKUP_IF_MISS); if (fqdn) { return aclMatchRegex(ae->data, fqdn); } else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NONE) { @@ -1778,7 +1858,10 @@ header = httpHeaderGetStr(&checklist->request->header, HDR_AUTHORIZATION); #else - debug(28, 1) ("aclMatchAcl: proxy_auth %s not applicable on accelerated requests.\n", ae->name); + debug(28, + 1) + ("aclMatchAcl: proxy_auth %s not applicable on accelerated requests.\n", + ae->name); return -1; #endif } @@ -1789,10 +1872,7 @@ r->flags.used_proxy_auth = 1; /* Check the password */ switch (aclMatchProxyAuth(ae->data, - header, - checklist->auth_user, - checklist, - ae->type)) { + header, checklist->auth_user, checklist, ae->type)) { case 0: /* Correct password, but was not allowed in this ACL */ return 0; @@ -1802,7 +1882,7 @@ case -2: /* no such user OR we need a proxy authentication header */ checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; - debug(28,6)("aclmatchAcl:we need a proxyauth header\n"); + debug(28, 6) ("aclmatchAcl:we need a proxyauth header\n"); /* * XXX This is a bit oddly done.. should perhaps use different * return codes here @@ -1818,15 +1898,15 @@ /* * we need a external program to generate data for the client */ - checklist->state[ACL_PROXY_AUTH] = ACL_HELPER_START; - return 0; - case -4: - /* - * we have the response, send to the client - */ - checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; - debug(28,6)("aclmatchAcl:we need a second proxyauth header\n"); - return 0; + checklist->state[ACL_PROXY_AUTH] = ACL_HELPER_START; + return 0; + case -4: + /* + * we have the response, send to the client + */ + checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; + debug(28, 6) ("aclmatchAcl:we need a second proxyauth header\n"); + return 0; } /* NOTREACHED */ #if SQUID_SNMP @@ -1876,7 +1956,7 @@ { while (list) { AclMatchedName = list->acl->name; - debug(28, 3) ("aclMatchAclList: checking %s%s\n", + debug(28, 3) ("aclMatchAclList: checking %s%s\n", list->op ? null_string : "!", list->acl->name); if (aclMatchAcl(list->acl, checklist) != list->op) { debug(28, 3) ("aclMatchAclList: returning 0\n"); @@ -1926,20 +2006,17 @@ if (checklist->state[ACL_DST_IP] == ACL_LOOKUP_NEEDED) { checklist->state[ACL_DST_IP] = ACL_LOOKUP_PENDING; ipcache_nbgethostbyname(checklist->request->host, - aclLookupDstIPDone, - checklist); + aclLookupDstIPDone, checklist); return; } else if (checklist->state[ACL_DST_ASN] == ACL_LOOKUP_NEEDED) { checklist->state[ACL_DST_ASN] = ACL_LOOKUP_PENDING; ipcache_nbgethostbyname(checklist->request->host, - aclLookupDstIPforASNDone, - checklist); + aclLookupDstIPforASNDone, checklist); return; } else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NEEDED) { checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_PENDING; fqdncache_nbgethostbyaddr(checklist->src_addr, - aclLookupSrcFQDNDone, - checklist); + aclLookupSrcFQDNDone, checklist); return; } else if (checklist->state[ACL_DST_DOMAIN] == ACL_LOOKUP_NEEDED) { ia = ipcacheCheckNumeric(checklist->request->host); @@ -1950,30 +2027,32 @@ checklist->dst_addr = ia->in_addrs[0]; checklist->state[ACL_DST_DOMAIN] = ACL_LOOKUP_PENDING; fqdncache_nbgethostbyaddr(checklist->dst_addr, - aclLookupDstFQDNDone, - checklist); + aclLookupDstFQDNDone, checklist); return; - } + } #ifdef USE_BASIC_AUTH else if (checklist->state[ACL_PROXY_AUTH] == ACL_LOOKUP_NEEDED) { - debug(28, 3) ("aclCheck: checking password via basic authenticator\n"); + debug(28, + 3) ("aclCheck: checking password via basic authenticator\n"); aclLookupProxyAuthStart(checklist); checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_PENDING; return; } -#endif +#endif else if (checklist->state[ACL_PROXY_AUTH] == ACL_PROXY_AUTH_NEEDED) { /* Special case. Client is required to resend the request * with authentication. The request is denied. */ - debug(28,6)("aclCheck: requiring Proxy Auth header.\n"); + debug(28, 6) ("aclCheck: requiring Proxy Auth header.\n"); allow = ACCESS_REQ_PROXY_AUTH; match = -1; - } + } #ifdef USE_NTLM - else if (checklist->state[ACL_PROXY_AUTH] == ACL_HELPER_START) { + else if (checklist->state[ACL_PROXY_AUTH] == ACL_HELPER_START) { /* we are using an external helper to do __everything__ in a STATEFUL fashion */ - debug(28,3) ("aclCheck: handing Proxy Auth header to stateful authenticator\n"); + debug(28, + 3) + ("aclCheck: handing Proxy Auth header to stateful authenticator\n"); aclLookupProxyStatefulAuthStart(checklist); checklist->state[ACL_PROXY_AUTH] = ACL_HELPER_PENDING; return; @@ -1988,7 +2067,9 @@ checklist->state[ACL_IDENT] = ACL_LOOKUP_PENDING; return; } else { - debug(28, 1) ("aclCheck: Can't start ident lookup. No client connection\n"); + debug(28, + 1) + ("aclCheck: Can't start ident lookup. No client connection\n"); cbdataUnlock(checklist->conn); checklist->conn = NULL; allow = 0; @@ -2052,7 +2133,8 @@ aclCheck_t *checklist = data; if (ident) { xstrncpy(checklist->ident, ident, sizeof(checklist->ident)); - xstrncpy(checklist->request->user_ident, ident, sizeof(checklist->request->user_ident)); + xstrncpy(checklist->request->user_ident, ident, + sizeof(checklist->request->user_ident)); } else { xstrncpy(checklist->ident, "-", sizeof(checklist->ident)); } @@ -2061,7 +2143,8 @@ * over and over on persistent connections */ if (cbdataValid(checklist->conn) && !checklist->conn->ident[0]) - xstrncpy(checklist->conn->ident, checklist->ident, sizeof(checklist->conn->ident)); + xstrncpy(checklist->conn->ident, checklist->ident, + sizeof(checklist->conn->ident)); aclCheck(checklist); } #endif @@ -2115,7 +2198,7 @@ #endif #ifdef USE_NTLM static void -aclLookupProxyNTLMAuthDone(void *data, void * lastserver, char *result) +aclLookupProxyNTLMAuthDone(void *data, void *lastserver, char *result) { aclCheck_t *checklist = data; #ifdef NTLM_CACHING @@ -2124,57 +2207,71 @@ checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_DONE; debug(28, 4) ("aclLookupProxyStatefulAuthDone: result = %s\n", result ? result : "NULL"); -/* check format */ +/* check format */ /* state info check */ - assert(checklist->conn!=NULL); + assert(checklist->conn != NULL); #ifdef NTLM_CACHING - assert((checklist->conn->auth_state==AUTHENTICATE_STATE_NEGOTIATE)||(checklist->conn->auth_state==AUTHENTICATE_STATE_RESPONSE)||(checklist->conn->auth_state==AUTHENTICATE_STATE_DONE)); + assert((checklist->conn->auth_state == AUTHENTICATE_STATE_NEGOTIATE) + || (checklist->conn->auth_state == AUTHENTICATE_STATE_RESPONSE) + || (checklist->conn->auth_state == AUTHENTICATE_STATE_DONE)); #else - assert((checklist->conn->auth_state==AUTHENTICATE_STATE_NEGOTIATE)||(checklist->conn->auth_state==AUTHENTICATE_STATE_RESPONSE)); + assert((checklist->conn->auth_state == AUTHENTICATE_STATE_NEGOTIATE) + || (checklist->conn->auth_state == AUTHENTICATE_STATE_RESPONSE)); #endif - assert(checklist->conn->auth_type ==AUTH_NTLM); - switch(checklist->conn->auth_state){ + assert(checklist->conn->auth_type == AUTH_NTLM); + switch (checklist->conn->auth_state) { case AUTHENTICATE_STATE_NONE: case AUTHENTICATE_STATE_CHALLENGE: - fatal("aclLookupProxyNTLMAuthDone: unexpected NTLM authentication state\n"); - break; + fatal + ("aclLookupProxyNTLMAuthDone: unexpected NTLM authentication state\n"); + break; case AUTHENTICATE_STATE_DONE: - if (result && (strncasecmp(result, "RESET OK", 3) == 0)){ + if (result && (strncasecmp(result, "RESET OK", 3) == 0)) { - debug(28,0)("aclLookupProxyNTLMAuthDone: returned RESET OK from helper in state done - assuming this was a cache hit.\n"); - } - checklist->conn->authhelper= NULL; - break; + debug(28, + 0) + ("aclLookupProxyNTLMAuthDone: returned RESET OK from helper in state done - assuming this was a cache hit.\n"); + } + checklist->conn->authhelper = NULL; + break; case AUTHENTICATE_STATE_NEGOTIATE: - xstrncpy(checklist->conn->authchallenge,result,NTLM_CHALLENGE_SZ); + xstrncpy(checklist->conn->authchallenge, result, NTLM_CHALLENGE_SZ); assert(!checklist->conn->authhelper); - checklist->conn->authhelper=lastserver; /*save the handler*/ - if(result &&(strncasecmp(result, "ERR", 3)==0)){ - /* - * The helper rejected the negotiate. It automatically resets - */ - /* ERRS get trapped by authenicate. so we don't need to free the helper for other requests */ - checklist->conn->auth_type = AUTH_BROKEN; - checklist->conn->auth_state= AUTHENTICATE_STATE_NONE; - checklist->conn->authhelper= NULL; - debug(28,1)("aclLookupProxyNTLMAuthDone: bad NTLM negotiate request recieved on FD:%d.\n",checklist->conn->fd); - } - break; - case AUTHENTICATE_STATE_RESPONSE: - if (result && (strncasecmp(result, "OK ", 3) == 0)){ - checklist->conn->auth_state=AUTHENTICATE_STATE_DONE; /* they are a valid domain user */ - result+=3; - xstrncpy(checklist->conn->authuser,result,MAX_LOGIN_SZ); + checklist->conn->authhelper = lastserver; /*save the handler */ + if (result && (strncasecmp(result, "ERR", 3) == 0)) { + /* + * The helper rejected the negotiate. It automatically resets + */ + /* ERRS get trapped by authenicate. so we don't need to free the helper for other requests */ + checklist->conn->auth_type = AUTH_BROKEN; + checklist->conn->auth_state = AUTHENTICATE_STATE_NONE; + checklist->conn->authhelper = NULL; + debug(28, + 1) + ("aclLookupProxyNTLMAuthDone: bad NTLM negotiate request recieved on FD:%d.\n", + checklist->conn->fd); + } + break; + case AUTHENTICATE_STATE_RESPONSE: + if (result && (strncasecmp(result, "OK ", 3) == 0)) { + checklist->conn->auth_state = AUTHENTICATE_STATE_DONE; /* they are a valid domain user */ + result += 3; + xstrncpy(checklist->conn->authuser, result, MAX_LOGIN_SZ); #ifdef NTLM_CACHING - /* add to the hash table. we only reach here if we had to do an auth so we know they are not in the hash table. */ -// debug(28,1)("adding ch %s\nauth %s\nauthuser %s\n", checklist->conn->authchallenge,checklist->conn->ntlmauthenticate,checklist->conn->authuser); - authentry=memAllocate(MEM_NTLM_AUTH_CACHE); - authentry->challenge=xstrndup(checklist->conn->authchallenge,NTLM_CHALLENGE_SZ); - authentry->authenticate=xstrndup(checklist->conn->ntlmauthenticate,NTLM_CHALLENGE_SZ); - xstrncpy(authentry->authuser,checklist->conn->authuser,USER_IDENT_SZ); - authentry->atime=time(NULL); - debug(28,0)("adding ch %s\nauth %s\nauthuser %s\n",authentry->challenge,authentry->authenticate,authentry->authuser); - hash_join(ntlmauthcache,(hash_link *) authentry); + /* add to the hash table. we only reach here if we had to do an auth so we know they are not in the hash table. */ +// debug(28,1)("adding ch %s\nauth %s\nauthuser %s\n", checklist->conn->authchallenge,checklist->conn->ntlmauthenticate,checklist->conn->authuser); + authentry = memAllocate(MEM_NTLM_AUTH_CACHE); + authentry->challenge = + xstrndup(checklist->conn->authchallenge, NTLM_CHALLENGE_SZ); + authentry->authenticate = + xstrndup(checklist->conn->ntlmauthenticate, NTLM_CHALLENGE_SZ); + xstrncpy(authentry->authuser, checklist->conn->authuser, + USER_IDENT_SZ); + authentry->atime = time(NULL); + debug(28, 0) ("adding ch %s\nauth %s\nauthuser %s\n", + authentry->challenge, authentry->authenticate, + authentry->authuser); + hash_join(ntlmauthcache, (hash_link *) authentry); /* debug(28, 4) ("aclMatchProxyAuth: user '%s' validated OK\n", user); @@ -2184,27 +2281,26 @@ auth_user->ipaddr = checklist->src_addr; hash_join(proxy_auth_cache, (hash_link *) auth_user); */ - + #endif - } - else - { - checklist->conn->auth_state=AUTHENTICATE_STATE_NONE; /* something botched.. restart */ - checklist->conn->auth_type = AUTH_BROKEN; - debug(28,6)("aclLookupProxyNTLMAuthDone: failed NTLM authentication on FD:%d error '%s'\n",checklist->conn->fd,result); - } - assert(checklist->conn->authhelper); - checklist->conn->authhelper=0; /*clear the handler*/ - break; - } + } else { + checklist->conn->auth_state = AUTHENTICATE_STATE_NONE; /* something botched.. restart */ + checklist->conn->auth_type = AUTH_BROKEN; + debug(28, + 6) + ("aclLookupProxyNTLMAuthDone: failed NTLM authentication on FD:%d error '%s'\n", + checklist->conn->fd, result); + } + assert(checklist->conn->authhelper); + checklist->conn->authhelper = 0; /*clear the handler */ + break; + } aclCheck(checklist); } #endif aclCheck_t * -aclChecklistCreate(const acl_access * A, - request_t * request, - const char *ident) +aclChecklistCreate(const acl_access * A, request_t * request, const char *ident) { int i; aclCheck_t *checklist = memAllocate(MEM_ACLCHECK_T); @@ -2433,8 +2529,14 @@ } if (ret == 0) { debug(28, 0) ("WARNING: '%s' is a subdomain of '%s'\n", d1, d2); - debug(28, 0) ("WARNING: because of this '%s' is ignored to keep splay tree searching predictable\n", a); - debug(28, 0) ("WARNING: You should probably remove '%s' from the ACL named '%s'\n", d1, AclMatchedName); + debug(28, + 0) + ("WARNING: because of this '%s' is ignored to keep splay tree searching predictable\n", + a); + debug(28, + 0) + ("WARNING: You should probably remove '%s' from the ACL named '%s'\n", + d1, AclMatchedName); } return ret; } @@ -2542,10 +2644,7 @@ t->weekbits & ACL_THURSDAY ? 'H' : '-', t->weekbits & ACL_FRIDAY ? 'F' : '-', t->weekbits & ACL_SATURDAY ? 'A' : '-', - t->start / 60, - t->start % 60, - t->stop / 60, - t->stop % 60); + t->start / 60, t->start % 60, t->stop / 60, t->stop % 60); wordlistAdd(&W, buf); t = t->next; } @@ -2783,7 +2882,10 @@ if (!decode_eth(eth, q->eth)) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseArpData: Ignoring invalid ARP acl entry: can't parse '%s'\n", eth); + debug(28, + 0) + ("aclParseArpData: Ignoring invalid ARP acl entry: can't parse '%s'\n", + eth); safe_free(q); return NULL; } @@ -2912,8 +3014,7 @@ arpReq.arp_ha.sa_data[2] & 0xff, arpReq.arp_ha.sa_data[3] & 0xff, arpReq.arp_ha.sa_data[4] & 0xff, - arpReq.arp_ha.sa_data[5] & 0xff, - ifr->ifr_name); + arpReq.arp_ha.sa_data[5] & 0xff, ifr->ifr_name); /* Do lookup */ *Top = splay_splay(&arpReq.arp_ha.sa_data, *Top, aclArpCompare); /* Return if match, otherwise continue to other interfaces */ @@ -2953,8 +3054,7 @@ arpReq.arp_ha.sa_data[1] == 0 && arpReq.arp_ha.sa_data[2] == 0 && arpReq.arp_ha.sa_data[3] == 0 && - arpReq.arp_ha.sa_data[4] == 0 && - arpReq.arp_ha.sa_data[5] == 0) + arpReq.arp_ha.sa_data[4] == 0 && arpReq.arp_ha.sa_data[5] == 0) return 0; debug(28, 4) ("Got address %02x:%02x:%02x:%02x:%02x:%02x\n", arpReq.arp_ha.sa_data[0] & 0xff, arpReq.arp_ha.sa_data[1] & 0xff,