--------------------- PatchSet 8039 Date: 2006/05/27 10:21:40 Author: serassio Branch: nt Tag: (none) Log: Cleaned old Windows native helpers Members: helpers/basic_auth/win32_locallogon/.cvsignore:1.1.36.1->1.1.36.2(DEAD) helpers/basic_auth/win32_locallogon/Makefile.am:1.1.36.1->1.1.36.2(DEAD) helpers/basic_auth/win32_locallogon/NT_auth.c:1.1.36.2->1.1.36.3(DEAD) helpers/basic_auth/win32_locallogon/README.txt:1.1.36.1->1.1.36.2(DEAD) helpers/basic_auth/win32_locallogon/valid.c:1.1.36.2->1.1.36.3(DEAD) helpers/basic_auth/win32_locallogon/valid.h:1.1.36.1->1.1.36.2(DEAD) helpers/basic_auth/winbind/.cvsignore:1.1->1.1.66.1(DEAD) helpers/external_acl/win32_group/.cvsignore:1.1.36.1->1.1.36.2(DEAD) helpers/external_acl/win32_group/Makefile.am:1.1.36.1->1.1.36.2(DEAD) helpers/external_acl/win32_group/readme.txt:1.1.36.1->1.1.36.2(DEAD) helpers/external_acl/win32_group/win32_check_group.c:1.1.36.1->1.1.36.2(DEAD) helpers/external_acl/win32_group/win32_check_group.h:1.1.36.1->1.1.36.2(DEAD) helpers/external_acl/winbind_group/.cvsignore:1.1->1.1.66.1(DEAD) helpers/negotiate_auth/Win32/.cvsignore:1.1.10.1->1.1.10.2(DEAD) helpers/negotiate_auth/Win32/Makefile.am:1.1.10.1->1.1.10.2(DEAD) helpers/negotiate_auth/Win32/libnegotiatessp.c:1.1.10.1->1.1.10.2(DEAD) helpers/negotiate_auth/Win32/negotiate.h:1.1.10.1->1.1.10.2(DEAD) helpers/negotiate_auth/Win32/negotiate_auth.c:1.1.10.1->1.1.10.2(DEAD) helpers/negotiate_auth/Win32/readme.txt:1.1.10.1->1.1.10.2(DEAD) helpers/ntlm_auth/NTLMSSP-WIN32/.cvsignore:1.1.36.1->1.1.36.2(DEAD) helpers/ntlm_auth/NTLMSSP-WIN32/Makefile.am:1.1.36.1->1.1.36.2(DEAD) helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c:1.1.36.1->1.1.36.2(DEAD) helpers/ntlm_auth/NTLMSSP-WIN32/ntlm.h:1.1.36.1->1.1.36.2(DEAD) helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c:1.1.36.1->1.1.36.2(DEAD) helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt:1.1.36.1->1.1.36.2(DEAD) helpers/ntlm_auth/winbind/.cvsignore:1.1->1.1.66.1(DEAD) helpers/ntlm_auth/winbind/patches/.cvsignore:1.1->1.1.66.1(DEAD) 
--- squid/helpers/basic_auth/win32_locallogon/.cvsignore Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,2 +0,0 @@
-.cvsignore
-Makefile.in
--- squid/helpers/basic_auth/win32_locallogon/Makefile.am Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,23 +0,0 @@
-#
-# Makefile for the Squid Object Cache server
-#
-# $Id: Makefile.am,v 1.1.36.1 2006/05/16 21:05:57 serassio Exp $
-#
-# Uncomment and customize the following to suit your needs:
-#
-
-
-libexec_PROGRAMS = win32_auth
-
-win32_auth_SOURCES = NT_auth.c valid.c valid.h
-
-LDADD = -L$(top_builddir)/lib -lnetapi32 -ladvapi32 -lsspwin32 \
- -lmiscutil $(XTRA_LIBS)
-
-if ENABLE_MINGW32SPECIFIC
-INCLUDES = -I$(top_srcdir)/port/win32/include -I$(top_srcdir)/include -I$(top_srcdir)/src
-else
-INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/src
-endif
-
-EXTRA_DIST = README.txt
--- squid/helpers/basic_auth/win32_locallogon/NT_auth.c Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,188 +0,0 @@ -/* - NT_auth - Version 2.0 - - Returns OK for a successful authentication, or ERR upon error. - - Guido Serassio, Torino - Italy - - Uses code from - - Antonino Iannella 2000 - Andrew Tridgell 1997 - Richard Sharpe 1996 - Bill Welliver 1999 - - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. -*/ - -#include "config.h" -#include -#include -#include "util.h" - -/* Check if we try to compile on a Windows Platform */ -#ifdef _SQUID_WIN32_ - -#include "valid.h" - -static char NTGroup[256]; -char * NTAllowedGroup; -char * NTDisAllowedGroup; -int UseDisallowedGroup = 0; -int UseAllowedGroup = 0; -int debug_enabled = 0; - -/* - * options: - * -A can specify a Windows Local Group name allowed to authenticate. - * -D can specify a Windows Local Group name not allowed to authenticate. - * -O can specify the default Domain against to authenticate. 
- */ -char *my_program_name = NULL; - -void -usage() -{ - fprintf(stderr, - "%s usage:\n%s [-A|D UserGroup][-O DefaultDomain][-d]\n" - "-A can specify a Windows Local Group name allowed to authenticate\n" - "-D can specify a Windows Local Group name not allowed to authenticate\n" - "-O can specify the default Domain against to authenticate\n" - "-d enable debugging.\n" - "-h this message\n\n", - my_program_name, my_program_name); -} - -void -process_options(int argc, char *argv[]) -{ - int opt, had_error = 0; - while (-1 != (opt = getopt(argc, argv, "dhA:D:O:"))) { - switch (opt) { - case 'A': - safe_free(NTAllowedGroup); - NTAllowedGroup=xstrdup(optarg); - UseAllowedGroup = 1; - break; - case 'D': - safe_free(NTDisAllowedGroup); - NTDisAllowedGroup=xstrdup(optarg); - UseDisallowedGroup = 1; - break; - case 'O': - strncpy(Default_NTDomain, optarg, DNLEN); - break; - case 'd': - debug_enabled = 1; - break; - case 'h': - usage(argv[0]); - exit(0); - case '?': - opt = optopt; - /* fall thru to default */ - default: - fprintf(stderr, "Unknown option: -%c. Exiting\n", opt); - had_error = 1; - } - } - if (had_error) { - usage(); - exit(1); - } -} - -/* Main program for simple authentication. - Scans and checks for Squid input, and attempts to validate the user. -*/ - -int -main(int argc, char **argv) - -{ - char wstr[256]; - char username[256]; - char password[256]; - char *p; - int err = 0; - - my_program_name = argv[0]; - process_options(argc, argv); - - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); - - if (LoadSecurityDll(SSP_BASIC, NTLM_PACKAGE_NAME) == NULL) { - fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); - exit(1); - } - debug("SSPI initialized OK\n"); - - atexit(UnloadSecurityDll); - - /* initialize FDescs */ - setbuf(stdout, NULL); - setbuf(stderr, NULL); - - while (1) { - /* Read whole line from standard input. Terminate on break. 
*/ - if (fgets(wstr, 255, stdin) == NULL) - break; - - if (NULL == strchr(wstr, '\n')) { - err = 1; - continue; - } - if (err) { - fprintf(stderr, "Oversized message\n"); - puts("ERR"); - goto error; - } - - if ((p = strchr(wstr, '\n')) != NULL) - *p = '\0'; /* strip \n */ - if ((p = strchr(wstr, '\r')) != NULL) - *p = '\0'; /* strip \r */ - /* Clear any current settings */ - username[0] = '\0'; - password[0] = '\0'; - sscanf(wstr, "%s %s", username, password); /* Extract parameters */ - - debug("Got %s from Squid\n", wstr); - - /* Check for invalid or blank entries */ - if ((username[0] == '\0') || (password[0] == '\0')) { - fprintf(stderr, "Invalid Request\n"); - puts("ERR"); - fflush(stdout); - continue; - } - rfc1738_unescape(username); - rfc1738_unescape(password); - - debug("Trying to validate; %s %s\n", username, password); - - if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR) - puts("OK"); - else - printf("ERR %s\n", errormsg); -error: - err = 0; - fflush(stdout); - } - return 0; -} - -#else /* NON Windows Platform !!! */ - -#error NON WINDOWS PLATFORM - -#endif --- squid/helpers/basic_auth/win32_locallogon/README.txt Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 
@@ -1,101 +0,0 @@ -This is a simple authentication module for the Squid proxy server running on Windows NT -to authenticate users on an NT domain in native WIN32 mode. - -Usage is simple. It accepts a username and password on standard input -and will return OK if the username/password is valid for the domain/machine, -or ERR if there was some problem. -It's possible to authenticate against NT trusted domains specifyng the username -in the domain\\username Microsoft notation. - - -============== -Program Syntax -============== - -win32_auth [-A UserGroup][-D UserGroup][-O DefaultDomain][-d] - --A can specify a Windows Local Group name allowed to authenticate. --D can specify a Windows Local Group name not allowed to authenticate. --O can specify the default Domain against to authenticate. --d enable debugging. - -This is released under the GNU General Public License. - - -============== -Allowing Users -============== - -Users that are allowed to access the web proxy must have the Windows NT -User Rights "logon from the network" and must be included in the NT LOCAL User Groups -specified in the Authenticator's command line. -This can be accomplished creating a local user group on the NT machine, grant the privilege, -and adding users to it. - -Refer to Squid documentation for the required changes to squid.conf. - - -============ -Installation -============ - -Type 'make', then 'make install', then 'make clean'. - -On Cygwin the default is to install 'win32_auth' into /usr/local/squid/libexec, -with other Windows environments into c:/squid/libexec. - -Refer to Squid documentation for the required changes to squid.conf. 
-You will need to set the following line to enable the authenticator: - -auth_param basic program /usr/local/squid/libexec/win32_auth [options] - -or - -auth_param basic program c:/squid/libexec/win32_auth [options] - -You will need to set the following lines to enable authentication for -your access list - - - acl proxy_auth REQUIRED - http_access allow - -You will need to specify the absolute path to win32_auth in the -'auth_param basic program' directive, and check the 'auth_param basic children' -and 'auth_param basic credentialsttl'. - - -================== -Compilation issues -================== - -The Makefile assumes that GCC is in the current PATH. -win32_auth compile ONLY on Cygwin Environment, MinGW + MSYS Environment -or MS VC++. - - -======= -Testing -======= - -I strongly urge that win32_auth is tested prior to being used in a -production environment. It may behave differently on different platforms. -To test it, run it from the command line. Enter username and password -pairs separated by a space. Press ENTER to get an OK or ERR message. -Make sure pressing behaves the same as a carriage return. -Make sure pressing aborts the program. - -Test that entering no details does not result in an OK or ERR message. -Test that entering an invalid username and password results in an ERR message. -Note that if NT guest user access is allowed on the PDC, an OK message -may be returned instead of ERR. -Test that entering an valid username and password results in an OK message. -Test that entering a guest username and password returns the correct -response for the site's access policy. - - -=============== -Contact details -=============== - -To contact the maintainer of this package, e-mail on squidnt@acmeconsulting.it. - --- squid/helpers/basic_auth/win32_locallogon/valid.c Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 
@@ -1,181 +0,0 @@ -/* - NT_auth - Version 2.0 - - Modified to act as a Squid authenticator module. - Removed all Pike stuff. - Returns OK for a successful authentication, or ERR upon error. - - Guido Serassio, Torino - Italy - - Uses code from - - Antonino Iannella 2000 - Andrew Tridgell 1997 - Richard Sharpe 1996 - Bill Welliver 1999 - - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. -*/ - -#include "util.h" - -/* Check if we try to compile on a Windows Platform */ -#ifdef _SQUID_WIN32_ - -#if defined(_SQUID_CYGWIN_) -#include -#endif -#include "valid.h" - -char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN; -const char * errormsg; - -const char NTV_SERVER_ERROR_MSG[] = "Internal server errror"; -const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache"; -const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password"; -const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/"; - -/* returns 1 on success, 0 on failure */ -int -Valid_Group(char *UserName, char *Group) -{ - int result = FALSE; - WCHAR wszUserName[256]; // Unicode user name - WCHAR wszGroup[256]; // Unicode Group - - LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; - LPLOCALGROUP_USERS_INFO_0 pTmpBuf; - DWORD dwLevel = 0; - DWORD dwFlags = LG_INCLUDE_INDIRECT; - DWORD dwPrefMaxLen = -1; - DWORD dwEntriesRead = 0; - DWORD dwTotalEntries = 0; - NET_API_STATUS nStatus; - DWORD i; - DWORD dwTotalCount = 0; - -/* Convert ANSI User Name and Group to Unicode */ - - 
MultiByteToWideChar(CP_ACP, 0, UserName, - strlen(UserName) + 1, wszUserName, - sizeof(wszUserName) / sizeof(wszUserName[0])); - MultiByteToWideChar(CP_ACP, 0, Group, - strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); - - /* - * Call the NetUserGetLocalGroups function - * specifying information level 0. - * - * The LG_INCLUDE_INDIRECT flag specifies that the - * function should also return the names of the local - * groups in which the user is indirectly a member. - */ - nStatus = NetUserGetLocalGroups(NULL, - wszUserName, - dwLevel, - dwFlags, - (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries); - /* - * If the call succeeds, - */ - if (nStatus == NERR_Success) { - if ((pTmpBuf = pBuf) != NULL) { - for (i = 0; i < dwEntriesRead; i++) { - if (pTmpBuf == NULL) { - result = FALSE; - break; - } - if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { - result = TRUE; - break; - } - pTmpBuf++; - dwTotalCount++; - } - } - } else - result = FALSE; -/* - * Free the allocated memory. - */ - if (pBuf != NULL) - NetApiBufferFree(pBuf); - return result; -} - -/* Valid_User return codes - - 0 - User authenticated successfully. - 1 - Server error. - 2 - Group membership error. - 3 - Logon error; Incorrect password or username given. -*/ - -int -Valid_User(char *UserName, char *Password, char *Group) -{ - int result = NTV_SERVER_ERROR; - size_t i; - char NTDomain[256]; - char *domain_qualify; - char DomainUser[256]; - char User[256]; - - errormsg = NTV_SERVER_ERROR_MSG; - strncpy(NTDomain, UserName, sizeof(NTDomain)); - - for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); i++) { - if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL) - break; - } - if (domain_qualify == NULL) { - strcpy(User, NTDomain); - strcpy(NTDomain, Default_NTDomain); - } else { - strcpy(User, domain_qualify + 1); - domain_qualify[0] = '\0'; - } - /* Log the client on to the local computer. 
*/ - if (!SSP_LogonUser(User, Password, NTDomain)) { - result = NTV_LOGON_ERROR; - errormsg = NTV_LOGON_ERROR_MSG; - debug("%s\n", errormsg); - } else { - result = NTV_NO_ERROR; - if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0) - strcpy(DomainUser, User); - else { - strcpy(DomainUser, NTDomain); - strcat(DomainUser, "\\"); - strcat(DomainUser, User); - } - if (UseAllowedGroup) { - if (!Valid_Group(DomainUser, NTAllowedGroup)) { - result = NTV_GROUP_ERROR; - errormsg = NTV_GROUP_ERROR_MSG; - debug("%s\n", errormsg); - } - } - if (UseDisallowedGroup) { - if (Valid_Group(DomainUser, NTDisAllowedGroup)) { - result = NTV_GROUP_ERROR; - errormsg = NTV_GROUP_ERROR_MSG; - debug("%s\n", errormsg); - } - } - } - return result; -} -#else /* NON Windows Platform !!! */ - -#error NON WINDOWS PLATFORM - -#endif --- squid/helpers/basic_auth/win32_locallogon/valid.h Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 
@@ -1,107 +0,0 @@ -/* - NT_auth - Version 2.0 - - Modified to act as a Squid authenticator module. - Returns OK for a successful authentication, or ERR upon error. - - Guido Serassio, Torino - Italy - - Uses code from - - Antonino Iannella 2000 - Andrew Tridgell 1997 - Richard Sharpe 1996 - Bill Welliver 1999 - - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. -*/ - -#ifndef _VALID_H_ -#define _VALID_H_ - -#ifdef _SQUID_CYGWIN_ -#include -#endif -#include -#include "sspwin32.h" -#undef debug - -/************* CONFIGURATION ***************/ -/* - * define this if you want debugging - */ -#ifndef DEBUG -#define DEBUG -#endif - -#define safe_free(x) if (x) { free(x); x = NULL; } - -/* SMB User verification function */ - -#define NTV_NO_ERROR 0 -#define NTV_SERVER_ERROR 1 -#define NTV_GROUP_ERROR 2 -#define NTV_LOGON_ERROR 3 - -#ifndef LOGON32_LOGON_NETWORK -#define LOGON32_LOGON_NETWORK 3 -#endif - -#define NTV_DEFAULT_DOMAIN "." - -extern char * NTAllowedGroup; -extern char * NTDisAllowedGroup; -extern int UseDisallowedGroup; -extern int UseAllowedGroup; -extern int debug_enabled; -extern char Default_NTDomain[DNLEN+1]; -extern const char * errormsg; - -#include - -/* Debugging stuff */ - -#ifdef __GNUC__ /* this is really a gcc-ism */ -#ifdef DEBUG -#include -#include -static char *__foo; -#define debug(X...) 
if (debug_enabled) { \ - fprintf(stderr,"nt_auth[%d](%s:%d): ", getpid(), \ - ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\ - __LINE__);\ - fprintf(stderr,X); } -#else /* DEBUG */ -#define debug(X...) /* */ -#endif /* DEBUG */ -#else /* __GNUC__ */ -static void -debug(char *format,...) -{ -#ifdef DEBUG -#ifdef _SQUID_MSWIN_ - if (debug_enabled) { - va_list args; - - va_start(args,format); - fprintf(stderr, "nt_auth[%d]: ",getpid()); - vfprintf(stderr, format, args); - va_end(args); - } -#endif /* _SQUID_MSWIN_ */ -#endif /* DEBUG */ -} -#endif /* __GNUC__ */ - -int Valid_User(char *,char *, char *); - -#endif --- squid/helpers/basic_auth/winbind/.cvsignore Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 @@ -1,2 +0,0 @@ -.cvsignore -Makefile.in --- squid/helpers/external_acl/win32_group/.cvsignore Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 @@ -1,2 +0,0 @@ -.cvsignore -Makefile.in --- squid/helpers/external_acl/win32_group/Makefile.am Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 @@ -1,23 +0,0 @@ -# -# Makefile for the Squid Object Cache server -# -# $Id: Makefile.am,v 1.1.36.1 2006/05/16 21:05:57 serassio Exp $ -# -# Uncomment and customize the following to suit your needs: -# - - -libexec_PROGRAMS = win32_check_group - -win32_check_group_SOURCES = win32_check_group.c win32_check_group.h - -if ENABLE_MINGW32SPECIFIC -INCLUDES = -I$(top_srcdir)/port/win32/include -I$(top_srcdir)/include -I$(top_srcdir)/src -else -INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/src -endif - -LDADD = -L$(top_builddir)/lib -lmiscutil -lnetapi32 -ladvapi32 \ - -lntdll $(XTRA_LIBS) - -EXTRA_DIST = readme.txt --- squid/helpers/external_acl/win32_group/readme.txt Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 
@@ -1,86 +0,0 @@ - -This is the readme.txt file for win32_check_group, an external -helper fo the External ACL Scheme for Squid. - - -This helper must be used in with an authentication scheme, tipically -basic or NTLM, based on Windows NT/2000 domain users. -It reads from the standard input the domain username and a list of groups -and tries to match it against the groups membership of the specified -username. - - -============== -Program Syntax -============== - -win32_check_group [-D domain][-G][-P][-c][-d][-h] - --D domain specify the default user's domain --G start helper in Domain Global Group mode --P use ONLY PDCs for group validation --c use case insensitive compare --d enable debugging --h this message - - -================ -squid.conf usage -================ - -external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G -external_acl_type NT_local_group %LOGIN c:/squid/libexec/win32_check_group.exe - -acl GProxyUsers external NT_global_group GProxyUsers -acl LProxyUsers external NT_local_group LProxyUsers -acl password proxy_auth REQUIRED - -http_access allow password GProxyUsers -http_access allow password LProxyUsers -http_access deny all - -In the previous example all validated NT users member of GProxyUsers Global -domain group or member of LProxyUsers machine local group are allowed to -use the cache. - -Groups with spaces in name, for example "Domain Users", must be quoted and -the acl data ("Domain Users") must be placed into a separate file included -by specifying "/path/to/file". The previous example will be: - -acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers" - -and the DomainUsers files will contain only the following line: - -"Domain Users" - -NOTES: -- The standard group name comparation is case sensitive, so group name - must be specified with same case as in the NT/2000 Domain. 
- It's possible to enable not case sensitive group name comparation (-c), - but on on some non - English locales, the results can be unexpected. -- Native WIN32 NTLM and Basic Helpers must be used without the - -A & -D switches. - -Refer to Squid documentation for the more details on squid.conf. - - -======= -Testing -======= - -I strongly urge that win32_check_group is tested prior to being used in a -production environment. It may behave differently on different platforms. -To test it, run it from the command line. Enter username and group -pairs separated by a space (username must entered with domain\\username -syntax). Press ENTER to get an OK or ERR message. -Make sure pressing behaves the same as a carriage return. -Make sure pressing aborts the program. - -Test that entering no details does not result in an OK or ERR message. -Test that entering an invalid username and group results in an ERR message. -Test that entering an valid username and group results in an OK message. - --- -Serassio Guido -squidnt at acmeconsulting dot it - --- squid/helpers/external_acl/win32_group/win32_check_group.c Wed Feb 14 01:15:52 2007 +++ /dev/null Wed Feb 14 01:15:49 2007 
@@ -1,644 +0,0 @@ -/* - * win32_group: lookup group membership in a Windows NT/2000 domain - * - * (C)2002,2005 Guido Serassio - Acme Consulting S.r.l. - * - * Authors: - * Guido Serassio - * Acme Consulting S.r.l., Italy - * - * With contributions from others mentioned in the change history section - * below. - * - * In part based on check_group by Rodrigo Albani de Campos. - * - * Dependencies: Windows NT4 SP4 and later. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. - * - * History: - * - * Version 1.22 - * 08-07-2005 Guido Serassio - * Added -P option for force usage of PDCs for group validation. - * Added support for '/' char as domain separator. - * Fixed Bugzilla #1336. - * Version 1.21 - * 23-04-2005 Guido Serassio - * Added -D option for specify default user's domain. - * Version 1.20 - * 13-06-2004 Guido Serassio - * Added support for running on a Domain Controller. - * Version 1.10 - * 01-05-2003 Guido Serassio - * Added option for case insensitive group name comparation. - * More debug info. - * Updated documentation. 
- * Segfault bug fix (Bugzilla #574) - * Version 1.0 - * 24-06-2002 Guido Serassio - * Using the main function from check_group and sections - * from wbinfo wrote win32_group - * - * This is a helper for the external ACL interface for Squid Cache - * - * It reads from the standard input the domain username and a list of - * groups and tries to match it against the groups membership of the - * specified username. - * - * Returns `OK' if the user belongs to a group or `ERR' otherwise, as - * described on http://devel.squid-cache.org/external_acl/config.html - * - */ - -#include "config.h" -#ifdef _SQUID_CYGWIN_ -#include -int _wcsicmp(const wchar_t*, const wchar_t*); -#endif -#if HAVE_STDIO_H -#include -#endif -#if HAVE_CTYPE_H -#include -#endif -#ifdef HAVE_STRING_H -#include -#endif -#if HAVE_GETOPT_H -#include -#endif -#undef assert -#include -#include -#include -#include - -#include "util.h" - -#define BUFSIZE 8192 /* the stdin buffer size */ -int use_global = 0; -int use_PDC_only = 0; -char debug_enabled = 0; -char *myname; -pid_t mypid; -char * machinedomain; -int use_case_insensitive_compare = 0; -char * DefaultDomain = NULL; -const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/"; - -#include "win32_check_group.h" - -char * -strwordtok(char *buf, char **t) -{ - unsigned char *word = NULL; - unsigned char *p = (unsigned char *) buf; - unsigned char *d; - unsigned char ch; - int quoted = 0; - if (!p) - p = (unsigned char *) *t; - if (!p) - goto error; - while (*p && isspace(*p)) - p++; - if (!*p) - goto error; - word = d = p; - while ((ch = *p)) { - switch (ch) { - case '\\': - p++; - *d++ = ch = *p; - if (ch) - p++; - break; - case '"': - quoted = !quoted; - p++; - break; - default: - if (!quoted && isspace(*p)) { - p++; - goto done; - } - *d++ = *p++; - break; - } - } - done: - *d++ = '\0'; - error: - *t = (char *) p; - return (char *) word; -} - - -char * AllocStrFromLSAStr(LSA_UNICODE_STRING LsaStr) -{ - size_t len; - static char * target; - - len = 
LsaStr.Length/sizeof(WCHAR) + 1; - - /* allocate buffer for str + null termination */ - safe_free(target); - target = (char *)xmalloc(len); - if (target == NULL) - return NULL; - - /* copy unicode buffer */ - WideCharToMultiByte(CP_ACP, 0, LsaStr.Buffer, LsaStr.Length, target, len, NULL, NULL ); - - /* add null termination */ - target[len-1] = '\0'; - return target; -} - - -char * GetDomainName(void) - -{ - LSA_HANDLE PolicyHandle; - LSA_OBJECT_ATTRIBUTES ObjectAttributes; - NTSTATUS status; - PPOLICY_PRIMARY_DOMAIN_INFO ppdiDomainInfo; - PWKSTA_INFO_100 pwkiWorkstationInfo; - DWORD netret; - char * DomainName = NULL; - - /* - * Always initialize the object attributes to all zeroes. - */ - memset(&ObjectAttributes, '\0', sizeof(ObjectAttributes)); - - /* - * You need the local workstation name. Use NetWkstaGetInfo at level - * 100 to retrieve a WKSTA_INFO_100 structure. - * - * The wki100_computername field contains a pointer to a UNICODE - * string containing the local computer name. - */ - netret = NetWkstaGetInfo(NULL, 100, (LPBYTE *)&pwkiWorkstationInfo); - if (netret == NERR_Success) { - /* - * We have the workstation name in: - * pwkiWorkstationInfo->wki100_computername - * - * Next, open the policy object for the local system using - * the LsaOpenPolicy function. - */ - status = LsaOpenPolicy( - NULL, - &ObjectAttributes, - GENERIC_READ | POLICY_VIEW_LOCAL_INFORMATION, - &PolicyHandle - ); - - /* - * Error checking. - */ - if (status) { - debug("OpenPolicy Error: %ld\n", status); - } else { - - /* - * You have a handle to the policy object. Now, get the - * domain information using LsaQueryInformationPolicy. 
- */ - status = LsaQueryInformationPolicy(PolicyHandle, - PolicyPrimaryDomainInformation, - (PVOID *)&ppdiDomainInfo); - if (status) { - debug("LsaQueryInformationPolicy Error: %ld\n", status); - } else { - - /* Get name in useable format */ - DomainName = AllocStrFromLSAStr(ppdiDomainInfo->Name); - - /* - * Check the Sid pointer, if it is null, the - * workstation is either a stand-alone computer - * or a member of a workgroup. - */ - if (ppdiDomainInfo->Sid) { - - /* - * Member of a domain. Display it in debug mode. - */ - debug("Member of Domain %s\n",DomainName); - } else { - DomainName = NULL; - } - } - } - - /* - * Clean up all the memory buffers created by the LSA and - * Net* APIs. - */ - NetApiBufferFree(pwkiWorkstationInfo); - LsaFreeMemory((LPVOID)ppdiDomainInfo); - } else - debug("NetWkstaGetInfo Error: %ld\n", netret); - return DomainName; -} - -/* returns 0 on match, -1 if no match */ -static int wcstrcmparray(const wchar_t *str, const char **array) -{ - WCHAR wszGroup[GNLEN+1]; // Unicode Group - - while (*array) { - MultiByteToWideChar(CP_ACP, 0, *array, - strlen(*array) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); - debug("Windows group: %S, Squid group: %S\n", str, wszGroup); - if ((use_case_insensitive_compare ? 
_wcsicmp(str, wszGroup) : wcscmp(str, wszGroup)) == 0) - return 0; - array++; - } - return -1; -} - -/* returns 1 on success, 0 on failure */ -int -Valid_Local_Groups(char *UserName, const char **Groups) -{ - int result = 0; - char * Domain_Separator; - WCHAR wszUserName[UNLEN+1]; // Unicode user name - - LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; - LPLOCALGROUP_USERS_INFO_0 pTmpBuf; - DWORD dwLevel = 0; - DWORD dwFlags = LG_INCLUDE_INDIRECT; - DWORD dwPrefMaxLen = -1; - DWORD dwEntriesRead = 0; - DWORD dwTotalEntries = 0; - NET_API_STATUS nStatus; - DWORD i; - DWORD dwTotalCount = 0; - - if ((Domain_Separator = strchr(UserName, '/')) != NULL) - *Domain_Separator = '\\'; - - debug("Valid_Local_Groups: checking group membership of '%s'.\n", UserName); - -/* Convert ANSI User Name and Group to Unicode */ - - MultiByteToWideChar(CP_ACP, 0, UserName, - strlen(UserName) + 1, wszUserName, sizeof(wszUserName) / sizeof(wszUserName[0])); - - /* - * Call the NetUserGetLocalGroups function - * specifying information level 0. - * - * The LG_INCLUDE_INDIRECT flag specifies that the - * function should also return the names of the local - * groups in which the user is indirectly a member. - */ - nStatus = NetUserGetLocalGroups( - NULL, - wszUserName, - dwLevel, - dwFlags, - (LPBYTE *) &pBuf, - dwPrefMaxLen, - &dwEntriesRead, - &dwTotalEntries); - /* - * If the call succeeds, - */ - if (nStatus == NERR_Success) { - if ((pTmpBuf = pBuf) != NULL) { - for (i = 0; i < dwEntriesRead; i++) { - assert(pTmpBuf != NULL); - if (pTmpBuf == NULL) { - result = 0; - break; - } - if (wcstrcmparray(pTmpBuf->lgrui0_name, Groups) == 0) { - result = 1; - break; - } - pTmpBuf++; - dwTotalCount++; - } - } - } else - result = 0; -/* - * Free the allocated memory. 
- */ - if (pBuf != NULL) - NetApiBufferFree(pBuf); - return result; -} - - -/* returns 1 on success, 0 on failure */ -int -Valid_Global_Groups(char *UserName, const char **Groups) -{ - int result = 0; - WCHAR wszUserName[UNLEN+1]; // Unicode user name - WCHAR wszLocalDomain[DNLEN+1]; // Unicode Local Domain - WCHAR wszUserDomain[DNLEN+1]; // Unicode User Domain - - char NTDomain[DNLEN+UNLEN+2]; - char *domain_qualify; - char User[UNLEN+1]; - size_t j; - - LPWSTR LclDCptr = NULL; - LPWSTR UsrDCptr = NULL; - LPGROUP_USERS_INFO_0 pUsrBuf = NULL; - LPGROUP_USERS_INFO_0 pTmpBuf; - LPSERVER_INFO_101 pSrvBuf = NULL; - DWORD dwLevel = 0; - DWORD dwPrefMaxLen = -1; - DWORD dwEntriesRead = 0; - DWORD dwTotalEntries = 0; - NET_API_STATUS nStatus; - DWORD i; - DWORD dwTotalCount = 0; - - strncpy(NTDomain, UserName, sizeof(NTDomain)); - - for (j=0; j < strlen(NTV_VALID_DOMAIN_SEPARATOR); j++) { - if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[j])) != NULL) - break; - } - if (domain_qualify == NULL) { - strcpy(User, NTDomain); - strcpy(NTDomain, DefaultDomain); - } else { - strcpy(User, domain_qualify + 1); - domain_qualify[0] = '\0'; - strlwr(NTDomain); - } - - debug("Valid_Global_Groups: checking group membership of '%s\\%s'.\n", NTDomain, User); - - /* Convert ANSI User Name and Group to Unicode */ - - MultiByteToWideChar(CP_ACP, 0, User, - strlen(User) + 1, wszUserName, - sizeof(wszUserName) / sizeof(wszUserName[0])); - MultiByteToWideChar(CP_ACP, 0, machinedomain, - strlen(machinedomain) + 1, wszLocalDomain, sizeof(wszLocalDomain) / sizeof(wszLocalDomain[0])); - - -/* Call the NetServerGetInfo function for local computer, specifying level 101. 
 */
- dwLevel = 101;
- nStatus = NetServerGetInfo(NULL, dwLevel, (LPBYTE *)&pSrvBuf);
-
- if (nStatus == NERR_Success)
- {
- /* Check if we are running on a Domain Controller */
- if ((pSrvBuf->sv101_type & SV_TYPE_DOMAIN_CTRL) ||
- (pSrvBuf->sv101_type & SV_TYPE_DOMAIN_BAKCTRL))
- {
- LclDCptr = NULL;
- debug("Running on a DC.\n");
- }
- else
- nStatus = (use_PDC_only ? NetGetDCName(NULL, wszLocalDomain, (LPBYTE *) & LclDCptr) : NetGetAnyDCName(NULL, wszLocalDomain, (LPBYTE *) & LclDCptr));
- } else {
- fprintf(stderr, "%s NetServerGetInfo() failed.'\n", myname);
- if (pSrvBuf != NULL)
- NetApiBufferFree(pSrvBuf);
- return result;
- }
-
- if (nStatus == NERR_Success) {
- debug("Using '%S' as DC for '%S' local domain.\n", LclDCptr, wszLocalDomain);
-
- if (strcmp(NTDomain, machinedomain) != 0) {
- MultiByteToWideChar(CP_ACP, 0, NTDomain,
- strlen(NTDomain) + 1, wszUserDomain, sizeof(wszUserDomain) / sizeof(wszUserDomain[0]));
- nStatus = (use_PDC_only ? NetGetDCName(LclDCptr, wszUserDomain, (LPBYTE *) & UsrDCptr) : NetGetAnyDCName(LclDCptr, wszUserDomain, (LPBYTE *) & UsrDCptr));
- if (nStatus != NERR_Success) {
- fprintf(stderr, "%s Can't find DC for user's domain '%s'\n", myname, NTDomain);
- if (pSrvBuf != NULL)
- NetApiBufferFree(pSrvBuf);
- if (LclDCptr != NULL)
- NetApiBufferFree((LPVOID) LclDCptr);
- if (UsrDCptr != NULL)
- NetApiBufferFree((LPVOID) UsrDCptr);
- return result;
- }
- } else
- UsrDCptr = LclDCptr;
-
- debug("Using '%S' as DC for '%s' user's domain.\n", UsrDCptr, NTDomain);
- /*
- * Call the NetUserGetGroups function
- * specifying information level 0.
- */
- dwLevel = 0;
- nStatus = NetUserGetGroups(UsrDCptr,
- wszUserName,
- dwLevel,
- (LPBYTE *) & pUsrBuf,
- dwPrefMaxLen,
- &dwEntriesRead,
- &dwTotalEntries);
- /*
- * If the call succeeds,
- */
- if (nStatus == NERR_Success) {
- if ((pTmpBuf = pUsrBuf) != NULL) {
- for (i = 0; i < dwEntriesRead; i++) {
- assert(pTmpBuf != NULL);
- if (pTmpBuf == NULL) {
- result = 0;
- break;
- }
- if (wcstrcmparray(pTmpBuf->grui0_name, Groups) == 0) {
- result = 1;
- break;
- }
- pTmpBuf++;
- dwTotalCount++;
- }
- }
- } else {
- result = 0;
- fprintf(stderr, "%s NetUserGetGroups() failed.'\n", myname);
- }
- } else {
- fprintf(stderr, "%s Can't find DC for local domain '%s'\n", myname, machinedomain);
- }
- /*
- * Free the allocated memory.
- */
- if (pSrvBuf != NULL)
- NetApiBufferFree(pSrvBuf);
- if (pUsrBuf != NULL)
- NetApiBufferFree(pUsrBuf);
- if ((UsrDCptr != NULL) && (UsrDCptr != LclDCptr))
- NetApiBufferFree((LPVOID) UsrDCptr);
- if (LclDCptr != NULL)
- NetApiBufferFree((LPVOID) LclDCptr);
- return result;
-}
-
-static void
-usage(char *program)
-{
- fprintf(stderr,"Usage: %s [-D domain][-G][-P][-c][-d][-h]\n"
- " -D default user Domain\n"
- " -G enable Domain Global group mode\n"
- " -P use ONLY PDCs for group validation\n"
- " -c use case insensitive compare\n"
- " -d enable debugging\n"
- " -h this message\n",
- program);
-}
-
-void
-process_options(int argc, char *argv[])
-{
- int opt;
-
- opterr = 0;
- while (-1 != (opt = getopt(argc, argv, "D:GPcdh"))) {
- switch (opt) {
- case 'D':
- DefaultDomain = xstrndup(optarg, DNLEN + 1);
- strlwr(DefaultDomain);
- break;
- case 'G':
- use_global = 1;
- break;
- case 'P':
- use_PDC_only = 1;
- break;
- case 'c':
- use_case_insensitive_compare = 1;
- break;
- case 'd':
- debug_enabled = 1;
- break;
- case 'h':
- usage(argv[0]);
- exit(0);
- case '?':
- opt = optopt;
- /* fall thru to default */
- default:
- fprintf(stderr, "%s Unknown option: -%c.
Exiting\n", myname, opt);
- usage(argv[0]);
- exit(1);
- break; /* not reached */
- }
- }
- return;
-}
-
-
-int
-main (int argc, char *argv[])
-{
- char *p, *t;
- char buf[BUFSIZE];
- char *username;
- char *group;
- int err = 0;
- const char *groups[512];
- int n;
-
- if (argc > 0) { /* should always be true */
- myname=strrchr(argv[0],'/');
- if (myname==NULL)
- myname=argv[0];
- } else {
- myname="(unknown)";
- }
- mypid=getpid();
-
- setbuf(stdout, NULL);
- setbuf(stderr, NULL);
-
- /* Check Command Line */
- process_options(argc, argv);
-
- if (use_global) {
- if ((machinedomain = GetDomainName()) == NULL) {
- fprintf(stderr, "%s Can't read machine domain\n", myname);
- exit(1);
- }
- strlwr(machinedomain);
- if (!DefaultDomain)
- DefaultDomain = xstrdup(machinedomain);
- }
-
- debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
- " starting up...\n");
- if (use_global)
- debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
- if (use_case_insensitive_compare)
- debug("Warning: running in case insensitive mode !!!\n");
- if (use_PDC_only)
- debug("Warning: using only PDCs for group validation !!!\n");
-
- /* Main Loop */
- while (fgets (buf, sizeof(buf), stdin))
- {
- if (NULL == strchr(buf, '\n')) {
- /* too large message received..
skip and deny */
- fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf);
- while (fgets(buf, sizeof(buf), stdin)) {
- fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf);
- if (strchr(buf, '\n') != NULL)
- break;
- }
- goto error;
- }
-
- if ((p = strchr(buf, '\n')) != NULL)
- *p = '\0'; /* strip \n */
- if ((p = strchr(buf, '\r')) != NULL)
- *p = '\0'; /* strip \r */
-
- debug("Got '%s' from Squid (length: %d).\n",buf,strlen(buf));
-
- if (buf[0] == '\0') {
- fprintf(stderr, "Invalid Request\n");
- goto error;
- }
-
- username = strwordtok(buf, &t);
- for (n = 0; (group = strwordtok(NULL, &t)) != NULL; n++)
- groups[n] = group;
- groups[n] = NULL;
-
- if (NULL == username) {
- fprintf(stderr, "Invalid Request\n");
- goto error;
- }
-
- if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) {
- printf ("OK\n");
- } else {
-error:
- printf ("ERR\n");
- }
- err = 0;
- }
- return 0;
-}
--- squid/helpers/external_acl/win32_group/win32_check_group.h Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,79 +0,0 @@
-/*
- * (C) 2002, 2005 Guido Serassio
- * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#undef debug
-
-/************* CONFIGURATION ***************/
-/*
- * define this if you want debugging
- */
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-/************* END CONFIGURATION ***************/
-
-#include
-
-#define safe_free(x) if (x) { free(x); x = NULL; }
-
-/* Debugging stuff */
-
-#ifdef __GNUC__ /* this is really a gcc-ism */
-#ifdef DEBUG
-#include
-#include
-static char *__foo;
-extern char debug_enabled;
-#define debug(X...) if (debug_enabled) { \
- fprintf(stderr,"%s[%d](%s:%d): ", myname, mypid, \
- ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\
- __LINE__);\
- fprintf(stderr,X); }
-#else /* DEBUG */
-#define debug(X...) /* */
-#endif /* DEBUG */
-#else /* __GNUC__ */
-extern char debug_enabled;
-static void
-debug(char *format,...)
-{
-#ifdef DEBUG
-#ifdef _SQUID_MSWIN_
- if (debug_enabled) {
- va_list args;
-
- va_start(args,format);
- fprintf(stderr, "%s[%d]: ", myname, mypid);
- vfprintf(stderr, format, args);
- fprintf(stderr, "\n");
- va_end(args);
- }
-#endif /* _SQUID_MSWIN_ */
-#endif /* DEBUG */
-}
-#endif /* __GNUC__ */
-
-
-/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
-#ifdef __GNUC__
-#define SEND2(X,Y...)
debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#else
-/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#endif
--- squid/helpers/external_acl/winbind_group/.cvsignore Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,2 +0,0 @@
-.cvsignore
-Makefile.in
--- squid/helpers/negotiate_auth/Win32/.cvsignore Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,2 +0,0 @@
-.cvsignore
-Makefile.in
--- squid/helpers/negotiate_auth/Win32/Makefile.am Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,20 +0,0 @@
-#
-# Makefile for the Squid Object Cache server
-#
-# $Id: Makefile.am,v 1.1.10.1 2006/05/16 21:05:57 serassio Exp $
-#
-
-libexec_PROGRAMS = win32_negotiate_auth
-
-win32_negotiate_auth_SOURCES = libnegotiatessp.c negotiate_auth.c negotiate.h
-
-if ENABLE_MINGW32SPECIFIC
-INCLUDES = -I. -I$(top_srcdir)/port/win32/include -I$(top_srcdir)/include -I$(top_srcdir)/src
-else
-INCLUDES = -I. -I$(top_srcdir)/include -I$(top_srcdir)/src
-endif
-
-LDADD = -L$(top_builddir)/lib -lntlmauth -lsspwin32 -lnetapi32 \
- -ladvapi32 -lmiscutil $(CRYPTLIB) $(XTRA_LIBS)
-
-EXTRA_DIST = readme.txt
--- squid/helpers/negotiate_auth/Win32/libnegotiatessp.c Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,83 +0,0 @@
-/*
- * (C) 2002 Guido Serassio
- * Based on previous work of Francesco Chemolli and Robert Collins
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-typedef unsigned char uchar;
-
-#include "util.h"
-#include "negotiate.h"
-#if HAVE_CTYPE_H
-#include
-#endif
-
-void hex_dump(void *data, int size)
-{
- /* dumps size bytes of *data to stdout. Looks like:
- * [0000] 75 6E 6B 6E 6F 77 6E 20
- * 30 FF 00 00 00 00 39 00 unknown 0.....9.
- * (in a single line of course)
- */
-
- if (!data)
- return;
-
- if (debug_enabled) {
- unsigned char *p = data;
- unsigned char c;
- int n;
- char bytestr[4] = {0};
- char addrstr[10] = {0};
- char hexstr[ 16*3 + 5] = {0};
- char charstr[16*1 + 5] = {0};
- for(n=1;n<=size;n++) {
- if (n%16 == 1) {
- /* store address for this line */
- snprintf(addrstr, sizeof(addrstr), "%.4x",
- ((unsigned int)p-(unsigned int)data) );
- }
-
- c = *p;
- if (isalnum(c) == 0) {
- c = '.';
- }
-
- /* store hex str (for left side) */
- snprintf(bytestr, sizeof(bytestr), "%02X ", *p);
- strncat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1);
-
- /* store char str (for right side) */
- snprintf(bytestr, sizeof(bytestr), "%c", c);
- strncat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1);
-
- if(n%16 == 0) {
- /* line completed */
- fprintf(stderr, "[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
- hexstr[0] = 0;
- charstr[0] = 0;
- } else if(n%8 == 0) {
- /* half line: add whitespaces */
- strncat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1);
- strncat(charstr, " ", sizeof(charstr)-strlen(charstr)-1);
- }
- p++; /* next byte */
- }
-
- if (strlen(hexstr) > 0) {
- /* print rest of buffer if not empty */
- fprintf(stderr, "[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
- }
- }
-}
-
--- squid/helpers/negotiate_auth/Win32/negotiate.h Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,116 +0,0 @@
-/*
- * (C) 2002 Guido Serassio
- * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#ifndef _NTLM_H_
-#define _NTLM_H_
-
-#include "sspwin32.h"
-#include
-#include
-#include
-#include "ntlmauth.h"
-#undef debug
-
-/************* CONFIGURATION ***************/
-/*
- * define this if you want debugging
- */
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#define FAIL_DEBUG 0
-
-/************* END CONFIGURATION ***************/
-
-#include
-
-extern int debug_enabled;
-#if FAIL_DEBUG
-extern int fail_debug_enabled;
-#endif
-
-/* Debugging stuff */
-
-#ifdef __GNUC__ /* this is really a gcc-ism */
-#ifdef DEBUG
-#include
-#include
-static char *__foo;
-#define debug(X...) if (debug_enabled) { \
- fprintf(stderr,"ntlm-auth[%d](%s:%d): ", getpid(), \
- ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\
- __LINE__);\
- fprintf(stderr,X); }
-#else /* DEBUG */
-#define debug(X...) /* */
-#endif /* DEBUG */
-#else /* __GNUC__ */
-static void
-debug(char *format,...)
-{
-#ifdef DEBUG
-#ifdef _SQUID_MSWIN_
-#if FAIL_DEBUG
- if (debug_enabled || fail_debug_enabled) {
-#else
- if (debug_enabled) {
-#endif
- va_list args;
-
- va_start(args,format);
- fprintf(stderr, "negotiate-auth[%d]: ",getpid());
- vfprintf(stderr, format, args);
- va_end(args);
-#if FAIL_DEBUG
- fail_debug_enabled = 0;
-#endif
- }
-#endif /* _SQUID_MSWIN_ */
-#endif /* DEBUG */
-}
-#endif /* __GNUC__ */
-
-
-/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
-#ifdef __GNUC__
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#else
-/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
-#endif
-
-extern int ntlm_errno;
-
-#define NTLM_NO_ERROR 0
-#define NTLM_SSPI_ERROR 1
-#define NTLM_BAD_NTGROUP 2
-#define NTLM_BAD_REQUEST 3
-
-#define NEGOTIATE_LENGTH 16
-
-extern void uc(char *);
-
-extern char *negotiate_check_auth(SSP_blobP auth, int auth_length);
-extern void hex_dump(void *, int);
-
-#define safe_free(x) if (x) { free(x); x = NULL; }
-
-#endif /* _NTLM_H_ */
--- squid/helpers/negotiate_auth/Win32/negotiate_auth.c Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,316 +0,0 @@
-/*
- * win32_ntlm_auth: helper for NTLM Authentication for Squid Cache
- *
- * (C)2005 Guido Serassio - Acme Consulting S.r.l.
- *
- * Authors:
- * Guido Serassio
- * Acme Consulting S.r.l., Italy
- *
- * With contributions from others mentioned in the change history section
- * below.
- *
- * Based on previous work of Francesco Chemolli and Robert Collins.
- *
- * Dependencies: Windows NT4 SP4 and later.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- * History:
- *
- * Version 1.0
- * 29-10-2005 Guido Serassio
- * First release.
- *
- *
- */
-
-#include "util.h"
-#if HAVE_GETOPT_H
-#include
-#endif
-#include "negotiate.h"
-#if HAVE_CTYPE_H
-#include
-#endif
-
-#define BUFFER_SIZE 10240
-
-int debug_enabled = 0;
-int Negotiate_packet_debug_enabled = 0;
-
-static int have_serverblob;
-
-/* makes a null-terminated string upper-case. Changes CONTENTS! */
-void
-uc(char *string)
-{
- char *p = string, c;
- while ((c = *p)) {
- *p = toupper(c);
- p++;
- }
-}
-
-/* makes a null-terminated string lower-case. Changes CONTENTS!
 */
-static void
-lc(char *string)
-{
- char *p = string, c;
- while ((c = *p)) {
- *p = tolower(c);
- p++;
- }
-}
-
-void
-helperfail(const char *reason)
-{
-#if FAIL_DEBUG
- fail_debug_enabled =1;
-#endif
- SEND2("BH %s", reason);
-}
-
-/*
- options:
- -d enable debugging.
- -v enable verbose NTLM packet debugging.
- */
-char *my_program_name = NULL;
-
-void
-usage()
-{
- fprintf(stderr,
- "Usage: %s [-d] [-v] [-h]\n"
- " -d enable debugging.\n"
- " -v enable verbose NTLM packet debugging.\n"
- " -h this message\n\n",
- my_program_name);
-}
-
-
-void
-process_options(int argc, char *argv[])
-{
- int opt, had_error = 0;
-
- opterr =0;
- while (-1 != (opt = getopt(argc, argv, "hdv"))) {
- switch (opt) {
- case 'd':
- debug_enabled = 1;
- break;
- case 'v':
- debug_enabled = 1;
- Negotiate_packet_debug_enabled = 1;
- break;
- case 'h':
- usage();
- exit(0);
- case '?':
- opt = optopt;
- /* fall thru to default */
- default:
- fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
- usage();
- had_error = 1;
- }
- }
- if (had_error)
- exit(1);
-}
-
-int
-manage_request()
-{
- char buf[BUFFER_SIZE];
- char helper_command[3];
- char *c, *decoded;
- int plen, status;
- int oversized = 0;
- char * ErrorMessage;
- static char cred[SSP_MAX_CRED_LEN+1];
- BOOL Done = FALSE;
-
-try_again:
- if (fgets(buf, BUFFER_SIZE, stdin) == NULL)
- return 0;
-
- c = memchr(buf, '\n', BUFFER_SIZE); /* safer against overrun than strchr */
- if (c) {
- if (oversized) {
- helperfail("illegal request received");
- fprintf(stderr, "Illegal request received: '%s'\n", buf);
- return 1;
- }
- *c = '\0';
- } else {
- fprintf(stderr, "No newline in '%s'\n", buf);
- oversized = 1;
- goto try_again;
- }
-
- if ((strlen(buf) > 3) && Negotiate_packet_debug_enabled) {
- decoded = base64_decode(buf + 3);
- strncpy(helper_command, buf, 2);
- debug("Got '%s' from Squid with data:\n", helper_command);
- hex_dump(decoded, ((strlen(buf) - 3) * 3) / 4);
- } else
- debug("Got '%s' from Squid\n", buf);
-
- if
(memcmp(buf, "YR ", 3) == 0) { /* refresh-request */
- /* figure out what we got */
- decoded = base64_decode(buf + 3);
- /* Note: we don't need to manage memory at this point, since
- * base64_decode returns a pointer to static storage.
- */
- if (!decoded) { /* decoding failure, return error */
- SEND("NA * Packet format error, couldn't base64-decode");
- return 1;
- }
- /* Obtain server blob against SSPI */
- plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here. Optimization */
- c = (char *) SSP_MakeNegotiateBlob(decoded, plen, &Done, &status, cred);
-
- if (status == SSP_OK) {
- if (Done) {
- lc(cred); /* let's lowercase them for our convenience */
- have_serverblob = 0;
- Done = FALSE;
- if (Negotiate_packet_debug_enabled) {
- printf("AF %s %s\n",c,cred);
- decoded = base64_decode(c);
- debug("sending 'AF' %s to squid with data:\n", cred);
- hex_dump(decoded, (strlen(c) * 3) / 4);
- } else
- SEND3("AF %s %s", c, cred);
- } else {
- if (Negotiate_packet_debug_enabled) {
- printf("TT %s\n",c);
- decoded = base64_decode(c);
- debug("sending 'TT' to squid with data:\n");
- hex_dump(decoded, (strlen(c) * 3) / 4);
- } else {
- SEND2("TT %s", c);
- }
- have_serverblob = 1;
- }
- } else
- helperfail("can't obtain server blob");
- return 1;
- }
-
- if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
-  if (!have_serverblob) {
- helperfail("invalid server blob");
- return 1;
- }
- /* figure out what we got */
- decoded = base64_decode(buf + 3);
- /* Note: we don't need to manage memory at this point, since
- * base64_decode returns a pointer to static storage.
- */
- if (!decoded) { /* decoding failure, return error */
- SEND("NA * Packet format error, couldn't base64-decode");
- return 1;
- }
-
- /* check against SSPI */
- plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here.
Optimization */
- c = (char *) SSP_ValidateNegotiateCredentials(decoded, plen, &Done, &status, cred);
-
- if (status == SSP_ERROR) {
-#if FAIL_DEBUG
- fail_debug_enabled = 1;
-#endif
- FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
- FORMAT_MESSAGE_IGNORE_INSERTS,
- NULL,
- GetLastError(),
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
- (LPTSTR) &ErrorMessage,
- 0,
- NULL);
- if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
- ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
- if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
- ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
- SEND2("NA * %s", ErrorMessage);
- LocalFree(ErrorMessage);
- return 1;
- }
-
- if (Done) {
- lc(cred); /* let's lowercase them for our convenience */
- have_serverblob = 0;
- Done = FALSE;
- if (Negotiate_packet_debug_enabled) {
- printf("AF %s %s\n",c,cred);
- decoded = base64_decode(c);
- debug("sending 'AF' %s to squid with data:\n", cred);
- hex_dump(decoded, (strlen(c) * 3) / 4);
- } else {
- SEND3("AF %s %s", c, cred);
- }
- return 1;
- } else {
- if (Negotiate_packet_debug_enabled) {
- printf("TT %s\n",c);
- decoded = base64_decode(c);
- debug("sending 'TT' to squid with data:\n");
- hex_dump(decoded, (strlen(c) * 3) / 4);
- } else
- SEND2("TT %s", c);
- return 1;
- }
-
- } else { /* not an auth-request */
- helperfail("illegal request received");
- fprintf(stderr, "Illegal request received: '%s'\n", buf);
- return 1;
- }
- helperfail("detected protocol error");
- return 1;
-/********* END ********/
-}
-
-int
-main(int argc, char *argv[])
-{
- my_program_name = argv[0];
-
- process_options(argc, argv);
-
- debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name);
-
- if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) {
- fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n");
- exit(1);
- }
- debug("SSPI initialized OK\n");
-
- atexit(UnloadSecurityDll);
-
- /* initialize FDescs */
-
setbuf(stdout, NULL);
- setbuf(stderr, NULL);
-
- while (manage_request()) {
- /* everything is done within manage_request */
- }
- exit(0);
-}
--- squid/helpers/negotiate_auth/Win32/readme.txt Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,41 +0,0 @@
-win32_negotiate_auth.exe
-
-Native Windows Negotiate authenticator for Squid.
-
-=====
-Usage
-=====
-
-win32_negotiate_auth [-d] [-v] [-h]
-
--d enables debugging.
--v enables verbose Negotiate packet debugging.
--h print program usage
-
-This is released under the GNU General Public License
-
-==============
-Allowing Users
-==============
-
-Users that are allowed to access the web proxy must have the Windows NT
-User Rights "logon from the network".
-
-Squid.conf typical minimal required changes:
-
-auth_param negotiate program c:/squid/libexec/win32_negotiate_auth.exe
-auth_param negotiate children 5
-
-acl password proxy_auth REQUIRED
-
-http_access allow password
-http_access deny all
-
-Refer to Squid documentation for more details.
-
-Currently Internet Explorer has some problems with ftp:// URLs when handling
-internal Squid FTP icons. The following squid.conf ACL works around this:
-
-acl internal_icons urlpath_regex -i /squid-internal-static/icons/
-
-http_access allow our_networks internal_icons <== BEFORE authentication ACL !!!
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/.cvsignore Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,2 +0,0 @@
-.cvsignore
-Makefile.in
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/Makefile.am Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,20 +0,0 @@
-#
-# Makefile for the Squid Object Cache server
-#
-# $Id: Makefile.am,v 1.1.36.1 2006/05/16 21:05:57 serassio Exp $
-#
-
-libexec_PROGRAMS = win32_ntlm_auth
-
-win32_ntlm_auth_SOURCES = libntlmssp.c ntlm_auth.c ntlm.h
-
-if ENABLE_MINGW32SPECIFIC
-INCLUDES = -I. -I$(top_srcdir)/port/win32/include -I$(top_srcdir)/include -I$(top_srcdir)/src
-else
-INCLUDES = -I. -I$(top_srcdir)/include -I$(top_srcdir)/src
-endif
-
-LDADD = -L$(top_builddir)/lib -lntlmauth -lsspwin32 -lnetapi32 \
- -ladvapi32 -lmiscutil $(CRYPTLIB) $(XTRA_LIBS)
-
-EXTRA_DIST = readme.txt
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/libntlmssp.c Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,382 +0,0 @@
-/*
- * (C) 2002 Guido Serassio
- * Based on previous work of Francesco Chemolli and Robert Collins
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-typedef unsigned char uchar;
-
-#include "util.h"
-#include "ntlm.h"
-#if HAVE_CTYPE_H
-#include
-#endif
-#include
-#include
-
-/* returns 1 on success, 0 on failure */
-int
-Valid_Group(char *UserName, char *Group)
-{
- int result = FALSE;
- WCHAR wszUserName[UNLEN+1]; // Unicode user name
- WCHAR wszGroup[GNLEN+1]; // Unicode Group
-
- LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
- LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
- DWORD dwLevel = 0;
- DWORD dwFlags = LG_INCLUDE_INDIRECT;
- DWORD dwPrefMaxLen = -1;
- DWORD dwEntriesRead = 0;
- DWORD dwTotalEntries = 0;
- NET_API_STATUS nStatus;
- DWORD i;
- DWORD dwTotalCount = 0;
-
-/* Convert ANSI User Name and Group to Unicode */
-
- MultiByteToWideChar(CP_ACP, 0, UserName,
- strlen(UserName) + 1, wszUserName,
- sizeof(wszUserName) / sizeof(wszUserName[0]));
- MultiByteToWideChar(CP_ACP, 0, Group,
- strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
-
- /*
- * Call the NetUserGetLocalGroups function
- * specifying information level 0.
- *
- * The LG_INCLUDE_INDIRECT flag specifies that the
- * function should also return the names of the local
- * groups in which the user is indirectly a member.
- */
- nStatus = NetUserGetLocalGroups(NULL,
- wszUserName,
- dwLevel,
- dwFlags,
- (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
- /*
- * If the call succeeds,
- */
- if (nStatus == NERR_Success) {
- if ((pTmpBuf = pBuf) != NULL) {
- for (i = 0; i < dwEntriesRead; i++) {
- if (pTmpBuf == NULL) {
- result = FALSE;
- break;
- }
- if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
- result = TRUE;
- break;
- }
- pTmpBuf++;
- dwTotalCount++;
- }
- }
- } else
- result = FALSE;
-/*
- * Free the allocated memory.
- */
- if (pBuf != NULL)
- NetApiBufferFree(pBuf);
- return result;
-}
-
-
-char * AllocStrFromLSAStr(LSA_UNICODE_STRING LsaStr)
-{
- size_t len;
- static char * target;
-
- len = LsaStr.Length/sizeof(WCHAR) + 1;
-
- /* allocate buffer for str + null termination */
- safe_free(target);
- target = (char *)xmalloc(len);
- if (target == NULL)
- return NULL;
-
- /* copy unicode buffer */
- WideCharToMultiByte(CP_ACP, 0, LsaStr.Buffer, LsaStr.Length, target, len, NULL, NULL );
-
- /* add null termination */
- target[len-1] = '\0';
- return target;
-}
-
-
-char * GetDomainName(void)
-
-{
- LSA_HANDLE PolicyHandle;
- LSA_OBJECT_ATTRIBUTES ObjectAttributes;
- NTSTATUS status;
- PPOLICY_PRIMARY_DOMAIN_INFO ppdiDomainInfo;
- PWKSTA_INFO_100 pwkiWorkstationInfo;
- DWORD netret;
- char * DomainName = NULL;
-
- /*
- * Always initialize the object attributes to all zeroes.
- */
- memset(&ObjectAttributes, '\0', sizeof(ObjectAttributes));
-
- /*
- * You need the local workstation name. Use NetWkstaGetInfo at level
- * 100 to retrieve a WKSTA_INFO_100 structure.
- *
- * The wki100_computername field contains a pointer to a UNICODE
- * string containing the local computer name.
- */
- netret = NetWkstaGetInfo(NULL, 100, (LPBYTE *)&pwkiWorkstationInfo);
- if (netret == NERR_Success) {
- /*
- * We have the workstation name in:
- * pwkiWorkstationInfo->wki100_computername
- *
- * Next, open the policy object for the local system using
- * the LsaOpenPolicy function.
- */
- status = LsaOpenPolicy(
- NULL,
- &ObjectAttributes,
- GENERIC_READ | POLICY_VIEW_LOCAL_INFORMATION,
- &PolicyHandle
- );
-
- /*
- * Error checking.
- */
- if (status) {
- debug("OpenPolicy Error: %ld\n", status);
- } else {
-
- /*
- * You have a handle to the policy object. Now, get the
- * domain information using LsaQueryInformationPolicy.
- */
- status = LsaQueryInformationPolicy(PolicyHandle,
- PolicyPrimaryDomainInformation,
- (void **)&ppdiDomainInfo);
- if (status) {
- debug("LsaQueryInformationPolicy Error: %ld\n", status);
- } else {
-
- /* Get name in useable format */
- DomainName = AllocStrFromLSAStr(ppdiDomainInfo->Name);
-
- /*
- * Check the Sid pointer, if it is null, the
- * workstation is either a stand-alone computer
- * or a member of a workgroup.
- */
- if (ppdiDomainInfo->Sid) {
-
- /*
- * Member of a domain. Display it in debug mode.
- */
- debug("Member of Domain %s\n",DomainName);
- } else {
- DomainName = NULL;
- }
- }
- }
-
- /*
- * Clean up all the memory buffers created by the LSA and
- * Net* APIs.
- */
- NetApiBufferFree(pwkiWorkstationInfo);
- LsaFreeMemory((LPVOID)ppdiDomainInfo);
- } else
- debug("NetWkstaGetInfo Error: %ld\n", netret);
- return DomainName;
-}
-
-
-int ntlm_errno;
-
-
-/* returns NULL on failure, or a pointer to
- * the user's credentials (domain\\username)
- * upon success. WARNING. It's pointing to static storage.
- * In case of problem sets as side-effect ntlm_errno to one of the
- * codes defined in ntlm.h
- */
-char *
-ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
-{
- int rv;
- char domain[DNLEN+1];
- char user[UNLEN+1];
- static char credentials[DNLEN+UNLEN+2]; /* we can afford to waste */
-
- lstring tmp;
-
- if (!NTLM_LocalCall) {
-
- tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->domain);
-
- if (tmp.str == NULL || tmp.l == 0) {
- debug("No domain supplied. Returning no-auth\n");
- ntlm_errno = NTLM_BAD_REQUEST;
- return NULL;
- }
- if (Use_Unicode) {
- /* copy unicode buffer */
- WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) tmp.str, tmp.l, domain, DNLEN, NULL, NULL );
- /* add null termination */
- domain[tmp.l / sizeof(WCHAR)] = '\0';
- } else {
- if (tmp.l > DNLEN) {
- debug("Domain string exceeds %d bytes, rejecting\n", DNLEN);
- ntlm_errno = NTLM_BAD_REQUEST;
- return NULL;
- }
- memcpy(domain, tmp.str, tmp.l);
- domain[tmp.l] = '\0';
- }
- tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->user);
- if (tmp.str == NULL || tmp.l == 0) {
- debug("No username supplied.
Returning no-auth\n");
- ntlm_errno = NTLM_BAD_REQUEST;
- return NULL;
- }
- if (Use_Unicode) {
- /* copy unicode buffer */
- WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) tmp.str, tmp.l, user, UNLEN, NULL, NULL );
- /* add null termination */
- user[tmp.l / sizeof(WCHAR)] = '\0';
- } else {
- if (tmp.l > UNLEN) {
- debug("Username string exceeds %d bytes, rejecting\n", UNLEN);
- ntlm_errno = NTLM_BAD_REQUEST;
- return NULL;
- }
- memcpy(user, tmp.str, tmp.l);
- user[tmp.l] = '\0';
- }
- debug("checking domain: '%s', user: '%s'\n", domain, user);
-
- } else
- debug("checking local user\n");
-
- rv = SSP_ValidateNTLMCredentials(auth, auth_length, credentials);
-
- debug("Login attempt had result %d\n", rv);
-
- if (!rv) { /* failed */
- ntlm_errno = NTLM_SSPI_ERROR;
- return NULL;
- }
-
- if (UseAllowedGroup) {
- if (!Valid_Group(credentials, NTAllowedGroup)) {
- ntlm_errno = NTLM_BAD_NTGROUP;
- debug("User %s not in allowed Group %s\n", credentials, NTAllowedGroup);
- return NULL;
- }
- }
- if (UseDisallowedGroup) {
- if (Valid_Group(credentials, NTDisAllowedGroup)) {
- ntlm_errno = NTLM_BAD_NTGROUP;
- debug("User %s is in denied Group %s\n", credentials, NTDisAllowedGroup);
- return NULL;
- }
- }
-
- debug("credentials: %s\n", credentials);
- return credentials;
-}
-
-
-const char *
-ntlm_make_negotiate(void)
-{
- ntlm_negotiate ne;
- const char *encoded;
- memset(&ne, 0, sizeof(ntlm_negotiate)); /* reset */
- memcpy(ne.signature, "NTLMSSP", 8); /* set the signature */
- ne.type = WSWAP(NTLM_NEGOTIATE); /* this is a challenge */
- ne.flags = WSWAP(
- NEGOTIATE_ALWAYS_SIGN |
- NEGOTIATE_USE_NTLM |
- NEGOTIATE_USE_LM |
- NEGOTIATE_ASCII |
- 0
- );
- encoded = base64_encode_bin((char *) &ne, NEGOTIATE_LENGTH);
- debug("Negotiate packet not supplied - self generated\n");
- return encoded;
-}
-
-
-void hex_dump(void *data, int size)
-{
- /* dumps size bytes of *data to stdout. Looks like:
- * [0000] 75 6E 6B 6E 6F 77 6E 20
- * 30 FF 00 00 00 00 39 00 unknown 0.....9.
- * (in a single line of course)
- */
-
- if (!data)
- return;
-
- if (debug_enabled) {
- unsigned char *p = data;
- unsigned char c;
- int n;
- char bytestr[4] = {0};
- char addrstr[10] = {0};
- char hexstr[ 16*3 + 5] = {0};
- char charstr[16*1 + 5] = {0};
- for(n=1;n<=size;n++) {
- if (n%16 == 1) {
- /* store address for this line */
- snprintf(addrstr, sizeof(addrstr), "%.4x",
- ((unsigned int)p-(unsigned int)data) );
- }
-
- c = *p;
- if (isalnum(c) == 0) {
- c = '.';
- }
-
- /* store hex str (for left side) */
- snprintf(bytestr, sizeof(bytestr), "%02X ", *p);
- strncat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1);
-
- /* store char str (for right side) */
- snprintf(bytestr, sizeof(bytestr), "%c", c);
- strncat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1);
-
- if(n%16 == 0) {
- /* line completed */
- fprintf(stderr, "[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
- hexstr[0] = 0;
- charstr[0] = 0;
- } else if(n%8 == 0) {
- /* half line: add whitespaces */
- strncat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1);
- strncat(charstr, " ", sizeof(charstr)-strlen(charstr)-1);
- }
- p++; /* next byte */
- }
-
- if (strlen(hexstr) > 0) {
- /* print rest of buffer if not empty */
- fprintf(stderr, "[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
- }
- }
-}
-
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm.h Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,119 +0,0 @@
-/*
- * (C) 2002 Guido Serassio
- * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#ifndef _NTLM_H_
-#define _NTLM_H_
-
-#include "sspwin32.h"
-#include
-#include
-#include
-#include "ntlmauth.h"
-#undef debug
-
-/************* CONFIGURATION ***************/
-/*
- * define this if you want debugging
- */
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#define FAIL_DEBUG 0
-
-/************* END CONFIGURATION ***************/
-
-#include
-
-extern int debug_enabled;
-#if FAIL_DEBUG
-extern int fail_debug_enabled;
-#endif
-
-/* Debugging stuff */
-
-#ifdef __GNUC__ /* this is really a gcc-ism */
-#ifdef DEBUG
-#include
-#include
-static char *__foo;
-#define debug(X...) if (debug_enabled) { \
- fprintf(stderr,"ntlm-auth[%d](%s:%d): ", getpid(), \
- ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\
- __LINE__);\
- fprintf(stderr,X); }
-#else /* DEBUG */
-#define debug(X...) /* */
-#endif /* DEBUG */
-#else /* __GNUC__ */
-static void
-debug(char *format,...)
-{
-#ifdef DEBUG
-#ifdef _SQUID_MSWIN_
-#if FAIL_DEBUG
- if (debug_enabled || fail_debug_enabled) {
-#else
- if (debug_enabled) {
-#endif
- va_list args;
-
- va_start(args,format);
- fprintf(stderr, "ntlm-auth[%d]: ",getpid());
- vfprintf(stderr, format, args);
- va_end(args);
-#if FAIL_DEBUG
- fail_debug_enabled = 0;
-#endif
- }
-#endif /* _SQUID_MSWIN_ */
-#endif /* DEBUG */
-}
-#endif /* __GNUC__ */
-
-
-/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
-#ifdef __GNUC__
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#else
-/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#endif
-
-extern char * NTAllowedGroup;
-extern char * NTDisAllowedGroup;
-extern int UseDisallowedGroup;
-extern int UseAllowedGroup;
-extern int ntlm_errno;
-
-#define NTLM_NO_ERROR 0
-#define NTLM_SSPI_ERROR 1
-#define NTLM_BAD_NTGROUP 2
-#define NTLM_BAD_REQUEST 3
-
-#define NEGOTIATE_LENGTH 16
-
-extern void uc(char *);
-
-extern const char * ntlm_make_negotiate(void);
-extern char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length);
-extern void hex_dump(void *, int);
-
-#define safe_free(x) if (x) { free(x); x = NULL; }
-
-#endif /* _NTLM_H_ */
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,421 +0,0 @@
-/*
- * win32_ntlm_auth: helper for NTLM Authentication for Squid Cache
- *
- * (C)2002,2003 Guido Serassio - Acme Consulting S.r.l.
- *
- * Authors:
- * Guido Serassio
- * Acme Consulting S.r.l., Italy
- *
- * With contributions from others mentioned in the change history section
- * below.
- *
- * Based on previous work of Francesco Chemolli and Robert Collins.
- *
- * Dependencies: Windows NT4 SP4 and later.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- * History:
- *
- * Version 1.21
- * 21-02-2004 Guido Serassio
- * Removed control of use of NTLM NEGOTIATE packet from
- * command line, now the support is automatic.
- * Version 1.20
- * 30-11-2003 Guido Serassio
- * Added support for NTLM local calls.
- * Added control of use of NTLM NEGOTIATE packet from
- * command line.
- * Updated documentation.
- * Version 1.10
- * 07-09-2003 Guido Serassio
- * Now is true NTLM authenticator.
- * More debug info.
- * Updated documentation.
- * Version 1.0
- * 29-06-2002 Guido Serassio
- * First release.
- *
- *
- */
-
-#include "util.h"
-#if HAVE_GETOPT_H
-#include
-#endif
-#include "ntlm.h"
-#if HAVE_CTYPE_H
-#include
-#endif
-
-#define BUFFER_SIZE 10240
-
-#ifdef NTLM_FAIL_OPEN
-int last_ditch_enabled = 0;
-#endif
-
-int debug_enabled = 0;
-int NTLM_packet_debug_enabled = 0;
-
-static int have_challenge;
-
-char * NTAllowedGroup;
-char * NTDisAllowedGroup;
-int UseDisallowedGroup = 0;
-int UseAllowedGroup = 0;
-#if FAIL_DEBUG
-int fail_debug_enabled = 0;
-#endif
-
-/* makes a null-terminated string upper-case. Changes CONTENTS! */
-void
-uc(char *string)
-{
- char *p = string, c;
- while ((c = *p)) {
- *p = toupper(c);
- p++;
- }
-}
-
-/* makes a null-terminated string lower-case. Changes CONTENTS! */
-static void
-lc(char *string)
-{
- char *p = string, c;
- while ((c = *p)) {
- *p = tolower(c);
- p++;
- }
-}
-
-void
-helperfail(const char *reason)
-{
-#if FAIL_DEBUG
- fail_debug_enabled =1;
-#endif
- SEND2("BH %s", reason);
-}
-
-/*
- options:
- -d enable debugging.
- -v enable verbose NTLM packet debugging.
- -l if specified, changes behavior on failures to last-ditch.
- -A can specify a Windows Local Group name allowed to authenticate.
- -D can specify a Windows Local Group name not allowed to authenticate.
- */
-char *my_program_name = NULL;
-
-void
-usage()
-{
- fprintf(stderr,
-#ifdef NTLM_FAIL_OPEN
- "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-l] [-h]\n"
-#else
- "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-h]\n"
-#endif
- " -d enable debugging.\n"
- " -v enable verbose NTLM packet debugging.\n"
-#ifdef NTLM_FAIL_OPEN
- " -l if specified, changes behavior on failures to last-ditch\n"
-#endif
- " -A specify a Windows Local Group name allowed to authenticate\n"
- " -D specify a Windows Local Group name not allowed to authenticate\n"
- " -h this message\n\n",
- my_program_name);
-}
-
-
-void
-process_options(int argc, char *argv[])
-{
- int opt, had_error = 0;
-
- opterr =0;
-#ifdef NTLM_FAIL_OPEN
- while (-1 != (opt = getopt(argc, argv, "hdvlA:D:"))) {
-#else
- while (-1 != (opt = getopt(argc, argv, "hdvA:D:"))) {
-#endif
- switch (opt) {
- case 'A':
- safe_free(NTAllowedGroup);
- NTAllowedGroup=xstrdup(optarg);
- UseAllowedGroup = 1;
- break;
- case 'D':
- safe_free(NTDisAllowedGroup);
- NTDisAllowedGroup=xstrdup(optarg);
- UseDisallowedGroup = 1;
- break;
-#ifdef NTLM_FAIL_OPEN
- case 'l':
- last_ditch_enabled = 1;
- break;
-#endif
- case 'd':
- debug_enabled = 1;
- break;
- case 'v':
- debug_enabled = 1;
- NTLM_packet_debug_enabled = 1;
- break;
- case 'h':
- usage();
- exit(0);
- case '?':
- opt = optopt;
- /* fall thru to default */
- default:
- fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
- usage();
- had_error = 1;
- }
- }
- if (had_error)
- exit(1);
-}
-
-
-const char *
-obtain_challenge(ntlm_negotiate * nego, int nego_length)
-{
- const char *ch = NULL;
-
- debug("attempting SSPI challenge retrieval\n");
- ch = SSP_MakeChallenge(nego, nego_length);
- if (ch) {
- debug("Got it\n");
- return ch; /* All went OK, returning */
- }
- return NULL;
-}
-
-
-int
-manage_request()
-{
- ntlmhdr *fast_header;
- char buf[BUFFER_SIZE];
- char helper_command[3];
- char *c, *decoded, *cred;
- int plen;
- int oversized = 0;
- char * ErrorMessage;
-
-try_again:
- if (fgets(buf, BUFFER_SIZE, stdin) == NULL)
- return 0;
-
- c = memchr(buf, '\n', BUFFER_SIZE); /* safer against overrun than strchr */
- if (c) {
- if (oversized) {
- helperfail("illegal request received");
- fprintf(stderr, "Illegal request received: '%s'\n", buf);
- return 1;
- }
- *c = '\0';
- } else {
- fprintf(stderr, "No newline in '%s'\n", buf);
- oversized = 1;
- goto try_again;
- }
- if ((strlen(buf) > 3) && NTLM_packet_debug_enabled) {
- decoded = base64_decode(buf + 3);
- strncpy(helper_command, buf, 2);
- debug("Got '%s' from Squid with data:\n", helper_command);
- hex_dump(decoded, ((strlen(buf) - 3) * 3) / 4);
- } else
- debug("Got '%s' from Squid\n", buf);
- if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */
- /* figure out what we got */
- if (strlen(buf) > 3)
- decoded = base64_decode(buf + 3);
- else
- decoded = base64_decode(ntlm_make_negotiate());
- /* Note: we don't need to manage memory at this point, since
- * base64_decode returns a pointer to static storage.
- */
- if (!decoded) { /* decoding failure, return error */
- SEND("NA Packet format error, couldn't base64-decode");
- return 1;
- }
- /* fast-track-decode request type. */
- fast_header = (struct _ntlmhdr *) decoded;
-
- /* sanity-check: it IS a NTLMSSP packet, isn't it? */
- if (memcmp(fast_header->signature, "NTLMSSP", 8) != 0) {
- SEND("NA Broken authentication packet");
- return 1;
- }
- switch (fast_header->type) {
- case NTLM_NEGOTIATE:
- /* Obtain challenge against SSPI */
- if (strlen(buf) > 3)
- plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here. Optimization */
- else
- plen = NEGOTIATE_LENGTH;
- if ((c = (char *) obtain_challenge((ntlm_negotiate *) decoded, plen)) != NULL )
- {
- if (NTLM_packet_debug_enabled) {
- printf("TT %s\n",c);
- decoded = base64_decode(c);
- debug("sending 'TT' to squid with data:\n");
- hex_dump(decoded, (strlen(c) * 3) / 4);
- if (NTLM_LocalCall)
- debug("NTLM Local Call detected\n");
- } else {
- SEND2("TT %s", c);
- }
- have_challenge = 1;
- } else
- helperfail("can't obtain challenge");
- return 1;
- /* notreached */
- case NTLM_CHALLENGE:
- SEND
- ("NA Got a challenge. We refuse to have our authority disputed");
- return 1;
- /* notreached */
- case NTLM_AUTHENTICATE:
- SEND("NA Got authentication request instead of negotiate request");
- return 1;
- /* notreached */
- default:
- helperfail("unknown refresh-request packet type");
- return 1;
- }
- return 1;
- }
- if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
- if (!have_challenge) {
- helperfail("invalid challenge");
- return 1;
- }
- /* figure out what we got */
- decoded = base64_decode(buf + 3);
- /* Note: we don't need to manage memory at this point, since
- * base64_decode returns a pointer to static storage.
- */
-
- if (!decoded) { /* decoding failure, return error */
- SEND("NA Packet format error, couldn't base64-decode");
- return 1;
- }
- /* fast-track-decode request type. */
- fast_header = (struct _ntlmhdr *) decoded;
-
- /* sanity-check: it IS a NTLMSSP packet, isn't it? */
- if (memcmp(fast_header->signature, "NTLMSSP", 8) != 0) {
- SEND("NA Broken authentication packet");
- return 1;
- }
- switch (fast_header->type) {
- case NTLM_NEGOTIATE:
- SEND("NA Invalid negotiation request received");
- return 1;
- /* notreached */
- case NTLM_CHALLENGE:
- SEND
- ("NA Got a challenge. We refuse to have our authority disputed");
- return 1;
- /* notreached */
- case NTLM_AUTHENTICATE:
- /* check against SSPI */
- plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here. Optimization */
- cred = ntlm_check_auth((ntlm_authenticate *) decoded, plen);
- have_challenge = 0;
- if (cred == NULL) {
-#if FAIL_DEBUG
- fail_debug_enabled =1;
-#endif
- switch (ntlm_errno) {
- case NTLM_BAD_NTGROUP:
- SEND("NA Incorrect Group Membership");
- return 1;
- case NTLM_BAD_REQUEST:
- SEND("NA Incorrect Request Format");
- return 1;
- case NTLM_SSPI_ERROR:
- FormatMessage(
- FORMAT_MESSAGE_ALLOCATE_BUFFER |
- FORMAT_MESSAGE_FROM_SYSTEM |
- FORMAT_MESSAGE_IGNORE_INSERTS,
- NULL,
- GetLastError(),
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
- (LPTSTR) &ErrorMessage,
- 0,
- NULL);
- if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
- ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
- if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
- ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
- SEND2("NA %s", ErrorMessage);
- LocalFree(ErrorMessage);
- return 1;
- default:
- SEND("NA Unknown Error");
- return 1;
- }
- }
- lc(cred); /* let's lowercase them for our convenience */
- SEND2("AF %s", cred);
- return 1;
- default:
- helperfail("unknown authentication packet type");
- return 1;
- }
- return 1;
- } else { /* not an auth-request */
- helperfail("illegal request received");
- fprintf(stderr, "Illegal request received: '%s'\n", buf);
- return 1;
- }
- helperfail("detected protocol error");
- return 1;
-/********* END ********/
-}
-
-int
-main(int argc, char *argv[])
-{
- my_program_name = argv[0];
-
- process_options(argc, argv);
-
- debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name);
-
- if (LoadSecurityDll(SSP_NTLM, NTLM_PACKAGE_NAME) == NULL) {
- fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n");
- exit(1);
- }
- debug("SSPI initialized OK\n");
-
- atexit(UnloadSecurityDll);
-
- /* initialize FDescs */
- setbuf(stdout, NULL);
- setbuf(stderr, NULL);
-
- while (manage_request()) {
- /* everything is done within manage_request */
- }
- exit(0);
-}
--- squid/helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,70 +0,0 @@
-win32_ntlm_auth.exe
-
-Native Windows NTLM/NTLMv2 authenticator for Squid 2.5 with
-automatic support for NTLM NEGOTIATE packets.
-
-=====
-Usage
-=====
-
-win32_ntlm_auth [-d] [-v] [-A|D LocalUserGroup] [-h]
-
--d enables debugging.
--v enables verbose NTLM packet debugging.
--A specify a Windows Local Group name allowed to authenticate.
--D specify a Windows Local Group name not allowed to authenticate.
--h print program usage
-
-This is released under the GNU General Public License
-
-==============
-Allowing Users
-==============
-
-Users that are allowed to access the web proxy must have the Windows NT
-User Rights "logon from the network".
-Optionally the authenticator can verify the NT LOCAL group membership of
-the user against the User Group specified in the Authenticator's command
-line.
-This can be accomplished creating a local user group on the NT machine,
-grant the privilege, and adding users to it, it works only with MACHINE
-Local Groups, not Domain Local Groups.
-Better group checking is available with External Acl, see win32_check_group
-documentation.
-
-The use of NTLM NEGOTIATE packet allow full NTLM/NTLMv2 support, but
-Squid too must be configured to use NTLM NEGOTIATE, see squid.conf.
-
-Squid.conf typical minimal required changes:
-
-auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
-auth_param ntlm children 5
-auth_param ntlm max_challenge_reuses 0
-auth_param ntlm max_challenge_lifetime 2 minutes
-auth_param ntlm use_ntlm_negotiate on
-
-acl password proxy_auth REQUIRED
-
-http_access allow password
-http_access deny all
-
-When using "use_ntlm_negotiate on"
-max_challenge_reuses and max_challenge_lifetime parameters must be specified
-but they are are ignored.
-
-Refer to Squid documentation for more details.
-
-Currently Internet Explorer has some problems with ftp:// URLs when handling
-internal Squid FTP icons. The following squid.conf ACL works around this:
-
-acl internal_icons urlpath_regex -i /squid-internal-static/icons/
-
-http_access allow our_networks internal_icons <== BEFORE authentication ACL !!!
-
-
-===============
-Contact details
-===============
-
-To contact the maintainer of this package, e-mail on squidnt@acmeconsulting.it.
-The latest version may be found on http://www.acmeconsulting.it/SquidNT.htm.
--- squid/helpers/ntlm_auth/winbind/.cvsignore Wed Feb 14 01:15:52 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,2 +0,0 @@
-.cvsignore
-Makefile.in
--- squid/helpers/ntlm_auth/winbind/patches/.cvsignore Wed Feb 14 01:15:53 2007
+++ /dev/null Wed Feb 14 01:15:49 2007
@@ -1,2 +0,0 @@
-.cvsignore
-Makefile.in