---------------------
PatchSet 9693
Date: 2007/06/30 09:31:24
Author: amosjeffries
Branch: ipv6
Tag: (none)
Log:
Removing Legacy code from 2.5 attempt at IPv6
Patch kept and stored in branch website.
Members:
acconfig.h:1.3.6.6->1.3.6.7(DEAD)
doc/squid.8:1.1.42.1->1.1.42.2(DEAD)
doc/release-notes/release-2.5.html:1.7.6.1->1.7.6.2(DEAD)
doc/release-notes/release-2.5.sgml:1.7.6.1->1.7.6.2(DEAD)
helpers/basic_auth/winbind/Makefile.am:1.3.32.1->1.3.32.2(DEAD)
helpers/basic_auth/winbind/wb_basic_auth.c:1.6.32.1->1.6.32.2(DEAD)
helpers/basic_auth/winbind/wb_common.c:1.2.54.1->1.2.54.2(DEAD)
helpers/basic_auth/winbind/wbntlm.h:1.3.36.1->1.3.36.2(DEAD)
helpers/external_acl/winbind_group/Makefile.am:1.3.18.1->1.3.18.2(DEAD)
helpers/external_acl/winbind_group/readme.txt:1.2.20.1->1.2.20.2(DEAD)
helpers/external_acl/winbind_group/wb_check_group.c:1.7.6.1->1.7.6.2(DEAD)
helpers/external_acl/winbind_group/wb_common.c:1.2.52.1->1.2.52.2(DEAD)
helpers/external_acl/winbind_group/wb_common.h:1.1.14.1->1.1.14.2(DEAD)
helpers/external_acl/winbind_group/wbntlm.h:1.2.52.1->1.2.52.2(DEAD)
helpers/ntlm_auth/winbind/Makefile.am:1.2.54.1->1.2.54.2(DEAD)
helpers/ntlm_auth/winbind/wb_common.c:1.2.54.1->1.2.54.2(DEAD)
helpers/ntlm_auth/winbind/wb_ntlm_auth.c:1.7.14.1->1.7.14.2(DEAD)
helpers/ntlm_auth/winbind/wbntlm.h:1.2.54.1->1.2.54.2(DEAD)
helpers/ntlm_auth/winbind/patches/wb_common.patch:1.2.54.1->1.2.54.2(DEAD)
helpers/ntlm_auth/winbind/patches/winbind_nss_config.patch:1.2.54.1->1.2.54.2(DEAD)
include/samba/README.txt:1.1.12.1->1.1.12.2(DEAD)
include/samba/nsswitch/sys_nss.h:1.1.12.1->1.1.12.2(DEAD)
include/samba/nsswitch/winbind_nss_config.h:1.1.12.1->1.1.12.2(DEAD)
include/samba/nsswitch/winbindd_nss.h:1.1.12.1->1.1.12.2(DEAD)
scripts/RunAccel.in:1.2.6.1->1.2.6.2(DEAD)
src/ETag.c:1.3.6.1->1.3.6.2(DEAD)
src/cachemgr.c:1.3.6.4->1.3.6.5(DEAD)
src/client.c:1.3.6.4->1.3.6.5(DEAD)
src/wais.c:1.3.6.4->1.3.6.5(DEAD)
src/auth/basic/Makefile.am:1.2.26.2->1.2.26.3(DEAD)
src/auth/digest/Makefile.am:1.2.26.2->1.2.26.3(DEAD)
src/auth/ntlm/Makefile.am:1.2.26.2->1.2.26.3(DEAD)
src/fs/aufs/Makefile.am:1.2.26.1->1.2.26.2(DEAD)
src/fs/coss/Makefile.am:1.2.26.1->1.2.26.2(DEAD)
src/fs/diskd/Makefile.am:1.2.26.1->1.2.26.2(DEAD)
src/fs/null/Makefile.am:1.2.26.1->1.2.26.2(DEAD)
src/fs/ufs/Makefile.am:1.2.26.1->1.2.26.2(DEAD)
--- squid/acconfig.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,409 +0,0 @@
-/*
- * All configurable options are enabled by using --enable-....
- * when running configure. See configure --help for a list
- * of all available options.
- *
- * You are free to edit this file, but it will be overwritten
- * each time you run configure. You may need to edit this file
- * if configure falsely picks up a library function or structure
- * that doesn't really work on your system.
- *
- * Another way to block a function that should not be detected
- * is to
- * setenv ac_cv_func_ no
- * before running configure, as in
- * setenv ac_cv_func_setresuid no
- *
- * It is possible to enable some of the configurable options
- * by editing this file alone, but some of them requires changes
- * in the Makefiles, wich is done automatically by configure.
- *
- */
-
-#ifndef __CONFIGURE_H__
-#define __CONFIGURE_H__
-@TOP@
-/* $Id: acconfig.h,v 1.3.6.6 2005/02/10 02:40:02 hno Exp $ */
-
-/*
- * configure command line used to configure Squid
- */
-#undef SQUID_CONFIGURE_OPTIONS
-
-/*********************************
- * START OF CONFIGURABLE OPTIONS *
- *********************************/
-/*
- * If you are upset that the cachemgr.cgi form comes up with the hostname
- * field blank, then define this to getfullhostname()
- */
-#undef CACHEMGR_HOSTNAME
-
-/*
- * What default TCP port to use for HTTP listening?
- */
-#ifndef CACHE_HTTP_PORT
-#undef CACHE_HTTP_PORT
-#endif
-
-/*
- * What default UDP port to use for ICP listening?
- */
-#ifndef CACHE_ICP_PORT
-#undef CACHE_ICP_PORT
-#endif
-
-/* Define to do simple malloc debugging */
-#undef XMALLOC_DEBUG
-
-/* Define for log file trace of mem alloc/free */
-#undef MEM_GEN_TRACE
-
-/* Define to have malloc statistics */
-#undef XMALLOC_STATISTICS
-
-/* Define to have a detailed trace of memory allocations */
-#undef XMALLOC_TRACE
-
-#undef FORW_VIA_DB
-
-/* Defines how many threads aufs uses for I/O */
-#undef AUFS_IO_THREADS
-
-/*
- * If you want to use Squid's ICMP features (highly recommended!) then
- * define this. When USE_ICMP is defined, Squid will send ICMP pings
- * to origin server sites. This information is used in numerous ways:
- * - Sent in ICP replies so neighbor caches know how close
- * you are to the source.
- * - For finding the closest instance of a URN.
- * - With the 'test_reachability' option. Squid will return
- * ICP_OP_MISS_NOFETCH for sites which it cannot ping.
- */
-#undef USE_ICMP
-
-/*
- * Traffic management via "delay pools".
- */
-#undef DELAY_POOLS
-
-/*
- * If you want to log User-Agent request header values, define this.
- * By default, they are written to useragent.log in the Squid log
- * directory.
- */
-#undef USE_USERAGENT_LOG
-
-/*
- * If you want to log Referer request header values, define this.
- * By default, they are written to referer.log in the Squid log
- * directory.
- */
-#undef USE_REFERER_LOG
-
-/*
- * A dangerous feature which causes Squid to kill its parent process
- * (presumably the RunCache script) upon receipt of SIGTERM or SIGINT.
- * Use with caution.
- */
-#undef KILL_PARENT_OPT
-
-/* Define to enable SNMP monitoring of Squid */
-#undef SQUID_SNMP
-
-/*
- * Define to enable WCCP
- */
-#define USE_WCCP 1
-
-/*
- * Squid frequently calls gettimeofday() for accurate timestamping.
- * If you are concerned that gettimeofday() is called too often, and
- * could be causing performance degradation, then you can define
- * ALARM_UPDATES_TIME and cause Squid's clock to be updated at regular
- * intervals (one second) with ALARM signals.
- */
-#undef ALARM_UPDATES_TIME
-
-/*
- * Define this to include code which lets you specify access control
- * elements based on ethernet hardware addresses. This code uses
- * functions found in 4.4 BSD derviations (e.g. FreeBSD, ?).
- */
-#undef USE_ARP_ACL
-
-/*
- * Define this to include code for the Hypertext Cache Protocol (HTCP)
- */
-#undef USE_HTCP
-
-/*
- * Use Cache Digests for locating objects in neighbor caches. This
- * code is still semi-experimental.
- */
-#undef USE_CACHE_DIGESTS
-
-/*
- * Cache Array Routing Protocol
- */
-#undef USE_CARP
-
-/* Define if NTLM is allowed to fail gracefully when a helper has problems */
-#undef NTLM_FAIL_OPEN
-
-/********************************
- * END OF CONFIGURABLE OPTIONS *
- ********************************/
-
-/* Define if struct tm has tm_gmtoff member */
-#undef HAVE_TM_GMTOFF
-
-/* Define if struct mallinfo has mxfast member */
-#undef HAVE_EXT_MALLINFO
-
-/* Default FD_SETSIZE value */
-#undef DEFAULT_FD_SETSIZE
-
-/* Maximum number of open filedescriptors */
-#undef SQUID_MAXFD
-
-/* UDP send buffer size */
-#undef SQUID_UDP_SO_SNDBUF
-
-/* UDP receive buffer size */
-#undef SQUID_UDP_SO_RCVBUF
-
-/* TCP send buffer size */
-#undef SQUID_TCP_SO_SNDBUF
-
-/* TCP receive buffer size */
-#undef SQUID_TCP_SO_RCVBUF
-
-/* Host type from configure */
-#undef CONFIG_HOST_TYPE
-
-/* If we need to declare sys_errlist[] as external */
-#undef NEED_SYS_ERRLIST
-
-/* If gettimeofday is known to take only one argument */
-#undef GETTIMEOFDAY_NO_TZP
-
-/* If libresolv.a has been hacked to export _dns_ttl_ */
-#undef LIBRESOLV_DNS_TTL_HACK
-
-/* Define if struct ip has ip_hl member */
-#undef HAVE_IP_HL
-
-/* Define if your compiler supports prototyping */
-#undef HAVE_ANSI_PROTOTYPES
-
-/* Define if we should use GNU regex */
-#undef USE_GNUREGEX
-
-/* signed size_t, grr */
-#undef ssize_t
-
-/*
- * Yay! Another Linux brokenness. Its not good enough to know that
- * setresuid() exists, because RedHat 5.0 declare setresuid() but
- * doesn't implement it.
- */
-#undef HAVE_SETRESUID
-
-/* Define if you have struct rusage */
-#undef HAVE_STRUCT_RUSAGE
-
-/*
- * This makes warnings go away. If you have socklen_t defined in your
- * /usr/include files, then this should remain undef'd. Otherwise it
- * should be defined to int.
- */
-#undef socklen_t
-
-/*
- * By default (for now anyway) Squid includes options which allows
- * the cache administrator to violate the HTTP protocol specification
- * in terms of cache behaviour. Setting this to '0' will disable
- * such code.
- */
-#define HTTP_VIOLATIONS 1
-
-/*
- * Enable support for Transparent Proxy on systems using IP-Filter
- * address redirection. This provides "masquerading" support for non
- * Linux system.
- */
-#undef IPF_TRANSPARENT
-
-/*
- * Enable support for Transparent Proxy on systems using PF address
- * redirection. This provides "masquerading" support for OpenBSD.
- */
-#undef PF_TRANSPARENT
-
-/*
- * Enable code for assiting in finding memory leaks. Hacker stuff only.
- */
-#undef USE_LEAKFINDER
-
-/*
- * type of fd_set array
- */
-#undef fd_mask
-
-/*
- * If _res structure has nsaddr_list member
- */
-#undef HAVE_RES_NSADDR_LIST
-
-/*
- * If _res structure has ns_list member
- */
-#undef HAVE_RES_NS_LIST
-
-/*
- * Compile in support for Ident (RFC 931) lookups? Enabled by default.
- */
-#define USE_IDENT 1
-
-/*
- * If your system has statvfs(), and if it actually works!
- */
-#undef HAVE_STATVFS
-
-/*
- * If --disable-internal-dns was given to configure, then we'll use
- * the dnsserver processes instead.
- */
-#undef USE_DNSSERVERS
-
-/*
- * we check for the existance of struct mallinfo
- */
-#undef HAVE_STRUCT_MALLINFO
-
-/*
- * Some systems dont have va_copy */
-#undef HAVE_VA_COPY
-
-/*
- * Some systems support __va_copy */
-#undef HAVE___VA_COPY
-
-
-/*
- * Do we want to use truncate(2) or unlink(2)?
- */
-#undef USE_TRUNCATE
-
-/*
- * Allow underscores in host names
- */
-#undef ALLOW_HOSTNAME_UNDERSCORES
-
-/*
- * Use the heap-based replacement techniques
- */
-#undef HEAP_REPLACEMENT
-
-/*
- * message type for message queues
- */
-#undef mtyp_t
-
-/*
- * Define this to include code for SSL encryption.
- */
-#undef USE_SSL
-
-/*
- * Define this to make use of the OpenSSL libraries for
- * MD5 calculation rather than Squid's own MD5 implementation
- * or if building with SSL encryption (USE_SSL)
- */
-#undef USE_OPENSSL
-
-/* Define if you want to set the COSS membuf size */
-#undef COSS_MEMBUF_SZ
-
-/* Print stacktraces on fatal errors */
-#undef PRINT_STACK_TRACE
-
-/*
- * Define this if unlinkd is required
- * (strongly recommended for ufs storage type)
- */
-#undef USE_UNLINKD
-
-/*
- * Enable support for Transparent Proxy on Linux 2.4 systems
- */
-#undef LINUX_NETFILTER
-
-/*
- * Do we have unix sockets? (required for the winbind ntlm helper
- */
-#undef HAVE_UNIXSOCKET
-
-/*
- * Known-size integers
- */
-
-#undef int16_t
-
-#undef u_int16_t
-
-#undef int32_t
-
-#undef u_int32_t
-
-#undef int64_t
-
-#undef u_int64_t
-
-/* The number of bytes in a __int64. */
-#undef SIZEOF___INT64
-
-/* The number of bytes in a int16_t. */
-#undef SIZEOF_INT16_T
-
-/* The number of bytes in a int32_t. */
-#undef SIZEOF_INT32_T
-
-/* The number of bytes in a int64_t. */
-#undef SIZEOF_INT64_T
-
-/* The number of bytes in a off_t. */
-#undef SIZEOF_OFF_T
-
-/* The number of bytes in a size_t. */
-#undef SIZEOF_SIZE_T
-
-/* The number of bytes in a u_int16_t. */
-#undef SIZEOF_U_INT16_T
-
-/* The number of bytes in a u_int32_t. */
-#undef SIZEOF_U_INT32_T
-
-/* The number of bytes in a u_int64_t. */
-#undef SIZEOF_U_INT64_T
-
-/* The number of bytes in a uint16_t. */
-#undef SIZEOF_UINT16_T
-
-/* The number of bytes in a uint32_t. */
-#undef SIZEOF_UINT32_T
-
-/* The number of bytes in a uint64_t. */
-#undef SIZEOF_UINT64_T
-
-/*
- * Enable support for the X-Accelerator-Vary HTTP header
- */
-#undef X_ACCELERATOR_VARY
-
-#undef INET6
-
-@BOTTOM@
-
-#endif /* __CONFIGURE_H__ */
--- squid/doc/squid.8 Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,115 +0,0 @@
-.TH squid 8 "squid version 2.0"
-.\" Copyright and licensing information
-.\" goes here.
-.SH NAME
-squid \- proxy caching server
-.SH SYNOPSIS
-.B squid
-[
-.B \-dhsvzCDFNRVYX
-] [
-.BI \-f " config-file"
-] [
-\-[
-.B au
-]
-.I port
-] [
-.B \-k " signal"
-]
-.SH DESCRIPTION
-.B squid
-is a high-performance proxy caching server for web clients,
-supporting FTP, gopher, and HTTP data objects. Unlike traditional
-caching software,
-.B squid
-handles all requests in a single, non-blocking, I/O-driven process.
-.PP
-.B squid
-keeps meta data and especially hot objects cached in RAM,
-caches DNS lookups, supports non-blocking DNS lookups, and implements
-negative caching of failed requests.
-.PP
-.B squid
-supports SSL, extensive access controls, and full request
-logging. By using the lightweight Internet Cache Protocol,
-.B squid
-caches can be arranged in a hierarchy or mesh for additional
-bandwidth savings.
-.PP
-.B squid
-consists of a main server program squid, a Domain Name System
-lookup program dnsserver, some optional programs for rewriting
-requests and performing authentication, and some management and client
-tools. When squid starts up, it spawns a configurable number of
-dnsserver processes, each of which can perform a single, blocking
-Domain Name System (DNS) lookup. This reduces the amount of time the
-cache waits for DNS lookups.
-.PP
-.B squid
-is derived from the ARPA-funded Harvest Project
-http://harvest.cs.colorado.edu/
-.PP
-This manual page only lists the command line arguments. For details
-on how to configure
-.B squid
-see the file
-.BI /etc/squid/squid.conf,
-the FAQ included with the distribution
-and the documentation at the
-.B squid
-home page http://www.squid-cache.org
-.PP
-.SH OPTIONS
-.IP "-a port"
-Specify HTTP port number (default: 3128).
-.IP "-d level"
-Write debugging to stderr also.
-.IP "-f file"
-Use the given config-file instead of
-.I /etc/squid/squid.conf
-.IP -h
-Print help message.
-.IP "-k reconfigure | rotate | shutdown | interrupt | kill | debug | check | parse"
-Parse configuration file, then send signal to running copy
-(except -k parse) and exit.
-.IP -s
-Enable logging to syslog.
-.IP "-u port"
-Specify ICP port number (default: 3130), disable with 0.
-.IP -v
-Print version.
-.IP -z
-Create swap directories
-.IP -C
-Do not catch fatal signals.
-.IP -D
-Disable initial DNS tests.
-.IP -F
-Don't serve any requests until store is rebuilt.
-.IP -N
-No daemon mode.
-.IP -R
-Do not set REUSEADDR on port.
-.IP -V
-Virtual host httpd-accelerator.
-.IP -X
-Force full debugging.
-.IP -Y
-Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.
-.SH FILES
-.I /etc/squid/squid.conf
-.RS
-The main configuration file. You must initially make
-changes to this file for
-.B squid
-to work. For example, the default configuration does not
-allow access from any browser.
-
-.\" Could add the following sections:
-.\" .SH ENVIRONMENT
-.\" .SH DIAGNOSTICS
-.\" .SH BUGS
-.\" .SH AUTHOR
-.\" .SH SEE ALSO
-
--- squid/doc/release-notes/release-2.5.html Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,376 +0,0 @@
-
-
-
-
- Squid 2.5 release notes
-
-
-Squid 2.5 release notes
-
-Squid Developers
$Id: release-2.5.html,v 1.7.6.1 2005/02/10 02:40:06 hno Exp $
-
-This document contains the release notes for version 2.5 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.
-
-
-
-
-
-- Major rewrite of proxy authentication to support other schemes
-than basic. First in the line is NTLM support but others can
-easily be added (minimal digest is present). See the Programmers
-Guide for the internals.
-Thanks to the SAMBA team for some excellent collaboration on the
-NTLM support!
-(Robert Collins & Francesco Chemolli)
-- Optimized searching in proxy_auth and ident ACL types. Squid
-should now handle large access lists a lot more efficiently.
-(Francesco Chemolli)
-- Fixed forwarding/peer loop detection code (Brian Degenhardt) -
-now a peer is ignored if it turns out to be us, rather than
-committing suicide
-- Changed the internal URL code to obey appendDomain for
-internal objects if it needs appending. This fixes weirdnesses
-where a machine can think it is "foo.bar.com", and "foo" is
-requested.
-(Brian Degenhardt)
-- Added the use of Automake to create the Makefile.in's in the
-squid source tree. This will allow libtool in the future, and
-immediately allows better dependency tracking - with or
-without gcc - as well as the dist-all and distcheck targets
-for developers which respectively build a tar.gz and a tar.bz2
-distribution, and check that what will be distributed builds.
-(Robert Collins)
-- Added TOS and source address selection based on ACLs,
-written by Roger Venning. This allows administrators to set
-the TOS precedence bits and/or the source IP from a set of
-available IPs based upon some ACLs, generally to map different
-users to different outgoing links and traffic profiles.
-- Added 'max-conn' option to 'cache_peer'
-- Added SSL gatewaying support, allowing Squid to act as a SSL
-server in accelerator setups.
-- Many new authentication helpers.
-- no_cache now applies to cache hits as well as cache misses
-- the Gopher client in Squid has been significantly improved
-- Squid now sanity checks FTP data connections to ensure the
-connection is from the requested server. Can be disabled if
-needed by turning off the ftp_sanitycheck option.
-- external acl support. A mechanism where flexible ACL checks
-can be driven by external helpers. See the external_acl_type
-and acl external directives. (MARA Systems AB)
-- Countless other small things and fixes
-- HTML pages generated by Squid or CacheMgr as well as the
-ERR documents now contain a doctype declaration so that
-browsers know which HTML specification the document uses.
-In addition to that they have a new look
-(background-color, font) and are valid according to the HTML
-standards at www.w3.org.
-(Clemens Löser)
-- Login and password send to Basic auth helpers is now URL
-escaped to allow for spaces and other "odd" characters in
-logins and passwords
-- Proxy Authentication is no longer blindly forwarded to peer
-caches if not used locally. If forwarding of proxy authentication
-is desired then it must now be configured with the login=PASS
-cache_peer option.
-- Responses with Vary: in the header are now cached by squid.
-(Henrik Nordstrom).
-- Support for openBSD pf interface in interception mode.
-- It is now possible to send complex arguments to helpers
-by quoting the arguments by " and/or \
-- The directory structure has changed slightly. The squid binary
-has been moved into sbin, errors and icons into share/, and the libexec
-programs are now in libexec/ (was previously libexec/squid/). See
-configure --help for instructions on how to move these around to
-exacly where you want to have them in your system.
-
-
-
-
-
-
-
-- http_port
Allows ip address specification.
-- https_port
This is an option for use with SSL acceleration - it determines where squid listens for SSL requests.
-- ssl_unclean_shutdown
This is used to handle some bugs in browsers that don't fully support SSL.
-- tcp_incoming_address
This has been removed - use the http_port line to specify ip address's.
-- cache_peer
login= has been extended to allow pass through authentication, fixed password authentication and maximum connection limits.
-- hosts_file
Directs squid to read in a set of name-address associations upon startup and reconfiguration.
-- authenticate_program
-
-
- authenticate_children
-
-
- proxy_auth_realm
Removed. See auth_param.
-- auth_param
This replaces the authenticate_program directive. It allows configuration of multiple authentication helpers, one for each of the supported authentication schemes. Such schemes include "NTLM", "Digest (from RFC 2617)", and "Basic".
-- authenticate_cache_garbage_interval
This directive sets the garbage collection interval for the authentication cache.
-- external_acl_type
This directive configures the new external ACL Helper interface. VERY useful for authenticating by group membership - i.e. from an LDAP server or NT domain.
-- request_body_max_size
The default for this is now 0 - unlimited.
-- reply_body_max_size
Now multiple size limits are allowed based on ACL lists.
-- refresh_pattern
The default is now blank - users must uncomment the suggested default to use it. This allows the use of a blank refresh pattern if desired.
-- request_timeout
Raised the default to 5 minutes.
-- persistent_request_timeout
New directive - how long to wait after a reply is completed before closing the connection.
-- acl
New acl types
-
-- referer_regex (match Referer headers),
-- max_user_ip (limit concurrent IP's a single user may use)
-- rep_mime_type (filter replies based on their content type).
-- external (use an external helper)
-
-
-- http_reply_access
Limit HTTP replies based on ACL's. This is complementary to http_access.
-- tcp_outgoing_tos
-
-
- tcp_outgoing_ds
-
-
- tcp_outgoing_dscp
These three directives allow marking of outbound connections at the IP level - i.e. for choosing routes based on the usercode.
-- tcp_outgoing_address
Allows mapping of requests onto specific outbound IP address's.
-- anonymize_headers
Removed. See header_access.
-- header_access
Allow granular filtering of HTTP headers.
-- header_replace
Replace specific headers with custom values.
-- pipeline_prefetch
Now defaults to off for bandwidth management and access logging reasons.
-- vary_ignore_expire
Enables a workaround for web servers that immediately expire Varied objects because they think squid is unable to handle Vary:.
-- sleep_after_fork
Give the OS a small amount of time to accomodate the fork+exec used to launch helpers - if squid has a lot of virtual memory allocated the OS may run out of virtual memory during helper spawning otherwise.
-- reference_age
This has been removed - starting with Squid-2.4 this directive have had no effect and has now been fully removed to avoid confusion.
-- siteselect_timeout
This has been removed - it is not referenced anywhere in the source code.
-- minimum_retry_timeout
This has been removed - it is not referenced anywhere in the source code.
-- forward_timeout
New directive in 2.5.STABLE5 complement connect_timeout in
-management of timeouts while connecting to origin servers or peers
-- short_icon_urls
New directive in 2.5.STABLE5 to enable an alternative way of referring to icons in FTP directory listings etc.
-- acl urllogin
New acl type in 2.5.STABLE5 to match the login component of Internet style URLs (protocol://user:password@host/path/to/file)
-- balance_on_multiple_ip
New directive in 2.5.STABLE7 to make it possible to disable the automatic round-robin load balancing on multiple IP addresses normally done by Squid.
-- reply_header_max_size
New directive in 2.5.STABLE7 limiting the size of HTTP reply headers, similar to request_header_max_size but in the reply direction (from servers to clients). Default is 20KB.
-- acl req_hdr/resp_hdr
New acl types in 2.5.STABLE7 to match arbitrary HTTP headers, useful to block certain malware/spyware etc.
-- relaxed_http_parser
New directive in 2.5.STABLE8 to control how strict the HTTP parser should be.
-
-
-
-
-
-There is a few known issues and limitations in this version of Squid which we hope to correct in a later release
-
-
-- Bug
-#761
assertion failed: cbdata.c:249: "c->locks > 0" when using diskd
-- Bug
-#1193
Interception fails if intercepting multiple ports and Squid is not listening on the same ports
-- Bug
-#1094
cachemgr.cgi should have a built-in access control layer to prevent malicious use
-- Bug
-#649
Problems refreshing pages stored with 'vary' information
-- Bug
-#779
users going above their allowed IP count no longer logged in cache.log
-- Bug
-#1204
FTP listings uses "BASE HREF" much more than it needs to
-
-
-
-
-In addition there is a set of limitations in this version of Squid which we hope to correct later
-
-
-- Bug
-#1059
mime.conf and referenced icons must be within chroot
-- Bug
-#1033
CARP ignores cache_peer_access and cache_peer_domain
-- Bug
-#692
tcp_outgoing_address using an ident ACL does not work
-- Bug
-#581
acl max_user_ip and multiple authentication schemes
-- Bug
-#528
miss_access fails on "slow" acl types such as dst.
-- Bug
-#513
squid -F is starting server sockets to early
-- Bug
-#518
wb_auth fails on TRU64 and probably other 64 bit platforms
-- Bug
-#500
delay_pools stops working on -k reconfigure
-- Bug
-#457
does not handle swap.state corruption properly
-- Bug
-#410
unstable if runs out of disk space
-- Bug
-#355
diskd may appear slow on low loads
-
-
-
-
-
-
-
-- authentication now works in most access directives if
-first enforced in http_access
-- contrib files included in the distribution again
-- aufs bugfixes to address both stability and data
-corruption issues, and some aufs performance improvements.
-- now possible to specify acl values with spaces in them
-via the "include file" technique
-- winbind helpers updated to match Samba-2.2.7a and should
-work with Samba-2.2.6 or later (required). For compability with
-older Samba versions A new configure option --with-samba-sources=...
-has been added to allow you to specify which Samba version the
-helpers should be built for if different than the above versions.
-- squid_ldap_group updated to correctly handle LDAP groups
-- new experimental configure option --disable-hostname-checks to make Squid not validate that received hostnames are valid for use within HTTP. Required to participate in testbeds for international domain names etc.
-- several assertion or segmentation faults corrected
-- a large number of minor bugfixes. See the list of
-squid-2.5.STABLE1 patches and the
-ChangeLog file for details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-- several memory leaks corrected
-- segmentation fault if more than one deny_info corrected
-- Lithuanian error messages added
-- a crash related to ftpTimeout: timeout in SENT_PASV state corrected
-- http_reply_access deny now logs the request with
-TCP_DENIED to allow them to be accounted for properly in statistics
-- minimum_retry_timeout configuration directive removed. If
-you have this directive in your existing squid.conf you will
-need to remove the line.
-- Improvements to the (experimental) COSS storage scheme.
-- Updates to allow Squid to be compiled with GCC-3.3
-- POST now works well with NTLM and Digest authentication
-- http_header_access now works in combination with cache_peer
-- Most Squid generated errors are now logged as TCP_DENIED/XXX
-rather than TCP_MISS/XXX or NONE/XXX. This to work around issues
-relating to access controls.
-- external_acl_type concurrency= option renamed to children=
-to prepare for Squid-3 upgrade. The old syntax is still accepted
-but you may want to upgrade your configuration now to save you
-from the trouble when upgrading to Squid-3 later.
-- a large number of minor bugfixes. See the list of
-squid-2.5.STABLE3 patches and the
-ChangeLog file for details.
-
-
-
-
-
-
-
-- redirector interface modified to try to deal with login names
-containing spaces or other odd characters. This is accomplished
-by URL-encoding the login name before sent to redirectors. Note:
-Existing redirectors or their configuration may need to be slightly
-modified in how they process the ident column to support the new
-username format (only applies to redirectors looking into the username)
-- new forward_timeout option to complement connect_timeout in
-management of timeouts while connecting to origin servers or peers
-- various timeouts adjusted: connect_timeout 1 minute (was 2 minutes
-which is now forward_timeout), negative_dns_ttl 1 minute (was 5 minutes)
-and is now also used as minimum positive dns ttl, dns_timeout 2 minutes
-(was 5 minutes)
-- "short_icon_urls on" can be used to simplify the URLs used for
-icons etc to avoid issues with proxy host naming and authentication
-when requesting icons.
-- A new "urllogin" ACL type has been introducing allowing regex
-matches to the "login" component of Internet style URLs
-(protocol://user:password@host/path/to/file).
-- Squid now respects the Telnet protocol on connections to FTP
-servers. The ftp_telnet_protocol directice can be used to revert back
-to the old incorrect implementation.
-- Several NTLM related bugfixes and improvements fixing the problem
-of random auth popups and account lockouts. Support for the NEGOTIATE
-NTLM packet is also added to allow Samba-3.0.2 or later to negotiate the
-use of NTLMv2.
-- Several authentication related bugfixes to allow authentication
-to work in additional acl driven directives, correct an number
-of assertion or segmentation and some memory leaks.
-- The default mime.conf has been updated with many new mime types
-and a few minor corrections. In addition the download and view links
-is used more frequently to allow view/download of different ftp://
-contents regardless of their mime type assignment.
-- url_regex enhanced to allow matching of %00
-- a large number of minor and cosmetic bugfixes. See the list of
-squid-2.5.STABLE4 patches and the
-ChangeLog file for details.
-
-
-
-
-
-
-
-- Several "Assertion error" bugs fixed
-- Several "Segmentation fault" bugs fixes
-- Corrects a security issue in the old ntlm_auth NTLM helper
-used in transparent NTLM authentication to a NT domain without
-using samba.
-- Processing of Vary: * and Vary on error messages corrected
-- a large number of minor and cosmetic bugfixes. See the list of
-squid-2.5.STABLE5 patches and the
-ChangeLog file for details.
-
-
-
-
-
-
-
-- SNMP related Denial of Service issue corrected (CAN-2004-0918)
-- NTLM related bugfix noticed by the Samba group
-- UFS cache_dir bugfix to issue introduced in STABLE6 causing
-no objects to get cached in some configurations.
-- cache_effective_user now sets supplementary group list
-if cache_effective_group not set
-- cache_effective_group now used if specified even if not started
-as root. If you do not start Squid as root you may need to remove this
-directive from your squid.conf if not set correctly.
-- request_header_max_size directive corrected. You may need to increase
-this value after upgrading if set very low. The default have been increased
-from 10 KB to 20 KB which should be sufficient for most uses.
-- reply_header_max_size directive added
-- http_header_access & replace now support arbitrary headers,
-not only the well known headers known by Squid
-- new acl types req_hdr and resp_hdr to match arbitrary HTTP headers,
-useful to block certain malware/spyware etc.
-- new balance_on_multiple_ip squid.conf directive
-- a number of other minor and cosmetic bugfixes. See the list of
-squid-2.5.STABLE6 patches and the
-ChangeLog file for details.
-
-
-
-
-
-
-
-- Squid no longer closes all open filedescriptors. Previous Squid
-versions have for increased security closed any open filedescriptors left
-open by the process starting Squid, but this is not really our business
-and causes problems for certain libraries opening internal filedescriptors
-in some conditions (some SSL libraries, syslog, DNS resolver etc).
-- Configuration parser made more strict and consistent. Previously empty acl
-declarations were ignored in http_access causing some unexpected results.
-Now empty acl declarations are allowed (matching nothing) and http_access
-requires all listed acls to be defined.
-- A minor information leak in error messages due to malformed host
-names corrected
-- Several HTTP security fixes to prevent cache pollution attacks or theft
-of user confidential information. New relaxed_http_parser directive to control
-how strict the HTTP parser should be.
-- Buffer overflow fix in gopherToHTML.
-- Corrected a Segmentation fault on malformed WCCP packets.
-- squid_ldap_auth now sanity checks usernames
-- Corrected a Segmentation fault and other malfunctions on failed PUT/POST
-requests.
-- Properly handle oversized reply headers
-- a number of other minor and cosmetic bugfixes. See the list of
-squid-2.5.STABLE7 patches and the
-ChangeLog file for details.
-
-
-
-
-
--- squid/doc/release-notes/release-2.5.sgml Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,343 +0,0 @@
-
-
-Squid 2.5 release notes
-Squid Developers
-$Id: release-2.5.sgml,v 1.7.6.1 2005/02/10 02:40:07 hno Exp $
-
-
-This document contains the release notes for version 2.5 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.
-
-
-
-
-Key changes from squid 2.4:
-
-
- - Major rewrite of proxy authentication to support other schemes
- than basic. First in the line is NTLM support but others can
- easily be added (minimal digest is present). See the Programmers
- Guide for the internals.
- Thanks to the SAMBA team for some excellent collaboration on the
- NTLM support!
- (Robert Collins & Francesco Chemolli)
-
- Optimized searching in proxy_auth and ident ACL types. Squid
- should now handle large access lists a lot more efficiently.
- (Francesco Chemolli)
-
- Fixed forwarding/peer loop detection code (Brian Degenhardt) -
- now a peer is ignored if it turns out to be us, rather than
- committing suicide
-
- Changed the internal URL code to obey appendDomain for
- internal objects if it needs appending. This fixes weirdnesses
- where a machine can think it is "foo.bar.com", and "foo" is
- requested.
- (Brian Degenhardt)
-
- Added the use of Automake to create the Makefile.in's in the
- squid source tree. This will allow libtool in the future, and
- immediately allows better dependency tracking - with or
- without gcc - as well as the dist-all and distcheck targets
- for developers which respectively build a tar.gz and a tar.bz2
- distribution, and check that what will be distributed builds.
- (Robert Collins)
-
- Added TOS and source address selection based on ACLs,
- written by Roger Venning. This allows administrators to set
- the TOS precedence bits and/or the source IP from a set of
- available IPs based upon some ACLs, generally to map different
- users to different outgoing links and traffic profiles.
-
- Added 'max-conn' option to 'cache_peer'
-
- Added SSL gatewaying support, allowing Squid to act as a SSL
- server in accelerator setups.
-
- Many new authentication helpers.
-
- no_cache now applies to cache hits as well as cache misses
-
- the Gopher client in Squid has been significantly improved
-
- Squid now sanity checks FTP data connections to ensure the
- connection is from the requested server. Can be disabled if
- needed by turning off the ftp_sanitycheck option.
-
- external acl support. A mechanism where flexible ACL checks
- can be driven by external helpers. See the external_acl_type
- and acl external directives. (MARA Systems AB)
-
- Countless other small things and fixes
-
- HTML pages generated by Squid or CacheMgr as well as the
- ERR documents now contain a doctype declaration so that
- browsers know which HTML specification the document uses.
- In addition to that they have a new look
- (background-color, font) and are valid according to the HTML
- standards at www.w3.org.
- (Clemens Löser)
-
- Login and password send to Basic auth helpers is now URL
- escaped to allow for spaces and other "odd" characters in
- logins and passwords
-
- Proxy Authentication is no longer blindly forwarded to peer
- caches if not used locally. If forwarding of proxy authentication
- is desired then it must now be configured with the login=PASS
- cache_peer option.
-
- Responses with Vary: in the header are now cached by squid.
- (Henrik Nordstrom).
-
- Support for openBSD pf interface in interception mode.
-
- It is now possible to send complex arguments to helpers
- by quoting the arguments by " and/or \
-
- The directory structure has changed slightly. The squid binary
- has been moved into sbin, errors and icons into share/, and the libexec
- programs are now in libexec/ (was previously libexec/squid/). See
- configure --help for instructions on how to move these around to
- exacly where you want to have them in your system.
-
-
-Changes to squid.conf
-
-http_portAllows ip address specification.
-https_portThis is an option for use with SSL acceleration - it determines where squid listens for SSL requests.
-ssl_unclean_shutdownThis is used to handle some bugs in browsers that don't fully support SSL.
-tcp_incoming_addressThis has been removed - use the http_port line to specify ip address's.
-cache_peerlogin= has been extended to allow pass through authentication, fixed password authentication and maximum connection limits.
-hosts_fileDirects squid to read in a set of name-address associations upon startup and reconfiguration.
-authenticate_programauthenticate_children
proxy_auth_realmRemoved. See auth_param.
-auth_paramThis replaces the authenticate_program directive. It allows configuration of multiple authentication helpers, one for each of the supported authentication schemes. Such schemes include "NTLM", "Digest (from RFC 2617)", and "Basic".
-authenticate_cache_garbage_intervalThis directive sets the garbage collection interval for the authentication cache.
-external_acl_typeThis directive configures the new external ACL Helper interface. VERY useful for authenticating by group membership - i.e. from an LDAP server or NT domain.
-request_body_max_sizeThe default for this is now 0 - unlimited.
-reply_body_max_sizeNow multiple size limits are allowed based on ACL lists.
-refresh_patternThe default is now blank - users must uncomment the suggested default to use it. This allows the use of a blank refresh pattern if desired.
-request_timeoutRaised the default to 5 minutes.
-persistent_request_timeout New directive - how long to wait after a reply is completed before closing the connection.
-aclNew acl types- referer_regex (match Referer headers),
-
- max_user_ip (limit concurrent IP's a single user may use)
-
- rep_mime_type (filter replies based on their content type).
-
- external (use an external helper)
-http_reply_accessLimit HTTP replies based on ACL's. This is complementary to http_access.
-tcp_outgoing_tos
tcp_outgoing_ds
tcp_outgoing_dscpThese three directives allow marking of outbound connections at the IP level - i.e. for choosing routes based on the usercode.
-tcp_outgoing_addressAllows mapping of requests onto specific outbound IP address's.
-anonymize_headersRemoved. See header_access.
-header_accessAllow granular filtering of HTTP headers.
-header_replaceReplace specific headers with custom values.
-pipeline_prefetchNow defaults to off for bandwidth management and access logging reasons.
-vary_ignore_expireEnables a workaround for web servers that immediately expire Varied objects because they think squid is unable to handle Vary:.
-sleep_after_forkGive the OS a small amount of time to accomodate the fork+exec used to launch helpers - if squid has a lot of virtual memory allocated the OS may run out of virtual memory during helper spawning otherwise.
-reference_ageThis has been removed - starting with Squid-2.4 this directive have had no effect and has now been fully removed to avoid confusion.
-siteselect_timeoutThis has been removed - it is not referenced anywhere in the source code.
-minimum_retry_timeoutThis has been removed - it is not referenced anywhere in the source code.
-forward_timeoutNew directive in 2.5.STABLE5 complement connect_timeout in
-management of timeouts while connecting to origin servers or peers
-short_icon_urlsNew directive in 2.5.STABLE5 to enable an alternative way of referring to icons in FTP directory listings etc.
-acl urlloginNew acl type in 2.5.STABLE5 to match the login component of Internet style URLs (protocol://user:password@host/path/to/file)
-balance_on_multiple_ipNew directive in 2.5.STABLE7 to make it possible to disable the automatic round-robin load balancing on multiple IP addresses normally done by Squid.
-reply_header_max_sizeNew directive in 2.5.STABLE7 limiting the size of HTTP reply headers, similar to request_header_max_size but in the reply direction (from servers to clients). Default is 20KB.
-acl req_hdr/resp_hdrNew acl types in 2.5.STABLE7 to match arbitrary HTTP headers, useful to block certain malware/spyware etc.
-relaxed_http_parserNew directive in 2.5.STABLE8 to control how strict the HTTP parser should be.
-
-
-Known issues and limitations
-
-There is a few known issues and limitations in this version of Squid which we hope to correct in a later release
-
-
-Bug assertion failed: cbdata.c:249: "c->locks > 0" when using diskd
-Bug Interception fails if intercepting multiple ports and Squid is not listening on the same ports
-Bug cachemgr.cgi should have a built-in access control layer to prevent malicious use
-Bug Problems refreshing pages stored with 'vary' information
-Bug users going above their allowed IP count no longer logged in cache.log
-Bug FTP listings uses "BASE HREF" much more than it needs to
-
-
-
-
In addition there is a set of limitations in this version of Squid which we hope to correct later
-
-
-Bug mime.conf and referenced icons must be within chroot
-Bug CARP ignores cache_peer_access and cache_peer_domain
-Bug tcp_outgoing_address using an ident ACL does not work
-Bug acl max_user_ip and multiple authentication schemes
-Bug miss_access fails on "slow" acl types such as dst.
-Bug squid -F is starting server sockets to early
-Bug wb_auth fails on TRU64 and probably other 64 bit platforms
-Bug delay_pools stops working on -k reconfigure
-Bug does not handle swap.state corruption properly
-Bug unstable if runs out of disk space
-Bug diskd may appear slow on low loads
-
-
-Key changes squid-2.5.STABLE1 to 2.5.STABLE2:
-
-
-
- - authentication now works in most access directives if
- first enforced in http_access
-
- contrib files included in the distribution again
-
- aufs bugfixes to address both stability and data
- corruption issues, and some aufs performance improvements.
-
- now possible to specify acl values with spaces in them
- via the "include file" technique
-
- winbind helpers updated to match Samba-2.2.7a and should
- work with Samba-2.2.6 or later (required). For compability with
- older Samba versions A new configure option --with-samba-sources=...
- has been added to allow you to specify which Samba version the
- helpers should be built for if different than the above versions.
-
- squid_ldap_group updated to correctly handle LDAP groups
-
- new experimental configure option --disable-hostname-checks to make Squid not validate that received hostnames are valid for use within HTTP. Required to participate in testbeds for international domain names etc.
-
- several assertion or segmentation faults corrected
-
- a large number of minor bugfixes. See the list of and the file for details.
-
-
-Key changes squid-2.5.STABLE2 to 2.5.STABLE3:
-
-
-
- - a large number of minor bug fixes. See the list of and the file for details.
-
-
-Key changes squid-2.5.STABLE3 to 2.5.STABLE4:
-
-
-
- - several memory leaks corrected
-
- segmentation fault if more than one deny_info corrected
-
- Lithuanian error messages added
-
- a crash related to ftpTimeout: timeout in SENT_PASV state corrected
-
- http_reply_access deny now logs the request with
- TCP_DENIED to allow them to be accounted for properly in statistics
-
- minimum_retry_timeout configuration directive removed. If
- you have this directive in your existing squid.conf you will
- need to remove the line.
-
- Improvements to the (experimental) COSS storage scheme.
-
- Updates to allow Squid to be compiled with GCC-3.3
-
- POST now works well with NTLM and Digest authentication
-
- http_header_access now works in combination with cache_peer
-
- Most Squid generated errors are now logged as TCP_DENIED/XXX
- rather than TCP_MISS/XXX or NONE/XXX. This to work around issues
- relating to access controls.
-
- external_acl_type concurrency= option renamed to children=
- to prepare for Squid-3 upgrade. The old syntax is still accepted
- but you may want to upgrade your configuration now to save you
- from the trouble when upgrading to Squid-3 later.
-
- a large number of minor bugfixes. See the list of and the file for details.
-
-
-Key changes squid-2.5.STABLE4 to 2.5.STABLE5:
-
-
-
- - redirector interface modified to try to deal with login names
- containing spaces or other odd characters. This is accomplished
- by URL-encoding the login name before sent to redirectors. Note:
- Existing redirectors or their configuration may need to be slightly
- modified in how they process the ident column to support the new
- username format (only applies to redirectors looking into the username)
-
- new forward_timeout option to complement connect_timeout in
- management of timeouts while connecting to origin servers or peers
-
- various timeouts adjusted: connect_timeout 1 minute (was 2 minutes
- which is now forward_timeout), negative_dns_ttl 1 minute (was 5 minutes)
- and is now also used as minimum positive dns ttl, dns_timeout 2 minutes
- (was 5 minutes)
-
- "short_icon_urls on" can be used to simplify the URLs used for
- icons etc to avoid issues with proxy host naming and authentication
- when requesting icons.
-
- A new "urllogin" ACL type has been introducing allowing regex
- matches to the "login" component of Internet style URLs
- (protocol://user:password@host/path/to/file).
-
- Squid now respects the Telnet protocol on connections to FTP
- servers. The ftp_telnet_protocol directice can be used to revert back
- to the old incorrect implementation.
-
- Several NTLM related bugfixes and improvements fixing the problem
- of random auth popups and account lockouts. Support for the NEGOTIATE
- NTLM packet is also added to allow Samba-3.0.2 or later to negotiate the
- use of NTLMv2.
-
- Several authentication related bugfixes to allow authentication
- to work in additional acl driven directives, correct an number
- of assertion or segmentation and some memory leaks.
-
- The default mime.conf has been updated with many new mime types
- and a few minor corrections. In addition the download and view links
- is used more frequently to allow view/download of different ftp://
- contents regardless of their mime type assignment.
-
- url_regex enhanced to allow matching of %00
-
- a large number of minor and cosmetic bugfixes. See the list of and the file for details.
-
-
-Key changes squid-2.5.STABLE5 to 2.5.STABLE6:
-
-
-
- - Several "Assertion error" bugs fixed
-
- Several "Segmentation fault" bugs fixes
-
- Corrects a security issue in the old ntlm_auth NTLM helper
- used in transparent NTLM authentication to a NT domain without
- using samba.
-
- Processing of Vary: * and Vary on error messages corrected
-
- a large number of minor and cosmetic bugfixes. See the list of and the file for details.
-
-
-Key changes squid-2.5.STABLE6 to 2.5.STABLE7:
-
-
-
- - SNMP related Denial of Service issue corrected (CAN-2004-0918)
-
- NTLM related bugfix noticed by the Samba group
-
- UFS cache_dir bugfix to issue introduced in STABLE6 causing
- no objects to get cached in some configurations.
-
- cache_effective_user now sets supplementary group list
- if cache_effective_group not set
-
- cache_effective_group now used if specified even if not started
- as root. If you do not start Squid as root you may need to remove this
- directive from your squid.conf if not set correctly.
-
- request_header_max_size directive corrected. You may need to increase
- this value after upgrading if set very low. The default have been increased
- from 10 KB to 20 KB which should be sufficient for most uses.
-
- reply_header_max_size directive added
-
- http_header_access & replace now support arbitrary headers,
- not only the well known headers known by Squid
-
- new acl types req_hdr and resp_hdr to match arbitrary HTTP headers,
- useful to block certain malware/spyware etc.
-
- new balance_on_multiple_ip squid.conf directive
-
- a number of other minor and cosmetic bugfixes. See the list of and the file for details.
-
-
-Key changes squid-2.5.STABLE7 to 2.5.STABLE8:
-
-
-
- - Squid no longer closes all open filedescriptors. Previous Squid
- versions have for increased security closed any open filedescriptors left
- open by the process starting Squid, but this is not really our business
- and causes problems for certain libraries opening internal filedescriptors
- in some conditions (some SSL libraries, syslog, DNS resolver etc).
-
- Configuration parser made more strict and consistent. Previously empty acl
- declarations were ignored in http_access causing some unexpected results.
- Now empty acl declarations are allowed (matching nothing) and http_access
- requires all listed acls to be defined.
-
- A minor information leak in error messages due to malformed host
- names corrected
-
- Several HTTP security fixes to prevent cache pollution attacks or theft
- of user confidential information. New relaxed_http_parser directive to control
- how strict the HTTP parser should be.
-
- Buffer overflow fix in gopherToHTML.
-
- Corrected a Segmentation fault on malformed WCCP packets.
-
- squid_ldap_auth now sanity checks usernames
-
- Corrected a Segmentation fault and other malfunctions on failed PUT/POST
- requests.
-
- Properly handle oversized reply headers
-
- a number of other minor and cosmetic bugfixes. See the list of and the file for details.
-
-
-
-
--- squid/helpers/basic_auth/winbind/Makefile.am Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,10 +0,0 @@
-#
-# Makefile for the Squid Object Cache server
-#
-# $Id: Makefile.am,v 1.3.32.1 2005/02/10 02:40:48 hno Exp $
-#
-
-libexec_PROGRAMS = wb_auth
-wb_auth_SOURCES = wb_basic_auth.c wb_common.c wbntlm.h
-INCLUDES = -I$(top_srcdir)/include -I@SAMBASOURCES@
-LDADD = -L$(top_builddir)/lib -lmiscutil -lntlmauth $(XTRA_LIBS)
--- squid/helpers/basic_auth/winbind/wb_basic_auth.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,194 +0,0 @@
-/*
- * (C) 2000 Francesco Chemolli
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- */
-
-
-#include "wbntlm.h"
-#include "util.h"
-/* stdio.h is included in wbntlm.h */
-#include
-#include
-#include
-#include /* for gettimeofday */
-#include /* BUG: is this portable? */
-
-#include "nsswitch/winbind_nss_config.h"
-#include "nsswitch/winbindd_nss.h"
-
-char debug_enabled=0;
-char *myname;
-pid_t mypid;
-
-NSS_STATUS winbindd_request(int req_type,
- struct winbindd_request *request,
- struct winbindd_response *response);
-
-
-void do_authenticate(char *user, char *pass)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- NSS_STATUS winbindd_result;
-
- memset(&request,0,sizeof(struct winbindd_request));
- memset(&response,0,sizeof(struct winbindd_response));
-
- strncpy(request.data.auth.user,user,sizeof(fstring)-1);
- strncpy(request.data.auth.pass,pass,sizeof(fstring)-1);
-
- winbindd_result = winbindd_request(WINBINDD_PAM_AUTH,
- &request, &response);
- debug("winbindd result: %d\n",winbindd_result);
-
- if (winbindd_result==NSS_STATUS_SUCCESS) {
- SEND("OK");
- } else {
- SEND("ERR");
- }
-
- return; /* useless */
-}
-
-static void
-usage(char *program)
-{
- fprintf(stderr,"Usage: %s [-d] [-h]\n"
- " -d enable debugging\n"
- " -h this message\n",
- program);
-}
-
-void
-process_options(int argc, char *argv[])
-{
- int opt;
-
- opterr = 0;
- while (-1 != (opt = getopt(argc, argv, "dh"))) {
- switch (opt) {
- case 'd':
- debug_enabled = 1;
- break;
- case 'h':
- usage(argv[0]);
- exit(0);
- case '?':
- opt = optopt;
- /* fall thru to default */
- default:
- warn("Unknown option: -%c\n\n", opt);
- usage(argv[0]);
- exit(1);
- break; /* not reached */
- }
- }
- return;
-}
-
-int manage_request(void)
-{
- char buf[BUFFER_SIZE+1];
- int length;
- char *c, *user, *pass;
-
- if (fgets(buf, BUFFER_SIZE, stdin) == NULL)
- return 0;
-
- c=memchr(buf,'\n',BUFFER_SIZE);
- if (c) {
- *c = '\0';
- length = c-buf;
- } else {
- warn("Oversized message\n");
- fgets(buf, BUFFER_SIZE, stdin);
- SEND("ERR");
- return 1;
- }
-
- debug("Got '%s' from squid (length: %d).\n",buf,length);
-
- if (buf[0] == '\0') {
- warn("Invalid Request\n");
- SEND("ERR");
- return 1;
- }
-
- user=buf;
-
- pass=memchr(buf,' ',length);
- if (!pass) {
- warn("Password not found. Denying access\n");
- SEND("ERR");
- return 1;
- }
- *pass='\0';
- pass++;
-
- rfc1738_unescape(user);
- rfc1738_unescape(pass);
-
- do_authenticate(user,pass);
- return 1;
-}
-
-void
-check_winbindd()
-{
- NSS_STATUS r;
- int retry=10;
- struct winbindd_request request;
- struct winbindd_response response;
- do {
- r = winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response);
- if (r != NSS_STATUS_SUCCESS)
- retry--;
- } while (r != NSS_STATUS_SUCCESS && retry);
- if (r != NSS_STATUS_SUCCESS) {
- warn("Can't contact winbindd. Dying\n");
- exit(1);
- }
- if (response.data.interface_version != WINBIND_INTERFACE_VERSION) {
- warn("Winbind protocol mismatch. Align squid and samba. Dying\n");
- exit(1);
- }
-}
-
-
-int main (int argc, char ** argv)
-{
- if (argc > 0) { /* should always be true */
- myname=strrchr(argv[0],'/');
- if (myname==NULL)
- myname=argv[0];
- } else {
- myname="(unknown)";
- }
- mypid=getpid();
- process_options(argc, argv);
-
- debug("basic winbindd auth helper build " __DATE__ ", " __TIME__
- " starting up...\n");
- /* initialize FDescs */
- setbuf(stdout, NULL);
- setbuf(stderr, NULL);
-
- check_winbindd();
-
- while(manage_request()) {
- /* everything is done within manage_request */
- }
- return 0;
-}
--- squid/helpers/basic_auth/winbind/wb_common.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,398 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 2.0
-
- winbind client common code
-
- Copyright (C) Tim Potter 2000
- Copyright (C) Andrew Tridgell 2000
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
-*/
-
-#include "nsswitch/winbind_nss_config.h"
-#include "nsswitch/winbindd_nss.h"
-#include "config.h"
-
-
-/* Global variables. These are effectively the client state information */
-
-int winbindd_fd = -1; /* fd for winbindd socket */
-static char *excluded_domain;
-
-/* Free a response structure */
-
-void free_response(struct winbindd_response *response)
-{
- /* Free any allocated extra_data */
-
- if (response)
- SAFE_FREE(response->extra_data);
-}
-
-/*
- smbd needs to be able to exclude lookups for its own domain
-*/
-void winbind_exclude_domain(const char *domain)
-{
- SAFE_FREE(excluded_domain);
- excluded_domain = strdup(domain);
-}
-
-
-/* Initialise a request structure */
-
-void init_request(struct winbindd_request *request, int request_type)
-{
- static char *domain_env;
- static BOOL initialised;
-
- request->length = sizeof(struct winbindd_request);
-
- request->cmd = (enum winbindd_cmd)request_type;
- request->pid = getpid();
- request->domain[0] = '\0';
-
- if (!initialised) {
- initialised = True;
- domain_env = getenv(WINBINDD_DOMAIN_ENV);
- }
-
- if (domain_env) {
- strncpy(request->domain, domain_env,
- sizeof(request->domain) - 1);
- request->domain[sizeof(request->domain) - 1] = '\0';
- }
-}
-
-/* Initialise a response structure */
-
-void init_response(struct winbindd_response *response)
-{
- /* Initialise return value */
-
- response->result = WINBINDD_ERROR;
-}
-
-/* Close established socket */
-
-void close_sock(void)
-{
- if (winbindd_fd != -1) {
- close(winbindd_fd);
- winbindd_fd = -1;
- }
-}
-
-/* Connect to winbindd socket */
-
-int winbind_open_pipe_sock(void)
-{
- struct sockaddr_un sunaddr;
- static pid_t our_pid;
- struct stat st;
- pstring path;
-
- if (our_pid != getpid()) {
- close_sock();
- our_pid = getpid();
- }
-
- if (winbindd_fd != -1) {
- return winbindd_fd;
- }
-
- /* Check permissions on unix socket directory */
-
- if (lstat(WINBINDD_SOCKET_DIR, &st) == -1) {
- return -1;
- }
-
- if (!S_ISDIR(st.st_mode) ||
- (st.st_uid != 0 && st.st_uid != geteuid())) {
- return -1;
- }
-
- /* Connect to socket */
-
- strncpy(path, WINBINDD_SOCKET_DIR, sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- strncat(path, "/", sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- strncat(path, WINBINDD_SOCKET_NAME, sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- ZERO_STRUCT(sunaddr);
- sunaddr.sun_family = AF_UNIX;
- strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);
-
- /* If socket file doesn't exist, don't bother trying to connect
- with retry. This is an attempt to make the system usable when
- the winbindd daemon is not running. */
-
- if (lstat(path, &st) == -1) {
- return -1;
- }
-
- /* Check permissions on unix socket file */
-
- if (!S_ISSOCK(st.st_mode) ||
- (st.st_uid != 0 && st.st_uid != geteuid())) {
- return -1;
- }
-
- /* Connect to socket */
-
- if ((winbindd_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
- return -1;
- }
-
- if (connect(winbindd_fd, (struct sockaddr *)&sunaddr,
- sizeof(sunaddr)) == -1) {
- close_sock();
- return -1;
- }
-
- return winbindd_fd;
-}
-
-/* Write data to winbindd socket with timeout */
-
-int write_sock(void *buffer, int count)
-{
- int result, nwritten;
-
- /* Open connection to winbind daemon */
-
- restart:
-
- if (winbind_open_pipe_sock() == -1) {
- return -1;
- }
-
- /* Write data to socket */
-
- nwritten = 0;
-
- while(nwritten < count) {
- struct timeval tv;
- fd_set r_fds;
-
- /* Catch pipe close on other end by checking if a read()
- call would not block by calling select(). */
-
- FD_ZERO(&r_fds);
- FD_SET(winbindd_fd, &r_fds);
- ZERO_STRUCT(tv);
-
- if (select(winbindd_fd + 1, &r_fds, NULL, NULL, &tv) == -1) {
- close_sock();
- return -1; /* Select error */
- }
-
- /* Write should be OK if fd not available for reading */
-
- if (!FD_ISSET(winbindd_fd, &r_fds)) {
-
- /* Do the write */
-
- result = write(winbindd_fd,
- (char *)buffer + nwritten,
- count - nwritten);
-
- if ((result == -1) || (result == 0)) {
-
- /* Write failed */
-
- close_sock();
- return -1;
- }
-
- nwritten += result;
-
- } else {
-
- /* Pipe has closed on remote end */
-
- close_sock();
- goto restart;
- }
- }
-
- return nwritten;
-}
-
-/* Read data from winbindd socket with timeout */
-
-static int read_sock(void *buffer, int count)
-{
- int result = 0, nread = 0;
-
- /* Read data from socket */
-
- while(nread < count) {
-
- result = read(winbindd_fd, (char *)buffer + nread,
- count - nread);
-
- if ((result == -1) || (result == 0)) {
-
- /* Read failed. I think the only useful thing we
- can do here is just return -1 and fail since the
- transaction has failed half way through. */
-
- close_sock();
- return -1;
- }
-
- nread += result;
- }
-
- return result;
-}
-
-/* Read reply */
-
-int read_reply(struct winbindd_response *response)
-{
- int result1, result2 = 0;
-
- if (!response) {
- return -1;
- }
-
- /* Read fixed length response */
-
- if ((result1 = read_sock(response, sizeof(struct winbindd_response)))
- == -1) {
-
- return -1;
- }
-
- /* We actually send the pointer value of the extra_data field from
- the server. This has no meaning in the client's address space
- so we clear it out. */
-
- response->extra_data = NULL;
-
- /* Read variable length response */
-
- if (response->length > sizeof(struct winbindd_response)) {
- int extra_data_len = response->length -
- sizeof(struct winbindd_response);
-
- /* Mallocate memory for extra data */
-
- if (!(response->extra_data = malloc(extra_data_len))) {
- return -1;
- }
-
- if ((result2 = read_sock(response->extra_data, extra_data_len))
- == -1) {
- free_response(response);
- return -1;
- }
- }
-
- /* Return total amount of data read */
-
- return result1 + result2;
-}
-
-/*
- * send simple types of requests
- */
-
-NSS_STATUS winbindd_send_request(int req_type, struct winbindd_request *request)
-{
- struct winbindd_request lrequest;
-
- /* Check for our tricky environment variable */
-
- if (getenv(WINBINDD_DONT_ENV)) {
- return NSS_STATUS_NOTFOUND;
- }
-
- /* smbd may have excluded this domain */
- if (excluded_domain &&
- strcasecmp(excluded_domain, request->domain) == 0) {
- return NSS_STATUS_NOTFOUND;
- }
-
- if (!request) {
- ZERO_STRUCT(lrequest);
- request = &lrequest;
- }
-
- /* Fill in request and send down pipe */
-
- init_request(request, req_type);
-
- if (write_sock(request, sizeof(*request)) == -1) {
- return NSS_STATUS_UNAVAIL;
- }
-
- return NSS_STATUS_SUCCESS;
-}
-
-/*
- * Get results from winbindd request
- */
-
-NSS_STATUS winbindd_get_response(struct winbindd_response *response)
-{
- struct winbindd_response lresponse;
-
- if (!response) {
- ZERO_STRUCT(lresponse);
- response = &lresponse;
- }
-
- init_response(response);
-
- /* Wait for reply */
- if (read_reply(response) == -1) {
- return NSS_STATUS_UNAVAIL;
- }
-
- /* Throw away extra data if client didn't request it */
- if (response == &lresponse) {
- free_response(response);
- }
-
- /* Copy reply data from socket */
- if (response->result != WINBINDD_OK) {
- return NSS_STATUS_NOTFOUND;
- }
-
- return NSS_STATUS_SUCCESS;
-}
-
-/* Handle simple types of requests */
-
-NSS_STATUS winbindd_request(int req_type,
- struct winbindd_request *request,
- struct winbindd_response *response)
-{
- NSS_STATUS status;
-
- status = winbindd_send_request(req_type, request);
- if (status != NSS_STATUS_SUCCESS)
- return(status);
- return winbindd_get_response(response);
-}
--- squid/helpers/basic_auth/winbind/wbntlm.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,88 +0,0 @@
-/*
- * (C) 2000 Francesco Chemolli ,
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#ifndef _WBNTLM_H_
-#define _WBNTLM_H_
-
-#include "config.h"
-#include "ntlmauth.h"
-#include
-#include
-#include
-#include
-
-
-/*************** CONFIGURATION ***************/
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-/* the attempted entropy source. If it doesn't exist, random() is uesed */
-#define ENTROPY_SOURCE "/dev/urandom"
-
-/************* END CONFIGURATION *************/
-
-/* Debugging stuff */
-extern char *myname;
-static char *__foo;
-extern pid_t mypid;
-extern char debug_enabled;
-
-#ifdef DEBUG
-#define __DO_DEBUG 1
-#else
-#define __DO_DEBUG 0
-#endif
-
-#ifdef __GNUC__ /* this is really a gcc-ism */
-#define warn(X...) fprintf(stderr,"%s[%d](%s:%d): ", myname, mypid, \
- ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\
- __LINE__);\
- fprintf(stderr,X)
-#define debug(X...) if(__DO_DEBUG && debug_enabled) { warn(X); }
-#else /* __GNUC__ */
-static void
-debug(char *format,...)
-{
-}
-static void
-warn(char *format,...)
-{
-}
-#endif /* __GNUC__ */
-
-
-
-/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
-#ifdef __GNUC__
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); \
- printf(X "\n",Y)
-#else
-/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2 printf
-#endif
-
-typedef enum {
- YES,
- NO,
- DONTKNOW
-} tristate;
-
-#define CHALLENGE_LEN 8
-#define BUFFER_SIZE 2010
-
-#endif /* _WBNTLM_H_ */
--- squid/helpers/external_acl/winbind_group/Makefile.am Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,12 +0,0 @@
-#
-# Makefile for the wb_group external_acl helper
-#
-# $Id: Makefile.am,v 1.3.18.1 2005/02/10 02:40:50 hno Exp $
-#
-
-libexec_PROGRAMS = wb_group
-wb_group_SOURCES = wb_check_group.c wb_common.c wbntlm.h wb_common.h
-EXTRA_DIST = readme.txt
-INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_srcdir)/src -I@SAMBASOURCES@
-LDADD = -L$(top_builddir)/lib $(XTRA_LIBS)
--- squid/helpers/external_acl/winbind_group/readme.txt Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,87 +0,0 @@
-This is the README file for wb_group, an external
-helper fo the External ACL Scheme for Squid based on
-Samba Winbindd from Samba 2.2.4 or greater.
-
-
-This helper must be used in with an authentication scheme, tipically
-basic or NTLM, based on Windows NT/2000 domain users.
-It reads from the standard input the domain username and a list of groups
-and tries to match it against the groups membership of the specified
-username.
-
-Before compile or configure it, look at the Squid winbind authenticators
-instructions: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
-
-When used in Windows 2000 domains, permissions compatible with pre-Windows
-2000 servers are required. See the Q257988 Microsoft KB article for more
-details.
-
-
-==============
-Program Syntax
-==============
-
-wb_group [-c][-d][-h]
-
--c use case insensitive compare
--d enable debugging
--h this message
-
-
-================
-squid.conf usage
-================
-
-external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group
-
-acl ProxyUsers external NT_global_group ProxyUsers
-acl password proxy_auth REQUIRED
-
-http_access allow password ProxyUsers
-http_access deny all
-
-In the previous example all validated NT users member of ProxyUsers Global
-domain group are allowed to use the cache.
-
-Groups name can be specified in both domain-qualified group notation
-(DOMAIN\Groupname) or simple group name notation.
-
-Groups with spaces in name, for example "Domain Users", must be quoted and
-the acl data ("Domain Users") must be placed into a separate file included
-by specifying "/path/to/file". The previous example will be:
-
-acl ProxyUsers external NT_global_group "/usr/local/squid/etc/DomainUsers"
-
-and the DomainUsers files will contain only the following line:
-
-"Domain Users"
-
-NOTE: the standard group name comparation is case sensitive, so group name
-must be specified with same case as in the NT/2000 Domain.
-It's possible to enable not case sensitive group name comparation (-c),
-but on on some non - English locales, the results can be unexpected.
-For details see toupper man page, BUGS section.
-
-
-=======
-Testing
-=======
-
-I strongly urge that wb_group is tested prior to being used in a
-production environment. It may behave differently on different platforms.
-To test it, run it from the command line. Enter username and group
-pairs separated by a space (username must entered with domain\\username
-syntax). Press ENTER to get an OK or ERR message.
-Make sure pressing behaves the same as a carriage return.
-Make sure pressing aborts the program.
-
-Test that entering no details does not result in an OK or ERR message.
-Test that entering an invalid username and group results in an ERR message.
-Test that entering an valid username and group results in an OK message.
-
-To check winbind functionality use wbinfo provided with Samba,
-try -t, -g and -r options.
-
---
-Serassio Guido
-guido.serassio@acmeconsulting.it
--- squid/helpers/external_acl/winbind_group/wb_check_group.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,393 +0,0 @@
-/*
- * winbind_group: lookup group membership in a Windows NT/2000 domain
- *
- * (C)2002,2003 Guido Serassio - Acme Consulting S.r.l.
- *
- * Authors:
- * Guido Serassio
- * Acme Consulting S.r.l., Italy
- *
- * With contributions from others mentioned in the change history section
- * below.
- *
- * In part based on check_group by Rodrigo Albani de Campos and wbinfo
- * from Samba Project.
- *
- * Dependencies: Samba 2.2.4 or later with Winbindd.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- * History:
- *
- * Version 1.20
- * 10-05-2003 Roberto Moreda
- * Added support for domain-qualified group Microsoft notation
- * (DOMAIN\Groupname).
- * Guido Serassio
- * More debug info.
- * Updated documentation.
- * Version 1.10
- * 26-04-2003 Guido Serassio
- * Added option for case insensitive group name comparation.
- * More debug info.
- * Updated documentation.
- * 21-03-2003 Nicolas Chaillot
- * Segfault bug fix (Bugzilla #574)
- * Version 1.0
- * 02-07-2002 Guido Serassio
- * Using the main function from check_group and sections
- * from wbinfo wrote winbind_group
- *
- * This is a helper for the external ACL interface for Squid Cache
- *
- * It reads from the standard input the domain username and a list of
- * groups and tries to match it against the groups membership of the
- * specified username.
- *
- * Returns `OK' if the user belongs to a group or `ERR' otherwise, as
- * described on http://devel.squid-cache.org/external_acl/config.html
- *
- */
-#include "wbntlm.h"
-#include "util.h"
-
-#include
-#include
-#include
-#include
-#include
-
-#include "nsswitch/winbind_nss_config.h"
-#include "nsswitch/winbindd_nss.h"
-#include "wb_common.h"
-
-#define BUFSIZE 8192 /* the stdin buffer size */
-char debug_enabled=0;
-const char *myname;
-pid_t mypid;
-static int use_case_insensitive_compare=0;
-
-static char *
-strwordtok(char *buf, char **t)
-{
- unsigned char *word = NULL;
- unsigned char *p = (unsigned char *) buf;
- unsigned char *d;
- unsigned char ch;
- int quoted = 0;
- if (!p)
- p = (unsigned char *) *t;
- if (!p)
- goto error;
- while (*p && isspace(*p))
- p++;
- if (!*p)
- goto error;
- word = d = p;
- while ((ch = *p)) {
- switch (ch) {
- case '\\':
- p++;
- *d++ = ch = *p;
- if (ch)
- p++;
- break;
- case '"':
- quoted = !quoted;
- p++;
- break;
- default:
- if (!quoted && isspace(*p)) {
- p++;
- goto done;
- }
- *d++ = *p++;
- break;
- }
- }
- done:
- *d++ = '\0';
- error:
- *t = (char *) p;
- return (char *) word;
-}
-
-
-static int strCaseCmp (const char *s1, const char *s2)
-{
- while (*s1 && toupper (*s1) == toupper (*s2)) s1++, s2++;
- return *s1 - *s2;
-}
-
-/* Convert sid to string */
-
-static char * wbinfo_lookupsid(char * group, char *sid)
-{
- struct winbindd_request request;
- struct winbindd_response response;
-
- memset(&request,0,sizeof(struct winbindd_request));
- memset(&response,0,sizeof(struct winbindd_response));
-
- /* Send off request */
-
- strncpy(request.data.sid, sid,sizeof(fstring)-1);
-
- if (winbindd_request(WINBINDD_LOOKUPSID, &request, &response) !=
- NSS_STATUS_SUCCESS)
- return NULL;
-
- /* Display response */
-
- strcpy(group,response.data.name.dom_name);
- strcat(group,"\\");
- strcat(group,response.data.name.name);
- return group;
-}
-
-/* Convert gid to sid */
-
-static char * wbinfo_gid_to_sid(char * sid, gid_t gid)
-{
- struct winbindd_request request;
- struct winbindd_response response;
-
- memset(&request,0,sizeof(struct winbindd_request));
- memset(&response,0,sizeof(struct winbindd_response));
-
- /* Send request */
-
- request.data.gid = gid;
-
- if (winbindd_request(WINBINDD_GID_TO_SID, &request, &response) !=
- NSS_STATUS_SUCCESS)
- return NULL;
-
- /* Display response */
-
- strcpy(sid, response.data.sid.sid);
-
- return sid;
-}
-
-/* returns 0 on match, -1 if no match */
-static inline int strcmparray(const char *str, const char **array)
-{
- const char *wgroup;
-
- while (*array) {
- /* If the groups we want to match are specified as 'group', and
- * not as 'DOMAIN\group' we strip the domain from the group to
- * match against */
- if (strstr(*array,"\\") == NULL) {
- wgroup = strstr(str,"\\") + 1;
- debug("Stripping domain from group name %s\n", str);
- } else {
- wgroup = str;
- }
-
- debug("Windows group: %s, Squid group: %s\n", wgroup, *array);
- if ((use_case_insensitive_compare ? strCaseCmp(wgroup, *array) : strcmp(wgroup, *array)) == 0)
- return 0;
- array++;
- }
- return -1;
-}
-
-/* returns 1 on success, 0 on failure */
-static int
-Valid_Groups(char *UserName, const char **UserGroups)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- NSS_STATUS result;
- int i;
- char sid[FSTRING_LEN];
- char group[FSTRING_LEN];
- int match = 0;
-
- memset(&request,0,sizeof(struct winbindd_request));
- memset(&response,0,sizeof(struct winbindd_response));
-
- /* Send request */
-
- strncpy(request.data.username,UserName,sizeof(fstring)-1);
-
- result = winbindd_request(WINBINDD_GETGROUPS, &request, &response);
-
- if (result != NSS_STATUS_SUCCESS) {
- warn("Warning: Can't enum user groups.\n");
- return match;
- }
-
- for (i = 0; i < response.data.num_entries; i++) {
- if ((wbinfo_gid_to_sid(sid, (int)((gid_t *)response.extra_data)[i])) != NULL) {
- debug("SID: %s\n", sid);
- if (wbinfo_lookupsid(group,sid) == NULL) {
- warn("Can't lookup group SID.\n");
- break;
- }
- if (strcmparray(group, UserGroups) == 0) {
- match = 1;
- break;
- }
- } else {
- return match;
- }
- }
- SAFE_FREE(response.extra_data);
-
- return match;
-}
-
-static void
-usage(char *program)
-{
- fprintf(stderr,"Usage: %s [-c] [-d] [-h]\n"
- " -c use case insensitive compare\n"
- " -d enable debugging\n"
- " -h this message\n",
- program);
-}
-
-static void
-process_options(int argc, char *argv[])
-{
- int opt;
-
- opterr = 0;
- while (-1 != (opt = getopt(argc, argv, "cdh"))) {
- switch (opt) {
- case 'c':
- use_case_insensitive_compare = 1;
- break;
- case 'd':
- debug_enabled = 1;
- break;
- case 'h':
- usage(argv[0]);
- exit(0);
- case '?':
- opt = optopt;
- /* fall thru to default */
- default:
- warn("Unknown option: -%c\n\n", opt);
- usage(argv[0]);
- exit(1);
- break; /* not reached */
- }
- }
- return;
-}
-
-void
-check_winbindd()
-{
- NSS_STATUS r;
- int retry=10;
- struct winbindd_request request;
- struct winbindd_response response;
- do {
- r = winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response);
- if (r != NSS_STATUS_SUCCESS)
- retry--;
- } while (r != NSS_STATUS_SUCCESS && retry);
- if (r != NSS_STATUS_SUCCESS) {
- warn("Can't contact winbindd. Dying\n");
- exit(1);
- }
- if (response.data.interface_version != WINBIND_INTERFACE_VERSION) {
- warn("Winbind protocol mismatch. Align squid and samba. Dying\n");
- exit(1);
- }
-}
-
-int
-main (int argc, char *argv[])
-{
- char *p, *t;
- char buf[BUFSIZE];
- char *username;
- char *group;
- int err = 0;
- const char *groups[512];
- int n;
-
- if (argc > 0) { /* should always be true */
- myname=strrchr(argv[0],'/');
- if (myname==NULL)
- myname=argv[0];
- } else {
- myname="(unknown)";
- }
- mypid=getpid();
-
- /* make standard output line buffered */
- setvbuf (stdout, NULL, _IOLBF, 0);
-
- /* Check Command Line */
- process_options(argc, argv);
-
- debug("External ACL winbindd group helper build " __DATE__ ", " __TIME__
- " starting up...\n");
- if (use_case_insensitive_compare)
- debug("Warning: running in case insensitive mode !!!\n");
-
- check_winbindd();
-
- /* Main Loop */
- while (fgets (buf, BUFSIZE, stdin))
- {
- if (NULL == strchr(buf, '\n')) {
- err = 1;
- continue;
- }
- if (err) {
- warn("Oversized message\n");
- goto error;
- }
-
- if ((p = strchr(buf, '\n')) != NULL)
- *p = '\0'; /* strip \n */
- if ((p = strchr(buf, '\r')) != NULL)
- *p = '\0'; /* strip \r */
-
- debug("Got '%s' from Squid (length: %d).\n",buf,strlen(buf));
-
- if (buf[0] == '\0') {
- warn("Invalid Request\n");
- goto error;
- }
-
- username = strwordtok(buf, &t);
- for (n = 0; (group = strwordtok(NULL, &t)) != NULL; n++)
- groups[n] = group;
- groups[n] = NULL;
-
- if (NULL == username) {
- warn("Invalid Request\n");
- goto error;
- }
-
- if (Valid_Groups(username, groups)) {
- printf ("OK\n");
- } else {
-error:
- printf ("ERR\n");
- }
- err = 0;
- }
- return 0;
-}
--- squid/helpers/external_acl/winbind_group/wb_common.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,399 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 2.0
-
- winbind client common code
-
- Copyright (C) Tim Potter 2000
- Copyright (C) Andrew Tridgell 2000
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
-*/
-
-#include "nsswitch/winbind_nss_config.h"
-#include "nsswitch/winbindd_nss.h"
-#include "config.h"
-#include "wb_common.h"
-
-
-/* Global variables. These are effectively the client state information */
-
-int winbindd_fd = -1; /* fd for winbindd socket */
-static char *excluded_domain;
-
-/* Free a response structure */
-
-void free_response(struct winbindd_response *response)
-{
- /* Free any allocated extra_data */
-
- if (response)
- SAFE_FREE(response->extra_data);
-}
-
-/*
- smbd needs to be able to exclude lookups for its own domain
-*/
-void winbind_exclude_domain(const char *domain)
-{
- SAFE_FREE(excluded_domain);
- excluded_domain = strdup(domain);
-}
-
-
-/* Initialise a request structure */
-
-void init_request(struct winbindd_request *request, int request_type)
-{
- static char *domain_env;
- static BOOL initialised;
-
- request->length = sizeof(struct winbindd_request);
-
- request->cmd = (enum winbindd_cmd)request_type;
- request->pid = getpid();
- request->domain[0] = '\0';
-
- if (!initialised) {
- initialised = True;
- domain_env = getenv(WINBINDD_DOMAIN_ENV);
- }
-
- if (domain_env) {
- strncpy(request->domain, domain_env,
- sizeof(request->domain) - 1);
- request->domain[sizeof(request->domain) - 1] = '\0';
- }
-}
-
-/* Initialise a response structure */
-
-void init_response(struct winbindd_response *response)
-{
- /* Initialise return value */
-
- response->result = WINBINDD_ERROR;
-}
-
-/* Close established socket */
-
-void close_sock(void)
-{
- if (winbindd_fd != -1) {
- close(winbindd_fd);
- winbindd_fd = -1;
- }
-}
-
-/* Connect to winbindd socket */
-
-int winbind_open_pipe_sock(void)
-{
- struct sockaddr_un sunaddr;
- static pid_t our_pid;
- struct stat st;
- pstring path;
-
- if (our_pid != getpid()) {
- close_sock();
- our_pid = getpid();
- }
-
- if (winbindd_fd != -1) {
- return winbindd_fd;
- }
-
- /* Check permissions on unix socket directory */
-
- if (lstat(WINBINDD_SOCKET_DIR, &st) == -1) {
- return -1;
- }
-
- if (!S_ISDIR(st.st_mode) ||
- (st.st_uid != 0 && st.st_uid != geteuid())) {
- return -1;
- }
-
- /* Connect to socket */
-
- strncpy(path, WINBINDD_SOCKET_DIR, sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- strncat(path, "/", sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- strncat(path, WINBINDD_SOCKET_NAME, sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- ZERO_STRUCT(sunaddr);
- sunaddr.sun_family = AF_UNIX;
- strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);
-
- /* If socket file doesn't exist, don't bother trying to connect
- with retry. This is an attempt to make the system usable when
- the winbindd daemon is not running. */
-
- if (lstat(path, &st) == -1) {
- return -1;
- }
-
- /* Check permissions on unix socket file */
-
- if (!S_ISSOCK(st.st_mode) ||
- (st.st_uid != 0 && st.st_uid != geteuid())) {
- return -1;
- }
-
- /* Connect to socket */
-
- if ((winbindd_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
- return -1;
- }
-
- if (connect(winbindd_fd, (struct sockaddr *)&sunaddr,
- sizeof(sunaddr)) == -1) {
- close_sock();
- return -1;
- }
-
- return winbindd_fd;
-}
-
-/* Write data to winbindd socket with timeout */
-
-int write_sock(void *buffer, int count)
-{
- int result, nwritten;
-
- /* Open connection to winbind daemon */
-
- restart:
-
- if (winbind_open_pipe_sock() == -1) {
- return -1;
- }
-
- /* Write data to socket */
-
- nwritten = 0;
-
- while(nwritten < count) {
- struct timeval tv;
- fd_set r_fds;
-
- /* Catch pipe close on other end by checking if a read()
- call would not block by calling select(). */
-
- FD_ZERO(&r_fds);
- FD_SET(winbindd_fd, &r_fds);
- ZERO_STRUCT(tv);
-
- if (select(winbindd_fd + 1, &r_fds, NULL, NULL, &tv) == -1) {
- close_sock();
- return -1; /* Select error */
- }
-
- /* Write should be OK if fd not available for reading */
-
- if (!FD_ISSET(winbindd_fd, &r_fds)) {
-
- /* Do the write */
-
- result = write(winbindd_fd,
- (char *)buffer + nwritten,
- count - nwritten);
-
- if ((result == -1) || (result == 0)) {
-
- /* Write failed */
-
- close_sock();
- return -1;
- }
-
- nwritten += result;
-
- } else {
-
- /* Pipe has closed on remote end */
-
- close_sock();
- goto restart;
- }
- }
-
- return nwritten;
-}
-
-/* Read data from winbindd socket with timeout */
-
-static int read_sock(void *buffer, int count)
-{
- int result = 0, nread = 0;
-
- /* Read data from socket */
-
- while(nread < count) {
-
- result = read(winbindd_fd, (char *)buffer + nread,
- count - nread);
-
- if ((result == -1) || (result == 0)) {
-
- /* Read failed. I think the only useful thing we
- can do here is just return -1 and fail since the
- transaction has failed half way through. */
-
- close_sock();
- return -1;
- }
-
- nread += result;
- }
-
- return result;
-}
-
-/* Read reply */
-
-int read_reply(struct winbindd_response *response)
-{
- int result1, result2 = 0;
-
- if (!response) {
- return -1;
- }
-
- /* Read fixed length response */
-
- if ((result1 = read_sock(response, sizeof(struct winbindd_response)))
- == -1) {
-
- return -1;
- }
-
- /* We actually send the pointer value of the extra_data field from
- the server. This has no meaning in the client's address space
- so we clear it out. */
-
- response->extra_data = NULL;
-
- /* Read variable length response */
-
- if (response->length > sizeof(struct winbindd_response)) {
- int extra_data_len = response->length -
- sizeof(struct winbindd_response);
-
- /* Mallocate memory for extra data */
-
- if (!(response->extra_data = malloc(extra_data_len))) {
- return -1;
- }
-
- if ((result2 = read_sock(response->extra_data, extra_data_len))
- == -1) {
- free_response(response);
- return -1;
- }
- }
-
- /* Return total amount of data read */
-
- return result1 + result2;
-}
-
-/*
- * send simple types of requests
- */
-
-NSS_STATUS winbindd_send_request(int req_type, struct winbindd_request *request)
-{
- struct winbindd_request lrequest;
-
- /* Check for our tricky environment variable */
-
- if (getenv(WINBINDD_DONT_ENV)) {
- return NSS_STATUS_NOTFOUND;
- }
-
- /* smbd may have excluded this domain */
- if (excluded_domain &&
- strcasecmp(excluded_domain, request->domain) == 0) {
- return NSS_STATUS_NOTFOUND;
- }
-
- if (!request) {
- ZERO_STRUCT(lrequest);
- request = &lrequest;
- }
-
- /* Fill in request and send down pipe */
-
- init_request(request, req_type);
-
- if (write_sock(request, sizeof(*request)) == -1) {
- return NSS_STATUS_UNAVAIL;
- }
-
- return NSS_STATUS_SUCCESS;
-}
-
-/*
- * Get results from winbindd request
- */
-
-NSS_STATUS winbindd_get_response(struct winbindd_response *response)
-{
- struct winbindd_response lresponse;
-
- if (!response) {
- ZERO_STRUCT(lresponse);
- response = &lresponse;
- }
-
- init_response(response);
-
- /* Wait for reply */
- if (read_reply(response) == -1) {
- return NSS_STATUS_UNAVAIL;
- }
-
- /* Throw away extra data if client didn't request it */
- if (response == &lresponse) {
- free_response(response);
- }
-
- /* Copy reply data from socket */
- if (response->result != WINBINDD_OK) {
- return NSS_STATUS_NOTFOUND;
- }
-
- return NSS_STATUS_SUCCESS;
-}
-
-/* Handle simple types of requests */
-
-NSS_STATUS winbindd_request(int req_type,
- struct winbindd_request *request,
- struct winbindd_response *response)
-{
- NSS_STATUS status;
-
- status = winbindd_send_request(req_type, request);
- if (status != NSS_STATUS_SUCCESS)
- return(status);
- return winbindd_get_response(response);
-}
--- squid/helpers/external_acl/winbind_group/wb_common.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,12 +0,0 @@
-/* wb_common.c */
-void free_response(struct winbindd_response *response);
-void winbind_exclude_domain(const char *domain);
-void init_request(struct winbindd_request *request, int request_type);
-void init_response(struct winbindd_response *response);
-void close_sock(void);
-int winbind_open_pipe_sock(void);
-int write_sock(void *buffer, int count);
-int read_reply(struct winbindd_response *response);
-NSS_STATUS winbindd_send_request(int req_type, struct winbindd_request *request);
-NSS_STATUS winbindd_get_response(struct winbindd_response *response);
-NSS_STATUS winbindd_request(int req_type, struct winbindd_request *request, struct winbindd_response *response);
--- squid/helpers/external_acl/winbind_group/wbntlm.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,90 +0,0 @@
-/*
- * (C) 2000 Francesco Chemolli ,
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#ifndef _WBNTLM_H_
-#define _WBNTLM_H_
-
-#include "config.h"
-#include "ntlmauth.h"
-#include
-#include
-#include
-#include
-
-
-/*************** CONFIGURATION ***************/
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-/* the attempted entropy source. If it doesn't exist, random() is uesed */
-#define ENTROPY_SOURCE "/dev/urandom"
-
-#define DOMAIN "GCSINT" /* TODO: fix ntlm_make_challenge */
-
-/************* END CONFIGURATION *************/
-
-/* Debugging stuff */
-extern const char *myname;
-static const char *__foo;
-extern pid_t mypid;
-extern char debug_enabled;
-
-#ifdef DEBUG
-#define __DO_DEBUG 1
-#else
-#define __DO_DEBUG 0
-#endif
-
-#ifdef __GNUC__ /* this is really a gcc-ism */
-#define warn(X...) fprintf(stderr,"%s[%d](%s:%d): ", myname, mypid, \
- ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\
- __LINE__);\
- fprintf(stderr,X)
-#define debug(X...) if(__DO_DEBUG && debug_enabled) { warn(X); }
-#else /* __GNUC__ */
-static void
-debug(char *format,...)
-{
-}
-static void
-warn(char *format,...)
-{
-}
-#endif /* __GNUC__ */
-
-
-
-/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
-#ifdef __GNUC__
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); \
- printf(X "\n",Y)
-#else
-/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2 printf
-#endif
-
-typedef enum {
- YES,
- NO,
- DONTKNOW
-} tristate;
-
-#define CHALLENGE_LEN 8
-#define BUFFER_SIZE 2010
-
-#endif /* _WBNTLM_H_ */
--- squid/helpers/ntlm_auth/winbind/Makefile.am Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,14 +0,0 @@
-#
-# Makefile for the Squid Object Cache server
-#
-# $Id: Makefile.am,v 1.2.54.1 2005/02/10 02:40:52 hno Exp $
-#
-
-libexec_PROGRAMS = wb_ntlmauth
-wb_ntlmauth_SOURCES = wb_ntlm_auth.c wb_common.c wbntlm.h
-EXTRA_DIST = \
- patches/wb_common.patch \
- patches/winbind_nss_config.patch
-INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_srcdir)/src -I@SAMBASOURCES@
-LDADD = -L$(top_builddir)/lib -lmiscutil -lntlmauth $(XTRA_LIBS)
--- squid/helpers/ntlm_auth/winbind/wb_common.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,403 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 2.0
-
- winbind client common code
-
- Copyright (C) Tim Potter 2000
- Copyright (C) Andrew Tridgell 2000
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
-*/
-
-#include "nsswitch/winbind_nss_config.h"
-#include "nsswitch/winbindd_nss.h"
-#include "config.h"
-
-
-/* Global variables. These are effectively the client state information */
-
-int winbindd_fd = -1; /* fd for winbindd socket */
-static char *excluded_domain;
-
-/* Free a response structure */
-
-void
-free_response(struct winbindd_response *response)
-{
- /* Free any allocated extra_data */
-
- if (response)
- SAFE_FREE(response->extra_data);
-}
-
-/*
- smbd needs to be able to exclude lookups for its own domain
-*/
-void
-winbind_exclude_domain(const char *domain)
-{
- SAFE_FREE(excluded_domain);
- excluded_domain = strdup(domain);
-}
-
-
-/* Initialise a request structure */
-
-void
-init_request(struct winbindd_request *request, int request_type)
-{
- static char *domain_env;
- static BOOL initialised;
-
- request->length = sizeof(struct winbindd_request);
-
- request->cmd = (enum winbindd_cmd) request_type;
- request->pid = getpid();
- request->domain[0] = '\0';
-
- if (!initialised) {
- initialised = True;
- domain_env = getenv(WINBINDD_DOMAIN_ENV);
- }
-
- if (domain_env) {
- strncpy(request->domain, domain_env, sizeof(request->domain) - 1);
- request->domain[sizeof(request->domain) - 1] = '\0';
- }
-}
-
-/* Initialise a response structure */
-
-void
-init_response(struct winbindd_response *response)
-{
- /* Initialise return value */
-
- response->result = WINBINDD_ERROR;
-}
-
-/* Close established socket */
-
-void
-close_sock(void)
-{
- if (winbindd_fd != -1) {
- close(winbindd_fd);
- winbindd_fd = -1;
- }
-}
-
-/* Connect to winbindd socket */
-
-int
-winbind_open_pipe_sock(void)
-{
- struct sockaddr_un sunaddr;
- static pid_t our_pid;
- struct stat st;
- pstring path;
-
- if (our_pid != getpid()) {
- close_sock();
- our_pid = getpid();
- }
-
- if (winbindd_fd != -1) {
- return winbindd_fd;
- }
-
- /* Check permissions on unix socket directory */
-
- if (lstat(WINBINDD_SOCKET_DIR, &st) == -1) {
- return -1;
- }
-
- if (!S_ISDIR(st.st_mode) || (st.st_uid != 0 && st.st_uid != geteuid())) {
- return -1;
- }
-
- /* Connect to socket */
-
- strncpy(path, WINBINDD_SOCKET_DIR, sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- strncat(path, "/", sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- strncat(path, WINBINDD_SOCKET_NAME, sizeof(path) - 1);
- path[sizeof(path) - 1] = '\0';
-
- ZERO_STRUCT(sunaddr);
- sunaddr.sun_family = AF_UNIX;
- strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);
-
- /* If socket file doesn't exist, don't bother trying to connect
- * with retry. This is an attempt to make the system usable when
- * the winbindd daemon is not running. */
-
- if (lstat(path, &st) == -1) {
- return -1;
- }
-
- /* Check permissions on unix socket file */
-
- if (!S_ISSOCK(st.st_mode) || (st.st_uid != 0 && st.st_uid != geteuid())) {
- return -1;
- }
-
- /* Connect to socket */
-
- if ((winbindd_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
- return -1;
- }
-
- if (connect(winbindd_fd, (struct sockaddr *) &sunaddr,
- sizeof(sunaddr)) == -1) {
- close_sock();
- return -1;
- }
-
- return winbindd_fd;
-}
-
-/* Write data to winbindd socket with timeout */
-
-int
-write_sock(void *buffer, int count)
-{
- int result, nwritten;
-
- /* Open connection to winbind daemon */
-
- restart:
-
- if (winbind_open_pipe_sock() == -1) {
- return -1;
- }
-
- /* Write data to socket */
-
- nwritten = 0;
-
- while (nwritten < count) {
- struct timeval tv;
- fd_set r_fds;
-
- /* Catch pipe close on other end by checking if a read()
- * call would not block by calling select(). */
-
- FD_ZERO(&r_fds);
- FD_SET(winbindd_fd, &r_fds);
- ZERO_STRUCT(tv);
-
- if (select(winbindd_fd + 1, &r_fds, NULL, NULL, &tv) == -1) {
- close_sock();
- return -1; /* Select error */
- }
-
- /* Write should be OK if fd not available for reading */
-
- if (!FD_ISSET(winbindd_fd, &r_fds)) {
-
- /* Do the write */
-
- result = write(winbindd_fd,
- (char *) buffer + nwritten, count - nwritten);
-
- if ((result == -1) || (result == 0)) {
-
- /* Write failed */
-
- close_sock();
- return -1;
- }
-
- nwritten += result;
-
- } else {
-
- /* Pipe has closed on remote end */
-
- close_sock();
- goto restart;
- }
- }
-
- return nwritten;
-}
-
-/* Read data from winbindd socket with timeout */
-
-static int
-read_sock(void *buffer, int count)
-{
- int result = 0, nread = 0;
-
- /* Read data from socket */
-
- while (nread < count) {
-
- result = read(winbindd_fd, (char *) buffer + nread, count - nread);
-
- if ((result == -1) || (result == 0)) {
-
- /* Read failed. I think the only useful thing we
- * can do here is just return -1 and fail since the
- * transaction has failed half way through. */
-
- close_sock();
- return -1;
- }
-
- nread += result;
- }
-
- return result;
-}
-
-/* Read reply */
-
-int
-read_reply(struct winbindd_response *response)
-{
- int result1, result2 = 0;
-
- if (!response) {
- return -1;
- }
-
- /* Read fixed length response */
-
- if ((result1 = read_sock(response, sizeof(struct winbindd_response)))
- == -1) {
-
- return -1;
- }
-
- /* We actually send the pointer value of the extra_data field from
- * the server. This has no meaning in the client's address space
- * so we clear it out. */
-
- response->extra_data = NULL;
-
- /* Read variable length response */
-
- if (response->length > sizeof(struct winbindd_response)) {
- int extra_data_len = response->length -
- sizeof(struct winbindd_response);
-
- /* Mallocate memory for extra data */
-
- if (!(response->extra_data = malloc(extra_data_len))) {
- return -1;
- }
-
- if ((result2 = read_sock(response->extra_data, extra_data_len))
- == -1) {
- free_response(response);
- return -1;
- }
- }
-
- /* Return total amount of data read */
-
- return result1 + result2;
-}
-
-/*
- * send simple types of requests
- */
-
-NSS_STATUS
-winbindd_send_request(int req_type, struct winbindd_request * request)
-{
- struct winbindd_request lrequest;
-
- /* Check for our tricky environment variable */
-
- if (getenv(WINBINDD_DONT_ENV)) {
- return NSS_STATUS_NOTFOUND;
- }
-
- /* smbd may have excluded this domain */
- if (excluded_domain && strcasecmp(excluded_domain, request->domain) == 0) {
- return NSS_STATUS_NOTFOUND;
- }
-
- if (!request) {
- ZERO_STRUCT(lrequest);
- request = &lrequest;
- }
-
- /* Fill in request and send down pipe */
-
- init_request(request, req_type);
-
- if (write_sock(request, sizeof(*request)) == -1) {
- return NSS_STATUS_UNAVAIL;
- }
-
- return NSS_STATUS_SUCCESS;
-}
-
-/*
- * Get results from winbindd request
- */
-
-NSS_STATUS
-winbindd_get_response(struct winbindd_response * response)
-{
- struct winbindd_response lresponse;
-
- if (!response) {
- ZERO_STRUCT(lresponse);
- response = &lresponse;
- }
-
- init_response(response);
-
- /* Wait for reply */
- if (read_reply(response) == -1) {
- return NSS_STATUS_UNAVAIL;
- }
-
- /* Throw away extra data if client didn't request it */
- if (response == &lresponse) {
- free_response(response);
- }
-
- /* Copy reply data from socket */
- if (response->result != WINBINDD_OK) {
- return NSS_STATUS_NOTFOUND;
- }
-
- return NSS_STATUS_SUCCESS;
-}
-
-/* Handle simple types of requests */
-
-NSS_STATUS
-winbindd_request(int req_type,
- struct winbindd_request * request, struct winbindd_response * response)
-{
- NSS_STATUS status;
-
- status = winbindd_send_request(req_type, request);
- if (status != NSS_STATUS_SUCCESS)
- return (status);
- return winbindd_get_response(response);
-}
--- squid/helpers/ntlm_auth/winbind/wb_ntlm_auth.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,457 +0,0 @@
-/*
- * (C) 2000 Francesco Chemolli
- * (C) 2002 Andrew Bartlett
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- */
-/*
- * TODO:
- * -move all squid-helper-protocol-related operations to helper functions
- *
- * - MAYBE move squid-helper-protocol-related opetations to an external
- * library?
- */
-
-
-#include "wbntlm.h"
-#include "util.h"
-/* stdio.h is included in wbntlm.h */
-#include
-#include
-#include
-#include /* for gettimeofday */
-#include /* BUG: is this portable? */
-
-#ifdef HAVE_CTYPE_H
-#include
-#endif
-
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#if HAVE_GETOPT_H
-#include
-#endif
-
-#include "nsswitch/winbind_nss_config.h"
-#include "nsswitch/winbindd_nss.h"
-
-#ifndef min
-#define min(x,y) ((x)<(y)?(x):(y))
-#endif
-
-void
-authfail(char *domain, char *user, char *reason)
-{
- /* TODO: -move away from SEND-type gcc-isms
- * -prepare for protocol extension as soon as rbcollins is ready
- */
- SEND2("NA %s\\%s auth failure because: %s", domain, user, reason);
-}
-
-void
-authok(const char *domain, const char *user)
-{
- SEND2("AF %s\\%s", domain, user);
-}
-
-void
-sendchallenge(const char *challenge)
-{
- SEND2("TT %s", challenge);
-}
-
-void
-helperfail(const char *reason)
-{
- SEND2("BH %s", reason);
-}
-
-char debug_enabled = 0;
-char *myname;
-pid_t mypid;
-
-static void
-lc(char *string)
-{
- char *p = string, c;
- while ((c = *p)) {
- *p = tolower(c);
- p++;
- }
-}
-
-static void
-uc(char *string)
-{
- char *p = string, c;
- while ((c = *p)) {
- *p = toupper(c);
- p++;
- }
-}
-
-
-
-NSS_STATUS winbindd_request(int req_type,
- struct winbindd_request *request, struct winbindd_response *response);
-
-
-static tristate have_urandom = DONTKNOW;
-FILE *urandom_file = NULL;
-
-void
-init_random()
-{
- if (have_urandom == DONTKNOW) {
- int result = 0;
- struct stat st;
- result = stat(ENTROPY_SOURCE, &st);
- if (result != 0 || !(S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode))) {
- debug("Entropy source " ENTROPY_SOURCE " is unavailable\n");
- have_urandom = NO;
- }
- if ((urandom_file = fopen(ENTROPY_SOURCE, "r")) == NULL) {
- unsigned int seed;
- struct timeval t;
- warn("Can't open entropy source " ENTROPY_SOURCE "\n");
- have_urandom = NO;
- gettimeofday(&t, NULL);
- seed = squid_random() * getpid() * t.tv_sec * t.tv_usec;
- squid_srandom(seed);
- } else {
- have_urandom = YES;
- }
- }
-}
-
-static unsigned char challenge[CHALLENGE_LEN + 1];
-static char *
-build_challenge(void)
-{
- size_t gotchars;
- unsigned char j;
- switch (have_urandom) {
- case YES:
- if ((gotchars = fread(&challenge, CHALLENGE_LEN, 1, urandom_file)) == 0) {
- /* couldn't get a challenge. Fall back to random() and friends.
- * notice that even a single changed byte is good enough for us */
- have_urandom = NO;
- return build_challenge();
- }
- return challenge;
- case NO:
- if (!(squid_random() % 100)) { /* sometimes */
- init_random();
- }
- for (j = 0; j < CHALLENGE_LEN; j++)
- challenge[j] = (unsigned char) (squid_random() % 256);
- return challenge;
- default:
- warn("Critical internal error. Somebody forgot to initialize "
- "the random system. Exiting.\n");
- exit(1);
- }
-}
-
-lstring lmhash, nthash;
-static char have_nthash = 0; /* simple flag. A tad dirty.. */
-
-void
-do_authenticate(ntlm_authenticate * auth, int auth_length)
-{
- lstring tmp;
- int tocopy;
- NSS_STATUS winbindd_result;
- struct winbindd_request request;
- struct winbindd_response response;
- char *domain, *user;
-
- memset(&request, 0, sizeof(struct winbindd_request));
-
- memset(&response, 0, sizeof(struct winbindd_response));
-
- /* domain */
- tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->domain);
- if (tmp.str == NULL || tmp.l == 0) { /* no domain supplied */
- request.data.auth_crap.domain[0] = 0;
- } else {
- tocopy = min(tmp.l + 1, sizeof(fstring));
- xstrncpy(request.data.auth_crap.domain, tmp.str, tocopy);
- }
-
- domain = request.data.auth_crap.domain; /* just a shortcut */
-
- /* username */
- tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->user);
- if (tmp.str == NULL || tmp.l == 0) {
- authfail(domain, "-", "No username in request");
- return;
- }
-
- tocopy = min(sizeof(fstring), tmp.l + 1);
- xstrncpy(request.data.auth_crap.user, tmp.str, tocopy);
- user = request.data.auth_crap.user;
-
- /* now the LM hash */
- lmhash = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
- switch (lmhash.l) {
- case 0:
- warn("No lm hash provided by user %s\\%s\n", domain, user);
- request.data.auth_crap.lm_resp_len = 0;
- break;
- case 24:
- memcpy(request.data.auth_crap.lm_resp, lmhash.str, 24);
- request.data.auth_crap.lm_resp_len = 24;
- break;
- default:
- authfail(domain, user, "Broken LM hash response");
- return;
- }
-
- nthash = ntlm_fetch_string((char *) auth, auth_length, &auth->ntresponse);
- switch (nthash.l) {
- case 0:
- debug("no nthash\n");
- request.data.auth_crap.nt_resp_len = 0;
- break;
- case 24:
- memcpy(request.data.auth_crap.nt_resp, nthash.str, 24);
- request.data.auth_crap.nt_resp_len = 24;
- break;
- default:
- debug("nthash len = %d\n", nthash.l);
- authfail(domain, user, "Broken NT hash response");
- return;
- }
-
- debug("Checking user '%s\\%s' lmhash len =%d, have_nthash=%d, "
- "nthash len=%d\n", domain, user, lmhash.l, have_nthash, nthash.l);
-
- memcpy(request.data.auth_crap.chal, challenge, CHALLENGE_LEN);
-
- winbindd_result = winbindd_request(WINBINDD_PAM_AUTH_CRAP,
- &request, &response);
- debug("winbindd result: %d\n", winbindd_result);
-
- if (winbindd_result == NSS_STATUS_SUCCESS) {
- lc(domain);
- lc(user);
- authok(domain, user);
- } else {
- char error_buf[200];
- snprintf(error_buf, sizeof(error_buf), "Authentication Failure (%s)",
- response.data.auth.error_string);
- authfail(domain, user, error_buf);
- }
- return; /* useless */
-}
-
-int
-manage_request(char *target_domain)
-{
- char buf[BUFFER_SIZE + 1];
- char *c, *decoded;
- ntlmhdr *fast_header;
- int oversized = 0;
-
-
-try_again:
- if (fgets(buf, BUFFER_SIZE, stdin) == NULL)
- return 0;
-
- c = memchr(buf, '\n', BUFFER_SIZE);
- if (c) {
- if (oversized) {
- helperfail("illegal request received");
- warn("Illegal request received: '%s'\n", buf);
- return 1;
- }
- *c = '\0';
- }
- else {
- warn("No newline in '%s'\n", buf);
- oversized = 1;
- goto try_again;
- }
-
- debug("Got '%s' from squid.\n", buf);
- if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */
- sendchallenge(ntlm_make_challenge(target_domain, NULL,
- build_challenge(), CHALLENGE_LEN));
- return 1;
- }
- if (strncmp(buf, "KK ", 3) != 0) { /* not an auth-request */
- helperfail("illegal request received");
- warn("Illegal request received: '%s'\n", buf);
- return 1;
- }
- /* At this point I'm sure it's a KK */
- decoded = base64_decode(buf + 3);
- if (!decoded) { /* decoding failure, return error */
- authfail("-", "-", "Auth-format error, base64-decoding error");
- return 1;
- }
- fast_header = (struct _ntlmhdr *) decoded;
-
- /* sanity-check: it IS a NTLMSSP packet, isn't it? */
- if (memcmp(fast_header->signature, "NTLMSSP", 8) != 0) {
- authfail("-", "-", "Broken NTLM packet, missing NTLMSSP signature");
- return 1;
- }
- /* Understand what we got */
- switch WSWAP(fast_header->type) {
- case NTLM_NEGOTIATE:
- authfail("-", "-", "Received neg-request while expecting auth packet");
- return 1;
- case NTLM_CHALLENGE:
- authfail("-", "-", "Received challenge. Refusing to abide");
- return 1;
- case NTLM_AUTHENTICATE:
- do_authenticate((ntlm_authenticate *) decoded,
- (strlen(buf) - 3) * 3 / 4);
- return 1;
- default:
- helperfail("Unknown authentication packet type");
- return 1;
- }
- /* notreached */
- return 1;
-}
-
-static char *
-get_winbind_domain(void)
-{
- struct winbindd_response response;
- char *domain;
-
- ZERO_STRUCT(response);
-
- /* Send off request */
-
- if (winbindd_request(WINBINDD_DOMAIN_NAME, NULL, &response) !=
- NSS_STATUS_SUCCESS) {
- warn("could not obtain winbind domain name!\n");
- exit(1);
- }
-
- domain = strdup(response.data.domain_name);
- uc(domain);
-
- warn("target domain is %s\n", domain);
- return domain;
-}
-
-static void
-usage(char *program)
-{
- fprintf(stderr,"Usage: %s [-d] [-h] [domain]\n"
- " -d enable debugging\n"
- " -h this message\n"
- " domain target domain, if different from the winbind configuration\n",
- program);
-}
-
-char *
-process_options(int argc, char *argv[])
-{
- int opt;
- char *target_domain = NULL;
-
- opterr = 0;
- while (-1 != (opt = getopt(argc, argv, "dh"))) {
- switch (opt) {
- case 'd':
- debug_enabled = 1;
- break;
- case 'h':
- usage(argv[0]);
- exit(0);
- case '?':
- opt = optopt;
- /* fall thru to default */
- default:
- warn("Unknown option: -%c\n\n", opt);
- usage(argv[0]);
- exit(1);
- break; /* not reached */
- }
- }
- if (optind < argc) {
- target_domain = argv[optind++];
- warn("target domain is %s\n", target_domain);
- if (optind < argc) {
- warn("Unknown argument: %s\n\n", argv[optind]);
- usage(argv[0]);
- exit(1);
- }
- }
- return target_domain;
-}
-
-void
-check_winbindd()
-{
- NSS_STATUS r;
- int retry=10;
- struct winbindd_request request;
- struct winbindd_response response;
- do {
- r = winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response);
- if (r != NSS_STATUS_SUCCESS)
- retry--;
- } while (r != NSS_STATUS_SUCCESS && retry);
- if (r != NSS_STATUS_SUCCESS) {
- warn("Can't contact winbindd. Dying\n");
- exit(1);
- }
- if (response.data.interface_version != WINBIND_INTERFACE_VERSION) {
- warn("Winbind protocol mismatch. Align squid and samba. Dying\n");
- exit(1);
- }
-}
-
-int
-main(int argc, char **argv)
-{
- char *target_domain;
- if (argc > 0) { /* should always be true */
- myname = strrchr(argv[0], '/');
- if (myname == NULL)
- myname = argv[0];
- else
- myname++;
- } else {
- myname = "(unknown)";
- }
- mypid = getpid();
- target_domain = process_options(argc, argv);
- debug("ntlm winbindd auth helper build " __DATE__ ", " __TIME__
- " starting up...\n");
-
- check_winbindd();
-
- if (target_domain == NULL) {
- target_domain = get_winbind_domain();
- }
-
- /* initialize FDescs */
- setbuf(stdout, NULL);
- setbuf(stderr, NULL);
- init_random();
- while (manage_request(target_domain)) {
- /* everything is done within manage_request */
- }
- return 0;
-}
--- squid/helpers/ntlm_auth/winbind/wbntlm.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,88 +0,0 @@
-/*
- * (C) 2000 Francesco Chemolli ,
- *
- * Distributed freely under the terms of the GNU General Public License,
- * version 2. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#ifndef _WBNTLM_H_
-#define _WBNTLM_H_
-
-#include "config.h"
-#include "ntlmauth.h"
-#include
-#include
-#include
-#include
-
-
-/*************** CONFIGURATION ***************/
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-/* the attempted entropy source. If it doesn't exist, random() is uesed */
-#define ENTROPY_SOURCE "/dev/urandom"
-
-/************* END CONFIGURATION *************/
-
-/* Debugging stuff */
-extern char *myname;
-static char *__foo;
-extern pid_t mypid;
-extern char debug_enabled;
-
-#ifdef DEBUG
-#define __DO_DEBUG 1
-#else
-#define __DO_DEBUG 0
-#endif
-
-#if defined(__GNUC__) || defined(__ICC) /* this is really a gcc-ism */
-#define warn(X...) fprintf(stderr,"%s[%d](%s:%d): ", myname, mypid, \
- ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\
- __LINE__);\
- fprintf(stderr,X)
-#define debug(X...) if(__DO_DEBUG && debug_enabled) { warn(X); }
-#else /* __GNUC__ */
-static void
-debug(char *format,...)
-{
-}
-static void
-warn(char *format,...)
-{
-}
-#endif /* __GNUC__ */
-
-
-
-/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
-#if defined(__GNUC__) || defined (__ICC)
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); \
- printf(X "\n",Y)
-#else
-/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2 printf
-#endif
-
-typedef enum {
- YES,
- NO,
- DONTKNOW
-} tristate;
-
-#define CHALLENGE_LEN 8
-#define BUFFER_SIZE 2010
-
-#endif /* _WBNTLM_H_ */
--- squid/helpers/ntlm_auth/winbind/patches/wb_common.patch Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,11 +0,0 @@
---- samba-HEAD/source/nsswitch/wb_common.c Sat Jan 12 23:12:11 2002
-+++ squid-ntlm/src/auth/ntlm/helpers/winbind/wb_common.c Sat Jan 12 23:45:03 2002
-@@ -25,6 +25,8 @@
-
- #include "winbind_nss_config.h"
- #include "winbindd_nss.h"
-+#include "config.h"
-+
-
- /* Global variables. These are effectively the client state information */
-
--- squid/helpers/ntlm_auth/winbind/patches/winbind_nss_config.patch Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,20 +0,0 @@
---- samba-HEAD/source/nsswitch/winbind_nss_config.h Wed Sep 5 10:11:16 2001
-+++ squid-ntlm/src/auth/ntlm/helpers/winbind/winbind_nss_config.h Sat Nov 24 00:32:05 2001
-@@ -27,7 +27,7 @@
-
- /* Include header files from data in config.h file */
-
--#include
-+#include "config.h"
-
- #include
-
-@@ -63,7 +63,7 @@
- #include
- #include
- #include
--#include "nsswitch/nss.h"
-+#include "samba_nss.h"
-
- /* Declarations for functions in winbind_nss.c
- needed in winbind_nss_solaris.c (solaris wrapper to nss) */
--- squid/include/samba/README.txt Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,7 +0,0 @@
-These files are copies of Samba internal headers from Samba-2.2.7a
-required by the winbind helpers to Squid.
-
-If you compile the winbind helpers with other versions of Samba you may
-need to copy the relevant headers from the Samba version you are using
-here, or use the --with-samba-source=... configure option to tell Squid
-where the Samba sources can be found.
--- squid/include/samba/nsswitch/sys_nss.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,104 +0,0 @@
-#ifndef _NSSWITCH_SYS_NSS_H
-#define _NSSWITCH_SYS_NSS_H
-/*
- Unix SMB/CIFS implementation.
-
- a common place to work out how to define NSS_STATUS on various
- platforms
-
- Copyright (C) Tim Potter 2000
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
-*/
-
-#ifdef HAVE_NSS_COMMON_H
-
-/* Sun Solaris */
-
-#include
-#include
-#include
-
-typedef nss_status_t NSS_STATUS;
-
-#define NSS_STATUS_SUCCESS NSS_SUCCESS
-#define NSS_STATUS_NOTFOUND NSS_NOTFOUND
-#define NSS_STATUS_UNAVAIL NSS_UNAVAIL
-#define NSS_STATUS_TRYAGAIN NSS_TRYAGAIN
-
-#elif HAVE_NSS_H
-
-/* GNU */
-
-#include
-
-typedef enum nss_status NSS_STATUS;
-
-#elif HAVE_NS_API_H
-
-/* SGI IRIX */
-
-/* following required to prevent warnings of double definition
- * of datum from ns_api.h
-*/
-#ifdef DATUM
-#define _DATUM_DEFINED
-#endif
-
-#include
-
-typedef enum
-{
- NSS_STATUS_SUCCESS=NS_SUCCESS,
- NSS_STATUS_NOTFOUND=NS_NOTFOUND,
- NSS_STATUS_UNAVAIL=NS_UNAVAIL,
- NSS_STATUS_TRYAGAIN=NS_TRYAGAIN
-} NSS_STATUS;
-
-#define NSD_MEM_STATIC 0
-#define NSD_MEM_VOLATILE 1
-#define NSD_MEM_DYNAMIC 2
-
-#elif defined(HPUX) && defined(HAVE_NSSWITCH_H)
-/* HP-UX 11 */
-
-#include "nsswitch/hp_nss_common.h"
-#include "nsswitch/hp_nss_dbdefs.h"
-#include
-
-#ifndef _HAVE_TYPEDEF_NSS_STATUS
-#define _HAVE_TYPEDEF_NSS_STATUS
-typedef nss_status_t NSS_STATUS;
-
-#define NSS_STATUS_SUCCESS NSS_SUCCESS
-#define NSS_STATUS_NOTFOUND NSS_NOTFOUND
-#define NSS_STATUS_UNAVAIL NSS_UNAVAIL
-#define NSS_STATUS_TRYAGAIN NSS_TRYAGAIN
-#endif /* HPUX */
-
-#else /* Nothing's defined. Neither gnu nor sun nor hp */
-
-typedef enum
-{
- NSS_STATUS_SUCCESS=0,
- NSS_STATUS_NOTFOUND=1,
- NSS_STATUS_UNAVAIL=2,
- NSS_STATUS_TRYAGAIN=3
-} NSS_STATUS;
-
-#endif
-
-#endif /* _NSSWITCH_SYS_NSS_H */
--- squid/include/samba/nsswitch/winbind_nss_config.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,155 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Winbind daemon for ntdom nss module
-
- Copyright (C) Tim Potter 2000
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
-*/
-
-#ifndef _WINBIND_NSS_CONFIG_H
-#define _WINBIND_NSS_CONFIG_H
-
-/* Include header files from data in config.h file */
-
-#include
-
-#include
-
-#ifdef HAVE_STDLIB_H
-#include
-#endif
-
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-
-#ifdef HAVE_SYS_SELECT_H
-#include
-#endif
-
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-
-#ifdef HAVE_UNIXSOCKET
-#include
-#endif
-
-#ifdef HAVE_SYS_TIME_H
-#include
-#endif
-
-#ifdef HAVE_GRP_H
-#include
-#endif
-
-#ifdef HAVE_STRING_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include "nsswitch/sys_nss.h"
-
-/* Declarations for functions in winbind_nss.c
- needed in winbind_nss_solaris.c (solaris wrapper to nss) */
-
-NSS_STATUS _nss_winbind_setpwent(void);
-NSS_STATUS _nss_winbind_endpwent(void);
-NSS_STATUS _nss_winbind_getpwent_r(struct passwd* result, char* buffer,
- size_t buflen, int* errnop);
-NSS_STATUS _nss_winbind_getpwuid_r(uid_t, struct passwd*, char* buffer,
- size_t buflen, int* errnop);
-NSS_STATUS _nss_winbind_getpwnam_r(const char* name, struct passwd* result,
- char* buffer, size_t buflen, int* errnop);
-
-NSS_STATUS _nss_winbind_setgrent(void);
-NSS_STATUS _nss_winbind_endgrent(void);
-NSS_STATUS _nss_winbind_getgrent_r(struct group* result, char* buffer,
- size_t buflen, int* errnop);
-NSS_STATUS _nss_winbind_getgrnam_r(const char *name,
- struct group *result, char *buffer,
- size_t buflen, int *errnop);
-NSS_STATUS _nss_winbind_getgrgid_r(gid_t gid,
- struct group *result, char *buffer,
- size_t buflen, int *errnop);
-
-/* I'm trying really hard not to include anything from smb.h with the
- result of some silly looking redeclaration of structures. */
-
-#ifndef _PSTRING
-#define _PSTRING
-#define PSTRING_LEN 1024
-#define FSTRING_LEN 256
-typedef char pstring[PSTRING_LEN];
-typedef char fstring[FSTRING_LEN];
-#endif
-
-#ifndef _BOOL
-#define _BOOL /* So we don't typedef BOOL again in vfs.h */
-#define False (0)
-#define True (1)
-#define Auto (2)
-typedef int BOOL;
-#endif
-
-#if !defined(uint32)
-#if (SIZEOF_INT == 4)
-#define uint32 unsigned int
-#elif (SIZEOF_LONG == 4)
-#define uint32 unsigned long
-#elif (SIZEOF_SHORT == 4)
-#define uint32 unsigned short
-#endif
-#endif
-
-#if !defined(uint16)
-#if (SIZEOF_SHORT == 4)
-#define uint16 __ERROR___CANNOT_DETERMINE_TYPE_FOR_INT16;
-#else /* SIZEOF_SHORT != 4 */
-#define uint16 unsigned short
-#endif /* SIZEOF_SHORT != 4 */
-#endif
-
-#ifndef uint8
-#define uint8 unsigned char
-#endif
-
-/* zero a structure */
-#ifndef ZERO_STRUCT
-#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
-#endif
-
-/* zero a structure given a pointer to the structure */
-#ifndef ZERO_STRUCTP
-#define ZERO_STRUCTP(x) { if ((x) != NULL) memset((char *)(x), 0, sizeof(*(x))); }
-#endif
-
-/* Some systems (SCO) treat UNIX domain sockets as FIFOs */
-
-#ifndef S_IFSOCK
-#define S_IFSOCK S_IFIFO
-#endif
-
-#ifndef S_ISSOCK
-#define S_ISSOCK(mode) ((mode & S_IFSOCK) == S_IFSOCK)
-#endif
-
-#endif
--- squid/include/samba/nsswitch/winbindd_nss.h Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,229 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Winbind daemon for ntdom nss module
-
- Copyright (C) Tim Potter 2000
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
-*/
-
-#ifndef SAFE_FREE
-#define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
-#endif
-
-#ifndef _WINBINDD_NTDOM_H
-#define _WINBINDD_NTDOM_H
-
-#define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
-#define WINBINDD_SOCKET_DIR "/tmp/.winbindd" /* Name of PF_UNIX dir */
-
-#define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
-#define WINBINDD_DONT_ENV "_NO_WINBINDD"
-
-/* Update this when you change the interface. */
-
-#define WINBIND_INTERFACE_VERSION 4
-
-/* Socket commands */
-
-enum winbindd_cmd {
-
- WINBINDD_INTERFACE_VERSION, /* Always a well known value */
-
- /* Get users and groups */
-
- WINBINDD_GETPWNAM,
- WINBINDD_GETPWUID,
- WINBINDD_GETGRNAM,
- WINBINDD_GETGRGID,
- WINBINDD_GETGROUPS,
-
- /* Enumerate users and groups */
-
- WINBINDD_SETPWENT,
- WINBINDD_ENDPWENT,
- WINBINDD_GETPWENT,
- WINBINDD_SETGRENT,
- WINBINDD_ENDGRENT,
- WINBINDD_GETGRENT,
-
- /* PAM authenticate and password change */
-
- WINBINDD_PAM_AUTH,
- WINBINDD_PAM_AUTH_CRAP,
- WINBINDD_PAM_CHAUTHTOK,
-
- /* List various things */
-
- WINBINDD_LIST_USERS, /* List w/o rid->id mapping */
- WINBINDD_LIST_GROUPS, /* Ditto */
- WINBINDD_LIST_TRUSTDOM,
-
- /* SID conversion */
-
- WINBINDD_LOOKUPSID,
- WINBINDD_LOOKUPNAME,
-
- /* Lookup functions */
-
- WINBINDD_SID_TO_UID,
- WINBINDD_SID_TO_GID,
- WINBINDD_UID_TO_SID,
- WINBINDD_GID_TO_SID,
-
- /* Miscellaneous other stuff */
-
- WINBINDD_CHECK_MACHACC, /* Check machine account pw works */
- WINBINDD_PING, /* Just tell me winbind is running */
- WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
- WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */
-
- WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
-
- /* WINS commands */
-
- WINBINDD_WINS_BYIP,
- WINBINDD_WINS_BYNAME,
-
- /* Placeholder for end of cmd list */
-
- WINBINDD_NUM_CMDS
-};
-
-/* Winbind request structure */
-
-struct winbindd_request {
- uint32 length;
- enum winbindd_cmd cmd; /* Winbindd command to execute */
- pid_t pid; /* pid of calling process */
-
- union {
- fstring winsreq; /* WINS request */
- fstring username; /* getpwnam */
- fstring groupname; /* getgrnam */
- uid_t uid; /* getpwuid, uid_to_sid */
- gid_t gid; /* getgrgid, gid_to_sid */
- struct {
- /* We deliberatedly don't split into domain/user to
- avoid having the client know what the separator
- character is. */
- fstring user;
- fstring pass;
- } auth; /* pam_winbind auth module */
- struct {
- unsigned char chal[8];
- fstring user;
- fstring domain;
- fstring lm_resp;
- uint16 lm_resp_len;
- fstring nt_resp;
- uint16 nt_resp_len;
- } auth_crap;
- struct {
- fstring user;
- fstring oldpass;
- fstring newpass;
- } chauthtok; /* pam_winbind passwd module */
- fstring sid; /* lookupsid, sid_to_[ug]id */
- struct {
- fstring dom_name; /* lookupname */
- fstring name;
- } name;
- uint32 num_entries; /* getpwent, getgrent */
- } data;
- fstring domain; /* {set,get,end}{pw,gr}ent() */
-};
-
-/* Response values */
-
-enum winbindd_result {
- WINBINDD_ERROR,
- WINBINDD_OK
-};
-
-/* Winbind response structure */
-
-struct winbindd_response {
-
- /* Header information */
-
- uint32 length; /* Length of response */
- enum winbindd_result result; /* Result code */
-
- /* Fixed length return data */
-
- union {
- int interface_version; /* Try to ensure this is always in the same spot... */
-
- fstring winsresp; /* WINS response */
-
- /* getpwnam, getpwuid */
-
- struct winbindd_pw {
- fstring pw_name;
- fstring pw_passwd;
- uid_t pw_uid;
- gid_t pw_gid;
- fstring pw_gecos;
- fstring pw_dir;
- fstring pw_shell;
- } pw;
-
- /* getgrnam, getgrgid */
-
- struct winbindd_gr {
- fstring gr_name;
- fstring gr_passwd;
- gid_t gr_gid;
- int num_gr_mem;
- int gr_mem_ofs; /* offset to group membership */
- } gr;
-
- uint32 num_entries; /* getpwent, getgrent */
- struct winbindd_sid {
- fstring sid; /* lookupname, [ug]id_to_sid */
- int type;
- } sid;
- struct winbindd_name {
- fstring dom_name; /* lookupsid */
- fstring name;
- int type;
- } name;
- uid_t uid; /* sid_to_uid */
- gid_t gid; /* sid_to_gid */
- struct winbindd_info {
- char winbind_separator;
- fstring samba_version;
- } info;
- fstring domain_name;
-
- struct auth_reply {
- uint32 nt_status;
- fstring nt_status_string;
- fstring error_string;
- int pam_error;
- } auth;
- } data;
-
- uint32 nt_status; /* Extended error information */
-
- /* Variable length return data */
-
- void *extra_data; /* getgrnam, getgrgid, getgrent */
-};
-
-#endif
--- squid/scripts/RunAccel.in Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,36 +0,0 @@
-#!/bin/sh
-#
-# $Id: RunAccel.in,v 1.2.6.1 2005/02/10 02:40:56 hno Exp $
-
-# enable HTTP requests on port 80
-port="-a 80"
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-logdir=@localstatedir@
-PATH=@sbindir@:/bin:/usr/bin
-export PATH
-
-if test $# = 1 ; then
- conf="-f $1"
- shift
-fi
-
-failcount=0
-while : ; do
- echo "Running: squid $port -s $conf >> $logdir/squid.out 2>&1"
- start=`date '+%d%H%M%S'`
- squid -N $port -s $conf >> $logdir/squid.out 2>&1
- stop=`date '+%d%H%M%S'`
- t=`expr $stop - $start`
- if test 0 -le $t -a $t -lt 5 ; then
- failcount=`expr $failcount + 1`
- else
- failcount=0
- fi
- if test $failcount -gt 5 ; then
- echo "RunCache: EXITING DUE TO REPEATED, FREQUENT FAILURES" >&2
- exit 1
- fi
- sleep 10
-done
--- squid/src/ETag.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,68 +0,0 @@
-
-/*
- * $Id: ETag.c,v 1.3.6.1 2001/02/27 14:18:50 rvenning Exp $
- *
- * DEBUG: none ETag parsing support
- * AUTHOR: Alex Rousskov
- *
- * SQUID Web Proxy Cache http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- * Squid is the result of efforts by numerous individuals from
- * the Internet community; see the CONTRIBUTORS file for full
- * details. Many organizations have provided support for Squid's
- * development; see the SPONSORS file for full details. Squid is
- * Copyrighted (C) 2001 by the Regents of the University of
- * California; see the COPYRIGHT file for full details. Squid
- * incorporates software developed and/or copyrighted by other
- * sources; see the CREDITS file for full details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- */
-
-#include "squid.h"
-
-/*
- * Note: ETag is not an http "field" like, for example HttpHdrRange. ETag is a
- * field-value that maybe used in many http fields.
- */
-
-/* parses a string as weak or strong entity-tag; returns true on success */
-/* note: we do not duplicate "str"! */
-int
-etagParseInit(ETag * etag, const char *str)
-{
- int len;
- assert(etag && str);
- etag->str = NULL;
- etag->weak = !strncmp(str, "W/", 2);
- if (etag->weak)
- str += 2;
- /* check format (quoted-string) */
- len = strlen(str);
- if (len >= 2 && str[0] == '"' && str[len - 1] == '"')
- etag->str = str;
- return etag->str != NULL;
-}
-
-/* returns true if etags are equal */
-int
-etagIsEqual(const ETag * tag1, const ETag * tag2)
-{
- assert(tag1 && tag2);
- assert(!tag1->weak && !tag2->weak); /* weak comparison not implemented yet */
- return !strcmp(tag1->str, tag2->str);
-}
--- squid/src/cachemgr.c Sun Jul 1 00:19:58 2007
+++ /dev/null Sun Jul 1 00:19:58 2007
@@ -1,756 +0,0 @@
-
-/*
- * $Id: cachemgr.c,v 1.3.6.4 2005/02/10 02:41:02 hno Exp $
- *
- * DEBUG: section 0 CGI Cache Manager
- * AUTHOR: Duane Wessels
- *
- * SQUID Web Proxy Cache http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- * Squid is the result of efforts by numerous individuals from
- * the Internet community; see the CONTRIBUTORS file for full
- * details. Many organizations have provided support for Squid's
- * development; see the SPONSORS file for full details. Squid is
- * Copyrighted (C) 2001 by the Regents of the University of
- * California; see the COPYRIGHT file for full details. Squid
- * incorporates software developed and/or copyrighted by other
- * sources; see the CREDITS file for full details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- */
-
-#include "config.h"
-
-#if HAVE_UNISTD_H
-#include
-#endif
-#if HAVE_STDLIB_H
-#include
-#endif
-#if HAVE_STDIO_H
-#include
-#endif
-#if HAVE_SYS_TYPES_H
-#include
-#endif
-#if HAVE_CTYPE_H
-#include
-#endif
-#if HAVE_ERRNO_H
-#include
-#endif
-#if HAVE_FCNTL_H
-#include
-#endif
-#if HAVE_GRP_H
-#include
-#endif
-#if HAVE_GNUMALLOC_H
-#include
-#elif HAVE_MALLOC_H && !defined(_SQUID_FREEBSD_) && !defined(_SQUID_NEXT_)
-#include
-#endif
-#if HAVE_MEMORY_H
-#include
-#endif
-#if HAVE_NETDB_H && !defined(_SQUID_NETDB_H_) /* protect NEXTSTEP */
-#define _SQUID_NETDB_H_
-#include
-#endif
-#if HAVE_PWD_H
-#include
-#endif
-#if HAVE_SIGNAL_H
-#include
-#endif
-#if HAVE_TIME_H
-#include
-#endif
-#if HAVE_SYS_PARAM_H
-#include
-#endif
-#if HAVE_SYS_TIME_H
-#include
-#endif
-#if HAVE_SYS_RESOURCE_H
-#include /* needs sys/time.h above it */
-#endif
-#if HAVE_SYS_SOCKET_H
-#include
-#endif
-#if HAVE_NETINET_IN_H
-#include
-#endif
-#if HAVE_ARPA_INET_H
-#include
-#endif
-#if HAVE_SYS_STAT_H
-#include
-#endif
-#if HAVE_SYS_UN_H
-#include
-#endif
-#if HAVE_SYS_WAIT_H
-#include
-#endif
-#if HAVE_LIBC_H
-#include
-#endif
-#if HAVE_STRING_H
-#include
-#endif
-#if HAVE_STRINGS_H
-#include
-#endif
-#if HAVE_BSTRING_H
-#include
-#endif
-#if HAVE_CRYPT_H
-#include
-#endif
-#if HAVE_SYS_SELECT_H
-#include
-#endif
-
-#include
-
-#include "util.h"
-#include "snprintf.h"
-#include "defines.h"
-
-typedef struct {
- char *hostname;
- int port;
- char *action;
- char *user_name;
- char *passwd;
- char *pub_auth;
-} cachemgr_request;
-
-/*
- * Debugging macros (info goes to error_log on your web server)
- * Note: do not run cache manager with non zero debugging level
- * if you do not debug, it may write a lot of [sensitive]
- * information to your error log.
- */
-
-/* debugging level 0 (disabled) - 3 (max) */
-#define DEBUG_LEVEL 0
-#undef debug
-#define debug(level) if ((level) <= DEBUG_LEVEL && DEBUG_LEVEL > 0)
-
-/*
- * Static variables and constants
- */
-static const time_t passwd_ttl = 60 * 60 * 3; /* in sec */
-static const char *script_name = "/cgi-bin/cachemgr.cgi";
-static const char *progname = NULL;
-static time_t now;
-static struct IN_ADDR no_addr;
-
-/*
- * Function prototypes
- */
-#undef safe_free
-#define safe_free(str) { if (str) { xfree(str); (str) = NULL; } }
-static const char *safe_str(const char *str);
-static const char *xstrtok(char **str, char del);
-static void print_trailer(void);
-static void auth_html(const char *host, int port, const char *user_name);
-static void error_html(const char *msg);
-static char *menu_url(cachemgr_request * req, const char *action);
-static int parse_status_line(const char *sline, const char **statusStr);
-static cachemgr_request *read_request(void);
-static char *read_get_request(void);
-static char *read_post_request(void);
-
-static void make_pub_auth(cachemgr_request * req);
-static void decode_pub_auth(cachemgr_request * req);
-static void reset_auth(cachemgr_request * req);
-static const char *make_auth_header(const cachemgr_request * req);
-
-
-static const char *
-safe_str(const char *str)
-{
- return str ? str : "";
-}
-
-/* relaxed number format */
-static int
-is_number(const char *str)
-{
- return strspn(str, "\t -+01234567890./\n") == strlen(str);
-}
-
-static const char *
-xstrtok(char **str, char del)
-{
- if (*str) {
- char *p = strchr(*str, del);
- char *tok = *str;
- int len;
- if (p) {
- *str = p + 1;
- *p = '\0';
- } else
- *str = NULL;
- /* trim */
- len = strlen(tok);
- while (len && xisspace(tok[len - 1]))
- tok[--len] = '\0';
- while (xisspace(*tok))
- tok++;
- return tok;
- } else
- return "";
-}
-
-static void
-print_trailer(void)
-{
- printf("
\n");
- printf("\n");
- printf("Generated %s, by %s/%s@%s\n",
- mkrfc1123(now), progname, VERSION, getfullhostname());
- printf("