diff -ruN squid-2.6.STABLE17/ChangeLog squid-2.6.STABLE18/ChangeLog --- squid-2.6.STABLE17/ChangeLog 2007-11-26 14:36:10.000000000 +0100 +++ squid-2.6.STABLE18/ChangeLog 2008-01-10 13:30:57.000000000 +0100 @@ -1,3 +1,13 @@ +Changes to squid-2.6.STABLE18 (10 Jan 2008) + + - Fix 2 assertion failures related to the fix for SQUID-2007:2 + - GPL license cleanup to GPLv2 or later. One file in edir_digest_auth + was GPLv2 only, now replaced with a GPLv2 or later licensed vesion. + - Minor cleanups to make certain 64-bit platforms happier + - Several Digest authentication bugs fixed wich was causing random + authenitcation popups or failures. + - --with-valgrind-debug updated for valgrind-3.3.0. + Changes to squid-2.6.STABLE17 (26 Nov 2007) - Fix compile error with old GCC 2.x or other ANSI-C compilers before diff -ruN squid-2.6.STABLE17/configure squid-2.6.STABLE18/configure --- squid-2.6.STABLE17/configure 2007-11-26 14:39:31.000000000 +0100 +++ squid-2.6.STABLE18/configure 2008-01-10 13:34:23.000000000 +0100 @@ -1,7 +1,7 @@ #! /bin/sh -# From configure.in Revision: 1.416.2.22 . +# From configure.in Revision: 1.416.2.24 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.61 for Squid Web Proxy 2.6.STABLE17. +# Generated by GNU Autoconf 2.61 for Squid Web Proxy 2.6.STABLE18. # # Report bugs to . # @@ -575,8 +575,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='2.6.STABLE17' -PACKAGE_STRING='Squid Web Proxy 2.6.STABLE17' +PACKAGE_VERSION='2.6.STABLE18' +PACKAGE_STRING='Squid Web Proxy 2.6.STABLE18' PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/' ac_default_prefix=/usr/local/squid 
@@ -1314,7 +1314,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 2.6.STABLE17 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 2.6.STABLE18 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1384,7 +1384,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE17:";; + short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE18:";; esac cat <<\_ACEOF @@ -1662,7 +1662,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 2.6.STABLE17 +Squid Web Proxy configure 2.6.STABLE18 generated by GNU Autoconf 2.61 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -1676,7 +1676,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 2.6.STABLE17, which was +It was created by Squid Web Proxy $as_me 2.6.STABLE18, which was generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ @@ -2349,7 +2349,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='2.6.STABLE17' + VERSION='2.6.STABLE18' cat >>confdefs.h <<_ACEOF @@ -27276,7 +27276,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 2.6.STABLE17, which was +This file was extended by Squid Web Proxy $as_me 2.6.STABLE18, which was generated by GNU Autoconf 2.61. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -27329,7 +27329,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -Squid Web Proxy config.status 2.6.STABLE17 +Squid Web Proxy config.status 2.6.STABLE18 configured by $0, generated by GNU Autoconf 2.61, with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff -ruN squid-2.6.STABLE17/configure.in squid-2.6.STABLE18/configure.in --- squid-2.6.STABLE17/configure.in 2007-11-26 14:39:31.000000000 +0100 +++ squid-2.6.STABLE18/configure.in 2008-01-10 13:34:23.000000000 +0100 @@ -1,16 +1,16 @@ dnl dnl Configuration input file for Squid dnl -dnl $Id: configure.in,v 1.416.2.22 2007/11/26 13:34:35 hno Exp $ +dnl $Id: configure.in,v 1.416.2.24 2008/01/10 12:30:57 hno Exp $ dnl dnl dnl -AC_INIT(Squid Web Proxy, 2.6.STABLE17, http://www.squid-cache.org/bugs/, squid) +AC_INIT(Squid Web Proxy, 2.6.STABLE18, http://www.squid-cache.org/bugs/, squid) AC_PREREQ(2.52) AM_CONFIG_HEADER(include/autoconf.h) AC_CONFIG_AUX_DIR(cfgaux) AM_INIT_AUTOMAKE -AC_REVISION($Revision: 1.416.2.22 $)dnl +AC_REVISION($Revision: 1.416.2.24 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AM_MAINTAINER_MODE diff -ruN squid-2.6.STABLE17/COPYRIGHT squid-2.6.STABLE18/COPYRIGHT --- squid-2.6.STABLE17/COPYRIGHT 2001-01-12 01:37:09.000000000 +0100 +++ squid-2.6.STABLE18/COPYRIGHT 2008-01-02 17:20:20.000000000 +0100 @@ -22,4 +22,4 @@ Suite 330 Boston, MA 02111, USA -Or contact info@ircache.net +Or contact info@squid-cache.org diff -ruN squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.c squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.c --- squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.c 2007-08-31 16:16:18.000000000 +0200 +++ squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.c 2008-01-02 17:29:22.000000000 +0100 
@@ -1,27 +1,31 @@ /* - * Copyright (C) 2002-2004 Novell, Inc. + * NDS LDAP helper functions + * Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the + * limited functionality needed to access the plain text password only * - * edir_ldapext.c LDAP extension for reading eDirectory universal password - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of version 2 of the GNU General Public License as published - * by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, contact Novell, Inc. + * Original copyright & license follows: * - * To contact Novell about this file by physical or electronic mail, you may - * find current contact information at www.novell.com. - */ + * Copyright (C) Vince Brimhall 2004-2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
+ * +*/ #include "digest_common.h" -#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ +#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ #define snprintf _snprintf #include 
@@ -43,63 +47,45 @@ #include #endif +#include #include "edir_ldapext.h" -/* NMAS error codes */ -#define NMAS_E_BASE (-1600) +#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3" +#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4" +#define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11" +#define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12" +#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13" +#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14" + +#define NMAS_LDAP_EXT_VERSION 1 + +#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem) +#define DEBUG(level, args) + +/********************************************************************** + Take the request BER value and input data items and BER encodes the + data into the BER value +**********************************************************************/ -#define NMAS_SUCCESS 0 -#define NMAS_E_SUCCESS NMAS_SUCCESS /* Alias */ -#define NMAS_OK NMAS_SUCCESS /* Alias */ - -#define NMAS_E_FRAG_FAILURE (NMAS_E_BASE-31) /* -1631 0xFFFFF9A1 */ -#define NMAS_E_BUFFER_OVERFLOW (NMAS_E_BASE-33) /* -1633 0xFFFFF99F */ -#define NMAS_E_SYSTEM_RESOURCES (NMAS_E_BASE-34) /* -1634 0xFFFFF99E */ -#define NMAS_E_INSUFFICIENT_MEMORY (NMAS_E_BASE-35) /* -1635 0xFFFFF99D */ -#define NMAS_E_NOT_SUPPORTED (NMAS_E_BASE-36) /* -1636 0xFFFFF99C */ -#define NMAS_E_INVALID_PARAMETER (NMAS_E_BASE-43) /* -1643 0xFFFFF995 */ -#define NMAS_E_INVALID_VERSION (NMAS_E_BASE-52) /* -1652 0xFFFFF98C */ - -/* OID of LDAP extenstion calls to read Universal Password */ -#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13" -#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14" - -#define NMAS_LDAP_EXT_VERSION 1 - - - -/* ------------------------------------------------------------------------ - * berEncodePasswordData - * ============================== - * RequestBer contents: - * 
clientVersion INTEGER - * targetObjectDN OCTET STRING - * password1 OCTET STRING - * password2 OCTET STRING - * - * Description: - * This function takes the request BER value and input data items - * and BER encodes the data into the BER value - * - * ------------------------------------------------------------------------ */ -int berEncodePasswordData( +static int berEncodePasswordData( struct berval **requestBV, - char *objectDN, - char *password, - char *password2) + const char *objectDN, + const char *password, + const char *password2) { int err = 0, rc=0; BerElement *requestBer = NULL; - char * utf8ObjPtr = NULL; + const char * utf8ObjPtr = NULL; int utf8ObjSize = 0; - char * utf8PwdPtr = NULL; + const char * utf8PwdPtr = NULL; int utf8PwdSize = 0; - char * utf8Pwd2Ptr = NULL; + const char * utf8Pwd2Ptr = NULL; int utf8Pwd2Size = 0; + /* Convert objectDN and tag strings from Unicode to UTF-8 */ utf8ObjSize = strlen(objectDN)+1; utf8ObjPtr = objectDN; @@ -115,10 +101,10 @@ utf8Pwd2Ptr = password2; } - /* Allocate a BerElement for the request parameters.*/ + /* Allocate a BerElement for the request parameters. */ if((requestBer = ber_alloc()) == NULL) { - err = NMAS_E_FRAG_FAILURE; + err = LDAP_ENCODING_ERROR; goto Cleanup; } @@ -140,7 +126,7 @@ if (rc < 0) { - err = NMAS_E_FRAG_FAILURE; + err = LDAP_ENCODING_ERROR; goto Cleanup; } else @@ -148,12 +134,10 @@ err = 0; } - /* - * Convert the BER we just built to a berval that we'll send with the extended request. - */ + /* Convert the BER we just built to a berval that we'll send with the extended request. */ if(ber_flatten(requestBer, requestBV) == LBER_ERROR) { - err = NMAS_E_FRAG_FAILURE; + err = LDAP_ENCODING_ERROR; goto Cleanup; } 
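Review bot: The comment added above the size computations in berEncodePasswordData, `/* Convert objectDN and tag strings from Unicode to UTF-8 */`, describes work the code does not do: the lines beneath it only alias the pointers (`utf8ObjPtr = objectDN;`) and take `strlen(objectDN)+1`, so a reader will look for a conversion that never happens. Replace it with `/* No conversion here: the DN and passwords are used as-is; the +1 counts the terminating NUL into the size */`. The `SMB_MALLOC_ARRAY(type, nelem)` shim expands to `calloc(sizeof(type), nelem)`, which swaps calloc's (nmemb, size) order; it yields the right total for `char` but `calloc((nelem), sizeof(type))` matches the standard signature and stays correct for any element type. The body of berEncodePasswordData continues past this hunk.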
@@ -165,50 +149,133 @@
 }
 return err;
-} /* End of berEncodePasswordData */
+}
-/* ------------------------------------------------------------------------
- * berDecodeLoginData()
- * ==============================
- * ResponseBer contents:
- * serverVersion INTEGER
- * error INTEGER
- * data OCTET STRING
- *
- * Description:
- * This function takes the reply BER Value and decodes the
- * NMAS server version and return code and if a non null retData
- * buffer was supplied, tries to decode the the return data and length
- *
- * ------------------------------------------------------------------------ */
-int berDecodeLoginData(
+/**********************************************************************
+ Take the request BER value and input data items and BER encodes the
+ data into the BER value
+**********************************************************************/
+
+static int berEncodeLoginData(
+ struct berval **requestBV,
+ char *objectDN,
+ unsigned int methodIDLen,
+ unsigned int *methodID,
+ char *tag,
+ size_t putDataLen,
+ void *putData)
+{
+ int err = 0;
+ BerElement *requestBer = NULL;
+
+ unsigned int i;
+ unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
+
+ char *utf8ObjPtr=NULL;
+ int utf8ObjSize = 0;
+
+ char *utf8TagPtr = NULL;
+ int utf8TagSize = 0;
+
+ utf8ObjPtr = objectDN;
+ utf8ObjSize = strlen(utf8ObjPtr)+1;
+
+ utf8TagPtr = tag;
+ utf8TagSize = strlen(utf8TagPtr)+1;
+
+ /* Allocate a BerElement for the request parameters. */
+ if((requestBer = ber_alloc()) == NULL)
+ {
+ err = LDAP_ENCODING_ERROR;
+ goto Cleanup;
+ }
+
+ /* BER encode the NMAS Version and the objectDN */
+ err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0;
+
+ /* BER encode the MethodID Length and value */
+ if (!err)
+ {
+ err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ for (i = 0; !err && i < elemCnt; i++)
+ {
+ err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ if (!err)
+ {
+ err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ if(putData)
+ {
+ /* BER Encode the the tag and data */
+ err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+ else
+ {
+ /* BER Encode the the tag */
+ err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ if (err)
+ {
+ goto Cleanup;
+ }
+
+ /* Convert the BER we just built to a berval that we'll send with the extended request. */
+ if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
+ {
+ err = LDAP_ENCODING_ERROR;
+ goto Cleanup;
+ }
+
+Cleanup:
+
+ if(requestBer)
+ {
+ ber_free(requestBer, 1);
+ }
+
+ return err;
+}
+
+/**********************************************************************
+ Takes the reply BER Value and decodes the NMAS server version and
+ return code and if a non null retData buffer was supplied, tries to
+ decode the the return data and length
+**********************************************************************/
+
+static int berDecodeLoginData(
 struct berval *replyBV,
 int *serverVersion,
 size_t *retDataLen,
 void *retData )
 {
- int rc=0, err = 0;
+ int err = 0;
 BerElement *replyBer = NULL;
 char *retOctStr = NULL;
 size_t retOctStrLen = 0;
 if((replyBer = ber_init(replyBV)) == NULL)
 {
- err = NMAS_E_SYSTEM_RESOURCES;
+ err = LDAP_OPERATIONS_ERROR;
 goto Cleanup;
 }
 if(retData)
 {
 retOctStrLen = *retDataLen + 1;
- retOctStr = (char *)malloc(retOctStrLen);
+ retOctStr = SMB_MALLOC_ARRAY(char, retOctStrLen);
 if(!retOctStr)
 {
- err = NMAS_E_SYSTEM_RESOURCES;
+ err = LDAP_OPERATIONS_ERROR;
 goto Cleanup;
 }
-
- if( (rc = ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen)) != -1)
+
+ if(ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != -1)
 {
 if (*retDataLen >= retOctStrLen)
 {
@@ -216,23 +283,23 @@
 }
 else if (!err)
 {
- err = NMAS_E_BUFFER_OVERFLOW;
+ err = LDAP_NO_MEMORY;
 }
 *retDataLen = retOctStrLen;
 }
 else if (!err)
 {
- err = NMAS_E_FRAG_FAILURE;
+ err = LDAP_DECODING_ERROR;
 }
 }
 else
 {
- if( (rc = ber_scanf(replyBer, "{ii}", serverVersion, &err)) == -1)
+ if(ber_scanf(replyBer, "{ii}", serverVersion, &err) == -1)
 {
 if (!err)
 {
- err = NMAS_E_FRAG_FAILURE;
+ err = LDAP_DECODING_ERROR;
 }
 }
 }
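Review bot: In berEncodeLoginData the lengths handed to ber_printf do not have the types its conversions read: `o` takes its length as `ber_len_t` and `i` as `ber_int_t` (OpenLDAP lber.h), but `utf8ObjSize`/`utf8TagSize` are declared `int`, and the `"oio}"` call passes the `size_t putDataLen` for an `i`. Through a variadic call that is undefined behaviour and is the sort of mismatch that produces a garbage octet length on LP64 targets; declare the two size locals as `ber_len_t` and cast the data length, e.g. `err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, (ber_int_t)putDataLen, putData, (ber_len_t)putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;`. The same applies to the `s` conversion in berDecodeLoginData, which stores a `ber_len_t` through `&retOctStrLen` although that variable is `size_t` (same width on common ABIs, but not guaranteed). berDecodeLoginData continues past this hunk.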
@@ -251,23 +318,180 @@
 }
 return err;
-} /* End of berDecodeLoginData */
+}
-/* -----------------------------------------------------------------------
- * nmasldap_get_password()
- * ==============================
- *
- * Description:
- * This API attempts to get the universal password
- *
- * ------------------------------------------------------------------------ */
-int nmasldap_get_password(
+/**********************************************************************
+ Retrieves data in the login configuration of the specified object
+ that is tagged with the specified methodID and tag.
+**********************************************************************/
+
+static int getLoginConfig(
 LDAP *ld,
 char *objectDN,
- size_t *pwdSize, // in bytes
+ unsigned int methodIDLen,
+ unsigned int *methodID,
+ char *tag,
+ size_t *dataLen,
+ void *data )
+{
+ int err = 0;
+ struct berval *requestBV = NULL;
+ char *replyOID = NULL;
+ struct berval *replyBV = NULL;
+ int serverVersion = 0;
+
+ /* Validate unicode parameters. */
+ if((strlen(objectDN) == 0) || ld == NULL)
+ {
+ return LDAP_NO_SUCH_ATTRIBUTE;
+ }
+
+ err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
+ if(err)
+ {
+ goto Cleanup;
+ }
+
+ /* Call the ldap_extended_operation (synchronously) */
+ if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
+ requestBV, NULL, NULL, &replyOID, &replyBV)))
+ {
+ goto Cleanup;
+ }
+
+ /* Make sure there is a return OID */
+ if(!replyOID)
+ {
+ err = LDAP_NOT_SUPPORTED;
+ goto Cleanup;
+ }
+
+ /* Is this what we were expecting to get back. */
+ if(strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE))
+ {
+ err = LDAP_NOT_SUPPORTED;
+ goto Cleanup;
+ }
+
+ /* Do we have a good returned berval? */
+ if(!replyBV)
+ {
+ /* No; returned berval means we experienced a rather drastic error. */
+ /* Return operations error. */
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+ err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
+
+ if(serverVersion != NMAS_LDAP_EXT_VERSION)
+ {
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+Cleanup:
+
+ if(replyBV)
+ {
+ ber_bvfree(replyBV);
+ }
+
+ /* Free the return OID string if one was returned. */
+ if(replyOID)
+ {
+ ldap_memfree(replyOID);
+ }
+
+ /* Free memory allocated while building the request ber and berval. */
+ if(requestBV)
+ {
+ ber_bvfree(requestBV);
+ }
+
+ /* Return the appropriate error/success code. */
+ return err;
+}
+
+/**********************************************************************
+ Attempts to get the Simple Password
+**********************************************************************/
+
+static int nmasldap_get_simple_pwd(
+ LDAP *ld,
+ char *objectDN,
+ size_t pwdLen,
 char *pwd )
 {
 int err = 0;
+ unsigned int methodID = 0;
+ unsigned int methodIDLen = sizeof(methodID);
+ char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
+ char *pwdBuf=NULL;
+ size_t pwdBufLen, bufferLen;
+
+ bufferLen = pwdBufLen = pwdLen+2;
+ pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen); /* digest and null */
+ if(pwdBuf == NULL)
+ {
+ return LDAP_NO_MEMORY;
+ }
+
+ err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
+ if (err == 0)
+ {
+ if (pwdBufLen !=0)
+ {
+ pwdBuf[pwdBufLen] = 0; /* null terminate */
+
+ switch (pwdBuf[0])
+ {
+ case 1: /* cleartext password */
+ break;
+ case 2: /* SHA1 HASH */
+ case 3: /* MD5_ID */
+ case 4: /* UNIXCrypt_ID */
+ case 8: /* SSHA_ID */
+ default: /* Unknown digest */
+ err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */
+ break;
+ }
+
+ if (!err)
+ {
+ if (pwdLen >= pwdBufLen-1)
+ {
+ memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */
+ }
+ else
+ {
+ err = LDAP_NO_MEMORY;
+ }
+ }
+ }
+ }
+
+ if (pwdBuf != NULL)
+ {
+ memset(pwdBuf, 0, bufferLen);
+ free(pwdBuf);
+ }
+
+ return err;
+}
+
+
+/**********************************************************************
+ Attempts to get the Universal Password
+**********************************************************************/
+
+static int nmasldap_get_password(
+ LDAP *ld,
+ char *objectDN,
+ size_t *pwdSize, /* in bytes */
+ unsigned char *pwd )
+{
+ int err = 0;
 struct berval *requestBV = NULL;
 char *replyOID = NULL;
@@ -276,27 +500,19 @@
 char *pwdBuf;
 size_t pwdBufLen, bufferLen;
-#ifdef NOT_N_PLAT_NLM
- int currentThreadGroupID;
-#endif
-
- /* Validate char parameters. */
+ /* Validate char parameters. */
 if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL)
 {
- return NMAS_E_INVALID_PARAMETER;
+ return LDAP_NO_SUCH_ATTRIBUTE;
 }
 bufferLen = pwdBufLen = *pwdSize;
- pwdBuf = (char *)malloc(pwdBufLen+2);
+ pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen+2);
 if(pwdBuf == NULL)
 {
- return NMAS_E_INSUFFICIENT_MEMORY;
+ return LDAP_NO_MEMORY;
 }
-#ifdef NOT_N_PLAT_NLM
- currentThreadGroupID = SetThreadGroupID(nmasLDAPThreadGroupID);
-#endif
-
 err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
 if(err)
 {
@@ -312,25 +528,23 @@
 /* Make sure there is a return OID */
 if(!replyOID)
 {
- err = NMAS_E_NOT_SUPPORTED;
+ err = LDAP_NOT_SUPPORTED;
 goto Cleanup;
 }
 /* Is this what we were expecting to get back. */
 if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE))
 {
- err = NMAS_E_NOT_SUPPORTED;
+ err = LDAP_NOT_SUPPORTED;
 goto Cleanup;
 }
 /* Do we have a good returned berval? */
 if(!replyBV)
 {
- /*
- * No; returned berval means we experienced a rather drastic error.
- * Return operations error.
- */
- err = NMAS_E_SYSTEM_RESOURCES;
+ /* No; returned berval means we experienced a rather drastic error. */
+ /* Return operations error. */
+ err = LDAP_OPERATIONS_ERROR;
 goto Cleanup;
 }
@@ -338,7 +552,7 @@
 if(serverVersion != NMAS_LDAP_EXT_VERSION)
 {
- err = NMAS_E_INVALID_VERSION;
+ err = LDAP_OPERATIONS_ERROR;
 goto Cleanup;
 }
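Review bot: getLoginConfig evaluates `strlen(objectDN)` before any NULL test, while its sibling nmasldap_get_password further down this hunk checks `objectDN == NULL` first; nds_get_password passes the caller's DN straight through, so a NULL DN crashes here instead of returning an error. Use `if(ld == NULL || objectDN == NULL || strlen(objectDN) == 0)` and drop the stale "Validate unicode parameters" comment, which describes nothing the code does. In nmasldap_get_simple_pwd the terminator store `pwdBuf[pwdBufLen] = 0;` uses the length getLoginConfig wrote back, and berDecodeLoginData accepts a payload whenever `*retDataLen >= retOctStrLen`; if it can therefore report a length equal to the `pwdLen+2` bytes allocated (the copy itself is outside this hunk, so this is inferred), that store lands one byte past the allocation, so guard it with `if (pwdBufLen >= bufferLen) { err = LDAP_NO_MEMORY; } else { pwdBuf[pwdBufLen] = 0; ... }`. Finally, `memset(pwdBuf, 0, bufferLen)` immediately before `free(pwdBuf)` is a dead store the optimizer is free to remove, leaving the cleartext password in freed heap; clear it through a `volatile unsigned char *` loop or a platform explicit-zero routine.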
@@ -377,10 +591,47 @@
 free(pwdBuf);
 }
-#ifdef NOT_N_PLAT_NLM
- SetThreadGroupID(currentThreadGroupID);
-#endif
-
 /* Return the appropriate error/success code. */
 return err;
-} /* end of nmasldap_get_password */
+}
+
+/**********************************************************************
+ Get the user's password from NDS.
+ *********************************************************************/
+
+int nds_get_password(
+ LDAP *ld,
+ char *object_dn,
+ size_t *pwd_len,
+ char *pwd )
+{
+ int rc = -1;
+
+ rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
+ if (rc == LDAP_SUCCESS) {
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
+#endif
+ DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
+ } else {
+ DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
+ }
+
+ if (rc != LDAP_SUCCESS) {
+ rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
+ if (rc == LDAP_SUCCESS) {
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
+#endif
+ DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
+ } else {
+ /* We couldn't get the password */
+ DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
+ return LDAP_INVALID_CREDENTIALS;
+ }
+ }
+
+ /* We got the password */
+ return LDAP_SUCCESS;
+}
+
diff -ruN squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.h squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.h
--- squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.h 2007-08-31 16:16:18.000000000 +0200
+++ squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.h 2008-01-02 17:29:22.000000000 +0100
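Review bot: The two `#ifdef DEBUG_PASSWORD` blocks in nds_get_password format the retrieved cleartext password into a debug message; `DEBUG` is stubbed to nothing earlier in this file, so today they compile away, but they leave a credential-logging path that becomes live the moment someone gives DEBUG a real definition. Delete both blocks rather than carry them over from the Samba original. `*pwd_len` is also re-read after the first attempt: nmasldap_get_password takes it as an in/out size (`size_t *pwdSize, /* in bytes */`), so if that call updates it before failing (its writes are outside this hunk), the value handed to nmasldap_get_simple_pwd is no longer the caller's buffer size; capture `size_t buf_len = *pwd_len;` at the top and pass `buf_len` to the fallback. `int rc = -1;` is dead since rc is assigned by the next statement; initialise it from the call instead.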
@@ -1,14 +1 @@
-/*
- * edir_ldapext.h
- *
- * AUTHOR: Guy Antony Halse
- *
- * stubs for FreeRadius's edir_ldapext.h
- *
- */
-#define UNIVERSAL_PASS_LEN 256
-#define NMAS_SUCCESS 0
-
-extern int berEncodePasswordData(struct berval **requestBV, char *objectDN, char *password, char *password2);
-extern int berDecodeLoginData(struct berval *replyBV, int *serverVersion, size_t *retDataLen, void *retData);
-extern int nmasldap_get_password(LDAP *ld, char *objectDN, size_t *pwdSize, char *pwd);
+int nds_get_password(LDAP *ld, char *object_dn, size_t * pwd_len, char *pwd);
diff -ruN squid-2.6.STABLE17/helpers/digest_auth/eDirectory/ldap_backend.c squid-2.6.STABLE18/helpers/digest_auth/eDirectory/ldap_backend.c
--- squid-2.6.STABLE17/helpers/digest_auth/eDirectory/ldap_backend.c 2007-08-31 16:16:18.000000000 +0200
+++ squid-2.6.STABLE18/helpers/digest_auth/eDirectory/ldap_backend.c 2008-01-02 17:29:22.000000000 +0100
@@ -49,14 +49,14 @@
 /* Globals */
 static LDAP *ld = NULL;
-static char *passattr = NULL;
+static const char *passattr = NULL;
 static char *ldapServer = NULL;
-static char *userbasedn = NULL;
-static char *userdnattr = NULL;
-static char *usersearchfilter = NULL;
-static char *binddn = NULL;
-static char *bindpasswd = NULL;
-static char *delimiter = ":";
+static const char *userbasedn = NULL;
+static const char *userdnattr = NULL;
+static const char *usersearchfilter = NULL;
+static const char *binddn = NULL;
+static const char *bindpasswd = NULL;
+static const char *delimiter = ":";
 static int encrpass = 0;
 static int searchscope = LDAP_SCOPE_SUBTREE;
 static int persistent = 0;
@@ -80,7 +80,7 @@
 #endif
 static void ldapconnect(void);
-static int readSecret(char *filename);
+static int readSecret(const char *filename);
 /* Yuck.. we need to glue to different versions of the API */
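Review bot: The single prototype left in edir_ldapext.h carries no contract for its parameters: `pwd_len` is a pointer the implementation treats as the size of `pwd` on entry and also reads again for the fallback lookup, nothing says how large `pwd` must be, and the return value is an LDAP result code whose failure case is specific. Add a comment above it along the lines of `/* Fetch object_dn's password into pwd, which must hold at least *pwd_len bytes. Returns an LDAP result code; LDAP_INVALID_CREDENTIALS when neither the Universal nor the Simple password could be read. */`. The header uses `LDAP` without including a definition, so it depends on the includer having the LDAP headers in scope; the previous version had the same dependency, but a one-line note saying so would save the next maintainer a compile error.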
@@ -198,7 +198,7 @@
 char filter[8192];
 char searchbase[8192];
 char *universal_password = NULL;
- size_t universal_password_len = UNIVERSAL_PASS_LEN;
+ size_t universal_password_len = 256;
 int nmas_res = 0;
 int rc = -1;
 if (ld) {
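Review bot: `size_t universal_password_len = 256;` turns the password buffer size into an unexplained literal at the one place it is chosen, while the `malloc(universal_password_len)` that depends on it sits further down the same function. Since the helper header no longer exports a name for it, define one locally next to the other file-scope declarations, `#define UNIVERSAL_PASS_LEN 256 /* size of the buffer handed to nds_get_password */`, and keep this line as `size_t universal_password_len = UNIVERSAL_PASS_LEN;`. The enclosing function starts and ends outside this hunk.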
@@ -252,28 +252,28 @@
 if (rc == LDAP_SUCCESS) {
 entry = ldap_first_entry(ld, res);
 if (entry) {
- if (debug)
- printf("ldap dn: %s\n", ldap_get_dn(ld, entry));
- if (edir_universal_passwd) {
-
- /* allocate some memory for the universal password returned by NMAS */
- universal_password = malloc(universal_password_len);
- memset(universal_password, 0, universal_password_len);
- values = malloc(sizeof(char *));
-
- /* actually talk to NMAS to get a password */
- nmas_res = nmasldap_get_password(ld, ldap_get_dn(ld, entry), &universal_password_len, universal_password);
- if (nmas_res == NMAS_SUCCESS && universal_password) {
- if (debug)
- printf("NMAS returned value %s\n", universal_password);
- values[0] = universal_password;
- } else {
- if (debug)
- printf("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res));
- }
- } else {
- values = ldap_get_values(ld, entry, passattr);
- }
+ if (debug)
+ printf("ldap dn: %s\n", ldap_get_dn(ld, entry));
+ if (edir_universal_passwd) {
+
+ /* allocate some memory for the universal password returned by NMAS */
+ universal_password = malloc(universal_password_len);
+ memset(universal_password, 0, universal_password_len);
+ values = malloc(sizeof(char *));
+
+ /* actually talk to NMAS to get a password */
+ nmas_res = nds_get_password(ld, ldap_get_dn(ld, entry), &universal_password_len, universal_password);
+ if (nmas_res == LDAP_SUCCESS && universal_password) {
+ if (debug)
+ printf("NMAS returned value %s\n", universal_password);
+ values[0] = universal_password;
+ } else {
+ if (debug)
+ printf("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res));
+ }
+ } else {
+ values = ldap_get_values(ld, entry, passattr);
+ }
 } else {
 ldap_msgfree(res);
 return NULL;
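Review bot: `ldap_get_dn(ld, entry)` is called twice in the edir branch and neither result is released with `ldap_memfree`, so every lookup leaks two DN strings; the second result also goes straight into nds_get_password, which calls strlen on it, with no NULL check. Fetch it once with `char *dn = ldap_get_dn(ld, entry);`, use `dn` in both the printf and the call, and `ldap_memfree(dn);` once the call returns. The `universal_password` and `values` allocations are unchecked, and on the error path `values` stays allocated with `values[0]` never written, so the `if (!values)` test in the next hunk cannot catch the failure and whatever later reads `values[0]` sees an uninitialised pointer; add `values[0] = NULL;` right after the `malloc` and bail out when either allocation fails. The enclosing function starts and ends outside this hunk.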
@@ -281,8 +281,8 @@
 if (!values) {
 if (debug)
 printf("No attribute value found\n");
- if (edir_universal_passwd)
- free(universal_password);
+ if (edir_universal_passwd)
+ free(universal_password);
 ldap_msgfree(res);
 return NULL;
 }
@@ -303,12 +303,12 @@
 printf("password: %s\n", password);
 if (password)
 password = strdup(password);
- if (edir_universal_passwd) {
- free(values);
- free(universal_password);
- } else {
- ldap_value_free(values);
- }
+ if (edir_universal_passwd) {
+ free(values);
+ free(universal_password);
+ } else {
+ ldap_value_free(values);
+ }
 ldap_msgfree(res);
 return password;
 } else {
@@ -427,7 +427,7 @@
 setbuf(stdout, NULL);
 while (argc > 1 && argv[1][0] == '-') {
- char *value = "";
+ const char *value = "";
 char option = argv[1][1];
 switch (option) {
 case 'P':
@@ -437,8 +437,8 @@
 case 'g':
 case 'e':
 case 'S':
- case 'n':
- case 'd':
+ case 'n':
+ case 'd':
 break;
 default:
 if (strlen(argv[1]) > 2) {
@@ -604,7 +604,7 @@
 }
 if (!ldapServer)
- ldapServer = "localhost";
+ ldapServer = (char *) "localhost";
 if (!userbasedn || !((passattr != NULL) || (edir_universal_passwd && usersearchfilter && version == LDAP_VERSION3 && use_tls))) {
 fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n");
@@ -644,7 +644,7 @@
 return 0;
 }
 static int
-readSecret(char *filename)
+readSecret(const char *filename)
 {
 char buf[BUFSIZ];
 char *e = 0;
@@ -665,13 +665,10 @@
 if ((e = strrchr(buf, '\r')))
 *e = 0;
- bindpasswd = (char *) calloc(sizeof(char), strlen(buf) + 1);
- if (bindpasswd) {
- strcpy(bindpasswd, buf);
- } else {
+ bindpasswd = strdup(buf);
+ if (!bindpasswd) {
 fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
 }
-
 fclose(f);
 return 0;
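Review bot: In readSecret, when `strdup(buf)` fails the function prints the error but still falls through to `return 0;`, so startup carries on with `bindpasswd == NULL` and a caller that checks the return (outside this hunk) cannot tell; close the file and fail inside that branch, `fclose(f); return 1;` after the fprintf. `buf` is a BUFSIZ stack array that still holds a copy of the bind secret after the strdup; it is worth clearing before the function returns, bearing in mind that a plain memset on a local about to go out of scope may be optimised away, so use a volatile-pointer loop or the platform's explicit-zero function. The beginning of readSecret is outside this hunk.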
@@ -680,7 +677,7 @@ void LDAPHHA1(RequestData * requestData) { - char *password = ""; + char *password; ldapconnect(); password = getpassword(requestData->user, requestData->realm); if (password != NULL) { diff -ruN squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c --- squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c 2007-06-25 00:29:14.000000000 +0200 +++ squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c 2008-01-02 17:15:47.000000000 +0100 
@@ -1,263 +1,263 @@ -/* ----------------------------------------------------------------------------- - * spnegohelp.c defines RFC 2478 SPNEGO GSS-API mechanism APIs. - * - * Author: Frank Balluffi - * - * Copyright (C) 2002-2003 All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. - * - * ----------------------------------------------------------------------------- - */ - -#include "spnegohelp.h" -#include "spnego.h" - -#include - -int makeNegTokenTarg (const unsigned char * kerberosToken, - size_t kerberosTokenLength, - const unsigned char ** negTokenTarg, - size_t * negTokenTargLength) -{ - SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL; - int rc1 = 1; - int rc2 = SPNEGO_E_SUCCESS; - - /* Check arguments. */ - - if (!kerberosToken || - !negTokenTarg || - !negTokenTargLength) - return 10; - - /* Does IIS reply with 1.2.840.48018.1.2.2 or 1.2.840.113554.1.2.2? */ - - /* Does IIS always reply with accept_completed? */ - - /* IIS does not include a MIC. */ - - rc2 = spnegoCreateNegTokenTarg (spnego_mech_oid_Kerberos_V5_Legacy, - spnego_negresult_success, - (unsigned char *) kerberosToken, - kerberosTokenLength, - NULL, - 0, - &hSpnegoToken); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+100; - goto cleanup; - } - - /* Get NegTokenTarg length. 
*/ - - rc2 = spnegoTokenGetBinary (hSpnegoToken, - NULL, - (unsigned long*) negTokenTargLength); - - if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL) - { - rc1 = abs(rc2)+200; - goto cleanup; - } - - *negTokenTarg = malloc (*negTokenTargLength); - - if (!*negTokenTarg) - { - rc1 = abs(rc2)+300; - goto cleanup; - } - - /* Get NegTokenTarg data. */ - - rc2 = spnegoTokenGetBinary (hSpnegoToken, - (unsigned char *) *negTokenTarg, - (unsigned long*) negTokenTargLength); - - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+400; - goto error; - } - - rc1 = 0; - - goto cleanup; - -error: - - if (*negTokenTarg) - { - free ((unsigned char *) *negTokenTarg); - *negTokenTarg = NULL; - *negTokenTargLength = 0; - } - -cleanup: - - if (hSpnegoToken) - spnegoFreeData (hSpnegoToken); - - LOG(("makeNegTokenTarg returned %d\n",rc1)); - return rc1; -} - -int parseNegTokenInit (const unsigned char * negTokenInit, - size_t negTokenInitLength, - const unsigned char ** kerberosToken, - size_t * kerberosTokenLength) -{ - SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL; - int pindex = -1; - int rc1 = 1; - int rc2 = SPNEGO_E_SUCCESS; - unsigned char reqFlags = 0; - int tokenType = 0; - - /* Check arguments. */ - - if (!negTokenInit || - !kerberosToken || - !kerberosTokenLength) - return 10; - - /* Decode SPNEGO token. */ - - rc2 = spnegoInitFromBinary ((unsigned char *) negTokenInit, - negTokenInitLength, - &hSpnegoToken); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+100; - goto cleanup; - } - - /* Check for negTokenInit choice. */ - - rc2 = spnegoGetTokenType (hSpnegoToken, - &tokenType); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+200; - goto cleanup; - } - - if (tokenType != SPNEGO_TOKEN_INIT) - { - rc1 = abs(rc2)+300; - goto cleanup; - } - - /* - Check that first mechType is 1.2.840.113554.1.2.2 or 1.2.840.48018.1.2.2. - */ - - /* - IE seems to reply with 1.2.840.48018.1.2.2 and then 1.2.840.113554.1.2.2. 
- */ - - rc2 = spnegoIsMechTypeAvailable (hSpnegoToken, - spnego_mech_oid_Kerberos_V5_Legacy, - &pindex); - - if (rc2 != SPNEGO_E_SUCCESS || - pindex != 0) - { - rc2 = spnegoIsMechTypeAvailable (hSpnegoToken, - spnego_mech_oid_Kerberos_V5, - &pindex); - - if (rc2 != SPNEGO_E_SUCCESS || - pindex != 0) - { - rc1 = abs(rc2)+400; - goto cleanup; - } - } - - /* Check for no reqFlags. */ - - /* Does IE ever send reqFlags? */ - - rc2 = spnegoGetContextFlags (hSpnegoToken, - &reqFlags); - - if (rc2 == SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+500; - goto cleanup; - } - - /* Get mechanism token length. */ - - rc2 = spnegoGetMechToken (hSpnegoToken, - NULL, - (unsigned long*) kerberosTokenLength); - - if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL) - { - rc1 = abs(rc2)+600; - goto cleanup; - } - - *kerberosToken = malloc (*kerberosTokenLength); - - if (!*kerberosToken) - { - rc1 = abs(rc2)+700; - goto cleanup; - } - - /* Get mechanism token data. */ - - rc2 = spnegoGetMechToken (hSpnegoToken, - (unsigned char *) *kerberosToken, - (unsigned long*) kerberosTokenLength); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+800; - goto error; - } - - /* According to Microsoft, IE does not send a MIC. */ - - rc1 = 0; - - goto cleanup; - -error: - - if (*kerberosToken) - { - free ((unsigned char *) *kerberosToken); - *kerberosToken = NULL; - *kerberosTokenLength = 0; - } - -cleanup: - - if (hSpnegoToken) - spnegoFreeData (hSpnegoToken); - - LOG(("parseNegTokenInit returned %d\n",rc1)); - return rc1; -} +/* ----------------------------------------------------------------------------- + * spnegohelp.c defines RFC 2478 SPNEGO GSS-API mechanism APIs. + * + * Author: Frank Balluffi + * + * Copyright (C) 2002-2003 All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. 
+ * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ + +#include "spnegohelp.h" +#include "spnego.h" + +#include + +int makeNegTokenTarg (const unsigned char * kerberosToken, + size_t kerberosTokenLength, + const unsigned char ** negTokenTarg, + size_t * negTokenTargLength) +{ + SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL; + int rc1 = 1; + int rc2 = SPNEGO_E_SUCCESS; + + /* Check arguments. */ + + if (!kerberosToken || + !negTokenTarg || + !negTokenTargLength) + return 10; + + /* Does IIS reply with 1.2.840.48018.1.2.2 or 1.2.840.113554.1.2.2? */ + + /* Does IIS always reply with accept_completed? */ + + /* IIS does not include a MIC. */ + + rc2 = spnegoCreateNegTokenTarg (spnego_mech_oid_Kerberos_V5_Legacy, + spnego_negresult_success, + (unsigned char *) kerberosToken, + kerberosTokenLength, + NULL, + 0, + &hSpnegoToken); + + if (rc2 != SPNEGO_E_SUCCESS) + { + rc1 = abs(rc2)+100; + goto cleanup; + } + + /* Get NegTokenTarg length. */ + + rc2 = spnegoTokenGetBinary (hSpnegoToken, + NULL, + (unsigned long*) negTokenTargLength); + + if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL) + { + rc1 = abs(rc2)+200; + goto cleanup; + } + + *negTokenTarg = malloc (*negTokenTargLength); + + if (!*negTokenTarg) + { + rc1 = abs(rc2)+300; + goto cleanup; + } + + /* Get NegTokenTarg data. 
*/ + + rc2 = spnegoTokenGetBinary (hSpnegoToken, + (unsigned char *) *negTokenTarg, + (unsigned long*) negTokenTargLength); + + + if (rc2 != SPNEGO_E_SUCCESS) + { + rc1 = abs(rc2)+400; + goto error; + } + + rc1 = 0; + + goto cleanup; + +error: + + if (*negTokenTarg) + { + free ((unsigned char *) *negTokenTarg); + *negTokenTarg = NULL; + *negTokenTargLength = 0; + } + +cleanup: + + if (hSpnegoToken) + spnegoFreeData (hSpnegoToken); + + LOG(("makeNegTokenTarg returned %d\n",rc1)); + return rc1; +} + +int parseNegTokenInit (const unsigned char * negTokenInit, + size_t negTokenInitLength, + const unsigned char ** kerberosToken, + size_t * kerberosTokenLength) +{ + SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL; + int pindex = -1; + int rc1 = 1; + int rc2 = SPNEGO_E_SUCCESS; + unsigned char reqFlags = 0; + int tokenType = 0; + + /* Check arguments. */ + + if (!negTokenInit || + !kerberosToken || + !kerberosTokenLength) + return 10; + + /* Decode SPNEGO token. */ + + rc2 = spnegoInitFromBinary ((unsigned char *) negTokenInit, + negTokenInitLength, + &hSpnegoToken); + + if (rc2 != SPNEGO_E_SUCCESS) + { + rc1 = abs(rc2)+100; + goto cleanup; + } + + /* Check for negTokenInit choice. */ + + rc2 = spnegoGetTokenType (hSpnegoToken, + &tokenType); + + if (rc2 != SPNEGO_E_SUCCESS) + { + rc1 = abs(rc2)+200; + goto cleanup; + } + + if (tokenType != SPNEGO_TOKEN_INIT) + { + rc1 = abs(rc2)+300; + goto cleanup; + } + + /* + Check that first mechType is 1.2.840.113554.1.2.2 or 1.2.840.48018.1.2.2. + */ + + /* + IE seems to reply with 1.2.840.48018.1.2.2 and then 1.2.840.113554.1.2.2. + */ + + rc2 = spnegoIsMechTypeAvailable (hSpnegoToken, + spnego_mech_oid_Kerberos_V5_Legacy, + &pindex); + + if (rc2 != SPNEGO_E_SUCCESS || + pindex != 0) + { + rc2 = spnegoIsMechTypeAvailable (hSpnegoToken, + spnego_mech_oid_Kerberos_V5, + &pindex); + + if (rc2 != SPNEGO_E_SUCCESS || + pindex != 0) + { + rc1 = abs(rc2)+400; + goto cleanup; + } + } + + /* Check for no reqFlags. 
*/ + + /* Does IE ever send reqFlags? */ + + rc2 = spnegoGetContextFlags (hSpnegoToken, + &reqFlags); + + if (rc2 == SPNEGO_E_SUCCESS) + { + rc1 = abs(rc2)+500; + goto cleanup; + } + + /* Get mechanism token length. */ + + rc2 = spnegoGetMechToken (hSpnegoToken, + NULL, + (unsigned long*) kerberosTokenLength); + + if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL) + { + rc1 = abs(rc2)+600; + goto cleanup; + } + + *kerberosToken = malloc (*kerberosTokenLength); + + if (!*kerberosToken) + { + rc1 = abs(rc2)+700; + goto cleanup; + } + + /* Get mechanism token data. */ + + rc2 = spnegoGetMechToken (hSpnegoToken, + (unsigned char *) *kerberosToken, + (unsigned long*) kerberosTokenLength); + + if (rc2 != SPNEGO_E_SUCCESS) + { + rc1 = abs(rc2)+800; + goto error; + } + + /* According to Microsoft, IE does not send a MIC. */ + + rc1 = 0; + + goto cleanup; + +error: + + if (*kerberosToken) + { + free ((unsigned char *) *kerberosToken); + *kerberosToken = NULL; + *kerberosTokenLength = 0; + } + +cleanup: + + if (hSpnegoToken) + spnegoFreeData (hSpnegoToken); + + LOG(("parseNegTokenInit returned %d\n",rc1)); + return rc1; +} diff -ruN squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h --- squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h 2007-06-03 02:47:39.000000000 +0200 +++ squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h 2008-01-02 17:15:47.000000000 +0100 
@@ -1,58 +1,58 @@ -/* ----------------------------------------------------------------------------- - * spnegohelp.c declares RFC 2478 SPNEGO GSS-API mechanism APIs. - * - * Author: Frank Balluffi - * - * Copyright (C) 2002-2003. All rights reserved. - * ----------------------------------------------------------------------------- - */ - -#ifndef SPNEGOHELP_H -#define SPNEGOHELP_H - -#ifdef __cplusplus -extern "C" { -#endif - -#include - -/* ----------------------------------------------------------------------------- - * makeNegTokenTarg makes an RFC 2478 SPNEGO NegTokenTarg (token) from an - * RFC 1964 Kerberos GSS-API token. - * - * If makeNegTokenTarg is successful, call free (*negTokenTarg) to free the - * memory allocated by parseNegTokenInit. - * - * Returns 0 if successful, 1 otherwise. - * ----------------------------------------------------------------------------- - */ - -int makeNegTokenTarg (const unsigned char * kerberosToken, - size_t kerberosTokenLength, - const unsigned char ** negTokenTarg, - size_t * negTokenTargLength); - -/* ----------------------------------------------------------------------------- - * parseNegTokenInit parses an RFC 2478 SPNEGO NegTokenInit (token) to extract - * an RFC 1964 Kerberos GSS-API token. - * - * If the NegTokenInit does cotain a Kerberos GSS-API token, parseNegTokenInit - * returns an error. - * - * If parseNegTokenInit is successful, call free (*kerberosToken) to - * free the memory allocated by parseNegTokenInit. - * - * Returns 0 if successful, 1 otherwise. - * ----------------------------------------------------------------------------- - */ - -int parseNegTokenInit (const unsigned char * negTokenInit, - size_t negTokenInitLength, - const unsigned char ** kerberosToken, - size_t * kerberosTokenLength); - -#ifdef __cplusplus -} -#endif - -#endif /* SPNEGOHELP_H */ +/* ----------------------------------------------------------------------------- + * spnegohelp.c declares RFC 2478 SPNEGO GSS-API mechanism APIs. 
+ * + * Author: Frank Balluffi + * + * Copyright (C) 2002-2003. All rights reserved. + * ----------------------------------------------------------------------------- + */ + +#ifndef SPNEGOHELP_H +#define SPNEGOHELP_H + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +/* ----------------------------------------------------------------------------- + * makeNegTokenTarg makes an RFC 2478 SPNEGO NegTokenTarg (token) from an + * RFC 1964 Kerberos GSS-API token. + * + * If makeNegTokenTarg is successful, call free (*negTokenTarg) to free the + * memory allocated by parseNegTokenInit. + * + * Returns 0 if successful, 1 otherwise. + * ----------------------------------------------------------------------------- + */ + +int makeNegTokenTarg (const unsigned char * kerberosToken, + size_t kerberosTokenLength, + const unsigned char ** negTokenTarg, + size_t * negTokenTargLength); + +/* ----------------------------------------------------------------------------- + * parseNegTokenInit parses an RFC 2478 SPNEGO NegTokenInit (token) to extract + * an RFC 1964 Kerberos GSS-API token. + * + * If the NegTokenInit does cotain a Kerberos GSS-API token, parseNegTokenInit + * returns an error. + * + * If parseNegTokenInit is successful, call free (*kerberosToken) to + * free the memory allocated by parseNegTokenInit. + * + * Returns 0 if successful, 1 otherwise. + * ----------------------------------------------------------------------------- + */ + +int parseNegTokenInit (const unsigned char * negTokenInit, + size_t negTokenInitLength, + const unsigned char ** kerberosToken, + size_t * kerberosTokenLength); + +#ifdef __cplusplus +} +#endif + +#endif /* SPNEGOHELP_H */ diff -ruN squid-2.6.STABLE17/include/version.h squid-2.6.STABLE18/include/version.h --- squid-2.6.STABLE17/include/version.h 2007-11-26 14:39:31.000000000 +0100 +++ squid-2.6.STABLE18/include/version.h 2008-01-10 13:34:23.000000000 +0100 
@@ -9,5 +9,5 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1196084366 +#define SQUID_RELEASE_TIME 1199968458 #endif diff -ruN squid-2.6.STABLE17/lib/Array.c squid-2.6.STABLE18/lib/Array.c --- squid-2.6.STABLE17/lib/Array.c 2007-11-26 12:06:12.000000000 +0100 +++ squid-2.6.STABLE18/lib/Array.c 2008-01-09 14:02:07.000000000 +0100 @@ -1,5 +1,5 @@ /* - * $Id: Array.c,v 1.8.2.1 2007/11/26 11:06:12 adrian Exp $ + * $Id: Array.c,v 1.8.2.2 2008/01/09 13:02:07 adrian Exp $ * * AUTHOR: Alex Rousskov * @@ -142,7 +142,7 @@ void arrayShrink(Array *a, int new_count) { - assert(new_count < a->capacity); + assert(new_count <= a->capacity); assert(new_count >= 0); a->count = new_count; } diff -ruN squid-2.6.STABLE17/lib/rfc2617.c squid-2.6.STABLE18/lib/rfc2617.c --- squid-2.6.STABLE17/lib/rfc2617.c 2007-01-13 17:06:42.000000000 +0100 +++ squid-2.6.STABLE18/lib/rfc2617.c 2008-01-02 18:07:26.000000000 +0100 @@ -13,7 +13,7 @@ /* - * $Id: rfc2617.c,v 1.8 2007/01/13 16:06:42 hno Exp $ + * $Id: rfc2617.c,v 1.8.2.1 2008/01/02 17:07:26 hno Exp $ * * DEBUG: * AUTHOR: RFC 2617 & Robert Collins @@ -94,7 +94,7 @@ else Bin[i / 2] |= n; } - for (; i <= HASHHEXLEN; i++) { + for (i = i / 2; i < HASHLEN; i++) { Bin[i] = '\0'; } } diff -ruN squid-2.6.STABLE17/RELEASENOTES.html squid-2.6.STABLE18/RELEASENOTES.html --- squid-2.6.STABLE17/RELEASENOTES.html 2007-11-26 14:40:06.000000000 +0100 +++ squid-2.6.STABLE18/RELEASENOTES.html 2008-01-10 13:34:58.000000000 +0100 @@ -2,12 +2,12 @@ - Squid 2.6.STABLE17 release notes + Squid 2.6.STABLE18 release notes -
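Review bot: `assert(new_count <= a->capacity);` still lets `arrayShrink` raise `a->count` above its current value into slots that were never assigned, which contradicts the name and would hand callers stale pointers out of `items`. If the only reason for relaxing the bound is the HttpHeader compaction passing a `pos` equal to a full array's count, `assert(new_count <= a->count);` expresses that invariant more tightly; I cannot see the other callers from here, so confirm none relies on growing.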
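Review bot: `CvtBin` still gives the caller no way to tell a complete conversion from a truncated or non-hex `Hex`: the first loop (outside the hunk) breaks on the first non-hex character, and the rewritten loop `for (i = i / 2; i < HASHLEN; i++) Bin[i] = '\0';` then quietly zero-fills the rest, so a helper that returns a malformed HA1 yields a well-formed, mostly-zero hash that is accepted as valid. The zero-fill itself is now correct: the old `i <= HASHHEXLEN` bound indexed the HASHLEN-byte `Bin` with a HASHHEXLEN-sized index and wrote past its end. At minimum document the contract where the function is declared, `/* Stops at the first non-hex char; the rest of Bin is zero-filled, so callers cannot distinguish short or malformed Hex from a valid one. */`, and consider having callers reject input whose length is not HASHHEXLEN before calling. The function's head and first loop are outside this hunk.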

Squid 2.6.STABLE17 release notes

+

Squid 2.6.STABLE18 release notes

-

Squid Developers

$Id: release-2.6.html,v 1.44.2.15 2007/11/26 13:34:35 hno Exp $ +

Squid Developers

$Id: release-2.6.html,v 1.44.2.16 2008/01/09 14:20:09 hno Exp $
This document contains the release notes for version 2.6 of Squid. Squid is a WWW Cache application developed by the Web Caching community. @@ -78,6 +78,9 @@

22. Key changes squid-2.6.STABLE16 to 2.6.STABLE17

+

+

23. Key changes squid-2.6.STABLE17 to 2.6.STABLE18

+

1. Key changes from squid 2.5

@@ -762,5 +765,19 @@

+

23. Key changes squid-2.6.STABLE17 to 2.6.STABLE18

+ +

+

    +
  • 2 assertion failures related to the fix for SQUID-2007:2
  • +
  • Digest authentication bugfixes, fixing random auth popups and failures when using digest authentication (auth_param digest ..)
  • +
  • License cleanup of edir_digest_auth
  • +
  • Code cleanups and portability fixes
  • +
  • See also the list of +squid-2.6.STABLE16 changes and the +ChangeLog file for details.
  • +
+

+ diff -ruN squid-2.6.STABLE17/src/auth/digest/auth_digest.c squid-2.6.STABLE18/src/auth/digest/auth_digest.c --- squid-2.6.STABLE17/src/auth/digest/auth_digest.c 2007-08-31 16:08:53.000000000 +0200 +++ squid-2.6.STABLE18/src/auth/digest/auth_digest.c 2008-01-02 18:07:26.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: auth_digest.c,v 1.21.2.1 2007/08/31 14:08:53 hno Exp $ + * $Id: auth_digest.c,v 1.21.2.2 2008/01/02 17:07:26 hno Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Robert Collins @@ -741,6 +741,7 @@ } } else { digest_request->flags.credentials_ok = 3; + digest_request->flags.invalid_password = 1; safe_free(auth_user_request->message); auth_user_request->message = xstrdup("Incorrect password"); return; @@ -750,7 +751,6 @@ if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) { debug(29, 3) ("authenticateDigestAuthenticateuser: user '%s' validated OK but nonce stale\n", digest_user->username); - digest_request->flags.nonce_stale = 1; digest_request->flags.credentials_ok = 3; safe_free(auth_user_request->message); auth_user_request->message = xstrdup("Stale nonce"); @@ -781,11 +781,8 @@ return 0; case 2: /* partway through checking. */ return -1; - case 3: /* authentication process failed. */ - if (digest_request->flags.nonce_stale) - /* nonce is stale, send new challenge */ - return 1; - return -2; + case 3: /* authentication process failed. Challenge. */ + return 1; } return -2; } @@ -855,7 +852,7 @@ digest_nonce_h *nonce = authenticateDigestNonceNew(); if (auth_user_request && auth_user_request->scheme_data) { digest_request = auth_user_request->scheme_data; - stale = digest_request->flags.nonce_stale; + stale = !digest_request->flags.invalid_password; } if (digestConfig->authenticate) { debug(29, 9) ("authenticateFixHeader: Sending type:%d header: 'Digest realm=\"%s\", nonce=\"%s\", qop=\"%s\", stale=%s\n", type, digestConfig->digestAuthRealm, authenticateDigestNonceNonceb64(nonce), QOP_AUTH, stale ? "true" : "false"); 
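Review bot: `stale = !digest_request->flags.invalid_password;` now sends `stale=true` for every rejected request except a verified wrong password, including a request whose nonce Squid never issued, where no digest could be checked at all. RFC 2617 §3.2.1 says a server should set stale=true only when the digest was valid for the stale nonce, so this is a deliberate deviation that trades strictness for fewer re-prompts, and it should say so at the assignment: `/* stale=true unless the password itself was rejected: lets the client retry silently with a fresh nonce (e.g. after a restart). Looser than RFC 2617 3.2.1. */`. I cannot see from the hunk whether a request rejected for a malformed header also reaches here with `invalid_password` clear; if it does, a client that keeps resending the same bad credentials will loop on stale challenges rather than re-prompt.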
@@ -911,6 +908,7 @@ digest_user = auth_user_request->auth_user->scheme_data; if (reply && (strncasecmp(reply, "ERR", 3) == 0)) { digest_request->flags.credentials_ok = 3; + digest_request->flags.invalid_password = 1; safe_free(auth_user_request->message); if (t && *t) auth_user_request->message = xstrdup(t); @@ -1273,10 +1271,7 @@ /* we couldn't find a matching nonce! */ debug(29, 4) ("authenticateDigestDecode: Unexpected or invalid nonce received\n"); authDigestLogUsername(auth_user_request, username); - - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; + auth_user_request->scheme_data = digest_request; return; } digest_request->nonce = nonce; @@ -1284,7 +1279,7 @@ /* check the qop is what we expected. Note that for compatability with * RFC 2069 we should support a missing qop. Tough. */ - if (!digest_request->qop || strcmp(digest_request->qop, QOP_AUTH)) { + if (digest_request->qop && strcmp(digest_request->qop, QOP_AUTH) != 0) { /* we received a qop option we didn't send */ debug(29, 4) ("authenticateDigestDecode: Invalid qop option received\n"); authDigestLogUsername(auth_user_request, username); diff -ruN squid-2.6.STABLE17/src/auth/digest/auth_digest.h squid-2.6.STABLE18/src/auth/digest/auth_digest.h --- squid-2.6.STABLE17/src/auth/digest/auth_digest.h 2006-07-08 15:26:26.000000000 +0200 +++ squid-2.6.STABLE18/src/auth/digest/auth_digest.h 2008-01-02 18:07:26.000000000 +0100 @@ -43,7 +43,7 @@ struct { unsigned int authinfo_sent:1; unsigned int credentials_ok:2; /*0=unchecked,1=ok,2=helper,3=failed */ - unsigned int nonce_stale:1; + unsigned int invalid_password:1; unsigned int helper_queried:1; } flags; digest_nonce_h *nonce; diff -ruN squid-2.6.STABLE17/src/cbdata.c squid-2.6.STABLE18/src/cbdata.c --- squid-2.6.STABLE17/src/cbdata.c 2006-05-13 00:04:59.000000000 +0200 +++ squid-2.6.STABLE18/src/cbdata.c 2008-01-02 18:06:50.000000000 +0100 
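Review bot: `auth_user_request->scheme_data = digest_request;` keeps a request whose `nonce` is still NULL attached, where the old code dropped it; everything downstream that dereferences `digest_request->nonce` (the credential check, the nonce-count validation, and whatever releases the nonce reference when the request is deleted) is outside this hunk and must treat NULL as "nonce not issued by us" rather than crash. If that is already the case, a one-line comment here would save the next reader the search: `/* keep the decoded request (nonce stays NULL) so the challenge can be sent with stale=true */`. The enclosing decode function begins and ends outside this hunk.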
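Review bot: `if (digest_request->qop && strcmp(digest_request->qop, QOP_AUTH) != 0)` now lets a response with no qop through, i.e. RFC 2069-style authentication; such a response carries neither `cnonce` nor `nc`, so the nonce-count validation and the response computation (both outside this hunk) must cope with an empty `nc` and a NULL qop, otherwise these clients are bounced with stale challenges forever instead of being accepted. Security-wise the RFC 2069 form drops the client nonce and nonce count, leaving replay resistance entirely to the server nonce's lifetime; the now-obsolete `Tough.` remark in the context comment should be replaced with something like `/* qop absent: RFC 2069 response accepted for compatibility; no cnonce/nc, so replay protection rests on the nonce lifetime alone */`, and a config switch to refuse it is worth considering. The function containing this check starts and ends outside the hunk.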
@@ -1,6 +1,6 @@ /* - * $Id: cbdata.c,v 1.46 2006/05/12 22:04:59 hno Exp $ + * $Id: cbdata.c,v 1.46.2.1 2008/01/02 17:06:50 hno Exp $ * * DEBUG: section 45 Callback Data Registry * ORIGINAL AUTHOR: Duane Wessels @@ -122,7 +122,7 @@ } #else -#define OFFSET_OF(type, member) ((int)(char *)&((type *)0L)->member) +#define OFFSET_OF(type, member) ((size_t)(char *)&((type *)0L)->member) #endif void diff -ruN squid-2.6.STABLE17/src/HttpHeader.c squid-2.6.STABLE18/src/HttpHeader.c --- squid-2.6.STABLE17/src/HttpHeader.c 2007-11-26 12:06:13.000000000 +0100 +++ squid-2.6.STABLE18/src/HttpHeader.c 2007-12-21 10:56:53.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: HttpHeader.c,v 1.91.2.3 2007/11/26 11:06:13 adrian Exp $ + * $Id: HttpHeader.c,v 1.91.2.4 2007/12/21 09:56:53 adrian Exp $ * * DEBUG: section 55 HTTP Header * AUTHOR: Alex Rousskov @@ -391,7 +391,8 @@ pos = 0; while (dp < hdr->entries.count) { for (; dp < hdr->entries.count && hdr->entries.items[dp] == NULL; dp++); - assert(dp < hdr->entries.count); + if (dp >= hdr->entries.count) + break; hdr->entries.items[pos] = hdr->entries.items[dp]; if (dp != pos) hdr->entries.items[dp] = NULL; diff -ruN squid-2.6.STABLE17/src/MemPool.c squid-2.6.STABLE18/src/MemPool.c --- squid-2.6.STABLE17/src/MemPool.c 2006-09-19 00:54:39.000000000 +0200 +++ squid-2.6.STABLE18/src/MemPool.c 2008-01-09 14:58:12.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: MemPool.c,v 1.39 2006/09/18 22:54:39 hno Exp $ + * $Id: MemPool.c,v 1.39.2.1 2008/01/09 13:58:12 hno Exp $ * * DEBUG: section 63 Low Level Memory Pool Management * AUTHOR: Alex Rousskov 
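Review bot: The fallback `OFFSET_OF` still forms `&((type *)0L)->member`, which dereferences a null pointer and is undefined behaviour whatever the result is cast to; the `(size_t)` cast only removes the truncation the old `(int)` cast had on LP64. `offsetof` from `<stddef.h>` has been standard since C89, so `#define OFFSET_OF(type, member) offsetof(type, member)` can replace the hand-rolled form outright; the `#if` branch this `#else` pairs with is outside the hunk and may already do exactly that, in which case the fallback can simply go.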
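Review bot: `if (dp >= hdr->entries.count) break;` replaces an assert that documented the trailing-NULL case as impossible, so the new line needs a comment saying why it is legitimate now: `/* all remaining slots were NULL (entries deleted from the tail); nothing left to move */`. It would also help to state that `pos` is the compacted count which the code after the loop (outside the hunk, presumably the `arrayShrink` call whose bound the Array.c change relaxes) relies on. The enclosing function starts and ends outside this hunk.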
@@ -266,16 +266,16 @@ gb_inc(&TheMeter.saved, pool->obj_size); obj = stackPop(&pool->pstack); #if DEBUG_MEMPOOL - (void) VALGRIND_MAKE_READABLE(obj, pool->real_obj_size + sizeof(struct mempool_cookie)); + (void) VALGRIND_MAKE_MEM_DEFINED(obj, pool->real_obj_size + sizeof(struct mempool_cookie)); #else - (void) VALGRIND_MAKE_READABLE(obj, pool->obj_size); + (void) VALGRIND_MAKE_MEM_DEFINED(obj, pool->obj_size); #endif #if DEBUG_MEMPOOL { struct mempool_cookie *cookie = (void *) (((unsigned char *) obj) + pool->real_obj_size); assert(cookie->cookie == MEMPOOL_COOKIE(obj)); assert(cookie->pool == pool); - (void) VALGRIND_MAKE_NOACCESS(cookie, sizeof(cookie)); + (void) VALGRIND_MAKE_MEM_NOACCESS(cookie, sizeof(cookie)); } #endif } else { @@ -289,7 +289,7 @@ cookie = (struct mempool_cookie *) (((unsigned char *) obj) + pool->real_obj_size); cookie->cookie = MEMPOOL_COOKIE(obj); cookie->pool = pool; - (void) VALGRIND_MAKE_NOACCESS(cookie, sizeof(cookie)); + (void) VALGRIND_MAKE_MEM_NOACCESS(cookie, sizeof(cookie)); } #else obj = xcalloc(1, pool->obj_size); @@ -305,11 +305,11 @@ memMeterDec(pool->meter.inuse); memMeterDel(TheMeter.inuse, pool->obj_size); mem_pool_free_calls++; - (void) VALGRIND_CHECK_WRITABLE(obj, pool->obj_size); + (void) VALGRIND_CHECK_MEM_IS_ADDRESSABLE(obj, pool->obj_size); #if DEBUG_MEMPOOL { struct mempool_cookie *cookie = (void *) (((unsigned char *) obj) + pool->real_obj_size); - (void) VALGRIND_MAKE_READABLE(cookie, sizeof(cookie)); + (void) VALGRIND_MAKE_MEM_DEFINED(cookie, sizeof(cookie)); assert(cookie->cookie == MEMPOOL_COOKIE(obj)); assert(cookie->pool == pool); } 
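Review bot: `VALGRIND_MAKE_MEM_NOACCESS(cookie, sizeof(cookie))` covers only `sizeof(struct mempool_cookie *)` bytes, not the cookie, because `cookie` is a pointer; the same `sizeof(cookie)` recurs in the @@ -289 and @@ -305 hunks on this line (`VALGRIND_MAKE_MEM_DEFINED(cookie, sizeof(cookie))`). The region is sized with `sizeof(struct mempool_cookie)` two lines up, so these calls should read `sizeof(*cookie)`; as written, a DEBUG_MEMPOOL build under valgrind leaves most of the cookie unprotected and the overwrite detection the cookie exists for is partly blind. Only debug builds are affected; production behaviour is unchanged.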
@@ -319,9 +319,9 @@ memMeterAdd(TheMeter.idle, pool->obj_size); memset(obj, 0, pool->obj_size); #if DEBUG_MEMPOOL - (void) VALGRIND_MAKE_NOACCESS(obj, pool->real_obj_size + sizeof(struct mempool_cookie)); + (void) VALGRIND_MAKE_MEM_NOACCESS(obj, pool->real_obj_size + sizeof(struct mempool_cookie)); #else - (void) VALGRIND_MAKE_NOACCESS(obj, pool->obj_size); + (void) VALGRIND_MAKE_MEM_NOACCESS(obj, pool->obj_size); #endif stackPush(&pool->pstack, obj); } else { diff -ruN squid-2.6.STABLE17/src/pinger.c squid-2.6.STABLE18/src/pinger.c --- squid-2.6.STABLE17/src/pinger.c 2006-05-22 21:20:30.000000000 +0200 +++ squid-2.6.STABLE18/src/pinger.c 2008-01-02 18:06:50.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: pinger.c,v 1.50 2006/05/22 19:20:30 serassio Exp $ + * $Id: pinger.c,v 1.50.2.1 2008/01/02 17:06:50 hno Exp $ * * DEBUG: section 42 ICMP Pinger program * AUTHOR: Duane Wessels @@ -307,7 +307,7 @@ icmp->icmp_seq = (u_short) icmp_pkts_sent++; echo = (icmpEchoData *) (icmp + 1); echo->opcode = (unsigned char) opcode; - echo->tv = current_time; + memcpy(&echo->tv, ¤t_time, sizeof(current_time)); icmp_pktsize += sizeof(struct timeval) + sizeof(char); if (payload) { if (len > MAX_PAYLOAD) @@ -345,6 +345,7 @@ struct timeval now; icmpEchoData *echo; static pingerReplyData preply; + struct timeval tv; if (pkt == NULL) pkt = xmalloc(MAX_PKT_SZ); @@ -380,7 +381,8 @@ preply.from = from.sin_addr; preply.opcode = echo->opcode; preply.hops = ipHops(ip->ip_ttl); - preply.rtt = tvSubMsec(echo->tv, now); + memcpy(&tv, &echo->tv, sizeof(tv)); + preply.rtt = tvSubMsec(tv, now); preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT_SZ); pingerSendtoSquid(&preply); pingerLog(icmp, from.sin_addr, preply.rtt, preply.hops); diff -ruN squid-2.6.STABLE17/src/squid.h squid-2.6.STABLE18/src/squid.h --- squid-2.6.STABLE17/src/squid.h 2006-09-08 21:41:24.000000000 +0200 +++ squid-2.6.STABLE18/src/squid.h 2008-01-09 14:58:12.000000000 +0100 
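Review bot: `memcpy(&tv, &echo->tv, sizeof(tv));` copies a timestamp that arrived in the ICMP reply payload, i.e. whatever the echoing host (or anyone able to spoof a reply to this socket) put there, and `tvSubMsec(tv, now)` is then trusted as the RTT and passed to Squid via `pingerSendtoSquid(&preply)` unchanged. The memcpy rightly avoids the unaligned access the old direct assignment had on strict-alignment targets, but the value is untrusted, so clamp it, e.g. `if (preply.rtt < 0) preply.rtt = 0;`, or at least document that a spoofed reply controls this field. The length check guaranteeing `echo` lies entirely within the `n` bytes read is not visible in the hunk; if it is not earlier in the function (outside this hunk), `echo->opcode` and `echo->tv` can read past the packet. The `¤t_time` in the send-side hunk is `&current_time` mangled by entity decoding, not a code change.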
@@ -1,6 +1,6 @@ /* - * $Id: squid.h,v 1.244 2006/09/08 19:41:24 serassio Exp $ + * $Id: squid.h,v 1.244.2.1 2008/01/09 13:58:12 hno Exp $ * * AUTHOR: Duane Wessels * @@ -529,12 +529,19 @@ */ #if WITH_VALGRIND #include +#ifndef VALGRIND_MAKE_MEM_NOACCESS +/* A little glue for older valgrind version prior to 3.2.0 */ +#define VALGRIND_MAKE_MEM_NOACCESS VALGRIND_MAKE_NOACCESS +#define VALGRIND_MAME_MEM_UNDEFINED VALGRIND_MAME_WRITABLE +#define VALGRIND_MAKE_MEM_DEFINED VALGRIND_MAKE_READABLE +#define VALGRIND_CHECK_MEM_IS_ADDRESSABLE VALGRIND_CHECK_WRITABLE +#endif #else -#define VALGRIND_MAKE_NOACCESS(a,b) (0) -#define VALGRIND_MAKE_WRITABLE(a,b) (0) -#define VALGRIND_MAKE_READABLE(a,b) (0) -#define VALGRIND_CHECK_WRITABLE(a,b) (0) -#define VALGRIND_CHECK_READABLE(a,b) (0) +#define VALGRIND_MAKE_MEM_NOACCESS(a,b) (0) +#define VALGRIND_MAKE_MEM_UNDEFINED(a,b) (0) +#define VALGRIND_MAKE_MEM_DEFINED(a,b) (0) +#define VALGRIND_CHECK_MEM_IS_ADDRESSABLE(a,b) (0) +#define VALGRIND_CHECK_MEM_IS_DEFINED(a,b) (0) #define VALGRIND_MALLOCLIKE_BLOCK(a,b,c,d) #define VALGRIND_FREELIKE_BLOCK(a,b) #define RUNNING_ON_VALGRIND 0 diff -ruN squid-2.6.STABLE17/src/tools.c squid-2.6.STABLE18/src/tools.c --- squid-2.6.STABLE17/src/tools.c 2007-09-01 22:09:50.000000000 +0200 +++ squid-2.6.STABLE18/src/tools.c 2008-01-02 18:06:50.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: tools.c,v 1.250.2.3 2007/09/01 20:09:50 hno Exp $ + * $Id: tools.c,v 1.250.2.4 2008/01/02 17:06:50 hno Exp $ * * DEBUG: section 21 Misc Functions * AUTHOR: Harvest Derived @@ -976,7 +976,7 @@ * 2 until it becomes positive again. */ kb_t x; - x.kb = 1 << 31; + x.kb = 1L << 31; while (x.kb && ((k->kb + x.kb) < 0)) { x.kb <<= 1; } @@ -1295,7 +1295,7 @@ void setUmask(mode_t mask) { - static mode_t orig_umask = ~0; + static mode_t orig_umask = (mode_t) ~ 0; if (orig_umask == (mode_t) ~ 0) { /* Unfortunately, there is no way to get the current * umask value without setting it.
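Review bot: The compatibility glue for valgrind older than 3.2.0 misspells both sides of `#define VALGRIND_MAME_MEM_UNDEFINED VALGRIND_MAME_WRITABLE`; it should be `#define VALGRIND_MAKE_MEM_UNDEFINED VALGRIND_MAKE_WRITABLE`, otherwise any use of `VALGRIND_MAKE_MEM_UNDEFINED` fails to compile with an old valgrind while the non-valgrind `#else` stub below accepts it. The block also omits a mapping for `VALGRIND_CHECK_MEM_IS_DEFINED`, which the stub branch does define; add `#define VALGRIND_CHECK_MEM_IS_DEFINED VALGRIND_CHECK_READABLE` so both branches expose the same set of names.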
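Review bot: `x.kb = 1L << 31;` only widens the constant; on a target where `long` is 32 bits it still shifts a 1 into the sign bit, and the following `x.kb <<= 1` loop keeps shifting a signed value until it wraps to zero, which is signed overflow and undefined behaviour in C99 regardless of this change. If `kb` is a signed type (its definition is outside the hunk), doing the search with an unsigned shadow, `unsigned long bit = 1UL << 31;` shifted with `bit <<= 1` and converted only at the `< 0` comparison, would make the loop well-defined. The enclosing function starts and ends outside this hunk.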