Patch file generated Fri Aug 3 00:45:41 EST 2001 from CVS branch auth_rewrite CVS repository: rbcollins@cvs.squid.sourceforge.net:/cvsroot/squid CVS module: squid Index: squid/configure.in diff -u squid/configure.in:1.22 squid/configure.in:1.1.1.3.10.17.2.23 --- squid/configure.in:1.22 Sun Jun 10 23:55:01 2001 +++ squid/configure.in Tue Jul 31 03:29:22 2001 @@ -1054,6 +1054,8 @@ varargs.h \ byteswap.h \ glib.h \ + stdint.h \ + inttypes.h \ ) AC_C_CONST Index: squid/src/acl.c diff -u squid/src/acl.c:1.31 squid/src/acl.c:1.1.1.3.12.26.2.54 --- squid/src/acl.c:1.31 Fri Jun 29 01:23:33 2001 +++ squid/src/acl.c Thu Aug 2 07:18:52 2001 @@ -67,6 +67,10 @@ #if SQUID_SNMP static int aclMatchWordList(wordlist *, const char *); #endif +static void aclParseUserMaxIP(void * data); +static void aclDestroyUserMaxIP(void * data); +static wordlist *aclDumpUserMaxIP(void *data); +static int aclMatchUserMaxIP(void *, auth_user_request_t *, struct in_addr); static squid_acl aclStrToType(const char *s); static int decode_addr(const char *, struct in_addr *, struct in_addr *); static void aclCheck(aclCheck_t * checklist); @@ -220,6 +224,8 @@ return ACL_REQ_MIME_TYPE; if (!strcmp(s, "rep_mime_type")) return ACL_REP_MIME_TYPE; + if (!strcmp(s, "max_user_ip")) + return ACL_MAX_USER_IP; return ACL_NONE; } @@ -288,6 +294,8 @@ return "req_mime_type"; if (type == ACL_REP_MIME_TYPE) return "rep_mime_type"; + if (type == ACL_MAX_USER_IP) + return "max_user_ip"; return "ERROR"; } @@ -784,6 +792,9 @@ case ACL_DST_ASN: aclParseIntlist(&A->data); break; + case ACL_MAX_USER_IP: + aclParseUserMaxIP(&A->data); + break; #if SRC_RTT_NOT_YET_FINISHED case ACL_NETDB_SRC_RTT: aclParseIntlist(&A->data); @@ -1088,14 +1099,14 @@ if (user == NULL) return 0; - if (data->flags.case_insensitive) - Tolower(user); - if (data->flags.required) { debug(28, 7) ("aclMatchUser: user REQUIRED and auth-info present.\n"); return 1; } - Top = splay_splay(user, Top, (SPLAYCMP *) strcmp); + if (data->flags.case_insensitive) + Top = splay_splay(user, Top, (SPLAYCMP *) strcasecmp); + else + Top = splay_splay(user, Top, (SPLAYCMP *) strcmp); /* Top=splay_splay(user,Top,(SPLAYCMP *)dumping_strcmp); */ debug(28, 7) ("aclMatchUser: returning %d,Top is %p, Top->data is %s\n", !splayLastResult, Top, (Top ? Top->data : "Unavailable")); @@ -1171,11 +1182,9 @@ } } -/* aclMatchProxyAuth can return four exit codes: - * 0 : Authenticated OK, Authorisation for this ACL failed. - * 1 : Authenticated OK, Authorisation OK. - * -1 : send data to an external authenticator - * -2 : send data to the client +/* aclMatchProxyAuth can return two exit codes: + * 0 : Authorisation for this ACL failed. (Did not match) + * 1 : Authorisation OK. (Matched) */ static int aclMatchProxyAuth(void *data, http_hdr_type headertype, @@ -1183,158 +1192,117 @@ squid_acl acltype) { /* checklist is used to register user name when identified, nothing else */ - const char *proxy_auth; - /* consistent parameters ? */ - assert(auth_user_request == checklist->auth_user_request); - + /* General program flow in proxy_auth acls * 1. Consistency checks: are we getting sensible data * 2. Call the authenticate* functions to establish a authenticated user * 4. look up the username in acltype (and cache the result against the * username */ + + /* for completeness */ + authenticateAuthUserRequestLock(auth_user_request); + + /* consistent parameters ? */ + assert(authenticateUserAuthenticated(auth_user_request)); + /* this ACL check completed */ + authenticateAuthUserRequestUnlock(auth_user_request); + /* check to see if we have matched the user-acl before */ + return aclCacheMatchAcl(&auth_user_request->auth_user-> + proxy_match_cache, acltype, data, + authenticateUserRequestUsername(auth_user_request)); +} - assert(headertype != 0); - proxy_auth = httpHeaderGetStr(&checklist->request->header, headertype); +CBDATA_TYPE (acl_user_ip_data); - if (checklist->conn == NULL) { - debug(28, 1) ("aclMatchProxyAuth: no connection data, cannot process authentication\n"); - /* - * deny access: clientreadrequest requires conn data, and it is always - * compiled in so we should have it too. - */ - return 0; - } - /* - * a note on proxy_auth logix here: - * proxy_auth==NULL -> unauthenticated request || already authenticated connection - * so we test for an authenticated connection when we recieve no authentication - * header. - */ - if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(auth_user_request ? auth_user_request : checklist->conn->auth_user_request))) - || (checklist->conn->auth_type == AUTH_BROKEN)) { - /* no header or authentication failed/got corrupted - restart */ - checklist->conn->auth_type = AUTH_UNKNOWN; - debug(28, 4) ("aclMatchProxyAuth: broken auth or no proxy_auth header. Requesting auth header.\n"); - /* something wrong with the AUTH credentials. Force a new attempt */ - checklist->auth_user_request = NULL; - checklist->conn->auth_user_request = NULL; - if (auth_user_request) { - /* unlock the ACL lock */ - authenticateAuthUserRequestUnlock(auth_user_request); - } - return -2; - } - /* we have a proxy auth header and as far as we know this connection has - * not had bungled connection oriented authentication happen on it. */ - debug(28, 9) ("aclMatchProxyAuth: header %s.\n", proxy_auth); - if (auth_user_request == NULL) { - debug(28, 9) ("aclMatchProxyAuth: This is a new request on FD:%d\n", - checklist->conn->fd); - if ((!checklist->request->auth_user_request) - && (checklist->conn->auth_type == AUTH_UNKNOWN)) { - /* beginning of a new request check */ - debug(28, 4) ("aclMatchProxyAuth: no connection authentication type\n"); - if (!authenticateValidateUser(auth_user_request = - authenticateGetAuthUser(proxy_auth))) { - /* the decode might have left a username for logging, or a message to - * the user */ - if (authenticateUserRequestUsername(auth_user_request)) { - /* lock the user for the request structure link */ - authenticateAuthUserRequestLock(auth_user_request); - checklist->request->auth_user_request = auth_user_request; - /* unlock the ACL reference. */ - authenticateAuthUserRequestUnlock(auth_user_request); - } - return -2; - } - /* the user_request comes prelocked for the caller to GetAuthUser (us) */ - } else if (checklist->request->auth_user_request) { - auth_user_request = checklist->request->auth_user_request; - /* lock the user request for this ACL processing */ - authenticateAuthUserRequestLock(auth_user_request); - } else { - if (checklist->conn->auth_user_request != NULL) { - auth_user_request = checklist->conn->auth_user_request; - /* lock the user request for this ACL processing */ - authenticateAuthUserRequestLock(auth_user_request); - } else { - /* failed connection based authentication */ - debug(28, 4) ("aclMatchProxyAuth: Auth user request %d conn-auth user request %d conn type %d authentication failed.\n", - auth_user_request, checklist->conn->auth_user_request, - checklist->conn->auth_type); - return -2; - } - } +void +aclParseUserMaxIP(void * data) +{ + acl_user_ip_data ** acldata = data; + char *t = NULL; + CBDATA_INIT_TYPE (acl_user_ip_data); + if (*acldata) { + debug (28, 1) ("Attempting to alter already set User max IP acl\n"); + return; } - /* Clear the reference in the checklist */ - checklist->auth_user_request = NULL; - if (!authenticateUserAuthenticated(auth_user_request)) { - /* User not logged in. Log them in */ - authenticateAuthUserRequestSetIp(auth_user_request, - checklist->src_addr); - authenticateAuthenticateUser(auth_user_request, checklist->request, - checklist->conn, headertype); - switch (authenticateDirection(auth_user_request)) { - case 1: - /* this ACL check is finished. Unlock. */ - authenticateAuthUserRequestUnlock(auth_user_request); - return -2; - case -1: - /* we are partway through authentication within squid - * store the auth_user for the callback to here */ - checklist->auth_user_request = auth_user_request; - /* we will be called back here. Do not Unlock */ - return -1; - case -2: - /* this ACL check is finished. Unlock. */ - authenticateAuthUserRequestUnlock(auth_user_request); - return -2; - } /* on 0 the authentication is finished - fallthrough */ - /* See of user authentication failed for some reason */ - if (!authenticateUserAuthenticated(auth_user_request)) { - if ((!checklist->rfc931[0]) && - (authenticateUserRequestUsername(auth_user_request))) { - if (!checklist->request->auth_user_request) { - /* lock the user for the request structure link */ - authenticateAuthUserRequestLock(auth_user_request); - checklist->request->auth_user_request = auth_user_request; - } - } - /* this ACL check is finished. Unlock. */ - authenticateAuthUserRequestUnlock(auth_user_request); - return -2; + *acldata = cbdataAlloc (acl_user_ip_data); + if ((t = strtokFile())) { + debug(28, 5) ("aclParseUserMaxIP: First token is %s\n", t); + if (strcmp("-s", t) == 0) { + debug(28, 5) ("aclParseUserMaxIP: Going strict\n"); + (*acldata)->flags.strict = 1; + } else { + (*acldata)->max = atoi(t); + debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (*acldata)->max); } - } - /* User authenticated ok */ - assert(authenticateUserAuthenticated(auth_user_request)); + } else + fatal("aclParseUserMaxIP: Malformed ACL %d\n"); +} - /* copy username to request for logging on client-side */ - /* the credentials are correct at this point */ - if (!checklist->request->auth_user_request) { - /* lock the user for the request structure link */ - authenticateAuthUserRequestLock(auth_user_request); - checklist->request->auth_user_request = auth_user_request; - } - if (authenticateCheckAuthUserIP(checklist->src_addr, auth_user_request)) { - /* Once the match is completed we have finished with the - * auth_user structure */ - /* this ACL check completed */ - authenticateAuthUserRequestUnlock(auth_user_request); - /* check to see if we have matched the user-acl before */ - return aclCacheMatchAcl(&auth_user_request->auth_user-> - proxy_match_cache, acltype, data, - authenticateUserRequestUsername(auth_user_request)); +void +aclDestroyUserMaxIP(void * data) +{ + acl_user_ip_data ** acldata = data; + if (*acldata) + cbdataFree (*acldata); + *acldata = NULL; +} + +wordlist * +aclDumpUserMaxIP(void * data) +{ + acl_user_ip_data *acldata = data; + wordlist *W = NULL; + char buf[128]; + if (acldata->flags.strict) + wordlistAdd(&W, "-s"); + snprintf(buf, sizeof(buf), "%d", acldata->max); + wordlistAdd(&W, buf); + return W; +} + +/* aclMatchUserMaxIP - check for users logging in from multiple IP's + * 0 : No match + * 1 : Match + */ +int +aclMatchUserMaxIP(void *data, auth_user_request_t *auth_user_request, + struct in_addr src_addr) +{ +/* + > the logic for flush the ip list when the limit is hit vs keep it sorted in most recent access order and just drop the oldest one off is currently undecided +*/ + acl_user_ip_data *acldata = data; + + if (authenticateAuthUserRequestIPCount(auth_user_request) <= acldata->max) + return 0; + + /* this is a match */ + if (acldata->flags.strict) { + /* simply deny access - the user name is already associated with + * the request + */ + /* remove _this_ ip, as it is the culprit for going over the limit */ + authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr); + debug (28,4) ("aclMatchUserMaxIP: Denying access in strict mode\n"); } else { - debug(28, 1) ("XXX authenticateCheckAuthUserIP returned 0, somebody " - "make sure the username gets logged to access.log.\n"); - debug(28, 1) ("XXX if it works, tell developers to remove this " - "message\n"); + /* non-strict - remove some/all of the cached entries + * ie to allow the user to move machines easily + */ + authenticateAuthUserRequestClearIp(auth_user_request); + debug (28,4) ("aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache\n"); } - /* this acl check completed */ - authenticateAuthUserRequestUnlock(auth_user_request); - return 0; + /* We had reports about the username being lost when denying due to + * IP limits. That should be fixed in the new lazy-proxy code, but + * This note note is a reminder! + */ + debug(28, 1) ("XXX aclMatchUserMaxIP returned 0, somebody " + "make sure the username gets logged to access.log.\n"); + debug(28, 1) ("XXX if it works, tell developers to remove this " + "message\n"); + + return 1; } static void @@ -1443,7 +1411,7 @@ char *esc_buf; const char *header; const char *browser; - int k; + int k,ti; http_hdr_type headertype; if (!ae) return 0; @@ -1602,6 +1570,8 @@ /* NOTREACHED */ case ACL_PROXY_AUTH: case ACL_PROXY_AUTH_REGEX: + case ACL_MAX_USER_IP: + /* ALL authentication predicated ACL's live here */ if (NULL == r) { return -1; } else if (!r->flags.accelerated) { @@ -1619,9 +1589,46 @@ return -1; #endif } + /* get authed here */ + if ((ti = authenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn, checklist->src_addr)) != AUTH_AUTHENTICATED) { + switch (ti) { + case 0: + /* Authenticated but not Authorised for this ACL */ + debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); + return 0; + case 1: + fatal("AUTH_AUTHENTICATED == 1\n"); + break; + case -1: + /* Send data to the helper */ + debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED; + return 0; + case -2: + /* Send a challenge to the client */ + debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; + return 0; + } + } + /* then, switch on type again to do the correct match routine :> */ + switch (ae->type) { + case ACL_PROXY_AUTH: + case ACL_PROXY_AUTH_REGEX: + ti = aclMatchProxyAuth(ae->data, headertype, + checklist->auth_user_request, checklist, ae->type); + break; + case ACL_MAX_USER_IP: + ti = aclMatchUserMaxIP(ae->data, checklist->auth_user_request, + checklist->src_addr); + break; + default: + /* Keep GCC happy */ + break; + } + checklist->auth_user_request = NULL; /* Check the credentials */ - switch (aclMatchProxyAuth(ae->data, headertype, - checklist->auth_user_request, checklist, ae->type)) { + switch (ti) { case 0: debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); /* Authenticated but not Authorised for this ACL */ @@ -1631,20 +1638,11 @@ /* Authenticated and Authorised for this ACL */ return 1; case -2: - debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); - /* Authentication credentials invalid or missing. */ - /* Or partway through NTLM handshake. A proxy_Authenticate header - * gets sent to the client. */ - checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; - return 0; case -1: - debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); - /* - * we need to validate the password - */ - checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED; - return 0; + fatal("Invalid response from match routine\n"); + break; } + /* NOTREACHED */ #if SQUID_SNMP case ACL_SNMP_COMMUNITY: @@ -1919,12 +1917,11 @@ checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_DONE; if (result != NULL) fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n"); - /* state info check */ - assert(checklist->conn != NULL); auth_user_request = checklist->auth_user_request; - if (!authenticateValidateUser(auth_user_request)) { + if (!authenticateValidateUser(auth_user_request) || checklist->conn == NULL) { /* credentials could not be checked either way * restart the whole process */ + /* OR the connection was closed, there's no way to continue */ checklist->conn->auth_user_request = NULL; checklist->conn->auth_type = AUTH_BROKEN; checklist->auth_user_request = NULL; @@ -2080,6 +2077,9 @@ case ACL_MAXCONN: intlistDestroy((intlist **) & a->data); break; + case ACL_MAX_USER_IP: + aclDestroyUserMaxIP(&a->data); + break; case ACL_URL_PORT: case ACL_MY_PORT: aclDestroyIntRange(a->data); @@ -2417,6 +2417,8 @@ case ACL_MAXCONN: case ACL_DST_ASN: return aclDumpIntlistList(a->data); + case ACL_MAX_USER_IP: + return aclDumpUserMaxIP(a->data); case ACL_URL_PORT: case ACL_MY_PORT: return aclDumpIntRangeList(a->data); Index: squid/src/authenticate.c diff -u squid/src/authenticate.c:1.15 squid/src/authenticate.c:1.1.1.3.12.17.2.46 --- squid/src/authenticate.c:1.15 Thu Jul 12 15:33:15 2001 +++ squid/src/authenticate.c Thu Aug 2 07:42:40 2001 @@ -40,6 +40,8 @@ #include "squid.h" +CBDATA_TYPE (auth_user_ip_t); + static void authenticateDecodeAuth(const char *proxy_auth, auth_user_request_t * auth_user_request); @@ -175,6 +177,7 @@ auth_user_t *temp_auth; temp_auth = memAllocate(MEM_AUTH_USER_T); assert(temp_auth != NULL); + memset (temp_auth, '\0', sizeof (auth_user_t)); temp_auth->auth_type = AUTH_UNKNOWN; temp_auth->references = 0; temp_auth->auth_module = authenticateAuthSchemeId(scheme) + 1; @@ -241,11 +244,110 @@ void authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr) { - if (auth_user_request->auth_user) - if (!auth_user_request->auth_user->ipaddr.s_addr) - auth_user_request->auth_user->ipaddr = ipaddr; + auth_user_ip_t *ipdata, *tempnode; + auth_user_t *auth_user; + char *ip1; + CBDATA_INIT_TYPE (auth_user_ip_t); + if (!auth_user_request->auth_user) + return; + auth_user = auth_user_request->auth_user; + ipdata = (auth_user_ip_t *) auth_user->ip_list.head; + /* we walk the entire list to prevent the first item in the list preventing + * old entries being flushed and locking a user out after a timeout+reconfigure + */ + while (ipdata) { + tempnode = (auth_user_ip_t *) ipdata->node.next; + /* walk the ip list */ + if (ipdata->ipaddr.s_addr == ipaddr.s_addr) { + /* This ip has alreadu been seen. */ + /* update IP ttl */ + ipdata->ip_expiretime = squid_curtime; + } else if (ipdata->ip_expiretime + Config.authenticateIpTTL < squid_curtime) { + /* This IP has expired - remove from the seen list */ + dlinkDelete (&ipdata->node, &auth_user->ip_list); + cbdataFree (ipdata); + /* catch incipient underflow */ + assert(auth_user->ipcount); + auth_user->ipcount--; + } + ipdata = tempnode; + } + + /* This ip is not in the seen list */ + ipdata = cbdataAlloc (auth_user_ip_t); + ipdata->ip_expiretime = squid_curtime; + ipdata->ipaddr = ipaddr; + dlinkAddTail(ipdata, &ipdata->node, &auth_user->ip_list); + auth_user->ipcount++; + + ip1 = xstrdup(inet_ntoa(ipaddr)); + debug(29, 1) ("authenticateAuthUserRequestSetIp: user '%s' has been seen at a new IP address (%s, %s)\n ", authenticateUserUsername(auth_user), ip1); + safe_free(ip1); +} + +void +authenticateAuthUserRequestRemoveIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr) +{ + auth_user_ip_t *ipdata; + auth_user_t *auth_user; + if (!auth_user_request->auth_user) + return; + auth_user = auth_user_request->auth_user; + ipdata = (auth_user_ip_t *) auth_user->ip_list.head; + while (ipdata) { + /* walk the ip list */ + if (ipdata->ipaddr.s_addr == ipaddr.s_addr) { + /* remove the node */ + dlinkDelete (&ipdata->node, &auth_user->ip_list); + cbdataFree (ipdata); + /* catch incipient underflow */ + assert(auth_user->ipcount); + auth_user->ipcount--; + return; + } + ipdata = (auth_user_ip_t *) ipdata->node.next; + } + +} + +static void +authenticateAuthUserClearIp(auth_user_t * auth_user) +{ + auth_user_ip_t *ipdata, *tempnode; + if (!auth_user) + return; + ipdata = (auth_user_ip_t *) auth_user->ip_list.head; + while (ipdata) { + tempnode = (auth_user_ip_t *) ipdata->node.next; + /* walk the ip list */ + dlinkDelete (&ipdata->node, &auth_user->ip_list); + cbdataFree (ipdata); + /* catch incipient underflow */ + assert(auth_user->ipcount); + auth_user->ipcount--; + ipdata = tempnode; + } + /* integrity check */ + assert (auth_user->ipcount == 0); +} + + +void +authenticateAuthUserRequestClearIp(auth_user_request_t * auth_user_request) +{ + if (auth_user_request) + authenticateAuthUserClearIp(auth_user_request->auth_user); +} + +size_t +authenticateAuthUserRequestIPCount(auth_user_request_t * auth_user_request) +{ + assert (auth_user_request); + assert (auth_user_request->auth_user); + return auth_user_request->auth_user->ipcount; } + /* Get Auth User: Return a filled out auth_user structure for the given * Proxy Auth (or Auth) header. It may be a cached Auth User or a new * Unauthenticated structure. The structure is given an inital lock here. @@ -256,6 +358,7 @@ auth_user_request_t *auth_user_request = authenticateAuthUserRequestNew(); /* and lock for the callers instance */ authenticateAuthUserRequestLock(auth_user_request); + /* The scheme is allowed to provide a cached auth_user or a new one */ authenticateDecodeAuth(proxy_auth, auth_user_request); return auth_user_request; } @@ -275,11 +378,12 @@ } /* - * authenticateAuthenticateUser: log this user request in. + * authenticateAuthenticateUser: call the module specific code to + * log this user request in. * Cache hits may change the auth_user pointer in the structure if needed. * This is basically a handle approach. */ -void +static void authenticateAuthenticateUser(auth_user_request_t * auth_user_request, request_t * request, ConnStateData * conn, http_hdr_type type) { assert(auth_user_request != NULL); @@ -287,6 +391,184 @@ authscheme_list[auth_user_request->auth_user->auth_module - 1].authAuthenticate(auth_user_request, request, conn, type); } +/* returns one of + * AUTH_ACL_CHALLENGE, + * AUTH_ACL_HELPER, + * AUTH_ACL_CANNOT_AUTHENTICATE, + * AUTH_AUTHENTICATED + * + * How to use: In your proxy-auth dependent acl code, use the following + * construct: + * int rv; + * if ((rv = AuthenticateAuthenticate()) != AUTH_AUTHENTICATED) + * return rv; + * + * when this code is reached, the request/connection is authenticated. + * + * if you have non-acl code, but want to force authentication, you need a + * callback mechanism like the acl testing routines that will send a 40[1|7] to + * the client when rv==AUTH_ACL_CHALLENGE, and will communicate with + * the authenticateStart routine for rv==AUTH_ACL_HELPER + */ +auth_acl_t +authenticateAuthenticate(auth_user_request_t ** auth_user_request, http_hdr_type headertype, request_t *request, ConnStateData *conn, struct in_addr src_addr) +{ + const char * proxy_auth; + assert(headertype != 0); + proxy_auth = httpHeaderGetStr(&request->header, headertype); + + if (conn == NULL) { + debug(28, 1) ("authenticateAuthenticate: no connection data, cannot process authentication\n"); + /* + * deny access: clientreadrequest requires conn data, and it is always + * compiled in so we should have it too. + */ + return AUTH_ACL_CANNOT_AUTHENTICATE; + } + + /* + * a note on proxy_auth logix here: + * proxy_auth==NULL -> unauthenticated request || already authenticated connection + * so we test for an authenticated connection when we recieve no authentication + * header. + */ + if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(*auth_user_request ? *auth_user_request : conn->auth_user_request))) + || (conn->auth_type == AUTH_BROKEN)) { + /* no header or authentication failed/got corrupted - restart */ + conn->auth_type = AUTH_UNKNOWN; + debug(28, 4) ("authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.\n"); + /* something wrong with the AUTH credentials. Force a new attempt */ + conn->auth_user_request = NULL; + if (*auth_user_request) { + /* unlock the ACL lock */ + authenticateAuthUserRequestUnlock(*auth_user_request); + auth_user_request = NULL; + } + return AUTH_ACL_CHALLENGE; + } + + /* + * Is this an already authenticated connection with a new auth header? + * No check for function required in the if: its compulsory for conn based + * auth modules + */ + if (proxy_auth && conn->auth_user_request && + authenticateUserAuthenticated(conn->auth_user_request) && + strcmp(proxy_auth, authscheme_list[conn->auth_user_request->auth_user->auth_module - 1].authConnLastHeader(conn->auth_user_request))) { + debug(28,1) ("authenticateAuthenticate: DUPLICATE AUTH - authentication header on already authenticated connection!. Current user '%s' proxy_auth %s\n", authenticateUserRequestUsername(conn->auth_user_request), proxy_auth); + /* remove this request struct - the link is already authed and it can't be to + * reauth. + */ + + /* This should _only_ ever occur on the first pass through + * authenticateAuthenticate + */ + assert(*auth_user_request == NULL); + /* unlock the conn lock on the auth_user_request */ + authenticateAuthUserRequestUnlock(conn->auth_user_request); + /* mark the conn as non-authed. */ + conn->auth_user_request=NULL; + /* Set the connection auth type */ + conn->auth_type = AUTH_UNKNOWN; + } + + /* we have a proxy auth header and as far as we know this connection has + * not had bungled connection oriented authentication happen on it. */ + debug(28, 9) ("authenticateAuthenticate: header %s.\n", proxy_auth); + if (*auth_user_request == NULL) { + debug(28, 9) ("authenticateAuthenticate: This is a new checklist test on FD:%d\n", + conn->fd); + if ((!request->auth_user_request) + && (conn->auth_type == AUTH_UNKNOWN)) { + /* beginning of a new request check */ + debug(28, 4) ("authenticateAuthenticate: no connection authentication type\n"); + if (!authenticateValidateUser(*auth_user_request = + authenticateGetAuthUser(proxy_auth))) { + /* the decode might have left a username for logging, or a message to + * the user */ + if (authenticateUserRequestUsername(*auth_user_request)) { + /* lock the user for the request structure link */ + authenticateAuthUserRequestLock(*auth_user_request); + request->auth_user_request = *auth_user_request; + /* unlock the ACL reference. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + } + return AUTH_ACL_CHALLENGE; + } + /* the user_request comes prelocked for the caller to GetAuthUser (us) */ + } else if (request->auth_user_request) { + *auth_user_request = request->auth_user_request; + /* lock the user request for this ACL processing */ + authenticateAuthUserRequestLock(*auth_user_request); + } else { + if (conn->auth_user_request != NULL) { + *auth_user_request = conn->auth_user_request; + /* lock the user request for this ACL processing */ + authenticateAuthUserRequestLock(*auth_user_request); + } else { + /* failed connection based authentication */ + debug(28, 4) ("authenticateAuthenticate: Auth user request %d conn-auth user request %d conn type %d authentication failed.\n", + *auth_user_request, conn->auth_user_request, conn->auth_type); + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + } + } + } + + if (!authenticateUserAuthenticated(*auth_user_request)) { + /* User not logged in. Log them in */ + authenticateAuthenticateUser(*auth_user_request, request, + conn, headertype); + switch (authenticateDirection(*auth_user_request)) { + case 1: + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + case -1: + /* we are partway through authentication within squid, + * the *auth_user_request variables stores the auth_user_request + * for the callback to here - Do not Unlock */ + return AUTH_ACL_HELPER; + case -2: + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + } + /* on 0 the authentication is finished - fallthrough */ + /* See of user authentication failed for some reason */ + if (!authenticateUserAuthenticated(*auth_user_request)) { + if ((authenticateUserRequestUsername(*auth_user_request))) { + if (!request->auth_user_request) { + /* lock the user for the request structure link */ + authenticateAuthUserRequestLock(*auth_user_request); + request->auth_user_request = *auth_user_request; + } + } + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; + return AUTH_ACL_CHALLENGE; + } + } + + /* copy username to request for logging on client-side */ + /* the credentials are correct at this point */ + if (!request->auth_user_request) { + /* lock the user for the request structure link */ + authenticateAuthUserRequestLock(*auth_user_request); + request->auth_user_request = *auth_user_request; + authenticateAuthUserRequestSetIp(*auth_user_request, src_addr); + } + + /* Unlock the request - we've authenticated it */ + authenticateAuthUserRequestUnlock(*auth_user_request); + return AUTH_AUTHENTICATED; +} + + /* authenticateUserUsername: return a pointer to the username in the */ char * authenticateUserUsername(auth_user_t * auth_user) @@ -563,6 +845,8 @@ } /* free cached acl results */ aclCacheMatchFlush(&u->proxy_match_cache); + /* free seen ip address's */ + authenticateAuthUserClearIp(u); if (u->scheme_data && u->auth_module > 0) authscheme_list[u->auth_module - 1].FreeUser(u); /* prevent accidental reuse */ @@ -672,46 +956,4 @@ auth_user->usernamehash = usernamehash; /* lock for presence in the cache */ authenticateAuthUserLock(auth_user); -} - - - -/* - * check the user for ip changes timeouts - * 0 = failed check - * 1 = ip requirements are ok. - */ -/* TODO: - * ip_expire data should be in a struct of it's own - for code reuse */ -int -authenticateCheckAuthUserIP(struct in_addr request_src_addr, auth_user_request_t * auth_user_request) -{ - char *username = authenticateUserRequestUsername(auth_user_request); - if (request_src_addr.s_addr == auth_user_request->auth_user->ipaddr.s_addr || auth_user_request->auth_user->ip_expiretime + Config.authenticateIpTTL <= squid_curtime) { - /* user has not moved ip or had the ip timeout expire */ - if ((auth_user_request->auth_user->auth_type == AUTH_UNKNOWN) || - (auth_user_request->auth_user->auth_type == AUTH_BROKEN)) { - debug(29, 1) ("authenticateCheckProxyAuthIP: broken or unknown auth type %d.\n", auth_user_request->auth_user->auth_type); - return 0; - } - username = authenticateUserRequestUsername(auth_user_request); - /* Update IP ttl */ - auth_user_request->auth_user->ip_expiretime = squid_curtime; - auth_user_request->auth_user->ipaddr = request_src_addr; - return 1; - } else { - char *ip1 = xstrdup(inet_ntoa(auth_user_request->auth_user->ipaddr)); - char *ip2 = xstrdup(inet_ntoa(request_src_addr)); - if (Config.onoff.authenticateIpTTLStrict) { - debug(29, 1) ("aclMatchProxyAuth: user '%s' tried to use multiple IP addresses! (%s, %s)\n ", username, ip1, ip2); - } else { - /* Non-strict mode. Reassign ownership to the new IP */ - auth_user_request->auth_user->ipaddr.s_addr = request_src_addr.s_addr; - debug(29, 1) ("aclMatchProxyAuth: user '%s' has changed IP address (%s, %s)\n ", username, ip1, ip2); - } - safe_free(ip1); - safe_free(ip2); - /* and deny access */ - return 0; - } } Index: squid/src/cf.data.pre diff -u squid/src/cf.data.pre:1.30 squid/src/cf.data.pre:1.1.1.3.4.1.2.18.2.30 --- squid/src/cf.data.pre:1.30 Sat Jul 28 15:34:19 2001 +++ squid/src/cf.data.pre Thu Aug 2 07:34:11 2001 @@ -1403,20 +1403,9 @@ the user to redial without hassle. If all your users are stationary then higher values may be used. - See also authenticate_ip_ttl_is_strict + See also the acl max_user_ip. DOC_END -NAME: authenticate_ip_ttl_is_strict -TYPE: onoff -LOC: Config.onoff.authenticateIpTTLStrict -DEFAULT: on -DOC_START - This option makes authenticate_ip_ttl a bit stricter. With this - enabled authenticate_ip_ttl will deny all access from other IP - addresses until the TTL has expired, and the IP address "owning" - the userid will not be forced to reauthenticate. -DOC_END - COMMENT_START OPTIONS FOR TUNING THE CACHE ----------------------------------------------------------------------------- @@ -1897,6 +1886,15 @@ acl aclname maxconn number # This will be matched when the client's IP address has # more than HTTP connections established. + + acl aclname max_user_ip + # This will be matched when the user attempts to log in from more + # than different ip address's. The authenticate_ip_ttl + # parameter controls the timeout on the ip entries. + # NOTE: in acceleration mode, clients may appear to come from + # multiple address's if they are going through proxy farms, + # so a limit of 1 may cause user problems. + acl aclname req_mime_type mime-type1 ... # regex match agains the mime type of the request generated Index: squid/src/client_side.c diff -u squid/src/client_side.c:1.32 squid/src/client_side.c:1.1.1.3.4.1.2.30.2.34 --- squid/src/client_side.c:1.32 Sat Jul 28 15:34:19 2001 +++ squid/src/client_side.c Thu Aug 2 06:42:36 2001 @@ -204,7 +204,7 @@ e = storeCreateEntry(h->uri, h->log_uri, flags, m); h->sc = storeClientListAdd(e, h); #if DELAY_POOLS - delaySetStoreClient(h->sc, delayClient(h->request)); + delaySetStoreClient(h->sc, delayClient(h)); #endif storeClientCopy(h->sc, e, 0, 0, CLIENT_SOCK_SZ, memAllocate(MEM_CLIENT_SOCK_BUF), clientSendMoreData, h); @@ -385,7 +385,7 @@ http->sc = storeClientListAdd(entry, http); #if DELAY_POOLS /* delay_id is already set on original store client */ - delaySetStoreClient(http->sc, delayClient(http->request)); + delaySetStoreClient(http->sc, delayClient(http)); #endif http->request->lastmod = http->old_entry->lastmod; debug(33, 5) ("clientProcessExpired: lastmod %d\n", (int) entry->lastmod); @@ -2305,7 +2305,7 @@ http->entry->mem_obj->method = r->method; http->sc = storeClientListAdd(http->entry, http); #if DELAY_POOLS - delaySetStoreClient(http->sc, delayClient(r)); + delaySetStoreClient(http->sc, delayClient(http)); #endif storeClientCopy(http->sc, http->entry, http->out.offset, Index: squid/src/enums.h diff -u squid/src/enums.h:1.21 squid/src/enums.h:1.1.1.3.12.15.2.18 --- squid/src/enums.h:1.21 Fri Apr 20 14:35:33 2001 +++ squid/src/enums.h Tue Jul 31 03:29:23 2001 @@ -129,6 +129,7 @@ ACL_MAXCONN, ACL_REQ_MIME_TYPE, ACL_REP_MIME_TYPE, + ACL_MAX_USER_IP, ACL_ENUM_MAX } squid_acl; @@ -504,6 +505,13 @@ ACCESS_ALLOWED, ACCESS_REQ_PROXY_AUTH } allow_t; + +typedef enum { + AUTH_ACL_CHALLENGE = -2, + AUTH_ACL_HELPER = -1, + AUTH_ACL_CANNOT_AUTHENTICATE = 0, + AUTH_AUTHENTICATED = 1, +} auth_acl_t; typedef enum { AUTH_UNKNOWN, /* default */ Index: squid/src/helper.c diff -u squid/src/helper.c:1.11 squid/src/helper.c:1.1.1.3.12.13.2.17 --- squid/src/helper.c:1.11 Mon May 21 11:51:19 2001 +++ squid/src/helper.c Thu Aug 2 06:42:37 2001 @@ -183,6 +183,10 @@ srv->flags.alive = 1; srv->flags.reserved = S_HELPER_FREE; srv->deferred_requests = 0; + srv->stats.deferbyfunc = 0; + srv->stats.deferbycb = 0; + srv->stats.submits = 0; + srv->stats.releases = 0; srv->index = k; srv->rfd = rfd; srv->wfd = wfd; @@ -260,8 +264,19 @@ cbdataLock(r->data); if ((buf != NULL) && lastserver) { debug(29, 5) ("StatefulSubmit with lastserver %d\n", lastserver); - if (lastserver->flags.reserved != S_HELPER_RESERVED) + /* the queue doesn't count for this assert because queued requests + * have already gone through here and been tested. + * It's legal to have deferred_requests == 0 and queue entries + * and status of S_HELPEER_DEFERRED. + * BUT: It's not legal to submit a new request w/lastserver in + * that state. + */ + assert (!(lastserver->deferred_requests == 0 && + lastserver->flags.reserved == S_HELPER_DEFERRED)); + if (lastserver->flags.reserved != S_HELPER_RESERVED) { + lastserver->stats.submits++; lastserver->deferred_requests--; + } if (!(lastserver->request)) { debug(29, 5) ("StatefulSubmit dispatching\n"); helperStatefulDispatch(lastserver, r); @@ -314,8 +329,20 @@ debug(29, 1) ("helperStatefulDefer: None available.\n"); return NULL; } + /* consistency check: + * when the deferred count is 0, + * submits + releases == deferbyfunc + deferbycb + * Or in english, when there are no deferred requests, the amount + * we have submitted to the queue or cancelled must equal the amount + * we have said we wanted to be able to submit or cancel + */ + if (rv->deferred_requests == 0) + assert (rv->stats.submits + rv->stats.releases == + rv->stats.deferbyfunc + rv->stats.deferbycb); + rv->flags.reserved = S_HELPER_DEFERRED; rv->deferred_requests++; + rv->stats.deferbyfunc++; return rv; } @@ -337,7 +364,6 @@ helperStatefulRequestFree(r); srv->request = NULL; } - debug(29, 1) ("helperStatefulReset reset helper %s #%d\n", hlp->id_name, srv->index + 1); srv->flags.busy = 0; if (srv->queue.head) { srv->flags.reserved = S_HELPER_DEFERRED; @@ -354,8 +380,11 @@ helperStatefulReleaseServer(helper_stateful_server * srv) /*decrease the number of 'waiting' clients that set the helper to be DEFERRED */ { - if (srv->deferred_requests > 0) + srv->stats.releases++; + if (srv->flags.reserved == S_HELPER_DEFERRED) { + assert (srv->deferred_requests); srv->deferred_requests--; + } if (!(srv->deferred_requests) && (srv->flags.reserved == S_HELPER_DEFERRED) && !(srv->queue.head)) { srv->flags.reserved = S_HELPER_FREE; if ((srv->parent->OnEmptyQueue != NULL) && (srv->data)) @@ -747,7 +776,7 @@ fatal("helperStatefulHandleRead: either a non-state aware callback was give to the stateful helper routines, or an uninitialised callback response was recieved.\n"); break; case S_HELPER_RELEASE: /* helper finished with */ - if (!srv->queue.head) { + if (!srv->deferred_requests && !srv->queue.head) { srv->flags.reserved = S_HELPER_FREE; if ((srv->parent->OnEmptyQueue != NULL) && (srv->data)) srv->parent->OnEmptyQueue(srv->data); @@ -759,6 +788,7 @@ break; case S_HELPER_RESERVE: /* 'pin' this helper for the caller */ if (!srv->queue.head) { + assert (srv->deferred_requests == 0); srv->flags.reserved = S_HELPER_RESERVED; debug(29, 5) ("StatefulHandleRead: reserving %s #%d\n", hlp->id_name, srv->index + 1); } else { @@ -771,6 +801,7 @@ */ srv->flags.reserved = S_HELPER_DEFERRED; srv->deferred_requests++; + srv->stats.deferbycb++; debug(29, 5) ("StatefulHandleRead: reserving %s #%d for deferred requests.\n", hlp->id_name, srv->index + 1); break; default: Index: squid/src/protos.h diff -u squid/src/protos.h:1.30 squid/src/protos.h:1.1.1.3.12.17.2.37 --- squid/src/protos.h:1.30 Sat Jul 28 15:34:19 2001 +++ squid/src/protos.h Thu Aug 2 07:18:53 2001 @@ -738,7 +738,7 @@ extern void authenticateFixHeader(HttpReply *, auth_user_request_t *, request_t *, int, int); extern void authenticateAddTrailer(HttpReply *, auth_user_request_t *, request_t *, int); extern auth_user_request_t *authenticateGetAuthUser(const char *proxy_auth); -extern void authenticateAuthenticateUser(auth_user_request_t *, request_t *, ConnStateData *, http_hdr_type); +extern auth_acl_t authenticateAuthenticate(auth_user_request_t **, http_hdr_type, request_t *, ConnStateData *, struct in_addr); extern void authenticateAuthUserUnlock(auth_user_t * auth_user); extern void authenticateAuthUserLock(auth_user_t * auth_user); extern void authenticateAuthUserRequestUnlock(auth_user_request_t *); @@ -746,6 +746,9 @@ extern char *authenticateAuthUserRequestMessage(auth_user_request_t *); extern int authenticateAuthUserInuse(auth_user_t * auth_user); extern void authenticateAuthUserRequestSetIp(auth_user_request_t *, struct in_addr); +extern void authenticateAuthUserRequestRemoveIp(auth_user_request_t *, struct in_addr); +extern void authenticateAuthUserRequestClearIp(auth_user_request_t *); +extern size_t authenticateAuthUserRequestIPCount(auth_user_request_t *); extern int authenticateDirection(auth_user_request_t *); extern FREE authenticateFreeProxyAuthUser; extern void authenticateFreeProxyAuthUserACLResults(void *data); Index: squid/src/structs.h diff -u squid/src/structs.h:1.37 squid/src/structs.h:1.1.1.3.4.1.2.26.2.42 --- squid/src/structs.h:1.37 Sat Jul 28 15:34:19 2001 +++ squid/src/structs.h Thu Aug 2 07:34:11 2001 @@ -53,6 +53,12 @@ } flags; }; +struct _acl_user_ip_data { + size_t max; + struct { + unsigned int strict:1; + } flags; +}; struct _acl_ip_data { struct in_addr addr1; /* if addr2 non-zero then its a range */ @@ -87,6 +93,13 @@ dlink_node link; /* other hash entries that point to the same auth_user */ }; +struct _auth_user_ip_t { + dlink_node node; + /* IP addr this user authenticated from */ + struct in_addr ipaddr; + time_t ip_expiretime; +}; + struct _auth_user_t { /* extra fields for proxy_auth */ /* this determines what scheme owns the user data. */ @@ -98,13 +111,12 @@ /* we may have many proxy-authenticate strings that decode to the same user */ dlink_list proxy_auth_list; dlink_list proxy_match_cache; + dlink_list ip_list; + size_t ipcount; struct { unsigned int credentials_ok:2; /*0=unchecked,1=ok,2=failed */ } flags; long expiretime; - /* IP addr this user authenticated from */ - struct in_addr ipaddr; - time_t ip_expiretime; /* how many references are outstanding to this instance */ size_t references; /* the auth scheme has it's own private data area */ @@ -146,6 +158,7 @@ AUTHSFREECONFIG *freeconfig; AUTHSUSERNAME *authUserUsername; AUTHSONCLOSEC *oncloseconnection; /*optional */ + AUTHSCONNLASTHEADER *authConnLastHeader; AUTHSDECODE *decodeauth; AUTHSDIRECTION *getdirection; AUTHSPARSE *parse; @@ -553,7 +566,6 @@ int digest_generation; #endif int log_ip_on_direct; - int authenticateIpTTLStrict; int ie_refresh; int vary_ignore_expire; int pipeline_prefetch; @@ -2039,6 +2051,10 @@ } flags; struct { int uses; + int submits; + int releases; + int deferbyfunc; + int deferbycb; } stats; size_t deferred_requests; /* current number of deferred requests */ void *data; /* State data used by the calling routines */ Index: squid/src/typedefs.h diff -u squid/src/typedefs.h:1.22 squid/src/typedefs.h:1.1.1.3.12.13.2.33 --- squid/src/typedefs.h:1.22 Sat Jul 28 15:34:19 2001 +++ squid/src/typedefs.h Thu Aug 2 06:42:37 2001 @@ -64,10 +64,12 @@ typedef struct _auth_user_t auth_user_t; typedef struct _auth_user_request_t auth_user_request_t; typedef struct _auth_user_hash_pointer auth_user_hash_pointer; +typedef struct _auth_user_ip_t auth_user_ip_t; typedef struct _acl_proxy_auth_match_cache acl_proxy_auth_match_cache; typedef struct _authscheme_entry authscheme_entry_t; typedef struct _authScheme authScheme; typedef struct _acl_user_data acl_user_data; +typedef struct _acl_user_ip_data acl_user_ip_data; typedef struct _acl_arp_data acl_arp_data; typedef struct _acl acl; typedef struct _acl_snmp_comm acl_snmp_comm; @@ -313,6 +315,7 @@ typedef void AUTHSSHUTDOWN(void); typedef void AUTHSSTART(auth_user_request_t *, RH *, void *); typedef void AUTHSSTATS(StoreEntry *); +typedef const char * AUTHSCONNLASTHEADER(auth_user_request_t *); /* append/vprintf's for Packer */ typedef void (*append_f) (void *, const char *buf, int size); Index: squid/src/auth/basic/auth_basic.c diff -u squid/src/auth/basic/auth_basic.c:1.11 squid/src/auth/basic/auth_basic.c:1.1.2.42 --- squid/src/auth/basic/auth_basic.c:1.11 Wed Mar 21 15:43:33 2001 +++ squid/src/auth/basic/auth_basic.c Thu Aug 2 07:18:53 2001 @@ -1,4 +1,3 @@ - /* * $Id$ * @@ -104,6 +103,7 @@ authscheme->oncloseconnection = NULL; authscheme->decodeauth = authenticateBasicDecodeAuth; authscheme->donefunc = authBasicDone; + authscheme->authConnLastHeader = NULL; } /* internal functions */ @@ -193,7 +193,6 @@ /* Decode now takes care of finding the auth_user struct in the cache */ /* after external auth occurs anyway */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; return; } @@ -385,17 +384,14 @@ authBasicAuthUserFindUsername(const char *username) { auth_user_hash_pointer *usernamehash; - auth_user_t *auth_user; debug(29, 9) ("authBasicAuthUserFindUsername: Looking for user '%s'\n", username); if (username && (usernamehash = hash_lookup(proxy_auth_username_cache, username))) { - while ((usernamehash->auth_user->auth_type != AUTH_BASIC) && - (usernamehash->next)) + while (usernamehash) { + if ((usernamehash->auth_user->auth_type == AUTH_BASIC) && + !strcmp (username, usernamehash->key)) + return usernamehash->auth_user; usernamehash = usernamehash->next; - auth_user = NULL; - if (usernamehash->auth_user->auth_type == AUTH_BASIC) { - auth_user = usernamehash->auth_user; } - return auth_user; } return NULL; } @@ -503,7 +499,6 @@ auth_user->auth_type = AUTH_BASIC; /* current time for timeouts */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; /* this auth_user struct is the 'lucky one' to get added to the username cache */ /* the requests after this link to the auth_user */ Index: squid/src/auth/digest/auth_digest.c diff -u squid/src/auth/digest/auth_digest.c:1.5 squid/src/auth/digest/auth_digest.c:1.1.20.6 --- squid/src/auth/digest/auth_digest.c:1.5 Sat Mar 3 02:44:33 2001 +++ squid/src/auth/digest/auth_digest.c Thu Aug 2 06:42:37 2001 @@ -456,7 +456,8 @@ hash_first(proxy_auth_username_cache); while ((usernamehash = ((auth_user_hash_pointer *) hash_next(proxy_auth_username_cache)))) { auth_user = usernamehash->auth_user; - if (strcmp(authscheme_list[auth_user->auth_module - 1].typestr, "digest") == 0) + if (authscheme_list[auth_user->auth_module - 1].typestr && + strcmp(authscheme_list[auth_user->auth_module - 1].typestr, "digest") == 0) /* it's digest */ authenticateAuthUserUnlock(auth_user); } @@ -597,6 +598,7 @@ authscheme->decodeauth = authenticateDigestDecodeAuth; authscheme->donefunc = authDigestDone; authscheme->requestFree = authDigestAURequestFree; + authscheme->authConnLastHeader = NULL; } int @@ -686,7 +688,6 @@ /* auth_user is now linked, we reset these values * after external auth occurs anyway */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; return; } Index: squid/src/auth/ntlm/auth_ntlm.c diff -u squid/src/auth/ntlm/auth_ntlm.c:1.10 squid/src/auth/ntlm/auth_ntlm.c:1.1.2.44 --- squid/src/auth/ntlm/auth_ntlm.c:1.10 Mon May 21 11:51:19 2001 +++ squid/src/auth/ntlm/auth_ntlm.c Thu Aug 2 07:18:53 2001 @@ -62,6 +62,7 @@ static AUTHSFREECONFIG authNTLMFreeConfig; static AUTHSINIT authNTLMInit; static AUTHSONCLOSEC authenticateNTLMOnCloseConnection; +static AUTHSCONNLASTHEADER NTLMLastHeader; static AUTHSUSERNAME authenticateNTLMUsername; static AUTHSREQFREE authNTLMAURequestFree; static AUTHSPARSE authNTLMParse; @@ -74,6 +75,7 @@ static HLPSONEQ authenticateNTLMHelperServerOnEmpty; static statefulhelper *ntlmauthenticators = NULL; +static wordlist *ntlmprevauthline = NULL; CBDATA_TYPE(authenticateStateData); @@ -92,17 +94,34 @@ * */ +static int +wordliststrcmp (wordlist *a, wordlist *b) +{ + int i; + while (a && b) { + if ((i = strcmp(a->key, b->key))) + return i; + a = a->next; + b = b->next; + } + if (a && ! b) + return -1; + if (b && ! a) + return 1; + return 0; +} + void authNTLMDone(void) { debug(29, 2) ("authNTLMDone: shutting down NTLM authentication.\n"); - if (ntlmauthenticators) - helperStatefulShutdown(ntlmauthenticators); authntlm_initialised = 0; if (!shutting_down) return; - if (ntlmauthenticators) + if (ntlmauthenticators) { + helperStatefulShutdown(ntlmauthenticators); helperStatefulFree(ntlmauthenticators); + } ntlmauthenticators = NULL; if (ntlm_helper_state_pool) { assert(memPoolInUseCount(ntlm_helper_state_pool) == 0); @@ -215,6 +234,7 @@ authscheme->decodeauth = authenticateDecodeNTLMAuth; authscheme->donefunc = authNTLMDone; authscheme->oncloseconnection = authenticateNTLMOnCloseConnection; + authscheme->authConnLastHeader = NTLMLastHeader; } /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the @@ -242,7 +262,13 @@ ntlmauthenticators->datapool = ntlm_helper_state_pool; ntlmauthenticators->IsAvailable = authenticateNTLMHelperServerAvailable; ntlmauthenticators->OnEmptyQueue = authenticateNTLMHelperServerOnEmpty; - helperStatefulOpenServers(ntlmauthenticators); + if (wordliststrcmp(ntlmprevauthline, ntlmConfig->authenticate)) { + helperStatefulShutdown(ntlmauthenticators); + helperStatefulOpenServers(ntlmauthenticators); + if (ntlmprevauthline) + wordlistDestroy (&ntlmprevauthline); + ntlmprevauthline = wordlistDup (ntlmConfig->authenticate); + } /* TODO: In here send the initial YR to preinitialise the challenge cache */ /* Think about this... currently we ask when the challenge is needed. Better? */ if (!ntlminit) { @@ -398,6 +424,10 @@ assert(r->auth_user_request); /* standard callback stuff */ valid = cbdataValid(r->data); + if (!valid) { + debug(29, 1) ("AuthenticateNTLMHandlePlacheholder: invalid callback data.\n"); + return result; + } /* call authenticateNTLMStart to retry this request */ debug(29, 9) ("authenticateNTLMHandleplaceholder: calling authenticateNTLMStart\n"); authenticateNTLMStart(r->auth_user_request, r->handler, r->data); @@ -430,7 +460,7 @@ /* copy the challenge to the state data */ helperstate = helperStatefulServerGetData(lastserver); if (helperstate == NULL) - fatal("lost NTLm helper state! quitting\n"); + fatal("lost NTLM helper state! quitting\n"); helperstate->challenge = xstrndup(reply, NTLM_CHALLENGE_SZ + 5); helperstate->challengeuses = 0; helperstate->renewed = squid_curtime; @@ -442,9 +472,11 @@ ntlm_request = auth_user_request->scheme_data; assert(ntlm_request != NULL); result = S_HELPER_DEFER; + /* reserve the server for future authentication */ + ntlm_request->authserver_deferred = 1; debug(29, 9) ("authenticateNTLMHandleReply: helper '%d'\n", lastserver); assert(ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE); - ntlm_request->authhelper = lastserver; + ntlm_request->authserver = lastserver; ntlm_request->authchallenge = xstrndup(reply, NTLM_CHALLENGE_SZ + 5); } else if (strncasecmp(reply, "AF ", 3) == 0) { /* we're finished, release the helper */ @@ -461,7 +493,7 @@ /* we only expect OK when finishing the handshake */ assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE); ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); - ntlm_request->authhelper = NULL; + ntlm_request->authserver = NULL; auth_user->flags.credentials_ok = 1; /* login ok */ #ifdef NTLM_FAIL_OPEN } else if (strncasecmp(reply, "LD ", 3) == 0) { @@ -487,8 +519,8 @@ /* we only expect OK when finishing the handshake */ assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE); ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); - helperstate = helperStatefulServerGetData(ntlm_request->authhelper); - ntlm_request->authhelper = NULL; + helperstate = helperStatefulServerGetData(ntlm_request->authserver); + ntlm_request->authserver = NULL; auth_user->flags.credentials_ok = 1; /* login ok */ /* BH code: mark helper as broken */ /* Not a valid helper response to a YR request. Assert so the helper @@ -509,7 +541,7 @@ assert((ntlm_user != NULL) && (ntlm_request != NULL)); /* todo: action of Negotiate state on error */ result = S_HELPER_RELEASE; /*some error has occured. no more requests */ - ntlm_request->authhelper = NULL; + ntlm_request->authserver = NULL; auth_user->flags.credentials_ok = 2; /* Login/Usercode failed */ debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply); ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; @@ -531,8 +563,8 @@ assert((ntlm_user != NULL) && (ntlm_request != NULL)); result = S_HELPER_RELEASE; /*some error has occured. no more requests for * this helper */ - helperstate = helperStatefulServerGetData(ntlm_request->authhelper); - ntlm_request->authhelper = NULL; + helperstate = helperStatefulServerGetData(ntlm_request->authserver); + ntlm_request->authserver = NULL; if (ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE) { /* The helper broke on YR. It automatically * resets */ @@ -569,7 +601,7 @@ /* restart the authentication process */ ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; auth_user->flags.credentials_ok = 3; /* cannot process */ - ntlm_request->authhelper = NULL; + ntlm_request->authserver = NULL; } } else { fatal("authenticateNTLMHandleReply: called with no result string\n"); @@ -604,7 +636,7 @@ /* does our policy call for changing the challenge now? */ int -authenticateNTLMChangeChallenge(ntlm_helper_state_t * helperstate) +authenticateNTLMChangeChallenge_p(ntlm_helper_state_t * helperstate) { /* don't check for invalid challenges just for expiry choices */ /* this is needed because we have to starve the helper until all old @@ -612,15 +644,15 @@ if (!helperstate->renewed) { /* first use, no challenge has been set. Without this check, it will * loop forever */ - debug(29, 5) ("authenticateNTLMChangeChallenge: first use\n"); + debug(29, 5) ("authenticateNTLMChangeChallenge_p: first use\n"); return 0; } if (helperstate->challengeuses > ntlmConfig->challengeuses) { - debug(29, 4) ("authenticateNTLMChangeChallenge: Challenge uses (%d) exceeded max uses (%d)\n", helperstate->challengeuses, ntlmConfig->challengeuses); + debug(29, 4) ("authenticateNTLMChangeChallenge_p: Challenge uses (%d) exceeded max uses (%d)\n", helperstate->challengeuses, ntlmConfig->challengeuses); return 1; } if (helperstate->renewed + ntlmConfig->challengelifetime < squid_curtime) { - debug(29, 4) ("authenticateNTLMChangeChallenge: Challenge exceeded max lifetime by %d seconds\n", squid_curtime - (helperstate->renewed + ntlmConfig->challengelifetime)); + debug(29, 4) ("authenticateNTLMChangeChallenge_p: Challenge exceeded max lifetime by %d seconds\n", squid_curtime - (helperstate->renewed + ntlmConfig->challengelifetime)); return 1; } debug(29, 9) ("Challenge is to be reused\n"); @@ -656,8 +688,8 @@ break; case AUTHENTICATE_STATE_RESPONSE: sent_string = xstrdup(ntlm_request->ntlmauthenticate); - assert(ntlm_request->authhelper); - debug(29, 9) ("authenticateNTLMStart: Asking NTLMauthenticator '%d'.\n", ntlm_request->authhelper); + assert(ntlm_request->authserver); + debug(29, 9) ("authenticateNTLMStart: Asking NTLMauthenticator '%d'.\n", ntlm_request->authserver); break; default: fatal("Invalid authenticate state for NTLMStart"); @@ -676,16 +708,6 @@ handler(data, NULL); return; } -#ifdef NTLMHELPPROTOCOLV2 - r = cbdataAlloc(authenticateStateData); - r->handler = handler; - cbdataLock(data); - r->data = data; - r->auth_user_request = auth_user_request; - snprintf(buf, 8192, "%s\n", sent_string); - helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); - debug(29, 9) ("authenticateNTLMstart: finished\n"); -#else /* this is ugly TODO: move the challenge generation routines to their own function and * tidy the logic up to make use of the efficiency we now have */ switch (ntlm_request->auth_state) { @@ -697,11 +719,12 @@ */ server = helperStatefulDefer(ntlmauthenticators); helperstate = server ? helperStatefulServerGetData(server) : NULL; - while ((server != NULL) && authenticateNTLMChangeChallenge(helperstate)) { + while ((server != NULL) && authenticateNTLMChangeChallenge_p(helperstate)) { /* flag this helper for challenge changing */ helperstate->starve = 1; /* and release the deferred request */ helperStatefulReleaseServer(server); + /* Get another deferrable server */ server = helperStatefulDefer(ntlmauthenticators); if (server != NULL) helperstate = helperStatefulServerGetData(server); @@ -709,29 +732,35 @@ if (server == NULL) debug(29, 9) ("unable to get a deferred ntlm helper... all helpers are refreshing challenges. Queuing as a placeholder request.\n"); - ntlm_request->authhelper = server; + ntlm_request->authserver = server; /* tell the log what helper we have been given */ debug(29, 9) ("authenticateNTLMStart: helper '%d' assigned\n", server); - /* valid challenge? */ + /* server and valid challenge? */ if ((server == NULL) || !authenticateNTLMValidChallenge(helperstate)) { + /* No server, or server with invalid challenge */ r = cbdataAlloc(authenticateStateData); r->handler = handler; cbdataLock(data); r->data = data; r->auth_user_request = auth_user_request; if (server == NULL) { - helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, ntlm_request->authhelper); + helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, NULL); } else { + /* Server with invalid challenge */ snprintf(buf, 8192, "YR\n"); - helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); + helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver); } } else { - /* we have a valid challenge */ + /* (server != NULL and we have a valid challenge) */ /* TODO: turn the below into a function and call from here and handlereply */ /* increment the challenge uses */ helperstate->challengeuses++; /* assign the challenge */ ntlm_request->authchallenge = xstrndup(helperstate->challenge, NTLM_CHALLENGE_SZ + 5); + /* we're not actually submitting a request, so we need to release the helper should + * the connection close unexpectedly + */ + ntlm_request->authserver_deferred = 1; handler(data, NULL); } @@ -743,13 +772,14 @@ r->data = data; r->auth_user_request = auth_user_request; snprintf(buf, 8192, "KK %s\n", sent_string); - helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); + /* getting rid of deferred request status */ + ntlm_request->authserver_deferred = 0; + helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver); debug(29, 9) ("authenticateNTLMstart: finished\n"); break; default: fatal("Invalid authenticate state for NTLMStart"); } -#endif } /* callback used by stateful helper routines */ @@ -790,15 +820,15 @@ /* clear the NTLM helper of being reserved for future requests */ void -authenticateNTLMReleasehelper(auth_user_request_t * auth_user_request) +authenticateNTLMReleaseServer(auth_user_request_t * auth_user_request) { ntlm_request_t *ntlm_request; assert(auth_user_request->auth_user->auth_type == AUTH_NTLM); assert(auth_user_request->scheme_data != NULL); ntlm_request = auth_user_request->scheme_data; - debug(29, 9) ("authenticateNTLMReleasehelper: releasing helper '%d'\n", ntlm_request->authhelper); - helperStatefulReleaseServer(ntlm_request->authhelper); - ntlm_request->authhelper = NULL; + debug(29, 9) ("authenticateNTLMReleaseServer: releasing server '%d'\n", ntlm_request->authserver); + helperStatefulReleaseServer(ntlm_request->authserver); + ntlm_request->authserver = NULL; } /* clear any connection related authentication details */ @@ -810,8 +840,8 @@ if (conn->auth_user_request != NULL) { assert(conn->auth_user_request->scheme_data != NULL); ntlm_request = conn->auth_user_request->scheme_data; - if (ntlm_request->authhelper != NULL) - authenticateNTLMReleasehelper(conn->auth_user_request); + if (ntlm_request->authserver != NULL && ntlm_request->authserver_deferred) + authenticateNTLMReleaseServer(conn->auth_user_request); /* unlock the connection based lock */ debug(29, 9) ("authenticateNTLMOnCloseConnection: Unlocking auth_user from the connection.\n"); authenticateAuthUserRequestUnlock(conn->auth_user_request); @@ -829,6 +859,18 @@ return NULL; } +/* NTLMLastHeader: return a pointer to the last header used in authenticating + * the request/conneciton + */ +const char * +NTLMLastHeader(auth_user_request_t * auth_user_request) +{ + ntlm_request_t *ntlm_request; + assert(auth_user_request != NULL); + assert(auth_user_request->scheme_data != NULL); + ntlm_request = auth_user_request->scheme_data; + return ntlm_request->ntlmauthenticate; +} /* * Decode an NTLM [Proxy-]Auth string, placing the results in the passed @@ -844,6 +886,7 @@ auth_user_request->auth_user->auth_type = AUTH_NTLM; auth_user_request->auth_user->scheme_data = memPoolAlloc(ntlm_user_pool); auth_user_request->scheme_data = memPoolAlloc(ntlm_request_pool); + memset (auth_user_request->scheme_data, '\0', sizeof (ntlm_request_t)); /* lock for the auth_user_request link */ authenticateAuthUserLock(auth_user_request->auth_user); node = dlinkNodeNew(); @@ -860,15 +903,28 @@ return strcmp(u1->username, u2->username); } + +/* there is a known race where a single client recieves the same challenge + * and sends the same response to squid on a single select cycle. + * Check for this and if found ignore the new link + */ void authenticateProxyAuthCacheAddLink(const char *key, auth_user_t * auth_user) { auth_user_hash_pointer *proxy_auth_hash; + dlink_node *node; ntlm_user_t *ntlm_user; + ntlm_user = auth_user->scheme_data; + node = ntlm_user->proxy_auth_list.head; + /* prevent duplicates */ + while (node) { + if (!strcmp(key, ((auth_user_hash_pointer *)node->data)->key)) + return; + node=node->next; + } proxy_auth_hash = memAllocate(MEM_AUTH_USER_HASH); proxy_auth_hash->key = xstrdup(key); proxy_auth_hash->auth_user = auth_user; - ntlm_user = auth_user->scheme_data; dlinkAddTail(proxy_auth_hash, &proxy_auth_hash->link, &ntlm_user->proxy_auth_list); hash_join(proxy_auth_cache, (hash_link *) proxy_auth_hash); } @@ -922,6 +978,8 @@ break; case AUTHENTICATE_STATE_NEGOTIATE: ntlm_request->auth_state = AUTHENTICATE_STATE_CHALLENGE; + /* We _MUST_ have the auth challenge by now */ + assert(ntlm_request->authchallenge); return; break; case AUTHENTICATE_STATE_CHALLENGE: @@ -952,7 +1010,7 @@ } else { debug(29, 4) ("authenticateNTLMAuthenticateUser: ntlm proxy-auth cache hit\n"); /* throw away the temporary entry */ - authenticateNTLMReleasehelper(auth_user_request); + authenticateNTLMReleaseServer(auth_user_request); authenticateAuthUserMerge(auth_user, proxy_auth_hash->auth_user); auth_user = proxy_auth_hash->auth_user; auth_user_request->auth_user = auth_user; @@ -967,7 +1025,6 @@ /* on ntlm auth we do not unlock the auth_user until the * connection is dropped. Thank MS for this quirk */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; } return; break; @@ -1010,7 +1067,6 @@ /* set these to now because this is either a new login from an * existing user or a new user */ auth_user->expiretime = current_time.tv_sec; - auth_user->ip_expiretime = squid_curtime; auth_user->flags.credentials_ok = 1; /*authenticated ok */ return; break; Index: squid/src/auth/ntlm/auth_ntlm.h diff -u squid/src/auth/ntlm/auth_ntlm.h:1.3 squid/src/auth/ntlm/auth_ntlm.h:1.1.2.10 --- squid/src/auth/ntlm/auth_ntlm.h:1.3 Wed Jan 10 16:05:18 2001 +++ squid/src/auth/ntlm/auth_ntlm.h Thu Aug 2 06:42:37 2001 @@ -28,10 +28,12 @@ char *authchallenge; /* what authenticate string did we get? */ char *ntlmauthenticate; - /*we need to store the NTLM helper between requests */ - helper_stateful_server *authhelper; + /*we need to store the NTLM server between requests */ + helper_stateful_server *authserver; /* how far through the authentication process are we? */ auth_state_t auth_state; + /* have we got the helper-server in a deferred state? */ + int authserver_deferred; }; struct _ntlm_helper_state_t { Index: squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c diff -u squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c:1.8 squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c:1.1.2.23 --- squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c:1.8 Wed Mar 21 15:58:33 2001 +++ squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c Tue Jul 31 03:29:24 2001 @@ -213,7 +213,7 @@ obtain_challenge() { int j = 0; - const char *ch; + const char *ch = NULL; debug("obtain_challenge: getting new challenge\n"); for (j = 0; j < numcontrollers; j++) { if (current_dc->status == DC_OK) {