diff -w -B -r -u -N squid-2.7.STABLE6/configure.in squid-2.7.STABLE6-krb5/configure.in
--- squid-2.7.STABLE6/configure.in 2009-02-04 00:44:06.000000000 +0000
+++ squid-2.7.STABLE6-krb5/configure.in 2009-08-01 16:25:06.000000000 +0100
@@ -1423,6 +1423,184 @@ fi AC_SUBST(NEGOTIATE_AUTH_HELPERS) +old_CPPFLAGS=$CPPFLAGS +old_LIBS=$LIBS +AC_ARG_WITH(krb5-config, + [ --with-krb5-config=PATH specify path to krb5-config @<:@default=detect@:>@], + [if test x"$withval" = xyes; then + unset krb5confpath + elif test x"$withval" != xno; then + krb5confpath=$withval + else + krb5confpath=no + fi]) + +if test x"$krb5confpath" != xno; then + if test x"$krb5confpath" != x; then + if ! test -x "$krb5confpath"; then + AC_MSG_WARN([krb5-config '$krb5confpath' not executable, ignoring]) + AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no) + krb5confpath=krb5-config + fi + krb5_config_path=`dirname $krb5confpath` + AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no, $krb5_config_path) + else + AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no) + krb5confpath=krb5-config + fi +fi + +if test "x$ac_krb5_config" = "xyes" ; then + ac_heimdal=`$krb5confpath --version 2>/dev/null | grep -i heimdal` + ac_solaris=`$krb5confpath --version 2>/dev/null | grep -i solaris` + if test "x$ac_heimdal" != "x" ; then + AC_DEFINE(HAVE_HEIMDAL_KERBEROS,1,[Define to 1 if you have Heimdal Kerberos]) + else + AC_DEFINE(HAVE_MIT_KERBEROS,1,[Define to 1 if you have MIT Kerberos]) + fi + if test "x$ac_solaris" != "x" ; then + KRB5INCS=`$krb5confpath --cflags krb5 2>/dev/null` + KRB5LIBS=`$krb5confpath --libs krb5 2>/dev/null` + KRB5INCS="-I/usr/include/gssapi $KRB5INCS" + KRB5LIBS="-L/usr/lib -R/usr/lib -lgss -lresolv -lsocket -lnsl $KRB5LIBS" + else + KRB5INCS=`$krb5confpath --cflags krb5 2>/dev/null` + KRB5LIBS=`$krb5confpath --libs krb5 2>/dev/null` + KRB5INCS="`$krb5confpath --cflags gssapi 2>/dev/null` $KRB5INCS" + KRB5LIBS="`$krb5confpath --libs gssapi 2>/dev/null` $KRB5LIBS" + fi + CPPFLAGS="$CPPFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) + if test "x$ac_heimdal" == "x" ; then + AC_CHECK_HEADERS(gssapi/gssapi_generic.h) + fi + AC_CHECK_HEADERS(krb5.h com_err.h) + if test 
"x$ac_heimdal" == "x" ; then + AC_CHECK_HEADERS(profile.h) + fi + AC_CHECK_LIB(krb5,krb5_kt_free_entry, + AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1,[Define to 1 if you have krb5_kt_free_entry]),) + AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab, + AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1,[Define to 1 if you have krb5_get_init_creds_keytab]),) + AC_CHECK_LIB(krb5,krb5_get_max_time_skew, + AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1,[Define to 1 if you have krb5_get_max_time_skew]),) + AC_MSG_CHECKING([for memory cache]) + AC_TRY_RUN([ +#include +main() +{ + krb5_context context; + krb5_ccache cc; + + krb5_init_context(&context); + return krb5_cc_resolve(context, "MEMORY:test_cache", &cc); +}], + [AC_DEFINE(HAVE_KRB5_MEMORY_CACHE,1, [Define to 1 if you have MEMORY: cache support]) + AC_MSG_RESULT(yes)], + AC_MSG_RESULT(no)) + + AC_MSG_CHECKING([for working gssapi]) + AC_TRY_RUN([ +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif + +#ifdef HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif + +#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif + +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#include +#endif +int +main(void) +{ + OM_uint32 val; + gss_OID_set set; + + gss_create_empty_oid_set(&val, &set); + + return 0; +} +], [AC_DEFINE(HAVE_GSSAPI, 1, [GSSAPI support]) + AC_MSG_RESULT(yes)], + AC_MSG_RESULT(no)) + AC_MSG_CHECKING([for spnego support]) + AC_TRY_RUN([ +#ifdef HAVE_HEIMDAL_KERBEROS +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif defined(HAVE_GSSAPI_H) +#include +#endif +#else +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif defined(HAVE_GSSAPI_H) +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#include +#endif +#endif +#include +int main(int argc, char *argv[]) { + OM_uint32 major_status,minor_status; + gss_OID_set gss_mech_set; + int i; + +static gss_OID_desc _gss_mech_spnego = {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; +gss_OID gss_mech_spnego = &_gss_mech_spnego; + + major_status = gss_indicate_mechs( 
&minor_status, &gss_mech_set); + + for (i=0;icount;i++) { + if (!memcmp(gss_mech_set->elements[i].elements,gss_mech_spnego->elements,gss_mech_set->elements[i].length)) { + return 0; + } + } + + return 1; +}], + [ac_cv_have_spnego=yes + AC_DEFINE(HAVE_SPNEGO,1, [Define to 1 if you have SPNEGO support]) + AC_MSG_RESULT(yes)], + [ac_cv_have_spnego=no + AC_MSG_RESULT(no)]) + AC_MSG_CHECKING([for working krb5]) + AC_TRY_RUN([ +#ifdef HAVE_KRB5_H +#include +#endif + +int +main(void) +{ + krb5_context context; + + krb5_init_context(&context); + + return 0; +} +], [AC_DEFINE(HAVE_KRB5, 1, [KRB5 support]) + AC_MSG_RESULT(yes)], + AC_MSG_RESULT(no)) + LIBS=$old_LIBS + CPPFLAGS=$old_CPPFLAGS + AC_SUBST(KRB5INCS) + AC_SUBST(KRB5LIBS) +fi + dnl Enable "NTLM fail open" AC_ARG_ENABLE(ntlm-fail-open, [ --enable-ntlm-fail-open Enable NTLM fail open, where a helper that fails one of the diff -w -B -r -u -N squid-2.7.STABLE6/src/http.c squid-2.7.STABLE6-krb5/src/http.c --- squid-2.7.STABLE6/src/http.c 2008-09-25 03:33:37.000000000 +0100 +++ squid-2.7.STABLE6-krb5/src/http.c 2009-07-28 23:15:59.000000000 +0100 @@ -1307,6 +1307,14 @@ } } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) { /* Nothing to do */ +#if HAVE_KRB5 && HAVE_GSSAPI + } else if (strcmp(orig_request->peer_login, "NEGOTIATE") == 0) { + char *Token; + Token = peer_proxy_negotiate_auth(NULL,request->peer_host); + if (Token) { + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Negotiate %s",Token); + } +#endif /* HAVE_KRB5 && HAVE_GSSAPI */ } else { httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", base64_encode(orig_request->peer_login)); 
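Review bot: Both `if test "x$ac_heimdal" == "x" ; then` lines use the bash-only `==` operator; under a POSIX `test` (dash, Solaris /bin/sh) the comparison errors out and the gssapi_generic.h / profile.h header checks are skipped, so they should read `if test "x$ac_heimdal" = "x" ; then`. In the SPNEGO probe the loop compares OIDs with `memcmp(..., gss_mech_set->elements[i].length)` without first checking that the lengths match, so a longer mechanism OID reads past the six-byte SPNEGO literal and a shorter prefix OID would be accepted; guard it with `gss_mech_set->elements[i].length == gss_mech_spnego->length &&` before the memcmp. The memory-cache probe declares `main()` with an implicit int return and ignores the result of `krb5_init_context`, which newer compilers reject or warn on and which can turn a context-initialisation failure into a misleading "no MEMORY: cache" result; `int main(void)` and a check of the init code would make the probe trustworthy.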
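Review bot: When `peer_proxy_negotiate_auth()` returns NULL the new branch sends the request to the peer with no Proxy-Authorization header at all, and the only trace is the helper's `debug(11, 5)` output, so a broken keytab or KDC degrades silently into unauthenticated peer requests; add an else branch such as `debug(11, 1) ("Negotiate: no token for peer %s\n", request->peer_host);` so the failure is visible at the default debug level. If `base64_encode_bin()` returns the library's fixed-size static buffer, as the `base64_encode(orig_request->peer_login)` call in the Basic branch of this same hunk suggests, SPNEGO tokens longer than that buffer would be truncated silently — worth confirming, since tokens carrying a PAC can run to several kilobytes. The enclosing function continues outside the hunk.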
@@ -1471,6 +1479,7 @@ httpState->flags.http11 = httpState->peer->options.http11; else httpState->flags.http11 = Config.onoff.server_http11; + req->peer_host=httpState->peer?httpState->peer->host:NULL; memBufDefInit(&mb); httpBuildRequestPrefix(req, httpState->orig_request, diff -w -B -r -u -N squid-2.7.STABLE6/src/Makefile.am squid-2.7.STABLE6-krb5/src/Makefile.am --- squid-2.7.STABLE6/src/Makefile.am 2008-01-02 15:50:39.000000000 +0000 +++ squid-2.7.STABLE6-krb5/src/Makefile.am 2009-07-28 22:45:19.000000000 +0100 @@ -97,6 +97,7 @@ SUBDIRS = fs repl auth INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include +INCLUDES += @KRB5INCS@ EXTRA_PROGRAMS = \ unlinkd \ @@ -220,6 +221,7 @@ pconn.c \ peer_digest.c \ peer_monitor.c \ + peer_proxy_negotiate_auth.c \ peer_select.c \ peer_sourcehash.c \ peer_userhash.c \ @@ -284,8 +286,8 @@ @LIB_EPOLL@ \ -lmiscutil \ @XTRA_LIBS@ \ - $(MINGWEXLIB) - + $(MINGWEXLIB) \ + @KRB5LIBS@ squid_DEPENDENCIES = \ $(REPL_OBJS) \ $(STORE_OBJS) \ diff -w -B -r -u -N squid-2.7.STABLE6/src/peer_proxy_negotiate_auth.c squid-2.7.STABLE6-krb5/src/peer_proxy_negotiate_auth.c --- squid-2.7.STABLE6/src/peer_proxy_negotiate_auth.c 1970-01-01 01:00:00.000000000 +0100 +++ squid-2.7.STABLE6-krb5/src/peer_proxy_negotiate_auth.c 2009-08-01 16:28:17.000000000 +0100 
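Review bot: `req->peer_host=httpState->peer?httpState->peer->host:NULL;` stores a borrowed pointer into the peer's host string in a request object that is reference-counted and may outlive the peer it points at (for example across a reconfigure that rebuilds the peer list — confirm against the peer teardown path); either `xstrdup()` it and release it where `peer_login` is released, or record the borrow explicitly. The same aliasing is introduced by the ssl.c hunk (`request->peer_host = fs->peer ? fs->peer->host : NULL;`), and the new field's comment in the structs.h hunk should say which it is, e.g. `char *peer_host; /* Selected peer host; borrows peer->host, not owned by the request */`. For style, the line should be spaced like the neighbouring `httpState->flags.http11 = ...` assignments: `req->peer_host = httpState->peer ? httpState->peer->host : NULL;`. The enclosing function starts and ends outside the hunk.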
@@ -0,0 +1,473 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ +/* + * Hosted at http://sourceforge.net/projects/squidkerbauth + */ + +#include + +#if HAVE_KRB5 && HAVE_GSSAPI +#ifdef __cplusplus +extern "C" +{ +#endif + +#if HAVE_PROFILE_H +#include +#endif /* HAVE_PROFILE_H */ +#if HAVE_KRB5_H +#include +#endif /* HAVE_KRB5_H */ +#if HAVE_COM_ERR_H +#include +#endif /* HAVE_COM_ERR_H */ + +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif /* HAVE_GSSAPI_H */ +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_EXT_H */ +#if HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */ +#if HAVE_GSSAPI_GSSAPI_GENERIC_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ + +#ifndef gss_nt_service_name +#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE +#endif + +#if HAVE_HEIMDAL_KERBEROS +#define error_message(code) krb5_get_err_text(kparam.context,code) +#endif + +#ifndef gss_mech_spnego +static gss_OID_desc _gss_mech_spnego = {6, 
(void *)"\x2b\x06\x01\x05\x05\x02"}; +gss_OID gss_mech_spnego = &_gss_mech_spnego; +#endif + +#if HAVE_NAS_KERBEROS +#include +const char *KRB5_CALLCONV error_message(long code) { + char *msg=NULL; + krb5_svc_get_msg(code,&msg); + return msg; +} +#endif + +static struct kstruct { + krb5_context context; + char* mem_cache_env; + krb5_ccache cc; +} kparam = {NULL, NULL, NULL}; + +int krb5_create_cache(char* keytab_filename, char* principal_name); +void krb5_cleanup(void); + +int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function); + +int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function){ + if (GSS_ERROR(major_status)) { + OM_uint32 maj_stat,min_stat; + OM_uint32 msg_ctx = 0; + gss_buffer_desc status_string; + char buf[1024]; + size_t len; + + len = 0; + msg_ctx = 0; + while (!msg_ctx) { + /* convert major status code (GSS-API error) to text */ + maj_stat = gss_display_status(&min_stat, major_status, + GSS_C_GSS_CODE, + GSS_C_NULL_OID, + &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length + 1) { + memcpy(buf+len, status_string.value, status_string.length); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + if (sizeof(buf) > len + 2) { + strcpy(buf+len, ". 
"); + len += 2; + } + msg_ctx = 0; + while (!msg_ctx) { + /* convert minor status code (underlying routine error) to text */ + maj_stat = gss_display_status(&min_stat, minor_status, + GSS_C_MECH_CODE, + GSS_C_NULL_OID, + &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length ) { + memcpy(buf+len, status_string.value, status_string.length); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + debug(11, 5) ("%s failed: %s\n", function, buf); + return(1); + } + return(0); +} + +void krb5_cleanup() { + debug(11, 5) ("Cleanup kerberos context\n"); + if (kparam.context) { + if (kparam.cc) + krb5_cc_destroy(kparam.context,kparam.cc); + kparam.cc=NULL; + krb5_free_context(kparam.context); + kparam.context=NULL; + if (kparam.mem_cache_env) + xfree(kparam.mem_cache_env); + kparam.mem_cache_env=NULL; + } +} + +int krb5_create_cache(char* kf, char* pn){ + +#define KT_PATH_MAX 256 +#define MAX_RENEW_TIME "365d" + + static char *keytab_filename=NULL, *principal_name=NULL; + static krb5_keytab keytab = 0; + static krb5_keytab_entry entry; + static krb5_kt_cursor cursor; + static krb5_creds *creds=NULL; +#if HAVE_HEIMDAL_KERBEROS + static krb5_creds creds2; +#endif + static krb5_principal principal = NULL; + static krb5_deltat skew; + + krb5_get_init_creds_opt options; + krb5_error_code code = 0; + krb5_deltat rlife; +#if HAVE_PROFILE_H + profile_t profile; +#else + krb5_kdc_flags flags; + krb5_realm *client_realm; +#endif + char* mem_cache; + +restart: + if (creds && + (creds->times.endtime - time(0) > skew) && + (creds->times.renew_till - time(0) > 2*skew)) + { + if (creds->times.endtime - time(0) < 2*skew) + { +#if !HAVE_HEIMDAL_KERBEROS + /* renew ticket */ + code = krb5_get_renewed_creds(kparam.context, creds, principal, kparam.cc, NULL); +#else + /* renew ticket */ + flags.i = 0; + flags.b.renewable = flags.b.renew = 1; + + 
code = krb5_cc_get_principal(kparam.context, kparam.cc, &creds2.client); + if (code) + { + debug(11, 5) ("Error while getting principal from credential cache : %s\n", error_message(code)); + return(1) ; + } + client_realm = krb5_princ_realm (kparam.context, creds2.client); + code = krb5_make_principal(kparam.context, &creds2.server, *client_realm, + KRB5_TGS_NAME, *client_realm, NULL); + if (code) + { + debug(11, 5) ("Error while getting krbtgt principal : %s\n", error_message(code)); + return(1) ; + } + code = krb5_get_kdc_cred(kparam.context, kparam.cc, flags, NULL, NULL, &creds2, &creds); +#endif + if (code) + { + if ( code == KRB5KRB_AP_ERR_TKT_EXPIRED ) + { + creds=NULL; + /* this can happen because of clock skew */ + goto restart; + } + debug(11, 5) ("Error while get credentials : %s\n", error_message(code)); + return(1) ; + } + } + } + else + { + /* reinit */ + if (!kparam.context) + { + code = krb5_init_context(&kparam.context); + if (code) + { + debug(11, 5) ("Error while initialising Kerberos library : %s\n", error_message(code)); + return(1) ; + } + kparam.mem_cache_env=NULL; + } + +#if HAVE_PROFILE_H + code = krb5_get_profile (kparam.context, &profile); + if (code) + { + if (profile) + profile_release(profile); + debug(11, 5) ("Error while getting profile : %s\n", error_message(code)); + return(1) ; + } + code = profile_get_integer(profile, "libdefaults", "clockskew", 0, 5 * 60, &skew); + if (profile) + profile_release(profile); + if (code) + { + debug(11, 5) ("Error while getting clockskew : %s\n", error_message(code)); + return(1) ; + } +#else +#if HAVE_KRB5_GET_MAX_TIME_SKEW + skew=krb5_get_max_time_skew(kparam.context); +#else + skew=kparam.context->max_skew; +#endif +#endif + + if (!kf) + { + char buf[KT_PATH_MAX], *p; + + krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX); + p = strchr(buf, ':'); + if (p) p++; + if (keytab_filename) + xfree(keytab_filename); + keytab_filename = xstrdup(p ? 
p : buf); + } + else { + keytab_filename = xstrdup(kf); + } + + code = krb5_kt_resolve(kparam.context, keytab_filename, &keytab); + if (code) + { + debug(11, 5) ("Error while resolving keytab filename %s : %s\n", keytab_filename, error_message(code)); + return(1); + } + + if (!pn) + { + code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor); + if (code) + { + debug(11, 5) ("Error while starting keytab scan : %s\n", error_message(code)); + return(1); + } + code = krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor); + krb5_copy_principal(kparam.context,entry.principal,&principal); + if (code && code != KRB5_KT_END) + { + debug(11, 5) ("Error while scanning keytab : %s\n", error_message(code)); + return(1); + } + + code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor); + if (code) + { + debug(11, 5) ("Error while ending keytab scan : %s\n", error_message(code)); + return(1); + } +#if HAVE_HEIMDAL_KERBEROS || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) + code = krb5_kt_free_entry(kparam.context,&entry); +#else + code = krb5_free_keytab_entry_contents(kparam.context,&entry); +#endif + if (code) + { + debug(11, 5) ("Error while freeing keytab entry : %s\n", error_message(code)); + return(1); + } + + } + else { + principal_name=xstrdup(pn); + } + + if (!principal) + { + code = krb5_parse_name(kparam.context, principal_name, &principal); + if (code) + { + debug(11, 5) ("Error while parsing principal name %s : %s\n", principal_name, error_message(code)); + return (1); + } + } + + creds = (krb5_creds *)xmalloc(sizeof(*creds)); + memset(creds, 0, sizeof(*creds)); + krb5_get_init_creds_opt_init(&options); + code = krb5_string_to_deltat((char *)MAX_RENEW_TIME, &rlife); + if (code != 0 || rlife == 0) + { + debug(11, 5) ("Error bad lifetime value %s : %s\n", MAX_RENEW_TIME, error_message(code)); + return (1); + } + krb5_get_init_creds_opt_set_renew_life(&options, rlife); + + code = krb5_get_init_creds_keytab(kparam.context, creds, principal, 
keytab, 0, NULL, &options); + if (code) + { + debug(11, 5) ("Error while initializing credentials from keytab : %s\n", error_message(code)); + return (1); + } + +#if !HAVE_KRB5_MEMORY_CACHE + mem_cache=(char *)xmalloc(strlen("FILE:/tmp/squid_proxy_auth_")+16); + snprintf(mem_cache,strlen("FILE:/tmp/squid_proxy_auth_")+16,"FILE:/tmp/squid_proxy_auth_%d",getpid()); +#else + mem_cache=(char *)xmalloc(strlen("MEMORY:squid_proxy_auth_")+16); + snprintf(mem_cache,strlen("MEMORY:squid_proxy_auth_")+16,"MEMORY:squid_proxy_auth_%d",getpid()); +#endif + + kparam.mem_cache_env=(char *)xmalloc(strlen("KRB5CCNAME=")+strlen(mem_cache)+1); + strcpy(kparam.mem_cache_env,"KRB5CCNAME="); + strcat(kparam.mem_cache_env,mem_cache); + putenv(kparam.mem_cache_env); + code = krb5_cc_resolve(kparam.context, mem_cache , &kparam.cc); + if (mem_cache) + xfree(mem_cache); + if (code) + { + debug(11, 5) ("Error while resolving memory credential cache : %s\n", error_message(code)); + return(1) ; + } + code = krb5_cc_initialize(kparam.context, kparam.cc, principal); + if (code) + { + debug(11, 5) ("Error while initializing memory credential cache : %s\n", error_message(code)); + return(1) ; + } + code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); + if (code) + { + debug(11, 5) ("Error while storing credentials : %s\n", error_message(code)); + return(1) ; + } + + if (!creds->times.starttime) + creds->times.starttime = creds->times.authtime; + } + return(0); +} + +char *peer_proxy_negotiate_auth(char* principal_name, char *proxy) { + int rc=0; + OM_uint32 major_status, minor_status; + gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; + gss_name_t server_name = GSS_C_NO_NAME; + gss_buffer_desc service = GSS_C_EMPTY_BUFFER; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; + char *token = NULL; + + setbuf(stdout,NULL); + setbuf(stdin,NULL); + + if (!proxy ) { + debug(11, 5) ("Error : No proxy server name\n"); + return NULL; + } + + debug(11, 
5) ("Creating credential cache\n"); + rc = krb5_create_cache(NULL,principal_name); + if (rc) { + debug(11, 5) ("Error : Failed to create Kerberos cache\n"); + krb5_cleanup(); + return NULL; + } + + service.value = (void *)xmalloc(strlen("HTTP")+strlen(proxy)+2); + snprintf((char *)service.value,strlen("HTTP")+strlen(proxy)+2,"%s@%s","HTTP",proxy); + service.length = strlen((char *)service.value); + + debug(11, 5) ("Import gss name\n"); + major_status = gss_import_name(&minor_status, &service, + gss_nt_service_name, &server_name); + + if (check_gss_err(major_status,minor_status,"gss_import_name()") ) + goto cleanup; + + debug(11, 5) ("Initialize gss security context\n"); + major_status = gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &gss_context, + server_name, + gss_mech_spnego, + 0, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, + NULL, + &output_token, + NULL, + NULL); + + if (check_gss_err(major_status,minor_status,"gss_init_sec_context()") ) + goto cleanup; + + debug(11, 5) ("Got token with length %d\n",output_token.length); + if (output_token.length) { + + token = (char *)base64_encode_bin((const char*)output_token.value,output_token.length); + } + + +cleanup: + gss_delete_sec_context(&minor_status, &gss_context, NULL); + gss_release_buffer(&minor_status, &service); + gss_release_buffer(&minor_status, &input_token); + gss_release_buffer(&minor_status, &output_token); + gss_release_name(&minor_status, &server_name); + + return token; +} +#ifdef __cplusplus +} +#endif +#endif /* HAVE_KRB5 && HAVE_GSSAPI */ + diff -w -B -r -u -N squid-2.7.STABLE6/src/protos.h squid-2.7.STABLE6-krb5/src/protos.h --- squid-2.7.STABLE6/src/protos.h 2008-06-27 22:52:56.000000000 +0100 +++ squid-2.7.STABLE6-krb5/src/protos.h 2009-07-28 22:48:49.000000000 +0100 
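Review bot: In `krb5_create_cache()` the keytab scan calls `krb5_copy_principal(kparam.context,entry.principal,&principal);` before the return code of `krb5_kt_next_entry()` is examined, so an empty keytab (KRB5_KT_END) or a read error dereferences an uninitialised `entry`; check `if (code) { debug(11, 5) ("Error while scanning keytab : %s\n", error_message(code)); return(1); }` first and only then copy the principal (KRB5_KT_END must count as an error here, since no principal was found and the later free of `entry` would also touch uninitialised data). In `check_gss_err()` the message buffer `buf` is never NUL-terminated after the `memcpy` of the minor-status text, so `debug(11, 5) ("%s failed: %s\n", function, buf)` reads whatever stack bytes follow; add `buf[len] = '\0';` before the debug call (the bounds checks already keep `len < sizeof(buf)`). The `#if !HAVE_KRB5_MEMORY_CACHE` fallback writes the ticket cache to the predictable world-writable path `FILE:/tmp/squid_proxy_auth_<pid>`, which exposes the service ticket to other local users and to symlink races; it should live under Squid's own state directory with restrictive permissions, or at least carry a comment next to the `#else` stating the exposure. The `setbuf(stdout,NULL); setbuf(stdin,NULL);` calls in `peer_proxy_negotiate_auth()` look like leftovers from the standalone helper and change stdio buffering for the whole Squid process, and every error path in the file logs at `debug(11, 5)`, so failures are invisible at the default debug level; the `setbuf` calls should go and the error paths should use level 1. The error returns after `creds = (krb5_creds *)xmalloc(...)` and after `krb5_kt_resolve()` also leave `creds` and `keytab` unreleased, which leaks on every retry of a failing cache creation.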
@@ -1496,5 +1496,5 @@ extern void clientStoreURLRewriteStart(clientHttpRequest * http); extern void clientStoreURLRewriteDone(void *data, char *result); - +extern char *peer_proxy_negotiate_auth(char *principal_name, char *proxy); #endif /* SQUID_PROTOS_H */ diff -w -B -r -u -N squid-2.7.STABLE6/src/ssl.c squid-2.7.STABLE6-krb5/src/ssl.c --- squid-2.7.STABLE6/src/ssl.c 2008-05-05 00:23:13.000000000 +0100 +++ squid-2.7.STABLE6-krb5/src/ssl.c 2009-07-28 22:51:19.000000000 +0100 @@ -628,6 +628,7 @@ } sslState->servers = fs; sslState->host = fs->peer ? fs->peer->host : request->host; + request->peer_host = fs->peer ? fs->peer->host : NULL; if (fs->peer == NULL) { sslState->port = request->port; } else if (fs->peer->http_port != 0) { diff -w -B -r -u -N squid-2.7.STABLE6/src/structs.h squid-2.7.STABLE6-krb5/src/structs.h --- squid-2.7.STABLE6/src/structs.h 2008-09-25 03:33:37.000000000 +0100 +++ squid-2.7.STABLE6-krb5/src/structs.h 2009-07-28 22:40:45.000000000 +0100 @@ -1949,6 +1949,7 @@ HierarchyLogEntry hier; err_type err_type; char *peer_login; /* Configured peer login:password */ + char *peer_host; /* Selected peer host*/ time_t lastmod; /* Used on refreshes */ char *vary_hdr; /* Used when varying entities are detected. Changes how the store key is calculated */ char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */