diff -ruBEN trunk/helpers/negotiate_auth/kerberos/base64.cc SQUID_3_2/helpers/negotiate_auth/kerberos/base64.cc --- trunk/helpers/negotiate_auth/kerberos/base64.cc 2011-03-13 22:54:56.000000000 +0000 +++ SQUID_3_2/helpers/negotiate_auth/kerberos/base64.cc 2011-03-13 22:56:10.000000000 +0000 @@ -15,7 +15,7 @@ #define BASE64_VALUE_SZ 256 int base64_value[BASE64_VALUE_SZ]; const char base64_code[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; static void @@ -71,7 +71,7 @@ /* adopted from http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with adjustments */ void ska_base64_encode(char *result, const char *data, int result_size, - int data_size) + int data_size) { int bits = 0; int char_count = 0; @@ -130,7 +130,7 @@ result[out_cnt++] = '='; } } -end: + end: if (out_cnt >= result_size) { result[result_size - 1] = '\0'; /* terminate */ } else { diff -ruBEN trunk/helpers/negotiate_auth/kerberos/base64.h SQUID_3_2/helpers/negotiate_auth/kerberos/base64.h --- trunk/helpers/negotiate_auth/kerberos/base64.h 2011-03-13 22:54:56.000000000 +0000 +++ SQUID_3_2/helpers/negotiate_auth/kerberos/base64.h 2011-03-13 22:56:10.000000000 +0000 @@ -4,7 +4,7 @@ void ska_base64_decode(char *result, const char *data, int result_size); void ska_base64_encode(char *result, const char *data, int result_size, - int data_size); + int data_size); int ska_base64_encode_len(int len); int ska_base64_decode_len(const char *data); diff -ruBEN trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 SQUID_3_2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 --- trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2011-03-13 22:54:56.000000000 +0000 +++ SQUID_3_2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2011-03-13 22:56:10.000000000 +0000 
@@ -37,7 +37,7 @@ .PP See FAQ wiki page for examples of how to write configuration snippets. (TBD) .PP This helper is intended to be used as an -.B external_acl_type +.B authentication helper in .B squid.conf. .if !'po4a'hide' .P diff -ruBEN trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc SQUID_3_2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc --- trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2011-03-13 22:54:56.000000000 +0000 +++ SQUID_3_2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2011-03-13 22:56:10.000000000 +0000 @@ -82,15 +82,16 @@ #define MAX_AUTHTOKEN_LEN 65535 #endif #ifndef SQUID_KERB_AUTH_VERSION -#define SQUID_KERB_AUTH_VERSION "3.0.3sq" +#define SQUID_KERB_AUTH_VERSION "3.0.4sq" #endif int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function, int log); + const char *function, int log); char *gethost_name(void); static const char *LogTime(void); -static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0}; +static const unsigned char ntlmProtocol[] = +{'N', 'T', 'L', 'M', 'S', 'S', 'P', 0}; static const char * LogTime() @@ -122,14 +123,14 @@ rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX)); if (rc) { fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n", - LogTime(), PROGRAM, hostname); + LogTime(), PROGRAM, hostname); return NULL; } rc = getaddrinfo(hostname, NULL, NULL, &hres); if (rc != 0) { fprintf(stderr, - "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n", - LogTime(), PROGRAM, gai_strerror(rc)); + "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n", + LogTime(), PROGRAM, gai_strerror(rc)); return NULL; } hres_list = hres; 
@@ -139,11 +140,11 @@ hres_list = hres_list->ai_next; } rc = getnameinfo(hres->ai_addr, hres->ai_addrlen, hostname, - sizeof(hostname), NULL, 0, 0); + sizeof(hostname), NULL, 0, 0); if (rc != 0) { fprintf(stderr, - "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n", - LogTime(), PROGRAM, gai_strerror(rc)); + "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n", + LogTime(), PROGRAM, gai_strerror(rc)); freeaddrinfo(hres); return NULL; } @@ -154,7 +155,7 @@ int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function, int log) + const char *function, int log) { if (GSS_ERROR(major_status)) { OM_uint32 maj_stat, min_stat; 
@@ -165,44 +166,42 @@ len = 0; msg_ctx = 0; - while (!msg_ctx) { + do { /* convert major status code (GSS-API error) to text */ maj_stat = gss_display_status(&min_stat, major_status, - GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { + GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) { if (sizeof(buf) > len + status_string.length + 1) { snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); len += status_string.length; } - gss_release_buffer(&min_stat, &status_string); - break; - } + } else + msg_ctx = 0; gss_release_buffer(&min_stat, &status_string); - } + } while (msg_ctx); if (sizeof(buf) > len + 2) { snprintf(buf + len, (sizeof(buf) - len), "%s", ". "); len += 2; } msg_ctx = 0; - while (!msg_ctx) { + do { /* convert minor status code (underlying routine error) to text */ maj_stat = gss_display_status(&min_stat, minor_status, - GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { + GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) { if (sizeof(buf) > len + status_string.length) { snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); len += status_string.length; } - gss_release_buffer(&min_stat, &status_string); - break; - } + } else + msg_ctx = 0; gss_release_buffer(&min_stat, &status_string); - } + } while (msg_ctx); debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf); fprintf(stdout, "BH %s failed: %s\n", function, buf); if (log) fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(), - PROGRAM); + PROGRAM); return (1); } return (0); 
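Review bot: The rewritten message loops still format `(char *) status_string.value` with `%s`, which assumes the GSS mechanism NUL-terminates the buffer it hands back from gss_display_status(); the GSS-API buffer contract does not promise that (MIT and Heimdal happen to provide it), and the length guard on the line above does not bound that read. Bounding the copy by the buffer's own length removes the assumption, in both loops: `snprintf(buf + len, sizeof(buf) - len, "%.*s", (int) status_string.length, (char *) status_string.value);`. While there, the second loop's guard `sizeof(buf) > len + status_string.length` drops the `+ 1` the first loop uses — both leave room for the terminator, but the two checks should be written identically so the next reader does not have to re-derive that — and the unbraced `else msg_ctx = 0;` would read more safely as `} else { msg_ctx = 0; }`. The same two loops appear verbatim in the negotiate_kerberos_auth_test.cc hunk `@@ -117,41 +118,39 @@` and need the same treatment. The enclosing check_gss_err() and the declarations of buf and len begin outside this hunk.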
@@ -261,12 +260,12 @@ fprintf(stderr, "-s service principal name\n"); fprintf(stderr, "-h help\n"); fprintf(stderr, - "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); + "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n"); exit(0); default: fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), - PROGRAM, opt); + PROGRAM, opt); } } @@ -278,14 +277,14 @@ host_name = gethost_name(); if (!host_name) { fprintf(stderr, - "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n", - LogTime(), PROGRAM); + "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n", + LogTime(), PROGRAM); fprintf(stdout, "BH hostname error\n"); exit(-1); } service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2); snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2, - "%s@%s", service_name, host_name); + "%s@%s", service_name, host_name); service.length = strlen((char *) service.value); } @@ -293,8 +292,8 @@ if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { if (ferror(stdin)) { debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", - LogTime(), PROGRAM, ferror(stdin), - strerror(ferror(stdin))); + LogTime(), PROGRAM, ferror(stdin), + strerror(ferror(stdin))); fprintf(stdout, "BH input error\n"); exit(1); /* BIIG buffer */ 
@@ -378,27 +377,27 @@ } input_token.length = ska_base64_decode_len(buf + 3); debug((char *) "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n", - LogTime(), PROGRAM, buf + 3, (int) input_token.length); + LogTime(), PROGRAM, buf + 3, (int) input_token.length); input_token.value = xmalloc(input_token.length); ska_base64_decode((char *) input_token.value, buf + 3, input_token.length); if ((input_token.length >= sizeof ntlmProtocol + 1) && - (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { + (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { debug((char *) "%s| %s: WARNING: received type %d NTLM token\n", - LogTime(), PROGRAM, - (int) *((unsigned char *) input_token.value + - sizeof ntlmProtocol)); + LogTime(), PROGRAM, + (int) *((unsigned char *) input_token.value + + sizeof ntlmProtocol)); fprintf(stdout, "BH received type %d NTLM token\n", - (int) *((unsigned char *) input_token.value + - sizeof ntlmProtocol)); + (int) *((unsigned char *) input_token.value + + sizeof ntlmProtocol)); goto cleanup; } if (service_principal) { if (strcasecmp(service_principal, "GSS_C_NO_NAME")) { major_status = gss_import_name(&minor_status, &service, - (gss_OID) GSS_C_NULL_OID, &server_name); + (gss_OID) GSS_C_NULL_OID, &server_name); } else { server_name = GSS_C_NO_NAME; @@ -406,7 +405,7 @@ } } else { major_status = gss_import_name(&minor_status, &service, - gss_nt_service_name, &server_name); + gss_nt_service_name, &server_name); } if (check_gss_err(major_status, minor_status, "gss_import_name()", log)) 
@@ -414,16 +413,16 @@ major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); + GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log)) goto cleanup; major_status = gss_accept_sec_context(&minor_status, - &gss_context, - server_creds, - &input_token, - GSS_C_NO_CHANNEL_BINDINGS, - &client_name, NULL, &output_token, &ret_flags, NULL, NULL); + &gss_context, + server_creds, + &input_token, + GSS_C_NO_CHANNEL_BINDINGS, + &client_name, NULL, &output_token, &ret_flags, NULL, NULL); if (output_token.length) { @@ -436,7 +435,7 @@ goto cleanup; } ska_base64_encode(token, (const char *) spnegoToken, - ska_base64_encode_len(spnegoTokenLength), spnegoTokenLength); + ska_base64_encode_len(spnegoTokenLength), spnegoTokenLength); if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log)) goto cleanup; @@ -448,7 +447,7 @@ gss_release_buffer(&minor_status, &output_token); major_status = gss_display_name(&minor_status, client_name, &output_token, - NULL); + NULL); if (check_gss_err(major_status, minor_status, "gss_display_name()", log)) goto cleanup; @@ -467,7 +466,7 @@ debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user); if (log) fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); + PROGRAM, user); goto cleanup; } else { if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log)) @@ -480,7 +479,7 @@ gss_release_buffer(&minor_status, &output_token); major_status = gss_display_name(&minor_status, client_name, &output_token, - NULL); + NULL); if (check_gss_err(major_status, minor_status, "gss_display_name()", log)) goto cleanup; 
@@ -502,10 +501,10 @@ debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user); if (log) fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); + PROGRAM, user); } -cleanup: + cleanup: gss_release_buffer(&minor_status, &input_token); gss_release_buffer(&minor_status, &output_token); gss_release_cred(&minor_status, &server_creds); diff -ruBEN trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc SQUID_3_2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc --- trunk/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2011-03-13 22:54:56.000000000 +0000 +++ SQUID_3_2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2011-03-13 22:56:10.000000000 +0000 @@ -76,7 +76,7 @@ static const char *LogTime(void); int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function); + const char *function); const char *squid_kerb_proxy_auth(char *proxy); @@ -100,13 +100,14 @@ } #ifndef gss_mech_spnego -static gss_OID_desc _gss_mech_spnego = {6, (void *) "\x2b\x06\x01\x05\x05\x02"}; +static gss_OID_desc _gss_mech_spnego = +{6, (void *) "\x2b\x06\x01\x05\x05\x02"}; gss_OID gss_mech_spnego = &_gss_mech_spnego; #endif int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function) + const char *function) { if (GSS_ERROR(major_status)) { OM_uint32 maj_stat, min_stat; 
@@ -117,41 +118,39 @@ len = 0; msg_ctx = 0; - while (!msg_ctx) { + do { /* convert major status code (GSS-API error) to text */ maj_stat = gss_display_status(&min_stat, major_status, - GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { + GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) { if (sizeof(buf) > len + status_string.length + 1) { snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); len += status_string.length; } - gss_release_buffer(&min_stat, &status_string); - break; - } + } else + msg_ctx = 0; gss_release_buffer(&min_stat, &status_string); - } + } while (msg_ctx); if (sizeof(buf) > len + 2) { snprintf(buf + len, (sizeof(buf) - len), "%s", ". "); len += 2; } msg_ctx = 0; - while (!msg_ctx) { + do { /* convert minor status code (underlying routine error) to text */ maj_stat = gss_display_status(&min_stat, minor_status, - GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { + GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) { if (sizeof(buf) > len + status_string.length) { snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); len += status_string.length; } - gss_release_buffer(&min_stat, &status_string); - break; - } + } else + msg_ctx = 0; gss_release_buffer(&min_stat, &status_string); - } + } while (msg_ctx); fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function, - buf); + buf); return (1); } return (0); @@ -173,7 +172,7 @@ if (!proxy) { fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(), - PROGRAM); + PROGRAM); return NULL; } service.value = xmalloc(strlen("HTTP") + strlen(proxy) + 2); 
@@ -181,18 +180,18 @@ service.length = strlen((char *) service.value); major_status = gss_import_name(&minor_status, &service, - gss_nt_service_name, &server_name); + gss_nt_service_name, &server_name); if (check_gss_err(major_status, minor_status, "gss_import_name()")) goto cleanup; major_status = gss_init_sec_context(&minor_status, - GSS_C_NO_CREDENTIAL, &gss_context, server_name, - gss_mech_spnego, - 0, - 0, - GSS_C_NO_CHANNEL_BINDINGS, - &input_token, NULL, &output_token, NULL, NULL); + GSS_C_NO_CREDENTIAL, &gss_context, server_name, + gss_mech_spnego, + 0, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, NULL, &output_token, NULL, NULL); if (check_gss_err(major_status, minor_status, "gss_init_sec_context()")) goto cleanup; @@ -200,9 +199,9 @@ if (output_token.length) { token = (char *) xmalloc(ska_base64_encode_len(output_token.length)); ska_base64_encode(token, (const char *) output_token.value, - ska_base64_encode_len(output_token.length), output_token.length); + ska_base64_encode_len(output_token.length), output_token.length); } -cleanup: + cleanup: gss_delete_sec_context(&minor_status, &gss_context, NULL); gss_release_buffer(&minor_status, &service); gss_release_buffer(&minor_status, &input_token); @@ -221,7 +220,7 @@ if (argc < 2) { fprintf(stderr, "%s| %s: Error: No proxy server name given\n", - LogTime(), PROGRAM); + LogTime(), PROGRAM); exit(99); } if (argc == 3) {