From: wessels <> Date: Wed, 9 May 2007 14:07:23 +0000 (+0000) Subject: Port of 2.6/changesets/11280.patch X-Git-Tag: SQUID_3_0_PRE6~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71ee0c43b8de65e9c1192486d4e737e00d3fd245;p=thirdparty%2Fsquid.git Port of 2.6/changesets/11280.patch This is a port of http://www.squid-cache.org/Versions/v2/2.6/changesets/11280.patch to Squid-3. It seems that this particular patch was skipped or missed when other squid-2 changes were ported to squid-3. This patch removes the AUTHENTICATE_STATE_FINISHED state from authentication code. It also moves some medium sized blocks of code from the ::authenticate() method to the to authenticateFooHandleReply() function. --- diff --git a/src/auth/negotiate/auth_negotiate.cc b/src/auth/negotiate/auth_negotiate.cc index 064858b1bd..6f41f290d4 100644 --- a/src/auth/negotiate/auth_negotiate.cc +++ b/src/auth/negotiate/auth_negotiate.cc @@ -1,6 +1,6 @@ /* - * $Id: auth_negotiate.cc,v 1.16 2007/05/09 07:36:31 wessels Exp $ + * $Id: auth_negotiate.cc,v 1.17 2007/05/09 08:07:23 wessels Exp $ * * DEBUG: section 29 Negotiate Authenticator * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli @@ -247,9 +247,6 @@ AuthNegotiateUserRequest::module_direction() assert(server_blob); return 1; /* send to client */ - case AUTHENTICATE_STATE_FINISHED: - return 0; /* do nothing */ - case AUTHENTICATE_STATE_DONE: return 0; /* do nothing */ @@ -316,7 +313,6 @@ AuthNegotiateConfig::fixHeader(AuthUserRequest *auth_user_request, HttpReply *re request->flags.proxy_keepalive = 0; /* fall through */ - case AUTHENTICATE_STATE_FINISHED: case AUTHENTICATE_STATE_DONE: /* Special case: authentication finished OK but disallowed by ACL. * Need to start over to give the client another chance. @@ -452,11 +448,39 @@ authenticateNegotiateHandleReply(void *data, void *lastserver, char *reply) authenticateNegotiateReleaseServer(negotiate_request); - negotiate_request->auth_state = AUTHENTICATE_STATE_FINISHED; + negotiate_request->auth_state = AUTHENTICATE_STATE_DONE; result = S_HELPER_RELEASE; debugs(29, 4, "authenticateNegotiateHandleReply: Successfully validated user via NEGOTIATE. Username '" << blob << "'"); + + /* connection is authenticated */ + debugs(29, 4, "AuthNegotiateUserRequest::authenticate: authenticated user " << negotiate_user->username()); + /* see if this is an existing user with a different proxy_auth + * string */ + auth_user_hash_pointer *usernamehash = static_cast(hash_lookup(proxy_auth_username_cache, negotiate_user->username())); + auth_user_t *local_auth_user = negotiate_request->user(); + while (usernamehash && (usernamehash->user()->auth_type != AUTH_NEGOTIATE || strcmp(usernamehash->user()->username(), negotiate_user->username()) != 0)) + usernamehash = static_cast(usernamehash->next); + if (usernamehash) { + /* we can't seamlessly recheck the username due to the + * challenge-response nature of the protocol. + * Just free the temporary auth_user */ + usernamehash->user()->absorb(local_auth_user); + //authenticateAuthUserMerge(local_auth_user, usernamehash->user()); + local_auth_user = usernamehash->user(); + negotiate_request->_auth_user = local_auth_user; + } else { + /* store user in hash's */ + local_auth_user->addToNameCache(); + // authenticateUserNameCacheAdd(local_auth_user); + } + /* set these to now because this is either a new login from an + * existing user or a new user */ + local_auth_user->expiretime = current_time.tv_sec; + authenticateNegotiateReleaseServer(negotiate_request); + negotiate_request->auth_state = AUTHENTICATE_STATE_DONE; + } else if (strncasecmp(reply, "NA ", 3) == 0 && arg != NULL) { /* authentication failure (wrong password, etc.) */ @@ -632,9 +656,6 @@ AuthNegotiateUserRequest::authenticate(HttpRequest * request, ConnStateData::Poi { const char *proxy_auth, *blob; - //ProxyAuthCachePointer *proxy_auth_hash = NULL; - auth_user_hash_pointer *usernamehash; - /* TODO: rename this!! */ auth_user_t *local_auth_user; negotiate_user_t *negotiate_user; @@ -717,55 +738,19 @@ AuthNegotiateUserRequest::authenticate(HttpRequest * request, ConnStateData::Poi break; - case AUTHENTICATE_STATE_FINISHED: - /* connection is authenticated */ - debugs(29, 4, "AuthNegotiateUserRequest::authenticate: authenticated user " << negotiate_user->username()); - - /* see if this is an existing user with a different proxy_auth - * string */ - usernamehash = static_cast(hash_lookup(proxy_auth_username_cache, negotiate_user->username())); - - while (usernamehash && (usernamehash->user()->auth_type != AUTH_NEGOTIATE || strcmp(usernamehash->user()->username(), negotiate_user->username()) != 0)) - usernamehash = static_cast(usernamehash->next); - - if (usernamehash) { - /* we can't seamlessly recheck the username due to the - * challenge-response nature of the protocol. - * Just free the temporary auth_user */ - usernamehash->user()->absorb(local_auth_user); - //authenticateAuthUserMerge(local_auth_user, usernamehash->user()); - local_auth_user = usernamehash->user(); - _auth_user = local_auth_user; - } else { - /* store user in hash's */ - local_auth_user->addToNameCache(); - // authenticateUserNameCacheAdd(local_auth_user); - } - - /* set these to now because this is either a new login from an - * existing user or a new user */ - local_auth_user->expiretime = current_time.tv_sec; - - authenticateNegotiateReleaseServer(this); - - auth_state = AUTHENTICATE_STATE_DONE; + case AUTHENTICATE_STATE_FAILED: + /* we've failed somewhere in authentication */ + debugs(29, 9, "AuthNegotiateUserRequest::authenticate: auth state negotiate failed. " << proxy_auth); return; break; case AUTHENTICATE_STATE_DONE: - fatal("AuthNegotiateUserRequest::authenticate: unexpect auth state DONE! Report a bug to the squid developers.\n"); + fatal("AuthNegotiateUserRequest::authenticate: unexpect auth state DONE! Report a bug to the squid developers.\n"); - break; - - case AUTHENTICATE_STATE_FAILED: - /* we've failed somewhere in authentication */ - debugs(29, 9, "AuthNegotiateUserRequest::authenticate: auth state negotiate failed. " << proxy_auth); - - return; + break; - break; } return; diff --git a/src/auth/negotiate/auth_negotiate.h b/src/auth/negotiate/auth_negotiate.h index 624f408b43..035679520f 100644 --- a/src/auth/negotiate/auth_negotiate.h +++ b/src/auth/negotiate/auth_negotiate.h @@ -19,7 +19,6 @@ typedef enum { AUTHENTICATE_STATE_NONE, AUTHENTICATE_STATE_INITIAL, AUTHENTICATE_STATE_IN_PROGRESS, - AUTHENTICATE_STATE_FINISHED, AUTHENTICATE_STATE_DONE, AUTHENTICATE_STATE_FAILED } auth_state_t; /* connection level auth state */ diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc index bff9535bb7..313804b2c0 100644 --- a/src/auth/ntlm/auth_ntlm.cc +++ b/src/auth/ntlm/auth_ntlm.cc @@ -1,6 +1,6 @@ /* - * $Id: auth_ntlm.cc,v 1.65 2007/05/09 07:36:31 wessels Exp $ + * $Id: auth_ntlm.cc,v 1.66 2007/05/09 08:07:23 wessels Exp $ * * DEBUG: section 29 NTLM Authenticator * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli @@ -248,9 +248,6 @@ AuthNTLMUserRequest::module_direction() assert(server_blob); return 1; /* send to client */ - case AUTHENTICATE_STATE_FINISHED: - return 0; /* do nothing */ - case AUTHENTICATE_STATE_DONE: return 0; /* do nothing */ @@ -292,7 +289,6 @@ AuthNTLMConfig::fixHeader(AuthUserRequest *auth_user_request, HttpReply *rep, ht request->flags.proxy_keepalive = 0; /* fall through */ - case AUTHENTICATE_STATE_FINISHED: case AUTHENTICATE_STATE_DONE: /* Special case: authentication finished OK but disallowed by ACL. * Need to start over to give the client another chance. @@ -395,10 +391,37 @@ authenticateNTLMHandleReply(void *data, void *lastserver, char *reply) auth_user_request->denyMessage("Login successful"); safe_free(ntlm_request->server_blob); authenticateNTLMReleaseServer(ntlm_request); - ntlm_request->auth_state = AUTHENTICATE_STATE_FINISHED; + ntlm_request->auth_state = AUTHENTICATE_STATE_DONE; result = S_HELPER_RELEASE; debugs(29, 4, "authenticateNTLMHandleReply: Successfully validated user via NTLM. Username '" << blob << "'"); + /* connection is authenticated */ + debugs(29, 4, "AuthNTLMUserRequest::authenticate: authenticated user " << ntlm_user->username()); + /* see if this is an existing user with a different proxy_auth + * string */ + auth_user_hash_pointer *usernamehash = static_cast(hash_lookup(proxy_auth_username_cache, ntlm_user->username())); + auth_user_t *local_auth_user = ntlm_request->user(); + ntlm_user_t *ntlm_user = NULL;; + while (usernamehash && (usernamehash->user()->auth_type != AUTH_NTLM || strcmp(usernamehash->user()->username(), ntlm_user->username()) != 0)) + usernamehash = static_cast(usernamehash->next); + if (usernamehash) { + /* we can't seamlessly recheck the username due to the + * challenge-response nature of the protocol. + * Just free the temporary auth_user */ + usernamehash->user()->absorb(local_auth_user); + //authenticateAuthUserMerge(local_auth_user, usernamehash->user()); + local_auth_user = usernamehash->user(); + ntlm_request->_auth_user = local_auth_user; + } else { + /* store user in hash's */ + local_auth_user->addToNameCache(); + // authenticateUserNameCacheAdd(local_auth_user); + } + /* set these to now because this is either a new login from an + * existing user or a new user */ + local_auth_user->expiretime = current_time.tv_sec; + authenticateNTLMReleaseServer(ntlm_request); + ntlm_request->auth_state = AUTHENTICATE_STATE_DONE; } else if (strncasecmp(reply, "NA ", 3) == 0) { /* authentication failure (wrong password, etc.) */ auth_user_request->denyMessage(blob); @@ -563,9 +586,6 @@ AuthNTLMUserRequest::authenticate(HttpRequest * request, ConnStateData::Pointer { const char *proxy_auth, *blob; - //ProxyAuthCachePointer *proxy_auth_hash = NULL; - auth_user_hash_pointer *usernamehash; - /* TODO: rename this!! */ auth_user_t *local_auth_user; ntlm_user_t *ntlm_user; @@ -648,47 +668,10 @@ AuthNTLMUserRequest::authenticate(HttpRequest * request, ConnStateData::Pointer break; - case AUTHENTICATE_STATE_FINISHED: - /* connection is authenticated */ - debugs(29, 4, "AuthNTLMUserRequest::authenticate: authenticated user " << ntlm_user->username()); - - /* see if this is an existing user with a different proxy_auth - * string */ - usernamehash = static_cast(hash_lookup(proxy_auth_username_cache, ntlm_user->username())); - - while (usernamehash && (usernamehash->user()->auth_type != AUTH_NTLM || strcmp(usernamehash->user()->username(), ntlm_user->username()) != 0)) - usernamehash = static_cast(usernamehash->next); - - if (usernamehash) { - /* we can't seamlessly recheck the username due to the - * challenge-response nature of the protocol. - * Just free the temporary auth_user */ - usernamehash->user()->absorb(local_auth_user); - //authenticateAuthUserMerge(local_auth_user, usernamehash->user()); - local_auth_user = usernamehash->user(); - _auth_user = local_auth_user; - } else { - /* store user in hash's */ - local_auth_user->addToNameCache(); - // authenticateUserNameCacheAdd(local_auth_user); - } - - /* set these to now because this is either a new login from an - * existing user or a new user */ - local_auth_user->expiretime = current_time.tv_sec; - - authenticateNTLMReleaseServer(this); - - auth_state = AUTHENTICATE_STATE_DONE; - - return; - - break; - case AUTHENTICATE_STATE_DONE: - fatal("AuthNTLMUserRequest::authenticate: unexpect auth state DONE! Report a bug to the squid developers.\n"); + fatal("AuthNTLMUserRequest::authenticate: unexpect auth state DONE! Report a bug to the squid developers.\n"); - break; + break; case AUTHENTICATE_STATE_FAILED: /* we've failed somewhere in authentication */ diff --git a/src/auth/ntlm/auth_ntlm.h b/src/auth/ntlm/auth_ntlm.h index 8006d6b03c..f4454f2780 100644 --- a/src/auth/ntlm/auth_ntlm.h +++ b/src/auth/ntlm/auth_ntlm.h @@ -19,7 +19,6 @@ typedef enum { AUTHENTICATE_STATE_NONE, AUTHENTICATE_STATE_INITIAL, AUTHENTICATE_STATE_IN_PROGRESS, - AUTHENTICATE_STATE_FINISHED, AUTHENTICATE_STATE_DONE, AUTHENTICATE_STATE_FAILED } auth_state_t; /* connection level auth state */