From: Amos Jeffries Date: Wed, 16 Sep 2009 09:53:46 +0000 (-0600) Subject: Author: Source Maintenance X-Git-Tag: SQUID_3_2_0_1~712 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f54f527e1ba07927377e9398827b9cdf400a1303;p=thirdparty%2Fsquid.git Author: Source Maintenance SourceFormat enforcement --- diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/ldap_group/squid_ldap_group.c index ee8588c295..afdb8d491a 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.c +++ b/helpers/external_acl/ldap_group/squid_ldap_group.c @@ -233,7 +233,7 @@ main(int argc, char **argv) case 'd': case 'g': case 'S': - case 'K': + case 'K': break; default: if (strlen(argv[1]) > 2) { diff --git a/helpers/ntlm_auth/smb_lm/libntlmssp.c b/helpers/ntlm_auth/smb_lm/libntlmssp.c index 65bc9942ca..11fcd69b19 100644 --- a/helpers/ntlm_auth/smb_lm/libntlmssp.c +++ b/helpers/ntlm_auth/smb_lm/libntlmssp.c @@ -261,8 +261,8 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length) #if 1 debug("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'" - "(length: %d)\n", - user,lmencoded_empty_pass,tmp.str,tmp.l); + "(length: %d)\n", + user,lmencoded_empty_pass,tmp.str,tmp.l); if (memcmp(tmp.str,lmencoded_empty_pass,ENCODED_PASS_LEN)==0) { fprintf(stderr,"Empty LM password supplied for user %s\\%s. " "No-auth\n",domain,user); @@ -273,8 +273,8 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length) tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse); if (tmp.str != NULL && tmp.l != 0) { debug("Empty NT pass detection: user: '%s', ours:'%s', his: '%s'" - "(length: %d)\n", - user,ntencoded_empty_pass,tmp.str,tmp.l); + "(length: %d)\n", + user,ntencoded_empty_pass,tmp.str,tmp.l); if (memcmp(tmp.str,lmencoded_empty_pass,ENCODED_PASS_LEN)==0) { fprintf(stderr,"Empty NT password supplied for user %s\\%s. " "No-auth\n",domain,user); 
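Review bot: In the second libntlmssp.c hunk (NT branch of ntlm_check_auth) the debug call prints `ntencoded_empty_pass`, but the `memcmp` that follows still compares `tmp.str` against `lmencoded_empty_pass`, so the empty NT password check appears to test the wrong constant and may never match. The comparison should read `if (memcmp(tmp.str,ntencoded_empty_pass,ENCODED_PASS_LEN)==0) {`. The guard before it only requires `tmp.l != 0`, so a response shorter than ENCODED_PASS_LEN would be read past its end; adding `tmp.l >= ENCODED_PASS_LEN` to that condition avoids this, assuming `tmp.l` is the byte length returned by ntlm_fetch_string. Both debug calls also print the client response with `'%s'`, which is only safe if that field is NUL-terminated text, so a length-bounded or hex dump would be safer. The function body starts and ends outside the hunks.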
diff --git a/helpers/url_rewrite/fake/fake.cc b/helpers/url_rewrite/fake/fake.cc index 59604cc0eb..d373cc54f9 100644 --- a/helpers/url_rewrite/fake/fake.cc +++ b/helpers/url_rewrite/fake/fake.cc @@ -86,8 +86,7 @@ main(int argc, char *argv[]) if ((p = strchr(buf, '\n')) != NULL) { *p = '\0'; /* strip \n */ buflen = p - buf; /* length is known already */ - } - else + } else buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */ debug("Got %d bytes '%s' from Squid\n", buflen, buf); diff --git a/include/RefCount.h b/include/RefCount.h index d1ef4d6270..f648fe48cf 100644 --- a/include/RefCount.h +++ b/include/RefCount.h @@ -119,7 +119,7 @@ struct RefCountable_ { /* Not private, to allow class hierarchies */ void RefCountReference() const { #if REFCOUNT_DEBUG - old_debug(0,1)("Incrementing this %p from count %u\n",this,count_); + old_debug(0,1)("Incrementing this %p from count %u\n",this,count_); #endif ++count_; diff --git a/src/HttpStatusLine.cc b/src/HttpStatusLine.cc index eb797c5a17..8ed8a4686b 100644 --- a/src/HttpStatusLine.cc +++ b/src/HttpStatusLine.cc @@ -73,7 +73,7 @@ httpStatusLinePackInto(const HttpStatusLine * sline, Packer * p) debugs(57, 9, "packing sline " << sline << " using " << p << ":"); debugs(57, 9, "FORMAT=" << HttpStatusLineFormat ); debugs(57, 9, "HTTP/" << sline->version.major << "." << sline->version.minor << - " " << sline->status << " " << (sline->reason ? sline->reason : httpStatusString(sline->status)) ); + " " << sline->status << " " << (sline->reason ? sline->reason : httpStatusString(sline->status)) ); packerPrintf(p, HttpStatusLineFormat, sline->version.major, sline->version.minor, sline->status, httpStatusLineReason(sline)); } diff --git a/src/cbdata.h b/src/cbdata.h index 5a85b08fad..5c4b0320e5 100644 --- a/src/cbdata.h +++ b/src/cbdata.h 
@@ -336,7 +336,7 @@ extern cbdata_type cbdataInternalAddType(cbdata_type type, const char *label, in /** * \ingroup CBDATAAPI - * + * * This needs to be defined LAST in teh class definition. It plays with private/public states in C++. */ #define CBDATA_CLASS2(type) \ diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 088ee53b47..aa2d608b47 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -747,7 +747,7 @@ clientCheckPinning(ClientHttpRequest * http) * a client connection */ if (!http_conn) - return; + return; request->flags.connection_auth_disabled = http_conn->port->connection_auth_disabled; if (!request->flags.connection_auth_disabled) { diff --git a/src/http.cc b/src/http.cc index dca3be0c13..7a83a32959 100644 --- a/src/http.cc +++ b/src/http.cc 
@@ -1460,58 +1460,58 @@ httpFixupAuthentication(HttpRequest * request, HttpRequest * orig_request, const /* Nothing to do unless we are forwarding to a peer */ if (!request->flags.proxying) - return; + return; /* Needs to be explicitly enabled */ if (!orig_request->peer_login) - return; + return; /* Maybe already dealt with? */ if (hdr_out->has(header)) - return; + return; /* Nothing to do here for PASSTHRU */ if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) - return; + return; /* PROXYPASS is a special case, single-signon to servers with the proxy password (basic only) */ if (flags.originpeer && strcmp(orig_request->peer_login, "PROXYPASS") == 0 && hdr_in->has(HDR_PROXY_AUTHORIZATION)) { - const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION); + const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION); - if (auth && strncasecmp(auth, "basic ", 6) == 0) { - hdr_out->putStr(header, auth); - return; - } + if (auth && strncasecmp(auth, "basic ", 6) == 0) { + hdr_out->putStr(header, auth); + return; + } } /* Special mode to pass the username to the upstream cache */ if (*orig_request->peer_login == '*') { - char loginbuf[256]; - const char *username = "-"; + char loginbuf[256]; + const char *username = "-"; - if (orig_request->extacl_user.size()) - username = orig_request->extacl_user.termedBuf(); - else if (orig_request->auth_user_request) - username = orig_request->auth_user_request->username(); + if (orig_request->extacl_user.size()) + username = orig_request->extacl_user.termedBuf(); + else if (orig_request->auth_user_request) + username = orig_request->auth_user_request->username(); - snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); + snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); - httpHeaderPutStrf(hdr_out, header, "Basic %s", - base64_encode(loginbuf)); - return; + httpHeaderPutStrf(hdr_out, header, "Basic %s", + base64_encode(loginbuf)); + return; } /* external_acl 
provided credentials */ if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size() && - (strcmp(orig_request->peer_login, "PASS") == 0 || - strcmp(orig_request->peer_login, "PROXYPASS") == 0)) { - char loginbuf[256]; - snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, - SQUIDSTRINGPRINT(orig_request->extacl_user), - SQUIDSTRINGPRINT(orig_request->extacl_passwd)); - httpHeaderPutStrf(hdr_out, header, "Basic %s", - base64_encode(loginbuf)); - return; + (strcmp(orig_request->peer_login, "PASS") == 0 || + strcmp(orig_request->peer_login, "PROXYPASS") == 0)) { + char loginbuf[256]; + snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, + SQUIDSTRINGPRINT(orig_request->extacl_user), + SQUIDSTRINGPRINT(orig_request->extacl_passwd)); + httpHeaderPutStrf(hdr_out, header, "Basic %s", + base64_encode(loginbuf)); + return; } /* Kerberos login to peer */ @@ -1531,7 +1531,7 @@ httpFixupAuthentication(HttpRequest * request, HttpRequest * orig_request, const #endif /* HAVE_KRB5 && HAVE_GSSAPI */ httpHeaderPutStrf(hdr_out, header, "Basic %s", - base64_encode(orig_request->peer_login)); + base64_encode(orig_request->peer_login)); return; } @@ -1741,9 +1741,9 @@ copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, co * authentication forwarding is explicitly enabled */ if (!flags.originpeer && flags.proxying && orig_request->peer_login && - (strcmp(orig_request->peer_login, "PASS") == 0 || - strcmp(orig_request->peer_login, "PROXYPASS") == 0 || - strcmp(orig_request->peer_login, "PASSTHRU") == 0)) { + (strcmp(orig_request->peer_login, "PASS") == 0 || + strcmp(orig_request->peer_login, "PROXYPASS") == 0 || + strcmp(orig_request->peer_login, "PASSTHRU") == 0)) { hdr_out->addEntry(e->clone()); } break; diff --git a/src/ip/IpIntercept.cc b/src/ip/IpIntercept.cc index 9f2edeb2cb..4bd3b8b156 100644 --- a/src/ip/IpIntercept.cc +++ b/src/ip/IpIntercept.cc 
@@ -446,12 +446,12 @@ IpIntercept::ProbeForTproxy(IpAddress &test) #if LINUX_TPROXY2 #if USE_IPV6 - /* TPROXYv2 is not IPv6 capable. Force wildcard sockets to IPv4. Die on IPv6 IPs */ - debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << test << " (TPROXYv2 interception enabled)"); - if ( test.IsIPv6() && !test.SetIPv4() ) { - debugs(3, DBG_CRITICAL, "IPv6 requires TPROXYv4 support. You only have TPROXYv2 for " << test ); - return false; - } + /* TPROXYv2 is not IPv6 capable. Force wildcard sockets to IPv4. Die on IPv6 IPs */ + debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << test << " (TPROXYv2 interception enabled)"); + if ( test.IsIPv6() && !test.SetIPv4() ) { + debugs(3, DBG_CRITICAL, "IPv6 requires TPROXYv4 support. You only have TPROXYv2 for " << test ); + return false; + } #endif /* USE_IPV6 */ return true; @@ -473,8 +473,8 @@ IpIntercept::ProbeForTproxy(IpAddress &test) tmp.GetSockAddr(tmp_ip6); if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 && - setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 && - bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) { + setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 && + bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) { debugs(3, 3, "IPv6 TPROXY support detected. Using."); close(tmp_sock); @@ -502,8 +502,8 @@ IpIntercept::ProbeForTproxy(IpAddress &test) tmp.GetSockAddr(tmp_ip4); if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 && - setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 && - bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) { + setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 && + bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) { debugs(3, 3, "IPv4 TPROXY support detected. Using."); close(tmp_sock); 
diff --git a/src/ip/IpIntercept.h b/src/ip/IpIntercept.h index 541e9c600c..15ba9496b2 100644 --- a/src/ip/IpIntercept.h +++ b/src/ip/IpIntercept.h @@ -39,7 +39,7 @@ public: * Test system networking calls for TPROXY support. * Detects IPv6 and IPv4 level of support matches the address being listened on * and if the compiled v2/v4 is usable as far down as a bind()ing. - * + * * \param test Address set on the http(s)_port being checked. * \retval true TPROXY is available. * \retval false TPROXY is not available. diff --git a/src/logfile.cc b/src/logfile.cc index d746170ac4..0c86333f40 100644 --- a/src/logfile.cc +++ b/src/logfile.cc @@ -220,8 +220,8 @@ logfileRotate(Logfile * lf) void logfileWrite(Logfile * lf, void *buf, size_t len) { - /* AYJ: this write gets called once per line? Squid-2 did it in lineEnd which we dont have. */ - lf->sequence_number++; + /* AYJ: this write gets called once per line? Squid-2 did it in lineEnd which we dont have. */ + lf->sequence_number++; #if HAVE_SYSLOG diff --git a/src/peer_proxy_negotiate_auth.cc b/src/peer_proxy_negotiate_auth.cc index d1e2028c38..c0bf3591a3 100644 --- a/src/peer_proxy_negotiate_auth.cc +++ b/src/peer_proxy_negotiate_auth.cc @@ -29,8 +29,7 @@ #if HAVE_KRB5 && HAVE_GSSAPI #ifdef __cplusplus -extern "C" -{ +extern "C" { #endif #if HAVE_PROFILE_H 
@@ -69,479 +68,472 @@ extern "C" #elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_MESSAGE #define error_message(code) krb5_get_error_message(kparam.context,code) #elif !HAVE_ERROR_MESSAGE -static char err_code[17]; -const char *KRB5_CALLCONV -error_message(long code) -{ - snprintf(err_code,16,"%ld",code); - return err_code; -} + static char err_code[17]; + const char *KRB5_CALLCONV + error_message(long code) { + snprintf(err_code,16,"%ld",code); + return err_code; + } #endif #ifndef gss_mech_spnego static gss_OID_desc _gss_mech_spnego = - { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; + { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; gss_OID gss_mech_spnego = &_gss_mech_spnego; #endif #if HAVE_NAS_KERBEROS #include - const char *KRB5_CALLCONV error_message(long code) - { - char *msg = NULL; - krb5_svc_get_msg(code, &msg); - return msg; + const char *KRB5_CALLCONV error_message(long code) { + char *msg = NULL; + krb5_svc_get_msg(code, &msg); + return msg; } #endif -/* - * Kerberos context and cache structure - * Caches authentication details to reduce - * number of authentication requests to kdc - */ - static struct kstruct - { - krb5_context context; - krb5_ccache cc; + /* + * Kerberos context and cache structure + * Caches authentication details to reduce + * number of authentication requests to kdc + */ + static struct kstruct { + krb5_context context; + krb5_ccache cc; } kparam = { - NULL, NULL}; - -/* - * krb5_create_cache creates a Kerberos file credential cache or a memory - * credential cache if supported. The initial key for the principal - * principal_name is extracted from the keytab keytab_filename. - * - * If keytab_filename is NULL the default will be used. - * If principal_name is NULL the first working entry of the keytab will be used. - */ + NULL, NULL}; + + /* + * krb5_create_cache creates a Kerberos file credential cache or a memory + * credential cache if supported. 
The initial key for the principal + * principal_name is extracted from the keytab keytab_filename. + * + * If keytab_filename is NULL the default will be used. + * If principal_name is NULL the first working entry of the keytab will be used. + */ int krb5_create_cache(char *keytab_filename, char *principal_name); -/* - * krb5_cleanup clears used Keberos memory - */ + /* + * krb5_cleanup clears used Keberos memory + */ void krb5_cleanup(void); -/* - * check_gss_err checks for gssapi error codes, extracts the error message - * and prints it. - */ + /* + * check_gss_err checks for gssapi error codes, extracts the error message + * and prints it. + */ int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function); + const char *function); int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function) - { - if (GSS_ERROR(major_status)) { - OM_uint32 maj_stat, min_stat; - OM_uint32 msg_ctx = 0; - gss_buffer_desc status_string; - char buf[1024]; - size_t len; - - len = 0; - msg_ctx = 0; - while (!msg_ctx) { - /* convert major status code (GSS-API error) to text */ - maj_stat = gss_display_status(&min_stat, major_status, - GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { - if (sizeof(buf) > len + status_string.length + 1) { - memcpy(buf + len, status_string.value, - status_string.length); - len += status_string.length; - } - gss_release_buffer(&min_stat, &status_string); - break; - } - gss_release_buffer(&min_stat, &status_string); - } - if (sizeof(buf) > len + 2) { - strcpy(buf + len, ". 
"); - len += 2; - } - msg_ctx = 0; - while (!msg_ctx) { - /* convert minor status code (underlying routine error) to text */ - maj_stat = gss_display_status(&min_stat, minor_status, - GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { - if (sizeof(buf) > len + status_string.length) { - memcpy(buf + len, status_string.value, - status_string.length); - len += status_string.length; - } - gss_release_buffer(&min_stat, &status_string); - break; - } - gss_release_buffer(&min_stat, &status_string); - } - debugs(11, 5, HERE << function << "failed: " << buf); - return (1); - } - return (0); + const char *function) { + if (GSS_ERROR(major_status)) { + OM_uint32 maj_stat, min_stat; + OM_uint32 msg_ctx = 0; + gss_buffer_desc status_string; + char buf[1024]; + size_t len; + + len = 0; + msg_ctx = 0; + while (!msg_ctx) { + /* convert major status code (GSS-API error) to text */ + maj_stat = gss_display_status(&min_stat, major_status, + GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length + 1) { + memcpy(buf + len, status_string.value, + status_string.length); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + if (sizeof(buf) > len + 2) { + strcpy(buf + len, ". 
"); + len += 2; + } + msg_ctx = 0; + while (!msg_ctx) { + /* convert minor status code (underlying routine error) to text */ + maj_stat = gss_display_status(&min_stat, minor_status, + GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length) { + memcpy(buf + len, status_string.value, + status_string.length); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + debugs(11, 5, HERE << function << "failed: " << buf); + return (1); + } + return (0); } - void krb5_cleanup() - { - debugs(11, 5, HERE << "Cleanup kerberos context"); - if (kparam.context) { - if (kparam.cc) - krb5_cc_destroy(kparam.context, kparam.cc); - kparam.cc = NULL; - krb5_free_context(kparam.context); - kparam.context = NULL; - } + void krb5_cleanup() { + debugs(11, 5, HERE << "Cleanup kerberos context"); + if (kparam.context) { + if (kparam.cc) + krb5_cc_destroy(kparam.context, kparam.cc); + kparam.cc = NULL; + krb5_free_context(kparam.context); + kparam.context = NULL; + } } - int krb5_create_cache(char *kf, char *pn) - { + int krb5_create_cache(char *kf, char *pn) { #define KT_PATH_MAX 256 #define MAX_RENEW_TIME "365d" #define DEFAULT_SKEW (krb5_deltat) 600 - static char *keytab_filename = NULL, *principal_name = NULL; - static krb5_keytab keytab = 0; - static krb5_keytab_entry entry; - static krb5_kt_cursor cursor; - static krb5_creds *creds = NULL; + static char *keytab_filename = NULL, *principal_name = NULL; + static krb5_keytab keytab = 0; + static krb5_keytab_entry entry; + static krb5_kt_cursor cursor; + static krb5_creds *creds = NULL; #if HAVE_HEIMDAL_KERBEROS - static krb5_creds creds2; + static krb5_creds creds2; #endif - static krb5_principal principal = NULL; - static krb5_deltat skew; - - krb5_get_init_creds_opt options; - krb5_error_code code = 0; - krb5_deltat rlife; -#if HAVE_PROFILE_H && 
HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE - profile_t profile; + static krb5_principal principal = NULL; + static krb5_deltat skew; + + krb5_get_init_creds_opt options; + krb5_error_code code = 0; + krb5_deltat rlife; +#if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE + profile_t profile; #endif #if HAVE_HEIMDAL_KERBEROS - krb5_kdc_flags flags; - krb5_realm *client_realm; + krb5_kdc_flags flags; + krb5_realm *client_realm; #endif - char *mem_cache; - - restart: -/* - * Check if credentials need to be renewed - */ - if (creds && - (creds->times.endtime - time(0) > skew) && - (creds->times.renew_till - time(0) > 2 * skew)) { - if (creds->times.endtime - time(0) < 2 * skew) { + char *mem_cache; + +restart: + /* + * Check if credentials need to be renewed + */ + if (creds && + (creds->times.endtime - time(0) > skew) && + (creds->times.renew_till - time(0) > 2 * skew)) { + if (creds->times.endtime - time(0) < 2 * skew) { #if !HAVE_HEIMDAL_KERBEROS - /* renew ticket */ - code = - krb5_get_renewed_creds(kparam.context, creds, principal, - kparam.cc, NULL); + /* renew ticket */ + code = + krb5_get_renewed_creds(kparam.context, creds, principal, + kparam.cc, NULL); #else - /* renew ticket */ - flags.i = 0; - flags.b.renewable = flags.b.renew = 1; - - code = - krb5_cc_get_principal(kparam.context, kparam.cc, - &creds2.client); - if (code) { - debugs(11, 5, - HERE << - "Error while getting principal from credential cache : " - << error_message(code)); - return (1); - } - client_realm = krb5_princ_realm(kparam.context, creds2.client); - code = - krb5_make_principal(kparam.context, &creds2.server, - *client_realm, KRB5_TGS_NAME, *client_realm, NULL); - if (code) { - debugs(11, 5, - HERE << "Error while getting krbtgt principal : " << - error_message(code)); - return (1); - } - code = - krb5_get_kdc_cred(kparam.context, kparam.cc, flags, NULL, - NULL, &creds2, &creds); - krb5_free_creds(kparam.context, 
&creds2); + /* renew ticket */ + flags.i = 0; + flags.b.renewable = flags.b.renew = 1; + + code = + krb5_cc_get_principal(kparam.context, kparam.cc, + &creds2.client); + if (code) { + debugs(11, 5, + HERE << + "Error while getting principal from credential cache : " + << error_message(code)); + return (1); + } + client_realm = krb5_princ_realm(kparam.context, creds2.client); + code = + krb5_make_principal(kparam.context, &creds2.server, + *client_realm, KRB5_TGS_NAME, *client_realm, NULL); + if (code) { + debugs(11, 5, + HERE << "Error while getting krbtgt principal : " << + error_message(code)); + return (1); + } + code = + krb5_get_kdc_cred(kparam.context, kparam.cc, flags, NULL, + NULL, &creds2, &creds); + krb5_free_creds(kparam.context, &creds2); #endif - if (code) { - if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) { - krb5_free_creds(kparam.context, creds); - creds = NULL; - /* this can happen because of clock skew */ - goto restart; - } - debugs(11, 5, - HERE << "Error while get credentials : " << - error_message(code)); - return (1); - } - } - } else { - /* reinit */ - if (!kparam.context) { - code = krb5_init_context(&kparam.context); - if (code) { - debugs(11, 5, - HERE << "Error while initialising Kerberos library : " - << error_message(code)); - return (1); - } - } -#if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE - code = krb5_get_profile(kparam.context, &profile); - if (code) { - if (profile) - profile_release(profile); - debugs(11, 5, - HERE << "Error while getting profile : " << - error_message(code)); - return (1); - } - code = - profile_get_integer(profile, "libdefaults", "clockskew", 0, - 5 * 60, &skew); - if (profile) - profile_release(profile); - if (code) { - debugs(11, 5, - HERE << "Error while getting clockskew : " << - error_message(code)); - return (1); - } + if (code) { + if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) { + krb5_free_creds(kparam.context, creds); + creds = NULL; + /* this can happen because 
of clock skew */ + goto restart; + } + debugs(11, 5, + HERE << "Error while get credentials : " << + error_message(code)); + return (1); + } + } + } else { + /* reinit */ + if (!kparam.context) { + code = krb5_init_context(&kparam.context); + if (code) { + debugs(11, 5, + HERE << "Error while initialising Kerberos library : " + << error_message(code)); + return (1); + } + } +#if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE + code = krb5_get_profile(kparam.context, &profile); + if (code) { + if (profile) + profile_release(profile); + debugs(11, 5, + HERE << "Error while getting profile : " << + error_message(code)); + return (1); + } + code = + profile_get_integer(profile, "libdefaults", "clockskew", 0, + 5 * 60, &skew); + if (profile) + profile_release(profile); + if (code) { + debugs(11, 5, + HERE << "Error while getting clockskew : " << + error_message(code)); + return (1); + } #elif HAVE_KRB5_GET_MAX_TIME_SKEW && HAVE_HEIMDAL_KERBEROS - skew = krb5_get_max_time_skew(kparam.context); + skew = krb5_get_max_time_skew(kparam.context); #elif HAVE_MAX_SKEW_IN_KRB5_CONTEXT && HAVE_HEIMDAL_KERBEROS - skew = kparam.context->max_skew; + skew = kparam.context->max_skew; #else - skew = DEFAULT_SKEW; + skew = DEFAULT_SKEW; #endif - if (!kf) { - char buf[KT_PATH_MAX], *p; - - krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX); - p = strchr(buf, ':'); - if (p) - p++; - if (keytab_filename) - xfree(keytab_filename); - keytab_filename = xstrdup(p ? 
p : buf); - } else { - keytab_filename = xstrdup(kf); - } - - code = krb5_kt_resolve(kparam.context, keytab_filename, &keytab); - if (code) { - debugs(11, 5, - HERE << "Error while resolving keytab filename " << - keytab_filename << " : " << error_message(code)); - return (1); - } - - if (!pn) { - code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor); - if (code) { - debugs(11, 5, - HERE << "Error while starting keytab scan : " << - error_message(code)); - return (1); - } - code = - krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor); - krb5_copy_principal(kparam.context, entry.principal, - &principal); - if (code && code != KRB5_KT_END) { - debugs(11, 5, - HERE << "Error while scanning keytab : " << - error_message(code)); - return (1); - } - - code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor); - if (code) { - debugs(11, 5, - HERE << "Error while ending keytab scan : " << - error_message(code)); - return (1); - } + if (!kf) { + char buf[KT_PATH_MAX], *p; + + krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX); + p = strchr(buf, ':'); + if (p) + p++; + if (keytab_filename) + xfree(keytab_filename); + keytab_filename = xstrdup(p ? 
p : buf); + } else { + keytab_filename = xstrdup(kf); + } + + code = krb5_kt_resolve(kparam.context, keytab_filename, &keytab); + if (code) { + debugs(11, 5, + HERE << "Error while resolving keytab filename " << + keytab_filename << " : " << error_message(code)); + return (1); + } + + if (!pn) { + code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor); + if (code) { + debugs(11, 5, + HERE << "Error while starting keytab scan : " << + error_message(code)); + return (1); + } + code = + krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor); + krb5_copy_principal(kparam.context, entry.principal, + &principal); + if (code && code != KRB5_KT_END) { + debugs(11, 5, + HERE << "Error while scanning keytab : " << + error_message(code)); + return (1); + } + + code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor); + if (code) { + debugs(11, 5, + HERE << "Error while ending keytab scan : " << + error_message(code)); + return (1); + } #if HAVE_HEIMDAL_KERBEROS || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) - code = krb5_kt_free_entry(kparam.context, &entry); + code = krb5_kt_free_entry(kparam.context, &entry); #else - code = krb5_free_keytab_entry_contents(kparam.context, &entry); + code = krb5_free_keytab_entry_contents(kparam.context, &entry); #endif - if (code) { - debugs(11, 5, - HERE << "Error while freeing keytab entry : " << - error_message(code)); - return (1); - } - - } else { - principal_name = xstrdup(pn); - } - - if (!principal) { - code = - krb5_parse_name(kparam.context, principal_name, &principal); - if (code) { - debugs(11, 5, - HERE << "Error while parsing principal name " << - principal_name << " : " << error_message(code)); - return (1); - } - } - - creds = (krb5_creds *) xmalloc(sizeof(*creds)); - memset(creds, 0, sizeof(*creds)); - krb5_get_init_creds_opt_init(&options); - code = krb5_string_to_deltat((char *) MAX_RENEW_TIME, &rlife); - if (code != 0 || rlife == 0) { - debugs(11, 5, - HERE << "Error bad lifetime value " << 
MAX_RENEW_TIME << - " : " << error_message(code)); - return (1); - } - krb5_get_init_creds_opt_set_renew_life(&options, rlife); - - code = - krb5_get_init_creds_keytab(kparam.context, creds, principal, - keytab, 0, NULL, &options); - if (code) { - debugs(11, 5, - HERE << - "Error while initializing credentials from keytab : " << - error_message(code)); - return (1); - } + if (code) { + debugs(11, 5, + HERE << "Error while freeing keytab entry : " << + error_message(code)); + return (1); + } + + } else { + principal_name = xstrdup(pn); + } + + if (!principal) { + code = + krb5_parse_name(kparam.context, principal_name, &principal); + if (code) { + debugs(11, 5, + HERE << "Error while parsing principal name " << + principal_name << " : " << error_message(code)); + return (1); + } + } + + creds = (krb5_creds *) xmalloc(sizeof(*creds)); + memset(creds, 0, sizeof(*creds)); + krb5_get_init_creds_opt_init(&options); + code = krb5_string_to_deltat((char *) MAX_RENEW_TIME, &rlife); + if (code != 0 || rlife == 0) { + debugs(11, 5, + HERE << "Error bad lifetime value " << MAX_RENEW_TIME << + " : " << error_message(code)); + return (1); + } + krb5_get_init_creds_opt_set_renew_life(&options, rlife); + + code = + krb5_get_init_creds_keytab(kparam.context, creds, principal, + keytab, 0, NULL, &options); + if (code) { + debugs(11, 5, + HERE << + "Error while initializing credentials from keytab : " << + error_message(code)); + return (1); + } #if !HAVE_KRB5_MEMORY_CACHE - mem_cache = - (char *) xmalloc(strlen("FILE:/tmp/peer_proxy_negotiate_auth_") - + 16); - snprintf(mem_cache, - strlen("FILE:/tmp/peer_proxy_negotiate_auth_") + 16, - "FILE:/tmp/peer_proxy_negotiate_auth_%d", (int) getpid()); + mem_cache = + (char *) xmalloc(strlen("FILE:/tmp/peer_proxy_negotiate_auth_") + + 16); + snprintf(mem_cache, + strlen("FILE:/tmp/peer_proxy_negotiate_auth_") + 16, + "FILE:/tmp/peer_proxy_negotiate_auth_%d", (int) getpid()); #else - mem_cache = - (char *) 
xmalloc(strlen("MEMORY:peer_proxy_negotiate_auth_") + - 16); - snprintf(mem_cache, - strlen("MEMORY:peer_proxy_negotiate_auth_") + 16, - "MEMORY:peer_proxy_negotiate_auth_%d", (int) getpid()); + mem_cache = + (char *) xmalloc(strlen("MEMORY:peer_proxy_negotiate_auth_") + + 16); + snprintf(mem_cache, + strlen("MEMORY:peer_proxy_negotiate_auth_") + 16, + "MEMORY:peer_proxy_negotiate_auth_%d", (int) getpid()); #endif - setenv("KRB5CCNAME", mem_cache, 1); - code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc); - if (mem_cache) - xfree(mem_cache); - if (code) { - debugs(11, 5, - HERE << "Error while resolving memory credential cache : " - << error_message(code)); - return (1); - } - code = krb5_cc_initialize(kparam.context, kparam.cc, principal); - if (code) { - debugs(11, 5, - HERE << - "Error while initializing memory credential cache : " << - error_message(code)); - return (1); - } - code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); - if (code) { - debugs(11, 5, - HERE << "Error while storing credentials : " << - error_message(code)); - return (1); - } - - if (!creds->times.starttime) - creds->times.starttime = creds->times.authtime; - } - return (0); + setenv("KRB5CCNAME", mem_cache, 1); + code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc); + if (mem_cache) + xfree(mem_cache); + if (code) { + debugs(11, 5, + HERE << "Error while resolving memory credential cache : " + << error_message(code)); + return (1); + } + code = krb5_cc_initialize(kparam.context, kparam.cc, principal); + if (code) { + debugs(11, 5, + HERE << + "Error while initializing memory credential cache : " << + error_message(code)); + return (1); + } + code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); + if (code) { + debugs(11, 5, + HERE << "Error while storing credentials : " << + error_message(code)); + return (1); + } + + if (!creds->times.starttime) + creds->times.starttime = creds->times.authtime; + } + return (0); } -/* - * peer_proxy_negotiate_auth gets 
a GSSAPI token for principal_name - * and base64 encodes it. - */ - char *peer_proxy_negotiate_auth(char *principal_name, char *proxy) - { - int rc = 0; - OM_uint32 major_status, minor_status; - gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; - gss_name_t server_name = GSS_C_NO_NAME; - gss_buffer_desc service = GSS_C_EMPTY_BUFFER; - gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; - gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; - char *token = NULL; - - setbuf(stdout, NULL); - setbuf(stdin, NULL); - - if (!proxy) { - debugs(11, 5, HERE << "Error : No proxy server name"); - return NULL; - } - - if (principal_name) - debugs(11, 5, - HERE << "Creating credential cache for " << principal_name); - else - debugs(11, 5, HERE << "Creating credential cache"); - rc = krb5_create_cache(NULL, principal_name); - if (rc) { - debugs(11, 5, HERE << "Error : Failed to create Kerberos cache"); - krb5_cleanup(); - return NULL; - } - - service.value = (void *) xmalloc(strlen("HTTP") + strlen(proxy) + 2); - snprintf((char *) service.value, strlen("HTTP") + strlen(proxy) + 2, - "%s@%s", "HTTP", proxy); - service.length = strlen((char *) service.value); - - debugs(11, 5, HERE << "Import gss name"); - major_status = gss_import_name(&minor_status, &service, - gss_nt_service_name, &server_name); - - if (check_gss_err(major_status, minor_status, "gss_import_name()")) - goto cleanup; - - debugs(11, 5, HERE << "Initialize gss security context"); - major_status = gss_init_sec_context(&minor_status, - GSS_C_NO_CREDENTIAL, - &gss_context, - server_name, - gss_mech_spnego, - 0, - 0, - GSS_C_NO_CHANNEL_BINDINGS, - &input_token, NULL, &output_token, NULL, NULL); - - if (check_gss_err(major_status, minor_status, "gss_init_sec_context()")) - goto cleanup; - - debugs(11, 5, HERE << "Got token with length " << output_token.length); - if (output_token.length) { - - token = - (char *) base64_encode_bin((const char *) output_token.value, - output_token.length); - } - - - cleanup: - 
gss_delete_sec_context(&minor_status, &gss_context, NULL); - gss_release_buffer(&minor_status, &service); - gss_release_buffer(&minor_status, &input_token); - gss_release_buffer(&minor_status, &output_token); - gss_release_name(&minor_status, &server_name); - - return token; + /* + * peer_proxy_negotiate_auth gets a GSSAPI token for principal_name + * and base64 encodes it. + */ + char *peer_proxy_negotiate_auth(char *principal_name, char *proxy) { + int rc = 0; + OM_uint32 major_status, minor_status; + gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; + gss_name_t server_name = GSS_C_NO_NAME; + gss_buffer_desc service = GSS_C_EMPTY_BUFFER; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; + char *token = NULL; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + + if (!proxy) { + debugs(11, 5, HERE << "Error : No proxy server name"); + return NULL; + } + + if (principal_name) + debugs(11, 5, + HERE << "Creating credential cache for " << principal_name); + else + debugs(11, 5, HERE << "Creating credential cache"); + rc = krb5_create_cache(NULL, principal_name); + if (rc) { + debugs(11, 5, HERE << "Error : Failed to create Kerberos cache"); + krb5_cleanup(); + return NULL; + } + + service.value = (void *) xmalloc(strlen("HTTP") + strlen(proxy) + 2); + snprintf((char *) service.value, strlen("HTTP") + strlen(proxy) + 2, + "%s@%s", "HTTP", proxy); + service.length = strlen((char *) service.value); + + debugs(11, 5, HERE << "Import gss name"); + major_status = gss_import_name(&minor_status, &service, + gss_nt_service_name, &server_name); + + if (check_gss_err(major_status, minor_status, "gss_import_name()")) + goto cleanup; + + debugs(11, 5, HERE << "Initialize gss security context"); + major_status = gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &gss_context, + server_name, + gss_mech_spnego, + 0, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, NULL, &output_token, NULL, NULL); + + if 
(check_gss_err(major_status, minor_status, "gss_init_sec_context()")) + goto cleanup; + + debugs(11, 5, HERE << "Got token with length " << output_token.length); + if (output_token.length) { + + token = + (char *) base64_encode_bin((const char *) output_token.value, + output_token.length); + } + + +cleanup: + gss_delete_sec_context(&minor_status, &gss_context, NULL); + gss_release_buffer(&minor_status, &service); + gss_release_buffer(&minor_status, &input_token); + gss_release_buffer(&minor_status, &output_token); + gss_release_name(&minor_status, &server_name); + + return token; } #ifdef __cplusplus diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc index c868acf1cb..e71920c991 100644 --- a/tools/cachemgr.cc +++ b/tools/cachemgr.cc @@ -895,8 +895,8 @@ main(int argc, char *argv[]) if ((s = getenv("SCRIPT_NAME")) != NULL) script_name = xstrdup(s); - char **args = argv; - while (argc > 1 && args[1][0] == '-') { + char **args = argv; + while (argc > 1 && args[1][0] == '-') { // const char *value = ""; char option = args[1][1]; switch (option) { @@ -1034,7 +1034,7 @@ read_request(void) make_pub_auth(req); debug("cmgr: got req: host: '%s' port: %d uname: '%s' passwd: '%s' auth: '%s' oper: '%s'\n", - safe_str(req->hostname), req->port, safe_str(req->user_name), safe_str(req->passwd), safe_str(req->pub_auth), safe_str(req->action)); + safe_str(req->hostname), req->port, safe_str(req->user_name), safe_str(req->passwd), safe_str(req->pub_auth), safe_str(req->action)); return req; }
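Review bot: The debug() call in the read_request() hunk prints the cache manager password in clear text (`passwd: '%s'` fed by `safe_str(req->passwd)`), and the re-indentation keeps it that way. The `auth: '%s'` field comes from `req->pub_auth`, which make_pub_auth(req) fills in just above and which presumably derives from the same credentials, so it deserves the same treatment. I would log only whether a password was supplied, for example `req->passwd ? "<set>" : "<none>"` in place of `safe_str(req->passwd)`, and drop the auth field from the message. Where debug() output ends up is not visible here, and read_request() begins above the hunk, so check the macro definition to judge how exposed this is.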