From 721b0310764ca3c211ce95fabcdc554413f73af7 Mon Sep 17 00:00:00 2001
From: hno <>
Date: Mon, 21 May 2001 10:50:57 +0000
Subject: [PATCH] auth_rewrite update from Robert Collins

* src/authenticate.c (authenticateValidateUser): Check for user scheme data. Increase the debug level for "validated". (authenticateFixHeader): Add a hint for internal responses versus proxied responses. Use it to prevent erroneous challenges when external sites request authentication. * src/client_side.c (clientRedirectDone): Reference lock any auth use when creating a new request. (clientBuildReplyHeader): Hint to authenticateFixHeader that this is a proxied response. * src/errorpage.c (errorAppendEntry): Hint to authenticateFixHeader that this is an internal response. * src/helper.c (helperStatefulSubmit): Handle broken allocators that don't clear memory. Better descriptive comments. Remove an redundant cbdata check. * src/protos.h (authenticateFixHeader): New prototype. * src/auth/basic/helpers/multi-domain-NTLM/README.txt Updated email address. * src/auth/basic/helpers/multi-domain-NTLM/smb_auth.pl Disable debug mode for default. Replace actual machine names with samples. * src/auth/ntlm/auth_ntlm.c (authNTLMParse): Disable pipelining if NTLM is configured to avoid race condition with IE misbehaving.
---
 .../basic_auth/multi-domain-NTLM/README.txt | 2 +-
 .../basic_auth/multi-domain-NTLM/smb_auth.pl | 9 ++--
 src/auth/ntlm/auth_ntlm.cc | 12 ++++-
 src/authenticate.cc | 17 +++++--
 src/client_side.cc | 5 +-
 src/errorpage.cc | 4 +-
 src/helper.cc | 46 ++++++++++---------
 src/protos.h | 4 +-
 8 files changed, 61 insertions(+), 38 deletions(-)
diff --git a/helpers/basic_auth/multi-domain-NTLM/README.txt b/helpers/basic_auth/multi-domain-NTLM/README.txt
index 5ea1f409ca..4efd101f64 100644
--- a/helpers/basic_auth/multi-domain-NTLM/README.txt
+++ b/helpers/basic_auth/multi-domain-NTLM/README.txt
@@ -1,5 +1,5 @@
-From: "Chemolli Francesco (USI)"
+From: "Francesco Chemolli"
 Subject: Multiple NT domains authenticator
 Date: Fri, 7 Jul 2000 15:37:32 +0200
diff --git a/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl b/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl
index 34972a77f8..e52116f9f5 100644
--- a/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl
+++ b/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl
@@ -1,7 +1,8 @@
 #!/usr/bin/perl
+# $Id: smb_auth.pl,v 1.2 2001/05/21 04:50:58 hno Exp $
 #if you define this, debugging output will be printed to STDERR.
-$debug=1;
+#$debug=1;
 #to force using some DC for some domains, fill in this hash.
 #the key is a regexp matched against the domain name
@@ -10,12 +11,11 @@ $debug=1;
 #i.e.:
 # %controllers = ( "domain" => ["pdc","bdc"]);
-#%controllers = ( ".*" => ["tlc5",undef]);
+#%controllers = ( ".*" => ["pdcname","bdcname"]);
 #define this if you wish to use a WINS server. If undefined, broadcast
 # will be attempted.
-$wins_server="c0wins";
-
+#$wins_server="winsservername";
 # Some servers (at least mine) really really want to be called by address.
 # If this variable is defined, we'll ask nmblookup to do a reverse DNS on the
@@ -36,6 +36,7 @@ use Authen::Smb;
 # %pdc used to cache the domain -> pdc_ip values. IT NEVER EXPIRES!
+$|=1;
 while (<>) {
 if (! m;([^\\]+)(\\|/)(\S+)\s(.*); ) { #parse the line
 print "ERR\n";
diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc
index cb8c67f621..87cac78ef7 100644
--- a/src/auth/ntlm/auth_ntlm.cc
+++ b/src/auth/ntlm/auth_ntlm.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: auth_ntlm.cc,v 1.8 2001/03/10 00:55:37 hno Exp $
+ * $Id: auth_ntlm.cc,v 1.9 2001/05/21 04:50:58 hno Exp $
  *
  * DEBUG: section 29 NTLM Authenticator
  * AUTHOR: Robert Collins
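Review bot: The `$|=1;` added just before the `while (<>)` loop in the third smb_auth.pl hunk turns on STDOUT autoflush, which matters for a helper whose `OK`/`ERR` answers must reach Squid line by line rather than when a buffer fills, yet neither the line nor the commit message says so. A one-line comment such as `# autoflush STDOUT so each OK/ERR answer is delivered to squid immediately` would make the intent visible to the next reader. The other two hunks in this file only change sample values and the debug default and need nothing.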
@@ -180,6 +180,16 @@ authNTLMParse(authScheme * scheme, int n_configured, char *param_str)
 } else {
 debug(28, 0) ("unrecognised ntlm auth scheme parameter '%s'\n", param_str);
 }
+ /* disable client side request pipelining. There is a race with NTLM when the client
+ * sends a second request on an NTLM connection before the authenticate challenge is
+ * sent.
+ * With this patch, the client may fail to authenticate, but squid's state will be
+ * preserved.
+ * Caveats: this should be a post-parse test, but that can wait for the modular
+ * parser to be integrated.
+ */
+ if (ntlmConfig->authenticate)
+ Config.onoff.pipeline_prefetch=0;
 }
diff --git a/src/authenticate.cc b/src/authenticate.cc
index 0ab1d1fd9e..cd9e3a1745 100644
--- a/src/authenticate.cc
+++ b/src/authenticate.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: authenticate.cc,v 1.22 2001/03/10 00:55:36 hno Exp $
+ * $Id: authenticate.cc,v 1.23 2001/05/21 04:50:57 hno Exp $
  *
  * DEBUG: section 29 Authenticator
  * AUTHOR: Duane Wessels
@@ -155,12 +155,16 @@ authenticateValidateUser(auth_user_request_t * auth_user_request)
 debug(29, 4) ("authenticateValidateUser: Auth_user '%p' is broken for it's scheme.\n", auth_user_request->auth_user);
 return 0;
 }
+ if (!auth_user_request->auth_user->scheme_data) {
+ debug(29, 4) ("authenticateValidateUser: auth_user '%p' has no scheme data\n", auth_user_request->auth_user);
+ return 0;
+ }
 /* any other sanity checks that we need in the future */
 /* Thus should a module call to something like authValidate */
 /* finally return ok */
- debug(29, 4) ("authenticateValidateUser: Validated Auth_user request '%p'.\n", auth_user_request);
+ debug(29, 5) ("authenticateValidateUser: Validated Auth_user request '%p'.\n", auth_user_request);
 return 1;
 }
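Review bot: The override `Config.onoff.pipeline_prefetch=0;` at the end of the authNTLMParse hunk runs while the configuration is still being parsed, so a `pipeline_prefetch` directive that appears later in squid.conf than the NTLM `auth_param` lines will presumably switch pipelining back on; the comment itself concedes the test belongs after parsing, but the race it guards against is then only closed for some configuration orderings. Until the check moves to a post-parse step, the override should at least be visible to the administrator: emit a level-1 `debug()` message saying that `pipeline_prefetch` was forced off because NTLM authentication is configured, guarded so it only fires when the value was non-zero. The new code also uses debug section 28 (like the existing `debug(28, 0)` line above it) while the file header in the previous hunk says `DEBUG: section 29`; if that is not deliberate, the new message is the moment to align it. The opening of authNTLMParse is outside the hunk.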
@@ -382,7 +386,7 @@ authenticateShutdown(void)
 }
 void
-authenticateFixHeader(HttpReply * rep, auth_user_request_t * auth_user_request, request_t * request, int accelerated)
+authenticateFixHeader(HttpReply * rep, auth_user_request_t * auth_user_request, request_t * request, int accelerated, int internal)
 /* send the auth types we are configured to support (and have compiled in!) */
 {
 /* auth_type_t auth_type=err->auth_type;
@@ -406,8 +410,8 @@ authenticateFixHeader(HttpReply * rep, auth_user_request_t * auth_user_request,
 break;
 }
 debug(29, 9) ("authenticateFixHeader: headertype:%d authuser:%p\n", type, auth_user_request);
- if ((rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED)
- || (rep->sline.status == HTTP_UNAUTHORIZED))
+ if (((rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED)
+ || (rep->sline.status == HTTP_UNAUTHORIZED)) && internal)
 /* this is a authenticate-needed response */
 {
 if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0))
@@ -426,6 +430,9 @@ authenticateFixHeader(HttpReply * rep, auth_user_request_t * auth_user_request,
 }
 }
 }
+ /* allow protocol specific headers to be _added_ to the existing response - ie
+ * digest auth
+ */
 if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0) && (authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader))
 authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader(auth_user_request, rep, accelerated);
diff --git a/src/client_side.cc b/src/client_side.cc
index 2454e06e74..dee590c449 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side.cc,v 1.537 2001/05/04 13:37:41 hno Exp $
+ * $Id: client_side.cc,v 1.538 2001/05/21 04:50:57 hno Exp $
  *
  * DEBUG: section 33 Client-side Routines
  * AUTHOR: Duane Wessels
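Review bot: The new `internal` parameter of `authenticateFixHeader` is not described anywhere in the signature hunk, and the only doc comment, `/* send the auth types we are configured to support (and have compiled in!) */`, still describes the pre-change behaviour. From the `&& internal` condition two hunks below and the call sites in this patch (client_side.cc passes 0, errorpage.cc passes 1) the flag appears to mean "this reply was generated by Squid itself", and only then is a 401/407 status given Squid's own challenge headers, while a proxied reply presumably keeps whatever challenge the origin sent; the scheme `AddHeader` hook in the third hunk runs in both cases. Extend the comment to something like `/* send the auth types we are configured to support (and have compiled in!). internal != 0: reply was generated by squid, so a 401/407 gets our challenge headers; internal == 0: proxied reply, leave the origin's challenge alone. Scheme AddHeader hooks run either way. */`. Two adjacent `int` flags (`accelerated`, `internal`) are easy to transpose at call sites where both are bare 0/1 literals; named constants or an enum would make that visible.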
@@ -311,6 +311,7 @@ clientRedirectDone(void *data, char *result)
 new_request->my_port = old_request->my_port;
 new_request->flags.redirected = 1;
 new_request->auth_user_request = old_request->auth_user_request;
+ authenticateAuthUserRequestLock(new_request->auth_user_request);
 if (old_request->body_connection) {
 new_request->body_connection = old_request->body_connection;
 old_request->body_connection = NULL;
@@ -1342,7 +1343,7 @@ clientBuildReplyHeader(clientHttpRequest * http, HttpReply * rep)
 }
 /* Handle authentication headers */
 if (request->auth_user_request)
- authenticateFixHeader(rep, request->auth_user_request, request, http->flags.accel);
+ authenticateFixHeader(rep, request->auth_user_request, request, http->flags.accel, 0);
 /* Append X-Cache */
 httpHeaderPutStrf(hdr, HDR_X_CACHE, "%s from %s", is_hit ? "HIT" : "MISS", getMyHostname());
diff --git a/src/errorpage.cc b/src/errorpage.cc
index 43511f77fc..096c71f0e5 100644
--- a/src/errorpage.cc
+++ b/src/errorpage.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: errorpage.cc,v 1.164 2001/04/14 00:03:22 hno Exp $
+ * $Id: errorpage.cc,v 1.165 2001/05/21 04:50:57 hno Exp $
  *
  * DEBUG: section 4 Error Generation
  * AUTHOR: Duane Wessels
@@ -282,7 +282,7 @@ errorAppendEntry(StoreEntry * entry, ErrorState * err)
 * depends on authenticate behaviour: all schemes to date send no extra data
 * on 407/401 responses, and do not check the accel state on 401/407 responses
 */
- authenticateFixHeader(rep, err->auth_user_request, err->request, 0);
+ authenticateFixHeader(rep, err->auth_user_request, err->request, 0, 1);
 httpReplySwapOut(rep, entry);
 httpReplyAbsorb(mem->reply, rep);
 EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT);
diff --git a/src/helper.cc b/src/helper.cc
index 2a858c6871..a3d6e22899 100644
--- a/src/helper.cc
+++ b/src/helper.cc
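Review bot: `authenticateAuthUserRequestLock(new_request->auth_user_request)` is called unconditionally right after the pointer is copied from `old_request`, but nothing in the hunk shows that `old_request->auth_user_request` is non-NULL, and a request that never went through authentication presumably carries NULL there. Unless the lock function is known to tolerate NULL, guard the call: `if (new_request->auth_user_request) authenticateAuthUserRequestLock(new_request->auth_user_request);`. The new lock also needs a matching unlock when `new_request` is released; that path is not in this patch and should be checked, otherwise every redirected authenticated request leaks a reference and the auth_user_request is never freed. The body of clientRedirectDone continues outside the hunk.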
@@ -1,6 +1,6 @@
 /*
- * $Id: helper.cc,v 1.27 2001/04/14 00:03:23 hno Exp $
+ * $Id: helper.cc,v 1.28 2001/05/21 04:50:57 hno Exp $
  *
  * DEBUG: section 29 Helper process maintenance
  * AUTHOR: Harvest Derived?
@@ -235,6 +235,9 @@ helperSubmit(helper * hlp, const char *buf, HLPCB * callback, void *data)
 debug(29, 9) ("helperSubmit: %s\n", buf);
 }
+/* lastserver = "server last used as part of a deferred or reserved
+ * request sequence"
+ */
 void
 helperStatefulSubmit(statefulhelper * hlp, const char *buf, HLPSCB * callback, void *data, helper_stateful_server * lastserver)
 {
@@ -247,10 +250,13 @@ helperStatefulSubmit(statefulhelper * hlp, const char *buf, HLPSCB * callback, v
 }
 r->callback = callback;
 r->data = data;
- if (buf != NULL)
+ if (buf != NULL) {
 r->buf = xstrdup(buf);
- else
+ r->placeholder = 0;
+ } else {
+ r->buf = NULL;
 r->placeholder = 1;
+ }
 cbdataLock(r->data);
 if ((buf != NULL) && lastserver) {
 debug(29, 5) ("StatefulSubmit with lastserver %d\n", lastserver);
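Review bot: Setting `r->buf = NULL` and `r->placeholder = 0` explicitly covers only two fields of the request `r`; if the allocator can really hand back uninitialised memory, as the commit message says, every other field of `r` is equally suspect, and the allocation of `r`, which is above this hunk, is the right place to zero the whole object (for instance `memset(r, 0, sizeof(*r));` immediately after it is obtained) so that the per-field assignments here become documentation rather than the only defence. The hunk also leaves `debug(29, 5) ("StatefulSubmit with lastserver %d\n", lastserver);` unchanged although `lastserver` is a `helper_stateful_server *`; `%p` is the matching conversion, and `-Wformat` would flag the current one. The new comment on `lastserver` above the function is useful; a sentence on who frees `buf` after the `xstrdup` would round it out.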
@@ -987,24 +993,22 @@ helperStatefulDispatch(helper_stateful_server * srv, helper_stateful_request * r
 debug(29, 9) ("helperStatefulDispatch busying helper %s #%d\n", hlp->id_name, srv->index + 1);
 if (r->placeholder == 1) {
 /* a callback is needed before this request can _use_ a helper. */
- if (cbdataValid(r->data)) {
- /* we don't care about releasing/deferring this helper. The request NEVER
- * gets to the helper. So we throw away the return code */
- r->callback(r->data, srv, NULL);
- /* throw away the placeholder */
- helperStatefulRequestFree(r);
- /* and push the queue. Note that the callback may have call submit again
- * which is why we test for the request*/
- if (srv->request == NULL) {
- if (srv->flags.shutdown) {
- comm_close(srv->wfd);
- srv->wfd = -1;
- } else {
- if (srv->queue.head)
- helperStatefulServerKickQueue(srv);
- else
- helperStatefulKickQueue(hlp);
- }
+ /* we don't care about releasing/deferring this helper. The request NEVER
+ * gets to the helper. So we throw away the return code */
+ r->callback(r->data, srv, NULL);
+ /* throw away the placeholder */
+ helperStatefulRequestFree(r);
+ /* and push the queue. Note that the callback may have submitted a new
+ * request to the helper which is why we test for the request*/
+ if (srv->request == NULL) {
+ if (srv->flags.shutdown) {
+ comm_close(srv->wfd);
+ srv->wfd = -1;
+ } else {
+ if (srv->queue.head)
+ helperStatefulServerKickQueue(srv);
+ else
+ helperStatefulKickQueue(hlp);
 }
 }
 return;
diff --git a/src/protos.h b/src/protos.h
index 7a7863dfe9..08686527ff 100644
--- a/src/protos.h
+++ b/src/protos.h
@@ -1,6 +1,6 @@
 /*
- * $Id: protos.h,v 1.406 2001/05/20 00:09:25 hno Exp $
+ * $Id: protos.h,v 1.407 2001/05/21 04:50:57 hno Exp $
  *
  *
  * SQUID Web Proxy Cache http://www.squid-cache.org/
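Review bot: Dropping the `cbdataValid(r->data)` test means `r->callback(r->data, srv, NULL)` is now invoked for a placeholder request even if the owner of `r->data` was invalidated after submission; the `cbdataLock(r->data)` taken in helperStatefulSubmit (previous hunk) keeps the memory allocated but, as far as this hunk shows, does not establish that the object is still live. If the check was redundant because every path into helperStatefulDispatch validates `r->data` first, that invariant should be written down here, e.g. `/* r->data is validated by the caller; the submit-time lock keeps it allocated */`; if it is not, the placeholder path has lost its only visible guard and the callback would have to cope with a stale `data` pointer itself. The remainder of helperStatefulDispatch runs outside the hunk.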
@@ -734,7 +734,7 @@ extern void authenticateStart(auth_user_request_t *, RH *, void *);
 extern void authenticateSchemeInit(void);
 extern void authenticateInit(authConfig *);
 extern void authenticateShutdown(void);
-extern void authenticateFixHeader(HttpReply *, auth_user_request_t *, request_t *, int);
+extern void authenticateFixHeader(HttpReply *, auth_user_request_t *, request_t *, int, int);
 extern void authenticateAddTrailer(HttpReply *, auth_user_request_t *, request_t *, int);
 extern auth_user_request_t *authenticateGetAuthUser(const char *proxy_auth);
 extern void authenticateAuthenticateUser(auth_user_request_t *, request_t *, ConnStateData *, http_hdr_type);
-- 
2.47.2
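Review bot: The updated prototype declares the two trailing parameters as bare `int, int`, so nothing at the declaration distinguishes `accelerated` from the new `internal`, while both call sites in this patch pass them as literal 0/1 pairs. Naming them costs nothing and lets a reader or tool catch a transposition: `extern void authenticateFixHeader(HttpReply *, auth_user_request_t *, request_t *, int accelerated, int internal);`. The neighbouring `authenticateAddTrailer` declaration carries the same unnamed `int` and could be named in the same edit.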