From: Amos Jeffries Date: Thu, 24 Jul 2014 10:16:22 +0000 (-0700) Subject: ntlm_sspi_auth: fix various build errors X-Git-Tag: SQUID_3_4_7~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27b12a44cfe2d97fbeb82d018eea29100f9d2444;p=thirdparty%2Fsquid.git ntlm_sspi_auth: fix various build errors * Fix MinGW portability build errors * Upgrade to current helper protocol. Also, add SEND_TT helper macro for NTLM helpers --- diff --git a/helpers/defines.h b/helpers/defines.h index 429887aa86..46a6abf3fc 100644 --- a/helpers/defines.h +++ b/helpers/defines.h @@ -46,4 +46,7 @@ /* send ERR result to Squid with a string parameter. */ #define SEND_BH(x) fprintf(stdout, "BH %s\n",x) +/* send TT result to Squid with a string parameter. */ +#define SEND_TT(x) fprintf(stdout, "TT %s\n",x) + #endif /* __SQUID_HELPERS_DEFINES_H */ diff --git a/helpers/ntlm_auth/SSPI/Makefile.am b/helpers/ntlm_auth/SSPI/Makefile.am index be6fdcd95c..64d6810275 100644 --- a/helpers/ntlm_auth/SSPI/Makefile.am +++ b/helpers/ntlm_auth/SSPI/Makefile.am @@ -9,6 +9,7 @@ ntlm_sspi_auth_SOURCES = ntlm_sspi_auth.cc LDADD = \ $(top_builddir)/lib/ntlmauth/libntlmauth.la \ -L$(top_builddir)/lib -lsspwin32 \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ -lnetapi32 \ -ladvapi32 \ diff --git a/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc b/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc index 054b9b81f4..3050a611b3 100644 --- a/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc +++ b/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc @@ -61,12 +61,13 @@ /************* END CONFIGURATION ***************/ -typedef unsigned char uchar; +//typedef unsigned char uchar; #include "squid.h" +#include "base64.h" #include "helpers/defines.h" -#include "libntlmauth/ntlmauth.h" -#include "libntlmauth/support_bits.h" +#include "ntlmauth/ntlmauth.h" +#include "ntlmauth/support_bits.cci" #include "sspwin32.h" #include "util.h" @@ -82,8 +83,6 @@ typedef unsigned char uchar; #include #include -#define BUFFER_SIZE 10240 - int NTLM_packet_debug_enabled = 0; static int have_challenge; char * NTAllowedGroup; @@ -272,10 +271,10 @@ char * GetDomainName(void) return DomainName; } -/* returns NULL on failure, or a pointer to - * the user's credentials (domain\\username) - * upon success. WARNING. It's pointing to static storage. - * In case of problem sets as side-effect ntlm_errno to one of the +/* + * Fills auth with the user's credentials. + * + * In case of problem returns one of the * codes defined in libntlmauth/ntlmauth.h */ int @@ -284,7 +283,6 @@ ntlm_check_auth(ntlm_authenticate * auth, char *user, char *domain, int auth_len int x; int rv; char credentials[DNLEN+UNLEN+2]; /* we can afford to waste */ - lstring tmp; if (!NTLM_LocalCall) { @@ -341,7 +339,7 @@ helperfail(const char *reason) #if FAIL_DEBUG fail_debug_enabled =1; #endif - SEND2("BH %s", reason); + SEND_BH(reason); } /* @@ -411,11 +409,10 @@ int manage_request() { ntlmhdr *fast_header; - char buf[BUFFER_SIZE]; - char decoded[BUFFER_SIZE]; + char buf[HELPER_INPUT_BUFFER]; + char decoded[HELPER_INPUT_BUFFER]; int decodedLen; char helper_command[3]; - char *c, *cred; int oversized = 0; char * ErrorMessage; static ntlm_negotiate local_nego; @@ -424,38 +421,40 @@ manage_request() /* NP: for some reason this helper sometimes needs to accept * from clients that send no negotiate packet. */ - if (memcpy(local_nego.signature, "NTLMSSP", 8) != 0) { + if (memcpy(local_nego.hdr.signature, "NTLMSSP", 8) != 0) { memset(&local_nego, 0, sizeof(ntlm_negotiate)); /* reset */ - memcpy(local_nego.signature, "NTLMSSP", 8); /* set the signature */ - local_nego.type = le32toh(NTLM_NEGOTIATE); /* this is a challenge */ + memcpy(local_nego.hdr.signature, "NTLMSSP", 8); /* set the signature */ + local_nego.hdr.type = le32toh(NTLM_NEGOTIATE); /* this is a challenge */ local_nego.flags = le32toh(NTLM_NEGOTIATE_ALWAYS_SIGN | NTLM_NEGOTIATE_USE_NTLM | NTLM_NEGOTIATE_USE_LM | NTLM_NEGOTIATE_ASCII ); } -try_again: - if (fgets(buf, BUFFER_SIZE, stdin) == NULL) - return 0; + do { + if (fgets(buf, sizeof(buf), stdin) == NULL) + return 0; - c = memchr(buf, '\n', BUFFER_SIZE); /* safer against overrun than strchr */ - if (c) { - if (oversized) { - helperfail("illegal request received"); - fprintf(stderr, "Illegal request received: '%s'\n", buf); - return 1; + char *c = static_cast(memchr(buf, '\n', sizeof(buf))); + if (c) { + if (oversized) { + helperfail("messge=\"illegal request received\""); + fprintf(stderr, "Illegal request received: '%s'\n", buf); + return 1; + } + *c = '\0'; + } else { + fprintf(stderr, "No newline in '%s'\n", buf); + oversized = 1; + continue; } - *c = '\0'; - } else { - fprintf(stderr, "No newline in '%s'\n", buf); - oversized = 1; - goto try_again; - } + } while (false); + if ((strlen(buf) > 3) && NTLM_packet_debug_enabled) { decodedLen = base64_decode(decoded, sizeof(decoded), buf+3); strncpy(helper_command, buf, 2); debug("Got '%s' from Squid with data:\n", helper_command); - hex_dump(decoded, decodedLen); + hex_dump(reinterpret_cast(decoded), decodedLen); } else debug("Got '%s' from Squid\n", buf); if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */ @@ -464,11 +463,11 @@ try_again: decodedLen = base64_decode(decoded, sizeof(decoded), buf+3); else { debug("Negotiate packet not supplied - self generated\n"); - memcpy(decoded, local_lego, sizeof(local_nego)); - decodedLen = sizeof(localnego); + memcpy(decoded, &local_nego, sizeof(local_nego)); + decodedLen = sizeof(local_nego); } if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */ - SEND("NA Packet format error, couldn't base64-decode"); + SEND_ERR("message=\"Packet format error, couldn't base64-decode\""); return 1; } /* fast-track-decode request type. */ @@ -476,54 +475,55 @@ try_again: /* sanity-check: it IS a NTLMSSP packet, isn't it? */ if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) { - SEND("NA Broken authentication packet"); + SEND_ERR("message=\"Broken authentication packet\""); return 1; } switch (fast_header->type) { - case NTLM_NEGOTIATE: + case NTLM_NEGOTIATE: { /* Obtain challenge against SSPI */ debug("attempting SSPI challenge retrieval\n"); - if ((c = (char *) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen)) != NULL ) { + char *c = (char *) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen); + if (c) { + SEND_TT(c); if (NTLM_packet_debug_enabled) { - printf("TT %s\n",c); decodedLen = base64_decode(decoded, sizeof(decoded), c); - debug("sending 'TT' to squid with data:\n"); - hex_dump(decoded, decodedLen); - if (NTLM_LocalCall) + debug("send 'TT' to squid with data:\n"); + hex_dump(reinterpret_cast(decoded), decodedLen); + if (NTLM_LocalCall) { debug("NTLM Local Call detected\n"); - } else { - SEND2("TT %s", c); + } } have_challenge = 1; } else - helperfail("can't obtain challenge"); + helperfail("message=\"can't obtain challenge\""); return 1; - /* notreached */ + } + /* notreached */ case NTLM_CHALLENGE: - SEND("NA Got a challenge. We refuse to have our authority disputed"); + SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\""); return 1; /* notreached */ case NTLM_AUTHENTICATE: - SEND("NA Got authentication request instead of negotiate request"); + SEND_ERR("message=\"Got authentication request instead of negotiate request\""); return 1; /* notreached */ default: - helperfail("unknown refresh-request packet type"); + helperfail("message=\"unknown refresh-request packet type\""); return 1; } return 1; } if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */ if (!have_challenge) { - helperfail("invalid challenge"); + helperfail("message=\"invalid challenge\""); return 1; } /* figure out what we got */ decodedLen = base64_decode(decoded, sizeof(decoded), buf+3); if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */ - SEND("NA Packet format error, couldn't base64-decode"); + SEND_ERR("message=\"Packet format error, couldn't base64-decode\""); return 1; } /* fast-track-decode request type. */ @@ -531,35 +531,34 @@ try_again: /* sanity-check: it IS a NTLMSSP packet, isn't it? */ if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) { - SEND("NA Broken authentication packet"); + SEND_ERR("message=\"Broken authentication packet\""); return 1; } switch (fast_header->type) { case NTLM_NEGOTIATE: - SEND("NA Invalid negotiation request received"); + SEND_ERR("message=\"Invalid negotiation request received\""); return 1; /* notreached */ case NTLM_CHALLENGE: - SEND - ("NA Got a challenge. We refuse to have our authority disputed"); + SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\""); return 1; /* notreached */ - case NTLM_AUTHENTICATE: + case NTLM_AUTHENTICATE: { /* check against SSPI */ - err = ntlm_check_auth((ntlm_authenticate *) decoded, user, domain, decodedLen); + int err = ntlm_check_auth((ntlm_authenticate *) decoded, user, domain, decodedLen); have_challenge = 0; if (err != NTLM_ERR_NONE) { #if FAIL_DEBUG fail_debug_enabled =1; #endif - switch (ntlm_errno) { + switch (err) { case NTLM_ERR_NONE: break; case NTLM_BAD_NTGROUP: - SEND("NA Incorrect Group Membership"); + SEND_ERR("message=\"Incorrect Group Membership\""); return 1; case NTLM_BAD_REQUEST: - SEND("NA Incorrect Request Format"); + SEND_ERR("message=\"Incorrect Request Format\""); return 1; case NTLM_SSPI_ERROR: FormatMessage( @@ -576,28 +575,31 @@ try_again: ErrorMessage[strlen(ErrorMessage) - 1] = '\0'; if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r') ErrorMessage[strlen(ErrorMessage) - 1] = '\0'; - SEND2("NA %s", ErrorMessage); + SEND_ERR(ErrorMessage); // TODO update to new syntax LocalFree(ErrorMessage); return 1; default: - SEND("NA Unknown Error"); + SEND_ERR("message=\"Unknown Error\""); return 1; } } /* let's lowercase them for our convenience */ - SEND3("AF %s\\%s", lc(domain), lc(user)); + lc(domain); + lc(user); + fprintf(stdout, "OK user=\"%s\\%s\"", domain, user); return 1; + } default: - helperfail("unknown authentication packet type"); + helperfail("message=\"unknown authentication packet type\""); return 1; } return 1; } else { /* not an auth-request */ - helperfail("illegal request received"); + helperfail("message=\"illegal request received\""); fprintf(stderr, "Illegal request received: '%s'\n", buf); return 1; } - helperfail("detected protocol error"); + helperfail("message=\"detected protocol error\""); return 1; /********* END ********/ }