From: Amos Jeffries Date: Wed, 10 Sep 2025 02:26:32 +0000 (+0000) Subject: Remove ntlm_sspi_auth helper (#2223) X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f5accfb389d8ba2a4fc4b87f14d0499030953bce;p=thirdparty%2Fsquid.git Remove ntlm_sspi_auth helper (#2223) As of 2025 Microsoft has officially removed NTLM support from Windows machines entirely. The SSPI mechanisms will no longer provide NTLM authentication for this helper to use. --- diff --git a/CREDITS b/CREDITS index d23339e5da..4ccb7162bf 100644 --- a/CREDITS +++ b/CREDITS @@ -1344,7 +1344,6 @@ src/auth/digest/LDAP/: ============================================================================== src/auth/negotiate/SSPI/, -src/auth/ntlm/SSPI/: * (C)2005 Guido Serassio - Acme Consulting S.r.l. * diff --git a/configure.ac b/configure.ac index 3c611dedfa..9dd4a09aa8 100644 --- a/configure.ac +++ b/configure.ac @@ -2555,7 +2555,6 @@ AC_CONFIG_FILES([ src/auth/negotiate/wrapper/Makefile src/auth/ntlm/Makefile src/auth/ntlm/fake/Makefile - src/auth/ntlm/SSPI/Makefile src/base/Makefile src/clients/Makefile src/comm/Makefile diff --git a/po4a.conf b/po4a.conf index bf62f22e30..0cd5fd3d2f 100644 --- a/po4a.conf +++ b/po4a.conf @@ -38,8 +38,6 @@ [type: man] src/auth/negotiate/SSPI/negotiate_sspi_auth.8 $lang:doc/manuals/$lang/negotiate_sspi_auth.8 -[type: man] src/auth/ntlm/SSPI/ntlm_sspi_auth.8 $lang:doc/manuals/$lang/ntlm_sspi_auth.8 - [type: man] src/security/cert_generators/file/security_file_certgen.8.in $lang:doc/manuals/$lang/security_file_certgen.8.in [type: man] src/squid.8.in $lang:doc/manuals/$lang/squid.8.in diff --git a/src/auth/ntlm/Makefile.am b/src/auth/ntlm/Makefile.am index 3546542b09..d49c5431b6 100644 --- a/src/auth/ntlm/Makefile.am +++ b/src/auth/ntlm/Makefile.am @@ -7,9 +7,7 @@ include $(top_srcdir)/src/Common.am -DIST_SUBDIRS = \ - fake \ - SSPI +DIST_SUBDIRS = fake SUBDIRS= $(NTLM_AUTH_HELPERS) EXTRA_DIST= helpers.m4 diff --git a/src/auth/ntlm/SSPI/Makefile.am b/src/auth/ntlm/SSPI/Makefile.am deleted file mode 100644 index bd4063a581..0000000000 --- a/src/auth/ntlm/SSPI/Makefile.am +++ /dev/null @@ -1,26 +0,0 @@ -## Copyright (C) 1996-2025 The Squid Software Foundation and contributors -## -## Squid software is distributed under GPLv2+ license and includes -## contributions from numerous individuals and organizations. -## Please see the COPYING and CONTRIBUTORS files for details. -## - -include $(top_srcdir)/src/Common.am - -man_MANS= ntlm_sspi_auth.8 -libexec_PROGRAMS= ntlm_sspi_auth - -ntlm_sspi_auth_SOURCES = ntlm_sspi_auth.cc -ntlm_sspi_auth_LDADD= \ - $(top_builddir)/lib/ntlmauth/libntlmauth.la \ - $(top_builddir)/lib/sspi/libsspwin32.la \ - $(top_builddir)/lib/libmiscencoding.la \ - $(COMPAT_LIB) \ - $(LIBNETTLE_LIBS) \ - -lnetapi32 \ - -ladvapi32 \ - $(XTRA_LIBS) - -EXTRA_DIST= \ - ntlm_sspi_auth.8 \ - required.m4 diff --git a/src/auth/ntlm/SSPI/ntlm_sspi_auth.8 b/src/auth/ntlm/SSPI/ntlm_sspi_auth.8 deleted file mode 100644 index c51b5a9e3e..0000000000 --- a/src/auth/ntlm/SSPI/ntlm_sspi_auth.8 +++ /dev/null @@ -1,140 +0,0 @@ -.if !'po4a'hide' .TH ntlm_sspi_auth.exe 8 -. -.SH NAME -ntlm_sspi_auth.exe \- Native Windows NTLM/NTLMv2 authenticator for Squid -.PP -Version 1.22 -. -.SH SYNOPSIS -.if !'po4a'hide' .B ntlm_sspi_auth.exe -.if !'po4a'hide' .B "[\-dhv] [\-A " -Group Name -.if !'po4a'hide' .B "] [\-D " -Group Name -.if !'po4a'hide' .B "]" -. -.SH DESCRIPTION -.B ntlm_sspi_auth.exe -is an installed binary built on Windows systems. It provides native access to the -Security Service Provider Interface of Windows for authenticating with NTLM / NTLMv2. -It has automatic support for NTLM NEGOTIATE packets. -. -.SH OPTIONS -.if !'po4a'hide' .TP 12 -.if !'po4a'hide' .B \-A -Specify a Windows Local Group name allowed to authenticate. -. -.if !'po4a'hide' .TP -.if !'po4a'hide' .B \-d -Write debug info to stderr. -. -.if !'po4a'hide' .TP -.if !'po4a'hide' .B \-D -Specify a Windows Local Group name which is to be denied authentication. -. -.if !'po4a'hide' .TP -.if !'po4a'hide' .B \-h -Display the binary help and command line syntax info using stderr. -. -.if !'po4a'hide' .TP -.if !'po4a'hide' .B \-v -Enables verbose NTLM packet debugging. -. -.SH CONFIGURATION -.PP -.B Allowing Users -.PP -Users that are allowed to access the web proxy must have the Windows NT -User Rights "logon from the network". -.PP -Optionally the authenticator can verify the NT LOCAL group membership of -the user against the User Group specified in the Authenticator's command -line. -.PP -This can be accomplished creating a local user group on the NT machine, -grant the privilege, and adding users to it, it works only with MACHINE -Local Groups, not Domain Local Groups. -.PP -Better group checking is available with external ACL, see -.B ext_ad_group_acl.exe -documentation. -.PP -.B squid.conf -typical minimal required changes: -.if !'po4a'hide' .RS -.if !'po4a'hide' .B auth_param ntlm program c:/squid/libexec/ntlm_sspi_auth.exe -.if !'po4a'hide' .B auth_param ntlm children 5 -.if !'po4a'hide' .br -.if !'po4a'hide' .B acl password proxy_auth REQUIRED -.if !'po4a'hide' .br -.if !'po4a'hide' .B http_access allow password -.if !'po4a'hide' .B http_access deny all -.if !'po4a'hide' .RE -. -.PP -Refer to Squid documentation for more details. -. -.PP -Internet Explorer has some problems with -.B ftp:// -URLs when handling internal Squid FTP icons. -The following -.B squid.conf -ACL works around this when placed before the authentication ACL: -.if !'po4a'hide' .RS -.if !'po4a'hide' .B acl internal_icons urlpath_regex \-i /squid-internal-static/icons/ -.if !'po4a'hide' .br -.if !'po4a'hide' .B http_access allow our_networks internal_icons -.if !'po4a'hide' .RE -. -.SH AUTHOR -This program was written by -.if !'po4a'hide' .I Guido Serassio -.PP -Based on prior work in by -.if !'po4a'hide' .I Francesco Chemolli -.if !'po4a'hide' .I Robert Collins -.PP -This manual was written by -.if !'po4a'hide' .I Guido Serassio -.if !'po4a'hide' .I Amos Jeffries -. -.SH COPYRIGHT -.PP - * Copyright (C) 1996-2025 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. -.PP -This program and documentation is copyright to the authors named above. -.PP -Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). -. -.SH QUESTIONS -Questions on the usage of this program can be sent to the -.I Squid Users mailing list -.if !'po4a'hide' -. -.SH REPORTING BUGS -Bug reports need to be made in English. -See https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. -.PP -Report bugs or bug fixes using https://bugs.squid-cache.org/ -.PP -Report serious security bugs to -.I Squid Bugs -.PP -Report ideas for new improvements to the -.I Squid Developers mailing list -.if !'po4a'hide' -. -.SH SEE ALSO -.if !'po4a'hide' .BR squid "(8), " -.if !'po4a'hide' .BR GPL "(7), " -.br -The Squid FAQ wiki -.if !'po4a'hide' https://wiki.squid-cache.org/SquidFaq -.br -The Squid Configuration Manual -.if !'po4a'hide' http://www.squid-cache.org/Doc/config/ diff --git a/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc b/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc deleted file mode 100644 index f94b8f4d46..0000000000 --- a/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc +++ /dev/null @@ -1,545 +0,0 @@ -/* - * Copyright (C) 1996-2025 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* - * ntlm_sspi_auth: helper for NTLM Authentication for Squid Cache - * - * (C)2002,2005 Guido Serassio - Acme Consulting S.r.l. - * - * Authors: - * Guido Serassio - * Acme Consulting S.r.l., Italy - * - * With contributions from others mentioned in the change history section - * below. - * - * Based on previous work of Francesco Chemolli and Robert Collins. - * - * Dependencies: Windows NT4 SP4 and later. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. - * - * History: - * - * Version 1.22 - * 29-10-2005 Guido Serassio - * Updated for Negotiate auth support. - * Version 1.21 - * 21-02-2004 Guido Serassio - * Removed control of use of NTLM NEGOTIATE packet from - * command line, now the support is automatic. - * Version 1.20 - * 30-11-2003 Guido Serassio - * Added support for NTLM local calls. - * Added control of use of NTLM NEGOTIATE packet from - * command line. - * Updated documentation. - * Version 1.10 - * 07-09-2003 Guido Serassio - * Now is true NTLM authenticator. - * More debug info. - * Updated documentation. - * Version 1.0 - * 29-06-2002 Guido Serassio - * First release. - * - * - */ - -/************* CONFIGURATION ***************/ - -#define FAIL_DEBUG 0 - -/************* END CONFIGURATION ***************/ - -//typedef unsigned char uchar; - -#include "squid.h" -#include "base64.h" -#include "helper/protocol_defines.h" -#include "ntlmauth/ntlmauth.h" -#include "ntlmauth/support_bits.cci" -#include "sspi/sspwin32.h" -#include "util.h" - -#include -#include -#if HAVE_GETOPT_H -#include -#endif - -int NTLM_packet_debug_enabled = 0; -static int have_challenge; -char * NTAllowedGroup; -char * NTDisAllowedGroup; -int UseDisallowedGroup = 0; -int UseAllowedGroup = 0; - -#if FAIL_DEBUG -int fail_debug_enabled = 0; -#endif - -/* returns 1 on success, 0 on failure */ -static int -Valid_Group(char *UserName, char *Group) -{ - int result = FALSE; - WCHAR wszUserName[UNLEN+1]; // Unicode user name - WCHAR wszGroup[GNLEN+1]; // Unicode Group - - LPLOCALGROUP_USERS_INFO_0 pBuf = nullptr; - LPLOCALGROUP_USERS_INFO_0 pTmpBuf; - DWORD dwLevel = 0; - DWORD dwFlags = LG_INCLUDE_INDIRECT; - DWORD dwPrefMaxLen = -1; - DWORD dwEntriesRead = 0; - DWORD dwTotalEntries = 0; - NET_API_STATUS nStatus; - DWORD i; - DWORD dwTotalCount = 0; - - /* Convert ANSI User Name and Group to Unicode */ - - MultiByteToWideChar(CP_ACP, 0, UserName, - strlen(UserName) + 1, wszUserName, - sizeof(wszUserName) / sizeof(wszUserName[0])); - MultiByteToWideChar(CP_ACP, 0, Group, - strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); - - /* - * Call the NetUserGetLocalGroups function - * specifying information level 0. - * - * The LG_INCLUDE_INDIRECT flag specifies that the - * function should also return the names of the local - * groups in which the user is indirectly a member. - */ - nStatus = NetUserGetLocalGroups(nullptr, - wszUserName, - dwLevel, - dwFlags, - (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries); - /* - * If the call succeeds, - */ - if (nStatus == NERR_Success) { - if ((pTmpBuf = pBuf) != NULL) { - for (i = 0; i < dwEntriesRead; ++i) { - if (pTmpBuf == NULL) { - result = FALSE; - break; - } - if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { - result = TRUE; - break; - } - ++pTmpBuf; - ++dwTotalCount; - } - } - } else - result = FALSE; - /* - * Free the allocated memory. - */ - if (pBuf != NULL) - NetApiBufferFree(pBuf); - return result; -} - -/* - * Fills auth with the user's credentials. - * - * In case of problem returns one of the - * codes defined in libntlmauth/ntlmauth.h - */ -static NtlmError -ntlm_check_auth(ntlm_authenticate * auth, char *user, char *domain, int auth_length) -{ - char credentials[DNLEN+UNLEN+2]; /* we can afford to waste */ - - user[0] = '\0'; - domain[0] = '\0'; - if (!NTLM_LocalCall) { - - const auto x = ntlm_unpack_auth(auth, user, domain, auth_length); - - if (x != NtlmError::None) - return x; - - if (domain[0] == '\0') { - debug("No domain supplied. Returning no-auth\n"); - return NtlmError::BadRequest; - } - if (user[0] == '\0') { - debug("No username supplied. Returning no-auth\n"); - return NtlmError::BadRequest; - } - debug("checking domain: '%s', user: '%s'\n", domain, user); - - } else { - debug("checking local user\n"); - } - - snprintf(credentials, DNLEN+UNLEN+2, "%s\\%s", domain, user); - - const auto rv = SSP_ValidateNTLMCredentials(auth, auth_length, credentials); - - debug("Login attempt had result %d\n", rv); - - if (!rv) { /* failed */ - return NtlmError::SspiError; - } - - if (UseAllowedGroup) { - if (!Valid_Group(credentials, NTAllowedGroup)) { - debug("User %s not in allowed Group %s\n", credentials, NTAllowedGroup); - return NtlmError::BadNtGroup; - } - } - if (UseDisallowedGroup) { - if (Valid_Group(credentials, NTDisAllowedGroup)) { - debug("User %s is in denied Group %s\n", credentials, NTDisAllowedGroup); - return NtlmError::BadNtGroup; - } - } - - debug("credentials: %s\n", credentials); - return NtlmError::None; -} - -static void -helperfail(const char *reason) -{ -#if FAIL_DEBUG - fail_debug_enabled =1; -#endif - SEND_BH(reason); -} - -/* - options: - -d enable debugging. - -v enable verbose NTLM packet debugging. - -A can specify a Windows Local Group name allowed to authenticate. - -D can specify a Windows Local Group name not allowed to authenticate. - */ -char *my_program_name = nullptr; - -static void -usage() -{ - fprintf(stderr, - "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-h]\n" - " -d enable debugging.\n" - " -v enable verbose NTLM packet debugging.\n" - " -A specify a Windows Local Group name allowed to authenticate\n" - " -D specify a Windows Local Group name not allowed to authenticate\n" - " -h this message\n\n", - my_program_name); -} - -static void -process_options(int argc, char *argv[]) -{ - int opt, had_error = 0; - - opterr =0; - while (-1 != (opt = getopt(argc, argv, "hdvA:D:"))) { - switch (opt) { - case 'A': - safe_free(NTAllowedGroup); - NTAllowedGroup=xstrdup(optarg); - UseAllowedGroup = 1; - break; - case 'D': - safe_free(NTDisAllowedGroup); - NTDisAllowedGroup=xstrdup(optarg); - UseDisallowedGroup = 1; - break; - case 'd': - debug_enabled = 1; - break; - case 'v': - debug_enabled = 1; - NTLM_packet_debug_enabled = 1; - break; - case 'h': - usage(); - exit(EXIT_SUCCESS); - case '?': - opt = optopt; - [[fallthrough]]; - default: - fprintf(stderr, "unknown option: -%c. Exiting\n", opt); - usage(); - had_error = 1; - } - } - if (had_error) - exit(EXIT_FAILURE); -} - -static bool -token_decode(size_t *decodedLen, uint8_t decoded[], const char *buf) -{ - struct base64_decode_ctx ctx; - base64_decode_init(&ctx); - if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), buf) || - !base64_decode_final(&ctx)) { - SEND_BH("message=\"base64 decode failed\""); - fprintf(stderr, "ERROR: base64 decoding failed for: '%s'\n", buf); - return false; - } - return true; -} - -static int -manage_request() -{ - ntlmhdr *fast_header; - char buf[HELPER_INPUT_BUFFER]; - uint8_t decoded[HELPER_INPUT_BUFFER]; - size_t decodedLen = 0; - char helper_command[3]; - int oversized = 0; - char * ErrorMessage; - static ntlm_negotiate local_nego; - char domain[DNLEN+1]; - char user[UNLEN+1]; - - /* NP: for some reason this helper sometimes needs to accept - * from clients that send no negotiate packet. */ - if (memcmp(local_nego.hdr.signature, "NTLMSSP", 8) != 0) { - memset(&local_nego, 0, sizeof(ntlm_negotiate)); /* reset */ - memcpy(local_nego.hdr.signature, "NTLMSSP", 8); /* set the signature */ - local_nego.hdr.type = le32toh(NTLM_NEGOTIATE); /* this is a challenge */ - local_nego.flags = le32toh(NTLM_NEGOTIATE_ALWAYS_SIGN | - NTLM_NEGOTIATE_USE_NTLM | - NTLM_NEGOTIATE_USE_LM | - NTLM_NEGOTIATE_ASCII ); - } - - do { - if (fgets(buf, sizeof(buf), stdin) == NULL) - return 0; - - char *c = static_cast(memchr(buf, '\n', sizeof(buf))); - if (c) { - if (oversized) { - helperfail("message=\"illegal request received\""); - fprintf(stderr, "Illegal request received: '%s'\n", buf); - return 1; - } - *c = '\0'; - } else { - fprintf(stderr, "No newline in '%s'\n", buf); - oversized = 1; - continue; - } - } while (false); - - if ((strlen(buf) > 3) && NTLM_packet_debug_enabled) { - if (!token_decode(&decodedLen, decoded, buf+3)) - return 1; - helper_command[0] = buf[0]; - helper_command[1] = buf[1]; - helper_command[2] = '\0'; - debug("Got '%s' from Squid with data:\n", helper_command); - hex_dump(reinterpret_cast(decoded), decodedLen); - } else - debug("Got '%s' from Squid\n", buf); - if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */ - /* figure out what we got */ - if (strlen(buf) > 3) { - if (!decodedLen /* already decoded*/ && !token_decode(&decodedLen, decoded, buf+3)) - return 1; - } else { - debug("Negotiate packet not supplied - self generated\n"); - memcpy(decoded, &local_nego, sizeof(local_nego)); - decodedLen = sizeof(local_nego); - } - if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */ - SEND_ERR("message=\"Packet format error\""); - return 1; - } - /* fast-track-decode request type. */ - fast_header = (struct _ntlmhdr *) decoded; - - /* sanity-check: it IS a NTLMSSP packet, isn't it? */ - if (ntlm_validate_packet(fast_header, NTLM_ANY) != NtlmError::None) { - SEND_ERR("message=\"Broken authentication packet\""); - return 1; - } - switch (fast_header->type) { - case NTLM_NEGOTIATE: { - /* Obtain challenge against SSPI */ - debug("attempting SSPI challenge retrieval\n"); - char *c = (char *) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen); - if (c) { - SEND_TT(c); - if (NTLM_packet_debug_enabled) { - if (!token_decode(&decodedLen, decoded, c)) - return 1; - debug("send 'TT' to squid with data:\n"); - hex_dump(reinterpret_cast(decoded), decodedLen); - if (NTLM_LocalCall) { - debug("NTLM Local Call detected\n"); - } - } - have_challenge = 1; - } else - helperfail("message=\"can't obtain challenge\""); - - return 1; - } - /* notreached */ - case NTLM_CHALLENGE: - SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\""); - return 1; - /* notreached */ - case NTLM_AUTHENTICATE: - SEND_ERR("message=\"Got authentication request instead of negotiate request\""); - return 1; - /* notreached */ - default: - helperfail("message=\"unknown refresh-request packet type\""); - return 1; - } - return 1; - } - if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */ - if (!have_challenge) { - helperfail("message=\"invalid challenge\""); - return 1; - } - /* figure out what we got */ - if (!decodedLen /* already decoded*/ && !token_decode(&decodedLen, decoded, buf+3)) - return 1; - - if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */ - SEND_ERR("message=\"Packet format error\""); - return 1; - } - /* fast-track-decode request type. */ - fast_header = (struct _ntlmhdr *) decoded; - - /* sanity-check: it IS a NTLMSSP packet, isn't it? */ - if (ntlm_validate_packet(fast_header, NTLM_ANY) != NtlmError::None) { - SEND_ERR("message=\"Broken authentication packet\""); - return 1; - } - switch (fast_header->type) { - case NTLM_NEGOTIATE: - SEND_ERR("message=\"Invalid negotiation request received\""); - return 1; - /* notreached */ - case NTLM_CHALLENGE: - SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\""); - return 1; - /* notreached */ - case NTLM_AUTHENTICATE: { - /* check against SSPI */ - const auto err = ntlm_check_auth((ntlm_authenticate *) decoded, user, domain, decodedLen); - have_challenge = 0; - if (err != NtlmError::None) { -#if FAIL_DEBUG - fail_debug_enabled =1; -#endif - switch (err) { - case NtlmError::None: - break; - case NtlmError::BadNtGroup: - SEND_ERR("message=\"Incorrect Group Membership\""); - return 1; - case NtlmError::BadRequest: - SEND_ERR("message=\"Incorrect Request Format\""); - return 1; - case NtlmError::SspiError: - FormatMessage( - FORMAT_MESSAGE_ALLOCATE_BUFFER | - FORMAT_MESSAGE_FROM_SYSTEM | - FORMAT_MESSAGE_IGNORE_INSERTS, - nullptr, - GetLastError(), - MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language - (LPTSTR) &ErrorMessage, - 0, - nullptr); - if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n') - ErrorMessage[strlen(ErrorMessage) - 1] = '\0'; - if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r') - ErrorMessage[strlen(ErrorMessage) - 1] = '\0'; - SEND_ERR(ErrorMessage); // TODO update to new syntax - LocalFree(ErrorMessage); - return 1; - default: - SEND_ERR("message=\"Unknown Error\""); - return 1; - } - } - /* let's lowercase them for our convenience */ - lc(domain); - lc(user); - fprintf(stdout, "OK user=\"%s\\%s\"\n", domain, user); - return 1; - } - default: - helperfail("message=\"unknown authentication packet type\""); - return 1; - } - return 1; - } else { /* not an auth-request */ - helperfail("message=\"illegal request received\""); - fprintf(stderr, "Illegal request received: '%s'\n", buf); - return 1; - } - helperfail("message=\"detected protocol error\""); - return 1; - /********* END ********/ -} - -int -main(int argc, char *argv[]) -{ - my_program_name = argv[0]; - - process_options(argc, argv); - - debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name); - - if (LoadSecurityDll(SSP_NTLM, NTLM_PACKAGE_NAME) == NULL) { - fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); - exit(EXIT_FAILURE); - } - debug("SSPI initialized OK\n"); - - atexit(UnloadSecurityDll); - - /* initialize FDescs */ - setbuf(stdout, nullptr); - setbuf(stderr, nullptr); - - while (manage_request()) { - /* everything is done within manage_request */ - } - return EXIT_SUCCESS; -} - diff --git a/src/auth/ntlm/SSPI/required.m4 b/src/auth/ntlm/SSPI/required.m4 deleted file mode 100755 index b7fceec428..0000000000 --- a/src/auth/ntlm/SSPI/required.m4 +++ /dev/null @@ -1,11 +0,0 @@ -## Copyright (C) 1996-2025 The Squid Software Foundation and contributors -## -## Squid software is distributed under GPLv2+ license and includes -## contributions from numerous individuals and organizations. -## Please see the COPYING and CONTRIBUTORS files for details. -## - -SQUID_CHECK_WIN32_SSPI([ - BUILD_HELPER="SSPI" - require_sspi="yes" -]) diff --git a/src/auth/ntlm/helpers.m4 b/src/auth/ntlm/helpers.m4 index aba81c43ac..30bcc80818 100644 --- a/src/auth/ntlm/helpers.m4 +++ b/src/auth/ntlm/helpers.m4 @@ -9,7 +9,6 @@ AS_IF([test "x$enable_auth" != "xno"],[ SQUID_HELPER_FEATURE_CHECK([auth_ntlm],[$enable_auth],[auth/ntlm],[ # NP: we only need this list because m4_include() does not accept variables SQUID_CHECK_HELPER([fake],[auth/ntlm]) - SQUID_CHECK_HELPER([SSPI],[auth/ntlm]) ]) NTLM_AUTH_HELPERS=$squid_cv_BUILD_HELPERS AUTH_MODULES="$AUTH_MODULES ntlm"