diff -u -r -N squid-3.0.STABLE21/ChangeLog squid-3.0.STABLE23/ChangeLog --- squid-3.0.STABLE21/ChangeLog 2009-12-22 19:50:22.000000000 +1300 +++ squid-3.0.STABLE23/ChangeLog 2010-02-02 22:49:51.000000000 +1300 @@ -1,3 +1,18 @@ +Changes to squid-3.0.STABLE23 (02 Feb 2010): + + - Bug 2856: removing assert() required for 3.0 patch for SQUID-2010:1 + - Regression Fix: Build error in Kerberos helper after library removal. + +Changes to squid-3.0.STABLE22 (01 Feb 2010): + + - Regression Fix: Make Squid abort on all config parse failures. + - Bug 2787: Reduce unexpected http status to non-critical warnings. + - Bug 2496: Downloading some variants in full before relaying + - Bug 2452: Add upper limit to external_acl_type entries. + - Removed optional kerberos/spnegohelp/ library due to licensing issues + - Add client_ip_max_connections + - Handle DNS header-only packets as invalid. + Changes to squid-3.0.STABLE21 (22 Dec 2009): - Bug 2830: Clarify where NULL byte is in headers. diff -u -r -N squid-3.0.STABLE21/configure squid-3.0.STABLE23/configure --- squid-3.0.STABLE21/configure 2009-12-22 19:50:35.000000000 +1300 +++ squid-3.0.STABLE23/configure 2010-02-02 22:50:03.000000000 +1300 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.in Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.0.STABLE21. +# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.0.STABLE23. # # Report bugs to . # @@ -751,8 +751,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.0.STABLE21' -PACKAGE_STRING='Squid Web Proxy 3.0.STABLE21' +PACKAGE_VERSION='3.0.STABLE23' +PACKAGE_STRING='Squid Web Proxy 3.0.STABLE23' PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/' ac_unique_file="src/main.cc" @@ -969,8 +969,6 @@ ac_krb5_config KRB5INCS KRB5LIBS -HAVE_SPNEGO_TRUE -HAVE_SPNEGO_FALSE EXTERNAL_ACL_HELPERS LIBSASL ENABLE_UNLINKD_TRUE @@ -1665,7 +1663,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.0.STABLE21 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.0.STABLE23 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1735,7 +1733,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.0.STABLE21:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.0.STABLE23:";; esac cat <<\_ACEOF @@ -2049,7 +2047,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.0.STABLE21 +Squid Web Proxy configure 3.0.STABLE23 generated by GNU Autoconf 2.62 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -2063,7 +2061,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.0.STABLE21, which was +It was created by Squid Web Proxy $as_me 3.0.STABLE23, which was generated by GNU Autoconf 2.62. Invocation command line was $ $0 $@ @@ -2781,7 +2779,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.0.STABLE21' + VERSION='3.0.STABLE23' cat >>confdefs.h <<_ACEOF @@ -5542,7 +5540,7 @@ ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 5545 "configure"' > conftest.$ac_ext + echo '#line 5543 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8165,11 +8163,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8168: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8166: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8172: \$? = $ac_status" >&5 + echo "$as_me:8170: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8455,11 +8453,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8458: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8456: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8462: \$? = $ac_status" >&5 + echo "$as_me:8460: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8559,11 +8557,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8562: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8560: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8566: \$? = $ac_status" >&5 + echo "$as_me:8564: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10959,7 +10957,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:13469: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13475: \$? = $ac_status" >&5 + echo "$as_me:13473: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -13572,11 +13570,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13575: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13573: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13579: \$? = $ac_status" >&5 + echo "$as_me:13577: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -15155,11 +15153,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15158: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15156: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15162: \$? = $ac_status" >&5 + echo "$as_me:15160: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -15259,11 +15257,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15262: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15260: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15266: \$? = $ac_status" >&5 + echo "$as_me:15264: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -17474,11 +17472,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17477: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17475: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17481: \$? = $ac_status" >&5 + echo "$as_me:17479: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -17764,11 +17762,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17767: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17765: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17771: \$? = $ac_status" >&5 + echo "$as_me:17769: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -17868,11 +17866,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17871: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17869: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17875: \$? = $ac_status" >&5 + echo "$as_me:17873: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -23467,129 +23465,10 @@ done fi - old_CPPFLAGS=$CPPFLAGS - CPPFLAGS="$CPPFLAGS $KRB5INCS" - old_LIBS=$LIBS - LIBS="$LIBS $KRB5LIBS" - { $as_echo "$as_me:$LINENO: checking for SPNEGO support" >&5 -$as_echo_n "checking for SPNEGO support... " >&6; } -if test "${ac_cv_have_spnego+set}" = set; then - $as_echo_n "(cached) " >&6 -else - if test "$cross_compiling" = yes; then - { { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: cannot run test program while cross compiling -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#ifdef HAVE_HEIMDAL_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_H) -#include -#endif -#else -#ifdef HAVE_GSSAPI_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_H) -#include -#endif -#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H -#include -#endif -#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H -#include -#endif -#endif -#include -int main(int argc, char *argv[]) { - OM_uint32 major_status,minor_status; - gss_OID_set gss_mech_set; - int i; - -static gss_OID_desc _gss_mech_spnego = {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; -gss_OID gss_mech_spnego = &_gss_mech_spnego; - - major_status = gss_indicate_mechs( &minor_status, &gss_mech_set); - - for (i=0;icount;i++) { - if (!memcmp(gss_mech_set->elements[i].elements,gss_mech_spnego->elements,gss_mech_set->elements[i].length)) { - return 0; - } - } - - return 1; -} -_ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_have_spnego=yes -else - $as_echo "$as_me: program exited with status $ac_status" >&5 -$as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -( exit $ac_status ) -ac_cv_have_spnego=no -fi -rm -rf conftest.dSYM -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_have_spnego" >&5 -$as_echo "$ac_cv_have_spnego" >&6; } - LIBS=$old_LIBS - CPPFLAGS=$old_CPPFLAGS - if test x"$ac_cv_have_spnego" = x"yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_SPNEGO 1 -_ACEOF - - fi - - -fi - if test x"$ac_cv_have_spnego" = x"yes" ; then - HAVE_SPNEGO_TRUE= - HAVE_SPNEGO_FALSE='#' -else - HAVE_SPNEGO_TRUE='#' - HAVE_SPNEGO_FALSE= -fi - - # Check whether --enable-ntlm-fail-open was given. if test "${enable_ntlm_fail_open+set}" = set; then enableval=$enable_ntlm_fail_open; if test "$enableval" = "yes" ; then @@ -47929,13 +47808,6 @@ Usually this means the macro was only invoked conditionally." >&2;} { (exit 1); exit 1; }; } fi -if test -z "${HAVE_SPNEGO_TRUE}" && test -z "${HAVE_SPNEGO_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_SPNEGO\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"HAVE_SPNEGO\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi if test -z "${ENABLE_UNLINKD_TRUE}" && test -z "${ENABLE_UNLINKD_FALSE}"; then { { $as_echo "$as_me:$LINENO: error: conditional \"ENABLE_UNLINKD\" was never defined. Usually this means the macro was only invoked conditionally." >&5 @@ -48335,7 +48207,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.0.STABLE21, which was +This file was extended by Squid Web Proxy $as_me 3.0.STABLE23, which was generated by GNU Autoconf 2.62. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -48388,7 +48260,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_version="\\ -Squid Web Proxy config.status 3.0.STABLE21 +Squid Web Proxy config.status 3.0.STABLE23 configured by $0, generated by GNU Autoconf 2.62, with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff -u -r -N squid-3.0.STABLE21/configure.in squid-3.0.STABLE23/configure.in --- squid-3.0.STABLE21/configure.in 2009-12-22 19:50:34.000000000 +1300 +++ squid-3.0.STABLE23/configure.in 2010-02-02 22:50:03.000000000 +1300 @@ -1,7 +1,7 @@ dnl Configuration input file for Squid dnl dnl -AC_INIT(Squid Web Proxy, 3.0.STABLE21, http://www.squid-cache.org/bugs/, squid) +AC_INIT(Squid Web Proxy, 3.0.STABLE23, http://www.squid-cache.org/bugs/, squid) AC_PREREQ(2.52) AM_CONFIG_HEADER(include/autoconf.h) AC_CONFIG_AUX_DIR(cfgaux) @@ -1596,61 +1596,9 @@ fi AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h gssapi/gssapi_generic.h) fi - old_CPPFLAGS=$CPPFLAGS - CPPFLAGS="$CPPFLAGS $KRB5INCS" - old_LIBS=$LIBS - LIBS="$LIBS $KRB5LIBS" - AC_CACHE_CHECK([for SPNEGO support],ac_cv_have_spnego,[ - AC_TRY_RUN([ -#ifdef HAVE_HEIMDAL_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_H) -#include -#endif -#else -#ifdef HAVE_GSSAPI_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_H) -#include -#endif -#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H -#include -#endif -#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H -#include -#endif -#endif -#include -int main(int argc, char *argv[]) { - OM_uint32 major_status,minor_status; - gss_OID_set gss_mech_set; - int i; - -static gss_OID_desc _gss_mech_spnego = {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; -gss_OID gss_mech_spnego = &_gss_mech_spnego; - - major_status = gss_indicate_mechs( &minor_status, &gss_mech_set); - - for (i=0;icount;i++) { - if (!memcmp(gss_mech_set->elements[i].elements,gss_mech_spnego->elements,gss_mech_set->elements[i].length)) { - return 0; - } - } - - return 1; -}], - ac_cv_have_spnego=yes, - ac_cv_have_spnego=no)]) - LIBS=$old_LIBS - CPPFLAGS=$old_CPPFLAGS - if test x"$ac_cv_have_spnego" = x"yes"; then - AC_DEFINE(HAVE_SPNEGO,1, [Define to 1 if you have SPNEGO support]) - fi AC_SUBST(KRB5INCS) AC_SUBST(KRB5LIBS) fi -AM_CONDITIONAL(HAVE_SPNEGO, test x"$ac_cv_have_spnego" = x"yes" ) dnl Enable "NTLM fail open" AC_ARG_ENABLE(ntlm-fail-open, diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/Makefile.am squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/Makefile.am --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/Makefile.am 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/Makefile.am 2010-02-02 22:49:58.000000000 +1300 @@ -6,17 +6,12 @@ libexec_PROGRAMS = squid_kerb_auth -SPNEGO = spnegohelp/derparse.c spnegohelp/derparse.h spnegohelp/Makefile spnegohelp/spnego.c spnegohelp/spnego.h spnegohelp/spnegohelp.c spnegohelp/spnegohelp.h spnegohelp/spnegoparse.c spnegohelp/spnegoparse.h SOURCE = squid_kerb_auth.c base64.c base64.h EXTRA_DIST = readme.txt do.sh -if HAVE_SPNEGO squid_kerb_auth_SOURCES = $(SOURCE) -else -squid_kerb_auth_SOURCES = $(SOURCE) $(SPNEGO) -endif -INCLUDES = -I$(top_srcdir)/include $(KERBINCS) -I$(srcdir)/spnegohelp -I. +INCLUDES = -I$(top_srcdir)/include $(KERBINCS) -I. #-I$(top_srcdir)/include -I$(top_srcdir)/src LDADD = $(KERBLIBS) #-L$(top_builddir)/lib -lmiscutil $(XTRA_LIBS) diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/Makefile.in squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/Makefile.in --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/Makefile.in 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/Makefile.in 2010-02-02 22:49:58.000000000 +1300 @@ -52,17 +52,8 @@ am__installdirs = "$(DESTDIR)$(libexecdir)" libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(libexec_PROGRAMS) -am__squid_kerb_auth_SOURCES_DIST = squid_kerb_auth.c base64.c base64.h \ - spnegohelp/derparse.c spnegohelp/derparse.h \ - spnegohelp/Makefile spnegohelp/spnego.c spnegohelp/spnego.h \ - spnegohelp/spnegohelp.c spnegohelp/spnegohelp.h \ - spnegohelp/spnegoparse.c spnegohelp/spnegoparse.h am__objects_1 = squid_kerb_auth.$(OBJEXT) base64.$(OBJEXT) -am__objects_2 = derparse.$(OBJEXT) spnego.$(OBJEXT) \ - spnegohelp.$(OBJEXT) spnegoparse.$(OBJEXT) -@HAVE_SPNEGO_FALSE@am_squid_kerb_auth_OBJECTS = $(am__objects_1) \ -@HAVE_SPNEGO_FALSE@ $(am__objects_2) -@HAVE_SPNEGO_TRUE@am_squid_kerb_auth_OBJECTS = $(am__objects_1) +am_squid_kerb_auth_OBJECTS = $(am__objects_1) squid_kerb_auth_OBJECTS = $(am_squid_kerb_auth_OBJECTS) squid_kerb_auth_LDADD = $(LDADD) am__DEPENDENCIES_1 = @@ -80,7 +71,7 @@ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(squid_kerb_auth_SOURCES) -DIST_SOURCES = $(am__squid_kerb_auth_SOURCES_DIST) +DIST_SOURCES = $(squid_kerb_auth_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -257,12 +248,10 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -SPNEGO = spnegohelp/derparse.c spnegohelp/derparse.h spnegohelp/Makefile spnegohelp/spnego.c spnegohelp/spnego.h spnegohelp/spnegohelp.c spnegohelp/spnegohelp.h spnegohelp/spnegoparse.c spnegohelp/spnegoparse.h SOURCE = squid_kerb_auth.c base64.c base64.h EXTRA_DIST = readme.txt do.sh -@HAVE_SPNEGO_FALSE@squid_kerb_auth_SOURCES = $(SOURCE) $(SPNEGO) -@HAVE_SPNEGO_TRUE@squid_kerb_auth_SOURCES = $(SOURCE) -INCLUDES = -I$(top_srcdir)/include $(KERBINCS) -I$(srcdir)/spnegohelp -I. +squid_kerb_auth_SOURCES = $(SOURCE) +INCLUDES = -I$(top_srcdir)/include $(KERBINCS) -I. #-I$(top_srcdir)/include -I$(top_srcdir)/src LDADD = $(KERBLIBS) #-L$(top_builddir)/lib -lmiscutil $(XTRA_LIBS) @@ -342,10 +331,6 @@ -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/base64.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/derparse.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spnego.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spnegohelp.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spnegoparse.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/squid_kerb_auth.Po@am__quote@ .c.o: @@ -369,62 +354,6 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< -derparse.o: spnegohelp/derparse.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT derparse.o -MD -MP -MF $(DEPDIR)/derparse.Tpo -c -o derparse.o `test -f 'spnegohelp/derparse.c' || echo '$(srcdir)/'`spnegohelp/derparse.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/derparse.Tpo $(DEPDIR)/derparse.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/derparse.c' object='derparse.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o derparse.o `test -f 'spnegohelp/derparse.c' || echo '$(srcdir)/'`spnegohelp/derparse.c - -derparse.obj: spnegohelp/derparse.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT derparse.obj -MD -MP -MF $(DEPDIR)/derparse.Tpo -c -o derparse.obj `if test -f 'spnegohelp/derparse.c'; then $(CYGPATH_W) 'spnegohelp/derparse.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/derparse.c'; fi` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/derparse.Tpo $(DEPDIR)/derparse.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/derparse.c' object='derparse.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o derparse.obj `if test -f 'spnegohelp/derparse.c'; then $(CYGPATH_W) 'spnegohelp/derparse.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/derparse.c'; fi` - -spnego.o: spnegohelp/spnego.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spnego.o -MD -MP -MF $(DEPDIR)/spnego.Tpo -c -o spnego.o `test -f 'spnegohelp/spnego.c' || echo '$(srcdir)/'`spnegohelp/spnego.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/spnego.Tpo $(DEPDIR)/spnego.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/spnego.c' object='spnego.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spnego.o `test -f 'spnegohelp/spnego.c' || echo '$(srcdir)/'`spnegohelp/spnego.c - -spnego.obj: spnegohelp/spnego.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spnego.obj -MD -MP -MF $(DEPDIR)/spnego.Tpo -c -o spnego.obj `if test -f 'spnegohelp/spnego.c'; then $(CYGPATH_W) 'spnegohelp/spnego.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/spnego.c'; fi` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/spnego.Tpo $(DEPDIR)/spnego.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/spnego.c' object='spnego.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spnego.obj `if test -f 'spnegohelp/spnego.c'; then $(CYGPATH_W) 'spnegohelp/spnego.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/spnego.c'; fi` - -spnegohelp.o: spnegohelp/spnegohelp.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spnegohelp.o -MD -MP -MF $(DEPDIR)/spnegohelp.Tpo -c -o spnegohelp.o `test -f 'spnegohelp/spnegohelp.c' || echo '$(srcdir)/'`spnegohelp/spnegohelp.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/spnegohelp.Tpo $(DEPDIR)/spnegohelp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/spnegohelp.c' object='spnegohelp.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spnegohelp.o `test -f 'spnegohelp/spnegohelp.c' || echo '$(srcdir)/'`spnegohelp/spnegohelp.c - -spnegohelp.obj: spnegohelp/spnegohelp.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spnegohelp.obj -MD -MP -MF $(DEPDIR)/spnegohelp.Tpo -c -o spnegohelp.obj `if test -f 'spnegohelp/spnegohelp.c'; then $(CYGPATH_W) 'spnegohelp/spnegohelp.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/spnegohelp.c'; fi` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/spnegohelp.Tpo $(DEPDIR)/spnegohelp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/spnegohelp.c' object='spnegohelp.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spnegohelp.obj `if test -f 'spnegohelp/spnegohelp.c'; then $(CYGPATH_W) 'spnegohelp/spnegohelp.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/spnegohelp.c'; fi` - -spnegoparse.o: spnegohelp/spnegoparse.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spnegoparse.o -MD -MP -MF $(DEPDIR)/spnegoparse.Tpo -c -o spnegoparse.o `test -f 'spnegohelp/spnegoparse.c' || echo '$(srcdir)/'`spnegohelp/spnegoparse.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/spnegoparse.Tpo $(DEPDIR)/spnegoparse.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/spnegoparse.c' object='spnegoparse.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spnegoparse.o `test -f 'spnegohelp/spnegoparse.c' || echo '$(srcdir)/'`spnegohelp/spnegoparse.c - -spnegoparse.obj: spnegohelp/spnegoparse.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spnegoparse.obj -MD -MP -MF $(DEPDIR)/spnegoparse.Tpo -c -o spnegoparse.obj `if test -f 'spnegohelp/spnegoparse.c'; then $(CYGPATH_W) 'spnegohelp/spnegoparse.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/spnegoparse.c'; fi` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/spnegoparse.Tpo $(DEPDIR)/spnegoparse.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='spnegohelp/spnegoparse.c' object='spnegoparse.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spnegoparse.obj `if test -f 'spnegohelp/spnegoparse.c'; then $(CYGPATH_W) 'spnegohelp/spnegoparse.c'; else $(CYGPATH_W) '$(srcdir)/spnegohelp/spnegoparse.c'; fi` - mostlyclean-libtool: -rm -f *.lo diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.c squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.c --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.c 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.c 1970-01-01 12:00:00.000000000 +1200 @@ -1,733 +0,0 @@ -// Copyright (C) 2002 Microsoft Corporation -// All rights reserved. -// -// THIS CODE AND INFORMATION IS PROVIDED "AS IS" -// WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -// OR IMPLIED, INCLUDING BUT NOT LIMITED -// TO THE IMPLIED WARRANTIES OF MERCHANTIBILITY -// AND/OR FITNESS FOR A PARTICULAR PURPOSE. -// -// Date - 10/08/2002 -// Author - Sanj Surati - - -///////////////////////////////////////////////////////////// -// -// DERPARSE.C -// -// SPNEGO Token Handler Source File -// -// Contains implementation of ASN.1 DER read/write functions -// as defined in DERPARSE.H. -// -///////////////////////////////////////////////////////////// - -#include "config.h" -#include -#include -#include -#include "spnego.h" -#include "derparse.h" - -// -// The GSS Mechanism OID enumeration values (SPNEGO_MECH_OID) control which offset in -// the array below, that a mechanism can be found. -// -MECH_OID g_stcMechOIDList [] = -{ - { (unsigned char*) "\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", 11, 9, spnego_mech_oid_Kerberos_V5_Legacy }, // 1.2.840.48018.1.2.2 - { (unsigned char*) "\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", 11, 9, spnego_mech_oid_Kerberos_V5 }, // 1.2.840.113554.1.2.2 - { (unsigned char*) "\x06\x06\x2b\x06\x01\x05\x05\x02", 8, 6, spnego_mech_oid_Spnego }, // 1.3.6.1.1.5.5.2 - { (unsigned char*) "", 0, 0, spnego_mech_oid_NotUsed } // Placeholder -}; - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerGetLength -// -// Parameters: -// [in] pbLengthData - DER Length Data -// [in] nBoundaryLength - Length that value must not exceed. -// [out] pnLength - Filled out with length value -// [out] pnNumLengthBytes - Filled out with number of bytes -// consumed by DER length. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Interprets the data at pbLengthData as a DER length. The length must -// fit within the bounds of nBoundary length. We do not currently -// process lengths that take more than 4 bytes. -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerGetLength( unsigned char* pbLengthData, long nBoundaryLength, long* pnLength, - long* pnNumLengthBytes ) -{ - int nReturn = SPNEGO_E_INVALID_LENGTH; - int nNumLengthBytes = 0; - - // First check if the extended length bit is set - - if ( *pbLengthData & LEN_XTND ) - { - // Lower 7 bits contain the number of trailing bytes that describe the length - nNumLengthBytes = *pbLengthData & LEN_MASK; - - // Check that the number of bytes we are about to read is within our boundary - // constraints - - if ( nNumLengthBytes <= nBoundaryLength - 1 ) - { - - // For now, our handler won't deal with lengths greater than 4 bytes - if ( nNumLengthBytes >= 1 && nNumLengthBytes <= 4 ) - { - // 0 out the initial length - *pnLength = 0L; - - // Bump by 1 byte - pbLengthData++; - - #if defined(__LITTLE_ENDIAN__) || !defined(WORDS_BIGENDIAN) - - // There may be a cleaner way to do this, but for now, this seems to be - // an easy way to do the transformation - switch ( nNumLengthBytes ) - { - case 1: - { - *( ( (unsigned char*) pnLength ) ) = *pbLengthData; - break; - } - - case 2: - { - *( ( (unsigned char*) pnLength ) ) = *(pbLengthData + 1); - *( ( (unsigned char*) pnLength ) + 1 ) = *(pbLengthData); - - break; - } - - case 3: - { - *( ( (unsigned char*) pnLength ) ) = *(pbLengthData + 2); - *( ( (unsigned char*) pnLength ) + 2 ) = *(pbLengthData + 1); - *( ( (unsigned char*) pnLength ) + 3 ) = *(pbLengthData); - break; - } - - case 4: - { - *( ( (unsigned char*) pnLength ) ) = *(pbLengthData + 3); - *( ( (unsigned char*) pnLength ) + 1 ) = *(pbLengthData + 2); - *( ( (unsigned char*) pnLength ) + 2 ) = *(pbLengthData + 1); - *( ( (unsigned char*) pnLength ) + 3 ) = *(pbLengthData); - break; - } - - } // SWITCH ( nNumLengthBytes ) - - #else - // We are Big-Endian, so the length can be copied in from the source - // as is. Ensure that we adjust for the number of bytes we actually - // copy. - - memcpy( ( (unsigned char *) pnLength ) + ( 4 - nNumLengthBytes ), - pbLengthData, nNumLengthBytes ); - #endif - - // Account for the initial length byte - *pnNumLengthBytes = nNumLengthBytes + 1; - nReturn = SPNEGO_E_SUCCESS; - - } // IF Valid Length - - } // IF num bytes to read is within the boundary length - - } // IF xtended length - else - { - - // Extended bit is not set, so the length is in the value and the one - // byte describes the length - *pnLength = *pbLengthData & LEN_MASK; - *pnNumLengthBytes = 1; - nReturn = SPNEGO_E_SUCCESS; - - } - LOG(("ASNDerGetLength returned %d\n",nReturn)); - return nReturn; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerCheckToken -// -// Parameters: -// [in] pbTokenData - Token Data -// [in] nToken - Token identifier to check for -// [in] nLengthWithToken - Expected token length (with data) -// [in] nBoundaryLength - Length that value must not exceed. -// [out] pnLength - Filled out with data length -// [out] pnTokenLength - Filled out with number of bytes -// consumed by token identifier and length. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Checks the data pointed to by pbTokenData for the specified token -// identifier and the length that immediately follows. If -// nLengthWithToken is > 0, the calculated length must match. The -// length must also not exceed the specified boundary length . -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerCheckToken( unsigned char* pbTokenData, unsigned char nToken, - long nLengthWithToken, long nBoundaryLength, - long* pnLength, long* pnTokenLength ) -{ - - int nReturn = SPNEGO_E_INVALID_LENGTH; - long nNumLengthBytes = 0L; - - // Make sure that we've at least got 2 bytes of room to work with - - if ( nBoundaryLength >= 2 ) - { - // The first byte of the token data MUST match the specified token - if ( *pbTokenData == nToken ) - { - // Next byte indicates the length - pbTokenData++; - - // Get the length described by the token - if ( ( nReturn = ASNDerGetLength( pbTokenData, nBoundaryLength, pnLength, - &nNumLengthBytes ) ) == SPNEGO_E_SUCCESS ) - { - // Verify that the length is LESS THAN the boundary length - // (this should prevent us walking out of our buffer) - if ( ( nBoundaryLength - ( nNumLengthBytes + 1 ) < *pnLength ) ) - { - - nReturn = SPNEGO_E_INVALID_LENGTH; - - } - - // If we were passed a length to check, do so now - if ( nLengthWithToken > 0L ) - { - - // Check that the expected length matches - if ( ( nLengthWithToken - ( nNumLengthBytes + 1 ) ) != *pnLength ) - { - - nReturn = SPNEGO_E_INVALID_LENGTH; - - } - - } // IF need to validate length - - if ( SPNEGO_E_SUCCESS == nReturn ) - { - *pnTokenLength = nNumLengthBytes + 1; - } - - } // IF ASNDerGetLength - - } // IF token matches - else - { - nReturn = SPNEGO_E_TOKEN_NOT_FOUND; - } - - } // IF Boundary Length is at least 2 bytes - - LOG(("ASNDerCheckToken returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerCheckOID -// -// Parameters: -// [in] pbTokenData - Token Data -// [in] nMechOID - OID we are looking for -// [in] nBoundaryLength - Length that value must not exceed. -// [out] pnTokenLength - Filled out with number of bytes -// consumed by token and data. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Checks the data pointed to by pbTokenData for the specified OID. -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerCheckOID( unsigned char* pbTokenData, SPNEGO_MECH_OID nMechOID, long nBoundaryLength, - long* pnTokenLength ) -{ - int nReturn = 0L; - long nLength = 0L; - - // Verify that we have an OID token - if ( ( nReturn = ASNDerCheckToken( pbTokenData, OID, 0L, nBoundaryLength, - &nLength, pnTokenLength ) ) == SPNEGO_E_SUCCESS ) - { - // Add the data length to the Token Length - *pnTokenLength += nLength; - - // Token Lengths plus the actual length must match the length in our OID list element. - // If it doesn't, we're done - if ( *pnTokenLength == g_stcMechOIDList[nMechOID].iLen ) - { - // Memcompare the token and the expected field - if ( memcmp( pbTokenData, g_stcMechOIDList[nMechOID].ucOid, *pnTokenLength ) != 0 ) - { - LOG(("ASNDerCheckOID memcmp failed\n")); - nReturn = SPNEGO_E_UNEXPECTED_OID; - } - } - else - { - LOG(("ASNDerCheckOID token length failed\n")); - nReturn = SPNEGO_E_UNEXPECTED_OID; - } - - } // IF OID Token CHecks - - LOG(("ASNDerCheckOID returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerCalcNumLengthBytes -// -// Parameters: -// [in] nLength - Length to calculate length bytes for. -// -// Returns: -// int Number of bytes necessary to represent length -// -// Comments : -// Helper function to calculate the number of length bytes necessary to -// represent a length value. For our purposes, a 32-bit value should be -// enough to describea length. -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerCalcNumLengthBytes( long nLength ) -{ - if ( nLength <= 0x7F ) - { - // A single byte will be sufficient for describing this length. - // The byte will simply contain the length - return 1; - } - else if ( nLength <= 0xFF ) - { - // Two bytes are necessary, one to say how many following bytes - // describe the length, and one to give the length - return 2; - } - else if ( nLength <= 0xFFFF ) - { - // Three bytes are necessary, one to say how many following bytes - // describe the length, and two to give the length - return 3; - } - else if ( nLength <= 0xFFFFFF ) - { - // Four bytes are necessary, one to say how many following bytes - // describe the length, and three to give the length - return 4; - } - else - { - // Five bytes are necessary, one to say how many following bytes - // describe the length, and four to give the length - return 5; - } -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerCalcTokenLength -// -// Parameters: -// [in] nLength - Length to calculate length bytes for. -// [in] nDataLength - Actual Data length value. -// -// Returns: -// long Number of bytes necessary to represent a token, length and data -// -// Comments : -// Helper function to calculate a token and value size, based on a -// supplied length value, and any binary data that will need to be -// written out. -// -//////////////////////////////////////////////////////////////////////////// - -long ASNDerCalcTokenLength( long nLength, long nDataLength ) -{ - // Add a byte to the length size to account for a single byte to - // hold the token type. - long nTotalLength = ASNDerCalcNumLengthBytes( nLength ) + 1; - - return nTotalLength + nDataLength; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerCalcElementLength -// -// Parameters: -// [in] nDataLength - Length of data. -// [out] pnInternalLength - Filled out with length of element -// without sequence info. -// -// Returns: -// long Number of bytes necessary to represent an element -// -// Comments : -// Helper function to calculate an element length. An element consists -// of a sequence token, a type token and then the data. -// -//////////////////////////////////////////////////////////////////////////// - -long ASNDerCalcElementLength( long nDataLength, long* pnInternalLength ) -{ - // First the type token and the actual data - long nTotalLength = ASNDerCalcTokenLength( nDataLength, nDataLength ); - - // Internal length is the length without the element sequence token - if ( NULL != pnInternalLength ) - { - *pnInternalLength = nTotalLength; - } - - // Next add in the element's sequence token (remember that its - // length is the total length of the type token and data) - nTotalLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - return nTotalLength; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerCalcMechListLength -// -// Parameters: -// [in] mechoid - Mech OID to put in list. -// [out] pnInternalLength - Filled out with length of element -// without the primary sequence token. -// -// Returns: -// long Number of bytes necessary to represent a mechList -// -// Comments : -// Helper function to calculate a MechList length. A mechlist consists -// of a NegTokenInit sequence token, a sequence token for the MechList -// and finally a list of OIDs. In our case, we only really have one -// OID. -// -//////////////////////////////////////////////////////////////////////////// - -long ASNDerCalcMechListLength( SPNEGO_MECH_OID mechoid, long* pnInternalLength ) -{ - // First the OID - long nTotalLength = g_stcMechOIDList[mechoid].iLen; - - // Next add in a sequence token - nTotalLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - // Internal length is the length without the element sequence token - if ( NULL != pnInternalLength ) - { - *pnInternalLength = nTotalLength; - } - - // Finally add in the element's sequence token - nTotalLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - return nTotalLength; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerWriteLength -// -// Parameters: -// [out] pbData - Buffer to write into. -// [in] nLength - Length to write out. -// -// Returns: -// int Number of bytes written out -// -// Comments : -// Helper function to write out a length value following DER rules . -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerWriteLength( unsigned char* pbData, long nLength ) -{ - int nNumBytesRequired = ASNDerCalcNumLengthBytes( nLength ); - int nNumLengthBytes = nNumBytesRequired - 1; - - - if ( nNumBytesRequired > 1 ) - { - - // Write out the number of bytes following which will be used - *pbData = (unsigned char ) ( LEN_XTND | nNumLengthBytes ); - - // Point to where we'll actually write the length - pbData++; - -#if defined(__LITTLE_ENDIAN__) || !defined(WORDS_BIGENDIAN) - - // There may be a cleaner way to do this, but for now, this seems to be - // an easy way to do the transformation - switch ( nNumLengthBytes ) - { - case 1: - { - // Cast the length to a single byte, since we know that it - // is 0x7F or less (or we wouldn't only need a single byte). - - *pbData = (unsigned char) nLength; - break; - } - - case 2: - { - *pbData = *( ( (unsigned char*) &nLength ) + 1 ); - *( pbData + 1) = *( ( (unsigned char*) &nLength ) ); - break; - } - - case 3: - { - *pbData = *( ( (unsigned char*) &nLength ) + 3 ); - *( pbData + 1) = *( ( (unsigned char*) &nLength ) + 2 ); - *( pbData + 2) = *( ( (unsigned char*) &nLength ) ); - break; - } - - case 4: - { - *pbData = *( ( (unsigned char*) &nLength ) + 3 ); - *( pbData + 1) = *( ( (unsigned char*) &nLength ) + 2 ); - *( pbData + 2) = *( ( (unsigned char*) &nLength ) + 1 ); - *( pbData + 3) = *( ( (unsigned char*) &nLength ) ); - break; - } - - } // SWITCH ( nNumLengthBytes ) - -#else - // We are Big-Endian, so the length can be copied in from the source - // as is. Ensure that we adjust for the number of bytes we actually - // copy. - - memcpy( pbData, - ( (unsigned char *) &nLength ) + ( 4 - nNumLengthBytes ), nNumLengthBytes ); -#endif - - } // IF > 1 byte for length - else - { - // Cast the length to a single byte, since we know that it - // is 0x7F or less (or we wouldn't only need a single byte). - - *pbData = (unsigned char) nLength; - } - - return nNumBytesRequired; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerWriteToken -// -// Parameters: -// [out] pbData - Buffer to write into. -// [in] ucType - Token Type -// [in] pbTokenValue - Actual Value -// [in] nLength - Length of Data. -// -// Returns: -// int Number of bytes written out -// -// Comments : -// Helper function to write out a token and any associated data. If -// pbTokenValue is non-NULL, then it is written out in addition to the -// token identifier and the length bytes. -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerWriteToken( unsigned char* pbData, unsigned char ucType, - unsigned char* pbTokenValue, long nLength ) -{ - int nTotalBytesWrittenOut = 0L; - int nNumLengthBytesWritten = 0L; - - // Write out the type - *pbData = ucType; - - // Wrote 1 byte, and move data pointer - nTotalBytesWrittenOut++; - pbData++; - - // Now write out the length and adjust the number of bytes written out - nNumLengthBytesWritten = ASNDerWriteLength( pbData, nLength ); - - nTotalBytesWrittenOut += nNumLengthBytesWritten; - pbData += nNumLengthBytesWritten; - - // Write out the token value if we got one. The assumption is that the - // nLength value indicates how many bytes are in pbTokenValue. - - if ( NULL != pbTokenValue ) - { - memcpy( pbData, pbTokenValue, nLength ); - nTotalBytesWrittenOut += nLength; - } - - return nTotalBytesWrittenOut; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerWriteOID -// -// Parameters: -// [out] pbData - Buffer to write into. -// [in] eMechOID - OID to write out. -// -// Returns: -// int Number of bytes written out -// -// Comments : -// Helper function to write out an OID. For these we have the raw bytes -// listed in a global structure. The caller simply indicates which OID -// should be written and we will splat out the data. -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerWriteOID( unsigned char* pbData, SPNEGO_MECH_OID eMechOID ) -{ - - memcpy( pbData, g_stcMechOIDList[eMechOID].ucOid, g_stcMechOIDList[eMechOID].iLen ); - - return g_stcMechOIDList[eMechOID].iLen; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerWriteMechList -// -// Parameters: -// [out] pbData - Buffer to write into. -// [in] eMechOID - OID to put in MechList. -// -// Returns: -// int Number of bytes written out -// -// Comments : -// Helper function to write out a MechList. A MechList consists of the -// Init Token Sequence, a sequence token and then the list of OIDs. In -// our case the OID is from a global array of known OIDs. -// -//////////////////////////////////////////////////////////////////////////// - -long ASNDerWriteMechList( unsigned char* pbData, SPNEGO_MECH_OID mechoid ) -{ - // First get the length - long nInternalLength = 0L; - long nMechListLength = ASNDerCalcMechListLength( mechoid, &nInternalLength ); - long nTempLength = 0L; - - nTempLength = ASNDerWriteToken( pbData, SPNEGO_NEGINIT_ELEMENT_MECHTYPES, - NULL, nInternalLength ); - - // Adjust the data pointer - pbData += nTempLength; - - // Now write the Sequence token and the OID (the OID is a BLOB in the global - // structure. - - nTempLength = ASNDerWriteToken( pbData, SPNEGO_CONSTRUCTED_SEQUENCE, - g_stcMechOIDList[mechoid].ucOid, - g_stcMechOIDList[mechoid].iLen ); - - return nMechListLength; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ASNDerWriteElement -// -// Parameters: -// [out] pbData - Buffer to write into. -// [in] ucElementSequence - Sequence Token -// [in] ucType - Token Type -// [in] pbTokenValue - Actual Value -// [in] nLength - Length of Data. -// -// Returns: -// int Number of bytes written out -// -// Comments : -// Helper function to write out a SPNEGO Token element. An element -// consists of a sequence token, a type token and the associated data. -// -//////////////////////////////////////////////////////////////////////////// - -int ASNDerWriteElement( unsigned char* pbData, unsigned char ucElementSequence, - unsigned char ucType, unsigned char* pbTokenValue, long nLength ) -{ - // First get the length - long nInternalLength = 0L; - long nElementLength = ASNDerCalcElementLength( nLength, &nInternalLength ); - long nTempLength = 0L; - - // Write out the sequence byte and the length of the type and data - nTempLength = ASNDerWriteToken( pbData, ucElementSequence, NULL, nInternalLength ); - - // Adjust the data pointer - pbData += nTempLength; - - // Now write the type and the data. - nTempLength = ASNDerWriteToken( pbData, ucType, pbTokenValue, nLength ); - - return nElementLength; -} - diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.h squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.h --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.h 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.h 1970-01-01 12:00:00.000000000 +1200 @@ -1,207 +0,0 @@ -// Copyright (C) 2002 Microsoft Corporation -// All rights reserved. -// -// THIS CODE AND INFORMATION IS PROVIDED "AS IS" -// WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -// OR IMPLIED, INCLUDING BUT NOT LIMITED -// TO THE IMPLIED WARRANTIES OF MERCHANTIBILITY -// AND/OR FITNESS FOR A PARTICULAR PURPOSE. -// -// Date - 10/08/2002 -// Author - Sanj Surati - -///////////////////////////////////////////////////////////// -// -// DERPARSE.H -// -// SPNEGO Token Handler Header File -// -// Contains the definitions required to properly parse the -// SPNEGO DER encoding. -// -///////////////////////////////////////////////////////////// - -#ifndef __DERPARSE_H__ -#define __DERPARSE_H__ - -// C++ Specific -#if defined(__cplusplus) -extern "C" -{ -#endif - -/* Identifier Types */ -#define IDENTIFIER_MASK 0xC0 // Bits 7 and 8 -#define IDENTIFIER_UNIVERSAL 0x00 // 00 = universal -#define IDENTIFIER_APPLICATION 0x40 // 01 = application -#define IDENTIFIER_CONTEXT_SPECIFIC 0x80 // 10 = context specific -#define IDENTIFIER_PRIVATE 0xC0 // 11 = Private - -/* Encoding type */ - -#define FORM_MASK 0x20 /* Bit 6 */ -#define PRIMITIVE 0x00 /* 0 = primitive */ -#define CONSTRUCTED 0x20 /* 1 = constructed */ - -/* Universal tags */ - -#define TAG_MASK 0x1F /* Bits 5 - 1 */ -#define BOOLEAN 0x01 /* 1: TRUE or FALSE */ -#define INTEGER 0x02 /* 2: Arbitrary precision integer */ -#define BITSTRING 0x03 /* 2: Sequence of bits */ -#define OCTETSTRING 0x04 /* 4: Sequence of bytes */ -#define NULLTAG 0x05 /* 5: NULL */ -#define OID 0x06 /* 6: Object Identifier (numeric sequence) */ -#define OBJDESCRIPTOR 0x07 /* 7: Object Descriptor (human readable) */ -#define EXTERNAL 0x08 /* 8: External / Instance Of */ -#define REAL 0x09 /* 9: Real (Mantissa * Base^Exponent) */ -#define ENUMERATED 0x0A /* 10: Enumerated */ -#define EMBEDDED_PDV 0x0B /* 11: Embedded Presentation Data Value */ -#define SEQUENCE 0x10 /* 16: Constructed Sequence / Sequence Of */ -#define SET 0x11 /* 17: Constructed Set / Set Of */ -#define NUMERICSTR 0x12 /* 18: Numeric String (digits only) */ -#define PRINTABLESTR 0x13 /* 19: Printable String */ -#define T61STR 0x14 /* 20: T61 String (Teletex) */ -#define VIDEOTEXSTR 0x15 /* 21: Videotex String */ -#define IA5STR 0x16 /* 22: IA5 String */ -#define UTCTIME 0x17 /* 23: UTC Time */ -#define GENERALIZEDTIME 0x18 /* 24: Generalized Time */ -#define GRAPHICSTR 0x19 /* 25: Graphic String */ -#define VISIBLESTR 0x1A /* 26: Visible String (ISO 646) */ -#define GENERALSTR 0x1B /* 27: General String */ -#define UNIVERSALSTR 0x1C /* 28: Universal String */ -#define BMPSTR 0x1E /* 30: Basic Multilingual Plane String */ - -/* Length encoding */ - -#define LEN_XTND 0x80 /* Indefinite or long form */ -#define LEN_MASK 0x7f /* Bits 7 - 1 */ - -// -// SPNEGO Token Parsing Constants -// - - -// Fixed Length of NegTokenInit ReqFlags field -#define SPNEGO_NEGINIT_MAXLEN_REQFLAGS 2 - -// Difference in bits for ReqFlags token -#define SPNEGO_NEGINIT_REQFLAGS_BITDIFF 1 - -// Fixed Length of NegTokenTarg NegResult field -#define SPNEGO_NEGTARG_MAXLEN_NEGRESULT 1 - -// Application Specific Construct - Always at the start of a NegTokenInit -#define SPNEGO_NEGINIT_APP_CONSTRUCT ( IDENTIFIER_APPLICATION | CONSTRUCTED ) // 0x60 - -// Constructed Sequence token - after the actual token identifier token -#define SPNEGO_CONSTRUCTED_SEQUENCE ( SEQUENCE | CONSTRUCTED ) - -// MechList Type Identifier -#define SPNEGO_MECHLIST_TYPE ( SEQUENCE | CONSTRUCTED | OID ) - -// -// NegTokenInit - Token Identifier and Elements -// - -// NegTokenInit - 0xa0 -#define SPNEGO_NEGINIT_TOKEN_IDENTIFIER ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_TOKEN_INIT ) - -// Structure elements for NegTokenInit -#define SPNEGO_NEGINIT_MECHTYPES 0x0 // MechTypes is element 0 -#define SPNEGO_NEGINIT_REQFLAGS 0x1 // ReqFlags is element 1 -#define SPNEGO_NEGINIT_MECHTOKEN 0x2 // MechToken is element 2 -#define SPNEGO_NEGINIT_MECHLISTMIC 0x3 // MechListMIC is element 3 - -// MechTypes element is 0xa0 -#define SPNEGO_NEGINIT_ELEMENT_MECHTYPES ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGINIT_MECHTYPES ) - -// ReqFlags element is 0xa1 -#define SPNEGO_NEGINIT_ELEMENT_REQFLAGS ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGINIT_REQFLAGS ) - -// MechToken element is 0xa2 -#define SPNEGO_NEGINIT_ELEMENT_MECHTOKEN ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGINIT_MECHTOKEN ) - -// MechListMIC element is 0xa3 -#define SPNEGO_NEGINIT_ELEMENT_MECHLISTMIC ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGINIT_MECHLISTMIC ) - -// -// NegTokenTarg - Token Identifier and Elements -// - -// NegTokenTarg - 0xa1 -#define SPNEGO_NEGTARG_TOKEN_IDENTIFIER ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_TOKEN_TARG ) - -// Structure elements for NegTokenTarg -#define SPNEGO_NEGTARG_NEGRESULT 0x0 // NegResult is element 0 -#define SPNEGO_NEGTARG_SUPPORTEDMECH 0x1 // SupportedMech is element 1 -#define SPNEGO_NEGTARG_RESPONSETOKEN 0x2 // ResponseToken is element 2 -#define SPNEGO_NEGTARG_MECHLISTMIC 0x3 // MechListMIC is element 3 - -// NegResult element is 0xa0 -#define SPNEGO_NEGTARG_ELEMENT_NEGRESULT ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGTARG_NEGRESULT ) - -// SupportedMech element is 0xa1 -#define SPNEGO_NEGTARG_ELEMENT_SUPPORTEDMECH ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGTARG_SUPPORTEDMECH ) - -// ResponseToken element is 0xa2 -#define SPNEGO_NEGTARG_ELEMENT_RESPONSETOKEN ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGTARG_RESPONSETOKEN ) - -// MechListMIC element is 0xa3 -#define SPNEGO_NEGTARG_ELEMENT_MECHLISTMIC ( IDENTIFIER_CONTEXT_SPECIFIC | CONSTRUCTED | \ - SPNEGO_NEGTARG_MECHLISTMIC ) - -// -// Defines a GSS Mechanism OID. We keep a single static array -// of these which we'll use for validation/searches/parsing. -// - -typedef struct _mechOID -{ - unsigned char* ucOid; // Byte representation of OID - int iLen; // Length of the OID, length and identifier - int iActualDataLen; // Length of the actual OID - SPNEGO_MECH_OID eMechanismOID; // Which OID is this? -} MECH_OID; - - -// -// ASN Der functions -// - -int ASNDerGetLength( unsigned char* pbLengthData, long nBoundaryLength, long* pnLength, - long* pnNumLengthBytes ); -int ASNDerCheckToken( unsigned char* pbTokenData, unsigned char nToken, - long nCheckLength, long nBoundaryLength, long* pnLength, - long* pnTokenLength ); -int ASNDerCheckOID( unsigned char* pbTokenData, SPNEGO_MECH_OID nMechOID, long nBoundaryLength, - long* pnTokenLength ); -int ASNDerCalcNumLengthBytes( long nLength ); -long ASNDerCalcTokenLength( long nLength, long nDataLength ); -long ASNDerCalcElementLength( long nDataLength, long* pnInternalLength ); -long ASNDerCalcMechListLength( SPNEGO_MECH_OID mechoid, long* pnInternalLength ); -int ASNDerWriteLength( unsigned char* pbData, long nLength ); -int ASNDerWriteToken( unsigned char* pbData, unsigned char ucType, - unsigned char* pbTokenValue, long nLength ); -int ASNDerWriteOID( unsigned char* pbData, SPNEGO_MECH_OID eMechOID ); -long ASNDerWriteMechList( unsigned char* pbData, SPNEGO_MECH_OID mechoid ); -int ASNDerWriteElement( unsigned char* pbData, unsigned char ucElementSequence, - unsigned char ucType, unsigned char* pbTokenValue, long nLength ); - - - // C++ Specific -#if defined(__cplusplus) -} -#endif - -#endif - diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/Makefile squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/Makefile --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/Makefile 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/Makefile 1970-01-01 12:00:00.000000000 +1200 @@ -1,51 +0,0 @@ -# -# Linux: -# -D__LITTLE_ENDIAN__ -# Solaris: -# -D__BIG_ENDIAN__ -# - -CFLAGS = -fpic - -LIB = libspnegohelp.a -SLIB = libspnegohelp.so - -OBJS = derparse.o spnego.o spnegohelp.o spnegoparse.o - -all: - make `uname` - -debug: - make CFLAGS="$(CFLAGS) -DDEBUG" `uname` - -SunOS: - make CFLAGS="$(CFLAGS) -D__BIG_ENDIAN__" libs - -AIX: - make CFLAGS="$(CFLAGS) -D__BIG_ENDIAN__" libs - -Linux: - make CFLAGS="$(CFLAGS) -D__LITTLE_ENDIAN__" libs - -libs: $(LIB) $(SLIB) - -$(LIB): $(OBJS) - ar -r $(LIB) $(OBJS) - -$(SLIB): $(OBJS) - gcc --shared -o $(SLIB) $(OBJS) - -derparse.o: derparse.c derparse.h spnego.h Makefile - gcc -c $(CFLAGS) derparse.c -o $@ - -spnego.o: spnego.c derparse.h spnego.h spnegoparse.h Makefile - gcc -c $(CFLAGS) spnego.c -o $@ - -spnegoparse.o: spnegoparse.c derparse.h spnego.h spnegoparse.h Makefile - gcc -c $(CFLAGS) spnegoparse.c -o $@ - -spnegohelp.o: spnegohelp.c spnego.h spnegohelp.h Makefile - gcc -c $(CFLAGS) spnegohelp.c -o $@ - -clean: - rm $(OBJS) $(LIB) $(SLIB) diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.c squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.c --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.c 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.c 1970-01-01 12:00:00.000000000 +1200 @@ -1,806 +0,0 @@ -// Copyright (C) 2002 Microsoft Corporation -// All rights reserved. -// -// THIS CODE AND INFORMATION IS PROVIDED "AS IS" -// WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -// OR IMPLIED, INCLUDING BUT NOT LIMITED -// TO THE IMPLIED WARRANTIES OF MERCHANTIBILITY -// AND/OR FITNESS FOR A PARTICULAR PURPOSE. -// -// Date - 10/08/2002 -// Author - Sanj Surati - -///////////////////////////////////////////////////////////// -// -// SPNEGO.C -// -// SPNEGO Token Handler Source File -// -// Contains implementation of SPNEGO Token Handling API -// as defined in SPNEGO.H. -// -///////////////////////////////////////////////////////////// - -#include -#include -#include -#include "spnego.h" -#include "derparse.h" -#include "spnegoparse.h" - -// -// Defined in DERPARSE.C -// - -extern MECH_OID g_stcMechOIDList []; - - -/**********************************************************************/ -/** **/ -/** **/ -/** **/ -/** **/ -/** SPNEGO Token Handler API implementation **/ -/** **/ -/** **/ -/** **/ -/** **/ -/**********************************************************************/ - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoInitFromBinary -// -// Parameters: -// [in] pbTokenData - Binary Token Data -// [in] ulLength - Length of binary Token Data -// [out] phSpnegoToken - SPNEGO_TOKEN_HANDLE pointer -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Initializes a SPNEGO_TOKEN_HANDLE from the supplied -// binary data. Data is copied locally. Returned data structure -// must be freed by calling spnegoFreeData(). -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoInitFromBinary( unsigned char* pbTokenData, unsigned long ulLength, SPNEGO_TOKEN_HANDLE* phSpnegoToken ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN** ppSpnegoToken = (SPNEGO_TOKEN**) phSpnegoToken; - - // Pass off to a handler function that allows tighter control over how the token structure - // is handled. In this case, we want the token data copied and we want the associated buffer - // freed. - nReturn = InitTokenFromBinary( SPNEGO_TOKEN_INTERNAL_COPYDATA, - SPNEGO_TOKEN_INTERNAL_FLAGS_FREEDATA, pbTokenData, - ulLength, ppSpnegoToken ); - - LOG(("spnegoInitFromBinary returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoCreateNegTokenInit -// -// Parameters: -// [in] MechType - MechType to specify in MechTypeList element -// [in] ucContextFlags - Context Flags element value -// [in] pbMechToken - Pointer to binary MechToken Data -// [in] ulMechTokenLen - Length of MechToken Data -// [in] pbMechListMIC - Pointer to binary MechListMIC Data -// [in] ulMechListMICLen - Length of MechListMIC Data -// [out] phSpnegoToken - SPNEGO_TOKEN_HANDLE pointer -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Initializes a SPNEGO_TOKEN_HANDLE for a NegTokenInit type -// from the supplied parameters. ucContextFlags may be 0 or must be -// a valid flag combination. MechToken data can be NULL - if not, it -// must correspond to the MechType. MechListMIC can also be NULL. -// Returned data structure must be freed by calling spnegoFreeData(). -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoCreateNegTokenInit( SPNEGO_MECH_OID MechType, - unsigned char ucContextFlags, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechListMIC, - unsigned long ulMechListMICLen, SPNEGO_TOKEN_HANDLE* phSpnegoToken ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - long nTokenLength = 0L; - long nInternalTokenLength = 0L; - unsigned char* pbTokenData = NULL; - SPNEGO_TOKEN** ppSpnegoToken = (SPNEGO_TOKEN**) phSpnegoToken; - - if ( NULL != ppSpnegoToken && - IsValidMechOid( MechType ) && - IsValidContextFlags( ucContextFlags ) ) - { - // Get the actual token size - - if ( ( nReturn = CalculateMinSpnegoInitTokenSize( ulMechTokenLen, ulMechListMICLen, - MechType, ( ucContextFlags != 0L ), - &nTokenLength, &nInternalTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Allocate a buffer to hold the data. - pbTokenData = calloc( 1, nTokenLength ); - - if ( NULL != pbTokenData ) - { - - // Now write the token - if ( ( nReturn = CreateSpnegoInitToken( MechType, - ucContextFlags, pbMechToken, - ulMechTokenLen, pbMechListMIC, - ulMechListMICLen, pbTokenData, - nTokenLength, nInternalTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - - // This will copy our allocated pointer, and ensure that the sructure cleans - // up the data later - nReturn = InitTokenFromBinary( SPNEGO_TOKEN_INTERNAL_COPYPTR, - SPNEGO_TOKEN_INTERNAL_FLAGS_FREEDATA, - pbTokenData, nTokenLength, ppSpnegoToken ); - - } - - // Cleanup on failure - if ( SPNEGO_E_SUCCESS != nReturn ) - { - free( pbTokenData ); - } - - } // IF alloc succeeded - else - { - nReturn = SPNEGO_E_OUT_OF_MEMORY; - } - - } // If calculated token size - - } // IF Valid Parameters - - LOG(("spnegoCreateNegTokenInit returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoCreateNegTokenTarg -// -// Parameters: -// [in] MechType - MechType to specify in supported MechType element -// [in] spnegoNegResult - NegResult value -// [in] pbMechToken - Pointer to response MechToken Data -// [in] ulMechTokenLen - Length of MechToken Data -// [in] pbMechListMIC - Pointer to binary MechListMIC Data -// [in] ulMechListMICLen - Length of MechListMIC Data -// [out] phSpnegoToken - SPNEGO_TOKEN_HANDLE pointer -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Initializes a SPNEGO_TOKEN_HANDLE for a NegTokenTarg type -// from the supplied parameters. MechToken data can be NULL - if not, -// it must correspond to the MechType. MechListMIC can also be NULL. -// Returned data structure must be freed by calling spnegoFreeData(). -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoCreateNegTokenTarg( SPNEGO_MECH_OID MechType, - SPNEGO_NEGRESULT spnegoNegResult, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechListMIC, - unsigned long ulMechListMICLen, SPNEGO_TOKEN_HANDLE* phSpnegoToken ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - long nTokenLength = 0L; - long nInternalTokenLength = 0L; - unsigned char* pbTokenData = NULL; - SPNEGO_TOKEN** ppSpnegoToken = (SPNEGO_TOKEN**) phSpnegoToken; - - // - // spnego_mech_oid_NotUsed and spnego_negresult_NotUsed - // are okay here, however a valid MechOid is required - // if spnego_negresult_success or spnego_negresult_incomplete - // is specified. - // - - if ( NULL != ppSpnegoToken && - - ( IsValidMechOid( MechType ) || - spnego_mech_oid_NotUsed == MechType ) && - - ( IsValidNegResult( spnegoNegResult ) || - spnego_negresult_NotUsed == spnegoNegResult ) && - - !( !IsValidMechOid( MechType ) && - ( spnego_negresult_success == spnegoNegResult || - spnego_negresult_incomplete == spnegoNegResult ) ) ) - { - - // Get the actual token size - - if ( ( nReturn = CalculateMinSpnegoTargTokenSize( MechType, spnegoNegResult, ulMechTokenLen, - ulMechListMICLen, &nTokenLength, - &nInternalTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Allocate a buffer to hold the data. - pbTokenData = calloc( 1, nTokenLength ); - - if ( NULL != pbTokenData ) - { - - // Now write the token - if ( ( nReturn = CreateSpnegoTargToken( MechType, - spnegoNegResult, pbMechToken, - ulMechTokenLen, pbMechListMIC, - ulMechListMICLen, pbTokenData, - nTokenLength, nInternalTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - - // This will copy our allocated pointer, and ensure that the sructure cleans - // up the data later - nReturn = InitTokenFromBinary( SPNEGO_TOKEN_INTERNAL_COPYPTR, - SPNEGO_TOKEN_INTERNAL_FLAGS_FREEDATA, - pbTokenData, nTokenLength, ppSpnegoToken ); - - } - - // Cleanup on failure - if ( SPNEGO_E_SUCCESS != nReturn ) - { - free( pbTokenData ); - } - - } // IF alloc succeeded - else - { - nReturn = SPNEGO_E_OUT_OF_MEMORY; - } - - } // If calculated token size - - } // IF Valid Parameters - - LOG(("spnegoCreateNegTokenTarg returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoTokenGetBinary -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [out] pbTokenData - Buffer to copy token into -// [in/out] pulDataLen - Length of pbTokenData buffer, filled out -// with actual size used upon function return. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Copies binary SPNEGO token data from hSpnegoToken into the user -// supplied buffer. If pbTokenData is NULL, or the value in pulDataLen -// is too small, the function will return SPNEGO_E_BUFFER_TOO_SMALL and -// fill out pulDataLen with the minimum required buffer size. -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoTokenGetBinary( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pbTokenData, - unsigned long * pulDataLen ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - - // Check parameters - pbTokenData is optional - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != pulDataLen ) - { - - // Check for Buffer too small conditions - if ( NULL == pbTokenData || - pSpnegoToken->ulBinaryDataLen > *pulDataLen ) - { - *pulDataLen = pSpnegoToken->ulBinaryDataLen; - nReturn = SPNEGO_E_BUFFER_TOO_SMALL; - } - else - { - memcpy( pbTokenData, pSpnegoToken->pbBinaryData, pSpnegoToken->ulBinaryDataLen ); - *pulDataLen = pSpnegoToken->ulBinaryDataLen; - nReturn = SPNEGO_E_SUCCESS; - } - - } // IF parameters OK - - LOG(("spnegoTokenGetBinary returned %d\n",nReturn)); - return nReturn;; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoFreeData -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// -// Returns: -// void -// -// Comments : -// Frees up resources consumed by hSpnegoToken. The supplied data -// pointer is invalidated by this function. -// -//////////////////////////////////////////////////////////////////////////// - -void spnegoFreeData( SPNEGO_TOKEN_HANDLE hSpnegoToken ) -{ - FreeSpnegoToken( (SPNEGO_TOKEN*) hSpnegoToken); - return; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoGetTokenType -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [out] piTokenType - Filled out with token type value. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// The function will analyze hSpnegoToken and return the appropriate -// type in piTokenType. -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoGetTokenType( SPNEGO_TOKEN_HANDLE hSpnegoToken, int * piTokenType ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - - // Check parameters - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != piTokenType && - pSpnegoToken) - { - - // Check that the type in the structure makes sense - if ( SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType || - SPNEGO_TOKEN_TARG == pSpnegoToken->ucTokenType ) - { - *piTokenType = pSpnegoToken->ucTokenType; - nReturn = SPNEGO_E_SUCCESS; - } - - } // IF parameters OK - - LOG(("spnegoGetTokenType returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoIsMechTypeAvailable -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [in] MechOID - MechOID to search MechTypeList for -// [out] piMechTypeIndex - Filled out with index in MechTypeList -// element if MechOID is found. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// hSpnegoToken must reference a token of type NegTokenInit. The -// function will search the MechTypeList element for an OID corresponding -// to the specified MechOID. If one is found, the index (0 based) will -// be passed into the piMechTypeIndex parameter. -// -//////////////////////////////////////////////////////////////////////////// - -// Returns the Initial Mech Type in the MechList element in the NegInitToken. -int spnegoIsMechTypeAvailable( SPNEGO_TOKEN_HANDLE hSpnegoToken, SPNEGO_MECH_OID MechOID, int * piMechTypeIndex ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - - // Check parameters - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != piMechTypeIndex && - IsValidMechOid( MechOID ) && - SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType ) - { - - // Check if MechList is available - if ( pSpnegoToken->aElementArray[SPNEGO_INIT_MECHTYPES_ELEMENT].iElementPresent - == SPNEGO_TOKEN_ELEMENT_AVAILABLE ) - { - // Locate the MechOID in the list element - nReturn = FindMechOIDInMechList( - &pSpnegoToken->aElementArray[SPNEGO_INIT_MECHTYPES_ELEMENT], - MechOID, piMechTypeIndex ); - } - else - { - nReturn = SPNEGO_E_ELEMENT_UNAVAILABLE; - } - - } // IF parameters OK - - LOG(("spnegoIsMechTypeAvailable returned %d\n",nReturn)); - return nReturn;; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoGetContextFlags -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [out] pucContextFlags - Filled out with ContextFlags value. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// hSpnegoToken must reference a token of type NegTokenInit. The -// function will copy data from the ContextFlags element into the -// location pucContextFlags points to. Note that the function will -// fail if the actual ContextFlags data appears invalid. -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoGetContextFlags( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pucContextFlags ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - - // Check parameters - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != pucContextFlags && - SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType ) - { - - // Check if ContextFlags is available - if ( pSpnegoToken->aElementArray[SPNEGO_INIT_REQFLAGS_ELEMENT].iElementPresent - == SPNEGO_TOKEN_ELEMENT_AVAILABLE ) - { - // The length should be two, the value should show a 1 bit difference in the difference byte, and - // the value must be valid - if ( pSpnegoToken->aElementArray[SPNEGO_INIT_REQFLAGS_ELEMENT].nDatalength == SPNEGO_NEGINIT_MAXLEN_REQFLAGS && - pSpnegoToken->aElementArray[SPNEGO_INIT_REQFLAGS_ELEMENT].pbData[0] == SPNEGO_NEGINIT_REQFLAGS_BITDIFF && - IsValidContextFlags( pSpnegoToken->aElementArray[SPNEGO_INIT_REQFLAGS_ELEMENT].pbData[1] ) ) - { - *pucContextFlags = pSpnegoToken->aElementArray[SPNEGO_INIT_REQFLAGS_ELEMENT].pbData[1]; - nReturn = SPNEGO_E_SUCCESS; - } - else - { - nReturn = SPNEGO_E_INVALID_ELEMENT; - } - - } - else - { - nReturn = SPNEGO_E_ELEMENT_UNAVAILABLE; - } - - } // IF parameters OK - - LOG(("spnegoGetContextFlags returned %d\n",nReturn)); - return nReturn;; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoGetNegotiationResult -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [out] pnegResult - Filled out with NegResult value. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// hSpnegoToken must reference a token of type NegTokenTarg. The -// function will copy data from the NegResult element into the -// location pointed to by pnegResult. Note that the function will -// fail if the actual NegResult data appears invalid. -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoGetNegotiationResult( SPNEGO_TOKEN_HANDLE hSpnegoToken, SPNEGO_NEGRESULT* pnegResult ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - - // Check parameters - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != pnegResult && - SPNEGO_TOKEN_TARG == pSpnegoToken->ucTokenType ) - { - - // Check if NegResult is available - if ( pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].iElementPresent - == SPNEGO_TOKEN_ELEMENT_AVAILABLE ) - { - // Must be 1 byte long and a valid value - if ( pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].nDatalength == SPNEGO_NEGTARG_MAXLEN_NEGRESULT && - IsValidNegResult( *pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].pbData ) ) - { - *pnegResult = *pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].pbData; - nReturn = SPNEGO_E_SUCCESS; - } - else - { - nReturn = SPNEGO_E_INVALID_ELEMENT; - } - } - else - { - nReturn = SPNEGO_E_ELEMENT_UNAVAILABLE; - } - - } // IF parameters OK - - LOG(("spnegoGetNegotiationResult returned %d\n",nReturn)); - return nReturn;; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoGetSupportedMechType -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [out] pMechOID - Filled out with Supported MechType value. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// hSpnegoToken must reference a token of type NegTokenTarg. The -// function will check the Supported MechType element, and if it -// corresponds to a supported MechType ( spnego_mech_oid_Kerberos_V5_Legacy -// or spnego_mech_oid_Kerberos_V5 ), will set the location pointed -// to by pMechOID equal to the appropriate value. -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoGetSupportedMechType( SPNEGO_TOKEN_HANDLE hSpnegoToken, SPNEGO_MECH_OID* pMechOID ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - int nCtr = 0L; - long nLength = 0L; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - - // Check parameters - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != pMechOID && - SPNEGO_TOKEN_TARG == pSpnegoToken->ucTokenType ) - { - - // Check if MechList is available - if ( pSpnegoToken->aElementArray[SPNEGO_TARG_SUPPMECH_ELEMENT].iElementPresent - == SPNEGO_TOKEN_ELEMENT_AVAILABLE ) - { - - for ( nCtr = 0; - nReturn != SPNEGO_E_SUCCESS && - g_stcMechOIDList[nCtr].eMechanismOID != spnego_mech_oid_NotUsed; - nCtr++ ) - { - - if ( ( nReturn = ASNDerCheckOID( - pSpnegoToken->aElementArray[SPNEGO_TARG_SUPPMECH_ELEMENT].pbData, - nCtr, - pSpnegoToken->aElementArray[SPNEGO_TARG_SUPPMECH_ELEMENT].nDatalength, - &nLength ) ) == SPNEGO_E_SUCCESS ) - { - *pMechOID = nCtr; - } - - } // For enum MechOIDs - - - } - else - { - nReturn = SPNEGO_E_ELEMENT_UNAVAILABLE; - } - - } // IF parameters OK - - LOG(("spnegoGetSupportedMechType returned %d\n",nReturn)); - return nReturn;; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoTokenGetMechToken -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [out] pbTokenData - Buffer to copy MechToken into -// [in/out] pulDataLen - Length of pbTokenData buffer, filled out -// with actual size used upon function return. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// hSpnegoToken can point to either NegTokenInit or a NegTokenTarg token. -// The function will copy the MechToken (the initial MechToken if -// NegTokenInit, the response MechToken if NegTokenTarg) from the -// underlying token into the buffer pointed to by pbTokenData. If -// pbTokenData is NULL, or the value in pulDataLen is too small, the -// function will return SPNEGO_E_BUFFER_TOO_SMALL and fill out pulDataLen -// with the minimum required buffer size. The token can then be passed -// to a GSS-API function for processing. -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoGetMechToken( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pbTokenData, unsigned long* pulDataLen ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - SPNEGO_ELEMENT* pSpnegoElement = NULL; - - // Check parameters - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != pulDataLen ) - { - - // Point at the proper Element - if ( SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType ) - { - pSpnegoElement = &pSpnegoToken->aElementArray[SPNEGO_INIT_MECHTOKEN_ELEMENT]; - } - else - { - pSpnegoElement = &pSpnegoToken->aElementArray[SPNEGO_TARG_RESPTOKEN_ELEMENT]; - } - - // Check if MechType is available - if ( SPNEGO_TOKEN_ELEMENT_AVAILABLE == pSpnegoElement->iElementPresent ) - { - // Check for Buffer too small conditions - if ( NULL == pbTokenData || - pSpnegoElement->nDatalength > *pulDataLen ) - { - *pulDataLen = pSpnegoElement->nDatalength; - nReturn = SPNEGO_E_BUFFER_TOO_SMALL; - } - else - { - // Copy Memory - memcpy( pbTokenData, pSpnegoElement->pbData, pSpnegoElement->nDatalength ); - *pulDataLen = pSpnegoElement->nDatalength; - nReturn = SPNEGO_E_SUCCESS; - } - } - else - { - nReturn = SPNEGO_E_ELEMENT_UNAVAILABLE; - } - - } // IF parameters OK - - LOG(("spnegoGetMechToken returned %d\n",nReturn)); - return nReturn;; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// spnegoTokenGetMechListMIC -// -// Parameters: -// [in] hSpnegoToken - Initialized SPNEGO_TOKEN_HANDLE -// [out] pbTokenData - Buffer to copy MechListMIC data into -// [in/out] pulDataLen - Length of pbTokenData buffer, filled out -// with actual size used upon function return. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// hSpnegoToken can point to either NegTokenInit or a NegTokenTarg token. -// The function will copy the MechListMIC data from the underlying token -// into the buffer pointed to by pbTokenData. If pbTokenData is NULL, -// or the value in pulDataLen is too small, the function will return -// SPNEGO_E_BUFFER_TOO_SMALL and fill out pulDataLen with the minimum -// required buffer size. -// -//////////////////////////////////////////////////////////////////////////// - -int spnegoGetMechListMIC( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pbMICData, unsigned long* pulDataLen ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) hSpnegoToken; - SPNEGO_ELEMENT* pSpnegoElement = NULL; - - // Check parameters - if ( IsValidSpnegoToken( pSpnegoToken ) && - NULL != pulDataLen ) - { - - // Point at the proper Element - if ( SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType ) - { - pSpnegoElement = &pSpnegoToken->aElementArray[SPNEGO_INIT_MECHLISTMIC_ELEMENT]; - } - else - { - pSpnegoElement = &pSpnegoToken->aElementArray[SPNEGO_TARG_MECHLISTMIC_ELEMENT]; - } - - // Check if MechType is available - if ( SPNEGO_TOKEN_ELEMENT_AVAILABLE == pSpnegoElement->iElementPresent ) - { - // Check for Buffer too small conditions - if ( NULL == pbMICData || - pSpnegoElement->nDatalength > *pulDataLen ) - { - *pulDataLen = pSpnegoElement->nDatalength; - nReturn = SPNEGO_E_BUFFER_TOO_SMALL; - } - else - { - // Copy Memory - memcpy( pbMICData, pSpnegoElement->pbData, pSpnegoElement->nDatalength ); - *pulDataLen = pSpnegoElement->nDatalength; - nReturn = SPNEGO_E_SUCCESS; - } - } - else - { - nReturn = SPNEGO_E_ELEMENT_UNAVAILABLE; - } - - } // IF parameters OK - - LOG(("spnegoGetMechListMIC returned %d\n",nReturn)); - return nReturn;; -} - diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.h squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.h --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.h 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.h 1970-01-01 12:00:00.000000000 +1200 @@ -1,247 +0,0 @@ -// Copyright (C) 2002 Microsoft Corporation -// All rights reserved. -// -// THIS CODE AND INFORMATION IS PROVIDED "AS IS" -// WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -// OR IMPLIED, INCLUDING BUT NOT LIMITED -// TO THE IMPLIED WARRANTIES OF MERCHANTIBILITY -// AND/OR FITNESS FOR A PARTICULAR PURPOSE. -// -// Date - 10/08/2002 -// Author - Sanj Surati - -///////////////////////////////////////////////////////////// -// -// SPNEGO.H -// -// SPNEGO Token Handler Header File -// -// Contains the definitions required to interpret and create -// SPNEGO tokens so that Kerberos GSS tokens can be -// Unpackaged/packaged. -// -///////////////////////////////////////////////////////////// - -#ifndef __SPNEGO_H__ -#define __SPNEGO_H__ - -// C++ Specific -#if defined(__cplusplus) -extern "C" -{ -#endif - -// Type Definitions - -// -// Users of SPNEGO Token Handler API will request -// these as well as free them, -// -typedef void* SPNEGO_TOKEN_HANDLE; - -// -// Defines the element types that are found -// in each of the tokens. -// - -typedef enum spnego_element_type -{ - spnego_element_min, // Lower bound - - // Init token elements - spnego_init_mechtypes, - spnego_init_reqFlags, - spnego_init_mechToken, - spnego_init_mechListMIC, - - // Targ token elements - spnego_targ_negResult, - spnego_targ_supportedMech, - spnego_targ_responseToken, - spnego_targ_mechListMIC, - - spnego_element_max // Upper bound - -} SPNEGO_ELEMENT_TYPE; - -// -// Token Element Availability. Elements in both -// token types are optional. Since there are only -// 4 elements in each Token, we will allocate space -// to hold the information, but we need a way to -// indicate whether or not an element is available -// - -#define SPNEGO_TOKEN_ELEMENT_UNAVAILABLE 0 -#define SPNEGO_TOKEN_ELEMENT_AVAILABLE 1 - -// -// Token type values. SPNEGO has 2 token types: -// NegTokenInit and NegTokenTarg -// - -#define SPNEGO_TOKEN_INIT 0 -#define SPNEGO_TOKEN_TARG 1 - -// -// GSS Mechanism OID enumeration. We only really handle -// 3 different OIDs. These are stored in an array structure -// defined in the parsing code. -// - -typedef enum spnego_mech_oid -{ - // Init token elements - spnego_mech_oid_Kerberos_V5_Legacy, // Really V5, but OID off by 1 bit - spnego_mech_oid_Kerberos_V5, - spnego_mech_oid_Spnego, - spnego_mech_oid_NotUsed = -1 - -} SPNEGO_MECH_OID; - -// -// Defines the negResult values. -// - -typedef enum spnego_negResult -{ - spnego_negresult_success, - spnego_negresult_incomplete, - spnego_negresult_rejected, - spnego_negresult_NotUsed = -1 -} SPNEGO_NEGRESULT; - -// -// Context Flags in NegTokenInit -// - -// -// ContextFlags values MUST be zero or a combination -// of the below -// - -#define SPNEGO_NEGINIT_CONTEXT_DELEG_FLAG 0x80 -#define SPNEGO_NEGINIT_CONTEXT_MUTUAL_FLAG 0x40 -#define SPNEGO_NEGINIT_CONTEXT_REPLAY_FLAG 0x20 -#define SPNEGO_NEGINIT_CONTEXT_SEQUENCE_FLAG 0x10 -#define SPNEGO_NEGINIT_CONTEXT_ANON_FLAG 0x8 -#define SPNEGO_NEGINIT_CONTEXT_CONF_FLAG 0x4 -#define SPNEGO_NEGINIT_CONTEXT_INTEG_FLAG 0x2 - -// -// Mask to retrieve valid values. -// - -#define SPNEGO_NEGINIT_CONTEXT_MASK 0xFE // Logical combination of above flags - -// -// SPNEGO API return codes. -// - -// API function was successful -#define SPNEGO_E_SUCCESS 0 - -// The supplied Token was invalid -#define SPNEGO_E_INVALID_TOKEN -1 - -// An invalid length was encountered -#define SPNEGO_E_INVALID_LENGTH -2 - -// The Token Parse failed -#define SPNEGO_E_PARSE_FAILED -3 - -// The requested value was not found -#define SPNEGO_E_NOT_FOUND -4 - -// The requested element is not available -#define SPNEGO_E_ELEMENT_UNAVAILABLE -5 - -// Out of Memory -#define SPNEGO_E_OUT_OF_MEMORY -6 - -// Not Implemented -#define SPNEGO_E_NOT_IMPLEMENTED -7 - -// Invalid Parameter -#define SPNEGO_E_INVALID_PARAMETER -8 - -// Token Handler encountered an unexpected OID -#define SPNEGO_E_UNEXPECTED_OID -9 - -// The requested token was not found -#define SPNEGO_E_TOKEN_NOT_FOUND -10 - -// An unexpected type was encountered in the encoding -#define SPNEGO_E_UNEXPECTED_TYPE -11 - -// The buffer was too small -#define SPNEGO_E_BUFFER_TOO_SMALL -12 - -// A Token Element was invalid (e.g. improper length or value) -#define SPNEGO_E_INVALID_ELEMENT -13 - -/* Miscelaneous API Functions */ - -// Frees opaque data -void spnegoFreeData( SPNEGO_TOKEN_HANDLE hSpnegoToken ); - -// Initializes SPNEGO_TOKEN structure from DER encoded binary data -int spnegoInitFromBinary( unsigned char* pbTokenData, unsigned long ulLength, SPNEGO_TOKEN_HANDLE* phSpnegoToken ); - -// Initializes SPNEGO_TOKEN structure for a NegTokenInit type using the -// supplied parameters -int spnegoCreateNegTokenInit( SPNEGO_MECH_OID MechType, - unsigned char ucContextFlags, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechTokenMIC, - unsigned long ulMechTokenMIC, SPNEGO_TOKEN_HANDLE* phSpnegoToken ); - -// Initializes SPNEGO_TOKEN structure for a NegTokenTarg type using the -// supplied parameters -int spnegoCreateNegTokenTarg( SPNEGO_MECH_OID MechType, - SPNEGO_NEGRESULT spnegoNegResult, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechListMIC, - unsigned long ulMechListMICLen, SPNEGO_TOKEN_HANDLE* phSpnegoToken ); - -// Copies binary representation of SPNEGO Data into user supplied buffer -int spnegoTokenGetBinary( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pbTokenData, - unsigned long * pulDataLen ); - -// Returns SPNEGO Token Type -int spnegoGetTokenType( SPNEGO_TOKEN_HANDLE hSpnegoToken, int * piTokenType ); - -/* Reading an Init Token */ - -// Returns the Initial Mech Type in the MechList element in the NegInitToken. -int spnegoIsMechTypeAvailable( SPNEGO_TOKEN_HANDLE hSpnegoToken, SPNEGO_MECH_OID MechOID, int * piMechTypeIndex ); - -// Returns the value from the context flags element in the NegInitToken as an unsigned long -int spnegoGetContextFlags( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pucContextFlags ); - -/* Reading a Response Token */ - -// Returns the value from the negResult element (Status code of GSS call - 0,1,2) -int spnegoGetNegotiationResult( SPNEGO_TOKEN_HANDLE hSpnegoToken, SPNEGO_NEGRESULT* pnegResult ); - -// Returns the Supported Mech Type from the NegTokenTarg. -int spnegoGetSupportedMechType( SPNEGO_TOKEN_HANDLE hSpnegoToken, SPNEGO_MECH_OID* pMechOID ); - -/* Reading either Token Type */ - -// Returns the actual Mechanism data from the token (this is what is passed into GSS-API functions -int spnegoGetMechToken( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pbTokenData, unsigned long* pulDataLen ); - -// Returns the Message Integrity BLOB in the token -int spnegoGetMechListMIC( SPNEGO_TOKEN_HANDLE hSpnegoToken, unsigned char* pbMICData, unsigned long* pulDataLen ); - -// C++ Specific -#if defined(__cplusplus) -} -#endif -#ifdef DEBUG -#include - #define PRERR(...) fprintf(stderr, __VA_ARGS__) - #define LOG(x) PRERR x -#else - #define LOG(x) -#endif -#endif diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c 1970-01-01 12:00:00.000000000 +1200 @@ -1,263 +0,0 @@ -/* ----------------------------------------------------------------------------- - * spnegohelp.c defines RFC 2478 SPNEGO GSS-API mechanism APIs. - * - * Author: Frank Balluffi - * - * Copyright (C) 2002-2003 All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. - * - * ----------------------------------------------------------------------------- - */ - -#include "spnegohelp.h" -#include "spnego.h" - -#include - -int makeNegTokenTarg (const unsigned char * kerberosToken, - size_t kerberosTokenLength, - const unsigned char ** negTokenTarg, - size_t * negTokenTargLength) -{ - SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL; - int rc1 = 1; - int rc2 = SPNEGO_E_SUCCESS; - - /* Check arguments. */ - - if (!kerberosToken || - !negTokenTarg || - !negTokenTargLength) - return 10; - - /* Does IIS reply with 1.2.840.48018.1.2.2 or 1.2.840.113554.1.2.2? */ - - /* Does IIS always reply with accept_completed? */ - - /* IIS does not include a MIC. */ - - rc2 = spnegoCreateNegTokenTarg (spnego_mech_oid_Kerberos_V5_Legacy, - spnego_negresult_success, - (unsigned char *) kerberosToken, - kerberosTokenLength, - NULL, - 0, - &hSpnegoToken); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+100; - goto cleanup; - } - - /* Get NegTokenTarg length. */ - - rc2 = spnegoTokenGetBinary (hSpnegoToken, - NULL, - (unsigned long*) negTokenTargLength); - - if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL) - { - rc1 = abs(rc2)+200; - goto cleanup; - } - - *negTokenTarg = malloc (*negTokenTargLength); - - if (!*negTokenTarg) - { - rc1 = abs(rc2)+300; - goto cleanup; - } - - /* Get NegTokenTarg data. */ - - rc2 = spnegoTokenGetBinary (hSpnegoToken, - (unsigned char *) *negTokenTarg, - (unsigned long*) negTokenTargLength); - - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+400; - goto error; - } - - rc1 = 0; - - goto cleanup; - -error: - - if (*negTokenTarg) - { - free ((unsigned char *) *negTokenTarg); - *negTokenTarg = NULL; - *negTokenTargLength = 0; - } - -cleanup: - - if (hSpnegoToken) - spnegoFreeData (hSpnegoToken); - - LOG(("makeNegTokenTarg returned %d\n",rc1)); - return rc1; -} - -int parseNegTokenInit (const unsigned char * negTokenInit, - size_t negTokenInitLength, - const unsigned char ** kerberosToken, - size_t * kerberosTokenLength) -{ - SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL; - int pindex = -1; - int rc1 = 1; - int rc2 = SPNEGO_E_SUCCESS; - unsigned char reqFlags = 0; - int tokenType = 0; - - /* Check arguments. */ - - if (!negTokenInit || - !kerberosToken || - !kerberosTokenLength) - return 10; - - /* Decode SPNEGO token. */ - - rc2 = spnegoInitFromBinary ((unsigned char *) negTokenInit, - negTokenInitLength, - &hSpnegoToken); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+100; - goto cleanup; - } - - /* Check for negTokenInit choice. */ - - rc2 = spnegoGetTokenType (hSpnegoToken, - &tokenType); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+200; - goto cleanup; - } - - if (tokenType != SPNEGO_TOKEN_INIT) - { - rc1 = abs(rc2)+300; - goto cleanup; - } - - /* - Check that first mechType is 1.2.840.113554.1.2.2 or 1.2.840.48018.1.2.2. - */ - - /* - IE seems to reply with 1.2.840.48018.1.2.2 and then 1.2.840.113554.1.2.2. - */ - - rc2 = spnegoIsMechTypeAvailable (hSpnegoToken, - spnego_mech_oid_Kerberos_V5_Legacy, - &pindex); - - if (rc2 != SPNEGO_E_SUCCESS || - pindex != 0) - { - rc2 = spnegoIsMechTypeAvailable (hSpnegoToken, - spnego_mech_oid_Kerberos_V5, - &pindex); - - if (rc2 != SPNEGO_E_SUCCESS || - pindex != 0) - { - rc1 = abs(rc2)+400; - goto cleanup; - } - } - - /* Check for no reqFlags. */ - - /* Does IE ever send reqFlags? */ - - rc2 = spnegoGetContextFlags (hSpnegoToken, - &reqFlags); - - if (rc2 == SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+500; - goto cleanup; - } - - /* Get mechanism token length. */ - - rc2 = spnegoGetMechToken (hSpnegoToken, - NULL, - (unsigned long*) kerberosTokenLength); - - if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL) - { - rc1 = abs(rc2)+600; - goto cleanup; - } - - *kerberosToken = malloc (*kerberosTokenLength); - - if (!*kerberosToken) - { - rc1 = abs(rc2)+700; - goto cleanup; - } - - /* Get mechanism token data. */ - - rc2 = spnegoGetMechToken (hSpnegoToken, - (unsigned char *) *kerberosToken, - (unsigned long*) kerberosTokenLength); - - if (rc2 != SPNEGO_E_SUCCESS) - { - rc1 = abs(rc2)+800; - goto error; - } - - /* According to Microsoft, IE does not send a MIC. */ - - rc1 = 0; - - goto cleanup; - -error: - - if (*kerberosToken) - { - free ((unsigned char *) *kerberosToken); - *kerberosToken = NULL; - *kerberosTokenLength = 0; - } - -cleanup: - - if (hSpnegoToken) - spnegoFreeData (hSpnegoToken); - - LOG(("parseNegTokenInit returned %d\n",rc1)); - return rc1; -} diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h 1970-01-01 12:00:00.000000000 +1200 @@ -1,58 +0,0 @@ -/* ----------------------------------------------------------------------------- - * spnegohelp.c declares RFC 2478 SPNEGO GSS-API mechanism APIs. - * - * Author: Frank Balluffi - * - * Copyright (C) 2002-2003. All rights reserved. - * ----------------------------------------------------------------------------- - */ - -#ifndef SPNEGOHELP_H -#define SPNEGOHELP_H - -#ifdef __cplusplus -extern "C" { -#endif - -#include - -/* ----------------------------------------------------------------------------- - * makeNegTokenTarg makes an RFC 2478 SPNEGO NegTokenTarg (token) from an - * RFC 1964 Kerberos GSS-API token. - * - * If makeNegTokenTarg is successful, call free (*negTokenTarg) to free the - * memory allocated by parseNegTokenInit. - * - * Returns 0 if successful, 1 otherwise. - * ----------------------------------------------------------------------------- - */ - -int makeNegTokenTarg (const unsigned char * kerberosToken, - size_t kerberosTokenLength, - const unsigned char ** negTokenTarg, - size_t * negTokenTargLength); - -/* ----------------------------------------------------------------------------- - * parseNegTokenInit parses an RFC 2478 SPNEGO NegTokenInit (token) to extract - * an RFC 1964 Kerberos GSS-API token. - * - * If the NegTokenInit does cotain a Kerberos GSS-API token, parseNegTokenInit - * returns an error. - * - * If parseNegTokenInit is successful, call free (*kerberosToken) to - * free the memory allocated by parseNegTokenInit. - * - * Returns 0 if successful, 1 otherwise. - * ----------------------------------------------------------------------------- - */ - -int parseNegTokenInit (const unsigned char * negTokenInit, - size_t negTokenInitLength, - const unsigned char ** kerberosToken, - size_t * kerberosTokenLength); - -#ifdef __cplusplus -} -#endif - -#endif /* SPNEGOHELP_H */ diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.c squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.c --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.c 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.c 1970-01-01 12:00:00.000000000 +1200 @@ -1,1880 +0,0 @@ -// Copyright (C) 2002 Microsoft Corporation -// All rights reserved. -// -// THIS CODE AND INFORMATION IS PROVIDED "AS IS" -// WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -// OR IMPLIED, INCLUDING BUT NOT LIMITED -// TO THE IMPLIED WARRANTIES OF MERCHANTIBILITY -// AND/OR FITNESS FOR A PARTICULAR PURPOSE. -// -// Date - 10/08/2002 -// Author - Sanj Surati - -///////////////////////////////////////////////////////////// -// -// SPNEGOPARSE.C -// -// SPNEGO Token Handler Source File -// -// Contains implementation of SPNEGO Token parsing functions. -// -///////////////////////////////////////////////////////////// - -#include -#include -#include -#include "spnego.h" -#include "derparse.h" -#include "spnegoparse.h" - -// -// Defined in DERPARSE.C -// - -extern MECH_OID g_stcMechOIDList []; - -/**********************************************************************/ -/** **/ -/** **/ -/** **/ -/** **/ -/** Local SPNEGO Helper definitions **/ -/** **/ -/** **/ -/** **/ -/** **/ -/**********************************************************************/ - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// CalculateMinSpnegoInitTokenSize -// -// Parameters: -// [in] nMechTokenLength - Length of the MechToken Element -// [in] nMechListMICLength - Length of the MechListMIC Element -// [in] mechOID - OID for MechList -// [in] nReqFlagsAvailable - Is ContextFlags element available -// [out] pnTokenSize - Filled out with total size of token -// [out] pnInternalTokenLength - Filled out with length minus length -// for initial token. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Calculates the required length for a SPNEGO NegTokenInit token based -// on the supplied variable length values and which elements are present. -// Note that because the lengths can be represented by an arbitrary -// number of bytes in DER encodings, we actually calculate the lengths -// backwards, so we always know how many bytes we will potentially be -// writing out. -// -//////////////////////////////////////////////////////////////////////////// - -int CalculateMinSpnegoInitTokenSize( long nMechTokenLength, - long nMechListMICLength, SPNEGO_MECH_OID mechOid, - int nReqFlagsAvailable, long* pnTokenSize, - long* pnInternalTokenLength ) -{ - int nReturn = SPNEGO_E_INVALID_LENGTH; - - // Start at 0. - long nTotalLength = 0; - long nTempLength= 0L; - - // We will calculate this by walking the token backwards - - // Start with MIC Element - if ( nMechListMICLength > 0L ) - { - nTempLength = ASNDerCalcElementLength( nMechListMICLength, NULL ); - - // Check for rollover error - if ( nTempLength < nMechListMICLength ) - { - goto xEndTokenInitLength; - } - - nTotalLength += nTempLength; - } - - // Next is the MechToken - if ( nMechTokenLength > 0L ) - { - nTempLength += ASNDerCalcElementLength( nMechTokenLength, NULL ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenInitLength; - } - - nTotalLength = nTempLength; - } - - // Next is the ReqFlags - if ( nReqFlagsAvailable ) - { - nTempLength += ASNDerCalcElementLength( SPNEGO_NEGINIT_MAXLEN_REQFLAGS, NULL ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenInitLength; - } - - nTotalLength = nTempLength; - } - - // Next is the MechList - This is REQUIRED - nTempLength += ASNDerCalcMechListLength( mechOid, NULL ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenInitLength; - } - - nTotalLength = nTempLength; - - // Following four fields are the basic header tokens - - // Sequence Token - nTempLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenInitLength; - } - - nTotalLength = nTempLength; - - // Neg Token Identifier Token - nTempLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenInitLength; - } - - nTotalLength = nTempLength; - - // SPNEGO OID Token - nTempLength += g_stcMechOIDList[spnego_mech_oid_Spnego].iLen; - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenInitLength; - } - - nTotalLength = nTempLength; - - // App Constructed Token - nTempLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenInitLength; - } - - // The internal length doesn't include the number of bytes - // for the initial token - *pnInternalTokenLength = nTotalLength; - nTotalLength = nTempLength; - - // We're done - *pnTokenSize = nTotalLength; - nReturn = SPNEGO_E_SUCCESS; - -xEndTokenInitLength: - - LOG(("CalculateMinSpnegoInitTokenSize returned %d\n",nReturn)); - return nReturn; - -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// CreateSpnegoInitToken -// -// Parameters: -// [in] MechType - OID in MechList -// [in] ucContextFlags - ContextFlags value -// [in] pbMechToken - Mech Token Binary Data -// [in] ulMechTokenLen - Length of Mech Token -// [in] pbMechListMIC - MechListMIC Binary Data -// [in] ulMechListMICn - Length of MechListMIC -// [out] pbTokenData - Buffer to write token into. -// [in] nTokenLength - Length of pbTokenData buffer -// [in] nInternalTokenLength - Length of full token without leading -// token bytes. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Uses DER to fill out pbTokenData with a SPNEGO NegTokenInit Token -// Note that because the lengths can be represented by an arbitrary -// number of bytes in DER encodings, we actually calculate the lengths -// backwards, so we always know how many bytes we will potentially be -// writing out. -// -//////////////////////////////////////////////////////////////////////////// - -int CreateSpnegoInitToken( SPNEGO_MECH_OID MechType, - unsigned char ucContextFlags, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechListMIC, - unsigned long ulMechListMICLen, unsigned char* pbTokenData, - long nTokenLength, long nInternalTokenLength ) -{ - int nReturn = SPNEGO_E_INVALID_LENGTH; - - // Start at 0. - long nTempLength= 0L; - long nTotalBytesWritten = 0L; - long nInternalLength = 0L; - - unsigned char* pbWriteTokenData = pbTokenData + nTokenLength; - - // Temporary buffer to hold the REQ Flags as BIT String Data - unsigned char abTempReqFlags[SPNEGO_NEGINIT_MAXLEN_REQFLAGS]; - - - // We will write the token out backwards to properly handle the cases - // where the length bytes become adjustable - - // Start with MIC Element - if ( ulMechListMICLen > 0L ) - { - nTempLength = ASNDerCalcElementLength( ulMechListMICLen, &nInternalLength ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteElement( pbWriteTokenData, SPNEGO_NEGINIT_ELEMENT_MECHLISTMIC, - OCTETSTRING, pbMechListMIC, ulMechListMICLen ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenInit; - } - - } // IF MechListMIC is present - - // Next is the MechToken - if ( ulMechTokenLen > 0L ) - { - nTempLength = ASNDerCalcElementLength( ulMechTokenLen, &nInternalLength ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteElement( pbWriteTokenData, SPNEGO_NEGINIT_ELEMENT_MECHTOKEN, - OCTETSTRING, pbMechToken, ulMechTokenLen ); - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenInit; - } - - } // IF MechToken Length is present - - // Next is the ReqFlags - if ( ucContextFlags > 0L ) - { - - nTempLength = ASNDerCalcElementLength( SPNEGO_NEGINIT_MAXLEN_REQFLAGS, &nInternalLength ); - - // We need a byte that indicates how many bits difference between the number - // of bits used in final octet (we only have one) and the max (8) - - abTempReqFlags[0] = SPNEGO_NEGINIT_REQFLAGS_BITDIFF; - abTempReqFlags[1] = ucContextFlags; - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteElement( pbWriteTokenData, SPNEGO_NEGINIT_ELEMENT_REQFLAGS, - BITSTRING, abTempReqFlags, SPNEGO_NEGINIT_MAXLEN_REQFLAGS ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenInit; - } - - } // IF ContextFlags - - // Next is the MechList - This is REQUIRED - nTempLength = ASNDerCalcMechListLength( MechType, &nInternalLength ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteMechList( pbWriteTokenData, MechType ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenInit; - } - - // The next tokens we're writing out reflect the total number of bytes - // we have actually written out. - - // Sequence Token - nTempLength = ASNDerCalcTokenLength( nTotalBytesWritten, 0L ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteToken( pbWriteTokenData, SPNEGO_CONSTRUCTED_SEQUENCE, - NULL, nTotalBytesWritten ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenInit; - } - - // Neg Init Token Identifier Token - nTempLength = ASNDerCalcTokenLength( nTotalBytesWritten, 0L ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteToken( pbWriteTokenData, SPNEGO_NEGINIT_TOKEN_IDENTIFIER, - NULL, nTotalBytesWritten ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenInit; - } - - // SPNEGO OID Token - nTempLength = g_stcMechOIDList[spnego_mech_oid_Spnego].iLen; - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteOID( pbWriteTokenData, spnego_mech_oid_Spnego ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenInit; - } - - // App Constructed Token - nTempLength = ASNDerCalcTokenLength( nTotalBytesWritten, 0L ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteToken( pbWriteTokenData, SPNEGO_NEGINIT_APP_CONSTRUCT, - NULL, nTotalBytesWritten ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - - // Don't adjust the internal token length here, it doesn't account - // the initial bytes written out (we really don't need to keep - // a running count here, but for debugging, it helps to be able - // to see the total number of bytes written out as well as the - // number of bytes left to write). - - if ( nTotalBytesWritten == nTokenLength && nInternalTokenLength == 0 && - pbWriteTokenData == pbTokenData ) - { - nReturn = SPNEGO_E_SUCCESS; - } - -xEndWriteNegTokenInit: - - LOG(("CreateSpnegoInitToken returned %d\n",nReturn)); - return nReturn; - -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// CalculateMinSpnegoTargTokenSize -// -// Parameters: -// [in] MechType - Supported MechType -// [in] spnegoNegResult - Neg Result -// [in] nMechTokenLength - Length of the MechToken Element -// [in] nMechListMICLength - Length of the MechListMIC Element -// [out] pnTokenSize - Filled out with total size of token -// [out] pnInternalTokenLength - Filled out with length minus length -// for initial token. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Calculates the required length for a SPNEGO NegTokenTarg token based -// on the supplied variable length values and which elements are present. -// Note that because the lengths can be represented by an arbitrary -// number of bytes in DER encodings, we actually calculate the lengths -// backwards, so we always know how many bytes we will potentially be -// writing out. -// -//////////////////////////////////////////////////////////////////////////// - -int CalculateMinSpnegoTargTokenSize( SPNEGO_MECH_OID MechType, - SPNEGO_NEGRESULT spnegoNegResult, long nMechTokenLen, - long nMechListMICLen, long* pnTokenSize, - long* pnInternalTokenLength ) -{ - int nReturn = SPNEGO_E_INVALID_LENGTH; - - // Start at 0. - long nTotalLength = 0; - long nTempLength= 0L; - - // We will calculate this by walking the token backwards - - // Start with MIC Element - if ( nMechListMICLen > 0L ) - { - nTempLength = ASNDerCalcElementLength( nMechListMICLen, NULL ); - - // Check for rollover error - if ( nTempLength < nMechListMICLen ) - { - goto xEndTokenTargLength; - } - - nTotalLength += nTempLength; - } - - // Next is the MechToken - if ( nMechTokenLen > 0L ) - { - nTempLength += ASNDerCalcElementLength( nMechTokenLen, NULL ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenTargLength; - } - - nTotalLength = nTempLength; - } - - // Supported MechType - if ( spnego_mech_oid_NotUsed != MechType ) - { - // Supported MechOID element - we use the token function since - // we already know the size of the OID token and value - nTempLength += ASNDerCalcElementLength( g_stcMechOIDList[MechType].iActualDataLen, - NULL ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenTargLength; - } - - nTotalLength = nTempLength; - - } // IF MechType is available - - // NegResult Element - if ( spnego_negresult_NotUsed != spnegoNegResult ) - { - nTempLength += ASNDerCalcElementLength( SPNEGO_NEGTARG_MAXLEN_NEGRESULT, NULL ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenTargLength; - } - - nTotalLength = nTempLength; - - } // IF negResult is available - - // Following two fields are the basic header tokens - - // Sequence Token - nTempLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenTargLength; - } - - nTotalLength = nTempLength; - - // Neg Token Identifier Token - nTempLength += ASNDerCalcTokenLength( nTotalLength, 0L ); - - // Check for rollover error - if ( nTempLength < nTotalLength ) - { - goto xEndTokenTargLength; - } - - // The internal length doesn't include the number of bytes - // for the initial token - *pnInternalTokenLength = nTotalLength; - nTotalLength = nTempLength; - - // We're done - *pnTokenSize = nTotalLength; - nReturn = SPNEGO_E_SUCCESS; - -xEndTokenTargLength: - - LOG(("CalculateMinSpnegoTargTokenSize returned %d\n",nReturn)); - return nReturn; - -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// CreateSpnegoTargToken -// -// Parameters: -// [in] MechType - Supported MechType -// [in] eNegResult - NegResult value -// [in] pbMechToken - Mech Token Binary Data -// [in] ulMechTokenLen - Length of Mech Token -// [in] pbMechListMIC - MechListMIC Binary Data -// [in] ulMechListMICn - Length of MechListMIC -// [out] pbTokenData - Buffer to write token into. -// [in] nTokenLength - Length of pbTokenData buffer -// [in] nInternalTokenLength - Length of full token without leading -// token bytes. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Uses DER to fill out pbTokenData with a SPNEGO NegTokenTarg Token -// Note that because the lengths can be represented by an arbitrary -// number of bytes in DER encodings, we actually calculate the lengths -// backwards, so we always know how many bytes we will potentially be -// writing out. -// -//////////////////////////////////////////////////////////////////////////// - -int CreateSpnegoTargToken( SPNEGO_MECH_OID MechType, - SPNEGO_NEGRESULT eNegResult, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechListMIC, - unsigned long ulMechListMICLen, unsigned char* pbTokenData, - long nTokenLength, long nInternalTokenLength ) -{ - int nReturn = SPNEGO_E_INVALID_LENGTH; - - // Start at 0. - long nTempLength= 0L; - long nTotalBytesWritten = 0L; - long nInternalLength = 0L; - - unsigned char ucTemp = 0; - - // We will write the token out backwards to properly handle the cases - // where the length bytes become adjustable, so the write location - // is initialized to point *just* past the end of the buffer. - - unsigned char* pbWriteTokenData = pbTokenData + nTokenLength; - - - // Start with MIC Element - if ( ulMechListMICLen > 0L ) - { - nTempLength = ASNDerCalcElementLength( ulMechListMICLen, &nInternalLength ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteElement( pbWriteTokenData, SPNEGO_NEGTARG_ELEMENT_MECHLISTMIC, - OCTETSTRING, pbMechListMIC, ulMechListMICLen ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenTarg; - } - - } // IF MechListMIC is present - - // Next is the MechToken - if ( ulMechTokenLen > 0L ) - { - nTempLength = ASNDerCalcElementLength( ulMechTokenLen, &nInternalLength ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteElement( pbWriteTokenData, SPNEGO_NEGTARG_ELEMENT_RESPONSETOKEN, - OCTETSTRING, pbMechToken, ulMechTokenLen ); - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenTarg; - } - - } // IF MechToken Length is present - - // Supported Mech Type - if ( spnego_mech_oid_NotUsed != MechType ) - { - - nTempLength = ASNDerCalcElementLength( g_stcMechOIDList[MechType].iActualDataLen, - &nInternalLength ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteToken( pbWriteTokenData, SPNEGO_NEGTARG_ELEMENT_SUPPORTEDMECH, - g_stcMechOIDList[MechType].ucOid, - g_stcMechOIDList[MechType].iLen ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenTarg; - } - - } // IF MechType is present - - // Neg Result - // NegResult Element - if ( spnego_negresult_NotUsed != eNegResult ) - { - ucTemp = (unsigned char) eNegResult; - - nTempLength = ASNDerCalcElementLength( SPNEGO_NEGTARG_MAXLEN_NEGRESULT, &nInternalLength ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteElement( pbWriteTokenData, SPNEGO_NEGTARG_ELEMENT_NEGRESULT, - ENUMERATED, &ucTemp, SPNEGO_NEGTARG_MAXLEN_NEGRESULT ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenTarg; - } - - } // If eNegResult is available - - // The next tokens we're writing out reflect the total number of bytes - // we have actually written out. - - // Sequence Token - nTempLength = ASNDerCalcTokenLength( nTotalBytesWritten, 0L ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteToken( pbWriteTokenData, SPNEGO_CONSTRUCTED_SEQUENCE, - NULL, nTotalBytesWritten ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - nInternalTokenLength -= nTempLength; - - if ( nTotalBytesWritten > nTokenLength || nInternalTokenLength < 0 ) - { - goto xEndWriteNegTokenTarg; - } - - // Neg Targ Token Identifier Token - nTempLength = ASNDerCalcTokenLength( nTotalBytesWritten, 0L ); - - // Decrease the pbWriteTokenData, now we know the length and - // write it out. - pbWriteTokenData -= nTempLength; - nTempLength = ASNDerWriteToken( pbWriteTokenData, SPNEGO_NEGTARG_TOKEN_IDENTIFIER, - NULL, nTotalBytesWritten ); - - // Adjust Values and sanity check - nTotalBytesWritten += nTempLength; - - // Don't adjust the internal token length here, it doesn't account - // the initial bytes written out (we really don't need to keep - // a running count here, but for debugging, it helps to be able - // to see the total number of bytes written out as well as the - // number of bytes left to write). - - if ( nTotalBytesWritten == nTokenLength && nInternalTokenLength == 0 && - pbWriteTokenData == pbTokenData ) - { - nReturn = SPNEGO_E_SUCCESS; - } - - -xEndWriteNegTokenTarg: - - LOG(("CreateSpnegoTargToken returned %d\n",nReturn)); - return nReturn; - - -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// AllocEmptySpnegoToken -// -// Parameters: -// [in] ucCopyData - Flag to copy data or pointer. -// [in] ulFlags - Flags for SPNEGO_TOKEN data member. -// [in] pbTokenData - Binary token data. -// [in] ulTokenSize - Size of pbTokenData. -// -// Returns: -// SPNEGO_TOKEN* Success - Pointer to initialized SPNEGO_TOKEN struct -// Failure - NULL -// -// Comments : -// Allocates a SPNEGO_TOKEN data structure and initializes it. Based on -// the value of ucCopyData, if non-zero, we copy the data into a buffer -// we allocate in this function, otherwise, we copy the data pointer -// direcly. -// -//////////////////////////////////////////////////////////////////////////// - -SPNEGO_TOKEN* AllocEmptySpnegoToken( unsigned char ucCopyData, unsigned long ulFlags, - unsigned char * pbTokenData, unsigned long ulTokenSize ) -{ - SPNEGO_TOKEN* pSpnegoToken = (SPNEGO_TOKEN*) calloc( 1, sizeof(SPNEGO_TOKEN) ); - - if ( NULL != pSpnegoToken ) - { - // Set the token size - pSpnegoToken->nStructSize = SPNEGO_TOKEN_SIZE; - - // Initialize the element array - InitSpnegoTokenElementArray( pSpnegoToken ); - - // Assign the flags value - pSpnegoToken->ulFlags = ulFlags; - - // - // IF ucCopyData is TRUE, we will allocate a buffer and copy data into it. - // Otherwise, we will just copy the pointer and the length. This is so we - // can cut out additional allocations for performance reasons - // - - if ( SPNEGO_TOKEN_INTERNAL_FLAGS_FREEDATA == ucCopyData ) - { - // Alloc the internal buffer. Cleanup on failure. - pSpnegoToken->pbBinaryData = (unsigned char*) calloc( ulTokenSize, sizeof(unsigned char) ); - - if ( NULL != pSpnegoToken->pbBinaryData ) - { - // We must ALWAYS free this buffer - pSpnegoToken->ulFlags |= SPNEGO_TOKEN_INTERNAL_FLAGS_FREEDATA; - - // Copy the data locally - memcpy( pSpnegoToken->pbBinaryData, pbTokenData, ulTokenSize ); - pSpnegoToken->ulBinaryDataLen = ulTokenSize; - } - else - { - free( pSpnegoToken ); - pSpnegoToken = NULL; - } - - } // IF ucCopyData - else - { - // Copy the pointer and the length directly - ulFlags will control whether or not - // we are allowed to free the value - - pSpnegoToken->pbBinaryData = pbTokenData; - pSpnegoToken->ulBinaryDataLen = ulTokenSize; - } - - } - - return pSpnegoToken; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// FreeSpnegoToken -// -// Parameters: -// [in] pSpnegoToken - Points to SPNEGO_TOKEN to free. -// -// Returns: -// void -// -// Comments : -// If non-NULL, interprets pSpnegoToken, freeing any internal allocations -// and finally the actual structure. -// -//////////////////////////////////////////////////////////////////////////// - -void FreeSpnegoToken( SPNEGO_TOKEN* pSpnegoToken ) -{ - if ( NULL != pSpnegoToken ) - { - - // Cleanup internal allocation per the flags - if ( pSpnegoToken->ulFlags & SPNEGO_TOKEN_INTERNAL_FLAGS_FREEDATA && - NULL != pSpnegoToken->pbBinaryData ) - { - free( pSpnegoToken->pbBinaryData ); - pSpnegoToken->pbBinaryData = NULL; - } - - free ( pSpnegoToken ); - } -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// InitSpnegoTokenElementArray -// -// Parameters: -// [in] pSpnegoToken - Points to SPNEGO_TOKEN structure. -// -// Returns: -// void -// -// Comments : -// Initializes the element array data member of a SPNEGO_TOKEN data -// structure. -// -//////////////////////////////////////////////////////////////////////////// - -void InitSpnegoTokenElementArray( SPNEGO_TOKEN* pSpnegoToken ) -{ - int nCtr; - - // Set the number of elemnts - pSpnegoToken->nNumElements = MAX_NUM_TOKEN_ELEMENTS; - - // - // Initially, all elements are unavailable - // - - for ( nCtr = 0; nCtr < MAX_NUM_TOKEN_ELEMENTS; nCtr++ ) - { - // Set the element size as well - pSpnegoToken->aElementArray[ nCtr ].nStructSize = SPNEGO_ELEMENT_SIZE; - pSpnegoToken->aElementArray[ nCtr ].iElementPresent = SPNEGO_TOKEN_ELEMENT_UNAVAILABLE; - } - -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// InitSpnegoTokenType -// -// Parameters: -// [in] pSpnegoToken - Points to SPNEGO_TOKEN structure. -// [out] pnTokenLength - Filled out with total token length -// [out] pnRemainingTokenLength - Filled out with remaining length -// after header is parsed -// [out] ppbFirstElement - Filled out with pointer to first -// element after header info. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Walks the underlying binary data for a SPNEGO_TOKEN data structure -// and determines the type of the underlying token based on token header -// information. -// -//////////////////////////////////////////////////////////////////////////// - -int InitSpnegoTokenType( SPNEGO_TOKEN* pSpnegoToken, long* pnTokenLength, - long* pnRemainingTokenLength, unsigned char** ppbFirstElement ) -{ - int nReturn = SPNEGO_E_INVALID_TOKEN; - long nActualTokenLength = 0L; - long nBoundaryLength = pSpnegoToken->ulBinaryDataLen; - unsigned char* pbTokenData = pSpnegoToken->pbBinaryData; - - // - // First byte MUST be either an APP_CONSTRUCT or the NEGTARG_TOKEN_TARG - // - - if ( SPNEGO_NEGINIT_APP_CONSTRUCT == *pbTokenData ) - { - // Validate the above token - this will tell us the actual length of the token - // per the encoding (minus the actual token bytes) - if ( ( nReturn = ASNDerCheckToken( pbTokenData, SPNEGO_NEGINIT_APP_CONSTRUCT, 0L, nBoundaryLength, - pnTokenLength, &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Initialize the remaining token length value. This will be used - // to tell the caller how much token there is left once we've parsed - // the header (they could calculate it from the other values, but this - // is a bit friendlier) - *pnRemainingTokenLength = *pnTokenLength; - - // Make adjustments to next token - pbTokenData += nActualTokenLength; - nBoundaryLength -= nActualTokenLength; - - // The next token should be an OID - if ( ( nReturn = ASNDerCheckOID( pbTokenData, spnego_mech_oid_Spnego, nBoundaryLength, - &nActualTokenLength ) ) == SPNEGO_E_SUCCESS ) - { - // Make adjustments to next token - pbTokenData += nActualTokenLength; - nBoundaryLength -= nActualTokenLength; - *pnRemainingTokenLength -= nActualTokenLength; - - // The next token should specify the NegTokenInit - if ( ( nReturn = ASNDerCheckToken( pbTokenData, SPNEGO_NEGINIT_TOKEN_IDENTIFIER, - *pnRemainingTokenLength, nBoundaryLength, pnTokenLength, - &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Make adjustments to next token - pbTokenData += nActualTokenLength; - nBoundaryLength -= nActualTokenLength; - *pnRemainingTokenLength -= nActualTokenLength; - - // The next token should specify the start of a sequence - if ( ( nReturn = ASNDerCheckToken( pbTokenData, SPNEGO_CONSTRUCTED_SEQUENCE, - *pnRemainingTokenLength, nBoundaryLength, pnTokenLength, - &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // NegTokenInit header is now checked out! - - // Make adjustments to next token - *pnRemainingTokenLength -= nActualTokenLength; - - // Store pointer to first element - *ppbFirstElement = pbTokenData + nActualTokenLength; - pSpnegoToken->ucTokenType = SPNEGO_TOKEN_INIT; - } // IF Check Sequence Token - - } // IF Check NegTokenInit token - - - } // IF Check for SPNEGO OID - - - } // IF check app construct token - - } - else if ( SPNEGO_NEGTARG_TOKEN_IDENTIFIER == *pbTokenData ) - { - - // The next token should specify the NegTokenInit - if ( ( nReturn = ASNDerCheckToken( pbTokenData, SPNEGO_NEGTARG_TOKEN_IDENTIFIER, - *pnRemainingTokenLength, nBoundaryLength, pnTokenLength, - &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Initialize the remaining token length value. This will be used - // to tell the caller how much token there is left once we've parsed - // the header (they could calculate it from the other values, but this - // is a bit friendlier) - *pnRemainingTokenLength = *pnTokenLength; - - // Make adjustments to next token - pbTokenData += nActualTokenLength; - nBoundaryLength -= nActualTokenLength; - - // The next token should specify the start of a sequence - if ( ( nReturn = ASNDerCheckToken( pbTokenData, SPNEGO_CONSTRUCTED_SEQUENCE, - *pnRemainingTokenLength, nBoundaryLength, pnTokenLength, - &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // NegTokenInit header is now checked out! - - // Make adjustments to next token - *pnRemainingTokenLength -= nActualTokenLength; - - // Store pointer to first element - *ppbFirstElement = pbTokenData + nActualTokenLength; - pSpnegoToken->ucTokenType = SPNEGO_TOKEN_TARG; - } // IF Check Sequence Token - - } // IF Check NegTokenInit token - - } // ELSE IF it's a NegTokenTarg - - LOG(("InitSpnegoTokenType returned %d\n",nReturn)); - return nReturn; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// GetSpnegoInitTokenMechList -// -// Parameters: -// [in] pbTokenData - Points to binary MechList element -// in NegTokenInit. -// [in] nMechListLength - Length of the MechList -// [out] pSpnegoElement - Filled out with MechList Element -// data. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Checks that pbTokenData is pointing at something that at least -// *looks* like a MechList and then fills out the supplied -// SPNEGO_ELEMENT structure. -// -//////////////////////////////////////////////////////////////////////////// - -int GetSpnegoInitTokenMechList( unsigned char* pbTokenData, int nMechListLength, - SPNEGO_ELEMENT* pSpnegoElement ) -{ - int nReturn = SPNEGO_E_INVALID_TOKEN; - long nLength = 0L; - long nActualTokenLength = 0L; - - // Actual MechList is prepended by a Constructed Sequence Token - if ( ( nReturn = ASNDerCheckToken( pbTokenData, SPNEGO_CONSTRUCTED_SEQUENCE, - nMechListLength, nMechListLength, - &nLength, &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Adjust for this token - nMechListLength -= nActualTokenLength; - pbTokenData += nActualTokenLength; - - // Perform simple validation of the actual MechList (i.e. ensure that - // the OIDs in the MechList are reasonable). - - if ( ( nReturn = ValidateMechList( pbTokenData, nLength ) ) == SPNEGO_E_SUCCESS ) - { - // Initialize the element now - pSpnegoElement->eElementType = spnego_init_mechtypes; - pSpnegoElement->iElementPresent = SPNEGO_TOKEN_ELEMENT_AVAILABLE; - pSpnegoElement->type = SPNEGO_MECHLIST_TYPE; - pSpnegoElement->nDatalength = nLength; - pSpnegoElement->pbData = pbTokenData; - } - - } // IF Check Token - - LOG(("GetSpnegoInitTokenMechList returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// InitSpnegoTokenElementFromBasicType -// -// Parameters: -// [in] pbTokenData - Points to binary element data in -// a SPNEGO token. -// [in] nElementLength - Length of the element -// [in] ucExpectedType - Expected DER type. -// [in] spnegoElementType - Which element is this? -// [out] pSpnegoElement - Filled out with element data. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Checks that pbTokenData is pointing at the specified DER type. If so, -// then we verify that lengths are proper and then fill out the -// SPNEGO_ELEMENT data structure. -// -//////////////////////////////////////////////////////////////////////////// - -int InitSpnegoTokenElementFromBasicType( unsigned char* pbTokenData, int nElementLength, - unsigned char ucExpectedType, - SPNEGO_ELEMENT_TYPE spnegoElementType, - SPNEGO_ELEMENT* pSpnegoElement ) -{ - int nReturn = SPNEGO_E_UNEXPECTED_TYPE; - long nLength = 0L; - long nActualTokenLength = 0L; - - // The type BYTE must match our token data or something is badly wrong - if ( *pbTokenData == ucExpectedType ) - { - - // Check that we are pointing at the specified type - if ( ( nReturn = ASNDerCheckToken( pbTokenData, ucExpectedType, - nElementLength, nElementLength, - &nLength, &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Adjust for this token - nElementLength -= nActualTokenLength; - pbTokenData += nActualTokenLength; - - // Initialize the element now - pSpnegoElement->eElementType = spnegoElementType; - pSpnegoElement->iElementPresent = SPNEGO_TOKEN_ELEMENT_AVAILABLE; - pSpnegoElement->type = ucExpectedType; - pSpnegoElement->nDatalength = nLength; - pSpnegoElement->pbData = pbTokenData; - } - - } // IF type makes sense - - LOG(("InitSpnegoTokenElementFromBasicType returned %d\n",nReturn)); - return nReturn; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// InitSpnegoTokenElementFromOID -// -// Parameters: -// [in] pbTokenData - Points to binary element data in -// a SPNEGO token. -// [in] nElementLength - Length of the element -// [in] spnegoElementType - Which element is this? -// [out] pSpnegoElement - Filled out with element data. -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Initializes a SpnegoElement from an OID - normally, this would have -// used the Basic Type function above, but since we do binary compares -// on the OIDs against the DER information as well as the OID, we need -// to account for that. -// -//////////////////////////////////////////////////////////////////////////// - -int InitSpnegoTokenElementFromOID( unsigned char* pbTokenData, int nElementLength, - SPNEGO_ELEMENT_TYPE spnegoElementType, - SPNEGO_ELEMENT* pSpnegoElement ) -{ - int nReturn = SPNEGO_E_UNEXPECTED_TYPE; - long nLength = 0L; - long nActualTokenLength = 0L; - - // The type BYTE must match our token data or something is badly wrong - if ( *pbTokenData == OID ) - { - - // Check that we are pointing at an OID type - if ( ( nReturn = ASNDerCheckToken( pbTokenData, OID, - nElementLength, nElementLength, - &nLength, &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - // Don't adjust any values for this function - - // Initialize the element now - pSpnegoElement->eElementType = spnegoElementType; - pSpnegoElement->iElementPresent = SPNEGO_TOKEN_ELEMENT_AVAILABLE; - pSpnegoElement->type = OID; - pSpnegoElement->nDatalength = nElementLength; - pSpnegoElement->pbData = pbTokenData; - } - - } // IF type makes sense - - LOG(("InitSpnegoTokenElementFromBasicType returned %d\n",nReturn)); - return nReturn; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// InitSpnegoTokenElements -// -// Parameters: -// [in] pSpnegoToken - Points to SPNEGO_TOKEN struct -// [in] pbTokenData - Points to initial binary element -// data in a SPNEGO token. -// [in] nRemainingTokenLength - Length remaining past header -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Interprets the data at pbTokenData based on the TokenType in -// pSpnegoToken. Since some elements are optional (technically all are -// but the token becomes quite useless if this is so), we check if -// an element exists before filling out the element in the array. -// -//////////////////////////////////////////////////////////////////////////// - -int InitSpnegoTokenElements( SPNEGO_TOKEN* pSpnegoToken, unsigned char* pbTokenData, - long nRemainingTokenLength ) -{ - // - // The following arrays contain the token identifiers for the elements - // comprising the actual token. All values are optional, and there are - // no defaults. - // - - static unsigned char abNegTokenInitElements[] = - { SPNEGO_NEGINIT_ELEMENT_MECHTYPES, SPNEGO_NEGINIT_ELEMENT_REQFLAGS, - SPNEGO_NEGINIT_ELEMENT_MECHTOKEN, SPNEGO_NEGINIT_ELEMENT_MECHLISTMIC }; - - static unsigned char abNegTokenTargElements[] = - { SPNEGO_NEGTARG_ELEMENT_NEGRESULT, SPNEGO_NEGTARG_ELEMENT_SUPPORTEDMECH, - SPNEGO_NEGTARG_ELEMENT_RESPONSETOKEN, SPNEGO_NEGTARG_ELEMENT_MECHLISTMIC }; - - int nReturn = SPNEGO_E_SUCCESS; - int nCtr = 0L; - long nElementLength = 0L; - long nActualTokenLength = 0L; - unsigned char* pbElements = NULL; - - // Point to the correct array - switch( pSpnegoToken->ucTokenType ) - { - case SPNEGO_TOKEN_INIT: - { - pbElements = abNegTokenInitElements; - } - break; - - case SPNEGO_TOKEN_TARG: - { - pbElements = abNegTokenTargElements; - } - break; - - } // SWITCH tokentype - - // - // Enumerate the element arrays and look for the tokens at our current location - // - - for ( nCtr = 0L; - SPNEGO_E_SUCCESS == nReturn && - nCtr < MAX_NUM_TOKEN_ELEMENTS && - nRemainingTokenLength > 0L; - nCtr++ ) - { - - // Check if the token exists - if ( ( nReturn = ASNDerCheckToken( pbTokenData, pbElements[nCtr], - 0L, nRemainingTokenLength, - &nElementLength, &nActualTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - - // Token data should skip over the sequence token and then - // call the appropriate function to initialize the element - pbTokenData += nActualTokenLength; - - // Lengths in the elements should NOT go beyond the element - // length - - // Different tokens mean different elements - if ( SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType ) - { - - // Handle each element as appropriate - switch( pbElements[nCtr] ) - { - - case SPNEGO_NEGINIT_ELEMENT_MECHTYPES: - { - // - // This is a Mech List that specifies which OIDs the - // originator of the Init Token supports. - // - - nReturn = GetSpnegoInitTokenMechList( pbTokenData, nElementLength, - &pSpnegoToken->aElementArray[nCtr] ); - - } - break; - - case SPNEGO_NEGINIT_ELEMENT_REQFLAGS: - { - // - // This is a BITSTRING which specifies the flags that the receiver - // pass to the gss_accept_sec_context() function. - // - - nReturn = InitSpnegoTokenElementFromBasicType( pbTokenData, nElementLength, - BITSTRING, spnego_init_reqFlags, - &pSpnegoToken->aElementArray[nCtr] ); - } - break; - - case SPNEGO_NEGINIT_ELEMENT_MECHTOKEN: - { - // - // This is an OCTETSTRING which contains a GSSAPI token corresponding - // to the first OID in the MechList. - // - - nReturn = InitSpnegoTokenElementFromBasicType( pbTokenData, nElementLength, - OCTETSTRING, spnego_init_mechToken, - &pSpnegoToken->aElementArray[nCtr] ); - } - break; - - case SPNEGO_NEGINIT_ELEMENT_MECHLISTMIC: - { - // - // This is an OCTETSTRING which contains a message integrity BLOB. - // - - nReturn = InitSpnegoTokenElementFromBasicType( pbTokenData, nElementLength, - OCTETSTRING, spnego_init_mechListMIC, - &pSpnegoToken->aElementArray[nCtr] ); - } - break; - - } // SWITCH Element - } - else - { - - switch( pbElements[nCtr] ) - { - - case SPNEGO_NEGTARG_ELEMENT_NEGRESULT: - { - // - // This is an ENUMERATION which specifies result of the last GSS - // token negotiation call. - // - - nReturn = InitSpnegoTokenElementFromBasicType( pbTokenData, nElementLength, - ENUMERATED, spnego_targ_negResult, - &pSpnegoToken->aElementArray[nCtr] ); - } - break; - - case SPNEGO_NEGTARG_ELEMENT_SUPPORTEDMECH: - { - // - // This is an OID which specifies a supported mechanism. - // - - nReturn = InitSpnegoTokenElementFromOID( pbTokenData, nElementLength, - spnego_targ_mechListMIC, - &pSpnegoToken->aElementArray[nCtr] ); - } - break; - - case SPNEGO_NEGTARG_ELEMENT_RESPONSETOKEN: - { - // - // This is an OCTETSTRING which specifies results of the last GSS - // token negotiation call. - // - - nReturn = InitSpnegoTokenElementFromBasicType( pbTokenData, nElementLength, - OCTETSTRING, spnego_targ_responseToken, - &pSpnegoToken->aElementArray[nCtr] ); - } - break; - - case SPNEGO_NEGTARG_ELEMENT_MECHLISTMIC: - { - // - // This is an OCTETSTRING which specifies a message integrity BLOB. - // - - nReturn = InitSpnegoTokenElementFromBasicType( pbTokenData, nElementLength, - OCTETSTRING, spnego_targ_mechListMIC, - &pSpnegoToken->aElementArray[nCtr] ); - } - break; - - } // SWITCH Element - - } // ELSE !NegTokenInit - - // Account for the entire token and following data - nRemainingTokenLength -= ( nActualTokenLength + nElementLength ); - - // Token data should skip past the element length now - pbTokenData += nElementLength; - - } // IF Token found - else if ( SPNEGO_E_TOKEN_NOT_FOUND == nReturn ) - { - // For now, this is a benign error (remember, all elements are optional, so - // if we don't find one, it's okay). - - nReturn = SPNEGO_E_SUCCESS; - } - - } // FOR enum elements - - // - // We should always run down to 0 remaining bytes in the token. If not, we've got - // a bad token. - // - - if ( SPNEGO_E_SUCCESS == nReturn && nRemainingTokenLength != 0L ) - { - nReturn = SPNEGO_E_INVALID_TOKEN; - } - - LOG(("InitSpnegoTokenElements returned %d\n",nReturn)); - return nReturn; -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// FindMechOIDInMechList -// -// Parameters: -// [in] pSpnegoElement - SPNEGO_ELEMENT for MechList -// [in] MechOID - OID we're looking for. -// [out] piMechTypeIndex - Index in the list where OID was -// found -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Walks the MechList for MechOID. When it is found, the index in the -// list is written to piMechTypeIndex. -// -//////////////////////////////////////////////////////////////////////////// - -int FindMechOIDInMechList( SPNEGO_ELEMENT* pSpnegoElement, SPNEGO_MECH_OID MechOID, - int * piMechTypeIndex ) -{ - int nReturn = SPNEGO_E_NOT_FOUND; - int nCtr = 0; - long nLength = 0L; - long nBoundaryLength = pSpnegoElement->nDatalength; - unsigned char* pbMechListData = pSpnegoElement->pbData; - - while( SPNEGO_E_SUCCESS != nReturn && nBoundaryLength > 0L ) - { - - // Use the helper function to check the OID - if ( ( nReturn = ASNDerCheckOID( pbMechListData, MechOID, nBoundaryLength, &nLength ) ) - == SPNEGO_E_SUCCESS ) - { - *piMechTypeIndex = nCtr; - } - - // Adjust for the current OID - pbMechListData += nLength; - nBoundaryLength -= nLength; - nCtr++; - - } // WHILE enuming OIDs - - LOG(("FindMechOIDInMechList returned %d\n",nReturn)); - return nReturn; - -} - - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// ValidateMechList -// -// Parameters: -// [in] pbMechListData - Pointer to binary MechList data -// [in] nBoundaryLength - Length we must not exceed -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Checks the data at pbMechListData to see if it looks like a MechList. -// As part of this, we walk the list and ensure that none of the OIDs -// have a length that takes us outside of nBoundaryLength. -// -//////////////////////////////////////////////////////////////////////////// - -int ValidateMechList( unsigned char* pbMechListData, long nBoundaryLength ) -{ - int nReturn = SPNEGO_E_SUCCESS; - long nLength = 0L; - long nTokenLength = 0L; - - while( SPNEGO_E_SUCCESS == nReturn && nBoundaryLength > 0L ) - { - // Verify that we have something that at least *looks* like an OID - in other - // words it has an OID identifier and specifies a length that doesn't go beyond - // the size of the list. - nReturn = ASNDerCheckToken( pbMechListData, OID, 0L, nBoundaryLength, - &nLength, &nTokenLength ); - - // Adjust for the current OID - pbMechListData += ( nLength + nTokenLength ); - nBoundaryLength -= ( nLength + nTokenLength ); - - } // WHILE enuming OIDs - - LOG(("ValidateMechList returned %d\n",nReturn)); - return nReturn; - -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// IsValidMechOid -// -// Parameters: -// [in] mechOid - mechOID id enumeration -// -// Returns: -// int Success - 1 -// Failure - 0 -// -// Comments : -// Checks for a valid mechOid value. -// -//////////////////////////////////////////////////////////////////////////// - -int IsValidMechOid( SPNEGO_MECH_OID mechOid ) -{ - LOG(("IsValidMechOid returned %d\n",mechOid >= spnego_mech_oid_Kerberos_V5_Legacy && - mechOid <= spnego_mech_oid_Spnego)); - return ( mechOid >= spnego_mech_oid_Kerberos_V5_Legacy && - mechOid <= spnego_mech_oid_Spnego ); -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// IsValidContextFlags -// -// Parameters: -// [in] ucContextFlags - ContextFlags value -// -// Returns: -// int Success - 1 -// Failure - 0 -// -// Comments : -// Checks for a valid ContextFlags value. -// -//////////////////////////////////////////////////////////////////////////// - -int IsValidContextFlags( unsigned char ucContextFlags ) -{ - // Mask out our valid bits. If there is anything leftover, this - // is not a valid value for Context Flags - LOG(("IsValidContextFlags returned %d\n",(( ucContextFlags & ~SPNEGO_NEGINIT_CONTEXT_MASK ) == 0))); - return ( ( ucContextFlags & ~SPNEGO_NEGINIT_CONTEXT_MASK ) == 0 ); -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// IsValidNegResult -// -// Parameters: -// [in] negResult - NegResult value -// -// Returns: -// int Success - 1 -// Failure - 0 -// -// Comments : -// Checks for a valid NegResult value. -// -//////////////////////////////////////////////////////////////////////////// - -int IsValidNegResult( SPNEGO_NEGRESULT negResult ) -{ - LOG(("IsValidNegResult returned %d\n",negResult >= spnego_negresult_success && - negResult <= spnego_negresult_rejected )); - return ( negResult >= spnego_negresult_success && - negResult <= spnego_negresult_rejected ); -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// IsValidSpnegoToken -// -// Parameters: -// [in] pSpnegoToken - Points to SPNEGO_TOKEN data structure -// -// Returns: -// int Success - 1 -// Failure - 0 -// -// Comments : -// Performs simple heuristic on location pointed to by pSpnegoToken. -// -//////////////////////////////////////////////////////////////////////////// - -int IsValidSpnegoToken( SPNEGO_TOKEN* pSpnegoToken ) -{ - int nReturn = 0; - - // Parameter should be non-NULL - if ( NULL != pSpnegoToken ) - { - // Length should be at least the size defined in the header - if ( pSpnegoToken->nStructSize >= SPNEGO_TOKEN_SIZE ) - { - // Number of elements should be >= our maximum - if it's greater, that's - // okay, since we'll only be accessing the elements up to MAX_NUM_TOKEN_ELEMENTS - if ( pSpnegoToken->nNumElements >= MAX_NUM_TOKEN_ELEMENTS ) - { - // Check for proper token type - if ( SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType || - SPNEGO_TOKEN_TARG == pSpnegoToken->ucTokenType ) - { - nReturn = 1; - } - } - - } // IF struct size makes sense - - } // IF non-NULL spnego Token - - LOG(("IsValidSpnegoToken returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// IsValidSpnegoElement -// -// Parameters: -// [in] pSpnegoToken - Points to SPNEGO_TOKEN data structure -// [in] spnegoElement - spnegoElement Type from enumeration -// -// Returns: -// int Success - 1 -// Failure - 0 -// -// Comments : -// Checks that spnegoElement has a valid value and is appropriate for -// the SPNEGO token encapsulated by pSpnegoToken. -// -//////////////////////////////////////////////////////////////////////////// - -int IsValidSpnegoElement( SPNEGO_TOKEN* pSpnegoToken,SPNEGO_ELEMENT_TYPE spnegoElement ) -{ - int nReturn = 0; - - // Check boundaries - if ( spnegoElement > spnego_element_min && - spnegoElement < spnego_element_max ) - { - - // Check for appropriateness to token type - if ( SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType ) - { - nReturn = ( spnegoElement >= spnego_init_mechtypes && - spnegoElement <= spnego_init_mechListMIC ); - } - else - { - nReturn = ( spnegoElement >= spnego_targ_negResult && - spnegoElement <= spnego_targ_mechListMIC ); - } - - } // IF boundary conditions are met - - LOG(("IsValidSpnegoElement returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// CalculateElementArrayIndex -// -// Parameters: -// [in] pSpnegoToken - Points to SPNEGO_TOKEN data structure -// [in] spnegoElement - spnegoElement Type from enumeration -// -// Returns: -// int index in the SPNEGO_TOKEN element array that the element can -// can be found -// -// Comments : -// Based on the Token Type, calculates the index in the element array -// at which the specified element can be found. -// -//////////////////////////////////////////////////////////////////////////// - -int CalculateElementArrayIndex( SPNEGO_TOKEN* pSpnegoToken,SPNEGO_ELEMENT_TYPE spnegoElement ) -{ - int nReturn = 0; - - // Offset is difference between value and initial element identifier - // (these differ based on ucTokenType) - - if ( SPNEGO_TOKEN_INIT == pSpnegoToken->ucTokenType ) - { - nReturn = spnegoElement - spnego_init_mechtypes; - } - else - { - nReturn = spnegoElement - spnego_targ_negResult; - } - - LOG(("CalculateElementArrayIndex returned %d\n",nReturn)); - return nReturn; -} - -///////////////////////////////////////////////////////////////////////////// -// -// Function: -// InitTokenFromBinary -// -// Parameters: -// [in] ucCopyData - Flag indicating if data should be copied -// [in] ulFlags - Flags value for structure -// [in] pnTokenData - Binary Token Data -// [in] ulLength - Length of the data -// [out] ppSpnegoToken - Pointer to call allocated SPNEGO Token -// data structure -// -// Returns: -// int Success - SPNEGO_E_SUCCESS -// Failure - SPNEGO API Error code -// -// Comments : -// Allocates a SPNEGO_TOKEN data structure and fills it out as -// appropriate based in the flags passed into the function. -// -//////////////////////////////////////////////////////////////////////////// - - -// Initializes SPNEGO_TOKEN structure from DER encoded binary data -int InitTokenFromBinary( unsigned char ucCopyData, unsigned long ulFlags, - unsigned char* pbTokenData, unsigned long ulLength, - SPNEGO_TOKEN** ppSpnegoToken ) -{ - int nReturn = SPNEGO_E_INVALID_PARAMETER; - SPNEGO_TOKEN* pSpnegoToken = NULL; - unsigned char* pbFirstElement = NULL; - long nTokenLength = 0L; - long nRemainingTokenLength = 0L; - - // Basic Parameter Validation - - if ( NULL != pbTokenData && - NULL != ppSpnegoToken && - 0L != ulLength ) - { - - // - // Allocate the empty token, then initialize the data structure. - // - - pSpnegoToken = AllocEmptySpnegoToken( ucCopyData, ulFlags, pbTokenData, ulLength ); - - if ( NULL != pSpnegoToken ) - { - - // Copy the binary data locally - - - // Initialize the token type - if ( ( nReturn = InitSpnegoTokenType( pSpnegoToken, &nTokenLength, - &nRemainingTokenLength, &pbFirstElement ) ) - == SPNEGO_E_SUCCESS ) - { - - // Initialize the element array - if ( ( nReturn = InitSpnegoTokenElements( pSpnegoToken, pbFirstElement, - nRemainingTokenLength ) ) - == SPNEGO_E_SUCCESS ) - { - *ppSpnegoToken = pSpnegoToken; - } - - } // IF Init Token Type - - // Cleanup on error condition - if ( SPNEGO_E_SUCCESS != nReturn ) - { - spnegoFreeData( pSpnegoToken ); - } - - } - else - { - nReturn = SPNEGO_E_OUT_OF_MEMORY; - } - - } // IF Valid parameters - - - LOG(("InitTokenFromBinary returned %d\n",nReturn)); - return nReturn; -} diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.h squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.h --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.h 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.h 1970-01-01 12:00:00.000000000 +1200 @@ -1,169 +0,0 @@ -// Copyright (C) 2002 Microsoft Corporation -// All rights reserved. -// -// THIS CODE AND INFORMATION IS PROVIDED "AS IS" -// WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -// OR IMPLIED, INCLUDING BUT NOT LIMITED -// TO THE IMPLIED WARRANTIES OF MERCHANTIBILITY -// AND/OR FITNESS FOR A PARTICULAR PURPOSE. -// -// Date - 10/08/2002 -// Author - Sanj Surati - -///////////////////////////////////////////////////////////// -// -// SPNEGOPARSE.H -// -// SPNEGO Token Parser Header File -// -// Contains the definitions required to properly parse a -// SPNEGO token using ASN.1 DER helpers. -// -///////////////////////////////////////////////////////////// - -#ifndef __SPNEGOPARSE_H__ -#define __SPNEGOPARSE_H__ - -// C++ Specific -#if defined(__cplusplus) -extern "C" -{ -#endif - -// Indicates if we copy data when creating a SPNEGO_TOKEN structure or not -#define SPNEGO_TOKEN_INTERNAL_COPYPTR 0 -#define SPNEGO_TOKEN_INTERNAL_COPYDATA 0x1 - -// Internal flag dictates whether or not we will free the binary data when -// the SPNEG_TOKEN structure is destroyed -#define SPNEGO_TOKEN_INTERNAL_FLAGS_FREEDATA 0x1 - - // -// Each SPNEGO Token Type can be broken down into a -// maximum of 4 separate elements. -// - -#define MAX_NUM_TOKEN_ELEMENTS 4 - -// -// Element offsets in the array -// - -// INIT elements -#define SPNEGO_INIT_MECHTYPES_ELEMENT 0 -#define SPNEGO_INIT_REQFLAGS_ELEMENT 1 -#define SPNEGO_INIT_MECHTOKEN_ELEMENT 2 -#define SPNEGO_INIT_MECHLISTMIC_ELEMENT 3 - -// Response elements -#define SPNEGO_TARG_NEGRESULT_ELEMENT 0 -#define SPNEGO_TARG_SUPPMECH_ELEMENT 1 -#define SPNEGO_TARG_RESPTOKEN_ELEMENT 2 -#define SPNEGO_TARG_MECHLISTMIC_ELEMENT 3 - -// -// Defines an individual SPNEGO Token Element. -// - -typedef struct SpnegoElement -{ - size_t nStructSize; // Size of the element structure - int iElementPresent; // Is the field present? Must be either - // SPNEGO_TOKEN_ELEMENT_UNAVAILABLE or - // SPNEGO_TOKEN_ELEMENT_AVAILABLE - - SPNEGO_ELEMENT_TYPE eElementType; // The Element Type - - unsigned char type; // Data Type - - unsigned char* pbData; // Points to actual Data - - unsigned long nDatalength; // Actual Data Length - -} SPNEGO_ELEMENT; - -// Structure size in case we later choose to extend the structure -#define SPNEGO_ELEMENT_SIZE sizeof(SPNEGO_ELEMENT) - -// -// Packages a SPNEGO Token Encoding. There are two types of -// encodings: NegTokenInit and NegTokenTarg. Each encoding can -// contain up to four distinct, optional elements. -// - -typedef struct SpnegoToken -{ - size_t nStructSize; // Size of the Token structure - unsigned long ulFlags; // Internal Structure Flags - Reserved! - int ucTokenType; // Token Type - Must be - // SPNEGO_TOKEN_INIT or - // SPNEGO_TOKEN_TARG - - unsigned char* pbBinaryData; // Points to binary token data - - unsigned long ulBinaryDataLen; // Length of the actual binary data - int nNumElements; // Number of elements - SPNEGO_ELEMENT aElementArray [MAX_NUM_TOKEN_ELEMENTS]; // Holds the elements for the token -} SPNEGO_TOKEN; - -// Structure size in case we later choose to extend the structure -#define SPNEGO_TOKEN_SIZE sizeof(SPNEGO_TOKEN) - -// -// Function definitions -// - -SPNEGO_TOKEN* AllocEmptySpnegoToken( unsigned char ucCopyData, unsigned long ulFlags, - unsigned char * pbTokenData, unsigned long ulTokenSize ); -void FreeSpnegoToken( SPNEGO_TOKEN* pSpnegoToken ); -void InitSpnegoTokenElementArray( SPNEGO_TOKEN* pSpnegoToken ); -int InitSpnegoTokenType( SPNEGO_TOKEN* pSpnegoToken, long* pnTokenLength, - long* pnRemainingTokenLength, unsigned char** ppbFirstElement ); -int InitSpnegoTokenElements( SPNEGO_TOKEN* pSpnegoToken, unsigned char* pbTokenData, - long nRemainingTokenLength ); -int GetSpnegoInitTokenMechList( unsigned char* pbTokenData, int nMechListLength, - SPNEGO_ELEMENT* pSpnegoElement ); -int InitSpnegoTokenElementFromBasicType( unsigned char* pbTokenData, int nElementLength, - unsigned char ucExpectedType, - SPNEGO_ELEMENT_TYPE spnegoElementType, - SPNEGO_ELEMENT* pSpnegoElement ); -int InitSpnegoTokenElementFromOID( unsigned char* pbTokenData, int nElementLength, - SPNEGO_ELEMENT_TYPE spnegoElementType, - SPNEGO_ELEMENT* pSpnegoElement ); -int FindMechOIDInMechList( SPNEGO_ELEMENT* pSpnegoElement, SPNEGO_MECH_OID MechOID, - int * piMechTypeIndex ); -int ValidateMechList( unsigned char* pbMechListData, long nBoundaryLength ); -int CalculateMinSpnegoInitTokenSize( long nMechTokenLength, long nMechListMICLength, - SPNEGO_MECH_OID mechOid, int nReqFlagsAvailable, - long* plTokenSize, long* plInternalLength ); -int CalculateMinSpnegoTargTokenSize( SPNEGO_MECH_OID MechType, SPNEGO_NEGRESULT spnegoNegResult, - long nMechTokenLen, - long nMechTokenMIC, long* pnTokenSize, - long* pnInternalTokenLength ); -int CreateSpnegoInitToken( SPNEGO_MECH_OID MechType, - unsigned char ucContextFlags, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechListMIC, - unsigned long ulMechListMICLen, unsigned char* pbTokenData, - long nTokenLength, long nInternalTokenLength ); -int CreateSpnegoTargToken( SPNEGO_MECH_OID MechType, - SPNEGO_NEGRESULT eNegResult, unsigned char* pbMechToken, - unsigned long ulMechTokenLen, unsigned char* pbMechListMIC, - unsigned long ulMechListMICLen, unsigned char* pbTokenData, - long nTokenLength, long nInternalTokenLength ); -int IsValidMechOid( SPNEGO_MECH_OID mechOid ); -int IsValidContextFlags( unsigned char ucContextFlags ); -int IsValidNegResult( SPNEGO_NEGRESULT negResult ); -int IsValidSpnegoToken( SPNEGO_TOKEN* pSpnegoToken ); -int IsValidSpnegoElement( SPNEGO_TOKEN* pSpnegoToken,SPNEGO_ELEMENT_TYPE spnegoElement ); -int CalculateElementArrayIndex( SPNEGO_TOKEN* pSpnegoToken,SPNEGO_ELEMENT_TYPE spnegoElement ); -int InitTokenFromBinary( unsigned char ucCopyData, unsigned long ulFlags, - unsigned char* pbTokenData, unsigned long ulLength, - SPNEGO_TOKEN** ppSpnegoToken ); - - // C++ Specific -#if defined(__cplusplus) -} -#endif - -#endif - diff -u -r -N squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c --- squid-3.0.STABLE21/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c 2009-12-22 19:50:30.000000000 +1300 +++ squid-3.0.STABLE23/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c 2010-02-02 22:49:58.000000000 +1300 @@ -34,9 +34,6 @@ #include #include "base64.h" -#ifndef HAVE_SPNEGO -#include "spnegohelp.h" -#endif // AYJ: must match the definition in src/auth/negotiate/auth_negotiate.cc #define MAX_AUTHTOKEN_LEN 32768 @@ -209,10 +206,6 @@ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; const unsigned char *kerberosToken = NULL; -#ifndef HAVE_SPNEGO - int rc; - size_t kerberosTokenLength = 0; -#endif const unsigned char *spnegoToken = NULL ; size_t spnegoTokenLength = 0; @@ -357,36 +350,6 @@ base64_decode(input_token.value,buf+3,input_token.length); -#ifndef HAVE_SPNEGO - if (( rc=parseNegTokenInit (input_token.value, - input_token.length, - &kerberosToken, - &kerberosTokenLength))!=0 ){ - if (debug) - fprintf(stderr, "%s| %s: parseNegTokenInit failed with rc=%d\n", LogTime(), PROGRAM, rc); - - /* if between 100 and 200 it might be a GSSAPI token and not a SPNEGO token */ - if ( rc < 100 || rc > 199 ) { - if (debug) - fprintf(stderr, "%s| %s: Invalid GSS-SPNEGO query [%s]\n", LogTime(), PROGRAM, buf); - fprintf(stdout, "NA Invalid GSS-SPNEGO query\n"); - goto cleanup; - } - if ((input_token.length >= sizeof ntlmProtocol + 1) && - (!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { - if (debug) - fprintf(stderr, "%s| %s: received type %d NTLM token\n", LogTime(), PROGRAM, (int) *((unsigned char *)input_token.value + sizeof ntlmProtocol)); - fprintf(stdout, "NA received type %d NTLM token\n",(int) *((unsigned char *)input_token.value + sizeof ntlmProtocol)); - goto cleanup; - } - spnego_flag=0; - } else { - gss_release_buffer(&minor_status, &input_token); - input_token.length=kerberosTokenLength; - input_token.value=(void *)kerberosToken; - spnego_flag=1; - } -#else if ((input_token.length >= sizeof ntlmProtocol + 1) && (!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { if (debug) @@ -394,7 +357,6 @@ fprintf(stdout, "NA received type %d NTLM token\n",(int) *((unsigned char *)input_token.value + sizeof ntlmProtocol)); goto cleanup; } -#endif if ( service_principal ) { if ( strcasecmp(service_principal,"GSS_C_NO_NAME") ){ @@ -433,25 +395,8 @@ if (output_token.length) { -#ifndef HAVE_SPNEGO - if (spnego_flag) { - if ((rc=makeNegTokenTarg (output_token.value, - output_token.length, - &spnegoToken, - &spnegoTokenLength))!=0 ) { - if (debug) - fprintf(stderr, "%s| %s: makeNegTokenTarg failed with rc=%d\n", LogTime(), PROGRAM, rc); - fprintf(stdout, "NA makeNegTokenTarg failed with rc=%d\n",rc); - goto cleanup; - } - } else { - spnegoToken = output_token.value; - spnegoTokenLength = output_token.length; - } -#else spnegoToken = output_token.value; spnegoTokenLength = output_token.length; -#endif token = malloc(base64_encode_len(spnegoTokenLength)); if (token == NULL) { if (debug) diff -u -r -N squid-3.0.STABLE21/include/autoconf.h.in squid-3.0.STABLE23/include/autoconf.h.in --- squid-3.0.STABLE21/include/autoconf.h.in 2009-12-22 19:50:31.000000000 +1300 +++ squid-3.0.STABLE23/include/autoconf.h.in 2010-02-02 22:49:59.000000000 +1300 @@ -562,9 +562,6 @@ /* socklen_t is defined by the system headers */ #undef HAVE_SOCKLEN_T -/* Define to 1 if you have SPNEGO support */ -#undef HAVE_SPNEGO - /* Define to 1 if you have the `srand48' function. */ #undef HAVE_SRAND48 diff -u -r -N squid-3.0.STABLE21/include/version.h squid-3.0.STABLE23/include/version.h --- squid-3.0.STABLE21/include/version.h 2009-12-22 19:50:35.000000000 +1300 +++ squid-3.0.STABLE23/include/version.h 2010-02-02 22:50:03.000000000 +1300 @@ -9,5 +9,5 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1261464621 +#define SQUID_RELEASE_TIME 1265104190 #endif diff -u -r -N squid-3.0.STABLE21/lib/rfc1035.c squid-3.0.STABLE23/lib/rfc1035.c --- squid-3.0.STABLE21/lib/rfc1035.c 2009-12-22 19:50:31.000000000 +1300 +++ squid-3.0.STABLE23/lib/rfc1035.c 2010-02-02 22:49:59.000000000 +1300 @@ -287,7 +287,10 @@ size_t len; assert(ns > 0); do { - assert((*off) < sz); + if ((*off) >= sz) { + RFC1035_UNPACK_DEBUG; + return 1; + } c = *(buf + (*off)); if (c > 191) { /* blasted compression */ diff -u -r -N squid-3.0.STABLE21/RELEASENOTES.html squid-3.0.STABLE23/RELEASENOTES.html --- squid-3.0.STABLE21/RELEASENOTES.html 2009-12-22 19:52:08.000000000 +1300 +++ squid-3.0.STABLE23/RELEASENOTES.html 2010-02-02 22:51:10.000000000 +1300 @@ -2,10 +2,10 @@ - Squid 3.0.STABLE21 release notes + Squid 3.0.STABLE23 release notes -

Squid 3.0.STABLE21 release notes

+

Squid 3.0.STABLE23 release notes

Squid Developers

@@ -60,7 +60,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.0.STABLE21.

+

The Squid Team are pleased to announce the release of Squid-3.0.STABLE23.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.0/ or the mirrors.

diff -u -r -N squid-3.0.STABLE21/src/cf.data.pre squid-3.0.STABLE23/src/cf.data.pre --- squid-3.0.STABLE21/src/cf.data.pre 2009-12-22 19:50:33.000000000 +1300 +++ squid-3.0.STABLE23/src/cf.data.pre 2010-02-02 22:50:01.000000000 +1300 @@ -4735,6 +4735,24 @@ accept_filter data DOC_END +NAME: client_ip_max_connections +TYPE: int +LOC: Config.client_ip_max_connections +DEFAULT: -1 +DOC_START + Set an absolute limit on the number of connections a single + client IP can use. Any more than this and Squid will begin to drop + new connections from the client until it closes some links. + + Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP + connections from the client. For finer control use the ACL access controls. + + Requires client_db to be enabled (the default). + + WARNING: This may noticably slow down traffic received via external proxies + or NAT devices and cause them to rebound error messages back to their clients. +DOC_END + NAME: tcp_recv_bufsize COMMENT: (bytes) TYPE: b_size_t diff -u -r -N squid-3.0.STABLE21/src/comm.cc squid-3.0.STABLE23/src/comm.cc --- squid-3.0.STABLE21/src/comm.cc 2009-12-22 19:50:33.000000000 +1300 +++ squid-3.0.STABLE23/src/comm.cc 2010-02-02 22:50:02.000000000 +1300 @@ -45,6 +45,7 @@ #include "MemBuf.h" #include "pconn.h" #include "SquidTime.h" +#include "protos.h" #if defined(_SQUID_CYGWIN_) #include @@ -1355,6 +1356,13 @@ Slen = sizeof(details.me); memset(&details.me, '\0', Slen); + if ( Config.client_ip_max_connections >= 0) { + if (clientdbEstablished(details.peer.sin_addr, 0) > Config.client_ip_max_connections) { + debugs(50, DBG_IMPORTANT, "WARNING: " << inet_ntoa(details.peer.sin_addr) << " attempting more than " << Config.client_ip_max_connections << " connections."); + return COMM_ERROR; + } + } + getsockname(sock, (struct sockaddr *) &details.me, &Slen); commSetCloseOnExec(sock); /* fdstat update */ diff -u -r -N squid-3.0.STABLE21/src/external_acl.cc squid-3.0.STABLE23/src/external_acl.cc --- squid-3.0.STABLE21/src/external_acl.cc 2009-12-22 19:50:33.000000000 +1300 +++ squid-3.0.STABLE23/src/external_acl.cc 2010-02-02 22:50:02.000000000 +1300 @@ -223,6 +223,8 @@ a->ttl = DEFAULT_EXTERNAL_ACL_TTL; a->negative_ttl = -1; a->children = DEFAULT_EXTERNAL_ACL_CHILDREN; + a->cache_size = 256*1024; + a->quote = external_acl::QUOTE_METHOD_URL; token = strtok(NULL, w_space); @@ -233,8 +235,6 @@ token = strtok(NULL, w_space); - a->quote = external_acl::QUOTE_METHOD_URL; - /* Parse options */ while (token) { if (strncmp(token, "ttl=", 4) == 0) { diff -u -r -N squid-3.0.STABLE21/src/http.cc squid-3.0.STABLE23/src/http.cc --- squid-3.0.STABLE21/src/http.cc 2009-12-22 19:50:33.000000000 +1300 +++ squid-3.0.STABLE23/src/http.cc 2010-02-02 22:50:02.000000000 +1300 @@ -570,7 +570,7 @@ return 0; default: /* Unknown status code */ - debugs (11, 0, HERE << "HttpStateData::cacheableReply: unexpected http status code " << rep->sline.status); + debugs (11, DBG_IMPORTANT, "WARNING: Unexpected http status code " << rep->sline.status); return 0; @@ -799,8 +799,9 @@ if (!vary) { entry->makePrivate(); + if (!fwd->reforwardableStatus(rep->sline.status)) + EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); goto no_cache; - } entry->mem_obj->vary_headers = xstrdup(vary); diff -u -r -N squid-3.0.STABLE21/src/main.cc squid-3.0.STABLE23/src/main.cc --- squid-3.0.STABLE21/src/main.cc 2009-12-22 19:50:33.000000000 +1300 +++ squid-3.0.STABLE23/src/main.cc 2010-02-02 22:50:02.000000000 +1300 @@ -632,7 +632,11 @@ refererCloseLog(); errorClean(); enter_suid(); /* root to read config file */ - parseConfigFile(ConfigFile, manager); + // parse the config returns a count of errors encountered. + if ( parseConfigFile(ConfigFile, manager) != 0) { + // for now any errors are a fatal condition... + self_destruct(); + } setUmask(Config.umask); Mem::Report(); setEffectiveUser(); @@ -1057,29 +1061,49 @@ configured_once = 1; } +// unsafe main routine -- may throw +int SquidMain(int argc, char **argv); +/// unsafe main routine wrapper to catch exceptions +static int SquidMainSafe(int argc, char **argv); + #if USE_WIN32_SERVICE /* When USE_WIN32_SERVICE is defined, the main function is placed in win32.cc */ extern "C" void WINAPI - SquidWinSvcMain(int argc, char **argv) +SquidWinSvcMain(int argc, char **argv) { - SquidMain(argc, argv); + SquidMainSafe(argc, argv); } - -int -SquidMain(int argc, char **argv) #else int main(int argc, char **argv) +{ + return SquidMainSafe(argc, argv); +} #endif + +static int +SquidMainSafe(int argc, char **argv) { - int oldmask; -#ifdef _SQUID_WIN32_ + try { + return SquidMain(argc, argv); + } catch (const std::exception &e) { + std::cerr << "dying from an unhandled exception: " << e.what() << std::endl; + throw; + } catch (...) { + std::cerr << "dying from an unhandled exception." << std::endl; + throw; + } + return -1; // not reached +} +int +SquidMain(int argc, char **argv) +{ +#ifdef _SQUID_WIN32_ int WIN32_init_err; #endif #if HAVE_SBRK - sbrk_start = sbrk(0); #endif @@ -1125,7 +1149,7 @@ * set. Unfortunately, there is no way to get the current * umask value without setting it. */ - oldmask = umask(S_IRWXO); + int oldmask = umask(S_IRWXO); if (oldmask) umask(oldmask); @@ -1210,9 +1234,7 @@ parse_err = parseConfigFile(ConfigFile, manager); Mem::Report(); - - if (opt_parse_cfg_only) - + if (opt_parse_cfg_only || parse_err > 0) return parse_err; } setUmask(Config.umask); diff -u -r -N squid-3.0.STABLE21/src/store.cc squid-3.0.STABLE23/src/store.cc --- squid-3.0.STABLE21/src/store.cc 2009-12-22 19:50:34.000000000 +1300 +++ squid-3.0.STABLE23/src/store.cc 2010-02-02 22:50:02.000000000 +1300 @@ -1429,7 +1429,7 @@ (float) Config.Swap.highWaterMark) / (float) 100); store_swap_low = (long) (((float) Store::Root().maxSize() * (float) Config.Swap.lowWaterMark) / (float) 100); - store_pages_max = Config.memMaxSize / SM_PAGE_SIZE; + store_pages_max = Config.memMaxSize / sizeof(mem_node); } int diff -u -r -N squid-3.0.STABLE21/src/structs.h squid-3.0.STABLE23/src/structs.h --- squid-3.0.STABLE21/src/structs.h 2009-12-22 19:50:34.000000000 +1300 +++ squid-3.0.STABLE23/src/structs.h 2010-02-02 22:50:02.000000000 +1300 @@ -743,6 +743,7 @@ char *accept_filter; int umask; + int client_ip_max_connections; }; struct _SquidConfig2