------------------------------------------------------------
revno: 13812
revision-id: squid3@treenet.co.nz-20150426165518-rzstviriqd6okrvg
parent: squid3@treenet.co.nz-20150426164802-xhlgkspab2qo0vhe
author: Markus Moeller
committer: Amos Jeffries
branch nick: 3.5
timestamp: Sun 2015-04-26 09:55:18 -0700
message:
  Add Kerberos support for MAC OS X 10.x
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150426165518-rzstviriqd6okrvg
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: fe813ae240231bed9c70c04b5d5970e902338c70
# timestamp: 2015-04-26 16:56:17 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20150426164802-\
#   xhlgkspab2qo0vhe
#
# Begin patch
=== modified file 'acinclude/krb5.m4'
--- acinclude/krb5.m4	2015-01-13 09:13:49 +0000
+++ acinclude/krb5.m4	2015-04-26 16:55:18 +0000
@@ -79,6 +79,9 @@ KRB5INT_BEGIN_DECLS
 #endif
 #endif
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#endif
 #include
 krb5_context kc;
 kc->max_skew = 1;
 ]])
@@ -100,6 +103,9 @@ KRB5INT_BEGIN_DECLS
 #endif
 #endif
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#endif
 #include
 int main(int argc, char *argv[])
 {
@@ -127,6 +133,9 @@ KRB5INT_BEGIN_DECLS
 #endif
 #endif
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#endif
 #include
 int main(int argc, char *argv[])
 {
@@ -157,6 +166,9 @@
 #include
 #endif
 #else
+#if USE_APPLE_KRB5
+#define GSSKRB_APPLE_DEPRECATED(x)
+#endif
 #if HAVE_GSSAPI_GSSAPI_H
 #include
 #elif HAVE_GSSAPI_H
@@ -200,6 +212,9 @@
 #include
 #endif
 #else
+#if USE_APPLE_KRB5
+#define GSSKRB_APPLE_DEPRECATED(x)
+#endif
 #if HAVE_GSSAPI_GSSAPI_H
 #include
 #elif HAVE_GSSAPI_H
@@ -239,6 +254,9 @@ AC_DEFUN([SQUID_CHECK_WORKING_KRB5],[
 AC_CACHE_CHECK([for working krb5], squid_cv_working_krb5, [
 AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#endif
 #if HAVE_KRB5_H
 #if HAVE_BROKEN_SOLARIS_KRB5_H
 #if defined(__cplusplus)
@@ -338,6 +356,9 @@
 [Define to 1 if you have krb5_get_init_creds_opt_alloc]),)
 AC_MSG_CHECKING([for krb5_get_init_creds_free requires krb5_context])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #if USE_APPLE_KRB5
+ #define KERBEROS_APPLE_DEPRECATED(x)
+ #endif
 #include
 ]],[[krb5_context context;
 krb5_get_init_creds_opt *options;
=== modified file 'configure.ac'
--- configure.ac	2015-04-17 05:59:34 +0000
+++ configure.ac	2015-04-26 16:55:18 +0000
@@ -1390,6 +1390,7 @@
 with_mit_krb5=yes
 esac
 ])
+AH_TEMPLATE(USE_APPLE_KRB5,[Apple Kerberos support is available])
 AH_TEMPLATE(USE_MIT_KRB5,[MIT Kerberos support is available])
 AH_TEMPLATE(USE_SOLARIS_KRB5,[Solaris Kerberos support is available])
@@ -1480,6 +1481,7 @@
 krb5confpath="`dirname $ac_cv_path_krb5_config`"
 ac_heimdal="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i heimdal`"
 ac_solaris="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i solaris`"
+ ac_apple="`$ac_cv_path_krb5_config --vendor 2>/dev/null | grep -c -i apple`"
 if test $ac_heimdal -gt 0 ; then
 with_heimdal_krb5=yes
 ac_with_krb5_count=1
@@ -1488,7 +1490,11 @@
 with_solaris_krb5=yes
 ac_with_krb5_count=1
 fi
- if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 ; then
+ if test $ac_apple -gt 0 ; then
+ with_apple_krb5=yes
+ ac_with_krb5_count=1
+ fi
+ if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 && test $ac_apple -eq 0; then
 with_mit_krb5=yes
 ac_with_krb5_count=1
 fi
@@ -1498,7 +1504,7 @@
 fi
 fi
-if test "x$with_mit_krb5" = "xyes"; then
+if test "x$with_mit_krb5" = "xyes" || test "x$with_apple_krb5" = "xyes" ; then
 SQUID_STATE_SAVE([squid_krb5_save])
 LIBS="$LIBS $LIB_KRB5_PATH"
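Review bot: The new `if test $ac_apple -gt 0` block at @@ -1488 is an independent `if`, not an `elif`, so a krb5-config whose `--version` mentions Heimdal and whose `--vendor` mentions Apple (as far as I know Apple's bundled Kerberos is Heimdal-derived, so this combination is plausible) would set `with_heimdal_krb5` and `with_apple_krb5` together while `ac_with_krb5_count` still reads 1, and the `with_mit_krb5 || with_apple_krb5` branch at @@ -1498 would then run alongside the Heimdal branch. Testing `ac_apple` first, or chaining the checks with `elif test $ac_apple -gt 0 ; then`, would keep the flavours mutually exclusive. A comment such as `# Apple's framework reports its own vendor string; check it before the generic Heimdal/MIT fallbacks` would record the intended precedence. The surrounding `if` that starts these checks begins outside the hunk.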
@@ -1549,10 +1555,15 @@
 ])
 if test "x$LIB_KRB5_LIBS" != "x"; then
+ if test "x$with_apple_krb5" = "xyes" ; then
+ AC_DEFINE(USE_APPLE_KRB5,1,[Apple Kerberos support is available])
+ KRB5_FLAVOUR="Apple"
+ else
+ AC_DEFINE(USE_MIT_KRB5,1,[MIT Kerberos support is available])
+ KRB5_FLAVOUR="MIT"
+ fi
 KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS"
 KRB5INCS="$LIB_KRB5_CFLAGS"
- AC_DEFINE(USE_MIT_KRB5,1,[MIT Kerberos support is available])
- KRB5_FLAVOUR="MIT"
 # check for other specific broken implementations
 CXXFLAGS="$CXXFLAGS $KRB5INCS"
=== modified file 'helpers/external_acl/kerberos_ldap_group/required.m4'
--- helpers/external_acl/kerberos_ldap_group/required.m4	2015-01-13 09:13:49 +0000
+++ helpers/external_acl/kerberos_ldap_group/required.m4	2015-04-26 16:55:18 +0000
@@ -7,5 +7,10 @@
 if test "x$with_krb5" == "xyes"; then
 BUILD_HELPER="kerberos_ldap_group"
+ if test "x$with_apple_krb5" = "xyes" ; then
+ AC_CHECK_LIB(resolv, [main], [XTRA_LIBS="$XTRA_LIBS -lresolv"],[
+ AC_MSG_ERROR([library 'resolv' is required for Apple Kerberos])
+ ])
+ fi
 SQUID_CHECK_SASL
 fi
=== modified file 'helpers/external_acl/kerberos_ldap_group/support.h'
--- helpers/external_acl/kerberos_ldap_group/support.h	2015-03-21 06:32:34 +0000
+++ helpers/external_acl/kerberos_ldap_group/support.h	2015-04-26 16:55:18 +0000
@@ -34,6 +34,10 @@
 #include
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#endif
+
 #if HAVE_KRB5_H
 #if HAVE_BROKEN_SOLARIS_KRB5_H
 #warn "Warning! You have a broken Solaris system header"
=== modified file 'helpers/external_acl/kerberos_ldap_group/support_ldap.cc'
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc	2015-01-13 09:13:49 +0000
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc	2015-04-26 16:55:18 +0000
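Review bot: `AC_CHECK_LIB(resolv, [main], ...)` in the Apple branch of required.m4 at @@ -7 is a weak probe: every autoconf test program defines its own `main`, so the check only proves that `-lresolv` exists and links, not that it provides whatever resolver routine the helper needs (which routine that is is not visible in this hunk). Probing the actual symbol the helper calls would make the hard `AC_MSG_ERROR` meaningful rather than firing only when the library is entirely absent. A one-line comment above the block, e.g. `# Apple's Kerberos pulls in the system resolver; link it explicitly`, would also explain to the next reader why this flavour alone needs the extra library.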
@@ -114,11 +114,16 @@
 void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
 whop = whop;
 credp = credp;
 methodp = methodp;
 freeit = freeit;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #elif HAVE_LDAP_REBIND_PROC
 #if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN
@@ -148,7 +153,12 @@
 void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #elif HAVE_LDAP_REBIND_FUNCTION
@@ -188,11 +198,16 @@
 void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
 whop = whop;
 credp = credp;
 methodp = methodp;
 freeit = freeit;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #else
 #error "No rebind functione defined"
@@ -202,12 +217,7 @@
 static LDAP_REBIND_PROC ldap_sasl_rebind;
 static int
-ldap_sasl_rebind(
- LDAP * ld,
- LDAP_CONST char *url,
- ber_tag_t request,
- ber_int_t msgid,
- void *params)
+ldap_sasl_rebind(LDAP *ld, LDAP_CONST char *, ber_tag_t request, ber_int_t msgid, void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
 return tool_sasl_bind(ld, cp->dn, cp->pw);
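Review bot: In the rebind callbacks at @@ -114, @@ -148 and @@ -188, `struct berval cred;` is only filled in when `cp->pw` is non-NULL, yet `&cred` is passed to `ldap_sasl_bind_s` unconditionally, so a missing password makes the library read an indeterminate `bv_len` and `bv_val` — undefined behaviour that in practice means a crash or a bind attempted with whatever bytes happen to sit on the stack. The same pattern recurs in `ldap_simple_rebind` (@@ -217 on the next line) and in the per-host loop at @@ -998, whose `cred` is consumed at @@ -1007. Zero the structure before the conditional, e.g. `struct berval cred;` followed by `memset(&cred, 0, sizeof(cred));` (the file already uses `memset` this way), so that a NULL password yields an empty credential rather than garbage. Whether an empty credential with a non-empty DN should be sent at all deserves an explicit decision, since an unauthenticated simple bind is accepted silently by some directories; the old `ldap_bind_s(..., NULL, ...)` presumably had the same semantics, but it is worth a comment. Each callback's signature begins outside its hunk.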
@@ -217,16 +227,16 @@
 static LDAP_REBIND_PROC ldap_simple_rebind;
 static int
-ldap_simple_rebind(
- LDAP * ld,
- LDAP_CONST char *url,
- ber_tag_t request,
- ber_int_t msgid,
- void *params)
+ldap_simple_rebind(LDAP *ld, LDAP_CONST char *, ber_tag_t request, ber_int_t msgid, void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #endif
@@ -755,7 +765,7 @@
 xfree(ldapuri);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld,NULL,NULL);
 ld = NULL;
 return NULL;
 }
@@ -765,7 +775,7 @@
 rc = ldap_set_defaults(ld);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
@@ -777,7 +787,7 @@
 rc = ldap_set_ssl_defaults(margs);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
@@ -788,7 +798,7 @@
 rc = ldap_start_tls_s(ld, NULL, NULL);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 url = (LDAPURLDesc *) xmalloc(sizeof(*url));
 memset(url, 0, sizeof(*url));
@@ -820,14 +830,14 @@
 xfree(ldapuri);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
 rc = ldap_set_defaults(ld);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
@@ -836,14 +846,14 @@
 ld = ldapssl_init(host, port, 1);
 if (!ld) {
 error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
 rc = ldap_set_defaults(ld);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
@@ -945,7 +955,7 @@
 rc = tool_sasl_bind(ld, bindp, margs->ssl);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 continue;
 }
@@ -958,7 +968,7 @@
 break;
 }
 #else
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 error((char *) "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM);
 continue;
@@ -998,7 +1008,11 @@
 nhosts = get_hostname_list(&hlist, 0, host);
 xfree(host);
 for (size_t i = 0; i < nhosts; ++i) {
-
+ struct berval cred;
+ if (margs->lpass) {
+ cred.bv_val=margs->lpass;
+ cred.bv_len=strlen(margs->lpass);
+ }
 ld = tool_ldap_open(margs, hlist[i].host, port, ssl);
 if (!ld)
 continue;
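Review bot: In the hunk at @@ -836 the rewritten `ldap_unbind_ext(ld, NULL, NULL);` executes inside `if (!ld)`, i.e. with a handle that is known to be NULL; as far as I recall OpenLDAP's implementation asserts on a NULL `ld`, so the error path for a failed `ldapssl_init` would abort the helper instead of returning NULL to the caller. The line was already wrong as `ldap_unbind(ld)`, but since the commit touches it anyway, dropping the call and keeping just `ld = NULL;` and `return NULL;` is the minimal fix. The `rc` handed to `ldapssl_err2string` on the preceding line is also not set by `ldapssl_init`, so that message may report a stale code; that is pre-existing and only worth a comment. The enclosing function starts and ends outside the hunk.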
@@ -1007,10 +1021,10 @@
 */
 debug((char *) "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM);
- rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass);
+ rc = ldap_sasl_bind_s(ld, margs->luser, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 continue;
 }
@@ -1045,7 +1059,7 @@
 rc = check_AD(margs, ld);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 retval = 0;
 goto cleanup;
@@ -1071,7 +1085,7 @@
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 retval = 0;
 goto cleanup;
@@ -1156,7 +1170,7 @@
 ldap_msgfree(res);
 } else if (ldap_count_entries(ld, res) == 0 && margs->AD) {
 ldap_msgfree(res);
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 retval = 0;
 goto cleanup;
@@ -1368,7 +1382,7 @@
 safe_free(attr_value);
 }
 }
- rc = ldap_unbind(ld);
+ rc = ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
=== modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos.h'
--- helpers/negotiate_auth/kerberos/negotiate_kerberos.h	2015-01-13 09:13:49 +0000
+++ helpers/negotiate_auth/kerberos/negotiate_kerberos.h	2015-04-26 16:55:18 +0000
@@ -47,6 +47,11 @@
 #include "base64.h"
 #include "util.h"
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#define GSSKRB_APPLE_DEPRECATED(x)
+#endif
+
 #if HAVE_KRB5_H
 #if HAVE_BROKEN_SOLARIS_KRB5_H
 #warn "Warning! You have a broken Solaris system header"
@@ -144,7 +149,6 @@
 uint32_t pointer;
 } RPC_UNICODE_STRING;
-int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
 void align(int n);
 void getustr(RPC_UNICODE_STRING *string);
 char **getgids(char **Rids, uint32_t GroupIds, uint32_t GroupCount);
@@ -161,4 +165,5 @@
 #else
 #define HAVE_PAC_SUPPORT 0
 #endif
+int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
=== modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc'
--- helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc	2015-03-21 07:48:43 +0000
+++ helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc	2015-04-26 16:55:18 +0000
@@ -65,7 +65,6 @@
 krb5_kt_list *kt_list);
 #endif /* HAVE_KRB5_MEMORY_KEYTAB */
-#if HAVE_PAC_SUPPORT || HAVE_KRB5_MEMORY_KEYTAB
 int check_k5_err(krb5_context context, const char *function, krb5_error_code code)
 {
@@ -85,7 +84,6 @@
 }
 return code;
 }
-#endif
 char *
 gethost_name(void)
=== modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc'
--- helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc	2015-01-13 09:13:49 +0000
+++ helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc	2015-04-26 16:55:18 +0000
@@ -33,6 +33,9 @@
 #include "squid.h"
 #if HAVE_GSSAPI
+#if USE_APPLE_KRB5
+#define GSSKRB_APPLE_DEPRECATED(x)
+#endif
 #include
 #include
=== modified file 'src/peer_proxy_negotiate_auth.cc'
--- src/peer_proxy_negotiate_auth.cc	2015-01-13 09:13:49 +0000
+++ src/peer_proxy_negotiate_auth.cc	2015-04-26 16:55:18 +0000
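Review bot: The prototype of `check_k5_err` moved at @@ -161 now sits after the `HAVE_PAC_SUPPORT` block with no comment on why it left its old place at @@ -144, and the matching hunks at @@ -65 and @@ -85 in negotiate_kerberos_auth.cc drop the `#if HAVE_PAC_SUPPORT || HAVE_KRB5_MEMORY_KEYTAB` guard so the function is compiled in every configuration — presumably because the Apple build needs it unconditionally, though the reason is not visible here. A short comment above the declaration, e.g. `/* compiled in all configurations, not only PAC/memory-keytab builds */`, would stop a later cleanup from moving it back under the guard. The definition opened at @@ -65 continues past the end of that hunk.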
@@ -13,6 +13,10 @@
 #include "squid.h"
 #if HAVE_KRB5 && HAVE_GSSAPI
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#define GSSKRB_APPLE_DEPRECATED(x)
+#endif
 #include "base64.h"
 #include "Debug.h"
=== modified file 'tools/squidclient/gssapi_support.h'
--- tools/squidclient/gssapi_support.h	2015-01-13 09:13:49 +0000
+++ tools/squidclient/gssapi_support.h	2015-04-26 16:55:18 +0000
@@ -10,6 +10,9 @@
 #define _SQUID_TOOLS_SQUIDCLIENT_GSSAPI_H
 #if HAVE_GSSAPI
+#if USE_APPLE_KRB5
+#define GSSKRB_APPLE_DEPRECATED(x)
+#endif
 #if USE_HEIMDAL_KRB5
 #if HAVE_GSSAPI_GSSAPI_H
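Review bot: The `#if USE_APPLE_KRB5` block defining `KERBEROS_APPLE_DEPRECATED(x)` and `GSSKRB_APPLE_DEPRECATED(x)` at @@ -13 is the fourth copy of the same lines in the patched sources (support.h, negotiate_kerberos.h and negotiate_kerberos_auth_test.cc carry the others), each of which must appear before the Kerberos or GSSAPI headers are included. Defining both macros once in a header that every Kerberos-using unit already pulls in — `squid.h` is included immediately above — would keep the suppression in one place and make it easy to remove later; whether such a compat header exists is not visible here. Wherever they end up, a comment such as `// empty definitions apparently silence Apple's deprecation attributes on these headers` would record the intent, since the macro names alone do not explain why they are defined to nothing.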