[packages/squid.git] / squid-2.5.STABLE1-max_user_ip.patch

Index: squid/src/cf.data.pre
diff -c squid/src/cf.data.pre:1.245.2.27 squid/src/cf.data.pre:1.245.2.30
*** squid/src/cf.data.pre:1.245.2.27	Sun Sep 29 13:05:02 2002
--- squid/src/cf.data.pre	Mon Oct  7 22:29:40 2002
***************
*** 1288,1294 ****
  	to replay attacks unless you are using an one-time password
  	system (such as SecureID).  If you are using such a system,
  	you will be vulnerable to replay attacks unless you also
! 	enable the IP ttl is strict option.
  
  	=== Parameters for the digest scheme follow ===
  
--- 1288,1294 ----
  	to replay attacks unless you are using an one-time password
  	system (such as SecureID).  If you are using such a system,
  	you will be vulnerable to replay attacks unless you also
! 	use the max_user_ip ACL in an http_access rule.
  
  	=== Parameters for the digest scheme follow ===
  
***************
*** 1426,1448 ****
  LOC: Config.authenticateIpTTL
  DEFAULT: 0 seconds
  DOC_START
! 	With this option you control how long a proxy authentication
! 	will be bound to a specific IP address. If a request using
! 	the same user name is received during this time then access
! 	will be denied and both users are required to reauthenticate
! 	them selves.  The idea behind this is to make it annoying
! 	for people to share their password to their friends, but
! 	yet allow a dialup user to reconnect on a different dialup
! 	port.
! 
! 	The default is 0 to disable the check. Recommended value
! 	if you have dialup users are no more than 60 seconds to allow
! 	the user to redial without hassle. If all your users are
! 	stationary then higher values may be used.
! 
! 	See also the acl max_user_ip. The max_user_ip acl replaces
! 	the authenticate_ip_ttl_is_strict option found in earlier
! 	Squid versions.
  DOC_END
  
  NAME: external_acl_type
--- 1426,1438 ----
  LOC: Config.authenticateIpTTL
  DEFAULT: 0 seconds
  DOC_START
! 	If you use proxy authentication and the 'max_user_ip' ACL,
! 	this directive controls how long Squid remembers the IP
! 	addresses associated with each user.  Use a small value
! 	(e.g., 60 seconds) if your users might change addresses
! 	quickly, as is the case with dialups.   You might be safe
! 	using a larger value (e.g., 2 hours) in a corporate LAN
! 	environment with relatively static address assignments.
  DOC_END
  
  NAME: external_acl_type
***************
*** 1968,1982 ****
  
  	acl aclname max_user_ip [-s] number
  	  # This will be matched when the user attempts to log in from more
! 	  # than <number> different ip address's. The authenticate_ip_ttl
  	  # parameter controls the timeout on the ip entries.
  	  # If -s is specified then the limit is strict, denying browsing
  	  # from any further IP addresses until the ttl has expired. Without
! 	  # -s Squid will just annoy the user by "randomly" deny requests.
  	  # (the counter is then reset each time the limit is reached and a
  	  # request is denied)
  	  # NOTE: in acceleration mode or where there is mesh of child proxies,
! 	  # clients may appear to come from multiple address's if they are
  	  # going through proxy farms, so a limit of 1 may cause user problems.
  
  	acl aclname req_mime_type mime-type1 ...
--- 1958,1972 ----
  
  	acl aclname max_user_ip [-s] number
  	  # This will be matched when the user attempts to log in from more
! 	  # than <number> different ip addresses. The authenticate_ip_ttl
  	  # parameter controls the timeout on the ip entries.
  	  # If -s is specified then the limit is strict, denying browsing
  	  # from any further IP addresses until the ttl has expired. Without
! 	  # -s Squid will just annoy the user by "randomly" denying requests.
  	  # (the counter is then reset each time the limit is reached and a
  	  # request is denied)
  	  # NOTE: in acceleration mode or where there is mesh of child proxies,
! 	  # clients may appear to come from multiple addresses if they are
  	  # going through proxy farms, so a limit of 1 may cause user problems.
  
  	acl aclname req_mime_type mime-type1 ...
Index: squid/src/authenticate.c
diff -c squid/src/authenticate.c:1.36.2.3 squid/src/authenticate.c:1.36.2.6
*** squid/src/authenticate.c:1.36.2.3	Wed Oct  2 03:02:29 2002
--- squid/src/authenticate.c	Mon Oct  7 21:31:06 2002
***************
*** 244,250 ****
      return NULL;
  }
  
! void
  authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr)
  {
      auth_user_ip_t *ipdata, *tempnode;
--- 244,250 ----
      return NULL;
  }
  
! static void
  authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr)
  {
      auth_user_ip_t *ipdata, *tempnode;
***************
*** 265,271 ****
  	tempnode = (auth_user_ip_t *) ipdata->node.next;
  	/* walk the ip list */
  	if (ipdata->ipaddr.s_addr == ipaddr.s_addr) {
! 	    /* This ip has alreadu been seen. */
  	    found = 1;
  	    /* update IP ttl */
  	    ipdata->ip_expiretime = squid_curtime;
--- 265,271 ----
  	tempnode = (auth_user_ip_t *) ipdata->node.next;
  	/* walk the ip list */
  	if (ipdata->ipaddr.s_addr == ipaddr.s_addr) {
! 	    /* This ip has already been seen. */
  	    found = 1;
  	    /* update IP ttl */
  	    ipdata->ip_expiretime = squid_curtime;
***************
*** 438,446 ****
      }
      /*
       * a note on proxy_auth logix here:
!      * proxy_auth==NULL -> unauthenticated request || already authenticated connection
!      * so we test for an authenticated connection when we recieve no authentication
!      * header.
       */
      if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(*auth_user_request ? *auth_user_request : conn->auth_user_request)))
  	|| (conn->auth_type == AUTH_BROKEN)) {
--- 438,446 ----
      }
      /*
       * a note on proxy_auth logix here:
!      * proxy_auth==NULL -> unauthenticated request || already
!      * authenticated connection so we test for an authenticated
!      * connection when we recieve no authentication header.
       */
      if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(*auth_user_request ? *auth_user_request : conn->auth_user_request)))
  	|| (conn->auth_type == AUTH_BROKEN)) {
***************
*** 585,591 ****
  	    *auth_user_request = t;
  	return t->lastReply;
      }
- 
      /* ok, call the actual authenticator routine. */
      result = authenticateAuthenticate(auth_user_request, headertype, request, conn, src_addr);
      t = *auth_user_request ? *auth_user_request : conn->auth_user_request;
--- 585,590 ----
***************
*** 734,741 ****
  	    }
  	}
      }
!     /* allow protocol specific headers to be _added_ to the existing response - ie
!      * digest auth
       */
      if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0)
  	&& (authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader))
--- 733,741 ----
  	    }
  	}
      }
!     /*
!      * allow protocol specific headers to be _added_ to the existing
!      * response - ie digest auth
       */
      if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0)
  	&& (authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader))
***************
*** 811,827 ****
      return auth_user->references;
  }
  
! /* Combine two user structs. ONLY to be called from within a scheme module.
!  * The scheme module is responsible for ensuring that the two users _can_ be merged 
!  * without invalidating all the request scheme data. 
!  * the scheme is also responsible for merging any user related scheme data itself. */
  void
  authenticateAuthUserMerge(auth_user_t * from, auth_user_t * to)
  {
      dlink_node *link, *tmplink;
      auth_user_request_t *auth_user_request;
! /* XXX combine two authuser structs. Incomplete: it should merge in hash references 
!  * too and ask the module to merge in scheme data */
      debug(29, 5) ("authenticateAuthUserMerge auth_user '%p' into auth_user '%p'.\n", from, to);
      link = from->requests.head;
      while (link) {
--- 811,833 ----
      return auth_user->references;
  }
  
! /*
!  * Combine two user structs. ONLY to be called from within a scheme
!  * module.  The scheme module is responsible for ensuring that the
!  * two users _can_ be merged without invalidating all the request
!  * scheme data. the scheme is also responsible for merging any user
!  * related scheme data itself.
!  */
  void
  authenticateAuthUserMerge(auth_user_t * from, auth_user_t * to)
  {
      dlink_node *link, *tmplink;
      auth_user_request_t *auth_user_request;
!     /*
!      * XXX combine two authuser structs. Incomplete: it should merge
!      * in hash references too and ask the module to merge in scheme
!      * data
!      */
      debug(29, 5) ("authenticateAuthUserMerge auth_user '%p' into auth_user '%p'.\n", from, to);
      link = from->requests.head;
      while (link) {
Index: squid/src/acl.c
diff -c squid/src/acl.c:1.270.2.9 squid/src/acl.c:1.270.2.10
*** squid/src/acl.c:1.270.2.9	Wed Oct  2 03:02:29 2002
--- squid/src/acl.c	Mon Oct  7 21:33:52 2002
***************
*** 1249,1255 ****
      return W;
  }
  
! /* aclMatchUserMaxIP - check for users logging in from multiple IP's 
   * 0 : No match
   * 1 : Match 
   */
--- 1249,1256 ----
      return W;
  }
  
! /*
!  * aclMatchUserMaxIP - check for users logging in from multiple IP's 
   * 0 : No match
   * 1 : Match 
   */
***************
*** 1258,1264 ****
      struct in_addr src_addr)
  {
  /*
!  * > the logic for flush the ip list when the limit is hit vs keep it sorted in most recent access order and just drop the oldest one off is currently undecided
   */
      acl_user_ip_data *acldata = data;
  
--- 1259,1267 ----
      struct in_addr src_addr)
  {
  /*
!  * the logic for flush the ip list when the limit is hit vs keep
!  * it sorted in most recent access order and just drop the oldest
!  * one off is currently undecided
   */
      acl_user_ip_data *acldata = data;
  
***************
*** 1267,1280 ****
  
      /* this is a match */
      if (acldata->flags.strict) {
! 	/* simply deny access - the user name is already associated with
  	 * the request 
  	 */
  	/* remove _this_ ip, as it is the culprit for going over the limit */
  	authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
  	debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
      } else {
! 	/* non-strict - remove some/all of the cached entries 
  	 * ie to allow the user to move machines easily
  	 */
  	authenticateAuthUserRequestClearIp(auth_user_request);
--- 1270,1285 ----
  
      /* this is a match */
      if (acldata->flags.strict) {
! 	/*
! 	 * simply deny access - the user name is already associated with
  	 * the request 
  	 */
  	/* remove _this_ ip, as it is the culprit for going over the limit */
  	authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
  	debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
      } else {
! 	/*
! 	 * non-strict - remove some/all of the cached entries 
  	 * ie to allow the user to move machines easily
  	 */
  	authenticateAuthUserRequestClearIp(auth_user_request);
***************
*** 1288,1294 ****
  aclLookupProxyAuthStart(aclCheck_t * checklist)
  {
      auth_user_request_t *auth_user_request;
!     assert(checklist->auth_user_request != NULL);	/* this is created for us */
      auth_user_request = checklist->auth_user_request;
  
      assert(authenticateValidateUser(auth_user_request));
--- 1293,1300 ----
  aclLookupProxyAuthStart(aclCheck_t * checklist)
  {
      auth_user_request_t *auth_user_request;
!     /* make sure someone created auth_user_request for us */
!     assert(checklist->auth_user_request != NULL);
      auth_user_request = checklist->auth_user_request;
  
      assert(authenticateValidateUser(auth_user_request));
Index: squid/src/protos.h
diff -c squid/src/protos.h:1.420.2.13 squid/src/protos.h:1.420.2.14
*** squid/src/protos.h:1.420.2.13	Wed Oct  2 03:02:30 2002
--- squid/src/protos.h	Tue Oct  8 10:08:30 2002
***************
*** 759,765 ****
  extern void authenticateAuthUserRequestLock(auth_user_request_t *);
  extern char *authenticateAuthUserRequestMessage(auth_user_request_t *);
  extern int authenticateAuthUserInuse(auth_user_t * auth_user);
- extern void authenticateAuthUserRequestSetIp(auth_user_request_t *, struct in_addr);
  extern void authenticateAuthUserRequestRemoveIp(auth_user_request_t *, struct in_addr);
  extern void authenticateAuthUserRequestClearIp(auth_user_request_t *);
  extern size_t authenticateAuthUserRequestIPCount(auth_user_request_t *);
--- 759,764 ----
Commit	Line	Data
d3969417 AM	1	Index: squid/src/cf.data.pre
	2	diff -c squid/src/cf.data.pre:1.245.2.27 squid/src/cf.data.pre:1.245.2.30
	3	*** squid/src/cf.data.pre:1.245.2.27 Sun Sep 29 13:05:02 2002
	4	--- squid/src/cf.data.pre Mon Oct 7 22:29:40 2002
	5	***************
	6	* 1288,1294 **
	7	to replay attacks unless you are using an one-time password
	8	system (such as SecureID). If you are using such a system,
	9	you will be vulnerable to replay attacks unless you also
	10	! enable the IP ttl is strict option.
	11
	12	=== Parameters for the digest scheme follow ===
	13
	14	--- 1288,1294 ----
	15	to replay attacks unless you are using an one-time password
	16	system (such as SecureID). If you are using such a system,
	17	you will be vulnerable to replay attacks unless you also
	18	! use the max_user_ip ACL in an http_access rule.
	19
	20	=== Parameters for the digest scheme follow ===
	21
	22	***************
	23	* 1426,1448 **
	24	LOC: Config.authenticateIpTTL
	25	DEFAULT: 0 seconds
	26	DOC_START
	27	! With this option you control how long a proxy authentication
	28	! will be bound to a specific IP address. If a request using
	29	! the same user name is received during this time then access
	30	! will be denied and both users are required to reauthenticate
	31	! them selves. The idea behind this is to make it annoying
	32	! for people to share their password to their friends, but
	33	! yet allow a dialup user to reconnect on a different dialup
	34	! port.
	35	!
	36	! The default is 0 to disable the check. Recommended value
	37	! if you have dialup users are no more than 60 seconds to allow
	38	! the user to redial without hassle. If all your users are
	39	! stationary then higher values may be used.
	40	!
	41	! See also the acl max_user_ip. The max_user_ip acl replaces
	42	! the authenticate_ip_ttl_is_strict option found in earlier
	43	! Squid versions.
	44	DOC_END
	45
	46	NAME: external_acl_type
	47	--- 1426,1438 ----
	48	LOC: Config.authenticateIpTTL
	49	DEFAULT: 0 seconds
	50	DOC_START
	51	! If you use proxy authentication and the 'max_user_ip' ACL,
	52	! this directive controls how long Squid remembers the IP
	53	! addresses associated with each user. Use a small value
	54	! (e.g., 60 seconds) if your users might change addresses
	55	! quickly, as is the case with dialups. You might be safe
	56	! using a larger value (e.g., 2 hours) in a corporate LAN
	57	! environment with relatively static address assignments.
	58	DOC_END
	59
	60	NAME: external_acl_type
	61	***************
	62	* 1968,1982 **
	63
	64	acl aclname max_user_ip [-s] number
65	# This will be matched when the user attempts to log in from more
66	! # than <number> different ip address's. The authenticate_ip_ttl
67	# parameter controls the timeout on the ip entries.
68	# If -s is specified then the limit is strict, denying browsing
69	# from any further IP addresses until the ttl has expired. Without
70	! # -s Squid will just annoy the user by "randomly" deny requests.
71	# (the counter is then reset each time the limit is reached and a
72	# request is denied)
73	# NOTE: in acceleration mode or where there is mesh of child proxies,
74	! # clients may appear to come from multiple address's if they are
75	# going through proxy farms, so a limit of 1 may cause user problems.
76
77	acl aclname req_mime_type mime-type1 ...
78	--- 1958,1972 ----
79
80	acl aclname max_user_ip [-s] number
81	# This will be matched when the user attempts to log in from more
82	! # than <number> different ip addresses. The authenticate_ip_ttl
83	# parameter controls the timeout on the ip entries.
84	# If -s is specified then the limit is strict, denying browsing
85	# from any further IP addresses until the ttl has expired. Without
86	! # -s Squid will just annoy the user by "randomly" denying requests.
87	# (the counter is then reset each time the limit is reached and a
88	# request is denied)
89	# NOTE: in acceleration mode or where there is mesh of child proxies,
90	! # clients may appear to come from multiple addresses if they are
91	# going through proxy farms, so a limit of 1 may cause user problems.
92
93	acl aclname req_mime_type mime-type1 ...
94	Index: squid/src/authenticate.c
95	diff -c squid/src/authenticate.c:1.36.2.3 squid/src/authenticate.c:1.36.2.6
96	*** squid/src/authenticate.c:1.36.2.3 Wed Oct 2 03:02:29 2002
97	--- squid/src/authenticate.c Mon Oct 7 21:31:06 2002
98	***************
99	* 244,250 **
100	return NULL;
101	}
102
103	! void
104	authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr)
105	{
106	auth_user_ip_t ipdata, tempnode;
107	--- 244,250 ----
108	return NULL;
109	}
110
111	! static void
112	authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr)
113	{
114	auth_user_ip_t ipdata, tempnode;
115	***************
116	* 265,271 **
117	tempnode = (auth_user_ip_t *) ipdata->node.next;
118	/* walk the ip list */
119	if (ipdata->ipaddr.s_addr == ipaddr.s_addr) {
120	! /* This ip has alreadu been seen. */
121	found = 1;
122	/* update IP ttl */
123	ipdata->ip_expiretime = squid_curtime;
124	--- 265,271 ----
125	tempnode = (auth_user_ip_t *) ipdata->node.next;
126	/* walk the ip list */
127	if (ipdata->ipaddr.s_addr == ipaddr.s_addr) {
128	! /* This ip has already been seen. */
129	found = 1;
130	/* update IP ttl */
131	ipdata->ip_expiretime = squid_curtime;
132	***************
133	* 438,446 **
134	}
135	/*
136	* a note on proxy_auth logix here:
137	! * proxy_auth==NULL -> unauthenticated request \|\| already authenticated connection
138	! * so we test for an authenticated connection when we recieve no authentication
139	! * header.
140	*/
141	if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(auth_user_request ? auth_user_request : conn->auth_user_request)))
142	\|\| (conn->auth_type == AUTH_BROKEN)) {
143	--- 438,446 ----
144	}
145	/*
146	* a note on proxy_auth logix here:
147	! * proxy_auth==NULL -> unauthenticated request \|\| already
148	! * authenticated connection so we test for an authenticated
149	! * connection when we recieve no authentication header.
150	*/
151	if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(auth_user_request ? auth_user_request : conn->auth_user_request)))
152	\|\| (conn->auth_type == AUTH_BROKEN)) {
153	***************
154	* 585,591 **
155	*auth_user_request = t;
156	return t->lastReply;
157	}
158	-
159	/* ok, call the actual authenticator routine. */
160	result = authenticateAuthenticate(auth_user_request, headertype, request, conn, src_addr);
161	t = auth_user_request ? auth_user_request : conn->auth_user_request;
162	--- 585,590 ----
163	***************
164	* 734,741 **
165	}
166	}
167	}
168	! /* allow protocol specific headers to be _added_ to the existing response - ie
169	! * digest auth
170	*/
171	if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0)
172	&& (authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader))
173	--- 733,741 ----
174	}
175	}
176	}
177	! /*
178	! * allow protocol specific headers to be _added_ to the existing
179	! * response - ie digest auth
180	*/
181	if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0)
182	&& (authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader))
183	***************
184	* 811,827 **
185	return auth_user->references;
186	}
187
188	! /* Combine two user structs. ONLY to be called from within a scheme module.
189	! * The scheme module is responsible for ensuring that the two users _can_ be merged
190	! * without invalidating all the request scheme data.
191	! * the scheme is also responsible for merging any user related scheme data itself. */
192	void
193	authenticateAuthUserMerge(auth_user_t * from, auth_user_t * to)
194	{
195	dlink_node link, tmplink;
196	auth_user_request_t *auth_user_request;
197	! /* XXX combine two authuser structs. Incomplete: it should merge in hash references
198	! * too and ask the module to merge in scheme data */
199	debug(29, 5) ("authenticateAuthUserMerge auth_user '%p' into auth_user '%p'.\n", from, to);
200	link = from->requests.head;
201	while (link) {
202	--- 811,833 ----
203	return auth_user->references;
204	}
205
206	! /*
207	! * Combine two user structs. ONLY to be called from within a scheme
208	! * module. The scheme module is responsible for ensuring that the
209	! * two users _can_ be merged without invalidating all the request
210	! * scheme data. the scheme is also responsible for merging any user
211	! * related scheme data itself.
212	! */
213	void
214	authenticateAuthUserMerge(auth_user_t * from, auth_user_t * to)
215	{
216	dlink_node link, tmplink;
217	auth_user_request_t *auth_user_request;
218	! /*
219	! * XXX combine two authuser structs. Incomplete: it should merge
220	! * in hash references too and ask the module to merge in scheme
221	! * data
222	! */
223	debug(29, 5) ("authenticateAuthUserMerge auth_user '%p' into auth_user '%p'.\n", from, to);
224	link = from->requests.head;
225	while (link) {
226	Index: squid/src/acl.c
227	diff -c squid/src/acl.c:1.270.2.9 squid/src/acl.c:1.270.2.10
228	*** squid/src/acl.c:1.270.2.9 Wed Oct 2 03:02:29 2002
229	--- squid/src/acl.c Mon Oct 7 21:33:52 2002
230	***************
231	* 1249,1255 **
232	return W;
233	}
234
235	! /* aclMatchUserMaxIP - check for users logging in from multiple IP's
236	* 0 : No match
237	* 1 : Match
238	*/
239	--- 1249,1256 ----
240	return W;
241	}
242
243	! /*
244	! * aclMatchUserMaxIP - check for users logging in from multiple IP's
245	* 0 : No match
246	* 1 : Match
247	*/
248	***************
249	* 1258,1264 **
250	struct in_addr src_addr)
251	{
252	/*
253	! * > the logic for flush the ip list when the limit is hit vs keep it sorted in most recent access order and just drop the oldest one off is currently undecided
254	*/
255	acl_user_ip_data *acldata = data;
256
257	--- 1259,1267 ----
258	struct in_addr src_addr)
259	{
260	/*
261	! * the logic for flush the ip list when the limit is hit vs keep
262	! * it sorted in most recent access order and just drop the oldest
263	! * one off is currently undecided
264	*/
265	acl_user_ip_data *acldata = data;
266
267	***************
268	* 1267,1280 **
269
270	/* this is a match */
271	if (acldata->flags.strict) {
272	! /* simply deny access - the user name is already associated with
273	* the request
274	*/
275	/* remove _this_ ip, as it is the culprit for going over the limit */
276	authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
277	debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
278	} else {
279	! /* non-strict - remove some/all of the cached entries
280	* ie to allow the user to move machines easily
281	*/
282	authenticateAuthUserRequestClearIp(auth_user_request);
283	--- 1270,1285 ----
284
285	/* this is a match */
286	if (acldata->flags.strict) {
287	! /*
288	! * simply deny access - the user name is already associated with
289	* the request
290	*/
291	/* remove _this_ ip, as it is the culprit for going over the limit */
292	authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
293	debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
294	} else {
295	! /*
296	! * non-strict - remove some/all of the cached entries
297	* ie to allow the user to move machines easily
298	*/
299	authenticateAuthUserRequestClearIp(auth_user_request);
300	***************
301	* 1288,1294 **
302	aclLookupProxyAuthStart(aclCheck_t * checklist)
303	{
304	auth_user_request_t *auth_user_request;
305	! assert(checklist->auth_user_request != NULL); /* this is created for us */
306	auth_user_request = checklist->auth_user_request;
307
308	assert(authenticateValidateUser(auth_user_request));
309	--- 1293,1300 ----
310	aclLookupProxyAuthStart(aclCheck_t * checklist)
311	{
312	auth_user_request_t *auth_user_request;
313	! /* make sure someone created auth_user_request for us */
314	! assert(checklist->auth_user_request != NULL);
315	auth_user_request = checklist->auth_user_request;
316
317	assert(authenticateValidateUser(auth_user_request));
318	Index: squid/src/protos.h
319	diff -c squid/src/protos.h:1.420.2.13 squid/src/protos.h:1.420.2.14
320	*** squid/src/protos.h:1.420.2.13 Wed Oct 2 03:02:30 2002
321	--- squid/src/protos.h Tue Oct 8 10:08:30 2002
322	***************
323	* 759,765 **
324	extern void authenticateAuthUserRequestLock(auth_user_request_t *);
325	extern char authenticateAuthUserRequestMessage(auth_user_request_t );
326	extern int authenticateAuthUserInuse(auth_user_t * auth_user);
327	- extern void authenticateAuthUserRequestSetIp(auth_user_request_t *, struct in_addr);
328	extern void authenticateAuthUserRequestRemoveIp(auth_user_request_t *, struct in_addr);
329	extern void authenticateAuthUserRequestClearIp(auth_user_request_t *);
330	extern size_t authenticateAuthUserRequestIPCount(auth_user_request_t *);
331	--- 759,764 ----