[packages/squid.git] / squid-2.5.STABLE6-ntlm_challengereuse_leak.patch

Index: squid/src/auth/ntlm/auth_ntlm.c
diff -c squid/src/auth/ntlm/auth_ntlm.c:1.17.2.12 squid/src/auth/ntlm/auth_ntlm.c:1.17.2.13
*** squid/src/auth/ntlm/auth_ntlm.c:1.17.2.12	Sat Apr 17 19:29:52 2004
--- squid/src/auth/ntlm/auth_ntlm.c	Sat Jul 17 10:05:53 2004
***************
*** 87,95 ****
  static MemPool *ntlm_helper_state_pool = NULL;
  static MemPool *ntlm_user_pool = NULL;
  static MemPool *ntlm_request_pool = NULL;
  static auth_ntlm_config *ntlmConfig = NULL;
  
! static hash_table *proxy_auth_cache = NULL;
  
  /*
   *
--- 87,96 ----
  static MemPool *ntlm_helper_state_pool = NULL;
  static MemPool *ntlm_user_pool = NULL;
  static MemPool *ntlm_request_pool = NULL;
+ static MemPool *ntlm_challenge_pool = NULL;
  static auth_ntlm_config *ntlmConfig = NULL;
  
! static hash_table *ntlm_challenge_cache = NULL;
  
  /*
   *
***************
*** 249,257 ****
  	if (ntlmauthenticators == NULL)
  	    ntlmauthenticators = helperStatefulCreate("ntlmauthenticator");
  	if (ntlmConfig->challengeuses) {
! 	    if (!proxy_auth_cache)
! 		proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
! 	    assert(proxy_auth_cache);
  	}
  	ntlmauthenticators->cmdline = ntlmConfig->authenticate;
  	ntlmauthenticators->n_to_start = ntlmConfig->authenticateChildren;
--- 250,259 ----
  	if (ntlmauthenticators == NULL)
  	    ntlmauthenticators = helperStatefulCreate("ntlmauthenticator");
  	if (ntlmConfig->challengeuses) {
! 	    if (!ntlm_challenge_cache)
! 		ntlm_challenge_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
! 	    if (!ntlm_challenge_pool)
! 		ntlm_challenge_pool = memPoolCreate("NTLM Challenge Cache", sizeof(ntlm_challenge_hash_pointer));
  	}
  	ntlmauthenticators->cmdline = ntlmConfig->authenticate;
  	ntlmauthenticators->n_to_start = ntlmConfig->authenticateChildren;
***************
*** 393,420 ****
      auth_user_request->scheme_data = NULL;
  }
  
  static void
  authenticateNTLMFreeUser(auth_user_t * auth_user)
  {
-     dlink_node *link, *tmplink;
      ntlm_user_t *ntlm_user = auth_user->scheme_data;
-     auth_user_hash_pointer *proxy_auth_hash;
  
      debug(29, 5) ("authenticateNTLMFreeUser: Clearing NTLM scheme data\n");
      if (ntlm_user->username)
  	xfree(ntlm_user->username);
      /* were they linked in by one or more proxy-authenticate headers */
!     link = ntlm_user->proxy_auth_list.head;
!     while (link) {
! 	debug(29, 9) ("authenticateFreeProxyAuthUser: removing proxy_auth hash entry '%p'\n", link->data);
! 	proxy_auth_hash = link->data;
! 	tmplink = link;
! 	link = link->next;
! 	dlinkDelete(tmplink, &ntlm_user->proxy_auth_list);
! 	hash_remove_link(proxy_auth_cache, (hash_link *) proxy_auth_hash);
! 	/* free the key (usually the proxy_auth header) */
! 	xfree(proxy_auth_hash->key);
! 	memFree(proxy_auth_hash, MEM_AUTH_USER_HASH);
      }
      memPoolFree(ntlm_user_pool, ntlm_user);
      auth_user->scheme_data = NULL;
--- 395,413 ----
      auth_user_request->scheme_data = NULL;
  }
  
+ static void authenticateNTLMChallengeCacheRemoveLink(ntlm_challenge_hash_pointer * challenge_hash);
+ 
  static void
  authenticateNTLMFreeUser(auth_user_t * auth_user)
  {
      ntlm_user_t *ntlm_user = auth_user->scheme_data;
  
      debug(29, 5) ("authenticateNTLMFreeUser: Clearing NTLM scheme data\n");
      if (ntlm_user->username)
  	xfree(ntlm_user->username);
      /* were they linked in by one or more proxy-authenticate headers */
!     while (ntlm_user->challenge_list.head) {
! 	authenticateNTLMChallengeCacheRemoveLink(ntlm_user->challenge_list.head->data);
      }
      memPoolFree(ntlm_user_pool, ntlm_user);
      auth_user->scheme_data = NULL;
***************
*** 792,797 ****
--- 785,793 ----
  	statedata->renewed = 0;
  	xfree(statedata->challenge);
  	statedata->challenge = NULL;
+ 	while (statedata->user_list.head) {
+ 	    authenticateNTLMChallengeCacheRemoveLink(statedata->user_list.head->data);
+ 	}
      }
  }
  
***************
*** 880,903 ****
   * Check for this and if found ignore the new link 
   */
  static void
! authenticateProxyAuthCacheAddLink(const char *key, auth_user_t * auth_user)
  {
!     auth_user_hash_pointer *proxy_auth_hash;
!     dlink_node *node;
      ntlm_user_t *ntlm_user;
      ntlm_user = auth_user->scheme_data;
-     node = ntlm_user->proxy_auth_list.head;
      /* prevent duplicates */
!     while (node) {
! 	if (!strcmp(key, ((auth_user_hash_pointer *) node->data)->key))
! 	    return;
! 	node = node->next;
!     }
!     proxy_auth_hash = memAllocate(MEM_AUTH_USER_HASH);
!     proxy_auth_hash->key = xstrdup(key);
!     proxy_auth_hash->auth_user = auth_user;
!     dlinkAddTail(proxy_auth_hash, &proxy_auth_hash->link, &ntlm_user->proxy_auth_list);
!     hash_join(proxy_auth_cache, (hash_link *) proxy_auth_hash);
  }
  
  
--- 876,909 ----
   * Check for this and if found ignore the new link 
   */
  static void
! authenticateNTLMChallengeCacheAddLink(const char *key, auth_user_t * auth_user, helper_stateful_server * auth_server)
  {
!     ntlm_challenge_hash_pointer *challenge_hash;
      ntlm_user_t *ntlm_user;
+     ntlm_helper_state_t *helperstate = helperStatefulServerGetData(auth_server);
      ntlm_user = auth_user->scheme_data;
      /* prevent duplicates */
!     if (hash_lookup(ntlm_challenge_cache, key))
! 	return;
!     challenge_hash = memPoolAlloc(ntlm_challenge_pool);
!     challenge_hash->key = xstrdup(key);
!     challenge_hash->user.auth_user = auth_user;
!     dlinkAddTail(challenge_hash, &challenge_hash->user.link, &ntlm_user->challenge_list);
!     challenge_hash->challenge.authserver = auth_server;
!     dlinkAddTail(challenge_hash, &challenge_hash->challenge.link, &helperstate->user_list);
!     hash_join(ntlm_challenge_cache, (hash_link *) challenge_hash);
! }
! 
! static void
! authenticateNTLMChallengeCacheRemoveLink(ntlm_challenge_hash_pointer * challenge_hash)
! {
!     ntlm_user_t *ntlm_user = challenge_hash->user.auth_user->scheme_data;
!     ntlm_helper_state_t *helperstate = helperStatefulServerGetData(challenge_hash->challenge.authserver);
!     hash_remove_link(ntlm_challenge_cache, (hash_link *) challenge_hash);
!     dlinkDelete(&challenge_hash->user.link, &ntlm_user->challenge_list);
!     dlinkDelete(&challenge_hash->challenge.link, &helperstate->user_list);
!     xfree(challenge_hash->key);
!     memPoolFree(ntlm_challenge_pool, challenge_hash);
  }
  
  
***************
*** 915,921 ****
  authenticateNTLMAuthenticateUser(auth_user_request_t * auth_user_request, request_t * request, ConnStateData * conn, http_hdr_type type)
  {
      const char *proxy_auth;
!     auth_user_hash_pointer *usernamehash, *proxy_auth_hash = NULL;
      auth_user_t *auth_user;
      ntlm_request_t *ntlm_request;
      ntlm_user_t *ntlm_user;
--- 921,928 ----
  authenticateNTLMAuthenticateUser(auth_user_request_t * auth_user_request, request_t * request, ConnStateData * conn, http_hdr_type type)
  {
      const char *proxy_auth;
!     auth_user_hash_pointer *usernamehash;
!     ntlm_challenge_hash_pointer *challenge_hash = NULL;
      auth_user_t *auth_user;
      ntlm_request_t *ntlm_request;
      ntlm_user_t *ntlm_user;
***************
*** 982,990 ****
  	    ntlm_request->authchallenge);
  	/* see if we already know this user's authenticate */
  	debug(29, 9) ("aclMatchProxyAuth: cache lookup with key '%s'\n", ntlmhash);
! 	assert(proxy_auth_cache != NULL);
! 	proxy_auth_hash = hash_lookup(proxy_auth_cache, ntlmhash);
! 	if (!proxy_auth_hash) {	/* not in the hash table */
  	    debug(29, 4) ("authenticateNTLMAuthenticateUser: proxy-auth cache miss.\n");
  	    ntlm_request->auth_state = AUTHENTICATE_STATE_RESPONSE;
  	    /* verify with the ntlm helper */
--- 989,997 ----
  	    ntlm_request->authchallenge);
  	/* see if we already know this user's authenticate */
  	debug(29, 9) ("aclMatchProxyAuth: cache lookup with key '%s'\n", ntlmhash);
! 	assert(ntlm_challenge_cache != NULL);
! 	challenge_hash = hash_lookup(ntlm_challenge_cache, ntlmhash);
! 	if (!challenge_hash) {	/* not in the hash table */
  	    debug(29, 4) ("authenticateNTLMAuthenticateUser: proxy-auth cache miss.\n");
  	    ntlm_request->auth_state = AUTHENTICATE_STATE_RESPONSE;
  	    /* verify with the ntlm helper */
***************
*** 993,1000 ****
  	    /* throw away the temporary entry */
  	    ntlm_request->authserver_deferred = 0;
  	    authenticateNTLMReleaseServer(ntlm_request);
! 	    authenticateAuthUserMerge(auth_user, proxy_auth_hash->auth_user);
! 	    auth_user = proxy_auth_hash->auth_user;
  	    auth_user_request->auth_user = auth_user;
  	    ntlm_request->auth_state = AUTHENTICATE_STATE_DONE;
  	    /* we found one */
--- 1000,1007 ----
  	    /* throw away the temporary entry */
  	    ntlm_request->authserver_deferred = 0;
  	    authenticateNTLMReleaseServer(ntlm_request);
! 	    authenticateAuthUserMerge(auth_user, challenge_hash->user.auth_user);
! 	    auth_user = challenge_hash->user.auth_user;
  	    auth_user_request->auth_user = auth_user;
  	    ntlm_request->auth_state = AUTHENTICATE_STATE_DONE;
  	    /* we found one */
***************
*** 1026,1035 ****
  		usernamehash = usernamehash->next;
  	}
  	if (usernamehash) {
- 	    /*
- 	     * add another link from the new proxy_auth to the
- 	     * auth_user structure and update the information */
- 	    assert(proxy_auth_hash == NULL);
  	    /* we can't seamlessly recheck the username due to the 
  	     * challenge nature of the protocol. Just free the 
  	     * temporary auth_user */
--- 1033,1038 ----
***************
*** 1045,1051 ****
  	    snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s",
  		ntlm_request->ntlmauthenticate,
  		ntlm_request->authchallenge);
! 	    authenticateProxyAuthCacheAddLink(ntlmhash, auth_user);
  	}
  	/* set these to now because this is either a new login from an 
  	 * existing user or a new user */
--- 1048,1054 ----
  	    snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s",
  		ntlm_request->ntlmauthenticate,
  		ntlm_request->authchallenge);
! 	    authenticateNTLMChallengeCacheAddLink(ntlmhash, auth_user, ntlm_request->authserver);
  	}
  	/* set these to now because this is either a new login from an 
  	 * existing user or a new user */
Index: squid/src/auth/ntlm/auth_ntlm.h
diff -c squid/src/auth/ntlm/auth_ntlm.h:1.7.2.1 squid/src/auth/ntlm/auth_ntlm.h:1.7.2.2
*** squid/src/auth/ntlm/auth_ntlm.h:1.7.2.1	Wed Feb  4 10:42:36 2004
--- squid/src/auth/ntlm/auth_ntlm.h	Sat Jul 17 10:05:53 2004
***************
*** 27,35 ****
  struct _ntlm_user {
      /* what username did this connection get? */
      char *username;
!     dlink_list proxy_auth_list;
  };
  
  struct _ntlm_request {
      /* what negotiate string did the client use? */
      char *ntlmnegotiate;
--- 27,50 ----
  struct _ntlm_user {
      /* what username did this connection get? */
      char *username;
!     dlink_list challenge_list;
  };
  
+ struct _ntlm_challenge_hash_pointer {
+     /* first two items must be same as hash_link */
+     char *key;
+     auth_user_hash_pointer *next;
+     struct {
+ 	auth_user_t *auth_user;
+ 	dlink_node link;	/* other hash entries that point to the same auth_user */
+     } user;
+     struct {
+ 	helper_stateful_server *authserver;
+ 	dlink_node link;	/* other hash entries that point to the same challenge */
+     } challenge;
+ };
+ 
+ 
  struct _ntlm_request {
      /* what negotiate string did the client use? */
      char *ntlmnegotiate;
***************
*** 52,57 ****
--- 67,73 ----
      int starve;			/* 0= normal operation. 1=don't hand out any more challenges */
      int challengeuses;		/* the number of times this challenge has been issued */
      time_t renewed;
+     dlink_list user_list;	/* ntlm_challenge_hash_pointer list referring to this challenge */
  };
  
  /* configuration runtime data */
***************
*** 67,72 ****
--- 83,89 ----
  typedef struct _ntlm_request ntlm_request_t;
  typedef struct _ntlm_helper_state_t ntlm_helper_state_t;
  typedef struct _auth_ntlm_config auth_ntlm_config;
+ typedef struct _ntlm_challenge_hash_pointer ntlm_challenge_hash_pointer;
  
  extern MemPool *ntlm_helper_state_pool;
  extern MemPool *ntlm_user_pool;
Commit	Line	Data
a5e09b2b	1	Index: squid/src/auth/ntlm/auth_ntlm.c
	2	diff -c squid/src/auth/ntlm/auth_ntlm.c:1.17.2.12 squid/src/auth/ntlm/auth_ntlm.c:1.17.2.13
	3	*** squid/src/auth/ntlm/auth_ntlm.c:1.17.2.12 Sat Apr 17 19:29:52 2004
	4	--- squid/src/auth/ntlm/auth_ntlm.c Sat Jul 17 10:05:53 2004
	5	***************
	6	* 87,95 **
	7	static MemPool *ntlm_helper_state_pool = NULL;
	8	static MemPool *ntlm_user_pool = NULL;
	9	static MemPool *ntlm_request_pool = NULL;
	10	static auth_ntlm_config *ntlmConfig = NULL;
	11
	12	! static hash_table *proxy_auth_cache = NULL;
	13
	14	/*
	15	*
	16	--- 87,96 ----
	17	static MemPool *ntlm_helper_state_pool = NULL;
	18	static MemPool *ntlm_user_pool = NULL;
	19	static MemPool *ntlm_request_pool = NULL;
	20	+ static MemPool *ntlm_challenge_pool = NULL;
	21	static auth_ntlm_config *ntlmConfig = NULL;
	22
	23	! static hash_table *ntlm_challenge_cache = NULL;
	24
	25	/*
	26	*
	27	***************
	28	* 249,257 **
	29	if (ntlmauthenticators == NULL)
	30	ntlmauthenticators = helperStatefulCreate("ntlmauthenticator");
	31	if (ntlmConfig->challengeuses) {
	32	! if (!proxy_auth_cache)
	33	! proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
	34	! assert(proxy_auth_cache);
	35	}
	36	ntlmauthenticators->cmdline = ntlmConfig->authenticate;
	37	ntlmauthenticators->n_to_start = ntlmConfig->authenticateChildren;
	38	--- 250,259 ----
	39	if (ntlmauthenticators == NULL)
	40	ntlmauthenticators = helperStatefulCreate("ntlmauthenticator");
	41	if (ntlmConfig->challengeuses) {
	42	! if (!ntlm_challenge_cache)
	43	! ntlm_challenge_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
	44	! if (!ntlm_challenge_pool)
	45	! ntlm_challenge_pool = memPoolCreate("NTLM Challenge Cache", sizeof(ntlm_challenge_hash_pointer));
	46	}
	47	ntlmauthenticators->cmdline = ntlmConfig->authenticate;
	48	ntlmauthenticators->n_to_start = ntlmConfig->authenticateChildren;
	49	***************
	50	* 393,420 **
	51	auth_user_request->scheme_data = NULL;
	52	}
	53
	54	static void
	55	authenticateNTLMFreeUser(auth_user_t * auth_user)
	56	{
	57	- dlink_node link, tmplink;
	58	ntlm_user_t *ntlm_user = auth_user->scheme_data;
	59	- auth_user_hash_pointer *proxy_auth_hash;
	60
	61	debug(29, 5) ("authenticateNTLMFreeUser: Clearing NTLM scheme data\n");
	62	if (ntlm_user->username)
	63	xfree(ntlm_user->username);
	64	/* were they linked in by one or more proxy-authenticate headers */
65	! link = ntlm_user->proxy_auth_list.head;
66	! while (link) {
67	! debug(29, 9) ("authenticateFreeProxyAuthUser: removing proxy_auth hash entry '%p'\n", link->data);
68	! proxy_auth_hash = link->data;
69	! tmplink = link;
70	! link = link->next;
71	! dlinkDelete(tmplink, &ntlm_user->proxy_auth_list);
72	! hash_remove_link(proxy_auth_cache, (hash_link *) proxy_auth_hash);
73	! /* free the key (usually the proxy_auth header) */
74	! xfree(proxy_auth_hash->key);
75	! memFree(proxy_auth_hash, MEM_AUTH_USER_HASH);
76	}
77	memPoolFree(ntlm_user_pool, ntlm_user);
78	auth_user->scheme_data = NULL;
79	--- 395,413 ----
80	auth_user_request->scheme_data = NULL;
81	}
82
83	+ static void authenticateNTLMChallengeCacheRemoveLink(ntlm_challenge_hash_pointer * challenge_hash);
84	+
85	static void
86	authenticateNTLMFreeUser(auth_user_t * auth_user)
87	{
88	ntlm_user_t *ntlm_user = auth_user->scheme_data;
89
90	debug(29, 5) ("authenticateNTLMFreeUser: Clearing NTLM scheme data\n");
91	if (ntlm_user->username)
92	xfree(ntlm_user->username);
93	/* were they linked in by one or more proxy-authenticate headers */
94	! while (ntlm_user->challenge_list.head) {
95	! authenticateNTLMChallengeCacheRemoveLink(ntlm_user->challenge_list.head->data);
96	}
97	memPoolFree(ntlm_user_pool, ntlm_user);
98	auth_user->scheme_data = NULL;
99	***************
100	* 792,797 **
101	--- 785,793 ----
102	statedata->renewed = 0;
103	xfree(statedata->challenge);
104	statedata->challenge = NULL;
105	+ while (statedata->user_list.head) {
106	+ authenticateNTLMChallengeCacheRemoveLink(statedata->user_list.head->data);
107	+ }
108	}
109	}
110
111	***************
112	* 880,903 **
113	* Check for this and if found ignore the new link
114	*/
115	static void
116	! authenticateProxyAuthCacheAddLink(const char key, auth_user_t auth_user)
117	{
118	! auth_user_hash_pointer *proxy_auth_hash;
119	! dlink_node *node;
120	ntlm_user_t *ntlm_user;
121	ntlm_user = auth_user->scheme_data;
122	- node = ntlm_user->proxy_auth_list.head;
123	/* prevent duplicates */
124	! while (node) {
125	! if (!strcmp(key, ((auth_user_hash_pointer *) node->data)->key))
126	! return;
127	! node = node->next;
128	! }
129	! proxy_auth_hash = memAllocate(MEM_AUTH_USER_HASH);
130	! proxy_auth_hash->key = xstrdup(key);
131	! proxy_auth_hash->auth_user = auth_user;
132	! dlinkAddTail(proxy_auth_hash, &proxy_auth_hash->link, &ntlm_user->proxy_auth_list);
133	! hash_join(proxy_auth_cache, (hash_link *) proxy_auth_hash);
134	}
135
136
137	--- 876,909 ----
138	* Check for this and if found ignore the new link
139	*/
140	static void
141	! authenticateNTLMChallengeCacheAddLink(const char key, auth_user_t auth_user, helper_stateful_server * auth_server)
142	{
143	! ntlm_challenge_hash_pointer *challenge_hash;
144	ntlm_user_t *ntlm_user;
145	+ ntlm_helper_state_t *helperstate = helperStatefulServerGetData(auth_server);
146	ntlm_user = auth_user->scheme_data;
147	/* prevent duplicates */
148	! if (hash_lookup(ntlm_challenge_cache, key))
149	! return;
150	! challenge_hash = memPoolAlloc(ntlm_challenge_pool);
151	! challenge_hash->key = xstrdup(key);
152	! challenge_hash->user.auth_user = auth_user;
153	! dlinkAddTail(challenge_hash, &challenge_hash->user.link, &ntlm_user->challenge_list);
154	! challenge_hash->challenge.authserver = auth_server;
155	! dlinkAddTail(challenge_hash, &challenge_hash->challenge.link, &helperstate->user_list);
156	! hash_join(ntlm_challenge_cache, (hash_link *) challenge_hash);
157	! }
158	!
159	! static void
160	! authenticateNTLMChallengeCacheRemoveLink(ntlm_challenge_hash_pointer * challenge_hash)
161	! {
162	! ntlm_user_t *ntlm_user = challenge_hash->user.auth_user->scheme_data;
163	! ntlm_helper_state_t *helperstate = helperStatefulServerGetData(challenge_hash->challenge.authserver);
164	! hash_remove_link(ntlm_challenge_cache, (hash_link *) challenge_hash);
165	! dlinkDelete(&challenge_hash->user.link, &ntlm_user->challenge_list);
166	! dlinkDelete(&challenge_hash->challenge.link, &helperstate->user_list);
167	! xfree(challenge_hash->key);
168	! memPoolFree(ntlm_challenge_pool, challenge_hash);
169	}
170
171
172	***************
173	* 915,921 **
174	authenticateNTLMAuthenticateUser(auth_user_request_t * auth_user_request, request_t * request, ConnStateData * conn, http_hdr_type type)
175	{
176	const char *proxy_auth;
177	! auth_user_hash_pointer usernamehash, proxy_auth_hash = NULL;
178	auth_user_t *auth_user;
179	ntlm_request_t *ntlm_request;
180	ntlm_user_t *ntlm_user;
181	--- 921,928 ----
182	authenticateNTLMAuthenticateUser(auth_user_request_t * auth_user_request, request_t * request, ConnStateData * conn, http_hdr_type type)
183	{
184	const char *proxy_auth;
185	! auth_user_hash_pointer *usernamehash;
186	! ntlm_challenge_hash_pointer *challenge_hash = NULL;
187	auth_user_t *auth_user;
188	ntlm_request_t *ntlm_request;
189	ntlm_user_t *ntlm_user;
190	***************
191	* 982,990 **
192	ntlm_request->authchallenge);
193	/* see if we already know this user's authenticate */
194	debug(29, 9) ("aclMatchProxyAuth: cache lookup with key '%s'\n", ntlmhash);
195	! assert(proxy_auth_cache != NULL);
196	! proxy_auth_hash = hash_lookup(proxy_auth_cache, ntlmhash);
197	! if (!proxy_auth_hash) { /* not in the hash table */
198	debug(29, 4) ("authenticateNTLMAuthenticateUser: proxy-auth cache miss.\n");
199	ntlm_request->auth_state = AUTHENTICATE_STATE_RESPONSE;
200	/* verify with the ntlm helper */
201	--- 989,997 ----
202	ntlm_request->authchallenge);
203	/* see if we already know this user's authenticate */
204	debug(29, 9) ("aclMatchProxyAuth: cache lookup with key '%s'\n", ntlmhash);
205	! assert(ntlm_challenge_cache != NULL);
206	! challenge_hash = hash_lookup(ntlm_challenge_cache, ntlmhash);
207	! if (!challenge_hash) { /* not in the hash table */
208	debug(29, 4) ("authenticateNTLMAuthenticateUser: proxy-auth cache miss.\n");
209	ntlm_request->auth_state = AUTHENTICATE_STATE_RESPONSE;
210	/* verify with the ntlm helper */
211	***************
212	* 993,1000 **
213	/* throw away the temporary entry */
214	ntlm_request->authserver_deferred = 0;
215	authenticateNTLMReleaseServer(ntlm_request);
216	! authenticateAuthUserMerge(auth_user, proxy_auth_hash->auth_user);
217	! auth_user = proxy_auth_hash->auth_user;
218	auth_user_request->auth_user = auth_user;
219	ntlm_request->auth_state = AUTHENTICATE_STATE_DONE;
220	/* we found one */
221	--- 1000,1007 ----
222	/* throw away the temporary entry */
223	ntlm_request->authserver_deferred = 0;
224	authenticateNTLMReleaseServer(ntlm_request);
225	! authenticateAuthUserMerge(auth_user, challenge_hash->user.auth_user);
226	! auth_user = challenge_hash->user.auth_user;
227	auth_user_request->auth_user = auth_user;
228	ntlm_request->auth_state = AUTHENTICATE_STATE_DONE;
229	/* we found one */
230	***************
231	* 1026,1035 **
232	usernamehash = usernamehash->next;
233	}
234	if (usernamehash) {
235	- /*
236	- * add another link from the new proxy_auth to the
237	- * auth_user structure and update the information */
238	- assert(proxy_auth_hash == NULL);
239	/* we can't seamlessly recheck the username due to the
240	* challenge nature of the protocol. Just free the
241	* temporary auth_user */
242	--- 1033,1038 ----
243	***************
244	* 1045,1051 **
245	snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s",
246	ntlm_request->ntlmauthenticate,
247	ntlm_request->authchallenge);
248	! authenticateProxyAuthCacheAddLink(ntlmhash, auth_user);
249	}
250	/* set these to now because this is either a new login from an
251	* existing user or a new user */
252	--- 1048,1054 ----
253	snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s",
254	ntlm_request->ntlmauthenticate,
255	ntlm_request->authchallenge);
256	! authenticateNTLMChallengeCacheAddLink(ntlmhash, auth_user, ntlm_request->authserver);
257	}
258	/* set these to now because this is either a new login from an
259	* existing user or a new user */
260	Index: squid/src/auth/ntlm/auth_ntlm.h
261	diff -c squid/src/auth/ntlm/auth_ntlm.h:1.7.2.1 squid/src/auth/ntlm/auth_ntlm.h:1.7.2.2
262	*** squid/src/auth/ntlm/auth_ntlm.h:1.7.2.1 Wed Feb 4 10:42:36 2004
263	--- squid/src/auth/ntlm/auth_ntlm.h Sat Jul 17 10:05:53 2004
264	***************
265	* 27,35 **
266	struct _ntlm_user {
267	/* what username did this connection get? */
268	char *username;
269	! dlink_list proxy_auth_list;
270	};
271
272	struct _ntlm_request {
273	/* what negotiate string did the client use? */
274	char *ntlmnegotiate;
275	--- 27,50 ----
276	struct _ntlm_user {
277	/* what username did this connection get? */
278	char *username;
279	! dlink_list challenge_list;
280	};
281
282	+ struct _ntlm_challenge_hash_pointer {
283	+ /* first two items must be same as hash_link */
284	+ char *key;
285	+ auth_user_hash_pointer *next;
286	+ struct {
287	+ auth_user_t *auth_user;
288	+ dlink_node link; /* other hash entries that point to the same auth_user */
289	+ } user;
290	+ struct {
291	+ helper_stateful_server *authserver;
292	+ dlink_node link; /* other hash entries that point to the same challenge */
293	+ } challenge;
294	+ };
295	+
296	+
297	struct _ntlm_request {
298	/* what negotiate string did the client use? */
299	char *ntlmnegotiate;
300	***************
301	* 52,57 **
302	--- 67,73 ----
303	int starve; /* 0= normal operation. 1=don't hand out any more challenges */
304	int challengeuses; /* the number of times this challenge has been issued */
305	time_t renewed;
306	+ dlink_list user_list; /* ntlm_challenge_hash_pointer list referring to this challenge */
307	};
308
309	/* configuration runtime data */
310	***************
311	* 67,72 **
312	--- 83,89 ----
313	typedef struct _ntlm_request ntlm_request_t;
314	typedef struct _ntlm_helper_state_t ntlm_helper_state_t;
315	typedef struct _auth_ntlm_config auth_ntlm_config;
316	+ typedef struct _ntlm_challenge_hash_pointer ntlm_challenge_hash_pointer;
317
318	extern MemPool *ntlm_helper_state_pool;
319	extern MemPool *ntlm_user_pool;