- fixes CAN-2005-0097

[packages/squid.git] / squid-3.0.PRE3-winbind.patch

Index: squid3/helpers/basic_auth/winbind/wb_basic_auth.c
diff -c squid3/helpers/basic_auth/winbind/wb_basic_auth.c:1.6 squid3/helpers/basic_auth/winbind/wb_basic_auth.c:1.7
*** squid3/helpers/basic_auth/winbind/wb_basic_auth.c:1.6       Tue Feb 11 07:34:31 2003
--- squid3/helpers/basic_auth/winbind/wb_basic_auth.c   Fri Sep 12 04:13:22 2003
***************
*** 31,37 ****
  char debug_enabled=0;
  char *myname;
  pid_t mypid;
- int err = 0;
  
  NSS_STATUS winbindd_request(int req_type,
                            struct winbindd_request *request,
--- 31,36 ----
***************
*** 99,129 ****
      return;
  }
  
! void manage_request(void)
  {
      char buf[BUFFER_SIZE+1];
      int length;
      char *c, *user, *pass;
    
!     if (fgets(buf, BUFFER_SIZE, stdin) == NULL) {
!       warn("fgets() failed! dying..... errno=%d (%s)\n", errno,
!           strerror(errno));
!       exit(1);    /* BIIG buffer */
!     }
!       
      c=memchr(buf,'\n',BUFFER_SIZE);
      if (c) {
        *c = '\0';
        length = c-buf;
      } else {
-       err = 1;
-       return;
-     }
-     if (err) {
        warn("Oversized message\n");
        SEND("ERR");
!       err = 0;
!       return;
      }
    
      debug("Got '%s' from squid (length: %d).\n",buf,length);
--- 98,121 ----
      return;
  }
  
! int manage_request(void)
  {
      char buf[BUFFER_SIZE+1];
      int length;
      char *c, *user, *pass;
    
!     if (fgets(buf, BUFFER_SIZE, stdin) == NULL)
!       return 0;
!     
      c=memchr(buf,'\n',BUFFER_SIZE);
      if (c) {
        *c = '\0';
        length = c-buf;
      } else {
        warn("Oversized message\n");
+       fgets(buf, BUFFER_SIZE, stdin);
        SEND("ERR");
!       return 1;
      }
    
      debug("Got '%s' from squid (length: %d).\n",buf,length);
***************
*** 131,137 ****
      if (buf[0] == '\0') {
        warn("Invalid Request\n");
        SEND("ERR");
!       return;
      }
  
      user=buf;
--- 123,129 ----
      if (buf[0] == '\0') {
        warn("Invalid Request\n");
        SEND("ERR");
!       return 1;
      }
  
      user=buf;
***************
*** 140,146 ****
      if (!pass) {
        warn("Password not found. Denying access\n");
        SEND("ERR");
!       return;
      }
      *pass='\0';
      pass++;
--- 132,138 ----
      if (!pass) {
        warn("Password not found. Denying access\n");
        SEND("ERR");
!       return 1;
      }
      *pass='\0';
      pass++;
***************
*** 149,154 ****
--- 141,169 ----
      rfc1738_unescape(pass);
  
      do_authenticate(user,pass);
+     return 1;
+ }
+ 
+ void
+ check_winbindd()
+ {
+     NSS_STATUS r;
+     int retry=10;
+     struct winbindd_request request;
+     struct winbindd_response response;
+     do {
+       r = winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response);
+       if (r != NSS_STATUS_SUCCESS)
+           retry--; 
+     } while (r != NSS_STATUS_SUCCESS && retry);
+     if (r != NSS_STATUS_SUCCESS) {
+       warn("Can't contact winbindd. Dying\n");
+       exit(1);
+     }
+     if (response.data.interface_version != WINBIND_INTERFACE_VERSION) {
+       warn("Winbind protocol mismatch. Align squid and samba. Dying\n");
+       exit(1);
+     }
  }
  
  
***************
*** 170,177 ****
      setbuf(stdout, NULL);
      setbuf(stderr, NULL);
  
!     while(1) {
!       manage_request();
      }
      return 0;
  }
--- 185,194 ----
      setbuf(stdout, NULL);
      setbuf(stderr, NULL);
  
!     check_winbindd();
! 
!     while(manage_request()) {
!       /* everything is done within manage_request */
      }
      return 0;
  }
Index: squid3/helpers/external_acl/winbind_group/wb_check_group.c
diff -c squid3/helpers/external_acl/winbind_group/wb_check_group.c:1.11 squid3/helpers/external_acl/winbind_group/wb_check_group.c:1.12
*** squid3/helpers/external_acl/winbind_group/wb_check_group.c:1.11     Sun May 11 07:01:34 2003
--- squid3/helpers/external_acl/winbind_group/wb_check_group.c  Fri Sep 12 04:13:23 2003
***************
*** 292,297 ****
--- 292,319 ----
      return;
  }
  
+ void
+ check_winbindd()
+ {
+     NSS_STATUS r;
+     int retry=10;
+     struct winbindd_request request;
+     struct winbindd_response response;
+     do {
+       r = winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response);
+       if (r != NSS_STATUS_SUCCESS)
+           retry--; 
+     } while (r != NSS_STATUS_SUCCESS && retry);
+     if (r != NSS_STATUS_SUCCESS) {
+       warn("Can't contact winbindd. Dying\n");
+       exit(1);
+     }
+     if (response.data.interface_version != WINBIND_INTERFACE_VERSION) {
+       warn("Winbind protocol mismatch. Align squid and samba. Dying\n");
+       exit(1);
+     }
+ }
+ 
  int
  main (int argc, char *argv[])
  {
***************
*** 323,328 ****
--- 345,352 ----
      if (use_case_insensitive_compare)
          debug("Warning: running in case insensitive mode !!!\n");
   
+     check_winbindd();
+ 
      /* Main Loop */
      while (fgets (buf, BUFSIZE, stdin))
      {
Index: squid3/helpers/ntlm_auth/winbind/wb_ntlm_auth.c
diff -c squid3/helpers/ntlm_auth/winbind/wb_ntlm_auth.c:1.8 squid3/helpers/ntlm_auth/winbind/wb_ntlm_auth.c:1.9
*** squid3/helpers/ntlm_auth/winbind/wb_ntlm_auth.c:1.8 Tue Aug  5 15:40:02 2003
--- squid3/helpers/ntlm_auth/winbind/wb_ntlm_auth.c     Fri Sep 12 04:13:25 2003
***************
*** 261,267 ****
      return;                   /* useless */
  }
  
! void
  manage_request(char *target_domain)
  {
      char buf[BUFFER_SIZE + 1];
--- 261,267 ----
      return;                   /* useless */
  }
  
! int
  manage_request(char *target_domain)
  {
      char buf[BUFFER_SIZE + 1];
***************
*** 271,288 ****
  
  
  try_again:
!     if (fgets(buf, BUFFER_SIZE, stdin) == NULL) {
!       warn("fgets() failed! dying..... errno=%d (%s)\n", errno,
!           strerror(errno));
!       exit(1);                /* BIIG buffer */
!     }
  
      c = memchr(buf, '\n', BUFFER_SIZE);
      if (c) {
        if (oversized) {
            helperfail("illegal request received");
            warn("Illegal request received: '%s'\n", buf);
!           return;
        }
        *c = '\0';
      }
--- 271,285 ----
  
  
  try_again:
!     if (fgets(buf, BUFFER_SIZE, stdin) == NULL)
!       return 0;
  
      c = memchr(buf, '\n', BUFFER_SIZE);
      if (c) {
        if (oversized) {
            helperfail("illegal request received");
            warn("Illegal request received: '%s'\n", buf);
!           return 1;
        }
        *c = '\0';
      }
***************
*** 296,339 ****
      if (memcmp(buf, "YR", 2) == 0) {  /* refresh-request */
        sendchallenge(ntlm_make_challenge(target_domain, NULL,
                build_challenge(), CHALLENGE_LEN));
!       return;
      }
      if (strncmp(buf, "KK ", 3) != 0) {        /* not an auth-request */
        helperfail("illegal request received");
        warn("Illegal request received: '%s'\n", buf);
!       return;
      }
      /* At this point I'm sure it's a KK */
      decoded = base64_decode(buf + 3);
      if (!decoded) {           /* decoding failure, return error */
        authfail("-", "-", "Auth-format error, base64-decoding error");
!       return;
      }
      fast_header = (struct _ntlmhdr *) decoded;
  
      /* sanity-check: it IS a NTLMSSP packet, isn't it? */
      if (memcmp(fast_header->signature, "NTLMSSP", 8) != 0) {
        authfail("-", "-", "Broken NTLM packet, missing NTLMSSP signature");
!       return;
      }
      /* Understand what we got */
      switch le32toh(fast_header->type) {
      case NTLM_NEGOTIATE:
        authfail("-", "-", "Received neg-request while expecting auth packet");
!       return;
      case NTLM_CHALLENGE:
        authfail("-", "-", "Received challenge. Refusing to abide");
!       return;
      case NTLM_AUTHENTICATE:
        do_authenticate((ntlm_authenticate *) decoded,
            (strlen(buf) - 3) * 3 / 4);
!       return;
      default:
        helperfail("Unknown authentication packet type");
!       return;
      }
      /* notreached */
!     return;
  }
  
  static char *
--- 293,336 ----
      if (memcmp(buf, "YR", 2) == 0) {  /* refresh-request */
        sendchallenge(ntlm_make_challenge(target_domain, NULL,
                build_challenge(), CHALLENGE_LEN));
!       return 1;
      }
      if (strncmp(buf, "KK ", 3) != 0) {        /* not an auth-request */
        helperfail("illegal request received");
        warn("Illegal request received: '%s'\n", buf);
!       return 1;
      }
      /* At this point I'm sure it's a KK */
      decoded = base64_decode(buf + 3);
      if (!decoded) {           /* decoding failure, return error */
        authfail("-", "-", "Auth-format error, base64-decoding error");
!       return 1;
      }
      fast_header = (struct _ntlmhdr *) decoded;
  
      /* sanity-check: it IS a NTLMSSP packet, isn't it? */
      if (memcmp(fast_header->signature, "NTLMSSP", 8) != 0) {
        authfail("-", "-", "Broken NTLM packet, missing NTLMSSP signature");
!       return 1;
      }
      /* Understand what we got */
      switch le32toh(fast_header->type) {
      case NTLM_NEGOTIATE:
        authfail("-", "-", "Received neg-request while expecting auth packet");
!       return 1;
      case NTLM_CHALLENGE:
        authfail("-", "-", "Received challenge. Refusing to abide");
!       return 1;
      case NTLM_AUTHENTICATE:
        do_authenticate((ntlm_authenticate *) decoded,
            (strlen(buf) - 3) * 3 / 4);
!       return 1;
      default:
        helperfail("Unknown authentication packet type");
!       return 1;
      }
      /* notreached */
!     return 1;
  }
  
  static char *
***************
*** 410,418 ****
  check_winbindd()
  {
      NSS_STATUS r;
      struct winbindd_request request;
      struct winbindd_response response;
!     r = winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response);
      if (r != NSS_STATUS_SUCCESS) {
        warn("Can't contact winbindd. Dying\n");
        exit(1);
--- 407,420 ----
  check_winbindd()
  {
      NSS_STATUS r;
+     int retry=10;
      struct winbindd_request request;
      struct winbindd_response response;
!     do {
!       r = winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response);
!       if (r != NSS_STATUS_SUCCESS)
!           retry--; 
!     } while (r != NSS_STATUS_SUCCESS && retry);
      if (r != NSS_STATUS_SUCCESS) {
        warn("Can't contact winbindd. Dying\n");
        exit(1);
***************
*** 451,458 ****
      setbuf(stdout, NULL);
      setbuf(stderr, NULL);
      init_random();
!     while (1) {
!       manage_request(target_domain);
      }
      return 0;
  }
--- 453,460 ----
      setbuf(stdout, NULL);
      setbuf(stderr, NULL);
      init_random();
!     while (manage_request(target_domain)) {
!       /* everything is done within manage_request */
      }
      return 0;
  }