diff -Nur squid-3/bootstrap.sh squid-3-krb5/bootstrap.sh --- squid-3/bootstrap.sh 2008-11-05 01:10:41.000000000 +0000 +++ squid-3-krb5/bootstrap.sh 2009-08-30 16:38:03.000000000 +0100 @@ -108,8 +108,7 @@ for dir in \ "" \ - lib/libTrie \ - helpers/negotiate_auth/squid_kerb_auth + lib/libTrie do if [ -z "$dir" ] || [ -d $dir ]; then if ( diff -Nur squid-3/configure.in squid-3-krb5/configure.in --- squid-3/configure.in 2008-11-05 01:11:55.000000000 +0000 +++ squid-3-krb5/configure.in 2009-09-08 19:25:10.000000000 +0100 @@ -1626,15 +1626,6 @@ else AC_MSG_ERROR(Negotiate Auth helper $helper does not exist) fi - # Kerberos helper has its own configure system - if test "$srcdir/helpers/negotiate_auth/$helper/configure" ; then - if test $helper = squid_kerb_auth; then - AC_CONFIG_SUBDIRS(helpers/negotiate_auth/squid_kerb_auth) - else - echo "ERROR: configure.in needs to be extended to support $helper!" - exit 1 - fi - fi done echo "Negotiate auth helpers built: $NEGOTIATE_AUTH_HELPERS" fi @@ -1683,6 +1674,209 @@ fi AC_SUBST(DIGEST_AUTH_HELPERS) +dnl +dnl Check Kerberos/GSSAPI/SPNEGO +dnl +SAVED_CPPFLAGS=$CPPFLAGS +SAVED_LIBS=$LIBS +AC_ARG_WITH(krb5-config, + [ --with-krb5-config=PATH specify path to krb5-config @<:@default=detect@:>@], +[ if test "$withval" = "yes"; then + unset krb5confpath + elif test "$withval" != "no"; then + krb5confpath=$withval + else + krb5confpath=no + fi +]) +if test x"$krb5confpath" != xno; then + if test x"$krb5confpath" != x; then + if ! test -x "$krb5confpath"; then + AC_MSG_WARN([krb5-config '$krb5confpath' not executable, ignoring]) + AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no) + krb5confpath=krb5-config + fi + krb5_config_path=`dirname $krb5confpath` + AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no, $krb5_config_path) + else + AC_CHECK_PROG(ac_krb5_config,krb5-config,yes,no) + krb5confpath=krb5-config + fi +fi +if test "$ac_krb5_config" = "yes" ; then + ac_heimdal="`$krb5confpath --version 2>/dev/null | grep -i heimdal`" + ac_solaris="`$krb5confpath --version 2>/dev/null | grep -i solaris`" + if test "x$ac_heimdal" != "x" ; then + AC_DEFINE(HAVE_HEIMDAL_KERBEROS,1,[Define to 1 if you have Heimdal Kerberos]) + else + AC_DEFINE(HAVE_MIT_KERBEROS,1,[Define to 1 if you have MIT Kerberos]) + fi + if test "$ac_solaris" != "" ; then + KRB5INCS="`$krb5confpath --cflags krb5 2>/dev/null`" + KRB5LIBS="`$krb5confpath --libs krb5 2>/dev/null`" + KRB5INCS="-I/usr/include/gssapi $KRB5INCS" + KRB5LIBS="-L/usr/lib -R/usr/lib -lgss -lresolv -lsocket -lnsl $KRB5LIBS" + else + KRB5INCS=`$krb5confpath --cflags krb5 2>/dev/null` + KRB5LIBS=`$krb5confpath --libs krb5 2>/dev/null` + KRB5INCS="`$krb5confpath --cflags gssapi 2>/dev/null` $KRB5INCS" + KRB5LIBS="`$krb5confpath --libs gssapi 2>/dev/null` $KRB5LIBS" + fi + CPPFLAGS="$CPPFLAGS $KRB5INCS" + LIBS="$LIBS $KRB5LIBS" + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h) + if test "x$ac_heimdal" == "x" ; then + AC_CHECK_HEADERS(gssapi/gssapi_generic.h) + fi + AC_CHECK_HEADERS(krb5.h com_err.h) + AC_MSG_CHECKING([for max_skew in struct krb5_context]) +AC_TRY_COMPILE([ +#include + ], + [ krb5_context kc; kc->max_skew = 1; ], + [ AC_DEFINE(HAVE_MAX_SKEW_IN_KRB5_CONTEXT, 1, [Define to 1 if max_skew in struct krb5_context]) + AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) ] + ) + + if test "x$ac_heimdal" == "x" ; then + AC_CHECK_HEADERS(profile.h) + fi + AC_CHECK_LIB(com_err,error_message, + AC_DEFINE(HAVE_ERROR_MESSAGE,1,[Define to 1 if you have error_message]),) + AC_CHECK_LIB(krb5,krb5_get_err_text, + AC_DEFINE(HAVE_KRB5_GET_ERR_TEXT,1,[Define to 1 if you have krb5_get_err_text]),) + AC_CHECK_LIB(krb5,krb5_get_error_message, + AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE,1,[Define to 1 if you have krb5_get_error_message]),) + AC_CHECK_LIB(krb5,krb5_kt_free_entry, + AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1,[Define to 1 if you have krb5_kt_free_entry]),) + AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab, + AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1,[Define to 1 if you have krb5_get_init_creds_keytab]),) + AC_CHECK_LIB(krb5,krb5_get_max_time_skew, + AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1,[Define to 1 if you have krb5_get_max_time_skew]),) + AC_CHECK_LIB(krb5,krb5_get_profile, + AC_DEFINE(HAVE_KRB5_GET_PROFILE,1,[Define to 1 if you have krb5_get_profile]),) + AC_CHECK_LIB(krb5,profile_get_integer, + AC_DEFINE(HAVE_PROFILE_GET_INTEGER,1,[Define to 1 if you have profile_get_integer]),) + AC_CHECK_LIB(krb5,profile_release, + AC_DEFINE(HAVE_PROFILE_RELEASE,1,[Define to 1 if you have profile_release]),) + AC_MSG_CHECKING([for memory cache]) + AC_TRY_RUN([ +#include +main() +{ + krb5_context context; + krb5_ccache cc; + + krb5_init_context(&context); + return krb5_cc_resolve(context, "MEMORY:test_cache", &cc); +}], + [AC_DEFINE(HAVE_KRB5_MEMORY_CACHE,1, [Define to 1 if you have MEMORY: cache support]) + AC_MSG_RESULT(yes)], + AC_MSG_RESULT(no)) + + AC_MSG_CHECKING([for working gssapi]) + AC_TRY_RUN([ +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif + +#ifdef HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif + +#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif + +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#include +#endif +int +main(void) +{ + OM_uint32 val; + gss_OID_set set; + + gss_create_empty_oid_set(&val, &set); + + return 0; +} +], [AC_DEFINE(HAVE_GSSAPI, 1, [GSSAPI support]) + AC_MSG_RESULT(yes)], + AC_MSG_RESULT(no)) + AC_MSG_CHECKING([for spnego support]) + AC_TRY_RUN([ +#ifdef HAVE_HEIMDAL_KERBEROS +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif defined(HAVE_GSSAPI_H) +#include +#endif +#else +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#elif defined(HAVE_GSSAPI_H) +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#include +#endif +#endif +#include +int main(int argc, char *argv[]) { + OM_uint32 major_status,minor_status; + gss_OID_set gss_mech_set; + int i; + +static gss_OID_desc _gss_mech_spnego = {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; +gss_OID gss_mech_spnego = &_gss_mech_spnego; + + major_status = gss_indicate_mechs( &minor_status, &gss_mech_set); + + for (i=0;icount;i++) { + if (!memcmp(gss_mech_set->elements[i].elements,gss_mech_spnego->elements,gss_mech_set->elements[i].length)) { + return 0; + } + } + + return 1; +}], + [ac_cv_have_spnego=yes + AC_DEFINE(HAVE_SPNEGO,1, [Define to 1 if you have SPNEGO support]) + AC_MSG_RESULT(yes)], + [ac_cv_have_spnego=no + AC_MSG_RESULT(no)]) + AC_MSG_CHECKING([for working krb5]) + AC_TRY_RUN([ +#ifdef HAVE_KRB5_H +#include +#endif + +int +main(void) +{ + krb5_context context; + + krb5_init_context(&context); + + return 0; +} +], [AC_DEFINE(HAVE_KRB5, 1, [KRB5 support]) + AC_MSG_RESULT(yes)], + AC_MSG_RESULT(no)) + LIBS=$SAVED_LIBS + CPPFLAGS=$SAVED_CPPFLAGS + AC_SUBST(KRB5INCS) + AC_SUBST(KRB5LIBS) +fi +AM_CONDITIONAL(HAVE_SPNEGO, test x"$ac_cv_have_spnego" = x"yes" ) + dnl Enable "NTLM fail open" AC_ARG_ENABLE(ntlm-fail-open, AC_HELP_STRING([--enable-ntlm-fail-open], @@ -3814,6 +4008,7 @@ helpers/ntlm_auth/mswin_sspi/Makefile \ helpers/negotiate_auth/Makefile \ helpers/negotiate_auth/mswin_sspi/Makefile \ + helpers/negotiate_auth/squid_kerb_auth/Makefile \ helpers/external_acl/Makefile \ helpers/external_acl/ip_user/Makefile \ helpers/external_acl/ldap_group/Makefile \ diff -Nur squid-3/src/cf.data.pre squid-3-krb5/src/cf.data.pre --- squid-3/src/cf.data.pre 2008-11-05 01:10:51.000000000 +0000 +++ squid-3-krb5/src/cf.data.pre 2009-08-30 23:10:26.000000000 +0100 @@ -1602,7 +1602,7 @@ no-digest no-netdb-exchange no-delay - login=user:password | PASS | *:password + login=user:password | PASS | *:password | NEGOTIATE | NEGOTIATE:principal connect-timeout=nn digest-url=url allow-miss @@ -1725,6 +1725,16 @@ be used to identify this proxy to the peer, similar to the login=username:password option above. + use 'login=NEGOTIATE' if this is a personal/workgroup + proxy and your parent requires a secure proxy authentication. + The first principal from the default keytab or defined by + the environment variable KRB5_KTNAME will be used. + + use 'login=NEGOTIATE:principal_name' if this is a personal/workgroup + proxy and your parent requires a secure proxy authentication. + The principal principal_name from the default keytab or defined by + the environment variable KRB5_KTNAME will be used. + use 'connect-timeout=nn' to specify a peer specific connect timeout (also see the peer_connect_timeout directive) diff -Nur squid-3/src/http.cc squid-3-krb5/src/http.cc --- squid-3/src/http.cc 2008-11-05 01:10:51.000000000 +0000 +++ squid-3-krb5/src/http.cc 2009-08-30 13:12:18.000000000 +0100 @@ -1551,6 +1551,18 @@ } } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) { /* Nothing to do */ +#if HAVE_KRB5 && HAVE_GSSAPI + } else if (strncmp(orig_request->peer_login, "NEGOTIATE",strlen("NEGOTIATE")) == 0) { + char *Token=NULL; + char *PrincipalName=NULL,*p; + if ((p=strchr(orig_request->peer_login,':')) != NULL ) { + PrincipalName=++p; + } + Token = peer_proxy_negotiate_auth(PrincipalName,request->peer_host); + if (Token) { + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Negotiate %s",Token); + } +#endif /* HAVE_KRB5 && HAVE_GSSAPI */ } else { httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", base64_encode(orig_request->peer_login)); @@ -1900,6 +1912,7 @@ } mb.init(); + request->peer_host=_peer?_peer->host:NULL; buildRequestPrefix(request, orig_request, entry, &mb, flags); debugs(11, 6, "httpSendRequest: FD " << fd << ":\n" << mb.buf); comm_write_mbuf(fd, &mb, requestSender); diff -Nur squid-3/src/HttpRequest.h squid-3-krb5/src/HttpRequest.h --- squid-3/src/HttpRequest.h 2008-11-05 01:10:50.000000000 +0000 +++ squid-3-krb5/src/HttpRequest.h 2009-08-30 00:27:55.000000000 +0100 @@ -139,6 +139,8 @@ char *peer_login; /* Configured peer login:password */ + char *peer_host; /* Selected peer host*/ + time_t lastmod; /* Used on refreshes */ const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */ diff -Nur squid-3/src/Makefile.am squid-3-krb5/src/Makefile.am --- squid-3/src/Makefile.am 2008-11-05 01:10:50.000000000 +0000 +++ squid-3-krb5/src/Makefile.am 2009-08-30 00:31:20.000000000 +0100 @@ -215,6 +215,7 @@ INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)/lib/libTrie/include INCLUDES += -I$(top_builddir)/lib -I$(top_srcdir)/lib INCLUDES += @SQUID_CPPUNIT_INC@ +INCLUDES += @KRB5INCS@ EXTRA_PROGRAMS = \ DiskIO/DiskDaemon/diskd \ @@ -578,6 +579,7 @@ pconn.h \ PeerDigest.h \ peer_digest.cc \ + peer_proxy_negotiate_auth.cc \ peer_select.cc \ peer_sourcehash.cc \ peer_userhash.cc \ @@ -700,7 +702,8 @@ -lmiscutil \ @XTRA_LIBS@ \ @EPOLL_LIBS@ \ - @MINGW_LIBS@ + @MINGW_LIBS@ \ + @KRB5LIBS@ squid_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a \ @STORE_OBJS@ \ @STORE_LINKOBJS@ \ @@ -859,6 +862,7 @@ $(XPROF_STATS_SOURCE) \ pconn.cc \ peer_digest.cc \ + peer_proxy_negotiate_auth.cc \ peer_select.cc \ peer_sourcehash.cc \ peer_userhash.cc \ @@ -919,7 +923,8 @@ -lmiscutil \ @XTRA_LIBS@ \ @EPOLL_LIBS@ \ - @MINGW_LIBS@ + @MINGW_LIBS@ \ + @KRB5LIBS@ ufsdump_DEPENDENCIES = $(top_builddir)/lib/libmiscutil.a \ @STORE_OBJS@ \ @STORE_LINKOBJS@ \ diff -Nur squid-3/src/peer_proxy_negotiate_auth.cc squid-3-krb5/src/peer_proxy_negotiate_auth.cc --- squid-3/src/peer_proxy_negotiate_auth.cc 1970-01-01 01:00:00.000000000 +0100 +++ squid-3-krb5/src/peer_proxy_negotiate_auth.cc 2009-09-08 19:44:28.000000000 +0100 @@ -0,0 +1,549 @@ +/* + * ----------------------------------------------------------------------------- + * + * Author: Markus Moeller (markus_moeller at compuserve.com) + * + * Copyright (C) 2007 Markus Moeller. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. + * + * ----------------------------------------------------------------------------- + */ +/* + * Hosted at http://sourceforge.net/projects/squidkerbauth + */ + +#include + +#if HAVE_KRB5 && HAVE_GSSAPI +#ifdef __cplusplus +extern "C" +{ +#endif + +#if HAVE_PROFILE_H +#include +#endif /* HAVE_PROFILE_H */ +#if HAVE_KRB5_H +#include +#endif /* HAVE_KRB5_H */ +#if HAVE_COM_ERR_H +#include +#elif HAVE_ET_COM_ERR_H +#include +#endif /* HAVE_COM_ERR_H */ + +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif /* HAVE_GSSAPI_H */ +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_EXT_H */ +#if HAVE_GSSAPI_GSSAPI_KRB5_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */ +#if HAVE_GSSAPI_GSSAPI_GENERIC_H +#include +#endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ + +#ifndef gss_nt_service_name +#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE +#endif + +#if !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERR_TEXT +#define error_message(code) krb5_get_err_text(kparam.context,code) +#elif !HAVE_ERROR_MESSAGE && HAVE_KRB5_GET_ERROR_MESSAGE +#define error_message(code) krb5_get_error_message(kparam.context,code) +#elif !HAVE_ERROR_MESSAGE +static char err_code[17]; + const char *KRB5_CALLCONV error_message(long code) + { + snprintf(err_code,16,"%ld",code); + return err_code; + } +#endif + +#ifndef gss_mech_spnego + static gss_OID_desc _gss_mech_spnego = + { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; + gss_OID gss_mech_spnego = &_gss_mech_spnego; +#endif + +#if HAVE_NAS_KERBEROS +#include + const char *KRB5_CALLCONV error_message(long code) + { + char *msg = NULL; + krb5_svc_get_msg(code, &msg); + return msg; + } +#endif + +/* + * Kerberos context and cache structure + * Caches authentication details to reduce + * number of authentication requests to kdc + */ + static struct kstruct + { + krb5_context context; + krb5_ccache cc; + } kparam = { + NULL, NULL}; + +/* + * krb5_create_cache creates a Kerberos file credential cache or a memory + * credential cache if supported. The initial key for the principal + * principal_name is extracted from the keytab keytab_filename. + * + * If keytab_filename is NULL the default will be used. + * If principal_name is NULL the first working entry of the keytab will be used. + */ + int krb5_create_cache(char *keytab_filename, char *principal_name); + +/* + * krb5_cleanup clears used Keberos memory + */ + void krb5_cleanup(void); + +/* + * check_gss_err checks for gssapi error codes, extracts the error message + * and prints it. + */ + int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, + const char *function); + + int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, + const char *function) + { + if (GSS_ERROR(major_status)) { + OM_uint32 maj_stat, min_stat; + OM_uint32 msg_ctx = 0; + gss_buffer_desc status_string; + char buf[1024]; + size_t len; + + len = 0; + msg_ctx = 0; + while (!msg_ctx) { + /* convert major status code (GSS-API error) to text */ + maj_stat = gss_display_status(&min_stat, major_status, + GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length + 1) { + memcpy(buf + len, status_string.value, + status_string.length); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + if (sizeof(buf) > len + 2) { + strcpy(buf + len, ". "); + len += 2; + } + msg_ctx = 0; + while (!msg_ctx) { + /* convert minor status code (underlying routine error) to text */ + maj_stat = gss_display_status(&min_stat, minor_status, + GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length) { + memcpy(buf + len, status_string.value, + status_string.length); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + debugs(11, 5, HERE << function << "failed: " << buf); + return (1); + } + return (0); + } + + void krb5_cleanup() + { + debugs(11, 5, HERE << "Cleanup kerberos context"); + if (kparam.context) { + if (kparam.cc) + krb5_cc_destroy(kparam.context, kparam.cc); + kparam.cc = NULL; + krb5_free_context(kparam.context); + kparam.context = NULL; + } + } + + int krb5_create_cache(char *kf, char *pn) + { + +#define KT_PATH_MAX 256 +#define MAX_RENEW_TIME "365d" +#define DEFAULT_SKEW (krb5_deltat) 600 + + static char *keytab_filename = NULL, *principal_name = NULL; + static krb5_keytab keytab = 0; + static krb5_keytab_entry entry; + static krb5_kt_cursor cursor; + static krb5_creds *creds = NULL; +#if HAVE_HEIMDAL_KERBEROS + static krb5_creds creds2; +#endif + static krb5_principal principal = NULL; + static krb5_deltat skew; + + krb5_get_init_creds_opt options; + krb5_error_code code = 0; + krb5_deltat rlife; +#if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE + profile_t profile; +#endif +#if HAVE_HEIMDAL_KERBEROS + krb5_kdc_flags flags; + krb5_realm *client_realm; +#endif + char *mem_cache; + + restart: +/* + * Check if credentials need to be renewed + */ + if (creds && + (creds->times.endtime - time(0) > skew) && + (creds->times.renew_till - time(0) > 2 * skew)) { + if (creds->times.endtime - time(0) < 2 * skew) { +#if !HAVE_HEIMDAL_KERBEROS + /* renew ticket */ + code = + krb5_get_renewed_creds(kparam.context, creds, principal, + kparam.cc, NULL); +#else + /* renew ticket */ + flags.i = 0; + flags.b.renewable = flags.b.renew = 1; + + code = + krb5_cc_get_principal(kparam.context, kparam.cc, + &creds2.client); + if (code) { + debugs(11, 5, + HERE << + "Error while getting principal from credential cache : " + << error_message(code)); + return (1); + } + client_realm = krb5_princ_realm(kparam.context, creds2.client); + code = + krb5_make_principal(kparam.context, &creds2.server, + *client_realm, KRB5_TGS_NAME, *client_realm, NULL); + if (code) { + debugs(11, 5, + HERE << "Error while getting krbtgt principal : " << + error_message(code)); + return (1); + } + code = + krb5_get_kdc_cred(kparam.context, kparam.cc, flags, NULL, + NULL, &creds2, &creds); + krb5_free_creds(kparam.context, &creds2); +#endif + if (code) { + if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) { + krb5_free_creds(kparam.context, creds); + creds = NULL; + /* this can happen because of clock skew */ + goto restart; + } + debugs(11, 5, + HERE << "Error while get credentials : " << + error_message(code)); + return (1); + } + } + } else { + /* reinit */ + if (!kparam.context) { + code = krb5_init_context(&kparam.context); + if (code) { + debugs(11, 5, + HERE << "Error while initialising Kerberos library : " + << error_message(code)); + return (1); + } + } +#if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE + code = krb5_get_profile(kparam.context, &profile); + if (code) { + if (profile) + profile_release(profile); + debugs(11, 5, + HERE << "Error while getting profile : " << + error_message(code)); + return (1); + } + code = + profile_get_integer(profile, "libdefaults", "clockskew", 0, + 5 * 60, &skew); + if (profile) + profile_release(profile); + if (code) { + debugs(11, 5, + HERE << "Error while getting clockskew : " << + error_message(code)); + return (1); + } +#elif HAVE_KRB5_GET_MAX_TIME_SKEW && HAVE_HEIMDAL_KERBEROS + skew = krb5_get_max_time_skew(kparam.context); +#elif HAVE_MAX_SKEW_IN_KRB5_CONTEXT && HAVE_HEIMDAL_KERBEROS + skew = kparam.context->max_skew; +#else + skew = DEFAULT_SKEW; +#endif + + if (!kf) { + char buf[KT_PATH_MAX], *p; + + krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX); + p = strchr(buf, ':'); + if (p) + p++; + if (keytab_filename) + xfree(keytab_filename); + keytab_filename = xstrdup(p ? p : buf); + } else { + keytab_filename = xstrdup(kf); + } + + code = krb5_kt_resolve(kparam.context, keytab_filename, &keytab); + if (code) { + debugs(11, 5, + HERE << "Error while resolving keytab filename " << + keytab_filename << " : " << error_message(code)); + return (1); + } + + if (!pn) { + code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor); + if (code) { + debugs(11, 5, + HERE << "Error while starting keytab scan : " << + error_message(code)); + return (1); + } + code = + krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor); + krb5_copy_principal(kparam.context, entry.principal, + &principal); + if (code && code != KRB5_KT_END) { + debugs(11, 5, + HERE << "Error while scanning keytab : " << + error_message(code)); + return (1); + } + + code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor); + if (code) { + debugs(11, 5, + HERE << "Error while ending keytab scan : " << + error_message(code)); + return (1); + } +#if HAVE_HEIMDAL_KERBEROS || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) + code = krb5_kt_free_entry(kparam.context, &entry); +#else + code = krb5_free_keytab_entry_contents(kparam.context, &entry); +#endif + if (code) { + debugs(11, 5, + HERE << "Error while freeing keytab entry : " << + error_message(code)); + return (1); + } + + } else { + principal_name = xstrdup(pn); + } + + if (!principal) { + code = + krb5_parse_name(kparam.context, principal_name, &principal); + if (code) { + debugs(11, 5, + HERE << "Error while parsing principal name " << + principal_name << " : " << error_message(code)); + return (1); + } + } + + creds = (krb5_creds *) xmalloc(sizeof(*creds)); + memset(creds, 0, sizeof(*creds)); + krb5_get_init_creds_opt_init(&options); + code = krb5_string_to_deltat((char *) MAX_RENEW_TIME, &rlife); + if (code != 0 || rlife == 0) { + debugs(11, 5, + HERE << "Error bad lifetime value " << MAX_RENEW_TIME << + " : " << error_message(code)); + return (1); + } + krb5_get_init_creds_opt_set_renew_life(&options, rlife); + + code = + krb5_get_init_creds_keytab(kparam.context, creds, principal, + keytab, 0, NULL, &options); + if (code) { + debugs(11, 5, + HERE << + "Error while initializing credentials from keytab : " << + error_message(code)); + return (1); + } +#if !HAVE_KRB5_MEMORY_CACHE + mem_cache = + (char *) xmalloc(strlen("FILE:/tmp/peer_proxy_negotiate_auth_") + + 16); + snprintf(mem_cache, + strlen("FILE:/tmp/peer_proxy_negotiate_auth_") + 16, + "FILE:/tmp/peer_proxy_negotiate_auth_%d", (int) getpid()); +#else + mem_cache = + (char *) xmalloc(strlen("MEMORY:peer_proxy_negotiate_auth_") + + 16); + snprintf(mem_cache, + strlen("MEMORY:peer_proxy_negotiate_auth_") + 16, + "MEMORY:peer_proxy_negotiate_auth_%d", (int) getpid()); +#endif + + setenv("KRB5CCNAME", mem_cache, 1); + code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc); + if (mem_cache) + xfree(mem_cache); + if (code) { + debugs(11, 5, + HERE << "Error while resolving memory credential cache : " + << error_message(code)); + return (1); + } + code = krb5_cc_initialize(kparam.context, kparam.cc, principal); + if (code) { + debugs(11, 5, + HERE << + "Error while initializing memory credential cache : " << + error_message(code)); + return (1); + } + code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); + if (code) { + debugs(11, 5, + HERE << "Error while storing credentials : " << + error_message(code)); + return (1); + } + + if (!creds->times.starttime) + creds->times.starttime = creds->times.authtime; + } + return (0); + } + +/* + * peer_proxy_negotiate_auth gets a GSSAPI token for principal_name + * and base64 encodes it. + */ + char *peer_proxy_negotiate_auth(char *principal_name, char *proxy) + { + int rc = 0; + OM_uint32 major_status, minor_status; + gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; + gss_name_t server_name = GSS_C_NO_NAME; + gss_buffer_desc service = GSS_C_EMPTY_BUFFER; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; + char *token = NULL; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + + if (!proxy) { + debugs(11, 5, HERE << "Error : No proxy server name"); + return NULL; + } + + if (principal_name) + debugs(11, 5, + HERE << "Creating credential cache for " << principal_name); + else + debugs(11, 5, HERE << "Creating credential cache"); + rc = krb5_create_cache(NULL, principal_name); + if (rc) { + debugs(11, 5, HERE << "Error : Failed to create Kerberos cache"); + krb5_cleanup(); + return NULL; + } + + service.value = (void *) xmalloc(strlen("HTTP") + strlen(proxy) + 2); + snprintf((char *) service.value, strlen("HTTP") + strlen(proxy) + 2, + "%s@%s", "HTTP", proxy); + service.length = strlen((char *) service.value); + + debugs(11, 5, HERE << "Import gss name"); + major_status = gss_import_name(&minor_status, &service, + gss_nt_service_name, &server_name); + + if (check_gss_err(major_status, minor_status, "gss_import_name()")) + goto cleanup; + + debugs(11, 5, HERE << "Initialize gss security context"); + major_status = gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &gss_context, + server_name, + gss_mech_spnego, + 0, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, NULL, &output_token, NULL, NULL); + + if (check_gss_err(major_status, minor_status, "gss_init_sec_context()")) + goto cleanup; + + debugs(11, 5, HERE << "Got token with length " << output_token.length); + if (output_token.length) { + + token = + (char *) base64_encode_bin((const char *) output_token.value, + output_token.length); + } + + + cleanup: + gss_delete_sec_context(&minor_status, &gss_context, NULL); + gss_release_buffer(&minor_status, &service); + gss_release_buffer(&minor_status, &input_token); + gss_release_buffer(&minor_status, &output_token); + gss_release_name(&minor_status, &server_name); + + return token; + } + +#ifdef __cplusplus +} +#endif +#endif /* HAVE_KRB5 && HAVE_GSSAPI */ diff -Nur squid-3/src/protos.h squid-3-krb5/src/protos.h --- squid-3/src/protos.h 2008-11-05 01:10:51.000000000 +0000 +++ squid-3-krb5/src/protos.h 2009-08-30 01:27:07.000000000 +0100 @@ -817,4 +817,8 @@ #endif +#if HAVE_KRB5 && HAVE_GSSAPI + /* upstream proxy authentication */ + SQUIDCEXTERN char *peer_proxy_negotiate_auth(char *principal_name, char *proxy); +#endif #endif /* SQUID_PROTOS_H */ diff -Nur squid-3/src/tunnel.cc squid-3-krb5/src/tunnel.cc --- squid-3/src/tunnel.cc 2008-11-05 01:10:52.000000000 +0000 +++ squid-3-krb5/src/tunnel.cc 2009-08-30 00:36:22.000000000 +0100 @@ -736,6 +736,7 @@ tunnelState->servers = fs; tunnelState->host = fs->_peer ? fs->_peer->host : xstrdup(request->GetHost()); + request->peer_host = fs->_peer ? fs->_peer->host : NULL; if (fs->_peer == NULL) { tunnelState->port = request->port;