And a slightly better cleaned-up patch.

Basically it boils down to a different form of AF/NA responses: the
negotiate/kerberos responses include a blob that needs to be sent to
the requesting client, while ntlm just has the username or message in the
helper response.

Regards
Henrik


lör 2011-12-17 klockan 03:12 +0100 skrev Henrik Nordström:

> Attached is a patch showing the tiny differences between Negotiate and
> NTLM in the 3.0 sources.
> 
> Have not attempted doing the same in later sources, as I expect they have
> drifted further apart there after being restructured a bit.
> 
> Regards
> Henrik

diff -u negotiate/auth_scheme.cc ntlm/auth_scheme.cc
--- negotiate/auth_scheme.cc	2011-12-17 03:22:50.049879582 +0100
+++ ntlm/auth_scheme.cc	2011-12-17 03:21:09.427090943 +0100
@@ -266,28 +266,6 @@
     return -2;
 }
 
-/* add the [proxy]authorisation header */
-void
-AuthSCHEMEUserRequest::addHeader(HttpReply * rep, int accel)
-{
-    http_hdr_type type;
-
-    if (!server_blob)
-        return;
-
-    /* don't add to authentication error pages */
-
-    if ((!accel && rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED)
-            || (accel && rep->sline.status == HTTP_UNAUTHORIZED))
-        return;
-
-    type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
-
-    httpHeaderPutStrf(&rep->header, type, "SCHEME %s", server_blob);
-
-    safe_free(server_blob);
-}
-
 void
 AuthSCHEMEConfig::fixHeader(AuthUserRequest *auth_user_request, HttpReply *rep, http_hdr_type type, HttpRequest * request)
 {
@@ -328,17 +306,7 @@
             /* Special case: authentication finished OK but disallowed by ACL.
              * Need to start over to give the client another chance.
              */
-
-            if (scheme_request->server_blob) {
-                debugs(29, 9, "authenticateSCHEMEFixErrorHeader: Sending type:" << type << " header: 'SCHEME " << scheme_request->server_blob << "'");
-                httpHeaderPutStrf(&rep->header, type, "SCHEME %s", scheme_request->server_blob);
-                safe_free(scheme_request->server_blob);
-            } else {
-                debugs(29, 9, "authenticateSCHEMEFixErrorHeader: Connection authenticated");
-                httpHeaderPutStrf(&rep->header, type, "SCHEME");
-            }
-
-            break;
+            /* fall through */
 
         case AUTHENTICATE_STATE_NONE:
             /* semantic change: do not drop the connection.
@@ -373,7 +341,7 @@
     authenticateStateData *r = static_cast<authenticateStateData *>(data);
 
     int valid;
-    char *blob, *arg = NULL;
+    char *blob;
 
     AuthUserRequest *auth_user_request;
     AuthUser *auth_user;
@@ -419,17 +387,11 @@
     /* seperate out the useful data */
     blob = strchr(reply, ' ');
 
-    if (blob) {
+    if (blob)
         blob++;
-        arg = strchr(blob + 1, ' ');
-    } else {
-        arg = NULL;
-    }
 
     if (strncasecmp(reply, "TT ", 3) == 0) {
         /* we have been given a blob to send to the client */
-        if (arg)
-            *arg++ = '\0';
         safe_free(scheme_request->server_blob);
         scheme_request->request->flags.must_keepalive = 1;
         if (scheme_request->request->flags.proxy_keepalive) {
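Review bot: The new side's `if (blob) blob++;` leaves `blob` NULL whenever the helper reply contains no space, and nothing in this hunk says why the branches below may still pass `blob` on. It holds only because every prefix compared in the chain (`"TT "`, `"AF "`, `"NA "`, `"BH "`) includes the trailing space, so a matching reply always has a non-NULL `blob`; that invariant is implicit and easy to break by adding a spaceless prefix later, so it is worth recording where `blob` is advanced, e.g. `/* blob is non-NULL in every branch below: each prefix test includes the trailing space */`. The enclosing reply handler starts and ends outside the hunk.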
@@ -441,22 +403,13 @@
             scheme_request->auth_state = AUTHENTICATE_STATE_FAILED;
             auth_user_request->denyMessage("SCHEME authentication requires a persistent connection");
         }
-    } else if (strncasecmp(reply, "AF ", 3) == 0 && arg != NULL) {
+    } else if (strncasecmp(reply, "AF ", 3) == 0) {
         /* we're finished, release the helper */
-
-        if (arg)
-            *arg++ = '\0';
-
-        scheme_user->username(arg);
-
+        scheme_user->username(blob);
         auth_user_request->denyMessage("Login successful");
-
         safe_free(scheme_request->server_blob);
 
-        scheme_request->server_blob = xstrdup(blob);
-
         debugs(29, 4, "authenticateSCHEMEHandleReply: Successfully validated user via SCHEME. Username '" << blob << "'");
-
         /* connection is authenticated */
         debugs(29, 4, "AuthSCHEMEUserRequest::authenticate: authenticated user " << scheme_user->username());
         /* see if this is an existing user with a different proxy_auth
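Review bot: On the new side the AF branch hands `scheme_user->username(blob)` whatever follows `"AF "`, including an empty string when the helper sends nothing after the space, and then continues into the "connection is authenticated" path; the negotiate side at least required a second token via `arg != NULL`. Unless username() rejects an empty name (not visible here), a malformed or truncated helper reply could yield a successfully authenticated request with no username, so keeping a non-empty check in the condition, `} else if (strncasecmp(reply, "AF ", 3) == 0 && *blob != '\0') {`, would send that case down the same path as any other unrecognised reply, mirroring the guard the negotiate side had. The NA branch in the next hunk has the same shape, but there an empty `blob` only produces an empty deny message, so it matters less. The enclosing reply handler starts and ends outside the hunk.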
@@ -483,23 +436,12 @@
         local_auth_user->expiretime = current_time.tv_sec;
         authenticateSCHEMEReleaseServer(scheme_request);
 	scheme_request->auth_state = AUTHENTICATE_STATE_DONE;
-
-    } else if (strncasecmp(reply, "NA ", 3) == 0 && arg != NULL) {
+    } else if (strncasecmp(reply, "NA ", 3) == 0) {
         /* authentication failure (wrong password, etc.) */
-
-        if (arg)
-            *arg++ = '\0';
-
-        auth_user_request->denyMessage(arg);
-
+        auth_user_request->denyMessage(blob);
         scheme_request->auth_state = AUTHENTICATE_STATE_FAILED;
-
         safe_free(scheme_request->server_blob);
-
-        scheme_request->server_blob = xstrdup(blob);
-
         authenticateSCHEMEReleaseServer(scheme_request);
-
         debugs(29, 4, "authenticateSCHEMEHandleReply: Failed validating user via SCHEME. Error returned '" << blob << "'");
     } else if (strncasecmp(reply, "BH ", 3) == 0) {
         /* TODO kick off a refresh process. This can occur after a YR or after
diff -u negotiate/auth_scheme.h ntlm/auth_scheme.h
--- negotiate/auth_scheme.h	2011-12-17 03:14:08.323570851 +0100
+++ ntlm/auth_scheme.h	2011-12-17 03:13:35.124351401 +0100
@@ -67,8 +67,6 @@
 
     virtual const AuthUser *user() const {return _theUser;}
 
-    virtual void addHeader(HttpReply * rep, int accel);
-
     virtual void user (AuthUser *aUser) {_theUser=dynamic_cast<SCHEMEUser *>(aUser);}
 
     virtual const char * connLastHeader();
