Patch file generated Mon Apr 30 20:21:11  2001 from
CVS branch cygwin
CVS repository: rbcollins@cvs.squid.sourceforge.net:/cvsroot/squid
CVS module: squid/src/auth/basic/helpers

Index: squid/src/auth/basic/helpers/win32_locallogon/Makefile.in
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/Makefile.in:1.1.2.2
--- /dev/null		Thu Jan  1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/Makefile.in	Mon Apr 30 03:07:06 2001
@@ -0,0 +1,96 @@
+#
+#  Makefile for the Squid Object Cache server
+#
+#  $Id$
+#
+#  Uncomment and customize the following to suit your needs:
+#
+
+prefix		= @prefix@
+exec_prefix	= @exec_prefix@
+exec_suffix	= @exec_suffix@
+cgi_suffix	= @cgi_suffix@
+top_srcdir	= @top_srcdir@
+bindir		= @bindir@
+libexecdir      = @libexecdir@
+sysconfdir	= @sysconfdir@
+localstatedir   = @localstatedir@
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+# Gotta love the DOS legacy
+#
+AUTH_EXE	= NT_auth$(exec_suffix)
+
+CC		= @CC@
+MAKEDEPEND	= @MAKEDEPEND@
+INSTALL		= @INSTALL@
+INSTALL_BIN 	= @INSTALL_PROGRAM@
+INSTALL_FILE 	= @INSTALL_DATA@
+INSTALL_SUID	= @INSTALL_PROGRAM@ -o root -m 4755
+RANLIB		= @RANLIB@
+LN_S		= @LN_S@
+PERL            = @PERL@
+CRYPTLIB	= @CRYPTLIB@
+REGEXLIB	= @REGEXLIB@
+PTHREADLIB	= @PTHREADLIB@
+SNMPLIB		= @SNMPLIB@
+MALLOCLIB	= @LIB_MALLOC@
+AC_CFLAGS	= @CFLAGS@
+LDFLAGS		= @LDFLAGS@
+XTRA_LIBS	= @XTRA_LIBS@
+XTRA_OBJS 	= @XTRA_OBJS@
+MV		= @MV@
+RM		= @RM@
+SHELL		= /bin/sh
+DEFINES		= 
+
+INCLUDE		= -I. -I../../../../../include -I$(top_srcdir)/include -I$(top_srcdir)/src
+CFLAGS 		= $(AC_CFLAGS) $(INCLUDE) $(DEFINES)
+AUTH_LIBS	= $(XTRA_LIBS) -lnetapi32
+
+LIBPROGS        = $(AUTH_EXE)
+OBJS	 	= NT_auth.o valid.o
+
+all:    $(AUTH_EXE)
+
+$(AUTH_EXE): $(OBJS)
+	$(CC) $(LDFLAGS) $(OBJS) -o $@ $(AUTH_LIBS)
+
+install-mkdirs:
+	-@if test ! -d $(prefix); then \
+		echo "mkdir $(prefix)"; \
+		mkdir $(prefix); \
+	fi
+	-@if test ! -d $(libexecdir); then \
+		echo "mkdir $(libexecdir)"; \
+		mkdir $(libexecdir); \
+	fi
+
+# Michael Lupp <mike@nemesis.saar.de> wants to know about additions
+# to the install target.
+install: all install-mkdirs
+	@for f in $(LIBPROGS); do \
+		if test -f $(libexecdir)/$$f; then \
+			echo $(MV) $(libexecdir)/$$f $(libexecdir)/-$$f; \
+			$(MV) $(libexecdir)/$$f $(libexecdir)/-$$f; \
+		fi; \
+		echo $(INSTALL_BIN) $$f $(libexecdir); \
+		$(INSTALL_BIN) $$f $(libexecdir); \
+		if test -f $(libexecdir)/-$$f; then \
+			echo $(RM) -f $(libexecdir)/-$$f; \
+			$(RM) -f $(libexecdir)/-$$f; \
+		fi; \
+	done
+
+clean: 
+	-rm -rf *.o *pure_* core $(PROGS)
+
+distclean:	clean
+	-rm -f Makefile
+
+tags:
+	ctags *.[ch]
+
+depend:
+	$(MAKEDEPEND) -fMakefile *.c
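Review bot: The `clean` rule removes `$(PROGS)`, but this Makefile only defines `LIBPROGS` and `AUTH_EXE`, so the built helper binary survives `make clean`; the rule should read `-rm -rf *.o *pure_* core $(AUTH_EXE)`. `INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755` is defined but never used by any target here. Since this helper handles user passwords, I would drop that variable rather than leave a setuid-root install recipe one edit away from being wired in.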
Index: squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c:1.1.2.2
--- /dev/null		Thu Jan  1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c	Mon Apr 30 03:20:19 2001
@@ -0,0 +1,154 @@
+/*
+  NT_auth -  Version 1.1
+
+  Modified to act as a Squid authenticator module.
+  Can run as dll on NT native port.
+  Removed all Pike stuff.
+  Returns OK for a successful authentication, or ERR upon error.
+
+  Guido Serassio, Torino - Italy
+  Sun Dec 10 22:24:26 CST 2000
+
+  Uses code from -
+    Antonino Iannella 2000
+    Andrew Tridgell 1997
+    Richard Sharpe 1996
+    Bill Welliver 1999
+
+  Released under GNU Public License
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "squid.h"
+#include "valid.h"
+
+/* Main program for simple authentication.
+   Scans and checks for Squid input, and attempts to validate the user.
+*/
+
+#if defined (_SQUID_CYGWIN_)
+static char NTGroup[256];
+
+int
+main(int argc, char **argv)
+#elif defined (_SQUID_MSWIN_)
+typedef struct
+{
+    void *data;
+    acl_proxy_auth_user *auth_user;
+    RH *handler;
+}
+authenticateStateData;
+
+static char *NTGroup = NULL;
+BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason,
+    LPVOID reserved /* Not used. */ );
+
+__declspec(dllexport)
+     int Authenticate(char *username, char *password,
+    authenticateStateData * data, HLPCB callback)
+#else
+#error NON WINDOWS PLATFORM
+#endif
+{
+#if defined(_SQUID_CYGWIN_)
+    char wstr[256];
+    char username[256];
+    char password[256];
+    char *p;
+
+    if (argc != 2) {
+	fprintf(stderr, "Usage: NT_auth <NT Group>\n");
+	exit(1);
+    }
+    strcpy(NTGroup, argv[1]);
+    while (1) {
+	/* Read whole line from standard input. Terminate on break. */
+	if (fgets(wstr, 255, stdin) == NULL)
+	    break;
+	if ((p = strchr(wstr, '\n')) != NULL)
+	    *p = '\0';		/* strip \n */
+	if ((p = strchr(wstr, '\r')) != NULL)
+	    *p = '\0';		/* strip \r */
+	/* Clear any current settings */
+	username[0] = '\0';
+	password[0] = '\0';
+	sscanf(wstr, "%s %s", username, password);	/* Extract parameters */
+#endif
+	/* Check for invalid or blank entries */
+	if ((username[0] == '\0') || (password[0] == '\0')) {
+#if defined(_SQUID_CYGWIN_)
+	    puts("ERR");
+	    fflush(stdout);
+	    continue;
+#else
+	    (callback) (data, "ERR");
+	    return 0;
+#endif
+	}
+	if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR)
+#if defined(_SQUID_CYGWIN_)
+	    puts("OK");
+#else
+	    (callback) (data, "OK");
+#endif
+	else
+#if defined(_SQUID_CYGWIN_)
+	    puts("ERR");
+	fflush(stdout);
+#else
+	    (callback) (data, "ERR");
+#endif
+    }
+    return 0;
+}
+
+/* Valid_User return codes -
+
+   0 - User authenticated successfully.
+   1 - Server error.
+   2 - Protocol error.
+   3 - Logon error; Incorrect password or username given.
+*/
+
+#ifndef _SQUID_CYGWIN_
+
+__declspec(dllexport)
+     int Init(char *Group)
+{
+    if (NTGroup)
+	xfree(NTGroup);
+    NTGroup = xstrdup(Group);
+    return 0;
+}
+BOOL APIENTRY
+DllMain(HINSTANCE hInst /* Library instance handle. */ ,
+    DWORD reason /* Reason this function is being called. */ ,
+    LPVOID reserved /* Not used. */ )
+{
+    switch (reason) {
+    case DLL_PROCESS_ATTACH:
+	break;
+    case DLL_PROCESS_DETACH:
+	break;
+    case DLL_THREAD_ATTACH:
+	break;
+    case DLL_THREAD_DETACH:
+	break;
+    }
+    return TRUE;
+}
+#endif
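Review bot: In the Cygwin loop, `fgets(wstr, 255, stdin)` hands back a request longer than 254 bytes in pieces, and each piece is then parsed and answered as if it were its own request, so the helper's replies can fall out of step with what Squid asked. The loop should treat a line without a trailing newline as over-long, discard the remainder and answer `ERR` exactly once, as sketched below. Separately, `strcpy(NTGroup, argv[1])` copies the group argument into a 256-byte static buffer with no length check; rejecting `strlen(argv[1]) >= sizeof(NTGroup)` alongside the usage test would close that. The unconditional `}` before `return 0;` pairs with a `while (1) {` that exists only under `_SQUID_CYGWIN_`, so the `_SQUID_MSWIN_` build looks unbalanced and is worth compiling before merge.

```c
	if (fgets(wstr, 255, stdin) == NULL)
	    break;
	if ((p = strchr(wstr, '\n')) == NULL) {
	    /* Over-long request: drop the rest of the line and reply once. */
	    int c;
	    while ((c = getchar()) != EOF && c != '\n')
		;
	    puts("ERR");
	    fflush(stdout);
	    continue;
	}
	*p = '\0';		/* strip \n */
	/* … unchanged: \r stripping, sscanf, Valid_User call … */
```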
Index: squid/src/auth/basic/helpers/win32_locallogon/README.txt
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/README.txt:1.1.2.1
--- /dev/null		Thu Jan  1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/README.txt	Mon Apr 30 02:47:14 2001
@@ -0,0 +1,77 @@
+This is a simple authentication module for the Squid proxy server running on Windows NT
+compiled with CygWin to authenticate users on an NT domain in native WIN32 mode.
+
+Usage is simple. It accepts a username and password on standard input
+and will return OK if the username/password is valid for the domain/machine,
+or ERR if there was some problem.
+It's possible to authenticate against NT trusted domains specifyng the username 
+in the domain\username Microsoft notation. 
+
+This is released under the GNU General Public License and
+is available from http://serassio.interfree.it.
+
+Allowing Users -
+
+Users that are allowed to access the web proxy must have the Windows NT
+User Rights "logon from the network" and must be included in the NT LOCAL User Group 
+specified in the Authenticator's command line. 
+This can be accomplished creating a local user group on the NT machine, grant the privilege,
+and adding users to it.
+
+The squid process must have the NT User Rights "Act as part of the operating system",
+this is true if squid runs as a service with LocalSystem Account.
+
+Installation -
+
+Type 'make', then 'make install', then 'make clean'.
+
+The default is to install 'nt_auth' into /usr/local/squid/bin.
+
+Refer to Squid documentation for the required changes to squid.conf.
+You will need to set the following line to enable the authenticator:
+
+authenticate_program /usr/local/squid/bin/NT_auth <yourNTgroup>
+
+You will need to set the following lines to enable authentication for
+your access list -
+
+  acl <yourACL> proxy_auth REQUIRED
+  http_access allow <yourACL>
+
+You will need to specify the absolute path to NT_auth in the 
+authenticate_program directive, and check the authenticate_children
+and authenticate_ttl.
+
+Compilation issues -
+
+The Makefile assumes that GCC is in the current PATH.
+NT_auth compile ONLY on CygWin Environment or MS VC++.
+
+Note: Under MS VC++ this package compile as a dll, an work only with my release 
+of native NT Squid 2.3 Stable4 port.
+
+Testing -
+
+I strongly urge that NT_auth is tested prior to being used in a 
+production environment. It may behave differently on different platforms.
+To test it, run it from the command line. Enter username and password
+pairs separated by a space. Press ENTER to get an OK or ERR message.
+Make sure pressing <CTRL><D> behaves the same as a carriage return.
+Make sure pressing <CTRL><C> aborts the program.
+
+NOTE: the NT user running the NT_auth module, must have the NT User Rights
+"Act as part of the operating system".
+
+Test that entering no details does not result in an OK or ERR message.
+Test that entering an invalid username and password results in an ERR message.
+Note that if NT guest user access is allowed on the PDC, an OK message
+may be returned instead of ERR.
+Test that entering an valid username and password results in an OK message.
+Test that entering a guest username and password returns the correct
+response for the site's access policy.
+
+Contact details -
+
+To contact the maintainer of this package, email Guido Serassio
+on serassio@interfree.it.
+The latest version may be found on http://serassio.interfree.it/SquidNT.htm.
Index: squid/src/auth/basic/helpers/win32_locallogon/valid.c
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/valid.c:1.1.2.1
--- /dev/null		Thu Jan  1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/valid.c	Mon Apr 30 02:47:14 2001
@@ -0,0 +1,99 @@
+#include "squid.h"
+#include <assert.h>
+#if defined(_SQUID_CYGWIN_)
+#include <wchar.h>
+#endif
+#include <windows.h>
+#include <lm.h>
+#include "valid.h"
+
+int
+Valid_User(char *UserName, char *Password, char *Group)
+{
+    HANDLE hToken;
+    int result = NTV_LOGON_ERROR;
+    int error;
+    char NTDomain[256];
+    char *domain_qualify;
+    char DomainUser[256];
+    WCHAR wszUserName[256];	// Unicode user name
+    WCHAR wszGroup[256];	// Unicode Group
+
+    LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
+    LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
+    DWORD dwLevel = 0;
+    DWORD dwFlags = LG_INCLUDE_INDIRECT;
+    DWORD dwPrefMaxLen = -1;
+    DWORD dwEntriesRead = 0;
+    DWORD dwTotalEntries = 0;
+    NET_API_STATUS nStatus;
+    DWORD i;
+    DWORD dwTotalCount = 0;
+
+/* Convert ANSI User Name and Group to Unicode */
+
+    MultiByteToWideChar(CP_ACP, 0, UserName,
+	strlen(UserName) + 1, wszUserName,
+	sizeof(wszUserName) / sizeof(wszUserName[0]));
+    MultiByteToWideChar(CP_ACP, 0, Group,
+	strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
+    if ((domain_qualify = strchr(UserName, '\\')) == NULL) {
+	strcpy(DomainUser, UserName);
+	strcpy(NTDomain, ".");
+    } else {
+	strcpy(DomainUser, domain_qualify + 1);
+	domain_qualify[0] = '\0';
+	strcpy(NTDomain, UserName);
+    }
+    /* Log the client on to the local computer. */
+    if (!LogonUser(DomainUser,
+	    NTDomain,
+	    Password,
+	    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)) {
+	result = NTV_LOGON_ERROR;
+	error = GetLastError();
+    } else {
+	/*
+	 * Call the NetUserGetLocalGroups function 
+	 * specifying information level 0.
+	 * 
+	 * The LG_INCLUDE_INDIRECT flag specifies that the 
+	 * function should also return the names of the local 
+	 * groups in which the user is indirectly a member.
+	 */
+	nStatus = NetUserGetLocalGroups(NULL,
+	    wszUserName,
+	    dwLevel,
+	    dwFlags,
+	    (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
+	/*
+	 * If the call succeeds,
+	 */
+	if (nStatus == NERR_Success) {
+	    if ((pTmpBuf = pBuf) != NULL) {
+		for (i = 0; i < dwEntriesRead; i++) {
+		    assert(pTmpBuf != NULL);
+		    if (pTmpBuf == NULL) {
+			result = NTV_SERVER_ERROR;
+			break;
+		    }
+		    if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
+			result = NTV_NO_ERROR;
+			break;
+		    }
+		    pTmpBuf++;
+		    dwTotalCount++;
+		}
+	    }
+	} else
+	    result = NTV_SERVER_ERROR;
+	/*
+	 * Free the allocated memory.
+	 */
+	if (pBuf != NULL)
+	    NetApiBufferFree(pBuf);
+    }
+    if (hToken != INVALID_HANDLE_VALUE)
+	CloseHandle(hToken);
+    return result;
+}
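Review bot: `hToken` is declared without an initialiser, so when `LogonUser` fails the closing `if (hToken != INVALID_HANDLE_VALUE) CloseHandle(hToken);` tests an indeterminate value and may close an unrelated handle; declare it as `HANDLE hToken = INVALID_HANDLE_VALUE;`. The `strcpy` calls into `DomainUser[256]` and `NTDomain[256]` and the two `MultiByteToWideChar` calls rely entirely on the caller for length. Nothing in this function bounds `UserName` or `Group`, and the conversion return values are not checked, so an over-long string arriving through the DLL entry point could overrun the stack buffers or leave `wszUserName` unterminated before it reaches `NetUserGetLocalGroups`. A guard at the top such as `if (strlen(UserName) >= sizeof(DomainUser) || strlen(Group) >= sizeof(DomainUser)) return NTV_LOGON_ERROR;` keeps the failure closed.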
Index: squid/src/auth/basic/helpers/win32_locallogon/valid.h
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/valid.h:1.1.2.2
--- /dev/null		Thu Jan  1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/valid.h	Mon Apr 30 03:22:08 2001
@@ -0,0 +1,16 @@
+#ifndef _VALID_H_
+#define _VALID_H_
+/* SMB User verification function */
+
+#define NTV_NO_ERROR 0
+#define NTV_SERVER_ERROR 1
+#define NTV_PROTOCOL_ERROR 2
+#define NTV_LOGON_ERROR 3
+
+#ifndef LOGON32_LOGON_NETWORK
+#define LOGON32_LOGON_NETWORK       3
+#endif
+
+int Valid_User(char *, char *, char *);
+
+#endif
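Review bot: The prototype `int Valid_User(char *, char *, char *);` gives callers no hint of argument order or side effects, and the comment above it still says "SMB User verification function" although valid.c authenticates with `LogonUser`. I would name the parameters, `int Valid_User(char *UserName, char *Password, char *Group);`, and add a comment stating that the function returns one of the `NTV_*` codes and overwrites the backslash in `UserName` when a `domain\user` form is passed, since valid.c does `domain_qualify[0] = '\0'` on the caller's buffer. The guard name `_VALID_H_` begins with an underscore followed by an uppercase letter, which is reserved for the implementation; `VALID_H` avoids that.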

