diff -w -B -r -u -N squid-2.7.STABLE6/configure.in squid-2.7.STABLE6-krb5/configure.in
--- squid-2.7.STABLE6/configure.in	2009-02-04 00:44:06.000000000 +0000
+++ squid-2.7.STABLE6-krb5/configure.in	2009-08-01 16:25:06.000000000 +0100
@@ -1423,6 +1423,184 @@
 fi
 AC_SUBST(NEGOTIATE_AUTH_HELPERS)
 
+old_CPPFLAGS=$CPPFLAGS
+old_LIBS=$LIBS
+AC_ARG_WITH(krb5-config,
+ [  --with-krb5-config=PATH specify path to krb5-config @<:@default=detect@:>@],
+ [if test x"$withval" = xyes; then
+     unset krb5confpath
+  elif test x"$withval" != xno; then
+     krb5confpath=$withval
+  else
+     krb5confpath=no
+  fi])
+
+if test x"$krb5confpath" != xno; then
+    if test x"$krb5confpath" != x; then
+        if ! test -x "$krb5confpath"; then
+            AC_MSG_WARN([krb5-config '$krb5confpath' not executable, ignoring])
+            AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no)
+            krb5confpath=krb5-config
+        fi
+        krb5_config_path=`dirname $krb5confpath`
+        AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no, $krb5_config_path)
+    else
+        AC_CHECK_PROG(ac_krb5_config, krb5-config, yes, no)
+        krb5confpath=krb5-config
+    fi
+fi
+
+if test "x$ac_krb5_config" = "xyes" ; then
+    ac_heimdal=`$krb5confpath --version 2>/dev/null | grep -i heimdal`
+    ac_solaris=`$krb5confpath --version 2>/dev/null | grep -i solaris`
+    if test "x$ac_heimdal" != "x" ; then
+        AC_DEFINE(HAVE_HEIMDAL_KERBEROS,1,[Define to 1 if you have Heimdal Kerberos])
+    else
+        AC_DEFINE(HAVE_MIT_KERBEROS,1,[Define to 1 if you have MIT Kerberos])
+    fi
+    if test "x$ac_solaris" != "x" ; then
+        KRB5INCS=`$krb5confpath --cflags krb5 2>/dev/null`
+        KRB5LIBS=`$krb5confpath --libs krb5 2>/dev/null`
+        KRB5INCS="-I/usr/include/gssapi $KRB5INCS"
+        KRB5LIBS="-L/usr/lib -R/usr/lib -lgss -lresolv -lsocket -lnsl $KRB5LIBS"
+    else
+        KRB5INCS=`$krb5confpath --cflags krb5 2>/dev/null`
+        KRB5LIBS=`$krb5confpath --libs krb5 2>/dev/null`
+        KRB5INCS="`$krb5confpath --cflags gssapi 2>/dev/null` $KRB5INCS"
+        KRB5LIBS="`$krb5confpath --libs gssapi 2>/dev/null` $KRB5LIBS"
+    fi
+    CPPFLAGS="$CPPFLAGS $KRB5INCS"
+    LIBS="$LIBS $KRB5LIBS"
+    AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h)
+    if test "x$ac_heimdal" == "x" ; then
+        AC_CHECK_HEADERS(gssapi/gssapi_generic.h)
+    fi
+    AC_CHECK_HEADERS(krb5.h com_err.h)
+    if test "x$ac_heimdal" == "x" ; then
+        AC_CHECK_HEADERS(profile.h)
+    fi
+    AC_CHECK_LIB(krb5,krb5_kt_free_entry,
+        AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1,[Define to 1 if you have krb5_kt_free_entry]),)
+    AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab,
+        AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1,[Define to 1 if you have krb5_get_init_creds_keytab]),)
+    AC_CHECK_LIB(krb5,krb5_get_max_time_skew,
+        AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1,[Define to 1 if you have krb5_get_max_time_skew]),)
+    AC_MSG_CHECKING([for memory cache])
+    AC_TRY_RUN([
+#include<krb5.h>
+main()
+{
+    krb5_context context;
+    krb5_ccache cc;
+
+    krb5_init_context(&context);
+    return krb5_cc_resolve(context, "MEMORY:test_cache", &cc);
+}],
+    [AC_DEFINE(HAVE_KRB5_MEMORY_CACHE,1, [Define to 1 if you have MEMORY: cache support])
+     AC_MSG_RESULT(yes)],
+    AC_MSG_RESULT(no))
+
+    AC_MSG_CHECKING([for working gssapi])
+    AC_TRY_RUN([
+#ifdef HAVE_GSSAPI_GSSAPI_H
+#include <gssapi/gssapi.h>
+#elif HAVE_GSSAPI_H
+#include <gssapi.h>
+#endif
+
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+#include <gssapi/gssapi_ext.h>
+#endif
+
+#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
+#include <gssapi/gssapi_krb5.h>
+#endif
+
+#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
+#include <gssapi/gssapi_generic.h>
+#endif
+int
+main(void)
+{
+        OM_uint32 val;
+        gss_OID_set set;
+
+        gss_create_empty_oid_set(&val, &set);
+
+        return 0;
+}
+],  [AC_DEFINE(HAVE_GSSAPI, 1, [GSSAPI support])
+     AC_MSG_RESULT(yes)],
+    AC_MSG_RESULT(no))
+    AC_MSG_CHECKING([for spnego support])
+    AC_TRY_RUN([
+#ifdef HAVE_HEIMDAL_KERBEROS
+#ifdef HAVE_GSSAPI_GSSAPI_H
+#include <gssapi/gssapi.h>
+#elif defined(HAVE_GSSAPI_H)
+#include <gssapi.h>
+#endif
+#else
+#ifdef HAVE_GSSAPI_GSSAPI_H
+#include <gssapi/gssapi.h>
+#elif defined(HAVE_GSSAPI_H)
+#include <gssapi.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
+#include <gssapi/gssapi_krb5.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
+#include <gssapi/gssapi_generic.h>
+#endif
+#endif
+#include <string.h>
+int main(int argc, char *argv[]) {
+ OM_uint32 major_status,minor_status;
+ gss_OID_set gss_mech_set;
+ int i;
+
+static gss_OID_desc _gss_mech_spnego  = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
+gss_OID gss_mech_spnego = &_gss_mech_spnego;
+
+ major_status = gss_indicate_mechs( &minor_status, &gss_mech_set);
+
+ for (i=0;i<gss_mech_set->count;i++) {
+     if (!memcmp(gss_mech_set->elements[i].elements,gss_mech_spnego->elements,gss_mech_set->elements[i].length)) {
+        return 0;
+     }
+ }
+
+ return 1;
+}],
+    [ac_cv_have_spnego=yes
+     AC_DEFINE(HAVE_SPNEGO,1, [Define to 1 if you have SPNEGO support])
+     AC_MSG_RESULT(yes)],
+    [ac_cv_have_spnego=no
+     AC_MSG_RESULT(no)])
+    AC_MSG_CHECKING([for working krb5])
+    AC_TRY_RUN([
+#ifdef HAVE_KRB5_H
+#include <krb5.h>
+#endif
+
+int
+main(void)
+{
+        krb5_context context;
+
+        krb5_init_context(&context);
+
+        return 0;
+}
+],  [AC_DEFINE(HAVE_KRB5, 1, [KRB5 support])
+     AC_MSG_RESULT(yes)],
+    AC_MSG_RESULT(no))
+    LIBS=$old_LIBS
+    CPPFLAGS=$old_CPPFLAGS
+    AC_SUBST(KRB5INCS)
+    AC_SUBST(KRB5LIBS)
+fi
+
 dnl Enable "NTLM fail open"
 AC_ARG_ENABLE(ntlm-fail-open,
 [  --enable-ntlm-fail-open Enable NTLM fail open, where a helper that fails one of the
diff -w -B -r -u -N squid-2.7.STABLE6/src/http.c squid-2.7.STABLE6-krb5/src/http.c
--- squid-2.7.STABLE6/src/http.c	2008-09-25 03:33:37.000000000 +0100
+++ squid-2.7.STABLE6-krb5/src/http.c	2009-07-28 23:15:59.000000000 +0100
@@ -1307,6 +1307,14 @@
 	    }
 	} else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) {
 	    /* Nothing to do */
+#if HAVE_KRB5 && HAVE_GSSAPI
+        } else if (strcmp(orig_request->peer_login, "NEGOTIATE") == 0) {
+             char *Token;
+             Token = peer_proxy_negotiate_auth(NULL,request->peer_host);
+             if (Token) {
+               httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Negotiate %s",Token);
+             }
+#endif /* HAVE_KRB5 && HAVE_GSSAPI */
 	} else {
 	    httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s",
 		base64_encode(orig_request->peer_login));
@@ -1471,6 +1479,7 @@
 	httpState->flags.http11 = httpState->peer->options.http11;
     else
 	httpState->flags.http11 = Config.onoff.server_http11;
+    req->peer_host=httpState->peer?httpState->peer->host:NULL;
     memBufDefInit(&mb);
     httpBuildRequestPrefix(req,
 	httpState->orig_request,
diff -w -B -r -u -N squid-2.7.STABLE6/src/Makefile.am squid-2.7.STABLE6-krb5/src/Makefile.am
--- squid-2.7.STABLE6/src/Makefile.am	2008-01-02 15:50:39.000000000 +0000
+++ squid-2.7.STABLE6-krb5/src/Makefile.am	2009-07-28 22:45:19.000000000 +0100
@@ -97,6 +97,7 @@
 SUBDIRS		= fs repl auth
 
 INCLUDES        = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
+INCLUDES       += @KRB5INCS@
 
 EXTRA_PROGRAMS = \
 	unlinkd \
@@ -220,6 +221,7 @@
 	pconn.c \
 	peer_digest.c \
 	peer_monitor.c \
+        peer_proxy_negotiate_auth.c \
 	peer_select.c \
 	peer_sourcehash.c \
 	peer_userhash.c \
@@ -284,8 +286,8 @@
 	@LIB_EPOLL@ \
 	-lmiscutil \
 	@XTRA_LIBS@ \
-	$(MINGWEXLIB)
-
+	$(MINGWEXLIB) \
+        @KRB5LIBS@
 squid_DEPENDENCIES = \
 	$(REPL_OBJS) \
 	$(STORE_OBJS) \
diff -w -B -r -u -N squid-2.7.STABLE6/src/peer_proxy_negotiate_auth.c squid-2.7.STABLE6-krb5/src/peer_proxy_negotiate_auth.c
--- squid-2.7.STABLE6/src/peer_proxy_negotiate_auth.c	1970-01-01 01:00:00.000000000 +0100
+++ squid-2.7.STABLE6-krb5/src/peer_proxy_negotiate_auth.c	2009-08-01 16:28:17.000000000 +0100
@@ -0,0 +1,473 @@
+/*
+ * -----------------------------------------------------------------------------
+ *
+ * Author: Markus Moeller (markus_moeller at compuserve.com)
+ *
+ * Copyright (C) 2007 Markus Moeller. All rights reserved.
+ *
+ *   This program is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation; either version 2 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, write to the Free Software
+ *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
+ *
+ * -----------------------------------------------------------------------------
+ */
+/*
+ * Hosted at http://sourceforge.net/projects/squidkerbauth
+ */
+
+#include <squid.h>
+
+#if HAVE_KRB5 && HAVE_GSSAPI
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#if HAVE_PROFILE_H
+#include <profile.h>
+#endif /* HAVE_PROFILE_H */
+#if HAVE_KRB5_H
+#include <krb5.h>
+#endif /* HAVE_KRB5_H */
+#if HAVE_COM_ERR_H
+#include <com_err.h>
+#endif /* HAVE_COM_ERR_H */
+
+#if HAVE_GSSAPI_GSSAPI_H
+#include <gssapi/gssapi.h>
+#elif HAVE_GSSAPI_H
+#include <gssapi.h>
+#endif /* HAVE_GSSAPI_H */
+#if HAVE_GSSAPI_GSSAPI_EXT_H
+#include <gssapi/gssapi_ext.h>
+#endif /* HAVE_GSSAPI_GSSAPI_EXT_H */
+#if HAVE_GSSAPI_GSSAPI_KRB5_H
+#include <gssapi/gssapi_krb5.h>
+#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */
+#if HAVE_GSSAPI_GSSAPI_GENERIC_H
+#include <gssapi/gssapi_generic.h>
+#endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */
+
+#ifndef gss_nt_service_name
+#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
+#endif
+
+#if HAVE_HEIMDAL_KERBEROS
+#define error_message(code) krb5_get_err_text(kparam.context,code)
+#endif
+
+#ifndef gss_mech_spnego
+static gss_OID_desc _gss_mech_spnego  = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
+gss_OID gss_mech_spnego = &_gss_mech_spnego;
+#endif
+
+#if HAVE_NAS_KERBEROS
+#include <ibm_svc/krb5_svc.h>
+const char *KRB5_CALLCONV error_message(long code) {
+ char *msg=NULL;
+ krb5_svc_get_msg(code,&msg);
+ return msg;
+}
+#endif
+
+static struct kstruct {
+  krb5_context context;
+  char* mem_cache_env;
+  krb5_ccache cc;
+} kparam = {NULL, NULL, NULL};
+
+int krb5_create_cache(char* keytab_filename, char* principal_name);
+void krb5_cleanup(void);
+
+int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function);
+
+int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function){
+  if (GSS_ERROR(major_status)) {
+    OM_uint32 maj_stat,min_stat;
+    OM_uint32 msg_ctx = 0;
+    gss_buffer_desc status_string;
+    char buf[1024];
+    size_t len;
+
+    len = 0;
+    msg_ctx = 0;
+    while (!msg_ctx) {
+      /* convert major status code (GSS-API error) to text */
+      maj_stat = gss_display_status(&min_stat, major_status,
+                                    GSS_C_GSS_CODE,
+                                    GSS_C_NULL_OID,
+                                    &msg_ctx, &status_string);
+      if (maj_stat == GSS_S_COMPLETE) {
+        if (sizeof(buf) > len + status_string.length + 1) {
+          memcpy(buf+len, status_string.value, status_string.length);
+          len += status_string.length;
+        }
+        gss_release_buffer(&min_stat, &status_string);
+        break;
+      }
+      gss_release_buffer(&min_stat, &status_string);
+    }
+    if (sizeof(buf) > len + 2) {
+      strcpy(buf+len, ". ");
+      len += 2;
+    }
+    msg_ctx = 0;
+    while (!msg_ctx) {
+      /* convert minor status code (underlying routine error) to text */
+      maj_stat = gss_display_status(&min_stat, minor_status,
+                                    GSS_C_MECH_CODE,
+                                    GSS_C_NULL_OID,
+                                    &msg_ctx, &status_string);
+      if (maj_stat == GSS_S_COMPLETE) {
+        if (sizeof(buf) > len + status_string.length ) {
+          memcpy(buf+len, status_string.value, status_string.length);
+          len += status_string.length;
+        }
+        gss_release_buffer(&min_stat, &status_string);
+        break;
+      }
+      gss_release_buffer(&min_stat, &status_string);
+    }
+    debug(11, 5) ("%s failed: %s\n", function, buf);
+    return(1);
+  }
+  return(0);
+}
+
+void krb5_cleanup() {
+    debug(11, 5) ("Cleanup kerberos context\n");
+    if (kparam.context) {
+        if (kparam.cc)
+            krb5_cc_destroy(kparam.context,kparam.cc);
+        kparam.cc=NULL;
+        krb5_free_context(kparam.context);
+        kparam.context=NULL;
+        if (kparam.mem_cache_env)
+            xfree(kparam.mem_cache_env);
+        kparam.mem_cache_env=NULL;
+    }
+}
+
+int krb5_create_cache(char* kf, char* pn){
+
+#define KT_PATH_MAX 256
+#define MAX_RENEW_TIME "365d"
+
+  static char *keytab_filename=NULL, *principal_name=NULL;
+  static krb5_keytab	keytab = 0;
+  static krb5_keytab_entry entry;
+  static krb5_kt_cursor cursor;
+  static krb5_creds	*creds=NULL;
+#if HAVE_HEIMDAL_KERBEROS
+  static krb5_creds	creds2;
+#endif
+  static krb5_principal principal = NULL;
+  static krb5_deltat	skew;
+
+  krb5_get_init_creds_opt 	options;
+  krb5_error_code 		code = 0;
+  krb5_deltat			rlife;
+#if HAVE_PROFILE_H
+  profile_t                     profile;
+#else
+  krb5_kdc_flags 		flags;
+  krb5_realm 			*client_realm;
+#endif
+  char* mem_cache;
+
+restart:
+  if (creds &&
+     (creds->times.endtime - time(0) > skew) &&
+     (creds->times.renew_till - time(0) > 2*skew))
+    {
+      if (creds->times.endtime - time(0) < 2*skew)
+        {
+#if !HAVE_HEIMDAL_KERBEROS
+           /* renew ticket */
+           code = krb5_get_renewed_creds(kparam.context, creds, principal, kparam.cc, NULL);
+#else
+           /* renew ticket */
+           flags.i = 0;
+           flags.b.renewable = flags.b.renew = 1;
+
+           code = krb5_cc_get_principal(kparam.context, kparam.cc, &creds2.client);
+           if (code)
+             {
+                debug(11, 5) ("Error while getting principal from credential cache : %s\n", error_message(code));
+                return(1) ;
+             }
+           client_realm = krb5_princ_realm (kparam.context, creds2.client);
+           code = krb5_make_principal(kparam.context, &creds2.server, *client_realm,
+                               KRB5_TGS_NAME, *client_realm, NULL);
+           if (code)
+             {
+                debug(11, 5) ("Error while getting krbtgt principal : %s\n", error_message(code));
+                return(1) ;
+             }
+           code = krb5_get_kdc_cred(kparam.context, kparam.cc, flags, NULL, NULL, &creds2, &creds);
+#endif
+           if (code)
+             {
+                if ( code == KRB5KRB_AP_ERR_TKT_EXPIRED ) 
+                  {
+                     creds=NULL;
+                     /* this can happen because of clock skew */
+                     goto restart;
+                  }
+                  debug(11, 5) ("Error while get credentials : %s\n", error_message(code));
+                  return(1) ;
+             }
+        } 
+    } 
+  else
+    {
+      /* reinit */
+      if (!kparam.context)
+        {
+          code = krb5_init_context(&kparam.context);
+          if (code)
+            {
+              debug(11, 5) ("Error while initialising Kerberos library : %s\n", error_message(code));
+              return(1) ;
+            }
+          kparam.mem_cache_env=NULL;
+        }
+
+#if HAVE_PROFILE_H
+      code = krb5_get_profile (kparam.context, &profile);
+      if (code)
+        {
+           if (profile)
+              profile_release(profile);
+           debug(11, 5) ("Error while getting profile : %s\n", error_message(code));
+           return(1) ;
+        }
+      code = profile_get_integer(profile, "libdefaults", "clockskew", 0, 5 * 60, &skew);
+      if (profile)
+         profile_release(profile);
+      if (code)
+        {
+           debug(11, 5) ("Error while getting clockskew : %s\n", error_message(code));
+           return(1) ;
+        }
+#else
+#if HAVE_KRB5_GET_MAX_TIME_SKEW      
+      skew=krb5_get_max_time_skew(kparam.context);
+#else
+      skew=kparam.context->max_skew;
+#endif
+#endif
+
+      if (!kf) 
+        {
+           char      buf[KT_PATH_MAX], *p;
+
+           krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX);
+           p = strchr(buf, ':');            
+           if (p) p++;
+           if (keytab_filename)
+               xfree(keytab_filename);                       
+           keytab_filename = xstrdup(p ? p : buf);
+        }
+      else {
+          keytab_filename = xstrdup(kf); 
+        }
+
+      code = krb5_kt_resolve(kparam.context, keytab_filename, &keytab);
+      if (code)
+        {
+           debug(11, 5) ("Error while resolving keytab filename %s : %s\n", keytab_filename, error_message(code));
+           return(1);
+        }
+
+      if (!pn)
+        {
+           code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor);
+           if (code)
+             {
+                 debug(11, 5) ("Error while starting keytab scan : %s\n", error_message(code));
+                 return(1);
+             }
+           code = krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor);
+           krb5_copy_principal(kparam.context,entry.principal,&principal);
+           if (code && code != KRB5_KT_END)
+             {
+                 debug(11, 5) ("Error while scanning keytab : %s\n", error_message(code));
+                 return(1);
+             }
+
+           code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor);
+           if (code)
+             {
+                 debug(11, 5) ("Error while ending keytab scan : %s\n", error_message(code));
+                return(1);
+             }
+#if HAVE_HEIMDAL_KERBEROS || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY)
+           code = krb5_kt_free_entry(kparam.context,&entry);
+#else
+           code = krb5_free_keytab_entry_contents(kparam.context,&entry);
+#endif
+           if (code)
+           {
+               debug(11, 5) ("Error while freeing keytab entry : %s\n", error_message(code));
+               return(1);
+           }
+
+        }
+      else {
+           principal_name=xstrdup(pn);
+        }
+
+      if (!principal) 
+        {
+           code = krb5_parse_name(kparam.context, principal_name, &principal);
+           if (code)
+             {
+                debug(11, 5) ("Error while parsing principal name %s : %s\n", principal_name, error_message(code));
+                return (1);
+             }
+        }
+
+      creds = (krb5_creds *)xmalloc(sizeof(*creds));
+      memset(creds, 0, sizeof(*creds));
+      krb5_get_init_creds_opt_init(&options);
+      code = krb5_string_to_deltat((char *)MAX_RENEW_TIME, &rlife);
+      if (code != 0 || rlife == 0)
+        {
+           debug(11, 5) ("Error bad lifetime value %s : %s\n", MAX_RENEW_TIME, error_message(code));
+           return (1);
+        }
+      krb5_get_init_creds_opt_set_renew_life(&options, rlife);
+          
+      code = krb5_get_init_creds_keytab(kparam.context, creds, principal, keytab, 0, NULL, &options);
+      if (code)
+        {
+           debug(11, 5) ("Error while initializing credentials from keytab : %s\n", error_message(code));
+           return (1);
+        }
+
+#if !HAVE_KRB5_MEMORY_CACHE
+      mem_cache=(char *)xmalloc(strlen("FILE:/tmp/squid_proxy_auth_")+16);
+      snprintf(mem_cache,strlen("FILE:/tmp/squid_proxy_auth_")+16,"FILE:/tmp/squid_proxy_auth_%d",getpid());
+#else
+      mem_cache=(char *)xmalloc(strlen("MEMORY:squid_proxy_auth_")+16);
+      snprintf(mem_cache,strlen("MEMORY:squid_proxy_auth_")+16,"MEMORY:squid_proxy_auth_%d",getpid());
+#endif
+
+      kparam.mem_cache_env=(char *)xmalloc(strlen("KRB5CCNAME=")+strlen(mem_cache)+1);
+      strcpy(kparam.mem_cache_env,"KRB5CCNAME=");
+      strcat(kparam.mem_cache_env,mem_cache);
+      putenv(kparam.mem_cache_env);
+      code = krb5_cc_resolve(kparam.context, mem_cache , &kparam.cc);
+      if (mem_cache)
+          xfree(mem_cache);
+      if (code) 
+        {
+           debug(11, 5) ("Error while resolving memory credential cache : %s\n", error_message(code));
+           return(1) ;
+        }
+      code = krb5_cc_initialize(kparam.context, kparam.cc, principal);
+      if (code) 
+        {
+           debug(11, 5) ("Error while initializing memory credential cache : %s\n", error_message(code));
+           return(1) ;
+        }
+      code = krb5_cc_store_cred(kparam.context, kparam.cc, creds);
+      if (code) 
+        {
+           debug(11, 5) ("Error while storing credentials : %s\n", error_message(code));
+           return(1) ;
+        }
+
+      if (!creds->times.starttime) 
+        creds->times.starttime = creds->times.authtime;
+    }
+    return(0);
+}
+
+char *peer_proxy_negotiate_auth(char* principal_name, char *proxy) {
+ int rc=0;
+ OM_uint32 major_status, minor_status;
+ gss_ctx_id_t          gss_context = GSS_C_NO_CONTEXT;
+ gss_name_t            server_name = GSS_C_NO_NAME;
+ gss_buffer_desc       service = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc       input_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc       output_token = GSS_C_EMPTY_BUFFER;
+ char   *token = NULL;
+
+  setbuf(stdout,NULL);
+  setbuf(stdin,NULL);
+
+  if (!proxy ) {
+     debug(11, 5) ("Error : No proxy server name\n");
+     return NULL;
+  }
+
+  debug(11, 5) ("Creating credential cache\n");
+  rc = krb5_create_cache(NULL,principal_name);
+  if (rc) {
+     debug(11, 5) ("Error : Failed to create Kerberos cache\n");
+     krb5_cleanup();
+     return NULL;
+  }
+
+  service.value = (void *)xmalloc(strlen("HTTP")+strlen(proxy)+2);
+  snprintf((char *)service.value,strlen("HTTP")+strlen(proxy)+2,"%s@%s","HTTP",proxy);
+  service.length = strlen((char *)service.value);
+ 
+  debug(11, 5) ("Import gss name\n");
+  major_status = gss_import_name(&minor_status, &service,
+                                 gss_nt_service_name, &server_name);
+ 
+  if (check_gss_err(major_status,minor_status,"gss_import_name()") )
+      goto cleanup;
+
+  debug(11, 5) ("Initialize gss security context\n");
+  major_status = gss_init_sec_context(&minor_status,
+                                      GSS_C_NO_CREDENTIAL,
+                                      &gss_context,
+                                      server_name,
+                                      gss_mech_spnego,
+                                      0,
+                                      0,
+                                      GSS_C_NO_CHANNEL_BINDINGS,
+                                      &input_token,
+                                      NULL,
+                                      &output_token,
+                                      NULL,
+                                      NULL);
+
+  if (check_gss_err(major_status,minor_status,"gss_init_sec_context()") )
+      goto cleanup;
+
+  debug(11, 5) ("Got token with length %d\n",output_token.length);
+  if (output_token.length) {
+
+      token = (char *)base64_encode_bin((const char*)output_token.value,output_token.length);
+  } 
+
+
+cleanup:
+  gss_delete_sec_context(&minor_status, &gss_context, NULL);
+  gss_release_buffer(&minor_status, &service);
+  gss_release_buffer(&minor_status, &input_token);
+  gss_release_buffer(&minor_status, &output_token);
+  gss_release_name(&minor_status, &server_name);
+
+  return token; 
+}
+#ifdef __cplusplus
+}
+#endif
+#endif /* HAVE_KRB5 && HAVE_GSSAPI */
+
diff -w -B -r -u -N squid-2.7.STABLE6/src/protos.h squid-2.7.STABLE6-krb5/src/protos.h
--- squid-2.7.STABLE6/src/protos.h	2008-06-27 22:52:56.000000000 +0100
+++ squid-2.7.STABLE6-krb5/src/protos.h	2009-07-28 22:48:49.000000000 +0100
@@ -1496,5 +1496,5 @@
 extern void clientStoreURLRewriteStart(clientHttpRequest * http);
 extern void clientStoreURLRewriteDone(void *data, char *result);
 
-
+extern char *peer_proxy_negotiate_auth(char *principal_name, char *proxy);
 #endif /* SQUID_PROTOS_H */
diff -w -B -r -u -N squid-2.7.STABLE6/src/ssl.c squid-2.7.STABLE6-krb5/src/ssl.c
--- squid-2.7.STABLE6/src/ssl.c	2008-05-05 00:23:13.000000000 +0100
+++ squid-2.7.STABLE6-krb5/src/ssl.c	2009-07-28 22:51:19.000000000 +0100
@@ -628,6 +628,7 @@
     }
     sslState->servers = fs;
     sslState->host = fs->peer ? fs->peer->host : request->host;
+    request->peer_host = fs->peer ? fs->peer->host : NULL;
     if (fs->peer == NULL) {
 	sslState->port = request->port;
     } else if (fs->peer->http_port != 0) {
diff -w -B -r -u -N squid-2.7.STABLE6/src/structs.h squid-2.7.STABLE6-krb5/src/structs.h
--- squid-2.7.STABLE6/src/structs.h	2008-09-25 03:33:37.000000000 +0100
+++ squid-2.7.STABLE6-krb5/src/structs.h	2009-07-28 22:40:45.000000000 +0100
@@ -1949,6 +1949,7 @@
     HierarchyLogEntry hier;
     err_type err_type;
     char *peer_login;		/* Configured peer login:password */
+    char *peer_host;           /* Selected peer host*/
     time_t lastmod;		/* Used on refreshes */
     char *vary_hdr;		/* Used when varying entities are detected. Changes how the store key is calculated */
     char *vary_headers;		/* Used when varying entities are detected. Changes how the store key is calculated */

