From 78d14c18745d7725abf04fcd9a287f82f7eb6c71 Mon Sep 17 00:00:00 2001 From: ankor2023 Date: Thu, 26 Mar 2026 11:32:42 +0300 Subject: [PATCH 1/7] Update negotiate_kerberos.h Version update --- src/auth/negotiate/kerberos/negotiate_kerberos.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos.h b/src/auth/negotiate/kerberos/negotiate_kerberos.h index 6c20b91f405..994a050864d 100644 --- a/src/auth/negotiate/kerberos/negotiate_kerberos.h +++ b/src/auth/negotiate/kerberos/negotiate_kerberos.h @@ -83,7 +83,7 @@ #define MAX_AUTHTOKEN_LEN 65535 #endif #ifndef SQUID_KERB_AUTH_VERSION -#define SQUID_KERB_AUTH_VERSION "3.1.0sq" +#define SQUID_KERB_AUTH_VERSION "3.2.0sq" #endif char *gethost_name(void); From 92b00490507f9a1f322be99ef6cd9c0d12d2f209 Mon Sep 17 00:00:00 2001 From: ankor2023 Date: Thu, 26 Mar 2026 16:10:54 +0300 Subject: [PATCH 2/7] Add files via upload Add -g option for group attribute name and update helper output format --- .../kerberos/negotiate_kerberos_auth.cc | 30 +++++++++++++++---- .../kerberos/negotiate_kerberos_pac.cc | 15 +++++----- 2 files changed, 31 insertions(+), 14 deletions(-) diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc index 55db7681e8f..98680667cd5 100644 --- a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc +++ b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc @@ -333,6 +333,7 @@ main(int argc, char *const argv[]) #else gss_buffer_desc type_id = GSS_C_EMPTY_BUFFER; #endif + const char* group_attribute_name = "group"; #endif /* HAVE_KRB5_PAC_SUPPORT */ krb5_context context = nullptr; krb5_error_code ret; @@ -366,7 +367,7 @@ main(int argc, char *const argv[]) setbuf(stdout, nullptr); setbuf(stdin, nullptr); - while (-1 != (opt = getopt(argc, argv, "dirs:k:c:t:"))) { + while (-1 != (opt = getopt(argc, argv, "dirs:k:c:t:g:"))) { switch (opt) { case 'd': debug_enabled = 1; @@ -462,9 +463,23 @@ main(int argc, char *const argv[]) exit(EXIT_FAILURE); } break; +#if HAVE_KRB5_PAC_SUPPORT + case 'g': + if (optarg) + group_attribute_name = optarg; + else { + fprintf(stderr, "ERROR: attribute name not given\n"); + exit(EXIT_FAILURE); + } + break; +#endif default: fprintf(stderr, "Usage: \n"); - fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-k keytab] [-c rcdir] [-t rctype]\n"); + fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-k keytab] [-c rcdir] [-t rctype]"); +#if HAVE_KRB5_PAC_SUPPORT + fprintf(stderr, " [-g attribute name]"); +#endif + fprintf(stderr, "\n"); fprintf(stderr, "-d full debug\n"); fprintf(stderr, "-i informational messages\n"); fprintf(stderr, "-r remove realm from username\n"); @@ -472,9 +487,12 @@ main(int argc, char *const argv[]) fprintf(stderr, "-k keytab name\n"); fprintf(stderr, "-c replay cache directory\n"); fprintf(stderr, "-t replay cache type\n"); +#if HAVE_KRB5_PAC_SUPPORT + fprintf(stderr, "-g group annotaion attribute name (default '%s', you can use 'clt_conn_tag' for connection annotation)\n", group_attribute_name); +#endif fprintf(stderr, - "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); - fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n"); + "\nThe SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); + fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n\n"); exit(EXIT_SUCCESS); } } @@ -786,7 +804,7 @@ main(int argc, char *const argv[]) rfc_user = rfc1738_escape(user); #if HAVE_KRB5_PAC_SUPPORT - fprintf(stdout, "OK token=%s user=%s %s\n", token, rfc_user, ag?ag:"group="); + fprintf(stdout, "OK token=%s user=%s %s=%s\n", token, rfc_user, group_attribute_name, ag?ag:""); #else fprintf(stdout, "OK token=%s user=%s\n", token, rfc_user); #endif /* HAVE_KRB5_PAC_SUPPORT */ @@ -828,7 +846,7 @@ main(int argc, char *const argv[]) } rfc_user = rfc1738_escape(user); #if HAVE_KRB5_PAC_SUPPORT - fprintf(stdout, "OK token=%s user=%s %s\n", "AA==", rfc_user, ag?ag:"group="); + fprintf(stdout, "OK token=%s user=%s %s=%s\n", "AA==", rfc_user, group_attribute_name, ag?ag:""); #else fprintf(stdout, "OK token=%s user=%s\n", "AA==", rfc_user); #endif /* HAVE_KRB5_PAC_SUPPORT */ diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc index 37c8577bd68..4d4b765b402 100644 --- a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc +++ b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc @@ -114,6 +114,7 @@ get1byt(void) return var; } +/* static char * pstrcpy( char *src, const char *dst) { @@ -125,6 +126,7 @@ pstrcpy( char *src, const char *dst) } else return src; } +*/ static char * pstrcat( char *src, const char *dst) @@ -236,13 +238,10 @@ getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t Gro ag[1] = ag[1]+1; memcpy((void *)&ag[2],(const void*)&p[bpos+2],6+nauth*4); memcpy((void *)&ag[length],(const void*)Rids[l],4); - if (l==0) { - if (!pstrcpy(ad_groups,"group=")) { - debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", - LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups); - } + if ( l==0 ) { + ad_groups[0] = '\0'; // just clean up } else { - if (!pstrcat(ad_groups," group=")) { + if (!pstrcat(ad_groups, ",")) { debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups); } @@ -330,7 +329,7 @@ getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount) xfree(ag); return nullptr; } else { - if (!pstrcat(ad_groups," group=")) { + if (!pstrcat(ad_groups, ",")) { debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups); } @@ -465,7 +464,7 @@ get_resource_groups(char *ad_groups, uint32_t ResourceGroupDomainSid, uint32_t uint32_t sauth; memcpy((void *)&st[group_domain_sid_len], (const void*)&p[bpos], 4); // rid concatenation - if (!pstrcat(ad_groups, " group=")) { + if (!pstrcat(ad_groups, ",")) { debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups); } From f6d7ccae156732ab5f78d314f93fdc9bca316c73 Mon Sep 17 00:00:00 2001 From: ankor2023 Date: Fri, 27 Mar 2026 12:00:06 +0300 Subject: [PATCH 3/7] Add files via upload Fix review comments --- .../negotiate/kerberos/negotiate_kerberos.h | 2 +- .../kerberos/negotiate_kerberos_pac.cc | 64 +++++++------------ 2 files changed, 24 insertions(+), 42 deletions(-) diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos.h b/src/auth/negotiate/kerberos/negotiate_kerberos.h index 994a050864d..6c20b91f405 100644 --- a/src/auth/negotiate/kerberos/negotiate_kerberos.h +++ b/src/auth/negotiate/kerberos/negotiate_kerberos.h @@ -83,7 +83,7 @@ #define MAX_AUTHTOKEN_LEN 65535 #endif #ifndef SQUID_KERB_AUTH_VERSION -#define SQUID_KERB_AUTH_VERSION "3.2.0sq" +#define SQUID_KERB_AUTH_VERSION "3.1.0sq" #endif char *gethost_name(void); diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc index 4d4b765b402..f82560feefd 100644 --- a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc +++ b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc @@ -114,30 +114,23 @@ get1byt(void) return var; } -/* + static char * -pstrcpy( char *src, const char *dst) +pstrcat( char *dst, const char *src) { - if (dst) { - if (strlen(dst)>MAX_PAC_GROUP_SIZE) + if (src) { + if ( strlen(dst) + strlen(src) + 1 >= MAX_PAC_GROUP_SIZE ) return nullptr; else - return strcpy(src,dst); + return strcat(dst, src); } else - return src; + return dst; } -*/ static char * -pstrcat( char *src, const char *dst) -{ - if (dst) { - if (strlen(src)+strlen(dst)+1>MAX_PAC_GROUP_SIZE) - return nullptr; - else - return strcat(src,dst); - } else - return src; +append_comma(char *buffer){ + if ( buffer && buffer[0] ) return pstrcat(buffer, ","); + return buffer; } int @@ -238,14 +231,8 @@ getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t Gro ag[1] = ag[1]+1; memcpy((void *)&ag[2],(const void*)&p[bpos+2],6+nauth*4); memcpy((void *)&ag[length],(const void*)Rids[l],4); - if ( l==0 ) { - ad_groups[0] = '\0'; // just clean up - } else { - if (!pstrcat(ad_groups, ",")) { - debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", - LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups); - } - } + + append_comma(ad_groups); struct base64_encode_ctx ctx; base64_encode_init(&ctx); const uint32_t expectedSz = base64_encode_len(length+4) +1 /* terminator */; @@ -280,6 +267,12 @@ getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t Gro char * getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount) { + if (!ad_groups) { + debug((char *) "%s| %s: ERR: No space to store groups\n", + LogTime(), PROGRAM); + return nullptr; + } + if (ExtraSids!= 0) { uint32_t ngroup; uint32_t *pa; @@ -322,19 +315,8 @@ getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount) size_t length = 1+1+6+nauth*4; ag = (char *)xcalloc((length)*sizeof(char),1); memcpy((void *)ag,(const void*)&p[bpos],length); - if (!ad_groups) { - debug((char *) "%s| %s: ERR: No space to store groups\n", - LogTime(), PROGRAM); - xfree(pa); - xfree(ag); - return nullptr; - } else { - if (!pstrcat(ad_groups, ",")) { - debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", - LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups); - } - } + append_comma(ad_groups); struct base64_encode_ctx ctx; base64_encode_init(&ctx); const uint32_t expectedSz = base64_encode_len(length) +1 /* terminator */; @@ -464,11 +446,7 @@ get_resource_groups(char *ad_groups, uint32_t ResourceGroupDomainSid, uint32_t uint32_t sauth; memcpy((void *)&st[group_domain_sid_len], (const void*)&p[bpos], 4); // rid concatenation - if (!pstrcat(ad_groups, ",")) { - debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n", - LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups); - } - + append_comma(ad_groups); struct base64_encode_ctx ctx; base64_encode_init(&ctx); const uint32_t expectedSz = base64_encode_len(length) + 1 /* terminator */; @@ -525,6 +503,8 @@ get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac) return nullptr; } + ad_groups[0] = '\0'; + ad_data = (krb5_data *)xcalloc(1,sizeof(krb5_data)); #define KERB_LOGON_INFO 1 @@ -611,6 +591,8 @@ get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac) if (checkustr(&LogonDomainName)<0) goto k5clean; ad_groups = getdomaingids(ad_groups,LogonDomainId,Rids,GroupCount); + if (!ad_groups) + goto k5clean; // https://learn.microsoft.com/en-us/previous-versions/aa302203(v=msdn.10)?redirectedfrom=MSDN#top-level-pac-structure if ((UserFlags&LOGON_EXTRA_SIDS) != 0) { From d8d5231e20ee88b09f22711c42ba4dec3f652545 Mon Sep 17 00:00:00 2001 From: ankor2023 Date: Fri, 27 Mar 2026 12:08:30 +0300 Subject: [PATCH 4/7] Add files via upload Fix review comments From 94d93ab71e7a0b276dee99dd447688fe4ed5652b Mon Sep 17 00:00:00 2001 From: ankor2023 Date: Fri, 27 Mar 2026 12:14:36 +0300 Subject: [PATCH 5/7] Add files via upload Fix review comments From 987a6dd3f8bf977a7963b5b4c4a48d2c41ad924a Mon Sep 17 00:00:00 2001 From: ankor2023 Date: Fri, 27 Mar 2026 12:19:04 +0300 Subject: [PATCH 6/7] Add files via upload Fix review comments --- .../negotiate/kerberos/negotiate_kerberos_auth.cc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc index 98680667cd5..02d77766fe0 100644 --- a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc +++ b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc @@ -367,7 +367,7 @@ main(int argc, char *const argv[]) setbuf(stdout, nullptr); setbuf(stdin, nullptr); - while (-1 != (opt = getopt(argc, argv, "dirs:k:c:t:g:"))) { + while (-1 != (opt = getopt(argc, argv, "dirs:k:c:t:a:"))) { switch (opt) { case 'd': debug_enabled = 1; @@ -464,11 +464,11 @@ main(int argc, char *const argv[]) } break; #if HAVE_KRB5_PAC_SUPPORT - case 'g': + case 'a': if (optarg) group_attribute_name = optarg; else { - fprintf(stderr, "ERROR: attribute name not given\n"); + fprintf(stderr, "ERROR: '-a' value not given\n"); exit(EXIT_FAILURE); } break; @@ -477,7 +477,7 @@ main(int argc, char *const argv[]) fprintf(stderr, "Usage: \n"); fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-k keytab] [-c rcdir] [-t rctype]"); #if HAVE_KRB5_PAC_SUPPORT - fprintf(stderr, " [-g attribute name]"); + fprintf(stderr, " [-a name]"); #endif fprintf(stderr, "\n"); fprintf(stderr, "-d full debug\n"); @@ -488,7 +488,8 @@ main(int argc, char *const argv[]) fprintf(stderr, "-c replay cache directory\n"); fprintf(stderr, "-t replay cache type\n"); #if HAVE_KRB5_PAC_SUPPORT - fprintf(stderr, "-g group annotaion attribute name (default '%s', you can use 'clt_conn_tag' for connection annotation)\n", group_attribute_name); + fprintf(stderr, "-a annotaion name for reporting user groups (e.g., 'clt_conn_tag'); defaults to '%s'\n", + group_attribute_name); #endif fprintf(stderr, "\nThe SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); From 34375ada79119c97817af3447b0d0830266ae9bd Mon Sep 17 00:00:00 2001 From: ankor2023 Date: Fri, 27 Mar 2026 14:24:56 +0300 Subject: [PATCH 7/7] Update negotiate_kerberos_auth.cc Fixed a typo. --- src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc index 02d77766fe0..1f5d288a8ea 100644 --- a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc +++ b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc @@ -488,7 +488,7 @@ main(int argc, char *const argv[]) fprintf(stderr, "-c replay cache directory\n"); fprintf(stderr, "-t replay cache type\n"); #if HAVE_KRB5_PAC_SUPPORT - fprintf(stderr, "-a annotaion name for reporting user groups (e.g., 'clt_conn_tag'); defaults to '%s'\n", + fprintf(stderr, "-a annotation name for reporting user groups (e.g., 'clt_conn_tag'); defaults to '%s'\n", group_attribute_name); #endif fprintf(stderr,