Hello community, here is the log from the commit of package cntlm for openSUSE:Factory checked in at 2013-11-13 08:55:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cntlm (Old) and /work/SRC/openSUSE:Factory/.cntlm.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cntlm" Changes: -------- --- /work/SRC/openSUSE:Factory/cntlm/cntlm.changes 2011-12-02 16:25:33.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cntlm.new/cntlm.changes 2013-11-13 08:55:02.000000000 +0100 @@ -1,0 +2,15 @@ +Sat Oct 26 15:10:39 UTC 2013 - [email protected] + +- Update to version 0.92.3 + + No changelog available +- Improve systemd support for openSUSE >= 12.3 +- Add some forgotten stuff for sysvinit support +- Little specfile cleanup +- Drop obsolete by upstream changes patchs + * cntlm-0.35.1-config.patch + * cntlm-0.35.1-Makefile.patch +- Add patchs + + cntlm-0.92.3-HTTP-1.1-persistent-connections-with-HTTP-1.0-clients.patch + cntlm doesn't handle correctly requests when use HTTP protocol + +------------------------------------------------------------------- Old: ---- cntlm-0.35.1-Makefile.patch cntlm-0.35.1-config.patch cntlm-0.35.1.tar.bz2 New: ---- cntlm-0.92.3-HTTP-1.1-persistent-connections-with-HTTP-1.0-clients.patch cntlm-0.92.3.tar.bz2 cntlm-override-CFLAGS-CXXFLAGS-makefile.patch cntlm.service cntlm.tmpfiles ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cntlm.spec ++++++ --- /var/tmp/diff_new_pack.6UvuXa/_old 2013-11-13 08:55:03.000000000 +0100 +++ /var/tmp/diff_new_pack.6UvuXa/_new 2013-11-13 08:55:03.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package cntlm # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2007 Scorpio IT, Deidesheim, Germany # # All modifications and additions to the file contributed by third parties @@ -16,11 +16,9 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - - Name: cntlm Summary: Fast NTLM authentication proxy with tunneling -Version: 0.35.1 +Version: 0.92.3 Release: 1 License: GPL-2.0+ Group: Productivity/Networking/Web/Proxy @@ -28,10 +26,23 @@ Source0: %{name}-%{version}.tar.bz2 Source1: %{name}.init Source2: %{name}.sysconfig -Patch: %{name}-0.35.1-config.patch -Patch1: %{name}-0.35.1-Makefile.patch +Source3: %{name}.service +Source4: %{name}.tmpfiles +# PATCH-FIX-UPSTREAM cntlm-override-CFLAGS-CXXFLAGS-makefile.patch --fix empty debuginfo package +Patch0: cntlm-override-CFLAGS-CXXFLAGS-makefile.patch +# PATCH-FIX-UPSTREAM cntlm-0.92.3-HTTP-1.1-persistent-connections-with-HTTP-1.0-clients.patch --cntlm doesn't handle correctly +# between HTTP-1.0 and HTTP-1.1 +Patch1: cntlm-0.92.3-HTTP-1.1-persistent-connections-with-HTTP-1.0-clients.patch +%if %suse_version < 1230 +Requires(pre): %insserv_prereq %fillup_prereq +%else +Requires(pre): %fillup_prereq +BuildRequires: pkgconfig(systemd) +%{?systemd_requires} +%endif BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: pwdutils grep +Requires(pre): pwdutils +Requires(pre): grep %description Cntlm is a fast and efficient NTLM proxy, with support for TCP/IP tunneling, @@ -42,23 +53,26 @@ %prep %setup -q -n %{name}-%{version} -%patch -p1 -%patch1 -p1 +%patch0 -p1 +%patch1 -p0 %build -# custom script -./configure -make %{?_smp_mflags} SYSCONFDIR=%{_sysconfdir} \ - BINDIR=%{_sbindir} \ - MANDIR=%{_mandir} +%configure +make %{?_smp_mflags} %install -%makeinstall SYSCONFDIR=%{buildroot}/%{_sysconfdir} \ - BINDIR=%{buildroot}/%{_sbindir} \ - MANDIR=%{buildroot}/%{_mandir} +%makeinstall + +%if %suse_version < 1230 %{__install} -d %{buildroot}/var/run/%{name} %{__install} -D -m 755 %{S:1} %{buildroot}/%{_initrddir}/%{name} %{__ln_s} -f ../..%{_sysconfdir}/init.d/%{name} %{buildroot}/usr/sbin/rc%{name} +%else +# With systemd, use new standard pid directory /run +%{__install} -d %{buildroot}/run/%{name} +%{__install} -D -m 755 %{S:3} %{buildroot}/%{_unitdir}/%{name}.service +%{__install} -D -m 644 %{S:4} %{buildroot}/usr/lib/tmpfiles.d/%{name}.conf +%endif %{__install} -D -m 644 %{S:2} %{buildroot}/var/adm/fillup-templates/sysconfig.%{name} %pre @@ -72,7 +86,11 @@ %preun # on `rpm -e` PARAM is 0 +%if %suse_version < 1230 %stop_on_removal cntlm +%else +%service_del_preun %{name}.service +%endif #if [ "$1" -eq 0 ]; then # %{_sbindir}/userdel %{name} 2>/dev/null #fi @@ -80,21 +98,36 @@ %post # on `rpm -ivh` PARAM is 1 # on `rpm -Uvh` PARAM is 2 +%if %suse_version < 1230 %{fillup_and_insserv cntlm} +%else +%{fillup_only} +%service_add_post %{name}.service +%endif %postun # on `rpm -e` PARAM is 0 +%if %suse_version < 1230 %restart_on_update cntlm %{insserv_cleanup} +%else +%service_del_postun %{name}.service +%endif %files %defattr(-,root,root,-) %doc COPYRIGHT LICENSE README VERSION %config(noreplace) %{_sysconfdir}/%{name}.conf +%if %suse_version < 1230 %config(noreplace) %{_initrddir}/%{name} +%ghost %dir %attr(755,%{name},root) /var/run/%{name} +%else +%config(noreplace) %{_unitdir}/%{name}.service +%{_libexecdir}/tmpfiles.d/%{name}.conf +%ghost %dir %attr(755,%{name},root) /run/%{name} +%endif %{_sbindir}/* %{_mandir}/man1/%{name}.1* -%ghost %dir %attr(755,%{name},root) /var/run/%{name} /var/adm/fillup-templates/sysconfig.%{name} %changelog ++++++ cntlm-0.92.3-HTTP-1.1-persistent-connections-with-HTTP-1.0-clients.patch ++++++ Index: utils.c =================================================================== --- utils.c (revision 305) +++ utils.c (revision 306) @@ -508,6 +508,7 @@ data->body_len = 0; data->empty = 1; data->port = 0; + data->http_version = -1; data->headers = NULL; data->method = NULL; data->url = NULL; @@ -535,6 +536,7 @@ dst->body_len = src->body_len; dst->empty = src->empty; dst->port = src->port; + dst->http_version = src->http_version; if (src->headers) dst->headers = hlist_dup(src->headers); @@ -584,6 +586,7 @@ data->body_len = 0; data->empty = 1; data->port = 0; + data->http_version = -1; if (data->headers) hlist_free(data->headers); if (data->method) free(data->method); @@ -623,6 +626,7 @@ if (data->http) free(data->http); if (data->msg) free(data->msg); if (data->body) free(data->body); + memset(data, 0, sizeof(struct rr_data_s)); free(data); } Index: forward.c =================================================================== --- forward.c (revision 305) +++ forward.c (revision 306) @@ -188,6 +188,7 @@ if (debug) { printf("\nSending PROXY auth request...\n"); + printf("HEAD: %s %s %s\n", auth->method, auth->url, auth->http); hlist_dump(auth->headers); } @@ -316,7 +317,7 @@ * request is NOT freed */ rr_data_t forward_request(void *thread_data, rr_data_t request) { - int i, w, loop, plugin, retry = 0; + int i, loop, plugin, retry = 0; int *rsocket[2], *wsocket[2]; rr_data_t data[2], rc = NULL; hlist_t tl; @@ -368,7 +369,7 @@ sd = proxy_connect(tcreds); if (sd <= 0) { tmp = gen_502_page(request->http, "Parent proxy unreacheable"); - w = write(cd, tmp, strlen(tmp)); + i = write(cd, tmp, strlen(tmp)); free(tmp); rc = (void *)-1; goto bailout; @@ -446,7 +447,9 @@ && strcasecmp(hostname, data[0]->hostname)) { if (debug) printf("\n******* F RETURN: %s *******\n", data[0]->url); - if (authok) + if (authok && data[0]->http_version >= 11 + && (hlist_subcmp(data[0]->headers, "Proxy-Connection", "keep-alive") + || hlist_subcmp(data[0]->headers, "Connection", "keep-alive"))) proxy_alive = 1; rc = dup_rr_data(data[0]); @@ -465,7 +468,7 @@ /* * Modify request headers. * - * Try to request keep-alive for every connection. We keep them in a pool + * Try to request keep-alive for every client supporting HTTP/1.1+. We keep them in a pool * for future reuse. */ if (loop == 0 && data[0]->req) { @@ -474,13 +477,14 @@ */ if (http_parse_basic(data[loop]->headers, "Proxy-Authorization", tcreds) > 0) { if (debug) - printf("NTLM-to-basic: Credentials parsed: %s\\%s at %s\n", tcreds->domain, tcreds->user, tcreds->workstation); + printf("NTLM-to-basic: Credentials parsed: %s\\%s at %s\n", + tcreds->domain, tcreds->user, tcreds->workstation); } else if (ntlmbasic) { if (debug) printf("NTLM-to-basic: Returning client auth request.\n"); tmp = gen_407_page(data[loop]->http); - w = write(cd, tmp, strlen(tmp)); + i = write(cd, tmp, strlen(tmp)); free(tmp); free_rr_data(data[0]); @@ -499,13 +503,14 @@ } /* - * Also remove runaway P-A from the client (e.g. Basic from N-t-B), which might - * cause some ISAs to deny us, even if the connection is already auth'd. + * Force proxy keep-alive if the client can handle it (HTTP >= 1.1) */ - data[0]->headers = hlist_mod(data[0]->headers, "Proxy-Connection", "keep-alive", 1); + if (data[0]->http_version >= 11) + data[0]->headers = hlist_mod(data[0]->headers, "Proxy-Connection", "keep-alive", 1); /* - * Remove all Proxy-Authorization headers from client + * Also remove runaway P-A from the client (e.g. Basic from N-t-B), which might + * cause some ISAs to deny us, even if the connection is already auth'd. */ while (hlist_get(data[loop]->headers, "Proxy-Authorization")) { data[loop]->headers = hlist_del(data[loop]->headers, "Proxy-Authorization"); @@ -623,8 +628,10 @@ if (plugin & PLUG_SENDHEAD) { if (debug) { printf("Sending headers (%d)...\n", *wsocket[loop]); - if (loop == 0) + if (loop == 0) { + printf("HEAD: %s %s %s\n", data[loop]->method, data[loop]->url, data[loop]->http); hlist_dump(data[loop]->headers); + } } /* @@ -672,8 +679,14 @@ * This way, we also tell our caller that proxy keep-alive is impossible. */ if (loop == 1) { - proxy_alive = hlist_subcmp(data[loop]->headers, "Proxy-Connection", "keep-alive"); - if (!proxy_alive) { + proxy_alive = hlist_subcmp(data[1]->headers, "Proxy-Connection", "keep-alive") + && data[0]->http_version >= 11; + if (proxy_alive) { + data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "keep-alive", 1); + data[1]->headers = hlist_mod(data[1]->headers, "Connection", "keep-alive", 1); + } else { + data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "close", 1); + data[1]->headers = hlist_mod(data[1]->headers, "Connection", "close", 1); if (debug) printf("PROXY CLOSING CONNECTION\n"); rc = (void *)-1; Index: utils.h =================================================================== --- utils.h (revision 305) +++ utils.h (revision 306) @@ -89,6 +89,7 @@ int body_len; int empty; int port; + int http_version; char *method; char *url; char *rel_url; Index: http.c =================================================================== --- http.c (revision 305) +++ http.c (revision 306) @@ -84,7 +84,7 @@ */ int headers_recv(int fd, rr_data_t data) { int i, bsize; - int len; + int len, is_http = 0; char *buf; char *tok, *s3 = 0; char *orig = NULL; @@ -108,12 +108,22 @@ orig = strdup(buf); len = strlen(buf); tok = strtok_r(buf, " ", &s3); - if (tok && (!strncasecmp(buf, "HTTP/", 5) || !strncasecmp(tok, "ICY", 3))) { + if (tok && ((is_http = !strncasecmp(tok, "HTTP/", 5)) || !strncasecmp(tok, "ICY", 3))) { data->req = 0; data->empty = 0; data->http = strdup(tok); data->msg = NULL; + /* + * Let's find out the numeric version of the HTTP version: 09, 10, 11. + * Set to -1 if header is misformatted. + */ + if (is_http && (tok = strchr(data->http, '/')) && strlen(tok) >= 4 && isdigit(tok[1]) && isdigit(tok[3])) { + data->http_version = (tok[1] - 0x30) * 10 + (tok[3] - 0x30); + } else { + data->http_version = -1; + } + tok = strtok_r(NULL, " ", &s3); if (tok) { ccode = strdup(tok); @@ -156,6 +166,16 @@ goto bailout; } + /* + * Let's find out the numeric version of the HTTP version: 09, 10, 11. + * Set to -1 if header is misformatted. + */ + if ((tok = strchr(data->http, '/')) && strlen(tok) >= 4 && isdigit(tok[1]) && isdigit(tok[3])) { + data->http_version = (tok[1] - 0x30) * 10 + (tok[3] - 0x30); + } else { + data->http_version = -1; + } + if ((tok = strstr(data->url, "://"))) { tok += 3; } else { @@ -367,7 +387,7 @@ */ int chunked_data_send(int dst, int src) { char *buf; - int bsize; + int bsize, len; int i, w, csize; char *err = NULL; @@ -408,11 +428,14 @@ } while (csize != 0); /* Take care of possible trailer */ + w = len = i = 0; do { i = so_recvln(src, &buf, &bsize); - if (dst >= 0 && i > 0) - w = write(dst, buf, strlen(buf)); - } while (i > 0 && buf[0] != '\r' && buf[0] != '\n'); + if (dst >= 0 && i > 0) { + len = strlen(buf); + w = write(dst, buf, len); + } + } while (w == len && i > 0 && buf[0] != '\r' && buf[0] != '\n'); free(buf); return 1; Index: direct.c =================================================================== --- direct.c (revision 305) +++ direct.c (revision 306) @@ -198,6 +198,8 @@ syslog(LOG_WARNING, "Connection failed for %s:%d (%s)", request->hostname, request->port, strerror(errno)); tmp = gen_502_page(request->http, strerror(errno)); w = write(cd, tmp, strlen(tmp)); + // We don't really care about the result - shut up GCC warning (unused-but-set-variable) + if (!w) w = 1; free(tmp); rc = (void *)-1; @@ -282,10 +284,21 @@ data[0]->url = strdup(data[0]->rel_url); } - data[0]->headers = hlist_mod(data[0]->headers, "Connection", "keep-alive", 1); - data[0]->headers = hlist_del(data[0]->headers, "Proxy-Authorization"); + /* + * Force proxy keep-alive if the client can handle it (HTTP >= 1.1) + */ + if (data[0]->http_version >= 11) + data[0]->headers = hlist_mod(data[0]->headers, "Connection", "keep-alive", 1); /* + * Also remove runaway P-A from the client (e.g. Basic from N-t-B), which might + * cause some ISAs to deny us, even if the connection is already auth'd. + */ + while (hlist_get(data[loop]->headers, "Proxy-Authorization")) { + data[loop]->headers = hlist_del(data[loop]->headers, "Proxy-Authorization"); + } + + /* * Try to get auth from client if present */ if (http_parse_basic(data[0]->headers, "Authorization", tcreds) > 0 && debug) @@ -373,18 +386,25 @@ */ if (loop == 1) { conn_alive = !hlist_subcmp(data[1]->headers, "Connection", "close") - && http_has_body(data[0], data[1]) != -1; + && http_has_body(data[0], data[1]) != -1 + && data[0]->http_version >= 11; if (conn_alive) { data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "keep-alive", 1); data[1]->headers = hlist_mod(data[1]->headers, "Connection", "keep-alive", 1); } else { data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "close", 1); + data[1]->headers = hlist_mod(data[1]->headers, "Connection", "close", 1); rc = (void *)-1; } } - if (debug) + if (debug) { printf("Sending headers (%d)...\n", *wsocket[loop]); + if (loop == 0) { + printf("HEAD: %s %s %s\n", data[loop]->method, data[loop]->url, data[loop]->http); + hlist_dump(data[loop]->headers); + } + } /* * Send headers Index: main.c =================================================================== --- main.c (revision 305) +++ main.c (revision 306) @@ -462,6 +462,8 @@ bs[0] = 5; bs[1] = 0xFF; w = write(cd, bs, 2); + // We don't really care about the result - shut up GCC warning (unused-but-set-variable) + if (!w) w = 1; goto bailout; } else { bs[0] = 5; @@ -1400,6 +1402,8 @@ * If we fail, exit with error. */ if (strlen(cpidfile)) { + int len; + umask(0); cd = open(cpidfile, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (cd < 0) { @@ -1409,7 +1413,11 @@ tmp = new(50); snprintf(tmp, 50, "%d\n", getpid()); - w = write(cd, tmp, strlen(tmp)); + w = write(cd, tmp, (len = strlen(tmp))); + if (w != len) { + syslog(LOG_ERR, "Error writing to the PID file\n"); + myexit(1); + } free(tmp); close(cd); } @@ -1517,6 +1525,8 @@ inet_ntoa(caddr.sin_addr), ntohs(caddr.sin_port)); tmp = gen_denied_page(inet_ntoa(caddr.sin_addr)); w = write(cd, tmp, strlen(tmp)); + // We don't really care about the result - shut up GCC warning (unused-but-set-variable) + if (!w) w = 1; free(tmp); close(cd); continue; Index: scanner.c =================================================================== --- scanner.c (revision 305) +++ scanner.c (revision 306) @@ -153,6 +153,8 @@ tmp = new(MINIBUF_SIZE); snprintf(tmp, MINIBUF_SIZE, "%s 200 OK\r\n", request->http); w = write(cd, tmp, strlen(tmp)); + // We don't really care about the result - shut up GCC warning (unused-but-set-variable) + if (!w) w = 1; free(tmp); } ++++++ cntlm-0.35.1.tar.bz2 -> cntlm-0.92.3.tar.bz2 ++++++ ++++ 10634 lines of diff (skipped) ++++++ cntlm-override-CFLAGS-CXXFLAGS-makefile.patch ++++++ --- a/Makefile +++ b/Makefile @@ -15,10 +15,8 @@ MANDIR=$(DESTDIR)/usr/share/man NAME=cntlm CC=gcc VER=`cat VERSION` -CFLAGS+=$(FLAGS) -std=c99 -Wall -Wno-unused-but-set-variable -pedantic -O3 -D__BSD_VISIBLE -D_ALL_SOURCE -D_XOPEN_SOURCE=600 -D_POSIX_C_SOURCE=200112 -D_ISOC99_SOURCE -D_REENTRANT -D_BSD_SOURCE -DVERSION=\"`cat VERSION`\" -OS=$(shell uname -s) -OSLDFLAGS=$(shell [ $(OS) = "SunOS" ] && echo "-lrt -lsocket -lnsl") -LDFLAGS:=-lpthread $(OSLDFLAGS) +override CFLAGS += -std=c99 -pedantic -D__BSD_VISIBLE -D_ALL_SOURCE -D_XOPEN_SOURCE=600 -D_POSIX_C_SOURCE=200112 -D_ISOC99_SOURCE -D_REENTRANT -D_BSD_SOURCE -DVERSION=\"`cat VERSION`\" +override LDFLAGS += -lpthread ifeq ($(findstring CYGWIN,$(OS)),) OBJS=utils.o ntlm.o xcrypt.o config.o socket.o acl.o auth.o http.o forward.o direct.o scanner.o pages.o main.o @@ -45,16 +43,16 @@ main.o: main.c install: $(NAME) # Special handling for install(1) if [ "`uname -s`" = "AIX" ]; then \ - install -M 755 -S -f $(BINDIR) $(NAME); \ + install -M 755 -f $(BINDIR) $(NAME); \ install -M 644 -f $(MANDIR)/man1 doc/$(NAME).1; \ install -M 600 -c $(SYSCONFDIR) doc/$(NAME).conf; \ elif [ "`uname -s`" = "Darwin" ]; then \ - install -d -m 755 -s $(NAME) $(BINDIR)/$(NAME); \ + install -d -m 755 $(NAME) $(BINDIR)/$(NAME); \ install -d -m 644 doc/$(NAME).1 $(MANDIR)/man1/$(NAME).1; \ [ -f $(SYSCONFDIR)/$(NAME).conf -o -z "$(SYSCONFDIR)" ] \ || install -d -m 600 doc/$(NAME).conf $(SYSCONFDIR)/$(NAME).conf; \ else \ - install -D -m 755 -s $(NAME) $(BINDIR)/$(NAME); \ + install -D -m 755 $(NAME) $(BINDIR)/$(NAME); \ install -D -m 644 doc/$(NAME).1 $(MANDIR)/man1/$(NAME).1; \ [ -f $(SYSCONFDIR)/$(NAME).conf -o -z "$(SYSCONFDIR)" ] \ || install -D -m 600 doc/$(NAME).conf $(SYSCONFDIR)/$(NAME).conf; \ ++++++ cntlm.service ++++++ [Unit] Description=CNTLM HTTP Accelerator For NTLM Secured Proxies Authenticator After=network.target [Service] Type=forking EnvironmentFile=-/etc/sysconfig/cntlmd ExecStart=/usr/sbin/cntlm -c /etc/cntlm.conf -U cntlm -P /run/cntlm/cntlmd.pid [Install] WantedBy=multi-user.target ++++++ cntlm.tmpfiles ++++++ d /run/cntlm 0755 cntlm cntlm -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
