--- cntlm-0.92.3.orig/debian/changelog +++ cntlm-0.92.3/debian/changelog 
@@ -0,0 +1,139 @@ +cntlm (0.92.3-1ubuntu2) bionic; urgency=high + + * No change rebuild to pick up -fPIE compiler default + + -- Balint Reczey Tue, 03 Apr 2018 12:17:15 +0000 + +cntlm (0.92.3-1ubuntu1) quantal; urgency=low + + * Cherry-pick r306 from 0.93 to properly handle non-HTTP/1.1 keep-alive + (LP: #1009436) + + -- Graham Inggs Wed, 01 Aug 2012 23:04:45 +0200 + +cntlm (0.92.3-1) unstable; urgency=low + + * New upstream release. Closes: #652725, #588920. + * Fix Init script error, thanks Martijn. Closes: #588683. + * Correct spellings in man page. + * Update Standards Version, no changes needed. + + -- David Watson Fri, 27 Apr 2012 15:08:17 +0100 + +cntlm (0.35.1-5) unstable; urgency=low + + * Fix lintian errors in debian/copyright + * Update Standards Version, no changes needed. + + -- David Watson Wed, 02 Sep 2009 12:52:32 +0100 + +cntlm (0.35.1-4) unstable; urgency=low + + * Add set -e to prerm script. + * Add vcs fields to control. + * Update Standards Version, no changes needed. + + -- David Watson Fri, 10 Oct 2008 22:00:42 +0100 + +cntlm (0.35.1-3) unstable; urgency=low + + * Added watch file, thanks Kumar Appaiah. Closes: #471173. + + -- David Watson Sat, 22 Mar 2008 01:22:59 +0000 + +cntlm (0.35.1-2) unstable; urgency=low + + * Fix Dependencies. Closes: #459786. + * Updated Standards Version, no changes needed. + * Removed empty directory from package. + * Fixed hyphens in man page. 
+ + -- David Watson Tue, 08 Jan 2008 23:34:29 +0000 + +cntlm (0.35.1-1) unstable; urgency=low + + [ David Kubicek ] + * New upstream release + * Updated init script for non-persistent /var/run/cntlm (Ubuntu) + * Fixed #1835218 + * Support and new test macros for Mac OS + * Automated ./configure && make system with compiler and arch detection + + -- David Watson Fri, 25 Nov 2007 20:27:45 +0000 + +cntlm (0.35-1) unstable; urgency=low + + * New upstream release + * Built-in SOCKS5 proxy service + * Fixed #1806604 - allow NTLM-free (open) proxy + * Fixed #1820540 - Ubuntu /bin/sh (Dash) compatible + * Added __BSD_VISIBLE def for FreeBSD compilation + * Fixed typo which made tunnels unstable! + * Major code refactoring + + -- David Kubicek Fri, 02 Nov 2007 01:21:46 +0100 + +cntlm (0.34.1-1) unstable; urgency=low + + * New upstream release + * Move Homepage field from description + + -- David Watson Tue, 23 Oct 2007 22:02:38 +0100 + +cntlm (0.33-1) unstable; urgency=low + + * New upstream release + + -- David Watson Tue, 31 Jul 2007 00:53:20 +0100 + +cntlm (0.32-1) unstable; urgency=low + + * New upstream relase + * Error message on stderr if start is not successful (was only error return code) + * Updated init scripts not to display possible error message (uses only RC) + * Feature req #1751349 implemented: NTLM-to-basic with multiuser support + - can detect wrong password, allowing multiple tries without browser restart + - builtin "access denied" page + + -- David Kubicek Thu, 12 Jul 2007 16:23:20 +0200 + +cntlm (0.31.1-1) unstable; urgency=low + + * New upstream release + * Full support + fix for chunked encoding (incl. 
extensions and trailers) + + -- David Kubicek Mon, 09 Jul 2007 15:01:43 +0200 + +cntlm (0.31-1) unstable; urgency=low + + * New upstream release + * Important feature added for HTTP/1.1 clients - chunked TE + * Major fix for FTP downloads (some didn't work at all) + + -- David Kubicek Tue, 05 Jun 2007 09:27:09 +0200 + +cntlm (0.30-1) unstable; urgency=low + + * New upstream release + + -- David Kubicek Fri, 08 Jun 2007 20:50:31 +0200 + +cntlm (0.29.1-1) unstable; urgency=low + + * New upstream release + + -- David Kubicek Tue, 05 Jun 2007 09:27:09 +0200 + +cntlm (0.29-1) unstable; urgency=low + + * New upstream version + + -- David Kubicek Fri, 01 Jun 2007 17:41:23 +0200 + +cntlm (0.28.1-1) unstable; urgency=low + + * Initial release + * Makefile adjustments regarding installation directories + + -- David Kubicek Fri, 01 Jun 2007 17:36:34 +0200 + --- cntlm-0.92.3.orig/debian/cntlm.default +++ cntlm-0.92.3/debian/cntlm.default @@ -0,0 +1,3 @@ +# Additional options that are passed to the Daemon. +TIMEOUT=1 +RUNAS=cntlm --- cntlm-0.92.3.orig/debian/cntlm.init +++ cntlm-0.92.3/debian/cntlm.init 
@@ -0,0 +1,93 @@ +#!/bin/sh +# +### BEGIN INIT INFO +# Provides: cntlm +# Required-Start: $remote_fs $syslog $time $network +# Required-Stop: $remote_fs $syslog $time $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Authenticating HTTP accelerator for NTLM secured proxies +# Description: Cntlm is meant to be given your proxy address and becomming +# the primary proxy then, listening on a selected local port. +# You point all your proxy-aware programs to it and don't ever +# have to deal with proxy authentication again. +### END INIT INFO +# +# DAEMON Location of the binary +# PIDFILE Make sure that you or, if used, -U uid can create/write it +# TIMEOUT How long to wait for active connections to finish before +# forcing cntlm to stop with a second signal +# RUNAS Name or number of the non-privileged account to run as +# + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/cntlm +NAME=cntlm +DESC="CNTLM Authentication Proxy" + +# Set default values +PIDFILE=/var/run/cntlm/cntlm.pid +TIMEOUT=1 +RUNAS=cntlm + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions +test -r /etc/default/rcS && . /etc/default/rcS + +# Include custom values if available +if [ -f /etc/default/cntlm ] ; then + . /etc/default/cntlm +fi + +DAEMON_OPTS="$DAEMON_OPTS -U $RUNAS -P $PIDFILE" +PIDDIR=`dirname $PIDFILE 2>/dev/null` + +start() { + echo -n "Starting $DESC: " + + if [ -n "$PIDDIR" -a ! -d "$PIDDIR" ]; then + mkdir -p "$PIDDIR" 2>/dev/null + chown "$RUNAS" "$PIDDIR" 2>/dev/null + chmod 755 "$PIDDIR" 2>/dev/null + fi + + start-stop-daemon --oknodo --quiet --start --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS 2>/dev/null + if [ $? -eq 0 ]; then + echo "$NAME." + else + echo "failed!" + fi +} + +stop() { + echo -n "Stopping $DESC: " + start-stop-daemon --oknodo --quiet --stop --retry -HUP/$TIMEOUT/-HUP/2/forever/-KILL --pidfile $PIDFILE --name $NAME + if [ $? -eq 0 ]; then + echo "$NAME." 
+ else + echo "failed!" + fi +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart|reload|force-reload) + stop + start + ;; + status) + status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|force-reload|status}" >&2 + exit 2 + ;; +esac + +exit 0 --- cntlm-0.92.3.orig/debian/compat +++ cntlm-0.92.3/debian/compat @@ -0,0 +1 @@ +5 --- cntlm-0.92.3.orig/debian/control +++ cntlm-0.92.3/debian/control @@ -0,0 +1,21 @@ +Source: cntlm +Section: net +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: David Watson +Build-Depends: debhelper (>= 5) +Standards-Version: 3.9.3 +Vcs-Git: git://planetwatson.co.uk/cntlm +Vcs-Browser: http://projects.planetwatson.co.uk/repositories/show/cntlm +Homepage: http://cntlm.sourceforge.net/ + +Package: cntlm +Architecture: any +Depends: adduser, ${misc:Depends}, ${shlibs:Depends} +Replaces: ntlmaps +Description: Fast NTLM authentication proxy with tunneling + Cntlm is a fast and efficient NTLM proxy, with support for TCP/IP tunneling, + authenticated connection caching, ACLs, proper daemon logging and behaviour + and much more. It has up to ten times faster responses than similar NTLM + proxies, while using by orders or magnitude less RAM and CPU. Manual page + contains detailed information. --- cntlm-0.92.3.orig/debian/copyright +++ cntlm-0.92.3/debian/copyright 
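Review bot: In stop(), `start-stop-daemon --stop --pidfile $PIDFILE` trusts the contents of a pidfile that start() deliberately makes writable by the unprivileged account (`chown "$RUNAS" "$PIDDIR"`), so a compromised cntlm process could write another PID there and have root deliver the HUP/KILL schedule to it; `--name $NAME` narrows that to processes whose comm is `cntlm`, not to the daemon's own uid. Adding `--user "$RUNAS"` to the stop invocation, `start-stop-daemon --oknodo --quiet --stop --retry -HUP/$TIMEOUT/-HUP/2/forever/-KILL --pidfile $PIDFILE --name $NAME --user "$RUNAS"`, restricts signals to processes running as that account, assuming cntlm's `-U` has already dropped to it when a stop is issued (the daemon side is not in this diff). The same consideration applies to `status_of_proc -p $PIDFILE`. `$PIDFILE` and `$DAEMON_OPTS` are also used unquoted; since they come from root-owned /etc/default/cntlm this is a robustness rather than a security point.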
@@ -0,0 +1,32 @@ +This package was debianized by David Kubicek on +Fri, 01 Jun 2007 10:46:26 +0200. + +The current Debian maintainer is David Watson + +It was downloaded from + +Copyright: + + Copyright (C) 2007 David Kubicek + +License: + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License (version 2) as published +by the Free Software Foundation; either version 2 of the License. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License with +the Debian GNU/Linux distribution in file /usr/share/common-licenses/GPL-2; +if not, write to the Free Software Foundation, Inc., 51 Franklin St, +Fifth Floor, Boston, MA 02110-1301, USA. + +On Debian systems, the complete text of the GNU General Public +License, version 2, can be found in /usr/share/common-licenses/GPL-2. + +The Debian packaging is Copyright (C) 2007, David Kubicek and +is licensed under the GPL, see `/usr/share/common-licenses/GPL-2'. --- cntlm-0.92.3.orig/debian/dirs +++ cntlm-0.92.3/debian/dirs @@ -0,0 +1,2 @@ +usr/sbin +usr/share/lintian/overrides --- cntlm-0.92.3.orig/debian/docs +++ cntlm-0.92.3/debian/docs @@ -0,0 +1 @@ +README --- cntlm-0.92.3.orig/debian/lintian-override +++ cntlm-0.92.3/debian/lintian-override @@ -0,0 +1,2 @@ +# Use a non-standard permission to help protect passwords +cntlm binary: non-standard-file-perm etc/cntlm.conf 0600 != 0644 --- cntlm-0.92.3.orig/debian/postinst +++ cntlm-0.92.3/debian/postinst 
@@ -0,0 +1,33 @@ +#!/bin/sh +# +# Postinst script for cntlm +# + +set -e + +NAME=cntlm +HOME=/var/run/cntlm + +# Create cntlm user and its homedir +if ! getent passwd $NAME >/dev/null; then + adduser --system --home $HOME --shell /bin/sh --disabled-password $NAME +fi + +if ! [ -d $HOME ]; then + mkdir -p $HOME + chmod 755 $HOME + chown -h -R $NAME $HOME +fi + +#DEBHELPER# + +# Automatically added by dh_installinit +if [ -x "/etc/init.d/cntlm" ]; then + update-rc.d cntlm defaults >/dev/null + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + invoke-rc.d cntlm start || exit $? + else + /etc/init.d/cntlm start || exit $? + fi +fi +# End automatically added section --- cntlm-0.92.3.orig/debian/postrm +++ cntlm-0.92.3/debian/postrm @@ -0,0 +1,32 @@ +#!/bin/sh +# +# Postrm script for cntlm +# + +set -e + +NAME=cntlm + +if [ "$1" = "purge" ]; then + #if [ -e /usr/share/debconf/confmodule ]; then + # . /usr/share/debconf/confmodule + # db_purge + #fi + + # Remove SysV initscript + #update-rc.d $NAME remove >/dev/null || true + + # Remove user cntlm + home=`getent passwd $NAME | cut -d : -f 6` + rm -f "$home/$NAME.pid" >/dev/null 2>&1 || true + userdel $NAME || true + rmdir "$home" >/dev/null 2>&1 || true +fi + +#DEBHELPER# + +# Automatically added by dh_installinit +if [ "$1" = "purge" ] ; then + update-rc.d cntlm remove >/dev/null || exit $? +fi +# End automatically added section --- cntlm-0.92.3.orig/debian/prerm +++ cntlm-0.92.3/debian/prerm @@ -0,0 +1,15 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +# Automatically added by dh_installinit +if [ -x "/etc/init.d/cntlm" ]; then + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + invoke-rc.d cntlm stop || exit $? + else + /etc/init.d/cntlm stop || exit $? + fi +fi +# End automatically added section --- cntlm-0.92.3.orig/debian/rules +++ cntlm-0.92.3/debian/rules 
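Review bot: The `adduser --system --home $HOME --shell /bin/sh --disabled-password $NAME` call gives the daemon account an interactive shell it never needs; the account exists only for cntlm's `-U` uid drop, so `--shell /usr/sbin/nologin` (or `/bin/false`) is the least-privilege choice and also blocks `su`/ssh-key logins to it, which `--disabled-password` alone does not. Consider `--group` as well so the daemon's files are not created under `nogroup`, if cntlm's `-U` handles the gid too (cannot be confirmed from this diff). The `mkdir -p`/`chmod 755`/`chown -h -R` sequence runs only when the directory is absent, so the recursive chown touches an empty directory and is harmless.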
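Review bot: Removing the system account on purge (`userdel $NAME || true`) frees a uid that any file still owned by it keeps — the script only deletes `$home/$NAME.pid` and `$home` itself, not logs or anything cntlm wrote elsewhere — and the next system account `adduser` allocates can inherit those files; the usual guidance is to leave (or lock) system users rather than delete them on purge. If removal is kept, note that when `getent` finds no entry `$home` is empty and the `rm -f`/`rmdir` lines operate on `/cntlm.pid` and `""`; a `[ -n "$home" ]` guard in front of them makes the intent explicit, e.g. `if [ -n "$home" ]; then rm -f "$home/$NAME.pid"; rmdir "$home" 2>/dev/null || true; fi`.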
@@ -0,0 +1,82 @@ +#!/usr/bin/make -f +# +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +#export DH_VERBOSE=1 + +CFLAGS = -Wall + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O3 +endif + +configure: configure-stamp +configure-stamp: + dh_testdir + # Add here commands to configure the package. + ./configure + touch configure-stamp + +build: build-arch build-indep +build-arch: build-stamp +build-indep: build-stamp + +build-stamp: configure-stamp + dh_testdir + + # Add here commands to compile the package. + $(MAKE) + + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp + + # Add here commands to clean up after the build process. + [ ! -f Makefile ] || $(MAKE) clean + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/cntlm. + $(MAKE) DESTDIR=$(CURDIR)/debian/cntlm install + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs + dh_install + cp debian/lintian-override debian/cntlm/usr/share/lintian/overrides/cntlm + dh_installdebconf + dh_installinit -n + dh_installman doc/cntlm.1 + dh_link + dh_strip + dh_compress + dh_fixperms -Xcntlm.conf + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure --- cntlm-0.92.3.orig/debian/source/format +++ cntlm-0.92.3/debian/source/format 
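Review bot: `CFLAGS` is assigned at the top of debian/rules but never reaches the build — neither `./configure` nor either `$(MAKE)` invocation receives it — so the `-O3`/`-O0` selection is a no-op and, more importantly, none of the dpkg-buildflags hardening (`-fstack-protector`, `-D_FORTIFY_SOURCE=2`, `-Wl,-z,relro`) is applied to a daemon that parses network input; at debhelper compat 5 nothing injects those flags automatically either, which is presumably why the changelog entry above relies on the compiler's `-fPIE` default. Pulling them in explicitly, `CFLAGS := $(shell dpkg-buildflags --get CPPFLAGS) $(shell dpkg-buildflags --get CFLAGS) -Wall` and `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)`, and passing them as `$(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"`, would fix that — but check how upstream's Makefile composes its CFLAGS first, since a command-line override replaces rather than appends and may drop configure-derived `-D` defines; appending through whatever variable the Makefile reserves for user flags is safer. The unused-variable part is visible in this hunk; what flags the build actually ends up with is inferred.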
@@ -0,0 +1 @@ +1.0 --- cntlm-0.92.3.orig/debian/watch +++ cntlm-0.92.3/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://sf.net/cntlm/cntlm-([\.\d]+)\.tar\.gz --- cntlm-0.92.3.orig/direct.c +++ cntlm-0.92.3/direct.c @@ -282,8 +282,19 @@ data[0]->url = strdup(data[0]->rel_url); } - data[0]->headers = hlist_mod(data[0]->headers, "Connection", "keep-alive", 1); - data[0]->headers = hlist_del(data[0]->headers, "Proxy-Authorization"); + /* + * Force proxy keep-alive if the client can handle it (HTTP >= 1.1) + */ + if (data[0]->http_version >= 11) + data[0]->headers = hlist_mod(data[0]->headers, "Connection", "keep-alive", 1); + + /* + * Also remove runaway P-A from the client (e.g. Basic from N-t-B), which might + * cause some ISAs to deny us, even if the connection is already auth'd. + */ + while (hlist_get(data[loop]->headers, "Proxy-Authorization")) { + data[loop]->headers = hlist_del(data[loop]->headers, "Proxy-Authorization"); + } /* * Try to get auth from client if present @@ -373,18 +384,25 @@ */ if (loop == 1) { conn_alive = !hlist_subcmp(data[1]->headers, "Connection", "close") - && http_has_body(data[0], data[1]) != -1; + && http_has_body(data[0], data[1]) != -1 + && data[0]->http_version >= 11; if (conn_alive) { data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "keep-alive", 1); data[1]->headers = hlist_mod(data[1]->headers, "Connection", "keep-alive", 1); } else { data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "close", 1); + data[1]->headers = hlist_mod(data[1]->headers, "Connection", "close", 1); rc = (void *)-1; } } - if (debug) + if (debug) { printf("Sending headers (%d)...\n", *wsocket[loop]); + if (loop == 0) { + printf("HEAD: %s %s %s\n", data[loop]->method, data[loop]->url, data[loop]->http); + hlist_dump(data[loop]->headers); + } + } /* * Send headers --- cntlm-0.92.3.orig/doc/cntlm.1 +++ cntlm-0.92.3/doc/cntlm.1 
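Review bot: The new header-stripping loop mixes indices: the keep-alive line just above writes `data[0]->headers`, while the Proxy-Authorization removal iterates `data[loop]->headers`; if this runs for `loop == 1` (the enclosing loop starts outside the hunk) it edits the response's list, and if it only ever runs for `loop == 0` the index should say so, `while (hlist_get(data[0]->headers, "Proxy-Authorization"))`. Replacing the single `hlist_del` with a loop is the right call — the removed line dropped only the first occurrence, so a client sending several Proxy-Authorization headers (e.g. Basic from NTLM-to-basic) could still leak them to the origin server on this direct path. A comment stating which side this block runs on would make the index choice reviewable.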
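Review bot: The new debug branch `hlist_dump(data[loop]->headers)` prints every client request header verbatim, so with debugging enabled the log contains `Authorization`, `Cookie` and any other credential the client sends (Proxy-Authorization has been stripped by then on this path, nothing else has); debug output is opt-in but routinely pasted into bug reports, so either redact known credential headers before dumping or mark the line, `/* NOTE: dumps all client headers incl. Authorization/Cookie - debug logs are sensitive */`. The `loop == 1` block now also forces `Connection: close` towards the client whenever it is not HTTP/1.1, which is the safe default for unknown or malformed (`http_version == -1`) versions. The enclosing function continues beyond this hunk.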
@@ -124,7 +124,7 @@ .B -c Configuration file. Command-line options, if used, override its single options or are added at the top of the list for multi options (tunnels, parent proxies, etc) with the exception of ACLs, which are completely -overriden. Use \fI/dev/null\fP to disable any config file. +overridden. Use \fI/dev/null\fP to disable any config file. .TP .B -D IP/mask\ \ \ \ (Deny) @@ -191,7 +191,7 @@ .TP .B -L [:]::\ \ \ \ (Tunnel) Tunnel definition. The syntax is the same as in OpenSSH's local forwarding (\fB-L\fP), with a new optional -prefix, \fIsaddr\fP - the source IP address to bind the \fIlport\fP to. \fBCntlm\fP will listen for incomming +prefix, \fIsaddr\fP - the source IP address to bind the \fIlport\fP to. \fBCntlm\fP will listen for incoming connections on the local port \fIlport\fP, forwarding every new connection through the parent proxy to the \fIrhost\fP:\fIrport\fP (authenticating on the go). This option can be used multiple times for unlimited number of tunnels, with or without the \fIsaddr\fP option. See \fB-g\fP for the details concerning local port --- cntlm-0.92.3.orig/forward.c +++ cntlm-0.92.3/forward.c @@ -446,7 +446,9 @@ && strcasecmp(hostname, data[0]->hostname)) { if (debug) printf("\n******* F RETURN: %s *******\n", data[0]->url); - if (authok) + if (authok && data[0]->http_version >= 11 + && (hlist_subcmp(data[0]->headers, "Proxy-Connection", "keep-alive") + || hlist_subcmp(data[0]->headers, "Connection", "keep-alive"))) proxy_alive = 1; rc = dup_rr_data(data[0]); @@ -465,7 +467,7 @@ /* * Modify request headers. * - * Try to request keep-alive for every connection. We keep them in a pool + * Try to request keep-alive for every client supporting HTTP/1.1+. We keep them in a pool * for future reuse. */ if (loop == 0 && data[0]->req) { 
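Review bot: This keep-alive test is stricter than both the protocol and the rest of the patch: an HTTP/1.1 client that sends no `Connection`/`Proxy-Connection` header at all is persistent by default (RFC 2616 §8.1.2.1), yet here `proxy_alive` stays 0 unless an explicit `keep-alive` token is present, whereas the other hunks key on `data[0]->http_version >= 11` alone. That is conservative (it only costs a parent-proxy reconnect on a host switch), so if intentional a comment would stop the next reader "fixing" it: `/* Be strict: reuse the auth'd parent connection only when the client explicitly asked for keep-alive */`. The `if` sits inside a hostname-mismatch branch that starts outside the hunk, so I could not confirm what state the request headers are in at this point.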
@@ -499,13 +501,14 @@ } /* - * Also remove runaway P-A from the client (e.g. Basic from N-t-B), which might - * cause some ISAs to deny us, even if the connection is already auth'd. + * Force proxy keep-alive if the client can handle it (HTTP >= 1.1) */ - data[0]->headers = hlist_mod(data[0]->headers, "Proxy-Connection", "keep-alive", 1); + if (data[0]->http_version >= 11) + data[0]->headers = hlist_mod(data[0]->headers, "Proxy-Connection", "keep-alive", 1); /* - * Remove all Proxy-Authorization headers from client + * Also remove runaway P-A from the client (e.g. Basic from N-t-B), which might + * cause some ISAs to deny us, even if the connection is already auth'd. */ while (hlist_get(data[loop]->headers, "Proxy-Authorization")) { data[loop]->headers = hlist_del(data[loop]->headers, "Proxy-Authorization"); @@ -672,8 +675,14 @@ * This way, we also tell our caller that proxy keep-alive is impossible. */ if (loop == 1) { - proxy_alive = hlist_subcmp(data[loop]->headers, "Proxy-Connection", "keep-alive"); - if (!proxy_alive) { + proxy_alive = hlist_subcmp(data[1]->headers, "Proxy-Connection", "keep-alive") + && data[0]->http_version >= 11; + if (proxy_alive) { + data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "keep-alive", 1); + data[1]->headers = hlist_mod(data[1]->headers, "Connection", "keep-alive", 1); + } else { + data[1]->headers = hlist_mod(data[1]->headers, "Proxy-Connection", "close", 1); + data[1]->headers = hlist_mod(data[1]->headers, "Connection", "close", 1); if (debug) printf("PROXY CLOSING CONNECTION\n"); rc = (void *)-1; --- cntlm-0.92.3.orig/http.c +++ cntlm-0.92.3/http.c @@ -84,7 +84,7 @@ */ int headers_recv(int fd, rr_data_t data) { int i, bsize; - int len; + int len, is_http = 0; char *buf; char *tok, *s3 = 0; char *orig = NULL; 
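Review bot: The reuse decision in the `loop == 1` block keys only on the parent's `Proxy-Connection: keep-alive` and the client's version; unlike the equivalent code in direct.c, which also requires `!hlist_subcmp(data[1]->headers, "Connection", "close")` and `http_has_body(data[0], data[1]) != -1`, it does not check that the response body has a determinable length, and a response delimited only by connection close cannot be reused without the next request reading the tail of this one. Unless that is guarded elsewhere in the function (its body starts and ends outside the hunk), mirror direct.c: `proxy_alive = hlist_subcmp(data[1]->headers, "Proxy-Connection", "keep-alive") && !hlist_subcmp(data[1]->headers, "Connection", "close") && http_has_body(data[0], data[1]) != -1 && data[0]->http_version >= 11;` — assuming `-1` from `http_has_body` means "read until close" here as it appears to in direct.c.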
@@ -108,12 +108,22 @@ orig = strdup(buf); len = strlen(buf); tok = strtok_r(buf, " ", &s3); - if (tok && (!strncasecmp(buf, "HTTP/", 5) || !strncasecmp(tok, "ICY", 3))) { + if (tok && ((is_http = !strncasecmp(tok, "HTTP/", 5)) || !strncasecmp(tok, "ICY", 3))) { data->req = 0; data->empty = 0; data->http = strdup(tok); data->msg = NULL; + /* + * Let's find out the numeric version of the HTTP version: 09, 10, 11. + * Set to -1 if header is misformatted. + */ + if (is_http && (tok = strchr(data->http, '/')) && strlen(tok) >= 4 && isdigit(tok[1]) && isdigit(tok[3])) { + data->http_version = (tok[1] - 0x30) * 10 + (tok[3] - 0x30); + } else { + data->http_version = -1; + } + tok = strtok_r(NULL, " ", &s3); if (tok) { ccode = strdup(tok); @@ -156,6 +166,16 @@ goto bailout; } + /* + * Let's find out the numeric version of the HTTP version: 09, 10, 11. + * Set to -1 if header is misformatted. + */ + if ((tok = strchr(data->http, '/')) && strlen(tok) >= 4 && isdigit(tok[1]) && isdigit(tok[3])) { + data->http_version = (tok[1] - 0x30) * 10 + (tok[3] - 0x30); + } else { + data->http_version = -1; + } + if ((tok = strstr(data->url, "://"))) { tok += 3; } else { --- cntlm-0.92.3.orig/utils.c +++ cntlm-0.92.3/utils.c @@ -508,6 +508,7 @@ data->body_len = 0; data->empty = 1; data->port = 0; + data->http_version = -1; data->headers = NULL; data->method = NULL; data->url = NULL; @@ -535,6 +536,7 @@ dst->body_len = src->body_len; dst->empty = src->empty; dst->port = src->port; + dst->http_version = src->http_version; if (src->headers) dst->headers = hlist_dup(src->headers); @@ -584,6 +586,7 @@ data->body_len = 0; data->empty = 1; data->port = 0; + data->http_version = -1; if (data->headers) hlist_free(data->headers); if (data->method) free(data->method); @@ -623,6 +626,7 @@ if (data->http) free(data->http); if (data->msg) free(data->msg); if (data->body) free(data->body); + memset(data, 0, sizeof(struct rr_data_s)); free(data); } --- cntlm-0.92.3.orig/utils.h +++ cntlm-0.92.3/utils.h 
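Review bot: `isdigit(tok[1])` and `isdigit(tok[3])` are fed plain `char` taken from the network; a byte ≥ 0x80 is negative where `char` is signed, and passing a negative value other than EOF to a `<ctype.h>` function is undefined behaviour (CERT STR37-C). Cast first, `isdigit((unsigned char)tok[1]) && isdigit((unsigned char)tok[3])`, and also require `tok[2] == '.'`, since the current test accepts e.g. `HTTP/1x1` as version 11 and then treats the peer as keep-alive capable. The parse is duplicated verbatim in the request-side hunk below; a small static helper would keep the two in sync.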
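Review bot: On the request side `strchr(data->http, '/')` is reached without checking that `data->http` is non-NULL; the code that assigns it from the request line is above this hunk, so if a version-less (HTTP/0.9-style) request line leaves it NULL, any client that can reach the listening port can crash the proxy with a bare `GET /`. Guarding it and folding both copies of the parse into one helper (with the `(unsigned char)` cast for `isdigit` and a `tok[2] == '.'` check) removes the duplication at the same time; `headers_recv` continues outside the hunk.
```c
/*
 * Parse "HTTP/x.y" into x*10+y (09, 10, 11); -1 when http is NULL or malformed.
 */
static int http_version_of(const char *http) {
	const char *v;

	if (!http || !(v = strchr(http, '/')) || strlen(v) < 4)
		return -1;
	if (!isdigit((unsigned char)v[1]) || v[2] != '.' || !isdigit((unsigned char)v[3]))
		return -1;

	return (v[1] - '0') * 10 + (v[3] - '0');
}

/* … unchanged: headers_recv() up to the request-line parse … */
	data->http_version = http_version_of(data->http);
```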
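Review bot: The `memset(data, 0, sizeof(struct rr_data_s))` added right before `free(data)` is a dead store the compiler may drop, and even when kept it only zeroes the struct of pointers — the header list, URL and body it pointed to were freed, not wiped, on the lines above — so it neither scrubs credentials (Proxy-Authorization values live in the `headers` list) nor reliably catches use-after-free, since a caller still holding `data` sees freed memory either way. If the intent is scrubbing, zero the sensitive buffers before their own `free` with a routine that cannot be elided, such as `explicit_bzero`; if it is a debugging aid, say so, e.g. `/* poison the struct; best-effort only, the compiler may elide this */`, so nobody relies on it. The enclosing free routine starts outside the hunk.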
@@ -89,6 +89,7 @@
 int body_len;
 int empty;
 int port;
+ int http_version;
 char *method;
 char *url;
 char *rel_url;