diff -ruN squid-2.6.STABLE17/ChangeLog squid-2.6.STABLE18/ChangeLog
--- squid-2.6.STABLE17/ChangeLog	2007-11-26 14:36:10.000000000 +0100
+++ squid-2.6.STABLE18/ChangeLog	2008-01-10 13:30:57.000000000 +0100
@@ -1,3 +1,13 @@
+Changes to squid-2.6.STABLE18 (10 Jan 2008)
+
+	- Fix 2 assertion failures related to the fix for SQUID-2007:2
+	- GPL license cleanup to GPLv2 or later. One file in edir_digest_auth
+	  was GPLv2 only, now replaced with a GPLv2 or later licensed vesion.
+	- Minor cleanups to make certain 64-bit platforms happier
+	- Several Digest authentication bugs fixed wich was causing random
+	  authenitcation popups or failures.
+	- --with-valgrind-debug updated for valgrind-3.3.0.
+
 Changes to squid-2.6.STABLE17 (26 Nov 2007)
 
 	- Fix compile error with old GCC 2.x or other ANSI-C compilers before
diff -ruN squid-2.6.STABLE17/configure squid-2.6.STABLE18/configure
--- squid-2.6.STABLE17/configure	2007-11-26 14:39:31.000000000 +0100
+++ squid-2.6.STABLE18/configure	2008-01-10 13:34:23.000000000 +0100
@@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.in Revision: 1.416.2.22 .
+# From configure.in Revision: 1.416.2.24 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for Squid Web Proxy 2.6.STABLE17.
+# Generated by GNU Autoconf 2.61 for Squid Web Proxy 2.6.STABLE18.
 #
 # Report bugs to <http://www.squid-cache.org/bugs/>.
 #
@@ -575,8 +575,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='2.6.STABLE17'
-PACKAGE_STRING='Squid Web Proxy 2.6.STABLE17'
+PACKAGE_VERSION='2.6.STABLE18'
+PACKAGE_STRING='Squid Web Proxy 2.6.STABLE18'
 PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
 
 ac_default_prefix=/usr/local/squid
@@ -1314,7 +1314,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 2.6.STABLE17 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 2.6.STABLE18 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1384,7 +1384,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE17:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE18:";;
    esac
   cat <<\_ACEOF
 
@@ -1662,7 +1662,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 2.6.STABLE17
+Squid Web Proxy configure 2.6.STABLE18
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1676,7 +1676,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 2.6.STABLE17, which was
+It was created by Squid Web Proxy $as_me 2.6.STABLE18, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2349,7 +2349,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='2.6.STABLE17'
+ VERSION='2.6.STABLE18'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -27276,7 +27276,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 2.6.STABLE17, which was
+This file was extended by Squid Web Proxy $as_me 2.6.STABLE18, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -27329,7 +27329,7 @@
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-Squid Web Proxy config.status 2.6.STABLE17
+Squid Web Proxy config.status 2.6.STABLE18
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
diff -ruN squid-2.6.STABLE17/configure.in squid-2.6.STABLE18/configure.in
--- squid-2.6.STABLE17/configure.in	2007-11-26 14:39:31.000000000 +0100
+++ squid-2.6.STABLE18/configure.in	2008-01-10 13:34:23.000000000 +0100
@@ -1,16 +1,16 @@
 dnl
 dnl  Configuration input file for Squid
 dnl
-dnl  $Id: configure.in,v 1.416.2.22 2007/11/26 13:34:35 hno Exp $
+dnl  $Id: configure.in,v 1.416.2.24 2008/01/10 12:30:57 hno Exp $
 dnl
 dnl
 dnl
-AC_INIT(Squid Web Proxy, 2.6.STABLE17, http://www.squid-cache.org/bugs/, squid)
+AC_INIT(Squid Web Proxy, 2.6.STABLE18, http://www.squid-cache.org/bugs/, squid)
 AC_PREREQ(2.52)
 AM_CONFIG_HEADER(include/autoconf.h)
 AC_CONFIG_AUX_DIR(cfgaux)
 AM_INIT_AUTOMAKE
-AC_REVISION($Revision: 1.416.2.22 $)dnl
+AC_REVISION($Revision: 1.416.2.24 $)dnl
 AC_PREFIX_DEFAULT(/usr/local/squid)
 AM_MAINTAINER_MODE
 
diff -ruN squid-2.6.STABLE17/COPYRIGHT squid-2.6.STABLE18/COPYRIGHT
--- squid-2.6.STABLE17/COPYRIGHT	2001-01-12 01:37:09.000000000 +0100
+++ squid-2.6.STABLE18/COPYRIGHT	2008-01-02 17:20:20.000000000 +0100
@@ -22,4 +22,4 @@
 			Suite 330
 			Boston, MA 02111, USA
 
-Or contact info@ircache.net
+Or contact info@squid-cache.org
diff -ruN squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.c squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.c
--- squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.c	2007-08-31 16:16:18.000000000 +0200
+++ squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.c	2008-01-02 17:29:22.000000000 +0100
@@ -1,27 +1,31 @@
 /* 
- * Copyright (C) 2002-2004 Novell, Inc.
+ * NDS LDAP helper functions
+ * Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the
+ * limited functionality needed to access the plain text password only
  *
- * edir_ldapext.c  LDAP extension for reading eDirectory universal password
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of version 2 of the GNU General Public License as published
- * by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, contact Novell, Inc.
+ * Original copyright & license follows:
  *
- * To contact Novell about this file by physical or electronic mail, you may
- * find current contact  information at www.novell.com.
- */ 
+ * Copyright (C) Vince Brimhall			2004-2005
+ *   
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ * 
+*/
 
 #include "digest_common.h"
 
-#ifdef _SQUID_MSWIN_		/* Native Windows port and MinGW */
+#ifdef _SQUID_MSWIN_            /* Native Windows port and MinGW */
 
 #define snprintf _snprintf
 #include <windows.h>
@@ -43,63 +47,45 @@
 #include <ldap.h>
 
 #endif
+#include <wchar.h>
 
 #include "edir_ldapext.h"
 
-/* NMAS error codes */
-#define NMAS_E_BASE                       (-1600)
+#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST	"2.16.840.1.113719.1.39.42.100.3"
+#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE	"2.16.840.1.113719.1.39.42.100.4"
+#define NMASLDAP_SET_PASSWORD_REQUEST		"2.16.840.1.113719.1.39.42.100.11"
+#define NMASLDAP_SET_PASSWORD_RESPONSE		"2.16.840.1.113719.1.39.42.100.12"
+#define NMASLDAP_GET_PASSWORD_REQUEST		"2.16.840.1.113719.1.39.42.100.13"
+#define NMASLDAP_GET_PASSWORD_RESPONSE		"2.16.840.1.113719.1.39.42.100.14"
+
+#define NMAS_LDAP_EXT_VERSION				1
+
+#define SMB_MALLOC_ARRAY(type, nelem)		calloc(sizeof(type), nelem)
+#define DEBUG(level, args)
+
+/**********************************************************************
+ Take the request BER value and input data items and BER encodes the
+ data into the BER value
+**********************************************************************/
 
-#define NMAS_SUCCESS                      0
-#define NMAS_E_SUCCESS                    NMAS_SUCCESS         /* Alias  */
-#define NMAS_OK                           NMAS_SUCCESS         /* Alias  */
-
-#define NMAS_E_FRAG_FAILURE               (NMAS_E_BASE-31)     /* -1631 0xFFFFF9A1 */
-#define NMAS_E_BUFFER_OVERFLOW            (NMAS_E_BASE-33)     /* -1633 0xFFFFF99F */
-#define NMAS_E_SYSTEM_RESOURCES           (NMAS_E_BASE-34)     /* -1634 0xFFFFF99E */
-#define NMAS_E_INSUFFICIENT_MEMORY        (NMAS_E_BASE-35)     /* -1635 0xFFFFF99D */
-#define NMAS_E_NOT_SUPPORTED              (NMAS_E_BASE-36)     /* -1636 0xFFFFF99C */
-#define NMAS_E_INVALID_PARAMETER          (NMAS_E_BASE-43)     /* -1643 0xFFFFF995 */
-#define NMAS_E_INVALID_VERSION            (NMAS_E_BASE-52)     /* -1652 0xFFFFF98C */
-
-/* OID of LDAP extenstion calls to read Universal Password */
-#define NMASLDAP_GET_PASSWORD_REQUEST         "2.16.840.1.113719.1.39.42.100.13"
-#define NMASLDAP_GET_PASSWORD_RESPONSE        "2.16.840.1.113719.1.39.42.100.14"
-
-#define NMAS_LDAP_EXT_VERSION 1
-
-
-
-/* ------------------------------------------------------------------------
- *	berEncodePasswordData
- *	==============================
- *	RequestBer contents:
- *		clientVersion				INTEGER
- *		targetObjectDN				OCTET STRING
- *		password1					OCTET STRING
- *		password2					OCTET STRING
- *
- *	Description:
- *		This function takes the request BER value and input data items
- *		and BER encodes the data into the BER value
- *
- * ------------------------------------------------------------------------ */
-int berEncodePasswordData(
+static int berEncodePasswordData(
 	struct berval **requestBV,
-	char    *objectDN,
-	char    *password,
-	char    *password2)
+	const char    *objectDN,
+	const char    *password,
+	const char    *password2)
 {
 	int err = 0, rc=0;
 	BerElement *requestBer = NULL;
 
-	char    * utf8ObjPtr = NULL;
+	const char    * utf8ObjPtr = NULL;
 	int     utf8ObjSize = 0;
-	char    * utf8PwdPtr = NULL;
+	const char    * utf8PwdPtr = NULL;
 	int     utf8PwdSize = 0;
-	char    * utf8Pwd2Ptr = NULL;
+	const char    * utf8Pwd2Ptr = NULL;
 	int     utf8Pwd2Size = 0;
 
 
+	/* Convert objectDN and tag strings from Unicode to UTF-8 */
 	utf8ObjSize = strlen(objectDN)+1;
 	utf8ObjPtr = objectDN;
 
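Review bot: The added comment `/* Convert objectDN and tag strings from Unicode to UTF-8 */` describes a conversion the following lines do not perform: `utf8ObjPtr = objectDN` uses the caller's string unchanged, and berEncodePasswordData has no tag parameter. A comment such as `/* objectDN is passed through as-is; the size includes the terminating NUL */` would match the code. `SMB_MALLOC_ARRAY` also hands `calloc` its arguments as (size, count) and leaves `nelem` unparenthesised; `calloc((nelem), sizeof(type))` is the conventional form. berEncodePasswordData continues past the end of this hunk.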
@@ -115,10 +101,10 @@
 		utf8Pwd2Ptr = password2;
 	}
 
-	/* Allocate a BerElement for the request parameters.*/
+	/* Allocate a BerElement for the request parameters. */
 	if((requestBer = ber_alloc()) == NULL)
 	{
-		err = NMAS_E_FRAG_FAILURE;
+		err = LDAP_ENCODING_ERROR;
 		goto Cleanup;
 	}
 
@@ -140,7 +126,7 @@
 
 	if (rc < 0)
 	{
-		err = NMAS_E_FRAG_FAILURE;
+		err = LDAP_ENCODING_ERROR;
 		goto Cleanup;
 	}
 	else
@@ -148,12 +134,10 @@
 		err = 0;
 	}
 
-	/* 
-	 * Convert the BER we just built to a berval that we'll send with the extended request. 
-	 */
+	/* Convert the BER we just built to a berval that we'll send with the extended request. */
 	if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
 	{
-		err = NMAS_E_FRAG_FAILURE;
+		err = LDAP_ENCODING_ERROR;
 		goto Cleanup;
 	}
 
@@ -165,50 +149,133 @@
 	}
 
 	return err;
-} /* End of berEncodePasswordData */
+}
 
-/* ------------------------------------------------------------------------
- *	berDecodeLoginData()
- *	==============================
- *	ResponseBer contents:
- *		serverVersion				INTEGER
- *		error       				INTEGER
- *		data						OCTET STRING
- *
- *	Description:
- *		This function takes the reply BER Value and decodes the
- *		NMAS server version and return code and if a non null retData
- *		buffer was supplied, tries to decode the the return data and length
- *
- * ------------------------------------------------------------------------ */
-int berDecodeLoginData(
+/**********************************************************************
+ Take the request BER value and input data items and BER encodes the
+ data into the BER value
+**********************************************************************/
+
+static int berEncodeLoginData(
+	struct berval **requestBV,
+	char     *objectDN,
+	unsigned int  methodIDLen,
+	unsigned int *methodID,
+	char     *tag,
+	size_t   putDataLen,
+	void     *putData)
+{
+	int err = 0;
+	BerElement *requestBer = NULL;
+
+	unsigned int i;
+	unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
+
+	char	*utf8ObjPtr=NULL;
+	int     utf8ObjSize = 0;
+
+	char    *utf8TagPtr = NULL;
+	int     utf8TagSize = 0;
+
+	utf8ObjPtr = objectDN;
+	utf8ObjSize = strlen(utf8ObjPtr)+1;
+
+	utf8TagPtr = tag;
+	utf8TagSize = strlen(utf8TagPtr)+1;
+
+	/* Allocate a BerElement for the request parameters. */
+	if((requestBer = ber_alloc()) == NULL)
+	{
+		err = LDAP_ENCODING_ERROR;
+		goto Cleanup;
+	}
+
+	/* BER encode the NMAS Version and the objectDN */
+	err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0;
+
+	/* BER encode the MethodID Length and value */
+	if (!err)
+	{
+		err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0;
+	}
+
+	for (i = 0; !err && i < elemCnt; i++)
+	{
+		err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0;
+	}
+
+	if (!err)
+	{
+		err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0;
+	}
+
+	if(putData)
+	{
+		/* BER Encode the the tag and data */
+		err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;
+	}
+	else
+	{
+		/* BER Encode the the tag */
+		err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0;
+	}
+
+	if (err)
+	{
+		goto Cleanup;
+	}
+
+	/* Convert the BER we just built to a berval that we'll send with the extended request. */
+	if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
+	{
+		err = LDAP_ENCODING_ERROR;
+		goto Cleanup;
+	}
+
+Cleanup:
+
+	if(requestBer)
+	{
+		ber_free(requestBer, 1);
+	}
+
+	return err;
+}
+
+/**********************************************************************
+ Takes the reply BER Value and decodes the NMAS server version and
+ return code and if a non null retData buffer was supplied, tries to
+ decode the the return data and length
+**********************************************************************/
+
+static int berDecodeLoginData(
 	struct berval *replyBV,
 	int      *serverVersion,
 	size_t   *retDataLen,
 	void     *retData )
 {
-	int rc=0, err = 0;
+	int err = 0;
 	BerElement *replyBer = NULL;
 	char    *retOctStr = NULL;
 	size_t  retOctStrLen = 0;
 
 	if((replyBer = ber_init(replyBV)) == NULL)
 	{
-		err = NMAS_E_SYSTEM_RESOURCES;
+		err = LDAP_OPERATIONS_ERROR;
 		goto Cleanup;
 	}
 
 	if(retData)
 	{
 		retOctStrLen = *retDataLen + 1;
-		retOctStr = (char *)malloc(retOctStrLen);
+		retOctStr = SMB_MALLOC_ARRAY(char, retOctStrLen);
 		if(!retOctStr)
 		{
-			err = NMAS_E_SYSTEM_RESOURCES;
+			err = LDAP_OPERATIONS_ERROR;
 			goto Cleanup;
 		}
-
-		if( (rc = ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen)) != -1)
+	
+		if(ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != -1)
 		{
 			if (*retDataLen >= retOctStrLen)
 			{
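Review bot: In berEncodeLoginData the `if(putData)` / `else` pair assigns `err` unconditionally, so a failure recorded by the earlier `ber_printf` calls (version and DN, the method-ID list, the closing `}}`) is overwritten by the result of the tag encoding. The function can then go on to `ber_flatten` a partially built request and return success. Adding `if (err) goto Cleanup;` immediately before `if(putData)` keeps the first failure. The function also calls `strlen` on `objectDN` and `tag` with no NULL check, so a one-line comment stating that callers must pass non-NULL strings would help. berDecodeLoginData, at the end of the hunk, continues outside it.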
@@ -216,23 +283,23 @@
 			}
 			else if (!err)
 			{	
-				err = NMAS_E_BUFFER_OVERFLOW;
+				err = LDAP_NO_MEMORY;
 			}
 
 			*retDataLen = retOctStrLen;
 		}
 		else if (!err)
 		{
-			err = NMAS_E_FRAG_FAILURE;
+			err = LDAP_DECODING_ERROR;
 		}
 	}
 	else
 	{
-		if( (rc = ber_scanf(replyBer, "{ii}", serverVersion, &err)) == -1)
+		if(ber_scanf(replyBer, "{ii}", serverVersion, &err) == -1)
 		{
 			if (!err)
 			{
-				err = NMAS_E_FRAG_FAILURE;
+				err = LDAP_DECODING_ERROR;
 			}
 		}
 	}
@@ -251,23 +318,180 @@
 	}
 
 	return err;
-} /* End of berDecodeLoginData */
+}
 
-/* -----------------------------------------------------------------------
- *	nmasldap_get_password()
- *	==============================
- *
- *	Description:
- *		This API attempts to get the universal password
- *
- * ------------------------------------------------------------------------ */
-int nmasldap_get_password(
+/**********************************************************************
+ Retrieves data in the login configuration of the specified object
+ that is tagged with the specified methodID and tag.
+**********************************************************************/
+
+static int getLoginConfig(
 	LDAP	 *ld,
 	char     *objectDN,
-	size_t   *pwdSize,	// in bytes
+	unsigned int  methodIDLen,
+	unsigned int *methodID,
+	char     *tag,
+	size_t   *dataLen,
+	void     *data )
+{
+	int     err = 0;
+	struct  berval *requestBV = NULL;
+	char    *replyOID = NULL;
+	struct  berval *replyBV = NULL;
+	int     serverVersion = 0;
+
+	/* Validate unicode parameters. */
+	if((strlen(objectDN) == 0) || ld == NULL)
+	{
+		return LDAP_NO_SUCH_ATTRIBUTE;
+	}
+
+	err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
+	if(err)
+	{
+		goto Cleanup;
+	}
+
+	/* Call the ldap_extended_operation (synchronously) */
+	if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
+					requestBV, NULL, NULL, &replyOID, &replyBV)))
+	{
+		goto Cleanup;
+	}
+
+	/* Make sure there is a return OID */
+	if(!replyOID)
+	{
+		err = LDAP_NOT_SUPPORTED;
+		goto Cleanup;
+	}
+
+	/* Is this what we were expecting to get back. */
+	if(strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE))
+	{
+		err = LDAP_NOT_SUPPORTED;
+		goto Cleanup;
+	}
+
+	/* Do we have a good returned berval? */
+	if(!replyBV)
+	{
+		/* No; returned berval means we experienced a rather drastic error. */
+		/* Return operations error. */
+		err = LDAP_OPERATIONS_ERROR;
+		goto Cleanup;
+	}
+
+	err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
+
+	if(serverVersion != NMAS_LDAP_EXT_VERSION)
+	{
+		err = LDAP_OPERATIONS_ERROR;
+		goto Cleanup;
+	}
+
+Cleanup:
+
+	if(replyBV)
+	{
+		ber_bvfree(replyBV);
+	}
+
+	/* Free the return OID string if one was returned. */
+	if(replyOID)
+	{
+		ldap_memfree(replyOID);
+	}
+
+	/* Free memory allocated while building the request ber and berval. */
+	if(requestBV)
+	{
+		ber_bvfree(requestBV);
+	}
+
+	/* Return the appropriate error/success code. */
+	return err;
+}
+
+/**********************************************************************
+ Attempts to get the Simple Password
+**********************************************************************/
+
+static int nmasldap_get_simple_pwd(
+	LDAP	 *ld,
+	char     *objectDN,
+	size_t	 pwdLen,
 	char     *pwd )
 {
 	int err = 0;
+	unsigned int methodID = 0;
+	unsigned int methodIDLen = sizeof(methodID);
+	char    tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
+	char    *pwdBuf=NULL;
+	size_t  pwdBufLen, bufferLen;
+
+	bufferLen = pwdBufLen = pwdLen+2;
+	pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen); /* digest and null */
+	if(pwdBuf == NULL)
+	{
+		return LDAP_NO_MEMORY;
+	}
+
+	err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
+	if (err == 0)
+	{
+		if (pwdBufLen !=0)
+		{
+			pwdBuf[pwdBufLen] = 0;       /* null terminate */
+
+			switch (pwdBuf[0])
+			{
+				case 1:  /* cleartext password  */
+					break;
+				case 2:  /* SHA1 HASH */
+				case 3:  /* MD5_ID */
+				case 4:  /* UNIXCrypt_ID */
+				case 8:  /* SSHA_ID */
+				default: /* Unknown digest */
+					err = LDAP_INAPPROPRIATE_AUTH;  /* only return clear text */
+					break;
+			}
+
+			if (!err)
+			{
+				if (pwdLen >= pwdBufLen-1)
+				{
+					memcpy(pwd, &pwdBuf[1], pwdBufLen-1);  /* skip digest tag and include null */
+				}
+				else
+				{
+					err = LDAP_NO_MEMORY;
+				}
+			}
+		}
+	}
+
+	if (pwdBuf != NULL)
+	{
+		memset(pwdBuf, 0, bufferLen);
+		free(pwdBuf);
+	}
+
+	return err;
+}
+
+
+/**********************************************************************
+ Attempts to get the Universal Password
+**********************************************************************/
+
+static int nmasldap_get_password(
+	LDAP	 *ld,
+	char     *objectDN,
+	size_t   *pwdSize,	/* in bytes */
+	unsigned char     *pwd )
+{
+	int err = 0;
 
 	struct berval *requestBV = NULL;
 	char *replyOID = NULL;
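Review bot: In nmasldap_get_simple_pwd, `pwdBuf[pwdBufLen] = 0;` indexes with the length written back through `&pwdBufLen`, while `pwdBuf` was allocated with exactly the starting value `pwdLen+2`. If berDecodeLoginData can report a length equal to the capacity it was given, the terminator lands one byte past the allocation; this is inferred from its `if (*retDataLen >= retOctStrLen)` test, since the copy path is not visible. That length comes from the directory server's reply, so bound it first, e.g. `if (pwdBufLen >= bufferLen) err = LDAP_NO_MEMORY; else pwdBuf[pwdBufLen] = 0;`. Separately, getLoginConfig calls `strlen(objectDN)` before any NULL test, unlike the `objectDN == NULL ||` guard in nmasldap_get_password. nmasldap_get_password's body continues past the end of this hunk.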
@@ -276,27 +500,19 @@
 	char *pwdBuf;
 	size_t pwdBufLen, bufferLen;
 
-#ifdef	NOT_N_PLAT_NLM
-	int currentThreadGroupID;
-#endif
-
-	/* Validate char    parameters. */
+	/* Validate char parameters. */
 	if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL)
 	{
-		return NMAS_E_INVALID_PARAMETER;
+		return LDAP_NO_SUCH_ATTRIBUTE;
 	}
 
 	bufferLen = pwdBufLen = *pwdSize;
-	pwdBuf = (char *)malloc(pwdBufLen+2);
+	pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen+2);
 	if(pwdBuf == NULL)
 	{
-		return NMAS_E_INSUFFICIENT_MEMORY;
+		return LDAP_NO_MEMORY;
 	}
 
-#ifdef	NOT_N_PLAT_NLM
-	currentThreadGroupID = SetThreadGroupID(nmasLDAPThreadGroupID);
-#endif
-
 	err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
 	if(err)
 	{
@@ -312,25 +528,23 @@
 	/* Make sure there is a return OID */
 	if(!replyOID)
 	{
-		err = NMAS_E_NOT_SUPPORTED;
+		err = LDAP_NOT_SUPPORTED;
 		goto Cleanup;
 	}
 
 	/* Is this what we were expecting to get back. */
 	if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE))
 	{
-		err = NMAS_E_NOT_SUPPORTED;
+		err = LDAP_NOT_SUPPORTED;
 		goto Cleanup;
 	}
 
 	/* Do we have a good returned berval? */
 	if(!replyBV)
 	{
-		/* 
-		 * No; returned berval means we experienced a rather drastic error.
-		 * Return operations error.
-		 */
-		err = NMAS_E_SYSTEM_RESOURCES;
+		/* No; returned berval means we experienced a rather drastic error. */
+		/* Return operations error. */
+		err = LDAP_OPERATIONS_ERROR;
 		goto Cleanup;
 	}
 
@@ -338,7 +552,7 @@
 
 	if(serverVersion != NMAS_LDAP_EXT_VERSION)
 	{
-		err = NMAS_E_INVALID_VERSION;
+		err = LDAP_OPERATIONS_ERROR;
 		goto Cleanup;
 	}
 
@@ -377,10 +591,47 @@
 		free(pwdBuf);
 	}
 
-#ifdef	NOT_N_PLAT_NLM
-	SetThreadGroupID(currentThreadGroupID);
-#endif
-
 	/* Return the appropriate error/success code. */
 	return err;
-} /* end of nmasldap_get_password */
+}
+
+/**********************************************************************
+ Get the user's password from NDS.
+ *********************************************************************/
+
+int nds_get_password(
+	LDAP *ld,
+	char *object_dn,
+	size_t *pwd_len,
+	char *pwd )
+{
+	int rc = -1;
+
+	rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
+	if (rc == LDAP_SUCCESS) {
+#ifdef DEBUG_PASSWORD
+		DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
+#endif    
+		DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
+	} else {
+		DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
+	}
+
+	if (rc != LDAP_SUCCESS) {
+		rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
+		if (rc == LDAP_SUCCESS) {
+#ifdef DEBUG_PASSWORD
+			DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
+#endif    
+			DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
+		} else {
+			/* We couldn't get the password */
+			DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
+			return LDAP_INVALID_CREDENTIALS;
+		}
+	}
+
+	/* We got the password */
+	return LDAP_SUCCESS;
+}
+
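Review bot: nds_get_password passes `*pwd_len` to nmasldap_get_simple_pwd as the capacity of `pwd` after nmasldap_get_password has already received `pwd_len` as an in/out pointer, so the fallback trusts whatever the first call left there. Whether a failed first call can change it is decided by code outside this hunk. Capturing the capacity once with `size_t pwd_cap = *pwd_len;` and passing `pwd_cap` to the fallback removes that dependency. The fallback also dereferences `pwd_len` even though nmasldap_get_password rejects a NULL `pwdSize`, so a guard such as `if (pwd_len == NULL || pwd == NULL) return LDAP_INVALID_CREDENTIALS;` at the top is worth adding. The two `DEBUG_PASSWORD` lines would log the cleartext password if `DEBUG` ever gets a real definition, which deserves a comment; the first lines of the hunk belong to nmasldap_get_password, which starts outside it.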
diff -ruN squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.h squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.h
--- squid-2.6.STABLE17/helpers/digest_auth/eDirectory/edir_ldapext.h	2007-08-31 16:16:18.000000000 +0200
+++ squid-2.6.STABLE18/helpers/digest_auth/eDirectory/edir_ldapext.h	2008-01-02 17:29:22.000000000 +0100
@@ -1,14 +1 @@
-/*
- * edir_ldapext.h
- *
- * AUTHOR: Guy Antony Halse <g.halse@ru.ac.za>
- *
- * stubs for FreeRadius's edir_ldapext.h
- *
- */
-#define UNIVERSAL_PASS_LEN    256
-#define NMAS_SUCCESS          0
-
-extern int berEncodePasswordData(struct berval **requestBV, char *objectDN, char *password, char *password2);
-extern int berDecodeLoginData(struct berval *replyBV, int *serverVersion, size_t *retDataLen, void *retData);
-extern int nmasldap_get_password(LDAP *ld, char *objectDN, size_t *pwdSize, char *pwd);
+int nds_get_password(LDAP *ld, char *object_dn, size_t * pwd_len, char *pwd);
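Review bot: The rewritten header removes `UNIVERSAL_PASS_LEN` with no replacement, which is why the caller in ldap_backend.c now sizes the password buffer with a bare `256`. The remaining prototype has no comment describing how `pwd` and `*pwd_len` relate. Keeping `#define UNIVERSAL_PASS_LEN 256` here and adding a comment above the prototype, such as `/* pwd must hold at least *pwd_len bytes; returns LDAP_SUCCESS or LDAP_INVALID_CREDENTIALS */`, would put the buffer contract next to the declaration. The header also has no include guard and relies on the includer having pulled in the LDAP headers for `LDAP` first.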
diff -ruN squid-2.6.STABLE17/helpers/digest_auth/eDirectory/ldap_backend.c squid-2.6.STABLE18/helpers/digest_auth/eDirectory/ldap_backend.c
--- squid-2.6.STABLE17/helpers/digest_auth/eDirectory/ldap_backend.c	2007-08-31 16:16:18.000000000 +0200
+++ squid-2.6.STABLE18/helpers/digest_auth/eDirectory/ldap_backend.c	2008-01-02 17:29:22.000000000 +0100
@@ -49,14 +49,14 @@
 /* Globals */
 
 static LDAP *ld = NULL;
-static char *passattr = NULL;
+static const char *passattr = NULL;
 static char *ldapServer = NULL;
-static char *userbasedn = NULL;
-static char *userdnattr = NULL;
-static char *usersearchfilter = NULL;
-static char *binddn = NULL;
-static char *bindpasswd = NULL;
-static char *delimiter = ":";
+static const char *userbasedn = NULL;
+static const char *userdnattr = NULL;
+static const char *usersearchfilter = NULL;
+static const char *binddn = NULL;
+static const char *bindpasswd = NULL;
+static const char *delimiter = ":";
 static int encrpass = 0;
 static int searchscope = LDAP_SCOPE_SUBTREE;
 static int persistent = 0;
@@ -80,7 +80,7 @@
 #endif
 
 static void ldapconnect(void);
-static int readSecret(char *filename);
+static int readSecret(const char *filename);
 
 /* Yuck.. we need to glue to different versions of the API */
 
@@ -198,7 +198,7 @@
     char filter[8192];
     char searchbase[8192];
     char *universal_password = NULL;
-    size_t universal_password_len = UNIVERSAL_PASS_LEN;
+    size_t universal_password_len = 256;
     int nmas_res = 0;
     int rc = -1;
     if (ld) {
@@ -252,28 +252,28 @@
 	if (rc == LDAP_SUCCESS) {
 	    entry = ldap_first_entry(ld, res);
 	    if (entry) {
-                if (debug)
-                    printf("ldap dn: %s\n", ldap_get_dn(ld, entry));
-                if (edir_universal_passwd) {
-               
-                    /* allocate some memory for the universal password returned by NMAS */ 
-                    universal_password = malloc(universal_password_len);
-                    memset(universal_password, 0, universal_password_len);
-                    values = malloc(sizeof(char *));
-                    
-                    /* actually talk to NMAS to get a password */
-                    nmas_res = nmasldap_get_password(ld, ldap_get_dn(ld, entry), &universal_password_len, universal_password);
-                    if (nmas_res == NMAS_SUCCESS && universal_password) {
-                        if (debug)
-                          printf("NMAS returned value %s\n", universal_password);
-                        values[0] = universal_password;
-                    } else {
-                        if (debug)
-                          printf("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res));
-                    }
-                } else {
-                    values = ldap_get_values(ld, entry, passattr);
-                }
+		if (debug)
+		    printf("ldap dn: %s\n", ldap_get_dn(ld, entry));
+		if (edir_universal_passwd) {
+
+		    /* allocate some memory for the universal password returned by NMAS */
+		    universal_password = malloc(universal_password_len);
+		    memset(universal_password, 0, universal_password_len);
+		    values = malloc(sizeof(char *));
+
+		    /* actually talk to NMAS to get a password */
+		    nmas_res = nds_get_password(ld, ldap_get_dn(ld, entry), &universal_password_len, universal_password);
+		    if (nmas_res == LDAP_SUCCESS && universal_password) {
+			if (debug)
+			    printf("NMAS returned value %s\n", universal_password);
+			values[0] = universal_password;
+		    } else {
+			if (debug)
+			    printf("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res));
+		    }
+		} else {
+		    values = ldap_get_values(ld, entry, passattr);
+		}
 	    } else {
 		ldap_msgfree(res);
 		return NULL;
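Review bot: When `nds_get_password` fails, the `else` branch only prints a debug message, leaving `values` pointing at a freshly `malloc`ed slot whose `values[0]` was never set. The `if (!values)` check after this hunk therefore does not fire, and the code after it presumably reads `values[0]` (not visible here). Adding `free(values); values = NULL;` in that branch routes the failure through the existing "No attribute value found" path, which already frees `universal_password`. Both `malloc` results are also used unchecked (`memset(universal_password, ...)`, `values[0] = ...`), and the strings returned by the two `ldap_get_dn(ld, entry)` calls are never released. The `printf` of `universal_password` writes the cleartext password to stdout when `debug` is set, which deserves at least a comment; the enclosing function starts and ends outside the hunk.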
@@ -281,8 +281,8 @@
 	    if (!values) {
 		if (debug)
 		    printf("No attribute value found\n");
-                if (edir_universal_passwd)
-                   free(universal_password);
+		if (edir_universal_passwd)
+		    free(universal_password);
 		ldap_msgfree(res);
 		return NULL;
 	    }
@@ -303,12 +303,12 @@
 		printf("password: %s\n", password);
 	    if (password)
 		password = strdup(password);
-            if (edir_universal_passwd) {
-                free(values);
-                free(universal_password);
-            } else {
-	    ldap_value_free(values);
-            }
+	    if (edir_universal_passwd) {
+		free(values);
+		free(universal_password);
+	    } else {
+		ldap_value_free(values);
+	    }
 	    ldap_msgfree(res);
 	    return password;
 	} else {
@@ -427,7 +427,7 @@
     setbuf(stdout, NULL);
 
     while (argc > 1 && argv[1][0] == '-') {
-	char *value = "";
+	const char *value = "";
 	char option = argv[1][1];
 	switch (option) {
 	case 'P':
@@ -437,8 +437,8 @@
 	case 'g':
 	case 'e':
 	case 'S':
-        case 'n':
-        case 'd':
+	case 'n':
+	case 'd':
 	    break;
 	default:
 	    if (strlen(argv[1]) > 2) {
@@ -604,7 +604,7 @@
     }
 
     if (!ldapServer)
-	ldapServer = "localhost";
+	ldapServer = (char *) "localhost";
 
     if (!userbasedn || !((passattr != NULL) || (edir_universal_passwd && usersearchfilter && version == LDAP_VERSION3 && use_tls))) {
 	fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n");
@@ -644,7 +644,7 @@
     return 0;
 }
 static int
-readSecret(char *filename)
+readSecret(const char *filename)
 {
     char buf[BUFSIZ];
     char *e = 0;
@@ -665,13 +665,10 @@
     if ((e = strrchr(buf, '\r')))
 	*e = 0;
 
-    bindpasswd = (char *) calloc(sizeof(char), strlen(buf) + 1);
-    if (bindpasswd) {
-	strcpy(bindpasswd, buf);
-    } else {
+    bindpasswd = strdup(buf);
+    if (!bindpasswd) {
 	fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
     }
-
     fclose(f);
 
     return 0;
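Review bot: If `strdup(buf)` fails, readSecret prints the error but still falls through to `return 0;`, so the caller cannot tell that the bind password was not loaded and continues with `bindpasswd` set to NULL. Return a failure value on that path instead, for example `fclose(f); return bindpasswd ? 0 : 1;`, adjusting the non-zero value to whatever the earlier error returns in readSecret use (they are outside this hunk). `buf` still holds the secret when the function returns; clearing it before `fclose`, or a comment noting it, would be a reasonable follow-up. readSecret begins before this hunk.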
@@ -680,7 +677,7 @@
 void
 LDAPHHA1(RequestData * requestData)
 {
-    char *password = "";
+    char *password;
     ldapconnect();
     password = getpassword(requestData->user, requestData->realm);
     if (password != NULL) {
diff -ruN squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c
--- squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c	2007-06-25 00:29:14.000000000 +0200
+++ squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c	2008-01-02 17:15:47.000000000 +0100
@@ -1,263 +1,263 @@
-/* -----------------------------------------------------------------------------
- * spnegohelp.c defines RFC 2478 SPNEGO GSS-API mechanism APIs.
- *
- * Author: Frank Balluffi
- *
- * Copyright (C) 2002-2003 All rights reserved.
- *
- *   This program is free software; you can redistribute it and/or modify
- *   it under the terms of the GNU General Public License as published by
- *   the Free Software Foundation; either version 2 of the License, or
- *   (at your option) any later version.
- *
- *   This program is distributed in the hope that it will be useful,
- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *   GNU General Public License for more details.
- *
- *   You should have received a copy of the GNU General Public License
- *   along with this program; if not, write to the Free Software
- *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
- *
- * -----------------------------------------------------------------------------
- */
-
-#include "spnegohelp.h"
-#include "spnego.h"
-
-#include <stdlib.h>
-
-int makeNegTokenTarg (const unsigned char *  kerberosToken,
-                      size_t                 kerberosTokenLength,
-                      const unsigned char ** negTokenTarg,
-                      size_t *               negTokenTargLength)
-{
-    SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL;
-    int                 rc1          = 1;
-    int                 rc2          = SPNEGO_E_SUCCESS;
-
-    /* Check arguments. */
-
-    if (!kerberosToken ||
-        !negTokenTarg  ||
-        !negTokenTargLength)
-        return 10;
-
-    /* Does IIS reply with 1.2.840.48018.1.2.2 or 1.2.840.113554.1.2.2? */
-
-    /* Does IIS always reply with accept_completed? */
-
-    /* IIS does not include a MIC. */
-
-    rc2 = spnegoCreateNegTokenTarg (spnego_mech_oid_Kerberos_V5_Legacy,
-                                    spnego_negresult_success,
-                                    (unsigned char *) kerberosToken,
-                                    kerberosTokenLength,
-                                    NULL,
-                                    0,
-                                    &hSpnegoToken);
-
-    if (rc2 != SPNEGO_E_SUCCESS)
-    {
-        rc1 = abs(rc2)+100;
-        goto cleanup;
-    }
-
-    /* Get NegTokenTarg length. */
-
-    rc2 = spnegoTokenGetBinary (hSpnegoToken,
-                                NULL,
-                                (unsigned long*) negTokenTargLength);
-
-    if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL)
-    {
-        rc1 = abs(rc2)+200;
-        goto cleanup;
-    }
-
-    *negTokenTarg = malloc (*negTokenTargLength);
-
-    if (!*negTokenTarg)
-    {
-        rc1 = abs(rc2)+300;
-        goto cleanup;
-    }
-
-    /* Get NegTokenTarg data. */
-
-    rc2 = spnegoTokenGetBinary (hSpnegoToken,
-                              (unsigned char *) *negTokenTarg,
-                              (unsigned long*) negTokenTargLength);
-
-
-    if (rc2 != SPNEGO_E_SUCCESS)
-    {
-        rc1 = abs(rc2)+400;
-        goto error;
-    }
-
-    rc1 = 0;
-
-    goto cleanup;
-
-error:
-
-    if (*negTokenTarg)
-    {
-        free ((unsigned char *) *negTokenTarg);
-        *negTokenTarg = NULL;
-        *negTokenTargLength = 0;
-    }
-
-cleanup:
-
-    if (hSpnegoToken)
-        spnegoFreeData (hSpnegoToken);
-
-    LOG(("makeNegTokenTarg returned %d\n",rc1));
-    return rc1;
-}
-
-int parseNegTokenInit (const unsigned char *  negTokenInit,
-                       size_t                 negTokenInitLength,
-                       const unsigned char ** kerberosToken,
-                       size_t *               kerberosTokenLength)
-{
-    SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL;
-    int                 pindex       = -1;
-    int                 rc1          = 1;
-    int                 rc2          = SPNEGO_E_SUCCESS;
-    unsigned char       reqFlags     = 0;
-    int                 tokenType    = 0;
-
-    /* Check arguments. */
-
-    if (!negTokenInit  ||
-        !kerberosToken ||
-        !kerberosTokenLength)
-        return 10;
-
-    /* Decode SPNEGO token. */
-
-    rc2 = spnegoInitFromBinary ((unsigned char *) negTokenInit,
-                                negTokenInitLength,
-                                &hSpnegoToken);
-
-    if (rc2 != SPNEGO_E_SUCCESS)
-    {
-        rc1 = abs(rc2)+100;
-        goto cleanup;
-    }
-
-    /* Check for negTokenInit choice. */
-
-    rc2 = spnegoGetTokenType (hSpnegoToken,
-                              &tokenType);
-
-    if (rc2 != SPNEGO_E_SUCCESS)
-    {
-        rc1 = abs(rc2)+200;
-        goto cleanup;
-    }
-
-    if (tokenType != SPNEGO_TOKEN_INIT)
-    {
-        rc1 = abs(rc2)+300;
-        goto cleanup;
-    }
-
-   /*
-    Check that first mechType is 1.2.840.113554.1.2.2 or 1.2.840.48018.1.2.2.
-    */
-
-   /*
-    IE seems to reply with 1.2.840.48018.1.2.2 and then 1.2.840.113554.1.2.2.
-    */
-
-    rc2 = spnegoIsMechTypeAvailable (hSpnegoToken,
-                                     spnego_mech_oid_Kerberos_V5_Legacy,
-                                     &pindex);
-
-    if (rc2 != SPNEGO_E_SUCCESS ||
-        pindex != 0)
-    {
-        rc2 = spnegoIsMechTypeAvailable (hSpnegoToken,
-                                         spnego_mech_oid_Kerberos_V5,
-                                         &pindex);
-
-        if (rc2 != SPNEGO_E_SUCCESS ||
-            pindex != 0)
-        {
-            rc1 = abs(rc2)+400;
-            goto cleanup;
-        }
-    }
-
-    /* Check for no reqFlags. */
-
-    /* Does IE ever send reqFlags? */
-
-    rc2 = spnegoGetContextFlags (hSpnegoToken,
-                                 &reqFlags);
-
-    if (rc2 == SPNEGO_E_SUCCESS)
-    {
-        rc1 = abs(rc2)+500;
-        goto cleanup;
-    }
-
-    /* Get mechanism token length. */
-
-    rc2 = spnegoGetMechToken (hSpnegoToken,
-                              NULL,
-                              (unsigned long*) kerberosTokenLength);
-
-    if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL)
-    {
-        rc1 = abs(rc2)+600;
-        goto cleanup;
-    }
-
-    *kerberosToken = malloc (*kerberosTokenLength);
-
-    if (!*kerberosToken)
-    {
-        rc1 = abs(rc2)+700;
-        goto cleanup;
-    }
-
-    /* Get mechanism token data. */
-
-    rc2 = spnegoGetMechToken (hSpnegoToken,
-                              (unsigned char *) *kerberosToken,
-                              (unsigned long*) kerberosTokenLength);
-
-    if (rc2 != SPNEGO_E_SUCCESS)
-    {
-        rc1 = abs(rc2)+800;
-        goto error;
-    }
-
-    /* According to Microsoft, IE does not send a MIC. */
-
-    rc1 = 0;
-
-    goto cleanup;
-
-error:
-
-    if (*kerberosToken)
-    {
-        free ((unsigned char *) *kerberosToken);
-        *kerberosToken = NULL;
-        *kerberosTokenLength = 0;
-    }
-
-cleanup:
-
-    if (hSpnegoToken)
-        spnegoFreeData (hSpnegoToken);
-
-    LOG(("parseNegTokenInit returned %d\n",rc1));
-    return rc1;
-}
+/* -----------------------------------------------------------------------------
+ * spnegohelp.c defines RFC 2478 SPNEGO GSS-API mechanism APIs.
+ *
+ * Author: Frank Balluffi
+ *
+ * Copyright (C) 2002-2003 All rights reserved.
+ *
+ *   This program is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation; either version 2 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, write to the Free Software
+ *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
+ *
+ * -----------------------------------------------------------------------------
+ */
+
+#include "spnegohelp.h"
+#include "spnego.h"
+
+#include <stdlib.h>
+
+int makeNegTokenTarg (const unsigned char *  kerberosToken,
+                      size_t                 kerberosTokenLength,
+                      const unsigned char ** negTokenTarg,
+                      size_t *               negTokenTargLength)
+{
+    SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL;
+    int                 rc1          = 1;
+    int                 rc2          = SPNEGO_E_SUCCESS;
+
+    /* Check arguments. */
+
+    if (!kerberosToken ||
+        !negTokenTarg  ||
+        !negTokenTargLength)
+        return 10;
+
+    /* Does IIS reply with 1.2.840.48018.1.2.2 or 1.2.840.113554.1.2.2? */
+
+    /* Does IIS always reply with accept_completed? */
+
+    /* IIS does not include a MIC. */
+
+    rc2 = spnegoCreateNegTokenTarg (spnego_mech_oid_Kerberos_V5_Legacy,
+                                    spnego_negresult_success,
+                                    (unsigned char *) kerberosToken,
+                                    kerberosTokenLength,
+                                    NULL,
+                                    0,
+                                    &hSpnegoToken);
+
+    if (rc2 != SPNEGO_E_SUCCESS)
+    {
+        rc1 = abs(rc2)+100;
+        goto cleanup;
+    }
+
+    /* Get NegTokenTarg length. */
+
+    rc2 = spnegoTokenGetBinary (hSpnegoToken,
+                                NULL,
+                                (unsigned long*) negTokenTargLength);
+
+    if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL)
+    {
+        rc1 = abs(rc2)+200;
+        goto cleanup;
+    }
+
+    *negTokenTarg = malloc (*negTokenTargLength);
+
+    if (!*negTokenTarg)
+    {
+        rc1 = abs(rc2)+300;
+        goto cleanup;
+    }
+
+    /* Get NegTokenTarg data. */
+
+    rc2 = spnegoTokenGetBinary (hSpnegoToken,
+                              (unsigned char *) *negTokenTarg,
+                              (unsigned long*) negTokenTargLength);
+
+
+    if (rc2 != SPNEGO_E_SUCCESS)
+    {
+        rc1 = abs(rc2)+400;
+        goto error;
+    }
+
+    rc1 = 0;
+
+    goto cleanup;
+
+error:
+
+    if (*negTokenTarg)
+    {
+        free ((unsigned char *) *negTokenTarg);
+        *negTokenTarg = NULL;
+        *negTokenTargLength = 0;
+    }
+
+cleanup:
+
+    if (hSpnegoToken)
+        spnegoFreeData (hSpnegoToken);
+
+    LOG(("makeNegTokenTarg returned %d\n",rc1));
+    return rc1;
+}
+
+int parseNegTokenInit (const unsigned char *  negTokenInit,
+                       size_t                 negTokenInitLength,
+                       const unsigned char ** kerberosToken,
+                       size_t *               kerberosTokenLength)
+{
+    SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL;
+    int                 pindex       = -1;
+    int                 rc1          = 1;
+    int                 rc2          = SPNEGO_E_SUCCESS;
+    unsigned char       reqFlags     = 0;
+    int                 tokenType    = 0;
+
+    /* Check arguments. */
+
+    if (!negTokenInit  ||
+        !kerberosToken ||
+        !kerberosTokenLength)
+        return 10;
+
+    /* Decode SPNEGO token. */
+
+    rc2 = spnegoInitFromBinary ((unsigned char *) negTokenInit,
+                                negTokenInitLength,
+                                &hSpnegoToken);
+
+    if (rc2 != SPNEGO_E_SUCCESS)
+    {
+        rc1 = abs(rc2)+100;
+        goto cleanup;
+    }
+
+    /* Check for negTokenInit choice. */
+
+    rc2 = spnegoGetTokenType (hSpnegoToken,
+                              &tokenType);
+
+    if (rc2 != SPNEGO_E_SUCCESS)
+    {
+        rc1 = abs(rc2)+200;
+        goto cleanup;
+    }
+
+    if (tokenType != SPNEGO_TOKEN_INIT)
+    {
+        rc1 = abs(rc2)+300;
+        goto cleanup;
+    }
+
+   /*
+    Check that first mechType is 1.2.840.113554.1.2.2 or 1.2.840.48018.1.2.2.
+    */
+
+   /*
+    IE seems to reply with 1.2.840.48018.1.2.2 and then 1.2.840.113554.1.2.2.
+    */
+
+    rc2 = spnegoIsMechTypeAvailable (hSpnegoToken,
+                                     spnego_mech_oid_Kerberos_V5_Legacy,
+                                     &pindex);
+
+    if (rc2 != SPNEGO_E_SUCCESS ||
+        pindex != 0)
+    {
+        rc2 = spnegoIsMechTypeAvailable (hSpnegoToken,
+                                         spnego_mech_oid_Kerberos_V5,
+                                         &pindex);
+
+        if (rc2 != SPNEGO_E_SUCCESS ||
+            pindex != 0)
+        {
+            rc1 = abs(rc2)+400;
+            goto cleanup;
+        }
+    }
+
+    /* Check for no reqFlags. */
+
+    /* Does IE ever send reqFlags? */
+
+    rc2 = spnegoGetContextFlags (hSpnegoToken,
+                                 &reqFlags);
+
+    if (rc2 == SPNEGO_E_SUCCESS)
+    {
+        rc1 = abs(rc2)+500;
+        goto cleanup;
+    }
+
+    /* Get mechanism token length. */
+
+    rc2 = spnegoGetMechToken (hSpnegoToken,
+                              NULL,
+                              (unsigned long*) kerberosTokenLength);
+
+    if (rc2 != SPNEGO_E_BUFFER_TOO_SMALL)
+    {
+        rc1 = abs(rc2)+600;
+        goto cleanup;
+    }
+
+    *kerberosToken = malloc (*kerberosTokenLength);
+
+    if (!*kerberosToken)
+    {
+        rc1 = abs(rc2)+700;
+        goto cleanup;
+    }
+
+    /* Get mechanism token data. */
+
+    rc2 = spnegoGetMechToken (hSpnegoToken,
+                              (unsigned char *) *kerberosToken,
+                              (unsigned long*) kerberosTokenLength);
+
+    if (rc2 != SPNEGO_E_SUCCESS)
+    {
+        rc1 = abs(rc2)+800;
+        goto error;
+    }
+
+    /* According to Microsoft, IE does not send a MIC. */
+
+    rc1 = 0;
+
+    goto cleanup;
+
+error:
+
+    if (*kerberosToken)
+    {
+        free ((unsigned char *) *kerberosToken);
+        *kerberosToken = NULL;
+        *kerberosTokenLength = 0;
+    }
+
+cleanup:
+
+    if (hSpnegoToken)
+        spnegoFreeData (hSpnegoToken);
+
+    LOG(("parseNegTokenInit returned %d\n",rc1));
+    return rc1;
+}
diff -ruN squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h
--- squid-2.6.STABLE17/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h	2007-06-03 02:47:39.000000000 +0200
+++ squid-2.6.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h	2008-01-02 17:15:47.000000000 +0100
@@ -1,58 +1,58 @@
-/* -----------------------------------------------------------------------------
- * spnegohelp.c declares RFC 2478 SPNEGO GSS-API mechanism APIs.
- *
- * Author: Frank Balluffi
- *
- * Copyright (C) 2002-2003. All rights reserved.
- * -----------------------------------------------------------------------------
- */
-
-#ifndef SPNEGOHELP_H
-#define SPNEGOHELP_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <stddef.h>
-
-/* -----------------------------------------------------------------------------
- * makeNegTokenTarg makes an RFC 2478 SPNEGO NegTokenTarg (token) from an
- * RFC 1964 Kerberos GSS-API token.
- *
- * If makeNegTokenTarg is successful, call free (*negTokenTarg) to free the
- * memory allocated by parseNegTokenInit.
- *
- * Returns 0 if successful, 1 otherwise.
- * -----------------------------------------------------------------------------
- */
-
-int makeNegTokenTarg (const unsigned char *  kerberosToken,
-                      size_t                 kerberosTokenLength,
-                      const unsigned char ** negTokenTarg,
-                      size_t *               negTokenTargLength);
-
-/* -----------------------------------------------------------------------------
- * parseNegTokenInit parses an RFC 2478 SPNEGO NegTokenInit (token) to extract
- * an RFC 1964 Kerberos GSS-API token.
- *
- * If the NegTokenInit does cotain a Kerberos GSS-API token, parseNegTokenInit
- * returns an error.
- *
- * If parseNegTokenInit is successful, call free (*kerberosToken) to
- * free the memory allocated by parseNegTokenInit.
- *
- * Returns 0 if successful, 1 otherwise.
- * -----------------------------------------------------------------------------
- */
-
-int parseNegTokenInit (const unsigned char *  negTokenInit,
-                       size_t                 negTokenInitLength,
-                       const unsigned char ** kerberosToken,
-                       size_t *               kerberosTokenLength);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* SPNEGOHELP_H */
+/* -----------------------------------------------------------------------------
+ * spnegohelp.c declares RFC 2478 SPNEGO GSS-API mechanism APIs.
+ *
+ * Author: Frank Balluffi
+ *
+ * Copyright (C) 2002-2003. All rights reserved.
+ * -----------------------------------------------------------------------------
+ */
+
+#ifndef SPNEGOHELP_H
+#define SPNEGOHELP_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stddef.h>
+
+/* -----------------------------------------------------------------------------
+ * makeNegTokenTarg makes an RFC 2478 SPNEGO NegTokenTarg (token) from an
+ * RFC 1964 Kerberos GSS-API token.
+ *
+ * If makeNegTokenTarg is successful, call free (*negTokenTarg) to free the
+ * memory allocated by parseNegTokenInit.
+ *
+ * Returns 0 if successful, 1 otherwise.
+ * -----------------------------------------------------------------------------
+ */
+
+int makeNegTokenTarg (const unsigned char *  kerberosToken,
+                      size_t                 kerberosTokenLength,
+                      const unsigned char ** negTokenTarg,
+                      size_t *               negTokenTargLength);
+
+/* -----------------------------------------------------------------------------
+ * parseNegTokenInit parses an RFC 2478 SPNEGO NegTokenInit (token) to extract
+ * an RFC 1964 Kerberos GSS-API token.
+ *
+ * If the NegTokenInit does cotain a Kerberos GSS-API token, parseNegTokenInit
+ * returns an error.
+ *
+ * If parseNegTokenInit is successful, call free (*kerberosToken) to
+ * free the memory allocated by parseNegTokenInit.
+ *
+ * Returns 0 if successful, 1 otherwise.
+ * -----------------------------------------------------------------------------
+ */
+
+int parseNegTokenInit (const unsigned char *  negTokenInit,
+                       size_t                 negTokenInitLength,
+                       const unsigned char ** kerberosToken,
+                       size_t *               kerberosTokenLength);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SPNEGOHELP_H */
diff -ruN squid-2.6.STABLE17/include/version.h squid-2.6.STABLE18/include/version.h
--- squid-2.6.STABLE17/include/version.h	2007-11-26 14:39:31.000000000 +0100
+++ squid-2.6.STABLE18/include/version.h	2008-01-10 13:34:23.000000000 +0100
@@ -9,5 +9,5 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1196084366
+#define SQUID_RELEASE_TIME 1199968458
 #endif
diff -ruN squid-2.6.STABLE17/lib/Array.c squid-2.6.STABLE18/lib/Array.c
--- squid-2.6.STABLE17/lib/Array.c	2007-11-26 12:06:12.000000000 +0100
+++ squid-2.6.STABLE18/lib/Array.c	2008-01-09 14:02:07.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * $Id: Array.c,v 1.8.2.1 2007/11/26 11:06:12 adrian Exp $
+ * $Id: Array.c,v 1.8.2.2 2008/01/09 13:02:07 adrian Exp $
  *
  * AUTHOR: Alex Rousskov
  *
@@ -142,7 +142,7 @@
 void
 arrayShrink(Array *a, int new_count)
 {
-	assert(new_count < a->capacity);
+	assert(new_count <= a->capacity);
 	assert(new_count >= 0);
 	a->count = new_count;
 }
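Review bot: The relaxed assert in arrayShrink bounds `new_count` by `a->capacity` rather than by `a->count`, so a call with `new_count > a->count` passes and turns slots that were never appended into live entries. If the function is only meant to shrink, as its name suggests, `assert(new_count <= a->count);` states the contract more tightly and still admits the no-op case this fix appears to target. No callers are visible in this hunk, so confirm that none relies on growing the array through this function.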
diff -ruN squid-2.6.STABLE17/lib/rfc2617.c squid-2.6.STABLE18/lib/rfc2617.c
--- squid-2.6.STABLE17/lib/rfc2617.c	2007-01-13 17:06:42.000000000 +0100
+++ squid-2.6.STABLE18/lib/rfc2617.c	2008-01-02 18:07:26.000000000 +0100
@@ -13,7 +13,7 @@
 
 
 /*
- * $Id: rfc2617.c,v 1.8 2007/01/13 16:06:42 hno Exp $
+ * $Id: rfc2617.c,v 1.8.2.1 2008/01/02 17:07:26 hno Exp $
  *
  * DEBUG:
  * AUTHOR: RFC 2617 & Robert Collins
@@ -94,7 +94,7 @@
 	else
 	    Bin[i / 2] |= n;
     }
-    for (; i <= HASHHEXLEN; i++) {
+    for (i = i / 2; i < HASHLEN; i++) {
 	Bin[i] = '\0';
     }
 }
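Review bot: The zero-fill now restarts at `i / 2`, which for an odd `i` is the byte whose high nibble the loop above has just stored, so a trailing half byte of hex input is silently discarded. That looks intentional, but it deserves a comment such as `/* zero the rest of Bin, dropping an incomplete trailing byte */`. The comment could also record that the old bound `i <= HASHHEXLEN` indexed `Bin` with a hex-string index and presumably ran past the end of the binary hash. The declaration of `Bin` and the loop's exit conditions are outside the hunk.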
diff -ruN squid-2.6.STABLE17/RELEASENOTES.html squid-2.6.STABLE18/RELEASENOTES.html
--- squid-2.6.STABLE17/RELEASENOTES.html	2007-11-26 14:40:06.000000000 +0100
+++ squid-2.6.STABLE18/RELEASENOTES.html	2008-01-10 13:34:58.000000000 +0100
@@ -2,12 +2,12 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
- <TITLE>Squid 2.6.STABLE17 release notes</TITLE>
+ <TITLE>Squid 2.6.STABLE18 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 2.6.STABLE17 release notes</H1>
+<H1>Squid 2.6.STABLE18 release notes</H1>
 
-<H2>Squid Developers</H2>$Id: release-2.6.html,v 1.44.2.15 2007/11/26 13:34:35 hno Exp $
+<H2>Squid Developers</H2>$Id: release-2.6.html,v 1.44.2.16 2008/01/09 14:20:09 hno Exp $
 <HR>
 <EM>This document contains the release notes for version 2.6 of Squid.
 Squid is a WWW Cache application developed by the Web Caching community.</EM>
@@ -78,6 +78,9 @@
 <P>
 <H2><A NAME="toc22">22.</A> <A HREF="#s22">Key changes squid-2.6.STABLE16 to 2.6.STABLE17</A></H2>
 
+<P>
+<H2><A NAME="toc23">23.</A> <A HREF="#s23">Key changes squid-2.6.STABLE17 to 2.6.STABLE18</A></H2>
+
 
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Key changes from squid 2.5</A></H2>
@@ -762,5 +765,19 @@
 </UL>
 </P>
 
+<H2><A NAME="s23">23.</A> <A HREF="#toc23">Key changes squid-2.6.STABLE17 to 2.6.STABLE18</A></H2>
+
+<P>
+<UL>
+<LI>2 assertion failures related to the fix for SQUID-2007:2</LI>
+<LI>Digest authentication bugfixes, fixing random auth popups and failures when using digest authentication (auth_param digest ..)</LI>
+<LI>License cleanup of edir_digest_auth</LI>
+<LI>Code cleanups and portability fixes</LI>
+<LI>See also the list of 
+<A HREF="http://www.squid-cache.org/Versions/v2/2.6/changesets/SQUID_2_6_STABLE16.html">squid-2.6.STABLE16 changes</A> and the 
+<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
+</UL>
+</P>
+
 </BODY>
 </HTML>
diff -ruN squid-2.6.STABLE17/src/auth/digest/auth_digest.c squid-2.6.STABLE18/src/auth/digest/auth_digest.c
--- squid-2.6.STABLE17/src/auth/digest/auth_digest.c	2007-08-31 16:08:53.000000000 +0200
+++ squid-2.6.STABLE18/src/auth/digest/auth_digest.c	2008-01-02 18:07:26.000000000 +0100
@@ -1,6 +1,6 @@
 
 /*
- * $Id: auth_digest.c,v 1.21.2.1 2007/08/31 14:08:53 hno Exp $
+ * $Id: auth_digest.c,v 1.21.2.2 2008/01/02 17:07:26 hno Exp $
  *
  * DEBUG: section 29    Authenticator
  * AUTHOR: Robert Collins
@@ -741,6 +741,7 @@
 	    }
 	} else {
 	    digest_request->flags.credentials_ok = 3;
+	    digest_request->flags.invalid_password = 1;
 	    safe_free(auth_user_request->message);
 	    auth_user_request->message = xstrdup("Incorrect password");
 	    return;
@@ -750,7 +751,6 @@
     if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
 	debug(29, 3) ("authenticateDigestAuthenticateuser: user '%s' validated OK but nonce stale\n",
 	    digest_user->username);
-	digest_request->flags.nonce_stale = 1;
 	digest_request->flags.credentials_ok = 3;
 	safe_free(auth_user_request->message);
 	auth_user_request->message = xstrdup("Stale nonce");
@@ -781,11 +781,8 @@
 	return 0;
     case 2:			/* partway through checking. */
 	return -1;
-    case 3:			/* authentication process failed. */
-	if (digest_request->flags.nonce_stale)
-	    /* nonce is stale, send new challenge */
-	    return 1;
-	return -2;
+    case 3:			/* authentication process failed. Challenge. */
+	return 1;
     }
     return -2;
 }
@@ -855,7 +852,7 @@
     digest_nonce_h *nonce = authenticateDigestNonceNew();
     if (auth_user_request && auth_user_request->scheme_data) {
 	digest_request = auth_user_request->scheme_data;
-	stale = digest_request->flags.nonce_stale;
+	stale = !digest_request->flags.invalid_password;
     }
     if (digestConfig->authenticate) {
 	debug(29, 9) ("authenticateFixHeader: Sending type:%d header: 'Digest realm=\"%s\", nonce=\"%s\", qop=\"%s\", stale=%s\n", type, digestConfig->digestAuthRealm, authenticateDigestNonceNonceb64(nonce), QOP_AUTH, stale ? "true" : "false");
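Review bot: `stale = !digest_request->flags.invalid_password;` makes `stale=true` the default for every challenge that carries scheme data, including failures that set `credentials_ok = 3` without setting `invalid_password`. RFC 2617 describes `stale=TRUE` as the signal that only the nonce was at fault and that the client may retry without prompting the user again. Every failure path that leaves `invalid_password` clear therefore has to be one where a silent retry with the same credentials is acceptable. A comment at this assignment should say so, for example `/* stale unless the credentials themselves were rejected; every rejection path must set invalid_password */`. The enclosing function begins above the hunk, so the initial value of `stale` is not visible.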
@@ -911,6 +908,7 @@
     digest_user = auth_user_request->auth_user->scheme_data;
     if (reply && (strncasecmp(reply, "ERR", 3) == 0)) {
 	digest_request->flags.credentials_ok = 3;
+	digest_request->flags.invalid_password = 1;
 	safe_free(auth_user_request->message);
 	if (t && *t)
 	    auth_user_request->message = xstrdup(t);
@@ -1273,10 +1271,7 @@
 	/* we couldn't find a matching nonce! */
 	debug(29, 4) ("authenticateDigestDecode: Unexpected or invalid nonce received\n");
 	authDigestLogUsername(auth_user_request, username);
-
-	/* we don't need the scheme specific data anymore */
-	authDigestRequestDelete(digest_request);
-	auth_user_request->scheme_data = NULL;
+	auth_user_request->scheme_data = digest_request;
 	return;
     }
     digest_request->nonce = nonce;
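Review bot: Keeping `digest_request` attached when no matching nonce was found means later stages now receive a request whose `nonce` is presumably still unset, because `digest_request->nonce = nonce;` is only reached after this early return. The `authDigestNonceIsValid(digest_request->nonce, digest_request->nc)` call in the authenticate path, and anything else that dereferences the nonce, has to tolerate that. Those functions are outside this hunk, so this needs checking there. A short comment on the new line would record what appears to be the intent, e.g. `/* keep the request so the re-challenge can be marked stale instead of prompting */`.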
@@ -1284,7 +1279,7 @@
 
     /* check the qop is what we expected. Note that for compatability with 
      * RFC 2069 we should support a missing qop. Tough. */
-    if (!digest_request->qop || strcmp(digest_request->qop, QOP_AUTH)) {
+    if (digest_request->qop && strcmp(digest_request->qop, QOP_AUTH) != 0) {
 	/* we received a qop option we didn't send */
 	debug(29, 4) ("authenticateDigestDecode: Invalid qop option received\n");
 	authDigestLogUsername(auth_user_request, username);
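Review bot: The comment above the changed condition still says a missing qop is not supported ("Tough."), but `digest_request->qop && strcmp(digest_request->qop, QOP_AUTH) != 0` now lets a request without qop through. Update it to something like `/* a missing qop is accepted for RFC 2069 compatibility; only a qop we did not offer is rejected */`. Requests without qop normally carry no `nc` or `cnonce`, so confirm that the nonce-count check taking `digest_request->nc` still gives replay protection for them. That code is outside this hunk.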
diff -ruN squid-2.6.STABLE17/src/auth/digest/auth_digest.h squid-2.6.STABLE18/src/auth/digest/auth_digest.h
--- squid-2.6.STABLE17/src/auth/digest/auth_digest.h	2006-07-08 15:26:26.000000000 +0200
+++ squid-2.6.STABLE18/src/auth/digest/auth_digest.h	2008-01-02 18:07:26.000000000 +0100
@@ -43,7 +43,7 @@
     struct {
 	unsigned int authinfo_sent:1;
 	unsigned int credentials_ok:2;	/*0=unchecked,1=ok,2=helper,3=failed */
-	unsigned int nonce_stale:1;
+	unsigned int invalid_password:1;
 	unsigned int helper_queried:1;
     } flags;
     digest_nonce_h *nonce;
diff -ruN squid-2.6.STABLE17/src/cbdata.c squid-2.6.STABLE18/src/cbdata.c
--- squid-2.6.STABLE17/src/cbdata.c	2006-05-13 00:04:59.000000000 +0200
+++ squid-2.6.STABLE18/src/cbdata.c	2008-01-02 18:06:50.000000000 +0100
@@ -1,6 +1,6 @@
 
 /*
- * $Id: cbdata.c,v 1.46 2006/05/12 22:04:59 hno Exp $
+ * $Id: cbdata.c,v 1.46.2.1 2008/01/02 17:06:50 hno Exp $
  *
  * DEBUG: section 45    Callback Data Registry
  * ORIGINAL AUTHOR: Duane Wessels
@@ -122,7 +122,7 @@
 }
 
 #else
-#define OFFSET_OF(type, member) ((int)(char *)&((type *)0L)->member)
+#define OFFSET_OF(type, member) ((size_t)(char *)&((type *)0L)->member)
 #endif
 
 void
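Review bot: The fallback `OFFSET_OF` still computes the offset by taking a member address through a null pointer, which the C standard leaves undefined. The new `size_t` cast fixes the truncation on 64-bit targets but not that. `offsetof` from `<stddef.h>` yields the same value portably: `#define OFFSET_OF(type, member) offsetof(type, member)`. The `#if` branch this `#else` belongs to is outside the hunk, so check whether `<stddef.h>` is already included on this path.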
diff -ruN squid-2.6.STABLE17/src/HttpHeader.c squid-2.6.STABLE18/src/HttpHeader.c
--- squid-2.6.STABLE17/src/HttpHeader.c	2007-11-26 12:06:13.000000000 +0100
+++ squid-2.6.STABLE18/src/HttpHeader.c	2007-12-21 10:56:53.000000000 +0100
@@ -1,6 +1,6 @@
 
 /*
- * $Id: HttpHeader.c,v 1.91.2.3 2007/11/26 11:06:13 adrian Exp $
+ * $Id: HttpHeader.c,v 1.91.2.4 2007/12/21 09:56:53 adrian Exp $
  *
  * DEBUG: section 55    HTTP Header
  * AUTHOR: Alex Rousskov
@@ -391,7 +391,8 @@
     pos = 0;
     while (dp < hdr->entries.count) {
 	for (; dp < hdr->entries.count && hdr->entries.items[dp] == NULL; dp++);
-	assert(dp < hdr->entries.count);
+	if (dp >= hdr->entries.count)
+	    break;
 	hdr->entries.items[pos] = hdr->entries.items[dp];
 	if (dp != pos)
 	    hdr->entries.items[dp] = NULL;
diff -ruN squid-2.6.STABLE17/src/MemPool.c squid-2.6.STABLE18/src/MemPool.c
--- squid-2.6.STABLE17/src/MemPool.c	2006-09-19 00:54:39.000000000 +0200
+++ squid-2.6.STABLE18/src/MemPool.c	2008-01-09 14:58:12.000000000 +0100
@@ -1,6 +1,6 @@
 
 /*
- * $Id: MemPool.c,v 1.39 2006/09/18 22:54:39 hno Exp $
+ * $Id: MemPool.c,v 1.39.2.1 2008/01/09 13:58:12 hno Exp $
  *
  * DEBUG: section 63    Low Level Memory Pool Management
  * AUTHOR: Alex Rousskov
@@ -266,16 +266,16 @@
 	gb_inc(&TheMeter.saved, pool->obj_size);
 	obj = stackPop(&pool->pstack);
 #if DEBUG_MEMPOOL
-	(void) VALGRIND_MAKE_READABLE(obj, pool->real_obj_size + sizeof(struct mempool_cookie));
+	(void) VALGRIND_MAKE_MEM_DEFINED(obj, pool->real_obj_size + sizeof(struct mempool_cookie));
 #else
-	(void) VALGRIND_MAKE_READABLE(obj, pool->obj_size);
+	(void) VALGRIND_MAKE_MEM_DEFINED(obj, pool->obj_size);
 #endif
 #if DEBUG_MEMPOOL
 	{
 	    struct mempool_cookie *cookie = (void *) (((unsigned char *) obj) + pool->real_obj_size);
 	    assert(cookie->cookie == MEMPOOL_COOKIE(obj));
 	    assert(cookie->pool == pool);
-	    (void) VALGRIND_MAKE_NOACCESS(cookie, sizeof(cookie));
+	    (void) VALGRIND_MAKE_MEM_NOACCESS(cookie, sizeof(cookie));
 	}
 #endif
     } else {
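Review bot: `sizeof(cookie)` in `VALGRIND_MAKE_MEM_NOACCESS(cookie, sizeof(cookie))` is the size of the pointer, not of `struct mempool_cookie`, so only the first pointer-sized part of the cookie is marked. The struct has at least the `cookie` and `pool` members used in the asserts, so the call needs `sizeof(*cookie)`: `(void) VALGRIND_MAKE_MEM_NOACCESS(cookie, sizeof(*cookie));`. The same expression appears in the allocation hunk at -289 and in the `VALGRIND_MAKE_MEM_DEFINED(cookie, sizeof(cookie))` call in the free hunk at -305. All three sit under `DEBUG_MEMPOOL`, and the enclosing functions start outside the hunks.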
@@ -289,7 +289,7 @@
 	    cookie = (struct mempool_cookie *) (((unsigned char *) obj) + pool->real_obj_size);
 	    cookie->cookie = MEMPOOL_COOKIE(obj);
 	    cookie->pool = pool;
-	    (void) VALGRIND_MAKE_NOACCESS(cookie, sizeof(cookie));
+	    (void) VALGRIND_MAKE_MEM_NOACCESS(cookie, sizeof(cookie));
 	}
 #else
 	obj = xcalloc(1, pool->obj_size);
@@ -305,11 +305,11 @@
     memMeterDec(pool->meter.inuse);
     memMeterDel(TheMeter.inuse, pool->obj_size);
     mem_pool_free_calls++;
-    (void) VALGRIND_CHECK_WRITABLE(obj, pool->obj_size);
+    (void) VALGRIND_CHECK_MEM_IS_ADDRESSABLE(obj, pool->obj_size);
 #if DEBUG_MEMPOOL
     {
 	struct mempool_cookie *cookie = (void *) (((unsigned char *) obj) + pool->real_obj_size);
-	(void) VALGRIND_MAKE_READABLE(cookie, sizeof(cookie));
+	(void) VALGRIND_MAKE_MEM_DEFINED(cookie, sizeof(cookie));
 	assert(cookie->cookie == MEMPOOL_COOKIE(obj));
 	assert(cookie->pool == pool);
     }
@@ -319,9 +319,9 @@
 	memMeterAdd(TheMeter.idle, pool->obj_size);
 	memset(obj, 0, pool->obj_size);
 #if DEBUG_MEMPOOL
-	(void) VALGRIND_MAKE_NOACCESS(obj, pool->real_obj_size + sizeof(struct mempool_cookie));
+	(void) VALGRIND_MAKE_MEM_NOACCESS(obj, pool->real_obj_size + sizeof(struct mempool_cookie));
 #else
-	(void) VALGRIND_MAKE_NOACCESS(obj, pool->obj_size);
+	(void) VALGRIND_MAKE_MEM_NOACCESS(obj, pool->obj_size);
 #endif
 	stackPush(&pool->pstack, obj);
     } else {
diff -ruN squid-2.6.STABLE17/src/pinger.c squid-2.6.STABLE18/src/pinger.c
--- squid-2.6.STABLE17/src/pinger.c	2006-05-22 21:20:30.000000000 +0200
+++ squid-2.6.STABLE18/src/pinger.c	2008-01-02 18:06:50.000000000 +0100
@@ -1,6 +1,6 @@
 
 /*
- * $Id: pinger.c,v 1.50 2006/05/22 19:20:30 serassio Exp $
+ * $Id: pinger.c,v 1.50.2.1 2008/01/02 17:06:50 hno Exp $
  *
  * DEBUG: section 42    ICMP Pinger program
  * AUTHOR: Duane Wessels
@@ -307,7 +307,7 @@
     icmp->icmp_seq = (u_short) icmp_pkts_sent++;
     echo = (icmpEchoData *) (icmp + 1);
     echo->opcode = (unsigned char) opcode;
-    echo->tv = current_time;
+    memcpy(&echo->tv, &current_time, sizeof(current_time));
     icmp_pktsize += sizeof(struct timeval) + sizeof(char);
     if (payload) {
 	if (len > MAX_PAYLOAD)
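Review bot: The new `memcpy(&echo->tv, &current_time, sizeof(current_time));` sizes the copy by its source, while the matching copy in the receive hunk at -380 uses the destination (`sizeof(tv)`). Bounding by the destination, `sizeof(echo->tv)`, is the safer habit if the two types ever diverge. Neither call says why the struct assignment was replaced. Presumably `echo` can be misaligned inside the packet buffer, and a comment such as `/* echo may be unaligned within the packet; copy bytewise */` would keep someone from reverting it. The enclosing function starts outside the hunk.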
@@ -345,6 +345,7 @@
     struct timeval now;
     icmpEchoData *echo;
     static pingerReplyData preply;
+    struct timeval tv;
 
     if (pkt == NULL)
 	pkt = xmalloc(MAX_PKT_SZ);
@@ -380,7 +381,8 @@
     preply.from = from.sin_addr;
     preply.opcode = echo->opcode;
     preply.hops = ipHops(ip->ip_ttl);
-    preply.rtt = tvSubMsec(echo->tv, now);
+    memcpy(&tv, &echo->tv, sizeof(tv));
+    preply.rtt = tvSubMsec(tv, now);
     preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT_SZ);
     pingerSendtoSquid(&preply);
     pingerLog(icmp, from.sin_addr, preply.rtt, preply.hops);
diff -ruN squid-2.6.STABLE17/src/squid.h squid-2.6.STABLE18/src/squid.h
--- squid-2.6.STABLE17/src/squid.h	2006-09-08 21:41:24.000000000 +0200
+++ squid-2.6.STABLE18/src/squid.h	2008-01-09 14:58:12.000000000 +0100
@@ -1,6 +1,6 @@
 
 /*
- * $Id: squid.h,v 1.244 2006/09/08 19:41:24 serassio Exp $
+ * $Id: squid.h,v 1.244.2.1 2008/01/09 13:58:12 hno Exp $
  *
  * AUTHOR: Duane Wessels
  *
@@ -529,12 +529,19 @@
  */
 #if WITH_VALGRIND
 #include <valgrind/memcheck.h>
+#ifndef VALGRIND_MAKE_MEM_NOACCESS
+/* A little glue for older valgrind version prior to 3.2.0 */
+#define VALGRIND_MAKE_MEM_NOACCESS VALGRIND_MAKE_NOACCESS
+#define VALGRIND_MAME_MEM_UNDEFINED VALGRIND_MAME_WRITABLE
+#define VALGRIND_MAKE_MEM_DEFINED VALGRIND_MAKE_READABLE
+#define VALGRIND_CHECK_MEM_IS_ADDRESSABLE VALGRIND_CHECK_WRITABLE
+#endif
 #else
-#define VALGRIND_MAKE_NOACCESS(a,b) (0)
-#define VALGRIND_MAKE_WRITABLE(a,b) (0)
-#define VALGRIND_MAKE_READABLE(a,b) (0)
-#define VALGRIND_CHECK_WRITABLE(a,b) (0)
-#define VALGRIND_CHECK_READABLE(a,b) (0)
+#define VALGRIND_MAKE_MEM_NOACCESS(a,b) (0)
+#define VALGRIND_MAKE_MEM_UNDEFINED(a,b) (0)
+#define VALGRIND_MAKE_MEM_DEFINED(a,b) (0)
+#define VALGRIND_CHECK_MEM_IS_ADDRESSABLE(a,b) (0)
+#define VALGRIND_CHECK_MEM_IS_DEFINED(a,b) (0)
 #define VALGRIND_MALLOCLIKE_BLOCK(a,b,c,d)
 #define VALGRIND_FREELIKE_BLOCK(a,b)
 #define RUNNING_ON_VALGRIND 0
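Review bot: The compatibility glue for older valgrind misspells one mapping: `#define VALGRIND_MAME_MEM_UNDEFINED VALGRIND_MAME_WRITABLE` defines a name nothing uses, so `VALGRIND_MAKE_MEM_UNDEFINED` stays undefined when building against a `memcheck.h` that predates the rename. It should read `#define VALGRIND_MAKE_MEM_UNDEFINED VALGRIND_MAKE_WRITABLE`. The glue also has no counterpart for `VALGRIND_CHECK_MEM_IS_DEFINED`, which the `#else` branch does stub out; adding `#define VALGRIND_CHECK_MEM_IS_DEFINED VALGRIND_CHECK_READABLE` would complete the set. The `#if WITH_VALGRIND` block closes outside this hunk.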
diff -ruN squid-2.6.STABLE17/src/tools.c squid-2.6.STABLE18/src/tools.c
--- squid-2.6.STABLE17/src/tools.c	2007-09-01 22:09:50.000000000 +0200
+++ squid-2.6.STABLE18/src/tools.c	2008-01-02 18:06:50.000000000 +0100
@@ -1,6 +1,6 @@
 
 /*
- * $Id: tools.c,v 1.250.2.3 2007/09/01 20:09:50 hno Exp $
+ * $Id: tools.c,v 1.250.2.4 2008/01/02 17:06:50 hno Exp $
  *
  * DEBUG: section 21    Misc Functions
  * AUTHOR: Harvest Derived
@@ -976,7 +976,7 @@
 	 * 2 until it becomes positive again.
 	 */
 	kb_t x;
-	x.kb = 1 << 31;
+	x.kb = 1L << 31;
 	while (x.kb && ((k->kb + x.kb) < 0)) {
 	    x.kb <<= 1;
 	}
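Review bot: `x.kb = 1L << 31;` avoids the signed overflow only where `long` is wider than 32 bits; on targets with a 32-bit `long` the shift still overflows exactly as `1 << 31` did. The type of `x.kb` is not visible in the hunk, but if it is a 64-bit offset type, doing the shift in the field's own type, `x.kb = 1; x.kb <<= 31;`, gives the same value on every platform. The enclosing function starts outside this hunk.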
@@ -1295,7 +1295,7 @@
 void
 setUmask(mode_t mask)
 {
-    static mode_t orig_umask = ~0;
+    static mode_t orig_umask = (mode_t) ~ 0;
     if (orig_umask == (mode_t) ~ 0) {
 	/* Unfortunately, there is no way to get the current
 	 * umask value without setting it.
