[thirdparty/squid.git] / helpers / basic_auth / NCSA / basic_ncsa_auth.cc

/*
 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * AUTHOR: Arjan de Vet <Arjan.deVet@adv.iae.nl>
 *
 * Example authentication program for Squid, based on the original
 * proxy_auth code from client_side.c, written by
 * Jon Thackray <jrmt@uk.gdscorp.com>.
 *
 * Uses a NCSA httpd style password file for authentication with the
 * following improvements suggested by various people:
 *
 * - comment lines are possible and should start with a '#';
 * - empty or blank lines are possible;
 * - extra fields in the password file are ignored; this makes it
 *   possible to use a Unix password file but I do not recommend that.
 *
 *  MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
 */

#include "squid.h"
#include "crypt_md5.h"
#include "helpers/defines.h"
#include "rfc1738.h"

#include <unordered_map>
#if HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#if HAVE_CRYPT_H
#include <crypt.h>
#endif

typedef std::unordered_map<std::string, std::string> usermap_t;
usermap_t usermap;

static void
read_passwd_file(const char *passwdfile)
{
    FILE *f;
    char buf[HELPER_INPUT_BUFFER];
    char *user;
    char *passwd;

    usermap.clear();
    //TODO: change to c++ streams
    f = fopen(passwdfile, "r");
    if (NULL == f) {
        fprintf(stderr, "FATAL: %s: %s\n", passwdfile, xstrerror());
        exit(1);
    }
    unsigned int lineCount = 0;
    buf[HELPER_INPUT_BUFFER-1] = '\0';
    while (fgets(buf, sizeof(buf)-1, f) != NULL) {
        ++lineCount;
        if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') ||
                (buf[0] == '\n'))
            continue;
        user = strtok(buf, ":\n\r");
        if (user == NULL) {
            fprintf(stderr, "ERROR: Missing user name at %s line %d\n", passwdfile, lineCount);
            continue;
        }
        passwd = strtok(NULL, ":\n\r");
        if ((strlen(user) > 0) && passwd) {
            usermap[user] = passwd;
        }
    }
    fclose(f);
}

int
main(int argc, char **argv)
{
    struct stat sb;
    time_t change_time = -1;
    char buf[HELPER_INPUT_BUFFER];
    char *user, *passwd, *p;
    setbuf(stdout, NULL);
    if (argc != 2) {
        fprintf(stderr, "Usage: ncsa_auth <passwordfile>\n");
        exit(1);
    }
    if (stat(argv[1], &sb) != 0) {
        fprintf(stderr, "FATAL: cannot stat %s\n", argv[1]);
        exit(1);
    }
    while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
        if ((p = strchr(buf, '\n')) != NULL)
            *p = '\0';      /* strip \n */
        if (stat(argv[1], &sb) == 0) {
            if (sb.st_mtime != change_time) {
                read_passwd_file(argv[1]);
                change_time = sb.st_mtime;
            }
        }
        if ((user = strtok(buf, " ")) == NULL) {
            SEND_ERR("");
            continue;
        }
        if ((passwd = strtok(NULL, "")) == NULL) {
            SEND_ERR("");
            continue;
        }
        rfc1738_unescape(user);
        rfc1738_unescape(passwd);
        const auto userpassIterator = usermap.find(user);
        if (userpassIterator == usermap.end()) {
            SEND_ERR("No such user");
            continue;
        }
        std::string stored_pass = userpassIterator->second;

        char *crypted = NULL;
#if HAVE_CRYPT
        size_t passwordLength = strlen(passwd);
        // Bug 3831: given algorithms more secure than DES crypt() does not truncate, so we can ignore the bug 3107 length checks below
        // '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), '$6$' = SHA256 (BSD) and SHA512
        if (passwordLength > 1 && stored_pass[0] == '$' &&
                (crypted = crypt(passwd, stored_pass.c_str())) && stored_pass == crypted) {
            SEND_OK("");
            continue;
        }
        // 'other' prefixes indicate DES algorithm.
        if (passwordLength <= 8 && (crypted = crypt(passwd, stored_pass.c_str())) && stored_pass == crypted) {
            SEND_OK("");
            continue;
        }
        if (passwordLength > 8 && (crypted = crypt(passwd, stored_pass.c_str())) && stored_pass == crypted) {
            // Bug 3107: crypt() DES functionality silently truncates long passwords.
            SEND_ERR("Password too long. Only 8 characters accepted.");
            continue;
        }

#endif
        if ( (crypted = crypt_md5(passwd, stored_pass.c_str())) && stored_pass == crypted) {
            SEND_OK("");
            continue;
        }
        if ( (crypted = md5sum(passwd)) && stored_pass == crypted) {
            SEND_OK("");
            continue;
        }
        SEND_ERR("Wrong password");
    }
    exit(0);
}
Commit	Line	Data
5b95b903	1	/*
ef57eb7b	2	* Copyright (C) 1996-2016 The Squid Software Foundation and contributors
5b95b903 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
94439e4e	9	/*
94439e4e	10	* AUTHOR: Arjan de Vet <Arjan.deVet@adv.iae.nl>
	11	*
	12	* Example authentication program for Squid, based on the original
	13	* proxy_auth code from client_side.c, written by
	14	* Jon Thackray <jrmt@uk.gdscorp.com>.
	15	*
	16	* Uses a NCSA httpd style password file for authentication with the
	17	* following improvements suggested by various people:
	18	*
	19	* - comment lines are possible and should start with a '#';
	20	* - empty or blank lines are possible;
	21	* - extra fields in the password file are ignored; this makes it
	22	* possible to use a Unix password file but I do not recommend that.
	23	*
304fb0a1	24	* MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
94439e4e	25	*/
94439e4e	26
f7f3304a	27	#include "squid.h"
43fed740	28	#include "crypt_md5.h"
43fed740	29	#include "helpers/defines.h"
1fa9b1a7	30	#include "rfc1738.h"
81951d76	31
d75ae82c	32	#include <unordered_map>
94439e4e	33	#if HAVE_SYS_STAT_H
	34	#include <sys/stat.h>
	35	#endif
	36	#if HAVE_CRYPT_H
	37	#include <crypt.h>
	38	#endif
	39
d75ae82c FC	40	typedef std::unordered_map<std::string, std::string> usermap_t;
d75ae82c FC	41	usermap_t usermap;
94439e4e	42
	43	static void
	44	read_passwd_file(const char *passwdfile)
	45	{
	46	FILE *f;
3c18a677	47	char buf[HELPER_INPUT_BUFFER];
94439e4e	48	char *user;
94439e4e	49	char *passwd;
d75ae82c FC	50
	51	usermap.clear();
	52	//TODO: change to c++ streams
94439e4e	53	f = fopen(passwdfile, "r");
a2897c13	54	if (NULL == f) {
43fed740	55	fprintf(stderr, "FATAL: %s: %s\n", passwdfile, xstrerror());
26ac0430	56	exit(1);
a2897c13	57	}
3c18a677	58	unsigned int lineCount = 0;
2ea57237	59	buf[HELPER_INPUT_BUFFER-1] = '\0';
3c18a677 AJ	60	while (fgets(buf, sizeof(buf)-1, f) != NULL) {
3c18a677 AJ	61	++lineCount;
26ac0430 AJ	62	if ((buf[0] == '#') \|\| (buf[0] == ' ') \|\| (buf[0] == '\t') \|\|
	63	(buf[0] == '\n'))
	64	continue;
	65	user = strtok(buf, ":\n\r");
3c18a677 AJ	66	if (user == NULL) {
	67	fprintf(stderr, "ERROR: Missing user name at %s line %d\n", passwdfile, lineCount);
	68	continue;
	69	}
26ac0430 AJ	70	passwd = strtok(NULL, ":\n\r");
26ac0430 AJ	71	if ((strlen(user) > 0) && passwd) {
d75ae82c	72	usermap[user] = passwd;
26ac0430	73	}
94439e4e	74	}
	75	fclose(f);
	76	}
	77
	78	int
	79	main(int argc, char **argv)
	80	{
	81	struct stat sb;
407e1c93	82	time_t change_time = -1;
43fed740	83	char buf[HELPER_INPUT_BUFFER];
94439e4e	84	char user, passwd, *p;
94439e4e	85	setbuf(stdout, NULL);
94439e4e	86	if (argc != 2) {
26ac0430 AJ	87	fprintf(stderr, "Usage: ncsa_auth <passwordfile>\n");
26ac0430 AJ	88	exit(1);
94439e4e	89	}
94439e4e	90	if (stat(argv[1], &sb) != 0) {
43fed740	91	fprintf(stderr, "FATAL: cannot stat %s\n", argv[1]);
26ac0430	92	exit(1);
94439e4e	93	}
43fed740	94	while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
26ac0430	95	if ((p = strchr(buf, '\n')) != NULL)
f53969cc	96	p = '\0'; / strip \n */
26ac0430 AJ	97	if (stat(argv[1], &sb) == 0) {
	98	if (sb.st_mtime != change_time) {
	99	read_passwd_file(argv[1]);
	100	change_time = sb.st_mtime;
	101	}
	102	}
	103	if ((user = strtok(buf, " ")) == NULL) {
43fed740	104	SEND_ERR("");
26ac0430 AJ	105	continue;
	106	}
	107	if ((passwd = strtok(NULL, "")) == NULL) {
43fed740	108	SEND_ERR("");
26ac0430 AJ	109	continue;
	110	}
	111	rfc1738_unescape(user);
	112	rfc1738_unescape(passwd);
d75ae82c FC	113	const auto userpassIterator = usermap.find(user);
d75ae82c FC	114	if (userpassIterator == usermap.end()) {
43fed740	115	SEND_ERR("No such user");
2df24144 AJ	116	continue;
2df24144 AJ	117	}
d75ae82c FC	118	std::string stored_pass = userpassIterator->second;
d75ae82c FC	119
2df24144	120	char *crypted = NULL;
8655ee19	121	#if HAVE_CRYPT
f04d5d43	122	size_t passwordLength = strlen(passwd);
2df24144 AJ	123	// Bug 3831: given algorithms more secure than DES crypt() does not truncate, so we can ignore the bug 3107 length checks below
2df24144 AJ	124	// '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), '$6$' = SHA256 (BSD) and SHA512
d75ae82c FC	125	if (passwordLength > 1 && stored_pass[0] == '$' &&
d75ae82c FC	126	(crypted = crypt(passwd, stored_pass.c_str())) && stored_pass == crypted) {
2df24144 AJ	127	SEND_OK("");
	128	continue;
	129	}
	130	// 'other' prefixes indicate DES algorithm.
d75ae82c	131	if (passwordLength <= 8 && (crypted = crypt(passwd, stored_pass.c_str())) && stored_pass == crypted) {
43fed740	132	SEND_OK("");
2df24144 AJ	133	continue;
2df24144 AJ	134	}
d75ae82c	135	if (passwordLength > 8 && (crypted = crypt(passwd, stored_pass.c_str())) && stored_pass == crypted) {
2d2772b0 AJ	136	// Bug 3107: crypt() DES functionality silently truncates long passwords.
2d2772b0 AJ	137	SEND_ERR("Password too long. Only 8 characters accepted.");
2df24144 AJ	138	continue;
	139	}
	140
8655ee19	141	#endif
d75ae82c	142	if ( (crypted = crypt_md5(passwd, stored_pass.c_str())) && stored_pass == crypted) {
43fed740	143	SEND_OK("");
2df24144 AJ	144	continue;
2df24144 AJ	145	}
d75ae82c	146	if ( (crypted = md5sum(passwd)) && stored_pass == crypted) {
43fed740	147	SEND_OK("");
2df24144	148	continue;
26ac0430	149	}
2df24144	150	SEND_ERR("Wrong password");
94439e4e	151	}
	152	exit(0);
	153	}
f53969cc	154