89f77e43 | 1 | /* |
2 | * digest_pw_auth.c | |
3 | * | |
4 | * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet | |
5 | * <Arjan.deVet@adv.iae.nl> | |
6 | * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com> | |
7 | * | |
8 | * Example digest authentication program for Squid, based on the original | |
9 | * proxy_auth code from client_side.c, written by | |
10 | * Jon Thackray <jrmt@uk.gdscorp.com>. | |
11 | * | |
12 | * - comment lines are possible and should start with a '#'; | |
13 | * - empty or blank lines are possible; | |
14 | * - file format is username:password | |
26ac0430 | 15 | * |
89f77e43 | 16 | * To build a directory integrated backend, you need to be able to |
17 | * calculate the HA1 returned to squid. To avoid storing a plaintext | |
18 | * password you can calculate MD5(username:realm:password) when the | |
19 | * user changes their password, and store the tuple username:realm:HA1. | |
20 | * then find the matching username:realm when squid asks for the | |
21 | * HA1. | |
22 | * | |
23 | * This implementation could be improved by using such a triple for | |
24 | * the file format. However storing such a triple does little to | |
25 | * improve security: If compromised the username:realm:HA1 combination | |
26 | * is "plaintext equivalent" - for the purposes of digest authentication | |
27 | * they allow the user access. Password synchronisation is not tackled | |
28 | * by digest - just preventing on the wire compromise. | |
29 | * | |
30 | * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org> | |
31 | */ | |
f7f3304a | 32 | #include "squid.h" |
89f77e43 | 33 | #include "digest_common.h" |
56ff4687 | 34 | #include "helpers/defines.h" |
89f77e43 | 35 | #include "ldap_backend.h" |
56ff4687 | 36 | |
89f77e43 | 37 | #define PROGRAM_NAME "digest_ldap_auth" |
38 | ||
/*
 * Resolve the HHA1 for one request by delegating to the LDAP backend.
 * This helper only compiles in the LDAP backend, so there is nothing to
 * dispatch on.  OutputHHA1() treats a non-zero requestData->error after
 * this call as a failed lookup and otherwise prints requestData->HHA1.
 */
static void
GetHHA1(RequestData * requestData)
{
    LDAPHHA1(requestData);
}
44 | ||
/*
 * Split one request line of the form "user":"realm" into requestData->user
 * and requestData->realm.  Both fields are pointers into buf, which is
 * modified in place (the newline is dropped and strtok() writes NUL
 * terminators).  requestData->parsed is non-zero only when both quoted
 * fields were found.
 *
 * NOTE(review): strtok() collapses adjacent '"' delimiters, so the token
 * between the two quoted fields (normally the ':' separator) is consumed
 * and discarded without being checked.  strtok() also keeps static state;
 * fine for this single-threaded helper, but not reentrant.
 */
static void
ParseBuffer(char *buf, RequestData * requestData)
{
    static const char quote[] = "\"";
    char *newline = strchr(buf, '\n');
    char *separator;

    requestData->parsed = 0;
    if (newline != NULL)
        *newline = '\0';    /* strip \n */

    requestData->user = strtok(buf, quote);
    if (requestData->user == NULL)
        return;

    /* Whatever sits between the closing and opening quotes; not validated. */
    separator = strtok(NULL, quote);
    if (separator == NULL) {
        requestData->realm = NULL;
        return;
    }

    requestData->realm = strtok(NULL, quote);
    if (requestData->realm == NULL)
        return;

    requestData->parsed = -1;   /* any non-zero value means "parsed" */
}
60 | ||
/*
 * Look up the HHA1 for a parsed request and write the reply to stdout:
 * the HHA1 on a line of its own on success, or an ERR reply (via
 * SEND_ERR) when the backend flagged requestData->error.
 */
static void
OutputHHA1(RequestData * requestData)
{
    requestData->error = 0;     /* the backend reports failure by setting this */
    GetHHA1(requestData);

    if (!requestData->error) {
        printf("%s\n", requestData->HHA1);
        return;
    }
    SEND_ERR("No such user");
}
72 | ||
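/*
 * Handle one request line read from Squid: parse it, then answer with
 * either the HHA1 or an ERR reply.  buf is modified in place by
 * ParseBuffer().
 */
static void
DoOneRequest(char *buf)
{
    /* Zero-initialise so the backend never sees stack garbage in fields
     * that ParseBuffer() does not set (only user, realm and parsed are
     * written before OutputHHA1() hands the struct to the backend). */
    RequestData requestData = {0};

    ParseBuffer(buf, &requestData);
    if (!requestData.parsed) {
        SEND_ERR("");   /* malformed line: ERR with no message */
        return;
    }
    OutputHHA1(&requestData);
}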
84 | ||
/*
 * Hand the command line to the LDAP backend.  LDAPArguments() returning
 * zero means the options were accepted; any other value is fatal and is
 * used as the process exit status.
 */
static void
ProcessArguments(int argc, char **argv)
{
    int rc = LDAPArguments(argc, argv);

    if (rc != 0)
        exit(rc);
}
93 | ||
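/*
 * Helper main loop: read one request line at a time from stdin and write
 * exactly one reply per line to stdout.
 */
int
main(int argc, char **argv)
{
    char buf[HELPER_INPUT_BUFFER];

    /* Squid blocks waiting for each reply, so stdout must not be buffered. */
    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);

    while (fgets(buf, sizeof buf, stdin) != NULL) {
        /* A line longer than the buffer arrives in several fgets() pieces.
         * Answering each piece as its own request would emit more replies
         * than Squid sent requests; drain the rest of the line and answer
         * it once.  A final line without a newline at EOF is still a
         * complete request. */
        if (strchr(buf, '\n') == NULL && !feof(stdin)) {
            int c;
            while ((c = getchar()) != EOF && c != '\n')
                ;
            SEND_ERR("Request line too long");
            continue;
        }
        DoOneRequest(buf);
    }
    return 0;
}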