89f77e43 | 1 | /* |
2 | * digest_pw_auth.c | |
3 | * | |
4 | * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet | |
5 | * <Arjan.deVet@adv.iae.nl> | |
6 | * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com> | |
7 | * | |
8 | * Example digest authentication program for Squid, based on the original | |
9 | * proxy_auth code from client_side.c, written by | |
10 | * Jon Thackray <jrmt@uk.gdscorp.com>. | |
11 | * | |
12 | * - comment lines are possible and should start with a '#'; | |
13 | * - empty or blank lines are possible; | |
14 | * - file format is username:password | |
15 | * | |
16 | * To build a directory integrated backend, you need to be able to | |
17 | * calculate the HA1 returned to squid. To avoid storing a plaintext | |
18 | * password you can calculate MD5(username:realm:password) when the | |
19 | * user changes their password, and store the tuple username:realm:HA1. | |
20 | * then find the matching username:realm when squid asks for the | |
21 | * HA1. | |
22 | * | |
23 | * This implementation could be improved by using such a triple for | |
24 | * the file format. However storing such a triple does little to | |
25 | * improve security: If compromised the username:realm:HA1 combination | |
26 | * is "plaintext equivalent" - for the purposes of digest authentication | |
27 | * they allow the user access. Password synchronisation is not tackled | |
28 | * by digest - it only prevents on-the-wire compromise of the password. | |
29 | * | |
30 | * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org> | |
31 | */ | |
32 | ||
33 | #include "digest_common.h" | |
34 | #include "ldap_backend.h" | |
35 | #define PROGRAM_NAME "digest_ldap_auth" | |
36 | ||
37 | ||
/*
 * Fetch the H(A1) for the user/realm in requestData.
 * This build delegates entirely to the LDAP backend; on failure the
 * backend is expected to set requestData->error (checked by OutputHHA1).
 */
void
GetHHA1(RequestData * requestData)
{
    /* Nothing to compute locally: the directory holds the HA1. */
    LDAPHHA1(requestData);
}
43 | ||
/*
 * Split one request line from Squid into user and realm.
 *
 * The line is tokenised on double quotes, so the expected shape is
 *   "user":"realm"
 * The text between the two quoted fields (normally ':') is consumed but
 * never validated.  Because strtok() skips runs of delimiters, an empty
 * quoted field ("") is not parsed as an empty string - the line is
 * rejected instead.  A line containing no quotes at all is rejected too.
 *
 * On success requestData->parsed is -1 and user/realm point into buf
 * (buf is modified in place and must outlive requestData); on failure
 * parsed is 0 and user/realm must not be used.
 *
 * NOTE(review): user and realm are attacker-controlled (they come from
 * the client's Authorization header) and are handed to the LDAP backend
 * unescaped here; the backend must escape them for filter/DN use before
 * querying the directory.  That code is not visible in this file.
 */
static void
ParseBuffer(char *buf, RequestData * requestData)
{
    char *nl;

    requestData->parsed = 0;

    /* Drop the trailing newline fgets() leaves in place. */
    nl = strchr(buf, '\n');
    if (nl != NULL)
        *nl = '\0';

    requestData->user = strtok(buf, "\"");
    if (requestData->user == NULL)
        return;

    /* Consume the separator between the two quoted fields. */
    requestData->realm = strtok(NULL, "\"");
    if (requestData->realm == NULL)
        return;

    /* The realm proper. */
    requestData->realm = strtok(NULL, "\"");
    if (requestData->realm == NULL)
        return;

    requestData->parsed = -1;
}
59 | ||
/*
 * Look up the H(A1) for the parsed request and write the helper reply.
 *
 * Writes exactly one line to stdout: the hex H(A1) on success, or
 * "ERR No such user" when the backend flagged requestData->error.
 * The reply goes to Squid, not to the client; the distinction between
 * this message and the bare "ERR" for a malformed line is presumably
 * only for helper debugging.
 */
static void
OutputHHA1(RequestData * requestData)
{
    /* The backend only sets error, never clears it, so reset first. */
    requestData->error = 0;
    GetHHA1(requestData);

    if (!requestData->error)
        printf("%s\n", requestData->HHA1);
    else
        printf("ERR No such user\n");
}
71 | ||
/*
 * Handle a single request line: parse it, then either answer with the
 * H(A1) lookup result or with a bare "ERR" for a line that did not parse.
 * buf is modified in place by the parser.
 */
static void
DoOneRequest(char *buf)
{
    RequestData requestData;

    ParseBuffer(buf, &requestData);
    if (requestData.parsed)
        OutputHHA1(&requestData);
    else
        printf("ERR\n");
}
83 | ||
/*
 * Hand the command line to the LDAP backend's option parser.
 * A non-zero return from LDAPArguments() is treated as fatal and becomes
 * the process exit status.
 */
void
ProcessArguments(int argc, char **argv)
{
    int rc = LDAPArguments(argc, argv);

    if (rc != 0)
        exit(rc);
}
92 | ||
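/*
 * Helper main loop: read one request line per iteration from stdin and
 * answer each with exactly one reply line on stdout.
 *
 * The helper protocol matches replies to requests by order, so the
 * one-line-in / one-line-out invariant matters: if a request line is
 * longer than the buffer, fgets() would otherwise return it in pieces and
 * each piece would be answered separately, desynchronising every reply
 * that follows.  An over-long line is therefore drained and answered with
 * a single "ERR".  (A final unterminated line that exactly fills the
 * buffer is also treated as over-long.)
 */
int
main(int argc, char **argv)
{
    char buf[256];

    /* Replies must reach Squid immediately, not sit in a stdio buffer. */
    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);

    while (fgets(buf, sizeof buf, stdin) != NULL) {
        if (strchr(buf, '\n') == NULL && !feof(stdin)) {
            /* Partial line: discard the rest so it is not read as a
             * second request, then give this request one reply. */
            int c;
            while ((c = getchar()) != EOF && c != '\n')
                ;
            printf("ERR\n");
            continue;
        }
        DoOneRequest(buf);
    }
    exit(0);
}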