[thirdparty/squid.git] / helpers / digest_auth / eDirectory / digest_pw_auth.c

/*
 * digest_pw_auth.c
 *
 * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet
 * <Arjan.deVet@adv.iae.nl>
 * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com>
 *
 * Example digest authentication program for Squid, based on the original
 * proxy_auth code from client_side.c, written by
 * Jon Thackray <jrmt@uk.gdscorp.com>.
 *
 * - comment lines are possible and should start with a '#';
 * - empty or blank lines are possible;
 * - file format is username:password
 * 
 * To build a directory integrated backend, you need to be able to
 * calculate the HA1 returned to squid. To avoid storing a plaintext
 * password you can calculate MD5(username:realm:password) when the
 * user changes their password, and store the tuple username:realm:HA1.
 * then find the matching username:realm when squid asks for the
 * HA1.
 *
 * This implementation could be improved by using such a triple for
 * the file format.  However storing such a triple does little to
 * improve security: If compromised the username:realm:HA1 combination
 * is "plaintext equivalent" - for the purposes of digest authentication
 * they allow the user access. Password syncronisation is not tackled
 * by digest - just preventing on the wire compromise.
 *
 * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
 */

#include "digest_common.h"
#include "ldap_backend.h"
#define PROGRAM_NAME "digest_ldap_auth"


void
GetHHA1(RequestData * requestData)
{
    LDAPHHA1(requestData);
}

static void
ParseBuffer(char *buf, RequestData * requestData)
{
    char *p;
    requestData->parsed = 0;
    if ((p = strchr(buf, '\n')) != NULL)
	*p = '\0';		/* strip \n */
    if ((requestData->user = strtok(buf, "\"")) == NULL)
	return;
    if ((requestData->realm = strtok(NULL, "\"")) == NULL)
	return;
    if ((requestData->realm = strtok(NULL, "\"")) == NULL)
	return;
    requestData->parsed = -1;
}

static void
OutputHHA1(RequestData * requestData)
{
    requestData->error = 0;
    GetHHA1(requestData);
    if (requestData->error) {
	printf("ERR No such user\n");
	return;
    }
    printf("%s\n", requestData->HHA1);
}

static void
DoOneRequest(char *buf)
{
    RequestData requestData;
    ParseBuffer(buf, &requestData);
    if (!requestData.parsed) {
	printf("ERR\n");
	return;
    }
    OutputHHA1(&requestData);
}

void
ProcessArguments(int argc, char **argv)
{
    int i;
    i = LDAPArguments(argc, argv);
    if (i)
	exit(i);
}

int
main(int argc, char **argv)
{
    char buf[256];
    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);
    while (fgets(buf, 256, stdin) != NULL)
	DoOneRequest(buf);
    exit(0);
}
Commit	Line	Data
89f77e43	1	/*
	2	* digest_pw_auth.c
	3	*
	4	* AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet
	5	* <Arjan.deVet@adv.iae.nl>
	6	* LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com>
	7	*
	8	* Example digest authentication program for Squid, based on the original
	9	* proxy_auth code from client_side.c, written by
	10	* Jon Thackray <jrmt@uk.gdscorp.com>.
	11	*
	12	* - comment lines are possible and should start with a '#';
	13	* - empty or blank lines are possible;
	14	* - file format is username:password
	15	*
	16	* To build a directory integrated backend, you need to be able to
	17	* calculate the HA1 returned to squid. To avoid storing a plaintext
	18	* password you can calculate MD5(username:realm:password) when the
	19	* user changes their password, and store the tuple username:realm:HA1.
	20	* then find the matching username:realm when squid asks for the
	21	* HA1.
	22	*
	23	* This implementation could be improved by using such a triple for
	24	* the file format. However storing such a triple does little to
	25	* improve security: If compromised the username:realm:HA1 combination
	26	* is "plaintext equivalent" - for the purposes of digest authentication
	27	* they allow the user access. Password syncronisation is not tackled
	28	* by digest - just preventing on the wire compromise.
	29	*
	30	* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
	31	*/
	32
	33	#include "digest_common.h"
	34	#include "ldap_backend.h"
	35	#define PROGRAM_NAME "digest_ldap_auth"
	36
	37
	38	void
	39	GetHHA1(RequestData * requestData)
	40	{
	41	LDAPHHA1(requestData);
	42	}
	43
	44	static void
	45	ParseBuffer(char buf, RequestData requestData)
	46	{
	47	char *p;
	48	requestData->parsed = 0;
	49	if ((p = strchr(buf, '\n')) != NULL)
	50	p = '\0'; / strip \n */
	51	if ((requestData->user = strtok(buf, "\"")) == NULL)
	52	return;
	53	if ((requestData->realm = strtok(NULL, "\"")) == NULL)
	54	return;
	55	if ((requestData->realm = strtok(NULL, "\"")) == NULL)
	56	return;
	57	requestData->parsed = -1;
	58	}
	59
	60	static void
	61	OutputHHA1(RequestData * requestData)
	62	{
	63	requestData->error = 0;
	64	GetHHA1(requestData);
65	if (requestData->error) {
66	printf("ERR No such user\n");
67	return;
68	}
69	printf("%s\n", requestData->HHA1);
70	}
71
72	static void
73	DoOneRequest(char *buf)
74	{
75	RequestData requestData;
76	ParseBuffer(buf, &requestData);
77	if (!requestData.parsed) {
78	printf("ERR\n");
79	return;
80	}
81	OutputHHA1(&requestData);
82	}
83
84	void
85	ProcessArguments(int argc, char **argv)
86	{
87	int i;
88	i = LDAPArguments(argc, argv);
89	if (i)
90	exit(i);
91	}
92
93	int
94	main(int argc, char **argv)
95	{
96	char buf[256];
97	setbuf(stdout, NULL);
98	ProcessArguments(argc, argv);
99	while (fgets(buf, 256, stdin) != NULL)
100	DoOneRequest(buf);
101	exit(0);
102	}