| 89f77e43 |
1 | /* |
| 2 | * digest_pw_auth.c |
| 3 | * |
| 4 | * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet |
| 5 | * <Arjan.deVet@adv.iae.nl> |
| 6 | * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com> |
| 7 | * |
| 8 | * Example digest authentication program for Squid, based on the original |
| 9 | * proxy_auth code from client_side.c, written by |
| 10 | * Jon Thackray <jrmt@uk.gdscorp.com>. |
| 11 | * |
| 12 | * - comment lines are possible and should start with a '#'; |
| 13 | * - empty or blank lines are possible; |
| 14 | * - file format is username:password |
| 26ac0430 |
15 | * |
| 89f77e43 |
16 | * To build a directory integrated backend, you need to be able to |
| 17 | * calculate the HA1 returned to squid. To avoid storing a plaintext |
| 18 | * password you can calculate MD5(username:realm:password) when the |
| 19 | * user changes their password, and store the tuple username:realm:HA1. |
| 20 | * then find the matching username:realm when squid asks for the |
| 21 | * HA1. |
| 22 | * |
| 23 | * This implementation could be improved by using such a triple for |
| 24 | * the file format. However storing such a triple does little to |
| 25 | * improve security: If compromised the username:realm:HA1 combination |
| 26 | * is "plaintext equivalent" - for the purposes of digest authentication |
| 27 | * they allow the user access. Password syncronisation is not tackled |
| 28 | * by digest - just preventing on the wire compromise. |
| 29 | * |
| 30 | * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org> |
| 31 | */ |
| 56ff4687 |
32 | #include "config.h" |
| 89f77e43 |
33 | #include "digest_common.h" |
| 56ff4687 |
34 | #include "helpers/defines.h" |
| 89f77e43 |
35 | #include "ldap_backend.h" |
| 89f77e43 |
36 | |
| 56ff4687 |
37 | #define PROGRAM_NAME "digest_edirectory_auth" |
| 89f77e43 |
38 | |
| e9505fad |
39 | static void |
| 89f77e43 |
40 | GetHHA1(RequestData * requestData) |
| 41 | { |
| 42 | LDAPHHA1(requestData); |
| 43 | } |
| 44 | |
| 45 | static void |
| 46 | ParseBuffer(char *buf, RequestData * requestData) |
| 47 | { |
| 48 | char *p; |
| 49 | requestData->parsed = 0; |
| 50 | if ((p = strchr(buf, '\n')) != NULL) |
| 26ac0430 |
51 | *p = '\0'; /* strip \n */ |
| 89f77e43 |
52 | if ((requestData->user = strtok(buf, "\"")) == NULL) |
| 26ac0430 |
53 | return; |
| 89f77e43 |
54 | if ((requestData->realm = strtok(NULL, "\"")) == NULL) |
| 26ac0430 |
55 | return; |
| 89f77e43 |
56 | if ((requestData->realm = strtok(NULL, "\"")) == NULL) |
| 26ac0430 |
57 | return; |
| 89f77e43 |
58 | requestData->parsed = -1; |
| 59 | } |
| 60 | |
| 61 | static void |
| 62 | OutputHHA1(RequestData * requestData) |
| 63 | { |
| 64 | requestData->error = 0; |
| 65 | GetHHA1(requestData); |
| 66 | if (requestData->error) { |
| 56ff4687 |
67 | SEND_ERR("No such user"); |
| 26ac0430 |
68 | return; |
| 89f77e43 |
69 | } |
| 70 | printf("%s\n", requestData->HHA1); |
| 71 | } |
| 72 | |
| 73 | static void |
| 74 | DoOneRequest(char *buf) |
| 75 | { |
| 76 | RequestData requestData; |
| 77 | ParseBuffer(buf, &requestData); |
| 78 | if (!requestData.parsed) { |
| 56ff4687 |
79 | SEND_ERR(""); |
| 26ac0430 |
80 | return; |
| 89f77e43 |
81 | } |
| 82 | OutputHHA1(&requestData); |
| 83 | } |
| 84 | |
| e9505fad |
85 | static void |
| 89f77e43 |
86 | ProcessArguments(int argc, char **argv) |
| 87 | { |
| 88 | int i; |
| 89 | i = LDAPArguments(argc, argv); |
| 90 | if (i) |
| 26ac0430 |
91 | exit(i); |
| 89f77e43 |
92 | } |
| 93 | |
| 94 | int |
| 95 | main(int argc, char **argv) |
| 96 | { |
| 56ff4687 |
97 | char buf[HELPER_INPUT_BUFFER]; |
| 89f77e43 |
98 | setbuf(stdout, NULL); |
| 99 | ProcessArguments(argc, argv); |
| 56ff4687 |
100 | while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) |
| 26ac0430 |
101 | DoOneRequest(buf); |
| 89f77e43 |
102 | exit(0); |
| 103 | } |
projects / thirdparty / squid.git / blame