[thirdparty/squid.git] / helpers / ntlm_auth / SSPI / ntlm_sspi_auth.cc

/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * ntlm_sspi_auth: helper for NTLM Authentication for Squid Cache
 *
 * (C)2002,2005 Guido Serassio - Acme Consulting S.r.l.
 *
 * Authors:
 *  Guido Serassio <guido.serassio@acmeconsulting.it>
 *  Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
 *
 * With contributions from others mentioned in the change history section
 * below.
 *
 * Based on previous work of Francesco Chemolli and Robert Collins.
 *
 * Dependencies: Windows NT4 SP4 and later.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 * History:
 *
 * Version 1.22
 * 29-10-2005 Guido Serassio
 *              Updated for Negotiate auth support.
 * Version 1.21
 * 21-02-2004 Guido Serassio
 *              Removed control of use of NTLM NEGOTIATE packet from
 *              command line, now the support is automatic.
 * Version 1.20
 * 30-11-2003 Guido Serassio
 *              Added support for NTLM local calls.
 *              Added control of use of NTLM NEGOTIATE packet from
 *              command line.
 *              Updated documentation.
 * Version 1.10
 * 07-09-2003 Guido Serassio
 *              Now is true NTLM authenticator.
 *              More debug info.
 *              Updated documentation.
 * Version 1.0
 * 29-06-2002 Guido Serassio
 *              First release.
 *
 *
 */

/************* CONFIGURATION ***************/

#define FAIL_DEBUG 0

/************* END CONFIGURATION ***************/

//typedef unsigned char uchar;

#include "squid.h"
#include "base64.h"
#include "helpers/defines.h"
#include "ntlmauth/ntlmauth.h"
#include "ntlmauth/support_bits.cci"
#include "sspwin32.h"
#include "util.h"

#include <windows.h>
#include <sspi.h>
#include <security.h>
#if HAVE_CTYPE_H
#include <ctype.h>
#endif
#if HAVE_GETOPT_H
#include <getopt.h>
#endif
#include <lm.h>
#include <ntsecapi.h>

int NTLM_packet_debug_enabled = 0;
static int have_challenge;
char * NTAllowedGroup;
char * NTDisAllowedGroup;
int UseDisallowedGroup = 0;
int UseAllowedGroup = 0;

#if FAIL_DEBUG
int fail_debug_enabled = 0;
#endif

/* returns 1 on success, 0 on failure */
int
Valid_Group(char *UserName, char *Group)
{
    int result = FALSE;
    WCHAR wszUserName[UNLEN+1];	// Unicode user name
    WCHAR wszGroup[GNLEN+1];	// Unicode Group

    LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
    LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
    DWORD dwLevel = 0;
    DWORD dwFlags = LG_INCLUDE_INDIRECT;
    DWORD dwPrefMaxLen = -1;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nStatus;
    DWORD i;
    DWORD dwTotalCount = 0;

    /* Convert ANSI User Name and Group to Unicode */

    MultiByteToWideChar(CP_ACP, 0, UserName,
                        strlen(UserName) + 1, wszUserName,
                        sizeof(wszUserName) / sizeof(wszUserName[0]));
    MultiByteToWideChar(CP_ACP, 0, Group,
                        strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));

    /*
     * Call the NetUserGetLocalGroups function
     * specifying information level 0.
     *
     * The LG_INCLUDE_INDIRECT flag specifies that the
     * function should also return the names of the local
     * groups in which the user is indirectly a member.
     */
    nStatus = NetUserGetLocalGroups(NULL,
                                    wszUserName,
                                    dwLevel,
                                    dwFlags,
                                    (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
    /*
     * If the call succeeds,
     */
    if (nStatus == NERR_Success) {
        if ((pTmpBuf = pBuf) != NULL) {
            for (i = 0; i < dwEntriesRead; ++i) {
                if (pTmpBuf == NULL) {
                    result = FALSE;
                    break;
                }
                if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
                    result = TRUE;
                    break;
                }
                ++pTmpBuf;
                ++dwTotalCount;
            }
        }
    } else
        result = FALSE;
    /*
     * Free the allocated memory.
     */
    if (pBuf != NULL)
        NetApiBufferFree(pBuf);
    return result;
}

char * AllocStrFromLSAStr(LSA_UNICODE_STRING LsaStr)
{
    size_t len;
    static char * target;

    len = LsaStr.Length/sizeof(WCHAR) + 1;

    /* allocate buffer for str + null termination */
    safe_free(target);
    target = (char *)xmalloc(len);
    if (target == NULL)
        return NULL;

    /* copy unicode buffer */
    WideCharToMultiByte(CP_ACP, 0, LsaStr.Buffer, LsaStr.Length, target, len, NULL, NULL );

    /* add null termination */
    target[len-1] = '\0';
    return target;
}

char * GetDomainName(void)

{
    LSA_HANDLE PolicyHandle;
    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
    NTSTATUS status;
    PPOLICY_PRIMARY_DOMAIN_INFO ppdiDomainInfo;
    PWKSTA_INFO_100 pwkiWorkstationInfo;
    DWORD netret;
    char * DomainName = NULL;

    /*
     * Always initialize the object attributes to all zeroes.
     */
    memset(&ObjectAttributes, '\0', sizeof(ObjectAttributes));

    /*
     * You need the local workstation name. Use NetWkstaGetInfo at level
     * 100 to retrieve a WKSTA_INFO_100 structure.
     *
     * The wki100_computername field contains a pointer to a UNICODE
     * string containing the local computer name.
     */
    netret = NetWkstaGetInfo(NULL, 100, (LPBYTE *)&pwkiWorkstationInfo);
    if (netret == NERR_Success) {
        /*
         * We have the workstation name in:
         * pwkiWorkstationInfo->wki100_computername
         *
         * Next, open the policy object for the local system using
         * the LsaOpenPolicy function.
         */
        status = LsaOpenPolicy(
                     NULL,
                     &ObjectAttributes,
                     GENERIC_READ | POLICY_VIEW_LOCAL_INFORMATION,
                     &PolicyHandle
                 );

        /*
         * Error checking.
         */
        if (status) {
            debug("OpenPolicy Error: %ld\n", status);
        } else {

            /*
             * You have a handle to the policy object. Now, get the
             * domain information using LsaQueryInformationPolicy.
             */
            status = LsaQueryInformationPolicy(PolicyHandle,
                                               PolicyPrimaryDomainInformation,
                                               (void **)&ppdiDomainInfo);
            if (status) {
                debug("LsaQueryInformationPolicy Error: %ld\n", status);
            } else  {

                /* Get name in useable format */
                DomainName = AllocStrFromLSAStr(ppdiDomainInfo->Name);

                /*
                 * Check the Sid pointer, if it is null, the
                 * workstation is either a stand-alone computer
                 * or a member of a workgroup.
                 */
                if (ppdiDomainInfo->Sid) {

                    /*
                     * Member of a domain. Display it in debug mode.
                     */
                    debug("Member of Domain %s\n",DomainName);
                } else {
                    DomainName = NULL;
                }
            }
        }

        /*
         * Clean up all the memory buffers created by the LSA and
         * Net* APIs.
         */
        NetApiBufferFree(pwkiWorkstationInfo);
        LsaFreeMemory((LPVOID)ppdiDomainInfo);
    } else
        debug("NetWkstaGetInfo Error: %ld\n", netret);
    return DomainName;
}

/*
 * Fills auth with the user's credentials.
 *
 * In case of problem returns one of the
 * codes defined in libntlmauth/ntlmauth.h
 */
int
ntlm_check_auth(ntlm_authenticate * auth, char *user, char *domain, int auth_length)
{
    int x;
    int rv;
    char credentials[DNLEN+UNLEN+2];	/* we can afford to waste */

    if (!NTLM_LocalCall) {

        user[0] = '\0';
        domain[0] = '\0';
        x = ntlm_unpack_auth(auth, user, domain, auth_length);

        if (x != NTLM_ERR_NONE)
            return x;

        if (domain[0] == '\0') {
            debug("No domain supplied. Returning no-auth\n");
            return NTLM_BAD_REQUEST;
        }
        if (user[0] == '\0') {
            debug("No username supplied. Returning no-auth\n");
            return NTLM_BAD_REQUEST;
        }
        debug("checking domain: '%s', user: '%s'\n", domain, user);

    } else
        debug("checking local user\n");

    snprintf(credentials, DNLEN+UNLEN+2, "%s\\%s", domain, user);

    rv = SSP_ValidateNTLMCredentials(auth, auth_length, credentials);

    debug("Login attempt had result %d\n", rv);

    if (!rv) {			/* failed */
        return NTLM_SSPI_ERROR;
    }

    if (UseAllowedGroup) {
        if (!Valid_Group(credentials, NTAllowedGroup)) {
            debug("User %s not in allowed Group %s\n", credentials, NTAllowedGroup);
            return NTLM_BAD_NTGROUP;
        }
    }
    if (UseDisallowedGroup) {
        if (Valid_Group(credentials, NTDisAllowedGroup)) {
            debug("User %s is in denied Group %s\n", credentials, NTDisAllowedGroup);
            return NTLM_BAD_NTGROUP;
        }
    }

    debug("credentials: %s\n", credentials);
    return NTLM_ERR_NONE;
}

void
helperfail(const char *reason)
{
#if FAIL_DEBUG
    fail_debug_enabled =1;
#endif
    SEND_BH(reason);
}

/*
  options:
  -d enable debugging.
  -v enable verbose NTLM packet debugging.
  -A can specify a Windows Local Group name allowed to authenticate.
  -D can specify a Windows Local Group name not allowed to authenticate.
 */
char *my_program_name = NULL;

void
usage()
{
    fprintf(stderr,
            "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-h]\n"
            " -d  enable debugging.\n"
            " -v  enable verbose NTLM packet debugging.\n"
            " -A  specify a Windows Local Group name allowed to authenticate\n"
            " -D  specify a Windows Local Group name not allowed to authenticate\n"
            " -h  this message\n\n",
            my_program_name);
}

void
process_options(int argc, char *argv[])
{
    int opt, had_error = 0;

    opterr =0;
    while (-1 != (opt = getopt(argc, argv, "hdvA:D:"))) {
        switch (opt) {
        case 'A':
            safe_free(NTAllowedGroup);
            NTAllowedGroup=xstrdup(optarg);
            UseAllowedGroup = 1;
            break;
        case 'D':
            safe_free(NTDisAllowedGroup);
            NTDisAllowedGroup=xstrdup(optarg);
            UseDisallowedGroup = 1;
            break;
        case 'd':
            debug_enabled = 1;
            break;
        case 'v':
            debug_enabled = 1;
            NTLM_packet_debug_enabled = 1;
            break;
        case 'h':
            usage();
            exit(0);
        case '?':
            opt = optopt;
            /* fall thru to default */
        default:
            fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
            usage();
            had_error = 1;
        }
    }
    if (had_error)
        exit(1);
}

int
manage_request()
{
    ntlmhdr *fast_header;
    char buf[HELPER_INPUT_BUFFER];
    char decoded[HELPER_INPUT_BUFFER];
    int decodedLen;
    char helper_command[3];
    int oversized = 0;
    char * ErrorMessage;
    static ntlm_negotiate local_nego;
    char domain[DNLEN+1];
    char user[UNLEN+1];

    /* NP: for some reason this helper sometimes needs to accept
     * from clients that send no negotiate packet. */
    if (memcpy(local_nego.hdr.signature, "NTLMSSP", 8) != 0) {
        memset(&local_nego, 0, sizeof(ntlm_negotiate));	/* reset */
        memcpy(local_nego.hdr.signature, "NTLMSSP", 8);     /* set the signature */
        local_nego.hdr.type = le32toh(NTLM_NEGOTIATE);      /* this is a challenge */
        local_nego.flags = le32toh(NTLM_NEGOTIATE_ALWAYS_SIGN |
                                   NTLM_NEGOTIATE_USE_NTLM |
                                   NTLM_NEGOTIATE_USE_LM |
                                   NTLM_NEGOTIATE_ASCII );
    }

    do {
        if (fgets(buf, sizeof(buf), stdin) == NULL)
            return 0;

        char *c = static_cast<char*>(memchr(buf, '\n', sizeof(buf)));
        if (c) {
            if (oversized) {
                helperfail("messge=\"illegal request received\"");
                fprintf(stderr, "Illegal request received: '%s'\n", buf);
                return 1;
            }
            *c = '\0';
        } else {
            fprintf(stderr, "No newline in '%s'\n", buf);
            oversized = 1;
            continue;
        }
    } while (false);

    if ((strlen(buf) > 3) && NTLM_packet_debug_enabled) {
        decodedLen = base64_decode(decoded, sizeof(decoded), buf+3);
        strncpy(helper_command, buf, 2);
        debug("Got '%s' from Squid with data:\n", helper_command);
        hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
    } else
        debug("Got '%s' from Squid\n", buf);
    if (memcmp(buf, "YR", 2) == 0) {	/* refresh-request */
        /* figure out what we got */
        if (strlen(buf) > 3)
            decodedLen = base64_decode(decoded, sizeof(decoded), buf+3);
        else {
            debug("Negotiate packet not supplied - self generated\n");
            memcpy(decoded, &local_nego, sizeof(local_nego));
            decodedLen = sizeof(local_nego);
        }
        if ((size_t)decodedLen < sizeof(ntlmhdr)) {		/* decoding failure, return error */
            SEND_ERR("message=\"Packet format error, couldn't base64-decode\"");
            return 1;
        }
        /* fast-track-decode request type. */
        fast_header = (struct _ntlmhdr *) decoded;

        /* sanity-check: it IS a NTLMSSP packet, isn't it? */
        if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) {
            SEND_ERR("message=\"Broken authentication packet\"");
            return 1;
        }
        switch (fast_header->type) {
        case NTLM_NEGOTIATE: {
            /* Obtain challenge against SSPI */
            debug("attempting SSPI challenge retrieval\n");
            char *c = (char *) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen);
            if (c) {
                SEND_TT(c);
                if (NTLM_packet_debug_enabled) {
                    decodedLen = base64_decode(decoded, sizeof(decoded), c);
                    debug("send 'TT' to squid with data:\n");
                    hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
                    if (NTLM_LocalCall) {
                        debug("NTLM Local Call detected\n");
                    }
                }
                have_challenge = 1;
            } else
                helperfail("message=\"can't obtain challenge\"");

            return 1;
        }
        /* notreached */
        case NTLM_CHALLENGE:
            SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\"");
            return 1;
            /* notreached */
        case NTLM_AUTHENTICATE:
            SEND_ERR("message=\"Got authentication request instead of negotiate request\"");
            return 1;
            /* notreached */
        default:
            helperfail("message=\"unknown refresh-request packet type\"");
            return 1;
        }
        return 1;
    }
    if (memcmp(buf, "KK ", 3) == 0) {	/* authenticate-request */
        if (!have_challenge) {
            helperfail("message=\"invalid challenge\"");
            return 1;
        }
        /* figure out what we got */
        decodedLen = base64_decode(decoded, sizeof(decoded), buf+3);

        if ((size_t)decodedLen < sizeof(ntlmhdr)) {		/* decoding failure, return error */
            SEND_ERR("message=\"Packet format error, couldn't base64-decode\"");
            return 1;
        }
        /* fast-track-decode request type. */
        fast_header = (struct _ntlmhdr *) decoded;

        /* sanity-check: it IS a NTLMSSP packet, isn't it? */
        if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) {
            SEND_ERR("message=\"Broken authentication packet\"");
            return 1;
        }
        switch (fast_header->type) {
        case NTLM_NEGOTIATE:
            SEND_ERR("message=\"Invalid negotiation request received\"");
            return 1;
            /* notreached */
        case NTLM_CHALLENGE:
            SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\"");
            return 1;
            /* notreached */
        case NTLM_AUTHENTICATE: {
            /* check against SSPI */
            int err = ntlm_check_auth((ntlm_authenticate *) decoded, user, domain, decodedLen);
            have_challenge = 0;
            if (err != NTLM_ERR_NONE) {
#if FAIL_DEBUG
                fail_debug_enabled =1;
#endif
                switch (err) {
                case NTLM_ERR_NONE:
                    break;
                case NTLM_BAD_NTGROUP:
                    SEND_ERR("message=\"Incorrect Group Membership\"");
                    return 1;
                case NTLM_BAD_REQUEST:
                    SEND_ERR("message=\"Incorrect Request Format\"");
                    return 1;
                case NTLM_SSPI_ERROR:
                    FormatMessage(
                        FORMAT_MESSAGE_ALLOCATE_BUFFER |
                        FORMAT_MESSAGE_FROM_SYSTEM |
                        FORMAT_MESSAGE_IGNORE_INSERTS,
                        NULL,
                        GetLastError(),
                        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
                        (LPTSTR) &ErrorMessage,
                        0,
                        NULL);
                    if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
                        ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
                    if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
                        ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
                    SEND_ERR(ErrorMessage); // TODO update to new syntax
                    LocalFree(ErrorMessage);
                    return 1;
                default:
                    SEND_ERR("message=\"Unknown Error\"");
                    return 1;
                }
            }
            /* let's lowercase them for our convenience */
            lc(domain);
            lc(user);
            fprintf(stdout, "OK user=\"%s\\%s\"", domain, user);
            return 1;
        }
        default:
            helperfail("message=\"unknown authentication packet type\"");
            return 1;
        }
        return 1;
    } else {	/* not an auth-request */
        helperfail("message=\"illegal request received\"");
        fprintf(stderr, "Illegal request received: '%s'\n", buf);
        return 1;
    }
    helperfail("message=\"detected protocol error\"");
    return 1;
    /********* END ********/
}

int
main(int argc, char *argv[])
{
    my_program_name = argv[0];

    process_options(argc, argv);

    debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name);

    if (LoadSecurityDll(SSP_NTLM, NTLM_PACKAGE_NAME) == NULL) {
        fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n");
        exit(1);
    }
    debug("SSPI initialized OK\n");

    atexit(UnloadSecurityDll);

    /* initialize FDescs */
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);

    while (manage_request()) {
        /* everything is done within manage_request */
    }
    exit(0);
}
Commit	Line	Data
ca02e0ec AJ	1	/*
	2	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
6e785d85	9	/*
bc25525a	10	* ntlm_sspi_auth: helper for NTLM Authentication for Squid Cache
6e785d85	11	*
9af66127	12	* (C)2002,2005 Guido Serassio - Acme Consulting S.r.l.
6e785d85	13	*
	14	* Authors:
	15	* Guido Serassio <guido.serassio@acmeconsulting.it>
	16	* Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
	17	*
	18	* With contributions from others mentioned in the change history section
	19	* below.
	20	*
	21	* Based on previous work of Francesco Chemolli and Robert Collins.
	22	*
	23	* Dependencies: Windows NT4 SP4 and later.
	24	*
	25	* This program is free software; you can redistribute it and/or modify
	26	* it under the terms of the GNU General Public License as published by
	27	* the Free Software Foundation; either version 2 of the License, or
	28	* (at your option) any later version.
	29	*
	30	* This program is distributed in the hope that it will be useful,
	31	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	32	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	33	* GNU General Public License for more details.
	34	*
	35	* You should have received a copy of the GNU General Public License
	36	* along with this program; if not, write to the Free Software
	37	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	38	*
	39	* History:
	40	*
9af66127	41	* Version 1.22
	42	* 29-10-2005 Guido Serassio
	43	* Updated for Negotiate auth support.
6e785d85	44	* Version 1.21
	45	* 21-02-2004 Guido Serassio
	46	* Removed control of use of NTLM NEGOTIATE packet from
	47	* command line, now the support is automatic.
	48	* Version 1.20
	49	* 30-11-2003 Guido Serassio
	50	* Added support for NTLM local calls.
	51	* Added control of use of NTLM NEGOTIATE packet from
	52	* command line.
	53	* Updated documentation.
	54	* Version 1.10
	55	* 07-09-2003 Guido Serassio
	56	* Now is true NTLM authenticator.
	57	* More debug info.
	58	* Updated documentation.
	59	* Version 1.0
	60	* 29-06-2002 Guido Serassio
	61	* First release.
	62	*
	63	*
	64	*/
	65
bc25525a AJ	66	/*********** CONFIGURATION *************/
	67
	68	#define FAIL_DEBUG 0
	69
	70	/*********** END CONFIGURATION *************/
	71
6ad14574	72	//typedef unsigned char uchar;
bc25525a	73
f7f3304a	74	#include "squid.h"
6ad14574	75	#include "base64.h"
bc25525a	76	#include "helpers/defines.h"
6ad14574 AJ	77	#include "ntlmauth/ntlmauth.h"
6ad14574 AJ	78	#include "ntlmauth/support_bits.cci"
bc25525a	79	#include "sspwin32.h"
6e785d85	80	#include "util.h"
bc25525a AJ	81
	82	#include <windows.h>
	83	#include <sspi.h>
	84	#include <security.h>
6e785d85	85	#if HAVE_CTYPE_H
	86	#include <ctype.h>
	87	#endif
bc25525a AJ	88	#if HAVE_GETOPT_H
	89	#include <getopt.h>
	90	#endif
	91	#include <lm.h>
	92	#include <ntsecapi.h>
6e785d85	93
6e785d85	94	int NTLM_packet_debug_enabled = 0;
6e785d85	95	static int have_challenge;
6e785d85	96	char * NTAllowedGroup;
	97	char * NTDisAllowedGroup;
	98	int UseDisallowedGroup = 0;
	99	int UseAllowedGroup = 0;
bc25525a	100
6e785d85	101	#if FAIL_DEBUG
	102	int fail_debug_enabled = 0;
	103	#endif
	104
bc25525a AJ	105	/* returns 1 on success, 0 on failure */
	106	int
	107	Valid_Group(char UserName, char Group)
6e785d85	108	{
bc25525a AJ	109	int result = FALSE;
	110	WCHAR wszUserName[UNLEN+1]; // Unicode user name
	111	WCHAR wszGroup[GNLEN+1]; // Unicode Group
	112
	113	LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
	114	LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
	115	DWORD dwLevel = 0;
	116	DWORD dwFlags = LG_INCLUDE_INDIRECT;
	117	DWORD dwPrefMaxLen = -1;
	118	DWORD dwEntriesRead = 0;
	119	DWORD dwTotalEntries = 0;
	120	NET_API_STATUS nStatus;
	121	DWORD i;
	122	DWORD dwTotalCount = 0;
	123
	124	/* Convert ANSI User Name and Group to Unicode */
	125
	126	MultiByteToWideChar(CP_ACP, 0, UserName,
	127	strlen(UserName) + 1, wszUserName,
	128	sizeof(wszUserName) / sizeof(wszUserName[0]));
	129	MultiByteToWideChar(CP_ACP, 0, Group,
	130	strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
	131
	132	/*
	133	* Call the NetUserGetLocalGroups function
	134	* specifying information level 0.
	135	*
	136	* The LG_INCLUDE_INDIRECT flag specifies that the
	137	* function should also return the names of the local
	138	* groups in which the user is indirectly a member.
	139	*/
	140	nStatus = NetUserGetLocalGroups(NULL,
	141	wszUserName,
	142	dwLevel,
	143	dwFlags,
	144	(LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
	145	/*
	146	* If the call succeeds,
	147	*/
	148	if (nStatus == NERR_Success) {
	149	if ((pTmpBuf = pBuf) != NULL) {
755494da	150	for (i = 0; i < dwEntriesRead; ++i) {
bc25525a AJ	151	if (pTmpBuf == NULL) {
	152	result = FALSE;
	153	break;
	154	}
	155	if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
	156	result = TRUE;
	157	break;
	158	}
755494da FC	159	++pTmpBuf;
755494da FC	160	++dwTotalCount;
bc25525a AJ	161	}
	162	}
	163	} else
	164	result = FALSE;
	165	/*
	166	* Free the allocated memory.
	167	*/
	168	if (pBuf != NULL)
	169	NetApiBufferFree(pBuf);
	170	return result;
	171	}
	172
bc25525a AJ	173	char * AllocStrFromLSAStr(LSA_UNICODE_STRING LsaStr)
	174	{
	175	size_t len;
	176	static char * target;
	177
	178	len = LsaStr.Length/sizeof(WCHAR) + 1;
	179
	180	/* allocate buffer for str + null termination */
	181	safe_free(target);
	182	target = (char *)xmalloc(len);
	183	if (target == NULL)
	184	return NULL;
	185
	186	/* copy unicode buffer */
	187	WideCharToMultiByte(CP_ACP, 0, LsaStr.Buffer, LsaStr.Length, target, len, NULL, NULL );
	188
	189	/* add null termination */
	190	target[len-1] = '\0';
	191	return target;
6e785d85	192	}
6e785d85	193
bc25525a AJ	194	char * GetDomainName(void)
bc25525a AJ	195
6e785d85	196	{
bc25525a AJ	197	LSA_HANDLE PolicyHandle;
	198	LSA_OBJECT_ATTRIBUTES ObjectAttributes;
	199	NTSTATUS status;
	200	PPOLICY_PRIMARY_DOMAIN_INFO ppdiDomainInfo;
	201	PWKSTA_INFO_100 pwkiWorkstationInfo;
	202	DWORD netret;
	203	char * DomainName = NULL;
	204
	205	/*
	206	* Always initialize the object attributes to all zeroes.
	207	*/
	208	memset(&ObjectAttributes, '\0', sizeof(ObjectAttributes));
	209
	210	/*
	211	* You need the local workstation name. Use NetWkstaGetInfo at level
	212	* 100 to retrieve a WKSTA_INFO_100 structure.
	213	*
	214	* The wki100_computername field contains a pointer to a UNICODE
	215	* string containing the local computer name.
	216	*/
	217	netret = NetWkstaGetInfo(NULL, 100, (LPBYTE *)&pwkiWorkstationInfo);
	218	if (netret == NERR_Success) {
	219	/*
	220	* We have the workstation name in:
	221	* pwkiWorkstationInfo->wki100_computername
	222	*
	223	* Next, open the policy object for the local system using
	224	* the LsaOpenPolicy function.
	225	*/
	226	status = LsaOpenPolicy(
	227	NULL,
	228	&ObjectAttributes,
	229	GENERIC_READ \| POLICY_VIEW_LOCAL_INFORMATION,
	230	&PolicyHandle
	231	);
	232
	233	/*
	234	* Error checking.
	235	*/
	236	if (status) {
	237	debug("OpenPolicy Error: %ld\n", status);
	238	} else {
	239
	240	/*
	241	* You have a handle to the policy object. Now, get the
	242	* domain information using LsaQueryInformationPolicy.
	243	*/
	244	status = LsaQueryInformationPolicy(PolicyHandle,
	245	PolicyPrimaryDomainInformation,
	246	(void **)&ppdiDomainInfo);
	247	if (status) {
	248	debug("LsaQueryInformationPolicy Error: %ld\n", status);
	249	} else {
	250
	251	/* Get name in useable format */
	252	DomainName = AllocStrFromLSAStr(ppdiDomainInfo->Name);
	253
	254	/*
	255	* Check the Sid pointer, if it is null, the
	256	* workstation is either a stand-alone computer
	257	* or a member of a workgroup.
	258	*/
	259	if (ppdiDomainInfo->Sid) {
	260
261	/*
262	* Member of a domain. Display it in debug mode.
263	*/
264	debug("Member of Domain %s\n",DomainName);
265	} else {
266	DomainName = NULL;
267	}
268	}
269	}
270
271	/*
272	* Clean up all the memory buffers created by the LSA and
273	* Net* APIs.
274	*/
275	NetApiBufferFree(pwkiWorkstationInfo);
276	LsaFreeMemory((LPVOID)ppdiDomainInfo);
277	} else
278	debug("NetWkstaGetInfo Error: %ld\n", netret);
279	return DomainName;
280	}
281
6ad14574 AJ	282	/*
	283	* Fills auth with the user's credentials.
	284	*
	285	* In case of problem returns one of the
bc25525a AJ	286	* codes defined in libntlmauth/ntlmauth.h
	287	*/
	288	int
	289	ntlm_check_auth(ntlm_authenticate * auth, char user, char domain, int auth_length)
	290	{
	291	int x;
	292	int rv;
	293	char credentials[DNLEN+UNLEN+2]; /* we can afford to waste */
bc25525a AJ	294
	295	if (!NTLM_LocalCall) {
	296
	297	user[0] = '\0';
	298	domain[0] = '\0';
	299	x = ntlm_unpack_auth(auth, user, domain, auth_length);
	300
	301	if (x != NTLM_ERR_NONE)
	302	return x;
	303
	304	if (domain[0] == '\0') {
	305	debug("No domain supplied. Returning no-auth\n");
	306	return NTLM_BAD_REQUEST;
	307	}
	308	if (user[0] == '\0') {
	309	debug("No username supplied. Returning no-auth\n");
	310	return NTLM_BAD_REQUEST;
	311	}
	312	debug("checking domain: '%s', user: '%s'\n", domain, user);
	313
	314	} else
	315	debug("checking local user\n");
	316
	317	snprintf(credentials, DNLEN+UNLEN+2, "%s\\%s", domain, user);
	318
	319	rv = SSP_ValidateNTLMCredentials(auth, auth_length, credentials);
	320
	321	debug("Login attempt had result %d\n", rv);
	322
	323	if (!rv) { /* failed */
	324	return NTLM_SSPI_ERROR;
	325	}
	326
	327	if (UseAllowedGroup) {
	328	if (!Valid_Group(credentials, NTAllowedGroup)) {
	329	debug("User %s not in allowed Group %s\n", credentials, NTAllowedGroup);
	330	return NTLM_BAD_NTGROUP;
	331	}
6e785d85	332	}
bc25525a AJ	333	if (UseDisallowedGroup) {
	334	if (Valid_Group(credentials, NTDisAllowedGroup)) {
	335	debug("User %s is in denied Group %s\n", credentials, NTDisAllowedGroup);
	336	return NTLM_BAD_NTGROUP;
	337	}
	338	}
	339
	340	debug("credentials: %s\n", credentials);
	341	return NTLM_ERR_NONE;
6e785d85	342	}
	343
	344	void
	345	helperfail(const char *reason)
	346	{
	347	#if FAIL_DEBUG
	348	fail_debug_enabled =1;
	349	#endif
6ad14574	350	SEND_BH(reason);
6e785d85	351	}
	352
	353	/*
	354	options:
	355	-d enable debugging.
	356	-v enable verbose NTLM packet debugging.
6e785d85	357	-A can specify a Windows Local Group name allowed to authenticate.
	358	-D can specify a Windows Local Group name not allowed to authenticate.
	359	*/
	360	char *my_program_name = NULL;
	361
	362	void
	363	usage()
	364	{
	365	fprintf(stderr,
26ac0430 AJ	366	"Usage: %s [-d] [-v] [-A\|D LocalUserGroup] [-h]\n"
	367	" -d enable debugging.\n"
	368	" -v enable verbose NTLM packet debugging.\n"
	369	" -A specify a Windows Local Group name allowed to authenticate\n"
	370	" -D specify a Windows Local Group name not allowed to authenticate\n"
	371	" -h this message\n\n",
	372	my_program_name);
6e785d85	373	}
6e785d85	374
6e785d85	375	void
	376	process_options(int argc, char *argv[])
	377	{
	378	int opt, had_error = 0;
	379
	380	opterr =0;
	381	while (-1 != (opt = getopt(argc, argv, "hdvA:D:"))) {
26ac0430 AJ	382	switch (opt) {
	383	case 'A':
	384	safe_free(NTAllowedGroup);
	385	NTAllowedGroup=xstrdup(optarg);
	386	UseAllowedGroup = 1;
	387	break;
	388	case 'D':
	389	safe_free(NTDisAllowedGroup);
	390	NTDisAllowedGroup=xstrdup(optarg);
	391	UseDisallowedGroup = 1;
	392	break;
	393	case 'd':
	394	debug_enabled = 1;
	395	break;
	396	case 'v':
	397	debug_enabled = 1;
	398	NTLM_packet_debug_enabled = 1;
	399	break;
	400	case 'h':
	401	usage();
	402	exit(0);
	403	case '?':
	404	opt = optopt;
	405	/* fall thru to default */
	406	default:
	407	fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
	408	usage();
	409	had_error = 1;
	410	}
6e785d85	411	}
6e785d85	412	if (had_error)
26ac0430	413	exit(1);
6e785d85	414	}
6e785d85	415
6e785d85	416	int
	417	manage_request()
	418	{
	419	ntlmhdr *fast_header;
6ad14574 AJ	420	char buf[HELPER_INPUT_BUFFER];
6ad14574 AJ	421	char decoded[HELPER_INPUT_BUFFER];
8bdd0cec	422	int decodedLen;
6e785d85	423	char helper_command[3];
6e785d85	424	int oversized = 0;
6e785d85	425	char * ErrorMessage;
bc25525a AJ	426	static ntlm_negotiate local_nego;
	427	char domain[DNLEN+1];
	428	char user[UNLEN+1];
	429
	430	/* NP: for some reason this helper sometimes needs to accept
	431	* from clients that send no negotiate packet. */
6ad14574	432	if (memcpy(local_nego.hdr.signature, "NTLMSSP", 8) != 0) {
bc25525a	433	memset(&local_nego, 0, sizeof(ntlm_negotiate)); /* reset */
6ad14574 AJ	434	memcpy(local_nego.hdr.signature, "NTLMSSP", 8); /* set the signature */
6ad14574 AJ	435	local_nego.hdr.type = le32toh(NTLM_NEGOTIATE); /* this is a challenge */
bc25525a AJ	436	local_nego.flags = le32toh(NTLM_NEGOTIATE_ALWAYS_SIGN \|
	437	NTLM_NEGOTIATE_USE_NTLM \|
	438	NTLM_NEGOTIATE_USE_LM \|
	439	NTLM_NEGOTIATE_ASCII );
	440	}
6e785d85	441
6ad14574 AJ	442	do {
	443	if (fgets(buf, sizeof(buf), stdin) == NULL)
	444	return 0;
6e785d85	445
6ad14574 AJ	446	char c = static_cast<char>(memchr(buf, '\n', sizeof(buf)));
	447	if (c) {
	448	if (oversized) {
	449	helperfail("messge=\"illegal request received\"");
	450	fprintf(stderr, "Illegal request received: '%s'\n", buf);
	451	return 1;
	452	}
	453	*c = '\0';
	454	} else {
	455	fprintf(stderr, "No newline in '%s'\n", buf);
	456	oversized = 1;
	457	continue;
26ac0430	458	}
6ad14574 AJ	459	} while (false);
6ad14574 AJ	460
6e785d85	461	if ((strlen(buf) > 3) && NTLM_packet_debug_enabled) {
8bdd0cec	462	decodedLen = base64_decode(decoded, sizeof(decoded), buf+3);
6e785d85	463	strncpy(helper_command, buf, 2);
6e785d85	464	debug("Got '%s' from Squid with data:\n", helper_command);
6ad14574	465	hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
6e785d85	466	} else
	467	debug("Got '%s' from Squid\n", buf);
	468	if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */
26ac0430	469	/* figure out what we got */
6e785d85	470	if (strlen(buf) > 3)
8bdd0cec	471	decodedLen = base64_decode(decoded, sizeof(decoded), buf+3);
bc25525a AJ	472	else {
bc25525a AJ	473	debug("Negotiate packet not supplied - self generated\n");
6ad14574 AJ	474	memcpy(decoded, &local_nego, sizeof(local_nego));
6ad14574 AJ	475	decodedLen = sizeof(local_nego);
bc25525a	476	}
8bdd0cec	477	if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
6ad14574	478	SEND_ERR("message=\"Packet format error, couldn't base64-decode\"");
26ac0430 AJ	479	return 1;
	480	}
	481	/* fast-track-decode request type. */
	482	fast_header = (struct _ntlmhdr *) decoded;
6e785d85	483
26ac0430	484	/* sanity-check: it IS a NTLMSSP packet, isn't it? */
bc25525a	485	if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) {
6ad14574	486	SEND_ERR("message=\"Broken authentication packet\"");
26ac0430 AJ	487	return 1;
	488	}
	489	switch (fast_header->type) {
6ad14574	490	case NTLM_NEGOTIATE: {
26ac0430	491	/* Obtain challenge against SSPI */
23ad9b9e	492	debug("attempting SSPI challenge retrieval\n");
6ad14574 AJ	493	char c = (char ) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen);
	494	if (c) {
	495	SEND_TT(c);
23ad9b9e	496	if (NTLM_packet_debug_enabled) {
23ad9b9e	497	decodedLen = base64_decode(decoded, sizeof(decoded), c);
6ad14574 AJ	498	debug("send 'TT' to squid with data:\n");
	499	hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
	500	if (NTLM_LocalCall) {
23ad9b9e	501	debug("NTLM Local Call detected\n");
6ad14574	502	}
23ad9b9e A	503	}
	504	have_challenge = 1;
	505	} else
6ad14574	506	helperfail("message=\"can't obtain challenge\"");
23ad9b9e A	507
23ad9b9e A	508	return 1;
26d714be A	509	}
26d714be A	510	/* notreached */
23ad9b9e	511	case NTLM_CHALLENGE:
6ad14574	512	SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\"");
23ad9b9e A	513	return 1;
	514	/* notreached */
	515	case NTLM_AUTHENTICATE:
6ad14574	516	SEND_ERR("message=\"Got authentication request instead of negotiate request\"");
23ad9b9e A	517	return 1;
	518	/* notreached */
	519	default:
6ad14574	520	helperfail("message=\"unknown refresh-request packet type\"");
23ad9b9e A	521	return 1;
23ad9b9e A	522	}
26ac0430	523	return 1;
6e785d85	524	}
	525	if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
	526	if (!have_challenge) {
6ad14574	527	helperfail("message=\"invalid challenge\"");
26ac0430	528	return 1;
6e785d85	529	}
26ac0430	530	/* figure out what we got */
8bdd0cec	531	decodedLen = base64_decode(decoded, sizeof(decoded), buf+3);
6e785d85	532
8bdd0cec	533	if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
6ad14574	534	SEND_ERR("message=\"Packet format error, couldn't base64-decode\"");
26ac0430 AJ	535	return 1;
	536	}
	537	/* fast-track-decode request type. */
	538	fast_header = (struct _ntlmhdr *) decoded;
6e785d85	539
26ac0430	540	/* sanity-check: it IS a NTLMSSP packet, isn't it? */
bc25525a	541	if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) {
6ad14574	542	SEND_ERR("message=\"Broken authentication packet\"");
26ac0430 AJ	543	return 1;
	544	}
	545	switch (fast_header->type) {
	546	case NTLM_NEGOTIATE:
6ad14574	547	SEND_ERR("message=\"Invalid negotiation request received\"");
26ac0430 AJ	548	return 1;
	549	/* notreached */
	550	case NTLM_CHALLENGE:
6ad14574	551	SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\"");
26ac0430 AJ	552	return 1;
26ac0430 AJ	553	/* notreached */
6ad14574	554	case NTLM_AUTHENTICATE: {
26ac0430	555	/* check against SSPI */
6ad14574	556	int err = ntlm_check_auth((ntlm_authenticate *) decoded, user, domain, decodedLen);
6e785d85	557	have_challenge = 0;
bc25525a	558	if (err != NTLM_ERR_NONE) {
6e785d85	559	#if FAIL_DEBUG
	560	fail_debug_enabled =1;
	561	#endif
6ad14574	562	switch (err) {
bc25525a AJ	563	case NTLM_ERR_NONE:
bc25525a AJ	564	break;
26ac0430	565	case NTLM_BAD_NTGROUP:
6ad14574	566	SEND_ERR("message=\"Incorrect Group Membership\"");
26ac0430 AJ	567	return 1;
26ac0430 AJ	568	case NTLM_BAD_REQUEST:
6ad14574	569	SEND_ERR("message=\"Incorrect Request Format\"");
26ac0430 AJ	570	return 1;
	571	case NTLM_SSPI_ERROR:
	572	FormatMessage(
	573	FORMAT_MESSAGE_ALLOCATE_BUFFER \|
	574	FORMAT_MESSAGE_FROM_SYSTEM \|
	575	FORMAT_MESSAGE_IGNORE_INSERTS,
	576	NULL,
	577	GetLastError(),
	578	MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
	579	(LPTSTR) &ErrorMessage,
	580	0,
	581	NULL);
6e785d85	582	if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
	583	ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
	584	if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
	585	ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
6ad14574	586	SEND_ERR(ErrorMessage); // TODO update to new syntax
6e785d85	587	LocalFree(ErrorMessage);
26ac0430 AJ	588	return 1;
26ac0430 AJ	589	default:
6ad14574	590	SEND_ERR("message=\"Unknown Error\"");
26ac0430 AJ	591	return 1;
	592	}
	593	}
bc25525a	594	/* let's lowercase them for our convenience */
6ad14574 AJ	595	lc(domain);
	596	lc(user);
	597	fprintf(stdout, "OK user=\"%s\\%s\"", domain, user);
26ac0430	598	return 1;
26d714be	599	}
26ac0430	600	default:
6ad14574	601	helperfail("message=\"unknown authentication packet type\"");
26ac0430 AJ	602	return 1;
	603	}
	604	return 1;
6e785d85	605	} else { /* not an auth-request */
6ad14574	606	helperfail("message=\"illegal request received\"");
26ac0430 AJ	607	fprintf(stderr, "Illegal request received: '%s'\n", buf);
26ac0430 AJ	608	return 1;
6e785d85	609	}
6ad14574	610	helperfail("message=\"detected protocol error\"");
6e785d85	611	return 1;
26ac0430	612	/******* END ******/
6e785d85	613	}
	614
	615	int
	616	main(int argc, char *argv[])
	617	{
	618	my_program_name = argv[0];
	619
	620	process_options(argc, argv);
	621
	622	debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name);
26ac0430	623
6e785d85	624	if (LoadSecurityDll(SSP_NTLM, NTLM_PACKAGE_NAME) == NULL) {
26ac0430 AJ	625	fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n");
26ac0430 AJ	626	exit(1);
6e785d85	627	}
	628	debug("SSPI initialized OK\n");
	629
	630	atexit(UnloadSecurityDll);
	631
	632	/* initialize FDescs */
	633	setbuf(stdout, NULL);
	634	setbuf(stderr, NULL);
	635
	636	while (manage_request()) {
26ac0430	637	/* everything is done within manage_request */
6e785d85	638	}
	639	exit(0);
	640	}