[thirdparty/squid.git] / helpers / ntlm_auth / fake / ntlm_fake_auth.cc

/*
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
 * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
 */

/*
 * Example ntlm authentication program for Squid, based on the
 * original proxy_auth code from client_side.c, written by
 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
 * Andrew Doran <ad@interlude.eu.org>.
 *
 * This code gets the username and returns it. No validation is done.
 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
 * if you can.
 *
 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
 *
 * - Added negotiation of UNICODE char support
 * - More detailed debugging info
 *
 */

/* undefine this to have strict protocol adherence. You don't really need
 * that though */
#define IGNORANCE_IS_BLISS

#include "squid.h"
#include "base64.h"
#include "helpers/defines.h"
#include "ntlmauth/ntlmauth.h"
#include "ntlmauth/support_bits.cci"

#include <cctype>
#include <cstring>
#if HAVE_CRYPT_H
#include <crypt.h>
#endif
#if HAVE_PWD_H
#include <pwd.h>
#endif
#if HAVE_GETOPT_H
#include <getopt.h>
#endif
#if HAVE_STDINT_H
#include <stdint.h>
#endif
#if HAVE_INTTYPES_H
#include <inttypes.h>
#endif

/* A couple of harmless helper macros */
#define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
#ifdef __GNUC__
#define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
#define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
#define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
#else
/* no gcc, no debugging. varargs macros are a gcc extension */
#define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
#define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
#define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
#endif

const char *authenticate_ntlm_domain = "WORKGROUP";
int strip_domain_enabled = 0;
int NTLM_packet_debug_enabled = 0;

/*
 * options:
 * -d enable debugging.
 * -v enable verbose NTLM packet debugging.
 * -l if specified, changes behavior on failures to last-ditch.
 */
char *my_program_name = NULL;

static void
usage(void)
{
    fprintf(stderr,
            "Usage: %s [-d] [-v] [-h]\n"
            " -d  enable debugging.\n"
            " -S  strip domain from username.\n"
            " -v  enable verbose NTLM packet debugging.\n"
            " -h  this message\n\n",
            my_program_name);
}

static void
process_options(int argc, char *argv[])
{
    int opt, had_error = 0;

    opterr = 0;
    while (-1 != (opt = getopt(argc, argv, "hdvS"))) {
        switch (opt) {
        case 'd':
            debug_enabled = 1;
            break;
        case 'v':
            debug_enabled = 1;
            NTLM_packet_debug_enabled = 1;
            break;
        case 'S':
            strip_domain_enabled = 1;
            break;
        case 'h':
            usage();
            exit(0);
        case '?':
            opt = optopt;
        /* fall thru to default */
        default:
            fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
            usage();
            had_error = 1;
        }
    }
    if (had_error)
        exit(1);
}

int
main(int argc, char *argv[])
{
    char buf[HELPER_INPUT_BUFFER];
    int buflen = 0;
    uint8_t decodedBuf[HELPER_INPUT_BUFFER];
    int decodedLen;
    char user[NTLM_MAX_FIELD_LENGTH], domain[NTLM_MAX_FIELD_LENGTH];
    char *p;
    char helper_command[3];
    int len;

    setbuf(stdout, NULL);
    setbuf(stderr, NULL);

    my_program_name = argv[0];

    process_options(argc, argv);

    debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name);

    while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
        user[0] = '\0';     /*no user code */
        domain[0] = '\0';       /*no domain code */

        if ((p = strchr(buf, '\n')) != NULL)
            *p = '\0';      /* strip \n */
        buflen = strlen(buf);   /* keep this so we only scan the buffer for \0 once per loop */
        ntlmhdr *packet;
        struct base64_decode_ctx ctx;
        base64_decode_init(&ctx);
        size_t dstLen = 0;
        if (buflen > 3 &&
                base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast<const uint8_t*>(buf+3)) &&
                base64_decode_final(&ctx)) {
            decodedLen = dstLen;
            packet = (ntlmhdr*)decodedBuf;
        } else {
            packet = NULL;
            decodedLen = 0;
        }

        if (buflen > 3 && NTLM_packet_debug_enabled) {
            strncpy(helper_command, buf, 2);
            helper_command[2] = '\0';
            debug("Got '%s' from Squid with data:\n", helper_command);
            hex_dump((unsigned char *)decodedBuf, decodedLen);
        } else
            debug("Got '%s' from Squid\n", buf);

        if (strncmp(buf, "YR", 2) == 0) {
            char nonce[NTLM_NONCE_LEN];
            ntlm_challenge chal;
            ntlm_make_nonce(nonce);
            if (buflen > 3 && packet) {
                ntlm_negotiate *nego = (ntlm_negotiate *)packet;
                ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, nego->flags);
            } else {
                ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, NTLM_NEGOTIATE_ASCII);
            }
            // TODO: find out what this context means, and why only the fake auth helper contains it.
            chal.context_high = htole32(0x003a<<16);

            len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen);

            struct base64_encode_ctx eCtx;
            base64_encode_init(&eCtx);
            uint8_t *data = (uint8_t*)xcalloc(base64_encode_len(len), 1);
            size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<uint8_t*>(&chal));
            blen += base64_encode_final(&eCtx, data+blen);
            if (NTLM_packet_debug_enabled) {
                printf("TT %.*s\n", (int)blen, data);
                debug("sending 'TT' to squid with data:\n");
                hex_dump((unsigned char *)&chal, len);
            } else
                SEND3("TT %.*s", (int)blen, data);
            safe_free(data);

        } else if (strncmp(buf, "KK ", 3) == 0) {
            if (!packet) {
                SEND("BH received KK with no data! user=");
            } else if (ntlm_validate_packet(packet, NTLM_AUTHENTICATE) == NTLM_ERR_NONE) {
                if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, decodedLen) == NTLM_ERR_NONE) {
                    lc(user);
                    if (strip_domain_enabled) {
                        SEND2("AF %s", user);
                    } else {
                        SEND4("AF %s%s%s", domain, (*domain?"\\":""), user);
                    }
                } else {
                    lc(user);
                    SEND4("NA invalid credentials, user=%s%s%s", domain, (*domain?"\\":""), user);
                }
            } else {
                SEND("BH wrong packet type! user=");
            }
        }
    }
    exit(0);
}
Commit	Line	Data
ca02e0ec	1	/*
bde978a6	2	* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
ca02e0ec AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
75aa769b	9	/*
75aa769b AJ	10	* AUTHOR: Andrew Doran <ad@interlude.eu.org>
75aa769b AJ	11	* AUTHOR: Robert Collins <rbtcollins@hotmail.com>
ca02e0ec	12	* AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
75aa769b	13	*/
ca02e0ec	14
75aa769b AJ	15	/*
	16	* Example ntlm authentication program for Squid, based on the
	17	* original proxy_auth code from client_side.c, written by
	18	* Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
	19	* Andrew Doran <ad@interlude.eu.org>.
	20	*
	21	* This code gets the username and returns it. No validation is done.
	22	* and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
	23	* if you can.
	24	*
	25	* Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
	26	*
	27	* - Added negotiation of UNICODE char support
	28	* - More detailed debugging info
	29	*
	30	*/
	31
	32	/* undefine this to have strict protocol adherence. You don't really need
	33	* that though */
	34	#define IGNORANCE_IS_BLISS
	35
f7f3304a	36	#include "squid.h"
25f98340	37	#include "base64.h"
dcb9c96c	38	#include "helpers/defines.h"
7c16470c AJ	39	#include "ntlmauth/ntlmauth.h"
7c16470c AJ	40	#include "ntlmauth/support_bits.cci"
75aa769b	41
074d6a40 AJ	42	#include <cctype>
074d6a40 AJ	43	#include <cstring>
75aa769b AJ	44	#if HAVE_CRYPT_H
	45	#include <crypt.h>
	46	#endif
	47	#if HAVE_PWD_H
	48	#include <pwd.h>
	49	#endif
	50	#if HAVE_GETOPT_H
	51	#include <getopt.h>
	52	#endif
5dc2526c FC	53	#if HAVE_STDINT_H
	54	#include <stdint.h>
	55	#endif
	56	#if HAVE_INTTYPES_H
	57	#include <inttypes.h>
	58	#endif
75aa769b	59
75aa769b	60	/* A couple of harmless helper macros */
2b506a23	61	#define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
75aa769b	62	#ifdef __GNUC__
2b506a23	63	#define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
af31a408	64	#define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
2b506a23	65	#define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
75aa769b AJ	66	#else
75aa769b AJ	67	/* no gcc, no debugging. varargs macros are a gcc extension */
2b506a23	68	#define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
af31a408	69	#define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
2b506a23	70	#define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
75aa769b AJ	71	#endif
75aa769b AJ	72
75aa769b AJ	73	const char *authenticate_ntlm_domain = "WORKGROUP";
	74	int strip_domain_enabled = 0;
	75	int NTLM_packet_debug_enabled = 0;
	76
75aa769b AJ	77	/*
	78	* options:
	79	* -d enable debugging.
	80	* -v enable verbose NTLM packet debugging.
	81	* -l if specified, changes behavior on failures to last-ditch.
	82	*/
	83	char *my_program_name = NULL;
	84
	85	static void
	86	usage(void)
	87	{
	88	fprintf(stderr,
	89	"Usage: %s [-d] [-v] [-h]\n"
	90	" -d enable debugging.\n"
	91	" -S strip domain from username.\n"
	92	" -v enable verbose NTLM packet debugging.\n"
	93	" -h this message\n\n",
	94	my_program_name);
	95	}
	96
	97	static void
	98	process_options(int argc, char *argv[])
	99	{
	100	int opt, had_error = 0;
	101
	102	opterr = 0;
	103	while (-1 != (opt = getopt(argc, argv, "hdvS"))) {
	104	switch (opt) {
	105	case 'd':
	106	debug_enabled = 1;
	107	break;
	108	case 'v':
	109	debug_enabled = 1;
	110	NTLM_packet_debug_enabled = 1;
	111	break;
	112	case 'S':
	113	strip_domain_enabled = 1;
	114	break;
	115	case 'h':
	116	usage();
	117	exit(0);
	118	case '?':
	119	opt = optopt;
f53969cc	120	/* fall thru to default */
75aa769b AJ	121	default:
	122	fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
	123	usage();
	124	had_error = 1;
	125	}
	126	}
	127	if (had_error)
	128	exit(1);
	129	}
	130
	131	int
	132	main(int argc, char *argv[])
	133	{
4c4ca9c2	134	char buf[HELPER_INPUT_BUFFER];
75aa769b	135	int buflen = 0;
aadbbd7d	136	uint8_t decodedBuf[HELPER_INPUT_BUFFER];
8bdd0cec	137	int decodedLen;
75aa769b	138	char user[NTLM_MAX_FIELD_LENGTH], domain[NTLM_MAX_FIELD_LENGTH];
350f6838	139	char *p;
75aa769b AJ	140	char helper_command[3];
75aa769b AJ	141	int len;
75aa769b AJ	142
	143	setbuf(stdout, NULL);
	144	setbuf(stderr, NULL);
	145
	146	my_program_name = argv[0];
	147
	148	process_options(argc, argv);
	149
	150	debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name);
	151
dcb9c96c	152	while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
f53969cc SM	153	user[0] = '\0'; /no user code /
f53969cc SM	154	domain[0] = '\0'; /no domain code /
75aa769b AJ	155
75aa769b AJ	156	if ((p = strchr(buf, '\n')) != NULL)
f53969cc	157	p = '\0'; / strip \n */
75aa769b	158	buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */
6bb77e97	159	ntlmhdr *packet;
aadbbd7d AJ	160	struct base64_decode_ctx ctx;
	161	base64_decode_init(&ctx);
	162	size_t dstLen = 0;
	163	if (buflen > 3 &&
	164	base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast<const uint8_t*>(buf+3)) &&
	165	base64_decode_final(&ctx)) {
	166	decodedLen = dstLen;
8bdd0cec AJ	167	packet = (ntlmhdr*)decodedBuf;
	168	} else {
	169	packet = NULL;
fb599974	170	decodedLen = 0;
8bdd0cec	171	}
aadbbd7d	172
75aa769b AJ	173	if (buflen > 3 && NTLM_packet_debug_enabled) {
	174	strncpy(helper_command, buf, 2);
	175	helper_command[2] = '\0';
	176	debug("Got '%s' from Squid with data:\n", helper_command);
8bdd0cec	177	hex_dump((unsigned char *)decodedBuf, decodedLen);
75aa769b AJ	178	} else
	179	debug("Got '%s' from Squid\n", buf);
	180
5dc2526c	181	if (strncmp(buf, "YR", 2) == 0) {
75aa769b AJ	182	char nonce[NTLM_NONCE_LEN];
	183	ntlm_challenge chal;
	184	ntlm_make_nonce(nonce);
6bb77e97	185	if (buflen > 3 && packet) {
75aa769b AJ	186	ntlm_negotiate nego = (ntlm_negotiate )packet;
	187	ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, nego->flags);
	188	} else {
1dcf61eb	189	ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, NTLM_NEGOTIATE_ASCII);
75aa769b AJ	190	}
	191	// TODO: find out what this context means, and why only the fake auth helper contains it.
	192	chal.context_high = htole32(0x003a<<16);
	193
	194	len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen);
aadbbd7d AJ	195
	196	struct base64_encode_ctx eCtx;
	197	base64_encode_init(&eCtx);
	198	uint8_t data = (uint8_t)xcalloc(base64_encode_len(len), 1);
	199	size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<uint8_t*>(&chal));
	200	blen += base64_encode_final(&eCtx, data+blen);
75aa769b	201	if (NTLM_packet_debug_enabled) {
af31a408	202	printf("TT %.*s\n", (int)blen, data);
75aa769b AJ	203	debug("sending 'TT' to squid with data:\n");
	204	hex_dump((unsigned char *)&chal, len);
	205	} else
af31a408	206	SEND3("TT %.*s", (int)blen, data);
aadbbd7d AJ	207	safe_free(data);
aadbbd7d AJ	208
5dc2526c	209	} else if (strncmp(buf, "KK ", 3) == 0) {
75aa769b AJ	210	if (!packet) {
75aa769b AJ	211	SEND("BH received KK with no data! user=");
1dcf61eb	212	} else if (ntlm_validate_packet(packet, NTLM_AUTHENTICATE) == NTLM_ERR_NONE) {
8bdd0cec	213	if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, decodedLen) == NTLM_ERR_NONE) {
75aa769b	214	lc(user);
75aa769b AJ	215	if (strip_domain_enabled) {
	216	SEND2("AF %s", user);
	217	} else {
59a09b98	218	SEND4("AF %s%s%s", domain, (*domain?"\\":""), user);
75aa769b AJ	219	}
	220	} else {
	221	lc(user);
59a09b98	222	SEND4("NA invalid credentials, user=%s%s%s", domain, (*domain?"\\":""), user);
75aa769b AJ	223	}
	224	} else {
	225	SEND("BH wrong packet type! user=");
	226	}
	227	}
	228	}
	229	exit(0);
	230	}
f53969cc	231