[thirdparty/squid.git] / src / auth / digest / file / digest_file_auth.cc

/*
 * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * AUTHOR: Robert Collins.
 *
 * Based on ncsa_auth.c by Arjan de Vet <Arjan.deVet@adv.iae.nl>
 *
 * LDAP backend extension by Flavio Pescuma,
 * MARA Systems AB <flavio@marasystems.com>
 *
 * Example digest authentication program for Squid, based on the original
 * proxy_auth code from client_side.c, written by
 * Jon Thackray <jrmt@uk.gdscorp.com>.
 *
 * - comment lines are possible and should start with a '#';
 * - empty or blank lines are possible;
 * - file format is username:password
 *
 * To build a directory integrated backend, you need to be able to
 * calculate the HA1 returned to squid. To avoid storing a plaintext
 * password you can calculate MD5(username:realm:password) when the
 * user changes their password, and store the tuple username:realm:HA1.
 * then find the matching username:realm when squid asks for the
 * HA1.
 *
 * This implementation could be improved by using such a triple for
 * the file format.  However storing such a triple does little to
 * improve security: If compromised the username:realm:HA1 combination
 * is "plaintext equivalent" - for the purposes of digest authentication
 * they allow the user access. Password synchronization is not tackled
 * by digest - just preventing on the wire compromise.
 *
 * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
 */

#include "squid.h"
#include "auth/digest/file/digest_common.h"
#include "auth/digest/file/text_backend.h"
#include "helper/protocol_defines.h"

static void
GetHHA1(RequestData * requestData)
{
    TextHHA1(requestData);
}

static void
ParseBuffer(char *buf, RequestData * requestData)
{
    char *p;
    requestData->parsed = 0;
    if ((p = strchr(buf, '\n')) != NULL)
        *p = '\0';      /* strip \n */

    p = NULL;
    requestData->channelId = strtoll(buf, &p, 10);
    if (*p != ' ') // not a channel-ID
        requestData->channelId = -1;
    else
        buf = ++p;

    if ((requestData->user = strtok(buf, "\"")) == NULL)
        return;
    if ((requestData->realm = strtok(NULL, "\"")) == NULL)
        return;
    if ((requestData->realm = strtok(NULL, "\"")) == NULL)
        return;
    requestData->parsed = -1;
}

static void
OutputHHA1(RequestData * requestData)
{
    requestData->error = 0;
    GetHHA1(requestData);
    if (requestData->channelId >= 0)
        printf("%u ", requestData->channelId);
    if (requestData->error) {
        SEND_ERR("message=\"No such user\"");
        return;
    }
    printf("OK ha1=\"%s\"\n", requestData->HHA1);
}

static void
DoOneRequest(char *buf)
{
    RequestData requestData;
    ParseBuffer(buf, &requestData);
    if (!requestData.parsed) {
        if (requestData.channelId >= 0)
            printf("%u ", requestData.channelId);
        SEND_BH("message=\"Invalid line received\"");
        return;
    }
    OutputHHA1(&requestData);
}

static void
ProcessArguments(int argc, char **argv)
{
    TextArguments(argc, argv);
}

int
main(int argc, char **argv)
{
    char buf[HELPER_INPUT_BUFFER];
    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);
    while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL)
        DoOneRequest(buf);
    return EXIT_SUCCESS;
}
Commit	Line	Data
2d70df72	1	/*
77b1029d	2	* Copyright (C) 1996-2020 The Squid Software Foundation and contributors
2d70df72	3	*
ca02e0ec AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	/*
c152a447 AJ	10	* AUTHOR: Robert Collins.
	11	*
	12	* Based on ncsa_auth.c by Arjan de Vet <Arjan.deVet@adv.iae.nl>
68d57793	13	*
c152a447 AJ	14	* LDAP backend extension by Flavio Pescuma,
c152a447 AJ	15	* MARA Systems AB <flavio@marasystems.com>
2d70df72	16	*
	17	* Example digest authentication program for Squid, based on the original
	18	* proxy_auth code from client_side.c, written by
	19	* Jon Thackray <jrmt@uk.gdscorp.com>.
	20	*
	21	* - comment lines are possible and should start with a '#';
	22	* - empty or blank lines are possible;
	23	* - file format is username:password
26ac0430	24	*
548adcc8	25	* To build a directory integrated backend, you need to be able to
2d70df72	26	* calculate the HA1 returned to squid. To avoid storing a plaintext
548adcc8	27	* password you can calculate MD5(username:realm:password) when the
	28	* user changes their password, and store the tuple username:realm:HA1.
	29	* then find the matching username:realm when squid asks for the
	30	* HA1.
2d70df72	31	*
548adcc8	32	* This implementation could be improved by using such a triple for
	33	* the file format. However storing such a triple does little to
	34	* improve security: If compromised the username:realm:HA1 combination
	35	* is "plaintext equivalent" - for the purposes of digest authentication
2b61af8e	36	* they allow the user access. Password synchronization is not tackled
548adcc8	37	* by digest - just preventing on the wire compromise.
2d70df72	38	*
0ff1980a	39	* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
2d70df72	40	*/
2d70df72	41
f7f3304a	42	#include "squid.h"
d4d7f6dd AJ	43	#include "auth/digest/file/digest_common.h"
d4d7f6dd AJ	44	#include "auth/digest/file/text_backend.h"
079b1d0f	45	#include "helper/protocol_defines.h"
54e8823b	46
e9505fad	47	static void
ca6965d0	48	GetHHA1(RequestData * requestData)
ca6965d0	49	{
b9e9de8a	50	TextHHA1(requestData);
ca6965d0	51	}
2d70df72	52
2d70df72	53	static void
ca6965d0	54	ParseBuffer(char buf, RequestData requestData)
2d70df72	55	{
0ff1980a	56	char *p;
	57	requestData->parsed = 0;
	58	if ((p = strchr(buf, '\n')) != NULL)
f53969cc	59	p = '\0'; / strip \n */
6cb2818d AJ	60
	61	p = NULL;
	62	requestData->channelId = strtoll(buf, &p, 10);
	63	if (*p != ' ') // not a channel-ID
	64	requestData->channelId = -1;
	65	else
	66	buf = ++p;
	67
0ff1980a	68	if ((requestData->user = strtok(buf, "\"")) == NULL)
26ac0430	69	return;
0ff1980a	70	if ((requestData->realm = strtok(NULL, "\"")) == NULL)
26ac0430	71	return;
0ff1980a	72	if ((requestData->realm = strtok(NULL, "\"")) == NULL)
26ac0430	73	return;
0ff1980a	74	requestData->parsed = -1;
2d70df72	75	}
	76
	77	static void
ca6965d0	78	OutputHHA1(RequestData * requestData)
2d70df72	79	{
0ff1980a	80	requestData->error = 0;
0ff1980a	81	GetHHA1(requestData);
6cb2818d AJ	82	if (requestData->channelId >= 0)
6cb2818d AJ	83	printf("%u ", requestData->channelId);
ca6965d0	84	if (requestData->error) {
c69199bb	85	SEND_ERR("message=\"No such user\"");
26ac0430	86	return;
2d70df72	87	}
c69199bb	88	printf("OK ha1=\"%s\"\n", requestData->HHA1);
0ff1980a	89	}
	90
	91	static void
	92	DoOneRequest(char *buf)
	93	{
	94	RequestData requestData;
ca6965d0	95	ParseBuffer(buf, &requestData);
0ff1980a	96	if (!requestData.parsed) {
6cb2818d AJ	97	if (requestData.channelId >= 0)
6cb2818d AJ	98	printf("%u ", requestData.channelId);
c69199bb	99	SEND_BH("message=\"Invalid line received\"");
26ac0430	100	return;
2d70df72	101	}
0ff1980a	102	OutputHHA1(&requestData);
2d70df72	103	}
2d70df72	104
e9505fad	105	static void
ca6965d0	106	ProcessArguments(int argc, char **argv)
ca6965d0	107	{
7ed0602b	108	TextArguments(argc, argv);
ca6965d0	109	}
ca6965d0	110
2d70df72	111	int
	112	main(int argc, char **argv)
	113	{
c152a447	114	char buf[HELPER_INPUT_BUFFER];
2d70df72	115	setbuf(stdout, NULL);
ca6965d0	116	ProcessArguments(argc, argv);
c152a447	117	while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL)
26ac0430	118	DoOneRequest(buf);
24885773	119	return EXIT_SUCCESS;
2d70df72	120	}
f53969cc	121