projects / thirdparty / squid.git / blame
| Commit | Line | Data |
|---|---|---|
| 94439e4e | 1 | /* |
| b8ae064d | 2 | * Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
| 94439e4e | 3 | * |
| bbc27441 AJ |
4 | * Squid software is distributed under GPLv2+ license and includes |
| 5 | * contributions from numerous individuals and organizations. | |
| 6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
| 94439e4e | 7 | */ |
| 8 | ||
| bbc27441 AJ |
9 | /* DEBUG: section 29 NTLM Authenticator */ |
| 10 | ||
| 94439e4e | 11 | /* The functions in this file handle authentication. |
| 12 | * They DO NOT perform access control or auditing. | |
| 13 | * See acl.c for access control and client_side.c for auditing */ | |
| 14 | ||
| 582c2af2 | 15 | #include "squid.h" |
| 3ad63615 | 16 | #include "auth/Gadgets.h" |
| 12daeef6 | 17 | #include "auth/ntlm/Config.h" |
| 616cfc4c | 18 | #include "auth/ntlm/Scheme.h" |
| aa110616 | 19 | #include "auth/ntlm/User.h" |
| 616cfc4c | 20 | #include "auth/ntlm/UserRequest.h" |
| 928f3421 | 21 | #include "auth/State.h" |
| 8a01b99e | 22 | #include "cache_cf.h" |
| a46d2c0e | 23 | #include "client_side.h" |
| 24438ec5 | 24 | #include "helper.h" |
| d3dddfb5 | 25 | #include "http/Stream.h" |
| a5bac1d2 | 26 | #include "HttpHeaderTools.h" |
| 924f73bc | 27 | #include "HttpReply.h" |
| a2ac85d9 | 28 | #include "HttpRequest.h" |
| 602d9612 | 29 | #include "mgr/Registration.h" |
| 602d9612 A |
30 | #include "Store.h" |
| 31 | #include "wordlist.h" | |
| c78aa667 | 32 | |
| 94439e4e | 33 | /* NTLM Scheme */ |
| 94439e4e | 34 | static AUTHSSTATS authenticateNTLMStats; |
| 94439e4e | 35 | |
| aee3523a | 36 | statefulhelper *ntlmauthenticators = nullptr; |
| 94439e4e | 37 | static int authntlm_initialised = 0; |
| 38 | ||
| aee3523a | 39 | static hash_table *proxy_auth_cache = nullptr; |
| 94439e4e | 40 | |
| 0bcb6908 | 41 | void |
| 372fccd6 | 42 | Auth::Ntlm::Config::rotateHelpers() |
| 0bcb6908 AJ |
43 | { |
| 44 | /* schedule closure of existing helpers */ | |
| 45 | if (ntlmauthenticators) { | |
| 46 | helperStatefulShutdown(ntlmauthenticators); | |
| 47 | } | |
| 48 | ||
| 49 | /* NP: dynamic helper restart will ensure they start up again as needed. */ | |
| 50 | } | |
| 51 | ||
| 5817ee13 | 52 | /* free any allocated configuration details */ |
| f5691f9c | 53 | void |
| 372fccd6 | 54 | Auth::Ntlm::Config::done() |
| 94439e4e | 55 | { |
| dc79fed8 | 56 | Auth::SchemeConfig::done(); |
| d4806c91 | 57 | |
| 94439e4e | 58 | authntlm_initialised = 0; |
| 62e76326 | 59 | |
| 5817ee13 AJ |
60 | if (ntlmauthenticators) { |
| 61 | helperStatefulShutdown(ntlmauthenticators); | |
| 5817ee13 | 62 | } |
| 62e76326 | 63 | |
| 94439e4e | 64 | if (!shutting_down) |
| 62e76326 | 65 | return; |
| 66 | ||
| 48d54e4d | 67 | delete ntlmauthenticators; |
| aee3523a | 68 | ntlmauthenticators = nullptr; |
| 62e76326 | 69 | |
| 58ee2093 AJ |
70 | if (authenticateProgram) |
| 71 | wordlistDestroy(&authenticateProgram); | |
| cdabe87d | 72 | |
| 372fccd6 | 73 | debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared."); |
| 94439e4e | 74 | } |
| 75 | ||
| f5691f9c | 76 | const char * |
| 372fccd6 | 77 | Auth::Ntlm::Config::type() const |
| 94439e4e | 78 | { |
| d6374be6 | 79 | return Auth::Ntlm::Scheme::GetInstance()->type(); |
| 94439e4e | 80 | } |
| 81 | ||
| 82 | /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the | |
| 83 | * config file */ | |
| f5691f9c | 84 | void |
| dc79fed8 | 85 | Auth::Ntlm::Config::init(Auth::SchemeConfig *) |
| 94439e4e | 86 | { |
| 58ee2093 | 87 | if (authenticateProgram) { |
| 6bf4f823 | 88 | |
| 62e76326 | 89 | authntlm_initialised = 1; |
| 90 | ||
| aee3523a | 91 | if (ntlmauthenticators == nullptr) |
| 48d54e4d | 92 | ntlmauthenticators = new statefulhelper("ntlmauthenticator"); |
| 62e76326 | 93 | |
| 94 | if (!proxy_auth_cache) | |
| 30abd221 | 95 | proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); |
| 62e76326 | 96 | |
| 97 | assert(proxy_auth_cache); | |
| 98 | ||
| 58ee2093 | 99 | ntlmauthenticators->cmdline = authenticateProgram; |
| 62e76326 | 100 | |
| 1af735c7 | 101 | ntlmauthenticators->childs.updateLimits(authenticateChildren); |
| 62e76326 | 102 | |
| 103 | ntlmauthenticators->ipc_type = IPC_STREAM; | |
| 104 | ||
| 62e76326 | 105 | helperStatefulOpenServers(ntlmauthenticators); |
| 94439e4e | 106 | } |
| 107 | } | |
| 108 | ||
| 62ee09ca | 109 | void |
| 372fccd6 | 110 | Auth::Ntlm::Config::registerWithCacheManager(void) |
| 62ee09ca | 111 | { |
| 8822ebee | 112 | Mgr::RegisterAction("ntlmauthenticator", |
| d9fc6862 A |
113 | "NTLM User Authenticator Stats", |
| 114 | authenticateNTLMStats, 0, 1); | |
| 62ee09ca | 115 | } |
| 116 | ||
| f5691f9c | 117 | bool |
| 372fccd6 | 118 | Auth::Ntlm::Config::active() const |
| 2d70df72 | 119 | { |
| f5691f9c | 120 | return authntlm_initialised == 1; |
| 2d70df72 | 121 | } |
| 122 | ||
| f5691f9c | 123 | bool |
| 372fccd6 | 124 | Auth::Ntlm::Config::configured() const |
| 94439e4e | 125 | { |
| aee3523a | 126 | if ((authenticateProgram != nullptr) && (authenticateChildren.n_max != 0)) { |
| bf95c10a | 127 | debugs(29, 9, "returning configured"); |
| f5691f9c | 128 | return true; |
| 2d70df72 | 129 | } |
| 62e76326 | 130 | |
| bf95c10a | 131 | debugs(29, 9, "returning unconfigured"); |
| f5691f9c | 132 | return false; |
| 94439e4e | 133 | } |
| 134 | ||
| 135 | /* NTLM Scheme */ | |
| 94439e4e | 136 | |
| f5691f9c | 137 | void |
| 789217a2 | 138 | Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest * request) |
| 94439e4e | 139 | { |
| 58ee2093 | 140 | if (!authenticateProgram) |
| 6bf4f823 | 141 | return; |
| 62e76326 | 142 | |
| 63a05fa3 | 143 | /* Need keep-alive */ |
| 450fe1cb | 144 | if (!request->flags.proxyKeepalive && request->flags.mustKeepalive) |
| 26ac0430 | 145 | return; |
| 63a05fa3 | 146 | |
| 6bf4f823 | 147 | /* New request, no user details */ |
| aee3523a | 148 | if (auth_user_request == nullptr) { |
| bf95c10a | 149 | debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'"); |
| 18ec8500 | 150 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); |
| 6bf4f823 | 151 | |
| 152 | if (!keep_alive) { | |
| 62e76326 | 153 | /* drop the connection */ |
| e857372a | 154 | request->flags.proxyKeepalive = false; |
| 62e76326 | 155 | } |
| 6bf4f823 | 156 | } else { |
| c7baff40 | 157 | Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw()); |
| aee3523a | 158 | assert(ntlm_request != nullptr); |
| 3a11f20d | 159 | |
| d232141d | 160 | switch (ntlm_request->user()->credentials()) { |
| 62e76326 | 161 | |
| d87154ee | 162 | case Auth::Failed: |
| 6bf4f823 | 163 | /* here it makes sense to drop the connection, as auth is |
| 164 | * tied to it, even if MAYBE the client could handle it - Kinkie */ | |
| e857372a | 165 | request->flags.proxyKeepalive = false; |
| 09835feb | 166 | [[fallthrough]]; |
| 94439e4e | 167 | |
| d87154ee | 168 | case Auth::Ok: |
| 09835feb AR |
169 | /* Special case: authentication finished OK but disallowed by ACL. |
| 170 | * Need to start over to give the client another chance. | |
| 171 | */ | |
| 172 | [[fallthrough]]; | |
| 62e76326 | 173 | |
| d87154ee | 174 | case Auth::Unchecked: |
| 6bf4f823 | 175 | /* semantic change: do not drop the connection. |
| 176 | * 2.5 implementation used to keep it open - Kinkie */ | |
| bf95c10a | 177 | debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'"); |
| 18ec8500 | 178 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); |
| 6bf4f823 | 179 | break; |
| 62e76326 | 180 | |
| d87154ee | 181 | case Auth::Handshake: |
| 6bf4f823 | 182 | /* we're waiting for a response from the client. Pass it the blob */ |
| bf95c10a | 183 | debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'"); |
| 18ec8500 | 184 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob); |
| 6bf4f823 | 185 | safe_free(ntlm_request->server_blob); |
| 186 | break; | |
| 62e76326 | 187 | |
| 6bf4f823 | 188 | default: |
| 372fccd6 | 189 | debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << "."); |
| 6bf4f823 | 190 | fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n"); |
| 191 | } | |
| 192 | } | |
| 193 | } | |
| 62e76326 | 194 | |
| 94439e4e | 195 | static void |
| 196 | authenticateNTLMStats(StoreEntry * sentry) | |
| 197 | { | |
| bf3e8d5a AJ |
198 | if (ntlmauthenticators) |
| 199 | ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics"); | |
| 94439e4e | 200 | } |
| 201 | ||
| 94439e4e | 202 | /* |
| 6bf4f823 | 203 | * Decode a NTLM [Proxy-]Auth string, placing the results in the passed |
| 94439e4e | 204 | * Auth_user structure. |
| 205 | */ | |
| c7baff40 | 206 | Auth::UserRequest::Pointer |
| 7e851a3e | 207 | Auth::Ntlm::Config::decode(char const *proxy_auth, const HttpRequest *, const char *aRequestRealm) |
| 94439e4e | 208 | { |
| dc79fed8 | 209 | Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm); |
| c7baff40 | 210 | Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest(); |
| aee3523a | 211 | assert(auth_user_request->user() == nullptr); |
| a33a428a | 212 | |
| f5691f9c | 213 | auth_user_request->user(newUser); |
| 616cfc4c | 214 | auth_user_request->user()->auth_type = Auth::AUTH_NTLM; |
| 94439e4e | 215 | |
| c10ebce8 AJ |
216 | auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm); |
| 217 | ||
| 94439e4e | 218 | /* all we have to do is identify that it's NTLM - the helper does the rest */ |
| bf95c10a | 219 | debugs(29, 9, "decode: NTLM authentication"); |
| f5691f9c | 220 | return auth_user_request; |
| 94439e4e | 221 | } |
| f53969cc | 222 |