]>
Commit | Line | Data |
---|---|---|
ca02e0ec | 1 | /* |
f6e9a3ee | 2 | * Copyright (C) 1996-2019 The Squid Software Foundation and contributors |
ca02e0ec AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
75aa769b | 9 | /* |
75aa769b AJ |
10 | * AUTHOR: Andrew Doran <ad@interlude.eu.org> |
11 | * AUTHOR: Robert Collins <rbtcollins@hotmail.com> | |
ca02e0ec | 12 | * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it> |
75aa769b | 13 | */ |
ca02e0ec | 14 | |
75aa769b AJ |
15 | /* |
16 | * Example ntlm authentication program for Squid, based on the | |
17 | * original proxy_auth code from client_side.c, written by | |
18 | * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by | |
19 | * Andrew Doran <ad@interlude.eu.org>. | |
20 | * | |
21 | * This code gets the username and returns it. No validation is done. | |
22 | * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP | |
23 | * if you can. | |
24 | * | |
25 | * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it> | |
26 | * | |
27 | * - Added negotiation of UNICODE char support | |
28 | * - More detailed debugging info | |
29 | * | |
30 | */ | |
31 | ||
32 | /* undefine this to have strict protocol adherence. You don't really need | |
33 | * that though */ | |
34 | #define IGNORANCE_IS_BLISS | |
35 | ||
f7f3304a | 36 | #include "squid.h" |
25f98340 | 37 | #include "base64.h" |
079b1d0f | 38 | #include "helper/protocol_defines.h" |
7c16470c AJ |
39 | #include "ntlmauth/ntlmauth.h" |
40 | #include "ntlmauth/support_bits.cci" | |
75aa769b | 41 | |
074d6a40 | 42 | #include <cctype> |
7dba4ac4 | 43 | #include <chrono> |
074d6a40 | 44 | #include <cstring> |
75aa769b AJ |
45 | #if HAVE_CRYPT_H |
46 | #include <crypt.h> | |
47 | #endif | |
48 | #if HAVE_PWD_H | |
49 | #include <pwd.h> | |
50 | #endif | |
51 | #if HAVE_GETOPT_H | |
52 | #include <getopt.h> | |
53 | #endif | |
7dba4ac4 | 54 | #include <thread> |
75aa769b | 55 | |
75aa769b | 56 | /* A couple of harmless helper macros */ |
2b506a23 | 57 | #define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");} |
75aa769b | 58 | #ifdef __GNUC__ |
2b506a23 | 59 | #define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);} |
af31a408 | 60 | #define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);} |
2b506a23 | 61 | #define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);} |
75aa769b AJ |
62 | #else |
63 | /* no gcc, no debugging. varargs macros are a gcc extension */ | |
2b506a23 | 64 | #define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);} |
af31a408 | 65 | #define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);} |
2b506a23 | 66 | #define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);} |
75aa769b AJ |
67 | #endif |
68 | ||
75aa769b AJ |
69 | const char *authenticate_ntlm_domain = "WORKGROUP"; |
70 | int strip_domain_enabled = 0; | |
71 | int NTLM_packet_debug_enabled = 0; | |
7dba4ac4 | 72 | unsigned int response_delay = 0; |
75aa769b | 73 | |
75aa769b AJ |
74 | /* |
75 | * options: | |
76 | * -d enable debugging. | |
77 | * -v enable verbose NTLM packet debugging. | |
78 | * -l if specified, changes behavior on failures to last-ditch. | |
79 | */ | |
80 | char *my_program_name = NULL; | |
81 | ||
82 | static void | |
83 | usage(void) | |
84 | { | |
85 | fprintf(stderr, | |
7dba4ac4 | 86 | "Usage: %s [-d] [-t N] [-v] [-h]\n" |
75aa769b AJ |
87 | " -d enable debugging.\n" |
88 | " -S strip domain from username.\n" | |
7dba4ac4 | 89 | " -t timeout to delay responses (milliseconds).\n" |
75aa769b AJ |
90 | " -v enable verbose NTLM packet debugging.\n" |
91 | " -h this message\n\n", | |
92 | my_program_name); | |
93 | } | |
94 | ||
95 | static void | |
96 | process_options(int argc, char *argv[]) | |
97 | { | |
98 | int opt, had_error = 0; | |
99 | ||
100 | opterr = 0; | |
7dba4ac4 | 101 | while (-1 != (opt = getopt(argc, argv, "hdvSt:"))) { |
75aa769b AJ |
102 | switch (opt) { |
103 | case 'd': | |
104 | debug_enabled = 1; | |
105 | break; | |
106 | case 'v': | |
107 | debug_enabled = 1; | |
108 | NTLM_packet_debug_enabled = 1; | |
109 | break; | |
110 | case 'S': | |
111 | strip_domain_enabled = 1; | |
112 | break; | |
7dba4ac4 AJ |
113 | case 't': |
114 | if (!xstrtoui(optarg, nullptr, &response_delay, 0, 86400)) { | |
115 | fprintf(stderr, "ERROR: invalid parameter value for -t '%s'", optarg); | |
116 | usage(); | |
117 | had_error = 1; | |
118 | } | |
119 | break; | |
75aa769b AJ |
120 | case 'h': |
121 | usage(); | |
24885773 | 122 | exit(EXIT_SUCCESS); |
75aa769b AJ |
123 | case '?': |
124 | opt = optopt; | |
f53969cc | 125 | /* fall thru to default */ |
75aa769b AJ |
126 | default: |
127 | fprintf(stderr, "unknown option: -%c. Exiting\n", opt); | |
128 | usage(); | |
129 | had_error = 1; | |
130 | } | |
131 | } | |
132 | if (had_error) | |
24885773 | 133 | exit(EXIT_FAILURE); |
75aa769b AJ |
134 | } |
135 | ||
136 | int | |
137 | main(int argc, char *argv[]) | |
138 | { | |
4c4ca9c2 | 139 | char buf[HELPER_INPUT_BUFFER]; |
75aa769b | 140 | int buflen = 0; |
aadbbd7d | 141 | uint8_t decodedBuf[HELPER_INPUT_BUFFER]; |
8bdd0cec | 142 | int decodedLen; |
75aa769b | 143 | char user[NTLM_MAX_FIELD_LENGTH], domain[NTLM_MAX_FIELD_LENGTH]; |
350f6838 | 144 | char *p; |
75aa769b AJ |
145 | char helper_command[3]; |
146 | int len; | |
75aa769b AJ |
147 | |
148 | setbuf(stdout, NULL); | |
149 | setbuf(stderr, NULL); | |
150 | ||
151 | my_program_name = argv[0]; | |
152 | ||
153 | process_options(argc, argv); | |
154 | ||
a20277e1 | 155 | debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name); |
75aa769b | 156 | |
dcb9c96c | 157 | while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) { |
f53969cc SM |
158 | user[0] = '\0'; /*no user code */ |
159 | domain[0] = '\0'; /*no domain code */ | |
75aa769b AJ |
160 | |
161 | if ((p = strchr(buf, '\n')) != NULL) | |
f53969cc | 162 | *p = '\0'; /* strip \n */ |
75aa769b | 163 | buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */ |
6bb77e97 | 164 | ntlmhdr *packet; |
aadbbd7d AJ |
165 | struct base64_decode_ctx ctx; |
166 | base64_decode_init(&ctx); | |
167 | size_t dstLen = 0; | |
168 | if (buflen > 3 && | |
1d11e9b3 | 169 | base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) && |
aadbbd7d AJ |
170 | base64_decode_final(&ctx)) { |
171 | decodedLen = dstLen; | |
8bdd0cec AJ |
172 | packet = (ntlmhdr*)decodedBuf; |
173 | } else { | |
174 | packet = NULL; | |
fb599974 | 175 | decodedLen = 0; |
8bdd0cec | 176 | } |
aadbbd7d | 177 | |
75aa769b AJ |
178 | if (buflen > 3 && NTLM_packet_debug_enabled) { |
179 | strncpy(helper_command, buf, 2); | |
180 | helper_command[2] = '\0'; | |
181 | debug("Got '%s' from Squid with data:\n", helper_command); | |
8bdd0cec | 182 | hex_dump((unsigned char *)decodedBuf, decodedLen); |
75aa769b AJ |
183 | } else |
184 | debug("Got '%s' from Squid\n", buf); | |
185 | ||
7dba4ac4 AJ |
186 | if (response_delay > 0) { |
187 | std::this_thread::sleep_for(std::chrono::milliseconds(response_delay)); | |
188 | } | |
189 | ||
5dc2526c | 190 | if (strncmp(buf, "YR", 2) == 0) { |
75aa769b AJ |
191 | char nonce[NTLM_NONCE_LEN]; |
192 | ntlm_challenge chal; | |
193 | ntlm_make_nonce(nonce); | |
6bb77e97 | 194 | if (buflen > 3 && packet) { |
75aa769b AJ |
195 | ntlm_negotiate *nego = (ntlm_negotiate *)packet; |
196 | ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, nego->flags); | |
197 | } else { | |
1dcf61eb | 198 | ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, NTLM_NEGOTIATE_ASCII); |
75aa769b AJ |
199 | } |
200 | // TODO: find out what this context means, and why only the fake auth helper contains it. | |
201 | chal.context_high = htole32(0x003a<<16); | |
202 | ||
203 | len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen); | |
aadbbd7d AJ |
204 | |
205 | struct base64_encode_ctx eCtx; | |
206 | base64_encode_init(&eCtx); | |
1d11e9b3 AJ |
207 | char *data = static_cast<char *>(xcalloc(base64_encode_len(len), 1)); |
208 | size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<const uint8_t *>(&chal)); | |
aadbbd7d | 209 | blen += base64_encode_final(&eCtx, data+blen); |
75aa769b | 210 | if (NTLM_packet_debug_enabled) { |
af31a408 | 211 | printf("TT %.*s\n", (int)blen, data); |
75aa769b AJ |
212 | debug("sending 'TT' to squid with data:\n"); |
213 | hex_dump((unsigned char *)&chal, len); | |
214 | } else | |
af31a408 | 215 | SEND3("TT %.*s", (int)blen, data); |
aadbbd7d AJ |
216 | safe_free(data); |
217 | ||
5dc2526c | 218 | } else if (strncmp(buf, "KK ", 3) == 0) { |
75aa769b AJ |
219 | if (!packet) { |
220 | SEND("BH received KK with no data! user="); | |
1dcf61eb | 221 | } else if (ntlm_validate_packet(packet, NTLM_AUTHENTICATE) == NTLM_ERR_NONE) { |
8bdd0cec | 222 | if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, decodedLen) == NTLM_ERR_NONE) { |
75aa769b | 223 | lc(user); |
75aa769b AJ |
224 | if (strip_domain_enabled) { |
225 | SEND2("AF %s", user); | |
226 | } else { | |
59a09b98 | 227 | SEND4("AF %s%s%s", domain, (*domain?"\\":""), user); |
75aa769b AJ |
228 | } |
229 | } else { | |
230 | lc(user); | |
59a09b98 | 231 | SEND4("NA invalid credentials, user=%s%s%s", domain, (*domain?"\\":""), user); |
75aa769b AJ |
232 | } |
233 | } else { | |
234 | SEND("BH wrong packet type! user="); | |
235 | } | |
236 | } | |
237 | } | |
24885773 | 238 | return EXIT_SUCCESS; |
75aa769b | 239 | } |
f53969cc | 240 |