1 | /* | |
2 | * Copyright (C) 1996-2023 The Squid Software Foundation and contributors | |
3 | * | |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | /* | |
10 | * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet | |
11 | * <Arjan.deVet@adv.iae.nl> | |
12 | * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com> | |
13 | * | |
14 | * Example digest authentication program for Squid, based on the original | |
15 | * proxy_auth code from client_side.c, written by | |
16 | * Jon Thackray <jrmt@uk.gdscorp.com>. | |
17 | * | |
18 | * - comment lines are possible and should start with a '#'; | |
19 | * - empty or blank lines are possible; | |
20 | * - file format is username:password | |
21 | * | |
22 | * To build a directory integrated backend, you need to be able to | |
23 | * calculate the HA1 returned to squid. To avoid storing a plaintext | |
24 | * password you can calculate MD5(username:realm:password) when the | |
25 | * user changes their password, and store the tuple username:realm:HA1. | |
26 | * then find the matching username:realm when squid asks for the | |
27 | * HA1. | |
28 | * | |
29 | * This implementation could be improved by using such a triple for | |
30 | * the file format. However storing such a triple does little to | |
31 | * improve security: If compromised the username:realm:HA1 combination | |
32 | * is "plaintext equivalent" - for the purposes of digest authentication | |
33 | * they allow the user access. Password synchronization is not tackled | |
34 | * by digest - just preventing on the wire compromise. | |
35 | * | |
36 | * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org> | |
37 | */ | |
38 | #include "squid.h" | |
39 | #include "auth/digest/eDirectory/digest_common.h" | |
40 | #include "auth/digest/eDirectory/ldap_backend.h" | |
41 | #include "helper/protocol_defines.h" | |
42 | ||
43 | #define PROGRAM_NAME "digest_edirectory_auth" | |
44 | ||
/*
 * Fill in requestData->HHA1 (and requestData->error on failure) for the
 * already-parsed user/realm pair. This helper has a single backend, so the
 * lookup is delegated straight to the LDAP/eDirectory implementation.
 */
static void
GetHHA1(RequestData *requestData)
{
    LDAPHHA1(requestData);
}
50 | ||
/*
 * Parse one helper request line of the form
 *
 *     [channel-ID ]"user":"realm"
 *
 * into requestData. On success requestData->parsed is non-zero and
 * requestData->user / ->realm point INTO buf (strtok() writes NUL bytes
 * into buf), so they are only valid for as long as buf is. On any parse
 * failure requestData->parsed stays 0; channelId is always set, to the
 * parsed value or to -1 when the line carries no channel-ID.
 *
 * strtok() keeps static state, which is acceptable here because requests
 * are handled strictly one at a time by main()'s read loop.
 */
static void
ParseBuffer(char *buf, RequestData *requestData)
{
    requestData->parsed = 0;

    /* fgets() leaves the newline in place; drop it. A line longer than the
     * input buffer arrives without one and its tail shows up as a separate
     * (invalid) request on the next read. */
    char *newline = strchr(buf, '\n');
    if (newline != nullptr)
        *newline = '\0';

    /* optional leading channel-ID (concurrency support): digits followed by
     * one space. strtoll() leaves end == buf when there are no digits.
     * NOTE(review): assumes channelId is wide enough to hold strtoll()'s
     * result without truncation -- confirm against RequestData's declaration. */
    char *end = nullptr;
    requestData->channelId = strtoll(buf, &end, 10);
    if (*end == ' ')
        buf = end + 1;
    else
        requestData->channelId = -1;    // no channel-ID prefix

    /* Tokenise on '"'. The tokens come out as: user, the ':' separator
     * between the closing and opening quotes, then realm. The separator is
     * stored into realm and immediately overwritten, matching the original
     * field state on every early-return path. */
    requestData->user = strtok(buf, "\"");
    if (requestData->user == nullptr)
        return;

    requestData->realm = strtok(nullptr, "\"");   // ':' separator token
    if (requestData->realm == nullptr)
        return;

    requestData->realm = strtok(nullptr, "\"");   // the real realm
    if (requestData->realm == nullptr)
        return;

    requestData->parsed = -1;
}
74 | ||
/*
 * Look up the HA1 for a parsed request and write the helper reply to stdout:
 * an optional channel-ID prefix, then either "OK ha1=..." or an ERR line.
 *
 * The channel-ID is emitted before the lookup outcome is known so that both
 * the success and the error reply carry it.
 */
static void
OutputHHA1(RequestData *requestData)
{
    requestData->error = 0;
    GetHHA1(requestData);

    const bool concurrent = requestData->channelId >= 0;
    if (concurrent) {
        /* NOTE(review): "%u" -- confirm this matches channelId's declared
         * type in RequestData; a mismatched conversion is undefined. */
        printf("%u ", requestData->channelId);
    }

    if (!requestData->error) {
        printf("OK ha1=\"%s\"\n", requestData->HHA1);
        return;
    }

    /* any backend failure is reported to Squid as an unknown user */
    SEND_ERR("message=\"No such user\"");
}
88 | ||
/*
 * Handle one input line from Squid: parse it, then either answer it or
 * report a malformed request with BH (prefixed by the channel-ID when the
 * line had one).
 *
 * requestData lives only for this call; its user/realm pointers refer into
 * buf, which the caller owns.
 */
static void
DoOneRequest(char *buf)
{
    RequestData requestData;
    ParseBuffer(buf, &requestData);

    if (requestData.parsed) {
        OutputHHA1(&requestData);
        return;
    }

    /* unparsable line: keep the reply matched to its request channel */
    if (requestData.channelId >= 0)
        printf("%u ", requestData.channelId);   // NOTE(review): confirm "%u" matches channelId's type
    SEND_BH("message=\"Invalid line received\"");
}
102 | ||
/*
 * Hand the command line to the LDAP backend. A non-zero result means the
 * arguments were rejected (or usage was requested) and the helper exits
 * with that value instead of reading requests.
 */
static void
ProcessArguments(int argc, char **argv)
{
    if (const auto rc = LDAPArguments(argc, argv))
        exit(rc);
}
109 | ||
/*
 * Helper entry point: process one request per input line until stdin is
 * closed. stdout is made unbuffered so each reply is written out as soon
 * as it is produced rather than sitting in a stdio buffer.
 *
 * Note: fgets() reads at most HELPER_INPUT_BUFFER-1 bytes; a longer line
 * is delivered in pieces, each treated as its own request.
 */
int
main(int argc, char **argv)
{
    char buf[HELPER_INPUT_BUFFER];

    setbuf(stdout, nullptr);
    ProcessArguments(argc, argv);

    for (;;) {
        if (fgets(buf, HELPER_INPUT_BUFFER, stdin) == nullptr)
            break;      // EOF or read error: Squid closed the pipe
        DoOneRequest(buf);
    }

    return EXIT_SUCCESS;
}