1 /*
2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /*
10 * AUTHOR: Robert Collins.
11 * Based on ncsa_auth.c by Arjan de Vet <Arjan.deVet@adv.iae.nl>
12 * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com>
13 *
14 * Example digest authentication program for Squid, based on the original
15 * proxy_auth code from client_side.c, written by
16 * Jon Thackray <jrmt@uk.gdscorp.com>.
17 *
18 * - comment lines are possible and should start with a '#';
19 * - empty or blank lines are possible;
20 * - file format is username:password (inherited from the file-backed helper
 * this program was derived from; this build obtains the hash from the LDAP
 * backend instead, see GetHHA1())
21 *
22 * To build a directory integrated backend, you need to be able to
23 * calculate the HA1 returned to squid. To avoid storing a plaintext
24 * password you can calculate MD5(username:realm:password) when the
25 * user changes their password, and store the tuple username:realm:HA1.
26 * then find the matching username:realm when squid asks for the
27 * HA1.
28 *
29 * This implementation could be improved by using such a triple for
30 * the file format. However storing such a triple does little to
31 * improve security: If compromised the username:realm:HA1 combination
32 * is "plaintext equivalent" - for the purposes of digest authentication
33 * they allow the user access. Password synchronisation is not tackled
34 * by digest - it only prevents on-the-wire compromise of the password.
35 *
36 * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
37 */
38
39 #include "squid.h"
40 #include "auth/digest/LDAP/digest_common.h"
41 #include "auth/digest/LDAP/ldap_backend.h"
42 #include "helper/protocol_defines.h"
43
44 #define PROGRAM_NAME "digest_ldap_auth"
45
/*
 * Resolve the HA1 hash for requestData->user in requestData->realm through
 * the LDAP backend (LDAPHHA1(), declared in ldap_backend.h). Judging by the
 * caller OutputHHA1(), the backend is expected to fill requestData->HHA1 on
 * success and set requestData->error otherwise -- confirm against
 * ldap_backend.cc before relying on any other contract.
 */
static void
GetHHA1(RequestData * requestData)
{
    LDAPHHA1(requestData);
}
51
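/*
 * Parse one helper request line, in place, into requestData.
 *
 * Expected line layout (helper protocol, quotes literal):
 *   [<channel-id> ]"<username>":"<realm>"
 *
 * On return requestData->parsed is non-zero only when both a username and a
 * realm were extracted; requestData->channelId holds the leading channel-ID,
 * or -1 when the line did not start with one. user and realm point into buf,
 * which is modified (NUL bytes written over the quotes) and must therefore
 * outlive requestData.
 */
static void
ParseBuffer(char *buf, RequestData * requestData)
{
    char *p;
    requestData->parsed = 0;
    requestData->user = NULL;
    requestData->realm = NULL;

    if ((p = strchr(buf, '\n')) != NULL)
        *p = '\0'; /* strip \n */

    /*
     * Optional channel-ID (concurrent helper mode). Insist on at least one
     * digit: strtoll() skips leading whitespace, so without the p == buf test
     * a line that merely starts with a blank would be taken as channel 0 and
     * its first byte silently dropped.
     */
    p = NULL;
    const long long channelId = strtoll(buf, &p, 10);
    if (p == buf || *p != ' ') { // not a channel-ID
        requestData->channelId = -1;
    } else {
        requestData->channelId = channelId;
        buf = ++p;
    }

    /*
     * Split on the double quotes; the tokens are username, the ':' separator
     * and realm. strtok() collapses runs of delimiters, so a line with an
     * unexpected layout (e.g. an unescaped '"' inside the username) shifts the
     * tokens. Requiring the middle token to be exactly ":" rejects such lines
     * instead of looking up a bogus user/realm pair.
     */
    if ((requestData->user = strtok(buf, "\"")) == NULL)
        return;
    const char *separator = strtok(NULL, "\"");
    if (separator == NULL || strcmp(separator, ":") != 0)
        return;
    if ((requestData->realm = strtok(NULL, "\"")) == NULL)
        return;
    requestData->parsed = -1;
}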
75
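/*
 * Answer one parsed request: fetch the HA1 for user/realm and write the
 * helper reply to stdout.
 *
 * Reply is "[<channel-id> ]OK ha1=\"<HHA1>\"" on success, or
 * "[<channel-id> ]ERR message=\"No such user\"" when the backend set
 * requestData->error. The channel-ID prefix is echoed only when the request
 * carried one (channelId >= 0). Note that any backend failure is reported
 * with the same "No such user" text; whether LDAPHHA1() distinguishes a
 * directory error from an unknown user cannot be told from here.
 */
static void
OutputHHA1(RequestData * requestData)
{
    requestData->error = 0;
    GetHHA1(requestData);
    /* Cast so the conversion matches whatever integer type channelId has. */
    if (requestData->channelId >= 0)
        printf("%lld ", (long long) requestData->channelId);
    if (requestData->error) {
        SEND_ERR("message=\"No such user\"");
        return;
    }
    printf("OK ha1=\"%s\"\n", requestData->HHA1);
}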
89
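/*
 * Handle one input line from Squid: parse it and either reply BH for a
 * malformed line or hand it to OutputHHA1() for the lookup and reply.
 * buf is modified in place by ParseBuffer().
 */
static void
DoOneRequest(char *buf)
{
    /* Zero-initialise so HHA1/user/realm are never indeterminate if a later
     * step reads a field the parser or backend did not set. */
    RequestData requestData = {0};
    ParseBuffer(buf, &requestData);
    if (!requestData.parsed) {
        /* Cast so the conversion matches whatever integer type channelId has. */
        if (requestData.channelId >= 0)
            printf("%lld ", (long long) requestData.channelId);
        SEND_BH("message=\"Invalid line received\"");
        return;
    }
    OutputHHA1(&requestData);
}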
103
/*
 * Hand the command line to the LDAP backend's option parser. LDAPArguments()
 * returning 0 means the helper may continue; any other value becomes the
 * process exit status.
 */
static void
ProcessArguments(int argc, char **argv)
{
    const int rc = LDAPArguments(argc, argv);
    if (rc != 0)
        exit(rc);
}
112
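/*
 * Called when fgets() filled the buffer without reaching a newline and stdin
 * is not at EOF, i.e. the request line exceeds HELPER_INPUT_BUFFER-1 bytes.
 * Drain the rest of the line so its tail is not parsed as a separate request,
 * then reply BH for this one, echoing the channel-ID if the fragment started
 * with one so a concurrent Squid can match the reply to the request.
 */
static void
RejectOversizedLine(const char *fragment)
{
    int c;
    while ((c = getchar()) != EOF && c != '\n') {
        /* discard the remainder of the over-long line */
    }

    char *end = NULL;
    const long long channelId = strtoll(fragment, &end, 10);
    if (end != fragment && *end == ' ' && channelId >= 0)
        printf("%lld ", channelId);
    SEND_BH("message=\"Input line too long\"");
}

/*
 * Helper entry point: parse the LDAP options, then answer one request per
 * line of stdin until EOF. stdout is unbuffered so every reply reaches Squid
 * immediately.
 */
int
main(int argc, char **argv)
{
    char buf[HELPER_INPUT_BUFFER];
    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);
    while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
        /* A missing newline before EOF means the line did not fit; never
         * parse the fragment, as its tail would come back as a bogus request. */
        if (strchr(buf, '\n') == NULL && !feof(stdin)) {
            RejectOversizedLine(buf);
            continue;
        }
        DoOneRequest(buf);
    }
    exit(0);
}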
123