]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/ntlm/fake/ntlm_fake_auth.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SourceFormat Enforcement
[thirdparty/squid.git] / src / auth / ntlm / fake / ntlm_fake_auth.cc
1 /*
2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /*
10 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
11 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
12 * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
13 */
14
15 /*
16 * Example ntlm authentication program for Squid, based on the
17 * original proxy_auth code from client_side.c, written by
18 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
19 * Andrew Doran <ad@interlude.eu.org>.
20 *
21 * This code gets the username and returns it. No validation is done.
22 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
23 * if you can.
24 *
25 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
26 *
27 * - Added negotiation of UNICODE char support
28 * - More detailed debugging info
29 *
30 */
31
32 /* undefine this to have strict protocol adherence. You don't really need
33 * that though */
34 #define IGNORANCE_IS_BLISS
35
36 #include "squid.h"
37 #include "base64.h"
38 #include "helper/protocol_defines.h"
39 #include "ntlmauth/ntlmauth.h"
40 #include "ntlmauth/support_bits.cci"
41
42 #include <cctype>
43 #include <cstring>
44 #if HAVE_CRYPT_H
45 #include <crypt.h>
46 #endif
47 #if HAVE_PWD_H
48 #include <pwd.h>
49 #endif
50 #if HAVE_GETOPT_H
51 #include <getopt.h>
52 #endif
53
54 /* A couple of harmless helper macros */
55 #define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
56 #ifdef __GNUC__
57 #define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
58 #define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
59 #define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
60 #else
61 /* no gcc, no debugging. varargs macros are a gcc extension */
62 #define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
63 #define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
64 #define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
65 #endif
66
67 const char *authenticate_ntlm_domain = "WORKGROUP";
68 int strip_domain_enabled = 0;
69 int NTLM_packet_debug_enabled = 0;
70
71 /*
72 * options:
73 * -d enable debugging.
74 * -v enable verbose NTLM packet debugging.
75 * -l if specified, changes behavior on failures to last-ditch.
76 */
77 char *my_program_name = NULL;
78
79 static void
80 usage(void)
81 {
82 fprintf(stderr,
83 "Usage: %s [-d] [-v] [-h]\n"
84 " -d enable debugging.\n"
85 " -S strip domain from username.\n"
86 " -v enable verbose NTLM packet debugging.\n"
87 " -h this message\n\n",
88 my_program_name);
89 }
90
91 static void
92 process_options(int argc, char *argv[])
93 {
94 int opt, had_error = 0;
95
96 opterr = 0;
97 while (-1 != (opt = getopt(argc, argv, "hdvS"))) {
98 switch (opt) {
99 case 'd':
100 debug_enabled = 1;
101 break;
102 case 'v':
103 debug_enabled = 1;
104 NTLM_packet_debug_enabled = 1;
105 break;
106 case 'S':
107 strip_domain_enabled = 1;
108 break;
109 case 'h':
110 usage();
111 exit(0);
112 case '?':
113 opt = optopt;
114 /* fall thru to default */
115 default:
116 fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
117 usage();
118 had_error = 1;
119 }
120 }
121 if (had_error)
122 exit(1);
123 }
124
125 int
126 main(int argc, char *argv[])
127 {
128 char buf[HELPER_INPUT_BUFFER];
129 int buflen = 0;
130 uint8_t decodedBuf[HELPER_INPUT_BUFFER];
131 int decodedLen;
132 char user[NTLM_MAX_FIELD_LENGTH], domain[NTLM_MAX_FIELD_LENGTH];
133 char *p;
134 char helper_command[3];
135 int len;
136
137 setbuf(stdout, NULL);
138 setbuf(stderr, NULL);
139
140 my_program_name = argv[0];
141
142 process_options(argc, argv);
143
144 debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name);
145
146 while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
147 user[0] = '\0'; /*no user code */
148 domain[0] = '\0'; /*no domain code */
149
150 if ((p = strchr(buf, '\n')) != NULL)
151 *p = '\0'; /* strip \n */
152 buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */
153 ntlmhdr *packet;
154 struct base64_decode_ctx ctx;
155 base64_decode_init(&ctx);
156 size_t dstLen = 0;
157 if (buflen > 3 &&
158 base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast<const uint8_t*>(buf+3)) &&
159 base64_decode_final(&ctx)) {
160 decodedLen = dstLen;
161 packet = (ntlmhdr*)decodedBuf;
162 } else {
163 packet = NULL;
164 decodedLen = 0;
165 }
166
167 if (buflen > 3 && NTLM_packet_debug_enabled) {
168 strncpy(helper_command, buf, 2);
169 helper_command[2] = '\0';
170 debug("Got '%s' from Squid with data:\n", helper_command);
171 hex_dump((unsigned char *)decodedBuf, decodedLen);
172 } else
173 debug("Got '%s' from Squid\n", buf);
174
175 if (strncmp(buf, "YR", 2) == 0) {
176 char nonce[NTLM_NONCE_LEN];
177 ntlm_challenge chal;
178 ntlm_make_nonce(nonce);
179 if (buflen > 3 && packet) {
180 ntlm_negotiate *nego = (ntlm_negotiate *)packet;
181 ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, nego->flags);
182 } else {
183 ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, NTLM_NEGOTIATE_ASCII);
184 }
185 // TODO: find out what this context means, and why only the fake auth helper contains it.
186 chal.context_high = htole32(0x003a<<16);
187
188 len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen);
189
190 struct base64_encode_ctx eCtx;
191 base64_encode_init(&eCtx);
192 uint8_t *data = (uint8_t*)xcalloc(base64_encode_len(len), 1);
193 size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<uint8_t*>(&chal));
194 blen += base64_encode_final(&eCtx, data+blen);
195 if (NTLM_packet_debug_enabled) {
196 printf("TT %.*s\n", (int)blen, data);
197 debug("sending 'TT' to squid with data:\n");
198 hex_dump((unsigned char *)&chal, len);
199 } else
200 SEND3("TT %.*s", (int)blen, data);
201 safe_free(data);
202
203 } else if (strncmp(buf, "KK ", 3) == 0) {
204 if (!packet) {
205 SEND("BH received KK with no data! user=");
206 } else if (ntlm_validate_packet(packet, NTLM_AUTHENTICATE) == NTLM_ERR_NONE) {
207 if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, decodedLen) == NTLM_ERR_NONE) {
208 lc(user);
209 if (strip_domain_enabled) {
210 SEND2("AF %s", user);
211 } else {
212 SEND4("AF %s%s%s", domain, (*domain?"\\":""), user);
213 }
214 } else {
215 lc(user);
216 SEND4("NA invalid credentials, user=%s%s%s", domain, (*domain?"\\":""), user);
217 }
218 } else {
219 SEND("BH wrong packet type! user=");
220 }
221 }
222 }
223 exit(0);
224 }
225
Mirror of https://github.com/squid-cache/squid.git