]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/ntlm/fake/ntlm_fake_auth.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Source Format Enforcement (#532)
[thirdparty/squid.git] / src / auth / ntlm / fake / ntlm_fake_auth.cc
1 /*
2 * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /*
10 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
11 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
12 * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
13 */
14
15 /*
16 * Example ntlm authentication program for Squid, based on the
17 * original proxy_auth code from client_side.c, written by
18 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
19 * Andrew Doran <ad@interlude.eu.org>.
20 *
21 * This code gets the username and returns it. No validation is done.
22 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
23 * if you can.
24 *
25 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
26 *
27 * - Added negotiation of UNICODE char support
28 * - More detailed debugging info
29 *
30 */
31
32 /* undefine this to have strict protocol adherence. You don't really need
33 * that though */
34 #define IGNORANCE_IS_BLISS
35
36 #include "squid.h"
37 #include "base64.h"
38 #include "helper/protocol_defines.h"
39 #include "ntlmauth/ntlmauth.h"
40 #include "ntlmauth/support_bits.cci"
41
42 #include <cctype>
43 #include <chrono>
44 #include <cstring>
45 #if HAVE_CRYPT_H
46 #include <crypt.h>
47 #endif
48 #if HAVE_PWD_H
49 #include <pwd.h>
50 #endif
51 #if HAVE_GETOPT_H
52 #include <getopt.h>
53 #endif
54 #include <thread>
55
56 /* A couple of harmless helper macros */
57 #define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
58 #ifdef __GNUC__
59 #define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
60 #define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
61 #define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
62 #else
63 /* no gcc, no debugging. varargs macros are a gcc extension */
64 #define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
65 #define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
66 #define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
67 #endif
68
69 const char *authenticate_ntlm_domain = "WORKGROUP";
70 int strip_domain_enabled = 0;
71 int NTLM_packet_debug_enabled = 0;
72 unsigned int response_delay = 0;
73
74 /*
75 * options:
76 * -d enable debugging.
77 * -v enable verbose NTLM packet debugging.
78 * -l if specified, changes behavior on failures to last-ditch.
79 */
80 char *my_program_name = NULL;
81
82 static void
83 usage(void)
84 {
85 fprintf(stderr,
86 "Usage: %s [-d] [-t N] [-v] [-h]\n"
87 " -d enable debugging.\n"
88 " -S strip domain from username.\n"
89 " -t timeout to delay responses (milliseconds).\n"
90 " -v enable verbose NTLM packet debugging.\n"
91 " -h this message\n\n",
92 my_program_name);
93 }
94
95 static void
96 process_options(int argc, char *argv[])
97 {
98 int opt, had_error = 0;
99
100 opterr = 0;
101 while (-1 != (opt = getopt(argc, argv, "hdvSt:"))) {
102 switch (opt) {
103 case 'd':
104 debug_enabled = 1;
105 break;
106 case 'v':
107 debug_enabled = 1;
108 NTLM_packet_debug_enabled = 1;
109 break;
110 case 'S':
111 strip_domain_enabled = 1;
112 break;
113 case 't':
114 if (!xstrtoui(optarg, nullptr, &response_delay, 0, 86400)) {
115 fprintf(stderr, "ERROR: invalid parameter value for -t '%s'", optarg);
116 usage();
117 had_error = 1;
118 }
119 break;
120 case 'h':
121 usage();
122 exit(EXIT_SUCCESS);
123 case '?':
124 opt = optopt;
125 /* fall thru to default */
126 default:
127 fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
128 usage();
129 had_error = 1;
130 }
131 }
132 if (had_error)
133 exit(EXIT_FAILURE);
134 }
135
136 int
137 main(int argc, char *argv[])
138 {
139 char buf[HELPER_INPUT_BUFFER];
140 int buflen = 0;
141 uint8_t decodedBuf[HELPER_INPUT_BUFFER];
142 int decodedLen;
143 char user[NTLM_MAX_FIELD_LENGTH], domain[NTLM_MAX_FIELD_LENGTH];
144 char *p;
145 char helper_command[3];
146 int len;
147
148 setbuf(stdout, NULL);
149 setbuf(stderr, NULL);
150
151 my_program_name = argv[0];
152
153 process_options(argc, argv);
154
155 debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name);
156
157 while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
158 user[0] = '\0'; /*no user code */
159 domain[0] = '\0'; /*no domain code */
160
161 if ((p = strchr(buf, '\n')) != NULL)
162 *p = '\0'; /* strip \n */
163 buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */
164 ntlmhdr *packet;
165 struct base64_decode_ctx ctx;
166 base64_decode_init(&ctx);
167 size_t dstLen = 0;
168 if (buflen > 3 &&
169 base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) &&
170 base64_decode_final(&ctx)) {
171 decodedLen = dstLen;
172 packet = (ntlmhdr*)decodedBuf;
173 } else {
174 packet = NULL;
175 decodedLen = 0;
176 }
177
178 if (buflen > 3 && NTLM_packet_debug_enabled) {
179 strncpy(helper_command, buf, 2);
180 helper_command[2] = '\0';
181 debug("Got '%s' from Squid with data:\n", helper_command);
182 hex_dump((unsigned char *)decodedBuf, decodedLen);
183 } else
184 debug("Got '%s' from Squid\n", buf);
185
186 if (response_delay > 0) {
187 std::this_thread::sleep_for(std::chrono::milliseconds(response_delay));
188 }
189
190 if (strncmp(buf, "YR", 2) == 0) {
191 char nonce[NTLM_NONCE_LEN];
192 ntlm_challenge chal;
193 ntlm_make_nonce(nonce);
194 if (buflen > 3 && packet) {
195 ntlm_negotiate *nego = (ntlm_negotiate *)packet;
196 ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, nego->flags);
197 } else {
198 ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, NTLM_NEGOTIATE_ASCII);
199 }
200 // TODO: find out what this context means, and why only the fake auth helper contains it.
201 chal.context_high = htole32(0x003a<<16);
202
203 len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen);
204
205 struct base64_encode_ctx eCtx;
206 base64_encode_init(&eCtx);
207 char *data = static_cast<char *>(xcalloc(base64_encode_len(len), 1));
208 size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<const uint8_t *>(&chal));
209 blen += base64_encode_final(&eCtx, data+blen);
210 if (NTLM_packet_debug_enabled) {
211 printf("TT %.*s\n", (int)blen, data);
212 debug("sending 'TT' to squid with data:\n");
213 hex_dump((unsigned char *)&chal, len);
214 } else
215 SEND3("TT %.*s", (int)blen, data);
216 safe_free(data);
217
218 } else if (strncmp(buf, "KK ", 3) == 0) {
219 if (!packet) {
220 SEND("BH received KK with no data! user=");
221 } else if (ntlm_validate_packet(packet, NTLM_AUTHENTICATE) == NTLM_ERR_NONE) {
222 if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, decodedLen) == NTLM_ERR_NONE) {
223 lc(user);
224 if (strip_domain_enabled) {
225 SEND2("AF %s", user);
226 } else {
227 SEND4("AF %s%s%s", domain, (*domain?"\\":""), user);
228 }
229 } else {
230 lc(user);
231 SEND4("NA invalid credentials, user=%s%s%s", domain, (*domain?"\\":""), user);
232 }
233 } else {
234 SEND("BH wrong packet type! user=");
235 }
236 }
237 }
238 return EXIT_SUCCESS;
239 }
240
Mirror of https://github.com/squid-cache/squid.git