[thirdparty/squid.git] / helpers / basic_auth / NCSA / basic_ncsa_auth.cc

/*
 * AUTHOR: Arjan de Vet <Arjan.deVet@adv.iae.nl>
 *
 * Example authentication program for Squid, based on the original
 * proxy_auth code from client_side.c, written by
 * Jon Thackray <jrmt@uk.gdscorp.com>.
 *
 * Uses a NCSA httpd style password file for authentication with the
 * following improvements suggested by various people:
 *
 * - comment lines are possible and should start with a '#';
 * - empty or blank lines are possible;
 * - extra fields in the password file are ignored; this makes it
 *   possible to use a Unix password file but I do not recommend that.
 *
 *  MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
 */

#include "squid.h"
#include "crypt_md5.h"
#include "hash.h"
#include "helpers/defines.h"
#include "rfc1738.h"
#include "util.h"

#if HAVE_STDIO_H
#include <stdio.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#if HAVE_STRING_H
#include <string.h>
#endif
#if HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#if HAVE_CRYPT_H
#include <crypt.h>
#endif
#if HAVE_ERRNO_H
#include <errno.h>
#endif

static hash_table *hash = NULL;
static HASHFREE my_free;

typedef struct _user_data {
    /* first two items must be same as hash_link */
    char *user;
    struct _user_data *next;
    char *passwd;
} user_data;

static void
my_free(void *p)
{
    user_data *u = static_cast<user_data*>(p);
    xfree(u->user);
    xfree(u->passwd);
    xfree(u);
}

static void
read_passwd_file(const char *passwdfile)
{
    FILE *f;
    char buf[8192];
    user_data *u;
    char *user;
    char *passwd;
    if (hash != NULL) {
        hashFreeItems(hash, my_free);
        hashFreeMemory(hash);
    }
    /* initial setup */
    hash = hash_create((HASHCMP *) strcmp, 7921, hash_string);
    if (NULL == hash) {
        fprintf(stderr, "FATAL: Cannot create hash table\n");
        exit(1);
    }
    f = fopen(passwdfile, "r");
    if (NULL == f) {
        fprintf(stderr, "FATAL: %s: %s\n", passwdfile, xstrerror());
        exit(1);
    }
    while (fgets(buf, 8192, f) != NULL) {
        if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') ||
                (buf[0] == '\n'))
            continue;
        user = strtok(buf, ":\n\r");
        passwd = strtok(NULL, ":\n\r");
        if ((strlen(user) > 0) && passwd) {
            u = static_cast<user_data*>(xmalloc(sizeof(*u)));
            u->user = xstrdup(user);
            u->passwd = xstrdup(passwd);
            hash_join(hash, (hash_link *) u);
        }
    }
    fclose(f);
}

int
main(int argc, char **argv)
{
    struct stat sb;
    time_t change_time = -1;
    char buf[HELPER_INPUT_BUFFER];
    char *user, *passwd, *p;
    user_data *u;
    setbuf(stdout, NULL);
    if (argc != 2) {
        fprintf(stderr, "Usage: ncsa_auth <passwordfile>\n");
        exit(1);
    }
    if (stat(argv[1], &sb) != 0) {
        fprintf(stderr, "FATAL: cannot stat %s\n", argv[1]);
        exit(1);
    }
    while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
        if ((p = strchr(buf, '\n')) != NULL)
            *p = '\0';		/* strip \n */
        if (stat(argv[1], &sb) == 0) {
            if (sb.st_mtime != change_time) {
                read_passwd_file(argv[1]);
                change_time = sb.st_mtime;
            }
        }
        if ((user = strtok(buf, " ")) == NULL) {
            SEND_ERR("");
            continue;
        }
        if ((passwd = strtok(NULL, "")) == NULL) {
            SEND_ERR("");
            continue;
        }
        rfc1738_unescape(user);
        rfc1738_unescape(passwd);
        u = (user_data *) hash_lookup(hash, user);
        if (u == NULL) {
            SEND_ERR("No such user");
#if HAVE_CRYPT
        } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
            // Bug 3107: crypt() DES functionality silently truncates long passwords.
            SEND_OK("");
        } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
            // Bug 3107: crypt() DES functionality silently truncates long passwords.
            SEND_ERR("Password too long. Only 8 characters accepted.");
#endif
        } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
            SEND_OK("");
        } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
            SEND_OK("");
        } else {
            SEND_ERR("Wrong password");
        }
    }
    if (hash != NULL) {
        hashFreeItems(hash, my_free);
        hashFreeMemory(hash);
    }
    exit(0);
}
Commit	Line	Data
94439e4e	1	/*
94439e4e	2	* AUTHOR: Arjan de Vet <Arjan.deVet@adv.iae.nl>
	3	*
	4	* Example authentication program for Squid, based on the original
	5	* proxy_auth code from client_side.c, written by
	6	* Jon Thackray <jrmt@uk.gdscorp.com>.
	7	*
	8	* Uses a NCSA httpd style password file for authentication with the
	9	* following improvements suggested by various people:
	10	*
	11	* - comment lines are possible and should start with a '#';
	12	* - empty or blank lines are possible;
	13	* - extra fields in the password file are ignored; this makes it
	14	* possible to use a Unix password file but I do not recommend that.
	15	*
304fb0a1	16	* MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
94439e4e	17	*/
94439e4e	18
f7f3304a	19	#include "squid.h"
43fed740 AJ	20	#include "crypt_md5.h"
	21	#include "hash.h"
	22	#include "helpers/defines.h"
1fa9b1a7	23	#include "rfc1738.h"
43fed740	24	#include "util.h"
81951d76	25
94439e4e	26	#if HAVE_STDIO_H
	27	#include <stdio.h>
	28	#endif
94439e4e	29	#if HAVE_UNISTD_H
	30	#include <unistd.h>
	31	#endif
	32	#if HAVE_STRING_H
	33	#include <string.h>
	34	#endif
94439e4e	35	#if HAVE_SYS_STAT_H
	36	#include <sys/stat.h>
	37	#endif
	38	#if HAVE_CRYPT_H
	39	#include <crypt.h>
	40	#endif
25f98340 AJ	41	#if HAVE_ERRNO_H
	42	#include <errno.h>
	43	#endif
94439e4e	44
94439e4e	45	static hash_table *hash = NULL;
	46	static HASHFREE my_free;
	47
	48	typedef struct _user_data {
	49	/* first two items must be same as hash_link */
	50	char *user;
	51	struct _user_data *next;
	52	char *passwd;
	53	} user_data;
	54
	55	static void
	56	my_free(void *p)
	57	{
3138a4e4	58	user_data u = static_cast<user_data>(p);
94439e4e	59	xfree(u->user);
	60	xfree(u->passwd);
	61	xfree(u);
	62	}
	63
	64	static void
	65	read_passwd_file(const char *passwdfile)
	66	{
	67	FILE *f;
	68	char buf[8192];
	69	user_data *u;
	70	char *user;
	71	char *passwd;
	72	if (hash != NULL) {
26ac0430 AJ	73	hashFreeItems(hash, my_free);
26ac0430 AJ	74	hashFreeMemory(hash);
94439e4e	75	}
	76	/* initial setup */
	77	hash = hash_create((HASHCMP *) strcmp, 7921, hash_string);
	78	if (NULL == hash) {
43fed740	79	fprintf(stderr, "FATAL: Cannot create hash table\n");
26ac0430	80	exit(1);
94439e4e	81	}
94439e4e	82	f = fopen(passwdfile, "r");
a2897c13	83	if (NULL == f) {
43fed740	84	fprintf(stderr, "FATAL: %s: %s\n", passwdfile, xstrerror());
26ac0430	85	exit(1);
a2897c13	86	}
94439e4e	87	while (fgets(buf, 8192, f) != NULL) {
26ac0430 AJ	88	if ((buf[0] == '#') \|\| (buf[0] == ' ') \|\| (buf[0] == '\t') \|\|
	89	(buf[0] == '\n'))
	90	continue;
	91	user = strtok(buf, ":\n\r");
	92	passwd = strtok(NULL, ":\n\r");
	93	if ((strlen(user) > 0) && passwd) {
3138a4e4	94	u = static_cast<user_data>(xmalloc(sizeof(u)));
26ac0430 AJ	95	u->user = xstrdup(user);
	96	u->passwd = xstrdup(passwd);
	97	hash_join(hash, (hash_link *) u);
	98	}
94439e4e	99	}
	100	fclose(f);
	101	}
	102
	103	int
	104	main(int argc, char **argv)
	105	{
	106	struct stat sb;
407e1c93	107	time_t change_time = -1;
43fed740	108	char buf[HELPER_INPUT_BUFFER];
94439e4e	109	char user, passwd, *p;
	110	user_data *u;
	111	setbuf(stdout, NULL);
	112	if (argc != 2) {
26ac0430 AJ	113	fprintf(stderr, "Usage: ncsa_auth <passwordfile>\n");
26ac0430 AJ	114	exit(1);
94439e4e	115	}
94439e4e	116	if (stat(argv[1], &sb) != 0) {
43fed740	117	fprintf(stderr, "FATAL: cannot stat %s\n", argv[1]);
26ac0430	118	exit(1);
94439e4e	119	}
43fed740	120	while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
26ac0430 AJ	121	if ((p = strchr(buf, '\n')) != NULL)
	122	p = '\0'; / strip \n */
	123	if (stat(argv[1], &sb) == 0) {
	124	if (sb.st_mtime != change_time) {
	125	read_passwd_file(argv[1]);
	126	change_time = sb.st_mtime;
	127	}
	128	}
	129	if ((user = strtok(buf, " ")) == NULL) {
43fed740	130	SEND_ERR("");
26ac0430 AJ	131	continue;
	132	}
	133	if ((passwd = strtok(NULL, "")) == NULL) {
43fed740	134	SEND_ERR("");
26ac0430 AJ	135	continue;
	136	}
	137	rfc1738_unescape(user);
	138	rfc1738_unescape(passwd);
	139	u = (user_data *) hash_lookup(hash, user);
	140	if (u == NULL) {
43fed740	141	SEND_ERR("No such user");
8655ee19	142	#if HAVE_CRYPT
304fb0a1 AJ	143	} else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
304fb0a1 AJ	144	// Bug 3107: crypt() DES functionality silently truncates long passwords.
43fed740	145	SEND_OK("");
2d2772b0 AJ	146	} else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
	147	// Bug 3107: crypt() DES functionality silently truncates long passwords.
	148	SEND_ERR("Password too long. Only 8 characters accepted.");
8655ee19	149	#endif
26ac0430	150	} else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
43fed740	151	SEND_OK("");
304fb0a1	152	} else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
43fed740	153	SEND_OK("");
26ac0430	154	} else {
43fed740	155	SEND_ERR("Wrong password");
26ac0430	156	}
94439e4e	157	}
5fb27788	158	if (hash != NULL) {
26ac0430 AJ	159	hashFreeItems(hash, my_free);
26ac0430 AJ	160	hashFreeMemory(hash);
5fb27788	161	}
94439e4e	162	exit(0);
94439e4e	163	}