| 89f77e43 |
1 | /* |
| 2 | * digest_pw_auth.c |
| 3 | * |
| 4 | * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet |
| 5 | * <Arjan.deVet@adv.iae.nl> |
| 6 | * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com> |
| 7 | * |
| 8 | * Example digest authentication program for Squid, based on the original |
| 9 | * proxy_auth code from client_side.c, written by |
| 10 | * Jon Thackray <jrmt@uk.gdscorp.com>. |
| 11 | * |
| 12 | * - comment lines are possible and should start with a '#'; |
| 13 | * - empty or blank lines are possible; |
| 14 | * - file format is username:password |
| 26ac0430 |
15 | * |
| 89f77e43 |
16 | * To build a directory integrated backend, you need to be able to |
| 17 | * calculate the HA1 returned to squid. To avoid storing a plaintext |
| 18 | * password you can calculate MD5(username:realm:password) when the |
| 19 | * user changes their password, and store the tuple username:realm:HA1. |
| 20 | * then find the matching username:realm when squid asks for the |
| 21 | * HA1. |
| 22 | * |
| 23 | * This implementation could be improved by using such a triple for |
| 24 | * the file format. However storing such a triple does little to |
| 25 | * improve security: If compromised the username:realm:HA1 combination |
| 26 | * is "plaintext equivalent" - for the purposes of digest authentication |
| 27 | * they allow the user access. Password syncronisation is not tackled |
| 28 | * by digest - just preventing on the wire compromise. |
| 29 | * |
| 30 | * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org> |
| 31 | */ |
| 56ff4687 |
32 | #include "config.h" |
| 89f77e43 |
33 | #include "digest_common.h" |
| 56ff4687 |
34 | #include "helpers/defines.h" |
| 89f77e43 |
35 | #include "ldap_backend.h" |
| 56ff4687 |
36 | |
| 89f77e43 |
37 | #define PROGRAM_NAME "digest_ldap_auth" |
| 38 | |
| 39 | |
| e9505fad |
40 | static void |
| 89f77e43 |
41 | GetHHA1(RequestData * requestData) |
| 42 | { |
| 43 | LDAPHHA1(requestData); |
| 44 | } |
| 45 | |
| 46 | static void |
| 47 | ParseBuffer(char *buf, RequestData * requestData) |
| 48 | { |
| 49 | char *p; |
| 50 | requestData->parsed = 0; |
| 51 | if ((p = strchr(buf, '\n')) != NULL) |
| 26ac0430 |
52 | *p = '\0'; /* strip \n */ |
| 89f77e43 |
53 | if ((requestData->user = strtok(buf, "\"")) == NULL) |
| 26ac0430 |
54 | return; |
| 89f77e43 |
55 | if ((requestData->realm = strtok(NULL, "\"")) == NULL) |
| 26ac0430 |
56 | return; |
| 89f77e43 |
57 | if ((requestData->realm = strtok(NULL, "\"")) == NULL) |
| 26ac0430 |
58 | return; |
| 89f77e43 |
59 | requestData->parsed = -1; |
| 60 | } |
| 61 | |
| 62 | static void |
| 63 | OutputHHA1(RequestData * requestData) |
| 64 | { |
| 65 | requestData->error = 0; |
| 66 | GetHHA1(requestData); |
| 67 | if (requestData->error) { |
| 56ff4687 |
68 | SEND_ERR("No such user"); |
| 26ac0430 |
69 | return; |
| 89f77e43 |
70 | } |
| 71 | printf("%s\n", requestData->HHA1); |
| 72 | } |
| 73 | |
| 74 | static void |
| 75 | DoOneRequest(char *buf) |
| 76 | { |
| 77 | RequestData requestData; |
| 78 | ParseBuffer(buf, &requestData); |
| 79 | if (!requestData.parsed) { |
| 56ff4687 |
80 | SEND_ERR(""); |
| 26ac0430 |
81 | return; |
| 89f77e43 |
82 | } |
| 83 | OutputHHA1(&requestData); |
| 84 | } |
| 85 | |
| e9505fad |
86 | static void |
| 89f77e43 |
87 | ProcessArguments(int argc, char **argv) |
| 88 | { |
| 89 | int i; |
| 90 | i = LDAPArguments(argc, argv); |
| 91 | if (i) |
| 26ac0430 |
92 | exit(i); |
| 89f77e43 |
93 | } |
| 94 | |
| 95 | int |
| 96 | main(int argc, char **argv) |
| 97 | { |
| 56ff4687 |
98 | char buf[HELPER_INPUT_BUFFER]; |
| 89f77e43 |
99 | setbuf(stdout, NULL); |
| 100 | ProcessArguments(argc, argv); |
| 56ff4687 |
101 | while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) |
| 26ac0430 |
102 | DoOneRequest(buf); |
| 89f77e43 |
103 | exit(0); |
| 104 | } |
projects / thirdparty / squid.git / blame