89f77e43 | 1 | /* |
2 | * digest_pw_auth.c | |
3 | * | |
4 | * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet | |
5 | * <Arjan.deVet@adv.iae.nl> | |
6 | * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com> | |
7 | * | |
8 | * Example digest authentication program for Squid, based on the original | |
9 | * proxy_auth code from client_side.c, written by | |
10 | * Jon Thackray <jrmt@uk.gdscorp.com>. | |
11 | * | |
12 | * - comment lines are possible and should start with a '#'; | |
13 | * - empty or blank lines are possible; | |
14 | * - file format is username:password | |
26ac0430 | 15 | * |
89f77e43 | 16 | * To build a directory integrated backend, you need to be able to |
17 | * calculate the HA1 returned to squid. To avoid storing a plaintext | |
18 | * password you can calculate MD5(username:realm:password) when the | |
19 | * user changes their password, and store the tuple username:realm:HA1. | |
20 | * then find the matching username:realm when squid asks for the | |
21 | * HA1. | |
22 | * | |
23 | * This implementation could be improved by using such a triple for | |
24 | * the file format. However storing such a triple does little to | |
25 | * improve security: If compromised the username:realm:HA1 combination | |
26 | * is "plaintext equivalent" - for the purposes of digest authentication | |
27 | * they allow the user access. Password synchronisation is not tackled | |
28 | * by digest - just preventing on the wire compromise. | |
29 | * | |
30 | * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org> | |
31 | */ | |
56ff4687 | 32 | #include "config.h" |
89f77e43 | 33 | #include "digest_common.h" |
56ff4687 | 34 | #include "helpers/defines.h" |
89f77e43 | 35 | #include "ldap_backend.h" |
56ff4687 | 36 | |
89f77e43 | 37 | #define PROGRAM_NAME "digest_ldap_auth" |
38 | ||
39 | ||
/*
 * GetHHA1: run the backend lookup for the user/realm held in requestData.
 *
 * This program is the LDAP flavour of the digest helper, so the only
 * backend is LDAPHHA1() from ldap_backend.h. OutputHHA1() clears
 * requestData->error before calling this and expects the backend to set
 * it when the lookup fails, and to fill requestData->HHA1 otherwise.
 */
static void GetHHA1(RequestData *requestData)
{
    LDAPHHA1(requestData);
}
45 | ||
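/*
 * ParseBuffer: split one request line into requestData->user and
 * requestData->realm.
 *
 * The line is tokenised on the double quote, which yields three tokens
 * for a well-formed request: the user, the text between the closing and
 * opening quotes (the field separator of the digest helper protocol,
 * presumably ":" -- it is consumed but neither kept nor checked), and
 * the realm. The original code assigned that middle token to ->realm
 * and then overwrote it; naming it makes the intent visible.
 *
 * buf is modified in place (strtok() writes NULs into it) and the
 * user/realm pointers point into buf, so buf must stay alive for as
 * long as requestData is used. strtok() keeps static state, so this is
 * not reentrant. Nothing here validates the characters in user or
 * realm; that is left to the backend.
 *
 * On success requestData->parsed is -1. On a short or malformed line it
 * is 0 and user/realm are NULL or partially filled and must not be used.
 */
static void
ParseBuffer(char *buf, RequestData *requestData)
{
    char *sep;
    char *nl;

    requestData->parsed = 0;
    requestData->user = NULL;
    requestData->realm = NULL;

    /* strip the newline left by fgets() */
    if ((nl = strchr(buf, '\n')) != NULL)
        *nl = '\0';

    requestData->user = strtok(buf, "\"");
    if (requestData->user == NULL)
        return;

    /* separator between the two quoted fields: not part of either */
    sep = strtok(NULL, "\"");
    if (sep == NULL)
        return;

    requestData->realm = strtok(NULL, "\"");
    if (requestData->realm == NULL)
        return;

    requestData->parsed = -1;
}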
61 | ||
/*
 * OutputHHA1: reply to one successfully parsed request.
 *
 * Clears requestData->error, runs the backend lookup, and then writes
 * either requestData->HHA1 followed by a newline (the reply squid reads
 * back) or, when the backend flagged an error, the SEND_ERR reply.
 */
static void
OutputHHA1(RequestData *requestData)
{
    requestData->error = 0;
    GetHHA1(requestData);
    if (!requestData->error) {
        printf("%s\n", requestData->HHA1);
        return;
    }
    SEND_ERR("No such user");
}
73 | ||
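/*
 * DoOneRequest: handle one line read from squid.
 *
 * buf is parsed in place by ParseBuffer(). A line it cannot parse gets
 * an empty SEND_ERR reply; otherwise OutputHHA1() writes the result.
 */
static void
DoOneRequest(char *buf)
{
    /*
     * Zero-initialise: ParseBuffer() only sets parsed/user/realm and
     * returns early on malformed input, so without this the remaining
     * fields (HHA1, error) would be indeterminate.
     */
    RequestData requestData = {0};

    ParseBuffer(buf, &requestData);
    if (!requestData.parsed) {
        SEND_ERR("");
        return;
    }
    OutputHHA1(&requestData);
}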
85 | ||
/*
 * ProcessArguments: hand the command line to the LDAP backend.
 *
 * LDAPArguments() (ldap_backend.h) returns 0 when it accepted the
 * options; any other value is fatal and becomes the process exit status.
 */
static void
ProcessArguments(int argc, char **argv)
{
    int status = LDAPArguments(argc, argv);

    if (status != 0)
        exit(status);
}
94 | ||
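/*
 * DrainLine: consume input up to and including the next newline (or
 * EOF). Returns non-zero if any character other than that newline was
 * thrown away -- i.e. the line was genuinely longer than the caller's
 * buffer -- and zero if only the newline (or nothing, at EOF) remained.
 */
static int
DrainLine(FILE *in)
{
    int c;
    int discarded = 0;

    while ((c = getc(in)) != EOF && c != '\n')
        discarded = 1;
    return discarded;
}

/*
 * main: the squid helper loop -- one request line in, exactly one reply
 * out.
 *
 * stdout is unbuffered so each reply reaches squid as soon as it is
 * written. A line longer than the input buffer is rejected as a whole:
 * previously fgets() returned it in pieces and each piece went to
 * DoOneRequest(), producing several replies for one request and
 * desynchronising the helper protocol. A last line that merely lacks a
 * trailing newline is still processed normally.
 */
int
main(int argc, char **argv)
{
    char buf[HELPER_INPUT_BUFFER];

    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);
    while (fgets(buf, sizeof buf, stdin) != NULL) {
        if (strchr(buf, '\n') == NULL && DrainLine(stdin)) {
            SEND_ERR("Request line too long");
            continue;
        }
        DoOneRequest(buf);
    }
    return 0;
}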