[thirdparty/squid.git] / helpers / digest_auth / file / digest_file_auth.cc

/*
 * digest_file_auth.cc
 *
 * AUTHOR: Robert Collins.
 *
 * Based on ncsa_auth.c by Arjan de Vet <Arjan.deVet@adv.iae.nl>
 *
 * LDAP backend extension by Flavio Pescuma,
 * MARA Systems AB <flavio@marasystems.com>
 *
 * Example digest authentication program for Squid, based on the original
 * proxy_auth code from client_side.c, written by
 * Jon Thackray <jrmt@uk.gdscorp.com>.
 *
 * - comment lines are possible and should start with a '#';
 * - empty or blank lines are possible;
 * - file format is username:password
 *
 * To build a directory integrated backend, you need to be able to
 * calculate the HA1 returned to squid. To avoid storing a plaintext
 * password you can calculate MD5(username:realm:password) when the
 * user changes their password, and store the tuple username:realm:HA1.
 * then find the matching username:realm when squid asks for the
 * HA1.
 *
 * This implementation could be improved by using such a triple for
 * the file format.  However storing such a triple does little to
 * improve security: If compromised the username:realm:HA1 combination
 * is "plaintext equivalent" - for the purposes of digest authentication
 * they allow the user access. Password syncronisation is not tackled
 * by digest - just preventing on the wire compromise.
 *
 * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
 */

#include "squid.h"
#include "digest_common.h"
#include "helpers/defines.h"
#include "text_backend.h"

#define PROGRAM_NAME "digest_file_auth"

static void
GetHHA1(RequestData * requestData)
{
    TextHHA1(requestData);
}

static void
ParseBuffer(char *buf, RequestData * requestData)
{
    char *p;
    requestData->parsed = 0;
    if ((p = strchr(buf, '\n')) != NULL)
        *p = '\0';		/* strip \n */
    if ((requestData->user = strtok(buf, "\"")) == NULL)
        return;
    if ((requestData->realm = strtok(NULL, "\"")) == NULL)
        return;
    if ((requestData->realm = strtok(NULL, "\"")) == NULL)
        return;
    requestData->parsed = -1;
}

static void
OutputHHA1(RequestData * requestData)
{
    requestData->error = 0;
    GetHHA1(requestData);
    if (requestData->error) {
        SEND_ERR("No such user");
        return;
    }
    printf("%s\n", requestData->HHA1);
}

static void
DoOneRequest(char *buf)
{
    RequestData requestData;
    ParseBuffer(buf, &requestData);
    if (!requestData.parsed) {
        SEND_ERR("");
        return;
    }
    OutputHHA1(&requestData);
}

static void
ProcessArguments(int argc, char **argv)
{
    TextArguments(argc, argv);
}

int
main(int argc, char **argv)
{
    char buf[HELPER_INPUT_BUFFER];
    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);
    while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL)
        DoOneRequest(buf);
    return 0;
}
Commit	Line	Data
2d70df72	1	/*
54e8823b	2	* digest_file_auth.cc
2d70df72	3	*
c152a447 AJ	4	* AUTHOR: Robert Collins.
	5	*
	6	* Based on ncsa_auth.c by Arjan de Vet <Arjan.deVet@adv.iae.nl>
68d57793	7	*
c152a447 AJ	8	* LDAP backend extension by Flavio Pescuma,
c152a447 AJ	9	* MARA Systems AB <flavio@marasystems.com>
2d70df72	10	*
	11	* Example digest authentication program for Squid, based on the original
	12	* proxy_auth code from client_side.c, written by
	13	* Jon Thackray <jrmt@uk.gdscorp.com>.
	14	*
	15	* - comment lines are possible and should start with a '#';
	16	* - empty or blank lines are possible;
	17	* - file format is username:password
26ac0430	18	*
548adcc8	19	* To build a directory integrated backend, you need to be able to
2d70df72	20	* calculate the HA1 returned to squid. To avoid storing a plaintext
548adcc8	21	* password you can calculate MD5(username:realm:password) when the
	22	* user changes their password, and store the tuple username:realm:HA1.
	23	* then find the matching username:realm when squid asks for the
	24	* HA1.
2d70df72	25	*
548adcc8	26	* This implementation could be improved by using such a triple for
	27	* the file format. However storing such a triple does little to
	28	* improve security: If compromised the username:realm:HA1 combination
	29	* is "plaintext equivalent" - for the purposes of digest authentication
	30	* they allow the user access. Password syncronisation is not tackled
	31	* by digest - just preventing on the wire compromise.
2d70df72	32	*
0ff1980a	33	* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
2d70df72	34	*/
2d70df72	35
f7f3304a	36	#include "squid.h"
0ff1980a	37	#include "digest_common.h"
c152a447	38	#include "helpers/defines.h"
b9e9de8a	39	#include "text_backend.h"
54e8823b AJ	40
54e8823b AJ	41	#define PROGRAM_NAME "digest_file_auth"
ca6965d0	42
e9505fad	43	static void
ca6965d0	44	GetHHA1(RequestData * requestData)
ca6965d0	45	{
b9e9de8a	46	TextHHA1(requestData);
ca6965d0	47	}
2d70df72	48
2d70df72	49	static void
ca6965d0	50	ParseBuffer(char buf, RequestData requestData)
2d70df72	51	{
0ff1980a	52	char *p;
	53	requestData->parsed = 0;
	54	if ((p = strchr(buf, '\n')) != NULL)
26ac0430	55	p = '\0'; / strip \n */
0ff1980a	56	if ((requestData->user = strtok(buf, "\"")) == NULL)
26ac0430	57	return;
0ff1980a	58	if ((requestData->realm = strtok(NULL, "\"")) == NULL)
26ac0430	59	return;
0ff1980a	60	if ((requestData->realm = strtok(NULL, "\"")) == NULL)
26ac0430	61	return;
0ff1980a	62	requestData->parsed = -1;
2d70df72	63	}
	64
	65	static void
ca6965d0	66	OutputHHA1(RequestData * requestData)
2d70df72	67	{
0ff1980a	68	requestData->error = 0;
0ff1980a	69	GetHHA1(requestData);
ca6965d0	70	if (requestData->error) {
c152a447	71	SEND_ERR("No such user");
26ac0430	72	return;
2d70df72	73	}
0ff1980a	74	printf("%s\n", requestData->HHA1);
	75	}
	76
	77	static void
	78	DoOneRequest(char *buf)
	79	{
	80	RequestData requestData;
ca6965d0	81	ParseBuffer(buf, &requestData);
0ff1980a	82	if (!requestData.parsed) {
c152a447	83	SEND_ERR("");
26ac0430	84	return;
2d70df72	85	}
0ff1980a	86	OutputHHA1(&requestData);
2d70df72	87	}
2d70df72	88
e9505fad	89	static void
ca6965d0	90	ProcessArguments(int argc, char **argv)
ca6965d0	91	{
7ed0602b	92	TextArguments(argc, argv);
ca6965d0	93	}
ca6965d0	94
2d70df72	95	int
	96	main(int argc, char **argv)
	97	{
c152a447	98	char buf[HELPER_INPUT_BUFFER];
2d70df72	99	setbuf(stdout, NULL);
ca6965d0	100	ProcessArguments(argc, argv);
c152a447	101	while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL)
26ac0430	102	DoOneRequest(buf);
54e8823b	103	return 0;
2d70df72	104	}