]>
Commit | Line | Data |
---|---|---|
94439e4e | 1 | |
2 | /* | |
5dae8514 | 3 | * $Id: auth_ntlm.cc,v 1.4 2001/01/11 00:01:54 hno Exp $ |
94439e4e | 4 | * |
5 | * DEBUG: section 29 NTLM Authenticator | |
6 | * AUTHOR: Robert Collins | |
7 | * | |
8 | * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ | |
9 | * ---------------------------------------------------------- | |
10 | * | |
11 | * Squid is the result of efforts by numerous individuals from the | |
12 | * Internet community. Development is led by Duane Wessels of the | |
13 | * National Laboratory for Applied Network Research and funded by the | |
14 | * National Science Foundation. Squid is Copyrighted (C) 1998 by | |
15 | * the Regents of the University of California. Please see the | |
16 | * COPYRIGHT file for full details. Squid incorporates software | |
17 | * developed and/or copyrighted by other sources. Please see the | |
18 | * CREDITS file for full details. | |
19 | * | |
20 | * This program is free software; you can redistribute it and/or modify | |
21 | * it under the terms of the GNU General Public License as published by | |
22 | * the Free Software Foundation; either version 2 of the License, or | |
23 | * (at your option) any later version. | |
24 | * | |
25 | * This program is distributed in the hope that it will be useful, | |
26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
28 | * GNU General Public License for more details. | |
29 | * | |
30 | * You should have received a copy of the GNU General Public License | |
31 | * along with this program; if not, write to the Free Software | |
32 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
33 | * | |
34 | */ | |
35 | ||
36 | /* The functions in this file handle authentication. | |
37 | * They DO NOT perform access control or auditing. | |
38 | * See acl.c for access control and client_side.c for auditing */ | |
39 | ||
40 | ||
41 | #include "squid.h" | |
42 | #include "auth_ntlm.h" | |
43 | ||
44 | static void | |
45 | authenticateStateFree(authenticateStateData * r) | |
46 | { | |
47 | cbdataFree(r); | |
48 | } | |
49 | ||
50 | /* NTLM Scheme */ | |
51 | static HLPSCB authenticateNTLMHandleReply; | |
52 | static HLPSCB authenticateNTLMHandleplaceholder; | |
53 | static AUTHSACTIVE authenticateNTLMActive; | |
54 | static AUTHSAUTHED authNTLMAuthenticated; | |
55 | static AUTHSAUTHUSER authenticateNTLMAuthenticateUser; | |
56 | static AUTHSFIXERR authenticateNTLMFixErrorHeader; | |
57 | static AUTHSFREE authenticateNTLMFreeUser; | |
58 | static AUTHSDIRECTION authenticateNTLMDirection; | |
59 | static AUTHSDECODE authenticateDecodeNTLMAuth; | |
60 | static AUTHSDUMP authNTLMCfgDump; | |
61 | static AUTHSFREECONFIG authNTLMFreeConfig; | |
62 | static AUTHSINIT authNTLMInit; | |
63 | static AUTHSONCLOSEC authenticateNTLMOnCloseConnection; | |
64 | static AUTHSUSERNAME authenticateNTLMUsername; | |
65 | static AUTHSREQFREE authNTLMAURequestFree; | |
66 | static AUTHSPARSE authNTLMParse; | |
67 | static AUTHSSTART authenticateNTLMStart; | |
68 | static AUTHSSTATS authenticateNTLMStats; | |
69 | static AUTHSSHUTDOWN authNTLMDone; | |
70 | ||
71 | /* helper callbacks to handle per server state data */ | |
72 | static HLPSAVAIL authenticateNTLMHelperServerAvailable; | |
73 | static HLPSONEQ authenticateNTLMHelperServerOnEmpty; | |
74 | ||
75 | static statefulhelper *ntlmauthenticators = NULL; | |
76 | ||
77 | CBDATA_TYPE(authenticateStateData); | |
78 | ||
79 | static int authntlm_initialised = 0; | |
80 | ||
81 | MemPool *ntlm_helper_state_pool = NULL; | |
82 | MemPool *ntlm_user_pool = NULL; | |
83 | MemPool *ntlm_request_pool = NULL; | |
84 | static auth_ntlm_config *ntlmConfig = NULL; | |
85 | ||
86 | static hash_table *proxy_auth_cache = NULL; | |
87 | ||
88 | /* | |
89 | * | |
90 | * Private Functions | |
91 | * | |
92 | */ | |
93 | ||
94 | void | |
95 | authNTLMDone(void) | |
96 | { | |
94439e4e | 97 | if (ntlmauthenticators) |
98 | helperStatefulShutdown(ntlmauthenticators); | |
99 | authntlm_initialised = 0; | |
100 | if (!shutting_down) | |
101 | return; | |
5dae8514 | 102 | if (ntlmauthenticators) |
103 | helperStatefulFree(ntlmauthenticators); | |
94439e4e | 104 | ntlmauthenticators = NULL; |
5dae8514 | 105 | if (ntlm_helper_state_pool) { |
106 | assert(memPoolInUseCount(ntlm_helper_state_pool) == 0); | |
107 | memPoolDestroy(ntlm_helper_state_pool); | |
108 | ntlm_helper_state_pool = NULL; | |
109 | } | |
110 | if (ntlm_request_pool) { | |
111 | assert(memPoolInUseCount(ntlm_request_pool) == 0); | |
112 | memPoolDestroy(ntlm_request_pool); | |
113 | ntlm_request_pool = NULL; | |
114 | } | |
115 | if (ntlm_user_pool) { | |
116 | assert(memPoolInUseCount(ntlm_user_pool) == 0); | |
117 | memPoolDestroy(ntlm_user_pool); | |
118 | ntlm_user_pool = NULL; | |
119 | } | |
120 | debug(29, 2) ("authNTLMDone: NTLM authentication Shutdown.\n"); | |
94439e4e | 121 | } |
122 | ||
123 | /* free any allocated configuration details */ | |
124 | void | |
125 | authNTLMFreeConfig(authScheme * scheme) | |
126 | { | |
127 | if (ntlmConfig == NULL) | |
128 | return; | |
129 | assert(ntlmConfig == scheme->scheme_data); | |
130 | if (ntlmConfig->authenticate) | |
131 | wordlistDestroy(&ntlmConfig->authenticate); | |
132 | xfree(ntlmConfig); | |
133 | ntlmConfig = NULL; | |
134 | } | |
135 | ||
136 | static void | |
137 | authNTLMCfgDump(StoreEntry * entry, const char *name, authScheme * scheme) | |
138 | { | |
139 | auth_ntlm_config *config = scheme->scheme_data; | |
140 | wordlist *list = config->authenticate; | |
141 | storeAppendPrintf(entry, "%s %s", name, "ntlm"); | |
142 | while (list != NULL) { | |
143 | storeAppendPrintf(entry, " %s", list->key); | |
144 | list = list->next; | |
145 | } | |
146 | storeAppendPrintf(entry, "\n%s %s children %d\n%s %s max_challenge_reuses %d\n%s %s max_challenge_lifetime %d seconds\n", | |
147 | name, "ntlm", config->authenticateChildren, | |
148 | name, "ntlm", config->challengeuses, | |
149 | name, "ntlm", config->challengelifetime); | |
150 | ||
151 | } | |
152 | ||
153 | static void | |
154 | authNTLMParse(authScheme * scheme, int n_configured, char *param_str) | |
155 | { | |
156 | if (scheme->scheme_data == NULL) { | |
157 | assert(ntlmConfig == NULL); | |
158 | /* this is the first param to be found */ | |
159 | scheme->scheme_data = xmalloc(sizeof(auth_ntlm_config)); | |
160 | memset(scheme->scheme_data, 0, sizeof(auth_ntlm_config)); | |
161 | ntlmConfig = scheme->scheme_data; | |
162 | ntlmConfig->authenticateChildren = 5; | |
163 | ntlmConfig->challengeuses = 0; | |
164 | ntlmConfig->challengelifetime = 60; | |
165 | } | |
166 | ntlmConfig = scheme->scheme_data; | |
167 | if (strcasecmp(param_str, "program") == 0) { | |
168 | parse_wordlist(&ntlmConfig->authenticate); | |
169 | requirePathnameExists("authparam ntlm program", ntlmConfig->authenticate->key); | |
170 | } else if (strcasecmp(param_str, "children") == 0) { | |
171 | parse_int(&ntlmConfig->authenticateChildren); | |
172 | } else if (strcasecmp(param_str, "max_challenge_reuses") == 0) { | |
173 | parse_int(&ntlmConfig->challengeuses); | |
174 | } else if (strcasecmp(param_str, "max_challenge_lifetime") == 0) { | |
175 | parse_time_t(&ntlmConfig->challengelifetime); | |
176 | } else { | |
177 | debug(28, 0) ("unrecognised ntlm auth scheme parameter '%s'\n", param_str); | |
178 | } | |
179 | } | |
180 | ||
181 | ||
182 | void | |
183 | authSchemeSetup_ntlm(authscheme_entry_t * authscheme) | |
184 | { | |
94439e4e | 185 | assert(!authntlm_initialised); |
186 | authscheme->Active = authenticateNTLMActive; | |
187 | authscheme->parse = authNTLMParse; | |
188 | authscheme->dump = authNTLMCfgDump; | |
189 | authscheme->requestFree = authNTLMAURequestFree; | |
190 | authscheme->freeconfig = authNTLMFreeConfig; | |
191 | authscheme->init = authNTLMInit; | |
192 | authscheme->authAuthenticate = authenticateNTLMAuthenticateUser; | |
193 | authscheme->authenticated = authNTLMAuthenticated; | |
194 | authscheme->authFixHeader = authenticateNTLMFixErrorHeader; | |
195 | authscheme->FreeUser = authenticateNTLMFreeUser; | |
196 | authscheme->authStart = authenticateNTLMStart; | |
197 | authscheme->authStats = authenticateNTLMStats; | |
198 | authscheme->authUserUsername = authenticateNTLMUsername; | |
199 | authscheme->getdirection = authenticateNTLMDirection; | |
200 | authscheme->decodeauth = authenticateDecodeNTLMAuth; | |
201 | authscheme->donefunc = authNTLMDone; | |
202 | authscheme->oncloseconnection = authenticateNTLMOnCloseConnection; | |
203 | } | |
204 | ||
205 | /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the | |
206 | * config file */ | |
207 | static void | |
208 | authNTLMInit(authScheme * scheme) | |
209 | { | |
210 | static int ntlminit = 0; | |
211 | if (ntlmConfig->authenticate) { | |
212 | if (!ntlm_helper_state_pool) | |
213 | ntlm_helper_state_pool = memPoolCreate("NTLM Helper State data", sizeof(ntlm_helper_state_t)); | |
214 | if (!ntlm_user_pool) | |
215 | ntlm_user_pool = memPoolCreate("NTLM Scheme User Data", sizeof(ntlm_user_t)); | |
216 | if (!ntlm_request_pool) | |
217 | ntlm_request_pool = memPoolCreate("NTLM Scheme Request Data", sizeof(ntlm_request_t)); | |
218 | authntlm_initialised = 1; | |
219 | if (ntlmauthenticators == NULL) | |
220 | ntlmauthenticators = helperStatefulCreate("ntlmauthenticator"); | |
221 | if (!proxy_auth_cache) | |
222 | proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); | |
223 | assert(proxy_auth_cache); | |
224 | ntlmauthenticators->cmdline = ntlmConfig->authenticate; | |
225 | ntlmauthenticators->n_to_start = ntlmConfig->authenticateChildren; | |
226 | ntlmauthenticators->ipc_type = IPC_TCP_SOCKET; | |
227 | ntlmauthenticators->datapool = ntlm_helper_state_pool; | |
228 | ntlmauthenticators->IsAvailable = authenticateNTLMHelperServerAvailable; | |
229 | ntlmauthenticators->OnEmptyQueue = authenticateNTLMHelperServerOnEmpty; | |
230 | helperStatefulOpenServers(ntlmauthenticators); | |
231 | /* TODO: In here send the initial YR to preinitialise the challenge cache */ | |
232 | /* Think about this... currently we ask when the challenge is needed. Better? */ | |
233 | if (!ntlminit) { | |
234 | cachemgrRegister("ntlmauthenticator", | |
235 | "User NTLM Authenticator Stats", | |
236 | authenticateNTLMStats, 0, 1); | |
237 | ntlminit++; | |
238 | } | |
239 | CBDATA_INIT_TYPE(authenticateStateData); | |
240 | } | |
241 | } | |
242 | ||
243 | int | |
244 | authenticateNTLMActive() | |
245 | { | |
912b43b8 | 246 | if ((ntlmConfig != NULL) && (ntlmConfig->authenticate != NULL) && |
5dae8514 | 247 | (ntlmConfig->authenticateChildren != 0) && (ntlmConfig->challengeuses > -1) |
248 | && (ntlmConfig->challengelifetime > -1)) | |
249 | return 1; | |
912b43b8 | 250 | return 0; |
94439e4e | 251 | } |
252 | ||
253 | /* NTLM Scheme */ | |
254 | ||
255 | int | |
256 | authenticateNTLMDirection(auth_user_request_t * auth_user_request) | |
257 | { | |
258 | ntlm_request_t *ntlm_request = auth_user_request->scheme_data; | |
259 | /* null auth_user is checked for by authenticateDirection */ | |
260 | switch (ntlm_request->auth_state) { | |
261 | case AUTHENTICATE_STATE_NONE: /* no progress at all. */ | |
262 | debug(28, 1) ("authenticateNTLMDirection: called before NTLM Authenticate!. Report a bug to squid-dev.\n"); | |
263 | return -2; | |
264 | case AUTHENTICATE_STATE_NEGOTIATE: /* send to helper */ | |
265 | case AUTHENTICATE_STATE_RESPONSE: /*send to helper */ | |
266 | return -1; | |
267 | case AUTHENTICATE_STATE_CHALLENGE: /* send to client */ | |
268 | return 1; | |
269 | case AUTHENTICATE_STATE_DONE: /* do nothing.. */ | |
270 | return 0; | |
271 | } | |
272 | return -2; | |
273 | } | |
274 | ||
275 | /* | |
276 | * Send the authenticate error header(s). Note: IE has a bug and the NTLM header | |
277 | * must be first. To ensure that, the configure use --enable-auth=ntlm, anything | |
278 | * else. | |
279 | */ | |
280 | void | |
281 | authenticateNTLMFixErrorHeader(auth_user_request_t * auth_user_request, HttpReply * rep, http_hdr_type type, request_t * request) | |
282 | { | |
283 | ntlm_request_t *ntlm_request; | |
284 | if (ntlmConfig->authenticate) { | |
285 | /* New request, no user details */ | |
286 | if (auth_user_request == NULL) { | |
287 | debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM'\n", type); | |
288 | httpHeaderPutStrf(&rep->header, type, "NTLM"); | |
289 | /* drop the connection */ | |
290 | httpHeaderDelByName(&rep->header, "keep-alive"); | |
291 | /* NTLM has problems if the initial connection is not dropped | |
292 | * I haven't checked the RFC compliance of this hack - RBCollins */ | |
293 | request->flags.proxy_keepalive = 0; | |
294 | } else { | |
295 | ntlm_request = auth_user_request->scheme_data; | |
296 | switch (ntlm_request->auth_state) { | |
297 | case AUTHENTICATE_STATE_NONE: | |
298 | debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM'\n", type); | |
299 | httpHeaderPutStrf(&rep->header, type, "NTLM"); | |
300 | /* drop the connection */ | |
301 | httpHeaderDelByName(&rep->header, "keep-alive"); | |
302 | /* NTLM has problems if the initial connection is not dropped | |
303 | * I haven't checked the RFC compliance of this hack - RBCollins */ | |
304 | request->flags.proxy_keepalive = 0; | |
305 | break; | |
306 | case AUTHENTICATE_STATE_CHALLENGE: | |
307 | /* we are 'waiting' for a response */ | |
308 | /* pass the challenge to the client */ | |
309 | debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM %s'\n", type, ntlm_request->authchallenge); | |
310 | httpHeaderPutStrf(&rep->header, type, "NTLM %s", ntlm_request->authchallenge); | |
311 | break; | |
312 | default: | |
313 | debug(29, 0) ("authenticateNTLMFixErrorHeader: state %d.\n", ntlm_request->auth_state); | |
314 | fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n"); | |
315 | } | |
316 | } | |
317 | } | |
318 | } | |
319 | ||
320 | void | |
321 | authNTLMRequestFree(ntlm_request_t * ntlm_request) | |
322 | { | |
323 | if (!ntlm_request) | |
324 | return; | |
325 | if (ntlm_request->ntlmnegotiate) | |
326 | xfree(ntlm_request->ntlmnegotiate); | |
327 | if (ntlm_request->authchallenge) | |
328 | xfree(ntlm_request->authchallenge); | |
329 | if (ntlm_request->ntlmauthenticate) | |
330 | xfree(ntlm_request->ntlmauthenticate); | |
331 | memPoolFree(ntlm_request_pool, ntlm_request); | |
332 | } | |
333 | ||
334 | void | |
335 | authNTLMAURequestFree(auth_user_request_t * auth_user_request) | |
336 | { | |
337 | if (auth_user_request->scheme_data) | |
338 | authNTLMRequestFree((ntlm_request_t *) auth_user_request->scheme_data); | |
339 | auth_user_request->scheme_data = NULL; | |
340 | } | |
341 | ||
342 | void | |
343 | authenticateNTLMFreeUser(auth_user_t * auth_user) | |
344 | { | |
345 | dlink_node *link, *tmplink; | |
346 | ntlm_user_t *ntlm_user = auth_user->scheme_data; | |
347 | auth_user_hash_pointer *proxy_auth_hash; | |
348 | ||
349 | debug(29, 5) ("authenticateNTLMFreeUser: Clearing NTLM scheme data\n"); | |
350 | if (ntlm_user->username) | |
351 | xfree(ntlm_user->username); | |
352 | /* were they linked in by one or more proxy-authenticate headers */ | |
353 | link = ntlm_user->proxy_auth_list.head; | |
354 | while (link) { | |
355 | debug(29, 9) ("authenticateFreeProxyAuthUser: removing proxy_auth hash entry '%d'\n", link->data); | |
356 | proxy_auth_hash = link->data; | |
357 | tmplink = link; | |
358 | link = link->next; | |
359 | dlinkDelete(tmplink, &ntlm_user->proxy_auth_list); | |
360 | hash_remove_link(proxy_auth_cache, (hash_link *) proxy_auth_hash); | |
361 | /* free the key (usually the proxy_auth header) */ | |
362 | xfree(proxy_auth_hash->key); | |
363 | memFree(proxy_auth_hash, MEM_AUTH_USER_HASH); | |
364 | } | |
365 | memPoolFree(ntlm_user_pool, ntlm_user); | |
366 | auth_user->scheme_data = NULL; | |
367 | } | |
368 | ||
369 | static stateful_helper_callback_t | |
370 | authenticateNTLMHandleplaceholder(void *data, void *lastserver, char *reply) | |
371 | { | |
372 | authenticateStateData *r = data; | |
373 | stateful_helper_callback_t result = S_HELPER_UNKNOWN; | |
374 | int valid; | |
375 | /* we should only be called for placeholder requests - which have no reply string */ | |
376 | assert(reply == NULL); | |
377 | assert(r->auth_user_request); | |
378 | /* standard callback stuff */ | |
379 | valid = cbdataValid(r->data); | |
94439e4e | 380 | /* call authenticateNTLMStart to retry this request */ |
381 | debug(29, 9) ("authenticateNTLMHandleplaceholder: calling authenticateNTLMStart\n"); | |
382 | authenticateNTLMStart(r->auth_user_request, r->handler, r->data); | |
5dae8514 | 383 | cbdataUnlock(r->data); |
94439e4e | 384 | authenticateStateFree(r); |
385 | return result; | |
386 | } | |
387 | ||
388 | static stateful_helper_callback_t | |
389 | authenticateNTLMHandleReply(void *data, void *lastserver, char *reply) | |
390 | { | |
94439e4e | 391 | authenticateStateData *r = data; |
392 | ntlm_helper_state_t *helperstate; | |
393 | int valid; | |
394 | stateful_helper_callback_t result = S_HELPER_UNKNOWN; | |
94439e4e | 395 | char *t = NULL; |
396 | auth_user_request_t *auth_user_request; | |
397 | auth_user_t *auth_user; | |
398 | ntlm_user_t *ntlm_user; | |
399 | ntlm_request_t *ntlm_request; | |
400 | debug(29, 9) ("authenticateNTLMHandleReply: Helper: '%d' {%s}\n", lastserver, reply ? reply : "<NULL>"); | |
401 | valid = cbdataValid(r->data); | |
94439e4e | 402 | if (valid) { |
403 | if (reply) { | |
404 | /* seperate out the useful data */ | |
405 | if (strncasecmp(reply, "TT ", 3) == 0) { | |
406 | reply += 3; | |
407 | /* we have been given a Challenge */ | |
408 | /* we should check we weren't given an empty challenge */ | |
94439e4e | 409 | /* copy the challenge to the state data */ |
410 | helperstate = helperStatefulServerGetData(lastserver); | |
411 | if (helperstate == NULL) | |
412 | fatal("lost NTLm helper state! quitting\n"); | |
413 | helperstate->challenge = xstrndup(reply, NTLM_CHALLENGE_SZ + 5); | |
414 | helperstate->challengeuses = 0; | |
415 | helperstate->renewed = squid_curtime; | |
416 | /* and we satisfy the request that happended on the refresh boundary */ | |
417 | /* note this code is now in two places FIXME */ | |
418 | assert(r->auth_user_request != NULL); | |
419 | assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM); | |
420 | auth_user_request = r->auth_user_request; | |
421 | ntlm_request = auth_user_request->scheme_data; | |
422 | assert(ntlm_request != NULL); | |
423 | result = S_HELPER_DEFER; | |
94439e4e | 424 | debug(29, 9) ("authenticateNTLMHandleReply: helper '%d'\n", lastserver); |
425 | assert(ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE); | |
94439e4e | 426 | ntlm_request->authhelper = lastserver; |
427 | ntlm_request->authchallenge = xstrndup(reply, NTLM_CHALLENGE_SZ + 5); | |
428 | } else if (strncasecmp(reply, "AF ", 3) == 0) { | |
429 | /* we're finished, release the helper */ | |
430 | reply += 3; | |
431 | assert(r->auth_user_request != NULL); | |
432 | assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM); | |
433 | auth_user_request = r->auth_user_request; | |
434 | assert(auth_user_request->scheme_data != NULL); | |
435 | ntlm_request = auth_user_request->scheme_data; | |
436 | auth_user = auth_user_request->auth_user; | |
437 | ntlm_user = auth_user_request->auth_user->scheme_data; | |
438 | assert(ntlm_user != NULL); | |
439 | result = S_HELPER_RELEASE; | |
440 | /* we only expect OK when finishing the handshake */ | |
441 | assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE); | |
442 | ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); | |
443 | ntlm_request->authhelper = NULL; | |
444 | auth_user->flags.credentials_ok = 1; /* login ok */ | |
445 | } else if (strncasecmp(reply, "NA ", 3) == 0) { | |
446 | /* TODO: only work with auth_user here if it exists */ | |
447 | assert(r->auth_user_request != NULL); | |
448 | assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM); | |
449 | auth_user_request = r->auth_user_request; | |
450 | auth_user = auth_user_request->auth_user; | |
451 | assert(auth_user != NULL); | |
452 | ntlm_user = auth_user->scheme_data; | |
453 | ntlm_request = auth_user_request->scheme_data; | |
454 | assert((ntlm_user != NULL) && (ntlm_request != NULL)); | |
455 | /* todo: action of Negotiate state on error */ | |
456 | result = S_HELPER_RELEASE; /*some error has occured. no more requests */ | |
457 | ntlm_request->authhelper = NULL; | |
458 | auth_user->flags.credentials_ok = 2; /* Login/Usercode failed */ | |
459 | debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM.\n"); | |
460 | ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; | |
461 | if ((t = strchr(reply, ' '))) /* strip after a space */ | |
462 | *t = '\0'; | |
463 | } else if (strncasecmp(reply, "BH ", 3) == 0) { | |
464 | /* TODO kick off a refresh process. This can occur after a YR or after | |
465 | * a KK. If after a YR release the helper and resubmit the request via | |
466 | * Authenticate NTLM start. | |
467 | * If after a KK deny the user's request w/ 407 and mark the helper as | |
468 | * Needing YR. */ | |
469 | assert(r->auth_user_request != NULL); | |
470 | assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM); | |
471 | auth_user_request = r->auth_user_request; | |
472 | auth_user = auth_user_request->auth_user; | |
473 | assert(auth_user != NULL); | |
474 | ntlm_user = auth_user->scheme_data; | |
475 | ntlm_request = auth_user_request->scheme_data; | |
476 | assert((ntlm_user != NULL) && (ntlm_request != NULL)); | |
477 | result = S_HELPER_RELEASE; /*some error has occured. no more requests for | |
478 | * this helper */ | |
479 | helperstate = helperStatefulServerGetData(ntlm_request->authhelper); | |
480 | ntlm_request->authhelper = NULL; | |
481 | if (ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE) { | |
482 | /* The helper broke on YR. It automatically | |
483 | * resets */ | |
484 | auth_user->flags.credentials_ok = 3; /* cannot process */ | |
485 | debug(29, 1) ("authenticateNTLMHandleReply: Error obtaining challenge from helper: %d.\n", lastserver); | |
486 | /* mark it for starving */ | |
487 | helperstate->starve = 1; | |
488 | /* resubmit the request. This helper is currently busy, so we will get | |
489 | * a different one. */ | |
490 | authenticateNTLMStart(auth_user_request, r->handler, r->data); | |
491 | } else { | |
492 | /* the helper broke on a KK */ | |
493 | /* first the standard KK stuff */ | |
494 | auth_user->flags.credentials_ok = 2; /* Login/Usercode failed */ | |
495 | debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM.\n"); | |
496 | ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; | |
497 | if ((t = strchr(reply, ' '))) /* strip after a space */ | |
498 | *t = '\0'; | |
499 | /* now we mark the helper for resetting. */ | |
500 | helperstate->starve = 1; | |
501 | } | |
502 | ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; | |
503 | } else { | |
504 | /* TODO: only work with auth_user here if it exists */ | |
505 | assert(r->auth_user_request != NULL); | |
506 | assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM); | |
507 | auth_user_request = r->auth_user_request; | |
508 | auth_user = auth_user_request->auth_user; | |
509 | assert(auth_user != NULL); | |
510 | ntlm_user = auth_user->scheme_data; | |
511 | ntlm_request = auth_user_request->scheme_data; | |
512 | assert((ntlm_user != NULL) && (ntlm_request != NULL)); | |
513 | debug(29, 1) ("authenticateNTLMHandleReply: Unsupported helper response, '%s'\n", reply); | |
514 | /* restart the authentication process */ | |
515 | ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; | |
516 | auth_user->flags.credentials_ok = 3; /* cannot process */ | |
517 | ntlm_request->authhelper = NULL; | |
518 | } | |
519 | } else { | |
520 | fatal("authenticateNTLMHandleReply: called with no result string\n"); | |
521 | } | |
522 | r->handler(r->data, NULL); | |
523 | } else { | |
524 | debug(29, 1) ("AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '%d'.\n", lastserver); | |
525 | result = S_HELPER_RELEASE; | |
526 | } | |
5dae8514 | 527 | cbdataUnlock(r->data); |
94439e4e | 528 | authenticateStateFree(r); |
529 | debug(29, 9) ("NTLM HandleReply, telling stateful helper : %d\n", result); | |
530 | return result; | |
531 | } | |
532 | ||
94439e4e | 533 | static void |
534 | authenticateNTLMStats(StoreEntry * sentry) | |
535 | { | |
536 | storeAppendPrintf(sentry, "NTLM Authenticator Statistics:\n"); | |
537 | helperStatefulStats(sentry, ntlmauthenticators); | |
538 | } | |
539 | ||
540 | /* is a particular challenge still valid ? */ | |
541 | int | |
542 | authenticateNTLMValidChallenge(ntlm_helper_state_t * helperstate) | |
543 | { | |
544 | if (helperstate->challenge == NULL) | |
545 | return 0; | |
546 | return 1; | |
547 | } | |
548 | ||
549 | /* does our policy call for changing the challenge now? */ | |
550 | int | |
551 | authenticateNTLMChangeChallenge(ntlm_helper_state_t * helperstate) | |
552 | { | |
553 | /* don't check for invalid challenges just for expiry choices */ | |
554 | /* this is needed because we have to starve the helper until all old | |
555 | * requests have been satisfied */ | |
556 | if (helperstate->challengeuses > ntlmConfig->challengeuses) | |
557 | return 1; | |
558 | if (helperstate->renewed + ntlmConfig->challengelifetime >= squid_curtime) | |
559 | return 1; | |
560 | return 0; | |
561 | } | |
562 | ||
563 | /* send the initial data to a stateful ntlm authenticator module */ | |
564 | static void | |
565 | authenticateNTLMStart(auth_user_request_t * auth_user_request, RH * handler, void *data) | |
566 | { | |
94439e4e | 567 | authenticateStateData *r = NULL; |
568 | helper_stateful_server *server; | |
569 | ntlm_helper_state_t *helperstate; | |
570 | char buf[8192]; | |
571 | char *sent_string = NULL; | |
572 | ntlm_user_t *ntlm_user; | |
573 | ntlm_request_t *ntlm_request; | |
574 | auth_user_t *auth_user; | |
575 | ||
576 | assert(auth_user_request); | |
577 | auth_user = auth_user_request->auth_user; | |
578 | ntlm_user = auth_user->scheme_data; | |
579 | ntlm_request = auth_user_request->scheme_data; | |
580 | assert(ntlm_user); | |
581 | assert(ntlm_request); | |
582 | assert(handler); | |
583 | assert(data); | |
584 | assert(auth_user->auth_type = AUTH_NTLM); | |
585 | debug(29, 9) ("authenticateNTLMStart: auth state '%d'\n", ntlm_request->auth_state); | |
586 | switch (ntlm_request->auth_state) { | |
587 | case AUTHENTICATE_STATE_NEGOTIATE: | |
588 | sent_string = xstrdup(ntlm_request->ntlmnegotiate); | |
589 | break; | |
590 | case AUTHENTICATE_STATE_RESPONSE: | |
591 | sent_string = xstrdup(ntlm_request->ntlmauthenticate); | |
592 | assert(ntlm_request->authhelper); | |
593 | debug(29, 9) ("authenticateNTLMStart: Asking NTLMauthenticator '%d'.\n", ntlm_request->authhelper); | |
594 | break; | |
595 | default: | |
596 | fatal("Invalid authenticate state for NTLMStart"); | |
597 | } | |
598 | ||
599 | while (!xisspace(*sent_string)) /*trim NTLM */ | |
600 | sent_string++; | |
601 | ||
602 | while (xisspace(*sent_string)) /*trim leading spaces */ | |
603 | sent_string++; | |
604 | ||
605 | debug(29, 9) ("authenticateNTLMStart: state '%d'\n", ntlm_request->auth_state); | |
606 | debug(29, 9) ("authenticateNTLMStart: '%s'\n", sent_string); | |
607 | if (ntlmConfig->authenticate == NULL) { | |
608 | debug(29, 0) ("authenticateNTLMStart: no NTLM program specified:'%s'\n", sent_string); | |
94439e4e | 609 | handler(data, NULL); |
610 | return; | |
611 | } | |
612 | #ifdef NTLMHELPPROTOCOLV2 | |
613 | r = CBDATA_ALLOC(authenticateStateData, NULL); | |
614 | r->handler = handler; | |
615 | cbdataLock(data); | |
616 | r->data = data; | |
617 | r->auth_user_request = auth_user_request; | |
618 | snprintf(buf, 8192, "%s\n", sent_string); | |
619 | helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); | |
620 | debug(29, 9) ("authenticateNTLMstart: finished\n"); | |
621 | #else | |
622 | /* this is ugly TODO: move the challenge generation routines to their own function and | |
623 | * tidy the logic up to make use of the efficiency we now have */ | |
624 | switch (ntlm_request->auth_state) { | |
625 | case AUTHENTICATE_STATE_NEGOTIATE: | |
626 | /* | |
627 | * 1: get a helper server | |
628 | * 2: does it have a challenge? | |
629 | * 3: tell it to get a challenge, or give ntlmauthdone the challenge | |
630 | */ | |
631 | server = helperStatefulDefer(ntlmauthenticators); | |
632 | helperstate = server ? helperStatefulServerGetData(server) : NULL; | |
633 | while ((server != NULL) && | |
634 | authenticateNTLMChangeChallenge(helperstate)) { | |
635 | /* flag this helper for challenge changing */ | |
636 | helperstate->starve = 1; | |
637 | /* and release the deferred request */ | |
638 | helperStatefulReleaseServer(server); | |
639 | server = helperStatefulDefer(ntlmauthenticators); | |
640 | if (server != NULL) | |
641 | helperstate = helperStatefulServerGetData(server); | |
642 | } | |
643 | if (server == NULL) | |
644 | debug(29, 9) ("unable to get a deferred ntlm helper... all helpers are refreshing challenges. Queuing as a placeholder request.\n"); | |
645 | ||
646 | ntlm_request->authhelper = server; | |
647 | /* tell the log what helper we have been given */ | |
648 | debug(29, 9) ("authenticateNTLMStart: helper '%d' assigned\n", server); | |
649 | /* valid challenge? */ | |
650 | if ((server == NULL) || !authenticateNTLMValidChallenge(helperstate)) { | |
651 | r = CBDATA_ALLOC(authenticateStateData, NULL); | |
652 | r->handler = handler; | |
653 | cbdataLock(data); | |
654 | r->data = data; | |
655 | r->auth_user_request = auth_user_request; | |
656 | if (server == NULL) { | |
657 | helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, ntlm_request->authhelper); | |
658 | } else { | |
659 | snprintf(buf, 8192, "YR\n"); | |
660 | helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); | |
661 | } | |
662 | } else { | |
663 | /* we have a valid challenge */ | |
664 | /* TODO: turn the below into a function and call from here and handlereply */ | |
665 | /* increment the challenge uses */ | |
666 | helperstate->challengeuses++; | |
667 | /* assign the challenge */ | |
668 | ntlm_request->authchallenge = | |
669 | xstrndup(helperstate->challenge, NTLM_CHALLENGE_SZ + 5); | |
670 | handler(data, NULL); | |
671 | } | |
672 | ||
673 | break; | |
674 | case AUTHENTICATE_STATE_RESPONSE: | |
675 | r = CBDATA_ALLOC(authenticateStateData, NULL); | |
676 | r->handler = handler; | |
677 | cbdataLock(data); | |
678 | r->data = data; | |
679 | r->auth_user_request = auth_user_request; | |
680 | snprintf(buf, 8192, "KK %s\n", sent_string); | |
681 | helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authhelper); | |
682 | debug(29, 9) ("authenticateNTLMstart: finished\n"); | |
683 | break; | |
684 | default: | |
685 | fatal("Invalid authenticate state for NTLMStart"); | |
686 | } | |
687 | #endif | |
688 | } | |
689 | ||
690 | /* callback used by stateful helper routines */ | |
691 | int | |
692 | authenticateNTLMHelperServerAvailable(void *data) | |
693 | { | |
694 | ntlm_helper_state_t *statedata = data; | |
695 | if (statedata != NULL) { | |
696 | if (statedata->starve) { | |
697 | debug(29, 4) ("authenticateNTLMHelperServerAvailable: starving - returning 0\n"); | |
698 | return 0; | |
699 | } else { | |
700 | debug(29, 4) ("authenticateNTLMHelperServerAvailable: not starving - returning 1\n"); | |
701 | return 1; | |
702 | } | |
703 | } | |
704 | debug(29, 4) ("authenticateNTLMHelperServerAvailable: no state data - returning 0\n"); | |
705 | return 0; | |
706 | } | |
707 | ||
708 | void | |
709 | authenticateNTLMHelperServerOnEmpty(void *data) | |
710 | { | |
711 | ntlm_helper_state_t *statedata = data; | |
712 | if (statedata == NULL) | |
713 | return; | |
714 | if (statedata->starve) { | |
715 | /* we have been starving the helper */ | |
716 | debug(29, 9) ("authenticateNTLMHelperServerOnEmpty: resetting challenge details\n"); | |
717 | statedata->starve = 0; | |
718 | statedata->challengeuses = 0; | |
719 | statedata->renewed = 0; | |
720 | xfree(statedata->challenge); | |
721 | statedata->challenge = NULL; | |
722 | } | |
723 | } | |
724 | ||
725 | ||
726 | /* clear the NTLM helper of being reserved for future requests */ | |
727 | void | |
728 | authenticateNTLMReleasehelper(auth_user_request_t * auth_user_request) | |
729 | { | |
730 | ntlm_request_t *ntlm_request; | |
731 | assert(auth_user_request->auth_user->auth_type == AUTH_NTLM); | |
732 | assert(auth_user_request->scheme_data != NULL); | |
733 | ntlm_request = auth_user_request->scheme_data; | |
734 | debug(29, 9) ("authenticateNTLMReleasehelper: releasing helper '%d'\n", ntlm_request->authhelper); | |
735 | helperStatefulReleaseServer(ntlm_request->authhelper); | |
736 | ntlm_request->authhelper = NULL; | |
737 | } | |
738 | ||
739 | /* clear any connection related authentication details */ | |
740 | void | |
741 | authenticateNTLMOnCloseConnection(ConnStateData * conn) | |
742 | { | |
743 | ntlm_request_t *ntlm_request; | |
744 | assert(conn != NULL); | |
745 | if (conn->auth_user_request != NULL) { | |
746 | assert(conn->auth_user_request->scheme_data != NULL); | |
747 | ntlm_request = conn->auth_user_request->scheme_data; | |
748 | if (ntlm_request->authhelper != NULL) | |
749 | authenticateNTLMReleasehelper(conn->auth_user_request); | |
750 | /* unlock the connection based lock */ | |
751 | debug(29, 9) ("authenticateNTLMOnCloseConnection: Unlocking auth_user from the connection.\n"); | |
752 | authenticateAuthUserRequestUnlock(conn->auth_user_request); | |
753 | conn->auth_user_request = NULL; | |
754 | } | |
755 | } | |
756 | ||
757 | /* authenticateUserUsername: return a pointer to the username in the */ | |
758 | char * | |
759 | authenticateNTLMUsername(auth_user_t * auth_user) | |
760 | { | |
761 | ntlm_user_t *ntlm_user = auth_user->scheme_data; | |
762 | if (ntlm_user) | |
763 | return ntlm_user->username; | |
764 | return NULL; | |
765 | } | |
766 | ||
767 | ||
768 | /* | |
769 | * Decode an NTLM [Proxy-]Auth string, placing the results in the passed | |
770 | * Auth_user structure. | |
771 | */ | |
772 | ||
773 | void | |
774 | authenticateDecodeNTLMAuth(auth_user_request_t * auth_user_request, const char *proxy_auth) | |
775 | { | |
776 | dlink_node *node; | |
777 | assert(auth_user_request->auth_user == NULL); | |
778 | auth_user_request->auth_user = authenticateAuthUserNew("ntlm"); | |
779 | auth_user_request->auth_user->auth_type = AUTH_NTLM; | |
780 | auth_user_request->auth_user->scheme_data = memPoolAlloc(ntlm_user_pool); | |
781 | auth_user_request->scheme_data = memPoolAlloc(ntlm_request_pool); | |
782 | /* lock for the auth_user_request link */ | |
783 | authenticateAuthUserLock(auth_user_request->auth_user); | |
784 | node = dlinkNodeNew(); | |
785 | dlinkAdd(auth_user_request, node, &auth_user_request->auth_user->requests); | |
786 | ||
787 | /* all we have to do is identify that it's NTLM - the helper does the rest */ | |
788 | debug(29, 9) ("authenticateDecodeNTLMAuth: NTLM authentication\n"); | |
789 | return; | |
790 | } | |
791 | ||
792 | int | |
793 | authenticateNTLMcmpUsername(ntlm_user_t * u1, ntlm_user_t * u2) | |
794 | { | |
795 | return strcmp(u1->username, u2->username); | |
796 | } | |
797 | ||
798 | void | |
799 | authenticateProxyAuthCacheAddLink(const char *key, auth_user_t * auth_user) | |
800 | { | |
801 | auth_user_hash_pointer *proxy_auth_hash; | |
802 | ntlm_user_t *ntlm_user; | |
803 | proxy_auth_hash = | |
804 | memAllocate(MEM_AUTH_USER_HASH); | |
805 | proxy_auth_hash->key = xstrdup(key); | |
806 | proxy_auth_hash->auth_user = auth_user; | |
807 | ntlm_user = auth_user->scheme_data; | |
808 | dlinkAddTail(proxy_auth_hash, &proxy_auth_hash->link, | |
809 | &ntlm_user->proxy_auth_list); | |
810 | hash_join(proxy_auth_cache, (hash_link *) proxy_auth_hash); | |
811 | } | |
812 | ||
813 | ||
814 | int | |
815 | authNTLMAuthenticated(auth_user_request_t * auth_user_request) | |
816 | { | |
817 | ntlm_request_t *ntlm_request = auth_user_request->scheme_data; | |
818 | if (ntlm_request->auth_state == AUTHENTICATE_STATE_DONE) | |
819 | return 1; | |
820 | debug(29, 9) ("User not fully authenticated.\n"); | |
821 | return 0; | |
822 | } | |
823 | ||
94439e4e | 824 | static void |
825 | authenticateNTLMAuthenticateUser(auth_user_request_t * auth_user_request, request_t * request, ConnStateData * conn, http_hdr_type type) | |
94439e4e | 826 | { |
827 | const char *proxy_auth; | |
828 | auth_user_hash_pointer *usernamehash, *proxy_auth_hash = NULL; | |
829 | auth_user_t *auth_user; | |
830 | ntlm_request_t *ntlm_request; | |
831 | ntlm_user_t *ntlm_user; | |
832 | LOCAL_ARRAY(char, ntlmhash, NTLM_CHALLENGE_SZ * 2); | |
833 | /* get header */ | |
834 | proxy_auth = httpHeaderGetStr(&request->header, type); | |
835 | ||
836 | auth_user = auth_user_request->auth_user; | |
837 | assert(auth_user); | |
838 | assert(auth_user->auth_type == AUTH_NTLM); | |
839 | assert(auth_user->scheme_data != NULL); | |
840 | assert(auth_user_request->scheme_data != NULL); | |
841 | ntlm_user = auth_user->scheme_data; | |
842 | ntlm_request = auth_user_request->scheme_data; | |
843 | switch (ntlm_request->auth_state) { | |
844 | case AUTHENTICATE_STATE_NONE: | |
845 | /* we've recieved a negotiate request. pass to a helper */ | |
846 | debug(29, 9) ("authenticateNTLMAuthenticateUser: auth state ntlm none. %s\n", | |
847 | proxy_auth); | |
848 | ntlm_request->auth_state = AUTHENTICATE_STATE_NEGOTIATE; | |
849 | ntlm_request->ntlmnegotiate = xstrndup(proxy_auth, NTLM_CHALLENGE_SZ + 5); | |
850 | conn->auth_type = AUTH_NTLM; | |
851 | conn->auth_user_request = auth_user_request; | |
852 | /* and lock for the connection duration */ | |
853 | debug(29, 9) ("authenticateNTLMAuthenticateUser: Locking auth_user from the connection.\n"); | |
854 | authenticateAuthUserRequestLock(auth_user_request); | |
855 | return; | |
856 | break; | |
857 | case AUTHENTICATE_STATE_NEGOTIATE: | |
858 | ntlm_request->auth_state = AUTHENTICATE_STATE_CHALLENGE; | |
859 | return; | |
860 | break; | |
861 | case AUTHENTICATE_STATE_CHALLENGE: | |
862 | /* we should have recieved a NTLM challenge. pass it to the same | |
863 | * helper process */ | |
864 | debug(29, 9) ("authenticateNTLMAuthenticateUser: auth state challenge with header %s.\n", proxy_auth); | |
865 | /* do a cache lookup here. If it matches it's a successful ntlm | |
866 | * challenge - release the helper and use the existing auth_user | |
867 | * details. */ | |
868 | if (strncmp("NTLM ", proxy_auth, 5) == 0) { | |
869 | ntlm_request->ntlmauthenticate = xstrdup(proxy_auth); | |
870 | } else { | |
871 | fatal("Incorrect scheme in auth header\n"); | |
872 | /* TODO: more fault tolerance.. reset the auth scheme here */ | |
873 | } | |
874 | /* cache entries have authenticateauthheaderchallengestring */ | |
875 | snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s", | |
876 | ntlm_request->ntlmauthenticate, | |
877 | ntlm_request->authchallenge); | |
878 | /* see if we already know this user's authenticate */ | |
879 | debug(29, 9) ("aclMatchProxyAuth: cache lookup with key '%s'\n", ntlmhash); | |
880 | assert(proxy_auth_cache != NULL); | |
881 | proxy_auth_hash = hash_lookup(proxy_auth_cache, ntlmhash); | |
882 | if (!proxy_auth_hash) { /* not in the hash table */ | |
883 | debug(29, 4) ("authenticateNTLMAuthenticateUser: proxy-auth cache miss.\n"); | |
884 | ntlm_request->auth_state = AUTHENTICATE_STATE_RESPONSE; | |
885 | /* verify with the ntlm helper */ | |
886 | } else { | |
887 | debug(29, 4) ("authenticateNTLMAuthenticateUser: ntlm proxy-auth cache hit\n"); | |
888 | /* throw away the temporary entry */ | |
889 | authenticateNTLMReleasehelper(auth_user_request); | |
890 | authenticateAuthUserMerge(auth_user, proxy_auth_hash->auth_user); | |
891 | auth_user = proxy_auth_hash->auth_user; | |
892 | auth_user_request->auth_user = auth_user; | |
893 | ntlm_request->auth_state = AUTHENTICATE_STATE_DONE; | |
894 | /* we found one */ | |
895 | debug(29, 9) ("found matching cache entry\n"); | |
896 | assert(auth_user->auth_type == AUTH_NTLM); | |
897 | /* get the existing entries details */ | |
898 | ntlm_user = auth_user->scheme_data; | |
899 | debug(29, 9) ("Username to be used is %s\n", | |
900 | ntlm_user->username); | |
901 | auth_user->flags.credentials_ok = 1; /* authenticated ok */ | |
902 | /* on ntlm auth we do not unlock the auth_user until the | |
903 | * connection is dropped. Thank MS for this quirk */ | |
904 | auth_user->expiretime = current_time.tv_sec; | |
905 | auth_user->ip_expiretime = squid_curtime; | |
906 | } | |
907 | return; | |
908 | break; | |
909 | case AUTHENTICATE_STATE_RESPONSE: | |
910 | /* auth-challenge pair cache miss. We've just got the response */ | |
911 | /*add to cache and let them through */ | |
912 | ntlm_request->auth_state = AUTHENTICATE_STATE_DONE; | |
913 | /* this connection is authenticated */ | |
914 | debug(29, 4) ("authenticated\nch %s\nauth %s\nauthuser %s\n", | |
915 | ntlm_request->authchallenge, | |
916 | ntlm_request->ntlmauthenticate, | |
917 | ntlm_user->username); | |
918 | /* cache entries have authenticateauthheaderchallengestring */ | |
919 | snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s", | |
920 | ntlm_request->ntlmauthenticate, | |
921 | ntlm_request->authchallenge); | |
922 | /* see if this is an existing user with a different proxy_auth | |
923 | * string */ | |
924 | if ((usernamehash = hash_lookup(proxy_auth_username_cache, | |
925 | ntlm_user->username))) { | |
926 | while ((usernamehash->auth_user->auth_type != | |
927 | auth_user->auth_type) && (usernamehash->next) && | |
928 | !authenticateNTLMcmpUsername(usernamehash->auth_user->scheme_data, ntlm_user)) | |
929 | usernamehash = usernamehash->next; | |
930 | if (usernamehash->auth_user->auth_type == auth_user->auth_type) { | |
931 | /* | |
932 | * add another link from the new proxy_auth to the | |
933 | * auth_user structure and update the information */ | |
934 | assert(proxy_auth_hash == NULL); | |
935 | authenticateProxyAuthCacheAddLink(ntlmhash, usernamehash->auth_user); | |
936 | /* we can't seamlessly recheck the username due to the | |
937 | * challenge nature of the protocol. Just free the | |
938 | * temporary auth_user */ | |
939 | authenticateAuthUserMerge(auth_user, usernamehash->auth_user); | |
940 | auth_user = usernamehash->auth_user; | |
941 | auth_user_request->auth_user = auth_user; | |
94439e4e | 942 | } |
943 | } else { | |
944 | /* store user in hash's */ | |
945 | authenticateUserNameCacheAdd(auth_user); | |
946 | authenticateProxyAuthCacheAddLink(ntlmhash, auth_user); | |
947 | } | |
948 | /* set these to now because this is either a new login from an | |
949 | * existing user or a new user */ | |
950 | auth_user->expiretime = current_time.tv_sec; | |
951 | auth_user->ip_expiretime = squid_curtime; | |
952 | auth_user->flags.credentials_ok = 1; /*authenticated ok */ | |
953 | return; | |
954 | break; | |
955 | case AUTHENTICATE_STATE_DONE: | |
956 | fatal("authenticateNTLMAuthenticateUser: unexpect auth state DONE! Report a bug to the squid developers.\n"); | |
94439e4e | 957 | } |
958 | ||
959 | return; | |
960 | } |