]>
Commit | Line | Data |
---|---|---|
94439e4e | 1 | /* |
262a0e14 | 2 | * $Id$ |
94439e4e | 3 | * |
4 | * DEBUG: section 29 NTLM Authenticator | |
6bf4f823 | 5 | * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli |
94439e4e | 6 | * |
2b6662ba | 7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ |
94439e4e | 8 | * ---------------------------------------------------------- |
9 | * | |
2b6662ba | 10 | * Squid is the result of efforts by numerous individuals from |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
94439e4e | 18 | * |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
94439e4e | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
94439e4e | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | */ | |
34 | ||
35 | /* The functions in this file handle authentication. | |
36 | * They DO NOT perform access control or auditing. | |
37 | * See acl.c for access control and client_side.c for auditing */ | |
38 | ||
39 | ||
40 | #include "squid.h" | |
3ad63615 | 41 | #include "auth/Gadgets.h" |
5817ee13 AJ |
42 | #include "auth/ntlm/auth_ntlm.h" |
43 | #include "auth/ntlm/ntlmScheme.h" | |
928f3421 AJ |
44 | #include "auth/ntlm/ntlmUserRequest.h" |
45 | #include "auth/State.h" | |
62ee09ca | 46 | #include "CacheManager.h" |
e6ccf245 | 47 | #include "Store.h" |
a46d2c0e | 48 | #include "client_side.h" |
924f73bc | 49 | #include "HttpReply.h" |
a2ac85d9 | 50 | #include "HttpRequest.h" |
d295d770 | 51 | #include "wordlist.h" |
cc192b50 | 52 | #include "SquidTime.h" |
c78aa667 | 53 | |
94439e4e | 54 | /* NTLM Scheme */ |
94439e4e | 55 | static AUTHSSTATS authenticateNTLMStats; |
94439e4e | 56 | |
928f3421 | 57 | statefulhelper *ntlmauthenticators = NULL; |
94439e4e | 58 | static int authntlm_initialised = 0; |
59 | ||
94439e4e | 60 | static hash_table *proxy_auth_cache = NULL; |
61 | ||
62 | /* | |
63 | * | |
64 | * Private Functions | |
65 | * | |
66 | */ | |
67 | ||
0bcb6908 AJ |
68 | void |
69 | AuthNTLMConfig::rotateHelpers() | |
70 | { | |
71 | /* schedule closure of existing helpers */ | |
72 | if (ntlmauthenticators) { | |
73 | helperStatefulShutdown(ntlmauthenticators); | |
74 | } | |
75 | ||
76 | /* NP: dynamic helper restart will ensure they start up again as needed. */ | |
77 | } | |
78 | ||
5817ee13 | 79 | /* free any allocated configuration details */ |
f5691f9c | 80 | void |
5817ee13 | 81 | AuthNTLMConfig::done() |
94439e4e | 82 | { |
94439e4e | 83 | authntlm_initialised = 0; |
62e76326 | 84 | |
5817ee13 AJ |
85 | if (ntlmauthenticators) { |
86 | helperStatefulShutdown(ntlmauthenticators); | |
5817ee13 | 87 | } |
62e76326 | 88 | |
94439e4e | 89 | if (!shutting_down) |
62e76326 | 90 | return; |
91 | ||
48d54e4d | 92 | delete ntlmauthenticators; |
94439e4e | 93 | ntlmauthenticators = NULL; |
62e76326 | 94 | |
f5691f9c | 95 | if (authenticate) |
96 | wordlistDestroy(&authenticate); | |
cdabe87d AJ |
97 | |
98 | debugs(29, 2, "ntlmScheme::done: NTLM authentication Shutdown."); | |
94439e4e | 99 | } |
100 | ||
f5691f9c | 101 | void |
102 | AuthNTLMConfig::dump(StoreEntry * entry, const char *name, AuthConfig * scheme) | |
94439e4e | 103 | { |
f5691f9c | 104 | wordlist *list = authenticate; |
94439e4e | 105 | storeAppendPrintf(entry, "%s %s", name, "ntlm"); |
62e76326 | 106 | |
94439e4e | 107 | while (list != NULL) { |
62e76326 | 108 | storeAppendPrintf(entry, " %s", list->key); |
109 | list = list->next; | |
94439e4e | 110 | } |
62e76326 | 111 | |
404cfda1 AJ |
112 | storeAppendPrintf(entry, "\n%s ntlm children %d startup=%d idle=%d concurrency=%d\n", |
113 | name, authenticateChildren.n_max, authenticateChildren.n_startup, authenticateChildren.n_idle, authenticateChildren.concurrency); | |
6bf4f823 | 114 | storeAppendPrintf(entry, "%s %s keep_alive %s\n", name, "ntlm", keep_alive ? "on" : "off"); |
94439e4e | 115 | |
116 | } | |
117 | ||
ea0695f2 | 118 | AuthNTLMConfig::AuthNTLMConfig() : keep_alive(1) |
6bf4f823 | 119 | { } |
62e76326 | 120 | |
f5691f9c | 121 | void |
122 | AuthNTLMConfig::parse(AuthConfig * scheme, int n_configured, char *param_str) | |
123 | { | |
94439e4e | 124 | if (strcasecmp(param_str, "program") == 0) { |
f5691f9c | 125 | if (authenticate) |
126 | wordlistDestroy(&authenticate); | |
62e76326 | 127 | |
f5691f9c | 128 | parse_wordlist(&authenticate); |
62e76326 | 129 | |
42900318 | 130 | requirePathnameExists("auth_param ntlm program", authenticate->key); |
94439e4e | 131 | } else if (strcasecmp(param_str, "children") == 0) { |
48d54e4d | 132 | authenticateChildren.parseConfig(); |
6bf4f823 | 133 | } else if (strcasecmp(param_str, "keep_alive") == 0) { |
134 | parse_onoff(&keep_alive); | |
94439e4e | 135 | } else { |
bf8fe701 | 136 | debugs(29, 0, "AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter '" << param_str << "'"); |
94439e4e | 137 | } |
62e76326 | 138 | |
dff99376 | 139 | /* |
140 | * disable client side request pipelining. There is a race with | |
141 | * NTLM when the client sends a second request on an NTLM | |
142 | * connection before the authenticate challenge is sent. With | |
143 | * this patch, the client may fail to authenticate, but squid's | |
144 | * state will be preserved. Caveats: this should be a post-parse | |
145 | * test, but that can wait for the modular parser to be integrated. | |
721b0310 | 146 | */ |
f5691f9c | 147 | if (authenticate) |
62e76326 | 148 | Config.onoff.pipeline_prefetch = 0; |
94439e4e | 149 | } |
150 | ||
f5691f9c | 151 | const char * |
152 | AuthNTLMConfig::type() const | |
94439e4e | 153 | { |
5817ee13 | 154 | return ntlmScheme::GetInstance()->type(); |
94439e4e | 155 | } |
156 | ||
157 | /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the | |
158 | * config file */ | |
f5691f9c | 159 | void |
160 | AuthNTLMConfig::init(AuthConfig * scheme) | |
94439e4e | 161 | { |
f5691f9c | 162 | if (authenticate) { |
6bf4f823 | 163 | |
62e76326 | 164 | authntlm_initialised = 1; |
165 | ||
166 | if (ntlmauthenticators == NULL) | |
48d54e4d | 167 | ntlmauthenticators = new statefulhelper("ntlmauthenticator"); |
62e76326 | 168 | |
169 | if (!proxy_auth_cache) | |
30abd221 | 170 | proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); |
62e76326 | 171 | |
172 | assert(proxy_auth_cache); | |
173 | ||
f5691f9c | 174 | ntlmauthenticators->cmdline = authenticate; |
62e76326 | 175 | |
48d54e4d | 176 | ntlmauthenticators->childs = authenticateChildren; |
62e76326 | 177 | |
178 | ntlmauthenticators->ipc_type = IPC_STREAM; | |
179 | ||
62e76326 | 180 | helperStatefulOpenServers(ntlmauthenticators); |
181 | ||
62e76326 | 182 | CBDATA_INIT_TYPE(authenticateStateData); |
94439e4e | 183 | } |
184 | } | |
185 | ||
62ee09ca | 186 | void |
15fab853 | 187 | AuthNTLMConfig::registerWithCacheManager(void) |
62ee09ca | 188 | { |
15fab853 | 189 | CacheManager::GetInstance()-> |
26ac0430 AJ |
190 | registerAction("ntlmauthenticator", |
191 | "NTLM User Authenticator Stats", | |
192 | authenticateNTLMStats, 0, 1); | |
62ee09ca | 193 | } |
194 | ||
f5691f9c | 195 | bool |
196 | AuthNTLMConfig::active() const | |
2d70df72 | 197 | { |
f5691f9c | 198 | return authntlm_initialised == 1; |
2d70df72 | 199 | } |
200 | ||
f5691f9c | 201 | bool |
202 | AuthNTLMConfig::configured() const | |
94439e4e | 203 | { |
48d54e4d | 204 | if ((authenticate != NULL) && (authenticateChildren.n_max != 0)) { |
bf8fe701 | 205 | debugs(29, 9, "AuthNTLMConfig::configured: returning configured"); |
f5691f9c | 206 | return true; |
2d70df72 | 207 | } |
62e76326 | 208 | |
bf8fe701 | 209 | debugs(29, 9, "AuthNTLMConfig::configured: returning unconfigured"); |
f5691f9c | 210 | return false; |
94439e4e | 211 | } |
212 | ||
213 | /* NTLM Scheme */ | |
94439e4e | 214 | |
f5691f9c | 215 | void |
a33a428a | 216 | AuthNTLMConfig::fixHeader(AuthUserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request) |
94439e4e | 217 | { |
6bf4f823 | 218 | if (!authenticate) |
219 | return; | |
62e76326 | 220 | |
63a05fa3 | 221 | /* Need keep-alive */ |
222 | if (!request->flags.proxy_keepalive && request->flags.must_keepalive) | |
26ac0430 | 223 | return; |
63a05fa3 | 224 | |
6bf4f823 | 225 | /* New request, no user details */ |
226 | if (auth_user_request == NULL) { | |
18ec8500 FC |
227 | debugs(29, 9, "AuthNTLMConfig::fixHeader: Sending type:" << hdrType << " header: 'NTLM'"); |
228 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); | |
6bf4f823 | 229 | |
230 | if (!keep_alive) { | |
62e76326 | 231 | /* drop the connection */ |
62e76326 | 232 | request->flags.proxy_keepalive = 0; |
62e76326 | 233 | } |
6bf4f823 | 234 | } else { |
a33a428a | 235 | AuthNTLMUserRequest *ntlm_request = dynamic_cast<AuthNTLMUserRequest *>(auth_user_request.getRaw()); |
3a11f20d | 236 | assert(ntlm_request != NULL); |
237 | ||
d232141d | 238 | switch (ntlm_request->user()->credentials()) { |
62e76326 | 239 | |
d232141d | 240 | case AuthUser::Failed: |
6bf4f823 | 241 | /* here it makes sense to drop the connection, as auth is |
242 | * tied to it, even if MAYBE the client could handle it - Kinkie */ | |
6bf4f823 | 243 | request->flags.proxy_keepalive = 0; |
244 | /* fall through */ | |
94439e4e | 245 | |
d232141d | 246 | case AuthUser::Ok: |
6bf4f823 | 247 | /* Special case: authentication finished OK but disallowed by ACL. |
248 | * Need to start over to give the client another chance. | |
249 | */ | |
250 | /* fall through */ | |
62e76326 | 251 | |
d232141d | 252 | case AuthUser::Unchecked: |
6bf4f823 | 253 | /* semantic change: do not drop the connection. |
254 | * 2.5 implementation used to keep it open - Kinkie */ | |
18ec8500 FC |
255 | debugs(29, 9, "AuthNTLMConfig::fixHeader: Sending type:" << hdrType << " header: 'NTLM'"); |
256 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); | |
6bf4f823 | 257 | break; |
62e76326 | 258 | |
d232141d | 259 | case AuthUser::Handshake: |
6bf4f823 | 260 | /* we're waiting for a response from the client. Pass it the blob */ |
18ec8500 FC |
261 | debugs(29, 9, "AuthNTLMConfig::fixHeader: Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'"); |
262 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob); | |
6bf4f823 | 263 | safe_free(ntlm_request->server_blob); |
264 | break; | |
62e76326 | 265 | |
6bf4f823 | 266 | default: |
d232141d | 267 | debugs(29, DBG_CRITICAL, "AuthNTLMConfig::fixHeader: state " << ntlm_request->user()->credentials() << "."); |
6bf4f823 | 268 | fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n"); |
269 | } | |
270 | } | |
271 | } | |
62e76326 | 272 | |
6bf4f823 | 273 | NTLMUser::~NTLMUser() |
274 | { | |
bf8fe701 | 275 | debugs(29, 5, "NTLMUser::~NTLMUser: doing nothing to clearNTLM scheme data for '" << this << "'"); |
94439e4e | 276 | } |
277 | ||
56a49fda AJ |
278 | int32_t |
279 | NTLMUser::ttl() const | |
280 | { | |
281 | return -1; // NTLM credentials cannot be cached. | |
282 | } | |
283 | ||
94439e4e | 284 | static void |
285 | authenticateNTLMStats(StoreEntry * sentry) | |
286 | { | |
9522b380 | 287 | helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics"); |
94439e4e | 288 | } |
289 | ||
94439e4e | 290 | /* |
6bf4f823 | 291 | * Decode a NTLM [Proxy-]Auth string, placing the results in the passed |
94439e4e | 292 | * Auth_user structure. |
293 | */ | |
a33a428a | 294 | AuthUserRequest::Pointer |
f5691f9c | 295 | AuthNTLMConfig::decode(char const *proxy_auth) |
94439e4e | 296 | { |
5817ee13 | 297 | NTLMUser *newUser = new NTLMUser(AuthConfig::Find("ntlm")); |
a33a428a | 298 | AuthUserRequest::Pointer auth_user_request = new AuthNTLMUserRequest(); |
f5691f9c | 299 | assert(auth_user_request->user() == NULL); |
a33a428a | 300 | |
f5691f9c | 301 | auth_user_request->user(newUser); |
302 | auth_user_request->user()->auth_type = AUTH_NTLM; | |
94439e4e | 303 | |
304 | /* all we have to do is identify that it's NTLM - the helper does the rest */ | |
bf8fe701 | 305 | debugs(29, 9, "AuthNTLMConfig::decode: NTLM authentication"); |
f5691f9c | 306 | return auth_user_request; |
94439e4e | 307 | } |
308 | ||
f5691f9c | 309 | void |
310 | NTLMUser::deleteSelf() const | |
311 | { | |
312 | delete this; | |
313 | } | |
314 | ||
18ec8500 | 315 | NTLMUser::NTLMUser (AuthConfig *aConfig) : AuthUser (aConfig) |
f5691f9c | 316 | { |
317 | proxy_auth_list.head = proxy_auth_list.tail = NULL; | |
318 | } |