]> git.ipfire.org Git - thirdparty/squid.git/blob - helpers/basic_auth/NCSA/basic_ncsa_auth.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
merge from trunk
[thirdparty/squid.git] / helpers / basic_auth / NCSA / basic_ncsa_auth.cc
1 /*
2 * AUTHOR: Arjan de Vet <Arjan.deVet@adv.iae.nl>
3 *
4 * Example authentication program for Squid, based on the original
5 * proxy_auth code from client_side.c, written by
6 * Jon Thackray <jrmt@uk.gdscorp.com>.
7 *
8 * Uses a NCSA httpd style password file for authentication with the
9 * following improvements suggested by various people:
10 *
11 * - comment lines are possible and should start with a '#';
12 * - empty or blank lines are possible;
13 * - extra fields in the password file are ignored; this makes it
14 * possible to use a Unix password file but I do not recommend that.
15 *
16 * MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
17 */
18
19 #include "squid.h"
20 #include "crypt_md5.h"
21 #include "hash.h"
22 #include "helpers/defines.h"
23 #include "rfc1738.h"
24 #include "util.h"
25
26 #include <cerrno>
27 #include <cstring>
28 #if HAVE_UNISTD_H
29 #include <unistd.h>
30 #endif
31 #if HAVE_SYS_STAT_H
32 #include <sys/stat.h>
33 #endif
34 #if HAVE_CRYPT_H
35 #include <crypt.h>
36 #endif
37
38 static hash_table *hash = NULL;
39 static HASHFREE my_free;
40
41 typedef struct _user_data {
42 /* first two items must be same as hash_link */
43 char *user;
44 struct _user_data *next;
45 char *passwd;
46 } user_data;
47
48 static void
49 my_free(void *p)
50 {
51 user_data *u = static_cast<user_data*>(p);
52 xfree(u->user);
53 xfree(u->passwd);
54 xfree(u);
55 }
56
57 static void
58 read_passwd_file(const char *passwdfile)
59 {
60 FILE *f;
61 char buf[HELPER_INPUT_BUFFER];
62 user_data *u;
63 char *user;
64 char *passwd;
65 if (hash != NULL) {
66 hashFreeItems(hash, my_free);
67 hashFreeMemory(hash);
68 }
69 /* initial setup */
70 hash = hash_create((HASHCMP *) strcmp, 7921, hash_string);
71 if (NULL == hash) {
72 fprintf(stderr, "FATAL: Cannot create hash table\n");
73 exit(1);
74 }
75 f = fopen(passwdfile, "r");
76 if (NULL == f) {
77 fprintf(stderr, "FATAL: %s: %s\n", passwdfile, xstrerror());
78 exit(1);
79 }
80 unsigned int lineCount = 0;
81 buf[HELPER_INPUT_BUFFER-1] = '\0';
82 while (fgets(buf, sizeof(buf)-1, f) != NULL) {
83 ++lineCount;
84 if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') ||
85 (buf[0] == '\n'))
86 continue;
87 user = strtok(buf, ":\n\r");
88 if (user == NULL) {
89 fprintf(stderr, "ERROR: Missing user name at %s line %d\n", passwdfile, lineCount);
90 continue;
91 }
92 passwd = strtok(NULL, ":\n\r");
93 if ((strlen(user) > 0) && passwd) {
94 u = static_cast<user_data*>(xmalloc(sizeof(*u)));
95 u->user = xstrdup(user);
96 u->passwd = xstrdup(passwd);
97 hash_join(hash, (hash_link *) u);
98 }
99 }
100 fclose(f);
101 }
102
103 int
104 main(int argc, char **argv)
105 {
106 struct stat sb;
107 time_t change_time = -1;
108 char buf[HELPER_INPUT_BUFFER];
109 char *user, *passwd, *p;
110 user_data *u;
111 setbuf(stdout, NULL);
112 if (argc != 2) {
113 fprintf(stderr, "Usage: ncsa_auth <passwordfile>\n");
114 exit(1);
115 }
116 if (stat(argv[1], &sb) != 0) {
117 fprintf(stderr, "FATAL: cannot stat %s\n", argv[1]);
118 exit(1);
119 }
120 while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
121 if ((p = strchr(buf, '\n')) != NULL)
122 *p = '\0'; /* strip \n */
123 if (stat(argv[1], &sb) == 0) {
124 if (sb.st_mtime != change_time) {
125 read_passwd_file(argv[1]);
126 change_time = sb.st_mtime;
127 }
128 }
129 if ((user = strtok(buf, " ")) == NULL) {
130 SEND_ERR("");
131 continue;
132 }
133 if ((passwd = strtok(NULL, "")) == NULL) {
134 SEND_ERR("");
135 continue;
136 }
137 rfc1738_unescape(user);
138 rfc1738_unescape(passwd);
139 u = (user_data *) hash_lookup(hash, user);
140 if (u == NULL) {
141 SEND_ERR("No such user");
142 continue;
143 }
144 char *crypted = NULL;
145 #if HAVE_CRYPT
146 size_t passwordLength = strlen(passwd);
147 // Bug 3831: given algorithms more secure than DES crypt() does not truncate, so we can ignore the bug 3107 length checks below
148 // '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), '$6$' = SHA256 (BSD) and SHA512
149 if (passwordLength > 1 && u->passwd[0] == '$' &&
150 (crypted = crypt(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
151 SEND_OK("");
152 continue;
153 }
154 // 'other' prefixes indicate DES algorithm.
155 if (passwordLength <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
156 SEND_OK("");
157 continue;
158 }
159 if (passwordLength > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
160 // Bug 3107: crypt() DES functionality silently truncates long passwords.
161 SEND_ERR("Password too long. Only 8 characters accepted.");
162 continue;
163 }
164
165 #endif
166 if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
167 SEND_OK("");
168 continue;
169 }
170 if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
171 SEND_OK("");
172 continue;
173 }
174 SEND_ERR("Wrong password");
175 }
176 if (hash != NULL) {
177 hashFreeItems(hash, my_free);
178 hashFreeMemory(hash);
179 }
180 exit(0);
181 }
Mirror of https://github.com/squid-cache/squid.git