helpers/digest_auth/LDAP/digest_pw_auth.cc

   1 /*
   2  * digest_pw_auth.c
   3  *
   4  * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet
   5  * <Arjan.deVet@adv.iae.nl>
   6  * LDAP backend extension by Flavio Pescuma, MARA Systems AB <flavio@marasystems.com>
   7  *
   8  * Example digest authentication program for Squid, based on the original
   9  * proxy_auth code from client_side.c, written by
  10  * Jon Thackray <jrmt@uk.gdscorp.com>.
  11  *
  12  * - comment lines are possible and should start with a '#';
  13  * - empty or blank lines are possible;
  14  * - file format is username:password
  15  *
  16  * To build a directory integrated backend, you need to be able to
  17  * calculate the HA1 returned to squid. To avoid storing a plaintext
  18  * password you can calculate MD5(username:realm:password) when the
  19  * user changes their password, and store the tuple username:realm:HA1.
  20  * then find the matching username:realm when squid asks for the
  21  * HA1.
  22  *
  23  * This implementation could be improved by using such a triple for
  24  * the file format.  However storing such a triple does little to
  25  * improve security: If compromised the username:realm:HA1 combination
  26  * is "plaintext equivalent" - for the purposes of digest authentication
  27  * they allow the user access. Password syncronisation is not tackled
  28  * by digest - just preventing on the wire compromise.
  29  *
  30  * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
  31  */
  32 #include "squid.h"
  33 #include "digest_common.h"
  34 #include "helpers/defines.h"
  35 #include "ldap_backend.h"
  36
  37 #define PROGRAM_NAME "digest_ldap_auth"
  38
  39 static void
  40 GetHHA1(RequestData * requestData)
  41 {
  42     LDAPHHA1(requestData);
  43 }
  44
  45 static void
  46 ParseBuffer(char *buf, RequestData * requestData)
  47 {
  48     char *p;
  49     requestData->parsed = 0;
  50     if ((p = strchr(buf, '\n')) != NULL)
  51         *p = '\0';              /* strip \n */
  52     if ((requestData->user = strtok(buf, "\"")) == NULL)
  53         return;
  54     if ((requestData->realm = strtok(NULL, "\"")) == NULL)
  55         return;
  56     if ((requestData->realm = strtok(NULL, "\"")) == NULL)
  57         return;
  58     requestData->parsed = -1;
  59 }
  60
  61 static void
  62 OutputHHA1(RequestData * requestData)
  63 {
  64     requestData->error = 0;
  65     GetHHA1(requestData);
  66     if (requestData->error) {
  67         SEND_ERR("message=\"No such user\"");
  68         return;
  69     }
  70     printf("OK ha1=\"%s\"\n", requestData->HHA1);
  71 }
  72
  73 static void
  74 DoOneRequest(char *buf)
  75 {
  76     RequestData requestData;
  77     ParseBuffer(buf, &requestData);
  78     if (!requestData.parsed) {
  79         SEND_BH("message=\"Invalid line received\"");
  80         return;
  81     }
  82     OutputHHA1(&requestData);
  83 }
  84
  85 static void
  86 ProcessArguments(int argc, char **argv)
  87 {
  88     int i;
  89     i = LDAPArguments(argc, argv);
  90     if (i)
  91         exit(i);
  92 }
  93
  94 int
  95 main(int argc, char **argv)
  96 {
  97     char buf[HELPER_INPUT_BUFFER];
  98     setbuf(stdout, NULL);
  99     ProcessArguments(argc, argv);
 100     while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL)
 101         DoOneRequest(buf);
 102     exit(0);
 103 }