]>
git.ipfire.org Git - thirdparty/squid.git/blob - helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
2 * -----------------------------------------------------------------------------
4 * Author: Markus Moeller (markus_moeller at compuserve.com)
6 * Copyright (C) 2011 Markus Moeller. All rights reserved.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
22 * -----------------------------------------------------------------------------
25 * Hosted at http://sourceforge.net/projects/squidkerbauth
56 #if !defined(HAVE_DECL_XMALLOC) || !HAVE_DECL_XMALLOC
57 #define xmalloc malloc
59 #if !defined(HAVE_DECL_XSTRDUP) || !HAVE_DECL_XSTRDUP
60 #define xstrdup strdup
62 #if !defined(HAVE_DECL_XFREE) || !HAVE_DECL_XFREE
67 #define PROGRAM "negotiate_wrapper"
69 #define VERSION "1.0.1"
71 #ifndef MAX_AUTHTOKEN_LEN
72 #define MAX_AUTHTOKEN_LEN 65535
75 static const unsigned char ntlmProtocol
[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
81 static time_t last_t
= 0;
84 gettimeofday(&now
, NULL
);
85 if (now
.tv_sec
!= last_t
) {
86 time_t *tmp
= (time_t *) & now
.tv_sec
;
87 struct tm
*tm
= localtime(tmp
);
88 strftime(buf
, 127, "%Y/%m/%d %H:%M:%S", tm
);
96 fprintf(stderr
, "Usage: \n");
97 fprintf(stderr
, "negotiate_wrapper [-h] [-d] --ntlm ntlm helper + arguments --kerberos kerberos helper + arguments\n");
98 fprintf(stderr
, "-h help\n");
99 fprintf(stderr
, "-d full debug\n");
100 fprintf(stderr
, "--ntlm full ntlm helper path with arguments\n");
101 fprintf(stderr
, "--kerberos full kerberos helper path with arguments\n");
105 main(int argc
, char *const argv
[])
107 char buf
[MAX_AUTHTOKEN_LEN
];
108 char tbuff
[MAX_AUTHTOKEN_LEN
];
109 char buff
[MAX_AUTHTOKEN_LEN
+2];
113 int nstart
= 0, kstart
= 0;
114 int nend
= 0, kend
= 0;
116 char **nargs
, **kargs
;
126 setbuf(stdout
, NULL
);
129 if (argc
==1 || !strncasecmp(argv
[1],"-h",2)) {
135 if (!strncasecmp(argv
[1],"-d",2)) {
140 for (i
=j
; i
<argc
; i
++) {
141 if (!strncasecmp(argv
[i
],"--ntlm",6))
143 if (!strncasecmp(argv
[i
],"--kerberos",10))
146 if (nstart
> kstart
) {
153 if (nstart
== 0 || kstart
== 0 || kend
-kstart
<= 0 || nend
-nstart
<= 0 ) {
159 fprintf(stderr
, "%s| %s: Starting version %s\n", LogTime(), PROGRAM
,
162 if ((nargs
= (char **)xmalloc((nend
-nstart
+1)*sizeof(char *))) == NULL
) {
163 fprintf(stderr
, "%s| %s: Error allocating memory for ntlm helper\n", LogTime(), PROGRAM
);
166 memcpy(nargs
,argv
+nstart
+1,(nend
-nstart
)*sizeof(char *));
167 nargs
[nend
-nstart
]=NULL
;
169 fprintf(stderr
, "%s| %s: NTLM command: ", LogTime(), PROGRAM
);
170 for (i
=0; i
<nend
-nstart
; i
++)
171 fprintf(stderr
, "%s ", nargs
[i
]);
172 fprintf(stderr
, "\n");
174 if ((kargs
= (char **)xmalloc((kend
-kstart
+1)*sizeof(char *))) == NULL
) {
175 fprintf(stderr
, "%s| %s: Error allocating memory for kerberos helper\n", LogTime(), PROGRAM
);
178 memcpy(kargs
,argv
+kstart
+1,(kend
-kstart
)*sizeof(char *));
179 kargs
[kend
-kstart
]=NULL
;
181 fprintf(stderr
, "%s| %s: Kerberos command: ", LogTime(), PROGRAM
);
182 for (i
=0; i
<kend
-kstart
; i
++)
183 fprintf(stderr
, "%s ", kargs
[i
]);
184 fprintf(stderr
, "\n");
187 Fork Kerberos helper and NTLM helper and manage IO to send NTLM requests
188 to the right helper. squid must keep session state
191 if (pipe(pkin
) < 0) {
192 fprintf(stderr
, "%s| %s: Could not assign streams for pkin\n", LogTime(), PROGRAM
);
195 if (pipe(pkout
) < 0) {
196 fprintf(stderr
, "%s| %s: Could not assign streams for pkout\n", LogTime(), PROGRAM
);
201 if (( fpid
= vfork()) < 0 ) {
202 fprintf(stderr
, "%s| %s: Failed first fork\n", LogTime(), PROGRAM
);
207 /* First Child for Kerberos helper */
210 dup2(pkin
[0],STDIN_FILENO
);
214 dup2(pkout
[1],STDOUT_FILENO
);
218 setbuf(stdout
, NULL
);
220 execv(kargs
[0], kargs
);
221 fprintf(stderr
, "%s| %s: Failed execv for %s: %s\n", LogTime(), PROGRAM
, kargs
[0], strerror(errno
));
229 if (pipe(pnin
) < 0) {
230 fprintf(stderr
, "%s| %s: Could not assign streams for pnin\n", LogTime(), PROGRAM
);
233 if (pipe(pnout
) < 0) {
234 fprintf(stderr
, "%s| %s: Could not assign streams for pnout\n", LogTime(), PROGRAM
);
238 if (( fpid
= vfork()) < 0 ) {
239 fprintf(stderr
, "%s| %s: Failed second fork\n", LogTime(), PROGRAM
);
244 /* Second Child for NTLM helper */
247 dup2(pnin
[0],STDIN_FILENO
);
251 dup2(pnout
[1],STDOUT_FILENO
);
255 setbuf(stdout
, NULL
);
257 execv(nargs
[0], nargs
);
258 fprintf(stderr
, "%s| %s: Failed execv for %s: %s\n", LogTime(), PROGRAM
, nargs
[0], strerror(errno
));
265 FDKIN
=fdopen(pkin
[1],"w");
266 FDKOUT
=fdopen(pkout
[0],"r");
268 FDNIN
=fdopen(pnin
[1],"w");
269 FDNOUT
=fdopen(pnout
[0],"r");
271 if (!FDKIN
|| !FDKOUT
|| !FDNIN
|| !FDNOUT
) {
272 fprintf(stderr
, "%s| %s: Could not assign streams for FDKIN/FDKOUT/FDNIN/FDNOUT\n", LogTime(), PROGRAM
);
277 setbuf(FDKOUT
, NULL
);
279 setbuf(FDNOUT
, NULL
);
283 if (fgets(buf
, sizeof(buf
) - 1, stdin
) == NULL
) {
287 "%s| %s: fgets() failed! dying..... errno=%d (%s)\n",
288 LogTime(), PROGRAM
, ferror(stdin
),
289 strerror(ferror(stdin
)));
291 fprintf(stdout
, "BH input error\n");
292 return 1; /* BIIG buffer */
294 fprintf(stdout
, "BH input error\n");
297 c
= static_cast<char*>(memchr(buf
, '\n', sizeof(buf
) - 1));
302 fprintf(stderr
, "%s| %s: Got '%s' from squid (length: %d).\n",
303 LogTime(), PROGRAM
, buf
, length
);
306 fprintf(stderr
, "%s| %s: Oversized message\n", LogTime(),
308 fprintf(stdout
, "BH Oversized message\n");
312 if (buf
[0] == '\0') {
314 fprintf(stderr
, "%s| %s: Invalid request\n", LogTime(),
316 fprintf(stdout
, "BH Invalid request\n");
319 if (strlen(buf
) < 2) {
321 fprintf(stderr
, "%s| %s: Invalid request [%s]\n", LogTime(),
323 fprintf(stdout
, "BH Invalid request\n");
326 if (!strncmp(buf
, "QQ", 2)) {
327 fprintf(stdout
, "BH quit command\n");
330 if (strncmp(buf
, "YR", 2) && strncmp(buf
, "KK", 2)) {
332 fprintf(stderr
, "%s| %s: Invalid request [%s]\n", LogTime(),
334 fprintf(stdout
, "BH Invalid request\n");
337 if (strlen(buf
) <= 3) {
339 fprintf(stderr
, "%s| %s: Invalid negotiate request [%s]\n",
340 LogTime(), PROGRAM
, buf
);
341 fprintf(stdout
, "BH Invalid negotiate request\n");
344 length
= base64_decode_len(buf
+3);
346 fprintf(stderr
, "%s| %s: Decode '%s' (decoded length: %d).\n",
347 LogTime(), PROGRAM
, buf
+ 3, (int) length
);
349 if ((token
= (char *)xmalloc(length
)) == NULL
) {
350 fprintf(stderr
, "%s| %s: Error allocating memory for token\n", LogTime(), PROGRAM
);
354 length
= base64_decode(token
, length
, buf
+3);
356 if ((static_cast<size_t>(length
) >= sizeof(ntlmProtocol
) + 1) &&
357 (!memcmp(token
, ntlmProtocol
, sizeof ntlmProtocol
))) {
360 fprintf(stderr
, "%s| %s: received type %d NTLM token\n",
361 LogTime(), PROGRAM
, (int) *((unsigned char *) token
+
362 sizeof ntlmProtocol
));
363 fprintf(FDNIN
, "%s\n",buf
);
364 if (fgets(tbuff
, sizeof(tbuff
) - 1, FDNOUT
) == NULL
) {
365 if (ferror(FDNOUT
)) {
367 "fgets() failed! dying..... errno=%d (%s)\n",
368 ferror(FDNOUT
), strerror(ferror(FDNOUT
)));
371 fprintf(stderr
, "%s| %s: Error reading NTLM helper response\n",
376 Need to translate NTLM reply to Negotiate reply
377 AF user => AF blob user
378 NA reason => NA blob reason
381 if (strlen(tbuff
) >= 3 && (!strncmp(tbuff
,"AF ",3) || !strncmp(tbuff
,"NA ",3))) {
382 strncpy(buff
,tbuff
,3);
384 for (unsigned int i
=2; i
<=strlen(tbuff
); i
++)
385 buff
[i
+2] = tbuff
[i
];
392 fprintf(stderr
, "%s| %s: received Kerberos token\n",
395 fprintf(FDKIN
, "%s\n",buf
);
396 if (fgets(buff
, sizeof(buff
) - 1, FDKOUT
) == NULL
) {
397 if (ferror(FDKOUT
)) {
399 "fgets() failed! dying..... errno=%d (%s)\n",
400 ferror(FDKOUT
), strerror(ferror(FDKOUT
)));
403 fprintf(stderr
, "%s| %s: Error reading Kerberos helper response\n",
408 fprintf(stdout
,"%s",buff
);
410 fprintf(stderr
, "%s| %s: Return '%s'\n",
411 LogTime(), PROGRAM
, buff
);