]>
git.ipfire.org Git - thirdparty/squid.git/blob - helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
10 * -----------------------------------------------------------------------------
12 * Author: Markus Moeller (markus_moeller at compuserve.com)
14 * Copyright (C) 2011 Markus Moeller. All rights reserved.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
30 * -----------------------------------------------------------------------------
47 #if !defined(HAVE_DECL_XMALLOC) || !HAVE_DECL_XMALLOC
48 #define xmalloc malloc
50 #if !defined(HAVE_DECL_XSTRDUP) || !HAVE_DECL_XSTRDUP
51 #define xstrdup strdup
53 #if !defined(HAVE_DECL_XFREE) || !HAVE_DECL_XFREE
58 #define PROGRAM "negotiate_wrapper"
60 #define VERSION "1.0.1"
62 #ifndef MAX_AUTHTOKEN_LEN
63 #define MAX_AUTHTOKEN_LEN 65535
66 static const unsigned char ntlmProtocol
[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
72 static time_t last_t
= 0;
75 gettimeofday(&now
, NULL
);
76 if (now
.tv_sec
!= last_t
) {
77 time_t *tmp
= (time_t *) & now
.tv_sec
;
78 struct tm
*tm
= localtime(tmp
);
79 strftime(buf
, 127, "%Y/%m/%d %H:%M:%S", tm
);
87 fprintf(stderr
, "Usage: \n");
88 fprintf(stderr
, "negotiate_wrapper [-h] [-d] --ntlm ntlm helper + arguments --kerberos kerberos helper + arguments\n");
89 fprintf(stderr
, "-h help\n");
90 fprintf(stderr
, "-d full debug\n");
91 fprintf(stderr
, "--ntlm full ntlm helper path with arguments\n");
92 fprintf(stderr
, "--kerberos full kerberos helper path with arguments\n");
96 main(int argc
, char *const argv
[])
98 char buf
[MAX_AUTHTOKEN_LEN
];
99 char tbuff
[MAX_AUTHTOKEN_LEN
];
100 char buff
[MAX_AUTHTOKEN_LEN
+2];
104 int nstart
= 0, kstart
= 0;
105 int nend
= 0, kend
= 0;
107 char **nargs
, **kargs
;
116 setbuf(stdout
, NULL
);
119 if (argc
==1 || !strncasecmp(argv
[1],"-h",2)) {
125 if (!strncasecmp(argv
[1],"-d",2)) {
130 for (int i
=j
; i
<argc
; ++i
) {
131 if (!strncasecmp(argv
[i
],"--ntlm",6))
133 if (!strncasecmp(argv
[i
],"--kerberos",10))
136 if (nstart
> kstart
) {
143 if (nstart
== 0 || kstart
== 0 || kend
-kstart
<= 0 || nend
-nstart
<= 0 ) {
149 fprintf(stderr
, "%s| %s: Starting version %s\n", LogTime(), PROGRAM
,
152 if ((nargs
= (char **)xmalloc((nend
-nstart
+1)*sizeof(char *))) == NULL
) {
153 fprintf(stderr
, "%s| %s: Error allocating memory for ntlm helper\n", LogTime(), PROGRAM
);
156 memcpy(nargs
,argv
+nstart
+1,(nend
-nstart
)*sizeof(char *));
157 nargs
[nend
-nstart
]=NULL
;
159 fprintf(stderr
, "%s| %s: NTLM command: ", LogTime(), PROGRAM
);
160 for (int i
=0; i
<nend
-nstart
; ++i
)
161 fprintf(stderr
, "%s ", nargs
[i
]);
162 fprintf(stderr
, "\n");
164 if ((kargs
= (char **)xmalloc((kend
-kstart
+1)*sizeof(char *))) == NULL
) {
165 fprintf(stderr
, "%s| %s: Error allocating memory for kerberos helper\n", LogTime(), PROGRAM
);
168 memcpy(kargs
,argv
+kstart
+1,(kend
-kstart
)*sizeof(char *));
169 kargs
[kend
-kstart
]=NULL
;
171 fprintf(stderr
, "%s| %s: Kerberos command: ", LogTime(), PROGRAM
);
172 for (int i
=0; i
<kend
-kstart
; ++i
)
173 fprintf(stderr
, "%s ", kargs
[i
]);
174 fprintf(stderr
, "\n");
177 Fork Kerberos helper and NTLM helper and manage IO to send NTLM requests
178 to the right helper. squid must keep session state
181 if (pipe(pkin
) < 0) {
182 fprintf(stderr
, "%s| %s: Could not assign streams for pkin\n", LogTime(), PROGRAM
);
185 if (pipe(pkout
) < 0) {
186 fprintf(stderr
, "%s| %s: Could not assign streams for pkout\n", LogTime(), PROGRAM
);
190 if (( fpid
= vfork()) < 0 ) {
191 fprintf(stderr
, "%s| %s: Failed first fork\n", LogTime(), PROGRAM
);
196 /* First Child for Kerberos helper */
199 dup2(pkin
[0],STDIN_FILENO
);
203 dup2(pkout
[1],STDOUT_FILENO
);
207 setbuf(stdout
, NULL
);
209 execv(kargs
[0], kargs
);
210 fprintf(stderr
, "%s| %s: Failed execv for %s: %s\n", LogTime(), PROGRAM
, kargs
[0], strerror(errno
));
218 if (pipe(pnin
) < 0) {
219 fprintf(stderr
, "%s| %s: Could not assign streams for pnin\n", LogTime(), PROGRAM
);
222 if (pipe(pnout
) < 0) {
223 fprintf(stderr
, "%s| %s: Could not assign streams for pnout\n", LogTime(), PROGRAM
);
227 if (( fpid
= vfork()) < 0 ) {
228 fprintf(stderr
, "%s| %s: Failed second fork\n", LogTime(), PROGRAM
);
233 /* Second Child for NTLM helper */
236 dup2(pnin
[0],STDIN_FILENO
);
240 dup2(pnout
[1],STDOUT_FILENO
);
244 setbuf(stdout
, NULL
);
246 execv(nargs
[0], nargs
);
247 fprintf(stderr
, "%s| %s: Failed execv for %s: %s\n", LogTime(), PROGRAM
, nargs
[0], strerror(errno
));
254 FDKIN
=fdopen(pkin
[1],"w");
255 FDKOUT
=fdopen(pkout
[0],"r");
257 FDNIN
=fdopen(pnin
[1],"w");
258 FDNOUT
=fdopen(pnout
[0],"r");
260 if (!FDKIN
|| !FDKOUT
|| !FDNIN
|| !FDNOUT
) {
261 fprintf(stderr
, "%s| %s: Could not assign streams for FDKIN/FDKOUT/FDNIN/FDNOUT\n", LogTime(), PROGRAM
);
266 setbuf(FDKOUT
, NULL
);
268 setbuf(FDNOUT
, NULL
);
271 if (fgets(buf
, sizeof(buf
) - 1, stdin
) == NULL
) {
275 "%s| %s: fgets() failed! dying..... errno=%d (%s)\n",
276 LogTime(), PROGRAM
, ferror(stdin
),
277 strerror(ferror(stdin
)));
279 fprintf(stdout
, "BH input error\n");
280 return 1; /* BIIG buffer */
282 fprintf(stdout
, "BH input error\n");
285 c
= static_cast<char*>(memchr(buf
, '\n', sizeof(buf
) - 1));
290 fprintf(stderr
, "%s| %s: Got '%s' from squid (length: %d).\n",
291 LogTime(), PROGRAM
, buf
, length
);
294 fprintf(stderr
, "%s| %s: Oversized message\n", LogTime(),
296 fprintf(stdout
, "BH Oversized message\n");
300 if (buf
[0] == '\0') {
302 fprintf(stderr
, "%s| %s: Invalid request\n", LogTime(),
304 fprintf(stdout
, "BH Invalid request\n");
307 if (strlen(buf
) < 2) {
309 fprintf(stderr
, "%s| %s: Invalid request [%s]\n", LogTime(),
311 fprintf(stdout
, "BH Invalid request\n");
314 if (!strncmp(buf
, "QQ", 2)) {
315 fprintf(stdout
, "BH quit command\n");
318 if (strncmp(buf
, "YR", 2) && strncmp(buf
, "KK", 2)) {
320 fprintf(stderr
, "%s| %s: Invalid request [%s]\n", LogTime(),
322 fprintf(stdout
, "BH Invalid request\n");
325 if (strlen(buf
) <= 3) {
327 fprintf(stderr
, "%s| %s: Invalid negotiate request [%s]\n",
328 LogTime(), PROGRAM
, buf
);
329 fprintf(stdout
, "BH Invalid negotiate request\n");
332 length
= base64_decode_len(buf
+3);
334 fprintf(stderr
, "%s| %s: Decode '%s' (decoded length: %d).\n",
335 LogTime(), PROGRAM
, buf
+ 3, (int) length
);
337 if ((token
= (char *)xmalloc(length
)) == NULL
) {
338 fprintf(stderr
, "%s| %s: Error allocating memory for token\n", LogTime(), PROGRAM
);
342 length
= base64_decode(token
, length
, buf
+3);
344 if ((static_cast<size_t>(length
) >= sizeof(ntlmProtocol
) + 1) &&
345 (!memcmp(token
, ntlmProtocol
, sizeof ntlmProtocol
))) {
348 fprintf(stderr
, "%s| %s: received type %d NTLM token\n",
349 LogTime(), PROGRAM
, (int) *((unsigned char *) token
+
350 sizeof ntlmProtocol
));
351 fprintf(FDNIN
, "%s\n",buf
);
352 if (fgets(tbuff
, sizeof(tbuff
) - 1, FDNOUT
) == NULL
) {
353 if (ferror(FDNOUT
)) {
355 "fgets() failed! dying..... errno=%d (%s)\n",
356 ferror(FDNOUT
), strerror(ferror(FDNOUT
)));
359 fprintf(stderr
, "%s| %s: Error reading NTLM helper response\n",
364 Need to translate NTLM reply to Negotiate reply
365 AF user => AF blob user
366 NA reason => NA blob reason
369 if (strlen(tbuff
) >= 3 && (!strncmp(tbuff
,"AF ",3) || !strncmp(tbuff
,"NA ",3))) {
370 strncpy(buff
,tbuff
,3);
372 for (unsigned int i
=2; i
<=strlen(tbuff
); ++i
)
373 buff
[i
+2] = tbuff
[i
];
380 fprintf(stderr
, "%s| %s: received Kerberos token\n",
383 fprintf(FDKIN
, "%s\n",buf
);
384 if (fgets(buff
, sizeof(buff
) - 1, FDKOUT
) == NULL
) {
385 if (ferror(FDKOUT
)) {
387 "fgets() failed! dying..... errno=%d (%s)\n",
388 ferror(FDKOUT
), strerror(ferror(FDKOUT
)));
391 fprintf(stderr
, "%s| %s: Error reading Kerberos helper response\n",
396 fprintf(stdout
,"%s",buff
);
398 fprintf(stderr
, "%s| %s: Return '%s'\n",
399 LogTime(), PROGRAM
, buff
);