2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
10 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
11 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
12 * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
16 * Example ntlm authentication program for Squid, based on the
17 * original proxy_auth code from client_side.c, written by
18 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
19 * Andrew Doran <ad@interlude.eu.org>.
21 * This code gets the username and returns it. No validation is done.
22 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
25 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
27 * - Added negotiation of UNICODE char support
28 * - More detailed debugging info
32 /* undefine this to have strict protocol adherence. You don't really need
34 #define IGNORANCE_IS_BLISS
38 #include "helpers/defines.h"
39 #include "ntlmauth/ntlmauth.h"
40 #include "ntlmauth/support_bits.cci"
60 /* A couple of harmless helper macros */
61 #define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
63 #define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
64 #define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
65 #define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
67 /* no gcc, no debugging. varargs macros are a gcc extension */
68 #define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
69 #define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
70 #define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
73 const char *authenticate_ntlm_domain
= "WORKGROUP";
74 int strip_domain_enabled
= 0;
75 int NTLM_packet_debug_enabled
= 0;
79 * -d enable debugging.
80 * -v enable verbose NTLM packet debugging.
81 * -l if specified, changes behavior on failures to last-ditch.
83 char *my_program_name
= NULL
;
89 "Usage: %s [-d] [-v] [-h]\n"
90 " -d enable debugging.\n"
91 " -S strip domain from username.\n"
92 " -v enable verbose NTLM packet debugging.\n"
93 " -h this message\n\n",
98 process_options(int argc
, char *argv
[])
100 int opt
, had_error
= 0;
103 while (-1 != (opt
= getopt(argc
, argv
, "hdvS"))) {
110 NTLM_packet_debug_enabled
= 1;
113 strip_domain_enabled
= 1;
120 /* fall thru to default */
122 fprintf(stderr
, "unknown option: -%c. Exiting\n", opt
);
132 main(int argc
, char *argv
[])
134 char buf
[HELPER_INPUT_BUFFER
];
136 uint8_t decodedBuf
[HELPER_INPUT_BUFFER
];
138 char user
[NTLM_MAX_FIELD_LENGTH
], domain
[NTLM_MAX_FIELD_LENGTH
];
140 ntlmhdr
*packet
= NULL
;
141 char helper_command
[3];
144 setbuf(stdout
, NULL
);
145 setbuf(stderr
, NULL
);
147 my_program_name
= argv
[0];
149 process_options(argc
, argv
);
151 debug("%s build " __DATE__
", " __TIME__
" starting up...\n", my_program_name
);
153 while (fgets(buf
, HELPER_INPUT_BUFFER
, stdin
) != NULL
) {
154 user
[0] = '\0'; /*no user code */
155 domain
[0] = '\0'; /*no domain code */
157 if ((p
= strchr(buf
, '\n')) != NULL
)
158 *p
= '\0'; /* strip \n */
159 buflen
= strlen(buf
); /* keep this so we only scan the buffer for \0 once per loop */
160 struct base64_decode_ctx ctx
;
161 base64_decode_init(&ctx
);
164 base64_decode_update(&ctx
, &dstLen
, decodedBuf
, buflen
-3, reinterpret_cast<const uint8_t*>(buf
+3)) &&
165 base64_decode_final(&ctx
)) {
167 packet
= (ntlmhdr
*)decodedBuf
;
173 if (buflen
> 3 && NTLM_packet_debug_enabled
) {
174 strncpy(helper_command
, buf
, 2);
175 helper_command
[2] = '\0';
176 debug("Got '%s' from Squid with data:\n", helper_command
);
177 hex_dump((unsigned char *)decodedBuf
, decodedLen
);
179 debug("Got '%s' from Squid\n", buf
);
181 if (strncmp(buf
, "YR", 2) == 0) {
182 char nonce
[NTLM_NONCE_LEN
];
184 ntlm_make_nonce(nonce
);
186 ntlm_negotiate
*nego
= (ntlm_negotiate
*)packet
;
187 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, nego
->flags
);
189 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, NTLM_NEGOTIATE_ASCII
);
191 // TODO: find out what this context means, and why only the fake auth helper contains it.
192 chal
.context_high
= htole32(0x003a<<16);
194 len
= sizeof(chal
) - sizeof(chal
.payload
) + le16toh(chal
.target
.maxlen
);
196 struct base64_encode_ctx eCtx
;
197 base64_encode_init(&eCtx
);
198 uint8_t *data
= (uint8_t*)xcalloc(base64_encode_len(len
), 1);
199 size_t blen
= base64_encode_update(&eCtx
, data
, len
, reinterpret_cast<uint8_t*>(&chal
));
200 blen
+= base64_encode_final(&eCtx
, data
+blen
);
201 if (NTLM_packet_debug_enabled
) {
202 printf("TT %.*s\n", (int)blen
, data
);
203 debug("sending 'TT' to squid with data:\n");
204 hex_dump((unsigned char *)&chal
, len
);
206 SEND3("TT %.*s", (int)blen
, data
);
209 } else if (strncmp(buf
, "KK ", 3) == 0) {
211 SEND("BH received KK with no data! user=");
212 } else if (ntlm_validate_packet(packet
, NTLM_AUTHENTICATE
) == NTLM_ERR_NONE
) {
213 if (ntlm_unpack_auth((ntlm_authenticate
*)packet
, user
, domain
, decodedLen
) == NTLM_ERR_NONE
) {
215 if (strip_domain_enabled
) {
216 SEND2("AF %s", user
);
218 SEND4("AF %s%s%s", domain
, (*domain
?"\\":""), user
);
222 SEND4("NA invalid credentials, user=%s%s%s", domain
, (*domain
?"\\":""), user
);
225 SEND("BH wrong packet type! user=");