4 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
5 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
6 * AUTHOR: Guido Serassio: <guido.serassio@acmeconsulting.it>
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
11 * Squid is the result of efforts by numerous individuals from
12 * the Internet community; see the CONTRIBUTORS file for full
13 * details. Many organizations have provided support for Squid's
14 * development; see the SPONSORS file for full details. Squid is
15 * Copyrighted (C) 2001 by the Regents of the University of
16 * California; see the COPYRIGHT file for full details. Squid
17 * incorporates software developed and/or copyrighted by other
18 * sources; see the CREDITS file for full details.
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License as published by
22 * the Free Software Foundation; either version 2 of the License, or
23 * (at your option) any later version.
25 * This program is distributed in the hope that it will be useful,
26 * but WITHOUT ANY WARRANTY; without even the implied warranty of
27 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28 * GNU General Public License for more details.
30 * You should have received a copy of the GNU General Public License
31 * along with this program; if not, write to the Free Software
32 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
36 * Example ntlm authentication program for Squid, based on the
37 * original proxy_auth code from client_side.c, written by
38 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
39 * Andrew Doran <ad@interlude.eu.org>.
41 * This code gets the username and returns it. No validation is done.
42 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
45 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
47 * - Added negotiation of UNICODE char support
48 * - More detailed debugging info
52 /* undefine this to have strict protocol adherence. You don't really need
54 #define IGNORANCE_IS_BLISS
58 #include "helpers/defines.h"
59 #include "ntlmauth/ntlmauth.h"
60 #include "ntlmauth/support_bits.cci"
88 /* A couple of harmless helper macros */
89 #define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
91 #define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
92 #define SEND4(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
94 /* no gcc, no debugging. varargs macros are a gcc extension */
95 #define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
96 #define SEND4(X,Y,Z,W) debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);
99 const char *authenticate_ntlm_domain
= "WORKGROUP";
100 int strip_domain_enabled
= 0;
101 int NTLM_packet_debug_enabled
= 0;
105 * -d enable debugging.
106 * -v enable verbose NTLM packet debugging.
107 * -l if specified, changes behavior on failures to last-ditch.
109 char *my_program_name
= NULL
;
115 "Usage: %s [-d] [-v] [-h]\n"
116 " -d enable debugging.\n"
117 " -S strip domain from username.\n"
118 " -v enable verbose NTLM packet debugging.\n"
119 " -h this message\n\n",
124 process_options(int argc
, char *argv
[])
126 int opt
, had_error
= 0;
129 while (-1 != (opt
= getopt(argc
, argv
, "hdvS"))) {
136 NTLM_packet_debug_enabled
= 1;
139 strip_domain_enabled
= 1;
146 /* fall thru to default */
148 fprintf(stderr
, "unknown option: -%c. Exiting\n", opt
);
158 main(int argc
, char *argv
[])
160 char buf
[HELPER_INPUT_BUFFER
];
162 char decodedBuf
[HELPER_INPUT_BUFFER
];
164 char user
[NTLM_MAX_FIELD_LENGTH
], domain
[NTLM_MAX_FIELD_LENGTH
];
166 ntlmhdr
*packet
= NULL
;
167 char helper_command
[3];
171 setbuf(stdout
, NULL
);
172 setbuf(stderr
, NULL
);
174 my_program_name
= argv
[0];
176 process_options(argc
, argv
);
178 debug("%s build " __DATE__
", " __TIME__
" starting up...\n", my_program_name
);
180 while (fgets(buf
, HELPER_INPUT_BUFFER
, stdin
) != NULL
) {
181 user
[0] = '\0'; /*no user code */
182 domain
[0] = '\0'; /*no domain code */
184 if ((p
= strchr(buf
, '\n')) != NULL
)
185 *p
= '\0'; /* strip \n */
186 buflen
= strlen(buf
); /* keep this so we only scan the buffer for \0 once per loop */
188 decodedLen
= base64_decode(decodedBuf
, sizeof(decodedBuf
), buf
+3);
189 packet
= (ntlmhdr
*)decodedBuf
;
194 if (buflen
> 3 && NTLM_packet_debug_enabled
) {
195 strncpy(helper_command
, buf
, 2);
196 helper_command
[2] = '\0';
197 debug("Got '%s' from Squid with data:\n", helper_command
);
198 hex_dump((unsigned char *)decodedBuf
, decodedLen
);
200 debug("Got '%s' from Squid\n", buf
);
202 if (strncmp(buf
, "YR", 2) == 0) {
203 char nonce
[NTLM_NONCE_LEN
];
205 ntlm_make_nonce(nonce
);
207 ntlm_negotiate
*nego
= (ntlm_negotiate
*)packet
;
208 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, nego
->flags
);
210 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, NTLM_NEGOTIATE_ASCII
);
212 // TODO: find out what this context means, and why only the fake auth helper contains it.
213 chal
.context_high
= htole32(0x003a<<16);
215 len
= sizeof(chal
) - sizeof(chal
.payload
) + le16toh(chal
.target
.maxlen
);
216 data
= (char *) base64_encode_bin((char *) &chal
, len
);
217 if (NTLM_packet_debug_enabled
) {
218 printf("TT %s\n", data
);
219 debug("sending 'TT' to squid with data:\n");
220 hex_dump((unsigned char *)&chal
, len
);
222 SEND2("TT %s", data
);
223 } else if (strncmp(buf
, "KK ", 3) == 0) {
225 SEND("BH received KK with no data! user=");
226 } else if (ntlm_validate_packet(packet
, NTLM_AUTHENTICATE
) == NTLM_ERR_NONE
) {
227 if (ntlm_unpack_auth((ntlm_authenticate
*)packet
, user
, domain
, decodedLen
) == NTLM_ERR_NONE
) {
230 if (strip_domain_enabled
) {
231 SEND2("AF %s", user
);
233 SEND4("AF %s%s%s", domain
, (*domain
?"\\":""), user
);
238 SEND4("NA invalid credentials, user=%s%s%s", domain
, (*domain
?"\\":""), user
);
241 SEND("BH wrong packet type! user=");