4 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
5 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
6 * AUTHOR: Guido Serassio: <guido.serassio@acmeconsulting.it>
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
11 * Squid is the result of efforts by numerous individuals from
12 * the Internet community; see the CONTRIBUTORS file for full
13 * details. Many organizations have provided support for Squid's
14 * development; see the SPONSORS file for full details. Squid is
15 * Copyrighted (C) 2001 by the Regents of the University of
16 * California; see the COPYRIGHT file for full details. Squid
17 * incorporates software developed and/or copyrighted by other
18 * sources; see the CREDITS file for full details.
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License as published by
22 * the Free Software Foundation; either version 2 of the License, or
23 * (at your option) any later version.
25 * This program is distributed in the hope that it will be useful,
26 * but WITHOUT ANY WARRANTY; without even the implied warranty of
27 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28 * GNU General Public License for more details.
30 * You should have received a copy of the GNU General Public License
31 * along with this program; if not, write to the Free Software
32 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
36 * Example ntlm authentication program for Squid, based on the
37 * original proxy_auth code from client_side.c, written by
38 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
39 * Andrew Doran <ad@interlude.eu.org>.
41 * This code gets the username and returns it. No validation is done.
42 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
45 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
47 * - Added negotiation of UNICODE char support
48 * - More detailed debugging info
52 /* undefine this to have strict protocol adherence. You don't really need
54 #define IGNORANCE_IS_BLISS
57 #include "libntlmauth/ntlmauth.h"
58 #include "libntlmauth/support_bits.cci"
77 /* A couple of harmless helper macros */
78 #define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
80 #define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
81 #define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
83 /* no gcc, no debugging. varargs macros are a gcc extension */
84 #define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
85 #define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
91 #define BUFFER_SIZE 10240
93 const char *authenticate_ntlm_domain
= "WORKGROUP";
94 int strip_domain_enabled
= 0;
95 int NTLM_packet_debug_enabled
= 0;
99 * -d enable debugging.
100 * -v enable verbose NTLM packet debugging.
101 * -l if specified, changes behavior on failures to last-ditch.
103 char *my_program_name
= NULL
;
109 "Usage: %s [-d] [-v] [-h]\n"
110 " -d enable debugging.\n"
111 " -S strip domain from username.\n"
112 " -v enable verbose NTLM packet debugging.\n"
113 " -h this message\n\n",
118 process_options(int argc
, char *argv
[])
120 int opt
, had_error
= 0;
123 while (-1 != (opt
= getopt(argc
, argv
, "hdvS"))) {
130 NTLM_packet_debug_enabled
= 1;
133 strip_domain_enabled
= 1;
140 /* fall thru to default */
142 fprintf(stderr
, "unknown option: -%c. Exiting\n", opt
);
152 main(int argc
, char *argv
[])
154 char buf
[BUFFER_SIZE
];
156 char user
[NTLM_MAX_FIELD_LENGTH
], domain
[NTLM_MAX_FIELD_LENGTH
];
158 ntlmhdr
*packet
= NULL
;
159 char helper_command
[3];
163 setbuf(stdout
, NULL
);
164 setbuf(stderr
, NULL
);
166 my_program_name
= argv
[0];
168 process_options(argc
, argv
);
170 debug("%s build " __DATE__
", " __TIME__
" starting up...\n", my_program_name
);
172 while (fgets(buf
, BUFFER_SIZE
, stdin
) != NULL
) {
173 user
[0] = '\0'; /*no user code */
174 domain
[0] = '\0'; /*no domain code */
176 if ((p
= strchr(buf
, '\n')) != NULL
)
177 *p
= '\0'; /* strip \n */
178 buflen
= strlen(buf
); /* keep this so we only scan the buffer for \0 once per loop */
180 packet
= (ntlmhdr
*)base64_decode(buf
+ 3);
181 if (buflen
> 3 && NTLM_packet_debug_enabled
) {
182 strncpy(helper_command
, buf
, 2);
183 helper_command
[2] = '\0';
184 debug("Got '%s' from Squid with data:\n", helper_command
);
185 hex_dump((unsigned char*)packet
, ((buflen
- 3) * 3) / 4);
187 debug("Got '%s' from Squid\n", buf
);
189 if (strncasecmp(buf
, "YR", 2) == 0) {
190 char nonce
[NTLM_NONCE_LEN
];
192 ntlm_make_nonce(nonce
);
194 ntlm_negotiate
*nego
= (ntlm_negotiate
*)packet
;
195 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, nego
->flags
);
197 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, NTLM_NEGOTIATE_ASCII
);
199 // TODO: find out what this context means, and why only the fake auth helper contains it.
200 chal
.context_high
= htole32(0x003a<<16);
202 len
= sizeof(chal
) - sizeof(chal
.payload
) + le16toh(chal
.target
.maxlen
);
203 data
= (char *) base64_encode_bin((char *) &chal
, len
);
204 if (NTLM_packet_debug_enabled
) {
205 printf("TT %s\n", data
);
206 debug("sending 'TT' to squid with data:\n");
207 hex_dump((unsigned char *)&chal
, len
);
209 SEND2("TT %s", data
);
210 } else if (strncasecmp(buf
, "KK ", 3) == 0) {
212 SEND("BH received KK with no data! user=");
213 } else if (ntlm_validate_packet(packet
, NTLM_AUTHENTICATE
) == NTLM_ERR_NONE
) {
214 if (ntlm_unpack_auth((ntlm_authenticate
*)packet
, user
, domain
, (buflen
-3)) == NTLM_ERR_NONE
) {
217 if (strip_domain_enabled
) {
218 SEND2("AF %s", user
);
220 SEND3("AF %s%s%s", domain
, (*domain
?"\\":""), user
);
225 SEND3("NA invalid credentials, user=%s%s%s", domain
, (*domain
?"\\":""), user
);
228 SEND("BH wrong packet type! user=");