4 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
5 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
6 * AUTHOR: Guido Serassio: <guido.serassio@acmeconsulting.it>
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
11 * Squid is the result of efforts by numerous individuals from
12 * the Internet community; see the CONTRIBUTORS file for full
13 * details. Many organizations have provided support for Squid's
14 * development; see the SPONSORS file for full details. Squid is
15 * Copyrighted (C) 2001 by the Regents of the University of
16 * California; see the COPYRIGHT file for full details. Squid
17 * incorporates software developed and/or copyrighted by other
18 * sources; see the CREDITS file for full details.
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License as published by
22 * the Free Software Foundation; either version 2 of the License, or
23 * (at your option) any later version.
25 * This program is distributed in the hope that it will be useful,
26 * but WITHOUT ANY WARRANTY; without even the implied warranty of
27 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28 * GNU General Public License for more details.
30 * You should have received a copy of the GNU General Public License
31 * along with this program; if not, write to the Free Software
32 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
36 * Example ntlm authentication program for Squid, based on the
37 * original proxy_auth code from client_side.c, written by
38 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
39 * Andrew Doran <ad@interlude.eu.org>.
41 * This code gets the username and returns it. No validation is done.
42 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
45 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
47 * - Added negotiation of UNICODE char support
48 * - More detailed debugging info
52 /* undefine this to have strict protocol adherence. You don't really need
54 #define IGNORANCE_IS_BLISS
58 #include "helpers/defines.h"
59 #include "ntlmauth/ntlmauth.h"
60 #include "ntlmauth/support_bits.cci"
79 /* A couple of harmless helper macros */
80 #define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
82 #define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
83 #define SEND4(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
85 /* no gcc, no debugging. varargs macros are a gcc extension */
86 #define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
87 #define SEND4(X,Y,Z,W) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
90 const char *authenticate_ntlm_domain
= "WORKGROUP";
91 int strip_domain_enabled
= 0;
92 int NTLM_packet_debug_enabled
= 0;
96 * -d enable debugging.
97 * -v enable verbose NTLM packet debugging.
98 * -l if specified, changes behavior on failures to last-ditch.
100 char *my_program_name
= NULL
;
106 "Usage: %s [-d] [-v] [-h]\n"
107 " -d enable debugging.\n"
108 " -S strip domain from username.\n"
109 " -v enable verbose NTLM packet debugging.\n"
110 " -h this message\n\n",
115 process_options(int argc
, char *argv
[])
117 int opt
, had_error
= 0;
120 while (-1 != (opt
= getopt(argc
, argv
, "hdvS"))) {
127 NTLM_packet_debug_enabled
= 1;
130 strip_domain_enabled
= 1;
137 /* fall thru to default */
139 fprintf(stderr
, "unknown option: -%c. Exiting\n", opt
);
149 main(int argc
, char *argv
[])
151 char buf
[HELPER_INPUT_BUFFER
];
153 char user
[NTLM_MAX_FIELD_LENGTH
], domain
[NTLM_MAX_FIELD_LENGTH
];
155 ntlmhdr
*packet
= NULL
;
156 char helper_command
[3];
160 setbuf(stdout
, NULL
);
161 setbuf(stderr
, NULL
);
163 my_program_name
= argv
[0];
165 process_options(argc
, argv
);
167 debug("%s build " __DATE__
", " __TIME__
" starting up...\n", my_program_name
);
169 while (fgets(buf
, HELPER_INPUT_BUFFER
, stdin
) != NULL
) {
170 user
[0] = '\0'; /*no user code */
171 domain
[0] = '\0'; /*no domain code */
173 if ((p
= strchr(buf
, '\n')) != NULL
)
174 *p
= '\0'; /* strip \n */
175 buflen
= strlen(buf
); /* keep this so we only scan the buffer for \0 once per loop */
177 packet
= (ntlmhdr
*)base64_decode(buf
+ 3);
178 if (buflen
> 3 && NTLM_packet_debug_enabled
) {
179 strncpy(helper_command
, buf
, 2);
180 helper_command
[2] = '\0';
181 debug("Got '%s' from Squid with data:\n", helper_command
);
182 hex_dump((unsigned char*)packet
, ((buflen
- 3) * 3) / 4);
184 debug("Got '%s' from Squid\n", buf
);
186 if (strncasecmp(buf
, "YR", 2) == 0) {
187 char nonce
[NTLM_NONCE_LEN
];
189 ntlm_make_nonce(nonce
);
191 ntlm_negotiate
*nego
= (ntlm_negotiate
*)packet
;
192 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, nego
->flags
);
194 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, NTLM_NEGOTIATE_ASCII
);
196 // TODO: find out what this context means, and why only the fake auth helper contains it.
197 chal
.context_high
= htole32(0x003a<<16);
199 len
= sizeof(chal
) - sizeof(chal
.payload
) + le16toh(chal
.target
.maxlen
);
200 data
= (char *) base64_encode_bin((char *) &chal
, len
);
201 if (NTLM_packet_debug_enabled
) {
202 printf("TT %s\n", data
);
203 debug("sending 'TT' to squid with data:\n");
204 hex_dump((unsigned char *)&chal
, len
);
206 SEND2("TT %s", data
);
207 } else if (strncasecmp(buf
, "KK ", 3) == 0) {
209 SEND("BH received KK with no data! user=");
210 } else if (ntlm_validate_packet(packet
, NTLM_AUTHENTICATE
) == NTLM_ERR_NONE
) {
211 if (ntlm_unpack_auth((ntlm_authenticate
*)packet
, user
, domain
, (buflen
-3)) == NTLM_ERR_NONE
) {
214 if (strip_domain_enabled
) {
215 SEND2("AF %s", user
);
217 SEND4("AF %s%s%s", domain
, (*domain
?"\\":""), user
);
222 SEND4("NA invalid credentials, user=%s%s%s", domain
, (*domain
?"\\":""), user
);
225 SEND("BH wrong packet type! user=");