2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
10 * negotiate_sspi_auth: helper for Negotiate Authentication for Squid Cache
12 * (C)2005 Guido Serassio - Acme Consulting S.r.l.
15 * Guido Serassio <guido.serassio@acmeconsulting.it>
16 * Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
18 * With contributions from others mentioned in the change history section
21 * Based on previous work of Francesco Chemolli and Robert Collins.
23 * Dependencies: Windows 2000 and later.
25 * This program is free software; you can redistribute it and/or modify
26 * it under the terms of the GNU General Public License as published by
27 * the Free Software Foundation; either version 2 of the License, or
28 * (at your option) any later version.
30 * This program is distributed in the hope that it will be useful,
31 * but WITHOUT ANY WARRANTY; without even the implied warranty of
32 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33 * GNU General Public License for more details.
35 * You should have received a copy of the GNU General Public License
36 * along with this program; if not, write to the Free Software
37 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
42 * 29-10-2005 Guido Serassio
48 #include "helper/protocol_defines.h"
49 #include "ntlmauth/ntlmauth.h"
50 #include "ntlmauth/support_bits.cci"
64 int Negotiate_packet_debug_enabled
= 0;
65 static int have_serverblob
;
67 /* A couple of harmless helper macros */
68 #define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
70 #define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
71 #define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
73 /* no gcc, no debugging. varargs macros are a gcc extension */
74 #define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
75 #define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
78 char *negotiate_check_auth(SSP_blobP auth
, int auth_length
);
82 * -d enable debugging.
83 * -v enable verbose Negotiate packet debugging.
85 char *my_program_name
= NULL
;
91 "Usage: %s [-d] [-v] [-h]\n"
92 " -d enable debugging.\n"
93 " -v enable verbose Negotiate packet debugging.\n"
94 " -h this message\n\n",
99 process_options(int argc
, char *argv
[])
101 int opt
, had_error
= 0;
104 while (-1 != (opt
= getopt(argc
, argv
, "hdv"))) {
111 Negotiate_packet_debug_enabled
= 1;
118 /* fall thru to default */
120 fprintf(stderr
, "ERROR: unknown option: -%c. Exiting\n", opt
);
130 token_decode(size_t *decodedLen
, uint8_t decoded
[], const char *buf
)
132 struct base64_decode_ctx ctx
;
133 base64_decode_init(&ctx
);
134 if (!base64_decode_update(&ctx
, decodedLen
, decoded
, strlen(buf
), reinterpret_cast<const uint8_t*>(buf
)) ||
135 !base64_decode_final(&ctx
)) {
136 SEND("BH base64 decode failed");
137 fprintf(stderr
, "ERROR: base64 decoding failed for: '%s'\n", buf
);
146 char buf
[HELPER_INPUT_BUFFER
];
147 uint8_t decoded
[HELPER_INPUT_BUFFER
];
148 size_t decodedLen
= 0;
149 char helper_command
[3];
154 static char cred
[SSP_MAX_CRED_LEN
+ 1];
158 if (fgets(buf
, HELPER_INPUT_BUFFER
, stdin
))
161 c
= static_cast<char*>(memchr(buf
, '\n', HELPER_INPUT_BUFFER
));
164 SEND("BH illegal request received");
165 fprintf(stderr
, "ERROR: Illegal request received: '%s'\n", buf
);
170 fprintf(stderr
, "No newline in '%s'\n", buf
);
175 if ((strlen(buf
) > 3) && Negotiate_packet_debug_enabled
) {
176 if (!token_decode(&decodedLen
, decoded
, buf
+3))
178 strncpy(helper_command
, buf
, 2);
179 debug("Got '%s' from Squid with data:\n", helper_command
);
180 hex_dump(reinterpret_cast<unsigned char*>(decoded
), decodedLen
);
182 debug("Got '%s' from Squid\n", buf
);
184 if (memcmp(buf
, "YR ", 3) == 0) { /* refresh-request */
185 /* figure out what we got */
186 if (!decodedLen
/* already decoded */ && !token_decode(&decodedLen
, decoded
, buf
+3))
188 if (decodedLen
< sizeof(ntlmhdr
)) { /* decoding failure, return error */
189 SEND("NA * Packet format error");
192 /* Obtain server blob against SSPI */
193 c
= (char *) SSP_MakeNegotiateBlob(decoded
, decodedLen
, &Done
, &status
, cred
);
195 if (status
== SSP_OK
) {
197 lc(cred
); /* let's lowercase them for our convenience */
200 if (Negotiate_packet_debug_enabled
) {
201 if (!token_decode(&decodedLen
, decoded
, c
))
203 debug("sending 'AF' %s to squid with data:\n", cred
);
205 hex_dump(reinterpret_cast<unsigned char*>(decoded
), decodedLen
);
207 fprintf(stderr
, "No data available.\n");
208 printf("AF %s %s\n", c
, cred
);
210 SEND3("AF %s %s", c
, cred
);
212 if (Negotiate_packet_debug_enabled
) {
213 if (!token_decode(&decodedLen
, decoded
, c
))
215 debug("sending 'TT' to squid with data:\n");
216 hex_dump(reinterpret_cast<unsigned char*>(decoded
), decodedLen
);
217 printf("TT %s\n", c
);
224 SEND("BH can't obtain server blob");
227 if (memcmp(buf
, "KK ", 3) == 0) { /* authenticate-request */
228 if (!have_serverblob
) {
229 SEND("BH invalid server blob");
232 /* figure out what we got */
233 if (!decodedLen
/* already decoded */ && !token_decode(&decodedLen
, decoded
, buf
+3))
235 if (decodedLen
< sizeof(ntlmhdr
)) { /* decoding failure, return error */
236 SEND("NA * Packet format error");
239 /* check against SSPI */
240 c
= (char *) SSP_ValidateNegotiateCredentials(decoded
, decodedLen
, &Done
, &status
, cred
);
242 if (status
== SSP_ERROR
) {
243 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER
| FORMAT_MESSAGE_FROM_SYSTEM
|
244 FORMAT_MESSAGE_IGNORE_INSERTS
,
247 MAKELANGID(LANG_NEUTRAL
, SUBLANG_DEFAULT
), /* Default language */
248 (LPTSTR
) & ErrorMessage
,
251 if (ErrorMessage
[strlen(ErrorMessage
) - 1] == '\n')
252 ErrorMessage
[strlen(ErrorMessage
) - 1] = '\0';
253 if (ErrorMessage
[strlen(ErrorMessage
) - 1] == '\r')
254 ErrorMessage
[strlen(ErrorMessage
) - 1] = '\0';
255 SEND2("NA * %s", ErrorMessage
);
256 LocalFree(ErrorMessage
);
260 lc(cred
); /* let's lowercase them for our convenience */
263 if (Negotiate_packet_debug_enabled
) {
264 if (!token_decode(&decodedLen
, decoded
, c
))
266 debug("sending 'AF' %s to squid with data:\n", cred
);
268 hex_dump(reinterpret_cast<unsigned char*>(decoded
), decodedLen
);
270 fprintf(stderr
, "No data available.\n");
271 printf("AF %s %s\n", c
, cred
);
273 SEND3("AF %s %s", c
, cred
);
277 if (Negotiate_packet_debug_enabled
) {
278 if (!token_decode(&decodedLen
, decoded
, c
))
280 debug("sending 'TT' to squid with data:\n");
281 hex_dump(reinterpret_cast<unsigned char*>(decoded
), decodedLen
);
282 printf("TT %s\n", c
);
288 } else { /* not an auth-request */
289 SEND("BH illegal request received");
290 fprintf(stderr
, "Illegal request received: '%s'\n", buf
);
293 SEND("BH detected protocol error");
295 /********* END ********/
299 main(int argc
, char *argv
[])
301 my_program_name
= argv
[0];
303 process_options(argc
, argv
);
305 debug("%s " VERSION
" " SQUID_BUILD_INFO
" starting up...\n", my_program_name
);
307 if (LoadSecurityDll(SSP_NTLM
, NEGOTIATE_PACKAGE_NAME
) == NULL
) {
308 fprintf(stderr
, "FATAL: %s: can't initialize SSPI, exiting.\n", argv
[0]);
311 debug("SSPI initialized OK\n");
313 atexit(UnloadSecurityDll
);
315 /* initialize FDescs */
316 setbuf(stdout
, NULL
);
317 setbuf(stderr
, NULL
);
319 while (manage_request()) {
320 /* everything is done within manage_request */