]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/ntlm/auth_ntlm.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Summary: Final MSVC fixups.
[thirdparty/squid.git] / src / auth / ntlm / auth_ntlm.cc
1
2 /*
3 * $Id: auth_ntlm.cc,v 1.37 2003/08/10 11:00:52 robertc Exp $
4 *
5 * DEBUG: section 29 NTLM Authenticator
6 * AUTHOR: Robert Collins
7 *
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
10 *
11 * Squid is the result of efforts by numerous individuals from
12 * the Internet community; see the CONTRIBUTORS file for full
13 * details. Many organizations have provided support for Squid's
14 * development; see the SPONSORS file for full details. Squid is
15 * Copyrighted (C) 2001 by the Regents of the University of
16 * California; see the COPYRIGHT file for full details. Squid
17 * incorporates software developed and/or copyrighted by other
18 * sources; see the CREDITS file for full details.
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License as published by
22 * the Free Software Foundation; either version 2 of the License, or
23 * (at your option) any later version.
24 *
25 * This program is distributed in the hope that it will be useful,
26 * but WITHOUT ANY WARRANTY; without even the implied warranty of
27 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28 * GNU General Public License for more details.
29 *
30 * You should have received a copy of the GNU General Public License
31 * along with this program; if not, write to the Free Software
32 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
33 *
34 */
35
36 /* The functions in this file handle authentication.
37 * They DO NOT perform access control or auditing.
38 * See acl.c for access control and client_side.c for auditing */
39
40
41 #include "squid.h"
42 #include "auth_ntlm.h"
43 #include "authenticate.h"
44 #include "Store.h"
45 #include "client_side.h"
46 #include "HttpReply.h"
47 #include "HttpRequest.h"
48
49 extern AUTHSSETUP authSchemeSetup_ntlm;
50
51 static void
52 authenticateStateFree(authenticateStateData * r)
53 {
54 cbdataFree(r);
55 }
56
57 /* NTLM Scheme */
58 static HLPSCB authenticateNTLMHandleReply;
59 static HLPSCB authenticateNTLMHandleplaceholder;
60 static AUTHSACTIVE authenticateNTLMActive;
61 static AUTHSAUTHUSER authenticateNTLMAuthenticateUser;
62 static AUTHSCONFIGURED authNTLMConfigured;
63 static AUTHSFIXERR authenticateNTLMFixErrorHeader;
64 static AUTHSFREE authenticateNTLMFreeUser;
65 static AUTHSDECODE authenticateDecodeNTLMAuth;
66 static AUTHSDUMP authNTLMCfgDump;
67 static AUTHSFREECONFIG authNTLMFreeConfig;
68 static AUTHSINIT authNTLMInit;
69 static AUTHSONCLOSEC authenticateNTLMOnCloseConnection;
70 static AUTHSCONNLASTHEADER NTLMLastHeader;
71 static AUTHSUSERNAME authenticateNTLMUsername;
72 static AUTHSPARSE authNTLMParse;
73 static AUTHSSTART authenticateNTLMStart;
74 static AUTHSSTATS authenticateNTLMStats;
75 static AUTHSSHUTDOWN authNTLMDone;
76
77 /* helper callbacks to handle per server state data */
78 static HLPSAVAIL authenticateNTLMHelperServerAvailable;
79 static HLPSONEQ authenticateNTLMHelperServerOnEmpty;
80
81 static statefulhelper *ntlmauthenticators = NULL;
82
83 CBDATA_TYPE(authenticateStateData);
84
85 static int authntlm_initialised = 0;
86
87 static MemPool *ntlm_helper_state_pool = NULL;
88 static MemPool *ntlm_user_pool = NULL;
89 static MemPool *ntlm_user_hash_pool = NULL;
90
91 static auth_ntlm_config *ntlmConfig = NULL;
92
93 static hash_table *proxy_auth_cache = NULL;
94
95 /*
96 *
97 * Private Functions
98 *
99 */
100
101 static void
102 authNTLMDone(void)
103 {
104 debug(29, 2) ("authNTLMDone: shutting down NTLM authentication.\n");
105
106 if (ntlmauthenticators)
107 helperStatefulShutdown(ntlmauthenticators);
108
109 authntlm_initialised = 0;
110
111 if (!shutting_down)
112 return;
113
114 if (ntlmauthenticators)
115 helperStatefulFree(ntlmauthenticators);
116
117 ntlmauthenticators = NULL;
118
119 #if DEBUGSHUTDOWN
120
121 if (ntlm_helper_state_pool) {
122 memPoolDestroy(&ntlm_helper_state_pool);
123 }
124
125 if (ntlm_user_pool) {
126 memPoolDestroy(&ntlm_user_pool);
127 }
128
129 #endif
130 debug(29, 2) ("authNTLMDone: NTLM authentication Shutdown.\n");
131 }
132
133 /* free any allocated configuration details */
134 static void
135 authNTLMFreeConfig(authScheme * scheme)
136 {
137 if (ntlmConfig == NULL)
138 return;
139
140 assert(ntlmConfig == scheme->scheme_data);
141
142 if (ntlmConfig->authenticate)
143 wordlistDestroy(&ntlmConfig->authenticate);
144
145 xfree(ntlmConfig);
146
147 ntlmConfig = NULL;
148 }
149
150 static void
151 authNTLMCfgDump(StoreEntry * entry, const char *name, authScheme * scheme)
152 {
153 auth_ntlm_config *config = static_cast<auth_ntlm_config *>(scheme->scheme_data);
154 wordlist *list = config->authenticate;
155 storeAppendPrintf(entry, "%s %s", name, "ntlm");
156
157 while (list != NULL) {
158 storeAppendPrintf(entry, " %s", list->key);
159 list = list->next;
160 }
161
162 storeAppendPrintf(entry, "\n%s %s children %d\n%s %s max_challenge_reuses %d\n%s %s max_challenge_lifetime %d seconds\n",
163 name, "ntlm", config->authenticateChildren,
164 name, "ntlm", config->challengeuses,
165 name, "ntlm", (int) config->challengelifetime);
166
167 }
168
169 static void
170 authNTLMParse(authScheme * scheme, int n_configured, char *param_str)
171 {
172 if (scheme->scheme_data == NULL) {
173 assert(ntlmConfig == NULL);
174 /* this is the first param to be found */
175 scheme->scheme_data = xmalloc(sizeof(auth_ntlm_config));
176 memset(scheme->scheme_data, 0, sizeof(auth_ntlm_config));
177 ntlmConfig = static_cast<auth_ntlm_config *>(scheme->scheme_data);
178 ntlmConfig->authenticateChildren = 5;
179 ntlmConfig->challengeuses = 0;
180 ntlmConfig->challengelifetime = 60;
181 }
182
183 ntlmConfig = static_cast<auth_ntlm_config *>(scheme->scheme_data);
184
185 if (strcasecmp(param_str, "program") == 0) {
186 if (ntlmConfig->authenticate)
187 wordlistDestroy(&ntlmConfig->authenticate);
188
189 parse_wordlist(&ntlmConfig->authenticate);
190
191 requirePathnameExists("authparam ntlm program", ntlmConfig->authenticate->key);
192 } else if (strcasecmp(param_str, "children") == 0) {
193 parse_int(&ntlmConfig->authenticateChildren);
194 } else if (strcasecmp(param_str, "max_challenge_reuses") == 0) {
195 parse_int(&ntlmConfig->challengeuses);
196 } else if (strcasecmp(param_str, "max_challenge_lifetime") == 0) {
197 parse_time_t(&ntlmConfig->challengelifetime);
198 } else {
199 debug(28, 0) ("unrecognised ntlm auth scheme parameter '%s'\n", param_str);
200 }
201
202 /*
203 * disable client side request pipelining. There is a race with
204 * NTLM when the client sends a second request on an NTLM
205 * connection before the authenticate challenge is sent. With
206 * this patch, the client may fail to authenticate, but squid's
207 * state will be preserved. Caveats: this should be a post-parse
208 * test, but that can wait for the modular parser to be integrated.
209 */
210 if (ntlmConfig->authenticate)
211 Config.onoff.pipeline_prefetch = 0;
212 }
213
214
215 void
216 authSchemeSetup_ntlm(authscheme_entry_t * authscheme)
217 {
218 assert(!authntlm_initialised);
219 authscheme->Active = authenticateNTLMActive;
220 authscheme->configured = authNTLMConfigured;
221 authscheme->parse = authNTLMParse;
222 authscheme->dump = authNTLMCfgDump;
223 authscheme->requestFree = NULL;
224 authscheme->freeconfig = authNTLMFreeConfig;
225 authscheme->init = authNTLMInit;
226 authscheme->authAuthenticate = authenticateNTLMAuthenticateUser;
227 authscheme->authenticated = NULL;
228 authscheme->authFixHeader = authenticateNTLMFixErrorHeader;
229 authscheme->FreeUser = authenticateNTLMFreeUser;
230 authscheme->authStart = authenticateNTLMStart;
231 authscheme->authStats = authenticateNTLMStats;
232 authscheme->authUserUsername = authenticateNTLMUsername;
233 authscheme->getdirection = NULL;
234 authscheme->decodeauth = authenticateDecodeNTLMAuth;
235 authscheme->donefunc = authNTLMDone;
236 authscheme->oncloseconnection = authenticateNTLMOnCloseConnection;
237 authscheme->authConnLastHeader = NTLMLastHeader;
238 }
239
240 /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
241 * config file */
242 static void
243 authNTLMInit(authScheme * scheme)
244 {
245 static int ntlminit = 0;
246
247 if (ntlmConfig->authenticate) {
248 if (!ntlm_helper_state_pool)
249 ntlm_helper_state_pool = memPoolCreate("NTLM Helper State data", sizeof(ntlm_helper_state_t));
250
251 if (!ntlm_user_pool)
252 ntlm_user_pool = memPoolCreate("NTLM Scheme User Data", sizeof(ntlm_user_t));
253
254 if (!ntlm_user_hash_pool)
255
256 ntlm_user_hash_pool = memPoolCreate("NTLM Header Hash Data", sizeof(struct ProxyAuthCachePointer));
257
258 authntlm_initialised = 1;
259
260 if (ntlmauthenticators == NULL)
261 ntlmauthenticators = helperStatefulCreate("ntlmauthenticator");
262
263 if (!proxy_auth_cache)
264 proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
265
266 assert(proxy_auth_cache);
267
268 ntlmauthenticators->cmdline = ntlmConfig->authenticate;
269
270 ntlmauthenticators->n_to_start = ntlmConfig->authenticateChildren;
271
272 ntlmauthenticators->ipc_type = IPC_STREAM;
273
274 ntlmauthenticators->datapool = ntlm_helper_state_pool;
275
276 ntlmauthenticators->IsAvailable = authenticateNTLMHelperServerAvailable;
277
278 ntlmauthenticators->OnEmptyQueue = authenticateNTLMHelperServerOnEmpty;
279
280 helperStatefulOpenServers(ntlmauthenticators);
281
282 /*
283 * TODO: In here send the initial YR to preinitialise the
284 * challenge cache
285 */
286 /*
287 * Think about this... currently we ask when the challenge
288 * is needed. Better?
289 */
290 if (!ntlminit) {
291 cachemgrRegister("ntlmauthenticator",
292 "NTLM User Authenticator Stats",
293 authenticateNTLMStats, 0, 1);
294 ntlminit++;
295 }
296
297 CBDATA_INIT_TYPE(authenticateStateData);
298 }
299 }
300
301 static int
302 authenticateNTLMActive()
303 {
304 return (authntlm_initialised == 1) ? 1 : 0;
305 }
306
307
308 static int
309 authNTLMConfigured()
310 {
311 if ((ntlmConfig != NULL) && (ntlmConfig->authenticate != NULL) && (ntlmConfig->authenticateChildren != 0) && (ntlmConfig->challengeuses > -1) && (ntlmConfig->challengelifetime > -1)) {
312 debug(29, 9) ("authNTLMConfigured: returning configured\n");
313 return 1;
314 }
315
316 debug(29, 9) ("authNTLMConfigured: returning unconfigured\n");
317 return 0;
318 }
319
320 /* NTLM Scheme */
321 int
322 ntlm_request_t::direction()
323 {
324 /* null auth_user is checked for by authenticateDirection */
325
326 switch (auth_state) {
327
328 /* no progress at all. */
329
330 case AUTHENTICATE_STATE_NONE:
331 debug(29, 1) ("ntlm_request_t::direction: called before NTLM Authenticate!. Report a bug to squid-dev.\n");
332 /* fall thru */
333
334 case AUTHENTICATE_STATE_FAILED:
335 return -2;
336
337 /* send to helper */
338
339 case AUTHENTICATE_STATE_NEGOTIATE:
340
341 /*send to helper */
342
343 case AUTHENTICATE_STATE_RESPONSE:
344 return -1;
345
346 /* send to client */
347
348 case AUTHENTICATE_STATE_CHALLENGE:
349 return 1;
350
351 /* do nothing.. */
352
353 case AUTHENTICATE_STATE_DONE:
354 return 0;
355 }
356
357 return -2;
358 }
359
360 /*
361 * Send the authenticate error header(s). Note: IE has a bug and the NTLM header
362 * must be first. To ensure that, the configure use --enable-auth=ntlm, anything
363 * else.
364 */
365 static void
366 authenticateNTLMFixErrorHeader(auth_user_request_t * auth_user_request, HttpReply * rep, http_hdr_type type, HttpRequest * request)
367 {
368 ntlm_request_t *ntlm_request;
369
370 if (ntlmConfig->authenticate) {
371 /* New request, no user details */
372
373 if (auth_user_request == NULL) {
374 debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM'\n", type);
375 httpHeaderPutStrf(&rep->header, type, "NTLM");
376 /* drop the connection */
377 httpHeaderDelByName(&rep->header, "keep-alive");
378 /* NTLM has problems if the initial connection is not dropped
379 * I haven't checked the RFC compliance of this hack - RBCollins */
380 request->flags.proxy_keepalive = 0;
381 } else {
382 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
383 assert (ntlm_request);
384
385 switch (ntlm_request->auth_state) {
386
387 case AUTHENTICATE_STATE_NONE:
388
389 case AUTHENTICATE_STATE_FAILED:
390 debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM'\n", type);
391 httpHeaderPutStrf(&rep->header, type, "NTLM");
392 /* drop the connection */
393 httpHeaderDelByName(&rep->header, "keep-alive");
394 /* NTLM has problems if the initial connection is not dropped
395 * I haven't checked the RFC compliance of this hack - RBCollins */
396 request->flags.proxy_keepalive = 0;
397 break;
398
399 case AUTHENTICATE_STATE_CHALLENGE:
400 /* we are 'waiting' for a response */
401 /* pass the challenge to the client */
402 debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM %s'\n", type, ntlm_request->authchallenge);
403 httpHeaderPutStrf(&rep->header, type, "NTLM %s", ntlm_request->authchallenge);
404 break;
405
406 default:
407 debug(29, 0) ("authenticateNTLMFixErrorHeader: state %d.\n", ntlm_request->auth_state);
408 fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
409 }
410 }
411 }
412 }
413
414 ntlm_request_t::~ntlm_request_t()
415 {
416 if (ntlmnegotiate)
417 xfree(ntlmnegotiate);
418
419 if (authchallenge)
420 xfree(authchallenge);
421
422 if (ntlmauthenticate)
423 xfree(ntlmauthenticate);
424
425 if (authserver != NULL && authserver_deferred) {
426 debug(29, 9) ("authenticateNTLMRequestFree: releasing server '%p'\n", authserver);
427 helperStatefulReleaseServer(authserver);
428 authserver = NULL;
429 }
430 }
431
432 static void
433 authenticateNTLMFreeUser(auth_user_t * auth_user)
434 {
435 dlink_node *link, *tmplink;
436 ntlm_user_t *ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
437 ProxyAuthCachePointer *proxy_auth_hash;
438
439 debug(29, 5) ("authenticateNTLMFreeUser: Clearing NTLM scheme data\n");
440
441 if (ntlm_user->username)
442 xfree(ntlm_user->username);
443
444 /* were they linked in by one or more proxy-authenticate headers */
445 link = ntlm_user->proxy_auth_list.head;
446
447 while (link) {
448 debug(29, 9) ("authenticateFreeProxyAuthUser: removing proxy_auth hash entry '%p'\n", link->data);
449 proxy_auth_hash = static_cast<ProxyAuthCachePointer *>(link->data);
450 tmplink = link;
451 link = link->next;
452 dlinkDelete(tmplink, &ntlm_user->proxy_auth_list);
453 hash_remove_link(proxy_auth_cache, (hash_link *) proxy_auth_hash);
454 /* free the key (usually the proxy_auth header) */
455 xfree(proxy_auth_hash->key);
456 memPoolFree(ntlm_user_hash_pool, proxy_auth_hash);
457 }
458
459 memPoolFree(ntlm_user_pool, ntlm_user);
460 auth_user->scheme_data = NULL;
461 }
462
463 static stateful_helper_callback_t
464 authenticateNTLMHandleplaceholder(void *data, void *lastserver, char *reply)
465 {
466 authenticateStateData *r = static_cast<authenticateStateData *>(data);
467 stateful_helper_callback_t result = S_HELPER_UNKNOWN;
468 /* we should only be called for placeholder requests - which have no reply string */
469 assert(reply == NULL);
470 assert(r->auth_user_request);
471 /* standard callback stuff */
472
473 if (!cbdataReferenceValid(r->data)) {
474 debug(29, 1) ("AuthenticateNTLMHandlePlacheholder: invalid callback data.\n");
475 return result;
476 }
477
478 /* call authenticateNTLMStart to retry this request */
479 debug(29, 9) ("authenticateNTLMHandleplaceholder: calling authenticateNTLMStart\n");
480
481 authenticateNTLMStart(r->auth_user_request, r->handler, r->data);
482
483 cbdataReferenceDone(r->data);
484
485 authenticateStateFree(r);
486
487 return result;
488 }
489
490 static stateful_helper_callback_t
491 authenticateNTLMHandleReply(void *data, void *lastserver, char *reply)
492 {
493 authenticateStateData *r = static_cast<authenticateStateData *>(data);
494 ntlm_helper_state_t *helperstate;
495 stateful_helper_callback_t result = S_HELPER_UNKNOWN;
496 char *t = NULL;
497 auth_user_request_t *auth_user_request;
498 auth_user_t *auth_user;
499 ntlm_user_t *ntlm_user;
500 ntlm_request_t *ntlm_request;
501 debug(29, 9) ("authenticateNTLMHandleReply: Helper: '%p' {%s}\n", lastserver, reply ? reply : "<NULL>");
502
503 if (!cbdataReferenceValid(r->data)) {
504 debug(29, 1) ("AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '%p'.\n", lastserver);
505 cbdataReferenceDone(r->data);
506 authenticateStateFree(r);
507 debug(29, 9) ("NTLM HandleReply, telling stateful helper : %d\n", S_HELPER_RELEASE);
508 return S_HELPER_RELEASE;
509 }
510
511 if (!reply) {
512 /*
513 * TODO: this occurs when a helper crashes. We should clean
514 * up that helpers resources and queued requests.
515 */
516 fatal("authenticateNTLMHandleReply: called with no result string\n");
517 }
518
519 /* seperate out the useful data */
520 if (strncasecmp(reply, "TT ", 3) == 0) {
521 reply += 3;
522 /* we have been given a Challenge */
523 /* we should check we weren't given an empty challenge */
524 /* copy the challenge to the state data */
525 helperstate = static_cast<ntlm_helper_state_t *>(helperStatefulServerGetData(static_cast<helper_stateful_server *>(lastserver)));
526
527 if (helperstate == NULL)
528 fatal("lost NTLM helper state! quitting\n");
529
530 helperstate->challenge = xstrndup(reply, NTLM_CHALLENGE_SZ + 5);
531
532 helperstate->challengeuses = 0;
533
534 helperstate->renewed = squid_curtime;
535
536 /* and we satisfy the request that happended on the refresh boundary */
537 /* note this code is now in two places FIXME */
538 assert(r->auth_user_request != NULL);
539
540 assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM);
541
542 auth_user_request = r->auth_user_request;
543
544 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
545
546 assert(ntlm_request != NULL);
547
548 result = S_HELPER_DEFER;
549
550 /* reserve the server for future authentication */
551 ntlm_request->authserver_deferred = 1;
552
553 debug(29, 9) ("authenticateNTLMHandleReply: helper '%p'\n", lastserver);
554
555 assert(ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE);
556
557 ntlm_request->authserver = static_cast<helper_stateful_server *>(lastserver);
558
559 ntlm_request->authchallenge = xstrndup(reply, NTLM_CHALLENGE_SZ + 5);
560 } else if (strncasecmp(reply, "AF ", 3) == 0) {
561 /* we're finished, release the helper */
562 reply += 3;
563 assert(r->auth_user_request != NULL);
564 assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM);
565 auth_user_request = r->auth_user_request;
566 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
567 assert(ntlm_request);
568 auth_user = auth_user_request->auth_user;
569 ntlm_user = static_cast<ntlm_user_t *>(auth_user_request->auth_user->scheme_data);
570 assert(ntlm_user != NULL);
571 result = S_HELPER_RELEASE;
572 /* we only expect OK when finishing the handshake */
573 assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE);
574 ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ);
575 ntlm_request->authserver = NULL;
576 #ifdef NTLM_FAIL_OPEN
577
578 } else if (strncasecmp(reply, "LD ", 3) == 0) {
579 /* This is a variant of BH, which rather than deny access
580 * allows the user through. The helper is starved and then refreshed
581 * via YR, all pending authentications are likely to fail also.
582 * It is meant for those helpers which occasionally fail for
583 * no reason at all (casus belli, NTLMSSP helper on NT domain,
584 * failing about 1 auth out of 1k.
585 * The code is a merge from the BH case with snippets of the AF
586 * case */
587 /* AF code: mark user as authenticated */
588 reply += 3;
589 assert(r->auth_user_request != NULL);
590 assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM);
591 auth_user_request = r->auth_user_request;
592 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
593 assert(ntlm_request);
594 auth_user = auth_user_request->auth_user;
595 ntlm_user = static_cast<ntlm_user_t *>(auth_user_request->auth_user->scheme_data);
596 assert(ntlm_user != NULL);
597 result = S_HELPER_RELEASE;
598 /* we only expect LD when finishing the handshake */
599 assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE);
600 ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ);
601 helperstate = static_cast<ntlm_helper_state_t *>(helperStatefulServerGetData(ntlm_request->authserver));
602 ntlm_request->authserver = NULL;
603 /* BH code: mark helper as broken */
604 /* mark it for starving */
605 helperstate->starve = 1;
606 #endif
607
608 } else if (strncasecmp(reply, "NA ", 3) == 0) {
609 /* TODO: only work with auth_user here if it exists */
610 assert(r->auth_user_request != NULL);
611 assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM);
612 auth_user_request = r->auth_user_request;
613 auth_user = auth_user_request->auth_user;
614 assert(auth_user != NULL);
615 ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
616 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
617 assert((ntlm_user != NULL) && (ntlm_request != NULL));
618 /* todo: action of Negotiate state on error */
619 result = S_HELPER_RELEASE; /*some error has occured. no more requests */
620 ntlm_request->authserver = NULL;
621 debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply);
622 ntlm_request->auth_state = AUTHENTICATE_STATE_FAILED;
623
624 if ((t = strchr(reply, ' '))) /* strip after a space */
625 *t = '\0';
626 } else if (strncasecmp(reply, "NA", 2) == 0) {
627 /* NTLM Helper protocol violation! */
628 fatal("NTLM Helper returned invalid response \"NA\" - a error message MUST be attached\n");
629 } else if (strncasecmp(reply, "BH ", 3) == 0) {
630 /* TODO kick off a refresh process. This can occur after a YR or after
631 * a KK. If after a YR release the helper and resubmit the request via
632 * Authenticate NTLM start.
633 * If after a KK deny the user's request w/ 407 and mark the helper as
634 * Needing YR. */
635 assert(r->auth_user_request != NULL);
636 assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM);
637 auth_user_request = r->auth_user_request;
638 auth_user = auth_user_request->auth_user;
639 assert(auth_user != NULL);
640 ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
641 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
642 assert((ntlm_user != NULL) && (ntlm_request != NULL));
643 /*some error has occured. no more requests for
644 * this helper */
645 result = S_HELPER_RELEASE;
646 assert(ntlm_request->authserver ? ntlm_request->authserver == lastserver : 1);
647 helperstate = static_cast<ntlm_helper_state_t *>(helperStatefulServerGetData(ntlm_request->authserver));
648 ntlm_request->authserver = NULL;
649
650 if (ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE) {
651 /* The helper broke on YR. It automatically
652 * resets */
653 debug(29, 1) ("authenticateNTLMHandleReply: Error obtaining challenge from helper: %p. Error returned '%s'\n", lastserver, reply);
654 /* mark it for starving */
655 helperstate->starve = 1;
656 /* resubmit the request. This helper is currently busy, so we will get
657 * a different one. Our auth state stays the same */
658 authenticateNTLMStart(auth_user_request, r->handler, r->data);
659 /* don't call the callback */
660 cbdataReferenceDone(r->data);
661 authenticateStateFree(r);
662 debug(29, 9) ("NTLM HandleReply, telling stateful helper : %d\n", result);
663 return result;
664 }
665
666 /* the helper broke on a KK */
667 /* first the standard KK stuff */
668 debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply);
669
670 if ((t = strchr(reply, ' '))) /* strip after a space */
671 *t = '\0';
672
673 /* now we mark the helper for resetting. */
674 helperstate->starve = 1;
675
676 ntlm_request->auth_state = AUTHENTICATE_STATE_FAILED;
677 } else {
678 /* TODO: only work with auth_user here if it exists */
679 /* TODO: take the request state into consideration */
680 assert(r->auth_user_request != NULL);
681 assert(r->auth_user_request->auth_user->auth_type == AUTH_NTLM);
682 auth_user_request = r->auth_user_request;
683 auth_user = auth_user_request->auth_user;
684 assert(auth_user != NULL);
685 ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
686 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
687 assert((ntlm_user != NULL) && (ntlm_request != NULL));
688 debug(29, 1) ("authenticateNTLMHandleReply: *** Unsupported helper response ***, '%s'\n", reply);
689 /* **** NOTE THIS CODE IS EFFECTIVELY UNTESTED **** */
690 /* restart the authentication process */
691 ntlm_request->auth_state = AUTHENTICATE_STATE_NONE;
692 assert(ntlm_request->authserver ? ntlm_request->authserver == lastserver : 1);
693 ntlm_request->authserver = NULL;
694 }
695
696 r->handler(r->data, NULL);
697 cbdataReferenceDone(r->data);
698 authenticateStateFree(r);
699 debug(29, 9) ("NTLM HandleReply, telling stateful helper : %d\n", result);
700 return result;
701 }
702
703 static void
704 authenticateNTLMStats(StoreEntry * sentry)
705 {
706 storeAppendPrintf(sentry, "NTLM Authenticator Statistics:\n");
707 helperStatefulStats(sentry, ntlmauthenticators);
708 }
709
710 /* is a particular challenge still valid ? */
711 static int
712 authenticateNTLMValidChallenge(ntlm_helper_state_t * helperstate)
713 {
714 debug(29, 9) ("authenticateNTLMValidChallenge: Challenge is %s\n", helperstate->challenge ? "Valid" : "Invalid");
715
716 if (helperstate->challenge == NULL)
717 return 0;
718
719 return 1;
720 }
721
722 /* does our policy call for changing the challenge now? */
723 static int
724 authenticateNTLMChangeChallenge_p(ntlm_helper_state_t * helperstate)
725 {
726 /* don't check for invalid challenges just for expiry choices */
727 /* this is needed because we have to starve the helper until all old
728 * requests have been satisfied */
729
730 if (!helperstate->renewed) {
731 /* first use, no challenge has been set. Without this check, it will
732 * loop forever */
733 debug(29, 5) ("authenticateNTLMChangeChallenge_p: first use\n");
734 return 0;
735 }
736
737 if (helperstate->challengeuses > ntlmConfig->challengeuses) {
738 debug(29, 4) ("authenticateNTLMChangeChallenge_p: Challenge uses (%d) exceeded max uses (%d)\n", helperstate->challengeuses, ntlmConfig->challengeuses);
739 return 1;
740 }
741
742 if (helperstate->renewed + ntlmConfig->challengelifetime < squid_curtime) {
743 debug(29, 4) ("authenticateNTLMChangeChallenge_p: Challenge exceeded max lifetime by %d seconds\n", (int) (squid_curtime - (helperstate->renewed + ntlmConfig->challengelifetime)));
744 return 1;
745 }
746
747 debug(29, 9) ("Challenge is to be reused\n");
748 return 0;
749 }
750
751 /* send the initial data to a stateful ntlm authenticator module */
752 static void
753 authenticateNTLMStart(auth_user_request_t * auth_user_request, RH * handler, void *data)
754 {
755 authenticateStateData *r = NULL;
756 helper_stateful_server *server;
757 ntlm_helper_state_t *helperstate;
758 char buf[8192];
759 char *sent_string = NULL;
760 ntlm_user_t *ntlm_user;
761 ntlm_request_t *ntlm_request;
762 auth_user_t *auth_user;
763
764 assert(auth_user_request);
765 auth_user = auth_user_request->auth_user;
766 ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
767 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
768 assert(ntlm_user);
769 assert(ntlm_request);
770 assert(handler);
771 assert(data);
772 assert(auth_user->auth_type = AUTH_NTLM);
773 debug(29, 9) ("authenticateNTLMStart: auth state '%d'\n", ntlm_request->auth_state);
774
775 switch (ntlm_request->auth_state) {
776
777 case AUTHENTICATE_STATE_NEGOTIATE:
778 sent_string = ntlm_request->ntlmnegotiate;
779 break;
780
781 case AUTHENTICATE_STATE_RESPONSE:
782 sent_string = ntlm_request->ntlmauthenticate;
783 assert(ntlm_request->authserver);
784 debug(29, 9) ("authenticateNTLMStart: Asking NTLMauthenticator '%p'.\n", ntlm_request->authserver);
785 break;
786
787 default:
788 fatal("Invalid authenticate state for NTLMStart");
789 }
790
791 while (!xisspace(*sent_string)) /*trim NTLM */
792 sent_string++;
793
794 while (xisspace(*sent_string)) /*trim leading spaces */
795 sent_string++;
796
797 debug(29, 9) ("authenticateNTLMStart: state '%d'\n", ntlm_request->auth_state);
798
799 debug(29, 9) ("authenticateNTLMStart: '%s'\n", sent_string);
800
801 if (ntlmConfig->authenticate == NULL) {
802 debug(29, 0) ("authenticateNTLMStart: no NTLM program specified:'%s'\n", sent_string);
803 handler(data, NULL);
804 return;
805 }
806
807 /* this is ugly TODO: move the challenge generation routines to their own function and
808 * tidy the logic up to make use of the efficiency we now have */
809 switch (ntlm_request->auth_state) {
810
811 case AUTHENTICATE_STATE_NEGOTIATE:
812 /*
813 * 1: get a helper server
814 * 2: does it have a challenge?
815 * 3: tell it to get a challenge, or give ntlmauthdone the challenge
816 */
817 server = helperStatefulDefer(ntlmauthenticators);
818 helperstate = server ? static_cast<ntlm_helper_state_t *>(helperStatefulServerGetData(server)) : NULL;
819
820 while ((server != NULL) && authenticateNTLMChangeChallenge_p(helperstate)) {
821 /* flag this helper for challenge changing */
822 helperstate->starve = 1;
823 /* and release the deferred request */
824 helperStatefulReleaseServer(server);
825 /* Get another deferrable server */
826 server = helperStatefulDefer(ntlmauthenticators);
827 helperstate = server ? static_cast<ntlm_helper_state_t *>(helperStatefulServerGetData(server)) : NULL;
828 }
829
830 if (server == NULL)
831 debug(29, 9) ("unable to get a deferred ntlm helper... all helpers are refreshing challenges. Queuing as a placeholder request.\n");
832
833 ntlm_request->authserver = server;
834
835 /* tell the log what helper we have been given */
836 debug(29, 9) ("authenticateNTLMStart: helper '%p' assigned\n", server);
837
838 /* server and valid challenge? */
839 if ((server == NULL) || !authenticateNTLMValidChallenge(helperstate)) {
840 /* No server, or server with invalid challenge */
841 r = cbdataAlloc(authenticateStateData);
842 r->handler = handler;
843 r->data = cbdataReference(data);
844 r->auth_user_request = auth_user_request;
845
846 if (server == NULL) {
847 helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, NULL);
848 } else {
849 /* Server with invalid challenge */
850 snprintf(buf, 8192, "YR\n");
851 helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver);
852 }
853 } else {
854 /* (server != NULL and we have a valid challenge) */
855 /* TODO: turn the below into a function and call from here and handlereply */
856 /* increment the challenge uses */
857 helperstate->challengeuses++;
858 /* assign the challenge */
859 ntlm_request->authchallenge = xstrndup(helperstate->challenge, NTLM_CHALLENGE_SZ + 5);
860 /* we're not actually submitting a request, so we need to release the helper
861 * should the connection close unexpectedly
862 */
863 ntlm_request->authserver_deferred = 1;
864 handler(data, NULL);
865 }
866
867 break;
868
869 case AUTHENTICATE_STATE_RESPONSE:
870 r = cbdataAlloc(authenticateStateData);
871 r->handler = handler;
872 r->data = cbdataReference(data);
873 r->auth_user_request = auth_user_request;
874 snprintf(buf, 8192, "KK %s\n", sent_string);
875 /* getting rid of deferred request status */
876 ntlm_request->authserver_deferred = 0;
877 helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver);
878 debug(29, 9) ("authenticateNTLMstart: finished\n");
879 break;
880
881 default:
882 fatal("Invalid authenticate state for NTLMStart");
883 }
884 }
885
886 /* callback used by stateful helper routines */
887 static int
888 authenticateNTLMHelperServerAvailable(void *data)
889 {
890 ntlm_helper_state_t *statedata = static_cast<ntlm_helper_state_t *>(data);
891
892 if (statedata != NULL) {
893 if (statedata->starve) {
894 debug(29, 4) ("authenticateNTLMHelperServerAvailable: starving - returning 0\n");
895 return 0;
896 } else {
897 debug(29, 4) ("authenticateNTLMHelperServerAvailable: not starving - returning 1\n");
898 return 1;
899 }
900 }
901
902 debug(29, 4) ("authenticateNTLMHelperServerAvailable: no state data - returning 0\n");
903 return 0;
904 }
905
906 static void
907 authenticateNTLMHelperServerOnEmpty(void *data)
908 {
909 ntlm_helper_state_t *statedata = static_cast<ntlm_helper_state_t *>(data);
910
911 if (statedata == NULL)
912 return;
913
914 if (statedata->starve) {
915 /* we have been starving the helper */
916 debug(29, 9) ("authenticateNTLMHelperServerOnEmpty: resetting challenge details\n");
917 statedata->starve = 0;
918 statedata->challengeuses = 0;
919 statedata->renewed = 0;
920 xfree(statedata->challenge);
921 statedata->challenge = NULL;
922 }
923 }
924
925
926 /* clear the NTLM helper of being reserved for future requests */
927 static void
928 authenticateNTLMReleaseServer(auth_user_request_t * auth_user_request)
929 {
930 ntlm_request_t *ntlm_request;
931 assert(auth_user_request->auth_user->auth_type == AUTH_NTLM);
932 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
933 assert (ntlm_request);
934 debug(29, 9) ("authenticateNTLMReleaseServer: releasing server '%p'\n", ntlm_request->authserver);
935 helperStatefulReleaseServer(ntlm_request->authserver);
936 ntlm_request->authserver = NULL;
937 }
938
939 /* clear any connection related authentication details */
940 static void
941 authenticateNTLMOnCloseConnection(ConnStateData * conn)
942 {
943 ntlm_request_t *ntlm_request;
944 assert(conn != NULL);
945
946 if (conn->auth_user_request != NULL) {
947 ntlm_request = dynamic_cast< ntlm_request_t *>(conn->auth_user_request->state());
948 assert (ntlm_request);
949 assert(ntlm_request->conn == conn);
950
951 if (ntlm_request->authserver != NULL && ntlm_request->authserver_deferred)
952 authenticateNTLMReleaseServer(conn->auth_user_request);
953
954 /* unlock the connection based lock */
955 debug(29, 9) ("authenticateNTLMOnCloseConnection: Unlocking auth_user from the connection.\n");
956
957 /* This still breaks the abstraction, but is at least read only now */
958 /* Ensure that the auth user request will be getting closed */
959 /* IFF we start persisting the struct after the conn closes - say for logging
960 * then this test may become invalid
961 */
962 assert(authenticateRequestRefCount(conn->auth_user_request) == 1);
963
964 authenticateAuthUserRequestUnlock(conn->auth_user_request);
965
966 conn->auth_user_request = NULL;
967 }
968 }
969
970 /* authenticateUserUsername: return a pointer to the username in the */
971 static const char *
972 authenticateNTLMUsername(auth_user_t const * auth_user)
973 {
974 ntlm_user_t *ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
975
976 if (ntlm_user)
977 return ntlm_user->username;
978
979 return NULL;
980 }
981
982 /* NTLMLastHeader: return a pointer to the last header used in authenticating
983 * the request/conneciton
984 */
985 static const char *
986 NTLMLastHeader(auth_user_request_t * auth_user_request)
987 {
988 ntlm_request_t *ntlm_request;
989 assert(auth_user_request != NULL);
990 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
991 assert (ntlm_request);
992 return ntlm_request->ntlmauthenticate;
993 }
994
995 /*
996 * Decode an NTLM [Proxy-]Auth string, placing the results in the passed
997 * Auth_user structure.
998 */
999
1000 static void
1001 authenticateDecodeNTLMAuth(auth_user_request_t * auth_user_request, const char *proxy_auth)
1002 {
1003 dlink_node *node;
1004 assert(auth_user_request->auth_user == NULL);
1005 auth_user_request->auth_user = authenticateAuthUserNew("ntlm");
1006 auth_user_request->auth_user->auth_type = AUTH_NTLM;
1007 auth_user_request->auth_user->scheme_data = memPoolAlloc(ntlm_user_pool);
1008 auth_user_request->state (new ntlm_request_t);
1009 /* lock for the auth_user_request link */
1010 authenticateAuthUserLock(auth_user_request->auth_user);
1011 node = dlinkNodeNew();
1012 dlinkAdd(auth_user_request, node, &auth_user_request->auth_user->requests);
1013
1014 /* all we have to do is identify that it's NTLM - the helper does the rest */
1015 debug(29, 9) ("authenticateDecodeNTLMAuth: NTLM authentication\n");
1016 return;
1017 }
1018
1019 static int
1020 authenticateNTLMcmpUsername(ntlm_user_t * u1, ntlm_user_t * u2)
1021 {
1022 return strcmp(u1->username, u2->username);
1023 }
1024
1025
1026 /* there is a known race where a single client recieves the same challenge
1027 * and sends the same response to squid on a single select cycle.
1028 * Check for this and if found ignore the new link
1029 */
1030 static void
1031 authenticateProxyAuthCacheAddLink(const char *key, auth_user_t * auth_user)
1032 {
1033
1034 struct ProxyAuthCachePointer *proxy_auth_hash;
1035 dlink_node *node;
1036 ntlm_user_t *ntlm_user;
1037 ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
1038 node = ntlm_user->proxy_auth_list.head;
1039 /* prevent duplicates */
1040
1041 while (node) {
1042
1043 if (!strcmp(key, (char const *)((struct ProxyAuthCachePointer *) node->data)->key))
1044 return;
1045
1046 node = node->next;
1047 }
1048
1049 proxy_auth_hash = static_cast<ProxyAuthCachePointer *>(memPoolAlloc(ntlm_user_hash_pool));
1050 proxy_auth_hash->key = xstrdup(key);
1051 proxy_auth_hash->auth_user = auth_user;
1052 dlinkAddTail(proxy_auth_hash, &proxy_auth_hash->link, &ntlm_user->proxy_auth_list);
1053 hash_join(proxy_auth_cache, (hash_link *) proxy_auth_hash);
1054 }
1055
1056 int
1057 ntlm_request_t::authenticated() const
1058 {
1059 if (auth_state == AUTHENTICATE_STATE_DONE)
1060 return 1;
1061
1062 debug(29, 9) ("User not fully authenticated.\n");
1063
1064 return 0;
1065 }
1066
1067 void
1068 ntlm_request_t::authenticate(HttpRequest * request, ConnStateData::Pointer conn, http_hdr_type type)
1069 {
1070 fatal ("unusable");
1071 }
1072
1073 static void
1074 authenticateNTLMAuthenticateUser(auth_user_request_t * auth_user_request, HttpRequest * request, ConnStateData::Pointer conn, http_hdr_type type)
1075 {
1076 const char *proxy_auth;
1077
1078 struct ProxyAuthCachePointer *proxy_auth_hash = NULL;
1079 auth_user_hash_pointer *usernamehash;
1080 auth_user_t *auth_user;
1081 ntlm_request_t *ntlm_request;
1082 ntlm_user_t *ntlm_user;
1083 LOCAL_ARRAY(char, ntlmhash, NTLM_CHALLENGE_SZ * 2);
1084 /* get header */
1085 proxy_auth = httpHeaderGetStr(&request->header, type);
1086
1087 auth_user = auth_user_request->auth_user;
1088 assert(auth_user);
1089 assert(auth_user->auth_type == AUTH_NTLM);
1090 assert(auth_user->scheme_data != NULL);
1091 ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
1092 ntlm_request = dynamic_cast< ntlm_request_t *>(auth_user_request->state());
1093 assert (ntlm_request);
1094 /* Check that we are in the client side, where we can generate
1095 * auth challenges */
1096
1097 if (conn.getRaw() == NULL) {
1098 ntlm_request->auth_state = AUTHENTICATE_STATE_FAILED;
1099 debug(29, 1) ("authenticateNTLMAuthenticateUser: attempt to perform authentication without a connection!\n");
1100 return;
1101 }
1102
1103 switch (ntlm_request->auth_state) {
1104
1105 case AUTHENTICATE_STATE_NONE:
1106 /* we've recieved a negotiate request. pass to a helper */
1107 debug(29, 9) ("authenticateNTLMAuthenticateUser: auth state ntlm none. %s\n", proxy_auth);
1108 ntlm_request->auth_state = AUTHENTICATE_STATE_NEGOTIATE;
1109 ntlm_request->ntlmnegotiate = xstrndup(proxy_auth, NTLM_CHALLENGE_SZ + 5);
1110 conn->auth_type = AUTH_NTLM;
1111 conn->auth_user_request = auth_user_request;
1112 ntlm_request->conn = conn;
1113 /* and lock for the connection duration */
1114 debug(29, 9) ("authenticateNTLMAuthenticateUser: Locking auth_user from the connection.\n");
1115 authenticateAuthUserRequestLock(auth_user_request);
1116 return;
1117 break;
1118
1119 case AUTHENTICATE_STATE_NEGOTIATE:
1120 ntlm_request->auth_state = AUTHENTICATE_STATE_CHALLENGE;
1121 /* We _MUST_ have the auth challenge by now */
1122 assert(ntlm_request->authchallenge);
1123 return;
1124 break;
1125
1126 case AUTHENTICATE_STATE_CHALLENGE:
1127 /* we should have recieved a NTLM challenge. pass it to the same
1128 * helper process */
1129 debug(29, 9) ("authenticateNTLMAuthenticateUser: auth state challenge with header %s.\n", proxy_auth);
1130 /* do a cache lookup here. If it matches it's a successful ntlm
1131 * challenge - release the helper and use the existing auth_user
1132 * details. */
1133
1134 if (strncmp("NTLM ", proxy_auth, 5) == 0) {
1135 ntlm_request->ntlmauthenticate = xstrdup(proxy_auth);
1136 } else {
1137 fatal("Incorrect scheme in auth header\n");
1138 /* TODO: more fault tolerance.. reset the auth scheme here */
1139 }
1140
1141 /* cache entries have authenticateauthheaderchallengestring */
1142 snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s",
1143 ntlm_request->ntlmauthenticate,
1144 ntlm_request->authchallenge);
1145
1146 /* see if we already know this user's authenticate */
1147 debug(29, 9) ("aclMatchProxyAuth: cache lookup with key '%s'\n", ntlmhash);
1148
1149 assert(proxy_auth_cache != NULL);
1150
1151 proxy_auth_hash = static_cast<ProxyAuthCachePointer *>(hash_lookup(proxy_auth_cache, ntlmhash));
1152
1153 if (!proxy_auth_hash) { /* not in the hash table */
1154 debug(29, 4) ("authenticateNTLMAuthenticateUser: proxy-auth cache miss.\n");
1155 ntlm_request->auth_state = AUTHENTICATE_STATE_RESPONSE;
1156 /* verify with the ntlm helper */
1157 } else {
1158 debug(29, 4) ("authenticateNTLMAuthenticateUser: ntlm proxy-auth cache hit\n");
1159 /* throw away the temporary entry */
1160 ntlm_request->authserver_deferred = 0;
1161 authenticateNTLMReleaseServer(auth_user_request);
1162 authenticateAuthUserMerge(auth_user, proxy_auth_hash->auth_user);
1163 auth_user = proxy_auth_hash->auth_user;
1164 auth_user_request->auth_user = auth_user;
1165 ntlm_request->auth_state = AUTHENTICATE_STATE_DONE;
1166 /* we found one */
1167 debug(29, 9) ("found matching cache entry\n");
1168 assert(auth_user->auth_type == AUTH_NTLM);
1169 /* get the existing entries details */
1170 ntlm_user = static_cast<ntlm_user_t *>(auth_user->scheme_data);
1171 debug(29, 9) ("Username to be used is %s\n", ntlm_user->username);
1172 /* on ntlm auth we do not unlock the auth_user until the
1173 * connection is dropped. Thank MS for this quirk */
1174 auth_user->expiretime = current_time.tv_sec;
1175 }
1176
1177 return;
1178 break;
1179
1180 case AUTHENTICATE_STATE_RESPONSE:
1181 /* auth-challenge pair cache miss. We've just got the response from the helper */
1182 /*add to cache and let them through */
1183 ntlm_request->auth_state = AUTHENTICATE_STATE_DONE;
1184 /* this connection is authenticated */
1185 debug(29, 4) ("authenticated\nch %s\nauth %s\nauthuser %s\n",
1186 ntlm_request->authchallenge,
1187 ntlm_request->ntlmauthenticate,
1188 ntlm_user->username);
1189 /* cache entries have authenticateauthheaderchallengestring */
1190 snprintf(ntlmhash, sizeof(ntlmhash) - 1, "%s%s",
1191 ntlm_request->ntlmauthenticate,
1192 ntlm_request->authchallenge);
1193 /* see if this is an existing user with a different proxy_auth
1194 * string */
1195
1196 if ((usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, ntlm_user->username)))
1197 ) {
1198 while ((authUserHashPointerUser(usernamehash)->auth_type != auth_user->auth_type) && (usernamehash->next) && !authenticateNTLMcmpUsername(static_cast<ntlm_user_t *>(authUserHashPointerUser(usernamehash)->scheme_data), ntlm_user)
1199 )
1200 usernamehash = static_cast<AuthUserHashPointer*>(usernamehash->next);
1201 if (authUserHashPointerUser(usernamehash)->auth_type == auth_user->auth_type) {
1202 /*
1203 * add another link from the new proxy_auth to the
1204 * auth_user structure and update the information */
1205 assert(proxy_auth_hash == NULL);
1206 authenticateProxyAuthCacheAddLink(ntlmhash, authUserHashPointerUser(usernamehash));
1207 /* we can't seamlessly recheck the username due to the
1208 * challenge nature of the protocol. Just free the
1209 * temporary auth_user */
1210 authenticateAuthUserMerge(auth_user, authUserHashPointerUser(usernamehash));
1211 auth_user = authUserHashPointerUser(usernamehash);
1212 auth_user_request->auth_user = auth_user;
1213 }
1214 } else {
1215 /* store user in hash's */
1216 authenticateUserNameCacheAdd(auth_user);
1217 authenticateProxyAuthCacheAddLink(ntlmhash, auth_user);
1218 }
1219
1220 /* set these to now because this is either a new login from an
1221 * existing user or a new user */
1222 auth_user->expiretime = current_time.tv_sec;
1223 return;
1224 break;
1225
1226 case AUTHENTICATE_STATE_DONE:
1227 fatal("authenticateNTLMAuthenticateUser: unexpect auth state DONE! Report a bug to the squid developers.\n");
1228 break;
1229
1230 case AUTHENTICATE_STATE_FAILED:
1231 /* we've failed somewhere in authentication */
1232 debug(29, 9) ("authenticateNTLMAuthenticateUser: auth state ntlm failed. %s\n", proxy_auth);
1233 return;
1234 }
1235
1236 return;
1237 }
1238
1239 MemPool (*ntlm_request_t::Pool)(NULL);
1240 void *
1241 ntlm_request_t::operator new (size_t byteCount)
1242 {
1243 /* derived classes with different sizes must implement their own new */
1244 assert (byteCount == sizeof (ntlm_request_t));
1245
1246 if (!Pool)
1247 Pool = memPoolCreate("ntlm_request_t", sizeof (ntlm_request_t));
1248
1249 return memPoolAlloc(Pool);
1250 }
1251
1252 void
1253 ntlm_request_t::operator delete (void *address)
1254 {
1255 memPoolFree (Pool, address);
1256 }
Mirror of https://github.com/squid-cache/squid.git