2 * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
10 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
11 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
12 * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
16 * Example ntlm authentication program for Squid, based on the
17 * original proxy_auth code from client_side.c, written by
18 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
19 * Andrew Doran <ad@interlude.eu.org>.
21 * This code gets the username and returns it. No validation is done.
22 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
25 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
27 * - Added negotiation of UNICODE char support
28 * - More detailed debugging info
32 /* undefine this to have strict protocol adherence. You don't really need
34 #define IGNORANCE_IS_BLISS
38 #include "helper/protocol_defines.h"
39 #include "ntlmauth/ntlmauth.h"
40 #include "ntlmauth/support_bits.cci"
56 /* A couple of harmless helper macros */
57 #define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
59 #define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
60 #define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
61 #define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
63 /* no gcc, no debugging. varargs macros are a gcc extension */
64 #define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
65 #define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
66 #define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
69 const char *authenticate_ntlm_domain
= "WORKGROUP";
70 int strip_domain_enabled
= 0;
71 int NTLM_packet_debug_enabled
= 0;
72 unsigned int response_delay
= 0;
76 * -d enable debugging.
77 * -v enable verbose NTLM packet debugging.
78 * -l if specified, changes behavior on failures to last-ditch.
80 char *my_program_name
= nullptr;
86 "Usage: %s [-d] [-t N] [-v] [-h]\n"
87 " -d enable debugging.\n"
88 " -S strip domain from username.\n"
89 " -t timeout to delay responses (milliseconds).\n"
90 " -v enable verbose NTLM packet debugging.\n"
91 " -h this message\n\n",
96 process_options(int argc
, char *argv
[])
98 int opt
, had_error
= 0;
101 while (-1 != (opt
= getopt(argc
, argv
, "hdvSt:"))) {
108 NTLM_packet_debug_enabled
= 1;
111 strip_domain_enabled
= 1;
114 if (!xstrtoui(optarg
, nullptr, &response_delay
, 0, 86400)) {
115 fprintf(stderr
, "ERROR: invalid parameter value for -t '%s'", optarg
);
125 /* [[fallthrough]] */
127 fprintf(stderr
, "unknown option: -%c. Exiting\n", opt
);
137 main(int argc
, char *argv
[])
139 char buf
[HELPER_INPUT_BUFFER
];
141 uint8_t decodedBuf
[HELPER_INPUT_BUFFER
];
143 char user
[NTLM_MAX_FIELD_LENGTH
], domain
[NTLM_MAX_FIELD_LENGTH
];
145 char helper_command
[3];
148 setbuf(stdout
, nullptr);
149 setbuf(stderr
, nullptr);
151 my_program_name
= argv
[0];
153 process_options(argc
, argv
);
155 debug("%s " VERSION
" " SQUID_BUILD_INFO
" starting up...\n", my_program_name
);
157 while (fgets(buf
, HELPER_INPUT_BUFFER
, stdin
) != nullptr) {
158 user
[0] = '\0'; /*no user code */
159 domain
[0] = '\0'; /*no domain code */
161 if ((p
= strchr(buf
, '\n')) != nullptr)
162 *p
= '\0'; /* strip \n */
163 buflen
= strlen(buf
); /* keep this so we only scan the buffer for \0 once per loop */
165 struct base64_decode_ctx ctx
;
166 base64_decode_init(&ctx
);
169 base64_decode_update(&ctx
, &dstLen
, decodedBuf
, buflen
-3, buf
+3) &&
170 base64_decode_final(&ctx
)) {
172 packet
= (ntlmhdr
*)decodedBuf
;
178 if (buflen
> 3 && NTLM_packet_debug_enabled
) {
179 strncpy(helper_command
, buf
, 2);
180 helper_command
[2] = '\0';
181 debug("Got '%s' from Squid with data:\n", helper_command
);
182 hex_dump((unsigned char *)decodedBuf
, decodedLen
);
184 debug("Got '%s' from Squid\n", buf
);
186 if (response_delay
> 0) {
187 std::this_thread::sleep_for(std::chrono::milliseconds(response_delay
));
190 if (strncmp(buf
, "YR", 2) == 0) {
191 char nonce
[NTLM_NONCE_LEN
];
193 ntlm_make_nonce(nonce
);
194 if (buflen
> 3 && packet
) {
195 ntlm_negotiate
*nego
= (ntlm_negotiate
*)packet
;
196 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, nullptr, nonce
, NTLM_NONCE_LEN
, nego
->flags
);
198 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, nullptr, nonce
, NTLM_NONCE_LEN
, NTLM_NEGOTIATE_ASCII
);
200 // TODO: find out what this context means, and why only the fake auth helper contains it.
201 chal
.context_high
= htole32(0x003a<<16);
203 len
= sizeof(chal
) - sizeof(chal
.payload
) + le16toh(chal
.target
.maxlen
);
205 struct base64_encode_ctx eCtx
;
206 base64_encode_init(&eCtx
);
207 char *data
= static_cast<char *>(xcalloc(base64_encode_len(len
), 1));
208 size_t blen
= base64_encode_update(&eCtx
, data
, len
, reinterpret_cast<const uint8_t *>(&chal
));
209 blen
+= base64_encode_final(&eCtx
, data
+blen
);
210 if (NTLM_packet_debug_enabled
) {
211 printf("TT %.*s\n", (int)blen
, data
);
212 debug("sending 'TT' to squid with data:\n");
213 hex_dump((unsigned char *)&chal
, len
);
215 SEND3("TT %.*s", (int)blen
, data
);
218 } else if (strncmp(buf
, "KK ", 3) == 0) {
220 SEND("BH received KK with no data! user=");
221 } else if (ntlm_validate_packet(packet
, NTLM_AUTHENTICATE
) == NTLM_ERR_NONE
) {
222 if (ntlm_unpack_auth((ntlm_authenticate
*)packet
, user
, domain
, decodedLen
) == NTLM_ERR_NONE
) {
224 if (strip_domain_enabled
) {
225 SEND2("AF %s", user
);
227 SEND4("AF %s%s%s", domain
, (*domain
?"\\":""), user
);
231 SEND4("NA invalid credentials, user=%s%s%s", domain
, (*domain
?"\\":""), user
);
234 SEND("BH wrong packet type! user=");