2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
10 * AUTHOR: Andrew Doran <ad@interlude.eu.org>
11 * AUTHOR: Robert Collins <rbtcollins@hotmail.com>
12 * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
16 * Example ntlm authentication program for Squid, based on the
17 * original proxy_auth code from client_side.c, written by
18 * Jon Thackray <jrmt@uk.gdscorp.com>. Initial ntlm code by
19 * Andrew Doran <ad@interlude.eu.org>.
21 * This code gets the username and returns it. No validation is done.
22 * and by the way: it is a complete patch-up. Use the "real thing" NTLMSSP
25 * Revised by Guido Serassio: <guido.serassio@acmeconsulting.it>
27 * - Added negotiation of UNICODE char support
28 * - More detailed debugging info
32 /* undefine this to have strict protocol adherence. You don't really need
34 #define IGNORANCE_IS_BLISS
38 #include "helper/protocol_defines.h"
39 #include "ntlmauth/ntlmauth.h"
40 #include "ntlmauth/support_bits.cci"
54 /* A couple of harmless helper macros */
55 #define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
57 #define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
58 #define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
59 #define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
61 /* no gcc, no debugging. varargs macros are a gcc extension */
62 #define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
63 #define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
64 #define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
67 const char *authenticate_ntlm_domain
= "WORKGROUP";
68 int strip_domain_enabled
= 0;
69 int NTLM_packet_debug_enabled
= 0;
73 * -d enable debugging.
74 * -v enable verbose NTLM packet debugging.
75 * -l if specified, changes behavior on failures to last-ditch.
77 char *my_program_name
= NULL
;
83 "Usage: %s [-d] [-v] [-h]\n"
84 " -d enable debugging.\n"
85 " -S strip domain from username.\n"
86 " -v enable verbose NTLM packet debugging.\n"
87 " -h this message\n\n",
92 process_options(int argc
, char *argv
[])
94 int opt
, had_error
= 0;
97 while (-1 != (opt
= getopt(argc
, argv
, "hdvS"))) {
104 NTLM_packet_debug_enabled
= 1;
107 strip_domain_enabled
= 1;
114 /* fall thru to default */
116 fprintf(stderr
, "unknown option: -%c. Exiting\n", opt
);
126 main(int argc
, char *argv
[])
128 char buf
[HELPER_INPUT_BUFFER
];
130 uint8_t decodedBuf
[HELPER_INPUT_BUFFER
];
132 char user
[NTLM_MAX_FIELD_LENGTH
], domain
[NTLM_MAX_FIELD_LENGTH
];
134 char helper_command
[3];
137 setbuf(stdout
, NULL
);
138 setbuf(stderr
, NULL
);
140 my_program_name
= argv
[0];
142 process_options(argc
, argv
);
144 debug("%s " VERSION
" " SQUID_BUILD_INFO
" starting up...\n", my_program_name
);
146 while (fgets(buf
, HELPER_INPUT_BUFFER
, stdin
) != NULL
) {
147 user
[0] = '\0'; /*no user code */
148 domain
[0] = '\0'; /*no domain code */
150 if ((p
= strchr(buf
, '\n')) != NULL
)
151 *p
= '\0'; /* strip \n */
152 buflen
= strlen(buf
); /* keep this so we only scan the buffer for \0 once per loop */
154 struct base64_decode_ctx ctx
;
155 base64_decode_init(&ctx
);
158 base64_decode_update(&ctx
, &dstLen
, decodedBuf
, buflen
-3, reinterpret_cast<const uint8_t*>(buf
+3)) &&
159 base64_decode_final(&ctx
)) {
161 packet
= (ntlmhdr
*)decodedBuf
;
167 if (buflen
> 3 && NTLM_packet_debug_enabled
) {
168 strncpy(helper_command
, buf
, 2);
169 helper_command
[2] = '\0';
170 debug("Got '%s' from Squid with data:\n", helper_command
);
171 hex_dump((unsigned char *)decodedBuf
, decodedLen
);
173 debug("Got '%s' from Squid\n", buf
);
175 if (strncmp(buf
, "YR", 2) == 0) {
176 char nonce
[NTLM_NONCE_LEN
];
178 ntlm_make_nonce(nonce
);
179 if (buflen
> 3 && packet
) {
180 ntlm_negotiate
*nego
= (ntlm_negotiate
*)packet
;
181 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, nego
->flags
);
183 ntlm_make_challenge(&chal
, authenticate_ntlm_domain
, NULL
, nonce
, NTLM_NONCE_LEN
, NTLM_NEGOTIATE_ASCII
);
185 // TODO: find out what this context means, and why only the fake auth helper contains it.
186 chal
.context_high
= htole32(0x003a<<16);
188 len
= sizeof(chal
) - sizeof(chal
.payload
) + le16toh(chal
.target
.maxlen
);
190 struct base64_encode_ctx eCtx
;
191 base64_encode_init(&eCtx
);
192 uint8_t *data
= (uint8_t*)xcalloc(base64_encode_len(len
), 1);
193 size_t blen
= base64_encode_update(&eCtx
, data
, len
, reinterpret_cast<uint8_t*>(&chal
));
194 blen
+= base64_encode_final(&eCtx
, data
+blen
);
195 if (NTLM_packet_debug_enabled
) {
196 printf("TT %.*s\n", (int)blen
, data
);
197 debug("sending 'TT' to squid with data:\n");
198 hex_dump((unsigned char *)&chal
, len
);
200 SEND3("TT %.*s", (int)blen
, data
);
203 } else if (strncmp(buf
, "KK ", 3) == 0) {
205 SEND("BH received KK with no data! user=");
206 } else if (ntlm_validate_packet(packet
, NTLM_AUTHENTICATE
) == NTLM_ERR_NONE
) {
207 if (ntlm_unpack_auth((ntlm_authenticate
*)packet
, user
, domain
, decodedLen
) == NTLM_ERR_NONE
) {
209 if (strip_domain_enabled
) {
210 SEND2("AF %s", user
);
212 SEND4("AF %s%s%s", domain
, (*domain
?"\\":""), user
);
216 SEND4("NA invalid credentials, user=%s%s%s", domain
, (*domain
?"\\":""), user
);
219 SEND("BH wrong packet type! user=");