/*
- * $Id$
+ * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
*
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+/*
* AUTHOR: Andrew Doran <ad@interlude.eu.org>
* AUTHOR: Robert Collins <rbtcollins@hotmail.com>
- * AUTHOR: Guido Serassio: <guido.serassio@acmeconsulting.it>
- *
- * SQUID Web Proxy Cache http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- * Squid is the result of efforts by numerous individuals from
- * the Internet community; see the CONTRIBUTORS file for full
- * details. Many organizations have provided support for Squid's
- * development; see the SPONSORS file for full details. Squid is
- * Copyrighted (C) 2001 by the Regents of the University of
- * California; see the COPYRIGHT file for full details. Squid
- * incorporates software developed and/or copyrighted by other
- * sources; see the CREDITS file for full details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
+ * AUTHOR: Guido Serassio <guido.serassio@acmeconsulting.it>
*/
+
/*
* Example ntlm authentication program for Squid, based on the
* original proxy_auth code from client_side.c, written by
* that though */
#define IGNORANCE_IS_BLISS
-#include "config.h"
+#include "squid.h"
+#include "base64.h"
#include "helpers/defines.h"
-#include "libntlmauth/ntlmauth.h"
-#include "libntlmauth/support_bits.cci"
-#include "util.h"
+#include "ntlmauth/ntlmauth.h"
+#include "ntlmauth/support_bits.cci"
-#if HAVE_CTYPE_H
-#include <ctype.h>
-#endif
-#if HAVE_STRING_H
-#include <string.h>
-#endif
+#include <cctype>
+#include <cstring>
#if HAVE_CRYPT_H
#include <crypt.h>
#endif
#if HAVE_GETOPT_H
#include <getopt.h>
#endif
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#if HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
+#define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
#ifdef __GNUC__
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
+#define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
+#define SEND3(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
+#define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
#else
/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
+#define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
+#define SEND3(X,Y,Z) {debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);}
+#define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
#endif
const char *authenticate_ntlm_domain = "WORKGROUP";
exit(0);
case '?':
opt = optopt;
- /* fall thru to default */
+ /* fall thru to default */
default:
fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
usage();
{
char buf[HELPER_INPUT_BUFFER];
int buflen = 0;
+ uint8_t decodedBuf[HELPER_INPUT_BUFFER];
+ int decodedLen;
char user[NTLM_MAX_FIELD_LENGTH], domain[NTLM_MAX_FIELD_LENGTH];
char *p;
- ntlmhdr *packet = NULL;
char helper_command[3];
int len;
- char *data = NULL;
setbuf(stdout, NULL);
setbuf(stderr, NULL);
debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name);
while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
- user[0] = '\0'; /*no user code */
- domain[0] = '\0'; /*no domain code */
+ user[0] = '\0'; /*no user code */
+ domain[0] = '\0'; /*no domain code */
if ((p = strchr(buf, '\n')) != NULL)
- *p = '\0'; /* strip \n */
+ *p = '\0'; /* strip \n */
buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */
- if (buflen > 3)
- packet = (ntlmhdr*)base64_decode(buf + 3);
+ ntlmhdr *packet;
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+ size_t dstLen = 0;
+ if (buflen > 3 &&
+ base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast<const uint8_t*>(buf+3)) &&
+ base64_decode_final(&ctx)) {
+ decodedLen = dstLen;
+ packet = (ntlmhdr*)decodedBuf;
+ } else {
+ packet = NULL;
+ decodedLen = 0;
+ }
+
if (buflen > 3 && NTLM_packet_debug_enabled) {
strncpy(helper_command, buf, 2);
helper_command[2] = '\0';
debug("Got '%s' from Squid with data:\n", helper_command);
- hex_dump((unsigned char*)packet, ((buflen - 3) * 3) / 4);
+ hex_dump((unsigned char *)decodedBuf, decodedLen);
} else
debug("Got '%s' from Squid\n", buf);
- if (strncasecmp(buf, "YR", 2) == 0) {
+ if (strncmp(buf, "YR", 2) == 0) {
char nonce[NTLM_NONCE_LEN];
ntlm_challenge chal;
ntlm_make_nonce(nonce);
- if (buflen > 3) {
+ if (buflen > 3 && packet) {
ntlm_negotiate *nego = (ntlm_negotiate *)packet;
ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, nego->flags);
} else {
chal.context_high = htole32(0x003a<<16);
len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen);
- data = (char *) base64_encode_bin((char *) &chal, len);
+
+ struct base64_encode_ctx eCtx;
+ base64_encode_init(&eCtx);
+ uint8_t *data = (uint8_t*)xcalloc(base64_encode_len(len), 1);
+ size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<uint8_t*>(&chal));
+ blen += base64_encode_final(&eCtx, data+blen);
if (NTLM_packet_debug_enabled) {
- printf("TT %s\n", data);
+ printf("TT %.*s\n", (int)blen, data);
debug("sending 'TT' to squid with data:\n");
hex_dump((unsigned char *)&chal, len);
} else
- SEND2("TT %s", data);
- } else if (strncasecmp(buf, "KK ", 3) == 0) {
+ SEND3("TT %.*s", (int)blen, data);
+ safe_free(data);
+
+ } else if (strncmp(buf, "KK ", 3) == 0) {
if (!packet) {
SEND("BH received KK with no data! user=");
} else if (ntlm_validate_packet(packet, NTLM_AUTHENTICATE) == NTLM_ERR_NONE) {
- if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, (buflen-3)) == NTLM_ERR_NONE) {
+ if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, decodedLen) == NTLM_ERR_NONE) {
lc(user);
- lc(domain);
if (strip_domain_enabled) {
SEND2("AF %s", user);
} else {
- SEND3("AF %s%s%s", domain, (*domain?"\\":""), user);
+ SEND4("AF %s%s%s", domain, (*domain?"\\":""), user);
}
} else {
lc(user);
- lc(domain);
- SEND3("NA invalid credentials, user=%s%s%s", domain, (*domain?"\\":""), user);
+ SEND4("NA invalid credentials, user=%s%s%s", domain, (*domain?"\\":""), user);
}
} else {
SEND("BH wrong packet type! user=");
}
exit(0);
}
+