+++ /dev/null
-<HTML>
-<HEAD>
-<TITLE>MSNTAUTH readme</TITLE>
-</HEAD>
-<BODY BGCOLOR="#FFFFFF">
-
-<!--
-If you require this document in text form, download the
-HTML-text package from http://members.tripod.com/stellarx.
--->
-
-<H1>
-MSNT Auth v3.0.0<BR>
-Squid web proxy NT authentication module<BR>
-Modified by the Squid HTTP Proxy team<BR>
-Original release by Antonino Iannella, Stellar-X Pty Ltd<BR>
-</H1>
-
-<H2>Contents</H2>
-
-<UL>
-<LI> <A HREF="#introduction">Introduction</A>
-<LI> <A HREF="#installation">Installation</A>
-<LI> <A HREF="#configuration">Configuration</A>
-<LI> <A HREF="#squid">Squid.conf changes</A>
-<LI> <A HREF="#testing">Testing</A>
-<LI> <A HREF="#contact">Support details</A>
-</UL>
-
-<A NAME="introduction"><H2>Introduction</H2>
-
-<P>
-This is an authentication module for the Squid proxy server
-to use an NT domain server.
-
-<P>
-It originates from the Samba and SMB packages by Andrew Tridgell
-and Richard Sharpe. It is sourced from the Pike
-authentication module by William Welliver (hwellive@intersil.com),
-and the SMB 1.0.1 libraries.
-Releases up to version 2.0.3 were created by Antonino Iannella
-(antonino@rager.com.au, http://stellarx.tripod.com).
-The module is now distributed with Squid, and is maintained by the
-Squid proxy team as an Open Source effort.
-Msntauth is released under the GNU General Public License.
-
-<P>
-<i>basic_msnt_auth</i> follows the standard Squid basic authentication helper protocol.
-See <a href="https://wiki.squid-cache.org/Features/AddonHelpers#basic-scheme"
->https://wiki.squid-cache.org/Features/AddonHelpers#basic-scheme</a> for details.
-Problems are logged to syslog.
-
-<P>
-Msntauth works in environments with NT domain controllers on
-Windows (TM) NT 4, 2000, and Samba. It only uses the ancient <i>Lanman</i> protocol,
-the authenticating systems must be configured to accept it.
-
-<A NAME="installation"><H2>Installation</H2>
-
-<P>
-Msntauth will be compiled when you compile Squid, using
-their autoconf system.
-Refer to Squid documentation for details.
-If the build is suitable, you can skip this section.
-
-<A NAME="configuration"><H2>Configuration</H2>
-
-<P>
-As of version 3.0.0, a configuration file is no longer needed.
-The specification of the domains and domain controllers to use is
-passed as a list of arguments on the command line.
-
-The syntax is:
-<PRE>
-basic_msnt_auth domain1/domaincontroller1 [domain2/domaincontroller2 ...]
-</PRE>
-An arbitrary number of domain controllers can be specified, for any number of daomains.
-Domain controllers will be attempted in the same order they are configured, until
-any of them successfully authenticates the user passed by squid. If all domain
-controllers fail to authenticate the user, then access is denied.
-Domain controllers can be specified by their NetBios name.
-
-<P>
-<B>WARNING!</B> this means that a wrong password will be attempted a number of times.
-Watch out for domain lock-out policies!
-
-<A NAME="squid"><H2>Squid.conf changes</H2>
-
-<P>
-Refer to Squid documentation for the required changes to squid.conf.
-You will need to set the following lines to enable authentication for
-your access list -
-
-<PRE>
- acl <I>yourACL</I> proxy_auth REQUIRED
- http_access allow password
- http_access allow <I>yourACL</I>
- http_access deny all
-</PRE>
-
-<P>
-You will also need to review the following directives. The number of
-msntauth children spawned is set with authenticate_children.
-The number of children needed is site-dependent, so some
-experimentation may be required to find the best number.
-There should be no visible delay in performance with Squid once
-msntauth is in use.
-
-Please see <A href="http://www.squid-cache.org/Doc/config/auth_param/"
->http://www.squid-cache.org/Doc/config/auth_param/</A> or your <TT>squid.conf.default</TT>
-file to check how to configure squid to make use of this helper.
-
-<A NAME="testing"><H2>Testing</H2>
-
-<P>
-I strongly urge that Msntauth is tested prior to being used in a
-production environment. It may behave differently on different platforms.
-To test it, run it from the command line, and enter username and password
-pairs separated by a space.
-
-<P>
-It should behave in the following way -
-<PRE>
- - Press ENTER to get an OK or ERR message.
- - Make sure pressing CTRL-D behaves the same as a carriage return.
- - Make sure pressing CTRL-C aborts the program.
- - Test that entering no details does not result in an OK or ERR message.
- - Test that entering an invalid username and password results in
- an ERR message. Note that if NT guest user access is allowed on
- the PDC, an OK message may be returned instead of ERR.
- - Test that entering an valid username and password results in an OK message.
- Try usernames which are and aren't in the denied/allowed user files,
- if they're in use.
- - Test that entering a guest username and password returns the correct response.
-</PRE>
-
-<P>
-If the above didn't work as expected, you may need to modify the main()
-function in msntauth.c. Inform the Squid maintainers of any problems.
-
-<P>
-Usernames and passwords are expected to be URL-encoded (see RFC 1738 for details)
-
-<A NAME="contact"><H2>Support details</H2>
-
-<P>
-Refer to the Squid website at http://www.squid-cache.org.
-You can submit problems or fixes using the Squid project's Bugzilla database.
-
-</BODY>
-</HTML>
+++ /dev/null
-/*
- * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-/*
- * MSNT - Microsoft Windows NT domain squid authenticator module
- * Version 2.0 by Stellar-X Pty Ltd, Antonino Iannella
- * Sun Sep 2 14:39:53 CST 2001
- *
- * Modified to act as a Squid authenticator module.
- * Removed all Pike stuff.
- * Returns OK for a successful authentication, or ERR upon error.
- *
- * Uses code from -
- * Andrew Tridgell 1997
- * Richard Sharpe 1996
- * Bill Welliver 1999
- * Duane Wessels 2000 (wessels@squid-cache.org)
- *
- * Released under GNU Public License
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- */
-#include "squid.h"
-#include "rfc1738.h"
-#include "util.h"
-
-#include <csignal>
-#include <cstring>
-#include <iostream>
-#include <string>
-#include <vector>
-#include <syslog.h>
-
-#include "auth/basic/SMB_LM/msntauth.h"
-#include "auth/basic/SMB_LM/valid.h"
-
-static char msntauth_version[] = "Msntauth v3.0.0 (C) 2 Sep 2001 Stellar-X Antonino Iannella.\nModified by the Squid HTTP Proxy team 2002-2014";
-
-struct domaincontroller {
- std::string domain;
- std::string server;
-};
-typedef std::vector<domaincontroller> domaincontrollers_t;
-domaincontrollers_t domaincontrollers;
-
-static bool
-validate_user(char *username, char *password)
-{
- for (domaincontrollers_t::iterator dc = domaincontrollers.begin(); dc != domaincontrollers.end(); ++dc) {
- //std::cerr << "testing against " << dc->server << std::endl;
- const int rv = Valid_User(username, password, dc->server.c_str(), nullptr, dc->domain.c_str());
- //std::cerr << "check result: " << rv << std::endl;
- if (rv == NTV_NO_ERROR)
- return true;
- }
- return false;
-}
-
-static char instructions[] = "Usage instructions: basic_nsnt_auth <domainname>/<domaincontroller> [<domainname>/<domaincontroller> ...]";
-static void
-display_usage_instructions()
-{
- using std::endl;
- std::cerr << msntauth_version << endl << instructions << endl << endl;
-}
-
-// arguments: domain/server_name [domain/server_name ...]
-int
-main(int argc, char **argv)
-{
- char username[256];
- char password[256];
- char wstr[256];
- int err = 0;
-
- openlog("basic_smb_lm_auth", LOG_PID, LOG_USER);
- setbuf(stdout, nullptr);
-
- for (int j = 1; j < argc; ++j) {
- std::string arg = argv[j];
- size_t pos=arg.find('/');
- if (arg.find('/',pos+1) != std::string::npos) {
- std::cerr << "Error: can't understand domain controller specification '"
- << arg << "'. Ignoring" << std::endl;
- }
- domaincontroller dc;
- dc.domain = arg.substr(0,pos);
- dc.server = arg.substr(pos+1);
- if (dc.domain.length() == 0 || dc.server.length() == 0) {
- std::cerr << "Error: invalid domain specification in '" << arg <<
- "'. Ignoring." << std::endl;
- exit(EXIT_FAILURE);
- }
- domaincontrollers.push_back(dc);
- }
- if (domaincontrollers.empty()) {
- display_usage_instructions();
- std::cerr << "Error: no domain controllers specified" << std::endl;
- exit(EXIT_FAILURE);
- }
-
- while (1) {
- int n;
- /* Read whole line from standard input. Terminate on break. */
- memset(wstr, '\0', sizeof(wstr));
- if (fgets(wstr, 255, stdin) == NULL)
- break;
- /* ignore this line if we didn't get the end-of-line marker */
- if (NULL == strchr(wstr, '\n')) {
- err = 1;
- continue;
- }
- if (err) {
- syslog(LOG_WARNING, "oversized message");
- puts("ERR");
- err = 0;
- continue;
- }
-
- /*
- * extract username and password.
- */
- username[0] = '\0';
- password[0] = '\0';
- n = sscanf(wstr, "%s %[^\n]", username, password);
- if (2 != n) {
- puts("ERR");
- continue;
- }
- /* Check for invalid or blank entries */
- if ((username[0] == '\0') || (password[0] == '\0')) {
- puts("ERR");
- continue;
- }
-
- rfc1738_unescape(username);
- rfc1738_unescape(password);
-
- if (validate_user(username, password)) {
- puts("OK");
- } else {
- syslog(LOG_INFO, "'%s' login failed", username);
- puts("ERR");
- }
- err = 0;
- }
-
- return EXIT_SUCCESS;
-}
-
+++ /dev/null
-/*
- * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-/*
- * (C) 2000 Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it>
- * Distributed freely under the terms of the GNU General Public License,
- * version 2 or later. See the file COPYING for licensing details
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- */
-
-#include "squid.h"
-#include "base64.h"
-#include "compat/debug.h"
-#include "helper/protocol_defines.h"
-#include "ntlmauth/ntlmauth.h"
-#include "ntlmauth/support_bits.cci"
-#include "rfcnb/rfcnb.h"
-#include "smblib/smblib.h"
-
-#include <cassert>
-#include <cctype>
-#include <cerrno>
-#include <csignal>
-#include <cstdlib>
-#include <cstring>
-#include <ctime>
-#if HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#if HAVE_GETOPT_H
-#include <getopt.h>
-#endif
-#if HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-/************* CONFIGURATION ***************/
-
-#define DEAD_DC_RETRY_INTERVAL 30
-
-/************* END CONFIGURATION ***************/
-
-/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
-#ifdef __GNUC__
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#else
-/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2 printf
-#define SEND3 printf
-#endif
-
-typedef struct _dc dc;
-struct _dc {
- char *domain;
- char *controller;
- time_t dead; /* 0 if it's alive, otherwise time of death */
- dc *next;
-};
-
-/* local functions */
-static void usage(void);
-static void process_options(int argc, char *argv[]);
-static const char * obtain_challenge(void);
-static void manage_request(void);
-static const char *make_challenge(char *domain, char *controller);
-static char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length);
-static void dc_disconnect(void);
-
-#define ENCODED_PASS_LEN 24
-#define MAX_USERNAME_LEN 255
-#define MAX_DOMAIN_LEN 255
-#define MAX_PASSWD_LEN 31
-
-static unsigned char challenge[NTLM_NONCE_LEN];
-static unsigned char lmencoded_empty_pass[ENCODED_PASS_LEN],
- ntencoded_empty_pass[ENCODED_PASS_LEN];
-SMB_Handle_Type handle = nullptr;
-static NtlmError ntlm_errno;
-static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
-static char my_domain[100], my_domain_controller[100];
-static char errstr[1001];
-#if DEBUG
-char error_messages_buffer[NTLM_BLOB_BUFFER_SIZE];
-#endif
-char load_balance = 0, protocol_pedantic = 0;
-dc *controllers = nullptr;
-int numcontrollers = 0;
-dc *current_dc;
-char smb_error_buffer[1000];
-
-/* Disconnects from the DC. A reconnection will be done upon the next request
- */
-static void
-dc_disconnect()
-{
- if (handle != NULL)
- SMB_Discon(handle, 0);
- handle = nullptr;
-}
-
-/* returns 0 on success, > 0 on failure */
-static int
-init_challenge(char *domain, char *domain_controller)
-{
- int smberr;
-
- if (handle != NULL) {
- return 0;
- }
- debug("Connecting to server %s domain %s\n", domain_controller, domain);
- handle = SMB_Connect_Server(nullptr, domain_controller, domain);
- smberr = SMB_Get_Last_Error();
- SMB_Get_Error_Msg(smberr, errstr, 1000);
-
- if (handle == NULL) { /* couldn't connect */
- debug("Couldn't connect to SMB Server. Error:%s\n", errstr);
- return 1;
- }
- if (SMB_Negotiate(handle, SMB_Prots) < 0) { /* An error */
- debug("Error negotiating protocol with SMB Server\n");
- SMB_Discon(handle, 0);
- handle = nullptr;
- return 2;
- }
- if (handle->Security == 0) { /* share-level security, unusable */
- debug("SMB Server uses share-level security .. we need user security.\n");
- SMB_Discon(handle, 0);
- handle = nullptr;
- return 3;
- }
- memcpy(challenge, handle->Encrypt_Key, NTLM_NONCE_LEN);
- SMBencrypt((unsigned char *)"",challenge,lmencoded_empty_pass);
- SMBNTencrypt((unsigned char *)"",challenge,ntencoded_empty_pass);
- return 0;
-}
-
-static const char *
-make_challenge(char *domain, char *domain_controller)
-{
- /* trying to circumvent some strange problem with pointers in SMBLib */
- /* Ugly as hell, but the lib is going to be dropped... */
- strncpy(my_domain, domain, sizeof(my_domain)-1);
- my_domain[sizeof(my_domain)-1] = '\0';
- strncpy(my_domain_controller, domain_controller, sizeof(my_domain_controller)-1);
- my_domain_controller[sizeof(my_domain_controller)-1] = '\0';
-
- if (init_challenge(my_domain, my_domain_controller) > 0) {
- return nullptr;
- }
-
- ntlm_challenge chal;
- uint32_t flags = NTLM_REQUEST_NON_NT_SESSION_KEY |
- NTLM_CHALLENGE_TARGET_IS_DOMAIN |
- NTLM_NEGOTIATE_ALWAYS_SIGN |
- NTLM_NEGOTIATE_USE_NTLM |
- NTLM_NEGOTIATE_USE_LM |
- NTLM_NEGOTIATE_ASCII;
- ntlm_make_challenge(&chal, my_domain, my_domain_controller, (char *)challenge, NTLM_NONCE_LEN, flags);
-
- size_t len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen);
- // for lack of a good NTLM token size limit, allow up to what the helper input can be
- // validations later will expect to be limited to that size.
- static char b64buf[HELPER_INPUT_BUFFER-10]; /* 10 for other line fields, delimiters and terminator */
- if (base64_encode_len(len) < sizeof(b64buf)-1) {
- debug("base64 encoding of the token challenge will exceed %zu bytes", sizeof(b64buf));
- return nullptr;
- }
-
- struct base64_encode_ctx ctx;
- base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, b64buf, len, reinterpret_cast<const uint8_t *>(&chal));
- blen += base64_encode_final(&ctx, b64buf+blen);
- b64buf[blen] = '\0';
- return b64buf;
-}
-
-/* returns NULL on failure, or a pointer to
- * the user's credentials (domain\\username)
- * upon success. WARNING. It's pointing to static storage.
- * In case of problem sets as side-effect ntlm_errno to one of the
- * codes defined in ntlm.h
- */
-static char *
-ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
-{
- char pass[MAX_PASSWD_LEN+1];
- char *domain = credentials;
- char *user;
- lstring tmp;
-
- if (handle == NULL) { /*if null we aren't connected, but it shouldn't happen */
- debug("Weird, we've been disconnected\n");
- ntlm_errno = NtlmError::NotConnected;
- return nullptr;
- }
-
- /* debug("fetching domain\n"); */
- tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->domain, auth->flags);
- if (tmp.str == NULL || tmp.l == 0) {
- debug("No domain supplied. Returning no-auth\n");
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
- if (tmp.l > MAX_DOMAIN_LEN) {
- debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
- memcpy(domain, tmp.str, tmp.l);
- user = domain + tmp.l;
- *user = '\0';
- ++user;
-
- /* debug("fetching user name\n"); */
- tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->user, auth->flags);
- if (tmp.str == NULL || tmp.l == 0) {
- debug("No username supplied. Returning no-auth\n");
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
- if (tmp.l > MAX_USERNAME_LEN) {
- debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
- memcpy(user, tmp.str, tmp.l);
- *(user + tmp.l) = '\0';
-
- // grab the *response blobs. these are fixed length 24 bytes of binary
- const ntlmhdr *packet = &(auth->hdr);
- {
- const strhdr * str = &auth->lmresponse;
-
- int16_t len = le16toh(str->len);
- int32_t offset = le32toh(str->offset);
-
- if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
- debug("LM response: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", auth_length, len, offset);
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
- tmp.str = (char *)packet + offset;
- tmp.l = len;
- }
- if (tmp.l > MAX_PASSWD_LEN) {
- debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
-
- /* Authenticating against the NT response doesn't seem to work... in SMB LM helper. */
- memcpy(pass, tmp.str, tmp.l);
- pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
-
- debug("Empty LM pass detection: user: '%s', ours:'%s', his: '%s' (length: %d)\n",
- user,lmencoded_empty_pass,tmp.str,tmp.l);
- if (memcmp(tmp.str,lmencoded_empty_pass,ENCODED_PASS_LEN)==0) {
- fprintf(stderr,"Empty LM password supplied for user %s\\%s. "
- "No-auth\n",domain,user);
- ntlm_errno=NtlmError::LoginEror;
- return nullptr;
- }
-
- /* still fetch the NT response and check validity against empty password */
- {
- const strhdr * str = &auth->ntresponse;
- int16_t len = le16toh(str->len);
- // NT response field may be absent. that is okay.
- if (len != 0) {
- int32_t offset = le32toh(str->offset);
-
- if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
- debug("NT response: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", auth_length, len, offset);
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
- tmp.str = (char *)packet + offset;
- tmp.l = len;
-
- debug("Empty NT pass detection: user: '%s', ours:'%s', his: '%s' (length: %d)\n",
- user,ntencoded_empty_pass,tmp.str,tmp.l);
- if (memcmp(tmp.str,lmencoded_empty_pass,ENCODED_PASS_LEN)==0) {
- fprintf(stderr,"ERROR: Empty NT password supplied for user %s\\%s. No-auth\n", domain, user);
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- }
- }
- }
-
- debug("checking domain: '%s', user: '%s', pass='%s'\n", domain, user, pass);
-
- const auto rv = SMB_Logon_Server(handle, user, pass, domain, 1);
- debug("Login attempt had result %d\n", rv);
-
- switch (rv) {
- case SMBlibE_Success:
- ntlm_errno = NtlmError::None;
- break;
- case SMBlibE_BAD:
- ntlm_errno = NtlmError::BlobError;
- return nullptr;
- case SMBlibE_ProtLow:
- case SMBlibE_NoSpace:
- case SMBlibE_BadParam:
- case SMBlibE_NegNoProt:
- case SMBlibE_LowerLayer:
- case SMBlibE_SendFailed:
- case SMBlibE_RecvFailed:
- case SMBlibE_ProtUnknown:
- case SMBlibE_NoSuchMsg:
- ntlm_errno = NtlmError::ProtocolError;
- return nullptr;
- case SMBlibE_NotImpl:
- case SMBlibE_CallFailed:
- case SMBlibE_Remote:
- ntlm_errno = NtlmError::ServerError;
- return nullptr;
- case SMBlibE_GuestOnly:
- ntlm_errno = NtlmError::LoginEror;
- return nullptr;
- default:
- ntlm_errno = NtlmError::ServerError;
- return nullptr;
- }
-
- *(user - 1) = '\\'; /* hack. Performing, but ugly. */
-
- debug("credentials: %s\n", credentials);
- return credentials;
-}
-
-static char got_timeout = 0;
-/** signal handler to be invoked when the authentication operation
- * times out */
-extern "C" void
-timeout_during_auth(int)
-{
- dc_disconnect();
-}
-
-/*
- * options:
- * -b try load-balancing the domain-controllers
- * -f fail-over to another DC if DC connection fails.
- * DEPRECATED and VERBOSELY IGNORED. This is on by default now.
- * -l last-ditch-mode
- * domain\controller ...
- */
-char *my_program_name = nullptr;
-
-static void
-usage()
-{
- fprintf(stderr,
- "%s usage:\n%s [-b] [-f] [-d] [-l] domain\\controller [domain\\controller ...]\n"
- "-b enables load-balancing among controllers\n"
- "-f enables failover among controllers (DEPRECATED and always active)\n"
- "-d enables debugging statements if DEBUG was defined at build-time.\n\n"
- "You MUST specify at least one Domain Controller.\n"
- "You can use either \\ or / as separator between the domain name \n"
- "and the controller name\n",
- my_program_name, my_program_name);
-}
-
-/* int debug_enabled=0; defined in libcompat */
-
-static void
-process_options(int argc, char *argv[])
-{
- int opt, j, had_error = 0;
- dc *new_dc = nullptr, *last_dc = nullptr;
- while (-1 != (opt = getopt(argc, argv, "bfld"))) {
- switch (opt) {
- case 'b':
- load_balance = 1;
- break;
- case 'f':
- fprintf(stderr,
- "WARNING. The -f flag is DEPRECATED and always active.\n");
- break;
- case 'd':
- debug_enabled=1;
- break;
- default:
- fprintf(stderr, "unknown option: -%c. Exiting\n", opt);
- usage();
- had_error = 1;
- }
- }
- if (had_error)
- exit(EXIT_FAILURE);
- /* Okay, now begin filling controllers up */
- /* we can avoid memcpy-ing, and just reuse argv[] */
- for (j = optind; j < argc; ++j) {
- char *d, *c;
- /* d will not be freed in case of non-error. Since we don't reconfigure,
- * it's going to live as long as the process anyways */
- d = static_cast<char*>(xmalloc(strlen(argv[j]) + 1));
- strcpy(d, argv[j]);
- debug("Adding domain-controller %s\n", d);
- if (NULL == (c = strchr(d, '\\')) && NULL == (c = strchr(d, '/'))) {
- fprintf(stderr, "Couldn't grok domain-controller %s\n", d);
- free(d);
- continue;
- }
- /* more than one delimiter is not allowed */
- if (NULL != strchr(c + 1, '\\') || NULL != strchr(c + 1, '/')) {
- fprintf(stderr, "Broken domain-controller %s\n", d);
- free(d);
- continue;
- }
- *c= '\0';
- ++c;
- new_dc = static_cast<dc *>(xmalloc(sizeof(dc)));
- if (!new_dc) {
- fprintf(stderr, "Malloc error while parsing DC options\n");
- free(d);
- continue;
- }
- /* capitalize */
- uc(c);
- uc(d);
- ++numcontrollers;
- new_dc->domain = d;
- new_dc->controller = c;
- new_dc->dead = 0;
- if (controllers == NULL) { /* first controller */
- controllers = new_dc;
- last_dc = new_dc;
- } else {
- last_dc->next = new_dc; /* can't be null */
- last_dc = new_dc;
- }
- }
- if (numcontrollers == 0) {
- fprintf(stderr, "You must specify at least one domain-controller!\n");
- usage();
- exit(EXIT_FAILURE);
- }
- last_dc->next = controllers; /* close the queue, now it's circular */
-}
-
-/**
- * tries connecting to the domain controllers in the "controllers" ring,
- * with failover if the adequate option is specified.
- */
-static const char *
-obtain_challenge()
-{
- int j = 0;
- const char *ch = nullptr;
- for (j = 0; j < numcontrollers; ++j) {
- debug("obtain_challenge: selecting %s\\%s (attempt #%d)\n",
- current_dc->domain, current_dc->controller, j + 1);
- if (current_dc->dead != 0) {
- if (time(NULL) - current_dc->dead >= DEAD_DC_RETRY_INTERVAL) {
- /* mark helper as retry-worthy if it's so. */
- debug("Reviving DC\n");
- current_dc->dead = 0;
- } else { /* skip it */
- debug("Skipping it\n");
- continue;
- }
- }
- /* else branch. Here we KNOW that the DC is fine */
- debug("attempting challenge retrieval\n");
- ch = make_challenge(current_dc->domain, current_dc->controller);
- debug("make_challenge retuned %p\n", ch);
- if (ch) {
- debug("Got it\n");
- return ch; /* All went OK, returning */
- }
- /* Huston, we've got a problem. Take this DC out of the loop */
- debug("Marking DC as DEAD\n");
- current_dc->dead = time(NULL);
- /* Try with the next */
- debug("moving on to next controller\n");
- current_dc = current_dc->next;
- }
- /* all DCs failed. */
- return nullptr;
-}
-
-static void
-manage_request()
-{
- ntlmhdr *fast_header;
- char buf[NTLM_BLOB_BUFFER_SIZE];
- char decoded[NTLM_BLOB_BUFFER_SIZE];
- char *ch2, *cred = nullptr;
-
- if (fgets(buf, NTLM_BLOB_BUFFER_SIZE, stdin) == NULL) {
- fprintf(stderr, "fgets() failed! dying..... errno=%d (%s)\n", errno,
- strerror(errno));
- exit(EXIT_FAILURE); /* BIIG buffer */
- }
- debug("managing request\n");
- ch2 = (char*)memchr(buf, '\n', NTLM_BLOB_BUFFER_SIZE); /* safer against overrun than strchr */
- if (ch2) {
- *ch2 = '\0'; /* terminate the string at newline. */
- }
- debug("ntlm authenticator. Got '%s' from Squid\n", buf);
-
- if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
- /* figure out what we got */
- struct base64_decode_ctx ctx;
- base64_decode_init(&ctx);
- size_t dstLen = 0;
- int decodedLen = 0;
- if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, buf+3) ||
- !base64_decode_final(&ctx)) {
- SEND("NA Packet format error, couldn't base64-decode");
- return;
- }
- decodedLen = dstLen;
-
- if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
- SEND("NA Packet format error, truncated packet header.");
- return;
- }
- /* fast-track-decode request type. */
- fast_header = (ntlmhdr *) decoded;
-
- /* sanity-check: it IS a NTLMSSP packet, isn't it? */
- if (ntlm_validate_packet(fast_header, NTLM_ANY) < 0) {
- SEND("NA Broken authentication packet");
- return;
- }
- switch (le32toh(fast_header->type)) {
- case NTLM_NEGOTIATE:
- SEND("NA Invalid negotiation request received");
- return;
- /* notreached */
- case NTLM_CHALLENGE:
- SEND("NA Got a challenge. We refuse to have our authority disputed");
- return;
- /* notreached */
- case NTLM_AUTHENTICATE:
- /* check against the DC */
- signal(SIGALRM, timeout_during_auth);
- alarm(30);
- cred = ntlm_check_auth((ntlm_authenticate *) decoded, decodedLen);
- alarm(0);
- signal(SIGALRM, SIG_DFL);
- if (got_timeout != 0) {
- fprintf(stderr, "ntlm-auth[%ld]: Timeout during authentication.\n", (long)getpid());
- SEND("BH Timeout during authentication");
- got_timeout = 0;
- return;
- }
- if (cred == NULL) {
- int smblib_err, smb_errorclass, smb_errorcode, nb_error;
- if (ntlm_errno == NtlmError::LoginEror) { /* hackish */
- SEND("NA Logon Failure");
- return;
- }
- /* there was an error. We have two errno's to look at.
- * libntlmssp's erno is insufficient, we'll have to look at
- * the actual SMB library error codes, to actually figure
- * out what's happening. The thing has braindamaged interfacess..*/
- smblib_err = SMB_Get_Last_Error();
- smb_errorclass = SMBlib_Error_Class(SMB_Get_Last_SMB_Err());
- smb_errorcode = SMBlib_Error_Code(SMB_Get_Last_SMB_Err());
- nb_error = RFCNB_Get_Last_Error();
- debug("No creds. SMBlib error %d, SMB error class %d, SMB error code %d, NB error %d\n",
- smblib_err, smb_errorclass, smb_errorcode, nb_error);
- /* Should I use smblib_err? Actually it seems I can do as well
- * without it.. */
- if (nb_error != 0) { /* netbios-level error */
- SEND("BH NetBios error!");
- fprintf(stderr, "NetBios error code %d (%s)\n", nb_error,
- RFCNB_Error_Strings[abs(nb_error)]);
- return;
- }
- switch (smb_errorclass) {
- case SMBC_SUCCESS:
- debug("Huh? Got a SMB success code but could check auth..");
- SEND("NA Authentication failed");
- return;
- case SMBC_ERRDOS:
- /*this is the most important one for errors */
- debug("DOS error\n");
- switch (smb_errorcode) {
- /* two categories matter to us: those which could be
- * server errors, and those which are auth errors */
- case SMBD_noaccess: /* 5 */
- SEND("NA Access denied");
- return;
- case SMBD_badformat:
- SEND("NA bad format in authentication packet");
- return;
- case SMBD_badaccess:
- SEND("NA Bad access request");
- return;
- case SMBD_baddata:
- SEND("NA Bad Data");
- return;
- default:
- SEND("BH DOS Error");
- return;
- }
- case SMBC_ERRSRV: /* server errors */
- debug("Server error");
- switch (smb_errorcode) {
- /* mostly same as above */
- case SMBV_badpw:
- SEND("NA Bad password");
- return;
- case SMBV_access:
- SEND("NA Server access error");
- return;
- default:
- SEND("BH Server Error");
- return;
- }
- case SMBC_ERRHRD: /* hardware errors don't really matter */
- SEND("BH Domain Controller Hardware error");
- return;
- case SMBC_ERRCMD:
- SEND("BH Domain Controller Command Error");
- return;
- }
- SEND("BH unknown internal error.");
- return;
- }
-
- lc(cred); /* let's lowercase them for our convenience */
- SEND2("AF %s", cred);
- return;
- default:
- SEND("BH unknown authentication packet type");
- return;
- }
- /* notreached */
- return;
- }
- if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */
- dc_disconnect();
- const char *ch = obtain_challenge();
- /* Robert says we can afford to wait forever. I'll trust him on this
- * one */
- while (ch == NULL) {
- sleep(30);
- ch = obtain_challenge();
- }
- SEND2("TT %s", ch);
- return;
- }
- SEND("BH Helper detected protocol error");
- return;
- /********* END ********/
-
-}
-
-int
-main(int argc, char *argv[])
-{
- debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", argv[0]);
-
- my_program_name = argv[0];
- process_options(argc, argv);
-
- debug("options processed OK\n");
-
- /* initialize FDescs */
- setbuf(stdout, nullptr);
- setbuf(stderr, nullptr);
-
- /* select the first domain controller we're going to use */
- current_dc = controllers;
- if (load_balance != 0 && numcontrollers > 1) {
- int n;
- pid_t pid = getpid();
- n = pid % numcontrollers;
- debug("load balancing. Selected controller #%d\n", n);
- while (n > 0) {
- current_dc = current_dc->next;
- --n;
- }
- }
- while (1) {
- manage_request();
- }
- /* notreached */
- return EXIT_SUCCESS;
-}
-
projects / thirdparty / squid.git / commitdiff
