negotiate_sspi_auth.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/*
10 * negotiate_sspi_auth: helper for Negotiate Authentication for Squid Cache
11 *
12 * (C)2005 Guido Serassio - Acme Consulting S.r.l.
13 *
14 * Authors:
15 * Guido Serassio <guido.serassio@acmeconsulting.it>
16 * Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
17 *
18 * With contributions from others mentioned in the change history section
19 * below.
20 *
21 * Based on previous work of Francesco Chemolli and Robert Collins.
22 *
23 * Dependencies: Windows 2000 and later.
24 *
25 * This program is free software; you can redistribute it and/or modify
26 * it under the terms of the GNU General Public License as published by
27 * the Free Software Foundation; either version 2 of the License, or
28 * (at your option) any later version.
29 *
30 * This program is distributed in the hope that it will be useful,
31 * but WITHOUT ANY WARRANTY; without even the implied warranty of
32 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33 * GNU General Public License for more details.
34 *
35 * You should have received a copy of the GNU General Public License
36 * along with this program; if not, write to the Free Software
37 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
38 *
39 * History:
40 *
41 * Version 1.0
42 * 29-10-2005 Guido Serassio
43 * First release.
44 */
45
46#include "squid.h"
47#include "base64.h"
48#include "helper/protocol_defines.h"
49#include "ntlmauth/ntlmauth.h"
50#include "ntlmauth/support_bits.cci"
51#include "sspi/sspwin32.h"
52#include "util.h"
53
54#include <cctype>
55#if HAVE_GETOPT_H
56#include <getopt.h>
57#endif
58
59int Negotiate_packet_debug_enabled = 0;
60static int have_serverblob;
61
62/* A couple of harmless helper macros */
63#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
64#ifdef __GNUC__
65#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
66#define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
67#else
68/* no gcc, no debugging. varargs macros are a gcc extension */
69#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
70#define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
71#endif
72
73char *negotiate_check_auth(SSP_blobP auth, int auth_length);
74
75/*
76 * options:
77 * -d enable debugging.
78 * -v enable verbose Negotiate packet debugging.
79 */
80char *my_program_name = nullptr;
81
82void
83usage()
84{
85 fprintf(stderr,
86 "Usage: %s [-d] [-v] [-h]\n"
87 " -d enable debugging.\n"
88 " -v enable verbose Negotiate packet debugging.\n"
89 " -h this message\n\n",
90 my_program_name);
91}
92
93void
94process_options(int argc, char *argv[])
95{
96 int opt, had_error = 0;
97
98 opterr = 0;
99 while (-1 != (opt = getopt(argc, argv, "hdv"))) {
100 switch (opt) {
101 case 'd':
102 debug_enabled = 1;
103 break;
104 case 'v':
105 debug_enabled = 1;
106 Negotiate_packet_debug_enabled = 1;
107 break;
108 case 'h':
109 usage();
110 exit(EXIT_SUCCESS);
111 case '?':
112 opt = optopt;
113 [[fallthrough]];
114 default:
115 fprintf(stderr, "ERROR: unknown option: -%c. Exiting\n", opt);
116 usage();
117 had_error = 1;
118 }
119 }
120 if (had_error)
121 exit(EXIT_FAILURE);
122}
123
124static bool
125token_decode(size_t *decodedLen, uint8_t decoded[], const char *buf)
126{
127 struct base64_decode_ctx ctx;
128 base64_decode_init(&ctx);
129 if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), buf) ||
130 !base64_decode_final(&ctx)) {
131 SEND("BH base64 decode failed");
132 fprintf(stderr, "ERROR: base64 decoding failed for: '%s'\n", buf);
133 return false;
134 }
135 return true;
136}
137
138int
139manage_request()
140{
141 char buf[HELPER_INPUT_BUFFER];
142 uint8_t decoded[HELPER_INPUT_BUFFER];
143 size_t decodedLen = 0;
144 char helper_command[3];
145 char *c;
146 int status;
147 int oversized = 0;
148 char *ErrorMessage;
149 static char cred[SSP_MAX_CRED_LEN + 1];
150 BOOL Done = FALSE;
151
152 do {
153 if (fgets(buf, HELPER_INPUT_BUFFER, stdin))
154 return 0;
155
156 c = static_cast<char*>(memchr(buf, '\n', HELPER_INPUT_BUFFER));
157 if (c) {
158 if (oversized) {
159 SEND("BH illegal request received");
160 fprintf(stderr, "ERROR: Illegal request received: '%s'\n", buf);
161 return 1;
162 }
163 *c = '\0';
164 } else {
165 fprintf(stderr, "No newline in '%s'\n", buf);
166 oversized = 1;
167 }
168 } while (!c);
169
170 if ((strlen(buf) > 3) && Negotiate_packet_debug_enabled) {
171 if (!token_decode(&decodedLen, decoded, buf+3))
172 return 1;
173 strncpy(helper_command, buf, 2);
174 debug("Got '%s' from Squid with data:\n", helper_command);
175 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
176 } else
177 debug("Got '%s' from Squid\n", buf);
178
179 if (memcmp(buf, "YR ", 3) == 0) { /* refresh-request */
180 /* figure out what we got */
181 if (!decodedLen /* already decoded */ && !token_decode(&decodedLen, decoded, buf+3))
182 return 1;
183 if (decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
184 SEND("NA * Packet format error");
185 return 1;
186 }
187 /* Obtain server blob against SSPI */
188 c = (char *) SSP_MakeNegotiateBlob(decoded, decodedLen, &Done, &status, cred);
189
190 if (status == SSP_OK) {
191 if (Done) {
192 lc(cred); /* let's lowercase them for our convenience */
193 have_serverblob = 0;
194 Done = FALSE;
195 if (Negotiate_packet_debug_enabled) {
196 if (!token_decode(&decodedLen, decoded, c))
197 return 1;
198 debug("sending 'AF' %s to squid with data:\n", cred);
199 if (c != NULL)
200 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
201 else
202 fprintf(stderr, "No data available.\n");
203 printf("AF %s %s\n", c, cred);
204 } else
205 SEND3("AF %s %s", c, cred);
206 } else {
207 if (Negotiate_packet_debug_enabled) {
208 if (!token_decode(&decodedLen, decoded, c))
209 return 1;
210 debug("sending 'TT' to squid with data:\n");
211 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
212 printf("TT %s\n", c);
213 } else {
214 SEND2("TT %s", c);
215 }
216 have_serverblob = 1;
217 }
218 } else
219 SEND("BH can't obtain server blob");
220 return 1;
221 }
222 if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
223 if (!have_serverblob) {
224 SEND("BH invalid server blob");
225 return 1;
226 }
227 /* figure out what we got */
228 if (!decodedLen /* already decoded */ && !token_decode(&decodedLen, decoded, buf+3))
229 return 1;
230 if (decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
231 SEND("NA * Packet format error");
232 return 1;
233 }
234 /* check against SSPI */
235 c = (char *) SSP_ValidateNegotiateCredentials(decoded, decodedLen, &Done, &status, cred);
236
237 if (status == SSP_ERROR) {
238 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
239 FORMAT_MESSAGE_IGNORE_INSERTS,
240 nullptr,
241 GetLastError(),
242 MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
243 (LPTSTR) & ErrorMessage,
244 0,
245 nullptr);
246 if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
247 ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
248 if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
249 ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
250 SEND2("NA * %s", ErrorMessage);
251 LocalFree(ErrorMessage);
252 return 1;
253 }
254 if (Done) {
255 lc(cred); /* let's lowercase them for our convenience */
256 have_serverblob = 0;
257 Done = FALSE;
258 if (Negotiate_packet_debug_enabled) {
259 if (!token_decode(&decodedLen, decoded, c))
260 return 1;
261 debug("sending 'AF' %s to squid with data:\n", cred);
262 if (c != NULL)
263 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
264 else
265 fprintf(stderr, "No data available.\n");
266 printf("AF %s %s\n", c, cred);
267 } else {
268 SEND3("AF %s %s", c, cred);
269 }
270 return 1;
271 } else {
272 if (Negotiate_packet_debug_enabled) {
273 if (!token_decode(&decodedLen, decoded, c))
274 return 1;
275 debug("sending 'TT' to squid with data:\n");
276 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
277 printf("TT %s\n", c);
278 } else
279 SEND2("TT %s", c);
280 return 1;
281 }
282
283 } else { /* not an auth-request */
284 SEND("BH illegal request received");
285 fprintf(stderr, "Illegal request received: '%s'\n", buf);
286 return 1;
287 }
288 SEND("BH detected protocol error");
289 return 1;
290 /********* END ********/
291}
292
293int
294main(int argc, char *argv[])
295{
296 my_program_name = argv[0];
297
298 process_options(argc, argv);
299
300 debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name);
301
302 if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) {
303 fprintf(stderr, "FATAL: %s: can't initialize SSPI, exiting.\n", argv[0]);
304 exit(EXIT_FAILURE);
305 }
306 debug("SSPI initialized OK\n");
307
308 atexit(UnloadSecurityDll);
309
310 /* initialize FDescs */
311 setbuf(stdout, nullptr);
312 setbuf(stderr, nullptr);
313
314 while (manage_request()) {
315 /* everything is done within manage_request */
316 }
317 return EXIT_SUCCESS;
318}
319
base64_decode_init
void base64_decode_init(struct base64_decode_ctx *ctx)
Definition: base64.c:54
base64_decode_update
int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src)
Definition: base64.c:129
base64_decode_final
int base64_decode_final(struct base64_decode_ctx *ctx)
Definition: base64.c:159
HELPER_INPUT_BUFFER
#define HELPER_INPUT_BUFFER
Definition: UserRequest.cc:24
debug_enabled
int debug_enabled
Definition: debug.cc:13
debug
void debug(const char *format,...)
Definition: debug.cc:19
optopt
int optopt
Definition: getopt.c:49
getopt
int getopt(int nargc, char *const *nargv, const char *ostr)
Definition: getopt.c:62
opterr
int opterr
Definition: getopt.c:47
SEND3
#define SEND3(X, Y, Z)
Definition: negotiate_sspi_auth.cc:70
token_decode
static bool token_decode(size_t *decodedLen, uint8_t decoded[], const char *buf)
Definition: negotiate_sspi_auth.cc:125
main
int main(int argc, char *argv[])
Definition: negotiate_sspi_auth.cc:294
manage_request
int manage_request()
Definition: negotiate_sspi_auth.cc:139
usage
void usage()
Definition: negotiate_sspi_auth.cc:83
SEND
#define SEND(X)
Definition: negotiate_sspi_auth.cc:63
my_program_name
char * my_program_name
Definition: negotiate_sspi_auth.cc:80
process_options
void process_options(int argc, char *argv[])
Definition: negotiate_sspi_auth.cc:94
negotiate_check_auth
char * negotiate_check_auth(SSP_blobP auth, int auth_length)
have_serverblob
static int have_serverblob
Definition: negotiate_sspi_auth.cc:60
Negotiate_packet_debug_enabled
int Negotiate_packet_debug_enabled
Definition: negotiate_sspi_auth.cc:59
SEND2
#define SEND2(X, Y)
Definition: negotiate_sspi_auth.cc:69
VERSION
#define VERSION
Definition: negotiate_wrapper.cc:60
protocol_defines.h
UnloadSecurityDll
void UnloadSecurityDll(void)
Definition: sspwin32.cc:77
LoadSecurityDll
HMODULE LoadSecurityDll(int mode, const char *SSP_Package)
Definition: sspwin32.cc:104
SSP_MAX_CRED_LEN
#define SSP_MAX_CRED_LEN
Definition: sspwin32.h:45
SSP_blobP
char * SSP_blobP
Definition: sspwin32.h:37
SSP_OK
#define SSP_OK
Definition: sspwin32.h:49
NEGOTIATE_PACKAGE_NAME
#define NEGOTIATE_PACKAGE_NAME
Definition: sspwin32.h:19
SSP_NTLM
#define SSP_NTLM
Definition: sspwin32.h:43
SSP_ERROR
#define SSP_ERROR
Definition: sspwin32.h:50
FALSE
#define FALSE
Definition: std-includes.h:56
BOOL
#define BOOL
Definition: std-includes.h:38
_ntlmhdr
Definition: ntlmauth.h:80
base64_decode_ctx
Definition: base64.h:123
support_bits.cci
lc
void lc(char *string)
Definition: support_bits.cci:33
hex_dump
void hex_dump(unsigned char *data, int size)
Definition: support_bits.cci:43
NULL
#define NULL
Definition: types.h:145

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors