Squid Web Cache master
Loading...
Searching...
No Matches
negotiate_sspi_auth.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/*
10 * negotiate_sspi_auth: helper for Negotiate Authentication for Squid Cache
11 *
12 * (C)2005 Guido Serassio - Acme Consulting S.r.l.
13 *
14 * Authors:
15 * Guido Serassio <guido.serassio@acmeconsulting.it>
16 * Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
17 *
18 * With contributions from others mentioned in the change history section
19 * below.
20 *
21 * Based on previous work of Francesco Chemolli and Robert Collins.
22 *
23 * Dependencies: Windows 2000 and later.
24 *
25 * This program is free software; you can redistribute it and/or modify
26 * it under the terms of the GNU General Public License as published by
27 * the Free Software Foundation; either version 2 of the License, or
28 * (at your option) any later version.
29 *
30 * This program is distributed in the hope that it will be useful,
31 * but WITHOUT ANY WARRANTY; without even the implied warranty of
32 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33 * GNU General Public License for more details.
34 *
35 * You should have received a copy of the GNU General Public License
36 * along with this program; if not, write to the Free Software
37 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
38 *
39 * History:
40 *
41 * Version 1.0
42 * 29-10-2005 Guido Serassio
43 * First release.
44 */
45
46#include "squid.h"
47#include "base64.h"
48#include "helper/protocol_defines.h"
49#include "ntlmauth/ntlmauth.h"
50#include "ntlmauth/support_bits.cci"
51#include "sspi/sspwin32.h"
52#include "util.h"
53
54#include <cctype>
55#if HAVE_GETOPT_H
56#include <getopt.h>
57#endif
58
59int Negotiate_packet_debug_enabled = 0;
60static int have_serverblob;
61
62/* A couple of harmless helper macros */
63#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
64#ifdef __GNUC__
65#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
66#define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
67#else
68/* no gcc, no debugging. varargs macros are a gcc extension */
69#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
70#define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
71#endif
72
73/*
74 * options:
75 * -d enable debugging.
76 * -v enable verbose Negotiate packet debugging.
77 */
78char *my_program_name = nullptr;
79
80static void
81usage()
82{
83 fprintf(stderr,
84 "Usage: %s [-d] [-v] [-h]\n"
85 " -d enable debugging.\n"
86 " -v enable verbose Negotiate packet debugging.\n"
87 " -h this message\n\n",
88 my_program_name);
89}
90
91static void
92process_options(int argc, char *argv[])
93{
94 int opt, had_error = 0;
95
96 opterr = 0;
97 while (-1 != (opt = getopt(argc, argv, "hdv"))) {
98 switch (opt) {
99 case 'd':
100 debug_enabled = 1;
101 break;
102 case 'v':
103 debug_enabled = 1;
104 Negotiate_packet_debug_enabled = 1;
105 break;
106 case 'h':
107 usage();
108 exit(EXIT_SUCCESS);
109 case '?':
110 opt = optopt;
111 [[fallthrough]];
112 default:
113 fprintf(stderr, "ERROR: unknown option: -%c. Exiting\n", opt);
114 usage();
115 had_error = 1;
116 }
117 }
118 if (had_error)
119 exit(EXIT_FAILURE);
120}
121
122static bool
123token_decode(size_t *decodedLen, uint8_t decoded[], const char *buf)
124{
125 struct base64_decode_ctx ctx;
126 base64_decode_init(&ctx);
127 if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), buf) ||
128 !base64_decode_final(&ctx)) {
129 SEND("BH base64 decode failed");
130 fprintf(stderr, "ERROR: base64 decoding failed for: '%s'\n", buf);
131 return false;
132 }
133 return true;
134}
135
136static int
137manage_request()
138{
139 char buf[HELPER_INPUT_BUFFER];
140 uint8_t decoded[HELPER_INPUT_BUFFER];
141 size_t decodedLen = 0;
142 char helper_command[3];
143 char *c;
144 int status;
145 int oversized = 0;
146 char *ErrorMessage;
147 static char cred[SSP_MAX_CRED_LEN + 1];
148 BOOL Done = FALSE;
149
150 do {
151 if (!fgets(buf, HELPER_INPUT_BUFFER, stdin))
152 return 0;
153
154 c = static_cast<char*>(memchr(buf, '\n', HELPER_INPUT_BUFFER));
155 if (c) {
156 if (oversized) {
157 SEND("BH illegal request received");
158 fprintf(stderr, "ERROR: Illegal request received: '%s'\n", buf);
159 return 1;
160 }
161 *c = '\0';
162 } else {
163 fprintf(stderr, "No newline in '%s'\n", buf);
164 oversized = 1;
165 }
166 } while (!c);
167
168 if ((strlen(buf) > 3) && Negotiate_packet_debug_enabled) {
169 if (!token_decode(&decodedLen, decoded, buf+3))
170 return 1;
171 xstrncpy(helper_command, buf, sizeof(helper_command));
172 debug("Got '%s' from Squid with data:\n", helper_command);
173 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
174 } else
175 debug("Got '%s' from Squid\n", buf);
176
177 if (memcmp(buf, "YR ", 3) == 0) { /* refresh-request */
178 /* figure out what we got */
179 if (!decodedLen /* already decoded */ && !token_decode(&decodedLen, decoded, buf+3))
180 return 1;
181 if (decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
182 SEND("NA * Packet format error");
183 return 1;
184 }
185 /* Obtain server blob against SSPI */
186 c = (char *) SSP_MakeNegotiateBlob(decoded, decodedLen, &Done, &status, cred);
187
188 if (status == SSP_OK) {
189 if (Done) {
190 lc(cred); /* let's lowercase them for our convenience */
191 have_serverblob = 0;
192 Done = FALSE;
193 if (Negotiate_packet_debug_enabled) {
194 if (!token_decode(&decodedLen, decoded, c))
195 return 1;
196 debug("sending 'AF' %s to squid with data:\n", cred);
197 if (c != NULL)
198 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
199 else
200 fprintf(stderr, "No data available.\n");
201 printf("AF %s %s\n", c, cred);
202 } else
203 SEND3("AF %s %s", c, cred);
204 } else {
205 if (Negotiate_packet_debug_enabled) {
206 if (!token_decode(&decodedLen, decoded, c))
207 return 1;
208 debug("sending 'TT' to squid with data:\n");
209 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
210 printf("TT %s\n", c);
211 } else {
212 SEND2("TT %s", c);
213 }
214 have_serverblob = 1;
215 }
216 } else
217 SEND("BH can't obtain server blob");
218 return 1;
219 }
220 if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
221 if (!have_serverblob) {
222 SEND("BH invalid server blob");
223 return 1;
224 }
225 /* figure out what we got */
226 if (!decodedLen /* already decoded */ && !token_decode(&decodedLen, decoded, buf+3))
227 return 1;
228 if (decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
229 SEND("NA * Packet format error");
230 return 1;
231 }
232 /* check against SSPI */
233 c = (char *) SSP_ValidateNegotiateCredentials(decoded, decodedLen, &Done, &status, cred);
234
235 if (status == SSP_ERROR) {
236 const auto n = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
237 FORMAT_MESSAGE_IGNORE_INSERTS,
238 nullptr,
239 GetLastError(),
240 MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
241 (LPTSTR) & ErrorMessage,
242 0,
243 nullptr);
244 if (!n) {
245 SEND2("NA * Windows error: %s", GetLastError());
246 return 1;
247 }
248 if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
249 ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
250 if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
251 ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
252 SEND2("NA * %s", ErrorMessage);
253 LocalFree(ErrorMessage);
254 return 1;
255 }
256 if (Done) {
257 lc(cred); /* let's lowercase them for our convenience */
258 have_serverblob = 0;
259 Done = FALSE;
260 if (Negotiate_packet_debug_enabled) {
261 if (!token_decode(&decodedLen, decoded, c))
262 return 1;
263 debug("sending 'AF' %s to squid with data:\n", cred);
264 if (c != NULL)
265 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
266 else
267 fprintf(stderr, "No data available.\n");
268 printf("AF %s %s\n", c, cred);
269 } else {
270 SEND3("AF %s %s", c, cred);
271 }
272 return 1;
273 } else {
274 if (Negotiate_packet_debug_enabled) {
275 if (!token_decode(&decodedLen, decoded, c))
276 return 1;
277 debug("sending 'TT' to squid with data:\n");
278 hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
279 printf("TT %s\n", c);
280 } else
281 SEND2("TT %s", c);
282 return 1;
283 }
284
285 } else { /* not an auth-request */
286 SEND("BH illegal request received");
287 fprintf(stderr, "Illegal request received: '%s'\n", buf);
288 return 1;
289 }
290 SEND("BH detected protocol error");
291 return 1;
292 /********* END ********/
293}
294
295int
296main(int argc, char *argv[])
297{
298 my_program_name = argv[0];
299
300 process_options(argc, argv);
301
302 debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name);
303
304 if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) {
305 fprintf(stderr, "FATAL: %s: can't initialize SSPI, exiting.\n", argv[0]);
306 exit(EXIT_FAILURE);
307 }
308 debug("SSPI initialized OK\n");
309
310 atexit(UnloadSecurityDll);
311
312 /* initialize FDescs */
313 setbuf(stdout, nullptr);
314 setbuf(stderr, nullptr);
315
316 while (manage_request()) {
317 /* everything is done within manage_request */
318 }
319 return EXIT_SUCCESS;
320}
321
VERSION
#define VERSION
Definition autoconf.h:1683
SQUID_BUILD_INFO
#define SQUID_BUILD_INFO
Definition autoconf.h:1426
base64_decode_init
void base64_decode_init(struct base64_decode_ctx *ctx)
Definition base64.c:54
base64_decode_update
int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src)
Definition base64.c:129
base64_decode_final
int base64_decode_final(struct base64_decode_ctx *ctx)
Definition base64.c:159
HELPER_INPUT_BUFFER
#define HELPER_INPUT_BUFFER
Definition UserRequest.cc:24
debug_enabled
int debug_enabled
Definition debug.cc:13
debug
void debug(const char *format,...)
Definition debug.cc:19
FALSE
#define FALSE
Definition defines.h:16
optopt
int optopt
Definition getopt.c:49
getopt
int getopt(int nargc, char *const *nargv, const char *ostr)
Definition getopt.c:62
opterr
int opterr
Definition getopt.c:47
main
int main()
Definition kerberos_ldap_group.cc:492
SEND3
#define SEND3(X, Y, Z)
Definition negotiate_sspi_auth.cc:70
token_decode
static bool token_decode(size_t *decodedLen, uint8_t decoded[], const char *buf)
Definition negotiate_sspi_auth.cc:123
SEND
#define SEND(X)
Definition negotiate_sspi_auth.cc:63
manage_request
static int manage_request()
Definition negotiate_sspi_auth.cc:137
usage
static void usage()
Definition negotiate_sspi_auth.cc:81
process_options
static void process_options(int argc, char *argv[])
Definition negotiate_sspi_auth.cc:92
my_program_name
char * my_program_name
Definition negotiate_sspi_auth.cc:78
have_serverblob
static int have_serverblob
Definition negotiate_sspi_auth.cc:60
Negotiate_packet_debug_enabled
int Negotiate_packet_debug_enabled
Definition negotiate_sspi_auth.cc:59
SEND2
#define SEND2(X, Y)
Definition negotiate_sspi_auth.cc:69
protocol_defines.h
UnloadSecurityDll
void UnloadSecurityDll(void)
Definition sspwin32.cc:77
LoadSecurityDll
HMODULE LoadSecurityDll(int mode, const char *SSP_Package)
Definition sspwin32.cc:104
SSP_MAX_CRED_LEN
#define SSP_MAX_CRED_LEN
Definition sspwin32.h:45
SSP_OK
#define SSP_OK
Definition sspwin32.h:49
NEGOTIATE_PACKAGE_NAME
#define NEGOTIATE_PACKAGE_NAME
Definition sspwin32.h:19
SSP_NTLM
#define SSP_NTLM
Definition sspwin32.h:43
SSP_ERROR
#define SSP_ERROR
Definition sspwin32.h:50
_ntlmhdr
Definition ntlmauth.h:76
base64_decode_ctx
Definition base64.h:123
support_bits.cci
lc
void lc(char *string)
Definition support_bits.cci:33
hex_dump
void hex_dump(unsigned char *data, int size)
Definition support_bits.cci:43
NULL
#define NULL
Definition types.h:145
xstrncpy
char * xstrncpy(char *dst, const char *src, size_t n)
Definition xstring.cc:37