negotiate_sspi_auth.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /*
10  * negotiate_sspi_auth: helper for Negotiate Authentication for Squid Cache
11  *
12  * (C)2005 Guido Serassio - Acme Consulting S.r.l.
13  *
14  * Authors:
15  * Guido Serassio <guido.serassio@acmeconsulting.it>
16  * Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
17  *
18  * With contributions from others mentioned in the change history section
19  * below.
20  *
21  * Based on previous work of Francesco Chemolli and Robert Collins.
22  *
23  * Dependencies: Windows 2000 and later.
24  *
25  * This program is free software; you can redistribute it and/or modify
26  * it under the terms of the GNU General Public License as published by
27  * the Free Software Foundation; either version 2 of the License, or
28  * (at your option) any later version.
29  *
30  * This program is distributed in the hope that it will be useful,
31  * but WITHOUT ANY WARRANTY; without even the implied warranty of
32  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33  * GNU General Public License for more details.
34  *
35  * You should have received a copy of the GNU General Public License
36  * along with this program; if not, write to the Free Software
37  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
38  *
39  * History:
40  *
41  * Version 1.0
42  * 29-10-2005 Guido Serassio
43  * First release.
44  */
45 
46 #include "squid.h"
47 #include "base64.h"
48 #include "helper/protocol_defines.h"
49 #include "ntlmauth/ntlmauth.h"
50 #include "ntlmauth/support_bits.cci"
51 #include "sspi/sspwin32.h"
52 #include "util.h"
53 
54 #include <cctype>
55 #if HAVE_GETOPT_H
56 #include <getopt.h>
57 #endif
58 
59 int Negotiate_packet_debug_enabled = 0;
60 static int have_serverblob;
61 
62 /* A couple of harmless helper macros */
63 #define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
64 #ifdef __GNUC__
65 #define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
66 #define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
67 #else
68 /* no gcc, no debugging. varargs macros are a gcc extension */
69 #define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
70 #define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z);
71 #endif
72 
73 /*
74  * options:
75  * -d enable debugging.
76  * -v enable verbose Negotiate packet debugging.
77  */
78 char *my_program_name = nullptr;
79 
80 static void
81 usage()
82 {
83  fprintf(stderr,
84  "Usage: %s [-d] [-v] [-h]\n"
85  " -d enable debugging.\n"
86  " -v enable verbose Negotiate packet debugging.\n"
87  " -h this message\n\n",
88  my_program_name);
89 }
90 
91 static void
92 process_options(int argc, char *argv[])
93 {
94  int opt, had_error = 0;
95 
96  opterr = 0;
97  while (-1 != (opt = getopt(argc, argv, "hdv"))) {
98  switch (opt) {
99  case 'd':
100  debug_enabled = 1;
101  break;
102  case 'v':
103  debug_enabled = 1;
104  Negotiate_packet_debug_enabled = 1;
105  break;
106  case 'h':
107  usage();
108  exit(EXIT_SUCCESS);
109  case '?':
110  opt = optopt;
111  [[fallthrough]];
112  default:
113  fprintf(stderr, "ERROR: unknown option: -%c. Exiting\n", opt);
114  usage();
115  had_error = 1;
116  }
117  }
118  if (had_error)
119  exit(EXIT_FAILURE);
120 }
121 
122 static bool
123 token_decode(size_t *decodedLen, uint8_t decoded[], const char *buf)
124 {
125  struct base64_decode_ctx ctx;
126  base64_decode_init(&ctx);
127  if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), buf) ||
128  !base64_decode_final(&ctx)) {
129  SEND("BH base64 decode failed");
130  fprintf(stderr, "ERROR: base64 decoding failed for: '%s'\n", buf);
131  return false;
132  }
133  return true;
134 }
135 
136 static int
137 manage_request()
138 {
139  char buf[HELPER_INPUT_BUFFER];
140  uint8_t decoded[HELPER_INPUT_BUFFER];
141  size_t decodedLen = 0;
142  char helper_command[3];
143  char *c;
144  int status;
145  int oversized = 0;
146  char *ErrorMessage;
147  static char cred[SSP_MAX_CRED_LEN + 1];
148  BOOL Done = FALSE;
149 
150  do {
151  if (fgets(buf, HELPER_INPUT_BUFFER, stdin))
152  return 0;
153 
154  c = static_cast<char*>(memchr(buf, '\n', HELPER_INPUT_BUFFER));
155  if (c) {
156  if (oversized) {
157  SEND("BH illegal request received");
158  fprintf(stderr, "ERROR: Illegal request received: '%s'\n", buf);
159  return 1;
160  }
161  *c = '\0';
162  } else {
163  fprintf(stderr, "No newline in '%s'\n", buf);
164  oversized = 1;
165  }
166  } while (!c);
167 
168  if ((strlen(buf) > 3) && Negotiate_packet_debug_enabled) {
169  if (!token_decode(&decodedLen, decoded, buf+3))
170  return 1;
171  xstrncpy(helper_command, buf, sizeof(helper_command));
172  debug("Got '%s' from Squid with data:\n", helper_command);
173  hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
174  } else
175  debug("Got '%s' from Squid\n", buf);
176 
177  if (memcmp(buf, "YR ", 3) == 0) { /* refresh-request */
178  /* figure out what we got */
179  if (!decodedLen /* already decoded */ && !token_decode(&decodedLen, decoded, buf+3))
180  return 1;
181  if (decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
182  SEND("NA * Packet format error");
183  return 1;
184  }
185  /* Obtain server blob against SSPI */
186  c = (char *) SSP_MakeNegotiateBlob(decoded, decodedLen, &Done, &status, cred);
187 
188  if (status == SSP_OK) {
189  if (Done) {
190  lc(cred); /* let's lowercase them for our convenience */
191  have_serverblob = 0;
192  Done = FALSE;
193  if (Negotiate_packet_debug_enabled) {
194  if (!token_decode(&decodedLen, decoded, c))
195  return 1;
196  debug("sending 'AF' %s to squid with data:\n", cred);
197  if (c != NULL)
198  hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
199  else
200  fprintf(stderr, "No data available.\n");
201  printf("AF %s %s\n", c, cred);
202  } else
203  SEND3("AF %s %s", c, cred);
204  } else {
205  if (Negotiate_packet_debug_enabled) {
206  if (!token_decode(&decodedLen, decoded, c))
207  return 1;
208  debug("sending 'TT' to squid with data:\n");
209  hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
210  printf("TT %s\n", c);
211  } else {
212  SEND2("TT %s", c);
213  }
214  have_serverblob = 1;
215  }
216  } else
217  SEND("BH can't obtain server blob");
218  return 1;
219  }
220  if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */
221  if (!have_serverblob) {
222  SEND("BH invalid server blob");
223  return 1;
224  }
225  /* figure out what we got */
226  if (!decodedLen /* already decoded */ && !token_decode(&decodedLen, decoded, buf+3))
227  return 1;
228  if (decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */
229  SEND("NA * Packet format error");
230  return 1;
231  }
232  /* check against SSPI */
233  c = (char *) SSP_ValidateNegotiateCredentials(decoded, decodedLen, &Done, &status, cred);
234 
235  if (status == SSP_ERROR) {
236  FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
237  FORMAT_MESSAGE_IGNORE_INSERTS,
238  nullptr,
239  GetLastError(),
240  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
241  (LPTSTR) & ErrorMessage,
242  0,
243  nullptr);
244  if (ErrorMessage[strlen(ErrorMessage) - 1] == '\n')
245  ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
246  if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r')
247  ErrorMessage[strlen(ErrorMessage) - 1] = '\0';
248  SEND2("NA * %s", ErrorMessage);
249  LocalFree(ErrorMessage);
250  return 1;
251  }
252  if (Done) {
253  lc(cred); /* let's lowercase them for our convenience */
254  have_serverblob = 0;
255  Done = FALSE;
256  if (Negotiate_packet_debug_enabled) {
257  if (!token_decode(&decodedLen, decoded, c))
258  return 1;
259  debug("sending 'AF' %s to squid with data:\n", cred);
260  if (c != NULL)
261  hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
262  else
263  fprintf(stderr, "No data available.\n");
264  printf("AF %s %s\n", c, cred);
265  } else {
266  SEND3("AF %s %s", c, cred);
267  }
268  return 1;
269  } else {
270  if (Negotiate_packet_debug_enabled) {
271  if (!token_decode(&decodedLen, decoded, c))
272  return 1;
273  debug("sending 'TT' to squid with data:\n");
274  hex_dump(reinterpret_cast<unsigned char*>(decoded), decodedLen);
275  printf("TT %s\n", c);
276  } else
277  SEND2("TT %s", c);
278  return 1;
279  }
280 
281  } else { /* not an auth-request */
282  SEND("BH illegal request received");
283  fprintf(stderr, "Illegal request received: '%s'\n", buf);
284  return 1;
285  }
286  SEND("BH detected protocol error");
287  return 1;
288  /********* END ********/
289 }
290 
291 int
292 main(int argc, char *argv[])
293 {
294  my_program_name = argv[0];
295 
296  process_options(argc, argv);
297 
298  debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name);
299 
300  if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) {
301  fprintf(stderr, "FATAL: %s: can't initialize SSPI, exiting.\n", argv[0]);
302  exit(EXIT_FAILURE);
303  }
304  debug("SSPI initialized OK\n");
305 
306  atexit(UnloadSecurityDll);
307 
308  /* initialize FDescs */
309  setbuf(stdout, nullptr);
310  setbuf(stderr, nullptr);
311 
312  while (manage_request()) {
313  /* everything is done within manage_request */
314  }
315  return EXIT_SUCCESS;
316 }
317 
support_bits.cci
main
int main(int argc, char *argv[])
Definition: negotiate_sspi_auth.cc:292
opterr
int opterr
Definition: getopt.c:47
FALSE
#define FALSE
Definition: std-includes.h:56
debug
void debug(const char *format,...)
Definition: debug.cc:19
base64_decode_init
void base64_decode_init(struct base64_decode_ctx *ctx)
Definition: base64.c:54
SEND2
#define SEND2(X, Y)
Definition: negotiate_sspi_auth.cc:69
LoadSecurityDll
HMODULE LoadSecurityDll(int mode, const char *SSP_Package)
Definition: sspwin32.cc:104
xstrncpy
char * xstrncpy(char *dst, const char *src, size_t n)
Definition: xstring.cc:37
_ntlmhdr
Definition: ntlmauth.h:76
usage
static void usage()
Definition: negotiate_sspi_auth.cc:81
base64_decode_ctx
Definition: base64.h:122
getopt
int getopt(int nargc, char *const *nargv, const char *ostr)
Definition: getopt.c:62
my_program_name
char * my_program_name
Definition: negotiate_sspi_auth.cc:78
base64_decode_final
int base64_decode_final(struct base64_decode_ctx *ctx)
Definition: base64.c:159
NULL
#define NULL
Definition: types.h:145
lc
void lc(char *string)
Definition: support_bits.cci:33
SSP_MAX_CRED_LEN
#define SSP_MAX_CRED_LEN
Definition: sspwin32.h:45
SEND3
#define SEND3(X, Y, Z)
Definition: negotiate_sspi_auth.cc:70
debug_enabled
int debug_enabled
Definition: debug.cc:13
Negotiate_packet_debug_enabled
int Negotiate_packet_debug_enabled
Definition: negotiate_sspi_auth.cc:59
UnloadSecurityDll
void UnloadSecurityDll(void)
Definition: sspwin32.cc:77
base64_decode_update
int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src)
Definition: base64.c:129
manage_request
static int manage_request()
Definition: negotiate_sspi_auth.cc:137
SSP_NTLM
#define SSP_NTLM
Definition: sspwin32.h:43
HELPER_INPUT_BUFFER
#define HELPER_INPUT_BUFFER
Definition: UserRequest.cc:24
SEND
#define SEND(X)
Definition: negotiate_sspi_auth.cc:63
SSP_ERROR
#define SSP_ERROR
Definition: sspwin32.h:50
optopt
int optopt
Definition: getopt.c:49
NEGOTIATE_PACKAGE_NAME
#define NEGOTIATE_PACKAGE_NAME
Definition: sspwin32.h:19
VERSION
#define VERSION
Definition: negotiate_wrapper.cc:61
SSP_OK
#define SSP_OK
Definition: sspwin32.h:49
process_options
static void process_options(int argc, char *argv[])
Definition: negotiate_sspi_auth.cc:92
protocol_defines.h
BOOL
#define BOOL
Definition: std-includes.h:38
token_decode
static bool token_decode(size_t *decodedLen, uint8_t decoded[], const char *buf)
Definition: negotiate_sspi_auth.cc:123
hex_dump
void hex_dump(unsigned char *data, int size)
Definition: support_bits.cci:43
have_serverblob
static int have_serverblob
Definition: negotiate_sspi_auth.cc:60

 

Introduction

Documentation

Support

Miscellaneous