Context Navigation

source: squid-ssl/trunk/fuentes/helpers/digest_auth/file/text_backend.cc @ 5495

Last change on this file since 5495 was 5495, checked in by Juanma, 4 years ago
Initial release
File size: 5.9 KB

Line
1	/*
2	* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3	*
4	* Squid software is distributed under GPLv2+ license and includes
5	* contributions from numerous individuals and organizations.
6	* Please see the COPYING and CONTRIBUTORS files for details.
7	*/
8
9	/*
10	* AUTHOR: Robert Collins.
11	* Based on ncsa_auth.c by Arjan de Vet <Arjan.deVet@adv.iae.nl>
12	*
13	* Example digest auth text backend for Squid, based on the original
14	* proxy_auth code from client_side.c, written by
15	* Jon Thackray <jrmt@uk.gdscorp.com>.
16	*
17	* - comment lines are possible and should start with a '#';
18	* - empty or blank lines are possible;
19	* - file format is username:plaintext or username:realm:HA1
20	*
21	* To build a directory integrated backend, you need to be able to
22	* calculate the HA1 returned to squid. To avoid storing a plaintext
23	* password you can calculate MD5(username:realm:password) when the
24	* user changes their password, and store the tuple username:realm:HA1.
25	* then find the matching username:realm when squid asks for the
26	* HA1.
27	*
28	* This implementation could be improved by using such a triple for
29	* the file format. However storing such a triple does little to
30	* improve security: If compromised the username:realm:HA1 combination
31	* is "plaintext equivalent" - for the purposes of digest authentication
32	* they allow the user access. Password syncronisation is not tackled
33	* by digest - just preventing on the wire compromise.
34	*
35	* Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
36	*/
37
38	#include "squid.h"
39	#include "text_backend.h"
40
41	static hash_table *hash = NULL;
42	static HASHFREE my_free;
43	static char *passwdfile = NULL;
44	static int ha1mode = 0;
45	static time_t change_time = 0;
46
47	typedef struct _user_data {
48	hash_link hash;
49	char *passwd;
50	char *ha1;
51	} user_data;
52
53	static void
54	my_free(void *p)
55	{
56	user_data u = static_cast<user_data>(p);
57	xfree(u->hash.key);
58	xfree(u->passwd);
59	xfree(u);
60	}
61
62	static void
63	read_passwd_file(const char *passwordFile, int isHa1Mode)
64	{
65	char buf[8192];
66	user_data *u;
67	char *user;
68	char *passwd;
69	char *ha1 = NULL;
70	char *realm;
71
72	if (hash != NULL) {
73	hashFreeItems(hash, my_free);
74	}
75	/* initial setup */
76	hash = hash_create((HASHCMP *) strcmp, 7921, hash_string);
77	if (NULL == hash) {
78	fprintf(stderr, "digest_file_auth: cannot create hash table\n");
79	exit(1);
80	}
81	FILE *f = fopen(passwordFile, "r");
82	if (!f) {
83	fprintf(stderr, "digest_file_auth: cannot open password file: %s\n", xstrerror());
84	exit(1);
85	}
86	unsigned int lineCount = 0;
87	while (fgets(buf, sizeof(buf), f) != NULL) {
88	++lineCount;
89	if ((buf[0] == '#') \|\| (buf[0] == ' ') \|\| (buf[0] == '\t') \|\|
90	(buf[0] == '\n'))
91	continue;
92	user = strtok(buf, ":\n");
93	if (!user) {
94	fprintf(stderr, "digest_file_auth: missing user name at line %u in '%s'\n", lineCount, passwordFile);
95	continue;
96	}
97	realm = strtok(NULL, ":\n");
98	passwd = strtok(NULL, ":\n");
99	if (!passwd) {
100	passwd = realm;
101	realm = NULL;
102	}
103	if ((strlen(user) > 0) && passwd) {
104	if (strncmp(passwd, "{HHA1}", 6) == 0) {
105	ha1 = passwd + 6;
106	passwd = NULL;
107	} else if (isHa1Mode) {
108	ha1 = passwd;
109	passwd = NULL;
110	}
111	if (ha1 && strlen(ha1) != 32) {
112	/* We cannot accept plaintext passwords when using HA1 encoding,
113	* as the passwords may be output to cache.log if debugging is on.
114	*/
115	fprintf(stderr, "digest_file_auth: ignoring invalid password for %s\n", user);
116	continue;
117	}
118	u = static_cast<user_data>(xcalloc(1, sizeof(u)));
119	if (realm) {
120	int len = strlen(user) + strlen(realm) + 2;
121	u->hash.key = xmalloc(len);
122	snprintf(static_cast<char*>(u->hash.key), len, "%s:%s", user, realm);
123	} else {
124	u->hash.key = xstrdup(user);
125	}
126	if (ha1)
127	u->ha1 = xstrdup(ha1);
128	else
129	u->passwd = xstrdup(passwd);
130	hash_join(hash, &u->hash);
131	}
132	}
133	fclose(f);
134	}
135
136	/* replace when changing the backend */
137	void
138	TextArguments(int argc, char **argv)
139	{
140	struct stat sb;
141	if (argc == 2)
142	passwdfile = argv[1];
143	if ((argc == 3) && !strcmp("-c", argv[1])) {
144	ha1mode = 1;
145	passwdfile = argv[2];
146	}
147	if (!passwdfile) {
148	fprintf(stderr, "Usage: digest_file_auth [OPTIONS] <passwordfile>\n");
149	fprintf(stderr, " -c accept digest hashed passwords rather than plaintext in passwordfile\n");
150	exit(1);
151	}
152	if (stat(passwdfile, &sb) != 0) {
153	fprintf(stderr, "cannot stat %s\n", passwdfile);
154	exit(1);
155	}
156	}
157
158	static const user_data *
159	GetPassword(RequestData * requestData)
160	{
161	user_data *u;
162	struct stat sb;
163	char buf[256];
164	int len;
165	if (stat(passwdfile, &sb) == 0) {
166	if (sb.st_mtime != change_time) {
167	read_passwd_file(passwdfile, ha1mode);
168	change_time = sb.st_mtime;
169	}
170	}
171	if (!hash)
172	return NULL;
173	len = snprintf(buf, sizeof(buf), "%s:%s", requestData->user, requestData->realm);
174	if (len >= static_cast<int>(sizeof(buf)))
175	return NULL;
176	u = (user_data*)hash_lookup(hash, buf);
177	if (u)
178	return u;
179	u = (user_data*)hash_lookup(hash, requestData->user);
180	return u;
181	}
182
183	void
184	TextHHA1(RequestData * requestData)
185	{
186	const user_data *u = GetPassword(requestData);
187	if (!u) {
188	requestData->error = -1;
189	return;
190	}
191	if (u->ha1) {
192	xstrncpy(requestData->HHA1, u->ha1, sizeof(requestData->HHA1));
193	} else {
194	HASH HA1;
195	DigestCalcHA1("md5", requestData->user, requestData->realm, u->passwd, NULL, NULL, HA1, requestData->HHA1);
196	}
197	}
198

Note: See TracBrowser for help on using the repository browser.

Download in other formats: