static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length)
{
char *user, *pass;
user=buf;
pass=memchr(buf,' ',length);
if (!pass) {
DEBUG(2, ("Password not found. Denying access\n"));
x_fprintf(x_stdout, "ERR\n");
return;
}
*pass='******';
pass++;
if (stdio_helper_mode == SQUID_2_5_BASIC) {
rfc1738_unescape(user);
rfc1738_unescape(pass);
}
if (check_plaintext_auth(user, pass, False)) {
x_fprintf(x_stdout, "OK\n");
} else {
x_fprintf(x_stdout, "ERR\n");
}
}
static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
struct loadparm_context *lp_ctx,
char *buf, int length, void **private1,
unsigned int mux_id, void **private2)
{
char *user, *pass;
user=buf;
pass = memchr(buf, ' ', length);
if (!pass) {
DEBUG(2, ("Password not found. Denying access\n"));
mux_printf(mux_id, "ERR\n");
return;
}
*pass='******';
pass++;
if (stdio_helper_mode == SQUID_2_5_BASIC) {
rfc1738_unescape(user);
rfc1738_unescape(pass);
}
if (check_plaintext_auth(user, pass, false)) {
mux_printf(mux_id, "OK\n");
} else {
mux_printf(mux_id, "ERR\n");
}
}
int
main(int argc, char **argv)
{
struct stat sb;
time_t change_time = -1;
char buf[256];
char *user, *passwd, *p;
user_data *u;
setbuf(stdout, NULL);
if (argc != 2) {
fprintf(stderr, "Usage: ncsa_auth <passwordfile>\n");
exit(1);
}
if (stat(argv[1], &sb) != 0) {
fprintf(stderr, "cannot stat %s\n", argv[1]);
exit(1);
}
while (fgets(buf, 256, stdin) != NULL) {
if ((p = strchr(buf, '\n')) != NULL)
*p = '\0'; /* strip \n */
if (stat(argv[1], &sb) == 0) {
if (sb.st_mtime != change_time) {
read_passwd_file(argv[1]);
change_time = sb.st_mtime;
}
}
if ((user = strtok(buf, " ")) == NULL) {
printf("ERR\n");
continue;
}
if ((passwd = strtok(NULL, "")) == NULL) {
printf("ERR\n");
continue;
}
rfc1738_unescape(user);
rfc1738_unescape(passwd);
u = (user_data *) hash_lookup(hash, user);
if (u == NULL) {
printf("ERR No such user\n");
#if HAVE_CRYPT
} else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
printf("OK\n");
#endif
} else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
printf("OK\n");
} else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { /* md5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */
printf("OK\n");
} else {
printf("ERR Wrong password\n");
}
}
if (hash != NULL) {
hashFreeItems(hash, my_free);
hashFreeMemory(hash);
}
exit(0);
}
static cachemgr_request *
read_request(void)
{
char *buf;
cachemgr_request *req;
char *s;
char *t;
char *q;
if ((buf = read_post_request()) != NULL)
(void) 0;
else if ((buf = read_get_request()) != NULL)
(void) 0;
else
return NULL;
#ifdef _SQUID_MSWIN_
if (strlen(buf) == 0 || strlen(buf) == 4000)
#else
if (strlen(buf) == 0)
#endif
return NULL;
req = xcalloc(1, sizeof(cachemgr_request));
for (s = strtok(buf, "&"); s != NULL; s = strtok(NULL, "&")) {
t = xstrdup(s);
if ((q = strchr(t, '=')) == NULL)
continue;
*q++ = '\0';
rfc1738_unescape(t);
rfc1738_unescape(q);
if (0 == strcasecmp(t, "server") && strlen(q))
req->server = xstrdup(q);
else if (0 == strcasecmp(t, "host") && strlen(q))
req->hostname = xstrdup(q);
else if (0 == strcasecmp(t, "port") && strlen(q))
req->port = atoi(q);
else if (0 == strcasecmp(t, "user_name") && strlen(q))
req->user_name = xstrdup(q);
else if (0 == strcasecmp(t, "passwd") && strlen(q))
req->passwd = xstrdup(q);
else if (0 == strcasecmp(t, "auth") && strlen(q))
req->pub_auth = xstrdup(q), decode_pub_auth(req);
else if (0 == strcasecmp(t, "operation"))
req->action = xstrdup(q);
}
if (req->server && !req->hostname) {
char *p;
req->hostname = strtok(req->server, ":");
if ((p = strtok(NULL, ":")))
req->port = atoi(p);
}
make_pub_auth(req);
debug(1) fprintf(stderr, "cmgr: got req: host: '%s' port: %d uname: '%s' passwd: '%s' auth: '%s' oper: '%s'\n",
safe_str(req->hostname), req->port, safe_str(req->user_name), safe_str(req->passwd), safe_str(req->pub_auth), safe_str(req->action));
return req;
}
int
main(int argc, char **argv)
{
struct stat sb;
time_t change_time = 0;
char buf[256];
char *user, *passwd, *p;
user_data *u;
setbuf(stdout, NULL);
if (argc != 2) {
fprintf(stderr, "Usage: ncsa_auth <passwordfile>\n");
exit(1);
}
if (stat(argv[1], &sb) != 0) {
fprintf(stderr, "cannot stat %s\n", argv[1]);
exit(1);
}
while (fgets(buf, 256, stdin) != NULL) {
if ((p = strchr(buf, '\n')) != NULL)
*p = '\0'; /* strip \n */
if (stat(argv[1], &sb) == 0) {
if (sb.st_mtime != change_time) {
read_passwd_file(argv[1]);
change_time = sb.st_mtime;
}
}
if ((user = strtok(buf, " ")) == NULL) {
printf("ERR\n");
continue;
}
if ((passwd = strtok(NULL, "")) == NULL) {
printf("ERR\n");
continue;
}
rfc1738_unescape(user);
rfc1738_unescape(passwd);
u = hash_lookup(hash, user);
if (u == NULL) {
printf("ERR No such user\n");
} else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd))) {
printf("ERR Wrong password\n");
} else {
printf("OK\n");
}
}
exit(0);
}
static char *uri_unescape_alloc(const char *uritok)
{
char *ret;
ret = (char *)SMB_STRDUP(uritok);
if (!ret) return NULL;
rfc1738_unescape(ret);
return ret;
}
int
main(int argc, char **argv)
{
int auth = 0;
char buf[256];
char *user, *passwd, *p;
setbuf(stdout, NULL);
while (fgets(buf, 256, stdin) != NULL) {
if ((p = strchr(buf, '\n')) != NULL)
*p = '\0'; /* strip \n */
if ((user = strtok(buf, " ")) == NULL) {
printf(ERR);
continue;
}
if ((passwd = strtok(NULL, "")) == NULL) {
printf(ERR);
continue;
}
rfc1738_unescape(user);
rfc1738_unescape(passwd);
#if HAVE_SHADOW_H
auth = shadow_auth(user, passwd);
#else
auth = passwd_auth(user, passwd);
#endif
if (auth == 0) {
printf("ERR No such user\n");
} else {
if (auth == 2) {
printf("ERR Wrong password\n");
} else {
printf(OK);
}
}
}
exit(0);
}
int
main(int argc, char *argv[])
{
char *p;
char buf[BUFSIZE];
char *username;
char *group;
int err = 0;
const char *groups[512];
int n;
if (argc > 0) { /* should always be true */
myname = strrchr(argv[0], '/');
if (myname == NULL)
myname = argv[0];
} else {
myname = "(unknown)";
}
mypid = getpid();
setbuf(stdout, NULL);
setbuf(stderr, NULL);
/* Check Command Line */
process_options(argc, argv);
if (use_global) {
if ((machinedomain = GetDomainName()) == NULL) {
fprintf(stderr, "%s Can't read machine domain\n", myname);
exit(1);
}
strlwr(machinedomain);
if (!DefaultDomain)
DefaultDomain = xstrdup(machinedomain);
}
debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
" starting up...\n");
if (use_global)
debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
if (use_case_insensitive_compare)
debug("Warning: running in case insensitive mode !!!\n");
/* Main Loop */
while (fgets(buf, sizeof(buf), stdin)) {
if (NULL == strchr(buf, '\n')) {
/* too large message received.. skip and deny */
fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf);
while (fgets(buf, sizeof(buf), stdin)) {
fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf);
if (strchr(buf, '\n') != NULL)
break;
}
goto error;
}
if ((p = strchr(buf, '\n')) != NULL)
*p = '\0'; /* strip \n */
if ((p = strchr(buf, '\r')) != NULL)
*p = '\0'; /* strip \r */
debug("Got '%s' from Squid (length: %d).\n", buf, strlen(buf));
if (buf[0] == '\0') {
fprintf(stderr, "Invalid Request\n");
goto error;
}
username = strtok(buf, " ");
for (n = 0; (group = strtok(NULL, " ")) != NULL; n++) {
rfc1738_unescape(group);
groups[n] = group;
}
groups[n] = NULL;
if (NULL == username) {
fprintf(stderr, "Invalid Request\n");
goto error;
}
rfc1738_unescape(username);
if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) {
printf("OK\n");
} else {
error:
printf("ERR\n");
}
err = 0;
}
return 0;
}
int
main(int argc, char **argv)
{
char buf[8192];
char *user, *group, *extension_dn = NULL;
char *ldapServer = NULL;
LDAP *ld = NULL;
int tryagain = 0, rc;
int port = LDAP_PORT;
int use_extension_dn = 0;
int strip_nt_domain = 0;
int strip_kerberos_realm = 0;
setbuf(stdout, NULL);
while (argc > 1 && argv[1][0] == '-') {
char *value = "";
char option = argv[1][1];
switch (option) {
case 'P':
case 'R':
case 'z':
case 'Z':
case 'd':
case 'g':
case 'S':
case 'K':
break;
default:
if (strlen(argv[1]) > 2) {
value = argv[1] + 2;
} else if (argc > 2) {
value = argv[2];
argv++;
argc--;
} else
value = "";
break;
}
argv++;
argc--;
switch (option) {
case 'H':
#if !HAS_URI_SUPPORT
fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
exit(1);
#endif
/* Fall thru to -h */
case 'h':
if (ldapServer) {
int len = strlen(ldapServer) + 1 + strlen(value) + 1;
char *newhost = malloc(len);
snprintf(newhost, len, "%s %s", ldapServer, value);
free(ldapServer);
ldapServer = newhost;
} else {
ldapServer = strdup(value);
}
break;
case 'b':
basedn = value;
break;
case 'f':
searchfilter = value;
break;
case 'B':
userbasedn = value;
break;
case 'F':
usersearchfilter = value;
break;
case 'u':
userdnattr = value;
break;
case 's':
if (strcmp(value, "base") == 0)
searchscope = LDAP_SCOPE_BASE;
else if (strcmp(value, "one") == 0)
searchscope = LDAP_SCOPE_ONELEVEL;
else if (strcmp(value, "sub") == 0)
searchscope = LDAP_SCOPE_SUBTREE;
else {
fprintf(stderr, PROGRAM_NAME " ERROR: Unknown search scope '%s'\n", value);
exit(1);
}
break;
case 'E':
#if defined(NETSCAPE_SSL)
sslpath = value;
if (port == LDAP_PORT)
port = LDAPS_PORT;
#else
fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
exit(1);
#endif
break;
case 'c':
connect_timeout = atoi(value);
break;
case 't':
timelimit = atoi(value);
break;
case 'a':
if (strcmp(value, "never") == 0)
aliasderef = LDAP_DEREF_NEVER;
else if (strcmp(value, "always") == 0)
aliasderef = LDAP_DEREF_ALWAYS;
else if (strcmp(value, "search") == 0)
aliasderef = LDAP_DEREF_SEARCHING;
else if (strcmp(value, "find") == 0)
aliasderef = LDAP_DEREF_FINDING;
else {
fprintf(stderr, PROGRAM_NAME " ERROR: Unknown alias dereference method '%s'\n", value);
exit(1);
}
break;
case 'D':
binddn = value;
break;
case 'w':
bindpasswd = value;
break;
case 'W':
readSecret(value);
break;
case 'P':
persistent = !persistent;
break;
case 'p':
port = atoi(value);
break;
case 'R':
noreferrals = !noreferrals;
break;
#ifdef LDAP_VERSION3
case 'v':
switch (atoi(value)) {
case 2:
version = LDAP_VERSION2;
break;
case 3:
version = LDAP_VERSION3;
break;
default:
fprintf(stderr, "Protocol version should be 2 or 3\n");
exit(1);
}
break;
case 'Z':
if (version == LDAP_VERSION2) {
fprintf(stderr, "TLS (-Z) is incompatible with version %d\n",
version);
exit(1);
}
version = LDAP_VERSION3;
use_tls = 1;
break;
#endif
case 'd':
debug = 1;
break;
case 'g':
use_extension_dn = 1;
break;
case 'S':
strip_nt_domain = 1;
break;
case 'K':
strip_kerberos_realm = 1;
break;
default:
fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
exit(1);
}
}
while (argc > 1) {
char *value = argv[1];
if (ldapServer) {
int len = strlen(ldapServer) + 1 + strlen(value) + 1;
char *newhost = malloc(len);
snprintf(newhost, len, "%s %s", ldapServer, value);
free(ldapServer);
ldapServer = newhost;
} else {
ldapServer = strdup(value);
}
argc--;
argv++;
}
if (!ldapServer)
ldapServer = "localhost";
if (!basedn || !searchfilter) {
fprintf(stderr, "\n" PROGRAM_NAME " version " PROGRAM_VERSION "\n\n");
fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n");
fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under where to search for groups\n");
fprintf(stderr, "\t-f filter (REQUIRED)\tgroup search filter pattern. %%u = user,\n\t\t\t\t%%g = group\n");
fprintf(stderr, "\t-B basedn (REQUIRED)\tbase dn under where to search for users\n");
fprintf(stderr, "\t-F filter (REQUIRED)\tuser search filter pattern. %%s = login\n");
fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
#if HAS_URI_SUPPORT
fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
#endif
fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
#if defined(NETSCAPE_SSL)
fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
#endif
fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
#ifdef LDAP_VERSION3
fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
#endif
fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
fprintf(stderr, "\t-K\t\t\tStrip Kerberos realm from usernames\n");
fprintf(stderr, "\t-d\t\t\tenable debug mode\n");
fprintf(stderr, "\n");
fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
exit(1);
}
/* On Windows ldap_start_tls_s is available starting from Windows XP,
* so we need to bind at run-time with the function entry point
*/
#ifdef _SQUID_MSWIN_
if (use_tls) {
HMODULE WLDAP32Handle;
WLDAP32Handle = GetModuleHandle("wldap32");
if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
exit(1);
}
}
#endif
while (fgets(buf, 256, stdin) != NULL) {
int found = 0;
if (!strchr(buf, '\n')) {
/* too large message received.. skip and deny */
fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf);
while (fgets(buf, sizeof(buf), stdin)) {
fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf);
if (strchr(buf, '\n') != NULL)
break;
}
goto error;
}
user = strtok(buf, " \n");
if (!user) {
fprintf(stderr, "%s: Invalid request\n", argv[0]);
goto error;
}
rfc1738_unescape(user);
if (strip_nt_domain) {
char *u = strrchr(user, '\\');
if (!u)
u = strrchr(user, '/');
if (!u)
u = strrchr(user, '+');
if (u && u[1])
user = u + 1;
}
if (strip_kerberos_realm) {
char *u = strchr(user, '@');
if (u != NULL) {
*u = '\0';
}
}
if (use_extension_dn) {
extension_dn = strtok(NULL, " \n");
if (!extension_dn) {
fprintf(stderr, "%s: Invalid request\n", argv[0]);
goto error;
}
rfc1738_unescape(extension_dn);
}
while (!found && user && (group = strtok(NULL, " \n")) != NULL) {
rfc1738_unescape(group);
recover:
if (ld == NULL) {
#if HAS_URI_SUPPORT
if (strstr(ldapServer, "://") != NULL) {
rc = ldap_initialize(&ld, ldapServer);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
break;
}
} else
#endif
#if NETSCAPE_SSL
if (sslpath) {
if (!sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
sslpath);
exit(1);
} else {
sslinit++;
}
if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
ldapServer, port);
exit(1);
}
} else
#endif
if ((ld = ldap_init(ldapServer, port)) == NULL) {
fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port);
break;
}
if (connect_timeout)
squid_ldap_set_connect_timeout(ld, connect_timeout);
#ifdef LDAP_VERSION3
if (version == -1) {
version = LDAP_VERSION2;
}
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_SUCCESS) {
fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
version);
ldap_unbind(ld);
ld = NULL;
break;
}
if (use_tls) {
#ifdef LDAP_OPT_X_TLS
if (version != LDAP_VERSION3) {
fprintf(stderr, "TLS requires LDAP version 3\n");
exit(1);
} else if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
fprintf(stderr, "Could not Activate TLS connection\n");
ldap_unbind(ld);
ld = NULL;
break;
}
#else
fprintf(stderr, "TLS not supported with your LDAP library\n");
exit(1);
#endif
}
#endif
squid_ldap_set_timelimit(ld, timelimit);
squid_ldap_set_referrals(ld, !noreferrals);
squid_ldap_set_aliasderef(ld, aliasderef);
if (binddn && bindpasswd && *binddn && *bindpasswd) {
rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, PROGRAM_NAME " WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
ldap_unbind(ld);
ld = NULL;
break;
}
}
if (debug)
fprintf(stderr, "Connected OK\n");
}
if (searchLDAP(ld, group, user, extension_dn) == 0) {
found = 1;
break;
} else {
if (tryagain) {
tryagain = 0;
ldap_unbind(ld);
ld = NULL;
goto recover;
}
}
}
if (found)
printf("OK\n");
else {
error:
printf("ERR\n");
}
if (ld != NULL) {
if (!persistent || (squid_ldap_errno(ld) != LDAP_SUCCESS && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS)) {
ldap_unbind(ld);
ld = NULL;
} else {
tryagain = 1;
}
}
}
if (ld)
ldap_unbind(ld);
return 0;
}
int
main(int argc, char **argv)
{
char username[256];
char password[256];
char wstr[256];
int err = 0;
openlog("msnt_auth", LOG_PID, LOG_USER);
setbuf(stdout, NULL);
/* Read configuration file. Abort wildly if error. */
if (OpenConfigFile() == 1)
return 1;
/*
* Read denied and allowed user files.
* If they fails, there is a serious problem.
* Check syslog messages. Deny all users while in this state.
* The msntauth process should then be killed.
*/
if ((Read_denyusers() == 1) || (Read_allowusers() == 1)) {
while (1) {
memset(wstr, '\0', sizeof(wstr));
fgets(wstr, 255, stdin);
puts("ERR");
}
}
/*
* Make Check_forchange() the handle for HUP signals.
* Don't use alarms any more. I don't think it was very
* portable between systems.
* XXX this should be sigaction()
*/
signal(SIGHUP, Check_forchange);
while (1) {
int n;
/* Read whole line from standard input. Terminate on break. */
memset(wstr, '\0', sizeof(wstr));
if (fgets(wstr, 255, stdin) == NULL)
break;
/* ignore this line if we didn't get the end-of-line marker */
if (NULL == strchr(wstr, '\n')) {
err = 1;
continue;
}
if (err) {
syslog(LOG_WARNING, "oversized message");
goto error;
}
/*
* extract username and password.
* XXX is sscanf() safe?
*/
username[0] = '\0';
password[0] = '\0';
n = sscanf(wstr, "%s %[^\n]", username, password);
if (2 != n) {
puts("ERR");
continue;
}
/* Check for invalid or blank entries */
if ((username[0] == '\0') || (password[0] == '\0')) {
puts("ERR");
continue;
}
Checktimer(); /* Check if the user lists have changed */
rfc1738_unescape(username);
rfc1738_unescape(password);
/*
* Check if user is explicitly denied or allowed.
* If user passes both checks, they can be authenticated.
*/
if (Check_user(username) == 1) {
syslog(LOG_INFO, "'%s' denied", username);
puts("ERR");
} else if (QueryServers(username, password) == 0)
puts("OK");
else {
syslog(LOG_INFO, "'%s' login failed", username);
error:
puts("ERR");
}
err = 0;
}
return 0;
}
/***************************************************************************
load all the variables passed to the CGI program. May have multiple variables
with the same name and the same or different values. Takes a file parameter
for simulating CGI invocation eg loading saved preferences.
***************************************************************************/
void cgi_load_variables(void)
{
static char *line;
char *p, *s, *tok;
int len, i;
FILE *f = stdin;
#ifdef DEBUG_COMMENTS
char dummy[100]="";
print_title(dummy);
d_printf("<!== Start dump in cgi_load_variables() %s ==>\n",__FILE__);
#endif
if (!content_length) {
p = getenv("CONTENT_LENGTH");
len = p?atoi(p):0;
} else {
len = content_length;
}
if (len > 0 &&
(request_post ||
((s=getenv("REQUEST_METHOD")) &&
strequal(s,"POST")))) {
while (len && (line=grab_line(f, &len))) {
p = strchr_m(line,'=');
if (!p) continue;
*p = 0;
variables[num_variables].name = SMB_STRDUP(line);
variables[num_variables].value = SMB_STRDUP(p+1);
SAFE_FREE(line);
if (!variables[num_variables].name ||
!variables[num_variables].value)
continue;
plus_to_space_unescape(variables[num_variables].value);
rfc1738_unescape(variables[num_variables].value);
plus_to_space_unescape(variables[num_variables].name);
rfc1738_unescape(variables[num_variables].name);
#ifdef DEBUG_COMMENTS
printf("<!== POST var %s has value \"%s\" ==>\n",
variables[num_variables].name,
variables[num_variables].value);
#endif
num_variables++;
if (num_variables == MAX_VARIABLES) break;
}
}
fclose(stdin);
open("/dev/null", O_RDWR);
if ((s=query_string) || (s=getenv("QUERY_STRING"))) {
char *saveptr;
for (tok=strtok_r(s, "&;", &saveptr); tok;
tok=strtok_r(NULL, "&;", &saveptr)) {
p = strchr_m(tok,'=');
if (!p) continue;
*p = 0;
variables[num_variables].name = SMB_STRDUP(tok);
variables[num_variables].value = SMB_STRDUP(p+1);
if (!variables[num_variables].name ||
!variables[num_variables].value)
continue;
plus_to_space_unescape(variables[num_variables].value);
rfc1738_unescape(variables[num_variables].value);
plus_to_space_unescape(variables[num_variables].name);
rfc1738_unescape(variables[num_variables].name);
#ifdef DEBUG_COMMENTS
printf("<!== Commandline var %s has value \"%s\" ==>\n",
variables[num_variables].name,
variables[num_variables].value);
#endif
num_variables++;
if (num_variables == MAX_VARIABLES) break;
}
}
#ifdef DEBUG_COMMENTS
printf("<!== End dump in cgi_load_variables() ==>\n");
#endif
/* variables from the client are in UTF-8 - convert them
to our internal unix charset before use */
for (i=0;i<num_variables;i++) {
TALLOC_CTX *frame = talloc_stackframe();
char *dest = NULL;
size_t dest_len;
convert_string_allocate(frame, CH_UTF8, CH_UNIX,
variables[i].name, strlen(variables[i].name),
&dest, &dest_len, True);
SAFE_FREE(variables[i].name);
variables[i].name = SMB_STRDUP(dest ? dest : "");
dest = NULL;
convert_string_allocate(frame, CH_UTF8, CH_UNIX,
variables[i].value, strlen(variables[i].value),
&dest, &dest_len, True);
SAFE_FREE(variables[i].value);
variables[i].value = SMB_STRDUP(dest ? dest : "");
TALLOC_FREE(frame);
}
}
/*
* The helper program receives queries on stdin, one
* per line, and must return the result on on stdout
*/
static void
refreshCheckHandleReply(void *data, char *reply)
{
refreshCheckState *state = data;
refreshCheckState *next;
int freshness = -1;
char *log = NULL;
MemBuf hdrs = MemBufNULL;
debug(84, 2) ("refreshCheckHandleReply: reply=\"%s\"\n", reply);
if (reply) {
char *t = NULL;
char *token = strwordtok(reply, &t);
if (token && strcmp(token, "FRESH") == 0)
freshness = 0;
else if (token && strcmp(token, "OK") == 0)
freshness = 0;
while ((token = strwordtok(NULL, &t))) {
char *value = strchr(token, '=');
if (value) {
*value++ = '\0'; /* terminate the token, and move up to the value */
rfc1738_unescape(value);
if (strcmp(token, "freshness") == 0)
freshness = atoi(value);
else if (strcmp(token, "log") == 0)
log = value;
else if (strncmp(token, "res{", 4) == 0) {
char *header, *t;
header = token + 4;
t = strrchr(header, '}');
if (!t)
continue;
*t = '\0';
if (!hdrs.buf)
memBufDefInit(&hdrs);
memBufPrintf(&hdrs, "%s: %s\r\n", header, value);
}
}
}
}
if (freshness >= 0) {
if (hdrs.size) {
HttpReply *rep = httpReplyCreate();
httpHeaderParse(&rep->header, hdrs.buf, hdrs.buf + hdrs.size);
httpReplyUpdateOnNotModified(state->entry->mem_obj->reply, rep);
storeTimestampsSet(state->entry);
if (!httpHeaderHas(&rep->header, HDR_DATE)) {
state->entry->timestamp = squid_curtime;
state->entry->expires = squid_curtime + freshness;
} else if (freshness) {
state->entry->expires = squid_curtime + freshness;
}
httpReplyDestroy(rep);
storeUpdate(state->entry, NULL);
} else {
state->entry->timestamp = squid_curtime;
state->entry->expires = squid_curtime + freshness;
}
}
if (hdrs.buf)
memBufClean(&hdrs);
dlinkDelete(&state->list, &state->def->queue);
do {
cbdataUnlock(state->def);
state->def = NULL;
if (state->callback && cbdataValid(state->callback_data))
state->callback(state->callback_data, freshness >= 0, log);
cbdataUnlock(state->callback_data);
state->callback_data = NULL;
next = state->queue;
cbdataFree(state);
state = next;
} while (state);
}
int
main(int argc, char **argv)
{
char buf[1024];
char *user, *passwd;
char *ldapServer = NULL;
LDAP *ld = NULL;
int tryagain;
int port = LDAP_PORT;
setbuf(stdout, NULL);
while (argc > 1 && argv[1][0] == '-') {
const char *value = "";
char option = argv[1][1];
switch (option) {
case 'P':
case 'R':
case 'z':
case 'Z':
case 'd':
case 'O':
break;
default:
if (strlen(argv[1]) > 2) {
value = argv[1] + 2;
} else if (argc > 2) {
value = argv[2];
argv++;
argc--;
} else
value = "";
break;
}
argv++;
argc--;
switch (option) {
case 'H':
#if !HAS_URI_SUPPORT
fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
exit(1);
#endif
/* Fall thru to -h */
case 'h':
if (ldapServer) {
int len = strlen(ldapServer) + 1 + strlen(value) + 1;
char *newhost = malloc(len);
snprintf(newhost, len, "%s %s", ldapServer, value);
free(ldapServer);
ldapServer = newhost;
} else {
ldapServer = strdup(value);
}
break;
case 'b':
basedn = value;
break;
case 'f':
searchfilter = value;
break;
case 'u':
userattr = value;
break;
case 'U':
passwdattr = value;
break;
case 's':
if (strcmp(value, "base") == 0)
searchscope = LDAP_SCOPE_BASE;
else if (strcmp(value, "one") == 0)
searchscope = LDAP_SCOPE_ONELEVEL;
else if (strcmp(value, "sub") == 0)
searchscope = LDAP_SCOPE_SUBTREE;
else {
fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown search scope '%s'\n", value);
exit(1);
}
break;
case 'E':
#if defined(NETSCAPE_SSL)
sslpath = value;
if (port == LDAP_PORT)
port = LDAPS_PORT;
#else
fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
exit(1);
#endif
break;
case 'c':
connect_timeout = atoi(value);
break;
case 't':
timelimit = atoi(value);
break;
case 'a':
if (strcmp(value, "never") == 0)
aliasderef = LDAP_DEREF_NEVER;
else if (strcmp(value, "always") == 0)
aliasderef = LDAP_DEREF_ALWAYS;
else if (strcmp(value, "search") == 0)
aliasderef = LDAP_DEREF_SEARCHING;
else if (strcmp(value, "find") == 0)
aliasderef = LDAP_DEREF_FINDING;
else {
fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown alias dereference method '%s'\n", value);
exit(1);
}
break;
case 'D':
binddn = value;
break;
case 'w':
bindpasswd = value;
break;
case 'W':
readSecret(value);
break;
case 'P':
persistent = !persistent;
break;
case 'O':
bind_once = !bind_once;
break;
case 'p':
port = atoi(value);
break;
case 'R':
noreferrals = !noreferrals;
break;
#ifdef LDAP_VERSION3
case 'v':
switch (atoi(value)) {
case 2:
version = LDAP_VERSION2;
break;
case 3:
version = LDAP_VERSION3;
break;
default:
fprintf(stderr, "Protocol version should be 2 or 3\n");
exit(1);
}
break;
case 'Z':
if (version == LDAP_VERSION2) {
fprintf(stderr, "TLS (-Z) is incompatible with version %d\n",
version);
exit(1);
}
version = LDAP_VERSION3;
use_tls = 1;
break;
#endif
case 'd':
debug++;
break;
default:
fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
exit(1);
}
}
while (argc > 1) {
char *value = argv[1];
if (ldapServer) {
int len = strlen(ldapServer) + 1 + strlen(value) + 1;
char *newhost = malloc(len);
snprintf(newhost, len, "%s %s", ldapServer, value);
free(ldapServer);
ldapServer = newhost;
} else {
ldapServer = strdup(value);
}
argc--;
argv++;
}
if (!ldapServer)
ldapServer = strdup("localhost");
if (!basedn) {
fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn [options] [ldap_server_name[:port]]...\n\n");
fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
#if HAS_URI_SUPPORT
fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
#endif
fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
#if defined(NETSCAPE_SSL)
fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
#endif
fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
#ifdef LDAP_VERSION3
fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires LDAP version 3\n");
#endif
fprintf(stderr, "\n");
fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
exit(1);
}
/* On Windows ldap_start_tls_s is available starting from Windows XP,
* so we need to bind at run-time with the function entry point
*/
#ifdef _SQUID_MSWIN_
if (use_tls) {
HMODULE WLDAP32Handle;
WLDAP32Handle = GetModuleHandle("wldap32");
if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
exit(1);
}
}
#endif
while (fgets(buf, sizeof(buf), stdin) != NULL) {
user = strtok(buf, " \r\n");
passwd = strtok(NULL, "\r\n");
if (!user || !passwd || !passwd[0]) {
printf("ERR\n");
continue;
}
rfc1738_unescape(user);
rfc1738_unescape(passwd);
if (!validUsername(user)) {
printf("ERR No such user\n");
continue;
}
tryagain = (ld != NULL);
recover:
if (ld == NULL && persistent)
ld = open_ldap_connection(ldapServer, port);
if (checkLDAP(ld, user, passwd, ldapServer, port) != 0) {
if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) {
tryagain = 0;
ldap_unbind(ld);
ld = NULL;
goto recover;
}
printf("ERR %s\n", ldap_err2string(squid_ldap_errno(ld)));
} else {
printf("OK\n");
}
if (ld && (squid_ldap_errno(ld) != LDAP_SUCCESS && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS)) {
ldap_unbind(ld);
ld = NULL;
}
}
if (ld)
ldap_unbind(ld);
return 0;
}
int
main(int argc, char *argv[])
{
pam_handle_t *pamh = NULL;
int retval = PAM_SUCCESS;
char *user;
/* char *password; */
char buf[BUFSIZE];
time_t pamh_created = 0;
int ttl = DEFAULT_SQUID_PAM_TTL;
char *service = DEFAULT_SQUID_PAM_SERVICE;
int no_acct_mgmt = 0;
/* make standard output line buffered */
setvbuf(stdout, NULL, _IOLBF, 0);
while (1) {
int ch = getopt(argc, argv, "1n:t:o");
switch (ch) {
case -1:
goto start;
case 'n':
service = optarg;
break;
case 't':
ttl = atoi(optarg);
break;
case '1':
ttl = 0;
break;
case 'o':
no_acct_mgmt = 1;
break;
default:
fprintf(stderr, "Unknown getopt value '%c'\n", ch);
usage(argv[0]);
exit(1);
}
}
start:
if (optind < argc) {
fprintf(stderr, "Unknown option '%s'\n", argv[optind]);
usage(argv[0]);
exit(1);
}
while (fgets(buf, BUFSIZE, stdin)) {
user = buf;
password = strchr(buf, '\n');
if (!password) {
fprintf(stderr, "authenticator: Unexpected input '%s'\n", buf);
goto error;
}
*password = '******';
password = strchr(buf, ' ');
if (!password) {
fprintf(stderr, "authenticator: Unexpected input '%s'\n", buf);
goto error;
}
*password++ = '\0';
rfc1738_unescape(user);
rfc1738_unescape(password);
conv.appdata_ptr = (char *) password; /* from buf above. not allocated */
if (ttl == 0) {
/* Create PAM connection */
retval = pam_start(service, user, &conv, &pamh);
if (retval != PAM_SUCCESS) {
fprintf(stderr, "ERROR: failed to create PAM authenticator\n");
goto error;
}
} else if (!pamh || (time(NULL) - pamh_created) >= ttl || pamh_created > time(NULL)) {
/* Close previous PAM connection */
if (pamh) {
retval = pam_end(pamh, retval);
if (retval != PAM_SUCCESS) {
fprintf(stderr, "WARNING: failed to release PAM authenticator\n");
}
pamh = NULL;
}
/* Initialize persistent PAM connection */
retval = pam_start(service, "squid@", &conv, &pamh);
if (retval != PAM_SUCCESS) {
fprintf(stderr, "ERROR: failed to create PAM authenticator\n");
goto error;
}
pamh_created = time(NULL);
}
/* Authentication */
retval = PAM_SUCCESS;
if (ttl != 0) {
if (retval == PAM_SUCCESS)
retval = pam_set_item(pamh, PAM_USER, user);
if (retval == PAM_SUCCESS)
retval = pam_set_item(pamh, PAM_CONV, &conv);
}
if (retval == PAM_SUCCESS)
retval = pam_authenticate(pamh, 0);
if (retval == PAM_SUCCESS && !no_acct_mgmt)
retval = pam_acct_mgmt(pamh, 0);
if (retval == PAM_SUCCESS) {
fprintf(stdout, "OK\n");
} else {
error:
fprintf(stdout, "ERR\n");
}
/* cleanup */
retval = PAM_SUCCESS;
#ifdef PAM_AUTHTOK
if (ttl != 0) {
if (retval == PAM_SUCCESS)
retval = pam_set_item(pamh, PAM_AUTHTOK, NULL);
}
#endif
if (ttl == 0 || retval != PAM_SUCCESS) {
retval = pam_end(pamh, retval);
if (retval != PAM_SUCCESS) {
fprintf(stderr, "WARNING: failed to release PAM authenticator\n");
}
pamh = NULL;
}
}
if (pamh) {
retval = pam_end(pamh, retval);
if (retval != PAM_SUCCESS) {
pamh = NULL;
fprintf(stderr, "ERROR: failed to release PAM authenticator\n");
}
}
return 0;
}
int
main (int argc, char *argv[])
{
FILE *FH;
char *filename = NULL;
char *program_name = argv[0];
char *cp;
char *username, *address;
char line[BUFSIZE];
struct ip_user_dict *current_entry;
int ch;
setvbuf (stdout, NULL, _IOLBF, 0);
while ((ch = getopt (argc, argv, "f:")) != -1) {
switch (ch) {
case 'f':
filename = optarg;
break;
default:
usage (program_name);
exit (1);
}
}
if (filename == NULL) {
usage (program_name);
exit(1);
}
FH = fopen (filename, "r");
current_entry = load_dict (FH);
while (fgets (line, sizeof (line), stdin)) {
if ((cp = strchr (line, '\n')) == NULL) {
/* too large message received.. skip and deny */
fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], line);
while (fgets(line, sizeof(line), stdin)) {
fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], line);
if (strchr(line, '\n') != NULL)
break;
}
goto error;
}
*cp = '\0';
address = strtok (line, " \t");
username = strtok (NULL, " \t");
if (!address || !username) {
fprintf (stderr, "%s: unable to read tokens\n", argv[0]);
goto error;
}
rfc1738_unescape(address);
rfc1738_unescape(username);
#ifdef DEBUG
printf ("result: %d\n",
dict_lookup (current_entry, username, address));
#endif
if ((dict_lookup (current_entry, username, address)) != 0) {
printf ("OK\n");
} else {
error:
printf ("ERR\n");
}
}
fclose (FH);
return 0;
}
int
main(int argc, char *argv[])
{
char *user, *suser, *p;
char buf[BUFSIZE];
char **grents = NULL;
int check_pw = 0, ch, ngroups = 0, i, j = 0, strip_dm = 0;
/* make standard output line buffered */
setvbuf(stdout, NULL, _IOLBF, 0);
/* get user options */
while ((ch = getopt(argc, argv, "spg:")) != -1) {
switch (ch) {
case 's':
strip_dm = 1;
break;
case 'p':
check_pw = 1;
break;
case 'g':
grents = (char **) realloc(grents, sizeof(*grents) * (ngroups + 1));
grents[ngroups++] = optarg;
break;
case '?':
if (isprint(optopt)) {
fprintf(stderr, "Unknown option '-%c'.\n", optopt);
} else {
fprintf(stderr, "Unknown option character `\\x%x'.\n", optopt);
}
default:
usage(argv[0]);
exit(1);
}
}
if (optind < argc) {
fprintf(stderr, "FATAL: Unknown option '%s'\n", argv[optind]);
usage(argv[0]);
exit(1);
}
while (fgets(buf, sizeof(buf), stdin)) {
j = 0;
if ((p = strchr(buf, '\n')) == NULL) {
/* too large message received.. skip and deny */
fprintf(stderr, "ERROR: %s: Too large: %s\n", argv[0], buf);
while (fgets(buf, sizeof(buf), stdin)) {
fprintf(stderr, "ERROR: %s: Too large..: %s\n", argv[0], buf);
if (strchr(buf, '\n') != NULL)
break;
}
goto error;
}
*p = '\0';
if ((p = strtok(buf, " ")) == NULL) {
goto error;
} else {
user = p;
rfc1738_unescape(user);
if (user && strip_dm) {
suser = strchr(user, '\\');
if (!suser) suser = strchr(user, '/');
if (suser && suser[1]) user = suser + 1;
}
/* check groups supplied by Squid */
while ((p = strtok(NULL, " ")) != NULL) {
rfc1738_unescape(p);
if (check_pw == 1)
j += validate_user_pw(user, p);
j += validate_user_gr(user, p);
}
}
/* check groups supplied on the command line */
for (i = 0; i < ngroups; i++) {
if (check_pw == 1) {
j += validate_user_pw(user, grents[i]);
}
j += validate_user_gr(user, grents[i]);
}
if (j > 0) {
printf("OK\n");
} else {
error:
printf("ERR\n");
}
}
return 0;
}
int
main(int argc, char *argv[])
{
char line[8192];
char *username, *password;
#if SASL_VERSION_MAJOR < 2
const char *errstr;
#endif
int rc;
sasl_conn_t *conn = NULL;
/* make standard output line buffered */
setvbuf(stdout, NULL, _IOLBF, 0);
rc = sasl_server_init( NULL, APP_NAME_SASL );
if ( rc != SASL_OK ) {
fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL ));
fprintf( stdout, "ERR\n" );
return 1;
}
#if SASL_VERSION_MAJOR < 2
rc = sasl_server_new( APP_NAME_SASL, NULL, NULL, NULL, 0, &conn );
#else
rc = sasl_server_new( APP_NAME_SASL, NULL, NULL, NULL, NULL, NULL, 0, &conn );
#endif
if ( rc != SASL_OK ) {
fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL ));
fprintf( stdout, "ERR\n" );
return 1;
}
while ( fgets( line, sizeof( line ), stdin )) {
username = &line[0];
password = strchr( line, '\n' );
if ( !password) {
fprintf( stderr, "authenticator: Unexpected input '%s'\n", line );
fprintf( stdout, "ERR\n" );
continue;
}
*password = '******';
password = strchr ( line, ' ' );
if ( !password) {
fprintf( stderr, "authenticator: Unexpected input '%s'\n", line );
fprintf( stdout, "ERR\n" );
continue;
}
*password++ = '\0';
rfc1738_unescape(username);
rfc1738_unescape(password);
#if SASL_VERSION_MAJOR < 2
rc = sasl_checkpass(conn, username, strlen(username), password, strlen(password), &errstr);
#else
rc = sasl_checkpass(conn, username, strlen(username), password, strlen(password));
#endif
if ( rc != SASL_OK ) {
#if SASL_VERSION_MAJOR < 2
if ( errstr ) {
fprintf( stderr, "errstr %s\n", errstr );
}
if ( rc != SASL_BADAUTH ) {
fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL ));
}
#endif
fprintf( stdout, "ERR\n" );
}
else {
fprintf( stdout, "OK\n" );
}
}
sasl_dispose( &conn );
sasl_done();
return 0;
}
