// ntlm auth header username extraction - also lets connection persist long enough to complete NTLM negotiation int ntlminstance::identify(Socket& peercon, Socket& proxycon, HTTPHeader &h, std::string &string) { FDTunnel fdt; Socket* upstreamcon; Socket ntlmcon; String url; if (transparent) { // we are actually sending to a second Squid, which just does NTLM ntlmcon.connect(transparent_ip, transparent_port); upstreamcon = &ntlmcon; url = h.getUrl(); h.makeTransparent(false); } else { upstreamcon = &proxycon; } String at(h.getAuthType()); if (transparent && (at != "NTLM")) { // obey forwarded-for options in what we send out std::string clientip; if (o.forwarded_for == 1) { if (o.use_xforwardedfor == 1) { // grab the X-Forwarded-For IP if available clientip = h.getXForwardedForIP(); // otherwise, grab the IP directly from the client connection if (clientip.length() == 0) clientip = peercon.getPeerIP(); } else { clientip = peercon.getPeerIP(); } h.addXForwardedFor(clientip); // add squid-like entry } // in transparent mode, we need to make the initial auth required response // appear to come from the smoothie itself as an origin server, not as a proxy. // // accomplish this by redirecting to a URL that results in accessing DG as if it was // a webserver, fudging origin-server-style NTLM auth to the client whilst actually // performing proper proxy-style auth to the parent proxy, then redirecting the client // back to the actual URL. if (!url.contains("sgtransntlmdest=")) { // user has not yet been redirected // get the browser to make a request to the proxy port on the relevant interface, // embedding the original URL they were trying to access. // unless they're accessing a domain for which authentication is not required, // in which case return a no match response straight away. if (no_auth_list >= 0) { #ifdef DGDEBUG std::cout << "NTLM: Checking noauthdomains list" << std::endl; #endif std::string::size_type start = url.find("://"); if (start != std::string::npos) { start += 3; std::string domain; domain = url.getHostname(); #ifdef DGDEBUG std::cout << "NTLM: URL " << url << ", domain " << domain << std::endl; #endif char *i; while ((start = domain.find('.')) != std::string::npos) { i = o.lm.l[no_auth_list]->findInList(domain.c_str()); if (i != NULL) { #ifdef DGDEBUG std::cout << "NTLM: Found domain in noauthdomains list" << std::endl; #endif return DGAUTH_NOMATCH; } domain.assign(domain.substr(start + 1)); } if (!domain.empty()) { domain = "." + domain; i = o.lm.l[no_auth_list]->findInList(domain.c_str()); if (i != NULL) { #ifdef DGDEBUG std::cout << "NTLM: Found domain in noauthdomains list" << std::endl; #endif return DGAUTH_NOMATCH; } } } } string = "http://"; string += hostname; string += ":"; string += String(peercon.getPort()).toCharArray(); string += "/?sgtransntlmdest="; string += url.toCharArray(); #ifdef DGDEBUG std::cout << "NTLM - redirecting client to " << string << std::endl; #endif return DGAUTH_REDIRECT; } #ifdef DGDEBUG std::cout << "NTLM - forging initial auth required from origin server" << std::endl; #endif // obey forwarded-for options in what we send out if (o.forwarded_for == 1) { std::string clientip; if (o.use_xforwardedfor == 1) { // grab the X-Forwarded-For IP if available clientip = h.getXForwardedForIP(); // otherwise, grab the IP directly from the client connection if (clientip.length() == 0) clientip = peercon.getPeerIP(); } else { clientip = peercon.getPeerIP(); } h.addXForwardedFor(clientip); // add squid-like entry } // send a variant on the original request (has to be something Squid will route to the outside // world, and that it will require NTLM authentication for) String domain(url.after("?sgtransntlmdest=").after("://")); if (domain.contains("/")) domain = domain.before("/"); domain = "http://" + domain + "/"; h.setURL(domain); h.makePersistent(); h.out(&peercon, upstreamcon, __DGHEADER_SENDALL); // grab the auth required response and make it look like it's from the origin server h.in(upstreamcon, true); h.makeTransparent(true); h.makePersistent(); // send it to the client h.out(NULL, &peercon, __DGHEADER_SENDALL); if (h.contentLength() != -1) fdt.tunnel(*upstreamcon, peercon, false, h.contentLength(), true); if (h.isPersistent()) { // now grab the client's response to the auth request, and carry on as usual. h.in(&peercon, true); h.makeTransparent(false); at = h.getAuthType(); } else return DGAUTH_NOMATCH; } else if (transparent && url.contains("?sgtransntlmdest=")) { // send a variant on the original request (has to be something Squid will route to the outside // world, and that it will require NTLM authentication for) String domain(url.after("?sgtransntlmdest=").after("://")); if (domain.contains("/")) domain = domain.before("/"); domain = "http://" + domain + "/"; h.setURL(domain); } if (at != "NTLM") { // if no auth currently underway, then... if (at.length() == 0) { // allow the initial request through so the client will get the proxy's initial auth required response. // advertise persistent connections so that parent proxy will agree to advertise NTLM support. #ifdef DGDEBUG std::cout << "No auth negotiation currently in progress - making initial request persistent so that proxy will advertise NTLM" << std::endl; #endif h.makePersistent(); } return DGAUTH_NOMATCH; } #ifdef DGDEBUG std::cout << "NTLM - sending step 1" << std::endl; #endif if (o.forwarded_for) { std::string clientip; if (o.use_xforwardedfor) { // grab the X-Forwarded-For IP if available clientip = h.getXForwardedForIP(); // otherwise, grab the IP directly from the client connection if (clientip.length() == 0) clientip = peercon.getPeerIP(); } else { clientip = peercon.getPeerIP(); } h.addXForwardedFor(clientip); // add squid-like entry } h.makePersistent(); h.out(&peercon, upstreamcon, __DGHEADER_SENDALL); #ifdef DGDEBUG std::cout << "NTLM - receiving step 2" << std::endl; #endif h.in(upstreamcon, true); if (h.authRequired()) { #ifdef DGDEBUG std::cout << "NTLM - sending step 2" << std::endl; #endif if (transparent) h.makeTransparent(true); h.out(NULL, &peercon, __DGHEADER_SENDALL); if (h.contentLength() != -1) fdt.tunnel(*upstreamcon, peercon, false, h.contentLength(), true); #ifdef DGDEBUG std::cout << "NTLM - receiving step 3" << std::endl; #endif h.in(&peercon, true); if (transparent) { h.makeTransparent(false); String domain(url.after("?sgtransntlmdest=").after("://")); if (domain.contains("/")) domain = domain.before("/"); domain = "http://" + domain + "/"; h.setURL(domain); } #ifdef DGDEBUG std::cout << "NTLM - decoding type 3 message" << std::endl; #endif std::string message(h.getAuthData()); ntlm_authenticate auth; ntlm_auth *a = &(auth.a); static char username[256]; // fixed size static char username2[256]; char* inptr = username; char* outptr = username2; size_t l,o; // copy the NTLM message into the union's buffer, simultaneously filling in the struct if ((message.length() > sizeof(ntlm_auth)) || (message.length() < offsetof(ntlm_auth, payload))) { syslog(LOG_ERR, "NTLM - Invalid message of length %zd, message was: %s", message.length(), message.c_str()); #ifdef DGDEBUG std::cerr << "NTLM - Invalid message of length " << message.length() << ", message was: " << message << std::endl; #endif return -3; } memcpy((void *)auth.buf, (const void *)message.c_str(), message.length()); // verify that the message is indeed a type 3 if (strcmp("NTLMSSP",a->h.signature) == 0 && WSWAP(a->h.type) == 3) { // grab the length & offset of the username within the message // cope with the possibility we are a different byte order to Windows l = SSWAP(a->user.len); o = WSWAP(a->user.offset); if ((l > 0) && (o >= 0) && (o + l) <= sizeof(a->payload) && (l <= 254)) { // everything is in range // note offsets are from start of packet - not the start of the payload area memcpy((void *)username, (const void *)&(auth.buf[o]),l); username[l] = '\0'; // check flags - we may need to convert from UTF-16 to something more sensible int f = WSWAP(a->flags); if (f & WSWAP(0x0001)) { iconv_t ic = iconv_open("UTF-8", "UTF-16LE"); if (ic == (iconv_t)-1) { syslog(LOG_ERR, "NTLM - Cannot initialise conversion from UTF-16LE to UTF-8: %s", strerror(errno)); #ifdef DGDEBUG std::cerr << "NTLM - Cannot initialise conversion from UTF-16LE to UTF-8: " << strerror(errno) << std::endl; #endif iconv_close(ic); return -2; } size_t l2 = 256; local_iconv_adaptor(iconv, ic, &inptr, &l, &outptr, &l2); iconv_close(ic); username2[256 - l2] = '\0'; #ifdef DGDEBUG std::cout << "NTLM - got username (converted from UTF-16LE) " << username2 << std::endl; #endif string = username2; } else { #ifdef DGDEBUG std::cout << "NTLM - got username " << username << std::endl; #endif string = username; } if (!transparent) return DGAUTH_OK; // if in transparent mode, send a redirect to the client's original requested URL, // having sent the final headers to the NTLM-only Squid to do with what it will std::string tmp = peercon.getPeerIP(); h.addXForwardedFor(tmp); h.out(&peercon, upstreamcon, __DGHEADER_SENDALL); // also, the return code matters in ways it hasn't mattered before: // mustn't send a redirect if it is still 407, or we get a redirection loop h.in(upstreamcon, true); if (h.returnCode() == 407) { h.makeTransparent(false); h.out(NULL, &peercon, __DGHEADER_SENDALL); return -10; } url = url.after("="); string = url.toCharArray(); return DGAUTH_REDIRECT; } } return DGAUTH_NOMATCH; } else { #ifdef DGDEBUG std::cout << "NTLM - step 2 was not part of an auth handshake!" << std::endl; for (unsigned int i = 0; i < h.header.size(); i++) std::cout << h.header[i] << std::endl; #endif syslog(LOG_ERR, "NTLM - step 2 was not part of an auth handshake! (%s)", h.header[0].toCharArray()); return -1; } }
// send headers out over the given socket // "reconnect" flag gives permission to reconnect to the socket on write error // - this allows us to re-open the proxy connection on pconns if squid's end has // timed out but the client's end hasn't. not much use with NTLM, since squid // will throw a 407 and restart negotiation, but works well with basic & others. void HTTPHeader::out(Socket * peersock, Socket * sock, int sendflag, bool reconnect) throw(std::exception) { String l; // for amalgamating to avoid conflict with the Nagel algorithm if (sendflag == __DGHEADER_SENDALL || sendflag == __DGHEADER_SENDFIRSTLINE) { if (header.size() > 0) { l = header.front() + "\n"; #ifdef DGDEBUG std::cout << "headertoclient:" << l << std::endl; #endif // first reconnect loop - send first line while (true) { if (!(*sock).writeToSocket(l.toCharArray(), l.length(), 0, timeout)) { // reconnect & try again if we've been told to if (reconnect) { // don't try more than once #ifdef DGDEBUG std::cout << "Proxy connection broken (1); trying to re-establish..." << std::endl; syslog(LOG_ERR,"Proxy connection broken (1); trying to re-establish..."); #endif reconnect = false; sock->reset(); int rc = sock->connect(o.proxy_ip, o.proxy_port); if (rc) throw std::exception(); continue; } throw std::exception(); } // if we got here, we succeeded, so break the reconnect loop break; } } if (sendflag == __DGHEADER_SENDFIRSTLINE) { return; } } l = ""; for (std::deque<String>::iterator i = header.begin() + 1; i != header.end(); i++) { l += (*i) + "\n"; } l += "\r\n"; #ifdef DGDEBUG std::cout << "headertoclient:" << l << std::endl; #endif // second reconnect loop while (true) { // send header to the output stream // need exception for bad write if (!(*sock).writeToSocket(l.toCharArray(), l.length(), 0, timeout)) { // reconnect & try again if we've been told to if (reconnect) { // don't try more than once #ifdef DGDEBUG std::cout << "Proxy connection broken (2); trying to re-establish..." << std::endl; syslog(LOG_ERR,"Proxy connection broken (2); trying to re-establish..."); #endif reconnect = false; sock->reset(); int rc = sock->connect(o.proxy_ip, o.proxy_port); if (rc) throw std::exception(); // include the first line on the retry l = header.front() + "\n" + l; continue; } throw std::exception(); } // if we got here, we succeeded, so break the reconnect loop break; } if ((!requestType().startsWith("HTTP")) && (pcontentlength != NULL)) { if (postdatalen > 0) { #ifdef DGDEBUG std::cout << "Sending initial POST data chunk" << std::endl; #endif // Re-add the chopped off \n, if necessary if (postdatachopped) { #ifdef DGDEBUG std::cout << "Re-adding newline to POST data (postdatalen " << postdatalen << ")" << std::endl; #endif postdata[postdatalen-1] = '\n'; postdata[postdatalen] = '\0'; } sock->writeToSockete(postdata, postdatalen, 0, timeout); } #ifdef DGDEBUG std::cout << "Opening tunnel for remainder of POST data" << std::endl; #endif FDTunnel fdt; off_t remaining = contentLength() - postdatalen; if (remaining < 0) throw std::runtime_error("No POST data left to send!?"); fdt.tunnel(*peersock, *sock, false, remaining, true); } }