// ntlm auth header username extraction - also lets connection persist long enough to complete NTLM negotiation
int ntlminstance::identify(Socket& peercon, Socket& proxycon, HTTPHeader &h, std::string &string)
{
FDTunnel fdt;
Socket* upstreamcon;
Socket ntlmcon;
String url;
if (transparent) {
// we are actually sending to a second Squid, which just does NTLM
ntlmcon.connect(transparent_ip, transparent_port);
upstreamcon = &ntlmcon;
url = h.getUrl();
h.makeTransparent(false);
} else {
upstreamcon = &proxycon;
}
String at(h.getAuthType());
if (transparent && (at != "NTLM")) {
// obey forwarded-for options in what we send out
std::string clientip;
if (o.forwarded_for == 1) {
if (o.use_xforwardedfor == 1) {
// grab the X-Forwarded-For IP if available
clientip = h.getXForwardedForIP();
// otherwise, grab the IP directly from the client connection
if (clientip.length() == 0)
clientip = peercon.getPeerIP();
} else {
clientip = peercon.getPeerIP();
}
h.addXForwardedFor(clientip); // add squid-like entry
}
// in transparent mode, we need to make the initial auth required response
// appear to come from the smoothie itself as an origin server, not as a proxy.
//
// accomplish this by redirecting to a URL that results in accessing DG as if it was
// a webserver, fudging origin-server-style NTLM auth to the client whilst actually
// performing proper proxy-style auth to the parent proxy, then redirecting the client
// back to the actual URL.
if (!url.contains("sgtransntlmdest=")) {
// user has not yet been redirected
// get the browser to make a request to the proxy port on the relevant interface,
// embedding the original URL they were trying to access.
// unless they're accessing a domain for which authentication is not required,
// in which case return a no match response straight away.
if (no_auth_list >= 0)
{
#ifdef DGDEBUG
std::cout << "NTLM: Checking noauthdomains list" << std::endl;
#endif
std::string::size_type start = url.find("://");
if (start != std::string::npos)
{
start += 3;
std::string domain;
domain = url.getHostname();
#ifdef DGDEBUG
std::cout << "NTLM: URL " << url << ", domain " << domain << std::endl;
#endif
char *i;
while ((start = domain.find('.')) != std::string::npos)
{
i = o.lm.l[no_auth_list]->findInList(domain.c_str());
if (i != NULL)
{
#ifdef DGDEBUG
std::cout << "NTLM: Found domain in noauthdomains list" << std::endl;
#endif
return DGAUTH_NOMATCH;
}
domain.assign(domain.substr(start + 1));
}
if (!domain.empty())
{
domain = "." + domain;
i = o.lm.l[no_auth_list]->findInList(domain.c_str());
if (i != NULL)
{
#ifdef DGDEBUG
std::cout << "NTLM: Found domain in noauthdomains list" << std::endl;
#endif
return DGAUTH_NOMATCH;
}
}
}
}
string = "http://";
string += hostname;
string += ":";
string += String(peercon.getPort()).toCharArray();
string += "/?sgtransntlmdest=";
string += url.toCharArray();
#ifdef DGDEBUG
std::cout << "NTLM - redirecting client to " << string << std::endl;
#endif
return DGAUTH_REDIRECT;
}
#ifdef DGDEBUG
std::cout << "NTLM - forging initial auth required from origin server" << std::endl;
#endif
// obey forwarded-for options in what we send out
if (o.forwarded_for == 1) {
std::string clientip;
if (o.use_xforwardedfor == 1) {
// grab the X-Forwarded-For IP if available
clientip = h.getXForwardedForIP();
// otherwise, grab the IP directly from the client connection
if (clientip.length() == 0)
clientip = peercon.getPeerIP();
} else {
clientip = peercon.getPeerIP();
}
h.addXForwardedFor(clientip); // add squid-like entry
}
// send a variant on the original request (has to be something Squid will route to the outside
// world, and that it will require NTLM authentication for)
String domain(url.after("?sgtransntlmdest=").after("://"));
if (domain.contains("/")) domain = domain.before("/");
domain = "http://" + domain + "/";
h.setURL(domain);
h.makePersistent();
h.out(&peercon, upstreamcon, __DGHEADER_SENDALL);
// grab the auth required response and make it look like it's from the origin server
h.in(upstreamcon, true);
h.makeTransparent(true);
h.makePersistent();
// send it to the client
h.out(NULL, &peercon, __DGHEADER_SENDALL);
if (h.contentLength() != -1)
fdt.tunnel(*upstreamcon, peercon, false, h.contentLength(), true);
if (h.isPersistent()) {
// now grab the client's response to the auth request, and carry on as usual.
h.in(&peercon, true);
h.makeTransparent(false);
at = h.getAuthType();
} else
return DGAUTH_NOMATCH;
} else if (transparent && url.contains("?sgtransntlmdest=")) {
// send a variant on the original request (has to be something Squid will route to the outside
// world, and that it will require NTLM authentication for)
String domain(url.after("?sgtransntlmdest=").after("://"));
if (domain.contains("/")) domain = domain.before("/");
domain = "http://" + domain + "/";
h.setURL(domain);
}
if (at != "NTLM") {
// if no auth currently underway, then...
if (at.length() == 0) {
// allow the initial request through so the client will get the proxy's initial auth required response.
// advertise persistent connections so that parent proxy will agree to advertise NTLM support.
#ifdef DGDEBUG
std::cout << "No auth negotiation currently in progress - making initial request persistent so that proxy will advertise NTLM" << std::endl;
#endif
h.makePersistent();
}
return DGAUTH_NOMATCH;
}
#ifdef DGDEBUG
std::cout << "NTLM - sending step 1" << std::endl;
#endif
if (o.forwarded_for) {
std::string clientip;
if (o.use_xforwardedfor) {
// grab the X-Forwarded-For IP if available
clientip = h.getXForwardedForIP();
// otherwise, grab the IP directly from the client connection
if (clientip.length() == 0)
clientip = peercon.getPeerIP();
} else {
clientip = peercon.getPeerIP();
}
h.addXForwardedFor(clientip); // add squid-like entry
}
h.makePersistent();
h.out(&peercon, upstreamcon, __DGHEADER_SENDALL);
#ifdef DGDEBUG
std::cout << "NTLM - receiving step 2" << std::endl;
#endif
h.in(upstreamcon, true);
if (h.authRequired()) {
#ifdef DGDEBUG
std::cout << "NTLM - sending step 2" << std::endl;
#endif
if (transparent)
h.makeTransparent(true);
h.out(NULL, &peercon, __DGHEADER_SENDALL);
if (h.contentLength() != -1)
fdt.tunnel(*upstreamcon, peercon, false, h.contentLength(), true);
#ifdef DGDEBUG
std::cout << "NTLM - receiving step 3" << std::endl;
#endif
h.in(&peercon, true);
if (transparent) {
h.makeTransparent(false);
String domain(url.after("?sgtransntlmdest=").after("://"));
if (domain.contains("/")) domain = domain.before("/");
domain = "http://" + domain + "/";
h.setURL(domain);
}
#ifdef DGDEBUG
std::cout << "NTLM - decoding type 3 message" << std::endl;
#endif
std::string message(h.getAuthData());
ntlm_authenticate auth;
ntlm_auth *a = &(auth.a);
static char username[256]; // fixed size
static char username2[256];
char* inptr = username;
char* outptr = username2;
size_t l,o;
// copy the NTLM message into the union's buffer, simultaneously filling in the struct
if ((message.length() > sizeof(ntlm_auth)) || (message.length() < offsetof(ntlm_auth, payload))) {
syslog(LOG_ERR, "NTLM - Invalid message of length %zd, message was: %s", message.length(), message.c_str());
#ifdef DGDEBUG
std::cerr << "NTLM - Invalid message of length " << message.length() << ", message was: " << message << std::endl;
#endif
return -3;
}
memcpy((void *)auth.buf, (const void *)message.c_str(), message.length());
// verify that the message is indeed a type 3
if (strcmp("NTLMSSP",a->h.signature) == 0 && WSWAP(a->h.type) == 3) {
// grab the length & offset of the username within the message
// cope with the possibility we are a different byte order to Windows
l = SSWAP(a->user.len);
o = WSWAP(a->user.offset);
if ((l > 0) && (o >= 0) && (o + l) <= sizeof(a->payload) && (l <= 254)) {
// everything is in range
// note offsets are from start of packet - not the start of the payload area
memcpy((void *)username, (const void *)&(auth.buf[o]),l);
username[l] = '\0';
// check flags - we may need to convert from UTF-16 to something more sensible
int f = WSWAP(a->flags);
if (f & WSWAP(0x0001)) {
iconv_t ic = iconv_open("UTF-8", "UTF-16LE");
if (ic == (iconv_t)-1) {
syslog(LOG_ERR, "NTLM - Cannot initialise conversion from UTF-16LE to UTF-8: %s", strerror(errno));
#ifdef DGDEBUG
std::cerr << "NTLM - Cannot initialise conversion from UTF-16LE to UTF-8: " << strerror(errno) << std::endl;
#endif
iconv_close(ic);
return -2;
}
size_t l2 = 256;
local_iconv_adaptor(iconv, ic, &inptr, &l, &outptr, &l2);
iconv_close(ic);
username2[256 - l2] = '\0';
#ifdef DGDEBUG
std::cout << "NTLM - got username (converted from UTF-16LE) " << username2 << std::endl;
#endif
string = username2;
} else {
#ifdef DGDEBUG
std::cout << "NTLM - got username " << username << std::endl;
#endif
string = username;
}
if (!transparent)
return DGAUTH_OK;
// if in transparent mode, send a redirect to the client's original requested URL,
// having sent the final headers to the NTLM-only Squid to do with what it will
std::string tmp = peercon.getPeerIP();
h.addXForwardedFor(tmp);
h.out(&peercon, upstreamcon, __DGHEADER_SENDALL);
// also, the return code matters in ways it hasn't mattered before:
// mustn't send a redirect if it is still 407, or we get a redirection loop
h.in(upstreamcon, true);
if (h.returnCode() == 407)
{
h.makeTransparent(false);
h.out(NULL, &peercon, __DGHEADER_SENDALL);
return -10;
}
url = url.after("=");
string = url.toCharArray();
return DGAUTH_REDIRECT;
}
}
return DGAUTH_NOMATCH;
} else {
#ifdef DGDEBUG
std::cout << "NTLM - step 2 was not part of an auth handshake!" << std::endl;
for (unsigned int i = 0; i < h.header.size(); i++)
std::cout << h.header[i] << std::endl;
#endif
syslog(LOG_ERR, "NTLM - step 2 was not part of an auth handshake! (%s)", h.header[0].toCharArray());
return -1;
}
}
// send headers out over the given socket
// "reconnect" flag gives permission to reconnect to the socket on write error
// - this allows us to re-open the proxy connection on pconns if squid's end has
// timed out but the client's end hasn't. not much use with NTLM, since squid
// will throw a 407 and restart negotiation, but works well with basic & others.
void HTTPHeader::out(Socket * peersock, Socket * sock, int sendflag, bool reconnect) throw(std::exception)
{
String l; // for amalgamating to avoid conflict with the Nagel algorithm
if (sendflag == __DGHEADER_SENDALL || sendflag == __DGHEADER_SENDFIRSTLINE) {
if (header.size() > 0) {
l = header.front() + "\n";
#ifdef DGDEBUG
std::cout << "headertoclient:" << l << std::endl;
#endif
// first reconnect loop - send first line
while (true) {
if (!(*sock).writeToSocket(l.toCharArray(), l.length(), 0, timeout)) {
// reconnect & try again if we've been told to
if (reconnect) {
// don't try more than once
#ifdef DGDEBUG
std::cout << "Proxy connection broken (1); trying to re-establish..." << std::endl;
syslog(LOG_ERR,"Proxy connection broken (1); trying to re-establish...");
#endif
reconnect = false;
sock->reset();
int rc = sock->connect(o.proxy_ip, o.proxy_port);
if (rc)
throw std::exception();
continue;
}
throw std::exception();
}
// if we got here, we succeeded, so break the reconnect loop
break;
}
}
if (sendflag == __DGHEADER_SENDFIRSTLINE) {
return;
}
}
l = "";
for (std::deque<String>::iterator i = header.begin() + 1; i != header.end(); i++) {
l += (*i) + "\n";
}
l += "\r\n";
#ifdef DGDEBUG
std::cout << "headertoclient:" << l << std::endl;
#endif
// second reconnect loop
while (true) {
// send header to the output stream
// need exception for bad write
if (!(*sock).writeToSocket(l.toCharArray(), l.length(), 0, timeout)) {
// reconnect & try again if we've been told to
if (reconnect) {
// don't try more than once
#ifdef DGDEBUG
std::cout << "Proxy connection broken (2); trying to re-establish..." << std::endl;
syslog(LOG_ERR,"Proxy connection broken (2); trying to re-establish...");
#endif
reconnect = false;
sock->reset();
int rc = sock->connect(o.proxy_ip, o.proxy_port);
if (rc)
throw std::exception();
// include the first line on the retry
l = header.front() + "\n" + l;
continue;
}
throw std::exception();
}
// if we got here, we succeeded, so break the reconnect loop
break;
}
if ((!requestType().startsWith("HTTP")) && (pcontentlength != NULL)) {
if (postdatalen > 0) {
#ifdef DGDEBUG
std::cout << "Sending initial POST data chunk" << std::endl;
#endif
// Re-add the chopped off \n, if necessary
if (postdatachopped) {
#ifdef DGDEBUG
std::cout << "Re-adding newline to POST data (postdatalen " << postdatalen << ")" << std::endl;
#endif
postdata[postdatalen-1] = '\n';
postdata[postdatalen] = '\0';
}
sock->writeToSockete(postdata, postdatalen, 0, timeout);
}
#ifdef DGDEBUG
std::cout << "Opening tunnel for remainder of POST data" << std::endl;
#endif
FDTunnel fdt;
off_t remaining = contentLength() - postdatalen;
if (remaining < 0)
throw std::runtime_error("No POST data left to send!?");
fdt.tunnel(*peersock, *sock, false, remaining, true);
}
}
