http: make SPNEGO helpers individually configurable

Offer a way to run SPNEGO-Kerberos through a helper rather than the C
library interface.

References: GXL-408

Author: jengelh

doc/http.8gx

@@ -72,6 +72,24 @@ Maximum execution time for CGI scripts.
 .br
 Default: \fI10 minutes\fP
 .TP
+.TP
+\fBgss_program\fP
+The helper program to use for authenticating SPNEGO-GSS requests. The value is
+rudimentarily tokenized at whitespaces, so no special characters may be used.
+(If you need to, write a shell wrapper.) The special value "internal-gss" uses
+libgssapi directly.
+The use of Squid's negotiate_wrapper_auth is optional; Gromox can identify
+whether requests are SPNEGO-NTLMSSP or SPNEGO-Kerberos in the same fashion as
+negotiate_wrapper_auth does.
+.br
+Default: \fIinternal\-gss\fP
+.br
+Example: \fI/usr/lib/squid/negotiate_kerberos_auth \-s GSS_C_NO_NAME\fP
+.br
+Example: \fI/usr/lib/squid/negotiate_wrapper_auth \-\-ntlm /usr/bin/ntlm_auth
+\-\-helper\-protocol=squid\-2.5\-ntlmssp \-\-kerberos
+/usr/lib/squid/negotiate_kerberos_auth \-s GSS_C_NO_NAME\fP
+.TP
 \fBhost_id\fP
 A unique identifier for this system. It is used for the Server HTTP responses
 header, for service plugins like exmdb_provider(4gx), which makes use of it for
@@ -90,13 +108,6 @@ Enable HTTP Negotiate authentication.
 .br
 Default: \fIno\fP
 .TP
-\fBhttp_auth_spnego_ntlmssp\fP
-When a client uses HTTP Negotiate authentication and the negotation data looks
-like NTLMSSP, pass the data to ntlm_auth rather than GSS-API. (When this option
-disabled, data is always passed to GSS-API.)
-.br
-Default: \fIyes\fP
-.TP
 \fBhttp_auth_times\fP
 The number of login tries a user is allowed before the account is blocked.
 .br
@@ -200,11 +211,20 @@ all RPCs. Note the daemon log level needs to be "debug" (6), too.
 .br
 Default: \fI0\fP
 .TP
-\fBntlm_auth\fP
-Path to samba-winbind ntlm_auth or equivalent program that accepts the
-arguments `\fB\-d0 \-\-helper\-protocol=squid\-2.5\-ntlmssp\fP`.
+\fBntlmssp_program\fP
+Path to samba-winbind ntlm_auth or equivalent program that implements the Squid
+authentication helper text protocol ("YR, TT, KK, AF"). The value is
+rudimentarily tokenized at whitespaces, so no special characters may be used.
+(If you need to, write a shell wrapper.)
+The use of Squid's negotiate_wrapper_auth is optional; Gromox can identify
+whether requests are SPNEGO-NTLMSSP or SPNEGO-Kerberos in the same fashion as
+negotiate_wrapper_auth does.
+.br
+Default: \fI/usr/bin/ntlm_auth \-\-helper\-protocol=squid\-2.5\-ntlmssp\fP
 .br
-Default: \fI/usr/bin/ntlm_auth\fP
+Example: \fI/usr/lib/squid/negotiate_wrapper_auth \-\-ntlm /usr/bin/ntlm_auth
+\-\-helper\-protocol=squid\-2.5\-ntlmssp \-\-kerberos
+/usr/lib/squid/negotiate_kerberos_auth \-s GSS_C_NO_NAME\fP
 .TP
 \fBrequest_max_mem\fP
 The maximum hint size for fragmented RPC PDU requests that will be allowed

exch/http/http_parser.cpp

@@ -787,19 +787,20 @@ static void ntlm_stop(struct HXproc &pi)
 	pi.p_pid = 0;
 }
 
-static int auth_ntlmssp(http_context &ctx, const char *encinput, size_t encsize,
-    const char *input, size_t isize, std::string &output)
+static int htp_auth_ntlmssp(http_context &ctx, const char *prog,
+    const char *encinput, std::string &output)
 {
+	auto encsize = strlen(encinput);
 	auto &pinfo = ctx.ntlm_proc;
 	output.clear();
 
 	if (pinfo.p_pid <= 0) {
-		auto prog = g_config_file->get_value("ntlm_auth");
 		if (prog == nullptr || *prog == '\0')
-			prog = "/usr/bin/ntlm_auth";
-		const char *argv[] = {prog, "-d0", "--helper-protocol=squid-2.5-ntlmssp", nullptr};
+			prog = "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp";
+		auto args = HX_split(prog, " ", nullptr, 0);
+		auto cl_0 = make_scope_exit([&]() { HX_zvecfree(args); });
 		pinfo.p_flags = HXPROC_STDIN | HXPROC_STDOUT | HXPROC_STDERR;
-		auto ret = HXproc_run_async(argv, &pinfo);
+		auto ret = HXproc_run_async(&args[0], &pinfo);
 		if (ret < 0) {
 			mlog(LV_ERR, "execv ntlm_auth: %s", strerror(-ret));
 			return -1;
@@ -1005,6 +1006,38 @@ static int auth_krb(http_context &ctx, const char *input, size_t isize,
 }
 #endif
 
+static tproc_status htp_auth_spnego(http_context &ctx, const char *past_method)
+{
+	bool rq_ntlmssp = strncmp(past_method, "TlRMTVNT", 8) == 0;
+	auto the_helper = g_config_file->get_value(rq_ntlmssp ? "ntlmssp_program" : "gss_program");
+
+	if (strcmp(the_helper, "internal-gss") != 0) {
+		auto ret = htp_auth_ntlmssp(ctx, the_helper, past_method,
+		           ctx.last_gss_output);
+		ctx.auth_status = ret <= 0 ? http_status::unauthorized : http_status::ok;
+		ctx.auth_method = auth_method::negotiate_b64;
+		if (ret <= 0 && ret != -99)
+			ntlm_stop(ctx.ntlm_proc);
+	} else {
+#ifdef HAVE_GSSAPI
+		char decoded[4096];
+		size_t decode_len = 0;
+		if (decode64(past_method, strlen(past_method), decoded,
+		    std::size(decoded), &decode_len) != 0)
+			return tproc_status::runoff;
+		auto ret = auth_krb(ctx, decoded, decode_len, ctx.last_gss_output);
+		ctx.auth_status = ret <= 0 ? http_status::unauthorized : http_status::ok;
+		ctx.auth_method = auth_method::negotiate;
+#else
+		static bool y = false;
+		if (!y)
+			mlog(LV_DEBUG, "Cannot handle Negotiate request: software built without GSSAPI");
+		y = true;
+#endif
+	}
+	return tproc_status::runoff;
+}
+
 /*
  * Implementation notes.
  *
@@ -1055,38 +1088,16 @@ static tproc_status htp_auth(http_context &ctx)
 		*p++ = '\0';
 		gx_strlcpy(ctx.username, decoded, std::size(ctx.username));
 		gx_strlcpy(ctx.password, p, std::size(ctx.password));
-		return htp_auth_basic(&ctx);
-	} else if (strcasecmp(method, "Negotiate") == 0 &&
-	    strncmp(past_method, "TlRMTVNT", 8) == 0 &&
-	    g_config_file->get_ll("http_auth_spnego") &&
-	    g_config_file->get_ll("http_auth_spnego_ntlmssp")) {
-		char decoded[4096];
-		size_t decode_len = 0;
-		if (decode64(past_method, strlen(past_method), decoded, std::size(decoded), &decode_len) != 0)
-			return tproc_status::runoff;
-		auto ret = auth_ntlmssp(ctx, past_method, strlen(past_method),
-		           decoded, decode_len, ctx.last_gss_output);
-		ctx.auth_status = ret <= 0 ? http_status::unauthorized : http_status::ok;
-		ctx.auth_method = auth_method::negotiate_b64;
-		if (ret <= 0 && ret != -99)
-			ntlm_stop(ctx.ntlm_proc);
+		auto ret = htp_auth_basic(&ctx);
+		if (ret != tproc_status::runoff)
+			return ret;
 	} else if (strcasecmp(method, "Negotiate") == 0 &&
 	    g_config_file->get_ll("http_auth_spnego")) {
-#ifdef HAVE_GSSAPI
-		char decoded[4096];
-		size_t decode_len = 0;
-		if (decode64(past_method, strlen(past_method), decoded, std::size(decoded), &decode_len) != 0)
-			return tproc_status::runoff;
-		auto ret = auth_krb(ctx, decoded, decode_len, ctx.last_gss_output);
-		ctx.auth_status = ret <= 0 ? http_status::unauthorized : http_status::ok;
-		ctx.auth_method = auth_method::negotiate;
-#else
-		static bool y = false;
-		if (!y)
-			mlog(LV_DEBUG, "Cannot handle Negotiate request: software built without GSSAPI");
-		y = true;
-#endif
+		auto ret = htp_auth_spnego(ctx, past_method);
+		if (ret != tproc_status::runoff)
+			return ret;
 	}
+
 	if (g_enforce_auth && ctx.auth_status != http_status::ok)
 		ctx.auth_status = http_status::unauthorized;
 	return tproc_status::runoff;

exch/http/main.cpp

@@ -85,9 +85,9 @@ static constexpr cfg_directive http_cfg_defaults[] = {
 	{"context_num", "400", CFG_SIZE},
 	{"data_file_path", PKGDATADIR "/http:" PKGDATADIR},
 	{"fastcgi_exec_timeout", "10min", CFG_TIME, "1min"},
+	{"gss_program", "internal-gss"},
 	{"http_auth_basic", "1", CFG_BOOL},
 	{"http_auth_spnego", "0", CFG_BOOL},
-	{"http_auth_spnego_ntlmssp", "1", CFG_BOOL},
 	{"http_auth_times", "10", CFG_SIZE, "1"},
 	{"http_conn_timeout", "3min", CFG_TIME, "30s"},
 	{"http_debug", "0"},
@@ -108,7 +108,7 @@ static constexpr cfg_directive http_cfg_defaults[] = {
 	{"listen_port", "http_listen_port", CFG_ALIAS},
 	{"listen_ssl_port", "http_listen_tls_port", CFG_ALIAS},
 	{"msrpc_debug", "0"},
-	{"ntlm_auth", "/usr/bin/ntlm_auth"}, /* part of samba-winbind */
+	{"ntlmssp_program", "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"},
 	{"oxcical_allday_ymd", "1", CFG_BOOL},
 	{"request_max_mem", "4M", CFG_SIZE, "1M"},
 	{"running_identity", RUNNING_IDENTITY},