From 935505bc4f3c98214ad89884feb7f752d6c87490 Mon Sep 17 00:00:00 2001 From: israel Date: Sun, 30 Dec 2012 01:24:30 -0800 Subject: [PATCH] adding some simple authetication code to limit proxy access --- libmproxy/authentication.py | 104 ++++++++++++++++++++++++++++++++++ libmproxy/contrib/md5crypt.py | 94 ++++++++++++++++++++++++++++++ 2 files changed, 198 insertions(+) create mode 100644 libmproxy/authentication.py create mode 100644 libmproxy/contrib/md5crypt.py diff --git a/libmproxy/authentication.py b/libmproxy/authentication.py new file mode 100644 index 000000000..bb8a50745 --- /dev/null +++ b/libmproxy/authentication.py @@ -0,0 +1,104 @@ +import binascii +import contrib.md5crypt as md5crypt + +class NullProxyAuth(): + """ No proxy auth at all (returns empty challange headers) """ + def __init__(self, password_manager=None): + self.password_manager = password_manager + self.username = "" + + def authenticate(self, auth_value): + """ Tests that the specified user is allowed to use the proxy (stub) """ + return True + + def auth_challenge_headers(self): + """ Returns a dictionary containing the headers require to challenge the user """ + return {} + + def get_username(self): + return self.username + + +class BasicProxyAuth(NullProxyAuth): + + def __init__(self, password_manager, realm="mitmproxy"): + NullProxyAuth.__init__(self, password_manager) + self.realm = "mitmproxy" + + def authenticate(self, auth_value): + if (not auth_value) or (not auth_value[0]): + print "ROULI: no auth specified" + return False; + try: + scheme, username, password = self.parse_authorization_header(auth_value[0]) + except: + print "ROULI: Malformed Proxy-Authorization header" + return False + if scheme.lower()!='basic': + print "ROULI: Unexpected Authorization scheme" + return False + if not self.password_manager.test(username, password): + print "ROULI: authorization failed!" + return False + self.username = username + return True + + def auth_challenge_headers(self): + return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm} + + def parse_authorization_header(self, auth_value): + print "ROULI: ", auth_value + words = auth_value.split() + print "ROULI basic auth: ", words + scheme = words[0] + user = binascii.a2b_base64(words[1]) + print "ROULI basic auth user: ", user + username, password = user.split(':') + return scheme, username, password + +class PasswordManager(): + def __init__(self): + pass + + def test(self, username, password_token): + return False + +class PermissivePasswordManager(PasswordManager): + + def __init__(self): + PasswordManager.__init__(self) + + def test(self, username, password_token): + if username: + return True + return False + +class HtpasswdPasswordManager(PasswordManager): + """ Read usernames and passwords from a file created by Apache htpasswd""" + + def __init__(self, filehandle): + PasswordManager.__init__(self) + entries = (line.strip().split(':') for line in filehandle) + valid_entries = (entry for entry in entries if len(entry)==2) + self.usernames = {username:token for username,token in valid_entries} + + + def test(self, username, password_token): + if username not in self.usernames: + print "ROULI: username not in db" + return False + full_token = self.usernames[username] + dummy, magic, salt, hashed_password = full_token.split('$') + expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$') + print "ROULI: password", binascii.hexlify(expected), binascii.hexlify(full_token), expected==full_token + return expected==full_token + +class SingleUserPasswordManager(PasswordManager): + + def __init__(self, username, password): + PasswordManager.__init__(self) + self.username = username + self.password = password + + def test(self, username, password_token): + return self.username==username and self.password==password_token diff --git a/libmproxy/contrib/md5crypt.py b/libmproxy/contrib/md5crypt.py new file mode 100644 index 000000000..d64ea8ac4 --- /dev/null +++ b/libmproxy/contrib/md5crypt.py @@ -0,0 +1,94 @@ +# Based on FreeBSD src/lib/libcrypt/crypt.c 1.2 +# http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2&content-type=text/plain + +# Original license: +# * "THE BEER-WARE LICENSE" (Revision 42): +# * wrote this file. As long as you retain this notice you +# * can do whatever you want with this stuff. If we meet some day, and you think +# * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + +# This port adds no further stipulations. I forfeit any copyright interest. + +import md5 + +def md5crypt(password, salt, magic='$1$'): + # /* The password first, since that is what is most unknown */ /* Then our magic string */ /* Then the raw salt */ + m = md5.new() + m.update(password + magic + salt) + + # /* Then just as many characters of the MD5(pw,salt,pw) */ + mixin = md5.md5(password + salt + password).digest() + for i in range(0, len(password)): + m.update(mixin[i % 16]) + + # /* Then something really weird... */ + # Also really broken, as far as I can tell. -m + i = len(password) + while i: + if i & 1: + m.update('\x00') + else: + m.update(password[0]) + i >>= 1 + + final = m.digest() + + # /* and now, just to make sure things don't run too fast */ + for i in range(1000): + m2 = md5.md5() + if i & 1: + m2.update(password) + else: + m2.update(final) + + if i % 3: + m2.update(salt) + + if i % 7: + m2.update(password) + + if i & 1: + m2.update(final) + else: + m2.update(password) + + final = m2.digest() + + # This is the bit that uses to64() in the original code. + + itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' + + rearranged = '' + for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)): + v = ord(final[a]) << 16 | ord(final[b]) << 8 | ord(final[c]) + for i in range(4): + rearranged += itoa64[v & 0x3f]; v >>= 6 + + v = ord(final[11]) + for i in range(2): + rearranged += itoa64[v & 0x3f]; v >>= 6 + + return magic + salt + '$' + rearranged + +if __name__ == '__main__': + + def test(clear_password, the_hash): + magic, salt = the_hash[1:].split('$')[:2] + magic = '$' + magic + '$' + return md5crypt(clear_password, salt, magic) == the_hash + + test_cases = ( + (' ', '$1$yiiZbNIH$YiCsHZjcTkYd31wkgW8JF.'), + ('pass', '$1$YeNsbWdH$wvOF8JdqsoiLix754LTW90'), + ('____fifteen____', '$1$s9lUWACI$Kk1jtIVVdmT01p0z3b/hw1'), + ('____sixteen_____', '$1$dL3xbVZI$kkgqhCanLdxODGq14g/tW1'), + ('____seventeen____', '$1$NaH5na7J$j7y8Iss0hcRbu3kzoJs5V.'), + ('__________thirty-three___________', '$1$HO7Q6vzJ$yGwp2wbL5D7eOVzOmxpsy.'), + ('apache', '$apr1$J.w5a/..$IW9y6DR0oO/ADuhlMF5/X1') + ) + + for clearpw, hashpw in test_cases: + if test(clearpw, hashpw): + print '%s: pass' % clearpw + else: + print '%s: FAIL' % clearpw