* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
- * are also available at http://curl.haxx.se/docs/copyright.html.
+ * are also available at https://curl.haxx.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
*
***************************************************************************/
-#include "setup.h"
+#include "curl_setup.h"
-#if defined(USE_NTLM) && defined(NTLM_WB_ENABLED)
+#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
+ defined(NTLM_WB_ENABLED)
/*
* NTLM details:
*
- * http://davenport.sourceforge.net/ntlm.html
- * http://www.innovation.ch/java/ntlm.html
+ * https://davenport.sourceforge.io/ntlm.html
+ * https://www.innovation.ch/java/ntlm.html
*/
#define DEBUG_ME 0
#ifdef HAVE_SIGNAL_H
#include <signal.h>
#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
#include "urldata.h"
#include "sendf.h"
#include "select.h"
+#include "vauth/ntlm.h"
+#include "curl_ntlm_core.h"
#include "curl_ntlm_wb.h"
#include "url.h"
#include "strerror.h"
+#include "strdup.h"
+/* The last 3 #include files should be in this order */
+#include "curl_printf.h"
#include "curl_memory.h"
-
-#define _MPRINTF_REPLACE /* use our functions only */
-#include <curl/mprintf.h>
-
-/* The last #include file should be: */
#include "memdebug.h"
#if DEBUG_ME
conn->ntlm_auth_hlpr_pid = 0;
}
- Curl_safefree(conn->challenge_header);
+ free(conn->challenge_header);
conn->challenge_header = NULL;
- Curl_safefree(conn->response_header);
+ free(conn->response_header);
conn->response_header = NULL;
}
char *slash, *domain = NULL;
const char *ntlm_auth = NULL;
char *ntlm_auth_alloc = NULL;
- int error;
+#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
+ struct passwd pw, *pw_res;
+ char pwbuf[1024];
+#endif
/* Return if communication with ntlm_auth already set up */
if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD ||
return CURLE_OK;
username = userp;
+ /* The real ntlm_auth really doesn't like being invoked with an
+ empty username. It won't make inferences for itself, and expects
+ the client to do so (mostly because it's really designed for
+ servers like squid to use for auth, and client support is an
+ afterthought for it). So try hard to provide a suitable username
+ if we don't already have one. But if we can't, provide the
+ empty one anyway. Perhaps they have an implementation of the
+ ntlm_auth helper which *doesn't* need it so we might as well try */
+ if(!username || !username[0]) {
+ username = getenv("NTLMUSER");
+ if(!username || !username[0])
+ username = getenv("LOGNAME");
+ if(!username || !username[0])
+ username = getenv("USER");
+#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
+ if((!username || !username[0]) &&
+ !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
+ pw_res) {
+ username = pw.pw_name;
+ }
+#endif
+ if(!username || !username[0])
+ username = userp;
+ }
slash = strpbrk(username, "\\/");
if(slash) {
- if((domain = strdup(username)) == NULL)
+ domain = strdup(username);
+ if(!domain)
return CURLE_OUT_OF_MEMORY;
slash = domain + (slash - username);
*slash = '\0';
ntlm_auth = NTLM_WB_FILE;
if(access(ntlm_auth, X_OK) != 0) {
- error = ERRNO;
failf(conn->data, "Could not access ntlm_auth: %s errno %d: %s",
- ntlm_auth, error, Curl_strerror(conn, error));
+ ntlm_auth, errno, Curl_strerror(conn, errno));
goto done;
}
if(socketpair(AF_UNIX, SOCK_STREAM, 0, sockfds)) {
- error = ERRNO;
failf(conn->data, "Could not open socket pair. errno %d: %s",
- error, Curl_strerror(conn, error));
+ errno, Curl_strerror(conn, errno));
goto done;
}
child_pid = fork();
if(child_pid == -1) {
- error = ERRNO;
sclose(sockfds[0]);
sclose(sockfds[1]);
failf(conn->data, "Could not fork. errno %d: %s",
- error, Curl_strerror(conn, error));
+ errno, Curl_strerror(conn, errno));
goto done;
}
else if(!child_pid) {
/* Don't use sclose in the child since it fools the socket leak detector */
sclose_nolog(sockfds[0]);
if(dup2(sockfds[1], STDIN_FILENO) == -1) {
- error = ERRNO;
failf(conn->data, "Could not redirect child stdin. errno %d: %s",
- error, Curl_strerror(conn, error));
+ errno, Curl_strerror(conn, errno));
exit(1);
}
if(dup2(sockfds[1], STDOUT_FILENO) == -1) {
- error = ERRNO;
failf(conn->data, "Could not redirect child stdout. errno %d: %s",
- error, Curl_strerror(conn, error));
+ errno, Curl_strerror(conn, errno));
exit(1);
}
"--username", username,
NULL);
- error = ERRNO;
sclose_nolog(sockfds[1]);
failf(conn->data, "Could not execl(). errno %d: %s",
- error, Curl_strerror(conn, error));
+ errno, Curl_strerror(conn, errno));
exit(1);
}
sclose(sockfds[1]);
conn->ntlm_auth_hlpr_socket = sockfds[0];
conn->ntlm_auth_hlpr_pid = child_pid;
- Curl_safefree(domain);
- Curl_safefree(ntlm_auth_alloc);
+ free(domain);
+ free(ntlm_auth_alloc);
return CURLE_OK;
done:
- Curl_safefree(domain);
- Curl_safefree(ntlm_auth_alloc);
+ free(domain);
+ free(ntlm_auth_alloc);
return CURLE_REMOTE_ACCESS_DENIED;
}
static CURLcode ntlm_wb_response(struct connectdata *conn,
const char *input, curlntlm state)
{
- ssize_t size;
- char buf[200]; /* enough, type 1, 3 message length is less then 200 */
- char *tmpbuf = buf;
- size_t len_in = strlen(input), len_out = sizeof(buf);
+ char *buf = malloc(NTLM_BUFSIZE);
+ size_t len_in = strlen(input), len_out = 0;
+
+ if(!buf)
+ return CURLE_OUT_OF_MEMORY;
while(len_in > 0) {
ssize_t written = swrite(conn->ntlm_auth_hlpr_socket, input, len_in);
len_in -= written;
}
/* Read one line */
- while(len_out > 0) {
- size = sread(conn->ntlm_auth_hlpr_socket, tmpbuf, len_out);
+ while(1) {
+ ssize_t size;
+ char *newbuf;
+
+ size = sread(conn->ntlm_auth_hlpr_socket, buf + len_out, NTLM_BUFSIZE);
if(size == -1) {
if(errno == EINTR)
continue;
}
else if(size == 0)
goto done;
- else if(tmpbuf[size - 1] == '\n') {
- tmpbuf[size - 1] = '\0';
- goto wrfinish;
+
+ len_out += size;
+ if(buf[len_out - 1] == '\n') {
+ buf[len_out - 1] = '\0';
+ break;
}
- tmpbuf += size;
- len_out -= size;
+ newbuf = Curl_saferealloc(buf, len_out + NTLM_BUFSIZE);
+ if(!newbuf)
+ return CURLE_OUT_OF_MEMORY;
+
+ buf = newbuf;
}
- goto done;
-wrfinish:
+
/* Samba/winbind installed but not configured */
if(state == NTLMSTATE_TYPE1 &&
- size == 3 &&
+ len_out == 3 &&
buf[0] == 'P' && buf[1] == 'W')
- return CURLE_REMOTE_ACCESS_DENIED;
+ goto done;
/* invalid response */
- if(size < 4)
+ if(len_out < 4)
goto done;
if(state == NTLMSTATE_TYPE1 &&
(buf[0]!='Y' || buf[1]!='R' || buf[2]!=' '))
(buf[0]!='A' || buf[1]!='F' || buf[2]!=' '))
goto done;
- conn->response_header = aprintf("NTLM %.*s", size - 4, buf + 3);
+ conn->response_header = aprintf("NTLM %.*s", len_out - 4, buf + 3);
+ free(buf);
return CURLE_OK;
done:
+ free(buf);
return CURLE_REMOTE_ACCESS_DENIED;
}
if(proxy) {
allocuserpwd = &conn->allocptr.proxyuserpwd;
- userp = conn->proxyuser;
+ userp = conn->http_proxy.user;
ntlm = &conn->proxyntlm;
authp = &conn->data->state.authproxy;
}
/* not set means empty */
if(!userp)
- userp="";
+ userp = "";
switch(ntlm->state) {
case NTLMSTATE_TYPE1:
default:
/* Use Samba's 'winbind' daemon to support NTLM authentication,
- * by delegating the NTLM challenge/response protocal to a helper
+ * by delegating the NTLM challenge/response protocol to a helper
* in ntlm_auth.
* http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
- * http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
- * http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
+ * https://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
+ * https://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
* Preprocessor symbol 'NTLM_WB_ENABLED' is defined when this
* feature is enabled and 'NTLM_WB_FILE' symbol holds absolute
* filename of ntlm_auth helper.
if(res)
return res;
- Curl_safefree(*allocuserpwd);
+ free(*allocuserpwd);
*allocuserpwd = aprintf("%sAuthorization: %s\r\n",
proxy ? "Proxy-" : "",
conn->response_header);
DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
- Curl_safefree(conn->response_header);
+ free(conn->response_header);
conn->response_header = NULL;
break;
case NTLMSTATE_TYPE2:
- input = aprintf("TT %s", conn->challenge_header);
+ input = aprintf("TT %s\n", conn->challenge_header);
if(!input)
return CURLE_OUT_OF_MEMORY;
res = ntlm_wb_response(conn, input, ntlm->state);
if(res)
return res;
- Curl_safefree(*allocuserpwd);
+ free(*allocuserpwd);
*allocuserpwd = aprintf("%sAuthorization: %s\r\n",
proxy ? "Proxy-" : "",
conn->response_header);
case NTLMSTATE_TYPE3:
/* connection is already authenticated,
* don't send a header in future requests */
- if(*allocuserpwd) {
- free(*allocuserpwd);
- *allocuserpwd=NULL;
- }
+ free(*allocuserpwd);
+ *allocuserpwd = NULL;
authp->done = TRUE;
break;
}
return CURLE_OK;
}
-#endif /* USE_NTLM && NTLM_WB_ENABLED */
+#endif /* !CURL_DISABLE_HTTP && USE_NTLM && NTLM_WB_ENABLED */
projects / platform / upstream / curl.git / blobdiff