From 10a0bed48536e5a3fe801a5e0d94bd84ad80c559 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Sun, 31 Jul 2011 20:44:41 +0200 Subject: [PATCH] NTLM single-sign on adjustments (VIII) Use preprocessor symbols WINBIND_NTLM_AUTH_ENABLED and WINBIND_NTLM_AUTH_FILE for Samba's winbind daemon ntlm_auth helper code implementation and filename. Retain preprocessor symbol USE_NTLM_SSO for NTLM single-sign-on feature availability implementation independent. For test harness, prefix NTLM_AUTH environment vars with CURL_ Refactor and rename configure option --with-ntlm-auth to --enable-wb-ntlm-auth[=FILE] --- configure.ac | 34 ++++--------------------- lib/http.c | 6 ++++- lib/http_ntlm.c | 34 +++++++++++++------------ lib/http_ntlm.h | 11 +++++---- lib/setup.h | 2 +- lib/url.c | 2 +- lib/urldata.h | 5 ++-- m4/curl-confopts.m4 | 64 ++++++++++++++++++++++++++++++++++++++++++++++-- tests/data/test1310 | 6 ++--- tests/server/fake_ntlm.c | 8 +++--- 10 files changed, 107 insertions(+), 65 deletions(-) diff --git a/configure.ac b/configure.ac index da19ad9..77c613e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2687,34 +2687,6 @@ then USE_MANUAL="no"; fi -dnl ********************************************************** -dnl path of NTLM single-sign-on helper ntlm_auth -dnl -AC_ARG_WITH(ntlm-auth, - AC_HELP_STRING([--with-ntlm-auth=PATH], - [Where to look for ntlm_auth, path points to ntlm_auth installation (default: /usr/bin/ntlm_auth);]) - AC_HELP_STRING([--without-ntlm-auth], - [disable ntlm single-sign-on by using ntlm_auth]), -ntlm_auth="$withval", - [if test "$ac_cv_native_windows" = "yes"; then ntlm_auth="no"; else ntlm_auth="/usr/bin/ntlm_auth"; fi]) - -AC_MSG_CHECKING([if using ntlm_auth is requested]) - -if test "$ntlm_auth" != "no"; then - AC_DEFINE(USE_NTLM_AUTH, 1, [Whether or not use Samba's 'winbind' daemon helper 'ntlm_auth' for NTLM single-sign-on]) - AC_SUBST(USE_NTLM_AUTH, [1]) - if test "$ntlm_auth" = "yes"; then - dnl --with-ntlm-auth (without path) used, use default path - ntlm_auth="/usr/bin/ntlm_auth" - fi - AC_MSG_RESULT($ntlm_auth) -else - AC_MSG_RESULT(no) -fi -AC_SUBST(ntlm_auth) -AC_DEFINE_UNQUOTED(NTLM_AUTH, "$ntlm_auth", [Samba's 'winbind' daemon helper 'ntlm_auth' which can be used for NTLM single-sign-on]) - - dnl ************************************************************************* dnl If the manual variable still is set, then we go with providing a built-in dnl manual @@ -2823,6 +2795,10 @@ AC_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]), AC_MSG_RESULT(yes) ) +CURL_CHECK_OPTION_WINBIND_NTLM_AUTH + +CURL_CHECK_WINBIND_NTLM_AUTH + dnl ************************************************************ dnl disable TLS-SRP authentication dnl @@ -2998,7 +2974,7 @@ if test "x$CURL_DISABLE_HTTP" != "x1"; then if test "x$USE_SSLEAY" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \ -o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1"; then SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM" - if test "x$USE_NTLM_AUTH" = "x1"; then + if test "x$WINBIND_NTLM_AUTH_ENABLED" = "x1"; then SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_SSO" fi fi 
diff --git a/lib/http.c b/lib/http.c index 97946f8..97c9043 100644 --- a/lib/http.c +++ b/lib/http.c @@ -542,9 +542,13 @@ output_auth_headers(struct connectdata *conn, #ifdef USE_NTLM_SSO if(authstatus->picked == CURLAUTH_NTLM_SSO) { auth="NTLM_SSO"; +#ifdef WINBIND_NTLM_AUTH_ENABLED result = Curl_output_ntlm_sso(conn, proxy); if(result) return result; +#else + return CURLE_REMOTE_ACCESS_DENIED; +#endif } else #endif @@ -767,7 +771,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, Curl_input_ntlm(conn, (bool)(httpcode == 407), start); if(CURLNTLM_BAD != ntlm) { data->state.authproblem = FALSE; -#ifdef USE_NTLM_SSO +#ifdef WINBIND_NTLM_AUTH_ENABLED if(authp->picked == CURLAUTH_NTLM_SSO) { *availp &= ~CURLAUTH_NTLM; authp->avail &= ~CURLAUTH_NTLM; diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c index ba0a4d7..9beedfb 100644 --- a/lib/http_ntlm.c +++ b/lib/http_ntlm.c @@ -33,14 +33,16 @@ #define DEBUG_ME 0 +#ifdef HAVE_SYS_TYPES_H +#include +#endif #ifdef HAVE_UNISTD_H #include #endif - -#ifdef USE_NTLM_SSO -#include -#include +#ifdef HAVE_SYS_WAIT_H #include +#endif +#ifdef HAVE_SIGNAL_H #include #endif @@ -677,7 +679,7 @@ static void unicodecpy(unsigned char *dest, } #endif -#ifdef USE_NTLM_SSO +#ifdef WINBIND_NTLM_AUTH_ENABLED static void sso_ntlm_close(struct connectdata *conn) { if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) { 
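Review bot: The new `#else` branch returning `CURLE_REMOTE_ACCESS_DENIED` in output_auth_headers is unreachable as long as lib/setup.h defines `USE_NTLM_SSO` only `#if defined(WINBIND_NTLM_AUTH_ENABLED)`, and the setup.h hunk in this same patch keeps that coupling, so the outer `#ifdef USE_NTLM_SSO` already implies the inner guard. The second http.c hunk goes the other way and swaps `USE_NTLM_SSO` for `WINBIND_NTLM_AUTH_ENABLED` in Curl_http_input_auth, although the code it guards only clears `CURLAUTH_NTLM` availability bits once `CURLAUTH_NTLM_SSO` was picked and is not specific to the winbind helper. If, as the commit message says, `USE_NTLM_SSO` is meant to express feature availability independently of the implementation, keep `#ifdef USE_NTLM_SSO` in Curl_http_input_auth and explain the fallback in output_auth_headers with a comment such as `/* NTLM SSO was picked but no helper implementation is compiled in: fail the request here */`. Both enclosing functions start and end outside their hunks.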
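Review bot: The two headers that were previously included unconditionally under `USE_NTLM_SSO` are now guarded by `HAVE_SYS_WAIT_H` and `HAVE_SIGNAL_H`, yet nothing in this patch adds them to configure's header probes. If configure.ac does not already test for them, a `WINBIND_NTLM_AUTH_ENABLED` build would compile the helper-process code without the corresponding prototypes and fall back to implicit declarations, which I cannot rule out from this hunk alone. Please confirm the AC_CHECK_HEADERS list covers both, or add a comment at the include block such as `/* HAVE_SYS_WAIT_H / HAVE_SIGNAL_H come from configure's header checks */` so the dependency is visible.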
@@ -742,17 +744,17 @@ static CURLcode sso_ntlm_initiate(struct connectdata *conn, username = username + (slash - domain) + 1; } - /* When DEBUGBUILD is defined and environment variable NTLM_AUTH is set - * (in test case 2005), use a fake_ntlm to do NTLM challenge/response, - * which only accept commands and output strings pre-written/saved in - * test case 2005 */ + /* For testing purposes, when DEBUGBUILD is defined and environment + variable CURL_NTLM_AUTH is set a fake_ntlm is used to perform + NTLM challenge/response which only accepts commands and output + strings pre-written in test case definitions */ #ifdef DEBUGBUILD - ntlm_auth_alloc = curl_getenv("NTLM_AUTH"); + ntlm_auth_alloc = curl_getenv("CURL_NTLM_AUTH"); if(ntlm_auth_alloc) ntlm_auth = ntlm_auth_alloc; else #endif - ntlm_auth = NTLM_AUTH; + ntlm_auth = WINBIND_NTLM_AUTH_FILE; if(access(ntlm_auth, X_OK) != 0) { error = ERRNO; @@ -940,9 +942,9 @@ CURLcode Curl_output_ntlm_sso(struct connectdata *conn, * http://devel.squid-cache.org/ntlm/squid_helper_protocol.html * http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html * http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html - * The preprocessor variable 'USE_NTLM_AUTH' indicates whether - * this feature is enabled. Another one 'NTLM_AUTH' contains absolute - * path of it. + * Preprocessor symbol 'WINBIND_NTLM_AUTH_ENABLED' is defined when + * this feature is enabled and 'WINBIND_NTLM_AUTH_FILE' symbol holds + * absolute filename of ntlm_auth helper. * If NTLM single-sign-on fails, go back to original request * handling process. */ @@ -996,7 +998,7 @@ CURLcode Curl_output_ntlm_sso(struct connectdata *conn, return CURLE_OK; } -#endif /* USE_NTLM_SSO */ +#endif /* WINBIND_NTLM_AUTH_ENABLED */ /* this is for creating ntlm header output */ CURLcode Curl_output_ntlm(struct connectdata *conn, 
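Review bot: The `#ifdef DEBUGBUILD … else #endif` construct in sso_ntlm_initiate leaves a bare `else` whose body is the statement after `#endif`, which is fragile whenever the fallback assignment is edited; assign `ntlm_auth = WINBIND_NTLM_AUTH_FILE;` unconditionally first and let the debug-only block override it with `if(ntlm_auth_alloc) ntlm_auth = ntlm_auth_alloc;`, dropping the `else`. It is also worth stating in the comment that the `CURL_NTLM_AUTH` override is compiled only into debug builds, so a release build always runs the configure-time `WINBIND_NTLM_AUTH_FILE` and cannot be pointed at another program through the environment. The function starts and ends outside this hunk.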
@@ -1644,7 +1646,7 @@ Curl_ntlm_cleanup(struct connectdata *conn) ntlm_sspi_cleanup(&conn->ntlm); ntlm_sspi_cleanup(&conn->proxyntlm); #else -#ifdef USE_NTLM_SSO +#ifdef WINBIND_NTLM_AUTH_ENABLED sso_ntlm_close(conn); #endif (void)conn; diff --git a/lib/http_ntlm.h b/lib/http_ntlm.h index faa7b0f..5275e46 100644 --- a/lib/http_ntlm.h +++ b/lib/http_ntlm.h @@ -1,5 +1,5 @@ -#ifndef __HTTP_NTLM_H -#define __HTTP_NTLM_H +#ifndef HEADER_CURL_HTTP_NTLM_H +#define HEADER_CURL_HTTP_NTLM_H /*************************************************************************** * _ _ ____ _ * Project ___| | | | _ \| | @@ -38,9 +38,9 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn, bool proxy, /* this is for creating ntlm header output */ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy); -#ifdef USE_NTLM_SSO +#ifdef WINBIND_NTLM_AUTH_ENABLED /* this is for creating ntlm header output by delegating challenge/response - * to a Samba's daemon helper ntlm_auth */ + to Samba's winbind daemon helper ntlm_auth */ CURLcode Curl_output_ntlm_sso(struct connectdata *conn, bool proxy); #endif @@ -152,4 +152,5 @@ void Curl_ntlm_cleanup(struct connectdata *conn); #define NTLMFLAG_NEGOTIATE_56 (1<<31) /* Indicates that 56-bit encryption is supported. */ -#endif + +#endif /* HEADER_CURL_HTTP_NTLM_H */ diff --git a/lib/setup.h b/lib/setup.h index 2aaf564..eb19baf 100644 --- a/lib/setup.h +++ b/lib/setup.h @@ -566,7 +566,7 @@ int netware_init(void); #if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \ defined(USE_GNUTLS) || defined(USE_NSS) #define USE_NTLM -#if defined(USE_NTLM_AUTH) +#if defined(WINBIND_NTLM_AUTH_ENABLED) /* Support NTLM single-sign-on by using Samba's winbind daemon helper 'ntlm_auth' */ #define USE_NTLM_SSO diff --git a/lib/url.c b/lib/url.c index bffa234..59da3e9 100644 --- a/lib/url.c +++ b/lib/url.c 
@@ -3515,7 +3515,7 @@ static struct connectdata *allocate_conn(struct SessionHandle *data) conn->ip_version = data->set.ipver; -#ifdef USE_NTLM_SSO +#ifdef WINBIND_NTLM_AUTH_ENABLED conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD; conn->ntlm_auth_hlpr_pid = 0; conn->challenge_header = NULL; diff --git a/lib/urldata.h b/lib/urldata.h index f4057cb..6f81153 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -905,9 +905,8 @@ struct connectdata { single requests! */ struct ntlmdata proxyntlm; /* NTLM data for proxy */ -#ifdef USE_NTLM_SSO - /* data used for communication with Samba's winbind daemon helper - ntlm_auth */ +#ifdef WINBIND_NTLM_AUTH_ENABLED + /* used for communication with Samba's winbind daemon helper ntlm_auth */ curl_socket_t ntlm_auth_hlpr_socket; pid_t ntlm_auth_hlpr_pid; char* challenge_header; diff --git a/m4/curl-confopts.m4 b/m4/curl-confopts.m4 index 30fb025..015101e 100644 --- a/m4/curl-confopts.m4 +++ b/m4/curl-confopts.m4 @@ -5,7 +5,7 @@ # | (__| |_| | _ <| |___ # \___|\___/|_| \_\_____| # -# Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. +# Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms @@ -21,7 +21,7 @@ #*************************************************************************** # File version for 'aclocal' use. Keep it a single number. -# serial 14 +# serial 15 dnl CURL_CHECK_OPTION_THREADED_RESOLVER dnl ------------------------------------------------- 
@@ -496,3 +496,63 @@ AC_DEFUN([CURL_CHECK_LIB_ARES], [ fi ]) + +dnl CURL_CHECK_OPTION_WINBIND_NTLM_AUTH +dnl ------------------------------------------------- +dnl Verify if configure has been invoked with option +dnl --enable-ntlm-auth or --disable-ntlm-auth, and +dnl set shell variable want_wb_ntlm_auth and +dnl want_wb_ntlm_auth_file as appropriate. + +AC_DEFUN([CURL_CHECK_OPTION_WINBIND_NTLM_AUTH], [ + AC_BEFORE([$0],[CURL_CHECK_WINBIND_NTLM_AUTH])dnl + OPT_WINBIND_NTLM_AUTH="default" + AC_ARG_ENABLE(wb-ntlm-auth, +AC_HELP_STRING([--enable-wb-ntlm-auth@<:@=FILE@:>@],[Enable winbind's ntlm_auth helper for NTLM SSO, where FILE is ntlm_auth's absolute filename (default: /usr/bin/ntlm_auth)]) +AC_HELP_STRING([--disable-wb-ntlm-auth],[Disable winbind's ntlm_auth helper for NTLM SSO]), + OPT_WINBIND_NTLM_AUTH=$enableval) + want_wb_ntlm_auth_file="/usr/bin/ntlm_auth" + case "$OPT_WINBIND_NTLM_AUTH" in + no) + dnl --disable-wb-ntlm-auth option used + want_wb_ntlm_auth="no" + ;; + default) + dnl configure option not specified + want_wb_ntlm_auth="yes" + ;; + *) + dnl --enable-wb-ntlm-auth option used + want_wb_ntlm_auth="yes" + if test -n "$enableval" && test "$enableval" != "yes"; then + want_wb_ntlm_auth_file="$enableval" + fi + ;; + esac +]) + + +dnl CURL_CHECK_WINBIND_NTLM_AUTH +dnl ------------------------------------------------- +dnl Check if winbind's ntlm_auth helper support will +dnl finally be enabled depending on configure option +dnl given and target platform. 
+ +AC_DEFUN([CURL_CHECK_WINBIND_NTLM_AUTH], [ + AC_REQUIRE([CURL_CHECK_OPTION_WINBIND_NTLM_AUTH])dnl + AC_REQUIRE([CURL_CHECK_NATIVE_WINDOWS])dnl + AC_MSG_CHECKING([whether to enable winbind's ntlm_auth support for NTLM SSO]) + if test "$ac_cv_native_windows" = "yes"; then + want_wb_ntlm_auth_file="" + want_wb_ntlm_auth="no" + fi + AC_MSG_RESULT([$want_wb_ntlm_auth]) + if test "$want_wb_ntlm_auth" = "yes"; then + AC_DEFINE(WINBIND_NTLM_AUTH_ENABLED, 1, + [Define to enable winbind's ntlm_auth support for NTLM SSO.]) + AC_DEFINE_UNQUOTED(WINBIND_NTLM_AUTH_FILE, "$want_wb_ntlm_auth_file", + [Define absolute filename for winbind's ntlm_auth helper.]) + WINBIND_NTLM_AUTH_ENABLED=1 + fi +]) + diff --git a/tests/data/test1310 b/tests/data/test1310 index e101fd7..9187acf 100644 --- a/tests/data/test1310 +++ b/tests/data/test1310 @@ -70,11 +70,11 @@ CURL_GETHOSTNAME=curlhost # we try to use the LD_PRELOAD hack, if not a debug build LD_PRELOAD=%PWD/libtest/.libs/libhostname.so # set path to fake_auth instead of real ntlm_auth to generate NTLM type1 and type 3 messages -NTLM_AUTH=%PWD/server/fake_ntlm +CURL_NTLM_AUTH=%PWD/server/fake_ntlm # set source directory so fake_ntlm can find the test files -NTLM_AUTH_SRCDIR=%SRCDIR +CURL_NTLM_AUTH_SRCDIR=%SRCDIR # set the test number -NTLM_AUTH_TESTNUM=1310 +CURL_NTLM_AUTH_TESTNUM=1310 http://%HOSTIP:%HTTPPORT/1310 -u testuser:anypasswd --ntlm-sso diff --git a/tests/server/fake_ntlm.c b/tests/server/fake_ntlm.c index c0aa1e0..e97cef9 100644 --- a/tests/server/fake_ntlm.c +++ b/tests/server/fake_ntlm.c 
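Review bot: The header comment of CURL_CHECK_OPTION_WINBIND_NTLM_AUTH names the options `--enable-ntlm-auth` / `--disable-ntlm-auth`, but the macro registers `wb-ntlm-auth`; the comment should read `--enable-wb-ntlm-auth or --disable-wb-ntlm-auth`. In the `*)` branch the user-supplied `$enableval` is stored unchecked and later baked into the C string `WINBIND_NTLM_AUTH_FILE` by AC_DEFINE_UNQUOTED, although the help text promises an absolute filename; a relative value would be looked up relative to the current working directory of the process that later calls `access()` and runs the helper, and a value containing `"` or `\` yields an invalid define. A guard such as `case "$enableval" in /*) want_wb_ntlm_auth_file="$enableval" ;; *) AC_MSG_ERROR([--enable-wb-ntlm-auth needs an absolute filename]) ;; esac` in place of the `if test -n` check would enforce the documented contract. The copyright and serial hunks in this file are trivial.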
@@ -168,21 +168,21 @@ int main(int argc, char *argv[]) helper_user, helper_proto, helper_domain, (use_cached_creds == TRUE) ? "yes" : "no"); - env = getenv("NTLM_AUTH_TESTNUM"); + env = getenv("CURL_NTLM_AUTH_TESTNUM"); if (env) { char *endptr; long lnum = strtol(env, &endptr, 10); if((endptr != env + strlen(env)) || (lnum < 1L)) { - logmsg("Test number not valid in NTLM_AUTH_TESTNUM"); + logmsg("Test number not valid in CURL_NTLM_AUTH_TESTNUM"); exit(1); } testnum = lnum; } else { - logmsg("Test number not specified in NTLM_AUTH_TESTNUM"); + logmsg("Test number not specified in CURL_NTLM_AUTH_TESTNUM"); exit(1); } - env = getenv("NTLM_AUTH_SRCDIR"); + env = getenv("CURL_NTLM_AUTH_SRCDIR"); if (env) { path = env; } -- 2.7.4